78 comments

[ 7.2 ms ] story [ 181 ms ] thread
Finally. The basic offer is something a lot of other providers already have. Not sure about the advanced one. Sounds quite expensive. $3,000/month plus extra traffic costs.

And I don't understand which traffic they bill. Usually AWS bills outgoing traffic, but for DDOS costs only occur ingress, or am I wrong? Can't see from the price list what they'll actually bill (ingress or egress).

Pricing Example 4: AWS Shield Advanced For Amazon CloudFront

Let’s assume that you deploy an Amazon CloudFront Distribution in front of the Application Load Balancer from Example 3. You then enable AWS Shield Advanced protection for your Amazon CloudFront Distribution, and remove it from your Application Load Balancer. (If you have deployed Amazon CloudFront in front of Application Load Balancer, you only need to enable protection for Amazon CloudFront).

Under this scenario, at the end of the month, you will pay the AWS Shield Advanced monthly fee of $3,000. In addition to the monthly fee, you will be charged the AWS Shield Advanced usage based fee of $25 for the 1,000 GB of Regional Data Transfer out at $0.025 per GB. Your total AWS Shield charges for the month will be $3,000 + $25 = $3,025.

In addition, you will pay standard Application Load Balancer and Amazon CloudFront fees as described in the Application Load Balancer Pricing and Amazon CloudFront Pricing pages.

> $3,000/month plus extra traffic costs.

As if their existing margins on bandwidth aren't high enough.

> Finally. The basic offer is something a lot of other providers already have.

Sure, protections like what OVH "already offers" when a DDOS attack downs their entire administrative portal?

It's clear to heavy AWS users that Amazon was already providing certain DDoS protections before this announcement.

Was more thinking of ovh, in the recent attack the admin interface and network weren't affected as it seems.
That's $2000/month cheaper than Cloudflare Enterprise. I imagine they have the same target customer?
This seems to be only for people on AWS, which is why Amazon can charge less for it: they're already making a profit on you elsewhere.

For people who host their own servers or systems (or who cloud but not on AWS), this doesn't appear to be an option and you still have to go with Cloudflare.

I've been saying for years that AWS has secret DDOS protection. Never confirmed, but I'm pretty sure the basic level is just them admitting that they've always had that service.
I wondered about this as well. At the very least, AWS provided admin protection during a DDOS attack. Unlike other providers their administration portion of the website was always online and accessible. This was an important and unsung benefit to using AWS.
This is not true. The reality is that they have never had a "secret strat" for dealing with DDoS attacks except to pass the buck to their customers. And the lack of a clearly defined policy, combined with their exorbitant bandwidth costs, has made it far too dangerous to anyone without a massive budget to build services on their infrastructure.

They have decided to "resolve" this problem by using it as an opportunity to further gouge their customers on bandwidth (which is already 12x+ more expensive than market rate for IP transit), instead of absorbing it into their existing cost structure. Which still would have meant their bandwidth was overpriced, and still would be way higher than what you can get pretty much everywhere else.

For a contrast, OVH provides this protection as an included feature in all of their offerings. Before everyone writes it off as junk in comparison to the glorious AWS black box (AWS is amazing at marketing), bear in mind that the OVH scrubber just took a terabit DDoS attack against it and survived: http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-...

OVH correctly realizes that the only way to solve this problem is to make sure everybody gets access to it. Otherwise you're just encouraging the democratization of censorship for those without the means to protect themselves against it. I hope the "cloud" providers follow their example.

Your comment was addressed in the session on Shield at AWS re:Invent. You were indeed correct they've been doing it for a while.
One obvious thing they've always had is monstrous amounts of bandwidth. That will help with some attacks.

But yeah, it's interesting to learn there's a baseline anti-DDoS thing that's on by default.

I think so too. In the past, I'd get frequent DDOS attacks against my site, and the dedicated hosts I was with would null route my account, or tell me to take a hike, even though I was paying them $1k+/mo.

I switched to AWS 1.5 years ago, and all my DDOS issues magically disappeared overnight.

Most DOS/DDOS attacks you need to stop as soon as possible, so the kit to do it has to be on the edge, and they don't want to be doing 'who is this for and what plan are they on' provisioned onto all of their edge kit - they may as well just nuke everything that looks bad.
> AWS Shield Advanced comes with “DDoS cost protection”, a safeguard from scaling charges as a result of a DDoS attack that cause usage spikes on Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53. If any of these services scale up in response to a DDoS attack, AWS will provide service credits for charges due to usage spikes.

This is a very big deal!

AWS Shield Advanced though...so what does this mean if you are on Standard? One of the biggest fears is launching an EC2 instance (or some other service) only to get hit at some random point in time with a DDoS attack and a large bill at the end of the month. I've read stories of AWS forgiving events like this, but are you now up a creek if you don't subscribe to their "Advanced" tier?
Precisely. The majority of people who are be afraid of using AWS services for the risk of a bill shock due to a DDoS would be small customers who won't be able to afford the 3,000$ per month price tag for the advanced shield anyways. For them, it's still risky to use AWS.
Unless you're spending $xx,xxx or above monthly with AWS, you're probably better off using Cloudflare for DDOS protection.

EDIT: Number is professional opinion from my experience running large AWS accounts over the last 10 years.

(comment deleted)
I hear this all the time, people being surprised by an $80k bill when they're used to $5k. Step one of using any of these services, whether it's AWS, GCP, Azure, etc. ENABLE BILLING ALERTS. You can be notified as soon as you're being charged x%, or $x over last months bill, or set your own amounts and hop on and investigate what's going on. Please set this up. If you don't have this on right now, stop what you're doing and turn it on.

This is the first thing that I do any time I'm involved with a new infrastructure.

Not really. Now your $1K DDOS bill is a $1K AWS credit. Hardly any better.

AWS desperately needs a way to turn off pay-by-use services through billing alerts. I don't believe this is possible right now.

>Now your $1K DDOS bill is a $1K AWS credit.

Nice!

>Hardly any better.

...what?

Cash is king. Loaning money to Amazon you could be using to pay suppliers or salaries or returning to investors is a cost.
You appear to be assuming that the credit applies after they charge your card, which is not what it reads as to me. The process sounds like "$1k line item for traffic -> $1k credit -> $0 charged to card".

Additionally: you can totally set up CloudWatch Alarms for billing events, it's one of the categories they provide out-of-the-box, and alarms can trigger notifications, lambdas, SQS, etc. So you can totally wire alarm -> lambda and have lambda spin down the thing costing you the money.

Right, I see how I could have been wrong about that assumption. I assumed it would be after-the-fact credits.

And doing it through Lambda is possible, but the friction there almost feels deliberate. They should make it a first-class option you don't need to wire together yourself.

They should make it a first class option - to spend less money with them?

AWS is the ultimate "wire it together yourself" tool. If that's _not_ what you're after, there are many other vendors eager to take your money.

This is really just apologizing for bad UX. Bad UX in the best case, dark pattern in the worst case.
I don't think so - from my perspective it's more like a misunderstanding on some people's part of what AWS is.

It's a practically unlimited scale-to-the-moon platform that allows you to provision hundreds or thousands of virtualised bits of internet infrastructure in seconds or minutes - and automate it all.

All their "light pattern" UX is laser focused on allowing you to instantly provision all the capacity you ask for.

If you expect a UX oriented to "cost minimisation" or "potential user error protection", AWS is the wrong choice of tool. You can still use it, but what seems to you to be "Bad UX" or "dark patterns" can easily be explained as "you chose the wrong tool" if you view AWS from a different angle (and I'd argue, that angle is the one all AWS's 7 digit per month customers see it from, and hence the way the AWS team builds and prioritises everything)

Billing alerts are Cloudwatch alarms, capable of queueing SNS events. You can use those to scale down.
Hetzner has this for quite a while now.
The problem is that the whole Hetzner network is only 1.4tbit/s. Recent attacks were large than that and would've likely saturated their network.
Source? When I search for 'hetzner tbps' I only see one unsubstantiated forum post claiming 1.2 Tbps [1]. There are other reports about new peering arrangements, submarine cables, etc. so I'm curious if you have something more concrete.

Disclosure: I work at Google Cloud (but not in networking / would know the answer)

[1] https://www.lowendtalk.com/discussion/70274/hetzner-new-ex41...

They state it on their homepage, it's 1.46Tbps [1]. They upgraded a bit recently, still too small to handle attacks that are unfortunately common nowadays. I don't have numbers for OVH, but they should be closer to 5-10Tbps, as they stated that their scrubbing centres will be able to handle 5Tbps in the next months.

[1] https://www.hetzner.de/en/hosting/unternehmen/rechenzentrum

I am surprised to hear someone saying anything positive about Hetzner. My only experience with them was a nightmare with terrible support and very inconsistent network performance.
I've never heard anything bad about them

Been a Hetzner customer for years now

Most of the histories about Hetzner I've read could be divided to PEBKAC and Service Information is tl;dr problems.
They have incredibly cheap dedicated servers (something like 50 Euros for quad core, 64GB ram, 2TB disk/500gb ssd with traffic included!).

I had several servers from them over the years without issues and great performance.

Never been DDOSed though...

So many new named services. AWS will soon get to a point where their product dropdown wont fit on a laptop screen. Maybe it's time to consolidate some of these services into more general products.
They did just re-organize that dropdown in AWS, it's actually much easier to search and find things. You can also pin commonly-used services to the top menu bar too.
For someone familiar with the products, yes. But for someone new to AWS most of these options don't make sense. I'm looking at a menu with hundreds of options like Snowglobe and Beanstalk and I have no idea where to start. Are they trying to brand their trademarks as the defacto name for the service (like Kleenex and ChapStick have done)?
99% of their products aren't useful to the individual computer guy, and are geared toward enterprise. Ignore them and use the specific ones you need.
I hate the new dropdown. The old one had brightly-coloured icons that were an easy visual search. The new one is a wall of text you have to parse.
Completely agree on this point! Also wish there was a way to remove Resource Groups from the top bar.
I have a lot of questions/problems with this. Here are two.

1.) They mention in the compare tiers "Application traffic monitoring" for Advanced. However in the FAQ: "In addition, customers can also use AWS WAF to protect against Application layer attacks". WAF is only available through CloudFront, and CloudFront charges 600 dollars a month for a custom SSL certificate with dedicated IP.

So do they have "Application traffic monitoring" outside of WAF? I'm lead to believe not.

2.) They mentioned multiple times you can call on the DRT team to help you. However buried in the FAQ is this little gem: "Response times for DRT depends on the AWS Support plan you are subscribed to".

So for 3k/mo I can't get better than 24/hr turnaround when I'm under attack without ALSO having a business/enterprise support plan?

As per the pricing page, looks like you _do_ need support plan:

"AWS Shield Advanced is available to customers who are enrolled in either the Enterprise or Business Support levels of AWS Premium Support."

https://aws.amazon.com/shield/pricing/

Oh wow, thanks! I hadn't noticed that yet :| So many caveats to this thing.

Look like I'd need to pony up >1k/mo on top of 3k to get access to the service then...

AWS is not the place to be if you're on a budget
How often are people on a budget the target of serious ddos attacks?
A better question would be, "How often are people on a budget the target of a budget DDOS attack?" I think we've long since entered the era where DDOS attacks don't have to be "serious" to be massive.
Pretty often, especially in the realm of journalism (Wikileaks et al) and especially in network-security journalism. (Imagine writing exposés about botnet-owners. Imagine what kind of DDoS results from that.)
Yes and Amazon is the company to go running to if you are doing things that the establishment does not like. I don't think so.
A lot of game servers (eg Minecraft) get DDoSed by competitor servers or players as revenge
More generally: I think a decent fraction of the people who think DDoSing is an appropriate way to deal with personal vendettas are kids. The targets of kids' vendettas are often also kids. Kids tend to have low budgets. (The budget required to launch a DDoS, through one of the many commercial websites that sell them, is pretty low.)
See above, business level support 24/7 with phones is $100/month.
For people paying less than 1k on their bill, or am I missing something? I feel pretty confident in the layout I... Laid out.
Hmmm, reading further, there is a 12-month commitment on the $3,000/month plan.

So if you get hit by DDOS, you can't just pay $3,000 and hope that DDOS is gone within a month. Looks like you have to sign up for a year's worth of protection.

for $3k/month i wouldn't expect a competent human being to be on call 24/7, which is what you're asking for.

this is one thing that does not enjoy economies of scale. competent people working under pressure at 3AM on a holiday are extremely expensive.

would _you_ do that job? and how much do you get paid?

Why? It isn't dedicated support. A single support rep could have hundreds of theoretical clients.

Amazon.com manages to have 24/7 chat support and they certainly aren't charging $3K/month. That's just the power of multi-tasking.

sounds like you've stumbled onto a fantastic entrepreneurial business opportunity. i say you should go for it!
I think you're being rather uncharitable to the GP. Essentially no host, managed or unmanaged, has a 1 engineer:1 customer ratio.

Most of the big names in DDoS protection, looking only at enterprise tier support, have tens of clients per network support tech minimum.

What, clone aws and offer better support?

I feel like you're trying to mock him for being so self evidently wrong that it's (apparently) funny, but I don't see it. How does criticism of a support model lead to "then you do it"?

Or are you implying something else? That's what I hate about these coy between-the-lines replies in chat forums. It's not obvious and I don't know what to reply to! Just say what's on your mind, don't play games. Give the rest of us a chance to reply to something.

/rant, sorry :)

Rackspace and DosArrest are two companies that currently provide me with competent support 24/7 for products that cost less than $3k/month.

They're out there, you just have to look.

No one in this thread bothered to check Amazon support pricing. It's $100/month.

https://console.aws.amazon.com/support/plans/home?region=us-...

$100/month is the MINIMUM for Business tier support. If you spend $2K on AWS services then it is $200, $3K is $300, $4K is $400, and so on... Up until $10K total AWS spend then it drops from 10% of spend to 7%, and from 7% to 5% over $80K.[0]

Enterprise tier's minimum is $15K by the way.

And the Business Tier lacks "Business-critical system down" support with a 15 minute response time. But it does have the "Production system down" level with a "less than 1 hour" response.[1]

AWS's support isn't cheap. And it isn't simply "$100/month" that's the minimum for real support (and no, developer tier isn't real support for production systems).

[0] https://aws.amazon.com/premiumsupport/pricing/

[1] https://aws.amazon.com/premiumsupport/compare-plans/

That's not that expensive.

If you bought a rack of servers and storage from HP, IBM or Dell and wanted a tier that got you to an engineer in <15m, that would cost far more.

So credits are limited to specific services

> usage spikes on Elastic Load Balancing (ELB)

If traffic has reached the load balancer than it's probably reached your app. No ec2 / storage / traffic credits here.

> Amazon CloudFront

Neat. Like cloudflare but with less features though.

> or Amazon Route 53

DNS... Not really sure what to make of this one.

> DNS... Not really sure what to make of this one.

You only have to think back a couple of weeks to recall the DDos that took down Dyn:

https://news.ycombinator.com/item?id=12759697

DDos attacks DNS servers are pretty common, not least because a lot of hosting companies regard DNS as low priority.

I have an interest in Amazon's DNS setup, as I use it to provide my own git-based DNS hosting <https://dns-api.com> so I'll be curious to see how this works in practice myself.

you don't have to do anything to get this, right? it is on by default?
If you are willing to pay $thousands per month for DDOS protection, do yourself a favor and talk to DOSArrest. They have been specializing in DDOS protection since 2007, always answer tickets in minutes, and are aggressively committed to beating DDOS attacks. Not sure of their current pricing but I think it is in this range or lower.
A lot of people are missing the point. AWS has the ability to handle the largest attacks like the one that took out dns for half the net. Its not meant to be compared with the smaller players with limited abilities such as dosarrest and what not.

If you are on AWS, you are already protected up to a certain size for free. This you can compare to a dosarrest, small 10,20,30 gbps attacks and yet you are getting it for free, at no cost! The advance opens you up to a team of actual ddos experts 24/7, this is meant for the serious players that cant afford interuptions or downtime.

If your worried about blogs and wiki stuff, use google's ddos shield which is free for bloggers and news outfits.

This is a huge deal people, i cant understand why there are people out here bashing it, what a joke.

I'm reading all the recent new product announcements from Amazon and can't stop thinking that AWS is what IBM should have been. AWS is becoming "everything IT that a business needs".