2

I have a small but popular local website; it is a nonprofit venture. We arrange programming contests. But randomly, in some contests, our servers go down. For example, in the last contest we had around 300 users and we deployed 12 C4Large grade servers (when the site went down, we increased the server count to tackle it), but still the site was down for 2 hours (even though after 1 hour most of the contestants left, seeing the site not working). All our servers are accessed through an AWS load balancer and we use SSL at the load balancer level. I think that due to using the load balancer, IIS can't differentiate incoming traffic by IP, so I can't apply the IIS built-in dynamic IP-based restriction for such an attack. Is there a way to do this from AWS?

Is this an issue of a DDoS/DoS attack on our server? We use the same servers and the same code, but in some contests we face this issue and in others we do not. But I do not know how to track this to be sure whether we are under DDoS or not. What can we do to protect ourselves?

Thanks

Jalal Uddin
  • If it is a DDoS, it is hard to detect since it is many IP addresses anyway sending requests to your site. However, most load balancers can be configured to send the original IP address of the request in an HTTP header to the backend. You can use this header information in the backend then instead of the TCP connection origination IP. I don't know the details how these work in AWS and IIS, but it should be possible. – Tero Kilkanen Jul 17 '17 at 06:43
  • ELB mediates *some* DDoS tactics by providing a scalable front-end tier that can absorb some nonsense so your servers don't have to... but you'll need to review the logs of the web server and of the ELB itself. If you haven't yet done these things, any further attempt at troubleshooting or explaining this amounts to unproductive guesswork. It's impossible to accurately speculate with regard to the nature or existence of malicious or disruptive activity without correlating and analyzing the logs. – Michael - sqlbot Jul 17 '17 at 08:57
  • You might benefit from using [AWS WAF](https://aws.amazon.com/waf/) (Web Application Firewall) and [CloudFront CDN](https://aws.amazon.com/cloudfront/). Alternately you could use [CloudFlare](https://www.cloudflare.com/), which has free and cheap plans, but will only stand up to a DDOS if you're on a paid plan. An advantage of CloudFlare is that it's easy to configure your NACL or security groups to only accept traffic from their limited IP ranges, so a DDOS can't hit your server directly. – Tim Jul 17 '17 at 19:08
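Following up on the comments above about reviewing the ELB's own logs and about the client IP the load balancer passes on, here is an added example (not code from the question or any answer) that parses classic ELB access log lines, counts requests per client IP, and separates 5xx responses from the backends from 503s the ELB generated itself because no healthy instance took the request. The field order is the documented classic ELB access log format; the ELB name `contest-elb`, the host `contest.example.org`, the IP addresses and all sample lines are constructed.

```python
import re
from collections import Counter

# Classic ELB access log field order (per the AWS docs): timestamp elb
# client:port backend:port request_time backend_time response_time
# elb_status backend_status received_bytes sent_bytes "request" "user_agent" ...
ELB_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<elb>\S+) (?P<client>[^:\s]+):\d+ (?P<backend>\S+) '
    r'\S+ \S+ \S+ (?P<elb_status>\S+) (?P<be_status>\S+) \d+ \d+ '
    r'"(?P<request>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Fields of one ELB log line as a dict, or None if it does not parse."""
    m = ELB_LINE.match(line)
    return m.groupdict() if m else None

def analyze(lines, per_ip_threshold=50):
    """Count requests per client IP and separate backend 5xx responses from
    5xx generated by the ELB itself (backend '-' = no healthy instance took
    the request). Clients over the threshold are candidates to inspect."""
    per_ip, backend_5xx, elb_5xx, unparsed = Counter(), 0, 0, 0
    for line in lines:
        f = parse_line(line)
        if f is None:
            unparsed += 1
            continue
        per_ip[f["client"]] += 1
        if f["be_status"].startswith("5"):
            backend_5xx += 1
        elif f["backend"] == "-" and f["elb_status"].startswith("5"):
            elb_5xx += 1
    suspects = [ip for ip, n in per_ip.most_common() if n > per_ip_threshold]
    return {"per_ip": per_ip, "suspects": suspects, "backend_5xx": backend_5xx,
            "elb_5xx": elb_5xx, "unparsed": unparsed}

# Constructed sample (not real traffic): five normal contestants plus one
# client that sends 80 requests, the last 40 of which the ELB answers 503.
TEMPLATE = ('2017-07-16T10:00:{sec:02d}.000000Z contest-elb {ip}:5{sec:04d} '
            '{backend} 0.00004 {bt} 0.00003 {es} {bs} 520 4096 '
            '"GET https://contest.example.org:443/problems HTTP/1.1" '
            '"Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')
SAMPLE = [TEMPLATE.format(sec=i, ip=f"203.0.113.{i}", backend="10.0.1.12:80",
                          bt="0.12", es=200, bs=200) for i in range(1, 6)]
SAMPLE += [TEMPLATE.format(sec=i % 60, ip="198.51.100.7", backend="10.0.1.12:80",
                           bt="0.80", es=200, bs=200) for i in range(40)]
SAMPLE += [TEMPLATE.format(sec=i % 60, ip="198.51.100.7", backend="-",
                           bt="-1", es=503, bs="-") for i in range(40)]

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(r["per_ip"].most_common(3), r["suspects"], r["backend_5xx"], r["elb_5xx"])
```

A high count for one IP is only a lead: with IIS behind the ELB, the same check can be run against the `X-Forwarded-For` value in the IIS logs once that header is being logged.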

2 Answers

1

As @Tim said, AWS offers AWS Shield, so its advanced option provides some basic protection. They also have a basic WAF. I would suggest deploying that as a minimum - but it might not be enough, depending on site traffic and where any attacks are actually originating from.

If it’s a small enough site, that’s probably enough but I would recommend doing some research to see if your problem is failover / some other attack or a DDoS attack.

If it’s more complex, you’re going to want a WAF and DDoS protection on top of your AWS server such as Incapsula (apologies: this is a link to a product page) - this will protect against Layer 3 and Layer 7 attacks. This might not be needed on your website but it is something for your servers and for the higher level infrastructure. Most importantly, it’s not just DDoS protection (but the DDoS protection is always-on, unlike something like Cloudflare, where you have to turn it on if you get attacked) but also protection against other web threats.

I don’t want to advertise for any service, but if you’re not sure what’s causing an attack, one of the bigger benefits of a paid service is going to be the NOC so they can monitor the activity that you’re not so sure about.

Tim
avi
  • As far as I'm aware CloudFlare does [DDOS protection](https://www.cloudflare.com/ddos/) all the time, but if you manually tell it you're under DDOS attack it's a hint that helps improve your protection. – Tim Jul 18 '17 at 08:56
  • They do for CDN caching but for DDoS protection you need to turn on "I'm under attack" mode. – avi Jul 18 '17 at 09:08
  • Based on [this page](https://support.cloudflare.com/hc/en-us/articles/200170186-Does-Cloudflare-offer-DDoS-protection-to-Free-and-Pro-plans-) I think that's partly true. For free and pro plans I think you need to manually enable DDOS protection. Business and Enterprise plans have more advanced functionality and operate all the time. – Tim Jul 18 '17 at 18:53
0

Elastic load balancers are not DDoS protection, and actually are very susceptible to DDoSes themselves.

There's nothing really magic about them at all, they are just dumb machines running Linux forwarding traffic.

Cherona