
You have to realize that DDoS mitigators are in a position to not stop attacks. They get paid more money when attacks happen, so any company whose sole purpose is mitigation has a major conflict of interest. A small site can easily be hosted on AWS, which has its own protection, which is transparent. Any other cloud provider should offer it transparently anyway.

I absolutely hate people who claim Cloudflare is their only solution for mitigation/protection, because it simply isn't true, and Cloudflare does some rather shady stuff.



I feel like saying DDoS mitigators are in a position to not stop attacks is akin to saying car insurance companies are in a position to not stop car accidents. I think the value prop is the quality of the service WHEN the attacks happen, and when they aren't happening it is effectively an insurance-like business. However if I get DDoS'd and my mitigator does nothing, one would think they would eventually be overtaken by a more competent competitor.


Your analogy is accurate, but... If you don't have a mitigator, they have incentive to force you on one; if you are already on it, their incentive is throttling, or otherwise 'attacking' (loosely defined) your source.

With car insurance, the insurance company has incentive to mitigate their risk, (they don't want to shell out more than they need to,) charging more if you are higher risk. They don't want to take more risk than they have to. Key point, they evaluate risk on a case by case basis.

DDoS mitigators, however, have already invested in the risk by getting the hardware to handle the bandwidth. They don't care if you are attacked or not. Nothing then stops them from playing dirty. This kind of stuff frequently happened with Minecraft servers (what feels like) ages ago. Mitigating services would go out and attack servers and competitors to get customers to switch to them.


A good DDoS mitigation service can take the brunt of the attack and so you stay online. So, it's not exactly like car insurance companies unless insurance companies actually were able to put a steel wall in front of your car to prevent accidents.

You still get attacked, but it's like a frame around you, so you don't get hurt or damaged. (Here's an example of how Incapsula mitigates DDoS attacks - https://www.incapsula.com/ddos/ddos-mitigation-services.html)


> I feel like saying DDoS mitigators are in a position to not stop attacks is akin to saying car insurance companies are in a position to not stop car accidents.

Only if there's no overcharge when an attack happens. If there is, you are in the conflict of interest situation the GP was talking about.

I don't know what Cloudflare's billing policy is.



