AWS Shield
Distributed denial-of-service attacks can be defined as cyberattacks in which many different compromised sources generate traffic intended to make a computer or network resource unavailable to its originally intended users. Classic firewalling techniques are challenged by DDoS attacks for two main reasons: blocking traffic requires the characterization of all sources, and firewall capacity may also be at risk when dealing with a high number of connections.
To protect applications deployed in the AWS Cloud from such attacks, Amazon offers AWS Shield. This service provides continuous detection and automatic inline mitigation that minimize application downtime or performance degradation under DDoS attack, at two different levels: AWS Shield Standard and AWS Shield Advanced.
AWS Shield Standard is a no-cost version that defends your environment against the most common, well-known network (layer 3) and transport (layer 4) infrastructure attacks. It relies on detection techniques such as network flow monitoring, a combination of traffic signatures, and anomaly algorithms. Additionally, it mitigates attacks through inline mechanisms, which include deterministic packet filtering, priority-based traffic shaping, and rules in AWS WAF. More importantly, AWS Shield Standard is activated by default in all AWS accounts, without any configuration required. On the other hand, AWS Shield Advanced requires a subscription and configuration. The AWS Shield Advanced Overview page in the console provides guidance for service setup, along with additional configuration options that make collaboration with the AWS Shield Response Team (SRT) more effective.
Note: AWS Shield Advanced is not activated by default. As of this writing, AWS charges $3,000 per month, including all accounts on AWS Organizations (with a 12-month commitment), plus additional data transfer fees for AWS Shield Advanced.
AWS Shield Advanced enables additional detection and mitigation against larger and more sophisticated DDoS attacks on Amazon EC2, ELB, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced provides the following distinct features:
- Near Real-Time Visibility and Reporting: Layer 3 and 4 attack notifications and attack forensic reports, as well as historical reports for layer 3, 4, and 7 attacks.
- Integration with AWS WAF: You can respond to incidents as they occur via customizable rules that you can deploy instantly in AWS WAF (which is also included in AWS Shield Advanced at no extra cost) to quickly mitigate attacks.
- 24/7 Access to the AWS Shield Response Team (SRT): For manual mitigation of edge cases affecting your availability, such as custom rules intended to mitigate application layer DDoS attacks in your environments.
- Cost Protection: Protection against DDoS-related cost spikes on AWS Shield Advanced protected resources, delivered as service credits for the increased utilization of Amazon EC2, ELB, Amazon Route 53, Amazon CloudFront, and AWS Global Accelerator caused by an attack.
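The text above makes three points that are worth verifying from the account side: Shield Standard is on regardless of configuration, Shield Advanced only helps once it is subscribed and resources are actually placed under protection, and SRT engagement depends on a role the team can assume. The following posture check is an added example, not code from the original post or from AWS. It is written against the boto3 Shield client API (describe_subscription, list_protections, describe_drt_access, list_attacks); the client is injected so the same function runs against a real boto3 client (boto3.client("shield")) or, as here, a constructed fake so the file runs offline. The ARNs, account id and attack summary are constructed sample values.

```python
"""Posture check for AWS Shield (added example, not AWS or the author's code).

Written against the boto3 Shield client API: describe_subscription,
list_protections, describe_drt_access and list_attacks. The client is
injected, so pass boto3.client("shield") for a real account or the
constructed FakeShieldClient below to run offline.
"""
from datetime import datetime, timedelta, timezone


def _not_found(exc):
    # botocore builds exception classes dynamically; Shield raises
    # ResourceNotFoundException when there is no Advanced subscription or
    # no SRT role, so match on the class name instead of importing it.
    return type(exc).__name__ == "ResourceNotFoundException"


def shield_posture(client, lookback_days=30, now=None):
    """Summarise an account's Shield configuration as a plain dict."""
    now = now or datetime.now(timezone.utc)
    posture = {"tier": "Standard", "auto_renew": None, "protected_resources": [],
               "srt_role": None, "recent_attacks": 0, "findings": []}
    try:
        sub = client.describe_subscription()["Subscription"]
    except Exception as exc:
        if not _not_found(exc):
            raise
        # Shield Standard needs no subscription: layer 3/4 protection still applies.
        posture["findings"].append("no Shield Advanced subscription: only default layer 3/4 protection")
        return posture

    posture["tier"] = "Advanced"
    posture["auto_renew"] = sub.get("AutoRenew")
    if sub.get("AutoRenew") == "DISABLED":
        posture["findings"].append("Shield Advanced subscription will not auto-renew")

    # Protections are paginated; follow NextToken until exhausted.
    token = None
    while True:
        page = client.list_protections(**({"NextToken": token} if token else {}))
        posture["protected_resources"] += [p["ResourceArn"] for p in page.get("Protections", [])]
        token = page.get("NextToken")
        if not token:
            break
    if not posture["protected_resources"]:
        posture["findings"].append("Shield Advanced subscribed but no resources are protected")

    # SRT assistance during an attack requires an associated role.
    try:
        posture["srt_role"] = client.describe_drt_access().get("RoleArn")
    except Exception as exc:
        if not _not_found(exc):
            raise
    if not posture["srt_role"]:
        posture["findings"].append("no SRT access role associated")

    # Attack visibility: count attacks detected in the lookback window.
    window = {"FromInclusive": now - timedelta(days=lookback_days), "ToExclusive": now}
    posture["recent_attacks"] = len(client.list_attacks(StartTime=window).get("AttackSummaries", []))
    return posture


# ---- constructed fake client for offline runs (mimics the boto3 subset used above) ----
class ResourceNotFoundException(Exception):
    pass


class FakeShieldClient:
    def __init__(self, subscription=None, protections=(), drt_role=None, attacks=()):
        self._sub, self._prot = subscription, list(protections)
        self._role, self._attacks = drt_role, list(attacks)

    def describe_subscription(self):
        if self._sub is None:
            raise ResourceNotFoundException("The subscription does not exist.")
        return {"Subscription": self._sub}

    def list_protections(self, NextToken=None, MaxResults=None):
        # One protection per page so the pagination loop is exercised.
        i = int(NextToken or 0)
        page = {"Protections": self._prot[i:i + 1]}
        if i + 1 < len(self._prot):
            page["NextToken"] = str(i + 1)
        return page

    def describe_drt_access(self):
        if self._role is None:
            raise ResourceNotFoundException("No SRT role associated.")
        return {"RoleArn": self._role, "LogBucketList": []}

    def list_attacks(self, StartTime=None, EndTime=None, **_):
        return {"AttackSummaries": self._attacks}


# Constructed sample accounts (account id, ARNs and attack id are placeholders).
STANDARD_ONLY = FakeShieldClient()
ADVANCED = FakeShieldClient(
    subscription={"AutoRenew": "ENABLED", "TimeCommitmentInSeconds": 31536000},
    protections=[
        {"Id": "p1", "Name": "web-alb",
         "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/abc"},
        {"Id": "p2", "Name": "web-cdn", "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"},
    ],
    drt_role="arn:aws:iam::123456789012:role/ShieldSRTAccess",
    attacks=[{"AttackId": "atk-example-1", "AttackVectors": [{"VectorType": "SYN_FLOOD"}]}],
)

if __name__ == "__main__":
    for name, client in (("standard-only", STANDARD_ONLY), ("advanced", ADVANCED)):
        print(name, shield_posture(client))
```

The findings list is the useful output: an account that pays for Shield Advanced but has no protections or no SRT role gets none of the features listed above beyond what Standard already provides, and the check surfaces exactly that gap.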
Thant Zin Phyo@Cracky (MCT, MCE, MVP, AWS CB)