Menu

Ways to Mitigate and Prevent DDOS Attacks on AWS

ddos-attack-aws

There is growing need for ways to Mitigate and Prevent DDOS attacks on AWS, I have put down 10 ways to make sure that the infrastructure is safe from DDOS atttacks

Here is the detailed list of best practices Mitigate and Prevent DDOS attacks on AWS :




Step 1Move any web servers/services behind CloudFront

CloudFront owns the layer 7 view of the traffic, meaning you can do layer 7 mitigations, which are likely to be more effective than our rate limiting and prioritization. CloudFront has more locations and might be able to move traffic around to help isolate the attack and use geographic location to isolate an attack to a specific region. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html Most of the time I suggest this, people respond with something like “that will work great for their static sites but what about their dynamic content?” but CF supports dynamic content: http://aws.typepad.com/aws/2012/05/amazon-cloudfront-support-for-dynamic-content.html

Step 2 : Move to ELB

ELBs can scale to absorb certain attacks like SYN floods, though it might be expensive and reserved for certain customers. ELB terminates TCP connections so someday you might be able to do layer 7 mitigations (BF is purely a layer 2/3/4 device). http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/SvcIntro.html

Step 3 : Scale up your fleet and run it “cold”

Running your fleet at 99% utilization might be frugal but it makes your customer’s experience really bad when traffic jumps by even a small amount. Be prepared to scale up on any increase in traffic, legitimate or not. One example is DNS resolver fleets. These are often run at extremely low utilization levels, due to the importance of DNS and the fact that they are often the targets of DDoS attacks.

 

Step 4 : Move any instances to Enhanced Networking

Shift your instance to Enhanced Networking underlying host(ex: c3.* instances) Even if you aren’t using SRIOV but are using VPC and c3.* instances, the underlying host will do the work of applying Network ACLs and Security Groups. If you are using SRIOV, you will see a much higher rate of PPS before the instance is unreachable.

Step 5 : Auto Scaling

It is going to help at any layer to use Auto Scaling, whether you are running your own load balancer instances, application servers, backend servers, etc. Sometimes attacks are very sudden, however, so auto scaling might not be able to easily see the ramp up in traffic in a natural way. http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/WhatIsAutoScaling.html

Step 6 : Move to a larger instance size

This might help you to absorb more PPS, but more importantly (for EC2), it will decrease the impact of the attack on neighboring instances.




Step 7 : Separate the public traffic from administrative traffic

This configuration helps because we will need to rate limit traffic to the public interface, often dropping 99% or more of the traffic. Management traffic will likely be dropped too. But the instance will (hopefully) be alive. With separate interfaces, you can easily bypass the rate limiting mitigation and determine what is happening (tcpdump on the public interface, for instance). One option is to create two separate network interfaces, one that handles the public (web, DNS, etc) traffic and another that handles management traffic (ssh). The public interface is published in obvious DNS records (www.company.com) but the management interface either is only accessible via a bastion host within the same VPC or via a tunnel or DirectConnect, or simply has a different public IP address.

Step 8 : Network ACL best practices

If you have a web server and want to create a Network ACL where it only allows TCP port 80 in, with a default rule of DROP. Ideally, you would set things up so any outgoing connections the web servers needs to make go through a separate path (see previous item re: separate public traffic and administrative traffic) If you can’t do that, you might need to also allow ephemeral ports (1024-65535) through. If you do this, it will block many attacks, such as UDP port 80 attacks, attacks to other non-ephemeral ports, ICMP, etc You can also add DROP rules before the TCP port 80 rule to drop any subnets that you see sending traffic, which is something our customers already do frequently.

For more info you can contact at mail@bhargavamin.com

Feel free to comment your view below as well.

-Bhargav Amin

 

Blogger & Assc Cloud Architect

Post Navigation

Portugal crowned Euro 2016 Champions

Connect to Private Subnet Windows instance using Linux NAT AWS

Related Posts:

Banner-NAT-instance

Create NAT instance in Amazon VPC (AWS)

How to create CloudFront Distribution & test its latency

CI-CD-TomcatApp-Architecture

Deploy Java Web App Using CI/CD tools on AWS

Site Footer

Bhargav Amin © 2019-20

Sliding Sidebar

Categories

Guest Post (14) Health & Fitness (2) How-to-do's (47) Sports (8) Tech Articles (23)

Topics

amazon certificate manager amazon linux apache web server aws bitcoin bookreview cassandra cloudformation cloudfront cloudwatch cricket database DevOps ebs ec2 ELB ethereum fitness football general Git IAM java Jenkins keylogger linux linux partitions lvm migration mysql networking route53 s3 security smartphone ssh tech timetracker travelblog vpc vpc-peering vpn windows wordpress workspaces

Social Profiles

Ads

Categories

Recent Posts

Featured Post

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 66 other subscribers

Blog Stats

  • 306,843 hits

My Social Profiles

Twitch Streams

Twitch stream of Bhrgv7
Bhrgv7 Bhrgv7
Offline 0

Legal

Privacy Policy Cookie Policy
Terms and Conditions