How to improve resilience to DDoS attacks with Cloud Armor Advanced rate limiting capabilities

In recent years, we've been seeing an exponential surge in the number, volume, and complexity of distributed denial-of-service (DDoS) attacks. In September 2023, we saw the largest DDoS attack to date, which peaked at 398 million requests per second. As the threat landscape evolves, enterprises face a pressing need for effective measures to mitigate these attacks. Google Cloud Armor's always-on Layer 3 and Layer 4 DDoS defense, Web Application Firewall (WAF), Adaptive Protection, bot management, threat intelligence, and rate-limiting capabilities can help enterprises build a comprehensive DDoS mitigation strategy. 

Internet-facing applications are vulnerable to application layer DDoS attacks (such as HTTP Flood) where the intent is to make the service unavailable by flooding it with a large volume of requests, or to gain access to applications using lower-volume attacks that carry out exploits like credential stuffing. With Cloud Armor’s rate limiting, customers can curtail traffic to backend resources based on request volume, and prevent unwelcome traffic from affecting service availability.

One of the many companies that relies on modern strategies and tools to defend against DDoS attacks is Uber Technologies, which has adopted a comprehensive approach to mitigate the impact of DDoS attacks on its business operations.

"Uber employs a multi-pronged approach to reduce disruption to its business due to DDoS attacks. Cloud Armor's rate limits have been an effective part of our toolkit that we've employed in past incidents,” said Avinash Palayadi, senior engineering manager, Uber. 

Safeguarding your applications with Cloud Armor Rate Limiting 

Cloud Armor’s rate limiting capability addresses key customer use cases such as preventing misconfigured trusted clients from overwhelming the backends, preventing malicious clients from sending large numbers of requests, and limiting requests from each client or from a specific region. 

Cloud Armor has two types of actions it can take for rate-based rules - 

1. Throttle: Enforces a maximum request limit per client, or across all clients using rate-limit threshold. 

2. Rate-based ban: Bans clients that exceed a user configured ban threshold for a specific period of time. 

Planning your rate limiting deployment

Throttle action is useful to address service-wide rate limiting and to protect against volumetric attacks that are significantly above your baseline traffic volume. As a best practice, set the request count in the range of 10% to 30% above your baseline traffic volume. We recommend temporarily raising rate-limit thresholds in anticipation of high traffic events, such as a new product promotion or special sales events. Alternatively, you could use the rate-based ban action with a longer ban duration to prevent malicious clients from being reused.

Rate-based ban action with a different value for ban threshold and rate-limit threshold can be used to protect against misconfigured trusted clients’ requests unintentionally overwhelming backend servers. Using a combination of throttle and rate-based ban action, requests are throttled at the rate-limit threshold and then temporarily banned when the request rate exceeds the ban threshold. As a best practice, we suggest setting a high ban limit, approximately 10 times the rate limit and to keep the ban duration short. This ensures that short bursts from trusted clients are permitted, and that we do not penalize good clients by banning them for an extended period of time. 

Finally, we recommend using Adaptive Protection with rate limiting for manual or automated malicious activity where the incoming traffic looks just like legitimate traffic at similar volumes.Cloud Armor Adaptive Protection uses machine learning to protect applications against Layer 7 DDoS attacks and helps block high volume traffic coming from single or distributed sources. 

How it works: Combining throttle with rate-based ban

The rate-based ban rules can be fine tuned to your use cases by combining throttle with rate-based ban parameters like the rate limit threshold, duration for evaluation of the rate limit, ban threshold, ban duration and the action to take when the rate limit is exceeded. Below is a sample gcloud command that of a rate-based-ban rule with both rate-limit and ban threshold specified -

The following graphs describes the action taken by Cloud Armor when you use rate-based ban with both rate-limit and ban threshold specified:

For simplicity, interval_sec and ban_interval_sec were chosen to be identical in this graph. For every interval_sec window, Cloud Armor counts the cumulative incoming requests:

• Allow Action (1) - If the number of cumulative requests from the client during interval_sec doesn’t cross the rate_limit_threshold, Cloud Armor allows the client request to your backend.

• Throttle Action (2) - If the number of cumulative requests during interval_sec crosses the rate_limit_threshold, any exceeding request will be denied (or as specified by exceed_action). Once interval_sec ends, the cumulative requests count goes back to 0, and new requests will be allowed (Allow Action - 1).

• Rate-based-ban Action (3) - If the number of cumulative requests during interval_sec crosses the rate_limit_threshold, any exceeding request will be denied (or according to chosen exceed_action). During ban_interval_sec every ‘extra’ request will be denied (same as Throttle Action - 2) and then after ban_interval_sec is complete the client will be banned for the full duration of ban_duration_sec. Only once ban_duration_sec has ended, the request evaluation will start again (Allow Action - 1).

What you can do next

Rate limiting is an important tool for proactively protecting your application from DDoS attacks. Here is a recommended summary of which Cloud Armor capabilities that you can use based on your use cases:

By following the best practices outlined in this blog post for your specific use cases, you can ensure that your application is protected from malicious traffic while still providing a good user experience for legitimate users. You can learn more about Cloud Armor and Rate limiting here.