How to mitigate a DDoS attack?

Hi all,

Backendless is looking really great, but I have the following question. To be clear this has not manifested itself (yet), but I was wondering how this should be handled or how other users are handling this situation.

Scenario:

Eve starts a DDoS against an API running on Backendless. In that case, there are two things that might happen: (1) a high amount of “bad” data (e.g. 1000 new user accounts, made by Eve) is generated and (2) one could use up all the API calls in the subscription from Backendless. In the latter case, one is forced to buy extra. Not a desirable situation.

For a static frontend one can use a CDN or put some caching mechanism in place, but the best way to handle this kind of problem on the backend is less obvious to me.

A couple of things that I came across:

  • I saw some posts that suggested rate limiting activity per IP. Sure, this is possible, but I don’t think this is solving the right problem. To me this seems like a bad attempt to imitate a real DDoS mitigation service.
  • Using an API gateway (AWS seems to have it: Protecting API Endpoints (BP4) - AWS Best Practices for DDoS Resiliency). I have personally never used a service like this. Would this be a good thing to use? The first issue would be that the API gateway should be context aware to some extent. Creating 3 user accounts per minute is strange, but requesting real data as a user might be totally normal.
  • CDN provider: as the requests will come from an application, they are the result of a “robot”, and the CDN will rightfully detect it is not a human. So this does not seem to be the correct solution in this scenario.

I would like to hear how this problem is supposed to be solved.
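An added example, not part of this thread and not Backendless or any vendor's gateway code, of the "context aware" limiting the post asks about. It assumes a reverse proxy or middleware in front of the API that can see the client IP and the route, and it goes slightly beyond the per-IP idea the post dismisses: each action gets its own per-client token bucket (a strict one for `signup`, a generous one for `read`), plus a global per-action budget shared by all clients, so a flood spread over many IPs still cannot burn the whole API-call quota on account creation. All policy numbers and IP addresses are constructed for the demonstration.

```python
"""Context-aware token-bucket rate limiting, keyed by (client, action).

Hypothetical middleware logic (added example). Time is passed in
explicitly so the behaviour is deterministic and testable offline.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    burst: float  # maximum tokens in the bucket (largest allowed burst)
    rate: float   # tokens refilled per second


@dataclass
class Bucket:
    tokens: float
    last: float

    def refill(self, policy: Policy, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(policy.burst, self.tokens + elapsed * policy.rate)
        self.last = now


class RateLimiter:
    def __init__(self, per_client: dict, global_budget: dict):
        self.per_client = per_client        # action -> Policy, one bucket per (ip, action)
        self.global_budget = global_budget  # action -> Policy, one bucket per action for everyone
        self.buckets: dict = {}

    def _bucket(self, key, policy: Policy, now: float) -> Bucket:
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=policy.burst, last=now)
            self.buckets[key] = b
        b.refill(policy, now)
        return b

    def allow(self, client_ip: str, action: str, now: float) -> bool:
        """Admit the request only if both the client bucket and the global
        budget for this action have a token; consume from both together so a
        denied request never drains either bucket."""
        cb = self._bucket((client_ip, action), self.per_client[action], now)
        gb = self._bucket(("*", action), self.global_budget[action], now)
        if cb.tokens >= 1.0 and gb.tokens >= 1.0:
            cb.tokens -= 1.0
            gb.tokens -= 1.0
            return True
        return False


def build_limiter() -> RateLimiter:
    # Constructed policies: signup is expensive and rarely legitimate in bulk,
    # reads are cheap and normal user traffic.
    per_client = {
        "signup": Policy(burst=2, rate=1 / 60),     # 2 immediately, then 1 per minute
        "read": Policy(burst=60, rate=10),          # up to 60 at once, 10/s sustained
    }
    global_budget = {
        "signup": Policy(burst=10, rate=10 / 60),   # site-wide: 10 signups per minute
        "read": Policy(burst=1000, rate=500),
    }
    return RateLimiter(per_client, global_budget)


def simulate() -> dict:
    """Run three constructed traffic patterns and return how many requests
    of each were admitted."""
    rl = build_limiter()
    # 1) One attacker IP creating an account every second for 50 seconds.
    single = sum(rl.allow("203.0.113.7", "signup", t) for t in range(50))
    # 2) 30 distinct IPs each creating one account, 100 ms apart, a minute
    #    and a half later; per-IP limits alone would admit all of them.
    distributed = sum(
        rl.allow(f"198.51.100.{i + 1}", "signup", 100.0 + 0.1 * i) for i in range(30)
    )
    # 3) A normal user reading data at 5 requests/s for 10 seconds.
    reads = sum(rl.allow("10.0.0.5", "read", 200.0 + 0.2 * j) for j in range(50))
    return {"single_ip_signups": single, "distributed_signups": distributed,
            "normal_reads": reads}


if __name__ == "__main__":
    print(simulate())
```

The point of the two layers: the per-client bucket answers "is this one client behaving oddly for this action?", while the global budget bounds the damage any number of clients can do to the subscription quota on an expensive action. Legitimate read traffic is untouched because its policy is scoped to the `read` action, not to the client as a whole.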

Hi @overcardio,

have you considered using Cloudflare DDoS Protection?

Yeah, I am aware of Cloudflare, but my issue with them is the SSL termination at their end. Isn’t there a competitor to Cloudflare who does protect, but on layer 3 for example (so the HTTPS data goes through it without being analyzed)?