Resistance to open web services based on war stories of DDOS attacks is limiting what my government agency is prepared to release. Any suggestions on how to reduce the risk?
So, I’m assuming that your concern is that a hacker will be upset by what you release and then will flood your site with traffic. (If not, please clarify.)
To handle this case, usually an organization will pay a company that does content distribution professionally to handle this issue for them. Cloudflare and Akamai are some examples, but there are literally dozens to choose from.
If you want to do this with no cost, some document hosting providers (like DropBox or Google Drive) will distribute your content for you, so long as it meets their guidelines and is relatively small in size.
Another option is to make the documents available for download via BitTorrent. This will have those who download your documents help to pay the bandwidth cost of serving them. While setting this up may make your IT staff and lawyers cringe due to BitTorrent’s association with piracy, it’s quite a popular way to distribute legitimate large, static content.
Ultimately though, if what you release is something hackers are not happy with they may target your organization. The attack last week on Dyn shows that even if the attackers cannot stop the message from getting out, they may retaliate against the group performing the release.