Do TCP and HTTPS load balancers provide SYN flood protection?

[Niklas Hambüchen]

Hi,

from the docs about TCP Proxy load balancing and SSL Proxy load balancing I cannot conclude in what order the TCP connections are established.

Does the global load balancing layer first do a full TCP handshake with the client before it establishes the connection with (or really, sends any traffic to) the machines behind the load balancer? If yes, that would provide e.g. SYN flood protection.

Or are SYNs directly forwarded to the internal nodes on arrival at the load balancing layer (no SYN flood protection)?

Thanks!

[Kamran (Google Cloud Support)]

Hello Niklas,

When you enable HTTP(S) Load Balancing or SSL/TCP proxy Load Balancing, Google infrastructure mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc. For more information about best practices for DDoS protection and mitigation on Google Cloud Platform please visit this article.

Sincerely,

[Niklas Hambüchen]

Hey Kamran,

thanks for your reply. I had read that article before asking the question.

The point in the article says "When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing" and specifically does not mention TCP load balancing, that's what made me wonder if TCP proxy load balancing is somehow excluded from this guarantee.

Is TCP proxy load balancing accidentally missing from that statement, or perhaps the feature is newer than that document?

Thanks!

[Kamran (Google Cloud Support)]

Hi Niklas,

TCP load balancing is a layer 3 load balancing. As mentioned in the document GCP mitigates and absorbs "many Layer 4 and below" attacks, such as SYN floods. This includes the Network Load Balancing.

I hope this helps.

[Niklas Hambüchen]

OK great, thanks a lot!

--
© 2017 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 
Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-discussion@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to a topic in the Google Groups "gce-discussion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/gce-discussion/g0hdn-cyYi4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to gce-discussion+unsubscribe@googlegroups.com.
To post to this group, send email to gce-discussion@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/7493fecd-736a-4660-b0d4-00a3b8df9ddd%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.