Distributed Denial of Service (DDoS) attackers use a variety of techniques to consume network or other resources, interrupting access for legitimate users Customers can adopt practices to reduce the impact of these attacks, including minimizing the attack surface area, safeguarding exposed resources and creating a plan for when attacks occur. This webinar will outline how to use AWS services like Elastic Load Balancing (ELB), Auto Scaling, Amazon CloudFront and Amazon Route53 to improve resiliency when attacks occur. Learning Objectives: • Learn techniques that can help maintain availability in the face of DDoS attacks • Understand how AWS services can work together to increase resiliency Who Should Attend: • Systems Architects, Network Engineers, Web Developers

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jonathan Desrocher, Security Solutions Architect
August 20th 2015
Best Practices for DDoS
Resiliency

2. 45% $40k 58%
of organizations have
experienced a DDoS attack
average hourly cost
of a DDoS attack
of attacks last 30
mins or less**
* Source: Imperva What DDoS Attacks Really Cost Businesses (n=270)
** Source: Imperva Global DDoS Threat Landscape Q2 2015

3. Agenda
Types of DDoS attacks
Mitigation Techniques
DDoS Resilient Architecture

4. Typical DDoS Infrastructure Attack

5. Reflection and Amplification Attack

6. Application Attack (Layer 7) Examples
Web ServerAttacker(s)
GET
HTTP GET Flood
Slowloris
GET GET GET GET GET
G - E - T

7. Mitigation Techniques
Front your application with AWS services
Safeguard Exposed Resources
Minimize the Attack Surface Area
Be Ready to Scale to Absorb the Attack
Learn Normal Behavior
Create a Plan for Attacks

8. Front your Application with AWS Services
Leverage services such as Amazon API Gateway and
Amazon CloudFront for caching and layer-3 protection.
The recently launched Amazon API Gateway can be
used to perform:
User authentication.
Request throttling.
Response caching.
Log requests.

9. Request Flow using Amazon API Gateway
Internet
Mobile apps
Websites
Services
API
Gateway
AWS Lambda
functions
AWS
API Gateway
cache
Endpoints on
Amazon
EC2/AWS
Elastic
Beanstalk
Any other publicly
accessible endpoint
Amazon
CloudWatch
monitoring

10. Safeguard Exposed Resources
Restrict access to resources with
CloudFront
Block unnecessary geos, Origin Access
Identity
Obfuscate unneeded information with
Route 53
Private DNS, Alias Record Sets
Deploy application level controls with a
third party web application firewall
Request rate limits
Block certain types of requests

11. Minimize your Application Attack Surface
Architect your application
with attack surface area in
mind
• Reduce the number of
Internet entry points
• Separate end user traffic from
management traffic
• Only allow necessary users
and traffic
Use VPC to minimize
attack surface area
• Set up VPC and Internet
Gateway
• Set up Security Group
• Launch instance into VPC
• Assign elastic IP Address
• Set up Network ACL

12. Web Application Firewall Sandwich Architecture

13. Partner Solutions
See Security section of the AWS Marketplace for more:
https://aws.amazon.com/marketplace

14. Be Ready to Scale to Absorb the Attack
Scale vertically and horizontally to:
Disperse attack over wider area
Make attackers expend more resources to
scale up the attack
Buy yourself time to analyze and respond
to the DDoS attack
Provide additional layer of redundancy for
other failure scenarios

15. Using AWS to Scale Vertically and Horizontally
Enable EC2
Advanced
Networking
Set up Elastic
Load Balancing
& Auto Scaling
Deploy multiple
points of
presence using
Amazon
CloudFront
Use Amazon
Route 53 with
Shuffle
Sharding and
Anycast Routing
https://www.youtube.com/watch?v=JUw8y_pqD_Y
https://www.youtube.com/watch?v=V7vTPlV8P3U

16. Learn Normal Behavior
Understand and benchmark expected
usage levels
Use this data to identify abnormal levels
or patterns
Look for attackers probing or testing
your application
Increase situational awareness by
knowing what to expect

17. Continuous Visibility using Amazon CloudWatch
Gather metrics, graph and alert on
thresholds
Use CloudWatch alarms to drive Auto
Scaling policies

18. CloudWatch Metrics to Watch For
Topic Metric Description
Auto Scaling GroupMaxSize The maximum size of the Auto Scaling group.
AWS Billing EstimatedCharges The estimated charges for your AWS usage.
Amazon CloudFront Requests The number of requests for all HTTP/S requests.
Amazon CloudFront TotalErrorRate The percentage of all requests for which the HTTP status code is 4xx or
5xx.
Amazon EC2 CPUUtilization The percentage of allocated EC2 compute units that are currently in use.
Amazon EC2 NetworkIn The number of bytes received on all network interfaces by the instance.
Amazon EC2 StatusCheckFailed A combination of of StatusCheckFailed_Instance and
StatusCheckFailed_System that reports if either of the status checks has
failed.
ELB RequestCount The number of completed requests that were received and routed to
registered instances.
ELB Latency The time elapsed, in seconds, after the request leaves the load balancer
until a response is received.
ELB HTTPCode_ELB_4xx HTTPCode_ELB_5xx The number of HTTP 4XX or 5XX error codes generated by the load
balancer.
ELB BackendConnectionErrors The number of connections that were not successfully.
ELB SpilloverCount The number of requests that were rejected because the queue was full.
Amazon Route 53 HealthCheckStatus The status of the health check endpoint.

19. VPC Flow Logging
See traffic patterns for your
Amazon EC2 instances
Feeds into Amazon CloudWatch

20. Deep Analytics of Flow Logs
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

21. Additional Data Sources
Amazon S3 and Amazon CloudFront access logs (web requests).
AWS CloudTrail Logs (select API calls such as IAM
authentication).
Amazon CloudWatch Logs (Amazon API Gateway, Amazon
Lambda and customer application logs via reporting agent).
• See CloudWatch Logs for Apache access logs reference:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quic
kref-cloudwatchlogs.html

22. Create a Plan for Attacks
Having a plan in place before an
attack ensures that:
• You have a resilient architecture
• You understand the cost benefit
equation
• You know who to contact when an
attack happens

23. Getting Help: Support
Account Team
• Your Account Manager is your advocate
• Solutions Architects have a wealth of expertise
Recommended tiers of support
• Business – Phone/chat/email support, 1 hour
response time
• Enterprise – 15 min response time, dedicated
Technical Account Manager, proactive
notification

24. Understand the Economics
Evaluate the cost of an outage
Set yourself upper bounds for instances
and time
Factor in Auto Scaling, Route 53
CloudFront costs during an attack
You don’t pay for traffic or attacks that get
blocked before the load balancer
• e.g. many UDP reflection attacks

25. Where Can I Find More Information?
White paper: Best Practices for DDoS resiliency
https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_
June2015.pdf
AWS Best Practices for
DDoS Resiliency
June 2015

26. Thank you!