AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS from network-layer and application-layer attacks. AWS Shield helps protect applications against the most common types of DDoS attacks so that they stay available and responsive even during large-scale attacks.
AWS Shield offers two levels of protection: AWS Shield Standard and AWS Shield Advanced. Shield Standard is enabled automatically for every AWS account at no charge. Shield Advanced is a paid subscription that adds real-time attack visibility, per-resource detection and tailored mitigation, and protection against larger and more sophisticated attacks.
How AWS Shield Works:
DDoS Attack Detection:
AWS Shield uses a combination of traffic monitoring and machine learning to detect DDoS attacks in near real time. It looks for abnormal traffic patterns, such as sudden surges in incoming packets or requests, and for the signatures of known attack vectors (SYN floods, UDP reflection and similar). Shield Advanced additionally learns a per-resource traffic baseline and, if you associate Route 53 health checks with a protected resource, uses application health to confirm that a traffic anomaly is actually affecting the resource before it escalates.
Automatic Mitigation:
Upon detecting an attack, AWS Shield automatically applies mitigations inline on AWS's DDoS mitigation infrastructure: at edge locations for CloudFront, Route 53 and Global Accelerator, and at the Region's network border for resources such as Elastic IP addresses and load balancers. These systems are sized to absorb attack traffic and drop malicious packets before they reach your resource.
Traffic Filtering and Rate Limiting:
AWS Shield applies filters that drop malicious traffic and pass only legitimate traffic to your AWS resources. Shield absorbs the attack on its own mitigation capacity; it does not scale your resources. Traffic it cannot classify as malicious still reaches your resource, so the resource itself must be able to scale (Auto Scaling groups, CloudFront caching) or be rate limited with AWS WAF.
Scaling with AWS Resources:
AWS Shield removes the need for manual intervention during most attacks, but it does not resize your infrastructure. Design protected resources to scale on their own: Elastic Load Balancing and CloudFront, for example, grow with demand, including demand caused by attack traffic that passes the filters, and Shield Advanced's DDoS Cost Protection credits the resulting usage spikes.
Incident Response Support (Shield Advanced):
If you are subscribed to AWS Shield Advanced, you can engage the AWS Shield Response Team (SRT, formerly the DDoS Response Team, DRT) for expert assistance during an attack; engaging the SRT requires a Business or Enterprise Support plan. The SRT can help you tune protections, write custom rules in AWS WAF, and analyze attack traffic. If you grant the SRT an IAM role with access to your web ACLs and log buckets, it can apply those WAF rules on your behalf during an event.
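The steps above (opt a resource into Shield Advanced, attach an AWS WAF web ACL with a rate-based rule, let Shield write its own application-layer rules, and alarm on the DDoSDetected metric) wired together with boto3, as an added example that is not AWS sample code. The clients are passed in so the wiring can be exercised offline with the RecordingClient stub at the bottom; handed real boto3 clients it makes the same calls against your account. The ALB and SNS ARNs, the resource names, and the limit of 2000 requests per 5 minutes per IP are assumptions.

```python
"""Enable Shield Advanced on an ALB, attach a WAF rate-based rule, alarm on DDoSDetected.

Added example (not AWS sample code). Clients are injected so the wiring can be
exercised offline with RecordingClient; real boto3 clients perform the calls.
The ARNs, names and the 2000-requests-per-5-minutes limit are assumptions.
"""
from typing import Any

DDOS_NAMESPACE = "AWS/DDoSProtection"  # namespace Shield Advanced publishes to
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"  # assumed
SNS_ARN = "arn:aws:sns:us-east-1:123456789012:ddos-alerts"  # assumed


def protect_alb(shield: Any, wafv2: Any, cloudwatch: Any, alb_arn: str,
                sns_topic_arn: str, rate_limit: int = 2000) -> dict:
    """Wire protection for one ALB and return the identifiers produced."""
    if rate_limit < 100:
        # WAF rejects rate-based limits below 100; fail early rather than mid-way
        raise ValueError("rate_limit must be >= 100")

    # 1. Shield Advanced protection is opt-in per resource; the account must
    #    already hold a Shield Advanced subscription or this call is rejected.
    protection = shield.create_protection(Name="alb-shield-protection", ResourceArn=alb_arn)

    # 2. Regional web ACL (ALBs use Scope=REGIONAL; CloudFront uses CLOUDFRONT in us-east-1)
    #    with a single rate-based rule keyed on the source IP.
    acl = wafv2.create_web_acl(
        Name="alb-ddos-acl",
        Scope="REGIONAL",
        DefaultAction={"Allow": {}},
        Rules=[{
            "Name": "rate-limit-per-ip",
            "Priority": 0,
            "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "rateLimitPerIp"},
        }],
        VisibilityConfig={"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True,
                          "MetricName": "albDdosAcl"},
    )
    web_acl_arn = acl["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=alb_arn)

    # 3. Let Shield Advanced insert its own WAF rules during an L7 attack.
    #    Requires the web ACL association above; supported for CloudFront and ALB.
    shield.enable_application_layer_automatic_response(ResourceArn=alb_arn, Action={"Block": {}})

    # 4. Alarm as soon as Shield reports DDoSDetected > 0 for this resource.
    alarm_name = "shield-ddos-detected-alb"
    cloudwatch.put_metric_alarm(
        AlarmName=alarm_name,
        Namespace=DDOS_NAMESPACE,
        MetricName="DDoSDetected",
        Dimensions=[{"Name": "ResourceArn", "Value": alb_arn}],
        Statistic="Sum",
        Period=60,
        EvaluationPeriods=1,
        Threshold=0,
        ComparisonOperator="GreaterThanThreshold",
        TreatMissingData="notBreaching",  # no datapoints means no attack, not an alarm
        AlarmActions=[sns_topic_arn],
    )
    return {"protection_id": protection["ProtectionId"],
            "web_acl_arn": web_acl_arn, "alarm_name": alarm_name}


class RecordingClient:
    """Offline stand-in for a boto3 client: records every call and returns
    the minimal response shape the code above reads back."""

    def __init__(self) -> None:
        self.calls: list = []

    def __getattr__(self, api: str):
        def call(**params):
            self.calls.append((api, params))
            if api == "create_protection":
                return {"ProtectionId": "stub-protection-id"}
            if api == "create_web_acl":
                return {"Summary": {"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/alb-ddos-acl/stub"}}
            return {}
        return call


if __name__ == "__main__":
    # Swap these for boto3.client("shield", region_name="us-east-1"), boto3.client("wafv2")
    # and boto3.client("cloudwatch") to apply the configuration to a real account.
    shield, wafv2, cloudwatch = RecordingClient(), RecordingClient(), RecordingClient()
    print(protect_alb(shield, wafv2, cloudwatch, ALB_ARN, SNS_ARN))
    for client in (shield, wafv2, cloudwatch):
        for api, _ in client.calls:
            print("called", api)
```

The Shield API is served from us-east-1 regardless of where the ALB lives, and the web ACL must be in the ALB's Region. The alarm treats missing data as not breaching because Shield only emits DDoSDetected datapoints while an attack is in progress.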
Benefits of AWS Shield:
Automated DDoS Protection:
AWS Shield provides automated, always-on protection against common infrastructure-layer DDoS attacks without requiring manual intervention, allowing you to focus on business operations.
Comprehensive Protection:
Shield Standard covers network- and transport-layer attacks (volumetric and protocol attacks such as UDP reflection, DNS reflection and SYN floods). Shield Advanced adds application-layer coverage (HTTP floods, DNS query floods against Route 53, and other sophisticated attacks), using AWS WAF for HTTP(S) resources.
Global DDoS Mitigation Infrastructure:
Leveraging AWS's global infrastructure, Shield absorbs and mitigates attack traffic at edge locations, far from your origin, reducing the impact on your application's availability.
Advanced Threat Intelligence and Support (Shield Advanced):
Shield Advanced provides access to the AWS Shield Response Team (SRT, formerly DRT) and to a global threat dashboard, enabling you to customize protections and manage complex attack scenarios with expert help.
Cost Protection During Attacks (Shield Advanced):
If a protected resource scales in response to a DDoS attack, Shield Advanced's DDoS Cost Protection issues service credits for the resulting usage spikes on protected CloudFront, Route 53, Global Accelerator, ELB and EC2 resources. The credit covers usage attributable to the attack, not your normal bill.
Real-Time Monitoring:
Shield Advanced publishes per-resource metrics to CloudWatch in the AWS/DDoSProtection namespace (DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond), so you can alarm on an attack within minutes and track its size while you respond. Shield Standard publishes no attack metrics.
Protection for Non-AWS Resources:
Shield Advanced protects AWS resources only. An on-premises or hybrid application can still benefit if you front it with a protected AWS resource, for example a CloudFront distribution or Global Accelerator endpoint whose origin is your data center, so that attack traffic is mitigated at the AWS edge before it reaches your network.
Reduced Risk of Service Interruptions:
AWS Shield reduces the risk of downtime from DDoS attacks, helping your web application stay operational even under large-scale attack.
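The attack diagnostics and SRT analysis described above start from Shield Advanced's DescribeAttack record. As an added example that is not AWS code, the following Python reduces such a record to the facts an on-call engineer needs first (vectors, layers, peak rates, top contributors, whether the attack is still running, whether WAF rules need attention). SAMPLE_ATTACK is a constructed record shaped like boto3's shield.describe_attack()["Attack"]; its field names follow that API, while the ARN, IDs and values are made up for the example.

```python
"""Triage a Shield Advanced DescribeAttack record into an incident summary.

Added example, not AWS code. SAMPLE_ATTACK is constructed: field names follow
shield.describe_attack()["Attack"], the values, ARN and IDs are invented.
"""
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_ATTACK = {  # constructed sample, not a real incident
    "AttackId": "example-attack-id",
    "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
    "StartTime": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
    "EndTime": datetime(2024, 5, 1, 12, 25, tzinfo=timezone.utc),
    "SubResources": [{
        "Type": "IP", "Id": "203.0.113.10",
        "AttackVectors": [{"VectorType": "SYN_FLOOD", "VectorCounters": []},
                          {"VectorType": "REQUEST_FLOOD", "VectorCounters": []}],
        "Counters": [],
    }],
    "AttackCounters": [
        {"Name": "bits", "Max": 1.2e9, "Average": 6.0e8, "Sum": 9.0e11, "N": 25, "Unit": "BITS"},
        {"Name": "requests", "Max": 45000.0, "Average": 30000.0, "Sum": 4.5e7, "N": 25, "Unit": "REQUESTS"},
    ],
    "AttackProperties": [
        {"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_COUNTRY", "Unit": "PACKETS", "Total": 1000,
         "TopContributors": [{"Name": "US", "Value": 600}, {"Name": "DE", "Value": 300}, {"Name": "BR", "Value": 100}]},
        {"AttackLayer": "APPLICATION", "AttackPropertyIdentifier": "DESTINATION_URL", "Unit": "REQUESTS", "Total": 45000,
         "TopContributors": [{"Name": "/login", "Value": 40000}, {"Name": "/search", "Value": 5000}]},
    ],
    "Mitigations": [{"MitigationName": "example-syn-mitigation"}],
}


def summarize_attack(attack: dict) -> dict:
    """Reduce a DescribeAttack record to the facts an on-call engineer needs first."""
    end = attack.get("EndTime")
    ongoing = end is None  # EndTime is absent while Shield still observes the attack
    duration_min = None if ongoing else (end - attack["StartTime"]).total_seconds() / 60

    vectors = sorted({v["VectorType"] for sub in attack.get("SubResources", [])
                      for v in sub.get("AttackVectors", [])})
    layers = sorted({p["AttackLayer"] for p in attack.get("AttackProperties", [])})

    peak: dict = defaultdict(float)  # unit -> highest Max observed (bps, pps, rps)
    for c in attack.get("AttackCounters", []):
        peak[c["Unit"]] = max(peak[c["Unit"]], c["Max"])

    contributors = {}  # property identifier -> [(name, share of Total), ...] descending
    for p in attack.get("AttackProperties", []):
        total = p.get("Total") or 0
        ranked = sorted(p["TopContributors"], key=lambda t: t["Value"], reverse=True)
        contributors[p["AttackPropertyIdentifier"]] = [
            (t["Name"], round(t["Value"] / total, 3) if total else 0.0) for t in ranked]

    return {
        "resource": attack["ResourceArn"],
        "ongoing": ongoing,
        "duration_minutes": duration_min,
        "vectors": vectors,
        "layers": layers,
        "peak": dict(peak),
        "top_contributors": contributors,
        "mitigations": [m["MitigationName"] for m in attack.get("Mitigations", [])],
        # Network-layer vectors are mitigated by Shield itself; an application-layer
        # vector means the WAF web ACL (or the SRT) has to do the work.
        "needs_waf_review": "APPLICATION" in layers,
    }


def format_report(summary: dict) -> str:
    """Render the summary as a short plain-text handover note."""
    status = "ONGOING" if summary["ongoing"] else "ended after %.0f min" % summary["duration_minutes"]
    lines = [f"resource: {summary['resource']}", f"status: {status}",
             f"vectors: {', '.join(summary['vectors'])} ({'/'.join(summary['layers'])})"]
    for unit, value in sorted(summary["peak"].items()):
        lines.append(f"peak {unit.lower()}: {value:,.0f}")
    for ident, ranked in summary["top_contributors"].items():
        top = ", ".join(f"{name} {share:.0%}" for name, share in ranked[:3])
        lines.append(f"top {ident.lower()}: {top}")
    if summary["needs_waf_review"]:
        lines.append("action: application-layer vector present; review WAF rules / automatic L7 mitigation")
    return "\n".join(lines)


if __name__ == "__main__":
    # Live use: boto3.client("shield", region_name="us-east-1").describe_attack(AttackId=...)["Attack"]
    print(format_report(summarize_attack(SAMPLE_ATTACK)))
```

The same function works on the output of `list_attacks` followed by `describe_attack` for each AttackId, which is how you would backfill an incident timeline after the fact.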
Shield Standard vs Advanced
Feature | AWS Shield Standard | AWS Shield Advanced |
---|---|---|
Cost | Free, enabled automatically | Paid subscription (monthly fee with a one-year commitment, plus usage fees for protected resources) |
DDoS Protection Level | Network and transport layer (L3/L4) protection for all AWS resources | L3/L4 plus application-layer (L7) protection for opted-in resources |
Protection Coverage | Applies automatically to all AWS resources; strongest for CloudFront, Route 53 and Global Accelerator | Opt-in per resource: CloudFront distributions, Route 53 hosted zones, Global Accelerator standard accelerators, Application and Classic Load Balancers, and Elastic IP addresses (EC2 instances, Network Load Balancers) |
Attack Detection | Automated detection of common infrastructure-layer attacks | Per-resource traffic baselines, health-check-based detection, and tailored mitigations for sophisticated attacks |
Real-Time Attack Visibility | No Shield-specific metrics | CloudWatch metrics in AWS/DDoSProtection, attack diagnostics (DescribeAttack) and the global threat dashboard |
DDoS Cost Protection | Not available | Service credits for usage spikes on protected resources caused by an attack |
Threat Intelligence | Not available | Global threat dashboard and SRT attack analysis |
Application Layer (Layer 7) Protection | Not available | Via AWS WAF web ACLs, with automatic application-layer mitigation for CloudFront and ALB; HTTP floods and TLS-layer attacks |
Access to Shield Response Team (SRT, formerly DRT) | Not available | 24/7 access (Business or Enterprise Support plan required) |
Global Attack Mitigation | Mitigation at the AWS network border and edge | Same infrastructure plus resource-specific mitigations and proactive engagement when health checks show impact |
WAF Integration | AWS WAF usable, billed separately | AWS WAF charges for protected resources included; SRT can manage web ACLs with your permission |
Rate Limiting and Web Application Protection | WAF rate-based rules available, billed separately | WAF rate-based rules included, plus automatic L7 mitigation |
Automatic Attack Mitigation | Yes (infrastructure layer) | Yes (infrastructure layer plus automatic application-layer response) |
Key Differences:
- Cost: Shield Standard is free and automatic, while Shield Advanced is a paid subscription with a one-year commitment.
- Protection Level: Shield Standard covers the network and transport layers only, while Shield Advanced adds application-layer protection through AWS WAF and resource-specific mitigations.
- Attack Visibility: Shield Advanced provides per-resource CloudWatch metrics and attack diagnostics, whereas Shield Standard provides no attack metrics at all.
- Advanced Features: Shield Advanced includes DDoS cost protection, SRT support, AWS WAF at no extra charge for protected resources, health-check-based detection and proactive engagement.
AWS Shield Advanced protects a defined set of AWS resource types; you opt each resource in individually (or through a protection group). The resource types it accepts are:
- Amazon CloudFront distributions: the CDN that serves content from edge locations. Shield Advanced protects distributions at the network and application layers; with a web ACL attached, automatic application-layer mitigation is available.
- Elastic Load Balancing: Application Load Balancers and Classic Load Balancers can be protected directly; a Network Load Balancer is protected by protecting the Elastic IP addresses attached to it.
- Amazon Route 53 hosted zones: protected against DNS query floods and other attacks on DNS availability.
- AWS Global Accelerator standard accelerators: the static anycast IP addresses that front your endpoints are protected, so attacks are absorbed at the edge.
- Amazon EC2 Elastic IP addresses: protecting an Elastic IP protects whatever sits behind it (an EC2 instance or a Network Load Balancer); instances without an Elastic IP are covered only by Shield Standard.
AWS Direct Connect connections are not a Shield Advanced protected resource type; the types above are the ones a Shield Advanced protection can be created for.