How to defend against DDoS attacks in AWS

Bhanu Reddy
3 min read · Oct 1, 2023

Introduction:

AWS Shield Standard is a managed DDoS protection service that protects the perimeter of your application. It is enabled for every AWS account at no additional charge and defends against the most common and frequently occurring network and transport layer (layer 3 and 4) attacks, such as SYN floods and UDP reflection attacks. You get the most out of it by serving your application at the edge of the AWS network with Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, which sit in front of your origins and absorb infrastructure-layer floods before they reach them. Shield Standard does not inspect HTTP requests, so to defend against layer 7 DDoS attacks such as HTTP request floods you need AWS WAF.

To protect your application from DDoS attacks with Shield Standard, it’s a best practice to follow these guidelines for your application architecture:

  • Reduce the attack surface area
  • Be ready to scale and absorb the attack
  • Safeguard exposed resources
  • Monitor application behavior
  • Create a plan for attacks

Reduce the attack surface area:

  • Use network access control lists (network ACLs) and security groups so that only the traffic you expect can reach your application, and nothing is open to 0.0.0.0/0 except the edge service in front of it.
  • Use the AWS-managed prefix list for CloudFront (com.amazonaws.global.cloudfront.origin-facing) in the security group of your origin, so that inbound HTTP or HTTPS traffic is accepted only from the IP addresses of CloudFront origin-facing servers. The prefix list admits traffic from any CloudFront distribution, not only yours, so also have CloudFront add a secret custom origin header and reject requests that lack it at the origin (for example with an AWS WAF rule on the load balancer).
  • Deploy the backend resources hosting your application inside private subnets with no route from the internet.
  • To reduce the likelihood of malicious traffic reaching your application directly, avoid allocating public or Elastic IP addresses to your backend resources; let the load balancer or the edge service be the only public entry point.

For more information, see Attack surface reduction.
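The security-group side of the items above, as an added Terraform example (not code from the original post or from AWS): an internet-facing Application Load Balancer accepts HTTPS only from the CloudFront origin-facing prefix list, and the application tier accepts its port only from the ALB's security group. The names var.vpc_id and aws_security_group.app are assumed to be defined elsewhere in your configuration; port 8080 is an illustrative application port.

```hcl
# Added example, not from the original post. Assumes var.vpc_id and
# aws_security_group.app (the application tier's group) exist elsewhere.

# AWS-managed list of CloudFront origin-facing IP ranges; AWS keeps it current,
# so you never hard-code or refresh CloudFront CIDRs yourself.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name        = "alb-cloudfront-only"
  description = "HTTPS from CloudFront origin-facing servers only"
  vpc_id      = var.vpc_id
}

# Only CloudFront may reach the ALB. Note there is no 0.0.0.0/0 ingress: a
# client that resolves the ALB's hostname and connects directly is dropped.
resource "aws_vpc_security_group_ingress_rule" "alb_https_from_cloudfront" {
  security_group_id = aws_security_group.alb.id
  description       = "HTTPS from CloudFront origin-facing IPs"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id
}

# The ALB only needs to talk to the application port of its targets.
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  description                  = "App port to the application tier"
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
  referenced_security_group_id = aws_security_group.app.id
}

# The application tier accepts traffic only from the ALB's security group, so
# an instance that accidentally gets a public IP is still unreachable directly.
resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  description                  = "App port from the ALB only"
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
  referenced_security_group_id = aws_security_group.alb.id
}
```

The CloudFront prefix list counts as 55 rules against the per-security-group rule quota (60 by default), so keep the ALB group lean or request a quota increase. The prefix list also admits every CloudFront distribution, including one an attacker creates, so pair it with a secret custom origin header that the origin verifies.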

Be ready to scale and absorb the DDoS attack:

  • Protect your application at the edge of the AWS network using CloudFront, Global Accelerator, and Route 53, so that attack traffic is absorbed across AWS edge locations before it reaches your origin.
  • Absorb and distribute excess traffic with Elastic Load Balancing.
  • Scale horizontally on demand with AWS Auto Scaling, with scaling policies keyed to request rate rather than only CPU, since a flood of cheap requests may not be CPU-bound.
  • Scale vertically by choosing Amazon Elastic Compute Cloud (Amazon EC2) instance types with enough network and compute capacity for your application.
  • Activate enhanced networking on your Amazon EC2 instances for higher packet-per-second throughput.
  • Activate API caching in Amazon API Gateway so that repeated requests are answered from the cache instead of your backend.
  • Optimize caching on CloudFront (longer TTLs, fewer cache-key variations) so that more requests are served from the edge.
  • Use CloudFront Origin Shield, an additional central caching layer, to further reduce the requests for cacheable content that reach the origin.

For more information, see Mitigation Techniques.
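One way to make the horizontal-scaling item concrete, as an added Terraform example (not from the original post): a target tracking policy that scales the EC2 fleet on ALB request count per target, which reacts to an HTTP flood even when the instances are not CPU-bound. aws_autoscaling_group.app, aws_lb.app and aws_lb_target_group.app are assumed to be defined elsewhere; the target value and warm-up are illustrative.

```hcl
# Added example, not from the original post. Assumes aws_autoscaling_group.app,
# aws_lb.app and aws_lb_target_group.app exist elsewhere.

resource "aws_autoscaling_policy" "requests_per_target" {
  name                   = "alb-requests-per-target"
  autoscaling_group_name = aws_autoscaling_group.app.name
  policy_type            = "TargetTrackingScaling"

  # Seconds before a new instance's metrics count toward the target; keep it
  # close to the real boot-plus-health-check time so scaling does not overshoot.
  estimated_instance_warmup = 120

  target_tracking_configuration {
    predefined_metric_specification {
      predefined_metric_type = "ALBRequestCountPerTarget"
      # Required label format: app/<lb-name>/<id>/targetgroup/<tg-name>/<id>
      resource_label = "${aws_lb.app.arn_suffix}/${aws_lb_target_group.app.arn_suffix}"
    }
    # Requests per target per minute the fleet is sized for (illustrative).
    # Above this, the group adds capacity; below it, it slowly scales in.
    target_value = 1000
  }
}
```

Cap max_size on the group at what you are willing to pay for during an attack: scaling absorbs the part of a flood that gets past caching and WAF rate limiting, it does not replace them.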

Safeguard exposed resources:

  • Configure AWS WAF with a rate-based rule in Block mode to defend against request floods: the rule counts requests per source IP over a rolling window and blocks the IPs that exceed the limit until their rate drops below it. Deploy it in Count mode first and use its CloudWatch metrics and sampled requests to choose a limit above your real per-client peaks.
    Note: AWS WAF has to be associated with a supported resource such as a CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API. Shield Standard on its own does not filter HTTP requests.
  • Use CloudFront geographic restrictions to block viewers in countries where you don't want to serve your content.
  • Configure throttling (steady-state rate and burst limits) per stage and per method on your Amazon API Gateway REST APIs so that a single noisy client cannot overwhelm your API endpoint.
  • Use origin access control (OAC), or the older origin access identity (OAI), with your Amazon Simple Storage Service (Amazon S3) origins so that the bucket serves content only through CloudFront and not via direct S3 URLs.
  • Have CloudFront add an API key in the X-API-Key header of each request it forwards, and require that key through a usage plan, so that requests that bypass CloudFront and hit the Amazon API Gateway endpoint directly are rejected. API keys identify calling applications for metering and throttling; they are not user authentication and do not replace an authorizer.
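The rate-based rule and the origin-header check described above, as an added Terraform example (not from the original post or from AWS): a regional web ACL on the ALB behind CloudFront with one rule that blocks any request lacking the secret header CloudFront adds to origin requests and one rule that rate-limits by client IP. Because WAF on the ALB sees CloudFront's IP as the source, the rate limit aggregates on the forwarded client IP rather than on the connection IP. Assumed names: aws_lb.app and var.origin_verify_secret (a random value that you also configure as a custom_header on the distribution's origin); the limit of 2000 is illustrative.

```hcl
# Added example, not from the original post. Assumes aws_lb.app and
# var.origin_verify_secret (also set as a custom origin header on CloudFront).

resource "aws_wafv2_web_acl" "origin" {
  name  = "origin-protection"
  scope = "REGIONAL" # a web ACL for a CloudFront distribution uses CLOUDFRONT in us-east-1

  default_action {
    allow {}
  }

  # Rule 1: requests that did not come through our CloudFront distribution carry
  # no (or a wrong) x-origin-verify header and are dropped before anything else.
  rule {
    name     = "require-cloudfront-origin-header"
    priority = 0

    action {
      block {}
    }

    statement {
      not_statement {
        statement {
          byte_match_statement {
            positional_constraint = "EXACTLY"
            search_string         = var.origin_verify_secret
            field_to_match {
              single_header {
                name = "x-origin-verify"
              }
            }
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "require-cloudfront-origin-header"
      sampled_requests_enabled   = true
    }
  }

  # Rule 2: block any client IP that exceeds 2000 requests in the evaluation
  # window (5 minutes by default). Behind CloudFront the connection IP is an
  # edge server, so aggregate on the first address in X-Forwarded-For instead.
  rule {
    name     = "rate-limit-per-client-ip"
    priority = 1

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "FORWARDED_IP"
        forwarded_ip_config {
          header_name       = "X-Forwarded-For"
          fallback_behavior = "MATCH" # no/invalid header: fail closed
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-client-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "origin-protection"
    sampled_requests_enabled   = true
  }
}

# Attach to the ALB. (For CloudFront, set web_acl_id on the distribution instead.)
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.origin.arn
}
```

To tune the limit safely, change `block {}` on the rate rule to `count {}` first and watch the rule's CloudWatch metric and sampled requests. If you also run a web ACL on the CloudFront distribution itself, put the rate limit there with aggregate_key_type = "IP", since at the edge the connection IP is the real client and the rule fires before the request costs you an origin round trip.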

Monitor application behavior:

  • Create Amazon CloudWatch dashboards to establish a baseline of your application’s key metrics, such as request counts, traffic patterns and resource use, so that an attack is recognizable as a deviation from normal.
  • Enhance the visibility of your CloudWatch logs with the Centralized Logging solution.
  • Configure CloudWatch alarms that trigger Auto Scaling policies so that the application scales out in response to a DDoS attack, and alarms that notify your on-call team when traffic leaves its normal range.
  • Create Route 53 health checks to monitor the health of your application and to manage traffic failover for your application in response to a DDoS attack.

For more information, see AWS Application Auto Scaling monitoring.
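A monitoring and failover setup for the items above, as an added Terraform example (not from the original post): a CloudWatch anomaly-detection alarm on the ALB's RequestCount, a Route 53 health check that tests the application through its public CloudFront hostname, and a PRIMARY/SECONDARY failover record pair. Assumed names: aws_lb.app, aws_sns_topic.ddos_alerts, var.zone_id, and two distributions aws_cloudfront_distribution.primary and aws_cloudfront_distribution.standby, where the standby can be as simple as a static status page; app.example.com and /healthz are placeholders.

```hcl
# Added example, not from the original post. Assumes aws_lb.app,
# aws_sns_topic.ddos_alerts, var.zone_id, and CloudFront distributions
# aws_cloudfront_distribution.primary / .standby exist elsewhere.

# Alarm when the 1-minute request count sits above the learned band (3 standard
# deviations) for 3 consecutive minutes. There is no fixed threshold to keep in
# sync with traffic growth; CloudWatch learns the daily and weekly pattern.
resource "aws_cloudwatch_metric_alarm" "origin_request_anomaly" {
  alarm_name          = "alb-request-count-anomaly"
  comparison_operator = "GreaterThanUpperThreshold"
  evaluation_periods  = 3
  threshold_metric_id = "expected"
  alarm_actions       = [aws_sns_topic.ddos_alerts.arn]
  treat_missing_data  = "notBreaching"

  metric_query {
    id          = "requests"
    return_data = true
    metric {
      namespace   = "AWS/ApplicationELB"
      metric_name = "RequestCount"
      period      = 60
      stat        = "Sum"
      dimensions = {
        LoadBalancer = aws_lb.app.arn_suffix
      }
    }
  }

  metric_query {
    id          = "expected"
    expression  = "ANOMALY_DETECTION_BAND(requests, 3)"
    label       = "RequestCount (expected band)"
    return_data = true
  }
}

# Health check through the public CloudFront hostname, which is what users hit.
# Checking the ALB directly would fail once its security group admits only the
# CloudFront prefix list, because Route 53 checkers use their own IP ranges.
resource "aws_route53_health_check" "primary" {
  fqdn              = aws_cloudfront_distribution.primary.domain_name
  port              = 443
  type              = "HTTPS"
  resource_path     = "/healthz"
  failure_threshold = 3
  request_interval  = 30
}

resource "aws_route53_record" "app_primary" {
  zone_id         = var.zone_id
  name            = "app.example.com"
  type            = "A"
  set_identifier  = "primary"
  health_check_id = aws_route53_health_check.primary.id

  failover_routing_policy {
    type = "PRIMARY"
  }

  alias {
    name                   = aws_cloudfront_distribution.primary.domain_name
    zone_id                = aws_cloudfront_distribution.primary.hosted_zone_id
    evaluate_target_health = false # not supported for CloudFront aliases
  }
}

# Served only while the primary health check is failing.
resource "aws_route53_record" "app_standby" {
  zone_id        = var.zone_id
  name           = "app.example.com"
  type           = "A"
  set_identifier = "standby"

  failover_routing_policy {
    type = "SECONDARY"
  }

  alias {
    name                   = aws_cloudfront_distribution.standby.domain_name
    zone_id                = aws_cloudfront_distribution.standby.hosted_zone_id
    evaluate_target_health = false
  }
}
```

Make sure the /healthz path is not cached by CloudFront (a cache behavior with a zero-TTL policy for that path), otherwise the edge keeps answering the check from cache while the origin is down and failover never happens.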

Create a plan for DDoS attacks:

  • Develop a runbook in advance so that you can respond to DDoS attacks in an efficient and timely manner: who gets paged, which dashboards to read, which WAF rules to switch from Count to Block, and how to contact AWS Support. For guidance on creating a runbook, see the AWS security incident response guide. You can also review this example runbook.
  • Use the aws-lambda-shield-engagement script to quickly open a support case with AWS Support during an impacting DDoS attack. Note that the AWS Shield Response Team (SRT) engages only for AWS Shield Advanced customers on a Business or Enterprise support plan; with Shield Standard you are working with regular AWS Support.
  • Shield Standard offers protection against infrastructure-based DDoS attacks occurring at layers 3 and 4 of the OSI model. To defend against layer 7 DDoS attacks, you need AWS WAF; if you also want attack visibility, DDoS cost protection, and SRT assistance, consider Shield Advanced.

Conclusion:

Defending against DDoS attacks in AWS involves reducing the attack surface so that harmful traffic cannot reach your origins directly, preparing for traffic spikes with edge services like CloudFront and with auto scaling, safeguarding exposed resources with AWS Web Application Firewall (WAF) and API Gateway throttling, monitoring your application’s behavior against a known baseline, and having a plan ready before an attack happens. By filtering out bad traffic, scaling your infrastructure, securing your resources, and staying vigilant, you can keep your AWS applications accessible and secure during an attack.
