DDoS Mitigation in Cloud with AWS Shield – and More
Dave Walker, Specialist Solutions Architect, Security and Compliance
30/01/17
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• "DDoS 101"
• Challenges in DDoS Mitigation
• The AWS Approach
• AWS Shield
• EC2 Systems Manager
• AWS Organizations
• AWS Cloud Directory
DDoS 101
What is DDoS? Distributed Denial of Service
Types of DDoS attacks
• Volumetric DDoS attacks: congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
• State-exhaustion DDoS attacks: abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
• Application-layer DDoS attacks: use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
DDoS attack trends
(Pie chart: 65% Volumetric, 18% State exhaustion, 18% Application layer)
• Volumetric: SSDP reflection attacks are very common. Reflection attacks have clear signatures, but can consume available bandwidth.
• Volumetric: other common volumetric attacks are NTP reflection, DNS reflection, Chargen reflection and SNMP reflection.
• State exhaustion: SYN floods can look like real connection attempts, and on average they are larger in volume. They can prevent real users from establishing connections.
• Application layer: DNS query floods are real DNS requests. These can continue for hours and exhaust the available resources of the DNS server.
• Application layer: other common application layer attacks are HTTP GET flood and Slowloris.
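The three families above differ in what a detector has to count: reflection attacks are judged by the volume arriving from a reflecting service, SYN floods by handshakes that never complete, and application-layer floods by the rate of otherwise well-formed requests. The following is an added example, not code from the AWS deck, that labels constructed per-packet flow records with those families; the record field names, the thresholds and the sample traffic are assumptions made for this illustration.

```python
"""Added example (not from the AWS deck): label constructed flow records with the three
DDoS families the slides describe. Field names, thresholds and the sample traffic are
assumptions made for this example; a real detector would take them from flow telemetry."""
from collections import Counter, defaultdict

# UDP source ports of the reflection services named on the slides
REFLECTION_PORTS = {1900: "SSDP", 123: "NTP", 53: "DNS", 19: "Chargen", 161: "SNMP"}

def make_sample_flows():
    """Constructed traffic for one 1-second window: one source per attack plus two
    legitimate clients. Each record is one packet seen at the network edge."""
    flows = []
    # SSDP reflection: large unsolicited replies from many reflectors (port 1900)
    flows += [dict(src=f"198.51.100.{i}", sport=1900, dport=40000 + i, proto="udp",
                   flags="", bytes=1400) for i in range(40)]
    # SYN flood: bare SYNs from one source that never completes a handshake
    flows += [dict(src="203.0.113.9", sport=50000 + i, dport=443, proto="tcp",
                   flags="S", bytes=60) for i in range(200)]
    # HTTP GET flood: well-formed requests, abusive only by their rate
    flows += [dict(src="203.0.113.77", sport=51000 + i, dport=80, proto="tcp",
                   flags="PA", bytes=300) for i in range(150)]
    # Legitimate client: handshake, then two requests
    flows += [dict(src="192.0.2.5", sport=52000, dport=80, proto="tcp", flags=f, bytes=b)
              for f, b in (("S", 60), ("A", 52), ("PA", 310), ("PA", 290))]
    # Legitimate DNS answer from a resolver: small, so not an amplified reflection
    flows.append(dict(src="192.0.2.53", sport=53, dport=53001, proto="udp", flags="", bytes=120))
    return flows

def detect(flows, reflect_bytes_limit=20_000, syn_limit=50, http_limit=100, dns_limit=200):
    """Aggregate per source and return (findings, family_counts).

    findings: (family, subject, evidence) tuples, one per detected attack.
    family_counts: packets attributed to each family, the breakdown the trend slide shows.
    Limits are per window; the constructed window is one second."""
    stats, reflector_of = defaultdict(Counter), {}
    for f in flows:
        s = stats[f["src"]]
        if f["proto"] == "udp" and f["sport"] in REFLECTION_PORTS and f["bytes"] >= 512:
            s["reflect_bytes"] += f["bytes"]           # amplified reply nobody asked for
            s["reflect_pkts"] += 1
            reflector_of[f["src"]] = REFLECTION_PORTS[f["sport"]]
        elif f["proto"] == "udp" and f["dport"] == 53:
            s["dns_queries"] += 1                       # real query; abusive only by rate
        elif f["proto"] == "tcp" and f["flags"] == "S":
            s["syn"] += 1
        elif f["proto"] == "tcp" and "A" in f["flags"]:
            s["ack"] += 1                               # any ACK proves a handshake completed
            if f["dport"] == 80 and "P" in f["flags"]:
                s["http"] += 1
    findings, counts = [], Counter()
    # Reflection is judged per reflecting service: each reflector sends a little, the sum is large
    by_service = defaultdict(Counter)
    for src, svc in reflector_of.items():
        by_service[svc]["bytes"] += stats[src]["reflect_bytes"]
        by_service[svc]["pkts"] += stats[src]["reflect_pkts"]
    for svc, agg in by_service.items():
        if agg["bytes"] >= reflect_bytes_limit:
            findings.append(("volumetric", f"{svc} reflection", f"{agg['bytes']} bytes"))
            counts["volumetric"] += agg["pkts"]
    for src, s in stats.items():
        if s["syn"] >= syn_limit and s["ack"] == 0:
            findings.append(("state_exhaustion", src, f"{s['syn']} SYNs, no ACK"))
            counts["state_exhaustion"] += s["syn"]
        if s["http"] >= http_limit:
            findings.append(("application_layer", src, f"{s['http']} HTTP requests"))
            counts["application_layer"] += s["http"]
        if s["dns_queries"] >= dns_limit:
            findings.append(("application_layer", src, f"{s['dns_queries']} DNS queries"))
            counts["application_layer"] += s["dns_queries"]
    return findings, counts

if __name__ == "__main__":
    for family, subject, evidence in detect(make_sample_flows())[0]:
        print(f"{family:17} {subject:20} {evidence}")
```

The per-source aggregation is what separates the SYN flood from the legitimate client: both send a SYN, but only the legitimate source ever follows it with an ACK. Reflection is totalled per service rather than per reflector because each reflector contributes little on its own.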
Challenges in mitigating DDoS attacks
• Difficult to enable: complex set-up; bandwidth capacity must be provisioned; application re-architecture
• Manual involvement (traditional datacenter): operator involvement to initiate mitigation; re-route traffic via a distant scrubbing location; increased time to mitigate
• Traffic re-routing = increased latency for users (traditional datacenter)
• Expensive to use
AWS approach to DDoS protection
At AWS, our goal has always been to …
• Remove undifferentiated heavy-lifting
• Ensure availability: automatically protected against common attacks; AWS services are highly available
DDoS protections built into AWS
• Integrated into the AWS global infrastructure
• Always-on, fast mitigation without external routing
• Redundant Internet connectivity in AWS data centers
✓ Protection against most common infrastructure attacks: SYN/ACK floods, UDP floods, reflection attacks etc.
✓ No additional cost
(Diagram: DDoS attack → AWS DDoS mitigation systems → users)
Customers keep asking …
• Does AWS protect me from application layer attacks?
• What about large DDoS attacks?
• Does AWS protect me from DDoS attacks?
• How can I get visibility when I get attacked?
• I want to talk to DDoS experts.
• Scaling for DDoS attacks is expensive.
AWS Shield: A Managed DDoS Protection Service
• Standard Protection: available to ALL AWS customers at no additional cost
• Advanced Protection: paid service that provides additional protections, features and benefits
AWS Shield: Four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Always-On Detection and Mitigation: minimize impact on application latency
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
AWS Shield Standard
Layer 3/4 protection
✓ Automatic detection & mitigation
✓ Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.)
✓ Built into AWS services
Layer 7 protection
✓ AWS WAF for Layer 7 DDoS attack mitigation
✓ Self-service & pay-as-you-go
Better protection than ever for your applications running on AWS
• Improved mitigations using proprietary BlackWatch systems
• Additional mitigation capacity
• Commitment to continuously improve detection and mitigation
• Still at no additional cost
AWS Shield Advanced: Managed DDoS Protection
Available today on …
• Application Load Balancer
• Classic Load Balancer
• Amazon CloudFront
• Amazon Route 53
Available today in …
• US East (N. Virginia), us-east-1
• US West (Oregon), us-west-2
• EU (Ireland), eu-west-1
• Asia Pacific (Tokyo), ap-northeast-1
AWS Shield Advanced: Announcing AWS WAF for Application Load Balancer
(Diagram: valid users and attackers both reach the Application Load Balancer through AWS WAF, which blocks the attackers)
AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• 24x7 access to DDoS Response Team
• Attack notification and reporting
• AWS bill protection
Always-on monitoring and detection
• Network flow monitoring
• Application traffic monitoring
• Signature based detection
• Heuristics-based anomaly detection: detects anomalies based on attributes such as source IP, source ASN, traffic levels and validated sources
• Baselining: continuously baselining normal traffic patterns, including HTTP requests per second, source IP address, URLs and User-Agents
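To show what baselining those four attributes looks like in practice, here is an added example that is not code from the AWS deck or from Shield itself. It learns normal requests per second and how concentrated source IPs, URLs and User-Agents usually are from a learning window, then flags seconds whose rate is far above the baseline and reports which attributes collapsed onto a few values. The combined-format log lines, the thresholds (four standard deviations, twice the normal concentration) and the fixed 60-second learning window are assumptions for this example; a production system re-baselines continuously rather than once.

```python
"""Added example (not from the AWS deck): a baselining detector for the attributes the
slide lists. It learns normal requests/second and how concentrated source IPs, URLs and
User-Agents usually are, then flags seconds whose rate is far above baseline and reports
which attributes collapsed onto a few values. The log lines, thresholds and fixed
learning window are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Apache/nginx combined log format; the named groups are the attributes being baselined
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')
ATTRS = ("ip", "path", "ua")

def parse(line):
    """Parsed request dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"second": int(ts.timestamp()), "ip": m["ip"], "path": m["path"], "ua": m["ua"]}

def bucket_by_second(lines):
    """Requests grouped per wall-clock second, in time order; unparseable lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        r = parse(line)
        if r:
            buckets[r["second"]].append(r)
    return [buckets[s] for s in sorted(buckets)]

def top_share(bucket, key):
    """Fraction of the bucket's requests that carry its single most common value of key."""
    return Counter(r[key] for r in bucket).most_common(1)[0][1] / len(bucket)

def build_baseline(buckets):
    """Normal requests/second (mean, std) and normal concentration of each attribute."""
    rates = [len(b) for b in buckets]
    return {"rps_mean": mean(rates), "rps_std": pstdev(rates),
            "concentration": {k: mean(top_share(b, k) for b in buckets) for k in ATTRS}}

def detect_anomalies(buckets, baseline, sigmas=4.0, conc_factor=2.0):
    """Seconds whose rate exceeds mean + sigmas*std, with the attributes whose top-value
    share is at least conc_factor times its baseline (a flood tends to come from few
    sources, hit few URLs and use one User-Agent)."""
    limit = baseline["rps_mean"] + sigmas * baseline["rps_std"]
    findings = []
    for b in buckets:
        if len(b) <= limit:
            continue
        shares = {k: top_share(b, k) for k in ATTRS}
        concentrated = {k: round(v, 2) for k, v in shares.items()
                        if v >= conc_factor * baseline["concentration"][k]}
        findings.append({"second": b[0]["second"], "rps": len(b), "limit": round(limit, 1),
                         "concentrated": concentrated})
    return findings

def analyse(lines, learn_seconds=60):
    """Baseline on the first learn_seconds buckets, then scan every bucket."""
    buckets = bucket_by_second(lines)
    baseline = build_baseline(buckets[:learn_seconds])
    return baseline, detect_anomalies(buckets, baseline)

def make_sample_log():
    """Constructed log: 60 s of varied normal traffic (8-12 req/s, 50 clients, 4 URLs,
    3 browsers) followed by 10 s of a GET flood from three sources on one URL."""
    t0 = datetime(2017, 1, 30, 9, 0, 0, tzinfo=timezone.utc)
    paths = ["/", "/products", "/about", "/cart"]
    uas = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (Android)"]
    lines = []
    def emit(sec, ip, path, ua):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"')
    for sec in range(60):
        for i in range(8 + sec % 5):
            emit(sec, f"192.0.2.{(sec * 10 + i) % 50}", paths[(sec + i) % 4], uas[i % 3])
    for sec in range(60, 70):
        for i in range(200):
            emit(sec, f"203.0.113.{i % 3}", "/login", "python-requests/2.12")
    lines.append("not a log line")   # exercises the skip path in bucket_by_second
    return lines
```

Rate alone would already flag the flood seconds; the concentration check is what tells the operator which attribute to write a WAF rule against (here all three: a handful of sources, a single URL and a single User-Agent).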
Advanced DDoS protection
• Layer 3/4 infrastructure protection
• Layer 7 application protection
Layer 3/4 infrastructure protection: Advanced mitigation techniques
• Deterministic filtering
• Traffic prioritization based on scoring
• Advanced routing policies
Deterministic filtering: automatically filters malformed TCP packets
• IP checksum
• TCP valid flags
• UDP payload length
• DNS request validation
Traffic prioritization based on scoring
Low suspicion attributes:
• Normal packet or request header
• Traffic composition and volume is typical given its source
• Traffic valid for its destination
High suspicion attributes:
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected: high-suspicion packets dropped, low-suspicion packets retained
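The two mechanisms above form a pipeline: deterministic checks drop what is unambiguously malformed, and scoring decides what to shed among packets that are individually valid. The following added example, not code from the AWS deck or from Shield's BlackWatch systems, implements both stages over constructed packets: stage 1 verifies the IPv4 header checksum, rejects impossible TCP flag combinations, checks that the UDP length field matches the bytes present and that anything sent to port 53 is a query; stage 2 scores survivors on source reputation, volume relative to a typical per-source rate, protocol validity for the destination port and cache-busting query strings, then keeps the lowest-suspicion packets up to a capacity. The packet builders, the service-port table, the cache-busting heuristic, the reputation list and the capacity are all assumptions for this illustration.

```python
"""Added example, not from the AWS deck: a two-stage scrubber modelled on the slides.
Stage 1 drops malformed packets deterministically (IP checksum, TCP flags, UDP length,
DNS request sanity); stage 2 scores survivors on reputation, source volume, destination
validity and cache-busting requests, and sheds the highest-suspicion packets first when
over capacity. Packet builders, thresholds and the reputation list are constructed."""
import re, socket, struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
SERVICE_PROTO = {80: 6, 443: 6, 53: 17}           # assumed: protocol each service port expects
CACHE_BUST = re.compile(rb"GET \S*\?\S*=\d{8,}")  # assumed heuristic: long numeric query value

def src_of(pkt):
    return socket.inet_ntoa(pkt[12:16])

def ip_checksum(header):
    """RFC 1071 one's-complement sum; a header whose checksum field is correct sums to 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, l4, corrupt=False):
    """IPv4 header (no options) in front of l4; corrupt=True spoils the checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr) ^ (0x00FF if corrupt else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + l4

def tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
def udp(sport, dport, payload, length=None):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload) if length is None else length, 0) + payload
def dns(qr=0, qdcount=1, ancount=0):
    header = struct.pack("!HHHHHH", 0x1234, qr << 15, qdcount, ancount, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def valid_dns_request(msg):
    if len(msg) < 12:
        return False
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return flags >> 15 == 0 and qd == 1 and an == 0     # QR=0, one question, no answers

def deterministic_filter(pkt):
    """Stage 1: None if pkt passes the stateless checks, otherwise the drop reason."""
    if len(pkt) < 20 or ip_checksum(pkt[:20]) != 0:
        return "bad IP checksum"
    proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == 6:
        if len(l4) < 20:
            return "truncated TCP header"
        f = l4[13]
        if f == 0 or (f & SYN and f & (FIN | RST)) or (f & (FIN | PSH | URG) and not f & ACK):
            return "invalid TCP flags"
    elif proto == 17:
        if len(l4) < 8 or struct.unpack("!H", l4[4:6])[0] != len(l4):
            return "UDP length mismatch"
        if struct.unpack("!H", l4[2:4])[0] == 53 and not valid_dns_request(l4[8:]):
            return "invalid DNS request"
    return None

def suspicion_score(pkt, reputation, typical_pps, observed):
    """Stage 2: points per high-suspicion attribute named on the slides; higher is worse."""
    src, proto, l4 = src_of(pkt), pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    dport = struct.unpack("!H", l4[2:4])[0]
    score = 3 if src in reputation else 0                           # poor reputation
    score += 2 if observed[src] > 2 * typical_pps else 0            # atypical volume for source
    score += 3 if SERVICE_PROTO.get(dport, proto) != proto else 0   # invalid for destination
    score += 2 if proto == 6 and CACHE_BUST.search(l4[20:]) else 0  # cache-busting request
    return score

def prioritize(packets, capacity, reputation, typical_pps=1):
    """Filter, score, then keep the `capacity` lowest-suspicion packets (arrival order
    breaks ties). Returns (kept, [(dropped_packet, reason), ...])."""
    observed = Counter(src_of(p) for p in packets)
    kept, dropped, scored = [], [], []
    for p in packets:
        reason = deterministic_filter(p)
        if reason:
            dropped.append((p, reason))
        else:
            scored.append((suspicion_score(p, reputation, typical_pps, observed), p))
    scored.sort(key=lambda t: t[0])
    for i, (score, p) in enumerate(scored):
        if i < capacity:
            kept.append(p)
        else:
            dropped.append((p, f"over capacity, suspicion {score}"))
    return kept, dropped

def demo():
    """Constructed traffic mix scrubbed to a capacity of four; returns (kept sources, reasons)."""
    d = "192.0.2.1"
    packets = [
        ipv4("192.0.2.10", d, 6, tcp(40000, 80, SYN)),                                 # clean SYN
        ipv4("192.0.2.11", d, 6, tcp(40001, 80, PSH | ACK, b"GET / HTTP/1.1\r\n")),   # clean GET
        ipv4("192.0.2.12", d, 6, tcp(40002, 80, SYN), corrupt=True),                   # bad checksum
        ipv4("192.0.2.13", d, 6, tcp(40003, 80,
         SYN | FIN)),                                                                  # impossible flags
        ipv4("192.0.2.14", d, 17, udp(40004, 9999, b"x" * 10, length=200)),            # UDP length lies
        ipv4("192.0.2.15", d, 17, udp(40005, 53, dns(qr=1, ancount=1))),               # answer sent to :53
    ] + [ipv4("203.0.113.9", d, 6, tcp(41000 + i, 443, SYN)) for i in range(3)] + [    # 3x typical rate
        ipv4("203.0.113.5", d, 6, tcp(40006, 80, PSH | ACK, b"GET /?v=14857700001 HTTP/1.1\r\n")),
        ipv4("198.51.100.7", d, 17, udp(40007, 80, b"junk")),                          # UDP at a TCP port
        ipv4("192.0.2.53", d, 17, udp(40008, 53, dns())),                              # valid DNS query
    ]
    kept, dropped = prioritize(packets, capacity=4, reputation={"198.51.100.7"})
    return [src_of(p) for p in kept], [r for _, r in dropped]
```

With capacity for four packets, the two clean TCP packets and the valid DNS query (score 0) survive, one of the three high-rate SYNs fills the last slot, and the cache-busting request and the poorly reputed source are shed first; the four malformed packets never reach scoring at all. Scoring rather than blocking outright is what keeps a legitimate viewer who happens to share one suspicious attribute from being dropped while capacity remains.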
Advanced routing policies
• Distributed scrubbing and bandwidth capacity
• Automated routing policies to absorb large attacks
• Manual traffic engineering
Additional protections against larger and more sophisticated attacks
• Advanced routing capabilities
• Additional mitigation capacity
AWS WAF – Layer 7 application protection
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring and tuning
Three modes of operation:
1. Self-service: AWS WAF included at no additional cost
2. Engage DDoS experts: (1) you engage the AWS DDoS Response Team (DRT); (2) DRT triages the attack; (3) DRT assists you with creating AWS WAF rules
3. Proactive DRT engagement: (1) always-on monitoring engages the AWS DDoS Response Team (DRT); (2) DRT proactively triages the DDoS attack; (3) DRT creates AWS WAF rules (prior authorization required)
Attack notification and reporting
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports
(Screenshot: attack monitoring and detection)
24x7 access to DDoS Response Team
• Critical and urgent priority cases are answered quickly and routed directly to DDoS experts
• Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries
• Before attack: proactive consultation and best practice guidance
• During attack: attack mitigation
• After attack: post-mortem analysis
AWS cost protection: AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53
AWS DDoS Shield: Pricing
Standard Protection
• No commitment
• No additional cost
Advanced Protection
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees

Data Transfer Price ($ per GB)
Tier          CloudFront   ELB
First 100 TB  $0.025       $0.050
Next 400 TB   $0.020       $0.040
Next 500 TB   $0.015       $0.030
Next 4 PB     $0.010       Contact Us
Above 5 PB    Contact Us   Contact Us
AWS DDoS Shield: How to choose
• Standard Protection: for protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS
• Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases
AWS Shield: Getting started
• Standard Protection: you get it automatically
• Advanced Protection: enable via the AWS Console
Configuration Monitoring: Inside EC2 Instances (with new enhancements from re:Invent 2016!)
What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs
Getting started
Rule packages:
• CVE (common vulnerabilities and exposures)
• CIS OS-level Benchmarks
• AWS network security best practices
• AWS authentication best practices
• AWS OS security best practices
• AWS application security best practices
Prioritised findings, with detailed remediation recommendations
Amazon EC2 Systems Manager
• Announced at re:Invent 2016
• See sessions WIN401 (https://www.youtube.com/watch?v=Eal9K0aGLYI) and WIN402 (https://www.youtube.com/watch?v=L5TglwWI5Yo)
Systems Manager Capabilities (grouped into Configuration & Administration, Shared Capabilities, and Update and Track): Automation, Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager
Inventory
Inventory: What we heard
• Accurate software inventory is critical for understanding fleet configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead
Introducing Inventory
• End-to-end inventory collection (EC2 / on-premises / WorkSpaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services
Inventory – System Diagram (components): SSMAgent on EC2 Windows instances, EC2 Linux instances and on-premises instances; the EC2 Inventory SSM document applied through State Manager; the AWS SSM Service with its Inventory Store; the EC2 Console and SSM CLI/APIs; AWS Config with its console and CLI/APIs
Inventory – Getting Started
1. Configure Inventory policy
2. Apply Inventory policy
3. Query inventory
Inventory – Configuration: create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather: instance information, applications, AWS components, network configuration, Windows updates, custom inventory
Inventory – Custom Inventory Type: custom inventory collection
• Extensible: record any attribute for a given instance
• On-premise examples: rack location, BIOS version, firewall settings
Two ways to record custom inventory types:
1. Agent/on-instance: write a cron job to record custom inventory files to a predefined path
2. API: use the PutInventory API
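What the cron job in option 1 has to produce is a JSON document per custom type. The following is an added example, not code from the AWS deck or from the SSM agent, that builds such a document, validates the properties the agent relies on (a TypeName prefixed "Custom:", a SchemaVersion, and a Content list of records whose attribute values are strings) and writes it under the Linux drop directory. The document shape and the /var/lib/amazon/ssm/<instance-id>/inventory/custom/ path follow the SSM custom-inventory format; the instance id, the root directory (a temporary directory so the example runs off an instance) and the rack attributes are constructed.

```python
"""Added example (not code from the AWS deck or the SSM agent): build, validate and
write a custom inventory file of the kind the on-instance method expects. The document
shape (SchemaVersion, a TypeName prefixed 'Custom:', a Content list of string-valued
attributes) and the Linux drop directory follow the SSM custom-inventory format; the
attributes themselves (rack location, BIOS version, firewall state) are constructed."""
import json
import os
import re
import tempfile

TYPE_NAME_RE = re.compile(r"^Custom:[A-Za-z0-9_.-]+$")

def build_custom_inventory(type_name, records, schema_version="1.0"):
    """Inventory document for one custom type; one Content entry per record."""
    return {"SchemaVersion": schema_version, "TypeName": type_name, "Content": records}

def validate_custom_inventory(doc):
    """Problems that would make the agent reject the file; empty list when well-formed."""
    problems = []
    if not TYPE_NAME_RE.match(str(doc.get("TypeName", ""))):
        problems.append("TypeName must be 'Custom:' followed by a name")
    if not isinstance(doc.get("SchemaVersion"), str) or not doc["SchemaVersion"]:
        problems.append("SchemaVersion must be a non-empty string")
    content = doc.get("Content")
    if not isinstance(content, list) or not content:
        return problems + ["Content must be a non-empty list of records"]
    keys = set(content[0]) if isinstance(content[0], dict) else set()
    for i, rec in enumerate(content):
        if not isinstance(rec, dict) or set(rec) != keys:
            problems.append(f"record {i}: every record must carry the same attributes")
            continue
        for k, v in rec.items():
            if not isinstance(v, str):   # custom inventory attribute values are strings
                problems.append(f"record {i}: attribute {k!r} must be a string, not {type(v).__name__}")
    return problems

def inventory_dir(root, instance_id):
    """Directory the Linux agent scans for custom inventory (root is '/' on an instance;
    a temporary directory here so the example runs anywhere)."""
    return os.path.join(root, "var", "lib", "amazon", "ssm", instance_id, "inventory", "custom")

def write_custom_inventory(root, instance_id, doc):
    """Validate, then write <root>/.../inventory/custom/<name>.json; returns the path."""
    problems = validate_custom_inventory(doc)
    if problems:
        raise ValueError("; ".join(problems))
    target = inventory_dir(root, instance_id)
    os.makedirs(target, exist_ok=True)
    path = os.path.join(target, doc["TypeName"].split(":", 1)[1] + ".json")
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)
    return path

def demo(root=None):
    """Write a constructed rack-information record (constructed instance id) and read it back."""
    root = root or tempfile.mkdtemp()
    doc = build_custom_inventory("Custom:RackInfo", [
        {"RackLocation": "DC1-Row4-Rack12", "BiosVersion": "2.7.1", "FirewallEnabled": "true"}])
    with open(write_custom_inventory(root, "i-0123456789abcdef0", doc)) as fh:
        return json.load(fh)
```

Run from cron with the real root ("/") and the instance's own id, the script refreshes the file on every run; the agent picks it up on its next inventory collection, and the same validation applies to the Content you would pass to PutInventory in option 2.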
Inventory Manager query
• Search by inventory attribute
• Partial and inverse searches, e.g. "Windows 2012 R2 instances running SQL Server 2016 where Windows Update KB112342 is not installed"
Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes and notify
State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet
State Manager – Getting started
• Document: author your intent
• Target: instances or tag queries
• Association: binding between a document and a target
• Schedule: when to apply your association
• Status: check the state of your association at an aggregate or instance level
Creating an Association
aws ssm create-association \
    --document-name WebServerDocument \
    --document-version \$DEFAULT \
    --schedule-expression "cron(0 */30 * * * ? *)" \
    --targets "Key=tag:Name,Values=WebServer" \
    --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'
Configures all instances that match the tag query and reapplies every 30 minutes
Parameter Store
• Centrally store and find config data
• Repeatable, automatable management (e.g. SQL connection strings)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys
Parameter Store – Getting started
• Parameter: key-value pair
• Secure Strings: encrypt sensitive parameters with your own KMS key or the default account encryption key
• Reuse: in Documents, and easily referenced at runtime across EC2 Systems Manager using {{ssm:parametername}}
• Access Control: create an IAM policy to control access to specific parameters
Creating and using a parameter
aws ssm put-parameter --name mycommand --type String --value "dir C:\Users"
aws ssm send-command \
    --document-name AWS-RunPowerShellScript \
    --parameters 'commands=["echo {{ssm:mycommand}}"]' \
    --targets "Key=tag:Name,Values=WebServer"
AWS Organizations (In limited beta right now...)
What is AWS Organizations?
• A new AWS management capability
• Enables customers with multiple AWS accounts to centrally view and manage their AWS accounts
• Consolidated Billing families automatically migrated to an Organization
• Customers can programmatically create new AWS accounts
• Allows customers to create Administrative Root(s) (hierarchies) for delegated administration of different types of controls
• Allows customers to logically group AWS accounts into one or more Organizational Unit(s) (OU) to create units of management
• Hierarchically organize OUs to match business requirements
• Assign organizational control policies to organization, OU, and/or account(s)
Core concepts
• AWS account: legal and business relationship with Amazon; resource container for AWS resources such as S3 buckets; access to resources controlled on IAM principals (users, roles); smallest unit of management in AWS Organizations
• Organization: consolidated set of all AWS accounts customers want to centrally control
• Administrative root: starting point for a hierarchy of OUs
• Organizational Unit (OU): set of AWS accounts logically grouped within an organization
• Organization Control Policy (OCP): document describing controls to be applied to a selected set of accounts; different use cases have different types of OCPs
Characteristics of organizations
• The AWS account that created the organization is also the owner of the organization and its "resources" and is called the Master Account
• IAM permissions control who can manage the organization
• All organization management activity is logged in AWS CloudTrail in the Master Account
• An AWS account can only be a member of one organization
• An AWS account can be a member of multiple OUs
• Policy-based controls are managed per type (financial, security, etc.) => separation of duties
Multiple Administrative Roots
Use case: Customer has six AWS accounts and wants to centrally manage the financial and security aspects of these AWS accounts. Financially they want to organize the AWS accounts according to their cost centers, and from a security perspective they differentiate between developer, test, and production accounts.
(Diagram) Financial Administrative Root: Root → Finance OU → cost-centre OUs CC1 (accounts A1, A2, A3) and CC2 (accounts A4, A5, A6)
(Diagram) Security Administrative Root: Root → Security OU → OUs Prod (A1, A2, A3), Test (A4) and Dev (A5, A6)
(Diagram) Multi-tree support: one Root carries both the Finance and the Security tree; the same six accounts A1–A6 sit under CC1/CC2 in one tree and under Prod/Test/Dev in the other, each tree applying its own type of controls
V1
• Create and manage organization, OUs, AWS accounts
• Existing CB families automatically converted to organization
• Pre-created single Administrative Root; one-level-deep OU hierarchies
• OCP supported: Service Control – AWS service actions available for use within AWS accounts; white list or black list; necessary but not sufficient
(Diagram) Service Control: Allow EC2:*, Allow S3:* ∩ IAM permissions: Allow EC2:*, Allow SQS:* → effective permissions: Allow EC2:*
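The diagram's "necessary but not sufficient" rule is an intersection: an action succeeds in a member account only when the Service Control allows it and an IAM policy attached to the principal also allows it. The following added example, not code from the AWS deck or from AWS Organizations, is a toy evaluator for that rule over wildcard action patterns, covering both the white-list and black-list modes the slide names. Policies are simplified to lists of action patterns; real IAM and service-control evaluation also involves explicit Deny statements, resources and conditions.

```python
"""Added example (not from the AWS deck): a toy evaluator for the 'necessary but not
sufficient' rule. A principal in a member account can perform an action only when the
Service Control for that account allows it AND the principal's IAM policy allows it.
Policies are simplified to lists of action patterns; real evaluation also handles
explicit Deny, resources and conditions."""
from fnmatch import fnmatchcase

def matches(action, patterns):
    """True if action (e.g. 'ec2:RunInstances') fits any pattern such as 'ec2:*'."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def service_control_allows(action, scp):
    """scp is {'mode': 'whitelist' | 'blacklist', 'actions': [...]}: a white list permits
    only the listed actions, a black list permits everything except them."""
    listed = matches(action, scp["actions"])
    return listed if scp["mode"] == "whitelist" else not listed

def effective_allowed(action, scp, iam_allow):
    """The intersection the slide draws: both the service control and IAM must allow."""
    return service_control_allows(action, scp) and matches(action, iam_allow)

def effective_permissions(scp, iam_allow, candidate_actions):
    """Subset of candidate_actions that would actually succeed."""
    return sorted(a for a in candidate_actions if effective_allowed(a, scp, iam_allow))

# The slide's diagram: service control allows EC2:* and S3:*; IAM allows EC2:* and SQS:*
SLIDE_SCP = {"mode": "whitelist", "actions": ["ec2:*", "s3:*"]}
SLIDE_IAM = ["ec2:*", "sqs:*"]
CANDIDATES = ["ec2:RunInstances", "s3:GetObject", "sqs:SendMessage", "iam:CreateUser"]

if __name__ == "__main__":
    print(effective_permissions(SLIDE_SCP, SLIDE_IAM, CANDIDATES))  # ['ec2:RunInstances']
```

S3 is allowed by the service control but not by IAM, and SQS the other way round, so only EC2 actions survive; granting a principal SQS rights inside the account cannot widen what the organization's service control permits.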
Cloud Directory
• Announced 27/01/17
• Blog post at https://aws.amazon.com/blogs/aws/category/amazon-cloud-directory/
• API details at http://docs.aws.amazon.com/amazoncds/latest/APIReference/welcome.html
• ...
Helpful Resources
• Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
• Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
• Compliance Centre Website: https://aws.amazon.com/compliance
• Security Centre: https://aws.amazon.com/security
• Security Blog: https://blogs.aws.amazon.com/security/
• Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
• AWS Audit Training: [email protected]
Helpful Videos
• The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
• IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
• Encryption on AWS: https://youtu.be/DXqDStJ4epE
• Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
• Account Separation and Mandatory Access Control: https://youtu.be/CNSaJs7pWjA
• IoT Security Recommendations: https://www.brighttalk.com/webcast/9019/229025?utm_campaign=CampaignPage