On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jle...@lewis.org> wrote:

> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>
>> Is CloudFlare able to filter Layer 7 these days? I was under the
>> impression CloudFlare was not able to do that.
>>
>> There have been a lot of rumors about this attack. Some say reflection,
>> others say Layer 7, others say .. other stuff. If it is Layer 7, how are
>> you going to "step in front of the cannon"? Would you just pass through
>> all the traffic?
>
> Anycast + load balancers + high powered varnish?

notionally (because I have been paying zero attention to this) jon's suggesting:

1) setup a crapload of nginx/squid/etc configured tightly for things to be accessed behind them
2) ecmp to them across several layers (assume 32 ecmp at each layer, call it 4 layers get craploads of machines running)
3) change over the dns
4) profit--
eh? If you can eat the PPS, you can spray across enough tcp listeners, you can weed out the chaff and start filtering in the 'application'... perhaps also run a 'low bandwidth' version of the target site... hey look, we invented prolexic.