In my experience, safeguarding your applications against DDoS attacks can prove to be quite challenging. Even if you run on AWS and use AWS WAF, mitigating DDoS attacks solely through that firewall is not straightforward. Blocking a specific IP address requires creating match conditions, which need constant updates as the attacking IP addresses change. If the attack targets a specific URL, setting up rate-limiting rules for that URL is an option, but keep in mind that the targeted URL can easily change. Using tools like iptables to block IP addresses at the server level is possible, but it demands continuous monitoring to add each new attacking IP address.
AWS does offer AWS Shield, a service that provides DDoS protection at the network and transport layers. However, for comprehensive DDoS protection, the AWS Shield Advanced subscription must be purchased, entailing a yearly commitment and a subscription cost of $3,000. Additionally, access to the AWS Shield Response Team requires the Enterprise or Business Support levels of AWS Premium Support.
In our scenario, immediate and effective DDoS mitigation was essential, along with long-term protection for our applications. As a solution, we turned to Cloudflare’s DDoS protection. The initial setup process is straightforward: add your domains, update the DNS records, and point your domains’ nameservers from Route53 to Cloudflare. It is important to enable proxying on the DNS records, since DDoS protection is only active for proxied records.
DDoS Protection Alternatives
Numerous WAF and DDoS protection providers exist, with some of the most prominent being Cloudflare, Sucuri, Akamai, and Imperva. We opted for Cloudflare due to its robust DDoS protection capabilities. It covers DDoS attacks at both L3/4 and L7 of the OSI model, including Network-layer DDoS Attack Protection, Advanced TCP Protection, and HTTP DDoS Attack Protection. Cloudflare uses in-house software called Cloudflare Autonomous Edge, powered by a denial-of-service daemon (dosd) that runs on each of its servers. Additionally, Cloudflare employs dosd as a centralized DDoS system to oversee and safeguard its network.
Cloudflare’s DDoS Mitigation Approach
Cloudflare employs traffic samples to detect and counter DDoS attacks without impacting application performance. These samples encompass:
- Packet fields: source and destination IP addresses, source and destination ports, protocols, etc.
- HTTP request metadata: HTTP headers, host, TLS cipher version, user agent, HTTP version, etc.
- HTTP response metrics: origin server’s error codes
When traffic matches a rule, the system tracks that traffic and generates a signature describing the attack’s pattern. The signature is used to mitigate the attack without blocking legitimate traffic. Cloudflare’s rules can dynamically generate different signatures depending on the type of attack. Once a signature is created, it becomes a mitigation rule, which expires after the attack concludes and traffic no longer matches the pattern.
Added Protection Measures
For enhanced application protection, WAF custom rules can be created to block requests based on parameters such as Cookie, Request Method, HTTP Version, User Agent, Header, etc. Cloudflare also offers Bot protection, which automatically identifies and blocks suspicious requests. Additionally, rate-limiting rules can be implemented.
Cloudflare provides Managed Rulesets that include checks for a wide range of attacks and request anomalies, for example:
- Anomaly:Header:User-Agent – Fake Baidu Bot
- Anomaly:Header:User-Agent – Empty
- Anomaly:Header:Content-Type – Missing
- Anomaly:Header:Accept – Invalid
- Apache Struts – Code Injection – CVE:CVE-2013-2251
- Anomaly:URL:Query String – Relative Paths
- Anomaly:Method – Unusual HTTP Method
- 920100: Invalid HTTP Request Line
And many more. You can review, enable, or disable each rule as needed.
Our Experience with Cloudflare
Since migrating to Cloudflare, we have experienced highly effective DDoS protection, along with the added benefits of its other features. We employ a combination of rate-limiting rules, Geo-Location blocks, and Cloudflare’s DDoS protection rules. Rate-limiting rules are configured to block IP addresses that make 100 requests within 10 seconds. With the Geo-Location block, we have restricted access from all countries except those directly involved in our project. For external access, a separate rule whitelists specific IP addresses. Our DDoS protection rules issue Cloudflare’s managed challenge to traffic that is flagged as part of a DDoS attack but may be legitimate.
Since implementing Cloudflare, we have not experienced any downtime or noticed any adverse effects on our environment during DDoS attacks. Cloudflare promptly notifies us of attacks, detailing the attack type, the number of blocked requests, and the targeted endpoint. We have encountered several DDoS attacks since adopting Cloudflare; most resulted in 50 to 60 million blocked requests. The largest attack we were alerted to saw 219.65 million requests blocked by Cloudflare’s DDoS protection, and our applications remained unaffected.
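As an added example (not the post’s own code), the rate-limiting rule, Geo-Location block and IP allowlist described above expressed as Cloudflare Rulesets API request bodies; CF_API_TOKEN, CF_ZONE_ID, the country codes and the allowlisted addresses are assumed placeholders, not the author’s values.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): the rate-limiting, geo-block and
# allowlist rules described above, expressed as Cloudflare Rulesets API bodies.
# Assumes CF_API_TOKEN and CF_ZONE_ID in the environment; the country codes and
# the allowlisted addresses are constructed placeholders, not the author's values.
set -euo pipefail

# http_ratelimit phase: block a client IP for 600 s once it exceeds
# 100 requests within a 10-second window (counted per IP, per Cloudflare PoP).
ratelimit_rules() {
  cat <<'EOF'
{"rules":[{"description":"Block IPs sending more than 100 requests in 10 s",
  "expression":"true","action":"block",
  "ratelimit":{"characteristics":["cf.colo.id","ip.src"],
               "period":10,"requests_per_period":100,"mitigation_timeout":600}}]}
EOF
}

# http_request_firewall_custom phase: rules run in order, so the allowlist
# comes first ("skip" ends evaluation of the remaining custom rules for that
# request), then every country outside the project is blocked.
custom_rules() {
  cat <<'EOF'
{"rules":[
  {"description":"Allowlist for external access","action":"skip",
   "expression":"ip.src in {203.0.113.10 203.0.113.11}",
   "action_parameters":{"ruleset":"current"}},
  {"description":"Block all countries not involved in the project","action":"block",
   "expression":"not ip.src.country in {\"US\" \"DE\"}"}]}
EOF
}

# PUT on a phase entry point replaces every rule already in that phase,
# so each body must carry the complete rule list for its phase.
put_phase() {  # $1 = phase name; JSON body on stdin
  curl -fsS -X PUT \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/rulesets/phases/$1/entrypoint" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# Only talk to the API when credentials are present; otherwise just print the bodies.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE_ID:-}" ]; then
  ratelimit_rules | put_phase http_ratelimit
  custom_rules    | put_phase http_request_firewall_custom
else
  ratelimit_rules; custom_rules
fi
```

The managed-challenge behaviour for suspected DDoS traffic is an override on the HTTP DDoS managed ruleset, configured separately in the ddos_l7 phase rather than in these two bodies.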
If you require guidance on integrating Cloudflare with your AWS-hosted applications, we offer a comprehensive tutorial outlining the process.