Jaymitkumar Bhoraniya

AWS Serverless Security: Preventing HTTP Flood DDoS Attack

Introduction

In this article we discuss how to make the security of your serverless application stronger. Many kinds of Distributed Denial of Service (DDoS) attacks target applications today; one of them is the HTTP flood DDoS attack. This article explains how to prevent HTTP flood DDoS attacks against serverless applications and so strengthen your serverless security.

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
The attacker floods the target with fake requests; as a result, the target slows down or goes down completely and can no longer serve the requests of legitimate users.

[Image: DDoS security attack]

A Few General DDoS Attack Types

  • HTTP Flood DDoS Attack
  • SYN Flood DDoS Attack
  • DNS Amplification DDoS Attack

What is HTTP Flood DDoS Attack?

An HTTP flood DDoS attack loads a web application again and again from many different systems at once (often referred to as a botnet). The huge number of HTTP requests flooding the servers consumes their resources, and in the end the web application is no longer available to real users: denial of service occurs. In short, each HTTP request triggers an expensive database query (and other logic on the server), so when a large number of HTTP requests hit the server at the same time it goes down from the heavy resource consumption, which is what turns the flood into a DDoS.

[Image: HTTP flood DDoS attack]

Preventing HTTP Flood DDoS Attack in Serverless Applications with AWS WAF

What is AWS WAF?

AWS WAF is a web application firewall that helps protect your web applications / APIs against common web exploits and bots. Attacks may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns.

[Image: AWS WAF console]

AWS WAF can be deployed on:

  • Amazon CloudFront
  • Application Load Balancer
  • Amazon API Gateway
  • AWS AppSync

[Image: AWS WAF]
AWS WAF Security Automations use AWS CloudFormation to quickly configure AWS WAF rules that help block these common types of attacks:

  • HTTP floods
  • SQL injection
  • Cross-site scripting
  • Scanners and probes
  • Known attacker origins (IP reputation lists)
  • Bots and scrapers

In the diagram below, we can see where the AWS WAF sits in our serverless architecture. Basically, it’s our shield in front of all requests coming into our system. But, don’t confuse this service with AWS Shield (lol, AWS has everything).
[Diagram: AWS serverless WAF architecture]

Preventing HTTP Flood DDoS Attack on API Gateway using AWS WAF with Rate-based rule

Follow the steps below to create a web ACL in AWS WAF:

  1. Open the AWS WAF console.
  2. Choose Create web ACL.
  3. For Web ACL Name, enter ApiGateway-HTTP-Flood-Prevent.
  4. For Region, choose US East (N. Virginia).
    [Image: AWS WAF console]

  5. Choose Next; you will see the Add rules and rule groups step.

  6. Choose Add rule, then choose Add my own rules and rule groups, and configure:

  • Rule type: Rule builder
  • Rule builder - Rule Name: HTTP-Flood-Prevent
  • Rule builder - Rule Type: Rate-based rule
  • Rate limit: 2000
  • Choose Add rule.

[Image: AWS WAF console]

  • For Default action, choose Allow as the default web ACL action for requests that don't match any rules.

[Image: AWS WAF console]

Choose Next until you reach the Review and create web ACL step, then choose Create web ACL.

That’s it!! You are done with creating an AWS WAF Web ACL along with a rate-based rule to prevent HTTP Flood attacks 🔥🔥

Now we need to enable the WAF web ACL on the existing APIs in API Gateway to make them more secure:

  1. Go to the Amazon API Gateway console.
  2. Select Stages, prod.
  3. Under Web Application Firewall (WAF), select ApiGateway-HTTP-Flood-Prevent, which we created above.
    [Image: AWS WAF console]
  4. Choose Save Changes.
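The two console procedures above (create the web ACL with its rate-based rule, then attach it to the API stage) expressed as code. This is an added example, not code from the article; it uses boto3's wafv2 client (create_web_acl and associate_web_acl). The API id XXXXXXXXXX, the prod stage and the us-east-1 region are placeholders taken from the walkthrough, and the stage ARN format is assumed to be the standard API Gateway one.

```python
"""Create the web ACL from the walkthrough and attach it to an API Gateway stage.

Added example, not the article's code. Uses boto3's wafv2 client; the API id,
stage name and region below are placeholders to replace with your own values.
"""

WEB_ACL_NAME = "ApiGateway-HTTP-Flood-Prevent"
RULE_NAME = "HTTP-Flood-Prevent"
RATE_LIMIT = 2000           # requests per source IP per trailing 5-minute window
REGION = "us-east-1"        # US East (N. Virginia), as chosen in the console steps
API_ID = "XXXXXXXXXX"       # placeholder: your REST API id (assumption)
STAGE = "prod"


def _visibility(metric_name):
    """CloudWatch/sampling settings required on every rule and on the web ACL."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_web_acl_request(name=WEB_ACL_NAME, rule_name=RULE_NAME,
                          limit=RATE_LIMIT, scope="REGIONAL"):
    """Keyword arguments for wafv2.create_web_acl, mirroring the console choices.

    scope is REGIONAL for API Gateway, ALB and AppSync, and CLOUDFRONT for a
    distribution (a CloudFront web ACL is created through the us-east-1 endpoint).
    """
    if scope not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError("scope must be REGIONAL or CLOUDFRONT")
    if limit <= 0:
        raise ValueError("rate limit must be a positive request count")
    return {
        "Name": name,
        "Scope": scope,
        # Requests that match no rule are allowed, as chosen for Default action.
        "DefaultAction": {"Allow": {}},
        "Rules": [{
            "Name": rule_name,
            "Priority": 0,
            "Statement": {
                "RateBasedStatement": {
                    "Limit": limit,
                    # Count requests per source IP over the trailing 5 minutes.
                    "AggregateKeyType": "IP",
                },
            },
            # Block once a single IP exceeds the limit within the window.
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility(rule_name),
        }],
        "VisibilityConfig": _visibility(name),
    }


def api_stage_arn(api_id, stage, region=REGION):
    """ARN of a REST API stage, the ResourceArn that associate_web_acl expects.
    API Gateway stage ARNs carry no account id, hence the empty field."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage}"


def deploy(api_id=API_ID, stage=STAGE, region=REGION):
    """Create the web ACL and associate it with the stage. Needs AWS credentials.
    boto3 is imported here so the pure helpers above stay usable offline."""
    import boto3  # assumed installed and configured with credentials

    wafv2 = boto3.client("wafv2", region_name=region)
    created = wafv2.create_web_acl(**build_web_acl_request())
    acl_arn = created["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=acl_arn,
                            ResourceArn=api_stage_arn(api_id, stage, region))
    return acl_arn


if __name__ == "__main__":
    print("associated web ACL", deploy())
```

Because the rule aggregates on source IP, a load test from one machine trips it quickly, while traffic spread across many IPs that each stay under the limit does not; treat the rate-based rule as one layer alongside the managed rule groups and IP reputation lists mentioned earlier.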

Test your WAF Web ACL Enabled Secure APIs

  • Make a normal call to your API Gateway endpoint; it should return a success response.

WAF Allows:

{"statusCode":200,"body":"\"Hello from Lambda!\""}
  • Use Artillery to send a large number of requests in a short period to trigger your rate-limit rule:

$ artillery quick -n 2000 --count 10 https://XXXXXXXXXX.execute-api.us-east-1.amazonaws.com/prod/gettodos
  • With this command, Artillery sends 2000 requests to your API from 10 concurrent users. This triggers the rate-limit rule well within the 5-minute window. Once Artillery finishes, call the API again and the response will be:

WAF Blocked:

{"message":"Forbidden"}

You can see the API response is Forbidden, because the request was blocked by AWS WAF. Your IP address is removed from the blocked list once its request rate falls below the limit.
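A small probe that automates the check above: it calls an endpoint you own, tells the WAF's own {"message":"Forbidden"} reply apart from the Lambda's success body, records at which request the block began, and then polls until the IP is unblocked again. This is an added example, not code from the article; the URL is a placeholder, the default sender uses urllib, and a simulated sender is included so the logic can be run offline.

```python
"""Verify a rate-based rule against an API you own and report when AWS WAF
starts blocking. Added example, not the article's code."""
import json
import time
import urllib.error
import urllib.request

WAF_BLOCK_BODY = {"message": "Forbidden"}   # body the article shows for a WAF block


def http_get(url, timeout=10):
    """Return (status, body) for one GET; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """'allowed' for a 200, 'waf_blocked' for the WAF's 403 Forbidden JSON body,
    'other' for anything else (Lambda errors, throttling, non-JSON bodies)."""
    if status == 200:
        return "allowed"
    if status == 403:
        try:
            if json.loads(body) == WAF_BLOCK_BODY:
                return "waf_blocked"
        except ValueError:
            pass
    return "other"


def probe_rate_limit(url, requests_to_send, sender=http_get, delay=0.0):
    """Send requests one after another and note the first index the WAF blocked.
    Returns a summary dict; first_blocked is None if no request was blocked."""
    counts = {"allowed": 0, "waf_blocked": 0, "other": 0}
    first_blocked = None
    for i in range(requests_to_send):
        label = classify(*sender(url))
        counts[label] += 1
        if label == "waf_blocked" and first_blocked is None:
            first_blocked = i
        if delay:
            time.sleep(delay)
    return {"sent": requests_to_send, "first_blocked": first_blocked, **counts}


def wait_until_unblocked(url, sender=http_get, poll_seconds=30,
                         max_wait=600, sleeper=time.sleep):
    """Poll until the WAF allows the request again (this IP dropped below the
    limit in the trailing window). Returns the seconds waited; raises on timeout."""
    waited = 0
    while classify(*sender(url)) == "waf_blocked":
        if waited >= max_wait:
            raise TimeoutError("still blocked after %d seconds" % waited)
        sleeper(poll_seconds)
        waited += poll_seconds
    return waited


def simulated_sender(limit):
    """Offline stand-in for http_get: allows the first `limit` calls, then
    answers like the WAF does. Constructed for testing, not a real endpoint."""
    calls = {"n": 0}

    def sender(url):
        calls["n"] += 1
        if calls["n"] > limit:
            return 403, json.dumps(WAF_BLOCK_BODY)
        return 200, '{"statusCode":200,"body":"\\"Hello from Lambda!\\""}'

    return sender


if __name__ == "__main__":
    # Placeholder URL: replace with your own API Gateway stage endpoint.
    target = "https://XXXXXXXXXX.execute-api.us-east-1.amazonaws.com/prod/gettodos"
    print(probe_rate_limit(target, 2500))
    print("unblocked after", wait_until_unblocked(target), "seconds")
```

Run it against the same endpoint you attached the web ACL to; the summary shows exactly where the 403 responses begin, which is more useful than Artillery's aggregate counts when tuning the limit.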

As with API Gateway, you can also associate an AWS WAF web ACL with regional resources such as an Application Load Balancer or AWS AppSync, and with global resources such as CloudFront distributions.

For CloudFront distributions you need to create a web ACL of the Global type instead of the regional resource type.

Conclusion

Using the AWS WAF service as part of your Serverless Application Architecture helps to prevent HTTP Flood DDoS Attacks while also making the Serverless Application more secure through its many other security features provided.

In this article we:

  • Gave a high-level overview of DDoS and HTTP flood DDoS attacks
  • Showed how to use AWS WAF to prevent this attack vector
  • Demonstrated how we can load test our serverless application and see the requests be blocked past a specific threshold

Thank you for reading :)

Sources
[1] https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
[2] https://aws.amazon.com/waf/
[3] https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/overview.html
