Prevent DDoS with AWS Network Load Balancer
Good morning.
Inspired by the DDoS mitigation guide for EOS block producers by Charles H of EOS 42 (telegram: ankh2054), and together with Jae Chung (telegram: jaechung) of @hkeos, we tested the AWS NLB (Network Load Balancer), which that article did not cover. This article discusses how to prevent DDoS with the AWS NLB, which is able to filter out invalid connections such as UDP and spoofed TCP.
The AWS NLB accepts only TCP connections, which means it filters out invalid connections. Using this property, we tested whether the AWS NLB could effectively prevent DDoS attacks. I hope Jae Chung, who has been testing with a different configuration, also shares his results.
The test environment was configured as follows:
- One producer node (t2.large) connected to the fullnode within the VPC.
- One fullnode (m5.large) directly connected to the LB.
- Port 9876 and one random port were used as the DDoS targets.
- Connected as a BP peer of the Jungle Testnet.
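The layout above, written out as Terraform so it can be reproduced. This is an added example, not configuration from the original post; the variables (var.vpc_id, var.public_subnet_ids, var.fullnode_instance_id, var.producer_sg_id, var.fullnode_sg_id) and resource names are assumptions.

```hcl
# Added example (not from the original post). Assumed inputs: var.vpc_id,
# var.public_subnet_ids, var.fullnode_instance_id, var.producer_sg_id, var.fullnode_sg_id.

resource "aws_lb" "p2p" {
  name               = "eos-p2p-nlb"
  load_balancer_type = "network" # NLB: only TCP flows are forwarded, UDP is dropped
  internal           = false
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "fullnode_p2p" {
  name        = "eos-fullnode-p2p"
  port        = 9876
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "instance"
  health_check {
    protocol = "TCP" # a TCP health check on 9876 keeps the fullnode in service
  }
}

resource "aws_lb_target_group_attachment" "fullnode" {
  target_group_arn = aws_lb_target_group.fullnode_p2p.arn
  target_id        = var.fullnode_instance_id
  port             = 9876
}

# Public peers reach the NLB on 9876; this is the only port it listens on.
resource "aws_lb_listener" "p2p" {
  load_balancer_arn = aws_lb.p2p.arn
  port              = 9876
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.fullnode_p2p.arn
  }
}

# The producer node accepts 9876 only from the fullnode's security group,
# so it never sees public peers at all.
resource "aws_security_group_rule" "producer_from_fullnode" {
  type                     = "ingress"
  security_group_id        = var.producer_sg_id
  from_port                = 9876
  to_port                  = 9876
  protocol                 = "tcp"
  source_security_group_id = var.fullnode_sg_id
}
```

Because an NLB with instance targets preserves the client source IP, the fullnode's own security group must still allow TCP 9876 from peers; give the fullnode no public IP so the NLB is the only path to it.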
DDoS attacks were performed on port 9876 and on one random port.
The AWS NLB was able to effectively stop the DDoS attacks from the botnet.
Below is a record of the state changes of the EC2 instance during the test period. Testing was conducted for about an hour starting at 17:20 UTC on May 10th. One peculiarity is that for the 2 hours from the start of the test to its end, CPU utilization was lower than usual. Looking at this metric alone, I guessed that the nodeos process had died or was not working properly. However, when I checked the log, I could see that blocks were being synchronized properly. I suspect that if the load balancer is overloaded, the priority of the VM's computing resources is raised in order to guarantee the availability of the instances connected to it. If you have any comments on this, please let me know.
A spike was observed in the Network In / Out chart around the test period, but it was at a level that the instance could handle.
The instances were functioning normally during all time periods, including the test period.
This is a chart showing the number of TCP connections coming into the LB.
In the LB you can see that most of the attacks were filtered out and the offending traffic never reached the target instance.
When you review the ConsumedLBCapacityUnits metric, you can see that LCU usage increased because of the DDoS attack. However, given the current price of a ConsumedLBCapacityUnit (LCU), 1 LCU = 0.008 USD, we anticipate that this protection will be very affordable.
We further confirmed that the producer node connected to the fullnode within the VPC operated uninterrupted during the DDoS attack.
Conclusion.
Charles H's benchmark results showed that the Google Network Load Balancer effectively prevented SSDP DDoS attacks. Here we showed that the AWS Network Load Balancer can also effectively mitigate SSDP attacks at a very affordable price. We hope that this test allows BP candidates to consider using the AWS NLB for p2p traffic within their infrastructure plans. In the next test, we hope to further verify whether the LB affects the response speed of the node, and whether this hybrid configuration can be used when the producer node lives in a separate IDC while the fullnode is hosted on the AWS cloud.
Feel free to find me on telegram. (telegram id: aweekago)
It's nice to know that DDOS can be prevented with AWS network load balancer, but my question is why even go for AWS, just see: Heroku Vs AWS. There are much better options available like Heroku and others.