Protecting from external threats at the edge
When your application runs on AWS, you can leverage both CloudFront and AWS WAF to help defend against application layer DDoS attacks.
By using AWS WAF, you can configure web access control lists (Web ACLs) on your CloudFront distributions to filter and block requests based on request signatures. Each Web ACL consists of rules that you can configure to string match or Regular Expression (regex) match one or more request attributes, such as the URI, query string, HTTP method, or header key.
By using AWS WAF's rate-based rules, you can automatically block the IP addresses of bad actors when requests matching a rule exceed a threshold that you define. Requests from offending client IP addresses will receive a “403 Forbidden” error response, and will remain blocked until request rates drop below the threshold. This is useful for mitigating HTTP flood attacks that are disguised as regular web traffic.
To block attacks from known bad-acting IP addresses, you can create rules using IP match conditions. You can use AWS-managed WAF rules, or use Managed Rules for AWS WAF offered by sellers in the AWS Marketplace.
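The three rule types described above (an IP match condition, a regex match on a request attribute, and a rate-based rule) can be hard to reason about together, because a web ACL evaluates rules in priority order and a rate-based rule keeps blocking an address until its request count inside the evaluation window falls back under the limit. The following Python script is an added example, not code from the AWS whitepaper or the AWS WAF service: it simulates that evaluation offline over a constructed request log. The IP set, the URI regex, the threshold of 5 requests and the 5-minute (300-second) window are all assumptions chosen for illustration, and the sample log lines are constructed, not real CloudFront logs.

```python
"""Offline simulation of web ACL evaluation order with a rate-based rule.

Added example (not from the AWS whitepaper). It models three rules in
priority order: an IP match condition, a regex match on the URI, and a
rate-based rule that blocks a client IP while its request count within a
sliding window exceeds a limit. Window length, threshold, regex and the
sample log are constructed assumptions, not AWS WAF defaults.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 300      # assumed 5-minute evaluation window
RATE_LIMIT = 5            # assumed threshold: more than 5 requests per window is blocked

# Constructed sample log: "<seconds> <client ip> <method> <uri>" per line.
SAMPLE_LOG = """\
0 192.0.2.10 GET /index.html
1 198.51.100.7 GET /index.html
2 192.0.2.10 GET /static/../../etc/passwd
10 203.0.113.5 POST /api/login
11 203.0.113.5 POST /api/login
12 203.0.113.5 POST /api/login
13 203.0.113.5 POST /api/login
14 203.0.113.5 POST /api/login
15 203.0.113.5 POST /api/login
16 203.0.113.5 POST /api/login
400 203.0.113.5 POST /api/login
"""


@dataclass
class Request:
    ts: int       # seconds since start of the capture
    ip: str
    method: str
    uri: str


def parse_log(text):
    """Turn the constructed log text into Request objects, skipping blank lines."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri = line.split()
        requests.append(Request(int(ts), ip, method, uri))
    return requests


class WebAcl:
    """Evaluates rules in priority order; first matching rule decides the action."""

    def __init__(self, blocked_ips, uri_regex, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.blocked_ips = set(blocked_ips)          # IP match condition (assumed set)
        self.uri_regex = re.compile(uri_regex)       # regex match on the URI attribute
        self.rate_limit = rate_limit
        self.window = window
        # Per-IP timestamps still inside the sliding window (rate-based rule state).
        self.history = defaultdict(deque)

    def evaluate(self, req):
        """Return (action, rule_name) for one request."""
        # Priority 1: known bad-acting IP addresses.
        if req.ip in self.blocked_ips:
            return ("BLOCK", "ip-set")
        # Priority 2: request signature match on the URI (here: path traversal pattern).
        if self.uri_regex.search(req.uri):
            return ("BLOCK", "uri-regex")
        # Priority 3: rate-based rule. Every request is counted, so an IP stays
        # blocked until enough old timestamps age out of the window.
        recent = self.history[req.ip]
        recent.append(req.ts)
        while recent and recent[0] <= req.ts - self.window:
            recent.popleft()
        if len(recent) > self.rate_limit:
            return ("BLOCK", "rate-limit")
        return ("ALLOW", "default")


def run_simulation(log_text=SAMPLE_LOG):
    """Evaluate every request in the log; returns a list of (ts, ip, action, rule)."""
    acl = WebAcl(blocked_ips={"198.51.100.7"}, uri_regex=r"\.\./")
    results = []
    for req in parse_log(log_text):
        action, rule = acl.evaluate(req)
        results.append((req.ts, req.ip, action, rule))
    return results


if __name__ == "__main__":
    for ts, ip, action, rule in run_simulation():
        print(f"t={ts:>4} {ip:<14} {action:<5} ({rule})")
```

Running the script shows the behaviour the text describes: the listed IP and the traversal-style URI are blocked immediately, the sixth and seventh requests from 203.0.113.5 inside the window receive the block decision (a 403 in a real deployment), and the request that arrives after the window has slid past the burst is allowed again.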
If you are subscribed to AWS Shield Advanced, you can engage the AWS DDoS Response Team (DRT) to help you create rules to mitigate an attack that is hurting your application’s availability. For more information, see Configure AWS DRT support.
You can use AWS Firewall Manager
- To learn more about using geo-restriction to limit access to your CloudFront distribution, see Restricting the Geographic Distribution of Your Content.
- To learn more about using AWS WAF, see Getting started with AWS WAF.
- To learn more about configuring rate-based rules, see Protect Web Sites & Services Using Rate-Based Rules for AWS WAF.
- To learn how to manage the deployment of AWS WAF rules across your AWS resources with AWS Firewall Manager, see Getting started with AWS Firewall Manager AWS WAF policies.