Not the same poster, but the first "D" in "DDoS" is why rate-limiting doesn't work - attackers these days usually have a _huge_ (tens of thousands) pool of residential IPv4 addresses to work with.
We had rate limiting with Istio/Envoy but Envoy was using 4-8x normal memory processing that much traffic and crashing.
The attacker was using residential proxies and making about 8 requests before cycling to a new IP.
Challenges work much better since they use cookies or other metadata to establish a client is trusted then let requests pass. This stops bad clients at the first request but you need something more sophisticated than a webserver with basic rate limiting.
danielheath|1 year ago
chillfox|1 year ago
rixed|1 year ago
nijave|1 year ago
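The distinction drawn in this thread (per-IP rate limiting versus a cookie-based challenge) can be checked with a small simulation. The code below is an added example, not anything posted by the commenters or part of Istio/Envoy or Cloudflare; the client behaviour it models (about 8 requests per address, then a new address) is taken from the post above, and the key, IP ranges, window size and per-IP limit are constructed demo values. Both controls are run over the same constructed traffic and the count of requests that reach the origin is compared.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed demo key; a real deployment would use a per-edge secret from a KMS.
DEMO_KEY = b"constructed-demo-key"
WINDOW_START = 1_700_000_000.0


class PerIpRateLimiter:
    """Fixed-window per-IP limiter: at most `limit` requests per `window` seconds per source IP."""

    def __init__(self, limit: int, window: float = 60.0):
        self.limit = limit
        self.window = window
        self.state = defaultdict(lambda: [0, None])  # ip -> [count, window_start]

    def allow(self, ip: str, now: float) -> bool:
        entry = self.state[ip]
        if entry[1] is None or now - entry[1] >= self.window:
            entry[0], entry[1] = 0, now
        entry[0] += 1
        return entry[0] <= self.limit


class ChallengeGate:
    """Cookie-based gate: a request with no valid signed cookie is answered with a challenge
    instead of being forwarded; a client that completes the challenge receives a signed cookie."""

    def __init__(self, key: bytes, ttl: float = 600.0):
        self.key = key
        self.ttl = ttl

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, now: float) -> str:
        expiry = str(int(now + self.ttl))
        return f"{expiry}.{self._sign(expiry)}"

    def valid_cookie(self, cookie, now: float) -> bool:
        if not cookie or "." not in cookie:
            return False
        expiry, sig = cookie.split(".", 1)
        if not expiry.isdigit():
            return False
        # Constant-time comparison of the MAC, then the expiry check.
        return hmac.compare_digest(sig, self._sign(expiry)) and int(expiry) > now

    def handle(self, cookie, now: float) -> str:
        return "pass" if self.valid_cookie(cookie, now) else "challenge"


def rotating_traffic(n_ips: int, per_ip: int):
    """Constructed traffic: each of n_ips addresses sends per_ip requests, then is never seen again."""
    t = WINDOW_START
    for i in range(n_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # constructed addresses
        for _ in range(per_ip):
            t += 0.001
            yield ip, t


def compare(n_ips: int = 1000, per_ip: int = 8, legit_requests: int = 30, per_ip_limit: int = 20) -> dict:
    """Count how many requests reach the origin under each control."""
    limiter = PerIpRateLimiter(per_ip_limit)
    gate = ChallengeGate(DEMO_KEY)
    result = {"rate_limit": {"attack": 0, "legit": 0}, "challenge": {"attack": 0, "legit": 0}}

    # Rotating client: no per-IP counter ever reaches the limit, and no cookie is ever presented.
    for ip, t in rotating_traffic(n_ips, per_ip):
        if limiter.allow(ip, t):
            result["rate_limit"]["attack"] += 1
        if gate.handle(None, t) == "pass":
            result["challenge"]["attack"] += 1

    # One legitimate client on a single IP, issuing legit_requests requests in the same window.
    cookie = None
    for k in range(legit_requests):
        t = WINDOW_START + 1.0 + k * 0.01
        if limiter.allow("192.0.2.10", t):
            result["rate_limit"]["legit"] += 1
        if gate.handle(cookie, t) == "pass":
            result["challenge"]["legit"] += 1
        else:
            cookie = gate.issue_cookie(t)  # the client completes the challenge and gets a cookie
    return result


if __name__ == "__main__":
    print(compare())
```

With the defaults, the per-IP limiter passes all 8000 rotating requests while cutting a busy legitimate client from 30 to 20, whereas the challenge gate passes none of the rotating requests and 29 of the 30 legitimate ones (only the very first is held for the challenge). The simulation models a client that never completes the challenge, which is the assumption behind the post above; a challenge is a cost imposed per client rather than per address, so its value depends on how expensive completing it is for an automated client.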
Aachen|1 year ago
So how is Cloudflare supposed to distinguish legitimate new visitors from new attack IPs if you can't?
Because it matches my experience as a cloudflare user perfectly if the answer were "they can't"
hombre_fatal|1 year ago