DDOS protection for your relay nodes

Hi everyone,
I recently considered moving my relay nodes to a different VPS provider.
the problem is - that VPS provider offers no DDOS protection.
Has anyone experimented with cloudflare’s DDOS protection for their nodes?

Do you guys think its important to have DDOS protection for relay nodes?

I know a good practice to prevent DDoS attacks, keep 1 relay private (don’t register it)

1 Like

I don’t quite understand how would that help against DDoS attacks?
It might not be registered to your pool, but it still has a port open to the world wide web hence it can get attacked.

I thought about only allowing the addresses in my topology file on the firewall but that would probably interfere with other relays trying to communicate with me.

In order to start a DDoS attack u will need to know the target/destination IP

I don’t think this is really anything to worry about. The purpose of a DDOS is generally to bring down a service. In the case of a single node, it would have zero impact on the overall network. The attack is pointless against a single node, except maybe if there was an extortion angle, but you could simply move your node to a new IP.

DDOS attacks are also somewhat expensive to launch, so there is always the option of just waiting it out as well.

Hostinger.com uses https://bitninja.io/

You want maximum reliability and disaster recovery for your delagators. Especially if they entrust you with staking their ADA. So I think having DDoS protection is important. https://bitninja.io/

Do u think someone can protect you against a real DDoS?

Every little bit helps… its only $10/month. Do I think somebody can bring down the Cardano network? No. Do I think somebody could bring down my servers? Yes. My liability is to my future investors (delegators) who trust my ability to maximize their return.

I hope you won’t mind my humor (it is late here), but I think KES rotation mix-ups harmed the cardano network far more than DDoS attacks so far


I just don’t see any pay off for launching a DDOS at any particularly pool. The only “useful” vector would be hitting the current leader to prevent minting a block, which would require some sophistication. Even then, I don’t know that it would even be useful in any real capacity.

I just don’t see the monetary reward for the attacker, so why would they waste resources on such an attack?

A sustained attack from a rival pool kinda makes sense if your goal was to force delegators to leave. It would have to last many epochs, so it’s highly cost prohibitive. Even if you could pull that off, delegators would migrate to many different other pools, so the payoff is zilch again.

1 Like

I do agree with @Alexd1985 it is the simplest and cheapest way to protect against DDOS.

1 Like

Optimize your firewall with rules and allow your nodes to accept traffic from each other only.

Ok, but the relays need to talk with other public nodes