DDoS Protection

Distributed Denial of Service (DDoS) attacks are very common, and if successful, they can have a hugely detrimental impact on an organization's service operation. Depending on the scale of the DDoS attack, it can render an entire website unavailable, and for e-commerce retail businesses, this could cost them significant losses in sales.

In this chapter, we will be looking at DDoS and how you can leverage AWS Shield to help protect your infrastructure from these malicious attacks. We will look at the differences between the two different tiers supported by Shield and how you can utilize the services of the AWS DDoS Response Team (DRT).

This chapter will focus on the following:

  • Understanding DDoS and its attack patterns
  • Protecting your environment using AWS Shield

Technical requirements

There are no requirements for this chapter. However, within the chapter, if you would like to set up and configure AWS Shield Advanced (at a cost of $3,000 a month), then you need to ensure you have permission for this service. As an alternative, I will also cover the features of AWS Shield Standard, which comes as a free service.

For more information on how to grant access, please refer to Chapter 4, Working with Access Policies.

Understanding DDoS and its attack patterns

As mentioned previously, DDoS attacks are extremely common worldwide. To begin, the initiator of a DDoS attack will focus on a specific target to compromise, such as a single host, network, or service, and this target will likely be a key component of an organization's infrastructure. During the attack, an attempt will be made to severely disrupt the performance of the target using a massive number of inbound requests from many different distributed sources within the same time period.

This creates two problems, as follows:

  • The additional traffic load is designed to flood the target and prevent authentic and legitimate inbound requests from reaching that target and being processed as real requests.
  • The performance of the target is hindered, affecting the usability of the infrastructure and its associated resources. For example, should a DDoS attack be made against a web server running a website, anyone using the site would assume that the site was down and unavailable.

So far, we've just gotten a basic understanding of what a DDoS attack actually is. On a higher level, these attacks can be carried out using different patterns, which we will discuss next.

DDoS attack patterns

There are a number of different DDoS attacks that could be used to achieve the end goal of disruption. Let me explain a couple of these at a high level to help you understand the principles of DDoS attacks.

For the certification, you will not be tested on the different types of attacks and how they are initiated; this section was included as a foundation to the topic. More information on these topics is provided in the Further reading section at the end of the chapter.

SYN floods

This type of attack takes advantage of the three-way handshake that is used to establish a connection between two hosts, as can be seen in the following diagram:

It is called a SYN flood because a huge number of connection requests (the SYN packets seen in the diagram) are sent to the attacked host simultaneously. In attempting to establish each of these incoming connections, the host responds with a SYN/ACK packet. Typically, to complete the handshake, the sender would then respond with a final ACK packet; in a SYN flood, the sender never sends this final response. As a result, the host is left with a huge number of half-open connections, each consuming resources unnecessarily. This leaves minimal resources available to process legitimate requests.

HTTP floods

As you might expect after reading about the previous attack, in an HTTP flood the target is subjected to a substantial number of HTTP requests, for example, GET or POST requests, which, in turn, consume valuable resources on the host. Much like a SYN flood, this results in a lack of available resources to process and serve legitimate requests on the server, rendering the host effectively unusable.

Ping of death (PoD)

As suggested by the name, this isn't something that's going to help your environment! A PoD attack is initiated by a malicious user sending a number of oversized IP packets to a host through a series of pings. The maximum size of an IP packet is 65,535 bytes. However, because the packets are sent fragmented, when they are reassembled into a single packet on the host, they are larger than the allowed size. This manipulation causes a memory overflow on the host that is detrimental to its performance.

So far, we have explained DDoS and the general principles behind these attacks, but bare knowledge about them is of no use if we cannot do anything to stop them, right? Moving forward, let's focus on an AWS service that has been specifically designed to help protect your environment from DDoS threats: AWS Shield.

Protecting your environment using AWS Shield

In the previous chapter, we discussed the Web Application Firewall (WAF) service and Firewall Manager. AWS Shield is closely related to these services. AWS Shield is a managed AWS service that helps to mitigate DDoS attacks on the applications running within your environment.

This section will take you through the two tiers of AWS Shield, explaining the differences between them, allowing you to understand which tier would be best for your own environment. You will also see how to activate the AWS Shield Advanced tier.

The two tiers of AWS Shield

Your environment and how much protection you require, and at which level, will determine the AWS Shield tier that you implement within it. Currently, there are two tiers available:

  • AWS Shield Standard: The first tier is freely available to anyone with an AWS account.
  • AWS Shield Advanced: The second tier is a premium tier that comes with a range of additional features and protection. However, this comes at an additional cost.

By visiting https://aws.amazon.com/shield/getting-started/, you can see the full list of differences between the two tiers.

AWS Shield Standard

If you already have an AWS account, then this standard tier is available to you at no additional cost. It can be used to protect your environment from some of the more common DDoS attacks operating at the network and transport layers of your infrastructure when using Amazon CloudFront or Route 53. When utilizing AWS WAF, it can also be used to help mitigate some common application layer attacks.

AWS Shield Standard operates in real time in an always-on model. It automatically detects specific traffic signatures that could indicate an imminent attack against your infrastructure.

AWS Shield Advanced

AWS Shield Advanced offers a wider scope of advantages, features, and DDoS protection compared to AWS Shield Standard. One of the biggest additional features that it supports is application traffic monitoring and support for large-scale DDoS attacks. With this in mind, AWS Shield Advanced is recommended for organizations where these kinds of attacks could have a significant impact on business productivity.

It also has advanced feature sets when it comes to visibility and reporting against layer 3, layer 4, and layer 7 attacks (network, transport, and application). Plus, it comes with access to a 24/7 specialized DDoS response team at AWS, known as the DRT.

One last point I want to make about AWS Shield Advanced is that it comes with cost protection. This could be very advantageous in the event of a significant attack. During an attack, services such as Amazon Route 53, Amazon CloudFront, Elastic Load Balancing, and EC2 may scale up to cope with the flood of traffic. The cost protection with Shield Advanced protects you from having to pay for these attack-driven cost spikes.

With all of these great features and protection also comes a cost. AWS Shield Advanced currently stands at $3,000 a month, plus data transfer fees.

Activating AWS Shield Advanced

In this section, I want to provide a quick overview of how to activate AWS Shield Advanced:

  1. From the AWS Management Console, select WAF & Shield under the Security, Identity, & Compliance category:

  2. Click the blue Go to AWS Shield button:

  3. You will now be presented with a splash screen showing the core differences between Shield Standard and Shield Advanced. To activate Shield Advanced, you must select the blue Activate AWS Shield Advanced button:

     However, do be aware, there is a $3,000 cost per month when you activate it.

  4. You will now be asked to agree to a number of terms and conditions before the service is activated. Once activated, you are subscribed to the service, and to unsubscribe, you must contact AWS Support.

If you have multiple accounts that you own, then it's recommended that you use AWS Firewall Manager to activate and configure Shield Advanced on these accounts. By doing so, you will only pay a single monthly bill of $3,000 for all your accounts, providing they are in the same consolidated billing configuration. For more information on how to set up and configure this, please see the following URL: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-shield.html

Configuring AWS Shield Advanced

Once you have activated AWS Shield Advanced, you will then need to configure it to protect your resources. In this section, I will review the steps involved.

Selecting your resources to protect

Once you have activated AWS Shield, you must then determine which resources and services you would like to protect, using the ARNs of those resources. If you are looking to protect an EC2 instance, then you should be aware that you must first associate an elastic IP address (EIP) with the instance. AWS Shield can then be associated with the EIP and will protect whatever resource that particular EIP is associated with.

Adding rate-based rules

Once you have selected which resources you are looking to protect, you can then add rate-based rules to help identify potential DDoS attacks from spiking traffic. If you remember from the previous chapter, a rate-based rule counts the number of requests received from a particular IP address over a time period of 5 minutes:

By selecting a rate-based rule, you can define the maximum number of requests from a single IP within a 5-minute time frame (this must be over 2,000, otherwise this setting falls within the boundaries of a standard rule). Once this limit is reached, all further requests from that IP are blocked until its request count drops back below the defined threshold.
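To make the rate-based rule behaviour concrete, here is an added example (not code from the book or from AWS WAF itself) that models the rule over constructed log lines: per-source-IP counting across a trailing 5-minute window, the 2,000-request minimum, and blocking that persists only while the source stays above the limit. The trailing-window evaluation on every request and the log format are assumptions of this model, not documented WAF internals.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # a rate-based rule counts requests per IP over 5 minutes
MIN_LIMIT = 2000               # below this, the console treats the rule as a standard rule


class RateBasedRule:
    """Model of a WAF rate-based rule (assumed trailing window, evaluated per request).
    Blocked requests still count, so a source stays blocked until its rate drops."""

    def __init__(self, limit):
        if limit < MIN_LIMIT:
            raise ValueError(f"rate-based rule limit must be at least {MIN_LIMIT}")
        self.limit = limit
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def evaluate(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= WINDOW:  # expire requests older than the window
            q.popleft()
        q.append(ts)
        return "ALLOW" if len(q) <= self.limit else "BLOCK"


def parse(line):
    # Constructed log format: "<ISO 8601 timestamp> <client ip> <method> <path>"
    stamp, ip, _method, _path = line.split()
    return ip, datetime.fromisoformat(stamp)


def synthetic_log(start, ip, count, gap_ms):
    # Constructed traffic: `count` GET requests from `ip`, one every `gap_ms` milliseconds
    return [f"{(start + timedelta(milliseconds=i * gap_ms)).isoformat()} {ip} GET /"
            for i in range(count)]


def run(rule, lines):
    # Evaluate log lines in time order; return the number of blocked requests per IP
    blocked = defaultdict(int)
    for line in sorted(lines, key=lambda l: parse(l)[1]):
        ip, ts = parse(line)
        if rule.evaluate(ip, ts) == "BLOCK":
            blocked[ip] += 1
    return dict(blocked)


def demo():
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    flood = synthetic_log(start, "203.0.113.5", 2500, 20)    # 2,500 requests in 50 seconds
    normal = synthetic_log(start, "198.51.100.7", 30, 1000)  # 30 requests in 30 seconds
    later = synthetic_log(start + timedelta(minutes=6), "203.0.113.5", 1, 0)  # window expired
    return run(RateBasedRule(2000), flood + normal + later)  # -> {'203.0.113.5': 500}
```

Only the flooding source is blocked (its requests beyond the 2,000th), and its request six minutes later is allowed again because the earlier burst has aged out of the window.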

Adding support from the AWS DDoS Response Team (DRT)

Once your rate-based rules are configured, you have the option of adding support from the AWS DDoS Response Team (DRT). This is a specialized team at AWS that can help you review, analyze, and monitor suspected malicious activity within your account, and offer help and solutions on how to resolve a potential attack.

To help you with investigations, the DRT will need access to the AWS WAF rules and web ACLs within your affected account. This obviously requires your authorization for them to access this information should you need their assistance. If you may require help from the DRT, then you need to pre-authorize their access at this stage. If you do not want the DRT to have access to your resources, then you must select the Do not grant the DRT access to my account option.

If access to DRT is required, it will be governed by an IAM role that will have the AWSShieldDRTAccessPolicy managed policy attached, which trusts the service principal of drt.shield.amazonaws.com to use the role.
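As an added example (not the book's or AWS's own code), the following expresses that role as a trust policy and audits a role against what the text describes: only drt.shield.amazonaws.com may assume it, only via sts:AssumeRole, and AWSShieldDRTAccessPolicy must be attached. The service-role path in the managed policy ARN and the constructed role documents are assumptions.

```python
DRT_PRINCIPAL = "drt.shield.amazonaws.com"
# Managed policy named in the text; its service-role path is assumed here.
DRT_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"


def drt_trust_policy():
    """Trust policy that lets only the Shield DRT service principal assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": DRT_PRINCIPAL},
                           "Action": "sts:AssumeRole"}]}


def _as_list(value):
    # IAM policy elements may be a single string or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def audit_drt_role(trust_policy, attached_policy_arns):
    """Return findings for a role intended for DRT access. An empty list means the
    role trusts only drt.shield.amazonaws.com, only for sts:AssumeRole, and has
    AWSShieldDRTAccessPolicy attached."""
    findings, trusts_drt = [], False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy lets any principal assume the role")
            continue
        for key, who in principal.items():
            for entry in _as_list(who):
                if key == "Service" and entry == DRT_PRINCIPAL:
                    trusts_drt = True
                else:
                    findings.append(f"unexpected principal trusted: {key}={entry}")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"actions beyond sts:AssumeRole granted: {extra}")
    if not trusts_drt:
        findings.append(f"{DRT_PRINCIPAL} is not trusted, so the DRT cannot use the role")
    if DRT_POLICY_ARN not in attached_policy_arns:
        findings.append("AWSShieldDRTAccessPolicy is not attached")
    return findings


# Constructed example of a role whose trust has drifted to any principal at all.
OVERLY_BROAD_TRUST = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Principal": "*",
                                     "Action": "sts:AssumeRole"}]}
```

Run the audit against the trust policy and attached-policy list you retrieve for the role; anything other than an empty result means the DRT role is either unusable by the DRT or wider than it needs to be.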

As with all monitoring systems, it is always recommended that CloudWatch alarms are configured, together with SNS, for the notification of potential DDoS attacks. AWS Shield Advanced configures CloudWatch metrics and SNS to notify you of potential DDoS attacks.

Additional services and features

As an additional level of protection against DDoS attacks, beyond AWS WAF and AWS Shield, it is also recommended, where feasible when serving web traffic, to use AWS-managed edge services such as Amazon CloudFront and Amazon Route 53. AWS Shield's integration with these edge services allows potential DDoS attacks to be detected and mitigated at a sub-second level, significantly decreasing the chances of compromise.

Both Amazon CloudFront (with AWS WAF) and Route 53 offer the following protections:

  • Layer 3, layer 4, and layer 7 attack mitigation (for example, UDP reflection, SYN floods, and application layer attacks).
  • Being managed services, they are able to scale to absorb the additional traffic generated from application-layer attacks and so reduce the impact on your infrastructure.
  • They are able to provide geo-location-based dispersion of the additional traffic from larger DDoS attacks.

Amazon CloudFront (with AWS WAF) also offers protection from layer 6 attacks.

It is likely that you are already using elastic load balancers and autoscaling within your environment. If you are not, be aware that these can also help to reduce the impact of a large-scale attack on your resources, whether it operates at the application or network level. Application or network load balancers (ALBs or NLBs) can quickly scale to meet the additional load experienced during an attack, preventing your infrastructure from being overloaded as it would be without an ELB in front of it. When combined with autoscaling, your resources can be scaled out to absorb the connections being initiated. Together, these features help to maintain the availability of your service during an attack.

Summary

In this chapter, we first learned about DDoS attacks and their attack patterns, where we saw just how serious these attacks can be and the damage that they can cause. In order to mitigate these attacks, we then learned about AWS Shield and the different tiers it provides, each with its own set of features for DDoS protection. We then followed this up with a quick demonstration of how you can activate and configure AWS Shield Advanced and use it to your advantage to mitigate DDoS attacks.

Remember that DDoS attacks are a very real concern for many organizations and are widespread globally. They can have a significant impact on your environment, and ultimately on your business's reputation. With the help of the information in this chapter, you will now be able to detect and defend against these attacks using AWS Shield.

In the next chapter, we'll be looking at incident response and how to prepare for incidents, and the necessary response actions to help isolate an issue.

Questions

As we conclude this chapter, here is a list of questions for you to test your knowledge regarding its material. You will find the answers in the Assessments section of the Appendix:

  1. Which type of DDoS attack takes advantage of the three-way handshake that is used to establish a connection between two hosts?
  2. How many tiers are there to choose from when working with AWS Shield?
  3. True or false: AWS Shield Advanced is a premium tier that comes with a range of additional features and protection.
  4. True or false: The DDoS Response Team (DRT) is a specialized team at AWS who can help you to review, analyze, and monitor suspected malicious activity within your account and offer help and solutions on how to resolve a potential attack.
  5. True or false: By selecting a rate-based rule, you can define the maximum number of requests from a single IP within a 30-minute time frame.

Further reading

For additional information relating to AWS DDoS protection, I recommend reading the following AWS White Paper: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf?did=wp_card&trk=wp_card

What is a DDoS attack?: https://aws.amazon.com/shield/ddos-attack-protection/