"In this session, we will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:
DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
What AWS does to protect our services from these attacks.
How this all relates to the AWS Shared Responsibility Model."
6. CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS
DDOS ATTACKS ARE GETTING MUCH MORE POWERFUL
MEGAATTACKS ARE ON THE RISE
8. THE NEW NORMAL: 200 – 400 GBPS DDOS ATTACKS
9. Source: Arbor Networks
1.04 Gbps: average size of a DDoS attack
39 minutes: average duration of > 10 Gbps attacks
85%: DDoS attacks that target network and service infrastructure
11. Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
12. Types of DDoS attacks
State-exhaustion DDoS attacks
Type of protocol abuse that stresses systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
13. Types of DDoS attacks
Application-layer DDoS attacks
Less frequently, an attacker will use well-formed connections to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
14. DDoS attack trends
Volumetric: 65%
State exhaustion: 20%
Application layer: 15%
15. DDoS attack trends
SSDP reflection attacks are very common. Reflection attacks have clear signatures, but can consume available bandwidth.
16. DDoS attack trends
Other common volumetric attacks: NTP reflection, DNS reflection, Chargen reflection, SNMP reflection
17. DDoS attack trends
SYN floods can look like real connection attempts, and on average they’re larger in volume. They can prevent real users from establishing connections.
18. DDoS attack trends
DNS query floods are real DNS requests. They can also go on for hours and exhaust the available resources of the DNS server.
19. DDoS attack trends
Other common application layer attacks: HTTP GET flood, Slowloris
21. Volumetric amplification factors
Vector    Factor     Common cause
SSDP      30.8       UPnP services exposed to the Internet
NTP       556.9      Time servers with monlist enabled
DNS       28 - 54    Open resolvers
Chargen   358.8      Enabled Chargen service
SNMP      6.3        Open SNMP services
Source: US-CERT
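An added example (not part of the deck) showing how the factors in this table are used on the defender's side: the Python below aggregates constructed flow records by reflector source port, flags vectors whose inbound UDP rate and reflector count look like a reflection attack, and divides the observed rate by the US-CERT factor to estimate the spoofed request volume behind it. The flow record format, thresholds, window length and addresses are assumptions.

```python
from collections import defaultdict
# Amplification factors from the US-CERT table above, keyed by the UDP service
# port that reflected replies arrive *from*.  DNS uses the top of its 28 - 54 range.
REFLECTORS = {
    1900: ("SSDP", 30.8),
    123: ("NTP", 556.9),
    53: ("DNS", 54.0),
    19: ("Chargen", 358.8),
    161: ("SNMP", 6.3),
}

# Constructed flow records (assumed format, not real traffic), one 10-second
# window: proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 203.0.113.10 123 198.51.100.5 4421 46800000
udp 203.0.113.11 123 198.51.100.5 4421 46800000
udp 203.0.113.12 123 198.51.100.5 4421 46800000
udp 203.0.113.20 1900 198.51.100.5 4421 3000000
udp 203.0.113.21 1900 198.51.100.5 4421 3000000
udp 192.0.2.7 53 198.51.100.5 53211 1200
tcp 192.0.2.8 443 198.51.100.5 50122 90000
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        proto, src, sport, dst, dport, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_reflection_vectors(flows, window_s=10, min_mbps=1.0, min_sources=2):
    """Return {vector: stats} for reflector ports whose aggregate inbound UDP rate
    exceeds min_mbps and comes from at least min_sources distinct reflectors (one
    busy resolver is not an attack).  attacker_mbps = rate / amplification factor."""
    by_port = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] in REFLECTORS:
            by_port[f["sport"]]["bytes"] += f["bytes"]
            by_port[f["sport"]]["sources"].add(f["src"])
    found = {}
    for port, agg in by_port.items():
        name, factor = REFLECTORS[port]
        mbps = agg["bytes"] * 8 / window_s / 1e6
        if mbps >= min_mbps and len(agg["sources"]) >= min_sources:
            found[name] = {"mbps": round(mbps, 3),
                           "reflectors": len(agg["sources"]),
                           "attacker_mbps": round(mbps / factor, 4)}
    return found
```

On the sample window this reports a two-vector attack (NTP and SSDP) and leaves the single legitimate DNS reply and the TCP flow alone.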
22. DDoS attacks with multiple vectors
Single vector: 85%
Multi-vector: 15%
45. Target identification in shared space
• Each IP set has a unique combination
• Allows target identification
• Enables new options for mitigation
(Diagram: users, and in later builds a DDoS attack, reaching an edge location that serves several distributions.)
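As an added illustration (not the deck's or CloudFront's code), here is a simplified model of the scheme those bullets describe: each distribution is served by its own combination of addresses drawn from a shared pool, so the set of addresses seen under attack identifies the targeted distribution even though every individual address is shared with others. Pool size, set size and distribution names are assumptions.

```python
from itertools import combinations

def assign_ip_sets(distributions, pool, set_size):
    """Give each distribution a distinct combination of set_size addresses from
    the shared pool.  C(len(pool), set_size) combinations exist, so a modest pool
    serves many distributions while no two of them share a complete set."""
    combos = combinations(sorted(pool), set_size)
    assignment = {}
    for dist in distributions:
        try:
            assignment[dist] = frozenset(next(combos))
        except StopIteration:
            raise ValueError("pool too small for %d distributions" % len(distributions))
    return assignment

def identify_targets(assignment, attacked_ips, min_fraction=1.0):
    """Rank distributions by the fraction of their IP set seen under attack.
    With min_fraction=1.0 only distributions whose whole set is attacked are
    returned; a lower value surfaces partial matches early in an attack."""
    attacked = frozenset(attacked_ips)
    hits = []
    for dist, ips in assignment.items():
        frac = len(ips & attacked) / len(ips)
        if frac >= min_fraction:
            hits.append((frac, dist))
    return [dist for frac, dist in sorted(hits, reverse=True)]

# Constructed example: six shared addresses, four distributions, three per set.
POOL = ["198.51.100.%d" % i for i in range(1, 7)]
ASSIGNMENT = assign_ip_sets(["dist-A", "dist-B", "dist-C", "dist-D"], POOL, 3)

def demo():
    # Attack traffic arrives on .1, .2 and .4.  .1 and .2 are shared by every
    # distribution here, but only dist-B's set is exactly {.1, .2, .4}.
    exact = identify_targets(ASSIGNMENT, ["198.51.100.1", "198.51.100.2", "198.51.100.4"])
    # Early on only .4 may be visible; with partial matches allowed it still
    # points at dist-B because no other set contains .4.
    early = identify_targets(ASSIGNMENT, ["198.51.100.4"], min_fraction=0.3)
    return exact, early
```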
59. CloudFront – DNS reflection
• Simultaneous DNS reflection and UDP flood
• Automatically discarded by CloudFront
• No impact on CloudFront or CloudFront customers
66. Route 53 health checks on ELB instances
(Diagram: users reach ELB instances in a security group through an ELB, with Route 53 health-checking them; later builds of the slide add a DDoS attack to the picture.)
73. Minimize the attack surface
Amazon Virtual Private Cloud (VPC)
• Allows you to define a virtual network in your own logically isolated area on AWS
• Allows you to hide instances from the Internet using security groups and network access control lists (NACLs)
74. Security in your VPC
Security groups
• Operate at the instance level (first layer of defense)
• Support allow rules only
• Stateful: return traffic is automatically allowed
• All rules are evaluated before deciding whether to allow traffic
Network ACLs
• Operate at the subnet level (second layer of defense)
• Support allow and deny rules
• Stateless: return traffic must be explicitly allowed
• Rules are processed in order
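An added example (not AWS code) that models the two rule semantics on this slide so the difference is visible: the security group evaluates all of its allow rules and, being stateful, admits reply traffic for a connection it already admitted, while the network ACL walks its numbered allow/deny rules in order, first match wins, and is stateless, so return traffic needs its own rule. Packets, addresses and rule numbers are constructed; only the rules you pass in are enforced.

```python
import ipaddress
def _covers(rule, direction, proto, port, peer_ip):
    # rule = (direction, proto, from_port, to_port, cidr); port is the destination port
    d, p, lo, hi, cidr = rule
    return (d == direction and p == proto and lo <= port <= hi
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr))

class SecurityGroup:
    """Allow rules only, all evaluated; stateful, admitted flows pass both ways."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()        # (proto, local_port, peer_ip, peer_port)
    def allows(self, direction, proto, local_port, peer_ip, peer_port):
        key = (proto, local_port, peer_ip, peer_port)
        if key in self.flows:
            return True           # return traffic of an admitted flow
        port = local_port if direction == "in" else peer_port
        if any(_covers(r, direction, proto, port, peer_ip) for r in self.rules):
            self.flows.add(key)
            return True
        return False

class NetworkAcl:
    """Allow and deny rules in number order, first match wins; stateless."""
    def __init__(self, rules):   # (number, direction, proto, from, to, cidr, action)
        self.rules = sorted(rules)
    def allows(self, direction, proto, local_port, peer_ip, peer_port):
        port = local_port if direction == "in" else peer_port
        for num, d, p, lo, hi, cidr, action in self.rules:
            if _covers((d, p, lo, hi, cidr), direction, proto, port, peer_ip):
                return action == "allow"
        return False              # implicit deny-all at the end

def demo():
    # ELB tier of the VPC slides: HTTPS in from anywhere; constructed client
    # 192.0.2.50:51000 connects and the server replies.
    sg = SecurityGroup([("in", "tcp", 443, 443, "0.0.0.0/0")])
    sg_in = sg.allows("in", "tcp", 443, "192.0.2.50", 51000)
    sg_reply = sg.allows("out", "tcp", 443, "192.0.2.50", 51000)
    # NACL: deny a noisy /24 ahead of the general allow, but with no outbound
    # rule for the client's ephemeral port the reply is dropped.
    nacl = NetworkAcl([(10, "in", "tcp", 443, 443, "203.0.113.0/24", "deny"),
                       (100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
                       (100, "out", "tcp", 443, 443, "0.0.0.0/0", "allow")])
    nacl_in = nacl.allows("in", "tcp", 443, "192.0.2.50", 51000)
    nacl_reply = nacl.allows("out", "tcp", 443, "192.0.2.50", 51000)
    nacl_denied = nacl.allows("in", "tcp", 443, "203.0.113.9", 40000)
    fixed = NetworkAcl(nacl.rules + [(120, "out", "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    fixed_reply = fixed.allows("out", "tcp", 443, "192.0.2.50", 51000)
    return sg_in, sg_reply, nacl_in, nacl_reply, nacl_denied, fixed_reply
```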
75. (Diagram: an Amazon VPC with a DMZ public subnet holding an SSH bastion, a NAT and an ELB; a front-end private subnet holding Amazon EC2 web app servers; and a back-end private subnet holding an Amazon EC2 MySQL db, each tier in its own security group. Later builds label the permitted flows: Users -> ELB on TCP 80/443, ELB -> web app server on TCP 8080, web app server -> MySQL db on TCP 3306, Admin -> SSH bastion on TCP 22, and outbound TCP to the Internet through the NAT.)
82. Be ready to scale and absorb
Route 53
• Highly available, scalable DNS service
• Uses anycast routing for low latency
83. Be ready to scale and absorb
CloudFront
• Improves performance by caching content and optimizing connections
• Disperses traffic across global edge locations
• DDoS attacks are absorbed close to the source
84. Be ready to scale and absorb
Elastic Load Balancing
• Fault tolerance for applications
• Automatic scaling
• Multiple Availability Zones
92. Route 53 anycast routing
(Diagram: a resolver asks "How do I get to example.com?" and anycast name servers for .com, .net, .org and .co.uk each answer "This way!"; the query is routed to the nearest of them.)
106. Route 53
• DNS query flood targeting 34 of our edge locations
• Peak volume was in top 4% of all DDoS attacks
• Automatically detected and mitigated with no impact to availability
117. Help with architecture and mitigation
Resources
• Account manager, solutions architect
• Whitepaper: AWS Best Practices for DDoS Resiliency
• AWS Security Blog
AWS Support
• Business – Technical assistance by phone, chat, or email
• Enterprise – Fastest response time. Dedicated technical account manager (TAM).
118. Information to provide AWS Support
• Instances (IPs help!), distributions, zones under attack
• Location
• Time
• Vector
• Sources
• Intel