AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases (SEC310)
Page 1: AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases (SEC310)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Adrian Newby, CTO, CrownPeak

David Grampa, Founder, TypeFrag.com

Andrew Kiggins, AWS Solutions Architect

Jeffrey Lyon, AWS Operations Manager

November 29, 2016

SEC310

Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases

Page 2

In this session, you will learn about …

Five DDoS Attack Vectors

1. UDP reflection attacks

2. UDP floods

3. TCP SYN floods

4. Web application layer attacks

5. DNS query floods

Four AWS Use Cases

1. Common web application

2. Highly-resilient web application

3. Video game development

4. Voice communication

Page 3

DDoS attacks

Page 4

DDoS attacks can …

• Target networks with large volumes of traffic

• Target systems with large volumes of connections

• Target services with large volumes of requests

Page 5

Vector #1: UDP Reflection Attacks

• Attacker sends spoofed request to UDP service

• Spoofed IP is that of the victim

• Asymmetric: UDP service responds with large payload

Network Traffic | System Connections | Service Requests

Page 6

Vector #1: UDP Reflection Attacks

20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274

20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320

20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307

20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326

20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300

20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307

20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302

20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323

20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268

Clear signature: many requests from a suspicious source port (here 1900, the SSDP service port, from many different reflectors)

Large packet size: a flood of traffic is easy to generate, since each small spoofed request yields a large reply

UDP protocol: a clear indicator of suspicious activity if the destination does not use UDP

Page 7

Vector #2: UDP Floods

20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024

20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024

20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024

20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024

20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024

20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024

20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024

20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024

20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024

Ambiguous: the source port may be difficult to distinguish (random high ports, no common service)

Packet size: defined by the attacker (here a fixed 1024 bytes)

UDP protocol: a clear indicator of suspicious activity if the destination does not use UDP
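Reading the two captures above by eye works for nine lines; at attack rates the signatures have to be scored programmatically. The following is an added example (the editor's code, not part of the talk and not AWS tooling) that applies the three signatures from the Vector #1 and Vector #2 slides to tcpdump output: concentration on one source port, variance in payload size, and whether the destination serves UDP at all. The reflector port list and the thresholds are the editor's assumptions; the sample captures are the ones shown on the slides.

```python
"""Classify a burst of inbound UDP from tcpdump output as a reflection attack
or a plain UDP flood.  A reflection arrives from one well-known service port
on many hosts with large, varying payloads; a flood arrives from random source
ports with an attacker-chosen fixed size; either is suspect when the target
does not serve UDP.  Editor's example, not from the talk or from AWS.
"""
import re
from collections import Counter

# tcpdump's default UDP line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>".
# The destination port is printed by name ("http") when tcpdump can resolve it.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+): UDP, length (?P<len>\d+)$"
)

# Services commonly abused as UDP reflectors, keyed by their source port
# (assumption: the editor's list, not one given in the talk).
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 111: "portmap", 123: "NTP",
                   161: "SNMP", 1900: "SSDP", 11211: "memcached"}


def parse_udp(lines):
    """One dict per UDP packet line; lines that do not match are ignored."""
    packets = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            packets.append({"src": m["src"], "sport": int(m["sport"]),
                            "dport": m["dport"], "len": int(m["len"])})
    return packets


def classify_udp(lines, udp_expected=False):
    """Return {"verdict": ..., "evidence": {...}} for a capture.

    udp_expected says whether the destination legitimately serves UDP; if it
    does not, any sustained UDP is worth dropping at the network ACL.
    """
    pkts = parse_udp(lines)
    if not pkts:
        return {"verdict": "no-udp", "evidence": {}}
    sports = Counter(p["sport"] for p in pkts)
    top_port, top_count = sports.most_common(1)[0]
    share = top_count / len(pkts)             # how concentrated the source port is
    lens = [p["len"] for p in pkts]
    evidence = {
        "packets": len(pkts),
        "unique_sources": len({p["src"] for p in pkts}),
        "top_source_port": top_port,
        "top_source_port_share": round(share, 2),
        "distinct_lengths": len(set(lens)),
        "mean_length": round(sum(lens) / len(lens), 1),
    }
    if share >= 0.9 and top_port in REFLECTOR_PORTS:
        # One service port across many sources: spoofed requests bounced off reflectors.
        verdict = "udp-reflection via " + REFLECTOR_PORTS[top_port]
    elif len(set(lens)) == 1 and share < 0.5:
        # Random source ports but identical payload size: attacker-generated packets.
        verdict = "udp-flood"
    elif not udp_expected:
        verdict = "unexpected-udp"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "evidence": evidence}


# Constructed samples patterned on the captures shown on the slides.
REFLECTION_SAMPLE = [
    "20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274",
    "20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320",
    "20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307",
    "20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326",
    "20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300",
    "20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307",
    "20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302",
    "20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323",
    "20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268",
]
FLOOD_SAMPLE = [
    "20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024",
    "20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024",
    "20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024",
    "20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024",
    "20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024",
    "20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024",
    "20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024",
    "20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024",
    "20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024",
]

if __name__ == "__main__":
    for name, sample in (("reflection", REFLECTION_SAMPLE), ("flood", FLOOD_SAMPLE)):
        print(name, classify_udp(sample))
```

If the host never serves UDP, both verdicts lead to the same action: deny UDP in the network ACL or leave it out of the security group, so the flood is rejected before the instance spends any cycles on it.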

Page 8

Vector #3: TCP SYN Floods

• Flood of many connections targeting a system

• Very small packets

• Connections are left half-open, exhausting the connection state table

Page 9

Vector #3: TCP SYN Floods

tcp 0 0 192.0.2.1:80 91.64.4.146:64979 SYN_RECV -

tcp 0 0 192.0.2.1:80 84.24.103.112:4005 SYN_RECV -

tcp 0 0 192.0.2.1:80 79.223.69.239:61510 SYN_RECV -

tcp 0 0 192.0.2.1:80 67.86.135.44:43312 SYN_RECV -

tcp 0 0 192.0.2.1:80 86.88.67.226:50600 SYN_RECV -

tcp 0 0 192.0.2.1:80 173.20.137.110:3813 SYN_RECV -

tcp 0 0 192.0.2.1:80 84.58.10.121:4878 SYN_RECV -

tcp 0 0 192.0.2.1:80 91.37.40.151:2408 SYN_RECV -

tcp 0 0 192.0.2.1:80 173.20.137.110:3441 SYN_RECV -

Half-open connections: we sent SYN-ACK, the ACK never arrived

TCP protocol: many connections destined to the HTTP service
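To turn the netstat listing above into a measurement rather than an eyeball check, here is an added example (the editor's code, not from the talk) that counts SYN_RECV sockets per listener and compares them with established sessions and the number of distinct sources. The threshold is an assumption to be tuned to the listener's normal backlog; the netstat sample is constructed.

```python
"""Spot a TCP SYN flood in `netstat -ant` output: count half-open (SYN_RECV)
sockets per listener, how many distinct sources they come from, and how they
compare with established connections.  Editor's example, not from the talk.
"""
import re
from collections import Counter, defaultdict

# "tcp <Recv-Q> <Send-Q> <local addr:port> <remote addr:port> <state> [<pid/program>]"
NETSTAT = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_0-9]+)"
)


def parse_netstat(lines):
    """Yield (local socket, remote ip, state) for every TCP line."""
    for line in lines:
        m = NETSTAT.match(line.strip())
        if m:
            yield m["local"], m["remote"].rsplit(":", 1)[0], m["state"]


def syn_flood_report(lines, half_open_threshold=256, top=3):
    """Per listener: half-open and established counts, top half-open sources, verdict."""
    half_open = defaultdict(Counter)   # listener -> Counter(remote ip)
    established = Counter()
    for local, remote_ip, state in parse_netstat(lines):
        if state == "SYN_RECV":
            half_open[local][remote_ip] += 1
        elif state == "ESTABLISHED":
            established[local] += 1
    report = {}
    for local in set(half_open) | set(established):
        sources = half_open[local]
        n_half = sum(sources.values())
        report[local] = {
            "half_open": n_half,
            "established": established[local],
            "distinct_sources": len(sources),
            "top_sources": sources.most_common(top),
            # Many half-open sockets from many sources, outnumbering real sessions:
            # a flood rather than a slow path to a few clients.
            "suspected_syn_flood": n_half >= half_open_threshold
                                   and n_half > established[local],
        }
    return report


def sample_netstat(n_syn, n_established=20):
    """Constructed netstat output: n_syn half-open sockets from up to 200
    source addresses, plus a listener and some genuine sessions."""
    lines = ["tcp        0      0 0.0.0.0:80      0.0.0.0:*           LISTEN      -"]
    for i in range(n_syn):
        lines.append(f"tcp        0      0 192.0.2.1:80    198.51.100.{i % 200}:{40000 + i}"
                     f"    SYN_RECV    -")
    for i in range(n_established):
        lines.append(f"tcp        0      0 192.0.2.1:80    203.0.113.{i}:{50000 + i}"
                     f"    ESTABLISHED -")
    return lines


if __name__ == "__main__":
    print(syn_flood_report(sample_netstat(500)))
```

Hundreds of half-open entries from hundreds of distinct addresses, outnumbering established sessions, point at a flood rather than a congested link. On a Linux instance the immediate relief is net.ipv4.tcp_syncookies=1; the SYN proxy/cookie method described on the mitigation slides does the same job in front of the instance.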

Page 10

Vector #4: Web Application Layer Attacks

• Malicious web requests that look like real users

• Impact availability or scrape site content

• Mitigate using a WAF

• Block abusive IPs, user agents, etc.

• Rate-based blacklisting
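Rate-based blacklisting as the slide lists it, as an added example (the editor's code; not AWS WAF and not from the talk): a sliding-window request counter per client plus a user-agent denylist, producing a block list in the /32 form a WAF IP set accepts. The log format, thresholds, user-agent patterns and sample lines are constructed for illustration.

```python
"""Rate-based blacklisting over web access logs: list the clients that exceed
a request limit inside a sliding window, or that present a known-bad user
agent.  Editor's example; the log format and patterns are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: '<ISO-8601 timestamp> <client ip> <method> <path> <status> "<user agent>"'
LOG = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# User agents that should never reach a production application
# (assumption: an illustrative list, not one from the talk or from AWS WAF).
BAD_UA = re.compile(r"(^$|python-requests|HULK|masscan|Go-http-client)", re.I)


def rate_blacklist(lines, limit=100, window_s=60, allow=frozenset()):
    """Return {ip: reason} for clients exceeding `limit` requests in any
    `window_s` sliding window or presenting a bad user agent.  Addresses in
    `allow` (monitoring probes, partners) are never listed."""
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    blocked = {}
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        ip = m["ip"]
        if ip in allow:
            continue
        t = datetime.fromisoformat(m["ts"]).timestamp()
        if BAD_UA.search(m["ua"]):
            blocked.setdefault(ip, f"user-agent {m['ua']!r}")
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window_s:     # slide the window forward
            q.popleft()
        if len(q) > limit:
            blocked.setdefault(ip, f"{len(q)} requests in {window_s}s")
    return blocked


def to_ipset(blocked):
    """Render the block list as /32 CIDRs, the shape a WAF IP set takes."""
    return sorted(f"{ip}/32" for ip in blocked)


def sample_log():
    """Constructed access log: one client hammering a search page, five
    ordinary browsers, and one scripted client with a tell-tale user agent."""
    start = datetime(2016, 11, 29, 20, 7, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(150):          # 150 requests in 30 seconds from one address
        ts = (start + timedelta(seconds=i / 5)).isoformat()
        lines.append(f'{ts} 203.0.113.9 GET /search?q={i} 200 "Mozilla/5.0"')
    for i in range(50):           # five browsers, ten requests each over a minute
        ts = (start + timedelta(seconds=i * 1.2)).isoformat()
        lines.append(f'{ts} 198.51.100.{i % 5} GET /page/{i % 10} 200 "Mozilla/5.0"')
    for i in range(3):            # a scripted client announcing itself
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f'{ts} 192.0.2.77 GET /login 200 "python-requests/2.11.1"')
    return lines


if __name__ == "__main__":
    blocked = rate_blacklist(sample_log())
    print(blocked)
    print(to_ipset(blocked))
```

The limit is the part that needs care: set it from the busiest legitimate client you see in a normal week (a corporate NAT or a partner integration), and keep an allow list for anything that must never be blocked, or the WAF rule becomes its own denial of service.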

Page 11

Vector #5: DNS Query Floods

• Many legitimate DNS queries can exhaust host capacity

• Random queries can “cache bust” recursive DNS (e.g. ezspobmzlanungyp.www.example.com), so every query misses the cache and reaches the authoritative server

• Authoritative DNS is compelled to respond
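An added example (the editor's code, not from the talk) for the cache-busting pattern on this slide: random leftmost labels under a victim zone score high on character entropy and on the ratio of unique names to queries, which separates them from a spike of legitimate lookups for the same zone. The BIND-style query log lines and the thresholds are constructed assumptions.

```python
"""Detect DNS cache-busting floods: random leftmost labels under a zone defeat
resolver caching and force the authoritative server to answer every query.
Scores each zone on unique-label ratio and label entropy.  Editor's example;
the query log lines are constructed.
"""
import math
import random
import re
from collections import Counter, defaultdict

# BIND-style query log line, e.g.
# "client 198.51.100.7#4321: query: ezspobmzlanungyp.www.example.com IN A +E"
QUERY = re.compile(r"client (?P<ip>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def entropy(label):
    """Shannon entropy in bits per character; random strings score ~3.5+, real hostnames low."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def cache_bust_report(lines, zone_labels=2, min_queries=20,
                      unique_ratio=0.8, min_entropy=3.0):
    """Per zone (last `zone_labels` labels): query count, unique leftmost labels,
    their mean entropy, client count, and whether the pattern looks like cache busting."""
    zones = defaultdict(lambda: {"count": 0, "labels": set(), "clients": set()})
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").lower().split(".")
        if len(labels) <= zone_labels:
            continue                      # query for the apex itself: nothing to randomise
        z = zones[".".join(labels[-zone_labels:])]
        z["count"] += 1
        z["labels"].add(labels[0])
        z["clients"].add(m["ip"])
    report = {}
    for zone, z in zones.items():
        if z["count"] < min_queries:
            continue
        ratio = len(z["labels"]) / z["count"]
        ent = sum(entropy(l) for l in z["labels"]) / len(z["labels"])
        report[zone] = {
            "queries": z["count"],
            "unique_labels": len(z["labels"]),
            "unique_ratio": round(ratio, 2),
            "mean_label_entropy": round(ent, 2),
            "clients": len(z["clients"]),
            # Almost every query is a never-seen, high-entropy name: cache busting.
            "suspected_cache_bust": ratio >= unique_ratio and ent >= min_entropy,
        }
    return report


def sample_query_log():
    """Constructed log: 200 random-label queries and 20 real ones for example.com,
    and ordinary traffic for example.net."""
    rng = random.Random(2016)
    lines = []

    def q(ip, name):
        lines.append(f"client {ip}#{rng.randint(1024, 65535)}: query: {name} IN A +E")

    for i in range(200):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        q(f"198.51.100.{i % 40}", f"{label}.www.example.com")
    for i in range(20):
        q(f"203.0.113.{i}", "www.example.com")
    for i in range(30):
        q(f"192.0.2.{i}", ("www", "mail", "api")[i % 3] + ".example.net")
    return lines


if __name__ == "__main__":
    for zone, row in cache_bust_report(sample_query_log()).items():
        print(zone, row)
```

The slides' answer for zones hosted on AWS is Amazon Route 53; the check above is for authoritative or recursive servers you run yourself, where the response is to rate-limit or drop the random-label clients rather than keep answering them.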

Page 12

DDoS Mitigation on AWS

Page 13

Conventional DDoS Mitigation

[Diagram: users and a DDoS attack both arrive at a conventional data center, with an external DDoS mitigation service in the traffic path]

Page 14

DDoS Mitigation on AWS

• Built into the AWS global infrastructure

• Fast mitigation without external routing

• Protection of availability, latency, and throughput

Page 15

DDoS Attacks and Mitigation

• “BlackWatch” systems protect AWS and mitigate large-volume attacks

• Methods:

• Allow only traffic valid for the service

• SYN proxy/cookies when a high rate of packets with the SYN flag set (SYN==1) is detected

• Suspicion-based traffic shaping
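The SYN proxy/cookie method named above, modelled as an added example (the editor's illustration; not the Linux kernel's or BlackWatch's implementation): the SYN-ACK's initial sequence number encodes a time counter, the client's MSS class and a keyed hash of the four-tuple, so the server allocates nothing until an ACK carrying a valid cookie comes back. The bit layout, the secret and the MSS table are this example's own assumptions.

```python
"""Minimal SYN-cookie model.  The listener answers every SYN with a SYN-ACK
whose sequence number is a cookie, keeps no per-connection state, and only
records a connection when the returning ACK proves the peer received it.
Editor's illustration; the layout is simplified and not the kernel's.
"""
import hashlib
import hmac
import socket
import struct

SECRET = b"per-host secret, rotated with the counter"   # assumption: illustrative key
MSS_TABLE = (536, 1220, 1440, 1460)                       # MSS classes that fit in 2 bits
TICK = 64                                                 # seconds per time-counter step
MASK24 = 0xFFFFFF


def _mac24(src, dst, sport, dport, counter, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, the tick and the MSS class."""
    msg = struct.pack("!4s4sHHIB", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    counter = int(now) // TICK
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss] or [0])
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, counter, mss_idx)


def check_cookie(src, dst, sport, dport, ack, now):
    """Return the MSS class if `ack` acknowledges a cookie issued in this or the
    previous tick, else None.  Nothing was stored, so this recomputes instead of looking up."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter_lo, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & MASK24
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // TICK
    for counter in (current, current - 1):
        if counter & 0x1F == counter_lo and _mac24(src, dst, sport, dport, counter, mss_idx) == mac:
            return MSS_TABLE[mss_idx]
    return None


class StatelessListener:
    """Serves SYNs with cookies; allocates state only on a validated ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}      # (client ip, client port) -> MSS

    def on_syn(self, src, sport, mss, now):
        # No entry is recorded: the SYN-ACK's sequence number is the only "state".
        return make_cookie(src, self.addr, sport, self.port, mss, now)

    def on_ack(self, src, sport, ack, now):
        mss = check_cookie(src, self.addr, sport, self.port, ack, now)
        if mss is None:
            return False            # forged, stale or replayed: still no state
        self.established[(src, sport)] = mss
        return True


if __name__ == "__main__":
    listener = StatelessListener("192.0.2.1", 80)
    now = 1480444065
    for i in range(10000):                            # spoofed SYN flood
        listener.on_syn(f"198.51.100.{i % 250}", 1024 + i, 1460, now)
    cookie = listener.on_syn("203.0.113.7", 51000, 1460, now)
    print(len(listener.established), listener.on_ack("203.0.113.7", 51000, cookie + 1, now + 5))
```

The trade-off the slide's phrasing implies is real: cookies are switched on when the SYN rate is high rather than always, because encoding the connection in 32 bits drops TCP options the server would otherwise remember (window scaling, SACK) for any client whose ACK arrives without them.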

Page 16

Suspicion-Based Traffic Shaping

• Prioritize reliable traffic

• Deprioritize spikes of traffic:

• Abnormal sources (networks, geos)

• Abnormal ports and protocols

• Abnormal packet or request characteristics

• Leverage AWS scale, minimize false positives

Page 17

Suspicion-Based Traffic Shaping (diagram)

Page 18

Protecting Web Applications

Page 19

Common Web Application

[Diagram: users and a DDoS attack reach an Application Load Balancer in a public subnet (ALB security group), which forwards to Amazon EC2 instances in a private subnet (web application security group)]

Page 20

ALB Scaling and Mitigation

[Diagram: under the DDoS attack the Application Load Balancer in the public subnet scales out to several load balancer nodes, with BlackWatch DDoS mitigation in front of it]

Page 21

Transit Diversity and Redundancy

[Diagram: us-east-1 reaches the Internet through several Internet exchanges, serving a DDoS-resilient web application]

Page 22

Highly Resilient Web Application

[Diagram: users and a DDoS attack enter through Amazon Route 53 and Amazon CloudFront with AWS WAF; CloudFront fronts an Application Load Balancer (ALB security group, public subnet) and Amazon API Gateway; the ALB forwards to Amazon EC2 instances in a private subnet (web application security group)]

Page 23

Mitigate closer to the source

[Diagram: DDoS attack traffic meets BlackWatch DDoS mitigation at Internet exchanges near edge locations (Tokyo, Singapore, Hong Kong, Dublin, London, Milan) before it reaches the DDoS-resilient web services in us-east-1]

Page 24

Globally Distributed Capacity

Page 25

Case Study:

Crownpeak / BNY Mellon

Page 26

Introduction to Crownpeak

• Crownpeak has pioneered the SaaS model for web content management systems since 2001

• We provide a full digital experience management suite, delivered entirely using Amazon Web Services

• We are headquartered in Los Angeles, CA, with offices in Denver, CO, and London, UK

Page 27

Introduction to the Case Study

• Bank of New York Mellon at a glance:

• $29.5 trillion assets under custody and/or administration

• $1.7 trillion assets under management

• 100+ markets worldwide

• Many websites managed and hosted by Crownpeak

• Committed to best-in-class cyber defense and threat protection

Page 28

Baseline Architecture

[Diagram: Amazon Route 53 and Amazon CloudFront in front of an ELB load balancer (ELB security group, public subnet) that forwards to Amazon EC2 instances in a private subnet (web application security group); users and the DDoS attack share the same entry path]

Page 29

Hardened Architecture

[Diagram: the baseline layout (Amazon Route 53, Amazon CloudFront, Elastic Load Balancing in the public subnet, Amazon EC2 instances in the private subnet) with AWS WAF attached to CloudFront, plus AWS Lambda and Amazon S3 alongside the WAF; users and the DDoS attack share the same entry path]

Page 30

DDoS Testing

Test | Description

HTTP GET baseline | Basic load test to establish the thresholds at which mitigation devices activate

WILD HULK DDoS | Obfuscation of source client, reference forgery, stickiness, URL transformation

WAF overload | Parallel SQL injection and vulnerability scans

Metric | Ave / Peak

Concurrent attack vectors | 200

Requests sent | 200 K/second (ave), 1 M+/second (peak)

Data volume returned | 35-40 Gb/second (ave), 52 Gb/second (peak)

Data volume sent | 2.5-3.5 Gb/second (ave), 4.4 Gb/second (peak)

Page 31

Test Results (chart)

Page 32

How Far Can You Push These Technologies?

Page 33

Conclusions and Final Recommendations

• Amazon CloudFront and AWS WAF are a highly effective defense against the most sophisticated Layer 7 attacks

• Best practices for best defense:

Recommendation | Benefit

Invest time in limiting query string and header forwarding | Eliminates many common attacks

Deploy the HTTP->HTTPS redirect at the edge | Shields the origin from redirect floods

Implement an SNI-based infrastructure | Many DDoS toolkits fail the TLS handshake
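The first two recommendations above, modelled as an added simulation (the editor's code; not CloudFront's implementation and not the case study's configuration): a cache keyed only on the query parameters and headers that are actually forwarded collapses cache-busting URLs onto a single origin fetch, and a redirect answered at the edge keeps a redirect flood off the origin entirely. The origin stand-in and the request pattern are constructed, and treating redirects as uncacheable is a simplifying assumption of the model.

```python
"""Why limiting forwarded query strings/headers and redirecting at the edge
protect the origin: a CloudFront-like cache in front of a stand-in origin,
counting origin hits under a cache-busting and redirect flood.
Editor's simulation, not CloudFront code.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit


def cache_key(url, forward_params=None, forward_headers=(), headers=None):
    """Cache key built only from what the edge forwards to the origin.
    forward_params=None forwards every query parameter (the weak default);
    a tuple of names forwards only those."""
    p = urlsplit(url)
    params = parse_qsl(p.query, keep_blank_values=True)
    if forward_params is not None:
        params = [(k, v) for k, v in params if k in forward_params]
    hdrs = tuple(sorted((h.lower(), (headers or {}).get(h, "")) for h in forward_headers))
    return (p.path, urlencode(sorted(params)), hdrs)


def https_location(p):
    return "https://" + p.netloc + p.path + ("?" + p.query if p.query else "")


def origin(url):
    """Stand-in origin: redirects plain HTTP, serves everything else."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, https_location(p)
    return 200, f"page for {p.path}"


class Edge:
    """A caching edge in front of origin(); counts how often the origin is hit."""

    def __init__(self, forward_params=None, forward_headers=(), redirect_at_edge=False):
        self.forward_params = forward_params
        self.forward_headers = forward_headers
        self.redirect_at_edge = redirect_at_edge
        self.cache = {}
        self.origin_hits = 0

    def handle(self, url, headers=None):
        p = urlsplit(url)
        if p.scheme == "http" and self.redirect_at_edge:
            return 301, https_location(p)        # answered here; origin never sees it
        key = cache_key(url, self.forward_params, self.forward_headers, headers)
        if key not in self.cache:
            self.origin_hits += 1
            status, body = origin(url)
            if status != 200:
                return status, body              # assumption: redirects are not cached
            self.cache[key] = body
        return 200, self.cache[key]


def redirect_and_cache_bust_flood(edge, n=1000):
    """Attacker sends n plain-HTTP requests (redirect flood) and n HTTPS requests
    each with a fresh cache-busting parameter and user agent; returns origin hits."""
    for i in range(n):
        edge.handle(f"http://www.example.com/?cb={i}")
        edge.handle(f"https://www.example.com/?cb={i}&page=1",
                    headers={"User-Agent": f"bot-{i}"})
    return edge.origin_hits


if __name__ == "__main__":
    print("forward everything, redirect at origin:",
          redirect_and_cache_bust_flood(Edge()))
    print("forward only 'page', redirect at edge:   ",
          redirect_and_cache_bust_flood(Edge(forward_params=("page",), redirect_at_edge=True)))
```

The third run in the test below is the one that catches people: forwarding a single high-cardinality header such as User-Agent undoes the query-string allowlist, because every distinct value is a distinct cache key and therefore a distinct origin fetch.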

Page 34

DDoS-Resilient Architecture on Amazon EC2

Page 35

VPC Flow Logs, Security Groups, Network ACLs Primer

[Diagram: VPC 10.200.0.0/16 with a public subnet 10.200.150.0/24 (Internet gateway, route table, WebServer Security Group) and a private subnet 10.200.99.0/24 (NAT gateway, route table, Application Security Group), one instance in each, with Flow logs enabled]

Security groups work like a firewall. Rules shown:

WebServer Security Group

Ingress rule: 0.0.0.0/0 : 80

Egress rule: 0.0.0.0/0 : ANY

Application Security Group

Ingress rule: WebServerSecurityGroup : ANY

Egress rule: 0.0.0.0/0 : ANY

(The diagram also carries the label ApplicationSecurityGroup:8443 on the path between the two instances.)

Page 36

VPC Flow Logs, Security Groups, Network ACLs Primer

[Diagram: the same VPC layout (Internet gateway, public subnet 10.200.150.0/24, private subnet 10.200.99.0/24 with NAT gateway, WebServer and Application Security Groups), with Flow logs capturing the instances' traffic]

VPC Flow Logs work like NetFlow: each record carries srcIP, dstIP, srcPort, dstPort, protocol, accept/reject
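Flow log records in the default format, summarised the way the primer suggests, as an added example (the editor's code, not from the talk): top sources by packets into a host, protocol mix, rejected sources, and UDP aimed at a host that does not serve it, with that last list rendered as inbound network ACL deny entries. The records are constructed; the field list is the default version 2 flow log format.

```python
"""Summarise VPC Flow Log records: who sends the most packets to a host, which
protocols arrive, which sources are rejected, and which sources send UDP to a
host that does not serve it.  Editor's example; the records are constructed.
"""
from collections import Counter

# Default (version 2) flow log record, space-separated, one record per line.
FIELDS = ("version account_id interface_id srcaddr dstadd srcport dstport "
          "protocol packets bytes start end action log_status").replace("dstadd", "dstaddr").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_flow_log(lines):
    """Parse records, skipping malformed lines and NODATA/SKIPDATA rows
    (those carry '-' in the numeric fields)."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in NUMERIC:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def summarize(records, host, serves_udp=False, top=5):
    """Inbound view of `host`: top talkers, protocol mix by packets, rejected
    sources, and UDP senders if the host is not meant to receive UDP."""
    by_src, rejected, protos, unexpected_udp = Counter(), Counter(), Counter(), Counter()
    for r in records:
        if r["dstaddr"] != host:
            continue
        by_src[r["srcaddr"]] += r["packets"]
        protos[PROTO.get(r["protocol"], str(r["protocol"]))] += r["packets"]
        if r["action"] == "REJECT":
            rejected[r["srcaddr"]] += r["packets"]
        if r["protocol"] == 17 and not serves_udp:
            unexpected_udp[r["srcaddr"]] += r["packets"]
    return {"top_sources": by_src.most_common(top),
            "protocols": dict(protos),
            "rejected_sources": rejected.most_common(top),
            "unexpected_udp": unexpected_udp.most_common(top)}


def nacl_deny_entries(sources, first_rule=100):
    """Inbound network ACL deny entries, as kwargs for ec2.create_network_acl_entry,
    for (ip, count) pairs.  Rule numbers ascend from first_rule; network ACLs are
    evaluated lowest number first, so the subnet's allow rules must sit above these."""
    return [{"RuleNumber": first_rule + 10 * i, "Protocol": "-1", "RuleAction": "deny",
             "Egress": False, "CidrBlock": f"{ip}/32"}
            for i, (ip, _) in enumerate(sources)]


# Constructed records: SSDP reflection rejected by the security group, a normal
# HTTP session, an SSH probe, and a NODATA row that must be skipped.
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 192.0.2.2 10.200.150.10 1900 80 17 900 276300 1480444065 1480444125 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.3 10.200.150.10 1900 80 17 850 272000 1480444065 1480444125 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.200.150.10 1900 80 17 120 36000 1480444065 1480444125 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.40 10.200.150.10 51234 80 6 12 3200 1480444065 1480444125 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.200.150.10 203.0.113.40 80 51234 6 10 14800 1480444065 1480444125 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.77 10.200.150.10 44000 22 6 3 180 1480444065 1480444125 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1480444065 1480444125 - NODATA",
]

if __name__ == "__main__":
    summary = summarize(parse_flow_log(SAMPLE), "10.200.150.10")
    print(summary)
    print(nacl_deny_entries(summary["unexpected_udp"]))
```

A REJECT in the flow log means the security group or network ACL dropped the packet, not that the instance was unaffected by it, which is why the slides pair flow logs with moving the target rather than relying on filtering alone.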

Page 37

VPC Flow Logs, Security Groups, Network ACLs Primer

[Diagram: the same VPC layout (Internet gateway, NAT gateway, route tables, public subnet 10.200.150.0/24 and private subnet 10.200.99.0/24, WebServer and Application Security Groups, Flow logs), with network ACLs at the subnet boundaries]

Network ACLs work like router ACLs

Page 38

Amazon EC2 for Game Developers

• Web portals

• Game servers

• Matching servers

• Relay servers

Page 39

Web Portal = The Usual Suspects

[Diagram: Amazon Route 53, Amazon CloudFront with AWS WAF, ELB / ALB (ELB security group, public subnet) and Amazon API Gateway in front of Amazon EC2 instances in a private subnet (web application security group); users and the DDoS attack share the same entry path]

Page 40

Game Servers, Match Servers, Relays

• UDP vs TCP

• Latency

• Scaling

Page 41

Options

• Reduce your attackable surface area

• Filter unwanted traffic

• DNS protection

• Protect API endpoint

• Restrict access

• Scale to absorb

• Size appropriately

• Reduce blast radius

• Move the target

Page 42

Reduce the Blast Radius

[Diagram: all players connect to one instance in one security group and subnet; a DDoS attack on that instance reaches every player]

Page 43

Reduce the Blast Radius

[Diagram: players spread across several instances in the subnet, each instance in its own security group; the DDoS attack hits one instance and the players on it]

Page 44

Restrict Access – Security Groups

[Diagram: players and a DDoS attack against one instance in a subnet; access is restricted by the instance's security group]

Page 45

Restrict Access – Host-Based

[Diagram: the same layout; access is restricted on the instance itself, inside the security group]

Page 46

Move the Target

• Use Elastic IP addresses

• Don’t use contiguous IP addresses

[Diagram: instances with Elastic IPs in separate security groups within the subnet; players follow the attacked instance to a new Elastic IP while the DDoS attack stays on the old one]

Page 47

TeamSpeak3 on EC2

• TeamSpeak3 is voice communication software

• Popular with online computer gamers

• Common DDoS target

Page 48

TeamSpeak3 on EC2 (architecture diagram)

Page 49

Resiliency

1. Leverage AWS global infrastructure

2. Minimize attack surface

3. Reduce blast radius

4. Automatically mitigate attacks

5. Analyze and learn from attacks

Page 50

Attack Surface

One network ACL per VPC subnet

One VPC subnet per instance

[Diagram: Amazon Route 53 directs users to an instance with an Elastic IP, alone in its subnet behind its own network ACL]

Page 51

Attack Surface (diagram)

Page 52

Blast Radius

[Diagram: Amazon Route 53 spreads users across instances in AZ #1, AZ #2 and AZ #3]

Page 53

Blast Radius

[Diagram: the same layout, with an attack hitting one of the three Availability Zones]

Page 54

Attack Mitigation

[Diagram: Amazon Route 53, users, an instance with an Elastic IP in a subnet behind a network ACL, CloudWatch and AWS Lambda]

DDoS attack begins

Page 55

Attack Mitigation

1. DDoS attack detected (CloudWatch → AWS Lambda)

Page 56

Attack Mitigation

2. Elastic IP address changed (the instance moves to a new Elastic IP)

Page 57

Attack Mitigation

3. Route 53 DNS updated

Page 58

Attack Mitigation

DDoS attack mitigated
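The swap shown on the last five slides, as an added example (the editor's code; it follows the slide sequence but is not the speaker's Lambda function): allocate a new Elastic IP, move the instance onto it, UPSERT the Route 53 record, release the old address. The clients are injected so the logic runs offline against the fakes at the bottom; in Lambda pass boto3.client("ec2") and boto3.client("route53"). The disassociate-before-associate ordering, the environment variable names and the fake resources are assumptions.

```python
"""Automated Elastic IP swap for an attacked EC2 instance, driven from a
CloudWatch alarm via Lambda.  Editor's example built on the boto3 call shapes;
not the talk's code.  Clients are injected so it can be exercised offline.
"""
import itertools


def current_address(ec2, instance_id):
    """The Elastic IP currently associated with the instance, or None."""
    resp = ec2.describe_addresses(Filters=[{"Name": "instance-id", "Values": [instance_id]}])
    return resp["Addresses"][0] if resp["Addresses"] else None


def swap_elastic_ip(ec2, route53, instance_id, hosted_zone_id, record_name, ttl=60):
    old = current_address(ec2, instance_id)
    new = ec2.allocate_address(Domain="vpc")
    # Assumption: detach the old address first so the new association never
    # collides with the existing one; the instance is unreachable for a moment.
    if old and old.get("AssociationId"):
        ec2.disassociate_address(AssociationId=old["AssociationId"])
    ec2.associate_address(AllocationId=new["AllocationId"], InstanceId=instance_id)
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={
            "Comment": "DDoS mitigation: Elastic IP swap",
            "Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {"Name": record_name, "Type": "A", "TTL": ttl,
                                               "ResourceRecords": [{"Value": new["PublicIp"]}]}}],
        })
    if old:
        ec2.release_address(AllocationId=old["AllocationId"])   # see the quarantine note below
    return {"old_ip": old["PublicIp"] if old else None,
            "new_ip": new["PublicIp"], "allocation_id": new["AllocationId"]}


def lambda_handler(event, context):
    """Entry point for the alarm action; assumes INSTANCE_ID, HOSTED_ZONE_ID and
    RECORD_NAME are set in the function's environment (editor's naming)."""
    import os
    import boto3
    return swap_elastic_ip(boto3.client("ec2"), boto3.client("route53"),
                           os.environ["INSTANCE_ID"], os.environ["HOSTED_ZONE_ID"],
                           os.environ["RECORD_NAME"])


class FakeEC2:
    """Just enough of the EC2 client to exercise swap_elastic_ip offline (constructed)."""

    def __init__(self):
        self.addresses = {"eipalloc-old": {"AllocationId": "eipalloc-old", "PublicIp": "203.0.113.5",
                                           "AssociationId": "eipassoc-old",
                                           "InstanceId": "i-0123456789abcdef0"}}
        self._next = itertools.count(10)
        self.calls = []

    def describe_addresses(self, Filters):
        wanted = set(Filters[0]["Values"])
        self.calls.append("describe_addresses")
        return {"Addresses": [a for a in self.addresses.values() if a.get("InstanceId") in wanted]}

    def allocate_address(self, Domain):
        n = next(self._next)
        addr = {"AllocationId": f"eipalloc-{n}", "PublicIp": f"203.0.113.{n}"}
        self.addresses[addr["AllocationId"]] = dict(addr)
        self.calls.append("allocate_address")
        return addr

    def disassociate_address(self, AssociationId):
        for a in self.addresses.values():
            if a.get("AssociationId") == AssociationId:
                a.pop("AssociationId")
                a.pop("InstanceId")
        self.calls.append("disassociate_address")

    def associate_address(self, AllocationId, InstanceId):
        a = self.addresses[AllocationId]
        a.update(InstanceId=InstanceId, AssociationId="eipassoc-" + AllocationId.split("-")[1])
        self.calls.append("associate_address")
        return {"AssociationId": a["AssociationId"]}

    def release_address(self, AllocationId):
        del self.addresses[AllocationId]
        self.calls.append("release_address")


class FakeRoute53:
    def __init__(self):
        self.records = {}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        for change in ChangeBatch["Changes"]:
            rrs = change["ResourceRecordSet"]
            self.records[(HostedZoneId, rrs["Name"], rrs["Type"])] = (
                rrs["TTL"], [r["Value"] for r in rrs["ResourceRecords"]])
        return {"ChangeInfo": {"Status": "PENDING"}}


if __name__ == "__main__":
    print(swap_elastic_ip(FakeEC2(), FakeRoute53(), "i-0123456789abcdef0", "Z1EXAMPLE", "voice.example.com."))
```

Two operational points. The record's TTL has to be low before the attack, because resolvers that cached the old address keep sending players to it until it expires, which is what bounds the 90 seconds on the results slide. And releasing the old address immediately hands the attack to whoever is allocated it next; holding it unassociated for a quarantine period costs a small hourly charge and is the kinder choice. An instance with more than one network interface needs NetworkInterfaceId on associate_address.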

Page 59

Demo: Attack Mitigation with EIP Swapping

Page 60

Results

Metric | Before | After

Attacks per month | 50 | 5

Users affected per attack | 2000 | 200

Duration per attack | 15 minutes | 90 seconds

User minutes lost per month | 1,500,000 | 1,500

Page 61

Attack Analysis

[Diagram: a user loads a single-page app (Amazon S3 behind Amazon CloudFront) that calls a REST-based API (Amazon API Gateway backed by AWS Lambda) over VPC Flow Logs data held in Amazon S3 and Amazon SimpleDB]

Page 62

Attack Analysis (figure)

Page 63

DDoS Mitigation Support

Page 64

Need Help?

Step 1: Click “Create Case”

Step 2: Select “Distributed Denial of Service (DDoS)”

Step 3: Select the category and severity and write a subject and description

Step 4: Talk to a DDoS expert

Page 65

AWS Best Practices for DDoS Resiliency (June 2016)

• Types of DDoS attacks

• Mitigation techniques

• Attack surface reduction

• Operational techniques

Download from https://aws.amazon.com/security

Page 66

Thank you!

Learn more about DDoS mitigation on AWS at https://aws.amazon.com/security

Page 67

Remember to complete your evaluations!