Google Cloud Account Registration: Easily Defend Against Million-Scale Distributed Denial of Service (DDoS) Attacks with Google Cloud Armor

cloud 2026-05-30 Reads: 13

Anyone running an independent e-commerce site, a cross-border store, or an app for overseas markets fears one part of the "network underworld" above all others: DDoS (Distributed Denial-of-Service) attacks.

A traditional DDoS attack simply floods your server bandwidth with massive amounts of junk traffic. Attackers' methods have long since evolved: they now drive thousands of real overseas bot IPs, disguise them as normal users, and hammer the most expensive pages on your site (product search, cart checkout) at high frequency. This is the notorious CC attack (a Layer 7, application-layer attack). Under this kind of million-level concurrent distributed bombardment an ordinary firewall is useless; the back-end server's CPU saturates within seconds and the whole site goes down.

Worse, attackers like to pick your Black Friday promotion or the golden hour of a Facebook ad campaign, then leave a Bitcoin wallet address and demand a ransom. At that point every extra minute of downtime means advertising spend burned for nothing.

In the Google Cloud (GCP) ecosystem there is a high-security gate built specifically to physically stop this malicious traffic: Google Cloud Armor.

Its core strength is that it sits directly on the edge network of Google's global load balancing (Global LB). Millions of concurrent attack requests are blocked and scrubbed in Google's edge data centres around the world before a single packet reaches your server's network card.

This article skips the official sales pitch and the protocol theory. Starting from pure hands-on practice, it walks you step by step through a Cloud Armor defence setup of the kind a large company would run, and welds a bulletproof vest onto your overseas business.

Stage 1: Deep Dive into Cloud Armor's "Dimensionality Reduction Strike" Operating Model

Before you open the console, build a mental model of how Cloud Armor physically works, otherwise it is hard to see why it can absorb the million-level concurrency that gives even large companies a headache.

The data flow of the whole defence can be summarised as two rings of defence:

Ring 1: Google global load balancing (the front door). When users anywhere visit your site, their traffic first enters Google's Global External Application Load Balancer. This gate natively provides essentially unlimited Layer 3/4 (network/transport layer) flood protection. Traditional SYN floods and UDP amplification attacks are absorbed here by Google's underlying network hardware, and you do not pay a cent extra.

Ring 2: Cloud Armor security policy (the core scrubbing layer). Once the crude volumetric traffic is stopped at the gate, L7 (HTTP/HTTPS) malicious requests disguised as normal users will still get through. This is where Cloud Armor, mounted on the load balancer, opens its eyes. Based on the rules you write, or on Google's own ML model, it answers junk requests with a 403 within milliseconds and rejects them on the spot, letting only genuine buyer traffic through to the back-end VMs or containers.

Phase II: Hands-On, Configuring the Cloud Armor Core Policy Set

Make sure your site or web application is already set up as a backend of an External Application Load Balancer in GCP. Next we go to the front end to build the high-defence gate.

Log in to the GCP Console and, in the navigation menu at the top left, find "Network Security" -> "Cloud Armor". Click "Create policy" at the top to enter the core battlefield.

Step 1: Set up the security policy outline

Name: prod-anti-ddos-policy.

Policy type: select "Backend security policy".

Default action: select "Allow". Architect's hidden rule: this means "allow by default". Unless traffic hits one of the blacklist rules we write next, it is treated as legitimate and let through.

Step 2: Weld on the first strand of barbed wire: rate limiting, the one move every attack yields to

The most effective physical means against a CC attack in which millions of bots hammer your search pages is Rate Limiting.

On the policy page, click "Add rule".

Type: select "Rate limiting".

Match condition: enter true (the rate-limit rule applies to all incoming traffic worldwide).

Threshold settings (the important part): Request count: enter 100. Interval: select 1 minute. Key: select "Client IP". Action when the threshold is exceeded: select "429 (Too Many Requests)". In plain terms the rule says: "if any IP in the world sends more than 100 HTTP requests to my load balancer within one minute, I do not consider it a normal human; its next request gets a 429 error, it is locked outside the door, and its requests never enter my server."

Step 3: Weld on the second wire mesh: block high-risk countries or malicious IP ranges with one click

During a big promotion you will sometimes find that all the junk traffic pounding the wall comes from one country that has nothing to do with your business (a specific cluster of bad IPs, for example).

Click "Add rule" again and select "Security policy" as the type.

Action: select "Deny" with status code 403.

Match mode: select advanced mode and enter Google's built-in geolocation attribute in the expression:

origin.region_code == 'CN' || origin.region_code == 'RU'

(Note: this rule means that if your core buyers are all in Europe and the United States, you can physically block every request from other high-risk regions with one click.)

Priority: enter 900.

Insider note on operations at scale: in Cloud Armor the smaller the number, the higher the priority. The default rule sits at 2147483647 (evaluated last). We set the specific blacklist to priority 900 and the rate limit to 1000, so traffic from high-risk regions is physically evaporated by the 900 interception net before it ever reaches the rate-limit check.

Step 4: Activate the moat for free: the preconfigured WAF rules (SQL injection and XSS)

Many attackers probe your site for vulnerabilities with automated scripts while the DDoS is running. Cloud Armor ships with industry-standard OWASP Top 10 preconfigured WAF rule sets.

Click "Add rule" and call Google's packaged rule sets directly in the match expression:

evaluatePreconfiguredExpr('sqli-v33-stable') || evaluatePreconfiguredExpr('xss-v33-stable')

Action: select "Deny (403)".

Priority: set to 800. With this one line, cross-site scripting (XSS) and SQL injection probes are intercepted instantly at the edge node, without you writing a single line of protection code.

Step 5: Mount the policy on your load balancer

After all rules are in place, click Next. In the "Apply to targets" tab, click "Add target" and select precisely the backend service of the external HTTP(S) load balancer that fronts your customers.

Click Create. After about 1 to 2 minutes the full rule set is synchronised to all of Google's edge PoP nodes worldwide.
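The same five steps driven from the gcloud CLI, as an added example that is not part of the original article; the backend service name and the payment-gateway IP range are assumptions (the range is a labelled placeholder), and setting GCLOUD=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the article's own code: builds the Step 1-5 policy with
# gcloud. Assumed (not in the article): the backend service name and the
# payment-gateway range placeholder. GCLOUD=echo prints instead of running.
GCLOUD="${GCLOUD:-gcloud}"
POLICY="${POLICY:-prod-anti-ddos-policy}"
BACKEND="${BACKEND:-web-backend-service}"          # assumed backend service name
PAYMENT_RANGES="${PAYMENT_RANGES:-203.0.113.0/24}" # PLACEHOLDER: gateway's published ranges

# Step 1: policy whose default rule (priority 2147483647) is allow
create_policy() {
  "$GCLOUD" compute security-policies create "$POLICY" --description="L7 DDoS and CC protection"
}
# Priority 100: payment callbacks are allowed before any other rule is evaluated
add_whitelist_rule() {
  "$GCLOUD" compute security-policies rules create 100 \
    --security-policy="$POLICY" --src-ip-ranges="$PAYMENT_RANGES" --action=allow
}
# Priority 800 (Step 4): preconfigured OWASP SQLi and XSS signatures
add_waf_rule() {
  "$GCLOUD" compute security-policies rules create 800 \
    --security-policy="$POLICY" --action=deny-403 \
    --expression="evaluatePreconfiguredExpr('sqli-v33-stable') || evaluatePreconfiguredExpr('xss-v33-stable')"
}
# Priority 900 (Step 3): geo block, evaluated before the rate limit
add_geo_rule() {
  "$GCLOUD" compute security-policies rules create 900 \
    --security-policy="$POLICY" --action=deny-403 \
    --expression="origin.region_code == 'CN' || origin.region_code == 'RU'"
}
# Priority 1000 (Step 2): 100 requests per minute per client IP, then 429
add_rate_limit_rule() {
  "$GCLOUD" compute security-policies rules create 1000 \
    --security-policy="$POLICY" --expression="true" --action=throttle \
    --rate-limit-threshold-count=100 --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow --exceed-action=deny-429 --enforce-on-key=IP
}
# Step 5: attach the policy to the global backend service
attach_policy() {
  "$GCLOUD" compute backend-services update "$BACKEND" --security-policy="$POLICY" --global
}

if [ "${1:-}" = "apply" ]; then
  create_policy && add_whitelist_rule && add_waf_rule && add_geo_rule \
    && add_rate_limit_rule && attach_policy
fi
```

Run it as `sh policy.sh apply` once the variables point at your own project; the rule numbers reproduce the 100 / 800 / 900 / 1000 ordering the text relies on.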

Stage 3: Live-fire exercise, the "hit the wall" test

To verify that the defence really works we do not need to hire hackers; a local load-testing tool (such as ab or hey) can simulate high-frequency attacks.

In your local terminal, fire a burst at your site's domain (simulating 200 requests sent within about 1 second):

hey -n 200 -c 10 https://www.yourshop.com/

Witness the moment of truth

When the tool finishes, the results report shows the first 100 requests returning a clean 200 OK (you fetched the page as a normal user), while the last 100 requests return 429 Too Many Requests or 403 Forbidden, 100 per cent of them.

Now look at your back-end server's CPU monitoring: steady as a rock, not even a stray spike. Those last 100 junk requests, enough on their own to drag down your server, were slapped down by Cloud Armor at Google's edge gateway.

Stage 4: Pitfalls and hard lessons of a commercial-grade high-defence architecture

Once this setup is in place, ordinary attackers will mostly back off when they see Cloud Armor in front of you. In a genuinely high-traffic cross-border environment, however, operations architects usually still have to deal with two real-world pitfalls:

1. Friendly fire on the "big pipes": do not treat payment gateways and well-known crawlers as attackers

After enabling the global per-client-IP rate limit you will soon see a string of odd errors: PayPal and Stripe payment callbacks occasionally fail, or Google's official search crawler suddenly cannot fetch your product pages.

Root cause: payment gateways and Google's crawlers also send requests to your site at high frequency. In Cloud Armor's eyes these "big pipes" look very much like an attacker's bots, so they easily trigger the 429 throttle and your order status falls out of sync.

Architect's standard immunity card: create a whitelist rule at the top of the Cloud Armor rule list (priority 100, the highest in the set). Use Google's built-in expression evaluatePreconfiguredExpr('sourceip-search-engines') to allow official compliant crawlers such as Google and Bing with one click, and add the IP ranges officially published by Stripe or PayPal to the same whitelist, granting them a permanent free pass.

2. The advanced attacker's ultimate bypass: protect your back-end origin IP

This is a lesson countless overseas teams have paid millions in advertising fees to learn. Your front end has invincible load balancing and Cloud Armor, but your back-end virtual machine (Compute Engine) accidentally carries a public IP and does not have inbound 80/443 from the public internet turned off.

The strike: sophisticated attackers do not touch your domain at all. They use internet-wide IP scanning to find the real public IP of your back-end server, bypass Google's front gate, and throw millions of requests straight at that IP. Cloud Armor never gets a chance to act and the back end collapses where it stands.

Hardcore security rule: the back-end origin must be fully sealed. Remove every external public IP from the back-end VMs and run them purely on the internal network. In the VPC firewall rules, configure "allow inbound only from the Google load balancer's front-end proxy ranges (130.211.0.0/22 and 35.191.0.0/16)". This turns the rear into a solid block and forces all traffic in the world to pass properly through the Cloud Armor filter.
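An added example (not the article's own code) that audits and seals the origin as described above: it lists origin VMs that still hold an external IP, strips the IP, and installs the allow-from-LB-only firewall pair. The VPC name, the network tag on the origin VMs, and the instance name and zone are assumptions; GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the article's own code: seals the origin VMs as Stage 4
# item 2 recommends. Assumed (not in the article): VPC name, the tag on the
# origin VMs, and the instance name/zone passed to remove_external_ip.
GCLOUD="${GCLOUD:-gcloud}"
NETWORK="${NETWORK:-prod-vpc}"            # assumed VPC name
TARGET_TAG="${TARGET_TAG:-web-backend}"   # assumed network tag on the origin VMs
LB_RANGES="130.211.0.0/22,35.191.0.0/16"  # Google LB proxy ranges named in the article

# Audit: origin VMs whose first interface still carries an external (NAT) IP
list_public_backends() {
  "$GCLOUD" compute instances list --filter="tags.items=$TARGET_TAG" \
    --format="value(name,zone.basename(),networkInterfaces[0].accessConfigs[0].natIP)"
}
# Fix: strip the external IP from one VM ($1 name, $2 zone) so it is VPC-only
remove_external_ip() {
  "$GCLOUD" compute instances delete-access-config "$1" --zone="$2" \
    --access-config-name="external-nat"
}
# Allow 80/443 only from the LB proxy ranges; priority 1000 beats the deny below
allow_lb_only() {
  "$GCLOUD" compute firewall-rules create allow-lb-to-origin --network="$NETWORK" \
    --direction=INGRESS --priority=1000 --action=ALLOW --rules=tcp:80,tcp:443 \
    --source-ranges="$LB_RANGES" --target-tags="$TARGET_TAG"
}
# Explicit deny of 80/443 from everywhere else (larger number = lower priority)
deny_public_web() {
  "$GCLOUD" compute firewall-rules create deny-public-web-to-origin --network="$NETWORK" \
    --direction=INGRESS --priority=2000 --action=DENY --rules=tcp:80,tcp:443 \
    --source-ranges=0.0.0.0/0 --target-tags="$TARGET_TAG"
}

if [ "${1:-}" = "apply" ]; then
  allow_lb_only && deny_public_web
fi
```

Run `list_public_backends` first; any row with a non-empty third column is a VM an attacker could reach without passing through Cloud Armor, and is the one to hand to `remove_external_ip`.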

Summary

The industrial-grade essence of defending against million-scale DDoS with Google Cloud Armor comes down to a 16-character maxim: edge scrubbing, rate limiting, precise signatures, origin sealed.

You are rid of the old passive posture of paying sky-high prices for third-party scrubbing or high-defence IPs, or absorbing the blows with the server firewall alone. The heavy lifting of high-defence flood protection is handed to the physical defence ceiling of Google's global backbone. However rough the attackers get out front, your site and overseas business stay steady as a rock behind it, and cash keeps flowing in smoothly.
