Secure your Web Applications with AWS WAF & AWS Shield James Chiang ( 蔣宗恩 ) AWS Solution Architect www.cloudsec.com
What to expect from this session: Types of Threats; AWS Shield; AWS WAF; Demo
Real World DDOS Attack http://map.norsecorp.com/#/
DDoS Threats and Trends
(Chart: Largest DDoS Attacks (Gbps) by year, 2007 to 2018, y-axis 0 to 1600 Gbps, annotated with the Mirai attacks and the Memcached attacks.)
Why is DDoS a Problem?
Availability of your applications: attacks can last for hours and even days
Financial impact: lost revenue, increased infrastructure expense, extortion
Reputation hit
Security: data loss
Types of DDoS attacks
Types of DDoS attacks Volumetric DDoS attacks Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
Types of DDoS attacks State-exhaustion DDoS attacks Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
Types of DDoS attacks Application-layer DDoS attacks Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
Traditional Challenges with DDoS Protection: Mitigations require bandwidth, lots of it. Scaling is expensive. Anomaly detection is challenging and evolving. DDoS expertise is in short supply.
AWS approach to DDoS protection
At AWS, our goal has always been to remove undifferentiated heavy lifting and ensure availability: customers are automatically protected against common attacks, and AWS services are highly available.
DDoS protections built into AWS: integrated into the AWS global infrastructure; always-on, fast mitigation without external routing; redundant Internet connectivity in AWS data centers.
DDoS protections built into AWS: protection against the most common infrastructure attacks (SYN/ACK floods, UDP floods, reflection attacks, etc.) at no additional cost.
(Diagram: both DDoS attack traffic and user traffic pass through the AWS DDoS mitigation systems before reaching the application.)
Customers keep asking: What about large DDoS attacks? Does AWS protect me from application layer attacks? Does AWS protect me from DDoS attacks? I want to talk to DDoS experts. How can I get visibility when I get attacked? Scaling for DDoS attacks is expensive.
AWS Shield A Managed DDoS Protection Service
Types of Threats (AWS Shield covers the DDoS column)
Application Layer: DDoS: HTTP floods | Application Attacks: SQL injection, social engineering, sensitive data exposure, application exploits | Bad Bots: crawlers, content scrapers, scanners & probes
Network / Transport Layer: DDoS: reflection, SSL abuse, amplification, Slowloris, Layer 4 floods
Benefits of AWS Shield: AWS Integration (DDoS protection without infrastructure changes); Always-On Detection and Mitigation (minimize impact on application latency); Affordable (don't force unnecessary trade-offs between cost and availability); Flexible (customize protections for your applications)
AWS Shield: Standard Protection is available to ALL AWS customers at no additional cost. Advanced Protection is a paid service that provides additional protections, features, and benefits.
AWS Shield Standard
Layer 3/4 protection: automatic detection & mitigation; protection from the most common attacks (SYN/UDP floods, reflection attacks, etc.)
Layer 7 protection: AWS WAF for Layer 7 DDoS attack mitigation; self-service & pay-as-you-go
Built into AWS services: automatic protection against 96% of Layer 3/4 attacks; available globally on all internet-facing AWS services
L3/L4 Automatic mitigation system: an L3/L4 automatic mitigation system developed from AWS's DDoS protection experience. For CloudFront and Route 53 it is placed inline before the edge location and examines all incoming packets, automatically reducing 96% of DDoS attacks with no additional settings or fees.
Advantages: scalability and low cost; permanent protection; automatic mitigation; built for the AWS solution.
(Diagram: user and DDoS attack traffic enter at the edge location, pass the automatic mitigation in front of CloudFront / Route 53, and continue to the AWS Region hosting the customer's origin infrastructure (ELB, EC2, S3, etc.).)
DDoS attack mitigation example: on May 6, 2015, a DNS flood attack targeted Route 53's 34 edge locations. Its peak volume was in the top 4% of DDoS attacks to date (source: Arbor Networks). It was automatically detected and mitigated without affecting availability; hundreds of attacks are calmed down this way each year.
AWS Shield Advanced Managed DDoS Protection
AWS Shield Advanced: additional detection & monitoring; protection against large DDoS attacks; visibility into attack detection & mitigation; AWS WAF at no additional cost; 24x7 DDoS response team; cost protection (absorbs DDoS scaling cost)
AWS Shield Advanced is available on Application Load Balancer, Classic Load Balancer, Amazon CloudFront and Amazon Route 53, in the following regions: Northern Virginia (us-east-1), Oregon (us-west-2), Ireland (eu-west-1), Tokyo (ap-northeast-1)
Demo
AWS DDoS Shield: Pricing
Standard Protection: no commitment, no additional cost
Advanced Protection: 1 year subscription commitment; monthly base fee: $3,000; plus data transfer fees
Data transfer price ($ per GB), CloudFront / ELB:
First 100 TB: $0.025 / $0.050
Next 400 TB: $0.020 / $0.040
Next 500 TB: $0.015 / $0.030
Next 4 PB: $0.010 / Contact Us
Above 5 PB: Contact Us / Contact Us
AWS DDoS Shield: How to choose
Standard Protection: for protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS.
Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.
AWS WAF Managed DDoS Protection
Types of Threats (AWS WAF covers the application-layer columns)
Application Layer: DDoS: HTTP floods | Application Attacks: SQL injection, social engineering, sensitive data exposure, application exploits | Bad Bots: crawlers, content scrapers, scanners & probes
Network / Transport Layer: DDoS: reflection, SSL abuse, amplification, Slowloris, Layer 4 floods
How Does AWS WAF Protect you?
What is AWS WAF?
Malicious request blocking: SQLi, XSS
Web traffic filtering with custom rules: rate-based rules; IP match & Geo-IP filters; regex & string match; size constraints; action: Allow/Block
Active monitoring & tuning: CloudWatch metrics/alarms; sampled logs; Count action mode
Common protections using AWS WAF today: HTTP floods (rate-based rules); scanners and probes; IP reputation lists; bots and scrapers; SQL injection; cross-site scripting
AWS WAF is available on Amazon CloudFront and Application Load Balancer
AWS WAF Key Benefits: ease of use; fast incident response; APIs + flexible rule language; preconfigured protection
Example: Whitelisting good users. Verify that a valid referrer is present.
Raw request headers:
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh;
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (string match condition): Check: Header Referrer; Match Type: Contains; Match: example.com; Action: ALLOW
(Diagram: good users reach CloudFront through AWS WAF.)
Example: Apache Struts Vulnerability Virtual Patching: A security policy enforcement layer which prevents the exploitation of a known vulnerability in the code. For more details: https://forums.aws.amazon.com/ann.jspa?annid=4489
Example: Rate limit access to login page. A rate-based rule with a string match condition on the URI gives protection from brute-force login attempts.
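To show how the rule types on the last three slides (string match on a header, rate-based rule scoped by URI, ordered rules with a default action and Count mode) combine in a web ACL, here is a small Python model of that evaluation. It is an added example written for this page, not AWS WAF code or the AWS API: the 5-request limit, the sample requests and the IP addresses are constructed, and the class and function names are hypothetical. Real AWS WAF rate-based rules count per client IP over a five-minute window; the model keeps that window but uses a tiny limit so the effect is visible in a handful of requests.

```python
"""Toy model of AWS WAF web ACL evaluation (constructed example, not the AWS API)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"


@dataclass
class Request:
    client_ip: str
    uri: str
    headers: dict
    ts: float = 0.0  # seconds; constructed timestamps for the sample run


def header_contains(name, needle):
    """String match condition: header <name>, match type 'Contains'."""
    def cond(req):
        value = next((v for k, v in req.headers.items() if k.lower() == name.lower()), "")
        return needle in value
    return cond


def uri_starts_with(prefix):
    """String match condition on the URI, match type 'Starts with'."""
    def cond(req):
        return req.uri.startswith(prefix)
    return cond


class RateBased:
    """Rate-based rule: sliding-window request count per client IP.

    AWS WAF uses a five-minute window (kept here); only requests matching the
    optional scope condition (e.g. the login URI) are counted.
    """
    def __init__(self, limit, scope_cond=None, window=300):
        self.limit, self.scope, self.window = limit, scope_cond, window
        self.hits = defaultdict(deque)

    def __call__(self, req):
        if self.scope and not self.scope(req):
            return False
        q = self.hits[req.client_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


@dataclass
class WebACL:
    rules: list          # ordered (name, condition, action) tuples
    default_action: str
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, req):
        """First rule whose condition matches decides, unless its action is COUNT,
        which only records the match (the slide's tuning mode) and keeps going."""
        for name, cond, action in self.rules:
            if cond(req):
                self.counts[name] += 1
                if action != COUNT:
                    return action, name
        return self.default_action, "default"


def build_acl():
    # Rate limit is evaluated before the referrer whitelist: a brute-force
    # attempt that carries a valid referrer must still be throttled.
    return WebACL(
        rules=[
            ("rate-limit-login", RateBased(limit=5, scope_cond=uri_starts_with("/login")), BLOCK),
            ("allow-good-referrer", header_contains("Referrer", "example.com"), ALLOW),
        ],
        default_action=BLOCK,
    )


def run_sample():
    """Evaluate constructed requests and return the decisions by scenario."""
    acl = build_acl()
    good = {"Host": "www.example.com", "Referrer": "http://www.example.com/"}
    results = {}
    results["page_with_referrer"] = acl.evaluate(Request("198.51.100.10", "/index.html", good, ts=0))[0]
    results["page_without_referrer"] = acl.evaluate(
        Request("198.51.100.11", "/index.html", {"Host": "www.example.com"}, ts=0))[0]
    # Repeated /login requests from one IP, one per second, all with a valid referrer
    login = [acl.evaluate(Request("203.0.113.5", "/login", good, ts=i))[0] for i in range(8)]
    results["login_first_five"] = login[:5]
    results["login_sixth"] = login[5]
    return results


if __name__ == "__main__":
    for scenario, decision in run_sample().items():
        print(f"{scenario}: {decision}")
```

Rule order is the point worth checking in a real web ACL too: if the referrer ALLOW rule were listed first, the login flood would be allowed before the rate-based rule ever counted it. Switching the rate-based rule's action to COUNT is the safe way to measure how many clients would trip the limit before enforcing it.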
Managed Rules: Managed Rules are now enabled on AWS WAF, with five featured sellers!
Featured sellers
Managed Rules key benefits: 1. Rules managed by security experts 2. Choice of protections 3. Auto-updates 4. Pay as you go 5. Easy to deploy
Deploy in three easy steps: find rules on the AWS WAF console or AWS Marketplace; click and subscribe; associate the rules in AWS WAF
Trend Micro: Product details
1. Rules for Nginx and Apache servers: protects web servers, including the Apache suite (Apache Httpd, Apache Struts, Apache Tomcat) and Nginx, from known vulnerabilities and helps meet PCI DSS requirements.
2. Content Management Servers (CMS) rules: protects common CMS and EMS, including WordPress, Joomla, and Drupal, from known vulnerabilities and helps meet PCI DSS requirements.
Trend Micro delivers proactive global threat intelligence against zero-hour threats to ensure that you are always protected.
Demo
THANK YOU James Chiang AWS Solution Architect www.cloudsec.com