Edge Immersion Days Module 2 - Protect your application at the edge using AWS WAF & Shield Advanced
1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF & Shield Advanced
Protect your application at the Edge
2.
Threat landscape
3.
Types of threats
Layers: Application | Presentation | Session | Transport | Network
DDoS: HTTP Flood | Malformed HTTP | SYN/ACK Flood | Slowloris | SSL Abuse | Ping of Death | ICMP Flood | Teardrop | reflections | UDP floods
Web Application Attacks: App exploits | CVEs | XSS | SQLi | RFI
Bad Bots: Bots | Scrapers | Crawlers
4.
Trends of DDoS attacks
Chart: Largest DDoS Attacks (Gbps) by year, 2007 to 2018; labelled: Memcached Attacks, Mirai Attacks
5.
Cloud native protection
6.
Pillars of perimeter protection
PREPARE: Build a DDoS resilient application on AWS
MONITOR: Be aware of threat environment and application health
RESPOND: Engage response team
7.
Cloud native protection
Built-in protection: Always-on | Automatic | Distributed
Protection tools: Easy to use | Customizable | APIs
AWS scale | Experts support
8.
Built-in protection for everyone
AWS Shield Standard: Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
Available to ALL AWS customers at no additional cost
9.
Daily DDoS attacks mitigated by AWS
10.
Protection tools
11.
DDoS resilient architecture
Diagram labels: Users | DDoS Attack | Route 53 | CloudFront | AWS WAF | API Gateway | S3 | CloudWatch | Application Load Balancer | ALB Security Group | Public Subnet | EC2 Instances | Web Application Security Group | Private Subnet
12.
API Acceleration - Slack
• Slack hosts its API behind an ALB, serving JSON files with more than 10B requests/week. They were looking for DDoS protection.
• Slack selected CloudFront for its reliability, flexibility and AWS integration.
Average response time decreased to 200ms from 480ms
13.
AWS WAF & Shield Advanced
14.
AWS WAF
Managed layer 7 inspection and mitigation tool, monitors HTTP/S requests and protects web applications from malicious activities
Custom Rules | Security Automation | Managed Rules
15.
AWS WAF benefits
AWS WAF
Easy to deploy
Fast incident response
Affordable
Full API support
Managed service
16.
Custom rules
1. Define conditions: IP Match, Geo-IP, String Match, Regex Match, SQLi,
XSS, Size Constraints
2. Define rules: Regular or rate based
3. Add to Web Access Control Lists: Order & action (Block, Allow, Count)
4. Attach to AWS Resource: CloudFront, ALB
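An added example (not from the original deck and not AWS code): a Python model of steps 1 to 3 above, showing how rule order and the Block, Allow and Count actions interact, including a rate-based rule. The first-match behaviour of Allow/Block, the non-terminating Count, the default action, the 300-second window, and every name and sample address are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed model, not AWS code; sample IPs are RFC 5737 ranges. Step 1: conditions.
def ip_match(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r["ip"]) in n for n in nets)
def regex_match(field, pattern):
    rx = re.compile(pattern, re.I)
    return lambda r: bool(rx.search(r.get(field, "")))
def size_over(field, limit):
    return lambda r: len(r.get(field, "")) > limit

class Rule:
    """Step 2: matches when ALL conditions match; with `limit` set it is rate based."""
    def __init__(self, name, conditions, limit=None, window=300):
        self.name, self.conditions = name, conditions
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def matches(self, req, now):
        if not all(cond(req) for cond in self.conditions):
            return False
        if self.limit is None:
            return True
        q = self.hits[req["ip"]]          # timestamps of matching requests per source IP
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                   # forget requests older than the window
        return len(q) > self.limit

class WebACL:
    """Step 3: ordered (rule, action) pairs; Allow/Block stop evaluation, Count does not."""
    def __init__(self, rules, default="ALLOW"):
        self.rules, self.default = rules, default
    def evaluate(self, req, now=0.0):
        counted = []                      # rules that matched with action COUNT
        for rule, action in self.rules:
            if rule.matches(req, now):
                if action != "COUNT":
                    return action, rule.name, counted
                counted.append(rule.name)
        return self.default, None, counted

def demo_acl():
    return WebACL([
        (Rule("blocked-ips", [ip_match("203.0.113.0/24")]), "BLOCK"),
        (Rule("big-query", [size_over("query", 64)]), "COUNT"),
        (Rule("login-flood", [regex_match("uri", r"^/login")], limit=3), "BLOCK"),
    ])
```

Running a new rule with the Count action first, as `big-query` does here, shows what it would match before it is switched to Block.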
17.
Seller managed rules
Rules managed by experts
Choice of 6 partners
Pay as you go
Easy to deploy
automatic updates
18.
Security automations
Honeypot for bad bots
CloudFront
Log parsing
Reputation
19.
WAF automation - eVitamins
• A global online retailer of health and beauty products. They were looking to solve DDoS, Bots & Crawlers security challenges.
• eVitamins selected AWS WAF for its protection, automation and ease of use.
20.
AWS Firewall Manager
• Central management for Security profile
• Automated policy enforcement across accounts & applications
• WAF rule sets
21.
Additional detection & monitoring
Advanced protection
Visibility into attack detection & mitigation
AWS WAF & FM at no additional cost
24X7 DDoS Response Team
Cost protection (absorb scaling costs)
AWS Shield Advanced
22.
CloudWatch metrics for Shield Advanced
Metrics:
• DDoSDetected
• DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond
Dimensions:
• UDPTraffic, DNSReflection, SYNFlood, RequestFlood…
23.
Improving DDoS response time
Diagram labels: Customer account | AWS managed capabilities | AWS Shield | Engagement Lambda | DRT notification topic | SoC Engineer | Shield Advanced | IoT button | DRT | Support
24.
Cloud native protection in a nutshell
Diagram labels: Internet | attacks | AWS Shield | AWS WAF | AWS services | Customer infrastructure
Layers: Application | Presentation | Session | Transport | Network
Threats: Web Application Attacks | DDoS | Bad Bots
Pillars: PREPARE | MONITOR | RESPOND
Tools: CloudWatch | CloudFront | Access logs | DDoS Response Team | Security Automation
25.
To learn more about Perimeter protection on AWS
DDoS Resiliency Whitepaper
AWS re:Invent 2017: Automating DDoS Response in the Cloud (SID324)
AWS re:Invent 2017: NEW LAUNCH! Introduction to Managed Rules for AWS WAF (SID217)
Best Practices for DDoS Mitigation on AWS
Advanced Techniques for Securing Your Web Applications with AWS WAF and AWS Shield
26.
Appendixes
27.
Evolution of WAF & DDoS mitigation
On-Premise | Cloud-Routed | Cloud-Native
28.
WebACL example
A WebACL contains: Rule (Allow, Count, Block) | Rate-Based Rule (Count, Block) | Managed Rules (No override, Override to count)
Match Conditions: SQL injection | Cross-site scripting | Size constraint | IP addresses | String and Regex | Geo match