If there is a Distributed Denial of Service (DDoS) alert in Icinga, AWS has detected a probable DDoS attack against one or more of the resources protected by AWS Shield Advanced.
If the alert is UNKNOWN, the check itself is not working properly (for example it cannot read the metric); it does not tell you whether or not there is an attack.
If the alert is CRITICAL, take the following actions to investigate:
- Check the CloudWatch dashboard. It should show the request rate, data throughput (bits per second) and packet rate of the attack traffic Amazon is detecting.
- The dashboard might not display any graphs at all if no DDoS activity has been detected recently. This is a known issue and there is a support ticket open with Amazon about it. If the DDoSDetected alert is firing and the graphs are still not displayed, contact AWS support.
- If the attack is ongoing, contact AWS support: https://console.aws.amazon.com/support/home
  - Inform them that the DDoSDetected alarm has been triggered and which protected resource(s) it concerns.
  - Enquire about the nature of the attack (attack vectors, start time, whether Shield is already mitigating it).
  - Follow their instructions (if any).
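The same evidence the CloudWatch dashboard shows can be pulled directly from the Shield and CloudWatch APIs, which is useful when the dashboard is blank. The script below is an added example for this runbook, not tooling from the original page: it lists every Shield Advanced protected resource in the account, then prints the attacks Shield has recorded and the 5-minute samples where the DDoSDetected metric was non-zero over a look-back window. It assumes the AWS CLI is installed, that the shell already holds credentials for the affected environment, and a default window of 24 hours (the LOOKBACK_HOURS variable and the "run" argument are this example's own conventions).

```shell
#!/bin/sh
# Added example, not part of the runbook: query Shield Advanced attack records
# and the AWS/DDoSProtection DDoSDetected metric for every protected resource.
# Assumes the AWS CLI and credentials for the affected environment.
set -eu

# Look-back window in hours. Assumption: 24h, matching how long the Icinga
# alert stays up.
LOOKBACK_HOURS="${LOOKBACK_HOURS:-24}"

# iso_utc EPOCH -> 1970-01-01T00:00:00Z (GNU date first, BSD/macOS date as fallback)
iso_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# window_start NOW_EPOCH HOURS -> epoch seconds HOURS before NOW_EPOCH
window_start() {
  echo $(( $1 - $2 * 3600 ))
}

# ARNs of every resource protected by Shield Advanced in this account
protected_resources() {
  aws shield list-protections --query 'Protections[].ResourceArn' --output text
}

# recent_attacks ARN SINCE_ISO -> attack id, start, end, vectors for one resource
recent_attacks() {
  aws shield list-attacks \
    --resource-arns "$1" \
    --start-time "FromInclusive=$2" \
    --query 'AttackSummaries[].[AttackId,StartTime,EndTime,join(`,`, AttackVectors[].VectorType)]' \
    --output text
}

# ddos_detected ARN START_ISO END_ISO -> timestamps of 5-minute samples where
# CloudWatch's DDoSDetected metric was above 0 (the metric is sparse: it is
# only emitted while Shield sees an attack, so most windows print nothing)
ddos_detected() {
  aws cloudwatch get-metric-statistics \
    --namespace AWS/DDoSProtection \
    --metric-name DDoSDetected \
    --dimensions Name=ResourceArn,Value="$1" \
    --start-time "$2" --end-time "$3" \
    --period 300 --statistics Maximum \
    --query 'Datapoints[?Maximum > `0`] | sort_by(@, &Timestamp)[].[Timestamp,Maximum]' \
    --output text
}

main() {
  now=$(date -u +%s)
  since=$(iso_utc "$(window_start "$now" "$LOOKBACK_HOURS")")
  end_ts=$(iso_utc "$now")
  for arn in $(protected_resources); do
    echo "== $arn"
    echo "-- Shield attacks since $since"
    recent_attacks "$arn" "$since"
    echo "-- CloudWatch DDoSDetected > 0 (5 minute samples) since $since"
    ddos_detected "$arn" "$since" "$end_ts"
  done
}

# Only run when invoked as "./shield-status.sh run", so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh shield-status.sh run` (the file name is an assumption) from the same session you would use for the console. An empty attack list together with a firing alert is worth mentioning to AWS support, since it is the situation the blank-dashboard ticket describes.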
Because the underlying metric is sparse, the alert remains on the Icinga dashboard for 24 hours after it was first triggered, so an alert that is still showing does not necessarily mean the attack is still in progress.
AWS Shield Response Team (SRT)
We have pre-configured an IAM role for the SRT to use.
It is currently not associated with our Shield subscription, but when activated it allows the SRT to view our shielded resources and edit things such as Web Application Firewall (WAF) rules, web access control lists (web ACLs), Shield and CloudFront configurations.
We should not enable the role unless we are engaged with the SRT as a result of an incident, and we should disable it again once that engagement is over.
To enable the role:
- Open the AWS console for the affected environment, eg
gds aws govuk-integration-poweruser -l
- Navigate to the Edit AWS Shield Response Team (SRT) access page
- In the AWS Shield Response Team (SRT) access section, select the “Choose an existing role for the SRT to access my accounts.” radio button.
- From the role name drop down, select “shield-response-team-access”.
- Click Save to apply the changes.
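The console steps above have a command-line equivalent, which is easier to record in an incident log and to reverse afterwards. The script below is an added example for this runbook, not tooling from the original page. It assumes the AWS CLI and a session for the affected environment, the role name "shield-response-team-access" from the steps above, and the fact that Shield only accepts a role whose trust policy allows the drt.shield.amazonaws.com service principal; the account ID is read from STS rather than assumed. The status/enable/disable subcommands are this example's own convention.

```shell
#!/bin/sh
# Added example, not the runbook's own tooling: grant, check and revoke
# AWS Shield Response Team (SRT) access from the CLI.
# Assumes the AWS CLI and credentials for the affected environment.
set -eu

# Role name from the runbook; override with SRT_ROLE_NAME if it differs.
ROLE_NAME="${SRT_ROLE_NAME:-shield-response-team-access}"

# srt_role_arn ACCOUNT_ID ROLE_NAME -> IAM role ARN
srt_role_arn() {
  echo "arn:aws:iam::$1:role/$2"
}

# trusts_drt "svc1 svc2 ..." -> 0 if the SRT service principal is among the
# services the role trusts. Shield rejects the association otherwise, so this
# is checked before calling the API rather than after it fails.
trusts_drt() {
  for svc in $1; do
    [ "$svc" = "drt.shield.amazonaws.com" ] && return 0
  done
  return 1
}

account_id() {
  aws sts get-caller-identity --query Account --output text
}

# Service principals allowed by the role's trust policy, whitespace separated
role_trusted_services() {
  aws iam get-role --role-name "$1" \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.Service' \
    --output text
}

# Shows the role currently associated (if any); the console reads the same API
srt_status() {
  aws shield describe-drt-access
}

srt_enable() {
  if ! trusts_drt "$(role_trusted_services "$ROLE_NAME")"; then
    echo "$ROLE_NAME does not trust drt.shield.amazonaws.com; Shield will refuse it" >&2
    return 1
  fi
  aws shield associate-drt-role --role-arn "$(srt_role_arn "$(account_id)" "$ROLE_NAME")"
  srt_status
}

# Remove the association again once the engagement with the SRT is over
srt_disable() {
  aws shield disassociate-drt-role
  srt_status
}

case "${1:-}" in
  status)  srt_status ;;
  enable)  srt_enable ;;
  disable) srt_disable ;;
  "")      : ;;  # no subcommand: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 status|enable|disable" >&2; exit 2 ;;
esac
```

Run `sh srt-access.sh status` (file name assumed) before and after the change so the incident record shows exactly when SRT access was granted and revoked.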