Cloud computing offers a convenient way to use resources with a “pay-as-you-go” model, which has led to wider adoption of cloud services. However, even the cloud is not safe from security threats, and its wider adoption makes it a larger potential playground for hackers. Perhaps this is why cloud security is of paramount importance for organizations.
The recently released Verizon Data Breach Investigations Report 2020 states that nearly 80% of companies experienced a cloud data breach in the past 18 months. The report highlighted that hacking was the biggest factor in data breaches, followed by misconfigurations. One of the most common security threats for cloud deployments is the Distributed Denial of Service (DDoS) attack.
DDoS Attack – A common security concern for cloud users
A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted network with a flood of useless traffic. DDoS is a common attack against cloud deployments and involves multiple sources. These sources send large volumes of packets at the target so that the entire infrastructure becomes unable to serve legitimate users.
Over the past few years, DDoS attacks have become the first choice for hackers targeting cloud infrastructures. Therefore, we have compiled a list of best practices that GCP users can adopt to prevent such attacks.
Isolate the network for a minimal attack surface
Isolating virtual networks is recommended to ensure minimal entry points for hackers. GCP offers isolation between virtual networks via Google Cloud Virtual Network. Anti-spoofing is enabled by default to protect isolated networks from further abuse. Beyond this, users can also define firewall rules and apply network tags as well as IAM practices.
Not just the network, isolate traffic too!
Users need to ensure minimal exposure to the internet (or external world) for maximum traffic isolation. There are a few basic steps to do this: users can deploy instances without public IPs unless necessary, or limit the number of instances exposed to the internet by setting up a NAT gateway.
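The network-isolation and traffic-isolation practices above, expressed as one Terraform configuration. This is an added example written for this post, not Google's own code and not from the original post; it assumes the Terraform google provider, and the project ID, region, CIDR and resource names are placeholders. It creates a custom-mode VPC, a deny-all ingress baseline, a single allow rule that admits HTTP only from Google's load balancer and health-check ranges (130.211.0.0/22 and 35.191.0.0/16) to instances tagged "web", a VM with no external IP, and Cloud NAT so that private instances still have outbound-only internet access.

```hcl
# Added example (not from the original post). Placeholders: project ID,
# region, subnet CIDR and resource names. Assumes the Terraform google provider.

variable "project_id" { default = "my-project-id-placeholder" }
variable "region"     { default = "us-central1" }

provider "google" {
  project = var.project_id
  region  = var.region
}

# Custom-mode VPC: no auto-created subnets, so every subnet is deliberate.
resource "google_compute_network" "isolated" {
  name                    = "isolated-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "private" {
  name                     = "private-subnet"
  ip_cidr_range            = "10.10.0.0/24"
  region                   = var.region
  network                  = google_compute_network.isolated.id
  private_ip_google_access = true # reach Google APIs without a public IP
}

# Baseline: deny all ingress at low priority so only explicit allows pass.
resource "google_compute_firewall" "deny_all_ingress" {
  name      = "deny-all-ingress"
  network   = google_compute_network.isolated.name
  direction = "INGRESS"
  priority  = 65534
  deny {
    protocol = "all"
  }
  source_ranges = ["0.0.0.0/0"]
}

# Allow HTTP only from Google's load balancer / health-check ranges,
# and only to instances carrying the "web" network tag.
resource "google_compute_firewall" "allow_lb_to_web" {
  name      = "allow-lb-to-web"
  network   = google_compute_network.isolated.name
  direction = "INGRESS"
  priority  = 1000
  allow {
    protocol = "tcp"
    ports    = ["80"]
  }
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["web"]
}

# Instance without an access_config block: no external IP is assigned.
resource "google_compute_instance" "web" {
  name         = "web-1"
  machine_type = "e2-small"
  zone         = "${var.region}-a"
  tags         = ["web"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.private.id
    # no access_config {} here, so the VM has only a private IP
  }
}

# Cloud NAT gives private instances outbound internet (updates, APIs)
# without opening any inbound path.
resource "google_compute_router" "nat_router" {
  name    = "nat-router"
  region  = var.region
  network = google_compute_network.isolated.id
}

resource "google_compute_router_nat" "nat" {
  name                               = "outbound-nat"
  router                             = google_compute_router.nat_router.name
  region                             = var.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

The deny-all rule sits at priority 65534, just above GCP's implied rules, so any traffic not matched by a higher-priority allow is dropped; the only inbound path to the VM is through the proxied load balancer ranges, which is what keeps Layer 4 floods from reaching the instance directly.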
Enable proxy-based load balancing
DDoS is all about traffic: if users know how to manage that unnecessary traffic, they can buy time to neutralize the attack. There are two ways to do that: proxy-based load balancing and HTTP(S) load balancing. Proxy-based load balancing allows GCP to mitigate and neutralize many Layer 4 and below attacks, whereas HTTP(S) load balancing enables users to disperse traffic across instances in multiple regions.
Scale your infrastructure when under DDoS attack
Load balancing allows traffic dispersion, and scaling is the most common approach to balancing load. Scaling means provisioning enough capacity to absorb the attack. The Google Front End infrastructure terminates user traffic and absorbs an attack even before it reaches any instance. In the event of a sudden surge in traffic (which is DDoS’ main objective), users can also enable autoscaling to handle any volume of traffic.
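The two practices above, proxy-based HTTP load balancing and autoscaling under a surge, as one Terraform configuration. This is an added example written for this post, not Google's own code and not from the original post; it assumes the Terraform google provider, and the project ID, region, VPC name and image are placeholders. The "web" tag is assumed to match a firewall rule that admits traffic from the load balancer ranges. A regional managed instance group is placed behind an external HTTP load balancer, and a regional autoscaler adds replicas as CPU rises, with max_replicas bounding how far an attack can drive cost.

```hcl
# Added example (not from the original post). Placeholders: project ID,
# region, VPC name and image. Assumes the Terraform google provider.

variable "project_id" { default = "my-project-id-placeholder" }
variable "region"     { default = "us-central1" }
variable "network"    { default = "default" } # placeholder VPC name

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_compute_instance_template" "web" {
  name_prefix  = "web-tmpl-"
  machine_type = "e2-small"
  tags         = ["web"]
  disk {
    source_image = "debian-cloud/debian-11"
    auto_delete  = true
    boot         = true
  }
  network_interface {
    network = var.network
    # no access_config: backends get no external IP, only the LB is public
  }
}

resource "google_compute_health_check" "http" {
  name = "web-hc"
  http_health_check {
    port = 80
  }
}

resource "google_compute_region_instance_group_manager" "web" {
  name               = "web-mig"
  region             = var.region
  base_instance_name = "web"
  version {
    instance_template = google_compute_instance_template.web.id
  }
  named_port {
    name = "http"
    port = 80
  }
}

# Autoscaler: add replicas as CPU passes 60%; max_replicas caps the cost
# blast radius if the surge is an attack rather than real demand.
resource "google_compute_region_autoscaler" "web" {
  name   = "web-autoscaler"
  region = var.region
  target = google_compute_region_instance_group_manager.web.id
  autoscaling_policy {
    min_replicas    = 2
    max_replicas    = 20
    cooldown_period = 60
    cpu_utilization {
      target = 0.6
    }
  }
}

# Proxy-based external HTTP load balancer: client connections terminate at
# Google's edge, so only well-formed HTTP requests reach the backends.
resource "google_compute_backend_service" "web" {
  name          = "web-backend"
  protocol      = "HTTP"
  port_name     = "http"
  timeout_sec   = 30
  health_checks = [google_compute_health_check.http.id]
  backend {
    group = google_compute_region_instance_group_manager.web.instance_group
  }
}

resource "google_compute_url_map" "web" {
  name            = "web-url-map"
  default_service = google_compute_backend_service.web.id
}

resource "google_compute_target_http_proxy" "web" {
  name    = "web-http-proxy"
  url_map = google_compute_url_map.web.id
}

resource "google_compute_global_forwarding_rule" "web" {
  name       = "web-forwarding-rule"
  target     = google_compute_target_http_proxy.web.id
  port_range = "80"
}
```

Because the backends carry no external IP, the forwarding rule's address is the only public entry point, and everything arriving there has already been terminated by Google's proxy; the autoscaler then turns a surge into more healthy backends instead of one saturated VM, while the replica cap keeps a sustained flood from translating directly into unbounded spend.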
Find the right third-party DDoS protection solutions
GCP recommends that users opt for third-party solutions if they have specific needs regarding DDoS mitigation. To make the process easy, GCP offers Google Cloud Launcher to deploy the DDoS solutions available in the market.
Start using GCP’s App Engine
App Engine is a multi-tenant system that enables various precautionary measures to prevent a malicious app from affecting other applications. It is served through the Google Front End, which mitigates and absorbs Layer 4 and below attacks. Another way of ensuring that hackers do not access your applications is to block access by specifying a set of IPs in the dos.yaml file.
Set limits for different resources
Even when the number of resources available seems infinite, there must be a healthy limit on provisioning them. This always gives better control over the infrastructure and minimizes complexity. To limit the impact of a DDoS attack, one can set API rate limits that define the number of requests that can be made to the Google Compute Engine API. Fewer or controlled requests will always lead to fewer or no incidents of overflow from useless traffic. Similarly, GCP users can also leverage resource quotas smartly. Note that GCP Compute Engine applies resource quotas by default to prevent unusual usage spikes.
GCP’s security has always been adequate. Whether it is DDoS attacks or any other security concern, there are several tools available to secure the cloud perimeter. It is also recommended that users always focus on implementing best practices to prevent small errors. The right tools and a regular check-up on whether best practices are in place can really level up an organization’s security posture.