AWS – Protecting applications from DDoS

A distributed denial of service (DDoS) attack is a real nightmare for the people running an application. Attackers flood the application with requests from a huge number of sources, often compromised computers all over the world, in an attempt to make it unavailable to legitimate users. Individually, the requests might seem innocuous; each might be something as ordinary as asking for the contents of a single web page. In aggregate, though, they can put enough strain on servers, network links, or the application itself to bring it to its knees.

Since the requests originate from so many sources all over the world, and the set of sources changes as the attack progresses, it is not as simple as adding the offending addresses to an access control list (ACL). Mitigating these attacks needs a service that detects anomalous traffic and reacts to it automatically. AWS Shield does this job for you, and comes in two tiers: AWS Shield Standard and AWS Shield Advanced.

How to do it…

Luckily for you, there is nothing you have to do to enable AWS Shield Standard: it is switched on automatically, at no additional cost, for every AWS account. The protection is most effective when you publish your content through Amazon Route 53 and Amazon CloudFront, because those services sit at AWS edge locations and absorb infrastructure-layer attack traffic before it ever reaches your origin servers.

How it works…

AWS Shield Standard works in combination with Amazon CloudFront and Amazon Route 53 to protect against attacks at Layers 3 and 4 of the Open Systems Interconnection (OSI) model, that is, network and transport-layer floods such as SYN floods and UDP reflection attacks. It does not inspect individual requests at Layer 7. For application-layer attacks such as HTTP floods, you use AWS WAF and write rules to handle them; rate-based rules, which count requests per source IP address over a time window and block sources that exceed a limit you set, are the usual starting point.
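To make the rate-based idea concrete, here is an added example that is not code from this recipe or from AWS. It reproduces the per-client counting a rate-based rule performs and runs it over constructed access log lines, so you can see which clients such a rule would block during an HTTP flood. The five-minute window, the limit of 10 requests, the IP addresses, and the simplified ALB-style log format are all assumptions chosen for illustration.

```python
"""Added example (not part of the original recipe or AWS's own tooling):
the counting logic behind an AWS WAF rate-based rule, run over constructed
access log lines, to show which clients an application-layer rule would
block during an HTTP flood.

Assumptions, all chosen for illustration:
  * a five-minute window, matching the default rate-based rule window;
  * a limit of 10 requests per client in that window (real deployments use
    a far higher limit tuned to legitimate traffic);
  * a simplified ALB-style log line: type, timestamp, load balancer,
    client:port, quoted request line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SEC = 300   # assumption: default evaluation window of a rate-based rule
LIMIT = 10         # assumption: threshold chosen for the constructed sample

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_sample_log():
    """Constructed sample traffic (not captured data): one client flooding
    the home page, one slow crawler, and one person browsing normally."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    # 203.0.113.10: 12 requests for "/" inside 40 seconds. Each request is
    # harmless on its own; the rate is what gives the flood away.
    for i in range(12):
        events.append((base + timedelta(seconds=3 * i), "203.0.113.10", "GET /"))
    # 198.51.100.7: one request per minute for twelve minutes. High total
    # volume, but never more than 5 requests in any 5-minute window.
    for i in range(12):
        events.append((base + timedelta(seconds=60 * i), "198.51.100.7", "GET /catalog"))
    # 192.0.2.44: a normal login sequence.
    for i, request in enumerate(["GET /", "GET /login", "POST /login"]):
        events.append((base + timedelta(seconds=20 * i), "192.0.2.44", request))
    events.sort()
    return [
        f'https {ts.strftime(TIME_FMT)} app/prod-alb/0123456789abcdef {ip}:51234 "{request} HTTP/1.1"'
        for ts, ip, request in events
    ]


def parse_line(line):
    """Return (timestamp, client_ip, request) from one constructed log line."""
    _type, ts, _elb, client, rest = line.split(" ", 4)
    ip = client.rsplit(":", 1)[0]                    # strip the ephemeral source port
    request = rest.split('"')[1].rsplit(" ", 1)[0]   # drop the HTTP version
    when = datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)
    return when, ip, request


def peak_request_rates(lines, window_sec=WINDOW_SEC):
    """For each client IP, the highest number of requests seen in any sliding
    window of window_sec seconds: the quantity a rate-based rule compares
    against its limit."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for when, ip, _request in events:
        window = recent[ip]
        window.append(when)
        # Drop requests that have aged out of the window.
        while (when - window[0]).total_seconds() >= window_sec:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return dict(peak)


def blocked_ips(lines, limit=LIMIT, window_sec=WINDOW_SEC):
    """Client IPs that a rate-based rule with this limit and window would block."""
    rates = peak_request_rates(lines, window_sec)
    return sorted(ip for ip, count in rates.items() if count >= limit)


def waf_ip_set_addresses(ips):
    """Format addresses as the /32 CIDRs an AWS WAF IP set expects, for use in
    a block rule or to cross-check what a rate-based rule is doing."""
    return [f"{ip}/32" for ip in ips]


if __name__ == "__main__":
    log = build_sample_log()
    for ip, count in sorted(peak_request_rates(log).items()):
        print(f"{ip:<15} peak {count:>3} requests / {WINDOW_SEC}s")
    print("blocked:", waf_ip_set_addresses(blocked_ips(log)))
```

The slow crawler in the sample is the caveat to keep in mind when you tune a real rule: it sends as many requests in total as the flooding client, but spread out, so a limit of 10 leaves it alone while a limit of 5 would block it along with the attacker. Pick the limit from what your legitimate heavy users actually do, and remember that the real rule lives in AWS WAF; this script only mirrors its arithmetic.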

AWS Shield Advanced extends protection to individual Elastic IP addresses, so resources that are not fronted by CloudFront or Route 53 are covered without any changes to your application's routing. It can also automatically mitigate application-layer attacks such as HTTP and DNS query floods. AWS Shield Advanced is another good reason to have at least Business-level support on your AWS account: with Business or Enterprise support, you get quick access to the AWS DDoS Response Team (DRT, since renamed the Shield Response Team), which will help you deal with sudden, large-scale attacks.

AWS Shield Advanced also gives you detailed visibility into attacks as they happen, either in the console or through CloudWatch metrics such as DDoSDetected and DDoSAttackBitsPerSecond in the AWS/DDoSProtection namespace, which you can put alarms on.

There’s more…

AWS Shield Advanced also comes with a potentially huge cost-savings benefit, known as DDoS cost protection. If your protected resources scale out in response to a DDoS attack, you can request credits to offset the usage charges you incur during the scale-out.

At the time of writing, AWS Shield Advanced costs $3,000 per month, with a one-year commitment and data transfer out usage fees on top, in addition to support contract fees. For a large application or enterprise running on AWS, this fee pales in comparison to the damage that can be done by an extended outage due to a DDoS attack. If you are managing any mission-critical application that might attract the attention of malicious users who are intent on taking you down, you should give AWS Shield Advanced some serious consideration.