How can I defend against DDoS attacks with Shield Standard?
Last updated: 2022-08-17
I want to protect my application from Distributed Denial of Service (DDoS) attacks with AWS Shield Standard. How can I do this?
AWS Shield Standard is a managed threat protection service that protects the perimeter of your application. Shield Standard provides automatic threat protection at no additional charge. You can use Shield Standard to protect your application at the edge of the AWS network using Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. These AWS services receive protection against all known network and transport layer attacks. To defend against layer 7 DDoS attacks, you can use AWS WAF.
To protect your application from DDoS attacks with Shield Standard, it's a best practice to follow these guidelines for your application architecture:
- Reduce the attack surface area
- Be ready to scale and absorb the attack
- Safeguard exposed resources
- Monitor application behavior
- Create a plan for attacks
Reduce the attack surface area
- To make sure that only expected traffic reaches your application, use network access control lists (ACLs) and security groups.
- Use the AWS managed prefix list for CloudFront to limit inbound HTTP/HTTPS traffic to your origins to only the IP addresses that belong to CloudFront origin-facing servers.
- Deploy the backend resources hosting your application inside private subnets.
- To reduce the likelihood of malicious traffic reaching your application directly, avoid allocating Elastic IP addresses to your backend resources.
For more information, see Attack surface reduction.
Be ready to scale and absorb the DDoS attack
- Protect your application at the edge of the AWS network using CloudFront, Global Accelerator, and Route 53.
- Absorb and distribute excess traffic with Elastic Load Balancing.
- Scale horizontally on-demand with AWS Auto Scaling.
- Scale vertically by using the optimal Amazon Elastic Compute Cloud (Amazon EC2) instance types for your application.
- Activate enhanced networking on your Amazon EC2 instances.
- Activate API caching to enhance responsiveness.
- Optimize caching on CloudFront.
- Use CloudFront Origin Shield to further reduce requests for caching content to the origin.
For more information, see Mitigation techniques.
Safeguard exposed resources
- Configure AWS WAF with a rate-based rule in block mode to defend against request flood attacks.
Note: You must have CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync configured to use AWS WAF.
- Use CloudFront geographic restrictions to block users from countries that you don't want to access your content.
- Use burst limits for each method of your Amazon API Gateway REST APIs to protect your API endpoint from being overwhelmed by requests.
- Use origin access identity (OAI) with your Amazon Simple Storage Service (Amazon S3) buckets.
- Set up the API key as the X-API-Key header of each incoming request to protect your Amazon API Gateway against direct access.
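As an added example (not code from the original article or from AWS), the following Python audits a WAFv2 web ACL description for the rate-based rule recommended above and checks that its action is Block rather than Count, since a Count-mode rule only records matching requests and does not stop a flood. It assumes the web ACL dict has the shape returned by `wafv2.get_web_acl()["WebACL"]`; the sample web ACL and the 2000-request limit are constructed values.

```python
# Added example, not from the original article: audit a WAFv2 web ACL for a
# rate-based rule in Block mode and build one if it is missing. The dict shape
# matches wafv2.get_web_acl()["WebACL"]; the sample at the bottom is constructed.

RATE_LIMIT = 2000  # requests per source IP per 5-minute window (assumed value)


def rate_based_block_rule(name, limit=RATE_LIMIT, priority=0):
    """Rule that blocks any source IP sending more than `limit` requests in 5 minutes."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def blocking_rate_rules(web_acl):
    """Names of rate-based rules whose action is Block."""
    return [r["Name"] for r in web_acl.get("Rules", [])
            if "RateBasedStatement" in r.get("Statement", {})
            and "Block" in r.get("Action", {})]


def audit_rate_rules(web_acl):
    """Return findings; an empty list means a blocking rate-based rule is present."""
    findings = []
    for rule in web_acl.get("Rules", []):
        if "RateBasedStatement" in rule.get("Statement", {}) and "Block" not in rule.get("Action", {}):
            findings.append(f"{rule['Name']}: rate-based rule is not in Block mode")
    if not blocking_rate_rules(web_acl):
        findings.append("no rate-based rule with a Block action")
    return findings


def ensure_blocking_rate_rule(web_acl, name="RateLimitPerIP"):
    """Return the web ACL unchanged, or a copy with a blocking rate rule appended."""
    if blocking_rate_rules(web_acl):
        return web_acl
    rules = list(web_acl.get("Rules", []))
    next_priority = max((r["Priority"] for r in rules), default=-1) + 1
    return {**web_acl, "Rules": rules + [rate_based_block_rule(name, priority=next_priority)]}


# Constructed sample: the rate-based rule was left in Count mode.
SAMPLE_WEB_ACL = {
    "Name": "example-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [{"Name": "RateLimitCountOnly", "Priority": 0,
               "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
               "Action": {"Count": {}}}],
}
```

Feed the dict from a real `get_web_acl` call into `audit_rate_rules` to check an existing web ACL, and pass the result of `ensure_blocking_rate_rule` to `update_web_acl` to apply the fix.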
Monitor application behavior
- Create Amazon CloudWatch dashboards to establish a baseline of your application's key metrics such as traffic patterns and resource use.
- Enhance the visibility of your CloudWatch logs with the Centralized Logging solution.
- Configure CloudWatch alarms to automatically scale the application in response to a DDoS attack.
- Create Route 53 health checks to monitor the health of your application and manage traffic failover for your application in response to a DDoS attack.
For more information, see AWS Application Auto Scaling monitoring.
Create a plan for DDoS attacks
- Develop a runbook in advance so that you can respond to DDoS attacks in an efficient and timely manner. For guidance on creating a runbook, see the AWS Security Incident Response Guide. You can also review this example runbook.
- Use the aws-lambda-shield-engagement script to quickly log a ticket to AWS Support during an impacting DDoS attack.
- Shield Standard offers protection against infrastructure-based DDoS attacks occurring at layers 3 and 4 of the OSI model. To defend against layer 7 DDoS attacks, you can use AWS WAF.
For more information on how to protect your application from DDoS attacks, see AWS best practices for DDoS resiliency.