Which AWS service can be used to mitigate a distributed denial of service (DDoS) attack?
Distributed Denial of Service (DDoS) attacks are attempts by a malicious actor to flood a network, system, or application with more traffic, connections, or requests than it is able to handle. To protect your web application against DDoS attacks, you can use AWS Shield, a DDoS protection service that AWS provides automatically to all AWS customers at no additional charge. You can use AWS Shield in conjunction with DDoS-resilient web services such as Amazon CloudFront and Amazon Route 53 to improve your ability to defend against DDoS attacks. Learn more about architecting for DDoS resiliency by reading the AWS Best Practices for DDoS Resiliency whitepaper.
You also have the option of using Route 53 with an externally hosted content delivery network (CDN). In this blog post, I show how you can help protect the zone apex (also known as the root domain) of your web application by using Route 53 to perform a secure redirect that prevents discovery of your application origin.

Background

When browsing the Internet, a user might type example.com instead of www.example.com. To make sure these requests are routed properly, it is necessary to create a Route 53 alias resource record set for the zone apex. For example.com, this would be an alias resource record set without any subdomain (www) defined. With Route 53, you can use an alias resource record set to point www or your zone apex directly at a CloudFront distribution. As a result, anyone resolving example.com or www.example.com will see only the CloudFront distribution. This makes it difficult for a malicious actor to find and attack your application origin.

You can also use Route 53 to route end users to a CDN outside AWS. The CDN provider will ask you to create a CNAME resource record set that points www.example.com to your CDN distribution's hostname. Unfortunately, you cannot point your zone apex at the CDN with a CNAME, because a zone apex cannot be a CNAME record. As a result, users who type example.com without www will not be routed to your web application unless you point the zone apex directly to your application origin. The benefit of a secure redirect from the zone apex to www is that it helps protect your origin from being exposed to direct attacks.

Solution overview

The following solution diagram shows the AWS services this solution uses and how the solution uses them. Here is how the process works:
Note: All of the steps in this blog post's solution use example.com as a domain name. You must replace this domain name with your own domain name.

AWS services used in this solution

You will use three AWS services in this walkthrough to build your zone apex-to-external CDN distribution redirect:
Prerequisites

The solution in this blog post assumes that you already have the following components as part of your architecture:
Deploy the solution

In this solution, you:
Step 1: Create an S3 bucket with HTTP redirection

The following steps show how to configure your S3 bucket as a static website that will perform HTTP redirects to your www URL:
Note: At the top of this tab, you will see an endpoint. Copy the endpoint because you will need it in Step 2 when you configure the CloudFront distribution. In this example, the endpoint is example-com.s3-website-us-east-1.amazonaws.com.

Step 2: Create and configure a CloudFront web distribution

The following steps show how to create a CloudFront web distribution that protects the S3 bucket:
Step 3: Configure an alias resource record set in your hosted zone

In this step, you use Route 53 to configure an alias resource record set for your zone apex that resolves to the CloudFront distribution you made in Step 2:
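The three pieces that Steps 1 to 4 describe, as an added Python example that is not code from the AWS blog post or from AWS: the S3 static-website configuration that redirects every request to www (Step 1), the Route 53 change batch that creates the apex alias record pointing at CloudFront (Step 3, using an alias because the apex cannot be a CNAME), and a check of the redirect response that Step 4 performs in a browser. The CloudFront distribution of Step 2 is created as the walkthrough describes and is not generated here. The example assumes example.com as the zone apex, www.example.com as the externally hosted CDN hostname, and d111111abcdef8.cloudfront.net as a placeholder CloudFront domain name; the sample HTTP response is constructed.

```python
"""Zone-apex redirect helpers (added example; assumptions are noted inline)."""
import http.client
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Route 53 requires this fixed hosted zone ID in the AliasTarget of any
# alias record that points at a CloudFront distribution (documented AWS value).
CLOUDFRONT_ALIAS_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def website_redirect_config(www_host: str, protocol: str = "http") -> dict:
    """Step 1: S3 website configuration that redirects every request to the
    www hostname, so the bucket never serves objects of its own."""
    if not www_host.startswith("www."):
        raise ValueError("redirect target should be the www hostname")
    return {"RedirectAllRequestsTo": {"HostName": www_host, "Protocol": protocol}}


def apex_alias_change_batch(zone_apex: str, cloudfront_domain: str) -> dict:
    """Step 3: Route 53 change batch creating an A-record alias for the zone
    apex that resolves to the CloudFront distribution's domain name."""
    return {
        "Comment": f"Alias the {zone_apex} apex to CloudFront",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": zone_apex.rstrip(".") + ".",
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": CLOUDFRONT_ALIAS_HOSTED_ZONE_ID,
                    "DNSName": cloudfront_domain.rstrip(".") + ".",
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }


def redirect_is_correct(status: int, location: Optional[str],
                        zone_apex: str, www_host: str) -> bool:
    """Step 4: a request for the apex must answer with a redirect whose
    Location points at the www hostname and nowhere else (never the origin)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.hostname == www_host and target.hostname != zone_apex


def parse_response_head(raw: str) -> Tuple[int, Optional[str]]:
    """Extract the status code and Location header from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def live_redirect_check(zone_apex: str, www_host: str, timeout: float = 5.0) -> bool:
    """Fetch http://<zone_apex>/ without following redirects (http.client does
    not follow them) and validate the answer. Needs network access."""
    conn = http.client.HTTPConnection(zone_apex, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": zone_apex})
        resp = conn.getresponse()
        return redirect_is_correct(resp.status, resp.getheader("Location"), zone_apex, www_host)
    finally:
        conn.close()


# Constructed sample, in the shape an S3 website endpoint returns for a
# bucket configured with RedirectAllRequestsTo.
SAMPLE_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: http://www.example.com/
Server: AmazonS3
Content-Length: 0
"""

if __name__ == "__main__":
    print(json.dumps(website_redirect_config("www.example.com"), indent=2))
    print(json.dumps(apex_alias_change_batch("example.com", "d111111abcdef8.cloudfront.net"), indent=2))
    status, location = parse_response_head(SAMPLE_RESPONSE)
    print("redirect ok:", redirect_is_correct(status, location, "example.com", "www.example.com"))
```

The two JSON documents are what you would pass to `aws s3api put-bucket-website --website-configuration file://...` and `aws route53 change-resource-record-sets --hosted-zone-id <your zone> --change-batch file://...`. The check deliberately rejects a 200 (the apex is serving content itself) and any redirect whose host is not the www name, since either case means the apex is no longer shielding the origin.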
Step 4: Validate that the redirect is working

To confirm that you have correctly configured all components of this solution and that your zone apex redirects to the www domain as expected, open a browser and navigate to your zone apex. In this walkthrough, the zone apex is http://example.com and it should redirect automatically to http://www.example.com.

Summary

In this post, I showed how you can help protect your web application against DDoS attacks by using Route 53 to perform a secure redirect to your externally hosted CDN distribution. This helps protect your origin from being exposed to direct DDoS attacks.

– Shawn

Which Amazon service can help protect you from a Distributed Denial of Service (DDoS) attack?

AWS Shield and AWS Shield Advanced
All customers benefit from AWS Shield Standard. AWS Shield Advanced can be added to protect Amazon CloudFront distributions and Amazon Route 53 hosted zones, providing additional protections against DDoS attacks.
How do you mitigate a DDoS attack in AWS?

DDoS protection techniques:
- Reduce attack surface area.
- Plan for scale.
- Know what is normal and abnormal traffic.
- Deploy firewalls for sophisticated application attacks.

Which of the following AWS services can be used to prevent a Distributed Denial of Service (DDoS) attack (select three)?

Benefits of using Amazon CloudFront, Global Accelerator, and Amazon Route 53 include access to internet and DDoS mitigation capacity across the AWS Global Edge Network. This is useful in mitigating larger volumetric attacks, which can reach terabit scale.
What are three services that help mitigate a DDoS?

Enterprises can choose from three major approaches to mitigate DDoS attacks on their networks: buy from an ISP, do it themselves, or use a CDN service.