AWS News Blog

AWS Shield – Protect your Applications from DDoS Attacks

The online world can be an unfriendly place! As soon as you put a web site online, it can become the target of many different types of attacks, all aimed at causing trouble and taking the site offline. DDoS (Distributed Denial of Service) attacks are one very common trouble spot. They draw on compromised resources all over the web and focus their activities on a designated target.

There are three common types of DDoS attacks:

Application-Layer Attacks consist of well-formed but malicious requests (HTTP GETs and DNS queries are popular) that are designed to consume application resources. For example, opening up multiple HTTP connections and reading the responses over the course of many seconds or minutes will consume excessive memory and prevent legitimate requests from being serviced.

State-Exhaustion Attacks abuse stateful protocols and cause stress on firewalls and load balancers by consuming large numbers of per-connection resources.

Volumetric Attacks disrupt networks by flooding them with more traffic than they can handle or by issuing fake queries that will flood an unsuspecting victim with a surprising amount of low-level “surprise” replies (also known as Reflection attacks).

New – AWS Shield
AWS Shield is a new managed service that protects your web applications against DDoS (Distributed Denial of Service) attacks. It works in conjunction with Elastic Load Balancing, Amazon CloudFront, and Amazon Route 53 and protects you from DDoS attacks of many types, shapes, and sizes. There are two tiers of service:

AWS Shield Standard is available to all AWS customers at no extra cost. It protects you from 96% of the most common attacks today, including SYN/ACK floods, Reflection attacks, and HTTP slow reads. This protection is applied automatically and transparently to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources.

AWS Shield Advanced provides additional DDoS mitigation capability for volumetric attacks, intelligent attack detection, and mitigation for attacks at the application & network layers. You get 24×7 access to our DDoS Response Team (DRT) for custom mitigation during attacks, advanced real time metrics and reports, and DDoS cost protection to guard against bill spikes in the aftermath of a DDoS attack.

To learn more, read about AWS Shield or Get Started with AWS Shield Advanced, or register for our webinar on December 15th.



Jeff Barr

Jeff Barr

Jeff Barr is Chief Evangelist for AWS. He started this blog in 2004 and has been writing posts just about non-stop ever since.