Mitigation Techniques - AWS Best Practices for DDoS Resiliency

Mitigation Techniques

Some forms of DDoS mitigation are included automatically with AWS services. You can further improve your DDoS resilience by using an AWS architecture with specific services and by implementing additional best practices.

All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. This is offered on all AWS services and in every AWS Region at no additional cost. In AWS Regions, DDoS attacks are detected by a system that automatically baselines traffic, identifies anomalies, and, as necessary, creates mitigations. This mitigation system provides protection against many common infrastructure layer attacks. You can use AWS Shield Standard as part of a DDoS-resilient architecture to protect both web and non-web applications.
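The paragraph above describes detection as baselining traffic, flagging anomalies, and triggering mitigation. The following is an added, deliberately simplified model of that loop written for this page; it is not AWS's detection system, and the packet-rate series, window size and z-score threshold are constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed sample: inbound packets per second seen by a protected endpoint,
# 20 seconds of normal traffic followed by a three-second volumetric spike.
SAMPLE_PPS = [1000, 1100, 950, 1050, 1000, 980, 1020, 1100, 1000, 990,
              1010, 1050, 970, 1030, 1000, 1020, 990, 1000, 1040, 1010,
              9000, 12000, 15000, 1000, 1050]


class RateBaseline:
    """Rolling baseline of a traffic rate that flags samples far above it.

    window: number of recent normal samples that form the baseline.
    z_threshold: how many standard deviations above the mean counts as anomalous.
    min_samples: no verdicts until this many samples have been learned.
    """

    def __init__(self, window=20, z_threshold=4.0, min_samples=10):
        self.window = deque(maxlen=window)
        self.z_threshold = z_threshold
        self.min_samples = min_samples

    def observe(self, value):
        """Return True if value is anomalous against the current baseline.

        Anomalous samples are not folded into the baseline, so an attack
        cannot raise the baseline it is being measured against.
        """
        if len(self.window) >= self.min_samples:
            mu = mean(self.window)
            sigma = pstdev(self.window) or 1.0  # guard a perfectly flat window
            if (value - mu) / sigma > self.z_threshold:
                return True
        self.window.append(value)
        return False


def detect_anomalies(samples, **kwargs):
    """Return the indices of samples that would trigger a mitigation."""
    baseline = RateBaseline(**kwargs)
    return [i for i, v in enumerate(samples) if baseline.observe(v)]


if __name__ == "__main__":
    print("mitigation triggered at seconds:", detect_anomalies(SAMPLE_PPS))
```

The window length is the trade-off the text alludes to with time-to-mitigate: a shorter window reacts faster but learns a noisier baseline.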

Additionally, you can leverage AWS services that operate from edge locations, like Amazon CloudFront and Amazon Route 53, to build comprehensive availability protection against all known infrastructure layer attacks. Using these services—which are part of the AWS Global Edge Network—can improve the DDoS resilience of your application when you serve web application traffic from edge locations distributed around the world.

Benefits from using Amazon CloudFront and Amazon Route 53 include:

  • AWS Shield DDoS mitigation systems that are integrated with AWS edge services, reducing time-to-mitigate from minutes to sub-second.

  • Stateless SYN Flood mitigation techniques that proxy and verify incoming connections before passing them to the protected service.

  • Automatic traffic engineering systems that can disperse or isolate the impact of large volumetric DDoS attacks.

  • Application layer defense, when combined with AWS WAF, that does not require changing your current application architecture (for example, one hosted in an AWS Region or an on-premises datacenter).

There is no charge for inbound data transfer on AWS and you do not pay for DDoS attack traffic that is mitigated by AWS Shield. Figure 5 shows a DDoS-resilient reference architecture that includes AWS Global Edge Network services.

Figure 5: DDoS-resilient reference architecture

This reference architecture includes several AWS services that can help you improve your web application’s resiliency against DDoS attacks. Table 2 provides a summary of these services and the capabilities that they can provide. We’ve tagged each service with a best practice indicator (BP1, BP2, etc.) for easier reference within this document. For example, an upcoming section discusses the capabilities provided by Amazon CloudFront and includes the best practice indicator—BP1.

Table 2: Summary of Best Practices

Columns (services, grouped by where they operate):

  • AWS Edge Locations: Amazon CloudFront (BP1) with AWS WAF (BP2); Amazon Route 53 (BP3)

  • AWS Regions: Elastic Load Balancing (BP6); Amazon API Gateway (BP4); Amazon VPC (BP5); Amazon EC2 with Auto Scaling (BP7)

Rows (capabilities):

  • Layer 3 (for example, UDP reflection) attack mitigation

  • Layer 4 (for example, SYN flood) attack mitigation

  • Layer 6 (for example, TLS) attack mitigation

  • Reduce attack surface

  • Scale to absorb application layer traffic

  • Layer 7 (application layer) attack mitigation: ✔(*) ✔(*) ✔(*) ✔(*)

  • Geographic isolation and dispersion of excess traffic, and larger DDoS attacks

✔(*): if used with AWS WAF

Another way that you can improve your readiness to respond to and mitigate DDoS attacks is by subscribing to AWS Shield Advanced. This optional DDoS mitigation service helps you protect an application hosted in any AWS Region. The service is available globally for Amazon CloudFront and Amazon Route 53. It’s also available in select AWS Regions for Classic Load Balancer (CLB), Application Load Balancer (ALB), and Elastic IP Addresses (EIPs). Using AWS Shield Advanced with EIPs allows you to protect Network Load Balancers (NLBs) or Amazon EC2 instances.

Benefits from using AWS Shield Advanced include:

  • Access to the AWS DDoS Response Team (DRT) for assistance in mitigating DDoS attacks that impact application availability.

  • DDoS attack visibility by using the AWS Management Console, API, and Amazon CloudWatch metrics and alarms.

  • Access to the Global Threat Environment dashboard, which provides an overview of DDoS attacks observed and mitigated by AWS.

  • Access to AWS WAF, at no additional cost, for the mitigation of application layer DDoS attacks (when used with Amazon CloudFront or ALB).

  • Automatic baselining of web traffic attributes, when used with AWS WAF.

  • Access to AWS Firewall Manager, at no additional cost, for automated policy enforcement.

  • Sensitive detection thresholds that route traffic into the DDoS mitigation system earlier and can improve time-to-mitigate for attacks against Amazon EC2 or NLB, when used with an EIP.

  • Cost protection that allows you to request a limited refund of scaling-related costs that result from a DDoS attack.

  • Enhanced service level agreement that is specific to AWS Shield Advanced customers.

For a complete list of AWS Shield Advanced features and to learn more about AWS Shield, see AWS Shield—Managed DDoS Protection.

In the following sections, we’ll describe each of the recommended best practices for DDoS mitigation in more depth. For a quick and easy-to-implement guide on building a DDoS mitigation layer for static or dynamic web applications, see How to Help Protect Dynamic Web Applications Against DDoS Attacks by Using Amazon CloudFront and Amazon Route 53.