Tuesday, April 4, 2017

What is AWS Shield & How Can It Save Your Website from DDoS Attacks?

The 3 Types of Attacks & Is It Worth Paying for Advanced DDOS Protection?


If you run a website that helps you turn a profit in business, then your website's availability has a direct impact on your financial health. That's not news, but the number of attacks against website availability is growing very quickly and getting more sophisticated every week, and every single website is a potential target.


Yours is no exception, so you must be proactive in defending your website's availability.

Now, notice I said "availability" as opposed to "uptime". Uptime is more a measure of a web server being on and running, which is from your internal perspective, but "availability" is from your external customers' perspective. Just because your web servers are "up" and on doesn't mean that they're functional for your customers or end users.

And that's why Distributed Denial of Service (DDoS) attacks hurt you: they prevent your customers from resolving your domain name or URL to an IP address of your web servers.

If this happens, in the best case scenario, your site won't load. Worst case scenario, attackers redirect your URL to their own bogus servers, which at that point is a site hijack, not a DDOS attack, but that's a blog post for another day.

Preventing DDoS attacks

There are three types of DDoS attacks. First, Volumetric attacks, in which your servers get overwhelmed with DNS query traffic, drowned in a flood of DNS lookups.

Then there are Application Layer attacks, in which valid, but malicious, HTTP queries also overwhelm the server, causing it to not be able to respond to valid requests from real users.

And then there are State Exhaustion attacks, described by Amazon as "abuse of stateful protocols that causes stress on firewalls and load balancers by consuming large numbers of per-connection resources". Think "Ping of Death" attacks, which send oversized ping requests that overwhelm your servers.

Most attacks are volumetric: 60-68%, with the other two types each accounting for 16-20% of attacks (depending on who is reporting the stats). It's a constantly evolving landscape of threats.

So how do you prevent a DDoS attack? Well, start by realizing that you need to protect yourself from all three kinds of attacks. Yes, that's more work for you and for the security pros you employ or contract with. But now for some good news...

If you're a customer of Amazon AWS, and you host your static files on S3, or use Route 53 DNS services, then Amazon is already helping you, for free!

At re:Invent 2016, Amazon announced the rollout of AWS Shield, which is a set of tools to help prevent DDoS attacks.

AWS Shield at the Standard level of service is a free new tool from AWS that is "already on", helping to protect your site. According to Amazon, "AWS Shield Standard will protect you from 96% of the most common attacks today, including SYN/ACK floods, Reflection attacks, and HTTP slow reads. This protection is applied automatically and transparently to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources."

But what about the other 4% of attacks, you ask? 

Well, you could upgrade to the Advanced (paid) level of Shield, but that's where performing a risk/reward analysis comes into play.

As a site owner, it's your responsibility to figure out what level of risk is acceptable to you, and how much you want to invest in reducing that risk. Failure to undertake this analysis is a failure that rests squarely on your shoulders, so don't avoid it.

How to properly perform risk analysis is too big of a topic to cover in this short article, but think about how much revenue comes in via your website.

Now imagine losing all that traffic for a day or two, and think about whether or not you are willing to risk that revenue.

For some companies, we could be talking about millions of dollars. And if advanced DDoS protection like Shield Advanced only costs you a couple of hundred dollars per month, then that's some pretty cheap insurance!

Here's how they describe the Advanced level of Shield: it "...provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall."

It also provides "additional detection and mitigation against large and sophisticated DDoS attacks plus additional protection over AWS Shield Standard including intelligent DDoS attack detection for network layer (layer 3), transport layer (layer 4) and application layer (layer 7). In addition, customers also get access to 24x7 DDoS response team during a DDoS attack and additional real-time metrics and reports. The advanced service also provides cost protection for your Elastic Load Balancing resources, CloudFront and Amazon Route 53 hosted zones".
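Shield Advanced protection is something you attach per resource, so it is worth checking that none of the resource types named above were missed. Here is an added example (not code from this post or from AWS) that lists the ELB, CloudFront and Route 53 resources in a constructed inventory that have no Shield Advanced protection record; it assumes the `protections` input has the shape boto3's `shield.list_protections()` returns (dicts with a `ResourceArn` key), and all ARNs are constructed samples.

```python
# Added example, not AWS's own code: find the ELB, CloudFront and Route 53 resources
# that lack a Shield Advanced protection record.  `protections` is assumed to have the
# shape boto3's shield.list_protections() returns (dicts with a 'ResourceArn' key).
import re

# The post names three resource types Shield applies to: Elastic Load Balancers,
# CloudFront distributions and Route 53 hosted zones.  Each regex matches the ARN
# prefix of one type (classic and application/network load balancers share it).
ELIGIBLE_ARN_PATTERNS = {
    "elb": re.compile(r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/"),
    "cloudfront": re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/"),
    "route53": re.compile(r"^arn:aws:route53:::hostedzone/"),
}


def classify(arn):
    """Return which eligible type an ARN is, or None if it is not one of the three."""
    for kind, pattern in ELIGIBLE_ARN_PATTERNS.items():
        if pattern.match(arn):
            return kind
    return None


def unprotected(resource_arns, protections):
    """Return the eligible ARNs (sorted) that have no matching protection record."""
    protected = {p["ResourceArn"] for p in protections}
    return sorted(a for a in resource_arns if classify(a) and a not in protected)


# Constructed inventory: an ALB, a classic ELB, a CloudFront distribution, a hosted
# zone, and an S3 bucket (not among the resource types the post's Shield quote lists).
SAMPLE_RESOURCES = [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/shop/50dc6c495c0c9188",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/legacy-classic",
    "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE",
    "arn:aws:route53:::hostedzone/Z3M3LMPEXAMPLE",
    "arn:aws:s3:::example-static-site",
]

# Constructed list_protections() output: only the ALB and the hosted zone are covered.
SAMPLE_PROTECTIONS = [
    {"Id": "example-id-1", "Name": "shop-alb", "ResourceArn": SAMPLE_RESOURCES[0]},
    {"Id": "example-id-2", "Name": "zone", "ResourceArn": SAMPLE_RESOURCES[3]},
]

if __name__ == "__main__":
    for arn in unprotected(SAMPLE_RESOURCES, SAMPLE_PROTECTIONS):
        print("no Shield Advanced protection:", arn)
```

Against the constructed data the classic ELB and the CloudFront distribution come back as unprotected, while the S3 bucket is ignored because it is not one of the three eligible types.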

For more information about both levels of AWS Shield and how they can help you against DDoS attacks, here's the link to Amazon's official page about the new services:

And for more information on DDoS attacks and security threats in the wild, here's a link to Akamai's 2016 Q2 State of the Internet / Security report. It has more great stats and trends on these types of threats to your website, so it's worth reading.

-Ryan

1 comment:

Unknown said...

This is an excellent tip especially to those new to the blogosphere. Short however exact data… Thank you for sharing this one. An unquestionable requirement read post!

best interiors
