Understand AWS best practices for Distributed Denial of Service (DDoS) resiliency and how AWS Shield can assist you to protect your business. Uncover how this tool safeguards web applications running on AWS, and how always-on detection and automatic inline mitigations minimize application downtime and latency.

1. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
DDoS Protection
Craig Lawton, AWS Solutions Architect
30th August 2017
AWS Shield

2. What to expect from this session
 What is DDoS?
 Challenge/Impact customers face mitigating DDoS attacks
 AWS approach to DDoS Protection
 Introducing AWS Shield, a managed DDoS protection service
 Getting Started

3. What is DDoS?
Distributed Denial Of Service

4. Denial of Service
The act of making a network service unusable or
unavailable usually by overloading the server or the
network

5. Who Get’s Attacked and Why
Source: Arbor Networks, Inc. 2016 WISR Report

6. Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)
1
2
3
4
5
6
7

7. Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like
firewalls, IPS, or load balancers (e.g., TCP
SYN flood)
1
2
3
4
5
6
7

8. Types of DDoS attacks
Application-layer DDoS attacks
Use well-formed but malicious requests to
circumvent mitigation and consume
application resources (e.g., HTTP GET, DNS
query floods)
1
2
3
4
5
6
7

9. DDoS attack trends
Volumetric State exhaustion Application layer
73%
Volumetric
18%
State exhaustion
16%
Application layer

10. Impact of mitigating DDoS attacks

11. Attack Duration: varies by service provider
Source: Arbor Networks, Inc. 2016 WISR
Report
Source: Imperva DDoS Threat Landscape Report
2015-2016

12. Traditional approach mitigating DDoS attacks
Difficult to enable
Complex set-up Provision bandwidth
capacity
Operator involvement to
initiate mitigation

13. Traditional approach mitigating DDoS attacks
Traffic re-routing = Increased latency for users
Traditional
Datacenter

14. Challenges in mitigating DDoS attacks
Expensive to use
Or already paid ransom demand

15. Impact of DDoS Attacks
Source: Arbor Networks, Inc. 2016 WISR Report

16. Impact of DDoS Attacks
Source: Arbor Networks, Inc. 2016 WISR Report

17. AWS approach to DDoS protection

18. At AWS, our goal has always been to …
Remove undifferentiated
heavy lifting
Automatically protected
against common attacks
Ensure availability
AWS services are highly
available

19. AWS Shield
AWS Integration
DDoS protection
without infrastructure
changes
Affordable
Don’t force unnecessary
trade-offs between cost and
availability
Flexible
Customize protections
for your applications
Always-On Detection
and Mitigation
Minimize impact on application
latency
Four key pillars…

20. AWS Shield
Standard Protection Advanced Protection
Available to ALL AWS customers at
No Additional Cost
Paid service that provides additional
protections, features and benefits.

21. AWS Shield Standard
Layer 3/4 protection
 Automatic detection & mitigation
 Protection from most common
attacks (SYN/UDP Floods, Reflection
Attacks, etc.)
 Built into AWS services
Layer 7 protection
 AWS WAF for Layer 7 DDoS attack
mitigation
 Self-service & pay-as-you-go

22. DDoS protections built into AWS
 Protection against most common
infrastructure attacks
 SYN/ACK Floods, UDP Floods,
Refection attacks etc.
 No additional cost
DDoS mitigation
systems
DDoS Attack
Users
Amazon
CloudFront
Amazon
Route 53
Classic Load
Balancer
Traditional D/C

23. AWS Shield Advanced
Application Load Balancer
(Select Regions only)
Elastic Load Balancer
(Select Regions only)
Amazon CloudFront
(All Regions)
Amazon Route 53
(All Regions)
Available today on …

24. AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

25. Behind the Scenes

26. Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
MitigationsDDoSer
Systems Overview
DDoS
Response
Team

27. Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
MitigationsDDoSer
Systems Overview
Effective Against:
• Any Large-Scale
Attack (>xxxGpbs)
DDoS
Response
Team

28. Internet-Layer Mitigation
ISP
ISP
ISP
ISP
ISP
Tier 1
Transit
Tier 1
Transit
AWS edge
Location
AWS edge
Location
Tier 1
Transit
DDoSer
Scale:

29. Internet-Layer Mitigation
ISP
ISP
ISP
ISP
ISP
Tier 1
Transit
Tier 1
Transit
AWS edge
Location
AWS edge
Location
Tier 1
Transit
DDoSer
Shunt:

30. Internet-Layer Mitigation
ISP
ISP
ISP
ISP
ISP
Tier 1
Transit
Tier 1
Transit
AWS edge
Location
AWS edge
Location
Tier 1
Transit
DDoSer
Tarpit:

31. Internet-Layer Mitigation
ISP
ISP
ISP
ISP
ISP
Tier 1
Transit
Tier 1
Transit
AWS edge
Location
AWS edge
Location
Tier 1
Transit
DDoSer
Tarpit:

32. Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
MitigationsDDoSer
Systems Overview
Effective Against:
• SYN Floods
• Reflection Attacks
• Suspicious
Sources
DDoS
Response
Team

33. Network-Layer Mitigation – Edge Services
CloudFrontDDoS
attack
Users
BlackWatch
DDoS
mitigation
API
Gateway
Route 53
Edge Location

34. Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
MitigationsDDoSer
Systems Overview
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP
• HTTP Floods
DDoS
Response
Team

35. Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
MitigationsDDoSer
Systems Overview
Effective Against:
• HTTP Floods
• BadBots
• Suspicious IPs
DDoS
Response
Team

36. Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
MitigationsDDoSer
Systems Overview
Effective Against:
• Application-Layer
• Custom Protocol
Attacks
DDoS
Response
Team

37. Customer categories for AWS WAF
Ready-to-use Protection
 SQLi
 XSS
 3rd Party Reputation Lists
 HTTP Flood Protection
Customizable Protection
 Flexible Rules Engine
 Size Constraint Rules, Body
Inspection, String Match
 100K Entry Blacklists
 ~1 Min Updates
 Lambda Based Protection
 Open Source GitHub Repository
Solution Builder Protections
https://aws.amazon.com/waf/preconfiguredrules/

38. AWS WAF – Layer 7 application protection
Three modes of operation
Self-service Engage DDoS experts Proactive DRT engagement

39. DDoS Detection Shield Standard
Aggs
Aggs
Aggs
Aggs
Pin
Agg
DB
Top
Talker
API
Evalu
ators

40. Customer A
Customer B
DDoS Detection Shield Advanced
Aggs
Aggs
Aggs
Aggs
Pin
Agg
DB
Top
Talker
API
Evalu
ators

41. DDoS Response Team Mitigation
CloudFrontDDoS
attack
Users
BlackWatch
DDoS
mitigation
API
Gateway
Route 53
Edge Location
AWS WAF
DDoS
Response
Team
Int
Internal Tools

42. Attack notification and reporting
Attack monitoring
and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports

43. Infrastructure Security – Pattern 1
Web /App
https://www.example.com
AWS Edge Locations Production VPC - Sydney Development VPC - Sydney
ELB
Web /App
RDS Master RDS Standby
Web /App
ELB
Web /App
RDS Master RDS Standby
Development Account >< Production Account
AWS WAF
Amazon
Route 53
Amazon
CloudFront
AWS Shield Advanced

44. Pattern 2
DR Region >< Primary Region
CloudFront
Edge Cache
CloudFront
Regional Cache
Route 53
Failover
Autoscaling EC2 - NGINX w/ ModSecurity Autoscaling EC2 - NGINX w/ ModSecurity
CloudFront
Regional Cache
WorkloadWorkload
AWS WAF AWS Shield
Advanced
AWS Edge Locations

45. • No commitment
• No additional cost
AWS DDoS Shield: Pricing
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees
Data Transfer Price ($ per GB)
CloudFront ELB
First 100 TB $0.025 0.050
Next 400 TB $0.020 0.040
Next 500 TB $0.015 0.030
Next 4 PB $0.010 Contact Us
Above 5 PB Contact Us Contact Us
Standard Protection Advanced Protection

46. How to Get Started

47. How to get started

48. Notification and Reporting

49. For protection against most
common DDoS attacks, and
access to tools and best
practices to build a DDoS
resilient architecture on AWS.
AWS DDoS Shield: How to choose
For additional protection against
larger and more sophisticated
attacks, visibility into attacks,
AWS cost protection, Layer 7
mitigations, and 24X7 access to
DDoS experts for complex cases.
Standard Protection Advanced Protection

50. You get it automatically
AWS Shield: Getting started
Enable via the AWS Console
Standard Protection Advanced Protection

51. Resources
DDoS White paper
http://bit.ly/DDoSWP
AWS WAF Automation
http://bit.ly/AWSWAF
AWS Shield FAQ
http://bit.ly/AWSShield

52. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
Thank you!