News

AWS Fights DDoS Attacks

• By David Ramel
• 01/03/2017

Even before last October's disruptive Mirai malware-generated distributed denial of service (DDoS) attacks, the Amazon Web Services Inc. (AWS) cloud has provided protection guidance such as the AWS Best Practices for DDoS Resiliency whitepaper, published last June.

Now, AWS is boosting its anti-DDoS guidance, spokesperson Jeff Barr announced on Friday. He outlined a three-pronged approach leveraging the AWS cloud's automatic scaling capabilities, fault tolerance protections and automatic attack mitigation mechanisms.

This approach can help enterprises withstand new-age DDoS attacks like Mirai that utilize the growing Internet of Things (IoT) as a new source of attack vectors, hijacking seemingly benign connected devices such as cameras, home routers, printers and even baby monitors to flood targets with crippling amounts of network traffic and crash sites.

The Mirai-powered botnet took down major Web sites such as Amazon itself (not AWS), Spotify and Twitter.

"In the wake of this attack and others that have preceded it, our customers have been asking us for recommendations and best practices that will allow them to build systems that are more resilient to various types of DDoS attacks," Barr said in a blog post. "The short-form answer involves a combination of scale, fault tolerance, and mitigation (the AWS Best Practices for DDoS Resiliency white paper goes in to far more detail) and makes use of Amazon Route 53 and AWS Shield."

Amazon Route 53 is described as "a highly available and scalable cloud Domain Name System (DNS) Web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other."

Barr said the service -- along with other edge services such as Amazon CloudFront and AWS WAF (Web Application Firewall) -- can create a "global surface area capable of absorbing large amounts of DNS traffic." Such expandable global surface areas can reduce the effect of DDoS attacks by handling the excess traffic they generate.

Route 53 also comes into play in the fault tolerance part of the three-pronged approach, as techniques such as shuffle sharding and anycast striping boost availability. "If one name server ... is not available, the client system or application will simply retry and receive a response from a name server at a different edge location," Barr said. "Anycast striping is used to direct DNS requests to an optimal location. This has the effect of spreading load and reducing DNS latency."

Finally, Barr said the company's AWS Shield Standard service -- automatically provided at no extra cost to services such as Elastic Load Balancers, CloudFront distributions and Route 53 resources -- protects enterprises against 96 percent of the most common attacks. A more comprehensive service, AWS Shield Advanced, "includes additional DDoS mitigation capability, 24×7 access to our DDoS Response Team, real time metrics and reports, and DDoS cost protection," Barr said.

While AWS provides guidance and services, it's up to enterprise customers to utilize the aforementioned and other products and services to protect themselves, starting with an appropriate architectural-level foundation. The AWS Best Practices for DDoS Resiliency whitepaper says "AWS infrastructure is DDoS-resilient by design and is supported by DDoS mitigation systems that can automatically detect and filter excess traffic. To protect the availability of your application, it is necessary to implement an architecture that allows you to take advantage of these capabilities."

Furthermore, the whitepaper states, "The degree to which you are able to architect your application according to these best practices will influence the type, vector, and volume of DDoS attacks that you are able to mitigate. AWS encourages you to use these best practices to better protect the availability of your application against common DDoS attacks."