DDoS Protection
🔥 Vibe Prompt
"Design DDoS protection: Cloudflare, rate limiting, auto-scaling, Anycast network."
DDoS Attack Types
| Layer | Class | Example | Typical scale (unit differs per layer) |
|-------|-------|---------|----------------------------------------|
| L3/L4 | Volumetric | UDP flood (often reflected/amplified) | 1 Tbps+ of bandwidth |
| L4 | Protocol | SYN flood | 100 Mpps (packets, exhausts state tables) |
| L7 | Application | HTTP flood | 1M req/s (looks like valid requests) |
Protection Stack
Cloudflare (Anycast CDN + WAF)
→ Scrubs L3/L4/L7 attacks at the edge
→ Only clean traffic forwarded to origin
Nginx (Rate limiting, geo-blocking)
→ Drops excess requests per client IP
→ Blocks known bad IPs
App (Auto-scaling, circuit breaker)
→ Absorbs remaining traffic
→ Degrades gracefully
Nginx Rate Limiting
# http context: zones keyed by client IP, 10 MB shared memory each (~160k addresses), 100 req/s per IP
limit_req_zone  $binary_remote_addr zone=api:10m rate=100r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Behind Cloudflare, $remote_addr is the edge IP: restore the client IP or every visitor shares one bucket
# (one of Cloudflare's published ranges shown; list them all from https://www.cloudflare.com/ips/)
set_real_ip_from 173.245.48.0/20;
real_ip_header CF-Connecting-IP;

location /api/ {
    # burst=200 nodelay: up to 200 requests above the rate are served at once, the rest rejected
    limit_req zone=api burst=200 nodelay;
    limit_req_status 429;          # default is 503
    limit_conn addr 10;            # at most 10 concurrent connections per IP
}
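The difference between `burst=200` with and without `nodelay` is easy to get wrong, so here is a replay of nginx's `limit_req` leaky bucket against two constructed traffic patterns. This is an added simulation of the behaviour documented for ngx_http_limit_req_module, not nginx's own code, and the arrival times are made up.

```python
"""Replay of nginx's limit_req leaky bucket (constructed simulation, not nginx code)."""


def limit_req_simulate(arrivals_ms, rate_rps, burst, nodelay):
    """Feed request arrival times (ms, one client key) through a bucket configured
    like `limit_req zone=... burst=<burst> [nodelay]` with `rate=<rate_rps>r/s`.
    Returns a list of (arrival_ms, decision, delay_ms)."""
    excess = 0.0       # requests currently above the allowed rate ("bucket fill")
    last_ms = None     # arrival time of the last accepted request
    results = []
    for t in arrivals_ms:
        if last_ms is None:
            e = 0.0    # a brand-new key starts with an empty bucket
        else:
            # leak at `rate` since the last accepted request, then add this one
            e = max(0.0, excess - (t - last_ms) * rate_rps / 1000.0 + 1.0)
        if e > burst:
            # over the burst: rejected immediately (limit_req_status, 503 by default);
            # nginx leaves the bucket state untouched for a rejected request
            results.append((t, "reject", 0.0))
            continue
        excess, last_ms = e, t
        # without nodelay an accepted request is held until the bucket has
        # drained enough to serve it at exactly `rate`
        delay_ms = 0.0 if nodelay else e * 1000.0 / rate_rps
        results.append((t, "accept", delay_ms))
    return results


def summarize(results):
    accepted = [r for r in results if r[1] == "accept"]
    return {
        "accepted": len(accepted),
        "rejected": len(results) - len(accepted),
        "max_delay_ms": max((r[2] for r in accepted), default=0.0),
    }


# Scenario 1 (constructed): 1000 requests from one IP in the same millisecond,
# the shape of a single-source HTTP flood
FLOOD = [0.0] * 1000


def flood_nodelay():
    return summarize(limit_req_simulate(FLOOD, rate_rps=100, burst=200, nodelay=True))


def flood_delay():
    return summarize(limit_req_simulate(FLOOD, rate_rps=100, burst=200, nodelay=False))


# Scenario 2 (constructed): one client steadily sending 200 r/s (every 5 ms)
# for 500 requests, twice the configured rate
SUSTAINED = [i * 5.0 for i in range(500)]


def sustained_overrate():
    return summarize(limit_req_simulate(SUSTAINED, rate_rps=100, burst=200, nodelay=True))


if __name__ == "__main__":
    print("flood, nodelay:   ", flood_nodelay())       # 201 served instantly, 799 rejected
    print("flood, no nodelay:", flood_delay())         # same 201 accepted, the last held 2000 ms
    print("2x rate sustained:", sustained_overrate())  # bucket fills, then every other request rejected
```

The flood case shows why `nodelay` is the usual choice for an API: the same 201 requests get through either way, but without `nodelay` nginx keeps 200 of them queued for up to two seconds, tying up worker connections for the attacker. The sustained case shows that once the burst is used up, a client at 2x the rate simply gets every second request rejected, which is the steady state the `limit_req_status 429` response should communicate.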
Auto-scaling for DDoS
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: api
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: api
  minReplicas: 10        # raise during an attack so capacity exists before the HPA reacts
  maxReplicas: 100
  metrics:
  - type: Pods
    pods:
      metric:
        # a per-pod rate (req/s) exposed through a custom-metrics adapter such as prometheus-adapter
        # (name depends on your adapter rules); the raw counter nginx_http_requests_total only grows
        # and would pin the HPA at maxReplicas
        name: nginx_http_requests_per_second
      target:
        type: AverageValue
        averageValue: 500  # per pod
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 0      # react immediately
    scaleDown:
      stabilizationWindowSeconds: 600    # do not flap when the flood pauses
Cloudflare DDoS Settings
Under Attack Mode: enabled only for the duration of an attack
- Serves a JS challenge interstitial to every visitor before any request reaches origin
- Non-browser clients (API consumers, mobile apps, webhooks) cannot pass it: exclude API hostnames/paths with a rule or they are knocked offline too
Rate Limiting rules:
- 1000 req/10s per IP (API), matching the 100 r/s nginx limit
- 100 req/10s per IP (login)
WAF:
- Managed rulesets (Cloudflare OWASP Core Ruleset)
- HTTP DDoS Attack Protection ruleset (L7)
Security Level:
- High during attack (challenges requests from IPs with poor reputation)
- Essentially Off normally (challenges only the worst reputation scores)
Response Plan
1. Detect: request rate or bandwidth anomaly (e.g. 5x the normal baseline) triggers an alert
2. Verify: confirm it is an attack and not a legitimate spike (launch, campaign, crawler) by checking source IP spread, target paths and user agents
3. Mitigate: enable Cloudflare "Under Attack" mode (HTML routes) and tighten rate-limiting rules
4. Scale: raise HPA minReplicas so capacity exists before autoscaling catches up
5. Block: geo-block regions you do not serve, at the edge so the traffic never reaches origin
6. Absorb: auto-scaling absorbs the remaining legitimate traffic
7. Investigate: post-attack analysis (vectors, peak rates, which controls worked, what to pre-configure)
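The Detect and Verify steps above are where a scripted check earns its keep: a rate spike alone does not say whether to block a handful of IPs or switch on a challenge for everyone. The following is an added example (not part of the original page) that parses combined-format access log lines, flags seconds over the 5x threshold, and profiles the flagged traffic to pick a mitigation. The log lines are constructed with RFC 5737 documentation addresses, and the `baseline_rps` value is assumed to come from capacity planning or a rolling median.

```python
"""Detect + verify over access logs (constructed sample, standard library only)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# nginx/Apache combined log: ip ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "ua": m["ua"]}


def make_sample_log():
    """Constructed sample: 10 s of normal traffic (20 req/s spread over 10 IPs),
    then 5 s of an HTTP flood (150 req/s from 3 IPs against /login)."""
    base = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(15):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        for i in range(20):
            ip = f"203.0.113.{i % 10 + 1}"
            path = ["/", "/api/items", "/static/app.js"][i % 3]
            lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
        if sec >= 10:
            for i in range(150):
                ip = f"198.51.100.{i % 3 + 1}"
                lines.append(f'{ip} - - [{ts}] "POST /login HTTP/1.1" 200 128 "-" "python-requests/2.31"')
    return lines


def detect(lines, baseline_rps, factor=5):
    """Flag seconds whose request rate is >= factor * baseline, then profile the
    flagged traffic: a few IPs carrying most of the load can be blocked or
    rate-limited, a widely distributed flood needs a challenge or geo-blocking."""
    per_sec, ips, paths = Counter(), defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sec = rec["ts"]
        per_sec[sec] += 1
        ips[sec][rec["ip"]] += 1
        paths[sec][rec["path"]] += 1

    hot = sorted(s for s, n in per_sec.items() if n >= factor * baseline_rps)
    if not hot:
        return {"attack": False}

    ip_total, path_total = Counter(), Counter()
    for s in hot:
        ip_total.update(ips[s])
        path_total.update(paths[s])
    total = sum(per_sec[s] for s in hot)
    top_ips = ip_total.most_common(5)
    top5_share = round(sum(n for _, n in top_ips) / total, 2)
    return {
        "attack": True,
        "seconds_over_threshold": len(hot),
        "peak_rps": max(per_sec[s] for s in hot),
        "top_ips": top_ips,
        "top_paths": path_total.most_common(3),
        "top5_share": top5_share,
        # concentrated source: block/rate-limit; distributed: challenge, geo-block, scale out
        "action": "block/rate-limit top IPs and path" if top5_share >= 0.8
                  else "distributed: challenge + geo-block, scale out",
    }


if __name__ == "__main__":
    for k, v in detect(make_sample_log(), baseline_rps=20).items():
        print(f"{k}: {v}")
```

On the sample, five seconds exceed the threshold at 170 req/s, three addresses account for about 90% of the flagged requests and nearly all of them hit `/login`, so the verdict is to block or rate-limit those sources and that path rather than challenge every visitor. Feed it real lines with `detect(open("access.log").read().splitlines(), baseline_rps=...)`; the 0.8 concentration cut-off is an assumption to tune per site.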
Best Practices
- Use CDN with DDoS protection (Cloudflare, AWS Shield)
- Implement rate limiting at multiple layers
- Design for graceful degradation
- Auto-scale aggressively during attack
- Geo-block non-served regions
- Anycast (Cloudflare, AWS Shield) spreads a volumetric flood across many PoPs so no single link or origin saturates