In some cases, an attacker may try to target your service with a sophisticated attack.
The two most common attacks are:
- Volumetric attacks: Where an attacker uses a botnet to flood your servers with a very large number of concurrent requests until they are saturated and can no longer serve legitimate traffic.
- Layer 7 attacks: Where an attacker tries to find and exploit a vulnerability in your application code. The most common examples of Layer 7 attacks are SQL injection and cross-site scripting (XSS).
To protect your application against these types of attacks, AWS provides a web application firewall (WAF), which inspects the requests sent to your ALB and Amazon CloudFront distribution. On top of that, AWS also offers a service called AWS Shield, which protects your service against volumetric attacks.
At a high level, AWS WAF works as follows:
- You define a certain number of conditions, which describe the requests you want to watch. This includes filtering based on HTTP header information (such as user agent, for example), content-based conditions such as malicious-looking SQL code, XSS, specific IP ranges, and so on.
- You combine those conditions into rules: for example, requests coming from this set of IPs AND carrying that particular HTTP header, or requests with a body larger than 8192 bytes.
- You then create a Web ACL that specifies the default action (allow traffic) and, for each rule, the action to take when that rule matches (reject, count, or allow).
You can read more about the service and the different conditions and actions available in the AWS documentation at http://amzn.to/2suvS3R.
To turn on AWS WAF, we can once again use CloudFormation. If you are interested in deploying a standard set of rules for AWS WAF, you can use the following template:
The template takes two arguments, a name (WebACLName) and the ARN of your ALB. It protects against the most common attacks.
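To make the conditions, rules, and Web ACL layering concrete, here is a minimal CloudFormation template written for this edit (it is not the book's template, which is not reproduced here). It uses the classic regional WAF resource types and takes the same two parameters, WebACLName and the ALB ARN; the match-set contents, metric names, and the choice to only count oversized bodies are my own assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  WebACLName: { Type: String }
  ALBArn: { Type: String }
Resources:
  # Condition 1: look for SQL-injection patterns in the URL-decoded query string
  SqliMatchSet:
    Type: AWS::WAFRegional::SqlInjectionMatchSet
    Properties:
      Name: !Sub '${WebACLName}-sqli'
      SqlInjectionMatchTuples:
        - { FieldToMatch: { Type: QUERY_STRING }, TextTransformation: URL_DECODE }
  # Condition 2: request body larger than 8192 bytes (the example from the text)
  BodySizeSet:
    Type: AWS::WAFRegional::SizeConstraintSet
    Properties:
      Name: !Sub '${WebACLName}-body-size'
      SizeConstraints:
        - { FieldToMatch: { Type: BODY }, ComparisonOperator: GT, Size: 8192, TextTransformation: NONE }
  # Rules wrap one or more conditions as predicates; MetricName must be alphanumeric
  SqliRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: !Sub '${WebACLName}-sqli-rule'
      MetricName: SqliRule
      Predicates:
        - { DataId: !Ref SqliMatchSet, Negated: false, Type: SqlInjectionMatch }
  BodySizeRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: !Sub '${WebACLName}-body-size-rule'
      MetricName: BodySizeRule
      Predicates:
        - { DataId: !Ref BodySizeSet, Negated: false, Type: SizeConstraint }
  # Web ACL: default ALLOW; block SQLi, but only COUNT oversized bodies at first
  # so CloudWatch metrics show how much legitimate traffic the rule would affect
  WebACL:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: !Ref WebACLName
      MetricName: WebACL
      DefaultAction: { Type: ALLOW }
      Rules:
        - { Action: { Type: BLOCK }, Priority: 1, RuleId: !Ref SqliRule }
        - { Action: { Type: COUNT }, Priority: 2, RuleId: !Ref BodySizeRule }
  # Attach the Web ACL to the load balancer passed in as a parameter
  Association:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn: !Ref ALBArn
      WebACLId: !Ref WebACL
```

Once the COUNT metric for BodySizeRule shows no false positives over a representative period, switch its action to BLOCK and redeploy the stack.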
The last topic we will cover is protecting against ransomware.