
Cloud-Native DDoS Mitigation - AWS Online Tech Talks

360 views


Learning Objectives:
- Learn how to use AWS Shield to build scalable DDoS defense into your applications
- Learn how to monitor your applications on the AWS Cloud and detect DDoS attempts
- Learn how to respond to in-progress DDoS attempts



  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud-Native DDoS Attack Mitigation. Venkat Vijayaraghavan, Product Manager, AWS Perimeter Protection (WAF & Shield). Dec 14, 2017
  2. Today's Objectives
     - Overview of DDoS attacks and other threats
     - Evolution of DDoS mitigation strategy
     - Three Pillars: Cloud Native App Protection: Built-in Protections; Tools for Customized Protections; Advanced Protection
  3. Types of Threats on Your Application (figure: threats mapped onto the OSI layers)
     - Application, Presentation and Session layers: HTTP Flood, App exploits, SQL Injection, Bots, Crawlers, SSL Abuse, Malformed SSL
     - Transport layer: SYN/ACK Flood, UDP Flood, Reflection
     - Network layer: Ping of Death, ICMP Flood, Teardrop
     - Data Link and Physical layers: Operated & Protected by AWS
  4. Evolution of DDoS Mitigation: On-Premise, Cloud-Routed, Cloud-Native
  5. On Premise
     - Scale network and fixed infrastructure to mitigate DDoS attacks on-site
     - Visibility and control
     - Large capital expenditures, maintenance costs, and in-house expertise
  6. Cloud Routed
     - Route traffic to other networks for better mitigation capacity, managed services
     - Mitigate larger DDoS attacks without upfront investment or in-house expertise
     - Black box solution – can introduce latency, additional points of failure, increased operating costs
  7. Cloud Native
     - Automatic, always-on DDoS protection for all applications on AWS
     - Leverage 16 AWS Regions and 100+ CloudFront Edge Locations to mitigate large attacks close to the source
     - Simple, flexible, and affordable
     - Robust capabilities without undifferentiated heavy lifting
  8. What is Different in AWS Cloud
  9. Three Pillars: Cloud Native App Protection
     - Built-in Protection for Everyone
     - Tools for Customized Protections
     - Optional Advanced DDoS Protection
  10. Three Pillars: Cloud Native App Protection (same as slide 9)
  11. Built-in Protection for Everyone: AWS Shield Standard
     - Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
     - Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
     - SYN Floods, UDP Floods, Reflection Attacks, etc.
  12. Built-in Protection for Everyone: for attacks on Amazon CloudFront & Amazon Route 53, over 99% of network & transport layer attacks detected by AWS Shield are mitigated in less than 1 second
  13. Built-in Protection for Everyone: AWS Shield Standard automatically mitigates several DDoS attacks every day. Source: AWS Global Threat Dashboard (available for Shield Advanced customers)
  14. Built-in Protection for Everyone: Amazon Route 53
     - DNS Header Validations
     - Good vs Bad Resolvers
     - Priority Based Traffic Shaping
     - Shuffle sharding and Anycast striping
  15. Built-in Protection for Everyone: Amazon CloudFront
     - Only accepts valid HTTP/TCP requests
     - Automatically drops traffic on non-HTTP ports
     - Protection against slow reads (Slowloris)
     - Safeguards against SSL abuse (e.g. Perfect Forward Secrecy)
     - Web server offload (e.g. request collapsing)
  16. Intro 101: Slack Uses Amazon CloudFront as a Proxy
  17. Slack Uses CloudFront as a Proxy
     - Looking for DDoS protection
     - CloudFront & Shield filter malicious traffic automatically
     - Highly reliable & performant compared to other DDoS or CDN providers
     - Tight integration with other AWS services like ELB
  18. Slack Uses CloudFront as a Proxy. Their CloudFront configuration:
     - Caching disabled
     - Forward all headers, cookies, & query strings
     - TLS termination at edge (TLS back to ELBs)
  19. Slack Uses CloudFront as a Proxy (before/after diagram)
  20. Slack Uses CloudFront as a Proxy
  21. Summary: A DDoS Resilient Architecture (architecture diagram)
     - Components: Users and DDoS attack traffic; Amazon Route 53; Amazon CloudFront; Application Load Balancer with an ALB Security Group in a Public Subnet; Amazon EC2 instances with a Web Application Security Group in a Private Subnet
     - Callouts: globally distributed attack mitigation capability; SYN proxy feature that verifies the three-way handshake before passing to the application; Slowloris mitigation that reaps long-lived connections; mitigates complex attacks by allowing only the most reliable DNS queries; validates DNS
  22. Three Pillars: Cloud Native App Protection: Built-in Protection for Everyone; Optional Advanced DDoS Protection; Tools for Customized Protections
  23. Tools for Customized Protections: VPC Security Groups
     - Choosing an address range
     - Setting up subnets in Availability Zones
     - Creating a route to the Internet
     - Authorizing traffic to/from the VPC
  24. Tools for Customized Protections: AWS WAF, designed to help you defend against common web application exploits
     - Fast Incident Response
     - Preconfigured Protection
     - APIs for Automation
     - Flexible Rule Language
  25. Tools for Customized Protections: AWS WAF Key Features
     - Geo based rules
     - Rate based rules
     - Customizable regex rules
     - Built-in rules: SQLi, XSS, and pre-configured templates for common protections
  26. Intro 101: eVitamins uses AWS WAF to Protect their Web Applications Against Common Threats
  27. eVitamins uses AWS WAF for Common Threats
     - DDoS was a significant availability risk
     - Bots & crawlers caused operational burden
     - Need application threat protection
     - Need customizable protection for their application
  28. eVitamins uses AWS WAF for Common Threats
     - Deployed CloudFront for DDoS protection
     - AWS WAF bad bot protection: IP reputation list; "honeypot" solutions; automated crawler protection using AWS Lambda & WAF integration
     - AWS WAF rules for SQL Injection and XSS
     - 1-click CloudFormation templates
  29. eVitamins uses AWS WAF for Common Threats
     - Literally no website downtime due to DDoS
     - Attacks on the application layer reduced by 90%
     - Automations decreased response time by 90%
  30. Demonstration
  31. Summary: A DDoS Resilient Architecture (architecture diagram, as on slide 21, with AWS WAF added)
     - Components: Users and DDoS attack traffic; Amazon Route 53; Amazon CloudFront; Application Load Balancer with an ALB Security Group in a Public Subnet; Amazon EC2 instances with a Web Application Security Group in a Private Subnet
     - Callouts: globally distributed attack mitigation capability; SYN proxy feature that verifies the three-way handshake before passing to the application; Slowloris mitigation that reaps long-lived connections; mitigates complex attacks by allowing only the most reliable DNS queries; validates DNS; provides flexible rule language to block or rate-limit malicious requests
  32. Three Pillars: Cloud Native App Protection: Built-in Protection for Everyone; Advanced Protection; Tools for Customized Protections
  33. AWS Shield Advanced: a managed DDoS protection service
     - Additional protection against large & sophisticated attacks
     - Fast escalation to the AWS DDoS Response Team (DRT) to assist with complex cases (like HTTP flood)
     - Attack visibility and enhanced detection
     - Cost protection to mitigate economic attack vectors
     - AWS WAF for application-layer defense, at no additional cost
  34. AWS Shield Advanced Detection (diagram: aggregators feeding a pin aggregator and evaluators)
  35. AWS Shield Advanced Detection (diagram: the same pipeline, shown per customer for Customer A and Customer B)
  36. AWS Shield Advanced Detection (diagram: the same pipeline, with results stored in a DB and exposed through the Shield API and CloudWatch)
  37. Advanced Protection: AWS WAF Managed Rules
     - Managed rules written by security experts
     - Choice of protections from various security vendors
     - Automatically updated rules
     - Purchase from AWS Marketplace
     - Pay-as-you-go pricing, no long term commitments
  38. AWS WAF Managed Rules: Featured Sellers
  39. Advanced Protection: AWS WAF Managed Rules are very easy to enable: go to the AWS WAF console, discover & subscribe to managed rules, associate them with your AWS WAF web ACL
  40. Summary: Takeaways
     - AWS automatically protects you against DDoS attacks using Amazon CloudFront & Amazon Route 53
     - AWS gives additional tools for customizations using AWS WAF & VPC Security Groups
     - AWS also provides optional advanced protection using AWS Shield Advanced & AWS WAF Managed Rules
  41. Questions? @cloudfront
  42. Thank You
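The deck names AWS WAF rate-based rules (slide 25) and the "block or rate-limit malicious requests" callout (slide 31) without showing the mechanism. As an added example, not from the talk or from AWS, the per-source-IP sliding-window count behind such a rule, run over a constructed, simplified CloudFront-style access log (the real log format has many more fields); the threshold and sample addresses are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real traffic: a simplified CloudFront-style access
# log, tab-separated: date, time, client IP, method, URI path, HTTP status.
def constructed_log():
    base = datetime(2017, 12, 14, 10, 0, 0)
    rows = []
    for i in range(9):  # two ordinary clients, one request every 20 s
        t = base + timedelta(seconds=20 * i)
        rows.append(f"{t:%Y-%m-%d}\t{t:%H:%M:%S}\t203.0.113.5\tGET\t/index.html\t200")
        rows.append(f"{t:%Y-%m-%d}\t{t:%H:%M:%S}\t203.0.113.9\tGET\t/api/items\t200")
    for i in range(40):  # one client posting to /login 40 times in 40 s
        t = base + timedelta(seconds=i)
        rows.append(f"{t:%Y-%m-%d}\t{t:%H:%M:%S}\t198.51.100.7\tPOST\t/login\t401")
    return "\n".join(rows)

def parse_line(line):
    """Return (timestamp, client_ip, method, path, status) for one log line."""
    date, time, ip, method, path, status = line.split("\t")
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, method, path, int(status)

def find_rate_violators(log_text, threshold, window=timedelta(minutes=5)):
    """Per-source-IP sliding-window counter, the same idea as a WAF rate-based
    rule: an IP whose request count over the trailing window reaches
    `threshold` is flagged. Returns {ip: ISO time of first exceedance}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, _method, _path, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict requests older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged

if __name__ == "__main__":
    # Demo threshold is deliberately tiny (assumption); a production
    # rate-based rule uses a far higher count per five-minute window.
    print(find_rate_violators(constructed_log(), threshold=30))
```

Once an IP is flagged, the equivalent WAF action (block or count) applies to its further requests at the edge, which is why the rule is tied to the CloudFront or ALB web ACL rather than to the application servers.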
