AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or Elastic Load Balancing (ELB) in the following AWS Regions - Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt, London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, and Mumbai.
Seamless integration and deployment
Your AWS resources automatically have AWS Shield Standard and are protected from common, most frequently occurring network and transport layer DDoS attacks. You can achieve a higher level of defense by simply enabling AWS Shield Advanced protection for Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53 resources you want to protect using the management console or APIs. No routing changes are required for enabling these protections.
With AWS Shield Advanced, you have the flexibility to choose the resources to protect for infrastructure (Layer 3 and 4) protection. You can write customized rules with AWS WAF to mitigate sophisticated application layer attacks. These customizable rules can be deployed instantly, allowing you to quickly mitigate attacks. You can set up rules proactively to automatically block bad traffic, or respond to incidents as they occur. You also have 24x7 access to the AWS DDoS Response Team (DRT), who can write rules on your behalf to mitigate application layer DDoS attacks.
Managed Protection and Attack Visibility
With AWS Shield Standard you get always-on heuristics-based network flow monitoring and inline mitigation against common, most frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced provides enhanced resource specific detection and employs advanced mitigation and routing techniques for sophisticated or larger attacks. You also get 24x7 access to the AWS DDoS Response Team (DRT) for manual mitigation of edge cases affecting your availability. AWS Shield Advanced also provides visibility and insights into all your DDoS incidents through AWS CloudWatch metrics and attack diagnostics. Finally, you can also see the DDoS threat environment on AWS with the Global threat environment dashboard.
With AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. With AWS Advanced, customers get AWS WAF and AWS Firewall Manager at no additional cost for usage on resources protected by AWS Shield Advanced. Additionally, you get "DDoS cost protection for scaling", a feature that protects your AWS bill from usage spikes on your AWS Shield Advanced protected EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources as a result of a DDoS attack.
Protection use cases
Web applications and APIs
When using Amazon CloudFront, AWS Shield Standard automatically provides comprehensive protection against infrastructure layer attacks like SYN floods, UDP floods, or other Reflection attacks. AWS Shield Standard’s always-on detection and mitigation systems automatically scrubs bad traffic at Layer 3 and 4 to protect your application. Over 99% of infrastructure layer attacks detected by AWS Shield Standard are automatically mitigated in less than 1 second for attacks on Amazon CloudFront.
Learn how to use Amazon CloudFront to Protect your Dynamic applications from DDoS attacks.
For additional protection against large and sophisticated DDoS attacks, you can also use AWS Shield Advanced on Amazon CloudFront. With Shield Advanced, customers get 24X7 access to the AWS DDoS Response Team (DRT), who proactively apply any mitigations necessary for any sophisticated infrastructure layer (Layer 3 or 4) attacks using additional techniques like traffic engineering. In addition, AWS Shield Advanced also protects you against application layer attacks, like HTTP floods. AWS Shield Advanced’s always-on built-in detection system baseline’s customer’s stead state application traffic and monitors for any anomalies. AWS Shield Advanced includes AWS WAF at no additional cost allowing you to customize any application layer mitigation.
Alex Graham, Sr. Operations Engineer, Slack Technologies, Inc.
AWS Shield Standard automatically protects your Amazon Route 53 Hosted Zones from infrastructure layer DDoS attacks at no additional cost. This includes attacks like Reflection attacks or SYN floods that frequently target your DNS. AWS Shield Standard automatically uses various techniques like header validations and priority-based traffic shaping to automatically mitigate these DDoS attacks.
In addition, AWS Shield Advanced provides additional protection for extreme scenarios when manual intervention via the 24x7 access to the AWS DDoS Response Team is required. Further, AWS Shield Advanced also provides visibility into the attacks on your Route 53 infrastructure.
Learn more about How to Reduce DDoS Risks Using Amazon Route 53 and AWS Shield.
Other applications (like UDP-based applications)
For other custom applications, which are not based on TCP (like UDP, SIP, etc.), you cannot use services like Amazon CloudFront or Elastic Load Balancing. In these cases, you often need to run your applications directly on internet-facing Amazon EC2 instances. AWS Shield Standard also protects your Amazon EC2 instance from common infrastructure layer (Layer 3 and 4) DDoS attacks like UDP reflection attacks, like DNS reflection, NTP reflection, SSDP reflection, etc. AWS Shield Standard uses various techniques like priority-based traffic shaping which are automatically engaged when a well-defined DDoS attack signature is detected.
You can also get advanced protection against large and sophisticated DDoS attacks for these applications by enabling AWS Shield Advanced on Elastic IP address. AWS Shield Advanced’s enhanced DDoS detection automatically detects the type of AWS Resource and size of EC2 instance and applies appropriate pre-defined mitigations. With AWS Shield Advanced, customers can also create their own custom mitigation profiles by engaging the 24X7 AWS DDoS Response Team (DRT). AWS Shield Advanced also ensures that, during a DDoS attack, all your Amazon VPC Network Access Control Lists (ACLs) are automatically enforced at the border of the AWS network giving you access to additional bandwidth and scrubbing capacity to mitigate large volumetric DDoS attacks. With AWS Shield Advanced, you can get additional protection against DDoS attacks like SYN floods or other vectors like UDP floods.
Learn more about Attaching Elastic IP to an Amazon EC2 Instance.
Case study: High-performance DDoS Protection
William Hill has built a high-performance DDoS and Edge Protection platform using AWS services - (Amazon CloudFront, AWS Shield Advanced, AWS WAF, Amazon EC2 R5 Instances, AWS Lambda, Amazon DynamoDB and Amazon Kinesis Data Streams). The solution has been effective in mitigating a 177 Gbps DDoS attack and 48 million attempted exploits (so far in 2019) from across 121,000 IP addresses and 196 countries. In addition, their build successfully blocked 63 million requests from 180,000 IP addresses from 202 countries - all trying to scrape pricing and event data, which if successful would have been highly detrimental to the business and customer experience.
Ryan Algar, Technical Specialist, William Hill
Peter Tilsen, Sr. Solutions Architect, AWS