How can I defend against DDoS attacks with Shield Standard?

4 minute read

I want to protect my application from Distributed Denial of Service (DDoS) attacks with AWS Shield Standard.

Short description

AWS Shield Standard is a managed threat protection service that protects the perimeter of your application. Shield Standard provides automatic threat protection at no additional charge. You can use Shield Standard to protect your application at the edge of the AWS network using Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. These AWS services receive protection against all known network and transport layer attacks. To defend against layer 7 DDoS attacks, you can use AWS WAF.

To protect your application from DDoS attacks with Shield Standard, it's a best practice to follow these guidelines for your application architecture:

Reduce the attack area surface
Be ready to scale and absorb the attack
Safeguard exposed resources
Monitor application behavior
Create a plan for attacks

Resolution

Reduce the attack area surface

To make sure that only expected traffic reaches your application, use network access control lists (network ACLs) and security groups.
Use the AWS managed prefix list for CloudFront. You can limit the inbound HTTP or HTTPS traffic to your origins from only the IP addresses that belong to CloudFront origin-facing servers.
Deploy the backend resources hosting your application inside private subnets.
To reduce the likelihood of malicious traffic reaching your application directly, avoid allocating Elastic IP addresses to your backend resources.

For more information, see Attack surface reduction.

Be ready to scale and absorb the DDoS attack

Protect your application at the edge of the AWS network using CloudFront, Global Accelerator, and Route 53.
Absorb and distribute excess traffic with Elastic Load Balancing.
Scale horizontally on-demand with AWS Auto Scaling.
Scale vertically by using the optimal Amazon Elastic Compute Cloud (Amazon EC2) instance types for your application.
Activate enhanced networking on your Amazon EC2 instances.
Activate API caching to enhance responsiveness.
Optimize caching on CloudFront.
Use CloudFront Origin Shield to further reduce requests for caching content to the origin.

For more information, see Mitigation techniques.

Safeguard exposed resources

Configure AWS WAF with a rate-based rule in block mode to defend against request flood attacks.
Note: You must have CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync configured to use AWS WAF.
Use CloudFront geographic restrictions to prevent users originating from countries that you don't want to access your content.
Use burst limits for each method with your Amazon API Gateway REST APIs to protect your API endpoint from being overwhelmed by requests .
Use origin access identity (OAI) with your Amazon Simple Storage Service (Amazon S3) buckets.
Set up the API key as the X-API-Key header of each incoming request to protect your Amazon API Gateway against direct access.

Monitor application behavior

Create Amazon CloudWatch dashboards to establish a baseline of your application's key metrics such as traffic patterns and resource use.
Enhance the visibility of your CloudWatch logs with the Centralized Logging solution.
Configure CloudWatch alarms to automatically scale the application in response to a DDoS attack.
Create Route 53 health checks to monitor the health of your application and manage traffic failover for your application in response to a DDoS attack.

For more information, see AWS Application Auto Scaling monitoring.

Create a plan for DDoS attacks

Develop a runbook in advance so that you can respond to DDoS attacks in an efficient and timely manner. For guidance on creating a runbook see the AWS security incident response guide. You can also review this example runbook.
Use the aws-lambda-shield-engagement script to quickly log a ticket to AWS Support during an impacting DDoS attack.
Shield Standard offers protection against infrastructure-based DDoS attacks occurring at layers 3 and 4 of the OSI model. To defend against layer 7 DDoS attacks, you can use AWS WAF.

For more information on how to protect your application from DDoS attacks, see AWS best practices for DDoS resiliency.

Related information

How to help protect dynamic web applications against DDoS attacks by using CloudFront and Route 53

How to protect your web application against DDoS attacks by using Route 53 and an external content delivery network

How to protect a self-managed DNS service against DDoS attacks using AWS Global Accelerator and AWS Shield Advanced

Testing and tuning your AWS WAF protections

How can I simulate a DDoS attack to test Shield Advanced?

Topics

Security, Identity, & Compliance

Relevant content

Are Lightsail instances protected against DDOS by default using AWS Shield Standard ?
Accepted Answer
rePost-User-2758834
asked a year ago
AWS SHIELD STANDARD LOGGING
Accepted Answer
rePost-User-4631519
asked a year ago
how large traffic can ddos shield defend? 500Gbps offen occurs in games industry.
AWS-User-1002523
asked 2 years ago
AWS Shield Standard not preventing DDOS?
ondemand
asked 2 years ago
Baby DDOS Attacks Triggering AWS Shield Standard Throttling ? Causing ICMP to Fail.
stumped
asked 10 months ago
How do I protect my AWS resources from DDoS attacks?
AWS OFFICIALUpdated 3 months ago
How do I mitigate DDoS attacks using AWS WAF?
AWS OFFICIALUpdated 2 years ago
How can I simulate a DDoS attack to test Shield Advanced?
AWS OFFICIALUpdated 2 years ago
How many resources can Shield Advanced protect?
AWS OFFICIALUpdated a year ago
Preparing for Election Season with AWS Countdown Premium
EXPERT
Atul Anand
published 6 days ago