Question

My understanding is that CloudFlare is a CDN that specializes in thwarting DDoS attacks for web apps; that it basically creates a read-only "cache" of your entire app so that, if you are DDoSed, your users can still access portions of your app and not experience a total denial of service.

My understanding of Dynamic DNS is that it is a technology that somehow allows you to immediately change the DNS settings of your web app URL without having to wait the standard 24 hours for DNS changes to "ripple out" over all the DNS servers in the world and take effect.

So first off, if anything I have said so far is misguided or incorrect, please begin by correcting me!

Assuming I am more or less correct, I'm trying to protect my web app (as best as I can) against DDoS attacks.

For one, I have decided to host my app with either Google App Engine or Heroku (haven't made the final decision yet), and I have to imagine that their IT staff is fully prepared to scale up/handle if my app is DDoSed while deployed to their servers.

Unfortunately for me, that means they'll scale up and handle the attack (!), which means my billing would soar through the roof and I'd be out of business (I guess that's called a "cash attack"!).

So I need a solution that handles both of the following scenarios:

  • The DDoS is enormous, and even Google/Heroku say "enough is enough", we're not supporting this load!
  • I specify a billing "ceiling" (which both Google and Heroku provide), and after that ceiling is reached, I somehow redirect traffic to my CloudFlare/read-only web app hosted elsewhere

I suspect I will need to use Dynamic DNS somehow to handle the 2nd scenario, but without knowing how most web apps fortify themselves against DDoSes (i.e. I've heard of so-called "bastion hosts"?!?) I'm not even sure if I'm heading down the right path or not. Thanks in advance!


Solution

Some minor corrections: Heroku will not scale your app for you nor does it provide the ability to specify a billing ceiling. You should implement the appropriate monitoring and alerting strategy depending on how you want to react to specific scenarios.

Preventing DDoS attacks is not something most app developers concern themselves with - but perhaps you're in a particularly susceptible domain? If so, a service like CloudFlare that does this automatically is a good option. You set your DNS to use their nameservers and they handle the IP address assignments on your behalf and in response to various threats and other optimization opportunities.

OTHER TIPS

First off, Dynamic DNS isn't what you describe it as. Each DNS server can set the timeout for its records to whatever it wants; shorter timeouts make changes propagate faster, but result in more load and higher latencies for users. Dynamic DNS is a set of services to allow users with dynamic IPs (e.g., on consumer internet connections) to have stable DNS names. Dynamic DNS has little to nothing to do with a web application hosted somewhere professionally like Heroku or App Engine.

App Engine will handle both the things you ask about. You can specify a daily billing ceiling, and if your app goes over that, it will be shut down and serve over quota errors instead of billing you for more. The Google infrastructure may deny obviously abusive requests, but provides no promises; however, App Engine does provide a DoS/Blacklist API, which allows you to blacklist specific IP ranges that are the sources of abuse to prevent their traffic from reaching your app.

Cloudflare purports to help with this in the way you described, by acting as a CDN and caching parts of your app. However, it has its own caveats. Because all traffic now travels via Cloudflare, all dynamic requests have additional latency because of the extra hop. You also lose valuable information about the true origin of a request, since all requests appear to your app to come from Cloudflare servers. Finally, it's even possible for Google infrastructure to mistakenly identify Cloudflare as an abusive service in a situation where it ends up forwarding abusive traffic, in which case all your users can end up without service.

It's my personal opinion that Cloudflare isn't of much use for App Engine, and can even be harmful. Pretty much everything they offer is already provided by App Engine, or can be built into a well written App Engine app.
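
Two points in the answer above are worth seeing in code: the App Engine blacklist of abusive IP ranges, and the loss of the true request origin once everything arrives from CDN edge servers. The following is an added example, not code from the question, the answers, App Engine or Cloudflare. It shows how an app behind a CDN should recover the client address before applying any block list: the forwarding header (Cloudflare sets `CF-Connecting-IP`; the generic one is `X-Forwarded-For`) is trusted only when the TCP peer is one of the CDN's own ranges, otherwise a client connecting directly could spoof it to evade a block or get a victim's address blocked. The proxy ranges and the block list below are constructed placeholders (documentation prefixes), standing in for the CDN's published ranges and for the ranges one would otherwise put in the platform's blacklist configuration.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholders (RFC 5737 / RFC 3849 documentation prefixes) standing in
# for the CDN's published edge ranges. In production this list must be fetched from
# the provider (for Cloudflare: https://www.cloudflare.com/ips-v4 and /ips-v6) and
# refreshed periodically, never hard-coded.
TRUSTED_PROXY_RANGES: list[IPNet] = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",
    "2001:db8:cdef::/48",
)]

# Constructed placeholder block list: the kind of source ranges one would otherwise
# blacklist at the platform level (App Engine's DoS configuration) or in the app.
BLOCKED_RANGES: list[IPNet] = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",
    "192.0.2.77/32",
)]


def _in_any(addr: IPAddr, nets: Iterable[IPNet]) -> bool:
    # Mixed-version comparisons (v4 address vs v6 network) are simply False.
    return any(addr in net for net in nets)


def _parse(value: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def real_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the address to use for block lists and rate limits.

    peer_ip is the address of the TCP connection; headers are the request
    headers as received. Forwarding headers are honoured only when the peer
    itself is a trusted proxy.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXY_RANGES):
        # Direct connection (or a request bypassing the CDN): any forwarding
        # header is attacker-controlled, so the peer is the client.
        return str(peer)

    h = {k.lower(): v for k, v in headers.items()}

    # Cloudflare-specific header carrying the connecting client's address.
    cf = _parse(h.get("cf-connecting-ip", ""))
    if cf is not None:
        return str(cf)

    # Generic fallback: walk X-Forwarded-For from the right, skipping hops that
    # are trusted proxies; the first other address is the client. Walking from
    # the left would trust a value the client itself prepended before the CDN
    # appended the real address.
    for hop in reversed(h.get("x-forwarded-for", "").split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # empty or malformed chain: stop trusting it
        if not _in_any(addr, TRUSTED_PROXY_RANGES):
            return str(addr)
    return str(peer)


def should_block(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Apply the block list to the recovered client address, not the peer."""
    client = ipaddress.ip_address(real_client_ip(peer_ip, headers))
    return _in_any(client, BLOCKED_RANGES)


if __name__ == "__main__":
    # Constructed requests: one through the CDN, one spoofing the header directly.
    via_cdn = ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.5"})
    direct_spoof = ("192.0.2.50", {"CF-Connecting-IP": "198.51.100.5"})
    for peer, hdrs in (via_cdn, direct_spoof):
        print(peer, "->", real_client_ip(peer, hdrs), "blocked:", should_block(peer, hdrs))
```

Note the second sample request: the same spoofed `CF-Connecting-IP` header arriving on a direct connection is ignored, so the block decision is made on the actual peer. For the same reason an origin behind a CDN should also restrict inbound connections to the CDN's ranges at the firewall, otherwise the attacker simply goes around the CDN and the header logic never matters.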

I work at Incapsula. Like CF we also provide Cloud based security and acceleration services, including DDoS mitigation. The services are pretty similar, both are very good and CF is more acceleration oriented while we are more security focused.

(Just Google "Incapsula and Cloudflare review" to see some comparative user reviews)

First of all I wanted to say that, as far as I know (and please correct me if I'm wrong), like Incapsula, CF also provides DDoS mitigation by deflation. This basically means "swallowing up" all extra traffic while having the site 100% functional throughout the attack.

This type of protection goes beyond web application layer and provides a DDoS safe-net that will handle any type of DDoS related scenario. (just as long as the available "pipe" can handle the extra incoming traffic)

In our case this Anti-DDoS solution comes paired with a PCI compliant WAF, so you are also safe at the application level.

Also, payment wise, we will provide you with the DDoS mitigation "ceiling" based model you are looking for.

Meaning, you can determine - in advance - the max amount of DDoS protection you want to have and pay only for that amount.

In case of deviation, we will contact you and let you decide, either to pay for extra traffic or to say "enough is enough" and wait for the storm to pass.

Also, I wanted to address the comment about Google related blacklisting.

This is a valid concern but here at Incapsula we manually submit all our IP ranges for Google evaluation. This eliminates any fears of SE blacklisting. I'm actually very confident about this as I covered this topic in a recent blog post about Cloud CDN related Myths, and with 6+ years of SEO experience (including Senior Adviser and Department Manager) I'm pretty certain that I have the right facts.

If nothing else, in our 2.5 years of experience, we never had any incident of client blacklisting.

From what I've read CF also does the same for all their IPs.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow