Introduction
The idea behind a Denial of Service attack is to make your service or application unavailable to your users.
When an attacker conducts a Distributed Denial of Service attack, they use multiple resources (often a large number of compromised hosts/instances) to overwhelm a target.
This article outlines the best practices for preventing and reducing such DDoS attacks for your Cloud Platform deployment.
Different types of DDoS attacks
- Volumetric attacks:
Network layers are flooded with a large volume of apparently legitimate traffic. These include UDP floods, amplification floods, and spoofed packet floods.
- Protocol attacks:
Layer 3 and layer 4 protocol stack weaknesses are exploited to render targets unreachable. Protocol attacks include SYN floods, reflection attacks, and others.
- Resource (application) layer attacks:
These attacks disrupt the application-layer traffic exchanged between hosts, targeting the web application requests themselves rather than the network. There are many types of layer 7 attacks, such as HTTP protocol violations, SQL injection, cross-site scripting, and others.
DDoS Protection and Mitigation for your Cloud Deployment
DDoS attacks are common in cloud deployments, so you and your cloud provider must take steps to prevent them. In order to protect your systems and applications from DDoS attacks, you need to run detection systems, erect barriers, and scale to absorb attacks in order to prevent the attackers from overwhelming or disabling your services or applications.
Using these best practices on your end will help you secure your cloud deployment.
Make your cloud deployment more secure by reducing the attack surface
- A Cloud Virtual Network allows you to create a secure, isolated part of the Cloud.
- Ensure your deployment is isolated and secure with subnetworks, firewall rules, tags, and Identity and Access Management (IAM).
- Use firewall rules and/or protocol forwarding to open up ports and protocols you need.
- Make sure the private network (IP addresses) is protected by default with the anti-spoofing protection offered by cloud vendors.
- Virtual networks are automatically isolated by cloud vendors.
Don’t let the outside world see your internal traffic
- Deploy instances without public IPs unless necessary.
- You can set up a NAT gateway or SSH bastion to limit the number of instances that are exposed to the internet.
- If available, deploy Internal Load Balancing for internal client instances that access internally deployed services, which avoids exposing those services to the outside world.
Protect your website from DDoS attacks by enabling proxy-based load balancing
- When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing, Cloud infrastructure mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.
- If you have HTTP(S) Load Balancing with instances in multiple regions, you are able to disperse your attack across instances around the globe.
Attacks can be absorbed by scaling up
- Protection by Global Load Balancing automatically scales to absorb certain types of attacks (e.g., SYN floods) before they reach your compute instances.
- Anycast-based Load Balancing: HTTP(S) Load Balancing and SSL proxy enable a single anycast IP to front-end your deployed backend instances in all regions. Normally your user traffic is directed to the closest backend with capacity; in the event of a DDoS attack, the additional advantage of this approach is that it increases the surface area to absorb this attack by moving traffic to instances with available capacity in any region where backends are deployed.
- Autoscaling: When you configure HTTP(S) or SSL Proxy Load Balancing, the Cloud frontend infrastructure that terminates your user traffic protects your backends. You should also provide a sufficient number of instances
CDN offloading provides protection
You can use a CDN to act as a proxy between your clients and your origin servers. Rather than sending cacheable content to backend servers (instances), Cloud CDN caches and serves it closer to your users.
When a DDoS attack occurs on cacheable content, the requests are sent to POPs around the world instead of your origin servers, allowing a larger area to absorb the attack.
Deploy third-party DDoS protection solutions
To address your specific DDoS attack prevention/mitigation needs, you might want to consider purchasing specialized DDoS protection solutions from a third party.
API rate-limiting
It’s recommended that your API rate limits define how many requests you allow per hour.
Why rate limiting is used
Rate limiting is generally used as a defensive measure. In order to ensure service availability, shared services need to be protected from excessive use, whether intended or unintended. It is recommended that even highly scalable systems have some limits on consumption. It is essential to design clients with rate limiting in mind to reduce the chances of cascading failures. Using rate limiting allows for optimal throughput and minimal latency across large distributed systems.
Preventing resource starvation
In most cases, API-based services are rate limited in order to prevent resource starvation, thereby improving their availability. Many load-based denial-of-service incidents happen unintentionally due to software or configuration errors, not malicious attacks (like distributed denial-of-service attacks). Friendly-fire denial of service (DoS) is when resources are starved without malicious intent.
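As an added example that is not part of the original article, the following Python sketch shows both halves of the advice above: a per-client sliding-window limiter that enforces a requests-per-hour quota and answers over-limit calls with HTTP 429 plus a Retry-After hint, and a client-side full-jitter backoff so retrying clients do not synchronise into a self-inflicted (friendly-fire) flood. The handle_request function and its status/header shape are assumptions for illustration, not any vendor's API.

```python
import random
import time
from collections import deque
from typing import Deque, Dict, Tuple


class SlidingWindowRateLimiter:
    """Allow at most `limit` requests per `window` seconds for each client id."""

    def __init__(self, limit: int, window: float = 3600.0):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def check(self, client_id: str, now: float) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds). `now` is passed in so the
        logic is deterministic and testable; production code would use time.time()."""
        q = self._hits.setdefault(client_id, deque())
        # Evict timestamps that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            # The oldest hit still in the window decides when a slot frees up.
            retry_after = int(q[0] + self.window - now) + 1
            return False, retry_after
        q.append(now)
        return True, 0


def handle_request(limiter: SlidingWindowRateLimiter, client_id: str, now: float):
    """Hypothetical API front door: map the limiter decision to an HTTP status and headers."""
    allowed, retry_after = limiter.check(client_id, now)
    if not allowed:
        # 429 tells a well-behaved client to slow down instead of hammering the backend.
        return 429, {"Retry-After": str(retry_after)}
    return 200, {}


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 60.0, rng=random.random) -> float:
    """Client side: full-jitter exponential backoff (delay in [0, min(cap, base*2^attempt)]).
    Randomising the wait keeps many clients from retrying at the same instant."""
    return rng() * min(cap, base * (2 ** attempt))


if __name__ == "__main__":
    limiter = SlidingWindowRateLimiter(limit=100, window=3600.0)  # 100 requests per hour
    for attempt in range(5):
        status, headers = handle_request(limiter, "api-key-demo", time.time())
        print(status, headers, "next retry delay if needed:", round(backoff_delay(attempt), 2))
```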
Conclusion
Cloud Platform provides a number of features to defend against DDoS attacks. You can use these in conjunction with the above-mentioned best practices and other measures tailored to your requirements to make your cloud deployment resilient to DDoS attacks.
- Google Cloud — Cloud Armor: features include rate limiting, adaptive protection, and bot defense
- AWS Cloud — AWS Shield: maximize application availability and responsiveness with managed DDoS protection
- Azure Cloud — Azure DDoS Protection
Through reading this post, I hope you gain a better understanding of how to protect your cloud infrastructure from DDoS attacks.
I encourage you to check out my website to read more articles like this on a variety of topics related to information technology.
Thank you
Meni Tasa