This is a work in progress and not a release. We're looking for volunteers. See Issues to know how to collaborate.

DDoS Protection

tag: [Engineer/Developer, Security Specialist, Operations & Strategy, Devops, Cloud, SRE]

Distributed Denial of Service (DDoS) attacks are a pervasive threat that can disrupt your services by overwhelming them with excessive traffic.

Best Practices

  • Use Cloud Provider Solutions: Utilize DDoS protection services offered by your cloud provider:

    AWS

    • AWS Shield Standard and Advanced:
      • Shield Standard: Basic DDoS protection at no extra cost.
      • Shield Advanced: Enhanced protection with real-time visibility and access to AWS DDoS Response Team (DRT).
    • Amazon CloudFront and AWS WAF:
      • CloudFront: Distributes traffic globally to mitigate DDoS attacks.
      • AWS WAF: Protects against application layer attacks.

    Azure

    • Azure DDoS Protection Basic and Standard:
      • DDoS Protection Basic: Automatic protection against common attacks.
      • DDoS Protection Standard: Advanced protection with real-time monitoring.
    • Azure Front Door and Azure Application Gateway with WAF:
      • Front Door: Global application delivery with DDoS mitigation.
      • Application Gateway with WAF: Protects against various attacks.

    GCP

    • Google Cloud Armor: Provides DDoS protection and WAF capabilities.
    • Load Balancing: Distributes traffic to mitigate DDoS attacks.
    • VPC Flow Logs and Stackdriver Logging: Monitors and logs traffic patterns for effective response.

External DDoS Protection Providers

In addition to cloud provider solutions, consider external DDoS protection services:

  • Cloudflare: Offers comprehensive DDoS protection and mitigation services.
  • Akamai: Provides scalable DDoS protection solutions.
  • Imperva: Specializes in DDoS protection and mitigation.