AWS WAF – How to protect your site from DDoS
Web attacks like SQL injection and Cross-Site Scripting can be devastating, resulting in massive
data breaches, customer turnover, notification costs, lawsuits, and fines.
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that
are forwarded to Amazon CloudFront and lets you control access to your content. Based on
conditions that you specify, such as the IP addresses that requests originate from, or the
values of query strings, CloudFront responds to requests either with the requested content or
with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a
custom error page when a request is blocked.
The first illustration shows an infrastructure trying to respond to all requests,
an approach that exhausts the web server’s resources. The second illustration
shows a resilient infrastructure that uses AWS WAF, which blocks requests
originating from blacklisted sources.
AWS WAF is a relatively new service only recently brought out of Beta. This
service is tightly coupled to the CloudFront CDN service. The WAF service
reviews traffic that is passing through the CDN and, based off defined rules,
tells the CDN to either block or allow the traffic. To use this service, all site
traffic must pass through a CloudFront CDN.
AWS WAF helps prevent many kinds of attack, but DDoS is the most common
form of attack and also the most difficult to curb, so let us start with
what exactly a DDoS attack is.
DDoS Attacks
A Denial of Service (DoS) attack is an attack that can make your website or
application unavailable to end users. To achieve this, attackers use a variety of
techniques that consume network or other resources, disrupting access for
legitimate end users.
Diagram of a DoS attack
In its simplest form, a DoS attack against a target is executed by a lone
attacker from a single source, as shown below:
In the case of a Distributed Denial of Service (DDoS) attack, an attacker uses
multiple sources—which may be compromised or controlled by a group of
collaborators—to orchestrate an attack against a target. As illustrated below,
in a DDoS attack, each of the collaborators or compromised hosts participates
in the attack, generating a flood of packets or requests to overwhelm the
intended target.
Diagram of a DDoS attack
DDoS attacks are most common at layers 3, 4, 6, and 7 of the Open Systems
Interconnection (OSI) model, which is described in the above table. Layer 3
and 4 attacks correspond to the Network and Transport layers of the OSI
model. This distinction is important because the attack types directed at these
layers are different and so different techniques are used to build resiliency.
Architecture Implications
WAF can be implemented as a CloudFormation stack as illustrated in the
image below:
The CloudFormation stack works as follows:
1. All web requests are passed through a CloudFront CDN network. All
request data is persisted to log files that reside on S3 buckets.
2. For every new request log file that is persisted, a Lambda function is
triggered to analyse the log file data. The Lambda function reviews the
traffic patterns and then updates the WAF block list based on the defined
rules.
3. The WAF device blocks entry to the Elastic Load Balancer based on the
source IP address.
Features - Web Traffic Filtering
Traffic filtering is accomplished by creating specific web request conditions,
which are then grouped into rules. These rules are then associated with a
CloudFront distribution through a web access control list.
Condition - Define the basic characteristics that you want AWS WAF to watch for in web
requests.
1. Scripts that are likely to be malicious. Attackers embed scripts that can exploit
vulnerabilities in web applications; this is known as cross-site scripting.
2. The IP addresses or address ranges that requests originate from.
3. The length of specified parts of the request (Header, HTTP method, URI, body or
query string).
4. SQL code that is likely to be malicious. Attackers try to extract data from your
database by embedding malicious SQL code in a web request; this is known as SQL
injection.
5. Strings that appear in the request (Header, HTTP method, URI, body or query
string), for example, values that appear in the User-Agent header or text strings
that appear in the query string.
Some conditions take multiple values. For example, you can specify up to 1000 IP
addresses or IP address ranges in an IP condition.
Rules
You combine conditions into rules to precisely target the requests that you
want to allow or block.
When a rule includes multiple conditions, AWS WAF looks for requests that
match all those conditions — it ANDs the conditions together.
Web Access Control Lists (ACLs)
Finally, you combine rules into a Web ACL. This is where you define an action
for each rule—allow, block, or count—and a default action. A Web ACL is also
associated to a CloudFront resource. This allows you to have a set of rules and
actions for multiple web sites.
When a web request matches all of the conditions in a rule, AWS WAF can
either allow the request to be forwarded to CloudFront or block the request.
For testing purposes, you can instruct WAF to count the requests and evaluate
their behaviour later. You specify the action that you want AWS WAF to
perform for each rule.
At the simplest level, AWS WAF lets you choose one of the following behaviours:
1. Allow all requests except the ones that you specify – This is useful when you want
CloudFront to serve content for a public website but you also want to block requests
from attackers.
2. Block all requests except the ones that you specify – This is useful when you want
CloudFront to serve content for a restricted website whose users are readily identifiable
by properties in web requests, such as the IP addresses they use to browse to the
website.
3. Count the requests that match the properties that you specify – When you want to allow
or block requests based on new properties in web requests, you can first configure AWS
WAF to count the requests that match those properties without allowing or blocking
those requests. This lets you confirm that you didn’t accidentally configure AWS WAF to
block all of the traffic to your website. When you’re confident that you specified the
correct properties, you can change the behaviour to allow or block requests.
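The condition, rule and Web ACL semantics described above (conditions in a rule are ANDed, a count rule records the match but does not stop evaluation, the default action applies when no rule decides) as a small evaluation model on constructed requests. This is an added example, not AWS code; the request dictionary shape, the rule names and the block-list addresses are assumptions made for the demonstration.

```python
"""Toy model of AWS WAF evaluation: conditions -> rules -> Web ACL.
Added example, not AWS code; it mirrors the documented semantics on
constructed requests so the AND, COUNT and default-action behaviour can
be seen end to end."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A request is modelled as a flat dict (assumption): ip, method, uri, query,
# body, plus "headers:<name>" entries for individual headers.
Request = Dict[str, str]
Predicate = Callable[[Request], bool]


def ip_match(cidrs: List[str]) -> Predicate:
    """IP condition: the client address falls in one of the listed ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r["ip"]) in n for n in nets)


def size_constraint(part: str, max_len: int) -> Predicate:
    """Size condition: the named request part is longer than max_len."""
    return lambda r: len(r.get(part, "")) > max_len


def string_match(part: str, needle: str) -> Predicate:
    """String condition: the named request part contains needle (case folded)."""
    return lambda r: needle.lower() in r.get(part, "").lower()


@dataclass
class Rule:
    name: str
    action: str                                   # ALLOW, BLOCK or COUNT
    conditions: List[Tuple[Predicate, bool]]      # (predicate, negated)

    def matches(self, r: Request) -> bool:
        # AND semantics: every condition (after negation) must hold.
        return all(pred(r) != negated for pred, negated in self.conditions)


@dataclass
class WebACL:
    default_action: str                           # ALLOW or BLOCK
    rules: List[Rule]                             # in priority order
    counts: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, r: Request) -> str:
        for rule in self.rules:
            if not rule.matches(r):
                continue
            if rule.action == "COUNT":
                # Recorded for later review; evaluation continues.
                self.counts[rule.name] = self.counts.get(rule.name, 0) + 1
                continue
            return rule.action                    # first ALLOW/BLOCK decides
        return self.default_action


def public_site_acl() -> WebACL:
    """'Allow all except' mode: default ALLOW, block known-bad sources, count a
    new property before committing to blocking on it."""
    return WebACL(default_action="ALLOW", rules=[
        Rule("block-blacklist", "BLOCK", [(ip_match(["203.0.113.0/24"]), False)]),
        Rule("count-long-query", "COUNT", [(size_constraint("query", 200), False)]),
        Rule("block-scraper", "BLOCK", [
            (string_match("headers:user-agent", "scrapebot"), False),
            (string_match("uri", "/static/"), True),   # negated: not static assets
        ]),
    ])


def restricted_site_acl(allowed_cidrs: List[str]) -> WebACL:
    """'Block all except' mode: default BLOCK, allow identifiable users by IP."""
    return WebACL(default_action="BLOCK", rules=[
        Rule("allow-known-ips", "ALLOW", [(ip_match(allowed_cidrs), False)]),
    ])


if __name__ == "__main__":
    acl = public_site_acl()
    req = {"ip": "198.51.100.9", "uri": "/products", "query": "q=" + "a" * 300,
           "headers:user-agent": "Mozilla/5.0"}
    print(acl.evaluate(req), acl.counts)        # ALLOW {'count-long-query': 1}
```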
Full Feature API
Combining the core WAF Web Traffic Filtering features with some of the AWS
services you can make the rules dynamic. For example, it is possible to
temporarily block IP Addresses based off request volume – shutting down
bots or screen scraping processes.
There are several CloudFormation templates that can jump-start setting up
some of these dynamic rules.
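The Lambda step of the CloudFormation stack described under Architecture Implications and the request-volume blocking mentioned here, as one added example that is not the stack's own code: it counts requests per client IP in a CloudFront access log, diffs the result against the current block list and builds the classic AWS WAF UpdateIPSet payload. The per-IP threshold, the sample log, the IP set id and the fake client are assumptions made for the demonstration.

```python
"""Request-volume block list builder for the log-analysis Lambda.
Added example, not the stack's own code.  Assumes (not from the page): a
per-IP request threshold per log file, a CloudFront W3C-style access log,
and the classic AWS WAF UpdateIPSet payload shape."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# The page notes that an IP condition holds at most 1000 addresses or ranges.
MAX_IP_SET_ENTRIES = 1000

# Constructed sample log (tab separated).  The #Fields header names the
# columns, so the parser finds c-ip by name instead of by position.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status\n"
    "2016-03-01\t10:00:01\tIAD12\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/login\t200\n"
    "2016-03-01\t10:00:01\tIAD12\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/login\t200\n"
    "2016-03-01\t10:00:02\tIAD12\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/login\t200\n"
    "2016-03-01\t10:00:02\tIAD12\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/login\t200\n"
    "2016-03-01\t10:00:03\tIAD12\t812\t198.51.100.2\tGET\td111.cloudfront.net\t/\t200\n"
    "2016-03-01\t10:00:03\tIAD12\t812\t2001:db8::1\tGET\td111.cloudfront.net\t/\t200\n"
)


def count_requests_per_ip(log_text: str) -> Counter:
    """Count requests per client IP, locating the c-ip column via #Fields."""
    counts: Counter = Counter()
    ip_col = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            ip_col = line.split()[1:].index("c-ip")   # drop the "#Fields:" token
            continue
        if not line or line.startswith("#"):
            continue
        if ip_col is None:
            raise ValueError("data row before #Fields header")
        counts[line.split("\t")[ip_col]] += 1
    return counts


def find_offenders(counts: Counter, threshold: int) -> List[str]:
    """Addresses that sent more than threshold requests in this log file."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def to_descriptor(ip: str) -> Dict[str, str]:
    """Classic WAF IPSetDescriptor; a single host is /32 (IPv4) or /128 (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return {"Type": "IPV4", "Value": f"{addr}/32"}
    return {"Type": "IPV6", "Value": f"{addr}/128"}


def build_ip_set_updates(offenders: Iterable[str], currently_blocked: Iterable[str]) -> List[dict]:
    """Diff desired vs. current block list: INSERT new offenders, DELETE
    addresses that have gone quiet, which is what keeps the block temporary."""
    want, have = set(offenders), set(currently_blocked)
    if len(want) > MAX_IP_SET_ENTRIES:
        raise ValueError(f"block list exceeds the {MAX_IP_SET_ENTRIES}-entry IP condition limit")
    updates = [{"Action": "INSERT", "IPSetDescriptor": to_descriptor(ip)} for ip in sorted(want - have)]
    updates += [{"Action": "DELETE", "IPSetDescriptor": to_descriptor(ip)} for ip in sorted(have - want)]
    return updates


def apply_updates(waf_client, ip_set_id: str, updates: List[dict]) -> int:
    """Classic WAF needs a fresh change token per mutation.  waf_client is a
    boto3 'waf' client or any object with get_change_token/update_ip_set."""
    if not updates:
        return 0
    token = waf_client.get_change_token()["ChangeToken"]
    waf_client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    return len(updates)


class FakeWafClient:
    """Records calls instead of talking to AWS, so the demo runs offline."""
    def __init__(self):
        self.calls = []

    def get_change_token(self):
        return {"ChangeToken": "constructed-token"}

    def update_ip_set(self, **kwargs):
        self.calls.append(kwargs)


def handle_log_file(log_text: str, threshold: int, currently_blocked: Iterable[str],
                    waf_client, ip_set_id: str = "IPSET-ID-PLACEHOLDER") -> Tuple[List[str], List[dict]]:
    """What the Lambda does for each newly persisted log file."""
    offenders = find_offenders(count_requests_per_ip(log_text), threshold)
    updates = build_ip_set_updates(offenders, currently_blocked)
    apply_updates(waf_client, ip_set_id, updates)
    return offenders, updates


if __name__ == "__main__":
    client = FakeWafClient()
    print(handle_log_file(SAMPLE_LOG, 3, [], client))
```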
You can view the AWS WAF pricing list and the limits on entities in the AWS documentation.
Thank you...