Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

How to prevent Ddos attacks from producing costs for small websites

0

I have the following pattern/architecture to deploy a website with CDK:

  • WAF with a custom IP-based ratelimit for a Cloudfront Distribution with Api Gateway as Origin.
  • a default ratelimit at the Api Gateway additionally.

I would use this pattern to deploy potentially multiple web apps for small hobby projects in the future.

But a weak point of this architecture would be WAF. WAF does produce costs: 60 Cents per million requests.

So the costs for a small hobby project could explode in theory, if it gets hit by a DDOS attack. What could I do here to prevent this? It would be really nice, if AWS had some base protection against DDOS where Shield Advanced is not well suited price-wise.

The last thing I could do, I could set up a Budget alarm and trigger some action to take all web apps offline, if the budget gets hit. Otherwise I would be afraid that costs could explode anytime, if there were small web apps of hobby scale publicly available in the internet.

Thank you

Themen
Sicherheit, Identität & KonformitätCloud-Finanzmanagement
Tags
AWS WAFAWS ShieldAWS AbrechnungDDOS-Schutz
Sprache
English
mampf
gefragt vor 6 Monaten366 Aufrufe
1 Antwort
0
Akzeptierte Antwort

As you said, without Shield advanced it's hard to control the cost for DDoS attacks, there are AWS best practices for DDoS- • Always prefer AWS Services that operate at Edge Locations (CloudFront, Route53 and Global Accelerator) as an entry point for your applications. Provides a better DDoS resiliency (always-on mitigation for fastest detection and mitigation, distributed mitigation capacity and automatic traffic engineering) • Protect your DNS infrastructure: Using Amazon Route53, your application will be protected against DNS application layer attacks as the responsibility for serving authoritative DNS answers is outsourced AWS. Attackers will be unable to affect your application availability by targeting your DNS resolvers. • Protect your Origins § Use custom header or CloudFront prefix-list (if your origin is behind CloudFront) to protect against any direct to origin attacks § Protect against Security-Groups Connection Tracking exhaustion in case of DDoS event, by using untracked connections SG with managed services like ALB or CLB. • Scalable architecture § Using autoscaling and load balancing to dynamically increase your application capacity for instance

profile pictureAWS
SUPPORT-TECHNIKER
Ravid_G
beantwortet vor 6 Monaten
profile pictureAWS
EXPERTE
Didier_Durand
überprüft vor 6 Monaten
  • mampf
    vor 6 Monaten

    Thanks for the suggstions :)

    It does help. So in the end one cannot deploy a webapp and be 100% sure that costs dont spike up to high numbers, if there were any attacks.

    Will try to set up a budget alarm then, which will take my hobby projects offline.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt