
CloudFlare and Dynamic DNS for Web Apps


My understanding is that CloudFlare is a CDN that specializes in thwarting DDoS attacks for web apps; that is, it basically creates a read-only "cache" of your entire app so that, if you are DDoSed, your users can still access portions of your app and not experience a total denial of service.

My understanding of Dynamic DNS is that it is a technology that somehow allows you to immediately change the DNS settings of your web app URL without having to wait the standard 24 hours for DNS changes to "ripple out" over all the DNS servers in the world and take effect.

So first off, if anything I have said so far is misguided or incorrect, please begin by correcting me!

Assuming I am more or less correct, I'm trying to protect my web app (as best as I can) against DDoS attacks.

For one, I have decided to host my app with either Google App Engine or Heroku (haven't made the final decision yet), and I have to imagine that their IT staff is fully prepared to scale up/handle if my app is DDoSed while deployed to their servers.

Unfortunately for me, that means they'll scale up and handle the attack (!), which means my billing would soar through the roof and I'd be out of business (I guess that's called a "cash attack"!).

So I need a solution that handles both of the following scenarios:

  • The DDoS is enormous, and even Google/Heroku say "enough is enough", we're not supporting this load!
  • I specify a billing "ceiling" (which both Google and Heroku provide), and after that ceiling is reached, I somehow redirect traffic to my CloudFlare/read-only web app hosted elsewhere

I suspect I will need to use Dynamic DNS somehow to handle the 2nd scenario, but without knowing how most web apps fortify themselves against DDoSes (i.e. I've heard of so-called "bastion hosts"?!?) I'm not even sure if I'm heading down the right path or not. Thanks in advance!


Solution

Some minor corrections: Heroku will not scale your app for you, nor does it provide the ability to specify a billing ceiling. You should implement the appropriate monitoring and alerting strategy depending on how you want to react to specific scenarios.

Preventing DDoS attacks is not something most app developers concern themselves with - but perhaps you're in a particularly susceptible domain? If so, a service like CloudFlare that does this automatically is a good option. You set your DNS to use their nameservers and they handle the IP address assignments on your behalf and in response to various threats and other optimization opportunities.