
DISTRIBUTED DENIAL-OF-SERVICE PROTECTION — AWS

2 min read · Dec 26, 2019


A Distributed Denial of Service (DDoS) attack is a malicious attempt to make a targeted system, such as a website or application, unavailable to end-users. To achieve this, attackers use a variety of techniques that consume network or other resources, interrupting access for legitimate end-users.

Mitigation Approaches

Secure approach for DDoS mitigation:

This approach uses Route 53, AWS WAF, CloudFront, and Elastic Load Balancing to control and distribute traffic. Security groups or a CloudFront origin access identity (OAI) can also help minimize the attack surface of backend load balancers, EC2 instances, or Amazon Simple Storage Service (Amazon S3) buckets, because they force attackers to send requests through AWS WAF and CloudFront rather than directly to the website origin.

Load testing should be performed frequently so that the incident response process is exercised before a real attack.

Actions to perform under a Distributed Denial of Service (DDoS) attack

  1. Identify the attack with SIEM alerts and CloudWatch traffic metrics.
  2. Verify the attack by looking into the logs.
  3. Inform the IT Head/Security Head for further communication to MAS and start the investigation by following the steps below:
     • Raise a support ticket with the ISP (AWS) for further investigation.
     • Identify the attack traffic and block it via the Firewall app. Possible actions are:
       ◦ IP Access Rules: block multiple IP addresses, /16 or /24 IP ranges, or Autonomous System Numbers (ASNs).
       ◦ Firewall Rules: block a country, any valid IP range, or more complex attack patterns.
       ◦ Zone Lockdown: allow only trusted IP addresses or ranges to reach a portion of your site.
       ◦ User Agent Blocking: block suspicious User-Agent headers for your entire domain.
  4. Following the resolution of the attack, the following steps are required:
     • Attack & Mitigation Analysis: review the impact of the intrusion to evaluate the effectiveness of your DDoS mitigation solution. Analyze security reports from WAF to investigate attack trends.
     • Examine alert logs from your security information and event management system and from network monitoring tools to assess the effectiveness of the current method of dealing with such attacks.
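Added example, not from the original post, of the log verification in steps 1 and 2 and the /24 blocking option under IP Access Rules: it flags source IPs that exceed a request threshold inside a sliding time window and collapses them into /24 ranges for a blocking rule. The log lines, their simplified "timestamp ip method path status" layout and all addresses are constructed for the example, not the real CloudFront or ALB log format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: five hosts in one /24 hammer /login within a minute
# (12 requests each), plus two ordinary clients with a single request each.
SAMPLE_LOG = "\n".join(
    [f"2019-12-26T10:00:{i % 60:02d}Z 203.0.113.{i % 5 + 10} GET /login 503"
     for i in range(60)]
    + ["2019-12-26T10:00:05Z 198.51.100.7 GET / 200",
       "2019-12-26T10:00:09Z 198.51.100.8 GET /about 200"]
)


def parse_lines(text):
    """Yield (timestamp, ip, path, status) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, str(ip), parts[3], int(parts[4])


def top_talkers(text, window_seconds=60, threshold=10):
    """Return {ip: total_requests} for IPs that made more than `threshold`
    requests within any sliding window of `window_seconds`."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _path, _status in parse_lines(text):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it fits inside window_seconds.
            while ts - stamps[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def block_ranges(flagged_ips, prefix=24):
    """Collapse flagged IPv4 addresses into /prefix networks, most hosts first,
    as candidates for an IP Access Rule."""
    nets = Counter(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                   for ip in flagged_ips)
    return [str(net) for net, _count in nets.most_common()]
```

Tune the window and threshold to the site's normal per-client rate before acting on the output; a /24 that also contains legitimate clients is better handled with a rate-based rule than an outright block.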


Written by Yadav667