Opened 8 days ago

Last modified 8 days ago

#15376 assigned Question/How do I...?

Question about DDoS protection

Reported by: William Sean Taylor Owned by: JaimeV
Priority: Low Component: Tech
Keywords: ddos Cc:
Sensitive: no

Description

Fund Texas Choice has been undergoing a security review. One question came up about how to protect our website from a DDoS attack. I've been searching the docs and tickets for information about how to perhaps enable some form of protection through MayFirst, but I can't find anything definitive. I did find a MayFirst presentation from 2016 recommending Deflect, which is the same provider we're considering if MayFirst doesn't offer protection just through membership. So my question is, does MayFirst provide options for DDoS protection? If so, how do I turn it on? If not, is there anything in particular on MayFirst's end that we'll need to know/do to set things up with Deflect (I'm assuming most of it will be through their docs, but just in case)? Thanks for your help!

Change History (1)

comment:1 Changed 8 days ago by JaimeV

Owner: set to JaimeV
Status: newassigned

Hi William,

Unfortunately we don't have an inhouse DDoS protection service. We are working on a new version of our infrastructure that will allow us to add some additional measures but we don't currently have the resources to maintain the huge array of proxy servers like those used by Deflect. We do have several members who use Deflect for DDoS protection and host the actual site (origin server) with us.

One thing we have learned is that sites going through Deflect actually benefit greatly by additionally routing through our own caching server. Normally we have several mechanisms in place to block malicious traffic like brute force login attempts and over aggressive bots that don't necessarily constitute a full blown DDoS attack, but we are forced to whitelist all traffic that comes form Deflect's server which means some of that bad traffic can then overload our servers. Routing through our caching server gives us an additional chance to filter out stuff that Deflect has not and a little content caching can also greatly increase the responsiveness of your site.

If you are going to get setup with Deflect I would suggest we first set up fundtexaschoice.org to route through our caching server on dolores.mayfirst.org

Last edited 8 days ago by JaimeV (previous) (diff)

Please login to add comments to this ticket.

Note: See TracTickets for help on using tickets.