DDoS attacks, the most lethal way to knock a site offline, are an unfortunate reality of the cloud era. The attacks...
that cause these service interruptions hurt businesses via the significant economic and reputational consequences they face when they lose connectivity for extended periods of time.
Naturally, cloud providers look to mitigate these distributed denial-of-service attacks with what is effectively network access insurance. AWS provides one such tool in AWS Shield, which protects against the most frequent types of Layer 3 and 4 network attacks, such as UDP (User Datagram Protocol) traffic floods, SYN/ACK (synchronization acknowledged) resource exhaustion floods and reflection attacks.
Unfortunately, there are many network protocol holes and too many tools that aim to exploit them, which has created an arms race between increasingly sophisticated attacks and methods to stop them. To keep up, AWS has augmented Shield with additional DDoS attack protection features, including an advanced service tier that defends HTTP applications. The vendor also recently added support for instances accessed via Amazon CloudFront, Route 53 or AWS load balancers.
Shield vs. Shield Advanced
AWS Shield comes in two service tiers. AWS includes the basic Shield tier with all of its services. Shield Advanced is a premium add-on that includes additional features, customization options and support.
The basic version is an innate feature of AWS infrastructure; AWS customers get it whether they realize it or not. While AWS documentation doesn't detail how the basic tier works, AWS claims that it uses resources in all 16 AWS regions and 100-plus CloudFront edge locations.
As mentioned, AWS Shield automatically defends against the most common network and transport layer attacks -- known as Layers 3 and 4 -- and AWS also claims that it protects against all known attacks on those layers when you use CloudFront and Route 53, with more than 99% of attacks mitigated in under one second.
AWS Shield protection gets better when you use Route 53 as a domain name system (DNS) and CloudFront as a content delivery network (CDN). Specifically, Route 53 performs DNS header validation and maintains a list of known good and bad resolvers to blacklist open DNS sites commonly used in DNS amplification attacks. The service also uses techniques like shuffle sharding and anycast striping to increase DNS fault tolerance, spread load and reduce latency.
CloudFront has a similar set of included features. The service only accepts valid HTTP and TCP requests and automatically drops off traffic on non-HTTP ports that can be abused for traffic floods. Additionally, using Shield with CloudFront protects against slow-reading or -writing attackers and collapses multiple page requests -- many of which will miss the CDN cache in a DDoS attack -- into a single request to avoid blocking legitimate requests in a long cache queue.
Shield Advanced features
AWS Shield Advanced adds application layer protection to resources, along with enhanced detection and visibility features. For example, to protect an Elastic IP, Shield Advanced will move network access control lists (ACLs) out of your Amazon Virtual Private Cloud (VPC) to the AWS border network. This helps provide more capacity to handle massive DDoS attacks and enables the VPC -- which typically has ingress capacities in the range of 1 to 10 Gbps -- to process ACLs using the multi-Tbps AWS edge network, all without saturating your link.
Shield Advanced also uses customer-specific traffic analysis to identify anomalies and provide further DDoS attack protection. Additionally, the service provides cost protection against usage spikes in EC2, load balancers, CloudFront and Route 53 that result from a DDoS attack.
Furthermore, Shield Advanced adds AWS Web Application Firewall (WAF), which you can customize via rule sets at no cost. AWS offers preconfigured WAF rules that block a variety of different DDoS and malware attacks, including bots, SQL injection, cross-site scripting and HTTP floods. AWS Marketplace also offers managed WAF rules that are selected, written and managed by security experts at firms like Alert Logic, F5 Networks, Fortinet, Imperva and Trend Micro.
Shield Advanced also provides access to an AWS DDoS Response Team (DRT) to help with complicated, sustained attacks. The DRT develops custom DDoS attack protection techniques, such as tightening ACLs or deploying new WAF rules.
Third-party DDoS attack protection tools
DDoS mitigation services have been around for more than a decade. Companies like Prolexic pioneered the concept of specialized network services and operations teams designed to thwart burgeoning DDoS threats. The market now includes firms like Cloudflare, Verisign, Akamai, Incapsula and Sucuri, along with services from the other major cloud vendors and network carriers, such as Level 3, Verizon and AT&T.
Google's Project Shield offers perhaps the most effective DDoS defense in the market due to Google's massive network infrastructure. Project Shield is free, but it's only available to high-profile targets, like news, human rights and election monitoring organizations, as well as individual journalists and some political organizations.
Third-party DDoS mitigation services can help organizations host applications and sites on their own infrastructure or at colocation facilities without a carrier-provided DDoS mitigation service. Organizations that host vulnerable applications on self-managed infrastructure might use third-party services to migrate their sites, where they can take advantage of its scalable infrastructure, network capacity, global content delivery footprint and built-in DDoS protection.
That said, AWS Shield's competitive features, backed by Amazon's advanced infrastructure, give AWS customers little reason to look elsewhere.