Can CloudFront protect EC2 server from DDoS?
I am maintaining an embedded database for a web app on an EC2 instance. Since this central server is single-threaded, it's very susceptible to DDoS (even a non-distributed attack would cripple it).

AWS has DDoS protection for its CDN CloudFront, so I am wondering if I can use CloudFront as a layer of indirection around my EC2 instance for DDoS protection.

The problem is figuring out how to effectively prevent users from bypassing CloudFront and hitting the server directly. My questions:

  • Will users be able to trace the network path to get the IP of my EC2 instance, or will they only be able to see the API URL for CloudFront?
  • Is there a way to prevent traffic from reaching my EC2 instance if it didn't come through CloudFront? I see that there is an option to send a custom origin header from CloudFront, but this doesn't solve the problem--I'd still have to process each request in my EC2 instance. Is there a way to configure input rules to my server which prevent it from processing non-CloudFront requests?

I am new to thinking about network architecture and security, so any and all advice is appreciated!

Sjambok answered 4/7, 2018 at 22:19 Comment(1)
Questions on professional server- or networking-related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. You may be able to get help on Server Fault. – Polynuclear

AWS Shield Standard is included automatically and transparently with Amazon CloudFront distributions, providing:

  • Active traffic monitoring with network flow monitoring and automatic always-on detection.
  • Attack mitigation with protection from common DDoS attacks (e.g. SYN floods, ACK floods, UDP floods, reflection attacks) and automatic inline mitigation; you can use AWS WAF in conjunction to mitigate Layer 7 attacks.

To prevent users from bypassing CloudFront and directly accessing your EC2 instance, you can use security groups whitelisting the AWS CloudFront IP address list. Since this list is subject to change, you can set up a Lambda function to update it automatically once AWS changes CloudFront IPs. For more information about this, refer to the article How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda.

If you are using an Application Load Balancer, you can whitelist a header and add it to the CloudFront origin so that the requests are only accepted if the header is present. (This could also be added to the web server's header whitelisting, but then the HTTP requests will be rejected only at the web server level, as you clearly identified.)

Also, you can include an AWS WAF configuration (at the ALB or CloudFront, whichever you use as the external interface) with rate limiting to prevent any abuse, which is easy to set up and cost-effective.

Cuneate answered 5/7, 2018 at 1:58 Comment(3)
Thanks Ashan, this is really helpful. One clarifying question: if I use the security group whitelisting approach, does this completely prevent my EC2 instance from doing any processing of illegal requests? (In other words, where does the request get intercepted and blocked, and will it take up any CPU time?) – Sjambok
Security groups are associated with network interfaces. Therefore the requests get intercepted and blocked without using the resources of the EC2 instance. – Cuneate
Gotcha. I tried implementing the WAF rate limit as you suggested, but it doesn't seem to work. In case you have any thoughts on this, I posted this as a separate question: #51195719. Thanks again for your help. – Sjambok
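The security-group approach in the answer above boils down to one piece of logic: read the AWS IP range feed, keep only the CloudFront prefixes, diff them against what the instance's security group currently allows, and authorize/revoke the difference. The following is an added example of that logic (not the code from the AWS blog post, and not part of the original thread). It runs offline against a constructed, shortened stand-in for ip-ranges.json and a constructed security group; the `apply_changes` function shows the two boto3 calls that would perform the update in a Lambda, and is the only part that needs AWS access. The group ID, port and sample prefixes are assumptions for illustration.

```python
"""Plan security-group updates that admit only CloudFront edge IP ranges.

Added example; offline, with constructed inputs. The live feed is
https://ip-ranges.amazonaws.com/ip-ranges.json.
"""
import ipaddress
import json

# Constructed, shortened stand-in for ip-ranges.json (not real current data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1530000000",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2"},
    ],
})

# Constructed DescribeSecurityGroups-shaped record: one CloudFront range already
# present, plus a stale range that must be revoked.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # assumed ID
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "13.32.0.0/15"}, {"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},  # unrelated rule, left alone
    ],
}


def cloudfront_cidrs(ip_ranges_json, service="CLOUDFRONT"):
    """Return the set of IPv4 prefixes tagged with `service` in the feed.

    Every prefix is parsed with ipaddress so a malformed or tampered feed
    raises instead of becoming a bogus security-group rule.
    """
    data = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in data["prefixes"] if p["service"] == service}
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=True)
    return cidrs


def current_cidrs(security_group, port):
    """IPv4 CIDRs the group currently allows on TCP `port` (other rules are ignored)."""
    found = set()
    for perm in security_group.get("IpPermissions", []):
        if (perm.get("IpProtocol") == "tcp"
                and perm.get("FromPort") == port and perm.get("ToPort") == port):
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found


def plan_changes(desired, current):
    """Return (to_add, to_remove) as sorted lists so the change is reviewable."""
    return sorted(desired - current), sorted(current - desired)


def ip_permissions(cidrs, port):
    """Build the IpPermissions structure boto3 expects for authorize/revoke."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "CloudFront edge"} for c in cidrs],
    }]


def apply_changes(ec2, group_id, port, to_add, to_remove):
    """Apply the plan with a boto3 EC2 client. Not exercised offline."""
    if to_add:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=ip_permissions(to_add, port))
    if to_remove:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=ip_permissions(to_remove, port))


def plan_for_sample(port=443):
    """Run the planner on the constructed feed and group."""
    desired = cloudfront_cidrs(SAMPLE_IP_RANGES)
    current = current_cidrs(SAMPLE_SECURITY_GROUP, port)
    return plan_changes(desired, current)


if __name__ == "__main__":
    add, remove = plan_for_sample()
    print("authorize:", add)
    print("revoke:   ", remove)
```

Two practical caveats when doing this for real: a security group has a per-group rule quota (60 inbound rules by default), and the full CloudFront list does not fit in one group, which is why the AWS blog post spreads the ranges across several groups attached to the same instance; and the feed also carries a narrower origin-facing CloudFront range set, which is the one an origin actually needs to admit. The revoke step matters as much as the authorize step: a range AWS has retired could be reassigned to anyone, so a stale allow rule reopens the bypass the whole design exists to close.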
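The answer's second option, checking a custom origin header that CloudFront injects, is a shared-secret check that, as the asker noted, only fires after the request has already reached the server. The following is an added example (not from the original thread or from AWS) of that check as WSGI middleware: it compares the presented header against the configured value in constant time and accepts more than one value so the secret can be rotated without a gap. The header name `X-Origin-Verify`, the secret strings and the tiny application behind it are constructed for illustration.

```python
"""Reject requests that lack the secret header CloudFront adds at the origin.

Added example; the header name and secrets below are constructed.
Run stand-alone to see one accepted and one rejected request.
"""
import hmac


class RequireOriginHeader:
    """WSGI middleware: only pass requests carrying a known origin-verify value.

    `accepted_values` holds the current secret and, during rotation, the
    previous one, so the CloudFront origin header can be changed without a
    window in which every request is refused.
    """

    def __init__(self, app, header_name, accepted_values):
        self.app = app
        # WSGI exposes request headers as HTTP_<NAME> with dashes mapped to underscores.
        self.env_key = "HTTP_" + header_name.upper().replace("-", "_")
        self.accepted = [v.encode() for v in accepted_values]
        if not self.accepted:
            raise ValueError("at least one accepted value is required")

    def is_authorized(self, environ):
        presented = environ.get(self.env_key, "").encode()
        # Compare against every value so timing does not reveal which one matched.
        ok = False
        for value in self.accepted:
            if hmac.compare_digest(presented, value):
                ok = True
        return ok

    def __call__(self, environ, start_response):
        if not self.is_authorized(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Constructed stand-in for the real application behind the check."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run_request(app, environ):
    """Call a WSGI app directly and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Constructed secrets: in production generate them with secrets.token_urlsafe()
# and set the same value as the custom origin header on the CloudFront distribution.
CURRENT_SECRET = "constructed-secret-2"
PREVIOUS_SECRET = "constructed-secret-1"
protected_app = RequireOriginHeader(hello_app, "X-Origin-Verify",
                                    [CURRENT_SECRET, PREVIOUS_SECRET])

if __name__ == "__main__":
    print(run_request(protected_app, {"HTTP_X_ORIGIN_VERIFY": CURRENT_SECRET}))
    print(run_request(protected_app, {}))
```

Note what this does and does not buy you. The server still accepts the TCP connection, completes the TLS handshake if any, and parses HTTP headers before the 403 is sent, so on a single-threaded origin an attacker who has found the instance IP can still tie it up; the security group (or ALB listener rule) is what keeps that traffic off the instance entirely. The header check is worth keeping as a second layer because it also catches traffic that arrives from an allowed CloudFront range but through someone else's distribution pointed at your origin, which an IP allow list alone cannot distinguish.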

© 2022 - 2024 — McMap. All rights reserved.