
The following are my assumptions based on AWS docs. It's only because the docs do not precisely address my questions that I'm here asking.

  1. AWS WAF (whether used directly or via Shield Advanced) is what AWS provides as a service.

  2. The pricing structure of WAF means every request incurs a cost, even from IPs that it may decide to block, as it still needs to process and respond. Hence a DDoS attack can result in a cost spike.

  3. Services like Route53 and CloudFront have AWS Shield Standard enabled by default, which only protects from layer 3/4 DDoS attacks.

Questions:

  1. Are my assumptions correct?
  2. I have read articles where customers have mentioned using external services like CloudFlare to provide authoritative DNS, as their layer 7 DDoS protection is far more cost effective. However, wouldn't that only protect from attacks needing IP resolution? I.e., if an attacker has the IP to the AWS service (like Global Accelerator) resolved, can't they attack it directly without needing to go via CloudFlare?
  3. Are there any other options for layer 7 protection?

Reflections (no need to read if you don't need to):

  1. My application (API) would 100% be a candidate for DDoS. I've coded it to be resilient to fraudulent requests that actually make it to the API (SQL injection, etc.), as that's my responsibility as the application developer. What I don't find fair is the customer having to pay for inherent problems with the internet (DDoS protection). AWS (and any cloud provider really) ought to be responsible for controlling DDoS attacks at all levels and integrating this for free to protect their own infra. But what it feels like is making customers share this cost.
  2. For normal traffic, the cost of AWS WAF is quite reasonable, but if it were just normal traffic, I would not be here concerned. What concerns me is spikes due to layer 7 DDoS attacks where requests are from changing IPs but otherwise seem genuine. 10 billion requests overnight (easily accomplishable via botnets) and I wake up to a 6k bill. So while my application is secure, the cost to safeguard (the infra, not the app, the infra) from DDoS makes it virtually impossible for sole operators/startups like myself to be sustainable.
  • Didn't take long for a totally legitimate question to get downvoted. Ah, god bless the stack exchange network.
    – Ash
    Commented Apr 28 at 8:09
  • 1
    Tell me about it…
    – Hman66
    Commented Apr 29 at 3:25

1 Answer


All three of your assumptions are correct.

Maybe the reason your question got downvoted is because, like you literally said, all of this information is widely available on the internet, like from their docs.

As for your questions, there is AWS Shield Advanced, which is also probably stated in their docs, and this is considered 'better' in terms of layer 7 protection, but obviously more expensive. There are plenty of third-party WAF solutions like Cloudflare (like you said), Akamai, Imperva, and F5 Networks, all of which have options and extras to protect against all attacks. There are also ADCs (Application Delivery Controllers), which work in a similar way to WAF solutions but differ in a few small ways.

Ultimately, the best layer 7 protection method will depend on factors specific to your needs, such as budget and your level of expertise. So unless you provide much more information on the specific requirements you have for layer 7, it is hard to decide from so many different approaches and services.

  • Thanks for the answer. I've edited my question to better define 'assumptions'. I'm not concerned at all with things like SQL injection or XSS. Got all things specific to my application covered. But what does concern me is a DDoS attack with changing IPs but otherwise legitimate-looking requests. This would obviously slip past layer 3/4 defences, correct? And if proxying via CF (or such), wouldn't that a) add extra latency and b) offload costs onto my AWS ELB to check every request against CF whitelisted IPs?
    – Ash
    Commented Apr 29 at 4:06
  • My application would defs be target for DDoS but AWS costs also make it near impossible for sole operators/startups like myself to operate. I've covered fraudulent requests that actually hit my API - they don't get anywhere. That's on me, my responsibility, and I have it covered. What I don't find fair is me having to pay for inherent problems with the internet that affect all users, not just me. As a cloud provider, I expect it should be AWS's job to have all layer DDoS protection in place for no charge since it affects their infra.
    – Ash
    Commented Apr 29 at 4:10
  • Anyways, thanks for answer. Upvoted.
    – Ash
    Commented Apr 29 at 4:11
  • Good practice is to use Route53, CloudFront, AWS WAF, and a load balancer. I also use CloudFlare in front of my personal EC2 instance, the free plan is sufficient for small sites and the higher plans are not particularly expensive.
    – Tim
    Commented Apr 29 at 4:39
  • @Tim using CloudFlare would add proxy latency and offload costs to your ELB, as I've stated ^. AWS 'Good practice' here is essentially making customer pay a tonne of money for what ought to be AWS problems to address, not the customer's, as I've described.
    – Ash
    Commented Apr 29 at 5:09
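The second question in the post (can an attacker who has resolved the origin's IP go around the proxy?) and the exchange above about checking requests against the proxy's whitelisted IPs both come down to the same control: the origin only accepts connections from the proxy provider's published egress ranges, so a direct-to-origin flood is dropped by the security group at layer 3/4 instead of reaching the load balancer or AWS WAF. The following is an added example, not code from the thread or from AWS or Cloudflare. The CIDR ranges in it are constructed documentation prefixes standing in for a provider's real list (for Cloudflare, that list is published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and must be refreshed on a schedule); the function names are my own, and the output structure follows the `IpPermissions` argument of boto3's `authorize_security_group_ingress`.

```python
"""
Added example: allow-list a proxy provider's egress ranges at the origin so
that traffic sent straight to the resolved origin IP never reaches the ALB.

The ranges below are CONSTRUCTED stand-ins (RFC 5737 / RFC 3849 documentation
prefixes). In production, load the provider's published list and refresh it.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholder for the proxy's published egress CIDRs.
PROXY_EGRESS_CIDRS: List[str] = [
    "203.0.113.0/24",    # TEST-NET-3, stand-in for a provider IPv4 range
    "198.51.100.0/24",   # TEST-NET-2, stand-in for a provider IPv4 range
    "2001:db8:1::/48",   # documentation prefix, stand-in for a provider IPv6 range
]


def build_ingress_permissions(cidrs: Iterable[str], port: int = 443) -> List[dict]:
    """Return the IpPermissions list for ec2.authorize_security_group_ingress(),
    allowing only the given CIDRs to reach the load balancer on `port`.

    Every other source is silently dropped by the security group, which costs
    nothing per request, unlike a rule evaluated by AWS WAF.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "proxy egress"} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": "proxy egress"} for c in v6],
    }]


def is_allowed_source(src_ip: str, cidrs: Iterable[str] = PROXY_EGRESS_CIDRS) -> bool:
    """True if the TCP source address belongs to the proxy, i.e. the request
    was proxied; False for a client that resolved the origin and connected
    directly. `ip in network` is always False across IPv4/IPv6 versions.
    """
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def summarize_sources(src_ips: Iterable[str],
                      cidrs: Iterable[str] = PROXY_EGRESS_CIDRS) -> Dict[str, int]:
    """Count how many connection attempts would pass (proxied) versus be
    dropped (direct-to-origin) under the allow-list. Useful for replaying a
    flow-log sample before tightening the security group.
    """
    cidr_list = list(cidrs)
    counts = {"proxied": 0, "direct": 0}
    for ip in src_ips:
        counts["proxied" if is_allowed_source(ip, cidr_list) else "direct"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample of TCP source addresses seen at the origin.
    sample = ["203.0.113.10", "198.51.100.7", "192.0.2.5", "192.0.2.6", "2001:db8:1::beef"]
    print(summarize_sources(sample))                         # {'proxied': 3, 'direct': 2}
    print(build_ingress_permissions(PROXY_EGRESS_CIDRS)[0]["IpRanges"])
```

Two caveats a practitioner would add. First, this is a layer 3/4 filter on the proxy's addresses: it stops the bypass path, but traffic that comes through the proxy arrives with the proxy's source IP, so per-client logic at the origin has to read the client address from the header the proxy sets (for Cloudflare, `CF-Connecting-IP`), and layer 7 flood protection still has to happen at the proxy. Second, an IP allow-list alone does not prove a request came from your proxy account rather than another customer of the same provider; where the provider supports it, origin-side client-certificate checks (Cloudflare calls this Authenticated Origin Pulls) close that gap.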
