1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shawn Marck, AWS Perimeter Protection
March, 2019
DDoS Response Team (DRT)
Engagement, Advanced Countermeasures
and Capabilities

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What does the DRT do?
• Own and execute DDoS mitigation runbook for supporting
Amazon properties, AWS Services and AWS Shield Advanced
Customers.
• Build automation which reduce or time to respond.
• Create tools to aid in swift mitigation of attacks.
• Provide training to AWS Support and technical field
community to share best practices and domain expertise on
DDoS mitigation in AWS.

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Engagement

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of Engagement
• DDoS Architecture Review
• Operational Readiness Inquiry (Prior to IEM)
• Custom mitigation templates for EIPs
(EC2/NLBs)
Pre-emptive
Engagements
• Automatically engaged for availability
impacting L3/L4 events against AWS
infrastructure or impacting to AWS Services
• Customer driven support cases through AWS
Support or AWS Shield Engagement Lambda
• Manual traffic engineering and assessment of
traffic patterns
24x7 Incident
Response

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to engage the DRT?
• Open an AWS Support case
• serviceCode = ‘distributed-denial-of-service’
• severityCode = ‘urgent’ or ‘critical’ depending on Support level

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to engage the DRT?
• Open an AWS Support case
• serviceCode = ‘distributed-denial-of-service’
• severityCode = ‘urgent’ or ‘critical’ depending on Support level
A better way…

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to engage the DRT?
• Open an AWS Support case
• serviceCode = ‘distributed-denial-of-service’
• severityCode = ‘urgent’ or ‘critical’ depending on Support level
A better way…
• Use ShieldEngagementLambda.js
• Opens AWS Support case for you.
• Pages Primary DRT on call operator into your case.
• Bypasses AWS Support escalation SLA

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ShieldEngagementLambda.js
// ShieldEngagementLambda.js
// Source https://s3.amazonaws.com/aws-shield-lambda/ShieldEngagementLambda.js
// User configurable options
var config = {
// Change this to "critical" if you are subscribed to Enterprise Support
severity: 'urgent',
// Change this to 'advanced' if you are subscribed to AWS Shield Advanced
shield: 'standard',
// Change this to 'off' after testing
test: 'on',
// Modify subject and message if not subscribed to AWS Shield Advanced
// Change subject and message to the path of a .txt file that you created in S3
standardSubject: 'http://s3.amazonaws.com/aws-shield-lambda/EngagementSubject.txt',
standardMessage: 'http://s3.amazonaws.com/aws-shield-lambda/EngagementBody.txt'
}

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect?
• Is the right resource on the call?
• Have someone who understands the application and understands
the architecture.
• Am I prepared to make Changes?
• Expect that some countermeasures will be more effective when
coupled with scaling techniques and sometimes additional state or
request handling layers such as CloudFront or Load Balancers.
• What is my applications health?
• Be prepared to check key health metrics for your application.

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced Countermeasures

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced Countermeasures
BGP traffic engineering
Custom BlackWatch mitigations
•Pattern matching, Geo-shaping, NACLs
AWS WAF Rules
•Log Parsing to map a botnet
•DRT Managed WAF rules (A list of high severity bot IP addresses generated from retail)
Architecture GAP analysis

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Example: Pattern Matching
iptables -m u32 --u32 "16=0xE0000001"
The u32 module matches arbitrary byte patterns
iptables -m length --length 256:65535
The iptables length module matches packet size
Stateless filtering is powerful because AWS Shield can scale it
• Be familiar with your packet format on the wire
Implement restrictive always-on filtering using iptables
• Ensures that filtering is safe and helps you survive the first few minutes of an attack

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
https://aws.amazon.com/shield/