Victim company When Attack peak size Attack duration Other details
customer of a U.S.-
1.7Tbps _ • Largest attack known until now
• Amplification attack.
1.35Tbps 10 minutes • Memcached-Servers amplification attack
(PSN and Xbox)
_ 2 days for Microsoft
3 days for Sony
• The attack took down entirely Microsoft’s
and Sony’s online gaming services.
• Millions of users were unable to play online
games or access entertainment channels
2014 _ _ • Spent £6 million trying to defend against
the DDOS attack.
Rackspace, a Cloud
2014 _ 11 hours
11. DDoS protection in Cloud. How?
1h of downtime = How much revenue loss ?
NO ACCESS to
as a Service
12. What’s the best you can do
1.Reduce attack surface
2.Be ready to scale
3.Architect for resilience.
4. Register for live support service
13. 1. Reduce attack surface Expose ONLY if necessary
If exposed, protect, protect,
PROTECT!Cloud storage resources
Access Control Lists Ports
VPC network configuration
VPC Administrative Console
Identity Access Management
• Public IP only if needed
• NAT Gateway
• Internal Load Balancing: for your internal client
instances accessing internally deployed services
thereby avoiding exposure to the external world.
You have API Frontend exposed to the
The API frontend is can be DDoS
attacked and expose resources
also => use the Cloud provider’s
API Gateway as a “front door”
14. 2. Be ready to scale Elastic Load Balancing
scales automatically at need => can manage larger volumes
1. Application Load Balancer routes traffic based on its
content and accepts only well-formed web requests => it
blocks SYN floods, UDP reflection attacks and others
2. Network Load Balancer For TCP-based applications,
you can use NLB to route traffic to Amazon EC2 instances
at ultralow latency
Elastic IP Addresses
Static IPv4 address designed for
dynamic cloud computing. If the
assigned instance fails, it is remapped
to another instance
Proper Elastic Computer type (resources-wise)
ex: 25Gb NIC & Enhanced Networking
Choose a SLA with automatic scaling
horizontally: add instances;
vertically: use larger instances
16. Limit, limit, limit!!!
per-IP request count
per-IP connection count
count of users who can make requests to your application
Choose a product which can properly
protect detect both bad AND GOOD
traffic (what if your web service has
a legit spike of clients?)
Costs!!!! Hidden or not!!! In the Cloud, even a sneeze costs!
Cloud-provided regions performance,
data sovereignty, optimal latency
Shared Responsibility Model !!!
Differences between the
DDoS protection products
DDoSPaaS – Other MUSTS
Ok, probably you all have heard about DDoS,
But what kind of animal is EDoS then?
What can become unavailable? In a very simplistic image,
they can target …
Today, ANYONE can launch a crippling attack for virtually
no money. Do you know why? Because of botnets.
DDoS-for-hire botnets - subscription-based model
Analytics company – analyze DDoS data around the world
Let me give you a few more examples so that you can better understand
THE SEVERITY of the problem
Do you guys like your Xbox? Do you remember the Christmas of 2014 when the
online service was down? Guess why.
How many of you are dependent on GitHub?
This year, luckily, Github was down only for 10 minutes. But what if it was
down for a couple of days?
Interesting fact? Do you want to see how a live DDoS looks like?
Well, here’s a preview.
You can go to digitalattackmap.com and see ACTUAL attacks
happening right now!!
Now let’s better understand how a DDoS is created.
The latest strategy for attacks is to create a diversion by
having low-impact attacks just to test the waters and in the background
Network mapping - data breaches - infection with malware
If you think that protecting against DDoS was complicated on prems, well,
the cherry on top in Cloud
ONE QUESTION FOR YOU: If an un-mitigated attack costs 1 hour
Health Checks and Monitoring
AWS Shield Standard default, free
DNS at the Edge Amazon Route 53 DNS service with Traffic Flow, Latency Based Routing, Geo DNS, and Health Checks and Monitoring
Amazon CloudFront (CDN with caching takes load from EC2 instances + better internet speed and bandwidth to users at Amazon Edge Locations). distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts. CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served.
AWS WAF A "regular" firewall typically only looks at layers 3 and 4 of the OSI model. For instance, to allow TCP port 80, allow UDP port 53 from only specific IP addresses, or deny TCP port 25.
For HTTP requests, once the "allow TCP port 80" hurdle is cleared, the firewall is uninterested in what's passed via that connection.
A Web Application Firewall works almost exclusively at layer 7, dealing with security in terms of the content of HTTP requests.
Mainly, they're looking to prevent requests that are outside what should be expected for your web application, using rules applied to incoming HTTP requests to prevent attacks like cross-site scripting, SQL injection, directory traversal, or brute-force authentication attempts. Essentially, their whole purpose is shielding the web server from the kinds of manipulated and malicious requests that attackers might use to compromise your web application.
Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.
Most cloud providers have DDoS resilience infrastructure architecture recommandations for different types of applications. For example:
Non-web load-balanceable apps
Non-web non-load balanceable apps
DDoS Telemetry analyze the digital fingerprint, and gather intelligence
Regions Being close to exchanges where international carriers and large peers