Want to know how to use AWS Lambda to execute a DDoS attack?



Recently I did a Cloud War Games Friday Tech Talk on fending off massive cyber attacks using AWS Web Application Firewall. For demonstration purposes I only did DoS (Denial of Service) attacks.

For the next WAF Tech Talk I am going to step up my game and do a proper DDoS (Distributed Denial of Service) attack.

Keep in mind these attacks are all against my own websites for the purposes of education and fun. No innocent websites were harmed in the production of these Tech Talks.

Practical Applications:

A more practical application of this would be for a crawler to pull data from websites without getting detected.

Lambdas:

With the sheer scale of what you can accomplish with a Lambda, it's the obvious first choice for building a tool that can scale up and hammer your website (for educational purposes), but there are some bottlenecks.

The Bottleneck:

If you are using a VPC paired with a NAT Gateway, it would be cost prohibitive to spin up a bunch of NAT Gateways. I suppose if you only booted them up for a brief second it could be done, but it could still end up costing you if you really wanted to spread it out.

Run The Lambda Outside Of A VPC:

This is an option, but then the problem comes with trying to get the Lambda to cycle IPs. Once a Lambda is hot (meaning it has booted up), requests appear to end up going back to the same IP address, which makes sense. It would be silly for AWS to propagate the underlying image to new host environments when one is already warmed up.

Multiple Lambdas:

What is really interesting is that if I have 2 Lambdas outside of a VPC and I run them back to back, they appear to have different IPs, making me think they just throw the Lambda onto the hosts randomly. This is good. That will allow us to spread out IP address ranges more.

Another interesting thing I just learned is that it appears there is NOT a limit on the number of Lambda functions you can have. There are plenty of other limitations, but I can’t find one for the count of Lambdas you can have.

Upon testing this I found that the Lambdas, if left cold, will keep an IP for just under 5 minutes.

So basically, with a little bit of Terraform magic and a basic event queue, we should be able to execute a basic DDoS attack.

Obvious Ways To Track This Behavior:

Let’s imagine you are participating in a live event and want to track the source of the DDoS attack. It wouldn’t take you long to find a pattern in the Lambda traffic that would make this painfully obvious. How exactly? Well, you would have to go back and watch my Tech Talk. I can’t be giving away all my secrets here 😛.
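One signal a defender could check for, given the observations above (many Lambdas, each holding a source IP for a few minutes), is a time window dominated by many distinct cloud-hosted source addresses. This is an added example, not code from the original post or the pattern shown in the Tech Talk; the CIDRs, thresholds, function names and log records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins for provider ranges (documentation-reserved networks).
# In practice, load the CIDRs from the provider's published list
# (AWS publishes ip-ranges.json).
CLOUD_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

def is_cloud(ip):
    """True if the source address falls inside any listed provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_CIDRS)

def suspicious_windows(records, window=300, min_ips=4, min_share=0.8):
    """Bucket requests into fixed windows (300 s mirrors the ~5 minute IP
    lifetime noted above) and flag buckets where most requests come from
    many distinct cloud-hosted addresses. Thresholds are assumptions."""
    buckets = defaultdict(lambda: {"total": 0, "cloud": 0, "ips": set()})
    for ts, ip, _path in records:
        b = buckets[ts - ts % window]
        b["total"] += 1
        if is_cloud(ip):
            b["cloud"] += 1
            b["ips"].add(ip)
    flagged = []
    for start in sorted(buckets):
        b = buckets[start]
        share = b["cloud"] / b["total"]
        if len(b["ips"]) >= min_ips and share >= min_share:
            flagged.append((start, len(b["ips"]), share))
    return flagged

# Constructed access-log records: (epoch seconds, source IP, path).
SAMPLE_LOG = (
    # Window 0: ordinary visitors from non-cloud addresses.
    [(10 + i * 20, f"192.0.2.{i % 3 + 1}", "/") for i in range(10)]
    # Window 300: burst spread over several cloud-hosted addresses.
    + [(300 + i * 5, f"198.51.100.{i % 6 + 10}", "/") for i in range(30)]
    + [(320, "192.0.2.1", "/"), (400, "192.0.2.2", "/about")]
    # Window 600: one cloud-hosted client, such as a monitoring probe.
    + [(600 + i * 30, "203.0.113.5", "/health") for i in range(5)]
)

if __name__ == "__main__":
    for start, n_ips, share in suspicious_windows(SAMPLE_LOG):
        print(f"window {start}: {n_ips} cloud IPs, {share:.0%} of requests")
```

The single cloud-hosted probe in the last window is not flagged, because the check requires both a high share of cloud traffic and several distinct addresses.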

Advanced WAF Techniques:

If you are interested in attending my Tech Talk on Advanced WAF Techniques (TBD) get on the CWG mailing list. We would also love to have you on the next live War Game event which is coming up in early June.