How can I prevent a DDOS attack on Amazon EC2?
Solution 1
A DDOS (or even a DOS), in its essence, is a resource exhaustion. You will never be able to eliminate bottlenecks, as you can only push them farther away.
On AWS, you are lucky because the network component is very strong - it would be very surprising to learn that the upstream link was saturated. However, the CPU, as well as disks I/O, are way easier to flood.
The best course of action would be by starting some monitoring (local such as SAR, remote with Nagios and/or ScoutApp) and some remote logging facilities (Syslog-ng). With such setup, you will be able to identify which resources get saturated (network socket due to Syn flood ; CPU due to bad SQL queries or crawlers ; ram due to …). Don’t forget to have your log partition (if you don’t have remote logging enable) on an EBS volumes (to later study the logs).
If the attack come through the web pages, the access log (or the equivalent) can be very useful.
Solution 2
You can also further isolate your EC2 instances by putting them behind an Elastic Load Balancer and only accepting traffic from the ELB instance. This puts more of the onus on Amazon to manage DDOS attacks.
I assume that you'll still have SSH open to all, so it's likely you'll still see some rogue traffic coming in there, unless you can lock down that port to some static IPs. You could change the SSHd port to something more obscure (i.e., something other than 22) to further reduce DDOS hits (most bots only check known ports).
I'll also mention fail2ban, which can monitor logs and temporarily modify your ip tables to block specific IPs (for instance, if there have been 6 failed attempts to SSH into your host from a single IP address, it can block that IP for 30 minutes or so). Keep in mind that (as Jordan astutely commented) fail2ban is probably not appropriate for blocking proxied traffic (e.g., that from an ELB) because it will block the IP of the proxy, not necessarily the original remote IP.
I haven't used it, but Apache mod_evasive may also be worth investigating; however, it may have the same weakness as fail2ban when it comes to IP-based blocking.
Solution 3
If you are using Apache, I suggest using mod_security. Packaged by most vendors, the core rules set does a fantastic job.
Another hardening step is limiting the requests at the webserver level. Nginx., Apache can throttle and limit incoming requests.
Solution 4
The solution I use for blocking realtime bad activity IP's coming out of AWS and others is this... In my CSF Firewall in the config for LFD Blocklists I use a list found here - http://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time
Download Blacklist for CSF Firewall » http://myip.ms/files/blacklist/csf/latest_blacklist.txt
No more outrageously obnoxious AWS traffic.
Solution 5
I am biased, as I work for a content delivery network as a security Presales engineer.
However, leveraging a Ddos mitigation solution on a content delivery network ensures that you never run out of resources at the origin. It's similar to putting an F5 load balancer in front of your site, but spread to thousands of locations around the world.
A good cdn will allow you to cloak the origin with a whitelist which you install on the aws firewall. So when attackers perform their reconnaissance on Amazon, your IP address will come up empty as everything will be blocked.
So the Ddos attacks are blocked when the traffic hits a node as close as possible to the attacker. This ensures you mitigate Ddos attacks as far away from the asset you are trying to protect.
A good cdn can also perform health checks and failover traffic to other locations eg another ego on in ass, Azure, rack space, soft layer, a physical dc etc. It should also have a WAF to ensure you can block application layer exhaustion attacks like RUDY, slowpost, slowloris as well as sqli, xss, rfi, lfi etc.
By default the cdn also blocks network layer attacks like teardrop, icmp attacks, synfloods etc. A cdn is able to mitigate Ddos attacks because trey have vast amounts of capacity to accept the requests, filter out bad traffic and pass on the good traffic. So amplifying attacks like ntp, DNS, ssdp, chargen and snmp volumetric attacks can be blocked.
The largest attack I have seen to date has been 321gbps in July 2014. During this attack there was also a DNS protocol attack at 20gbps. So you will need to ensure you DNS infrastructure is also resilient to withstand a huge number of requests.
From the description you provided, it looks like you were subject to an exhaustion attack, where thr attacker opened up lots of threads such that all the threads were consumed up on the web server, app server or firewall. It's similar to something like a slowpost, slowloris or RUDY.
To block against application layer exhaustion attacks you will need to get a web application firewall (WAF). A typical network firewall (including amazons firewall and next generation firewalls) won't be able to block it. Sent work firewalls these days can only block about 30% of all the attacks these days (Nov 2014).
Related videos on Youtube
14 : 55
46 : 16
04 : 08
05 : 30
05 : 26
cwd
Updated on September 18, 2022Comments
-
cwd over 1 year
One of the servers I use is hosted on the Amazon EC2 cloud. Every few months we appear to have a DDOS attack on this sever. This slows the server down incredibly. After around 30 minutes, and sometimes a reboot later, everything is back to normal.
Amazon has security groups and firewall, but what else should I have in place on an EC2 server to mitigate or prevent an attack?
From similar questions I've learned:
- Limit the rate of requests/minute (or seconds) from a particular IP address via something like IP tables (or maybe UFW?)
- Have enough resources to survive such an attack - or -
- Possibly build the web application so it is elastic / has an elastic load balancer and can quickly scale up to meet such a high demand)
- If using mySql, set up mySql connections so that they run sequentially so that slow queries won't bog down the system
What else am I missing? I would love information about specific tools and configuration options (again, using Linux here), and/or anything that is specific to Amazon EC2.
ps: Notes about monitoring for DDOS would also be welcomed - perhaps with nagios? ;)
-
NukaRakuForgotEmail over 12 yearsPreventing it is nearly impossible but you could certainly decrease your vulnerability.
-
cwd over 12 yearsVery true. And I would be happy with answers that discuss decreasing vulnerability :)
-
stew over 12 yearsIn order to know how to prevent it, one would need to know more about the nature of the attack. Was it a syn-flood? Was there a web page that is expensive that was being hit? was it some other service?
-
cwd over 12 yearsI think it was a webpage but am not sure. I would also welcome tips on monitor and investigating these. Some of the access logs have already been deleted - what else should I be looking for?
-
stew over 12 yearsand actually, if a reboot fixes the problem, then I don't know what it could be, except perhaps your server has a resource leak somewhere. A reboot certainly cannot stop a DDoS on its own. How do you know this is a DDoS at all?
-
cwd over 12 years+1 thank you. actually i did have ssh closed down ;)
-
cwd about 12 yearsawesome - those look like fantastic options thanks!
-
Scott Pack over 10 yearsWelcome to Server Fault! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
-
kasperd over 9 yearsThis does not answer the question. -
Pacerier over 9 yearsYou may want to check out the "load-based" section of serverfault.com/a/531942/87017
-
Jordan Reiter almost 8 yearsNote that if you are behind an ELB, fail2ban will not work — because it generally functions by blocking an IP in iptables. But the IP is always going to be that of your ELB. I realized that after trying to add fail2ban to my setup. It doesn't work if the user is only accessing via the ELB.
