Mitigating DDoS with AWS Shield Standard vs. Advanced

Quick Answer: AWS Shield provides robust protection against Distributed Denial of Service (DDoS) attacks that can cripple your cloud infrastructure and applications. AWS offers a free service by default, and a premium service that includes AWS Web Application Firewall (WAF) and 24/7 support.
Before online shopping became popular, Black Friday was often a mad dash. Retail stores often became overwhelmed with people congesting aisles and even trampling others in their rush to get a good deal. That’s similar to how a Denial of Service (DoS) attack works. When an online resource becomes flooded with requests from a global army of bots in a Distributed Denial of Service (DDoS) attack, a web service may become totally inoperable.
Bad actors implement DDoS attacks by controlling computing devices on a large scale. Users may unwittingly install malware (“bots”) on their computers to make them part of a coordinated “botnet” in preparation for an attack. Bots can overwhelm websites and take them down.
How Amazon Protects You From DDoS
Every cloud customer should be prepared for a distributed denial-of-service (DDoS) attack. A DDoS attack can take down an entire network, causing users to lose service and potentially significant financial and reputational losses for the company—not to mention the stresses on IT personnel.
Amazon Web Services (AWS) offers a managed DDoS protection service called AWS Shield, which is dedicated to preventing or mitigating the effects of such attacks. By default, AWS Shield automatically detects and responds to DDoS attacks. AWS Shield Advanced offers a more extended service, including a support team, AWS Web Application Firewall (WAF), and AWS Firewall Manager.
AWS Shield Advanced comes at an additional cost, so it pays to compare and weigh the pros and cons of the two offerings when planning your DDoS protection strategy.
With AWS Shield Standard, you are protected against all known Layer 3 and Layer 4 attacks. AWS Shield Advanced is a subscription service that provides a higher level of protection, including Layer 7 attacks. Web Application Firewall (WAF) provides additional security by filtering application requests based on configurable rules.
The decision to subscribe to the extra protections of AWS Shield Advanced or WAF will depend on the extent of your organization’s digital footprint, the sensitivity of the data and applications in use, and your budget constraints. The good thing is that AWS Shield Standard is implemented by default at no additional cost to you.
What is AWS Shield Standard?
AWS Shield Standard is a managed service. That means it’s hands-off – AWS handles all of the DDoS protection for you. It protects your whole cloud infrastructure and provides comprehensive protection against all known network or infrastructure layer attacks for Amazon Route 53 hosted zones, Amazon CloudFront distributions, and AWS Global Accelerator standard accelerators.
Using always-on network flow monitoring, AWS Shield Standard includes anomaly algorithms and other techniques to detect malicious traffic in real-time. The protection thresholds set for each AWS service are static and do not allow customization.
While AWS Shield Standard comes at no additional cost, there is no guarantee that a robust DDoS attack will be stopped. If you are looking for advanced threat protection and response, it’s time to look beyond Shield Standard. The following graphic provides a quick overview of both levels of service.
What is AWS Shield Advanced?
If you need premium protection for critical applications, AWS Shield Advanced might be a better solution. In addition to network and transport layer protection, Shield Advanced extends protection to the higher layers of the OSI Model. And the list of services in focus is broader than with AWS Shield Standard, including:
Elastic Load Balancing (ELB)
Amazon CloudFront
AWS Global Accelerator
AWS Shield Advanced also automatically mitigates DDoS attacks against applications, using advanced routing techniques to deploy additional mitigation capacity where necessary. You can also bundle your resources into groups for specific protection customization and get enhanced visibility of DDoS attacks using AWS CloudWatch.
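The protection groups and CloudWatch visibility mentioned above are set up through the Shield and CloudWatch APIs. The following is an added example, not code from the original article or from AWS: it builds the requests that attach a Shield Advanced protection to each resource, groups them into a protection group, and raises a CloudWatch alarm on Shield's DDoSDetected metric. It assumes an active Shield Advanced subscription, credentials allowed to call the Shield and CloudWatch APIs, and the constructed (not real) resource and SNS topic ARNs shown; boto3 is needed only by apply(), so the request builders can be inspected offline.

```python
"""Added example, not code from the original article or from AWS: build the
requests that register resources with AWS Shield Advanced, group them into a
protection group, and alarm on Shield's DDoSDetected CloudWatch metric.

Assumptions: an active Shield Advanced subscription, credentials allowed to
call shield:CreateProtection, shield:CreateProtectionGroup and
cloudwatch:PutMetricAlarm, and the constructed (not real) ARNs below.
"""
try:
    import boto3  # used only when apply() is called
except ImportError:  # offline inspection of the request bodies still works
    boto3 = None

# Constructed sample ARNs (account id and resource ids are placeholders).
SAMPLE_RESOURCES = {
    "web-alb": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
               "loadbalancer/app/web/0123456789abcdef",
    "cdn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID",
    "eip": "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0",
}
SAMPLE_SNS_TOPIC = "arn:aws:sns:us-east-1:123456789012:ddos-alerts"  # constructed


def build_protection_requests(resources):
    """One Shield CreateProtection request per resource; Shield Advanced only
    mitigates and reports on resources that have a Protection attached."""
    return [{"Name": f"protect-{name}", "ResourceArn": arn}
            for name, arn in resources.items()]


def build_protection_group(group_id, member_arns, aggregation="SUM"):
    """CreateProtectionGroup request. Pattern=ARBITRARY means an explicit member
    list; Aggregation decides how Shield combines the members' traffic when it
    looks for an attack on the group as a whole."""
    if aggregation not in ("SUM", "MEAN", "MAX"):
        raise ValueError("aggregation must be SUM, MEAN or MAX")
    return {
        "ProtectionGroupId": group_id,
        "Aggregation": aggregation,
        "Pattern": "ARBITRARY",
        "Members": list(member_arns),
    }


def build_ddos_alarm(resource_arn, sns_topic_arn, alarm_name):
    """PutMetricAlarm request on AWS/DDoSProtection DDoSDetected, which Shield
    Advanced reports as 1 while an event against the resource is in progress.
    A Sum above 0 over one 60-second period therefore means 'attack detected'."""
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # no datapoint = no event in progress
        "AlarmActions": [sns_topic_arn],
    }


def apply(resources, sns_topic_arn, group_id="public-edge"):
    """Send the requests. Shield's API and its CloudWatch metrics live in
    us-east-1 regardless of where the protected resources are."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply the requests")
    shield = boto3.client("shield", region_name="us-east-1")
    cloudwatch = boto3.client("cloudwatch", region_name="us-east-1")
    for request in build_protection_requests(resources):
        shield.create_protection(**request)
    shield.create_protection_group(**build_protection_group(group_id, resources.values()))
    for name, arn in resources.items():
        cloudwatch.put_metric_alarm(
            **build_ddos_alarm(arn, sns_topic_arn, f"ddos-detected-{name}"))


if __name__ == "__main__":
    for request in build_protection_requests(SAMPLE_RESOURCES):
        print(request)
    print(build_protection_group("public-edge", SAMPLE_RESOURCES.values()))
    print(build_ddos_alarm(SAMPLE_RESOURCES["cdn"], SAMPLE_SNS_TOPIC, "ddos-detected-cdn"))
```

Run the script without credentials to inspect the request bodies; call apply(SAMPLE_RESOURCES, SAMPLE_SNS_TOPIC) with your own ARNs substituted to create the protections. The alarm on DDoSDetected is the quickest way to turn Shield Advanced's enhanced visibility into a page to the on-call engineer.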
AWS Shield Advanced includes Web Application Firewall (WAF) and AWS Firewall Manager at no additional cost. It can even add firewall rules on the fly during an attack. These core components provide centralized management to apply protections to new cloud accounts and resources.
Shield Advanced's DDoS attack mitigation addresses vulnerabilities at layers 3, 4, and 7. It can also automatically deploy a Web Application Firewall (WAF) to deal with a DDoS attack in real-time.
Understanding AWS Web Application Firewall (WAF)
AWS Shield Advanced can automatically deploy Web Application Firewall (WAF) to deal with a DDoS attack in real-time. Suppose your CloudFront distribution suffers an HTTP flood attack. Shield Advanced can automatically analyze traffic patterns and identify an attack signature, such as malformed requests or specific IP addresses. Then, it creates rules in a WAF access control list (ACL) to filter the malicious traffic. And this is all done without human intervention.
You can also customize WAF with Shield Advanced rather than wait for the automation to kick in. If you know you don’t want traffic from a certain area of the world, you can block it, though you can do that with standalone WAF as well. While the inclusion of WAF in AWS Shield Advanced is a great benefit, you can certainly choose to purchase it separately.
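The two WAF customizations just described, a geographic block and a per-IP rate limit against HTTP floods, look like this as AWS WAFv2 web ACL rules. This is an added example, not code from the original article or from AWS: it assembles the CreateWebACL request and then replays constructed sample requests through a simplified local model of the two rules so you can see which rule blocks what. The country code "XX" is a placeholder for a real ISO 3166 alpha-2 code, the client IPs come from the RFC 5737 documentation ranges, and the model counts every request in one window, whereas real WAF uses a rolling window that is updated every few tens of seconds; boto3 is needed only by apply().

```python
"""Added example, not code from the original article or from AWS: assemble an
AWS WAFv2 web ACL with a geo-block rule and a per-IP rate-based rule, then
replay constructed sample traffic through a simplified local model of those
two rules. Assumptions: "XX" stands in for a real ISO 3166 alpha-2 country
code; IPs are from the RFC 5737 documentation ranges; the model counts all
requests in a single window (real WAF uses a rolling window)."""
from collections import defaultdict
try:
    import boto3  # used only when apply() is called
except ImportError:
    boto3 = None


def _visibility(metric_name):
    """Every WAFv2 rule and web ACL needs a VisibilityConfig."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def geo_block_rule(country_codes, priority=0):
    """Block requests whose source country is in country_codes."""
    return {"Name": "geo-block", "Priority": priority,
            "Statement": {"GeoMatchStatement": {"CountryCodes": list(country_codes)}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("geo-block")}


def rate_limit_rule(limit, priority=1):
    """Block a source IP once it sends more than `limit` requests in WAF's
    evaluation window. A lower priority number is evaluated first."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    return {"Name": "rate-limit-per-ip", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("rate-limit-per-ip")}


def build_web_acl(name, rules, scope="CLOUDFRONT"):
    """CreateWebACL request: allow by default, rules evaluated in priority order."""
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": sorted(rules, key=lambda r: r["Priority"]),
            "VisibilityConfig": _visibility(name)}


def evaluate(web_acl, requests):
    """Simplified local model: the first terminating rule wins, so a request
    blocked by the geo rule never reaches (or counts toward) the rate rule."""
    per_ip = defaultdict(int)
    verdicts = []
    for req in requests:
        verdict = "ALLOW"
        for rule in web_acl["Rules"]:
            stmt = rule["Statement"]
            if "GeoMatchStatement" in stmt:
                if req["country"] in stmt["GeoMatchStatement"]["CountryCodes"]:
                    verdict = "BLOCK:" + rule["Name"]
                    break
            elif "RateBasedStatement" in stmt:
                per_ip[req["ip"]] += 1
                if per_ip[req["ip"]] > stmt["RateBasedStatement"]["Limit"]:
                    verdict = "BLOCK:" + rule["Name"]
                    break
        verdicts.append(verdict)
    return verdicts


def sample_traffic():
    """Constructed traffic: 2 requests from the blocked country, 105 from one
    chatty client IP, 3 from a normal client."""
    return ([{"ip": "198.51.100.9", "country": "XX"}] * 2
            + [{"ip": "203.0.113.7", "country": "US"}] * 105
            + [{"ip": "192.0.2.44", "country": "DE"}] * 3)


def apply(web_acl):
    """CLOUDFRONT-scoped web ACLs must be created through us-east-1."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply the request")
    return boto3.client("wafv2", region_name="us-east-1").create_web_acl(**web_acl)


if __name__ == "__main__":
    acl = build_web_acl("edge-ddos-acl", [geo_block_rule(["XX"]), rate_limit_rule(100)])
    verdicts = evaluate(acl, sample_traffic())
    for verdict in sorted(set(verdicts)):
        print(verdict, verdicts.count(verdict))
```

With the sample traffic and a limit of 100, the geo rule blocks the 2 foreign requests, the rate rule blocks the chatty client's requests beyond the 100th, and the normal client is untouched. Tune the limit from your own CloudWatch request-rate baselines rather than guessing, and keep the rate rule's metric enabled so that blocks show up in the same dashboards as Shield's attack metrics.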
Real-Time Support
If AWS Shield Advanced automation can't protect you, it’s time to call for some additional human support from their 24/7 DDoS Response Team (DRT). When DDoS attacks result in elevated resource usage charges, the cost protection element of Shield Advanced can make the service well worth the price.
As shown on the AWS Shield Pricing page, AWS charges a flat monthly fee per organization. (At the time of this writing, the monthly fee is $3,000.) There are also AWS Shield Advanced data transfer usage fees dependent on region, usage, and service. A proper cost-benefit analysis is required to determine whether your organization should invest in the premium service.
Comparison: Shield Standard vs. Shield Advanced
The following table provides a quick comparison of the two AWS Shield offerings:
| | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | No additional cost | Monthly subscription |
| OSI layers | Network and transport | Network, transport, and application |
| AWS resources | Elastic Load Balancing, Amazon CloudFront, Amazon Route 53, AWS Global Accelerator | Elastic Load Balancing (ELB), Amazon CloudFront, Amazon Route 53, AWS Global Accelerator, Amazon Elastic IP Address |
| Types of attack | SYN floods, UDP floods, reflection attacks | SYN floods, UDP floods, reflection attacks, TCP-state exhaustion attacks, HTTP/HTTPS floods, WordPress XML-RPC floods, DNS query floods |
| Automatic mitigation | Common DDoS attacks | Sophisticated DDoS attacks |
| Additional benefits | None | 24/7 DRT support, WAF integration, Firewall Manager integration, cost protection, Route 53 health checks, real-time metrics and reports, protection groups, enhanced visibility |
Who Should Invest in AWS Shield Advanced?
The decision to upgrade to AWS Shield Advanced will hinge on many factors. But first, let’s consider some good candidates for selecting the service:
Organizations in healthcare, financial services, or government may seek enhanced DDoS protections for their mission-critical applications.
Large streaming video providers may be ripe targets for DDoS attacks.
E-commerce platforms could suffer significant reputational damage if they become overwhelmed by a DDoS attack.
High-profile product launches or marketing campaigns could benefit from enhanced protection.
Time-critical gaming services that can easily be thwarted by a DDoS attack.
Going with Shield Advanced over Shield Standard may depend on your organization's size, the extent of the potential attack surface, the desired enhanced DDoS mitigation capabilities, and whatever regulatory or compliance requirements you face. If you need more than the infrastructure layer support offered by Shield Standard, you may want to consider Shield Advanced. It all depends on your risk profile.
Conclusion
DDoS protection from AWS Shield is robust by default. You don’t have to pay extra for Shield Standard, and infrastructure-layer resources are comprehensively protected. For larger organizations, mission-critical applications, or those with significant compliance requirements, Shield Advanced might be a good option. The inclusion of WAF and Firewall Manager could save your business.
Finally, be aware of your risks. The financial costs and damage to reputation resulting from an intractable DDoS attack can be devastating. It’s well worth doing a full cost-benefit analysis.
To learn more about securing AWS networking and other advanced topics, check out the CBT Nuggets course AWS Certified Advanced Networking - Specialty (ANS-C01) Online Training.