Protect Your Game Servers from DDoS Attacks - AWS Online Tech Talks

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shawn Marck, DDoS Response Team
Protect Your Game Servers
From DDoS Attacks

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
D D o S T h r e a t s & T r e n d s
A W S a p p r o a c h t o D D o S m i t i g a t i o n
A W S S h i e l d S t a n d a r d a n d A d v a n c e d
R e f e r e n c e A r c h i t e c t u r e s & B e s t P r a c t i c e s
C u s t o m e r R e f e r e n c e s & L i v e D e m o
AWS Shield

DDoS Attack Threats and
Trends

Types of Threats
Bad BotsDDoS Application Attacks
Reflection
Layer 4 floods
Slowloris
SSL abuse
HTTP floods
Amplification
Content scrapers
Scanners & probes
Crawlers
SQL injection
Application exploits
Social
engineering
Sensitive data
exposureApplication
Layer
Network /
Transport
Layer

DDoS Threats
Network / Transport Layer DDoS

DDoS Threats
Application DDoS
Clients
Attackers
Web server Database

0
200
400
600
800
1000
1200
1400
1600
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
Largest DDoS Attacks (Gbps)
Memcached Attacks
Mirai Attacks
DDoS Attack Trends

DDoS Threats and Trends
AWS Shield detects and mitigates 1,000’s of DDoS Attacks Daily
Source: AWS Global Threat Dashboard (Available for AWS Shield Advanced customers)

Availability Financial Impact Security
Why does it matter?
• Flooding game servers can
impact performance and
drastically degrade the
player experience.
• Attacks can last for hours,
even days
• Stealing or misusing data• An attack that brings down your
server will end up as Lost
Revenue
• You could massively scale but
that just translates to Increased
Infrastructure Expense
• Even without an actual attack
DDoS threats are being use for
Extortion
• Any combination of these results
in a hit to your reputation

1
• Complex to Set up
• Need to Provision additional
capacity
• Re-architect applications
D i f f i c u l t t o E n a b l e
2
• Manual Intervention required
• Re-routing traffic to scrubbing
locations
S u b - O p t i m a l I n c i d e n t
R e s p o n s e
3
Scrubbing centers may be far from
your servers leading to added latency
D e g r a d e p e r f o r m a n c e
4
Manual intervention and re-routing
takes away precious moments from
incident response
I n c r e a s e d T i m e t o M i t i g a t e
5
Due to the size, duration and
complex nature of mitigation
systems it becomes prohibitively
expensive in some cases
E x p e n s i v e t o U s e
Traditional Challenges of DDoS Mitigation

AWS Approach to
DDoS protection

Evolution of DDoS Mitigation
On-Premise Cloud-Routed Cloud-Native

On-Premise
• Scale network and fixed
infrastructure to mitigate DDoS
attacks on-site
• Visibility and control
• Large capital expenditures,
maintenance costs, and in-house
expertise

Cloud-Routed
• Route traffic to other networks for
better mitigation capacity, managed
services
• Mitigate larger DDoS attacks without
upfront investment or in-house
expertise
• Black box solution – can introduce
latency, additional points of failure,
increased operating costs

Cloud-Native
• Automatic, always-on DDoS
protection for all applications on AWS
• Leverage 18 AWS Regions and over
100 Edge Locations to mitigate large
attacks close to the source
• Simple, flexible, and affordable
• Robust capabilities without
undifferentiated heavy-lifting

Four Pillars of our approach to
DDoS Protection
AWS Integration
DDoS protection without
infrastructure changes
Affordable
Don’t force unnecessary
trade-offs between cost and
availability
Flexible
Customize protections
for your applications
Always-On Detection
and Mitigation
Minimize impact on application
latency

2015 2016 2017
for CloudFront for ALB
for EC2/NLBfor CloudFront,
Route 53, ELB
AWS WAF
AWS Shield Advanced
~2006
AWS Shield Standard : Protect Amazon.com & AWS Infrastructure
Our journey so far ….

AWS Shield
Standard & Advanced

AWS Shield
Standard & Advanced
Built-in DDoS
Protection for
Everyone
Enhanced Protection
24x7 access to
DDoS Response
Team (DRT)
CloudWatch Metrics Attack Diagnostics
Global threat
environment
dashboard
DDoS
Expertise
Visibility &
Compliance
Economic
Benefits
AWS WAF at no
additional cost
for protected resources
AWS Firewall
Manager
at no additional cost
Cost Protection for
scaling

Layer 3/4 Protection for Everyone
 Automatic defense against the most common network and transport
layer DDoS attacks for any AWS resource, in any AWS Region
 Comprehensive defense against all known network and transport layer
attacks when using Amazon CloudFront and Amazon Route 53
 SYN Floods, UDP Floods, Reflection Attacks, etc.
Layer 7 Protection Available via AWS WAF
 Self-service & pay-as-you-go
 Flexible rule language
 Fast rule propagation
AWS Shield
Standard
AWS WAF
AWS Shield
Standard

AWS WAF available on
Amazon CloudFront Application Load Balancer
(ALB)

Popular deployment modes
1. Custom Rules 3. Security Automation2. Managed Rules
Or use any combination of the above …

Deploy in 3 easy steps
Find rules on AWS WAF
console or AWS
marketplace
Click and
subscribe
Associate rules in
AWS WAF

AWS Shield Advanced:
Enhanced Protection
• Layer 7 attack detection (HTTP Floods,
DNS Query Floods)
• Baselining and Anomaly detection
• Enhanced Layer 3 attack detection
• Granular detection thresholds (for regional
services EC2/ELB only)
• Proprietary packet filtering stacks
• Suspicion-based filtering
• Advanced mitigations like SYN Throttling
• Pre-configured mitigations according to
resource type
• Customer defined Mitigations
• Traffic Engineering for Large DDoS Attacks
• Network ACLs executed at the border for EIPs
Detection Mitigation

DDoS Response Team (DRT)
• DDoS Architecture Review
• Fire Drills and Game Days
• Custom mitigation templates for
EIPs (EC2/NLBs)
• Automatically engaged for availability
impacting L3/4 events
• Customer driven support cases through
AWS Support or AWS Shield Engagement
Lambda
• Incident triaging
• Manual traffic engineering
For more sophisticated and complex attacks
Pre-emptive
Engagements
24x7 Incident
Response

Visibility
• Real time CloudWatch
metrics for Alerting
• 15 different metrics
• Multiple vectors - SYN
flood, HTTP flood, and
others
• Attack Details for Triaging
• Top IP address, ASN, Geo,
Referrer, etc.
• HTTP Request samples
• Automate Incident
Response with AWS WAF
rules
• AWS-wide trends of
threats updated hourly
• Largest attack seen,
popular vector, etc.
• Threat Level Indicator
• Trends over last 2 weeks, 3
days, or 24 hours
CloudWatch Metrics Diagnostic Reports Global Threat Reporting

Application Load
Balancer
Classic Load
Balancer
Amazon
CloudFront
Amazon
Route 53
EC2 Instances
Network Load
Balancer
 Northern Virginia (us-east-1)
 Oregon (us-west-2)
 San Francisco (us-west-1)
 Ireland (eu-west-1)
 Tokyo (ap-northeast-1)
 Sydney (ap-southeast-2)
 Frankfurt (eu-central-1)
 Ohio (us-east-2)
In the these 8 regionsAvailable for 6 AWS services
Elastic IP Address
AWS Shield
Advanced

AWS Shield Advanced
Look who has already seen value…..

Reference Architectures

DDoS-Resilient Architecture
Amazon
Route 53
ALB Security Group
Amazon
EC2
Instances
Application
Load Balancer
Amazon
CloudFront
Public Subnet
Web Application
Security Group
Private Subnet
AWS WAF
Amazon
API Gateway
DDoS
Attack
Users
Globally distributed attack
mitigation capability
SYN proxy feature that verifies
three-way handshake before
passing to the application
Slowloris mitigation that reaps
long-lived collections
Mitigates complex attacks by
allowing only the most reliable
DNS queries
Validates DNS
Provides flexible rule language
to block or rate-limit malicious
requests

Session-Based Game Architecture
Security Group
Amazon
EC2
Instances
Network Load
Balancer
Public Subnet
Web Application
Security Group
Private Subnet
DDoS
Attack
Users
AWS Shield Elastic IP
Address

Best Practices

Releasing a new Title or Service:
Best Practice Checklist
Questions to answer
 Are all the internet facing resources protected?
 Am I monitoring the right metrics?
 Do I know what to do if there is impact as a
result of a DDoS attack?
Register all internet facing resources
 Route53 Hosted Zones
 CloudFront Distributions
 Load Balancers (Classic, Application, Network)
 Exposed EC2 Instances

Questions to answer
Setup your CloudWatch Alarms
 Attack Detected Metrics
 Update your scripts to register against Shield
Advanced API/CLI

Questions to answer
Grant the DDoS Response Team Permissions
 Easy to deploy CloudFormation Template per
AWS Account

Conduct a readiness test / fire-drill call
 Test Shield Engagement Lambda
 Simulated Shield Alarm
 Runbook Validation
Questions to answer

Export record of trusted sources
 Users Authenticated
 From workflow or S3 triggered Lambda
 Game-day whitelist implementation
Another Best Practice:
Build a trust list

Demonstration

Thank You!
bit.ly/GetStartedWithAWSShieldAdvanced

Protect Your Game Servers from DDoS Attacks - AWS Online Tech Talks

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Protect Your Game Servers from DDoS Attacks - AWS Online Tech Talks

Semelhante a Protect Your Game Servers from DDoS Attacks - AWS Online Tech Talks (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Protect Your Game Servers from DDoS Attacks - AWS Online Tech Talks