
I have a question (hopefully not a dumb one). I am the IT guy of a business hosting various applications with AWS, and we currently have a Classic Load Balancer sitting in front of 2 to 3 EC2 instances which handle all our web traffic. It's a pretty straightforward configuration. For the past 13 hours, we have been hit with what we believe is malicious activity. A single person (I think) is trying to send more than 500 requests per second, I guess a bad actor. Unfortunately, I am not well equipped with devops skills, but I know that's one area I need to invest in after this.

At the moment, I am looking to block/rate-limit these requests as soon as possible. I have read online that an API gateway can do this. I would appreciate any advice on what type of API gateway to create. Is it also possible to create an API gateway and route all requests to that gateway to the Load Balancer? And is it also possible to limit requests based on the request body and not only the IP address? Thanks, and I do appreciate any response to this. I am also happy to improve on my question where necessary.

realnsleo
  • What are you protecting? Web servers, API servers, something else? AWS WAF v2 is probably going to be a better product for you. Also if it's coming from one IP or a small set, just add that to the NACLs as a deny on the inbound NACL; it'll be dropped by the hypervisor. If you had CloudFront it can run NACLs on the edge if you're under DDoS, but you might have to pay for Shield Advanced for that, can't recall exactly. – Tim Sep 09 '21 at 07:49
  • Hi @Tim, thank you for your response. Yes, I am protecting the EC2 web servers sitting behind the load balancer. Unfortunately the applications working in the web servers were built by someone else who left and we are currently in the process of changing them. AWS WAF seems to be something that can help. The requests are coming from 5 specific IPs. I am going to read up more on AWS WAF and see how I can deploy that quickly. CloudFront seems an interesting topic. Thanks! Let me get on it. – realnsleo Sep 09 '21 at 08:12

1 Answer


Given you have a very small set of IP addresses hitting your server I suggest you add deny rules on your public subnet Network Access Control List (NACL). It's in the EC2 console.

If it were a DDOS then AWS Shield (free) would probably have taken care of it, and if not AWS WAF may also help.

Tim
  • Thank you!! AWS WAF worked wonders for me. The standard Shield too. I will keep monitoring and also playing around with custom rules. And also employ a devops engineer. Thanks! – realnsleo Sep 09 '21 at 17:16
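Added example, not part of the question or of Tim's answer: a small Python script that parses Classic Load Balancer access log lines (constructed sample traffic in the documented CLB field order), finds the client IPs whose peak per-second request rate exceeds the 500 rps figure from the question, and prints `aws ec2 create-network-acl-entry` deny commands for those IPs, with a placeholder NACL id, for a human to review before anything is applied. Counting only rates strictly above the threshold and starting the deny rules at number 100 are assumptions.

```python
import shlex
from collections import Counter, defaultdict

# Constructed sample traffic, not real log data: (client IP, requests within
# the single second 07:30:00). Rendered below in CLB access log field order.
CONSTRUCTED_TRAFFIC = [
    ("203.0.113.10", 600),  # far above the 500 rps threshold
    ("203.0.113.11", 501),  # just above
    ("203.0.113.12", 500),  # exactly at the threshold: not flagged
    ("198.51.100.7", 3),    # ordinary client
]
LINE_FMT = ('2021-09-09T07:30:00.{us:06d}Z web-clb {ip}:{port} 10.0.1.20:80 '
            '0.000045 0.002100 0.000030 200 200 120 2048 '
            '"POST http://app.example.com:80/login HTTP/1.1" "python-requests/2.25.1" - -')

def make_sample_log():
    return [LINE_FMT.format(us=i, ip=ip, port=40000 + i)
            for ip, count in CONSTRUCTED_TRAFFIC for i in range(count)]

def parse_clb_line(line):
    """Return (whole second, client IP). CLB fields: timestamp, ELB name,
    client:port, backend:port, 3 timings, 2 statuses, 2 byte counts, "request",
    "user agent", ssl cipher, ssl protocol; shlex keeps quoted fields intact."""
    fields = shlex.split(line)
    return fields[0][:19], fields[2].rsplit(":", 1)[0]

def peak_rps_by_ip(lines):
    """Most requests any single client IP made within one second."""
    per_ip = defaultdict(Counter)
    for line in lines:
        second, ip = parse_clb_line(line)
        per_ip[ip][second] += 1
    return {ip: max(c.values()) for ip, c in per_ip.items()}

def flag_abusive(lines, threshold=500):
    """Client IPs whose peak rate is strictly above the threshold, sorted."""
    return sorted(ip for ip, rps in peak_rps_by_ip(lines).items() if rps > threshold)

def nacl_deny_commands(ips, acl_id="acl-PLACEHOLDER", first_rule=100):
    """AWS CLI commands adding an inbound NACL deny per IP, for review before use.
    NACLs evaluate the lowest rule number first, so these must be numbered below
    the subnet's existing allow rule; acl_id is a placeholder to replace."""
    return [f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} --ingress "
            f"--rule-number {first_rule + i} --protocol -1 --rule-action deny "
            f"--cidr-block {ip}/32" for i, ip in enumerate(ips)]

if __name__ == "__main__":
    log = make_sample_log()
    print("peak rps:", peak_rps_by_ip(log))
    print("\n".join(nacl_deny_commands(flag_abusive(log))))
```

On real logs, feed the downloaded CLB access log lines into `flag_abusive` instead of `make_sample_log()`; per-second peaks over a longer window are what separate a burst from a steady stream of abuse.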