Distributed denial of service (DDoS) can have an impact on the availability, security and resources consumption for your web application. AWS Web Application Firewall and AWS Shield allow to protect web applications from these attacks.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alessandro Esposito, Edge services specialist
esposita@amazon.lu
15/11/2017
Secure web applications
Using AWS Web Application Firewall (WAF) and AWS Shield

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is DDoS?
DDoS 101

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is DDoS?
Distributed Denial Of Service

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of DDoS attacks

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like
firewalls, IPS, or load balancers (e.g., TCP
SYN flood)

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of DDoS attacks
Application-layer DDoS attacks
Use well-formed but malicious requests to
circumvent mitigation and consume
application resources (e.g., HTTP GET, DNS
query floods)

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS approach to DDoS protection

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DDoS protections built into AWS
DDoS Attack
Users DDoS mitigation
systems

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DDoS protections built into AWS
 No additional cost
 Always-on detection and mitigation
 Protection against most common
infrastructure attacks
 SYN/ACK Floods (L4), UDP Floods,
Refection attacks (L3)

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Standard

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Adding L7 protection – AWS WAF
 Flexible Rules Language
 Pre-configured Protection
 Advanced Security Automation
 Partner Rules
AWS WAF

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF Components
Conditions Rules Web ACL
Elastic Load
Balancing
Apply
Amazon
CloudWatch
Report/Logs
Amazon
CloudFront

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
<demo>

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How does AWS WAF protect you?
Flexible Rules
Automated Rules
Preconfigured Rules

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How does AWS WAF protect you?
Preconfigured Rules

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Preconfigured protection – OWASP top 10
CloudFormation script available: http://amzn.to/2t5uI29

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How does AWS WAF protect you?
Automated Rules

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF security automation
CloudFormation script available: http://amzn.to/2gblvOz

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
HTTP floods
Good Users
Allowed on source
IP address
Attackers
Block based on
IP address
Amazon
CloudFront
Classic Load
Balancer
Amazon
EC2
Amazon
RDS
AWS WAF
AWS
Lambda
AWS
CloudFormation
CloudFront
access logs
S3 bucket
Amazon
CloudWatch
1 2
3
4

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
IP reputation lists
Good Users
Allowed on source
IP address
Attackers
Block based on IP
reputation
Amazon
CloudFront
Classic Load
Balancer
Amazon
EC2
Amazon
RDS
Amazon
CloudWatch
AWS WAF AWS
Lambda
AWS
CloudFormation
3rd Party lists
2
1
3

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
<demo>

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customers keep asking …
Does AWS protect me
from DDoS attacks?
What about large
DDoS attacks?
How can I get visibility
when I get attacked?
Does AWS protect
me from application
layer attacks?
Scaling for
DDoS attacks
is expensive.
I want to talk to
DDoS experts.

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Advanced
Managed DDoS Protection

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Layer 7 - Always-on monitoring and detection
Continuously baselining normal traffic patterns
• HTTP Requests per second
• Source IP Address
• URLs
• User-Agents
Baselining

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Layer 7 – AWS WAF included
AWS WAF
Included at no additional cost

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Attack notification and reporting
Attack monitoring
and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
24x7 access to DDoS Response Team
Critical and urgent priority cases are
answered quickly and routed directly
to DDoS experts
Complex cases can be escalated to
the AWS DDoS Response Team
(DRT), who have deep experience in
protecting AWS as well as
Amazon.com and its subsidiaries

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
24x7 access to DDoS Response Team
Before Attack
Proactive consultation and
best practice guidance
During Attack
Attack mitigation
After Attack
Post-mortem
analysis

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS cost protection
AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
<demo/ShieldAdvanced>

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Getting Started with
AWS Shield

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
You get it automatically
AWS Shield: Getting started
Enable via the AWS Console
Standard Protection Advanced Protection

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
• AWS Shield - https://aws.amazon.com/shield/
• AWS WAF - https://aws.amazon.com/waf/
• WAF preconfigured rules - http://amzn.to/2rBdR4Q
• OWASP Top 10 mitigation - http://amzn.to/2t5uI29
• Secure Web Apps with WAF and Shield -
http://bit.ly/2xzc70y

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!