Rename "mitigations" to "mitigation tactics"

astro.config.mjs

@@ -32,9 +32,9 @@ export default defineConfig({
           link: '/mitigation',
         },
         {
-          label: 'All mitigations',
+          label: 'Mitigation tactics',
           autogenerate: {
-            directory: 'mitigations',
+            directory: 'tactics',
           },
           collapsed: true,
         },

src/content/docs/index.md

@@ -33,12 +33,12 @@ from [hobbyists](https://news.ycombinator.com/item?id=39520776) to [Fortune 500
 can be a target.
 Furthermore, they pose a threat to the decentralisation of the Internet,
 as only well-resourced companies can afford to operate and protect
-the [public goods](./systems/public-goods.md) on which we all depend.
+the [public goods](./mitigation.md#public-goods) on which we all depend.
 
 Fortunately,
 **although developers and operators can't _avoid_ DDoS attacks,
 they can _greatly minimise_ the impact of such attacks**.
-[Reverse proxies](./mitigations/reverse-proxies.md) (aka _CDNs_) are a great starting point,
+[Reverse proxies](tactics/reverse-proxies.md) (aka _CDNs_) are a great starting point,
 but they should be part of a [broader strategy](mitigation.md).
 
 ## Help wanted

src/content/docs/mitigation.md

@@ -29,12 +29,12 @@ systems like intranet servers and mesh networks are outside the scope of this do
 
 ### Static websites
 
-The following mitigations should prove very effective against DDoS attacks on static websites that don't require [authentication](./mitigations/authentication.md):
+The following mitigations should prove very effective against DDoS attacks on static websites that don't require [authentication](tactics/authentication.md):
 
-- [Reverse proxy](./mitigations/reverse-proxies.md). Make sure to host the static content on a service like Amazon S3 or GitHub Pages, and enable caching in your reverse proxy.
-- [Unmetered DNS lookups](./mitigations/unmetered-dns.md).
-- [Cloud resource limits](./mitigations/resource-limits.md). [Static websites are very much susceptible to DoW attacks](https://news.ycombinator.com/item?id=39520776).
-- [Attack detection](./mitigations/detection.md).
+- [Reverse proxy](tactics/reverse-proxies.md). Make sure to host the static content on a service like Amazon S3 or GitHub Pages, and enable caching in your reverse proxy.
+- [Unmetered DNS lookups](tactics/unmetered-dns.md).
+- [Cloud resource limits](tactics/resource-limits.md). [Static websites are very much susceptible to DoW attacks](https://news.ycombinator.com/item?id=39520776).
+- [Attack detection](tactics/detection.md).
 
 ### API servers
 
@@ -46,22 +46,22 @@ It includes, but isn't limited to, Web-based APIs.
 
 Adoption of the following mitigations will typically involve breaking changes to the protocol:
 
-- [Client authentication](./mitigations/authentication.md).
-- [Cryptographic challenges](./mitigations/crypto-challenges.md).
-- [Client-based rate limiting](./mitigations/rate-limiting.md).
-- [App attestation](./mitigations/app-attestation.md).
-- [Humanity verification](./mitigations/humanity-verification.md).
-- [Client reputation scoring](./mitigations/client-reputation.md).
+- [Client authentication](tactics/authentication.md).
+- [Cryptographic challenges](tactics/crypto-challenges.md).
+- [Client-based rate limiting](tactics/rate-limiting.md).
+- [App attestation](tactics/app-attestation.md).
+- [Humanity verification](tactics/humanity-verification.md).
+- [Client reputation scoring](tactics/client-reputation.md).
 
 #### Mitigations available to operators
 
 The following can be adopted without breaking changes to the protocol:
 
-- [Reverse proxy](./mitigations/reverse-proxies.md). If the system is Web-based and aimed at humans, consider a proxy that enforces [cryptographic challenges](./mitigations/crypto-challenges.md) and [CAPTCHAs](./mitigations/humanity-verification.md) for the most suspicious clients; for example, [Cloudflare Turnstile](https://developers.cloudflare.com/turnstile/).
-- [Unmetered DNS lookups](./mitigations/unmetered-dns.md), if the protocol uses DNS.
-- [Cloud resource limits](./mitigations/resource-limits.md).
-- [Attack detection](./mitigations/detection.md).
-- [Abuse reporting](./mitigations/abuse-reporting.md).
+- [Reverse proxy](tactics/reverse-proxies.md). If the system is Web-based and aimed at humans, consider a proxy that enforces [cryptographic challenges](tactics/crypto-challenges.md) and [CAPTCHAs](tactics/humanity-verification.md) for the most suspicious clients; for example, [Cloudflare Turnstile](https://developers.cloudflare.com/turnstile/).
+- [Unmetered DNS lookups](tactics/unmetered-dns.md), if the protocol uses DNS.
+- [Cloud resource limits](tactics/resource-limits.md).
+- [Attack detection](tactics/detection.md).
+- [Abuse reporting](tactics/abuse-reporting.md).
 
 ### Public goods
 
@@ -83,22 +83,22 @@ Examples include:
 
 Adoption of the following mitigations will typically involve breaking changes to the protocol:
 
-- [Cryptographic pseudonymous authentication](./mitigations/authentication.md#cryptographic-pseudonymous-authentication).
-- [Cryptographic challenges](./mitigations/crypto-challenges.md).
-- [Client-based rate limiting](./mitigations/rate-limiting.md).
-- [App attestation](./mitigations/app-attestation.md).
-- [Humanity verification](./mitigations/humanity-verification.md).
-- [Client reputation scoring](./mitigations/client-reputation.md).
+- [Cryptographic pseudonymous authentication](tactics/authentication.md#cryptographic-pseudonymous-authentication).
+- [Cryptographic challenges](tactics/crypto-challenges.md).
+- [Client-based rate limiting](tactics/rate-limiting.md).
+- [App attestation](tactics/app-attestation.md).
+- [Humanity verification](tactics/humanity-verification.md).
+- [Client reputation scoring](tactics/client-reputation.md).
 
 #### Mitigations available to operators
 
 The following can be adopted without breaking changes to the protocol:
 
-- [Reverse proxy](./mitigations/reverse-proxies.md).
-- [Unmetered DNS lookups](./mitigations/unmetered-dns.md), if the protocol uses DNS.
-- [Cloud resource limits](./mitigations/resource-limits.md).
-- [Attack detection](./mitigations/detection.md).
-- [Abuse reporting](./mitigations/abuse-reporting.md).
+- [Reverse proxy](tactics/reverse-proxies.md).
+- [Unmetered DNS lookups](tactics/unmetered-dns.md), if the protocol uses DNS.
+- [Cloud resource limits](tactics/resource-limits.md).
+- [Attack detection](tactics/detection.md).
+- [Abuse reporting](tactics/abuse-reporting.md).
 
 ### Peer-to-peer networks
 
@@ -108,13 +108,13 @@ Examples include BitTorrent and (P2P)SIP.
 
 As the developer of a P2P protocol, you should consider the following mitigations:
 
-- [Authentication](./mitigations/authentication.md). Consider using long-term identity keys if pseudonymity is needed, or [VeraId](https://veraid.net) when the identity of the user is relevant.
-- [Cryptographic challenges](./mitigations/crypto-challenges.md).
-- [Client-based rate limiting](./mitigations/rate-limiting.md).
-- [Client reputation scoring](./mitigations/client-reputation.md).
+- [Authentication](tactics/authentication.md). Consider using long-term identity keys if pseudonymity is needed, or [VeraId](https://veraid.net) when the identity of the user is relevant.
+- [Cryptographic challenges](tactics/crypto-challenges.md).
+- [Client-based rate limiting](tactics/rate-limiting.md).
+- [Client reputation scoring](tactics/client-reputation.md).
 
 The mitigations above work on the application layer,
-but since you can't place [proxies](./mitigations/reverse-proxies.md) between peers,
+but since you can't place [proxies](tactics/reverse-proxies.md) between peers,
 the P2P application itself should also be able to mitigate attacks on the [transport layer](https://en.wikipedia.org/wiki/Transport_layer) (e.g. TCP),
 such as [SYN floods](https://en.wikipedia.org/wiki/SYN_flood).
 In lieu of a reverse proxy, you should consider using a P2P library that offers some DDoS defence, like [libp2p](https://docs.libp2p.io/concepts/security/dos-mitigation/).

src/content/docs/overview.md

@@ -66,7 +66,7 @@ absorb the DDoS traffic,
 which can be exceptionally complex and expensive to implement in-house.
 In most cases,
 the only practical way to protect this layer is to use a
-[reverse proxy](./mitigations/reverse-proxies.md).
+[reverse proxy](tactics/reverse-proxies.md).
 
 ### Protocol attacks
 
@@ -104,7 +104,7 @@ This layer is also susceptible to slow and low attacks,
 such as [Slowloris](https://www.cloudflare.com/en-gb/learning/ddos/ddos-attack-tools/slowloris/) and [RUDY](https://www.imperva.com/learn/ddos/rudy-r-u-dead-yet/).
 
 App developers and operators share the responsibility of protecting this layer,
-and nearly all the [DDoS mitigations](./mitigations/index.md) are implemented at this level.
+and nearly all the [DDoS mitigations](tactics/index.md) are implemented at this level.
 Where it can be used,
 a reverse proxy is the most effective way to protect the application layer,
 especially when the application uses a protocol supported by the proxy (e.g. HTTP).
@@ -218,7 +218,7 @@ the potential for larger DDoS attacks increases.
 
 As devices, such as smartphones and laptops, get better CPUs and more storage,
 they become more capable of reducing the effectiveness of certain DDoS mitigation mechanisms,
-like [cryptographic challenges](./mitigations/crypto-challenges.md).
+like [cryptographic challenges](tactics/crypto-challenges.md).
 
 ### Expanding IoT botnets
 
@@ -259,7 +259,7 @@ Developers and operators must work together to fortify all network layers agains
 Whilst avoiding or stopping DDoS attacks may not be possible,
 their impact can be greatly minimised.
 Understanding attack vectors, delivery methods and new threats
-helps in implementing preemptive [mitigation techniques](./mitigations) to reduce impact.
+helps in implementing preemptive [mitigation tactics](./tactics) to reduce impact.
 
 ## Further reading
 

src/content/docs/mitigations/detection.md → src/content/docs/tactics/detection.md

@@ -7,6 +7,12 @@ sidebar:
     variant: caution
 ---
 
+
+## Instrumentation
+
 - Telemetry (logs, metrics, events, traces) to detect surges in resource utilisation, error rates, etc.
+- OpenTelemetry.
+
+## Monitoring and alerting
 - Security Information and Event Management (SIEM)
 - Alerting, including budget alerts.

src/content/docs/mitigations/index.md → src/content/docs/tactics/index.md

@@ -1,12 +1,12 @@
 ---
-title: Mitigations
+title: DDoS mitigation tactics
 sidebar:
   label: Overview
   order: 0
 ---
 
-No mitigation will be enough on its own,
-but a combination of mitigations can make it more difficult for abusers to exploit your service.
+No single tool or technique will be enough on its own,
+but a combination of them can make it more difficult for abusers to exploit your service.
 This section aims to describe all the possible mitigations against DDoS attacks.
 If you are aware of a strategy that we don't explicitly recommend or advise against,
 please [let us know](https://github.com/relaycorp/ddos-report/discussions).