Attack Layer | Attack Types | Volume Range | Protection Method |
---|---|---|---|
Network (Layer 3-4) | UDP flood, ICMP flood, SYN flood | Up to 2.54 Tbps | Automatic |
Protocol (Layer 4) | TCP SYN, TCP ACK, TCP RST floods | Up to 500 Mpps | Automatic |
Application (Layer 7) | HTTP flood, Slowloris, HTTP POST flood | Up to 100M rps | Policy-based (Cloud Armor security policy) |
# Forwarding rules for a global external HTTP(S) load balancer.
# The L3/L4 volumetric absorption comes with the global external LB itself;
# L7 policy is attached to the backend service (Cloud Armor), not to the
# forwarding rule, so these two commands only expose the proxies.
gcloud compute forwarding-rules create ddos-protected-lb \
  --global \
  --target-http-proxy my-http-proxy \
  --ports 80

# HTTPS entry point.  NOTE(review): the port-80 rule above serves plaintext;
# unless the URL map behind my-http-proxy only issues HTTPS redirects, that
# plaintext surface is where cleartext credentials would leak — confirm.
gcloud compute forwarding-rules create ddos-protected-https-lb \
  --global \
  --target-https-proxy my-https-proxy \
  --ports 443

# Sanity check: target, port range and the (ephemeral) IP that was assigned.
gcloud compute forwarding-rules describe ddos-protected-lb \
  --global \
  --format="table(name,target,portRange,IPAddress)"
# Backend service behind the proxies.  Connection draining (300 s) lets
# in-flight requests finish when an instance is removed during scale-down.
# NOTE(review): ddos-health-check is not created anywhere in this listing —
# it must exist before this command runs.
gcloud compute backend-services create ddos-resilient-backend \
  --protocol HTTP \
  --port-name http \
  --health-checks ddos-health-check \
  --connection-draining-timeout 300 \
  --global

# Session affinity and backend response timeout, applied in one update.
# CLIENT_IP affinity pins each source address to one backend; during an
# attack this concentrates a flooding source (or a large NAT) on a single
# instance rather than spreading it, so it is an application requirement,
# not a DDoS mitigation.  --timeout is the backend response timeout (30 s);
# a short value frees proxy capacity held by slow backends.
gcloud compute backend-services update ddos-resilient-backend \
  --session-affinity CLIENT_IP \
  --timeout 30 \
  --global
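# Reserve a global static IPv4 address so DNS can point at a fixed target.
gcloud compute addresses create ddos-protected-ip \
  --global \
  --ip-version IPV4

# Print the reserved address (needed for the DNS records below).
gcloud compute addresses describe ddos-protected-ip \
  --global \
  --format="value(address)"

# A forwarding rule's IP address is immutable: it cannot be moved onto the
# reserved address with `forwarding-rules update`.  The rule has to be
# created with --address.  For an existing rule this means delete + create
# (a brief outage); during an active incident create a second rule on the
# new address first, move DNS, then delete the old rule.
gcloud compute forwarding-rules delete ddos-protected-lb \
  --global \
  --quiet
gcloud compute forwarding-rules create ddos-protected-lb \
  --global \
  --address ddos-protected-ip \
  --target-http-proxy my-http-proxy \
  --ports 80

# DNS (not a gcloud command).  Two A records give clients a second address
# to try; both must resolve to forwarding rules in front of the same
# protected backend, otherwise the "secondary" is an unprotected path.
# A record: example.com -> 34.102.136.180 (Primary)
# A record: example.com -> 34.102.136.181 (Secondary)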
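# Cloud Armor policy that will carry Adaptive Protection (L7 DDoS defence).
# `create` only takes name/type/description; the Adaptive Protection and
# JSON-parsing switches are `update` flags (the original passed a
# non-existent --layer7-ddos-defense-enable flag to update).
gcloud compute security-policies create adaptive-ddos-policy \
  --description "Adaptive DDoS protection policy" \
  --type "CLOUD_ARMOR"

# Adaptive Protection.  STANDARD visibility gives attack alerts only; the
# auto-suggested mitigation rules and per-attack signatures need PREMIUM,
# which is tied to the paid Cloud Armor tier — confirm the project's
# subscription before relying on suggested rules.
gcloud compute security-policies update adaptive-ddos-policy \
  --enable-layer7-ddos-defense \
  --layer7-ddos-defense-rule-visibility STANDARD

# Parse JSON request bodies so preconfigured WAF expressions (e.g. the
# rce-stable rule used later) inspect POST payloads, not just query strings.
gcloud compute security-policies update adaptive-ddos-policy \
  --json-parsing STANDARD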
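# WAF signature rule.  Adaptive Protection is volumetric; it does not replace
# the RCE signatures, so keep them at the top of the evaluation order.
gcloud compute security-policies rules create 1000 \
  --security-policy adaptive-ddos-policy \
  --expression "evaluatePreconfiguredExpr('rce-stable')" \
  --action "deny-403" \
  --description "Block RCE attempts during DDoS"

# Requests with no User-Agent.  In Cloud Armor's CEL an absent header is not
# an empty string, so the original `== ''` never matched a missing header;
# has() covers the absent case.  The `origin.region_code != ''` clause was
# always true and has been dropped.
gcloud compute security-policies rules create 2000 \
  --security-policy adaptive-ddos-policy \
  --expression "!has(request.headers['user-agent']) || request.headers['user-agent'] == ''" \
  --action "deny-429" \
  --description "Block requests without user-agent"

# Catch-all rate limit.  throttle requires explicit conform/exceed actions.
# Without --enforce-on-key the count is taken over ALL traffic, i.e. the
# original was a site-wide cap of 1000 req/min; keying on IP makes it a
# per-client limit.  Ban duration only exists for rate-based-ban and is
# not accepted here.  Because the expression is "true" and the first
# matching rule wins, every rule numbered above 3000 in this policy is
# unreachable — keep narrower rules at lower numbers.
gcloud compute security-policies rules create 3000 \
  --security-policy adaptive-ddos-policy \
  --expression "true" \
  --action "throttle" \
  --rate-limit-threshold-count 1000 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --description "Adaptive rate limiting"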
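# Header-shape heuristic.  Legitimate non-browser clients (curl, uptime
# probes, mobile SDKs) send exactly this shape, so the rule starts in
# preview; promote it only after reviewing previewSecurityPolicy log
# entries.  has() is required: comparing an absent header to '' does not
# match in Cloud Armor's CEL.
gcloud compute security-policies rules create 4000 \
  --security-policy adaptive-ddos-policy \
  --expression "has(request.headers['accept']) && request.headers['accept'].contains('*/*') && (!has(request.headers['accept-language']) || request.headers['accept-language'] == '') && (!has(request.headers['accept-encoding']) || request.headers['accept-encoding'] == '')" \
  --action "deny-403" \
  --preview \
  --description "Block bot-like behavior patterns"

# Regional throttle.  `inIpRange(origin.ip, '0.0.0.0/0')` matches every
# address and was removed.  Replace XX with an ISO 3166-1 alpha-2 code.
# Keyed per IP so one busy NAT does not exhaust the budget for the whole
# region; a region-wide cap (--enforce-on-key ALL) would also be a cheap
# way for an attacker to deny service to every legitimate user there.
gcloud compute security-policies rules create 5000 \
  --security-policy adaptive-ddos-policy \
  --expression "origin.region_code == 'XX'" \
  --action "throttle" \
  --rate-limit-threshold-count 100 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --description "Throttle traffic from suspicious regions"

# Preview-only WAF rule: logged, never enforced, for validating before
# rollout.
gcloud compute security-policies rules create 6000 \
  --security-policy adaptive-ddos-policy \
  --expression "evaluatePreconfiguredExpr('methodenforcement-v33-stable')" \
  --action "deny-403" \
  --preview \
  --description "Test method enforcement rule"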
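# Tier 1: site-wide budget.  --enforce-on-key ALL counts every request
# together, so this is a global cap, not a per-attacker limit.  The ban
# flags from the original are deliberately gone: a rate-based-ban keyed on
# ALL would ban *all* clients for the ban duration once the threshold is
# crossed — a self-inflicted outage — so the action is throttle.  The
# original --rate-limit-ban-* / --rate-limit-exceed-action flags do not
# exist; the real names are --exceed-action, --ban-duration-sec, etc.
# Priority 1000 is already used by the RCE rule in this policy (duplicate
# priorities are rejected), and a "true" rule must be numbered after every
# narrower rule or it shadows them.
gcloud compute security-policies rules create 2700 \
  --security-policy adaptive-ddos-policy \
  --expression "true" \
  --action "throttle" \
  --rate-limit-threshold-count 10000 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key ALL \
  --description "Global rate limiting for DDoS protection"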
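# Tier 2: per-IP limit with a temporary ban for sustained offenders.
# rate-based-ban is the action that accepts ban thresholds/duration; the
# original passed them to throttle under non-existent flag names.
# Priority 2000 is taken by the User-Agent rule in this policy.  Because
# the expression is "true", a conforming request is allowed here and
# nothing numbered higher is evaluated.
# NOTE(review): if clients arrive through a CDN or proxy, origin.ip is the
# proxy address — use --enforce-on-key XFF-IP in that case, otherwise one
# proxy exhausts the budget for everyone behind it.
gcloud compute security-policies rules create 2600 \
  --security-policy adaptive-ddos-policy \
  --expression "true" \
  --action "rate-based-ban" \
  --rate-limit-threshold-count 100 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --ban-threshold-count 200 \
  --ban-threshold-interval-sec 60 \
  --ban-duration-sec 300 \
  --description "Per-IP rate limiting"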
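# Tier 3: tighter per-IP limit on authentication and API paths, with a
# 10-minute ban for repeat offenders (rate-based-ban is the action that
# takes ban settings).  Narrow rules must carry a lower number than any
# catch-all "true" rule or they are never reached; 3000 was also already
# used in this policy.  --enforce-on-key IP keeps the 50 req/min budget
# per client rather than site-wide.
gcloud compute security-policies rules create 2500 \
  --security-policy adaptive-ddos-policy \
  --expression "request.path.startsWith('/api/') || request.path.startsWith('/login')" \
  --action "rate-based-ban" \
  --rate-limit-threshold-count 50 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --ban-threshold-count 100 \
  --ban-threshold-interval-sec 60 \
  --ban-duration-sec 600 \
  --description "Critical endpoint rate limiting"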
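# Expensive search POSTs: per-IP throttle.  Priorities 4000/5000 were
# already used in this policy; these are numbered below the catch-all
# rules so they are actually evaluated.  request.path is the documented
# attribute for the URL path.
gcloud compute security-policies rules create 2300 \
  --security-policy adaptive-ddos-policy \
  --expression "request.method == 'POST' && request.path.contains('search')" \
  --action "throttle" \
  --rate-limit-threshold-count 20 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --description "Dynamic rate limiting for search endpoints"

# Self-declared bots: strict per-IP limit plus a 30-minute ban
# (rate-based-ban is the action that takes --ban-duration-sec).
# The User-Agent is attacker-controlled: the match is case-folded so
# "Bot"/"BOT" do not slip through, but anyone can also simply omit the
# string, and anyone can *claim* "googlebot" — the exemption is a courtesy
# to real crawlers, not a verified identity (Google publishes IP ranges
# for that).  has() guards the absent-header case.
gcloud compute security-policies rules create 2400 \
  --security-policy adaptive-ddos-policy \
  --expression "has(request.headers['user-agent']) && request.headers['user-agent'].lower().contains('bot') && !request.headers['user-agent'].lower().contains('googlebot')" \
  --action "rate-based-ban" \
  --rate-limit-threshold-count 10 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --ban-duration-sec 1800 \
  --description "Strict limiting for bot traffic"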
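# Request logging is a backend-service setting; the security policy only
# controls how much Cloud Armor detail each entry carries.  The original
# passed --enable-logging to the policy, where it is not a flag.
gcloud compute security-policies update adaptive-ddos-policy \
  --log-level VERBOSE
gcloud compute backend-services update ddos-resilient-backend \
  --global \
  --enable-logging \
  --logging-sample-rate 1.0

# Cloud Armor decisions are logged on the load balancer resource under
# jsonPayload.enforcedSecurityPolicy.* (outcome ACCEPT/DENY, name,
# priority, configuredAction).  Verify these field names against one
# sample entry in Logs Explorer before depending on the filter.
#
# The sink's writer identity (printed on creation as writerIdentity) must
# be granted BigQuery Data Editor on the ddos_logs dataset, e.g. via
# `bq update --dataset ... ` or the console; without it exports are
# dropped with errors only visible in the sink's error log.
gcloud logging sinks create ddos-events-sink \
  bigquery.googleapis.com/projects/PROJECT_ID/datasets/ddos_logs \
  --log-filter='resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"'

# Log-based counter metric to alert on.
gcloud logging metrics create ddos_blocked_requests \
  --description="DDoS blocked requests counter" \
  --log-filter='resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"'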
# Create alerting policy for DDoS attacks gcloud alpha monitoring policies create \ --policy-from-file=- <
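# Denied requests for this policy since the cut-off.  Field names follow
# the Cloud Armor log schema (jsonPayload.enforcedSecurityPolicy.*) rather
# than the securityPolicyDecision/securityPolicyName keys used before,
# which are not emitted — confirm against a sample entry.
gcloud logging read '
  resource.type="http_load_balancer"
  AND jsonPayload.enforcedSecurityPolicy.name="adaptive-ddos-policy"
  AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"
  AND timestamp>="2024-01-01T00:00:00Z"
' --limit=100 --format=json

# Rate-limit hits.  The request details live under httpRequest.*, the
# client address under jsonPayload.remoteIp.
gcloud logging read '
  resource.type="http_load_balancer"
  AND jsonPayload.enforcedSecurityPolicy.configuredAction="THROTTLE"
  AND timestamp>="2024-01-01T00:00:00Z"
' --limit=50 --format="table(timestamp,jsonPayload.remoteIp,httpRequest.userAgent)"

# Denied requests by source country.  The region code is recorded under
# securityPolicyRequestData.remoteIpInfo — verify the path on your entries.
gcloud logging read '
  resource.type="http_load_balancer"
  AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"
  AND jsonPayload.securityPolicyRequestData.remoteIpInfo.regionCode!=""
  AND timestamp>="2024-01-01T00:00:00Z"
' --format="value(jsonPayload.securityPolicyRequestData.remoteIpInfo.regionCode)" \
  | sort | uniq -c | sort -nr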
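# Emergency policy.  As originally written it had a deny-403 default rule
# and only deny rules, so attaching it would have taken the whole service
# offline — a complete self-DoS.  A new policy's default rule (priority
# 2147483647) allows; it is set explicitly here so the intent is visible.
gcloud compute security-policies create emergency-ddos-policy \
  --description "Emergency DDoS response policy" \
  --type "CLOUD_ARMOR"
gcloud compute security-policies rules update 2147483647 \
  --security-policy emergency-ddos-policy \
  --action allow

# Block an attacking range.  inIpRange needs a CIDR, e.g. '203.0.113.0/24'.
# For a plain list of ranges --src-ip-ranges (up to 10 CIDRs per rule) is
# simpler than an expression.
gcloud compute security-policies rules create 1000 \
  --security-policy emergency-ddos-policy \
  --expression "inIpRange(origin.ip, 'ATTACK_IP_RANGE/24')" \
  --action "deny-403" \
  --description "Emergency IP range block"

# Country block: ISO 3166-1 alpha-2 code.  This denies every legitimate
# user in that country too — prefer a throttle, and time-box the rule
# (record when it was added so it gets removed after the incident).
gcloud compute security-policies rules create 2000 \
  --security-policy emergency-ddos-policy \
  --expression "origin.region_code == 'ATTACK_COUNTRY'" \
  --action "deny-403" \
  --description "Emergency country block"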
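# Swap the backend's policy.  A backend service has exactly one security
# policy, so this *replaces* the adaptive policy and all its WAF rules;
# the emergency rules below are better added to the existing policy unless
# it is the policy itself that is misbehaving.
gcloud compute backend-services update TARGET_BACKEND \
  --security-policy emergency-ddos-policy \
  --global

# Emergency per-IP limit with a one-hour ban.  The original throttle had no
# --enforce-on-key, so 10 req/min applied to ALL traffic combined — an
# outage, not a mitigation.  Ban duration requires rate-based-ban.
gcloud compute security-policies rules create 9999 \
  --security-policy emergency-ddos-policy \
  --expression "true" \
  --action "rate-based-ban" \
  --rate-limit-threshold-count 10 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --ban-duration-sec 3600 \
  --description "Emergency rate limiting"

# Signature block on the (attacker-controlled) User-Agent; case-folded so
# trivial capitalisation changes do not bypass it.  Numbered below the
# catch-all 9999 so it is evaluated first.
gcloud compute security-policies rules create 9998 \
  --security-policy emergency-ddos-policy \
  --expression "has(request.headers['user-agent']) && request.headers['user-agent'].lower().contains('ATTACK_SIGNATURE')" \
  --action "deny-403" \
  --description "Emergency signature block"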
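# RFC 3339 timestamp N minutes/hours ago, for log filters.
# `date -d` is GNU coreutils; on macOS/BSD use `date -u -v-5M ...`.
since() {
  date -u -d "$1" +%Y-%m-%dT%H:%M:%SZ
}

# Last 5 minutes of LB traffic as CSV.  The file holds client IPs and
# user agents — personal data — so restrict it.  Field names follow the
# Cloud Armor / LB log schema (jsonPayload.remoteIp, httpRequest.*);
# confirm against a sample entry.
umask 077
gcloud logging read '
  resource.type="http_load_balancer"
  AND timestamp>="'"$(since "5 minutes ago")"'"
' --format="csv(timestamp,jsonPayload.remoteIp,httpRequest.userAgent,httpRequest.requestUrl)" \
  | head -1000 > attack_analysis.csv

# Top denied source IPs in the last 10 minutes.
gcloud logging read '
  resource.type="http_load_balancer"
  AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"
  AND timestamp>="'"$(since "10 minutes ago")"'"
' --format="value(jsonPayload.remoteIp)" \
  | sort | uniq -c | sort -nr | head -20

# Denied method+URL combinations in the last 15 minutes.
gcloud logging read '
  resource.type="http_load_balancer"
  AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"
  AND timestamp>="'"$(since "15 minutes ago")"'"
' --format="value(httpRequest.requestMethod,httpRequest.requestUrl)" \
  | sort | uniq -c | sort -nr | head -50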
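# Baseline policy.  --enable-layer7-ddos-defense belongs to `update`, not
# `create`.
gcloud compute security-policies create baseline-ddos-policy \
  --description "Baseline DDoS protection policy" \
  --type "CLOUD_ARMOR"
gcloud compute security-policies update baseline-ddos-policy \
  --enable-layer7-ddos-defense

# Synthetic test hook.  It is numbered *below* the catch-all so it is
# actually evaluated; --preview means it is only logged, never enforced.
gcloud compute security-policies rules create 900 \
  --security-policy baseline-ddos-policy \
  --expression "request.headers['x-test-ddos'] == 'true'" \
  --action "deny-403" \
  --preview \
  --description "DDoS protection testing rule"

# The original loop created three rules (1000/2000/3000) that all matched
# "true".  Cloud Armor applies the first matching rule, so tiers 2 and 3
# could never fire.  A single per-IP catch-all replaces them; throttle
# also requires explicit conform/exceed actions.
gcloud compute security-policies rules create 1000 \
  --security-policy baseline-ddos-policy \
  --expression "true" \
  --action "throttle" \
  --rate-limit-threshold-count 1000 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP \
  --description "Progressive rate limiting tier 1"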
# Backend tuning: short draining and response timeouts free proxy capacity
# quickly, and CDN serves cacheable responses from the edge so a flood of
# identical GETs never reaches the origin (dynamic or authenticated
# responses get no benefit).
gcloud compute backend-services update resilient-backend \
  --connection-draining-timeout 30 \
  --timeout 10 \
  --enable-cdn \
  --global

# Aggressive health check: an instance is out after two missed probes and
# back after one success.  NOTE(review): healthy-threshold 1 can make a
# backend flap in and out under load — confirm that is acceptable.
gcloud compute health-checks create http ddos-resilient-health \
  --port 80 \
  --request-path "/health" \
  --check-interval 10s \
  --timeout 5s \
  --unhealthy-threshold 2 \
  --healthy-threshold 1

# Autoscaling absorbs spikes, but scaling to 100 instances in response to
# attack traffic is a cost amplification attack against the project; pair
# the max with a billing alert and with the rate limits in the policy.
gcloud compute instance-groups managed set-autoscaling ddos-resilient-ig \
  --zone us-central1-a \
  --min-num-replicas 3 \
  --max-num-replicas 100 \
  --target-cpu-utilization 0.7
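# Export the policy in a form `security-policies import --file-name` can
# restore (dated so rollbacks are possible during an incident).
gcloud compute security-policies describe baseline-ddos-policy \
  --format="export" > "ddos-policy-backup-$(date +%Y%m%d).yaml"

# NOTE(review): confirm this subcommand exists in the installed gcloud;
# the documented way to enumerate metric descriptors is the Monitoring
# API (metricDescriptors.list).
gcloud monitoring metrics list \
  --filter="metric.type:compute.googleapis.com/https/request_count" \
  --format="table(metric.type,metric.displayName)"

# Which rule priorities produced denials in the last 24 h.  The rule number
# is logged as enforcedSecurityPolicy.priority, not securityPolicyRuleNumber;
# confirm against a sample entry.  `date -d` is GNU-only.
gcloud logging read '
  resource.type="http_load_balancer"
  AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"
  AND timestamp>="'"$(date -u -d "24 hours ago" +%Y-%m-%dT%H:%M:%SZ)"'"
' --format="value(jsonPayload.enforcedSecurityPolicy.priority)" \
  | sort | uniq -c | sort -nr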