Written by Spencer Koch and Pratik Lotia.

Hey everyone! Spencer Koch here, a Principal Security Engineer at Reddit. My colleague, Pratik Lotia, Senior Security Engineer, and I recently gave a talk at DEF CON 33 on how we protect cat memes from DDoS. You might be wondering why we’re so concerned about cat memes. Well, when you’re managing a platform that handles over 1.3 trillion requests and serves up 175 petabytes of bandwidth every week, even something as simple as a GIF of a grumpy cat can become a target in a massive Distributed Denial of Service (DDoS) attack.

Article Summaries:

  • Reddit’s senior engineers, Spencer Koch and Pratik Lotia, presented at DEF CON 33 how the platform defends even low-value content, like cat memes, from large-scale DDoS attacks. Handling over 1.3 trillion requests weekly, Reddit relies on custom, cost-effective defenses rather than commercial WAFs. Their strategy layers highly specific signals (TLS and request-header fingerprints, behavioral patterns) to detect malicious traffic, then applies a two-tier rate-limiting system: cheap edge filtering at the CDN and deeper application-level controls for per-user requests. To raise attackers’ costs, they isolate bad traffic into constrained “slowlane” pools and inflate response sizes, forcing attackers to waste bandwidth. The talk highlighted Reddit’s bespoke, scalable approach to maintaining reliability and performance.
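A minimal model of the layering described in the summary, added here as an illustration and not taken from Reddit's code or the talk: a combined TLS and header fingerprint decides whether traffic goes to a constrained slowlane pool, and the remaining traffic passes a coarse edge limit and then a per-user application limit. The class names, fingerprint strings, thresholds and sample traffic are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict, deque

class Window:
    """Sliding-window counter: at most `limit` hits per key per `span` seconds."""
    def __init__(self, limit, span=1.0):
        self.limit, self.span, self.hits = limit, span, defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.span:
            q.popleft()              # forget hits that left the window
        q.append(now)                # denied hits count too, so a flood stays limited
        return len(q) <= self.limit

class Gate:
    """All thresholds and fingerprint values are constructed for illustration."""
    def __init__(self):
        self.bad = {("tls:bot-a", "hdr:bot-a")}   # known-bad (TLS, header) pairs
        self.edge = Window(limit=20)   # tier 1: coarse, per fingerprint, at the CDN edge
        self.app = Window(limit=5)     # tier 2: per user, inside the application
        self.slow = Window(limit=2)    # shared budget of the constrained slowlane pool

    def route(self, req, now):
        fp = (req["tls_fp"], req["hdr_fp"])
        # Layered signal: TLS and header fingerprints must both match, so a
        # client that merely shares a TLS stack with the bot is not penalised.
        if fp in self.bad:
            return "slowlane" if self.slow.allow("pool", now) else "dropped"
        if not self.edge.allow(fp, now):
            return "edge-limited"
        if req.get("user") and not self.app.allow(req["user"], now):
            return "app-limited"
        return "fastlane"

def simulate(requests):
    """Route (timestamp, request) pairs through a fresh Gate; tally the outcomes."""
    gate = Gate()
    return Counter(gate.route(req, ts) for ts, req in requests)

# Constructed traffic, all inside one second: a flood from one bad fingerprint,
# a browser sharing the bot's TLS fingerprint, and one over-eager logged-in user.
BOT = {"tls_fp": "tls:bot-a", "hdr_fp": "hdr:bot-a"}
SHARED_TLS = {"tls_fp": "tls:bot-a", "hdr_fp": "hdr:browser", "user": "alice"}
EAGER = {"tls_fp": "tls:browser", "hdr_fp": "hdr:browser", "user": "bob"}
SAMPLE = ([(i / 1000, BOT) for i in range(500)]
          + [(0.5, SHARED_TLS)]
          + [(0.6 + i / 100, EAGER) for i in range(8)])

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

Because the slowlane budget is shared by all flagged traffic, the flood competes only with itself and never consumes the edge or per-user budgets of other clients.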
