Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Do we lose any DDoS protections from CloudFront by turning caching off and forwarding all headers to origin?

0

We are trying to best protect our backend service from DDoS attacks and have setup WAF in front of CloudFront in front of our service.

A few AWS white papers (such a this) mention using CloudFront as a way to improve DDoS resiliency:

 Benefits of using CloudFront, AWS Global Accelerator, and Amazon Route 53 include:

• Access to internet and DDoS mitigation capacity across the AWS Global Edge
Network. This is useful in mitigating larger volumetric attacks, which can reach
terabit scale.

 • AWS Shield DDoS mitigation systems are integrated with AWS edge services,
reducing time-to-mitigate from minutes to sub second.

 • Stateless SYN Flood mitigation techniques proxy and verify incoming
connections before passing them to the protected service. This ensures that only
valid connections reach your application while protecting your legitimate end
users against false positives drops.

We want to disable caching and forward all headers from the original request that hits CloudFront to our backend service, basically using CloudFront as a reverse proxy. Do we still maintain the AWS Global Edge Network DDoS mitigation and protections of CloudFront by doing this?

Argomenti
Networking e distribuzione di contenuti
Tag
Amazon CloudFront
Lingua
English
rePost-User-2581820
posta un anno fa326 visualizzazioni
1 Risposta
1
Risposta accettata

In short: If you disable caching you lose very little protection. Perhaps a tiny bit but not that much.

Regardless of whether caching is enabled or not, CloudFront terminates the request from the browser and then performs a new request towards the origin - assuming all things go well: WAF; Lambda@Edge; CloudFront Functions; etc. So if there is some sort of mailicious activity or DDoS event happening CloudFront will see that traffic first and you can choose to (say) block it using WAF or have the other mechanisms in CloudFront (such as SYN flood mitigation) protect you.

Caching helps here because it means that requests that are cached don't hit your origin. In a "high load" event this can reduce the amount of traffic that is sent to your application which is (in general) always a good thing. With caching disabled, all valid requests will be handled by the origin - increasing load, cost and delays to the original requester. Of course, that's up to you but if you can cache things in CloudFront it is well worth it.

profile pictureAWS
ESPERTO
Brettski-AWS
con risposta un anno fa
profile picture
ESPERTO
Sedat Salman
verificato un anno fa
profile pictureAWS
ESPERTO
Tushar_J
verificato un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente