The following are my assumptions based on AWS docs. It's only because the docs do not precisely address my questions that I'm here asking.
AWS WAF (whether used directly or via Shield Advanced) is what AWS provides as a service.
The pricing structure of WAF means every request incurs a cost, even from IPs that it may decide to block, as it still needs to process and respond. Hence a DDoS attack can result in a cost spike.
Services like Route53 and CloudFront have AWS Shield Standard enabled by default, which only protects from layer 3/4 DDoS attacks.
Questions:
- Are my assumptions correct?
- I have read articles where customers have mentioned using external services like CloudFlare to provide authoritative DNS, as their layer 7 DDoS protection is far more cost effective. However, wouldn't that only protect from attacks needing IP resolution? I.e., if an attacker has the IP to the AWS service (like Global Accelerator) resolved, can't they attack it directly without needing to go via CloudFlare?
- Are there any other options for layer 7 protection?
Reflections (no need to read if you don't need to):
- My application (API) would 100% be a candidate for DDoS. I've coded it to be resilient to fraudulent requests that actually make it to the API (SQL injection, etc.), as that's on me, the application developer. What I don't find fair is the customer having to pay for inherent problems with the internet (DDoS protection). AWS (and any cloud provider really) ought to be responsible for controlling DDoS attacks at all levels and integrating this for free to protect their own infra. But what it feels like is making customers share this cost.
- For normal traffic, the cost of AWS WAF is quite reasonable, but if it were just normal traffic, I would not be here concerned. What concerns me is spikes due to layer 7 DDoS attacks where requests are from changing IPs but otherwise seem genuine. 10 billion requests overnight (easily accomplishable via botnets) and I wake up to a 6k bill. So while my application is secure, the cost to safeguard (the infra, not the app, the infra) from DDoS makes it virtually impossible for sole-operators/startups like myself to be sustainable.
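The direct-to-origin bypass raised in the second question is the reason an edge service (CloudFront, Cloudflare, or similar) only helps when the origin itself refuses traffic that did not come through the edge. The following is an added example, not code from the question or from AWS/Cloudflare: a small WSGI middleware that accepts a request only when it arrives from an allowlisted edge prefix and carries a shared-secret header that the edge injects on the way to the origin. The header name, secret value and prefixes are constructed for the example.

```python
import hmac
import ipaddress

# Constructed values for the example. In a real deployment the secret is
# configured on the CDN as a custom origin header and stored out of band,
# and the prefixes come from the edge provider's published IP ranges.
ORIGIN_SECRET_HEADER = "X-Origin-Verify"              # hypothetical header name
ORIGIN_SECRET = "replace-with-a-long-random-value"     # placeholder secret
EDGE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("203.0.113.0/24", "2001:db8::/32")]  # constructed


def from_edge(remote_addr: str) -> bool:
    """True if the connecting address lies inside an allowlisted edge prefix."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in EDGE_PREFIXES)


def header_valid(value) -> bool:
    """Constant-time comparison, so a wrong guess leaks nothing via timing."""
    if value is None:
        return False
    return hmac.compare_digest(value.encode(), ORIGIN_SECRET.encode())


def is_allowed(remote_addr: str, headers: dict) -> bool:
    """Both checks must pass: edge source address AND the injected secret."""
    return from_edge(remote_addr) and header_valid(headers.get(ORIGIN_SECRET_HEADER))


class OriginOnlyMiddleware:
    """WSGI middleware that rejects requests which bypassed the edge."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        remote = environ.get("REMOTE_ADDR", "")
        hdr = environ.get("HTTP_X_ORIGIN_VERIFY")  # WSGI form of X-Origin-Verify
        if not is_allowed(remote, {ORIGIN_SECRET_HEADER: hdr}):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct origin access is not permitted\n"]
        return self.app(environ, start_response)
```

Behind a load balancer REMOTE_ADDR is the balancer's address, so the prefix check belongs in the security group or balancer listener rather than the application, while the header check still applies at the application. Rejecting at the origin does not remove the bandwidth or WAF request charges for traffic that reaches the edge; it only closes the path that skips the edge entirely.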