Advanced Techniques for DDoS Mitigation and Web Application Defense
Dr. Andrew Kane, Solutions Architect
Giorgio Bonfiglio, Technical Account Manager
June 28th, 2017
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to expect from this session
- Types of Threats
- AWS Shield
- AWS WAF
- AWS VPC
Types of Threats
Types of Threats

                            DDoS              Application Attacks        Bad Bots
Application Layer           HTTP floods       SQL injection              Crawlers
                                              Social engineering         Content scrapers
                                              Sensitive data exposure    Scanners & probes
                                              Application exploits
Network / Transport Layer   Reflection
                            SSL abuse
                            Amplification
                            Slowloris
                            Layer 4 floods

DDoS Threats: Network / Transport Layer DDoS
(diagram)

DDoS Threats: Application DDoS
(diagram: good users and bad guys both sending requests through the web server to the database)

Application Threats
(diagram: alongside the good users, bad guys send exploit code, XSS and SQL injection through the web server to the database)

Bad Bot Threats
(diagram: alongside the good users, bad guys crawl the web server to steal premium content)
AWS Shield
Types of Threats addressed by AWS Shield: the DDoS column
- Application Layer: HTTP floods
- Network / Transport Layer: Reflection, SSL abuse, Amplification, Slowloris, Layer 4 floods

AWS Shield
- Standard Protection: available to ALL AWS customers at no additional cost.
- Advanced Protection: paid service that provides additional protections, features and benefits.

Benefits of AWS Shield
- AWS Integration: DDoS protection without infrastructure changes
- Always-On Detection and Mitigation: minimize impact on application latency
- Affordable: don't force unnecessary trade-offs between cost and availability
- Flexible: customize protections for your applications

AWS Shield Standard
Layer 3/4 protection
- Automatic detection & mitigation
- Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.)
Layer 7 protection
- AWS WAF for Layer 7 DDoS attack mitigation
- Self-service & pay-as-you-go
- Built into AWS services
Automatic protection against 96% of Layer 3/4 attacks. Available globally on all internet-facing AWS services.

AWS Shield Advanced
- Additional detection & monitoring
- Protection against large DDoS attacks
- Visibility into attack detection & mitigation
- AWS WAF at no additional cost
- 24x7 DDoS Response Team
- Cost protection (absorb DDoS scaling cost)
AWS Shield Advanced: DDoS Multi-Layered Mitigation
(diagram, built up over five slides: traffic flows from the Internet through the Border Network, where Internet-Layer Mitigations apply, into AWS Services, where Network Layer Mitigations apply, and on to the Customer Infrastructure, where Web Layer Mitigations apply; DDoS Detection and the DDoS Response Team sit alongside all three layers)
Effective against, one set per slide build:
- Large-scale attacks
- SYN floods, reflection attacks, suspicious sources
- SSL attacks, Slowloris, malformed HTTP
- HTTP floods, bad bots, suspicious IPs
- Sophisticated Layer 7 attacks
Shield Demo
AWS Shield Advanced is available on:
- Application Load Balancer
- Classic Load Balancer
- Amazon CloudFront
- Amazon Route 53
In the following regions:
- Northern Virginia (us-east-1)
- Oregon (us-west-2)
- Ireland (eu-west-1)
- Tokyo (ap-northeast-1)
AWS WAF
Types of Threats addressed by AWS WAF: the Application Layer row
- DDoS: HTTP floods
- Application Attacks: SQL injection, Social engineering, Sensitive data exposure, Application exploits
- Bad Bots: Crawlers, Content scrapers, Scanners & probes
(Network / Transport Layer, for reference: Reflection, SSL abuse, Amplification, Slowloris, Layer 4 floods)

Challenges of Web Application Firewalls
- Setup is complex and slow
- Too many false positives
- Limited APIs for automation
- Expensive to implement and maintain

AWS WAF
A web application firewall designed to help you defend against common web application exploits.
- Fast incident response
- Flexible rule language
- APIs for automation
- Preconfigured protection

What is AWS WAF?
- Web traffic filtering with custom rules
- Malicious request blocking
- Active monitoring and tuning

How Does AWS WAF Protect You?
- Security Automations
- Preconfigured Protections
- Highly Flexible Rule Language

Highly Flexible Rule Language
- Quick incident response
- Mitigations take effect in under about a minute
- Inspect any part of the request

Preconfigured Protections
You can get started quickly with built-in rules based on common use-cases.
(diagram: CloudFormation template -> AWS WAF configuration)
Preconfigured Protections Demo
Virtual Patching Demo
Security Automations
Automated anomaly detection that you can take action on using Lambda functions.
- Dynamic rules based on anomalies
- Using Lambda & service logs

Security Automations: traditional incident response
(diagram)

Security Automations: next-generation incident response
(diagram)
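A worked version of the "Lambda + service logs -> dynamic rule" loop the Security Automations slides describe, added here as an illustration. It is not the talk's code and not the AWS Security Automations solution's source. It parses CloudFront access-log lines (a constructed sample is embedded), finds source IPs that send more than a threshold of requests inside any sliding window, and builds the `Updates` payload for the classic AWS WAF `update_ip_set` call. The thresholds, the `push_to_waf` helper and the IP set ID are assumptions; the WAF client is passed in rather than created, so everything except the final API call runs offline.

```python
"""Added example (not the talk's or AWS's own code): log-driven blocking of
HTTP-flood sources, with the AWS calls isolated so the rest runs offline."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed CloudFront access-log excerpt (tab-separated W3C style with a
# #Fields header; only the fields this example needs are present).
# 203.0.113.7 hammers /login, 198.51.100.2 browses normally, and 192.0.2.9
# is a monitor that polls /health every two minutes.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status",
] + [
    f"2017-06-28\t10:00:0{s}\tLHR3\t512\t203.0.113.7\tPOST\td123.cloudfront.net\t/login\t401"
    for s in range(1, 7)
] + [
    "2017-06-28\t10:00:10\tLHR3\t2048\t198.51.100.2\tGET\td123.cloudfront.net\t/\t200",
    "2017-06-28\t10:00:40\tLHR3\t2048\t198.51.100.2\tGET\td123.cloudfront.net\t/site.css\t200",
    "2017-06-28\t10:01:30\tLHR3\t2048\t198.51.100.2\tGET\td123.cloudfront.net\t/app.js\t200",
] + [
    f"2017-06-28\t10:{m:02d}:00\tLHR3\t512\t192.0.2.9\tGET\td123.cloudfront.net\t/health\t200"
    for m in range(0, 11, 2)
])


def parse_cloudfront_log(text: str) -> list:
    """Turn a CloudFront log file into dicts keyed by the names in its #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data line before the #Fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def offenders(rows, window_seconds: int, threshold: int, allowlist=()) -> set:
    """Source IPs with more than `threshold` requests inside any window of
    `window_seconds`; addresses covered by the `allowlist` CIDRs are skipped."""
    exempt = [ipaddress.ip_network(c) for c in allowlist]
    times_by_ip = defaultdict(list)
    for r in rows:
        stamp = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        times_by_ip[r["c-ip"]].append(stamp)
    bad = set()
    for ip, times in times_by_ip.items():
        if any(ipaddress.ip_address(ip) in net for net in exempt):
            continue
        times.sort()
        start = 0  # two-pointer sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                bad.add(ip)
                break
    return bad


def build_ip_set_updates(ips, action: str = "INSERT") -> list:
    """Updates payload for the classic AWS WAF update_ip_set API (host routes only)."""
    updates = []
    for ip in sorted(ips):
        addr = ipaddress.ip_address(ip)
        updates.append({"Action": action, "IPSetDescriptor": {
            "Type": f"IPV{addr.version}",
            "Value": f"{ip}/{32 if addr.version == 4 else 128}"}})
    return updates


def push_to_waf(waf, ip_set_id: str, updates: list):
    """Apply the updates. `waf` is boto3.client('waf') for CloudFront web ACLs or
    boto3.client('waf-regional') for ALBs; it needs credentials, so it is not
    exercised offline. ip_set_id is an assumed, pre-created IP set."""
    if not updates:
        return None
    token = waf.get_change_token()["ChangeToken"]
    return waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)


if __name__ == "__main__":
    rows = parse_cloudfront_log(SAMPLE_LOG)
    bad = offenders(rows, window_seconds=60, threshold=5, allowlist=["192.0.2.0/24"])
    print(bad, build_ip_set_updates(bad))
```

In a deployment the Lambda is triggered by the log objects CloudFront or the ALB delivers to S3, and a companion function should expire entries after a cool-down so the IP set stays bounded. Blocking by source address is cheap but coarse: a shared NAT or proxy address carries legitimate users too, so keep the allowlist current and prefer a DELETE update over a permanent block.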
AWS VPC
What customers asked for
- Private IP space in AWS
- Familiar networking model
- Customer-defined networking logic
- Strong security controls
- Private connectivity to their data centers

Key Features of VPC
- Choosing an address range
- Setting up subnets in Availability Zones
- Creating a route to the Internet
- Authorizing traffic to/from the VPC
VPC Controls
(diagram)
- 10.0.1.0/24  Public Subnet              SG-ALB (the load balancer)
- 10.0.2.0/24  Private Subnet (Web Tier)  SG-Web (three web instances)
- 10.0.3.0/24  Private Subnet (App Tier)  SG-App (three app instances)

Simple Approach (security group rules keyed on subnet CIDRs)
- SG-ALB: allow all traffic
- SG-Web: allow 10.0.1.0/24 (the public subnet)
- SG-App: allow 10.0.2.0/24 (the web tier subnet)

Secure Approach (security group rules keyed on other security groups)
- SG-ALB: allow CloudFront IP ranges only
- SG-Web: allow SG-ALB only
- SG-App: allow SG-Web only
A CIDR rule admits anything that ends up in that subnet, including a rogue or compromised instance; a rule that references a security group admits only current members of that group, and "allow all" on the load balancer lets attackers hit the origin directly and bypass CloudFront and AWS WAF.
Security Groups + CloudFront IP ranges
(diagram: ip-ranges.json change -> Amazon SNS -> AWS Lambda -> update SG-ALB)
Blog post here -> http://amzn.to/2fj4q8e
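The control loop behind the Secure Approach for SG-ALB and the "Security Groups + CloudFront IP ranges" slide, as an added example. It is not the code from the linked blog post; it is a compact re-implementation of the same idea. The structure of ip-ranges.json (`syncToken`, `prefixes`, `ip_prefix`, `region`, `service`) is the real one, while the `SAMPLE_*` data, the security group IDs and the `url`/`md5` field names taken from the SNS message are constructed or assumed. The functions that compute the delta run offline; only `sync_security_group` and `lambda_handler` touch AWS.

```python
"""Added example (not the blog post's code): keep SG-ALB's HTTPS ingress equal
to the current CloudFront prefixes from ip-ranges.json."""
import hashlib
import json
import urllib.request

# Constructed miniature of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1498600000",
    "createDate": "2017-06-28-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.54.63.128/26", "region": "ap-southeast-2", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed describe_security_groups() entry for SG-ALB: one stale CIDR
# left over from testing (203.0.113.0/24) and one CloudFront range missing.
SAMPLE_SG_ALB = {
    "GroupId": "sg-0123abcd",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "52.84.0.0/15"}, {"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


def md5_hex(body: str) -> str:
    return hashlib.md5(body.encode()).hexdigest()


def cloudfront_prefixes(ip_ranges_json: str, scope: str = "all") -> set:
    """CloudFront IPv4 prefixes. scope 'global' / 'regional' lets the list be
    split across two security groups when it exceeds the per-group rule limit."""
    wanted = set()
    for p in json.loads(ip_ranges_json)["prefixes"]:
        if p["service"] != "CLOUDFRONT":
            continue
        is_global = p["region"] == "GLOBAL"
        if (scope == "global" and not is_global) or (scope == "regional" and is_global):
            continue
        wanted.add(p["ip_prefix"])
    return wanted


def current_cidrs(security_group: dict, port: int) -> set:
    """IPv4 CIDRs already allowed for TCP `port` in a describe_security_groups entry."""
    cidrs = set()
    for perm in security_group["IpPermissions"]:
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port == perm.get("ToPort"):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def plan_changes(wanted: set, current: set):
    """(to_authorize, to_revoke) so that the group ends up allowing exactly `wanted`."""
    return sorted(wanted - current), sorted(current - wanted)


def ip_permissions(cidrs, port: int) -> list:
    """IpPermissions payload for authorize/revoke_security_group_ingress."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def sync_security_group(ec2, group_id: str, wanted: set, port: int = 443):
    """Apply the delta with a boto3 EC2 client (needs credentials; not run offline)."""
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    add, remove = plan_changes(wanted, current_cidrs(sg, port))
    if add:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions(add, port))
    if remove:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions(remove, port))
    return add, remove


def lambda_handler(event, context):
    """SNS-triggered entry point. The `url` and `md5` fields of the
    AmazonIpSpaceChanged message are an assumption to check against the docs."""
    import boto3  # imported here so the pure functions above run without it
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    body = urllib.request.urlopen(msg["url"]).read().decode()
    if md5_hex(body) != msg["md5"]:
        raise RuntimeError("ip-ranges.json digest mismatch; not touching security groups")
    ec2 = boto3.client("ec2")
    # Hypothetical group IDs: one group for GLOBAL prefixes, one for regional ones.
    return {
        "global": sync_security_group(ec2, "sg-alb-cf-global", cloudfront_prefixes(body, "global")),
        "regional": sync_security_group(ec2, "sg-alb-cf-regional", cloudfront_prefixes(body, "regional")),
    }


if __name__ == "__main__":
    wanted = cloudfront_prefixes(SAMPLE_IP_RANGES, "global")
    print(plan_changes(wanted, current_cidrs(SAMPLE_SG_ALB, 443)))
```

Two caveats for anyone deploying this pattern. The CloudFront prefix list is long enough to run into the per-security-group rule limit, which is why the global and regional prefixes go into separate groups that are both attached to the ALB. And restricting SG-ALB to CloudFront ranges only stops direct-to-origin traffic from the open internet; any CloudFront distribution, including an attacker's, still sits inside those ranges, so also have your distribution add a secret custom origin header and block requests without it (an AWS WAF rule on the ALB is the natural place).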
Thank you!