AWS Shield is a managed threat protection service that safeguards applications running on AWS against exploitation of application vulnerabilities, bad bots, and Distributed Denial of Service (DDoS) attacks. The AWS Shield Threat Landscape Report (TLR) provides you with a summary of threats detected by AWS Shield. This report is curated by the AWS Threat Response Team (TRT), which continually monitors and assesses the threat landscape to build protections on behalf of AWS customers. This includes rules and mitigations for services like AWS Managed Rules for AWS WAF and AWS Shield Advanced. You can use this information to expand your knowledge of external threats and improve the security of your applications running on AWS.
Here are some of our findings from the most recent report, which covers Q1 2020:
Volumetric Threat Analysis
AWS Shield detects network and web application-layer volumetric events that may indicate a DDoS attack, web content scraping, account takeover bots, or other unauthorized, non-human traffic. In Q1 2020, we observed significant increases in the frequency and volume of network volumetric threats, including a CLDAP reflection attack with a peak volume of 2.3 Tbps.
You can find a summary of the volumetric events detected in Q1 2020, compared to the same quarter in 2019, in the following table:
| Metric | Same Quarter, Prior Year (Q1 2019) | Most Recent Quarter (Q1 2020) | Change |
|---|---|---|---|
| Total number of events | 253,231 | 310,954 | +23% |
| Largest bit rate (Tbps) | 0.8 | 2.3 | +188% |
| Largest packet rate (Mpps) | 260.1 | 293.1 | +13% |
| Largest request rate (rps) | 1,000,414 | 694,201 | -31% |
| Days of elevated threat* | 1 | 3 | +200% |

* Days of elevated threat indicates the number of days during which the volume or frequency of events was unusually high.
Malware Threat Analysis
AWS operates a threat intelligence platform that monitors Internet traffic and evaluates potentially suspicious interactions. We observed significant increases in both the total number of events and the number of unique suspects, relative to the prior quarter. The most common interactions observed in Q1 2020 were Remote Code Execution (RCE) attempts on Apache Hadoop YARN applications, where the suspect attempts to exploit the API of a Hadoop cluster’s resource management system and execute code without authorization. In March 2020, these interactions accounted for 31% of all events detected by the threat intelligence platform.
You can find a summary of the volumetric events detected in Q1 2020, compared to the prior quarter, in the following table:
| Metric | Prior Quarter | Most Recent Quarter | Change |
|---|---|---|---|
| Total number of events (billion) | 0.7 | 1.1 | +57% |
| Unique suspects (million) | 1.2 | 1.6 | +33% |
For more information about the threats detected by AWS Shield in Q1 2020 and steps that you can take to protect your applications running on AWS, download the AWS Shield Threat Landscape Report.