What is a DDoS attack? Google Cloud’s Zombie Apocalypse risk mitigation and protection mechanism

Janki Depala
3 min read · Apr 15, 2021

While watching The Walking Dead, have you ever thought that these guys could have been a little smarter? They know zombies are out there and could have planned a better way not to die. Many seasons later, by the time Judith has grown up, they know how to fight them systematically. In the same way, DDoS attacks are out there, attempted every minute by coordinated groups.

DDoS attacks are classified as a federal crime in the USA under the Computer Fraud and Abuse Act (CFAA). These attacks have increased during COVID times. Let's see what DDoS is and how Google Cloud handles such an attack.

What is DDoS?

DDoS is a distributed denial of service (DoS) attack. As the name suggests, the attempt is distributed across many connected online devices, known as a botnet. A botnet is a group of devices run from a command and control (C&C) server. Devices like laptops, desktop computers and IoT devices are used to organize a coordinated attack from multiple locations. Sometimes even identifying a DDoS attack takes time, and by then the damage is already done, because the attack traffic looks like ordinary traffic. The Zeus botnet infected over 3.6 million PCs.
In terms of the Open Systems Interconnection (OSI) model, DDoS attacks fall into two categories:

  1. Application layer (7th layer).
  2. Network layer (layers 3 and 4).

How does a DDoS attack happen?

  • Take advantage of a design failure or vulnerability.
  • Cause a system to be unavailable.
  • Turn off the power in the room or building.
  • Create a traffic spike by launching a ‘zombie attack’ from the botnet.
  • Attack and abuse older protocols like NTP, DNS and ICMP, since they have little built-in security.

Google’s mechanism for DDoS Mitigation

  1. Protecting shared infrastructure: Google has protection in place to ensure that no single service can overwhelm the shared infrastructure. Shared responsibility model: best practices to be followed by clients building on Google Cloud, so that the risk is reduced further.
  2. DDoS defense: prevent ‘bad actors’ from taking over systems, ensure that scaling works effectively, and put barriers in place.
  3. Protection and mitigation for GCP deployments: reduce the attack surface of your GCE deployment; isolate it with firewall rules, tags, IAM, subnets and networks. By default, GCP provides anti-spoofing protection for private IP addresses and automatic isolation between networks.
  4. Separate and hide traffic: deploy instances with public IPs only if necessary. Set up a NAT gateway or SSH bastion to limit the number of instances exposed to the Internet, and put internal clients behind an internal load balancer.
  5. Enable proxy-based load balancing: HTTP(S) or SSL proxy load balancing allows Google's infrastructure to mitigate and absorb many Layer 4 and below attacks, such as SYN floods, IP fragment floods and port exhaustion. Disperse attacks across instances throughout the world by using HTTP(S) load balancing with instances in multiple regions.
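Steps 3 to 5 above, written out as gcloud commands in one script. This is an added example and not Google's or the author's own code: the project id, VPC name, region, zone and instance names are hypothetical placeholders, Cloud NAT stands in for the "NAT gateway", and the two source ranges are Google's documented proxy load balancer / health check ranges. With DRY_RUN=1 (the default) the script only prints each command, so it can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example, not Google's own code: attack-surface reduction for a GCE
# deployment as gcloud commands. PROJECT, NETWORK, REGION, ZONE and the
# instance names are hypothetical placeholders.
set -eu

PROJECT=${PROJECT:-example-project}   # placeholder project id
NETWORK=${NETWORK:-app-net}           # placeholder VPC name
REGION=${REGION:-us-central1}
ZONE=${ZONE:-us-central1-a}
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 3: custom VPC with deny-by-default ingress. Only instances tagged "web"
# are reachable, and only from Google's load balancer / health check ranges.
create_network() {
  run gcloud compute networks create "$NETWORK" --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$NETWORK-subnet" --project="$PROJECT" \
    --network="$NETWORK" --region="$REGION" --range=10.10.0.0/24
  run gcloud compute firewall-rules create "$NETWORK-deny-all-ingress" --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=DENY --rules=all --priority=65000
  run gcloud compute firewall-rules create "$NETWORK-allow-lb-to-web" --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:8080 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags=web --priority=1000
  # SSH to web instances is allowed only from the bastion tag, never from the Internet.
  run gcloud compute firewall-rules create "$NETWORK-allow-bastion-ssh" --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-tags=bastion --target-tags=web --priority=1000
}

# Step 4: web instances get no public IP (--no-address); outbound traffic leaves
# through Cloud NAT, and the bastion is the only host with an external address.
create_private_instances() {
  run gcloud compute routers create "$NETWORK-router" --project="$PROJECT" \
    --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "$NETWORK-nat" --project="$PROJECT" \
    --router="$NETWORK-router" --region="$REGION" \
    --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges
  for name in web-1 web-2; do
    run gcloud compute instances create "$name" --project="$PROJECT" --zone="$ZONE" \
      --subnet="$NETWORK-subnet" --tags=web --no-address
  done
  run gcloud compute instances create bastion --project="$PROJECT" --zone="$ZONE" \
    --subnet="$NETWORK-subnet" --tags=bastion
}

# Step 5: a global HTTP load balancer in front, so Google's edge terminates
# client connections and absorbs L4 floods before they reach web-1/web-2.
create_load_balancer() {
  run gcloud compute instance-groups unmanaged create web-ig --project="$PROJECT" --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances web-ig --project="$PROJECT" \
    --zone="$ZONE" --instances=web-1,web-2
  run gcloud compute instance-groups unmanaged set-named-ports web-ig --project="$PROJECT" \
    --zone="$ZONE" --named-ports=http:8080
  run gcloud compute health-checks create http web-hc --project="$PROJECT" --port=8080
  run gcloud compute backend-services create web-backend --project="$PROJECT" --global \
    --protocol=HTTP --port-name=http --health-checks=web-hc
  run gcloud compute backend-services add-backend web-backend --project="$PROJECT" --global \
    --instance-group=web-ig --instance-group-zone="$ZONE"
  run gcloud compute url-maps create web-map --project="$PROJECT" --default-service=web-backend
  run gcloud compute target-http-proxies create web-proxy --project="$PROJECT" --url-map=web-map
  run gcloud compute forwarding-rules create web-frontend --project="$PROJECT" --global \
    --target-http-proxy=web-proxy --ports=80
}

# Pass "apply" as the first argument to execute for real; otherwise just print.
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
create_network
create_private_instances
create_load_balancer
```

The deny-all rule sits at priority 65000, above the implied default-deny, so every allowed path has to be spelled out with a higher-priority (lower-number) rule; a later `gcloud compute firewall-rules list --filter="network:$NETWORK"` is the quickest way to confirm that nothing else opens the web instances to 0.0.0.0/0.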

Summing up DDoS best practices

  1. Scale to absorb the attack: Google's frontend infrastructure, which terminates user traffic, automatically scales to absorb attacks like SYN floods before they reach compute instances.
  2. Protection with CDN offloading: Google Cloud CDN acts as a proxy between the client and the origin server. For CDN Interconnect, leverage the additional DDoS protection provided by the CDN Interconnect partners (see the partner page).
  3. Deploy third-party DDoS protection solutions: purchase a third-party DDoS protection solution.
  4. App Engine deployment: App Engine sits behind the Google Front End, which mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods and port exhaustion. You can also specify a set of IPs or IP networks in a dos.yaml file to block them from accessing your application(s).
  5. Google Cloud Storage: signed URLs are an effective control.
  6. Resource quotas: Compute Engine quotas help protect against any traffic spike caused by a DDoS attack.
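The dos.yaml blocklist from item 4, as an added example that is not from the original post or from Google: a small script that generates the file in the `blacklist:` / `subnet:` / `description:` layout App Engine reads and refuses to write it if an entry is not a well-formed IPv4 address or CIDR. The two entries are constructed sample data drawn from the RFC 5737 documentation ranges, not real indicators.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check an
# App Engine dos.yaml blocklist before deploying it.
set -eu

# One entry per line: "<IPv4 address or CIDR>|<description>" (constructed data).
BLOCKLIST='203.0.113.7|single host that hammered /login
198.51.100.0/24|constructed example subnet'

# valid_cidr: accept a dotted-quad IPv4 address with an optional /0 .. /32 prefix;
# the regex checks the shape, the loop checks each octet is <= 255.
valid_cidr() {
  entry=$1
  printf '%s' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  ip=${entry%%/*}
  saved_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$saved_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# write_dos_yaml OUTFILE [LIST]: validate every entry first, then emit the
# dos.yaml structure. Nothing is written if any entry is malformed.
write_dos_yaml() {
  out=$1
  list=${2:-$BLOCKLIST}
  printf '%s\n' "$list" | while IFS='|' read -r cidr desc; do
    valid_cidr "$cidr" || { echo "malformed blocklist entry: $cidr" >&2; exit 1; }
  done || return 1
  printf 'blacklist:\n' > "$out"
  printf '%s\n' "$list" | while IFS='|' read -r cidr desc; do
    printf -- '- subnet: %s\n  description: %s\n' "$cidr" "$desc" >> "$out"
  done
}

# Standalone use: "./make_dos_yaml.sh write" produces ./dos.yaml, which is then
# deployed with: gcloud app deploy dos.yaml
if [ "${1:-}" = write ]; then
  write_dos_yaml dos.yaml && echo "wrote dos.yaml"
fi
```

Keep in mind that a dos.yaml entry blocks traffic only at the App Engine front end for that application, so it is a blunt, reactive control rather than a substitute for the absorption capacity of the Google Front End; also check the current App Engine documentation before relying on it, since Google has since marked dos.yaml as deprecated in favour of the App Engine firewall (`gcloud app firewall-rules`).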
