You are under a DDOS attack! Are you ready to respond? (CDN306)

A summary of the session's key takeaways, grouped by topic.

Understanding Distributed Denial of Service (DDoS) Attacks

  • DDoS attacks are volumetric: a flood of requests or packets against a public endpoint, typically from many source IPs, that can overwhelm an application.
  • The intention of such attacks is to take a service offline or degrade its performance.
  • DDoS attacks have traditionally targeted the network or transport layer, but have now shifted more towards layer 7 HTTP request floods.
  • AWS sees around 2,000 DDoS attacks per day, ranging from short-lived, high-volume attacks to prolonged attacks with multiple vectors.
  • DDoS attacks can impact customers by causing DNS resolution issues, 5xx errors, and increased latency.

Mitigating DDoS Attacks

Initial Triage and Preparation

  1. Establish roles and responsibilities for the incident response team.
  2. Reach out to AWS Support, Enterprise Support, or your AWS account team for assistance.
  3. Enable logging and monitoring (CloudTrail, CloudWatch, Route 53 health checks) to get visibility into the environment.

Implementing Mitigation Strategies

  1. Use Route 53 for highly available DNS service to handle high DNS traffic.
  2. Implement CloudFront to offload traffic from the origin and perform protocol and packet inspection.
  3. Restrict the Application Load Balancer (ALB) to only accept traffic from CloudFront IP addresses.
  4. Configure CloudFront caching, error caching, and Geo-blocking to reduce the load on the backend.
  5. Enable AWS WAF directly from the CloudFront dashboard to add security rules and rate-based controls.
  6. Implement fine-grained rate-based controls using API Gateway aggregate keys or a combination of host header, URI path, and IP address.
  7. Consider using a JavaScript challenge for web content to distinguish between legitimate users and bots.
  8. Analyze AWS WAF logs to understand the traffic patterns and fine-tune the rules accordingly.
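Steps 6 and 8 above can be rehearsed offline before a rule goes live. The following is an added example (not from the session or from AWS tooling) that replays constructed AWS WAF JSON log records against a composite rate-limit key of Host header, URI path and client IP, and reports keys whose request count exceeds a limit within a sliding window, which is the behaviour a rate-based rule with those keys would enforce. Sample records, IPs and the limit are assumptions for illustration.

```python
"""Replay AWS WAF logs against a composite rate-limit key (Host header,
URI path, client IP) and report keys that exceed a request limit inside
a sliding time window, as a rate-based rule with those keys would."""
import json
from collections import defaultdict, deque


def _record(ts_ms, ip, uri, host_header_name, host):
    # Constructed sample record in the AWS WAF JSON log layout (not real
    # traffic); only the fields this script reads are included.
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW",
                       "httpRequest": {"clientIp": ip, "uri": uri,
                                       "headers": [{"name": host_header_name,
                                                    "value": host}]}})


T0 = 1700000000000  # epoch milliseconds, the unit WAF logs use for timestamp
SAMPLE_WAF_LOG = "\n".join(
    [_record(T0 + i * 100, "198.51.100.7", "/login", "Host", "www.example.com")
     for i in range(12)] +                       # 12 hits on /login in 1.1 s
    [_record(T0 + i * 30000, "203.0.113.5", "/", "host", "www.example.com")
     for i in range(4)])                         # 4 spread-out hits on /


def rate_key(record):
    """Composite key mirroring a rate-based rule keyed on Host header,
    URI path and client IP. Header names are matched case-insensitively."""
    req = record["httpRequest"]
    host = next((h["value"] for h in req.get("headers", [])
                 if h["name"].lower() == "host"), "")
    return (host, req.get("uri", ""), req["clientIp"])


def find_top_talkers(log_text, limit, window_seconds=300):
    """Return {key: peak_count} for every key whose request count within any
    window of `window_seconds` exceeded `limit`. Works in integer
    milliseconds so window edges are exact."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    records.sort(key=lambda r: r["timestamp"])
    window_ms = window_seconds * 1000
    recent = defaultdict(deque)   # key -> timestamps inside the current window
    offenders = {}
    for rec in records:
        key, ts = rate_key(rec), rec["timestamp"]
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window_ms:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > limit:
            offenders[key] = max(offenders.get(key, 0), len(q))
    return offenders


if __name__ == "__main__":
    for key, peak in find_top_talkers(SAMPLE_WAF_LOG, limit=10).items():
        print(f"{key}: peak {peak} requests in window")
```

Running the same log through several limits and window sizes shows which legitimate keys a candidate rule would catch before it is deployed in count mode on the real web ACL.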

Monitoring and Post-Incident Review

  1. Add key metrics to the operations dashboard, such as CloudFront request rates, error rates, and health check status.
  2. Determine the criteria for when the incident is considered over (e.g., healthy health checks, expected load).
  3. Investigate logs for any further issues and amend rules as needed.
  4. Document any changes made to the infrastructure and plan for future mitigations.

AWS DDoS Mitigation Capabilities

AWS Shield Standard

  • AWS Shield Standard is the first line of defense against DDoS attacks, sitting in-line with the traffic at the edge and regional locations.
  • It identifies top talkers, applies intelligent rate limits, protects against known threats, and performs protocol-level mitigations.
  • It is designed to maximize throughput and minimize bad traffic, preventing attacks from reaching customer workloads.

AWS CloudFront

  • CloudFront provides additional DDoS protection at the layer 7 level, looking at both IP and request-level anomalies.
  • It uses techniques like top talker identification, known threat protection, and request entropy analysis to detect and mitigate layer 7 DDoS attacks.
  • CloudFront has demonstrated the ability to absorb massive DDoS attacks, such as the 155 million RPS HTTP/2 Rapid Reset attack.

AWS Threat Intelligence

  • AWS uses a global network of honeypots to gather first-party, verifiable threat intelligence, which is then used to mitigate known threats across its services.
  • This threat intelligence is used to identify and block malicious IP addresses, proxies, and other indicators of compromise.
  • AWS also uses this intelligence to disrupt threat actors by providing information to take down botnets and other malicious infrastructure.

Building DDoS-Resilient Architectures

  • Leverage AWS services like CloudFront, AWS WAF, and AWS Shield Advanced to build a layered defense-in-depth strategy.
  • Use AWS Firewall Manager to manage and scale your WAF policies and security group rules across your organization.
  • Implement a combination of rate-based controls, IP reputation lists, and customer-managed rules in AWS WAF.
  • Regularly review and update your WAF rule sets, and conduct DDoS and penetration testing to validate the effectiveness of your controls.
  • Engage with AWS support teams to help review your architecture and incident response processes.

Key resources (shown as QR codes in the session):

  1. DDoS Resiliency Guide
  2. AWS WAF Logging and Dashboarding Examples
  3. DDoS for Resiliency Best Practices
