
Understanding AWS Shield Advanced Protection for Layer 7 DDoS Attacks

0

I’m evaluating AWS Shield services, specifically AWS Shield Advanced, to protect our web application from DDoS attacks. While I understand it offers protection against Layer 3 and Layer 4 attacks, I’m curious about its effectiveness and options for Layer 7 (application layer) DDoS protection.

My questions are: 1. Does AWS Shield Advanced natively protect against Layer 7 attacks, or do I need to pair it with AWS WAF? 2. What are the best practices for configuring Shield Advanced to ensure optimal protection for application-layer threats? 3. Are there specific metrics or monitoring practices recommended to detect and mitigate Layer 7 DDoS attempts?

asked a year ago1.4K views
2 Answers
0
Accepted Answer

AWS Shield Advanced does offer protection against Layer 7 (application layer) DDoS attacks, but it works in conjunction with AWS WAF for optimal protection. Here's a detailed breakdown addressing your questions:

  1. AWS Shield Advanced does provide native protection against Layer 7 attacks, but it is designed to work seamlessly with AWS WAF for comprehensive application layer protection. When you subscribe to Shield Advanced, you get AWS WAF at no additional charge. This integration allows for more robust and customizable application layer defenses.

  2. Best practices for configuring Shield Advanced for optimal Layer 7 protection include:

    • Enable automatic application layer DDoS mitigation. This feature allows Shield Advanced to automatically respond to and mitigate application layer attacks against your protected resources.
    • Associate an AWS WAF web ACL with your protected resources (such as CloudFront distributions or Application Load Balancers) to enable web application layer detection.
    • Configure AWS WAF rules and rule groups to create custom layer 7 firewall rules that complement Shield Advanced's protections.
    • Utilize protection groups to logically group your resources for enhanced detection and mitigation.
    • Implement health-based detection using Amazon Route 53 health checks to inform event detection and mitigation, helping to prevent false positives and provide faster detection when a protected resource is unhealthy.
  3. For monitoring and detecting Layer 7 DDoS attempts, AWS Shield Advanced provides several tools and practices:

    • Use the enhanced visibility features of Shield Advanced, which offer advanced, real-time metrics and reports for extensive visibility into events and attacks on protected AWS resources.
    • Leverage the Global Threat Environment Dashboard, which shows DDoS trends and metrics across services like Amazon CloudFront, Elastic Load Balancing, and Amazon Route 53.
    • Monitor the "Threat level" indicator provided by Shield Advanced, which shows the severity of current DDoS threats.
    • Utilize AWS WAF's rate-based rules, which can mitigate attacks before they reach a detectable level.
    • Take advantage of the 24/7 AWS Shield Response Team (SRT) support for assistance during attacks and help with creating and managing custom mitigations.

By combining these configuration best practices and monitoring techniques, you can ensure that your web application is well-protected against Layer 7 DDoS attacks using AWS Shield Advanced in conjunction with AWS WAF.

Sources
AWS Shield Advanced capabilities and options - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
How AWS Shield mitigates events - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Global Threat Environment Dashboard: View DDoS Attack Trends Across AWS
Understanding DDoS simulation testing in AWS | AWS Security Blog

answered a year ago
EXPERT
reviewed a year ago
0

I would add to the above reading the AWS Best Practice for DDoS resiliency [1]. Within that document it outlines L7 application layer mitigation using AWS WAF & Shield, specifically:

  1. Rate Based Rules (at a low threshold) in block mode - An Aggregate key of Host+IP+URI path is particularly effective;
  2. IP reputation rules in block mode;
  3. As above, enabling Shield automatic application layer DDoS mitigation with a rule group [2] (you need to enable AWS Shield AND add its auto-mitigation rule group as per the instructions).

To the OP's question - yes, you do need to pair Shield Advanced with WAF, as Shield needs an ACL with the auto-mitigation rule group applied (see links). However, this should be considered a strength-in-depth approach, as rate-based rules and IP reputation help significantly with L7 request flood DDoS events.

Re specific metrics - AWS Shield Advanced gives you metrics around events which you can alert on. The Best Practice doc has more advice on this. Consider 5xx error rates, overall request volume and the number of blocked requests from the above RBR/IP rules as intel over and above the AWS Shield information. Create dashboards and set alarms. AWS CloudWatch can be helpful here with anomaly detection.

As per above, do not forget health checks (e.g. 5xx error rate) and emergency contacts for SRT proactive engagement.

  1. https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/aws-best-practices-ddos-resiliency.html
  2. https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html
AWS
answered 10 months ago
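To make the Host+IP+URI path aggregation key from the answer above concrete, here is an added example (not code from this thread or from AWS) that replays constructed AWS WAF log records through a simplified model of such a rate-based rule and reports which keys would be blocked. The window length and threshold are hypothetical assumptions chosen to keep the sample small; real WAF rules use longer windows.

```python
# Added example, not from the re:Post thread or from AWS: a simplified rate-based rule keyed on Host + client IP + URI path.
import json
from collections import defaultdict

WINDOW_SECONDS = 60  # assumption: short window so the sample stays small
THRESHOLD = 3        # assumption: hypothetical low threshold for a block-mode rule

def make_record(ts_ms, ip, host, uri):
    # Constructed log line using a subset of the real AWS WAF log field names.
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW", "httpRequest": {
        "clientIp": ip, "uri": uri, "headers": [{"name": "Host", "value": host}]}})

T0 = 1_700_000_000_000  # epoch milliseconds, as WAF logs record them
SAMPLE_LOG_LINES = (
    # burst: 6 requests to /login from one IP within 2.5 s
    [make_record(T0 + i * 500, "203.0.113.7", "shop.example", "/login") for i in range(6)]
    # same IP, different path: 2 requests, counted under a separate key
    + [make_record(T0 + i * 1000, "203.0.113.7", "shop.example", "/logo.png") for i in range(2)]
    # steady client: 5 requests over 100 s, never more than 3 inside one window
    + [make_record(T0 + i * 25_000, "198.51.100.9", "shop.example", "/") for i in range(5)]
)

def parse_log_lines(lines):
    return [json.loads(line) for line in lines]

def header_value(request, name):
    for h in request.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return ""

def aggregation_key(record):
    req = record["httpRequest"]
    return (header_value(req, "Host"), req["clientIp"], req["uri"])

def rate_limited_keys(records, threshold=THRESHOLD, window=WINDOW_SECONDS):
    # Keys whose request count exceeds `threshold` within any `window`-second span.
    times_by_key = defaultdict(list)
    for rec in records:
        times_by_key[aggregation_key(rec)].append(rec["timestamp"] / 1000.0)
    blocked = set()
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                blocked.add(key)
                break
    return blocked
```

Only the /login burst exceeds the threshold; the same IP's requests to a different path and the steady client on / stay below it, which is the point of keying on the URI path rather than the IP alone.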
