Please read this first: Getting started with AWS Marketplace
Then, for basic aiProtect configuration, please see aiProtect configuration. Below is the aiProtect tutorial for AWS, which sets up your security groups. The instructions below are not mandatory, but they offer extra protection for AWS users.
Log into the AWS console (https://console.aws.amazon.com) and navigate to EC2, then to Security Groups in the NETWORK & SECURITY menu on the left-hand side.
We are going to use two Security Groups: one for the aiProtect instance and one for the origin server(s).
For the aiProtect instance we will use the “default” Security Group. This Security Group comes with some pre-defined firewall rules: ALL INBOUND traffic is permitted only from within the Security Group itself (i.e. if you use the default Security Group for two different instances, all traffic between them is permitted). We need to add an INBOUND rule allowing TCP port 80 from everybody, so that users can reach the aiProtect instance. TCP port 22 is optional and should only be opened while SSH access to the aiProtect server is actually needed.
The OUTBOUND traffic is permitted without restrictions.
The important part here is to make a note of the Security Group ID (sg-cd7387a2 in our example) as we will use it to set up the Security Group for the origin instances:
Origin servers should be placed in a separate Security Group, as they should ONLY be accessible from the aiProtect instance. Let’s create the Security Group called origin-servers. Please make a note of the Security Group ID (sg-859f91e7 in our example):
We allow all ICMP/TCP/UDP INBOUND traffic between the servers placed in the origin-servers (sg-859f91e7) Security Group and TCP port 80 (HTTP) and 22 (SSH) ONLY from the default (sg-cd7387a2) Security Group. None of the ports on the origin instances should be exposed to the public Internet.
The OUTBOUND traffic is permitted without restrictions:
At this stage, subscribe (if you haven’t yet) to the aiProtect instance and boot it up in EC2. The aiProtect instance should run in a VPC. Attach the default Security Group when provisioning the instance.
Your origin server should have the origin-servers Security Group attached. If it does not, change the attached Security Group, or adjust it as shown in the earlier example.
Below is the screenshot with the two instances running (note the Security Groups attached to each of them):
The final step will be adding an Elastic IP to the aiProtect instance. The origin server should only have a private IP.
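As an added example (not aiProtect’s own code), the following Python check audits the two groups against the layout described above, assuming the input has the shape returned by `aws ec2 describe-security-groups` (or boto3’s `describe_security_groups`); the sample groups are constructed here, reusing the IDs from the walkthrough, and the origin group deliberately carries one bad rule so the check has something to flag:

```python
# Added example, not aiProtect's own code: audit EC2 security groups against the
# tutorial's layout. Input dicts follow the `describe-security-groups` shape.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
AIPROTECT_PUBLIC_OK = {("tcp", 80, 80), ("tcp", 22, 22)}  # 22 only while SSH is needed


def public_rules(group):
    """Set of (protocol, from_port, to_port) rules reachable from the Internet."""
    exposed = set()
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & ANY_SOURCE:
            exposed.add((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return exposed


def group_sources(group):
    """Set of security-group IDs the group accepts inbound traffic from."""
    return {pair["GroupId"] for perm in group.get("IpPermissions", [])
            for pair in perm.get("UserIdGroupPairs", [])}


def audit(aiprotect, origin):
    """Return findings as strings; an empty list means the layout matches the tutorial."""
    findings = []
    for rule in sorted(public_rules(aiprotect) - AIPROTECT_PUBLIC_OK, key=str):
        findings.append(f"{aiprotect['GroupId']}: unexpected public rule {rule}")
    for rule in sorted(public_rules(origin), key=str):  # origin: never public
        findings.append(f"{origin['GroupId']}: public rule {rule}")
    for src in sorted(group_sources(origin) - {origin["GroupId"], aiprotect["GroupId"]}):
        findings.append(f"{origin['GroupId']}: ingress from unexpected group {src}")
    return findings


# Constructed sample data (hypothetical, mirrors the tutorial's two groups).
AIPROTECT_SG = {"GroupId": "sg-cd7387a2", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-cd7387a2"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
ORIGIN_SG = {"GroupId": "sg-859f91e7", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-859f91e7"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-cd7387a2"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-cd7387a2"}],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # the mistake: SSH open to the world
]}

if __name__ == "__main__":
    for finding in audit(AIPROTECT_SG, ORIGIN_SG):
        print(finding)
```

Feed it the real `SecurityGroups` entries from your account and an empty result confirms that no origin port is exposed to the public Internet and that only the aiProtect group can reach the origin servers.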
Now it’s time to configure your aiProtect instance. For most aiProtect configuration see: Configuration of the DoS protection
In this document we focus only on setting up DDoS reporting. To make that work, all you need to do is set the alert_email, origin and hostname variables in the /etc/aicache/aicache.cfg file. We provide a template configuration file for DDoS protection, which we suggest you use for this purpose.
Once the aiProtect instance comes under a DDoS attack, you will be notified at the email address specified in the /etc/aicache/aicache.cfg file (the alert_email setting). You can then view the files listing the offending IP addresses in real time through your browser, either at http://ip.address.of.ami/synflood_offenders.txt (for SYN flood attacks) or at http://ip.address.of.ami/clip_offenders.txt (for all other DoS attacks).
If you don’t react by removing the offender files from the server manually, you’ll get notified again in 24 hours.
Here is an example of a warning email:
Your aiProtect server running on the Amazon Web Services EC2 network with an IP address of 184.108.40.206 has detected a Denial of Service attack. We are currently tracking the attacking addresses in a log file found here:
In order to begin mitigation work to end this attack the Network Operations Team at AWS needs to be alerted and will need access to this file. If you will please forward this email FROM THE EMAIL ADDRESS THAT IS REGISTERED ON YOUR AWS ACCOUNT, they will be able to use this data to begin stopping the attack.
Please forward this email to: firstname.lastname@example.org
Log into the aiProtect instance via SSH and become root. Then execute the following command:
root@aiProtect~# ddos_cleanup.sh
root@aiProtect~#