Questions tagged with DDOS Protection

Hi , how large traffic can ddos shield defend? 500Gbps offen occurs in games industry. I can not find any information about it . thanks

Hello, I have a S3 bucket with images that should be accessible to an email template which will be sent via AWS Pinpoint. The public access to this S3 bucket is blocked ON. I have created an OAI with CloudFront with which I can access the S3 bucket images on the Pinpoint email template. In the AWS documentation, I see that AWS provides DDoS protection with AWS Shield. Now, there are two options AWS Shield Standards and AWS Shield Advanced. Standard is free of charge for everybody and it says tht it is by default availale to everybody. My question is, does the fact that AWS Shield Standard is free and by default used by everybody, mean that I won't get any DDoS attacks by people trying to access the images from the S3 bucket hidden behind CloudFront distribution? Do I need to explicitly do something with AWS Shield Standard of the protection comes by itself? Thanks you in advance.

I want to secure API Gateway (HTTP) with Cloudfront + WAF. After reading [docs](https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/) I think that API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront. Is this approach considered as secure? Cloudflare is using [Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/) to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?

Has anybody had experience with the Amazonbot web crawler? (especially with it looking like a DOS incident) We have a client where their service (hosted on AWS) kept going down until we identified an unusual amount of traffic from an Amazonbot with the User-Agent of "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML\, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)", after blocking it at an Application Load Balancer level via User-Agent Header rules (since modifying the "robots.txt" did not work / wasn't read) the response time of the clients service dropped significantly and has remained up. If anybody knows what generally causes Amazonbot to crawl sites, or how I can identify the cause for this specific client's site, that would be extremely useful, cheers.

How are DDoS costs handled on regional API Gateway public endpoints? In the event of DDoS would there be a charge for the additional caching?