Protect AWS resources against DoS and DDoS Attack

by Utpal Bhattacharjee

A distributed denial-of-service (DDoS) attack is one of the most powerful attacks on the internet.
Any server or network device has a maximum traffic-handling capacity that depends on its processing power, RAM, OS and so on.
If the traffic load rises beyond that capacity, the device can no longer respond, i.e. it denies any further service. The clients that generate the traffic and want service from the server therefore cannot get it.
In a DoS attack, an attacker turns client devices into zombies, or compromises them with a trojan, malware or similar, so that they generate an abnormally large number of requests (HTTP, ICMP, DNS queries, TCP SYN and so on). The flood of requests overwhelms the target server, which hangs or stops serving, so legitimate clients cannot get service from it. This is called a denial-of-service (DoS) attack.
When many zombie or compromised devices take part in the attack, it is called a distributed denial-of-service (DDoS) attack. These attacks are often global, distributed via botnets.
Consider application-layer attacks, for example, also known as layer 7 DDoS attacks, which use application-layer protocols. The most common examples are HTTP and DNS attacks. In an HTTP DDoS attack, many compromised client devices generate a large number of HTTP requests that flood the web server. There are several variants: cache-busting attacks (which circumvent CDN caching) and the WordPress XML-RPC flood (also known as a WordPress pingback flood, where an attacker misuses the XML-RPC API of websites hosted on the WordPress CMS to generate a flood of HTTP requests), among others.
In a DNS DDoS attack, a large number of DNS name-resolution queries flood the DNS server.
At the presentation layer, TLS abuse attacks occur.
At the network layer, ICMP flooding and UDP reflection attacks occur.
In a UDP reflection attack, the attacker crafts a valid UDP request packet with the target's IP address as the source IP address, i.e. the source address of the request is spoofed. The attacker then sends the packet with the spoofed source IP to an intermediate server. That server is tricked into sending its UDP response packets to the victim's IP address rather than back to the attacker. An intermediate server is used because it generates a response several times larger than the request packet, effectively amplifying the volume of attack traffic sent to the target. The amplification factor, the ratio of response size to request size, varies with the protocol the attacker uses: DNS, NTP or SSDP. For example, the amplification factor for DNS can be 28 to 54 times the original number of bytes, so a request payload of 64 bytes sent to a DNS server can generate over 3400 bytes of unwanted traffic towards the target.
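As an added example (not code from the original post or from AWS), the following script shows the defender's side of the reflection attack described above: given flow records for a monitored host, it separates UDP "responses" the host never asked for from replies to its own queries, totals them per reflector service, and recovers the amplification factor from the observed response sizes. The flow format, field names, the reflector port table and the sample records are this example's own assumptions; the DNS sample is constructed so that it matches the post's figures (a 64-byte request amplified 54 times gives 3456 bytes per response).

```python
"""Pick UDP reflection/amplification traffic out of flow records.

Added example for this post; not code from the post or from AWS. Input is a
constructed list of flow records in the style a NetFlow exporter or VPC Flow
Logs would produce. Field names, the reflector table and the sample data are
this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the port they reply from.
# The set and the names are an assumption of this example, not a list from the post.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


# Constructed sample: one legitimate DNS exchange by 10.0.0.5 with its resolver,
# then DNS and NTP "responses" arriving at 10.0.0.5 from servers it never queried.
# The DNS flows carry 3456 bytes per packet, i.e. a 64-byte request amplified 54x.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40000, "198.51.100.2", 53, "UDP", 1, 64),
    Flow("198.51.100.2", 53, "10.0.0.5", 40000, "UDP", 1, 120),
    Flow("203.0.113.10", 53, "10.0.0.5", 443, "UDP", 50, 172800),
    Flow("203.0.113.11", 53, "10.0.0.5", 443, "UDP", 50, 172800),
    Flow("203.0.113.12", 123, "10.0.0.5", 443, "UDP", 40, 19200),
    Flow("10.0.0.5", 51000, "192.0.2.9", 443, "TCP", 10, 1500),
]


def solicited_keys(flows, monitored_ip):
    """(remote_ip, remote_port, local_port) triples for UDP the monitored host itself sent."""
    return {
        (f.dst_ip, f.dst_port, f.src_port)
        for f in flows
        if f.proto == "UDP" and f.src_ip == monitored_ip
    }


def unsolicited_reflector_traffic(flows, monitored_ip):
    """Inbound UDP from a reflector port that answers no request the host made.

    Returns {service: (packets, bytes, distinct_source_ips)}.
    """
    asked = solicited_keys(flows, monitored_ip)
    totals = defaultdict(lambda: [0, 0, set()])
    for f in flows:
        if f.proto != "UDP" or f.dst_ip != monitored_ip or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.src_ip, f.src_port, f.dst_port) in asked:
            continue  # reply to a query the host sent: normal traffic
        entry = totals[REFLECTOR_PORTS[f.src_port]]
        entry[0] += f.packets
        entry[1] += f.nbytes
        entry[2].add(f.src_ip)
    return {svc: (p, b, len(srcs)) for svc, (p, b, srcs) in totals.items()}


def implied_amplification(report, request_bytes=64):
    """Average response size per service divided by an assumed spoofed-request size.

    With the post's 64-byte DNS request this recovers the amplification factor
    (response size / request size) the reflector is delivering to the victim.
    """
    return {svc: (b / p) / request_bytes for svc, (p, b, _) in report.items()}


def amplified_bytes(request_bytes, factor):
    """Bytes that reach the victim for one spoofed request at a given amplification factor."""
    return request_bytes * factor


if __name__ == "__main__":
    report = unsolicited_reflector_traffic(SAMPLE_FLOWS, "10.0.0.5")
    for svc, (packets, byte_count, sources) in report.items():
        print(f"{svc}: {packets} unsolicited packets, {byte_count} bytes from {sources} source(s)")
    print("implied amplification:", implied_amplification(report))
    print("64-byte request at 28x..54x:", amplified_bytes(64, 28), "..", amplified_bytes(64, 54))
```

The solicited/unsolicited split is what makes this usable as an alert: a host that runs its own resolver queries will legitimately receive port 53 traffic, so matching each inbound response against an outbound request keeps normal DNS out of the count, and a large byte total from several reflector addresses the host never contacted is the signal worth paging on.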

In the AWS cloud, an EC2 instance, a database and other resources can also face DoS and DDoS attacks. Several steps can be taken to mitigate this:

AWS provides a flexible infrastructure that can mitigate even a strong DDoS attack. AWS Shield Standard provides some automatic protections at no additional charge; it protects against the most common network- and transport-layer DDoS attacks. Amazon Route 53, Amazon CloudFront, Elastic Load Balancing and AWS WAF (Web Application Firewall) can also be used to control and absorb traffic and deflect unwanted requests. With AWS WAF you define rules that control the traffic reaching your web application. To learn more, see http://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
AWS WAF Security Automations gives fine-grained control over the requests attempting to reach your web application. The deployment guide is at https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/welcome.html
One can also subscribe to AWS Shield Advanced for the following benefits:
Contact with the AWS DDoS Response Team for assistance.
DDoS attack visibility.
Access to the Global Threat Environment dashboard.
Access to AWS WAF.
Automatic baselining of web traffic attributes.
You can learn more about AWS Shield at https://aws.amazon.com/shield/
Apart from AWS tools, you can also use many other methods. One of them is an Apache module named 'mod_evasive', which takes evasive action against HTTP DDoS attacks and reports abuse via email and syslog. It can easily be configured to talk to ipchains, firewalls and routers.
Another way is to put Cloudflare in front of the site. It has a distributed, redundant network that absorbs the flood of DDoS traffic. You can also enable "I'm under attack" mode, which adds further protections to stop the attacking traffic, and you can whitelist specific IP addresses to add another layer of defense to your website.
Best practices for DDoS mitigation are:
Be ready to scale your infrastructure.
Minimize the attack surface and safeguard exposed resources.
Know what is normal; alert on what is not.
Create a resilient architecture.
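The rule that AWS WAF rate-based rules and mod_evasive both express, and that the "know what is normal; alert on what is not" practice depends on, is a per-client request count over a trailing window. The following added example (not code from the post, from AWS WAF or from mod_evasive) runs that rule over constructed access-log lines, adds a second check for the cache-busting pattern mentioned earlier (one path requested with ever-changing query strings), and shows the same per-IP limit written as the rule statement the current AWS WAF (wafv2) API accepts. The log lines, thresholds, regex and rule name are this example's own; the tiny limit of 5 exists only so the sample trips it.

```python
"""Per-client request-rate and cache-busting detection over web access logs.

Added example for this post; not code from the post, from AWS WAF or from
mod_evasive. It applies the rule those tools express: count requests per
client IP over a trailing window and block or alert when a limit is reached.
The log lines, thresholds and regex are this example's own constructions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format; the regex is this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WINDOW = timedelta(minutes=5)  # AWS WAF rate-based rules count requests over a 5-minute window
RATE_LIMIT = 5                 # constructed, deliberately tiny so the sample trips it
QUERY_VARIANT_LIMIT = 3        # distinct query strings for one path from one IP before it looks like cache busting

# Constructed sample: a normal visitor, one client hammering /index.html, and one
# client requesting the same page with ever-changing query strings (CDN cache bypass).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:56:0{i} +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.88"'
    for i in range(6)
] + [
    f'203.0.113.9 - - [10/Oct/2023:13:5{2 * i}:00 +0000] "GET /index.html?cb={i} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for i in range(4)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def rate_limit_offenders(records, limit=RATE_LIMIT, window=WINDOW):
    """IPs whose request count inside any trailing `window` reaches `limit`.

    Returns {ip: timestamp of the request that crossed the limit}.
    """
    recent = defaultdict(deque)
    offenders = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= limit and r["ip"] not in offenders:
            offenders[r["ip"]] = r["ts"]
    return offenders


def cache_busting_offenders(records, limit=QUERY_VARIANT_LIMIT):
    """IPs that request one path with at least `limit` distinct query strings."""
    variants = defaultdict(set)
    for r in records:
        path, _, query = r["path"].partition("?")
        if query:
            variants[(r["ip"], path)].add(query)
    return sorted({ip for (ip, _), queries in variants.items() if len(queries) >= limit})


def waf_rate_based_rule(name, limit):
    """The same per-IP limit as an AWS WAF (wafv2) rule statement.

    This is the dict shape boto3's wafv2.create_web_acl(Rules=[...]) accepts;
    nothing is sent to AWS here.
    """
    return {
        "Name": name,
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def analyze(lines):
    """Run both detectors over raw log lines."""
    records = [r for r in map(parse_line, lines) if r]
    return {
        "rate_limited": sorted(rate_limit_offenders(records)),
        "cache_busting": cache_busting_offenders(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print(waf_rate_based_rule("PerIpRateLimit", 2000))
```

Two design points carry over to production: the rate limit has to be set from a baseline of real traffic (the "know what is normal" practice), since a limit below normal burst behaviour blocks legitimate users, and the cache-busting check matters precisely because those requests can stay under any per-IP rate limit while still defeating the CDN cache on every hit.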

