Logo
hhlee
2024-11-12 21:55:20

Behind
Defending Against DDoS with AWS WAF: Focusing on User Experience

Running a website inevitably means facing abnormal traffic attacks. Especially when aiming for global services, the domain itself becomes more exposed, increasing the likelihood of becoming a target.

To ensure safe website operations, Videostew uses AWS WAF. Before accessing Videostew, you must first pass through the gatekeeper called WAF. After that, Videostew itself employs several mechanisms to verify and filter out incorrect requests.

< Traces of brute force attacks that sneak in as effortlessly as breathing >

Attack patterns are varied, and we defend against various types through numerous settings. In this post, however, we'll focus solely on the indiscriminate DDoS attacks.

DDoS Attack

A DDoS attack is a method of sending multiple requests simultaneously to cause server downtime. The downtime itself is critical, but it can also be exploited for additional attacks through unexpected error messages or settings caused by server overflow.

Several reasons make DDoS attacks challenging to prevent:

  • They don't originate from a single computer. IPs and agents vary, and infected zombie PCs are controlled to appear as genuine users.
  • Because of the above, it's hard to set a threshold for DDoS. Setting it too low might block legitimate users or cause them the inconvenience of constantly proving they're not robots.
  • Simulating such attacks is difficult. General stress tests focus on simple throughput, which shows a different pattern from DDoS.
  • Due to sudden surges in traffic, if it's not a serverless firewall like a WAF, the firewall server itself might crash.

  • At Videostew, we have a two-tier defense setup to block DDoS attacks while minimizing user inconvenience. It's structured with a non-bypassable Stage 1 block with loose conditions, and a bypassable Stage 2 block with sensitive conditions.

    WAF's Rate Limit Blocking (Stage 1)

    The very first step is to filter out large volumes of traffic at the WAF level. If attack requests reach the actual web server, the burden of verification increases, so it's best to cut off the attack at the WAF.

    The issue, as mentioned earlier, is that once a request is blocked at the WAF, it's difficult to handle afterward. Since access itself is blocked at the source, if legitimate customer traffic is mistakenly blocked, it can be somewhat challenging to rectify. Therefore, we set slightly looser criteria (judging that it's truly, truly abnormal traffic).

    The number of requests accepted within a specified time is added through [Rules > Add rules > Add my own rules and rule groups].

    The important thing is the Rate-limiting criteria, and there is no one-size-fits-all answer. This is because access patterns differ for each service. You can set it tightly and relax it if unintended blocks occur, or approach it the other way around. The time can also be set freely, but if you set it to 5 minutes, you need to increase the Rate Limit accordingly (since legitimate traffic shouldn't be blocked), which means the impact window for a malicious attacker is also extended.

    The point here is that the settings are kept very loose. The purpose of this setting is not to block all DDoS attacks, but to initially filter out only the excessively heavy traffic.

    Backend & WAF CAPTCHA (Step 2)

    This second stage is where malicious attacks and high-traffic users ambiguously mix. A tighter criterion than the first one should be applied (since filtering is still necessary), and at the same time, a means to request removal should be provided since they might be legitimate users.

    The setup is simple. Manage a blacklist of IPs using the IP Sets feature on WAF, and instead of blocking the IPs on this blacklist, offer a CAPTCHA feature.

    In the backend code, if a user from a specific IP connects excessively within a minute, triggers multiple CSRF errors, repeatedly fails form validations, or continuously requests non-existent pages, the IP is dynamically added to the IP Sets using the WAF SDK.

    When this happens, the user encounters Amazon's awkwardly designed CAPTCHA. Until they pass this, the WAF will not allow them to reach the web server. If the user proves they are human, an `aws-waf-token` cookie is created, allowing them access to the web server. As long as this cookie is valid, the user can normally use the service again.

    However, the user is still on the blacklist IP. This means that if the allowed token cookie expires or is lost, the CAPTCHA will appear again. Therefore, when a user with an `aws-waf-token` accesses, they are encouraged to "request to unblock the IP" once more through guidance.

    < Mistaken for an attack IP but confirmed as human, here's your disassembly guide >

    After clicking the guide message, you can verify your humanity once more using Google CAPTCHA. Once verified, an API request will be triggered using the AWS SDK to remove the respective IP.

    On the frontend, display the "Manual Disassembly Request" guide message only to users with `aws-waf-token` and without `aws-waf-verified`.

    Effect

    This is a graph of actual DDoS traffic. DDoS attacks show such spikes because they flood traffic from various IPs at specific times. You can see that a significant portion is filtered out by the set rules. However, some unfiltered traffic still escapes... Tightening the first condition could inconvenience regular users, so enhancing the second condition adjusted in the backend seems necessary.

    And More...

    Here, we only covered CAPTCHA blocking using WAF's Rate Limit Rule and IP Sets. Our team also uses AWS Managed Rules (blocking methods provided by Amazon). There's no one-size-fits-all in WAF settings, so we believe that customizing it gradually as you apply it to your service is the best approach.

    Go to Article
    πŸ“£ The Real Solution for Automated Press Release Videos: Videostew Automation API Over the past year, Videostew has been partnering with the Korea Press Foundation (KPF) as part of the News Content Infrastructure Project, delivering a variety...
    The Real Solution for Automated Press Release Videos: Videostew Automation API
    Junwoo 2025-08-05
    πŸ—žοΈ [Updates] New File Editing Tools Added (Reverse Playback, Background Removal, Quality Enhancement) Introducing our brand-new AI Editing Tools for your uploaded media files! Now, when you edit a file, every instance of it throughout your project will be update...
    [Updates] New File Editing Tools Added (Reverse Playback, Background Removal, Quality Enhancement)
    Junwoo 2025-07-29
    πŸŽ“ Creating an Automated Video Generation Workflow with Videostew API on Make.com In this post, we'll walk you through building an automated video creation process using Make and the Videostew API. Buckle up—automation magic ahead!Getting Sta...
    Creating an Automated Video Generation Workflow with Videostew API on Make.com
    Junwoo 2025-07-22
    πŸ—žοΈ [Update] Introducing AI Voice with Emotion Control We’ve added AI voices capable of expressing five different emotions: ‘Neutral’, ‘Joy’, ‘Sadness’, ‘Anger’, and ‘Calm’.You can listen and choose your preferred v...
    [Update] Introducing AI Voice with Emotion Control
    Junwoo 2025-07-17
    πŸ—žοΈ [Update] Adding Multiple BGM Tracks to a Single Project We've jazzed things up a bit! Now, instead of having just one background music track for an entire project, you can set different tunes for different sections. ...
    [Update] Adding Multiple BGM Tracks to a Single Project
    Junwoo 2025-07-11
    πŸ€” YouTube's July 15 YPP Policy Update and Three Messages I Got From It Creators in Panic ModeStarting last week, posts like "AI videos will be blocked by July 15th" and "You won't earn ad revenue unless you use your own voice" have...
    YouTube's July 15 YPP Policy Update and Three Messages I Got From It
    Junwoo 2025-07-10
    πŸŽ“ A Comprehensive Guide to Features Frequently Used by Videostew Creators How are creators making the most of Videostew? πŸ€”By exploring use cases of Videostew, we've gathered insights from various creators, leading us to identify four ...
    A Comprehensive Guide to Features Frequently Used by Videostew Creators
    Junwoo 2025-06-24
    πŸ“£ Videostew Team Members Share the Journey of Our 500K Creator Client's YouTube Growth At Videostew, we run an online chat service where real humans are ready to assist you. Among our team, whenever we talk about memorable customers, the nickname ...
    Videostew Team Members Share the Journey of Our 500K Creator Client's YouTube Growth
    Junwoo 2025-06-16
    [Stop]