
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AWS re:Invent 2014


In this session, we'll give an overview of Distributed Denial of Service (DDoS) and discuss techniques using AWS and security solutions from AWS Marketplace to help build services that are resilient in the face of DDoS attacks. We'll discuss anti-DDoS features available in AWS, such as Route 53's anycast routing, Auto Scaling for EC2, and CloudWatch alarms, and how these features can be used jointly to help protect your services. You'll also hear from CrownPeak, an AWS Technology Partner, on how it used the techniques discussed in the presentation to help mitigate an actual DDoS attack.


  1. •Infrastructure attacks (Layer 3 / 4)
     –Average attack size is 900 Mbps (50% under 500 Mbps)
     –78% of attacks are infrastructure (simple to launch)
     •Application attacks (Layer 7)
     –22% of all attacks target ports 80 & 443 (more complex)
     •Multi-vector – different attack types simultaneously
     •Amplification (NTP, SSDP, DNS, Chargen, SNMP)
     •Hit-and-run DDoS (91% < 1 hour) and smokescreens (16-18%)
  2. (Image-only slide; no recoverable text)
  3. (Graphic: a stream of repeated HTTP "GET" requests)
  4. (Architecture diagram) Users reach the web app servers from the internet through an ELB (TCP 80/443); web app servers sit in a frontend private subnet (TCP 8080); the MySQL db sits in a backend private subnet (TCP 1433, 3306); the DMZ public subnet holds an ssh bastion (TCP 22) and a NAT (outbound TCP); each tier has its own security group; admin access goes via the bastion.
  5. (Diagram) Users, and the DDoS traffic mixed in with them, are directed by Amazon Route 53 to a CloudFront edge location before reaching the ELB (security group, DMZ public subnet) and the web app / frontend server (security group, private subnet).
  6. (Same diagram as slide 5)
  7. (Diagram) Users in Country A, Country B and Country C reach CloudFront over Internet Connection A, B and C (Route A, B and C); request types are labelled as valid object request, invalid object request and invalid protocol.
  8. (Diagram) Auto Scaling groups for a WAF master and WAF worker tier (1:1, each with its own security group), an admin tier, and the web application, with ELBs between the tiers; management / monitoring; custom profile configuration held in Amazon S3; web traffic is separated from unauthorized web traffic at the WAF tier.
  9. (Diagram) Users and DDoS traffic arrive at a CloudFront edge location, then the ELB (security group, DMZ public subnet), then the web app / frontend server (security group, private subnet).
  10. (Same diagram as slide 9)
  11. (Diagram) As slide 9, with an added WAF / proxy tier: CloudFront edge location, then the ELB (security group, DMZ public subnet), then an auto-scaled WAF / proxy private subnet behind its own ELB and security group, then the auto-scaled frontend servers (web app server) in a private subnet.
  12. Incident timeline
      10:34 am PDT First indications of impaired response from monitors. Traffic ramps dramatically.
      12:30 pm PDT Attack initially targets IP addresses of A record. Switch to Route53 CNAME as cutout eliminates traffic.
      6:24 pm PDT Attack resumes (targeting CNAME this time). Traffic ramps dramatically.
      9:30 pm PDT Traffic analysis suggests opportunity to mitigate attack by revising configuration. We also decide to disable auto-scaling to preserve data for FBI forensic analysis.
  13. Incident timeline (continued)
      10:34 am PDT First indications of impaired response from monitors. Traffic ramps dramatically.
      12:30 pm PDT Attack initially targets IP addresses of A record. Switch to Route53 CNAME as cutout eliminates traffic.
      6:24 pm PDT Attack resumes (targeting CNAME this time). Traffic ramps dramatically.
      9:30 pm PDT Traffic analysis suggests opportunity to mitigate attack by revising configuration. We also decide to disable auto-scaling to preserve data for FBI forensic analysis.
      1:00 am PDT Revised configuration in place. The arms race begins …
      7:17 pm PDT Peak capacity deployed: 17 c3.8xlarge HA proxies, 34 m3.large web servers. Bad guys run out of gas … traffic plateaus. 1-3 second response times.
      2:15 am PDT Bad guys give up. Attack stops … Hah!
  14. (Chart: per-instance metric over time; annotations: "First attack: IP specific", "Second attack: arms race", "Sigh of relief …")
  15. Customer CIO: “Team - I have been sitting here in my hotel room thinking about what this team has been able to accomplish over the past 2 days and it has been amazing. Not really my style to think we are out of the woods yet... but the level of effort and coordination has been world class. To the CrownPeak/AWS team... Thank you for all of your efforts to assist our organization. You should know that it has been greatly appreciated at all levels.”
  16. 16. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
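The first slide sorts DDoS traffic into infrastructure (layer 3/4), application (layer 7) and amplification attacks, and the abstract points at CloudWatch alarms and Auto Scaling as the response. The script below is an added example, not code from the session, CrownPeak or AWS: it parses constructed VPC Flow Log lines (default version 2 format) and tags each source address with the categories from slide 1, so that per-source counts of this kind could feed an alarm or a scaling decision. The thresholds, account id, ENI id and the sample records are all assumptions made up for the example; the amplification port list is the one named on slide 1.

```python
"""Added example (not from the session or CrownPeak): sort constructed VPC Flow
Log records into the DDoS categories from slide 1, infrastructure (layer 3/4),
application (layer 7) and amplification, so that per-source counts can drive
the kind of CloudWatch alarm or Auto Scaling decision the session describes."""
from collections import defaultdict

# Reflection vectors named on slide 1, keyed by the UDP service port the
# reflected traffic arrives FROM (the attacker spoofs the victim's address in
# the request, so the reply's source port is the abused service).
AMPLIFICATION_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 19: "Chargen", 161: "SNMP"}
WEB_PORTS = {80, 443}
PROTO_TCP, PROTO_UDP = 6, 17

# Thresholds are assumptions chosen for the sample data; tune from a real baseline.
FLOWS_PER_SOURCE_L7 = 50            # accepted TCP flows to 80/443 from one source
BYTES_PER_SOURCE_L34 = 50_000_000   # bytes of non-web traffic from one source

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(line):
    """Parse one version-2 VPC Flow Log line; return None for NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    rec = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def classify_sources(lines):
    """Return {srcaddr: set(categories)} for sources matching an attack pattern."""
    web_flows = defaultdict(int)    # accepted TCP flows to 80/443, per source
    other_bytes = defaultdict(int)  # bytes of everything else, per source
    findings = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None:
            continue
        src = rec["srcaddr"]
        if rec["protocol"] == PROTO_TCP and rec["dstport"] in WEB_PORTS:
            if rec["action"] == "ACCEPT":
                web_flows[src] += 1
            continue
        # Anything that is not web traffic counts toward the L3/4 volume.
        other_bytes[src] += rec["bytes"]
        if rec["protocol"] == PROTO_UDP and rec["srcport"] in AMPLIFICATION_PORTS:
            findings[src].add("amplification/" + AMPLIFICATION_PORTS[rec["srcport"]])
    for src, n in web_flows.items():
        if n >= FLOWS_PER_SOURCE_L7:
            findings[src].add("application (L7)")
    for src, b in other_bytes.items():
        if b >= BYTES_PER_SOURCE_L34:
            findings[src].add("infrastructure (L3/4)")
    return dict(findings)


def sample_lines():
    """Constructed flow log lines (not real traffic). Addresses are RFC 5737
    documentation ranges; the ENI id and account id are placeholders."""
    base = "2 123456789012 eni-0a1b2c3d"
    lines = [
        # One legitimate client: a single HTTPS flow.
        f"{base} 198.51.100.7 10.0.1.10 51000 443 6 40 60000 1700000000 1700000060 ACCEPT OK",
        # NTP reflection: 400 MB of UDP arriving FROM port 123.
        f"{base} 203.0.113.5 10.0.1.10 123 47000 17 900000 400000000 1700000000 1700000060 ACCEPT OK",
        # Plain UDP flood at a non-web port: 60 MB, dropped by the security group.
        f"{base} 203.0.113.9 10.0.1.10 40000 8080 17 500000 60000000 1700000000 1700000060 REJECT OK",
        # A SKIPDATA record carries no counters and is ignored by the parser.
        f"{base} - - - - - - - 1700000000 1700000060 - SKIPDATA",
    ]
    # GET flood: 60 short-lived TCP connections to port 80 from one source.
    lines += [f"{base} 203.0.113.77 10.0.1.10 {40000 + i} 80 6 5 600 "
              "1700000000 1700000060 ACCEPT OK" for i in range(60)]
    return lines


if __name__ == "__main__":
    for src, cats in sorted(classify_sources(sample_lines()).items()):
        print(f"{src:15} {', '.join(sorted(cats))}")
```

The NTP source is tagged both as amplification and as infrastructure volume, because on slide 1 amplification is one of the layer 3/4 vectors; the legitimate HTTPS client produces no finding. The per-source counters are the quantity you would publish as a custom metric and alarm on, rather than the raw flow records.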
