Loading ...

Would you like to discuss your environment with a knowledgable engineer?

Preferred communication *

Thank you. We will be in touch with you shortly

aiProtect on AWS Configuration

Please read this first: Getting started with AWS Marketplace

Then for basic aiProtect configuration, please see aiProtect configuration. Below is the aiProtect tutorial for AWS, that sets up your security groups. The instruction below are not mandatory, but they will offer extra protection for AWS users.

Setting up the Security Groups

Log into the AWS console (https://console.aws.amazon.com) and navigate to EC2 and then Security Groups in NETWORK & SECURITY menu on the left hand side.

Screen Shot 2013-10-22 at 11.55.53 AM

We’re going to have 2 Security Groups – one for the aiProtect instance and the other one for the origin server(s).

Setting up the Security Group for aiProtect EC2 instance

We will use the “default” Security Group for this purpose. This Security Group comes with some pre-defined firewall rules. The rules permit ALL INBOUND traffic only within the Security Group (ie. if you use the default Security Group for 2 different instances, all of the traffic between them will be permitted). We obviously need to add an INBOUND rule to allow port 80 TCP to be available for everybody, so the users can reach the aiProtect instance. Port 22 TCP is optional and should only be allowed when the SSH access to the aiProtect server is needed.

The OUTBOUND traffic is permitted without restrictions.

The important part here is to make a note of the Security Group ID (sg-cd7387a2 in our example) as we will use it to set up the Security Group for the origin instances:


Screen Shot 2013-10-22 at 11.55.47 AM


Screen Shot 2013-10-22 at 11.56.20 AM

Setting up the Security Group for origin instances

Origin servers should be placed in a separate Security Group, as they should ONLY be accessible from the aiProtect instance. Let’s create the Security Group called origin-servers. Please make a note of the Security Group ID (sg-859f91e7 in our example):


Screen Shot 2013-10-22 at 12.11.23 PM

We allow all ICMP/TCP/UDP INBOUND traffic between the servers placed in the origin-servers (sg-859f91e7) Security Group  and TCP port 80 (HTTP) and 22 (SSH) ONLY from the default (sg-cd7387a2Security Group. None of the ports on the origin instances should be exposed to the public Internet.

The OUTBOUND traffic is permitted without restrictions:

Screen Shot 2013-10-22 at 12.13.23 PM

At this stage, you should subscribe (if you haven’t yet) for the aiProtect instance and boot it up in EC2. The aiProtect instance should run in VPC. Attach the default Security Group when provisioning the instance.

Your origin server should have the origin-servers Security Group attached. Change that if that’s not true, or modify as per earlier example.

Below is the screen shot with two instances running (see the Security Groups attached to each of them):

Screen Shot 2013-10-22 at 12.35.39 PM

Screen Shot 2013-10-22 at 12.36.03 PM

The final step will be adding an Elastic IP to the aiProtect instance. The origin server should only have a private IP.

Screen Shot 2013-10-22 at 12.38.25 PM

Now it’s the time to configure your aiProtect instance. For most aiProtect configuration see: Configuration of the DoS protection

In this document we are only focussing on setting up DDoS reporting . To make that work, all you need to do is to set up alert_email, origin and hostname variables in /etc/aicache/aicache.cfg file. We provide a template configuration file for DDoS protection, which we suggest you use for this purpose.

During an attack

Once aiProtect instance gets under a DDoS attack, you will get notified by email specified in /etc/aicache/aicache.cfg file (setting is alert_email). You can then view the files with offending ip-addresses in real time through your browser, either on  http://ip.address.of.ami/synflood_offenders.txt (for SYN flood attacks) or http://ip.address.of.ami/clip_offenders.txt (for all other DoS attacks).

If you don’t react by removing the offender files from the server manually, you’ll get notified again in 24 hours.

Here is an example of a warning email:

“Dear Admin,

Your aiProtect server running on the Amazon Web Services EC2 network with an IP address of has detected a Denial of Service attack. We are currently tracking the attacking addresses in a log file found here: (edit: this link is not live any more)

In order to begin mitigation work to end this attack the Network Operations Team at AWS needs to be alerted and will need access to this file. If you will please forward this email FROM THE EMAIL ADDRESS THAT IS REGISTERED ON YOUR AWS ACCOUNT, they will be able to use this data to being stopping the attack.

Please forward this email to: abuse@amazonaws.com”

Removing offender files manually

Log into the aiProtect instance via SSH and become the root. Then execute the following command:

root@aiProtect~# ddos_cleanup.sh
US (208) 948-9786‬   EU ‭+31 621302365