"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk

fwdays, Jun 18, 2024 (65 slides)

About This Presentation

In this talk we will discuss DDoS protection tools and best practices, network architectures, and what AWS has to offer. We will also look into one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022. We'll see what techniques helped to keep the web re...


Slide Content

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Agenda
• How we approach DDoS threat research
• Threat landscape in 2024
• Customer case study: Ukraine, 2022

DDoS threat research
Protect Amazon infrastructure and customers, making AWS an unattractive target for cyber threats

Our approach
• Analyze inbound and outbound internet traffic
• Convert research into actionable threat intelligence for our customers
• Disrupt the capability of unauthorized users to repeatedly and easily target us

Leverage AWS's reach and scale to detect threats
• 600+ points of presence (POPs) across 100+ cities in 50 countries
• Exabytes of data analyzed every 60 sec.
• Thousands of DDoS attacks mitigated every day
• 100+ billion AWS-managed rules requests processed per day

DDoS isn't going away
[Chart: AWS Shield DDoS events detected per month, Sep 2022 to Aug 2023; x-axis: Month, y-axis: DDoS events, 0 to 120,000]
• 56% application layer
• 40% YoY growth

From video games to critical public infrastructure

Proxy-based L7 DDoS attacks
[Diagram: proxy driver, proxy, target]

Botnets
[Diagram: command & control, bots]

Tracking DDoS infrastructure

Known offenders

Known offenders
[Diagram: example offender IPs 1.2.3.4, 2.3.4.5, 3.4.5.6, 4.5.6.7 and protected resources AnyAuthority ELB, AnyCompany NLB, AnyOrganization CloudFront Distribution]

Tracking known offenders

Available as a Managed Rule for AWS WAF
AWSManagedIPReputationList, deployable on Amazon CloudFront, Elastic Load Balancing (ELB) and Amazon API Gateway

Internal success stories
Amazon CloudFront, AWS Management Console, Amazon.com

AWS Shield automatic mitigation
AWS Shield detects attack → AWS Shield deploys L7KO → AWS Shield analyzes traffic → AWS Shield deploys attack signature

MadPot

Global-scale threat intelligence using the AWS Cloud
• 10k+ sensors deployed globally
• Observes 100M+ potential threat interactions daily
• 500,000 activities classified as malicious daily

MadPot (Honeypot) network
[Diagram: Internet, MadPot, Amazon GuardDuty, AWS Shield, AWS WAF]

We are making a difference
"AWS stirs the MadPot – busting bot baddies and eastern espionage. Security exec Mark Ryland spills the tea on hush-hush threat intel tool"
https://www.theregister.com/2023/10/02/aws_security_madpot/

Takedown

Proxy-based L7 DDoS Attacks
[Diagram: proxy driver, proxy honeypot (!), target]

Top talking networks by proxy drivers
[Chart, networks in chart order: Linode, Hetzner Online, Digital Ocean, FranTech Solutions, SoftLayer Technologies, Interserver, Psychz Networks, Scaleway, Dedioutlet-network-phx, DediPath, myLoc managed IT AG, Akamai Connected Cloud, Edgevirt, Choopa, LLC, Kamatera Inc, Hetzner Online GmbH, Aggros Operations Ltd., WorldStream B.V., ReliableSite.Net LLC, Windstream Communications, and a long tail of smaller networks]

Botnet C2 Case Study
free.bot.c2

Botnet C2 Case Study
[Chart: DDoS attacks per hour orchestrated by C2, 5/14/23 12:00 to 5/17/23 10:00; y-axis 0 to 40]

Botnet C2 Case Study
[Chart: DDoS attacks by targeted networks orchestrated by C2, x-axis 0 to 350; networks in chart order: China Telecom, xTom, Hangzhou Alibaba Advertising Co.,Ltd., China Unicom, China Mobile, Tencent cloud computing, China Telecom Guangdong, Overland Storage, xTom Hong Kong Limited, VMISS, Plus Provedor De Internet Ltda, OVH SAS, OVH Hosting, Metfone, Amazon.com, Level 3 Communications, Web Lacerda Provedor De Internet Ltda, Akamai Technologies]

Proxy driver takedown

Threat Landscape Per Industry

Threat Landscape: Olympics (Paris Olympics)
The Olympics is a known worldwide target of massive and systemic cyberattacks
• London 2012: 200 million cyberattacks
• Rio 2016: 400 million cyberattacks
• Tokyo 2020: 450 million cyberattacks

Threat Landscape: Olympics (Paris Olympics)
"We expect eight to 12 times the Tokyo numbers of cyber attacks"
• Mr. Franz Regul, CISO of the Paris Olympic organizing committee
"I have no doubt whatsoever that Russia would try to target the Paris Olympics"
• Emmanuel Macron, President of France

Threat Landscape: Retail

Threat Data

Last 12 months statistics
• 212k: total attacks
• 155 M RPS: largest request flood attack
• 842 Gbps: largest bandwidth heavy attack
• 221 M PPS: largest packet attack

Infrastructure and Application (HTTP) layer DDoS events
[Chart: count of events by year (2020, 2021, 2022, 2024 labelled), application vs. infrastructure]

2024 – DDoS events in the numbers
• Infrastructure DDoS events: 360 thousand events detected in 2024, -1.0% YoY decrease
• Application (HTTP) DDoS events: 526 thousand events detected in 2024, 52.1% YoY increase
[Chart: Infrastructure DDoS Events 2024 by quarter: Q1 63,000; Q2 61,000; Q3 136,000; Q4 100,000]
[Chart: Application (HTTP) DDoS Events 2024 by quarter: Q1 100,000; Q2 118,000; Q3 143,000; Q4 164,000]

Largest Request Flood Events, As seen by AWS, by year
[Chart: requests per second by year: 2019 1.5M rps; 2020 2.9M rps; 2021 4.3M rps; 2022 8.4M rps; 2023 155M rps]

Infrastructure Layer DDoS Events in 2024 – Distribution by top vectors
[Chart: share of all events by event vector, in chart order: SYN_FLOOD 30.6%; DNS_REFLECTION 25.0%; SSDP_REFLECTION 15.5%; NTP_REFLECTION 11.0%; MEMCACHED_REFLECTION 7.7%; SNMP_REFLECTION 6.0%; GENERIC_UDP_REFLECTION 2.7%]

Infrastructure Layer DDoS Events in 2022 vs 2024 – top emerging events
[Chart: growth by event vector, in chart order: RIP_REFLECTION 401.3%; HTTP_REFLECTION 349.2%; REQUEST_FLOOD 122.2%; DNS_REFLECTION 105.7%; UDS_REFLECTION 91.0%; GENERIC_UDP_REFLECTION 24.9%; NTP_REFLECTION 8.8%]

Quarterly P99 Request per second, by year
[Chart: P99 requests per second per quarter (Q1 to Q4) for 2019, 2020, 2021, 2022 and 2023; y-axis 0 to 200,000; 19.9% YoY increase]

DDoS from the Front Row

Customer responsibility
• Design resilient architectures:
§ Use AWS services with better protection against DDoS attacks
§ Reduce the attack surface
§ Build scalable applications
• Use application level security controls such as AWS WAF.
• Ensure observability and monitor the traffic to understand the baseline
• Detect anomalies; prepare a run book for incident response which involves platform support
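The "understand the baseline, then detect anomalies" point above is easy to state and easy to get wrong: a mean-based threshold is pulled up by the very flood it is supposed to catch. The following Python is an added example written for this page, not code from the talk or from AWS. It learns a trailing baseline of per-minute request counts with the median and the median absolute deviation (MAD), which are robust to the outliers an attack produces, and flags minutes whose count exceeds the baseline by k robust standard deviations. The request-count series, the 30-minute window and k = 5 are constructed assumptions; on a real workload the series would come from your load-balancer or CloudFront logs aggregated per minute.

```python
from statistics import median

BASELINE_MINUTES = 30   # trailing window the baseline is learned from (assumption)
K = 5.0                 # robust standard deviations above baseline that count as anomalous (assumption)
MAD_SCALE = 1.4826      # rescales MAD to a standard-deviation estimate for normally distributed data


def robust_baseline(window):
    """Median and MAD-based spread of a window of per-minute request counts.
    The spread is floored at 1.0 so a perfectly flat baseline still has a tolerance."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    spread = max(mad * MAD_SCALE, 1.0)
    return med, spread


def detect_anomalies(counts, baseline_minutes=BASELINE_MINUTES, k=K):
    """Return [(minute_index, count, threshold)] for every minute whose request count
    exceeds median + k * spread of the preceding baseline window.
    Because the baseline trails, a sustained flood slowly raises it; using the median
    rather than the mean keeps that drift small while the attack is a minority of the window."""
    flagged = []
    for i in range(baseline_minutes, len(counts)):
        med, spread = robust_baseline(counts[i - baseline_minutes:i])
        threshold = med + k * spread
        if counts[i] > threshold:
            flagged.append((i, counts[i], threshold))
    return flagged


def sample_series():
    """Constructed per-minute request counts: a steady baseline that wobbles between
    100 and 118, one legitimate bump of 130 at minute 50 that must NOT be flagged,
    and a request flood of 5,000 requests per minute from minute 90 to 95."""
    counts = [100 + (i % 7) * 3 for i in range(120)]
    counts[50] = 130
    for m in range(90, 96):
        counts[m] = 5000
    return counts


if __name__ == "__main__":
    for minute, count, threshold in detect_anomalies(sample_series()):
        print(f"minute {minute}: {count} req/min exceeds threshold {threshold:.0f}")
```

The same detector works on any per-minute counter, for example requests per country or per source IP, which is how the country block and rate limit values used later in the case study would be chosen from data rather than guessed.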

Protecting web applications
[Architecture diagram: Amazon Route 53 and Amazon CloudFront with AWS WAF at AWS Edge Services; in the Region, a VPC with a public subnet holding an ALB with AWS WAF and a private subnet holding compute capacity; Amazon S3; Shield Advanced protected resources]

Protecting on-premises applications
[Architecture diagram: Amazon Route 53 and Amazon CloudFront with AWS WAF at AWS Edge Services; in the Region, a VPC with a public subnet holding an Application Load Balancer and a private subnet, connected through a TGW and DX/VPN to a Customer Gateway and compute capacity in the corporate data center; Internet; Shield Advanced protected resources]

AWS Shield Advanced Features
• Near real-time events visibility and alerting
• 24/7 support of AWS Shield Response Team
• Health-based detection and proactive event response
• Infrastructure and application protection (L3-7)
• Application attack detection and automatic mitigation with AWS WAF
• Cost protection for scaling during an attack
Protected resources: Amazon Route 53, Amazon CloudFront, AWS Global Accelerator, Elastic Load Balancing, Elastic IP
AWS Firewall Manager for centralized management; AWS WAF for application protection

February 15th, 2022
On the 15-16th February a number of Ukrainian websites were taken offline due to Distributed Denial-of-Service (DDoS) attacks. The impacted sites included banks, government and military websites.

Attack profile
• Mirai botnet (actually – forked "Katana" network)
• Mikrotiks, Avtech network cameras, etc.
• Not just DDoS:
§ Fake SMS messages about ATM issues
§ A denial of service attack against the .gov.ua DNS servers; and
§ A BGP hijacking attack against the Privatbank IP space causing difficulties routing traffic to their network.

Customer ingress architecture
[Architecture diagram]

Chronology
15 February 2022
12:00 - attack started (first wave)
18:00 - customer reaches out to AWS account team
18:20 - internal escalation inside AWS
19:26 - customer case created
19:46 - AWS war room created
22:00 - WAF configured for mobile endpoint
23:00 - WAF configured for web endpoint
16 February 2022
00:00 - attack peak (first wave)
3:00 - attack stopped (first wave)
10:00 - attack started (second wave)
11:50 - Shield Advanced activated
12:00 - attack stopped (second wave)

GA overloaded -> AWS outage in GRU (Brazil)

Firewall appliances gave up and started leaking

WAF to the rescue

WAF to the rescue
• Block Brazil traffic
• Reputation list - block
• Core rule set
• Rate-limit - 2000 requests
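To make the four controls on this slide concrete, here is an added example written for this page (it is not the talk's or AWS's own configuration). The Python below expresses them as WAFv2 rule JSON in the order a web ACL evaluates them (a geo block for Brazil, the AWS IP reputation managed rule group, the core rule set, and a rate-based rule with the slide's limit of 2,000 requests per source IP), and then replays constructed access-log records through the same four checks in priority order to show which rule would block each request, the same breakdown the "Stats" slide later reports per rule. Assumptions: the contents of the reputation list are made up (the real list is AWS-maintained), the core rule set is represented by just its NoUserAgent_HEADER check, and the evaluator's trailing 5-minute window is a simplification of how AWS WAF counts for rate-based rules.

```python
import json
from collections import Counter, defaultdict, deque

RATE_LIMIT = 2000      # from the slide: rate-limit at 2000 requests per source IP
WINDOW_SECONDS = 300   # AWS WAF rate-based rules count over a trailing 5-minute window

# Constructed stand-in for the AWS-maintained IP reputation list (its real contents are not public).
REPUTATION_LIST = {"192.0.2.77", "192.0.2.78"}


def _visibility(name):
    """CloudWatch metric and request-sampling settings every WAFv2 rule must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def web_acl_rules():
    """The slide's four controls as WAFv2 rule statements, in priority order (lowest first)."""
    return [
        {   # Block Brazil traffic: geo match on the client's country
            "Name": "BlockBR", "Priority": 0,
            "Statement": {"GeoMatchStatement": {"CountryCodes": ["BR"]}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("BlockBR"),
        },
        {   # Reputation list - block: managed rule groups use OverrideAction, not Action
            "Name": "IpReputation", "Priority": 1,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList"}},
            "OverrideAction": {"None": {}}, "VisibilityConfig": _visibility("IpReputation"),
        },
        {   # Core rule set
            "Name": "CommonRuleSet", "Priority": 2,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}}, "VisibilityConfig": _visibility("CommonRuleSet"),
        },
        {   # Rate-limit - 2000 requests, aggregated per source IP
            "Name": "RateLimit", "Priority": 3,
            "Statement": {"RateBasedStatement": {"Limit": RATE_LIMIT, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("RateLimit"),
        },
    ]


def rules_json():
    """JSON text suitable for `aws wafv2 create-web-acl --rules file://rules.json`."""
    return json.dumps(web_acl_rules(), indent=2)


def evaluate(records, reputation=REPUTATION_LIST, limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """Replay (timestamp_seconds, ip, country, user_agent) records through the rules in
    priority order and count which rule blocks each request ("ALLOW" if none does).
    Simplified: reputation is a set lookup, the core rule set is only its NoUserAgent_HEADER
    check, and the rate limit is a trailing window over requests that reached that rule."""
    counts = Counter()
    recent = defaultdict(deque)  # per-IP timestamps counted by the rate-based rule
    for ts, ip, country, ua in records:
        if country == "BR":
            counts["BlockBR"] += 1
        elif ip in reputation:
            counts["IpReputation"] += 1
        elif not ua:
            counts["CommonRuleSet"] += 1
        else:
            q = recent[ip]
            q.append(ts)
            while q[0] < ts - window:      # drop timestamps that left the window
                q.popleft()
            if len(q) > limit:
                counts["RateLimit"] += 1
            else:
                counts["ALLOW"] += 1
    return counts


def sample_records():
    """Constructed access-log records (seconds, client ip, country, user agent)."""
    recs = [(t * 30, "198.51.100.10", "UA", "Mozilla/5.0") for t in range(10)]   # normal visitor
    recs += [(t, "203.0.113.5", "BR", "Mozilla/5.0") for t in range(5)]          # traffic from Brazil
    recs += [(t, "192.0.2.77", "DE", "Mozilla/5.0") for t in range(3)]           # reputation-listed source
    recs += [(5, "198.51.100.20", "UA", "")]                                     # no User-Agent header
    recs += [(i * 60 / 2500, "198.51.100.99", "UA", "curl/8.0") for i in range(2500)]  # 2500 req/min burst
    recs.sort(key=lambda r: r[0])
    return recs


if __name__ == "__main__":
    print(rules_json())
    for rule, n in evaluate(sample_records()).items():
        print(f"{rule:>14}: {n}")
```

The list returned by web_acl_rules() is exactly what the WAFv2 API takes as the web ACL's rules; priorities decide the order, and on a real deployment the rate limit and geo block should be chosen from the baseline measured earlier rather than copied from this case. In the replay, the bursting source gets its first 2,000 requests through before the rate rule starts blocking, which is why the slides report the rate limit as the most efficient rule only once an attack is sustained.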

So, why do we still need Shield Advanced?
Shield Advanced enabled

L3/L4 attacks

Stats
Wave 1:
• mobile:
§ 1.5 Mrps - total blocked
§ 1.266 Mrps - rate-limited - most efficient rule
§ 333 Krps - country block (Brazil)
• web:
§ 20 Gbps - incoming bandwidth
§ 1.6 Mrps - total blocked
§ 1.17 Mrps - rate-limited - most efficient rule
§ 333 Krps - country block (Brazil)
Wave 2:
• mobile: not affected
• web:
§ 40 Gbps - incoming bandwidth
§ 3.6 Mrps - total blocked
§ 2.6 Mrps - rate-limited - most efficient rule
§ 666 Krps - country block (Brazil)

It's not over yet…

Thank you!
Please complete the session survey