This document discusses mitigating DDoS attacks on AWS. It outlines five common DDoS attack vectors: UDP reflection attacks, UDP floods, TCP SYN floods, web application layer attacks, and DNS query floods. It then discusses four AWS use cases for DDoS mitigation: protecting common web applications, highly resilient web applications, video game development applications, and voice communication applications. The document provides details on how AWS security services like AWS WAF, CloudFront, and Route 53 can help detect and mitigate DDoS attacks. It also includes a case study of how Crownpeak implemented DDoS resiliency for the Bank of New York Mellon websites.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Adrian Newby, CTO, CrownPeak
David Grampa, Founder, TypeFrag.com
Andrew Kiggins, AWS Solutions Architect
Jeffrey Lyon, AWS Operations Manager
November 29, 2016
SEC310
Mitigating DDoS Attacks on AWS
Five Vectors and Four Use Cases

2. In this session, you will learn about …
Five DDoS Attack Vectors
1. UDP reflection attacks
2. UDP floods
3. TCP SYN floods
4. Web application layer attacks
5. DNS query floods
Four AWS Use Cases
1. Common web application
2. Highly-resilient web application
3. Video game development
4. Voice communication

3. DDoS attacks

4. DDoS attacks can …
• Target networks with large volumes of traffic
• Target systems with large volumes of connections
• Target services with large volumes of requests

5. Vector #1: UDP Reflection Attacks
• Attacker sends spoofed request to UDP service
• Spoofed IP is that of the victim
• Asymmetric: UDP service responds with large payload
Network Traffic | System Connections | Service Requests

6. 20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300
20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307
20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302
20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323
20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268
Vector #1: UDP Reflection Attacks
Clear signature
Many requests from suspicious
source port
Large packet size
Flood of traffic is easy to
generate
UDP protocol
Clear indicator of suspicious activity if
destination does not use UDP
Network Traffic | System Connections | Service Requests

7. 20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024
20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024
20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024
20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024
20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024
Vector #2: UDP floods
Ambiguous
Source port may be difficult to
distinguish
Packet size
Defined by attacker
UDP protocol
Clear indicator of suspicious activity if
destination does not use UDP
Network Traffic | System Connections | Service Requests

8. Vector #3: TCP SYN Floods
• Flood of many connections targeting a system
• Very small packets
• Connections are left half-open, state table exhaustion
Network Traffic | System Connections | Service Requests

9. tcp 0 0 192.0.2.1:80 91.64.4.146:64979 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.24.103.112:4005 SYN_RECV -
tcp 0 0 192.0.2.1:80 79.223.69.239:61510 SYN_RECV -
tcp 0 0 192.0.2.1:80 67.86.135.44:43312 SYN_RECV -
tcp 0 0 192.0.2.1:80 86.88.67.226:50600 SYN_RECV -
tcp 0 0 192.0.2.1:80 173.20.137.110:3813 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.58.10.121:4878 SYN_RECV -
tcp 0 0 192.0.2.1:80 91.37.40.151:2408 SYN_RECV -
tcp 0 0 192.0.2.1:80 173.20.137.110:3441 SYN_RECV -
Vector #3: TCP SYN Floods
Half-open connections
We sent SYN-ACK, ACK never received
TCP protocol
Many connections destined to HTTP service
Network Traffic | System Connections | Service Requests

10. Vector #4: Web Application Layer Attacks
• Malicious web requests that look like real users
• Impact availability or scrape site content
• Mitigate using a WAF
• Block abusive IP’s, user agents, etc.
• Rate-based blacklisting
Network Traffic | System Connections | Service Requests

11. Vector #5: DNS Query Floods
• Many legitimate DNS queries can exhaust host capacity
• Random queries can “cache bust” recursive DNS (eg.
ezspobmzlanungyp.www.example.com)
• Authoritative DNS compelled to respond
Network Traffic | System Connections | Service Requests

12. DDoS Mitigation on AWS

13. Conventional DDoS Mitigation
Conventional data center
DDoS attack
Users DDoS mitigation service

14. DDoS Mitigation on AWS
• Built into the AWS global
infrastructure
• Fast mitigation without external
routing
• Protection of availability, latency, and
throughput

15. DDoS Attacks and Mitigation
• “BlackWatch” systems protect AWS, mitigate large
volume attacks
• Methods:
• Allow only traffic valid for the service
• SYN proxy/cookies when high levels of SYN==1 detected
• Suspicion-based traffic shaping

16. Suspicion-Based Traffic Shaping
• Prioritize reliable traffic
• Deprioritize spikes of traffic:
• Abnormal sources (networks, geos)
• Abnormal ports and protocols
• Abnormal packet or request characteristics
• Leverage AWS scale, minimize false positives

17. Suspicion-Based Traffic Shaping

18. Protecting Web Applications

19. Common Web Application
ALB security group
Amazon
EC2
instances
Application
Load Balancer
Public subnet
Web application
security group
Private subnet
DDoS
attack
Users

20. ALB Scaling and Mitigation
ALB security group
Application
Load
Balancer
Public subnet
DDoS
attack
Users
Application
Load
Balancer
Application
Load
Balancer
Application
Load
Balancer
BlackWatch
DDoS
mitigation

21. Transit Diversity and Redundancy
Internet
exchange
Internet
exchange
Internet
exchange
us-east-1
DDoS-resilient web
application

22. Highly Resilient Web Application
Amazon
Route 53
ALB security group
Amazon
EC2
instances
Application
Load Balancer
Amazon
CloudFront
Public subnet
Web application
security group
Private subnet
AWS WAF
Amazon
API Gateway
DDoS
attack
Users

23. Mitigate closer to the source
Internet
exchange
Tokyo Singapore Hong Kong Dublin London Milan
Internet
exchange
Internet
exchange
Internet
exchange
Internet
exchange
Internet
exchange
us-east-1
BlackWatch
DDoS
mitigation
DDoS attack
DDoS resilient web
services

24. Globally Distributed Capacity

25. Case Study:
Crownpeak / BNY Mellon

26. Introduction to Crownpeak
• Crownpeak has pioneered the SaaS model for web
content management systems since 2001
• We provide a full digital experience management suite,
delivered entirely using Amazon Web Services
• We are headquartered in Los Angeles, CA, with offices
in Denver, CO, and London, UK

27. Introduction to the Case Study
• Bank of New York Mellon at a
glance:
• $29.5 trillion assets under custody
and/or administration
• $1.7 trillion assets under
management
• 100+ markets worldwide
• Many websites managed and
hosted by Crownpeak
• Committed to best-in-class cyber
defense and threat protection

28. Baseline Architecture
Amazon
Route 53
ELB security group
Amazon
EC2
instances
ELB load
balancer
Amazon
CloudFront
Public subnet
Web application
security group
Private subnet
DDoS
attack
Users

29. Hardened Architecture
Amazon
Route 53
ELB security group
Amazon
EC2
instances
Elastic Load
Balancing
Amazon
CloudFront
Public subnet
Web application
security group
Private subnet
AWS WAFDDoS
attack
Users
AWS
Lambda
Amazon
S3

30. DDoS Testing
Test Description
HTTP GET baseline Basic load test to establish thresholds at which
mitigation devices activate
WILD HULK DDoS Obfuscation of source client, reference forgery,
stickiness, URL transformation
WAF overload Parallel SQL injection and vulnerability scans
Metric Ave / Peak
Concurrent attack vectors 200
Requests sent 200 K/second (ave), 1 M+/second (peak)
Data volume returned 35-40 Gb/second (ave), 52 Gb/second (peak)
Data volume sent 2.5-3.5 Gb/second (ave), 4.4 Gb/second (peak)

31. Test Results

32. How Far Can You Push These Technologies?

33. Conclusions and Final Recommendations
• Amazon CloudFront, AWS WAF are a highly effective
defense against the most sophisticated Layer 7 attacks
• Best practices for best defense:
Eliminates many common attacks
Invest time in limiting query
string and header forwarding
Shields the origin from redirect floods
Deploy HTTP->HTTPS
redirect at the edge
Many DDoS toolkits fail TLS handshake
Implement an SNI-based
infrastructure

34. DDoS-Resilient Architecture on
Amazon EC2

35. VPC Flow Logs, Security Groups, Network ACLs Primer
VPC public subnet VPC private subnet
10.200.0.0/16
10.200.150.0/2410.200.99.0/24
Route
table
Route
table
Flow
logs
Instance
Instance
Application
Security
Group
WebServer
Security
Group
Ingress Rule
0.0.0.0/0 : 80
Egress Rule
0.0.0.0/0 : ANY
ApplicationSecurityGroup:8443
Ingress Rule
WebServerSecurityGroup: ANY
Egress Rule
0.0.0.0/0 : ANY
Works like a firewall
Internet
gateway
NAT
gateway

36. VPC Flow Logs, Security Groups, Network ACLs Primer
Internet
gateway
VPC public subnet VPC private subnet
10.200.0.0/16
10.200.150.0/2410.200.99.0/24
Route
table
Route
table
Instance
Application
Security
Group
WebServer
Security
Group
NAT
gateway
Flow
logs
Instance
Works like NetFlow
srcIP, dstIP, srcPort, dstPort, protocol, accept/reject

37. VPC Flow Logs, Security Groups, Network ACLs Primer
Internet
gateway
VPC public subnet VPC private subnet
10.200.0.0/16
Route
table
NAT
gateway
Route
table
Flow
logs Application
Security
Group
WebServer
Security
Group
10.200.150.0/2410.200.99.0/24
Instance
Instance
Works like router ACLs

38. Amazon EC2 for Game Developers
• Web portals
• Game servers
• Matching servers
• Relay servers

39. Web Portal = The Usual Suspects
Amazon
Route 53
ELB security group
Amazon
EC2
instances
ELB / ALB
Amazon
CloudFront
Public subnet
Web application
security group
Private subnet
AWS WAF
Amazon
API Gateway
DDoS
attack
Users

40. Game Servers, Match Servers, Relays
• UDP vs TCP
• Latency
• Scaling

41. Options
• Reduce your attackable surface area
• Filter unwanted traffic
• DNS protection
• Protect API endpoint
• Restrict access
• Scale to absorb
• Size appropriately
• Reduce blast radius
• Move the target

42. Reduce the Blast Radius
Security group
Subnet
Players
Instance
Players
Players
Players
DDoS
attack

43. Security group
Security group Security group
Reduce the Blast Radius
Security group
Subnet
Players
Instance
Players
Players
Players
Players
DDoS
attack
Instance
Instance
Instance
Instance
Security group

44. Restrict Access – Security Groups
Subnet
Players
Players
Players
Players
Players
DDoS
attack
Instance
Security group

45. Restrict Access – Host-Based
Subnet
Players
Players
Players
Players
Players
DDoS
attack
Instance
Security group

46. Security group
Security group Security group
Move the Target
• Use elastic IP
addresses
• Don’t use
contiguous IP
addresses
Instance
Elastic IP
SubnetPlayers
Players
DDoS
attack
Instance
Elastic IP
Instance

47. TeamSpeak3 on EC2
• TeamSpeak3 is voice communication software
• Popular with online computer gamers
• Common DDoS target

48. TeamSpeak3 on EC2

49. Resiliency
1. Leverage AWS global infrastructure
2. Minimize attack surface
3. Reduce blast radius
4. Automatically mitigate attacks
5. Analyze and learn from attacks

50. Attack Surface
Amazon
Route 53
Users
Instance
Subnet
One network ACL per VPC subnet
One VPC subnet per instance
Elastic IP
NetworkACL

51. Attack Surface

52. Blast Radius
Amazon
Route 53
Users
AZ #1 AZ #2 AZ #3

53. Blast Radius
Amazon
Route 53
Users
AZ #1 AZ #2 AZ #3
Attack

54. Attack Mitigation
Attack
Amazon
Route 53
Users
Instance
Subnet
NetworkACL
Elastic IP
DDoS attack begins
CloudWatch AWS Lambda

55. Attack Mitigation
Attack
Amazon
Route 53
Users
Instance
Subnet
NetworkACL
Elastic IP
CloudWatch AWS Lambda
1 DDoS attack detected

56. Attack Mitigation
Attack
Amazon
Route 53
Users
Instance
Subnet
NetworkACL
Elastic IP
CloudWatch AWS Lambda
1
2
Elastic IP address changed
Elastic IP

57. Attack Mitigation
Attack
Amazon
Route 53
Users
Instance
Subnet
NetworkACL
Elastic IP
CloudWatch AWS Lambda
1
2
Elastic IP
3
Route 53 DNS updated

58. Attack Mitigation
Amazon
Route 53
Users
Instance
Subnet
NetworkACL
Elastic IP
CloudWatch AWS Lambda
DDoS attack mitigated

59. Demo: Attack Mitigation with EIP Swapping

60. Results
Before After
50 attacks per month
2000 users affected per attack
15 minutes per attack
5 attacks per month
200 users affected per attack
90 seconds per attack
1,500,000
user minutes
1,500
user minutes

61. Attack Analysis
Amazon S3
Amazon
CloudFront
Amazon
SimpleDB
Amazon S3
Amazon API
Gateway
Amazon
Lambda
VPC
Flow Logs
Single-page app REST-based API
User

62. Attack Analysis

63. DDoS Mitigation Support

64. Need Help?
Step 1
Click “Create Case”
Step 2
Select “Distributed Denial of Service
(DDoS)”
Step 3
Select the category and severity and write a
subject and description
Step 4
Talk to a DDoS expert

65. AWS Best Practices for DDoS Resiliency
• Types of DDoS attacks
• Mitigation techniques
• Attack surface reduction
• Operational techniques
Download from
https://aws.amazon.com/security
AWS Best Practices for DDoS Resiliency
June 2016

66. Thank you!
Learn more about DDoS mitigation on AWS
at https://aws.amazon.com/security

67. Remember to complete
your evaluations!
Remember to complete
your evaluations!