Application Security: Against DDoS attacks with AWS Shield
Public websites are exposed to DDoS (Distributed Denial-of-Service) attacks, which are usually generated by botnets sending distributed traffic at a particular website or service. Conventional firewalls often cannot defend against them successfully, for the following reasons:
- Source IP: The bots generating the traffic do not share an IP address and are usually not even in the same IP block, so firewall rules that block by source IP are not enough against such a distributed attack.
- Dynamic patterns: Smart DDoS attacks do not keep static request headers and payloads, which makes rule-based firewalls weak against this kind of attack.
- Unicast traffic: Internet traffic is usually unicast, which places the defending firewall under heavy load; inbound network capacity may be saturated during a DDoS attack carried over unicast traffic.
In this blog post, I will explain how to protect your public service with AWS Shield.
What is AWS Shield?
AWS Shield is a managed DDoS protection service that protects application traffic coming from outside the AWS network. AWS Shield protects AWS resources against DDoS attacks at the network and transport layers (layers 3 and 4) and at the application layer (layer 7).
AWS Shield has two tiers: Standard and Advanced.
AWS Shield Standard
AWS Shield Standard is a free service offered by Amazon Web Services (AWS) that protects applications running on AWS against distributed denial of service (DDoS) attacks.
AWS Shield Standard provides always-on detection and automatic inline mitigations that protect against common DDoS attack methods, such as SYN/ACK floods, UDP floods, and reflective attacks.
The service is automatically enabled for all AWS customers, and it is designed to be simple to use, with no additional setup or configuration required.
If an attack is detected, AWS Shield Standard automatically mitigates it by filtering out the malicious traffic and allowing only legitimate traffic to reach the application.
While AWS Shield Standard provides basic protection against DDoS attacks, customers who require more advanced protection, such as protection against larger and more sophisticated attacks, can upgrade to AWS Shield Advanced, which provides additional features and support for custom rules and mitigations.
AWS Shield Advanced
AWS Shield Advanced is a premium DDoS protection service offered by Amazon Web Services (AWS) that provides enhanced protection against DDoS attacks for AWS customers.
In addition to the features provided by AWS Shield Standard, AWS Shield Advanced includes 24/7 access to the AWS DDoS Response Team, as well as advanced mitigation techniques and custom mitigation controls that can be tailored to specific applications and workloads.
AWS Shield Advanced provides greater visibility into attacks and their mitigations, with access to real-time metrics and automated attack reports. Customers also have the ability to integrate AWS Shield Advanced with other AWS services, such as Amazon CloudFront, AWS Global Accelerator, and Elastic Load Balancing, to provide a comprehensive DDoS protection solution for their applications.
AWS Shield Advanced is available as a paid service. Pricing is based on a monthly subscription fee plus additional fees for data transfer and mitigation; the cost varies with the level of protection required and the size and complexity of the customer's infrastructure (as of April 2023).

| Service | AWS Shield Standard | AWS Shield Advanced |
|---|---|---|
| Subscription | No | 1 Year |
| Monthly Fee | No Fee | $3000 |
| Data Transfer Fee | No fee | As in the table below |

NOTE: If your organization has multiple accounts, you only need to pay the monthly fee once for all accounts. Additional costs will apply for any data transfer that originates from Shield-protected services. The additional data transfer fees for each service are listed in the table below.
Shield Advanced Data Transfer Out Usage Fees (per GB, as of April 2023)
| Service | Up to 100 TB | Next 400 TB | Next 500 TB | Next 4 PB | Above 5 PB |
|---|---|---|---|---|---|
| CloudFront | $0.025 | $0.02 | $0.015 | $0.01 | AWS Support |
| ELB | $0.05 | $0.04 | $0.03 | AWS Support | AWS Support |
| Elastic IP | $0.05 | $0.04 | $0.03 | AWS Support | AWS Support |
| Global Accelerator | $0.025 | $0.02 | $0.015 | $0.01 | AWS Support |
| Route 53 | No fee | No fee | No fee | No fee | No fee |
In the diagram below, the blue box represents the protection offered by AWS Shield Standard. By subscribing to AWS Shield Advanced and adding resources under its protection, you can start to baseline your traffic and gain an understanding of the throughput capacity of those protected resources. Based on this information, you can adjust the limits accordingly and mitigate attacks targeting those resources much faster.
AWS Shield Advanced has these additional protection features:
CloudWatch Event notification and DDoS Threat Dashboards
You can use CloudWatch Event notifications to create rules that detect DDoS attacks and trigger automated responses. For example, you can create a rule that detects an increase in traffic to your EC2 instances or an increase in requests to your API Gateway endpoints. When the rule is triggered, you can use CloudWatch to send a notification to your security team, trigger an AWS Lambda function that mitigates the attack, or initiate an automated response using AWS WAF (Web Application Firewall).
AWS Shield also provides a DDoS Threat Dashboard that you can use to monitor your AWS resources and detect potential DDoS attacks. The dashboard provides a real-time view of your AWS environment and displays metrics such as the number of requests, the size of requests, and the source of the traffic. You can use this information to identify patterns and anomalies in your traffic and take action to mitigate any potential DDoS attacks.
Both AWS Shield Standard and Advanced provide DDoS threat dashboards and can be integrated with CloudWatch Event notifications, but the level of detail and insight provided in the dashboard is greater for AWS Shield Advanced customers.
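As an added example (not code from the original post or from AWS), here is the CloudWatch side of the workflow described above: an alarm on the `DDoSDetected` metric that Shield Advanced publishes per protected resource, and a Lambda-style handler that parses the resulting "CloudWatch Alarm State Change" event and enriches it with the attack summaries from the Shield API. The ARNs and the `security-oncall` topic name are constructed placeholders.

```python
"""Added example (not from the original post or AWS): alarm on the Shield Advanced
DDoSDetected metric and parse the resulting alarm event for an automated response.
The ARNs used below are constructed placeholders."""
from __future__ import annotations

from typing import Any

# Shield Advanced publishes per-resource attack metrics in this namespace, keyed by
# the protected resource's ARN. DDoSDetected is 0 (no attack) or 1 (attack ongoing).
SHIELD_NAMESPACE = "AWS/DDoSProtection"
DDOS_DETECTED_METRIC = "DDoSDetected"


def alarm_name_for(resource_arn: str) -> str:
    """Readable, unique alarm name derived from the ARN's resource segment."""
    return "shield-ddos-detected-" + resource_arn.split(":")[-1].replace("/", "-")


def build_ddos_alarm(resource_arn: str, sns_topic_arn: str) -> dict[str, Any]:
    """Kwargs for cloudwatch.put_metric_alarm: fire as soon as one 1-minute sample
    of DDoSDetected for this resource is non-zero. Missing data counts as 'no
    attack' so the alarm does not flap when Shield emits no data points."""
    return {
        "AlarmName": alarm_name_for(resource_arn),
        "Namespace": SHIELD_NAMESPACE,
        "MetricName": DDOS_DETECTED_METRIC,
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        "OKActions": [sns_topic_arn],  # also tell the team when the attack subsides
    }


def parse_alarm_event(event: dict[str, Any]) -> dict[str, Any] | None:
    """Extract the protected resource and alarm state from an EventBridge
    'CloudWatch Alarm State Change' event. Returns None for alarms that are not
    on Shield metrics, so a shared Lambda can ignore unrelated alarms."""
    if event.get("detail-type") != "CloudWatch Alarm State Change":
        return None
    detail = event.get("detail", {})
    for entry in detail.get("configuration", {}).get("metrics", []):
        metric = entry.get("metricStat", {}).get("metric", {})
        if metric.get("namespace") != SHIELD_NAMESPACE:
            continue
        return {
            "alarm": detail.get("alarmName"),
            "resource_arn": metric.get("dimensions", {}).get("ResourceArn"),
            "metric": metric.get("name"),
            "in_alarm": detail.get("state", {}).get("value") == "ALARM",
        }
    return None


def handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point for an EventBridge rule on alarm state changes. On ALARM
    it pulls the attack summaries from Shield so the notification carries the
    attack vectors and start time, not just a metric flip."""
    parsed = parse_alarm_event(event)
    if parsed is None or not parsed["in_alarm"]:
        return {"action": "ignore", "alarm": parsed}
    import boto3  # imported lazily so the pure functions above run without boto3

    # Shield is a global service whose API endpoint is homed in us-east-1.
    shield = boto3.client("shield", region_name="us-east-1")
    summaries = shield.list_attacks(ResourceArns=[parsed["resource_arn"]]).get("AttackSummaries", [])
    return {"action": "notify", "resource_arn": parsed["resource_arn"], "attacks": summaries}


if __name__ == "__main__":
    import boto3

    # Constructed placeholder ARNs; replace with your protected resource and SNS topic.
    alb = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/shop-alb/50dc6c495c0c9188"
    topic = "arn:aws:sns:us-east-1:123456789012:security-oncall"
    boto3.client("cloudwatch").put_metric_alarm(**build_ddos_alarm(alb, topic))
```

The alarm must be created in the region where the protected resource lives (us-east-1 for CloudFront and Global Accelerator), and the EventBridge rule that invokes `handler` matches on `{"source": ["aws.cloudwatch"], "detail-type": ["CloudWatch Alarm State Change"]}`. Keeping `parse_alarm_event` free of AWS calls is what makes the routing logic testable without credentials.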
Shield Response Team
The AWS Shield Response Team is a specialized team within AWS that is responsible for responding to DDoS attacks against AWS customers.
The AWS Shield Response Team is staffed by security experts who have extensive experience in DDoS mitigation and network security. When an AWS customer experiences a DDoS attack, they can contact the AWS Shield Response Team for assistance. The team works with the customer to identify and mitigate the attack, using a combination of automated and manual techniques.
In addition to responding to DDoS attacks, the AWS Shield Response Team also provides proactive support to customers, helping them to configure their AWS environments for maximum security and resilience against DDoS attacks.
It's worth noting that the AWS Shield Response Team is only available to AWS customers who have subscribed to the AWS Shield service. If you are an AWS customer and you need assistance with DDoS protection, you can contact the AWS Shield Response Team through the AWS Support Center.
Adaptive Protection
AWS Shield Adaptive Protection is a security feature that helps protect customers against Distributed Denial of Service (DDoS) attacks. This service is designed to provide automatic and scalable protection against DDoS attacks and can be used by any customer who is using Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), AWS Global Accelerator, or Amazon CloudFront.
AWS Shield Adaptive Protection provides:
- Automatic DDoS mitigation: AWS Shield Adaptive Protection automatically detects and mitigates DDoS attacks, without the need for customer intervention.
- Proactive protection: The service provides proactive protection against DDoS attacks by monitoring traffic patterns and looking for anomalies that could indicate an attack.
- Scalability: AWS Shield Adaptive Protection is designed to scale automatically to handle high-volume DDoS attacks.
- Integration: The service is integrated with other AWS services like Amazon CloudFront, Amazon Route 53, AWS Global Accelerator, and AWS Elastic Load Balancing.
- Real-time monitoring and reporting: AWS Shield Adaptive Protection provides real-time monitoring and reporting on DDoS attack activity and mitigation, allowing customers to stay informed about the status of their infrastructure.
- Advanced Protection: AWS Shield Advanced provides additional features such as 24/7 access to AWS DDoS Response Team, the ability to customize rules, and enhanced protection for Elastic IP addresses.
AWS Shield Adaptive Protection is a powerful security feature that provides automatic and scalable protection against DDoS attacks, allowing customers to focus on running their applications without worrying about DDoS attacks.
L7 Anomaly Detection via WAF
AWS Shield L7 Anomaly Detection via WAF (Web Application Firewall) is designed to protect web applications from Layer 7 DDoS attacks, which are attacks that target the application layer of the OSI model. These attacks can be difficult to detect and mitigate because they can mimic legitimate traffic, making it challenging to differentiate between malicious and non-malicious traffic.
The WAF component of AWS Shield L7 Anomaly Detection provides a set of rules that can be used to identify and block suspicious traffic, such as traffic from known malicious IP addresses, traffic that contains SQL injection or cross-site scripting (XSS) attacks, and traffic that contains unusual URL patterns. The WAF rules can also be customized to meet application-specific requirements.
When a Layer 7 DDoS attack is detected, AWS Shield L7 Anomaly Detection via WAF can automatically create and apply mitigation rules to block malicious traffic. The system can also send notifications to the AWS console and to the customer via Amazon SNS (Simple Notification Service).
AWS Shield L7 Anomaly Detection via WAF can be used with any web application running on AWS, including those hosted on Amazon EC2 instances, Amazon Elastic Load Balancing (ELB), and Amazon CloudFront. It can be enabled and configured through the AWS Management Console, AWS CLI, or AWS SDKs. There are no upfront costs to use AWS Shield L7 Anomaly Detection via WAF, and customers are only charged based on the volume of traffic protected.
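To make the layer 7 mechanism concrete, here is an added example (not code from the original post or from AWS) of the kind of WAF rule the mitigation above relies on, a rate-based rule that blocks any source IP exceeding a request limit over WAF's trailing 5-minute window, together with an offline replay of that counting over constructed WAF-style log lines. The rule name, the limit of 100 and the `/login` path are assumptions chosen for the example.

```python
"""Added example (not from the original post or AWS): a wafv2 rate-based rule
definition plus an offline simulation of the trailing-window counting it performs,
run over constructed WAF-style JSON log lines."""
from __future__ import annotations

import json
from collections import defaultdict, deque
from typing import Any

WINDOW_SECONDS = 300  # WAF rate-based rules count requests over a trailing 5 minutes


def rate_limit_rule(name: str, limit: int, uri_prefix: str, priority: int = 1) -> dict[str, Any]:
    """Build a wafv2 Rule that blocks any source IP exceeding `limit` requests in the
    trailing 5-minute window, counting only requests whose path starts with
    `uri_prefix` (the scope-down statement keeps static assets out of the count)."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"UriPath": {}},
                        "PositionalConstraint": "STARTS_WITH",
                        "SearchString": uri_prefix,
                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def offending_ips(log_lines: list[str], limit: int, uri_prefix: str) -> dict[str, int]:
    """Replay WAF-style JSON log lines and return {client_ip: timestamp_ms} for every
    IP whose request count under uri_prefix exceeds `limit` within some trailing
    WINDOW_SECONDS window; the timestamp is the request at which it first crossed."""
    events = sorted((json.loads(line) for line in log_lines if line.strip()),
                    key=lambda e: e["timestamp"])
    recent: dict[str, deque[int]] = defaultdict(deque)
    flagged: dict[str, int] = {}
    for ev in events:
        req = ev["httpRequest"]
        if not req["uri"].lower().startswith(uri_prefix):  # mirrors the LOWERCASE transform
            continue
        ip, ts = req["clientIp"], ev["timestamp"]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS * 1000:  # drop requests older than 5 minutes
            window.popleft()
        if len(window) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def constructed_log(limit: int) -> list[str]:
    """Constructed sample traffic from three clients: one bursts past the limit on
    /login within two minutes, one is sustained but stays below the per-window
    limit, and one behaves like a normal browser."""
    base = 1_700_000_000_000  # constructed epoch-milliseconds start time
    lines: list[str] = []

    def add(ip: str, ts: int, uri: str) -> None:
        lines.append(json.dumps({"timestamp": ts, "httpRequest": {"clientIp": ip, "uri": uri}}))

    for i in range(limit + 20):        # limit+20 requests, one per second
        add("198.51.100.7", base + i * 1000, "/login")
    for i in range(limit * 2):         # one request every 10 s: at most 31 per window
        add("203.0.113.9", base + i * 10_000, "/login")
    for i in range(5):                 # static assets are outside the scope-down
        add("192.0.2.44", base + i * 30_000, "/static/app.js")
    add("192.0.2.44", base + 60_000, "/login")
    return lines


if __name__ == "__main__":
    print(json.dumps(rate_limit_rule("login-rate-limit", 100, "/login"), indent=2))
    print(offending_ips(constructed_log(100), 100, "/login"))
```

The rule dictionary goes into the `Rules` list of `wafv2.create_web_acl` or `update_web_acl`, and the web ACL is then associated with the ALB, API Gateway stage or CloudFront distribution. The replay is useful for choosing `Limit` before deploying: run it over a day of real WAF logs and check that only abusive clients, not your own health checks or busy NAT gateways, cross the threshold.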
Health Based Detection
Health-Based Detection uses a combination of machine learning algorithms and heuristics to monitor the health of an application and identify abnormal traffic patterns that may indicate a DDoS attack. The system analyzes a wide range of metrics, such as network traffic, application performance, and server resource utilization, to determine the normal behavior of an application under normal operating conditions.
Once the normal behavior of an application has been established, Health-Based Detection can monitor the application for any deviations from the expected behavior. If abnormal traffic patterns are detected, such as a sudden increase in traffic or a spike in server resource utilization, Health-Based Detection will automatically generate an alert in the AWS Management Console and send a notification to the email addresses specified by the customer.
The alert will include information about the type of attack, the affected AWS resources, and the recommended next steps for mitigating the attack. Customers can also configure Health-Based Detection to automatically initiate mitigations, such as blocking traffic from specific IP addresses or redirecting traffic to other AWS resources.
Health-Based Detection is a feature that is available with both AWS Shield Standard and AWS Shield Advanced, and it is automatically enabled for all AWS customers. There are no additional fees for using Health-Based Detection, and customers only pay for the traffic that is protected by AWS Shield.
Proactive Event Response
Proactive Event Response is a feature that is available with AWS Shield Advanced, which is a paid tier of AWS Shield that provides more advanced DDoS protection features than the basic AWS Shield offering. With Proactive Event Response, AWS Shield Advanced can detect potential DDoS attacks in real-time and automatically notify customers of the attack.
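The Health-Based Detection and Proactive Event Response sections above both depend on Shield Advanced knowing how your application is doing, and in practice that means attaching a Route 53 health check to the protection and registering emergency contacts. As an added example (not code from the original post or from AWS), the following puts a resource under Shield Advanced protection, creates and associates an HTTPS health check, and enables proactive engagement. The clients are passed in as parameters so the flow can be exercised with fakes; the ARN, hostname, `/healthz` path and contact details are constructed placeholders.

```python
"""Added example (not from the original post or AWS): protect a resource with Shield
Advanced, attach a Route 53 health check so Shield can use application health in its
detection, and turn on proactive engagement. Clients are injected so the sequence
can be exercised offline with stand-ins."""
from __future__ import annotations

import uuid
from typing import Any


def build_health_check_config(fqdn: str, path: str = "/healthz") -> dict[str, Any]:
    """Route 53 HTTPS health check config that probes the application's own health
    endpoint every 10 s; three consecutive failures mark the resource unhealthy.
    Hostname and path are assumptions for the example."""
    return {
        "Type": "HTTPS",
        "FullyQualifiedDomainName": fqdn,
        "Port": 443,
        "ResourcePath": path,
        "RequestInterval": 10,
        "FailureThreshold": 3,
        "MeasureLatency": True,
        "EnableSNI": True,
    }


def health_check_arn(health_check_id: str) -> str:
    """Shield wants the health check as an ARN, which Route 53 does not return."""
    return f"arn:aws:route53:::healthcheck/{health_check_id}"


def enable_health_based_protection(shield, route53, resource_arn: str, fqdn: str,
                                   contacts: list[dict[str, str]]) -> dict[str, str]:
    """1) protect the resource, 2) create and associate a health check, 3) register
    emergency contacts and enable proactive engagement. Returns the created ids.
    `shield` and `route53` are boto3 clients (or stand-ins with the same methods)."""
    protection_id = shield.create_protection(
        Name="shield-" + resource_arn.split(":")[-1].replace("/", "-"),
        ResourceArn=resource_arn,
    )["ProtectionId"]

    check_id = route53.create_health_check(
        CallerReference=str(uuid.uuid4()),  # idempotency token required by Route 53
        HealthCheckConfig=build_health_check_config(fqdn),
    )["HealthCheck"]["Id"]
    check_arn = health_check_arn(check_id)
    shield.associate_health_check(ProtectionId=protection_id, HealthCheckArn=check_arn)

    # Proactive engagement requires at least one associated health check and a
    # contact list; a later change of contacts goes through update_emergency_contact_settings.
    shield.associate_proactive_engagement_details(EmergencyContactList=contacts)
    shield.enable_proactive_engagement()
    return {"protection_id": protection_id, "health_check_arn": check_arn}


if __name__ == "__main__":
    import boto3

    result = enable_health_based_protection(
        boto3.client("shield", region_name="us-east-1"),  # Shield's API endpoint is in us-east-1
        boto3.client("route53"),
        # Constructed placeholder resource, hostname and contact; replace with your own.
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/shop-alb/50dc6c495c0c9188",
        "shop.example.com",
        [{"EmailAddress": "security@example.com", "PhoneNumber": "+10000000000", "ContactNotes": "on-call"}],
    )
    print(result)
```

The health check should hit an endpoint that exercises the application path users actually depend on, not just a TCP port, because Shield's health-based detection reacts to the health check turning unhealthy while traffic looks suspicious. Passing the clients in, rather than constructing them inside the function, is what lets the ordering of the Shield and Route 53 calls be checked without an AWS account.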
Cost Protection
When AWS Shield Advanced protection is enabled for your AWS resources, AWS WAF can be associated with those resources at no additional cost, except for cases where additional costs apply, such as adding partner rules or using the Bot Control managed rule group. The baseline rules in Firewall Manager can also be configured without incurring any additional cost.
AWS Shield Advanced uses automatic scaling to mitigate the effects of an attack while it is in progress. When an attack is detected, AWS Shield Advanced automatically scales up the resources that are under attack, which helps absorb the traffic and reduce the impact on your application. AWS Shield Advanced can also automatically notify the AWS DRT (DDoS Response Team), which can work with you to mitigate the attack and provide guidance on how to prevent similar attacks in the future. You can also apply for reimbursement of the extra resources scaled up during the mitigation of a DDoS attack.
[Figure: AWS Shield Protection]
Conclusion
High DDoS resiliency can be provided for your applications with AWS Shield. Below are some compelling reasons to consider implementing AWS Shield as part of your overall security strategy:
- Protection against DDoS attacks: DDoS attacks are a growing threat to businesses of all sizes, and they can cause significant damage to your brand, reputation, and revenue. AWS Shield provides comprehensive protection against DDoS attacks, helping to keep your online applications and services up and running.
- Automated protection: AWS Shield provides automated protection against DDoS attacks, which means that you don't have to spend time monitoring and responding to attacks. Instead, AWS Shield takes care of this for you, freeing up your IT resources to focus on other critical tasks.
- Minimal latency impact: AWS Shield is designed to minimize latency impact, so your online applications and services continue to run smoothly even during an attack. This means that your customers can continue to access your services, which helps to maintain customer satisfaction and loyalty.
- Integration with other AWS services: AWS Shield integrates seamlessly with other AWS services, such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing, to provide a comprehensive security solution for your business. This makes it easy to implement and manage a security strategy that works for your unique needs.
- Access to 24/7 support: AWS Shield Advanced provides access to 24/7 support from AWS security experts, who can help you to optimize your security strategy and respond to any security incidents that may occur. This provides an additional layer of protection and peace of mind for your business.
Implementing AWS Shield as part of your overall security strategy protects your business against DDoS attacks, minimizes downtime and latency impact, and provides a comprehensive security solution that integrates seamlessly with other AWS services.
Halil Bozan
Infrastructure and Platform Developer at kloia