# Chapter 39: DDoS Protection & WAF

## Defending Against Distributed Attacks

## 39.1 Understanding DDoS Attacks

DDoS (Distributed Denial of Service) attacks overwhelm your infrastructure with malicious traffic.
```text
DDoS Attack Impact
==================

Normal Traffic:                DDoS Attack:
================               ==============
1,000 users/day                100,000 malicious requests/sec
Server handles fine            Server becomes unreachable
All users served               No users can access

─────────────────────────────────────────────────────────
Real Example: GitHub (2018) - 1.35 Tbps attack
              Largest recorded DDoS ever
              Mitigated by Akamai in 10 minutes
```
### Types of DDoS Attacks

| Layer | Attack Type | Target | Example |
|---|---|---|---|
| L3/L4 | Volumetric | Network bandwidth | UDP flood |
| L3/L4 | Protocol | Server resources | SYN flood |
| L7 | Application | Specific app | HTTP flood |
```text
1. Volumetric Attacks (L3/L4)
=============================
Goal: Consume all bandwidth

Techniques:
  • UDP Flood - Send thousands of UDP packets
  • ICMP Flood - Ping flood
  • Amplification - DNS/NTP reflection

Scale: Up to 100+ Gbps

─────────────────────────────────────────

2. Protocol Attacks (L3/L4)
===========================
Goal: Exhaust server resources

Techniques:
  • SYN Flood - Half-open connections
  • SYN-ACK Flood
  • TCP Connection exhaustion

Scale: Millions of packets/sec

─────────────────────────────────────────

3. Application Layer Attacks (L7)
=================================
Goal: Crash specific application

Techniques:
  • HTTP Flood - GET/POST flood
  • Slowloris - Slow headers
  • ReDoS - Regex exhaustion

Scale: Harder to detect, looks like real traffic
```
## 39.2 DDoS Mitigation Strategy

### Defense in Depth

```text
Multi-Layer DDoS Protection
===========================

┌─ Layer 1: Edge/Network Protection ──────────────────────────
│ • CDN (Cloudflare, Fastly, CloudFront)
│ • Anycast network
│ • Massive bandwidth capacity
│ • Scrubbing centers
│
│ Blocks: Volumetric attacks (100+ Gbps)
└─────────────────────────────────────────────────────────────
                    ▼ Traffic filtered ▼
┌─ Layer 2: DDoS Protection Service ──────────────────────────
│ • AWS Shield (Standard/Advanced)
│ • Cloudflare DDoS Protection
│ • Akamai Prolexic
│ • Google Cloud Armor
│
│ Blocks: Protocol + some L7 attacks
└─────────────────────────────────────────────────────────────
                    ▼ Further filtered ▼
┌─ Layer 3: WAF (Web Application Firewall) ───────────────────
│ • AWS WAF
│ • Cloudflare WAF
│ • ModSecurity
│
│ Blocks: Application attacks, SQLi, XSS
└─────────────────────────────────────────────────────────────
                    ▼ Clean traffic ▼
┌─ Layer 4: Application Protection ───────────────────────────
│ • Rate limiting
│ • API gateways
│ • Authentication
│
│ Blocks: Specific abuse patterns
└─────────────────────────────────────────────────────────────
```
## 39.3 AWS DDoS Protection

### AWS Shield

```text
AWS Shield Options
==================

┌─ AWS Shield Standard (FREE) ────────────────────────────────
│ • Always-on DDoS mitigation
│ • Protection against common L3/L4 attacks
│ • SYN floods, UDP floods, reflection attacks
│ • Integrates with CloudFront, Route 53, API Gateway
│
│ Automatic with AWS services!
└─────────────────────────────────────────────────────────────

┌─ AWS Shield Advanced ($3,000/month) ────────────────────────
│ • DDoS response team (24/7)
│ • Financial protection (up to $300K)
│ • Real-time visibility via CloudWatch
│ • Advanced attack mitigation
│ • Protection for EIP, ALB, CloudFront, Route 53
│
│ Recommended for production apps
└─────────────────────────────────────────────────────────────
```
## 39.4 WAF (Web Application Firewall)

WAF protects against application-layer attacks by filtering malicious requests.

```text
WAF Protection
==============

┌─ Common WAF Rules ──────────────────────────────────────────
│ 1. SQL Injection Protection
│    Block: ' OR '1'='1
│
│ 2. XSS Protection
│    Block: <script>alert(1)</script>
│
│ 3. Path Traversal
│    Block: ../../../etc/passwd
│
│ 4. Rate Limiting
│    Block: >100 requests/minute from single IP
│
│ 5. Geo Blocking
│    Block: Traffic from certain countries
│
│ 6. IP Reputation
│    Block: Known malicious IPs
└─────────────────────────────────────────────────────────────
```
### AWS WAF Example

```yaml
# AWS WAF Web ACL
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: my-web-acl
      Scope: CLOUDFRONT          # CLOUDFRONT-scoped ACLs are created in us-east-1
      DefaultAction:
        Allow: {}                # anything no rule blocks is allowed through
      VisibilityConfig:          # required on the Web ACL itself, not only on each rule
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: MyWebACL
      Rules:
        - Name: SQLInjectionRule
          Priority: 0            # lower number = evaluated first
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                QueryString: {}
              TextTransformations:   # each transformation needs its own Priority
                - Priority: 0
                  Type: LOWERCASE
                - Priority: 1
                  Type: URL_DECODE
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: SQLInjectionRule
        - Name: RateLimitRule
          Priority: 1
          Statement:
            RateBasedStatement:
              Limit: 1000              # requests per aggregated client IP ...
              EvaluationWindowSec: 60  # ... counted over a 60-second window
              AggregateKeyType: IP
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitRule
        - Name: XSSRule
          Priority: 2
          Statement:
            XssMatchStatement:
              FieldToMatch:
                Body: {}
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: HTML_ENTITY_DECODE
          Action:
            Block: {}
          VisibilityConfig:          # required on every rule; the original omitted it here
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: XSSRule
```
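To make the RateLimitRule's knobs concrete, here is a sliding-window rate rule run over constructed access-log lines: an added example, not AWS's or the book's code. It models how Limit, EvaluationWindowSec and AggregateKeyType=IP combine per client, and shows that a client is allowed again once its request count falls back under the limit; the log lines, IP addresses and the flood/normal-user split are constructed for the example, and the sliding window is a model rather than a reproduction of AWS WAF's internal counting.

```python
# Added example: sliding-window rate rule over access logs (not AWS or book code).
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common Log Format prefix: client IP, ident, user, [timestamp], "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, unix_time, request_line) for a CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT).timestamp(), m["req"]

class RateRule:
    """Block a client once it exceeds `limit` requests in any trailing `window`
    seconds: the same knobs as Limit / EvaluationWindowSec / AggregateKeyType=IP."""
    def __init__(self, limit=100, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def evaluate(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] >= self.window:  # expire timestamps that left the window
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"

def evaluate_log(lines, limit=100, window=60):
    """Return {ip: (allowed, blocked)} after running every log line through the rule."""
    rule, counts = RateRule(limit, window), defaultdict(lambda: [0, 0])
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # skip unparsable lines instead of crashing on a hostile log
            ip, ts, _ = parsed
            counts[ip][1 if rule.evaluate(ip, ts) == "BLOCK" else 0] += 1
    return {ip: tuple(c) for ip, c in counts.items()}

def build_sample_log():
    """Constructed log: 203.0.113.10 fires 150 GETs in 30 s (HTTP flood) and
    198.51.100.7 sends 5 GETs over 5 minutes (normal user)."""
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET /api/items HTTP/1.1" 200 512'
    flood = [fmt.format(ip="203.0.113.10", t=t0 + timedelta(seconds=i // 5)) for i in range(150)]
    user = [fmt.format(ip="198.51.100.7", t=t0 + timedelta(minutes=i)) for i in range(5)]
    return flood + user
```

`evaluate_log(build_sample_log())` returns `{'203.0.113.10': (100, 50), '198.51.100.7': (5, 0)}`: the flood source gets its first 100 requests through and the next 50 blocked, while the normal user is never touched because its count never exceeds the limit inside any 60-second window.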
## 39.5 DDoS Protection Best Practices

```text
DDoS Protection Checklist
=========================

☐ Use CDN (Cloudflare, CloudFront)
☐ Enable AWS Shield (Standard is free)
☐ Configure WAF rules
☐ Implement rate limiting at API gateway
☐ Enable auto-scaling
☐ Use multiple availability zones
☐ Set up monitoring and alerts
☐ Create incident response plan
☐ Test DDoS resilience regularly

─────────────────────────────────────────

Application Best Practices:
───────────────────────────
• Minimize exposed surfaces
• Use authentication everywhere
• Implement rate limiting
• Validate all input
• Use secure headers
• Set appropriate timeouts
```
### Architecture Example

```text
Protected Architecture
======================

                           Internet
                              │
                              ▼
┌─ Cloudflare (Edge) ─────────────────────────────────────────
│ • DDoS protection
│ • WAF
│ • CDN
│ • SSL/TLS termination
└─────────────────────────────┬───────────────────────────────
                              ▼
┌─ AWS Shield + WAF ──────────────────────────────────────────
│ • Layer 3/4 protection
│ • Application rules
│ • Rate limiting
└─────────────────────────────┬───────────────────────────────
                              ▼
┌─ ALB + Auto Scaling Group ──────────────────────────────────
│ • Distributes traffic
│ • Scales with load
└─────────────────────────────┬───────────────────────────────
                              ▼
┌─ Application Servers (Multiple AZs) ────────────────────────
│ • Protected core application
└─────────────────────────────────────────────────────────────
```
## Summary

- DDoS attacks - Volumetric, Protocol, Application layer
- Layered defense - CDN → Shield → WAF → Rate limiting
- AWS Shield - Standard (free) + Advanced (paid)
- WAF - Blocks SQLi, XSS, rate limit
- CDN - Absorbs volumetric attacks
- Auto-scaling - Handles traffic spikes
- Monitoring - Detect and respond to attacks