0

I have created a Play web application which is now deployed on GCP. The application consists of two pods and a load balancer service.

I want to protect my application from DDOS attacks. Referring to this article - https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf, is the load balancer I have created using the following yaml files sufficient or is the document referring to some other type of infrastructure level load balancer?

Quote from the document

"DDoS Protection by enabling Proxy-based Load Balancing ○ When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing, Google infrastructure mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc. ○ If you have HTTP(S) Load Balancing with instances in multiple regions, you are able to disperse your attack across instances around the globe. "

My current application is deployed using the following yamls.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: name
spec:
  replicas: 2
  selector:
    matchLabels:
      app: somename

and

apiVersion: v1
kind: Service
metadata:
  name: somename-service
spec:
  selector:
    app: somename
  ports:
    - protocol: TCP
      port: 9000
      targetPort: 9000
  type: LoadBalancer
Manu Chadha
  • 15,555
  • 19
  • 91
  • 184
  • 3
    1/2) Yes and No. For some types of DDoS: yes. For other types of DDoS the load is distributed to more instances of your service which might solve the DDoS but at an increased cost to you. There are many types of denial of service. You will need to consider the ones important to you and then compare to the load balancer features and possibly an application firewall such as Cloud Armor. You also need to design your applications to be resistant to denial of service. – John Hanley Dec 22 '20 at 19:12
  • 2
    2/2) There is no end-all solution. Depending on your requirements you will need application firewalls, load balancers and autoscaling services combined with monitoring and alerting. – John Hanley Dec 22 '20 at 19:12
  • 1
    I love the YES/NO answer of @JohnHanley. That's correct, all depends of your DDoS attack: OSI level 3? level 4? Level 7? Different attacks need different answers and services! – guillaume blaquiere Dec 22 '20 at 20:15
  • 1
    I agree with @JohnHanley response, this should be the answer – Frank Dec 22 '20 at 20:19

1 Answers1

4

Yes and No. For some types of DDoS: yes. For other types of DDoS the load is distributed to more instances of your service which might solve the DDoS but at an increased cost to you.

There are many types of denial of service. You will need to consider the ones important to you and then compare to the load balancer features and possibly an application firewall such as Cloud Armor. You also need to design your applications to be resistant to denial of service.

There is no end-all solution. Depending on your requirements you will need application firewalls, load balancers and autoscaling services combined with monitoring and alerting.

John Hanley
  • 74,467
  • 6
  • 95
  • 159