AWS Shield Standard not preventing DDOS?

Question

My website under Route 53 and ALB was flooded once on 12 May but seemed Shield Standard didn't do anything to prevent?

Showing 1000 of 9,828,102 records matched:

```
2022-05-12T08:01:25.024+08:00	51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"

2022-05-12T08:01:25.024+08:00	51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" "-"

2022-05-12T08:01:25.024+08:00	51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"

2022-05-12T08:01:25.024+08:00	51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.024+08:00	51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko" "-"

2022-05-12T08:01:25.274+08:00	163.172.215.59 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	51.15.0.133 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	51.15.0.133 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	51.15.0.133 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	51.15.0.133 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1 (compatible; AdsBot-Google-Mobile; +http://www.google.com/mobile/adsbot.html)" "-"

2022-05-12T08:01:25.274+08:00	175.178.1.47 - - [12/May/2022:00:01:25 +0000] "GET http://azenv.net/ HTTP/1.1" 200 8216 "-" "Go-http-client/1.1" "-"

2022-05-12T08:01:25.274+08:00	20.231.61.213 - - [12/May/2022:00:01:25 +0000] "CONNECT aj-https.my.com:443 HTTP/1.1" 400 157 "-" "-" "-"

2022-05-12T08:01:25.274+08:00	163.172.215.59 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" "-"

2022-05-12T08:01:25.274+08:00	163.172.215.59 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	163.172.215.59 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Linux; Android 5.0; SM-G920A) AppleWebKit (KHTML, like Gecko) Chrome Mobile Safari (compatible; AdsBot-Google-Mobile; +http://www.google.com/mobile/adsbot.html)" "-"

2022-05-12T08:01:25.274+08:00	163.172.215.59 - - [12/May/2022:00:01:25 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"

2022-05-12T08:01:25.274+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.274+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" "-"

2022-05-12T08:01:25.274+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.524+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.18247" "-"

2022-05-12T08:01:25.524+08:00	209.250.242.153 - - [12/May/2022:00:01:25 +0000] "GET http://www.shuishantang88.com/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like 
```

JaccoPK · Answer

It seems to me that this would be a layer 7 attack. Just repeatedly doing http requests. AWS Shield Standard does not protect against this kind of attack.

You can easily implement protection for this kind of attack by attach a WAFv2 rule to the ALB blocking too many requests from the same IP to the ALB.

For additional support and automatic mitigation of these kind of attack you can implement AWS Shield Advanced. This is not free though and the price might not fit your business case.

Timothy_M · Answer

It's important to understand that Shield itself only protects L3/L4 DDoS attacks and it doesn't apply with L7 DDoS Attacks. Shield relies on AWS WAF for mitigation of L7 DDoS.

For a Cloudformation Stack to deploy AWS WAF please refer to the solution below, please read the implementation guide to know the nitty gritty details of this solution.
https://aws.amazon.com/solutions/implementations/aws-waf-security-automations/

AWS Shield Standard not preventing DDOS?

新增您的答案

相關內容