All about AWS Shield

Every provider of web-based services knew they needed to beef up security against DDoS (Distributed Denial of Service) attacks after a successful attack on DNS provider Dyn caused major disruptions at several sites, including Twitter, Spotify, and Netflix. The No. 1 cloud-service provider, Amazon Web Services, responded by strengthening its AWS Shield service to safeguard web applications from DDoS attacks.

If you’re unsure exactly what a DDoS attack is, here are the three common types:

  • Application-Layer Attacks: These attempt to consume all resources of the application through malicious (although well-formed) requests, such as HTTP GETs.
  • State-Exhaustion Attacks: These consume a high number of per-connection resources and put stress on firewalls and load balancers by abusing stateful protocols.
  • Volumetric/Reflection Attacks: These flood the network with excessive traffic, or issue spoofed queries so that many unsolicited (“surprise”) replies flood the network.

AWS created Shield, a protection service designed to safeguard web applications running on AWS, to deal with these and less common DDoS attacks; how much it covers depends on the tier you buy.

It does this for all customers by providing “always-on detection and automatic inline mitigations that minimize application downtime and latency, so there’s no need to engage AWS Support to benefit from DDoS protection.”

Every customer automatically gets AWS Shield Standard, the first tier, at no additional charge. Shield Standard helps defend against the most common network- and transport-layer DDoS attacks that target websites and applications.

AWS Shield Advanced comes with many more features, although at a much higher price point.

Comparing Shield Standard and Shield Advanced

AWS Shield Standard (free)

Shield Standard has two key features: quick detection and inline attack mitigation.

With the no-extra-charge tier (Standard), you get nonstop, 24/7 network flow monitoring. It inspects incoming traffic to AWS and uses multiple analysis techniques so it can detect malicious traffic immediately.

Additionally, AWS immediately protects all of its users against the most common infrastructure (layer 3 and 4) attacks. According to Amazon, “Automatic mitigations are applied inline to your applications so there is no latency impact.” The result is almost no application downtime, with protection delivered automatically through constant detection and inline mitigation.

How does it mitigate attacks automatically without impacting your applications? Through multiple techniques, such as deterministic packet filtering. Additionally, you can write rules in AWS WAF (Web Application Firewall) to mitigate application-layer DDoS attacks.

AWS Shield Advanced ($3,000/month)

Sometimes the standard shield just isn’t enough. Beyond its fairly hefty price tag, what features does AWS Shield Advanced have that the standard version doesn’t?

  • All common network and transport layer protections that come with AWS Shield Standard
  • Protects web applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 resources against attacks and DDoS-related spikes
  • DDoS cost protection so your bill doesn’t spike after a DDoS attack
  • Additional detection and mitigation against large and sophisticated DDoS attacks, including volumetric attacks, intelligent attack detections, and mitigation for attacks at the application and network layers
  • Advanced, real-time visibility into attacks, metrics, and reports
  • Integration with AWS WAF, a web application firewall
  • 24/7 access to the AWS DDoS Response Team (DRT)
  • Protection against DDoS-related spikes in your ELB, CloudFront, or Route 53 charges

Let’s talk about a few of these in more detail.

  • Enhanced Detection: AWS Shield Advanced monitors application-layer traffic to your ELB, Amazon CloudFront, or Amazon Route 53 resources and inspects network flows. It uses resource-specific monitoring, among other things, to provide granular detection of DDoS attacks. It baselines traffic on your resource and identifies abnormalities, detecting attacks like HTTP floods or DNS query floods.
  • Advanced Attack Mitigation: The AWS DRT applies manual mitigations for complex and sophisticated DDoS attacks that AWS Shield Standard can’t handle, and provides additional mitigation capacity to protect you from large attacks. Users get AWS WAF at no additional charge to respond to application-layer attack incidents. You can block or respond to bad traffic and other incidents immediately by setting up proactive rules in AWS WAF, such as rate-based blacklisting. Advanced customers can also have the DRT diagnose the attack and apply mitigations, with permission given per incident or through prior authorization.
  • Visibility and Attack Notification: Amazon CloudWatch gives you full visibility into, and real-time alerts for, DDoS attacks, plus access to post-event analysis and investigation with the DRT. The “AWS WAF and AWS Shield” Management Console also gives users a summary of prior attacks.
  • DDoS Cost Protection: This could be a significant cost saver. DDoS cost protection is a “safeguard from scaling charges as a result of a DDoS attack that caused usage spikes on Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53.” Instructions for requesting service credits after such events are on the AWS website.
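To make the rate-based WAF rule idea mentioned above concrete, here is an added Python example (not AWS or AWS WAF code) that applies the same logic offline to a constructed access log: it counts requests per source IP over a trailing five-minute window and flags any source that exceeds a threshold, while a source that is merely busy over a long period never trips the windowed count even though its total does. The log format, addresses, window and threshold are all assumptions made for this example.

```python
"""Per-source-IP request-rate detector over a trailing window (added
illustration of a rate-based rule, not AWS code). The log format, window,
threshold and addresses below are constructed for this example."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # trailing evaluation window (assumed)
THRESHOLD = 5                  # requests per window before flagging (deliberately low)

# Constructed access log, chronological: "<ISO-8601 time> <client IP> <method> <path>"
SAMPLE_LOG = """\
2017-01-10T12:00:00 198.51.100.7 GET /index.html
2017-01-10T12:00:05 203.0.113.9 GET /index.html
2017-01-10T12:00:06 203.0.113.9 GET /index.html
2017-01-10T12:00:07 203.0.113.9 GET /index.html
2017-01-10T12:00:08 203.0.113.9 GET /index.html
2017-01-10T12:00:09 203.0.113.9 GET /index.html
2017-01-10T12:00:10 203.0.113.9 GET /index.html
2017-01-10T12:00:30 192.0.2.55 GET /api/items
2017-01-10T12:01:00 198.51.100.7 GET /about.html
2017-01-10T12:02:30 192.0.2.55 GET /api/items
2017-01-10T12:04:30 192.0.2.55 GET /api/items
2017-01-10T12:06:30 192.0.2.55 GET /api/items
2017-01-10T12:08:30 192.0.2.55 GET /api/items
2017-01-10T12:10:30 192.0.2.55 GET /api/items
"""

def parse_line(line):
    """Return (timestamp, client_ip) from one constructed log line."""
    ts, ip, _method, _path = line.split()
    return datetime.fromisoformat(ts), ip

def total_requests(lines):
    """Naive per-IP totals, for contrast with the windowed count."""
    return dict(Counter(parse_line(l)[1] for l in filter(str.strip, lines)))

def flag_rate_exceeders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: ISO time of the request at which ip first exceeded threshold within window}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the trailing window
    flagged = {}
    for line in filter(str.strip, lines):
        ts, ip = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire requests that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged
```

Running `flag_rate_exceeders(SAMPLE_LOG.splitlines())` flags only 203.0.113.9 (six requests in five seconds), whereas 192.0.2.55 also makes six requests in total but never more than three inside any five-minute window.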

Here’s a concise checklist of what’s offered in the standard and advanced shields.

Is it worth it to buy AWS Shield Advanced?

The short answer: probably not.

AWS Shield Standard protects against all of the most common attacks. If you already have an expert security team, Shield Standard combined with additional Web Application Firewall deployments is an extensive defense, sufficient for most businesses.

It’s worth repeating that with Shield Standard you must purchase AWS WAF separately and design your own layer 7 protection and mitigation processes. AWS WAF is included with AWS Shield Advanced, along with DRT assistance for layer 7 attacks.

With Shield Standard, you retain full control over monitoring and mitigating layer 7 attacks. If instead you don’t have a security team, or don’t want to handle attack defense yourself, AWS Shield Advanced might be the choice for you: AWS takes on the DDoS protection and mitigation responsibility for layer 3, layer 4, and layer 7 attacks.

AWS Shield Standard is great protection for almost all users, especially those with an expert security team. If you want AWS to handle almost everything on the security side for you, or if your business is a likely DDoS attack target, springing for the $3,000/month service will cover these bases.

So, generally speaking, the free AWS Shield Standard is the way to go, unless you really feel you are a prime DDoS target and need the extra features.
