
(SEC306) Defending Against DDoS Attacks

"In this session, we will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:

- DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
- What AWS does to protect our services from these attacks.
- How this all relates to the AWS Shared Responsibility Model."

Published in: Technology

  1. SEC306 Defending Against DDoS Attacks. Andrew Kiggins, AWS SDM; Jeffrey Lyon, AWS Operations Manager. October 2015. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Goals
  3. Useful background
  4. Common attacks
  5. Criminals extort businesses via DDoS attacks. DDoS attacks are getting much more powerful. Mega-attacks are on the rise. The new normal: 200 – 400 Gbps DDoS attacks.
  9. Average size of a DDoS attack: 1.04 Gbps. Average duration of > 10 Gbps attacks: 39 minutes. DDoS attacks that target network and service infrastructure: 85%. Source: Arbor Networks.
  10. Types of DDoS attacks
  11. Types of DDoS attacks – Volumetric DDoS attacks: congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
  12. Types of DDoS attacks – State-exhaustion DDoS attacks: a type of protocol abuse that stresses systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
  13. Types of DDoS attacks – Application-layer DDoS attacks: less frequently, an attacker will use well-formed connections to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
  14. DDoS attack trends: 65% volumetric, 20% state exhaustion, 15% application layer. SSDP reflection attacks are very common; reflection attacks have clear signatures, but can consume available bandwidth. Other common volumetric attacks: NTP reflection, DNS reflection, Chargen reflection, SNMP reflection. SYN floods can look like real connection attempts, and on average they're larger in volume; they can prevent real users from establishing connections. DNS query floods are real DNS requests; they can also go on for hours and exhaust the available resources of the DNS server. Other common application layer attacks: HTTP GET flood, Slowloris.
  20. Volumetric: UDP amplification
  21. Volumetric amplification factors (source: US-CERT):
      - SSDP: factor 30.8; common cause: uPnP services exposed to Internet
      - NTP: factor 556.9; common cause: time servers with monlist enabled
      - DNS: factor 28 - 54; common cause: open resolvers
      - Chargen: factor 358.8; common cause: enabled Chargen service
      - SNMP: factor 6.3; common cause: open SNMP services
  22. DDoS attacks with multiple vectors: 85% single vector, 15% multi-vector.
  23. Attackers are persistent. Vectors seen in turn: UDP/161 – SNMP amplification; UDP fragments; UDP/1900 – SSDP reflection; UDP/1900 – SSDP reflection again; UDP/123 – NTP reflection. 6 hours.
  30. Mitigations
  31. AWS Shared Responsibility Model
  32. Before DDoS mitigation (diagram: DDoS attack and users, conventional data center)
  33. Conventional DDoS mitigation services (diagram: DDoS attack and users, DDoS mitigation service, conventional data center)
  34. Resilient by design (diagram build, labels: IP, ICMP, TCP, UDP, not, DNS; Elastic Load Balancing, Amazon CloudFront, Amazon Route 53)
  39. DDoS mitigation for AWS infrastructure (diagram labels: virtual private cloud, AWS global infrastructure, DDoS attack, users, AWS DDoS mitigation, CloudFront, Route 53)
  40. Basic hygiene. Examples: IP – checksum; TCP – valid flags; UDP – payload length; DNS – request validation.
  41. Packet prioritization
  43. Priority-based traffic shaping
  44. Mitigation: Detection and traffic engineering
  45. Target identification in shared space: each IP set has a unique combination; allows target identification; enables new options for mitigation (diagram build: edge locations, users, DDoS attack, distributions)
  49. Traffic engineering (diagram build: DDoS attack; mitigate, isolate, vacate, disperse)
  55. Architecture
  56. Architecting on AWS for DDoS resiliency
  57. Architecture: Volumetric
  58. Why does this matter?
  59. CloudFront – DNS reflection: simultaneous DNS reflection and UDP flood; automatically discarded by CloudFront; no impact on CloudFront or CloudFront customers.
  61. Common vector – SSDP: srcPort = 1900, payload = HTTP/1.1…
  62. Common vector – NTP: srcPort = 123, payload = MON_GETLIST
  63. Common vector – DNS reflection: srcPort = 53, DNS response, larger payload
  64. Other vectors – RIPv1, Chargen, SNMP: UDP based; reflection; amplification; unusual sources; abnormal payload.
  65. ELB Scaling (diagram: users, ELB in a DMZ public subnet, front-end server instances in a private subnet, each behind a security group)
  66. Route 53 health checks on ELB instances (diagram build: users, Route 53, ELB, ELB instances, security group; the final builds add a DDoS source)
  73. Minimize the attack surface. Amazon Virtual Private Cloud (VPC): allows you to define a virtual network in your own logically isolated area on AWS; allows you to hide instances from the Internet using security groups and network access control lists (NACLs).
  74. Security in your VPC
      - Security groups: operate at the instance level (first layer of defense); support allow rules only; stateful, return traffic is automatically allowed; all rules are evaluated before deciding whether to allow traffic.
      - Network ACLs: operate at the subnet level (second layer of defense); support allow and deny rules; stateless, return traffic must be explicitly allowed; rules are processed in order.
  75. Reference VPC (diagram build): DMZ public subnet with ELB, SSH bastion and NAT, each in its own security group; front-end private subnet with Amazon EC2 web app servers; back-end private subnet with MySQL db. Flows labelled: users → ELB TCP 80/443; ELB → web app server TCP 8080; web app server → MySQL db TCP 3306; admin → SSH bastion TCP 22; NAT → Internet, outbound TCP.
  79. Reference security groups
  81. Reference network ACL
  82. Be ready to scale and absorb. Route 53: highly available, scalable DNS service; uses anycast routing for low latency. CloudFront: improves performance by caching content and optimizing connections; disperses traffic across global edge locations; DDoS attacks are absorbed close to the source.
  84. Be ready to scale and absorb. Elastic Load Balancing: fault tolerance for applications; automatic scaling; multiple Availability Zones.
  85. AWS global presence and redundancy (diagram build, labels: Internet Connection A, B, C; CloudFront – valid object request, invalid protocol, invalid object request; ELB – TCP, UDP; Route A, B, C to users; ELB instances in multiple Availability Zones behind ELB)
  91. Route 53 anycast routing (diagram build: "How do I get to example.com?" answered "This way!" by many name servers serving .com, .net, .org and .co.uk)
  96. Architecture: State exhaustion
  97. Why does this matter?
  98. Common vector – SYN flood: flags = SYN; cookie returned
  99. SYN proxy and SYN cookies (diagram build)
  103. Using custom proxies (diagram: DDoS and users reach NGINX in a DMZ public subnet, in front of front-end server instances in a private subnet, each behind a security group)
  104. Architecture: Application layer
  105. Looks can be deceiving
  106. Route 53: DNS query flood targeting 34 of our edge locations; peak volume was in top 4% of all DDoS attacks; automatically detected and mitigated with no impact to availability.
  108. Safeguard exposed resources
  109. Resilient architecture (diagram build): users and a DDoS source reach a CloudFront edge location, then an ELB in the DMZ public subnet, then a WAF/proxy private subnet (WAF under Auto Scaling), a second ELB, and the front-end servers private subnet (web app servers under Auto Scaling); each tier sits behind its own security group.
  116. Under attack?
  117. Help with architecture and mitigation
      - Resources: account manager, solutions architect; whitepaper: AWS Best Practices for DDoS Resiliency; AWS Security Blog
      - AWS Support: Business – technical assistance by phone, chat, or email; Enterprise – fastest response time, dedicated technical account manager (TAM)
  118. Information to provide AWS Support: instances (IPs help!), distributions, zones under attack; location; time; vector; sources; intel
  119. AWS Security Center. To learn more, visit https://aws.amazon.com/security.
  120. Thank you!
  121. Remember to submit your evaluations by using the re:Invent app! https://reinvent.awsevents.com/mobile/
  122. Related sessions: SEC323: Securing Web Applications with AWS WAF; Friday, 9:00–10:00 A.M.
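The "Common vector" slides (SSDP replies from source port 1900 carrying an HTTP/1.1 payload, NTP from 123, oversized DNS responses from 53) and the "Attackers are persistent" sequence (SNMP, UDP fragments, SSDP, NTP) describe reflection traffic by its source port, payload and unsolicited origin. The following is an added example, not code from the deck or from AWS: it tags constructed NetFlow-like records with those vectors and totals the bytes per vector, so the biggest contributor can be filtered first. The peer list, addresses, flow records and the 512-byte DNS threshold are all constructed.

```python
from collections import defaultdict

# Reflector source port -> vector name, as listed on the amplification-factor slide.
VECTORS = {1900: "SSDP", 123: "NTP", 53: "DNS", 19: "Chargen", 161: "SNMP"}
# Constructed: peers our instances legitimately query (resolver, NTP server) and the port used.
KNOWN_PEERS = {"10.0.0.2": 53, "192.0.2.10": 123}
# Constructed NetFlow-like records: (src_ip, src_port, dst_port, bytes, first payload bytes).
FLOWS = [
    ("10.0.0.2",       53, 51234,  120, b"\x12\x34\x81\x80"),  # answer from our own resolver
    ("198.51.100.9", 1900,    80, 3100, b"HTTP/1.1 200 OK"),   # SSDP reflection
    ("203.0.113.5",   123,    80, 4800, b"\xd7\x00\x03\x2a"),  # constructed NTP mode-7 reply
    ("203.0.113.6",    53,    80, 3500, b"\x00\x00\x84\x00"),  # big DNS answer we never asked for
    ("198.51.100.77",   0,     0, 1400, b""),                  # UDP fragment: ports not present
    ("192.0.2.10",    123,   123,   76, b"\x1c\x02\x00\xe9"),  # reply from our NTP peer
]

def classify(src_ip, src_port, dst_port, nbytes, payload):
    """Label one inbound UDP flow with a vector from the deck, or None if it looks legitimate."""
    if src_port == 0 and dst_port == 0:
        return "UDP fragment"             # non-first fragments carry no UDP header
    if src_port not in VECTORS:
        return None
    if KNOWN_PEERS.get(src_ip) == src_port:
        return None                       # a reply to a request we actually sent
    name = VECTORS[src_port]
    if src_port == 1900 and payload.startswith(b"HTTP/1.1"):
        return f"{name} reflection (HTTP/1.1 payload)"
    if src_port == 53 and nbytes > 512:   # constructed threshold: classic UDP DNS limit
        return f"{name} reflection (oversized response)"
    return f"{name} reflection"

def summarize(flows):
    """Bytes per label, so the largest contributor can be filtered first."""
    totals = defaultdict(int)
    for src_ip, sport, dport, nbytes, payload in flows:
        totals[classify(src_ip, sport, dport, nbytes, payload) or "legitimate"] += nbytes
    return dict(totals)

def reflector_share(flows):
    """Fraction of inbound bytes attributed to reflection or fragment flows."""
    totals = summarize(flows)
    total = sum(totals.values())
    return 1 - totals.get("legitimate", 0) / total if total else 0.0

if __name__ == "__main__":
    for label, nbytes in sorted(summarize(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{nbytes:>6} B  {label}")
```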
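The "Security in your VPC" slide contrasts security groups (instance level, allow only, stateful, every rule evaluated) with network ACLs (subnet level, allow and deny, stateless, processed in order), and the reference VPC admits TCP 8080 to the front-end only from the ELB. This added example, not code from the deck or from AWS, is a small model of both layers that makes those differences observable: the reply to an admitted request passes the security group with no outbound rule, but is dropped by an ACL that lacks an explicit ephemeral-port rule. Addresses and rule numbers are constructed.

```python
import ipaddress

def _match(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class SecurityGroup:
    """Instance level: allow rules only, all rules evaluated, stateful."""
    def __init__(self, inbound):
        self.inbound = inbound        # [(source_cidr, dst_port)]
        self.tracked = set()          # flows admitted inbound
    def inbound_ok(self, src, sport, dst, dport):
        # Any matching allow rule admits the packet; there is no way to express a deny.
        if any(_match(cidr, src) and port == dport for cidr, port in self.inbound):
            self.tracked.add((src, sport, dst, dport))
            return True
        return False
    def reply_ok(self, src, sport, dst, dport):
        # Return traffic for a tracked flow passes without any outbound rule.
        return (dst, dport, src, sport) in self.tracked

class NetworkAcl:
    """Subnet level: allow and deny rules, first match in rule-number order, stateless."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)
    @staticmethod
    def _eval(rules, ip, port):
        for _num, cidr, lo, hi, action in rules:   # (number, cidr, port_lo, port_hi, action)
            if _match(cidr, ip) and lo <= port <= hi:
                return action == "allow"
        return False                  # the implicit final '*' rule denies
    def inbound_ok(self, src, dport):
        return self._eval(self.inbound, src, dport)
    def reply_ok(self, dst, dport):
        return self._eval(self.outbound, dst, dport)

# Constructed addresses: ELB nodes live in 10.0.0.0/24; the front-end server is 10.0.1.10.
FRONTEND_SG = SecurityGroup(inbound=[("10.0.0.0/24", 8080)])
FRONTEND_ACL = NetworkAcl(
    inbound=[(90, "203.0.113.0/24", 0, 65535, "deny"),       # a deny the SG cannot express
             (100, "10.0.0.0/24", 8080, 8080, "allow")],
    outbound=[(100, "10.0.0.0/24", 1024, 65535, "allow")])   # replies to ELB ephemeral ports
STATELESS_ONLY_ACL = NetworkAcl(inbound=FRONTEND_ACL.inbound, outbound=[])  # reply rule missing

def admit_request(sg, acl, src, sport, dst, dport):
    """Inbound: the subnet ACL is checked first, then the instance's security group."""
    return acl.inbound_ok(src, dport) and sg.inbound_ok(src, sport, dst, dport)

def admit_reply(sg, acl, src, sport, dst, dport):
    """Outbound reply: the SG passes it statefully; the ACL needs an explicit outbound rule."""
    return sg.reply_ok(src, sport, dst, dport) and acl.reply_ok(dst, dport)
```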
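The "Common vector – SYN flood" and "SYN proxy and SYN cookies" slides show the state-exhaustion defence: a listener that returns a cookie instead of allocating a half-open connection per SYN. This added example, not code from the deck or from AWS, implements the classic cookie layout (5 bits of time counter, 3 bits of MSS class, 24 bits of keyed MAC over the 4-tuple and client ISN) and the check on the handshake-completing ACK, including expiry of stale cookies. The secret, tick size, MSS table and acceptance window are constructed choices.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"     # constructed; a real listener rotates this
MSS_TABLE = (536, 1220, 1440, 1460)     # 3 cookie bits select an MSS class
TICK = 64                               # seconds per counter tick
MAX_AGE_TICKS = 1                       # accept the current and the previous tick only

def _mac(src, sport, dst, dport, client_isn, tick):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the time tick."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5 bits of tick, 3 bits of MSS index, 24 bits of MAC.
    Nothing is stored per SYN, so a flood cannot exhaust a half-open table."""
    tick = now // TICK
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, client_isn, tick)

def check_cookie(src, sport, dst, dport, client_seq, ack, now):
    """Validate the final ACK. Returns the MSS to use, or None if the cookie is bogus or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF             # our ISN comes back as ack - 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF  # the client's seq in the ACK is its ISN + 1
    tick5, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(MAX_AGE_TICKS + 1):
        tick = now // TICK - age
        if tick & 0x1F == tick5:                # recover the full tick from its low 5 bits
            expected = _mac(src, sport, dst, dport, client_isn, tick)
            ok = hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big"))
            return MSS_TABLE[mss_idx] if ok else None
    return None                                 # no recent tick matches: cookie expired

if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.10", 443, 1000, 1460, 100000)
    print(check_cookie("198.51.100.7", 40000, "203.0.113.10", 443, 1001, isn + 1, 100010))
```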
