Understand AWS best practices for Distributed Denial of Service (DDoS) resiliency and how AWS Shield can help you protect your business. Uncover how this service safeguards web applications running on AWS, and how always-on detection and automatic inline mitigations minimize application downtime and latency.
2. What to expect from this session
What is DDoS?
Challenge/Impact customers face mitigating DDoS attacks
AWS approach to DDoS Protection
Introducing AWS Shield, a managed DDoS protection service
Getting Started
6. Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
[Figure: diagram of network layers 1–7]
7. Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
[Figure: diagram of network layers 1–7]
8. Types of DDoS attacks
Application-layer DDoS attacks
Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
[Figure: diagram of network layers 1–7]
9. DDoS attack trends
[Chart: share of attacks by type]
• Volumetric: 73%
• State exhaustion: 18%
• Application layer: 16%
18. At AWS, our goal has always been to …
• Remove undifferentiated heavy lifting: automatically protected against common attacks
• Ensure availability: AWS services are highly available
19. AWS Shield
Four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don’t force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimize impact on application latency
20. AWS Shield
• Standard Protection: available to ALL AWS customers at no additional cost
• Advanced Protection: paid service that provides additional protections, features and benefits
21. AWS Shield Standard
Layer 3/4 protection
• Automatic detection & mitigation
• Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.)
• Built into AWS services
Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
22. DDoS protections built into AWS
• Protection against most common infrastructure attacks: SYN/ACK floods, UDP floods, reflection attacks, etc.
• No additional cost
[Figure: DDoS mitigation systems in front of Amazon CloudFront, Amazon Route 53 and Classic Load Balancer; other labels: DDoS Attack, Users, Traditional D/C]
23. AWS Shield Advanced
Available today on …
• Application Load Balancer (select Regions only)
• Elastic Load Balancer (select Regions only)
• Amazon CloudFront (all Regions)
• Amazon Route 53 (all Regions)
24. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
34. Systems Overview
[Figure: Internet (DDoSer) → Border Network with Internet-Layer and Network Layer Mitigations → AWS Services with Web Layer Mitigations → Customer Infrastructure; DDoS Detection and the DDoS Response Team alongside]
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP
• HTTP Floods
35. Systems Overview
[Figure: same Systems Overview diagram as slide 34]
Effective Against:
• HTTP Floods
• BadBots
• Suspicious IPs
36. Systems Overview
[Figure: same Systems Overview diagram as slide 34]
Effective Against:
• Application-Layer Attacks
• Custom Protocol Attacks
37. Customer categories for AWS WAF
Ready-to-use Protection
• SQLi
• XSS
• 3rd Party Reputation Lists
• HTTP Flood Protection
Customizable Protection
• Flexible Rules Engine
• Size Constraint Rules, Body Inspection, String Match
• 100K Entry Blacklists
• ~1 Min Updates
Lambda Based Protection
• Open Source GitHub Repository
• Solution Builder Protections
• https://aws.amazon.com/waf/preconfiguredrules/
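The slide names three customizable rule types: size constraint, string match and IP blacklists. The following is an added example written for this page (it is not AWS WAF's own code or API) of how an ordered rule set built from those types evaluates a request, including a COUNT action for staging a new rule before it is allowed to block. Rule names, thresholds, the BadBot user agent string, the IP ranges and the sample requests are all constructed.

```python
# Added example (not AWS WAF code): a tiny ordered rule engine showing the rule
# types listed on this slide. All names, thresholds, addresses and requests are
# constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List


@dataclass
class Request:
    src_ip: str
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str = "BLOCK"   # "COUNT" records a match without acting on it


def _part(request: Request, part: str) -> bytes:
    """Return the part of the request a rule inspects: 'body', 'uri' or a header."""
    if part == "body":
        return request.body
    if part == "uri":
        return request.uri.encode()
    return request.headers.get(part, "").encode()


def ip_blacklist(cidrs: List[str]) -> Callable[[Request], bool]:
    """Match sources inside any listed CIDR (the blacklist rule type)."""
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.src_ip) in n for n in nets)


def size_constraint(part: str, max_bytes: int) -> Callable[[Request], bool]:
    """Match when the inspected part exceeds max_bytes (size constraint rule)."""
    return lambda r: len(_part(r, part)) > max_bytes


def string_match(part: str, needle: str) -> Callable[[Request], bool]:
    """Case-insensitive substring match on the inspected part (string match rule)."""
    token = needle.lower().encode()
    return lambda r: token in _part(r, part).lower()


def evaluate(rules: List[Rule], request: Request) -> dict:
    """Evaluate rules in order. The first matching BLOCK rule decides; COUNT
    rules are only recorded, which is how a new rule is staged before it is
    allowed to block traffic."""
    counted = []
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue
        return {"action": rule.action, "rule": rule.name, "counted": counted}
    return {"action": "ALLOW", "rule": None, "counted": counted}


# Constructed rule set; the staged COUNT rule goes first so it sees all traffic.
RULES = [
    Rule("staged-large-cookie", size_constraint("Cookie", 4096), action="COUNT"),
    Rule("blacklist", ip_blacklist(["198.51.100.0/24"])),
    Rule("body-too-large", size_constraint("body", 8192)),
    Rule("uri-too-long", size_constraint("uri", 1024)),
    Rule("bad-bot-ua", string_match("User-Agent", "badbot")),
]

# Constructed sample traffic (documentation-range IPs).
SAMPLE_REQUESTS = [
    Request("203.0.113.5", "GET", "/index.html", {"User-Agent": "Mozilla/5.0"}),
    Request("198.51.100.7", "GET", "/index.html", {"User-Agent": "Mozilla/5.0"}),
    Request("203.0.113.9", "POST", "/upload", {"User-Agent": "Mozilla/5.0"}, b"x" * 10000),
    Request("203.0.113.10", "GET", "/" + "a" * 2000, {"User-Agent": "Mozilla/5.0"}),
    Request("203.0.113.11", "GET", "/", {"User-Agent": "BadBot/1.0"}),
    Request("203.0.113.12", "GET", "/", {"User-Agent": "Mozilla/5.0", "Cookie": "c=" + "z" * 5000}),
]


def run(rules=RULES, requests=SAMPLE_REQUESTS) -> List[dict]:
    return [evaluate(rules, r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run()):
        print(req.src_ip, req.method, req.uri[:20], "->", verdict)
```

The last sample request is allowed but recorded by the staged rule, which is the observation a practitioner wants before promoting a COUNT rule to BLOCK: how much legitimate traffic it would have caught.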
38. AWS WAF – Layer 7 application protection
Three modes of operation:
• Self-service
• Engage DDoS experts
• Proactive DRT engagement
39. DDoS Detection: Shield Standard
[Figure: detection pipeline with multiple aggregators (Aggs), a Pin / Agg DB, a Top Talker API and Evaluators]
40. DDoS Detection: Shield Advanced
[Figure: the same pipeline (Aggs, Pin / Agg DB, Top Talker API, Evaluators) with Customer A and Customer B labels]
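The detection diagrams on slides 39 and 40 name an aggregation stage, a top-talker API and evaluators, and slide 8 describes the application-layer floods (HTTP GET floods) that such a pipeline must catch from well-formed requests alone. The following is an added example written for this page, not AWS's detection code, that runs that aggregate → evaluate → top-talker flow over constructed access-log lines. The simplified log layout, the one-minute window, the per-source and per-window thresholds and every IP address are assumptions.

```python
# Added example (not AWS detection code): the aggregate -> evaluate -> top-talker
# flow sketched on the detection slides, run over constructed access-log lines.
# Thresholds, the simplified log format and all addresses are assumptions.
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed, simplified log layout: date time client-ip method uri status.
# Real CloudFront standard logs carry more fields in a tab-separated layout.


def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    date, time, ip, method, uri, status = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, method, uri, int(status)


def aggregate(lines: List[str]) -> Dict[str, Counter]:
    """'Aggs' stage: requests per source IP within each one-minute window."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _method, _uri, _status = parse_line(line)
        buckets[ts.strftime("%Y-%m-%d %H:%M")][ip] += 1
    return buckets


def top_talkers(buckets: Dict[str, Counter], window: str, n: int = 3) -> List[Tuple[str, int]]:
    """'Top Talker API': the n busiest sources in a window."""
    return buckets.get(window, Counter()).most_common(n)


def evaluate(buckets: Dict[str, Counter], per_ip_limit: int, total_limit: int) -> Dict[str, dict]:
    """'Evaluators' stage: flag a window when its total request count exceeds
    total_limit (a flood spread over many sources) or when any single source
    exceeds per_ip_limit (a top talker); report both for the window."""
    findings = {}
    for window, counts in sorted(buckets.items()):
        total = sum(counts.values())
        offenders = sorted(ip for ip, c in counts.items() if c > per_ip_limit)
        if total > total_limit or offenders:
            findings[window] = {"total": total, "offenders": offenders}
    return findings


def detect(lines: List[str], per_ip_limit: int = 100, total_limit: int = 500) -> Dict[str, dict]:
    return evaluate(aggregate(lines), per_ip_limit, total_limit)


def build_sample_log() -> List[str]:
    """Constructed traffic: a handful of normal clients, then one source
    sending 120 well-formed GET requests in a single minute."""
    lines = [f"2017-05-01 10:00:{i:02d} 203.0.113.{i + 1} GET /index.html 200" for i in range(5)]
    lines += [f"2017-05-01 10:01:{i % 60:02d} 198.51.100.23 GET /search?q={i} 200" for i in range(120)]
    lines += [f"2017-05-01 10:01:{10 + i:02d} 203.0.113.{i + 1} GET /about.html 200" for i in range(3)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for window, finding in detect(log).items():
        print(window, finding, "top:", top_talkers(aggregate(log), window, 1))
```

Two thresholds are needed because the two failure modes differ: a single noisy source trips the per-IP limit even when the window total looks normal, while a flood spread thinly across many sources only shows up in the window total, where no individual offender can be named and the rate-based mitigation has to act on the window as a whole. In a Lambda-based setup of the kind the AWS WAF slide mentions, the offender list would be the input to a WAF IP blacklist and the window total the value published as a metric for the CloudWatch notifications described on the reporting slide; that wiring is assumed here, not shown.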
41. DDoS Response Team Mitigation
[Figure: DDoS attack and users → Edge Location (CloudFront, Route 53, AWS WAF, BlackWatch DDoS mitigation); DDoS Response Team with Internal Tools and API Gateway]
42. Attack notification and reporting
Attack monitoring and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports
43. Infrastructure Security – Pattern 1
[Figure: https://www.example.com served through Amazon Route 53 and Amazon CloudFront with AWS WAF and AWS Shield Advanced at AWS Edge Locations; behind them a Production VPC – Sydney (Production Account) and a Development VPC – Sydney (Development Account), each with an ELB, Web/App instances, and RDS Master / RDS Standby]
45. AWS DDoS Shield: Pricing
Standard Protection
• No commitment
• No additional cost
Advanced Protection
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees

Data Transfer Price ($ per GB)
                 CloudFront   ELB
First 100 TB     $0.025       $0.050
Next 400 TB      $0.020       $0.040
Next 500 TB      $0.015       $0.030
Next 4 PB        $0.010       Contact Us
Above 5 PB       Contact Us   Contact Us
49. AWS DDoS Shield: How to choose
• Standard Protection: for protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS.
• Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24X7 access to DDoS experts for complex cases.
50. AWS Shield: Getting started
• Standard Protection: you get it automatically
• Advanced Protection: enable via the AWS Console