Bigger and more sophisticated distributed denial of service (DDoS) attacks are targeting the Internet's Domain Name System (DNS), causing significant downtime for websites and applications. Amazon Route 53, the AWS DNS service, integrates tightly with AWS Shield, the AWS managed DDoS protection service, to safeguard your web applications and protect against large-scale attacks. This session covers the techniques Amazon Route 53 employs to thwart DDoS attacks, including Anycast Striping, Shuffle Sharding and a global network of 56 points of presence, and the mitigation capabilities AWS Shield provides, including inline mitigation, visibility and cost protection.
Learning Objectives:
• Learn how Amazon Route 53 scales against DDoS attacks
• Learn how advanced features such as Anycast Striping and traffic shaping mitigate DDoS risk
• Learn how always-on inline mitigation techniques protect against advanced attacks
• Learn how AWS Shield integrates with Amazon Route 53 to monitor traffic signatures and perform deterministic packet filtering to minimize application downtime
• Learn why customers should use Amazon Route 53 and AWS Shield to protect against DNS DDoS attacks
6. Types of DNS DDoS attacks
Volumetric DDoS attacks congest DNS networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
7. DDoS attack trends - volumetric
Volumetric attacks using amplification and reflection techniques are very common
[Chart: share of observed DDoS attacks by type: Volumetric 47%, Application layer 53%]
9. Types of DNS DDoS attacks
Application-layer DDoS attacks target DNS by using well-formed but malicious queries to circumvent mitigation and consume application resources. These are known as query floods.
10. DDoS attack trends – query floods
DNS query floods are real DNS requests. These can continue for hours and exhaust the available memory/CPU resources of the DNS server.
[Chart: same breakdown as slide 7: Volumetric 47%, Application layer 53%]
11. DNS query floods
[Diagram: a few good actors and thousands of bad bots send queries through recursive DNS servers to the authoritative DNS service]
13. Traditional challenges in mitigating DNS DDoS attacks
Difficult to enable:
• Zone isolation
• Over-provisioned bandwidth capacity
• Redundancy and scale
14. Traditional challenges in mitigating DNS DDoS attacks
Traditional datacenter: manual involvement
• Operator involvement to initiate mitigation
• Re-route traffic to scrubbing location
• Increased time to mitigate
15. Traditional challenges in mitigating DNS DDoS attacks
Traditional datacenter: traffic re-routing = increased latency for users
16. Traditional challenges in mitigating DNS DDoS attacks
Expensive to use
• DDoS mitigation service cost
• Cost of maintaining scrubbing devices
• Paying for bandwidth
• Personnel cost
24. Amazon Route 53 always runs at scale
• Network runs at scale
• Infrastructure runs at scale
• 100% SLA
25. Customers keep asking …
• Does AWS protect me from DDoS attacks?
• What about large DDoS attacks?
• How can I get visibility when I get attacked?
• Does AWS protect me from application layer attacks?
• Scaling for DDoS attacks is expensive.
• I want to talk to DDoS experts.
27. AWS Shield
Standard Protection: available to all customers at no additional cost
Advanced Protection: paid service that provides additional, comprehensive protections from large and sophisticated attacks
29. DDoS protections built into AWS
• Integrated into the AWS global infrastructure
• Always-on, fast mitigation without external routing
• Redundant Internet connectivity in AWS data centers
31. Layer 3/4 infrastructure protection: traffic prioritization based on scoring
Low suspicion attributes
• Normal packet or request header
• Traffic composition and volume is typical given its source
• Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
32. Layer 3/4 infrastructure protection: traffic prioritization based on scoring
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
High-suspicion packets are dropped; low-suspicion packets are retained
35. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• Cost protection
41. Always-on monitoring and detection
• Signature-based detection
• Heuristics-based anomaly detection
• Baselining
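An added illustration of the baselining item on slide 41: a detector that learns what "normal" query volume looks like from recent clean history and alerts when a bucket exceeds it. This is example code, not AWS Shield's detector; the window length, the sigma multiplier, the absolute floor and the sample query-rate series are all constructed. The one design point worth copying is that anomalous buckets are never fed back into the baseline, so a flood that runs for hours (slide 10) cannot gradually become the new normal and silence the alarm.

```python
"""Baselining-based anomaly detection over a DNS query-rate series (slide 41).

Added example; the window, multiplier, floor and the sample series are
constructed for illustration and are not AWS Shield's detector.
"""
import statistics

BASELINE_WINDOW = 30    # constructed: buckets of clean history behind the baseline
K_SIGMA = 4.0           # constructed: standard deviations above mean that count as abnormal
MIN_ABS_RISE = 200.0    # constructed: floor so a very flat baseline does not alarm on jitter


def baseline(history):
    """Mean and population standard deviation of the clean history."""
    return statistics.mean(history), statistics.pstdev(history)


def threshold(history, k=K_SIGMA, min_abs=MIN_ABS_RISE):
    """Alert level: the larger of mean + k*sigma and mean + an absolute floor."""
    mean, stdev = baseline(history)
    return max(mean + k * stdev, mean + min_abs)


def is_anomalous(value, history, k=K_SIGMA, min_abs=MIN_ABS_RISE):
    return value > threshold(history, k, min_abs)


def detect(series, window=BASELINE_WINDOW, k=K_SIGMA, min_abs=MIN_ABS_RISE):
    """Return the indices of anomalous buckets in `series`.

    The first `window` samples seed the baseline. Anomalous samples are NOT
    appended to the history, so a long-running flood cannot raise the baseline
    and hide itself while it is still in progress.
    """
    history = list(series[:window])
    alerts = []
    for i in range(window, len(series)):
        if is_anomalous(series[i], history[-window:], k, min_abs):
            alerts.append(i)
        else:
            history.append(series[i])
    return alerts


# Constructed sample: 30 buckets of normal traffic around 1000 queries/second,
# then a query flood ramping up in buckets 31-34, then a return to normal.
NORMAL = [1000 + ((i * 37) % 60) - 30 for i in range(BASELINE_WINDOW)]
FLOOD = [1040, 3500, 9000, 12000, 11500, 1010, 990]
SAMPLE_SERIES = NORMAL + FLOOD


if __name__ == "__main__":
    mean, stdev = baseline(NORMAL)
    print(f"baseline mean={mean:.1f} stdev={stdev:.1f} threshold={threshold(NORMAL):.1f}")
    print("alert buckets:", detect(SAMPLE_SERIES))
```

Bucket 30 (1040 qps) stays below the threshold and is absorbed into the baseline as ordinary variation, buckets 31 to 34 alert, and the two post-attack buckets are quiet again because the flood values never entered the history. In practice the same structure is run per zone and per query type, and the signature and heuristic checks from the same slide (malformed headers, random-label ratios) are evaluated alongside it rather than replaced by it.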
43. Advanced Layer 3/4 infrastructure protection: advanced routing policies
• Distributed scrubbing and bandwidth capacity
• Automated routing policies to absorb large attacks
• Manual traffic engineering
45. Attack notification and reporting
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics for attack forensics
• Historical attack reports
66. 24x7 access to DDoS response team
• Critical and urgent priority cases are answered quickly and routed directly to DDoS experts
• Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries
67. 24x7 access to DDoS response team
• Before attack: proactive consultation and best practice guidance
• During attack: attack mitigation
• After attack: post-mortem analysis