Wikipedia describes Captain America’s shield as virtually indestructible under normal conditions: it is strong enough to absorb the Hulk’s strength and to repel an attack from Thor’s mystical hammer Mjölnir without any visible damage. The same can be said about the new service that AWS announced at re:Invent 2016: AWS Shield.
But before getting into the weeds about AWS Shield, let’s first talk a little about Distributed Denial of Service (DDoS) attacks. In layman’s terms, a DDoS attack is simply an attack on your application or system from multiple sources (usually part of a single botnet) that floods your system, making it unavailable to the legitimate users who are trying to access those resources. If you think DDoS attacks aren’t a big deal, check out the following link, which lists the top 5 DDoS attacks of just the past year:
The attack against Dyn was so significant that it brought sites such as Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US to their knees. So now that we know DDoS attacks are kind of a big deal, let’s talk about how AWS Shield can help protect your applications against such attacks. AWS Shield is a managed DDoS protection service that safeguards web applications running on the AWS Cloud. Shield provides 24x7 detection and inline mitigation that helps minimize your application downtime and maintains your end-user experience by keeping latency in check. AWS Shield comes in two flavors: Standard and Advanced protection.
Standard protection is free and you can enable it right away. Using just Standard protection, you can protect your applications from the most common DDoS attacks, such as SYN/UDP floods, reflection attacks, etc. Standard protection covers almost 96% of the DDoS attacks out there. It improves mitigation using AWS’s proprietary BlackWatch systems. AWS Shield Standard uses several techniques, such as deterministic packet filtering and priority-based traffic shaping, to automatically mitigate attacks without impacting your applications.
AWS Shield Advanced protection is a paid service. It requires a 1-year commitment and costs $3k per month along with other data transfer fees. In return it offers additional capabilities compared to Standard protection. The additional capabilities it offers are:
- Always-on monitoring and detection: AWS continuously inspects network flows and monitors application-layer traffic to your ELB, CloudFront or Route 53 resources. It uses signature-based and heuristics-based anomaly detection, as well as baselining, to detect attacks.
- Advanced mitigation: This includes Layer 3/4 infrastructure protection and Layer 7 application protection. Infrastructure protection is achieved using deterministic filtering, traffic prioritization based on scoring and advanced routing policies. Application protection is done through self-service (you write your own rules for AWS WAF), by engaging AWS DDoS experts to assist you in writing the WAF rules, and, last but not least, through proactive engagement of the AWS DDoS Response Team.
- Attack notification and reporting: With AWS Shield Advanced protection, you get real-time notifications through Amazon CloudWatch. You can set up alarms that are triggered when you are under attack.
- 24x7 access to the DDoS Response Team (DRT): You get access to the DRT for all three stages of an attack: before, during and after. You can consult them before an attack for best-practice guidance, during an attack to help you mitigate it, and after an attack to help you analyze why it happened and how you can prevent it from happening again.
- Bill protection: This is the best feature in my opinion. AWS will absorb all the scaling costs for CloudFront, ELB, ALB and Route 53 during a DDoS attack. If none of the benefits above sound good enough to you, you can use this one alone as an argument to get started with Shield.
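To make the detection ideas above concrete, here is an added example (not code from the original post or from AWS) that runs the two Layer 7 checks mentioned in the list, a per-source request-rate limit and a volume baseline, over a small set of constructed access-log lines. The 5-minute window is how AWS WAF rate-based rules count requests per source IP; the threshold of 100 requests, the log format, the client addresses and the baseline multiplier are all assumptions made for the demonstration, and nothing here calls AWS.

```python
"""Toy Layer 7 detection over constructed access-log lines.

Two signals are computed, in the spirit of a self-service AWS WAF rate-based
rule and of traffic baselining:
  * rate_limited_sources: source IPs exceeding a request count within any
    trailing 5-minute window (the window AWS WAF rate-based rules use);
  * volume_anomaly: per-minute request volume far above a baseline measured
    on the first few minutes of traffic.
All traffic below is constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

RATE_WINDOW = timedelta(minutes=5)  # AWS WAF rate-based rule window
RATE_LIMIT = 100                    # assumed per-source threshold for the example


def build_sample_log():
    """Constructed log: six minutes of light traffic from three clients, plus a
    burst of 150 requests from one source (198.51.100.7) in the sixth minute.
    Line format (assumed): '<ISO timestamp> <client ip> <method> <path> <status>'."""
    base = datetime(2016, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(6):
        for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
            for n in range(4):  # 4 requests per client per minute
                ts = base + timedelta(minutes=minute, seconds=i * 10 + n)
                lines.append(f"{ts.isoformat()} {ip} GET /index.html 200")
    for n in range(150):  # burst: one request every 400 ms for a minute
        ts = base + timedelta(minutes=5, milliseconds=n * 400)
        lines.append(f"{ts.isoformat()} 198.51.100.7 POST /login 401")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def sample_events():
    return [parse_line(line) for line in build_sample_log()]


def rate_limited_sources(events, window=RATE_WINDOW, limit=RATE_LIMIT):
    """Return {ip: peak requests} for sources whose request count within any
    trailing `window` exceeds `limit` (sliding window per source IP)."""
    per_ip = defaultdict(list)
    for ts, ip, *_ in sorted(events):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop events outside the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged


def volume_anomaly(events, baseline_minutes=5, factor=3.0):
    """Baseline = mean requests/minute over the first `baseline_minutes`;
    returns (baseline, {minute: count}) for later minutes above factor*baseline."""
    per_minute = Counter(ts.replace(second=0, microsecond=0) for ts, *_ in events)
    minutes = sorted(per_minute)
    baseline = sum(per_minute[m] for m in minutes[:baseline_minutes]) / baseline_minutes
    anomalies = {m: per_minute[m] for m in minutes[baseline_minutes:]
                 if per_minute[m] > factor * baseline}
    return baseline, anomalies


def ddos_detected(events):
    """True when either signal fires; this is the kind of boolean an alarm
    would be raised on."""
    return bool(rate_limited_sources(events)) or bool(volume_anomaly(events)[1])


if __name__ == "__main__":
    ev = sample_events()
    print("rate-limited sources:", rate_limited_sources(ev))
    print("baseline/min and anomalous minutes:", volume_anomaly(ev))
    print("attack detected:", ddos_detected(ev))
```

In the real service you do not write this logic yourself: Shield Advanced publishes its detection to CloudWatch (the `DDoSDetected` metric in the `AWS/DDoSProtection` namespace, per resource), and the alarm from the list above is set on that metric, while the rate limit is expressed as an AWS WAF rate-based rule on the protected resource.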
Now that we have gone through the nitty-gritty details of AWS Shield, let’s go back to the analogy with Captain America’s shield. If you have read the comics, you might know that cosmic, magical or godly opponents have broken his shield, but nothing else has even come close to putting a crack in it. The same can be inferred for AWS Shield. Having AWS Shield in front of your applications running on AWS enables you to avoid and mitigate almost all kinds of DDoS attacks without any application downtime.
To learn more about AWS Shield, you can go to: