Amazon Web Services
xxx44yyy, 2020-10-29 08:09:08

How can a small web project escape DDoS?

The client has a small site running nginx, with Amazon Route 53 as DNS. He is often hit with a lot of requests that the server cannot handle. Previously, when he was on Cloudflare, he could press one button (under attack) and everything was solved instantly: a captcha page appeared before each request and everything was fine. He then switched to Route 53, which does not have this feature. How can he defend himself now? WAF on Amazon costs about $3,000 per month. Maybe there is something simple and inexpensive that will not protect against a real, powerful DDoS but will protect against small ones?


7 answer(s)
Ivan Shumov, 2020-10-29
@inoise

On AWS, WAF and Shield are built into CloudFront. It costs 3000 USD if you need a dedicated team from AWS for a better response. Also, CloudFront has its own geo policy and routes, which seems to be cheaper and better than Route 53 since it does not require changing DNS records and avoids caching.
Well, yes, WAF is not related to DDoS; this is the responsibility of Shield.

Sergey Gornostaev, 2020-10-29
@sergey-gornostaev

DDoS attack on nginx with 1 byte packets?

Vitaly Karasik, 2020-10-29
@vitaly_il1

The only budget option AFAIK is to go back to Cloudflare. Yes, on cheap tariffs, this requires keeping DNS with them. Why not?
With a business plan ($200), Cloudflare allows you to use third party DNS.

xmoonlight, 2020-10-29
@xmoonlight

Through the signing of traffic (after validating the "purity" of the client) between different sites (at least 2), this is done.
Unsigned - the other one is immediately ignored before the connection is created.
All connections are checked for a valid signature.

Eugene, 2020-10-29
@yellowmew

Your traffic is accepted by nginx, so set up rate limiting. To do this, you still need to analyze which limits are OK for which URLs in your case.
In addition, you can set up rate limiting for one src IP. nginx is such a powerful thing in terms of features and protection settings.
If you don't want to deal with nginx, connect the site to CloudFront; the necessary protection services are built into it, as Ivan Shumov wrote. However, you also need to understand how to configure them correctly.
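
An nginx configuration sketch of the per-IP and per-URL rate limiting suggested in the answer above. This is an added example, not part of the original answer; the zone names, rates, burst sizes, `example.com`, the `/login` path and the document root are assumptions to be replaced after reviewing your own access logs.

```nginx
# Added example: all names, rates and paths are assumptions, not values
# from the thread. Tune them against normal traffic before enforcing.
http {
    # One shared-memory counter per client address for each class of URL.
    limit_req_zone  $binary_remote_addr zone=per_ip_site:10m  rate=10r/s;
    limit_req_zone  $binary_remote_addr zone=per_ip_login:10m rate=1r/s;
    # Separate zone that counts simultaneous connections per address.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    # Answer 429 instead of the default 503 so that rejected requests are
    # easy to tell apart from real backend failures in the logs.
    limit_req_status   429;
    limit_conn_status  429;
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;          # assumed host name
        root /var/www/html;               # assumed document root

        # At most 20 open connections from a single address.
        limit_conn per_ip_conn 20;

        location / {
            # 10 r/s sustained, short bursts of 20 served without delay,
            # everything above that is rejected.
            limit_req zone=per_ip_site burst=20 nodelay;

            # Analysis phase (nginx 1.17.1+): uncomment to only log what
            # would have been rejected, without rejecting anything.
            # limit_req_dry_run on;
        }

        # Expensive endpoint gets a much stricter limit; without "nodelay"
        # excess requests within the burst are queued and slowed down.
        location = /login {
            limit_req zone=per_ip_login burst=5;
        }
    }
}
```

If the site is later placed behind CloudFront or another proxy, `$binary_remote_addr` becomes the proxy's address, so the real client address has to be restored first (for example with `ngx_http_realip_module`) or every visitor will share one counter.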

Kamil, 2020-10-29
@Lakika

Alternatively, the lowest rate https://gshost.net/ will suit you

boss_lexa, 2020-11-01
@boss_lexa

https://ddos-guard.net/ru/store/web
