AWS now offers a DDoS protection service:
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield – Standard and Advanced.
All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.
The features of the product are quite interesting, since mitigation is inline and layer 7 can be covered by pairing it with AWS WAF:
Automated mitigation techniques are built into AWS Shield Standard, giving you protection against common, most frequently occurring infrastructure (Layer 3 and 4) attacks. Automatic mitigations are applied inline to your applications so there is no latency impact. Always-on detection and inline mitigation minimize application downtime and you don’t need to engage AWS Support to receive DDoS protection. AWS Shield Standard uses several techniques like deterministic packet filtering, and priority based traffic shaping to automatically mitigate attacks without impact to your applications. You can also mitigate application layer DDoS attacks by writing rules using AWS WAF. With AWS WAF you only pay for what you use.
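The quoted passage leaves "writing rules using AWS WAF" for layer 7 abstract. The most common such rule is a rate-based one: count requests per client IP over a fixed window and block the client once it exceeds a limit. The script below is an added example, not code from the original post or from AWS, and it does not reproduce how AWS WAF evaluates rules internally; it replays constructed access-log lines (synthetic IPs from the RFC 5737 documentation ranges) through that logic so you can see what gets blocked and when. The 5-minute window, the limit of 100, the log format and the hostnames are all assumptions.

```python
"""Sliding-window request-rate check over web access log lines.

Added illustration of the layer-7 "rate-based rule" idea: block a client IP
that sends more than LIMIT requests inside any WINDOW-long span. This is NOT
AWS's code and does not mirror AWS WAF's implementation; the log lines are
constructed for the example and WINDOW/LIMIT are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: 5-minute evaluation window
LIMIT = 100                     # assumption: requests per window per client IP


def parse_line(line):
    """Return (timestamp, client_ip, path) from a CLF-style access log line.

    Assumed format:
    '<ip> - - [dd/Mon/yyyy:HH:MM:SS +0000] "GET /path HTTP/1.1" 200 512'
    """
    ip, rest = line.split(" - - [", 1)
    ts_text, rest = rest.split("] ", 1)
    ts = datetime.strptime(ts_text.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    request = rest.split('"')[1]          # 'GET /path HTTP/1.1'
    path = request.split(" ")[1]
    return ts, ip.strip(), path


def rate_limit(lines, limit=LIMIT, window=WINDOW):
    """Replay log lines in time order and apply the rate-based rule.

    Returns (blocked_at, blocked_count): the timestamp at which each client
    IP was first blocked, and how many of its requests were blocked
    (the request that tripped the limit plus everything after it).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked_at = {}
    blocked_count = defaultdict(int)
    for line in lines:
        ts, ip, _path = parse_line(line)
        if ip in blocked_at:
            blocked_count[ip] += 1
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > limit:                # more than `limit` requests in `window`
            blocked_at[ip] = ts
            blocked_count[ip] += 1
    return blocked_at, dict(blocked_count)


def make_lines(ip, start, count, spacing_seconds, path="/index.html"):
    """Construct CLF-style log lines for the example (synthetic, not real traffic)."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i * spacing_seconds)
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512')
    return lines


START = datetime(2016, 12, 1, 12, 0, 0)
SAMPLE_LOG = sorted(
    make_lines("203.0.113.7", START, 20, 30)                      # one browser: 20 req in 10 min
    + make_lines("198.51.100.9", START, 150, 1)                    # flood: 150 req in 2.5 min
    + make_lines("192.0.2.50", START, 120, 2, "/api/status"),      # office NAT: 120 req in 4 min
    key=lambda line: parse_line(line)[0],
)

if __name__ == "__main__":
    blocked_at, counts = rate_limit(SAMPLE_LOG)
    for ip, ts in blocked_at.items():
        print(f"{ip} blocked from {ts:%H:%M:%S}, {counts[ip]} requests dropped")
```

Two things the run shows that the marketing text does not: the flood source is cut off at its 101st request (12:01:40), but the NAT address shared by many ordinary users crosses the same threshold at 12:03:20 and loses 20 legitimate requests. That collateral damage is exactly why you want visibility into what the rule is blocking before you turn it from count to block, which is the concern raised in the bullets below.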
Some bullet points:
- The basic service is free, which removes the burden of arranging basic DDoS protection yourself with a third party.
- Until today, a DDoS attack on your AWS estate could cost you big money as the bandwidth and capacity it consumed landed on your bill. (Shield Advanced also adds cost protection for usage spikes caused by an attack.)
- It puts AWS on equal footing with colocation providers who offer simple, easy-to-consume DDoS services, removing a sales objection.
- You can buy AWS Shield Advanced if you are using Elastic Load Balancing, Amazon CloudFront or Amazon Route 53 as your front end.
- You might see this as lock-in, pushing you to use more AWS services. Then again, not that many people avoid these services because their features are somewhat simple and limited.1
- Advanced is $3,000 per month, with a one-year commitment, plus usage fees.
- It could be painful to find out that Shield is blocking traffic to your site for some reason, since the mitigation is automatic. However, a dedicated DDoS Response Team (DRT) has been created for Advanced customers, so this could work.
- DDoS providers will be reworking their budgets for 2017; a certain amount of business will likely migrate to AWS.
- The inline WAF will impact a number of load balancing companies that have been attempting to reposition as security appliances. Many people run WAFs as VMs in their AWS setups.
1. Any product at scale has limited features. AWS products are highly restricted to maximise revenue, minimise support and remove complexity. A complex product isn't that great in the public cloud. ↩