Hi all
Is phoenix or erlang vm protected against DDOS attack?
Thanks
2 Likes
DDoS attacks are really only a matter of how much crap they can send your way, so there is no “solution” to it that doesn’t have massive caveats and it’s something that you might want to solve earlier in the stack in the IP routing layer.
The natural isolation of processes in any Erlang-style system means that, until a certain point, performance will degrade but you will still retain functionality and comparative to a lot of other languages the out of the box solutions survive far longer, so given no real work on your part (or on the part of the framework developers) you’re in a good position. I think trying to safeguard yourself against DDoS attacks is hopeless for a small actor, though, and you’re better off going with an external solution (Cloudflare comes to mind).
Edit: It should be said that part of what makes it harder to completely lock up an application running on the BEAM is that the scheduler makes it exceedingly hard to lock up cores. Long running requests and the like will not have to yield in order to allow other requests to be processed, since the scheduler does all that management automatically.
5 Likes
Yeah. It’s however worth mentioning that the Beam-based systems will be, generally speaking, more resistant to DDOS attacks than say Rails-based systems. It’s not just about the raw performance that is indeed better, allowing to handle more requests, it’s also about how you manage to keep the connections open and the way handling “slow clients” can be performed.
Being able to open and handle thousand concurrent connections versus handling dozens or hundreds matters in DDOS-defense strategies :).
4 Likes
There are 3rd party services that will take on theirs back such attack.
http://www.toptenreviews.com/business/internet/best-ddos-protection-services/
2 Likes
It depends on what are your setup.
If in production you run Phoenix server in nginx you need just to monitor nginx access.log by fail2ban (you need to setup rule for DDOS).
If you are going to run your app without nginx you need to log all request (probably with Plug and Logger with backend that is saving your messages to logs file) and add rule to fail2ban.
Fail2ban is a program to monitor log files. If it match an IP with one of rule it adds this IP to iptables and that IP cannot do that attack.
Of course it’s possible to implement programs like fail2ban in Elixir/Erlang, but I don’t see a reason for using them.
It’s also worth keeping in mind that more and more hosts and data centres now offer DDOS protection of some sort 
If you get hit by massive DDOS (over Terabit/sec) there is not much protection regardless of the techstack beyond having a sizable, robust and distributed infrastructure.
