
Shield Advanced customers and the L7 anti-DDoS managed rulegroup

4 minute read
Content level: Advanced

You're a Shield Advanced customer who has noticed the new rulegroup and/or has received the email 'Enhanced L7 DDoS Protection for AWS Shield Advanced Customers' and wants to know more.

*** This article is under development ***

The new anti-DDoS managed rulegroup, aka 'AWS-AWSManagedRulesAntiDDoSRuleSet' aka 'L7AMR', is a layer 7 'Request Flood' attack detection and mitigation rulegroup. It is a pay-as-you-go alternative to the Shield Advanced subscription model of $3000 per month, and it is also included in the current pricing for Shield Advanced Protected Resources.

It's the future of AWS layer 7 detection and mitigation, and it is ultimately intended to replace the current Shield Advanced layer 7 detection and mitigation features (aka automatic application layer protection).

Please see the following public resources for reference - this article needs to be read in conjunction with these sources:

Differences between Shield Advanced detection/ShieldMitigation rulegroup, and WAF L7AMR:

  • L7AMR has a design goal of detecting and mitigating an attack in less than 10s, whereas Shield Advanced layer 7 detection requires a few minutes
  • minimal setup is required
  • Shield Advanced detection is best improved with customer-configured Route 53 health checks, which customers find to be an ongoing configuration overhead; the new L7AMR requires no health checks
  • L7AMR is able to distinguish a flash crowd from DDoS traffic, whereas Shield detection cannot
  • you can enable 'Challenge' responses for L7AMR and configure a Challenge 'exclusion' list via a URI path regex, to identify paths that will not be able to acquire a Challenge token (see the documentation for more information). The default exclusion list provided in the console is /api/|.(acc|avi|css|gif|ico|jpe?g|js|json|mp[34]|ogg|otf|pdf|png|tiff?|ttf|webm|webp|woff2?|xml)$. This is a game changer, as it allows for more aggressive mitigations with 'Challenge' responses. 'Challenge' responses have a high efficacy rate against DDoS botnets at preventing malicious requests to web pages: DDoS botnets are built to perform maximum damage to targets at the least cost to the botnet operator, so they are generally unsophisticated script-based bots that cannot process JavaScript.
  • the L7AMR baseline is formed within 15 minutes (although baseline creation continues for up to 1 hour), whereas Shield detection (which is a dependency for L7AM) requires a minimum of 24 hours (up to 30 days)
  • DDoS events detected by the new rulegroup are **not** displayed in the Shield Advanced console. If you are a Shield Advanced customer and would like to see these events in your Shield console, please raise a support case to have your influence added to a feature request and/or reach out to your TAM or Solution Architect (SA) to do so.
  • there is no concept of the Shield Advanced 'Proactive engagement', where the SRT reaches out to you when you are under attack; however, if you are impacted by an attack

Both the L7AMR rulegroup and the ShieldMitigation rulegroup can co-exist in the same WebACL: place L7AMR as close to the top of the WebACL as possible, and the 'ShieldMitigation_' rulegroup near the bottom. They will not interfere with each other, apart from L7AMR likely blocking all malicious requests so that L7AM has nothing to do, even when traffic signatures have been identified and rules have been deployed. It's not anticipated that a customer would run both for any length of time; L7AMR is intended to replace L7AM.

If you do have both rulegroups deployed, L7AMR is not in 'Count', and you notice that the 'ShieldMitigation_' rulegroup is blocking requests during an event, please raise a support case so that we can ascertain whether the L7AMR rulegroup configuration needs to be tweaked or AWS Premium Support needs to send feedback to the WAF service team.

Best practices include:

  • deploy L7AMR as close as possible to the top of the WebACL - do not deploy it below any 'Block' rules
  • don't deploy while under attack, as an accurate baseline will not be formed
  • only have 'Allow' lists above the rulegroup
  • continue with all other WAF best practices for DDoS resiliency, such as rate-based rules and the 'AWSManagedIPDDoSList' rule (from the 'AWSManagedIPReputation' rulegroup, below L7AMR)
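The placement guidance above (L7AMR near the top, only 'Allow' lists above it, L7AMR not in 'Count', 'ShieldMitigation_' near the bottom) turned into a check over a WebACL's rule list. This is an added example, not AWS or re:Post code: it takes the `Rules` list in the shape returned by boto3 `wafv2.get_web_acl()["WebACL"]["Rules"]`, the `ShieldMitigation` name-prefix match is an assumption about how the Shield rule group appears in the WebACL, and the sample rules are constructed.

```python
L7AMR_NAME = "AWSManagedRulesAntiDDoSRuleSet"  # managed rule group name; its vendor is "AWS"
SHIELD_PREFIX = "ShieldMitigation"  # assumed name prefix of the rule Shield adds for its rule group


def is_l7amr(rule):
    stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement", {})
    return stmt.get("VendorName") == "AWS" and stmt.get("Name") == L7AMR_NAME


def is_shield_mitigation(rule):
    return rule.get("Name", "").startswith(SHIELD_PREFIX)


def audit_web_acl_rules(rules):
    """Return findings against the placement guidance; an empty list means the order matches it."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["Priority"])  # WAF evaluates the lowest number first
    l7amr = next((r for r in ordered if is_l7amr(r)), None)
    if l7amr is None:
        return ["L7AMR (AWSManagedRulesAntiDDoSRuleSet) is not in this WebACL"]
    if "Count" in l7amr.get("OverrideAction", {}):
        findings.append("L7AMR is in Count: it observes but does not mitigate")
    for r in ordered:
        if r["Priority"] >= l7amr["Priority"]:
            break  # everything from here on is evaluated after L7AMR
        if "Block" in r.get("Action", {}):
            findings.append(f"Block rule '{r['Name']}' is evaluated before L7AMR")
        elif "Allow" not in r.get("Action", {}):  # rule group references have no Action at all
            findings.append(f"rule '{r['Name']}' above L7AMR is not an Allow rule")
    shield = next((r for r in ordered if is_shield_mitigation(r)), None)
    if shield and shield["Priority"] < l7amr["Priority"]:
        findings.append("ShieldMitigation rule group is above L7AMR; it belongs near the bottom")
    return findings


# Constructed sample WebACL: an Allow list, then a Block rule, then L7AMR, then Shield's rule group.
SAMPLE_RULES = [
    {"Name": "AllowOffice", "Priority": 0, "Action": {"Allow": {}},
     "Statement": {"IPSetReferenceStatement": {"ARN": "arn:aws:wafv2:EXAMPLE:ipset/office"}}},
    {"Name": "BlockGeo", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX"]}}},
    {"Name": "AWS-AWSManagedRulesAntiDDoSRuleSet", "Priority": 2, "OverrideAction": {"None": {}},
     "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": L7AMR_NAME}}},
    {"Name": "ShieldMitigationRuleGroup_EXAMPLE", "Priority": 10, "OverrideAction": {"None": {}},
     "Statement": {"RuleGroupReferenceStatement": {"ARN": "arn:aws:wafv2:EXAMPLE:rulegroup/shield"}}},
]

if __name__ == "__main__":
    for finding in audit_web_acl_rules(SAMPLE_RULES):
        print("-", finding)
```

Running it against the sample reports the 'BlockGeo' rule sitting above L7AMR; moving that rule below L7AMR clears the finding.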
Published by AWS (EXPERT) 6 days ago