lpcvoid 10 hours ago

That's lazy engineering and I don't think we as technical, rational people should make that our way of working. I know the saying, but I disagree with it. My fuckups, my problem, but at least I can avoid fuckups actively if I am in charge.

reassess_blind 10 hours ago

How do you mitigate large scale DDoS?

lpcvoid 9 hours ago

I don't, since my stuff is reachable only within the company network/VPN. If I needed to though, I would consult the BSI list of official DDOS mitigation services [0] and evaluate each one before deciding. I would not auto-pick Cloudflare.

[0] (German) https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Si...

reassess_blind 9 hours ago

When the solution you pick inevitably has downtime too you’re in the same boat.

DDoS mitigation is one of those areas that an on-prem solution just isn’t well suited to solve.

lpcvoid 9 hours ago

Yeah, but people aren't using Cloudflare just for DDOS Mitigation. Some are running pretty much everything over it, from DNS to edge caching to load balancing and even hosting. That's what I oppose mainly.

lousken 7 hours ago

Unless you are really big, onprem stuff would be 90% internal anyway. For everything public you'd host your hardware in a datacenter with better high speed connectivity. And pretty much every single datacenter I interacted with in the last 5 years does have a DDOS protection solution that you can order for your network.

saubeidl 10 hours ago

The problem is the people that sign our checks usually aren't technical, rational people.

The system isn't designed for technical, rational decision making.

lpcvoid 9 hours ago

That's fair, yeah, and I agree it's not always feasible - but if you have any influence over technical direction at your org, I encourage what I wrote above. Otherwise yeah, let the pea counters in the C-Levels dig their own grave.