Protecting Hour of Code from DDoS events using AWS Shield with Code.org

Code.org is on a mission to make computer science and artificial intelligence (AI) a core part of every student’s kindergarten through twelfth-grade (K–12) education. Every year, millions of students participate in Hour of Code, which is instrumental to demystifying computer science topics. To scale in response to demand, Code.org uses Amazon CloudFront, a service for securely delivering content with low latency and high transfer speeds.

Because of the organization’s short URL and its visibility in the education sector, Hour of Code is a prominent target for cybersecurity events. As such, Code.org wanted to strengthen its networking security without denying service to students. “Because we’re a nonprofit, we want to serve students all over the world,” says Suresh Chanmugam, lead software engineer at Code.org. “We’re deliberately open to anyone, anywhere, at any time, and we can’t simply block users who aren’t paying customers.”

However, Code.org found that traditional IP-based solutions were insufficient, as many students use classroom computers that share the same IP address. Additionally, many participants are non-English speakers, making CAPTCHA an ineffective measure for filtering web traffic.

So, Code.org began exploring AWS edge services. “We’ve made specific configurations in Amazon CloudFront to handle our traffic,” says Darin Webb, infrastructure engineering manager at Code.org. “Being able to control our code is super valuable. Plus knowing that AWS services integrate with each other seamlessly is a huge win.”

Code.org adopted pre-configured rules for specific workloads offered through AWS Web Application Firewall (AWS WAF), which protects web applications from common exploits. Code.org then developed custom rules for phase-based routing and filtering of its web traffic.

Next, Code.org automated the deployment of its custom rules using infrastructure templates in Amazon CloudFormation, which speeds up cloud provisioning with infrastructure as code. “As we’ve had more time to understand how rules affect our users, we’re able to pull more of that into infrastructure as code, which makes it simpler for our engineers to deploy and maintain in the future,” says Webb.

Code.org also adopted AWS Shield Advanced, which offers always-on automatic mitigation of sophisticated DDoS events to minimize application downtime and latency. Using this service, Code.org receives support from the Shield Response Team (SRT), which specializes in DDoS event response. “Now, our team doesn’t have to run to their computers in the middle of the night if a security event happens,” says Webb. “By using AWS Shield Advanced, we’re able to focus on building and improving learning experiences rather than constantly defending our infrastructure.”

Since deploying these services, Code.org has been able to mitigate DDoS events proactively. In the past, Code.org would experience series of repeated DDoS events during Hour of Code. However, the organization has seen a decrease in the severity and frequency of such attempts. “The duration of the DDoS events is now relatively short because bad actors very quickly see that the resources they’re spending on bots are ineffective,” says Webb.

Code.org has also improved the reliability and accessibility of its online courses. During an Hour of Code event, the company experienced a DDoS event that increased its web traffic requests by ten times. Code.org was able to automatically detect the incident and block the requests without any disruption to students. “When we deliver a flawless experience during a high-profile event, then more students and teachers choose to make Code.org a regular part of their classroom experience,” says Chanmugam.

Although Code.org initially deployed AWS edge security services for its Hour of Code preparations, it has since adopted the services year-round, which has helped it maintain 99.99 percent uptime. In one school year, Code.org mitigated 19 DDoS events with virtually zero downtime for students.

For future events, Code.org plans to use AWS Countdown, a service that helps optimize business-critical events, product launches, migrations, and modernizations on AWS. “We’ve really valued our relationships with our account managers and the experts from AWS,” says Webb. “They’ve been excited to dive in and help us out with challenges. That support really comes in handy as we prepare our systems for an event.”

Code.org is also excited to launch a new global event, Hour of AI, which will help prepare students to become AI leaders. “The success that we’ve had over the past decade helps position us as stable, reliable, and trustworthy within the educational space,” says Webb. “We’re in strong position to continue to be educational leaders and help pave the way in this area because of the foundation we’ve built on AWS.”