It seems like DDoSes are getting harder and harder to deal with. The tips that worked 10 years ago are now easily worked around. I keep seeing people on here say "just use TLS fingerprinting" like it's a panacea, but I can't remember the last time an attack didn't spoof its fingerprint.
It feels like, outside of custom behavior tracking, there's no good way to truly protect your site without making it more restrictive in general: require JS, client-side challenges, Cloudflare.
Client-side challenges would be fine when a DDoS is actually happening, but right now they're basically targeting certain platforms more than others. That doesn't actually help keep a site secure in that case, and it hurts user experience.