Deno suffered a distributed denial of service (DDoS) attack earlier this week, impacting its module registry as well as its website, and is promising to review how it hosts module code in the light of the incident.
On August 22nd the deno.com and deno.land sites were down for between 90 minutes and two hours, meaning users could not access the main web site or dashboards on Deno Deploy, the distributed hosting system operated by the company, though deployed applications continued to run. The outage though did break any developer operations attempting to retrieve Deno’s modules in order to build applications.
According to the incident report, “A DDoS attack was mounted against deno.com, which is hosted on Deno Deploy. The very large volume of requests exceeded the ability of Deno Deploy to scale up and allocate more resources to this application, causing server errors that made web pages and modules hosted on deno.com and deno.land unavailable.” The incident was resolved by blocking the IP addresses responsible for the attacks.
One of the impacted services was Edge functions in Supabase, a web database platform, when used in local development. “Deno.land is down, which means Supabase functions are down locally,” complained one user.
Deno is a TypeScript/JavaScript runtime which is open source and free to use, with the company (Deno Land Inc) business model depending largely on serverless edge hosting, advertised as “minimal latency worldwide, with no single point of failure.”
A DDoS attack can happen to any service, but the team is nevertheless apologetic and promises “swift action to ensure that this type of incident is not possible in future.” Steps planned include scalability improvements, faster incident escalation, more timely status reports, and “changing how we host Deno module code to prevent incidents on deno.com and Deno Deploy impacting dependency management for other Deno programs.”
The Deno hosting service is generally reliable, though it also suffered degraded performance on August 8th, and deployment errors on August 1st because of a faulty code change. There was a major outage of the Deno edge network on June 25th, according to the status pages.
Two weeks ago, a customer asked “how can we prevent DDoS attacks automatically so it will not affect any service deployed in Deno Deploy,” but were told by Deno inventor Ryan Dahl, “that’s not possible right now.”
Deno usage is tiny compared to that of its older cousin Node.js, but growing, and making the platform more resilient will be important to its future.
More positively, the Deno team has also released an update to its Fresh framework, version 1.4, with ahead of time compilation for faster page loads, a new ability to add custom HTML code, and other improvements.