AWS DDoS Resiliency Best Practices – Whitepaper

Whitepaper on AWS DDoS Resiliency
A single attacker can carry out a denial of service (DoS) attack to make a website or an application unavailable to its users.
A Distributed Denial-of-Service (DDoS) attack is carried out by multiple attackers, or by a group of compromised machines under an attacker's control, that flood the application with requests until it is unavailable to legitimate end users.

Mitigation techniques
Reduce the Attack Surface Area
This is about reducing the attack surface, that is, the various Internet entry points that allow access to your application.
To minimize the attack surface, reduce the number of required Internet entry points:
Do not expose end servers to the public.
Eliminate non-critical Internet access points.
Separate end-user traffic from management traffic.
Hide Internet access points so that only trusted end users can reach them.
Decouple Internet access points to minimize the impact of an attack on any one of them.
Benefits: there is less to monitor and protect.
Amazon Virtual Private Cloud (VPC) helps to create a logically isolated virtual network within AWS:
Allows you to create public and private subnets, so that Internet-facing instances and internal instances can be launched in separate subnets.
Provides a NAT gateway that allows instances in private subnets to reach the Internet without being launched in public subnets with public IPs.
Bastion hosts can be created and used to connect to instances within the private subnets.
Allows you to create security groups for instances and NACLs for subnets. These act as firewalls to limit and control inbound and outbound traffic.
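As an added example that is not part of the whitepaper, the following Python audit applies the attack-surface rules above to security group ingress rules in the shape returned by the EC2 describe_security_groups API: management ports reachable from the whole Internet, non-critical ports open to the Internet, and all-traffic rules are reported. The sample groups, the port sets and the finding wording are constructed assumptions, not real account data.

```python
from ipaddress import ip_network

# Management ports that must never be reachable from the whole Internet (bastion access only).
MANAGEMENT_PORTS = {22, 3389}
# Ports end users legitimately reach; normally only a load balancer or CloudFront origin opens them.
PUBLIC_PORTS = {80, 443}

def is_public_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any Internet source."""
    return ip_network(cidr).prefixlen == 0

def audit_security_group(sg):
    """Return (group_id, port, reason) findings for one group; rules that only reference other security groups (UserIdGroupPairs) are not public and are skipped."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(is_public_cidr(c) for c in sources):
            continue
        if rule.get("IpProtocol") == "-1":  # -1 means every protocol and every port
            findings.append((sg["GroupId"], "all", "all traffic open to the Internet"))
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        exposed = set(range(lo, hi + 1))
        for port in sorted(exposed & MANAGEMENT_PORTS):
            findings.append((sg["GroupId"], port, "management port open to the Internet"))
        if exposed - PUBLIC_PORTS - MANAGEMENT_PORTS:
            findings.append((sg["GroupId"], f"{lo}-{hi}", "non-critical Internet entry point"))
    return findings

def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]

# Constructed sample groups (assumed, not real account data), in describe_security_groups() shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        # SSH only from the bastion's group; application traffic only from inside the VPC.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
```

Running audit_all(SAMPLE_GROUPS) reports the SSH rule on sg-web and the all-traffic rule on sg-legacy, while sg-app, which only admits the bastion group and VPC-internal sources, produces no findings.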
Be ready to scale to absorb the attack
A DDoS attack primarily targets systems until they are unable to handle the load and are rendered inoperable.
Scaling out helps build a resilient architecture. Benefits:
Makes the attacker work harder
Gives you time to think, analyze, and adapt
AWS services include:

Auto Scaling & ELB
Horizontal scaling using Auto Scaling with ELB:
Auto Scaling allows for instances to be added or removed as demand changes
ELB distributes traffic between multiple EC2 instances and acts as a single point of contact.
Auto Scaling registers and deregisters EC2 instances with the ELB automatically during scale-out or scale-in events.
EC2 Instance
Vertical scaling is possible by using the appropriate EC2 instance types; for example, EBS-optimized instances or ones with 10 Gigabit network connectivity are better suited to handle the load.

Enhanced Networking
Use instances with enhanced networking capabilities, which provide high packet-per-second performance, low network latency, and improved scaling.
Amazon CloudFront
CloudFront acts as a proxy between end users and origin servers and distributes content to end users without sending traffic directly to the origin servers.
CloudFront can help protect against DDoS attacks on infrastructure and application layers by spreading traffic to multiple locations.
AWS has multiple Internet connections at each location for capacity and redundancy. This allows it to isolate malicious traffic while still serving content to legitimate users.
CloudFront can filter requests so that only valid TCP connections are established and only well-formed HTTP requests are forwarded to the origin; invalid requests are dropped. This relieves the origin of handling invalid traffic, which is typical of UDP and SYN floods and slow-read attacks.
Route 53
DDoS attacks also target DNS. If the DNS is down, your application will be inaccessible.
AWS Route 53 is a highly available and scalable DNS service that can keep the application reachable even under a DDoS attack.

Shuffle Sharding
Shuffle sharding is similar in concept to database sharding.