At the turn of 2016 (the outage itself was on 31 December 2015), the BBC's websites and iPlayer were knocked offline by a DDoS attack for at least three hours. The group claiming responsibility, New World Hackers, told interviewers that the attack exceeded 600 Gbps, which would have made it the largest DDoS attack ever recorded; that figure was never independently verified. One of the group's main claims was that the attack was launched from Amazon's infrastructure, after bypassing Amazon's security measures and obtaining administrative privileges.
Amazon offers its customers a huge pool of infrastructure resources, and the risk that those resources could be abused, for example to launch a very large DDoS attack, has been debated before.
What Does It Actually Take to Generate a High-Volume Attack Using Amazon's Infrastructure?
Amazon, for its part, has put several controls in place to prevent exactly this, as described in its AWS Security Whitepaper. Let's look at the important ones and what each means for an attacker trying to generate a high-volume attack:
- Anti-Spoofing: Amazon Elastic Compute Cloud (EC2) instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own. Reflection and amplification floods depend on forging the victim's address as the source, and spoofed SYN or UDP floods depend on forging random sources, so this egress filtering rules out almost every network-layer technique that produces high volumes. What remains is direct, un-spoofed traffic, whose volume is bounded by the bandwidth of the instances the attacker actually controls.
- Network Monitoring and Protection: AWS uses a wide variety of automated monitoring systems to maintain service performance and availability. These tools are designed to detect unusual or unauthorized activity at ingress and egress communication points; they monitor server and network usage, port scanning, application usage and unauthorized intrusion attempts, and support custom performance thresholds for unusual activity. Any unusual volume leaving the environment is therefore expected to be detected and to result in the offending instances being shut down.
- DDoS Protection: AWS deploys a proprietary DDoS mitigation system. Its details are not published, but it adds a further layer of monitoring and automated protection, aimed at protecting AWS's own systems.
- Abuse Reporting: Anyone can report abuse originating from an Amazon account. Each report is investigated by the Amazon abuse team, which takes action accordingly. In principle, an attack would be reported and dealt with in a timely manner.
- Additional Measures: Access control, anti-scanning, encryption and segregation are further controls that indirectly help prevent such abuse.
How likely is it, then, that the attack really was launched from Amazon's infrastructure? We recognize that a high-volume attack would be a very challenging task, so let's take a different approach: what if the attack was not so high-volume? What if it was more sophisticated and cunning instead?
Enter the Dynamic IP Attack – An Equally Devastating Outcome
Application-layer attacks employ various techniques to evade common defenses: headless browsers that execute JavaScript challenges, encryption (TLS) that hides payloads from inline inspection, and request patterns that mimic real users. When such an attack is spread across a large number of sources, the rate per source is low, so even application-level rate limits struggle to detect it. When the sources sit inside a major public cloud, mitigation systems face an additional difficulty: public cloud address ranges cannot simply be added to an access list as a whole without blocking legitimate traffic that comes from the same ranges.
Let’s re-examine dynamic IP attacks against the security measures described above:
- Anti-Spoofing: Application-layer attacks need a complete TCP (and usually TLS) handshake, so they never rely on spoofed addresses; every session is real. The anti-spoofing control has nothing to catch. The attacker can still change source addresses frequently by drawing on the huge address ranges Amazon offers, for example by launching new instances or re-addressing existing ones.
- Network Monitoring and Protection: A sophisticated attack keeps the bandwidth per source node low and spreads the load over many nodes, so that each source looks like a legitimate user.
- DDoS Protection: The low per-source volume keeps the attack under the radar of any egress monitoring; the traffic only converges at its final destination, and even there it is very hard to tell friend from foe.
- Abuse Reporting: To report abuse, the victim must first identify the abusing sources and attribute them to Amazon. That is nearly impossible when the sources behave so much like normal users.
- Additional Measures: An attack with the above properties can stay within reasonable usage criteria and use only actions that the normal enforcement policy permits.
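The claim that such an attack "converges only at the final destination" can be made concrete. The following is an added example, not code from the original post or from Radware: a small Python script runs two views over a constructed access log. A per-IP rate limit (the assumed threshold of 5 requests per second is an illustration) sees nothing wrong, because every attacking host stays well under it; aggregating the same log by provider prefix shows that over 90% of the requests come from two address blocks. The prefixes are RFC 5737 documentation ranges standing in for a cloud provider's published address space, and the log lines are generated in the script rather than taken from real traffic.

```python
import ipaddress
from collections import Counter

# Assumed per-source threshold that a typical application rate limiter enforces.
PER_IP_LIMIT_RPS = 5.0

# Hypothetical provider ranges (RFC 5737 documentation blocks) standing in for
# a cloud provider's published address space.
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

WINDOW_SECONDS = 60


def generate_sample_log():
    """Constructed access log for a 60 s window (not real traffic).

    40 attacking hosts spread over the two cloud prefixes each send 2 req/s;
    10 ordinary users from 192.0.2.0/24 each send 0.5 req/s.
    Line format: "<second> <source_ip> <method> <path> <user_agent>".
    """
    lines = []
    for sec in range(WINDOW_SECONDS):
        for host in range(40):
            net = CLOUD_PREFIXES[host // 20]
            ip = str(net.network_address + 10 + host % 20)
            for n in range(2):
                lines.append(f"{sec} {ip} GET /search?q=item{sec}{n} Mozilla/5.0")
        if sec % 2 == 0:
            for user in range(10):
                lines.append(f"{sec} 192.0.2.{user + 1} GET /index.html Mozilla/5.0")
    return lines


def parse_log(lines):
    """Return a list of (second, source_ip) tuples from lines in the format above."""
    entries = []
    for line in lines:
        fields = line.split(" ", 4)
        entries.append((int(fields[0]), ipaddress.ip_address(fields[1])))
    return entries


def per_ip_rates(entries, window_seconds=WINDOW_SECONDS):
    """Average requests per second for each source IP over the window."""
    counts = Counter(ip for _, ip in entries)
    return {ip: n / window_seconds for ip, n in counts.items()}


def sources_over_limit(rates, limit=PER_IP_LIMIT_RPS):
    """What a per-IP rate limiter would flag: every source above the limit."""
    return {ip for ip, rps in rates.items() if rps > limit}


def classify_prefix(ip, prefixes=CLOUD_PREFIXES):
    """Map a source IP to the first matching provider prefix, else 'other'."""
    for net in prefixes:
        if ip in net:
            return str(net)
    return "other"


def requests_by_prefix(entries, prefixes=CLOUD_PREFIXES):
    """Aggregate request counts by provider prefix instead of by single IP."""
    return Counter(classify_prefix(ip, prefixes) for _, ip in entries)


def cloud_share(by_prefix):
    """Fraction of all requests that came from the provider prefixes."""
    total = sum(by_prefix.values())
    if total == 0:
        return 0.0
    return (total - by_prefix.get("other", 0)) / total


if __name__ == "__main__":
    entries = parse_log(generate_sample_log())
    rates = per_ip_rates(entries)
    print("sources over per-IP limit:", sources_over_limit(rates))
    by_prefix = requests_by_prefix(entries)
    print("requests by prefix:", dict(by_prefix))
    print(f"share from provider prefixes: {cloud_share(by_prefix):.1%}")
```

The per-prefix view is a signal for investigation and for an abuse report to the provider, not a block list: as noted above, the same prefixes also carry legitimate users, which is exactly why the attacker chose them.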
To conclude: generating a high-volume attack from Amazon or any other public cloud would not be easy given the existing security measures, but most of those measures are designed to stop traditional, network-layer DDoS attacks. We believe attackers are increasingly turning to more complex attacks that are harder to detect and mitigate, yet can be equally devastating.
Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.
Yotam started with Radware as head of the ERT DDoS research lab where he led security research activities and new mitigation technology development. Following that, he transitioned to a product management role as a product manager for DefensePro. Presently, he leads the Radware Security Product Management team and handles Radware’s security portfolio.