雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)

©2018, AmazonWebServices, Inc. or its affiliates. All rights reserved.
Retro Kuo
Cloud Support Engineer, Amazon Web Services
Cloud-Native DDoS Attack Mitigation

Three Pillars: Cloud Native
DDoS Mitigation
Protecting Diverse Use
Cases
What to Expect From This Session
Demos to Learn How-tos

SYN/ACK Flood | UDP Flood | ReflectionTransport
Ping of Death | ICMP Flood | TeardropNetwork
Data Link
Physical
Operated & Protected by AWS
Presentation
Application
Session
HTTP Flood, App exploits, SQL Injection, Bots, Crawlers,
SSL Abuse, Malformed SSL
Types of Threats

Bad BotsDDoS Application Attacks
Application
Layer
Network/
Transport
Layer
Types of Threats (Cont.)
UDP floods
SYN floods
Slowloris
SSL abuse
UDP reflection
HTTP floods Content scrapers
Scanners & probes
Crawlers
SQL injection
Application exploits

Evolution of DDoS Mitigation
On-Premises Cloud-NativeCloud-Routed

On-Premises Mitigation Approach
• Scale network and fixed
infrastructure to mitigate DDoS
and WAF attacks on-site
• Visibility and control
• Large capital expenditures,
maintenance costs, and in-house
expertise

Cloud-Routed Mitigation Approach
• Route traffic to other networks for
better mitigation capacity,
managed services
• Mitigate larger attacks without
upfront investment or in-house
expertise
• Black box solution – can introduce
latency, additional points of failure,
increased operating costs

Cloud-Native Mitigation Approach
• Automatic, always-on DDoS and WAF
protection for all applications on AWS
• Leverage 18 AWS Geographic Regions, 1
Local Region, 108 Edge Locations and 11
Regional Caches to mitigate large attacks
close to the source
• Simple, flexible, and affordable, with
visibility into attacks and their
remediations

Three Pillars: Cloud Native DDoS Mitigation
Built-in Protection
for Everyone
Optional Advanced
DDoS Protection
Tools for Customized
Protections

Built-in Protection for Everyone
• Automatic defense against the most common
network and transport layer DDoS attacks for
any AWS resource, in any AWS Region
• Comprehensive defense against all known
network and transport layer attacks when
using Amazon CloudFront and Amazon Route
53
• SYN floods, UDP floods, reflection attacks,
and other common attack vectors
AWS Shield Standard

Built-in Protection for Everyone (Cont.)
Amazon Route 53 Amazon CloudFront
• DNS header validations
• Good vs. Bad resolvers
• Priority based traffic shaping
• Inline inspection & SYN proxy protection
• Protection against slow reads (Slowloris)
• Only accepts valid HTTP/TCP packets
• Safeguards against SSL abuse
Globally Distributed Attack Mitigation Across 100+ Edge Locations

Built-in Protection for Everyone (Cont.)
For attacks on Amazon CloudFront and Amazon Route 53
99% of Network & Transport layer attacks detected by AWS Shield
are mitigated in less than 1 second

A True Story
Challenges
• On-premises resources were being
attacked and application availability was
impacted
• In urgent need of getting services back
to normal
corporate data center
DDoS
Local
ISP

Demo
Let Us See How We Mitigated This Attack

A True Story (Cont.)
Benefits
• Caching disabled - CloudFront simply
forwards HTTP requests/responses
from/to viewers
• HTTP headers, cookies, and query string
parameters are visible to the application
• Network and transport layer attacks
were mitigated at edges - Only clean
traffic was sent to their on-premises
corporate data center
DDoS
Local
ISPAmazon
CloudFront

Tools for Customized
Protections

Tools for Customized Protections – Amazon VPC
Choosing an
address range
Setting up subnets
in Availability Zones
Creating a route
to the Internet
Authorizing traffic
to/from the VPC
VPC Security Groups
Availability Zone security group

Tools for Customized Protections – AWS WAF
Fast Incident
Response
Managed
Rules
APIs for
Automation
Flexible Rule
Language
AWS WAF
Designed to help you defend against common web application exploits

Tools for Customized Protections – AWS WAF (Cont.)
Managed Rules for AWS WAF
Rules Written &
Managed by Security
Experts
Choice of Protections for
Range of Threats from
Multiple Security Vendors
Rules Automatically
Updated based on
Emerging Threats
Pay-as-you-go Pricing;
No long-term
Commitment; No
Professional Service

Tools for Customized Protections – AWS WAF (Cont.)
Managed Rules for AWS WAF: Featured Sellers

DDoS Bad BotsApplication Attacks
Application
Layer
Network/
Transport
Layer
AWSWAFAWS
ShieldStandard
Types of Threats
UDP floods
SYN floods
Slowloris
SSL abuse
UDP reflection
HTTP floods Content scrapers
Scanners & probes
Crawlers
SQL injection
Application exploits

Optional Advanced
DDoS Protection

Advanced Protection
• Additional protection against large and
sophisticated attacks
• Fast escalation to the AWS DDoS Response
Team (DRT) to assist with complex edge cases
• Attack visibility and enhanced detection
• Cost protection to mitigate economic attack
vectors
• AWS WAF for application-layer defense, at no
additional cost
AWS Shield Advanced

Another True Story
Challenges
An extremely large DDoS attack
against an Application Load Balancer
caused huge impact on not only this
customer’s application but also other
customers’ in the region
Massive
DDoS
virtual private cloud
AWS cloud
AWS WAF
AWS
Shield
Advanced

Demo
Let Us See How We Helped This Customer with
Migrating to Cloud-Native DDoS Mitigation

Best Practice Architecture
Am azon
Route 53
ALB Security G roup
Am azon
EC2
Instances
Application
Load Balancer
Am azon
CloudFront
Public Subnet
W eb Application
Security G roup
Private Subnet
Users
AW S W AF
DDoS
AW S W AF
AW S
Shield Advanced
• Mitigates complex attacks by
allowing only the most reliable
DNS queries
• Validates DNS
• Managed WAF rules from
security vendors
• Provides flexible rule
language to block or rate-
limit malicious requests
• Add multi-layer protection
to increase efficiency
• Managed DDoS
protection with
Shield Advanced
• Protects against
large and
sophisticated
attacks
• Access to the
24x7 DDoS
Response Team
• Automatic built-in DDoS protection
• Globally distributed attack mitigation capability
• SYN proxy feature that verifies three-way handshake
before passing to the application
• Slowloris mitigation that reaps long-lived collections

Effective Against:
• HTTP Floods
• Bad Bots
• Suspicious IPs
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP
Effective Against:
• SYN Floods
• Reflection Attacks
• Suspicious Sources
Defence in Depth
Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detect-
ion
Internet
Internet-
Layer
Mitigations
DDoS
Effective Against:
• Large-scale
attacks
Effective Against:
• Sophisticated
Layer 7 attacks
DDoS
Response
Team

What’s Next
• Enable caching on specific paths/objects to accelerate content delivery
• Request an Amazon Certificate Manager (ACM) certificate or import your own
SSL certificate and use it with Amazon CloudFront
• Configure Amazon CloudWatch to send notifications when attacks are being
detected
• For custom applications, enable AWS Shield Advanced on Elastic IP addresses
• Leverage Lambda@Edge to customize content
…and so much more

Thank you!

雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie 雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)

Ähnlich wie 雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200) (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)