Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are happening at an increasing frequency impacting public-facing web applications. A frightening aspect of a DDoS attack is the financial liability associated with carrying that sudden unwanted traffic associated with an attack. Luckily, Amazon Web Services (AWS) offers a number of options for architecting and hosting web applications with the ability withstand and manage such attacks. This blog post provides an overview of how to architect a DDoS resilient solution based on the AWS whitepaper on DDoS Resiliency. The whitepaper describes 7 best practices for architecting a hosting environment that has the ability to survive a DDoS attack. The following steps are helpful starting points.
Step 1: Understand the 7-layer OSI stack to understand how various layers of the application can be attacked and compromised and the corresponding attack vector.
Step 2: Review the available AWS services and their function and role in protecting various layers of the architecture. There are 7 best practices identified by AWS that can be leveraged to mitigate specific attack vectors.
Step 3: Implement the right architecture that best meets the specific deployment and threat scenario and is tailored to the specific application and data protection requirements.
Best Practice 1: Amazon CloudFront provides protection at the edge by content caching and the AWS Shield service that provided DDoS mitigation.
Best Practice 2: AWS Web-Application Firewall (WAF) provides the ability to setup web access control lists (Web ACLs) to filter and block requests based on request signatures. AWS WAF provides rate-based rules that automatically block IP addresses of bad actors when requests matching a rule exceed a threshold.
Best Practice 3: Amazon Route 53 provides highly available and scalable domain name system (DNS) service that can withstand a DDoS attack and still provide resolution and routing to the website.
Best Practice 4: Amazon API Gateway for protecting API end points by using it as a “front door” to applications running on Amazon EC2, AWS Lambda, or elsewhere and providing a layer of obfuscation.
Best Practice 5: Security Groups and Network Access Control Lists (NACLs) allow for explicit blocking of traffic and controlling network level access to specific ports and origination points. Security Groups allow controlling the traffic flow from and to instances thereby constricting the attack surface and making it more difficult to get through the various layers of the application.
Best Practice 6: Elastic Load Balancing allow managing the load to the underlying infrastructure by triggering a scale-up response. AWS offers various flavors of load balancers including Application Load Balancers (ALB) or Network Load Balancers (NLB). For example, for protecting a web application, an ALB can be used to accept only well-formed web requests and avoid common DDoS attacks, like SYN floods or UDP reflection attacks, which are blocked by ALB.
Best Practice 7: Selecting the right computing instance size and region can help with scaling vertically as well as provide network capacity to deal with DDoS attacks. Selecting a region with internet peering end-points; selecting instance sizes with larger network interfaces are just some of the facets of architecting for resiliency.
There are definitely a host of other ancillary services like AWS CloudWatch for monitoring, alerting and setting metrics for DDoS attack scenarios as well as AWS Firewall Manager for centralized management of AWS WAF services amongst others.
If you are interested in learning more about resiliency, security and compliance, please feel free to reach out and schedule a free consultation.