What to do if they are attacking a project of mine?

Hello! Yesterday I suffered an attack on one of my projects; they made 6 million requests in a very short time. Since I have the free plan, it will not cost me any money, I will only have to go a few weeks without sharing my projects. In my case it will remain a funny experience, but I have friends who do have payment plans because they need it for their businesses. Is there a configuration or something like AWS Network Firewall to mitigate or prevent this type of attack?
Deno AI Helper 42d ago
Hello! I'm sorry to hear about the attack on your project. Unfortunately, I wasn't able to find the answer to your question in the official Deno documentation. Deno's standard library and third-party modules may offer various solutions for handling web traffic and mitigating attacks, but specific features like AWS Network Firewall are not part of Deno's core functionality.

Based on the information you've provided, it sounds like you're looking for a way to protect your Deno applications from DDoS attacks. While I can't provide a solution based on the Deno documentation, I can suggest some general best practices:

1. Rate limiting: Implement rate limiting to restrict the number of requests a user can make in a certain time frame.
2. CAPTCHA: Use CAPTCHAs to verify that traffic is coming from humans and not automated bots.
3. IP blocking: Block or challenge IPs that are identified as sources of malicious traffic.
4. Cloud-based security services: Consider using cloud-based security services that offer DDoS protection.

Please note that this advice is not based on the Deno documentation, and I advise you to double-check the accuracy of the advice given. For a Deno-specific solution, you might want to explore third-party modules that could help with security concerns or consider implementing custom logic in your application to mitigate such attacks.

If you're running your Deno application behind a service like AWS, you might be able to use AWS-specific tools to help protect your application. However, you would need to consult AWS documentation or support for guidance on using their services. Remember to stay vigilant and consider security best practices when developing and deploying your applications.
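Added example, not part of any post in this thread and not Deno's own code: a per-client token-bucket rate limiter of the kind item 1 above describes, with a hard cap on tracked clients so that a flood from many addresses cannot exhaust memory. The class and method names are hypothetical, and the state is in-process memory only, so each running instance keeps its own counters; the limiter reduces the work done per rejected request but does not stop the requests from arriving at the platform.

```typescript
// Added example, not code from the thread. All names are hypothetical.
interface Verdict { allowed: boolean; retryAfterSec: number }
interface Bucket { tokens: number; lastMs: number }

class TokenBucketLimiter {
  private buckets = new Map<string, Bucket>();
  private capacity: number;     // burst size per client
  private refillPerSec: number; // sustained requests per second
  private maxClients: number;   // hard cap on tracked keys

  constructor(capacity: number, refillPerSec: number, maxClients: number) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.maxClients = maxClients;
  }

  check(key: string, nowMs: number): Verdict {
    let b = this.buckets.get(key);
    if (b === undefined) {
      // Bound memory: a flood from many addresses must not grow the map forever.
      // Trade-off: an evicted client starts over with a full bucket.
      if (this.buckets.size >= this.maxClients) {
        const oldest = this.buckets.keys().next().value;
        if (oldest !== undefined) this.buckets.delete(oldest);
      }
      b = { tokens: this.capacity, lastMs: nowMs };
      this.buckets.set(key, b);
    }
    // Refill in proportion to elapsed time, never above capacity.
    const elapsedSec = Math.max(0, nowMs - b.lastMs) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.lastMs = nowMs;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, retryAfterSec: 0 };
    }
    const wait = Math.ceil((1 - b.tokens) / this.refillPerSec);
    return { allowed: false, retryAfterSec: wait };
  }

  trackedClients(): number { return this.buckets.size; }
}

// Wiring sketch for a Deno handler (commented out so the block runs anywhere):
// const limiter = new TokenBucketLimiter(20, 5, 10_000);
// Deno.serve((_req, info) => {
//   const v = limiter.check(info.remoteAddr.hostname, Date.now());
//   return v.allowed ? new Response("ok") : new Response("Too Many Requests",
//     { status: 429, headers: { "Retry-After": String(v.retryAfterSec) } });
// });
```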
Mark G 42d ago
My site got hit too
Mark G 42d ago
This kind of protection needs to be built into the Deploy platform itself, as users of it we have no ability to prevent this, apart from putting some other gateway in front of it, but that kind of defeats the point of Deploy being a simple deployment platform. @Sheik it's no coincidence that we both recently linked to our sites in the #showcase channel!
Sheik 42d ago
oh
Leokuma 41d ago
Deploy doesn't have a rate limit setting or something?
rbetts 41d ago
Deploy enforces a quota on the free tier. We are planning on shipping a billing or usage cap early Q3 for paid accounts.
Sheik 41d ago
So the only thing we can do is add some captcha? If the limits are at the Requests level, it does not matter whether they complete the captcha, the request counts the same
Esente 41d ago
I found that people usually put Cloudflare in front of the project.
Mark G 41d ago
It kind of defeats the point of what Deploy is meant to be, if you also have to deploy additional infrastructure in front of it. It's a hard sell to the rest of the company if it still needs that additional gateway. If we have to use Cloudflare to protect the site, then may as well just host with Cloudflare! Although I'd much rather just use Deno Deploy. This question about DDoS protection on Deploy has been raised many times in discord and in github, but the Deno/Deploy team seem to not want to engage in the discussion. It's THE elephant in the room with regard to Deploy adoption.
cknight 41d ago
@Mark G FYI
Mark G 41d ago
@rbetts @cknight Yeah, I know that's the case, my site is now completely blocked due to that. DDoS protection needs to do more than that to protect us, by preventing quota exhaustion in the first place. I know my account is free, and I don't expect everything for free, but we also pay for a pro account, I've been trialling Deno & Deploy a lot, with the view to introducing other paid users within our company, but with this situation as it is, I can't promote it in good faith.
cknight 41d ago
fair enough, just highlighting that by delivering billing/usage caps, it's a first step and public recognition of the issue.
rbetts 41d ago
Appreciate the feedback. There are a few things that we are thinking through. Our first priority is to add commercial protection / financial exposure cap for pro users so they don't face run-away bills (though we would do our best to make those right commercially, a feature and a clearer policy is needed). We're happy to forgive/reset quota on DoS attacks on free tier accounts when asked via support. We can also set up some reporting internally on quota exhausted responses and better monitor these occurrences. Adding proactive DoS protection is a third option. This is significantly more work/dev-time and so far we prefer to resolve these incidents via a support process, which perhaps we can better automate as mentioned above. This is more a matter of roadmap prioritization as we decide where to spend our development time for the best impact.
cknight 41d ago
This is great to hear, thanks for sharing. I think people have significant concerns as there is no public policy or recognition from Deno around this and users feel it's on them to take the risk and impact of a DoS attack, while frustrated that this doesn't appear to be a priority. Publicly recognising the issue and documenting the above (a DoS policy and potential roadmap) would go a long way towards giving people more confidence on this subject. Finally, in lieu of your own option 3 WAF/DoS protection, official documentation (or link to the existing article above) on setting up such protection via other providers like Cloudflare would again boost confidence. Many folk are likely unaware of that possibility or unable to configure it on their own without help/documentation. Keep up the great work!
Sheik 41d ago
Hello! I very much appreciate the time you are dedicating to your responses. Although I personally only use Deno for hobby projects, I would like to reset part of the quota (I don't usually exceed 200 requests per month). I can't find how I can contact via support, could you tell me how to open a ticket?
lia 39d ago
How is this quota enforced? What responses can requests expect when the quota is reached?
rpeterson 36d ago
I was just attacked as well here, thankfully I saw it and set up Cloudflare, am on a pro account. Also had shared Fresh site in Showcase channel.
Northern Savage 26d ago
just got attacked. the ability to prevent attack in Deploy is so needed