dns ddos mitigation using amazon route 53 and aws shield
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sergey Royt, Jeffrey Lyon
Amazon Route 53 and AWS Shield: DDoS Protection and Risk Mitigation
DDoS 101
What is DDoS?
Distributed Denial of Service
DDoS attacks target DNS in two layers
Types of DDoS attacks
Types of DNS DDoS attacks
Volumetric DDoS attacks
Congest DNS networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
DDoS attack trends - volumetric
Volumetric attacks using amplification and reflection techniques are very common
(chart: 47% volumetric, 53% application layer)
Amplification/Reflection attacks
Types of DNS DDoS attacks
Application-layer DDoS attacks
Target DNS by using well-formed but malicious queries to circumvent mitigation and consume application resources. These are known as query floods.
DDoS attack trends - query floods
DNS query floods are real DNS requests
These can continue for hours and exhaust the available memory/CPU resources of the DNS server
(chart: 47% volumetric, 53% application layer)
DNS query floods
(diagram: a few good actors and thousands of bad bots send queries through recursive DNS servers to the authoritative DNS service)
Traditional challenges in mitigating DNS DDoS attacks
Difficult to enable
• Zone isolation
• Over-provisioned bandwidth capacity
• Redundancy and scale
Traditional datacenter: manual involvement
• Operator involvement to initiate mitigation
• Re-route traffic to scrubbing location
• Increased time to mitigate
• Traffic re-routing = increased latency for users
Expensive to use
• DDoS mitigation service cost
• Cost of maintaining scrubbing devices
• Paying for bandwidth
• Personnel cost
Amazon Route 53: Highly resilient and fault-tolerant DNS
Built-in redundancy: 56 global edge locations
Network capacity: Tens of terabits of transit capacity
Network redundancy: Multiple transit and peering providers
Name server redundancy: 4 name servers for each hosted zone
Resiliency and availability: Anycast DNS
Anycast striping
Fault tolerance and zone isolation
Zone Isolation
Amazon Route 53 always runs at scale
Network runs at Scale
Infrastructure runs at scale
100% SLA
Customers keep asking …
Does AWS protect me from DDoS attacks?
What about large DDoS attacks?
How can I get visibility when I get attacked?
Does AWS protect me from application layer attacks?
Scaling for DDoS attacks is expensive.
I want to talk to DDoS experts.
AWS Shield: A managed DDoS protection service
AWS Shield
Standard Protection: Available to all customers at no additional cost
Advanced Protection: Paid service that provides additional, comprehensive protections from large and sophisticated attacks
AWS Shield Standard
DDoS protections built into AWS
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers
Layer 3/4 infrastructure protection
Automatically filters invalid traffic. Examples of attributes include:
• IP checksum
• TCP valid flags
• Payload length
• DNS, HTTP request validation
Deterministic filtering
Low suspicion attributes
• Normal packet or request header
• Traffic composition and volume is typical given its source
• Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
Layer 3/4 infrastructure protection: Traffic prioritization based on scoring
• Inline inspection and scoring
• Preferentially discard lower-priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
High-suspicion packets dropped; low-suspicion packets retained
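The deterministic filtering and suspicion scoring described above, as an added illustration that is not AWS Shield's implementation or code from this talk: a toy authoritative-DNS front end that first rejects malformed queries outright, then scores the remaining queries on the slide's attributes (invalid for its destination, high-entropy cache-busting labels, volume atypical for the source, poor source reputation) and sheds the highest-scoring queries when capacity is exceeded. The hosted zones, reputation set, baseline rate, score weights and sample queries are all constructed.

```python
import math
from collections import Counter

HOSTED_ZONES = {"example.com.", "example.net."}   # constructed: zones this server answers for
BAD_REPUTATION = {"198.51.100.7"}                  # constructed: source with a poor reputation
BASELINE_QPS = 20                                  # constructed: typical per-source query rate

def label_entropy(qname: str) -> float:
    """Shannon entropy (bits/char) of the leftmost label; random cache-busting labels score high."""
    label = qname.split(".")[0]
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def is_valid_query(q: dict) -> bool:
    """Deterministic filter: a well-formed query has QR=0, standard opcode and exactly one question."""
    return q["qr"] == 0 and q["opcode"] == 0 and q["qdcount"] == 1 and q["qname"].endswith(".")

def in_hosted_zone(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in HOSTED_ZONES)

def suspicion_score(q: dict) -> int:
    """Heuristic score built from the slide's attributes: higher means more likely attack traffic."""
    score = 0
    if not in_hosted_zone(q["qname"]):
        score += 3                                  # traffic invalid for its destination
    label = q["qname"].split(".")[0]
    if len(label) >= 8 and label_entropy(q["qname"]) > 3.0:
        score += 2                                  # cache-busting random subdomain
    if q["src_qps"] > 5 * BASELINE_QPS:
        score += 2                                  # volume atypical for this source
    if q["src"] in BAD_REPUTATION:
        score += 2                                  # source has a poor reputation
    return score

def prioritize(queries: list, capacity: int) -> tuple:
    """Drop malformed queries, then keep the `capacity` lowest-suspicion queries and shed the rest."""
    ranked = sorted((q for q in queries if is_valid_query(q)), key=suspicion_score)
    return ranked[:capacity], ranked[capacity:]

# Constructed sample queries (RFC 5737 documentation addresses); the last one is a malformed reply.
SAMPLE_QUERIES = [
    {"src": "203.0.113.10", "qr": 0, "opcode": 0, "qdcount": 1, "qname": "www.example.com.", "src_qps": 3},
    {"src": "203.0.113.11", "qr": 0, "opcode": 0, "qdcount": 1, "qname": "mail.example.net.", "src_qps": 1},
    {"src": "198.51.100.7", "qr": 0, "opcode": 0, "qdcount": 1, "qname": "x7kq2p9zv1.example.com.", "src_qps": 400},
    {"src": "198.51.100.8", "qr": 0, "opcode": 0, "qdcount": 1, "qname": "www.other.org.", "src_qps": 150},
    {"src": "198.51.100.9", "qr": 1, "opcode": 0, "qdcount": 1, "qname": "www.example.com.", "src_qps": 2},
]
```

Calling `prioritize(SAMPLE_QUERIES, 2)` keeps the two ordinary queries and sheds the random-label flood and the off-zone source, while the QR=1 packet never reaches scoring at all.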
AWS Shield Advanced: Managed DDoS protection
Available today on: Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53
AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• Cost protection
Always-on monitoring and detection
• Signature-based detection
• Heuristics-based anomaly detection
• Baselining
Advanced Layer 3/4 infrastructure protection
• Distributed scrubbing and bandwidth capacity
• Automated routing policies to absorb large attacks
• Manual traffic engineering
Advanced routing policies
Attack notification and reporting
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics for attack forensics
• Historical attack reports
24x7 access to DDoS response team
• Critical and urgent priority cases are answered quickly and routed directly to DDoS experts
• Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries
Before attack: Proactive consultation and best practice guidance
During attack: Attack mitigation
After attack: Post-mortem analysis
Cost protection
AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53
Thank you!
Questions ?
Useful Links
Forums - AWS Shield: https://forums.aws.amazon.com/forum.jspa?forumID=238
Forums - Amazon Route 53: https://forums.aws.amazon.com/forum.jspa?forumID=87
Whitepapers: https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf