© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2018-03-13
Best Practices to Increase Availability,
Performance and Security of your Web
Applications with AWS WAF and AWS Shield
Tobias Philipps, Enterprise Account Manager - Edge Services
tobiasp@amazon.co.uk
Agenda
09:30 - 10:30  Best Practices for DDoS Mitigation on AWS (Andrew Thomas, GM, Perimeter Protection)
10:30 - 10:45  Coffee Break
10:45 - 11:25  Advanced Techniques For Securing Your Web Applications with AWS WAF and AWS Shield (Sundar Jayashekar, Sr PM, Perimeter Protection)
11:25 - 11:30  Break
11:30 - 12:00  Practical Examples Of How To Configure AWS WAF and AWS Shield To Protect Against Common Attack Vectors (Demo) (Sundar Jayashekar, Andrew Thomas)
12:00 - 12:20  Simplify security with Trend Micro Managed Rules for AWS WAF (Bharat Mistry, Principal Engineer, Trend Micro)
12:20 - 12:30  Q&A session
2018-03-13
Best Practices for DDoS
Mitigation on AWS
Andrew Thomas, General Manager - AWS WAF & AWS Shield
andrewlt@amazon.com
Agenda
1. DDoS Threats and Trends
2. 10 Best Practices for DDoS Resiliency
3. Demo
DDoS Threats and Trends
[Chart: Largest DDoS Attacks (Gbps), 2007-2018, y-axis 0 to 1600 Gbps; series: Largest DDoS Attacks, Memcached Attacks, Mirai Attacks]
DDoS Threats and Trends
AWS detects and mitigates thousands of DDoS attacks daily.
Source: AWS Global Threat Dashboard (available to Shield Advanced customers)
Types of DDoS Attacks (by OSI layer)
• Application: HTTP Flood, App exploits, SQL Injection, Bots, Crawlers, SSL Abuse, Malformed SSL
• Presentation
• Session
• Transport / Network: SYN/ACK Flood | UDP Flood | Reflection; Ping of Death | ICMP Flood | Teardrop
• Data Link / Physical (the lower layers are operated & protected by AWS)
Why is DDoS a Problem?
Availability of your applications
• Attacks can last for hours and even days
Financial Impact
• Lost Revenue
• Increased Infrastructure Expense
• Extortion
• Reputation Hit
Security
• Data Loss
Traditional Challenges with DDoS Protection
• Mitigations require bandwidth – lots of it.
• Scaling is expensive.
• Anomaly detection is challenging and evolving.
• DDoS expertise is in short supply.
AWS Shield
• AWS Shield Standard: available to ALL AWS customers at no additional cost.
• AWS Shield Advanced: paid service that provides additional protections, features and benefits.
AWS Shield Standard
Layer 3/4 Protection for Everyone
• Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
• Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
• SYN Floods, UDP Floods, Reflection Attacks, etc.
Layer 7 Protection Available via AWS WAF
• Self-service & pay-as-you-go
AWS Shield Advanced
• Additional Detection & Monitoring
• Protection Against Large DDoS Attacks
• Visibility Into Attack Detection & Mitigation
• AWS WAF at No Additional Cost
• 24x7 DDoS Response Team
• Cost Protection (Absorb DDoS Scaling Cost)
Best Practices for DDoS Resiliency
Basic Web Application on AWS
[Diagram: Internet → Elastic Load Balancer → EC2 Instances]
Build a highly scalable, secure, well-monitored, DDoS-protected application.
Build a highly scalable application
Use Globally Distributed services like Amazon CloudFront and Route 53
• Comprehensive built-in protection against Layer 3 and 4 DDoS attacks
• 99.9% of the identified network and transport attacks are mitigated in less than 1 minute
• Tens of Tbps of mitigation capacity
Amazon CloudFront
• Inline Inspection & SYN Proxy Protection
• Protection Against Slow Reads (Slowloris)
• Only Accepts valid HTTP/TCP packets
• Safeguards against SSL Abuse
Amazon Route 53
• DNS Header Validations
• Good vs. Bad Resolvers
• Priority Based Traffic Shaping
Build a highly scalable application
Handle fluctuations in demand with Elastic Load Balancer
• Use a single ELB tier for all instances
• Pass only well-formed connections, only on allowed ports
Build a DDoS-protected application
Prepare to scale compute to maintain availability
Instance Scaling
• Rapidly Scale Individual Services
• Additional CPU or memory capacity can be added to a server instance very quickly with no impact to the end user
Environment Scaling
• Auto Scaling based on load and incoming request rates
• Scale from a few servers to several hundred within minutes
Control Scaling costs with AWS Shield Advanced
• AWS WAF included at no additional cost
• Cost Protection of Resource scaling
Build a highly scalable, secure, well-monitored, DDoS-protected application.
Build a highly secure application
“Hide” instances from the internet
Use Security Groups and Network ACLs with a Virtual Private Cloud (VPC)
Combine with AWS Lambda to dynamically update access control
Build a highly scalable, secure, well-monitored, DDoS-protected application.
Build a well-monitored application
Enable CloudWatch for metrics that matter to you
Amazon CloudWatch
• Multiple metrics provided for every service
• Create dashboards and events for custom views
• Integrate with notification channels like PagerDuty and Slack
Enable Service Logs for Deeper Analysis
• VPC Flow Logs can help troubleshoot connectivity and security issues
• Ingest and store logs with Amazon Kinesis Firehose and Amazon S3
• Amazon Redshift can help in deeper analysis
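The VPC Flow Logs bullet is the one place on this slide where a defender has raw records to work with. As an added example, not code from the deck or from AWS, the Python below parses the default VPC Flow Log record format (version 2, space-separated fields, with NODATA/SKIPDATA records carrying no flow fields) over a few constructed records and summarises rejected versus accepted connections per source address, which is the first view to build when flow logs are used to troubleshoot a connectivity or security issue. The account id, interface id, addresses, ports and the thresholds in `suspicious_sources` are all constructed placeholders.

```python
"""Summarise VPC Flow Log records to separate rejected connection attempts
from normal traffic.

Added example, not from the slide deck and not AWS code. Parses the
default VPC Flow Log format (version 2) and groups records by source
address. Every identifier and address in the sample log is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass
class SourceSummary:
    accepted: int = 0
    rejected: int = 0
    bytes_accepted: int = 0
    dst_ports: set = field(default_factory=set)


def parse_record(line):
    """Parse one flow log line into a dict.

    Returns None for NODATA / SKIPDATA records: their traffic fields are
    '-' and describe no flow, so they must not be counted as connections."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarise(lines):
    """Per-source accept/reject counts, accepted bytes and touched ports."""
    summary = defaultdict(SourceSummary)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        s = summary[rec["srcaddr"]]
        s.dst_ports.add(rec["dstport"])
        if rec["action"] == "ACCEPT":
            s.accepted += 1
            s.bytes_accepted += rec["bytes"]
        else:
            s.rejected += 1
    return dict(summary)


def suspicious_sources(summary, min_rejects=3, min_ports=3):
    """Sources whose traffic was rejected repeatedly across several ports.

    These are the entries to check against the security group and network
    ACL rules; the thresholds are constructed and should be tuned per VPC."""
    return sorted(src for src, s in summary.items()
                  if s.rejected >= min_rejects and len(s.dst_ports) >= min_ports)


# Constructed sample records (documentation address ranges, placeholder
# account id and interface id). One source is rejected on three ports and
# accepted on 443; another only ever talks to 443; the last record is NODATA.
SAMPLE_LOG = """\
2 111111111111 eni-0example 203.0.113.7 10.0.1.20 51234 22 6 4 240 1520935200 1520935260 REJECT OK
2 111111111111 eni-0example 203.0.113.7 10.0.1.20 51235 3389 6 4 240 1520935200 1520935260 REJECT OK
2 111111111111 eni-0example 203.0.113.7 10.0.1.20 51236 445 6 4 240 1520935200 1520935260 REJECT OK
2 111111111111 eni-0example 203.0.113.7 10.0.1.20 51237 443 6 10 1200 1520935200 1520935260 ACCEPT OK
2 111111111111 eni-0example 198.51.100.9 10.0.1.20 40001 443 6 25 18200 1520935200 1520935260 ACCEPT OK
2 111111111111 eni-0example 198.51.100.9 10.0.1.20 40002 443 6 30 21000 1520935260 1520935320 ACCEPT OK
2 111111111111 eni-0example - - - - - - - 1520935200 1520935260 - NODATA
""".splitlines()


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for src, s in summary.items():
        print(f"{src}: accepted={s.accepted} rejected={s.rejected} "
              f"bytes_accepted={s.bytes_accepted} ports={sorted(s.dst_ports)}")
    print("worth a closer look:", suspicious_sources(summary))
```

The same summary can be produced over records read back from S3 after they have been delivered through Kinesis Firehose, as the slide suggests; the parser only assumes the default record format, so custom flow log formats need their own field list.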
Build a well-monitored application
Enable AWS WAF for baselining layer 7 traffic
AWS WAF
• Rate Based Rules in count mode
• Different rules by conditions like URL, Geos, etc.
• HTTP request samples
• CloudWatch metrics
Enable Shield Advanced for advanced anomaly detection
AWS Shield Advanced
• Layer 7 attack detection (HTTP floods, DNS query floods)
• Enhanced layer 3/4 attack detection
• Granular detection thresholds (for regional services – EC2 / ELB)
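Rate-based rules in count mode are the baselining step: the rule is evaluated against live traffic, but a match is only counted, so you learn which clients would cross a limit before you let the rule block anything. The Python below is an added illustration, not code from the deck or from AWS. It reproduces the evaluation a WAF rate-based rule performs (requests per client IP over a trailing five-minute window, matching once the count exceeds the limit) on constructed traffic, reports the COUNT-mode result, and shows what changes when the action is switched to BLOCK. The traffic, the addresses and the limit of 50 are constructed; 50 is far below the limits the service accepts and is chosen only to keep the sample small.

```python
"""Simulate an AWS WAF rate-based rule in COUNT mode versus BLOCK mode.

Added example, not code from the deck or from AWS. A rate-based rule
counts requests per client IP over a trailing five-minute window and
matches a request once that IP's count passes the configured limit. In
COUNT mode a match is only recorded; in BLOCK mode it is rejected. All
traffic, addresses and the limit below are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # AWS WAF rate-based rules evaluate a five-minute window


def _window_counts(requests):
    """Yield (timestamp, ip, count): count is the number of requests this IP
    has made inside the trailing window, including the current one.
    requests: iterable of (timestamp_seconds, client_ip) in time order."""
    recent = defaultdict(deque)
    for ts, ip in requests:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW_SECONDS:  # q is non-empty: ts was just appended
            q.popleft()
        yield ts, ip, len(q)


def evaluate_rate_rule(requests, limit, action="COUNT"):
    """Return one (timestamp, ip, matched, allowed) tuple per request.

    COUNT: matched requests are still allowed and only recorded.
    BLOCK: matched requests are dropped."""
    if action not in ("COUNT", "BLOCK"):
        raise ValueError("action must be COUNT or BLOCK")
    decisions = []
    for ts, ip, count in _window_counts(requests):
        matched = count > limit
        allowed = not (matched and action == "BLOCK")
        decisions.append((ts, ip, matched, allowed))
    return decisions


def matched_clients(decisions):
    """Per-IP number of matched requests: the report you read from a rule
    that is running in COUNT mode."""
    counts = defaultdict(int)
    for _, ip, matched, _ in decisions:
        if matched:
            counts[ip] += 1
    return dict(counts)


def peak_rates(requests):
    """Highest count each IP reached inside one window. Comparing the peaks
    of known-good clients with the flood source shows where a BLOCK limit
    can sit without hurting real users."""
    peaks = defaultdict(int)
    for _, ip, count in _window_counts(requests):
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)


def build_sample_traffic():
    """Constructed traffic: one flood source and two ordinary clients."""
    reqs = [(1000 + i * 0.75, "203.0.113.50") for i in range(80)]   # 80 requests in one minute
    reqs += [(900 + i * 60, "198.51.100.10") for i in range(10)]    # one request a minute
    reqs += [(950 + i * 120, "198.51.100.11") for i in range(5)]    # one every two minutes
    reqs.sort()
    return reqs


if __name__ == "__main__":
    traffic = build_sample_traffic()
    limit = 50  # constructed; real rate-based rule limits are much higher
    print("peak requests per window:", peak_rates(traffic))
    counted = evaluate_rate_rule(traffic, limit, "COUNT")
    print("COUNT mode, matched requests per IP:", matched_clients(counted))
    blocked = [d for d in evaluate_rate_rule(traffic, limit, "BLOCK") if not d[3]]
    print("BLOCK mode would reject", len(blocked), "requests")
```

Reading the COUNT-mode report next to `peak_rates` is the baselining the slide refers to: if only the flood source appears and every ordinary client peaks well under the limit, the same rule can be promoted to BLOCK; if ordinary clients also appear, the limit is too low or the rule needs a narrower scope (a URL or geo condition, as the next bullet suggests).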
Build a highly scalable, secure, well-monitored, DDoS-protected application.
Build a DDoS-protected application
AWS WAF
• Flexible Rule Language (RegEx, Rate based rules, Geo IP, etc.)
• Security Automations
• Fast Rule Propagation (20 sec for ALB, 50 sec for Edge)
• Self Service API
• Managed Rules marketplace
• WAF Partners
Use AWS WAF to quickly block Layer 7 attacks
Build a DDoS-protected application
AWS Shield Advanced
• Advanced mitigations like SYN throttle
• Traffic engineering for large DDoS attacks
• Custom defined L3/4 mitigations
• 24x7 access to the DDoS Response Team for more complex cases
• Advise / Implement WAF mitigations / re-architecture
• Availability SLA of services
• Low latency protections
• AWS WAF included at no additional cost
• Cost Protection of Resource scaling
Use AWS Shield Advanced for effective incident response
Best Practices for DDoS Resiliency
1. Use Globally Distributed services like Amazon CloudFront and Amazon Route 53
2. Handle fluctuations in demand with Elastic Load Balancer
3. Prepare to scale compute to maintain availability
4. Use Security Groups and Network ACLs with a Virtual Private Cloud (VPC)
5. Enable CloudWatch for metrics that matter to you
6. Enable Service Logs for Deeper Analysis
7. Enable AWS WAF for baselining layer 7 traffic
8. Enable Shield Advanced for advanced anomaly detection
9. Use AWS WAF to quickly block Layer 7 attacks
10. Use AWS Shield Advanced for effective incident response
Best Practices for DDoS Resiliency
Read the whitepaper: AWS Best Practices for DDoS Resiliency
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
Demo
Thank You!
Questions?