(sec306) defending against ddos attacks

Post on 07-Jan-2017


TRANSCRIPT

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Andrew Kiggins, AWS SDM

Jeffrey Lyon, AWS Operations Manager

October 2015

SEC306

Defending Against DDoS Attacks

Goals

Useful background

Common attacks

CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS

DDOS ATTACKS ARE GETTING MUCH MORE POWERFUL

MEGA ATTACKS ARE ON THE RISE

THE NEW NORMAL: 200 – 400 GBPS DDOS ATTACKS

(Chart, source: Arbor Networks)

Average size of a DDoS attack: 1.04 Gbps

Average duration of > 10 Gbps attacks: 39 minutes

DDoS attacks that target network and service infrastructure: 85%

Types of DDoS attacks

Volumetric DDoS attacks: congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)

State-exhaustion DDoS attacks: a type of protocol abuse that stresses systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)

Application-layer DDoS attacks: less frequently, an attacker will use well-formed connections to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)

DDoS attack trends

(Chart) Volumetric 65%, State exhaustion 20%, Application layer 15%

Volumetric: SSDP reflection attacks are very common. Reflection attacks have clear signatures, but can consume available bandwidth. Other common volumetric attacks: NTP reflection, DNS reflection, Chargen reflection, SNMP reflection.

State exhaustion: SYN floods can look like real connection attempts, and on average they’re larger in volume. They can prevent real users from establishing connections.

Application layer: DNS query floods are real DNS requests. They can also go on for hours and exhaust the available resources of the DNS server. Other common application layer attacks: HTTP GET flood, Slowloris.

Volumetric: UDP amplification

Volumetric amplification factors (source: US-CERT)

Vector     Factor      Common cause
SSDP       30.8        uPnP services exposed to Internet
NTP        556.9       Time servers with monlist enabled
DNS        28 - 54     Open resolvers
Chargen    358.8       Enabled Chargen service
SNMP       6.3         Open SNMP services

DDoS attacks with multiple vectors

(Chart) Single vector 85%, Multi-vector 15%

Attackers are persistent

(Timeline of one attack lasting 6 hours; the vectors appear in this order)

UDP/161 – SNMP amplification

UDP fragments

UDP/1900 – SSDP reflection

UDP/1900 – SSDP reflection

UDP/123 – NTP reflection

6 hours

Mitigations

AWS Shared Responsibility Model

Before DDoS mitigation (diagram: the DDoS attack and the users both reach the conventional data center directly)

Conventional DDoS mitigation services (diagram: a DDoS mitigation service sits between the users / DDoS attack and the conventional data center)

Resilient by design (diagram, built up over five slides; labels: IP, ICMP, TCP, UDP, not, DNS; Elastic Load Balancing, Amazon CloudFront, Amazon Route 53)

DDoS mitigation for AWS infrastructure (diagram labels: virtual private cloud, AWS global infrastructure, DDoS attack, Users, AWS DDoS mitigation, CloudFront, Route 53)

Basic hygiene

Examples

• IP: checksum

• TCP: valid flags

• UDP: payload length

• DNS: request validation
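The four hygiene checks on this slide, worked through as an added example (this is illustrative code, not AWS's mitigation logic): an IPv4 header checksum check, a TCP flag sanity check, a UDP length consistency check, and a validation of requests aimed at port 53. The sample packets at the bottom are constructed with the `build_ipv4`, `tcp_segment` and `udp_datagram` helpers defined here; the addresses are documentation ranges.

```python
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def ipv4_checksum(data):
    # RFC 791 one's-complement sum; evaluates to 0 over a header whose checksum field is correct
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_ipv4(packet):
    # returns (ok, reason, protocol, payload); a bad header checksum is dropped before anything else
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return False, "ip: truncated header or bad version/IHL", None, b""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl:
        return False, "ip: truncated header", None, b""
    if ipv4_checksum(packet[:ihl]) != 0:
        return False, "ip: checksum mismatch", None, b""
    total_len = struct.unpack("!H", packet[2:4])[0]
    if not ihl <= total_len <= len(packet):
        return False, "ip: bad total length", None, b""
    return True, "ok", packet[9], packet[ihl:total_len]

def check_tcp_flags(seg):
    # flag combinations that no real connection attempt produces
    if len(seg) < 20 or (seg[12] >> 4) < 5:
        return False, "tcp: truncated header or bad data offset"
    flags = seg[13] & 0x3F
    if flags == 0:
        return False, "tcp: no flags set"
    if flags & SYN and flags & (FIN | RST):
        return False, "tcp: SYN combined with FIN or RST"
    if flags & FIN and not flags & ACK:
        return False, "tcp: FIN without ACK"
    return True, "ok"

def check_udp(dgram):
    # the UDP length field must describe the datagram actually received
    if len(dgram) < 8:
        return False, "udp: truncated header", b"", 0
    dport, length = struct.unpack("!HH", dgram[2:6])
    if length < 8 or length != len(dgram):
        return False, "udp: length field does not match payload", b"", 0
    return True, "ok", dgram[8:], dport

def check_dns_request(msg):
    # a request to port 53 must be a standard query carrying exactly one well-formed question
    if len(msg) < 12:
        return False, "dns: truncated header"
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        return False, "dns: QR set, not a request"
    if (flags >> 11) & 0xF or qd != 1 or an or ns or ar > 1:
        return False, "dns: not a plain standard query"
    pos = 12
    while pos < len(msg) and msg[pos]:            # walk the question-name labels
        if msg[pos] > 63:
            return False, "dns: bad label length"
        pos += 1 + msg[pos]
    if pos >= len(msg):
        return False, "dns: unterminated question name"
    return (True, "ok") if len(msg) >= pos + 5 else (False, "dns: question missing qtype/qclass")

def check_packet(packet):
    # apply the checks in layer order; returns (ok, reason)
    ok, reason, proto, payload = check_ipv4(packet)
    if not ok:
        return ok, reason
    if proto == 6:
        return check_tcp_flags(payload)
    if proto == 17:
        ok, reason, data, dport = check_udp(payload)
        return check_dns_request(data) if ok and dport == 53 else (ok, reason)
    return True, "ok"

def build_ipv4(proto, payload, corrupt=False):
    # constructed test packet (documentation addresses); corrupt=True flips one bit of the checksum
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    csum = ipv4_checksum(hdr) ^ (1 if corrupt else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def tcp_segment(flags):
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(dport, payload, claimed_len=None):
    return struct.pack("!HHHH", 40001, dport, claimed_len or 8 + len(payload), 0) + payload

QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
DNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
SAMPLES = {
    "tcp syn": build_ipv4(6, tcp_segment(SYN)),
    "tcp syn+fin": build_ipv4(6, tcp_segment(SYN | FIN)),
    "udp dns query": build_ipv4(17, udp_datagram(53, DNS_QUERY)),
    "udp bad length": build_ipv4(17, udp_datagram(53, DNS_QUERY, claimed_len=9000)),
    "udp dns reply aimed at port 53": build_ipv4(17, udp_datagram(53, DNS_REPLY)),
    "ip bad checksum": build_ipv4(6, tcp_segment(SYN), corrupt=True),
}

def triage(samples=SAMPLES):
    return {name: check_packet(pkt) for name, pkt in samples.items()}
```

`triage()` returns a pass/drop verdict with a reason per sample; the point of the layer ordering is that a packet failing the cheapest check (the IP checksum) never reaches the more expensive DNS parsing.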

Packet prioritization

Priority-based traffic shaping

Mitigation: Detection and traffic engineering

Target identification in shared space

• Each IP set has a unique combination

• Allows target identification

• Enables new options for mitigation

(Diagram, built up over four slides: users and a DDoS attack reach an edge location that serves several distributions)
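The idea on this slide, as an added example that is not CloudFront's implementation: if every distribution behind a shared edge is served from a unique combination of IP sets, then the combination of IP sets that receives attack traffic identifies the targeted distribution, and the target can be moved onto IP sets nobody else shares. The pool, the distribution names and the flow observations are constructed.

```python
from collections import Counter
from itertools import combinations

def assign_ip_sets(distributions, pool, k):
    # every distribution gets a distinct k-subset of the shared pool of IP sets (the "unique combination")
    combos = combinations(sorted(pool), k)
    return {dist: frozenset(next(combos)) for dist in distributions}

def attacked_ip_sets(flows, threshold_pps):
    # flows are (ip_set, packets_per_second) observations at the edge; above the threshold the set is under attack
    pps = Counter()
    for ip_set, rate in flows:
        pps[ip_set] += rate
    return {ip_set for ip_set, rate in pps.items() if rate > threshold_pps}

def identify_target(assignment, attacked):
    # the combination of attacked IP sets matches exactly one distribution; otherwise the target is ambiguous
    matches = [d for d, sets in assignment.items() if sets == frozenset(attacked)]
    return matches[0] if len(matches) == 1 else None

def isolate(assignment, target, pool):
    # mitigation option: move the target onto IP sets no other distribution shares, so the attack follows it alone
    shared = set().union(*(s for d, s in assignment.items() if d != target))
    spare = sorted(set(pool) - shared)
    k = len(assignment[target])
    if len(spare) < k:
        return None
    return {**assignment, target: frozenset(spare[:k])}

# constructed scenario: 8 IP sets, 4 distributions behind one edge location, 2 IP sets each
POOL = list("ABCDEFGH")
DISTRIBUTIONS = ["www.example", "videos.example", "api.example", "static.example"]
FLOWS = [("A", 900_000), ("C", 850_000), ("A", 1_200), ("B", 1_100), ("D", 950), ("E", 900), ("C", 400)]

def demo(threshold_pps=50_000):
    assignment = assign_ip_sets(DISTRIBUTIONS, POOL, 2)
    attacked = attacked_ip_sets(FLOWS, threshold_pps)
    target = identify_target(assignment, attacked)
    moved = isolate(assignment, target, POOL) if target else None
    return assignment, attacked, target, moved
```

In the constructed scenario only IP sets A and C see attack-level rates, and the one distribution assigned exactly {A, C} is the target; after `isolate` its traffic lands on IP sets that the other distributions never share, which is what makes the later Isolate/Vacate options possible.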

Traffic engineering (diagram: responses to a DDoS attack, built up over five slides)

• Mitigate

• Isolate

• Vacate

• Disperse

Architecture

Architecting on AWS for DDoS resiliency

Architecture: Volumetric

Why does this matter?

CloudFront – DNS reflection

• Simultaneous DNS reflection and UDP flood

• Automatically discarded by CloudFront

• No impact on CloudFront or CloudFront customers

Common vector – SSDP: srcPort=1900, Payload = HTTP/1.1…

Common vector – NTP: srcPort=123, Payload = MON_GETLIST

Common vector – DNS reflection: srcPort=53, DNS response, larger payload

Other vectors – RIPv1, Chargen, SNMP

• UDP based

• Reflection

• Amplification

• Unusual sources

• Abnormal payload

ELB Scaling (diagram: users reach the ELB in a DMZ public subnet behind a security group; front-end server instances sit in a private subnet behind their own security group)

Route 53 health checks on ELB instances (diagram, built up over eight slides: users reach the ELB instances behind a security group, Route 53 health-checks those ELB instances, and a DDoS is added in the final frames)

Minimize the attack surface

Amazon Virtual Private Cloud (VPC)

• Allows you to define a virtual network in your own logically isolated area on AWS

• Allows you to hide instances from the Internet using security groups and network access control lists (NACLs)

Security in your VPC

Security groups

• Operate at the instance level (first layer of defense)

• Supports allow rules only

• Stateful, return traffic is automatically allowed

• All rules are evaluated before deciding whether to allow traffic

Network ACLs

• Operate at the subnet level (second layer of defense)

• Supports allow and deny rules

• Stateless, return traffic must be explicitly allowed

• Rules are processed in order

(Diagram, built up over four slides: an Amazon VPC with a DMZ public subnet holding the ELB, an SSH bastion and a NAT, a front-end private subnet with Amazon EC2 web app servers, and a back-end private subnet with a MySQL db, each tier behind its own security group; outside labels: Users, Admin, Internet; port labels: TCP: 80/443, TCP: 8080, TCP: 3306, TCP: 22, TCP: Outbound)

Reference security groups

Reference network ACL
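The security-group and network-ACL semantics from "Security in your VPC", applied to the reference tiers in the diagram above, as an added example (a small evaluator written for this page, not AWS's implementation and not the actual reference rule sets, which the deck shows only as images). The group names, the instance addresses, the admin network `203.0.113.0/24` and the external mirror `192.0.2.80` are constructed; the ports come from the diagram.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto")
SGRule = namedtuple("SGRule", "proto from_port to_port source")      # source: CIDR or another group's name
ACLRule = namedtuple("ACLRule", "number proto from_port to_port cidr action")

class SecurityGroup:
    # instance level: allow rules only, stateful, every rule is evaluated and any match allows
    def __init__(self, name, rules, members):
        self.name, self.rules, self.members, self.tracked = name, rules, set(members), set()

    def _source_ok(self, source, ip, groups):
        if source in groups:
            return ip in groups[source].members
        return ipaddress.ip_address(ip) in ipaddress.ip_network(source)

    def evaluate(self, f, groups):
        if f.dst in self.members:                                  # inbound to a member instance
            conn = (f.dst, f.dport, f.src, f.sport)
            if conn in self.tracked:
                return True, "return traffic of a tracked connection (stateful)"
            for r in self.rules:
                if r.proto == f.proto and r.from_port <= f.dport <= r.to_port and self._source_ok(r.source, f.src, groups):
                    self.tracked.add(conn)
                    return True, f"allowed by {r}"
            return False, "no allow rule matched (implicit deny)"
        if f.src in self.members:                                  # outbound: allowed by default, tracked for replies
            self.tracked.add((f.src, f.sport, f.dst, f.dport))
            return True, "outbound allowed (default), connection tracked"
        return False, "flow does not involve a member of this group"

class NetworkACL:
    # subnet level: ordered allow/deny rules, first match wins, stateless, implicit deny at the end
    def __init__(self, name, rules):
        self.name, self.rules = name, sorted(rules, key=lambda r: r.number)

    def evaluate(self, f):
        for r in self.rules:
            if r.proto == f.proto and r.from_port <= f.dport <= r.to_port and \
                    ipaddress.ip_address(f.src) in ipaddress.ip_network(r.cidr):
                return r.action == "allow", f"rule {r.number} {r.action}"
        return False, "no rule matched (implicit deny)"

# constructed addresses: the VPC tiers from the diagram plus an admin network and an external mirror
ELB, WEB, DB, BASTION = "10.0.0.10", "10.0.1.20", "10.0.2.30", "10.0.0.5"
DMZ_SUBNET, ADMIN_CIDR, ANY = ipaddress.ip_network("10.0.0.0/24"), "203.0.113.0/24", "0.0.0.0/0"

def reference_groups():
    groups = [SecurityGroup("elb-sg", [SGRule("tcp", 80, 80, ANY), SGRule("tcp", 443, 443, ANY)], [ELB]),
              SecurityGroup("web-sg", [SGRule("tcp", 8080, 8080, "elb-sg")], [WEB]),
              SecurityGroup("db-sg", [SGRule("tcp", 3306, 3306, "web-sg")], [DB]),
              SecurityGroup("bastion-sg", [SGRule("tcp", 22, 22, ADMIN_CIDR)], [BASTION])]
    return {g.name: g for g in groups}

def dmz_inbound_nacl(with_ephemeral=True):
    rules = [ACLRule(100, "tcp", 80, 80, ANY, "allow"), ACLRule(110, "tcp", 443, 443, ANY, "allow"),
             ACLRule(120, "tcp", 22, 22, ADMIN_CIDR, "allow")]
    if with_ephemeral:   # replies to connections the subnet initiated arrive on ephemeral ports; stateless means saying so
        rules.append(ACLRule(130, "tcp", 1024, 65535, ANY, "allow"))
    return NetworkACL("dmz-inbound", rules)

SCENARIO = [  # constructed flows; the bastion's outbound fetch and its reply show the stateful/stateless difference
    ("user -> ELB 443", Flow("198.51.100.7", 40000, ELB, 443, "tcp")),
    ("ELB -> web 8080", Flow(ELB, 50000, WEB, 8080, "tcp")),
    ("user -> web 8080 directly", Flow("198.51.100.7", 40001, WEB, 8080, "tcp")),
    ("web -> db 3306", Flow(WEB, 50001, DB, 3306, "tcp")),
    ("user -> bastion 22", Flow("198.51.100.7", 40002, BASTION, 22, "tcp")),
    ("admin -> bastion 22", Flow("203.0.113.9", 40003, BASTION, 22, "tcp")),
    ("bastion -> mirror 443", Flow(BASTION, 51000, "192.0.2.80", 443, "tcp")),
    ("mirror reply -> bastion", Flow("192.0.2.80", 443, BASTION, 51000, "tcp")),
]

def run_scenario():
    # returns {label: (sg_allowed, nacl_allowed, strict_nacl_allowed)}; NACL columns are None outside the DMZ subnet
    groups, nacl, strict = reference_groups(), dmz_inbound_nacl(), dmz_inbound_nacl(with_ephemeral=False)
    results = {}
    for label, f in SCENARIO:
        member = f.dst if any(f.dst in g.members for g in groups.values()) else f.src
        sg_ok, _ = next(g for g in groups.values() if member in g.members).evaluate(f, groups)
        in_dmz = ipaddress.ip_address(f.dst) in DMZ_SUBNET
        results[label] = (sg_ok, nacl.evaluate(f)[0] if in_dmz else None, strict.evaluate(f)[0] if in_dmz else None)
    return results
```

Two rows carry the lesson: a user hitting the web tier directly is refused because the only allow rule names `elb-sg` as the source, which is the attack-surface reduction the slide describes; and the mirror's reply to the bastion passes the stateful security group automatically but is dropped by the NACL variant that lacks the ephemeral-port rule, which is exactly the "return traffic must be explicitly allowed" caveat.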

Be ready to scale and absorb

Route 53

• Highly available, scalable DNS service

• Uses anycast routing for low latency

CloudFront

• Improves performance by caching content and optimizing connections

• Disperses traffic across global edge locations

• DDoS attacks are absorbed close to the source

Elastic Load Balancing

• Fault tolerance for applications

• Automatic scaling

• Multiple Availability Zones

AWS global presence and redundancy (diagram, built up over six slides; labels: Internet Connection A, B and C; CloudFront with a valid object request, an invalid protocol and an invalid object request; ELB with TCP and UDP; Route A, B and C to users; ELB instances in two Availability Zones)

Route 53 anycast routing (diagram, built up over five slides: "How do I get to example.com?", answered "This way!" by name servers labelled .org, .co.uk, .com and .net at several locations)

Architecture: State exhaustion

Why does this matter?

Common vector – SYN flood: Flags=SYN; Cookie returned

SYN proxy and SYN cookies

Using custom proxies (diagram: users and DDoS traffic reach NGINX in a DMZ public subnet behind a security group; front-end server instances sit in a private subnet behind their own security group)
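A SYN proxy using SYN cookies, as an added example of the mechanism the slides name (not NGINX's or the Linux kernel's implementation): the proxy answers every SYN with a SYN-ACK whose sequence number is a keyed hash of the connection 4-tuple and a coarse clock, stores nothing, and only creates a connection when the third handshake packet acknowledges a cookie that verifies. The cookie layout (5 bits of time, 3 bits of MSS index, 24 bits of HMAC), the MSS table, the validity window, the secret and the addresses are this example's constructed choices.

```python
import hashlib
import hmac
import os

MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values that fit in the cookie's 3 MSS bits (index is stored)
COOKIE_MAX_AGE = 2                    # a cookie stays valid for this many ticks of the coarse clock

def _hash24(secret, saddr, daddr, sport, dport, t):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(secret, saddr, daddr, sport, dport, mss, t):
    # 32-bit initial sequence number: 5 bits of time, 3 bits of MSS index, 24 bits of keyed hash
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    t &= 0x1F
    return (t << 27) | (mss_idx << 24) | _hash24(secret, saddr, daddr, sport, dport, t)

def check_cookie(secret, saddr, daddr, sport, dport, cookie, now):
    # returns the encoded MSS if the cookie is fresh and its hash matches this 4-tuple, else None
    t = cookie >> 27
    if (now - t) & 0x1F > COOKIE_MAX_AGE:
        return None
    if cookie & 0xFFFFFF != _hash24(secret, saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]

class SynProxy:
    # keeps no per-SYN state: a half-open connection costs the proxy nothing until a valid ACK returns
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.clock = 0                       # coarse time, advanced by tick()
        self.connections = {}                # populated only by verified handshakes
        self.stats = {"syn": 0, "ack_ok": 0, "ack_bad": 0}

    def tick(self):
        self.clock += 1

    def on_syn(self, saddr, sport, daddr, dport, mss):
        # the SYN-ACK sequence number to send back; nothing is stored
        self.stats["syn"] += 1
        return make_cookie(self.secret, saddr, daddr, sport, dport, mss, self.clock)

    def on_ack(self, saddr, sport, daddr, dport, ack_num):
        # third handshake packet: admit only if ack_num - 1 is a valid cookie for this 4-tuple
        mss = check_cookie(self.secret, saddr, daddr, sport, dport, (ack_num - 1) & 0xFFFFFFFF, self.clock)
        if mss is None:
            self.stats["ack_bad"] += 1
            return False
        self.stats["ack_ok"] += 1
        self.connections[(saddr, sport, daddr, dport)] = {"mss": mss}   # the backend connection is opened here
        return True

def simulate(flood_size=1000):
    # constructed scenario: spoofed SYNs that never complete the handshake, then one genuine client
    proxy, victim = SynProxy(secret=b"constructed-demo-secret"), "198.51.100.5"
    for i in range(flood_size):
        proxy.on_syn(f"192.0.2.{i % 256}", 1024 + i, victim, 80, 1460)
    after_flood = len(proxy.connections)
    cookie = proxy.on_syn("203.0.113.9", 40000, victim, 80, 1460)
    forged = proxy.on_ack("203.0.113.9", 40000, victim, 80, cookie + 1 + 0x100)   # wrong cookie bits
    accepted = proxy.on_ack("203.0.113.9", 40000, victim, 80, cookie + 1)
    stale_cookie = proxy.on_syn("203.0.113.10", 40001, victim, 80, 1460)
    for _ in range(COOKIE_MAX_AGE + 1):
        proxy.tick()
    stale = proxy.on_ack("203.0.113.10", 40001, victim, 80, stale_cookie + 1)
    return {"connections_after_flood": after_flood, "forged_accepted": forged, "genuine_accepted": accepted,
            "stale_accepted": stale, "mss": proxy.connections[("203.0.113.9", 40000, victim, 80)]["mss"],
            "stats": proxy.stats}
```

`simulate()` shows the property that matters for state exhaustion: a thousand spoofed SYNs leave the connection table empty, while the one client that can actually receive the SYN-ACK and echo the cookie gets its connection, and a forged or expired cookie is rejected without any lookup in per-connection state.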

Architecture: Application layer

Looks can be deceiving

Route 53

• DNS query flood targeting 34 of our edge locations

• Peak volume was in top 4% of all DDoS attacks

• Automatically detected and mitigated with no impact to availability

Safeguard exposed resources

Resilient architecture (diagram, built up over seven slides: a web app server; users reach it; a DDoS reaches it too; Auto Scaling is added; the front-end servers move into a private subnet behind a security group; an ELB in a DMZ public subnet and a WAF/proxy tier in its own private subnet are added, each behind a security group and each with Auto Scaling; finally a CloudFront edge location is placed in front of the ELB)

Under attack?

Help with architecture and mitigation

Resources

• Account manager, solutions architect

• Whitepaper: AWS Best Practices for DDoS Resiliency

• AWS Security Blog

AWS Support

• Business – Technical assistance by phone, chat, or email

• Enterprise – Fastest response time. Dedicated technical account manager (TAM).

Information to provide AWS Support

• Instances (IPs help!), distributions, zones under attack

• Location

• Time

• Vector

• Sources

• Intel

AWS Security Center

To learn more, visit https://aws.amazon.com/security.

Thank you!

Remember to submit your evaluations by using the re:Invent app! https://reinvent.awsevents.com/mobile/

Related sessions

• SEC323: Securing Web Applications with AWS WAF; Friday, 9:00–10:00 A.M.
