AWS re:Invent 2025 - From Threat to Threat Intel: 360 Degrees of DDoS (NET318)

Overview

  • Presenters: Elena Wanik (AWS Shield Response Team), Brian Van Hook (AWS Senior Specialist SA), Bashar Alawi (Figma Software Engineer)
  • Goal: Provide an in-depth look at how AWS turns DDoS attacks into actionable threat intelligence to defend against evolving threats

The Evolution of DDoS Threats

  • Early 2000s: Reflection and amplification attacks, mitigated with on-host iptables rules
  • 2010s: Botnet-driven attacks, addressed by deploying packet-scrubbing hardware and automated mitigations
  • 2020s: Rise of HTTP-based proxy floods, which led to Shield application-layer automation and the WAF Anti-DDoS rule group

AWS's 360-Degree Approach to DDoS Protection

  1. Telemetry Collection: AWS's global network provides visibility into 60 TB/s peak traffic, 12 billion packets/s, and 105 million requests/s
    • Network layer detection, edge service detection, WAF detection, and honeypot monitoring provide comprehensive threat data
  2. Threat Intelligence Generation:
    • Challenges in deriving meaningful intelligence from massive telemetry, including IP address reuse, flash crowds, and compromised hosts that have since been patched
    • Continuous analysis and tuning of traffic attributes to improve detection and mitigation
    • Honeypots (MADPOT) provide insight into botnet infrastructure and command-and-control activity
  3. Service Integration:
    • Application Layer Known Offenders List and Network Layer Known Offenders List integrated into AWS services like CloudFront and Application Load Balancer
    • Case studies on UDP randomization and regionally targeted attacks demonstrate the effectiveness of the Known Offenders Lists
  4. Threat Actor Disruption:
    • AWS collaborates with law enforcement to take down botnet infrastructure, such as the "Rapper Bot" botnet, which was launching multi-terabit, multi-billion packet per second DDoS attacks

Best Practices for DDoS Resilience

Non-HTTP Workloads

  • Use auto-scaling and intelligent load balancing (Network Load Balancer) in private subnets
  • Leverage AWS Global Accelerator for static IP addresses and built-in DDoS mitigations
  • Protect Global Accelerator endpoints with AWS Shield Advanced

HTTP Workloads

  • Use private subnets and auto-scaling for load-balanced HTTP workloads
  • Leverage Amazon CloudFront with VPC origins to avoid exposing origins to the public internet
  • Protect CloudFront distributions with AWS WAF and the new Anti-DDoS Managed Rule Group

Figma's DDoS Mitigation Journey

  • Figma, a leading design platform, faced weekly DDoS attacks overwhelming their infrastructure
  • Adopted a defense-in-depth strategy using WAF, proxy-layer protections, and threat intelligence from AWS
  • Leveraged WAF logging, rate limiting, and challenge actions to mitigate attacks
  • Centralized DDoS protection in the proxy layer to provide immediate response and fair sharing of resources
  • Integrated AWS's Anti-DDoS Managed Rule Group and IP Reputation List to automate threat detection and mitigation
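The HTTP best practices above and Figma's use of WAF logging, rate limiting, challenge actions and the IP reputation list all come down to two per-client decisions: is this source on a known-offenders list, and is it exceeding a request rate. The following is an added example, not code from the talk, AWS or Figma. It is an offline analyser over constructed AWS WAF-style log records (JSON per line, with `timestamp` in epoch milliseconds and `httpRequest.clientIp`) that mirrors a rate-based rule with a Challenge action and a reputation-list Block. The offender CIDRs, the 60-second window and the limit of 5 are assumptions chosen so the sample triggers; a real AWS WAF rate-based rule evaluates over a 5-minute window by default.

```python
import json
import ipaddress
from collections import defaultdict, deque

# Constructed known-offenders list using documentation address ranges.
# Stand-in for the AWS IP reputation / Known Offenders lists named in the talk.
KNOWN_OFFENDERS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.7/32")]

# Assumed rate rule for this demo: more than LIMIT requests from one client
# within WINDOW_MS. Real AWS WAF rate-based rules default to a 5-minute window;
# the values here are deliberately small so the constructed sample trips them.
WINDOW_MS = 60_000
LIMIT = 5

# Higher severity wins when a client is seen in several states.
SEVERITY = {"ALLOW": 0, "CHALLENGE": 1, "BLOCK": 2}


def make_record(ts_ms, client_ip, uri):
    """Build one constructed log line in the shape of an AWS WAF log record."""
    return json.dumps({
        "timestamp": ts_ms,
        "action": "ALLOW",
        "httpRequest": {"clientIp": client_ip, "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample: one client bursts 8 requests in 35 s, one browses
# normally, and one sits on the offender list.
BASE_TS = 1_700_000_000_000
SAMPLE_LOG_LINES = (
    [make_record(BASE_TS + i * 5_000, "192.0.2.10", "/api/search") for i in range(8)]
    + [make_record(BASE_TS + i * 20_000, "192.0.2.20", "/files") for i in range(3)]
    + [make_record(BASE_TS + 1_000, "203.0.113.7", "/login")]
)


def parse_records(lines):
    """Parse JSON log lines into dicts."""
    return [json.loads(line) for line in lines]


def is_known_offender(ip):
    """True if the client IP falls inside any offender CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_OFFENDERS)


def escalate(verdicts, ip, action):
    """Record the most severe action seen so far for this client."""
    if SEVERITY[action] > SEVERITY[verdicts.get(ip, "ALLOW")]:
        verdicts[ip] = action
    else:
        verdicts.setdefault(ip, "ALLOW")


def evaluate(records):
    """Return {client_ip: action} with BLOCK for reputation hits, CHALLENGE for
    clients exceeding the sliding-window rate limit, ALLOW otherwise."""
    windows = defaultdict(deque)   # per-client timestamps inside the window
    verdicts = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        ip = rec["httpRequest"]["clientIp"]
        ts = rec["timestamp"]
        if is_known_offender(ip):
            escalate(verdicts, ip, "BLOCK")
            continue
        window = windows[ip]
        window.append(ts)
        # Drop timestamps older than the window; ts itself always remains.
        while ts - window[0] > WINDOW_MS:
            window.popleft()
        escalate(verdicts, ip, "CHALLENGE" if len(window) > LIMIT else "ALLOW")
    return verdicts


def request_counts(records):
    """Simple top-talker view of the log, as a WAF logging dashboard would show."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["httpRequest"]["clientIp"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for ip, action in sorted(evaluate(recs).items()):
        print(f"{ip:16} {action:9} requests={request_counts(recs)[ip]}")
```

Reputation hits are blocked outright while rate offenders only receive a challenge, which matches the defense-in-depth ordering described for Figma: a challenge lets a legitimate flash crowd through at the cost of a browser check, whereas a block on a known-offender source costs nothing for real users.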

Key Takeaways

  • AWS's comprehensive telemetry and threat intelligence capabilities provide unparalleled DDoS protection
  • Integrating AWS services like Global Accelerator, CloudFront, and WAF enables built-in DDoS resilience
  • The new Anti-DDoS Managed Rule Group in WAF simplifies DDoS mitigation for HTTP workloads
  • Collaboration with law enforcement helps disrupt and take down large-scale botnet infrastructures
  • Adopting AWS's DDoS protection best practices can significantly improve an organization's resilience against evolving threats
