Advanced Techniques for DDoS Mitigation and Web Application Defense

Dr. Andrew Kane, Solutions Architect
Giorgio Bonfiglio, Technical Account Manager

June 28th, 2017

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to expect from this session

• Types of Threats
• AWS Shield
• AWS WAF
• AWS VPC

Types of Threats

DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification

Application Attacks: SQL injection, Application exploits, Social engineering, Sensitive data exposure

Bad Bots: Content scrapers, Scanners & probes, Crawlers

Layers: Application Layer; Network / Transport Layer

DDoS Threats

Network / Transport Layer DDoS

DDoS Threats

Application DDoS

Good users

Bad guys

Web server Database

Application Threats

Good users

Bad guys

Web server Database

Exploit code

SQL injection

XSS

Bad Bot Threats

Good users

Bad guys

Web server Database

Steal premium content

AWS Shield

Types of Threats

DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification

Layers: Application Layer; Network / Transport Layer

AWS Shield

Standard Protection: Available to ALL AWS customers at No Additional Cost

Advanced Protection: Paid service that provides additional protections, features and benefits.

Benefits of AWS Shield

• AWS Integration: DDoS protection without infrastructure changes
• Affordable: Don’t force unnecessary trade-offs between cost and availability
• Flexible: Customize protections for your applications
• Always-On Detection and Mitigation: Minimize impact on application latency

AWS Shield Standard

Layer 3/4 protection

✓ Automatic detection & mitigation

✓ Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)

✓ Built into AWS services

Layer 7 protection

✓ AWS WAF for Layer 7 DDoS attack mitigation

✓ Self-service & pay-as-you-go

Automatic Protection against 96% of Layer 3/4 attacks

Available globally on all internet-facing AWS services

AWS Shield Advanced

Additional Detection & Monitoring

Protection Against Large DDoS Attacks

Visibility Into Attack Detection & Mitigation

AWS WAF at No Additional Cost

24x7 DDoS Response Team

Cost Protection (Absorb DDoS Scaling Cost)

AWS Shield Advanced

Multi-Layered Mitigation

Diagram labels (the same diagram appears on five consecutive slides): Internet, DDoS, Border Network, Internet-Layer Mitigations, Network Layer Mitigations, AWS Services, Web Layer Mitigations, Customer Infrastructure, DDoS Detection, DDoS Response Team

Effective Against (one entry per slide, in slide order):

• Large-Scale Attack
• SYN Floods, Reflection Attacks, Suspicious Sources
• SSL Attacks, Slowloris, Malformed HTTP
• HTTP Floods, Bad Bots, Suspicious IPs
• Sophisticated Layer 7 attacks

Shield Demo

AWS Shield Advanced

Available on ...

Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53

In the following regions ...

✓ Northern Virginia (us-east-1)
✓ Oregon (us-west-2)
✓ Ireland (eu-west-1)
✓ Tokyo (ap-northeast-1)

AWS WAF

Types of Threats

DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification

Application Attacks: SQL injection, Application exploits, Social engineering, Sensitive data exposure

Bad Bots: Content scrapers, Scanners & probes, Crawlers

Layers: Application Layer; Network / Transport Layer

Challenges of Web Application Firewalls

Setup is complex and slow

Too many false positives

Limited APIs for automation

Expensive to implement and maintain

AWS WAF

Fast Incident Response

Preconfigured Protection

APIs for Automation

Flexible Rule Language

A web application firewall designed to help you defend against common web application exploits

What is AWS WAF

Web traffic filtering with custom rules

Malicious request blocking

Active monitoring and tuning

How Does AWS WAF Protect You?

Security Automations

Preconfigured Protections

Highly Flexible Rule Language

Highly Flexible Rule Language

✓ Quick Incident Response

✓ Mitigations in < ~1 Min

✓ Inspect Any Part of the Request

Preconfigured Protections

You can get started quickly with built-in rules based on common use-cases.

CloudFormation template

AWS WAF Configuration

Preconfigured Protections Demo

Virtual Patching Demo

Security Automations

Automated anomaly detection that you can take action on using Lambda functions.

✓ Dynamic Rules Based on Anomaly

✓ Using Lambda & Service Logs

Security Automations

Traditional incident response

Security Automations

Next-generation incident response

AWS VPC

What customers asked for…

✓ Private IP space in AWS
✓ Familiar networking model
✓ Customer-defined networking logic
✓ Strong security controls
✓ Private connectivity to their data centers

Key Features of VPC

Choosing an address range

Setting up subnets in Availability Zones

Creating a route to the Internet

Authorizing traffic to/from the VPC

VPC Controls

Diagram labels: Public Subnet, Private Subnet (Web Tier), Private Subnet (App Tier); security groups SG-ALB, SG-Web, SG-App; subnet ranges 10.0.2.0/24, 10.0.1.0/24, 10.0.3.0/24

Simple Approach

Diagram labels: Public Subnet, Private Subnet (Web Tier), Private Subnet (App Tier); security groups SG-ALB, SG-Web, SG-App; subnet ranges 10.0.2.0/24, 10.0.1.0/24, 10.0.3.0/24

Rules shown:

• Allow all traffic
• Allow 10.0.2.0/24
• Allow 10.0.1.0/24

Secure Approach

Diagram labels: Public Subnet, Private Subnet (Web Tier), Private Subnet (App Tier); security groups SG-ALB, SG-Web, SG-App; subnet ranges 10.0.2.0/24, 10.0.1.0/24, 10.0.3.0/24

Rules shown:

• Allow CloudFront IP Ranges only
• Allow SG-ALB only
• Allow SG-Web only

Security Groups + CloudFront IP ranges

Blog Post here -> http://amzn.to/2fj4Q8e

IP-ranges.json

SG-ALB

Amazon SNS

AWS Lambda
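The slide above pairs ip-ranges.json with Amazon SNS, AWS Lambda and SG-ALB. As an added example (not code from the presentation or the linked blog post), this Python shows the decision such a function has to make when the published ranges change: which CIDRs to authorize on SG-ALB and which to revoke, including a leftover "allow all" rule from the simple approach. The sample document and the function names are constructed for illustration, and the code computes the change set only, without calling AWS.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout; the prefixes are
# documentation ranges (RFC 5737), not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2017-06-28-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
})


def service_prefixes(ip_ranges_json, service="CLOUDFRONT"):
    """Return the IPv4 CIDRs published for one service as a set of strings."""
    doc = json.loads(ip_ranges_json)
    cidrs = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") == service:
            # strict=True raises on a CIDR with host bits set rather than
            # silently accepting a malformed entry.
            cidrs.add(str(ipaddress.ip_network(entry["ip_prefix"], strict=True)))
    return cidrs


def plan_ingress_update(current_cidrs, wanted_cidrs):
    """Diff SG-ALB's current ingress CIDRs against the wanted allow list."""
    wanted = set(wanted_cidrs)
    if not wanted:
        # An empty list (bad download, wrong service name) would revoke
        # every rule and cut the origin off from CloudFront.
        raise ValueError("refusing to plan against an empty allow list")
    current = {str(ipaddress.ip_network(c)) for c in current_cidrs}
    return {
        "authorize": sorted(wanted - current),
        "revoke": sorted(current - wanted),  # includes a leftover 0.0.0.0/0
    }


if __name__ == "__main__":
    wanted = service_prefixes(SAMPLE_IP_RANGES)
    print(plan_ingress_update(["0.0.0.0/0", "198.51.100.0/24"], wanted))
```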

Thank you!