AWS Shield – Protection against DDoS attacks!

Updated 9 May 2022

DDoS (Distributed Denial of Service) attacks are still a big threat to online businesses. Attackers use massive volumes of traffic from multiple sources to bring down a victim’s web applications, a tactic that is also used for DDoS extortion.

DDoS attack defense is one of the top security concerns on the web today, regardless of the attacker’s purpose, because disruption of availability can result in financial losses, reputational damage, and other undesirable repercussions.

There are basically 3 types of DDoS attacks –

Volume-based Attacks

These attacks, which are the most common sort of DDoS, use methods to create huge amounts of traffic in order to completely saturate bandwidth, causing a traffic jam that prevents genuine traffic from flowing into or out of the targeted site.

Protocol Based Attacks

By consuming enormous amounts of per-connection resources, these attacks misuse stateful protocols and therefore put a strain on firewalls and load balancers.

Application Layer Attacks

Some of the most advanced DDoS attacks take advantage of flaws in the application layer by establishing connections and launching process and transaction requests that consume finite resources such as disk space and memory.

In our last blog, we discussed AWS WAF (Web Application Firewall), which is also used to protect web applications from threats by letting you set up rules that allow, block, or count web requests based on conditions.

Here we will discuss another AWS security service, AWS Shield.

What is AWS Shield?

AWS Shield is a managed DDoS protection service for applications hosted on AWS. It inspects traffic in real time and applies mitigations automatically in order to avoid performance degradation.

It inspects incoming requests quickly and blocks harmful traffic using a combination of techniques (traffic signatures, anomaly algorithms, packet filtering, and others).

There are two tiers of AWS Shield –

AWS Shield Standard (Free Service)

It is a free service offered to all AWS customers. It guards you against 96% of today’s most prevalent attacks, such as SYN/ACK floods, reflection attacks, and HTTP slow reads.

This protection is deployed to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources automatically and transparently.

AWS Shield Advanced (Paid Service)

It is a paid service that adds volumetric DDoS mitigation, sophisticated attack detection, and mitigation for attacks at the application as well as network layers to AWS Shield.

You also have 24x7 access to the AWS DDoS Response Team (DRT, now called the Shield Response Team, SRT) for tailored mitigation during attacks.

Benefits of using AWS Shield

There are multiple benefits of using AWS Shield Standard and Advanced –

Benefits from AWS Shield Standard
  • AWS Shield Standard provides automatic protections to all AWS users at no additional cost.
  • It can be used with an existing application or a new Software-as-a-Service application.
  • It protects your website or applications against the most common and frequent network and transport layer DDoS attacks.
  • It continuously analyses network traffic and, using traffic signatures, anomaly algorithms, and other techniques, detects malicious traffic in real time.
  • It uses several approaches to mitigate attacks automatically without affecting applications, such as deterministic packet filtering and priority-based traffic shaping.

Benefits from AWS Shield Advanced

You can further subscribe to AWS Shield Advanced for enhanced protection against threats aimed at your AWS applications –

  • Unlike Shield Standard, it is not free: users must commit to a 1-year subscription and pay both a fixed monthly charge and usage fees.
  • By integrating with Elastic Load Balancing, Amazon CloudFront, Amazon Route 53, and Amazon EC2, customers can monitor network logs and gain better visibility at the application layer.
  • Shield Advanced also identifies application layer attacks such as HTTP or DNS query floods by analysing traffic to your application and looking for irregularities.
  • It automatically mitigates DDoS attacks against applications by allocating the infrastructure resources needed to absorb large-scale attacks.
  • Customers with AWS Shield Advanced have access to the DDoS Response Team (DRT), which is available 24x7 and applies manual mitigations when necessary.
  • All resource types supported by Shield Advanced (Elastic IP, ELB, CloudFront, Global Accelerator, and Route 53) can use health-based detection.
    • In other words, Shield Advanced can detect attacks affecting your application’s health more rapidly and at lower traffic levels.
  • AWS Shield Advanced lets you group resources into protection groups, so you can define the scope of detection and mitigation for your application by treating many resources as a single unit.
  • You can always get a real-time report containing Amazon CloudWatch data and attack diagnostics, as well as the current status of your DDoS protection.

How does AWS Shield work?

At the network and transport layers as well as the application layer, AWS Shield Standard and AWS Shield Advanced provide protection against DDoS attacks on resources.

Shield Standard provides automatic protection to all customers who use Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing at no additional cost.

Through its integration with AWS WAF, it lets organizations build custom web access control lists (web ACLs) whose traffic inspection conditions become rules. Each rule has a corresponding action (allow, block, or count).

The count mode lets organizations observe traffic patterns and decide whether to run a given rule in allow or block mode.

The rate-based rule is one of the clearest examples of this. If a single IP address sends more than 2,000 requests in a five-minute period, its requests are automatically blocked by this rule.
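The rate-based rule described above, as an added example that is not code from the original post: it replays constructed request records through the 2,000-requests-per-five-minutes rule, first in count mode and then in block mode, using a per-request sliding window (the real service evaluates rate rules periodically rather than on every request, so this is an idealized model of the behaviour).

```python
from collections import defaultdict, deque

RATE_LIMIT = 2000       # requests allowed per client IP ...
WINDOW_SECONDS = 300    # ... within any five-minute window


def evaluate_rate_rule(requests, action="COUNT", limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """Replay (epoch_seconds, client_ip) records, oldest first, through a rate-based rule.

    Returns (decisions, matches): one 'ALLOW'/'BLOCK' decision per request, and a
    dict of client_ip -> number of requests that exceeded the limit. In COUNT mode
    matches are recorded but nothing is blocked, which is how a rule is observed
    before it is switched to BLOCK.
    """
    recent = defaultdict(deque)          # per-IP timestamps still inside the window
    decisions, matches = [], defaultdict(int)
    for ts, ip in requests:
        window_q = recent[ip]
        window_q.append(ts)
        while ts - window_q[0] >= window:   # drop timestamps older than five minutes
            window_q.popleft()
        if len(window_q) > limit:           # this request is the 2,001st (or later) in the window
            matches[ip] += 1
            decisions.append("BLOCK" if action == "BLOCK" else "ALLOW")
        else:
            decisions.append("ALLOW")
    return decisions, dict(matches)


def constructed_traffic():
    """Constructed sample (documentation IPs): one client sends 2,500 requests in
    four minutes, a second client sends 300 requests spread over five minutes."""
    t0 = 1_700_000_000
    flood = [(t0 + (i * 240) // 2500, "203.0.113.9") for i in range(2500)]
    normal = [(t0 + i, "198.51.100.4") for i in range(300)]
    return sorted(flood + normal)


if __name__ == "__main__":
    for mode in ("COUNT", "BLOCK"):
        decisions, matches = evaluate_rate_rule(constructed_traffic(), action=mode)
        print(mode, "blocked:", decisions.count("BLOCK"), "over limit:", matches)
```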

AWS Shield Pricing

AWS Shield Advanced is a paid service –

  • It adds additional security to Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, Global Accelerator, and Amazon Route 53 applications.
  • All AWS customers can subscribe to AWS Shield Advanced.
  • Customers on the Business or Enterprise tiers of AWS Premium Support can contact the AWS Shield Response Team.
  • It charges a monthly fee and requires a one-year subscription commitment.
  • It also charges a fee for data transfer out of Amazon CloudFront, Elastic Load Balancing (ELB), Amazon Elastic Compute Cloud (EC2), and Global Accelerator.

Note – These fees are in addition to the regular charges for Amazon CloudFront, Amazon Route 53, Amazon Elastic Compute Cloud (EC2), and Global Accelerator.

Pricing                 | AWS Shield Standard | AWS Shield Advanced
Subscription            | None                | 1 Year
Monthly fees (*)        | None                | $3000
Data Transfer Fees (**) | None                | As per the table below (Data Transfer Out)

Conditions –

(*) – If your company has several AWS accounts, you pay the monthly fee only once, as long as your organization owns all of those accounts and the resources in them; AWS Channel Resellers pay a separate monthly fee for each member account.

(**) – In addition to the regular fees for Elastic Load Balancing (ELB), Amazon CloudFront, Amazon Route 53, Global Accelerator, and Amazon EC2.

Data Transfer Out Fees (per GB) | AWS ELB | AWS CloudFront | AWS Global Accelerator | Elastic IP (EC2 and Load Balancer) | AWS Route 53
First 100 TB | $0.05   | $0.025  | $0.025  | $0.05   | None
Next 400 TB  | $0.04   | $0.02   | $0.02   | $0.04   | None
Next 500 TB  | $0.03   | $0.015  | $0.015  | $0.03   | None
Next 4 PB    | Support | $0.01   | $0.01   | Support | None
Above 5 PB   | Support | Support | Support | Support | None

For further details about pricing, please refer to AWS Shield Pricing.

AWS Shield vs AWS WAF

AWS WAF is also used to secure your web apps by filtering, monitoring, and blocking threatening requests. Let’s discuss the differences between these services –

AWS Shield | AWS WAF
The infrastructure layers of the OSI model are protected by AWS Shield. | The application layer of the OSI model is protected by AWS WAF (Web Application Firewall).
It protects against DDoS (Distributed Denial of Service) attacks. | It protects your resources from harmful or unauthorized access.
AWS Shield comes with two options: 1) Shield Standard, enabled by default at no extra cost; 2) Shield Advanced, which has a price associated with it. | WAF has a cost associated with it and is not turned on automatically.
Protects mostly against UDP reflection, SYN flood, DNS flood, and HTTP flood. | It safeguards against SQL Injection, Cross-Site Scripting, DDoS, and other typical web attacks.

Which one to use: AWS Shield or AWS WAF?

As it turns out, both AWS WAF and AWS Shield should be used; it is not a matter of choosing one over the other.

AWS WAF and AWS Shield can defend each other’s vulnerable areas from security threats.

It’s not that you’re safe because you’ve enabled one or the other; rather, employing both together provides the optimum cloud security.

How to setup AWS Shield

You can follow these steps to configure AWS Shield for your AWS account –

Step 1 – Sign in to your AWS Console and navigate to ‘AWS Shield’.

Step 2 – In the WAF & Shield panel, click ‘Getting started’ on the left-hand side.

Then, on the right-hand side, click ‘Subscribe to Shield Advanced’.

Step 3 – To subscribe to AWS Shield Advanced, you need to accept all the terms and conditions.

Select all checkboxes to proceed, then click the ‘Subscribe’ button.

Step 4 – You have now successfully subscribed to Shield Advanced protection.

Next, proceed to ‘Add resources to Protect’.

Step 5 – Click ‘Add resources to Protect’ to add resources.

Step 6 – Choose the Region, then the resource type you want to protect, and click ‘Load more resources’ to add further resources.

Note –

Subscription alone does not grant access to all features, such as the AWS Shield Response Team (SRT), which can provide immediate support during an attack (including proactive event response, i.e. they start mitigating the attack as soon as they notice it).

You must also sign up for Business or Enterprise support to receive SRT help.

With that, AWS Shield Advanced is configured for your AWS resources.
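The same subscription and protection steps driven through the Shield API, as an added example that is not code from the original post: it checks that each ARN is one of the resource types Shield Advanced can protect, derives a valid protection name, and only then calls the API via boto3. The ARNs in the sample are constructed placeholders, not real resources.

```python
import re

# Resource types Shield Advanced can protect (the page's list), keyed by ARN prefix
SUPPORTED_ARN_PREFIXES = {
    "arn:aws:cloudfront::": "CloudFront distribution",
    "arn:aws:elasticloadbalancing:": "Elastic Load Balancer",
    "arn:aws:globalaccelerator::": "Global Accelerator",
    "arn:aws:route53:::hostedzone/": "Route 53 hosted zone",
}
# CreateProtection's Name accepts only letters, digits, space, '_', '.' and '-'
NAME_BAD_CHARS = re.compile(r"[^ a-zA-Z0-9_.\-]")


def resource_kind(arn):
    """Return the protectable resource type for an ARN, or raise ValueError."""
    if arn.startswith("arn:aws:ec2:") and ":eip-allocation/" in arn:
        return "Elastic IP"
    for prefix, kind in SUPPORTED_ARN_PREFIXES.items():
        if arn.startswith(prefix):
            return kind
    raise ValueError(f"not a resource type Shield Advanced can protect: {arn}")


def plan_protections(arns):
    """Validate ARNs and build the CreateProtection parameters for each one."""
    plan = []
    for arn in arns:
        kind = resource_kind(arn)
        resource_part = arn.split(":", 5)[5]            # e.g. distribution/EXAMPLEDIST
        name = NAME_BAD_CHARS.sub("-", resource_part)[:128]
        plan.append({"Name": name, "ResourceArn": arn, "Kind": kind})
    return plan


def apply_plan(plan, region="us-east-1"):
    """Steps 3, 5 and 6 via the API (needs boto3 and credentials; Shield is served from us-east-1)."""
    import boto3
    shield = boto3.client("shield", region_name=region)
    try:
        shield.describe_subscription()
    except shield.exceptions.ResourceNotFoundException:
        shield.create_subscription()                     # starts the one-year commitment
    for entry in plan:
        shield.create_protection(Name=entry["Name"], ResourceArn=entry["ResourceArn"])


if __name__ == "__main__":
    sample = [  # constructed placeholder ARNs
        "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST",
        "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0",
    ]
    for entry in plan_protections(sample):
        print(entry)
```

Call `apply_plan(plan_protections(sample))` from a session with Shield permissions to perform the subscription and protection calls for real.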

Conclusion

Security is a process, not a product. Users who want to integrate security in their environments should start with AWS WAF and AWS Shield.

In many cases, the protection provided by AWS Shield Standard is adequate to meet the demands of organizations.

However, we suggest combining AWS WAF with additional AWS services (Amazon CloudFront CDN, Route 53) to strengthen the built-in protection, which can often provide appropriate attack prevention and mitigation.

Need Help?

Thank you for reading this blog!

For more interesting blogs, keep in touch with us. If you need any kind of support, simply raise a ticket at https://webkul.uvdesk.com/en/.
