How to protect dynamic web content against DDoS attacks using Route 53, CloudFront, WAF and AWS Shield
A DDoS (Distributed Denial of Service) attack aims to disrupt a service, for example a website served by Apache. The attack is planned, and its main goal is to make the website unavailable to its legitimate end users. These attacks are carried out by a large number of devices such as compromised PCs and phones, so the traffic arrives from a great many IP addresses, which makes it very difficult for a simple firewall to block. AWS has services dedicated to mitigating DDoS and other attacks. In this blog I explain these services and the steps to put them in place.
AWS CloudFront has long been an integral part of hosting e-commerce websites, which serve plenty of images and other content that must reach end users without noticeable latency. Using CloudFront improves page load times, reduces the load on the origin servers and absorbs attacks such as Distributed Denial of Service (DDoS), because requests terminate at AWS edge locations rather than at our servers. AWS WAF (Web Application Firewall) attaches to a CloudFront distribution and tackles application-layer floods by blocking the traffic that matches rules we define and allowing the rest. When an end user opens the web application, DNS (the Domain Name System), here provided by Amazon Route 53, resolves the human-readable name (e.g. www.example123.com) to an IP address (e.g. 192.168.0.34); with the setup in this post that address belongs to a CloudFront edge location, and CloudFront then proxies the requests for dynamic content to the origin, such as S3, EC2 or a load balancer.
Here we can see how to implement WAF with CloudFront and Route 53 to help protect dynamic applications or content (such as the response to a user input) against DDoS attacks.
CloudFront and Route 53 run on a global network of distributed proxy servers called edge locations. Because both the DNS answer and the HTTP request are handled at these edge locations, attack traffic is spread across many points of presence with large capacity instead of arriving at a single origin, which is what makes the combination a good defense for dynamic content.
The map below shows the edge locations across the globe from which CloudFront serves web content to end users (fetching it from the origin when it is not cached).
Using AWS Shield, Route 53 and CloudFront to protect against DDoS attacks
Here we can see how our dynamic content is kept available even while under a DDoS attack, by putting the application behind Route 53 and CloudFront, both of which are covered by AWS Shield. Shield Standard is enabled automatically at no extra cost and protects against the most common network- and transport-layer (layer 3 and 4) attacks such as SYN floods and UDP reflection. If more protection is needed, Shield Advanced has to be purchased as a subscription. We can also use CloudFront geo restriction to block requests from countries the application does not serve, which reduces the traffic that reaches the application at all.
CloudFront's request routing connects each end user to the nearest edge location based on continuously updated latency measurements. With AWS WAF, the HTTP and HTTPS requests arriving at CloudFront can be inspected before they are forwarded to the origin: each rule allows, blocks or only counts the requests that match it (by source IP, country, URI, header, query string or request rate), and the count action is the way to watch what a rule would catch before letting it block real users. The diagram below shows how static and dynamic content originate from AWS resources or the data center.
First we create a CloudFront distribution and configure its origin, so that all traffic, including attack traffic, arrives at the edge locations rather than at the origin.
- Log in to the AWS Management Console and open the CloudFront console.
- Choose Create Distribution.
- In the Web section choose Get Started.
- Provide the Origin settings. In the following screenshot the origin is an ELB; it can equally be an S3 bucket or any other resource we choose. Pick an Origin Protocol Policy of HTTPS Only when the origin supports it, so the hop from the edge to the origin is encrypted as well.
- Set the cache behavior as shown in the screenshot below. For dynamic applications set the Minimum, Default and Maximum TTL to 0 so that no response is served stale from the cache.
- To make sure all traffic to CloudFront is encrypted, set the Viewer Protocol Policy to 'Redirect HTTP to HTTPS'. For dynamic content set Allowed HTTP Methods to GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE, forward all headers, and forward the cookies and query strings the application needs. Note that forwarding all headers means CloudFront caches nothing for this behavior and passes every request to the origin, which is what we want for dynamic responses.
- In Distribution Settings, enter your domain name under Alternate Domain Names (CNAMEs); this is the name that will point at the CloudFront domain name. Then choose Custom SSL Certificate and select an ACM certificate for that name (for CloudFront the certificate must be issued or imported in the us-east-1 region).
- Create the distribution. Note down the CloudFront domain name, because it has to be entered in Route 53 to route the alternate domain name to the distribution.
Configuring Route 53
When we created the distribution we received a CloudFront domain name such as d111111abcdegh8.cloudfront.net. We could reference this name directly in the web content, for example d111111abcdegh8.cloudfront.net/test.png, but the better way is to use our own domain name, for example example1234.com/test.png. This is achieved by creating a Route 53 alias record (type A, and AAAA if IPv6 is enabled on the distribution) that routes the dynamic content traffic for the domain name to the CloudFront distribution. One check worth making at this point: the origin's own hostname or IP address must not be published in DNS or in the page, and the origin's security group should only accept traffic from CloudFront (for example via the CloudFront origin-facing managed prefix list), otherwise an attacker can bypass CloudFront, WAF and Shield and flood the origin directly.
The following screenshot displays this :
Enabling AWS WAF
For inspecting and mitigating DDoS traffic at the web application layer (layer 7), we enable AWS WAF. Rules and conditions are grouped into a web ACL that decides, per request, whether to allow, block or count it; typical rules for this use case are a rate-based rule that blocks any source IP exceeding a request threshold, IP set rules for known bad addresses, and AWS managed rule groups. Once the web ACL exists, we associate it with the CloudFront distribution.
WAF can be combined with the geo restriction in the CloudFront settings to stop users in specific countries from accessing the application content. WAF's ability to block individual IP addresses and ranges is useful for mitigating HTTP floods that come from a manageable number of sources.
If the traffic volume is very high, or the attack targets layer 7, we need to subscribe to Shield Advanced: it adds application-layer DDoS detection for the protected resources, access to the AWS Shield Response Team, and cost protection against the scaling charges an attack would otherwise cause.
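The same configuration as the console steps above (the CloudFront distribution, the Route 53 alias record and the WAF web ACL), as an added boto3 example that is not part of the original post. The origin DNS name, domain, hosted zone ID and ACM certificate ARN are placeholders to be replaced; the rate limit of 2000 requests per 5-minute window and the rule names are assumptions chosen for the example.

```python
# Added example, not code from the original post: builds with boto3 the same
# CloudFront distribution, Route 53 alias record and AWS WAF web ACL that the
# console steps describe. Origin DNS name, domain, hosted zone ID and ACM
# certificate ARN are placeholders the reader must replace.
import uuid

try:
    import boto3  # needed only for the real API calls in main()
except ImportError:  # the config builders below work without boto3 installed
    boto3 = None

# Fixed hosted zone ID used by every Route 53 alias to a CloudFront distribution.
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"
ALL_METHODS = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]


def distribution_config(origin_dns, domain, acm_cert_arn, web_acl_arn,
                        blocked_countries=(), caller_ref=None):
    """DistributionConfig for dynamic content: TTLs of 0, all HTTP methods,
    every header/cookie/query string forwarded, HTTP redirected to HTTPS,
    optional geo restriction and the WAF web ACL attached."""
    if blocked_countries:
        geo = {"RestrictionType": "blacklist", "Quantity": len(blocked_countries),
               "Items": list(blocked_countries)}
    else:
        geo = {"RestrictionType": "none", "Quantity": 0}
    return {
        "CallerReference": caller_ref or str(uuid.uuid4()),
        "Aliases": {"Quantity": 1, "Items": [domain]},
        "Comment": "dynamic app behind CloudFront, WAF and Shield",
        "Enabled": True,
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "app-origin",
            "DomainName": origin_dns,  # e.g. the DNS name of an ELB/ALB
            "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginProtocolPolicy": "https-only"},
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "app-origin",
            "ViewerProtocolPolicy": "redirect-to-https",
            "AllowedMethods": {"Quantity": len(ALL_METHODS), "Items": ALL_METHODS,
                               "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
            # Forwarding all headers makes each request unique, so nothing dynamic
            # is served from cache; the TTLs of 0 state the same thing explicitly.
            "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "all"},
                                "Headers": {"Quantity": 1, "Items": ["*"]}},
            "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,
        },
        "Restrictions": {"GeoRestriction": geo},
        "ViewerCertificate": {"ACMCertificateArn": acm_cert_arn,  # must be in us-east-1
                              "SSLSupportMethod": "sni-only",
                              "MinimumProtocolVersion": "TLSv1.2_2021"},
        "WebACLId": web_acl_arn,  # for WAFv2 this is the web ACL ARN
    }


def alias_record_change(domain, distribution_domain):
    """ChangeBatch pointing the custom domain at the distribution. An alias record
    (not a CNAME) works at the zone apex, is free to query and follows CloudFront's
    edge IPs; it never exposes the origin's own address."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": domain, "Type": "A",
        "AliasTarget": {"HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                        "DNSName": distribution_domain,
                        "EvaluateTargetHealth": False}}}]}


def web_acl_rules(rate_limit=2000, blocked_ip_set_arn=None, enforce=True):
    """Rules for a CLOUDFRONT-scope WAFv2 web ACL: a rate-based rule acting on any
    source IP above rate_limit requests per 5-minute window, plus an optional rule
    for a pre-created IP set of known bad addresses. enforce=False switches both to
    Count, so their effect can be watched in CloudWatch before they block anyone."""
    action = {"Block": {}} if enforce else {"Count": {}}

    def visibility(metric):
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                "MetricName": metric}

    rules = [{"Name": "rate-limit-per-ip", "Priority": 0, "Action": action,
              "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                                   "AggregateKeyType": "IP"}},
              "VisibilityConfig": visibility("rateLimitPerIp")}]
    if blocked_ip_set_arn:
        rules.append({"Name": "block-listed-ips", "Priority": 1, "Action": action,
                      "Statement": {"IPSetReferenceStatement": {"ARN": blocked_ip_set_arn}},
                      "VisibilityConfig": visibility("blockListedIps")})
    return rules


def main():
    domain = "www.example1234.com"  # placeholder values throughout main()
    waf = boto3.client("wafv2", region_name="us-east-1")  # CLOUDFRONT scope lives here
    acl = waf.create_web_acl(
        Name="dynamic-app-acl", Scope="CLOUDFRONT", DefaultAction={"Allow": {}},
        Rules=web_acl_rules(), VisibilityConfig={"SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True, "MetricName": "dynamicAppAcl"})["Summary"]
    dist = boto3.client("cloudfront").create_distribution(
        DistributionConfig=distribution_config(
            "my-alb-123456789.eu-west-1.elb.amazonaws.com", domain,
            "arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME",
            acl["ARN"]))["Distribution"]
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId="ZREPLACEWITHYOURZONE",
        ChangeBatch=alias_record_change(domain, dist["DomainName"]))
    print("distribution", dist["Id"], "serves", domain, "via", dist["DomainName"])


if __name__ == "__main__":
    main()
```

Run it once with `enforce=False` in the `web_acl_rules()` call, watch the rule's CloudWatch metric and sampled requests for a day, and only then switch to blocking; the web ACL can be updated in place with `update_web_acl` without touching the distribution.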
Let’s Wrap It
By using these services we can keep a large share of attacks away from the website and its related services. Shield Standard protection is enabled by default and blocks a considerable amount of DDoS traffic at the network and transport layers; if you need more protection, you have to purchase Shield Advanced, which covers larger attacks and the application layer as well.