Chapter 39: DDoS Protection & WAF

Defending Against Distributed Attacks

39.1 Understanding DDoS Attacks

A DDoS (Distributed Denial of Service) attack floods your infrastructure with traffic from many sources at once, until bandwidth, connection state, or application capacity is exhausted and legitimate users can no longer get through.
DDoS Attack Impact
==================

Normal Traffic:                 DDoS Attack:
================                ==============
1,000 users/day                 100,000 malicious requests/sec
Server handles fine             Server becomes unreachable
All users served                No users can access

─────────────────────────────────────────────────────────

Real Example: GitHub (2018)
  • 1.35 Tbps peak, a memcached reflection/amplification attack
  • The largest DDoS publicly recorded at the time
  • Traffic was rerouted to Akamai Prolexic and the attack was mitigated within about 10 minutes

Types of DDoS Attacks

| Layer | Attack Type | Target | Example |
|---|---|---|---|
| L3/L4 | Volumetric | Network bandwidth | UDP flood |
| L3/L4 | Protocol | Server resources | SYN flood |
| L7 | Application | Specific app | HTTP flood |
1. Volumetric Attacks (L3/L4)
=============================

Goal: Consume all available bandwidth

Techniques:
  • UDP Flood - large numbers of UDP packets to random ports
  • ICMP Flood - ping flood
  • Amplification - DNS/NTP/memcached reflection, where a small spoofed request
    triggers a much larger response aimed at the victim

Scale: Hundreds of Gbps to multiple Tbps (the 2018 GitHub attack peaked at 1.35 Tbps)

─────────────────────────────────────────

2. Protocol Attacks (L3/L4)
===========================

Goal: Exhaust server or middlebox resources (connection tables, firewall state)

Techniques:
  • SYN Flood - half-open connections fill the listen backlog
  • SYN-ACK Flood
  • TCP connection exhaustion

Scale: Millions of packets/sec

─────────────────────────────────────────

3. Application Layer Attacks (L7)
=================================

Goal: Exhaust the application itself (worker threads, database connections, CPU)
      with far less traffic than a volumetric attack needs

Techniques:
  • HTTP Flood - GET/POST flood aimed at expensive endpoints (search, login, export)
  • Slowloris - sends partial headers very slowly to hold server connections open
  • ReDoS - input crafted to make a vulnerable regular expression backtrack exponentially

Scale: Low bandwidth; harder to detect because each request on its own looks like real traffic
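Because an HTTP flood is made of individually valid requests, detecting it means looking at behaviour per source rather than at any single request. The script below is an added example, not code from the original page: it parses constructed access-log lines in the common "combined" format and flags a client whose request count inside a 10-second window exceeds a threshold while nearly all of its requests hit one path. The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are all made up for the example.

```python
"""Flag likely HTTP-flood sources in web-server access logs.

Added example, not code from the original page. The log lines are constructed
in the Apache/nginx "combined" format; addresses come from the RFC 5737
documentation ranges and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 POSTs /login ten times per second for 20 s
# with a scripting user agent, while two ordinary clients browse a few pages.
FLOOD_LINES = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /login HTTP/1.1" '
    f'200 512 "-" "python-requests/2.31"'
    for sec in range(20)
    for _ in range(10)
]
NORMAL_LINES = [
    '198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:09 +0000] "GET /pricing HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:55:11 +0000] "GET /docs HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:55:15 +0000] "GET /docs/waf HTTP/1.1" 200 3500 "-" "Mozilla/5.0"',
    'not a log line',  # malformed input must be skipped, not crash the detector
]
SAMPLE_LOG = "\n".join(FLOOD_LINES + NORMAL_LINES)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return (timestamp, ip, path, user_agent) for every parseable line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["ip"], m["path"], m["ua"]))
    events.sort(key=lambda e: e[0])
    return events


def peak_requests(timestamps, window):
    """Largest number of requests that fall inside any interval shorter than `window`.

    Two-pointer sweep over sorted timestamps: O(n) instead of recounting per request.
    """
    peak = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_http_flood(text, window_sec=10, max_requests=50, min_single_path_share=0.9):
    """Return {ip: evidence} for clients that look like flood sources.

    A flood source is both fast (more than `max_requests` inside one window) and
    monotonous (almost every request hits the same path). Requiring both keeps a
    busy but normally-behaving NAT gateway from being flagged on rate alone.
    """
    by_ip = defaultdict(list)
    for ts, ip, path, ua in parse_log(text):
        by_ip[ip].append((ts, path, ua))

    findings = {}
    window = timedelta(seconds=window_sec)
    for ip, reqs in by_ip.items():
        paths = [r[1] for r in reqs]
        top_path, top_count = max(((p, paths.count(p)) for p in set(paths)), key=lambda x: x[1])
        share = top_count / len(paths)
        peak = peak_requests([r[0] for r in reqs], window)
        if peak > max_requests and share >= min_single_path_share:
            findings[ip] = {
                "peak_requests_in_window": peak,
                "top_path": top_path,
                "top_path_share": round(share, 2),
                "distinct_user_agents": len({r[2] for r in reqs}),
            }
    return findings


if __name__ == "__main__":
    for ip, evidence in detect_http_flood(SAMPLE_LOG).items():
        print(ip, evidence)
```

On the constructed sample only 203.0.113.7 is flagged, with a peak of 100 requests in a 10-second window, a single target path and a single user agent; the two browsing clients never come close to the threshold. In production the thresholds need tuning per endpoint (a login page tolerates far less than a static asset), and a source that is fast but spreads across many paths deserves a second look rather than an automatic block, since it may be a shared egress address.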
39.2 DDoS Mitigation Strategy

Defense in Depth

Multi-Layer DDoS Protection
===========================

┌─────────────────────────────────────────────────────────────┐
│ Layer 1: Edge/Network Protection                            │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ • CDN (Cloudflare, Fastly, CloudFront)                      │
│ • Anycast network                                           │
│ • Massive bandwidth capacity                                │
│ • Scrubbing centers                                         │
│                                                             │
│ Blocks: Volumetric attacks (hundreds of Gbps to Tbps)       │
└─────────────────────────────────────────────────────────────┘
                    ▼ Traffic filtered ▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 2: DDoS Protection Service                            │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ • AWS Shield (Standard/Advanced)                            │
│ • Cloudflare DDoS Protection                                │
│ • Akamai Prolexic                                           │
│ • Google Cloud Armor                                        │
│                                                             │
│ Blocks: Protocol + some L7 attacks                          │
└─────────────────────────────────────────────────────────────┘
                    ▼ Further filtered ▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 3: WAF (Web Application Firewall)                     │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ • AWS WAF                                                   │
│ • Cloudflare WAF                                            │
│ • ModSecurity                                               │
│                                                             │
│ Blocks: Application attacks, SQLi, XSS                      │
└─────────────────────────────────────────────────────────────┘
                    ▼ Clean traffic ▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 4: Application Protection                             │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ • Rate limiting                                             │
│ • API gateways                                              │
│ • Authentication                                            │
│                                                             │
│ Blocks: Specific abuse patterns                             │
└─────────────────────────────────────────────────────────────┘
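Layer 4 is where your own code enforces limits. The added example below (not from the original page) is a per-client token bucket of the kind an API gateway or middleware applies. The part that goes wrong in a layered deployment is the key: behind a CDN or load balancer the TCP peer is your own edge, and X-Forwarded-For is attacker-controlled unless the connection arrives from a trusted proxy, in which case only the address that proxy appended can be believed. The request dicts, the 198.51.100.0/24 proxy range and the bucket sizes are assumptions made for the example.

```python
"""Per-client token-bucket rate limiting behind a CDN or load balancer.

Added example, not code from the original page. Requests are plain dicts with
"peer_ip" (the TCP peer we accepted the connection from) and "headers"; the
trusted proxy range and bucket sizes are assumptions for the example.
"""
import ipaddress
import time

# Assumption: our edge/CDN tier connects from this range (RFC 5737 documentation
# block standing in for the provider's published IP ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def client_ip(peer_ip, headers):
    """Resolve the address to rate-limit on.

    X-Forwarded-For is just a header the client can set, so it is ignored unless
    the connection comes from one of our own proxies. Even then only the last
    entry is trusted: that is the one our proxy appended; anything before it was
    supplied by the client. Keying on a spoofable value would let an attacker
    rotate fake addresses and never hit the limit.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # missing or malformed header: fall back to the proxy address
    return str(peer)


class RateLimiter:
    """Token bucket per client: `capacity` is the burst allowance, `refill_per_sec` the sustained rate."""

    def __init__(self, capacity=20, refill_per_sec=2.0):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.buckets = {}  # client key -> (tokens, last_update_time)

    def allow(self, request, now=None):
        """Return (allowed, retry_after_seconds); `now` is injectable for tests."""
        now = time.monotonic() if now is None else now
        key = client_ip(request["peer_ip"], request.get("headers", {}))
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True, 0.0
        self.buckets[key] = (tokens, now)
        return False, (1.0 - tokens) / self.refill_per_sec  # value for a Retry-After header


def simulate():
    """Constructed scenario: a burst through the CDN with rotating spoofed XFF prefixes."""
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)
    # Eight requests in the same second. Each forges a different leading XFF entry,
    # but the CDN (trusted) appended the real client 203.0.113.7 last, so all eight
    # share one bucket and the sixth onward is refused.
    burst = [
        {"peer_ip": "198.51.100.10", "headers": {"X-Forwarded-For": f"10.0.0.{i}, 203.0.113.7"}}
        for i in range(8)
    ]
    decisions = [limiter.allow(r, now=100.0)[0] for r in burst]
    # A direct connection that bypasses the CDN and forges the header is keyed by its own peer IP.
    direct = {"peer_ip": "192.0.2.55", "headers": {"X-Forwarded-For": "203.0.113.7"}}
    direct_key = client_ip(direct["peer_ip"], direct["headers"])
    # Three seconds later the bucket has refilled three tokens: three more pass, the fourth waits.
    later = [limiter.allow(r, now=103.0) for r in burst[:4]]
    return {
        "burst": decisions,
        "direct_key": direct_key,
        "after_refill": [ok for ok, _ in later],
        "retry_after": round(later[3][1], 2),
    }


if __name__ == "__main__":
    print(simulate())
```

A token bucket is preferred here over a fixed per-minute counter because it allows a short legitimate burst while capping the sustained rate, and the refused request gets a Retry-After value instead of a bare rejection. Keep the bucket store in something shared (Redis or the gateway's own state) when more than one instance serves traffic, otherwise each instance hands out its own full allowance.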
39.3 AWS DDoS Protection

AWS Shield

AWS Shield Options
==================

┌─────────────────────────────────────────────────────────────┐
│ AWS Shield Standard (FREE)                                  │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ • Always-on DDoS mitigation                                 │
│ • Protection against common L3/L4 attacks                   │
│ • SYN floods, UDP floods, reflection attacks                │
│ • Integrates with CloudFront, Route 53, API Gateway         │
│                                                             │
│ Enabled automatically, no configuration required            │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ AWS Shield Advanced ($3,000/month, 1-year commitment)       │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ • Shield Response Team (SRT), 24/7                          │
│   (requires Business or Enterprise Support)                 │
│ • DDoS cost protection: credits for scaling charges         │
│   caused by an attack                                       │
│ • Real-time visibility via CloudWatch                       │
│ • Advanced L7 mitigation (automatic WAF rules)              │
│ • Protection for EIP, ALB, CloudFront, Route 53             │
│                                                             │
│ Recommended for production apps                             │
└─────────────────────────────────────────────────────────────┘
39.4 WAF (Web Application Firewall)

A WAF protects against application-layer attacks by inspecting HTTP requests and filtering out the malicious ones before they reach the application.

WAF Protection
==============

┌─────────────────────────────────────────────────────────────┐
│ Common WAF Rules                                            │
│ ─────────────────────────────────────────────────────────── │
│                                                             │
│ 1. SQL Injection Protection                                 │
│    Block: ' OR '1'='1                                       │
│                                                             │
│ 2. XSS Protection                                           │
│    Block: <script>alert(1)</script>                         │
│                                                             │
│ 3. Path Traversal                                           │
│    Block: ../../../etc/passwd                               │
│                                                             │
│ 4. Rate Limiting                                            │
│    Block: >100 requests/minute from single IP               │
│                                                             │
│ 5. Geo Blocking                                             │
│    Block: Traffic from certain countries                    │
│                                                             │
│ 6. IP Reputation                                            │
│    Block: Known malicious IPs                               │
└─────────────────────────────────────────────────────────────┘

Signature rules are a screening layer, not the fix: they cut noise and stop the obvious payloads, but parameterized queries and output encoding in the application remain what actually closes SQLi and XSS. Start new rules in count mode and review the sampled matches before switching them to block, or the first thing a rate or signature rule blocks will be a legitimate customer.
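The rule list above is only as good as the normalisation done before matching: a payload that is percent-encoded or HTML-entity-encoded contains none of the literal characters a naive signature looks for. The added example below (not the page's code, and not a production rule set) applies a small chain of text transformations, the same idea as the TextTransformations on an AWS WAF rule, before matching illustrative SQLi, XSS and path-traversal signatures, and shows each encoded payload slipping past raw matching but being caught after normalisation. The requests and patterns are constructed for the example.

```python
"""Minimal WAF-style request inspector: normalise, then match.

Added example, not the page's or AWS's code. The signatures are illustrative
patterns for the rule categories discussed here (SQLi, XSS, path traversal),
not a production rule set, and the requests are constructed.
"""
import html
import re
from urllib.parse import unquote

# Each rule: (name, transformation chain, pattern). The chain is applied in order
# before matching, mirroring the TextTransformations of an AWS WAF rule. Decoding
# comes before lowercasing so that encoded upper-case letters are normalised too.
RULES = [
    ("sqli", [unquote, str.lower],
     re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1|union\s+select|;\s*drop\s+table")),
    ("xss", [unquote, html.unescape, str.lower],
     re.compile(r"<\s*script\b|javascript:|\bon(load|error|click|mouseover)\s*=")),
    # Double URL decode: %252e%252e%252f -> %2e%2e%2f -> ../
    ("path_traversal", [unquote, unquote],
     re.compile(r"(\.\./|\.\.\\){2,}")),
]


def normalize(value, transforms):
    """Apply each transformation in turn and return the canonical text."""
    for transform in transforms:
        value = transform(value)
    return value


def inspect(fields, apply_transforms=True):
    """Return the set of rule names matched by any field of the request.

    `fields` maps request parts to their raw text, e.g. {"query": ..., "body": ...}.
    With apply_transforms=False the raw text is matched, which is how a naive
    filter behaves and is exactly what encoded payloads are designed to evade.
    """
    hits = set()
    for name, transforms, pattern in RULES:
        for raw in fields.values():
            text = normalize(raw, transforms) if apply_transforms else raw
            if pattern.search(text):
                hits.add(name)
    return hits


def demo():
    """Constructed requests: raw verdict vs. normalised verdict for each."""
    cases = {
        "plain_sqli": {"query": "id=1' or '1'='1"},
        "encoded_sqli": {"query": "id=1%27%20oR%20%271%27%3D%271"},
        "encoded_xss": {"body": "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
        "entity_xss": {"body": "comment=&lt;ScRiPt&gt;alert(1)&lt;/script&gt;"},
        "double_encoded_traversal": {
            "path": "/download?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"},
        "benign": {"query": "q=shopping+list+for+monday&page=2"},
    }
    return {
        name: (sorted(inspect(f, apply_transforms=False)), sorted(inspect(f)))
        for name, f in cases.items()
    }


if __name__ == "__main__":
    for name, (raw_hits, normalised_hits) in demo().items():
        print(f"{name:26} raw={raw_hits or '-'} normalised={normalised_hits or '-'}")
```

Only the plain payload is caught without transformations; every encoded variant passes raw matching and is caught once normalised, while the benign query matches nothing either way. Two points carry over to real WAF rules: the transformation chain is chosen per rule (the traversal rule decodes twice, the SQLi rule once), and every added pattern widens the false-positive surface, which is why the "on...=" signature above is limited to a few event-handler names rather than any word beginning with "on".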
AWS WAF Example

```yaml
# AWS WAF (WAFv2) Web ACL for a CloudFront distribution.
# Scope CLOUDFRONT resources must be created in us-east-1; the distribution
# then references this ACL's ARN in its WebACLId property.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: my-web-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}                 # anything no rule blocks is allowed
      VisibilityConfig:           # required at the ACL level as well as per rule
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: my-web-acl
      Rules:
        - Name: SQLInjectionRule
          Priority: 0             # lower number is evaluated first
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                QueryString: {}
              TextTransformations:    # applied in Priority order before matching;
                - Priority: 0         # decode first, then lowercase, so encoded
                  Type: URL_DECODE    # upper-case characters are normalised too
                - Priority: 1
                  Type: LOWERCASE
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: SQLInjectionRule

        - Name: RateLimitRule
          Priority: 1
          Statement:
            RateBasedStatement:
              Limit: 1000               # requests per client IP per window
              EvaluationWindowSec: 60
              AggregateKeyType: IP      # use FORWARDED_IP with ForwardedIPConfig when a
                                        # third-party proxy sits in front of AWS, otherwise
                                        # the proxy's address is what gets rate limited
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitRule

        - Name: XSSRule
          Priority: 2
          Statement:
            XssMatchStatement:
              FieldToMatch:
                Body:
                  OversizeHandling: CONTINUE   # body inspection is size-capped; say
                                               # explicitly what happens past the cap
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: HTML_ENTITY_DECODE
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: XSSRule
```
39.5 DDoS Protection Best Practices

DDoS Protection Checklist
=========================

✓ Use a CDN (Cloudflare, CloudFront)
✓ Enable AWS Shield (Standard is free)
✓ Configure WAF rules
✓ Implement rate limiting at the API gateway
✓ Enable auto-scaling, with a ceiling so an attack cannot run up an unbounded bill
✓ Use multiple availability zones
✓ Set up monitoring and alerts
✓ Create an incident response plan (who contacts the provider, which rules get tightened)
✓ Test DDoS resilience regularly (simulated attacks need your cloud provider's approval)

─────────────────────────────────────────

Application Best Practices:
───────────────────────────

✓ Minimize exposed surfaces
✓ Use authentication everywhere
✓ Implement rate limiting
✓ Validate all input
✓ Use secure headers
✓ Set appropriate timeouts (slow-header and slow-body timeouts defeat Slowloris-style attacks)
Architecture Example

Protected Architecture
======================

┌─────────────────────────────────────────────────────────────┐
│                          Internet                           │
└────────────────────────────┬────────────────────────────────┘
                             │
                             ▼
┌─────────────────────────────────────────────────────────────┐
│ Cloudflare (Edge)                                           │
│ • DDoS protection                                           │
│ • WAF                                                       │
│ • CDN                                                       │
│ • SSL/TLS termination                                       │
└────────────────────────────┬────────────────────────────────┘
                             │
                             ▼
┌─────────────────────────────────────────────────────────────┐
│ AWS Shield + WAF                                            │
│ • Layer 3/4 protection                                      │
│ • Application rules                                         │
│ • Rate limiting                                             │
└────────────────────────────┬────────────────────────────────┘
                             │
                             ▼
┌─────────────────────────────────────────────────────────────┐
│ ALB + Auto Scaling Group                                    │
│ • Distributes traffic                                       │
│ • Scales with load                                          │
└────────────────────────────┬────────────────────────────────┘
                             │
                             ▼
┌─────────────────────────────────────────────────────────────┐
│ Application Servers (Multiple AZs)                          │
│ • Protected core application                                │
└─────────────────────────────────────────────────────────────┘

The edge layers only count if the origin refuses traffic that did not pass through them: restrict the ALB's security group to the CDN provider's published IP ranges (for CloudFront, the AWS-managed origin-facing prefix list), and keep origin addresses out of DNS records and certificates that an attacker can enumerate. An origin reachable directly lets an attacker skip every layer above it.
Summary

- DDoS attacks - Volumetric, Protocol, Application layer
- Layered defense - CDN → Shield → WAF → Rate limiting
- AWS Shield - Standard (free) + Advanced (paid)
- WAF - Blocks SQLi, XSS and other malicious request patterns; enforces rate limits
- CDN - Absorbs volumetric attacks
- Auto-scaling - Handles traffic spikes
- Monitoring - Detect and respond to attacks