DDoS Protection

[gandalf.co...@gmail.com]

How Google Cloud DNS managed DDoS? What If my own domain is being attacked with millions of queries ? Should I pay for this attack traffic ?

[Harry Wang]

Dear Gandalf,

Successfully thwarting and handling DDoS attacks for your GCP deployment is a shared responsibility between Google Cloud Platform and your organization. DDoS defense involves deploying detection systems, implementing barriers and being able to absorb attacks by scaling in order to prevent attackers from overwhelming or disabling access to your services or applications. Google Cloud Platform provides several of these mechanisms automatically and you can follow the best practices detailed here https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf.

To your question re: Cloud DNS specifically, yes, you will be billed for all DNS traffic including presumably the attach traffic. To balance your needs between absorbing attack traffic and managing budgets, we recommend managing DNS resources in a DNS-specific project in GCP such that you can set specific billing budget and alerts for the DNS usage.   

Cheers,

Harry

[Gandalf Corvotempesta]

Thank you for the response
What's happens in case of out of credits? Zones will stop to resolve?

This is bad because a huge ddos attack could produces many hundreds of millions requests that will cost too much to me

Can i filter or rate limit this traffic in some way or i can only receive and pay?

[glencoe...@gmail.com]

On Monday, November 28, 2016 at 6:28:03 AM UTC-6, Gandalf Corvotempesta wrote:
> How Google Cloud DNS managed DDoS? What If my own domain is being attacked with millions of queries ? Should I pay for this attack traffic ?

I asked this question of the Google Cloud Platform Billing Support team. The reply from an Escalation Manager named Mark said:

"I understand that the DDoS attack had a huge financial impact to your account and also threatens your services. I know that pursuing the culprit is a logical action and it's good that you already reached out to the proper authorities. Going back to the financial impact of the DDoS attack, I am sad to inform you that charges caused by a DDoS attack are deemed due on the account and are not eligible for adjustments."

My rebuttal: The DDoS attack on my static website occurred during my Free Trial of Google Cloud Platform. The Free Trial gives you $300 worth of free credits, and offers this iron-clad protection: You place a credit-card on file simply to prove you are "not a robot," but the credit-card will not get billed unless you positively opt-in after the trial ends. At least 7 tutorial pages affirm this policy.

But Google sent my free credits into limbo, instead of into the account I created for my website Tuum Est. That account is the only one I created, and "Tuum-Est" was the only project (bucket) that I created. Google ignored their responsibility for the free credits, then billed my credit card DURING the free trial for a massive DDoS attack. The cost was over $4000. My credit-card company reported suspicious demand, and declined payment. Correspondence with Google Billing Support continues.

[Gandalf Corvotempesta]

Il giorno lunedì 19 dicembre 2016 16:32:12 UTC+1, glencoe...@gmail.com ha scritto:

But Google sent my free credits into limbo, instead of into the account I created for my website Tuum Est. That account is the only one I created, and "Tuum-Est" was the only project (bucket) that I created. Google ignored their responsibility for the free credits, then billed my credit card DURING the free trial for a massive DDoS attack. The cost was over $4000. My credit-card company reported suspicious demand, and declined payment. Correspondence with Google Billing Support continues.

Currently, Amazon offer DDoS protection FOR FREE. 

https://aws.amazon.com/en/shield/

[mailt...@gmail.com]

Thanks for posting this. I was considering switching to Google Cloud DNS (actually I was just in the process of moving everything), but if that's the experience you get after a DDoS attack I'd rather stay with Cloudflares free DNS.