Waf Charm

L7 DDoS mitigation feature is available in AWS Shield Advanced

This post was originally written in Japanese.

Table of Contents

  1. Introduction
  2. What is AWS Shield Advanced?
  3. Changes
  4. Other possible actions for mitigation
  5. Conclusion

1. Introduction

On December 1, 2021 (Pacific Time), AWS announced a new AWS Shield Advanced feature that automatically protects web applications by mitigating application-layer (Layer 7) DDoS events.

AWS Shield Advanced introduces automatic application-layer DDoS mitigation

2. What is AWS Shield Advanced?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS. AWS Shield Standard is applied automatically and free of charge; it defends against the common network and transport layer (Layer 3 and 4) attacks, and when used together with Amazon CloudFront and Amazon Route 53, AWS describes the coverage as comprehensive protection against all known infrastructure (Layer 3 and 4) attacks.

You can also upgrade to AWS Shield Advanced for $3,000 per month (with a one-year commitment). Once you attach your resources to it, you receive the additional DDoS protections listed below.

Services you can receive

  • Detection and mitigation of DDoS attacks at the network and transport layer (Layer 3 and 4) and at the application layer (Layer 7), with 24/7 access to the AWS Shield Response Team (SRT) for help with countermeasures during an attack.
  • Access to detailed real-time metrics and reports that visualize attacks on your AWS resources.

Supported Resources

  • Amazon CloudFront distributions
  • Amazon Route 53 hosted zones
  • AWS Global Accelerator standard accelerators
  • Application Load Balancers
  • Elastic Load Balancing (ELB) load balancers (Classic Load Balancers; a Network Load Balancer is protected through its Elastic IP address)
  • Amazon Elastic Compute Cloud (Amazon EC2) Elastic IP addresses

3. Changes

Until now, subscribing to AWS Shield Advanced alone gave you no automatic countermeasure against application-layer (Layer 7) DDoS attacks: Shield Advanced could detect Layer 7 events on resources that had a web ACL, but the mitigation rules had to be written by you or by the SRT. From now on, for CloudFront distributions that are protected by Shield Advanced and associated with an AWS WAF web ACL, Shield Advanced creates the mitigation rules itself and places them in that web ACL.

The feature watches the normal traffic baseline of the protected resource and, when it sees a spike it attributes to a DDoS event, automatically creates and deploys AWS WAF rules that match the suspicious traffic. That makes it a countermeasure for attacks that begin when nobody is watching. You choose whether the generated rules run in Count mode (log only) or Block mode, so you can observe what would have been blocked before trusting it with enforcement.

Attacks often resume after the first wave subsides. The service takes this into account and keeps the automatically created rules in place for a period after the event ends, deciding on its own when to remove them.

You can use this feature on CloudFront distributions that have an AWS WAF web ACL associated (AWS WAF, not AWS WAF Classic).
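Before enabling the feature it is worth checking the prerequisites above programmatically: the distribution is a Shield Advanced protected resource, it has a web ACL, and that web ACL is AWS WAF (wafv2) rather than AWS WAF Classic. The script below is an added example, not code from the original post or from AWS. Its checks are pure functions over the response shapes of the named AWS APIs and run offline against constructed sample data; the live calls (and the enable call, deliberately in Count mode) only happen in the `__main__` block. The rate-based-rule check reflects the prerequisite listed in the Shield Advanced documentation as I know it; confirm it against the current docs. All ARNs, IDs and names are hypothetical.

```python
"""Pre-flight check for AWS Shield Advanced automatic application-layer
DDoS mitigation on a CloudFront distribution.

Added example, not code from the original post or from AWS. The checks are
pure functions over the response shapes of the AWS APIs named below, so the
sample data is constructed and the module runs offline; live API calls
happen only in the __main__ block. All ARNs and IDs are hypothetical.
"""
from __future__ import annotations


def is_wafv2_web_acl(web_acl_ref: str) -> bool:
    """CloudFront records an AWS WAF (wafv2) association as the web ACL's
    full ARN; an AWS WAF Classic association is a bare web ACL ID."""
    return web_acl_ref.startswith("arn:aws:wafv2:")


def has_rate_based_rule(web_acl: dict) -> bool:
    """True if any top-level rule of a wafv2:GetWebACL 'WebACL' body is a
    rate-based rule (documented prerequisite as I know it; verify)."""
    return any("RateBasedStatement" in rule.get("Statement", {})
               for rule in web_acl.get("Rules", []))


def is_protected(protections: list[dict], resource_arn: str) -> bool:
    """True if shield:ListProtections contains the distribution's ARN."""
    return any(p.get("ResourceArn") == resource_arn for p in protections)


def check_prerequisites(resource_arn: str, dist_config: dict,
                        web_acl: dict, protections: list[dict]) -> list[str]:
    """Return the blockers found (empty when the feature can be enabled).
    dist_config is the 'DistributionConfig' body of
    cloudfront:GetDistributionConfig."""
    issues = []
    if not is_protected(protections, resource_arn):
        issues.append("distribution is not a Shield Advanced protected resource")
    ref = dist_config.get("WebACLId", "")
    if not ref:
        issues.append("no web ACL is associated with the distribution")
    elif not is_wafv2_web_acl(ref):
        issues.append("web ACL is AWS WAF Classic; the feature needs AWS WAF (wafv2)")
    elif not has_rate_based_rule(web_acl):
        issues.append("web ACL has no rate-based rule")
    return issues


def automatic_response_args(resource_arn: str, block: bool) -> dict:
    """Parameters for shield:EnableApplicationLayerAutomaticResponse. Start in
    Count mode to see what Shield would have blocked, then switch to Block."""
    return {"ResourceArn": resource_arn,
            "Action": {"Block": {}} if block else {"Count": {}}}


# --- constructed sample data (hypothetical account 123456789012) -------------
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE"
WAFV2_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/site-acl/"
             "11111111-2222-3333-4444-555555555555")
OK_DIST_CONFIG = {"WebACLId": WAFV2_ARN}
CLASSIC_DIST_CONFIG = {"WebACLId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"}
OK_WEB_ACL = {"Name": "site-acl", "Rules": [
    {"Name": "rate-limit", "Priority": 0,
     "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
     "Action": {"Block": {}}}]}
PROTECTIONS = [{"Id": "p-1", "Name": "site-cdn", "ResourceArn": DIST_ARN}]


if __name__ == "__main__":
    import sys
    import boto3  # live check only; the functions above do not need it

    dist_id = sys.argv[1]
    cf = boto3.client("cloudfront")
    cfg = cf.get_distribution_config(Id=dist_id)["DistributionConfig"]
    arn = cf.get_distribution(Id=dist_id)["Distribution"]["ARN"]
    acl: dict = {}
    ref = cfg.get("WebACLId", "")
    if is_wafv2_web_acl(ref):
        name, acl_id = ref.split("/")[-2:]
        # CloudFront web ACLs live in the CLOUDFRONT scope on the us-east-1 endpoint
        acl = boto3.client("wafv2", region_name="us-east-1").get_web_acl(
            Name=name, Scope="CLOUDFRONT", Id=acl_id)["WebACL"]
    shield = boto3.client("shield", region_name="us-east-1")
    prots = shield.list_protections()["Protections"]
    problems = check_prerequisites(arn, cfg, acl, prots)
    if problems:
        sys.exit("cannot enable automatic mitigation:\n  " + "\n  ".join(problems))
    shield.enable_application_layer_automatic_response(
        **automatic_response_args(arn, block=False))
    print("automatic mitigation enabled in Count mode for", arn)
```

Run it as `python check_shield_l7.py E1EXAMPLE` with credentials that can read CloudFront, WAFv2 and Shield; it refuses to enable anything while a prerequisite is missing, and when it does enable the feature it starts in Count mode so the generated rules can be reviewed in the web ACL's sampled requests before switching to Block.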

4. Other possible actions for mitigation

You may feel that the price is hard to justify for DDoS attacks whose timing cannot be predicted and that may never come.

A countermeasure you can take with the existing AWS WAF features is a rate-based rule. For details on rate-based rules, see the blog post below.

How to use rate-based rules

Thresholds differ with each website's traffic profile, so the administrator has to decide the limit to set in the rule, ideally from observed peak request rates per client rather than a guess. A rate-based rule counts requests from the same source IP address over a short window (AWS WAF uses a trailing five-minute window), so it is a natural fit for a single-source flood (DoS). In a distributed attack (DDoS) each bot can stay under the threshold and slip through, but the rule still cuts off the heaviest sources, so you can expect it to reduce the impact of a DDoS attack even if it does not stop it.

If your website does not expect visitors from other countries, you can also add a rule that restricts access by the country a request originates from. Allowing only the countries you actually serve shrinks the pool of sources an attacker can use and lowers your exposure to DDoS attacks.

Attackers frequently use a particular tool, and such tools often leave recognizable characteristics in the User-Agent or Referer header. You can write a rule that matches those characteristics, but someone has to be on hand during the attack to identify them and deploy the rule. Having the signatures in place beforehand would be best, but that is hard to do in practice, which is why bot mitigation features are in high demand.
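To make the trade-off between these three rule types concrete, the script below replays constructed access-log lines through a rate-based rule, a country allow-list and a User-Agent signature, each evaluated in count mode so the per-rule hit counts can be compared. It is an added example, not code from the original post or from AWS: the rule semantics (per-IP count over a trailing five-minute window, country allow-list, substring match on the User-Agent header) follow AWS WAF's, but the threshold of 100, the IP ranges, the countries and the "ExampleFlooder" tool signature are made up for the demo. The two scenarios carry the same 150 requests: once from a single IP (DoS), once from 150 IPs (DDoS).

```python
"""Simulated AWS WAF evaluation of a rate-based rule, a geo restriction and a
User-Agent signature over constructed access-log lines.

Added example, not code from the original post or from AWS. Thresholds,
addresses, countries and the "ExampleFlooder" signature are all constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 300        # AWS WAF rate-based rules count per trailing 5-minute window
RATE_LIMIT = 100            # site-specific; derive it from real traffic, never guess
ALLOWED_COUNTRIES = {"JP"}  # hypothetical site that serves Japan only
TOOL_SIGNATURES = ("ExampleFlooder/",)  # constructed attack-tool User-Agent prefix


@dataclass
class Request:
    ts: int          # seconds
    ip: str
    country: str     # ISO 3166-1 alpha-2, as AWS WAF's geo match sees it
    user_agent: str


def parse_log(text: str) -> list[Request]:
    """Tab-separated constructed format: ts, ip, country, user-agent."""
    reqs = []
    for line in text.strip().splitlines():
        ts, ip, country, ua = line.split("\t")
        reqs.append(Request(int(ts), ip, country, ua))
    return sorted(reqs, key=lambda r: r.ts)


class RateBasedRule:
    """Per-IP trailing-window counter. A request matches once its source IP
    has more than `limit` requests inside the window, including this one."""

    def __init__(self, limit: int, window: int = WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.seen: dict[str, deque] = defaultdict(deque)

    def matches(self, r: Request) -> bool:
        q = self.seen[r.ip]
        q.append(r.ts)
        while q[0] <= r.ts - self.window:   # drop requests that left the window
            q.popleft()
        return len(q) > self.limit


def geo_matches(r: Request, allowed=ALLOWED_COUNTRIES) -> bool:
    return r.country not in allowed


def user_agent_matches(r: Request, signatures=TOOL_SIGNATURES) -> bool:
    return any(sig in r.user_agent for sig in signatures)


def evaluate(log_text: str, limit: int = RATE_LIMIT) -> dict:
    """Count, per rule, how many requests it would have matched; 'blocked' is
    how many a web ACL with all three rules in Block mode would stop."""
    rate = RateBasedRule(limit)
    hits = {"rate_based": 0, "geo": 0, "user_agent": 0, "blocked": 0, "total": 0}
    for r in parse_log(log_text):
        matched = {"rate_based": rate.matches(r),
                   "geo": geo_matches(r),
                   "user_agent": user_agent_matches(r)}
        for name, hit in matched.items():
            hits[name] += int(hit)
        hits["blocked"] += int(any(matched.values()))
        hits["total"] += 1
    return hits


def make_log(sources: list[tuple], count: int, spread: int = 60) -> str:
    """Constructed traffic: `count` requests over `spread` seconds, assigned
    round-robin to `sources`, each an (ip, country, user_agent) tuple."""
    lines = []
    for i in range(count):
        ip, country, ua = sources[i % len(sources)]
        lines.append(f"{i * spread // count}\t{ip}\t{country}\t{ua}")
    return "\n".join(lines)


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0"
TOOL_UA = "ExampleFlooder/1.0"

# Scenario A (DoS): 150 requests in one minute from a single Japanese IP
DOS_LOG = make_log([("203.0.113.10", "JP", BROWSER_UA)], 150)
# Scenario B (DDoS): the same 150 requests from 150 IPs, one each,
# 10% of them in Japan, all sent by the tool
DDOS_SOURCES = [(f"198.51.100.{i}",
                 "JP" if i % 10 == 0 else ("US", "DE", "BR")[i % 3],
                 TOOL_UA) for i in range(150)]
DDOS_LOG = make_log(DDOS_SOURCES, 150)

if __name__ == "__main__":
    for label, log in (("DoS", DOS_LOG), ("DDoS", DDOS_LOG)):
        print(label, evaluate(log))
```

In scenario A only the rate-based rule fires, and only from the 101st request on, so the first 100 requests of the flood get through regardless of how fast they arrive; in scenario B the rate-based rule never fires because every bot sends a single request, and it is the country allow-list and the tool signature that catch the traffic. Raising the limit to 200 lets scenario A through entirely, which is the threshold-tuning problem the text describes.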

5. Conclusion

Considering the cost, AWS Shield Advanced is not for everyone. Before adopting it, weigh the value of AWS Shield Response Team (SRT) support and the effectiveness of automatic mitigation against the labor cost of monitoring the site yourself and whether you have staff available to do so.