
DDoS Resiliency


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DDoS Resiliency. Andrew Kiggins, Solutions Architect, Security Specialist
  2. What to expect for this session • Learn best practices for building (D)DoS-resilient services • Deep dive on some of the techniques and technologies that AWS uses to protect against (D)DoS attacks
  3. The sky is not falling
  4. Threat landscape • Extortion: Armada Collective, DD4BC • LULZ: script kiddies • Ideology: nation states • Hacktivism: Anonymous, Lizard Squad
  5. Threat of DDoS attack: same Bitcoin address, many threats
  6. DDoS attacks • Attacks over 200 Gbps • Multi-vector attacks • 10s of attacks/threats: manual intervention, customer interaction • 100s of significant attacks: auto-detected, auto-mitigated • 1000s of attacks: no action necessary
  7. Route 53
  8. Fail
  9. How AWS stops DDoS
  10. AWS Global Presence and Redundancy (diagram: users in Country A, Country B and Country C reach CloudFront over Internet Connection A, B and C via Route A, B and C; traffic classes shown are valid object request, invalid protocol and invalid object request)
  11. AWS anti-DDoS • AWS anti-DDoS features • DDoS visibility • AWS technology: Amazon Route 53, CloudFront, CloudWatch, AWS WAF, Amazon VPC, BlackWatch, Elastic Load Balancing
  12. Amazon Route 53 • Multiple authoritative servers • Anycast IP • Auto load balancing • 100% availability during DDoS attacks (2015)
  13. Amazon CloudFront • Use CloudFront in front of your origin servers: ELBs, EC2, customer origin • Serve static content from S3 • CloudFront can also serve your dynamic content • CloudFront will reduce load on your VPC
  14. Amazon CloudFront • HTTP(S) termination • TCP only • Origin obfuscation • Geo-isolation • Route withdrawal by /24 • Specific customer assignment (in /24): anycast dispersion using DNS, customer ID using distribution signatures • SSL renegotiation disabled
  15. AWS WAF • Customizable rules created by customers to avoid false positives • Reusable rule sets • Full-feature API: this is a DevOps WAF that can be deployed inline with new web sites and applications • Integrated with AWS (e.g. CloudFront, CloudWatch) and with partners (e.g. Alert Logic) • Pay-as-you-go pricing
  16. Traditional WAF deployment: WAF on EC2 in an ELB sandwich (ELB, WAF on EC2, ELB, then the application EC2 instances), which adds complexity and latency (diagram: users, hackers, bad bots, site scraping, SQL injection, XSS and other attacks, and legitimate traffic arrive via a CloudFront edge location; origin and origin storage may also sit in the customer's on-premises environment)
  17. CloudFront with AWS WAF: malicious traffic is blocked by WAF rules at the edge locations; the origin can be a custom origin (EC2, ELB, S3 and/or the customer's on-premises origin server and origin storage) serving static and dynamic content (diagram: same traffic classes as the previous slide, now filtered at the CloudFront edge location)
  18. Elastic Load Balancing • Auto Scaling • TCP and HTTP(S) termination • SYN cookies
  19. VPC Flow Logs • Logs of traffic flows across the VPC: IP src/dst, port src/dst, protocol • Metrics • Alarming on flow logs
  20. CloudWatch • Instance-level metrics • Custom metrics • Alarming • Notification
  21. Service checklist. AWS Edge Locations: Amazon CloudFront with AWS WAF (BP1, BP2), Amazon API Gateway (BP4), Amazon Route 53 (BP3). AWS Regions: Elastic Load Balancing (BP6), Amazon VPC (BP5), Amazon EC2 with Auto Scaling (BP7). Capability rows, with the marks as they appear on the slide (empty cells are not preserved in the extracted text):
      • Layer 3 (e.g. UDP reflection) attack mitigation: ✔ ✔ ✔ ✔ ✔
      • Layer 4 (e.g. SYN flood) attack mitigation: ✔ ✔ ✔ ✔
      • Layer 6 (e.g. SSL) attack mitigation: ✔ ✔ N/A ✔
      • Reduce attack surface: ✔ ✔ ✔ ✔ ✔
      • Scale to absorb application-layer traffic: ✔ ✔ ✔ ✔ ✔
      • Layer 7 (application layer) attack mitigation: ✔ ✔ ✔
      • Geographic isolation and dispersion of excess traffic and larger DDoS attacks: ✔ ✔ ✔
  22. Attack mitigation by common vector (vector: description; mitigation strategy).
      Application layer (L6/L7):
      • HTTP flood: flood of legitimate-looking requests that seem like regular users; AWS WAF, rate-based blacklisting Lambda function, Auto Scaling
      • SSL abuse: abuse of the computationally expensive SSL protocol causing resource exhaustion; CloudFront, ELB
      • WordPress XML-RPC ("Pingback"): XML-RPC flood from WordPress sites used as reflectors; AWS WAF, User-Agent block
      Infrastructure layer (L3/L4):
      • UDP reflection (DNS, NTP, SSDP, etc.): UDP responses sourced from common service ports; abuses legitimate services that respond openly; CloudFront, Route 53, ELB, larger region
      • SYN flood: TCP protocol abuse that generates large bit and packet volumes and exhausts the connection table; CloudFront, Route 53, ELB, larger region
      • Slowloris: slow read/write attack that holds TCP connections open; CloudFront
  23. Where we are today (Edge) • Protected by custom-built DDoS mitigation systems (BlackWatch) and service-based defences • Every packet is inspected • Inline systems engage quickly without impact to availability, throughput and latency (diagram: users and the DDoS attack hit the edge location, CloudFront and Route 53 behind BlackWatch, before reaching the AWS Region and the customer's origin infrastructure: ELB, EC2, S3, etc.)
  24. Where we are today (Regions) • Protected by custom hardware • Protected by commercial hardware • Auto-detection and rate limiting • Manual operation for new threats (diagram: users and the DDoS attack reach Elastic Load Balancing and Amazon EC2 inside the AWS Region)
  25. Deployment Scenarios
  26. Web assets: Amazon CloudFront and Amazon Route 53 (diagram: users and the DDoS attack enter through Amazon Route 53 and Amazon CloudFront; AWS WAF and Amazon API Gateway sit at the edge; the ELB load balancer in an ELB security group in the public subnet fronts Amazon EC2 instances in a web application security group in the private subnet)
  27. Web assets: Amazon CloudFront and Amazon Route 53 (diagram build-up: Amazon Route 53 and Amazon CloudFront in front of the ELB load balancer and security group in the public subnet, the Amazon EC2 instances in the web application security group in the private subnet, and the WAF)
  28. Web assets: Amazon CloudFront and Amazon Route 53 (diagram build-up: AWS WAF and Amazon API Gateway added at the edge in front of the same ELB and EC2 layout; users and the DDoS attack enter at the edge)
  29. Non-web-based assets (TCP-based) (diagram: users and the DDoS attack reach the ELB load balancer in an ELB security group in the public subnet, which fronts Amazon EC2 instances in a web application security group in the private subnet)
  30. Non-TCP-based assets (burst loads) (diagram: users and the DDoS attack reach a proxy in an ELB security group in the public subnet, which fronts Amazon EC2 instances in an application security group in the private subnet)
  31. Automated DDoS response: Flow Logs -> CloudWatch -> Lambda -> WAF
      • http://blogs.aws.amazon.com/security/post/Tx223ZW25YRPRKV/How-to-Use-AWS-WAF-to-Block-IP-Addresses-That-Generate-Bad-Requests
      • http://blogs.aws.amazon.com/security/post/Tx1ZTM4DT0HRH0K/How-to-Configure-Rate-Based-Blacklisting-with-AWS-WAF-and-AWS-Lambda
      • http://blogs.aws.amazon.com/security/post/Tx8GZBDD7HJ6BS/How-to-Import-IP-Address-Reputation-Lists-to-Automatically-Update-AWS-WAF-IP-Bla
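The pipeline on slide 31 (Flow Logs -> CloudWatch -> Lambda -> WAF), built on the flow-log fields listed on slide 19, is easier to reason about in code than in boxes. The following is an added example, not code from the deck or from the AWS blog posts it links: a Lambda-style handler that decodes the CloudWatch Logs subscription payload, parses VPC Flow Logs version-2 records, aggregates per source address, and produces the `Updates` list for the classic AWS WAF `UpdateIPSet` call. The thresholds, the never-block ranges, the sample flow-log lines and the `ip_set_id` parameter are assumptions made for the example; the only real AWS calls (`get_change_token`, `update_ip_set`) are made only when a boto3 `waf` client is passed in, so the block runs offline.

```python
"""Added example: VPC Flow Logs -> CloudWatch Logs -> Lambda -> AWS WAF IP set (classic WAF API)."""
import base64
import gzip
import ipaddress
import json
from collections import defaultdict

# Thresholds and allow-list are assumptions for this example, not AWS guidance.
PACKETS_PER_WINDOW = 1000       # packets from one source across the delivered batch
REJECTED_PORTS_PER_WINDOW = 50  # distinct dst ports REJECTed for one source (scan / SYN noise)
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),       # assumed VPC range
               ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate NAT; a /32 here would block many users

# VPC Flow Logs version 2 record layout (14 space-separated fields).
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()


def parse_flow_record(line):
    """Parse one flow-log record; returns None for malformed rows and NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA rows carry '-' in the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def offenders(records):
    """Source IPs whose aggregate behaviour in the batch crosses a threshold, minus the allow-list."""
    packets = defaultdict(int)
    rejected_ports = defaultdict(set)
    for r in records:
        packets[r["srcaddr"]] += r["packets"]
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(r["dstport"])
    hits = {ip for ip, n in packets.items()
            if n >= PACKETS_PER_WINDOW or len(rejected_ports[ip]) >= REJECTED_PORTS_PER_WINDOW}
    return {ip for ip in hits
            if not any(ipaddress.ip_address(ip) in net for net in NEVER_BLOCK)}


def waf_updates(ips, action="INSERT"):
    """Build the Updates list for classic AWS WAF update_ip_set (one IPV4 /32 descriptor per source)."""
    return [{"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in sorted(ips, key=ipaddress.ip_address)]


def decode_awslogs_event(event):
    """CloudWatch Logs subscription payload: base64(gzip(JSON)) with logEvents[].message."""
    raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
    return [e["message"] for e in json.loads(raw)["logEvents"]]


def handler(event, context=None, waf_client=None, ip_set_id=None):
    """Lambda entry point. Returns the computed Updates; pushes them only if a waf client is given."""
    records = filter(None, (parse_flow_record(m) for m in decode_awslogs_event(event)))
    updates = waf_updates(offenders(records))
    if updates and waf_client is not None:
        token = waf_client.get_change_token()["ChangeToken"]
        waf_client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    return updates


def make_event(lines):
    """Wrap flow-log lines the way CloudWatch Logs delivers them to Lambda (offline testing helper)."""
    body = json.dumps({"logEvents": [{"id": str(i), "timestamp": 0, "message": line}
                                     for i, line in enumerate(lines)]}).encode()
    return {"awslogs": {"data": base64.b64encode(gzip.compress(body)).decode()}}


# Constructed sample batch: 198.51.100.7 floods port 80, 192.0.2.9 probes 60 ports and is REJECTed,
# 203.0.113.5 is noisy but inside the never-block range, 198.51.100.200 is benign, plus one NODATA row.
SAMPLE_LINES = (
    ["2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 %d 80 6 250 12000 1467000000 1467000060 ACCEPT OK" % p
     for p in range(40000, 40005)]
    + ["2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.10 51000 %d 6 1 44 1467000000 1467000060 REJECT OK" % d
       for d in range(1, 61)]
    + ["2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 52000 443 6 5000 600000 1467000000 1467000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d 198.51.100.200 10.0.1.10 53000 443 6 20 3000 1467000000 1467000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d - - - - - - - 1467000000 1467000060 - NODATA"]
)

if __name__ == "__main__":
    print(json.dumps(handler(make_event(SAMPLE_LINES)), indent=2))
```

Two practical points the slide does not spell out: blocking by /32 from a flow log means a whole NAT population goes with one abuser, so the never-block list (or a smaller, time-bounded block) matters as much as the threshold; and classic WAF IP sets have a size limit and the change-token sequence is not idempotent, so a real deployment should also emit `DELETE` updates to expire entries instead of only inserting.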
