Learning from the Amazon Web Services (AWS) DDoS Attack

Amazon’s cloud computing division AWS was hit by an eight-hour distributed denial of service (DDoS) attack on October 22, 2019. The attack hit the Amazon Route 53 Domain Name System (DNS) web service, which had a knock-on effect on other AWS services. Amazon’s own mitigation service, Shield Advanced, reportedly could not fully mitigate the attack. TechRadar.com reported that “An email sent out to AWS customers, during the time of the attack, confirmed that the DNS outage was caused by a DDoS attack.” Given the enormous size of the AWS customer base, the outage impacted the websites of thousands of its customers, and had a trickle-down or ripple effect on the stakeholders of those customers.

DDoS Attacks are Costly

DDoS attacks are on the rise and can have a damaging impact on a company’s bottom line, both in terms of lost revenue and the manpower costs typically incurred to mitigate and recover from those attacks. The process of fighting DDoS attacks consumes a lot of valuable security analyst and support resources. Furthermore, in an “always-on” world, where customers expect constant service availability to conduct business, or simply to communicate, any downtime is obviously more than an inconvenience. According to Computer Business Review, “Critics noted that AWS’s Route 53 Service Level Agreement (SLA) promises 100 percent uptime…” The failure to meet SLA standards will almost certainly add more costs to the incident for AWS. On top of those costs comes the loss of customer trust. DDoS incidents like this one often result in customer churn and damage to a brand’s reputation.

Size of the Attack Unknown

Given that AWS must have a large DDoS mitigation platform in place, one can safely surmise that it took a substantial volumetric attack to knock AWS offline. Was it as big as, or bigger than, the October 2016 DDoS attack that hit the DNS provider Dyn? Perhaps AWS will disclose the size of the attack after a post-incident investigation, which leads me to my next point, which is…

Forensic Analysis is Crucial

Comprehensive visibility into an organization’s network activity is essential, not only to quickly combat DDoS threats, but also to enable compliance reporting and to archive the security event data that makes forensic analysis of past threats possible. Without this level of visibility, it is impossible to determine how effectively an attack was mitigated, or whether any false positives led to collateral damage; that same evidence is what substantiates any SLA claims.

Legacy vs. Modern DDoS Mitigation

According to Amazon, its Shield Advanced DDoS mitigation did play a role in dealing with the attack. However, the service’s mitigations did end up treating some legitimate customer queries as malicious, leaving users unable to connect. The fact that its DDoS mitigation platform also blocked some good traffic may indicate that it is using legacy/manual approaches to mitigation. After all, with many of today’s DDoS attack techniques, it is just not possible for legacy approaches to accurately discern good (legitimate) traffic from bad (DDoS) traffic. A modern DDoS mitigation solution automatically blocks only the bad traffic and allows good traffic to pass through, on a packet-by-packet basis, using granular detection mechanisms with surgical blocking filters. These mechanisms leverage heuristic and closed-loop policy, allowing for rapid filter creation and deployment, and thereby enable a dynamic response to the evolving nature of today’s sophisticated DDoS attacks.

Criminals now use multi-vector attacks that are automated and can morph every few seconds or minutes. They also typically launch low-threshold, sub-saturating attacks, which further increase the challenge for legacy DDoS mitigation tools to distinguish them from regular traffic. In these cases, organizations either end up with attacks still getting through, or end up taking their own services offline to keep the attacks at bay.
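To make the contrast between a legacy rate limit and a heuristic, closed-loop filter concrete, and to show the kind of forensic tally that the earlier section on visibility calls for, here is an added simulation. It is not Corero’s code, AWS’s code, or anything from this post; all addresses, names, query rates and thresholds are constructed for illustration. The traffic is a few one-second windows of DNS query records in which a busy but legitimate recursive resolver looks “hot” to a plain per-source rate limit, while the constructed attack sources stay under that limit (sub-saturating) and change addresses every window (morphing). Both mitigations are scored against the ground-truth labels, which is exactly the question a post-incident review has to answer: how much attack traffic got through, and how much good traffic was dropped as collateral damage.

```python
"""Added example, not from the original post: scores a static per-source rate limit
against a heuristic, closed-loop filter on constructed DNS query windows.
All IPs (RFC 5737 documentation ranges), names, rates and thresholds are assumptions."""
import random
from collections import Counter

random.seed(7)  # deterministic constructed traffic

GOOD_NAMES = ["www.example.com", "api.example.com", "mail.example.com"]


def constructed_window(attack_sources, attack_qps):
    """One second of constructed traffic as (src, qname, rcode, is_attack) records.
    30 ordinary clients ask for real names at ~2 qps; one busy but legitimate
    resolver (203.0.113.9) sends 40 qps; each attack source sends `attack_qps`
    queries for random nonexistent labels that return NXDOMAIN (constructed pattern)."""
    recs = []
    for i in range(30):
        for _ in range(2):
            recs.append((f"198.51.100.{i}", random.choice(GOOD_NAMES), "NOERROR", False))
    for _ in range(40):
        recs.append(("203.0.113.9", random.choice(GOOD_NAMES), "NOERROR", False))
    for src in attack_sources:
        for _ in range(attack_qps):
            label = "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=10))
            recs.append((src, f"{label}.example.com", "NXDOMAIN", True))
    random.shuffle(recs)  # interleave sources as a real capture would
    return recs


def legacy_rate_limit(windows, limit=20):
    """Static per-source rate limit: once a source exceeds `limit` queries in a
    window, the rest of its queries are dropped. It cannot tell a busy resolver
    from a flood, and misses floods that stay under the limit."""
    decisions = []  # (record, dropped)
    for w in windows:
        seen = Counter()
        for rec in w:
            seen[rec[0]] += 1
            decisions.append((rec, seen[rec[0]] > limit))
    return decisions


def heuristic_closed_loop(windows, min_queries=5, nx_ratio=0.8):
    """Packet-by-packet heuristic filter: a source is blocked as soon as, after
    `min_queries` queries in the current window, its running NXDOMAIN ratio reaches
    `nx_ratio`. At the end of each window the filter set is re-derived from what was
    observed (closed loop): filters stay only for sources that kept misbehaving, so
    they follow sources that appear or vanish and expire when the behaviour stops."""
    decisions = []
    blocked = set()
    for w in windows:
        total, nx = Counter(), Counter()
        active = set()
        for rec in w:
            src, _qname, rcode, _label = rec
            active.add(src)
            total[src] += 1
            nx[src] += rcode == "NXDOMAIN"
            if total[src] >= min_queries and nx[src] / total[src] >= nx_ratio:
                blocked.add(src)
            decisions.append((rec, src in blocked))
        blocked = {s for s in blocked if s in active and nx[s] / total[s] >= nx_ratio}
    return decisions


def score(decisions):
    """Forensic tally from the labelled log: attack blocked, attack leaked,
    good traffic dropped (collateral damage), good traffic passed."""
    c = Counter()
    for (_src, _qname, _rcode, is_attack), dropped in decisions:
        if is_attack and dropped:
            c["blocked_attack"] += 1
        elif is_attack:
            c["leaked_attack"] += 1
        elif dropped:
            c["collateral_good"] += 1
        else:
            c["passed_good"] += 1
    return dict(c)


def run_scenario():
    """Sub-saturating, morphing attack: 15 qps per source (under the 20 qps legacy
    limit), a fresh set of 10 sources each window, quiet windows before and after."""
    windows = [
        constructed_window([], 0),
        constructed_window([f"192.0.2.{i}" for i in range(0, 10)], 15),
        constructed_window([f"192.0.2.{i}" for i in range(10, 20)], 15),
        constructed_window([f"192.0.2.{i}" for i in range(20, 30)], 15),
        constructed_window([], 0),
    ]
    return {"legacy": score(legacy_rate_limit(windows)),
            "heuristic": score(heuristic_closed_loop(windows))}


if __name__ == "__main__":
    for name, tally in run_scenario().items():
        print(name, tally)
```

Run as-is, the legacy rate limit lets all 450 constructed attack queries through while dropping 100 legitimate queries from the busy resolver, because the only signal it has is volume. The heuristic filter drops no legitimate traffic and blocks each new set of attack sources after their first few queries, so 330 of the 450 attack queries are stopped even though the sources change every window; the 120 that leak are the detection latency before each fresh source crosses the threshold. The thresholds, the NXDOMAIN heuristic and the one-second window are illustrative assumptions; a production system would combine several such signals and tune them against its own baseline, but the scoring step is the part no deployment should skip, since without labelled event data there is no way to state the collateral-damage figure an SLA dispute turns on.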

Other cloud providers and enterprises would be wise to learn from this incident, and take a proactive stance to strengthen their DDoS defenses. If it can happen to AWS, it can surely happen to any organization.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.