Probably. Mitigating a DDOS (from my understanding) has two important things that need to happen. (1) You need a larger incoming pipe than the data being sent to you. (2) You need to ignore invalid requests so you don't flood your outgoing pipe as well.
Properly ignoring invalid requests can be a challenge; the process of doing so will depend on the type of attack being used. SYN floods can be difficult since the src IP is most likely invalid. The attacks we've seen with DNS and NTP amplification are difficult as the attack isn't trying to get your servers to respond; they are just flooding your incoming pipe with data. If they are trying to abuse some page within your application you can more easily mitigate it, as you'll know the source IP of the request so it can be blacklisted.
As for mitigation, while we hear about Cloudflare a lot, AT&T and other large providers can provide DDOS protection for leased lines[0]. Basically what happens is that, before the data gets to your leased lines, traffic headed to you goes through AT&T's DDOS detection/prevention systems that attempt to filter bad traffic. This type of service would apply more to companies like Linode or possibly the datacenter that they are housed in.
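As an added example (not from this thread), here is the third case above, application-layer abuse where the source IP is real, worked as detection logic: a sliding-window request counter over constructed access-log lines that returns the addresses to blacklist. The log lines, threshold and window are assumptions; the same logic is useless against spoofed SYN floods or amplification traffic, which never carry a usable source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary client and one address hammering a search page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Mar/2014:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048',
] + [
    f'198.51.100.7 - - [10/Mar/2014:10:00:{i // 3:02d} +0000] "GET /search?q={i} HTTP/1.1" 200 512'
    for i in range(30)  # 30 requests within 10 seconds
]


def parse_line(line):
    """Return (ip, datetime, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Per-source-IP sliding window over a time-ordered log.

    Returns the set of IPs that issued more than max_requests within any
    window_seconds span. Thresholds are assumptions; tune them to real traffic.
    Only meaningful when the source address is genuine (application-layer abuse).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash
        ip, ts, _path = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop requests older than the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print("blacklist candidates:", sorted(find_flooders(SAMPLE_LOG)))
```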
It depends if this attack is on basecamp.com or the IPs that basecamp.com resolves to.
It appears Basecamp only has a /23, so even if they redirected traffic through Cloudflare, the attacker could still find their direct servers fairly easily and attack that IP. It's still possible to block, but not quite as easy as setting up Cloudflare.
> so even if they redirected traffic through Cloudflare, the attacker could still find their direct servers fairly easily and attack that IP.
Why would it be easier for the attacker to find their direct servers if they only have a /23 - doesn't Cloudflare obscure the identity/location/IP of the server on the other side?
It's only 512 addresses, so the attacker can just switch between different IPs until service degrades and keep on that address. Also, it's likely their rack/cage has a limited amount of bandwidth compared to the whole datacenter, so they can just send traffic to that range and overload the switch.
We've had issues with saturated upstreams and then been negotiating new ISP connections. All the ISPs I've asked (Level3, NLayer, Cogent) won't put an active restriction to only CDN blocks upstream.
The ISPs will help during a DDOS but response times are slow and we haven't tried getting them to put this type of block in place yet.
After taking a look at CloudFlare's knowledge base, it seems that their services would definitely help if you were under attack. According to CloudFlare, they offer basic DDoS Protection with their plans, and it seems like you can upgrade to a business account during attacks for improved protection/mitigation. They also claim that they don't have a cap on the size of attacks they can handle.
I'll leave it to others to answer this (for this situation), but keep in mind also that adding Cloudflare adds an additional layer that can fail for different reasons.
That tradeoff may well be worth it for certain high visibility web properties but maybe not if you are a low value target.
There are pros and cons to any decision you make that depend on specific circumstances.
I've been wondering myself whether CloudFlare helps against DDoS attacks when the page is dynamically generated for each user. For static pages it should help.
If the attack is working by essentially flooding Basecamp's network links until they reach capacity, then yes, it could. CloudFlare could simply filter out malicious traffic and only pass on legit requests to Basecamp.
That's obviously very much dependent on the kind of attack and whether CloudFlare has more network capacity than Basecamp (which I would imagine is highly likely).
Depends on the scale/power of the attack. The latest hits (happening in the last few months) have been very large and I doubt CloudFlare would be able to successfully defend any of those while maintaining all of their current clients online. I have a client that occasionally gets this kind of blackmailing followed by attacks, and they told me they use a US-based company specialized in DDoS defense - until now the defense has been pretty efficient. I've never bothered to ask for a name, but I guess it's a known one in the "network industry".
You're mistaken. CloudFlare has mitigated many of the largest DDoS attacks in history, including some that have exceeded 400Gbps. These recent extortion-based attacks are large, but they are typically 1/10th the volume of the largest attacks we see. For instance, Meetup has publicly stated that they used our network to stop a similar attack. Many of the other recent victims have used CloudFlare as well.
Because of the unique design of our network, I'm unaware of any other service that has as much capacity that can be utilized in aggregate to mitigate large-scale attacks.