
DDoS Response Team - Engagement, Advanced Countermeasures and Capabilities

The AWS DDoS Response Team (DRT) is responsible for automating thousands of mitigation actions every day; however, sometimes customers require direct action or assistance. In this session, you will learn how to engage the DRT as well as some of the advanced capabilities of the DRT. You will also get a look into some of the advanced use cases and countermeasures the DRT can deploy to protect customers on AWS.


  1. Shawn Marck, AWS Perimeter Protection, March 2019. DDoS Response Team (DRT): Engagement, Advanced Countermeasures and Capabilities. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What does the DRT do?
     • Own and execute the DDoS mitigation runbook for supporting Amazon properties, AWS Services and AWS Shield Advanced customers.
     • Build automation which reduces our time to respond.
     • Create tools to aid in swift mitigation of attacks.
     • Provide training to AWS Support and the technical field community to share best practices and domain expertise on DDoS mitigation in AWS.
  3. Engagement
  4. Types of Engagement
     Pre-emptive Engagements
     • DDoS Architecture Review
     • Operational Readiness Inquiry (prior to IEM)
     • Custom mitigation templates for EIPs (EC2/NLBs)
     24x7 Incident Response
     • Automatically engaged for availability-impacting L3/L4 events against AWS infrastructure or impacting AWS Services
     • Customer-driven support cases through AWS Support or the AWS Shield Engagement Lambda
     • Manual traffic engineering and assessment of traffic patterns
  5. How to engage the DRT? (slides 5 to 7 build up this content)
     • Open an AWS Support case
       • serviceCode = 'distributed-denial-of-service'
       • severityCode = 'urgent' or 'critical' depending on Support level
     A better way…
     • Use ShieldEngagementLambda.js
       • Opens the AWS Support case for you.
       • Pages the primary DRT on-call operator into your case.
       • Bypasses the AWS Support escalation SLA
  8. ShieldEngagementLambda.js

         // ShieldEngagementLambda.js
         // Source https://s3.amazonaws.com/aws-shield-lambda/ShieldEngagementLambda.js
         // User configurable options
         var config = {
           // Change this to "critical" if you are subscribed to Enterprise Support
           severity: 'urgent',
           // Change this to 'advanced' if you are subscribed to AWS Shield Advanced
           shield: 'standard',
           // Change this to 'off' after testing
           test: 'on',
           // Modify subject and message if not subscribed to AWS Shield Advanced
           // Change subject and message to the path of a .txt file that you created in S3
           standardSubject: 'http://s3.amazonaws.com/aws-shield-lambda/EngagementSubject.txt',
           standardMessage: 'http://s3.amazonaws.com/aws-shield-lambda/EngagementBody.txt'
         };
  9. What to expect?
     • Is the right resource on the call?
       • Have someone who understands the application and understands the architecture.
     • Am I prepared to make changes?
       • Expect that some countermeasures will be more effective when coupled with scaling techniques and sometimes additional state or request-handling layers such as CloudFront or Load Balancers.
     • What is my application's health?
       • Be prepared to check key health metrics for your application.
  10. Advanced Countermeasures
  11. Advanced Countermeasures
     • BGP traffic engineering
     • Custom BlackWatch mitigations
       • Pattern matching, geo-shaping, NACLs
     • AWS WAF rules
       • Log parsing to map a botnet
       • DRT-managed WAF rules (a list of high-severity bot IP addresses generated from retail)
     • Architecture gap analysis
  12. Example: Pattern Matching
     • iptables -m u32 --u32 "16=0xE0000001"
       The u32 module matches arbitrary byte patterns
     • iptables -m length --length 256:65535
       The iptables length module matches packet size
     • Stateless filtering is powerful because AWS Shield can scale it
       • Be familiar with your packet format on the wire
     • Implement restrictive always-on filtering using iptables
       • Ensures that filtering is safe and helps you survive the first few minutes of an attack
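To make the stateless matches on slide 12 concrete, here is an added evaluator (not from the slides or from AWS) that applies a u32 expression such as "16=0xE0000001" or a length range to a constructed IPv4 packet, so a defender can check what a candidate rule would and would not match before deploying it. It assumes only the "offset=value" and "offset&mask=value" u32 forms and uses a constructed 20-byte header with no options.

```javascript
// Added example: evaluate iptables-style u32 and length matches against a raw packet.
// Supports only "off=val" and "off&mask=val" u32 expressions (hypothetical subset).

// Read a 32-bit big-endian word at a byte offset; null if the packet is too short,
// which is also how the real u32 module behaves (a short packet does not match).
function readU32(pkt, off) {
  if (off + 4 > pkt.length) return null;
  return ((pkt[off] << 24) >>> 0) + (pkt[off + 1] << 16) + (pkt[off + 2] << 8) + pkt[off + 3];
}

// Evaluate a u32 expression, e.g. "16=0xE0000001" (IPv4 destination == 224.0.0.1)
// or "16&0xF0000000=0xE0000000" (destination is any multicast address).
function u32Match(pkt, expr) {
  const m = /^(\d+)(?:&(0x[0-9a-f]+))?=(0x[0-9a-f]+)$/i.exec(expr.trim());
  if (!m) throw new Error(`unsupported u32 expression: ${expr}`);
  const word = readU32(pkt, Number(m[1]));
  if (word === null) return false;
  const mask = m[2] ? Number(m[2]) >>> 0 : 0xffffffff;
  return ((word & mask) >>> 0) === (Number(m[3]) >>> 0);
}

// Evaluate an iptables length match "min:max" (inclusive bounds, as the module uses).
function lengthMatch(pkt, range) {
  const [min, max] = range.split(':').map(Number);
  return pkt.length >= min && pkt.length <= max;
}

// Constructed sample: minimal IPv4 header, src 10.0.0.5, dst as given (default 224.0.0.1),
// protocol UDP, followed by payloadLen zero bytes. Offset 16 is the destination address.
function samplePacket(dst = [224, 0, 0, 1], payloadLen = 0) {
  const total = 20 + payloadLen;
  const hdr = [0x45, 0x00, total >> 8, total & 0xff, 0, 0, 0x40, 0, 64, 17, 0, 0,
               10, 0, 0, 5, ...dst];
  return Uint8Array.from([...hdr, ...new Array(payloadLen).fill(0)]);
}

// Usage: the rule from the slide matches the multicast packet but not a unicast one.
console.log(u32Match(samplePacket(), '16=0xE0000001'));            // true
console.log(u32Match(samplePacket([10, 1, 2, 3]), '16=0xE0000001')); // false
console.log(lengthMatch(samplePacket([224, 0, 0, 1], 300), '256:65535')); // true
```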
  13. Q&A
  14. Thank you! https://aws.amazon.com/shield/
