DDOS prevention on GCE


Mati

Feb 10, 2015, 1:58:12 PM
to gce-dis...@googlegroups.com
Hello all,

I'm running a landing pages service on GCE, and recently we've been under DDOS attack.
Is there a way to mitigate DDOS attacks on my GCE network? Besides, of course, purchasing an external service (such as Incapsula).
I found something that looked promising, announced by Google themselves, called Andromeda. But since it was announced (April 2014) I couldn't find anything about it.

I would appreciate any assistance.
Thanks,
Mati

Kaj Magnus Lindberg

May 2, 2016, 9:55:43 PM
to gce-discussion
Hi Mati,

I don't have any answers to any of your questions.
Instead I wonder — if you have time — what kind of instances did you use (CPU & RAM), and how many, when you got DDoS'ed?
Were they load balanced by you (e.g. HAProxy)?
Or were they load balanced by Google Cloud Engine's load balancer? Did the DDoS then attack the load balancer's IP, or was it directed to your own servers' IPs?

Did your website / app continue to function during the DDoS, or did the DDoS break it? (until the DDoS stopped)
(What tech stack? if it's OK for me to ask)

In the end did you buy Incapsula or some other external DDoS protection?
Did you test to add more GCE server instances or auto scaling, and in that way be more prepared for a DDoS?

I'm asking since I just started using GCE, and I wonder what'd happen if I got DDoS'ed & how likely to survive.

Best regards & thanks for reading,
KajMagnus

George

May 3, 2016, 4:49:34 PM
to gce-discussion
Hello KajMagnus,

As all the questions are dedicated to Mati and the setup he had, I can only answer the last question you asked should you get a DDOS attack which is where the Andromeda zone comes in place.

Andromeda's goal is to expose the raw performance of the underlying network while simultaneously exposing network function virtualization (NFV). This functionality includes distributed denial of service (DDoS) protection, transparent service load balancing, access control lists, and firewalls. This kind of protection is built-in to everything inside Google's network, including your virtual machines running on Google Compute Engine.


However, you still need to take care of the following:

  • O/S regular patching
  • Protection using O/S level firewall (IPtables...)
  • Configure Google Firewall and open only used ingress ports
  • Secure the SSH on your instance
  • Apply application patches regularly

You can have more information on how to design robust systems on Google Cloud Platform in this Help Center article.

I hope this helps.

Sincerely,
George
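
The host-firewall and SSH items in the checklist above, as an added example (not code from this thread or from Google): a shell function that prints a default-deny `iptables-restore` ruleset opening only the listed ports. The ports, the admin CIDR `203.0.113.0/24`, the rate values and the `gcloud` rule name, network and tag are assumptions; the per-source connection limit goes beyond what the post lists.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a small GCE web instance.
# Ports, the admin CIDR and the rate values are assumptions, not from the thread.
#
# Matching GCE-level rule (rule name, network and tag are placeholders):
#   gcloud compute firewall-rules create allow-web --network default \
#       --allow tcp:80,tcp:443 --target-tags web

# build_ruleset "<public tcp ports>" "<ssh source CIDR>" [per-source new-conn rate]
build_ruleset() (
  ports="$1"; ssh_cidr="$2"; rate="${3:-20/second}"

  # Validate every port before emitting anything, so a typo never
  # produces a half-written ruleset.
  for p in $ports; do
    case "$p" in
      ''|*[!0-9]*) echo "invalid port: $p" >&2; exit 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port out of range: $p" >&2; exit 1
    fi
  done

  # Default-deny ingress; replies and related ICMP errors ride on conntrack.
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    "-A INPUT -p tcp --dport 22 -s $ssh_cidr -m conntrack --ctstate NEW -j ACCEPT"

  for p in $ports; do
    # Drop new connections from any single source above the rate, then
    # accept the rest. This caps one noisy client, not a distributed flood.
    printf '%s\n' \
      "-A INPUT -p tcp --syn --dport $p -m hashlimit --hashlimit-name web$p --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst 40 -j DROP" \
      "-A INPUT -p tcp --syn --dport $p -j ACCEPT"
  done
  echo 'COMMIT'
)

# Constructed sample values: web ports 80/443, SSH only from 203.0.113.0/24.
build_ruleset "80 443" "203.0.113.0/24"
```

Piping the output through `iptables-restore --test` checks the syntax without loading the rules.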

Kaj Magnus Lindberg

May 21, 2016, 1:25:59 PM
to gce-discussion
Hi George,

Thanks for the docs & the links about Andromeda. What I was wondering, and trying to figure out by asking those questions, was how all that stuff works in practice:

I might be wrong, but I'm thinking that Andromeda might not work well both for 1) tiny systems with one or two small instances, and 2) for large clusters with 9999 instances (like Spotify), at the same time. And I'm wondering: When does Andromeda start working well:

1) I would think that if I have Nginx serving static pages on a single f1-micro, g1-small or n1-standard-1, then someone will be able to DDoS it, without Andromeda noticing. Because not much traffic will be required to DDoS such small instances, so Andromeda thinks "this is not much traffic, not a DDoS", and does nothing. Still the g1-small gets "drowned" in requests and in effect goes offline.

2) But if I have 10 x n1-highcpu-32, then if someone generates enough traffic to DDoS them, I suppose Andromeda is going to notice this huge amount of traffic, and do something.

If you (or someone else) have any information about where the limit is between 1 and 2 above, that'd be interesting.

For example, how many Nginx high-cpu instances serving static pages, do I need, to force someone who attempts to DDoS them, to generate so much traffic, so Andromeda will notice this and do something.

Best regards
KajMagnus



On Tuesday, May 3, 2016 at 10:49:34 PM UTC+2, George (Google Cloud Support) wrote:
Hello KajMagnus,

As all the questions are dedicated to Mati and the setup he had, I can only answer the last question you asked should you get a DDOS attack which is where the Andromeda zone comes in place.

Andromeda's goal is to expose the raw performance of the underlying network while simultaneously exposing network function virtualization (NFV). This functionality includes distributed denial of service (DDoS) protection, transparent service load balancing, access control lists, and firewalls. This kind of protection is built-in to everything inside Google's network, including your virtual machines running on Google Compute Engine.


However, you still need to take care of the following:

  • O/S regular patching
  • Protection using O/S level firewall (IPtables...)
  • Configure Google Firewall and open only used ingress ports
  • Secure the SSH on your instance
  • Apply application patches regularly

You can have more information on how to design robust systems on Google Cloud Platform in this Help Center article.