3 ways AWS is helping to make the internet more secure

At the end of August, AWS security teams detected a novel form of cyberattack targeting customers—an HTTP request flood. Request floods are a type of distributed denial of service (DDoS) attack intended to render websites and applications inaccessible to users. Unfortunately, such attacks have become a common challenge for cybersecurity teams. However, this particular attack stood out due to its unprecedented size and magnitude.


According to Tom Scholl, AWS vice president and distinguished engineer, DDoS attacks are continuously evolving. Attackers have discovered ways to communicate with web servers more aggressively and at significantly higher rates than in the past. In a request flood, a client requests data from a server only to discard it upon receipt. It's akin to repeatedly calling someone and promptly hanging up when they answer. If more than 100 million such requests occur simultaneously, substantial server resources are consumed, obstructing the processing of normal traffic. The specific attack in question, referred to as the "HTTP/2 Rapid Reset attack," surpassed 155 million requests per second.
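The pattern the article describes, open a request and immediately discard it, is what HTTP/2 Rapid Reset does at the frame level: the client sends a HEADERS frame to open a stream and then an RST_STREAM frame to cancel it, over and over on one connection. The following detection sketch is an added example, not AWS code or any part of the article; it runs a sliding-window counter over a constructed list of frame events, and the thresholds and the "good"/"flood" connection names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of HTTP/2 frame events as (t_seconds, conn_id, frame_type, stream_id).
# Connection "good" opens 20 streams and reads the responses (DATA frames).
# Connection "flood" opens 200 streams and cancels each one a fraction of a
# millisecond later, i.e. the request-then-discard pattern described above.
SAMPLE_FRAMES = (
    [(0.01 * i, "good", "HEADERS", 2 * i + 1) for i in range(20)]
    + [(0.01 * i + 0.005, "good", "DATA", 2 * i + 1) for i in range(20)]
    + [(0.001 * i, "flood", "HEADERS", 2 * i + 1) for i in range(200)]
    + [(0.001 * i + 0.0001, "flood", "RST_STREAM", 2 * i + 1) for i in range(200)]
)


def detect_rapid_reset(frames, window=1.0, min_resets=100, reset_ratio=0.5):
    """Return {conn_id: (streams_opened, streams_reset)} for every connection
    on which, within any `window` seconds, the client sent at least
    `min_resets` RST_STREAM frames and reset at least `reset_ratio` of the
    streams it opened. Thresholds are assumed values for this example; a real
    server would tune them to its own traffic and act (e.g. close the
    connection) instead of just reporting."""
    per_conn = defaultdict(list)  # conn_id -> [(t, frame_type), ...] in time order
    for t, conn, ftype, _stream in sorted(frames):
        per_conn[conn].append((t, ftype))

    flagged = {}
    for conn, events in per_conn.items():
        opened, resets = deque(), deque()  # timestamps inside the current window
        for t, ftype in events:
            if ftype == "HEADERS":
                opened.append(t)
            elif ftype == "RST_STREAM":
                resets.append(t)
            else:
                continue  # DATA, WINDOW_UPDATE etc. do not affect the counters
            # Slide the window forward: drop events older than `window` seconds.
            while opened and opened[0] < t - window:
                opened.popleft()
            while resets and resets[0] < t - window:
                resets.popleft()
            if len(resets) >= min_resets and len(resets) >= reset_ratio * len(opened):
                flagged[conn] = (len(opened), len(resets))
                break  # one verdict per connection is enough
    return flagged


if __name__ == "__main__":
    print(detect_rapid_reset(SAMPLE_FRAMES))  # only the "flood" connection is reported
```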


Amid this evolving threat landscape, AWS swiftly safeguarded its customers from this new DDoS attack. Collaborating with other technology companies, AWS also focused on developing additional mitigation strategies to enhance the industry's ability to handle such attacks effectively.


Scholl emphasized that AWS employs a comprehensive approach when addressing such challenges. The teams consolidate in-house expertise to expedite the development of solutions and simultaneously identify other potentially vulnerable areas. In the case of novel DDoS attacks, AWS replicates the attackers' methodologies in its labs to gain a deeper understanding of their tactics and to test the resilience of its own systems.


Furthermore, Scholl underscored the importance of collaboration with industry peers to share knowledge and implement the most effective engineering approaches to preventing such attacks.


Ultimately, AWS strives to create a safer and more secure internet not just for its customers but for all legitimate web users worldwide.


Here are three ways AWS contributes to preventing DDoS attacks and disrupting the infrastructure responsible for generating them.


1. Detecting and identifying botnets


Attackers frequently use "botnets" to fuel their DDoS attacks. A botnet is a network of computers compromised by malware or other malicious software that subverts their normal operation. These infected machines, which can number in the tens of thousands, are under the control of a central server. Through our advanced threat intelligence tool, MadPot, we are able to identify and detect botnets and to pinpoint their command-and-control server. We then collaborate with domain registrars and hosting providers to promptly deactivate this control point. By doing so, we effectively prevent the botnet from engaging in any further attacks.



2. Identifying the true source of spoofed IP addresses


One prevalent technique employed by DDoS actors is known as "IP spoofing." This technique involves sending attack traffic while disguising its true source, making it exceedingly challenging to halt the malicious activity. Historically, security teams have struggled to ascertain the real origin because of the intricate nature of IP spoofing. To illustrate this complexity, imagine receiving a thousand simultaneous phone calls from a thousand different numbers; tracing each one back to its originating network would require a step-by-step investigation. Nevertheless, AWS, with its extensive and globally interconnected network, leverages direct engagement with peer networks to trace an attack back to its source and effectively neutralize it. Through collaboration with various network operators, we undertake trace-back exercises to shut down the infrastructure exploited by these types of attacks.


3. Tracing HTTP request floods that use open proxies


A "proxy server" acts as an intermediary between a user and the internet, relaying the user's traffic. DDoS actors exploit freely available open proxy servers, often running popular proxy software packages such as Squid, to conceal their attacks. These malicious actors actively scan for open proxies and leverage them to generate HTTP request floods, thereby obscuring their true identity when targeting a victim. Consequently, when observing an attack, the victim perceives it as originating from numerous live proxy servers across the internet rather than from the actual source. With the aid of our MadPot threat intelligence tool, we are able to trace back the genuine sources that connect to these proxies. We then engage with the upstream hosting provider to promptly disable these sources, preventing further attacks from being launched.


Here are three key measures to enhance your online business's security:


1. Collaborate and seek support


Scholl emphasizes that security is an endeavor that necessitates collaboration. That's where services like Amazon CloudFront come into play, regardless of whether your business is a startup or an established enterprise. CloudFront has a vast global footprint, fortified with robust DDoS mitigation systems and traffic management capabilities, enabling efficient handling of both legitimate and malicious traffic influxes. Scholl illustrates CloudFront's efficacy with the analogy of an exceedingly strong, reinforced front door: even if a heavy rock were hurled at it, only a superficial dent might result while the door itself remains intact. When paired with AWS Shield services, designed specifically to combat DDoS attacks, customers gain access to a comprehensive toolkit for effectively addressing DDoS-related threats.


2. Maintain up-to-date systems


Ensuring that the software your business relies on is regularly patched and updated is imperative for incorporating the latest security enhancements. These updates are crafted to counter known vulnerabilities. As a precautionary step, we recommend that customers running their own HTTP/2-capable web servers reach out to their web server vendors to determine whether they have been affected by the recent attacks. If so, promptly installing the latest patches provided by the vendors will address this issue.


3. Use multi-factor authentication


Employing multi-factor authentication (MFA) is one of the most robust measures for safeguarding both yourself and your online business. MFA, a widely recognized security best practice, requires an additional authentication factor beyond the traditional username and password. This supplementary factor acts as an extra layer of protection, preventing unauthorized individuals from gaining access to your systems or data even if a password is compromised.
