At the end of August, AWS security teams noticed a new type of HTTP request flood targeting customers. Request floods are a type of distributed denial of service (DDoS) attack—deliberately designed to make a website or application unavailable to users. These kinds of attacks have unfortunately become a common problem for cybersecurity teams to fend off. But this one was different, and of a size and scale not seen before.
“DDoS attacks are evolving. People have found a way to talk to web servers much more aggressively and at much higher rates than in the past,” said Tom Scholl, AWS vice president and distinguished engineer. “A request flood is essentially someone asking for data. The server goes to get that data, but then the requester doesn’t want it. It’s a bit like calling someone repeatedly and hanging up as soon as they answer. If you have more than 100 million requests at once, this can consume large amounts of resources and prevent normal traffic from being processed. This particular attack, known as the ‘HTTP/2 Rapid Reset Attack,’ was driving more than 155 million requests per second.”
If a DDoS attack succeeds, it can cause havoc for businesses, drive up costs, and affect people just trying to go about their daily lives. It could, for example, stop you from making bank transfers, viewing information from your health care provider, or watching your favorite show. If gaming’s your thing, you might not be able to log on, or you could get disconnected halfway through playing.
Thanks to the efforts of AWS engineers, AWS customers were quickly protected from this new DDoS attack. Together with other tech companies, AWS also worked on developing further mitigations, to improve how such attacks are handled across the industry.
“We come at a problem like this from several angles,” said Scholl. “We bring together all of our in-house expertise to rapidly work on fixes, while at the same time we identify other areas that might be vulnerable. In the case of a new kind of DDoS type, we also build a reproduction in our labs of whatever the bad actors are doing, to better understand how their attack works and to test the strength of our systems against it.”
Scholl said that collaborating with industry peers to share knowledge on the most effective engineering approaches is also vital to preventing attacks.
“Ultimately, we’re trying to make the internet a safer and more secure place, not only for our customers, but for every legitimate web user, wherever they are in the world,” he said.
Here are three ways AWS is helping to prevent DDoS attacks and disrupt the infrastructure responsible for generating them.
1. Detecting and identifying botnets
Attackers often use “botnets” to power their DDoS attacks. A botnet is a network of computers that has been infected by malware or other destructive software designed to interfere with normal programming. The affected machines, which could total tens of thousands, are controlled by a server. The server can instruct them to carry out an attack at the same time, in an attempt to overwhelm a system. Through our MadPot threat intelligence tool, we can detect and identify botnets, and identify where the botnet is being controlled from. We’ll then engage with domain registrars and hosting providers to shut down that point of control. This stops the botnet itself from being able to participate in any attacks.
2. Finding the source of a spoofed IP
One common technique that DDoS actors use is “IP spoofing”, sending messages as part of an attack while disguising the source to make it hard to stop the activity. Historically, IP spoofing has been a challenge for security teams to deal with because it’s so hard to identify the true source. (Imagine if you simultaneously received a thousand calls on your phone from a thousand different numbers. You would need to trace back step-by-step to find each message’s originating network.) Because AWS runs a large global network footprint, interconnecting with thousands of unique networks, we can directly engage with our peer networks to trace an attack back to the source and shut it down. We work with a variety of network operators to engage in trace-back exercises to shut down the infrastructure used for these kinds of attacks.
3. Tracing HTTP request floods via open proxies
A “proxy server” is a computer that acts as a kind of gateway between a user and the internet. Popular examples include software packages, like Squid. DDoS actors take advantage of freely open proxy servers, which anyone can use, to hide their attacks. They will actively scan for open proxies to use them when they generate HTTP request floods, allowing them to hide their true origin when attacking a target. When a target observes an attack, they see it coming from the thousands of proxy servers that are live on the internet, rather than from the true source. With our MadPot threat intelligence tool, we’re able to trace back the true sources connecting to these proxies and engage with the upstream hosting provider to shut them down.
Here are three tips for how you can keep your business more secure online.
1. Don’t go it alone
Security is a collaborative effort, according to Scholl. That’s where services such as Amazon CloudFront can help, whether your business is a startup or an established enterprise. CloudFront’s global footprint, DDoS mitigation systems, and traffic management systems are designed to handle large influxes of traffic, good or bad. Scholl said a useful metaphor for thinking about how CloudFront works is to imagine an incredibly strong, reinforced front door. If someone threw a heavy rock at it, they might be able to scratch a tiny part, but the door itself would remain intact. When combined with AWS Shield services to specifically address DDoS, customers have a good set of tools at their fingertips to address DDoS-related threats.
2. Stay up to date
Making sure you regularly patch and update the software your business relies on is crucial to ensure you have the latest security updates. These updates are designed against the latest known vulnerabilities. We recommend that customers who operate their own HTTP/2-capable web servers check with their web server vendor if they are affected by this recent attack and, if so, install the latest patches from their vendors to address this issue.
3. Use multi-factor authentication
One of the best ways for you to protect yourself and your business online is through multi-factor authentication (MFA). This is a security best practice that requires a second authentication factor in addition to your username and password sign-in credentials. It offers an added layer of protection to help prevent unauthorized individuals from gaining access to your systems or data. AWS customers can learn more in this blog post about MFA.
For more information on how AWS keeps its customers secure, visit the AWS Cloud Security website. For a deeper dive on how we helped disrupt the DDoS attack in August, visit the AWS Security Blog.