AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 charges.

AWS Shield Advanced is available globally on all Amazon CloudFront and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or Elastic Load Balancing (ELB) in the following AWS Regions - Northern Virginia, Oregon, Ireland, Tokyo, and Northern California.

Integration

With AWS Shield Standard your AWS resources are automatically protected from common, most frequently occurring network and transport layer DDoS attacks. You can achieve a higher level of defense by simply enabling AWS Shield Advanced protection for Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53 resources you want to protect using the management console or APIs.

Customization

With AWS Shield Advanced, you have the flexibility to write customized rules to mitigate sophisticated application layer attacks. These customizable rules can be deployed instantly, allowing you to quickly mitigate attacks. You can set up rules proactively to automatically block bad traffic, or respond to incidents as they occur. You also have 24x7 access to the AWS DDoS Response Team (DRT), who can write rules on your behalf to mitigate application layer DDoS attacks.

Low Cost

As an AWS customer, you automatically get network layer protection against the most common DDoS attacks with AWS Shield Standard. This protection does not require additional cost, resources, or time to initiate. With AWS Shield Advanced, you get "DDoS cost protection", a feature that protects your AWS bill from EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 usage spikes as a result of a DDoS attack.

Quick Detection

AWS Shield Standard provides always-on network flow monitoring, which inspects incoming traffic to AWS and uses a combination of traffic signatures, anomaly algorithms and other analysis techniques to detect malicious traffic in real time.

Inline Attack Mitigation

Automated mitigation techniques are built into AWS Shield Standard, giving you protection against the most common, frequently occurring infrastructure attacks. Automatic mitigations are applied inline to your applications, so there is no latency impact. AWS Shield Standard uses several techniques, such as deterministic packet filtering and priority-based traffic shaping, to automatically mitigate attacks without impact to your applications. You can also mitigate application layer DDoS attacks by writing rules using AWS WAF. With AWS WAF you only pay for what you use.

Always-on detection and inline mitigation minimize application downtime, and you do not need to engage AWS Support to receive DDoS protection.

Specialized Support

With AWS Shield Advanced you have 24x7 access to the AWS DDoS Response Team (DRT), who can be engaged before, during, or after a DDoS attack. The DRT will help triage the incidents, identify root causes, and apply mitigations on your behalf. You can also engage with the DRT for any post attack analysis.

Advanced Attack Mitigation

AWS Shield Advanced provides you with more sophisticated automatic mitigations. Using advanced routing techniques, AWS Shield Advanced automatically provides additional mitigation capacity to protect against larger DDoS attacks. The AWS DDoS Response Team (DRT) also applies manual mitigations for more complex and sophisticated DDoS attacks. For application layer attacks, you can use AWS WAF to respond to incidents. With AWS WAF you can set up proactive rules like Rate Based Blacklisting to automatically block bad traffic, or respond immediately to incidents as they happen. There is no additional charge for using AWS WAF for application layer protection. You can also engage directly with the DRT to place AWS WAF rules on your behalf, in response to an application layer DDoS attack. The DRT will diagnose the attack and, with your permission, apply mitigations on your behalf.
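The rate-based blocking described above, as an added example that is not part of the original page and not AWS code: a sliding-window per-IP request counter run over constructed access-log lines, modelled on how a WAF rate-based rule evaluates a trailing window and lifts the block once the rate drops. The 5-minute window, the request limit and the tab-separated log format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (CloudFront-style tab-separated fields:
# date, time, client IP, method, URI). Not real traffic.
SAMPLE_LOG = [
    "2024-01-01\t12:00:00\t198.51.100.7\tGET\t/index.html",
    "2024-01-01\t12:00:30\t198.51.100.7\tGET\t/about.html",
] + [
    # 203.0.113.10 sends 12 requests in 60 s: an HTTP-flood style burst
    f"2024-01-01\t12:01:{i:02d}\t203.0.113.10\tGET\t/login"
    for i in range(0, 60, 5)
] + [
    # the legitimate client keeps a low, steady rate
    "2024-01-01\t12:03:00\t198.51.100.7\tGET\t/contact.html",
    # the flood source goes quiet; once the window expires it is allowed again
    "2024-01-01\t12:07:10\t203.0.113.10\tGET\t/index.html",
]


def parse_line(line):
    """Return (timestamp, client_ip) from one constructed log line."""
    date, time, ip, _method, _uri = line.split("\t")
    return datetime.fromisoformat(f"{date}T{time}"), ip


def rate_based_eval(lines, limit=10, window=timedelta(minutes=5)):
    """Per-IP sliding-window rate check (assumed model of a WAF rate-based rule).

    Returns (blocked_events, allowed_count). blocked_events lists (timestamp, ip)
    for each request that arrived while that IP's count in the trailing window
    exceeded `limit`. The block lifts by itself when old requests age out.
    """
    recent = defaultdict(deque)       # ip -> timestamps inside the window
    blocked_events, allowed = [], 0
    for ts, ip in sorted(parse_line(l) for l in lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > limit:
            blocked_events.append((ts, ip))
        else:
            allowed += 1
    return blocked_events, allowed


if __name__ == "__main__":
    blocked, allowed = rate_based_eval(SAMPLE_LOG)
    print(f"allowed={allowed} blocked={[(t.isoformat(), ip) for t, ip in blocked]}")
```

A real rule also needs the window to be long enough to catch slow floods but short enough that a blocked source recovers promptly; tune `limit` and `window` against the resource's observed steady-state traffic.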

Visibility and Attack Notification

AWS Shield Advanced gives you complete visibility into DDoS attacks with near real-time notification via Amazon CloudWatch and detailed diagnostics on the “AWS WAF and AWS Shield” Management Console. Working with the DDoS Response Team (DRT) you can access post-event analysis and investigation. You can also view a summary of prior attacks from the “AWS WAF and AWS Shield” Management Console.

Enhanced Detection

AWS Shield Advanced provides enhanced detection, inspecting network flows and also monitoring application layer traffic to your Elastic IP address, Elastic Load Balancing (ELB), Amazon CloudFront, or Amazon Route 53 resources. Using additional techniques like resource specific monitoring, AWS Shield Advanced provides granular detection of DDoS attacks. AWS Shield Advanced detects application layer DDoS attacks like HTTP floods or DNS query floods by baselining traffic on your resource and identifying anomalies.

DDoS Cost Protection

AWS Shield Advanced comes with "DDoS cost protection", a safeguard against scaling charges that result from a DDoS attack causing usage spikes on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53. If any of these services scale up in response to a DDoS attack, AWS will provide AWS Shield service credits for the charges due to those usage spikes. For details on how to request service credits, see the AWS WAF and AWS Shield Advanced documentation.

DNS

Using Amazon Route 53

AWS Shield Standard automatically protects your Amazon Route 53 Hosted Zones from infrastructure layer DDoS attacks at no additional cost. This includes attacks such as reflection attacks or SYN floods that frequently target DNS. AWS Shield Standard uses techniques such as header validation and priority-based traffic shaping to automatically mitigate these DDoS attacks.

In addition, AWS Shield Advanced provides protection for extreme scenarios that require manual intervention, through 24x7 access to the AWS DDoS Response Team. AWS Shield Advanced also provides visibility into the attacks on your Route 53 infrastructure.

Learn more about How to Reduce DDoS Risks Using Amazon Route 53 and AWS Shield.


Web Applications and APIs
Using Amazon CloudFront or Application Load Balancer

When using Amazon CloudFront, AWS Shield Standard automatically provides comprehensive protection against infrastructure layer attacks such as SYN floods, UDP floods, or other reflection attacks. AWS Shield Standard's always-on detection and mitigation systems automatically scrub bad traffic at Layer 3 and 4 to protect your application. Over 99% of infrastructure layer attacks on Amazon CloudFront detected by AWS Shield Standard are automatically mitigated in less than 1 second.

Learn how to use Amazon CloudFront to Protect your Dynamic applications from DDoS attacks.

Learn how Slack uses Amazon CloudFront to protect against DDoS attacks.

Speaker:
Alex Graham, Sr. Operations Engineer, Slack Technologies, Inc.

For additional protection against large and sophisticated DDoS attacks, you can also use AWS Shield Advanced on Amazon CloudFront. With Shield Advanced, customers get 24x7 access to the AWS DDoS Response Team (DRT), who proactively apply the mitigations necessary for sophisticated infrastructure layer (Layer 3 or 4) attacks, using additional techniques such as traffic engineering. AWS Shield Advanced also protects you against application layer attacks, such as HTTP floods: its always-on built-in detection system baselines each customer's steady-state application traffic and monitors for anomalies. AWS Shield Advanced includes AWS WAF at no additional cost, allowing you to customize any application layer mitigation.


Other Applications (like UDP-based Applications)
Using Elastic IP Address

For other custom applications that are not based on TCP (UDP, SIP, etc.), you cannot use services such as Amazon CloudFront or Elastic Load Balancing. In these cases, you often need to run your applications directly on internet-facing Amazon EC2 instances. AWS Shield Standard also protects your Amazon EC2 instances from common infrastructure layer (Layer 3 and 4) DDoS attacks such as UDP reflection attacks (DNS reflection, NTP reflection, SSDP reflection, and so on). AWS Shield Standard uses techniques such as priority-based traffic shaping, which are engaged automatically when a well-defined DDoS attack signature is detected.

You can also get advanced protection against large and sophisticated DDoS attacks for these applications by enabling AWS Shield Advanced on an Elastic IP address. AWS Shield Advanced's enhanced DDoS detection automatically detects the type of AWS resource and the size of the EC2 instance and applies appropriate pre-defined mitigations. With AWS Shield Advanced, customers can also create their own custom mitigation profiles by engaging the 24x7 AWS DDoS Response Team (DRT). AWS Shield Advanced also ensures that, during a DDoS attack, all your Amazon VPC Network Access Control Lists (ACLs) are automatically enforced at the border of the AWS network, giving you access to additional bandwidth and scrubbing capacity to mitigate large volumetric DDoS attacks. With AWS Shield Advanced, you get additional protection against DDoS attacks such as SYN floods or other vectors such as UDP floods.

Learn more about Attaching Elastic IP to an Amazon EC2 Instance.

Your web applications running on AWS are already protected by AWS Shield Standard. To enable AWS Shield Advanced, go to the "AWS WAF and AWS Shield" Management Console and select the resources for which you want to enable Advanced protection.

Get Started with AWS Shield