AWS provides the tools, best practices, and services you need to maintain high availability, security, and resiliency for your online applications. This guide is designed to help IT decision-makers and security engineers understand how to use Shield and Shield Advanced to protect their applications from DDoS attacks and other external threats.
When you build your application on AWS, AWS automatically protects you against common volumetric DDoS attack vectors such as UDP reflection attacks and TCP SYN floods.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service for applications running on Amazon Web Services (AWS).
What are DDoS Attacks?
A distributed denial of service (DDoS) attack aims to overload IT resources to the point where they can no longer function properly. Such an attack is usually launched in one of the following ways:
- The workload on cloud services is artificially inflated with bogus messages or repeated connection requests.
- The network is flooded with traffic, which reduces its responsiveness and cripples its performance.
- Large numbers of cloud service requests are sent to consume excessive memory and processing resources.
What is AWS Shield?
It is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on Amazon Web Services (AWS). It delivers always-on monitoring and automatic inline mitigations that reduce application downtime and latency, without requiring you to engage AWS Support to benefit from DDoS protection.
Benefits of AWS Shield
- Seamless integration and deployment: Your AWS resources come with Standard protection and are protected against the most common network and transport layer DDoS attacks. Using the AWS Management Console or APIs, you can easily enable Advanced protection for Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53 resources you want to protect.
- Customizable protection: Advanced allows you to select which infrastructure resources to protect (Layers 3 and 4). You can use AWS WAF to set custom rules to protect against complex application-layer attacks. These adaptive rules can be activated in seconds, allowing attacks to be quickly mitigated.
- Managed Security and Attack Visibility: Standard includes heuristics-based network flow monitoring and inline mitigation against common network and transport layer DDoS threats. For complex or more severe attacks, Shield Advanced delivers enhanced resource-specific detection and applies advanced mitigation and routing strategies.
- Cost Efficient: Standard is automatically enabled for all AWS customers at no additional cost. With Advanced, customers get AWS WAF and AWS Firewall Manager at no additional cost for use on resources protected by AWS Shield Advanced, as described on the Shield pricing page.
Types of AWS Shield
1. AWS Shield Standard
- All AWS customers automatically benefit from its protection.
- It provides always-on network flow monitoring, which inspects incoming traffic to AWS and detects malicious traffic in real time.
- You get extensive availability protection with CloudFront and Route 53 against all known infrastructure attacks.
- It combines multiple approaches, such as deterministic packet filtering and priority-based traffic shaping, to automatically mitigate threats without affecting your applications.
- You can also get a list of all the events that AWS Shield has detected and neutralized.
2. AWS Shield Advanced
- It provides enhanced detection, inspects network flows, and monitors application layer traffic to your Elastic IP address, Elastic Load Balancing, CloudFront, or Route 53 resources.
- It handles the majority of DDoS protection and mitigation responsibilities for layer 3, layer 4, and layer 7 attacks.
- You have access to the 24×7 AWS DDoS Response Team.
- It automatically adds additional mitigation capacity to protect against increasingly severe DDoS attacks.
- It is available globally on all CloudFront and Route 53 edge locations.
- With this, you will see the history of all incidents in the trailing 13 months.
What does AWS Shield protect against?
1. AWS Shield Standard protects your applications and websites against the following types of DDoS attacks:
- State-Exhaustion Attacks (layer 4) – SYN Flood: SYN floods exhaust the TCP connection state tables maintained by many network infrastructure and security devices as well as application servers. The attacker rapidly opens connections to a server but never completes the handshake. These attacks can prevent legitimate users from accessing data and can leave security systems vulnerable to data theft.
- Volumetric Attacks (layer 3): Also known as network floods, these include UDP floods (including UDP reflection attacks) and ICMP floods. This type of attack occurs when a network is overwhelmed by malicious traffic, causing your applications or services to become unavailable.
2. AWS Shield Advanced protects your applications against the same attacks as Standard, with additional capabilities, and because it also includes AWS WAF, it protects against:
- Application-Layer Attacks (layer 7) – HTTP floods, DNS query floods: These consist of well-formed requests (HTTP GETs and DNS queries) designed to consume application resources. An example is an attacker who repeatedly uses a website feature (submitting a contact form or calling an API) that they know triggers database and application processing.
- Other Application-Layer Attacks: SQL injection (SQLi), Cross-site scripting (XSS), Remote file inclusion (RFI), and other web application attacks and threats from the OWASP Top 10 publication.
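As an added example that is not part of the original article, the CloudFormation template below enables Shield Advanced protection on an existing internet-facing Application Load Balancer and attaches an AWS WAF rate-based rule that blocks any client IP sending more than a set number of requests in a five-minute window, the kind of rule used against the HTTP floods described above. The load balancer ARN and the request limit are assumed placeholder values, and deploying it requires an active Shield Advanced subscription in the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original article): Shield Advanced protection
  plus an AWS WAF rate-based rule on an existing Application Load Balancer.

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the internet-facing ALB to protect (assumed; supply your own)
  RequestLimitPer5Min:
    Type: Number
    Default: 2000   # assumed threshold; tune to the application's real per-IP traffic

Resources:
  # Layer 3/4: register the ALB with Shield Advanced (subscription must already exist)
  AlbShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: alb-shield-protection
      ResourceArn: !Ref AlbArn

  # Layer 7: block any source IP that exceeds the limit within a 5-minute window
  FloodWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: http-flood-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: http-flood-acl
      Rules:
        - Name: rate-limit-per-ip
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: !Ref RequestLimitPer5Min
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rate-limit-per-ip

  # Bind the web ACL to the same load balancer
  AclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt FloodWebAcl.Arn
```

Set the limit from the application's observed legitimate per-client request rate, since a value that is too low blocks real users behind shared NAT addresses.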
AWS Shield Pricing
There is no charge for inbound data transfer on AWS, and you do not pay for DDoS attack traffic that AWS Shield mitigates.
AWS Shield Standard
It is built into the AWS services that you can use for your web applications. There are no additional costs for Standard.
AWS Shield Advanced
It is a paid service that adds extra protection for internet-facing applications. You’ll pay $3000 per organisation that signs up for Advanced and commits to a one-year subscription. If your company has many AWS accounts, you only pay the monthly cost once.
Difference between AWS WAF and AWS Shield
These two services are part of the AWS Edge Services ecosystem and both help protect against DDoS attacks. The difference is that AWS WAF (Web Application Firewall) protects the application layer (layer 7), whereas AWS Shield protects the infrastructure layers (layers 3 and 4) of the OSI model.
Frequently Asked Questions
Can you use AWS Shield to safeguard non-AWS applications or websites?
Yes. You can use AWS Shield together with other AWS Edge services (Amazon Route 53, Amazon CloudFront, and AWS WAF) in front of custom origins, because any public domain name or IP address can be configured as the origin in a CloudFront distribution's settings or in Route 53.
Do you require AWS Shield Standard or Advanced?
Standard protection is often enough to meet the needs of small businesses. The StormIT team recommends combining AWS WAF with other AWS services (such as the Amazon CloudFront CDN and Route 53) to complement this built-in protection; together these can often provide adequate attack protection and mitigation. If your company is a likely target of large DDoS attacks and you require fine-grained control over the entire process, or if you prefer to delegate the majority of DDoS protection and mitigation tasks to AWS for layer 3, layer 4, and layer 7 attacks, Advanced may be the better option. Advanced includes AWS WAF and DDoS Response Team (DRT) assistance for layer 7 attacks, as well as layer 3 and layer 4 protection and mitigation. If you deploy only AWS WAF and AWS Shield Standard, you must build your own layer 7 protection and mitigation processes.
Does AWS Shield work automatically?
AWS Shield Standard is activated by default for all AWS customers at no additional charge.
Does AWS Shield alert me when an attack occurs?
Yes. With AWS Shield Advanced, detected DDoS attacks are reported through Amazon CloudWatch metrics, which you can use to trigger alerts.
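As an added example that is not part of the original article, the CloudFormation template below creates a CloudWatch alarm on the DDoSDetected metric that Shield Advanced publishes in the AWS/DDoSProtection namespace for a protected resource, and routes alarm notifications to an SNS e-mail subscription. The protected resource ARN and the notification address are parameters you supply.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original article): alert on Shield Advanced's
  DDoSDetected metric for one protected resource and notify an SNS topic.

Parameters:
  ProtectedResourceArn:
    Type: String
    Description: ARN of a resource already protected by Shield Advanced (assumed)
  AlertEmail:
    Type: String
    Description: Address that receives DDoS event notifications (assumed)

Resources:
  DdosAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # DDoSDetected is 1 while Shield observes an event; it is only emitted during
  # events, so missing data must be treated as "not breaching" to avoid false alarms.
  DdosDetectedAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: shield-ddos-detected
      AlarmDescription: Shield Advanced detected a DDoS event on the protected resource
      Namespace: AWS/DDoSProtection
      MetricName: DDoSDetected
      Dimensions:
        - Name: ResourceArn
          Value: !Ref ProtectedResourceArn
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref DdosAlertTopic
```

The same namespace also exposes DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond and DDoSAttackRequestsPerSecond, which are useful for sizing alarms on attack volume rather than only on detection.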