AWS Best Practice For DDoS Resiliency (BP1 & BP3) | Overview.

AWS Best Practice For DDoS Resiliency (BP1 & BP3) - Overview.

Scope:

• Intro,
• BP1: Web application delivery at the edge,
• BP3: Domain name resolution at the edge,
• The concept of AWS DDoS Resiliency Framework,
• BP1:  Using AWS Edge Services for CloudFront, Route 53, & Global Accelerator (Deep dive),
• Key Components: Amazon CloudFront,
• Key Components: Amazon Route 53,
• Key Components: AWS Global Accelerator,
• Table of How BP1 Mitigates DDoS (Attack types & Mitigation via BP1),
• Core Principle of How BP1 Mitigates DDoS,
• BP3: Protecting Infra with AWS Shield & WAF (Deep dive),
• Key Components of Protecting Infra with AWS Shield & WAF,
• Core Principle of How BP3 Mitigates DDoS,
• Architecture For Edge-to-Origin Flow (BP1 + BP3 Together)
• Implementation Best Practices,
• Summary Table for Layers, Services, Role In DDoS Mitigation & Best Practices,
• Insights.

Intro:

• In the AWS Best Practices for DDoS Resiliency, Best Practice 1 (BP1) and Best Practice 3 (BP3) focus on using the AWS Global Edge Network to scale and mitigate infrastructure-layer attacks. 

BP1: Web application delivery at the edge

• Amazon CloudFront: Use this to serve web traffic from edge locations. 
• Amazon CloudFront provides built-in protection against common layer 3 and 4 attacks like:
•  SYN floods
•  UDP reflection by absorbing and filtering traffic before it reaches twtech origin.
• AWS Global Accelerator: twtech uses this for non-HTTP workloads to route traffic through the AWS edge network.
• This helps twtech to mask its origin's IP address and provide access to the global scale of AWS for attack absorption.

BP3: Domain name resolution at the edge

• Amazon Route 53: This managed DNS service uses the edge network to provide high availability and resiliency against DNS-based DDoS attacks.
• Cost Protection: Route 53 can be configured to protect against NXDOMAIN attacks.
• This ensures twtech costs remain manageable even during high-volume query floods. 

NB:

• By implementing these edge-based services, twtech distributes its application's entry points across hundreds of AWS edge locations.
• These practicess (BP1 & BP3) significantly increases twtech capacity to absorb (mitigate) volumetric attacks.
• AWS edge infrastructure such as:
• CloudFront, 
• Route 53, 
• Global Accelerator, 
• AWS Shield, 
• WAF ...mitigated DDoS at scale.

The concept of AWS DDoS Resiliency Framework

• AWS recommends a layered approach for DDoS protection, typically mapped into Best Practices (BPs) that address resilience from edge to origin.
• The Edge layer is the first line of defense.
• The Edge layer is designed to absorb and mitigate volumetric and application-layer attacks before they ever reach twtech VPC or application servers.

 BP1:  Using AWS Edge Services for CloudFront, Route 53, & Global Accelerator (Deep dive) 

Objective

• To Reduce attack surface, then leverage AWS’s globally distributed edge network to absorb and filter DDoS attacks close to the source.

1. Key Components: Amazon CloudFront

• Global CDN with >400 edge locations.
• Absorbs volumetric attacks (e.g., UDP floods, TCP SYN floods, HTTP floods).
• Automatic scaling — CloudFront’s distributed architecture allows it to handle sudden traffic spikes (malicious or legitimate).
•  Connection Termination: CloudFront terminates TCP and TLS sessions at the edge, isolating your origin from direct traffic.
• Caching and Origin Shield: Cached objects reduce origin load; Origin Shield adds an additional centralized caching layer to further limit direct origin requests.
• Geo and ACL Filtering: Integrate with AWS WAF to drop unwanted requests by geography, IP reputation, or query patterns.

2.  Key Components: Amazon Route 53

• Authoritative DNS service that uses a globally distributed, anycast network.
• Resistant to DNS-based DDoS NXDOMAIN floods ...attack that overwhelms a Domain Name System (DNS) server with requests for invalid, non-existent domain names,... amplified attacks.
• Automatically scales to handle billions of queries per day.
• Provides alias records that integrate directly with CloudFront and other AWS resources.
• This pattern prevents exposure of public IPs.

3.  Key Components: AWS Global Accelerator

•  Provides static IP addresses that front twtech application endpoints (ALBs, EC2s, EKS services).
•  Uses the AWS global network backbone for deterministic routing and health-based traffic shifting.
•  Mitigates DDoS at the network and transport layers before it reaches twtech backend by terminating traffic at edge PoPs (Points of Presence) 
• These strategies locate facilities at network's periphery, then bring content, compute & connectivity closer to end-users (Points of Presence) 

Table of How BP1 Mitigates DDoS (Attack types & Mitigation via BP1) 

Attack Type	Mitigation via BP1
Volumetric (UDP floods, TCP SYN floods)	Distributed edge absorption and packet filtering at CloudFront/Route 53 edge locations.
Application Layer (HTTP floods)	CloudFront + WAF rate-based rules limit malicious requests before reaching origin.
DNS-based attacks	Route 53’s anycast network absorbs query floods, auto-scales response infrastructure.
Protocol exploitation (SYN/ACK reflection)	Edge TCP termination and Shield Standard’s SYN proxying block malformed traffic.

Core Principle of How BP1 Mitigates DDoS 

• Keep attack traffic away from twtech origin (VPC). 
• The more of the application logic is pushed to the AWS edge location, the less exposed twtech VPC & backend becomes.

 BP3: Protecting Infra with AWS Shield & WAF (Deep dive)

 Objective

•  Leverage (using) AWS Shield & AWS WAF to provide:
• Adaptive, 
• Automatic, 
• Application-aware DDoS protection.

 Key Components of Protecting Infra with AWS Shield & WAF

1. AWS Shield Standard

• Always-on, 
• No-cost protection,
• Included with:
• CloudFront, 
• Route 53, 
• Global Accelerator.
• Detects and automatically mitigates common network/transport-layer DDoS attacks.
• Uses flow-based detection and anomaly analysis from global traffic patterns.
• Transparent mitigation — no customer configuration required.

2. AWS Shield Advanced

• Adds enhanced DDoS detection, 24/7 DDoS Response Team (DRT) support, and cost protection against scaling-related expenses.
• Provides near real-time metrics, health-based detection, and per-resource anomaly baselining.
• Protects additional resources such as:
• ALBs, 
• NLBs, 
• EC2, 
• EKS beyond edge services.

3. AWS WAF (Web Application Firewall)

• Deployed at CloudFront, ALB, or API Gateway edge endpoints.
• Filters malicious HTTP requests based on custom or managed rule sets.
• Rate-based & anomaly rules throttle floods or bots that slip past volumetric defenses.
• Using AWS Managed Rules, for example:
• AWS Common Rule Set, 
• Known Bad Inputs, 
• Cover OWASP Top 10 attacks.

 Table of How BP3 Mitigates DDoS (Attack types & Mitigation Via BP)

Attack Type	Mitigation via BP3
Application-layer floods (HTTP POST/GET)	WAF rate limiting and behavioral analysis block repeated bad actors.
Slowloris / connection exhaustion	Shield Advanced uses early termination and connection tracking heuristics.
Bad bot traffic	WAF Bot Control and AWS Managed Rules stop scraper/flood behavior.
Multi-vector attacks	Shield coordinates multi-layer mitigation across CloudFront, Route 53, and origin services.

 Core Principle of How BP3 Mitigates DDoS

• Combining automatic network-layer mitigation (AWS Shield) with application-layer inspection (AWS WAF) ensures end-to-end resilience.

Architecture For Edge-to-Origin Flow (BP1 + BP3 Together)

     1. Traffic enters AWS edge network → Anycast routes it to nearest edge POP.
2. Shield Standard engages immediately for volumetric filtering.
3. CloudFront terminates connections and caches static content.
4.  WAF evaluates requests (rules, IP reputation, rate-limits).
5.  Legitimate traffic proceeds via AWS backbone → ALB/NLB → EC2/EKS.
6.  Shield Advanced protects backend layers if enabled.
7.  Distributed Routing Table (DRT monitoring) and health metrics detect ongoing or evolving threats.

 Implementation Best Practices.

• Always front public applications with CloudFront or Global Accelerator.
• Use Shield Advanced for mission-critical workloads (SLA-backed protection).
• Integrate WAF at the edge with rate-based and managed rules.
• Avoid exposing origin IPs — restrict inbound traffic to CloudFront or Global Accelerator IP ranges.
• Enable logging (CloudFront, WAF, Shield) for forensic visibility.
• Test with AWS’s DDoS Simulation Service (via Shield Advanced) to validate defenses.

 Summary Table for Layers, Services, Role In DDoS Mitigation & Best Practices

Layer	Service	Role in DDoS Mitigation	Best Practice
Edge	CloudFront / Route 53 / Global Accelerator.	Absorb & isolate traffic close to users.	BP1
Edge + Application	Shield Standard / Advanced + WAF.	Detect and block network + application attacks.	BP3
Origin	ALB / EC2 / EKS.	Protected only from legitimate filtered traffic.	BP1 + BP3 in effect

twtech-Insights:

AWS DDoS resiliency: BP1

• In the context of protecting against Distributed Denial of Service (DDoS) attacks, AWS defines several best practices.

BP1:  Has two related applications Practices: 

·       A,  Web application delivery at the edge: 

• AWS recommends using its edge locations to place the web application delivery as close as possible to the end users. 
• This minimizes latency and reduces the distance malicious traffic has to travel.

·        B, Protecting the origin: 

• AWS suggests protecting twtech main origin server from direct internet access. 
• By ensuring all web traffic passes through an AWS edge service like CloudFront or Global Accelerator, twtech can inspect and filter requests before they reach its origin. 

BP1: W3C Data on the Web Best Practices.

• The World Wide Web Consortium (W3C) also has a set of best practices for publishing data on the web. 
• In this W3C context, BP1 is a general guideline for providing metadata. 

·       NB:

• The W3C insists on Providing metadata for both human users and computer applications: 
• This means that when twtech publishes data, it should not only describe it in a way that people can understand but also provide machine-readable metadata. 
• This allows automated applications to more easily find, process, and understand the data

 AWS DDoS resiliency in : BP3.

• Amazon Web Services (AWS) also uses the abbreviation BP3 in its best practices for mitigating DDoS attacks, as it relates to DNS availability at the edge of the network. 

·        What BP3 is: 

• In this context, BP3 is a best practice that involves using a DNS service like Amazon Route 53 to protect against denial-of-service attacks at the domain name resolution level.

·        Purpose: 

• This practice is part of a larger infrastructure-layer defense strategy to ensure the availability of web applications even when under attack