Friday, September 13, 2019

linux - How can I prevent a DDOS attack on Amazon EC2?



One of the servers I use is hosted on the Amazon EC2 cloud. Every few months we appear to have a DDOS attack on this sever. This slows the server down incredibly. After around 30 minutes, and sometimes a reboot later, everything is back to normal.



Amazon has security groups and firewall, but what else should I have in place on an EC2 server to mitigate or prevent an attack?




From similar questions I've learned:




  • Limit the rate of requests/minute (or seconds) from a particular IP address via something like IP tables (or maybe UFW?)

  • Have enough resources to survive such an attack - or -

  • Possibly build the web application so it is elastic / has an elastic load balancer and can quickly scale up to meet such a high demand)

  • If using mySql, set up mySql connections so that they run sequentially so that slow queries won't bog down the system




What else am I missing? I would love information about specific tools and configuration options (again, using Linux here), and/or anything that is specific to Amazon EC2.



ps: Notes about monitoring for DDOS would also be welcomed - perhaps with nagios? ;)


Answer



A DDOS (or even a DOS), in its essence, is a resource exhaustion. You will never be able to eliminate bottlenecks, as you can only push them farther away.



On AWS, you are lucky because the network component is very strong - it would be very surprising to learn that the upstream link was saturated. However, the CPU, as well as disks I/O, are way easier to flood.



The best course of action would be by starting some monitoring (local such as SAR, remote with Nagios and/or ScoutApp) and some remote logging facilities (Syslog-ng). With such setup, you will be able to identify which resources get saturated (network socket due to Syn flood ; CPU due to bad SQL queries or crawlers ; ram due to …). Don’t forget to have your log partition (if you don’t have remote logging enable) on an EBS volumes (to later study the logs).




If the attack come through the web pages, the access log (or the equivalent) can be very useful.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...