we have been pondering this as well. ideally we would have a lab cluster built to simulate a DDoS attack and profile the server performance under controlled circumstances. but this is quite expensive to set up and we would like to exhaust all of our options for mocking an attack locally before renting a cluster for research.
one problem we have right now is that we don’t have a handy way to detect if an attack is even taking place - from the server’s perspective everything is functioning normally (it is still receiving requests and sending responses over the network), it is only from the perspective of the outside world that the server appears unresponsive. this is essentially the same “backpressure” problem discussed in the other thread.
swift-nio-http2 gives us the tools to apply backpressure at the stream level, but not at the connection level.
by the way, for those keeping score, swiftinit repelled three more attacks overnight!
based on aggregate logs, it appears the attacker impersonated a whitelisted bingbot user-agent during the first wave, and human-like user-agents during the second two waves:
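On the bingbot impersonation mentioned above, an added example that is not part of the original post or of swiftinit's code: a User-Agent allowlist can be backed by forward-confirmed reverse DNS, which is the check Microsoft documents for Bingbot (PTR name under `search.msn.com`, resolving back to the same address). The function names and the sample PTR/A tables are constructed for illustration.

```python
import socket

BINGBOT_SUFFIX = ".search.msn.com"  # host suffix Microsoft documents for Bingbot

def dns_reverse(ip):
    """PTR lookup: hostname for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(host):
    """A/AAAA lookup: set of addresses for host (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def is_verified_bingbot(ip, reverse=dns_reverse, forward=dns_forward):
    """Forward-confirmed reverse DNS: the PTR name must be under the crawler
    domain AND resolve back to the same address."""
    host = (reverse(ip) or "").rstrip(".").lower()
    if not host.endswith(BINGBOT_SUFFIX):
        return False            # no PTR, or PTR outside the crawler domain
    return ip in forward(host)  # a PTR alone is set by whoever owns the IP

def classify(ip, user_agent, reverse=dns_reverse, forward=dns_forward):
    """Only a client that claims to be bingbot triggers the DNS lookups."""
    if "bingbot" not in user_agent.lower():
        return "ordinary"
    ok = is_verified_bingbot(ip, reverse, forward)
    return "verified-crawler" if ok else "spoofed-crawler"

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_PTR = {
    "192.0.2.10": "msnbot-192-0-2-10.search.msn.com.",
    "198.51.100.7": "crawl.search.msn.com.attacker.example.",
    "203.0.113.5": "fake.search.msn.com.",
}
SAMPLE_A = {"msnbot-192-0-2-10.search.msn.com": {"192.0.2.10"},
            "fake.search.msn.com": {"192.0.2.99"}}
BING_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

if __name__ == "__main__":
    for ip in list(SAMPLE_PTR) + ["192.0.2.200"]:
        print(ip, classify(ip, BING_UA, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set())))
```

Under load the verdict should be cached per address, so that the lookups themselves do not become extra work during an attack.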