undefined | Better HN

0 points418tpot11mo ago0 comments

Have you tried anubis?

0 comments

Anubis is affective against certain kinds of bots and abuse, but wouldn't be that affective against large scale DDoS attacks. And it does have a negative impact on usability, as users have to wait for the browser to do the proof of work, which may or may not be worse than cloudflare's captchas.

DoctorOW11mo ago

Anubis is a partial mitigant of DDOS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].

Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.

[1] : https://news.ycombinator.com/item?id=43864108

thayne11mo ago

Yes, it's a partial mitigator, but it isn't as complete of a solution as a CDN, for a number of reasons. For one thing, with Anubis your server is still responding to requests, so a full scale DDoS could potentially take you down without having to actually complete the PoW, they just have to make enough requests.

Using a CDN for DDoS typically has multiple levels of protection:

- caching reduces load on your server

- In the event of a (D)DoS attack, the cdn can absorb the attack traffic with their much higher capacity than your server(s)

- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers

- Since the CDN fronts many sites, it can have more information about which IP addresss, and user agents are more suspicious. This one is a little controversial, because there is a conflict between getting an accurate profile of how suspicious a request is, and preserving the privacy of users.

- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.

In short, Anubis could be part of a DDoS mitigation plan, but if you are worried about a targeted attack, it probably isn't sufficient. And critical services are potentially a valuable target for attacks.

jtbayly11mo ago

I tried to figure it out for about 5 minutes, and decided that it probably wasn’t possible on my shared hosting.

j / k navigate · click thread line to collapse

0 comments

thayne11mo ago

DoctorOW11mo ago

Anubis is a partial mitigant of DDOS attacks, since it's less resource intensive to serve the Anubis page than the origin[1].

Cloudflare's captchas are only convenient for a subset of users, I'll bet there'd be decent money in one of the competing CDNs (Fastly maybe?) including an Anubis-like captcha.

[1] : https://news.ycombinator.com/item?id=43864108

thayne11mo ago

Using a CDN for DDoS typically has multiple levels of protection:

- caching reduces load on your server

- In the event of a (D)DoS attack, the cdn can absorb the attack traffic with their much higher capacity than your server(s)

- The CDN can block certain kinds of attacks, especially low level (D)DoS attacks without the traffic ever touching your servers

- It may have built in support for some kind of bot detection, such as captcha or a proof of work. IDK about the free tier of cloudflare, but for paid offerings at least, this is usually optional.

jtbayly11mo ago

I tried to figure it out for about 5 minutes, and decided that it probably wasn’t possible on my shared hosting.

j / k navigate · click thread line to collapse