"In this session, we will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of: DDoS attacks on AWS as well as the actual threats and volumes that we typically see. What AWS does to protect our services from these attacks. How this all relates to the AWS Shared Responsibility Model."

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins, AWS SDM
Jeffrey Lyon, AWS Operations Manager
October 2015
SEC306
Defending Against DDoS Attacks

2. Goals

3. Useful background

4. Common attacks

5. CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS
DDOS ATTACKS ARE GETTING MUCH
MORE POWERFUL

6. CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS
DDOS ATTACKS ARE GETTING MUCH
MORE POWERFUL
MEGAATTACKS ARE ON THE RISE

7. CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS
DDOS ATTACKS ARE GETTING MUCH
MORE POWERFUL
MEGAATTACKS ARE ON THE RISE

8. CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS
DDOS ATTACKS ARE GETTING MUCH
MORE POWERFUL
MEGAATTACKS ARE ON THE RISETHE NEW NORMAL: 200 – 400 GBPS DDOS ATTACKS

9. 1.04 39
Average size of a DDoS
attack
Source: Arbor Networks
Average duration of
> 10 Gbps attacks
DDoS attacks that
target network and
service
infrastructure
85%
Gbps Minutes

10. Types of DDoS attacks

11. Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)

12. Types of DDoS attacks
State-exhaustion DDoS attacks
Type of protocol abuse that stresses systems
like firewalls, IPS, or load balancers (e.g.,
TCP SYN flood)

13. Types of DDoS attacks
Application-layer DDoS attacks
Less frequently, an attacker will use well-
formed connections to circumvent mitigation
and consume application resources (e.g.,
HTTP GET, DNS query floods)

14. DDoS attack trends
Volumetric State exhaustion Application layer
65%
Volumetric
20%
State exhaustion
15%
Application layer

15. DDoS attack trends
Volumetric State exhaustion Application layer
SSDP reflection attacks are very
common
Reflection attacks have clear signatures, but
can consume available bandwidth.
65%
Volumetric
20%
State exhaustion
15%
Application layer

16. DDoS attack trends
Volumetric State exhaustion Application layer
65%
Volumetric
20%
State exhaustion
15%
Application layer
Other common volumetric attacks:
NTP reflection, DNS reflection, Chargen
reflection, SNMP reflection

17. DDoS attack trends
Volumetric State exhaustion Application layer
SYN floods can look like real
connection attempts
And on average, they’re larger in volume.
They can prevent real users from
establishing connections.
65%
Volumetric
20%
State exhaustion
15%
Application layer

18. DDoS attack trends
Volumetric State exhaustion Application layer
DNS query floods are real DNS
requests
They can also go on for hours and exhaust
the available resources of the DNS server.
65%
Volumetric
20%
State exhaustion
15%
Application layer

19. DDoS attack trends
Volumetric State exhaustion Application layer
DNS query floods are real DNS
requests
They can also go on for hours and exhaust
the available resources of the DNS server.
65%
Volumetric
20%
State exhaustion
15%
Application layer
Other common application layer
attacks:
HTTP GET flood, Slowloris

20. Volumetric: UDP amplification

21. Volumetric amplification factors
Vector Factor Common Cause
SSDP 30.8 uPnP services exposed to Internet
NTP 556.9 Time servers with monlist enabled
DNS 28 - 54 Open resolvers
Chargen 358.8 Enabled Chargen service
SNMP 6.3 Open SNMP services
Source: US-CERT

22. DDoS attacks with multiple vectors
Single vector Multi-vector
85%
Single vector
15%
Multi-vector

23. Attackers are persistent

24. Attackers are persistent
UDP/161 –
SNMP
amplification

25. Attackers are persistent
UDP/161 –
SNMP
amplification UDP
fragments

26. Attackers are persistent
UDP/161 –
SNMP
amplification UDP
fragments
UDP/1900 –
SSDP reflection

27. Attackers are persistent
UDP/161 –
SNMP
amplification UDP
fragments
UDP/1900 –
SSDP reflection
UDP/1900 – SSDP reflection

28. Attackers are persistent
UDP/161 –
SNMP
amplification UDP
fragments
UDP/1900 –
SSDP reflection
UDP/1900 – SSDP reflection
UDP/123 – NTP reflection

29. Attackers are persistent
UDP/161 –
SNMP
amplification UDP
fragments
UDP/1900 –
SSDP reflection
UDP/1900 – SSDP reflection
UDP/123 – NTP reflection
6 hours

30. Mitigations

31. AWS Shared Responsibility Model

32. Before DDoS mitigation
Conventional data centerDDoS attack
Users

33. Conventional DDoS mitigation services
Conventional data center
DDoS attack
Users DDoS mitigation service

34. Resilient by design
IP ICMP
TCP
UDP
not
DNS

35. Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
CloudFront

36. Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
CloudFront

37. Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
Route 53
Amazon
CloudFront

38. Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
Route 53
Amazon
CloudFront

39. DDoS mitigation for AWS infrastructure
virtual private cloud
AWS global infrastructure
DDoS attack
Users
AWS
DDoS mitigation
AWS
DDoS mitigation
CloudFrontRoute 53

40. Basic hygiene
Examples
• IP
• Checksum
• TCP
• Valid flags
• UDP
• Payload length
• DNS
• Request validation

41. Packet prioritization

42. Packet prioritization

43. Priority-based traffic shaping

44. Mitigation: Detection and
traffic engineering

45. Target identification in shared space
• Each IP set has a
unique combination
Edge location
Users
Distribution Distribution Distribution

46. Target identification in shared space
• Each IP set has a
unique combination
Edge locationDDoS attack
Users
Distribution Distribution Distribution

47. Target identification in shared space
• Each IP set has a
unique combination
• Allows target
identification Edge locationDDoS attack
Users
Distribution Distribution

48. Target identification in shared space
• Each IP set has a
unique combination
• Allows target
identification
• Enables new
options for
mitigation
Edge location
Edge locationDDoS attack
Users
Users
Distribution
Distribution
Distribution

49. Traffic engineering

50. Traffic engineering
DDoS attack

51. Traffic engineering
Mitigate
DDoS attack

52. Traffic engineering
Isolate
DDoS attack

53. Traffic engineering
Isolate
Vacate
DDoS attack

54. Traffic engineering
Disperse
DDoS attack

55. Architecture

56. Architecting on AWS for DDoS resiliency

57. Architecture: Volumetric

58. Why does this matter?

59. CloudFront – DNS reflection
• Simultaneous DNS reflection and UDP flood
• Automatically discarded by CloudFront
• No impact on CloudFront or CloudFront customers

60. CloudFront – DNS reflection
• Simultaneous DNS reflection and UDP flood
• Automatically discarded by CloudFront
• No impact on CloudFront or CloudFront customers

61. Common vector – SSDP
srcPort=
1900
Payload =
HTTP/1.1…

62. Common vector – NTP
Payload =
MON_GETLIST
srcPort=
123

63. Common vector – DNS reflection
srcPort=
53
DNS
response
Larger
payload

64. Other vectors – RIPv1, Chargen, SNMP
• UDP based
• Reflection
• Amplification
• Unusual sources
• Abnormal payload

65. ELB Scaling
ELBUsers
Security group
DMZ
public subnet
Security group
Front-end server
private subnet
Instances

66. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53

67. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53

68. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53

69. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53

70. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53

71. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53
DDoS

72. Route 53 health checks on ELB instances
ELB
Users
Security group
ELB
instances
Route 53
DDoS

73. Minimize the attack surface
Amazon Virtual Private Cloud (VPC)
• Allows you to define a virtual network in your own
logically isolated area on AWS
• Allows you to hide instances from the Internet using
security groups and network access control lists
(NACLs)

74. Security in your VPC
Security groups
• Operate at the instance level (first layer of defense)
• Supports allow rules only
• Stateful, return traffic is automatically allowed
• All rules are evaluated before deciding whether to allow traffic
Network ACLs
• Operate at the subnet level (second layer of defense)
• Supports allow and deny rules
• Stateless, return traffic must be explicitly allowed
• Rules are processed in order

75. Web app
server
DMZ public subnet
SSH
bastion
NAT
ELB
Amazon EC2
security group
security group
security group
security group
Front-end private subnet
Amazon EC2
Back-end private subnet
security group
MySQL db
Amazon VPC

76. Web app
server
DMZ public subnet
SSH
bastion
NAT
ELBUsers
Amazon EC2
security group
security group
security group
security group
Front-end private subnet
TCP: 8080
Amazon EC2
TCP: 80/443
Back-end private subnet
security group
TCP: 3306
MySQL db
Amazon VPC

77. Web app
server
DMZ public subnet
SSH
bastion
NAT
ELBUsers
Admin Amazon EC2
security group
security group
security group
security group
Front-end private subnet
TCP: 8080
Amazon EC2
TCP: 80/443
Back-end private subnet
security group
TCP: 3306
MySQL db
TCP: 22
Amazon VPC

78. Web app
server
DMZ public subnet
SSH
bastion
NAT
ELBUsers
Admin
Internet
Amazon EC2
security group
security group
security group
security group
Front-end private subnet
TCP: 8080
Amazon EC2
TCP: 80/443
Back-end private subnet
security group
TCP: 3306
MySQL db
TCP: Outbound
TCP: 22
Amazon VPC

79. Reference security groups

80. Reference security groups

81. Reference network ACL

82. Be ready to scale and absorb
Route 53
• Highly available, scalable DNS service
• Uses anycast routing for low latency

83. Be ready to scale and absorb
Route 53
• Highly available, scalable DNS service
• Uses anycast routing for low latency
CloudFront
• Improves performance by caching content and
optimizing connections
• Disperses traffic across global edge locations
• DDoS attacks are absorbed close to the source

84. Be ready to scale and absorb
Elastic Load Balancing
• Fault tolerance for applications
• Automatic scaling
• Multiple Availability Zones

85. AWS global presence and redundancy

86. AWS global presence and redundancy
Internet
Connection C
Internet
Connection A
Internet
Connection B

87. AWS global presence and redundancy
CloudFront
Valid
Object Request
Invalid
Protocol
Invalid
Object Request

88. AWS global presence and redundancy
ELB
TCP
UDP

89. AWS global presence and redundancy
Route A
Route B
Route C
users

90. AWS global presence and redundancy
ELB
instances
Availability Zone
ELB
instances
Availability Zone
ELB

91. Route 53 anycast routing
How do I get to
example.com?

92. Route 53 anycast routing
How do I get to
example.com?
.org
.co.uk
This way!
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!

93. Route 53 anycast routing
How do I get to
example.com?
.org
.co.uk
This way!
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!

94. Route 53 anycast routing
How do I get to
example.com?
.org
.co.uk
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!
This way!
.net

95. Route 53 anycast routing
How do I get to
example.com?
.org
.co.uk
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!
This way!
.net

96. Architecture: State exhaustion

97. Why does this matter?

98. Common vector – SYN flood
Flags=
SYN
Cookie
returned

99. SYN proxy and SYN cookies

100. SYN proxy and SYN cookies

101. SYN proxy and SYN cookies



102. SYN proxy and SYN cookies



103. Using custom proxies
NGINX
Security group
DMZ
public subnet
Security group
Front-end server
private subnet
Instances
DDoS
Users

104. Architecture: Application layer

105. Looks can be deceiving

106. Route 53
• DNS query flood targeting 34 of our edge locations
• Peak volume was in top 4% of all DDoS attacks
• Automatically detected and mitigated with no impact to availability

107. Route 53
• DNS query flood targeting 34 of our edge locations
• Peak volume was in top 4% of all DDoS attacks
• Automatically detected and mitigated with no impact to availability

108. Safeguard exposed resources

109. Resilient architecture
Web app
server

110. Resilient architecture
Users
Web app
server

111. Resilient architecture
DDoS
Users
Web app
server

112. Resilient architecture
DDoS
Users
Auto Scaling
Web app
server

113. Resilient architecture
Security group
DDoS
Users
Auto Scaling
Front-end servers
private subnet
Web app
server

114. Resilient architecture
ELB
Security
group
DMZ
public subnet
Security group
WAF/proxy
private subnet
DDoS
Users
WAF
Auto
Scaling
ELB
Security
group
Auto Scaling
Security
group
Front-end servers
private subnet
Web app
server

115. Resilient architecture
ELB
Security
group
DMZ
public subnet
CloudFront
edge location
Security group
WAF/proxy
private subnet
DDoS
Users
WAF
Auto
Scaling
ELB
Security
group
Auto Scaling
Security
group
Front-end servers
private subnet
Web app
server

116. Under attack?

117. Help with architecture and mitigation
Resources
• Account manager, solutions architect
• Whitepaper: AWS Best Practices for DDoS
Resiliency
• AWS Security Blog
AWS Support
• Business – Technical assistance by phone, chat,
or email
• Enterprise – Fastest response time. Dedicated
technical account manager (TAM).

118. Information to provide AWS Support
• Instances (IPs help!), distributions, zones under attack
• Location
• Time
• Vector
• Sources
• Intel

119. AWS Security Center
To learn more, visit https://aws.amazon.com/security.

120. Thank you!

121. Remember to submit
your evaluations
by using the re:Invent app!
https://reinvent.awsevents.com/mobile/

122. Related sessions
• SEC323: Securing Web Applications with AWS WAF;
Friday, 9:00–10:00 A.M.