Shielding Your Business with AWS’s Defenses Against DDoS Attacks

Overview

A pivotal real-world challenge is introduced, highlighting the evolving sophistication of DDoS attacks, including emerging threats such as HTTP/2 rapid reset attacks. The blog emphasizes the tangible impact of such attacks on the availability of specific systems like websites and applications, accentuating the necessity for proactive security measures.

This comprehensive blog explores Amazon Web Services (AWS) state-of-the-art strategies and tools to safeguard businesses from the escalating threat of Distributed Denial of Service (DDoS) attacks. By delving into real-world challenges, the blog unveils AWS’s commitment to fortifying customer applications and provides actionable insights into the innovative solutions and best practices AWS advocates.

Beginning with an overview of the DDoS landscape, it delves into the intricacies of emerging threats such as HTTP/2 rapid reset attacks. The blog then highlights the robust security features inherent in AWS’s global cloud infrastructure, including the proactive monitoring systems that enable the rapid detection of strange activities.

Introduction

In this blog, we delve into the robust mechanisms and strategic measures offered by Amazon Web Services (AWS) to protect customers from the debilitating impact of DDoS events. By exploring the innovative solutions and best practices recommended by AWS, businesses can proactively secure their digital infrastructures and ensure seamless operations even in the face of relentless cyber-attacks.

AWS has identified and defended customer applications against a novel distributed denial of service (DDoS) incident. These attacks are designed to disrupt the availability of a specific system, like a website or application, causing reduced performance for genuine users. Some common forms of DDoS events include:

• HTTP request floods,
• Reflection/amplification attacks, and
• Packet floods

Note: The DDoS incidents observed by AWS were specifically characterized as an HTTP/2 request flood, wherein an excessive volume of unauthorized web requests overloads the web server, hampering its ability to handle valid client requests.

• Through proactive monitoring, AWS identified an anomalous surge in HTTP/2 requests directed at Amazon CloudFront, reaching a peak of more than 155 million requests per second (RPS).
• While quickly recognizing the activity’s abnormal nature, AWS discovered that Amazon CloudFront had autonomously countered a novel form of HTTP request flood DDoS event, subsequently named an HTTP/2 rapid reset attack.
• Over two days, AWS intercepted and addressed over a dozen instances of HTTP/2 rapid reset events, with similar incidents persisting throughout September. Customers who had established resilient DDoS architectures with services like Amazon CloudFront and AWS Shield effectively shielded their applications, ensuring sustained availability.

An introduction to HTTP/2 rapid reset attacks

HTTP/2 protocol facilitates the multiplexing of multiple distinct logical connections within a single HTTP session, unlike the previously used HTTP 1.x, where each session was separately distinct.

The HTTP/2 rapid reset attacks involve the rapid sequence of multiple HTTP/2 connections, comprising a series of requests and immediate resets.

In this scenario, the targeted system processes each request, generating corresponding logs that the client subsequently resets or cancels. Despite not requiring any data transmission back to the client, the system expends resources in generating these logs. Malicious actors exploit this mechanism by orchestrating a massive influx of HTTP/2 requests, ultimately overwhelming the system, whether a website or application.

It is crucial to recognize that HTTP/2 rapid reset attacks are a variation of the common HTTP request flood. To effectively counter such DDoS assaults, it is advisable to design an architecture that enables the specific identification of unwanted requests and the ability to scale resources to absorb and block these malevolent HTTP requests.

Creating DDoS-Resistant AWS Architectures: Best Practices and Tools

Being an AWS user, one can not only leverage the inherent security features within the global AWS cloud infrastructure but also benefit from our steadfast commitment to enhancing the security, efficacy, and resilience of AWS services.

AWS has developed tools like the AWS Best Practices for DDoS Resiliency to provide actionable insights on bolstering DDoS resilience. This resource outlines a comprehensive DDoS-resilient reference architecture aimed at assisting in safeguarding the application’s continuous availability.

While AWS services come equipped with several integrated DDoS mitigation mechanisms by default, one can further fortify the DDoS resilience by implementing an AWS architecture that incorporates specific services and adheres to supplementary best practices across each aspect of the network flow between users and applications.

To enhance your application’s availability protection against known infrastructure layer attacks, AWS offers a range of services operating from edge locations, including:

• Amazon CloudFront,
• AWS Shield,
• Amazon Route 53, and
• Amazon Route 53 Application Recovery Controller

These services bolster the DDoS resilience of your application, particularly when managing diverse application traffic from globally distributed edge locations.

By leveraging these AWS services, you can effectively prevent unwarranted requests from reaching your origin servers, whether your application is on-premises or hosted on AWS.

Adhering to best practices, deploying your applications on AWS can significantly minimize your application endpoints’ susceptibility to DDoS attacks, ensuring optimal availability and performance for legitimate users.

Note: Utilizing tools such as Amazon CloudFront with its HTTP caching capability, AWS WAF, and AWS Shield Advanced automatic application layer protection can further prevent superfluous requests from reaching your origin, especially during application layer DDoS attacks.

Conclusion

As digital landscapes evolve, businesses must remain vigilant in protecting their online assets from malicious cyber activities. AWS’s proactive approach to DDoS resilience is a testament to its unwavering commitment to customer security and satisfaction. By adhering to the recommended best practices and leveraging the advanced tools offered by AWS, organizations can fortify their defenses, ensuring unwavering protection against DDoS events and sustaining seamless operations even in the face of adversities.

Drop a query if you have any questions regarding AWS’s Defenses Against DDoS Attacks and we will get back to you quickly.

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.