Advanced DDoS Mitigation (Layer 7) - AWS Shield

AWS offers a free DDoS protection service called AWS Shield Standard, which is enabled on all accounts (even those that only use the Free Tier). The service protects you against Layer 3/4 volumetric attacks such as SYN floods and UDP reflection.

Optionally, customers can enable AWS Shield Advanced for greater protection of their workloads.

AWS Shield Standard vs AWS Shield Advanced

AWS Shield Advanced complements the standard service by adding the capabilities listed below.

(comparison table: Shield Advanced vs Standard)

Benefits of using AWS Shield Advanced

  • Protection against attacks in the application layer (Layer 7), such as HTTP floods and DNS query floods, and in the presentation layer (Layer 6), such as TLS abuse.
  • 24x7 access to the AWS Shield Response Team (SRT), which helps you filter malicious traffic and add appropriate protections, including manual traffic analysis. The team also provides preventive support by reviewing your architecture, assessing its resilience to denial-of-service attacks and proposing improvements. Note that contacting the SRT requires a Business or Enterprise Support plan.
  • If your infrastructure (load balancers, instances, etc.) scales as a result of a denial-of-service attack on a protected resource, AWS Shield Advanced lets you request credits for the resulting scaling charges.
  • Detailed attack metrics that can be analyzed in Amazon CloudWatch, and a dashboard showing the current global status of DDoS attacks.
  • Use of AWS WAF and AWS Firewall Manager for protected resources at no additional charge (restrictions apply; see the pricing page linked below).

Alternatives to AWS Shield Advanced

For mitigation of Layer 7 DDoS attacks we strongly recommend using an elastic service rather than deploying virtual appliances in your account, because the volume of a DDoS attack can overwhelm the autoscaling capacity of such appliances. If you prefer a third-party service such as Cloudflare or Akamai, make sure that DDoS mitigation is actually included in your contract, and keep in mind that configuring a third-party CDN means pointing your domain names at the provider: if their service goes down or cannot absorb a large DDoS, no traffic reaches your AWS account. Also restrict the origin so that it only accepts traffic arriving through the CDN (for example, security groups limited to the provider's published IP ranges, or a shared secret header verified by AWS WAF); otherwise an attacker who discovers the origin address can bypass the mitigation entirely.

Risk Mitigation

  • Reduces the availability and cost impact of a DDoS attack: Layer 7 floods are mitigated before they exhaust the application, and scaling charges incurred on protected resources during an attack can be credited back.

Guidance for assessments

  • It is valid to use a third-party solution to mitigate Layer 7 DDoS attacks, provided that controls are in place to ensure that all workloads in the organization are protected by that service (consistency), and that the DDoS mitigation features are actually contracted, since they are often licensed separately from the CDN.
  • Have you enabled Shield Advanced?
  • Do you have Business or Enterprise Support (required to engage the Shield Response Team)?
  • Have you configured Route 53 health checks on important applications, so that Shield Advanced can use health-based detection?
  • Have you added all eligible resources (ALB, CloudFront, Route 53 hosted zones, Elastic IPs, Global Accelerator…) as protected resources in Shield Advanced? (note: you can use AWS Firewall Manager to do this without additional cost)
  • Have you configured automatic application layer DDoS mitigation? (requires an AWS WAF web ACL associated with the protected ALB or CloudFront distribution)
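The checklist above can be turned into an automated check. The following Python script is an added example written for this page, not code from AWS or from the original page: `assess()` maps the questions onto the data returned by the Shield `DescribeSubscription` and `ListProtections` APIs, and `collect_live()` fetches that data with boto3 when credentials are available. The sample subscription, protections and resource inventory embedded below are constructed (fictitious account 111122223333 and resource IDs), and the inventory of resources that should be protected is assumed to come from your own asset list (for example, the output of `elbv2 describe-load-balancers` and `cloudfront list-distributions`).

```python
"""Checks for the Shield Advanced assessment questions (added example, not from the page)."""
from __future__ import annotations

from typing import Any

# ARN prefixes Shield Advanced can protect directly (Elastic IPs show up as EC2 ARNs).
PROTECTABLE_PREFIXES = (
    "arn:aws:cloudfront::",
    "arn:aws:elasticloadbalancing:",
    "arn:aws:globalaccelerator::",
    "arn:aws:route53:::hostedzone/",
    "arn:aws:ec2:",
)


def is_protectable(arn: str) -> bool:
    return arn.startswith(PROTECTABLE_PREFIXES)


def supports_layer7_auto_mitigation(arn: str) -> bool:
    """Automatic application layer DDoS mitigation exists for CloudFront and ALBs only."""
    return arn.startswith("arn:aws:cloudfront::") or ":loadbalancer/app/" in arn


def assess(subscription: dict[str, Any] | None,
           protections: list[dict[str, Any]],
           inventory: list[str]) -> dict[str, Any]:
    """Evaluate the checklist: subscription present, every protectable resource in the
    inventory protected, every protection tied to a Route 53 health check, and layer 7
    auto-mitigation enabled wherever the resource type supports it."""
    protected = {p["ResourceArn"]: p for p in protections}
    return {
        "subscribed": subscription is not None,
        "unprotected": sorted(a for a in inventory if is_protectable(a) and a not in protected),
        "no_health_check": sorted(a for a, p in protected.items() if not p.get("HealthCheckIds")),
        "no_auto_mitigation": sorted(
            a for a, p in protected.items()
            if supports_layer7_auto_mitigation(a)
            and p.get("ApplicationLayerAutomaticResponseConfiguration", {}).get("Status") != "ENABLED"
        ),
    }


def collect_live() -> tuple[dict[str, Any] | None, list[dict[str, Any]]]:
    """Fetch the real subscription and protections with boto3 (needs credentials with
    shield:DescribeSubscription and shield:ListProtections). Shield is a global service
    whose API endpoint lives in us-east-1."""
    import boto3  # imported lazily so the offline demo has no dependency on it

    shield = boto3.client("shield", region_name="us-east-1")
    try:
        subscription = shield.describe_subscription()["Subscription"]
    except shield.exceptions.ResourceNotFoundException:  # account is not subscribed
        subscription = None
    protections, kwargs = [], {}
    while True:  # ListProtections is paginated with NextToken
        page = shield.list_protections(**kwargs)
        protections.extend(page["Protections"])
        if "NextToken" not in page:
            return subscription, protections
        kwargs["NextToken"] = page["NextToken"]


# Constructed sample data: one ALB fully configured, one CloudFront distribution
# protected but without health check or auto-mitigation, one ALB and one hosted
# zone missing from Shield entirely, and a Lambda function that Shield cannot protect.
ALB_WEB = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/web/50dc6c495c0c9188"
ALB_API = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/api/0a1b2c3d4e5f6789"
CDN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
ZONE = "arn:aws:route53:::hostedzone/Z0EXAMPLE12345"
LAMBDA = "arn:aws:lambda:eu-west-1:111122223333:function:ignored"

SAMPLE_SUBSCRIPTION = {"AutoRenew": "ENABLED", "ProactiveEngagementStatus": "ENABLED"}
SAMPLE_PROTECTIONS = [
    {"Id": "p-web", "Name": "web-alb", "ResourceArn": ALB_WEB, "HealthCheckIds": ["hc-web"],
     "ApplicationLayerAutomaticResponseConfiguration": {"Status": "ENABLED", "Action": {"Block": {}}}},
    {"Id": "p-cdn", "Name": "cdn", "ResourceArn": CDN, "HealthCheckIds": []},
]
SAMPLE_INVENTORY = [ALB_WEB, ALB_API, CDN, ZONE, LAMBDA]

if __name__ == "__main__":
    findings = assess(SAMPLE_SUBSCRIPTION, SAMPLE_PROTECTIONS, SAMPLE_INVENTORY)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run as-is it evaluates the constructed data and flags the unprotected ALB and hosted zone, the CloudFront distribution without a health check, and the missing auto-mitigation; replace the sample arguments with `collect_live()` plus your own inventory to assess a real account. A `subscribed` value of `False` means every other finding is moot: Shield Advanced is not active at all.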

Getting started with AWS Shield Advanced

DDoS Protection on AWS with AWS Shield and AWS WAF

Pricing

https://aws.amazon.com/shield/pricing