As you said, without Shield Advanced it's hard to control the cost for DDoS attacks. There are AWS best practices for DDoS:

- Always prefer AWS services that operate at Edge Locations (CloudFront, Route53 and Global Accelerator) as an entry point for your applications. This provides better DDoS resiliency (always-on mitigation for fastest detection and mitigation, distributed mitigation capacity and automatic traffic engineering).
- Protect your DNS infrastructure: using Amazon Route53, your application will be protected against DNS application layer attacks, as the responsibility for serving authoritative DNS answers is outsourced to AWS. Attackers will be unable to affect your application availability by targeting your DNS resolvers.
- Protect your origins:
  - Use a custom header or the CloudFront prefix-list (if your origin is behind CloudFront) to protect against any direct-to-origin attacks.
  - Protect against Security-Groups Connection Tracking exhaustion in case of a DDoS event, by using untracked connections SG with managed services like ALB or CLB.
- Scalable architecture:
  - Using autoscaling and load balancing to dynamically increase your application capacity for instance
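An added example, not part of the original answer or of AWS's own code: one way to check the "protect your origins" advice above, by scanning security-group rules for web ingress that does not arrive through the CloudFront managed prefix list (`com.amazonaws.global.cloudfront.origin-facing`). The data is constructed in the shape of `aws ec2 describe-security-groups` output; the group IDs and the prefix-list ID are placeholders.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs and the prefix-list ID are placeholders, not real resources.
CLOUDFRONT_PL = "pl-EXAMPLE"  # your region's ID for the CloudFront origin-facing list
SAMPLE_GROUPS = [
    {"GroupId": "sg-locked", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "Ipv6Ranges": [], "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "PrefixListIds": []}]},
    {"GroupId": "sg-mixed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": []}]},
]
WEB_PORTS = (80, 443)
WORLD = {"0.0.0.0/0", "::/0"}

def covers_web_port(perm):
    """True if the rule admits TCP 80 or 443 (protocol -1 means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in WEB_PORTS)

def origin_bypass_findings(groups, cloudfront_pl):
    """Return (group, source, severity) for web ingress not via the CloudFront list."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_web_port(perm):
                continue  # non-web rules (e.g. SSH) are outside this check
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])
                        if p["PrefixListId"] != cloudfront_pl]
            for src in sources:
                severity = "world-open" if src in WORLD else "review"
                findings.append((sg["GroupId"], src, severity))
    return findings

if __name__ == "__main__":
    for finding in origin_bypass_findings(SAMPLE_GROUPS, CLOUDFRONT_PL):
        print(*finding)
```

A "review" finding is a specific CIDR that may be legitimate (an office range, a health checker) but still lets traffic reach the origin without passing through CloudFront.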
Thanks for the suggestions :)
It does help. So in the end one cannot deploy a webapp and be 100% sure that costs don't spike up to high numbers if there were any attacks.
Will try to set up a budget alarm then, which will take my hobby projects offline.