
Economical Denial of Sustainability in the Cloud (EDOS)

Presented by Raluca Stanciu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on

Economical Denial of Sustainability in the Cloud (EDOS)

  1. EDoS in the Cloud (Economical Denial of Service). Raluca Stanciu - BullGuard
  2. So… 11 hours, 1.2Tbps. Losses???
  3. EDoS?
  4. BOTNETS. DDoS – a serious threat. Why? 2016: 1.5 million hijacked wireless cameras → 1-Tbps DDoS attack. In 2017: the first Android botnet (WireX) = 150,000 infected devices.
  5. Attack numbers? 20,000 daily attacks (source: DDoSMon, 2017). $2.5 million DDoS costs per company (source: Neustar, 2016-2017).
  6. Examples:

     | Victim company | When | Attack peak size | Attack duration | Other details |
     |---|---|---|---|---|
     | Undisclosed customer of a U.S.-based service provider | March 2018 | 1.7Tbps | _ | Largest attack known until now; amplification attack |
     | GitHub | February 2018 | 1.35Tbps | 10 minutes | Memcached-servers amplification attack |
     | Microsoft’s and Sony’s online gaming services (PSN and Xbox) | Christmas 2014 | _ | 2 days for Microsoft, 3 days for Sony | The attack took down Microsoft’s and Sony’s online gaming services entirely; millions of users were unable to play online games or access entertainment channels |
     | Runescape, a gaming platform | 2014 | _ | _ | Spent £6 million trying to defend against the DDoS attack |
     | Rackspace, a Cloud service provider | 2014 | _ | 11 hours | |

  7.
  8. Ok. DDoS. Methods? Log-in attacks. Egress data attacks.
  9. Reflection attacks. 2018: GitHub attack - 1.35 Tbps. Unprecedented amplification factor → 51,000x
  10. DDoS attack strategy (*source: DDOSMON)
  11. DDoS protection in Cloud. How? 1h of downtime = how much revenue loss? NO ACCESS to the physical network infrastructure → DDoS Protection as a Service
  12. What’s the best you can do with DDoSPaaS? 1. Reduce attack surface. 2. Be ready to scale. 3. Architect for resilience. 4. Register for live support service. Time-to-mitigation = MONEY
  13. 1. Reduce attack surface. Expose ONLY if necessary. If exposed, protect, protect, PROTECT!
     • Cloud storage resources → Access Control Lists
     • Ports → Firewall rules, anti-spoofing protection, VPC network configuration
     • VPC Administrative Console → Identity Access Management
     • Internal traffic → Isolated: public IP only if needed; NAT Gateway; Internal Load Balancing for your internal client instances accessing internally deployed services, thereby avoiding exposure to the external world.
     • You have an API frontend exposed to the public → the API frontend can be DDoS attacked and expose resources as well => use the Cloud provider’s API Gateway as a “front door”
  14. 2. Be ready to scale
     • Elastic Load Balancing → scales automatically at need => can manage larger volumes. 1. Application Load Balancer → routes traffic based on its content and accepts only well-formed web requests => it blocks SYN floods, UDP reflection attacks and others. 2. Network Load Balancer → for TCP-based applications, you can use NLB to route traffic to Amazon EC2 instances at ultra-low latency.
     • Elastic IP Addresses → static IPv4 address designed for dynamic cloud computing. If the assigned instance fails, it is remapped to another instance.
     • Proper Elastic Compute type (resources-wise) → ex: 25Gb NIC & Enhanced Networking
     • Choose an SLA with automatic scaling → horizontally: add instances; vertically: use larger instances
  15. 3. Architect for resilience
  16. DDoSPaaS – Other MUSTS
     • Limit, limit, limit!!! per-IP request count; per-IP connection count; count of users who can make requests to your application
     • Choose a product which can properly protect and detect both bad AND GOOD traffic (what if your web service has a legit spike of clients?)
     • Costs!!!! Hidden or not!!! In the Cloud, even a sneeze costs!
     • Cloud-provided regions → performance, data sovereignty, optimal latency
     • Shared Responsibility Model !!!
     • Differences between the DDoS protection products
  17. • Understand the differences between Cloud DDoS protection services
  18. *Third party DDoSPaaS: Akamai → helped protect against the 2018 1.35 TB attack against GitHub. Blockchain DDoS mitigation.
  19. Conclusion? Anything which has an IP address CAN and WILL be used against you!
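The per-IP limits from slide 16 ("Limit, limit, limit!!!"), as an added example that is not part of the talk: a sliding-window per-IP request limiter replayed over constructed log lines, showing that a single-source flood is cut off at the per-IP limit while a legitimate spike of many distinct clients passes untouched. The window length, threshold and sample addresses are assumptions, not values from the slides.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # sliding window length (assumed value, not from the slides)
MAX_PER_IP = 20          # requests one IP may make inside the window (assumed value)


class PerIpRateLimiter:
    """Sliding-window request counter keyed by client IP (slide 16: per-IP request count)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_IP):
        self.window = window
        self.limit = limit
        self.recent = defaultdict(deque)   # ip -> timestamps of requests still inside the window

    def allow(self, ip, ts):
        q = self.recent[ip]
        while q and ts - q[0] >= self.window:   # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:                # over the per-IP limit: reject (e.g. HTTP 429)
            return False
        q.append(ts)
        return True


def replay(log_lines, limiter=None):
    """Replay constructed 'timestamp ip path' lines; return ({ip: allowed}, {ip: blocked})."""
    limiter = limiter or PerIpRateLimiter()
    allowed, blocked = defaultdict(int), defaultdict(int)
    for line in log_lines:
        ts, ip, _path = line.split()
        bucket = allowed if limiter.allow(ip, float(ts)) else blocked
        bucket[ip] += 1
    return dict(allowed), dict(blocked)


# Constructed sample traffic (not real data): 50 requests within 5 seconds in each case.
# FLOOD: one source hammers /login.  SPIKE: 50 distinct clients each fetch one page.
FLOOD = [f"{i * 0.1:.1f} 203.0.113.7 /login" for i in range(50)]
SPIKE = [f"{i * 0.1:.1f} 198.51.100.{i + 1} /index.html" for i in range(50)]

if __name__ == "__main__":
    for name, lines in (("flood", FLOOD), ("legit spike", SPIKE)):
        ok, rej = replay(lines)
        print(f"{name}: allowed={sum(ok.values())} blocked={sum(rej.values())} "
              f"distinct_ips={len(set(ok) | set(rej))}")
```

The flood is capped at 20 requests and 30 are rejected, while all 50 requests of the legitimate spike are served, which is the "good AND bad traffic" distinction the slide asks for; a per-IP limit alone would still pass a distributed flood, so it complements, rather than replaces, the volumetric protections on the earlier slides.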

Editor's Notes

  • Ok, probably you all have heard about DDoS,
    But what kind of animal is EDoS then?

    What can become unavailable? In a very simplistic image,
    they can target …
  • Today, ANYONE can launch a crippling attack for virtually
    no money. Do you know why? Because of botnets.

    DDoS-for-hire botnets - subscription-based model
  • Analytics company – analyze DDoS data around the world
  • Let me give you a few more examples so that you can better understand
    THE SEVERITY of the problem

    Do you guys like your Xbox? Do you remember the Christmas of 2014 when the
    online service was down? Guess why.

    How many of you are dependent on GitHub?
    This year, luckily, Github was down only for 10 minutes. But what if it was
    down for a couple of days?

  • Interesting fact? Do you want to see what a live DDoS looks like?
    Well, here’s a preview.

    You can go to and see ACTUAL attacks
    happening right now!!
  • Now let’s better understand how a DDoS is created.

  • Analytics

    The latest strategy for attacks is to create a diversion by
    having low-impact attacks just to test the waters and in the background

    Network mapping - data breaches - infection with malware
  • If you think that protecting against DDoS was complicated on prems, well,
    the cherry on top in Cloud

    ONE QUESTION FOR YOU: If an un-mitigated attack costs 1 hour
  • Health Checks and Monitoring

    AWS Shield Standard → default, free

    DNS at the Edge → Amazon Route 53 → DNS service with Traffic Flow, Latency Based Routing, Geo DNS, and Health Checks and Monitoring
    Amazon CloudFront (CDN with caching → takes load from EC2 instances + better internet speed and bandwidth to users at Amazon Edge Locations). Distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts. CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served.

    AWS WAF → A "regular" firewall typically only looks at layers 3 and 4 of the OSI model. For instance, to allow TCP port 80, allow UDP port 53 from only specific IP addresses, or deny TCP port 25.
    For HTTP requests, once the "allow TCP port 80" hurdle is cleared, the firewall is uninterested in what's passed via that connection.
    A Web Application Firewall works almost exclusively at layer 7, dealing with security in terms of the content of HTTP requests.
    Mainly, they're looking to prevent requests that are outside what should be expected for your web application, using rules applied to incoming HTTP requests to prevent attacks like cross-site scripting, SQL injection, directory traversal, or brute-force authentication attempts. Essentially, their whole purpose is shielding the web server from the kinds of manipulated and malicious requests that attackers might use to compromise your web application.

    Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
    Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
    Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.

    Most cloud providers have DDoS resilience infrastructure architecture recommendations for different types of applications. For example:
    Web applications
    Non-web load-balanceable apps
    Non-web non-load balanceable apps

  • DDoS Telemetry → analyze the digital fingerprint, and gather intelligence

    Regions → Being close to exchanges where international carriers and large peers