Pallavi Dhamal
CS615 - Meetup Report: Building DDoS resilient applications using AWS Shield

Speakers:
Justin Kurpius, Edge Security GTM Specialist, AWS
Chido Chemambo, Shield Response Team (SRT) Engineer, AWS

On April 19, 2022, I attended an AWS Online Tech Talk! The speakers discussed how applications can be protected from DDoS attacks using AWS Shield. AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. It provides detection and automatic mitigation, which minimizes downtime and latency. AWS Shield Advanced stands on three main pillars: Protection, Scale on demand, and Compliance.

Points covered in the meetup:
1. Overview
2. Shield Service Tiers
3. How to Deploy Shield Advanced
4. Automatic Application Layer DDoS Mitigation
5. Demo

The speakers discussed the differences between AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard works behind the scenes with no configuration. In case of downtime, it simply works in the background and the user cannot do anything. This is not the case with AWS Shield Advanced, which is specifically useful for mission-critical applications where downtime would be a horrible situation. It offers the visibility to make the configurations discussed later in this document. It has a DDoS threat environment dashboard, which shows what is happening globally and with specific resources. Apart from this, it provides 24x7 access to the Shield Response Team (SRT), which helps with any potential DDoS problem, both reactively and proactively. The SRT also helps by discussing problems, applying best practices, and offering solutions. Additionally, it provides automatic Layer 7 mitigation, comprising Adaptive L3-4 protection, L7 anomaly detection via AWS WAF, health-based detection, and proactive event response.
Shield Advanced setup has the following steps:

1. Subscribe to Shield Advanced - You must pay $3000/month for the entire organization.
2. Add resources to protect - AWS Shield is used to protect various resources such as a Cloudflare distribution, a Route 53 hosted zone, an Application Load Balancer, an Elastic IP address, etc. Next, we need to create a WebACL to protect the selected resources. A rate-based rule is added with the value of the rate limit and an action of block or count; for example, a rule that triggers if a particular IP address has 1000 hits within a 5-minute rolling window.
3. Configure AWS SRT support - Once the resources are protected and the rule is added, the SRT configuration takes place. SRT access settings have three options: Do not grant SRT access to the account, Create a new role, and Choose an existing role.

Once all the above steps are configured, under the Overview section one can set up proactive engagement and contacts. It notifies contacts about escalations to the AWS SRT and initiates proactive customer support. The contact person can be the application manager, the development team, the security team, the application owner, etc.

AWS Shield Advanced also has a separate section for "Events". It allows the user to view any ongoing or past DDoS events. It shows information such as the AWS resource type, the current status (for example, mitigation-in-progress or mitigated), attack vectors such as UDP traffic, the start date, and the duration.

To summarize, the steps below are carried out in order to protect the application from DDoS attacks:

Subscribe to AWS Shield Advanced -> Select resources to protect -> Assign or choose an existing WebACL -> Create and assign Route 53 health checks -> Create alarms and notifications -> Enable proactive DDoS response
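As an added example (not code from the talk or from AWS), the following Python builds the rate-based rule described above in the shape the WAFv2 API expects (Limit 1000, aggregated by source IP, action Block or Count) and then replays constructed sample traffic through a simplified local model of the 5-minute rolling window, so one can see which requests the rule would block or count. The evaluation model is a simplification of the real service (which updates its counts periodically rather than per request); the IP addresses are constructed test values.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the 5-minute rolling window a rate-based rule counts over


def rate_based_rule(limit=1000, action="BLOCK"):
    """Return a WAFv2 rule definition (dict shaped like the create_web_acl
    'Rules' entry) that rate-limits by source IP with a Block or Count action."""
    if action not in ("BLOCK", "COUNT"):
        raise ValueError("action must be BLOCK or COUNT")
    return {
        "Name": "RateLimitPerIP",
        "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {action.capitalize(): {}},  # {"Block": {}} or {"Count": {}}
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "RateLimitPerIP"},
    }


class RateLimiter:
    """Simplified local model of the rule: per-IP timestamps kept for the window."""

    def __init__(self, rule):
        self.limit = rule["Statement"]["RateBasedStatement"]["Limit"]
        self.action = next(iter(rule["Action"])).upper()  # BLOCK or COUNT
        self.hits = defaultdict(deque)

    def evaluate(self, ip, ts):
        window = self.hits[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:  # drop expired hits
            window.popleft()
        return self.action if len(window) > self.limit else "ALLOW"


def simulate(rule, requests):
    """requests: iterable of (timestamp_seconds, source_ip); returns (ip, ts, decision)."""
    limiter = RateLimiter(rule)
    return [(ip, ts, limiter.evaluate(ip, ts)) for ts, ip in requests]


def sample_traffic():
    # Constructed sample: 203.0.113.7 sends 1001 requests in 50 s (exceeds the limit),
    # 198.51.100.9 sends 50 requests, then 203.0.113.7 returns after the window expires.
    reqs = [(i * 0.05, "203.0.113.7") for i in range(1001)]
    reqs += [(float(i), "198.51.100.9") for i in range(50)]
    reqs.append((400.0, "203.0.113.7"))
    return sorted(reqs)
```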