Does Heroku protect individual sites from DoS / DDoS attacks?

Question

Heroku is, it seems, under a DDoS attack right now, which is causing intermittent availability issues across the site manifesting themselves on (of course!) my app.

I have seen a number of these kinds of attacks recently, including the huge DDoS attack on Register.com a few months ago.

My question is, what were to happen if attackers zero'ed in on one of Heroku's clients?

Does Heroku protect individual apps from DoS and DDoS attacks?

Answer 1

Short answer: Yes. Heroku's dynos are protected by the fact they each have their own file-system and their own user, etc.

Long answer: Depending on the severity of the (D)DoS attack, there can be a point were the load of requests from a DoS attack will require more resources than are available to heroku's cloud. You may experience delayed requests and application responsiveness may be reduced. It is important though to understand this 'lack of performance' does not indicate a breach of security . Heroku's, (iirc from a couple convos I've had with employees) has a pretty robust routing layer which helps to balance the load and avoid using troubleshome and/or unresponsive dynos (instances of your application), but then again, a truly Distributed Denial of Service attack, with it's ludicrous amount of load on the server may eventually hit a point where the resources in the cloud are simply not enough.

<speculating> It is at that point that the providers (Heroku in this case) usually only have the option of trying to isolate the attack, usually done by 'holding the line' if you will at the dns-level and (temporarily) rejecting requests to the domain/s under attack. Not to say this is the only way, but one way. Very dependent on the specifics of the attack, which of course as an outsiders, I don't know. </speculating>

ref: http://www.heroku.com/how/dynos

I am not an employee or representative of Heroku, just a user-- talk to them for more specifics

Answer 2

This question may be older but it's shown on a high position in search results.

Heroku states on their security page:

DDoS Mitigation

Our infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.

Source: https://www.heroku.com/policy/security

Also interesting when testing a DDoS load:

Request queueing

Each router maintains an internal per-app request counter. For Cedar apps, routers limit the number of active requests per dyno to 50. There is no coordination between routers however, so this request limit is per router. If the request counter on a particular router fills up, subsequent requests to that router will immediately return an H11 (Backlog too deep) response.

Source: https://devcenter.heroku.com/articles/http-routing#request-queueing