From the course: AWS Administration: Security Operations

AWS Shield: Standard - Amazon Web Services (AWS) Tutorial

AWS Shield: Standard

- [Instructor] If you're a customer of Amazon, you're being protected by a service called AWS Shield. There's an additional version of Shield called Advanced that you probably want to know about as well. So the concept here is infrastructure protection and what Amazon is doing for us automatically. AWS Shield Standard is basic DDoS protection. That's the Denial of Service protection that all cloud providers are actually providing for their customers. After all, it's the cloud and it's not our data center. So they have to protect their resources. Now keep in mind, we're talking about public-facing resources. Shield is automatically enabled for all AWS customers at no additional cost. So the idea with Shield is to help protect website attacks.

Some examples of what Shield can help with is layer 3 and layer 4 infrastructure attacks, sometimes called UDP floods or reflection attacks. What's happening here is that this communication from an attacker attempting to overwhelm the server by having the server respond so many times, it's exhausted. And sometimes if the attacks are reflected, then they're reflected from a third party and it actually hides the actual origin of the attack. You may find out it's potentially coming from a certain country, but we can't get much more detail.

Now the idea of an exhaustion attack such as a TCP SYN or DNS query flood, you've got a relationship with a server from the client to the server, so the client wants to access the server, so client makes a connection to the server with a SYN packet. The server returns an acknowledgement and if everything's working correctly, and it's a true client, the client will return its own acknowledgement. So we've basically had a three-way handshake. Hey, are you there? Yes I am. Okay great, now we're going to talk. In a SYN flood, that third acknowledgement, now we're going to talk, is never returned and the server's left hanging. Well, if the server's left hanging in a lot of communication, it's kind of stuck, it can't continue.

A DNS query flood, the attacker will use multiple DNS queries just to exhaust the resources of the server. And remember, in this case, with DNS, I'm asking DNS, where is this resource? Well, you could overwhelm even a DNS service like Route 53. It has happened in the past. So Route 53 is protected by Shield.

We could also have an application-layer attack like HTTP GET or POST floods. And in this case, multiple HTTP requests that appear to be from a real user from a web app. So again, we're trying to overwhelm the server with requests and the server is too busy to respond, therefore, it's not working for anybody, any real users that are trying to connect to that server. So we want to cut down these attacks as much as possible. And Shield is giving us a baseline of protecting these attacks.

So number one, if you have a web app where people are connecting to across the internet, if you are connecting to public S3 buckets behind CloudFront, you're probably happy with Shield because it's at least giving a baseline of protection for those public resources. Shield Standard, the goal is to protect against all known infrastructure Layer 3 and Layer 4 attacks. It's almost an impossible statement, isn't it? But the goal of Amazon is to continually update the attacks that are out there in the real world so Shield can handle them.
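Added example, not part of the course transcript: a small detector for the "server left hanging" condition described above, counting handshakes that received a SYN-ACK but never the final ACK. The record format, field names, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample, not real traffic: (time_s, src_ip, src_port, flags) as seen
# at the server. "S" = client SYN, "SA" = server SYN-ACK, "A" = client's final ACK.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE = [
    (0.00, "192.0.2.10", 40001, "S"), (0.01, "192.0.2.10", 40001, "SA"),
    (0.05, "192.0.2.10", 40001, "A"),          # normal three-way handshake
    (2.00, "192.0.2.20", 40002, "S"), (2.01, "192.0.2.20", 40002, "SA"),
    (2.50, "192.0.2.20", 40002, "A"),          # slow but legitimate client
    (9.50, "192.0.2.30", 40003, "S"), (9.51, "192.0.2.30", 40003, "SA"),  # still in flight
]
# Six SYNs from one source that never send the third packet of the handshake.
for i in range(6):
    SAMPLE.append((1.0 + i * 0.01, "198.51.100.7", 50000 + i, "S"))
    SAMPLE.append((1.0 + i * 0.01 + 0.001, "198.51.100.7", 50000 + i, "SA"))


def half_open_by_source(records, now, timeout=3.0):
    """Count, per source, handshakes answered with SYN-ACK but not ACKed within timeout."""
    pending = {}  # (src_ip, src_port) -> time of the server's SYN-ACK, or None
    for ts, src, sport, flags in sorted(records):
        key = (src, sport)
        if flags == "S":
            pending.setdefault(key, None)      # SYN seen, server has not answered yet
        elif flags == "SA" and key in pending:
            pending[key] = ts                  # server is now holding state for this client
        elif flags == "A":
            pending.pop(key, None)             # handshake completed, state released
    counts = Counter()
    for (src, _port), answered in pending.items():
        if answered is not None and now - answered >= timeout:
            counts[src] += 1
    return counts


def suspects(records, now, threshold=5, timeout=3.0):
    """Sources with at least `threshold` stale half-open handshakes."""
    counts = half_open_by_source(records, now, timeout)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE, now=10.0))
    print(suspects(SAMPLE, now=10.0))
```

Source addresses in a flood can be spoofed or reflected, so the per-source count is a triage signal for the defender, not proof of origin.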
