Ask HN: How does Hacker News avoid (successful) DDoS attacks?
Hacker News has an API¹ that doesn't require authentication and doesn't have a rate limit. Naively, that seems like a perfect recipe for DDoS attacks. Yet HN is typically a very reliable site. So what's the secret?
Fn 1: https://github.com/HackerNews/API

It does have a rate limit, it's just very, very high. I've hit it sometimes when trying to download every single item since day 0. But it's very lenient; you have to run multiple threads downloading as fast as they can in order to hit it.

The API is not hosted by HN/Ycombinator themselves. If I recall correctly, it was initially hosted by Firebase, which is/was a company seed-funded by Ycombinator. It (Firebase) is now a part of Google, so I guess you could say Google is hosting the HN API now. With that comes everything they are doing to prevent malicious DDoS attacks.

> It does have a rate limit, it's just very, very high. I've hit it sometimes when trying to download every single item since day 0.

Interesting. The API README states:

> There is currently no rate limit.

I guess that's wrong/out of date. I wonder when that changed?

Would hazard a guess: matches service provider account limits. (Hopefully not because they got billed for exceeding account limits.)

So this might be naive, but... what interest would someone have in taking down HN? Like, people with the skills to run an attack are also more likely to actually enjoy participating here. It'd be like someone trying to take down Stack Overflow. Even if you can do that – especially if you're the kind of person who could do that – you'd probably be shooting yourself in the foot, right?

Yeah, I thought of that. But (especially given political polarization) I would expect that there'd be at least someone with an axe to grind and the necessary technical skills. I mean, there's certainly no shortage of criticism of Hacker News/some HN moderation actions even on HN (or "the orange site" as it's known in some circles).

I would imagine that this (admittedly plausible-sounding) scenario is offset by the fact that, given the audience, a politically motivated DDoS would have the opposite of the desired impact. No one here would cheer the loss of HN, even its critics (like me). We want it to do better. It's simply too valuable for either side to destroy. Generalizing, it's not a belief in unfettered free speech that saves us but rather a belief in carefully curated conversation. The archangel Dang keeps the discussion so valuable that there is no margin in damaging it. If the tenor of the conversation declined to the point where it was a Twitter-grade dumpster fire, then yes, someone would eventually DDoS it.

I have the axe but not the skills :)

There's a lot of disdain for HN on Twitter for some reason.

To be fair, there's a lot of disdain for pretty much everything on Twitter.

There's a lot of disdain for Twitter on Twitter.

It's one of the few places we can vent about HN without being reprimanded, rate limited and eventually banned.

Does HN rate limit people?

Yes. You'll get a message saying that "you're posting too fast." That's because you've been limited to only a few (four or five) posts per hour. You'll never be told when this is applied to your account, or what the limit is, or when it's lifted, if it is. They also used to purposely slow response times as a way to drive certain posters away, but I think they've stopped that. They also shadowban, but at least that's reversible. Unless you vouch for the wrong people; then you lose your vouching privileges. Basically, the mods will tweak anything and everything they can to either increase the quality of your comments or decrease the damage they do, with banning outright as a last resort.

You can hit the rate limit: just open 50 tabs and try to load them all at once. You will get IP banned, likely if there are a lot of cache-miss queries (querying old pages rather than recent ones).

There are many services you can use that will filter traffic and prevent DDoS. It's relatively easy to shift traffic to them if there is a problem. Lastly, the content of HN is almost entirely text, high read, very low write. Nearly all writes are behind an account; signup can be protected by a captcha or turned off entirely. The architecture means that reads can be cached, and the caching, serving, and traffic layers (assuming they are there) can likely scale horizontally nearly unbounded. Then Hacker News is full of tech folks who would probably enjoy investigating a DDoS. DDoSing seems high risk, low reward.

Rate limiting, caching, very little code being run for each request, overkill hosting, most data being accessed is likely already in RAM, etc.

IP-based rate limiting probably (?)

This doesn't really do much against all but the most trivial denial-of-service attacks.

If someone does try to DDoS Hacker News, the amount of resources required to DDoS would not justify the investment, as there's nothing to gain here in terms of monetary benefit.

Would it though? Most of these operations seem to use botnets. So it's enterprise routers and smart fridges and Juiceros doing the heavy lifting.
I have a very rudimentary understanding of a botnet, but I am sure it's not going to be super expensive if you are trying to DDoS a site like this. It would be prohibitively expensive if you are trying to do this to something like AWS. However, the monetary gain from doing this is gonna be zero dollars. The entertainment factor isn't gonna be likely either.

There are a lot of people who do not DDoS for monetary benefit, but instead as entertainment. And as somebody else mentioned... botnets.

Sure, some people aren't looking for anything logical, but even for them, it might really not be worth it. If they were to bring it down for some period of time, there won't be any schadenfreude for someone of a certain political ideology performing a DDoS to make the people of another political ideology suffer. This site isn't overwhelmingly conservative or left-wing or libertarian, at least to me. It's kind of amorphous. It's folks just sharing cool websites, apps, new posts, jobs, blogs, etc.

HN doesn't attract many DDoS attacks; most websites don't attract any DDoS attacks. Historically HN has not been hosted on infrastructure that would be particularly resistant to DDoS attacks; nobody has been DDoSing it.
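The mechanism several commenters above describe (per-IP rate limiting, with a harsher response to a burst of cache-miss requests for old pages than to cached front-page loads, escalating to an IP ban) as an added, illustrative example. This is not Hacker News' or Firebase's code: it is a token bucket keyed by client address in which a cache miss costs more tokens than a hit, and repeated refusals lead to a ban. The capacity, per-request costs, ban threshold, class and function names, and the addresses in the simulated scenarios are all assumptions chosen for the demo.

```python
"""Illustrative IP-keyed, cost-aware rate limiter (added example, not HN's code).

Each client gets a token bucket. A request served from the page cache costs
1 token; a request that misses the cache (an old item fetched from storage)
costs 10. A client refused several times in a row is banned. Capacity, costs
and the ban threshold are assumptions chosen for the demo.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # clock reading at the last refill


class CostAwareLimiter:
    def __init__(self, capacity=60.0, refill_per_sec=1.0,
                 hit_cost=1.0, miss_cost=10.0, ban_after_rejects=3,
                 clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.hit_cost = hit_cost
        self.miss_cost = miss_cost
        self.ban_after = ban_after_rejects
        self.clock = clock
        self.buckets = {}   # client -> Bucket
        self.rejects = {}   # client -> consecutive refusals
        self.banned = set()

    def allow(self, client, cache_hit):
        """Return True if the request may proceed, False if it is refused."""
        if client in self.banned:
            return False
        now = self.clock()
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(tokens=self.capacity, last=now)
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill)
        b.last = now
        cost = self.hit_cost if cache_hit else self.miss_cost
        if b.tokens >= cost:
            b.tokens -= cost
            self.rejects[client] = 0
            return True
        # Refused: count it, and escalate to a ban after too many in a row.
        self.rejects[client] = self.rejects.get(client, 0) + 1
        if self.rejects[client] >= self.ban_after:
            self.banned.add(client)
        return False


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(requests, spacing=0.0, **limiter_kwargs):
    """Feed (client, cache_hit) pairs to a fresh limiter, `spacing` seconds apart.

    Returns (allowed, denied, sorted list of banned clients).
    """
    clock = FakeClock()
    limiter = CostAwareLimiter(clock=clock, **limiter_kwargs)
    allowed = denied = 0
    for client, hit in requests:
        if limiter.allow(client, hit):
            allowed += 1
        else:
            denied += 1
        clock.advance(spacing)
    return allowed, denied, sorted(limiter.banned)


if __name__ == "__main__":
    # Constructed scenarios, one client address each (TEST-NET addresses).
    # 50 tabs of the cached front page opened at once: every load is served.
    print(simulate([("203.0.113.10", True)] * 50))
    # 50 tabs of old, uncached items opened at once: 6 served, 3 refused, then banned.
    print(simulate([("203.0.113.11", False)] * 50))
    # The same 50 old items fetched 10 s apart: a polite crawler is never limited.
    print(simulate([("203.0.113.12", False)] * 50, spacing=10.0))
```

Weighting the cost by cache outcome is what lets the cached, read-heavy front page absorb a burst while a scrape of old items trips the limit quickly. Note that the bucket is keyed by a single client address, so it throttles one misbehaving client; against traffic spread over thousands of botnet addresses, the upstream traffic-filtering services mentioned in the thread are the relevant control, not this per-IP logic.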