DoS Guidance - Scaling

Created:  31 Jan 2018
Updated:  31 Jan 2018
Ensure your service can scale to deal with surges in concurrent sessions.

To deal with attacks that can't be handled upstream, or that can be handled upstream only once they have been detected and blocked, it is desirable for your service to be able to scale rapidly.

In the ideal scenario, you will be able to scale all aspects of your application and the infrastructure supporting it. Horizontal scaling, as this is known, is most easily accomplished with new, cloud-native applications. These services can run on flexible infrastructure, with managed databases, which can be automatically scaled using the cloud providers' APIs.

In private data centres, some level of automated scaling is possible using modern virtualisation, but this will require you to have spare hardware capacity to deal with the additional load.

For pre-existing applications that were not developed in a cloud-native manner, it may be possible to undertake a small amount of re-engineering to allow some automated scaling, though this will likely be less responsive than an application developed in a cloud-native way.

When using cloud services to scale, we recommend that you:

  • Consider how much you are willing to spend to scale during an attack. Scaling up can be costly, and you should consider the threshold at which you would choose to gracefully degrade, offering a reduced service.
  • Consider the geographic deployment of your service. Some regions may take the brunt of an attack, and thoughtful service design can improve your chances of being able to successfully operate from other regions when necessary. 
  • Understand the level of capacity that your service provider has. Even though cloud services can appear to have infinite capacity, they don't. Additionally, you may be limited as to how many instances you are allowed to start on the cloud platform. This can often be increased, but requires submitting manual requests. The available capacity may vary by region, so again, consider this aspect when choosing which regions to deploy into. Also, consider that some providers may choose to terminate your service if it is creating a material effect on their business. Be sure to understand contractual clauses and termination statements.
  • Understand when the service provider may choose to throttle your service in order to keep offering a good service to their other customers. 
  • Be aware that the security properties of cloud services can vary greatly, and there is always a division of responsibility between the customer and the supplier to secure the service. We recommend you use our Cloud Security Principles to help you choose a suitable service.
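
The spending threshold, regional deployment and provider instance limits in the list above can be combined into a single scaling decision, sketched here as an added example that is not part of the original guidance. The region names, per-instance capacity, prices, quotas and the fair-share policy are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Region:
    name: str
    sessions: int   # concurrent sessions arriving in this region
    quota: int      # instance limit the provider enforces in this region

def plan_scaling(regions, sessions_per_instance, price_pence, budget_pence):
    """Return {region: (instances_to_run, degraded)} within quota and budget.

    degraded=True means the region cannot be fully served and should fall
    back to a reduced service instead of scaling further.
    """
    # Integer pence avoids float rounding when dividing the budget by the price.
    affordable = budget_pence // price_pence
    # Ceiling division: instances needed to serve every session in the region.
    wanted = {r.name: -(-r.sessions // sessions_per_instance) for r in regions}
    # The provider's per-region limit applies before the budget does.
    capped = {r.name: min(wanted[r.name], r.quota) for r in regions}

    plan, remaining = {}, affordable
    # Max-min fair share: serve the smallest demands first so regions that are
    # not under attack stay whole and the flooded region absorbs the shortfall.
    order = sorted(regions, key=lambda r: capped[r.name])
    for i, r in enumerate(order):
        fair_share = remaining // (len(order) - i)
        grant = min(capped[r.name], fair_share)
        remaining -= grant
        plan[r.name] = (grant, grant < wanted[r.name])
    return plan

# Constructed sample: one region is taking the brunt of a surge.
SAMPLE = [
    Region("eu-west", sessions=60_000, quota=80),
    Region("us-east", sessions=4_000, quota=40),
    Region("ap-south", sessions=1_200, quota=40),
]

if __name__ == "__main__":
    # Assumed figures: 500 sessions per instance, 20p per instance-hour,
    # and a ceiling of 1000p per hour on what we are willing to spend.
    for name, (n, degraded) in plan_scaling(SAMPLE, 500, 20, 1000).items():
        state = "reduced service" if degraded else "full service"
        print(f"{name}: run {n} instances, {state}")
```

Raising the budget alone does not restore full service in the flooded region: at 4000p per hour it is still held to its quota of 80 instances, which is why quota increases need to be requested before an attack rather than during one.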
