AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases (SEC310)

Distributed denial of service (DDoS) attack mitigation has traditionally been a challenge for those hosting on fixed infrastructure. In the cloud, users can build applications on elastic infrastructure that is capable of mitigating and absorbing DDoS attacks. What once required overprovisioning, additional infrastructure, or third-party services is now an inherent capability of many cloud-based applications. This session explains common DDoS attack vectors and how AWS customers with different use cases are addressing these challenges. As part of the session, we show you how to build applications that are resilient to DDoS and demonstrate how they work in practice.

  1. SEC310: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases. Adrian Newby, CTO, CrownPeak; David Grampa, Founder, TypeFrag.com; Andrew Kiggins, AWS Solutions Architect; Jeffrey Lyon, AWS Operations Manager. November 29, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. In this session, you will learn about … Five DDoS attack vectors: 1. UDP reflection attacks; 2. UDP floods; 3. TCP SYN floods; 4. Web application layer attacks; 5. DNS query floods. Four AWS use cases: 1. Common web application; 2. Highly resilient web application; 3. Video game development; 4. Voice communication.
  3. DDoS attacks
  4. DDoS attacks can … • Target networks with large volumes of traffic • Target systems with large volumes of connections • Target services with large volumes of requests
  5. Vector #1: UDP reflection attacks • Attacker sends a spoofed request to a UDP service • The spoofed source IP is that of the victim • Asymmetric: the UDP service responds with a large payload (slide track: Network Traffic | System Connections | Service Requests)
  6. Vector #1: UDP reflection attacks, sample capture:
     20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
     20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
     20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
     20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
     20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300
     20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307
     20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302
     20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323
     20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268
     Clear signature: many requests from a suspicious source port. Large packet size: a flood of traffic is easy to generate. UDP protocol: a clear indicator of suspicious activity if the destination does not use UDP.
  7. Vector #2: UDP floods, sample capture:
     20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
     20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
     20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
     20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
     20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024
     20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024
     20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024
     20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024
     20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024
     Ambiguous: the source port may be difficult to distinguish. Packet size: defined by the attacker. UDP protocol: a clear indicator of suspicious activity if the destination does not use UDP.
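The two captures above differ in exactly the fields the slides call out: a fixed, well-known source port with varying reply sizes for reflection, versus scattered ephemeral source ports with an attacker-chosen constant size for a flood. The following added example (not part of the talk) parses tcpdump-style lines and applies those signatures; the capture lines are copied from slides 6 and 7, the reflector port table beyond SSDP/1900 and the share thresholds are assumptions of this example.

```python
import re
from collections import Counter

# Well-known UDP services commonly abused as reflectors/amplifiers. Port 1900
# (SSDP) is the one in the slide's capture; the other entries are an added
# assumption, not from the talk.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
                   1900: "SSDP", 11211: "memcached"}
EPHEMERAL_MIN = 1024  # source ports below this belong to services, not clients

# One tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^\s:]+): UDP, length (?P<length>\d+)$"
)

# Capture lines taken from slides 6 and 7 (TEST-NET addresses, HTTP target).
REFLECTION_SAMPLE = """\
20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300
20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307
20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302
20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323
20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268
"""
FLOOD_SAMPLE = """\
20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024
20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024
20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024
20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024
20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024
"""


def parse_udp_lines(capture):
    """Parse tcpdump-style UDP lines; lines that do not match are ignored."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({"src": m["src"], "sport": int(m["sport"]),
                            "dport": m["dport"], "length": int(m["length"])})
    return packets


def classify_udp(capture, service_uses_udp=False):
    """Apply the two slides' signatures to a capture.

    Reflection: one well-known service port dominates the source ports and
    payload sizes vary (they are whatever the reflector answers with).
    Flood: source ports are scattered ephemeral ports and the size is
    whatever the attacker chose, often constant.
    """
    packets = parse_udp_lines(capture)
    if not packets:
        return {"verdict": "no-udp-packets", "packets": 0}
    sport_counts = Counter(p["sport"] for p in packets)
    top_port, top_n = sport_counts.most_common(1)[0]
    share = top_n / len(packets)
    lengths = [p["length"] for p in packets]
    report = {
        "packets": len(packets),
        "distinct_sources": len({p["src"] for p in packets}),
        "dominant_sport": top_port,
        "dominant_sport_share": round(share, 2),
        "reflector_service": REFLECTOR_PORTS.get(top_port),
        "mean_length": sum(lengths) / len(lengths),
        "constant_length": len(set(lengths)) == 1,
        # UDP arriving at a host that only serves TCP is suspicious by itself
        "udp_to_non_udp_service": not service_uses_udp,
    }
    if share >= 0.8 and top_port in REFLECTOR_PORTS:
        report["verdict"] = "udp-reflection"
    elif share < 0.5 and all(p["sport"] >= EPHEMERAL_MIN for p in packets):
        report["verdict"] = "udp-flood"
    else:
        report["verdict"] = "udp-unclassified"
    return report
```

Run against the slide's reflection capture the report names SSDP as the dominant source service with a mean reply of 303 bytes; the flood capture has no dominant source port and a constant 1024-byte size. Anything in between lands in "udp-unclassified", which is the honest answer for a small sample.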
  8. Vector #3: TCP SYN floods • Flood of many connections targeting a system • Very small packets • Connections are left half-open, causing state table exhaustion
  9. Vector #3: TCP SYN floods, sample netstat output:
     tcp 0 0 192.0.2.1:80 91.64.4.146:64979 SYN_RECV -
     tcp 0 0 192.0.2.1:80 84.24.103.112:4005 SYN_RECV -
     tcp 0 0 192.0.2.1:80 79.223.69.239:61510 SYN_RECV -
     tcp 0 0 192.0.2.1:80 67.86.135.44:43312 SYN_RECV -
     tcp 0 0 192.0.2.1:80 86.88.67.226:50600 SYN_RECV -
     tcp 0 0 192.0.2.1:80 173.20.137.110:3813 SYN_RECV -
     tcp 0 0 192.0.2.1:80 84.58.10.121:4878 SYN_RECV -
     tcp 0 0 192.0.2.1:80 91.37.40.151:2408 SYN_RECV -
     tcp 0 0 192.0.2.1:80 173.20.137.110:3441 SYN_RECV -
     Half-open connections: we sent SYN-ACK, the ACK was never received. TCP protocol: many connections destined to the HTTP service.
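The half-open entries above are what state-table exhaustion looks like from the host. As an added example (not from the talk), the function below reads rows in the same netstat layout and counts SYN_RECV entries per local port and per remote host, so a defender can see both the pressure on the listener and which sources are supplying it. The sample rows and the alert threshold are constructed for this example, using TEST-NET addresses.

```python
import re
from collections import Counter

# Rows in the layout of `netstat -ant` (as on the slide), constructed for this
# example with TEST-NET addresses.
NETSTAT_SAMPLE = """\
tcp        0      0 192.0.2.1:80     203.0.113.10:64979  SYN_RECV
tcp        0      0 192.0.2.1:80     198.51.100.7:4005   SYN_RECV
tcp        0      0 192.0.2.1:80     203.0.113.44:61510  SYN_RECV
tcp        0      0 192.0.2.1:80     203.0.113.10:3813   SYN_RECV
tcp        0      0 192.0.2.1:80     198.51.100.7:3441   SYN_RECV
tcp        0      0 192.0.2.1:80     203.0.113.10:2408   SYN_RECV
tcp        0      0 192.0.2.1:80     192.0.2.77:51234    ESTABLISHED
tcp        0      0 192.0.2.1:22     192.0.2.90:40001    ESTABLISHED
"""

# proto, recv-q, send-q, local, remote, state
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)"
)


def split_endpoint(endpoint):
    """'203.0.113.10:64979' -> ('203.0.113.10', 64979); rsplit keeps IPv6 text intact."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def half_open_report(netstat_text, alert_threshold=5):
    """Count half-open (SYN_RECV) connections per local port and per remote host.

    A pile of SYN_RECV entries that never reach ESTABLISHED is the state-table
    pressure the slide describes; the threshold is a constructed value to tune
    per host (a busy web server legitimately has some SYN_RECV entries).
    """
    half_open = Counter()   # local port -> number of half-open connections
    remotes = Counter()     # remote host -> number of half-open connections
    established = 0
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _, lport = split_endpoint(m["local"])
        rhost, _ = split_endpoint(m["remote"])
        if m["state"] == "SYN_RECV":
            half_open[lport] += 1
            remotes[rhost] += 1
        elif m["state"] == "ESTABLISHED":
            established += 1
    total = sum(half_open.values())
    return {
        "half_open": total,
        "established": established,
        "by_local_port": dict(half_open),
        "top_remotes": remotes.most_common(3),
        "alert": total >= alert_threshold,
    }
```

On the sample, six of the eight sockets are half-open and all of them target port 80, with one remote host responsible for half of them; the same report on a healthy server would show established connections dominating.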
  10. Vector #4: Web application layer attacks • Malicious web requests that look like real users • Impact availability or scrape site content • Mitigate using a WAF • Block abusive IPs, user agents, etc. • Rate-based blacklisting
  11. Vector #5: DNS query floods • Many legitimate DNS queries can exhaust host capacity • Random queries can “cache bust” recursive DNS (e.g. ezspobmzlanungyp.www.example.com) • Authoritative DNS is compelled to respond
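Cache busting works because every random name is a cache miss that the authoritative server must answer. The defining trace in a query log is therefore a source whose queries are almost all for distinct labels under your zone. The following added example (not from the talk) flags such sources from (source, qname) pairs and reports per-character entropy of the labels as a secondary signal; the query log, thresholds and addresses are constructed for this example, and the zone name follows the slide's example.

```python
import math
import random
import string
from collections import defaultdict

ZONE = "example.com"  # the zone we are authoritative for (from the slide's example name)


def shannon_entropy(label):
    """Bits of entropy per character: random 16-letter labels score well above 3,
    ordinary labels such as 'www' score much lower."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_label(qname, zone):
    """Leftmost label of a query under `zone`; '@' for the apex; None if not our zone."""
    q = qname.lower().rstrip(".")
    if q == zone:
        return "@"
    if not q.endswith("." + zone):
        return None
    return q[: -len(zone) - 1].split(".")[0]


def cache_bust_suspects(queries, zone=ZONE, min_queries=10, min_unique_ratio=0.9):
    """queries: iterable of (source_ip, qname) from a resolver or authoritative log.

    A source is flagged when it has sent at least `min_queries` queries for
    our zone and nearly every one asked for a label never seen from it before.
    """
    per_src = defaultdict(list)
    for src, qname in queries:
        label = leftmost_label(qname, zone)
        if label is not None:
            per_src[src].append(label)
    suspects = []
    for src, labels in per_src.items():
        total, unique = len(labels), len(set(labels))
        if total >= min_queries and unique / total >= min_unique_ratio:
            suspects.append({
                "src": src,
                "queries": total,
                "unique_labels": unique,
                "mean_entropy": round(sum(map(shannon_entropy, labels)) / total, 2),
            })
    return sorted(suspects, key=lambda s: -s["queries"])


def constructed_query_log():
    """Constructed sample: one source busting the cache with 20 random labels,
    one source asking repeatedly for ordinary names, one query for another zone."""
    rng = random.Random(2016)
    labels = set()
    while len(labels) < 20:  # loop guarantees 20 distinct labels
        labels.add("".join(rng.choice(string.ascii_lowercase) for _ in range(16)))
    attacker = [("203.0.113.9", f"{lbl}.www.example.com") for lbl in sorted(labels)]
    normal = [("198.51.100.5", name) for name in ["www.example.com", "mail.example.com"] * 10]
    other = [("198.51.100.5", "www.example.net")]
    return attacker + normal + other
```

The unique-label ratio, not the entropy, is the primary signal: a dictionary-word label like "customer-portal" also has high entropy, but a legitimate client asks for it again and again, while a cache-busting client never repeats itself. Rate limiting or dropping the flagged sources at the resolver stops the cache misses before they reach the authoritative servers.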
  12. DDoS mitigation on AWS
  13. Conventional DDoS mitigation (diagram): users, a conventional data center, a DDoS attack, and an external DDoS mitigation service in the path
  14. DDoS mitigation on AWS • Built into the AWS global infrastructure • Fast mitigation without external routing • Protection of availability, latency, and throughput
  15. DDoS attacks and mitigation • “BlackWatch” systems protect AWS and mitigate large-volume attacks • Methods: • Allow only traffic valid for the service • SYN proxy/cookies when high levels of SYN==1 are detected • Suspicion-based traffic shaping
  16. Suspicion-based traffic shaping • Prioritize reliable traffic • Deprioritize spikes of traffic from: • Abnormal sources (networks, geos) • Abnormal ports and protocols • Abnormal packet or request characteristics • Leverage AWS scale, minimize false positives
  17. Suspicion-based traffic shaping (diagram)
  18. Protecting web applications
  19. Common web application (diagram): users and DDoS attack traffic reach an Application Load Balancer (ALB security group) in a public subnet; Amazon EC2 instances (web application security group) sit in a private subnet
  20. ALB scaling and mitigation (diagram): BlackWatch DDoS mitigation in front of the public subnet; the Application Load Balancer scales out to several load balancer nodes under attack
  21. Transit diversity and redundancy (diagram): us-east-1 reached through multiple Internet exchanges, serving a DDoS-resilient web application
  22. Highly resilient web application (diagram): Amazon Route 53, Amazon CloudFront and AWS WAF in front; Amazon API Gateway; Application Load Balancer (ALB security group) in a public subnet; Amazon EC2 instances (web application security group) in a private subnet; DDoS attack and users
  23. Mitigate closer to the source (diagram): BlackWatch DDoS mitigation at Internet exchanges in Tokyo, Singapore, Hong Kong, Dublin, London and Milan, ahead of DDoS-resilient web services in us-east-1
  24. Globally distributed capacity
  25. Case study: Crownpeak / BNY Mellon
  26. Introduction to Crownpeak • Crownpeak has pioneered the SaaS model for web content management systems since 2001 • We provide a full digital experience management suite, delivered entirely using Amazon Web Services • We are headquartered in Los Angeles, CA, with offices in Denver, CO, and London, UK
  27. Introduction to the case study • Bank of New York Mellon at a glance: • $29.5 trillion assets under custody and/or administration • $1.7 trillion assets under management • 100+ markets worldwide • Many websites managed and hosted by Crownpeak • Committed to best-in-class cyber defense and threat protection
  28. Baseline architecture (diagram): Amazon Route 53; Amazon CloudFront; ELB load balancer (ELB security group) in a public subnet; Amazon EC2 instances (web application security group) in a private subnet; DDoS attack and users
  29. Hardened architecture (diagram): as the baseline, with AWS WAF added in front of Elastic Load Balancing, plus AWS Lambda and Amazon S3
  30. DDoS testing
      Test               Description
      HTTP GET baseline  Basic load test to establish thresholds at which mitigation devices activate
      WILD HULK DDoS     Obfuscation of source client, reference forgery, stickiness, URL transformation
      WAF overload       Parallel SQL injection and vulnerability scans

      Metric                     Ave / Peak
      Concurrent attack vectors  200
      Requests sent              200 K/second (ave), 1 M+/second (peak)
      Data volume returned       35-40 Gb/second (ave), 52 Gb/second (peak)
      Data volume sent           2.5-3.5 Gb/second (ave), 4.4 Gb/second (peak)
  31. Test results (chart)
  32. How far can you push these technologies?
  33. Conclusions and final recommendations • Amazon CloudFront and AWS WAF are a highly effective defense against the most sophisticated Layer 7 attacks • Best practices for best defense: • Invest time in limiting query string and header forwarding: eliminates many common attacks • Deploy HTTP->HTTPS redirect at the edge: shields the origin from redirect floods • Implement an SNI-based infrastructure: many DDoS toolkits fail the TLS handshake
  34. DDoS-resilient architecture on Amazon EC2
  35. VPC Flow Logs, security groups, network ACLs primer (diagram): VPC 10.200.0.0/16 with a public subnet 10.200.150.0/24 and a private subnet 10.200.99.0/24, each with its own route table; Internet gateway; NAT gateway; flow logs; one instance per subnet with a WebServer security group and an Application security group. Security groups work like a firewall. Rules shown (as extracted): Ingress rule 0.0.0.0/0 : 80; Egress rule 0.0.0.0/0 : ANY; ApplicationSecurityGroup:8443; Ingress rule WebServerSecurityGroup : ANY; Egress rule 0.0.0.0/0 : ANY
  36. VPC Flow Logs, security groups, network ACLs primer (same diagram). Flow logs work like NetFlow: srcIP, dstIP, srcPort, dstPort, protocol, accept/reject
  37. VPC Flow Logs, security groups, network ACLs primer (same diagram). Network ACLs work like router ACLs
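Because flow logs record the same tuple as NetFlow plus the accept/reject decision, they are the first place to look when a security group or network ACL is silently dropping attack traffic. The following added example (not from the talk) parses version-2 VPC Flow Log records, totals rejected bytes per source, and separately flags UDP arriving at a host that only serves TCP, the "clear indicator" the vector slides mention. The records, account id, ENI id and the set of TCP-only hosts are constructed placeholders that follow the slide's 10.200.0.0/16 addressing.

```python
from collections import Counter, defaultdict

# Field order of a version-2 VPC Flow Log record (space separated).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
UDP, TCP = 17, 6  # IP protocol numbers

# Constructed records for the web-server ENI in the slide's public subnet
# (10.200.150.0/24). Account id and ENI id are placeholders.
FLOW_LOG_SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.200.150.10 43512 80 6 12 6210 1480435200 1480435260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.200.150.10 1900 80 17 3200 960000 1480435200 1480435260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.200.150.10 1900 80 17 2800 840000 1480435260 1480435320 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.77 10.200.150.10 55110 22 6 4 240 1480435200 1480435260 REJECT OK
2 123456789012 eni-0a1b2c3d 10.200.150.10 10.200.99.20 50020 8443 6 40 18800 1480435200 1480435260 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1480435200 1480435260 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA rows carry no flow fields and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def flow_summary(text, local_prefix="10.200.", tcp_only_hosts=frozenset({"10.200.150.10"})):
    """Summarise what the VPC saw: who was rejected by a security group or
    network ACL, how much they sent, and whether UDP reached a host that only
    serves TCP (suspicious regardless of accept/reject)."""
    rejected_bytes = Counter()
    rejected_ports = defaultdict(Counter)
    udp_to_tcp_only = []
    accepted = 0
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            rejected_bytes[rec["srcaddr"]] += rec["bytes"]
            rejected_ports[rec["srcaddr"]][rec["dstport"]] += 1
        else:
            accepted += 1
        if rec["protocol"] == UDP and rec["dstaddr"] in tcp_only_hosts:
            udp_to_tcp_only.append((rec["srcaddr"], rec["srcport"], rec["bytes"]))
    # Internal sources that get rejected are usually misconfiguration, not attack;
    # rank only external ones.
    external = {src: b for src, b in rejected_bytes.items() if not src.startswith(local_prefix)}
    return {
        "accepted_records": accepted,
        "rejected_bytes_by_src": dict(rejected_bytes),
        "top_rejected_external": max(external.items(), key=lambda kv: kv[1]) if external else None,
        "rejected_ports_by_src": {s: dict(c) for s, c in rejected_ports.items()},
        "udp_to_tcp_only_host": udp_to_tcp_only,
    }
```

In the sample the 1.8 MB of rejected UDP from source port 1900 is the reflection pattern of slide 6 seen from the VPC side: the security group already drops it, and the flow log is what tells you it is happening and from where.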
  38. Amazon EC2 for game developers • Web portals • Game servers • Matching servers • Relay servers
  39. Web portal = the usual suspects (diagram): Amazon Route 53, Amazon CloudFront and AWS WAF in front; Amazon API Gateway; ELB / ALB (ELB security group) in a public subnet; Amazon EC2 instances (web application security group) in a private subnet; DDoS attack and users
  40. Game servers, match servers, relays • UDP vs. TCP • Latency • Scaling
  41. Options • Reduce your attackable surface area • Filter unwanted traffic • DNS protection • Protect API endpoint • Restrict access • Scale to absorb • Size appropriately • Reduce blast radius • Move the target
  42. Reduce the blast radius (diagram): all players connect to a single instance in one subnet and one security group, which is the target of the DDoS attack
  43. Reduce the blast radius (diagram): players spread across several instances, each in its own security group, with the DDoS attack reaching only one of them
  44. Restrict access – security groups (diagram): players, a DDoS attack, and an instance behind a security group in a subnet
  45. Restrict access – host-based (diagram): players, a DDoS attack, and an instance behind a security group in a subnet
  46. Move the target • Use Elastic IP addresses • Don’t use contiguous IP addresses (diagram: instances with Elastic IPs in separate security groups, players, and a DDoS attack)
  47. TeamSpeak3 on EC2 • TeamSpeak3 is voice communication software • Popular with online computer gamers • Common DDoS target
  48. TeamSpeak3 on EC2 (diagram)
  49. Resiliency 1. Leverage AWS global infrastructure 2. Minimize attack surface 3. Reduce blast radius 4. Automatically mitigate attacks 5. Analyze and learn from attacks
  50. Attack surface (diagram): Amazon Route 53, users, and an instance with an Elastic IP in its own subnet behind a network ACL. One network ACL per VPC subnet; one VPC subnet per instance
  51. Attack surface (diagram)
  52. Blast radius (diagram): Amazon Route 53 directing users across AZ #1, AZ #2 and AZ #3
  53. Blast radius (diagram): the same, with an attack shown against one AZ
  54. Attack mitigation (diagram): DDoS attack begins against the instance (Elastic IP, subnet, network ACL); Amazon Route 53, users, CloudWatch and AWS Lambda
  55. Attack mitigation, step 1: DDoS attack detected
  56. Attack mitigation, step 2: Elastic IP address changed
  57. Attack mitigation, step 3: Route 53 DNS updated
  58. Attack mitigation: DDoS attack mitigated
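The three steps above (detect, swap the Elastic IP, update Route 53) are what the Lambda function in this architecture has to do. As an added example, not code from the talk or from TypeFrag.com, the function below performs steps 2 and 3 against injected EC2 and Route 53 clients. The boto3 calls it makes (allocate_address, describe_addresses, disassociate_address, associate_address, release_address, change_resource_record_sets) are real API operations; the Fake* classes are in-memory stand-ins so the flow runs offline, and the instance id, allocation ids, hosted zone id and hostname are constructed placeholders.

```python
"""Move-the-target mitigation: allocate a fresh Elastic IP, attach it to the
attacked instance, repoint the Route 53 A record, release the old address."""


def swap_elastic_ip(ec2, route53, instance_id, old_allocation_id,
                    hosted_zone_id, record_name, ttl=60):
    # 1. Allocate the replacement first: if this fails, nothing has changed yet.
    new = ec2.allocate_address(Domain="vpc")
    # 2. Detach the attacked address. EC2 refuses to release an EIP that is still
    #    associated, so look up and remove its association explicitly.
    old = ec2.describe_addresses(AllocationIds=[old_allocation_id])["Addresses"][0]
    if "AssociationId" in old:
        ec2.disassociate_address(AssociationId=old["AssociationId"])
    # 3. Attach the new address to the instance's primary private IP.
    ec2.associate_address(AllocationId=new["AllocationId"], InstanceId=instance_id,
                          AllowReassociation=True)
    # 4. Repoint DNS with a short TTL so legitimate users follow the move quickly;
    #    traffic aimed at the old address no longer reaches the instance.
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={"Comment": "DDoS mitigation: Elastic IP swap",
                     "Changes": [{"Action": "UPSERT",
                                  "ResourceRecordSet": {
                                      "Name": record_name, "Type": "A", "TTL": ttl,
                                      "ResourceRecords": [{"Value": new["PublicIp"]}]}}]})
    # 5. Return the attacked address to the pool.
    ec2.release_address(AllocationId=old_allocation_id)
    return {"old_ip": old["PublicIp"], "new_ip": new["PublicIp"],
            "new_allocation_id": new["AllocationId"]}


class FakeEc2:
    """In-memory model of the EC2 address API, enough for the calls above (constructed)."""
    def __init__(self):
        self.addresses = {"eipalloc-old": {"PublicIp": "203.0.113.10",
                                           "AssociationId": "eipassoc-old",
                                           "InstanceId": "i-0123456789abcdef0"}}
        self.released = []
        self._n = 0

    def allocate_address(self, Domain):
        self._n += 1
        alloc, ip = f"eipalloc-new{self._n}", f"198.51.100.{self._n}"
        self.addresses[alloc] = {"PublicIp": ip}
        return {"AllocationId": alloc, "PublicIp": ip, "Domain": Domain}

    def describe_addresses(self, AllocationIds):
        return {"Addresses": [{"AllocationId": a, **self.addresses[a]} for a in AllocationIds]}

    def disassociate_address(self, AssociationId):
        for addr in self.addresses.values():
            if addr.get("AssociationId") == AssociationId:
                del addr["AssociationId"]
                addr.pop("InstanceId", None)

    def associate_address(self, AllocationId, InstanceId, AllowReassociation=False):
        assoc = f"eipassoc-{AllocationId}"
        self.addresses[AllocationId].update({"AssociationId": assoc, "InstanceId": InstanceId})
        return {"AssociationId": assoc}

    def release_address(self, AllocationId):
        if "AssociationId" in self.addresses[AllocationId]:
            raise RuntimeError("InvalidIPAddress.InUse")  # mirrors the real API's refusal
        self.released.append(AllocationId)
        del self.addresses[AllocationId]


class FakeRoute53:
    """In-memory model of change_resource_record_sets (constructed)."""
    def __init__(self):
        self.records = {}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        for change in ChangeBatch["Changes"]:
            rrset = change["ResourceRecordSet"]
            key = (HostedZoneId, rrset["Name"], rrset["Type"])
            self.records[key] = [r["Value"] for r in rrset["ResourceRecords"]]
        return {"ChangeInfo": {"Status": "PENDING"}}


if __name__ == "__main__":
    # Against real AWS: ec2 = boto3.client("ec2"); route53 = boto3.client("route53")
    ec2, route53 = FakeEc2(), FakeRoute53()
    print(swap_elastic_ip(ec2, route53, "i-0123456789abcdef0", "eipalloc-old",
                          "Z-EXAMPLE-PLACEHOLDER", "voice.example.com."))
```

The order matters: the replacement is allocated before anything is torn down, DNS is changed only once the new address is live, and the old address is released last so the function can be retried at any step. The short TTL is what keeps the 90-second recovery on the results slide achievable; with a long TTL legitimate clients would keep resolving to the attacked address.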
  59. Demo: attack mitigation with EIP swapping
  60. Results
      Metric                     Before       After
      Attacks per month          50           5
      Users affected per attack  2000         200
      Duration per attack        15 minutes   90 seconds
      User minutes               1,500,000    1,500
  61. Attack analysis (diagram): VPC Flow Logs to Amazon S3; Amazon Lambda, Amazon API Gateway and Amazon SimpleDB behind a REST-based API; a single-page app served from Amazon S3 via Amazon CloudFront to the user
  62. Attack analysis (screenshot)
  63. DDoS mitigation support
  64. Need help? Step 1: click “Create Case”. Step 2: select “Distributed Denial of Service (DDoS)”. Step 3: select the category and severity and write a subject and description. Step 4: talk to a DDoS expert
  65. AWS Best Practices for DDoS Resiliency (June 2016) • Types of DDoS attacks • Mitigation techniques • Attack surface reduction • Operational techniques. Download from https://aws.amazon.com/security
  66. Thank you! Learn more about DDoS mitigation on AWS at https://aws.amazon.com/security
  67. Remember to complete your evaluations!
