Load balancer hit by a huge amount of HTTP requests
Checked on the Nginx access log that most of them are:
requesting for a search, .e.g. /product/?search=[random string] , this is a clever trick as search are always bypassing cache and are heavier than listing / viewing product details
source IP are all different, confirming its a D-DOS instead of a singleIP-DOS attack, hence IP blocking trick will not work here
The lowest cost possible way to handle such attack is with Cloudflare, fortunately we had Cloudflare setup, they even sent us a DDOS attack alert email:
The rest is simple, since all traffic are looking for search, and most of our users are from Singapore, just need to add a WAF rule will Managed Challenge:
Requests that's not from Singapore
Requests that contain /product/?search= in URL
And Load Balancer sees no more DDOS traffic:
Of course we can make use of AWS WAF to create a similar rules in WEB ACL to do the filtering with a low cost:
But since Cloudflare are generously offering the service for $0 and is simple to deploy, no cost is better than low cost in this case. :)