I wonder if there will be a day where on-premise solutions will be touted as the solution to the DDoS vulnerability of cloud-based solutions, in much the same way that there seems to be an ebb and flow between fat and thin clients over the course of computing history.
Because on-premise solutions are even more vulnerable to DDoS. A large data centre will have large amounts of connectivity, giving you a lot of headroom for most types of attacks. But in this case 20Gbps of extra traffic was too much, too. What on-premise solution can handle 20Gbps of extra traffic?
And I don't think Basecamp is technically "cloud", but collocated. They appear to own most or all of their servers.
If you define on-premise as being accessed over a private network (which seems to be the idea here), then it is not directly vulnerable to DDoS at all, because it isn't reachable from the public internet.