How can I prevent a DDOS attack on Amazon EC2?
A DDOS (or even a DOS), in its essence, is resource exhaustion. You will never be able to eliminate bottlenecks, as you can only push them farther away.
On AWS, you are lucky because the network component is very strong - it would be very surprising to learn that the upstream link was saturated. However, the CPU, as well as disk I/O, are way easier to flood.
The best course of action would be to start some monitoring (local such as SAR, remote with Nagios and/or ScoutApp) and some remote logging facilities (Syslog-ng). With such a setup, you will be able to identify which resources get saturated (network sockets due to a SYN flood; CPU due to bad SQL queries or crawlers; RAM due to …). Don't forget to have your log partition (if you don't have remote logging enabled) on an EBS volume (to later study the logs).
If the attack comes through the web pages, the access log (or the equivalent) can be very useful.
You can also further isolate your EC2 instances by putting them behind an Elastic Load Balancer and only accepting traffic from the ELB instance. This puts more of the onus on Amazon to manage DDOS attacks.
I assume that you'll still have SSH open to all, so it's likely you'll still see some rogue traffic coming in there, unless you can lock down that port to some static IPs. You could change the SSHd port to something more obscure (i.e., something other than 22) to further reduce DDOS hits (most bots only check known ports).
I'll also mention fail2ban, which can monitor logs and temporarily modify your iptables rules to block specific IPs (for instance, if there have been 6 failed attempts to SSH into your host from a single IP address, it can block that IP for 30 minutes or so). Keep in mind that (as Jordan astutely commented) fail2ban is probably not appropriate for blocking proxied traffic (e.g., that from an ELB) because it will block the IP of the proxy, not necessarily the original remote IP.
I haven't used it, but Apache mod_evasive may also be worth investigating; however, it may have the same weakness as fail2ban when it comes to IP-based blocking.
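The access-log analysis and the proxy caveat above can be seen together in a short script. This is an added example, not code from any of the answers; it assumes a "combined" access log with the X-Forwarded-For header appended as a final quoted field, a single load balancer in front of the instance that appends the address it saw to that header, and constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: Apache/Nginx "combined" with the X-Forwarded-For header
# appended as a final quoted field (this layout is an assumption of the example).
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

def client_ip(peer, xff):
    """Address to rate-limit on. The load balancer appends the address it saw
    to X-Forwarded-For, so only the right-most entry is trustworthy; entries
    to its left are client-supplied. Falls back to the peer when absent."""
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    return hops[-1] if hops else peer

def noisy_clients(lines, limit=5, window=10, key="client"):
    """Return addresses that made more than `limit` requests in any
    `window`-second span. key="peer" counts by TCP peer, as an
    IP-based blocker reading the first field would."""
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        ip = m["peer"] if key == "peer" else client_ip(m["peer"], m["xff"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

# Constructed sample: every request arrives from the load balancer at 10.0.0.5.
def _line(sec, xff):
    return (f'10.0.0.5 - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET /search HTTP/1.1" 200 512 "-" "curl/8.0" "{xff}"')

SAMPLE = [_line(s, "203.0.113.9") for s in range(8)]              # one busy client
SAMPLE += [_line(s, f"198.51.100.{s}") for s in range(8, 12)]     # four quiet clients
SAMPLE.append(_line(12, "192.0.2.77, 203.0.113.9"))               # forged left entry

if __name__ == "__main__":
    print("by peer:  ", noisy_clients(SAMPLE, key="peer"))
    print("by client:", noisy_clients(SAMPLE, key="client"))
```

Counting by peer flags the load balancer's own address, which is what an IP-based blocker reading the first log field would ban; counting by the right-most forwarded entry flags only the busy client and ignores the forged entry to its left.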
If you are using Apache, I suggest using mod_security. Packaged by most vendors, the core rule set does a fantastic job.
Another hardening step is limiting the requests at the webserver level. Nginx and Apache can throttle and limit incoming requests.