EDGE PROTECTION FOR PRODUCTION WEBSITE 1

Edge Protection for Production Website

Travis C. Flatt

Western Governors University



Table of Contents

Proposal Overview
    Problem Summary
    IT Solution
    Implementation Plan
Review of Other Work
Project Rationale
Current Project Environment
Methodology
Project Goals, Objectives, and Deliverables
    Goals, Objectives, and Deliverables Table
    Goals, Objectives, and Deliverables Descriptions
Project Timeline with Milestones
Outcome
References

Proposal Overview

Vote Smart is currently experiencing recurring attacks upon its website, causing outages and unacceptably slow server response times. Tarvos Web Services (TWS) has been asked to investigate the issue and offer a viable solution. TWS will work with Vote Smart to determine the best path forward in mitigating the damage from these hostile actions.

Problem Summary

Vote Smart is a venerable non-profit organization with the stated mission of providing free unbiased information regarding US political candidates and elected officials. They have recently deployed a newer cloud-based infrastructure for their primary website, which has been serving a steadily increasing number of users. Recently, they have been experiencing a rise in downtime and performance dips due to hostile actions against their site. This has ranged from attacks on particular pages of information to an election day distributed denial of service (DDoS) attack which brought down their site entirely. They are seeking options to mitigate incoming DDoS attacks on their website and minimize performance and availability issues. As they are a non-profit organization, they are hoping to minimize maintenance or knowledge requirements with any potential solution due to budget and staffing limitations. The solution should be flexibly scalable, as Vote Smart has a wide range of seasonal traffic which is fairly predictable.

IT Solution

Tarvos Web Services has proposed the implementation of an edge network service with Artificial Intelligence DDoS Mitigation in order to resolve Vote Smart’s problems with denial of service attacks on its website. With a DDoS Mitigation service in place, the AI analyzes incoming traffic in real time, responds to malicious patterns, and prevents negative impacts upon Vote Smart’s web architecture. TWS has selected Fastly’s DDoS Protection and Mitigation Service and SLA for this purpose.

Implementation Plan

The implementation of these services will proceed according to the following steps:

I. Tarvos Web Services and Vote Smart will work together in order to determine the scope and timeline of the project. Assets which need to be protected from DDoS attacks will be identified. Vote Smart’s IT staff will be consulted regarding their role in the implementation and trained regarding the use of new services.

II. Fastly DDoS Service will be activated and Vote Smart’s web traffic will be redirected through Fastly’s edge network. Tarvos Web Services will verify all traffic is traveling through Fastly’s edge locations as necessary and that website performance is not impacted.

III. New procedures will be implemented and responsibility for the monitoring of the DDoS mitigation services will be handed off to Vote Smart IT staff. All relevant accounts and access to Fastly’s console will be transferred.

IV. Vote Smart IT will continue to monitor Fastly’s edge network DDoS mitigation service and respond to alerts as advised.

Review of Other Work

I. According to Radware’s recent study, “Quarterly DDoS Attack Report”, Vote Smart is not alone in suffering from DDoS attacks. Relative to the previous quarter, the number of attacks has increased dramatically (Radware, 2021). Radware speculates that the increase in pressure from bad actors using DDoS strategies is related to an attempt to benefit from the steady increase in Bitcoin value (Radware, 2021). Compared to the previous quarter, the total attack volume in the first quarter of 2021 has increased by 31% (Radware, 2021). While the majority of attacks seem to be targeting biotechnology and pharmaceutical organizations, Vote Smart’s focus on government education seems to have made them a target. North America-based government institutions and related organizations suffered a much higher percentage of attacks than those targeting European, Asian, or Latin American organizations (Radware, 2021). More than half of the attacks targeted HTTPS points, making both Vote Smart’s website and API particularly vulnerable (Radware, 2021). Radware’s report indicates a clear and ongoing threat to which Vote Smart’s assets are vulnerable.

II. DDoS attacks make use of botnets, which are comprised of several infected systems working in tandem to disable web infrastructure with a high volume of malicious activity. With the rise of Internet of Things devices, a new type of DDoS strategy has arisen, making use of compromised IoT devices as attackers (Bhardwaj et al., 2018). The volume of traffic generated by these attacks makes the cost of mitigation unfeasibly high for a small non-profit such as Vote Smart. According to the Georgia Institute of Technology (Bhardwaj et al., 2018), leveraging edge networking can help accelerate the mitigation of DDoS attacks in a cost-effective manner. The emergence of this tier of “edge” network infrastructure, including mobile edge computing, access points, fog computing gateways, and like devices, is presenting new opportunities to handle this vast amount of network traffic closer to the attack source (Bhardwaj et al., 2018).

III. There are several challenges particular to protecting a REST API similar to the one employed by Vote Smart. Among these are exposure to a wider range of inbound network traffic, access points with direct access to the back-end server and database, the ability to download high volumes of data, and a high variability in data usage patterns (Serota & Irom, 2017). As in DDoS attacks on other infrastructure, attacks targeting an API will slow or disable services for all users. Strategies such as rate limiting are able to shut down DDoS attacks (Cloudflare, 2021). By dropping or otherwise blocking the invalid requests, particularly on the edge network access points, DDoS mitigation can prevent Vote Smart’s API from becoming overwhelmed. Due to the cost and computational overhead traditional DDoS mitigation strategies entail, it is ideal to make the mitigation strategy automated, lightweight, scalable, and easily manageable. The recent developments in the field of Software-Defined Networking, particularly when deployed among edge locations, aid in these goals by allowing the management and maintenance of DDoS protection without the need for direct human intervention (Sahay et al., 2015).

IV. Web infrastructure downtime is costly. According to a report by Veeam Software, an hour of downtime for a High Priority application is estimated to cost an organization $67,651, and that number is only slightly lower with a normal application at $61,642 (Veeam Software, 2020). Vote Smart’s entire organization relies on the availability of their research data, and downtime with their website as well as their API grinds the organization to a halt. Recovering from systems failure during and after an attack brings on additional remediation labor costs and strains relationships with existing API subscribers and other members. Vote Smart’s reputation as a reliable source of available data suffers from delays and outages. In the face of either small or large dedicated DDoS attacks, quick detection and mitigation are vital, and only possible through automated real-time DDoS solutions (Sansone, 2021).

Project Rationale

Considering that Vote Smart is experiencing recurring DDoS attacks targeting their website and API, implementing a complete edge network DDoS mitigation strategy is the most reasonable step to take. DDoS attacks are definitely on the rise in frequency, number, and severity (Radware, 2021). DDoS attacks are known to impact the ability of an organization to deliver web-based services (Bhardwaj et al., 2018). These attacks incur costs that are difficult to bear for a non-profit organization like Vote Smart. These costs include actual loss of subscriber revenue as well as increased workload for an understaffed IT department and damage to their reputation for reliably available data. A functional solution like Fastly’s comprehensive DDoS protection fulfills the need for a solution that is always on with low administrative overhead.

Current Project Environment

Presently, Vote Smart’s infrastructure resides on an Amazon Web Services Virtual Private Cloud. Outside of their predictable busy season, the website is hosted on a single EC2 instance. When traffic spikes around major national elections, an elastic load balancer is employed to distribute traffic among three active instances. The large database resides on an m4.10xlarge instance with a mirror instance for hot backups. The API also resides on an EC2 instance with separate smaller instances being cloned for particularly large-volume API subscribers such as Google. There are a handful of development instances for the website, database, and API which are simply clones of the production instances with significantly decreased resources. Static assets are hosted in Amazon Web Services S3. DNS services for the domain are provided through Amazon Web Services Route 53.



Methodology

Tarvos Web Services will be using the JPACE project management template for Vote Smart’s implementation plan. The steps involved are as follows:

I. Justify: This is the stage at which we frame the challenges faced by Vote Smart as an organization and offer a solution within their means. TWS will describe and suggest options which fall within Vote Smart’s budget and staffing capabilities and demonstrate their value to the organization.

II. Plan: In this stage, TWS will determine which of Vote Smart’s assets are vulnerable to DDoS attack as well as which assets can be protected by Fastly’s edge network DDoS mitigation services. TWS will lay out a schedule presenting the project in small verifiable steps and provide Vote Smart staff with information regarding how the implementation will proceed.

III. Activate: In this step, TWS will set up a Fastly account of an appropriate tier and bandwidth for Vote Smart’s needs. A significant portion of the necessary training for Vote Smart’s IT staff will take place during the Activate stage, demonstrating along the way the knowledge necessary for monitoring and maintaining their new edge network.

IV. Control: During this stage, Vote Smart’s web assets will come under the umbrella of Fastly’s edge network DDoS protection services. TWS will monitor the progress as the project develops, ensuring progress in line with the project timeline. TWS will take corrective action as necessary should the project drift off schedule.

V. End: TWS will provide a documented summary of the project, verify functionality of the project assets, and hand off all resources and oversight to Vote Smart.

Project Goals, Objectives, and Deliverables

Goals, Objectives, and Deliverables Table

| Goal | Supporting Objectives | Deliverables Enabling the Project Objectives |
|---|---|---|
| 1. Implement Fastly DDoS Mitigation for Vote Smart | 1.a. Determine the scope of project, assess requirements and relevant infrastructure. | 1.a.i. Review with Vote Smart staff the vulnerable endpoints to be covered. |
| | | 1.a.ii. Catalog vulnerable infrastructure and network traffic (server instances, VPC, API endpoints, etc.) |
| | 1.b. Procure and configure Fastly edge network. | 1.b.i. Present justification and obtain approval from Vote Smart board of directors. |
| | | 1.b.ii. Configure Fastly account and set up administration dashboard. |
| | 1.c. Redirect all website, network, and API traffic to Fastly edge nodes. | 1.c.i. Redirect website URLs to Fastly edge locations. |
| | | 1.c.ii. Redirect API endpoints to Fastly edge locations. |
| | 1.d. Vote Smart IT staff is trained to maintain and monitor edge network. | 1.d.i. Provide documentation on the usage of Fastly edge networking management. |
| | | 1.d.ii. Vote Smart IT staff is able to navigate Fastly administration dashboard. |
| | | 1.d.iii. Vote Smart IT staff is able to set up and monitor alerts. |
| | | 1.d.iv. Vote Smart IT staff is able to recognize and react to alerts in real time. |

Goals, Objectives, and Deliverables Descriptions

The primary goal of the project is to implement a low-maintenance DDoS mitigation strategy in order to reduce or eliminate Vote Smart’s challenges with regard to malicious denial-of-service attacks. This will improve the reliability and availability of Vote Smart’s public facing website and their subscription API. Additionally, it will help reduce the mitigation workload currently experienced by an understaffed IT department. This goal will be met through completion of these four objectives:

• Objective 1.a.: Determine the full scope of the project. This objective can be considered a success when Vote Smart is able to provide thorough documentation outlining their current infrastructure and Tarvos Web Services can take account of all assets to be protected by the edge network.

    ◦ Deliverable 1.a.i.: In order to provide an overview of the assets to be protected, Vote Smart and TWS must review all endpoints that are vulnerable to DDoS attacks. This includes both website and API endpoints.

    ◦ Deliverable 1.a.ii.: In order to properly protect all public-facing endpoints, TWS needs to be provided documentation listing all assets involved. This includes listing all AWS instances and network topology for Vote Smart’s website and API.

• Objective 1.b.: Before getting Vote Smart’s assets under the coverage of an edge network DDoS mitigation solution, justification must be provided to Vote Smart’s Board of Directors in order to obtain approval to proceed with the purchase of a Fastly account. Once approved, TWS will purchase the subscription and perform account setup and basic configuration.

    ◦ Deliverable 1.b.i.: Vote Smart operates under a Board of Directors who convene regularly to discuss operations and make major decisions. TWS will assist Vote Smart staff in documenting justifications to present to the board in order to obtain the necessary approval to proceed.

    ◦ Deliverable 1.b.ii.: Once approved, TWS will procure a Fastly edge network and perform basic configuration based upon information obtained in objective 1.a.ii., enabling appropriate services and/or functions to suit Vote Smart’s requirements.

• Objective 1.c.: Once the basic account has been configured, TWS will begin redirecting traffic through Fastly’s edge network nodes for the votesmart.org domain. This will include all traffic directed toward the primary website as well as requests made to the API’s subdomain.

    ◦ Deliverable 1.c.i.: CNAME records will be added to Vote Smart’s AWS Route 53 domain name service directing all website traffic to Fastly’s edge nodes for DDoS mitigation service protection.

    ◦ Deliverable 1.c.ii.: CNAME records will be added to Vote Smart’s AWS Route 53 domain name service directing all API requests to Fastly’s edge nodes for DDoS mitigation service protection.

• Objective 1.d.: Once Vote Smart’s internet traffic has been forwarded to the edge network nodes, TWS will begin the handoff process. TWS will provide documentation outlining the management and maintenance of their new DDoS mitigation service and answer any questions Vote Smart’s IT staff may have. Vote Smart’s IT staff will have opportunities to demonstrate understanding of necessary processes and procedures.

    ◦ Deliverable 1.d.i.: In addition to being guided through Fastly’s documentation, TWS will provide additional written direction catered specifically to Vote Smart’s edge network implementation.

    ◦ Deliverable 1.d.ii.: With minimal supervision from TWS staff, Vote Smart’s IT staff will demonstrate an ability to navigate Fastly’s administrative dashboard and demonstrate understanding of configuration settings.

    ◦ Deliverable 1.d.iii.: With minimal supervision from TWS staff, Vote Smart’s IT staff will demonstrate an ability to create, alter, and interpret alerts in Fastly’s administrative system.

    ◦ Deliverable 1.d.iv.: With minimal supervision from TWS staff, Vote Smart’s IT staff will demonstrate an ability to recognize and respond to alerts indicating active malicious traffic in a controlled environment.



Project Timeline with Milestones

| Milestone or Deliverable | Duration (Hours or Days) | Projected Start Date | Anticipated End Date |
|---|---|---|---|
| Project kickoff with Vote Smart staff. | 4h | Aug 02, 2021 | Aug 02, 2021 |
| Review with Vote Smart staff the vulnerable endpoints to be covered | 2d | Aug 03, 2021 | Aug 05, 2021 |
| Catalog vulnerable infrastructure and network traffic | 1d | Aug 06, 2021 | Aug 06, 2021 |
| Present justification and obtain approval from Vote Smart board of directors | 1d | Aug 09, 2021 | Aug 09, 2021 |
| Configure Fastly account and set up administration dashboard | 2d | Aug 10, 2021 | Aug 12, 2021 |
| Redirect website URLs to Fastly edge locations | 4h | Aug 13, 2021 | Aug 13, 2021 |
| Redirect API endpoints to Fastly edge locations | 4h | Aug 13, 2021 | Aug 13, 2021 |
| Provide documentation on the usage of Fastly edge networking management | 2h | Aug 16, 2021 | Aug 16, 2021 |
| Vote Smart IT staff is able to navigate Fastly administration dashboard | 4h | Aug 17, 2021 | Aug 17, 2021 |
| Vote Smart IT staff is able to set up and monitor alerts | 4h | Aug 17, 2021 | Aug 17, 2021 |
| Vote Smart IT staff is able to recognize and react to alerts in real time | 2d | Aug 18, 2021 | Aug 19, 2021 |

Outcome

The edge network DDoS mitigation service implementation for Vote Smart will minimize downtime for Vote Smart’s API and primary website. This will improve the user experience for Vote Smart’s users and API subscribers, as well as decrease remediation time required by Vote Smart’s IT staff. The project will be considered a success when Vote Smart’s API endpoints and website URLs are 100% served via Fastly’s edge node locations and covered by the DDoS mitigation service. Expected uptime for the first calendar year following implementation is 99.9%, which equates to a maximum of 8 hours and 45 minutes of downtime due to DDoS attack for the calendar year.
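One way to check the "100% served via Fastly's edge" criterion from a DNS zone export, as an added example that is not part of the original proposal: it follows each public hostname's CNAME chain and reports which names still resolve straight to the origin. The `.fastly.net.` suffix, the hostnames, and the IP addresses are assumptions or constructed sample values; the zone apex is judged by address because DNS does not allow a CNAME record there.

```python
# Added example: audit a DNS zone export for hostnames that bypass the edge.
# Assumption: edge CNAME targets end in this suffix; confirm the exact target
# shown for the service in the Fastly console.
EDGE_SUFFIX = ".fastly.net."

# Constructed records (name, type, value); not Vote Smart's real zone.
SAMPLE_ZONE = [
    ("example.org.", "A", "203.0.113.10"),
    ("www.example.org.", "CNAME", "constructed-target.fastly.net."),
    ("api.example.org.", "CNAME", "api-alias.example.org."),
    ("api-alias.example.org.", "CNAME", "constructed-target.fastly.net."),
    ("legacy.example.org.", "CNAME", "origin-lb.example.com."),
    ("origin-lb.example.com.", "A", "198.51.100.7"),
    ("old.example.org.", "CNAME", "retired.example.com."),
]
# Hypothetical address standing in for an edge IP used at the zone apex,
# where a CNAME record is not allowed.
SAMPLE_EDGE_IPS = frozenset({"203.0.113.10"})


def normalize(name):
    """Lower-case a DNS name and make it fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def classify(name, zone, edge_ips=frozenset(), max_hops=8):
    """Follow CNAMEs from name; return edge, direct, unresolved or loop."""
    cnames, addresses = {}, {}
    for rname, rtype, value in zone:
        if rtype == "CNAME":
            cnames[normalize(rname)] = normalize(value)
        elif rtype in ("A", "AAAA"):
            addresses.setdefault(normalize(rname), set()).add(value)
    current = normalize(name)
    for _ in range(max_hops):
        if current.endswith(EDGE_SUFFIX):
            return "edge"
        if current in cnames:
            current = cnames[current]
        elif current in addresses:
            # Address records count as edge only if every IP is an edge IP.
            return "edge" if addresses[current] <= edge_ips else "direct"
        else:
            return "unresolved"  # target absent from the export
    return "loop"


def audit(public_names, zone, edge_ips=frozenset()):
    """Map each public hostname to its verdict."""
    return {normalize(n): classify(n, zone, edge_ips) for n in public_names}


def coverage(verdicts):
    """Fraction of audited hostnames that are served through the edge."""
    return sum(v == "edge" for v in verdicts.values()) / len(verdicts)


if __name__ == "__main__":
    names = ["example.org", "www.example.org", "api.example.org",
             "legacy.example.org", "old.example.org"]
    result = audit(names, SAMPLE_ZONE, SAMPLE_EDGE_IPS)
    for host, verdict in result.items():
        print(f"{host:24} {verdict}")
    print(f"edge coverage: {coverage(result):.0%}")
```

DNS coverage alone does not show whether the origin instances still accept direct connections; that is a separate check against the AWS security groups and load balancer rules.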

References

Radware (May, 2021). Quarterly DDoS Attack Report. Radware. https://www.radware.com/quarterly-ddos-report/

Bhardwaj, K., Miranda, J.C., Gavrilovska, A. (2018). Towards IoT-DDoS Prevention Using Edge Computing. Georgia Institute of Technology. https://www.usenix.org/system/files/conference/hotedge18/hotedge18-papers-bhardwaj.pdf

Serota, J. & Irom, A. (Aug, 2017). Best Practices for Securing Your API. Imperva. https://www.imperva.com/blog/best-practices-for-securing-your-api/

Cloudflare (2021). What is API Security? Cloudflare. https://www.cloudflare.com/learning/security/api/what-is-api-security/

Sahay, R., Blanc, G., Zhang, Z., Debar, H. (Feb, 2015). Towards autonomic DDoS mitigation using Software Defined Networking. HAL. https://hal.archives-ouvertes.fr/hal-01257899/document

Sansone, I. (2021). The Damaging Impacts of DDoS Attacks. Corero. https://www.corero.com/blog/the-damaging-impacts-of-ddos-attacks/

Veeam Software (Jun, 2020). Veeam 2020 Data Protection Trends Report…, Veeam Software. https://www.veeam.com/news/cxo-research-legacy-technology-and-lack-of-skills-hindering-digital-transformation-and-it-modernization.html
