DNS DDoS mitigation using Amazon Route 53 and AWS Shield

Bigger and more sophisticated distributed denial of service (DDoS) attacks are targeting the Internet's Domain Name System (DNS), causing significant downtime to websites and applications. Amazon Route 53, the AWS DNS service, integrates tightly with AWS Shield, the AWS service that provides managed DDoS protection, to safeguard your web applications and protect against large-scale attacks. This talk covers the techniques Amazon Route 53 employs to thwart DDoS attacks, including Anycast Striping, Shuffle Sharding and a global network of 56 points of presence, and the mitigation strategies AWS Shield provides, including inline mitigations, visibility and cost protection.

Learning Objectives:
• Learn how Amazon Route 53 scales against DDoS attacks
• Learn how advanced features like Anycast Striping and traffic shaping mitigate DDoS risks
• Learn how always-on inline mitigation techniques protect against advanced attacks
• Learn how AWS Shield integrates with Amazon Route 53 to monitor traffic signatures and undertake deterministic packet filtering to minimize application downtime
• Learn why customers should use Amazon Route 53 and AWS Shield to protect against DNS DDoS attacks

Published in: Technology

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sergey Royt, Jeffrey Lyon. Amazon Route 53 and AWS Shield: DDoS Protection and Risk Mitigation
  2. DDoS 101
  3. What is DDoS? Distributed Denial of Service
  4. DDoS attacks target DNS in two layers
  5. Types of DDoS attacks
  6. Types of DNS DDoS attacks: Volumetric DDoS attacks congest DNS networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
  7. DDoS attack trends - volumetric: Volumetric attacks using amplification and reflection techniques are very common (chart: 47% volumetric, 53% application layer)
  8. Amplification/Reflection attacks
  9. Types of DNS DDoS attacks: Application-layer DDoS attacks target DNS by using well-formed but malicious queries to circumvent mitigation and consume application resources. These are known as query floods.
  10. DDoS attack trends – query floods: DNS query floods are real DNS requests. These can continue for hours and exhaust the available memory/CPU resources of the DNS server (chart: 47% volumetric, 53% application layer)
  11. DNS query floods: Few good actors; thousands of bad bots; recursive DNS servers; authoritative DNS service
  12. Traditional challenges in mitigating DNS DDoS attacks
  13. Traditional challenges in mitigating DNS DDoS attacks: Difficult to enable zone isolation, over-provisioned bandwidth capacity, redundancy and scale
  14. Traditional challenges in mitigating DNS DDoS attacks: Traditional datacenter, manual involvement. Operator involvement to initiate mitigation; re-route traffic to scrubbing location; increased time to mitigate
  15. Traditional challenges in mitigating DNS DDoS attacks: Traditional datacenter. Traffic re-routing = increased latency for users
  16. Traditional challenges in mitigating DNS DDoS attacks: Expensive to use • DDoS mitigation service cost • Cost of maintaining scrubbing devices • Paying for bandwidth • Personnel cost
  17. Amazon Route 53: Highly resilient and fault tolerant DNS
  18. Built-in redundancy: 56 global edge locations
  19. Network capacity: Tens of terabits of transit capacity
  20. Network redundancy: Multiple transit and peering providers
  21. Name server redundancy: 4 name servers for each hosted zone
  22. Resiliency and availability: Anycast DNS, anycast striping
  23. Fault tolerance and zone isolation: Zone isolation
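Slides 21 to 23 describe four name servers per hosted zone, anycast striping and zone isolation, and the talk description names shuffle sharding as the technique behind the isolation. The following Python model is added here and is not Route 53's own code: each zone is assigned one server from each of four stripes by hashing its name, and the blast radius of saturating one zone's servers is compared with a naive fixed-group assignment. The stripe size of 8, the hash-based selection and the constructed zone names are assumptions of the model.

```python
"""Shuffle-sharding model of name-server assignment across stripes.

Added illustration for the Route 53 slides on name-server redundancy, anycast
striping and zone isolation. This is a simplified model written for this page,
not Route 53's implementation: four servers per zone follows the slide, the
stripe size and the hash-based choice are assumptions."""
import hashlib
import itertools

STRIPES = 4              # four name servers per hosted zone, one per stripe
SERVERS_PER_STRIPE = 8   # assumed stripe size for the model


def assign_name_servers(zone, per_stripe=SERVERS_PER_STRIPE):
    """Pick one server from each stripe, derived from a hash of the zone name,
    so the choice is deterministic per zone but spread evenly across zones."""
    digest = hashlib.sha256(zone.encode()).digest()
    return tuple((stripe, digest[stripe] % per_stripe) for stripe in range(STRIPES))


def assign_fixed_group(zone, groups=SERVERS_PER_STRIPE):
    """Contrast case: zones bucketed onto fixed four-server groups, no shuffling."""
    group = hashlib.sha256(zone.encode()).digest()[0] % groups
    return tuple((stripe, group) for stripe in range(STRIPES))


def blast_radius(assignments):
    """For each zone, count the other zones whose entire server set lies inside
    this zone's set: those zones would lose all four of their servers if an
    attack saturated every server serving this zone."""
    radius = {}
    for zone, servers in assignments.items():
        mine = set(servers)
        radius[zone] = sum(1 for other, theirs in assignments.items()
                           if other != zone and set(theirs) <= mine)
    return radius


def overlap_histogram(assignments):
    """hist[k] = number of zone pairs that share exactly k servers (0..STRIPES)."""
    hist = [0] * (STRIPES + 1)
    for a, b in itertools.combinations(assignments.values(), 2):
        hist[len(set(a) & set(b))] += 1
    return hist


def compare(n_zones=200):
    """Shuffled versus fixed-group assignment over constructed zone names."""
    zones = [f"zone-{i:03d}.example." for i in range(n_zones)]   # constructed names
    shuffled = {z: assign_name_servers(z) for z in zones}
    fixed = {z: assign_fixed_group(z) for z in zones}
    return {
        "shuffled_max_blast_radius": max(blast_radius(shuffled).values()),
        "fixed_max_blast_radius": max(blast_radius(fixed).values()),
        "shuffled_overlap_hist": overlap_histogram(shuffled),
    }


if __name__ == "__main__":
    print(compare())
```

With 8 servers per stripe there are 8^4 = 4096 possible four-server sets, so two zones share all four servers with probability 1/4096, while in the fixed-group case every zone in a group shares all four with every other zone in that group. The same reasoning is why an attack that fills one customer's name servers leaves almost every other hosted zone with at least one responsive server.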
  24. Amazon Route 53 always runs at scale: Network runs at scale; infrastructure runs at scale; 100% SLA
  25. Customers keep asking … Does AWS protect me from DDoS attacks? What about large DDoS attacks? How can I get visibility when I get attacked? Does AWS protect me from application layer attacks? Scaling for DDoS attacks is expensive. I want to talk to DDoS experts.
  26. AWS Shield: A managed DDoS protection service
  27. AWS Shield: Standard Protection is available to all customers at no additional cost; Advanced Protection is a paid service that provides additional, comprehensive protections from large and sophisticated attacks
  28. AWS Shield Standard
  29. DDoS protections built into AWS: Integrated into the AWS global infrastructure; always-on, fast mitigation without external routing; redundant Internet connectivity in AWS data centers
  30. Layer 3/4 infrastructure protection (deterministic filtering): Automatically filters invalid traffic. Examples of attributes include: • IP checksum • TCP valid flags • Payload length • DNS, HTTP request validation
  31. Layer 3/4 infrastructure protection (traffic prioritization based on scoring). Low suspicion attributes: • Normal packet or request header • Traffic composition and volume is typical given its source • Traffic valid for its destination. High suspicion attributes: • Suspicious packet or request headers • Entropy in traffic by header attribute • Entropy in traffic source and volume • Traffic source has a poor reputation • Traffic invalid for its destination • Request with cache-busting attributes
  32. Layer 3/4 infrastructure protection (traffic prioritization based on scoring): • Inline inspection and scoring • Preferentially discard lower priority (attack) traffic • False positives are avoided and legitimate viewers are protected. High-suspicion packets dropped; low-suspicion packets retained
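Slides 30 to 32 separate two stages: deterministic filtering of invalid traffic, and suspicion scoring with preferential discard of the highest-scoring traffic. The following Python example is added here and is not AWS Shield's implementation. It applies both stages to a constructed batch of DNS queries: malformed queries are dropped outright, the rest are scored on attributes taken from slide 31 (poor source reputation, invalid destination, cache-busting random labels, atypical per-source volume), and only the least suspicious queries are admitted under a capacity limit. The hosted zone, the reputation list, the weights, the thresholds and the sample traffic are all assumptions or constructed data.

```python
"""Deterministic validation followed by suspicion scoring for DNS queries.

Added example for the Layer 3/4 protection slides; illustrative code written
for this page, not AWS Shield's logic. Attribute weights, thresholds, the
hosted zone, the reputation list and the sample traffic are assumptions."""
import math
from collections import Counter

HOSTED_ZONES = {"example.com."}      # zones this authoritative service serves (assumed)
POOR_REPUTATION = {"203.0.113.7"}    # constructed reputation list (TEST-NET-3 address)
VALID_QTYPES = {"A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME"}


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; random labels score high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def is_well_formed(q):
    """Deterministic filter, the analogue of the slide's checksum, flag and
    length checks: a query failing any of these is dropped without scoring."""
    if not 12 <= q["length"] <= 512:     # 12-byte DNS header; 512 is the classic UDP limit (no EDNS assumed)
        return False
    if q["qtype"] not in VALID_QTYPES:
        return False
    name = q["qname"]
    if not name.endswith(".") or len(name) > 253:
        return False
    return all(0 < len(lbl) <= 63 for lbl in name[:-1].split("."))


def zone_of(qname):
    """Naive zone cut for the model: the last two labels plus the root dot."""
    return ".".join(qname.split(".")[-3:])


def suspicion_score(q, source_share):
    """Higher is more suspicious. Weights are assumed for the example."""
    score = 0
    if q["src"] in POOR_REPUTATION:
        score += 3                                  # traffic source has a poor reputation
    if zone_of(q["qname"]) not in HOSTED_ZONES:
        score += 3                                  # traffic invalid for its destination
    first = q["qname"].split(".")[0]
    if len(first) >= 8 and label_entropy(first) >= 2.5:
        score += 2                                  # cache-busting random subdomain label
    if source_share > 0.2:
        score += 2                                  # volume atypical for a single source
    return score


def prioritize(queries, capacity):
    """Drop malformed queries, score the rest, and admit the `capacity` least
    suspicious ones first, so flood traffic is shed before legitimate queries."""
    malformed = [q for q in queries if not is_well_formed(q)]
    valid = [q for q in queries if is_well_formed(q)]
    per_src = Counter(q["src"] for q in valid)
    total = len(valid) or 1
    scored = [(suspicion_score(q, per_src[q["src"]] / total), i, q)
              for i, q in enumerate(valid)]
    scored.sort(key=lambda t: (t[0], t[1]))        # ties keep arrival order
    return {
        "admitted": [q for _, _, q in scored[:capacity]],
        "shed": [q for _, _, q in scored[capacity:]],
        "malformed": malformed,
    }


def _q(src, qname, qtype="A", length=45):
    return {"src": src, "qname": qname, "qtype": qtype, "length": length}


# Constructed sample: three ordinary lookups, one packet shorter than a DNS
# header, a burst of random-subdomain queries from a poor-reputation source,
# and two queries for a zone this service does not host.
SAMPLE_QUERIES = [
    _q("192.0.2.10", "www.example.com."),
    _q("192.0.2.11", "mail.example.com.", "MX"),
    _q("192.0.2.12", "example.com.", "AAAA"),
    _q("192.0.2.13", "www.example.com.", length=8),
    *[_q("203.0.113.7", f"{lbl}.example.com.") for lbl in
      ("k9x2qv7p", "zq81mwe4", "p0o9i8u7", "a7s6d5f4", "m3n2b1v0", "t5y6u7i8")],
    _q("198.51.100.9", "foo.not-ours.net."),
    _q("198.51.100.9", "bar.not-ours.net."),
]

if __name__ == "__main__":
    result = prioritize(SAMPLE_QUERIES, capacity=5)
    for bucket in ("admitted", "shed", "malformed"):
        print(bucket, [(q["src"], q["qname"]) for q in result[bucket]])
```

The ordering is the point of slide 32: under a capacity limit the scorer never has to be certain that a query is attack traffic, it only has to rank it below the traffic that looks ordinary, which is how legitimate viewers survive while the flood is shed.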
  33. AWS Shield Advanced: Managed DDoS protection
  34. AWS Shield Advanced: Available today on Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53
  35. AWS Shield Advanced: Always-on monitoring & detection; Advanced L3/4 & L7 DDoS protection; Attack notification and reporting; 24x7 access to DDoS Response team; Cost protection
  41. Always-on monitoring and detection: Signature-based detection; heuristics-based anomaly detection; baselining
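Slide 41 names three detection techniques: signature-based detection, heuristics-based anomaly detection and baselining. The following Python example is added here and is not Shield's detection logic; it shows how the three combine over per-minute traffic summaries for one zone. A baseline (mean and standard deviation) is learned from quiet windows, a current window is flagged when its query volume or its distinct-source count exceeds that baseline, and a fixed signature (a window dominated by ANY queries) is checked independently of volume. The window fields, the thresholds and the history are constructed for the example.

```python
"""Baselining, heuristic anomaly detection and signature matching over
per-minute DNS traffic summaries.

Added example for the "always-on monitoring and detection" slide; written for
this page, not AWS Shield's detection logic. Window fields, thresholds and the
learning history are assumptions or constructed data."""
from statistics import mean, pstdev


def baseline(history, field):
    """Mean and population standard deviation of one field over the learning windows."""
    values = [w[field] for w in history]
    return mean(values), pstdev(values)


def exceeds_baseline(current, history, field, k=3.0, floor=1.5):
    """True when the current value is both k sigma above the learned mean and
    at least `floor` times that mean. The floor keeps a very steady baseline
    (tiny sigma) from alarming on a trivial bump."""
    mu, sigma = baseline(history, field)
    return current > max(mu + k * sigma, floor * mu)


def signature_matches(window):
    """Signature checks: fixed patterns known from earlier attacks. One is
    modelled here with an assumed threshold: a window dominated by ANY queries."""
    findings = []
    if window["any_share"] > 0.5:
        findings.append("signature:any_flood")
    return findings


def evaluate(window, history):
    """Run the three techniques from the slide and return the list of findings."""
    findings = []
    if exceeds_baseline(window["total"], history, "total"):
        findings.append("volume_anomaly")       # heuristic: query volume against baseline
    if exceeds_baseline(window["sources"], history, "sources"):
        findings.append("source_anomaly")       # heuristic: distinct sources against baseline
    findings.extend(signature_matches(window))
    return findings


# Constructed learning history: 30 quiet minutes with small deterministic jitter.
HISTORY = [
    {"total": 1000 + (i * 37) % 60 - 30,
     "sources": 400 + (i * 11) % 20 - 10,
     "any_share": 0.01}
    for i in range(30)
]
NORMAL_WINDOW = {"total": 1020, "sources": 405, "any_share": 0.01}
FLOOD_WINDOW = {"total": 48000, "sources": 9000, "any_share": 0.02}   # many bots, many queries
ANY_WINDOW = {"total": 1010, "sources": 405, "any_share": 0.7}        # normal volume, odd query mix

if __name__ == "__main__":
    for name, w in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW), ("any", ANY_WINDOW)):
        print(name, evaluate(w, HISTORY))
```

The two baseline checks are the "heuristics" and "baselining" boxes on the slide working together: the baseline supplies the expected value and spread, the heuristic decides how far outside it a window must fall. The signature check is deliberately independent of volume, so a change in query mix can be reported before the query count itself becomes anomalous.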
  43. Advanced Layer 3/4 infrastructure protection (advanced routing policies): • Distributed scrubbing and bandwidth capacity • Automated routing policies to absorb large attacks • Manual traffic engineering
  45. Attack notification and reporting: • Real-time notification of attacks via Amazon CloudWatch • Near real-time metrics for attack forensics • Historical attack reports
  46. Attack notification and reporting
  66. 24x7 access to DDoS response team: • Critical and urgent priority cases are answered quickly and routed directly to DDoS experts • Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries
  67. 24x7 access to DDoS response team: Before attack, proactive consultation and best practice guidance; during attack, attack mitigation; after attack, post-mortem analysis
  69. Cost protection: AWS absorbs scaling cost due to DDoS attack • Amazon CloudFront • Elastic Load Balancer • Application Load Balancer • Amazon Route 53
  70. Thank you!
  71. Questions? Useful links – Forums: AWS Shield - https://forums.aws.amazon.com/forum.jspa?forumID=238 ; Amazon Route 53 - https://forums.aws.amazon.com/forum.jspa?forumID=87 ; Whitepapers: https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
