East2West

Reputation: 667

How Google Load Balancer handles DDoS

When a load balancer, either HTTP or network, is utilized, how is DDoS handled? At the Compute Engine level, you can place restrictions on source IPs and ensure that it does not affect your services. However, that IP restriction comes after the balancer, and for each piece of incoming data there will be a cost ($). Is there any way of avoiding such unpredictable cost?

Upvotes: 2

Views: 6028

Answers (2)

Subbaiah Venkata

Reputation: 59

  • The GCP load balancing solution has DDoS mitigations built in, lowering the attack surface:
    • configure ingress firewall rules (like iptables)
    • network load balancing has port filtering. Any port that is not load balanced is dropped by GCP's highly scaling frontend infrastructure
    • HTTP/HTTPS load balancing can absorb and protect from IP spoofing and large SYN flood attacks.
    • it also has fair-share allocation built in

Upvotes: 5

mensi

Reputation: 9846

There is no way to prevent costs due to attacks, as the attacker can always just keep the attack at a level that looks like perfectly legitimate traffic. Making traffic look legitimate is usually a goal in all but the most primitive attacks.

In this case, you would normally not want your infrastructure provider to make a decision on what's deemed legitimate in any case, since that would potentially impact real users.

That being said, an infrastructure provider will usually take some measures to defend against attacks, dropping "bad" packets as close to the edge of their network as possible. For obvious reasons, providers are usually not sharing details on that mechanism.

Upvotes: 3
