
Best Practices to Mitigate from the Emerging Vectors of Network Attack

3,154 views


  1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. Best Practices to Mitigate from the Emerging Vectors of Network Attack. Cybil Chiu, Business Development Manager; Kwunhok Chan, Solutions Architect
  2. Webinar Series: https://aws.amazon.com/webinars/hk-webinar-series/
  3. Attack Threats and Trends
  4. Why does it matter?
     • Financial impact: an attack that brings down your server ends up as lost revenue. You could scale massively, but that just translates to increased infrastructure expense. Even without an actual attack, DDoS threats are being used for extortion. Any combination of these results in a hit to your brand reputation.
     • Availability: attacks can last for hours and even days.
     • Security: some attacks are less about availability and more about stealing or infecting data.
  5. Why are you attacked? The slide quotes an extortion message:
     This message is only for your company. Send this information to your boss. We have completed network reconnaissance of your infrastructure. We studied the algorithms of your protection against DDoS. We are ready to crash your servers and disturb normal work of your trading platform.
     This is a small part of our power:
     L7; Botnet #1 - https://prnt.sc/kuyt6x - 3 500 000 requests per second. Botnet #2 - https://prnt.sc/kuyu60 - 450 000 requests per second. Botnet #3 - https://prnt.sc/kuywzf - 2 000 000 requests per second.
     L4; #1 - https://prnt.sc/kuyxjj #2 - https://prnt.sc/kuyxx8 #3 - https://prnt.sc/kuyy3r #4 - https://prnt.sc/kuyyah Total L4 power now - more than 1.3 TB/S UDP and 240 000 000 packets per second TCP.
     We know that you will be able to reflect the attack, but it will take at least 12-24 hours. Undoubtedly you will incur monetary losses.
     What we want? 5 BTC (it's just dust for you) to 1Kd4f6NCuk5tBdvcj5und8xxBoSZnxaPsM
     Your losses from the attack can be much greater. We are waiting until October 2. If you do what we want - we will help you fix some network bugs. If no - we will be forced to act. We do not say goodbye.
     TGF6YXJ1cyBIYWNrZXJzISBOb3J0aCBLb3JlYSBQb3dlciE=
  6. AWS Attack Landscape
  7. Growth of Volumetric Attacks: chart of the largest DDoS attacks per year in Gbps, 2007 to 2019 (y-axis 0 to 1800 Gbps), with the Memcached attacks and the Mirai attacks highlighted.
  8. Recent Trends (Q1 2020 compared with Q1 2019):
     • 310,954 attacks observed in Q1 2020, a 23% increase
     • 2.3 Tbps largest attack observed (bits) in Q1 2020, a 188% increase
     • 293.1 Mpps largest attack observed (packets) in Q1 2020, a 13% increase
     • 694,210 rps largest attack observed (requests) in Q1 2020, a 31% decrease
  9. Common External Threats
     • Denial of Service: SYN floods, reflection attacks, web request floods
     • App vulnerabilities: SQL injection, cross-site scripting (XSS), OWASP Top 10, Common Vulnerabilities and Exposures (CVE)
     • Bad bots: crawlers, content scrapers, scanners & probes
  11. Traditional Challenges of DDoS Mitigation
     • 1. Difficult to enable: complex to set up; need to provision bandwidth capacity; need to re-architect applications
     • 2. Sub-optimal incident response: manual intervention required; re-routing traffic to scrubbing locations
     • 3. Degraded performance: scrubbing centers may be far from your servers, leading to added latency
     • 4. Increased time to mitigate: manual intervention and re-routing take precious moments away from incident response
     • 5. Expensive to use: due to the size, duration and complex nature of mitigation systems, it becomes prohibitively expensive in some cases
  12. AWS Approach to DDoS Protection
  13. Protecting the Application Perimeter
     • AWS Shield Standard: protects AWS services against common DDoS attacks
     • AWS Shield Advanced: managed threat protection that blocks DDoS attacks, vulnerability exploitation, and bad bots
     • AWS WAF: protects web applications by allowing you to write custom rules or choose managed rules from AWS or the AWS Marketplace
     • AWS Firewall Manager: centrally configure and manage security rules across accounts and applications
     • AWS Shield Advanced includes WAF & FMS at no additional cost
  14. AWS Shield Advanced: Managed Threat Protection
     • Easy to configure without changing your application architecture
     • Comprehensive protection against DDoS attack vectors
     • Near-real time event visibility
     • Protection from economic attack vectors
  15. Benefits of AWS Shield Standard and Shield Advanced (built up over slides 15 to 18)
     • Pre-configured protection: Point and Protect wizard
     • Detection and mitigation: faster mitigation, customized to your application; 24x7 access to the DDoS Response Team (DRT)
     • Near-real time event visibility: CloudWatch metrics, attack diagnostics, Global Threat Environment dashboard, quarterly security report
     • Protection from economic attack vectors: AWS WAF at no additional cost for protected resources; AWS Firewall Manager at no additional cost; cost protection for scaling
  19. Let's see Shield Advanced in action
  20. Use Case: Pokemon GO. Challenges: massive increase in users & traffic; DDoS attack / bot / scanner; quick deployment; low latency; superior analytics logging
  22. Application threats and bad bots (diagram): good users and bots, and bad guys, both reach the web server and database. Threats shown: SQL injection, application exploits, bad bots, content scrapers, scanners & probes, crawlers.
  23. AWS WAF: "A web application firewall designed to help you defend against common web application exploits." Fast incident response; managed rulesets; APIs for automation; flexible rule language.
  24. AWS WAF Request Process (built up over slides 24 to 27)
     • Step 1: HTTP/HTTPS request made for content to Amazon CloudFront
     • Step 2: Amazon CloudFront checks if the request requires WAF
     • Step 3: WAF reviews the request and instructs Amazon CloudFront to allow or deny it; allowed content is delivered via Amazon CloudFront, and for denied requests an error page is delivered by Amazon CloudFront
     • Step 4: WAF sends a metric to Amazon CloudWatch; rules can be updated via API
  28. AWS WAF – Security Automations: https://amzn.to/30VgbEe
  29. AWS Marketplace rule groups
     • Pre-defined rules written by AWS Partners
     • Designed for different purposes, e.g. specific applications such as WordPress, or OWASP Top 10 vulnerabilities
     • Automatically updated as threats emerge
     • No long-term contracts
  30. AWS WAF Console Walkthrough
  31. Architecting for DDoS Resiliency
  32. DDoS-resilient Architecture (diagram): users and the DDoS attack enter through Amazon Route 53 and Amazon CloudFront with AWS WAF; inside the AWS Cloud VPC a public subnet holds the Application Load Balancer (in its own security group) and a private subnet holds the web application instances in an Auto Scaling group (in their own security group). Callouts on the diagram:
     • Globally distributed attack mitigation capability
     • SYN proxy feature that verifies the three-way handshake before passing the connection to the application
     • Slowloris mitigation that reaps long-lived connections
     • Amazon Route 53 mitigates complex attacks by allowing only the most reliable DNS queries, and validates DNS
     • AWS WAF provides a flexible rule language to block or rate-limit malicious requests
  33. "Are you Well-Architected?" Werner Vogels
  34. Pillars of the Well-Architected Framework: Security, Reliability, Performance Efficiency, Cost Optimization, Operational Excellence
  35. Planning for DDoS response
     • Shared responsibility: we're in this together
     • What can you do to be prepared? Architect with security and availability in mind from the beginning
     • Architect for scale: use Auto Scaling resources to scale up instance sizes and scale out instance count; automate scaling of static resources; document intervention plans
     • Automate notification and response: proactively collect full or sampled web logs; pre-calculate traffic profiles to compare against anomalies; enable DRT access for assistance
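As an added example that is not part of the deck and not AWS code, the Python below simulates offline what slide 32's "rate-limit malicious requests" and slide 35's "pre-calculate profiles to compare against anomalies" amount to: count requests per client IP over a sliding 5-minute window (the window AWS WAF rate-based rules use), mark IPs that reach a threshold as blocked, and flag IPs far above a baseline profile. The log line format, the IPs, the threshold and the baseline are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # rate-based rules evaluate a 5-minute window
THRESHOLD = 100                # constructed block threshold (requests per IP per window)


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <client-ip> <method> <path> <status>'."""
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path


def make_sample_logs():
    """Constructed sample: a normal browser every 30 s, and a client flooding /login once per second."""
    t0 = datetime(2020, 6, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 203.0.113.7 GET /index.html 200"
             for i in range(8)]
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} 198.51.100.9 POST /login 200"
              for i in range(150)]
    return sorted(lines)  # timestamps lead each line, so sorting orders them in time


def sliding_window_counts(lines, window=WINDOW):
    """Peak number of requests any single IP made inside one sliding window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip, _path in map(parse_line, lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def rate_limit_decision(lines, threshold=THRESHOLD):
    """IPs whose peak window count reaches the threshold: the block decision a rate-based rule makes."""
    return {ip for ip, n in sliding_window_counts(lines).items() if n >= threshold}


def anomalies(peak_counts, baseline, factor=5):
    """Profile comparison: IPs whose peak exceeds factor x the pre-calculated baseline rate per window."""
    return {ip: n for ip, n in peak_counts.items() if n > factor * baseline}


if __name__ == "__main__":
    logs = make_sample_logs()
    counts = sliding_window_counts(logs)
    print("peak per IP:", counts)                       # {'198.51.100.9': 150, '203.0.113.7': 8}
    print("blocked:", rate_limit_decision(logs))        # {'198.51.100.9'}
    print("anomalous vs baseline 10:", anomalies(counts, baseline=10))
```

In production the same counting happens inside AWS WAF's rate-based rule and the block shows up as a CloudWatch metric (slide 27, step 4); this offline version is for tuning the threshold against your own sampled logs before enabling the rule.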
  36. Resources
     • AWS Shield: https://aws.amazon.com/shield
     • AWS WAF: https://aws.amazon.com/waf
     • AWS Shield Threat Landscape Report: https://amzn.to/2C30brC
     • AWS Security Workshop: https://awssecworkshops.com/
     • AWS Best Practices for DDoS Resiliency: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
  37. Webinar Series: https://aws.amazon.com/webinars/hk-webinar-series/ Register for the upcoming webinars
  38. Remember to complete your evaluations!
  39. Q&A
  40. Thank you!
