(SEC306) Defending Against DDoS Attacks
Transcript
Page 1
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins, AWS SDM
Jeffrey Lyon, AWS Operations Manager
October 2015
SEC306
Defending Against DDoS Attacks
Page 2
Goals
Page 3
Useful background
Page 4
Common attacks
Pages 5–8
Headlines shown on the slides:
CRIMINALS EXTORT BUSINESSES VIA DDOS ATTACKS
DDOS ATTACKS ARE GETTING MUCH MORE POWERFUL
MEGA ATTACKS ARE ON THE RISE
THE NEW NORMAL: 200 – 400 GBPS DDOS ATTACKS
Page 9
1.04 Gbps: Average size of a DDoS attack
39 minutes: Average duration of > 10 Gbps attacks
85%: DDoS attacks that target network and service infrastructure
Source: Arbor Networks
Pages 10–13
Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
State-exhaustion DDoS attacks
Type of protocol abuse that stresses systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
Application-layer DDoS attacks
Less frequently, an attacker will use well-formed connections to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
Pages 14–19
DDoS attack trends
65% Volumetric
20% State exhaustion
15% Application layer
Volumetric: SSDP reflection attacks are very common. Reflection attacks have clear signatures, but can consume available bandwidth. Other common volumetric attacks: NTP reflection, DNS reflection, Chargen reflection, SNMP reflection.
State exhaustion: SYN floods can look like real connection attempts. And on average, they're larger in volume. They can prevent real users from establishing connections.
Application layer: DNS query floods are real DNS requests. They can also go on for hours and exhaust the available resources of the DNS server. Other common application layer attacks: HTTP GET flood, Slowloris.
Page 20
Volumetric: UDP amplification
Page 21
Volumetric amplification factors

| Vector  | Factor  | Common cause                        |
|---------|---------|-------------------------------------|
| SSDP    | 30.8    | uPnP services exposed to Internet   |
| NTP     | 556.9   | Time servers with monlist enabled   |
| DNS     | 28 - 54 | Open resolvers                      |
| Chargen | 358.8   | Enabled Chargen service             |
| SNMP    | 6.3     | Open SNMP services                  |

Source: US-CERT
Page 22
DDoS attacks with multiple vectors
85% Single vector
15% Multi-vector
Pages 23–29
Attackers are persistent
Diagram, built up across the slides, of successive attack vectors over 6 hours:
UDP/161 – SNMP amplification
UDP fragments
UDP/1900 – SSDP reflection
UDP/1900 – SSDP reflection
UDP/123 – NTP reflection
Page 30
Mitigations
Page 31
AWS Shared Responsibility Model
Page 32
Before DDoS mitigation
Diagram: users and a DDoS attack both reaching a conventional data center directly
Page 33
Conventional DDoS mitigation services
Diagram: a DDoS mitigation service sits between the users, the DDoS attack, and the conventional data center
Resilient by design
IP ICMP
TCP
UDP
not
DNS
![Page 35: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/35.jpg)
Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
CloudFront
![Page 36: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/36.jpg)
Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
CloudFront
![Page 37: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/37.jpg)
Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
Route 53
Amazon
CloudFront
![Page 38: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/38.jpg)
Resilient by design
IP ICMP
TCP
Elastic Load
Balancing
UDP
not
DNS
Amazon
Route 53
Amazon
CloudFront
![Page 39: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/39.jpg)
DDoS mitigation for AWS infrastructure
virtual private cloud
AWS global infrastructure
DDoS attack
Users
AWS
DDoS mitigation
AWS
DDoS mitigation
CloudFrontRoute 53
Page 40
Basic hygiene
Examples:
• IP: checksum
• TCP: valid flags
• UDP: payload length
• DNS: request validation
Pages 41–42
Packet prioritization
Page 43
Priority-based traffic shaping
Page 44
Mitigation: Detection and traffic engineering
Pages 45–48
Target identification in shared space
• Each IP set has a unique combination
• Allows target identification
• Enables new options for mitigation
Diagram, built up across the slides: users and a DDoS attack arrive at an edge location that serves several distributions
Pages 49–54
Traffic engineering
Diagram, built up across the slides, of the options against a DDoS attack: Mitigate, Isolate, Vacate, Disperse
Page 55
Architecture
Page 56
Architecting on AWS for DDoS resiliency
Page 57
Architecture: Volumetric
Page 58
Why does this matter?
Why does this matter?
![Page 59: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/59.jpg)
CloudFront – DNS reflection
• Simultaneous DNS reflection and UDP flood
• Automatically discarded by CloudFront
• No impact on CloudFront or CloudFront customers
![Page 60: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/60.jpg)
CloudFront – DNS reflection
• Simultaneous DNS reflection and UDP flood
• Automatically discarded by CloudFront
• No impact on CloudFront or CloudFront customers
Page 61
Common vector – SSDP
srcPort=1900
Payload = HTTP/1.1…
Page 62
Common vector – NTP
srcPort=123
Payload = MON_GETLIST
Page 63
Common vector – DNS reflection
srcPort=53
DNS response
Larger payload
Page 64
Other vectors – RIPv1, Chargen, SNMP
• UDP based
• Reflection
• Amplification
• Unusual sources
• Abnormal payload
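The hygiene checks on page 40 (IP checksum, TCP flags, UDP length) and the reflection signatures on pages 61–64 (srcPort 1900 with an HTTP/1.1 payload, srcPort 123 with MON_GETLIST data, large DNS responses from srcPort 53) can be combined into a first-pass triage classifier. The following is an added example, not code from the deck or from AWS: it runs over constructed packet records (not captures), and the `Packet` fields, the 512-byte cut-off for "larger payload", and the NTP mode-7 request codes 20 and 42 used to recognise MON_GETLIST replies are choices made here.

```python
"""Triage constructed packets: drop hygiene failures, flag reflection vectors."""
from collections import Counter
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits
LARGE_DNS_RESPONSE = 512          # chosen cut-off: answers past the classic UDP limit
NTP_MODE_PRIVATE = 7              # ntpd private (mode 7) protocol that carries monlist
NTP_REQ_MON_GETLIST, NTP_REQ_MON_GETLIST_1 = 20, 42

@dataclass
class Packet:
    proto: str                    # "tcp" or "udp"
    src_port: int
    dst_port: int
    ip_checksum_ok: bool = True   # result of the IP header checksum verification
    payload: bytes = b""
    tcp_flags: int = 0            # TCP only
    udp_length: int = -1          # value of the UDP length header field (UDP only)

def tcp_flags_valid(flags: int) -> bool:
    """Flag combinations that no legitimate TCP stack sends."""
    if flags == 0:                                  # null segment
        return False
    if flags & SYN and flags & (FIN | RST):         # SYN+FIN, SYN+RST
        return False
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):   # data flags need ACK
        return False
    return True

def is_ssdp_reflection(p: Packet) -> bool:
    return p.src_port == 1900 and p.payload.startswith(b"HTTP/1.1")

def is_ntp_monlist_reflection(p: Packet) -> bool:
    # byte 0 = R(1) M(1) Version(3) Mode(3); byte 3 = request code
    if p.src_port != 123 or len(p.payload) < 4:
        return False
    b0, req = p.payload[0], p.payload[3]
    is_response = bool(b0 & 0x80)
    return (is_response and (b0 & 0x07) == NTP_MODE_PRIVATE
            and req in (NTP_REQ_MON_GETLIST, NTP_REQ_MON_GETLIST_1))

def is_dns_reflection(p: Packet) -> bool:
    # byte 2 bit 7 is QR (1 = response); reflection floods are oversized responses
    if p.src_port != 53 or len(p.payload) < 12:
        return False
    return bool(p.payload[2] & 0x80) and len(p.payload) > LARGE_DNS_RESPONSE

def classify(p: Packet) -> str:
    """'drop:<reason>' for hygiene failures, 'suspect:<vector>' for reflection, else 'pass'."""
    if not p.ip_checksum_ok:
        return "drop:ip-checksum"
    if p.proto == "tcp" and not tcp_flags_valid(p.tcp_flags):
        return "drop:tcp-flags"
    if p.proto == "udp":
        if p.udp_length != 8 + len(p.payload):      # UDP header is 8 bytes
            return "drop:udp-length"
        if is_ssdp_reflection(p):
            return "suspect:ssdp-reflection"
        if is_ntp_monlist_reflection(p):
            return "suspect:ntp-monlist-reflection"
        if is_dns_reflection(p):
            return "suspect:dns-reflection"
    return "pass"

def triage(packets) -> Counter:
    return Counter(classify(p) for p in packets)

def udp(src, dst, payload, length=None, **kw) -> Packet:
    """Build a UDP packet whose length field is consistent unless overridden."""
    return Packet("udp", src, dst, payload=payload,
                  udp_length=8 + len(payload) if length is None else length, **kw)

# Constructed sample traffic (not a capture): one benign packet per protocol plus
# one packet matching each signature or hygiene failure.
DNS_RESPONSE_HDR = b"\x12\x34\x81\x80" + b"\x00" * 8     # QR=1, 12-byte header
SAMPLE = [
    Packet("tcp", 40000, 443, tcp_flags=SYN),              # normal handshake start
    Packet("tcp", 40001, 443, tcp_flags=SYN | FIN),        # impossible flag pair
    Packet("tcp", 40002, 80, tcp_flags=0),                 # null segment
    Packet("tcp", 40003, 80, ip_checksum_ok=False, tcp_flags=ACK),
    udp(1900, 54321, b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"),
    udp(123, 54321, b"\xd7\x00\x03\x2a" + b"\x00" * 60),   # mode-7 MON_GETLIST_1 reply
    udp(123, 54321, b"\x1c" + b"\x00" * 47),               # ordinary NTP server reply
    udp(53, 54321, DNS_RESPONSE_HDR + b"\x00" * 3000),     # oversized DNS answer
    udp(53, 54321, DNS_RESPONSE_HDR + b"\x00" * 40),       # small, normal answer
    udp(55555, 53, b"\x00" * 30, length=8 + 1000),         # UDP length field lies
]

if __name__ == "__main__":
    for reason, n in sorted(triage(SAMPLE).items()):
        print(f"{n:3d}  {reason}")
```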
Page 65
ELB Scaling
Diagram: users reach an ELB in the DMZ public subnet (security group), which forwards to front-end server instances in a private subnet (security group)
Pages 66–72
Route 53 health checks on ELB instances
Diagram, built up across the slides: Route 53 health checks against several ELBs and their instances (behind security groups) serving users; the final build adds a DDoS attack against one of the ELBs
Page 73
Minimize the attack surface
Amazon Virtual Private Cloud (VPC)
• Allows you to define a virtual network in your own logically isolated area on AWS
• Allows you to hide instances from the Internet using security groups and network access control lists (NACLs)
Page 74
Security in your VPC
Security groups
• Operate at the instance level (first layer of defense)
• Support allow rules only
• Stateful: return traffic is automatically allowed
• All rules are evaluated before deciding whether to allow traffic
Network ACLs
• Operate at the subnet level (second layer of defense)
• Support allow and deny rules
• Stateless: return traffic must be explicitly allowed
• Rules are processed in order
Pages 75–78
Reference VPC architecture (diagram, built up across the slides)
Amazon VPC containing:
• DMZ public subnet: ELB, NAT, SSH bastion, each with its own security group
• Front-end private subnet: Amazon EC2 web app server, with a security group
• Back-end private subnet: Amazon EC2 MySQL db, with a security group
Flows labelled on the diagram:
• Users to ELB: TCP 80/443
• ELB to web app server: TCP 8080
• Web app server to MySQL db: TCP 3306
• Admin to SSH bastion: TCP 22
• NAT to Internet: TCP outbound
Pages 79–80
Reference security groups
Page 81
Reference network ACL
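To make the four properties of security groups and network ACLs on page 74 concrete against the reference VPC of pages 75–81, here is an added example (not AWS code, and not the deck's own reference tables): a small evaluator that applies allow-only, evaluate-all-rules, stateful semantics for security groups and numbered, first-match, allow-or-deny, stateless semantics for NACLs. The rule sets, group names and CIDRs are constructed; the flows use documentation address ranges.

```python
"""Evaluate flows against constructed security groups and network ACLs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"
    src_sg: Optional[str] = None   # security group of the sender, if it is an instance in the VPC

@dataclass(frozen=True)
class SGRule:                      # security groups carry allow rules only
    proto: str
    port_from: int
    port_to: int
    source: str                    # a CIDR, or "sg:<name>" to reference another group

@dataclass(frozen=True)
class NaclRule:                    # network ACL rules are numbered and may allow or deny
    number: int
    action: str
    proto: str                     # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str

def sg_allows(rules: List[SGRule], flow: Flow) -> bool:
    """Every rule is evaluated and any match admits the flow; with no deny rules,
    anything unmatched is dropped. Stateful: the reply needs no rule of its own."""
    for r in rules:
        if r.proto != flow.proto or not r.port_from <= flow.dst_port <= r.port_to:
            continue
        if r.source.startswith("sg:"):
            if flow.src_sg == r.source[3:]:
                return True
        elif ip_address(flow.src) in ip_network(r.source):
            return True
    return False

def nacl_allows(rules: List[NaclRule], remote: str, proto: str, port: int) -> bool:
    """Rules are processed in ascending number order and the first match decides;
    the implicit '*' rule at the end denies everything else."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "all" and (r.proto != proto or not r.port_from <= port <= r.port_to):
            continue
        if ip_address(remote) in ip_network(r.cidr):
            return r.action == "allow"
    return False

def evaluate(flow: Flow, sg: List[SGRule], nacl_in: List[NaclRule], nacl_out: List[NaclRule]) -> dict:
    """One request into a subnet: the inbound NACL, the instance's security group and,
    because NACLs are stateless, the outbound NACL for the reply to the client's
    ephemeral port. The security group is stateful, so it is checked once."""
    steps = {
        "nacl_in": nacl_allows(nacl_in, flow.src, flow.proto, flow.dst_port),
        "security_group": sg_allows(sg, flow),
        "nacl_reply": nacl_allows(nacl_out, flow.src, flow.proto, flow.src_port),
    }
    steps["allowed"] = all(steps.values())
    return steps

# Constructed rule sets mirroring the reference diagram (documentation address ranges).
ANY, ADMIN_NET, BAD_NET = "0.0.0.0/0", "203.0.113.0/24", "198.51.100.0/24"
FRONTEND_SUBNET = "10.0.1.0/24"
EPHEMERAL = (1024, 65535)
SG = {
    "elb":     [SGRule("tcp", 80, 80, ANY), SGRule("tcp", 443, 443, ANY)],
    "web":     [SGRule("tcp", 8080, 8080, "sg:elb")],     # only the ELB may reach 8080
    "db":      [SGRule("tcp", 3306, 3306, "sg:web")],     # only web servers may reach MySQL
    "bastion": [SGRule("tcp", 22, 22, ADMIN_NET)],
}
DMZ_NACL_IN = [
    NaclRule(50,  "deny",  "all", 0, 65535, BAD_NET),     # lowest number: evaluated first
    NaclRule(100, "allow", "tcp", 80, 80, ANY),
    NaclRule(110, "allow", "tcp", 443, 443, ANY),
    NaclRule(120, "allow", "tcp", 22, 22, ADMIN_NET),
    NaclRule(130, "allow", "tcp", *EPHEMERAL, ANY),       # replies to the NAT's own outbound requests
]
DMZ_NACL_OUT = [
    NaclRule(100, "allow", "tcp", *EPHEMERAL, ANY),       # replies to clients (stateless!)
    NaclRule(110, "allow", "tcp", 8080, 8080, FRONTEND_SUBNET),
    NaclRule(120, "allow", "tcp", 443, 443, ANY),         # NAT egress
]

USER_HTTPS  = Flow("192.0.2.10", 51000, "10.0.0.5", 443)
BLOCKED_NET = Flow("198.51.100.7", 51000, "10.0.0.5", 443)
DIRECT_8080 = Flow("192.0.2.10", 51000, "10.0.1.20", 8080)                 # skips the ELB
ELB_TO_WEB  = Flow("10.0.0.5", 40000, "10.0.1.20", 8080, src_sg="elb")
ADMIN_SSH   = Flow("203.0.113.9", 52000, "10.0.0.7", 22)

if __name__ == "__main__":
    print("user -> ELB 443       ", evaluate(USER_HTTPS, SG["elb"], DMZ_NACL_IN, DMZ_NACL_OUT))
    print("blocked net -> ELB    ", evaluate(BLOCKED_NET, SG["elb"], DMZ_NACL_IN, DMZ_NACL_OUT))
    print("user -> web 8080      ", sg_allows(SG["web"], DIRECT_8080))
    print("ELB -> web 8080       ", sg_allows(SG["web"], ELB_TO_WEB))
    print("no ephemeral out rule ", evaluate(USER_HTTPS, SG["elb"], DMZ_NACL_IN, DMZ_NACL_OUT[1:]))
```

Dropping the ephemeral-port outbound rule in the last line shows the stateless property: the request is admitted but the reply is not.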
Pages 82–83
Be ready to scale and absorb
Route 53
• Highly available, scalable DNS service
• Uses anycast routing for low latency
CloudFront
• Improves performance by caching content and optimizing connections
• Disperses traffic across global edge locations
• DDoS attacks are absorbed close to the source
Page 84
Be ready to scale and absorb
Elastic Load Balancing
• Fault tolerance for applications
• Automatic scaling
• Multiple Availability Zones
AWS global presence and redundancy
![Page 86: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/86.jpg)
AWS global presence and redundancy
InternetConnection C
InternetConnection A
InternetConnection B
![Page 87: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/87.jpg)
AWS global presence and redundancy
CloudFront
ValidObject Request
InvalidProtocol
InvalidObject Request
![Page 88: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/88.jpg)
AWS global presence and redundancy
ELB
TCP
UDP
![Page 89: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/89.jpg)
AWS global presence and redundancy
Route A
Route B
Route C
users
![Page 90: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/90.jpg)
AWS global presence and redundancy
ELB
instances
Availability Zone
ELB
instances
Availability Zone
ELB
![Page 91: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/91.jpg)
Route 53 anycast routing
How do I get toexample.com?
![Page 92: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/92.jpg)
Route 53 anycast routing
How do I get toexample.com?
.org
.co.uk
This way!
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!
![Page 93: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/93.jpg)
Route 53 anycast routing
How do I get toexample.com?
.org
.co.uk
This way!
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!
![Page 94: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/94.jpg)
Route 53 anycast routing
How do I get toexample.com?
.org
.co.uk
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!
This way!
.net
![Page 95: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/95.jpg)
Route 53 anycast routing
How do I get toexample.com?
.org
.co.uk
This way!
This way!
.com
.net
This way!
.co.uk
This way!
.net
.org
This way!
.com
This way!
This way!
This way!
.net
![Page 96: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/96.jpg)
Architecture: State exhaustion
![Page 97: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/97.jpg)
Why does this matter?
![Page 98: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/98.jpg)
Common vector – SYN flood
Flags=
SYN
Cookie
returned
![Page 99: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/99.jpg)
SYN proxy and SYN cookies
![Page 100: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/100.jpg)
SYN proxy and SYN cookies
![Page 101: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/101.jpg)
SYN proxy and SYN cookies
![Page 102: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/102.jpg)
SYN proxy and SYN cookies
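SYN cookies (pages 98–102) let a listener answer a SYN with a SYN-ACK whose sequence number encodes everything it would otherwise have to remember, so a flood of half-open connections costs it no memory. The following added example, not from the deck, models this in Python: a 32-bit cookie made of a coarse time slot, an MSS index and a keyed MAC, plus a constructed scenario comparing a backlog-based listener with a cookie-based one under incomplete handshakes. The bit layout, MSS table, validity window and listener classes are simplifications chosen here, not a kernel's implementation.

```python
"""SYN cookie construction/validation and a constructed backlog-vs-cookie comparison."""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit index can encode (4 used here)
COOKIE_WINDOW = 4                     # a cookie stays valid for this many time slots
MASK32 = 0xFFFFFFFF

def _mac(secret: bytes, src, sport, dst, dport, t, client_isn) -> bytes:
    """24-bit keyed MAC over the 4-tuple, the time slot and the client's ISN."""
    msg = f"{src}:{sport}>{dst}:{dport}|{t}|{client_isn}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]

def make_cookie(secret, src, sport, dst, dport, t, client_isn, client_mss) -> int:
    """Server ISN = bits 31..27: t mod 32, bits 26..24: MSS index, bits 23..0: MAC."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac(secret, src, sport, dst, dport, t, client_isn), "big")
    return ((t % 32) << 27) | (mss_idx << 24) | mac

def check_cookie(secret, src, sport, dst, dport, now, client_isn, ack):
    """Validate the final ACK of a handshake we kept no state for.
    Returns the negotiated MSS, or None if the cookie is forged or expired."""
    cookie = (ack - 1) & MASK32
    t_bits, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(COOKIE_WINDOW):          # try each still-valid time slot
        t = now - age
        if t % 32 != t_bits:
            continue
        if hmac.compare_digest(got, _mac(secret, src, sport, dst, dport, t, client_isn)):
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else MSS_TABLE[0]
    return None

class StatefulListener:
    """Classic backlog: each SYN holds a slot until its ACK arrives or it times out."""
    def __init__(self, backlog):
        self.backlog, self.half_open = backlog, {}
    def on_syn(self, src, sport, client_isn, mss, now):
        if len(self.half_open) >= self.backlog:
            return None                        # backlog full: the SYN is dropped
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport)] = isn
        return isn
    def on_ack(self, src, sport, client_isn, ack, now):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & MASK32
    def state_size(self):
        return len(self.half_open)

class CookieListener:
    """Keeps nothing per SYN; the SYN-ACK sequence number carries the state."""
    def __init__(self, dst="10.0.0.5", dport=443):
        self.secret, self.dst, self.dport = os.urandom(32), dst, dport
    def on_syn(self, src, sport, client_isn, mss, now):
        return make_cookie(self.secret, src, sport, self.dst, self.dport, now, client_isn, mss)
    def on_ack(self, src, sport, client_isn, ack, now):
        mss = check_cookie(self.secret, src, sport, self.dst, self.dport, now, client_isn, ack)
        return mss is not None
    def state_size(self):
        return 0

def simulate(listener, incomplete_syns, now=1000):
    """Constructed scenario: incomplete_syns SYNs whose ACK never arrives, then one
    real client handshake. Returns (real_client_connected, half_open_entries_held)."""
    for i in range(incomplete_syns):           # documentation-range sources, no ACKs
        listener.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 1000 + i, 1460, now)
    isn = listener.on_syn("192.0.2.10", 51000, 12345, 1460, now)
    if isn is None:
        return False, listener.state_size()
    ok = listener.on_ack("192.0.2.10", 51000, 12345, (isn + 1) & MASK32, now + 1)
    return ok, listener.state_size()

if __name__ == "__main__":
    print("stateful, backlog 128:", simulate(StatefulListener(128), 1000))
    print("SYN cookies:          ", simulate(CookieListener(), 1000))
```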
Page 103
Using custom proxies
Diagram: users and a DDoS attack reach NGINX proxies in the DMZ public subnet (security group), which forward to front-end server instances in a private subnet (security group)
Page 104
Architecture: Application layer
Page 105
Looks can be deceiving
Pages 106–107
Route 53
• DNS query flood targeting 34 of our edge locations
• Peak volume was in top 4% of all DDoS attacks
• Automatically detected and mitigated with no impact to availability
Safeguard exposed resources
![Page 109: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/109.jpg)
Resilient architecture
Web app
server
![Page 110: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/110.jpg)
Resilient architecture
UsersWeb app
server
![Page 111: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/111.jpg)
Resilient architecture
DDoS
UsersWeb app
server
![Page 112: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/112.jpg)
Resilient architecture
DDoS
Users
Auto Scaling
Web app
server
![Page 113: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/113.jpg)
Resilient architecture
Security group
DDoS
Users
Auto Scaling
Front-end servers
private subnet
Web app
server
![Page 114: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/114.jpg)
Resilient architecture
ELB
Security
group
DMZ
public subnet
Security group
WAF/proxy
private subnet
DDoS
Users
WAF
Auto
ScalingELB
Security
group
Auto Scaling
Security
group
Front-end servers
private subnet
Web app
server
![Page 115: (SEC306) Defending Against DDoS Attacks](https://reader031.vdocuments.us/reader031/viewer/2022030305/58707b301a28ab57368b51c9/html5/thumbnails/115.jpg)
Resilient architecture
ELB
Security
group
DMZ
public subnet
CloudFront
edge location
Security group
WAF/proxy
private subnet
DDoS
Users
WAF
Auto
ScalingELB
Security
group
Auto Scaling
Security
group
Front-end servers
private subnet
Web app
server
Page 116
Under attack?
Page 117
Help with architecture and mitigation
Resources
• Account manager, solutions architect
• Whitepaper: AWS Best Practices for DDoS Resiliency
• AWS Security Blog
AWS Support
• Business – Technical assistance by phone, chat, or email
• Enterprise – Fastest response time. Dedicated technical account manager (TAM).
Page 118
Information to provide AWS Support
• Instances (IPs help!), distributions, zones under attack
• Location
• Time
• Vector
• Sources
• Intel
Page 119
AWS Security Center
To learn more, visit https://aws.amazon.com/security.
Page 120
Thank you!
Page 121
Remember to submit your evaluations by using the re:Invent app! https://reinvent.awsevents.com/mobile/
Page 122
Related sessions
• SEC323: Securing Web Applications with AWS WAF; Friday, 9:00–10:00 A.M.