On 08/08/17 01:57, Akshay Kumar wrote:
> Not true about AWS or GCP. You don't get charged on ingress and it's in their best interest to mitigate this at the perimeter.
Indeed, they don't charge for ingress, but your server has to answer to HTTP requests. Even small responses can add up quickly, more so if you are serving ISOs. Another problem is with autoscaling setups - if you automatically spawn several hundreds of EC2 instances to handle the increased number of HTTP requests, you'll end up with a pretty big bill. I've heard of several cases of Amazon choosing to "forgive" the bill resulting from an attack, and you can set usage limits, so it's probably not that bad.
> L3 and Prolexic (Akamai) have all your traffic go through their scrubbing centers - really expensive. mod_evasive won't work with any half-decent reflection attack.
Yes, I think scrubbing centers are technically the best solution (reverse proxy companies are in the position to perform MitM on SSL traffic and can only handle HTTP, but they are the most affordable solution).
Anyway, glad that it's solved now! :)