If we can get a notification for an attack, we can set up the following response:
- Call an AWS Lambda function
- Send the attacker's IP address information to this AWS Lambda function endpoint
- Use the code deployed in the Lambda function to call the VPC network access list API and block the attacker's IP address
To ensure that we don't fill up the ACLs with attacker IPs, we can combine this approach with AWS DynamoDB: each blocked IP is stored there for a short duration and then removed from the block list.
As soon as an attack is detected, the alerter sends the IP to the blacklist Lambda endpoint via an HTTPS request. The IP is blocked using the network ACL and a record of it is kept in DynamoDB. If the IP is already blocked, the expiry time for the rule is extended in DynamoDB instead of adding a second rule.
An expiry handler function is triggered periodically; it removes expired rules from DynamoDB and from the ACL accordingly.
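The blocklist and expiry handlers described above, written out as an added example in Python with boto3 (this is not code from the original text). It assumes a DynamoDB table keyed by `ip` with `rule_number` and `expires_at` attributes, the NACL id and table name in the `ACL_ID` and `BLOCK_TABLE` environment variables, and inbound rule numbers 100-199 reserved for automatic blocks; the AWS clients are passed in as parameters so the logic can be exercised without credentials.

```python
import ipaddress
import os
import time

BLOCK_SECONDS = 3600          # how long an attacker IP stays in the NACL
RULE_RANGE = range(100, 200)  # inbound NACL rule numbers reserved for auto-blocks (assumption)

def block_ip(ec2, table, acl_id, ip, now=None):
    """Deny `ip` on the NACL and record its expiry; returns 'blocked' or 'extended'."""
    ipaddress.IPv4Address(ip)  # reject anything that is not a plain IPv4 address
    now = int(time.time()) if now is None else now
    expires_at = now + BLOCK_SECONDS
    if table.get_item(Key={"ip": ip}).get("Item"):
        # Already blocked: only push the expiry out; the existing NACL rule is left alone.
        table.update_item(Key={"ip": ip}, UpdateExpression="SET expires_at = :e",
                          ExpressionAttributeValues={":e": expires_at})
        return "extended"
    rule_number = next_free_rule(ec2, acl_id)
    ec2.create_network_acl_entry(NetworkAclId=acl_id, RuleNumber=rule_number,
                                 Protocol="-1", RuleAction="deny", Egress=False,
                                 CidrBlock=f"{ip}/32")
    table.put_item(Item={"ip": ip, "rule_number": rule_number, "expires_at": expires_at})
    return "blocked"

def next_free_rule(ec2, acl_id):
    """Lowest inbound rule number in RULE_RANGE not yet present on the NACL."""
    acl = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]
    used = {e["RuleNumber"] for e in acl["Entries"] if not e["Egress"]}
    for number in RULE_RANGE:
        if number not in used:
            return number
    raise RuntimeError("no free NACL rule numbers: the block list is full")

def expire_blocks(ec2, table, acl_id, now=None):
    """Expiry handler: delete NACL rules whose DynamoDB record has lapsed."""
    now = int(time.time()) if now is None else now
    removed = []
    for item in table.scan()["Items"]:
        if item["expires_at"] <= now:  # DynamoDB returns numbers as Decimal; comparison still works
            ec2.delete_network_acl_entry(NetworkAclId=acl_id,
                                         RuleNumber=int(item["rule_number"]), Egress=False)
            table.delete_item(Key={"ip": item["ip"]})
            removed.append(item["ip"])
    return removed

def lambda_handler(event, context):
    """Entry point for the alerter's request; `event["ip"]` carries the attacker IP (assumed shape)."""
    import boto3  # imported here so the logic above runs without AWS credentials
    table = boto3.resource("dynamodb").Table(os.environ["BLOCK_TABLE"])
    return {"result": block_ip(boto3.client("ec2"), table, os.environ["ACL_ID"], event["ip"])}
```

A network ACL accepts only a small number of rules (20 per direction by default), so `next_free_rule` raising is the signal that the block list is full and the expiry window is too long for the rate of alerts.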