SlideShare a Scribd company logo

DDoS Protection

Amazon Web Services
Amazon Web Services

Understand AWS best practices for Distributed Denial of Service (DDoS) resiliency and how AWS Shield can assist you to protect your business. Uncover how this tool safeguards web applications running on AWS, and how always-on detection and automatic inline mitigations minimize application downtime and latency.

Related slideshows

DDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS ShieldDDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS Shield
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
1 of 52
© 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. DDoS Protection Craig Lawton, AWS Solutions Architect 30th August 2017 AWS Shield
What to expect from this session  What is DDoS?  Challenge/Impact customers face mitigating DDoS attacks  AWS approach to DDoS Protection  Introducing AWS Shield, a managed DDoS protection service  Getting Started
What is DDoS? Distributed Denial Of Service
Denial of Service The act of making a network service unusable or unavailable usually by overloading the server or the network
Who Get’s Attacked and Why Source: Arbor Networks, Inc. 2016 WISR Report
Types of DDoS attacks Volumetric DDoS attacks Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks) 1 2 3 4 5 6 7
Types of DDoS attacks State-exhaustion DDoS attacks Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood) 1 2 3 4 5 6 7
Types of DDoS attacks Application-layer DDoS attacks Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods) 1 2 3 4 5 6 7
DDoS attack trends Volumetric State exhaustion Application layer 73% Volumetric 18% State exhaustion 16% Application layer
Impact of mitigating DDoS attacks
Attack Duration: varies by service provider Source: Arbor Networks, Inc. 2016 WISR Report Source: Imperva DDoS Threat Landscape Report 2015-2016
Traditional approach mitigating DDoS attacks Difficult to enable Complex set-up Provision bandwidth capacity Operator involvement to initiate mitigation
Traditional approach mitigating DDoS attacks Traffic re-routing = Increased latency for users Traditional Datacenter
Challenges in mitigating DDoS attacks Expensive to use Or already paid ransom demand
Impact of DDoS Attacks Source: Arbor Networks, Inc. 2016 WISR Report
Impact of DDoS Attacks Source: Arbor Networks, Inc. 2016 WISR Report
AWS approach to DDoS protection
At AWS, our goal has always been to … Remove undifferentiated heavy lifting Automatically protected against common attacks Ensure availability AWS services are highly available
AWS Shield AWS Integration DDoS protection without infrastructure changes Affordable Don’t force unnecessary trade-offs between cost and availability Flexible Customize protections for your applications Always-On Detection and Mitigation Minimize impact on application latency Four key pillars…
AWS Shield Standard Protection Advanced Protection Available to ALL AWS customers at No Additional Cost Paid service that provides additional protections, features and benefits.
AWS Shield Standard Layer 3/4 protection  Automatic detection & mitigation  Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)  Built into AWS services Layer 7 protection  AWS WAF for Layer 7 DDoS attack mitigation  Self-service & pay-as-you-go
DDoS protections built into AWS  Protection against most common infrastructure attacks  SYN/ACK Floods, UDP Floods, Refection attacks etc.  No additional cost DDoS mitigation systems DDoS Attack Users Amazon CloudFront Amazon Route 53 Classic Load Balancer Traditional D/C
AWS Shield Advanced Application Load Balancer (Select Regions only) Elastic Load Balancer (Select Regions only) Amazon CloudFront (All Regions) Amazon Route 53 (All Regions) Available today on …
AWS Shield Advanced Always-on monitoring & detection Advanced L3/4 & L7 DDoS protection Attack notification and reporting 24x7 access to DDoS Response Team AWS bill protection
Behind the Scenes
Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview DDoS Response Team
Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • Any Large-Scale Attack (>xxxGpbs) DDoS Response Team
Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Scale:
Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Shunt:
Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Tarpit:
Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Tarpit:
Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • SYN Floods • Reflection Attacks • Suspicious Sources DDoS Response Team
Network-Layer Mitigation – Edge Services CloudFrontDDoS attack Users BlackWatch DDoS mitigation API Gateway Route 53 Edge Location
Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • SSL Attacks • Slowloris • Malformed HTTP • HTTP Floods DDoS Response Team
Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • HTTP Floods • BadBots • Suspicious IPs DDoS Response Team
Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • Application-Layer • Custom Protocol Attacks DDoS Response Team
Customer categories for AWS WAF Ready-to-use Protection  SQLi  XSS  3rd Party Reputation Lists  HTTP Flood Protection Customizable Protection  Flexible Rules Engine  Size Constraint Rules, Body Inspection, String Match  100K Entry Blacklists  ~1 Min Updates  Lambda Based Protection  Open Source GitHub Repository Solution Builder Protections https://aws.amazon.com/waf/preconfiguredrules/
AWS WAF – Layer 7 application protection Three modes of operation Self-service Engage DDoS experts Proactive DRT engagement
DDoS Detection Shield Standard Aggs Aggs Aggs Aggs Pin Agg DB Top Talker API Evalu ators
Customer A Customer B DDoS Detection Shield Advanced Aggs Aggs Aggs Aggs Pin Agg DB Top Talker API Evalu ators
DDoS Response Team Mitigation CloudFrontDDoS attack Users BlackWatch DDoS mitigation API Gateway Route 53 Edge Location AWS WAF DDoS Response Team Int Internal Tools
Attack notification and reporting Attack monitoring and detection • Real-time notification of attacks via Amazon CloudWatch • Near real-time metrics and packet captures for attack forensics • Historical attack reports
Infrastructure Security – Pattern 1 Web /App https://www.example.com AWS Edge Locations Production VPC - Sydney Development VPC - Sydney ELB Web /App RDS Master RDS Standby Web /App ELB Web /App RDS Master RDS Standby Development Account >< Production Account AWS WAF Amazon Route 53 Amazon CloudFront AWS Shield Advanced
Pattern 2 DR Region >< Primary Region CloudFront Edge Cache CloudFront Regional Cache Route 53 Failover Autoscaling EC2 - NGINX w/ ModSecurity Autoscaling EC2 - NGINX w/ ModSecurity CloudFront Regional Cache WorkloadWorkload AWS WAF AWS Shield Advanced AWS Edge Locations
• No commitment • No additional cost AWS DDoS Shield: Pricing • 1 year subscription commitment • Monthly base fee: $3,000 • Data transfer fees Data Transfer Price ($ per GB) CloudFront ELB First 100 TB $0.025 0.050 Next 400 TB $0.020 0.040 Next 500 TB $0.015 0.030 Next 4 PB $0.010 Contact Us Above 5 PB Contact Us Contact Us Standard Protection Advanced Protection
How to Get Started
How to get started
Notification and Reporting
For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS. AWS DDoS Shield: How to choose For additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24X7 access to DDoS experts for complex cases. Standard Protection Advanced Protection
You get it automatically AWS Shield: Getting started Enable via the AWS Console Standard Protection Advanced Protection
Resources DDoS White paper http://bit.ly/DDoSWP AWS WAF Automation http://bit.ly/AWSWAF AWS Shield FAQ http://bit.ly/AWSShield
© 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. Thank you!

More Related Content

DDoS Protection

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. DDoS Protection Craig Lawton, AWS Solutions Architect 30th August 2017 AWS Shield
  • 2. What to expect from this session  What is DDoS?  Challenge/Impact customers face mitigating DDoS attacks  AWS approach to DDoS Protection  Introducing AWS Shield, a managed DDoS protection service  Getting Started
  • 3. What is DDoS? Distributed Denial Of Service
  • 4. Denial of Service The act of making a network service unusable or unavailable usually by overloading the server or the network
  • 5. Who Get’s Attacked and Why Source: Arbor Networks, Inc. 2016 WISR Report
  • 6. Types of DDoS attacks Volumetric DDoS attacks Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks) 1 2 3 4 5 6 7
  • 7. Types of DDoS attacks State-exhaustion DDoS attacks Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood) 1 2 3 4 5 6 7
  • 8. Types of DDoS attacks Application-layer DDoS attacks Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods) 1 2 3 4 5 6 7
  • 9. DDoS attack trends Volumetric State exhaustion Application layer 73% Volumetric 18% State exhaustion 16% Application layer
  • 10. Impact of mitigating DDoS attacks
  • 11. Attack Duration: varies by service provider Source: Arbor Networks, Inc. 2016 WISR Report Source: Imperva DDoS Threat Landscape Report 2015-2016
  • 12. Traditional approach mitigating DDoS attacks Difficult to enable Complex set-up Provision bandwidth capacity Operator involvement to initiate mitigation
  • 13. Traditional approach mitigating DDoS attacks Traffic re-routing = Increased latency for users Traditional Datacenter
  • 14. Challenges in mitigating DDoS attacks Expensive to use Or already paid ransom demand
  • 15. Impact of DDoS Attacks Source: Arbor Networks, Inc. 2016 WISR Report
  • 16. Impact of DDoS Attacks Source: Arbor Networks, Inc. 2016 WISR Report
  • 17. AWS approach to DDoS protection
  • 18. At AWS, our goal has always been to … Remove undifferentiated heavy lifting Automatically protected against common attacks Ensure availability AWS services are highly available
  • 19. AWS Shield AWS Integration DDoS protection without infrastructure changes Affordable Don’t force unnecessary trade-offs between cost and availability Flexible Customize protections for your applications Always-On Detection and Mitigation Minimize impact on application latency Four key pillars…
  • 20. AWS Shield Standard Protection Advanced Protection Available to ALL AWS customers at No Additional Cost Paid service that provides additional protections, features and benefits.
  • 21. AWS Shield Standard Layer 3/4 protection  Automatic detection & mitigation  Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)  Built into AWS services Layer 7 protection  AWS WAF for Layer 7 DDoS attack mitigation  Self-service & pay-as-you-go
  • 22. DDoS protections built into AWS  Protection against most common infrastructure attacks  SYN/ACK Floods, UDP Floods, Refection attacks etc.  No additional cost DDoS mitigation systems DDoS Attack Users Amazon CloudFront Amazon Route 53 Classic Load Balancer Traditional D/C
  • 23. AWS Shield Advanced Application Load Balancer (Select Regions only) Elastic Load Balancer (Select Regions only) Amazon CloudFront (All Regions) Amazon Route 53 (All Regions) Available today on …
  • 24. AWS Shield Advanced Always-on monitoring & detection Advanced L3/4 & L7 DDoS protection Attack notification and reporting 24x7 access to DDoS Response Team AWS bill protection
  • 26. Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview DDoS Response Team
  • 27. Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • Any Large-Scale Attack (>xxxGpbs) DDoS Response Team
  • 28. Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Scale:
  • 29. Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Shunt:
  • 30. Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Tarpit:
  • 31. Internet-Layer Mitigation ISP ISP ISP ISP ISP Tier 1 Transit Tier 1 Transit AWS edge Location AWS edge Location Tier 1 Transit DDoSer Tarpit:
  • 32. Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • SYN Floods • Reflection Attacks • Suspicious Sources DDoS Response Team
  • 33. Network-Layer Mitigation – Edge Services CloudFrontDDoS attack Users BlackWatch DDoS mitigation API Gateway Route 53 Edge Location
  • 34. Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • SSL Attacks • Slowloris • Malformed HTTP • HTTP Floods DDoS Response Team
  • 35. Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • HTTP Floods • BadBots • Suspicious IPs DDoS Response Team
  • 36. Border Network Network Layer Mitigations AWS Services Web Layer Mitigations Customer Infrastructure DDoS Detection Internet Internet- Layer MitigationsDDoSer Systems Overview Effective Against: • Application-Layer • Custom Protocol Attacks DDoS Response Team
  • 37. Customer categories for AWS WAF Ready-to-use Protection  SQLi  XSS  3rd Party Reputation Lists  HTTP Flood Protection Customizable Protection  Flexible Rules Engine  Size Constraint Rules, Body Inspection, String Match  100K Entry Blacklists  ~1 Min Updates  Lambda Based Protection  Open Source GitHub Repository Solution Builder Protections https://aws.amazon.com/waf/preconfiguredrules/
  • 38. AWS WAF – Layer 7 application protection Three modes of operation Self-service Engage DDoS experts Proactive DRT engagement
  • 39. DDoS Detection Shield Standard Aggs Aggs Aggs Aggs Pin Agg DB Top Talker API Evalu ators
  • 40. Customer A Customer B DDoS Detection Shield Advanced Aggs Aggs Aggs Aggs Pin Agg DB Top Talker API Evalu ators
  • 41. DDoS Response Team Mitigation CloudFrontDDoS attack Users BlackWatch DDoS mitigation API Gateway Route 53 Edge Location AWS WAF DDoS Response Team Int Internal Tools
  • 42. Attack notification and reporting Attack monitoring and detection • Real-time notification of attacks via Amazon CloudWatch • Near real-time metrics and packet captures for attack forensics • Historical attack reports
  • 43. Infrastructure Security – Pattern 1 Web /App https://www.example.com AWS Edge Locations Production VPC - Sydney Development VPC - Sydney ELB Web /App RDS Master RDS Standby Web /App ELB Web /App RDS Master RDS Standby Development Account >< Production Account AWS WAF Amazon Route 53 Amazon CloudFront AWS Shield Advanced
  • 44. Pattern 2 DR Region >< Primary Region CloudFront Edge Cache CloudFront Regional Cache Route 53 Failover Autoscaling EC2 - NGINX w/ ModSecurity Autoscaling EC2 - NGINX w/ ModSecurity CloudFront Regional Cache WorkloadWorkload AWS WAF AWS Shield Advanced AWS Edge Locations
  • 45. • No commitment • No additional cost AWS DDoS Shield: Pricing • 1 year subscription commitment • Monthly base fee: $3,000 • Data transfer fees Data Transfer Price ($ per GB) CloudFront ELB First 100 TB $0.025 0.050 Next 400 TB $0.020 0.040 Next 500 TB $0.015 0.030 Next 4 PB $0.010 Contact Us Above 5 PB Contact Us Contact Us Standard Protection Advanced Protection
  • 46. How to Get Started
  • 47. How to get started
  • 49. For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS. AWS DDoS Shield: How to choose For additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24X7 access to DDoS experts for complex cases. Standard Protection Advanced Protection
  • 50. You get it automatically AWS Shield: Getting started Enable via the AWS Console Standard Protection Advanced Protection
  • 51. Resources DDoS White paper http://bit.ly/DDoSWP AWS WAF Automation http://bit.ly/AWSWAF AWS Shield FAQ http://bit.ly/AWSShield
  • 52. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved. Thank you!