How to prevent DDoS attacks from producing costs for small websites


I have the following pattern/architecture to deploy a website with CDK:

  • WAF with a custom IP-based rate limit for a CloudFront distribution with API Gateway as origin.
  • A default rate limit at the API Gateway additionally.

I would use this pattern to deploy potentially multiple web apps for small hobby projects in the future.

But a weak point of this architecture would be WAF. WAF does produce costs: 60 cents per million requests.

So the costs for a small hobby project could explode in theory if it gets hit by a DDoS attack. What could I do here to prevent this? It would be really nice if AWS had some base protection against DDoS, where Shield Advanced is not well suited price-wise.

The last thing I could do is set up a budget alarm and trigger some action to take all web apps offline if the budget gets hit. Otherwise I would be afraid that costs could explode at any time if there were small, hobby-scale web apps publicly available on the internet.

Thank you

1 Answer
Accepted Answer

As you said, without Shield Advanced it's hard to control the cost of DDoS attacks. There are AWS best practices for DDoS:

  • Always prefer AWS services that operate at edge locations (CloudFront, Route 53 and Global Accelerator) as the entry point for your applications. This provides better DDoS resiliency (always-on mitigation for the fastest detection and mitigation, distributed mitigation capacity and automatic traffic engineering).
  • Protect your DNS infrastructure: using Amazon Route 53, your application will be protected against DNS application-layer attacks, as the responsibility for serving authoritative DNS answers is outsourced to AWS. Attackers will be unable to affect your application's availability by targeting your DNS resolvers.
  • Protect your origins
    ◦ Use a custom header or the CloudFront prefix list (if your origin is behind CloudFront) to protect against any direct-to-origin attacks.
    ◦ Protect against security-group connection-tracking exhaustion in case of a DDoS event by using untracked-connection security groups with managed services like ALB or CLB.
  • Scalable architecture
    ◦ Use autoscaling and load balancing to dynamically increase your application capacity, for instance.

AWS
answered 5 months ago
AWS
reviewed 5 months ago
  • Thanks for the suggestions :)

    It does help. So in the end one cannot deploy a web app and be 100% sure that costs don't spike up to high numbers if there were any attacks.

    Will try to set up a budget alarm then, which will take my hobby projects offline.
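The budget-triggered kill switch the comment above describes, as an added example that is not part of this thread or any AWS sample: a Lambda subscribed to the budget's SNS topic that disables the CloudFront distribution, so no further requests reach WAF or the API Gateway origin and no further WAF request charges accrue. The DISTRIBUTION_ID environment variable and the FakeCloudFront stand-in client are assumptions made for the demo.

```python
"""Budget kill switch for a CloudFront + WAF + API Gateway hobby site (added
example). Wire an AWS Budgets ACTUAL-cost notification to an SNS topic and
subscribe this Lambda to it; its role needs cloudfront:GetDistributionConfig
and cloudfront:UpdateDistribution on the distribution."""
import os
from typing import Any


def disable_distribution(cf: Any, dist_id: str) -> bool:
    """Set Enabled=False so CloudFront stops serving the distribution.
    Returns True if this call disabled it, False if it was already off: SNS
    may deliver the alarm more than once, so the action must be idempotent.
    The ETag is echoed back as IfMatch, CloudFront's optimistic-concurrency
    check, so a concurrent edit makes the update fail instead of clobbering."""
    resp = cf.get_distribution_config(Id=dist_id)
    config, etag = resp["DistributionConfig"], resp["ETag"]
    if not config["Enabled"]:
        return False
    config["Enabled"] = False
    cf.update_distribution(Id=dist_id, IfMatch=etag, DistributionConfig=config)
    return True


def handler(event: dict, context: Any) -> dict:
    """Lambda entry point. Any message on the budget topic means the cost
    threshold was crossed, so the payload is not parsed; the action is taken."""
    import boto3  # imported here so disable_distribution is testable offline

    dist_id = os.environ["DISTRIBUTION_ID"]  # assumed: set by the CDK stack
    changed = disable_distribution(boto3.client("cloudfront"), dist_id)
    return {"distribution": dist_id, "disabled_now": changed}


class FakeCloudFront:
    """Constructed stand-in for the boto3 CloudFront client (offline demo only).
    Mimics the ETag handshake: a stale IfMatch is rejected like the real API."""

    def __init__(self, enabled: bool = True) -> None:
        self.config = {"Enabled": enabled, "Comment": "hobby site"}
        self.etag = "E1"

    def get_distribution_config(self, Id: str) -> dict:
        return {"DistributionConfig": dict(self.config), "ETag": self.etag}

    def update_distribution(self, Id: str, IfMatch: str, DistributionConfig: dict) -> dict:
        if IfMatch != self.etag:
            raise RuntimeError("PreconditionFailed: stale ETag")
        self.config = dict(DistributionConfig)
        self.etag = "E%d" % (int(self.etag[1:]) + 1)
        return {"ETag": self.etag}
```

Re-enabling the distribution afterwards is a deliberate manual step, so a repeated alarm cannot flap the site back online while the traffic is still arriving.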
