
AWS Shield standard not preventing DDOS?


My website under Route 53 and an ALB was flooded once on 12 May, but it seems the AWS Shield Standard version (free) didn't do anything to prevent it?

Showing 1000 of 9,828,102 records matched:

2022-05-12T08:01:25.024+08:00   51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"

2022-05-12T08:01:25.024+08:00   51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" "-"

2022-05-12T08:01:25.024+08:00   51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"

2022-05-12T08:01:25.024+08:00   51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3599.0 Safari/537.36" "-"

2022-05-12T08:01:25.024+08:00   51.15.0.133 - - [12/May/2022:00:01:24 +0000] "GET http://www.1980mu.com:89/ HTTP/1.1" 200 8216 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko" "-"




Solution

  • Shield Standard only protects Layer 3 and 4 of your application network stack, so it's expected that it would allow valid web traffic through. You would need to use Shield Advanced or WAF to gain greater control, and CloudFront to provide a caching layer (all paid services), to better protect your instances.

    My advice is to follow the principle of least privilege at each layer in terms of which firewall ports are open and which hostnames you allow. You can use rate limiting via WAF to avoid getting flooded, and use CloudFront to intercept requests and return cached responses where possible to reduce load on your instances.
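
The two checks the answer recommends (a per-client rate limit and a hostname allow-list), run offline over access-log lines in the layout shown in the question. This is an added example, not part of the original post; the allowed hostname, the threshold and the sample lines (documentation IP ranges) are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # assumption: hostnames this site serves
PER_MINUTE_LIMIT = 3                 # assumption: tiny threshold for the demo

# Constructed sample lines in the same layout as the question's log output.
_FMT = ('2022-05-12T08:01:{s:02d}.024+08:00   {ip} - - '
        '[12/May/2022:00:01:{s:02d} +0000] "GET {target} HTTP/1.1" '
        '200 8216 "-" "Mozilla/5.0" "-"')
SAMPLE_LOG = "\n".join(
    [_FMT.format(s=25, ip="203.0.113.7", target="http://other.example:89/")] * 5
    + [_FMT.format(s=26, ip="198.51.100.20", target="/index.html")])

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def foreign_host(target, allowed=ALLOWED_HOSTS):
    """Return the host of an absolute-URI request target that is not
    on the allow-list, or None if the target is acceptable."""
    if not target.lower().startswith(("http://", "https://")):
        return None  # origin-form ("/path"): the Host header decides
    host = (urlsplit(target).hostname or "").lower()
    return host if host not in allowed else None


def summarize(log_text, limit=PER_MINUTE_LIMIT):
    """Count requests per (client IP, minute) and requests per client
    whose target names a host outside the allow-list."""
    per_minute, foreign = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format
        per_minute[(m["ip"], m["ts"][:16])] += 1  # bucket: YYYY-MM-DDTHH:MM
        if foreign_host(m["target"]):
            foreign[m["ip"]] += 1
    over = sorted({ip for (ip, _), n in per_minute.items() if n > limit})
    return {"over_limit": over, "foreign_host_requests": dict(foreign)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Clients that appear in `over_limit` are the ones a rate-based WAF rule would throttle; entries in `foreign_host_requests` are the ones a hostname allow-list would reject before they reach the instances.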