
Some things I learned as an AWS customer from a moderately sized (350k req/sec) DDoS attack against AWS CloudFront and WAF.

  • AWS may not proactively do anything about a DDoS attack¹, even if it runs for many hours and is an extremely anomalous amount of traffic
  • There are no default alarms or notifications that will notify about a DDoS¹, including if you have enabled security anomaly detection services
  • Report DDoS issues via the AWS report abuse form not via support tickets, even if you’re paying for support
  • The managed WAF rule group “Amazon IP reputation list” (AWSManagedRulesAmazonIpReputationList) may not actually block any DDoS traffic
  • In particular, the AWSManagedIPDDoSList rule that matches DDoS traffic sources may not block any traffic because its action defaults to Count not Block, unlike the other rules in the group that do Block – it sure may count a lot of requests though
  • Rate limiting rules may not do much when a DDoS is sufficiently distributed unless you reduce the rate to a level that could impact users
  • Adding more specific WAF rules can protect your service and preserve your uptime, but they don’t reduce AWS costs from CloudFront, WAF, and CloudWatch (if WAF is logging there) for handling the traffic
  • CloudWatch Logs Insights queries bill per GB of logs scanned, so if querying across multiple TB of logs you should build queries against a small sample of data and only run across the larger data set with a finished query
  • Billing budget alerts fire the day after charges are incurred
  1. Unless you subscribe to AWS’ Shield Advanced DDoS protection service for $3k/month²
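The two fixes implied by the list above (flip AWSManagedIPDDoSList from its default Count to Block, and create an alarm yourself because AWS ships none) look like this in Terraform. This is an added example, not configuration from the original post; the web ACL name, the rate limit of 2000 requests per five minutes, the alarm threshold of 100k blocked requests per minute, and the SNS topic `aws_sns_topic.alerts` are assumptions you would replace with your own values.

```hcl
# Added example (not the post's own config). Assumed names/thresholds are marked.

resource "aws_wafv2_web_acl" "cloudfront" {
  name  = "example-cloudfront-acl"   # assumed name
  scope = "CLOUDFRONT"               # CloudFront web ACLs must be created in us-east-1

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 1

    # Keep the group's own per-rule actions (none {} = do not override the whole group).
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"

        # The DDoS source list defaults to Count, so it only counts requests.
        # Override just that rule's action to Block; the group's other rules already block.
        rule_action_override {
          name = "AWSManagedIPDDoSList"
          action_to_use {
            block {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "ip-reputation"   # assumed metric name
      sampled_requests_enabled   = true
    }
  }

  # Per-IP rate limit. As the post notes, a well-distributed attack can stay under
  # any limit that is still safe for real users, so this is a backstop, not the fix.
  rule {
    name     = "rate-limit-per-ip"   # assumed name
    priority = 2

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000   # assumed: requests per 5-minute window per source IP
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-cloudfront-acl"
    sampled_requests_enabled   = true
  }
}

# There is no default DDoS notification, so alarm on the web ACL's own metrics.
# BlockedRequests summed over 60s; CountedRequests is the one to watch while a
# rule is still in Count mode.
resource "aws_cloudwatch_metric_alarm" "waf_blocked_spike" {
  alarm_name          = "waf-blocked-requests-spike"   # assumed name
  namespace           = "AWS/WAFV2"
  metric_name         = "BlockedRequests"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 3
  threshold           = 100000                          # assumed: tune to your baseline
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"

  dimensions = {
    WebACL = aws_wafv2_web_acl.cloudfront.name
    Region = "Global"   # CloudFront web ACL metrics use the Global region dimension
    Rule   = "ALL"
  }

  alarm_actions = [aws_sns_topic.alerts.arn]   # assumed: an SNS topic you already own
}
```

Two things worth checking after applying: the `rule_action_override` block requires a Terraform AWS provider that supports it (it replaced the older `excluded_rule` mechanism), and a blocking web ACL still does not lower the CloudFront, WAF or CloudWatch charges for the traffic, so the alarm is also your earliest signal of a billing problem, well before the next-day budget alert the post mentions.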