After RSnake introduced slowloris in 2009, it's been something of a minor miracle that L7 attacks have stayed as rare as they have until now. Don't understand why SYN floods have been the preferred way to DDoS until recently - they've been obsolete for nearly a decade.
L7 DoS requires more sophistication, because the attack code needs to be stateful (in other words, establish sessions) and craft requests that are better targeted. These in turn require either real effort or tools that reduce the effort.
All of this implies one thing: packet flood mitigation has finally become so ubiquitous that dumb flooding is no longer lucrative. So one could say that, due to a lack of low-hanging fruit, the attackers are now moving up the value chain.
SYN floods are really easy to accomplish, comparatively. That said, with the size and sophistication of the botnets these days, I suspect that'll start to change to higher-level attacks against services.
I thought this is the older way of doing DDoS, like replicating users' behaviour and overwhelming the server with repeated requests. And it's very obvious that any public-facing API should be heavily cached and rate limited; in fact, all the major application frameworks provide easy-to-implement code for these.
But yeah, more developers should be aware of the possibility of this.
I am not a DDoS mitigation expert, but I am under the impression that the remedies you mention are only going to help with relatively small attacks. It is very inexpensive to buy enough DDoS capacity to saturate a whole server's CPU just decoding requests. Caching and rate limiting aren't going to help you much then.
If you're a serious target these days, you basically need to have your services behind one of the big solutions. Rolling your own is far too expensive for any but the largest players. Cloudflare, GCE, and I'm sure many others offer DDoS mitigation for grown-ups.
Devs need to remember to use performance monitoring tools to see where the slow code is - we had an app that could come to a halt if more than 10 people logged in in one second; it took forever to dynamically generate the menus. Stupid recursion error; fixing it quieted the NewRelic alerts down right away.
I do remember, but I don't see how it's relevant to this article.
It seems unfair to say that "Cloudflare continues to pretend this never happened" since they have a blog entry detailing exactly how the leak happened: