DDoS protection

I was reading the blog post "August 22nd DDoS Learning Review, and saw where it mentions “This affected all users with an A record pointed to the IP address of our load balancer. It’s important to understand that we always encourage users to use our full blown CDN instead, by pointing a CNAME at our services.”

How does this relate to when the domain is pointing to Netlify’s own system record: Type=NETLIFY

I have a team member that is big on security and suspicious of Netlify. Unfortunately this area is not my strong suit. Forgive me if I am asking something silly or obvious.

Hey @Mei152 :wave:t2:

Welcome to The Community :slight_smile:

That’s a great question. For starters, feel free to point your team member(s) to The Community and this thread if you prefer. The team here (including Community members such as myself and Netlify Support Engineers) would be happy to talk through any concerns with them! Static sites come with a number of security advantages since they simply don’t operate running servers in the traditional sense :slight_smile:

To your question - if your domain is using Netlify’s Nameservers (which is the only way to see a NETLIFY type record, so I presume it is) then you don’t need to worry about the DDoS review / info at all. Using an Apex record and/or CNAME record for your apex and/or www. and/or other subdo’s is a process for when you’re not using Netlify’s DNS servers (e.g. nameservers, e.g. hosting your domain with Netlify).

For those looking to go a little bit deeper, I recommend this article from Netlify’s Co-Founder. It’s a great breakdown of DNS strategies. Tl;dr though, a NETLIFY record is essentially an ALIAS record :slight_smile:

Hope that helps!


Jon

@Mei152 As @jonsully pointed out, if you are using Netlify name servers you don’t have to worry about DDoS taking down your site (unless it is a monster of an attack, presumably), but you might run up some bandwidth charges.

I was wondering if there was a way to have a dedicated machine be a firewall or just something else FREE by using hardware (or software) to protect myself. Obviously common sense is a good protection along with using secure passwords etc, krogereschedule how else do I protect myself?

@jonsully thank your for the prompt and helpful reply!

@gregraven, you mention running up bandwidth charges. What is the best way to realize you have a situation before it goes on too long and runs into money? Would enabling analytics give me all the tools I need?

@Mei152 Yes, you would need to employ some sort of analytics … and then monitor the results.

Your team overview should also show you your current bandwidth usage:


@Janiya - I’m not sure what you mean. Netlify has their own firewalls and spam protection measures in place, but ultimately they serve purely static files so there’s no servers to need protecting. Bots or malicious users would, at worst, just get delivered your static file contents from Netlify.


Jon