Web-apps of any size should be running with a WAF (web application firewall).
If you're not, you're just rolling the dice every day on whether or not you'll get DDoSed and ransomed.
They're not expensive or difficult to set up anymore. Set it and forget it.
@nateberkopec How's Rack::Attack for that?
@slimdave @nateberkopec I don't think Rack::Attack is considered a WAF at all. But no, been there, done that. Rack::Attack doesn't protect you from a DDoS.
We use Cloudflare + Rack::Attack. We adjust both when getting attacked to handle different scenarios.
But bottom line, you gotta think a DDoS (or any decent attack really) is coming from different IPs, locations, etc.
It's a shitty problem to have to be honest.
@pmcnano @nateberkopec Interesting, thanks. We're on Heroku, so considering https://devcenter.heroku.com/articles/expeditedwaf which looks decent.
@slimdave @nateberkopec Sorry for the late reply, I just can't figure out why I don't get notifications.
That's the WAF we used before and their support sucked. When they couldn't explain why customers were having routing issues, they just stopped responding to my emails.
I tried for weeks until we dropped them for Cloudflare.
@pmcnano @nateberkopec oof, thanks for the heads up.