DDoS resiliency with AWS

Types of DDoS Attacks

ddos1A smart attacker can overwhelm a vulnerable service if they can exploit a resource intensive operation. Eg : A computational expensive search query which cause multiple full table scans on backend DBs will take too many requests to stack up and start denying access to Service!

If Application Layer is well designed then, host exhaustion is another possibility :

ddos2Exhausting rest of the OSI Layers. Example : connection consumption through SYN floods.


DDoS Prevention the AWS way!


AWS Autoscaling and its large number of edge location enable AWS to absorb a DDoS attack, though it may not be cost effective.



AWS has multiple Regions(10) and Edge(46) Locations enable to cordon off bad traffic.
Use of Route53 and CloudFront to take advantage of this diversity.

AWS Route53 (Anycast Striping)

  • Leverage Resolver Behaviour
  • Edge Location Diversity
  • Network Path Diversity


Route53 working

Route53 is using Anycast Stripping , so a client request is stripped across edge locations which is implemented using resolver behaviour. Take the following example for instance :


Above are the 4 listed NameServers for “internetkitties.com”
The resolver will then issue 4 simultaneous requests to these listed nameservers.
Only of the request needs to suceed for the client to recieve the IP address.
Each of the nameservers come from one of the AWS stripes(nameservers).
Each of these Nameservers are hosted from a unique set of Edge Locations.


So each NameServer is intentionally hosted among a bunch of edge locations.
The DNS resolver will take the fastest reply.
The NameServer of Route53 is AnyCasted ie the IP of each NS is announced from more than 1 edge location at the same time.
The effect of AnyCast routing is that – requesters from different source networks will take different network path and land in different edge locations
So when a network path or edge location is blocked, another path is available.

avalDetect DDoS

  • Traffic Spikes, Drops
  • CPU Utilization
  • Network Stats

Once Identified DDoS

  • Check  Access Logs for patterns – using tools like grep awk etc.
  • Eg : grep ‘expensive-param’ ./access.log | awk ‘{print $1}’ | sort | uniq -c | tail
  • Use X-Forwarded For if host are behind Proxy/LB

Src-IP Blacklisting

  • Host-Level Firewall (IPTables)
  • Web-server Configuration (Nginx,Apache,IIS)
  • VPC Network ACLs (saves time rather than setting rules on each host)
  • Web Application Firewall (available on AWS Market place)

DDoS Attack Response

  • Detection
  • Src-IP Blocking
  • Engaging Customer Support

There is no complete or perfect solution to DDoS. The logic is simple: NO software or countermeasures can stand up to attacks from, say, 100 servers at once. All that can be done is to take preventive measures, and respond quickly and effectively when the attack takes place.

To prevent or mitigate future DDoS attacks, follow these steps:

To prevent your network from being used as a slave, follow these steps:

  • Use tools like Rkdet, Rootkit Hunter, or chkrootkit to find if a rootkit has been installed on your system.
  • Keep your systems up to date to minimize software vulnerabilities (kernel and software upgrades)
  • Check for hidden processes by comparing the output of ‘ps’ and ‘lsof’.
  • Check for malicious cron entries
  • Check /dev /tmp /var directories for odd files (i.e., ‘…’, wrong permissions/ownership on device files, etc.)
  • Check for unwanted users and groups (examine /etc/passwd)
  • Check for and disable any unneeded services
  • Install PortSentry to block scanning hosts.
  • Add ‘Mod_dosevasive’ to your Apache installation. This is an Apache module which performs ‘evasive’ action in the event of an HTTP DDoS attack or brute force attack.
  • Install the ‘Mod_security’ module. Since DDoS often targets HTTP (port 80), it’s a good idea to have a filtering system for Apache; ‘Mod_security’ will analyze requests before passing them to the web server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s