Layered Distributed Denial of Service protection in Pega Cloud for Government
This content applies only to Pega Cloud environments
This article is part of the Pega Cloud for Government Subscription Documentation.
Pega Cloud for Government (PCFG) provides counterstrategies to help protect against Distributed Denial of Service (DDoS) attacks. The PCFG infrastructure architecture is designed to prevent and mitigate DDoS attacks in a multi-layered approach that includes auto-scaling of PCFG environments and direct management of DNS inside of those environments.
DDoS attacks attempt to make targeted websites unavailable, thereby preventing anyone from using them. The attacker does this by exhausting the network resources needed to reach a specific web page, application, or its data, sending enough false or high-volume traffic to overwhelm the system’s capability to respond. DDoS is not a security or data breach—it even denies the attacker actual access—but it prevents the use of the system and its data. DDoS is not capable of taking down the application and database servers that would be situated behind the web servers used as access points, nor can DDoS be used to extract or expose data.
PCFG does not publish its clients’ DNS information or use public DNS resolution services, which also prevents public DNS spoofing (cache poisoning) types of DDoS attacks. Active network management (by use of subnetting) avoids single points of failure (and DDoS congestion) and prevents a DDoS attack from concentrating on a single target.
Additionally, Pega Cloud for Government provides the following layered DDoS mitigation services as part of clients’ private PCFG service:
- Non-public client access points and segregated networks, including:
  - A client-unique access URL
  - A client-unique and private IP /20-/24 address range
  - Use of dynamic high-level DNS canonical names (DNS CNAME records)
- Network Security Groups and Access Control Lists (firewall and router equivalents)
- Host-based IDS on every computing resource
- Active system health and activity monitoring with selected real-time alarms
- Available options, including a client-requested Allowed List
DDoS protection is a responsibility not only of PCFG, but also of the client. PCFG provides a layer of DDoS protection that is—in part—also dependent on the client keeping connections to the PCFG network private. Depending on their risk and exposure to that risk, especially if they choose to make connections available to a public or external network, clients might find it beneficial to consider the services of a third party specializing in DDoS protection.