Enabling Shield Advanced is one step on your journey to DDoS protection. You also have to protect your resources by configuring Shield so that it knows which resources it has to protect. The documentation is comprehensive and must be carefully followed to make sure you protect your resources: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-ddos.html
Just in terms of potential quick mitigations, while I don't know what kind of service you're running, have you considered adding rules at the top of your web ACL to block or rate-limit access from IP addresses that belong to known botnet nodes, data centre providers, anonymiser VPN services, the TOR network, and other sources that generally don't need to access sites meant for human users? https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
Notably, the service provider list will also likely block most search engines, so you might want to create exceptions for them if search engine visibility is important. Also note that in the AWSManagedRulesAmazonIpReputationList rule group, the rule AWSManagedIPDDoSList that might be particularly relevant has the default action of Count, so you'll need to override it to Block.
Another simple mitigation that works well for some sites while being next to useless for others is geo-blocking or geo-based rate limiting. For example, if the site is mainly for an audience in certain parts of the world, simply rate-limiting all traffic from outside your main operating areas, or specifically from certain large countries or entire continents from which minimal legitimate traffic is expected, can be a very powerful defence. You can scope down a rate-limiting rule based on geolocation and apply a single rate limit to the aggregate traffic originating in those countries, rather than doing per-IP rate limiting, which may not be useful against a distributed attack: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-instances.html
The two-letter country codes are grouped by continent here: https://en.wikipedia.org/wiki/List_of_sovereign_states_and_dependent_territories_by_continent_(data_file)
I assume this is a Layer 7 application attack on your website.
These attacks can be mitigated with AWS WAF (Web Application Firewall).
Do refer to "How do I use AWS WAF to mitigate DDoS attacks?"
We have cranked up AWS WAF as much as we can, but still a lot is coming through.
Assuming you are talking about a layer 7 HTTP request flood attack (these are the most common attack type): if you have already had an AWS WAF WebACL associated with the CloudFront or ALB resource in question for a period of time prior to the attack (in which case Shield would already have a layer 7 traffic baseline), then subscribing to Shield Advanced, adding the resource in question as Protected, and enabling Automating application layer DDoS mitigation could result in some immediate relief.
If you had Business or Enterprise Support then you could also engage the Shield Response Team (SRT) to assist you to configure your WebACL. However, you are not entitled to cost protection (see "Requesting a credit in AWS Shield Advanced after an attack") from Shield Advanced if you subscribe or add a resource as 'Protected' while already in the middle of an attack.
The 2 most effective rules to add to your WebACL to protect against traditional DDoS botnets, regardless of Shield Advanced Protection status, are:
- The 'AWSManagedRulesAmazonIpReputationList' rulegroup, with the rule 'AWSManagedIPDDoSList' in Block mode
- A rate-based rule with custom aggregation key of Header(Host) + URI + IP, with as low a limit as possible. This rule blocks requests from IPs behaving in a DDoS-like fashion by hitting the same URL over and over - what legitimate IP is going to request your homepage 50 times in a minute??
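The following is an added example, not code from this thread or from AWS. It writes out, as wafv2 rule JSON, the two rules listed in this answer (the IP reputation rule group with AWSManagedIPDDoSList overridden to Block, and a rate-based rule aggregated on Host + URI + IP) plus the geo-scoped aggregate rate limit described in the earlier answer, and then runs an offline simulation over constructed traffic to show which aggregation instances a custom-key rule would trip. Rule names, metric names, the limit values, the sample requests and the country codes XA/XB are all constructed placeholders.

```python
# Added example: not code from the re:Post thread or from AWS. It builds AWS WAF
# (wafv2) rule definitions for the mitigations discussed above and simulates how a
# custom aggregation key groups requests within one evaluation window.
# Rule/metric names, limits and the sample traffic below are constructed.
import json
from collections import Counter


def _visibility(metric_name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_reputation_rule(priority: int = 0) -> dict:
    """AWSManagedRulesAmazonIpReputationList with AWSManagedIPDDoSList overridden
    to Block. That rule's default action inside the group is Count, so without
    the override it only counts and labels matching requests."""
    return {
        "Name": "AWS-AWSManagedRulesAmazonIpReputationList",  # constructed name
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAmazonIpReputationList",
            "RuleActionOverrides": [
                {"Name": "AWSManagedIPDDoSList", "ActionToUse": {"Block": {}}}],
        }},
        "OverrideAction": {"None": {}},  # keep the group's per-rule actions
        "VisibilityConfig": _visibility("IpReputation"),
    }


def host_uri_ip_rate_rule(limit: int, priority: int = 1, window_sec: int = 60) -> dict:
    """Rate-based rule whose counter is per (Host header, URI path, client IP)
    instance rather than per IP alone."""
    return {
        "Name": "RateLimitHostUriIp",  # constructed name
        "Priority": priority,
        "Statement": {"RateBasedStatement": {
            "Limit": limit,
            "EvaluationWindowSec": window_sec,
            "AggregateKeyType": "CUSTOM_KEYS",
            "CustomKeys": [
                {"Header": {"Name": "host",
                            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
                {"UriPath": {"TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
                {"IP": {}},
            ],
        }},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitHostUriIp"),
    }


def geo_aggregate_rate_rule(country_codes, limit: int, priority: int = 2) -> dict:
    """One shared counter (CONSTANT aggregation) for all traffic from the listed
    countries, scoped down with a GeoMatchStatement. A per-IP limit does little
    against a distributed source; this caps the whole region at once.
    country_codes must be ISO 3166 alpha-2 codes that WAF accepts."""
    return {
        "Name": "RateLimitGeoAggregate",  # constructed name
        "Priority": priority,
        "Statement": {"RateBasedStatement": {
            "Limit": limit,
            "EvaluationWindowSec": 60,
            "AggregateKeyType": "CONSTANT",
            "ScopeDownStatement": {"GeoMatchStatement": {"CountryCodes": list(country_codes)}},
        }},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitGeoAggregate"),
    }


# Constructed one-minute sample (host, uri, client ip, country placeholder):
# one client fetching the homepage 60 times, one fetching /login 20 times,
# and an ordinary visitor browsing three pages.
SAMPLE_REQUESTS = (
    [{"host": "WWW.Example.com", "uri": "/", "ip": "198.51.100.7", "country": "XA"}] * 60
    + [{"host": "www.example.com", "uri": "/login", "ip": "203.0.113.9", "country": "XB"}] * 20
    + [{"host": "www.example.com", "uri": p, "ip": "192.0.2.20", "country": "XB"}
       for p in ("/", "/about", "/contact")]
)


def over_limit_keys(requests, limit: int) -> dict:
    """Aggregate one window the way the custom-key rule does and return the
    (host, uri, ip) instances whose request count exceeds the limit."""
    counts = Counter((r["host"].lower(), r["uri"], r["ip"]) for r in requests)
    return {key: n for key, n in counts.items() if n > limit}


def geo_aggregate_count(requests, country_codes) -> int:
    """The single shared counter the CONSTANT-aggregation geo rule would keep."""
    wanted = set(country_codes)
    return sum(1 for r in requests if r["country"] in wanted)


if __name__ == "__main__":
    rules = [ip_reputation_rule(), host_uri_ip_rate_rule(limit=50),
             geo_aggregate_rate_rule(["XA"], limit=100)]
    print(json.dumps(rules, indent=2))
    print("over limit:", over_limit_keys(SAMPLE_REQUESTS, 50))
    print("XA aggregate:", geo_aggregate_count(SAMPLE_REQUESTS, ["XA"]))
```

With the constructed sample and a limit of 50, only the client hitting the homepage 60 times trips the Host + URI + IP rule; the visitor browsing three pages never comes close, which is the point of keying on the path as well as the IP. Lowering the limit to 10 also catches the /login client, so the limit is the knob to tune against your own baseline. The rule dicts can be placed in the `Rules` list of an `aws wafv2 update-web-acl` payload.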
In the event of a DDoS attack targeting AWS resources, AWS Shield Advanced can provide immediate mitigation assistance. Here's how AWS Shield Advanced can help:
- Automatic DDoS Attack Detection and Mitigation: When an attack is detected, AWS Shield Advanced automatically triggers mitigation actions to protect your resources.
- 24/7 Support and Incident Management: AWS Shield Advanced provides you with access to a dedicated DDoS response team that is available 24/7. This team works closely with you to analyze the attack, identify the root cause, and implement the appropriate mitigation strategies.