AWS Updates on Best Practices For DDoS Resiliency

AWS released an updated version of its AWS Best Practices for DDoS Resiliency Whitepaper, a guide for developers building new apps or looking to optimize their current architecture for DDoS resiliency. In addition, the whitepaper goes into detail to advise on how to develop best security practices and actionable steps against DDoS attacks in the AWS cloud platform.

The updated version adds a “Summary of Best Practices” checklist, builds upon the descriptions of various attack types such as volumetric attacks and application layer attacks, and explains which best practices are most effective at managing them. They also filled in more about which of their AWS products can work as DDoS mitigation methods and how they can be used to protect applications.


The whitepaper describes the two most common DDoS attacks: User Datagram Protocol (UDP) reflection attacks and synchronize (SYN) floods, both infrastructure layer attacks. In a DDoS attack, both of these methods to generate large volumes of traffic that overwhelms network capacity (e.g. server, firewall, IPS, load balancer). However, these attacks can be addressed quickly as they contain clear signatures that make for easier detection. To effectively combat UDP and SYN floods, network resources must have the ability to both absorb the entire attack and exceed the volume that’s generated by the attacker.

SYN floods in particular exhaust the available resources of any given system by leaving connections in a perpetually half-open state. Typically, when an end user connects to something like a web server, the client will send a SYN packet. The server then returns SYN-ACK, and the client ends the process by returning ACK. In a SYN flood, however, the ACK never gets returned, so the server is left waiting for a response. This can prevent new users from connecting to the server.

While not as common, layer 7 (L7) or application layer attacks also occur. In these instances, an attacker is trying to over-exercise certain functions of an application to render it unavailable. Sometimes in HTTP floods, WordPress XML-RPC floods, and cache-busting attacks, an attacker makes very low request volumes or stay hidden in an HTTP request that emulates a real user’s web application behavior and having an attack as more difficult to detect. Application layer attacks can also target domain name system (DNS) services where an attacker uses many well-formed DNS queries to exhaust the resources of a DNS server and cause downturn.

By scaling out, it would require more time and resources from the attacker thereby making the application resilient against DDoS. Services available within AWS assist with building DDoS resiliency, as well as scale to handle unforeseen spikes in traffic volumes:

  • Amazon Elastic Compute Cloud (EC2) is the web service to configure and obtain traffic capacity. Vertical scaling can be achieved by using appropriate EC2 instance types (e.g. EBS optimized or ones with 10 GB network connectivity) to handle the load.
  • Auto Scaling adds and removes number of EC2 instances as the demand changes according to user conditions so that the user can scale according to variability in usage.
  • Elastic Load Balancing (ELB) helps distribute the traffic across multiple EC2 instances while acting as a Single point of contact.
  • Amazon VPC Flow Logs monitors traffic targeting the application by recording information about the IP traffic going to and from network interfaces in a user’s VPC. This information can be used to help identify anomalies and DDoS attack vendors in network traffic.

Other AWS edge services allow users to leverage a global edge network to enable greater fault tolerance against infrastructure and application layer attacks and increase scale for managing those larger volumes of traffic:

  • Amazon CloudFront is their CDN, acting as a proxy between end users and the Origin server. They have the inherent ability to help mitigate against both infrastructure and some application layer DDoS attacks by dispersing the traffic across multiple locations. At each of these locations, AWS has multiple Internet connections for capacity and redundancy, which allows Amazon CloudFront to isolate attack traffic while serving content to legitimate end users. Also includes filtering capabilities to ensure that only valid TCP connections and HTTP requests are made while dropping invalid requests. This removes the burden of many SYN floods and UDP reflection attacks from reaching the origin server.
  • AWS WAF act as filters that applies rules and monitors HTTP and HTTPs requests based on source IP or more nuanced comparison to the values in various HTTP headers. This allows blocking cross-site scripting (XSS) and SQL injection (SQLi) and other common attack patterns. Rules can also be created for each user’s specific application. WAF also provides HTTP rate limiting (where only a certain number of requests are allowed per user in a timeframe), inspect and identify requests with abnormal patterns, CAPTCHA, etc.
  • Amazon Route 53 is their DNS service which include shuffle sharding, where horizontal partitions of data are spread across separate database servers to spread load and provide redundancy.  Shuffle sharding can also be used to spread DNS requests over numerous PoPs, thus providing multiple paths and routes for the application. Anycast routing increases redundancy by advertising the same IP address from multiple PoPs. In the event that a DDoS attack overwhelms one endpoint, shuffle sharding isolate failures while providing additional infrastructure routes..


AWS has hundreds of GB transit bandwidth available so they can easily absorb larger attacks and a backbone network which allows them to increase the surface area of attacks which increases the available bandwidth. They have also improved their DDoS services in the past year, but they have yet to stack competitively with the likes of CloudFlare and other DDoS protection services.

The current business model for using Amazon AWS DDoS mitigation is their vast bandwidth with the addition of a user’s ability to pay during an attack. DDoS attacks are volumetric in nature and an attack could go on for days. While larger businesses can certainly scale up to 1,000 instances to absorb a flood, the hosting costs can multiply quickly and that is not feasible for a majority of AWS users. AWS’s plan of $26/month for WAF is certainly in the right direction for DDoS protection, while CloudFlare charges a Pro Plan for $20/month and $5/month for WAF + Basic DDoS Mitigation, or a Business plan for $200/month/website for WAF + Advanced DDoS Mitigation, and both plans include unlimited bandwidth and rich with advanced DDoS features.

The updated whitepaper provides some solid AWS-specific guidance for users on how to buy more time since they describe how their services, tools and processes in anticipation to DDoS attacks. This is certainly an improvement since the introduction of their WAF firewall back in October 2015. For now, most should look into cost-effective alternatives such as CloudFlare that offer better DDoS mitigation features in tandem with AWS.

Digiprove sealCopyright secured by Digiprove © 2016