© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Adrian Newby, CTO, CrownPeak
David Grampa, Founder, TypeFrag.com
Andrew Kiggins, AWS Solutions Architect
Jeffrey Lyon, AWS Operations Manager
November 29, 2016
SEC310
Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases
In this session, you will learn about …
Five DDoS Attack Vectors
1. UDP reflection attacks
2. UDP floods
3. TCP SYN floods
4. Web application layer attacks
5. DNS query floods
Four AWS Use Cases
1. Common web application
2. Highly-resilient web application
3. Video game development
4. Voice communication
DDoS attacks
DDoS attacks can …
• Target networks with large volumes of traffic
• Target systems with large volumes of connections
• Target services with large volumes of requests
Vector #1: UDP Reflection Attacks
• Attacker sends spoofed request to UDP service
• Spoofed IP is that of the victim
• Asymmetric: UDP service responds with large payload
Network Traffic | System Connections | Service Requests
20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
20:07:45.918283 IP 198.51.100.12.1900 > server.example.com.http: UDP, length 300
20:07:45.918287 IP 203.0.113.58.1900 > server.example.com.http: UDP, length 307
20:07:45.918291 IP 192.0.2.33.1900 > server.example.com.http: UDP, length 302
20:07:45.918294 IP 198.51.100.113.1900 > server.example.com.http: UDP, length 323
20:07:45.918301 IP 203.0.113.90.1900 > server.example.com.http: UDP, length 268
Vector #1: UDP Reflection Attacks
• Clear signature: many requests from suspicious source port
• Large packet size: flood of traffic is easy to generate
• UDP protocol: clear indicator of suspicious activity if destination does not use UDP
Vector #2: UDP Floods
20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
20:07:45.918283 IP 198.51.100.12.52670 > server.example.com.http: UDP, length 1024
20:07:45.918287 IP 203.0.113.58.21266 > server.example.com.http: UDP, length 1024
20:07:45.918291 IP 192.0.2.33.7940 > server.example.com.http: UDP, length 1024
20:07:45.918294 IP 198.51.100.113.35950 > server.example.com.http: UDP, length 1024
20:07:45.918301 IP 203.0.113.90.62370 > server.example.com.http: UDP, length 1024
Vector #2: UDP floods
• Ambiguous: source port may be difficult to distinguish
• Packet size: defined by attacker
• UDP protocol: clear indicator of suspicious activity if destination does not use UDP
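Added example (not from the deck): a small Python classifier that applies the criteria from the two vector slides to tcpdump lines in the format shown above, separating a reflection attack (many sources sharing one well-known UDP source port) from a direct UDP flood (random source ports, attacker-chosen uniform packet size). The sample lines are copied from the deck's own slides; the reflector-port table, the 90% port-dominance threshold and the minimum of three sources are assumptions.

```python
"""Classify UDP traffic seen in tcpdump output as reflection or flood.

Heuristic (an assumption for this example): a reflection attack arrives from
many sources that all share one well-known UDP source port (1900 for SSDP
below), while a direct flood uses random high source ports and an
attacker-chosen, often uniform, packet size.
"""
import re
from collections import Counter

# Sample lines taken from the deck's slides (tcpdump -n style).
REFLECTION_SAMPLE = """\
20:07:45.918266 IP 192.0.2.2.1900 > server.example.com.http: UDP, length 274
20:07:45.918271 IP 198.51.100.3.1900 > server.example.com.http: UDP, length 320
20:07:45.918275 IP 203.0.113.7.1900 > server.example.com.http: UDP, length 307
20:07:45.918279 IP 192.0.2.5.1900 > server.example.com.http: UDP, length 326
"""
FLOOD_SAMPLE = """\
20:07:45.918266 IP 192.0.2.2.51523 > server.example.com.http: UDP, length 1024
20:07:45.918271 IP 198.51.100.3.23769 > server.example.com.http: UDP, length 1024
20:07:45.918275 IP 203.0.113.7.4655 > server.example.com.http: UDP, length 1024
20:07:45.918279 IP 192.0.2.5.13002 > server.example.com.http: UDP, length 1024
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"UDP, length (?P<length>\d+)$"
)

# Well-known reflector source ports (assumption for this example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def parse(text):
    """Return (src_ip, src_port, length) for every UDP line that matches."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["src"], int(m["sport"]), int(m["length"])))
    return records


def classify(records, min_sources=3):
    """Return 'reflection', 'flood' or 'unknown' for a batch of UDP records."""
    if len(records) < min_sources:
        return "unknown"
    sources = {src for src, _, _ in records}
    ports = Counter(sport for _, sport, _ in records)
    top_port, top_count = ports.most_common(1)[0]
    # Reflection: one reflector port dominates across many distinct sources.
    if (top_port in REFLECTOR_PORTS and top_count / len(records) >= 0.9
            and len(sources) >= min_sources):
        return "reflection"
    # Flood: every packet carries a different source port (ambiguous, as the deck says).
    if len(ports) == len(records):
        return "flood"
    return "unknown"


def summarize(text):
    """Verdict plus the facts a responder wants next to it."""
    records = parse(text)
    sizes = Counter(length for _, _, length in records)
    ports = Counter(sport for _, sport, _ in records)
    return {
        "verdict": classify(records),
        "sources": len({src for src, _, _ in records}),
        "dominant_source_port": ports.most_common(1)[0][0] if records else None,
        "uniform_size": len(sizes) == 1,
    }
```

For a flood the source port tells you little, which is why the deck calls it ambiguous; the uniform size and, above all, UDP arriving at a service that only speaks TCP are the usable indicators.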
Vector #3: TCP SYN Floods
• Flood of many connections targeting a system
• Very small packets
• Connections are left half-open, state table exhaustion
tcp 0 0 192.0.2.1:80 91.64.4.146:64979 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.24.103.112:4005 SYN_RECV -
tcp 0 0 192.0.2.1:80 79.223.69.239:61510 SYN_RECV -
tcp 0 0 192.0.2.1:80 67.86.135.44:43312 SYN_RECV -
tcp 0 0 192.0.2.1:80 86.88.67.226:50600 SYN_RECV -
tcp 0 0 192.0.2.1:80 173.20.137.110:3813 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.58.10.121:4878 SYN_RECV -
tcp 0 0 192.0.2.1:80 91.37.40.151:2408 SYN_RECV -
tcp 0 0 192.0.2.1:80 173.20.137.110:3441 SYN_RECV -
Vector #3: TCP SYN Floods
• Half-open connections: we sent SYN-ACK, ACK never received
• TCP protocol: many connections destined to HTTP service
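Added example, not from the deck: a Python parser for netstat-style output like the lines above that counts half-open (SYN_RECV) sockets per local listener and flags the state-table pattern the slide describes. The sample output is constructed in the deck's column layout; the thresholds (three half-open connections, half-open to established ratio of 2) are assumptions to tune per host.

```python
"""Detect a SYN flood from `netstat -ant`-style output.

Half-open connections appear as SYN_RECV on the listener. Many SYN_RECV
entries for one local socket, from many distinct remote addresses and far
outnumbering ESTABLISHED connections, is the signature described on the slide.
"""
from collections import defaultdict

# Constructed sample in the deck's netstat column layout.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.0.2.1:80 91.64.4.146:64979 SYN_RECV -
tcp 0 0 192.0.2.1:80 84.24.103.112:4005 SYN_RECV -
tcp 0 0 192.0.2.1:80 79.223.69.239:61510 SYN_RECV -
tcp 0 0 192.0.2.1:80 67.86.135.44:43312 SYN_RECV -
tcp 0 0 192.0.2.1:80 198.51.100.7:50122 ESTABLISHED -
tcp 0 0 192.0.2.1:22 198.51.100.9:41002 ESTABLISHED -
"""


def parse_netstat(text):
    """Yield (local_socket, remote_ip, state), skipping header and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        remote_ip = remote.rsplit(":", 1)[0]   # strip the remote port
        yield local, remote_ip, state


def syn_flood_report(text, min_half_open=3, min_ratio=2.0):
    """Per local socket: half-open count, established count, distinct sources, flagged."""
    stats = defaultdict(lambda: {"SYN_RECV": 0, "ESTABLISHED": 0, "remotes": set()})
    for local, remote_ip, state in parse_netstat(text):
        s = stats[local]
        if state in ("SYN_RECV", "ESTABLISHED"):
            s[state] += 1
        if state == "SYN_RECV":
            s["remotes"].add(remote_ip)
    report = {}
    for local, s in stats.items():
        half, est = s["SYN_RECV"], s["ESTABLISHED"]
        # A listener with half-open sockets and no established ones is the worst case.
        ratio = (half / est) if est else (float("inf") if half else 0.0)
        report[local] = {
            "half_open": half,
            "established": est,
            "distinct_sources": len(s["remotes"]),
            "flagged": half >= min_half_open and ratio >= min_ratio,
        }
    return report
```

Counting distinct remote addresses matters because SYN floods are usually spoofed: a flagged listener with hundreds of sources and no completed handshakes is not a traffic spike from real clients. On the AWS side the deck's answer is SYN proxying and SYN cookies, which keep the half-open state off the instance altogether.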
Vector #4: Web Application Layer Attacks
• Malicious web requests that look like real users
• Impact availability or scrape site content
• Mitigate using a WAF
• Block abusive IPs, user agents, etc.
• Rate-based blacklisting
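Added example, not from the deck: the sliding-window logic behind a rate-based blacklist, replayed over a constructed access-log excerpt. The limit of 10 requests per second and the 60-second block are assumptions; in the architecture the deck describes this decision belongs at the WAF or edge, not on the origin.

```python
"""Sliding-window rate-based blocking keyed by client IP (example logic)."""
from collections import defaultdict, deque


class RateLimiter:
    def __init__(self, limit, window_seconds, block_seconds):
        self.limit = limit                 # requests allowed inside one window
        self.window = window_seconds
        self.block_for = block_seconds
        self.hits = defaultdict(deque)     # ip -> request timestamps in window
        self.blocked_until = {}            # ip -> time the block expires

    def allow(self, ip, now):
        """Return True if the request seen at time `now` should be served."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False
            del self.blocked_until[ip]     # block expired, start counting again
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return False
        return True

    def blocked(self, now):
        """Addresses currently on the blacklist."""
        return sorted(ip for ip, t in self.blocked_until.items() if now < t)


def replay(log_lines, limiter):
    """Replay constructed 'timestamp ip path' lines; return (served, rejected)."""
    served = rejected = 0
    for line in log_lines:
        ts, ip, _path = line.split()
        if limiter.allow(ip, float(ts)):
            served += 1
        else:
            rejected += 1
    return served, rejected


# Constructed access-log excerpt: one client fires 12 requests within a second,
# another sends two well-spaced requests.
SAMPLE_LOG = (
    [f"{100 + i * 0.05:.2f} 203.0.113.9 /login" for i in range(12)]
    + ["100.10 198.51.100.4 /", "105.00 198.51.100.4 /about"]
)


def demo():
    limiter = RateLimiter(limit=10, window_seconds=1.0, block_seconds=60.0)
    served, rejected = replay(SAMPLE_LOG, limiter)
    return served, rejected, limiter.blocked(now=106.0)
```

Keying purely on the client IP has a known weakness the slide's "user agents, etc." hints at: clients behind one NAT share a key and can be blocked together, while a distributed attack stays under the per-IP limit. Combine the counter with other request attributes and log every block decision so false positives can be reviewed.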
Vector #5: DNS Query Floods
• Many legitimate DNS queries can exhaust host capacity
• Random queries can “cache bust” recursive DNS (e.g., ezspobmzlanungyp.www.example.com)
• Authoritative DNS compelled to respond
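Added example, not from the deck: a Python script that spots the random-subdomain ("cache busting") pattern in a DNS query log by scoring the leftmost label's character entropy and the share of never-repeating labels per client. The query records are constructed; the entropy threshold of 3.0 bits, the 10-character minimum label length and the 50% suspicion cut-off are assumptions.

```python
"""Spot random-subdomain query floods against a zone.

Labels like ezspobmzlanungyp.www.example.com are pseudo-random, so they have
high character entropy and never repeat. Legitimate hostnames are short,
low-entropy, and asked for again and again.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_label(qname):
    return qname.rstrip(".").split(".")[0].lower()


def analyze(queries, zone, entropy_threshold=3.0, min_len=10):
    """queries: iterable of (client_ip, qname). Returns a per-client summary for `zone`."""
    per_client = defaultdict(lambda: {"total": 0, "random_looking": 0, "unique": set()})
    for client, qname in queries:
        if not qname.rstrip(".").endswith(zone):
            continue
        label = leftmost_label(qname)
        s = per_client[client]
        s["total"] += 1
        s["unique"].add(label)
        if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold:
            s["random_looking"] += 1
    return {
        client: {
            "total": s["total"],
            "random_looking": s["random_looking"],
            "unique_ratio": len(s["unique"]) / s["total"],
            "suspicious": s["random_looking"] / s["total"] >= 0.5,
        }
        for client, s in per_client.items()
    }


# Constructed query log: one resolver forwards random labels, one looks normal.
SAMPLE_QUERIES = [
    ("192.0.2.10", "ezspobmzlanungyp.www.example.com"),
    ("192.0.2.10", "qwlkdfjaszmvoxdu.www.example.com"),
    ("192.0.2.10", "bnxlpqrtuvwzyadk.www.example.com"),
    ("192.0.2.10", "hgtrfedswaqzxcvb.www.example.com"),
    ("198.51.100.2", "www.example.com"),
    ("198.51.100.2", "www.example.com"),
    ("198.51.100.2", "mail.example.com"),
]
```

The clients that show up as suspicious are usually open recursive resolvers being used as intermediaries, not the attacker, which is why the slide says the authoritative server is "compelled to respond": it cannot simply refuse those resolvers without also refusing their legitimate users. Treat the output as a prioritisation list for rate limiting, and expect false positives from hostnames that legitimately embed hashes or IDs.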
DDoS Mitigation on AWS
Conventional DDoS Mitigation
[Diagram: users and the DDoS attack are routed through an external DDoS mitigation service before reaching a conventional data center.]
DDoS Mitigation on AWS
• Built into the AWS global infrastructure
• Fast mitigation without external routing
• Protection of availability, latency, and throughput
DDoS Attacks and Mitigation
• “BlackWatch” systems protect AWS, mitigate large volume attacks
• Methods:
• Allow only traffic valid for the service
• SYN proxy/cookies when high levels of SYN==1 detected
• Suspicion-based traffic shaping
Suspicion-Based Traffic Shaping
• Prioritize reliable traffic
• Deprioritize spikes of traffic:
• Abnormal sources (networks, geos)
• Abnormal ports and protocols
• Abnormal packet or request characteristics
• Leverage AWS scale, minimize false positives
[Chart slide: Suspicion-Based Traffic Shaping]
Protecting Web Applications
Common Web Application
[Diagram: users, with the DDoS attack mixed in, reach an Application Load Balancer in a public subnet (ALB security group); the ALB forwards to Amazon EC2 instances in a private subnet (web application security group).]
ALB Scaling and Mitigation
[Diagram: the same architecture under attack. BlackWatch DDoS mitigation sits in front of the public subnet and the Application Load Balancer scales out to several ALB nodes to absorb the remaining traffic.]
Transit Diversity and Redundancy
[Diagram: three separate internet exchanges feed us-east-1, where the DDoS-resilient web application runs.]
Highly Resilient Web Application
[Diagram: Amazon Route 53 resolves users to Amazon CloudFront, with AWS WAF attached and Amazon API Gateway alongside at the edge; CloudFront forwards to the Application Load Balancer (ALB security group) in a public subnet and on to Amazon EC2 instances (web application security group) in a private subnet. The DDoS attack arrives with the users at the edge.]
Mitigate closer to the source
[Diagram: internet exchanges at edge locations (Tokyo, Singapore, Hong Kong, Dublin, London, Milan), each backed by BlackWatch DDoS mitigation, absorb the DDoS attack near its source before traffic reaches the DDoS-resilient web services in us-east-1.]
Globally Distributed Capacity
Case Study: Crownpeak / BNY Mellon
Introduction to Crownpeak
• Crownpeak has pioneered the SaaS model for web content management systems since 2001
• We provide a full digital experience management suite, delivered entirely using Amazon Web Services
• We are headquartered in Los Angeles, CA, with offices in Denver, CO, and London, UK
Introduction to the Case Study
• Bank of New York Mellon at a glance:
• $29.5 trillion assets under custody and/or administration
• $1.7 trillion assets under management
• 100+ markets worldwide
• Many websites managed and hosted by Crownpeak
• Committed to best-in-class cyber defense and threat protection
Baseline Architecture
[Diagram: Amazon Route 53 -> Amazon CloudFront -> ELB load balancer (ELB security group) in a public subnet -> Amazon EC2 instances (web application security group) in a private subnet; users and the DDoS attack enter at CloudFront.]
Hardened Architecture
[Diagram: the baseline architecture with AWS WAF added in front of Amazon CloudFront, Elastic Load Balancing in the public subnet, and AWS Lambda and Amazon S3 added to the design.]
DDoS Testing

Test                Description
HTTP GET baseline   Basic load test to establish thresholds at which mitigation devices activate
WILD HULK DDoS      Obfuscation of source client, reference forgery, stickiness, URL transformation
WAF overload        Parallel SQL injection and vulnerability scans

Metric                     Ave / Peak
Concurrent attack vectors  200
Requests sent              200 K/second (ave), 1 M+/second (peak)
Data volume returned       35-40 Gb/second (ave), 52 Gb/second (peak)
Data volume sent           2.5-3.5 Gb/second (ave), 4.4 Gb/second (peak)
Test Results
How Far Can You Push These Technologies?
Conclusions and Final Recommendations
• Amazon CloudFront, AWS WAF are a highly effective defense against the most sophisticated Layer 7 attacks
• Best practices for best defense:
• Invest time in limiting query string and header forwarding: eliminates many common attacks
• Deploy HTTP->HTTPS redirect at the edge: shields the origin from redirect floods
• Implement an SNI-based infrastructure: many DDoS toolkits fail the TLS handshake
DDoS-Resilient Architecture on Amazon EC2
VPC Flow Logs, Security Groups, Network ACLs Primer
[Diagram: VPC 10.200.0.0/16 with a public subnet 10.200.150.0/24 (internet gateway, route table, WebServer security group) and a private subnet 10.200.99.0/24 (NAT gateway, route table, Application security group), an instance in each, and flow logs enabled.]
Security group rules shown on the slide: Ingress Rule 0.0.0.0/0 : 80; Egress Rule 0.0.0.0/0 : ANY; ApplicationSecurityGroup : 8443; Ingress Rule WebServerSecurityGroup : ANY; Egress Rule 0.0.0.0/0 : ANY
Security groups: works like a firewall
VPC Flow Logs, Security Groups, Network ACLs Primer
[Diagram: the same VPC, highlighting the flow logs captured for each instance's network interface.]
Flow logs: works like NetFlow
srcIP, dstIP, srcPort, dstPort, protocol, accept/reject
VPC Flow Logs, Security Groups, Network ACLs Primer
[Diagram: the same VPC, highlighting the network ACL at each subnet boundary.]
Network ACLs: works like router ACLs
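Added example, not from the deck: a Python script that ties the three primer slides together. It parses VPC Flow Log records (the fields the slide lists, in the default record format: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), ranks the sources sending the most traffic to protocol/port pairs the web tier does not serve, and builds the keyword arguments one would pass to boto3's EC2 `create_network_acl_entry` to deny them at the subnet boundary. The flow records, the ACL id, the served-port set and the rule numbers are constructed assumptions.

```python
"""Triage VPC Flow Log records and draft network ACL deny entries."""
from collections import defaultdict

SERVED_PORTS = {80, 443}          # assumption: what the web tier actually listens on
PROTO = {6: "tcp", 17: "udp"}      # IANA protocol numbers as they appear in flow logs

# Constructed records in the default flow-log format. The last line is a
# NODATA interval, which flow logs emit when nothing was captured.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.200.150.10 4655 80 17 1200 1228800 1480000000 1480000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.200.150.10 4656 80 17 900 921600 1480000000 1480000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.33 10.200.150.10 1900 80 17 700 716800 1480000000 1480000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.200.150.10 50122 80 6 12 9600 1480000000 1480000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.200.150.10 41002 443 6 30 24000 1480000000 1480000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1480000000 1480000060 - NODATA
"""

FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_log(text):
    """Yield dict records; NODATA/SKIPDATA intervals carry no 5-tuple and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def unwanted_sources(text, served_ports=SERVED_PORTS, top=5):
    """Rank (src, proto, dstport) by packets sent to anything the tier does not serve."""
    totals = defaultdict(int)
    for rec in parse_flow_log(text):
        proto = PROTO.get(rec["protocol"], str(rec["protocol"]))
        # Only TCP to a served port is wanted here; UDP of any kind is not
        # (the deck: UDP is a clear indicator if the destination does not use UDP).
        if proto == "tcp" and rec["dstport"] in served_ports:
            continue
        totals[(rec["srcaddr"], proto, rec["dstport"])] += rec["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


def nacl_deny_entries(ranked, acl_id, first_rule_number=100):
    """Build create_network_acl_entry kwargs; NACL rules are evaluated lowest number first."""
    entries = []
    for i, ((src, proto, port), _packets) in enumerate(ranked):
        entries.append({
            "NetworkAclId": acl_id,
            "RuleNumber": first_rule_number + i,   # must sort before the allow rules
            "Protocol": "17" if proto == "udp" else "6",
            "RuleAction": "deny",
            "Egress": False,                        # inbound rule
            "CidrBlock": f"{src}/32",
            "PortRange": {"From": port, "To": port},
        })
    return entries
```

Two caveats a practitioner should keep in mind. Network ACLs are stateless and have a small rule quota, so per-/32 deny rules only make sense for a handful of persistent sources; against a distributed flood the scalable form of the same idea is one rule that denies the whole protocol the tier does not use (Protocol "17" with CidrBlock 0.0.0.0/0), which is exactly "allow only traffic valid for the service". And a rejected flow still crossed the network interface, so the bytes in REJECT records are bandwidth already spent on the instance.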
Amazon EC2 for Game Developers
• Web portals
• Game servers
• Matching servers
• Relay servers
Web Portal = The Usual Suspects
[Diagram: the same edge-to-origin stack as the highly resilient web application: Amazon Route 53, Amazon CloudFront with AWS WAF, Amazon API Gateway, ELB / ALB (ELB security group) in a public subnet, Amazon EC2 instances (web application security group) in a private subnet; users and the DDoS attack arrive together.]
Game Servers, Match Servers, Relays
• UDP vs TCP
• Latency
• Scaling
Options
• Reduce your attackable surface area
• Filter unwanted traffic
• DNS protection
• Protect API endpoint
• Restrict access
• Scale to absorb
• Size appropriately
• Reduce blast radius
• Move the target
Reduce the Blast Radius
[Diagrams: first, all players connect to one instance in one subnet and one security group, so the DDoS attack on that instance affects every player; second, players are spread across several instances, each with its own security group, so the attack reaches only the players on the targeted instance.]
Restrict Access – Security Groups
[Diagram: players reach the instance in its subnet through a security group; the DDoS attack is filtered by the security group rules.]
Restrict Access – Host-Based
[Diagram: the same layout, with access also restricted on the instance itself (host-based), shown with several security groups.]
Move the Target
• Use elastic IP addresses
• Don’t use contiguous IP addresses
[Diagram: players follow the instance to a new Elastic IP while the DDoS attack continues against the old address in the subnet.]
TeamSpeak3 on EC2
• TeamSpeak3 is voice communication software
• Popular with online computer gamers
• Common DDoS target
TeamSpeak3 on EC2
Resiliency
1. Leverage AWS global infrastructure
2. Minimize attack surface
3. Reduce blast radius
4. Automatically mitigate attacks
5. Analyze and learn from attacks
Attack Surface
[Diagram: Amazon Route 53 directs users to an instance with an Elastic IP in its own subnet, protected by a network ACL.]
One network ACL per VPC subnet
One VPC subnet per instance
Attack Surface
Blast Radius
[Diagram: Amazon Route 53 spreads users across instances in AZ #1, AZ #2 and AZ #3; the attack shown lands on one AZ only.]
Attack Mitigation
[Diagram: Amazon Route 53 points users at an instance behind an Elastic IP, in a subnet with its own network ACL; Amazon CloudWatch and AWS Lambda are attached to the instance.]
Sequence shown across the slides:
DDoS attack begins
1. DDoS attack detected
2. Elastic IP address changed
3. Route 53 DNS updated
DDoS attack mitigated
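Added example, not from the deck or the TeamSpeak3 deployment it describes: a Python function that performs steps 2 and 3 of the sequence above (allocate a fresh Elastic IP, move the instance to it, repoint the Route 53 record, release the attacked address) in the order a Lambda handler would run them once step 1 fires. The boto3 call names (`allocate_address`, `associate_address`, `release_address`, `change_resource_record_sets`) and their parameters are real, but the clients are injected so the logic runs here against in-memory fakes; the instance id, allocation id, hosted zone id, record name and addresses are placeholders.

```python
"""'Move the target': rotate an instance's Elastic IP and update Route 53."""


def swap_elastic_ip(ec2, route53, instance_id, old_allocation_id,
                    hosted_zone_id, record_name, ttl=60):
    """Allocate a new EIP, move the instance to it, repoint DNS, release the old EIP."""
    new = ec2.allocate_address(Domain="vpc")
    ec2.associate_address(InstanceId=instance_id, AllocationId=new["AllocationId"])
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={
            "Comment": "DDoS mitigation: rotate Elastic IP",
            "Changes": [{
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": record_name,
                    "Type": "A",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": new["PublicIp"]}],
                },
            }],
        },
    )
    # Release last, after users can already resolve the new address: from here on
    # traffic aimed at the attacked address has no instance to land on.
    ec2.release_address(AllocationId=old_allocation_id)
    return new["PublicIp"]


class FakeEC2:
    """In-memory stand-in for boto3's EC2 client (constructed for this example)."""

    def __init__(self, log):
        self.log = log
        self.pool = iter(["198.51.100.50", "198.51.100.51"])   # placeholder addresses
        self.addresses = {"eipalloc-old": "198.51.100.10"}     # placeholder allocation
        self.associated = {}

    def allocate_address(self, Domain):
        alloc_id = f"eipalloc-{len(self.addresses)}"
        ip = next(self.pool)
        self.addresses[alloc_id] = ip
        self.log.append("allocate")
        return {"AllocationId": alloc_id, "PublicIp": ip}

    def associate_address(self, InstanceId, AllocationId):
        self.associated[InstanceId] = AllocationId
        self.log.append("associate")
        return {"AssociationId": f"eipassoc-{AllocationId}"}

    def release_address(self, AllocationId):
        del self.addresses[AllocationId]
        self.log.append("release")


class FakeRoute53:
    """In-memory stand-in for boto3's Route 53 client (constructed for this example)."""

    def __init__(self, log):
        self.log = log
        self.records = {}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        for change in ChangeBatch["Changes"]:
            rrset = change["ResourceRecordSet"]
            key = (HostedZoneId, rrset["Name"])
            self.records[key] = [r["Value"] for r in rrset["ResourceRecords"]]
        self.log.append("upsert")
        return {"ChangeInfo": {"Status": "PENDING"}}


def demo():
    """Run the swap against the fakes; with boto3 you would pass real clients instead."""
    log = []
    ec2, r53 = FakeEC2(log), FakeRoute53(log)
    new_ip = swap_elastic_ip(ec2, r53, "i-PLACEHOLDER", "eipalloc-old",
                             "Z-PLACEHOLDER", "voice.example.com.")
    return new_ip, log, r53.records, ec2.addresses
```

The "90 seconds per attack" result on the next slide depends on the DNS TTL being short before the attack starts, since clients keep the old address until their cached record expires; set the low TTL in advance, not during the swap. The detection step is outside this block and would typically be a CloudWatch alarm on the instance's network metrics invoking the Lambda function.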
Demo: Attack Mitigation with EIP Swapping
Results
Before: 50 attacks per month, 2000 users affected per attack, 15 minutes per attack = 1,500,000 user minutes
After: 5 attacks per month, 200 users affected per attack, 90 seconds per attack = 1,500 user minutes
Attack Analysis
[Diagram: user -> single-page app served from Amazon S3 through Amazon CloudFront -> REST-based API on Amazon API Gateway backed by AWS Lambda, over VPC Flow Logs stored in Amazon S3 and indexed in Amazon SimpleDB.]
DDoS Mitigation Support
Need Help?
Step 1: Click “Create Case”
Step 2: Select “Distributed Denial of Service (DDoS)”
Step 3: Select the category and severity and write a subject and description
Step 4: Talk to a DDoS expert
AWS Best Practices for DDoS Resiliency
• Types of DDoS attacks
• Mitigation techniques
• Attack surface reduction
• Operational techniques
Download from https://aws.amazon.com/security
AWS Best Practices for DDoS Resiliency
June 2016
Thank you!
Learn more about DDoS mitigation on AWS at https://aws.amazon.com/security
Remember to complete your evaluations!