In late August, AWS security teams noticed a new type of HTTP request flood targeting customers. Request flooding is a type of DDoS (distributed denial of service) attack – intentionally designed to make a website or application unavailable to users. Unfortunately, these types of attacks have become a common problem for cybersecurity teams to fend off. But this one was different and of a size and scale not seen before.
“DDoS attacks are evolving. People have found a way to talk to web servers much more aggressively and at a much higher rate than before,” said Tom Scholl, AWS vice president and principal engineer. “A request flood is essentially someone asking for data. The server goes to get that data, but then the requester doesn’t want it. It’s a bit like calling someone repeatedly and hanging up as soon as they answer. If you have more than 100 million requests at once, this can consume large amounts of resources and prevent normal traffic from being processed. This particular attack, known as the ‘HTTP/2 Rapid Reset Attack’, led to more than 155 million requests per second.”
If a DDoS attack is successful, it can wreak havoc on businesses, increase costs and affect people just trying to go about their daily lives. For example, it can prevent you from making bank transfers, seeing information from your healthcare provider or watching your favorite program. If gaming is your thing, you may not be able to log in, or you may get disconnected halfway through gameplay.
Thanks to the efforts of AWS engineers, AWS customers were quickly protected from this new DDoS attack. Along with other technology companies, AWS also worked to develop additional restrictions to improve how such attacks are handled in the industry.
“We come at a problem like this from multiple angles,” Scholl said. “We’re pooling all of our internal expertise to quickly work on fixes, while identifying other areas that may be vulnerable. In the case of a new type of DDoS, we’re also building a reproduction in our labs of whatever the bad actors are doing , to better understand how their attack works and to test the strength of our systems against it.”
Scholl said collaborating with industry peers to share knowledge about the most effective technical approaches is also critical to preventing attacks.
“Ultimately, we’re trying to make the internet a safer and more secure place, not just for our customers, but for all legitimate web users, wherever they are in the world,” he said.
Here are three ways AWS helps prevent DDoS attacks and disrupt the infrastructure responsible for generating them.
1. Detect and identify botnets
Attackers often use “botnets” to power their DDoS attacks. A botnet is a network of computers that have been infected with malware or other destructive software designed to disrupt normal programming. The affected machines, which can number in the tens of thousands, are controlled by a server. The server can instruct them to perform an attack simultaneously, in an attempt to overwhelm a system. Through spring MadPot threat intelligence tool, we can detect and identify botnets and identify where the botnet is controlled from. We will then contact domain registrars and hosting providers to turn off that checkpoint. This prevents the botnet itself from being able to participate in any attacks.
2. Find the source of a fake IP
A common technique used by DDoS actors is “IP spoofing,” sending messages as part of an attack while disguising the source to make it difficult to stop the activity. Historically, IP spoofing has been a challenge for security teams to deal with because it is so difficult to identify the true source. (Imagine if you simultaneously received a thousand calls on your phone from a thousand different numbers. You would have to trace back step-by-step to find each message’s network of origin.) Because AWS has a large global network footprint and interconnects with thousands of unique networks, we can contact our peer networks directly to trace an attack back to the source and shut it down. We are working with a variety of network operators to engage in tracking exercises to shut down the infrastructure used for these types of attacks.
3. Trace HTTP request floods through open proxies
A “proxy server” is a computer that acts as a sort of gateway between a user and the Internet. Popular examples include software packages, such as Squid. DDoS actors take advantage of freely open proxy servers, which anyone can use, to hide their attacks. They will actively search for open proxies to use when generating HTTP requests, allowing them to hide their true origins when attacking a target. When a target observes an attack, they see it coming from the thousands of proxies that are live on the Internet, rather than from the real source. With our MadPot threat intelligence toolwe can trace the real sources connecting to these proxies and work with the upstream hosting provider to shut them down.
Here are three tips for keeping your business more secure online.
1. Don’t go alone
Safety is a collaboration, according to Scholl. That’s where services like Amazon CloudFront can help, whether your business is a startup or an established business. CloudFront’s global footprint, DDoS mitigation system, and traffic management system are designed to handle large influxes of traffic, good or bad. Scholl said a useful metaphor for thinking about how CloudFront works is to imagine an incredibly strong, reinforced front door. If someone threw a heavy rock at it, they might be able to scratch a small part, but the door itself would remain intact. When combined with AWS Shield services to specifically address DDoS, customers have a good set of tools at their fingertips to manage DDoS-related threats.
2. Stay updated
Making sure you regularly patch and update the software your business depends on is critical to ensuring you have the latest security updates. These updates are designed against the latest known vulnerabilities. We recommend that customers running their own HTTP/2-capable web servers check with their web server provider if they have been affected by the latest attack and, if so, install the latest patches from their providers to resolve the issue.
3. Use multi-factor authentication
One of the best ways for you to protect yourself and your business online is through multi-factor authentication (MFA). This is a security best practice that requires a second authentication factor in addition to your username and password for login credentials. It offers an extra layer of protection to prevent unauthorized people from gaining access to your systems or data. AWS customers can learn more about this blog post about MFA.
For more information on how AWS keeps its customers secure, visit AWS Cloud Security website. For a deeper dive into how we helped disrupt the August DDoS attack, visit AWS Security Blog.
#Ways #AWS #Helping #Internet #Secure