EC2 ELB and DOS attacks

amazon ec2ddosload balancing

I'm using Amazon's ELB to load balance between servers,

When my site is under attack by bots, everything is exhausted, so here is the problem

I can't block IP addresses with Amazon's security groups, because they don't explicitly allow "deny", so deny one IP you have to allow every other IP address which is tedious.

I can't use iptables to block IP addresses because ELB obfuscates the public IP addresses and replaces them with its own IP address.

The actual IP address of the visitors can only be seen in X-FORWARDED-IP

Best Answer

I don't believe this is doable in any other way then the one you've described on ELB level.

You could use firewall on each instance (in e.g. iptables) to block certain IP addresses, or even to set limit of connections per minute/second for IP address.

This way you could block attackers automatically.

Also you could use tools like Chef/Puppet to propagate your firewall config to each instance.

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

Dealing with NTP reflection attacks in IPTables

Essentially, you're outta luck if the DDoS attack manages to fill whatever pipe you have to the Internet (which is the purpose of any UDP reflection attack -- to fill the pipe). If your upstream link can take 1Gbps of traffic, and there's (say) 2Gbps of traffic total to go down the link, then half of it is going to be dropped by the router or switch that's putting the packets down the link. The attacker doesn't care that half of their attack traffic gets dropped, but your customers do: 50% packet loss in a TCP connection is going to do terrible, terrible things to the performance and reliability of those connections.

There are only ~~two~~ three ways to stop a volumetric DDoS attack:

Have a big enough pipe that the attack traffic doesn't fill it.
Stop the attack packets before they go down the pipe.
Shift to a different IP address that isn't under NTP reflection attack.

Blocking them in iptables won't do squat, because by then the attack traffic has already squeezed out the legit traffic and caused it to be dropped on the floor, so the attacker has won. Since you (presumably) don't control the upstream router or switch that is forwarding the attack traffic, yes, you'll have to get in touch with your upstream network provider and have them do something to stop the attack traffic from reaching your network link, whether that be

block all traffic on the attack port (not something most ISPs are willing to do on their colo customer access routers, for $REASONS)
filter out the source IP addresses of the attack (more plausible, with S/RTBH, but not something that every provider already has available)
worst case, blackhole the destination IP address

Note that blackholing the IP only works if you've got other IP addresses that can continue operating -- if your provider blackholes your only IP address, the attacker has succeeded because you're off the Internet, which is what they were trying to achieve in the first place.

Best Answer

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

Dealing with NTP reflection attacks in IPTables

Related Topic