4

I am building a Kickstarter / Indiegogo campaign. It's a budget sensitive project, with limited server / AWS understanding. On our demo website, we'll be displaying 360-degree videos that will come from Amazon S3 or CloudFront, ideally CloudFront.

We have total lack of knowledge about

1 - limiting our AWS bills in case someone (or a bot) has bad motives --> attacks our project

2 - understanding what exactly Ddos or other attacks can do to our CloudFront bandwidth

3 - how signed URL, WAF and other S3 or CloudFront protections can defend us?

4 - !!!

4A -- Let's assume I have one 300 MB video file on CLoudFront. If we use signed URL or other suggested protection, can the 300MB video file attacked and downloaded a zillion times, creating a massive bill?

4B - the fact that our webpage is not on Amazon AWS (it's on hostgator) and the user must click a button to start the CLoudFront video, is that a semi-protection against a zillion video download?

5 - If the video is on S3 and not CloudFront (which might happen for other reasons), how can we defend ourselves?

6 - I am dead scared of all this and I might actually go for another service where we can limit our pay-as-you-go usage, and stop everything if we cross a preset amount. Is there any AWS alternative that can do this and suitable for HD video playback?

7 - how to immediately stop CloudFront usage if we notice something is not right?

8 - How common are these attacks, how realistic is it? Bear in mind, the Kickstarter project does have a potential to take off.

ANY help is appreciated! Thank you!

James
  • 135
  • 1
  • 12
  • AWS has cumulative billing alerts, and services like CloudFront have logs. Turn them on and use them. – Michael - sqlbot Aug 04 '16 at 23:49
  • I am aware of the alert ---> 1) but it doesn't stop the service in case of the bill suddenly starts rocketing and reaches a predefined limit. 2) What if we are on location for 2-3 days while I receive this alert.. cannot do anything, maybe I won't even read the alert until it's way too late. AZURE SPENDING LIMIT--> I just read that Azure will implement spending limits even on Pay-as-you-go. When that happens, we will switch within a second from Amazon to Azure. But we need a peace of mind right now, so I am not sure what's the best. I don't even know how likely to get such attacks? Any idea? – James Aug 05 '16 at 08:34

2 Answers2

2

Amazon S3 does not provide any cost capping feature to protect against malicious actors. Any IP blocking solution will not work against DDOS which, by its nature, come from widely distributed IP addresses. In addition, the cost reporting and budget warnings features, available under S3, are ineffective against a syncronized DDOS that may download tens of thousand copies of you file in a few minutes.

The only reasonable solution that I can see is to gate the access to the video file through a download page on your web server as follows:

  1. Define Identity and Access Management (IAM ) policy for your video file to allow access only to requests coming from your web server. Use the IpAddress policy directive for that. See for details

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

Note: you will probably spend a couple of days to understand and test IAM implementation details. There are some 3rd party utilities that might help in this regard.

  1. Put a Captcha on your download page
  2. The visitor solves the Captcha, and the web server then shows the link to the requested S3 video file.
Ninveh
  • 121
  • 1
  • Thanks! From your experience: A) how common are these attacks, how likely that crowdfunding project's home website gets attacked? B) (!!) do these attacks need the bad guys input, or automated bots can do this randomly, too (basically just randomly choosing websites) C) how the badguys target their next victim? They mainly attack larger institutions, known players, or they target smaller ones, too? – James Aug 15 '16 at 09:54
1

I will suggest you implement IP Blocking using Cloudfront and AWS WAF where you can limit or block IP address after it exceeds certain limits. Also signed urls is good strategy but the expiration time is there to limit the lifetime of the authorization to perform the allowed action by anyone in possession of the signed URL.

So AWS Cloud Front and WAF is your best shot agains the DDOS attack. Check this guide for more information to how to set it up.

https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-rate-based-blocking.html

Piyush Patil
  • 14,512
  • 6
  • 35
  • 54