Layered distributed denial of service protection in Pega Cloud
This content applies only to Pega Cloud environments
This article is part of the Pega Cloud Subscription Documentation.
Pega Cloud provides counterstrategies to help protect against Distributed Denial of Service (DDoS) attacks.
DDoS attacks attempt to make targeted websites unavailable, so that nobody can use them. The attacker exhausts the network resources needed to reach a specific webpage, application, or its data by sending enough false or high-volume traffic to overwhelm the system’s capacity to respond. A DDoS attack is not a security or data breach—it denies even the attacker actual access—but it prevents the use of the system and its data. DDoS is not capable of taking down the application and database servers that sit behind the web servers used as access points, nor can it be used to extract or expose data.
The Pega Cloud architecture is designed to prevent and mitigate DDoS attacks in a multi-layered approach that includes but is not limited to the following areas:
- Scalability of Pega Cloud environments and edge resources such as load balancers and DNS infrastructure.
- Edge services providing always-on detection and automatic inline mitigations that minimize application downtime and latency.
- A web application firewall as an application-level mitigation.
- Host-based intrusion prevention (IPS).
- Active system health and activity monitoring with selected real-time alarms.
- Network ACLs and firewall rules that follow a least-privilege model to limit the attack surface.
- A client-defined allow list.
From these capabilities, the Pega Cloud service implements mitigations for the following critical areas:
- Layer 7 (application layer) attack mitigation
- Layer 6 (presentation layer - for example, TLS) attack mitigation
- Layer 4 (transport layer - for example, SYN flood) attack mitigation
- Layer 3 (network layer - for example, UDP reflection) attack mitigation
- Scaling to absorb application layer traffic
- Geographic isolation and dispersion of excess traffic and larger DDoS attacks
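Two of the controls listed above, the client-defined allow list and active monitoring with real-time alarms against Layer 7 floods, can be illustrated with a small detector run over sample access-log lines. The following Python is an added example written for this article, not Pega's code; the allow-list CIDR, the request-rate threshold, the window size and the log lines are all constructed values.

```python
"""Added example (not Pega's code): apply a client-defined allow list and a
per-source request-rate alarm to constructed access-log lines.
Hypothetical names: evaluate(), is_allowed(), parse_line(), SAMPLE_LINES."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-style access log: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines (assumed to be in time order, as a log file is):
#   10.0.0.5    trusted client, normal rate
#   203.0.113.9 source that is not on the client's allow list
#   10.0.0.7    trusted client that sends a 12-request burst in 3 seconds
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /prweb HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:12:00:01 +0000] "GET /prweb HTTP/1.1" 403 0',
    "this line is not a valid log record and is skipped",
] + [
    f'10.0.0.7 - - [01/Jan/2024:12:00:{2 + i // 4:02d} +0000] "POST /prweb HTTP/1.1" 200 10'
    for i in range(12)
] + [
    '10.0.0.5 - - [01/Jan/2024:12:00:30 +0000] "GET /prweb HTTP/1.1" 200 512',
]


def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def build_allow_list(cidrs):
    """Parse the client-defined allow list into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip, allow_list):
    """True if the source address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_list)


def evaluate(lines, allow_cidrs, window_seconds=5, threshold=10):
    """Model two layers: network ACL allow-listing, then a Layer 7 rate alarm.

    Returns the sources dropped by the allow list and the allowed sources
    whose request count within a sliding window exceeded the threshold.
    """
    allow_list = build_allow_list(allow_cidrs)
    denied = set()
    alarms = set()
    windows = defaultdict(deque)  # per-source timestamps inside the window

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _request = parsed
        if not is_allowed(ip, allow_list):
            # A network ACL would drop this before it reached the application.
            denied.add(ip)
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # age out requests older than the window
        if len(q) > threshold:
            alarms.add(ip)  # constructed threshold: >10 requests in 5 s
    return {"denied": denied, "alarms": alarms}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LINES, ["10.0.0.0/24"]))
```

The two outcomes are deliberately kept separate: an unlisted source never reaches the rate logic, which is the point of enforcing the allow list at the network layer, while a burst from a trusted source is surfaced as an alarm for the monitoring layer rather than silently dropped.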
Based on these mechanisms and solutions, Pega Cloud provides significant DDoS mitigations.
DDoS protection is a responsibility not only of Pega Cloud, but also of the client. Pega Cloud provides a layer of DDoS protection that is—in part—also dependent on the client keeping connections to the Pega Cloud network private. Depending on their risk and exposure to that risk, especially if they choose to make connections available to a public or external network, clients might find it beneficial to consider the services of a third party specializing in DDoS protection.