Configuring custom mitigations with the Shield Response Team (SRT)
For your Elastic IPs (EIPs) and your Amazon Global Accelerator standard accelerators, you can work with the Shield Response Team (SRT) to configure custom mitigations. This is useful in case you know of specific logic that should be enforced when a mitigation is placed. For example, you may wish to only allow traffic from certain countries, enforce specific rate limits, configure optional validations, disallow fragments, or only allow traffic that matches a specific pattern in the packet payload.
Examples of common custom mitigations include the following:
-
Pattern matching – If you operate a service that interacts with client-side applications, you can choose to match on known patterns that are unique to those applications. For example, you may operate a gaming or communications service that requires the end-user to install specific software that you distribute. You can include a magic number in every packet sent by the application to your service. You can match on up to 128 bytes (separate or contiguous) of a non-fragmented TCP or UDP packet payload and headers. The match can be expressed in hexadecimal notation as a specific offset from the beginning of the packet payload or a dynamic offset following a known value. For example, the mitigation can look for the byte
0x01and then expect0x12345678as the next four bytes. -
DNS specific – If you operate your own authoritative DNS service using services like Global Accelerator or Amazon Elastic Compute Cloud (Amazon EC2), you can request a custom mitigation that validates packets to ensure that they are valid DNS queries and apply suspicion scoring that evaluates attributes that are specific to DNS traffic.
To inquire about working with SRT to build custom mitigations, create a support case under Amazon Shield. To learn more about creating Amazon Web Services Support cases, see Getting started with Amazon Web Services Support.