Layered distributed denial of service protection in Pega Cloud Services

This content applies only to Cloud environments.

This article is part of the Pega Cloud Services Subscription Documentation.

Pega Cloud Services provides counterstrategies to help protect against Distributed Denial of Service (DDoS) attacks. The Pega Cloud Services infrastructure architecture is designed to prevent and mitigate DDoS attacks in a multilayered approach that includes auto-scaling of Pega Cloud Services environments and direct management of DNS inside of those environments.

DDoS attacks try to make targeted websites unavailable, thereby preventing anyone from using them. The attacker does this by exhausting the network resources needed to reach a specific web page, application, or its data, sending enough false or high-volume traffic to overwhelm the system’s capacity to respond. DDoS is not a security or data breach (it denies even the attacker actual access), but it prevents the use of the system and its data. DDoS is not capable of taking down the application and database servers situated behind the web servers used as access points, nor can DDoS be used to extract or expose data.

Pega Cloud Services does not publish its clients’ DNS information or use public DNS resolution services, which also prevents public DNS spoofing (cache poisoning) types of DDoS attacks. Active network management (through subnetting) avoids single points of failure (and DDoS congestion) and prevents a DDoS attack from concentrating on a single target.

Additionally, Pega Cloud Services provides the following layered DDoS mitigation services as part of clients' private Pega Cloud Service:

  • Non-public client access points and segregated networks, including:
    • A client-unique access URL
    • A client-unique, private IP address range (/20 to /24)
    • Use of dynamic high-level DNS canonical names (DNS CNAME records)
  • Network Security Groups and Access Control Lists (firewall and router equivalents)
  • Host-based IDS on every computing resource
  • Active system health and activity monitoring with selected real-time alarms
  • Available options, including a client-requested Allowed List

DDoS protection is a responsibility not only of Pega Cloud Services but also of the client. Pega Cloud Services provides a layer of DDoS protection that depends, in part, on the client keeping connections to the Pega Cloud Services network private. Depending on their risk and exposure to that risk, especially if they choose to make connections available to a public or external network, clients might find it beneficial to consider the services of a third party specializing in DDoS protection.