How does Hacker News avoid (successful) DDoS attacks?

Question

Hacker News has an API&sup1; that doesn't require authentication and doesn't have a rate limit. Naively, that seems like a perfect recipe for DDoS attacks. Yet HN is typically a very reliable site. So what's the secret?Fn 1: https://github.com/HackerNews/API

capableweb · Accepted Answer

It does have a rate limit, it's just very very high. I've hit it sometime when trying to download every single item since day 0. But it's very lenient, you have to run multiple threads downloading as fast as they can in order to hit it.
The API is not hosted by HN/Ycombinator themselves. If I recall correctly, it was initially hosted by Firebase which is/was a company seed-funded by Ycombinator. It (Firebase) is now a part of Google, so I guess you could say Google is hosting the HN API now.
With that, comes everything they are doing to prevent malicious ddos attacks.

Archipelagia · Answer

So this might be naive, but... what interest would someone have in taking down HN?Like, people with skills to run an attack are also more likely to actually enjoy participating here. It'd be like someone trying to take down Stack Overflow. Even if you can do that &ndash; especially if you're the kind of person who could do that &ndash; you'd probably be shooting yourself in the foot, right?

hayst4ck · Answer

You can hit the rate limit, just open 50 tabs and try to load them all at once. You will get IP banned, likely if there are a lot of cache-miss queries (querying old pages rather than recent ones).
There are many services you can use that will filter traffic and prevent DDoS. It's relatively easy to shift traffic to them if there is a problem.
Lastly the content of HN is almost entirely text, high read, very low write. Nearly all writes are behind an account, signup can be protected by a captcha or turned off entirely. The architecture means that reads can be cached, and the caching, serving, and traffic layers (assuming they are there) can likely scale horizontally nearly unbounded.
Then hacker news is full of tech folks who would probably enjoy investigating a DDoS.
DDoSing seems high risk low reward.

trillic · Answer

Rate limiting, caching, very little code being run for each request, overkill hosting, most data being accessed is likely already in RAM, etc.

anshumankmr · Answer

IP based rate limiting probably (?)

rosnd · Answer

HN doesn't attract many DDoS attacks, most websites don't attract any DDoS attacks.Historically HN has not been hosted on infrastructure that would be particularly resistant to DDoS attacks, nobody has been DDoSing it.

How does Hacker News avoid (successful) DDoS attacks?

Hacker News has an API¹ that doesn't require authentication and doesn't have a rate limit. Naively, that seems like a perfect recipe for DDoS attacks. Yet HN is typically a very reliable site. So what's the secret?
Fn 1: https://github.com/HackerNews/API

Rate limiting, caching, very little code being run for each request, overkill hosting, most data being accessed is likely already in RAM, etc.

IP based rate limiting probably (?)

HN doesn't attract many DDoS attacks, most websites don't attract any DDoS attacks.
Historically HN has not been hosted on infrastructure that would be particularly resistant to DDoS attacks, nobody has been DDoSing it.