AWS DDoS Protection Overview
DDoS (Distributed Denial-of-Service) attacks flood a target with traffic from many sources at the network, transport, or application layer, exhausting bandwidth, connection state, or server capacity so that legitimate users cannot reach the application. AWS provides several services that absorb or filter this traffic before it reaches your servers, protecting availability.
Key AWS Services for DDoS Protection
- AWS Shield: Offers two levels of protection.
- Shield Standard: Automatically enabled for all AWS customers at no extra cost, providing always-on mitigation of common network and transport layer (Layer 3/4) attacks such as SYN floods and UDP reflection.
- Shield Advanced: A paid tier, enabled per protected resource (for example Elastic IPs, Elastic Load Balancers, CloudFront distributions, Global Accelerator, and Route 53 hosted zones), that adds detection and mitigation for larger and more sophisticated attacks, 24/7 access to the AWS DDoS Response Team (DRT, now called the Shield Response Team), and cost protection that credits the scaling charges (for example extra EC2, ELB, or CloudFront usage) incurred because of an attack.
- AWS WAF (Web Application Firewall): Lets you define Web ACLs containing rules that inspect HTTP(S) requests by source IP, geographic origin, headers, URI, query string, and body, and allow, block, or count them. It protects against common web exploits such as SQL injection and Cross-Site Scripting, and its rate-based rules address application-layer (Layer 7) floods that volumetric protections do not see.
- Amazon CloudFront and Route 53: Run on AWS's global edge network, so attack traffic is absorbed and dropped at many edge locations close to its source rather than at your origin. For this to help, the origin must not be reachable directly: restrict the origin's security group to CloudFront's managed prefix list, or require a secret header that only CloudFront adds.
Sample Reference Architecture for DDoS Protection
- Route 53: Serves as the DNS service, protected by AWS Shield, ensuring DNS availability.
- CloudFront: Distributes content with caching at edge locations, integrated with Shield for DDoS mitigation.
- AWS WAF: Positioned to filter and protect against specific web attacks.
- Application Load Balancer: Sits in the public subnet, distributing incoming application traffic across multiple EC2 instances (which can remain in private subnets), enabling scalability. Because WAF attaches to Application Load Balancers but not to Classic or Network Load Balancers, this is also the layer where a regional Web ACL applies.
- Auto Scaling: Automatically adjusts the number of EC2 instances according to the load, so the application can absorb an attack that gets past the edge. Scaling during an attack costs money; Shield Advanced's cost protection is what offsets those charges.
Detailed Service Insights
- Shield Standard vs. Shield Advanced:
- Standard: Free and always on, protects against common network and transport layer (Layer 3/4) attacks.
- Advanced: Priced at $3,000/month with a one-year commitment plus data transfer fees; covers larger and more sophisticated attacks, includes cost protection and access to the DRT, and offers application-layer protections when combined with WAF.
- Web Application Firewall (WAF):
- Operates at Layer 7 (HTTP/S); deployable on CloudFront distributions (global scope) and on regional resources such as Application Load Balancers, API Gateway REST APIs, AppSync GraphQL APIs, and Cognito user pools. It cannot be attached to Network or Classic Load Balancers.
- Supports creating Web ACLs that combine your own rules, AWS Managed Rule Groups for known attack vectors, and rate-based rules that count requests per source IP (or another aggregation key) over a trailing window, five minutes by default, and block the source once its request count exceeds the configured limit until the rate drops back below it.
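The following is an added worked example, not code from the original page or from AWS. It builds the `Rules` list for a WAFv2 Web ACL in the layout that boto3's `create_web_acl`/`update_web_acl` expects (an optional IP-set block rule, the AWS managed Common Rule Set, and a per-IP rate-based rule), then replays a constructed request stream through a simplified model of the rate-based rule to show how the trailing window blocks a burst and releases the source once the burst ages out. The rule names, the 2000-request limit, the IP addresses, and the timestamps are assumptions for illustration; real AWS WAF evaluates the rate about every 30 seconds rather than per request.

```python
"""Build WAFv2 Web ACL rules and simulate a rate-based rule (added example)."""
from collections import defaultdict, deque

RATE_LIMIT = 2000       # requests per source IP per window (assumed value)
WINDOW_SECONDS = 300    # AWS WAF's default 5-minute evaluation window


def _visibility(metric_name):
    """VisibilityConfig every WAFv2 rule requires (metrics go to CloudWatch)."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_web_acl_rules(rate_limit=RATE_LIMIT, blocked_ip_set_arn=None):
    """Return a WAFv2 'Rules' list. Lower Priority is evaluated first.
    blocked_ip_set_arn is a hypothetical IP set ARN; omit it to skip that rule."""
    if rate_limit < 10:  # WAFv2 rejects limits below its minimum (10 since 2023)
        raise ValueError("rate limit too low for a WAFv2 rate-based rule")
    rules = []
    if blocked_ip_set_arn:
        rules.append({
            "Name": "BlockKnownBadIPs",
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": blocked_ip_set_arn}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("BlockKnownBadIPs"),
        })
    rules.append({
        "Name": "AWSManagedRulesCommonRuleSet",   # SQLi, XSS, bad inputs, etc.
        "Priority": 1,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "OverrideAction": {"None": {}},          # keep the group's own actions
        "VisibilityConfig": _visibility("CommonRuleSet"),
    })
    rules.append({
        "Name": "RateLimitPerIP",
        "Priority": 2,
        "Statement": {"RateBasedStatement": {
            "Limit": rate_limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitPerIP"),
    })
    return rules


def simulate_rate_rule(requests, limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """Replay (timestamp_seconds, source_ip) pairs through a trailing-window
    counter per IP. Returns (timestamp, ip, 'ALLOW'|'BLOCK') per request.
    Simplification: the count is checked on every request, not every 30 s."""
    recent = defaultdict(deque)
    decisions = []
    for ts, ip in sorted(requests):
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop requests older than the window
            q.popleft()
        decisions.append((ts, ip, "BLOCK" if len(q) > limit else "ALLOW"))
    return decisions


def summarize(decisions):
    """Count ALLOW/BLOCK decisions per source IP."""
    counts = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for _, ip, action in decisions:
        counts[ip][action] += 1
    return dict(counts)


def sample_traffic():
    """Constructed stream: 203.0.113.7 sends 2500 requests in one minute,
    198.51.100.5 sends 50 requests over ten minutes, and 203.0.113.7 sends one
    more request at t=400 s after its burst has aged out of the window."""
    reqs = [(i * 60 / 2500, "203.0.113.7") for i in range(2500)]
    reqs += [(i * 12.0, "198.51.100.5") for i in range(50)]
    reqs.append((400.0, "203.0.113.7"))
    return reqs


if __name__ == "__main__":
    print(summarize(simulate_rate_rule(sample_traffic())))
    print([r["Name"] for r in build_web_acl_rules()])
```

To deploy, pass the list as `Rules=` to `boto3.client("wafv2").create_web_acl(...)` together with a `DefaultAction` of `{"Allow": {}}`; a Web ACL for CloudFront must be created in us-east-1 with `Scope="CLOUDFRONT"`, while one for an ALB or API Gateway uses `Scope="REGIONAL"` in the resource's own region. Start the rate rule with `Action: {"Count": {}}` and watch the CloudWatch metric before switching to `Block`, so the limit is set from your real per-client request rate rather than a guess.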
Conclusion
Combining AWS Shield, WAF, CloudFront, and Route 53 gives layered protection against DDoS attacks: Shield and the edge network absorb Layer 3/4 floods automatically, while WAF rules and Auto Scaling handle Layer 7 floods and residual load. This multi-layered approach protects both the availability and the security of web applications hosted on AWS, offering automatic defenses by default and customizable options for more demanding protection needs.
AWS WAF (Web Application Firewall) can be applied to the following resources to protect your web applications from common web exploits and attacks:
- Amazon CloudFront: AWS's content delivery network, which delivers data, videos, applications, and APIs to users globally with low latency and high transfer speeds. Associating a Web ACL with a CloudFront distribution applies the rules at every edge location; the Web ACL must be created in the us-east-1 region with the CLOUDFRONT scope.