Article

Layered distributed denial of service protection in Pega Cloud Services

This content applies only to Pega Cloud Services environments.

Pega Cloud Services provides effective counterstrategies to protect against Distributed Denial of Service (DDoS) attacks. The Pega Cloud infrastructure architecture is designed to prevent and mitigate DDoS attacks in a multilayered approach that includes auto-scaling of Pega Cloud environments and direct management of DNS inside of our environments.

DDoS attacks try to make targeted websites unavailable, thereby preventing anyone from using those websites. The attacker does this by exhausting the network’s resources that would be needed to reach a specific webpage, application or its data, through sending enough false or high-volume traffic that it overwhelms the system’s capability to respond. DDoS is not a security or data breach—it even denies the attacker actual access—but it prevents the use of the system and its data. DDoS is not capable of taking down the application and database servers that would be situated behind the web servers used as access points, nor can DDoS be used to extract or expose data.

Pega Cloud does not publish our customer’s DNS information, or use public DNS resolution services, which also prevent the use of public DNS spoofing, or cache poisoning, types of DDoS attacks. Active network management (by use of sub-netting) avoids single points of failure (and DDoS congestion), and prevents the DDoS attack from concentrating on a single target.

Additionally, Pega Cloud provides the following layered DDoS mitigation services as part of your private Pega Cloud Service:

  • Non-public customer access points and segregated networks, including:
    • A customer-unique access URL
    • A customer-unique and private IP /20-/24 address range
    • Use of dynamic high-level DNS canonical names (DNS CNAME records)
  • Network Security Groups and Access Control Lists (firewall and router equivalents)
  • Host-based IDS on every computing resource
  • Active system health and activity monitoring with selected real-time alarms
  • Available options, including a customer-requested Allowed List

Based on these techniques, the Pega Cloud managed service offering provides DDoS resistant hosting services. DDoS protection is a shared responsibility between Pega Cloud and you, the customer. Pega Cloud provides a layer of DDoS protection that is—in part—also dependent on you, the customer, keeping connections to the Pega Cloud private. Depending on your risk and exposure to that risk, especially if you choose to make connections available to a public or external network, you might find it beneficial to consider the services of a third party specializing in DDoS protection.

Published August 31, 2017 — Updated May 22, 2019


100% found this useful

Have a question? Get answers now.

Visit the Pega Support Community to ask questions, engage in discussions, and help others.