Mitigation techniques - AWS Best Practices for DDoS Resiliency

Mitigation techniques

Some forms of DDoS mitigation are included automatically with AWS services. DDoS resilience can be improved further by using an AWS architecture with specific services, covered in the following sections, and by implementing additional best practices for each part of the network flow between users and your application.

All AWS customers can benefit from the automatic protections of AWS Shield Standard at no additional charge. AWS Shield Standard defends against the most common and frequently occurring network and transport layer DDoS attacks that target your website or applications. This protection is always on, pre-configured, static, and provides no reporting or analytics. It is offered on all AWS services and in every AWS Region. In AWS Regions, DDoS attacks are detected and the Shield Standard system automatically baselines traffic, identifies anomalies, and, as necessary, creates mitigations. You can use AWS Shield Standard as part of a DDoS-resilient architecture to protect both web and non-web applications.

You can also utilize AWS services that operate from edge locations, such as Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 to build comprehensive availability protection against all known infrastructure layer attacks. These services are part of the AWS Global Edge Network, and can improve the DDoS resilience of your application when serving any type of application traffic from edge locations distributed around the world. You can run your application in any AWS Region, and use these services to protect your application availability and optimize the performance of your application for legitimate end users.

Benefits of using Amazon CloudFront, Global Accelerator, and Amazon Route 53 include:

  • Access to internet and DDoS mitigation capacity across the AWS Global Edge Network. This is useful in mitigating larger volumetric attacks, which can reach terabit scale.

  • AWS Shield DDoS mitigation systems are integrated with AWS edge services, reducing time-to-mitigate from minutes to sub-second.

  • Stateless SYN flood mitigation techniques proxy and verify incoming connections before passing them to the protected service. This ensures that only valid connections reach your application while protecting your legitimate end users against false-positive drops.

  • Automatic traffic engineering systems that disperse or isolate the impact of large volumetric DDoS attacks. All of these services isolate attacks at the source before they reach your origin, which means less impact on systems protected by these services.

  • Application layer defense when combined with AWS Web Application Firewall (AWS WAF) that does not require changing current application architecture (for example, in an AWS Region or on-premises data center).

There is no charge for inbound data transfer on AWS and you do not pay for DDoS attack traffic that is mitigated by AWS Shield. The following architecture diagram includes AWS Global Edge Network services.

Diagram: DDoS-resilient reference architecture.

DDoS-resilient reference architecture

This architecture includes several AWS services that can help you improve your web application’s resiliency against DDoS attacks. The Summary of Best Practices table provides a summary of these services and the capabilities that they can provide. AWS has tagged each service with a best practice indicator (BP1, BP2, and so on) for easier reference within this document. For example, an upcoming section discusses the capabilities provided by Amazon CloudFront and Global Accelerator, which carry the best practice indicator BP1.

Table 2 - Summary of best practices

Services (table columns), grouped by where they operate:

AWS Edge:

  • Amazon CloudFront (BP1) with AWS WAF (BP2)

  • Global Accelerator (BP1)

  • Amazon Route 53 (BP3)

AWS Region:

  • Elastic Load Balancing (BP6) with AWS WAF (BP2)

  • Security groups and network ACLs in Amazon VPC (BP5)

  • Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling (BP7)

Capabilities (table rows):

  • Layer 3 (for example, UDP reflection) attack mitigation

  • Layer 4 (for example, SYN flood) attack mitigation

  • Layer 6 (for example, TLS) attack mitigation

  • Reduce attack surface

  • Scale to absorb application layer traffic

  • Layer 7 (application layer) attack mitigation: ✔(*) ✔(*) ✔(*)

  • Geographic isolation and dispersion of excess traffic and larger DDoS attacks

✔(*): if used with AWS WAF with Application Load Balancer

Another way to improve your readiness to respond to and mitigate DDoS attacks is by subscribing to AWS Shield Advanced.

Shield Advanced subscribers receive:

  • Tailored detection based on the specific traffic patterns of your application.

  • Protection against Layer 7 DDoS attacks including AWS WAF at no additional cost.

  • Access to 24x7 specialized support from the AWS Shield Response Team (AWS SRT).

  • Centralized management of security policies through AWS Firewall Manager.

  • Cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes.

This optional DDoS mitigation service helps protect applications hosted in any AWS Region. The service is available globally for CloudFront, Route 53, and Global Accelerator. Using Shield Advanced with Elastic IP addresses allows you to protect Network Load Balancers (NLBs) or Amazon EC2 instances.

Benefits of using AWS Shield Advanced include:

  • Access to the AWS SRT for assistance with mitigating DDoS attacks that impact application availability.

  • DDoS attack visibility by using the AWS Management Console, API, and Amazon CloudWatch metrics and alarms.

  • Access to the history of all DDoS events from the past 13 months.

  • Access to AWS WAF, at no additional cost, for the mitigation of application layer DDoS attacks (when used with Amazon CloudFront or Application Load Balancer).

  • Automatic baselining of web traffic attributes, when used with AWS WAF.

  • Access to AWS Firewall Manager, at no additional cost, for automated policy enforcement.

  • Sensitive detection thresholds that route traffic into the DDoS mitigation system earlier and can improve time-to-mitigate attacks against Amazon EC2 or Network Load Balancer, when used with an Elastic IP address.

  • Cost protection that enables you to request a limited refund of scaling-related costs that result from a DDoS attack.

  • Enhanced service level agreement that is specific to AWS Shield Advanced customers.

  • Proactive engagement from the AWS SRT when a Shield event is detected.

  • Protection groups that enable you to bundle resources, providing a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit. Resource grouping improves the accuracy of detection, minimizes false positives, eases automatic protection of newly created resources, and accelerates the time to mitigate attacks against many resources that comprise a single application. For information about protection groups, refer to Shield Advanced protection groups.

For a complete list of AWS Shield Advanced features and for more information about AWS Shield, refer to How AWS Shield works.
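As an added example (not from the whitepaper), the following Terraform applies two of the practices above to a hypothetical application: a rate-based AWS WAF rule attached to an Application Load Balancer (the ✔(*) case in Table 2) and Shield Advanced protection for that same load balancer. The input variable `var.alb_arn`, the resource names, and the request-rate threshold are assumptions.

```hcl
# Layer 7 mitigation for a regional ALB (BP2 with BP6): a rate-based rule that
# blocks any client IP exceeding the limit within a 5-minute window.
resource "aws_wafv2_web_acl" "alb" {
  name  = "alb-ddos-acl"
  scope = "REGIONAL"   # a CloudFront web ACL would use scope CLOUDFRONT in us-east-1

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000   # constructed threshold; tune from baseline traffic
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true   # rule counts feed CloudWatch metrics and alarms
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "alb-ddos-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the ALB so requests are inspected before they reach the app.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn            # assumed input: ARN of the existing ALB
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}

# Enroll the ALB in Shield Advanced (requires an active subscription in the account)
# so it is covered by Shield Advanced detection, event history, and SRT support.
resource "aws_shield_protection" "alb" {
  name         = "app-alb"
  resource_arn = var.alb_arn
}
```

The web ACL's `default_action` stays `allow` so that legitimate traffic is unaffected and only sources exceeding the rate limit are blocked.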