Advanced Techniques for DDoS Mitigation and Web App Defense Using AWS
•Download as PPTX, PDF•
3 likes•500 views
Security professionals and full-stack engineers will learn how to defend against distributed denial of service (DDoS) attacks and web application exploits by using automation to monitor activity, configure rate limiting, and deploy network filtering rules. This session will show you how to use Lambda functions to automate event response and integrate with your security operations tools. You will become an expert in advanced techniques to help you protect and monitor your AWS networks and resources using services such as Amazon Virtual Private Cloud, Amazon Web Application Firewall, Amazon Shield, and more. You will also learn how to monitor and gain deep visibility into your AWS environment by using highly-scaled solutions such as AWS CloudTrail and AWS CloudWatch. Learn More: https://aws.amazon.com/government-education/
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Advanced Techniques for DDoS Mitigation and Web App Defense Using AWS
Similar to Advanced Techniques for DDoS Mitigation and Web App Defense Using AWS (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Advanced Techniques for DDoS Mitigation and Web App Defense Using AWS
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jeffrey Lyon & Michael Capicotto June 14, 2017 Advanced Techniques for DDoS Mitigation and Web Application Defense
- 2. What to expect from this session Types of Threats AWS Shield Amazon VPC AWS WAF
- 3. What to expect from this session Types of Threats AWS Shield Amazon VPC AWS WAF
- 4. Types of Threats Bad BotsDDoS Application Attacks Reflection Layer 4 floods Slowloris SSL abuse HTTP floods Amplification Content scrapers Scanners & probes CrawlersApplication Layer Network / Transport Layer SQL injection Application exploits
- 5. Types of Threats Bad BotsDDoS Application Attacks Reflection Layer 4 floods Slowloris SSL abuse Amplification Application Layer Network / Transport Layer Layer 7 (HTTP) Floods IP Reputation List Trend Micro IP Reputation SQLi & XSS Secureworks: Joomla & Wordpress Trend Micro: Deep Security Integration Bot Detection Techniques IP Reputation List
- 6. DDoS Threats Network / Transport Layer DDoS
- 7. DDoS Threats Application DDoS Good users Bad guys Web server Database
- 8. Application Threats Good users Bad guys Web server Database Exploit code SQL injectionXSS
- 9. Bad Bot Threats Good users Bad guys Web server Database Steal premium content
- 10. What to expect from this session Types of Threats AWS Shield Amazon VPC AWS WAF
- 11. Types of Threats Bad BotsDDoS Application Attacks Reflection Layer 4 floods Slowloris SSL abuse HTTP floods Amplification Content scrapers Scanners & probes Crawlers SQL injection Application exploits Social engineering Sensitive data exposureApplication Layer Network / Transport Layer AWS Shield
- 12. Benefits of AWS Shield AWS Integration DDoS protection without infrastructure changes Affordable Don’t force unnecessary trade-offs between cost and availability Flexible Customize protections for your applications Always-On Detection and Mitigation Minimize impact on application latency
- 13. AWS Shield Standard Protection Advanced Protection Available to ALL AWS customers at no additional cost Paid service that provides additional protections, features, and benefits.
- 14. AWS Shield Standard Layer 3/4 protection Automatic detection & mitigation Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.) Built into AWS services Layer 7 protection AWS WAF for Layer 7 DDoS attack mitigation Self-service & pay-as-you-go Automatic protection against 96% of Layer 3/4 attacks Available globally on all internet-facing AWS services
- 15. AWS Shield Advanced Additional detection & monitoring Protection against large DDoS attacks Visibility into attack detection & mitigation AWS WAF at no additional cost 24X7 DDoS response team Cost protection (absorb DDoS scaling cost)
- 16. AWS Shield Advanced Multi-Layered Mitigation Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet-Layer Mitigations DDoS DDoS Response Team Effective Against: • Large-Scale Attack Effective Against: • SYN Floods • Reflection Attacks • Suspicious Sources Effective Against: • SSL Attacks • Slowloris • Malformed HTTP Effective Against: • HTTP Floods • Bad Bots • Suspicious IPs Effective Against: • Sophisticated Layer 7 attacks
- 17. AWS Shield Advanced Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53 Available on ... Northern Virginia (us-east-1) Oregon (us-west-2) Ireland (eu-west-1) Tokyo (ap-northeast-1) In the following regions ...
- 18. Shield Demo
- 19. What to expect from this session Types of Threats AWS Shield Amazon VPC AWS WAF
- 20. Private IP space in AWS Familiar networking model Customer-defined networking logic Strong security controls What customers asked for…
- 21. Key Features of VPC Choosing an address range Setting up subnets in Availability Zones Creating a route to the Internet Authorizing traffic to/from the VPC
- 22. Private Subnet (Web Tier) Private Subnet (App Tier) Simple Approach Public Subnet SG-Web SG-App SG-Web SG-Web SG-App SG-App 10.0.2.0/24 10.0.1.0/24 10.0.3.0/24 SG-ALB Allow all traffic Allow 10.0.2.0/24 Allow 10.0.1.0/24
- 23. Private Subnet (Web Tier) Private Subnet (App Tier) Secure Approach Public Subnet SG-Web SG-App SG-Web SG-Web SG-App SG-App 10.0.2.0/24 10.0.1.0/24 10.0.3.0/24 SG-ALB Allow CloudFront IP Ranges only Allow SG-ALB only Allow SG-Web only
- 24. Secure Approach Allow CloudFront IP Ranges only SG-ALB
- 25. Security Groups + CloudFront IP ranges Blog post here -> http://amzn.to/2fj4Q8e IP-ranges.json SG-ALB Amazon SNS AWS Lambda
- 26. VPC Demo
- 27. What to expect from this session Types of Threats AWS Shield Amazon VPC AWS WAF
- 28. Challenges of Web Application Firewalls Setup is complex and slow Too many false positives Limited APIs for automation Expensive to implement and maintain
- 29. AWS WAF Fast Incidence Response Preconfigured Protection APIs for Automation Flexible Rule Language A web application firewall designed to help you defend against common web application exploits
- 30. What is AWS WAF Web traffic filtering with custom rules Malicious request blocking Active monitoring and tuning
- 31. How Does AWS WAF Protect You? Security Automations Preconfigured Protections Highly Flexible Rule Language
- 32. Highly Flexible Rule Language Quick incidence response Mitigations in < ~1 min. Inspect any part of the request Security Automations Preconfigured Protections Highly Flexible Rule Language
- 33. Preconfigured Protections You can get started quickly with built-in rules based on common use cases. CloudFormation template AWS WAF Configuration Security Automations Preconfigured Protections Highly Flexible Rules Engine
- 34. WAF Demo 1 & 2
- 35. Security Automations Security Automations Preconfigured Protections Highly Flexible Rules Engine Automated anomaly detection that you can take action on using Lambda functions. Dynamic rules based on anomaly Using Lambda & service logs
- 36. Security Automations Traditional incident responseAutomated incident response Next-generation incident response Security Automations Preconfigured Protections Highly Flexible Rules Engine
- 37. Q&A
- 38. Thank you!
Editor's Notes
- Denial of Service attacks attempt to block legitimate users from accessing a web application by overwhelming either the network or server resources serving that application, either with unrelated network traffic or invalid application requests. *Distributed* Denial of Service attacks are typically launched from a botnet of compromised computers or Internet devices. Objective is to knock the targeted website or application offline for a period of time, disrupting availability for legitimate users.
- Finally, Sometimes bad actors want to bring down a web site, using application-layer requests. At the application layer, these usually aren’t the very large volumes of traffic. Highly targeted attacks may go after expense web pages with less than 100 requests per second. Customers use WAFs to block these requests before they reach web server infrastructure.
- First and firemost, WAF is used to prevent Web application bugs from turning into security breaches. WAFs are an effective tool for blocking bad actors and known back attack signatures when they occur.
- Ecommerce customers often fights against bots that scrape pricing details Customers use AWS WAFs to find and block content abuse cases.
- Regardless of which tier you choose, we built AWS Shield Advanced with four key pillars in mind. First, we want it to seamlessly integrate with your existing AWS infrastructure …
- Available in two tiers: Standard and Advanced
- Built-in detection and mitigation of Layer 3/4 attacks. Customers who also want Layer 7 protections against application attacks can subscribe separately to AWS WAF.
- Reduce attack surface
- What customers wanted for VPC: Want the flexibility of the cloud but need to keep their data isolated to meet compliance needs Want to move applications to the cloud but need control over their network space
- Build architecture from previous slide (create emtpy SG, create Lambda function, paste code, point to SNS topic via CLI, trigger lambda function manually for first population of SG)
- Problems with traditional WAFs
- Get slide deck from Sundar: traditional WAFs don’t have API support, 100% API support in ours, Too many rules, too many false positives, buying elephant and using a mouse 4-5 talking points about what customers wanted Answering the questions of what the customer need WAF can be used for detection and mitigation or just mitigation Intel might come from Splunk or some other third-party Propogated in under 1 minute (differentiating feature for our WAF) damage is done in hours 100% API automation App code devs can dev WAF code/rules Flex = apache struts Pre = cfn Ease of use talking pt during demos
- Cfn templates with preconf rules, works with other services like lambda, Couple of demos (story, rule engine) AWS Answers Sundar will send this Consider demoing this for ease of use and flexibility: https://aws.amazon.com/answers/security/aws-waf-security-automations/
- Create WAF rule that blocks recent Apache Struts vuln “cmd=”
- Ip rep lists, cloudfront logs Take it one step further You can go beyond this
- You can only do this because of 100% API Analyzer that looks at highest detail of web logs