Currently under a DDoS attack. Does AWS Shield Advance instantly help?

0

Hi, we are currently under a DDoS attack that has been going on for more than 2 hours. We are unsure whether taking the $3000 Shield Advanced service would instantly help us combat this attack. Since we need to commit for a year, this is a big decision. Any information or help would be greatly appreciated.

  • In the event of a DDoS attack targeting AWS resources, AWS Shield Advanced can provide immediate mitigation assistance. Here's how AWS Shield Advanced can help: Automatic DDoS Attack Detection and Mitigation: When an attack is detected, AWS Shield Advanced automatically triggers mitigation actions to protect your resources. 24/7 Support and Incident Management: AWS Shield Advanced provides you with access to a dedicated DDoS response team that is available 24/7. This team works closely with you to analyze the attack, identify the root cause, and implement the appropriate mitigation strategies.

asked 7 months ago, 323 views
4 Answers
3

Enabling Shield Advanced is one step on your journey to DDoS protection. You also have to protect your resources by configuring Shield so that it knows which resources it has to protect. The documentation is comprehensive and must be carefully followed to make sure you protect your resources: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-ddos.html

AWS
answered 7 months ago
3

Just in terms of potential quick mitigations, while I don't know what kind of service you're running, have you considered adding rules at the top of your web ACL to block or rate-limit access from IP addresses that belong to known botnet nodes, data centre providers, anonymiser VPN services, the TOR network, and other sources that generally don't need to access sites meant for human users? https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html

Notably, the service provider list will also likely block most search engines, so you might want to create exceptions for them if search engine visibility is important. Also note that in the AWSManagedRulesAmazonIpReputationList rule group, the rule AWSManagedIPDDoSList that might be particularly relevant has the default action of Count, so you'll need to override it to Block.

Another simple mitigation that works well for some sites while being next to useless for others is geo-blocking or geo-based rate limiting. For example, if the site is mainly for an audience in certain parts of the world, simply rate-limiting all traffic from outside your main operating areas, or specifically from certain large countries or entire continents from which minimal legitimate traffic is expected, can be very powerful defence. You can scope down a rate-limiting rule based on geolocation and apply a single rate limit to the aggregate traffic originating in those countries, rather than doing per-IP rate limiting which may not be useful against a distributed attack: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-instances.html

The two-letter country codes are grouped by continent here: https://en.wikipedia.org/wiki/List_of_sovereign_states_and_dependent_territories_by_continent_(data_file)

EXPERT
answered 7 months ago
2

I assume this is a Layer 7 application attack on your website.

These attacks can be mitigated with AWS WAF (Web Application Firewall)

Do refer to How do I use AWS WAF to mitigate DDoS attacks?

AWS EXPERT
answered 7 months ago
  • We have cranked up AWS WAF as much as we can, but still a lot is coming through.

0

Assuming you are talking about a layer 7 HTTP request flood attack (these are the most common attack type): if you have already had an AWS WAF WebACL associated with the CloudFront or ALB resource in question for a period of time prior to the attack (in which case Shield would already have a layer 7 traffic baseline), then subscribing to Shield Advanced, adding the resource in question as Protected, and enabling automatic application layer DDoS mitigation could result in some immediate relief.

If you had Business or Enterprise Support then you could also engage the Shield Response Team (SRT) to assist you in configuring your WebACL. However, you are not entitled to cost protection from Shield Advanced (see "Requesting a credit in AWS Shield Advanced after an attack") if you subscribe or add a resource as 'Protected' while already in the middle of an attack.

The 2 most effective rules to add to your WebACL to protect against traditional DDoS botnets, regardless of Shield Advanced protection status, are:

  1. The 'AWSManagedRulesAmazonIpReputationList' rule group, with the rule 'AWSManagedIPDDoSList' in Block mode
  2. A rate-based rule with a custom aggregation key of Header(Host) + URI + IP, with as low a limit as possible. This rule blocks requests from IPs behaving in a DDoS-like fashion by hitting the same URL over and over. What legitimate IP is going to request your homepage 50 times in a minute?
AWS
answered 4 months ago
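The rules recommended in the two answers above (the IP reputation rule group with the DDoS list overridden to Block, the Host+URI+IP rate-based rule, and the geo scope-down rate limit), written out as the JSON shapes the WAFv2 CreateWebACL/UpdateWebACL API takes. This is an added example, not code from the thread or from AWS; it is stdlib only, sends nothing to AWS, and the limits, metric names and the "XX"/"YY" country codes are constructed placeholders to replace with your own values.

```python
"""Build the AWS WAFv2 rule definitions discussed in this thread as API-shaped dicts."""
import json

def visibility(metric):
    # Every WAFv2 rule needs a VisibilityConfig; these metrics are what you watch during an attack.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}

def ip_reputation_rule(priority):
    # AWSManagedIPDDoSList defaults to Count inside this rule group; override it to Block.
    return {
        "Name": "AWS-AWSManagedRulesAmazonIpReputationList", "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList",
            "RuleActionOverrides": [{"Name": "AWSManagedIPDDoSList", "ActionToUse": {"Block": {}}}]}},
        "OverrideAction": {"None": {}}, "VisibilityConfig": visibility("IpReputation")}

def host_uri_ip_rate_rule(priority, limit, window_sec=60):
    # Aggregate on Host header + URI path + source IP: one IP hammering one URL trips the limit.
    # Header and UriPath keys require TextTransformations; the IP key takes none.
    return {
        "Name": "rate-limit-host-uri-ip", "Priority": priority,
        "Statement": {"RateBasedStatement": {
            "Limit": limit, "EvaluationWindowSec": window_sec, "AggregateKeyType": "CUSTOM_KEYS",
            "CustomKeys": [
                {"Header": {"Name": "host", "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
                {"UriPath": {"TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
                {"IP": {}}]}},
        "Action": {"Block": {}}, "VisibilityConfig": visibility("RateHostUriIp")}

def geo_aggregate_rate_rule(priority, country_codes, limit):
    # CONSTANT aggregation + geo scope-down: one shared budget for all traffic from these countries,
    # which still bites when a distributed flood keeps every single IP under a per-IP limit.
    return {
        "Name": "rate-limit-geo-aggregate", "Priority": priority,
        "Statement": {"RateBasedStatement": {
            "Limit": limit, "AggregateKeyType": "CONSTANT",
            "ScopeDownStatement": {"GeoMatchStatement": {"CountryCodes": list(country_codes)}}}},
        "Action": {"Block": {}}, "VisibilityConfig": visibility("RateGeoAggregate")}

def build_rules(country_codes, per_url_limit=100, geo_limit=1000):
    # Cheap reputation blocks first, then the rate rules; WAF requires unique priorities.
    rules = [ip_reputation_rule(0), host_uri_ip_rate_rule(1, per_url_limit),
             geo_aggregate_rate_rule(2, country_codes, geo_limit)]
    assert len({r["Priority"] for r in rules}) == len(rules), "duplicate rule priority"
    return rules

def ddos_list_is_blocking(rules):
    # Catches the gotcha from the thread: the DDoS list left in its default Count action.
    for r in rules:
        for ov in r["Statement"].get("ManagedRuleGroupStatement", {}).get("RuleActionOverrides", []):
            if ov["Name"] == "AWSManagedIPDDoSList":
                return "Block" in ov["ActionToUse"]
    return False

if __name__ == "__main__":
    print(json.dumps(build_rules(["XX", "YY"]), indent=2))  # placeholder country codes
```

The output is the `Rules` array for the web ACL; the rule group override and the rate limit minimum are subject to the current WAFv2 quotas, so check the limits in your account before applying.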
