This document summarizes a presentation about using Amazon CloudFront and AWS WAF for securing and accelerating APIs. It discusses the challenges of delivering APIs, how CloudFront addresses these challenges through application acceleration, security features, and high availability. The presentation also provides a case study of how Slack migrated from using Elastic Load Balancing to using CloudFront to deliver their API, improving performance metrics. It concludes with a demonstration of automating protections using Lambda and discusses future plans for rate limiting and blocking malicious traffic.
5. Challenges with Delivering APIs
API Response Time: APIs are often not cacheable, so improving performance is non-trivial.
Security & DDoS Target: protect from DDoS attacks; block malicious activity.
Scaling & Availability: operational burden; availability risks.
@cloudfront
14. DDoS Protection for AWS Infrastructure
Inherent Protection: you don't have to enable anything. Covers Layer 3/4 attacks like SYN and UDP floods and Layer 7 attacks like Slowloris.
Inline Detection & Mitigation: low MTTR; microsecond latencies.
Proven DDoS Mitigation Techniques: targeted and heuristic mitigations.
[Diagram: users and DDoS attack traffic reach Amazon CloudFront and Amazon Route 53 at the AWS global infrastructure, where DDoS mitigation happens in front of the customer's virtual private cloud.]
15. DDoS Mitigation Techniques
Basic Hygiene: automatically filters invalid packets, e.g., block any UDP destined to CloudFront.
Traffic ACLs: prioritize good vs. bad traffic based on several factors:
- DNS request validation
- Source IP
- Source ASN
- Traffic levels
- Validated sources
Redundant High Capacity Network Paths: viewers always have a path to reach CloudFront.
16. DDoS Mitigation
No impact to availability, even during a DDoS attack.
[Chart: sample attack on a CloudFront customer]
19. Designed for High Availability
Mitigate the top 3 risks for availability:
DDoS Attacks: ensures DDoS attacks don't cause outages.
Scale for Traffic Surge: load-based dynamic routing; multiple transit providers; collapse forwarding; maintain buffer.
Operator Errors: fault-tolerant deployment.
26. Web API
● POSTs and GETs to an HTTPS endpoint; responses come back as JSON objects.
● All Slack clients are API consumers: mobile, desktop and web clients use our API.
● Accelerated globally using CloudFront: requests to slack.com and the HTTPS API are powered by CloudFront.
27. Web API Examples
● Search for all files or messages containing the string "Hello":
GET https://slack.com/api/search.all?token=xoxp-...&query=Hello
● List all channels along with their members:
GET https://slack.com/api/channels.list?token=xoxp-...
● Create a new channel called "#test":
GET https://slack.com/api/channels.create?token=xoxp-...&name=test
28. Web API Stats
3 million daily active users; each user is making API calls all day.
1.5 billion total requests per day; over 10 billion per week!
52% of those are API requests: over 5 billion API requests per week!
30. Benefits with Amazon CloudFront
DDoS Protection & Security Benefits: Amazon has some tricks up their sleeve.
Network Infrastructure: AWS global network backbone.
Performance and Reliability: CloudFront is designed for high volumes of traffic.
31. Why We Chose Amazon CloudFront
● Flexibility and ability to customize: no magic switches, everything can be configured.
● Outperformed all other DDoS and CDN providers: CloudFront stability was better than the other providers we tested.
● Pairs nicely with existing AWS technology: CloudFront is easy to configure with ELB and S3.
33. Amazon CloudFront Configuration
Caching disabled: all API responses are dynamic, so nothing is cached.
Forward all headers, cookies and query strings to origin. Forward all the things!
S3 bucket with static HTML error pages: if the origin is not responding, we will still serve an error page from S3.
42. Direct Benefits for Slack
● Less affected by internet outages and route leaks: traffic enters the AWS backbone closer to the client.
● Slack loads more quickly all around the world: the client spends less time waiting for API calls.
● Automatic DDoS protection: we let AWS deal with DDoS attacks without waking up the ops team.
44. Rate Limiting
● Pushing rate limits to the edge: less infrastructure to maintain means less time and money.
● Limiting unauthenticated requests at the edge: stop high-layer DDoS attacks early by setting per-IP request limits.
● Alerting or posting to Slack when rate limits are tripped: we want to know about this, it might be an attack or a misconfiguration.
45. Blocking Malicious Traffic
● Manually adding rules to mitigate an attack: if our infrastructure is overwhelmed, we can block at the edge.
● Blocking known bad IPs: block known botnets using IP blacklists.
● Using Lambda and WAF to block based on rule sets: determine safe limits and temporarily block offenders.
55. Customer case study
Customer: Magazine Luiza
• Large eCommerce platform in Brazil with more than 700 stores
Requirements:
• Wanted protection days before Black Friday
• Needed APIs for automation
• Needed fast rule updates
• Needed high-scale blocking
60. Demo 2: Lambda based automated protection
HTTP Floods (Rate Based Blacklisting)
• Problem: HTTP requesters overwhelm web servers or database servers.
• Solution: count the number of requests in CloudFront access logs and block offenders.
61. Demo 2: Lambda based automated protection
HTTP Floods (Rate Based Blacklisting)
[Diagram: good users (allowed on source IP) and bad users (blocked on source IP) reach Amazon CloudFront with AWS WAF in front; behind it sit Elastic Load Balancing, Amazon EC2 and Amazon RDS. A numbered flow (1-4) connects CloudFront logs in S3, AWS Lambda, AWS WAF and Amazon CloudWatch; the whole setup is deployed as an AWS CloudFormation stack.]
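The counting step that Demo 2 and the rate-limiting slide describe, written out as an added example (not the demo's own Lambda code): it reads CloudFront standard-log records, uses the #Fields header to locate the c-ip column, counts requests per client per minute, and returns every client over a threshold as a CIDR string ready for an IP-set block rule. The sample records, their addresses and paths, and the threshold are constructed assumptions.

```python
from collections import defaultdict

# CloudFront standard logs are tab-separated; a '#Fields:' header names the columns.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol "
          "cs-bytes time-taken")

def _record(date, time, ip, path):
    # Constructed log record (not a real capture); column order follows FIELDS,
    # and every value other than date/time/ip/path is filler.
    return "\t".join([date, time, "IAD2", "512", ip, "GET", "d1.cloudfront.net",
                      path, "200", "-", "curl/7.0", "-", "-", "Miss", "req-1",
                      "api.example.com", "https", "300", "0.010"])

# Constructed sample: one client issues 12 requests in a single minute,
# a normal client issues 3, and the flood tails off in the next minute.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: " + FIELDS]
    + [_record("2016-11-30", "10:00:%02d" % s, "198.51.100.9", "/api/search.all") for s in range(12)]
    + [_record("2016-11-30", "10:00:%02d" % s, "203.0.113.7", "/api/channels.list") for s in (5, 20, 40)]
    + [_record("2016-11-30", "10:01:%02d" % s, "198.51.100.9", "/api/search.all") for s in range(2)])

def count_per_ip_per_minute(log_text):
    """Map (client_ip, 'YYYY-MM-DD HH:MM') -> request count for one log file body."""
    columns, counts = None, defaultdict(int)
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            columns = raw[len("#Fields:"):].split()  # trust the header, not fixed offsets
            continue
        if raw.startswith("#") or not raw.strip() or columns is None:
            continue  # version line, blank line, or data before any header
        parts = raw.split("\t")
        if len(parts) < len(columns):
            continue  # truncated record: skip rather than mis-index a column
        ip = parts[columns.index("c-ip")]
        minute = parts[columns.index("date")] + " " + parts[columns.index("time")][:5]
        counts[(ip, minute)] += 1
    return dict(counts)

def offenders(log_text, max_per_minute):
    """Clients that exceeded max_per_minute in any single minute, as CIDR strings
    (the host-address form an IP-set block rule takes)."""
    over = {ip for (ip, _), n in count_per_ip_per_minute(log_text).items() if n > max_per_minute}
    return sorted(ip + ("/128" if ":" in ip else "/32") for ip in over)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, max_per_minute=10))  # ['198.51.100.9/32']
```

In the demo's architecture this function would run inside the Lambda triggered by each new log object in S3, with the returned CIDRs pushed into the WAF IP set and the count published as a CloudWatch metric for alerting.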
63. More Lambda based automated protection
Attack types covered: HTTP floods, scans & probes, IP reputation lists, bots & scrapers.
• Ready to use as-is
• And customizable
64. Session Takeaways
CloudFront in front of your websites and APIs: TLS/SSL acceleration; improve application performance without caching; inherent DDoS protection.
AWS WAF for automated protection: easy setup, get started within minutes: https://aws.amazon.com/waf/preconfiguredrules/
Customizable automated protection: https://github.com/awslabs/aws-waf-sample