This document provides an overview of techniques for mitigating distributed denial of service (DDoS) attacks and defending web applications. It discusses various types of threats including DDoS, application attacks, and bad bots. It then describes AWS services for protection including AWS Shield for DDoS mitigation, AWS VPC for network segmentation, and AWS WAF for web application firewall capabilities. The presentation includes demos of these services blocking attack types such as HTTP floods and bots and scrapers, along with security automation approaches.
9. What to expect from this session
Types of Threats, AWS Shield, AWS VPC, AWS WAF
10. Types of threats
DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification
Bad Bots: Content scrapers, Scanners & probes, Crawlers
Application Attacks: SQL injection, Application exploits, Social engineering, Sensitive data exposure
Layers (diagram axis): Application Layer, Network / Transport Layer
AWS Shield
11. Benefits of AWS Shield
AWS Integration: DDoS protection without infrastructure changes
Affordable: Don’t force unnecessary trade-offs between cost and availability
Flexible: Customize protections for your applications
Always-On Detection and Mitigation: Minimize impact on application latency
12. AWS Shield
Standard Protection: Available to ALL AWS customers at no Additional Cost
Advanced Protection: Paid service that provides additional protections, features, and benefits.
13. AWS Shield Standard
Layer 3/4 protection: Automatic detection & mitigation; Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.); Built into AWS services
Layer 7 protection: AWS WAF for Layer 7 DDoS attack mitigation; Self-service & pay-as-you-go
Automatic Protection against 96% of Layer 3/4 attacks
Available globally on all internet-facing AWS services
14. AWS Shield Advanced
Additional Detection & Monitoring
Protection Against Large DDoS Attacks
Visibility Into Attack Detection & Mitigation
AWS WAF at No Additional Cost
24X7 DDoS Response Team
Cost Protection (Absorb DDoS Scaling Cost)
19. AWS Shield Advanced detection
[Diagram labels: Aggs, Pin Agg, Evaluators, DB, Shield API, CloudWatch, Customer A, Customer B]
20. AWS Shield Advanced
Available on: Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53
In the following regions: Northern Virginia (us-east-1), Oregon (us-west-2), Ireland (eu-west-1), Tokyo (ap-northeast-1)
23. Private IP space in AWS
What customers asked for:
Familiar networking model
Customer-defined networking logic
Strong security controls
24. Key features of VPC
Choosing an address range
Setting up subnets in Availability Zones
Creating a route to the Internet
Authorizing traffic to/from the VPC
25. Traditional approach
[Diagram labels]
Subnets: Public Subnet, Private Subnet (Web Tier), Private Subnet (App Tier)
Address ranges: 10.0.2.0/24, 10.0.1.0/24, 10.0.3.0/24
Security groups: SG-ALB, SG-Web, SG-App
Rules: Allow all traffic; Allow 10.0.2.0/24; Allow 10.0.1.0/24
26. Cloud approach
[Diagram labels]
Subnets: Public Subnet, Private Subnet (Web Tier), Private Subnet (App Tier)
Address ranges: 10.0.2.0/24, 10.0.1.0/24, 10.0.3.0/24
Security groups: SG-ALB, SG-Web, SG-App
Rules: Allow CloudFront IP Ranges only; Allow SG-Web only; Allow SG-ALB only
27. Security groups + CloudFront IP ranges
Blog post: http://amzn.to/2fj4Q8e
[Diagram labels: IP-ranges.json, Amazon SNS, AWS Lambda, SG-ALB]
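The core of the update step on slide 27, as an added example that is not taken from the presentation or the linked blog post: it reads a document in the ip-ranges.json layout, keeps the CLOUDFRONT prefixes, and works out which CIDRs SG-ALB should gain and lose. The function names and the sample feed are constructed for illustration, and applying the plan through the EC2 API is left out.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (documentation-range addresses).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2017-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})


def cloudfront_cidrs(ip_ranges_json, service="CLOUDFRONT"):
    """Return the set of IPv4 CIDRs the feed lists for one service."""
    doc = json.loads(ip_ranges_json)
    cidrs = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") == service:
            # Normalise the prefix; a malformed one raises ValueError
            # before it can reach a security group rule.
            cidrs.add(str(ipaddress.ip_network(entry["ip_prefix"], strict=True)))
    return cidrs


def plan_sg_update(current_cidrs, ip_ranges_json):
    """Diff SG-ALB's current ingress CIDRs against the feed.

    Returns (to_authorize, to_revoke) as sorted lists of CIDR strings.
    """
    wanted = cloudfront_cidrs(ip_ranges_json)
    if not wanted:
        # A truncated or empty feed must not wipe the allow list
        # and cut the load balancer off from CloudFront.
        raise ValueError("no CLOUDFRONT prefixes in feed; refusing to update")
    current = set(current_cidrs)
    return sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    # SG-ALB still carries the "allow all traffic" rule of the traditional approach.
    add, revoke = plan_sg_update(["0.0.0.0/0", "203.0.113.0/25"], SAMPLE_IP_RANGES)
    print("authorize:", add)
    print("revoke:", revoke)
```
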
30. Challenges of web application firewalls
Setup is complex and slow
Too many false positives
Limited APIs for automation
Expensive to implement and maintain
32. What is AWS WAF?
Web traffic filtering with custom rules
Malicious request blocking
Active monitoring and tuning
33. How does AWS WAF protect you?
Security Automations
Preconfigured Protections
Highly Flexible Rule Language
34. Highly flexible rule language
Quick Incident Response
Mitigations in < ~1 Min
Inspect Any Part of the Request
35. Highly flexible rule language
Rate-Based Rules
Built-in blacklist IPs
Monitor and Alarm
Use with Conditions
37. Preconfigured protections – common attacks
HTTP floods (Rate-based Rules)
Scanners and probes
SQL injection
Bots and scrapers
IP reputation lists
Cross-site scripting
38. Preconfigured protections – common attacks
You can get started quickly with built-in rules based on common use cases.
CloudFormation template
AWS WAF Configuration
http://bit.ly/2tgpoEj