Are you sure it's really possible to just weather DDoS ? I think that this would play out like in the middle ages with forts and castles getting besieged.
>more bandwidth and hardware
It's probably possible to tank it, however it's also really inefficient. On the level of society as a whole, you'd have a huge number of computers and network switches just turning electricity into waste heat without any benefit; you want to maximize the compute and network resources dedicated to hosting content for actual users.
>correctly configured fail2ban and maybe changing the DNS protocol to run over TCP to make the DNS traffic amplification attack impossible.
Good for harm reduction, but not a cure.
>I bet most serious DDoS attacks are done by the NSA in order to coerce companies to use fuckflare.
There could be a protection racket going on, but you are probably also underestimating the number of determined people with petty motivations and the means to act on them.
To go back to my medieval metaphor: if your village gets besieged, Cloudflare is like a giant that comes and sits on the siege forces until they give up. The giant is really effective at that, but also big and scary.
Cloudflare might also have done something that benefits web privacy recently: https://farside.link/invidious/watch?v=vKc1w58nlvw
Let me know what you think about that.
It's my intuition that it should be possible to make a network protocol that stacks the deck against DDoS. By that I mean that it imposes a big resource-multiplier penalty. So for example, if you need 1 network/compute resource to host your site, it will take an attacker 100 network/compute resources to DDoS it. I've tried to search for something like academic papers that have analyzed this problem in depth, but I don't know what keywords to type into a search engine to find those. As soon as you add "ddos" to your search query it'll just give you a million website-setup tutorials. Such a hypothetical network protocol would obviously not entirely prevent DDoS attacks, but it would negate the possibility of flood-fucking the entire network into systemic failure, which is theoretically possible with the current protocols. It would reduce DDoS attacks in general too, because many petty actors would get priced out entirely.
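The resource-multiplier idea in the last paragraph is what the literature calls a client puzzle (Juels and Brainard, 1999) or proof-of-work admission control: the server hands out a challenge that costs it one MAC to create and one hash to check, while the client has to try on the order of 2^k hashes to answer it, so k sets the asymmetry. The following is an added illustration written for this post, not code from the poster or from any real protocol; the secret key, client id, timestamp and difficulty values are constructed for the demo. It also shows the two checks a real deployment needs, a freshness window so solved puzzles cannot be replayed, and statelessness on the server so the puzzle itself cannot be used to exhaust its memory.

```python
"""
Client-puzzle handshake: cheap for the server, expensive for the client.
Server cost per request: one HMAC to (re)build the challenge plus one SHA-256
to check the answer, independent of difficulty. Client cost: about
2**difficulty SHA-256 calls on average. Added example; all values constructed.
"""
import hashlib
import hmac

# Constructed demo key. A real server would generate this at startup and
# rotate it; it is never sent to clients.
SECRET = b"constructed-demo-puzzle-key-do-not-reuse"


def make_challenge(secret: bytes, client_id: bytes, issued_at: int) -> bytes:
    """Stateless challenge: HMAC over the client id and issue time.
    The server stores nothing per client; it recomputes this when verifying,
    so an attacker cannot fill server memory by requesting many puzzles."""
    msg = client_id + issued_at.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the puzzle's difficulty measure)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve_puzzle(challenge: bytes, difficulty: int) -> tuple[int, int]:
    """Client side: search for a nonce such that SHA-256(challenge || nonce)
    has at least `difficulty` leading zero bits.
    Returns (nonce, hashes_tried); expected hashes_tried is about 2**difficulty."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return nonce, nonce + 1
        nonce += 1


def verify_solution(secret: bytes, client_id: bytes, issued_at: int, nonce: int,
                    difficulty: int, now: int, max_age: int = 30) -> tuple[bool, int]:
    """Server side. Returns (accepted, hash_operations_spent).
    Freshness is checked first so stale or replayed puzzles cost zero hashing."""
    if not (0 <= now - issued_at <= max_age):
        return False, 0
    challenge = make_challenge(secret, client_id, issued_at)   # 1 HMAC
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()  # 1 hash
    return _leading_zero_bits(digest) >= difficulty, 2


def cost_ratio(difficulty: int, client_id: bytes = b"constructed-client",
               issued_at: int = 1_700_000_000) -> float:
    """Run one full exchange and return client hashes / server hash operations.
    This is the 'resource multiplier' the poster is asking about."""
    challenge = make_challenge(SECRET, client_id, issued_at)
    nonce, client_hashes = solve_puzzle(challenge, difficulty)
    ok, server_hashes = verify_solution(SECRET, client_id, issued_at, nonce,
                                        difficulty, now=issued_at + 1)
    if not ok:
        raise RuntimeError("server rejected a freshly solved puzzle")
    return client_hashes / server_hashes


if __name__ == "__main__":
    for k in (8, 12, 16):
        print(f"difficulty {k:2d} bits: client/server cost ratio ~ {cost_ratio(k):,.0f}")
```

The ratio is a per-request figure: the multiplier holds against attacks that try to exhaust server CPU or application state, because every accepted request is backed by client work the server never had to do. It does nothing against a pure bandwidth flood, where the link is saturated before any puzzle is checked, which is why puzzles are usually combined with upstream filtering rather than used alone.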