Automated blocking of IPs using AWS Services: Managing load on your server

mayankladoia

Amazon CloudFront is a widely used content delivery network (CDN) that serves web assets such as HTML, images, CSS and JavaScript from edge locations worldwide with low latency. A distribution can be configured for standard (access) logging: CloudFront batches the log records for the requests it receives and periodically writes them as gzipped files to the S3 bucket attached to the distribution (CloudFront's separate real-time logs are delivered to Kinesis Data Streams and are not used here). Each new log object in the bucket triggers a Lambda function that parses the file, counts requests per client IP, and adds every IP that exceeds our defined threshold to an IP set referenced by a block rule in the AWS WAF web ACL attached to the distribution. A blocked IP stays blocked for a defined period. Once that period has expired and the Lambda function runs again on a later log file, it re-evaluates the IPs on the block list against the new file: an IP whose request count is now below the threshold is unblocked, otherwise it remains blocked. Whenever an IP is blocked or unblocked, a notification is sent to the site admins through SNS. Together these services automatically mitigate Denial-of-Service (DoS) traffic coming from individual IPs, with no operator in the loop.

Three points matter in practice. Standard log delivery is best-effort and typically lags the traffic by minutes, so the pipeline catches sustained abuse rather than reacting instantly. AWS WAF's built-in rate-based rules already block an IP that exceeds a request limit over a short rolling window without any custom code; this pipeline is useful where you want a longer, configurable block period, re-evaluation on expiry and notifications. Finally, a per-IP threshold cannot see an attack spread across many source addresses, and it must be set high enough that a NAT or proxy egress shared by many legitimate users is not blocked along with the abuser.
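The Lambda logic described above, written out as an added example in Python; this is not the talk's own code. The parser, the block/unblock policy and the CIDR conversion run offline on a constructed log file; `lambda_handler` wires them to S3, AWS WAF and SNS through boto3. The threshold and block duration, the environment variable names (`IPSET_NAME`, `IPSET_ID`, `STATE_KEY`, `TOPIC_ARN`) and the choice to keep the block table as a JSON object in S3 are all assumptions made for the example.

```python
import gzip
import io
import ipaddress
import json
import os
import time
from collections import Counter

# Tunables: the defaults are assumptions for this example, not figures from the talk.
THRESHOLD = int(os.environ.get("REQUEST_THRESHOLD", "100"))   # requests per log file
BLOCK_SECONDS = int(os.environ.get("BLOCK_SECONDS", "3600"))  # length of one block


def count_requests_per_ip(gz_bytes):
    """Count requests per client IP in one gzipped CloudFront standard log.
    The c-ip column is located via the '#Fields:' header, not hard-coded."""
    counts, ip_col = Counter(), None
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as f:
        for raw in f:
            line = raw.decode("utf-8").rstrip("\n")
            if line.startswith("#Fields:"):
                ip_col = line.split()[1:].index("c-ip")
            elif line and not line.startswith("#"):
                if ip_col is None:
                    raise ValueError("log file has no #Fields header")
                counts[line.split("\t")[ip_col]] += 1
    return counts


def decide(counts, blocked, now, threshold=THRESHOLD, block_seconds=BLOCK_SECONDS):
    """Apply the policy to one batch. blocked maps ip -> epoch seconds when its
    block expires. Returns (newly_blocked, unblocked, updated_block_table)."""
    updated, newly_blocked, unblocked = dict(blocked), [], []
    for ip, until in blocked.items():          # re-evaluate only expired blocks
        if until > now:
            continue                            # still inside the block window
        if counts.get(ip, 0) > threshold:
            updated[ip] = now + block_seconds   # still abusive: extend silently
        else:
            del updated[ip]
            unblocked.append(ip)
    for ip, n in counts.items():                # block new offenders
        if n > threshold and ip not in updated:
            updated[ip] = now + block_seconds
            newly_blocked.append(ip)
    return sorted(newly_blocked), sorted(unblocked), updated


def to_cidrs(ips):
    """WAF IP sets take CIDR strings: /32 for IPv4, /128 for IPv6."""
    return sorted(str(ipaddress.ip_network(ip)) for ip in ips)


def lambda_handler(event, context):
    """S3 ObjectCreated trigger: one log file in, WAF IP set and SNS out.
    Assumptions (not from the talk): block table is JSON in the log bucket under
    STATE_KEY; the IP set has Scope CLOUDFRONT, which is managed from us-east-1."""
    import boto3  # imported here so the functions above run without AWS installed
    s3, sns = boto3.client("s3"), boto3.client("sns")
    waf = boto3.client("wafv2", region_name="us-east-1")
    name, set_id, state_key = os.environ["IPSET_NAME"], os.environ["IPSET_ID"], os.environ["STATE_KEY"]
    rec = event["Records"][0]["s3"]
    bucket, key = rec["bucket"]["name"], rec["object"]["key"]
    counts = count_requests_per_ip(s3.get_object(Bucket=bucket, Key=key)["Body"].read())
    try:
        blocked = json.load(s3.get_object(Bucket=bucket, Key=state_key)["Body"])
    except s3.exceptions.NoSuchKey:
        blocked = {}
    newly_blocked, unblocked, blocked = decide(counts, blocked, time.time())
    if newly_blocked or unblocked:
        lock = waf.get_ip_set(Name=name, Scope="CLOUDFRONT", Id=set_id)["LockToken"]
        waf.update_ip_set(Name=name, Scope="CLOUDFRONT", Id=set_id,   # replaces the whole list
                          Addresses=to_cidrs(blocked), LockToken=lock)
        s3.put_object(Bucket=bucket, Key=state_key, Body=json.dumps(blocked))
        sns.publish(TopicArn=os.environ["TOPIC_ARN"], Subject="CloudFront auto-block update",
                    Message=json.dumps({"log": key, "blocked": newly_blocked, "unblocked": unblocked}))
    return {"blocked": newly_blocked, "unblocked": unblocked}


def build_sample_log(per_ip):
    """Constructed test data: a gzipped log in the CloudFront standard layout."""
    header = ("#Version: 1.0\n#Fields: date time x-edge-location sc-bytes c-ip cs-method "
              "cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query\n")
    rows = ["\t".join(["2024-01-01", "00:00:%02d" % (i % 60), "IAD89-C1", "512", ip, "GET",
                       "d111111abcdef8.cloudfront.net", "/index.html", "200", "-", "curl/8.0", "-"])
            for ip, n in per_ip.items() for i in range(n)]
    return gzip.compress((header + "\n".join(rows) + "\n").encode())


# Constructed traffic: two abusive clients (IPv4 and IPv6) and one normal one.
SAMPLE_LOG = build_sample_log({"203.0.113.10": 150, "198.51.100.7": 5, "2001:db8::1": 120})

if __name__ == "__main__":
    now = 1_700_000_000
    # 192.0.2.99 was blocked earlier, its block has expired and it sent nothing: unblock it.
    nb, ub, table = decide(count_requests_per_ip(SAMPLE_LOG), {"192.0.2.99": now - 1}, now)
    print("block:", nb, "unblock:", ub, "WAF IP set:", to_cidrs(table))
```

Two operational details follow from the design. The S3 trigger must be filtered to the log prefix, otherwise the state-file write re-triggers the function on its own output. And `update_ip_set` replaces the entire address list, so the function must always write the full block table; the `LockToken` makes WAF reject a stale write, but nothing serialises two invocations updating the JSON state at the same time, so either restrict the function to a reserved concurrency of one or move the block table to a store with conditional writes.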

Track

DevOps