My friend's website promoting freedom of speech in communist Vietnam has recently been brought down by a 400k+ IP DDoS launched affirmatively by a government-sponsored cyber army. I've been asked for some ideas, and have had some experience warding off some minor DDoS on my own non-political website.
Anyway, I've read this great discussion thread and came up with an idea that I think might work, especially for us individual webmasters who can't afford large distributed networks that can absorb such massive attacks. It is as follows, please let me know your thoughts:
1. Use iptables to redirect all traffic to a reCAPTCHA validation page
- reCAPTCHA generation is handled by Google's distributed network, which is designed to withstand DDoS
- the reCAPTCHA validation page is therefore a static page and does not weigh down your server's processing power
2. Once validated, the IP is added to the iptables allow list, and the user is redirected back to the homepage
- entries that have been idle for some time should be removed from the list
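Here is the two-step scheme above implemented with iptables and ipset, as an added example that is not part of the original post. It assumes (none of this is from the post) that the site listens on port 80, that a separate minimal server on port 8080 serves only the static reCAPTCHA page, that the allow list is an ipset named `captcha_ok`, and that an entry expires after 600 seconds without traffic. Using an ipset with a `timeout` and a rule that refreshes it on every matching packet does the idle-expiry of step 2 in the kernel, so no cleanup job is needed. Setting `RUN=echo` prints the firewall commands instead of running them, which is how you can read through it on a machine without root.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: web server on port 80, static captcha page on port 8080,
# ipset named "captcha_ok", 600 s idle timeout. RUN=echo gives a dry run.
: "${RUN:=}"
SET_NAME=captcha_ok
IDLE_TIMEOUT=600
WEB_PORT=80
CAPTCHA_PORT=8080
# Server-side reCAPTCHA secret (placeholder; never the public site key).
RECAPTCHA_SECRET="${RECAPTCHA_SECRET:-replace-me}"

# Accept only a well-formed dotted quad with octets <= 255 before anything
# reaches ipset; a client-supplied string must never hit the firewall unchecked.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Step 1: create the allow set and the two rules.
#  - mangle/PREROUTING: every packet from an allowed IP refreshes its timeout,
#    so an entry that stops sending traffic expires on its own.
#  - nat/PREROUTING: a new connection from an IP not in the set is redirected
#    to the port serving the static captcha page.
setup_firewall() {
    $RUN ipset -exist create "$SET_NAME" hash:ip timeout "$IDLE_TIMEOUT"
    $RUN iptables -t mangle -A PREROUTING -p tcp --dport "$WEB_PORT" \
        -m set --match-set "$SET_NAME" src \
        -j SET --add-set "$SET_NAME" src --exist --timeout "$IDLE_TIMEOUT"
    $RUN iptables -t nat -A PREROUTING -p tcp --dport "$WEB_PORT" \
        -m set ! --match-set "$SET_NAME" src \
        -j REDIRECT --to-ports "$CAPTCHA_PORT"
}

# Does a siteverify JSON body report success? A grep is enough for this field.
recaptcha_success() {
    printf '%s' "$1" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true'
}

# Step 2: put a validated client into the set. -exist keeps a repeat
# validation from failing if the IP is already listed.
allow_ip() {
    is_ipv4 "$1" || return 1
    $RUN ipset -exist add "$SET_NAME" "$1" timeout "$IDLE_TIMEOUT"
}

# Glue for the captcha page's form handler: verify the token with Google's
# siteverify endpoint, then allow the client IP. (Network call; not dry-run.)
verify_and_allow() {
    ip=$1; token=$2
    is_ipv4 "$ip" || { echo "bad ip: $ip" >&2; return 1; }
    body=$(curl -s --max-time 5 \
        -d "secret=$RECAPTCHA_SECRET" -d "response=$token" -d "remoteip=$ip" \
        https://www.google.com/recaptcha/api/siteverify) || return 1
    recaptcha_success "$body" || return 1
    allow_ip "$ip"
}
```

The handler behind the captcha form would call `verify_and_allow "$REMOTE_ADDR" "$g_recaptcha_response"` and then issue the redirect back to the homepage. Two caveats a practitioner would weigh before relying on this: iptables only acts on packets that have already reached the host, so if the flood saturates the uplink or exhausts conntrack the captcha page never loads either; and although the page itself is static, each submission still costs the server an outbound HTTPS request to siteverify, so the validation endpoint needs its own rate limit.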