
AWS Shield – Managed DDoS Protection - irs
https://aws.amazon.com/shield/
======
Rapzid
I have a lot of questions/problems with this. Here are two.

1.) They mention in the compare tiers "Application traffic monitoring" for
Advanced. However in the FAQ: "In addition, customers can also use AWS WAF to
protect against Application layer attacks". WAF is only available through
CloudFront, and CloudFront charges 600 dollars a month for a custom SSL
certificate with dedicated IP.

So do they have "Application traffic monitoring" outside of WAF? I'm led to
believe not.

2.) They mentioned multiple times you can call on the DRT team to help you.
However buried in the FAQ is this little gem: "Response times for DRT depends
on the AWS Support plan you are subscribed to".

So for 3k/mo I can't get better than 24/hr turnaround when I'm under attack
without ALSO having a business/enterprise support plan?

~~~
beachstartup
for $3k/month i wouldn't expect a competent human being to be on call 24/7,
which is what you're asking for.

this is one thing that does not enjoy economies of scale. competent people
working under pressure at 3AM on a holiday are extremely expensive.

would _you_ do that job? and how much do you get paid?

~~~
Someone1234
Why? It isn't dedicated support. A single support rep could have hundreds of
theoretical clients.

Amazon.com manages to have 24/7 chat support and they certainly aren't
charging $3K/month. That's just the power of multi-tasking.

~~~
beachstartup
sounds like you've stumbled onto a fantastic entrepreneurial business
opportunity. i say you should go for it!

~~~
nothrabannosir
What, clone aws and offer better support?

I feel like you're trying to mock him for being so self evidently wrong that
it's (apparently) funny, but I don't see it. How does criticism of a support
model lead to "then you do it"?

Or are you implying something else? That's what I hate about these coy
between-the-lines replies in chat forums. It's not obvious and I don't know
what to reply to! Just say what's on your mind, don't play games. Give the
rest of us a chance to reply to something.

/rant, sorry :)

------
Artemis2
> AWS Shield Advanced comes with “DDoS cost protection”, a safeguard from
> scaling charges as a result of a DDoS attack that cause usage spikes on
> Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53. If any
> of these services scale up in response to a DDoS attack, AWS will provide
> service credits for charges due to usage spikes.

This is a very big deal!

~~~
nilved
Not really. Now your $1K DDOS bill is a $1K AWS credit. Hardly any better.

AWS desperately needs a way to turn off pay-by-use services through billing
alerts. I don't believe this is possible right now.

~~~
akerl_
You appear to be assuming that the credit applies _after_ they charge your
card, which is not what it reads as to me. The process sounds like "$1k line
item for traffic -> $1k credit -> $0 charged to card".

Additionally: you can totally set up CloudWatch Alarms for billing events,
it's one of the categories they provide out-of-the-box, and alarms can trigger
notifications, lambdas, SQS, etc. So you can totally wire alarm -> lambda and
have lambda spin down the thing costing you the money.
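The alarm -> Lambda -> spin-down wiring described above, as an added example that is not part of the original thread or any AWS code. It assumes the alarm's SNS topic triggers the Lambda, that the alarm payload carries the standard CloudWatch fields (`AlarmName`, `NewStateValue`, `Trigger.Namespace`), and that only instances carrying a hypothetical opt-in tag `auto-stop-on-billing-alarm=true` may be stopped. The EC2 client is injected so the example runs offline against a fake fleet; in Lambda it falls back to `boto3.client("ec2")`.

```python
import json

# Hypothetical opt-in tag (not an AWS-defined tag): only instances carrying
# it with value "true" are eligible to be stopped by the alarm handler.
AUTO_STOP_TAG = "auto-stop-on-billing-alarm"


def parse_alarm_messages(event):
    """Pull CloudWatch alarm payloads out of an SNS-triggered Lambda event."""
    alarms = []
    for record in event.get("Records", []):
        raw = record.get("Sns", {}).get("Message")
        if not raw:
            continue
        try:
            alarms.append(json.loads(raw))
        except json.JSONDecodeError:
            continue  # not a CloudWatch alarm (e.g. a manual SNS publish)
    return alarms


def is_billing_alarm_firing(alarm):
    """True only for an AWS/Billing alarm that has entered the ALARM state."""
    trigger = alarm.get("Trigger", {})
    return alarm.get("NewStateValue") == "ALARM" and trigger.get("Namespace") == "AWS/Billing"


def tagged_running_instances(ec2):
    """IDs of running instances that opted in via AUTO_STOP_TAG."""
    resp = ec2.describe_instances(Filters=[
        {"Name": f"tag:{AUTO_STOP_TAG}", "Values": ["true"]},
        {"Name": "instance-state-name", "Values": ["running"]},
    ])
    return [inst["InstanceId"]
            for reservation in resp.get("Reservations", [])
            for inst in reservation.get("Instances", [])]


def lambda_handler(event, context=None, ec2=None):
    """Lambda entry point: stop opted-in instances when a billing alarm fires."""
    firing = [a for a in parse_alarm_messages(event) if is_billing_alarm_firing(a)]
    if not firing:
        return {"stopped": [], "reason": "no billing alarm in ALARM state"}
    if ec2 is None:
        import boto3  # deferred so the module loads without boto3 installed
        ec2 = boto3.client("ec2")
    ids = tagged_running_instances(ec2)
    if ids:
        ec2.stop_instances(InstanceIds=ids)
    names = ", ".join(a.get("AlarmName", "?") for a in firing)
    return {"stopped": ids, "reason": "billing alarm(s): " + names}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client so the example runs offline."""

    def __init__(self, instances):
        self.instances = instances  # list of (instance_id, state, tags-dict)
        self.stopped = []

    def describe_instances(self, Filters):
        # Honour the two filters the handler sends (tag opt-in and running state).
        wants_tag = any(f["Name"] == f"tag:{AUTO_STOP_TAG}" for f in Filters)
        wants_running = any(f["Name"] == "instance-state-name" for f in Filters)
        matches = [{"InstanceId": iid} for iid, state, tags in self.instances
                   if (not wants_running or state == "running")
                   and (not wants_tag or tags.get(AUTO_STOP_TAG) == "true")]
        return {"Reservations": [{"Instances": matches}]}

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


# Constructed sample event: the shape SNS hands to Lambda, wrapping a
# CloudWatch billing alarm that has just crossed its threshold.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "AlarmName": "EstimatedCharges-over-500-USD",
    "NewStateValue": "ALARM",
    "NewStateReason": "Threshold Crossed",
    "Trigger": {"MetricName": "EstimatedCharges", "Namespace": "AWS/Billing",
                "Threshold": 500.0},
})}}]}


def demo():
    """Run the handler against the constructed event and a fake three-instance fleet."""
    fleet = FakeEC2([
        ("i-0aaa0001", "running", {AUTO_STOP_TAG: "true"}),   # opted in, running
        ("i-0aaa0002", "running", {}),                        # not opted in
        ("i-0aaa0003", "stopped", {AUTO_STOP_TAG: "true"}),   # already stopped
    ])
    result = lambda_handler(SAMPLE_EVENT, ec2=fleet)
    return result, fleet.stopped


if __name__ == "__main__":
    print(demo())
```

The opt-in tag is the safety valve: a billing alarm fires account-wide, so the handler should never be able to stop anything that was not explicitly marked as disposable. The Lambda's execution role should likewise be scoped to `ec2:DescribeInstances` plus `ec2:StopInstances` on those tagged instances only.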

~~~
nilved
Right, I see how I could have been wrong about that assumption. I assumed it
would be after-the-fact credits.

And doing it through Lambda is possible, but the friction there almost feels
deliberate. They should make it a first-class option you don't need to wire
together yourself.

~~~
bigiain
They should make it a first class option - to spend less money with them?

AWS is the ultimate "wire it together yourself" tool. If that's _not_ what
you're after, there are many other vendors eager to take your money.

~~~
nilved
This is really just apologizing for bad UX. Bad UX in the best case, dark
pattern in the worst case.

~~~
bigiain
I don't think so - from my perspective it's more like a misunderstanding on
some people's part of what AWS is.

It's a practically unlimited scale-to-the-moon platform that allows you to
provision hundreds or thousands of virtualised bits of internet infrastructure
in seconds or minutes - and automate it all.

All their "light pattern" UX is laser focused on allowing you to instantly
provision all the capacity you ask for.

If you expect a UX oriented to "cost minimisation" or "potential user error
protection", AWS is the wrong choice of tool. You can still use it, but what
seems to you to be "Bad UX" or "dark patterns" can easily be explained as "you
chose the wrong tool" if you view AWS from a different angle (and I'd argue,
that angle is the one all AWS's 7 digit per month customers see it from, and
hence the way the AWS team builds and prioritises everything).

------
jedberg
I've been saying for years that AWS has secret DDOS protection. Never
confirmed, but I'm pretty sure the basic level is just them admitting that
they've always had that service.

~~~
kyledrake
This is not true. The reality is that they have never had a "secret strat" for
dealing with DDoS attacks except to pass the buck to their customers. And the
lack of a clearly defined policy, combined with their exorbitant bandwidth
costs, has made it far too dangerous to anyone without a massive budget to
build services on their infrastructure.

They have decided to "resolve" this problem by using it as an opportunity to
further gouge their customers on bandwidth (which is already 12x+ more
expensive than market rate for IP transit), instead of absorbing it into their
existing cost structure. Which still would have meant their bandwidth was
overpriced, and still would be way higher than what you can get pretty much
everywhere else.

For a contrast, OVH provides this protection as an _included feature_ in all
of their offerings. Before everyone writes it off as junk in comparison to the
glorious AWS black box (AWS is _amazing_ at marketing), bear in mind that the
OVH scrubber just took a terabit DDoS attack against it and survived:
[http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack](http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack)

OVH correctly realizes that the only way to solve this problem is to make sure
everybody gets access to it. Otherwise you're just encouraging the
democratization of censorship for those without the means to protect
themselves against it. I hope the "cloud" providers follow their example.

------
dx034
Finally. The basic offer is something a lot of other providers already have.
Not sure about the advanced one. Sounds quite expensive. $3,000/month plus
extra traffic costs.

And I don't understand which traffic they bill. Usually AWS bills outgoing
traffic, but for DDOS costs only occur on ingress, or am I wrong? Can't see
from the price list what they'll actually bill (ingress or egress).

~~~
dangrossman
That's $2000/month cheaper than Cloudflare Enterprise. I imagine they have the
same target customer?

~~~
dx034
Do you have a source for the $5000 number? Heard it's more around 3k. But
guess it's on an individual basis.

And at Amazon that's just the ddos costs, the cdn and traffic cost extra.

~~~
dangrossman
[https://support.cloudflare.com/hc/en-us/articles/200170326-How-much-does-the-Enterprise-Plan-cost-](https://support.cloudflare.com/hc/en-us/articles/200170326-How-much-does-the-Enterprise-Plan-cost-)

------
nate_martin
So many new named services. AWS will soon get to a point where their product
dropdown won't fit on a laptop screen. Maybe it's time to consolidate some of
these services into more general products.

~~~
mifreewil
They did just re-organize that dropdown in AWS, it's actually much easier to
search and find things. You can also pin commonly-used services to the top
menu bar too.

~~~
nate_martin
For someone familiar with the products, yes. But for someone new to AWS most
of these options don't make sense. I'm looking at a menu with hundreds of
options like Snowglobe and Beanstalk and I have no idea where to start. Are
they trying to brand their trademarks as the de facto name for the service
(like Kleenex and ChapStick have done)?

~~~
madeofpalk
Oh, all of AWS is terribly not-intuitive to use. Just creating an EC2 instance
is amazingly complicated.

~~~
bloomark
Made so much easier with lightsail -
[https://lightsail.aws.amazon.com/ls/webapp/home/resources](https://lightsail.aws.amazon.com/ls/webapp/home/resources)

------
snowwrestler
If you are willing to pay $thousands per month for DDOS protection, do
yourself a favor and talk to DOSArrest. They have been specializing in DDOS
protection since 2007, always answer tickets in minutes, and are aggressively
committed to beating DDOS attacks. Not sure of their current pricing but I
think it is in this range or lower.

------
foobar16372883
So credits are limited to specific services:

> usage spikes on Elastic Load Balancing (ELB)

If traffic has reached the load balancer then it's probably reached your app.
No ec2 / storage / traffic credits here.

> Amazon CloudFront

Neat. Like cloudflare but with less features though.

> or Amazon Route 53

DNS... Not really sure what to make of this one.

~~~
stevekemp
> DNS... Not really sure what to make of this one.

You only have to think back a couple of weeks to recall the DDoS that took
down Dyn:

[https://news.ycombinator.com/item?id=12759697](https://news.ycombinator.com/item?id=12759697)

DDoS attacks on DNS servers are pretty common, not least because a lot of
hosting companies regard DNS as low priority.

I have an interest in Amazon's DNS setup, as I use it to provide my own
git-based DNS hosting <https://dns-api.com> so I'll be curious to see how
this works in practice myself.

------
bigjohn99
A lot of people are missing the point. AWS has the ability to handle the
largest attacks like the one that took out dns for half the net. It's not meant
to be compared with the smaller players with limited abilities such as
dosarrest and what not.

If you are on AWS, you are already protected up to a certain size for free.
This you can compare to a dosarrest, small 10,20,30 gbps attacks and yet you
are getting it for free, at no cost! The Advanced tier opens you up to a team
of actual ddos experts 24/7, this is meant for the serious players that can't
afford interruptions or downtime.

If you're worried about blogs and wiki stuff, use google's ddos shield which
is free for bloggers and news outfits.

This is a huge deal people, I can't understand why there are people out here
bashing it, what a joke.

------
dgudkov
I'm reading all the recent new product announcements from Amazon and can't
stop thinking that AWS is what IBM should have been. AWS is becoming
"everything IT that a business needs".

------
benevol
Hetzner has had this for quite a while now.

~~~
tbarbugli
I am surprised to hear someone saying anything positive about Hetzner. My only
experience with them was a nightmare with terrible support and very
inconsistent network performance.

~~~
warrenm
I've never heard anything bad about them

Been a Hetzner customer for years now

~~~
chupasaurus
Most of the stories about Hetzner I've read could be divided into PEBKAC and
"Service Information is tl;dr" problems.

------
mrwnmonm
you don't have to do anything to get this, right? it is on by default?