DDoS Protection
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
DDoS Protection
Craig Lawton, AWS Solutions Architect
30th August 2017
AWS Shield
- 2. What to expect from this session
What is DDoS?
Challenge/Impact customers face mitigating DDoS attacks
AWS approach to DDoS Protection
Introducing AWS Shield, a managed DDoS protection service
Getting Started
- 4. Denial of Service
The act of making a network service unusable or
unavailable usually by overloading the server or the
network
- 6. Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
[Figure: OSI layers 1-7]
- 7. Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
[Figure: OSI layers 1-7]
- 8. Types of DDoS attacks
Application-layer DDoS attacks
Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
[Figure: OSI layers 1-7]
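The three categories on slides 6-8 look different on the wire, and a detector has to use different signals for each: reflected UDP volume for volumetric attacks, half-open TCP handshakes for state exhaustion, and sheer request rate from well-formed connections for application-layer floods. The following is an added example (not from the AWS deck) that classifies constructed flow records; the record format is a simplified one invented for the example (not VPC Flow Logs), and the thresholds are illustrative assumptions for a 60-second window.

```python
"""Classify constructed flow records into the three DDoS categories from the slides.

Added example, not from the AWS deck. The record format is a constructed,
simplified one (src dst proto sport dport packets bytes tcp_flags), not VPC
Flow Logs, and the thresholds are illustrative assumptions for a 60 s window.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP services abused for reflection: the attacker spoofs the victim's address,
# so the (amplified) replies, sent FROM these ports, land on the victim.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Illustrative thresholds (assumptions), all per 60 s window.
VOLUMETRIC_MBPS = 500.0       # reflected traffic toward one target
HALF_OPEN_PER_TARGET = 1000   # SYNs that never completed a handshake
HTTP_FLOWS_PER_SOURCE = 200   # well-formed HTTP(S) connections from one client


@dataclass
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    nbytes: int
    tcp_flags: str   # flags seen over the flow's life: "S", "SA", "SAF"...; "" for UDP


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record; '-' means no TCP flags (UDP)."""
    src, dst, proto, sport, dport, packets, nbytes, flags = line.split()
    return Flow(src, dst, proto, int(sport), int(dport), int(packets), int(nbytes),
                "" if flags == "-" else flags)


def classify(flows, window_s=60):
    """Return {category: details} for each category whose threshold is exceeded."""
    verdicts = {}

    # Volumetric: UDP replies from reflector ports, summed per victim, in Mbps.
    reflected, services = defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.sport in REFLECTION_PORTS:
            reflected[f.dst] += f.nbytes
            services[f.dst].add(REFLECTION_PORTS[f.sport])
    for dst, total in reflected.items():
        mbps = total * 8 / window_s / 1e6
        if mbps >= VOLUMETRIC_MBPS:
            verdicts["volumetric"] = {"target": dst, "mbps": round(mbps, 1),
                                      "services": sorted(services[dst])}

    # State exhaustion: SYN seen but the handshake never completed (no ACK),
    # which is what fills connection tables in firewalls and load balancers.
    half_open = Counter(f.dst for f in flows if f.proto == "tcp" and f.tcp_flags == "S")
    for dst, n in half_open.items():
        if n >= HALF_OPEN_PER_TARGET:
            verdicts["state_exhaustion"] = {"target": dst, "half_open": n}

    # Application layer: completed, well-formed HTTP(S) connections, just far too
    # many from one client. Nothing is malformed, so only the rate gives it away.
    http = Counter(f.src for f in flows
                   if f.proto == "tcp" and f.dport in (80, 443) and "A" in f.tcp_flags)
    for src, n in sorted(http.items()):
        if n >= HTTP_FLOWS_PER_SOURCE:
            verdicts.setdefault("application_layer", []).append({"source": src, "flows": n})
    return verdicts


def sample_flows():
    """Constructed records against 203.0.113.10: 2,000 half-open SYNs, 300 DNS/NTP
    reflection replies of 15 MB each, 250 HTTP connections from one client, and a
    little legitimate traffic."""
    lines = [f"198.51.100.{i % 250 + 1} 203.0.113.10 tcp {40000 + i} 443 1 60 S"
             for i in range(2000)]
    lines += [f"192.0.2.{i % 250 + 1} 203.0.113.10 udp {123 if i % 2 else 53} {50000 + i} "
              f"10000 15000000 -" for i in range(300)]
    lines += [f"198.51.100.251 203.0.113.10 tcp {30000 + i} 443 12 2400 SAF" for i in range(250)]
    lines += [f"203.0.113.50 203.0.113.10 tcp {20000 + i} 443 40 60000 SAF" for i in range(5)]
    return lines


def demo():
    return classify([parse_flow(line) for line in sample_flows()])


if __name__ == "__main__":
    for category, detail in demo().items():
        print(f"{category}: {detail}")
```

The point of the three separate signals is the one the slides make: a volumetric attack is obvious from byte counts, a SYN flood is obvious from handshake state, but the application-layer flood is indistinguishable from legitimate traffic packet by packet and can only be caught by rate, which is why the deck hands that case to AWS WAF rather than to the network-layer mitigations.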
- 11. Attack Duration: varies by service provider
[Figure: attack duration charts]
Sources: Arbor Networks, Inc. 2016 WISR Report; Imperva DDoS Threat Landscape Report 2015-2016
- 12. Traditional approach to mitigating DDoS attacks
Difficult to enable:
• Complex set-up
• Provision bandwidth capacity
• Operator involvement to initiate mitigation
- 15. Impact of DDoS Attacks
Source: Arbor Networks, Inc. 2016 WISR Report
- 16. Impact of DDoS Attacks
Source: Arbor Networks, Inc. 2016 WISR Report
- 18. At AWS, our goal has always been to …
• Remove undifferentiated heavy lifting: automatically protected against common attacks
• Ensure availability: AWS services are highly available
- 19. AWS Shield
Four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimize impact on application latency
- 20. AWS Shield
Standard Protection: available to ALL AWS customers at no additional cost.
Advanced Protection: paid service that provides additional protections, features and benefits.
- 21. AWS Shield Standard
Layer 3/4 protection
• Automatic detection & mitigation
• Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.)
• Built into AWS services
Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
- 22. DDoS protections built into AWS
• Protection against most common infrastructure attacks: SYN/ACK floods, UDP floods, reflection attacks, etc.
• No additional cost
[Figure: DDoS attack and user traffic from the Internet pass through AWS DDoS mitigation systems before reaching Amazon CloudFront, Amazon Route 53 and Classic Load Balancer; a traditional data centre (D/C) is shown alongside]
- 23. AWS Shield Advanced
Available today on …
• Application Load Balancer (select Regions only)
• Elastic Load Balancer (select Regions only)
• Amazon CloudFront (all Regions)
• Amazon Route 53 (all Regions)
- 24. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
- 26. Systems Overview
[Figure: layered mitigation path. A DDoSer on the Internet meets Internet-Layer Mitigations at the AWS Border Network, then Network Layer Mitigations, then Web Layer Mitigations in AWS Services, before reaching Customer Infrastructure; DDoS Detection and the DDoS Response Team are shown alongside]
- 27. Systems Overview (same figure as slide 26, one mitigation stage highlighted)
Effective Against:
• Any Large-Scale Attack (>xxx Gbps)
- 32. Systems Overview (same figure as slide 26, one mitigation stage highlighted)
Effective Against:
• SYN Floods
• Reflection Attacks
• Suspicious Sources
- 33. Network-Layer Mitigation – Edge Services
[Figure: at an AWS Edge Location, BlackWatch DDoS mitigation sits between incoming DDoS attack/user traffic and CloudFront, API Gateway and Route 53]
- 34. Systems Overview (same figure as slide 26, one mitigation stage highlighted)
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP
• HTTP Floods
- 35. Systems Overview (same figure as slide 26, one mitigation stage highlighted)
Effective Against:
• HTTP Floods
• Bad Bots
• Suspicious IPs
- 36. Systems Overview (same figure as slide 26, one mitigation stage highlighted)
Effective Against:
• Application-Layer Attacks
• Custom Protocol Attacks
- 37. Customer categories for AWS WAF
Ready-to-use Protection
• SQLi
• XSS
• 3rd Party Reputation Lists
• HTTP Flood Protection
Customizable Protection
• Flexible Rules Engine: Size Constraint Rules, Body Inspection, String Match
• 100K Entry Blacklists
• ~1 Min Updates
Lambda Based Protection
• Open Source GitHub Repository
• Solution Builder Protections
• https://aws.amazon.com/waf/preconfiguredrules/
- 38. AWS WAF – Layer 7 application protection
Three modes of operation:
• Self-service
• Engage DDoS experts
• Proactive DRT engagement
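The "HTTP Flood Protection" and "Lambda Based Protection" items on slide 37 describe the same pattern: a Lambda function reads CloudFront access logs, finds clients exceeding a request rate, and pushes them into an AWS WAF IP set that a BLOCK rule references. The block below is an added example in that spirit, written for this page and not the code of the AWS solution or of the GitHub repository the slide points to. The log lines are constructed and cut down to the leading, tab-separated fields of the CloudFront access log format (date, time, x-edge-location, sc-bytes, c-ip, cs-method, cs(Host), cs-uri-stem, sc-status); the edge location code, distribution hostname, threshold and window are assumptions.

```python
"""HTTP-flood detection from CloudFront access logs, emitting AWS WAF IP set updates.

Added example in the spirit of the Lambda-based "HTTP Flood Protection" solution
the slide refers to; it is not that project's code. Log lines are constructed and
cut down to the leading fields of the CloudFront access log format
(date, time, x-edge-location, sc-bytes, c-ip, cs-method, cs(Host), cs-uri-stem,
sc-status, tab-separated). The threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

MAX_REQUESTS = 100             # more than this many requests ...
WINDOW = timedelta(minutes=1)  # ... within any window this long => block the client


def parse_line(line):
    """Return (timestamp, client_ip), or None for the #Version / #Fields header lines."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.rstrip("\n").split("\t")
    ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
    return ts, fields[4]


def find_flooders(lines, max_requests=MAX_REQUESTS, window=WINDOW):
    """Sliding-window request count per client IP. Returns {ip: peak_in_window}
    for clients whose peak exceeds max_requests."""
    per_ip = defaultdict(list)
    for parsed in map(parse_line, lines):
        if parsed:
            ts, ip = parsed
            per_ip[ip].append(ts)
    flooders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop requests older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flooders[ip] = peak
    return flooders


def ipset_updates(ips, action="INSERT"):
    """Updates list for waf.update_ip_set (classic AWS WAF). Hosts are written as
    /32 (IPv4) or /128 (IPv6) CIDRs, which is what the IPSetDescriptor expects;
    action="DELETE" builds the matching unblock."""
    updates = []
    for ip in sorted(ips, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        updates.append({"Action": action, "IPSetDescriptor": {
            "Type": "IPV4" if addr.version == 4 else "IPV6",
            "Value": f"{addr}/{32 if addr.version == 4 else 128}"}})
    return updates


def sample_log():
    """Constructed log: 150 requests from 198.51.100.23 within 40 s, and one request
    every 10 s from 203.0.113.5, which stays well under the limit."""
    header = ["#Version: 1.0",
              "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status"]

    def row(t, ip, uri):  # edge code and hostname are placeholders
        return "\t".join(["2017-08-30", t.strftime("%H:%M:%S"), "SYD1-C1", "1024",
                          ip, "GET", "d111111abcdef8.cloudfront.net", uri, "200"])

    base = datetime(2017, 8, 30, 10, 0, 0)
    rows = [row(base + timedelta(seconds=i % 40), "198.51.100.23", "/login") for i in range(150)]
    rows += [row(base + timedelta(seconds=10 * i), "203.0.113.5", "/index.html") for i in range(20)]
    return header + rows


def demo():
    flooders = find_flooders(sample_log())
    return flooders, ipset_updates(flooders)


if __name__ == "__main__":
    flooders, updates = demo()
    print(flooders)
    print(updates)
```

To apply the result with boto3's classic WAF client: `waf.update_ip_set(IPSetId=..., ChangeToken=waf.get_change_token()["ChangeToken"], Updates=updates)`, with the IP set referenced by a rule whose action in the Web ACL is BLOCK. Two operational caveats: schedule the DELETE updates (same helper with `action="DELETE"`) so blocks expire, or a shared NAT address stays blocked long after the flood; and note that AWS WAF rate-based rules, available since mid-2017, do this per-IP counting natively over a 5-minute window, so the log-driven approach is mainly worth it when you need a different window or criteria beyond request count.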
- 41. DDoS Response Team Mitigation
[Figure: the same edge location as slide 33 (BlackWatch DDoS mitigation in front of CloudFront, API Gateway and Route 53), with AWS WAF added; the DDoS Response Team applies mitigations through internal tools]
- 42. Attack notification and reporting
Attack monitoring and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports
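"Real-time notification via Amazon CloudWatch" means Shield Advanced publishes metrics you alarm on yourself; nothing pages you until you wire it up. The block below is an added example, not from the deck: it builds the `put_metric_alarm` parameters for the `DDoSDetected` metric (published, together with `DDoSAttackBitsPerSecond`, `DDoSAttackPacketsPerSecond` and `DDoSAttackRequestsPerSecond`, in the `AWS/DDoSProtection` namespace with a `ResourceArn` dimension) and reduces a `describe_attack` response to an on-call summary. The `describe_attack` response is a constructed sample shaped like the API's output; its attack id, ARN, counter name and mitigation name are placeholders.

```python
"""CloudWatch alarm and attack-report summary for AWS Shield Advanced.

Added example, not from the deck. Shield Advanced publishes DDoSDetected,
DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond and DDoSAttackRequestsPerSecond
under the AWS/DDoSProtection CloudWatch namespace, with a ResourceArn dimension.
SAMPLE_DESCRIBE_ATTACK is a constructed response shaped like shield.describe_attack();
the attack id, ARN, counter and mitigation names in it are placeholders.
"""
from datetime import datetime, timezone


def ddos_alarm(resource_arn, sns_topic_arn, alarm_name=None):
    """Keyword arguments for cloudwatch.put_metric_alarm(**...): page as soon as
    Shield reports an attack on resource_arn (DDoSDetected > 0 in a 1-minute period)."""
    return {
        "AlarmName": alarm_name or "ddos-detected-" + resource_arn.rsplit("/", 1)[-1],
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # no datapoint means no attack; don't page on gaps
        "AlarmActions": [sns_topic_arn],
    }


def summarize_attack(resp, now=None):
    """Reduce a shield.describe_attack response to what the on-call engineer needs:
    whether it is still running, duration, peak per counter, top sources, mitigations."""
    attack = resp["Attack"]
    start, end = attack["StartTime"], attack.get("EndTime")
    end_or_now = end or now or datetime.now(timezone.utc)
    peaks = {c["Name"]: (c["Max"], c["Unit"]) for c in attack.get("AttackCounters", [])}
    vectors, top_sources = {}, []
    for prop in attack.get("AttackProperties", []):
        vectors[prop["AttackPropertyIdentifier"]] = prop["AttackLayer"]
        if prop["AttackPropertyIdentifier"] == "SOURCE_IP_ADDRESS":
            top_sources = [(c["Name"], c["Value"]) for c in prop.get("TopContributors", [])]
    return {
        "attack_id": attack["AttackId"],
        "resource": attack["ResourceArn"],
        "ongoing": end is None,
        "duration_min": round((end_or_now - start).total_seconds() / 60, 1),
        "peaks": peaks,
        "vectors": vectors,
        "top_sources": top_sources,
        "mitigations": [m["MitigationName"] for m in attack.get("Mitigations", [])],
    }


EXAMPLE_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"  # placeholder

SAMPLE_DESCRIBE_ATTACK = {  # constructed; shaped like the real response
    "Attack": {
        "AttackId": "example-attack-id",
        "ResourceArn": EXAMPLE_ARN,
        "StartTime": datetime(2017, 8, 30, 9, 0, tzinfo=timezone.utc),
        "EndTime": datetime(2017, 8, 30, 9, 42, tzinfo=timezone.utc),
        "AttackCounters": [
            {"Name": "SYN_FLOOD", "Max": 4200000.0, "Average": 2100000.0,
             "Sum": 88200000.0, "N": 42, "Unit": "PACKETS"},
        ],
        "AttackProperties": [
            {"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
             "TopContributors": [{"Name": "198.51.100.7", "Value": 900000},
                                 {"Name": "198.51.100.9", "Value": 650000}],
             "Unit": "PACKETS", "Total": 5000000},
        ],
        "Mitigations": [{"MitigationName": "example-mitigation"}],
    }
}


def ongoing_sample():
    """Same constructed attack, but still in progress (the API omits EndTime)."""
    attack = dict(SAMPLE_DESCRIBE_ATTACK["Attack"])
    del attack["EndTime"]
    return {"Attack": attack}


if __name__ == "__main__":
    print(ddos_alarm(EXAMPLE_ARN, "arn:aws:sns:us-east-1:123456789012:ddos-pages"))
    print(summarize_attack(SAMPLE_DESCRIBE_ATTACK))
```

Create the alarm with a CloudWatch client in us-east-1, where Shield Advanced publishes its metrics regardless of the protected resource's Region, and feed the summary from `shield.list_attacks()` / `shield.describe_attack(AttackId=...)` into the incident ticket; the top contributors and attack layer are what the DDoS Response Team will ask for first.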
- 43. Infrastructure Security – Pattern 1
[Figure: https://www.example.com is served through Amazon Route 53 and Amazon CloudFront at AWS Edge Locations, with AWS WAF and AWS Shield Advanced applied at the edge. Behind it, a Production VPC - Sydney (Production Account) and a Development VPC - Sydney (Development Account) each contain an ELB in front of Web/App instances and an RDS Master with RDS Standby]
- 44. Pattern 2
[Figure: Primary Region and DR Region with Route 53 failover between them. Traffic enters through the CloudFront Edge Cache and a CloudFront Regional Cache per region, protected by AWS WAF and AWS Shield Advanced at AWS Edge Locations. Each region runs Autoscaling EC2 - NGINX w/ ModSecurity in front of the Workload]
- 45. AWS DDoS Shield: Pricing
Standard Protection
• No commitment
• No additional cost
Advanced Protection
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees ($ per GB):

  Data Transfer    CloudFront    ELB
  First 100 TB     0.025         0.050
  Next 400 TB      0.020         0.040
  Next 500 TB      0.015         0.030
  Next 4 PB        0.010         Contact Us
  Above 5 PB       Contact Us    Contact Us
- 49. AWS DDoS Shield: How to choose
Standard Protection: for protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS.
Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.
- 50. AWS Shield: Getting started
Standard Protection: you get it automatically.
Advanced Protection: enable via the AWS Console.
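The console is one way to enable Advanced Protection; for more than a handful of resources you will want it in code, and you will want the code to be idempotent so a rerun does not fail on resources already protected. The block below is an added example, not from the deck: it uses the call and exception names of boto3's `shield` client (`describe_subscription`, `create_subscription`, `list_protections`, `create_protection`, `ResourceNotFoundException`, `ResourceAlreadyExistsException`). Because `create_subscription` starts the paid, 1-year commitment from the pricing slide, it is gated behind an explicit flag. `FakeShieldClient` is a constructed stand-in so the block runs offline; the ARNs are placeholders.

```python
"""Enable AWS Shield Advanced and protect resources through the API rather than the console.

Added example, not from the deck. The calls (describe_subscription, create_subscription,
list_protections, create_protection) and exception names are those of boto3's "shield"
client, whose endpoint is in us-east-1. create_subscription starts the paid, 1-year
Shield Advanced commitment from the pricing slide, so it is gated behind an explicit flag.
FakeShieldClient is a constructed stand-in so the block runs offline; ARNs are placeholders.
"""


def ensure_protections(shield, resource_arns, allow_subscribe=False):
    """Idempotently put every ARN under Shield Advanced. Returns {arn: "created"|"exists"}."""
    try:
        shield.describe_subscription()
    except shield.exceptions.ResourceNotFoundException:
        if not allow_subscribe:
            raise RuntimeError("no Shield Advanced subscription; pass allow_subscribe=True "
                               "to accept the 1-year commitment")
        shield.create_subscription()

    # Existing protections, following NextToken pagination.
    protected, kwargs = set(), {}
    while True:
        page = shield.list_protections(**kwargs)
        protected.update(p["ResourceArn"] for p in page.get("Protections", []))
        if "NextToken" not in page:
            break
        kwargs = {"NextToken": page["NextToken"]}

    result = {}
    for arn in resource_arns:
        if arn in protected:
            result[arn] = "exists"
            continue
        try:
            # Protection names allow [a-zA-Z0-9_.-] and spaces, max 128 chars; the last ARN
            # segment (distribution id, hosted zone id, load balancer id) fits that.
            shield.create_protection(Name=arn.rsplit("/", 1)[-1][:128], ResourceArn=arn)
            result[arn] = "created"
        except shield.exceptions.ResourceAlreadyExistsException:
            result[arn] = "exists"  # someone else protected it meanwhile; still fine
    return result


class FakeShieldClient:
    """Constructed offline stand-in for boto3.client("shield"); records the calls made."""

    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

        class ResourceAlreadyExistsException(Exception):
            pass

    def __init__(self, subscribed=False, protected=()):
        self.subscribed = subscribed
        self.protected = list(protected)
        self.calls = []

    def describe_subscription(self):
        self.calls.append("describe_subscription")
        if not self.subscribed:
            raise self.exceptions.ResourceNotFoundException("no subscription")
        return {"Subscription": {"TimeCommitmentInSeconds": 365 * 24 * 3600}}

    def create_subscription(self):
        self.calls.append("create_subscription")
        self.subscribed = True
        return {}

    def list_protections(self, NextToken=None):
        self.calls.append("list_protections")
        return {"Protections": [{"Id": f"p-{i}", "Name": a.rsplit("/", 1)[-1], "ResourceArn": a}
                                for i, a in enumerate(self.protected)]}

    def create_protection(self, Name, ResourceArn):
        self.calls.append(("create_protection", ResourceArn))
        if ResourceArn in self.protected:
            raise self.exceptions.ResourceAlreadyExistsException(ResourceArn)
        self.protected.append(ResourceArn)
        return {"ProtectionId": f"p-{len(self.protected) - 1}"}


# Placeholder ARNs for the demo.
CLOUDFRONT_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188"


def demo():
    """Account with no subscription and one protected distribution; protect both resources."""
    fake = FakeShieldClient(subscribed=False, protected=[CLOUDFRONT_ARN])
    return ensure_protections(fake, [CLOUDFRONT_ARN, ALB_ARN], allow_subscribe=True), fake.calls


if __name__ == "__main__":
    print(demo())
```

Against a real account, pass `boto3.client("shield", region_name="us-east-1")` in place of the fake (Shield is a global service with its endpoint in us-east-1) and leave `allow_subscribe` off in automation that is not meant to accept the commitment on its own. Subscription state is also the first thing to check when an attack notification does not arrive: Shield Advanced metrics and DRT engagement only exist for resources that actually show up in `list_protections`.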
- 52.
Thank you!