The AWS DDoS Response Team (DRT) is responsible for automating thousands of mitigation actions every day, however sometimes customer require direct action or assistance. In this session, you will learn how to engage the DRT as well as some of the advanced capabilities of the DRT. You will also get a look into some of the advanced use cases and countermeasures the DRT can deploy to protect customers on AWS.

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shawn Marck, AWS Perimeter Protection
March, 2019
DDoS Response Team (DRT)
Engagement, Advanced Countermeasures
and Capabilities

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What does the DRT do?
• Own and execute DDoS mitigation runbook for supporting
Amazon properties, AWS Services and AWS Shield Advanced
Customers.
• Build automation which reduce or time to respond.
• Create tools to aid in swift mitigation of attacks.
• Provide training to AWS Support and technical field
community to share best practices and domain expertise on
DDoS mitigation in AWS.

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Engagement

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of Engagement
• DDoS Architecture Review
• Operational Readiness Inquiry (Prior to IEM)
• Custom mitigation templates for EIPs
(EC2/NLBs)
Pre-emptive
Engagements
• Automatically engaged for availability
impacting L3/L4 events against AWS
infrastructure or impacting to AWS Services
• Customer driven support cases through AWS
Support or AWS Shield Engagement Lambda
• Manual traffic engineering and assessment of
traffic patterns
24x7 Incident
Response

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to engage the DRT?
• Open an AWS Support case
• serviceCode = ‘distributed-denial-of-service’
• severityCode = ‘urgent’ or ‘critical’ depending on Support level

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to engage the DRT?
• Open an AWS Support case
• serviceCode = ‘distributed-denial-of-service’
• severityCode = ‘urgent’ or ‘critical’ depending on Support level
A better way…

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to engage the DRT?
• Open an AWS Support case
• serviceCode = ‘distributed-denial-of-service’
• severityCode = ‘urgent’ or ‘critical’ depending on Support level
A better way…
• Use ShieldEngagementLambda.js
• Opens AWS Support case for you.
• Pages Primary DRT on call operator into your case.
• Bypasses AWS Support escalation SLA

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ShieldEngagementLambda.js
// ShieldEngagementLambda.js
// Source https://s3.amazonaws.com/aws-shield-lambda/ShieldEngagementLambda.js
// User configurable options
var config = {
// Change this to "critical" if you are subscribed to Enterprise Support
severity: 'urgent',
// Change this to 'advanced' if you are subscribed to AWS Shield Advanced
shield: 'standard',
// Change this to 'off' after testing
test: 'on',
// Modify subject and message if not subscribed to AWS Shield Advanced
// Change subject and message to the path of a .txt file that you created in S3
standardSubject: 'http://s3.amazonaws.com/aws-shield-lambda/EngagementSubject.txt',
standardMessage: 'http://s3.amazonaws.com/aws-shield-lambda/EngagementBody.txt'
}

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect?
• Is the right resource on the call?
• Have someone who understands the application and understands
the architecture.
• Am I prepared to make Changes?
• Expect that some countermeasures will be more effective when
coupled with scaling techniques and sometimes additional state or
request handling layers such as CloudFront or Load Balancers.
• What is my applications health?
• Be prepared to check key health metrics for your application.

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced Countermeasures

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Advanced Countermeasures
BGP traffic engineering
Custom BlackWatch mitigations
•Pattern matching, Geo-shaping, NACLs
AWS WAF Rules
•Log Parsing to map a botnet
•DRT Managed WAF rules (A list of high severity bot IP addresses generated from retail)
Architecture GAP analysis

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Example: Pattern Matching
iptables -m u32 --u32 "16=0xE0000001"
The u32 module matches arbitrary byte patterns
iptables -m length --length 256:65535
The iptables length module matches packet size
Stateless filtering is powerful because AWS Shield can scale it
• Be familiar with your packet format on the wire
Implement restrictive always-on filtering using iptables
• Ensures that filtering is safe and helps you survive the first few minutes of an attack

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
https://aws.amazon.com/shield/