
What You Need to Know about AWS Shield


Amazon just took the wraps off its new DDoS-fighting platform, AWS Shield. Here's what you need to know.

The DDoS attack on the cloud-based Internet performance management company Dyn, Inc. in October 2016 reminded everyone of the alarming losses caused by DDoS attacks across the globe. The company was bombarded with multiple DDoS attacks from the Mirai botnet, which brought down Internet services across the US and Europe for some time. Large Internet sites that rely on Dyn's DNS services, such as Netflix, CNN, Reddit, Twitter and the Guardian, were unavailable for a few hours. This DDoS attack differed from the usual ones in that the botnet was made up of Internet of Things (IoT) devices such as cameras and DVRs rather than regular computers, which made the attack twice as strong.


Dyn is one of several domain name service providers for Amazon. After the attack, Amazon quickly redirected all its servers to other providers to restore full service. Still, this large network threat emphasizes the importance of a powerful DDoS protection system, and Amazon recently announced a potential new solution: AWS Shield.

Why Do I Need AWS Shield?

DDoS is a commonly used attack type owing to the availability of free tools and online services. According to Arbor Networks' 2016 survey, an average of 124,000 events per week were recorded over the last 18 months. In addition, 274 attacks were recorded over 100 Gbps, and 46 attacks were in the 200 Gbps range. This is a 73 percent increase in peak attack size over 2015.

Types of DDoS attacks

Distributed Denial of Service (DDoS) is a method in which attackers use many compromised systems to target a single system, causing a denial of service. There are different types of DDoS attacks. Some of them include:

Volumetric attacks: This method saturates the bandwidth with ICMP floods, UDP floods and spoofed-packet floods. The magnitude is measured in bits per second.

Application and Network Attacks: In this method, attackers crash the server by targeting vulnerabilities in software such as Apache, OpenBSD and Windows, using GET/POST floods and low-and-slow attacks. The magnitude is measured in requests per second.

Protocol Attacks: This attack consumes resources of servers, firewalls and load balancers using Ping of Death, Smurf DDoS, SYN floods and fragmented packet attacks. The magnitude is measured in packets per second.

What Does AWS Shield Do?

AWS Shield is a managed service offered by AWS that protects your web applications or sites from many types, sizes and shapes of DDoS attacks. It works in conjunction with Amazon CloudFront, Elastic Load Balancing and Amazon Route 53. With AWS Shield, you don't have to worry about network threats.

DDoS protection is enabled from the APIs or the management console, which gives you seamless integration and resource deployment. Basic protection is available to all AWS users at no additional cost, so network security costs are optimized. AWS Shield is integrated with Amazon CloudFront, which means custom origins outside AWS are supported as well. It works the same way with IPv4 and IPv6 networks. AWS Shield is available in two tiers:

AWS Shield Standard: The standard version is available to all AWS customers by default at no extra cost. It protects your web applications from 96 percent of common DDoS attacks, such as HTTP slow reads, volumetric attacks and SYN/ACK floods. AWS Shield is turned on by default for Elastic Load Balancing, Amazon CloudFront and Amazon Route 53 resources. It monitors for malicious traffic in real time using anomaly-detection algorithms, traffic signatures and analysis techniques to provide quick detection of, and protection from, most DDoS attacks. Because automatic mitigations are applied inline, network latency is not impacted. There is no limit on the number of resources that can be enabled for DDoS protection.
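The "anomaly algorithms" mentioned above boil down to a simple idea: learn what normal traffic looks like, then flag minutes that fall far outside it. The block below is an added illustration of that baseline-and-threshold approach and is not AWS Shield's code; the request-count series, the three-standard-deviation threshold and the minute granularity are all assumptions chosen for the example.

```python
"""Baseline-and-anomaly detection over per-minute request counts.

Added example (not AWS Shield code): builds a statistical baseline from
a constructed history of per-minute request counts and flags live
minutes that exceed mean + k * standard deviation. Sample data and the
k = 3 threshold are assumptions for illustration.
"""
from statistics import mean, pstdev

# Constructed sample: requests per minute at an edge endpoint during a
# quiet half hour. Values are invented for this example.
HISTORY = [1200, 1180, 1250, 1300, 1220, 1190, 1275, 1310, 1240, 1205,
           1230, 1260, 1215, 1290, 1270, 1185, 1245, 1225, 1280, 1235,
           1195, 1265, 1210, 1300, 1255, 1220, 1240, 1285, 1230, 1250]

# Constructed live feed: two ordinary minutes, then a flood ramping up.
LIVE = [1260, 1245, 9800, 24000, 31000]


def build_baseline(samples, k=3.0):
    """Return (mean, stdev, threshold) where threshold = mean + k * stdev."""
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu, sigma, mu + k * sigma


def detect_anomalies(history, live, k=3.0):
    """Flag live minutes whose count exceeds the baseline threshold.

    Returns a list of (index, count, threshold) tuples for anomalous
    minutes. Benign minutes are folded into the baseline so it tracks
    slow drift; anomalous minutes are deliberately NOT folded in, so a
    sustained flood cannot "train" itself into the definition of normal.
    """
    window = list(history)
    mu, sigma, threshold = build_baseline(window, k)
    flagged = []
    for i, count in enumerate(live):
        if count > threshold:
            flagged.append((i, count, round(threshold, 1)))
        else:
            window.append(count)
            mu, sigma, threshold = build_baseline(window, k)
    return flagged


if __name__ == "__main__":
    mu, sigma, thr = build_baseline(HISTORY)
    print(f"baseline mean={mu:.1f} stdev={sigma:.1f} threshold={thr:.1f}")
    for idx, count, threshold in detect_anomalies(HISTORY, LIVE):
        print(f"minute {idx}: {count} req/min exceeds {threshold} -> anomaly")
```

The key design point is the last comment: an adaptive baseline that learns from everything it sees will eventually accept a long-running flood as normal, so anomalous samples must be excluded from the update.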

AWS Shield Advanced: The advanced version of Shield offers a higher level of protection against DDoS attacks, including volumetric attacks and application- and network-layer attacks, along with intelligent attack detection.

There is a one-year subscription commitment, and the pricing is $3,000 per month. Additionally, you pay data transfer usage fees that vary with the package and the amount of data transmitted. To use the advanced option, you must have AWS Enterprise Support or AWS Business Support. With AWS Shield Advanced, you can enable up to 100 resources; if you need more, you can request an increase in this limit. Here are some of the benefits that come with the AWS Shield Advanced version:

  • Advanced DDoS Protection: AWS Shield Advanced offers extra protection by closely monitoring network flow and application-layer traffic to CloudFront, Route 53 and Elastic Load Balancing. It baselines traffic and identifies anomalies to protect the network from DNS query floods and HTTP floods. Resource-specific monitoring provides granular detection of attacks.
  • Exclusive Support 24/7: The advanced version offers specialized 24/7 support from the DDoS Response Team (DRT). The DRT will help you triage the attack, identify the root cause and resolve it quickly using sophisticated automatic mitigations and advanced routing techniques. They provide manual mitigations for complex attacks, and you can engage them for post-attack analysis as well.
  • AWS Web Application Firewall: AWS WAF is a feature that lets you protect web applications from common web exploits. With AWS Shield Advanced, you can use AWS WAF to respond to incidents at the application layer at no additional cost. Using WAF, you can respond to incidents or proactively block bad traffic by applying rules such as rate-based blacklisting.
  • Real-time Metrics and Reports: The advanced version provides real-time metrics and reports that give clear insight into DDoS attacks and support post-event analysis and investigation. Real-time notifications are sent via Amazon CloudWatch, and the management console shows a summary of all attacks.
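The rate-based blacklisting rule mentioned under AWS WAF works by counting requests per source address over a trailing window and blocking a source for as long as it stays above the limit. The block below is an added model of that logic run over constructed access-log lines; it is not AWS WAF code, and the log format, the five-request limit and the 300-second window are assumptions chosen so the behaviour is visible on a handful of lines.

```python
"""Rate-based blocking over web access log lines.

Added example (not AWS WAF code): a sliding-window counter per client
IP that blocks any source which has already made `limit` requests in
the trailing `window` seconds. The log format, limit and window are
assumptions for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed sample log: "<epoch_seconds> <client_ip> <method> <path>".
# 198.51.100.7 bursts six requests in six seconds, then returns later.
SAMPLE_LOG = """\
1000 203.0.113.10 GET /
1001 203.0.113.10 GET /login
1002 198.51.100.7 GET /
1003 198.51.100.7 GET /
1004 198.51.100.7 GET /
1005 198.51.100.7 GET /
1006 198.51.100.7 GET /
1007 198.51.100.7 GET /
1008 203.0.113.10 GET /about
1400 198.51.100.7 GET /
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


class RateLimiter:
    """Sliding-window request counter keyed by source IP.

    A request is blocked when its source already has `limit` or more
    requests inside the trailing `window`. Blocked requests still count
    toward the rate, so a source stays blocked until its rate actually
    falls below the limit rather than being unblocked by being blocked.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps in the window

    def check(self, ts, ip):
        q = self.hits[ip]
        # Expire timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        decision = "BLOCK" if len(q) >= self.limit else "ALLOW"
        q.append(ts)
        return decision


def evaluate(log_text, limit=5, window=300):
    """Return (decisions, blocked_ips).

    decisions: one (ts, ip, path, decision) tuple per parsed log line.
    blocked_ips: the set of sources that hit the limit at least once.
    Malformed lines are skipped rather than aborting the run.
    """
    limiter = RateLimiter(limit, window)
    decisions, blocked = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, path = int(m[1]), m[2], m[4]
        decision = limiter.check(ts, ip)
        if decision == "BLOCK":
            blocked.add(ip)
        decisions.append((ts, ip, path, decision))
    return decisions, blocked


if __name__ == "__main__":
    results, offenders = evaluate(SAMPLE_LOG)
    for ts, ip, path, decision in results:
        print(f"{ts} {ip:<14} {path:<8} {decision}")
    print("blocked sources:", sorted(offenders))
```

Two details matter for a defender tuning such a rule: the limit must sit well above the busiest legitimate client (the sample uses 5 only so the block is visible), and the source must be allowed back once its window empties, which the expiry loop at the top of `check` provides.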

DDoS Cost Protection

While the outage caused by a DDoS attack is a huge loss in itself, the bill spikes that follow the attack are another big concern. The DDoS cost protection feature is designed specifically to safeguard the organization from these scaling charges: AWS provides service credits that can be used when a DDoS attack scales up resources.