The Internet is increasingly becoming a core part of how modern companies do business. For organizations like Amazon, whose business model is based upon providing web-based services like e-commerce and cloud computing, the ability of their customers to connect to Amazon’s web-based resources is crucial to the company’s revenue model.
The reliance of organizations upon their Internet visibility has led cybercriminals to target an organization’s web presence as an effective means of hurting a business or turning a profit. The availability of cheap cloud computing and the proliferation of Internet of Things (IoT) devices with extremely poor security have made it easy for attackers to create massive botnets for use in Distributed Denial of Service (DDoS) attacks.
Amazon has recently been the target of a massive DDoS attack. Instead of targeting Amazon’s web presence, the attackers tried to deny access to Amazon’s internal DNS services. As a result, Amazon’s S3 services were largely unavailable to users for 8 hours. This attack demonstrated the importance of an effective DDoS mitigation solution since Amazon’s in-house anti-DDoS software was unable to defend against this large-scale attack.
Introduction to DNS
The Domain Name Service (DNS) was the target of the attack against Amazon. This service is crucial to the functioning of the Internet and had the ability to dramatically amplify the impact of the attacker’s efforts.
On the Internet, most people use domain names to tell their computer which website they want to visit. These domain names, like amazon.com, are easier to remember than IP addresses. Since a single web server may host several different websites, especially in the case of cloud services like AWS, the system needs to know which one the user is trying to access. As a result, it’s easier for everyone if users type a domain name into their address bar. However, the computers that make up the Internet work based on IP addresses, and having each computer try to remember the mapping of every domain name to IP address on the Internet is a hopeless task.
DNS solves this problem by setting up a system of servers that are designed to translate domain names to IP addresses. These servers are arranged hierarchically so that a computer can ask a DNS server with knowledge of .com domains for the IP address of the Amazon DNS server, which in turn can provide the IP address of a particular host within the amazon.com domain.
While this system does its job effectively, it does have its problems. One of the biggest issues is that the Internet is entirely dependent upon the DNS infrastructure for routing traffic to the correct computers. If an attacker can block users’ access to an organization’s DNS servers, their entire website may as well be down since users’ computers have no idea how to find it. A DDoS attack against the Dyn DNS provider in 2016 denied users in large areas of the globe access to the Internet for a couple of hours.
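The dependency described above can be reproduced offline with a toy delegation hierarchy. This is an added example, not code from the original article; the server names, the example.com zone and the 192.0.2.10 address are constructed for illustration. It shows that a name stops resolving when its authoritative server is unreachable, and that a cached answer only masks the outage until its TTL expires.

```python
# Constructed toy hierarchy: root -> .com TLD -> authoritative server for example.com.
ZONES = {
    "root": {"delegations": {"com.": "tld-com"}},
    "tld-com": {"delegations": {"example.com.": "auth-example"}},
    "auth-example": {"records": {"www.example.com.": "192.0.2.10"}},
}

class ResolutionError(Exception):
    pass

def resolve(name, down=frozenset(), cache=None, now=0, ttl=300):
    """Resolve `name` by following delegations from the root.

    `down` is the set of servers that cannot be reached (e.g. under DDoS).
    `cache` maps name -> (address, expiry) and is updated on success.
    Returns (address, list of servers contacted).
    """
    cache = {} if cache is None else cache
    hit = cache.get(name)
    if hit and hit[1] > now:
        return hit[0], ["cache"]          # answered locally, no server contacted
    server, path = "root", []
    while True:
        if server in down:
            raise ResolutionError(f"{server} unreachable while resolving {name}")
        path.append(server)
        zone = ZONES[server]
        if name in zone.get("records", {}):
            cache[name] = (zone["records"][name], now + ttl)
            return zone["records"][name], path
        # Follow the most specific delegation that covers the name.
        matches = [z for z in zone.get("delegations", {}) if name.endswith("." + z)]
        if not matches:
            raise ResolutionError(f"no such name: {name}")
        server = zone["delegations"][max(matches, key=len)]

def outage_timeline():
    """Resolve once while healthy, then twice during an outage of the authoritative server."""
    cache, results = {}, []
    results.append(resolve("www.example.com.", cache=cache, now=0))
    for t in (100, 400):                  # before and after the 300 s TTL expires
        try:
            results.append(resolve("www.example.com.", {"auth-example"}, cache, now=t))
        except ResolutionError as exc:
            results.append(str(exc))
    return results
```

The web server at 192.0.2.10 is never touched in this model, yet clients lose access to it once the cached record expires.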
The Amazon DDoS Attack
On October 23, 2019, Amazon suffered a DDoS attack that lasted for eight hours, from 10:30 AM to 6:30 PM PDT. The primary target of this attack was Amazon’s Route 53 DNS web service, but other services were affected as well.
The purpose of the Route 53 DNS service is to provide DNS lookups for systems across Amazon’s cloud-based services. A loss of access to Route 53 made it impossible for many users to access their Amazon S3 deployments while the attack was occurring. Other AWS-based services had to rely on external DNS infrastructure until the attack was remediated. Amazon has its own DDoS mitigation service called Shield Advanced. This service was important to the company’s efforts to mitigate the DDoS attack against their DNS services.
However, configuring these anti-DDoS protections can be difficult. Shield Advanced also contributed to the impact of the DDoS attack by identifying some legitimate requests for DNS resolution of S3 domain names as malicious. As a result, these requests were blocked by Amazon’s defenses, denying users access to their S3-based cloud resources.
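The false-positive problem described above can be measured on a constructed query log. This is an added example, not Amazon's or Shield Advanced's logic and not a reconstruction of the incident; the zone contents, addresses, traffic mix and thresholds are all assumptions. It compares a per-source rate limit with a filter based on how many of a source's queries are for names that do not exist in the zone.

```python
import random
from collections import Counter

# Constructed zone contents: 50 names that legitimately exist.
ZONE_NAMES = {f"bucket{i}.s3.example." for i in range(50)}

def build_log(seed=7):
    """Constructed one-window query log of (source_ip, qname, is_attack)."""
    rng, names, log = random.Random(seed), sorted(ZONE_NAMES), []
    # One shared recursive resolver carrying many users' legitimate lookups.
    log += [("198.51.100.53", rng.choice(names), False) for _ in range(400)]
    # Twenty small legitimate clients, five lookups each.
    for c in range(20):
        log += [(f"198.51.100.{100 + c}", rng.choice(names), False) for _ in range(5)]
    # 200 flood sources, 30 queries each, all for names that do not exist.
    for b in range(200):
        log += [(f"203.0.113.{b}", f"{rng.getrandbits(40):x}.s3.example.", True)
                for _ in range(30)]
    return log

def block_by_rate(log, limit=100):
    """Block any source sending more than `limit` queries in the window."""
    counts = Counter(src for src, _, _ in log)
    return {src for src, n in counts.items() if n > limit}

def block_by_miss_ratio(log, min_queries=10, max_miss=0.8):
    """Block sources whose queries are mostly for names absent from the zone."""
    total, miss = Counter(), Counter()
    for src, qname, _ in log:
        total[src] += 1
        miss[src] += qname not in ZONE_NAMES
    return {s for s in total
            if total[s] >= min_queries and miss[s] / total[s] > max_miss}

def evaluate(log, blocked):
    """Return (share of legitimate queries dropped, share of attack queries passed)."""
    legit = [e for e in log if not e[2]]
    attack = [e for e in log if e[2]]
    dropped = sum(e[0] in blocked for e in legit) / len(legit)
    passed = sum(e[0] not in blocked for e in attack) / len(attack)
    return round(dropped, 2), round(passed, 2)
```

On this log the rate limit drops 80% of legitimate queries, because the busy shared resolver is the only source over the limit, while passing every flood query; the miss-ratio filter does the reverse, but only because the constructed flood uses nonexistent names.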
Protecting Against DDoS Attacks
The attack against Amazon demonstrates the potential scope and impact of Distributed Denial of Service attacks. Amazon is a very large and powerful tech company whose core business model is based upon providing web-based services, whether through their online shopping website or cloud services. An inability for their customers to reach Amazon’s web presence can have a significant impact on the company’s profits.
As a result, it is not surprising that Amazon has its own defenses in place against DDoS attacks. A system like Shield Advanced should be adequate to defend against most DDoS attacks; however, it was unable to filter all of the malicious traffic from the attack against Amazon’s services in late October. This indicates that the attack likely included an extremely large amount of malicious traffic, enough to overwhelm even Amazon’s defenses.
Protecting against increasingly sophisticated DDoS attacks requires the ability to identify and filter massive amounts of malicious traffic. The attack against Amazon overwhelmed the defenses of a leading cloud services provider and tricked them into blocking legitimate traffic from their own users. As these types of massive DDoS attacks grow more common, organizations will need strong anti-DDoS solutions to protect their web presence and the ability to do business against cyber threats.