This document discusses mitigating DDoS attacks on AWS. It outlines five common DDoS attack vectors: UDP reflection attacks, UDP floods, TCP SYN floods, web application layer attacks, and DNS query floods. It then discusses four AWS use cases for DDoS mitigation: protecting common web applications, highly resilient web applications, video game development applications, and voice communication applications. The document provides details on how AWS security services like AWS WAF, CloudFront, and Route 53 can help detect and mitigate DDoS attacks. It also includes a case study of how Crownpeak implemented DDoS resiliency for the Bank of New York Mellon websites.
2. In this session, you will learn about …
Five DDoS Attack Vectors
1. UDP reflection attacks
2. UDP floods
3. TCP SYN floods
4. Web application layer attacks
5. DNS query floods
Four AWS Use Cases
1. Common web application
2. Highly-resilient web application
3. Video game development
4. Voice communication
4. DDoS attacks can …
• Target networks with large volumes of traffic
• Target systems with large volumes of connections
• Target services with large volumes of requests
5. Vector #1: UDP Reflection Attacks
• Attacker sends spoofed request to UDP service
• Spoofed IP is that of the victim
• Asymmetric: UDP service responds with large payload
Network Traffic | System Connections | Service Requests
6. 20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300
20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307
20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302
20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323
20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268
Vector #1: UDP Reflection Attacks
• Clear signature: many requests from a suspicious source port (above, UDP/1900, the SSDP service port)
• Large packet size: the reflector's reply is larger than the spoofed request that triggered it
• Flood of traffic is easy to generate
• UDP protocol: a clear indicator of suspicious activity if the destination does not use UDP
7. 20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024
20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024
20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024
20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024
20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024
Vector #2: UDP Floods
• Ambiguous signature: the source port is ephemeral and may be difficult to distinguish from legitimate clients
• Packet size is defined by the attacker (above, a constant 1024 bytes)
• UDP protocol: a clear indicator of suspicious activity if the destination does not use UDP
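The two captures above can be told apart mechanically. The following Python is an added example (not code from the deck or from AWS) that parses tcpdump lines of the shape shown above and applies the deck's three signals: dominance of a single well-known source port (reflection), an attacker-chosen constant packet size from many sources (flood), and UDP arriving at a service that does not speak UDP. The packet lines, the reflector port table and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump lines in the shape of the captures above (TEST-NET addresses,
# not a real capture). Reflection: every source port is 1900 (SSDP) and replies vary
# in size. Flood: ephemeral source ports and a constant attacker-chosen size.
REFLECTION_LINES = """\
20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
""".splitlines()

FLOOD_LINES = """\
20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
""".splitlines()

# Ordinary resolver traffic to a DNS server that legitimately speaks UDP (constructed).
BENIGN_DNS_LINES = """\
20:07:46.000001 IP 192.0.2.9.40211 > ns.example.com.domain: UDP, length 41
20:07:46.000105 IP 198.51.100.20.55012 > ns.example.com.domain: UDP, length 58
20:07:46.000233 IP 203.0.113.4.33190 > ns.example.com.domain: UDP, length 47
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+): UDP, length (?P<len>\d+)$"
)

# UDP services commonly abused as reflectors (assumed list; extend as needed).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp",
                   1900: "ssdp", 11211: "memcached"}


def parse(lines):
    """tcpdump text -> list of (src_ip, src_port, dst_port_name, length)."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dport"], int(m["len"])))
    return pkts


def classify_udp(lines, service_uses_udp=False):
    """Classify a burst of UDP packets as 'reflection', 'flood' or 'benign'.

    service_uses_udp says whether the destination legitimately serves UDP; if it
    does not, any UDP burst is suspicious on its face (the deck's point).
    """
    pkts = parse(lines)
    if not pkts:
        return "benign", {}
    sports = Counter(p[1] for p in pkts)
    lens = [p[3] for p in pkts]
    top_port, top_n = sports.most_common(1)[0]
    details = {
        "packets": len(pkts),
        "unique_sources": len({p[0] for p in pkts}),
        "top_sport": top_port,
        "top_sport_share": top_n / len(pkts),
        "distinct_lengths": len(set(lens)),
        "mean_len": sum(lens) / len(lens),
        "udp_unexpected": not service_uses_udp,
    }
    # Reflection: one well-known service port dominates the source ports and the
    # payloads vary because they are real replies from many different reflectors.
    if top_port in REFLECTOR_PORTS and details["top_sport_share"] >= 0.9:
        details["reflector"] = REFLECTOR_PORTS[top_port]
        return "reflection", details
    # Flood: ephemeral source ports; the size is whatever the attacker chose, so a
    # constant size across many sources is the tell. UDP to a TCP-only service is
    # suspicious regardless.
    if details["udp_unexpected"] or (
        details["distinct_lengths"] == 1 and details["unique_sources"] >= 3
    ):
        return "flood", details
    return "benign", details


if __name__ == "__main__":
    for name, lines, udp_ok in [("reflection capture", REFLECTION_LINES, False),
                                ("flood capture", FLOOD_LINES, False),
                                ("resolver traffic", BENIGN_DNS_LINES, True)]:
        verdict, d = classify_udp(lines, service_uses_udp=udp_ok)
        print(f"{name}: {verdict} {d}")
```

In production the same logic would run over VPC Flow Logs or a packet capture rather than tcpdump text; the 0.9 source-port share and the minimum source count are tuning knobs, not fixed values.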
8. Vector #3: TCP SYN Floods
• Flood of many connections targeting a system
• Very small packets
• Connections are left half-open; the listener's connection state table is exhausted
9. tcp 0 0 192.0.2.1:80 91.64.4.146:64979 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.24.103.112:4005 SYN_RECV -
tcp 0 0 192.0.2.1:80 79.223.69.239:61510 SYN_RECV -
tcp 0 0 192.0.2.1:80 67.86.135.44:43312 SYN_RECV -
tcp 0 0 192.0.2.1:80 86.88.67.226:50600 SYN_RECV -
tcp 0 0 192.0.2.1:80 173.20.137.110:3813 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.58.10.121:4878 SYN_RECV -
tcp 0 0 192.0.2.1:80 91.37.40.151:2408 SYN_RECV -
tcp 0 0 192.0.2.1:80 173.20.137.110:3441 SYN_RECV -
Vector #3: TCP SYN Floods
• Half-open connections: we sent SYN-ACK, the ACK is never received (the SYN_RECV entries above)
• TCP protocol: many connections destined to the HTTP service
10. Vector #4: Web Application Layer Attacks
• Malicious web requests that look like real users
• Impact availability or scrape site content
• Mitigate using a WAF
• Block abusive IPs, user agents, etc.
• Rate-based blacklisting
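As an added example of the rate-based blocking the slide recommends (not code from the deck, from AWS WAF, or from Crownpeak): a sliding-window rate limit per client IP combined with a user-agent deny list, replayed over a constructed access log. The log format, the deny-listed agents, and the limit of 100 requests per 300 seconds are assumptions; AWS WAF's own rate-based rules count over a five-minute window, and the limit here is chosen small enough to show the effect on a tiny log.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed ALB-style access lines: '<epoch> <client ip> "<request>" "<user agent>"'.
# Not real logs.
LINE_RE = re.compile(r'^(?P<ts>\d+) (?P<ip>[\d.]+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$')

# User agents of tools that never belong in front of a public site (assumed list).
BLOCKED_UA = re.compile(r"(?i)\b(sqlmap|nikto|masscan|python-requests)\b")


def constructed_log():
    lines = []
    for i in range(5):  # one human, a page a minute
        lines.append(f'{1000 + 60 * i} 198.51.100.7 "GET /index.html" "Mozilla/5.0"')
    for i in range(300):  # one bot, ten requests a second with a browser-like UA
        lines.append(f'{1000 + i // 10} 203.0.113.9 "GET /search?q={i}" "Mozilla/5.0"')
    for i in range(3):  # one scanner that announces itself
        lines.append(f'{1100 + i} 192.0.2.44 "GET /login" "sqlmap/1.7"')
    return lines


class RateBlocker:
    """Sliding-window rate limit per client IP plus a user-agent deny list.

    limit/window are assumed values (requests allowed per window, in seconds).
    """

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}          # ip -> time the block expires

    def decide(self, ts, ip, ua):
        if not ua or BLOCKED_UA.search(ua):   # empty UA treated as abusive too
            return "block:ua"
        if ts < self.blocked_until.get(ip, -1):
            return "block:rate"
        q = self.hits[ip]
        q.append(ts)
        while q[0] <= ts - self.window:       # drop hits that fell out of the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[ip] = ts + self.window
            return "block:rate"
        return "allow"


def run(lines, limit, window):
    """Replay a log in timestamp order; returns {ip: Counter(decision)}."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m["ts"]), m["ip"], m["ua"]))
    rows.sort(key=lambda r: r[0])
    blocker = RateBlocker(limit, window)
    stats = defaultdict(Counter)
    for ts, ip, ua in rows:
        stats[ip][blocker.decide(ts, ip, ua)] += 1
    return stats


if __name__ == "__main__":
    for ip, c in run(constructed_log(), limit=100, window=300).items():
        print(ip, dict(c))
```

The bot is indistinguishable from a browser by user agent alone; only its request rate gives it away, which is why the deck pairs user-agent blocking with a rate-based rule rather than relying on either one.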
11. Vector #5: DNS Query Floods
• Many legitimate DNS queries can exhaust host capacity
• Random queries can "cache bust" recursive DNS (e.g., ezspobmzlanungyp.www.example.com)
• Authoritative DNS is compelled to respond
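As an added example (not from the deck or from Route 53) of spotting the cache-busting pattern the slide describes: group each query by the name minus its leftmost label, then count distinct leftmost labels per parent and measure their Shannon entropy. A real hostname set such as www, mail, api produces few, low-entropy labels; a random-subdomain flood produces many high-entropy ones. The BIND-style log lines are constructed (the first uses the deck's own example name), and the thresholds are assumptions.

```python
import math
import random
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query: (?P<name>[\w.-]+) IN (?P<type>\w+)")


def constructed_query_log(n_random=50, seed=1):
    """BIND-style query log lines (constructed, not real). The first line is the
    deck's own example name; the rest are random 16-letter labels under
    www.example.com plus some ordinary hostnames under example.com."""
    rng = random.Random(seed)
    lines = ["client 198.51.100.5#53421: query: ezspobmzlanungyp.www.example.com IN A +"]
    for i in range(n_random):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        lines.append(f"client 203.0.113.{i % 250 + 1}#{40000 + i}: query: {label}.www.example.com IN A +")
    for host in ["www", "mail", "api", "www", "cdn", "www"]:
        lines.append(f"client 192.0.2.10#5353: query: {host}.example.com IN A +")
    return lines


def shannon_entropy(s):
    """Bits per character; random 16-letter labels score about 3.5, 'www' scores 0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_cache_busting(lines, min_unique=20, min_entropy=3.0):
    """Group queries by the name minus its first label; a parent that receives many
    distinct, high-entropy leftmost labels is being cache-busted. Returns
    {parent: (unique_labels, mean_entropy, flagged)}."""
    labels = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        first, _, parent = m["name"].lower().partition(".")
        if parent:
            labels[parent].add(first)
    report = {}
    for parent, names in labels.items():
        mean_h = sum(shannon_entropy(x) for x in names) / len(names)
        flagged = len(names) >= min_unique and mean_h >= min_entropy
        report[parent] = (len(names), mean_h, flagged)
    return report


if __name__ == "__main__":
    for parent, (n, h, flagged) in find_cache_busting(constructed_query_log()).items():
        print(f"{parent}: {n} distinct labels, mean entropy {h:.2f} bits, flagged={flagged}")
```

Counting per parent rather than per full name is the point: each random name is seen once, so per-name counters never trip, while the parent they hang off accumulates the whole flood.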
14. DDoS Mitigation on AWS
• Built into the AWS global infrastructure
• Fast mitigation without external routing
• Protection of availability, latency, and throughput
15. DDoS Attacks and Mitigation
• "BlackWatch" systems protect AWS, mitigate large volume attacks
• Methods:
  • Allow only traffic valid for the service
  • SYN proxy/cookies when a high rate of packets with the SYN flag set (SYN==1) is detected
  • Suspicion-based traffic shaping
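SYN cookies are the method on this slide that is easiest to show in code. The following Python is an added example (not BlackWatch's or any kernel's implementation) of the classic scheme: the listener encodes a time counter, the client's MSS and a keyed hash of the 4-tuple into the ISN of its SYN-ACK and stores nothing; only an ACK that returns a valid cookie creates connection state. A toy listener is run twice against the same spoofed SYN flood, once with a bounded half-open table and once with cookies. The MSS table, the bit layout, the key and the toy listener are assumptions.

```python
import hashlib
import hmac
import os
import time

# Layout of the 32-bit cookie used here (follows the classic SYN-cookie scheme:
# top 5 bits = 64-second time counter, next 3 bits = encoded MSS, low 24 bits =
# keyed hash over the 4-tuple and the counter). Table and key are assumptions.
MSS_TABLE = (536, 1220, 1440, 1460)
SECRET = os.urandom(32)      # per-process key; a real stack rotates this


def _counter(now):
    return int(now // 64) & 0x1F


def _hash24(src, sport, dst, dport, counter):
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now=None):
    """ISN for our SYN-ACK. Everything needed to finish the handshake later is
    encoded in it, so the listener stores nothing for this SYN."""
    now = time.time() if now is None else now
    t = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, t)


def check_cookie(src, sport, dst, dport, ack_seq, now=None, max_age=1):
    """Validate the client's ACK (ack_seq must be cookie+1). Returns the MSS to use,
    or None for a forged, stale or mismatched cookie."""
    now = time.time() if now is None else now
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((_counter(now) - t) & 0x1F) > max_age:     # older than one counter step
        return None
    expected = _hash24(src, sport, dst, dport, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class Listener:
    """Toy TCP listener: with syn_cookies=False it keeps a bounded half-open table
    (the state a SYN flood exhausts); with syn_cookies=True it keeps none."""

    def __init__(self, backlog, syn_cookies):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open, self.established, self.dropped_syns = {}, {}, 0

    def on_syn(self, src, sport, dst, dport, mss, now):
        key = (src, sport, dst, dport)
        if self.syn_cookies:
            return make_cookie(*key, mss, now)           # reply, remember nothing
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                       # table full: SYN dropped
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[key] = (isn, mss)
        return isn

    def on_ack(self, src, sport, dst, dport, ack_seq, now):
        key = (src, sport, dst, dport)
        if self.syn_cookies:
            mss = check_cookie(*key, ack_seq, now)
            if mss is None:
                return False
        else:
            isn, mss = self.half_open.pop(key, (None, None))
            if isn is None or ack_seq != (isn + 1) & 0xFFFFFFFF:
                return False
        self.established[key] = mss
        return True


def simulate(syn_cookies, flood_size=500, backlog=128):
    """Spoofed SYNs that never complete the handshake, then one real client."""
    now = 1_700_000_000
    srv = Listener(backlog, syn_cookies)
    for i in range(flood_size):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, "192.0.2.1", 80, 1460, now)
    isn = srv.on_syn("198.51.100.7", 40000, "192.0.2.1", 80, 1460, now)
    ok = isn is not None and srv.on_ack(
        "198.51.100.7", 40000, "192.0.2.1", 80, (isn + 1) & 0xFFFFFFFF, now + 5)
    return {"legit_connected": ok, "half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns, "established": len(srv.established)}


if __name__ == "__main__":
    print("without cookies:", simulate(False))
    print("with cookies:   ", simulate(True))
```

The stale-cookie check bounds replay: a cookie is accepted only within one 64-second counter step of its issue. Real stacks (Linux's net.ipv4.tcp_syncookies, for example) switch to cookies only once the backlog fills, because a cookie cannot carry TCP options such as window scaling or SACK unless the stack encodes them elsewhere, such as in the TCP timestamp.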
19. Common Web Application
Diagram: users and the DDoS attack both reach an Application Load Balancer in a public subnet (ALB security group), which forwards to Amazon EC2 instances in a private subnet (web application security group).
20. ALB Scaling and Mitigation
Diagram: the public subnet now shows the Application Load Balancer scaled out to several nodes behind the ALB security group, with BlackWatch DDoS mitigation in front of them; users and the DDoS attack both arrive through that path.
21. Transit Diversity and Redundancy
Diagram: the us-east-1 region, hosting the DDoS-resilient web application, connected to the Internet through several internet exchanges.
22. Highly Resilient Web Application
Diagram: Amazon Route 53, Amazon CloudFront, AWS WAF and Amazon API Gateway in front of an Application Load Balancer in a public subnet (ALB security group) and Amazon EC2 instances in a private subnet (web application security group); users and the DDoS attack both arrive through the edge services.
23. Mitigate closer to the source
Diagram: internet exchanges at Tokyo, Singapore, Hong Kong, Dublin, London and Milan, each with BlackWatch DDoS mitigation, in front of the DDoS-resilient web services in us-east-1; the DDoS attack is absorbed at the exchange nearest its source rather than in the region.
26. Introduction to Crownpeak
• Crownpeak has pioneered the SaaS model for web content management systems since 2001
• We provide a full digital experience management suite, delivered entirely using Amazon Web Services
• We are headquartered in Los Angeles, CA, with offices in Denver, CO, and London, UK
27. Introduction to the Case Study
• Bank of New York Mellon at a glance:
  • $29.5 trillion assets under custody and/or administration
  • $1.7 trillion assets under management
  • 100+ markets worldwide
• Many websites managed and hosted by Crownpeak
• Committed to best-in-class cyber defense and threat protection
28. Baseline Architecture
Diagram: Amazon Route 53, Amazon CloudFront, an ELB load balancer in a public subnet (ELB security group) and Amazon EC2 instances in a private subnet (web application security group); users and the DDoS attack both arrive through CloudFront.
29. Hardened Architecture
Diagram: the baseline design with AWS WAF added at the Amazon CloudFront edge, and AWS Lambda and Amazon S3 alongside; Elastic Load Balancing in the public subnet (ELB security group), Amazon EC2 instances in the private subnet (web application security group); users and the DDoS attack both arrive through CloudFront and AWS WAF.
30. DDoS Testing
Test              | Description
HTTP GET baseline | Basic load test to establish thresholds at which mitigation devices activate
WILD HULK DDoS    | Obfuscation of source client, reference forgery, stickiness, URL transformation
WAF overload      | Parallel SQL injection and vulnerability scans

Metric                    | Average           | Peak
Concurrent attack vectors | 200               |
Requests sent             | 200 K/second      | 1 M+/second
Data volume returned      | 35-40 Gb/second   | 52 Gb/second
Data volume sent          | 2.5-3.5 Gb/second | 4.4 Gb/second
33. Conclusions and Final Recommendations
• Amazon CloudFront and AWS WAF are a highly effective defense against the most sophisticated Layer 7 attacks
• Best practices for best defense:
  • Invest time in limiting query string and header forwarding: eliminates many common attacks
  • Deploy an HTTP->HTTPS redirect at the edge: shields the origin from redirect floods
  • Implement an SNI-based infrastructure: many DDoS toolkits fail the TLS handshake
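Two of the three recommendations can be shown with a model of the edge cache. The following Python is an added example (not Crownpeak's configuration or CloudFront code) of a CDN edge whose cache key is built from the request path plus an allow-list of query parameters and headers, and which answers plain-HTTP requests with a redirect at the edge. It is run against a constructed layer-7 flood that appends a unique query parameter and User-Agent to every request: with everything forwarded, every request is a cache miss and reaches the origin; with an allow-list, the flood collapses to a single origin fetch, and the HTTP half of it never leaves the edge. The request shapes and the policy names are assumptions; the SNI/TLS-handshake point is not modelled.

```python
from collections import Counter


class EdgeCache:
    """Model of a CDN edge in front of an origin (constructed example, not
    CloudFront code). The cache key is built from the path plus whichever query
    parameters and headers the policy forwards; anything forwarded is keyed, so
    forwarding a value the attacker controls turns every request into a miss."""

    def __init__(self, forward_query=None, forward_headers=None, redirect_http=False):
        # None means "forward everything"; a set is an allow-list.
        self.forward_query = forward_query
        self.forward_headers = forward_headers
        self.redirect_http = redirect_http
        self.cache = set()
        self.stats = Counter()

    def _key(self, req):
        q = req["query"]
        if self.forward_query is not None:
            q = {k: v for k, v in q.items() if k in self.forward_query}
        h = req["headers"]
        if self.forward_headers is not None:
            h = {k: v for k, v in h.items() if k in self.forward_headers}
        return (req["path"], tuple(sorted(q.items())), tuple(sorted(h.items())))

    def serve(self, req):
        if req["scheme"] == "http" and self.redirect_http:
            self.stats["redirect"] += 1              # 301 answered at the edge
            return "redirect"
        key = self._key(req)
        if key in self.cache:
            self.stats["hit"] += 1
            return "hit"
        self.cache.add(key)
        self.stats["origin"] += 1                    # miss: the origin does the work
        return "miss"


def attack_requests(n=1000):
    """Layer-7 flood: same page, unique cache-buster and User-Agent per request,
    half of it over plain HTTP (constructed)."""
    return [{"scheme": "http" if i % 2 else "https", "path": "/",
             "query": {"page": "home", "cb": str(i)},
             "headers": {"User-Agent": f"bot/{i}", "Host": "www.example.com"}}
            for i in range(n)]


def run(edge, requests):
    """Serve every request through the edge; returns {outcome: count}."""
    for r in requests:
        edge.serve(r)
    return dict(edge.stats)


if __name__ == "__main__":
    reqs = attack_requests()
    print("forward everything:           ", run(EdgeCache(), reqs))
    print("allow-list query only:        ", run(EdgeCache(forward_query={"page"}), reqs))
    print("allow-list query and headers: ",
          run(EdgeCache(forward_query={"page"}, forward_headers={"Host"}), reqs))
    print("allow-list plus edge redirect:",
          run(EdgeCache(forward_query={"page"}, forward_headers={"Host"},
                        redirect_http=True), reqs))
```

The second run is the trap the slide warns about: trimming the query string is not enough if a varying header such as User-Agent is still forwarded, because the origin still sees every request.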
41. Options
• Reduce your attackable surface area
• Filter unwanted traffic
• DNS protection
• Protect API endpoint
• Restrict access
• Scale to absorb
• Size appropriately
• Reduce blast radius
• Move the target
42. Reduce the Blast Radius
Diagram: one instance in one subnet behind one security group serves all players, so the DDoS attack on that instance affects every player.
43. Reduce the Blast Radius
Diagram: players spread across several instances in the subnet, each instance behind its own security group, so the DDoS attack on one instance affects only that instance's players.
44. Restrict Access – Security Groups
Diagram: one instance in a subnet behind a security group; players and the DDoS attack both arrive at the security group, which admits only the traffic it is configured to allow.
46. Move the Target
• Use Elastic IP addresses
• Don't use contiguous IP addresses
Diagram: several instances in a subnet, each reachable through its own Elastic IP; the DDoS attack lands on one Elastic IP while players are served through another.
47. TeamSpeak3 on EC2
• TeamSpeak3 is voice communication software
• Popular with online computer gamers
• Common DDoS target
60. Results
                          | Before     | After
Attacks per month         | 50         | 5
Users affected per attack | 2000       | 200
Duration per attack       | 15 minutes | 90 seconds
User minutes per month    | 1,500,000  | 1,500
(user minutes = attacks per month × users affected × duration)
64. Need Help?
Step 1: Click "Create Case"
Step 2: Select "Distributed Denial of Service (DDoS)"
Step 3: Select the category and severity and write a subject and description
Step 4: Talk to a DDoS expert
65. AWS Best Practices for DDoS Resiliency
• Types of DDoS attacks
• Mitigation techniques
• Attack surface reduction
• Operational techniques
Download from
https://aws.amazon.com/security
AWS Best Practices for DDoS Resiliency
June 2016
66. Thank you!
Learn more about DDoS mitigation on AWS
at https://aws.amazon.com/security