Ask HN: How does Hacker News avoid (successful) DDoS attacks?
Hacker News has an API¹ that doesn't require authentication and doesn't have a rate limit. Naively, that seems like a perfect recipe for DDoS attacks. Yet HN is typically a very reliable site. So what's the secret?
Fn 1: https://github.com/HackerNews/API
24 comments
[ 0.25 ms ] story [ 81.6 ms ] threadLike, people with skills to run an attack are also more likely to actually enjoy participating here. It'd be like someone trying to take down Stack Overflow. Even if you can do that – especially if you're the kind of person who could do that – you'd probably be shooting yourself in the foot, right?
It's simply too valuable for either side to destroy.
Generalizing, it's not a belief in unfettered free speech that saves us but rather a belief in carefully curated conversation. The archangel Dang keeps the discussion so valuable that there is no margin in damaging it.
If the tenor of the conversation declined to the point where it was a Twitter-grade dumpster fire, then yes, someone would eventually DDOS it.
Basically, the mods will tweak anything and everything they can to either increase the quality of your comments or decrease the damage they do, with banning outright as a last resort.
However, the monetary gain from doing this is gonna be zero dollars. The entertainment factor isn't gonna be likely either.
And as somebody else mentioned... botnets
If they were to bring it down for a some period of time,there won't be any schaudenfreude for someone of a certain political ideology performing a DDos to make the people of another politicial ideology suffer. This site isn't overwhelmingly conservative or left-wing or libertarian, at least to me. Its kind of amorphous. Its folks just sharing cool websites, apps, new posts,jobs and, blogs etc.
The API is not hosted by HN/Ycombinator themselves. If I recall correctly, it was initially hosted by Firebase which is/was a company seed-funded by Ycombinator. It (Firebase) is now a part of Google, so I guess you could say Google is hosting the HN API now.
With that, comes everything they are doing to prevent malicious ddos attacks.
Interesting. The API README states:
> There is currently no rate limit.
I guess that's wrong/out of date. I wonder when that changed?
Historically HN has not been hosted on infrastructure that would be particularly resistant to DDoS attacks, nobody has been DDoSing it.
There are many services you can use that will filter traffic and prevent DDoS. It's relatively easy to shift traffic to them if there is a problem.
Lastly the content of HN is almost entirely text, high read, very low write. Nearly all writes are behind an account, signup can be protected by a captcha or turned off entirely. The architecture means that reads can be cached, and the caching, serving, and traffic layers (assuming they are there) can likely scale horizontally nearly unbounded.
Then hacker news is full of tech folks who would probably enjoy investigating a DDoS.
DDoSing seems high risk low reward.