Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Amazon Announces AWS Shield for DDoS Protection

Amazon Announces AWS Shield for DDoS Protection

This item in japanese

At the recent AWS re:Invent 2016 event, Amazon announced a new service called AWS Shield, which provides customers with protection from Distributed Denial of Service (DDoS) attacks.

This announcement comes just over a month after Amazon was impacted by a DDoS attack on a DNS provider that Amazon used, Dynamic Network Services (Dyn).  That particular attack impacted some AWS services at data centers in northern Virginia and Ireland.  In order to limit the impact to Amazon’s customers, they rerouted their traffic through other DNS providers.

DDoS attacks continue to rise in frequency.  In Akamai’s Q1 State of the Internet Security Report, Akamai cites:

There's been a 125 percent increase in distributed denial of service (DDoS) attacks year over year.   

In a recent blog post, Jeff Barr, chief evangelist at AWS, describes three common DDoS attacks which impact organizations, including:

  • Application-Layer Attacks consist of well-formed but malicious requests (HTTP GETs and DNS queries are popular) that are designed to consume application resources. For example, opening up multiple HTTP connections and reading the responses over the course of many seconds or minutes will consume excessive memory and prevent legitimate requests from being serviced.
  • State-Exhaustion Attacks abuse stateful protocols and cause stress on firewalls and load balancers by consuming large numbers of per-connection resources.
  • Volumetric Attacks disrupt networks by flooding them with more traffic than they can handle or by issuing fake queries that will flood an unsuspecting victim with a surprising amount of low-level “surprise” replies (also known as Reflection attacks).

In the re:Invent Keynote, Werner Vogels, CTO at Amazon, broke down the distribution of these attacks as:

  • 64% of DDoS attacks are Volumetric
  • 18% are Application-Layer
  • 18% are State-Exhaustion

Image Source: (screenshot)

In order to protect customers from these types of DDoS attacks, Amazon has released AWS Shield as a managed service that comes in two tiers:

  • AWS Shield Standard which is available to all customers at no additional charge.  Amazon claims that AWS Shield Standard will “protect you from 96% of the most common attacks today, including SYN/ACK floods, Reflection attacks, and HTTP slow reads. This protection is applied automatically and transparently to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources.”
  • AWS Shield Advanced is a paid service that provides additional protection over AWS Shield Standard including intelligent DDoS attack detection for network layer (layer 3), transport layer (layer 4) and application layer (layer 7).  In addition, customers also get access to 24x7 DDoS response team during a DDoS attack and additional real-time metrics and reports.  The advanced service also provides cost protection for your Elastic Load Balancing resources CloudFront and Amazon Route 53 hosted zones.

Image Source: (screenshot)

Amazon has provided customers with some guidance about which level of service may be appropriate for them. For customers with existing security expertise, choosing AWS Shield Standard may be appropriate if you are comfortable deploying additional Web Application Firewalls (WAF) as part of a defense-in-depth strategy.  It may also be appropriate for customers if they have an established monitoring and notification platform in place.

For customers who are in industries often targeted by DDoS attacks, such as media and entertainment, and want additional protection offered as a managed service, AWS Shield Advanced may be a better choice. As part of the advanced service, WAF is provided at no additional cost.  Advanced customers will also receive extensive reporting, notifications and post-attack analysis about layer 3, layer 4 and layer 7 DDoS attacks in addition to avoiding unexpected consumption charges related to DDoS attacks.

Rate this Article