DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019

Distributed Denial of Service (DDoS) attacks seek to affect the availability of applications through network congestion, connection state exhaustion, and application stress. AWS distills exabytes of NetFlow data, application logs, and service health metrics to inform DDoS attack detection, reporting, and mitigation systems. In this session, learn how to access insights about the DDoS threat environment and attacks against your specific AWS resources through the AWS Management Console, API, and Amazon CloudWatch. Finally, learn how to use this information to automate notification and response.


  1. DDoS attack detection at scale. John Krah, Senior Software Development Engineer, Amazon Web Services. SDD408. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda
     • What is DDoS?
     • Who can be affected?
     • How do we collect data and create insight?
     • Where can you access these insights?
     • Why do you need a response plan?
  3. Related breakouts
     • Tuesday, June 25: SDD316 - How Dow Jones uses AWS to create a secure perimeter around its web properties (Kamal Verma, Dow Jones), 1:45 PM – 2:45 PM, Level 3, Ballroom East
     • Wednesday, June 26: FND305-R1 - Supercharging your workload defenses with AWS WAF, Amazon Inspector, AWS Systems Manager (Cameron Worrell), 12:30 PM – 1:30 PM, Level 1, Room 151B, Table 5
  5. What is DDoS?
     • Service: networking, infrastructure, applications; several links in a chain
     • Denial of: network congestion, connection state exhaustion, application stress; knock out any one link
     • Distributed: multiple sources focusing on one target
     DDoS attacks the availability of a service or application to prevent its providers from giving the desired value to its consumers.
  6. Visualize DDoS attacks: network congestion
     • Flood volume of requests through various internet transit, peers, and exchanges to overwhelm the capacity at a single target
     • Congestion degrades availability of all communication across that link
     • UDP reflection amplification can dramatically increase bitrate
  7. Visualize DDoS attacks: transport exhaustion
     • Spoof connections to the infrastructure to exhaust its memory and network stack
     • The TCP handshake is an expensive single packet; we use custom infrastructure and software to proxy connections for Amazon CloudFront
  8. Visualize DDoS attacks: application stress
     • Send ostensibly real requests to consume application effort without intending to use the direct product
     • An expensive result is the one to stress, e.g. the login page, to deny access
  9. What is DDoS?
     • Network: sheer volume to overwhelm physical links and network devices
     • Transport: connection state exhaustion
     • Application: simulate legitimate application interaction
  11. Who can be affected?
     • Network: any internet-facing system
     • Transport: both TCP and UDP can be affected by exhaustion attacks
     • Application: HTTP applications present unique and varied surface area
  12. Who can be affected?
     • Amazon Virtual Private Cloud (Amazon VPC): use security groups and network access control lists
     • EC2 instances: limit the surface area exposed and use Elastic IP addresses
     • Amazon Route 53 hosted zones: take advantage of specialized always-on DNS protection
     • AWS Global Accelerator: use multiple regions to minimize latency and maximize availability
     • Classic/Network/Application Load Balancers: build to easily scale up and scale out
     • Amazon API Gateway and Amazon CloudFront distributions: use AWS WAF to build custom rules or deploy partner rules
  14. Act, react, and create insight: network
     • Collect NetFlow aggregated logs from routers and switches
     • Collect vector/shaper aggregated logs from custom in-line scrubbing devices
     • Prioritizing effort: a lossy count of the highest contributing factors, which becomes more efficient with greater volume; special attention for resources identified as likely targets
     • Calculate population stability: profile network and transport attributes over time
     • Lockstep increase in UDP port 11211 volume + dramatic change in stability of source IP addresses => UDP flood
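The network heuristic on slide 14, as an added example that is not code from the talk or from AWS: a Misra-Gries lossy count over constructed flow records stands in for the "lossy count of highest contributing factors", and the fraction of current-window source IPs already seen in a baseline window is my own stand-in for the "population stability" measure; the two are combined into the UDP port 11211 rule the slide states. Record layout, thresholds and sample data are all assumptions.

```python
# Constructed flow records (src_ip, proto, dst_port, bytes); sample data, not AWS NetFlow.
BASELINE = [
    ("10.0.0.1", "tcp", 443, 1200), ("10.0.0.2", "tcp", 443, 900),
    ("10.0.0.3", "udp", 53, 300), ("10.0.0.4", "udp", 11211, 500),
    ("10.0.0.1", "tcp", 80, 700),
]
# Anomaly window: two familiar sources plus 40 never-seen sources all sending to UDP/11211.
ANOMALY = [("10.0.0.1", "tcp", 443, 1100), ("10.0.0.2", "tcp", 443, 950)] + [
    (f"198.51.100.{i}", "udp", 11211, 1400) for i in range(1, 41)
]

def lossy_top_k(flows, key, k=3):
    """Misra-Gries summary: at most k counters, so memory stays fixed however large the
    stream grows; any factor present in more than 1/(k+1) of the records survives."""
    counters = {}
    for flow in flows:
        item = key(flow)
        if item in counters:
            counters[item] += 1
        elif len(counters) < k:
            counters[item] = 1
        else:  # no free slot: decrement every counter and evict those that reach zero
            for tracked in list(counters):
                counters[tracked] -= 1
                if counters[tracked] == 0:
                    del counters[tracked]
    return counters

def source_stability(baseline, current):
    """Fraction of current-window source IPs already seen in the baseline (1.0 = stable)."""
    seen = {f[0] for f in baseline}
    now = {f[0] for f in current}
    return len(now & seen) / len(now) if now else 1.0

def port_bytes(flows, proto, port):
    return sum(f[3] for f in flows if f[1] == proto and f[2] == port)

def detect_udp_flood(baseline, current, port=11211, growth=3.0, min_stability=0.5):
    """Flag UDP_TRAFFIC only when port volume jumps AND the source population churns."""
    ratio = port_bytes(current, "udp", port) / (port_bytes(baseline, "udp", port) or 1)
    stability = source_stability(baseline, current)
    flagged = ratio >= growth and stability < min_stability
    return {"vector": "UDP_TRAFFIC" if flagged else None, "ratio": ratio,
            "stability": stability,
            "top_factors": lossy_top_k(current, lambda f: (f[1], f[2]))}

if __name__ == "__main__":
    print(detect_udp_flood(BASELINE, ANOMALY))
```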
  15. Act, react, and create insight: transport & service health
     • Track connection initialization
     • Monitor health metrics
     • Speculating on imperfect data: use available scrubbing capacity to act on suspicious events quickly, even before impact is observed; upgrade from lossy to complete data; correlate volume and impact
     • Dramatic increase in network SYN packets + connection errors => SYN flood
  16. Act, react, and create insight: application logs
     • Collect W3C logs from AWS WAF and/or CloudWatch Logs for CloudFront, Application Load Balancer, API Gateway
     • Model application traffic volumes by select HTTP headers, e.g. URI: home page -> login -> search -> cart -> payment -> thank you -> logout
     • Drastic change in the ratio of login page requests => login denial and/or credential attack
     • Profile top contributing attribute(s): take all the login requests yesterday and now (during the anomaly) and compute the difference
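The two-step application-log analysis on slide 16, as an added example that is not code from the talk or from AWS: first the share of login-page requests is compared against a baseline window, then, only for the login requests, the per-value share of each attribute is differenced between yesterday and now so the attribute that moved most is surfaced. The record fields, the constructed request data and the 3x threshold are assumptions.

```python
from collections import Counter

def req(uri, client_ip, user_agent, country):
    return {"uri": uri, "client_ip": client_ip, "user_agent": user_agent, "country": country}

# Constructed request records carrying the fields a WAF/ALB log would; sample data only.
YESTERDAY = [req(u, "203.0.113.5", "Mozilla/5.0", "US")
             for u in ("/", "/", "/search", "/cart", "/payment", "/thankyou", "/logout")]
YESTERDAY.append(req("/login", "203.0.113.7", "Mozilla/5.0", "DE"))
NOW = [req("/", "203.0.113.5", "Mozilla/5.0", "US"),
       req("/search", "203.0.113.9", "Mozilla/5.0", "US")] + [
       req("/login", f"198.51.100.{i}", "python-requests/2.22", "BR") for i in range(1, 9)]

def uri_ratio(reqs, uri):
    """Share of all requests in the window that hit the given URI."""
    return sum(1 for r in reqs if r["uri"] == uri) / len(reqs) if reqs else 0.0

def attribute_shift(base, cur, attr):
    """Change in share of each value of attr between base and cur, largest increase first."""
    pb, pc = Counter(r[attr] for r in base), Counter(r[attr] for r in cur)
    nb, nc = len(base) or 1, len(cur) or 1
    shift = {v: pc[v] / nc - pb[v] / nb for v in set(pb) | set(pc)}
    return sorted(shift.items(), key=lambda kv: -kv[1])

def detect_login_anomaly(base, cur, uri="/login", growth=3.0,
                         attrs=("user_agent", "country", "client_ip")):
    """Step 1: did the login share jump? Step 2: which attribute value explains the jump?"""
    before, now = uri_ratio(base, uri), uri_ratio(cur, uri)
    if now == 0 or (before and now / before < growth):
        return None
    logins_base = [r for r in base if r["uri"] == uri]
    logins_now = [r for r in cur if r["uri"] == uri]
    return {"ratio_before": before, "ratio_now": now,
            "top_factor": {a: attribute_shift(logins_base, logins_now, a)[0] for a in attrs}}

if __name__ == "__main__":
    print(detect_login_anomaly(YESTERDAY, NOW))
```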
  17. Act, react, and create insight: always-on actions
     • Network, transport, and protocol protection for Route 53 and CloudFront
     • Automatic reactive measures for the most common network and transport attacks on EC2, Network LB, and Global Accelerator
     • Notification suggesting a particular reaction: HTTP floods against CloudFront, Application Load Balancer, and API Gateway suggest a web log deep dive
     • Notification suggesting intervention: as a last resort, use the event to begin expert intervention
  19. Accessing reports and insights
     • AWS Management Console and API: Shield Advanced, AWS WAF, CloudWatch
     • Global Threat Environment Dashboard: daily to biweekly views
     • Quarterly Security Report: metrics on the whole AWS ecosystem
  20. AWS Shield Advanced Quarterly Security Report. “Dear John, Thank you for being a customer of AWS Shield Advanced. This quarterly report provides an overview of the global DDoS threat environment, significant events that we have observed, and recommendations that you may want to consider to improve your configuration and architecture to help prevent and mitigate DDoS threats.” Sections: Automatic DDoS Protection; Threat Environment Summary and Analysis; New Features and Capabilities; Conclusion & Recommendations.
  21. AWS Shield Global Threat Environment
  22. AWS Shield Global Threat Environment
  23. AWS Shield Global Threat Environment
  24. AWS Shield console summary
  25. AWS Shield API

     ```
     $ aws shield list-attacks
     {
       "NextToken": "xxx=",
       "AttackSummaries": [
         {
           "EndTime": 1534529765.0,
           "ResourceArn": "arn:aws:ec2:us-west-2:671090893150:eip-allocation/eipalloc-9a7556a6",
           "AttackId": "c04ab40d-a8e4-47c8-a132-ccccff3a22dd",
           "AttackVectors": [ { "VectorType": "UDP_TRAFFIC" } ],
           "StartTime": 1534529460.0
         },
         ...
       ]
     }
     $ aws shield describe-attack --attack-id c04ab40d-a8e4-47c8-a132-ccccff3a22dd
     {
       "Attack": {
         "Mitigations": ["us-west-2_20180817181136833_3925"],
         "ResourceArn": "arn:aws:ec2:us-west-2:671090893150:eip-allocation/eipalloc-9a7556a6",
         "AttackId": "c04ab40d-a8e4-47c8-a132-ccccff3a22dd",
         "SubResources": [
           {
             "Type": "IP",
             "Id": "1.2.3.4",
             "AttackVectors": [
               {
                 "VectorCounters": [
                   { "Name": "NA", "Max": 5000000000.0, "Average": 5000000000.0, "N": 5, "Sum": 25000000000.0, "Unit": "BPS" }
                 ],
                 "VectorType": "UDP_TRAFFIC"
               }
             ]
           }
         ],
         "StartTime": 1534529460.0,
         "EndTime": 1534529765.0
       }
     }
     ```

  26. AWS Shield console
  27. AWS Shield console
  28. AWS WAF console
  29. Accessing reports and insights
     • Amazon CloudWatch alarms and Amazon Simple Notification Service (Amazon SNS): automate response such as auto scaling, or email, chat, text, page, or phone your personnel
     • Collect logs proactively: push into Amazon Simple Storage Service (Amazon S3), query with Amazon Athena; send to the DRT during an event; at least save them for a rainy day
     • Contact the DRT: review your posture, plan response, practice / game day
  30. AWS CloudWatch metrics
  31. AWS CloudWatch dashboards
  33. Planning for DDoS response: shared responsibility, we’re in this together. What can you do to be prepared?
     • Architect with security and availability in mind from the beginning
     • Architect for scale: use auto scaling resources to scale up instance sizes and scale out quantity; automate to scale static resources; and document intervention plans
     • Automate notification and response
     • Proactively collect full or sampled web logs
     • Pre-calculate profiles to compare against anomalies
     • Enable DRT access for assistance
  34. AWS WAF console
  35. AWS WAF API

     ```
     $ aws waf list-web-acls
     {
       "WebACLs": [
         { "WebACLId": "4881aa42-de4a-4b6d-9792-63fc34a72946", "Name": "gokuHealthCheck" },
         ...
       ]
     }
     $ aws waf list-rules
     {
       "Rules": [
         { "Name": "blockHealthyUri", "RuleId": "fec390cb-95f3-40cc-9549-5e85f1894f7f" },
         ...
       ]
     }
     $ aws waf get-sampled-requests --web-acl-id 4881aa42-de4a-4b6d-9792-63fc34a72946 \
         --rule-id fec390cb-95f3-40cc-9549-5e85f1894f7f \
         --time-window StartTime=2019-06-24T14:30,EndTime=2019-06-24T14:40 --max-items 10
     {
       "TimeWindow": { "EndTime": 1561402967.702, "StartTime": 1561402800.0 },
       "SampledRequests": [
         {
           "Action": "BLOCK",
           "Timestamp": 1561402929.913,
           "Request": {
             "Country": "BR",
             "URI": "/block.txt",
             "Headers": [
               { "Name": "Host", "Value": "nrt20.health.kurir.in" },
               { "Name": "User-Agent", "Value": "Amazon-Route53-Health-Check-Service (ref 622c4bdb-7a31-45ef-afbb-bd1d67696611; report http://amzn.to/1vsZADi)" },
               { "Name": "Accept", "Value": "*/*" },
               { "Name": "Accept-Encoding", "Value": "*" }
             ],
             "ClientIP": "54.232.40.97",
             "Method": "GET",
             "HTTPVersion": "HTTP/1.1"
           },
           "Weight": 3
         },
         ...
       ]
     }
     ```

  36. AWS WAF console
  37. AWS CloudWatch alarms
  38. AWS CloudWatch alarms
  39. AWS Shield engagement: if all else fails, call for help
     • Via Cloud Support to the DDoS response team
     • Via AWS IoT Button! https://s3.amazonaws.com/aws-shield-lambda/ShieldEngagementLambda.pdf
  40. Remember to store metrics and logs
     • Amazon VPC & Global Accelerator: flow logs
     • EC2 instances: status checks, enable detailed monitoring, host logs
     • Route 53 hosted zones: query logging via CloudWatch
     • Classic/Network/Application Load Balancers: access logs via S3/Athena
     • Application Load Balancers & API Gateways & CloudFront distributions: access or platform-specific logs via AWS WAF or direct
  41. Thank you! John Krah, johnkrah@amazon.com
