Denying DDoS: Crownpeak & AWS’ Breakthrough Solution

CTO Adrian Newby presents case study at AWS re:Invent

For any enterprise that relies on a digital presence, a Distributed Denial of Service (DDoS) attack can be crippling. For a financial services institution and its clients, the consequences can be even worse.

So when Crownpeak’s chief technology officer, Adrian Newby, took to the stage at AWS re:Invent 2016, along with senior experts from Amazon Web Services and TeamSpeak3, the audience was more than just intrigued. The topic of the presentation? “Mitigating DDoS Attacks on AWS: Five Vectors and Four Use Cases.”

By working closely with AWS, Crownpeak showed how it’s been able to build a uniquely resilient architecture capable of defending against DDoS assaults that would otherwise paralyze enterprise websites. And in the case study presented at re:Invent 2016, its relevance to financial firms was driven home by the fact that one of longtime Crownpeak's customers at a major financial services institution, collaborated in testing this new approach.

How DDoS endangers financial services

A world's foremost investment firm has good reason to be proactive about digital security, when you consider the threats to financial services providers from DDoS attacks:

• For starters, they can run afoul of compliance issues. In the U.S., for example, regulations mandate financial firms to maintain minimum levels of accessibility, including site uptime.  Moreover, if they’re involved in the stock market, each is obligated to ensure continuous online availability of published share and fund prices, or risk being penalized.
• Customer service obviously suffers, too, which strikes hard at revenue streams: a 2015 study by information services Neustar claimed even lesser DDoS attacks that don’t grab the headlines can cost a bank $100,000 an hour --  and quite frequently more.
• Unfortunately, financial services firms are a favorite target for DDoS attacks. A 2015 Verizon Data Breach Investigations Report showed DDoS attacks are the most common type of digital assault against these businesses, making up 32% of all attacks. And a recent  Worldwide Infrastructure Security Report by Arbor Networks found that 57% of financial services institutions have experienced a DDoS attack, more than any other sector.
  
  

DDoS attacks aren’t limited to financial firms, of course. Companies that operate under a lot of compliance legislation, such as pharmaceutical firms, are also targets; those who depend on high volumes of web traffic for revenues, like ecommerce sites, are another.

Who launches these attacks, and why? Sometimes, they’re by organized cybercriminals hoping to demonstrate their threat level in order to extort payment from their targets. Others may work on behalf of unscrupulous competitors.  Political grievances can be another motivator and sometimes it’s just a small group seeking notoriety. In addition, more companies are finding that DDoS attacks are smokescreens or diversions for installation of malware and data theft elsewhere in the organization. There’s also the open question of how many of these are state-sponsored attacks, of course, intended to serve strategic or political ends.

But “DDoS” actually covers a whole spectrum of different types of attacks. Just one, as an example, is a Slowloris attack, named after a slow-moving Asian primate who may look webclip-cute, but whose bite can induce anaphylactic shock.

In its DDoS namesake, a network of hacked devices opens multiple connections to the targeted server, keeping them open as long as possible by continuously bombarding it with partial HTTP requests, none of which are ever completed.

The victimized server keeps more and more connections open, waiting for request completions that never arrive, devouring their concurrent connection pools so legitimate attempts to connect are denied.

That’s only one of the attack vectors taken by the bad guys.  DDoS attacks can target networks with overwhelming volumes of traffic, hit at systems with large volumes of connections, and strike at services with large volumes of requests.

Countering the threat: the Crownpeak/AWS/ case study

For years, the security experts at AWS have worked long and hard at developing a suite of technologies specifically targeting cyberthreat defense and protection. Crownpeak has integrated many of these into a baseline architecture for thwarting DDoS attacks for its customers.

In the case study presented at the conference, Crownpeak showed how it had conducted a trio of very aggressive tests to show how this architecture could mitigate DDoS attacks at even the biggest scale:

• A HTTP GET Baseline test to demonstrate how to counter “shock-and-awe” attacks where a site is inundated with traffic to “simply bludgeon it to death,” as Adrian Newby put it;
• A WILD HULK DDoS test to show whether the security architecture could hold out against a range of more sophisticated assaults designed to sneak in past defenses to go about their nasty business;
• A WAF Overload test to see if AWS’ new Web Application Firewall technology could be specifically overwhelmed by exploits and attacks.

The test attack was done at massive scale, using no less than 200 concurrent attack vectors, with an average of 200K requests sent to its servers per second, rising at one point to 100 million per minute.

What were some of the capabilities Crownpeak was able to deploy in mounting a defense?

• IP Blacklisting: In real time, Crownpeak can use Amazon CloudFront log analysis to automatically identify IP addresses generating unusual volumes of queries, then instantly dump traffic from those IPs. This not only benefits the customer under attack, but other Crownpeak customers, as those blacklists can be used to defend their sites and servers, too.
• Query Limiting: Attackers will often generate long random URLs to target a site and consume server processing power; by automatically setting limits on URL length and GET query strings, Crownpeak can counter this approach.

It’s a sophisticated set of countermeasures that, up until now, have been extremely costly to procure from other vendors.

At the height of the simulated attack test, the results were more than impressive. The most meaningful metrics?

• Nearly 200 rogue source IP addresses were identified and blocked at a time
• 47 million illegitimate requests were denied per minute…
• While 20 million legitimate requests were served with no backlogs

Scalable DDoS defenses are more crucial than ever

The test results provided convincing proof of performance for Crownpeak’s approach to DDoS prevention.  For companies with global reach -- or are growing in that direction -- solutions like this are already almost compulsory. They’re doing business in an age when the black hats, whether they’re worn by activist hackers or state-sponsored cybercriminals, are multiplying.

AWS’ recent launch of its Shield service is a tremendous step forward for customers deploying and running their own workloads directly on AWS.  Crownpeak’s integration of those same capabilities into a viable, full-featured security architecture is a big step forward for those enterprises looking for the same level of protection in a fully-outsourced model:

• Technology: Built on the most advanced -- and previously unattainable -- technologies, it’s a solution providing robust levels of protection that have already been proven in practice.
• Accessibility: By affordably packaging these technologies for easy adoption, more companies can now mount effective DDoS defenses.
• Scalability: Leveraging the world’s largest cloud service provider, a solution that can operate at truly global scale.

Introducing Crownpeak Advanced Web Hosting

On the heels of this highly successful attack test, Crownpeak is proud to introduce Advanced Web Hosting to all customers, which offers the same Layer 7 defense product highlighted at AWS re:Invent.