dns ddos mitigation using amazon route 53 and aws shield

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Sergey Royt, Jeffrey Lyon

Amazon Route 53 and AWS ShieldDDoS Protection and Risk Mitigation

DDoS 101

What is DDoS?

Distributed Denial of Service

DDoS attacks target DNS in two layers

Types of DDoS attacks

Types of DNS DDoS attacks

Volumetric DDoS attacks

Congest DNS networks by flooding them with more traffic than they are able to handle

(e.g., UDP reflection attacks)

DDoS attack trends - volumetric

Volumetric Application layer

Volumetric attacks using amplification and reflection

techniques are very common

47%Volumetric

53%Application layer

Amplification/Reflection attacks

Types of DNS DDoS attacks

Application-layer DDoS attacks

target DNS by using well-formed but malicious queries to circumvent mitigation

and consume application resources – These are known as query floods

DDoS attack trends – query floods

Volumetric Application layer

DNS query floods are real DNS requests

These can continue for hours and exhaust the available memory/cpu resources of the DNS

server

47%Volumetric

53%Application layer

DNS query floods

Few Good Actors

Thousands of Bad Bots

Recursive DNS servers

Authoritative DNS Service

Traditional challenges in mitigating DNS DDoS attacks


Difficult to enable

Zone isolation Over-provisioned bandwidth capacity

Redundancy and scale


Traditional Datacenter

Manual involvement

Operator involvement to initiate mitigation

Re-route traffic to scrubbing location

Increased time to mitigate


Traditional Datacenter

Traffic re-routing = Increased latency for users


Expensive to use

• DDoS mitigation service cost• Cost of maintaining scrubbing devices• Paying for bandwidth• Personnel cost

Amazon Route 53Highly resilient and fault tolerant DNS

Built-In redundancy

56 global edge locations

Network capacity

Tens of terabits of transit capacity

Network redundancy

Multiple transit and peering providers

Name server redundancy

4 name servers for each hosted zone

Resiliency and availability : Anycast DNS

Anycast striping

Fault tolerance and zone isolation

Zone Isolation

Amazon Route 53 always runs at scale

Network runs at Scale

Infrastructure runsat scale

100% SLA

Customers keep asking …

Does AWS protect me from DDoS attacks?

What about large DDoS attacks?

How can I get visibility when I get attacked?

Does AWS protect me from application

layer attacks?

Scaling for DDoS attacks is

expensive.I want to talk to DDoS experts.

AWS ShieldA managed DDoS protection service

AWS Shield

Standard Protection Advanced Protection

Available to all customers at no additional cost

Paid service that provides additional, comprehensive protections from large

and sophisticated attacks

AWS Shield Standard

DDoS protections built into AWS

Integrated into the AWS global infrastructure

Always-on, fast mitigation without external routing

Redundant Internet connectivity in AWS data centers

Layer 3/4 infrastructure protection

Automatically filters invalid traffic. Examples of attributes include:

• IP checksum• TCP valid flags• Payload length• DNS, HTTP request validation

Deterministic filtering

Low suspicion attributes

• Normal packet or request header• Traffic composition and volume is

typical given its source• Traffic valid for its destination

High suspicion attributes

• Suspicious packet or request headers• Entropy in traffic by header attribute• Entropy in traffic source and volume• Traffic source has a poor reputation• Traffic invalid for its destination• Request with cache-busting attributes

Layer 3/4 infrastructure protectionTraffic prioritization based on scoring

Layer 3/4 infrastructure protection

• Inline inspection and scoring• Preferentially discard lower priority (attack) traffic• False positives are avoided and legitimate viewers are protected

Traffic prioritization based on scoring

High-suspicion packets dropped

Low-suspicion packets retained

AWS Shield AdvancedManaged DDoS protection

AWS Shield Advanced

Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53

Available today on..

AWS Shield AdvancedAlways-on monitoring &

detection

Advanced L3/4 & L7 DDoS protection

Attack notification and reporting

24x7 access to DDoS Response team

Cost protection

Always-on monitoring and detection

Signature based detection Heuristics-based anomaly detection

Baselining


detection



24x7 access to DDoS Response Team

Cost protection

Advanced Layer 3/4 infrastructure protection

• Distributed scrubbing and bandwidth capacity

• Automated routing policies to absorb large attacks

• Manual traffic engineering

Advanced routing policies


detection




Cost protection


• Real-time notification of attacks via Amazon CloudWatch

• Near real-time metrics for attack forensics

• Historical attack reports


detection




Cost protection

24x7 access to DDoS response team

• Critical and urgent priority cases are answered quickly and routed directly to DDoS experts

• Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries

24x7 access to DDoS response team

Before attack

Proactive consultation and best practice guidance

During attack

Attack mitigation

After attack

Post-mortem analysis


detection




Cost protection

Cost protection

AWS absorbs scaling cost due to DDoS attack

• Amazon CloudFront

• Elastic Load Balancer

• Application Load Balancer

• Amazon Route 53

Thank you!

Questions ?

Useful Links –

Forums-AWS Shield - https://forums.aws.amazon.com/forum.jspa?forumID=238Amazon Route53 - https://forums.aws.amazon.com/forum.jspa?forumID=87

Whitepapers-https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

dns ddos mitigation using amazon route 53 and aws shield

Technology