• 3 Posts
  • 3.45K Comments
Joined 8 months ago
cake
Cake day: February 17th, 2024

help-circle






  • Ideally, you’d limit your resource utilization to always leave enough of a buffer that your management tools can run. But even if that’s not the case, you should also be able to disable incoming traffic so that your servers stop even seeing the requests. Or you can just plain destroy and recreate with a new version.

    But none of that addresses the fact that your retrying clients are basically DDoSing you. That can be mitigated by your WAF filtering requests so that only a fraction are passed to the server, as mentioned in the article, but preferably you’d just scale up to handle the load, or fix your clients to retry less frequently so that they don’t DDoS you with retries. Even a large number of clients shouldn’t be retrying so frequently that it overwhelms your system. Even if you’re selling Taylor Swift tickets, where millions of clients are hammering you, you can scale horizontally to at least implement a queue for users so they’re not hitting refresh every time they get a blank screen.


  • tl;dr:

    Each request takes exactly one second to process, and a new request arrives every second

    That’s their core issue. They were never able to process requests fast enough, and the moment there was any delay it all came down like a house of cards. If you’re already running at 100%, yeah no shit you’re going to have problems if anything changes even slightly.

    Further, it doesn’t seem like retries backed off enough, or maybe should have just given up eventually.

    The writing style also made it kind of hard to follow. Technical articles work better when they’re not written like a children’s story, but with technical writing.





  • Some of my internal stuff goes out to Let’s Encrypt, so I don’t worry about it at all. My internal AD stuff is set for like three years. If anyone has compromised the CA, they’re already past where issuing malicious certs would be useful.

    I would up your root cert expiration. You can keep the root CA offline if you’re concerned about compromise.

    There are also ways to run LE-style automatic renewals internally, but I’ve never bothered because what I’ve described above means I don’t need it.








  • catloaf@lemm.eetoTechnology@lemmy.worldWhat the hell Proton!
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    1
    ·
    edit-2
    18 hours ago

    True, but this is generally not useful information to anyone. They can see you’re visiting bank.com, but they still can’t see your bank details.

    It might be useful if they’re trying to target you for phishing, but a targeted attack is extremely unlikely.

    Also, any wireless equipment from the past 15 years or so supports client isolation.