
AWS DDoS Protection

Effective Cloud DDoS Protection

Context

With DDoS attacks becoming relatively inexpensive to launch or hire as a service, especially in relation to the amount of damage they can cause, many organizations with an online presence are researching financially feasible approaches to prepare for this kind of attack.

What is a DDoS attack?

A DDoS (Distributed Denial-of-Service) attack aims to disrupt your normal business operations by overloading a network, system, application or application component in such a manner that legitimate users will not be able to use your service.

Compared to other malicious activities, for this type of attack the attacker doesn't need to compromise credentials, elevate access or gain any access to your network or systems. The traffic the attacker is sending shares common characteristics with the normal traffic.

A DDoS attack is launched from multiple compromised devices (hence Distributed), and also from different networks and geographies around the world.

Why should I care?

Business Reputation

With your services being slow to respond or entirely down for minutes, hours or even days, your business would lose trust among its partners and employees.

Attacks can last for days

During this time, your users will not be able to use your service.

Financial Impact

Your business will be impacted along multiple dimensions: lost revenue, lost staff productivity, extra infrastructure costs, and recovery costs (some solutions without the proper architecture in place to scale under load will crash under a DDoS attack).

Data Security

DDoS attacks can lead to data loss in the context of solutions that do not offer the expected protection under excessive load.

Why would an attacker care to target my business?

For a variety of reasons, ranging from state-sponsored disruption and competitors not playing fair to activism, to name a few.

Challenges

Cannot Use Firewalls to mitigate a DDoS attack

When you are under attack, you cannot use firewalls to block IP addresses or CIDR blocks, as the incoming traffic is received from multiple networks. Also, the attacker can saturate your bandwidth, so even if you could DROP the packet…

Asymmetry of costs

The attacker has a lower cost to attack than you have to protect your resources.

Difficult to test

All implemented protections are expected to work under attack. For DDoS attacks, it is complex and expensive to organize valuable DDoS test exercises.

The Temperfield Solution

At Temperfield, we have extensive experience with all the AWS services in the Edge Services family, such as Amazon Route 53, Amazon CloudFront and AWS Shield.

AWS Solution Design AWS DDoS Protection

Benefits

Take a proactive approach to DDoS Protection and implement our solution with minimal disruption to existing services setup. Migration to AWS is optional.

Be protected against the most common attacks

AWS Shield Standard is available at no extra cost and protects you from +95% of the most common attacks, up to layer 4 of the OSI stack.

Simple - Seamless integration and deployment

This protection is applied automatically and transparently to your DNS services hosted with Amazon Route 53, Amazon CloudFront and your Elastic Load Balancers.

Cost Efficient

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost.

Benefits of AWS Shield Advanced

For higher levels of protection against attacks targeting your applications, in addition to the network and transport layer protections that come with Shield Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall.

Mitigate complex application-layer attacks

With AWS Shield Advanced you get protection up to layer 7 by setting up rules proactively in AWS WAF to automatically block the undesired traffic.

Expand your team with AWS experts

With AWS Shield Advanced you get 24×7 access to the AWS Shield Response Team (SRT) for help and custom mitigation techniques during attacks.

Available with AWS Enterprise or Business Support Plans

Health-based detection

AWS Shield Advanced uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation.

Advanced Protection

AWS Shield Advanced provides more sophisticated automatic mitigations for attacks targeting your applications.

For customers with Business or Enterprise support, the SRT also applies manual mitigations for more complex and sophisticated DDoS attacks that might be unique to your application.

Cost protection for scaling

DDoS cost protection is a safeguard from scaling charges as a result of a DDoS attack that causes usage spikes on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53.

Features

Managed Protection and Attack Visibility

With AWS Shield Standard you get always-on heuristics-based network flow monitoring and inline mitigation against common, most frequently occurring network and transport layer DDoS attacks.

No latency impact for protected services

Automatic mitigations are applied inline to protect AWS services, so there is no latency impact. Shield Standard uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.

Got questions? We have answers

Do I need to migrate my application to AWS to benefit from the DDoS protection?

It is not required to migrate your workloads to AWS to benefit from the AWS Cloud DDoS protection.

How many resources can I enable for AWS Shield Standard protection?

There is no limit on the number of resources subject to AWS Shield Standard protection.

Still have questions?

Get in touch to talk to one of our Cloud Specialists.