Unfortunately, not everyone on the Internet is using it for good. There are bad actors – typically automated processes that can harm your systems, like content scrapers and bots – whose main goal is to access and misuse content.
These bad actors can lead to distributed denial of service (DDoS) attacks on your infrastructure. But all is not lost. You can protect yourself with a number of tools and services that will help you build DDoS-resilient applications. AWS recently released an updated version of its AWS Best Practices for DDoS Resiliency Whitepaper, which is helpful for anyone looking for DDoS guidance, or who’s unsure whether their architecture is optimized for DDoS resiliency.
First, let’s take a look at the two most common DDoS attacks: User Datagram Protocol (UDP) reflection attacks and synchronize (SYN) floods, which are both infrastructure layer attacks. An attacker can use either method to generate volumes of traffic that overwhelm the capacity of a network or system, such as a server, firewall, IPS, or load balancer. Fortunately, these attacks have clear signatures that make them easier to detect. To effectively absorb these attacks, network or system capacity must exceed the volume that’s generated by the attacker.
SYN floods in particular exhaust the available resources of any given system by leaving connections in a perpetually half-open state. Typically, when an end user connects to something like a web server, the client will send a SYN packet. The server then returns SYN-ACK, and the client ends the process by returning ACK. In a SYN flood, however, the ACK never gets returned, so the server is left waiting for a response. This can prevent new users from connecting to and accessing the server.
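The half-open state described above is visible on the server itself: sockets that have sent SYN-ACK but never received the final ACK sit in SYN-RECV. The following added example (not part of the original article) parses constructed `ss -tan`-style output and flags a flood when half-open sockets outnumber established ones by an assumed ratio; the sample lines, addresses and thresholds are all assumptions.

```python
"""Count half-open (SYN-RECV) TCP sockets from `ss -tan`-style output.
A SYN flood leaves many sockets waiting for the final ACK, so the
SYN-RECV to ESTAB ratio climbs. Added example with assumed thresholds."""
from collections import Counter

# Constructed sample in the column layout of `ss -tan` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:443         198.51.100.20:40112
ESTAB      0      0      10.0.0.5:443         198.51.100.21:40113
SYN-RECV   0      0      10.0.0.5:443         203.0.113.7:51234
SYN-RECV   0      0      10.0.0.5:443         203.0.113.8:51235
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:51236
SYN-RECV   0      0      10.0.0.5:443         203.0.113.7:51239
LISTEN     0      128    0.0.0.0:443          0.0.0.0:*
"""

def parse_ss(text):
    """Yield (state, peer_ip) for each socket line, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        yield state, peer.rsplit(":", 1)[0]   # drop the port (IPv4 form)

def half_open_report(text, ratio_threshold=2.0, per_peer_threshold=2):
    """Summarise half-open sockets and decide whether it looks like a flood.
    ratio_threshold: assumed SYN-RECV/ESTAB ratio that triggers the flag.
    per_peer_threshold: SYN-RECV count per peer worth listing; spoofed
    sources make this unreliable, so the ratio is the primary signal."""
    states, half_open_peers = Counter(), Counter()
    for state, peer_ip in parse_ss(text):
        states[state] += 1
        if state == "SYN-RECV":
            half_open_peers[peer_ip] += 1
    established, half_open = states["ESTAB"], states["SYN-RECV"]
    ratio = half_open / established if established else float(half_open)
    return {
        "half_open": half_open,
        "established": established,
        "ratio": ratio,
        "suspected_flood": ratio >= ratio_threshold,
        "noisy_peers": {ip: n for ip, n in half_open_peers.items()
                        if n >= per_peer_threshold},
    }

if __name__ == "__main__":
    print(half_open_report(SAMPLE_SS_OUTPUT))
```

On a real host, feed it the output of `ss -tan` periodically and alert on the ratio trend rather than a single snapshot.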
While less frequent, application layer attacks also occur. In these cases, an attacker is trying to over-exercise certain functions of an application to render it unavailable. Sometimes, such as in HTTP floods, cache-busting attacks, and WordPress XML-RPC floods, an attacker sends requests at very low volumes, which makes the attack more difficult to detect and address. Application layer attacks can also go after domain name system (DNS) services. A DNS query flood, where an attacker uses many well-formed DNS queries to exhaust the resources of a DNS server, is the most common attack of this type.
For AWS users, you’re already a step ahead: AWS infrastructure is DDoS-resilient by design and is supported by DDoS mitigation systems that automatically detect and filter excess traffic. However, to make sure you’re getting the most out of this infrastructure, you must implement an architecture where you can utilize these capabilities.
An extremely common use case for AWS is a web app that serves both static and dynamic content to users over the Internet. Below is a reference architecture for web applications:
Services available within AWS Regions, such as Elastic Load Balancing, Amazon VPC, and Amazon Elastic Compute Cloud (EC2), will allow you to build DDoS resiliency, as well as scale to handle unexpected volumes of traffic within a specific region. Services available in AWS edge locations, like Amazon CloudFront, AWS WAF, and Amazon API Gateway, let you utilize a global network of edge locations that provide your application with greater fault tolerance and increase scale for managing those larger volumes of traffic. The table below is a summary of best practices for each service and region:
It’s also important to limit the opportunities an attacker has to target your application. If you don’t want end users interacting directly with specific resources, make sure those resources can’t be reached from the Internet at all. Along the same lines, don’t accept traffic on ports or protocols that you don’t want end users or external applications communicating with. This attack surface reduction limits the extent to which an application is exposed to the Internet, which in turn makes your resources more difficult to attack.
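One concrete way to audit the attack surface reduction described above is to check security group rules for ports opened to the whole Internet. The following added example (not from the article or from AWS) walks a sample constructed in the shape of `aws ec2 describe-security-groups` JSON output; the group IDs, the allowed public port set and the sample rules are assumptions.

```python
"""Flag security-group rules that expose ports to the whole Internet.
Added example; the sample is constructed in the shape of the
`aws ec2 describe-security-groups` JSON output, not a real account."""
import json

ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: only the web tier is public
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: one web-tier group and one database group.
SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-00000db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
]})

def rule_is_world_open(rule):
    """True if the rule's source is the entire IPv4 or IPv6 Internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def find_exposed_rules(describe_output):
    """Return (group_id, description) for each world-open rule that is not
    confined to the allowed public ports. IpProtocol "-1" means all traffic."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if not rule_is_world_open(rule):
                continue
            if rule["IpProtocol"] == "-1":
                findings.append((group["GroupId"], "all protocols/ports"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if not set(range(lo, hi + 1)) <= ALLOWED_PUBLIC_PORTS:
                findings.append((group["GroupId"], f"{rule['IpProtocol']}/{lo}-{hi}"))
    return findings

if __name__ == "__main__":
    for gid, what in find_exposed_rules(SAMPLE_JSON):
        print(f"{gid}: world-open {what}")
```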
It’s also helpful to know when DDoS attacks are actually happening to your application, so you can take action. A managed service provider (MSP) is well suited to advanced monitoring, threat detection and alerting, as well as reviewing the architecture of any application. In addition, an MSP can architect and recommend supported third-party DDoS protection services that complement AWS’s security and can offer even higher levels of protection. For example, Incapsula’s DDoS protection for AWS is available on the AWS Marketplace and offers enhanced protection using advanced traffic inspection, detecting and mitigating both volumetric network (Layer 3) and sophisticated application (Layer 7) DDoS attacks.
The bottom line is that being proactive is only going to benefit your business in both the short and long term. Make sure you’re up to date on the latest attacks and ways to combat them. For more information on DDoS resiliency, check out the AWS whitepaper on the subject, or visit our DDoS protection services page.