Shield advanced - Thresholds

Question

HI,

as per the docs, AWS Shield Advanced will calculate some "capacity" from a protected resource to basically understand "what it can handle" and fine-tune some thresholds for DDoS mitigation I assume.

For NLB via EIP it says:

EIPs attached to Network Load Balancers – Shield retrieves capacity from the targeted load balancer. The capacity is independent of the target load balancer's group configuration.

In my understanding, this will looks at the NLB capacity (which is nearly unlimited) and not care about the actual target group (that will have much much less capacity).

So how can this protect my target group then if mitigation would not kick in soon enough?

Riku_Kobayashi · Answer

Hello.

As you are aware, AWS Shield cannot protect against all DDoS attacks.  
This is also mentioned in the following document.  
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-event-detection-infrastructure.html  
> Mitigations placed by Shield will reduce DDoS traffic, but may not eliminate it. You can augment Shield with solutions like AWS Network Firewall or an on-host firewall like iptables to prevent your application from processing traffic that is not valid for your application or was not generated by legitimate end users.

Therefore, it is necessary to further mitigate attacks by implementing additional protections beyond AWS Shield.  
For example, this could involve using AWS WAF by implementing CloudFront, or configuring settings at the EC2 OS layer (such as iptables) to mitigate DDoS attacks.  
https://docs.aws.amazon.com/waf/latest/developerguide/waf-anti-ddos.html

Shield advanced - Thresholds

Add your answer

Relevant content