
I have a web application (NodeJS) and I plan to deploy it to AWS. To minimize the cost it will run on a single EC2 instance. I'm worried though about what will happen if someone decides to bless me with a DDOS attack and hence have a few questions. Now, I did quite a bit of research, but as my understanding is clearly lacking I apologise if some of the questions are plain stupid:

  1. I want to avoid people flooding my site with layer 4 attacks. Would it be sufficient to set my Security Group to accept traffic only (in addition to SSH port 22) from:

    Type HTTP

    Protocol TCP

    Port Range 80

Would the above stop UDP floods and others from hitting my EC2 instance?

  2. Via Security Group I would allow SSH connections to port 22 only from my static IP address. Would that keep attackers away from trying to attack port 22 completely?

  3. My EC2 instance will run Ubuntu. I want to avoid application layer attacks (layer 7) and was planning to do it directly from my application, so somehow detect if a certain IP floods particular URLs and block them if necessary. This however seems a bit late as the traffic already hits my web server and my server has to do the work anyway. So instead of doing this directly from my application I was wondering if it was possible to use iptables to block any dodgy traffic before it comes to my web server. Is there a set of common settings that would be able to recognise rogue behaviour and block offenders? I was planning to look into fail2ban in the hope this would simplify the process. Now, I do understand if it gets that far it will hit my EC2 instance anyway, but I want to protect my application also from e.g. brute force attacks.

  4. Would AWS CloudFront take care of most DDOS layer 4 attacks? If not, would using free CloudFlare make any difference?

  5. Say that someone floods my website anyway and this results in more traffic than I anticipated. Is there any way to stop charges at some point? There are billing alerts but I cannot see any way to set hard limits on AWS and say take the instance offline if bandwidth is exceeded.

I also do realise that there is no way to completely prevent DDOS attacks but I want to protect at least against basic attempts. Thank you in advance for any help.

spirytus
  • Why do you not hide it totally? Put it behind a CDN (Cloudflare is available for cheap) and you have no issues on AWS at all ;) You even name it. It also can help you reduce traffic costs through better and distributed caching - all a good reason to use CloudFlare. – TomTom Dec 27 '15 at 18:54
  • You can also check ddos best practices whitepaper from AWS: https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf – dsmsk80 Dec 28 '15 at 15:21

2 Answers


1) Setting a Security Group is an easy and important layer of security. If you are running any web app then ports 80/443 are the ones that need to be open to the world, and 22 for accessing the server remotely via ssh should be allowed from a particular IP address only. Other than these 3 ports all traffic will be blocked. You can test this with a port scanner such as the NMAP tool.

2) Limit access for SSH to your static IP address only; also, for accessing the EC2 instance via ssh you need a key. If an attacker somehow gets to know your IP address, he/she still cannot access your server without the key.

Note :- If you are using a CDN (CloudFlare) then your EC2 static IP is already hidden.

3) You can limit the number of concurrent connections from the same IP address to your server.

You can use Linux firewall rules for that :-

# Rate-limit NEW connections to port 80 with the "recent" match (adjust -i if your interface is not eth0).
# Both commands use -I (insert at the top), so the DROP check ends up ABOVE the --set rule and runs first.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Save the ruleset; something (e.g. the iptables-persistent package, or iptables-restore < /etc/iptables.up.rules from a boot script) must reload it after a reboot.
iptables-save >/etc/iptables.up.rules

The first line will watch the IPs connecting to your eth0 interface. The second line will check if the connection is new within the last 60 seconds and if the packet flow is higher than ten, and if so it will drop the connection. The third line will make the rules persistent in case of a reboot.

To verify the number of concurrent connections from all clients that are connected to your server :-

# connections per remote IP on port 80 (note: 'grep :80' also matches e.g. :8080)
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

It will show a list of the current active connections by IP address, and the offending IP is usually the one with a high number of connections.

12  10.1.1.1
160 162.19.17.93

In the example above the first number is the number of connections followed by the Originating IP address.

Note :- On a heavily loaded server the number of connections may be above 100, but during a DDOS attack the number will go even higher. For an average host, if you have more than 30 connections from a single IP, chances are you are under attack. If more than 5 such IPs/hosts are connected from the same network, that's a very clear sign of a DDOS attack.

The output of lsof, netstat and tcpdump is very useful in detecting this type of issue.

Now that you have the IP address of the client, you can use iptables to block that IP, or the tcpkill command. tcpkill is part of the dsniff package.

apt-get install dsniff

Then issue :-

tcpkill host x.x.x.x

The above method is good and will help you mitigate a small DDOS attack if applied correctly. Now if you are using a CDN (CloudFlare) then you can block the attacker at that level. You can use the CloudFlare API to block the IP address; that way the traffic will not come to your server at all.

Read more in the CloudFlare API docs.

Refer to the above method and create a script that will help you with automation.

4) In my opinion CloudFlare is better than CloudFront. CloudFlare is easy to set up and from one control panel you can handle everything. Even if you find a heavy amount of unnecessary traffic, CloudFlare's "I'm Under Attack" mode will mitigate it in under 5-10 seconds.

Read more about DDOS and I'm Under Attack mode on the CloudFlare blog.

5) You can set up AWS alarms to stop/terminate the EC2 instance if your network bandwidth exceeds the limit.

AWS Alarm Sample

Edit :- One important thing is to try to set up a monitoring tool (like Nagios) and a log management tool for web app access. This will help you find the bottleneck.

  • Nagios site is down, maybe they're under DDoS :) Anyway not really a good advertisement for technology that is supposed to protect sites. – Ska Nov 22 '16 at 18:40
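The answer above leaves the "connection count per IP, then block" workflow as a manual netstat-and-iptables sequence and suggests scripting it. The following is an added example (not code from the answer or from any project it mentions) that automates exactly that: it parses `ss -tn` or `netstat -tn` output, flags source addresses above a threshold, skips an allowlist, and drops offenders into a dedicated iptables chain. The port (80), the threshold (30, matching the answer's rule of thumb), the chain name, the allowlist entries and the embedded `ss` output are all hypothetical or constructed; it runs in dry-run mode by default and only touches the firewall with `DRY_RUN=0 SAMPLE=0` as root.

```shell
#!/bin/sh
# Added example, not code from the original answer: automate the
# netstat -> threshold -> iptables workflow. Hypothetical values: web port
# 80, 30 connections per source is the alarm line, `ss` (iproute2) is
# available, iptables/ip6tables are the firewall, run as root for real blocks.
set -eu

PORT="${PORT:-80}"
THRESHOLD="${THRESHOLD:-30}"
CHAIN="${CHAIN:-DDOS_BLOCK}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands instead of running them
ALLOWLIST="${ALLOWLIST:-127.0.0.1 10.}" # exact addresses or prefixes ending in '.'

# Read `ss -tn` (or `netstat -tn`) output on stdin; print "<count> <ip>" for
# every peer connected to local port $PORT, busiest first. Matches the local
# port exactly, so :8080 or our own outbound connections to port 80 are not
# counted (the answer's `grep :80` would count both). Handles [v6]:port too.
count_by_ip() {
    awk -v port=":$PORT" '
        substr($4, length($4) - length(port) + 1) == port {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # strip the remote port
            gsub(/\[/, "", peer); gsub(/]/, "", peer)   # strip IPv6 brackets
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Exit 0 when $1 is allowlisted (exact match, or prefix like "10.").
in_allowlist() {
    ip=$1
    for entry in $ALLOWLIST; do
        case $entry in
            *.) case $ip in "$entry"*) return 0 ;; esac ;;
            *)  [ "$ip" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Read "<count> <ip>" lines; print addresses at/above THRESHOLD not allowlisted.
offenders() {
    while read -r count ip; do
        [ -n "$ip" ] || continue
        [ "$count" -ge "$THRESHOLD" ] || continue
        if in_allowlist "$ip"; then continue; fi
        printf '%s\n' "$ip"
    done
}

# Drop all traffic from $1 via a dedicated chain hooked at the top of INPUT,
# so the current blocks can be listed (iptables -L DDOS_BLOCK -n) or flushed
# (iptables -F DDOS_BLOCK) without touching the rest of the ruleset.
block_ip() {
    ip=$1
    case $ip in *:*) fw=ip6tables ;; *) fw=iptables ;; esac
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -A %s -s %s -j DROP\n' "$fw" "$CHAIN" "$ip"
        return 0
    fi
    "$fw" -N "$CHAIN" 2>/dev/null || true
    "$fw" -C INPUT -j "$CHAIN" 2>/dev/null || "$fw" -I INPUT 1 -j "$CHAIN"
    "$fw" -C "$CHAIN" -s "$ip" -j DROP 2>/dev/null || "$fw" -A "$CHAIN" -s "$ip" -j DROP
}

# Constructed sample in `ss -tn` layout (not a real capture): one abuser with
# 40 connections, an internal host with 35 (allowlisted), a normal client
# with 5, one IPv6 client, and two connections on other ports.
sample_ss() {
    printf 'State  Recv-Q Send-Q Local Address:Port   Peer Address:Port\n'
    i=0; while [ $i -lt 40 ]; do i=$((i+1)); printf 'ESTAB  0      0      10.0.0.5:80   203.0.113.7:%s\n' $((40000+i)); done
    i=0; while [ $i -lt 35 ]; do i=$((i+1)); printf 'ESTAB  0      0      10.0.0.5:80   10.1.1.1:%s\n' $((50000+i)); done
    i=0; while [ $i -lt 5 ];  do i=$((i+1)); printf 'ESTAB  0      0      10.0.0.5:80   198.51.100.20:%s\n' $((60000+i)); done
    printf 'ESTAB  0      0      [::ffff:10.0.0.5]:80   [2001:db8::1]:3333\n'
    printf 'ESTAB  0      0      10.0.0.5:22   192.0.2.9:4444\n'
    printf 'ESTAB  0      0      10.0.0.5:8080   192.0.2.10:4445\n'
}

# Scan the live connection table (SAMPLE=0) or the constructed sample.
scan_and_block() {
    if [ "${SAMPLE:-1}" = 1 ]; then sample_ss; else ss -tn; fi \
        | count_by_ip | offenders | while read -r ip; do block_ip "$ip"; done
}

scan_and_block
```

Run it from cron every minute with `SAMPLE=0 DRY_RUN=0` once the dry-run output looks right. The allowlist matters: a NAT gateway or a load balancer in front of the instance will legitimately hold dozens of connections, and blocking it takes the site down more effectively than the flood would. For the same reason the CloudFlare route the answer mentions works only if CloudFlare's own address ranges are allowlisted and the instance also refuses direct (non-CDN) traffic.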

DDOS attacks can be mitigated in a lot of ways:

  1. By modifying architecture (AWS Resources)
  2. By using tools and utilities (inbuilt tools on ec2 instances)

Now, when you have a complex architecture for your webserver, I would suggest modifying your architecture. I have written a detailed blog on which services you should use to mitigate DDOS attacks on AWS.

If you're having such a problem with a single instance and you don't want to spend a lot on other AWS resources, then I have written another blog which demonstrates ways to prevent DDOS on an EC2 instance without using any third-party tools.

I hope this helps; let me know if you need more insight on the same topic.

Bhargav Amin
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the content from the blog posts here, and provide the link for reference. – Frederik Dec 01 '16 at 12:08