Do we lose any DDoS protections from CloudFront by turning caching off and forwarding all headers to origin?

Question

We are trying to best protect our backend service from DDoS attacks and have setup WAF in front of CloudFront in front of our service.

A few AWS white papers (such a [this](https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf)) mention using CloudFront as a way to improve DDoS resiliency:

```
 Benefits of using CloudFront, AWS Global Accelerator, and Amazon Route 53 include:

• Access to internet and DDoS mitigation capacity across the AWS Global Edge
Network. This is useful in mitigating larger volumetric attacks, which can reach
terabit scale.

• AWS Shield DDoS mitigation systems are integrated with AWS edge services,
reducing time-to-mitigate from minutes to sub second.

• Stateless SYN Flood mitigation techniques proxy and verify incoming
connections before passing them to the protected service. This ensures that only
valid connections reach your application while protecting your legitimate end
users against false positives drops.
```

We want to disable caching and forward all headers from the original request that hits CloudFront to our backend service, basically using CloudFront as a reverse proxy. Do we still maintain the AWS Global Edge Network DDoS mitigation and protections of CloudFront by doing this?

Accepted Answer

In short: If you disable caching you lose very little protection. Perhaps a tiny bit but not that much.

Regardless of whether caching is enabled or not, CloudFront terminates the request from the browser and then performs a new request towards the origin - assuming all things go well: WAF; Lambda@Edge; CloudFront Functions; etc. So if there is some sort of mailicious activity or DDoS event happening CloudFront will see that traffic first and you can choose to (say) block it using WAF or have the other mechanisms in CloudFront (such as SYN flood mitigation) protect you.

Caching helps here because it means that requests that are cached don't hit your origin. In a "high load" event this can reduce the amount of traffic that is sent to your application which is (in general) always a good thing. With caching disabled, all valid requests will be handled by the origin - increasing load, cost and delays to the original requester. Of course, that's up to you but if you can cache things in CloudFront it is well worth it.

Do we lose any DDoS protections from CloudFront by turning caching off and forwarding all headers to origin?

関連するコンテンツ