Bigger and more sophisticated distributed denial of service (DDoS) attacks are targeting the Internet’s Domain Name System (DNS) causing significant downtime to websites and application. Amazon Route 53, the AWS DNS service, integrates tightly with AWS Shield, the AWS service that provides managed DDoS protection, to safeguard your web applications and protect against large scale attacks. Techniques Amazon Route 53 employs to thwart DDoS attacks including Anycast Striping, Shuffle Sharding and a global network of 56 points of presence. Mitigation strategies AWS Shield provides including inline mitigations, visibility and cost protection. Learning Objectives: • Learn how Amazon Route 53 scales against DDoS attacks • Learn about the advanced features like Anycast Striping and traffic shaping mitigates DDoS risks • Learn how always-on inline mitigation techniques protects against advanced attacks • Learn how AWS Shield integrates with Amazon Route53 to monitor traffic signatures and undertakes deterministic packet filtering to minimize application downtime • Learn why customers should use Amazon Route 53 and AWS Shield to protect against DNS DDoS attacks

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sergey Royt, Jeffrey Lyon
Amazon Route 53 and AWS Shield
DDoS Protection and Risk Mitigation

2. DDoS 101

3. What is DDoS?
Distributed Denial of Service

4. DDoS attacks target DNS in two layers

5. Types of DDoS attacks

6. Types of DNS DDoS attacks
Volumetric DDoS attacks
Congest DNS networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)

7. DDoS attack trends - volumetric
Volumetric Application layer
Volumetric attacks using
amplification and reflection
techniques are very common
47%
Volumetric
53%
Application layer

8. Amplification/Reflection attacks

9. Types of DNS DDoS attacks
Application-layer DDoS attacks
target DNS by using well-formed but
malicious queries to circumvent mitigation
and consume application resources – These
are known as query floods

10. DDoS attack trends – query floods
Volumetric Application layer
DNS query floods are real DNS requests
These can continue for hours and exhaust the
available memory/cpu resources of the DNS
server
47%
Volumetric
53%
Application layer

11. DNS query floods
Few Good Actors
Thousands of Bad Bots
Recursive
DNS servers
Authoritative
DNS Service

12. Traditional challenges in mitigating
DNS DDoS attacks

13. Traditional challenges in mitigating DNS DDoS attacks
Difficult to enable
Zone isolation Over-provisioned
bandwidth capacity
Redundancy and scale

14. Traditional challenges in mitigating DNS DDoS attacks
Traditional
Datacenter
Manual involvement
Operator involvement to
initiate mitigation
Re-route traffic to scrubbing
location
Increased time to mitigate

15. Traditional challenges in mitigating DNS DDoS attacks
Traditional
Datacenter
Traffic re-routing = Increased latency for users

16. Traditional challenges in mitigating DNS DDoS attacks
Expensive to use
• DDoS mitigation service cost
• Cost of maintaining scrubbing devices
• Paying for bandwidth
• Personnel cost

17. Amazon Route 53
Highly resilient and fault tolerant DNS

18. Built-In redundancy
56 global edge locations

19. Network capacity
Tens of terabits of transit capacity

20. Network redundancy
Multiple transit and peering providers

21. Name server redundancy
4 name servers for each
hosted zone

22. Resiliency and availability : Anycast DNS
Anycast striping

23. Fault tolerance and zone isolation
Zone Isolation

24. Amazon Route 53 always runs at scale
Network runs at
Scale
Infrastructure runs
at scale
100% SLA

25. Customers keep asking …
Does AWS protect me
from DDoS attacks?
What about large
DDoS attacks?
How can I get visibility
when I get attacked?
Does AWS protect
me from application
layer attacks?
Scaling for
DDoS attacks is
expensive.
I want to talk to
DDoS experts.

26. AWS Shield
A managed DDoS protection service

27. AWS Shield
Standard Protection Advanced Protection
Available to all customers at no
additional cost
Paid service that provides additional,
comprehensive protections from large
and sophisticated attacks

28. AWS Shield Standard

29. DDoS protections built into AWS
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data
centers

30. Layer 3/4 infrastructure protection
Automatically filters invalid traffic.
Examples of attributes include:
• IP checksum
• TCP valid flags
• Payload length
• DNS, HTTP request validation
Deterministic filtering

31. Low suspicion attributes
• Normal packet or request header
• Traffic composition and volume is
typical given its source
• Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
Layer 3/4 infrastructure protection
Traffic prioritization based on scoring

32. Layer 3/4 infrastructure protection
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
Traffic prioritization based on scoring
High-suspicion
packets dropped
Low-suspicion
packets retained

33. AWS Shield Advanced
Managed DDoS protection

34. AWS Shield Advanced
Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53
Available today on..

35. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response team
Cost protection

36. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response team
Cost protection

37. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response team
Cost protection

38. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response team
Cost protection

39. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response team
Cost protection

40. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response team
Cost protection

41. Always-on monitoring and detection
Signature based detection Heuristics-based
anomaly detection
Baselining

42. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
Cost protection

43. Advanced Layer 3/4 infrastructure protection
• Distributed scrubbing and bandwidth
capacity
• Automated routing policies to absorb large
attacks
• Manual traffic engineering
Advanced routing policies

44. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
Cost protection

45. Attack notification and reporting
• Real-time notification of attacks via
Amazon CloudWatch
• Near real-time metrics for attack
forensics
• Historical attack reports

46. Attack notification and reporting

47. Attack notification and reporting

48. Attack notification and reporting

49. Attack notification and reporting

50. Attack notification and reporting

51. Attack notification and reporting

52. Attack notification and reporting

53. Attack notification and reporting

54. Attack notification and reporting

55. Attack notification and reporting

56. Attack notification and reporting

57. Attack notification and reporting

58. Attack notification and reporting

59. Attack notification and reporting

60. Attack notification and reporting

61. Attack notification and reporting

62. Attack notification and reporting

63. Attack notification and reporting

64. Attack notification and reporting

65. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
Cost protection

66. 24x7 access to DDoS response team
• Critical and urgent priority cases
are answered quickly and routed
directly to DDoS experts
• Complex cases can be escalated
to the AWS DDoS Response
Team (DRT), who have deep
experience in protecting AWS as
well as Amazon.com and its
subsidiaries

67. 24x7 access to DDoS response team
Before attack
Proactive consultation and
best practice guidance
During attack
Attack mitigation
After attack
Post-mortem
analysis

68. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
Cost protection

69. Cost protection
AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53

70. Thank you!

71. Questions ?
Useful Links –
Forums-
AWS Shield - https://forums.aws.amazon.com/forum.jspa?forumID=238
Amazon Route53 - https://forums.aws.amazon.com/forum.jspa?forumID=87
Whitepapers-
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf