Once upon a time, Distributed Denial of Service (DDoS) attacks were rare. Now, DDoS assaults are common and are increasing by 125 percent year over year. Attackers can generate 100 Gbps attacks, enough to knock out any undefended website, just by running scripts. Amazon has introduced an answer: AWS Shield.
Werner Vogels, Amazon CTO, in announcing Shield at AWS re:Invent, claimed, “I think this will really help you protect yourselves even against the largest and most sophisticated attacks that we’ve seen out there.”
I wish them luck with that. Even AWS might be shaken by an assault of the magnitude that took down the Dyn Domain Name System (DNS) provider earlier this year. The attack's estimated peak of 1.2 terabits per second (Tbps) would be enough to wreck anyone's day.
That said, since all AWS customers receive AWS Shield Standard automatic protections free of charge, your cloud instances should be safe from most such attacks. According to Amazon, “Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your website or applications.”
AWS Shield Advanced is available only to AWS Premium Support customers at the Enterprise or Business Support levels. In addition, it requires a 1-year subscription commitment and charges a $3,000 monthly fee. On top of this, there's a data transfer usage fee from Amazon CloudFront and ELB. In short, this is a service that only enterprise-level businesses can afford.
On the other hand, if you need this level of protection, you probably really need it.
Amazon claims Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. It also provides you with access to the AWS DDoS Response Team (DRT) and protection against DDoS-related spikes in your ELB, CloudFront, or Route 53 data transfer charges.
With AWS Shield Advanced, you can also write customized rules to mitigate sophisticated application layer attacks. These customizable rules can be deployed instantly, allowing you to quickly mitigate attacks. You can set up proactive rules to automatically block bad traffic, or respond to incidents as they occur.
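As an added example (not code from the article or from AWS), here is a CloudFormation template for the kind of proactive AWS WAF rule the previous paragraph describes: a rate-based rule that blocks any source IP sending more than a set number of requests in a five-minute window to a CloudFront distribution. It uses the WAFv2 resource type, which postdates this article; the resource name, metric names and the 2000-request threshold are placeholders to be tuned to your own traffic.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example web ACL with a rate-based blocking rule (placeholder values)

Resources:
  RateLimitWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-rate-limit-acl         # placeholder name
      # CLOUDFRONT-scoped web ACLs must be created in us-east-1;
      # use REGIONAL instead for an Application Load Balancer.
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}                          # traffic below the threshold passes through
      VisibilityConfig:
        SampledRequestsEnabled: true       # keep samples for near real-time visibility
        CloudWatchMetricsEnabled: true
        MetricName: exampleRateLimitAcl
      Rules:
        - Name: block-high-request-rate
          Priority: 0
          Action:
            Block: {}                      # automatically drop the offending source
          Statement:
            RateBasedStatement:
              # Requests per 5-minute window, counted per source IP.
              # 2000 is an assumed starting point, not a recommendation.
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockHighRequestRate

Outputs:
  WebAclArn:
    Description: Attach this ARN to the CloudFront distribution's WebACLId
    Value: !GetAtt RateLimitWebAcl.Arn
```

Watch the rule's CloudWatch metric after deployment: a threshold set too low will block legitimate clients behind shared NAT addresses, so start in count mode or with a generous limit and tighten it as the metric shows what normal traffic looks like.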
For most AWS customers, Amazon is offering good basic DDoS prevention for free. For enterprises, it's offering sophisticated DDoS mitigation methods for a hefty price tag. That said, it's a heck of a lot cheaper than battling a serious DDoS attack on your own.