What to do if they are attacking a project of mine?
Hello!
Yesterday I suffered an attack on one of my projects, they made 6 million requests in a very short time. Since I have the free plan, it will not cost me any money, I will only have to go a few weeks without sharing my projects.
In my case it will remain a funny experience, but I have friends who do have payment plans because they need it for their businesses.
Is there a configuration or something like AWS Network Firewall to mitigate or prevent this type of attacks?
18 Replies
Hello!
I'm sorry to hear about the attack on your project. Unfortunately, I wasn't able to find the answer to your question in the official Deno documentation. Deno's standard library and third-party modules may offer various solutions for handling web traffic and mitigating attacks, but specific features like AWS Network Firewall are not part of Deno's core functionality.
Based on the information you've provided, it sounds like you're looking for a way to protect your Deno applications from DDoS attacks. While I can't provide a solution based on the Deno documentation, I can suggest some general best practices:
1. Rate limiting: Implement rate limiting to restrict the number of requests a user can make in a certain time frame.
2. CAPTCHA: Use CAPTCHAs to verify that traffic is coming from humans and not automated bots.
3. IP blocking: Block or challenge IPs that are identified as sources of malicious traffic.
4. Cloud-based security services: Consider using cloud-based security services that offer DDoS protection.
Please note that this advice is not based on the Deno documentation, and I advise you to double-check the accuracy of the advice given. For a Deno-specific solution, you might want to explore third-party modules that could help with security concerns or consider implementing custom logic in your application to mitigate such attacks.
If you're running your Deno application behind a service like AWS, you might be able to use AWS-specific tools to help protect your application. However, you would need to consult AWS documentation or support for guidance on using their services.
Remember to stay vigilant and consider security best practices when developing and deploying your applications.
My site got hit too
This kind of protection needs to be built into the Deploy platform itself, as users of it we have no ability to prevent this, apart from putting some other gateway in front of it, but that kind of defeats the point of Deploy being a simple deployment platform.
@Sheik it's no coincidence that we both recently linked to our sites in the #showcase channel!
oh
Deploy doesn't have a rate limit setting or something?
Deploy enforces a quota on the free tier. We are planning on shipping a billing or usage cap early Q3 for paid accounts.
So the only thing we can do is add some captcha? If the limits are at the Requests level, it does not matter whether they complete the captcha, the request counts the same
I found that people usually put Cloudflare in front of the project.
It kind of defeats the point of what Deploy is meant to be, if you also have to deploy additional infrastructure in front of it. It's a hard sell to the rest of the company if it still needs that additional gateway. If we have to use Cloudflare to protect the site, then may as well just host with Cloudflare! Although I'd much rather just use Deno Deploy. This question about DDoS protection on Deploy has been raised many times in discord and in github, but the Deno/Deploy team seem to not want to engage in the discussion. It's THE elephant in the room with regard to Deploy adoption.
@Mark G FYI
@rbetts @cknight Yeah, I know that's the case, my site is now completely blocked due to that. DDoS protection needs to do more than that to protect us, by preventing quota exhaustion in the first place.
I know my account is free, and I don't expect everything for free, but we also pay for a pro account, I've been trialling Deno & Deploy a lot, with the view to introducing other paid users within our company, but with this situation as it is, I can't promote it in good faith.
Fair enough, just highlighting that by delivering billing/usage caps, it's a first step and public recognition of the issue.
Appreciate the feedback. There are a few things that we are thinking through.
Our first priority is to add commercial protection / financial exposure cap for pro users so they don't face run-away bills (though we would do our best to make those right commercially, a feature and a clearer policy is needed).
We're happy to forgive/reset quota on DoS attacks on free tier accounts when asked via support. We can also set up some reporting internally on quota exhausted responses and better monitor these occurrences.
Adding proactive DoS protection is a third option. This is significantly more work/dev-time and so far we prefer to resolve these incidents via a support process, which perhaps we can better automate as mentioned above. This is more a matter of roadmap prioritization as we decide where to spend our development time for the best impact.
This is great to hear, thanks for sharing. I think people have significant concerns as there is no public policy or recognition from Deno around this and users feel it's on them to take the risk and impact of a DoS attack, while frustrated that this doesn't appear to be a priority. Publicly recognising the issue and documenting the above (a DoS policy and potential roadmap) would go a long way towards giving people more confidence on this subject. Finally, in lieu of your own option 3 WAF/DoS protection, official documentation (or link to the existing article above) on setting up such protection via other providers like Cloudflare would again boost confidence. Many folk are likely unaware of that possibility or unable to configure it on their own without help/documentation. Keep up the great work!
Hello! I very much appreciate the time you are dedicating to your responses.
Although I personally only use Deno for hobby projects, I would like to reset part of the quota (I don't usually exceed 200 requests per month). I can't find how I can contact via support, could you tell me how to open a ticket?
How is this quota enforced? What responses can requests expect when the quota is reached?
I was just attacked as well here, thankfully I saw it and set up Cloudflare, am on a pro account.
Also had shared Fresh site in Showcase channel.
Just got attacked. The ability to prevent attacks in Deploy is so needed.