Cloud-Native DDoS Mitigation - AWS Online Tech Talks

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Venkat Vijayaraghavan
Product Manager, AWS Perimeter Protection (WAF & Shield)
Cloud-Native DDoS Attack Mitigation
Dec 14, 2017

Today’s Objectives
 Overview of DDoS attacks and other threats
 Evolution of DDoS mitigation strategy
 Three Pillars: Cloud Native App Protection
 Built-in Protections
 Tools For Customized Protections
 Advanced Protection

Types of Threats on Your Application
Application
Ping of Death | ICMP Flood | Teardrop
SYN/ACK Flood | UDP Flood | Reflection
Presentation
Session
Transport
Network
Data Link
Physical
Operated & Protected by AWS
HTTP Flood, App exploits, SQL Injection, Bots, Crawlers,
SSL Abuse, Malformed SSL

On-Premise Cloud-Routed Cloud-Native
Evolution of DDoS Mitigation

 Scale network and fixed
infrastructure to mitigate DDoS
attacks on-site
 Visibility and control
 Large capital expenditures,
maintenance costs, and in-house
expertise
On Premise

 Route traffic to other networks for
better mitigation capacity, managed
services
 Mitigate larger DDoS attacks without
upfront investment or in-house
expertise
 Black box solution – can introduce
latency, additional points of failure,
increased operating costs
Cloud Routed

 Automatic, always-on DDoS protection for
all applications on AWS
 Leverage 16 AWS Regions and 100+
CloudFront Edge Locations to mitigate large
attacks close to the source
 Simple, flexible, and affordable
 Robust capabilities without undifferentiated
heavy-lifting
Cloud Native

What is Different in AWS Cloud

Three Pillars: Cloud Native App Protection
Built-in Protection
for Everyone
Optional Advanced
DDoS Protection
Tools for Customized
Protections

Built-in Protection for Everyone
 Automatic defense against the most common
network and transport layer DDoS attacks for any
AWS resource, in any AWS Region
 Comprehensive defense against all known network
and transport layer attacks when using Amazon
CloudFront and Amazon Route 53
 SYN Floods, UDP Floods, Reflection Attacks, etc.
AWS Shield Standard

For attacks on Amazon CloudFront & Amazon Route 53
Over 99% of Network & Transport layer attacks detected by AWS Shield
are mitigated in less than 1 second

AWS Shield Standard Automatically Mitigates Several DDoS Attacks Everyday
Source: AWS Global Threat Dashboard (Available for Shield Advanced customers)

 DNS Header Validations
 Good vs Bad Resolvers
 Priority Based Traffic Shaping
 Shuffle sharding and Anycast striping
Amazon Route 53

 Only Accepts valid HTTP/TCP Requests
 Automatically drop traffic on non HTTP Ports
 Protection Against Slow Reads (Slowloris)
 Safeguards Against SSL Abuse (E.g. Perfect
Forward Secrecy)
 Web Server Offload (E.g., Request Collapsing)
Amazon CloudFront

Intro 101
Slack Uses Amazon CloudFront as a Proxy

Slack Uses CloudFront as a Proxy
 Looking for DDoS Protection
 CloudFront & Shield Filters Malicious Traffic
Automatically
 Highly Reliable & Performant Compared to
other DDoS or CDN providers
 Tight Integration with Other AWS services like
ELB

Their CloudFront Configuration:
 Caching Disabled
 Forward All Headers, Cookies, & Query strings
 TLS Termination at Edge (TLS Back to ELBs)

Before
After

Amazon
Route 53
ALB Security Group
Amazon
EC2
Instances
Application
Load Balancer
Amazon
CloudFront
Public Subnet
Web Application
Security Group
Private Subnet
DDoS Attack
Users
Globally distributed attack
mitigation capability
SYN proxy feature that verifies
three-way handshake before
passing to the application
Slowloris mitigation that reaps
long-lived collections
Mitigates complex attacks by
allowing only the most reliable
DNS queries
Validates DNS
Summary: A DDoS Resilient Architecture

Built-in Protection
for Everyone
Optional Advanced
DDoS Protection
Protections

Tools for Customized Protections
Choosing an
address range
Setting up subnets in
Availability Zones
Creating a route to
the Internet
Authorizing traffic
to/from the VPC
VPC Security Groups

Fast Incident
Response
Preconfigured
Protection
APIs for
Automation
Flexible Rule
Language
AWS WAF
Designed to help you defend against common web application exploits

AWS WAF Key Features
 Geo Based Rules
 Rate Based Rules
 Customizable Regex Rules
 Built-in Rules: SQLi, XSS, and Pre-Configured Templates for
Common Protections

Intro 101
eVitamins uses AWS WAF to Protect their Web
Applications Against Common Threats

eVitamins uses AWS WAF for Common Threats
 DDoS was a Significant Availability Risk
 Bots & Crawlers caused Operational Burden
 Need Application Threat Protection
 Need Customizable Protection for their Application

 Deployed CloudFront For DDoS Protection
 AWS WAF Bad Bot Protection
• IP Reputation List
• “Honeypot” solutions
• Automated crawler protection using AWS
Lambda & WAF Integration
 AWS WAF rules for SQL Injection and XSS
 1-click CloudFormation Templates

 Literally, No Website Downtime due to DDoS
 Attacks on the Application Layer reduced by 90%
 Automations Decreased Response Time by 90%

Amazon
Route 53
ALB Security Group
Amazon
EC2
Instances
Application
Load Balancer
Amazon
CloudFront
Public Subnet
Web Application
Security Group
Private Subnet
DDoS Attack
Users
Globally distributed attack
mitigation capability
SYN proxy feature that verifies
three-way handshake before
passing to the application
Slowloris mitigation that reaps
long-lived collections
Mitigates complex attacks by
allowing only the most reliable
DNS queries
Validates DNS
Summary: A DDoS Resilient Architecture
Provides flexible rule language
to block or rate-limit malicious
requests

Built-in Protection
for Everyone
Advanced
Protection
Protections

AWS Shield Advanced Detection
 Additional Protection Against Large & Sophisticated
Attacks
 Fast escalation to the AWS DDoS Response Team
(DRT) to assist with complex cases (like HTTP flood)
 Attack visibility and enhanced detection
 Cost Protection to mitigate economic attack vectors
 AWS WAF for application-layer defense, at no
additional cost
AWS Shield Advanced
A Managed DDoS Protection service

Aggs
Aggs
Aggs
Aggs
Pin
Agg
Evaluators

Customer A
Customer B
Aggs
Aggs
Aggs
Aggs
Pin
Agg
Evaluators

Aggs
Aggs
Aggs
Aggs
Pin
Agg
Evalu
ators
Customer B
Customer A
DB
Shield
API
Cloud
Watch

Advanced Protection
AWS WAF Managed Rules
 Managed Rules Written by Security Experts
 Choice of Protections from Various Security
Vendors
 Automatically updated Rules
 Purchase from AWS Marketplace
 Pay-as-you-go Pricing. No Long Term
Commitments

AWS WAF Managed Rules: Featured Sellers

Advanced Protection
AWS WAF Managed Rules
Very Easy to Enable
Go To AWS WAF Console
Discover & Subscribe to
Managed Rules
Associate with to your AWS
WAF web ACL

Summary: TakeAways
AWS Automatically Protects You Against DDoS Attacks
Using Amazon CloudFront & Amazon Route 53
AWS Gives Additional Tools For Customizations
Using AWS WAF & VPC Security Groups
AWS Also Provides Optional Advanced Protection
Using AWS Shield Advanced & AWS WAF Managed Rules

Cloud-Native DDoS Mitigation - AWS Online Tech Talks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cloud-Native DDoS Mitigation - AWS Online Tech Talks

Similar to Cloud-Native DDoS Mitigation - AWS Online Tech Talks (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Cloud-Native DDoS Mitigation - AWS Online Tech Talks