Are there any inherent advantages or disadvantages when it comes to handling DDoS attacks on an application running a non-blocking framework like node.js?
As I understand it, these attacks overload the system resources with a ton of requests – causing it to fail. Non-blocking frameworks are able to handle many more concurrent requests than blocking ones. Shouldn’t that mean that using non-blocking frameworks by nature help mitigate these types of attacks?
I realize there are other factors involved in mitigating these attacks, but with all other things equal, is this a correct assumption?
A non-blocking service will generally make more system resources available to users than a blocking service. Until all system resources are used up by the attack a non-blocking service will perform better in that legitimate users can still fulfill requests while the attack is happening. That is, real users will not have to wait for the attackers bogus requests to complete before the system starts processing legitimate requests. But given the greater exposure to system resources a DDoS attack can be more effective on a non-blocking service.
Say for example the limiting factor is database access. A non-blocking service has a greater ability to make more DB requests than the blocking service. So while the non-blocking service may still accept legitimate user requests, they will have a harder time completing the database access because the attackers requests are better able to keep the DB under load.
So I’d say yes – non-blocking is better – but only if you can make sure that downstream resources are sized appropriately.