For $5/mo, you can steal $38,000/month from your enemies
Today's topic: Content Delivery Networks that charge per request.
It's a common practice but it's horrific for smaller companies that can't negotiate contracts.
Fastly, CloudFront, Google Cloud CDN and more all charge for requests made to CDN deployments.
Vultr. Linode. Digital Ocean. -and more. $5/month for a not too terrible server and 1TB of egress. Not a threat until you spam someone's CDN deployment. And no, I'm not talking about 1TB. I'm talking about sending 51 billion requests a month to CDN endpoints for $5/month. Want to mitigate that? That'll cost 10x the amount per request for Google Cloud Armor or Amazon WAF (not kidding). I'm sure this actually is't a common practice, but it makes you wonder about the companies that switch from enterprise CDNs to Cloudflare.......
HTTP stress testing software like wrk is wickedly powerful and insightful. WRK can easily send 20k requests per second per core. Find a resource small enough and it's game over for the receiving end. It can easily be used as a tool for your worst enemies. The only way to mitigate it is to host your own solution, like Varnish etc. or negotiate a contract with the CDN provider, which will costs hundreds or thousands of dollars a month. Not a likely solution for small to medium sized businesses.
Thoughts? Comments? Stories? Ideas?
23 comments
[ 4.8 ms ] story [ 59.4 ms ] threadTL;DR Do your own content distribution and app firewall solution. It's cheaper and it'll perform better. That's why Facebook and the big guys aren't using cloud services. Even Google uses their own private networks. CDN's are a scam if they're charging per request.
Of course they do.
as someone who has had accounts locked down due to perfectly acceptable behavior and had to plead my case with various cloud providers : I concur, they act first and ask questions later.
Vultr, Linode and Digital Ocean are all absolutely terrible at dealing with abuse.
I don't really understand the CDN business. I've got a ~130ms ping to my web apps from where I am right now, and can't say I've noticed it compared to the 60ms ping I had before. If I put my stuff on a CDN, it speeds up loading static assets the first time the page loads (nice). But then I have to worry about the CDN going down and taking me with them, or getting my account disabled by some algorithm in the fraud department (see Cloudflare posts from last week). Seems like a high price to pay.
https://blog.kalvad.com/ddos-on-demand-how-to-properly-load-...
If a content is delivered through a CDN can dynamic IP blocking with edge computing prevent requests from being "counted"?
Often 1800 numbers are paid for by the minute. Calling them costs them money. Lobbying for restrictions on businesses cost money.
All of these represent legitimate business. Requesting 38 billion does not and could be considered fraud