How do I defend against DDoS attacks with Shield Standard?

4 minute read

I want to protect my application from Distributed Denial of Service (DDoS) attacks with AWS Shield Standard.

Short description

AWS Shield Standard is active by default for your AWS account at no additional charge. The following services have ‘always on’ Shield standard mitigations against common network and transport layer attacks:

Amazon CloudFront for HTTP and gRPC Remote Procedure Call workloads
Amazon Route 53 for DNS

Resolution

To protect your application from DDoS attacks with Shield Standard, it's a best practice to follow these guidelines for your application architecture:

Use services designed to scale.
Reduce the attack area surface.
Detect and filter malicious traffic.
Monitor application behavior.
Create a plan for DDoS attacks.

Use services designed to scale

Design for large-scale traffic with the following best practices:

Protect your application at the edge of the AWS network with CloudFront, Global Accelerator, and Route 53.
Distribute traffic with Elastic Load Balancing, and for Application Load Balancer, reserve a minimum capacity with [Capacity reservations](http://Capacity reservations for your Application Load Balancer).
Scale horizontally or vertically on-demand with Application Auto Scaling, which integrates with multiple services.

Reduce the attack area surface

Reduce the attack surface area with the following best practices:

Restrict access to CloudFront origins. For an Amazon S3 origin, use Origin Access Control (OAC). For an origin that's an Elastic Load Balancer, Network Load Balancer, or EC2 instance, use VPC origins. If you currently use a CloudFront-managed prefix list without VPC origins, then implement VPC origins.
To make sure that only expected traffic reaches your application, use network access control lists (network ACLs) and security groups.
To reduce the likelihood of malicious traffic to your application, don't allocate public Elastic IP addresses to your backend resources.

For more information, see Attack surface reduction.

Detect and filter malicious traffic

Detect and filter malicious traffic with the following best practices:

Use AWS WAF Best practices outlined in DDoS Resilience - Using AWS WAF to protect against DDoS Botnets.
Note: You must use Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync or Amazon Cognito, to use AWS WAF.
Use CloudFront CDN caching to reduce cacheable requests to your origin - see DDoS Resilience - the unbelievable importance of HTTP caching.
Activate API caching on API Gateway where appropriate and use burst limits for each method with your Amazon API Gateway REST APIs.

For more information, see Mitigation techniques.

Monitor application behavior

Monitor application behavior with the following best practices:

Create Amazon CloudWatch dashboards to establish a baseline of your application's key metrics such as traffic patterns and resource use.
Enhance the visibility of your CloudWatch logs with the [Centralized Logging solution](http:// https//docs.aws.amazon.com/solutions/latest/centralized-logging-with-opensearch/solution-overview.html).
Configure CloudWatch alarms to automatically scale the application in response to a DDoS attack.

For more information, see Monitoring Application Auto Scaling.

Create a plan for DDoS attacks

Develop a runbook in advance so that you can respond to DDoS attacks in an efficient and timely manner. For guidance on how to create a runbook see the AWS Security Incident Response Technical Guide.

For more information on how to protect your application from DDoS attacks, see AWS best practices for DDoS resiliency.

Related information

How to help protect dynamic web applications against DDoS attacks by using CloudFront and Route 53

How to protect your web application against DDoS attacks by using Route 53 and an external content delivery network

How to protect a self-managed DNS service against DDoS attacks using AWS Global Accelerator and AWS Shield Advanced

Testing and tuning your AWS WAF protections

Topics: Security, Identity, & Compliance
Tags: AWS Shield
Language: English

AWS OFFICIALUpdated 4 months ago

1 Comment

Currently there is another way to protect environments against DDoS protection using AWS WAF Distributed Denial of Service (DDoS) prevention rule group.

You can use the existing WAF ACL by selecting the existing Web ACL and adding the managed "AntiDDoS Protection for Layer 7 attacks" rule, or enabling the WAF and creating a new Web ACL with the same rule.

Please find the links to the rule definition as well as a blog post.

https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.html https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-the-aws-waf-application-layer-ddos-protection/

rePost-User-7892803

replied 9 months ago

Relevant content

Are Lightsail instances protected against DDOS by default using AWS Shield Standard ?
Accepted Answer
rePost-User-2758834
asked 3 years ago
how large traffic can ddos shield defend? 500Gbps offen occurs in games industry.
AWS-User-1002523
asked 4 years ago
AWS Network Firewall to protect against DDoS layer 7 attacks
rePost-User-2820918
asked 3 years ago
Is there any visibility into if a DDoS attack occurs on an API Gateway using WAF & Shield Standard?
Accepted Answer
rePost-User-2581820
asked 3 years ago
Understanding AWS Shield Advanced Protection for Layer 7 DDoS Attacks
Accepted Answer
ShreyasD
asked a year ago
How do I check if Shield Advanced is protecting my resources from DDoS attacks?
AWS OFFICIALUpdated a year ago
How many resources can Shield Advanced protect?
AWS OFFICIALUpdated 8 months ago
How do I protect my web application from web threats with CloudFront and AWS WAF?
AWS OFFICIALUpdated 8 months ago
How do I use AWS WAF to mitigate DDoS attacks?
AWS OFFICIALUpdated 8 months ago
Leveraging CloudWatch and AWS Shield for Effective DDoS Monitoring: A Technical Guide
EXPERT
Mateus Prado
published 7 months ago