© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dr. Andrew Kane, Solutions Architect; Giorgio Bonfiglio, Technical Account Manager
June 28th, 2017
Advanced Techniques for DDoS Mitigation and Web Application Defense
Types of Threats

The slide arranges threats in three columns (DDoS, Bad Bots, Application Attacks) against two rows (Network/Transport Layer, Application Layer):

DDoS
- Network/Transport layer: Reflection, Layer 4 floods, Amplification
- Application layer: Slowloris, SSL abuse, HTTP floods

Bad Bots (application layer)
- Content scrapers
- Scanners & probes
- Crawlers

Application Attacks (application layer)
- SQL injection
- Application exploits
- Social engineering
- Sensitive data exposure
Types of Threats: DDoS (the network/transport-layer and application-layer DDoS column from the slide above)
AWS Shield

Standard Protection: available to ALL AWS customers at no additional cost.
Advanced Protection: paid service that provides additional protections, features and benefits.
Benefits of AWS Shield
- AWS integration: DDoS protection without infrastructure changes
- Affordable: don't force unnecessary trade-offs between cost and availability
- Flexible: customize protections for your applications
- Always-on detection and mitigation: minimize impact on application latency
AWS Shield Standard

Layer 3/4 protection
✓ Automatic detection & mitigation
✓ Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.)
✓ Built into AWS services

Layer 7 protection
✓ AWS WAF for Layer 7 DDoS attack mitigation
✓ Self-service & pay-as-you-go

Automatic protection against 96% of Layer 3/4 attacks (the figure is the deck's own)
Available globally on all internet-facing AWS services
AWS Shield Advanced
- Additional detection & monitoring
- Protection against large DDoS attacks
- Visibility into attack detection & mitigation
- AWS WAF at no additional cost
- 24x7 DDoS Response Team
- Cost protection (absorb DDoS scaling cost)
AWS Shield Advanced: Multi-Layered Mitigation

The diagram (built up over five slides) shows traffic from the Internet crossing these layers before it reaches the customer, with DDoS Detection feeding every layer and the DDoS Response Team behind all of them:

- Border Network: Internet-layer mitigations
- AWS Services: network-layer mitigations
- Web-layer mitigations
- Customer infrastructure

Effective against, in the order the builds add them:
- Large-scale attacks
- SYN floods, reflection attacks, suspicious sources
- SSL attacks, Slowloris, malformed HTTP
- HTTP floods, bad bots, suspicious IPs
- Sophisticated Layer 7 attacks
AWS Shield Advanced

Available on: Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53

In the following regions:
✓ Northern Virginia (us-east-1)
✓ Oregon (us-west-2)
✓ Ireland (eu-west-1)
✓ Tokyo (ap-northeast-1)
AWS WAF

Challenges of Web Application Firewalls
- Setup is complex and slow
- Too many false positives
- Limited APIs for automation
- Expensive to implement and maintain

AWS WAF: a web application firewall designed to help you defend against common web application exploits
- Fast incident response
- Preconfigured protection
- APIs for automation
- Flexible rule language

What is AWS WAF
- Web traffic filtering with custom rules
- Malicious request blocking
- Active monitoring and tuning
How Does AWS WAF Protect You?

Three pillars: Security Automations, Preconfigured Protections, Highly Flexible Rule Language.

Highly Flexible Rule Language
✓ Quick incident response
✓ Mitigations in < ~1 min
✓ Inspect any part of the request

Preconfigured Protections
You can get started quickly with built-in rules based on common use-cases, delivered as a CloudFormation template that deploys the AWS WAF configuration.

Security Automations
Automated anomaly detection that you can take action on using Lambda functions.
✓ Dynamic rules based on anomaly
✓ Using Lambda & service logs
The slides contrast traditional incident response (a human reads logs and edits rules) with next-generation incident response, where the detection and the rule update are automated.
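The "dynamic rules based on anomaly, using Lambda and service logs" pattern, as an added example that is not code from the deck: it scans access-log lines for clients that burst past a request threshold and turns the result into an AWS WAF IP set update. It assumes the 2017-era classic AWS WAF API (boto3 client "waf" with get_change_token and update_ip_set), the CloudFront access-log column layout (field 0 date, 1 time, 4 c-ip), and a hypothetical IPSetId; the log lines are constructed sample data.

```python
"""HTTP-flood detection over access logs, feeding an AWS WAF IP set.

Added example, not code from the deck. Assumes the classic (2017-era) AWS WAF
API (boto3 client "waf": get_change_token / update_ip_set), the CloudFront
access-log layout (tab-separated; field 0 = date, 1 = time, 4 = c-ip) and a
hypothetical IPSetId. SAMPLE_LOG below is constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Constructed CloudFront-style excerpt: six hits from one client in five seconds,
# two from another. Only the date, time and c-ip columns are used.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status",
    "2017-06-28\t10:00:00\tIAD12\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/login\t200",
    "2017-06-28\t10:00:01\tIAD12\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/login\t200",
    "2017-06-28\t10:00:02\tIAD12\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/login\t200",
    "2017-06-28\t10:00:03\tIAD12\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/login\t200",
    "2017-06-28\t10:00:04\tIAD12\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/login\t200",
    "2017-06-28\t10:00:05\tIAD12\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/login\t200",
    "2017-06-28\t10:00:07\tIAD12\t4096\t198.51.100.7\tGET\td111.cloudfront.net\t/\t200",
    "2017-06-28\t10:00:40\tIAD12\t4096\t198.51.100.7\tGET\td111.cloudfront.net\t/about\t200",
])


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, client_ip) pairs; comment lines and garbled lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        try:
            ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
            ip = str(ipaddress.ip_address(fields[4]))  # validates and canonicalises
        except ValueError:
            continue  # one bad line must not abort the whole scan
        events.append((ts.replace(tzinfo=timezone.utc), ip))
    return events


def detect_http_flood(events, threshold: int = 5, window_seconds: int = 60,
                      allowlist: Iterable[str] = ()) -> Set[str]:
    """Flag clients with >= threshold requests inside any span of window_seconds.

    Sliding window over each client's sorted timestamps, so a burst that straddles
    a fixed bucket boundary is still caught. allowlist holds CIDRs (monitoring,
    partners) that must never be blocked automatically.
    """
    safe = [ipaddress.ip_network(n) for n in allowlist]
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged: Set[str] = set()
    for ip, times in by_ip.items():
        if any(ipaddress.ip_address(ip) in net for net in safe):
            continue
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged


def build_ipset_updates(ips: Iterable[str], action: str = "INSERT") -> List[dict]:
    """Updates list for waf.update_ip_set (classic API): one host route per client."""
    updates = []
    for ip in sorted(ips, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s)))):
        addr = ipaddress.ip_address(ip)
        v6 = addr.version == 6
        updates.append({"Action": action,
                        "IPSetDescriptor": {"Type": "IPV6" if v6 else "IPV4",
                                            "Value": f"{addr}/{128 if v6 else 32}"}})
    return updates


def block_ips(waf_client, ip_set_id: str, ips: Iterable[str]) -> None:
    """Push flagged clients into an existing IP set (needs real credentials).

    Classic WAF mutations are serialised through a change token, hence two calls.
    """
    updates = build_ipset_updates(ips)
    if not updates:
        return
    token = waf_client.get_change_token()["ChangeToken"]
    waf_client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)


if __name__ == "__main__":
    flooders = detect_http_flood(parse_log(SAMPLE_LOG), threshold=5, window_seconds=60)
    print(build_ipset_updates(flooders))
    # To apply for real (hypothetical IPSetId):
    # import boto3; block_ips(boto3.client("waf"), "a1b2c3d4-EXAMPLE", flooders)
```

In a Lambda triggered by new log objects the same functions run over the object body; the thresholds are the tuning knob the slides call "active monitoring and tuning". If the logs come from an ALB sitting behind CloudFront, the client column is the CloudFront edge address, so the flood detector must read X-Forwarded-For instead, and the allowlist must cover anything you would regret blocking in under a minute.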
What customers asked for...
✓ Private IP space in AWS
✓ Familiar networking model
✓ Customer-defined networking logic
✓ Strong security controls
✓ Private connectivity to their data centers
Key Features of VPC
- Choosing an address range
- Setting up subnets in Availability Zones
- Creating a route to the Internet
- Authorizing traffic to/from the VPC
VPC Controls

The example VPC has one subnet per tier: a public subnet holding the Application Load Balancer (security group SG-ALB), a private subnet for the web tier (SG-Web) and a private subnet for the app tier (SG-App), using the CIDRs 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24.

Simple Approach (rules keyed on subnet CIDRs)
- SG-ALB: allow all traffic
- SG-Web: allow 10.0.2.0/24
- SG-App: allow 10.0.1.0/24

Secure Approach (rules keyed on the upstream security group)
- SG-ALB: allow CloudFront IP ranges only
- SG-Web: allow SG-ALB only
- SG-App: allow SG-Web only

The difference matters: a CIDR rule admits anything that lands in that subnet, including a compromised or misplaced instance, whereas referencing the upstream security group admits only members of that group. Likewise an "allow all" on the ALB lets a client connect to the load balancer directly and bypass CloudFront, and with it any AWS WAF rules applied there.
Security Groups + CloudFront IP ranges

Blog post: http://amzn.to/2fj4Q8e

AWS publishes its address ranges in ip-ranges.json and announces changes on an Amazon SNS topic (AmazonIpSpaceChanged). An AWS Lambda function subscribed to that topic fetches the file, extracts the CloudFront prefixes and updates SG-ALB so the load balancer only accepts traffic from CloudFront; without the automation the rule set goes stale the next time the ranges change.
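The core of that Lambda, plus the "allow SG-ALB only" rule from the Secure Approach, as an added example that is neither the deck's nor the linked blog post's code. It assumes the ip-ranges.json layout (prefixes[].ip_prefix and .service), that the SNS notification carries an MD5 of the document, and the EC2 IpPermissions structure shared by describe_security_groups, authorize_security_group_ingress and revoke_security_group_ingress. The ip-ranges excerpt and the "current rules" are constructed, and the sg-... IDs are hypothetical.

```python
"""Keep SG-ALB in step with CloudFront's published address ranges.

Added example, not the deck's or the blog post's code. Assumes the ip-ranges.json
layout (prefixes[].ip_prefix / .service), the MD5 announced in the
AmazonIpSpaceChanged SNS message, and the EC2 IpPermissions structure used by
describe/authorize/revoke_security_group_ingress. Sample data is constructed;
security-group IDs are hypothetical.
"""
import hashlib
import json
from typing import List, Set, Tuple

# Constructed excerpt of ip-ranges.json (the real file lists thousands of prefixes).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1498600000",
    "createDate": "2017-06-28-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "204.246.164.0/22", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
    ],
}).encode()

# Constructed: what describe_security_groups reports for SG-ALB today.
# One CloudFront range is already present, one rule is stale and must go;
# the SSH rule is on another port and must be left alone.
CURRENT_SG_ALB_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "13.32.0.0/15"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]


def document_md5(body: bytes) -> str:
    return hashlib.md5(body).hexdigest()


def verify_digest(body: bytes, announced_md5: str) -> bool:
    """Refuse to act on a document whose digest differs from the one in the SNS message."""
    return document_md5(body) == announced_md5.lower()


def cloudfront_prefixes(body: bytes) -> Set[str]:
    doc = json.loads(body)
    return {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"}


def current_cidrs(permissions: List[dict], port: int) -> Set[str]:
    """CIDRs currently allowed on TCP `port`; rules for other ports are ignored."""
    return {r["CidrIp"] for perm in permissions
            if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port and perm.get("ToPort") == port
            for r in perm.get("IpRanges", [])}


def cidr_permission(cidrs: Set[str], port: int) -> List[dict]:
    if not cidrs:
        return []
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in sorted(cidrs)]}]


def plan_changes(desired: Set[str], permissions: List[dict], port: int = 443,
                 max_rules: int = 50) -> Tuple[List[dict], List[dict]]:
    """(authorize, revoke) IpPermissions that make the port's CIDR set equal `desired`.

    max_rules is the per-group inbound rule quota for your account (50 was the
    default at the time); a larger prefix list has to be split across groups.
    """
    if len(desired) > max_rules:
        raise ValueError(f"{len(desired)} prefixes exceed the rule quota of {max_rules}")
    have = current_cidrs(permissions, port)
    return cidr_permission(desired - have, port), cidr_permission(have - desired, port)


def sg_reference_rule(source_group_id: str, port: int) -> List[dict]:
    """The Secure Approach rule for SG-Web: admit members of SG-ALB, not a subnet CIDR."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": source_group_id}]}]


def apply_changes(ec2, group_id: str, authorize: List[dict], revoke: List[dict]) -> None:
    """Authorize before revoking so CloudFront is never locked out mid-update (needs credentials)."""
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)


if __name__ == "__main__":
    announced = document_md5(SAMPLE_IP_RANGES)  # stands in for the SNS message's "md5" field
    if verify_digest(SAMPLE_IP_RANGES, announced):
        auth, rev = plan_changes(cloudfront_prefixes(SAMPLE_IP_RANGES), CURRENT_SG_ALB_PERMISSIONS)
        print("authorize:", auth)
        print("revoke:", rev)
        print("SG-Web rule:", sg_reference_rule("sg-0123456789abcdef0", 80))  # hypothetical SG-ALB id
        # import boto3; apply_changes(boto3.client("ec2"), "sg-0fedcba9876543210", auth, rev)
```

Two points a practitioner should check before wiring this up: authorize-then-revoke keeps the ALB reachable during the swap, but it can trip the rule quota transiently when the new and old sets barely overlap, so size max_rules with that headroom; and the digest check only proves the file you fetched is the one announced, so fetch it over HTTPS from the URL in the message rather than trusting a cached copy.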