AWS DDoS Mitigation Best Practices

Learn the best practices for DDoS mitigation on AWS to protect your infrastructure from DDoS attacks and ensure continuous availability.

Written by I. Solomon

Updated at February 10th, 2025


Table of Contents

  • Introduction
  • Key AWS Features Covered
  • Architecture Designing
  • Shield Advanced Configuration
  • Steps to Apply Shield Advanced
  • Adding Resources to Protect
  • Configuring AWS SRT Support
  • Activating Proactive Engagement
  • Configuring Route53 Health Checks
  • Monitoring
  • Preventing Direct-to-Origin Attacks
  • Security Groups Policy Configuration
  • Internal Header Configuration
  • Caching Configuration
  • Geo-Restriction Configuration
  • Creating a Web-ACL
  • WAF Rules Configuration
  • Rate Limit Rules Configuration
  • Conclusion

Introduction

This article aims to assist users in implementing comprehensive Distributed Denial of Service (DDoS) protection using AWS utilities. It serves as a hands-on implementation manual aligned with the AWS DDoS mitigation strategy. Users are encouraged to read the AWS DDoS mitigation strategy document prior to this guide. The following sections detail the implementation of various AWS components and include specific recommendations based on practical experience.

Key AWS Features Covered

  • Association of Shield Advanced with relevant resources.

  • Configuring rules to prevent Direct-to-Origin attacks.

  • Configuring CloudFront caching policies.

  • Configuring geo-restriction policies.

  • Configuring a web-ACL with WAF rules and rate limit policies.

Architecture Designing

The recommended AWS DDoS architecture places a CloudFront distribution in front of an Application Load Balancer (ALB). The ALB is secured with Security Groups that deny any incoming traffic that did not arrive through CloudFront. Both the CloudFront distribution and the ALB should be associated with Shield Advanced for enhanced protection.

Shield Advanced Configuration

Steps to Apply Shield Advanced

  1. Subscribe to Shield Advanced through the AWS dashboard.

  2. Add resources to protect.

  3. Configure AWS Shield Response Team (SRT) support.

  4. Activate Proactive Engagement.

  5. Configure Route53 Health checks.

Once these steps are complete, the AWS Shield Response Team (SRT) will assist in mitigating DDoS attacks in case of downtime.

Adding Resources to Protect

To add resources:

  1. Press "Add resources to protect".

  2. Choose the regions and resource types to include; the console then loads the matching resources that are not yet associated with Shield Advanced.

Configuring AWS SRT Support

Granting access to the SRT optimizes assistance during a DDoS event:

  1. Press "Edit SRT access".

  2. Create a new IAM role that the SRT can assume to access your account.

Activating Proactive Engagement

Enable the Proactive Engagement feature so that the SRT can contact the appropriate person in case of an attack.

Configuring Route53 Health Checks

  1. Press "Create health check" in Route53.

  2. Fill in the details; if no specific URI path is provided, the health check monitors the root (/) by default.

Monitoring

Once health checks are configured, their status can be monitored through the AWS dashboard, where alarms will notify users of any issues.

Preventing Direct-to-Origin Attacks

To prevent attacks targeting origin servers:

  1. Configure a Security Groups policy (recommended method).

  2. Configure an internal header sent from CloudFront to the ALB.

Security Groups Policy Configuration

  1. Create a new security group that allows HTTP and HTTPS traffic from CloudFront PoPs only.

Internal Header Configuration

  1. In the ALB listener, manage the rules to add a condition that matches the internal HTTP header sent by CloudFront.
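Both origin-lock controls above can be checked and modelled locally. The following Python is an added example, not code from the original article or from AWS: `audit_origin_sg` walks security groups in the JSON shape returned by `aws ec2 describe-security-groups` and reports every web-port ingress source other than the CloudFront origin-facing managed prefix list, and `origin_header_ok` models the ALB listener-rule header condition as a constant-time comparison of the internal header. The prefix-list ID, the header name `X-Origin-Verify`, the secret and the sample groups are constructed placeholders, not values from any real account.

```python
"""Audit origin security groups and model the CloudFront-to-ALB header check.

Added example, not from the original article. It never calls AWS: it inspects
security-group JSON in the `aws ec2 describe-security-groups` shape and models
the ALB listener-rule header condition locally.
"""
import hmac

# The CloudFront origin-facing managed prefix list is named
# com.amazonaws.global.cloudfront.origin-facing; its pl-... ID is looked up per
# account/region, so this value is a placeholder, not a real ID.
CLOUDFRONT_PREFIX_LIST_ID = "pl-PLACEHOLDER"
WEB_PORTS = (80, 443)


def covers_web_port(perm):
    """True if one IpPermissions entry admits TCP 80 or 443 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in WEB_PORTS)


def audit_origin_sg(sg):
    """Return findings for one security group: every web-port ingress source
    that is not the CloudFront prefix list, since each one lets traffic bypass
    CloudFront and Shield and reach the origin directly."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not covers_web_port(perm):
            continue
        for r in perm.get("IpRanges", []):
            findings.append(f"open CIDR {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"open CIDR {r['CidrIpv6']}")
        for r in perm.get("PrefixListIds", []):
            if r["PrefixListId"] != CLOUDFRONT_PREFIX_LIST_ID:
                findings.append(f"non-CloudFront prefix list {r['PrefixListId']}")
        for r in perm.get("UserIdGroupPairs", []):
            findings.append(f"security-group source {r['GroupId']}")
    return findings


def origin_header_ok(request_headers, expected_secret, header_name="X-Origin-Verify"):
    """Model of the ALB listener rule from the internal-header method: forward
    only when the header CloudFront adds carries the shared secret.
    Header-name lookup is case-insensitive; the value is compared in constant
    time. Header name and secret are deployment choices (placeholders here)."""
    presented = next((v for k, v in request_headers.items()
                      if k.lower() == header_name.lower()), "")
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


# Constructed sample groups (not real account data).
SAMPLE_GROUPS = {
    "sg-locked": {"GroupId": "sg-locked", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST_ID}]}]},
    "sg-open": {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}


if __name__ == "__main__":
    for name, sg in SAMPLE_GROUPS.items():
        print(name, audit_origin_sg(sg) or "OK: only CloudFront can reach the origin")
    print(origin_header_ok({"x-origin-verify": "constructed-secret"}, "constructed-secret"))
```

Run the audit over the real output of `describe-security-groups` for the groups attached to the ALB; any finding means the Security Groups policy is not yet doing what the section above requires. The header model is a second, independent layer: it only helps if the secret is long, random and rotated, since anyone who learns it can again reach the origin directly.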

Caching Configuration

Utilize CloudFront to cache applicable content. Managed caching policies include:

  • CachingOptimized: Caches mostly static content.

  • CachingDisabled: Disables caching entirely.

For custom policies, specify the TTL values and the cache key settings (which headers, cookies and query strings form the key).

Geo-Restriction Configuration

To enforce geo-restrictions, configure the CloudFront distribution's restriction settings to allow or block requests from specific countries.

Creating a Web-ACL

  1. Create a web-ACL in WAF & Shield.

  2. Associate it with the desired resource (CloudFront or ALB).

  3. Add rules and configure metrics.

WAF Rules Configuration

Configure custom WAF rules to enhance security, focusing on:

  1. Custom rules.

  2. Managed rules.

  3. Rate limit rules.

Rate Limit Rules Configuration

Implement rate limit rules to manage traffic effectively:

  1. Counting per source IP with a “Block” action.

  2. Counting total requests to a specific hostname with a “Challenge” action.
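The two rules above can be expressed as WAFv2 rate-based rules and their interaction replayed locally. The following Python is an added example, not code from the original article or from AWS: `build_rate_rules` produces the two rule objects in the shape of the WAFv2 API's `Rules` list (a per-IP rule with a Block action and a CONSTANT-aggregation rule scoped to the Host header with a Challenge action), and `simulate` replays constructed traffic through a simplified sliding-window model of their evaluation. The hostname `www.example.com`, the limits, the window and the sample source addresses are illustrative values; the simulator approximates WAF, whose real counting is sampled and applied with some delay.

```python
"""Build the two WAFv2 rate-based rules and replay constructed traffic through
a simplified model of their evaluation.

Added example, not code from the original article or from AWS. The rule dicts
follow the Rule shape of the WAFv2 API (the `Rules` list given to
UpdateWebACL); the simulator is a local approximation, not WAF's actual
counting, which is sampled and applied with some delay.
"""
from collections import Counter, defaultdict, deque


def build_rate_rules(hostname, per_ip_limit=2000, host_limit=10000, window=300):
    """Rule 1 counts per source IP and blocks; rule 2 counts every request to
    `hostname` (AggregateKeyType CONSTANT with a scope-down on the Host header)
    and serves a Challenge. Limits and hostname are illustrative values."""
    def visibility(name):
        return {"SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": True, "MetricName": name}
    per_ip = {
        "Name": "RateLimitPerIP", "Priority": 1,
        "Statement": {"RateBasedStatement": {
            "Limit": per_ip_limit, "EvaluationWindowSec": window,
            "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("RateLimitPerIP"),
    }
    per_host = {
        "Name": "RateLimitHost", "Priority": 2,
        "Statement": {"RateBasedStatement": {
            "Limit": host_limit, "EvaluationWindowSec": window,
            "AggregateKeyType": "CONSTANT",
            "ScopeDownStatement": {"ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": "host"}},
                "PositionalConstraint": "EXACTLY",
                # SearchString is a blob in the API: pass bytes via boto3 (or
                # base64 text with the CLI's default binary format).
                "SearchString": hostname,
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}}},
        "Action": {"Challenge": {}},
        "VisibilityConfig": visibility("RateLimitHost"),
    }
    return [per_ip, per_host]


def _in_scope(stmt, req):
    """Only the SingleHeader / EXACTLY / LOWERCASE scope-down built above is modelled."""
    scope = stmt.get("ScopeDownStatement")
    if scope is None:
        return True
    bm = scope["ByteMatchStatement"]
    name = bm["FieldToMatch"]["SingleHeader"]["Name"].lower()
    return req["headers"].get(name, "").lower() == bm["SearchString"].lower()


def simulate(rules, requests):
    """Replay requests (dicts with t, ip, headers) in time order. Each rate rule
    keeps a sliding window per aggregation key; a request that pushes its key
    past the limit takes the rule's action and stops evaluation, so requests
    blocked by rule 1 are not counted by rule 2 (the model's assumption)."""
    windows = {r["Name"]: defaultdict(deque) for r in rules}
    outcomes = Counter()
    for req in sorted(requests, key=lambda r: r["t"]):
        verdict = "Allow"
        for rule in sorted(rules, key=lambda r: r["Priority"]):
            stmt = rule["Statement"]["RateBasedStatement"]
            if not _in_scope(stmt, req):
                continue
            key = req["ip"] if stmt["AggregateKeyType"] == "IP" else "*"
            win = windows[rule["Name"]][key]
            win.append(req["t"])
            cutoff = req["t"] - stmt["EvaluationWindowSec"]
            while win[0] <= cutoff:          # drop timestamps outside the window
                win.popleft()
            if len(win) > stmt["Limit"]:
                verdict = next(iter(rule["Action"]))  # "Block" or "Challenge"
                break
        outcomes[verdict] += 1
    return dict(outcomes)


def constructed_traffic(hostname="www.example.com"):
    """Constructed sample: one source (198.51.100.7) sends 2500 requests and 50
    others send 200 each, all within 60 s, so every request is inside one window."""
    reqs = [{"t": i * 0.02, "ip": "198.51.100.7", "headers": {"host": hostname}}
            for i in range(2500)]
    for n in range(50):
        reqs += [{"t": i * 0.3, "ip": f"203.0.113.{n + 1}", "headers": {"host": hostname}}
                 for i in range(200)]
    return reqs


if __name__ == "__main__":
    rules = build_rate_rules("www.example.com")
    print(simulate(rules, constructed_traffic()))
```

On the constructed traffic the per-IP rule blocks the 500 requests the single heavy source sends beyond its 2000-request limit, while the distributed background load alone exceeds the hostname limit and the remaining 2000 excess requests receive a Challenge rather than a Block. That is the point of pairing the two rules: the per-IP rule catches one noisy source cheaply, and the hostname-wide Challenge degrades gracefully for real browsers when many sources together overwhelm the site.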

Conclusion

Implementing these best practices will enhance your AWS architecture's resilience against DDoS attacks. Ensure you regularly review and update your configuration to adapt to evolving threats.
