EC2 Denial of Service: Securing a cloud-based website from DoS attacks
How can I prepare my website infrastructure running on an EC2 instance against DoS attacks? I run Apache with nginx as a reverse proxy.
You can't prevent DOS attacks, you can only mitigate them.
- Keep a small attack surface. Turn off services you aren't using, block access to ports that only need to be accessed from specific locations, make sure your daemons have sensible defaults about how many threads they run and how to behave when system resources run low.
- Monitor traffic. Know when an attack starts because you got a notice about the traffic or resource load spike. Notice when your SSH daemons or other secure ports get scanned. Notice repetitive patterns of requests. Be able and ready to analyze them in depth when things go haywire, but keep a pulse on things all the time.
- Dodge or block whatever traffic makes up an attack as soon as possible. Figure out a way to fingerprint the attack and throttle those types of requests down. Prioritize services; shut off low-priority ones if you have to. Hunker down and serve everything from a CDN until the coast is clear.
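The "notice repetitive patterns" and "fingerprint the attack and throttle" steps above can be turned into a small monitoring script. This is an added example, not code from the original answer: it parses nginx/Apache "combined" access-log lines, keeps a per-client sliding window of request timestamps, flags any client that exceeds a request threshold inside that window, and emits nginx `deny` lines for the flagged clients. The log lines, threshold values and the `_sample_log` helper are constructed for the example; the log format and the `deny` directive are standard nginx.

```python
"""Spot bursty, repetitive clients in an access log and build a block list.

Added example (not from the original post). Parses "combined" log lines,
counts requests per client IP in a sliding window, reports IPs that exceed
a threshold with the path they request most, and renders nginx `deny` lines.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# combined format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path_without_query, user_agent) or None on mismatch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    path = m.group("path").split("?", 1)[0]  # collapse /search?q=1, /search?q=2, ...
    return m.group("ip"), ts, path, m.group("ua")


def find_offenders(lines, window_seconds=10, max_requests=20):
    """Return {ip: (peak_requests_in_window, most_requested_path)} for every
    client that sends more than max_requests within any window_seconds span.
    Lines are assumed to be in chronological order per client, as in a live log."""
    recent = defaultdict(deque)    # ip -> timestamps inside the current window
    paths = defaultdict(Counter)   # ip -> how often each path was requested
    peak = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash during an incident
        ip, ts, path, _ua = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        paths[ip][path] += 1
        if len(q) > max_requests and len(q) > peak.get(ip, 0):
            peak[ip] = len(q)
    return {ip: (n, paths[ip].most_common(1)[0][0]) for ip, n in peak.items()}


def nginx_deny_block(offenders):
    """Render flagged clients as nginx `deny` directives (one per line), e.g. for
    an include file that is reloaded once it is confirmed they are hostile."""
    return "".join(f"deny {ip};\n" for ip in sorted(offenders))


def _sample_log():
    """Constructed sample: one client hammering /search, two ordinary visitors."""
    base = datetime(2012, 3, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):  # 60 requests in under five seconds from one address
        t = (base + timedelta(milliseconds=80 * i)).strftime(TIME_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "GET /search?q={i} HTTP/1.1" 200 5120 "-" "python-requests/2.0"')
    for i, (ip, path) in enumerate([("198.51.100.4", "/"), ("198.51.100.4", "/about"), ("192.0.2.9", "/")]):
        t = (base + timedelta(seconds=2 * i)).strftime(TIME_FMT)
        lines.append(f'{ip} - - [{t}] "GET {path} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    hits = find_offenders(_sample_log())
    for ip, (n, path) in hits.items():
        print(f"{ip}: {n} requests in window, mostly {path}")
    print(nginx_deny_block(hits), end="")
```

The threshold and window are deliberately parameters: a search endpoint and a static image have very different legitimate rates, so in practice you would tune them per path (or key on user agent as well) before feeding the result into a reverse-proxy block list or a rate-limit rule.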
First off, you need to distinguish between "Denial of Service (DoS)" attack and "Distributed Denial of Service (DDoS)" attacks.
Since your question is about DoS, you generally protect against DoS attacks by:
- Keeping your operating system, web servers, mail servers etc. updated, so that there aren't any well-known remote DoS attacks against the underlying OS & services.
- Performing a security audit of your own webapp code, and having secure development practices in place for your own webapp code. You want to be sure that there aren't any remote crash / remote resource starvation / buffer overflow / etc. attacks against your own webapp code.
- Have a small "attack surface" as Caleb mentions. Have as few services responding to Internet traffic as possible. Have a firewall in place with a default deny all rule, and only open up needed ports (Amazon EC2's "Security Groups" can do this for you).
There is an almost unlimited number of things you can do to raise security against DoS attacks. The real trick is to make a sound judgement on what you should do. My above list is a reasonable starting point, but you can learn much more about this topic if you want. Security.stackexchange.com is not a bad place to start.
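One concrete way to check the "default deny, only open needed ports" advice on EC2 is to audit the Security Group ingress rules. The following is an added example, not code from the answer above: it evaluates security groups in the dictionary shape that boto3's `describe_security_groups()` returns (assumed here to contain only the fields used: `GroupId`, `IpPermissions` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges` and `Ipv6Ranges`) and reports every rule that exposes anything other than the web ports to the whole Internet. The sample group is constructed so the script runs offline; the allowed-port set is an assumption for a plain web server.

```python
"""Flag EC2 Security Group ingress rules that expose non-web ports to everyone.

Added example (not from the original answer). Works on the dict layout of
boto3's ec2.describe_security_groups(); in a real run you would pass
client.describe_security_groups()["SecurityGroups"] to audit_groups().
"""
ANYWHERE = {"0.0.0.0/0", "::/0"}        # "open to the whole Internet"
ALLOWED_PUBLIC_PORTS = {80, 443}         # assumption: only HTTP/HTTPS should face everyone


def _public_cidrs(perm):
    """CIDRs in this permission that mean 'anyone' (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def _port_range(perm):
    """(low, high) port range of a permission; IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _only_allowed(lo, hi):
    """True when every port in [lo, hi] is in ALLOWED_PUBLIC_PORTS."""
    if hi - lo + 1 > len(ALLOWED_PUBLIC_PORTS):
        return False  # range is wider than the allow-list, so something extra is in it
    return all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1))


def audit_group(group):
    """Return human-readable findings for one security group (empty list = clean)."""
    findings = []
    gid = group.get("GroupId", "<unknown>")
    for perm in group.get("IpPermissions", []):
        public = _public_cidrs(perm)
        if not public:
            continue  # rule limited to specific networks or another security group
        lo, hi = _port_range(perm)
        if _only_allowed(lo, hi):
            continue  # e.g. tcp/80 or tcp/443 to the world is expected for a web server
        proto = perm.get("IpProtocol")
        if proto == "-1":
            desc = "all protocols/ports"
        elif lo == hi:
            desc = f"{proto} {lo}"
        else:
            desc = f"{proto} {lo}-{hi}"
        for cidr in public:
            findings.append(f"{gid}: {desc} open to {cidr}")
    return findings


def audit_groups(groups):
    """Audit a list of security groups and return all findings."""
    return [f for g in groups for f in audit_group(g)]


# Constructed sample: a web server group with two acceptable rules, one SSH
# rule limited to an office range, and two rules that should be tightened.
SAMPLE_GROUP = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-appservers"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_groups([SAMPLE_GROUP]):
        print(finding)
```

The script only reads and reports; fixing a finding is a deliberate change to the group (removing the world-open SSH rule, or narrowing it to a management range as the third sample rule already does), which is exactly the kind of judgement call the answer says you have to make yourself.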
I've been considering using CloudFlare for this. All traffic is routed through them and they watch for malicious requests and block them. The main selling point is that because they are in the business of watching for bad traffic from various sources they can identify potential threats before you'd be able to do so by yourself.
It seems to be a very cost effective alternative to setting up your own infrastructure, but I'm not sure whether routing all my traffic through a third party will slow things down.