Building DDoS-resilient applications using AWS Shield (NET314)

Title

AWS re:Invent 2022 - Building DDoS-resilient applications using AWS Shield (NET314)

Summary

  • Oliver Starik and Paul lead AWS Shield and its response team, focusing on incident response and threat research for DDoS attacks.
  • AWS Shield protects the AWS network's availability and offers proactive measures to block DDoS attacks.
  • The shared responsibility model is emphasized, with AWS securing the cloud infrastructure and customers securing their applications.
  • AWS uses various strategies to differentiate between good and bad traffic and to mitigate DDoS attacks without causing false positives.
  • AWS Shield monitors hundreds of thousands of routers and examines exabytes of data to detect and mitigate DDoS attacks.
  • AWS has multiple points of ingress, making it challenging to monitor and protect against DDoS attacks.
  • AWS uses technologies like SynProxy and UDP traffic filtering to protect services like CloudFront from common DDoS attacks.
  • Route 53 is highly recommended for DNS due to its tight integration with Shield and its ability to absorb and prioritize traffic.
  • AWS Shield Advanced offers additional features like NACLs, byte matching, and health-based detection for more tailored DDoS protection.
  • AWS uses honeypots and malware analysis to proactively take down command and control servers, making AWS a less attractive DDoS target.
  • Best practices for DDoS resilience include architecting for resilience, using scalable AWS services, monitoring traffic flows, and engaging with the AWS Shield response team.

Insights

  • AWS Shield is an integral part of AWS's infrastructure, providing both reactive and proactive defenses against DDoS attacks.
  • The shared responsibility model is crucial for customers to understand their role in securing their applications within the AWS cloud.
  • AWS's approach to DDoS mitigation involves sophisticated detection and filtering mechanisms that operate at scale and with minimal false positives.
  • AWS's global network architecture presents unique challenges in DDoS defense due to the numerous points of ingress and the need for extensive monitoring.
  • AWS Shield Advanced provides enhanced protection with features that can be tailored to specific customer applications and traffic patterns.
  • AWS's use of honeypots and malware analysis for threat research is a proactive measure that not only protects AWS customers but also disrupts the operations of bad actors.
  • AWS emphasizes the importance of architecting applications for resilience and using AWS services to their full potential to ensure DDoS resilience.
  • Engaging with the AWS Shield response team and utilizing health checks can significantly improve an application's ability to withstand and quickly recover from DDoS attacks.