It's actually sort of funny. Not for the receiving end, which would likely be able to negotiate or just suspend their service instead of owing $38k, but still. There should be a documentary on this if I'm being honest.<p>Today's topic: Content Delivery Networks that charge per request.<p>It's a common practice but it's horrific for smaller companies that can't negotiate contracts.<p>Fastly, CloudFront, Google Cloud CDN and more all charge for requests made to CDN deployments.<p>Vultr. Linode. Digital Ocean. And more. $5/month for a not too terrible server and 1TB of egress. Not a threat until you spam someone's CDN deployment. And no, I'm not talking about 1TB. I'm talking about sending 51 billion requests a month to CDN endpoints for $5/month. Want to mitigate that? That'll cost 10x the amount per request for Google Cloud Armor or Amazon WAF (not kidding). I'm sure this actually isn't a common practice, but it makes you wonder about the companies that switch from enterprise CDNs to Cloudflare...<p>HTTP stress testing software like wrk is wickedly powerful and insightful. WRK can easily send 20k requests per second per core. Find a resource small enough and it's game over for the receiving end. It can easily be used as a tool for your worst enemies. The only way to mitigate it is to host your own solution, like Varnish etc. or negotiate a contract with the CDN provider, which will cost hundreds or thousands of dollars a month. Not a likely solution for small to medium sized businesses.<p>Thoughts? Comments? Stories? Ideas?
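An added example, not part of the original post: a defender-side check that reads CDN access-log lines, finds each client's peak request rate, and projects what that rate would cost per month under per-request billing. The log format, the budget threshold, and the price per 10,000 requests are assumptions; the price is a placeholder chosen so that 20k requests/second reproduces roughly the post's $38k figure, not any provider's published rate.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

SECONDS_PER_MONTH = 30 * 24 * 3600
PRICE_PER_10K = 0.0075  # assumed placeholder price (USD), not a real provider's rate

def monthly_requests(rps):
    """Requests billed if `rps` requests/second is sustained for 30 days."""
    return rps * SECONDS_PER_MONTH

def projected_monthly_cost(rps, price_per_10k=PRICE_PER_10K):
    """Per-request bill (USD) for a sustained rate of `rps`."""
    return monthly_requests(rps) / 10_000 * price_per_10k

def parse(line):
    """Parse '<ISO timestamp> <client> <path> <status>' (constructed format)."""
    ts, client, _path, _status = line.split()
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), client

def flag_sources(lines, window_s=60, monthly_budget=50.0):
    """Return {client: (peak_rps, projected_cost)} for every client whose
    peak per-window rate, if sustained, would exceed the monthly budget."""
    buckets = defaultdict(Counter)  # window index -> per-client request count
    for line in lines:
        ts, client = parse(line)
        buckets[int(ts.timestamp()) // window_s][client] += 1
    peak = Counter()
    for counts in buckets.values():
        for client, n in counts.items():
            peak[client] = max(peak[client], n / window_s)
    flagged = {}
    for client, rps in peak.items():
        cost = projected_monthly_cost(rps)
        if cost > monthly_budget:
            flagged[client] = (rps, cost)
    return flagged

def sample_log():
    """Constructed sample: one noisy client and one ordinary visitor,
    both using documentation-range IP addresses."""
    lines = []
    for s in range(60):
        stamp = f"2024-01-01T00:00:{s:02d}"
        lines += [f"{stamp} 198.51.100.7 /pixel.gif 200"] * 50    # 50 req/s
        if s % 10 == 0:
            lines.append(f"{stamp} 203.0.113.9 /index.html 200")  # 0.1 req/s
    return lines

if __name__ == "__main__":
    for client, (rps, cost) in flag_sources(sample_log()).items():
        print(f"{client}: peak {rps:.1f} req/s -> ${cost:,.2f}/month if sustained")
```

Because the projection is driven by request count rather than bytes, a client fetching a tiny object is flagged long before it would show up on an egress graph.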
Small business here. I get hit with DDoS attacks (sometimes as large as 1 Gbps) frequently enough that I won't touch cloud services. I do use Backblaze and Wasabi for user uploads but I proxy them through Nginx (with local caching). My host, OVH, does OK filtering some of the obvious bad traffic, but application level DDoSs get through.<p>I don't really understand the CDN business. I've got a ~130ms ping to my web apps from where I am right now, and can't say I've noticed it compared to the 60ms ping I had before. If I put my stuff on a CDN, it speeds up loading static assets the first time the page loads (nice). But then I have to worry about the CDN going down and taking me with them, or getting my account disabled by some algorithm in the fraud department (see Cloudflare posts from last week). Seems like a high price to pay.
Most CDNs would be able to filter such traffic, especially if it comes from a single VM. On the other side, most cloud providers are also quite serious about these things and will cut you off once they notice you're using a VM to DDoS other systems, so you won't be able to do that for very long.
While S3 is not a CDN as such, it does have a feature called "Request payer" which means the requester pays for the request. It won't mitigate anything for public files, but it will mitigate DoS attacks through a third party.
We did an article about it 1 year ago!<p><a href="https://blog.kalvad.com/ddos-on-demand-how-to-properly-load-test-your-application/" rel="nofollow">https://blog.kalvad.com/ddos-on-demand-how-to-properly-load-...</a>
How does region locking work with a CDN? Do out-of-region requests count as chargeable requests?<p>If content is delivered through a CDN, can dynamic IP blocking with edge computing prevent requests from being "counted"?