DNS DDoS mitigation using Amazon Route 53 and AWS Shield
Transcript
![Page 1: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sergey Royt, Jeffrey Lyon
Amazon Route 53 and AWS Shield: DDoS Protection and Risk Mitigation
![Page 2: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/2.jpg)
DDoS 101
![Page 3: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/3.jpg)
What is DDoS?
Distributed Denial of Service
![Page 4: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/4.jpg)
DDoS attacks target DNS in two layers
![Page 5: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/5.jpg)
Types of DDoS attacks
![Page 6: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/6.jpg)
Types of DNS DDoS attacks
Volumetric DDoS attacks
Congest DNS networks by flooding them with more traffic than they are able to handle
(e.g., UDP reflection attacks)
![Page 7: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/7.jpg)
DDoS attack trends - volumetric
Volumetric attacks using amplification and reflection techniques are very common
[Chart: 47% volumetric, 53% application layer]
![Page 8: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/8.jpg)
Amplification/Reflection attacks
![Page 9: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/9.jpg)
Types of DNS DDoS attacks
Application-layer DDoS attacks target DNS by using well-formed but malicious queries to circumvent mitigation and consume application resources. These are known as query floods.
![Page 10: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/10.jpg)
DDoS attack trends – query floods
DNS query floods are real DNS requests
These can continue for hours and exhaust the available memory/CPU resources of the DNS server
[Chart: 47% volumetric, 53% application layer]
![Page 11: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/11.jpg)
DNS query floods
Few Good Actors
Thousands of Bad Bots
Recursive DNS servers
Authoritative DNS Service
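The flood pattern on this slide (thousands of bots pushing well-formed queries through recursive resolvers toward an authoritative service) leaves a signature in query logs that a defender can look for: a source whose peak rate is far above a normal resolver's and whose query names never repeat, because each one is invented to bust the cache. The following is an added example, not code from the deck or from AWS. It parses constructed log lines in a simplified format ("<unix_ts> <source_ip> <qname> <qtype>", an assumption, not any real Route 53 or resolver log format), computes each source's peak queries per second and the Shannon entropy of the leftmost label, and flags sources that exceed both a rate and an entropy threshold. The thresholds and all sample values are constructed.

```python
"""Detect DNS query floods in query-log samples.

Added example (not from the deck or AWS). The log format is a constructed,
simplified one: "<unix_ts> <source_ip> <qname> <qtype>" per line. It is not
the format of any real Route 53 or resolver log.
"""
from collections import defaultdict
from math import log2

# Constructed sample: two legitimate resolvers repeating real hostnames, and
# one source sending a burst of well-formed queries for random labels (the
# cache-busting pattern of a query flood, which defeats resolver caching).
SAMPLE_LOG = """\
1477000000.000 203.0.113.10 www.example.com A
1477000000.200 203.0.113.10 api.example.com A
1477000000.400 198.51.100.7 www.example.com AAAA
1477000000.010 192.0.2.50 a7f3k.example.com A
1477000000.020 192.0.2.50 zq91x.example.com A
1477000000.030 192.0.2.50 mm0pd.example.com A
1477000000.040 192.0.2.50 q4lsw.example.com A
1477000000.050 192.0.2.50 b8c1e.example.com A
1477000000.060 192.0.2.50 x2y7h.example.com A
1477000000.070 192.0.2.50 t5nr0.example.com A
1477000000.080 192.0.2.50 kf3ja.example.com A
"""


def parse_log(text):
    """Yield (timestamp, source, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, qtype = parts
        yield float(ts), src, qname.lower().rstrip("."), qtype


def label_entropy(qnames):
    """Shannon entropy (bits) of the leftmost label over a source's queries.

    A legitimate resolver repeats a handful of hostnames (entropy near 0);
    a flood that invents a fresh label per query approaches log2(n).
    """
    counts = defaultdict(int)
    for q in qnames:
        counts[q.split(".")[0]] += 1
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def peak_rate(times, window):
    """Highest number of events in any sliding window, divided by the window."""
    times = sorted(times)
    peak, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak / window


def find_flood_sources(text, window=1.0, rate_threshold=5.0, entropy_threshold=2.0):
    """Return {source: (peak_qps, label_entropy)} for sources that exceed
    both thresholds. Requiring both keeps a busy but honest resolver (high
    rate, low entropy) from being flagged. Thresholds are constructed."""
    by_src = defaultdict(list)
    for ts, src, qname, _ in parse_log(text):
        by_src[src].append((ts, qname))
    flagged = {}
    for src, events in by_src.items():
        qps = peak_rate([t for t, _ in events], window)
        ent = label_entropy(q for _, q in events)
        if qps > rate_threshold and ent > entropy_threshold:
            flagged[src] = (qps, round(ent, 3))
    return flagged


if __name__ == "__main__":
    for src, (qps, ent) in find_flood_sources(SAMPLE_LOG).items():
        print(f"{src}: peak {qps:.0f} qps, label entropy {ent:.2f} bits")
```

Requiring both conditions matters: a large ISP resolver legitimately sends a high rate of queries, but for a small, repeating set of names, so rate alone would produce false positives against exactly the "few good actors" the slide wants to keep serving.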
![Page 12: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/12.jpg)
Traditional challenges in mitigating DNS DDoS attacks
![Page 13: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/13.jpg)
Traditional challenges in mitigating DNS DDoS attacks
Difficult to enable
• Zone isolation
• Over-provisioned bandwidth capacity
• Redundancy and scale
![Page 14: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/14.jpg)
Traditional challenges in mitigating DNS DDoS attacks
Traditional Datacenter
Manual involvement
Operator involvement to initiate mitigation
Re-route traffic to scrubbing location
Increased time to mitigate
![Page 15: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/15.jpg)
Traditional challenges in mitigating DNS DDoS attacks
Traditional Datacenter
Traffic re-routing = Increased latency for users
![Page 16: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/16.jpg)
Traditional challenges in mitigating DNS DDoS attacks
Expensive to use
• DDoS mitigation service cost
• Cost of maintaining scrubbing devices
• Paying for bandwidth
• Personnel cost
![Page 17: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/17.jpg)
Amazon Route 53: Highly resilient and fault tolerant DNS
![Page 18: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/18.jpg)
Built-In redundancy
56 global edge locations
![Page 19: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/19.jpg)
Network capacity
Tens of terabits of transit capacity
![Page 20: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/20.jpg)
Network redundancy
Multiple transit and peering providers
![Page 21: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/21.jpg)
Name server redundancy
4 name servers for each hosted zone
![Page 22: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/22.jpg)
Resiliency and availability: Anycast DNS
Anycast striping
![Page 23: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/23.jpg)
Fault tolerance and zone isolation
Zone Isolation
![Page 24: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/24.jpg)
Amazon Route 53 always runs at scale
Network runs at Scale
Infrastructure runs at scale
100% SLA
![Page 25: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/25.jpg)
Customers keep asking …
Does AWS protect me from DDoS attacks?
What about large DDoS attacks?
How can I get visibility when I get attacked?
Does AWS protect me from application layer attacks?
Scaling for DDoS attacks is expensive.
I want to talk to DDoS experts.
![Page 26: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/26.jpg)
AWS Shield: A managed DDoS protection service
![Page 27: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/27.jpg)
AWS Shield
Standard Protection: available to all customers at no additional cost
Advanced Protection: paid service that provides additional, comprehensive protections from large and sophisticated attacks
![Page 28: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/28.jpg)
AWS Shield Standard
![Page 29: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/29.jpg)
DDoS protections built into AWS
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers
![Page 30: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/30.jpg)
Layer 3/4 infrastructure protection
Automatically filters invalid traffic. Examples of attributes include:
• IP checksum
• TCP valid flags
• Payload length
• DNS, HTTP request validation
Deterministic filtering
![Page 31: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/31.jpg)
Layer 3/4 infrastructure protection: Traffic prioritization based on scoring
Low suspicion attributes
• Normal packet or request header
• Traffic composition and volume is typical given its source
• Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
![Page 32: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/32.jpg)
Layer 3/4 infrastructure protection: Traffic prioritization based on scoring
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
High-suspicion packets dropped
Low-suspicion packets retained
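The two mechanisms on the preceding slides are different in kind: deterministic filtering drops only packets that are provably malformed (bad IP checksum, declared length that does not match the bytes on the wire, impossible TCP flag combinations), so it carries no false-positive risk, while scoring ranks the remaining traffic by how suspicious it looks and discards from the top only when capacity is exceeded, so legitimate viewers survive an attack. The following is an added example, not AWS code and not a description of how Shield is implemented. It builds small constructed IPv4 packets, validates the header checksum per RFC 1071 and the other deterministic attributes, then scores survivors on validity for the destination, source reputation and per-source volume and applies preferential discard under a constructed capacity limit. The weights, thresholds, reputation list, valid-port set and sample packets are all assumptions made for illustration.

```python
"""Layer 3/4 deterministic filtering followed by suspicion scoring.

Added example, not AWS code and not a description of Shield's internals.
The checked attributes (IP checksum, payload length, TCP flag validity,
validity for the destination, source reputation, source volume) are the
ones named on the slides; weights, thresholds, reputation data, the port
set and all sample packets are constructed for illustration.
"""
import socket
import struct
from collections import Counter

FIN, SYN, RST = 0x01, 0x02, 0x04


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of the header's 16-bit words.
    A header whose checksum field is correct yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto, corrupt=False):
    """Minimal 20-byte IPv4 header for constructed test packets. `corrupt`
    flips a TTL bit after the checksum is written, simulating corruption."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    if corrupt:
        hdr = hdr[:8] + bytes([hdr[8] ^ 0x01]) + hdr[9:]
    return hdr


def make_packet(src, dst, proto, dport, payload, flags=0, corrupt=False, lie_len=0):
    """Constructed packet record; `lie_len` inflates the declared IP length."""
    hdr = build_ipv4_header(src, dst, len(payload) + lie_len,
                            6 if proto == "tcp" else 17, corrupt)
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": flags, "ip_header": hdr, "payload": payload}


def valid_tcp_flags(flags):
    """Reject flag combinations no conforming TCP stack emits."""
    if flags & 0x3F == 0:                    # no flags at all
        return False
    if flags & SYN and flags & (FIN | RST):  # SYN together with FIN or RST
        return False
    return True


def deterministic_filter(pkt):
    """Stateless checks that only fail on provably malformed packets,
    so dropping on them carries no false-positive risk."""
    hdr = pkt["ip_header"]
    if ipv4_checksum(hdr) != 0:
        return False
    declared = struct.unpack("!H", hdr[2:4])[0]
    if declared != len(hdr) + len(pkt["payload"]):
        return False
    if pkt["proto"] == "tcp" and not valid_tcp_flags(pkt["flags"]):
        return False
    return True


def suspicion_score(pkt, src_count, baseline_pps, reputation, valid_ports):
    """Higher score = more likely attack traffic. Weights are constructed."""
    score = 0
    if pkt["dport"] not in valid_ports:      # traffic invalid for its destination
        score += 4
    if reputation.get(pkt["src"], 0) < 0:    # poor source reputation
        score += 3
    if src_count > baseline_pps:             # volume atypical for this source
        score += 2
    return score


def prioritize(packets, capacity, baseline_pps, reputation, valid_ports):
    """Drop malformed packets, score the rest, and when the batch exceeds
    capacity discard the highest-scoring packets first. Survivors keep
    their arrival order."""
    survivors = [p for p in packets if deterministic_filter(p)]
    per_src = Counter(p["src"] for p in survivors)
    scored = [(suspicion_score(p, per_src[p["src"]], baseline_pps, reputation, valid_ports), i, p)
              for i, p in enumerate(survivors)]
    if len(scored) > capacity:
        scored.sort(key=lambda t: (t[0], t[1]))  # least suspicious, then oldest
        scored = scored[:capacity]
        scored.sort(key=lambda t: t[1])
    return [p for _, _, p in scored]


# Constructed batch aimed at an authoritative DNS endpoint (192.0.2.53).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE = [
    make_packet("203.0.113.10", "192.0.2.53", "udp", 53, DNS_QUERY),
    make_packet("198.51.100.7", "192.0.2.53", "udp", 53, DNS_QUERY),
    make_packet("192.0.2.99", "192.0.2.53", "udp", 53, DNS_QUERY, corrupt=True),
    make_packet("192.0.2.98", "192.0.2.53", "tcp", 53, b"", flags=SYN | FIN),
    make_packet("192.0.2.97", "192.0.2.53", "udp", 53, DNS_QUERY, lie_len=100),
    make_packet("192.0.2.50", "192.0.2.53", "udp", 123, b"\x00" * 8),
    make_packet("192.0.2.50", "192.0.2.53", "udp", 123, b"\x00" * 8),
    make_packet("192.0.2.50", "192.0.2.53", "udp", 123, b"\x00" * 8),
    make_packet("192.0.2.60", "192.0.2.53", "udp", 53, DNS_QUERY),
]
REPUTATION = {"192.0.2.60": -1}  # constructed: one source on a blocklist


def demo():
    """Capacity 3, with only port 53 valid for a DNS endpoint."""
    return [p["src"] for p in prioritize(SAMPLE, 3, 2, REPUTATION, {53})]
```

With capacity for three packets, the two legitimate resolvers survive untouched, the poorly-reputed source is kept only because there is still room for it, and the three port-123 packets from a single over-volume source are the first to go; with ample capacity all six packets that pass deterministic filtering are delivered, which is the "false positives are avoided" property the slide describes.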
![Page 33: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/33.jpg)
AWS Shield Advanced: Managed DDoS protection
![Page 34: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/34.jpg)
AWS Shield Advanced
Available today on: Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53
![Page 35: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/35.jpg)
AWS Shield Advanced
Always-on monitoring & detection
Advanced L3/4 & L7 DDoS protection
Attack notification and reporting
24x7 access to DDoS Response Team
Cost protection
![Page 41: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/41.jpg)
Always-on monitoring and detection
Signature-based detection
Heuristics-based anomaly detection
Baselining
![Page 43: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/43.jpg)
Advanced Layer 3/4 infrastructure protection
• Distributed scrubbing and bandwidth capacity
• Automated routing policies to absorb large attacks
• Manual traffic engineering
Advanced routing policies
![Page 45: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/45.jpg)
Attack notification and reporting
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics for attack forensics
• Historical attack reports
![Page 66: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/66.jpg)
24x7 access to DDoS response team
• Critical and urgent priority cases are answered quickly and routed directly to DDoS experts
• Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries
![Page 67: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/67.jpg)
24x7 access to DDoS response team
Before attack
Proactive consultation and best practice guidance
During attack
Attack mitigation
After attack
Post-mortem analysis
![Page 69: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/69.jpg)
Cost protection
AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53
![Page 70: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/70.jpg)
Thank you!
![Page 71: DNS DDoS mitigation using Amazon Route 53 and AWS Shield](https://reader034.vdocuments.net/reader034/viewer/2022052606/58a7e6991a28abd7248b52d7/html5/thumbnails/71.jpg)
Questions?
Useful Links –
Forums: AWS Shield - https://forums.aws.amazon.com/forum.jspa?forumID=238
Forums: Amazon Route 53 - https://forums.aws.amazon.com/forum.jspa?forumID=87
Whitepapers: https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf