Sometimes the culprit is simply a university student doing research, or someone putting up a hobby site, with just enough PHP or Python experience to be dangerous—it's incompetence much more often than malice.
I’m sure you know this but the days of a single hobbyist affecting a properly built large scale website were over ten or more years ago.
Many thousands of hobbyists, perhaps.
Modem CDNs (Content Delivery Networks) and server auto-scaling can handle DDoS attacks by nation-states these days.
I suspect NWS is just ten years behind the curve of modem tech usage like most government websites. They probably have some small sub-set of the normal tools deployed and are adding one everyone else did a decade ago now.
Like you said, no big deal. Number of connections isn’t how CDNs do it now — it’s smarter and more distributed than that and a crap-load more complex.
They’ll learn connections doesn’t work like we did. I can get all the IP addresses I want and get around that limit even as a home gamer, let alone how bad I could pound them from work resources.
Anybody actually making money off that data who needs it already coded around the connection problem within 24 hrs of them announcing it and bought enough public IPs that they’ll never know, for less than the cost of a steak dinner out. LOL.
With our work tools I could automate creating and destroying as many machines on as many random public IPs as I needed, each one grabbing whatever they could, and a new ten or twenty globally every hour, if I absolutely had to have their data. Just scaling what you’re doing to be “nice” to that one website.
Easy peasy to beat anything that’s only counting connections. Really cheap too. Yay “cloud”. LOL.
Anybody with $10K to blow can take down any website that doesn’t live behind a well run CDN and load balancers these days. Even then depending on design, the site will struggle.
Maybe it’ll help that they’ll probably require user auth for all of it so the coder would have to code the downloader to apply for a pile of new user accounts, but that can also be automated. Captchas don’t all work anymore. There’s code to get around those, too. Ha.
One of our customers mandated we add captchas. We contracted it to Google, integrated it, and said if that ain’t good enough, we certainly won’t do better. Have fun with that. They’re mostly useless now. But they do require extra coding and CPU cycles so it raises the cost of making thousands of fake accounts. Still not that hard though.
