Stop DDoS Attacks with AWS WAF
Introduction
The digital world demands constant vigilance against ever-evolving threats. Nowadays, Distributed Denial-of-Service (DDoS) attacks, particularly the HTTP Flood variety, pose a significant risk. These attacks overwhelm applications with a flood of illegitimate requests, effectively shutting them down for legitimate users.
This blog post delves into the world of DDoS attacks and equips you with a powerful defense, the AWS Web Application Firewall (WAF).
What Are DDoS Attacks?
A Distributed Denial-of-Service (DDoS) attack constitutes a malicious attempt to disrupt the normal operations of a targeted server, service, or network. Perpetrators unleash a deluge of illegitimate internet traffic, overwhelming the target's resources and rendering it inaccessible or sluggish for legitimate users. Unlike traditional denial-of-service attacks, DDoS attacks leverage compromised devices spread across the internet, often referred to as a botnet. This distributed nature allows attackers to generate a much larger volume of traffic, making them significantly harder to detect and mitigate. DDoS attacks can target any online entity, posing a major threat to businesses, government institutions, and critical infrastructure. The consequences of a successful attack can be severe, leading to downtime, financial losses, and reputational damage.
​
DDoS attacks can leverage various methods to overwhelm a target. Some prevalent techniques include:
​
-
HTTP Floods: Bombarding the target with a massive amount of seemingly legitimate HTTP requests, exhausting server resources.
-
SYN Floods: Exploiting vulnerabilities in TCP connection establishment to overwhelm the target with incomplete connection requests.
-
DNS Amplification: Abusing DNS servers to amplify the volume of traffic directed at the target.
What is an HTTP Flood DDoS Attack?
HTTP Flood DDoS Attacks target web applications by flooding them with a massive volume of seemingly legitimate HTTP requests. These requests originate from compromised devices, often part of a botnet. The sheer number of requests overwhelms the server's resources, particularly those dedicated to processing complex database queries or other resource-intensive tasks. This ultimately renders the web application unavailable to legitimate users, causing a denial-of-service (DDoS) attack.
​
AWS WAF integrates seamlessly with several AWS services, including:
​
-
Amazon CloudFront
-
Application Load Balancer
-
AWS AppSync
.png)
AWS WAF Security Automations streamline configuration by leveraging AWS CloudFormation to automatically deploy pre-built rules that block common attacks like:
​
-
HTTP Floods
-
SQL Injection
-
Cross-site Scripting (XSS)
-
Scanners and Probes
-
Malicious IP Addresses
-
Bots and Scrapers
​
By looking at the diagram below, you can see the place of AWS WAF in the serverless architecture. It meticulously examines all incoming requests, filtering out malicious traffic before it can reach your system.
Prevent HTTP Flood DDoS Attack on API Gateway with AWS WAF
Here's a step-by-step guide on creating a web ACL in AWS WAF:
​
1. Access the AWS WAF console and initiate the process of creating a new web ACL.
​
2. Assign a descriptive name to your web ACL, such as ApiGateway-HTTP-Flood-Prevention.
​
3. Select the appropriate region for your deployment. In this case, choose US East (N. Virginia).
​
4. Click "Next" to proceed to the "Add rules and rule groups" step. Opt to "Add my own rules and rule groups" here.
-
Rule Type: Choose "Rule Builder".
-
Rule Name: Enter a descriptive name like "HTTP-Flood-Prevent".
-
Rule Type: Select "Rate-based rule".
-
Rate Limit: Set the desired rate limit (e.g., 2000 requests per second).
-
Action: Click "Add Rule" to finalize rule creation.
​
5. Once you've finished adding rules, proceed by clicking "Next" until you reach the "Review and create web ACL" step.
​
6. Carefully review the configuration details of your web ACL. If everything appears correct, proceed with creating the web ACL by selecting the appropriate button (typically labeled "Create web ACL").
​
Now you've successfully created a web ACL in AWS WAF with a rate-based rule to mitigate HTTP flood attacks.
​​
.png)
To further enhance security, let's enable the created WAF web ACL on existing APIs in API Gateway:
​
1. Accessing the API Gateway Stage:
Open the Amazon API Gateway console and navigate to the desired API. Locate the Stages section and select the relevant stage (e.g., "prod").
​
2. Associating the Web ACL:
Within the stage details, locate the section labeled Web Application Firewall (WAF). From the dropdown menu, select the newly created web ACL, ApiGateway-HTTP-Flood-Prevent.
​
3. Save Changes:
Click "Save Changes" to apply the WAF web ACL association.
After enabling the WAF Web ACL, conduct thorough testing to ensure your APIs remain secure.
​
Normal API Call: First, make a regular call to your API Gateway endpoint. It should respond successfully, indicating WAF allows legitimate traffic.
​
Simulating an Attack: To test the rate-limiting rule, use a tool like Artillery to bombard your API with a large number of requests within a short timeframe (e.g., 2000 requests from 10 users). This should trigger the rule within the 5-minute window.
​
Expected Blocking: After Artillery finishes, re-run the API call. This time, WAF should block the request, returning a "Forbidden" response. Your IP address will automatically be unblocked once it falls below the allowed request rate.
.png)
Conclusion
In conclusion, DDoS attacks, particularly HTTP floods, pose a significant threat to online applications. Fortunately, AWS WAF offers a robust defense mechanism. By integrating WAF with your serverless architecture and implementing rate-based rules, you can effectively shield your APIs from malicious traffic and ensure their continued availability for legitimate users. Remember, consistent vigilance and proactive security measures are essential for maintaining a resilient online presence.
​
This blog post has equipped you with the knowledge and step-by-step guidance to create and deploy a WAF web ACL. We encourage you to explore the AWS WAF documentation for further details on advanced configuration options and explore additional security best practices to build a comprehensive security posture for your applications.
About The Author
Pouya Nourizadeh
AWS Enterprise Solutions Architect
Founder, Bringdev
