Travis C. Flatt
Table of Contents
Proposal Overview
Problem Summary
IT Solution
Implementation Plan
Project Rationale
Methodology
Outcome
References
EDGE PROTECTION FOR PRODUCTION WEBSITE 3
Proposal Overview
Vote Smart is currently experiencing recurring attacks on its website, causing
outages and unacceptably slow server response times. Tarvos Web Services (TWS) has been
asked to investigate the issue and offer a viable solution. TWS will work with Vote Smart
to determine the best path forward in mitigating the damage from these hostile
actions.
Problem Summary
officials. They have recently deployed a newer cloud-based infrastructure for their
primary website, which has been serving a steadily increasing number of users.
Recently, they have been experiencing a rise in downtime and performance dips due to
hostile actions against their site. This has ranged from attacks on particular pages of
information to an election day distributed denial of service (DDoS) attack which brought
down their site entirely. They are seeking options to mitigate incoming DDoS attacks on
their website and minimize performance and availability issues. As they are a non-profit
any potential solution due to budget and staffing limitations. The solution should be
flexibly scalable, as Vote Smart has a wide range of seasonal traffic which is fairly
predictable.
IT Solution
service with Artificial Intelligence DDoS Mitigation in order to resolve Vote Smart’s
problems with denial of service attacks on its website. With a DDoS Mitigation service
in place, the AI can analyze incoming traffic in real time, respond to malicious
patterns, and prevent negative impacts on Vote Smart’s web architecture. TWS has
selected Fastly’s DDoS Protection and Mitigation Service and SLA for this purpose.
Implementation Plan
steps:
I. Tarvos Web Services and Vote Smart will work together in order to determine the
scope and timeline of the project. Assets which need to be protected from DDoS attacks
will be identified. Vote Smart’s IT staff will be consulted regarding their role in the
II. Fastly DDoS Service will be activated and Vote Smart’s web traffic will be
redirected through Fastly’s edge network. Tarvos Web Services will verify all traffic is
traveling through Fastly’s edge locations as necessary and that website performance is
not impacted.
III. New procedures will be implemented and responsibility for the monitoring of the
DDoS mitigation services will be handed off to Vote Smart IT staff. All relevant accounts
VI. Vote Smart IT will continue to monitor Fastly’s edge network DDoS mitigation
Smart is not alone in their suffering from DDoS attacks. Relative to the previous
quarter, the number of attacks has increased dramatically (Radware, 2021). Radware
speculates that the increase in pressure from bad actors using DDoS strategies is related
to an attempt to benefit from the steady increase in Bitcoin value (Radware, 2021).
Compared to the previous quarter, the total attack volume in the first quarter of 2021
has increased by 31% (Radware, 2021). While the majority of attacks seem to be
(Radware, 2021). More than half of the attacks targeted HTTPS points, making both
Vote Smart’s website and API particularly vulnerable (Radware, 2021). Radware’s report
indicates a clear and ongoing threat to which Vote Smart’s assets are vulnerable.
II. DDoS attacks make use of botnets, which are comprised of several infected
malicious activity. With the rise of Internet of Things devices, a new type of DDoS
strategy has arisen, making use of compromised IoT devices as attackers (Bhardwaj et
al., 2018). The volume of traffic generated by these attacks makes the cost of mitigation
unfeasibly high for a small non-profit such as Vote Smart. According to the Georgia
Institute of Technology (Bhardwaj et al., 2018), leveraging edge networking can help
this tier of “edge” network infrastructure, including mobile edge computing, access
points, fog computing gateways, and like devices, is presenting new opportunities to
handle this vast amount of network traffic closer to the attack source (Bhardwaj et al.,
2018).
III. There are several challenges particular to protecting a REST API similar to the
one employed by Vote Smart. Among these are an exposure to a wider range of inbound
network traffic, access points with direct access to the back-end server and database, the
ability to download high volumes of data, and a high variability in data usage patterns
(Serota & Irom, 2017). As in DDoS attacks on other infrastructure, attacks targeting an
API will slow or disable services for all users. Strategies such as rate limiting are able to
shut down DDoS attacks (CloudFlare, 2021). By dropping or otherwise blocking the
invalid requests, particularly on the edge network access points, DDoS mitigation can
prevent Vote Smart’s API from becoming overwhelmed. Due to the cost and
the mitigation strategy automated, lightweight, scalable, and easily manageable. The
deployed among edge locations, aid in these goals by allowing the management and
maintenance of DDoS protection without the need for direct human intervention
$67,651, and that number is only slightly lower with a normal application at $61,642
(Veeam, 2020). Vote Smart’s entire organization relies on the availability of their
research data, and downtime with their website as well as their API grinds the
organization to a halt. Recovering from systems failure during and after an attack brings
on additional remediation labor costs and strains relationships with existing API
subscribers and other members. Vote Smart’s reputation as a reliable source
of available data suffers from delays and outages. In the face of either small or large
dedicated DDoS attacks, quick detection and mitigation are vital, and only possible
Project Rationale
their website and API, implementing a complete edge network DDoS mitigation strategy
is the most reasonable step to take. DDoS attacks are definitely on the rise in frequency,
number, and severity (Radware, 2021). DDoS attacks are known to impact the ability of
incur costs that are difficult to bear for a non-profit organization like Vote Smart. These
costs include actual loss of subscriber revenue as well as increased workload for an
understaffed IT department and damage to their reputation for reliably available data. A
functional solution like Fastly’s comprehensive DDoS protection fulfills the need for a
Private Cloud. Outside of their predictable busy season, the website is hosted on a single
EC2 instance. When traffic spikes around major national elections, an elastic load
balancer is employed to distribute traffic among three active instances. The large
database resides on an m4.10xlarge instance with a mirror instance for hot backups. The
API also resides on an EC2 instance with separate smaller instances being cloned for
development instances for the website, database, and API which are simply clones of the
production instances with significantly decreased resources. Static assets are hosted in
Amazon Web Services S3. DNS services for the domain are provided through Amazon
Methodology
Tarvos Web Services will be using the JPACE project management template for
I. Justify: This is the stage at which we frame the challenges faced by Vote Smart as
an organization and offer a solution within their means. TWS will describe and suggest
options which fall within Vote Smart’s budget and staffing capabilities and demonstrate
II. Plan: In this stage, TWS will determine which of Vote Smart’s assets are
vulnerable to DDoS attack as well as which assets can be protected by Fastly’s edge
network DDoS mitigation services. TWS will lay out a schedule presenting the project in
small verifiable steps and provide Vote Smart staff with information regarding how the
III. Activate: In this step, TWS will set up a Fastly account of an appropriate tier and
bandwidth for Vote Smart’s needs. A significant portion of the necessary training for
Vote Smart’s IT staff will take place during the Activate stage, demonstrating along the
way the knowledge necessary for monitoring and maintaining their new edge
network.
IV. Control: During this stage, Vote Smart’s web assets will come under the umbrella
of Fastly’s edge network DDoS protection services. TWS will monitor the progress as the
project develops, ensuring progress in line with the project timeline. TWS will take
V. End: TWS will provide a documented summary of the project, verify functionality
of the project assets, and hand off all resources and oversight to Vote Smart.
1.a.ii. Catalog vulnerable infrastructure and network traffic (server instances, VPC, API endpoints, etc.)
1.b.ii. Configure Fastly account and set up administration dashboard.
mitigation strategy in order to reduce or eliminate Vote Smart’s challenges with regard
to malicious denial-of-service attacks. This will improve the reliability and availability of
Vote Smart’s public-facing website and their subscription API. Additionally, it will help
department. This goal will be met through completion of these four objectives:
• Objective 1.a.: Determine the full scope of the project. This objective can be
outlining their current infrastructure and Tarvos Web Services can take account
protected, Vote Smart and TWS must review all endpoints that are vulnerable
includes listing all AWS instances and network topology for Vote Smart’s
• Objective 1.b.: Before getting Vote Smart’s assets under the coverage of an edge
Fastly account. Once approved, TWS will purchase the subscription and perform
convene regularly to discuss operations and make major decisions. TWS will
◦ Deliverable 1.b.ii.: Once approved, TWS will procure a Fastly edge network
Smart’s requirements.
• Objective 1.c.: Once the basic account has been configured, TWS will begin
redirecting traffic through Fastly’s edge network nodes for the votesmart.org
domain. This will include all traffic directed toward the primary website as well as
◦ Deliverable 1.c.i.: CNAME records will be added to Vote Smart’s AWS Route
53 domain name service directing all website traffic to Fastly’s edge nodes for
◦ Deliverable 1.c.ii.: CNAME records will be added to Vote Smart’s AWS Route
53 domain name service directing all API requests to Fastly’s edge nodes for
• Objective 1.d.: Once Vote Smart’s internet traffic has been forwarded to the edge
network nodes, TWS will begin the handoff process. TWS will provide
mitigation service and answer any questions Vote Smart’s IT staff may have. Vote
◦ Deliverable 1.d.ii.: With minimal supervision from TWS staff, Vote Smart’s IT
◦ Deliverable 1.d.iii.: With minimal supervision from TWS staff, Vote Smart’s
◦ Deliverable 1.d.iv.: With minimal supervision from TWS staff, Vote Smart’s
Task                                                                            Duration  Start         End
Catalog vulnerable infrastructure and network traffic                           1d        Aug 06, 2021  Aug 06, 2021
Present justification and obtain approval from Vote Smart board of directors    1d        Aug 09, 2021  Aug 09, 2021
Configure Fastly account and set up administration dashboard                    2d        Aug 10, 2021  Aug 12, 2021
Redirect website URLs to Fastly edge locations                                  4h        Aug 13, 2021  Aug 13, 2021
Redirect API endpoints to Fastly edge locations                                 4h        Aug 13, 2021  Aug 13, 2021
Provide documentation on the usage of Fastly edge networking management         2h        Aug 16, 2021  Aug 16, 2021
Outcome
The edge network DDoS mitigation service implementation for Vote Smart will
minimize downtime for Vote Smart’s API and primary website. This will improve the
user experience for Vote Smart’s users and API subscribers, as well as decrease
remediation time required by Vote Smart’s IT staff. The project will be considered a
success when Vote Smart’s API endpoints and website URLs are 100% served via
Fastly’s edge node locations and covered by the DDoS mitigation service. Expected
uptime for the first calendar year following implementation is 99.9%, which equates to a
maximum of 8 hours and 45 minutes of downtime due to DDoS attack for the calendar
year.
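Objective 1.c's CNAME deliverables and the success criterion above (100% of website URLs and API endpoints served via Fastly) can be checked against an export of the Route 53 zone. The following is an added example, not part of the original proposal or of Fastly's tooling; the hostnames other than votesmart.org, the record targets and IP addresses, the `.fastly.net.` suffix and the function names are assumptions.

```python
import json

# Constructed sample in the shape `aws route53 list-resource-record-sets` returns.
# Every name except the votesmart.org zone, and every target, is a placeholder.
SAMPLE = json.loads("""
{"ResourceRecordSets": [
 {"Name": "votesmart.org.", "Type": "A", "TTL": 300,
  "ResourceRecords": [{"Value": "192.0.2.10"}, {"Value": "192.0.2.11"}]},
 {"Name": "www.votesmart.org.", "Type": "CNAME", "TTL": 300,
  "ResourceRecords": [{"Value": "example-service.global.ssl.fastly.net."}]},
 {"Name": "api.votesmart.org.", "Type": "A",
  "AliasTarget": {"DNSName": "example-elb.us-east-1.elb.amazonaws.com.",
                  "HostedZoneId": "ZEXAMPLE", "EvaluateTargetHealth": false}}
]}
""")["ResourceRecordSets"]

def fqdn(name):
    """Normalise a DNS name for comparison: lower case, one trailing dot."""
    return name.lower().rstrip(".") + "."

def classify(record_sets, hostnames, edge_suffix=".fastly.net.", edge_ips=()):
    """Map each catalogued hostname to 'edge', 'direct' or 'missing'."""
    by_name = {}
    for rs in record_sets:
        if rs["Type"] in ("A", "AAAA", "CNAME"):
            by_name.setdefault(fqdn(rs["Name"]), []).append(rs)
    result = {}
    for host in hostnames:
        sets = by_name.get(fqdn(host))
        if not sets:
            result[host] = "missing"
            continue
        ok = True
        for rs in sets:
            values = [r["Value"] for r in rs.get("ResourceRecords", [])]
            if rs["Type"] == "CNAME":
                good = all(fqdn(v).endswith(edge_suffix) for v in values)
            else:
                # Address records (a zone apex cannot hold a CNAME) count only if
                # every address is a known edge IP; alias records carry no values.
                good = all(v in edge_ips for v in values)
            ok = ok and bool(values) and good
        result[host] = "edge" if ok else "direct"
    return result

def coverage_percent(result):
    """Share of catalogued hostnames that are routed via the edge network."""
    return 100.0 * sum(s == "edge" for s in result.values()) / len(result)
```

Any hostname reported as `direct` or `missing` still exposes the origin or is absent from the zone, so the 100% criterion is not yet met for the catalogue.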
References
https://www.radware.com/quarterly-ddos-report/
https://www.usenix.org/system/files/conference/hotedge18/hotedge18-papers-bhardwaj.pdf
Serota, J. & Irom, A. (Aug, 2017). Best Practices for Securing Your API. Imperva.
https://www.imperva.com/blog/best-practices-for-securing-your-api/
https://www.cloudflare.com/learning/security/api/what-is-api-security/
Sahay, R., Blanc, G., Zhang, Z., Debar, H. (Feb, 2015). Towards autonomic DDoS
ouvertes.fr/hal-01257899/document
https://www.corero.com/blog/the-damaging-impacts-of-ddos-attacks/
Veeam Software. (Jun, 2020). Veeam 2020 Data Protection Trends Report…, Veeam
Software. https://www.veeam.com/news/cxo-research-legacy-technology-and-lack-of-skills-hindering-digital-transformation-and-it-modernization.html