26.309: DDoS best practices - Coggle Diagram
CloudFront
Web app delivery at edge
Shield
Protects against common DDoS attacks (SYN floods, UDP reflection, etc.); Shield Standard is applied automatically
Global Accelerator
Access your application from the edge (anycast IPs, no caching)
Integrates with Shield for DDoS protection
Helpful when your backend is not compatible with CloudFront (e.g. non-HTTP/TCP or UDP workloads)
Route53
Domain name resolution at the edge
Built-in DDoS protection mechanisms (covered by Shield)
DDoS mitigation
Infrastructure-layer defense (CloudFront, Global Accelerator, Route 53, ELB)
Protect EC2 against high traffic
Put Global Accelerator, Route 53, CloudFront or ELB in front so the instance is never exposed directly
EC2 with Auto Scaling Group
Scales out on sudden traffic surges, including a flash crowd or a DDoS attack
ELB
Scales with traffic increases and distributes the traffic across many EC2 instances
App layer defense
Detect and filter malicious web requests (CloudFront, Global Accelerator, WAF)
CloudFront caches static content and serves it from edge locations, protecting your backend
WAF is used on top of CloudFront and ALB to filter and block requests based on request signatures
WAF rate-based rules can automatically block the IPs of bad actors that exceed a request threshold
Use managed rules on WAF to block attacks based on IP reputation or to block anonymous IPs (VPNs, proxies, Tor)
CloudFront can block specific geographies (geo restriction)
Shield Advanced
Automatic application-layer DDoS mitigation: automatically creates, evaluates, and deploys AWS WAF rules to mitigate layer 7 attacks
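The rate-based, managed and geo rules above can be illustrated with a small script. This is an added example, not code from the course: it first replays a sliding-window per-IP count over constructed access-log lines (the condition a WAF rate-based rule evaluates, using its default 5-minute window), then emits the WAFv2 rule definitions in the shape `aws wafv2 create-web-acl --rules` expects. Log format, IPs, the `RateLimitPerIP` / `GeoBlock` rule names and the country code are assumptions; the managed rule group names `AWSManagedRulesAmazonIpReputationList` and `AWSManagedRulesAnonymousIpList` are the real AWS group names. Note that the geo rule here is WAF's own geo match, which is separate from CloudFront geo restriction.

```python
"""Per-IP sliding-window count over access-log lines (the logic a WAF
rate-based rule applies), plus WAFv2 rule definitions for a rate limit,
a geo block and two AWS managed rule groups. Added example, not course code."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # default evaluation window of a WAF rate-based rule

# Constructed sample log lines: "<timestamp> <client-ip> <method> <uri> <status>".
# 198.51.100.7 is a normal visitor; 203.0.113.9 fires 150 requests in 2.5 minutes.
_BASE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    [
        "2024-05-01T10:00:00Z 198.51.100.7 GET /index.html 200",
        "2024-05-01T10:01:30Z 198.51.100.7 GET /app.js 200",
        "2024-05-01T10:04:10Z 198.51.100.7 POST /login 302",
    ]
    + [
        f"{(_BASE + timedelta(seconds=i)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
        "203.0.113.9 GET /login 200"
        for i in range(150)
    ]
)


def parse_log(text):
    """Parse the simple (assumed) log format into (timestamp, ip, method, uri, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri, status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, method, uri, int(status)))
    return events


def offenders(events, limit, window=WINDOW):
    """Return the source IPs whose request count inside any `window` exceeds
    `limit`, i.e. the IPs a rate-based rule with that Limit would block."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, *_ in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def rate_based_rule(name, limit, priority):
    """Block any source IP that sends more than `limit` requests per 5 minutes."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(name),
    }


def geo_block_rule(name, country_codes, priority):
    """Block requests whose source country (ISO 3166 alpha-2) is listed."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"GeoMatchStatement": {"CountryCodes": list(country_codes)}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(name),
    }


def managed_rule_group(group_name, priority):
    """Attach an AWS managed rule group; OverrideAction None keeps the group's own actions."""
    return {
        "Name": group_name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility(group_name),
    }


def web_acl_rules(limit=1000, blocked_countries=()):
    """Rule list for `aws wafv2 create-web-acl --rules`; lower Priority runs first."""
    rules = [
        managed_rule_group("AWSManagedRulesAmazonIpReputationList", 0),
        managed_rule_group("AWSManagedRulesAnonymousIpList", 1),
        rate_based_rule("RateLimitPerIP", limit, 2),
    ]
    if blocked_countries:
        rules.append(geo_block_rule("GeoBlock", blocked_countries, 3))
    return rules


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("would be rate-limited:", offenders(events, limit=100))
    print(json.dumps(web_acl_rules(limit=100, blocked_countries=["KP"]), indent=2))  # "KP" is illustrative
```

Keep the managed IP-reputation and anonymous-IP groups at a lower priority number than the rate rule so known-bad sources are dropped before they consume the per-IP budget, and save the rule JSON from `web_acl_rules()` to a file to pass as `--rules file://rules.json`.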
Attack surface reduction
Obfuscating AWS resources (CloudFront, Global Accelerator, API Gateway, ELB)
Use CloudFront, API Gateway or ELB as the public entry point so backend resources (Lambda functions, EC2) are never directly reachable
Security groups and Network ACLs (VPC)
Use security groups (ENI level, stateful) and NACLs (subnet level, stateless) to filter traffic by source IP and port
Elastic IP protected by AWS Shield Advanced
Protect API endpoint (API Gateway)
Hides EC2 and Lambda behind a managed endpoint
Edge-optimized endpoint type (fronted by CloudFront) or regional endpoint type with your own CloudFront distribution in front (more control over the DDoS posture)
WAF on top of API Gateway, burst and rate limits (throttling), header filtering, and API keys with usage plans
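To show what the burst and rate limits on an API Gateway stage or usage plan actually do, here is an added example (not code from the course). API Gateway throttling behaves like a token bucket: `burstLimit` is the bucket size and `rateLimit` the steady-state refill in requests per second; a request that finds the bucket empty gets HTTP 429. The script replays a constructed request timeline through that model and then builds the keyword arguments for boto3's real `create_usage_plan` call. The timeline, plan name, API id and stage are assumptions; linking the plan to an API key is a separate `create_usage_plan_key` call that is not shown.

```python
"""Token-bucket model of API Gateway throttling (burstLimit = bucket size,
rateLimit = refill per second) over a constructed request timeline, plus the
parameters for boto3 APIGateway.create_usage_plan. Added example, not course code."""


def simulate_throttle(request_times, burst_limit, rate_limit):
    """Return [(t, accepted), ...] for a sorted list of request times in seconds.
    Rejected requests are the ones API Gateway would answer with 429."""
    tokens = float(burst_limit)            # bucket starts full
    last_t = request_times[0] if request_times else 0.0
    results = []
    for t in request_times:
        # refill at rate_limit tokens/second, never above the burst size
        tokens = min(float(burst_limit), tokens + (t - last_t) * rate_limit)
        last_t = t
        if tokens >= 1.0:
            tokens -= 1.0
            results.append((t, True))
        else:
            results.append((t, False))
    return results


def accepted_count(results):
    """Number of requests the model let through."""
    return sum(1 for _, ok in results if ok)


def usage_plan_params(name, api_id, stage, burst_limit, rate_limit, daily_quota=None):
    """kwargs for boto3 client('apigateway').create_usage_plan(**params).
    `throttle` and `quota` are the real parameter names; values are assumptions."""
    params = {
        "name": name,
        "apiStages": [{"apiId": api_id, "stage": stage}],
        "throttle": {"burstLimit": burst_limit, "rateLimit": float(rate_limit)},
    }
    if daily_quota is not None:
        params["quota"] = {"limit": daily_quota, "period": "DAY"}
    return params


# Constructed timeline: a 30-request burst at t=0, then 15 more requests at t=1s.
SAMPLE_TIMELINE = [0.0] * 30 + [1.0] * 15

if __name__ == "__main__":
    res = simulate_throttle(SAMPLE_TIMELINE, burst_limit=20, rate_limit=10)
    print(f"accepted {accepted_count(res)} of {len(res)} requests")
    print(usage_plan_params("public-tier", "abc123", "prod", 20, 10, daily_quota=10000))
```

With a burst of 20 and a rate of 10/s, the model accepts the first 20 of the initial burst, rejects the next 10, and one second later has refilled only 10 tokens, so 10 of the following 15 pass. Per-client limits only apply when callers present an API key tied to a usage plan; without keys the stage-level throttle is shared by everyone.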