1. EDoS in the Cloud(Economical Denial of Service)
Raluca Stanciu - BullGuard

2. So…
11 hours 1.2Tbps
Losses???

3. EDoS?

4. DDoS – a serious threat. Why?
2016: 1,5 million hijacked wireless
cameras  1-Tbps DDoS attack
In 2017: the first Android botnet
(WireX) = 150.000 infected devices
BOTNETS

5. Attack numbers?
20,000 daily attacks
source: DDoSMon (2017)
$2.5 million DDoS costs per company
source: Neustar (2016-2017)

6. Examples:
Victim company When Attack peak size Attack duration Other details
Undisclosed
customer of a U.S.-
based service
provider
March
2018
1.7Tbps _ • Largest attack known until now
• Amplification attack.
GitHub February
2018
1.35Tbps 10 minutes • Memcached-Servers amplification attack
Microsoft’s and
Sony’s online
gaming services
(PSN and Xbox)
Christmas
2014
_ 2 days for Microsoft
3 days for Sony
• The attack took down entirely Microsoft’s
and Sony’s online gaming services.
• Millions of users were unable to play online
games or access entertainment channels
Runescape, a
gaming platform
2014 _ _ • Spent £6 million trying to defend against
the DDOS attack.
Rackspace, a Cloud
service provider
2014 _ 11 hours

7. http://www.digitalattackmap.com

8. Ok. DDoS. Methods?
Log-in attacks Egress data attacks

9. Reflection attacks
2018 : GitHub attack - 1.35 Tbps
Unprecendented amplication
factor  51,000x

10. DDoS attack strategy
*source: DDOSMON

11. DDoS protection in Cloud. How?
1h of downtime = How much revenue loss ?
NO ACCESS to
the physical
network
infrastructure
DDoS
Protection
as a Service

12. What’s the best you can do
with DDoSPaaS?
1.Reduce attack surface
2.Be ready to scale
3.Architect for resilience.
4. Register for live support service
Time-to-mitigation
= MONEY

13. 1. Reduce attack surface Expose ONLY if necessary
If exposed, protect, protect,
PROTECT!Cloud storage resources
 Access Control Lists Ports
 Firewall rules
Anti-spoofing protection
VPC network configuration
VPC Administrative Console
 Identity Access Management
Internal traffic
 Isolated:
• Public IP only if needed
• NAT Gateway
• Internal Load Balancing: for your internal client
instances accessing internally deployed services
thereby avoiding exposure to the external world.
You have API Frontend exposed to the
public
 The API frontend is can be DDoS
attacked and expose resources
also => use the Cloud provider’s
API Gateway as a “front door”

14. 2. Be ready to scale Elastic Load Balancing
 scales automatically at need => can manage larger volumes
1. Application Load Balancer  routes traffic based on its
content and accepts only well-formed web requests => it
blocks SYN floods, UDP reflection attacks and others
2. Network Load Balancer  For TCP-based applications,
you can use NLB to route traffic to Amazon EC2 instances
at ultralow latency
Elastic IP Addresses
 Static IPv4 address designed for
dynamic cloud computing. If the
assigned instance fails, it is remapped
to another instance
Proper Elastic Computer type (resources-wise)
 ex: 25Gb NIC & Enhanced Networking
Choose a SLA with automatic scaling
 horizontally: add instances;
vertically: use larger instances

15. 3. Architect for resiliance

16. Limit, limit, limit!!!
per-IP request count
per-IP connection count
count of users who can make requests to your application
Choose a product which can properly
protect detect both bad AND GOOD
traffic (what if your web service has
a legit spike of clients?)
Costs!!!! Hidden or not!!! In the Cloud, even a sneeze costs!
Cloud-provided regions  performance,
data sovereignty, optimal latency
Shared Responsibility Model !!!
Differences between the
DDoS protection products
DDoSPaaS – Other MUSTS

17. • Understand the differences
between Cloud DDoS
protection services

18. *Third party DDoSPaaS
Akamai  helped protect against the
2018 1.35 TB attack against GitHub
Blockchain DDoS
mitigation

19. Conclusion? Anything which has an
IP address CAN and WILL be used
against you!