DDoS Protection - Multi-Layer Defense Design and Operations with AWS Shield
Learn about DDoS protection with AWS Shield Standard and Shield Advanced. This guide covers integration with CloudFront, Route 53, and ALB, combining with WAF, and cost protection features.
DDoS Attack Threats and AWS Multi-Layer Defense
A DDoS (Distributed Denial of Service) attack floods a service with traffic from many sources so that legitimate users can no longer reach it. Attacks are broadly categorized into L3/L4 (SYN flood, UDP reflection, DNS amplification) and L7 (HTTP flood, Slowloris). AWS Shield is a managed service dedicated to DDoS protection, offered in two tiers: Standard and Advanced. Shield Standard is applied automatically to every AWS account at no cost and detects and mitigates common L3/L4 DDoS attacks. AWS's global network has bandwidth of several Tbps, so large volumetric attacks are absorbed at the edge. Shield Advanced is a paid service at $3,000 per month (1-year commitment) that adds L7 attack protection, real-time attack visibility, and 24/7 incident response support from the Shield Response Team (SRT).
Shield Standard Automatic Protection
Shield Standard is applied to AWS resources without additional configuration. It continuously monitors CloudFront, Route 53, ALB, NLB, and Elastic IP addresses (EC2) for L3/L4 attacks and executes mitigation automatically when abnormal traffic patterns are detected. CloudFront and Route 53 run on AWS's global edge network (400+ PoPs), so attack traffic is handled at the edge before it reaches origin servers, and large-scale attacks are absorbed without placing load on origin infrastructure. Shield Standard's protection is transparent, with no impact on legitimate traffic: a SYN proxy is applied automatically against SYN floods, and traffic scrubbing against UDP reflection attacks. Shield Standard alone defends against the majority of DDoS attacks observed on the internet.
Shield Advanced - Advanced Protection Features
Shield Advanced adds the following capabilities on top of Shield Standard. L7 (application layer) DDoS detection and mitigation identifies attacks that are disguised as legitimate requests, such as HTTP floods and mass API requests. Integration with WAF allows rate-based rules and custom rules to be applied automatically based on observed attack patterns. The SRT (Shield Response Team) is an AWS security expert team that provides 24/7 support during an attack; once you grant it access, the SRT can modify your WAF rules directly to mitigate an attack, which significantly shortens emergency response time. Attack visualization shows the real-time attack status (attack vectors, traffic volume, mitigation status) through CloudWatch metrics and dashboards. Cost protection is a key Shield Advanced feature: it reimburses the AWS resource scaling costs caused by a DDoS attack (EC2 Auto Scaling, CloudFront data transfer, Route 53 queries, ALB), which limits the risk of a sudden cost spike during an attack.
Combining with WAF and Best Practices
Combining Shield Advanced with WAF gives multi-layer defense covering every layer from L3 to L7. The Shield Advanced subscription includes WAF usage fees for protected resources (no additional WAF charges). Rate-based rules block source IPs that exceed a request threshold within a time window, and geo-match rules can block access from specific countries. Enabling Shield Advanced's automatic L7 mitigation creates and applies WAF rules automatically when an attack is detected. As a best practice, place CloudFront as the entry point for all traffic and block direct access to origins with security groups. Combining Route 53 health checks with Shield Advanced improves attack detection accuracy, because Shield can correlate traffic anomalies with the health of the protected resource. Shield Advanced integrates with AWS Organizations, so one subscription fee, paid through the management account, covers every account in the organization.
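The WAF rate-based rule, the Shield Advanced protection and the automatic L7 mitigation described above, written out as an added Terraform example (not code from the original guide or from AWS). It assumes an existing distribution resource named aws_cloudfront_distribution.site that already references the web ACL, a provider configured for us-east-1, and an active Shield Advanced subscription; the resource names and the 2,000-request threshold are illustrative.

```hcl
# Assumes: provider configured for us-east-1 (CLOUDFRONT-scoped web ACLs live there),
# an existing aws_cloudfront_distribution.site with web_acl_id = aws_wafv2_web_acl.edge.arn,
# and an active Shield Advanced subscription on the account.
resource "aws_wafv2_web_acl" "edge" {
  name  = "edge-ddos-acl"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Rate-based rule: block any source IP that exceeds 2,000 requests within the
  # evaluation window (5 minutes by default). The threshold is illustrative.
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-ddos-acl"
    sampled_requests_enabled   = true
  }
}

# Register the distribution as a Shield Advanced protected resource.
resource "aws_shield_protection" "cdn" {
  name         = "cdn-protection"
  resource_arn = aws_cloudfront_distribution.site.arn
}

# Automatic L7 mitigation: on attack detection, Shield Advanced adds blocking
# rules to the web ACL associated with the distribution (COUNT is the dry-run mode).
resource "aws_shield_application_layer_automatic_response" "cdn" {
  resource_arn = aws_cloudfront_distribution.site.arn
  action       = "BLOCK"
  depends_on   = [aws_shield_protection.cdn]
}
```

Locking the origin down as the text recommends is a separate security group rule that allows inbound traffic only from the AWS-managed CloudFront origin-facing prefix list; it is not shown here.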
Shield Pricing
Shield Standard is enabled automatically at no cost for all AWS accounts. Shield Advanced has a fixed monthly fee of $3,000 plus additional charges based on the data transfer volume of protected resources, and a 1-year commitment is required. When enabled through Organizations, the $3,000 monthly fee is charged only once for the entire organization. Shield Advanced's cost protection reimburses the scaling cost increases caused by DDoS attacks, which makes it a high-ROI investment for services at high risk of attack.
Summary - Shield Usage Guidelines
AWS Shield is a service that automates DDoS attack protection. Shield Standard is applied to all accounts at no cost, automatically mitigating the majority of L3/L4 attacks. Consider Shield Advanced for mission-critical workloads. The $3,000 monthly investment provides L7 defense, SRT support, cost protection, and attack visibility. Placing CloudFront as the frontline edge defense and combining WAF with Shield Advanced for multi-layer defense is the best practice for DDoS protection on AWS.