AWS Shield

The Amazon Web Services (AWS) Shield [8] provides protection against DDoS attacks (Figure 1). The Standard protection is available to any AWS customer. The product includes detection of network flow data and automatic mitigation of DDoS attacks against SYN flooding or UDP reflection attacks. However, you do not receive information about a successful defense. If you choose the AWS Shield Advanced product, you receive the following additional features for around $3,025 per month plus charges for data transfer:

• In addition to connection data at the network level, Amazon collects and analyzes transaction logs at the application level.
• Access to advanced scrubbing capacities.
• Notification of attacks on ISO Layers 3 and 4, as well as data about the type of attack.
• Reports for ISO Layers 3, 4, and 7.
• Incident management by the Amazon DDoS response team.
• If necessary, manual mitigation.
• Manual analysis after the attack.
• Reimbursement for costs incurred by the attack associated with CloudFront, Route 53, and ELB services.

Figure 1: Amazon protects customers against DDoS attacks – to an extent. For more protection, you will have to dig very deeply into your pockets.

Of import is that Amazon only protects what runs on Amazon. Although it is possible to protect data traffic on your own servers using services such as CloudFront or a reverse proxy and to protect your own network connection in another way, you cannot fight off targeted attacks.

Arbor Appliance

Arbor [9] produces DDoS detection and defense systems with its own hardware. The company provides traffic scrubbing systems in data centers in the US, Europe, and Asia. The service only defends against attacks detected by the customer.

Licensing depends on the bandwidth of clean traffic. If a customer has a 1Gbps line, they pay for the 1Gb package. Additionally, Arbor offers packages for a monthly fee or for defense against 12 attacks per year. The packages each include the protection of a /24 network, including five DNS names, and are expandable. Arbor lets you link triggering of the defenses to your appliance. If an attack is detected, the Cloud defense is triggered and provides reports for the attacks.

Link11

Link11 [10] also offers protection by BGP, by DNS redirection, and by connecting directly to host service provider data centers. The licensing differs in the DNS and BGP versions, but both define clean traffic as a 95th percentile of normal traffic (without attacks).

On DNS, Link11 counts how many IP addresses it protects on the original systems, with clean traffic speed levels of 25, 50, 100, 150, and 250Mbps. In the case of BGP, the size, in terms of a netmask, counts as a parameter, and the count starts with a /24 network as the first. The second is again the protected bandwidth (Link11 differentiates between symmetric and asymmetric routing); the scales are 250, 500, and 1,000Mbps.