How to prepare for a DDoS attack?

stein · December 15, 2020, 9:45pm

Hello,

I assume Anvil has some kind of DDoS protection. I’d like to understand what that means for my app and how I can prepare for an attack.

My app has a log-in, so the attacker can not make any resource-intensive calls. Does that mean that with the DDoS protection it is unlikely that my app will become available?

Will Anvil’s DDoS protection stop the attack, so that fairly quickly I would be back to normal?

This is my design for keeping my app available for my clients during an attack:

Split the app in 2:

The main app (private), where all logic, data and (private) http endpoints are.
The public app. This only imports the main app as a dependency and makes it available via a public url.

If 2 is DDoS-ed, I un-publish it and then re-publish it under a new url that I share with my users. The urls for the http endpoints under the main app will not change, so clients of those endpoints will not be affected. When the attack is over, I re-publish under the old url and notify users.

Does that make sense, or is there a better way?

Is there someting else I should do, or need to understand?

This was many questions in one topic… Any insights you can share will be highly appreciated!

Cheers,
Stein

Tony.Nguyen · December 16, 2020, 1:15am

Hi @stein, unfortunately, it’s unlikely to work because the main app url will be easy to find as soon as you change it. (Chrome → Developer Tools)

One way to protect DDoS is to use cloudflare, a dedicated service for DDoS protection.

stein · December 16, 2020, 12:41pm

Hi Tony,

Thanks for you reply!

The Public Anvil app does not re-direct to the main app’s url, but loads the Main Anvil app as a dependency. The Public app then loads a form from the Main app and displays it. I wouldn’t expect this to require any knowledge of the Main app’s url. I did a quick test, and I could not find the Main app url by inspecting the source of the Public app in Chrome.

Tony.Nguyen · December 17, 2020, 2:27am

You might find the http endpoints similar to the ones in the images.

Moreover, the private app is not a matter, the someone can attack your public app and make it down anyway. (10,000 request per seconds is more than enough and it is very easy to do that with a not very powerful PC ).

stein · December 17, 2020, 7:39pm

Here is a mock up: Import the main app as a dependency in the public app. It does not seem to me that the private url of the main app is visible through inspecting the public app in the browser.

Public app (https://my-public.anvil.app/): https://anvil.works/build#clone:XJXNNP742B26CX7O=24XB4QHKLNJINK3HKI65M7H3

Main app: https://anvil.works/build#clone:EVJZ7UUKS4STH7ML=UAW5R3G7U5PNCFBWINYKN4QJ

The endpoint in the main app will be available from the origin url of the public app: https://my-public.anvil.app/_/api/hello_world/ and visible to the attacker.

But if the clients of my endpoints instead use the private url for the endpoints, their url does not have to change if I temporarily change the url of the public app during an attack. And the attacker should not be able to find the private url. Does that sound right, or is my main app exposed to the attacker somehow?