Shield Advanced has additional mitigation features as listed at AWS Shield detection logic for infrastructure layer threats (layer 3 and layer 4).
These include:
- Lower detection thresholds – Shield Advanced places mitigations at one half of the calculated capacity. This can provide faster mitigations for attacks that ramp up slowly and mitigation of attacks that have a more ambiguous volumetric signature.
- Intermittent attack protection – Shield Advanced places mitigations with an exponentially increasing time to live (TTL), based on the frequency and duration of attacks. This keeps mitigations in place longer when a resource is frequently targeted and when an attack occurs in short bursts.
- Health-based detection – When you associate a Route 53 health check with a Shield Advanced protected resource, the status of the health check is used in the detection logic. During a detected event, if the health check is healthy, Shield Advanced requires greater confidence that the event is an attack before placing a mitigation. If instead the health check is unhealthy, Shield Advanced might place a mitigation even before confidence has been established. This feature helps avoid false positives and provides quicker reactions to attacks that affect your application.
Configuring accurate health checks will improve Shield Advanced mitigation capability. You can refer to the guidance at Health-based detection using health checks with Shield Advanced and Route 53. If possible, configure a calculated health check that monitors the following:
- State of a CloudWatch alarm that measures the number of new connections established by clients to the load balancer. You can set the alarm threshold for the average number of new connections at some degree higher than your everyday average (Network Load Balancer: ActiveFlowCount).
- State of a CloudWatch alarm that measures the number of load balancers that are considered healthy. You can set the alarm threshold either per Availability Zone or on the minimum number of healthy hosts that your load balancer requires (Network Load Balancer: HealthyHostCount).
More details at Health check examples for Shield Advanced.
See this answer to a similar question: https://repost.aws/questions/QUTKp1debUTxmhzT1xljB8_w/how-can-we-add-nlb-s-eip-for-shield-advanced-protection-for-aws-auto-assigned-ips
Additional resources:
- https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary-protected-resources.html
- https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-health-checks.html
- https://docs.aws.amazon.com/waf/latest/developerguide/associate-health-check.html
Shield Advanced for EIPs on NLBs
- Limited additional configurations are available for L3/4 protection
- Automatic enhanced protection against large and sophisticated DDoS attacks
Route 53 Health Checks
- Can improve responsiveness and accuracy of attack detection
- Allow Shield Advanced to react more quickly to potential DDoS attacks
- Don't directly trigger DDoS responses but inform detection mechanisms
Health Check Configuration
- Can create health checks for both NLB (protected resource) and NVAs (backend resources)
- Calculated health checks can combine status of multiple NVAs
- Associating health checks with Shield Advanced provides more context about application health
So "Don't directly trigger DDoS responses but inform detection mechanisms" means that the "AWS magic algorithm" will take this into consideration when deciding if this is actually a DDoS or not? That's all? So "maybe" it will react quicker?
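The two answers above describe the same wiring in words: a CloudWatch alarm on the NLB's ActiveFlowCount set above the everyday baseline, a second alarm on HealthyHostCount, each mirrored by a CLOUDWATCH_METRIC Route 53 health check, the two combined in a CALCULATED health check, and that calculated check associated with the Shield Advanced protection. The following script is an added example of that wiring and is not code from either answer or from AWS. The NLB and target-group dimension values, the region, the protection id, the 3x baseline multiplier and the 24 sample datapoints are all placeholders or constructed values. The build_* functions only produce API parameters and can be run offline; deploy() is the one function that calls AWS and needs boto3 plus credentials.

```python
"""Wire NLB CloudWatch alarms into a Route 53 calculated health check for a
Shield Advanced protection.  Added example; dimension values, region and
protection id are placeholders, the sample metric data is constructed."""
import math
import uuid
from statistics import mean

# Constructed sample: hourly average ActiveFlowCount across one ordinary day.
SAMPLE_ACTIVE_FLOWS = [820, 790, 760, 740, 760, 810, 900, 1100, 1300, 1400,
                       1450, 1480, 1500, 1480, 1460, 1420, 1380, 1300, 1200,
                       1100, 1000, 950, 900, 860]

REGION = "us-east-1"                                # placeholder
NLB_DIM = "net/my-nlb/0123456789abcdef"             # placeholder LoadBalancer dimension
TG_DIM = "targetgroup/my-nvas/0123456789abcdef"     # placeholder TargetGroup dimension


def baseline_threshold(samples, multiplier=3.0):
    """ActiveFlowCount alarm threshold: a multiple of the everyday average,
    rounded up.  The 3x multiplier is an assumption; derive yours from the
    NLB's own traffic history."""
    if not samples:
        raise ValueError("need at least one datapoint to derive a baseline")
    return math.ceil(mean(samples) * multiplier)


def build_flow_alarm(name, threshold):
    """put_metric_alarm parameters for 'active flows well above baseline'."""
    return {
        "AlarmName": name,
        "Namespace": "AWS/NetworkELB",
        "MetricName": "ActiveFlowCount",
        "Dimensions": [{"Name": "LoadBalancer", "Value": NLB_DIM}],
        "Statistic": "Average",
        "Period": 60,
        "EvaluationPeriods": 3,          # three breaching minutes, not one spike
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
    }


def build_healthy_host_alarm(name, min_healthy):
    """put_metric_alarm parameters for 'fewer healthy targets than required'."""
    return {
        "AlarmName": name,
        "Namespace": "AWS/NetworkELB",
        "MetricName": "HealthyHostCount",
        "Dimensions": [{"Name": "TargetGroup", "Value": TG_DIM},
                       {"Name": "LoadBalancer", "Value": NLB_DIM}],
        "Statistic": "Minimum",
        "Period": 60,
        "EvaluationPeriods": 2,
        "Threshold": min_healthy,
        "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",  # no target health data counts as unhealthy
    }


def build_metric_health_check(alarm_name, region=REGION):
    """Route 53 health check whose status mirrors a CloudWatch alarm."""
    return {
        "Type": "CLOUDWATCH_METRIC",
        "AlarmIdentifier": {"Region": region, "Name": alarm_name},
        # A metric gap should not look like an outage; otherwise Shield may
        # mitigate on reduced confidence just because data stopped flowing.
        "InsufficientDataHealthStatus": "LastKnownStatus",
    }


def build_calculated_health_check(child_ids, required_healthy):
    """CALCULATED check: healthy while at least required_healthy children are.
    Lets several NVA checks be combined as N-of-M rather than all-or-nothing."""
    if not 1 <= required_healthy <= len(child_ids):
        raise ValueError("required_healthy must be between 1 and the number of children")
    return {"Type": "CALCULATED",
            "ChildHealthChecks": list(child_ids),
            "HealthThreshold": required_healthy}


def deploy(protection_id, min_healthy_targets=2):
    """Create the alarms and checks and attach the calculated check to the
    Shield Advanced protection.  Requires boto3 and AWS credentials."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=REGION)
    r53 = boto3.client("route53")
    shield = boto3.client("shield", region_name="us-east-1")  # Shield API is served from us-east-1
    alarms = [build_flow_alarm("nlb-active-flows-high", baseline_threshold(SAMPLE_ACTIVE_FLOWS)),
              build_healthy_host_alarm("nlb-healthy-hosts-low", min_healthy_targets)]
    children = []
    for alarm in alarms:
        cw.put_metric_alarm(**alarm)
        created = r53.create_health_check(CallerReference=str(uuid.uuid4()),
                                          HealthCheckConfig=build_metric_health_check(alarm["AlarmName"]))
        children.append(created["HealthCheck"]["Id"])
    # Both alarms must be OK for the protected resource to count as healthy.
    calc = r53.create_health_check(CallerReference=str(uuid.uuid4()),
                                   HealthCheckConfig=build_calculated_health_check(children, len(children)))
    arn = f"arn:aws:route53:::healthcheck/{calc['HealthCheck']['Id']}"
    shield.associate_health_check(ProtectionId=protection_id, HealthCheckArn=arn)
    return arn
```

The point of the calculated check is the one the second answer makes: Shield never acts on the health check alone, it only lowers or raises the confidence it needs before mitigating. That is why the InsufficientDataHealthStatus and TreatMissingData choices matter: a monitoring gap that reads as "unhealthy" would let Shield mitigate with less evidence, while one that reads as "healthy" during a real outage would delay it. LastKnownStatus on the health check and notBreaching on the flow alarm keep a data gap from moving the bar in either direction; breaching on the host-count alarm is deliberate, because targets that stop reporting health are the outage the check exists to catch.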