New: Flexible Plans for Render PostgreSQL

Learn more
December 21, 2021

Free DDoS Protection for All Users

Chris Castle
A few months ago, Render quietly became the first full-stack Platform-as-a-Service to offer completely free DDoS protection to every application and website hosted on our platform. We’re using Cloudflare’s industry-leading DDoS protection infrastructure behind the scenes. Since releasing this feature, we’ve protected customers from more than one thousand DDoS attacks. Even better, we made this change with no downtime, which is exactly how we like to launch significant infrastructure improvements to Render! An additional (and timely) benefit to Render users is Cloudflare’s quick work to mitigate the log4j vulnerability announced last week. See our community post detailing Render’s response for details.

Why do we care about DDoS protection?

As DDoS attacks continue to increase in size and frequency, we don’t want Render users to have to worry about them. These attacks are a threat to your site’s uptime and responsiveness and are typically complex and time-consuming to diagnose and resolve. And while it may not be the brightest, shiniest feature, reliability is always top of mind for our work at Render. It’s one of the most important features we can offer to you. When you entrust Render to replace your DevOps team, you rely on us to keep your site available, even when it’s under attack. By eliminating DDoS as a threat, we help ensure your users have uninterrupted access to your content and services at all times.

DDoS Attacks Explained

DDoS stands for Distributed Denial of Service. DDoS attacks flood a site with requests from multiple IP addresses simultaneously. These requests aren’t legitimate traffic trying to access your website or API in the way you intend. Attacks are often orchestrated by malicious actors motivated by profit or politics or just a desire to cause general chaos. DDoS attacks can target a specific site, IP address, or an entire hosting platform. A typical denial-of-service attack involves a malicious actor sending a massive number of HTTP requests (or TCP packets) to your website1 — typically several orders of magnitude more than usual, exhausting its resources and preventing it from serving legitimate traffic. In a distributed denial-of-service attack, these requests come from many different IP addresses, typically belonging to malware-infected devices (including ‘smart’ home appliances like refrigerators!). This set of infected machines is called a botnet: tens of thousands of devices from personal computers to compromised servers sending traffic to the target website simultaneously, effectively overloading it and making it inaccessible to legitimate users.

Mitigating DDoS Attacks

DDoS attacks are hard to mitigate because they come from many different IP addresses and often from legitimate but compromised computers. You don’t want to restrict legitimate IP addresses from accessing your site, but how do you distinguish between legitimate and malicious traffic from the same IP address? The attack can also change IP addresses every few seconds, further compounding the difficulty of stopping the attack. Cloudflare is a proven leader in DDoS mitigation, blocking “an average of 76 billion threats per day, including some of the largest DDoS attacks in history.”2 Similar to how our customers rely on us for DevOps expertise, we decided to rely on experts to manage this critical aspect of our underlying infrastructure. The team at Cloudflare continues to build some of the most sophisticated mechanisms to differentiate between legitimate and malicious traffic, and Render users will continue to benefit from future improvements to Cloudflare’s DDoS protection mechanisms without lifting a finger.

One Less Thing to Worry About

We already abstract away the infrastructure for your sites, and now we’re also abstracting away DDoS protection for all HTTP services on Render. Best of all, we’re doing it in a way that’s zero-configuration and completely free! While you’re still responsible for application-level security and performance, we’re excited to add yet another product to our portfolio, so you have one less thing to worry about.

Footnotes

  1. It could be any type of service (not just a website), but we’re focusing on websites (and HTTP services in general) because Render only accepts traffic on HTTP ports (80 and 443) for user-deployed code.
  2. https://www.cloudflare.com/ddos/