Slide 1

Slide 1 text

Mitigating DDOS Attacks with Terraform
Andy Gale

Slide 2

Slide 2 text

Andy Gale
Managing Director
Hello Future

Slide 3

Slide 3 text

DDOS Attacks
• DDOS - Distributed Denial Of Service attacks
• DDOS attacks often target just one or two providers
• If you host everything with one provider you can be stung if they are attacked

Slide 4

Slide 4 text

Terraform
• Keep your infrastructure as code
• Set up your platform automatically with one command
• Supports many different services, called providers

Slide 5

Slide 5 text

Terraform
Providers: Archive, Atlas, AWS, Bitbucket, Chef, CenturyLinkCloud, CloudFlare, CloudStack, Cobbler, Consul, Datadog, DigitalOcean, DNSMadeEasy, DNSimple, Docker, Dyn, GitHub, Fastly, Google Cloud, Grafana, Heroku, InfluxDB, Librato, Logentries, Mailgun, Microsoft Azure, Microsoft Azure (Legacy ASM), MySQL, OpenStack, Packet, PagerDuty, PostgreSQL, PowerDNS, RabbitMQ, Random, Rundeck, StatusCake, SoftLayer, Scaleway, Template, Terraform, TLS, Triton, UltraDNS, VMware vCloud Director, VMware vSphere

Slide 6

Slide 6 text

Terraform
• So we can see that we could set up our platform on multiple infrastructures with Terraform
• Have them running all the time or spin them up on demand when a DDOS strikes
• Of course budgetary constraints may apply!

Slide 7

Slide 7 text

Terraform
• Simple, easy win - DNS
• Have them running all the time or spin them up on demand when a DDOS strikes
• Of course budgetary constraints may apply!
• But the recent DDOS on Dyn DNS broke many sites

Slide 8

Slide 8 text

Terraform
AWS

    # Hosted zone for the domain in Route 53
    resource "aws_route53_zone" "hellofuture" {
      name = "hellofutu.re"
    }

    # A record for www inside that zone
    resource "aws_route53_record" "www" {
      zone_id = "${aws_route53_zone.hellofuture.zone_id}"
      name    = "www.hellofutu.re"
      type    = "A"
      ttl     = "300"
      records = ["212.45.31.81"]
    }

Slide 9

Slide 9 text

Terraform
DNSimple

    # The same A record at DNSimple
    resource "dnsimple_record" "foobar" {
      domain = "hellofutu.re"
      name   = "www" # DNSimple record names are relative to the domain
      value  = "212.45.31.81"
      type   = "A"
      ttl    = 300
    }

Slide 10

Slide 10 text

Terraform
DYN

    # The same A record at Dyn, driven by variables
    resource "dyn_record" "foobar" {
      zone  = "${var.dyn_zone}"
      name  = "${var.www_record}"
      value = "${var.www_a}"
      type  = "A"
      ttl   = 300
    }

Slide 11

Slide 11 text

Terraform
Variables

    variable "domain" {
      default = "hellofutu.re"
    }

    variable "www_name" {
      default = "www.hellofutu.re"
    }

    variable "www_a" {
      default = "212.45.31.81"
    }

Slide 12

Slide 12 text

Terraform
• Define multiple DNS servers for your domains
• Keep them somewhere else (shortish TTL on the NS records) and if there is a DDOS attack just move them elsewhere.
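
The per-provider records from slides 8 and 9 can be driven from the shared variables on slide 11, so that one change to the address updates every provider. The configuration below is an added example, not part of the original deck. It assumes provider credentials are already configured, and the variables "www_label" and "standby_enabled" are hypothetical names introduced here.

```hcl
# Added example: one record published to two DNS providers from shared values.
# "www_label" and "standby_enabled" are hypothetical, not from the slides.
variable "domain" {
  default = "hellofutu.re"
}

variable "www_name" {
  default = "www.hellofutu.re"
}

variable "www_label" {
  default = "www" # DNSimple takes the record name relative to the domain
}

variable "www_a" {
  default = "212.45.31.81"
}

# 1 keeps the second provider populated all the time; 0 leaves it out
# until it is needed (terraform apply -var 'standby_enabled=1').
variable "standby_enabled" {
  default = 1
}

resource "aws_route53_zone" "hellofuture" {
  name = "${var.domain}"
}

resource "aws_route53_record" "www" {
  zone_id = "${aws_route53_zone.hellofuture.zone_id}"
  name    = "${var.www_name}"
  type    = "A"
  ttl     = "300"
  records = ["${var.www_a}"]
}

resource "dnsimple_record" "www" {
  count  = "${var.standby_enabled}"
  domain = "${var.domain}"
  name   = "${var.www_label}"
  value  = "${var.www_a}"
  type   = "A"
  ttl    = 300
}
```

Keeping both providers populated only helps if the domain's NS records can be pointed at either of them, which is why slide 12 recommends a shortish TTL on the NS records.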