
Best Practices for DDoS Mitigation on AWS

This presentation looks at the best practices for DDoS mitigation on AWS.


  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 2018-03-13. Best Practices to Increase Availability, Performance and Security of your Web Applications with AWS WAF and AWS Shield. Tobias Philipps, Enterprise Account Manager - Edge Services, tobiasp@amazon.co.uk
  2. Agenda
     09:30 - 10:30 Best Practices for DDoS Mitigation on AWS (Andrew Thomas, GM, Perimeter Protection)
     10:30 - 10:45 Coffee Break
     10:45 - 11:25 Advanced Techniques for Securing Your Web Applications with AWS WAF and AWS Shield (Sundar Jayashekar, Sr PM, Perimeter Protection)
     11:25 - 11:30 Break
     11:30 - 12:00 Practical Examples of How to Configure AWS WAF and AWS Shield to Protect Against Common Attack Vectors (Demo) (Sundar Jayashekar, Andrew Thomas)
     12:00 - 12:20 Simplify Security with Trend Micro Managed Rules for AWS WAF (Bharat Mistry, Principal Engineer, Trend Micro)
     12:20 - 12:30 Q&A session
  3. 2018-03-13. Best Practices for DDoS Mitigation on AWS. Andrew Thomas, General Manager - AWS WAF & AWS Shield, andrewlt@amazon.com
  4. Agenda: 1. DDoS Threats and Trends; 2. 10 Best Practices for DDoS Resiliency; 3. Demo
  5. DDoS Threats and Trends. [Chart: largest DDoS attacks per year, 2007-2018, in Gbps (y-axis 0-1600); series: Largest DDoS Attacks, Memcached Attacks, Mirai Attacks]
  6. DDoS Threats and Trends. AWS detects and mitigates thousands of DDoS attacks daily. Source: AWS Global Threat Dashboard (available to Shield Advanced customers).
  7. Types of DDoS Attacks (diagram mapped to the OSI layers)
     • Application layer (with Presentation and Session): HTTP Flood, App exploits, SQL Injection, Bots, Crawlers, SSL Abuse, Malformed SSL
     • Transport layer: SYN/ACK Flood, UDP Flood, Reflection
     • Network layer: Ping of Death, ICMP Flood, Teardrop
     • The lower layers of the stack (Physical, Data Link, Network, Transport) are marked "Operated & Protected by AWS"
  8. Why is DDoS a Problem?
     • Availability of your applications: attacks can last for hours and even days
     • Financial impact: lost revenue, increased infrastructure expense, extortion, reputation hit
     • Security: data loss
  9. Traditional Challenges with DDoS Protection
     • Mitigations require bandwidth, lots of it.
     • Scaling is expensive.
     • Anomaly detection is challenging and evolving.
     • DDoS expertise is in short supply.
  10. AWS Shield
     • AWS Shield Standard: available to ALL AWS customers at no additional cost.
     • AWS Shield Advanced: paid service that provides additional protections, features and benefits.
  11. AWS Shield Standard
     Layer 3/4 protection for everyone:
     • Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
     • Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
     • SYN Floods, UDP Floods, Reflection Attacks, etc.
     Layer 7 protection available via AWS WAF:
     • Self-service and pay-as-you-go
  12. AWS Shield Advanced
     • Additional detection and monitoring
     • Protection against large DDoS attacks
     • Visibility into attack detection and mitigation
     • AWS WAF at no additional cost
     • 24x7 DDoS Response Team
     • Cost protection (absorbs DDoS scaling cost)
  13. Best Practices for DDoS Resiliency
  14. Basic Web Application on AWS: Internet → Elastic Load Balancer → EC2 Instances
  15. Build a highly scalable, secure, well-monitored, DDoS-protected application.
  17. Build a highly scalable application: use globally distributed services like Amazon CloudFront and Amazon Route 53
     • Comprehensive built-in protection against Layer 3 and 4 DDoS attacks
     • 99.9% of the identified network and transport attacks are mitigated in less than 1 minute
     • Tens of Tbps of mitigation capacity
     Amazon CloudFront:
     • Inline inspection and SYN proxy protection
     • Protection against slow reads (Slowloris)
     • Only accepts valid HTTP/TCP packets
     • Safeguards against SSL abuse
     Amazon Route 53:
     • DNS header validations
     • Good vs. bad resolvers
     • Priority-based traffic shaping
  18. Build a highly scalable application: handle fluctuations in demand with Elastic Load Balancer
     • Use a single ELB tier for all instances
     • Pass only well-formed connections, only on allowed ports
  19. Build a DDoS-protected application: prepare to scale compute to maintain availability
     Instance scaling:
     • Rapidly scale individual services
     • Additional CPU or memory capacity can be added to a server instance very quickly (note that changing an EC2 instance type requires a stop/start, so environment scaling, below, is the path with no user-visible interruption)
     Environment scaling:
     • Auto Scaling based on load and incoming request rates
     • Scale from a few servers to several hundred within minutes
     Control scaling costs with AWS Shield Advanced:
     • AWS WAF included at no additional cost
     • Cost protection for resource scaling
  20. Build a highly scalable, secure, well-monitored, DDoS-protected application.
  21. Build a highly secure application: use Security Groups and Network ACLs with a Virtual Private Cloud (VPC)
     • "Hide" instances from the internet
     • Security Groups
     • Network ACLs
     • Combine with AWS Lambda to dynamically update access control
  22. Build a highly scalable, secure, well-monitored, DDoS-protected application.
  23. Build a well-monitored application
     Enable CloudWatch for the metrics that matter to you (Amazon CloudWatch):
     • Multiple metrics provided for every service
     • Create dashboards and events for custom views
     • Integrate with notification channels like PagerDuty and Slack
     Enable service logs for deeper analysis (VPC Flow Logs, Amazon Kinesis Firehose, Amazon S3, Amazon Redshift):
     • VPC Flow Logs can help troubleshoot connectivity and security issues
     • Ingest and store logs with Amazon Kinesis Firehose and Amazon S3
     • Amazon Redshift can help with deeper analysis
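What "VPC Flow Logs can help troubleshoot security issues" looks like in practice, as an added example that is not part of the deck: a detector that parses default-format (version 2) flow log records and flags a destination port that is receiving TCP flows from many distinct sources with almost no packets per flow, the footprint of a SYN flood (half-open connections never progress past one or two packets). The log lines are constructed; the thresholds and the interface id are assumptions to tune per fleet. In a real pipeline the records would arrive from Kinesis Firehose or S3 as the slide describes, and you would evaluate one aggregation interval at a time.

```python
"""Flag SYN-flood-like patterns in VPC Flow Log records.

Added example, not from the AWS deck. The log lines below are constructed in the
default (version 2) flow log format; thresholds are assumptions to tune per fleet.
"""
from collections import defaultdict
from statistics import median

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Heuristic (assumed): a healthy TCP service sees several packets per flow;
# a flood of half-open connections shows many sources at ~1 packet each.
MIN_UNIQUE_SOURCES = 50
MAX_MEDIAN_PACKETS = 2


def parse_flow_log(text):
    """Yield one dict per record; skip NODATA/SKIPDATA lines that carry no flow."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        yield rec


def detect_floods(records, protected_ips):
    """Return {(dstaddr, dstport): summary} for targets that look flooded.

    Only TCP (protocol 6) flows INTO `protected_ips` are considered, so the
    instance's own outbound connections do not skew the numbers. The median
    rather than the mean is used so a few legitimate long sessions cannot
    mask a flood.
    """
    by_target = defaultdict(list)
    for r in records:
        if r["protocol"] == 6 and r["dstaddr"] in protected_ips:
            by_target[(r["dstaddr"], r["dstport"])].append(r)

    alerts = {}
    for target, flows in by_target.items():
        sources = {f["srcaddr"] for f in flows}
        pkts = median(f["packets"] for f in flows)
        if len(sources) >= MIN_UNIQUE_SOURCES and pkts <= MAX_MEDIAN_PACKETS:
            alerts[target] = {
                "unique_sources": len(sources),
                "flows": len(flows),
                "median_packets_per_flow": pkts,
                "rejected": sum(1 for f in flows if f["action"] == "REJECT"),
            }
    return alerts


def _constructed_sample():
    """Synthetic capture: 80 single-packet flows to :443 from distinct sources
    (the flood), five normal sessions to :443, one SSH session, one NODATA line."""
    lines = []
    t = 1520937000
    for i in range(80):
        lines.append(f"2 123456789012 eni-0a1b2c3d 198.51.100.{i + 1} 10.0.1.10 "
                     f"{40000 + i} 443 6 1 60 {t} {t + 60} ACCEPT OK")
    for i in range(5):
        lines.append(f"2 123456789012 eni-0a1b2c3d 203.0.113.{i + 1} 10.0.1.10 "
                     f"{50000 + i} 443 6 24 18000 {t} {t + 60} ACCEPT OK")
    lines.append(f"2 123456789012 eni-0a1b2c3d 203.0.113.200 10.0.1.10 51000 22 6 40 5200 {t} {t + 60} ACCEPT OK")
    lines.append(f"2 123456789012 eni-0a1b2c3d - - - - - - - {t} {t + 60} - NODATA")
    return "\n".join(lines)


def run_sample():
    """Run the detector over the constructed capture; 10.0.1.10 is the protected instance."""
    return detect_floods(parse_flow_log(_constructed_sample()), {"10.0.1.10"})


if __name__ == "__main__":
    for (ip, port), info in run_sample().items():
        print(f"{ip}:{port} looks flooded: {info}")
```

The `rejected` count is worth watching separately: once a Security Group or NACL change is in place, the same flows flip from ACCEPT to REJECT, which is how you confirm the mitigation took effect.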
  24. Build a well-monitored application
     Enable AWS WAF for baselining layer 7 traffic:
     • Rate-based rules in count mode
     • Different rules by conditions like URL, geo, etc.
     • HTTP request samples
     • CloudWatch metrics
     Enable Shield Advanced for advanced anomaly detection:
     • Layer 7 attack detection (HTTP floods, DNS query floods)
     • Enhanced layer 3/4 attack detection
     • Granular detection thresholds (for regional services: EC2 / ELB)
  25. Build a highly scalable, secure, well-monitored, DDoS-protected application.
  26. Build a DDoS-protected application: use AWS WAF to quickly block Layer 7 attacks
     • Flexible rule language (RegEx, rate-based rules, Geo IP, etc.)
     • Security automations
     • Fast rule propagation (20 sec for ALB, 50 sec for Edge)
     • Self-service API
     • Managed Rules marketplace
     • WAF partners
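Slide 24 says to baseline layer 7 traffic with rate-based rules in count mode before slide 26 has you block with them; the step in between is picking a RateLimit. The following is an added example, not code from the deck, that computes the peak per-client request count over a trailing 5-minute window from ALB access logs, the same window a WAF rate-based rule uses, and derives a threshold that no observed legitimate client would trip, clamped to the minimum of 2000 that WAF (classic, the API at the time of this talk) accepts. The 99th percentile is used so that one scraper or attacker already in the logs does not set the bar, and the clients that would have been blocked are reported, which is exactly what count mode would have shown you. The log lines are constructed and abbreviated to the leading ALB fields the parser reads (type, time, elb, client:port, target:port); the headroom factor and the client addresses are assumptions.

```python
"""Baseline per-client request rates from ALB access logs to size a WAF rate-based rule.

Added example, not code from the AWS deck. AWS facts assumed: a rate-based rule
counts requests per source IP over a trailing 5-minute window, and WAF classic
will not accept a RateLimit below 2000. Log lines are constructed and carry only
the leading ALB fields this script reads.
"""
import bisect
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 5 * 60
WAF_CLASSIC_MIN_RATE_LIMIT = 2000


def parse_alb_lines(text):
    """Yield (epoch_seconds, client_ip) per ALB access log line (fields 2 and 4)."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.strptime(parts[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        client_ip = parts[3].rsplit(":", 1)[0]   # strip the source port
        yield ts.timestamp(), client_ip


def peak_rate_per_ip(events):
    """For each client, the most requests it made inside any single 5-minute window."""
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best = 0
        for i, t in enumerate(stamps):
            # window is (t - WINDOW, t]; j is the first index inside it
            j = bisect.bisect_right(stamps, t - WINDOW_SECONDS)
            best = max(best, i - j + 1)
        peaks[ip] = best
    return peaks


def percentile(values, p):
    """Nearest-rank percentile; 0 for an empty input."""
    s = sorted(values)
    if not s:
        return 0
    k = max(0, min(len(s) - 1, math.ceil(p / 100 * len(s)) - 1))
    return s[k]


def recommend_rate_limit(peaks, headroom=2.0):
    """p99 of per-client peaks times a headroom factor, clamped to the WAF classic minimum."""
    p99 = percentile(peaks.values(), 99)
    return max(WAF_CLASSIC_MIN_RATE_LIMIT, math.ceil(p99 * headroom))


def would_be_blocked(peaks, limit):
    """Clients whose peak exceeds the limit: what a count-mode rule would have matched."""
    return sorted(ip for ip, n in peaks.items() if n > limit)


def _constructed_sample():
    """Synthetic log: 200 clients at 30 requests per 10 minutes, one scraper at 2500 in 3 minutes."""
    base = datetime(2018, 3, 13, 9, 30, tzinfo=timezone.utc)

    def line(offset, ip):
        t = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        return (f"https {t} app/demo-alb/0123456789abcdef {ip}:51234 10.0.1.10:443 "
                f'"GET https://demo.example:443/ HTTP/1.1"')

    lines = [line(k * 20, f"198.51.100.{c}") for c in range(1, 201) for k in range(30)]
    lines += [line(k * 0.072, "203.0.113.99") for k in range(2500)]
    return "\n".join(lines)


def run_sample():
    """Baseline the constructed log and return peaks, the recommended limit and the outliers."""
    peaks = peak_rate_per_ip(parse_alb_lines(_constructed_sample()))
    limit = recommend_rate_limit(peaks)
    return {"peaks": peaks, "rate_limit": limit, "exceeding": would_be_blocked(peaks, limit)}


if __name__ == "__main__":
    result = run_sample()
    print("recommended RateLimit:", result["rate_limit"])
    print("clients that would be blocked:", result["exceeding"])
```

Run it over a week of real logs rather than a synthetic burst, and re-check after any client-side change (a new mobile app release that polls aggressively will show up here before it shows up as blocked users). Note that clients behind a shared NAT or proxy share one source IP, so their combined rate is what the rule sees.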
  27. Build a DDoS-protected application: use AWS Shield Advanced for effective incident response
     • Advanced mitigations like SYN throttle
     • Traffic engineering for large DDoS attacks
     • Custom-defined L3/4 mitigations
     • 24x7 access to the DDoS Response Team for more complex cases
     • Advise on / implement WAF mitigations and re-architecture
     • Availability SLA of services
     • Low-latency protections
     • AWS WAF included at no additional cost
     • Cost protection for resource scaling
  28. Best Practices for DDoS Resiliency (summary)
     1. Use globally distributed services like Amazon CloudFront and Amazon Route 53
     2. Handle fluctuations in demand with Elastic Load Balancer
     3. Prepare to scale compute to maintain availability
     4. Use Security Groups and Network ACLs with a Virtual Private Cloud (VPC)
     5. Enable CloudWatch for the metrics that matter to you
     6. Enable service logs for deeper analysis
     7. Enable AWS WAF for baselining layer 7 traffic
     8. Enable Shield Advanced for advanced anomaly detection
     9. Use AWS WAF to quickly block Layer 7 attacks
     10. Use AWS Shield Advanced for effective incident response
  29. Best Practices for DDoS Resiliency. Read the whitepaper: AWS Best Practices for DDoS Resiliency, https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
  30. Demo
  31. Thank You! Questions?
