I’m currently researching the best options for mitigating and avoiding HTTP flood attacks while hosting infrastructure on AWS.
Here’s an article published recently on cloudflare.com discussing this matter.
Based on my understanding, AWS Shield standard may not cover something like HTTP flood attacks on a web app. Using AWS Shield Advanced is a cost-prohibitive option for startups, as it costs $36,000 per year and requires a one-year commitment. Using firewalls and implementing rate limiting mechanisms are options, but even when blocking an IP address via the AWS Web Application Firewall, charges still accrue on a per-request basis, even for requests from blocked IPs.
It is suggested that using Nginx at the network level, one can effectively rate limit known malicious IPs to zero requests per minute. Here is a sample configuration in the nginx.conf file:
```nginx
# These directives belong inside the http { } block of nginx.conf.
# Define a rate limiting zone keyed on the client IP address:
# 1 MB of shared memory, at most 1 request per minute per address.
limit_req_zone $binary_remote_addr zone=blocked:1m rate=1r/m;

server {
    listen 80;
    server_name yourdomain.com;

    # Rate limit requests from the client IP address.
    # Note: the zone is keyed on every client address, so as written
    # the 1 r/m limit applies to all visitors, not only known bad ones.
    location / {
        limit_req zone=blocked burst=1 nodelay;
        # Add other Nginx configuration directives here.
    }

    # Block requests to this path outright; deny all already answers with 403,
    # so a separate return directive would never be reached.
    location /block-ip {
        deny all;
    }

    # Add other server configuration here.
}
```
Could someone please confirm if this would indeed keep my bill down to zero dollars beyond the normal monthly cost of the EC2 instance, in case of an HTTP flood attack?
I am running an EC2 instance with a static IP address running a Node.js application using Express.js. This application acts as a reverse proxy and communicates with a serverless database using Prisma for each request. It might be worth noting that the Express app is manually configured to operate over HTTPS on Port 443.
Furthermore, I’m interested in understanding the trade-offs with this approach as opposed to using AWS Web Application Firewall. Specifically, I’m curious about how the server performance would be impacted during an attack when using the Nginx approach. Would there be increased latency or other performance degradation? I am trying to figure out the unknowns! Are there better options out there I am missing?
Any advice or insights are greatly appreciated! Thanks in advance for your time.
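The variant below is an added example, not part of the original question or of any AWS or Nginx documentation. It shows how to make the configuration match the stated intent: sources on a known-bad list are dropped before any response is built, while every other client gets a per-address rate limit instead of the blanket 1 request per minute. The listed addresses are TEST-NET placeholders, and the upstream 127.0.0.1:3000 (the Express app listening locally behind Nginx) and the server name are assumptions.

```nginx
# Inside the http { } block of nginx.conf.

# geo maps the connecting address to 1 for listed sources and 0 for everyone else.
# 203.0.113.0/24 and 198.51.100.7 are TEST-NET placeholders for a real block list.
geo $bad_client {
    default        0;
    203.0.113.0/24 1;
    198.51.100.7   1;
}

# One token bucket per client address: 10 requests/second,
# 10 MB of shared memory (roughly 160k tracked addresses).
limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
# Cap simultaneous connections per address as well.
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# Answer excess with 429 instead of the default 503, and log rejections at warn.
limit_req_status  429;
limit_conn_status 429;
limit_req_log_level warn;

server {
    listen 80;
    server_name yourdomain.com;   # assumed

    # Known-bad sources: 444 is an nginx-specific code that closes the
    # connection without sending a response, so no reply bytes are spent.
    if ($bad_client) {
        return 444;
    }

    location / {
        # Allow a burst of 20 above the 10 r/s rate, serve the burst
        # immediately (nodelay) and reject anything beyond it with 429.
        limit_req  zone=per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;

        proxy_pass http://127.0.0.1:3000;   # assumed: the Express app on a local port
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Check the file with `nginx -t` before reloading. Two caveats apply to the billing question: Nginx still has to receive and parse every request it drops, so instance CPU and network capacity are consumed and any data-transfer charges for the inbound traffic are unaffected. And if the instance is later placed behind an ALB or CloudFront, `$remote_addr` becomes the load balancer's address; the per-IP keys only make sense once `set_real_ip_from` and `real_ip_header X-Forwarded-For` are configured for the load balancer's ranges.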
2 Answers
You’re correct that Shield Advanced is not within the budget of all AWS customers; however, running a single internet-exposed instance is not DDoS resilient. For adequate layer 7 protection you must have CloudFront or an ALB (the latter recommended as you are cost sensitive) with an AWS WAF WebACL associated. If your content is cacheable, then source it from S3 via a VPC endpoint.
Without an ALB (or CloudFront) with WAF, Shield Standard layer 3/4 mitigations will eventually kick in, which may finish the job the attackers started. ALB/CloudFront scale to meet demand. Your AWS WAF WebACL should have (at a minimum):
ALB itself provides DDoS protection and also has Shield Standard, but note that this is for L3 and L4 attacks. For layer 7 you need WAF.
I can help with the complete setup and guidance on Zoom.