Exploring DDoS Simulation Testing in AWS


Distributed denial of service (DDoS) attacks occur when malicious actors inundate a targeted application with traffic from various sources, causing disruptions in availability. DDoS simulation testing is a controlled approach that allows application owners to evaluate their application’s resilience and practice responding to such events. AWS permits DDoS simulation testing under specific terms and conditions outlined in their Testing policy. This article aims to clarify when it is suitable to conduct a DDoS simulation test on an AWS application and the available testing options.

DDoS Protection on AWS

At AWS, security is paramount. The platform includes basic DDoS protection by default, safeguarding customers against common and frequent infrastructure-level (layer 3 and 4) DDoS threats such as SYN/UDP floods and reflection attacks. While this built-in protection is designed to ensure the availability of AWS infrastructure, applications may require tailored protections that align with their specific traffic patterns and with internal reporting and incident response processes. For more comprehensive protection, consider subscribing to AWS Shield Advanced, which complements the inherent resiliency of the services you use.

AWS Shield Advanced is a managed service designed to fortify applications against external threats, including DDoS attacks, volumetric bots, and attempts at exploiting vulnerabilities. By subscribing to Shield Advanced, customers gain enhanced protection for their resources, including tailored detection based on application traffic patterns, support against Layer 7 DDoS incidents, 24/7 access to the Shield Response Team (SRT), centralized security policy management through AWS Firewall Manager, and cost protection to mitigate scaling charges due to DDoS-related usage spikes. AWS WAF, a web application firewall, can also be integrated with Shield Advanced to establish custom layer 7 firewall rules and enable automatic mitigation of application layer DDoS attacks.

Acceptable Use Cases for DDoS Simulation on AWS

AWS continually innovates, introducing new DDoS protection capabilities as detailed in the DDoS Best Practices whitepaper. This document outlines DDoS events and the architectural decisions that can help mitigate volumetric threats when building on AWS. If your application follows these best practices, you may not need a DDoS simulation test, as these architectures have undergone extensive internal testing by AWS and are validated for customer use.

Using DDoS simulations to examine the limits of AWS infrastructure is not an appropriate use case for these tests. Similarly, assessing whether AWS effectively manages its side of the shared responsibility model does not align with valid testing motives. Additionally, simulating a DDoS attack on other AWS resources using AWS infrastructure is discouraged. Load tests, which are intended to provide reliable data on application performance under stress, differ significantly from DDoS tests. Application owners may run DDoS simulation tests primarily due to regulatory compliance requirements or to validate their DDoS mitigation strategies.

Options for DDoS Simulation Testing on AWS

AWS provides two primary options for conducting DDoS simulation tests:

  1. A simulated DDoS attack in production traffic with an authorized AWS Partner.
  2. A synthetic simulated DDoS attack conducted with the SRT, also known as a firedrill.

The rationale for conducting DDoS tests can vary significantly among applications. Clearly defining the purpose of the test can guide you to the suitable option. For incident response strategy testing, a firedrill with the SRT is recommended. Conversely, if you wish to assess Shield Advanced features or application resilience, collaborating with an AWS-approved partner is advisable.

DDoS Simulation Testing with an AWS Partner

AWS DDoS test partners are authorized to perform simulation tests on behalf of customers without needing prior AWS approval. Customers can reach out to the following partners to arrange these paid engagements:

  • SecureSphere Solutions
  • Vigilant Cyber Defense
  • CyberSafe Innovations

Before contacting these partners, customers must agree to the terms and conditions governing DDoS simulation tests. The application should be well-architected according to the guidelines in the AWS DDoS Best Practices whitepaper. Partners wishing to conduct non-compliant DDoS simulation tests must request approval by submitting the DDoS Simulation Testing form at least 14 days before the intended test date. For inquiries, please email aws-ddos-testing@amazon.com.

Upon selecting a test partner, customers typically engage in several testing phases, starting with a discovery discussion to establish clear goals, technical details, and the schedule. The subsequent phase involves partners executing multiple simulations based on agreed threat vectors, durations, and other factors. These tests are usually performed by gradually increasing traffic levels from low to high while retaining the option for an emergency stop. The final phase consists of reporting, discussing identified gaps, and outlining actionable tasks.

These engagements are usually long-term, paid contracts organized over several months and executed over weeks, with results analyzed over time. Such tests and reports are valuable for customers needing a comprehensive evaluation of detection and mitigation capabilities. If you aim to assess your application’s DDoS resilience, practice event response with real traffic, or meet compliance obligations, this engagement is highly recommended. However, these tests are not suitable for determining the volumetric thresholds of the AWS network or understanding when AWS begins to throttle requests. AWS services are designed to scale, and exceeding certain dynamic volume thresholds will activate detection systems to block traffic. Importantly, these tests should not be confused with stress tests, which send meaningful packets to the application to evaluate its behavior.

DDoS Firedrill Testing with the Shield Response Team

Customers enrolled in the Shield Advanced service can also leverage the SRT to assess incident response workflows. By contacting the SRT, customers can request firedrill testing, a type of synthetic test that does not generate real volumetric traffic but does initiate a Shield event in the customer’s account.
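
The two ingredients that make a firedrill (or a partner test) worth running are the mitigation wiring described under Shield Advanced and AWS WAF above, and an alerting path that actually fires when the SRT raises a Shield event. The following Python is an added example, not code from the original article or from AWS: it builds the request bodies for a WAF rate-based rule, for enabling Shield Advanced automatic application-layer DDoS mitigation, and for a CloudWatch alarm on the `DDoSDetected` metric, so you can confirm the alarm path end to end during the drill. The resource ARNs, the rule and alarm names, and the rate limit value are placeholders chosen for illustration; the `apply()` function only calls AWS when run as a script with credentials present.

```python
"""Build AWS WAF, Shield Advanced and CloudWatch definitions for a DDoS firedrill.

Added example; the ARNs and names below are constructed placeholders, not real
resources. Only apply() talks to AWS, and only when run as a script.
"""
from __future__ import annotations

# Constructed placeholder ARNs (hypothetical account id and resource names).
PROTECTED_ARN = (
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "loadbalancer/app/example-alb/0123456789abcdef"
)
ALERT_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ddos-oncall"

# Conservative lower bound for a WAFv2 rate-based rule limit used by this
# example; check the current AWS WAF quotas page before relying on it.
MIN_RATE_LIMIT = 100
VALID_ACTIONS = ("Block", "Count")


def rate_based_rule(name: str, limit: int, priority: int = 0, action: str = "Block") -> dict:
    """Return a WAFv2 Rule definition that rate-limits requests per source IP.

    Start with action="Count" during a drill to observe matches without
    blocking, then switch to "Block" once thresholds are understood.
    """
    if limit < MIN_RATE_LIMIT:
        raise ValueError(f"rate limit must be >= {MIN_RATE_LIMIT}, got {limit}")
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {VALID_ACTIONS}")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def web_acl_request(acl_name: str, rules: list[dict], scope: str = "REGIONAL") -> dict:
    """Return keyword arguments for wafv2.create_web_acl with an allow default."""
    return {
        "Name": acl_name,
        "Scope": scope,  # "CLOUDFRONT" for distributions, "REGIONAL" for ALB/API GW
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": acl_name,
        },
    }


def auto_response_request(resource_arn: str, action: str = "Count") -> dict:
    """Return arguments for shield.enable_application_layer_automatic_response.

    Shield Advanced places its own rule group in the associated web ACL; Count
    mode lets you review what it would have blocked before enforcing.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {VALID_ACTIONS}")
    return {"ResourceArn": resource_arn, "Action": {action: {}}}


def ddos_detected_alarm(resource_arn: str, topic_arn: str, alarm_name: str = "shield-ddos-detected") -> dict:
    """Return arguments for cloudwatch.put_metric_alarm on Shield's DDoSDetected metric.

    A firedrill raises a Shield event without real traffic, so this alarm going
    to the on-call topic is the observable proof that the response path works.
    """
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def apply(region: str = "us-east-1") -> None:
    """Create the resources; requires boto3 and AWS credentials (not run on import)."""
    import boto3  # imported lazily so the builders above work offline

    wafv2 = boto3.client("wafv2", region_name=region)
    shield = boto3.client("shield", region_name=region)
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    acl = wafv2.create_web_acl(**web_acl_request("drill-acl", [rate_based_rule("per-ip-limit", 2000, action="Count")]))
    wafv2.associate_web_acl(WebACLArn=acl["Summary"]["ARN"], ResourceArn=PROTECTED_ARN)
    shield.enable_application_layer_automatic_response(**auto_response_request(PROTECTED_ARN))
    cloudwatch.put_metric_alarm(**ddos_detected_alarm(PROTECTED_ARN, ALERT_TOPIC_ARN))


if __name__ == "__main__":
    apply()
```

Shield Advanced automatic mitigation requires the resource to already be associated with a web ACL, which is why `apply()` creates and associates the ACL before enabling it; keeping both the rate rule and the automatic response in `Count` mode for the first drill lets the team compare what would have been blocked against the SRT's event timeline before enforcing.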

For more insights, don’t miss this related post on Chanci Turner VGT2.

This resource is also an excellent guide for those seeking to deepen their understanding of DDoS simulation testing: Chvnci.

For those interested in career development, check out this excellent resource for learning and development opportunities at AWS: AWS Learning & Development.

