AWS Fights DDoS Attacks
Amazon Web Services Inc. (AWS), which was responsible for the Mirai malware-generated distributed Denial of Service (DDoS), attacks last October, provided protection guidance, such as the AWS Best practices for DDoS resilience whitepaper published last June.
AWS has announced that it is increasing its anti-DDoS guidance. Spopokesman Jeff Barr made the announcement on Friday. He described a three-pronged approach that leverages the AWS cloud’s fault tolerance protections, automatic scaling capabilities, and attack mitigation mechanisms.
This can help enterprises resist new-age DDoS attacks such as Mirai. It uses the Internet of Things (IoT), which is growing in popularity, as a source of attack vectors. It hijacks seemingly benign connected devices like cameras, printers, and home routers to flood targets with crippling network traffic and crash sites.
Major Web sites were taken down by the Mirai-powered botnet, including Amazon (not AWS), Spotify, and Twitter.
Barr wrote in a blog post that “In the aftermath of this attack as well as others that preceded it,” he said. The short answer is scale, fault tolerance and mitigation. (The AWS Best Practices For DDoS Resiliency whitepaper goes into far more detail and makes use of AWS Shield and Amazon Route 53).
Amazon Route 53 is described by Amazon as “a highly available, scalable cloud Domain Name System Web service (DNS).” It’s designed to provide developers and businesses with a reliable and cost-effective way to route end users to Internet services by translating names such as www.example.com into numeric IP addresses like 192.0.2.1, which computers use to connect to one another.
Barr stated that the service, along with other edge services like Amazon CloudFront or AWS WAF (Web Application Firewall), can create a “global area capable of absorbing large quantities of DNS traffic.” This global expansion can help reduce the impact of DDoS attacks and handle the excessive traffic they generate.
Route 53 is also used in the fault tolerance portion of the three-pronged approach. Techniques such as anycast striping and shuffle sharding increase availability. Barr explained that if one name server is unavailable, the client system will simply retry and get a response from another name server at a different edge. “Anycast striping is used for directing DNS requests to the best location. This can spread load and reduce DNS latency.
Barr stated that AWS Shield Standard, which is provided automatically at no additional cost to services like CloudFront distributions, Elastic Load Balancers, Route 53 resources, and CloudFront distributions, protects companies against 96 percent most common attacks. Barr stated that AWS Shield Advanced, a more comprehensive service, offers additional DDoS mitigation capabilities, 24×7 access and reports to our DDoS Response Team, as well as DDoS cost protection.
AWS offers guidance and services. However, enterprise customers must use the aforementioned products and services to protect their business. Enterprise customers should start with a solid architectural foundation. According to the AWS Best Practices in DDoS Resiliency whitepaper, “AWS infrastructure is DDoS resilient by design and is supported with DDoS mitigation system that can automatically detect excess traffic and filter it out.” It is important to create an architecture that allows you take advantage of these capabilities to protect your application’s availability.
The whitepaper also states that “The type, vector, or volume of DDoS attacks you are able mitigate will depend on how well you can architect your application.” AWS encourages you use these best practices