11

We usually blacklist IP addresses with iptables. But in Amazon EC2, if a connection goes through the Elastic Load Balancer, the remote address will be replaced by the load balancer's address, rendering iptables useless. In the case of HTTP, apparently the only way to find out the real remote address is to look at the HTTP header HTTP_X_FORWARDED_FOR. To me, blocking IPs at the web application level is not an effective way.

What is the best practice to defend against a DoS attack in this scenario?

In this article, someone suggested that we can replace Elastic Load Balancer with HAProxy. However, there are certain disadvantages in doing this, and I'm trying to see if there are any better alternatives.

starball
netvope
  • The following thread over here in the AWS forums may also be useful for seeing what people in similar situations have done: https://forums.aws.amazon.com/message.jspa?messageID=212411#212411 – jm3 Nov 14 '11 at 20:35
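The question's point about HTTP_X_FORWARDED_FOR deserves one caveat before any blocking decision is built on it: the header is client-supplied, and the ELB only appends the address it actually talked to. The only trustworthy entry is therefore the rightmost one that is not one of your own proxies; anything further left is whatever the client wrote. The following is an added example (not code from the question or the answers) showing how to extract that address; the trusted range 10.0.0.0/8 and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the address range your ELB (or any proxy you control)
# connects from. Adjust to the VPC subnets the load balancer lives in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address that the last trusted proxy saw, or None.

    remote_addr is the TCP peer (REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value, or None when absent. Each proxy appends the peer it
    talked to, so the chain grows to the right. Walking from the right and
    skipping trusted proxies yields the first address that was observed by a
    proxy we control rather than claimed by the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted):
        # The request did not come through our proxy: the peer itself is the
        # client and nothing in the header can be believed.
        return str(peer)
    if not xff_header:
        return None  # a trusted proxy spoke to us but did not say for whom
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage where the proxy's own entry should be
        if not _is_trusted(addr, trusted):
            return str(addr)
    return None  # every hop was one of ours; no external client in the chain
```

The same rule is what a fail2ban filter or a reverse proxy needs to apply: a spoofed `X-Forwarded-For: 1.2.3.4` sent by the attacker ends up to the left of the address the ELB appends, so it is ignored, while a request that bypasses the ELB and hits the instance directly is attributed to its real peer because the header is then not trusted at all.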

5 Answers

3

I think you have described all the current options. You may want to chime in on some of the AWS forum threads to vote for a solution - the Amazon engineers and management are open to suggestions for ELB improvements.

sehugg
2

If you deploy your ELB and instances using VPC instead of EC2-classic, you can use Security Groups and Network ACLs to restrict access to the ELB.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_ApplySG.html

Michael - sqlbot
    Is there a way to add ACL network rules programmatically? I.e. once something like fail2ban has picked up a troublesome IP, run some script that will add it as an ACL rule? – Aphire Mar 31 '16 at 14:05
  • @Aphire Yes, the [cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-sg.html) and the [API](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/EC2.html#authorizeSecurityGroupEgress-property) support creating and modifying security groups – Matt Sep 19 '17 at 05:09
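For the programmatic case raised in the comments, the mechanism that can actually block an address is the VPC Network ACL: security groups only express allow rules, while NACL entries can be deny rules, are evaluated in ascending rule number, and stop at the first match. A script therefore has to give the deny a number below the allow rule that would otherwise admit the traffic (typically the `allow 0.0.0.0/0` at rule 100). The following is an added example (not the answer's or AWS's own code) that plans such an entry from the output of `describe_network_acls` and applies it with boto3's `create_network_acl_entry`; the ACL id, the sample entries and the addresses are constructed, and the planning logic runs without any AWS access.

```python
import ipaddress
import sys

CATCH_ALL_RULE = 32767  # the '*' entry AWS puts at the end of every network ACL

# Constructed sample of the Entries list that describe_network_acls returns for
# a typical ACL: allow-everything at 100 in both directions, one existing deny,
# and the catch-all.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "Protocol": "-1"},
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "Protocol": "-1"},
    {"RuleNumber": 1, "Egress": False, "RuleAction": "deny", "CidrBlock": "203.0.113.5/32", "Protocol": "-1"},
    {"RuleNumber": CATCH_ALL_RULE, "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0", "Protocol": "-1"},
]


def plan_deny_entry(acl_id, entries, ip):
    """Return kwargs for ec2.create_network_acl_entry() that deny all ingress
    from `ip`, or None if an identical deny already exists.

    NACL rules are evaluated in ascending rule number and the first match wins,
    so the deny must get a number below every ingress allow rule; otherwise it
    would never be reached.
    """
    addr = ipaddress.ip_address(ip)
    cidr = f"{addr}/{addr.max_prefixlen}"
    cidr_key = "CidrBlock" if addr.version == 4 else "Ipv6CidrBlock"
    ingress = [e for e in entries if not e["Egress"] and e["RuleNumber"] != CATCH_ALL_RULE]
    for e in ingress:
        if e["RuleAction"] == "deny" and e.get(cidr_key) == cidr:
            return None  # already blocked; the API would reject a duplicate number anyway
    allows = [e["RuleNumber"] for e in ingress if e["RuleAction"] == "allow"]
    ceiling = min(allows) if allows else CATCH_ALL_RULE
    used = {e["RuleNumber"] for e in ingress}
    rule = next((n for n in range(1, ceiling) if n not in used), None)
    if rule is None:
        raise RuntimeError(f"{acl_id}: no free rule number below allow rule {ceiling}; renumber the allows")
    return {"NetworkAclId": acl_id, "RuleNumber": rule, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False, cidr_key: cidr}


def block_ip(ec2, acl_id, ip):
    """Read the ACL, add the deny, and return the entry that was created (or None)."""
    acl = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]
    plan = plan_deny_entry(acl_id, acl["Entries"], ip)
    if plan is not None:
        ec2.create_network_acl_entry(**plan)
    return plan


if __name__ == "__main__":
    # Usage: python block_ip.py acl-0123456789abcdef0 203.0.113.9  (hypothetical ACL id)
    import boto3  # imported here so the planning logic above runs without AWS access
    print(block_ip(boto3.client("ec2"), sys.argv[1], sys.argv[2]))
```

Two operational limits matter when wiring this to fail2ban: a network ACL has a small quota of entries per direction (20 by default, raisable on request), so entries need an expiry and a cleanup path, and the ACL is attached to subnets, so the one to edit is the ACL of the subnet the load balancer sits in, not the instances' subnet.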
1

It's common to run an application server behind a reverse proxy. Your reverse proxy is a layer you can use to add DoS protection before traffic gets to your application server. For Nginx, you can look at the rate limiting module as something that could help.

Mark Stosberg
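Behind an ELB the rate limiting module only helps if nginx first learns the real client address; otherwise every connection has the balancer's address and one abusive client throttles the whole site. The following is an added configuration fragment (not from the answer, and to be placed inside the `http { }` block) showing the weak and the corrected setting together; the proxy range 10.0.0.0/8, the denied address and the backend port are assumptions.

```nginx
# Weak setting: without ngx_http_realip_module $binary_remote_addr is the ELB's
# address for every request, so limit_req and deny would act on the balancer,
# not on the client. The three directives below fix that: peers inside
# set_real_ip_from are proxies, X-Forwarded-For carries the chain, and
# real_ip_recursive walks it from the right, stopping at the first address that
# is not one of the proxies (the client the ELB actually saw).
set_real_ip_from 10.0.0.0/8;          # assumption: the VPC range the ELB connects from
real_ip_header   X-Forwarded-For;
real_ip_recursive on;

# From here on $binary_remote_addr is the client, so per-client limits work.
limit_req_zone  $binary_remote_addr zone=perip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=perconn:10m;
limit_req_status 429;

server {
    listen 80;

    # ngx_http_access_module: a static deny list, now matched against the real IP.
    deny 203.0.113.9;                 # constructed example address
    allow all;

    location / {
        limit_req  zone=perip burst=20 nodelay;
        limit_conn perconn 20;
        proxy_pass http://127.0.0.1:8080;   # assumption: the application server
    }
}
```

Requests that reach the instance without passing through the ELB do not match `set_real_ip_from`, so nginx keeps their real peer address and ignores any header they carry, which is the behaviour you want from a spoofing standpoint.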
0

You could set up an EC2 host and run haproxy there by yourself (that's what Amazon is using anyway!). Then you can apply your iptables filters on that system.

Craig
0

Here's a tool I made for those looking to use Fail2Ban on aws with apache, ELB, and ACL: https://github.com/anthonymartin/aws-acl-fail2ban

Anthony Martin