How to protect your site from DDoS
Web attacks like SQL injection and Cross-Site Scripting can be devastating, resulting in massive data breaches, customer turnover, notification costs, lawsuits, and fines.
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from, or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked.
The first illustration shows an infrastructure trying to respond to all requests, an approach that exhausts the web server’s resources. The second illustration shows a resilient infrastructure that uses AWS WAF, which blocks requests originating from blacklisted sources.
AWS WAF is a relatively new service only recently brought out of Beta. This service is tightly coupled to the CloudFront CDN service. The WAF service reviews traffic that is passing through the CDN and, based on defined rules, tells the CDN to either block or allow the traffic. To use this service, all site traffic must pass through a CloudFront CDN.
AWS WAF helps prevent many kinds of attack, but DDoS is the most common form of attack and also the most difficult to curb, so let us start with what exactly a DDoS attack is.
A Denial of Service (DoS) attack is an attack that can make your website or application unavailable to end users. To achieve this, attackers use a variety of techniques that consume network or other resources, disrupting access for legitimate end users.
In its simplest form, a DoS attack against a target is executed by a lone attacker from a single source, as shown below:
In the case of a Distributed Denial of Service (DDoS) attack, an attacker uses multiple sources—which may be compromised or controlled by a group of collaborators—to orchestrate an attack against a target. As illustrated below, in a DDoS attack, each of the collaborators or compromised hosts participates in the attack, generating a flood of packets or requests to overwhelm the intended target.
DDoS attacks are most common at layers 3, 4, 6, and 7 of the Open Systems Interconnection (OSI) model, which is described in the above table. Layer 3 and 4 attacks correspond to the Network and Transport layers of the OSI model. This distinction is important because the attack types directed at these layers are different and so different techniques are used to build resiliency.
WAF can be implemented as a CloudFormation stack as illustrated in the image below:
Traffic filtering is accomplished by creating specific web request conditions, which are then grouped into rules. These rules are then associated with a CloudFront distribution through a web access control list.
Some conditions take multiple values. For example, you can specify up to 1000 IP addresses or IP address ranges in an IP condition.
You combine conditions into rules to precisely target the requests that you want to allow or block.
When a rule includes multiple conditions, AWS WAF looks for requests that match all those conditions — it ANDs the conditions together.
Finally, you combine rules into a Web ACL. This is where you define an action for each rule—allow, block, or count—and a default action. A Web ACL is also associated with a CloudFront resource. This allows you to apply one set of rules and actions to multiple web sites.
When a web request matches all of the conditions in a rule, AWS WAF can either allow the request to be forwarded to CloudFront or block the request. For testing purposes, you can instruct WAF to count the requests and evaluate their behaviour later. You specify the action that you want AWS WAF to perform for each rule.
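As an added example (not from the original post), the CloudFormation template below expresses the layering just described with the classic AWS WAF resource types the post refers to: two conditions (an IP set and a SQL injection match set), one rule per condition, and a Web ACL that blocks on the IP rule, counts on the SQL injection rule, and allows by default. All resource names are constructed, and 192.0.2.0/24 is a documentation range standing in for a real blocked source.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Condition: IP set of sources to block (192.0.2.0/24 is a constructed example range)
  BlockedIPSet:
    Type: AWS::WAF::IPSet
    Properties:
      Name: blocked-sources
      IPSetDescriptors:
        - {Type: IPV4, Value: 192.0.2.0/24}
  # Condition: SQL injection patterns in the query string, inspected after URL decoding
  SqliMatchSet:
    Type: AWS::WAF::SqlInjectionMatchSet
    Properties:
      Name: sqli-in-query-string
      SqlInjectionMatchTuples:
        - FieldToMatch: {Type: QUERY_STRING}
          TextTransformation: URL_DECODE
  # Rules: every predicate in a rule must match (AND); each rule here carries one predicate
  BlockedIPRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: blocked-ip-rule
      MetricName: blockedIpRule
      Predicates:
        - DataId: !Ref BlockedIPSet
          Negated: false
          Type: IPMatch
  SqliRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: sqli-rule
      MetricName: sqliRule
      Predicates:
        - DataId: !Ref SqliMatchSet
          Negated: false
          Type: SqlInjectionMatch
  # Web ACL: rules are evaluated in priority order, each with its own action, then the default
  WebACL:
    Type: AWS::WAF::WebACL
    Properties:
      Name: site-web-acl
      MetricName: siteWebAcl
      DefaultAction: {Type: ALLOW}
      Rules:
        - Priority: 1
          RuleId: !Ref BlockedIPRule
          Action: {Type: BLOCK}
        - Priority: 2
          RuleId: !Ref SqliRule
          Action: {Type: COUNT}   # observe first; switch to BLOCK once the metric shows no false positives
```

The Web ACL takes effect only once its ID is set as the WebACLId of the CloudFront distribution's configuration; the COUNT action lets you watch the sqliRule CloudWatch metric before turning enforcement on.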
By combining the core WAF web traffic filtering features with other AWS services, you can make the rules dynamic. For example, it is possible to temporarily block IP addresses based on request volume, shutting down bots or screen-scraping processes.
There are several CloudFormation templates that can jump-start setting up some of these dynamic rules.
You can view the AWS WAF pricing list and limits on entities here and here.