Network security, Anti-DDoS and other Internet-side protections: Encryption in Transit (and when it’s needed), Shield, CloudFront and WAFn - Pop-up Loft TLV 2017

Network Security, Anti-DDoS
(etc)
Dave Walker
Specialist Solutions
Architect, Security
and Compliance

Agenda
• “DDoS 101”
• Challenges in DDoS Mitigation
• The AWS Approach
• AWS Shield

What is DDoS?
Distributed Denial Of Service

Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)

State-exhaustion DDoS attacks
Abuse protocols to stress systems like
firewalls, IPS, or load balancers (e.g., TCP
SYN flood)

Application-layer DDoS attacks
Use well-formed but malicious requests to
circumvent mitigation and consume
application resources (e.g., HTTP GET, DNS
query floods)

DDoS attack trends
Volumetric State exhaustion Application layer
65%
Volumetric
18%
State exhaustion
18%
Application layer

65%
Volumetric
18%
State exhaustion
18%
Application layer
DDoS attack trends
SSDP reflection attacks are very
common
Reflection attacks have clear signatures,
but can consume available bandwidth.

65%
Volumetric
18%
State exhaustion
18%
Application layer
DDoS attack trends
Other common volumetric attacks:
NTP reflection, DNS reflection,
Chargen reflection, SNMP reflection

65%
Volumetric
18%
State exhaustion
18%
Application layer
DDoS attack trends SYN floods can look like real
connection attempts
And on average, they are larger in
volume. They can prevent real users
from establishing connections.

65%
Volumetric
18%
State exhaustion
18%
Application layer
DDoS attack trends
DNS query floods are real DNS requests
These can continue for hours and exhaust the
available resources of the DNS server.

65%
Volumetric
18%
State exhaustion
18%
Application layer
DDoS attack trends
Other common application
layer attacks:
HTTP GET flood, Slowloris

Challenges in mitigating DDoS attacks

Difficult to enable
Complex set-up Provision bandwidth
capacity
Application re-architecture

Manual involvement
Operator involvement to
initiate mitigation
Re-route traffic via distant
scrubbing location
Increased time to
mitigate
Traditional
Datacenter

Traffic re-routing = Increased latency for users
Traditional
Datacenter

Expensive to use

AWS approach to DDoS protection

At AWS, our goal has always been to …
Remove undifferentiated
heavy-lifting
Automatically protected
against common attacks
Ensure availability
AWS services are highly
available

DDoS protections built into AWS
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers

DDoS protections built into AWS
 Protection against most common
infrastructure attacks
 SYN/ACK Floods, UDP Floods,
Refection attacks etc.
 No additional cost
DDoS mitigation
systems
DDoS Attack
Users

Customers keep asking …
Does AWS protect me
from DDoS attacks?
What about large
DDoS attacks?
How can I get visibility
when I get attacked?
Does AWS protect
me from application
layer attacks?
Scaling for
DDoS attacks
is expensive.
I want to talk to
DDoS experts.

AWS Shield
A Managed DDoS Protection Service

AWS Shield
Standard Protection Advanced Protection
Available to ALL AWS customers at
No Additional Cost
Paid service that provides additional
protections, features and benefits.

AWS Shield
AWS Integration
DDoS protection
without infrastructure
changes
Affordable
Don’t force unnecessary
trade-offs between cost and
availability
Flexible
Customize protections
for your applications
Always-On Detection
and Mitigation
Minimize impact on application
latency
Four key pillars…

AWS Shield Standard
Layer 3/4 protection
 Automatic detection & mitigation
 Protection from most common
attacks (SYN/UDP Floods, Reflection
Attacks, etc.)
 Built into AWS services
Layer 7 protection
 AWS WAF for Layer 7 DDoS attack
mitigation
 Self-service & pay-as-you-go

AWS Shield Standard
Better protection than ever for your applications running on AWS
• Improved mitigations using proprietary BlackWatch systems
• Additional mitigation capacity
• Commitment to continuously improve detection and mitigation
• Still at no additional cost

AWS Shield Advanced
Managed DDoS Protection

AWS Shield Advanced
Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53
Available today on …

AWS Shield Advanced
Available today in …
US East (N. Virginia) us-east-1
US West (Oregon) us-west-2
EU (Ireland) eu-west-1
Asia Pacific (Tokyo) ap-northeast-1

AWS Shield Advanced
Announcing AWS WAF for Application Load Balancer
Application Load BalancerAWS WAF
Valid users
Attackers
X

AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

Always-on monitoring and detection
Network flow monitoring Application traffic monitoring

Signature based detection
Heuristics-based
anomaly detection
Baselining

Detects anomalies based on attributes such as:
• Source IP
• Source ASN
• Traffic levels
• Validated sources
Heuristics-based anomaly detection

Continuously baselining normal traffic patterns
• HTTP Requests per second
• Source IP Address
• URLs
• User-Agents
Baselining

Advanced DDoS protection
Layer 7
application
protection
Layer 3/4
infrastructure
protection

Layer 3/4 infrastructure protection
Advanced mitigation techniques
Deterministic
filtering
Traffic prioritization
based on scoring
Advanced routing
policies

Automatically filters malformed TCP
packets
• IP checksum
• TCP valid flags
• UDP payload length
• DNS request validation
Deterministic filtering

Low suspicion attributes
Normal packet or request header
Traffic composition and volume is typical
given its source
Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
Traffic prioritization based on scoring

• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
High-suspicion
packets dropped
Low-suspicion
packets retained

• See this in action at
https://www.youtube.com/watch?v=w9fSW6qMktA&feature=youtu.be&lis
t=PLhr1KZpdzukfYBoBNGKS3axyHW9-JClQb

• Distributed scrubbing and bandwidth
capacity
• Automated routing policies to absorb large
attacks
• Manual traffic engineering
Advanced routing policies

• Advanced routing capabilities
• Additional mitigation capacity
Additional protections against larger and more sophisticated
attacks

AWS WAF – Layer 7 application protection
Web traffic filtering
with custom rules
Malicious request
blocking
Active monitoring
and tuning

Three modes of operation
Self-service Engage DDoS experts Proactive DRT engagement

AWS WAF included at no additional
cost
Self-service

1. You engage the AWS DDoS Response Team (DRT)
2. DRT triages attack
3. DRT assists you with creating AWS WAF rules
Engage DDoS experts

1. Always-on monitoring engages the AWS DDoS
Response Team (DRT)
2. DRT proactively triages DDoS attack
3. DRT creates AWS WAF rules (prior
authorization required)
Proactive DRT engagement

Attack notification and reporting
Attack monitoring
and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports

24x7 access to DDoS Response Team
Critical and urgent priority cases are
answered quickly and routed directly
to DDoS experts
Complex cases can be escalated to
the AWS DDoS Response Team
(DRT), who have deep experience in
protecting AWS as well as
Amazon.com and its subsidiaries

24x7 access to DDoS Response Team
Before Attack
Proactive consultation and
best practice guidance
During Attack
Attack mitigation
After Attack
Post-mortem
analysis

AWS cost protection
AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53

• No commitment
• No additional cost
AWS DDoS Shield: Pricing
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees
Data Transfer Price ($ per GB)
CloudFront ELB
First 100 TB $0.025 0.050
Next 400 TB $0.020 0.040
Next 500 TB $0.015 0.030
Next 4 PB $0.010 Contact Us
Above 5 PB Contact Us Contact Us

For protection against most
common DDoS attacks, and
access to tools and best
practices to build a DDoS
resilient architecture on AWS.
AWS DDoS Shield: How to choose
For additional protection against
larger and more sophisticated
attacks, visibility into attacks,
AWS cost protection, Layer 7
mitigations, and 24X7 access to
DDoS experts for complex cases.

You get it automatically
AWS Shield: Getting started
Enable via the AWS Console

More IDS / IPS (and, in fact, WAF)

AWS WAF
• Not the world's intrinsically-smartest WAF
• Understands XSS, SQLi, outssize packets
But:
• Located in CloudFront – so, closest to the Threat Actors
• Highly programmable (by customers as well as our nice DRT folk)
• ...

Enhancing AWS WAF Smartness, Option 1
• "Lambdafy All The Things!"
• https://aws.amazon.com/blogs/security/how-to-import-ip-address-
reputation-lists-to-automatically-update-aws-waf-ip-blacklists/
• aka "write a Lambda function to":
• periodically query well-known Realtime Blackhole Lists (Spamhaus et al)
• transform the list contents into AWS WAF rules
• populate your AWS WAF instances with them
• Pick another property, apply the same principles...

Enhancing AWS WAF Smartness, Option 2
• ...or have an AWS Marketplace product do it for you!
• Currently, Imperva, Alert Logic, Trend Micro have AWS WAF
integrations
• (others are working on it)
• Trend Micro have open-sourced their integration code:
• https://github.com/deep-security/aws-waf

Where and Why?
Across the Internet: of course
• https session termination
• in ELB / ALB?
• in CloudFront?
• in EC2 instances?
• Within a VPC...?
• HIPAA mandates it for in-scope services
• PCI-DSS doesn't
• Control 4 says "encrypt across public networks"
• Audit reports assert a VPC isn't a public network...

Options
• DIY (with S3 and KMS)
• EC2 Systems Manager Parameter Store
• Note:
• "The Magic's in the Scoping"
• In the following, KMS isn't in-scope for HIPAA and EC2 Systems
Manager Parameter Store and Run Command have yet to integrate
into our audit cycles at time of writing, but they don't touch PHI / CVV /
PAN / other data defined as sensitive...!

Formerly the Only Option: DIY
instances
instance

instances
instance
instance

instances
instance
long-term security
credential
instance

instances
instance
AWS
KMS
long-term security
credential
data encryptionkey
instance

instances
instance
AWS
KMS
dataencryptionkey
long-term security
credential
data encryptionkey
instance

instances
instance
AWS
KMS
dataencryptionkey
long-term security
credential
bucket
data encryptionkey
instance

instances
instance
AWS
KMS
dataencryptionkey
long-term security
credential
bucket
data encryptionkey
instance VPC Private Endpoint

instances
instance
AWS
KMS
dataencryptionkey
role
long-term security
credential
bucket
data encryptionkey
instance
role
VPC Private Endpoint

instances
instance
AWS
KMS
dataencryptionkey
role
long-term security
credential
bucket
data encryptionkey
instance
role
ARN of encrypted
https key in S3 bucket
ARN of data
encryption key in KMS
Instance UserData
VPC Private Endpoint

EC2 Systems Manager
Parameter Store

Parameter Store
• Centrally store and find configuration and access data
• Repeatable, automatable management (e.g. SQL
connection strings)
• Granular access control – view, use and edit values per
parameter
• Encrypt sensitive data at rest in-store using your own AWS
KMS keys

Parameter Store – Getting started
• Parameter: Key-value pair
• Secure Strings: Encrypt sensitive parameters with your
own KMS or default account encryption key
• Reuse: In Documents and easily reference at runtime
across EC2 Systems Manager using {{ssm:parameter-
name}}
• Access Control: Create an IAM policy to control access
to specific parameter

Creating and using a parameter
aws ssm put-parameter
--name myprivatekey
--type string
--value “-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAzU6TMCsU2DtMUJf6Hc/bwilmWI6yOamzg...”
aws ssm send-command
--name AWS-DistributePrivateKey
--parameters commands=[“echo {{ssm:myprivatekey}} >
/etc/apache2/key.priv”]
--target Key=tag:Name,Values=WebServer

Dave Walker
davwal@amazon.com
Your feedback
is important to
us!

Network security, Anti-DDoS and other Internet-side protections: Encryption in Transit (and when it’s needed), Shield, CloudFront and WAFn - Pop-up Loft TLV 2017

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Network security, Anti-DDoS and other Internet-side protections: Encryption in Transit (and when it’s needed), Shield, CloudFront and WAFn - Pop-up Loft TLV 2017

Similar to Network security, Anti-DDoS and other Internet-side protections: Encryption in Transit (and when it’s needed), Shield, CloudFront and WAFn - Pop-up Loft TLV 2017 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Network security, Anti-DDoS and other Internet-side protections: Encryption in Transit (and when it’s needed), Shield, CloudFront and WAFn - Pop-up Loft TLV 2017