As cloud computing rapidly grows and spreads across all forms of businesses and enterprises, it has also boosted the world of IT to a whole new level. With the cloud's flexible costs, always-on availability, and improved collaboration, it's no wonder many organizations both large and small are using it for growth and efficiency.
But there’s a darker flip side to the benefits. The popularity of the cloud has also attracted hackers who have launched several kinds of cyberattacks and threats to cloud-based businesses. A massive Distributed Denial of Service (DDoS) attack in October against leading cloud-based DNS provider Dyn brought down much of America’s Internet for few hours. This attack, one of the most destructive of its kind, brought down sites including Netflix, Reddit, CNN, Twitter, and The Guardian. The primary source of this attack was orchestrated using Mirai botnets, which are made up of Internet of Things (IoT), unlike other botnets, which are made up of regular computers. And since the Mirai botnets involve Internet-connected devices, attacks from Mirai are much stronger and disastrous from what normal DDoS attacks could previously achieve.
As a countermove and a defensive measure to such DDoS attacks, Amazon’s cloud-computing division unveiled a new service called the AWS Shield, equipped with DDoS attack-mitigation technology.
Why AWS Shield?
Amazon Web Services introduced AWS Shield to protect and safeguard web applications running on AWS against the growing cyberattacks on the cloud. AWS Shield provides automatic inline mitigation from DDoS based cyberattacks to reduce the downtime and latency. Moreover, it comes with an always-on detection mechanism, which supports and benefits its users from cyberattacks. According to a recent survey, there was a 73 percent increase in 2016’s peak attack size over 2015. The survey also stated that an average of 124,000 attacks occurred every week for the past 18 months.
How does AWS Shield work?
In a DDoS attack, hackers target a single system at a time causing the denial of service. A DDoS attack is made in an attempt to make an online service such as a website or web service unavailable by overwhelming it with junk traffic. There are different kinds of DDoS attacks. Here are the most common:
- Volumetric attacks: A website or a web service is disrupted by flooding it with heavy traffic beyond the website’s capacity. This is done by issuing fake queries, saturating the bandwidth with UDP floods, ICMP floods, and spoofed packet floods.
- Application and network attacks: In this type of DDoS attack, the attackers target the web servers and crash the servers by flooding them with GET/POST requests or DNS queries.
- State-exhaustion or protocol attacks: This attack consumes all the resources from the servers by abusing protocols such as Ping of Death, Smurf DDoS, and fragmented packet attacks. This type of attack causes a load on firewalls and load balancers, which results in the victim website’s crash.
And this is where AWS Shield steps in. AWS Shield works in conjunction with most of AWS products such as Amazon Cloud Front, Amazon Route 53, and Elastic Load Balancing. And, according to Amazon, it will protect its customers from these DDoS network threats.
As a countermeasure to these attacks, AWS’s infrastructure is designed in such a way to be DDoS-resilient and is bolstered with DDoS mitigation systems that can automatically detect and filter excess traffic 24/7. Moreover, AWS Shield also allows you to deploy a web application firewall alongside for enhanced security.
Launched in two versions
AWS Shield provides you with managed DDoS protection of all your web applications and services. The service has two tiers:
AWS Shield Standard
AWS Shield Standard is the free variant of AWS Shield, and it is available to all existing AWS customers. This variant is said to protect users from almost 96 percent of DDoS attacks, including SYN/ACK floods, HTTP slow reads, and reflection attacks. This service is transparent and is automatically applied to almost all AWS services such as Elastic Load Balancers, CloudFront distributions, and Route 53 resources.
AWS Shield Advanced
This version of AWS Shield, as the name suggests, provides an advanced level of security from more sophisticated DDoS attacks, most prominently volumetric attacks. The Advanced service is available only to the customers who are enrolled in the Enterprise or Business Support levels of AWS Premium Support.
AWS Shield Advanced is a paid service and comes with a subscription commitment of at least one year at $3,000 per month. You'll also have to pay data-transfer usage costs, which vary with the data-transmission speeds and package. It also offers 24/7 access to the DDoS Response Team (DRT) for dealing with custom mitigations during attacks. Another feature is what Amazon calls “DDoS cost protection,” which is meant to safeguard users against unexpected billing spikes. It also offers an intelligent attack detection mechanism and can mitigate DDoS attacks against application and network layers.
By default, AWS Shield Advanced allows you to enable up to 100 resources. If you wish to add more than 100 resources, you can always increase the limit at a cost. For more information on costs of AWS Shield, click here.
Advantages and benefits
By using AWS Shield, you not only protect your website or web service from all forms of DDoS attacks, you also get these advantages and benefits:
Easy to use
Like most AWS products, Shield is an easy-to-use service that is designed to allow application providers, ISVs, and vendors to quickly and easily host your applications. AWS Shield can be used on an existing application or on a new Software as a Service-based application using the AWS management console.
As mentioned earlier, AWS Shield Standard is a completely free service that is automatically applied to all existing customers. Though the Advanced version is a paid service, you only pay for what you use. AWS Shield doesn't involve any long-term contracts or up-front commitments. It initially comes with a one-year commitment, and its monthly payment structure and options to extend the resources makes it cost effective.
AWS Shield is very flexible and customizable. It allows the user to select the operating system, web application platform, database, and programming language based on the user’s comfort level. One can always choose specific components and resources in their AWS environment to be protected using AWS Shield. In addition to that, the migration process for existing applications is very easy and it also preserves existing options for building new solutions.
Since attackers have already started using the Internet of Things as a weapon for DDoS attacks, the security of the cloud-based IT industry is facing enormous risks. AWS Shield offers all the mitigation techniques to deal with these kinds of attacks. While Google already has its own DDoS protection service called Project Shield, it is limited only to few websites. AWS Shield, however, can be used across any website or service, making it universal across all AWS services and products. But with hackers learning new tricks and techniques every day, will this be sufficient to safeguard cloud-based services completely? We’ll have to wait and watch.
Photo credit: Wikipedia