At this point in time pretty much everyone knows that the cloud offers huge advantages over traditional data centers on, well, pretty much everything!
Cost ✓
Flexibility ✓
Scalability ✓
High availability ✓
Security ✓
I think you get the idea!
However, even the cloud isn’t bulletproof, and if you don’t put the right precautions in place, one of the areas of susceptibility is malicious traffic from bots, namely scrapers, scanners and crawlers.
Every server instance with a public-facing IP address is constantly targeted by network scanning bots that have the potential to be malicious and start a DDoS attack or discover a vulnerability. Even if they are harmless, they clutter the access logs and use up precious server resources.
AWS makes it very easy to get a web server running on an EC2 instance and point the DNS to its public IP. This works very well until your IP inevitably gets scanned and then anything can happen.
We have helped numerous clients deal with malicious traffic over the years, but 2021 has been the worst so far. We have seen malicious traffic bring down countless websites because they were not configured or secured correctly.
However, it doesn’t have to be this way as AWS has all the tools available to fully protect your site and applications.
Elastic Load Balancers
As the name suggests, load balancers can perform load balancing and are great for auto-scaling your applications. But they can do so much more.
You can attach certificates to your load balancers to handle HTTPS traffic and SSL/TLS decryption. Load balancers also create a barrier between your web server and the internet, and when they are used in conjunction with Amazon CloudFront and Amazon Route 53, you receive comprehensive protection free of charge from the AWS Shield Standard service.
AWS Shield
As mentioned, AWS Shield Standard comes free of charge with Amazon CloudFront and Amazon Route 53. It’s a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS, giving you comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
AWS Shield Advanced offers enhanced levels of protection against attacks targeting your applications and 24×7 access to the AWS DDoS Response Team. It is expensive, but you get “DDoS cost protection for scaling”, a feature that protects your AWS bill from usage spikes on your AWS Shield Advanced protected resources. So if your websites generate high revenues, this service is basically a cheap insurance policy.
AWS WAF
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. The service gives you control over the traffic that can reach your applications so that you can protect against DDoS, SQL injection and other common attack patterns.
You can create rules yourself or use one of the many managed rules that are provided by AWS and AWS Marketplace Sellers.
Additionally, AWS WAF allows you to easily define the countries from which traffic is allowed to access your site. This makes it very easy to block traffic from countries in which you do not operate and from countries where most of the malicious bot traffic originates.
AWS WAF Bot Control
This new service gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics or cause downtime. You can use managed rule groups to block or rate-limit bots, scrapers, scanners and crawlers to ensure the uptime of your applications and the reduction of your costs.
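As an added illustration (not configuration from this article or from AWS), the three controls described above can be expressed as an AWS WAFv2 rule list: a country allow-list, a per-IP rate limit, and the AWS-managed Bot Control rule group. The country codes, the limit of 1000 requests per five-minute window, the rule names and the metric names are assumptions chosen for the example.

```json
[
  {
    "Name": "block-countries-outside-allow-list",
    "Priority": 0,
    "Statement": {
      "NotStatement": {
        "Statement": {
          "GeoMatchStatement": { "CountryCodes": ["GB", "IE"] }
        }
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "geo-allow-list"
    }
  },
  {
    "Name": "rate-limit-per-ip",
    "Priority": 1,
    "Statement": {
      "RateBasedStatement": { "Limit": 1000, "AggregateKeyType": "IP" }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "rate-limit-per-ip"
    }
  },
  {
    "Name": "aws-bot-control",
    "Priority": 2,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet"
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "aws-bot-control"
    }
  }
]
```

Managed rule groups take `OverrideAction` rather than `Action`; setting it to `{ "Count": {} }` first lets you review in the sampled requests what Bot Control would match before it starts blocking. A file like this can be passed to `aws wafv2 create-web-acl` via `--rules file://rules.json`.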
So there you have it, the tools to stop bots ruining your websites and applications are widely available. Most of these tools have been developed by Amazon as they try to protect their sites and keep one step ahead of the bots.
Please reach out to databasable if you would like more information about AWS Load Balancers, AWS Shield, AWS WAF or any other AWS service.