Amazon has unveiled AWS Shield, a DDoS protection service for apps running on AWS, putting the largest public cloud in competition with the likes of CloudFlare. It’s free and automatically available for web apps that run on Amazon’s cloud computing service. AWS Shield features always-on detection and automatic inline mitigations that reduce latency, offering seamless and automatic protection against the bulk of the most common web threats, including network and transport layer DDoS attacks. The majority of attacks are volumetric assaults that seek to exhaust server resources, followed by state exhaustion and application layer attacks.
“It protects you from 96 percent of the most common attacks today, including SYN/ACK floods, Reflection attacks, and HTTP slow reads,” AWS exec Jeff Barr writes in a blog post.
While the standard service is free, the for-pay advanced version builds on Amazon’s previous work on Elastic Load Balancing, CloudFront CDN, and Route 53 DNS service to offer greater protection. AWS Shield Advanced has more sophisticated detection and mitigation capabilities, and includes AWS WAF. It also offers access to an around-the-clock DDoS response team and real-time visibility into ongoing assaults, and comes with cost protections to prevent massive spikes in fees incurred as a result of DDoS attacks. The base fee for AWS Shield Advanced starts at $3000 per year, not including data transfer charges applied for use of ELB, CDN, and Route 53.
One other feature of AWS Shield Advanced that bears mentioning is customizable rules that allow customers to calibrate sophisticated attack mitigation protocols. These rules are instantly deployable, and can be proactive (e.g. automatically blocking bad traffic) or passive (e.g. responding to incidents in progress).
When the service detects an attack, it works “together with DDoS protection teams to create the right level of protection using WAF. We will also keep an eye on cost, making sure you don’t incur any additional cost by using our service,” Amazon vice president and chief technology officer Werner Vogels said.