Customized Edges

Deploy flexibly in a single cloud, multi-cloud, on-premises DC, or using Infrastructure as Code (IaC), giving you full control over data, gateway visibility, and on-demand network coverage.

AppZTNA Anti-DDoS

AppZTNA's security model is the exact opposite of Cloudflare's. It doesn't depend on centralized network mitigation for DDoS attacks. In a Server Find Client zero-trust network, attackers can't attack what they can't see.

This is my startup idea. I don’t know if anyone will need it. I hope to get your feedback. Thank you.

  • phein4242@alien.top · 8 months ago

    Even if you can get the appZTNA stuff to work (which I doubt), how is your infra going to absorb multi Tbit traffic without customer impact?

    • PenArtistic71@alien.top (OP) · 8 months ago

      Perhaps I didn’t express my thoughts clearly, and for that, I apologize.

      In the past, we typically approached the challenge of mitigating DDoS attacks by countering and combating resources at the L3-L7 level. I do not deny that this is a correct and effective solution, and I am familiar with how it works. However, in my previous work, our mobile app often fell victim to DDoS attacks, and I found that there could be an alternative approach to addressing the issue. Why must we tackle DDoS with a firewall mindset? Is it possible to make DDoS disappear more proactively?

      We analyzed DDoS from the ATT&CK perspective of the attacker, focusing on the typical steps of attacking a mobile app:
      1. Downloading the app from the App Store.
      2. Analyzing the app through packet capture or debugging tools to identify the attack target: domain or IP address.
      3. Using DDoS tools to initiate an attack on the target using a botnet.

      Typically, we address DDoS at the third step, when the attack has already occurred, and we are left seeking additional layers of protection. Our approach is at the second stage. When I have a certain number of edge IPs to distribute user or device connections and manage global traffic based on user or device context, this method is highly effective. The only drawback is that this method is only effective for native mobile or client applications. However, the benefits it brings include making the application actively immune to DDoS rather than passively defending against it, and effectively identifying attackers.
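The per-device edge assignment described in the reply above, as an added example that is not part of the original post and not AppZTNA's own code. The edge pool (TEST-NET-3 addresses), the server secret and the device IDs are all constructed here, and using an HMAC-keyed hash to pin each authenticated device to one edge is my assumption about how such a mapping could be built. The block also measures the blast radius of flooding one edge versus the whole pool, which is the capacity question raised elsewhere in this thread.

```python
import hmac
import hashlib

# Constructed sample data for this example (not from the post): a pool of
# edge addresses from the TEST-NET-3 documentation range, and a server-side
# secret that never ships inside the mobile app.
EDGE_POOL = ["203.0.113.%d" % i for i in range(10, 18)]
SERVER_SECRET = b"epoch-1-rotate-me"


def assign_edge(device_id, secret=SERVER_SECRET, pool=EDGE_POOL):
    """Return the single edge IP an authenticated device is told to use.

    Keyed hashing (HMAC-SHA256) makes the mapping deterministic for the
    server but unpredictable to anyone without the secret, so decompiling
    the app or capturing one device's traffic reveals one edge, not the pool.
    """
    digest = hmac.new(secret, device_id.encode(), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def devices_on_edge(edge_ip, device_ids, secret=SERVER_SECRET, pool=EDGE_POOL):
    """List the devices that were told about a given edge.

    When that edge is flooded, the device that leaked the IP is in this set,
    which is the 'identifying attackers' step the reply describes.
    """
    return sorted(d for d in device_ids if assign_edge(d, secret, pool) == edge_ip)


def impacted_fraction(flooded_edges, device_ids, secret=SERVER_SECRET, pool=EDGE_POOL):
    """Share of devices that lose service when the given edges are saturated.

    One flooded edge takes down roughly 1/len(pool) of the devices; flooding
    the whole pool takes down everyone, which is the capacity objection.
    """
    flooded = set(flooded_edges)
    hit = sum(1 for d in device_ids if assign_edge(d, secret, pool) in flooded)
    return hit / len(device_ids) if device_ids else 0.0


def rotate(device_ids, old_secret, new_secret, pool=EDGE_POOL):
    """Re-key the mapping so re-authenticating devices learn a fresh edge.

    Returns {device_id: (old_edge, new_edge)} so an operator can see who
    moved off a flooded edge; IPs an attacker captured earlier go stale.
    """
    return {d: (assign_edge(d, old_secret, pool), assign_edge(d, new_secret, pool))
            for d in device_ids}


if __name__ == "__main__":
    devices = ["device-%03d" % n for n in range(40)]  # constructed device IDs
    victim_edge = assign_edge("device-007")
    print("device-007 uses", victim_edge)
    print("devices sharing it:", devices_on_edge(victim_edge, devices))
    print("fraction down if that edge is flooded: %.2f"
          % impacted_fraction([victim_edge], devices))
    print("fraction down if the whole pool is flooded: %.2f"
          % impacted_fraction(EDGE_POOL, devices))
    moved = sum(1 for old, new in rotate(devices, SERVER_SECRET, b"epoch-2").values()
                if old != new)
    print("devices reassigned after rotation:", moved)
```

The point the numbers make is the one both sides of the exchange are circling: per-device assignment shrinks who sees a given IP and lets you trace a flooded edge back to a small set of candidates, but it does nothing about aggregate capacity. If the attacker enumerates and floods every edge, `impacted_fraction` is 1.0 regardless of how clever the mapping is.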

        • phein4242@alien.top · 8 months ago

        You expressed yourself just fine and my question is still valid. Do you have the capacity to handle multi Tbit traffic on the edge ips that you use to hide the backend ips? Because if all of those are flooded, not only will the backend app be unreachable, but all your customers will be unreachable as well.

  • HTTP_404_NotFound@alien.top · 8 months ago

    A mini self-hosted cloudflare… you mean, like building a reverse proxy? If so… we already have traefik, nginx, haproxy, etc…

    Self-hosted, ruins the reason I use cloudflare, completely.

    I use cloudflare, because…

    1. DDOS / Attack protection. The bandwidth hits their servers, and not mine. You CANNOT SELF HOST ddos protection, unless you have a MASSIVE amount of bandwidth. Otherwise, it just overwhelms your internet connection. It doesn’t matter if the traffic is blocked. It still fills your pipe.
    2. Hiding my private IP / handling my dynamic IP.
    3. Processing my domain's SMTP. You don't want to handle email at your home IP… it's likely blacklisted from major providers.