I am currently running two containers on Cloud Run for my web app (React and Nodejs). I have been looking into how to protect my apps from DDoS attacks. Any suggestions?
2 Answers
Most GCP services sit behind Google Front End, which mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc. I believe it's also the case for Cloud Run but I don't have information to confirm that. You can enable HTTP(S) Load Balancing or SSL Proxy Load Balancing, as it provides this mechanism.
Regarding payments due to increased traffic, the best way to solve that is to set API rate-limiting and Resource Quotas.
If possible you should isolate your internal traffic from the external world.

- I'd like to second this answer. If #1 is not enough, you can always use #3 (Cloud Armor) by creating a Cloud LB and putting Cloud Run behind it. As for #2, it doesn't apply to Cloud Run. However, you can limit max instances on Cloud Run to prevent excess spending during an attack that's not absorbed. – ahmet alp balkan Sep 09 '20 at 16:55
- For #2 you can now use API Gateway (Cloud Endpoints-like, but fully managed by Google!). Is your website open to unauthenticated users? – guillaume blaquiere Sep 09 '20 at 19:39
- @guillaumeblaquiere Yes. But I am also thinking about whether I can make it so that the backend container (Nodejs) can be accessed by the frontend container. – Communitarian Sep 10 '20 at 04:27
- I'm not a React fan (or even a user, I have never developed with it), but AFAIK it's a JS framework and nothing is processed by the container; all the JS is interpreted by the user's browser. Thus, the frontend container never requests the backend; it's the user's browser that requests the backend, right? – guillaume blaquiere Sep 10 '20 at 07:53
For Cloud Run, you should use a global external HTTP(S) load balancer (classic), which provides automatic multi-tier, multi-layer DoS protections that further reduce the risk of "any DoS impact". In addition, you can use Cloud Armor to control access to your Google Cloud Platform resources by creating security policies; Cloud Armor also provides Layer 3 and 4 DoS attack protection, layer 7 DoS attack protection (Adaptive Protection) and more features (Managed Protection Plus).
*In detail, a global external HTTP(S) load balancer (classic) is based on Google Front End (GFE), which provides automatic multi-tier, multi-layer DoS protections that further reduce the risk of any DoS impact.
Actually, Google doesn't clearly mention which layers of DoS attacks a global external HTTP(S) load balancer (classic) can protect from. Google only says "any DoS impact". I guess "any DoS impact" can be layer 3, 4 and 7 DoS attacks.
I referred to:
Google Infrastructure Security Design Overview

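Added example, not part of either answer or the comments: the measures discussed above (a max-instances cap on Cloud Run, ingress restricted to the load balancer, and a Cloud Armor policy with a per-IP throttle and Adaptive Protection) written as `gcloud` commands. The service, backend-service and policy names, the region and the numeric limits are placeholders, and the script assumes the Cloud Run service already sits behind a global external HTTP(S) load balancer with an existing backend service.

```shell
#!/bin/sh
# Added example, not from the answers. Resource names and numeric limits are
# placeholders; the load balancer and its backend service are assumed to exist.
set -eu

SERVICE="${SERVICE:-my-backend}"        # hypothetical Cloud Run service
REGION="${REGION:-us-central1}"         # assumed region
BACKEND="${BACKEND:-cloud-run-backend}" # hypothetical LB backend service
POLICY="${POLICY:-cloud-run-edge}"      # hypothetical Cloud Armor policy

# Cap autoscaling so a flood that is not absorbed upstream cannot scale (and
# bill) without bound, and reject requests that bypass the load balancer by
# hitting the service's run.app URL directly.
limit_cloud_run() {
  gcloud run services update "$SERVICE" --region "$REGION" \
    --max-instances "${MAX_INSTANCES:-10}" \
    --ingress internal-and-cloud-load-balancing
}

# Create a Cloud Armor policy with a per-client-IP throttle, turn on Adaptive
# Protection (layer 7), and attach the policy to the LB backend service.
attach_armor_policy() {
  gcloud compute security-policies create "$POLICY" \
    --description "Edge rate limit for $SERVICE"
  gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" --src-ip-ranges "*" \
    --action throttle \
    --rate-limit-threshold-count "${RATE_COUNT:-100}" \
    --rate-limit-threshold-interval-sec 60 \
    --conform-action allow --exceed-action deny-429 --enforce-on-key IP
  gcloud compute security-policies update "$POLICY" \
    --enable-layer7-ddos-defense
  gcloud compute backend-services update "$BACKEND" --global \
    --security-policy "$POLICY"
}

# Nothing runs unless asked: ./harden.sh apply
if [ "${1:-}" = "apply" ]; then
  limit_cloud_run
  attach_armor_policy
fi
```

The throttle applies to every client IP, including legitimate unauthenticated visitors, so the 100 requests per 60 seconds placeholder should be sized from real traffic before it is enforced.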