Two Weeks Of DDOS Attacks - Did We Survive?

CHECK OUT VERCEL AND UPSTASH BECAUSE THEY KEPT US ALIVE THROUGHOUT THIS
vercel.com/?ref=theo
upstash.com/?

You should make a dedicated video about DDoS-protection on the T3 stack, as clearly there is a possibility of creating unreasonable cost for the service provider and not everyone will have their bill refunded. You mention as a side note that you could put rate limiting on each route for a personal CloudFlare, maybe you expand on that and/or provide a package as framework for that.

We had a DDoS attack about a year ago where it was about ~10TB/minute and we are hosted behind cloudflare, so just couple clicks inside cloudflare panel (there is a button "we are under attack") and this attack is gone, next minute I checked where is it comes from and every single IP of attack came from outside of my country (No one wants to ddos from same country or your business since police could investigate it and attacker could end up in jail), so I did just enabled captcha for any request form outside of my country (since our business doesnt have international customers) and disabled "we are under attack" and never had an issues since then while they still trying (one year later). So may be something like cloudflare could help you.

Either they bought botnet time and it costed them money directly; or they used their own botnet (instead of renting it to other people during this time), and that's money they could have earned but didn't. So the result is the same : it cost them money. Probably a decent amount.
Which I find hilarious considering the ridiculous impact they had.

This happened to me too! It might not have been targeted towards you because it happened to a test deployment of mine which didn't even have any real traffic. It was also on Vercel, and I get blocked pretty quickly (although support helped me get unblocked)
Edit: My attack caused 462 GB-Hrs within like 20 minutes

Who has that much time to waste on a DDOS attack that gains them absolutely no benefits? It's clear that your tech stack handled the attack quite well, it didn't even cost you much at all. If you get enough views you'll probably even get money out of this video that they helped create. Someone really hated you, lol.

This video got hundreds of hits in the first few minutes. Maybe your TH-cam is getting DDOS’d 😮

I am glad that there is an official report, from the DDOS Foundation, on this incident and that Theo is now a part of it! 👍😉

You got lucky because you are publicly sponsored ... but this brings up a BIGGER point. When you pay for metered services, the providers NEED to indemnify you against DDOS attacks or other potentially ruinous events. This could be a huge selling point, because not all services have built in caps. As a matter of experience, I witnessed a peer who used AWS, his application while still in beta had a memory leak and AWS sent him a $13k bill. Insane! Risk avoidance is important to any business especially if there is no ceiling or price cap. As someone who uses these services this keeps me up at night.

Did Vercel give more details? Such as if the IP addresses were all from the same IP block or dispersed across many, whether or not they were residential IPs, their own IPs, IPs from other cloud providers, etc, geolocation lookups of the IPs? All of this seems like it would be super useful to know about to prevent future attacks both for you and them

The key is that you need to rate limit these attacks whether you use server or serverless. So this demonstrates serverless has tools to handle it. Ofc if you had a server and rate limited it could handle it too. Re one of your last statements, it doesn’t mean servers would’ve been worse. It means not rate limiting would’ve been bad, server or serverless

Love that the stack you are recommending is the one that you use for your stuff.
I can imagine that the people behind this were just absurdly annoyed that you are recommending tools that don't fit their certificates or what they consider is the "right move".

Considering that one 10gbit server can (in theory) handle 1.5tb raw traffic (in 20min) I don't believe that this was a big DDOS attack. Also I believe that having multiple cheap vps with high bandwith automatically deployed when needed, would be probably way cheaper than vercel.
Obv. the developer experience will be worse, especially when setting all the servers up or other cluster related issues occure.

It is actually really cheap to buy residential proxies (pools with millions of IP addresses) and then use them to bombard requests to services. These residential proxies exist to enable scraping of SERP content as well as regular sites with hardened DDOS protections. Some residential proxy services also bypass recaptchas (using AI and sometimes even humans) for premium. Residential proxies have legitimate use cases but can be misused to create botnets too. That is what I am suspecting is happening here. They haven't actually paid for those 600 IPs. Rather, they are tapping into a pool of million IPs provided by residential proxy services.

If you weren't on the pro license and sponsored by vercel this might have been a different story. I can imagine a normal person would have to suck up the big fees or take down their application

Side note - The vid I'm most looking forward to is the one you mentioned about syncing clerk with your own db 🙂

I think both CloudFlare and Linode (Akamai CDN) has ddos protection included.

This was not even that big of an attack. The traffic is literally less than 1 GB per second. If anything this was a skid attack which is further supported by them literally just loading one JS file over and over. This wasn't a DDOS attack, this was some kid trying out their $5 booter.

Love it, keep them coming

huh, so vercel has no rate limitting by default? I would have expected a managed service to handle this, not have me set up my own edge middle ware (upstash?)
It doesn't look good on their part

It was probably @theprimeagen...

It would be great to know how to prevent a DDOS attack against AWS and GCP (Cloud Run and Cloud Functions).

Would be good to get an in depth video on the specifics of how you (or the tech) delt with it 🙏

I mean, having a punchable face and arrogant personality is bound to provoke someone when exposing yourself to thousands of strangers. Even so, it takes some extra thick emotional issues to waste any amount of time and resources to get revenge on a parasocial relationship.

>>> I think it’s quite impossible to take us down with this stack
Bro, you’ve just broke the main rule of opsec 😅😅

That would be an awesome tutorial setting up ddos protection using upstash

Honestly Theo, now I am very relaxed about the decision of using T3 Stack and the services you recommend us. If even Chirp handled this insanity! Then we’re in safe hands as Solo-preneurs 😊

Is it me, but why are they are targeting static assets? I mean if you want to increase Theo's bill, DDoS the api route which has the upstash rate limiter as well? It will cost him 0.20 cents - 0.40 cent per 100k request for upstash and probably far more for serverless/edge functions on vercel. Thus sending 100 milion request will at least cost 1000 * 0.20 + 500 GB hours ( 5*40) = 400 dollar + rest of vercel

Can you do a more in depth video on how to stop DDOS and other random attacks?

Wouldn't surprise me if some from /g/ were part of this, your videos have started making thier rounds over on the board.

at what point does vercel consider the requests as a ddos attack do they use any tools? what happens if a tiny dev's app gets ddossed, would vercel refund 100% of the money by all requests that day? how long do they take to answer from the point where you're under attack to when the situation gets resolved?

your hair looks majestic dude !!!

It's laughable how much the attacker likely spent vs what you incurred. Perfect example of mitigation, you can't stop it from happening, you have to make it too expensive for bad actors to continue.

Where is redis in your data fetching flow?

if you're putting the upstash ratelimiter infront of everything, how are you not hitting ratelimits on upstash?

Can someone describe the AWS scenario? What would have happened and how to do rate limiting?

Can you not put a Vercel site behind a Cloudflare proxy?

I have a question. Are those people generating these attacks going to be held accountable or there are ways to generate botnets attack and get away with it

Yep, serverless rocks. Won't ever go back to dedicated hardware

Good stuff.

upstash rate limit is good for backend but what about fronted to save from ddos attack

dude, im sold on this platform you are using.. what a way to advertise..

This won me over!

How much would it have cost? Isn’t the point they were making is that on demand computing can make your costs sky rocket?

DDOS is my main concern with Serverless. With an nginx proxy you can get sub 1ms 503 responses in a DDOS and cap the number of requests per IP so that it doesn't touch your actual app code when it happens. So for a free or cheap server vs a Serverless platform, at least getting started out, I know someone can't rack up costs for me.

Wow! Holy crap!

ddos a static file :genius:

Jeff Bezos hired DDOS assassins to protect his stack

I can't imagine that someone decided to waste any significant ammount of money doing this. I'm wondering how they had access to 600 static ip addresses.

6:09 I dont understand this part. Why would you fare worse if you had actual servers? They have rate limiting and IP blacklisting as well

Where is your video on the rate limiting with UpStash?

Theo makes a video about Twitch dying then gets DDOS’d hmmm… 😂 all jokes aside your services handled well!

this is a pretty cool vercel ad to be honest.

How much did it actually cost you?

Does anyone have any examples of using upstash's rate-limiter with tRPC?
Been using it more, and I haven't really gotten around the concept of how rate-limiting could be added to it. It most likely would be done via a middleware, but just putting up the flag for any existing repos that have it.

What do you think about IP based rate limiters? Would they prevent such attacks? That's the only protection I have against DDOs.

But, what exact cost for you of this DDOS attack?

What contents do you have about Vercel?
I guess we all have some app to protect.

How do you know the attackers have used static IP addresses?

it migth be done from the rust foundation

we got ddosed, and vercel did nothing. 6.8TB

Just wondering why it’s costing the attacker more? The hundreds of IPs used by the botnet are probably someone else’s.

Because you were Ddosed you have got a subscriber.

Would a simple solution be - count how many requests for each IP address, and if it goes above 100 per second you block them?

Theo what are these thumbnails 😂

1400 GB costs USD 180 on Vercel. (First 1000 is USD 20)
What're you talking about?!

Nice promotional video :-)

Who has the resources to pull this off? Amazon does, that's who...

Absolutely hilarious that some people will spend thousands out of pure spite for absolutely nothing. Still, I can't help but be skeptical of these new cloud providers you're showcasing. When the 'growth' period ends and the 'taking profits' period begins, is it still going to be more attractive than AWS? We'll see!

It was probably the angular team trying to make t3 look bad.

Oh nice!! Long live rate limiting.

People can be nasty, that’s why it’s better sometimes to build in private. Oh and good for you man the infrastructure really held up

Gotcha

i see what you did there

Instead of bringing down your services, they just gave you a topic to talk about? hilarious!!

Must be rust foundation

How would you be dead if you had actual servers running this? Wouldnt it be better because then you wont get charged a lot of money? Thanks for helping a newb like me understand

introducing captchas might also help.

Well you sold me on Vercel thats for sure.

Did Vercel try to charge you?

Vercel needs bun

Primeagen testing out his Rust pen test code?

"impossible to take down our services" my guy, you are challenging the wrong community here 😂, and for those that say it cost them money, ego doesn't care about money. We do things some time just to prove that we can, no need to hate you to do something like this (I'm not saying I'm even capable of this), but if i could, i wouldn't do it because hate, but ego or passion, and seems you already have enough of both

👍

If the haters attack again, please have a bowtie for the next vid.

I thought hacker is always smart, they absolutely stupid in this case.

oof

Considering how much this cost the attackers and how little it affected you, it had to be someone with disposable income.
Seems like Elon wants to get his revenge after you told him how ads work.

Seems someone's back-end needs Rust Framework 😊
Edit: idk why my reply multiple times got deleted. so i am sorry, i cant explain due to no freedom of speech

Haters are just mad you can beat them in games of skate and they are mongo

lmao they literally gave you content

no they didnt burned 500 slots. you burned yourself 500 slots and from all that who knows how many of them was players:))