
Cloud-Native DDoS Attack Mitigation


by Jeff Lyon, Manager of DDoS Ops Engineering, AWS

Mitigation of Distributed Denial of Service (DDoS) attacks to protect the availability of an application historically required expensive hardware, scaling of fixed capacity, or the enlistment of third-party DDoS mitigation services. Today, AWS provides you with tools to build applications that are automatically protected against DDoS attacks without having to invest in costly infrastructure, route traffic externally, or accept performance tradeoffs. In this session, you will learn simple techniques for building DDoS-resilient applications, monitoring and alarming on the presence of DDoS attacks, and responding to events in-progress.


Cloud-Native DDoS Attack Mitigation

  1. Cloud-Native DDoS Attack Mitigation
     Shawn Marck, System Development Manager
     AWS Pop-up Loft
     © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
  2. Today’s Objectives
     • Overview of DDoS attacks and other threats
     • Evolution of DDoS mitigation strategy
     • PREPARE: Build a DDoS-resilient application on AWS
     • MONITOR: Demonstration on application monitoring and alarms
     • RESPOND: Demonstration on DDoS event response
  3. Types of Threats
     • DDoS, Network / Transport Layer: UDP floods, SYN floods, UDP reflection
     • DDoS, Application Layer: Slowloris, SSL abuse, HTTP floods
     • Bad Bots: content scrapers, scanners & probes, crawlers
     • Application Attacks: SQL injection, application exploits
  4. Evolution of DDoS Mitigation: On-Premise, Cloud-Routed, Cloud-Native
  5. On-Premise
     • Scale network and fixed infrastructure to mitigate DDoS attacks on-site
     • Visibility and control
     • Large capital expenditures, maintenance costs, and in-house expertise
  6. Cloud-Routed
     • Route traffic to other networks for better mitigation capacity, managed services
     • Mitigate larger DDoS attacks without upfront investment or in-house expertise
     • Black box solution: can introduce latency, additional points of failure, increased operating costs
  7. Cloud-Native
     • Automatic, always-on DDoS protection for all applications on AWS
     • Leverage 16 AWS Regions and 76 Edge Locations to mitigate large attacks close to the source
     • Simple, flexible, and affordable
     • Robust capabilities without undifferentiated heavy lifting
  8. AWS Shield
     • Standard Protection: available to ALL AWS customers at no additional cost
     • Advanced Protection: paid service that provides additional protections, features, and benefits
  9. AWS Shield Standard Protection (available to ALL AWS customers at no additional cost)
     • Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
     • Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
     • Application layer defense available when using AWS WAF
  10. AWS Shield Advanced Protection (paid service that provides additional protections, features, and benefits)
     • Fast escalation to the AWS DDoS Response Team (DRT) to assist with complex edge cases
     • Attack visibility and enhanced detection
     • Cost Protection to mitigate economic attack vectors
     • AWS WAF for application-layer defense, at no additional cost
  11. Defense In Depth (diagram: traffic flows from the Internet through the Border Network and AWS Services to the Customer Infrastructure, with DDoS Detection and the DDoS Response Team alongside; layer labels and their "Effective Against" callouts as shown on the slide)
     • Internet-Layer Mitigations (Border Network): large-scale attacks
     • Network Layer Mitigations: SYN floods, reflection attacks, suspicious sources
     • Web Layer Mitigations (AWS Services): SSL attacks, Slowloris, malformed HTTP
     • Customer Infrastructure: HTTP floods, bad bots, suspicious IPs
     • DDoS Response Team: sophisticated Layer 7 attacks
  12. PREPARE: DDoS-Resilient Architecture (diagram: users and a DDoS attack reach Amazon Route 53, Amazon CloudFront, AWS WAF and Amazon API Gateway in front of an Application Load Balancer with its ALB Security Group in a Public Subnet, forwarding to Amazon EC2 Instances behind a Web Application Security Group in a Private Subnet; mitigation callouts as shown on the slide)
     • Globally distributed attack mitigation capability
     • SYN proxy feature that verifies the three-way handshake before passing to the application
     • Slowloris mitigation that reaps long-lived connections
     • Mitigates complex attacks by allowing only the most reliable DNS queries
     • Validates DNS
     • Provides flexible rule language to block or rate-limit malicious requests
  13. Demonstration
  14. aws.amazon.com/activate: Everything and Anything Startups Need to Get Started on AWS
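As an added example that is not part of the AWS deck, the Python below models two ideas from the slides: the WAF "rate-limit malicious requests" callout on slide 12 (count requests per client IP over a trailing 5-minute window and flag sources that exceed a limit) and the MONITOR objective (bucket requests per minute and evaluate a CloudWatch-style alarm over consecutive periods). The log format, IP addresses, window and thresholds are constructed assumptions; real CloudFront or ALB logs carry different fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real CloudFront/ALB logs): "timestamp ip method path status"
SAMPLE_LOG = """\
2016-11-30T10:00:00Z 203.0.113.7 GET /index.html 200
2016-11-30T10:00:05Z 203.0.113.8 GET /index.html 200
2016-11-30T10:00:10Z 198.51.100.9 GET /login 200
2016-11-30T10:00:11Z 198.51.100.9 GET /login 200
2016-11-30T10:00:12Z 198.51.100.9 GET /login 200
2016-11-30T10:00:13Z 198.51.100.9 GET /login 200
2016-11-30T10:00:14Z 198.51.100.9 GET /login 200
2016-11-30T10:06:00Z 198.51.100.9 GET /login 200"""

def parse_line(line):
    """Split one sample line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)

def flag_flooding_sources(lines, window=300, threshold=4):
    """Return {ip: peak count in any trailing `window` seconds} for IPs whose count
    exceeds `threshold` (a rate-based rule condition; 300 s and 4 are hypothetical)."""
    recent, peak = defaultdict(deque), {}
    for when, ip, *_ in map(parse_line, lines):     # lines must be time-ordered
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window:  # evict requests outside the window
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def requests_per_minute(lines):
    """Aggregate requests into one-minute buckets, like a Sum metric on request count."""
    counts = defaultdict(int)
    for when, *_ in map(parse_line, lines):
        counts[when.replace(second=0)] += 1
    return dict(counts)

def alarm_state(counts, threshold, evaluation_periods=1):
    """ALARM when `evaluation_periods` consecutive minutes exceed threshold (empty minutes reset)."""
    if not counts:
        return "OK"
    minute, streak = min(counts), 0
    while minute <= max(counts):
        streak = streak + 1 if counts.get(minute, 0) > threshold else 0
        if streak >= evaluation_periods:
            return "ALARM"
        minute += timedelta(minutes=1)
    return "OK"
```

With the sample above, 198.51.100.9 is the only source flagged (five requests inside one window), and the 10:00 minute bucket trips a single-period alarm at a threshold of 5 while a two-period alarm stays OK.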
