Google Cloud DDoS Protection and Mitigation

Google Cloud DDoS Protection and Mitigation

  • A Denial of Service (DoS) attack is an attempt to render the service or application unavailable to the end-users.
  • With Distributed Denial of Service (DDoS) attacks, the attackers use multiple resources (often a large number of compromised hosts/instances) to orchestrate large-scale attacks against targets.
  • Successfully thwarting and handling DDoS attacks is a shared responsibility between Google Cloud Platform and you.
  • DDoS defense involves deploying detection systems, implementing barriers, and being able to absorb attacks by scaling in order to prevent attackers from overwhelming or disabling access to the services or applications

DDoS Protection and Mitigation Best Practices

Reduce the Surface Attack

  • Provision an isolated and secure piece using Google Cloud VPC
  • Isolate and secure using subnetworks and networks, firewall rules, tags, and IAM
  • Open access for only required ports and protocols using firewall rules
    and/or protocol forwarding.
  • Anti-spoofing protection for the private network (IP addresses) is provided by default.
  • GCP automatically provides isolation between virtual networks.

Isolate the internal traffic from the external world

  • Deploy instances without public IPs unless necessary.
  • Set up a NAT gateway or SSH bastion to limit the number of instances that are exposed to the internet.
  • Deploy Internal Load Balancing for the internal client instances accessing internally deployed services to avoid exposure to the external world

DDoS Protection using Proxy-based Load Balancing

Scale to Absorb the Attack

  • Google Frontend Infrastructure – GFE
    • With Google Global Cloud Load Balancing, the GFE terminates user traffic, automatically scales to absorb certain types of attacks (e.g., SYN floods) before they reach the compute instances
  • Anycast-based Load Balancing
    • HTTP(S) Load Balancing and SSL proxy Load Balancing enable a single anycast IP to front-end the deployed backend instances in all regions.
    • User traffic is directed to the closest backend with capacity
    • In the event of a DDoS attack, it increases the surface area to absorb this attack by moving traffic to instances with available capacity in any region where backends are deployed.
  • Autoscaling
    • A sufficient number of backend instances should be provisioned and autoscaling configured to handle spikes in traffic.
    • In the event of a sudden traffic spike, the load balancing proxy layer will distribute the traffic across all the backends with available capacity
    • In parallel, the autoscaler ramps up the backends inline with traffic that needs to be handled.

DDoS Protection with CDN Offloading

  • Cloud CDN acts as a proxy between the clients and the origin servers
  • For cacheable content, Cloud CDN caches and services this content from points-of-presence (POPs) closer to the users as opposed to sending them to backend servers (instances).
  • In the event of DDoS attack for cacheable content, the requests are sent to POPs all over the globe as opposed to the origin servers, thereby providing a larger set of locations to absorb the attack.

Deploy Third-party DDoS Protection Solutions

  • Third-party DDoS protection solutions can used used to protect against DDoS attacks.
  • DDoS solutions can be deployed using Google Cloud Launcher.

App Engine Deployment

  • App Engine is designed to be a fully multi-tenant system and implements a number of safeguards intended to ensure that a single bad application will not impact the performance or availability of other applications
  • App Engine sits behind the GFE which mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.
  • A set of IPs/IP networks via a dos.yaml file can be specified to block them from accessing the application(s).

Google Cloud Storage

  • Use Signed URLs to control access and if the users are not needed a Google account in order to be able to access the Google Cloud Storage resources,

API rate-limiting

  • API rate limits define the number of requests that can be made to the Google Compute Engine API.
  • API rate limits apply on a per-project basis. Currently, projects are limited to an API rate limit of 20 requests/second.

Resource Quotas

  • Compute Engine enforces quotas on resource usage for a variety of
    reasons, as the quotas, protect the community of Google Cloud users by preventing unforeseen spikes in usage.

GCP Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.