DDoS, short for Distributed Denial of Service, is a huge threat to our servers, web applications and other network resources causing outages in services in addition to associated financial implications as well. With the launch of AWS Shield, however, things have become far easier!
DDoS attacks, at the most basic level, work like this:
An attacker sends a flurry of packets – mostly garbage data – to an intended recipient.
The flood of incoming messages, connection requests or malformed packets slows down the target system or even crashes it, thereby denying service to legitimate users or systems.
Typically, the assailants begin by attacking a vulnerable computer system, making it the DDoS master – also known as a Zombie or a Bot. The attacker then sends out junk data to other systems, creating a network of bots, quite simply called, a botnet, controlling them via a command-and-control server. Botnets can be comprised of almost any number of bots. Once the botnet is assembled, the attacker can use the traffic generated by the compromised devices to flood the target domain and knock it offline.
Broadly there are three types of DDoS attacks:
Volumetric attacks: This method saturates the bandwidth with ICMP floods, UDP floods and spoofed-packet floods. The magnitude is measured in bits per second.
Application and Network Attacks: In this method, using HTTP Get or POST floods and other low and slow attacks, the attackers crash the server by targeting the Apache, OpenBSD and Windows vulnerabilities. The magnitude is measured in requests per second.
Protocol Attacks: This attack consumes resources of servers, firewalls and load balancers using Ping of Death, Smurf DDoS, SYN floods and fragmented packet attacks. The magnitude is measured in packets per second.
Traditional ways of protection from DDoS Attack
In traditional ways to prevent layer 3 (TCP, UDP or Syn) type DDoS attack we need to configure firewall or IP Table rules. We need to configure different IP table Anti-DDoS rules like Block Invalid Packets, Block New Packets that are not SYN, Block packets with Bogus TCP Flags etc. At the same, we need to configure kernel level rules also. For application layer, we need to configure Apache modules Mod_evasive and mod_security. To stop Dns injection attacks mod_spamhaus need to be configured on apache layer. The biggest worry is to scan and fix system vulnerabilities which can be used for DDoS attack. To perform these kinds of protection solutions on system & application layer, we need a System/ Network Administrator level expertise. One of our Partner, Imperva Incapsula, provides a cloud-based security solution (especially from DDoS attacks)
However, what if we get these features inbuilt by default.
What if, we do not need any additional configuration on web layer or Network layer.
What if, we do not need any domain/ system level expertise to manage them.
One Stop Solution to overcome all our worries is…AWS Shield.
AWS Shield detects almost 99% of all infrastructure layer attacks. DDoS Attacks on Amazon CloudFront and Amazon Route 53 are mitigated in less than 1 second, and attacks on Elastic Load Balancing in less than 5 minutes. The remaining 1% of infrastructure attacks are typically mitigated in under 20 minutes. Application layer attacks can be mitigated by writing rules on AWS WAF.
AWS Shield is a managed service that provides protection against DDoS attacks for web applications running on AWS. Any web application running on AWS will be using either CloudFront or Elastic Load Balancer or Route 53, and AWS Shield can be configured with these services to protect our web applications from the DDoS attack. AWS Shield helps protects your website from all types of DDoS attacks including attacks on infrastructure layer (like UDP floods), State exhaustion attacks (like TCP SYN floods), and attacks on application layer (like HTTP GET or POST floods).
There are 2 levels of service available with AWS Shield:
Protects your web applications from 96 percent of common DDoS attacks. It provides protection for all AWS customers against common and most frequently occurring Infrastructure (layer 3 and 4) attacks like SYN/UDP Floods, Reflection attacks, and others to support high availability of your applications on AWS.
It works in conjunction and is turned on by default with Amazon Cloud Front, Elastic Load Balancing and Amazon Route 53. It is very cost-effective as we need to pay for these services only and not for AWS Shield.
Websites that are not hosted on AWS can also use AWS Shield as it is integrated with Amazon CloudFront, which means custom origins outside AWS are supported as well. It works the same with IPv4 and IPv6 networks.
It monitors malicious traffic real-time using anomaly algorithms, traffic signatures and analysis techniques to provide quick detection and protection from most of the DDoS attacks.
This offers a higher level of protection for DDoS attacks including volumetric attacks, application, and network layer attacks, with intelligent attack detection. Here are a few other things it includes:
AWS Shield Advanced offers extra protection by closely monitoring the network flow and application layer traffic to Cloud Front, Route 53 and Elastic Load Balancing. It baselines traffic and identifies anomalies to protect the network from DNS query floods and HTTP floods. Resource-specific monitoring provides granular detection of attacks.
The advanced version offers specialized support 24/7 from the DDoS Response Team (DRT). DRT team will help you in triaging the cause, identify root issues and quickly resolve them using sophisticated automatic mitigations and advanced routing techniques. You can engage them in a post-attack analysis as well.
With AWS Shield Advanced, you can use the AWS Web Application Firewall to respond to incidents at the application layer with no additional cost. It helps in responding to the incidents or proactively blocking bad traffic, applying rules such as Rate based Blacklisting.
The advanced version provides real-time metrics and reports to get clear insights into DDoS attacks with post-event analysis and investigation. Real-time notifications are sent using Amazon CloudWatch. You can even view a summary of all attacks, via the management console.
While the outage caused by the DDoS attack is a huge loss, the bill spikes caused by the attack is another big concern. The DDoS cost protection feature is specially designed to safeguard the organization from these scaling charges. AWS provides service credits that can be used when DDoS attack scales up resources.
With all these features, AWS Shield surely packs a lot of punch and lets us breathe a sigh of relief. You won’t find yourself losing sleep over a probable DDoS attack!
Sourabh Datt Vishnoi works as Sr. Solution Architect AWS in BluePi Consulting Pvt. Ltd.