Recently, a friend asked about how to handle ddos attacks on AWS. We discussed and theses are some pointers.
Lets say there are 3 components; nodejs api, redis, mysql which we need to setup for our web stack in AWS.
Basic architectures setup:
- register the domain with route53 name servers for highly available dns.
- point route53 to elastic load balancer.
- elb points to nodejs servers.
- nodejs api servers should sit in private subnet routed to NAT gateway. ( for outbound http calls to other services or downloading of apt / yum packages.
- each components should have its own security groups; nodejs, redis, mysql.
Mitigate ddos attacks:
- ensure nodejs web apps is design to be horizontally scalable. ( follow 12factor app design https://12factor.net )
- use auto scaling group to take traffic spike.
- use durable message queues in the architecture to smoothen the spike requests to other backend services.
- use aws sheid for ddos protection; to detect ddos traffic patterns.
- authenticate caller, and rate limit the api per caller.
- enable vpc flow log to detect anomaly
- use monitoring tools to detect attacks and trigger off alerts. ( elastalert, prometheus/grafana )
- only exposing route53 and elastic load balancer to be public facing allow aws to take care of infrastructure availability.
Accessing the servers:
- using either vpn and bastion, they would sit in the public subnet allowing ssh. then ssh agent forward to access web, mysql, redis servers.