I have a question that is an extension of this one: Examples where an AWS Security Group is not sufficient as a firewall?. Initially, the answer in that question made sense to me and I was working with the assumption that the firewall that is an AWS Security Group is good enough for now for my app infrastructure (AWS VPC with public/private subnets + Internet Gateway + NAT Device + Elastic Load Balancer).
However, this morning when I woke up and checked my server logs, I saw that I had received approx. a thousand spam GET requests overnight to paths that don't exist, which resulted in 404 responses from my server. The requests kept coming and showed no signs of stopping. The IP addresses for the requests were different but within a specific range. So, I update the Network ACL Inbound rules on my Elastic Load Balancer and added one to DENY access to IP addresses from that range. At this point, the requests stopped hitting my app server.
I don't know if the attacker was trying to DOS me or if this is just standard spamming. I have been getting requests similar to this, here and there every few hours, over the past few weeks since my system went online, but the quantity/frequency of these requests was something that I've never seen. I am relatively new to server ops. I'm happy that I was able to block the attack from continuing to load my app servers, but I'm wondering if I had had a Web Application Firewall in place (implemented as a WAF sandwich: Load Balancer-WAF-Load Balancer), if the whole situation would have been taken care of for me.
As I'm new to this space, the answer is not clear to me when I read the product marketing details of different WAF products here: https://aws.amazon.com/marketplace/search/results/ref=srh_navgno_search_box?page=1&searchTerms=web+application+firewall. I'm really looking for practical advice on whether I need a WAF in my infrastructure (i.e. I can't actually rely on AWS Security Groups to protect my system from spam/DDOS) and what basic features I need in the product. Thanks in advance!
P.S. My app is NOT built on SQL, so I'm not worried about SQL injection attacks.
Best Answer
If you need something that will be inspecting the content of the HTTP requests and making inferences from that, deciding whether to block the request or not (perhaps based on requests over a period of time), then yes you need something other than AWS Security Groups. The Security Groups are effectively just iptables-type firewall rules, looking at allowing/denying individual connections based only on source/dest IP addresses + ports.
Choosing what sort of WAF is appropriate is a much bigger question. You could go anywhere from using something installed directly on your webserver (e.g. mod_security on Apache), through to a separate appliance. Deciding what to use will depend entirely on the nature of the threats you want to protect yourself from.