(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AWS re:Invent 2014
Transcript of (SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AWS re:Invent 2014
• Infrastructure attacks (Layer 3 / 4)
  – Average attack size is 900 Mbps (50% under 500 Mbps)
  – 78% of attacks are infrastructure (simple to launch)
• Application attacks (Layer 7)
  – 22% of all attacks target port 80 & 443 (more complex)
• Multi-vector – different attack types simultaneously
• Amplification (NTP, SSDP, DNS, Chargen, SNMP)
• Hit and run DDoS (91% < 1 hour) and smokescreens (16-18%)
[Diagram: HTTP flood illustration – repeated GET requests from users toward the web app server]

[Diagram: reference VPC architecture – internet; users; admin; DMZ public subnet with ELB, ssh bastion and NAT; frontend private subnet with Amazon EC2 web app servers; backend private subnet with MySQL db; each tier in its own security group. Port labels: TCP: 80/443, TCP: 8080, TCP: 1433; 3306, TCP: 22, TCP: Outbound]

[Diagram: DDoS-resilient edge – users (and DDoS traffic) → Amazon Route 53 → CloudFront Edge Location → ELB in the DMZ public subnet (security group) → web app server in the frontend server private subnet (security group)]

[Diagram: CloudFront request handling – Internet Connection A/B/C, Route A/B/C, Country A/B/C; Valid Object Request vs. Invalid Protocol / Invalid Object Request]

[Diagram: WAF architecture – WAF Master (Auto Scaling 1:1) and WAF Worker Auto Scaling groups behind ELBs; Web Application Auto Scaling group in a Security Group; Admin; Management / Monitoring; Custom Profile Configuration in Amazon S3; Web Traffic vs. Unauthorized Web Traffic]

[Diagram: variant of the edge architecture – users (and DDoS traffic) → CloudFront Edge Location → ELB in the DMZ public subnet → WAF / Proxy private subnet → frontend servers]

[Diagram: WAF Auto Scaling group and ELB in security groups, frontend servers Auto Scaling group in a private subnet, web app server]
9:30 pm PDT – Traffic analysis suggests opportunity to mitigate attack by revising configuration. We also decide to disable auto-scaling to preserve data for FBI forensic analysis.
10:34 am PDT – First indications of impaired response from monitors. Traffic ramps dramatically.
12:30 pm PDT – Attack initially targets IP addresses of A record. Switch to Route53 CNAME as cutout eliminates traffic.
6:24 pm PDT – Attack resumes (targeting CNAME this time). Traffic ramps dramatically.
2:15 am PDT – Bad guys give up. Attack stops … Hah!
1:00 am PDT – Revised configuration in place. The arms race begins …
7:17 pm PDT – Peak capacity deployed:
  - 17 c3.8xlarge HA proxies
  - 34 m3.large web servers
Bad guys run out of gas … traffic plateaus. 1-3 second response times.
[Chart: per-instance metric over time, annotated "First attack: IP specific", "Second attack: arms race", "Sigh of relief …"]
Customer CIO:

“Team - I have been sitting here in my hotel room thinking about what this team has been able to accomplish over the past 2 days and it has been amazing. Not really my style to think we are out of the woods yet...but the level of effort and coordination has been world class. To the CrownPeak/AWS team... Thank you for all of your efforts to assist our organization. You should know that it has been greatly appreciated at all levels.”