Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mitigating DDOS Attacks with Terraform

Andy Gale
November 09, 2016

Mitigating DDOS Attacks with Terraform

A lightning talk about avoiding DDOS attacks with Terraform.

Andy Gale

November 09, 2016
Tweet

More Decks by Andy Gale

Other Decks in Technology

Transcript

  1. Mitigating DDOS
    Attacks with Terraform
    Andy Gale

    View full-size slide

  2. Andy Gale
    Managing Director
    Hello Future

    View full-size slide

  3. DDOS Attacks
    • DDOS - Distributed Denial Of Service attacks
    • DDOS attacks often target certain one or two
    few providers
    • If you host everything with one provider you
    can be stung if they are attacked

    View full-size slide

  4. Terraform
    • Keep your infrastructure as code
    • Set up your platform automatically with one
    command
    • Supports many of different services, called
    providers

    View full-size slide

  5. Terraform
    Archive
    Atlas
    AWS
    Bitbucket
    Chef
    CenturyLinkCloud
    CloudFlare
    CloudStack
    Cobbler
    Consul
    Datadog
    DigitalOcean
    DNSMadeEasy
    DNSimple
    Docker
    Dyn
    GitHub
    Fastly
    Google Cloud
    Grafana
    Heroku
    InfluxDB
    Librato
    Logentries
    Mailgun
    Microsoft Azure
    Microsoft Azure (Legacy ASM)
    MySQL
    OpenStack
    Packet
    PagerDuty
    PostgreSQL
    PowerDNS
    RabbitMQ
    Random
    Rundeck
    StatusCake
    SoftLayer
    Scaleway
    Template
    Terraform
    TLS
    Triton
    UltraDNS
    VMware vCloud Director
    VMware vSphere
    Providers

    View full-size slide

  6. Terraform
    • So we can see that we could set up our platform
    on multiple infrastructures with Terraform
    • Have them running on the time or spin them up
    on demand when a DDOS strikes
    • Of course budgetary constraints may have
    apply!

    View full-size slide

  7. Terraform
    • Simple, easy win - DNS
    • Have them running on the time or spin them up
    on demand when a DDOS strikes
    • Of course budgetary constraints may have apply!
    • But recent DDOS on Dyn DNS broke many sites

    View full-size slide

  8. Terraform
    resource "aws_route53_zone" "hellofuture" {
    name = "hellofutu.re"
    }
    resource "aws_route53_record" "www" {
    zone_id = "${aws_route53_zone.hellofuture.zone_id}"
    name = "www.hellofutu.re"
    type = "A"
    ttl = "300"
    records = ["212.45.31.81"]
    }
    AWS

    View full-size slide

  9. Terraform
    resource "dnsimple_record" "foobar" {
    domain = "hellofutu.re"
    name = "www.hellofutu.re"
    value = "212.45.31.81"
    type = "A"
    ttl = 300
    }
    DNSimpe

    View full-size slide

  10. Terraform
    resource "dyn_record" "foobar" {
    zone = "${var.dyn_zone}"
    name = "${var.www_record}"
    value = "${var.www_a}"
    type = "A"
    ttl = 300
    }
    DYN

    View full-size slide

  11. Terraform
    variable "domain" {
    default = "hellofutu.re"
    }
    variable "www_name" {
    default = "www.hellofutu.re"
    }
    variable "www_a" {
    default = "212.45.31.81"
    }
    Variables

    View full-size slide

  12. Terraform
    • Define multiple DNS servers for your domains
    • Keep them somewhere else (shortish TTL on
    the NS records) and if there is a DDOS attack
    just move them elsewhere.

    View full-size slide