> a sustained DDoS attack will just make your host drop you

I'd love to see someone suing the host for damages. The contract binds them as much as it binds you.

Sounds like a good way to have your next gaming rig financed.

DDoS attacks are frequently shorting than 15 minutes. We've seen plenty of attacks last less than a minute.

> It is obvious those two are very different situations. I'm not sure I understand point.

Your host taking down the site and forgetting to bring it back up after a DDoS attack isn't a common thing with any host, unless it's the kind that does this routinely even without a DDoS. And then you should look long and hard at your choice of hosting.

Either you suffer from a DDoS attack and come back when it's over, or you have a host that occasionally brings your site down and fails to bring it up until you chase them. But one does not follow the other without a lot of twisting.

Forgiveness not necessary, these are good questions.

Internet packets have to travel through many routers between the source and the attack and the server they're attacking, at each step the routers usually get smaller. the smaller routers are less able to withstand the amount of traffic destined for one server, which means they can't route traffic to all the other servers that are not under attack. a common strategy is to drop the traffic at a much farther away server, thus protecting the smaller routers, thus protecting all the other servers.

The host Network would definitely still be affected by the DDOS, which is why the strategy is often to "blackhole" the traffic farther away from the individual server racks.

I see people say route traffic to /dev/null All the time, but I personally try to reserve that for the individual servers or the nearest router, just to avoid your exact confusion.

depending on how well designed, any specific network is the "hug of death" which has taken down many sites would also degrade the performance of the peers next to that server. Which is why many ISP are quick to block the traffic farther away. To protect not you but their other customers.

To be fair (pedantic), if it's part of a DDOS, it's not a legit request. Depending on the capabilities of the attackers, they will either choose obviously invalid requests because those take longer to process or exclusively valid requests which take longer to process. it is generally speaking much easier to send valid well-formed requests because that's what most libraries exist to do. you're often writing custom code if you want to send an invalid request because that is a bug in other cases.

A good example of an invalid request is setting up TLS transmitting a partial packet and then closing the connection (or leaving the TCP open), This one can be particularly expensive and much harder to detect.

> How does taking the site down stop the DDOS attack?

When people say take the site down, in this context, they often mean one of two things, either changing the DNS configuration to point to a different IP address (or none at all), or "null routing" traffic to the under attack IP, at an edge router, edge in this case meanthing their upstream ISP or other network peer. (farther from the victim server) I object to both uses because the specificity is important. When I say take down the server, I almost always mean quit [nginx] or power off the box.