How to protect EC2 against intermittent DDos attack


Hi, I currently have 4x EC2 instances, each hosting around 70-80 websites. They each run WHM/cPanel software so that I can split accounts between customers.

I am having an issue with one of those instances, whereby 2 specific websites on 1 account keep getting targeted and a DDoS-type attack increases the server load to 100+ to the point that services crash and force other websites offline. I have dealt with this for about 6 months, but my customers are now getting annoyed.

The attack occurs 3-4 times per day, lasts for around 1 hour (unless I notice first and deny the IP in the WHM firewall software), and it is multiple POST requests per second on each of the 2 websites.

I cannot use Cloudflare for these websites, because the domain names use a suffix which Cloudflare sees as a subdomain, and an Enterprise account is required, which is $1000+/year, well above what these 2 customers pay for their account.

I am wondering if AWS has any solution that would help me to protect my instance from these attacks, or prevent them from happening. Thank you.
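The pattern described in the question (bursts of POST requests per second from one source against specific sites, spotted by hand and then denied in the firewall) can be detected from the web server's own access logs before the load climbs. The following is an added example, not code from the question or from cPanel: it assumes Apache "combined" log lines (the per-domain log layout cPanel uses by default) in chronological order, and it flags any client IP whose POST count within a sliding window exceeds a threshold. The log lines, IP addresses and paths are constructed for the example; the threshold values are placeholders to tune against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (assumed layout of the per-domain access logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "method": m.group("method"), "path": m.group("path")}


def find_post_flooders(lines, window_seconds=10, max_posts=20):
    """Return {ip: peak_count} for every client whose POST requests within any
    window_seconds-long sliding window exceed max_posts. Lines are assumed to be
    in chronological order per IP, as an access log normally is."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent POSTs
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue               # unparseable lines and non-POST traffic are ignored
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_posts:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def _constructed_sample_log():
    """Constructed sample: one source sends 5 POSTs/second for 6 seconds, a normal
    visitor sends a handful of requests, and one malformed line is included."""
    lines = []
    for s in range(6):
        for _ in range(5):
            lines.append(f'203.0.113.7 - - [15/Jan/2024:10:00:{s:02d} +0000] '
                         f'"POST /form-handler HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    visits = [("GET", "/"), ("POST", "/contact"), ("GET", "/about"),
              ("POST", "/contact"), ("POST", "/contact")]
    for i, (method, path) in enumerate(visits):
        lines.append(f'198.51.100.4 - - [15/Jan/2024:10:00:{i * 12:02d} +0000] '
                     f'"{method} {path} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append("this line is not in combined format and is skipped")
    return lines


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    # With the sample above only 203.0.113.7 crosses the threshold (peak of 30 in window).
    for ip, peak in find_post_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs within 10 s")
```

Run against a real log with `find_post_flooders(open(path))` and feed the returned IPs to whatever deny mechanism is in use; the window and threshold should be set from a baseline of legitimate POST rates so that normal form submissions from a shared NAT address are not flagged.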

2 Answers

We can make use of ALB (Application Load Balancer) and/or CloudFront to mitigate DDoS. Please refer to the whitepaper for more details:

answered 2 years ago

Suggest looking to front your application with CloudFront or AWS Global Accelerator or Amazon Route 53 as applicable. Some important points when you leverage these services:

Benefits of using CloudFront, AWS Global Accelerator, and Amazon Route 53 include:

• Access to internet and DDoS mitigation capacity across the AWS Global Edge Network. This is useful in mitigating larger volumetric attacks, which can reach terabit scale.

• AWS Shield DDoS mitigation systems are integrated with AWS edge services, reducing time-to-mitigate from minutes to sub second.

• Stateless SYN Flood mitigation techniques proxy and verify incoming connections before passing them to the protected service. This ensures that only valid connections reach your application while protecting your legitimate end users against false-positive drops.

• Automatic traffic engineering systems that disperse or isolate the impact of large volumetric DDoS attacks. All of these services isolate attacks at the source before they reach your origin, which means less impact on systems protected by these services.

• Application layer defense when combined with AWS WAF that does not require changing current application architecture (for example, in an AWS Region or on-premises data center).

There is no charge for inbound data transfer on AWS, and you do not pay for DDoS attack traffic that is mitigated by AWS Shield.

AWS
answered 2 years ago
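The application-layer point in the answer above (AWS WAF in front of CloudFront or an ALB) maps directly onto the question's traffic: a rate-based rule that counts only POST requests to the two affected hostnames and blocks a source IP once it exceeds a limit. The following is an added example, not code from AWS or from the answer: it builds that rule as a WAFv2 rule definition, using the documented `RateBasedStatement`, `ByteMatchStatement`, `FieldToMatch` (`Method`, `SingleHeader`) and `VisibilityConfig` field names, and serializes it for `aws wafv2 create-web-acl --rules file://rules.json`. The hostnames, rule name and limit are placeholders; the rule is assumed to be attached to a web ACL on the CloudFront distribution or ALB fronting the instance, and the rate limit is assumed to be evaluated over WAFv2's default 5-minute window.

```python
import base64
import json


def _byte_match(field, search, constraint, transform="NONE"):
    """One WAFv2 ByteMatchStatement. SearchString is kept as plain text here;
    to_cli_json() base64-encodes it, which is the form the AWS CLI expects."""
    return {
        "ByteMatchStatement": {
            "SearchString": search,
            "FieldToMatch": field,
            "TextTransformations": [{"Priority": 0, "Type": transform}],
            "PositionalConstraint": constraint,
        }
    }


def build_post_rate_rule(hosts, limit=300, name="block-post-floods", action="Block"):
    """Rate-based rule: block (or count) a source IP once it exceeds `limit` POST
    requests to any of `hosts` within the evaluation window (assumed 5 minutes).
    `limit` is a placeholder to tune; WAFv2 rejects limits below 100."""
    if limit < 100:
        raise ValueError("WAFv2 rate-based rule Limit must be at least 100")
    if not hosts:
        raise ValueError("at least one host is required")
    if action not in ("Block", "Count"):
        raise ValueError("action must be Block or Count")
    host_matches = [
        _byte_match({"SingleHeader": {"Name": "host"}}, h.lower(), "EXACTLY", "LOWERCASE")
        for h in hosts
    ]
    host_stmt = (host_matches[0] if len(host_matches) == 1
                 else {"OrStatement": {"Statements": host_matches}})
    method_stmt = _byte_match({"Method": {}}, "POST", "EXACTLY")
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
                # Only requests matching the scope-down statement are counted, so GETs
                # and the other customers' sites behind the same ACL are unaffected.
                "ScopeDownStatement": {
                    "AndStatement": {"Statements": [method_stmt, host_stmt]}
                },
            }
        },
        # Start with action="Count" to measure how many requests would be blocked
        # before switching to "Block".
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name.replace("-", ""),
        },
    }


def to_cli_json(rule):
    """Serialize a rules list for the AWS CLI. The CLI takes SearchString as a
    base64 blob; boto3 takes raw bytes instead, so this step is CLI-specific."""
    def encode(node):
        if isinstance(node, dict):
            return {k: (base64.b64encode(v.encode()).decode() if k == "SearchString"
                        else encode(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [encode(x) for x in node]
        return node
    return json.dumps([encode(rule)], indent=2)


if __name__ == "__main__":
    # Placeholder hostnames standing in for the two affected sites.
    rule = build_post_rate_rule(["shop.example", "blog.example"], limit=300)
    # For a CloudFront-scoped web ACL the ACL itself must be created in us-east-1.
    print(to_cli_json(rule))
```

Attach the resulting rule to a web ACL with scope `CLOUDFRONT` (for a distribution) or `REGIONAL` (for an ALB); the rule's CloudWatch metric and sampled requests show which source IPs are being rate-limited, which replaces the manual firewall denies described in the question.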
