Best Practices to Mitigate from the Emerging Vectors of Network Attack
- 1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark.
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Speakers: Cybil Chiu, Business Development Manager; Kwunhok Chan, Solutions Architect
- 2.
Webinar Series
https://aws.amazon.com/webinars/hk-webinar-series/
- 3.
Attack Threats and Trends
- 4. Why does it matter?
Availability: attacks can last for hours and even days.
Financial impact: an attack that brings down your server ends up as lost revenue; you could massively scale, but that just translates to increased infrastructure expense; even without an actual attack, DDoS threats are used for extortion.
Security: some attacks are more concerned with stealing or infecting data.
Any combination of these results in a hit to your brand reputation.
- 5. Why are you attacked?
DDoS extortion note shown on the slide (quoted verbatim):
This message is only for your company. Send this information to your boss.
We have completed network reconnaissance of your infrastructure. We studied the algorithms of your protection against DDoS. We are ready to crash your servers
and disturb normal work of your trading platform.
This is a small part of our power:
L7;
Botnet #1 - https://prnt.sc/kuyt6x - 3 500 000 requests per second.
Botnet #2 - https://prnt.sc/kuyu60 - 450 000 requests per second.
Botnet #3 - https://prnt.sc/kuywzf - 2 000 000 requests per second.
L4;
#1 - https://prnt.sc/kuyxjj
#2 - https://prnt.sc/kuyxx8
#3 - https://prnt.sc/kuyy3r
#4 - https://prnt.sc/kuyyah
Total L4 power now - more than 1.3 TB/S UDP and 240 000 000 packets per second TCP.
We know that you will be able to reflect the attack, but it will take at least 12-24 hours. Undoubtedly you will incur monetary losses.
What we want?
5 BTC (it's just dust for you) to 1Kd4f6NCuk5tBdvcj5und8xxBoSZnxaPsM
Your losses from the attack can be much greater.
We are waiting until October 2.
If you do what we want - we will help you fix some network bugs. If no - we will be forced to act.
We do not say goodbye. TGF6YXJ1cyBIYWNrZXJzISBOb3J0aCBLb3JlYSBQb3dlciE=
- 6.
AWS Attack Landscape
- 7. Growth of Volumetric Attacks
[Chart: largest DDoS attacks per year in Gbps, 2007 to 2019, y-axis 0 to 1800 Gbps; the two annotated spikes are labelled "Mirai attacks" and "Memcached attacks"]
- 8. Recent Trends (Q1 2020 compared with Q1 2019)
• 310,954 attacks observed in Q1 2020, a 23% increase from Q1 2019
• 2.3 Tbps: largest attack observed (bits) in Q1 2020, a 188% increase from Q1 2019
• 293.1 Mpps: largest attack observed (packets) in Q1 2020, a 13% increase from Q1 2019
• 694,210 rps: largest attack observed (requests) in Q1 2020, a 31% decrease from Q1 2019
- 9. Common External Threats
Denial of Service: SYN floods; reflection attacks; web request floods
App Vulnerabilities: SQL injection; cross-site scripting (XSS); OWASP Top 10; Common Vulnerabilities and Exposures (CVE)
Bad Bots: crawlers; content scrapers; scanners & probes
- 10. (slide 9 repeated as a build step)
- 11. Traditional Challenges of DDoS Mitigation
1. Difficult to enable: complex to set up; need to provision bandwidth capacity; re-architect applications
2. Sub-optimal incident response: manual intervention required; re-routing traffic to scrubbing locations
3. Degraded performance: scrubbing centers may be far from your servers, adding latency
4. Increased time to mitigate: manual intervention and re-routing take away precious moments from incident response
5. Expensive to use: due to the size, duration and complex nature of mitigation systems, it becomes prohibitively expensive in some cases
- 12.
AWS Approach to DDoS Protection
- 13. Protecting the Application Perimeter
AWS Shield Standard: protects AWS services against common DDoS attacks.
AWS WAF: protects web applications by allowing you to write custom rules or choose managed rules from AWS or the AWS Marketplace.
AWS Shield Advanced: managed threat protection that blocks DDoS attacks, vulnerability exploitation, and bad bots.
AWS Firewall Manager: centrally configure and manage security rules across accounts and applications.
AWS Shield Advanced includes AWS WAF and Firewall Manager (FMS) at no additional cost.
- 14. AWS Shield Advanced: Managed Threat Protection
• Easy to configure without changing your application architecture
• Comprehensive protection against DDoS attack vectors
• Near-real-time event visibility
• Protection from economic attack vectors
- 15. to 18. Benefits of AWS Shield Standard and Shield Advanced (built up over four slides; final state shown)
Detection and mitigation
• Pre-configured protection
• Point-and-protect wizard
• Faster mitigation, customized to your application
• 24x7 access to the DDoS Response Team (DRT)
Near-real-time event visibility
• CloudWatch metrics
• Attack diagnostics
• Global threat environment dashboard
• Quarterly security report
Protection from economic attack vectors
• AWS WAF at no additional cost for protected resources
• AWS Firewall Manager at no additional cost
• Cost protection for scaling
- 19.
Let’s see Shield Advanced in action
- 20. Use Case: Pokemon GO
Challenges:
• Massive increase in users & traffic
• DDoS attack / bot / scanner
• Quick deployment
• Low latency
• Superior analytics logging
- 21. Common External Threats (slide 9 shown again as the transition to application threats and bad bots)
- 22. Application Threats and Bad Bots
[Diagram: good users and bots, and bad guys, both reach the web server and the database behind it; the bad traffic shown is SQL injection, application exploits, and bad bots (content scrapers, scanners & probes, crawlers)]
- 23. AWS WAF
"A web application firewall designed to help you defend against common web application exploits."
• Fast incident response
• Managed rulesets
• APIs for automation
• Flexible rule language
- 24. to 27. AWS WAF Request Process (built up over four slides; final state shown)
Step 1: an HTTP/HTTPS request for content is made to Amazon CloudFront.
Step 2: Amazon CloudFront checks whether the request requires WAF.
Step 3: WAF reviews the request and instructs Amazon CloudFront to allow or deny it. Allowed: content delivered via Amazon CloudFront. Denied: error page delivered by Amazon CloudFront.
Step 4: WAF sends metrics to Amazon CloudWatch. Rules can be updated via API.
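The request path on slides 24 to 27 is easier to reason about as code. The block below is an added, constructed model (not AWS code and not the deck's own material): a web ACL whose rules run in priority order, where the first ALLOW or BLOCK rule is terminating, COUNT rules only record a match, and per-rule counters stand in for the metrics WAF sends to CloudWatch. The rate-based rule uses the real WAF semantics of a per-IP count over a five-minute window but a toy limit of five; rule names, the regex and all traffic are made up.

```python
"""Toy model of the AWS WAF request path (constructed example, not AWS code):
CloudFront hands a request to the web ACL, rules run in priority order, the
first ALLOW or BLOCK rule is terminating, COUNT rules only record a match, and
per-rule counters stand in for the metrics WAF sends to CloudWatch."""
import re
from collections import Counter, defaultdict, deque

RATE_WINDOW_SECONDS = 300   # rate-based rules count per client IP over 5 minutes


class WebAcl:
    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r["priority"])
        self.default_action = default_action
        self.metrics = Counter()            # stand-in for CloudWatch metrics
        self.hits = defaultdict(deque)      # per-IP request timestamps

    def rate_exceeded(self, request, limit):
        """Sliding-window request count for the client IP (rate-based rule)."""
        window = self.hits[request["ip"]]
        window.append(request["ts"])
        while window and request["ts"] - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()
        return len(window) > limit

    def evaluate(self, request):
        """Return 'ALLOW' or 'BLOCK' for one request and record metrics."""
        for rule in self.rules:
            if rule["match"](self, request):
                self.metrics[f"{rule['name']}:{rule['action']}"] += 1
                if rule["action"] in ("ALLOW", "BLOCK"):
                    return rule["action"]   # terminating action
                # COUNT: match recorded, evaluation continues
        self.metrics[f"Default:{self.default_action}"] += 1
        return self.default_action


# Crude SQL injection signature for the demo only; a real deployment would use
# a managed SQLi rule group rather than a hand-written regex.
SQLI = re.compile(r"(?i)(union\s+select|'\s*or\s+['\d]|--\s*$)")

RULES = [
    {"name": "AllowHealthCheck", "priority": 0, "action": "ALLOW",
     "match": lambda acl, r: r["uri"] == "/health"},
    {"name": "BlockSqli", "priority": 10, "action": "BLOCK",
     "match": lambda acl, r: bool(SQLI.search(r["query"]))},
    {"name": "CountScriptedClients", "priority": 20, "action": "COUNT",
     "match": lambda acl, r: "python-requests" in r["ua"]},
    {"name": "RateLimitPerIp", "priority": 30, "action": "BLOCK",
     "match": lambda acl, r: acl.rate_exceeded(r, limit=5)},   # toy limit; production limits are far higher
]


def sample_requests():
    """Constructed traffic: a health check, a normal user, one SQLi probe, and a
    scripted client that hits one endpoint eight times inside the window."""
    reqs = [
        {"ts": 0, "ip": "10.0.0.1", "uri": "/health", "query": "", "ua": "ELB-HealthChecker/2.0"},
        {"ts": 1, "ip": "203.0.113.5", "uri": "/items", "query": "id=42", "ua": "Mozilla/5.0"},
        {"ts": 2, "ip": "203.0.113.9", "uri": "/items", "query": "id=1' OR 1=1 --", "ua": "Mozilla/5.0"},
    ]
    reqs += [{"ts": 10 + i, "ip": "198.51.100.7", "uri": "/search", "query": "q=x",
              "ua": "python-requests/2.25"} for i in range(8)]
    return reqs


def run_sample():
    """Evaluate the constructed traffic; returns (decisions, metrics)."""
    acl = WebAcl(RULES)
    decisions = [acl.evaluate(r) for r in sample_requests()]
    return decisions, dict(acl.metrics)


if __name__ == "__main__":
    decisions, metrics = run_sample()
    print(decisions)
    print(metrics)
```

Two points the model makes visible: the SQLi probe is blocked before the rate rule ever sees it, so a blocked request does not also count towards the rate limit, and the COUNT rule lets you measure how much traffic a new rule would affect before switching it to BLOCK, which is the usual way to roll out a rule on production traffic.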
- 28. AWS WAF – Security Automations
https://amzn.to/30VgbEe
- 29.
AWS Marketplace rule groups
• Pre-defined rules written by AWS Partners
• Designed for different purposes, e.g.
• Specific applications, such as WordPress
• OWASP Top 10 vulnerabilities
• Automatically updated as threats emerge
• No long-term contracts
- 30.
AWS WAF Console Walkthrough
- 31.
Architecting for DDoS Resiliency
- 32. DDoS-resilient Architecture
[Diagram: users and a DDoS attack both arrive via Amazon Route 53, then Amazon CloudFront with AWS WAF, then an Application Load Balancer in a public subnet of a VPC, then an Auto Scaling group of web application instances in a private subnet; security groups on the load balancer and on the instances]
Mitigation notes annotated on the diagram, by layer:
Amazon Route 53: validates DNS; mitigates complex attacks by allowing only the most reliable DNS queries.
Amazon CloudFront: globally distributed attack mitigation capability; SYN proxy feature that verifies the three-way handshake before passing the connection to the application; Slowloris mitigation that reaps long-lived connections.
AWS WAF: flexible rule language to block or rate-limit malicious requests.
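The "SYN proxy that verifies the three-way handshake before passing to the application" note on the slide 32 diagram is worth seeing mechanically. The block below is an added, constructed sketch of how such a proxy can stay stateless, using SYN cookies; it is not AWS's implementation and says nothing about how CloudFront does it internally. The SYN-ACK's initial sequence number is an HMAC over the connection 4-tuple and a 64-second time slot, so no memory is allocated until a client returns the matching ACK; a flood of spoofed SYNs never reaches the backend. The secret, addresses and packet shapes are all assumptions made for the example.

```python
"""Constructed SYN-cookie proxy sketch (not AWS code). Every SYN is answered
with a SYN-ACK whose ISN is a keyed cookie; per-flow state exists only after a
client proves it received that SYN-ACK by acking cookie + 1."""
import hashlib
import hmac

SLOT_SECONDS = 64      # cookie validity window; current and previous slot accepted


class SynProxy:
    def __init__(self, secret, backend):
        self.secret = secret          # assumed to be rotated periodically
        self.backend = backend        # called only for a completed handshake
        self.established = set()      # the only per-flow state the proxy keeps

    def _cookie(self, flow, slot):
        """32-bit cookie: 8 bits of slot number, 24 bits of keyed MAC."""
        msg = "{}:{}>{}:{}@{}".format(*flow, slot).encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_packet(self, pkt, now):
        """pkt = {'flow': (src, sport, dst, dport), 'flags', 'seq', 'ack'}.
        Returns the proxy's action as a tuple."""
        flow, slot = pkt["flow"], now // SLOT_SECONDS
        if flow in self.established:
            return ("FORWARD",)                      # handshake already verified
        if pkt["flags"] == "SYN":
            # Stateless reply: the cookie is the ISN and nothing is stored.
            return ("SYN-ACK", self._cookie(flow, slot), pkt["seq"] + 1)
        if pkt["flags"] == "ACK":
            acked = (pkt["ack"] - 1) & 0xFFFFFFFF    # client acks our ISN + 1
            for candidate in (slot, slot - 1):
                if (candidate & 0xFF) == acked >> 24 and self._cookie(flow, candidate) == acked:
                    self.established.add(flow)
                    self.backend(flow)               # only now does the application see it
                    return ("FORWARD",)
            return ("DROP",)   # no SYN-ACK we issued matches this ACK
        return ("DROP",)       # data before a verified handshake


def simulate():
    """Constructed traffic: one real client completes the handshake, 10,000
    spoofed SYNs never do, and one forged ACK guesses the cookie wrong.
    Returns (connections seen by the backend, proxy state entries, forged-ACK result)."""
    accepted = []
    proxy = SynProxy(b"demo-secret-rotate-me", accepted.append)
    now = 1_000_000
    backend = "198.51.100.1"
    legit = ("203.0.113.10", 51000, backend, 443)
    synack = proxy.on_packet({"flow": legit, "flags": "SYN", "seq": 7, "ack": 0}, now)
    proxy.on_packet({"flow": legit, "flags": "ACK", "seq": 8, "ack": synack[1] + 1}, now + 1)
    for i in range(10_000):    # spoofed sources that will never answer the SYN-ACK
        flow = (f"192.0.2.{i % 256}", 1024 + i, backend, 443)
        proxy.on_packet({"flow": flow, "flags": "SYN", "seq": i, "ack": 0}, now + 2)
    forged = proxy.on_packet({"flow": ("192.0.2.1", 1025, backend, 443),
                              "flags": "ACK", "seq": 2, "ack": 12345}, now + 3)
    return len(accepted), len(proxy.established), forged[0]


if __name__ == "__main__":
    print(simulate())   # (1, 1, 'DROP')
```

The thing to notice is what the proxy does not have: a half-open connection table. Ten thousand spoofed SYNs leave `established` with a single entry and the backend with a single accepted connection, which is exactly the property that makes a SYN flood cheap to absorb at the edge rather than at the origin.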
- 33.
“Are you Well-
Architected?”
Werner Vogels
- 34. Pillars of the Well-Architected Framework
Security, Reliability, Performance Efficiency, Cost Optimization, Operational Excellence
- 35.
Planning for DDoS response
Shared responsibility
• We’re in this together
What can you do to be prepared?
• Architect with security and availability in mind from the beginning
Architect for scale
• Use auto scaling resources to scale up instance sizes and scale out quantity
• Automate to scale static resources
• And document intervention plans
Automate notification and response
• Proactively collect full or sampled web logs
• Pre-calculate profiles to compare against anomalies
• Enable DRT access for assistance
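"Proactively collect web logs" and "pre-calculate profiles to compare against anomalies" are the two preparation steps above that can be turned into code before an attack. The block below is an added, constructed example (not AWS code and not from the deck): it builds a baseline profile from a normal hour of logs (requests per minute, and the largest share a single client IP takes of any minute), then checks a later window against it and says whether a flagged minute looks like a single-source flood (a candidate for the rate-limiting on slide 32) or a distributed one. The `ts ip status uri` line layout is a simplification of a CloudFront or ALB access log, not the real format, and every line is generated.

```python
"""Constructed example: baseline profile from web logs, then anomaly check.
Not AWS code; the log format is a simplification and all lines are generated."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def parse(lines):
    """Yield (minute_bucket, client_ip, status, uri) per 'ts ip status uri' line."""
    for line in lines:
        ts, ip, status, uri = line.split()
        yield int(ts) // 60, ip, int(status), uri


def build_profile(lines):
    """Pre-computed 'normal' profile to compare live traffic against."""
    per_min, per_min_ip = Counter(), defaultdict(Counter)
    for m, ip, _, _ in parse(lines):
        per_min[m] += 1
        per_min_ip[m][ip] += 1
    counts = list(per_min.values())
    top_share = max(per_min_ip[m].most_common(1)[0][1] / per_min[m] for m in per_min)
    return {"rpm_mean": mean(counts), "rpm_std": pstdev(counts), "top_share": top_share}


def detect(profile, lines, k=3.0):
    """Flag minutes whose volume exceeds mean + k*std and say whether one source
    dominates (rate-limit it) or the flood is spread across many clients."""
    per_min, per_min_ip = Counter(), defaultdict(Counter)
    for m, ip, _, _ in parse(lines):
        per_min[m] += 1
        per_min_ip[m][ip] += 1
    threshold = profile["rpm_mean"] + k * profile["rpm_std"]
    findings = []
    for m in sorted(per_min):
        total = per_min[m]
        if total <= threshold:
            continue
        top_ip, top_n = per_min_ip[m].most_common(1)[0]
        if top_n / total > 2 * profile["top_share"]:
            findings.append((m, total, "single-source flood", top_ip))
        else:
            findings.append((m, total, "distributed flood", None))
    return findings


def make_lines(minute, n, ip_pool, status=200, uri="/"):
    """Constructed log lines: n requests inside one minute, round-robin over ip_pool."""
    return [f"{minute * 60 + (i * 60) // n} {ip_pool[i % len(ip_pool)]} {status} {uri}"
            for i in range(n)]


NORMAL_IPS = [f"203.0.113.{i}" for i in range(1, 11)]


def baseline_sample():
    """An hour of steady traffic: 20 to 24 requests per minute from ten clients."""
    lines = []
    for m in range(60):
        lines += make_lines(m, 20 + m % 5, NORMAL_IPS)
    return lines


def attack_sample():
    """Five later minutes: three normal, one single-source flood, one distributed flood."""
    lines = []
    for m in range(100, 103):
        lines += make_lines(m, 22, NORMAL_IPS)
    lines += make_lines(103, 22, NORMAL_IPS) + make_lines(103, 300, ["198.51.100.7"], uri="/search")
    lines += make_lines(104, 22, NORMAL_IPS) + make_lines(104, 200, [f"192.0.2.{i}" for i in range(100)], uri="/login")
    return lines


if __name__ == "__main__":
    profile = build_profile(baseline_sample())
    for finding in detect(profile, attack_sample()):
        print(finding)
```

The profile is the part to compute in advance and store: during an event nobody has time to work out what "normal" looks like. On real logs you would build separate profiles per hour of day and per endpoint, since a single global mean makes the threshold either too loose at night or too noisy during peak.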
- 36.
Resources
AWS Shield
https://aws.amazon.com/shield
AWS WAF
https://aws.amazon.com/waf
AWS Shield Threat Landscape Report
https://amzn.to/2C30brC
AWS Security Workshop
https://awssecworkshops.com/
AWS Best Practices for DDoS Resiliency
https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
- 37. Webinar Series
https://aws.amazon.com/webinars/hk-webinar-series/
Register for the upcoming webinars
- 38.
Remember to complete
your evaluations!
- 39.
Q&A
- 40.
Thank you!