
I self-funded my startup to the tune of half a million dollars.

I've had what I can only assume to be a VC-funded competitor study my endpoints for high latency / expensive queries, then saturate them with millions of requests a second across thousands of simultaneous IP addresses.

Business is survival of the fittest. Pressures and growth gradients come in all shapes and sizes.



How did you mitigate the attack?


- Moved DNS to Cloudflare, which handled the brunt of it.

- IP and CIDR blocks

- A few trivial heuristics to catch certain behaviors they were using

- In-app query caching for read-only endpoints that serve the same data to all users

- Redis TTL caching for read-only endpoints that take view arguments. A means to manually expire on writes.

- Runtime control plane additions to dynamically block IPs/CIDRs, user accounts, and endpoints (if they find another hole to exploit, we can just block a few endpoints rather than the whole service)

- A tool to inject bad responses (we found another, probably different actor consuming and reselling our service)
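A sketch of two items from the list above, the runtime block rules and the TTL cache with manual expiry on writes, added here as an illustration and not the commenter's code. The class and method names are hypothetical, and an in-memory dict stands in for Redis so the block runs offline.

```python
import ipaddress
import time


class ControlPlane:
    """Hypothetical deny rules that can be changed while the service runs."""

    def __init__(self):
        self.networks = set()   # a single IP is stored as a /32 or /128 network
        self.accounts = set()
        self.endpoints = set()  # lets one expensive endpoint be switched off alone

    def block_cidr(self, cidr):
        self.networks.add(ipaddress.ip_network(cidr, strict=False))

    def unblock_cidr(self, cidr):
        self.networks.discard(ipaddress.ip_network(cidr, strict=False))

    def decide(self, ip, account, endpoint):
        """Return the reason a request is refused, or None to let it through."""
        if endpoint in self.endpoints:
            return "endpoint disabled"
        if account in self.accounts:
            return "account blocked"
        addr = ipaddress.ip_address(ip)
        if any(addr.version == n.version and addr in n for n in self.networks):
            return "address blocked"
        return None


class TTLCache:
    """In-memory stand-in (assumption) for a Redis TTL cache keyed by view args."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl, clock, {}

    def get(self, endpoint, args, compute):
        key = (endpoint, tuple(sorted(args.items())))
        hit = self.store.get(key)
        if hit and hit[0] > self.clock():
            return hit[1]                      # fresh entry: skip the expensive query
        value = compute(**args)
        self.store[key] = (self.clock() + self.ttl, value)
        return value

    def expire(self, endpoint):
        """Manual expiry: call from write paths that change this endpoint's data."""
        for key in [k for k in self.store if k[0] == endpoint]:
            del self.store[key]
```

Checking `decide` before the cache lookup keeps blocked traffic from ever reaching the query layer, and `expire` bounds staleness to the write path rather than the TTL.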


Why would that be a VC-funded competitor specifically?


Money to burn?



