Not all attacks are equal: understanding and preventing DoS in web applications

46 points by ievans over 4 years ago

5 comments

lwansbrough over 4 years ago
Our business operates in a market that has a lot of wannabe hacker types: bored teenagers in the gaming community with the minimum knowledge required to order a DDOS. As such, we're very very careful about never leaking our IPs anywhere. This has been tricky at times but it's well worth it. Cloudflare has made our lives a lot easier as it handles the bulk of the requests. Still, a lot of what it takes to be DDOS resilient is just being able to scale to high concurrency very quickly: the ability to cache everything at every level, read-only mode, a CDN for everything including HTML when possible, API gateways and self-imposed rate limiting to third-party services. With that said, there's not much you can do if your IP leaks. Some often overlooked areas for IP leaks: user-generated content (your server makes a request to a URL specified by the user), or even sending an email (many services provide the origin sender IP - such as SendGrid - as a matter of policy, so we don't use those services).

Still to do: developing our own online ML-based monitor which can detect abnormal user behaviour before it becomes a problem (i.e. aggressive HTML scrapers, Burp Suite scans, etc.)
netsectoday over 4 years ago
This is very well written and practical. It's exactly how you think about security when you own a company. I'm guessing the author is/was holding a large amount of stock in Heroku/Salesforce.

Summary:

1. Don't publicly expose endpoints that are either slow or require a ton of resources.
2. If you can't get rid of a slow endpoint, put authentication in front of it so you have a lever to pull in the event of an attack.
3. Throttle / rate limit everything with high barriers so as not to impede normal traffic patterns.
4. Don't make it easy for someone to DoS you; reduce or eliminate well-known attack vectors and vulnerabilities.
5. Scan your app for regex and zip bombs.
6. The bad guys will sniff out your N+1 queries, so fix them.
7. If necessary: pay for DDoS mitigation from a cloud provider.
blackflame7000 over 4 years ago
Some of the best DDOS attacks work by sending data character by character as slowly as possible before the connection times out, so as to mimic extremely slow connections and consume handler threads. Also, HTTP/1.1 downgrade attacks can force the usage of more connections, especially if keep-alive is false.
js4ever over 4 years ago
Summary: add a rate limiter to your API endpoints to block DoS, and a CDN like Cloudflare to block DDOS.
daghan over 4 years ago
You can use the flask_limiter library for Flask.