[liberationtech] query

[Chris Palmer]

On Nov 3, 2010, at 5:52 AM, Ronald Deibert wrote:

> knows of a best practices document or website that offers guidance on a) protection, b) minimization of
> damage and c) post-atttack response that their webmaster can study?

Cloud providers such as Google App Engine, Amazon AWS/S3, et alii can afford to protect against DDoS, and you definitely can't.

The thing about DDoS is that it's the dumb way to DoS a site --- there are usually far more effective application-level DoS vulnerabilities available. Of course, that's little comfort if you're being targeted by DDoS, but the point is that if you make DDoS harder for attackers by moving your app/site into the cloud, they'll move up to app DoS.

So, find ways to make the site more efficient in: database access, filesystem access, network I/O, and CPU time. Almost all sites can make significant improvements in these areas, with lots of juicy low-hanging fruit. Steve Souders' book (http://oreilly.com/catalog/9780596529307) is a good resource.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation