DDoS attack mitigation: Using Cloudflare and AWS Autoscaling Group in our work

Security issues now cause a lot of worry. Under constant threat of losing money, customers, and even reputation, companies and organizations have to establish strong safeguards and use reliable security tools.

Recently, Distributed Denial of Service (DDoS) attacks have become a hot topic of discussion. By infecting computer systems with malware and overwhelming the targeted service with a flood of traffic, they degrade its performance, in some cases making the website/application completely unavailable.

According to surveys, the average cost of being offline because of an infrastructure failure is about $100,000 per hour. What’s more, customers lose trust in your brand, and you lose clients as a consequence.

Unfortunately, the frequency and strength of DDoS attacks are on the rise. Plus, with so many insecure IoT devices in use, building botnets that wage distributed volumetric attacks is easier than ever before. All of this makes DDoS mitigation solutions a real necessity.

In one of our recent posts, we considered the types of DDoS attacks and strategies to protect against them. In this article, we’ll show you the best tools for DDoS attack mitigation, including those we use in our work.


Cloudflare for DDoS attack mitigation

Cloudflare is one of the best DDoS mitigation solutions, enjoyed and appreciated by web development teams. In December 2017, the independent research firm Forrester named Cloudflare a leading tool for DDoS attack protection.

In this survey, Cloudflare proved to be the most successful solution across various criteria, including its pricing model, DDoS mitigation capacity, scalability, implementation length, and mitigation of application Layer 3 and Layer 4 attacks, DNS attacks, as well as volumetric, multi-vector, and other types of DDoS attacks.

Cloudflare lets you secure, optimize, and speed up any web property (websites, SaaS services, APIs, and other Internet-connected properties) with no need to install software or change code.

With Cloudflare protection, all web traffic is routed through an intelligent and safe global network. What’s more, the network becomes smarter with each new online service added, which brings better site performance, optimized traffic, and a lower spam level.

Protection against the largest DDoS attacks with Anycast
Cloudflare’s Anycast network capacity is 15 times bigger than the largest DDoS attack ever recorded. With 15 Tbps of capacity, it can easily handle and protect against modern and large DDoS attacks, including those that target DNS infrastructure.

Anycast works as follows: as an addressing and routing method, it lets inbound requests be distributed across many locations.

After other DDoS mitigation solutions filter out some of the attack traffic, Anycast spreads the remaining traffic across multiple data centers, preventing any one location from being overwhelmed with thousands of requests. The Anycast network distributes attack traffic to the point where it can be easily managed.

Importantly, by checking more than 300B requests per day (10% of the world’s HTTP Internet traffic), Cloudflare learns from attacks targeting customers on the network and prevents upcoming threats as a result.

Cloudflare enables to block malicious bot abuse and prevent
Today the frequency and sophistication of malicious bot abuse are increasing, and so are the number of impacted companies and their losses in clients, operational costs, revenues, and credibility.

The targeted services need the resilience of a scalable network to fight malicious bot abuse. By using Cloudflare, you can stop bots from excessive usage across web properties (SaaS, APIs, websites, etc.) and protect businesses from damage.

Server load optimization with Load Balancing
By preventing access to websites and applications, misconfigured and poorly performing servers completely degrade the user experience, which directly affects company revenue and customer loyalty. As a result, businesses lose clients and reputation.

That’s why it’s so important to balance the server load and optimize how servers work. For this purpose, we use the Cloudflare Load Balancing tool, which lets us minimize latency by load balancing traffic across many servers or by pushing traffic to the nearest geolocation region.

In addition, Load Balancing lets you run health checks and use smart routing with failover in order to quickly route website/app visitors away from any failures and bad user experience.

Also, learn more about DDoS attack mitigation with Cloudflare WAF and Rate Limiting.


DDoS mitigation with AWS Autoscaling Group

Amazon Web Services offers flexible, reliable infrastructure and various services that help developers protect against DDoS and build highly scalable architectures following AWS Best Practices for DDoS attack mitigation.

There are a lot of AWS services you can use for DDoS resiliency: Amazon CloudFront, AWS WAF, AWS Elastic Load Balancing, Amazon Route 53, aimed at managing traffic, rejecting unacceptable requests, and reducing application downtime and latency.

AWS Shield, a DDoS attack mitigation service, integrates with Amazon Web Services and provides instant detection and automatic inline mitigation to protect the targeted service that runs on AWS.

Amazon Route 53 for smart routing and DNS protection
Amazon Route 53 is a highly available cloud DNS service created for routing user requests to infrastructure that runs on AWS, for example, to Amazon EC2 instances, Elastic Load Balancing load balancers or Amazon S3 buckets. Besides, you can use Route 53 to redirect users to infrastructure outside AWS.

Also, the service enables developers to control traffic with the help of various types of routing and defend domain names against DNS attacks. Amazon Route 53 can be used to connect only to “healthy” addresses (using DNS checks), as well as to monitor the application status.
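
The health-check and failover behaviour described for Cloudflare Load Balancing and for Route 53’s “healthy” addresses can be modelled in a few lines. This is an added example, not code from Cloudflare, AWS or the article’s authors; the class, the origin names and the three-failure threshold are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Origin:
    name: str
    fails: int = 0        # consecutive failed health checks
    healthy: bool = True


class FailoverBalancer:
    """Round-robin over healthy origins in the first pool that has any."""

    def __init__(self, pools, fail_threshold=3):
        # pools are ordered by preference: primary first, fallbacks after
        self.pools = [[Origin(n) for n in pool] for pool in pools]
        self.fail_threshold = fail_threshold
        self._next = 0

    def report(self, name, ok):
        """Record one health-check result; return the origin's new state."""
        for pool in self.pools:
            for origin in pool:
                if origin.name == name:
                    origin.fails = 0 if ok else origin.fails + 1
                    # Eject only after N consecutive failures, so a single
                    # probe dropped during a traffic flood does not remove
                    # a working origin; one success restores it.
                    origin.healthy = origin.fails < self.fail_threshold
                    return origin.healthy
        raise KeyError(name)

    def route(self):
        """Pick the origin for the next request, or None if all are down."""
        for pool in self.pools:
            live = [o for o in pool if o.healthy]
            if live:
                self._next += 1
                return live[self._next % len(live)].name
        return None


def demo():
    # Constructed origin names: two primaries and one fallback region.
    lb = FailoverBalancer([["us-east-a", "us-east-b"], ["eu-west-a"]])
    for _ in range(3):
        lb.report("us-east-a", ok=False)
        lb.report("us-east-b", ok=False)
    failover = lb.route()              # primary pool empty, use fallback
    lb.report("us-east-b", ok=True)    # one success restores the origin
    return failover, lb.route()


if __name__ == "__main__":
    print(demo())
```

The consecutive-failure threshold is the setting to tune: too low and probes lost during an attack eject healthy origins, too high and visitors keep hitting a dead one.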

Amazon CloudFront for safe content delivery
Amazon CloudFront is a global content delivery network (CDN) service that ensures secure delivery of data, video files, applications, and APIs with low latency and high transfer rates. CloudFront provides geoblocking support, used by developers to prevent multiple requests from particular geographic locations from being served.

Incoming traffic distribution with Amazon Elastic Load Balancing
Elastic Load Balancing automatically distributes incoming traffic across various targets such as Amazon EC2 instances, containers, and IP addresses.

Also, it can distribute application traffic with a varying load in one availability zone or between multiple AZs. This way, Load Balancing removes the risk of overloading the website/app.

Elastic Load Balancing offers three types of load balancers (Application Load Balancer, Network Load Balancer, and Classic Load Balancer) that provide high availability, auto-scaling, and reliable protection required to ensure application resiliency.

AWS Web Application Firewall (WAF)
AWS WAF (web application firewall) is a firewall for websites/applications that defends them against common network attacks that can impact service availability, lead to security breaches, or consume excessive resources.

With the help of customizable security rules, AWS WAF allows you to determine which traffic for a certain application is legitimate and which one should be blocked.

Developers can use AWS WAF to create custom rules that block common attack patterns (SQL injection, cross-site scripting, etc.), as well as individual rules for specific applications.

New rules can be deployed within a few minutes, which lets you respond quickly to changes in traffic patterns. AWS WAF also offers a full-featured API that automates the creation, deployment, and maintenance of security rules.

We hope the article has been useful to you. Here at Smartym, we use effective DDoS mitigation solutions to deliver secure applications with high resiliency to DDoS attacks.

If you have questions or a project idea, you’re welcome to contact our company and get a free consultation! With extensive expertise in building web applications, we’re always ready to help you with your project.