How to defend your games against DDoS attacks
Distributed Denial of Service (DDoS) attacks are a common threat that online services have faced for multiple decades. As DDoS attacks continue to grow more powerful, it becomes increasingly important to ensure that companies are protecting their infrastructure. This especially applies to games operating as live services and need to ensure a good launch & patch experience to retain players. In this post we will detail a variety of services available on AWS to help game studios combat the threat of DDoS attacks.
First, what exactly is a DDoS attack? A DDoS attack is a deliberate attempt to make a website or application unavailable to users. This is often achieved by flooding a target with a large amount of traffic from multiple sources attempting to overload your server capacity and prevent actual user traffic from getting through and engaging with your application. There are many different types of DDoS attacks and mitigation methods can vary per type, but all share the same goal of making an application unusable for the duration of the attack.
On AWS, your first line of defense against DDoS attacks is AWS Shield Standard. AWS Shield Standard provides protection against common and most frequent Layer 3 & 4 attacks like SYN/UDP Floods, reflection attacks, and others. AWS Shield Standard does this by providing always-on network flow monitoring to detect malicious traffic in real-time. AWS Shield Standard will automatically mitigate attacks inline so there is minimal latency impact. AWS Shield Standard comes with no additional cost and is automatically applied to supported AWS services.
Another mitigation technique available is to utilize the scale of AWS’s Edge services. Using AWS CloudFront, with its more than 275 points of presence, will distribute and assist in mitigating incoming DDoS attacks across the AWS Global Edge Network. This will be useful in mitigating larger scale attacks, reducing the time-to-mitigate, isolating DDoS attacks close to their source, and preventing many malicious connections from reaching your applications origin. This is all in addition to more general benefits that CloudFront has with gaming workloads such as caching game downloads, user content, and patches for faster and more reliable delivery to players.
In addition to the lower-level mitigations we’ve discussed, the primary application layer defense for applications on AWS is AWS Web Application Firewall (WAF). AWS WAF protects applications deployed on Amazon CloudFront, Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync from common web exploits such as SQL injection and cross-site scripting. In addition to custom WAF rules to protect your game and/or associated applications, AWS WAF also offers managed rules written by security experts which make it easy to get started. AWS WAF also offers Bot Control to monitor and protect your game against common bot traffic. For a deeper dive into automated bot detection and protection using WAF, see the following blog post.
Beyond AWS Shield Standard, AWS offers AWS Shield Advanced for customers interested in higher levels of protection. AWS Shield Advanced provides customers with application layer attack detection via anomaly detection on baseline traffic, automatic deployment of additional mitigation capacity, DDoS cost protection, and AWS WAF and Firewall Manager included in the cost of AWS Shield Advanced. In addition to the above functionality, AWS Shield Advanced also includes access to the AWS Shield Response Team (SRT). The SRT can be engaged before, during, or after a DDoS event and, if you allow them, can apply custom WAF rules and other manual mitigations during an event to reduce the amount of time your application is impacted. The SRT will work with you to build mitigations that are customized to your game logic and protect traffic that is most likely to have originated from your actual players.
As we’ve seen games be a more frequent target of DDoS attacks, it is increasingly important to have a mitigation strategy for your application. AWS has offerings to protect your application at layers 3 & 4 with AWS Shield Standard, distribute your application to the edge with AWS CloudFront, protect against application layer attacks with AWS WAF, and provide enhanced attack detection, response, and cost mitigation with AWS Shield Advanced.
If you are looking for additional steps that can be taken to protect against DDoS attacks, please see the AWS Best Practices for DDoS Resiliency whitepaper which goes over additional techniques beyond what were mentioned in this blog post. Similarly, if you are looking for further information on the services discussed in this blog, please follow the service links included for additional documentation and Getting Started guides.