© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF & Shield Advanced
Protect your application at the Edge
Threat landscape
Types of threats (by OSI layer)
- DDoS, network and transport layers: Ping of Death | ICMP Flood | Teardrop | reflections | UDP floods
- DDoS, transport, session and presentation layers: SYN/ACK Flood | Slowloris | SSL Abuse
- DDoS, application layer: HTTP Flood | Malformed HTTP
- Web Application Attacks, application layer: App exploits | CVEs | XSS | SQLi | RFI
- Bad Bots, application layer: Bots | Scrapers | Crawlers
Trends of DDoS attacks
[Chart: largest reported DDoS attacks per year, 2007 to 2018, in Gbps (y-axis 0 to 1600); callouts mark the Mirai attacks and the Memcached reflection attacks]
Cloud native protection
Pillars of perimeter protection
- PREPARE: build a DDoS resilient application on AWS
- MONITOR: be aware of the threat environment and of application health
- RESPOND: engage the response team
Cloud native protection
- Built-in protection: always-on, automatic, distributed, AWS scale
- Protection tools: easy to use, customizable, APIs, expert support
Built-in protection for everyone
AWS Shield Standard: automatic defense against the most common network and transport layer DDoS attacks, for any AWS resource in any AWS Region. Available to ALL AWS customers at no additional cost.
Daily DDoS attacks mitigated by AWS
Protection tools
DDoS resilient architecture
[Diagram: users and a DDoS attack arrive from the Internet at Route 53 and CloudFront, with AWS WAF attached at the edge; CloudFront fronts an Application Load Balancer in a public subnet (ALB security group), API Gateway and S3; EC2 instances in a private subnet (web application security group) sit behind the ALB; CloudWatch monitors the stack]
API Acceleration - Slack
• Slack hosts its API behind an ALB, serving JSON files at more than 10B requests/week. They were looking for DDoS protection.
• Slack selected CloudFront for its reliability, flexibility and AWS integration. Average response time decreased to 200ms from 480ms.
AWS WAF & Shield Advanced
AWS WAF
Managed layer 7 inspection and mitigation tool that monitors HTTP/S requests and protects web applications from malicious activity.
Custom Rules | Managed Rules | Security Automation
AWS WAF benefits: easy to deploy, fast incident response, affordable, full API support, managed service
Custom rules
1. Define conditions: IP Match, Geo-IP, String Match, Regex Match, SQLi, XSS, Size Constraints
2. Define rules: regular (all conditions must match) or rate based (conditions plus a per-IP request rate)
3. Add rules to a Web ACL: set their order and action (Block, Allow, Count), plus the Web ACL default action
4. Attach the Web ACL to an AWS resource: CloudFront, ALB
Seller managed rules: rules managed by experts; choice of 6 partners; pay as you go; easy to deploy; automatic updates
Security automations: honeypot for bad bots; CloudFront log parsing; IP reputation lists
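The deck names the "honeypot" and "CloudFront log parsing" automations without showing what they compute. The following is an added example, not code from the AWS deck or from the AWS WAF Security Automations solution: it parses CloudFront standard (W3C) access logs using the `#Fields:` header, marks any client that requests a hidden honeypot path as a bad bot, flags floods with a sliding five-minute window, and shapes the result as IPSet INSERT updates. The honeypot prefix `/trap/`, the threshold of 100 requests per window, the 2018-era field list and every log line are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field list of a 2018-era CloudFront standard (W3C) access log; real logs are tab-separated
# and URL-encode values such as the user agent. Assumed for this example.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status "
          "cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
          "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken").split()

HONEYPOT_PREFIX = "/trap/"   # assumed hidden path: linked invisibly, disallowed in robots.txt
RATE_THRESHOLD = 100         # requests per IP per window; chosen for this constructed sample
WINDOW = timedelta(minutes=5)


def make_line(ts, ip, uri, status=200, ua="Mozilla/5.0"):
    """Build one constructed log line in the FIELDS column order."""
    cols = [ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), "IAD79-C1", "1024", ip, "GET",
            "d111.cloudfront.net", uri, str(status), "-", ua, "-", "-", "Hit", "req-id",
            "www.example.com", "https", "300", "0.002"]
    return "\t".join(cols)


def build_sample_log():
    """Constructed sample: one visitor, one honeypot-tripping scraper, one flood, one slow crawler."""
    base = datetime(2018, 6, 1, 10, 0, 0)
    lines = ["#Version: 1.0", "#Fields: " + " ".join(FIELDS)]
    for i in range(3):                       # ordinary visitor: three page views
        lines.append(make_line(base + timedelta(minutes=i), "203.0.113.7", "/index.html"))
    lines.append(make_line(base + timedelta(seconds=5), "198.51.100.9",   # scraper follows the trap link
                           "/trap/prices.csv", 200, "python-requests/2.19"))
    for i in range(150):                     # HTTP flood: 150 requests in 150 seconds
        lines.append(make_line(base + timedelta(seconds=i), "192.0.2.50", "/api/search"))
    for i in range(120):                     # steady crawler: one request every 30 s for an hour
        lines.append(make_line(base + timedelta(seconds=30 * i), "192.0.2.51", "/catalog"))
    return "\n".join(lines) + "\n"


def parse_cloudfront_log(text):
    """Yield one dict per request, naming the columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split("\t")
        if fields is None or len(values) != len(fields):
            continue                         # skip malformed lines instead of crashing the job
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_bad_clients(records, threshold=RATE_THRESHOLD, window=WINDOW):
    """Return {ip: reason}. A honeypot hit is conclusive; a flood is more than `threshold`
    requests inside any trailing `window`, so a slow crawler never trips it."""
    verdicts = {}
    recent = defaultdict(deque)              # per-IP timestamps still inside the window
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip = rec["c-ip"]
        if rec["cs-uri-stem"].startswith(HONEYPOT_PREFIX):
            verdicts[ip] = "honeypot"        # outranks an earlier "rate" verdict
            continue
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in verdicts:
            verdicts[ip] = "rate"
    return verdicts


def ip_set_updates(verdicts):
    """Shape the verdicts as IPSet INSERT updates (one /32 per address) for UpdateIPSet."""
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": ip + "/32"}}
            for ip in sorted(verdicts)]


if __name__ == "__main__":
    bad = find_bad_clients(parse_cloudfront_log(build_sample_log()))
    for ip, why in sorted(bad.items()):
        print(f"{ip:16} {why}")
    print(ip_set_updates(bad))
```

On the sample the scraper is flagged for the honeypot hit and the 150-request burst for its rate, while the crawler that sends one request every 30 seconds never holds more than 11 requests inside any five-minute window and is left alone; a fixed per-hour count would have caught it. In a real deployment the updates go to the WAF UpdateIPSet call (with a change token) on a schedule from the log bucket, and the honeypot verdict should keep precedence over the rate verdict so a bot that slows down is not un-blocked.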
WAF automation - eVitamins
• A global online retailer of health and beauty products. They were looking to solve DDoS, bot and crawler security challenges.
• eVitamins selected AWS WAF for its protection, automation and ease of use.
AWS Firewall Manager
• Central management of the security profile
• Automated policy enforcement across accounts & applications
• WAF rule sets
AWS Shield Advanced: Advanced Protection
- Additional detection & monitoring
- Visibility into attack detection & mitigation
- AWS WAF & Firewall Manager at no additional cost
- 24x7 DDoS Response Team
- Cost protection (absorbs scaling costs)
CloudWatch metrics for Shield Advanced (namespace AWS/DDoSProtection)
Metrics:
• DDoSDetected
• DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond
Dimensions:
• ResourceArn (the protected resource)
• AttackVector, with values such as UDPTraffic, DNSReflection, SYNFlood, RequestFlood…
Improving DDoS response time
[Diagram: in the customer account, an SoC engineer presses an IoT button that invokes an engagement Lambda, which publishes to the DRT notification topic; on the AWS managed side, Shield Advanced, the DRT and Support pick up the engagement]
Cloud native protection in a nutshell
[Diagram: attacks arrive from the Internet; AWS Shield absorbs DDoS across the network, transport, session, presentation and application layers; AWS WAF stops web application attacks and bad bots at the application layer; AWS services and customer infrastructure sit behind both. The pillars map to PREPARE, MONITOR (CloudWatch, CloudFront access logs) and RESPOND (DDoS Response Team, Security Automation)]
To learn more about Perimeter protection on AWS
DDoS Resiliency Whitepaper
AWS re:Invent 2017: Automating DDoS Response in the Cloud (SID324)
AWS re:Invent 2017: NEW LAUNCH! Introduction to Managed Rules for AWS WAF (SID217)
Best Practices for DDoS Mitigation on AWS
Advanced Techniques for Securing Your Web Applications
with AWS WAF and AWS Shield
Appendixes
Evolution of WAF & DDoS mitigation
On-Premise Cloud-Routed Cloud-Native
WebACL example
[Diagram: two WebACLs, each an ordered list of rules; every rule carries an action and is built from match conditions]
- Match conditions: SQL injection, Cross-site scripting, Size constraint, IP addresses, String and Regex, Geo match
- Rule: Allow, Count, Block
- Rate-Based Rule: Count, Block (no Allow)
- Managed Rules: No override, or Override to count
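Neither the "Custom rules" slide nor this appendix shows what the rule order and the three actions do to a request, which is where most WebACL mistakes are made. The following is an added example, not code from the AWS deck and not the service's own implementation: a small in-memory model of WAF classic evaluation in which rules run in order, the first ALLOW or BLOCK match decides the request, a COUNT match only increments a counter and evaluation continues, and a rate-based rule trips once an IP exceeds its limit inside a trailing five-minute window. The SQLi and XSS predicates are simplified regex stand-ins for the service's detectors, the rate limit of 5 is far below the service's minimum, the country code `XX` is a placeholder, and all requests are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"

# ---- match conditions: each returns a predicate (request dict) -> bool ----
def ip_match(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)

def geo_match(*countries):
    return lambda req: req.get("country") in countries

def size_constraint(field, max_bytes):
    return lambda req: len(req.get(field, "").encode()) > max_bytes

def regex_match(field, pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda req: rx.search(req.get(field, "")) is not None

def sqli_match(field):   # simplified stand-in; the service's SQLi detector is not public
    return regex_match(field, r"\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$")

def xss_match(field):    # simplified stand-in for the XSS detector, same caveat
    return regex_match(field, r"<\s*script\b|\bon\w+\s*=|javascript:")


class Rule:
    # Regular rule: every predicate must match. Rate-based rule: additionally `rate_limit`
    # requests from one IP inside the trailing window (toy limit; the service enforces a
    # much larger minimum).
    def __init__(self, name, action, predicates, rate_limit=None, window=timedelta(minutes=5)):
        self.name, self.action, self.predicates = name, action, predicates
        self.rate_limit, self.window = rate_limit, window
        self._seen = defaultdict(deque)

    def matches(self, req):
        if not all(p(req) for p in self.predicates):
            return False
        if self.rate_limit is None:
            return True
        q = self._seen[req["ip"]]            # only requests that reach this rule are counted
        q.append(req["ts"])
        while q and req["ts"] - q[0] > self.window:
            q.popleft()
        return len(q) >= self.rate_limit


class WebACL:
    def __init__(self, rules, default_action=ALLOW):
        self.rules, self.default_action = rules, default_action
        self.counts = defaultdict(int)       # per-rule match counters (what COUNT is for)

    def evaluate(self, req):
        """Rules run in list order: the first ALLOW or BLOCK match decides; a COUNT match is
        recorded and evaluation continues; with no deciding match the default applies."""
        for rule in self.rules:
            if rule.matches(req):
                self.counts[rule.name] += 1
                if rule.action in (ALLOW, BLOCK):
                    return rule.action, rule.name
        return self.default_action, "default"


def build_example_acl():
    return WebACL([
        Rule("allow-office", ALLOW, [ip_match("203.0.113.0/24")]),
        Rule("count-big-bodies", COUNT, [size_constraint("body", 8192)]),  # observe before blocking
        Rule("block-sqli", BLOCK, [sqli_match("query")]),
        Rule("block-xss", BLOCK, [xss_match("body")]),
        Rule("block-embargo", BLOCK, [geo_match("XX")]),                   # XX: placeholder code
        Rule("rate-login", BLOCK, [regex_match("uri", r"^/login$")], rate_limit=5),
    ], default_action=ALLOW)


def run_scenario():
    """Constructed requests exercising rule order, COUNT fall-through and the rate-based rule."""
    acl = build_example_acl()
    t0 = datetime(2018, 6, 1, 10, 0, 0)

    def req(ip, uri="/", query="", body="", country="US", secs=0):
        return {"ip": ip, "uri": uri, "query": query, "body": body,
                "country": country, "ts": t0 + timedelta(seconds=secs)}

    r = {}
    # SQLi from the office range is still ALLOWed: the allow rule sits first and terminates
    r["office-sqli"] = acl.evaluate(req("203.0.113.9", "/search", query="q=' OR '1'='1"))
    r["sqli"] = acl.evaluate(req("198.51.100.1", "/search", query="q=1 UNION SELECT pw FROM users"))
    r["xss"] = acl.evaluate(req("198.51.100.2", "/comment", body="<script>alert(1)</script>"))
    r["big-body"] = acl.evaluate(req("198.51.100.3", "/upload", body="A" * 9000))  # COUNT only
    r["embargo"] = acl.evaluate(req("198.51.100.4", "/", country="XX"))
    r["login"] = [acl.evaluate(req("198.51.100.5", "/login", secs=i)) for i in range(6)]
    return acl, r


if __name__ == "__main__":
    acl, results = run_scenario()
    for name, outcome in results.items():
        print(name, outcome)
    print(dict(acl.counts))
```

Two behaviours are worth checking in your own WebACL before trusting it: an ALLOW rule placed early terminates evaluation, so the office-range SQLi above is never inspected by the SQLi rule (put allow-lists after the attack rules, or scope them narrowly), and a COUNT rule never decides anything, which is exactly why it is the safe first action for a new condition such as the size constraint here. The rate-based rule only sees requests that reach it, so rules in front of it change what it counts.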
Edge immersion days module 2 - protect your application at the edge using aws waf & shield advanced
