
AWS Updates on Best Practices For DDoS Resiliency

AWS released an updated version of its AWS Best Practices for DDoS Resiliency Whitepaper, a guide for developers building new apps or looking to optimize their current architecture for DDoS resiliency. In addition, the whitepaper goes into detail to advise on how to develop best security practices and actionable steps against DDoS attacks in the AWS cloud platform.

The updated version adds a “Summary of Best Practices” checklist, builds upon the descriptions of various attack types such as volumetric attacks and application layer attacks, and explains which best practices are most effective at managing them. They also filled in more about which of their AWS products can work as DDoS mitigation methods and how they can be used to protect applications.

Overview

The whitepaper describes the two most common DDoS attacks: User Datagram Protocol (UDP) reflection attacks and synchronize (SYN) floods, both infrastructure layer attacks. Both methods generate large volumes of traffic that overwhelm network capacity (e.g. server, firewall, IPS, load balancer). However, these attacks can be addressed quickly because they carry clear signatures that make them easier to detect. To effectively combat UDP and SYN floods, network resources must be able to absorb the entire attack, which means having capacity that exceeds the volume the attacker generates.

SYN floods in particular exhaust the available resources of any given system by leaving connections in a perpetually half-open state. Typically, when an end user connects to something like a web server, the client sends a SYN packet. The server returns SYN-ACK, and the client completes the handshake by returning ACK. In a SYN flood, however, the final ACK never arrives, so the server is left waiting for a response while holding the half-open connection. Enough of these can prevent new users from connecting to the server.
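To make the half-open state concrete, here is an added example (not code from the whitepaper or from Bizety) that replays a constructed TCP flag trace against a hypothetical server at 203.0.113.10:80, tracks each handshake, and reports how many connections never reached the final ACK:

```python
from collections import Counter

# Constructed sample trace (not real capture data): tuples of
# (src_ip, src_port, dst_ip, dst_port, tcp_flags) in arrival order.
SERVER = ("203.0.113.10", 80)
SAMPLE_TRACE = [
    # A legitimate client completes the three-way handshake.
    ("10.0.0.5", 40000, *SERVER, "SYN"),
    (*SERVER, "10.0.0.5", 40000, "SYN-ACK"),
    ("10.0.0.5", 40000, *SERVER, "ACK"),
    # A client receives the server's SYN-ACK but never answers it.
    ("192.0.2.1", 5000, *SERVER, "SYN"),
    (*SERVER, "192.0.2.1", 5000, "SYN-ACK"),
]
# A burst of SYNs from one source on distinct ports, none ever completed.
for port in range(1000, 1005):
    SAMPLE_TRACE.append(("198.51.100.7", port, *SERVER, "SYN"))
    SAMPLE_TRACE.append((*SERVER, "198.51.100.7", port, "SYN-ACK"))

def replay_handshakes(trace):
    """Replay the trace; return {(client_ip, client_port, srv_ip, srv_port): state}."""
    state = {}
    for src_ip, src_port, dst_ip, dst_port, flags in trace:
        if flags == "SYN":
            # The server allocates a SYN_RECV entry: the connection is half-open.
            state[(src_ip, src_port, dst_ip, dst_port)] = "half-open"
        elif flags == "SYN-ACK":
            # The server's reply flows server->client, so the key is reversed.
            key = (dst_ip, dst_port, src_ip, src_port)
            if state.get(key) == "half-open":
                state[key] = "syn-acked"
        elif flags == "ACK":
            key = (src_ip, src_port, dst_ip, dst_port)
            if state.get(key) == "syn-acked":
                state[key] = "established"
    return state

def half_open_summary(trace):
    """Return (total incomplete handshakes, Counter of incomplete ones per client IP)."""
    per_source = Counter()
    for (client_ip, _, _, _), st in replay_handshakes(trace).items():
        if st != "established":
            per_source[client_ip] += 1
    return sum(per_source.values()), per_source

def syn_flood_suspected(trace, backlog_limit=4):
    """True when incomplete handshakes exceed what the listen backlog can hold.
    The total, not the per-source count, is the signal: a flood with spoofed
    source addresses spreads its SYNs over many IPs that each look harmless."""
    total, _ = half_open_summary(trace)
    return total > backlog_limit
```

The `backlog_limit` is a constructed illustrative threshold; on a real host it corresponds to the listener's SYN backlog, which is what a flood fills.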

While not as common, layer 7 (L7) or application layer attacks also occur. In these instances, an attacker tries to over-exercise certain functions of an application to render it unavailable. In HTTP floods, WordPress XML-RPC floods, and cache-busting attacks, the attacker may send very low request volumes, or hide within HTTP requests that emulate a real user's web application behavior, making the attack more difficult to detect. Application layer attacks can also target domain name system (DNS) services, where an attacker uses many well-formed DNS queries to exhaust the resources of a DNS server and cause downtime.

By scaling out, the application forces the attacker to spend more time and resources, which makes it resilient against DDoS. Services available within AWS help build DDoS resiliency and scale to handle unforeseen spikes in traffic volume:

Other AWS edge services let users leverage a global edge network for greater fault tolerance against infrastructure and application layer attacks, and for the scale needed to absorb larger volumes of traffic:

Takeaway

AWS has hundreds of GB of transit bandwidth available, so it can absorb larger attacks, and a backbone network that lets it spread an attack over a larger surface area, which increases the bandwidth available to absorb it. They have also improved their DDoS services in the past year, but they have yet to stack up competitively against the likes of CloudFlare and other DDoS protection services.

The current business model for Amazon AWS DDoS mitigation rests on its vast bandwidth combined with the user's ability to pay for the traffic during an attack. DDoS attacks are volumetric in nature, and an attack could go on for days. While larger businesses can certainly scale up to 1,000 instances to absorb a flood, the hosting costs multiply quickly, which is not feasible for the majority of AWS users. AWS's $26/month plan for WAF is certainly a step in the right direction for DDoS protection, while CloudFlare charges $20/month for a Pro Plan and $5/month for WAF + Basic DDoS Mitigation, or $200/month/website for a Business plan with WAF + Advanced DDoS Mitigation; both plans include unlimited bandwidth and a rich set of advanced DDoS features.

The updated whitepaper provides some solid AWS-specific guidance on how to buy more time during an attack, describing how AWS services, tools and processes can be prepared in anticipation of DDoS attacks. This is certainly an improvement since the introduction of their WAF firewall back in October 2015. For now, most users should look into cost-effective alternatives such as CloudFlare that offer better DDoS mitigation features in tandem with AWS.

Copyright secured by Digiprove © 2016