
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AWS re:Invent 2014


DESCRIPTION

In this session, we'll give an overview of Distributed Denial of Service (DDoS) and discuss techniques using AWS and security solutions from AWS Marketplace to help build services that are resilient in the face of DDoS attacks. We'll discuss anti-DDoS features available in AWS, such as Route 53's Anycast Routing, Auto Scaling for EC2, and CloudWatch's alarms, and how these features can be used jointly to help protect your services. Also, you'll hear from CrownPeak, an AWS Technology Partner, on how it used techniques discussed in the presentation to help mitigate an actual DDoS attack.


Page 1: (SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AWS re:Invent 2014
Page 4:

• Infrastructure attacks (Layer 3 / 4)
  – Average attack size is 900Mbps (50% under 500Mbps)
  – 78% of attacks are infrastructure (simple to launch)

• Application attacks (Layer 7)
  – 22% of all attacks target port 80 & 443 (more complex)

• Multi-vector – different attack types simultaneously

• Amplification (NTP, SSDP, DNS, Chargen, SNMP)

• Hit and run DDoS (91% < 1hour) and smokescreens (16-18%)
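The vectors on this slide leave different fingerprints in network telemetry: amplification shows up as unsolicited UDP arriving from the reflector's service port (123, 1900, 53, 19, 161) in large packets, while Layer 7 attacks are ordinary-looking TCP flows to 80/443 concentrated on few sources. The triage below is an added example, not material from the session. It reads VPC Flow Log records (a feature that did not exist yet at the time of this talk; the 14-field version 2 layout is assumed), aggregates reflector traffic per service into Mbps, and lists sources opening many web connections. Every record in SAMPLE, the interface id and the thresholds are constructed for the example.

```python
"""Triage VPC Flow Log records for the attack vectors listed on the slide.

Added example, not from the session. Records use the 14-field VPC Flow Log
(version 2) layout; the thresholds and every record in SAMPLE are constructed.
"""
from collections import defaultdict

# Reflection/amplification services named on the slide, keyed by the UDP port the
# reflector answers from. Unsolicited traffic *from* these ports is the signature.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 19: "Chargen", 161: "SNMP"}
UDP, TCP = 17, 6
WEB_PORTS = {80, 443}          # the Layer 7 targets called out on the slide


def parse_flow_record(line):
    """Parse one flow-log line; None for malformed, NODATA or SKIPDATA records."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {
        "src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
        "proto": int(f[7]), "packets": int(f[8]), "bytes": int(f[9]),
        "start": int(f[10]), "end": int(f[11]), "action": f[12],
    }


def triage(lines, mbps_threshold=100.0, flows_per_source=5):
    """Return {"amplification": {service: stats}, "layer7": {src_ip: flow_count}}."""
    amp = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set(),
                               "start": None, "end": None})
    web_flows = defaultdict(int)
    for line in lines:
        r = parse_flow_record(line)
        if r is None:
            continue
        if r["proto"] == UDP and r["sport"] in REFLECTOR_PORTS:
            # REJECTed records count too: the security group drops at the
            # instance, after the packets have already consumed link capacity.
            s = amp[REFLECTOR_PORTS[r["sport"]]]
            s["bytes"] += r["bytes"]
            s["packets"] += r["packets"]
            s["reflectors"].add(r["src"])
            s["start"] = r["start"] if s["start"] is None else min(s["start"], r["start"])
            s["end"] = r["end"] if s["end"] is None else max(s["end"], r["end"])
        elif r["proto"] == TCP and r["dport"] in WEB_PORTS and r["action"] == "ACCEPT":
            web_flows[r["src"]] += 1

    report = {"amplification": {}, "layer7": {}}
    for service, s in amp.items():
        seconds = max(s["end"] - s["start"], 1)
        mbps = s["bytes"] * 8 / seconds / 1e6
        report["amplification"][service] = {
            "mbps": round(mbps, 2),
            "avg_packet_bytes": round(s["bytes"] / max(s["packets"], 1), 1),
            "reflectors": len(s["reflectors"]),
            "flagged": mbps >= mbps_threshold,
        }
    for src, n in web_flows.items():
        if n >= flows_per_source:
            report["layer7"][src] = n
    return report


# Constructed records (60-second window). Three NTP reflectors sending 440-byte
# responses, one SSDP reflector, one source opening five HTTPS flows, a single
# benign HTTPS client, a rejected ssh probe and a NODATA record.
SAMPLE = """\
2 123456789010 eni-1a2b3c4d 198.51.100.10 10.0.1.20 123 41235 17 2500000 1100000000 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 198.51.100.11 10.0.1.20 123 41236 17 2500000 1100000000 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 198.51.100.12 10.0.1.20 123 41237 17 2500000 1100000000 1418530010 1418530070 REJECT OK
2 123456789010 eni-1a2b3c4d 192.0.2.44 10.0.1.20 1900 51000 17 100000 30000000 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.7 10.0.1.20 50001 443 6 12 900 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.7 10.0.1.20 50002 443 6 12 900 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.7 10.0.1.20 50003 443 6 12 900 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.7 10.0.1.20 50004 443 6 12 900 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.7 10.0.1.20 50005 443 6 12 900 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.8 10.0.1.20 50010 443 6 20 4500 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1a2b3c4d 203.0.113.9 10.0.1.20 50011 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-1a2b3c4d - - - - - - - 1418530010 1418530070 - NODATA
"""


def run_example():
    return triage(SAMPLE.splitlines())


if __name__ == "__main__":
    print(run_example())
```

On the constructed input the three NTP reflectors together deliver 440 Mbps in 440-byte packets, which is the profile of a reflected flood rather than of any client, while the SSDP reflector stays under the threshold and only 203.0.113.7 crosses the per-source web-flow limit. Flow logs are sampled per capture window and never carry payload, so the Layer 7 figure is a lead to confirm in the load balancer's access logs, not a verdict.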

Page 6: [Illustration: an HTTP GET flood, drawn as "GET GET GET GET GET GET", beside a single request sent one byte at a time, "G - E - T".]
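The two shapes on this slide are the two ways a Layer 7 attack spends a server's resources: many complete requests per second, or a few requests whose headers arrive so slowly that the connection is held open for minutes. Both are visible at the load balancer. The detector below is an added example, not from the session; it reads lines in the classic ELB access log layout (timestamp, load balancer name, client:port, backend:port, request processing time, backend processing time, response processing time, ELB status, backend status, received bytes, sent bytes, quoted request), counts requests per client per window for the flood, and uses the request processing time, which is the seconds from the ELB receiving a request until it forwarded it to a backend, for the dribbled request. The load balancer name, addresses, window size, thresholds and every line in SAMPLE are constructed.

```python
"""Tell an HTTP GET flood from a request dribbled one byte at a time, using
constructed classic ELB access log lines.

Added example, not from the session. Window size and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elb>\S+) (?P<client>\S+):\d+ (?P<backend>\S+) '
    r'(?P<rpt>\S+) (?P<bpt>\S+) (?P<rspt>\S+) (?P<elb_status>\S+) (?P<be_status>\S+) '
    r'(?P<rx>\d+) (?P<tx>\d+) "(?P<request>[^"]*)"'
)


def parse_access_log(line):
    """Parse one classic ELB access log line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    d["epoch"] = ts.timestamp()
    # Request processing time: seconds from the ELB receiving the request until it
    # sent it to a backend. -1 when the ELB could not dispatch the request at all.
    d["rpt"] = float(d["rpt"])
    return d


def detect(lines, window_s=10, flood_threshold=5, slow_seconds=5.0):
    """Return {"flood": {client: most requests in one window},
               "slow":  {client: requests whose headers took >= slow_seconds}}."""
    per_window = defaultdict(Counter)
    slow = Counter()
    for line in lines:
        r = parse_access_log(line)
        if r is None:
            continue
        per_window[int(r["epoch"] // window_s)][r["client"]] += 1
        if r["rpt"] >= slow_seconds:
            slow[r["client"]] += 1
    flood = {}
    for counts in per_window.values():
        for client, n in counts.items():
            if n >= flood_threshold:
                flood[client] = max(flood.get(client, 0), n)
    return {"flood": flood, "slow": dict(slow)}


# Constructed lines: six GETs from one client inside three seconds, one normal
# client, three requests whose headers took about half a minute to arrive, and
# one request the ELB could not dispatch (processing times of -1).
SAMPLE = """\
2014-11-12T20:30:41.104321Z prod-elb 192.0.2.66:51001 10.0.1.20:8080 0.000050 0.001200 0.000030 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:30:41.604321Z prod-elb 192.0.2.66:51002 10.0.1.20:8080 0.000048 0.001150 0.000031 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:30:42.104321Z prod-elb 192.0.2.66:51003 10.0.1.20:8080 0.000051 0.001180 0.000030 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:30:42.604321Z prod-elb 192.0.2.66:51004 10.0.1.20:8080 0.000049 0.001210 0.000029 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:30:43.104321Z prod-elb 192.0.2.66:51005 10.0.1.20:8080 0.000052 0.001190 0.000030 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:30:43.604321Z prod-elb 192.0.2.66:51006 10.0.1.20:8080 0.000050 0.001170 0.000031 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:30:43.900000Z prod-elb 198.51.100.23:40210 10.0.1.20:8080 0.000061 0.004800 0.000040 200 200 0 5120 "GET http://www.example.com:80/index.html HTTP/1.1"
2014-11-12T20:31:05.000000Z prod-elb 203.0.113.9:60001 10.0.1.20:8080 31.200000 0.001000 0.000030 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:31:06.000000Z prod-elb 203.0.113.9:60002 10.0.1.20:8080 28.500000 0.001000 0.000030 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:31:07.000000Z prod-elb 203.0.113.9:60003 10.0.1.20:8080 45.000000 0.001000 0.000030 200 200 0 1024 "GET http://www.example.com:80/ HTTP/1.1"
2014-11-12T20:31:08.000000Z prod-elb 198.51.100.23:40211 - -1 -1 -1 504 - 0 0 "- - - "
"""


def run_example():
    return detect(SAMPLE.splitlines())


if __name__ == "__main__":
    print(run_example())
```

The flood client is caught by count alone; the slow client never exceeds the rate threshold and would be invisible to a pure rate limiter, which is why the request processing time is the field to watch for this shape of attack. Per-client counts are only a first cut: a distributed flood spreads the same request volume over many addresses, so the next step is the same aggregation keyed by URL or User-Agent rather than by client.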

Page 10: [Diagram: reference architecture. From the internet, users reach an ELB (TCP: 80/443) in the DMZ public subnet, which also holds an ssh bastion (TCP: 22, used by admin) and a NAT (TCP: Outbound). Behind it an Amazon EC2 web app server sits in the frontend private subnet (TCP: 8080) and a MySQL db in the backend private subnet (TCP: 1433; 3306). Each of the five components has its own security group.]
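What makes this layout DDoS-relevant is that only the ELB (and, for one address range, the bastion) accepts connections from the internet at all; the 8080 and 3306/1433 rules name the upstream tier's security group as their source rather than an address range. The model below is an added example, not code from the session, that encodes the diagram's rules and asks two questions a reviewer of this design wants answered: which (tier, port) pairs an arbitrary internet host can open, and whether each intended hop is admitted. The group names, private addresses and the admin CIDR are assumptions; the ports are the ones drawn on the slide.

```python
"""Reachability check for the tiered security groups in the reference architecture.

Added example, not from the session. Group names, addresses and ADMIN_CIDR are
assumptions; the ports are those drawn in the diagram (ELB TCP 80/443, web tier
TCP 8080, database tier TCP 1433/3306, ssh TCP 22 through the bastion).
"""
import ipaddress

ANY = "0.0.0.0/0"
ADMIN_CIDR = "198.51.100.0/24"      # assumed: the admins' egress range

# Ingress rules per group: (protocol, port, source). A source is either a CIDR or
# the name of another security group. Group references, not addresses, are what
# keep the private tiers unreachable from the internet.
SECURITY_GROUPS = {
    "sg-elb":     [("tcp", 80, ANY), ("tcp", 443, ANY)],
    "sg-bastion": [("tcp", 22, ADMIN_CIDR)],
    "sg-web":     [("tcp", 8080, "sg-elb"), ("tcp", 22, "sg-bastion")],
    "sg-db":      [("tcp", 1433, "sg-web"), ("tcp", 3306, "sg-web"), ("tcp", 22, "sg-bastion")],
}

# Which group each tier's instances belong to (addresses assumed).
INSTANCES = {
    "elb":     {"ip": "10.0.0.10", "groups": {"sg-elb"}},
    "bastion": {"ip": "10.0.0.11", "groups": {"sg-bastion"}},
    "web":     {"ip": "10.0.1.20", "groups": {"sg-web"}},
    "db":      {"ip": "10.0.2.30", "groups": {"sg-db"}},
}


def _source_matches(source, src_ip, src_groups):
    if source in SECURITY_GROUPS:                 # group reference
        return source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def allowed(src_ip, src_groups, dst, proto, port):
    """True if some ingress rule on dst's groups admits this flow. Security groups
    are stateful, so the reply direction needs no rule of its own."""
    for group in INSTANCES[dst]["groups"]:
        for r_proto, r_port, source in SECURITY_GROUPS[group]:
            if r_proto == proto and r_port == port and _source_matches(source, src_ip, src_groups):
                return True
    return False


def from_tier(tier):
    """(ip, groups) of an instance in the named tier, for use as a flow source."""
    return INSTANCES[tier]["ip"], INSTANCES[tier]["groups"]


def internet_exposure(probe_ip="203.0.113.5"):
    """Every (tier, port) an arbitrary internet host can open: the surface a
    volumetric or connection-flood attack can hit directly."""
    exposed = set()
    for tier, inst in INSTANCES.items():
        for group in inst["groups"]:
            for r_proto, r_port, _ in SECURITY_GROUPS[group]:
                if allowed(probe_ip, set(), tier, r_proto, r_port):
                    exposed.add((tier, r_port))
    return exposed


if __name__ == "__main__":
    print("internet can reach:", sorted(internet_exposure()))
    print("elb -> web:8080", allowed(*from_tier("elb"), "web", "tcp", 8080))
    print("web -> db:3306 ", allowed(*from_tier("web"), "db", "tcp", 3306))
    print("elb -> db:3306 ", allowed(*from_tier("elb"), "db", "tcp", 3306))
```

Two caveats for anyone turning this into a real control. It models security group ingress only; network ACLs and the absence of an internet gateway route from the private subnets are separate layers and should be checked separately, so that a mistake in one does not become exposure. And a CIDR rule such as the bastion's matches on source address, which an attacker can spoof for stateless traffic but cannot use to complete a TCP handshake, so the bastion rule narrows who can log in, not who can send packets at it.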

Page 11: [Diagram: users, and the DDoS traffic mixed in with them, resolve the site through Amazon Route 53 and arrive at a CloudFront Edge Location; from there traffic goes to the ELB (security group, DMZ public subnet) and on to the web app server (security group, Frontend server private subnet).]

Page 15: [Diagram: repeats the Page 11 diagram (Route 53, CloudFront Edge Location, ELB in the DMZ public subnet, web app server in the Frontend server private subnet, DDoS traffic arriving with users).]

Page 16: [Diagram: users in Country A, Country B and Country C reach CloudFront over Internet Connection A, B and C by Route A, B and C. At the edge a Valid Object Request is passed on, while Invalid Protocol traffic and an Invalid Object Request are stopped.]

Page 20: [Diagram: a WAF tier between load balancers. Web Traffic enters through an ELB, passes through an Auto Scaling group of WAF Worker instances and a second ELB, and reaches the Auto Scaling Web Application tier; Unauthorized Web Traffic is stopped at the WAF tier. Also drawn: a 1:1 Auto Scaling WAF Master, an Admin path with a third ELB, Management / Monitoring, a Custom Profile Configuration, Amazon S3, and a Security Group per tier.]

Page 23: [Diagram: users and DDoS traffic arrive at a CloudFront Edge Location, then the ELB (security group, DMZ public subnet), then the web app server (security group, Frontend server private subnet).]

Page 24: [Diagram: repeats the Page 23 diagram (CloudFront Edge Location, ELB in the DMZ public subnet, web app server in the frontend server private subnet, DDoS traffic arriving with users).]

Page 25: [Diagram: the Page 23 path with a WAF tier inserted. Users and DDoS traffic arrive at a CloudFront Edge Location, then the ELB (security group, DMZ public subnet), then an Auto Scaling group of WAF instances (security group, WAF / Proxy private subnet), then a second ELB, then Auto Scaling frontend servers (security group, frontend servers private subnet) in front of the web app server.]

Page 36 to Page 38: CrownPeak incident timeline (build slides merged; entries in chronological order)

10:34 am PDT – First indications of impaired response from monitors. Traffic ramps dramatically.

12:30 pm PDT – Attack initially targets IP addresses of A record. Switch to Route53 CNAME as cutout eliminates traffic.

6:24 pm PDT – Attack resumes (targeting CNAME this time). Traffic ramps dramatically.

9:30 pm PDT – Traffic analysis suggests opportunity to mitigate attack by revising configuration. We also decide to disable auto-scaling to preserve data for FBI forensic analysis.

1:00 am PDT – Revised configuration in place. The arms race begins …

7:17 pm PDT – Peak capacity deployed: 17 c3.8xlarge HA proxies; 34 m3.large web servers. Bad guys run out of gas … traffic plateaus. 1-3 second response times.

2:15 am PDT – Bad guys give up. Attack stops … Hah!

Page 39: [Chart: a per-instance metric across the incident, annotated "First attack: IP specific", "Second attack: arms race" and "Sigh of relief …".]

Page 40: Customer CIO

“Team - I have been sitting here in my hotel room thinking about what this team has been able to accomplish over the past 2 days and it has been amazing. Not really my style to think we are out of the woods yet...but the level of effort and coordination has been world class. To the CrownPeak/AWS team... Thank you for all of your efforts to assist our organization. You should know that it has been greatly appreciated at all levels.”

Page 41: (SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AWS re:Invent 2014

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals