Skip to main content

DDoS Protection (Distributed Denial of Service) on AWS

DDoS

  • AWS Shield Standard: protects against DDOS attack for your website and applications, for all customers at no additional costs
  • AWS Shield Advanced: 24/7 premium DDoS protection
  • AWS WAF: Filter specific requests based on rules
  • CloudFront and Route 53:
    • Availability protection using global edge network
    • Combined with AWS Shield, provides attack mitigation at the edge
  • Be ready to scale - leverage AWS Auto Scaling

Shield

AWS Shield Standard:

  • Free service that is activated for every AWS customer
  • Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks

AWS Shield Advanced:

  • Optional DDoS mitigation service ($3,000 per month per organization)
  • Protect against more sophisticated attack on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
  • 2417 access to AWS DDoS response team (DRP)
  • Protect against higher fees during usage spikes due to DDoS

WAF (Web Application Firewall)

  • Protects your web applications from common web exploits (Layer 7)
  • Layer 7 is HTTP (vs Layer 4 is TCP)
  • Deploy on Application Load Balancer, API Gateway, CloudFront
  • Define Web ACL (Web Access Control List):
    • Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
    • Protects from common attack - SQL injection and Cross-Site Scripting (XSS)
    • Size constraints, geo-match (block countries)
    • Rate-based rules (to count occurrences of events) - for DDoS protection
Last updated on by kirbeee