This document outlines the Distributed Denial-of-Service (DDoS) protection strategy for services provided to package-client. The purpose of this policy is to ensure the availability, performance, and resilience of package-client's services by implementing a multi-layered approach to mitigate DDoS attacks.
This policy applies to all network infrastructure, application services, and cloud environments that host or support package-client's operations.
The following protections are applied to the network infrastructure hosting package-client's services:
- IP Whitelisting: All exposed services are protected by strict IP whitelisting using UFW and Apache configurations. Only authorized IP ranges belonging to package-client and their trusted partners are permitted access.
- Rate Limiting: The Apache reverse proxy enforces request rate limits per IP address and per endpoint to prevent abuse and volumetric flooding of package-client's services.
- Connection Throttling: ModSecurity rules and Apache modules (e.g., mod_ratelimit, mod_evasive) are used to slow down or block excessive connections that could impact service availability.
We implement the following safeguards to protect the applications used by package-client:
- WAF Enforcement: ModSecurity, with the OWASP Core Rule Set (CRS), is deployed to block common attack patterns, including HTTP floods, malformed requests, and malicious bot traffic targeting package-client's applications.
- Payload Validation: All incoming requests are validated for structure, size, and content type. Webhooks and APIs reject oversized or malformed payloads to prevent application-layer attacks.
- MQTT Rate Control: The MQTT broker enforces topic-level rate limits and connection quotas to prevent flooding from compromised clients or devices.
To ensure the resilience of package-client's services against large-scale attacks, we have the following measures in place:
- AWS Shield: For high-risk deployments, AWS Shield Standard provides automatic protection against common DDoS vectors. AWS Shield Advanced is available as an optional service for enhanced protection.
- Cloudflare/CDN Integration: For public-facing assets, Cloudflare or a similar CDN service can be integrated to absorb traffic spikes and filter malicious requests before they reach package-client's infrastructure.
- Auto-Scaling & Failover: EC2 instances and RDS databases are deployed across multiple Availability Zones with auto-recovery enabled to ensure high availability and failover capacity.
We have a clear incident response plan for DDoS attacks affecting package-client's services:
- Telemetry Integration: DDoS-related events, such as rate limit triggers and WAF blocks, are logged via MQTT and stored in InfluxDB for analysis.
- Alerting: Threshold-based alerts are configured to notify the operations team of unusual traffic patterns, connection spikes, or a high number of blocked IPs.
- Containment Workflow: In the event of an attack, automated scripts can update UFW rules or block IPs via AWS WAF or the Cloudflare API, based on the severity of the attack.
- Communication: In the event of a significant DDoS attack impacting package-client's services, a designated point of contact will be notified, and regular updates will be provided.
This policy will be reviewed annually, or in the event of a significant security incident, to ensure its continued effectiveness in protecting package-client's services.