
AWS August Webinar Series - DDoS Resiliency


Distributed Denial of Service (DDoS) attackers use a variety of techniques to consume network or other resources, interrupting access for legitimate users. Customers can adopt practices to reduce the impact of these attacks, including minimizing the attack surface area, safeguarding exposed resources and creating a plan for when attacks occur. This webinar will outline how to use AWS services like Elastic Load Balancing (ELB), Auto Scaling, Amazon CloudFront and Amazon Route 53 to improve resiliency when attacks occur.

Learning Objectives:
• Learn techniques that can help maintain availability in the face of DDoS attacks
• Understand how AWS services can work together to increase resiliency

Who Should Attend:
• Systems Architects, Network Engineers, Web Developers


  1. Best Practices for DDoS Resiliency
     Jonathan Desrocher, Security Solutions Architect
     August 20th 2015
     © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. 45% of organizations have experienced a DDoS attack; $40k average hourly cost of a DDoS attack; 58% of attacks last 30 mins or less**
     * Source: Imperva, What DDoS Attacks Really Cost Businesses (n=270)
     ** Source: Imperva, Global DDoS Threat Landscape Q2 2015
  3. Agenda
     • Types of DDoS attacks
     • Mitigation Techniques
     • DDoS Resilient Architecture
  4. Typical DDoS Infrastructure Attack
  5. Reflection and Amplification Attack
  6. Application Attack (Layer 7) Examples
     • HTTP GET Flood: GET GET GET GET GET
     • Slowloris: G - E - T
     [Diagram: Attacker(s) sending GET requests to the Web Server]
  7. Mitigation Techniques
     • Front your application with AWS services
     • Safeguard Exposed Resources
     • Minimize the Attack Surface Area
     • Be Ready to Scale to Absorb the Attack
     • Learn Normal Behavior
     • Create a Plan for Attacks
  8. Front your Application with AWS Services
     Leverage services such as Amazon API Gateway and Amazon CloudFront for caching and layer-3 protection.
     The recently launched Amazon API Gateway can be used to perform:
     • User authentication
     • Request throttling
     • Response caching
     • Log requests
  9. Request Flow using Amazon API Gateway
     [Diagram: Internet (mobile apps, websites, services) → API Gateway, with API Gateway cache and Amazon CloudWatch monitoring → AWS Lambda functions, endpoints on Amazon EC2/AWS Elastic Beanstalk, or any other publicly accessible endpoint]
  10. Safeguard Exposed Resources
     Restrict access to resources with CloudFront
     • Block unnecessary geos, Origin Access Identity
     Obfuscate unneeded information with Route 53
     • Private DNS, Alias Record Sets
     Deploy application level controls with a third party web application firewall
     • Request rate limits
     • Block certain types of requests
  11. Minimize your Application Attack Surface
     Architect your application with attack surface area in mind
     • Reduce the number of Internet entry points
     • Separate end user traffic from management traffic
     • Only allow necessary users and traffic
     Use VPC to minimize attack surface area
     • Set up VPC and Internet Gateway
     • Set up Security Group
     • Launch instance into VPC
     • Assign elastic IP Address
     • Set up Network ACL
  12. Web Application Firewall Sandwich Architecture
  13. Partner Solutions
     See Security section of the AWS Marketplace for more: https://aws.amazon.com/marketplace
  14. Be Ready to Scale to Absorb the Attack
     Scale vertically and horizontally to:
     • Disperse attack over wider area
     • Make attackers expend more resources to scale up the attack
     • Buy yourself time to analyze and respond to the DDoS attack
     • Provide additional layer of redundancy for other failure scenarios
  15. Using AWS to Scale Vertically and Horizontally
     • Enable EC2 Advanced Networking
     • Set up Elastic Load Balancing & Auto Scaling
     • Deploy multiple points of presence using Amazon CloudFront
     • Use Amazon Route 53 with Shuffle Sharding and Anycast Routing
     https://www.youtube.com/watch?v=JUw8y_pqD_Y
     https://www.youtube.com/watch?v=V7vTPlV8P3U
  16. Learn Normal Behavior
     • Understand and benchmark expected usage levels
     • Use this data to identify abnormal levels or patterns
     • Look for attackers probing or testing your application
     • Increase situational awareness by knowing what to expect
  17. Continuous Visibility using Amazon CloudWatch
     • Gather metrics, graph and alert on thresholds
     • Use CloudWatch alarms to drive Auto Scaling policies
  18. CloudWatch Metrics to Watch For

     | Topic | Metric | Description |
     |---|---|---|
     | Auto Scaling | GroupMaxSize | The maximum size of the Auto Scaling group. |
     | AWS Billing | EstimatedCharges | The estimated charges for your AWS usage. |
     | Amazon CloudFront | Requests | The number of requests for all HTTP/S requests. |
     | Amazon CloudFront | TotalErrorRate | The percentage of all requests for which the HTTP status code is 4xx or 5xx. |
     | Amazon EC2 | CPUUtilization | The percentage of allocated EC2 compute units that are currently in use. |
     | Amazon EC2 | NetworkIn | The number of bytes received on all network interfaces by the instance. |
     | Amazon EC2 | StatusCheckFailed | A combination of StatusCheckFailed_Instance and StatusCheckFailed_System that reports if either of the status checks has failed. |
     | ELB | RequestCount | The number of completed requests that were received and routed to registered instances. |
     | ELB | Latency | The time elapsed, in seconds, after the request leaves the load balancer until a response is received. |
     | ELB | HTTPCode_ELB_4xx, HTTPCode_ELB_5xx | The number of HTTP 4XX or 5XX error codes generated by the load balancer. |
     | ELB | BackendConnectionErrors | The number of connections that were not successfully. |
     | ELB | SpilloverCount | The number of requests that were rejected because the queue was full. |
     | Amazon Route 53 | HealthCheckStatus | The status of the health check endpoint. |

  19. VPC Flow Logging
     • See traffic patterns for your Amazon EC2 instances
     • Feeds into Amazon CloudWatch
  20. Deep Analytics of Flow Logs
     https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/
  21. Additional Data Sources
     • Amazon S3 and Amazon CloudFront access logs (web requests).
     • AWS CloudTrail Logs (select API calls such as IAM authentication).
     • Amazon CloudWatch Logs (Amazon API Gateway, Amazon Lambda and customer application logs via reporting agent).
     • See CloudWatch Logs for Apache access logs reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-cloudwatchlogs.html
  22. Create a Plan for Attacks
     Having a plan in place before an attack ensures that:
     • You have a resilient architecture
     • You understand the cost benefit equation
     • You know who to contact when an attack happens
  23. Getting Help: Support
     Account Team
     • Your Account Manager is your advocate
     • Solutions Architects have a wealth of expertise
     Recommended tiers of support
     • Business – Phone/chat/email support, 1 hour response time
     • Enterprise – 15 min response time, dedicated Technical Account Manager, proactive notification
  24. Understand the Economics
     • Evaluate the cost of an outage
     • Set yourself upper bounds for instances and time
     • Factor in Auto Scaling, Route 53 and CloudFront costs during an attack
     • You don’t pay for traffic or attacks that get blocked before the load balancer (e.g. many UDP reflection attacks)
  25. Where Can I Find More Information?
     White paper: Best Practices for DDoS resiliency
     https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf
     AWS Best Practices for DDoS Resiliency, June 2015
  26. Thank you!
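
Slides 5, 19 and 20 pair reflection attacks with VPC Flow Logs as a way to see traffic patterns. The following is an added example, not code from the deck or from AWS: it parses flow log records in the default space-separated layout and reports destinations receiving UDP traffic from many distinct sources on reflector-type source ports. The port list, the `min_sources` threshold, the function names and the sample records are assumptions made for illustration.

```python
from collections import defaultdict

# Default VPC Flow Logs record layout (version 2, space separated).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
UDP = 17
# Assumption (not from the slides): UDP source ports of common reflectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}

# Constructed sample records (documentation IP ranges, example account ID).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 123 41522 17 40 18720 1440000000 1440000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.20 123 41522 17 38 17784 1440000000 1440000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 123 41522 17 42 19656 1440000000 1440000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.53 10.0.1.20 53 50000 17 2 300 1440000000 1440000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.10 10.0.1.20 44321 443 6 12 4200 1440000000 1440000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1440000000 1440000060 - NODATA
""".splitlines()

def parse_record(line):
    """Parse one record; return None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def reflection_summary(lines, min_sources=3):
    """Per (dstaddr, service): distinct sources, total bytes, rejected flows."""
    # A host using one or two resolvers or time servers stays below min_sources.
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "rejected": 0})
    for rec in filter(None, map(parse_record, lines)):
        service = REFLECTOR_PORTS.get(rec["srcport"])
        if rec["protocol"] != UDP or service is None:
            continue
        entry = stats[(rec["dstaddr"], service)]
        entry["sources"].add(rec["srcaddr"])
        entry["bytes"] += rec["bytes"]
        entry["rejected"] += rec["action"] == "REJECT"
    return {k: {**v, "sources": len(v["sources"])}
            for k, v in stats.items() if len(v["sources"]) >= min_sources}

if __name__ == "__main__":
    print(reflection_summary(SAMPLE))
```

A high `rejected` count means security groups or network ACLs are already dropping the traffic at the instance boundary; accepted flows on these ports from many sources are the ones to investigate first.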
