I need DDoS protection because they get hit nearly daily (esports/gaming related; this is par for the course in this vertical).
I can't pay per GB because of the DDoS protection portion - the last time I used AWS/Cloudfront the skids just wget looped on a hundred thousand threads in the most expensive per-GB region. Cloudflare is basically the only "CDN" that I can feasibly use for even just images. I'm happy to pay, but unmetered only.
I deliver via SSL but there is close to no PII, I don't mind that much about the MITM factor.
Lower layer protection against volumetric floods is needed (standard attacks, all UDP needs to be dropped as high up as possible), but also L7 protection is needed - not vulns/XSS/SQLi/etc, but we're talking bursts of 10m-20m+ req/s to whatever the most expensive endpoint is (usually search), registration attempts, if any third party APIs are used, the intent is to exhaust as many calls as possible or deny service in the end.
I have a stupid amount of nginx and custom lua rules + redis trying to clean up whatever gets passed through, things like "if IP has shown over 40 different user agents in the last 2 minutes, drop it as high up as possible, ideally before it enters my network" and "if this user agent contains Chrome but the request headers don't accept sdch then this is a flood".
The commercial/for-profit larger sites in this group are behind Akamai and Distil. Both of these cost $comedy.
This level of bullshit is fairly normal for video games.
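The "over 40 different user agents from one IP in 2 minutes" rule described above, as an added example (not the poster's own nginx/lua rules): a sliding-window distinct-UA counter fed from access-log lines. The log format, the IPs and the in-memory dict standing in for a per-IP Redis sorted set are all constructed assumptions for this illustration.

```python
import re
from collections import defaultdict

# Thresholds from the post: more than 40 distinct User-Agents per IP within 2 minutes.
WINDOW_SECONDS = 120
MAX_DISTINCT_UAS = 40

# Constructed (hypothetical) access-log format: <epoch_seconds> <client_ip> "<user_agent>"
LOG_RE = re.compile(r'^(\d+) (\S+) "([^"]*)"$')


class UARotationDetector:
    """Per-IP sliding window of distinct User-Agent strings.

    Stand-in for the Redis pattern such a lua rule would typically use: one sorted
    set per IP with member = UA and score = last-seen time, expire old members, count.
    Here that is an in-memory dict {ip: {ua: last_seen}}; the comments mark the
    equivalent Redis command for each step (assumed mapping, not the poster's code).
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_UAS):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(dict)

    def observe(self, ip, ua, ts):
        """Record one request; return True if this IP has crossed the limit."""
        bucket = self.seen[ip]
        bucket[ua] = ts                                   # ZADD <ip> <ts> <ua>
        cutoff = ts - self.window
        for stale in [u for u, t in bucket.items() if t < cutoff]:
            del bucket[stale]                             # ZREMRANGEBYSCORE <ip> -inf <cutoff>
        return len(bucket) > self.limit                   # ZCARD <ip> > limit


def flagged_ips(log_lines, detector=None):
    """Replay log lines through the detector; return the set of IPs that tripped the rule."""
    detector = detector or UARotationDetector()
    flagged = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                      # skip malformed lines
        ts, ip, ua = int(m.group(1)), m.group(2), m.group(3)
        if detector.observe(ip, ua, ts):
            flagged.add(ip)
    return flagged


# Constructed sample traffic: one IP rotates 41 UAs inside a minute (should trip),
# one sends a single UA repeatedly, one rotates 41 UAs spread over 10 minutes (never
# has more than a handful inside any 2-minute window, so it must not trip).
SAMPLE_LOG = (
    [f'{1000 + i} 203.0.113.5 "UA-{i}"' for i in range(41)]
    + [f'{1000 + i} 198.51.100.9 "Mozilla/5.0 Chrome"' for i in range(60)]
    + [f'{1000 + i * 15} 192.0.2.7 "UA-{i}"' for i in range(41)]
)

if __name__ == "__main__":
    print(sorted(flagged_ips(SAMPLE_LOG)))  # ['203.0.113.5']
```

In production the verdict would feed an nginx deny action or, as the post prefers, an upstream block list so the IP is dropped before it reaches the origin.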