Oliver Berger | Fri, 27 Sep 2019
Recently we've had a number of customers ask us whether they can use our Real Time Events product to detect the creation of new resources and immediately add them to Shield, to which the answer is a resounding yes. We've seen a couple of users try this already, with the result that Distributed Denial of Service (DDoS) protection is enabled within seconds of spinning up resources. The user simply uses GorillaStack to detect the CloudTrail event that is triggered by the creation of a new resource. GorillaStack then triggers a Lambda function that adds the resource to AWS Shield.
DDoS attacks are designed to make a service unavailable by sending so much traffic to it that it does not have the capacity to cope. This is usually achieved using multiple compromised machines (collectively known as a botnet) to send huge volumes of requests to the victim's infrastructure. Shield is a service provided by Amazon Web Services that constantly monitors traffic and actively mitigates DDoS attacks as they take place.
All AWS customers are automatically protected by Shield Standard at no additional cost. Shield Standard does most of its work protecting against network and transport layer attacks in CloudFront and Amazon Route53.
Customers can opt into Shield Advanced, which provides deeper DDoS protection for web applications that use Elastic Load Balancers (ELB) and EC2 instances. Customers also get some protection against costs incurred during DDoS attacks.
Shield Advanced customers with Business or Enterprise support plans also get access to a 24x7 DDoS Response Team (DRT), advanced visibility, metrics, reports and better attack detection and mitigation.
AWS WAF is also included for Shield Advanced customers at no extra cost. We explore WAF below.
AWS Shield observes traffic at the network and transport layers (OSI layers 3 and 4 respectively) to protect AWS resources from DDoS attacks. The protection for Shield Standard is available as a part of the CloudFront and Route53 products.
Shield Advanced customers register their AWS Resources (Elastic IPs, Load Balancers) with Shield. Then, customers create web ACLs with rate-based rules and WAF rules to protect their resources. Shield Advanced also monitors application layer (layer 7) DDoS attacks like HTTP or DNS flooding, with customers notified of attacks through a CloudWatch Alarm.
Optionally, Shield Advanced customers can allow the AWS DDoS Response Team (DRT) access to their account to modify WAF rules and web ACLs in response to attacks.
With Shield Advanced, it is important to continue to register resources that you want protected, while also remaining conscious of limits (1000 resource limit for each resource type covered).
If you are interested in how to automatically register resources with Shield as they are created, see our Real Time Events product.
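The detect-then-register flow described above (CloudTrail creation event, Lambda, Shield protection), as an added example that is not GorillaStack's or AWS's own code. It assumes the Lambda receives the raw CloudTrail record, that `responseElements` carries the fields the EC2 `AllocateAddress` and ELBv2 `CreateLoadBalancer` responses return, and that the execution role may call `shield:CreateProtection`; it also handles the two outcomes you will hit in practice, replayed events for an already protected resource and the per-type protection limit.

```python
"""Added example, not GorillaStack's or AWS's own code: a Lambda handler that
registers a newly created Elastic IP or load balancer with Shield Advanced.
Assumptions: the handler gets the raw CloudTrail record, responseElements match
the EC2/ELBv2 API responses, and the role is allowed shield:CreateProtection."""

def _eip_arn(r):
    # AllocateAddress: Shield expects arn:aws:ec2:REGION:ACCOUNT:eip-allocation/ID
    return (f"arn:aws:ec2:{r['awsRegion']}:{r['recipientAccountId']}"
            f":eip-allocation/{r['responseElements']['allocationId']}")

def _elbv2_arn(r):
    # CreateLoadBalancer (ELBv2) returns the load balancer ARN in the response.
    return r["responseElements"]["loadBalancers"][0]["loadBalancerArn"]

# (eventSource, eventName) of creation calls -> builder of the Shield ARN.
CREATORS = {
    ("ec2.amazonaws.com", "AllocateAddress"): _eip_arn,
    ("elasticloadbalancing.amazonaws.com", "CreateLoadBalancer"): _elbv2_arn,
}

# Constructed sample record (not a real account) in CloudTrail's shape.
SAMPLE = {"eventSource": "ec2.amazonaws.com", "eventName": "AllocateAddress",
          "awsRegion": "ap-southeast-2", "recipientAccountId": "123456789012",
          "responseElements": {"allocationId": "eipalloc-0abc"}}

def resource_arn(record):
    """ARN to protect, or None unless this is a successful creation we support."""
    if record.get("errorCode"):  # CloudTrail also logs failed calls
        return None
    build = CREATORS.get((record.get("eventSource"), record.get("eventName")))
    return build(record) if build else None

def register(record, shield):
    """Register the created resource; returns 'protected', 'already-protected',
    'limit' or 'ignored' so the outcome can be logged or alarmed on."""
    arn = resource_arn(record)
    if arn is None:
        return "ignored"
    try:  # protection names are unique per account, 1-128 chars: use the id
        shield.create_protection(Name=arn.rsplit("/", 1)[-1][:128], ResourceArn=arn)
        return "protected"
    except shield.exceptions.ResourceAlreadyExistsException:
        return "already-protected"  # replayed or duplicate events are harmless
    except shield.exceptions.LimitsExceededException:
        return "limit"  # 1000 protections per resource type: alarm on this

def handler(event, context):
    import boto3  # lazy so the parsing above runs without boto3 installed
    record = event.get("detail", event)  # EventBridge wraps the record in "detail"
    return register(record, boto3.client("shield", region_name="us-east-1"))
```

Wire the `limit` outcome to a CloudWatch alarm or notification, since a resource left unregistered at that point is exactly the gap the 1000-per-type quota creates.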
AWS Shield Standard is automatically enabled and, according to AWS, is appropriate for 97% of attacks. That being said, whether you're using Standard or Advanced, Amazon still recommends that you use CloudTrail and CloudWatch to closely monitor your services.
Outside of AWS, Akamai and CloudFlare have well-regarded DDoS protection services and could be considered.
AWS WAF is a web application firewall that allows or blocks incoming requests based on configured rules. WAF sits in front of an API Gateway API, a CloudFront distribution or an Application Load Balancer and lets customers filter inbound traffic based on IP address, country, bad headers, or requests that likely contain an XSS or SQL injection attack.
AWS Shield and WAF are closely related in their purpose and how they are presented commercially. A subscription for Shield Advanced even includes AWS WAF at no extra cost.
Let’s try to categorize these in a table.

| | AWS Shield | AWS WAF |
|---|---|---|
| Purpose | Prevent Distributed Denial of Service (DDoS) attacks | Block malicious or unauthorized requests to your resources |
| Layer | Network (3), Transport (4) and, for Shield Advanced customers, Application (7) | Application layer (7) |
| Typical attack types prevented | UDP reflection, SYN flood, DNS flood, HTTP flood | SQL injection (SQLi), cross-site scripting (XSS), untrusted IPs or geographies |
As mentioned above, if you have Shield Advanced, resources aren’t necessarily covered automatically: you have to opt them in. You’ll want to ensure that all relevant resources are covered by Shield as soon as they’re created. GorillaStack’s Real Time Events product can automatically detect the event that is emitted when a resource is created and trigger the coverage within seconds. Give it a try today.