The new service is called AWS Shield, and it’s meant to protect against volumetric and state attacks.
Those are the two most common types of DDoS attacks. A volumetric attack floods a server with traffic, hoping to overwhelm or paralyze it. A state attack is similar but targets the TCP layer: because TCP tracks state for every new connection, the attack tries to cause “explosions of state inside your operating system,” Vogels said.
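To make the state-attack description concrete from the defender's side, here is an added example (not from the article and not part of AWS Shield) that reads a snapshot of a host's TCP socket table in the layout `ss -tan` prints and flags the condition a state attack produces: a large share of half-open (SYN-RECV) connections spread across many peers. The sample snapshot, the thresholds and the function names are constructed for the example.

```python
"""Host-level check for TCP state exhaustion from a socket-table snapshot.

Added example, not the article's or AWS's own code.  The input layout
mirrors `ss -tan` (netstat's SYN_RECV spelling is accepted too); the sample
lines and thresholds below are constructed."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed snapshot: one listener, two healthy sessions and a burst of
# half-open connections from many different peers, which is what a
# SYN-style state attack leaves behind in the kernel's connection table.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:443           0.0.0.0:*
ESTAB      0      0      10.0.0.5:443          198.51.100.20:50212
ESTAB      0      0      10.0.0.5:443          198.51.100.21:50213
SYN-RECV   0      0      10.0.0.5:443          203.0.113.7:51234
SYN-RECV   0      0      10.0.0.5:443          203.0.113.8:51235
SYN-RECV   0      0      10.0.0.5:443          203.0.113.9:51236
SYN-RECV   0      0      10.0.0.5:443          203.0.113.10:51237
SYN-RECV   0      0      10.0.0.5:443          203.0.113.11:51238
SYN-RECV   0      0      10.0.0.5:443          203.0.113.12:51239
"""


def parse_socket_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (state, local, peer) rows, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state = fields[0].replace("_", "-")  # normalise netstat's SYN_RECV
        rows.append((state, fields[3], fields[4]))
    return rows


def count_states(rows: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count sockets per TCP state."""
    return dict(Counter(state for state, _, _ in rows))


def assess_snapshot(text: str, ratio_threshold: float = 0.5,
                    min_half_open: int = 5) -> Dict[str, object]:
    """Flag a snapshot when half-open connections dominate the active set.

    Both thresholds are constructed defaults; tune them to the host's normal
    connection mix before alerting on them in production.
    """
    rows = parse_socket_table(text)
    counts = count_states(rows)
    half_open = counts.get("SYN-RECV", 0)
    # Listeners are not connections, so exclude them from the denominator.
    active = sum(n for state, n in counts.items() if state != "LISTEN")
    ratio = half_open / active if active else 0.0
    # Many distinct peers behind the half-open sockets points at spoofed
    # sources rather than one slow client.
    syn_peers = {peer.rsplit(":", 1)[0] for state, _, peer in rows
                 if state == "SYN-RECV"}
    return {
        "half_open": half_open,
        "active": active,
        "ratio": ratio,
        "distinct_syn_peers": len(syn_peers),
        "alert": half_open >= min_half_open and ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    print(assess_snapshot(SAMPLE_SS_OUTPUT))
```

A check like this complements an edge service such as Shield rather than replacing it: by the time half-open sockets pile up on the host, the traffic has already reached you, so the value is in spotting a state attack that got past the edge and in confirming that SYN cookies or backlog limits on the host are doing their job.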
To enhance security further, a web application firewall can be deployed alongside AWS Shield, Vogels said.
AWS Shield’s arrival is timely, because DDoS attacks have become a headline-grabbing type of security issue. The Mirai botnet, which exploits Internet of Things (IoT) devices to launch DDoS attacks, has been blamed for some record-setting attacks lately, including one against Domain Name Service (DNS) provider Dyn.
What makes DDoS attacks particularly scary is that they can be launched by pretty much anybody. This was true even before the code to activate Mirai became available publicly.
A third type of DDoS attack targets Layer 7, the application layer. AWS Shield can help against some of those, but in general, customers targeted at that layer might need an additional level of security. Along those lines, Amazon has also introduced AWS Shield Advanced, which includes a 24/7 human response team.
Possibly the most intriguing aspect of AWS Shield, though, is that Amazon has pledged to cap its cost.
That matters because a DDoS attack could be arbitrarily large, in theory, and the larger the attack, the more expensive the response becomes. That’s why the KrebsOnSecurity blog, the first known victim of Mirai, was removed from Akamai’s network; Akamai was providing pro bono security, and the record-setting attack — with the likelihood of more to follow — was too much to bear. (The site is now hosted by Google.)
X-Ray Vision Into the Cloud
Vogels, being the CTO, also announced some new services related to the nuts and bolts of operations.
Specifically, AWS is starting to let enterprises visualize the resources they have on the AWS cloud. The exact “shape” of the network that a customer builds on AWS has been a mystery.
That’s starting to change. One of today’s announcements was AWS Personal Health, a dashboard showing which of AWS’ availability zones are hosting your servers. It also can notify you of system events, such as outages. You can create automated responses to those events by using Lambda, AWS’ serverless functions service.
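As an added example of the automated-response pattern mentioned above (this is not AWS's code or a sample from the announcement), the following Lambda handler receives an AWS Health event, checks that it really came from the `aws.health` source before acting on it, and decides whether the affected EC2 instances should be drained ahead of a scheduled interruption or whether a human should simply be notified. The event layout follows the documented AWS Health event shape as delivered through CloudWatch Events, and the event type codes are the ones AWS Health documents for scheduled EC2 maintenance; the sample event, the `act` callback and the function names are constructed for the example.

```python
"""Lambda handler that turns AWS Health events into a response plan.

Added example, not AWS's own code.  Assumes a CloudWatch Events rule that
forwards events with source "aws.health" to this function; the sample
event below is constructed in that documented layout."""
import json
from typing import Any, Callable, Dict, List, Optional

# Event type codes AWS Health uses for scheduled EC2 interruptions.  For
# these the automated response is to drain the instance before the window.
DRAIN_EVENT_CODES = {
    "AWS_EC2_INSTANCE_STOP_SCHEDULED",
    "AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED",
    "AWS_EC2_INSTANCE_REBOOT_MAINTENANCE_SCHEDULED",
}

# Constructed sample event; identifiers are placeholders.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS Health Event",
    "source": "aws.health",
    "account": "123456789012",
    "time": "2016-11-30T17:00:00Z",
    "region": "us-east-1",
    "resources": ["i-0123456789abcdef0"],
    "detail": {
        "eventArn": "arn:aws:health:us-east-1::event/EXAMPLE-PLACEHOLDER",
        "service": "EC2",
        "eventTypeCode": "AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED",
        "eventTypeCategory": "scheduledChange",
        "startTime": "2016-12-07T00:00:00Z",
        "eventDescription": [{"language": "en_US",
                              "latestDescription": "Constructed sample."}],
        "affectedEntities": [
            {"entityValue": "i-0123456789abcdef0"},
            {"entityValue": "vol-0123456789abcdef0"},  # not an instance
        ],
    },
}


def is_health_event(event: Dict[str, Any]) -> bool:
    """Only act on events that really come from the AWS Health source."""
    return (event.get("source") == "aws.health"
            and event.get("detail-type") == "AWS Health Event")


def affected_instances(event: Dict[str, Any]) -> List[str]:
    """Return the EC2 instance ids among the event's affected entities."""
    entities = event.get("detail", {}).get("affectedEntities", [])
    return [e.get("entityValue", "") for e in entities
            if e.get("entityValue", "").startswith("i-")]


def plan_response(event: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what to do: drain, notify, or ignore an unexpected event."""
    if not is_health_event(event):
        return {"action": "ignore", "reason": "not an AWS Health event",
                "instances": []}
    code = event.get("detail", {}).get("eventTypeCode", "")
    instances = affected_instances(event)
    if code in DRAIN_EVENT_CODES and instances:
        return {"action": "drain", "reason": code, "instances": instances}
    # Outages and anything unrecognised go to a human rather than to
    # automation; the wrong automated reaction to an outage makes it worse.
    return {"action": "notify", "reason": code or "unknown",
            "instances": instances}


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   act: Optional[Callable[[Dict[str, Any]], None]] = None
                   ) -> Dict[str, Any]:
    """Lambda entry point.  `act` is a constructed hook for the real drain
    step (for example marking the instance unhealthy in its Auto Scaling
    group); without it the handler only logs the plan."""
    plan = plan_response(event)
    if act is not None and plan["action"] == "drain":
        act(plan)
    print(json.dumps(plan))
    return plan


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
```

Keeping the decision in `plan_response` and the side effect behind the `act` hook lets the logic be unit-tested offline and reviewed before it is allowed to touch production instances, which matters for any automation that reacts to platform events on its own.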
Vogels also announced X-Ray, which lets a user delve into the multiple services that might comprise an application.
That’s an important trait, because “your applications are becoming complex. They’re a web of services, a web of components put together,” Vogels said. “You need x-ray vision to dive into the application.”
X-Ray is a managed service that lets a customer dissect an application down to the component level. It can show just how much latency each service is contributing to the overall application’s performance, for example. It’s not targeted solely at containers, which lend themselves to this microservices approach, but it can certainly be used with containers, Vogels said.
Vogels was enthusiastic about all of AWS’ announcements, of course, but he seemed to particularly geek out about X-Ray. “This is one of the coolest releases that I can think of,” he said.