Distributed Denial of Amazon Web Services: What Kind Of Protection is Your Website Really Getting?


Amazon Web Services (AWS) is a major player in cloud infrastructure, accounting for over 1/3 of the entire market. That’s a serious number of websites and applications relying on AWS for services ranging from hosting, storage and networking to developer tools and deployment.
With so much of the cloud infrastructure market to worry about, AWS understandably goes to great lengths to protect itself from the pervasive threat of DDoS attacks, and many owners of websites and applications using AWS assume those sites and apps must be protected too. That assumption is about as sound as expecting a steak order to come with a free side, drink and dessert, or a car purchase to include insurance. So here’s what you need to know about protecting your website from DDoS attacks if you’re using Amazon Web Services.

The DDoS problem

Distributed denial of service or DDoS attacks are cyberattacks that take aim at websites and online services with the intention of making them unavailable to users, either by taking them offline or slowing them down greatly. In order to achieve this, attackers use a large collection of infected internet-connected devices called a botnet to direct massive amounts of traffic or requests at the target, overwhelming the server or eating up other network resources.
DDoS attacks have become a major problem over the last few years. This is largely due to a combination of DDoS-for-hire services that make it possible for pretty much anyone to launch an attack, DDoS ransom notes which demand – and often garner – sums of money in exchange for not launching an attack, the attention gained on social media and even in traditional media when a popular site is hit by an attack, and the ease with which a big botnet can be assembled from Internet of Things (IoT) devices with weak security.

Advanced protection

The last publicly released numbers, which came in a letter from Amazon CEO Jeff Bezos to shareholders in April of 2016, stated that AWS has over one million customers. Among those one million customers are over 2000 government agencies, 5000 education institutions and 17,500 non-profit organizations. So is Amazon’s cloud infrastructure tightly protected from the threat of DDoS attacks of all types and sizes? Yes, absolutely. Are AWS customers inherently protected from those threats as well? Not necessarily.
AWS does have a managed DDoS protection service – Amazon Shield. The advanced version of Shield protects against both network layer and application layer attacks – even complex application layer attacks – and provides cost protection so users won’t be hit with big bills in the face of a network layer attack that consumes a lot of bandwidth. For users that don’t have premium business or enterprise level support plans, Amazon Shield Advanced starts at $3000/year.

‘Free’ has its issues

The free version of Amazon Shield is available to all AWS customers, but the problems begin when an application layer attack has multiple vectors, switches attack strategies or is bigger than the average attack. Sophisticated application layer attacks will not be adequately handled by the free version of Shield, so for anyone in a competitive industry or who has been targeted by such attacks before, this level of protection won’t do.
Furthermore, there’s a reason the advanced version of Shield offers cost protection for network layer attacks. If your site, service or application is nailed with a network layer attack, you’ll be on the hook for the bandwidth that is chewed up by the attack. Perhaps it goes without saying, but a big attack equals a big bill.
Another issue with the built-in DDoS protection provided by AWS is that it is able to absorb traffic up to a limit, and beyond that, traffic is simply dropped. This includes traffic from legitimate users who will be unable to access the website or service, essentially suffering the consequences of a DDoS attack.
Lastly, while the advanced version of Shield offers 24/7 access to DDoS mitigation experts for serious or complex attacks, the free version offers no such thing and instead provides access to best practices and tools for users to build their own DDoS resilient architecture. While this is certainly a viable option for those with the knowledge and ability to do just that, it essentially negates the benefits of a managed service.
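The two failure modes described in this section, an application layer flood that a blunt upstream cap absorbs only up to a limit and then drops everyone's traffic, versus per-source mitigation that keeps legitimate users online, can be made concrete with a small log-driven simulation. The following is an added example written for this page, not code from the article or from AWS; the log lines are constructed (using RFC 5737 documentation addresses), and the window sizes, thresholds and capacity are illustrative assumptions, not Shield's actual limits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample traffic in combined-log style. Five "bot" sources flood
# a search endpoint; three legitimate clients browse normally. Made up for
# this example, not captured from any real site.
BOTS = [f"203.0.113.{i}" for i in range(1, 6)]
LEGIT = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]


def build_sample_log():
    """Ten seconds of traffic: each bot sends 3 requests/second (30 total),
    each legitimate client a handful of requests over the whole period."""
    legit_schedule = {0: LEGIT[0], 4: LEGIT[0], 8: LEGIT[0],
                      1: LEGIT[1], 5: LEGIT[1], 9: LEGIT[1],
                      2: LEGIT[2], 6: LEGIT[2]}
    lines = []
    for sec in range(10):
        stamp = f"01/Jan/2024:12:00:{sec:02d} +0000"
        for ip in BOTS:
            for _ in range(3):
                lines.append(f'{ip} - - [{stamp}] "GET /search?q=x HTTP/1.1" 200 512')
        if sec in legit_schedule:
            lines.append(f'{legit_schedule[sec]} - - [{stamp}] "GET /index.html HTTP/1.1" 200 2048')
    return lines


# client_ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')


def parse_log(lines):
    """Parse combined-log lines into (timestamp, ip, method, path, status),
    skipping malformed lines. Sort is stable, so log order within one
    second is preserved."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status, _ = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, ip, method, path, int(status)))
    events.sort(key=lambda e: e[0])
    return events


def flag_flooding_sources(events, window_s=10, max_requests=20):
    """Detection: per-source sliding window; a source that exceeds
    max_requests within window_s seconds is flagged."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, *_ in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


def simulate_global_cap(events, capacity=100, window_s=10):
    """A blunt upstream cap: once `capacity` requests have been accepted in
    the last window_s seconds, every further request is dropped regardless
    of who sent it. Returns {ip: dropped_count}."""
    accepted = deque()
    dropped = defaultdict(int)
    for ts, ip, *_ in events:
        while accepted and (ts - accepted[0]).total_seconds() >= window_s:
            accepted.popleft()
        if len(accepted) < capacity:
            accepted.append(ts)
        else:
            dropped[ip] += 1
    return dict(dropped)


def simulate_per_source_limit(events, limit=20, window_s=10):
    """Per-source rate limiting: each source may have at most `limit`
    requests accepted per window_s seconds; excess from that source is
    dropped while other sources are unaffected. Returns {ip: dropped_count}."""
    recent = defaultdict(deque)
    dropped = defaultdict(int)
    for ts, ip, *_ in events:
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        if len(q) < limit:
            q.append(ts)
        else:
            dropped[ip] += 1
    return dict(dropped)


def legit_dropped(dropped):
    """How many requests from the known-legitimate clients were lost."""
    return sum(n for ip, n in dropped.items() if ip in LEGIT)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("flagged sources:", sorted(flag_flooding_sources(evs)))
    print("legitimate requests dropped, global cap:", legit_dropped(simulate_global_cap(evs)))
    print("legitimate requests dropped, per-source limit:", legit_dropped(simulate_per_source_limit(evs)))
```

With this traffic the global cap fills up during the seventh second and then discards every later request, including three from real users, while the per-source limit drops only the excess from the five flooding addresses and none of the legitimate traffic. The same window logic is what a rate-based rule in a WAF or a reverse proxy implements; what a managed service adds on top is the capacity to keep doing it at attack scale and the people watching it.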

Enhanced mitigation

DDoS mitigation is a serious endeavor, and comprehensive protection simply isn’t something Amazon can offer for free. This is unfortunate for users, however, as almost every website or online service or application now requires comprehensive DDoS protection. That’s where professional DDoS mitigation comes in, filling the gaps left by AWS’s built-in protection.
Professional DDoS mitigation can have either on-demand or always-on deployment, depending on the client’s requirements.

As a truly managed service it is built to handle even the biggest or most complex attacks, including sophisticated application layer attacks. Cloud-based mitigation is easily scalable and can handle network layer attacks of all sizes without the staggering bandwidth bills. This protection can be positioned at the perimeter of the client’s network, ensuring that attack traffic never reaches it and that legitimate traffic is unaffected by mitigation efforts during attack attempts.
Amazon Web Services offers tremendous cloud services to a huge number of customers. However, AWS just can’t offer a side of full distributed denial of service protection to customers who haven’t purchased an enterprise-level steak. To keep your site or service safe, supplementary protection may be necessary.