Using AWS WAF and Lambda for Automatic Protection


Securing your web applications can be a daunting task, as attackers keep finding new ways to exploit your web application or impact its availability. In this webinar (Level 300), we share AWS Lambda scripts that you can use to automate security with AWS WAF (web application firewall) and write dynamic rules that prevent HTTP floods, protect against bad-behaving IPs, and maintain IP reputation lists. You will also learn how the Brazilian retailer Magazine Luiza used AWS WAF and Lambda to protect its site and guarantee an operationally smooth Black Friday.

• Learn how to use AWS WAF and Lambda together to automate security responses.
• Get the Lambda scripts and CloudFormation templates that prevent HTTP floods, automatically block bad-behaving IPs and bots, and allow you to import and maintain publicly available IP reputation lists.
• Gain an understanding of strategies for protecting your web applications using AWS WAF, CloudFront, and Lambda.

Who Should Attend:
IT Managers, Security Engineers, DevOps Engineers, Developers, Solution Architects, and Web Site Administrators


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Using AWS WAF & Lambda for Automatic Protection. Nathan Dye, AWS WAF Software Development Manager; Gleicon Moraes, Magazine Luiza Infrastructure Manager. March 2, 2016
  2. Agenda: WAF & Lambda intro; security automation; scripts & templates; customer story
  3. Web site without AWS WAF [diagram labels: Good users, Attackers, Web site, Exploit]
  4. Web site with AWS WAF [diagram labels: Good users, Attackers, Web site, Exploit]
  5. What is AWS WAF? A web application firewall (WAF) that gives you control over who (or what) can access your web applications. • Full-featured API • Customizable security • Integrated with Amazon CloudFront: protection at the edge • Use cases: protection against exploits, abuse, and application DDoS
  6. What is AWS Lambda? Lambda automatically runs your code without requiring you to provision servers. • “Server-less” scripting; event-driven actions • Integrated with other AWS services • Use cases: scheduled events, provisioning services, and customer analysis
  7. Why build automated security? • Bad guys are adaptive and persistent • Better protection • Integrate application-specific or open-source data sources • Sophisticated out-of-band analysis
  8. Automated security [diagram labels: Good users, Attackers, Web site, Logs, Threat analysis, Rule updater, Rules, Exploit]
  9. Automated security – traditional data center [diagram labels: Good users, Attackers, Web site, Logs, Threat analysis, Rule updater, Rules, Exploit]
  10. Automated security – AWS makes it easier [diagram labels: Good users, Attackers, Web site, Logs, Threat analysis, Rule updater, Rules, Exploit]
  11. Other AWS services we’ll use: Amazon CloudFront, Amazon CloudWatch, AWS CloudFormation, Amazon S3, Amazon API Gateway
  12. Types of attacks that need automation: HTTP floods, scans & probes, IP reputation lists, bots & scrapers
  13. IP reputation lists: collections of IP addresses with a bad reputation based on sending history • Open proxies or known hosts that send spam/trojans/viruses • Constantly changing/updating • Solution: import open-source lists (e.g., Emerging Threats, Spamhaus, Tor node list) and update the lists using CloudWatch Events
  14. IP reputation lists (cont’d)
  15. IP reputation lists (cont’d) <Example Demo>
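As an added example (not code from the webinar or its CloudFormation templates), the following Python parses reputation lists in the line styles used by the sources named above, drops comments and malformed lines, merges overlaps, and splits ranges into the prefix lengths the WAF IP set accepts. The sample list and the tuple of accepted prefix lengths are assumptions; adjust SUPPORTED_PREFIXES to what your IP set supports.

```python
import ipaddress

# Prefix lengths the target WAF IP set is assumed to accept (assumption:
# change this tuple to match the IP set you import into).
SUPPORTED_PREFIXES = (8, 16, 24, 32)

# Constructed sample mixing the line styles of the lists named above:
# DROP-style "cidr ; id" lines and one-address-per-line entries, plus the
# comments and junk that show up in practice. Not real indicators.
SAMPLE_LIST = """; DROP-style section (constructed)
192.0.2.0/24 ; SBL000001
198.51.100.0/23 ; SBL000002
# one-address-per-line section (constructed)
203.0.113.7
203.0.113.7
not-an-address
"""

def parse_reputation_list(text):
    """Yield IPv4 networks from a list, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        entry = raw.split("#")[0].split(";")[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed line should not abort the whole import
        if net.version == 4:  # this example feeds an IPv4-only set (assumption)
            yield net

def to_supported_cidrs(networks):
    """Merge duplicates/overlaps, then split each range into accepted prefixes."""
    cidrs = []
    for net in ipaddress.collapse_addresses(networks):
        # Smallest accepted prefix length that is no shorter than the range's own,
        # so a /23 becomes two /24s rather than an over-blocking /16.
        target = next(p for p in SUPPORTED_PREFIXES if p >= net.prefixlen)
        cidrs.extend(str(sub) for sub in net.subnets(new_prefix=target))
    return cidrs

def import_list(text):
    """End-to-end: list text in, deduplicated WAF-ready CIDR strings out."""
    return to_supported_cidrs(parse_reputation_list(text))

if __name__ == "__main__":
    print(import_list(SAMPLE_LIST))
```

The returned strings are what a scheduled Lambda would push into the IP set; the duplicate 203.0.113.7 collapses to one /32 and the /23 is split into two /24s.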
  16. HTTP floods: legitimate requests at a level that excessively consumes web server resources • Requests targeted at expensive components, e.g., login, product search, etc. • Different from other types of flood attacks because the requests follow the protocol • Creates the problem of distinguishing an attack from a flash crowd • Solution: count the number of requests in CloudFront access logs and block offenders [diagram label: Attackers]
  17. HTTP floods (cont’d)
  18. HTTP floods (cont’d) <Example Demo>
  19. Scans & probes: a program that communicates with the web application front end to identify potential vulnerabilities • Initiated by you: good; initiated by someone else: bad • Someone (or something) with bad intentions • Consumes resources by requesting URLs that don’t exist • Solution: count 40x errors in access logs and block offenders
  20. Scans & probes (cont’d) <Example Demo>
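The two solutions above (count requests per client in CloudFront access logs for floods, count 40x errors per client for scans & probes) are the same pass over the logs with two counters. This added Python example, not code from the webinar's scripts, does that pass over constructed log lines in the real CloudFront format and returns the IPs at or above each threshold; the thresholds, sample traffic and host name are assumptions.

```python
from collections import Counter

# CloudFront access logs are tab-separated with a "#Fields:" header naming
# each column; the parser below reads that header rather than hard-coding it.
HEADER = ("#Version: 1.0\n#Fields: date time x-edge-location sc-bytes c-ip "
          "cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent)\n")

def _row(ip, uri, status):
    # One constructed log line; host name and edge location are placeholders.
    return "\t".join(["2016-03-02", "10:00:00", "IAD53", "512", ip, "GET",
                      "d111111abcdef8.cloudfront.net", uri, str(status), "-", "curl/7.47"])

# Constructed sample traffic (documentation addresses, not real clients):
# one flooder hammering /login, one scanner probing paths that do not exist,
# and one ordinary visitor who hits a single missing page.
SAMPLE_LOG = HEADER + "\n".join(
    [_row("203.0.113.10", "/login", 200) for _ in range(6)]
    + [_row("198.51.100.7", "/nonexistent-%d" % i, 404) for i in range(4)]
    + [_row("192.0.2.5", "/", 200), _row("192.0.2.5", "/missing", 404)]) + "\n"

def parse_cloudfront_log(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            if fields is not None and len(values) == len(fields):
                yield dict(zip(fields, values))  # malformed lines are skipped

def find_offenders(text, request_threshold, error_threshold):
    """Return (flooders, scanners): IPs at or above each threshold in this log."""
    requests, errors = Counter(), Counter()
    for rec in parse_cloudfront_log(text):
        requests[rec["c-ip"]] += 1
        if rec["sc-status"].startswith("4"):  # any 40x response counts as an error
            errors[rec["c-ip"]] += 1
    flooders = {ip for ip, n in requests.items() if n >= request_threshold}
    scanners = {ip for ip, n in errors.items() if n >= error_threshold}
    return flooders, scanners

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, request_threshold=5, error_threshold=3))
```

In the webinar's architecture the same counters run in a Lambda function triggered by each new log object, and the resulting sets are what gets written to the WAF IP sets; the thresholds should be tuned per site so that a flash crowd to a cheap page is not mistaken for a flood.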
  21. Bots & scrapers: software applications that run automated tasks over the internet • Good bots (search engines, weather, price comparison) vs. bad bots (scrape content, steal data, malware) • Aggressive vs. conservative days • Constantly changing/updating • Solution: use robots.txt and a “honeypot” file to identify & block offenders
  22. Bots & scrapers (cont’d)
  23. Bots & scrapers (cont’d) <Example Demo>
  24. Customer story: Magazine Luiza • One of the largest retail chains in Brazil • More than 700 stores, 24K staff, & 8 distribution centers • E-commerce platform customers use for purchases • Moving “all in” to AWS over the past 2-3 years • Breaking up the monolithic app
  25. Customer story (cont’d): Challenges • Balance security with performance & cost • Traditional WAFs didn’t work: 1. Inflated models: lots of rules & based on VM or hardware 2. Couldn’t scale: constrained by bandwidth & CPU 3. Automation meant more hardware • Need to block bad bots (based on IP) without affecting the search & shopping experience • Have a solution in place by Black Friday
  26. Customer story (cont’d): Previous architecture [diagram]
  27. Customer story (cont’d): New architecture [diagram]
  28. Customer story (cont’d): Milestones before Black Friday • September–October: confirmed new architecture and started building • October: new architecture ready to go • November: started countdown and moved over all production traffic
  29. Customer story (cont’d): Black Friday • November 26: jumped from 4 to 28.9 million views/day • November 26: all hands on deck for the last infrastructure scale • 12am: everyone went home, 5 people decided to sleep in our leisure room, I kept following monitoring • November 27: traffic started to ramp up around 6AM and stayed high during the entire weekend
  30. Customer story (cont’d): Advice to others • Do analysis in house & start small • Use the right library for the job • Identify what needs protection • Think about the time it takes to process logs • Defense in depth: simple security rules at the perimeter, complex security rules closer to the app
  31. Resources: Security blogs • Rate-Based Blacklisting (Heitor Vital) • IPs Generating Errors (Ben Potter) • Blocking Bots (this month; Vlad Vlasceanu) • Importing IP Reputation Lists (this month; Lee Atkinson) • Tutorials page
  32. Thank you!