Distributed Denial of Service (DDoS) attacks have been around since decades. And NexusGuard research quoting 83% increase in DDoS attacks in 2Q2016 compared to 1Q2016, these attacks seems to continue being prevalent even beyond 2017. Thanks to proliferation of IoT devices using web applications: the volume and velocity of these attacks have reached a soaring high. Despite stringent measures, these attacks have been bringing down web applications and denying service availability to its users with botnets. Remember Mirai, Mega-D, Zeus Trojan, Kraken, etc.? Without a doubt, DDoS mitigation is pivotal. Otherwise, get ready for a panic attack (some day).
If you’re a security engineer from an organization hosting Web Application Workloads on AWS, then bookmark this blog.
The Backdrop: What DDoS holds and how to go about DDoS protection
DDoS is one of the most sophisticated and famed web attacks known to software industry till date. A typical DDoS attack can be simulated from a handful of machines to large network of bots spread across the world. It can be simulated at different OSI stack layers. Like network to session to application layers with attack throughputs ranging from tens of Mbps at application level to tens of Gbps at network level.
In the recent times, hundreds of popular web applications as well as enterprise businesses have been victims of several DDoS attacks. Some of the common DDoS attacks known are XOR.DDoS, SYN floods, SSL floods, large set of HTTP 500 errors, slow upload connections, large number of file downloads, etc.
Image Source: CDNetworks/ XOR.DDoS Infographics/ 2016
Due to the nature of DDoS attacks at different layers, developing and deploying a good defense protection against DDoS attacks demands a scalable and cost effective approach. If you are using AWS cloud to host your web applications, then there are a variety of effectual solutions that help protect your web applications and counteract these DDoS attacks using industry leading solutions.
Here’re the top options and cost effective strategy for DDoS protection and mitigation for web application workloads on AWS, using industry-standard solutions:
- Big-IP F5 Advanced Firewall Manager(AFM)
Big-IP F5 AFM provides DDoS protection services from network layer to application level. F5 is one of the popular traditional vendors and are deployed by many enterprises. You can install F5 virtual application with AFM in AWS EC2 and create a cluster of them with DNS level load balancing to protect your web applications and services. F5 is a good option if you have an existing license and have already migrated workloads to AWS Cloud.
However, managing and scaling F5 AFM nodes and protecting against large DDoS attacks are generally cost prohibitive due to licensing & operational expenses burden. The best way forward is to start using F5 from the AWS Marketplace and it’s a good solution for customer hosted DDoS protection. To date, F5 is building application security for the digital economy.
If you are looking for a cheaper alternative to F5 then aiProtect is a good solution for customer hosted DDoS protection.
- aiScaler aiProtect
If you have hosted your web applications on public cloud service like AWS or private virtual environments, use can opt for aiScaler’s aiProtect. It is known to protect web applications and infrastructure against DDoS attacks by limiting the number of requests from particular IP address, providing protection against SYN floods and URL based attacks, etc.
It protects your application from Denial of Service and other web based attacks as well, by pre-processing all HTTP traffic. It then isolates more vulnerable components at the network layer. It also provides detailed reporting that help end attacks permanently. Above all, its PCI compliant multi-level defense enforces sanity rules on incoming requests and isolates the origin environment protecting valuable assets while eliminating most common online attacks.
This product is available from AWS Marketplace with hourly or annual billing. You can easily configure aiProtect on AWS too.
- Incapsula by Imperva
Imperva is an established player in traditional enterprises. Its Incapsula is a cost effective solution for startup & SME customers to protect their workloads in Cloud. It is one of the most popular SaaS solution for DDoS protection. It also offers standard web application firewall along with CDN capabilities.
Moreover, InCapsula offers global CDN to offload caching needs of many web applications. It manages the DNS for applications to protect against attacks. It also has a large DDoS protection networks spread across different geographies with attack protection ranging upto 10 Gbps to 100s of Gbps.
If you’d like to check your DDoS mitigation strategy, they have a free online tool called DDoS Resiliency Score (DRS) calculator that can evaluate the effectiveness of your strategy.
If you think all the above DDoS prevention solutions are not for you, then try Reblaze. They have great DDoS support for AWS Cloud. Their service is available as a SaaS platform and can be deployed as a hosted solution in customer VPC to protect variety of applications.
To Wrap-up: All solutions are good; evaluate your needs first to get the idle option
So it’s better late than never. As a premier AWS Technology partner, we recommend evaluating InCapsula or Reblaze for cost effective solution. If you have an existing license from F5 already, it’s a good option for DDoS protection of your AWS cloud applications. In regards to aiProtect, it works best with respect to the price compared to F5 if you are deploying multiple nodes DDoS protection in AWS.
If you still want to know more about the DDoS, give us a shout in the comment section below or Tweet to us @BotmetricHQ. We’d love to help you!
Editorial Note: This blog is an adaptation of Minjar’s earlier blog post ‘DDoS Prevention and Security for Web Application Workloads on AWS Cloud.’
Latest posts by Editor (see all)
- May Roundup @ Botmetric: Deeper AWS Cost Analysis and Continuous Security - May 31, 2017
- What is NoOps, Is it Agile Ops? - May 25, 2017
- Why Botmetric Chose InfluxDB — A Real-Time Metrics Data Store That Works - May 18, 2017