Unusually high CloudFront Request Rate, due to possible DDoS

0

Hi there,

It seems my website is being attacked and AWS Shield Standard is not capable of protecting the site. This is the third time the website has received tens of millions of requests in a day. I want to stop getting overcharged due to this AWS shortcoming.

Based on the CloudFront usage report, the requests are coming from a broad distribution of locations, devices and OSes. That could be a reason why AWS Shield Standard isn't capable of detecting it.

Is there any way to limit the rate of requests from an IP?

Thanks in advance for any help!

2 Answers
1

I'm going to disagree with the wording in the other answer - AWS Shield Standard forms an essential part of your defence against DDoS attacks but it will not do so automatically - you must configure it (and you can also configure it to automatically rate limit IP addresses that it detects as high traffic). That said, DDoS attacks that come from a wide range of IP addresses and appear to be valid requests are going to be difficult to defend against.

The other answer is correct: You can use AWS WAF with CloudFront; and you can also use AWS WAF with Application Load Balancer.

Please raise a support case and get the assistance of our support team.

AWS
EXPERT
answered 2 years ago
  • AWS WAF doesn't seem to be the best solution. The DDoS attack targets only the "/" address, and opens millions of distributed requests, which increased the AWS bill by ~$200 every month in the last couple of months. I checked AWS WAF pricing, which is "$0.60 per 1 million requests"; that is more expensive than the CloudFront cost. I didn't find any doc explaining how to enable Shield Standard, and I saw somewhere that its protection comes by default. That wasn't the case either. I don't have AWS support unfortunately, and the billing team is not going to set some cap to limit the requests.

  • As above, if you have valid requests hitting your service you need a way to discriminate between valid but unwanted vs. valid but genuine requests. If you can do that then you can write a rule (in whatever tool you're using - WAF or otherwise) to discard the unwanted traffic. Not using WAF means that your back end has to deal with all requests. If it is cheaper to scale the back end servers so that they answer all requests (rather than using WAF) then that is definitely a better way to go - that is entirely your choice. Finally, as a motherhood statement: Our support team deals with security and DDoS-related incidents all the time. Consider carefully that the cost of support may well be exceeded by the value of keeping your website/service/business online.

0

Sounds like the attack is at the L7 level (given that you can see more HTTP requests than expected), which AWS Shield Standard will not protect against [1]. You can use AWS WAF with your CloudFront distribution [2] to block specific requests being made against it. Depending on how it should be accessed normally, you can then add specific rules to block bad traffic. You can also add rate-based rules to limit the number of requests from each IP address [3].

[1] https://aws.amazon.com/shield/getting-started/
[2] https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html
[3] https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

lp901
answered 2 years ago
  • The requests don't reach my LB. They just hit CloudFront and S3, which hosts the web content. Therefore, I don't have any IP of the attack sources.
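An added example, not part of the thread above and not AWS code: CloudFront standard (access) logging records the client IP (`c-ip`), method and URI of every request served from the distribution, so the source addresses are available even when nothing reaches a load balancer. The script below parses a constructed sample of such log lines, performs the same per-IP aggregation over a 5-minute window that a WAF rate-based rule does (optionally counting only requests to "/", the path the question says is being hit), lists the IPs that would exceed a chosen limit, and emits that rule in the JSON shape `aws wafv2 create-web-acl --rules` accepts (scope `CLOUDFRONT`, which must be created in `us-east-1`). The log lines, IPs, edge location and rule name are constructed placeholders; the field names come from the standard log format and the rule keys from the WAFv2 API.

```python
"""Per-IP request-rate analysis over CloudFront standard log lines, plus the
matching WAFv2 rate-based rule. Example code; the log sample is constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

Record = Tuple[datetime, str, str]  # (timestamp, client ip, uri stem)


def constructed_sample_log() -> List[str]:
    """CONSTRUCTED sample: two IPs make 400 requests each to "/" inside two
    minutes; a third IP makes 12 normal page views over five minutes.
    Lines are truncated to the first nine fields of the standard log format."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    header = [
        "#Version: 1.0",
        "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status",
    ]

    def line(ts: datetime, ip: str, path: str) -> str:
        return "\t".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), "IAD89-C1",
                          "1245", ip, "GET", "d111.cloudfront.net", path, "200"])

    lines = []
    for ip in ("203.0.113.10", "198.51.100.77"):  # RFC 5737 documentation addresses
        for i in range(400):
            lines.append(line(base + timedelta(milliseconds=300 * i), ip, "/"))
    for i in range(12):
        lines.append(line(base + timedelta(seconds=25 * i), "192.0.2.5",
                          "/index.html" if i % 2 else "/"))
    return header + lines


def parse_cloudfront_log(lines: Iterable[str]) -> List[Record]:
    """Parse tab-separated standard log lines, locating columns via the
    #Fields header so the parser is not tied to a fixed column order."""
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appeared before the #Fields header")
        rec = dict(zip(fields, line.split("\t")))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append((ts, rec["c-ip"], rec["cs-uri-stem"]))
    return records


def peak_rate_per_ip(records: List[Record], window: timedelta = timedelta(minutes=5),
                     uri_stem: Optional[str] = None) -> Dict[str, int]:
    """Highest number of requests any single IP made inside one trailing window.
    This mirrors a rate-based rule with AggregateKeyType=IP over its 5-minute
    window; uri_stem restricts the count to one path, like a scope-down statement."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, ip, path in sorted(records):
        if uri_stem is not None and path != uri_stem:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def offending_ips(records: List[Record], limit: int, window: timedelta = timedelta(minutes=5),
                  uri_stem: Optional[str] = None) -> List[str]:
    """IPs whose peak window count exceeds `limit` (the rule's Limit semantics)."""
    return sorted(ip for ip, n in peak_rate_per_ip(records, window, uri_stem).items() if n > limit)


def rate_based_rule(name: str, limit: int, priority: int = 0,
                    uri_stem: Optional[str] = None) -> dict:
    """WAFv2 rule (JSON shape for `--rules`) blocking any IP that sends more than
    `limit` requests per 5 minutes; with uri_stem, only requests to that exact
    path count toward the limit via a ScopeDownStatement."""
    statement: dict = {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}}
    if uri_stem is not None:
        statement["RateBasedStatement"]["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "EXACTLY",
                "SearchString": uri_stem,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        }
    return {
        "Name": name, "Priority": priority, "Statement": statement, "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


if __name__ == "__main__":
    recs = parse_cloudfront_log(constructed_sample_log())
    print("peak per IP on '/':", peak_rate_per_ip(recs, uri_stem="/"))
    print("would be blocked at Limit=100:", offending_ips(recs, limit=100, uri_stem="/"))
    print(json.dumps(rate_based_rule("block-root-flood", 100, uri_stem="/"), indent=2))
```

Run it against a few hours of your own standard logs (after enabling logging on the distribution) rather than the constructed sample: the peak-per-IP distribution shows where a limit separates the flood from real visitors before the rule is deployed with `aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1` and attached through the distribution's web ACL setting.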
