(SEC306) Defending Against DDoS Attacks
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins, AWS SDM
Jeffrey Lyon, AWS Operations Manager
October 2015
SEC306
Defending Against DDoS Attacks
Goals
Useful background
Common attacks
Criminals extort businesses via DDoS attacks
DDoS attacks are getting much more powerful
Mega attacks are on the rise
The new normal: 200 – 400 Gbps DDoS attacks
Average size of a DDoS attack: 1.04 Gbps
Average duration of > 10 Gbps attacks: 39 minutes
DDoS attacks that target network and service infrastructure: 85%
Source: Arbor Networks
Types of DDoS attacks
• Volumetric DDoS attacks: congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
• State-exhaustion DDoS attacks: a type of protocol abuse that stresses systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
• Application-layer DDoS attacks: less frequently, an attacker will use well-formed connections to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
DDoS attack trends
• 65% Volumetric
• 20% State exhaustion
• 15% Application layer
SSDP reflection attacks are very common. Reflection attacks have clear signatures, but can consume available bandwidth.
Other common volumetric attacks: NTP reflection, DNS reflection, Chargen reflection, SNMP reflection
SYN floods can look like real connection attempts. And on average, they’re larger in volume. They can prevent real users from establishing connections.
DNS query floods are real DNS requests. They can also go on for hours and exhaust the available resources of the DNS server.
Other common application layer attacks: HTTP GET flood, Slowloris
Volumetric: UDP amplification
Volumetric amplification factors
Vector    Factor    Common cause
SSDP      30.8      uPnP services exposed to Internet
NTP       556.9     Time servers with monlist enabled
DNS       28 - 54   Open resolvers
Chargen   358.8     Enabled Chargen service
SNMP      6.3       Open SNMP services
Source: US-CERT
DDoS attacks with multiple vectors
• 85% Single vector
• 15% Multi-vector
Attackers are persistent
Successive vectors used in one attack campaign (timeline built up over several slides):
• UDP/161 – SNMP amplification
• UDP fragments
• UDP/1900 – SSDP reflection
• UDP/1900 – SSDP reflection
• UDP/123 – NTP reflection
Duration: 6 hours
Mitigations
AWS Shared Responsibility Model
Before DDoS mitigation (diagram): users and the DDoS attack both reach the conventional data center directly
Conventional DDoS mitigation services (diagram): users and the DDoS attack reach the conventional data center through a DDoS mitigation service
Resilient by design (diagram, built up over several slides): traffic is classed as IP, ICMP, TCP, UDP (not DNS), and DNS, with Elastic Load Balancing, Amazon CloudFront, and Amazon Route 53 shown against the classes they serve
DDoS mitigation for AWS infrastructure (diagram): users and the DDoS attack both arrive through AWS DDoS mitigation at the edge of the AWS global infrastructure, in front of CloudFront, Route 53, and the customer's virtual private cloud
Basic hygiene
Examples
• IP: checksum
• TCP: valid flags
• UDP: payload length
• DNS: request validation
Packet prioritization
Priority-based traffic shaping
Mitigation: detection and traffic engineering
Target identification in shared space (diagram: users and a DDoS attack reaching several distributions through one edge location)
• Each IP set has a unique combination
• Allows target identification
• Enables new options for mitigation
Traffic engineering (diagram, built up one step per slide, showing where the DDoS attack traffic goes at each stage)
• Mitigate
• Isolate
• Vacate
• Disperse
Architecture
Architecting on AWS for DDoS resiliency
Architecture: Volumetric
Why does this matter?
CloudFront – DNS reflection
• Simultaneous DNS reflection and UDP flood
• Automatically discarded by CloudFront
• No impact on CloudFront or CloudFront customers
Common vector – SSDP: srcPort=1900, Payload=HTTP/1.1…
Common vector – NTP: srcPort=123, Payload=MON_GETLIST
Common vector – DNS reflection: srcPort=53, DNS response with larger payload
Other vectors – RIPv1, Chargen, SNMP
• UDP based
• Reflection
• Amplification
• Unusual sources
• Abnormal payload
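The vectors above share the traits the slides list (UDP, reflected from a well-known service port, abnormal response-shaped payload), which is what makes them easy to recognise on the wire. The classifier below is an added example, not code from the talk or from AWS: it tags inbound UDP datagrams by reflector source port plus payload signature (the `HTTP/1.1` SSDP reply, the NTP mode-7 monlist response, the DNS QR bit) and tallies packets and bytes per vector. The sample datagrams and the size thresholds are constructed for the example.

```python
from collections import Counter

# Reflection vectors named in the talk, keyed by the reflector's source port.
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP", 53: "DNS", 19: "Chargen", 161: "SNMP"}

def looks_reflected(src_port, payload):
    """Return the vector name if the datagram carries a reflection signature,
    else None. Only responses count: a reflector sends answers, not queries."""
    vector = REFLECTOR_PORTS.get(src_port)
    if vector is None:
        return None
    if vector == "SSDP":
        # Reflected SSDP is an HTTP-style M-SEARCH reply ("HTTP/1.1 200 OK").
        return vector if payload.startswith(b"HTTP/1.1 200 OK") else None
    if vector == "NTP":
        # Mode-7 private packet (low 3 bits == 7) with the response bit set and
        # request code MON_GETLIST (20) or MON_GETLIST_1 (42): a monlist reply.
        if len(payload) >= 4 and payload[0] & 0x80 and (payload[0] & 0x07) == 7:
            return vector if payload[3] in (20, 42) else None
        return None
    if vector == "DNS":
        # QR bit (byte 2, bit 7) set marks a DNS response; unsolicited answers
        # arriving from port 53 are the amplification payload.
        return vector if len(payload) > 12 and payload[2] & 0x80 else None
    # Chargen and SNMP: any sizeable payload from the service port is suspect
    # (the 64-byte threshold is an assumption for this example).
    return vector if len(payload) >= 64 else None

def classify(datagrams):
    """Count suspected reflection datagrams and bytes per vector.
    datagrams: iterable of (src_port, payload bytes)."""
    packets, volume = Counter(), Counter()
    for src_port, payload in datagrams:
        vector = looks_reflected(src_port, payload)
        if vector:
            packets[vector] += 1
            volume[vector] += len(payload)
    return dict(packets), dict(volume)

# Constructed sample traffic: three reflected replies plus two benign datagrams.
SAMPLE = [
    (1900, b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n" + b"X" * 200),
    (123, bytes([0x97, 0x00, 0x03, 42]) + b"\x00" * 440),   # mode-7 monlist reply
    (53, b"\x12\x34\x81\x80" + b"\x00" * 1000),             # large DNS answer
    (123, bytes([0x23, 0x00, 0x00, 0x00]) + b"\x00" * 44),  # ordinary NTP client poll
    (40000, b"hello"),                                       # unrelated UDP
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```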
ELB scaling (diagram): users reach the ELB in the DMZ public subnet (security group), which distributes to front-end server instances in the private subnet (security group)
Route 53 health checks on ELB instances (diagram, built up over several slides): users reach the ELB instances behind a security group while Route 53 health-checks them; in the final builds a DDoS source is added against the same ELB instances
Minimize the attack surface
Amazon Virtual Private Cloud (VPC)
• Allows you to define a virtual network in your own logically isolated area on AWS
• Allows you to hide instances from the Internet using security groups and network access control lists (NACLs)
Security in your VPC
Security groups
• Operate at the instance level (first layer of defense)
• Support allow rules only
• Stateful: return traffic is automatically allowed
• All rules are evaluated before deciding whether to allow traffic
Network ACLs
• Operate at the subnet level (second layer of defense)
• Support allow and deny rules
• Stateless: return traffic must be explicitly allowed
• Rules are processed in order
Amazon VPC reference architecture (diagram, built up over four slides)
• DMZ public subnet: ELB, NAT, and SSH bastion, each in its own security group
• Front-end private subnet: Amazon EC2 web app server, in a security group
• Back-end private subnet: Amazon EC2 MySQL db, in a security group
• Flows: Users → ELB on TCP 80/443; ELB → web app server on TCP 8080; web app server → MySQL db on TCP 3306; Admin → SSH bastion on TCP 22; NAT → Internet, TCP outbound
Reference security groups
Reference network ACL
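The two VPC layers differ in exactly the ways the slides list, and the difference matters when you write the reference rules. The model below is an added example, not AWS code or the talk's reference rule set: it evaluates a security group (allow only, stateful, any match wins) and a network ACL (allow and deny, stateless, first match by rule number wins, implicit final deny) for the front-end private subnet, using the reference ports (ELB to 8080, bastion to 22). The CIDRs and rule numbers are constructed; note how an ordered deny beats a later allow, and how a reply is dropped unless the outbound NACL explicitly allows ephemeral ports.

```python
import ipaddress

def _match(rule, proto, port, addr):
    """A rule matches on protocol, port range and CIDR."""
    return (rule["proto"] == proto and rule["from"] <= port <= rule["to"]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule["cidr"]))

def sg_allows(rules, proto, port, src):
    """Security group: allow rules only and stateful, so a packet passes if
    any rule matches; replies to an allowed flow are never evaluated."""
    return any(_match(r, proto, port, src) for r in rules)

def nacl_allows(rules, proto, port, addr):
    """Network ACL: stateless, allow and deny, rules processed in number
    order with the first match winning; the implicit final rule denies all."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _match(rule, proto, port, addr):
            return rule["action"] == "allow"
    return False

# Constructed rules for the front-end private subnet: the ELB in the DMZ
# subnet (10.0.0.0/24) may reach TCP 8080 and the bastion 10.0.0.5 TCP 22.
FRONTEND_SG = [
    {"proto": "tcp", "from": 8080, "to": 8080, "cidr": "10.0.0.0/24"},
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.5/32"},
]
FRONTEND_NACL_IN = [  # rule 90 blocks one misbehaving DMZ host before the allow
    {"num": 90, "action": "deny", "proto": "tcp", "from": 0, "to": 65535,
     "cidr": "10.0.0.200/32"},
    {"num": 100, "action": "allow", "proto": "tcp", "from": 8080, "to": 8080,
     "cidr": "10.0.0.0/24"},
    {"num": 110, "action": "allow", "proto": "tcp", "from": 22, "to": 22,
     "cidr": "10.0.0.5/32"},
]
FRONTEND_NACL_OUT = [  # stateless: replies to ephemeral ports need their own rule
    {"num": 100, "action": "allow", "proto": "tcp", "from": 1024, "to": 65535,
     "cidr": "10.0.0.0/24"},
]

def request_allowed(src, dst_port):
    """An inbound request to the front end must pass the subnet NACL and
    then the instance security group."""
    return (nacl_allows(FRONTEND_NACL_IN, "tcp", dst_port, src)
            and sg_allows(FRONTEND_SG, "tcp", dst_port, src))

def reply_allowed(dst, dst_port, nacl_out=FRONTEND_NACL_OUT):
    """The reply crosses only the outbound NACL; the security group lets it
    through as return traffic of an already-allowed flow."""
    return nacl_allows(nacl_out, "tcp", dst_port, dst)
```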
Be ready to scale and absorb
Route 53
• Highly available, scalable DNS service
• Uses anycast routing for low latency
CloudFront
• Improves performance by caching content and optimizing connections
• Disperses traffic across global edge locations
• DDoS attacks are absorbed close to the source
Elastic Load Balancing
• Fault tolerance for applications
• Automatic scaling
• Multiple Availability Zones
AWS global presence and redundancy (diagrams)
• Multiple Internet connections (Connection A, B, C) into AWS
• CloudFront: valid object requests are served; invalid protocol and invalid object requests are discarded
• ELB: TCP versus UDP traffic (ELB listeners are TCP only)
• Route 53: users reach the service over Route A, B, or C
• ELB instances spread across multiple Availability Zones
Route 53 anycast routing (diagram, built up over several slides): a resolver asks "How do I get to example.com?" and name servers at many locations, each labelled with the zones it serves (.com, .net, .org, .co.uk), all answer "This way!"; anycast delivers the query to the nearest one
Architecture: State exhaustion
Why does this matter?
Common vector – SYN flood: Flags=SYN; cookie returned
SYN proxy and SYN cookies (diagram, built up over four slides)
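A SYN proxy survives a SYN flood because it returns a cookie instead of allocating connection state: the SYN-ACK sequence number encodes a time slot, the MSS class and a keyed MAC over the 4-tuple, and the server only commits memory when an ACK carrying a valid cookie arrives. The code below is an added example of that scheme, not the talk's or AWS's code, in the simplified classic layout (5-bit time, 3-bit MSS index, 24-bit MAC); the secret and sample endpoints are constructed.

```python
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1024, 1440, 1460)     # 3-bit index leaves room for 8 entries
SECRET = b"constructed-listener-secret"  # per-listener secret; rotate in practice

def _mac(src_ip, dst_ip, src_port, dst_port, client_isn, t):
    """24-bit keyed MAC over the 4-tuple, the client ISN and the time slot."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, client_isn, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, now):
    """Build the SYN-ACK ISN without storing any state. `now` is in seconds;
    the 5-bit slot t advances every 64 s, so a cookie is checkable only briefly."""
    t = (now >> 6) & 0x1F
    idx = 0
    for i, candidate in enumerate(MSS_TABLE):   # largest table MSS <= client MSS
        if candidate <= mss:
            idx = i
    return (t << 27) | (idx << 24) | _mac(src_ip, dst_ip, src_port, dst_port, client_isn, t)

def check_cookie(src_ip, dst_ip, src_port, dst_port, ack_seq, ack_ack, now):
    """Validate the handshake-completing ACK. Returns the MSS to use when the
    cookie is genuine and fresh, else None; a forged or stale ACK costs the
    listener nothing because no state was allocated at SYN time."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF      # the client acknowledges our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF  # its own sequence number is ISN + 1
    t = cookie >> 27
    if (((now >> 6) & 0x1F) - t) & 0x1F > 1:  # older than two 64 s slots
        return None
    if (cookie & 0xFFFFFF) != _mac(src_ip, dst_ip, src_port, dst_port, client_isn, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]

if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", "203.0.113.10", 40000, 443, 12345, 1460, 100000)
    print(hex(isn), check_cookie("198.51.100.7", "203.0.113.10", 40000, 443,
                                 12346, isn + 1, 100010))
```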
Using custom proxies (diagram): users and the DDoS attack reach NGINX instances in the DMZ public subnet (security group), which proxy to front-end server instances in the private subnet (security group)
Architecture: Application layer
Looks can be deceiving
Route 53
• DNS query flood targeting 34 of our edge locations
• Peak volume was in top 4% of all DDoS attacks
• Automatically detected and mitigated with no impact to availability
Safeguard exposed resources
Resilient architecture (diagram, built up over several slides)
• Start: users reach the web app server directly; then a DDoS source is added
• Auto Scaling front-end servers in a private subnet, behind a security group
• ELB in a DMZ public subnet (security group) in front of an Auto Scaling WAF/proxy tier in a private subnet (security group), then a second ELB in front of the Auto Scaling front-end servers (security group) and the web app server
• Finally, a CloudFront edge location in front of the ELB
Under attack?
Help with architecture and mitigation
Resources
• Account manager, solutions architect
• Whitepaper: AWS Best Practices for DDoS Resiliency
• AWS Security Blog
AWS Support
• Business – Technical assistance by phone, chat, or email
• Enterprise – Fastest response time. Dedicated technical account manager (TAM).
Information to provide AWS Support
• Instances (IPs help!), distributions, zones under attack
• Location
• Time
• Vector
• Sources
• Intel
AWS Security Center
To learn more, visit https://aws.amazon.com/security.
Thank you!
Remember to submit your evaluations by using the re:Invent app! https://reinvent.awsevents.com/mobile/
Related sessions
• SEC323: Securing Web Applications with AWS WAF; Friday, 9:00–10:00 A.M.