Published on June 19, 2017
1. Mitigating DDoS Attacks in an AWS Environment, by Parag Kamra
2. #whoami • Parag Kamra • Senior Security Analyst at NII Consulting (Innovation and Research Team) • 2.4 years of experience • Published a whitepaper on Azure Cloud Security Audit • Twitter: @paragkamra3
3. Agenda • Introduction to DDoS attacks • DDoS attack statistics (trends) • Types of DDoS attack • How a DDoS attack works (demo video) • Introduction to Amazon Web Services • AWS services for DDoS mitigation • Introduction to Auto Scaling • Demo
4. Introduction to DDoS Attacks • A distributed denial-of-service (DDoS) attack is an attempt to make an online service, such as a web server or a game server, unavailable by overwhelming it with traffic from many sources at once
5. DDoS Statistics • DDoS Attacks in Q1 2017 • China, South Korea and the US remained leaders in terms of both number of DDoS attacks and number of targets • The longest DDoS attack in Q1 2017 lasted for 120 hours – 59% shorter than the previous quarter’s maximum (292 hours). A total of 99.8% of attacks lasted less than 50 hours • For the first time in a year, activity by Windows-based botnets has exceeded that of Linux botnets, with their share increasing from 25% last quarter to 59.8% in Q1 2017
6. DDoS Attack Statistics • Geography of DDoS attacks (figure: 10 most targeted countries in Q1 2017)
7. DDoS Attack Statistics (cont.) • Types of DDoS attacks in Q1 2017 (figure)
8. Vectors of DDoS Attack • UDP Flood • UDP Reflection Attack (NTP) • TCP SYN Flood • Web Application Layer Attacks
9. DDoS attacks can … • Target networks with large volumes of traffic • Target systems with large volumes of connections • Target services with large volumes of requests
10. #Vector 1: UDP Flood (targets: network traffic) • Packet size is defined by the attacker • UDP traffic arriving at a destination that runs no UDP service is a clear indicator of suspicious activity
11. #Vector 2: UDP Reflection Attack (targets: network traffic) • Attacker sends a request to a UDP service with a spoofed source IP • The spoofed IP is that of the victim • The UDP service sends its large response to the victim instead of the attacker
12. #Vector 2: UDP Reflection Attack (cont.) • Large packet size: the reply is far bigger than the request, so a flood of traffic is easy to generate (amplification)
13. #Vector 3: TCP SYN Flood (targets: system connections) • Flood of connection attempts targeting a system • Connections are left half-open (SYN received, final ACK never sent), exhausting the connection state table
14. #Vector 3: TCP SYN Flood (cont.) (figure: half-open connection)
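The three network-level vectors above leave different fingerprints in VPC Flow Logs, and the deck's own hints (attacker-chosen packet size, replies arriving from a reflector's service port, handshakes that never complete) are enough to tell them apart. The Python below is an added example, not code from the talk: it parses constructed flow-log records for a web server that only listens on TCP 22/80/443 (an assumption) and reports which vector is in progress.

```python
"""Classify network-layer DDoS vectors from VPC Flow Log records.

Added example for this deck, not code from the talk. The flow-log lines are
constructed, and LISTENING is an assumption about what the target exposes.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Default VPC Flow Log (version 2) record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
TCP, UDP = 6, 17

# UDP services commonly abused as reflectors, keyed by the source port the
# reflected replies arrive from.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Assumption: the protected instance only listens on these (protocol, port) pairs.
LISTENING = {(TCP, 22), (TCP, 80), (TCP, 443)}


@dataclass(frozen=True)
class Flow:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one v2 record; NODATA/SKIPDATA records carry no counters and are dropped."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
                int(rec["protocol"]), int(rec["packets"]), int(rec["bytes"]))


def classify(flows: Iterable[Flow], min_sources: int = 20,
             syn_max_bytes: int = 64, reflect_min_bytes: int = 400) -> dict:
    """Return {vector: [evidence, ...]} for each vector whose signature clears the thresholds."""
    syn_sources = defaultdict(set)              # dstport -> sources that never completed a handshake
    udp_flood = defaultdict(set)                # unlistened UDP dstport -> sources
    reflect = defaultdict(lambda: [set(), 0])   # reflector srcport -> [reflector IPs, bytes]

    for f in flows:
        if f.protocol == TCP and (TCP, f.dstport) in LISTENING:
            # A handshake that never completes shows up as one or two SYN-sized
            # packets and no payload; a real session carries far more.
            if f.packets <= 2 and f.bytes_per_packet <= syn_max_bytes:
                syn_sources[f.dstport].add(f.srcaddr)
        elif f.protocol == UDP:
            if f.srcport in REFLECTOR_PORTS and f.bytes_per_packet >= reflect_min_bytes:
                reflect[f.srcport][0].add(f.srcaddr)
                reflect[f.srcport][1] += f.bytes
            elif (UDP, f.dstport) not in LISTENING:
                # UDP to a port with no listener: the deck's "clear indicator".
                udp_flood[f.dstport].add(f.srcaddr)

    findings = defaultdict(list)
    for port, srcs in syn_sources.items():
        if len(srcs) >= min_sources:
            findings["syn_flood"].append({"dstport": port, "sources": len(srcs)})
    for port, srcs in udp_flood.items():
        if len(srcs) >= min_sources:
            findings["udp_flood"].append({"dstport": port, "sources": len(srcs)})
    for port, (srcs, total) in reflect.items():
        # Fewer reflectors are needed because each one sends amplified traffic.
        if len(srcs) >= min_sources // 2:
            findings["udp_reflection"].append(
                {"service": REFLECTOR_PORTS[port], "reflectors": len(srcs), "bytes": total})
    return dict(findings)


def sample_log() -> list:
    """Constructed records (not real traffic) against a web server at 10.0.1.10."""
    def rec(src, sport, dport, proto, pkts, nbytes, action):
        return (f"2 123456789012 eni-0a1b2c3d {src} 10.0.1.10 {sport} {dport} {proto} "
                f"{pkts} {nbytes} 1497000000 1497000060 {action} OK")

    lines = [rec("203.0.113.5", 51000, 443, TCP, 25, 4100, "ACCEPT"),     # real HTTPS sessions
             rec("198.51.100.7", 51001, 443, TCP, 30, 5200, "ACCEPT")]
    # SYN flood: 50 spoofed sources, each a single 60-byte SYN to 443 that is never acknowledged
    lines += [rec(f"198.18.0.{i}", 40000 + i, 443, TCP, 1, 60, "ACCEPT") for i in range(1, 51)]
    # NTP reflection: 20 reflectors answering from port 123 with 480-byte replies
    lines += [rec(f"192.0.2.{100 + i}", 123, 52000, UDP, 40, 19200, "ACCEPT") for i in range(20)]
    # UDP flood: 30 sources sending 1000-byte datagrams to UDP/9999, where nothing listens
    lines += [rec(f"198.18.1.{i}", 5555, 9999, UDP, 10, 10000, "REJECT") for i in range(30)]
    return lines


if __name__ == "__main__":
    flows = [f for f in map(parse_flow, sample_log()) if f]
    for vector, evidence in classify(flows).items():
        print(vector, evidence)
```

The thresholds are deliberately parameters: a SYN-only flow from a handful of sources is ordinary internet noise, and the reflection check uses a lower source count because each reflector contributes amplified volume. A web-layer flood (vector 4) does not show up here at all, since its flows look like complete, legitimate TCP sessions; that one needs the application logs.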
15. #Vector 4: Web Application Layer Attacks (targets: service requests) • Malicious web requests that look like real users • Impact availability or scrape site content • Mitigate using a WAF • Block abusive IPs, user agents, etc.
16. Demo: video of a DDoS attack
17. AWS Services for DDoS Mitigation • Amazon Route 53 • Amazon CloudFront • Amazon CloudWatch • Elastic Load Balancing • VPCs and security groups • AWS WAF
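Blocking abusive IPs and user agents needs something that finds them first. The Python below is an added example, not the talk's own code: it reads constructed ALB access-log entries, applies a sliding-window request-rate check in the spirit of an AWS WAF rate-based rule plus a user-agent denylist (the thresholds and the marker strings are assumptions to tune per site), and turns the result into the Updates structure that WAF Classic's update_ip_set expects.

```python
"""Find application-layer abusers in ALB access logs and build the AWS WAF block list.

Added example for this deck, not the talk's own code. The access-log lines are
constructed; the user-agent markers and the rate threshold are assumptions to
tune for your own site.
"""
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: user agents that never belong to real visitors of this site.
ABUSIVE_UA_MARKERS = ("sqlmap", "nikto", "masscan")


def parse_alb_line(line: str) -> dict:
    """Read the leading positional fields of an ALB access log entry.

    Real entries carry more trailing fields (target group ARN, trace id, ...);
    they are ignored because only the positions up to user_agent are used.
    """
    f = shlex.split(line)          # honours the double-quoted request and user-agent fields
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "ip": f[3].rsplit(":", 1)[0],   # client:port -> client
        "status": int(f[8]),
        "request": f[12],
        "ua": f[13],
    }


def find_abusers(events, window_s: int = 300, limit: int = 2000) -> dict:
    """Return {client_ip: reason} for clients that exceed `limit` requests within any
    sliding window of `window_s` seconds, or that present an abusive user agent.

    The defaults mirror a WAF rate-based rule's 5-minute window and the 2000-request
    floor the rule type enforced when it launched (an assumption; check current docs).
    """
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if any(marker in e["ua"].lower() for marker in ABUSIVE_UA_MARKERS):
            flagged.setdefault(ip, "user-agent")
        q = recent[ip]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                 # drop requests that fell out of the window
        if len(q) >= limit:
            flagged.setdefault(ip, "rate")
    return flagged


def waf_ipset_updates(ips) -> list:
    """Build the Updates list for WAF Classic update_ip_set / `aws waf update-ip-set`."""
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in sorted(ips)]


def sample_log() -> list:
    """Constructed ALB entries: two browsers, one client hammering /wp-login.php, one scanner."""
    base = datetime(2017, 6, 19, 10, 0, 0)
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/54.0"

    def entry(t, ip, path, ua, status=200):
        return (f"https {t:%Y-%m-%dT%H:%M:%S.%f}Z app/prod-alb/50dc6c495c0c9188 {ip}:43210 "
                f"10.0.1.10:80 0.000 0.002 0.000 {status} {status} 34 366 "
                f'"GET https://www.example.com:443{path} HTTP/1.1" "{ua}"')

    lines = [entry(base + timedelta(seconds=s), "203.0.113.5", "/", browser) for s in (0, 30, 90)]
    lines += [entry(base + timedelta(seconds=s), "198.51.100.7", "/about", browser) for s in (5, 65)]
    # 150 requests in under a minute from one address, with a browser-looking user agent
    lines += [entry(base + timedelta(milliseconds=400 * i), "198.18.0.1", "/wp-login.php", browser)
              for i in range(150)]
    lines += [entry(base + timedelta(seconds=s), "192.0.2.44", "/?id=1%27", "sqlmap/1.1", 500)
              for s in (12, 13)]
    return lines


if __name__ == "__main__":
    abusers = find_abusers([parse_alb_line(l) for l in sample_log()], window_s=60, limit=100)
    print(abusers)
    print(waf_ipset_updates(abusers))
```

The rate check is the important half: the 150-request client above uses a perfectly ordinary browser user agent and would pass any string-matching rule. To apply the result, pass the Updates list to WAF Classic's update_ip_set together with a fresh ChangeToken from get_change_token, and attach the IP set to a rule with a BLOCK action on the WebACL in front of the CloudFront distribution or ALB.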
18. Amazon Route 53 • One of the most common targets of DDoS attacks is the Domain Name System (DNS). Amazon Route 53 is a highly available and scalable DNS service designed to route end users to infrastructure running inside or outside of AWS. Route 53 makes it possible to manage traffic globally through a variety of routing types, and provides out-of-the-box shuffle sharding and Anycast routing capabilities to protect domain names from DNS-based DDoS attacks.
19. Amazon CloudFront • Amazon CloudFront distributes traffic across multiple Points of Presence (PoP) locations and filters requests to ensure that only valid HTTP(S) requests are forwarded to backend hosts. CloudFront also supports geo restriction, also known as geoblocking, which can be useful for isolating attacks originating from a particular geographic location.
20. Amazon CloudWatch • Amazon CloudWatch is the AWS component that provides monitoring (metrics and alarms) for AWS resources and for the customer applications running on them.
21. Elastic Load Balancing • Elastic Load Balancing (ELB) automatically distributes application traffic across several Amazon Elastic Compute Cloud (Amazon EC2) instances in multiple Availability Zones, which minimizes the risk of overloading a single EC2 instance. Elastic Load Balancing, like CloudFront, only forwards valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances. It also offers a single point of management and can serve as a line of defense between the Internet and your backend, private EC2 instances.
22. VPCs and Security Groups • Amazon Virtual Private Cloud (Amazon VPC) allows customers to configure subnet routes, public IP addresses, security groups, and network access control lists in order to minimize application attack surfaces. ELB load balancers and EC2 instance security groups can be configured to allow only traffic that originates from specific IP addresses, such as that from CloudFront or AWS WAF, protecting backend application components from a direct attack.
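Locking the ELB security group down to CloudFront's address ranges is only safe if the rule set tracks AWS's published ip-ranges.json and stale entries are revoked. The Python below is an added example, not from the talk: it works on a constructed excerpt of that file, diffs the CloudFront prefixes against a group's current rules, and batches the ingress permissions so each batch fits one group's rule quota (the quota value and the example's leftover 0.0.0.0/0 rule are assumptions).

```python
"""Restrict an ELB/EC2 security group to CloudFront's published address ranges.

Added example for this deck, not code from the talk. The ip-ranges excerpt is a
constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json,
and the rule quota is an assumption.
"""
import ipaddress
import json

# Constructed excerpt: the real file lists hundreds of prefixes, and CloudFront
# ranges also appear a second time under the catch-all "AMAZON" service.
IP_RANGES_JSON = json.dumps({
    "syncToken": "1497000000",
    "createDate": "2017-06-19-10-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "54.182.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Assumption: default inbound rule quota per security group; check the current limit.
MAX_RULES_PER_GROUP = 50


def cloudfront_prefixes(ip_ranges_text: str) -> list:
    """Return the CLOUDFRONT IPv4 prefixes, deduplicated and with overlaps collapsed."""
    data = json.loads(ip_ranges_text)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}
    return sorted(ipaddress.collapse_addresses(nets))


def plan_changes(current_cidrs, desired_prefixes):
    """Diff the group's current CIDRs against the desired set.

    Returns (to_add, to_revoke). Revoking stale entries matters as much as adding
    new ones: a leftover 0.0.0.0/0 lets attackers bypass CloudFront entirely.
    """
    desired = {str(n) for n in desired_prefixes}
    current = set(current_cidrs)
    return sorted(desired - current), sorted(current - desired)


def ingress_permissions(cidrs, ports=(80, 443), max_rules=MAX_RULES_PER_GROUP) -> list:
    """Build IpPermissions batches for authorize_security_group_ingress.

    Each CIDR x port pair counts as one rule against the quota, so the rules are
    split into batches that each fit one security group; attach every group to the
    load balancer (or instance) when more than one is needed.
    """
    rules = [(port, cidr) for port in ports for cidr in cidrs]
    batches = []
    for start in range(0, len(rules), max_rules):
        perms = {}
        for port, cidr in rules[start:start + max_rules]:
            perm = perms.setdefault(port, {"IpProtocol": "tcp", "FromPort": port,
                                           "ToPort": port, "IpRanges": []})
            perm["IpRanges"].append({"CidrIp": cidr})
        batches.append(list(perms.values()))
    return batches


def is_cloudfront_source(ip: str, prefixes) -> bool:
    """True when `ip` falls inside a CloudFront range (for checking a request origin)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


if __name__ == "__main__":
    prefixes = cloudfront_prefixes(IP_RANGES_JSON)
    add, revoke = plan_changes({"52.84.0.0/15", "0.0.0.0/0"}, prefixes)
    print("add:", add, "revoke:", revoke)
    for batch in ingress_permissions([str(n) for n in prefixes]):
        print(json.dumps(batch))   # one authorize_security_group_ingress call per batch
```

With boto3 the apply step is one ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=batch) call per batch and ec2.revoke_security_group_ingress for the revoke list. AWS publishes changes to ip-ranges.json on the AmazonIpSpaceChanged SNS topic, which is the natural trigger for running this sync from a Lambda function rather than on a schedule.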
23. AWS WAF • AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.
24. Introduction to Auto Scaling • Auto Scaling helps you maintain application availability and lets you scale your Amazon EC2 capacity up or down automatically according to conditions you define. You can use Auto Scaling to help ensure that you are running your desired number of Amazon EC2 instances. It can also automatically increase the number of instances during demand spikes to maintain performance, and decrease capacity during lulls to reduce costs.
25. Auto Scaling
26. Mitigation approaches for DDoS attacks in an AWS environment • Web applications
27. Mitigation approaches for DDoS attacks in an AWS environment • Non-web, load-balanceable applications
28. DDoS Attack Mitigation using Automation (continued on slides 29 to 32)
34. My AWS WordPress Application Architecture
35. References • https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/ • AWS DDoS white paper: https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf • https://aws.amazon.com/blogs/security/how-to-protect-your-web-application-against-ddos-attacks-by-using-amazon-route-53-and-a-content-delivery-network/ • Azure Cloud Security Audit using PowerShell (the author's own paper): https://dl.packetstormsecurity.net/papers/general/msazure-audit.pdf