In late August, AWS security teams noticed a new type of HTTP request flooding targeting customers. Request flooding is a type of distributed denial of service (DDoS) attack, deliberately designed to make a website or application unavailable to users. Unfortunately, these types of attacks have become a common problem that cybersecurity teams must defend against. But this one was different and of a size and scale never seen before.
“DDoS attacks are evolving. People have found a way to communicate with web servers much more aggressively and at much higher speeds than in the past,” said Tom Scholl, vice president and distinguished engineer at AWS. “A request avalanche is essentially someone requesting data. The server is going to get that data, but then the requester doesn’t want it. It’s a bit like calling someone repeatedly and hanging up as soon as they answer. If you have more than 100 million requests at a time, this can consume large amounts of resources and prevent normal traffic from being processed. This particular attack, known as the ‘HTTP/2 Fast Reset Attack’, was generating over 155 million requests per second.”
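The pattern Scholl describes, a stream opened and then cancelled before the server can answer, is visible at the HTTP/2 frame level. The following detection heuristic is an added example written for this article, not AWS code or MadPot logic; it assumes a simplified per-connection event feed (constructed here) where "HEADERS" opens a stream, "RST_STREAM" cancels it and "END_STREAM" stands for the server finishing a response, and flags connections whose streams are overwhelmingly reset right after being opened.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ConnStats:
    opened: int = 0      # client HEADERS frames (new streams)
    reset_fast: int = 0  # streams the client cancelled within the window
    completed: int = 0   # streams the server finished normally

def classify_connections(events, window=0.05, min_streams=20, ratio=0.8):
    """Flag connections whose streams are mostly cancelled right after being
    opened: the signature of an HTTP/2 Rapid Reset flood. events is an
    iterable of (conn_id, timestamp_s, frame, stream_id) in per-stream order."""
    open_at = {}                      # (conn, stream) -> time stream was opened
    stats = defaultdict(ConnStats)
    for conn, ts, frame, sid in events:
        key = (conn, sid)
        if frame == "HEADERS":
            open_at[key] = ts
            stats[conn].opened += 1
        elif frame == "RST_STREAM":
            t0 = open_at.pop(key, None)
            if t0 is not None and ts - t0 <= window:
                stats[conn].reset_fast += 1
        elif frame == "END_STREAM" and open_at.pop(key, None) is not None:
            stats[conn].completed += 1
    # Only judge connections with enough streams to make the ratio meaningful.
    return {c: s for c, s in stats.items()
            if s.opened >= min_streams and s.reset_fast / s.opened >= ratio}

def make_events(conn, n, start, reset_after=None, finish_after=0.2):
    """Constructed sample traffic: n client streams (odd ids), each cancelled
    by the client after reset_after seconds or completed after finish_after."""
    out = []
    for i in range(n):
        sid, t = 2 * i + 1, start + i * 0.001
        out.append((conn, t, "HEADERS", sid))
        if reset_after is not None:
            out.append((conn, t + reset_after, "RST_STREAM", sid))
        else:
            out.append((conn, t + finish_after, "END_STREAM", sid))
    return out

# Constructed input: a normal browser-like connection, a client that legitimately
# cancels a few streams slowly, and a connection behaving like a Rapid Reset bot.
SAMPLE_EVENTS = (make_events("conn-normal", 30, 0.0)
                 + make_events("conn-slow-cancel", 25, 0.0, reset_after=1.5)
                 + make_events("conn-attacker", 100, 0.0, reset_after=0.0005))
```

A slow cancel (a user navigating away) is not counted, so only the connection that resets streams within milliseconds is reported; the thresholds are starting points to tune against your own traffic.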
If a DDoS attack is successful, it can wreak havoc on businesses, increase costs, and impact people who are simply trying to go about their daily lives. It could, for example, prevent you from making bank transfers, viewing information from your healthcare provider, or watching your favorite show. If gaming is your thing, you may not be able to log in or you may be disconnected mid-game.
Thanks to the efforts of AWS engineers, AWS customers were quickly protected from this new DDoS attack. Along with other technology companies, AWS also worked on developing new mitigations to improve how such attacks are handled across the industry.
“We approach a problem like this from several angles,” Scholl said. “We brought together all of our internal expertise to quickly work on solutions, while at the same time identifying other areas that could be vulnerable. In the case of a new type of DDoS, we also create a replica in our labs of whatever the bad actors are doing, to better understand how their attack works and test the robustness of our systems against it.”
Scholl said collaborating with industry peers to share knowledge about the most effective engineering approaches is also vital to preventing attacks.
“Ultimately, we are trying to make the Internet a safer place, not only for our customers, but for all legitimate users of the web, wherever they are in the world,” he said.
Below are three ways AWS helps prevent DDoS attacks and disrupt the infrastructure responsible for generating them.
1. Botnet detection and identification
Attackers often use “botnets” to fuel their DDoS attacks. A botnet is a network of computers that have been infected by malware or other malicious software designed to interfere with their normal operation. The affected computers, which could number in the tens of thousands, are controlled by a server. That server can instruct all of them to act at the same time in an attempt to overwhelm a system. Through our MadPot Threat Intelligence Tool, we can detect and identify botnets and determine where each botnet is controlled from. We then contact the domain registrars and hosting providers involved to shut down that control point, which prevents the botnet from participating in any further attack.
2. Find the source of a spoofed IP
A common technique used by DDoS actors is “IP spoofing”: sending messages as part of an attack while disguising their source to make the activity difficult to stop. Historically, IP spoofing has been a challenge for security teams because the true source is very difficult to identify. (Imagine simultaneously receiving a thousand calls on your phone from a thousand different numbers. You would need to trace, step by step, the originating network of each message.) Because AWS runs a large global network footprint, interconnecting with thousands of unique networks, we can work directly with our peer networks to trace an attack to its source and shut it down. We are working with a variety of network operators to participate in traceback exercises that shut down the infrastructure used for these types of attacks.
3. Tracking HTTP Request Floods Through Open Proxies
A “proxy server” is a computer that acts as a gateway between a user and the Internet; a popular example is the Squid software package. DDoS actors take advantage of open proxy servers, which anyone can use, to hide their attacks. They actively search for open proxies to use when generating floods of HTTP requests, which lets them conceal their true origin while attacking a target. When a target observes such an attack, it appears to come from the thousands of proxy servers active on the Internet rather than from the actual source. With our MadPot Threat Intelligence Tool, we can track the true sources connecting to these proxies and contact their upstream hosting providers to shut them down.
Here are three tips on how to keep your business safer online.
1. Don’t do it alone
Security is a collaborative effort, according to Scholl. That’s where services like Amazon CloudFront can help, whether your company is a startup or an established enterprise. CloudFront’s global presence, DDoS mitigation systems, and traffic management systems are designed to handle large influxes of traffic, good or bad. Scholl said a useful metaphor for thinking about how CloudFront works is to imagine an incredibly strong, reinforced front door: if someone threw a heavy stone at it, it might scratch a small part, but the door itself would remain intact. Combined with AWS Shield services that specifically address DDoS, customers have a good set of tools at their fingertips for handling DDoS-related threats.
2. Stay up to date
Regularly patching and updating the software your business depends on is critical to having the latest security fixes, which address the most recently discovered vulnerabilities. We recommend that customers who operate their own HTTP/2-capable web servers check with their web server vendor whether they are affected by this recent attack and, if so, install the latest patches from that vendor to address the issue.
3. Use multi-factor authentication
One of the best ways to protect yourself and your business online is multi-factor authentication (MFA). This security best practice requires a second authentication factor in addition to your username and password. It provides an additional layer of protection that helps prevent unauthorized persons from gaining access to your systems or data. AWS customers can learn more in this MFA blog post.
To learn more about how AWS keeps its customers safe, visit the AWS Cloud Security Website. To learn more about how we helped disrupt the DDoS attack in August, visit the AWS Security Blog.