
AWS Network Firewall to protect against DDoS layer 7 attacks

0

Hello, we have a public API (many of them) and I am looking into how we can protect against large-scale layer 7 DDoS-type attacks, for example an HTTP GET flood. The proposed architecture that we have come up with involves asynchronously detecting bad IP addresses based on signals (web server logs), and blocking by IP at the network level (OSI layer 3). We want to block at the network level as it's likely to be much more performant and cost-effective than attempting to do it at the application/compute level.

We already have AWS Shield Advanced.

We have identified the AWS Network Firewall as a possible place to enforce the blocking of these bad IPs. However, I have a question about the scale in which the AWS Network Firewall can block bad IP addresses. In the FAQ (https://aws.amazon.com/network-firewall/faqs/) it says:

Q: Can I use AWS Network Firewall for protection against DDoS attacks?

AWS Network Firewall is designed to protect and control access to and from your VPC, but not to mitigate volumetric attacks, like distributed denial of service (DDoS), that can impact the availability of your application. To protect against DDoS attacks and ensure application availability, we recommend customers review and adhere to our AWS Best Practices for DDoS Resiliency, and also explore AWS Shield Advanced, which offers managed DDoS protection customized to your specific application traffic.

My question is this: is this recommendation based on the AWS Network Firewall's inability to apply rules (i.e. block by IP address) at a large scale, or is this specifically about volumetric attacks?

To clear some things up:

  • We have AWS Shield Advanced, so I expect that we have most volumetric-type attacks covered
  • The DDoS attacks we are trying to protect against are mostly layer 7 targeted (e.g. HTTP GET index.html)
  • The ability to detect bad IP addresses based on signals is out of scope; assume we have a 3rd-party OTT product that can detect bad IPs from our web server logs and apply custom rules managed by us
  • We cannot use Cloudflare/Fastly etc.
  • Scale of layer 7 DDoS that we are likely to want to protect against: ~10k source IP addresses each doing around 1k HTTP requests per second (total ~10M HTTP requests p/s). Typically any IP doing over 1k requests per second would be a strong signal and we would likely want to block that IP for some time. Sorry, I don't know how to translate the volume of HTTP layer 7 requests into a volume of layer 3 packets; I can only comprehend it in HTTP requests per second.
3 answers
4

Its primary purpose is not to mitigate large-scale DDoS attacks, especially volumetric attacks that can impact the availability of your application. AWS Network Firewall is designed to provide fine-grained control over network traffic, and it can be used to block specific IP addresses.

For Layer 7 DDoS protection, you can consider a combination of AWS Shield Advanced and AWS WAF (Web Application Firewall). AWS Shield Advanced provides DDoS protection at the network and transport layers (Layers 3 and 4). AWS WAF, on the other hand, offers Layer 7 protection by allowing you to create custom web access control rules based on various parameters such as IP addresses, HTTP headers, query strings, etc.

Expert
answered 3 years ago
  • Hello, I appreciate your answer; however, I don't think it answers the question being asked. My question is specifically around the recommendation from the FAQ.

4

Hello.

For layer 7 protection for an API the recommended service is Web Application Firewall (WAF); WAF protection is improved when integrated with Shield Advanced.

For using WAF (L7) with Shield Standard (L3-4) I would suggest you check the WAF Security Automations solution, which, using WAF and integrating other serverless technologies, has bot protection, HTTPS flood prevention and easy use of block/allow IP lists. Deployment is straightforward following the deployment guide and using CloudFormation.

To read about Shield Advanced (L7 plus other features) protections with WAF you can look at this page.

Adding to my response: there are several layers of protection you can use. Network Firewall is not designed for large DDoS, as AWS Shield Advanced is the pre-existing service for this purpose and has other important benefits such as an incident response team. Customers can take advantage of Shield Advanced even when choosing other firewall or perimeter protection solutions from recognized security partners.

AWS
answered 3 years ago
0

While you can use Amazon Network Firewall (ANF) for IP blocking, be aware that it does have a per-AZ maximum capacity.

We would recommend using AWS WAF (with CloudFront for optimum scale), as WAF is designed to deal with layer 7 HTTP request flood attacks, in particular:

  • rate-based rules
  • the IPDDoSList rule within the IP reputation rule group, created from IPs that have recently been seen participating at volume in L7 DDoS
  • the L7 anti-DDoS managed rule group (included with the Shield Advanced subscription), which detects and mitigates in single-digit seconds

The recommendation is because Network Firewall does not have these features; AWS WAF does.

AWS
Expert
answered 2 years ago
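The pipeline the question describes (a per-IP request-rate signal taken from web server logs, feeding an IP block list), sketched as an added example that is not part of this thread or of any AWS tool. It assumes combined-format access logs, the 1k requests/second per-IP threshold the question gives as a strong signal, and the /32 or /128 CIDR form that an AWS WAF IP set's address list expects; the sample log lines are constructed.

```python
"""Flag source IPs exceeding a per-second request threshold in access logs.

Added example (not from the thread). Assumes combined/common log format and
emits the offending IPs as CIDRs, the shape a WAF IP set address list takes.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# combined/common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def requests_per_second(lines):
    """Return {ip: Counter({second: count})}; lines that do not parse are skipped."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        per_ip[ip][ts.replace(microsecond=0)] += 1
    return per_ip


def offending_ips(lines, threshold=1000):
    """IPs whose request count in any single second reaches the threshold (1k/s per the question)."""
    rates = requests_per_second(lines)
    return sorted(ip for ip, secs in rates.items() if max(secs.values()) >= threshold)


def to_ip_set_addresses(ips):
    """Format as /32 (IPv4) or /128 (IPv6) CIDRs, as an AWS WAF IP set's Addresses list expects."""
    return [str(ipaddress.ip_network(ip)) for ip in ips]


def sample_log():
    """Constructed sample: one IP sends 1200 requests in one second, another sends 3."""
    line = '{ip} - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512'
    return ([line.format(ip="203.0.113.7")] * 1200
            + [line.format(ip="198.51.100.9")] * 3
            + ["not a log line"])


if __name__ == "__main__":
    print(to_ip_set_addresses(offending_ips(sample_log())))
```

The resulting address list is what an out-of-band job would push to the WAF IP set referenced by a block rule, which is the asynchronous detect-then-block split the question proposes.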
