This is just fucking weird, tell me I am not the only one feeling weird how the fascists decided to migrate to Lemmy of all places.
This is just fucking weird, tell me I am not the only one feeling weird how the fascists decided to migrate to Lemmy of all places.
Can you go a little more in depth? I'm curious because I'm studying web development.
Oh sure! This is a bit of an oversimplification but:
A DDoS is specifically crafted traffic that intends to cause problems (taking the site offline usually)
A web application will generally have 3 main components: the application server(s), the database, and the load balancer (or other configuration for routing requests between the application server and the end user. Any of them can be the bottleneck for load problems.
You identified problems that are mitigated with different infrastructure configurations, which I'd consider to be the load balancer or infrastructure layer. That would be like "you don't have enough servers to respond to requests" or "you set up a ddos prevention service (like cloudflare) to use as a CDN" — both of these can contribute to a site's DDoS hardiness.
At the application layer you can simply have code paths that are less performant than others — for example, a page that does a lot of compute-intensive operations like performing cryptographic functions will use more of your application server's resources than one that just loads simple text or something.
The same goes for pages that have expensive database queries — if you have a page that loads too many records into memory or does that unperformantly, that can overload the database so it can't serve responses to other pages.
So the application layer solution is simply code optimization?
Kind of — sometimes expensive routes are necessary (e.g. for operations interacting with passwords you will need to do cryptographic functions and the fact that they're compute intensive is a feature rather than a bug because that makes them take longer to brute-force).
Sometimes the solution there is to move expensive routes behind a login page (doesn't work for sign up/in pages of course.) If you can't do that (or even if you do) sometimes the solution is to stick a captcha on the page.
Depending on the system, sometimes the solution is to separate the expensive parts out into their own service so you can isolate failures — like if you're Netflix, you'd probably want the application responsible for streaming videos to be completely separate from the application responsible for logging users in, that way if your sign-ins go down the people who are already signed in can still watch their videos.