DDoS Protection

🔥 Vibe Prompt

"Design DDoS protection: Cloudflare, rate limiting, auto-scaling, Anycast network."

DDoS Attack Types

| Layer | Attack | Example | Volume |
|-------|--------|---------|--------|
| L3    | Volumetric | UDP flood | 1 Tbps+ |
| L4    | Protocol   | SYN flood | 100 Mpps |
| L7    | Application | HTTP flood | 1M req/s |

Protection Stack

Cloudflare (Anycast CDN + WAF)
   ↓  Scrubs L3/L4/L7 attacks
   ↓  Only clean traffic forwarded

Nginx (Rate limiting, geo-blocking)
   ↓  Drops excess requests
   ↓  Blocks known bad IPs

App (Auto-scaling, circuit breaker)
   ↓  Absorbs remaining traffic
   ↓  Degrades gracefully

Nginx Rate Limiting

# Zone keyed by client IP: 10 MB of shared memory, 100 req/s per IP
# (limit_req_zone belongs in the http {} context)
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/s;

# Allow bursts of up to 200 requests above the rate. With nodelay the
# burst is served immediately instead of being queued and spaced out;
# anything beyond the burst is rejected (503), not delayed
limit_req zone=api burst=200 nodelay;

# Connection limit: at most 10 concurrent connections per client IP
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 10;
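The burst/nodelay interaction is the part of this configuration that is most often misread, so the following added Python model (not code from the page or from nginx) simulates the leaky-bucket algorithm behind limit_req in simplified form. Assumptions: arrival times are integer milliseconds, the bucket drains continuously at `rate`, a client's first request is accepted with an empty bucket (as nginx does), a request is rejected when the bucket would exceed `burst`, and without nodelay an accepted request is delayed by `excess / rate` seconds so that the burst is served at the configured rate. The `simulate` and `summarize` helpers and the example traffic are constructed for this demonstration.

```python
"""Simplified model of nginx limit_req: rate, burst and nodelay semantics."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LeakyBucket:
    """Per-client state for one limit_req zone (simplified nginx model).

    rate    -- allowed requests per second (nginx: rate=100r/s)
    burst   -- extra requests allowed above the rate (nginx: burst=200)
    nodelay -- True: burst served at once; False: burst spaced out at `rate`
    """
    rate: float
    burst: int
    nodelay: bool
    excess: float = 0.0              # requests sitting in the bucket
    last_ms: Optional[int] = None    # time of the last accepted request

    def request(self, now_ms: int) -> Tuple[bool, float]:
        """Return (accepted, delay_seconds) for a request arriving at now_ms."""
        if self.last_ms is None:
            # nginx stores excess=0 for a client's first request, so it is free.
            self.last_ms = now_ms
            return True, 0.0
        # Drain the bucket at `rate` since the last accepted request, then add
        # this request (nginx: excess = stored - rate*elapsed + 1, clamped at 0).
        drained = self.rate * (now_ms - self.last_ms) / 1000.0
        excess = max(0.0, self.excess - drained + 1.0)
        if excess > self.burst:
            # Over the rate with the burst exhausted: rejected (nginx returns 503).
            # State is left untouched so the rejected request does not refill anything.
            return False, 0.0
        self.excess = excess
        self.last_ms = now_ms
        # Without nodelay the request is held until the bucket has room for it.
        delay = 0.0 if self.nodelay else excess / self.rate
        return True, delay


def simulate(rate: float, burst: int, nodelay: bool,
             arrivals_ms: List[int]) -> List[Tuple[bool, float]]:
    """Run one client's arrival times through a fresh bucket."""
    bucket = LeakyBucket(rate, burst, nodelay)
    return [bucket.request(t) for t in arrivals_ms]


def summarize(results: List[Tuple[bool, float]]) -> Dict[str, float]:
    """Count accepted/rejected requests and report the longest queueing delay."""
    delays = [delay for accepted, delay in results if accepted]
    return {
        "accepted": len(delays),
        "rejected": len(results) - len(delays),
        "max_delay_s": max(delays, default=0.0),
    }


if __name__ == "__main__":
    # Constructed traffic: 250 requests from one IP arriving in the same millisecond.
    flood = [0] * 250
    print("burst=200 nodelay:", summarize(simulate(100, 200, True, flood)))
    print("burst=200 delay:  ", summarize(simulate(100, 200, False, flood)))
    # Constructed: requests every 5 ms against a 100 r/s limit with no burst.
    print("burst=0 at 200 r/s:", [ok for ok, _ in simulate(100, 0, False, [0, 5, 10, 15])])
```

With the page's settings the 250-request flood yields 201 accepted requests (the free first request plus the 200-request burst) and 49 rejections whether or not nodelay is set; the only difference is that without nodelay the last accepted request waits two seconds, which is the behaviour the original comment wrongly attributed to the nodelay form.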

Auto-scaling for DDoS

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: app-hpa          # placeholder name
spec:
  scaleTargetRef:        # required: the workload to scale
    apiVersion: apps/v1
    kind: Deployment
    name: app            # placeholder: your application Deployment
  minReplicas: 10  # Start higher during attack
  maxReplicas: 100
  metrics:
    - type: Pods
      pods:
        metric:
          # custom metric: must be exposed through the custom metrics API
          # by a metrics adapter (e.g. prometheus-adapter)
          name: nginx_http_requests_total
        target:
          type: AverageValue
          averageValue: 500  # per pod

Cloudflare DDoS Settings

Under Attack Mode: enabled
  - Challenges all visitors with JS
  - Increases challenge difficulty

Rate Limiting:
  - 1000 req/10s per IP (API)
  - 100 req/10s per IP (login)

WAF:
  - OWASP Top 10
  - DDoS L7 mitigation

Security Level:
  - High during attack (challenge suspicious)
  - Essentially Off normally

Response Plan

1. Detect: traffic anomaly (5x normal)
2. Verify
3. Mitigate: Cloudflare "Under Attack" mode
4. Scale: increase min replicas
5. Block: Geo-block non-target regions
6. Absorb: auto-scaling absorbs valid traffic
7. Investigate: post-attack analysis
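Step 1 of the plan is a threshold check against a known baseline, and steps 5 and 7 need to know which sources are driving the spike. The following added Python example (not code from the page) shows that detection run over nginx access log lines: it buckets requests per second, derives a baseline from a quiet period as the median requests-per-second, flags any second at or above 5x that baseline, and lists the top source IPs in each flagged second. Assumptions: the combined log format, timestamps with a numeric zone offset, and the sample log lines, which are constructed here using documentation address ranges.

```python
"""Flag per-second request spikes in nginx access logs against a baseline."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# nginx "combined" format; only the fields needed for detection are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line into ip, epoch second, request and status."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed lines are skipped rather than counted
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "second": int(ts.timestamp()),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def requests_per_second(lines: List[str]) -> Dict[int, Counter]:
    """Map each epoch second to a Counter of requests per source IP."""
    per_second: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[rec["second"]][rec["ip"]] += 1
    return per_second


def baseline_rps(quiet_lines: List[str]) -> float:
    """Median requests/second over a period known to be normal traffic."""
    counts = [sum(c.values()) for c in requests_per_second(quiet_lines).values()]
    return float(statistics.median(counts)) if counts else 0.0


def detect_floods(lines: List[str], baseline: float,
                  factor: float = 5.0, top_n: int = 3) -> List[dict]:
    """Return every second whose request count is >= factor * baseline."""
    anomalies = []
    for second, ips in sorted(requests_per_second(lines).items()):
        total = sum(ips.values())
        if baseline > 0 and total >= factor * baseline:
            anomalies.append({
                "second": second,
                "count": total,
                "top_ips": ips.most_common(top_n),  # candidates for blocking
            })
    return anomalies


def _line(ip: str, sec: int) -> str:
    # Constructed log line in nginx combined format (not captured traffic).
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"GET /api/items HTTP/1.1" 200 512 "-" "curl/8.0"')


# Constructed quiet period: two clients, one request each per second (2 req/s).
QUIET_LINES = [_line(ip, s) for s in range(10)
               for ip in ("198.51.100.1", "198.51.100.2")]

# Constructed incident: three normal seconds, then 12 requests in second 3,
# ten of them from a single source.
ATTACK_LINES = ([_line(ip, s) for s in range(3)
                 for ip in ("198.51.100.1", "198.51.100.2")]
                + [_line("203.0.113.7", 3) for _ in range(10)]
                + [_line("198.51.100.1", 3) for _ in range(2)])


if __name__ == "__main__":
    base = baseline_rps(QUIET_LINES)
    print(f"baseline: {base} req/s, threshold: {5 * base} req/s")
    for a in detect_floods(ATTACK_LINES, base):
        when = datetime.utcfromtimestamp(a["second"]).isoformat()
        print(f"{when}Z: {a['count']} req/s, top sources {a['top_ips']}")
```

In practice the baseline would come from a rolling window of recent traffic rather than a fixed sample, and the per-IP counters feed the block step only after the verify step has confirmed the spike is not legitimate load such as a product launch.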

Best Practices

  • Use CDN with DDoS protection (Cloudflare, AWS Shield)
  • Implement rate limiting at multiple layers
  • Design for graceful degradation
  • Auto-scale aggressively during attack
  • Geo-block non-served regions
  • Anycast network distributes load
