Amazon AWS Certified Advanced Networking Specialty – Security, Risk & Compliance Part 3

5. Denial of Service Attacks – Practical Overview

Hey everyone and welcome to the KP Labs course. Now in today’s lecture we are going to speak about a very interesting topic which I am sure most of you will really like it, which is called as the denial of service. So now one thing that I am sure that many of you might have already heard about denial of service and how many of the big websites are going down because of the denial of service attacks.

So let’s understand the basics or what denial of service attacks are all about and then we’ll go ahead with our interesting practicals as well. So in a normal website operation generally there is something called as the normal traffic. So if this is a website, a website can handle a specific amount of traffic. So it can be ten requests per second or it can be 100 requests per second depending upon the server capacity. So in the normal scenario, you see the server is all happy. So it is in green where there is a normal traffic. Certain times there can be a high traffic where the server resources becomes really busy and the application or the website becomes to be quite slow.

However, still the website is operational. So the about to use cases you will find to be a very genuine one. But certain times what attacker tries to do is they try to generate intentionally this malicious high traffic with a sole intention to bring the server down. So if you will see over here in the third use case you have a denial of service where a single attacker is generating a lot of requests in such a way that the server is completely down.

Now, there is one more attack called Distributed Denial of Service where there are multiple parties doing a denial of service attack on the same resource. So one of the difference between a Dos and a DDoS is that in Dos there can be maybe one user who is attacking the server. However, in DDoS there will be hundreds of users across the world who are attacking the same end point at an instant of time. And that is why it is called as the Distributed Denial of Service attacks. So Dos and DDoS are basically part and parcel of the servers and the network life.

Now, the reason why these attacks are so successful is because it is very easy to launch them. And along with that, when you go and inquire about DDoS protection, if you are a system administrator you will be presented with a big bill that you might have to pay if you really need a DDoS protection. However, many of the cloud providers like AWS they are coming with a good services like AWS Sheila, which can help you protect against the distributed denial of service attack to a certain extent. So nowadays the DDoS attacks are going very big. So if you talk about 2016 itself, which is like two years back, you had a DDoS of 800 Gbps.

You can imagine 800 GB per second worth of traffic. It can actually bring biggest of the websites down. So, let me actually show you in practical labs on how exactly the Dos attack would really look like. So, on the left hand side, I have my Windows machine. And if you look into the CPU utilization, it is at 3%. So I have a Core I seven, and it is at 3% of utilization. Now, after I performed a Denial of Service attack, you’ll see, the CPU went to 100% instantly.

So from 3% to 100% within just few seconds of Dos attacks. So, let’s not waste time. And let me show you on how exactly it would really look like. So, first, I have a Windows Ten machine over here.

And if you look into the CPU utilization, not much, quite empty, around 8% seven, 8% of the utilization. Now, on the right hand side, I have a Kali Linux machine. And this is where from we’ll be putting the Dos attacks from. So, let’s start. So, just notice the CPU utilization is quite low 3% right now. Now, within the Kali Linux, there is a great tool called as Loik.

So Loki is one of the tools which can perform the Denial of Service attacks. So, the first thing that you have to put is either you need to put a URL or you need to put the IP address of the endpoint which you want to attack. So, in my case, I’ll put the IP address of the end point. So 109, 216-8923. So, this is the IP address of my Windows machine.

Now, there can be various attack vectors that you can use depending upon the firewall and the application which is running. So, for my case, I will be using UDP based attack vector. And let’s start. So you can put the first thing you have to do, just log on to the target and just press the I am charging my laser. Now, you see, the amount of requests which has been sent by this Ploy is amazingly fast. And note that this virtual machine only has around two GB of Ram. So within two GB of Ram, look at the requests that are going.

Now, if I go to the Windows server now, you see the CPU utilization is actually going to a very high spike rate. So around 89%. And after a minute or two, the CPU utilization will be spiked to 100% full. And this is the power of denial of service attack. You see, CPU already reaching 89% anyway. So when I just press Stop flooding, let’s counter request, I’m sure I’ll be able to so, unit ten, 100,000, 10,000 lakh, ten lakh. So around 13 lakh request which was sent within just 1 minute from a two GB Ram virtual machine. So, imagine what would happen if you launch this attack vector from a 16 GB Ram server. The amount of requests that will be reaching will be tremendously fast and it can actually bring down lot of networks and lot of websites anyways.

So coming back to our PowerPoint presentation I hope you understood what the denial of service attack is all about. So the practical that we did right now, it was for the denial of service because there was a single entity. You also have distributed denial of service where there are multiple users who might run the logic tool which we just ran now to a common endpoint. So that is the difference between a Dawson, a DDS and DDoS attacks are again pretty common. It has actually brought down Twitter, brought on a lot of functionality of Facebook, PayPal and various other It’s.

6. Mitigating DDoS Attacks in AWS

Hi everyone and welcome back to the Knowledge for video series. Now in the previous lectures we understood the basic about DDoS and what a single machine can do for the DDoS based attacks. So generally what happens is hackers uses the full botnet of servers to attack the websites and lot of websites they generally go down because of distributed denial of service attacks. So what we’ll do is today we’ll understand on various techniques that we can use to mitigate the DDoS attacks from our infrastructure. So there are four major points to understand as far as the mitigating DDoS is concerned. The first is be ready to scale as a traffic surges so you should be ready to scale up if the traffic increases. So we’ll understand all of these points in detail. So second point is minimizing the attack surface area. So this basically means don’t expose your entire infrastructure to the internet because DDoS attack can majorly happen to the exposed area which is generally over the public subnet.

So this is what the second point says. Third point says is know what is normal and what is abnormal. This is specifically applicable to enterprise websites, they should have a proper metric to understand that this much traffic is normal and this traffic is abnormal. So very important point and the fourth point is create a plan for attacks. So this basically means what will you do when there is an ongoing DDoS attack? So you should have a proper plan for that as well. So let’s understand each point in detail. So the first point again is be ready to scale. So basically our infrastructure or your infrastructure in AWS should be designed to scale up as well as scale down whenever required. So this will not only help you in your peak business hours but it will also help you protect yourself under DDoS attack. So to scale infrastructure up and scale infrastructure down, there are various AWS services which you can use specifically ELB along with auto scaling.

Now for example, like whenever a CPU load is more than 70% in the application server automatically add one more application server to meet the needs. So generally in duos attack there is a resource consumption. So let’s assume that your application server, your present application server is consuming 70% of the CPU. Then the auto scaling group should automatically add one more application server to serve the needs. So this will help you not only in your peak hours or I would say suddenly when the traffic comes but also when there is a DDoS attack going on. So very important, always have your infrastructure ready for scale.

This is the first point. Now second point is minimize the attack survey surface area. So again this is possible if you have a proper decoupled infrastructure. So as PCI, DSS also says that one server should be used for one service or they cannot be multiple services in a single server. So for example an application and database server should not be in the same EC two instance. Now, let’s assume that you have a single EC two instance running both application and database server. So if you have such scenario and if there is a DDoS attack that is happening on that particular EC two instance, not only your application server will go down but along with that even your database will go down.

Now, if for example you have a separate EC to instance for application and database and if you have a sudden DDoS attack, then just application server will go down. In the worst case, your database server will still be up and running. So, very important, always have a decoupled infrastructure and in order to have a decoupled infrastructure, there are various services like SQS and elastic beanstalk that will help here. Third important point, know what is normal and what is abnormal. So there should be a key matrix that should define that this is a normal behavior. So again an example is that a website which is receiving huge traffic in the middle of night at 03:00 a. m.

So assume that you have an e commerce based website and suddenly at night 03:00 you’re getting a huge spike of traffic then that is actually abnormal. Now you can know that that is abnormal because during night time ecommerce website to a specific country will not receive a huge traffic. So similar to this, you should have help you as a security engineer determined that this amount of traffic at this time for example is normal or abnormal. So again, various services can help you like Cloud Watch and SNS two important services which can help in this case. Now the fourth and the most important point is create a plan for attack. So let’s assume that there is an ongoing attack on your infrastructures.

Now, how will you mitigate or what action will you take in this scenario is extremely important. So you should have a plan to mitigate DDUs attacks or to mitigate ongoing DDoS attacks. So for example, let’s assume that there is a duos attack going on and you are not aware on what exactly is happening. So very simple way to analyze if it is a DDoS attack or not is check whether the source IP address of the request which have sourced the traffic are same. Second important point, check from which country the increased traffic is coming from. So, if you have an ecommerce website based on India and suddenly you are finding huge amount of traffic coming from another country, that definitely means that that traffic is basically suspicious. Third is understand the nature of attack.

So if attack is thin flood or if the attack is at the application level. So once you understand the nature of attack, you can know on what measures that you can take. So, if it is a sin flood based attack, then maybe you can work around with say network AC or the security loop. But if it is an application level attack then maybe you might need a web application firewall et cetera. So in order to understand on how you can prevent the attack, you should know the nature of attack. And the fourth point is it can be blocked with network ACL or security group level. So example again, if a source IP address, most of the traffic is coming from a specific IP address, then you can directly block that IP address as a network ACL level. And the last point to remember which AWS also recommends here is that it is recommended to have an AWS support, at least the business support.

So whenever you are having a DDUs attack, you can immediately contact the AWS support and they along with your security engineers can help together work around with the ongoing attack. So, very important four points. Now there are various services which will help you protect against DDoS attacks like Amazon CloudFront. It is one of the major service which can help you protect against DDoS attack. Second is route 53. Then you have various services like Auto Scaling, web Application, Firewall, ELB VPC Security Group and Network ACS. So generally as far as maybe exams are concerned, specifically in security specialty exam, whenever you see a DDoS attack they might ask you on what can be the prevention measure to protect against those DDoS attacks. And again number one prevention mechanism I would say is having an AWS cloud front.

So very important two services. Now that is a very nice webinar or I would say very nice video from Amazon against mitigating DDoS attack. I’ll attach the link along with this module. I will really recommend you to watch that video once because it goes into too much of detail, too much of technical detail on how can cloud front or how route 53 can actually help you protect against DDoS attack. So it goes into the Sin flood on how cloud front can mitigate the Sin flood based attacks and those things. So, really recommended to watch this video. So this is the basic about mitigating of DDoS attacks. So I hope this has been useful for you. And this is again very important question. As far as the exams are concerns, I would really recommend you to watch and understand these. So this is it about this lecture, I hope this has been informative and I’d like to thank you for viewing.

• Category: Uncategorized