Vercel Usage, DDoS & Cloudflare (a fun topic i know)

So me any my co-dev just released our new project which is a web app for listing your discord server. Now we didn't naively think this was going to be the CHEAPEST operation, as with any serverless UGC app we knew costs would scale. What we didn't anticipate was (potential) DDoS attacks within the first week. Now we do have hard billing limits because we simply don't have the funds to support endless billing but i was wondering the extent of protection i can take on the web app to prevent similar things? Moreover the steps i can take to minimise usage (especially function invocations) While the requests in the screenshots provided don't detail a HUGE amount of traffic, the 33k requests to /:80 were all within around 1-5 minutes and all had ?cacheBust param attached. Is this an attempt at DDoS or simply web scraping for SEO? Regardless of intended purpose it did somehow manage to limit usage on our app for around a minute or 2 for some users. We currently have high security level on cloudflare, along with some additional rules. And to the best of my knowledge vercel mitigates DDoS on their behalf, bu for some reason this pattern of request wasn't deemed suspicious? We were wondering what rules would be optimal in this scenario? We were also considering programatically enabling under attack mode based on request patterns and frequency, but weren't sure if it was possible. I'd like to reiterate that i know this isn't a MAJOR amount of requests or billing but for our use case we are opting to try to minimise billing NOW rather than being susceptible to vulnerabilities as we scale. Notable things to mention are we are using NextJS@v14 and server actions.
No description
No description
5 Replies
Xyliase
XyliaseOP3mo ago
^ It's also our first time using both of these technologies which is why we may not have an optimal approach rn, we're not expecting to be spoon fed. Just a little friendly advice would help :)
WillDelish
WillDelish2mo ago
I'm not like a super expert here (I'm used to using AWS WAF directly with CDK etc) My general rule that has served me well is to block everything by default and then write firewall rules to allow only what I want to get pass. You could set a rule for a GET to port 80 root / to a redirect to 443 /, but these days, I just don't allow anything on port 80.
splitfire?
splitfire?2mo ago
maybe try rate limitting?
Charlie B
Charlie B2mo ago
Theo has name dropped upstash for rate-limiting in his videos https://github.com/upstash/ratelimit-js
GitHub
GitHub - upstash/ratelimit-js: Rate limiting library for serverless...
Rate limiting library for serverless runtimes. Contribute to upstash/ratelimit-js development by creating an account on GitHub.
Styly
Styly2mo ago
ignore all trafic on port 80, its a ddos.
Want results from more Discord servers?
Add your server