This document provides an overview of techniques for mitigating distributed denial of service (DDoS) attacks and defending web applications. It discusses various types of threats including DDoS, application attacks, and bad bots. It then describes AWS services for protection including AWS Shield for DDoS mitigation, AWS VPC for network segmentation, and AWS WAF for web application firewall capabilities. The presentation includes demos of these services blocking different attack types like HTTP floods, bots and scrapers, and security automation approaches.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Venkat Vijayaraghavan , Amazon
& Brittany Doncaster, Solutions Architect, Amazon
July 27, 2017
Advanced Techniques for DDoS
Mitigation and Web Application
Defense

2. What to expect from this session
Types of Threats AWS Shield AWS VPC AWS WAF

3. What to expect from this session
Types of Threats AWS Shield AWS VPC AWS WAF

4. Types of threats
Bad BotsDDoS Application Attacks
Reflection
Layer 4 floods
Slowloris
SSL abuse
HTTP floods
Amplification
Content scrapers
Scanners & probes
CrawlersApplication
Layer
Network /
Transport
Layer
SQL injection
Application exploits

5. DDoS threats
Network / Transport Layer DDoS

6. DDoS threats
Application DDoS
Good users
Bad guys
Web server Database

7. Application threats
Good users
Bad guys
Web server
Database
Exploit
code
SQL injectionXSS

8. Bad bot threats
Good users
Bad guys
Web server
Database
Steal premium content

9. What to expect from this session
Types of Threats AWS Shield AWS VPC AWS WAF

10. Types of threats
Bad BotsDDoS Application Attacks
Reflection
Layer 4 floods
Slowloris
SSL abuse
HTTP floods
Amplification
Content scrapers
Scanners & probes
Crawlers
SQL injection
Application exploits
Social
engineering
Sensitive data
exposureApplication
Layer
Network /
Transport
Layer
AWS Shield

11. Benefits of AWS Shield
AWS Integration
DDoS protection without
infrastructure changes
Affordable
Don’t force unnecessary
trade-offs between cost and
availability
Flexible
Customize protections
for your applications
Always-On Detection
and Mitigation
Minimize impact on application
latency

12. AWS Shield
Standard Protection Advanced Protection
Available to ALL AWS customers at
no Additional Cost
Paid service that provides additional
protections, features, and benefits.

13. AWS Shield Standard
Layer 3/4 protection
 Automatic detection & mitigation
 Protection from most common
attacks (SYN/UDP Floods, Reflection
Attacks, etc.)
 Built into AWS services
Layer 7 protection
 AWS WAF for Layer 7 DDoS attack
mitigation
 Self-service & pay-as-you-go
Automatic Protection against
96% of Layer 3/4 attacks
Available globally on all internet-facing AWS services

14. AWS Shield Advanced
Additional Detection & Monitoring
Protection Against Large DDoS Attacks
Visibility Into Attack Detection & Mitigation
AWS WAF at No Additional Cost
24X7 DDoS Response Team
Cost Protection (Absorb DDoS Scaling Cost)

15. AWS Shield Advanced
Multi-Layered Mitigation
Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-Layer
Mitigations
DDoS
DDoS
Response
Team
Effective Against:
• Large-Scale Attack
Effective Against:
• SYN Floods
• Reflection Attacks
• Suspicious
Sources
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP
Effective Against:
• HTTP Floods
• Bad Bots
• Suspicious IPs
Effective Against:
• Sophisticated
Layer 7 attacks

16. AWS Shield Advanced detection
Netflows from Routers
Web Server Logs

17. AWS Shield Advanced detection
Aggs
Aggs
Aggs
Aggs
Pin
Agg
Evaluators

18. Customer A
Customer B
AWS Shield Advanced detection
Aggs
Aggs
Aggs
Aggs
Pin
Agg
Evaluators

19. AWS Shield Advanced detection
Aggs
Aggs
Aggs
Aggs
Pin
Agg
Evalu
ators
Customer B
Customer A
DB
Shield
API
Cloud
Watch

20. AWS Shield Advanced
Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53
Available on ...
 Northern Virginia (us-east-1)
 Oregon (us-west-2)
 Ireland (eu-west-1)
 Tokyo (ap-northeast-1)
In the following regions ...

21. Shield demo

22. What to expect from this session
Types of Threats AWS Shield AWS VPC AWS WAF

23.  Private IP space in AWS
 Familiar networking model
 Customer-defined networking logic
 Strong security controls
What customers asked for…

24. Key features of VPC
Choosing an
address range
Setting up subnets
in Availability Zones
Creating a route to
the Internet
Authorizing traffic
to/from the VPC

25. Private Subnet (Web Tier)
Private Subnet (App Tier)
Traditional approach
Public Subnet
SG-Web
SG-App
SG-Web SG-Web
SG-App SG-App
10.0.2.0/24
10.0.1.0/24
10.0.3.0/24
SG-ALB
Allow all traffic
Allow 10.0.2.0/24
Allow 10.0.1.0/24

26. Private Subnet (Web Tier)
Private Subnet (App Tier)
Cloud approach
Public Subnet
SG-Web
SG-App
SG-Web SG-Web
SG-App SG-App
10.0.2.0/24
10.0.1.0/24
10.0.3.0/24
SG-ALB
Allow CloudFront
IP Ranges only
Allow SG-Web
only
Allow SG-ALB
only

27. Security groups + CloudFront IP ranges
Blog Post here -> http://amzn.to/2fj4Q8e
IP-ranges.json
SG-ALB
Amazon SNS
AWS Lambda

28. VPC demo
SG-ALB
CloudFront
users

29. What to expect from this session
Types of Threats AWS Shield AWS VPC AWS WAF

30. Challenges of web application firewalls
Setup is complex
and slow
Too many false
positives
Limited APIs for
automation
Expensive to
implement and
maintain

31. AWS WAF
Fast Incident
Response
Preconfigured
Protection
APIs for
Automation
Flexible Rule
Language
A web application firewall designed to help you
defend against common web application exploits

32. What is AWS WAF?
Web traffic filtering
with custom rules
Malicious request
blocking
Active monitoring
and tuning

33. How does AWS WAF protect you?
Security
Automations
Preconfigured Protections
Highly Flexible Rule Language

34. Highly flexible rule language
 Quick Incident Response
 Mitigations in < ~1 Min
 Inspect Any Part of the Request
Security
Automations
Preconfigured
Protections
Highly Flexible Rule Language

35. Highly flexible rule language
 Rate-Based Rules
 Built-in blacklist IPs
 Monitor and Alarm
 Use with Conditions
Security
Automations
Preconfigured
Protections
Highly Flexible Rule Language

36. AWS WAF demo-1
HTTP floods
(Rated-based
Rules)

37. Preconfigured protections – common attacks
HTTP floods (Rated-
based Rules) Scanners and probes
SQL injection
Bots and scrapers
IP reputation lists
Cross-site scripting
Security
Automations
Preconfigured
Protections
Highly Flexible Rules Engine

38. Preconfigured protections – common attacks
You can get started quickly with built-in rules based on
common use cases.
CloudFormation
template
AWS WAF Configuration
Security
Automations
Preconfigured
Protections
Highly Flexible Rules Engine
http://bit.ly/2tgpoEj

39. Preconfigured protections – OWASP 10
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Broken Access Control (New)
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Insufficient AttackProtection (new)
A8: Cross-Site Request Forgery
A9: Using Components with Known Vulnerabilities
A10: Underprotected APIs (New)
Security
Automations
Preconfigured
Protections
Highly Flexible Rules Engine
Whitepaper + CloudFormation template
http://bit.ly/2t503Su

40. Security automations
Security
Automations
Preconfigured
Protections
Highly Flexible Rules Engine
Automated anomaly detection that you can take action on
using Lambda functions.
 Dynamic Rules Based on Anomaly
 Using Lambda & Service Logs

41. Security automations
Traditional incident responseAutomated incident response
Next-generation incident response
Security
Automations
Preconfigured
Protections
Highly Flexible Rules Engine

42. Demo architecture

43. AWS WAF demo-2
Security
automations - Bots
and scrapers

44. Takeaways
• AWS Shield for DDoS protection and mitigation
• VPC to limit public-facing components
• AWS WAF for protection from Layer 7 attacks

45. Q&A
Thank you!

46. Thank you!