© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dr. Andrew Kane, Solutions Architect
Giorgio Bonfiglio, Technical Account Manager
June 28th, 2017
Advanced Techniques for DDoS Mitigation and Web Application Defense

What to expect from this session
Types of Threats
AWS Shield
AWS WAF
AWS VPC

Types of Threats
DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification
Bad Bots: Content scrapers, Scanners & probes, Crawlers
Application Attacks: SQL injection, Application exploits, Social engineering, Sensitive data exposure
Layers: Application Layer, Network / Transport Layer

DDoS Threats
Network / Transport Layer DDoS

DDoS Threats
Application DDoS
Diagram labels: Good users, Bad guys, Web server, Database

Application Threats
Diagram labels: Good users, Bad guys, Web server, Database, Exploit code, SQL injection, XSS

Bad Bot Threats
Diagram labels: Good users, Bad guys, Web server, Database, Steal premium content

AWS Shield

Types of Threats
DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification
Layers: Application Layer, Network / Transport Layer
AWS Shield

AWS Shield
Standard Protection: Available to ALL AWS customers at No Additional Cost
Advanced Protection: Paid service that provides additional protections, features and benefits.

Benefits of AWS Shield
AWS Integration: DDoS protection without infrastructure changes
Affordable: Don’t force unnecessary trade-offs between cost and availability
Flexible: Customize protections for your applications
Always-On Detection and Mitigation: Minimize impact on application latency

AWS Shield Standard
Layer 3/4 protection
✓ Automatic detection & mitigation
✓ Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
✓ Built into AWS services
Layer 7 protection
✓ AWS WAF for Layer 7 DDoS attack mitigation
✓ Self-service & pay-as-you-go
Automatic Protection against 96% of Layer 3/4 attacks
Available globally on all internet-facing AWS services

AWS Shield Advanced
Additional Detection & Monitoring
Protection Against Large DDoS Attacks
Visibility Into Attack Detection & Mitigation
AWS WAF at No Additional Cost
24x7 DDoS Response Team
Cost Protection (Absorb DDoS Scaling Cost)

AWS Shield Advanced
Multi-Layered Mitigation
Diagram labels: Internet, DDoS, Border Network, Internet-Layer Mitigations, Network Layer Mitigations, AWS Services, Web Layer Mitigations, Customer Infrastructure, DDoS Detection, DDoS Response Team
Effective Against:
• Large-Scale Attack

AWS Shield Advanced
Multi-Layered Mitigation
Effective Against:
• SYN Floods
• Reflection Attacks
• Suspicious Sources

AWS Shield Advanced
Multi-Layered Mitigation
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP

AWS Shield Advanced
Multi-Layered Mitigation
Effective Against:
• HTTP Floods
• Bad Bots
• Suspicious IPs

AWS Shield Advanced
Multi-Layered Mitigation
Effective Against:
• Sophisticated Layer 7 attacks

Shield Demo

AWS Shield Advanced
Available on ...
Application Load Balancer
Classic Load Balancer
Amazon CloudFront
Amazon Route 53
In the following regions ...
✓ Northern Virginia (us-east-1)
✓ Oregon (us-west-2)
✓ Ireland (eu-west-1)
✓ Tokyo (ap-northeast-1)

AWS WAF

Types of Threats
DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification
Bad Bots: Content scrapers, Scanners & probes, Crawlers
Application Attacks: SQL injection, Application exploits, Social engineering, Sensitive data exposure
Layers: Application Layer, Network / Transport Layer
AWS WAF

Challenges of Web Application Firewalls
Setup is complex and slow
Too many false positives
Limited APIs for automation
Expensive to implement and maintain

AWS WAF
A web application firewall designed to help you defend against common web application exploits
Fast Incident Response
Preconfigured Protection
APIs for Automation
Flexible Rule Language

What is AWS WAF
Web traffic filtering with custom rules
Malicious request blocking
Active monitoring and tuning

How Does AWS WAF Protect You?
Security Automations
Preconfigured Protections
Highly Flexible Rule Language

Highly Flexible Rule Language
✓ Quick Incident Response
✓ Mitigations in < ~1 Min
✓ Inspect Any Part of the Request

Preconfigured Protections
You can get started quickly with built-in rules based on common use-cases.
Diagram labels: CloudFormation template, AWS WAF Configuration

Preconfigured Protections Demo

Virtual Patching Demo

Security Automations
Automated anomaly detection that you can take action on using Lambda functions.
✓ Dynamic Rules Based on Anomaly
✓ Using Lambda & Service Logs

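One way a log-driven dynamic rule can work, as an added example that is not code from the deck or from AWS: it counts 4xx responses per client in constructed CloudFront-style log lines and plans the INSERT/DELETE changes for a block list. The function names, threshold, allowlist and sample lines are assumptions; the update dictionaries follow the shape of the AWS WAF UpdateIPSet `Updates` list, and no API is called.

```python
import ipaddress
from collections import Counter

# Constructed sample: the leading tab-separated fields of CloudFront-style
# access log lines (date, time, edge, bytes, client IP, method, host, URI, status).
_ROWS = [
    ("198.51.100.7", "/missing-1", 404), ("198.51.100.7", "/missing-2", 403),
    ("198.51.100.7", "/missing-3", 404), ("203.0.113.20", "/", 200),
    ("203.0.113.20", "/missing.png", 404), ("192.0.2.10", "/old", 404),
    ("192.0.2.10", "/older", 404), ("192.0.2.10", "/oldest", 404),
]
SAMPLE_LOG = ["#Version: 1.0"] + [
    "2017-06-28\t10:00:%02d\tLHR50\t512\t%s\tGET\texample.org\t%s\t%d" % (i, ip, uri, status)
    for i, (ip, uri, status) in enumerate(_ROWS)
] + ["truncated\tline"]


def count_client_errors(lines):
    """Count 4xx responses per client IP, skipping comments and bad lines."""
    errors = Counter()
    for line in lines:
        fields = line.split("\t")
        if line.startswith("#") or len(fields) < 9:
            continue
        try:
            ip, status = ipaddress.ip_address(fields[4]), int(fields[8])
        except ValueError:
            continue  # unparsable address or status: ignore the line
        if 400 <= status < 500:
            errors[ip] += 1
    return errors


def _descriptor(network):
    return {"Type": "IPV%d" % network.version, "Value": str(network)}


def plan_ip_set_updates(errors, threshold, blocked, allowlist=()):
    """Plan INSERT/DELETE updates for a block list owned by this automation.

    blocked: CIDR strings currently in the IP set.
    allowlist: CIDRs that are never blocked, to limit false positives.
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    offenders = {
        ipaddress.ip_network(str(ip))  # single address becomes /32 or /128
        for ip, count in errors.items()
        if count >= threshold and not any(ip in net for net in allowed)
    }
    current = {ipaddress.ip_network(c) for c in blocked}
    inserts = sorted(offenders - current, key=str)
    deletes = sorted(current - offenders, key=str)  # release stale entries
    return ([{"Action": "INSERT", "IPSetDescriptor": _descriptor(n)} for n in inserts]
            + [{"Action": "DELETE", "IPSetDescriptor": _descriptor(n)} for n in deletes])


if __name__ == "__main__":
    counts = count_client_errors(SAMPLE_LOG)
    print(plan_ip_set_updates(counts, 3, {"203.0.113.99/32"}, ["192.0.2.0/24"]))
```
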
Security Automations
Traditional incident response

Security Automations
Next-generation incident response

AWS VPC

What customers asked for…
✓ Private IP space in AWS
✓ Familiar networking model
✓ Customer-defined networking logic
✓ Strong security controls
✓ Private connectivity to their data centers

Key Features of VPC
Choosing an address range
Setting up subnets in Availability Zones
Creating a route to the Internet
Authorizing traffic to/from the VPC

VPC Controls
Diagram labels: Public Subnet, Private Subnet (Web Tier), Private Subnet (App Tier), 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, SG-ALB, SG-Web, SG-App

Simple Approach
Allow all traffic
Allow 10.0.2.0/24
Allow 10.0.1.0/24

Secure Approach
Allow CloudFront IP Ranges only
Allow SG-ALB only
Allow SG-Web only

Security Groups + CloudFront IP ranges
Blog Post here -> http://amzn.to/2fj4Q8e
Diagram labels: IP-ranges.json, Amazon SNS, AWS Lambda, SG-ALB

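How the "Allow CloudFront IP Ranges only" rule on SG-ALB can be kept current from ip-ranges.json, as an added example that is not code from the deck or the linked blog post: it extracts the CLOUDFRONT prefixes from a constructed document and plans which ingress CIDRs to authorize and revoke. The function names, the `expected_md5` and `max_rules` parameters and the sample prefixes are assumptions; no AWS API is called.

```python
import hashlib
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout. The prefixes are
# documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2017-06-28-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:100::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_cidrs(document, expected_md5=None):
    """Return the CLOUDFRONT prefixes of an ip-ranges.json document as a set."""
    if expected_md5 is not None:
        # Consistency check against the digest assumed to arrive with the
        # change notification; a mismatch means a stale or partial download.
        if hashlib.md5(document.encode()).hexdigest() != expected_md5:
            raise ValueError("ip-ranges.json does not match the announced digest")
    data = json.loads(document)
    cidrs = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in data.get(key, []):
            if entry.get("service") == "CLOUDFRONT":
                # ip_network() rejects malformed prefixes and stray host bits.
                cidrs.add(str(ipaddress.ip_network(entry[field])))
    if not cidrs:
        # Refuse to plan from an empty list: applying it would revoke every rule.
        raise ValueError("no CLOUDFRONT prefixes found")
    return cidrs


def plan_sg_alb(current, wanted, max_rules=None):
    """Diff SG-ALB's current ingress CIDRs against the wanted set."""
    if max_rules is not None and len(wanted) > max_rules:
        raise ValueError("wanted rules exceed the security group rule limit")
    return {
        "authorize": sorted(wanted - current),
        # Anything not published for CloudFront goes, including 0.0.0.0/0.
        "revoke": sorted(current - wanted),
    }


if __name__ == "__main__":
    wanted = cloudfront_cidrs(SAMPLE_IP_RANGES)
    # "Simple Approach" starting state: SG-ALB open to all traffic.
    print(plan_sg_alb({"0.0.0.0/0", "198.51.100.0/24"}, wanted))
```

SG-Web and SG-App need no such refresh in the Secure Approach, because they reference SG-ALB and SG-Web as sources instead of CIDR blocks.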
Thank you!