Page 1
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
DDoS Resilience with Amazon Web Services
[email protected]
November 14, 2013
Page 2
Agenda
• Anatomy of DDoS
• Things We Do So You Don’t Have To
• Designing for Availability
• Attack Response
Page 3
DDoS Facts
• Yes, DDoS attacks are on the rise and the big ones are getting bigger
• …although those attacks average out to ~14Gbps* and target service owners ~1 per year
*source: Arbor Networks
Page 4
DDoS Facts
*source: Arbor Networks
Percentile   Max Gbps   Duration (minutes)
10           2.39       5.87
20           4.28       7.68
30           6.55       9.00
40           8.27       10.53
50           10.49      13.23
60           11.85      16.80
70           13.97      23.12
80           17.38      35.87
90           25.45      66.13
95           35.74      141.74
99           84.90      906.80
Max          299.43
Average      13.81
Page 5
DDoS Anatomy
Application Exhaustion
[diagram: an attacker sends /search.php?expensive-params requests at the service]
Page 6
DDoS Anatomy
Host Exhaustion
[diagram: several attackers saturate a single service host]
Page 7
DDoS Anatomy
Traditional Datacenter Exhaustion
[diagram: several attackers saturate the transit link of a traditional datacenter]
Page 8
DDoS Anatomy
Intermediary Exhaustion
[diagram: many attackers saturate the transit networks upstream of a traditional datacenter]
Page 9
DDoS Anatomy
• Large enough attacks consume the capacity of the application layer, host, datacenter connectivity, Internet connectivity, or intermediary networks
Page 10
How can we help you?
• Scale and Diversity of AWS
• Resilient Service Designs
• Business or Enterprise Support
Page 11
Things We Do So You Don’t Have To
Page 12
Scale
model credit:
Page 13
Scale
[diagram: a traditional datacenter and its transit link]
Page 14
Scale
[diagram: an AWS region with multiple transit links]
More Bandwidth
Page 15
Scale
[diagram: an AWS region with multiple transit links]
More Compute
Page 16
Scale
[diagram: an AWS region plus several AWS edge locations, each with its own transit]
More Points of Presence
Page 17
Scale: Attack Absorbed
[diagram: attackers' traffic is spread across the AWS region and the AWS edge locations instead of a single transit link]
Page 18
Diversity
Internet Transit and Peering
[diagram: an AWS region connected through multiple transit providers and multiple peers]
Page 21
Diversity
Amazon Route 53 Example - Anycast Striping
• Leverages Resolver Behavior
• Edge Location Diversity
• Network Path Diversity
Page 22
Delegation Set
[nated@xyz ~]$ dig NS internetkitties.com
;; QUESTION SECTION:
;internetkitties.com. IN NS
;; ANSWER SECTION:
internetkitties.com. 172800 IN NS ns-1131.awsdns-13.org.
internetkitties.com. 172800 IN NS ns-1751.awsdns-26.co.uk.
internetkitties.com. 172800 IN NS ns-340.awsdns-42.com.
internetkitties.com. 172800 IN NS ns-952.awsdns-55.net.
Page 24
Edge Location Diversity
[diagram: the four delegation-set domains awsdns-13.org., awsdns-26.co.uk., awsdns-42.com. and awsdns-55.net., each served from a different set of edge locations]
Page 29
Network Path Diversity
[traceroutes to one name server in each of the four delegation-set domains; the last line of each names the edge location reached]
[nated@xyz ~]$ traceroute ns-1131.awsdns-13.org.
traceroute to ns-1131.awsdns-13.org (205.251.196.107), 64 hops max, 52 byte packets
1 (192.168.1.1) 1.748 ms 0.830 ms 0.750 ms
2 * * *
3 cat.seattle.wa.seattle.comcast.net (68.85.255.255) 14.634 ms 12.822 ms 10.774 ms
4 ae-20-0-ar03.burien.wa.seattle.comcast.net (69.139.164.125) 31.766 ms 13.898 ms
5 ae-20-0-ar03.seattle.wa.seattle.comcast.net (69.139.164.129) 20.108 ms
6 he-1-7-0-0-11-cr01.seattle.wa.ibone.comcast.net (68.86.93.5) 18.781 ms
7 ae12.edge2.seattle3.level3.net (4.68.63.65) 34.371 ms 36.504 ms 27.301 ms
8 ae-31-51.ebr1.seattle1.level3.net (4.69.147.150) 48.557 ms 60.610 ms 56.751 ms
9 ae-7-7.ebr2.sanjose1.level3.net (4.69.132.49) 58.662 ms 46.830 ms 62.458 ms
10 ae-2-2.ebr2.sanjose5.level3.net (4.69.148.141) 60.700 ms 47.997 ms 54.477 ms
11 ae-6-6.ebr2.losangeles1.level3.net (4.69.148.201) 55.190 ms 58.829 ms 55.751 ms
12 ae-92-92.csw4.losangeles1.level3.net (4.69.137.30) 49.261 ms
13 ae-3-80.edge5.losangeles1.level3.net (4.69.144.139) 58.707 ms 53.091 ms
14 amazon.com.edge5.losangeles1.level3.net (205.129.4.26) 46.477 ms 36.525 ms 42.110 ms
15 LAX3
[nated@xyz ~]$ traceroute ns-1751.awsdns-26.co.uk.
traceroute to ns-1751.awsdns-26.co.uk (205.251.198.215), 64 hops max, 52 byte packets
1 (192.168.1.1) 1.298 ms 0.755 ms 0.694 ms
2 * * *
3 cat.seattle.wa.seattle.comcast.net (68.85.255.255) 9.254 ms 24.156 ms 19.167 ms
4 ae-20-0-ar03.seattle.wa.seattle.comcast.net (69.139.164.129) 17.281 ms 18.580 ms 17.906
5 he-1-5-0-0-11-cr01.seattle.wa.ibone.comcast.net (68.86.94.65) 20.842 ms
6 ae12.edge2.seattle3.level3.net (4.68.63.65) 38.159 ms 34.612 ms 30.382 ms
7 ae-31-51.ebr1.seattle1.level3.net (4.69.147.150) 48.510 ms 49.457 ms 49.945 ms
8 ae-7-7.ebr2.sanjose1.level3.net (4.69.132.49) 45.286 ms 43.456 ms 43.219 ms
9 ae-62-62.csw1.sanjose1.level3.net (4.69.153.18) 44.181 ms
10 ae-3-80.edge1.sanjose3.level3.net (4.69.152.144) 46.817 ms
11 4.53.208.22 (4.53.208.22) 54.634 ms 60.111 ms 44.187 ms
12 205.251.229.155 (205.251.229.155) 47.758 ms
13 205.251.230.91 (205.251.230.91) 52.714 ms 43.560 ms
14 SFO5
[nated@xyz ~]$ traceroute ns-340.awsdns-42.com.
traceroute to ns-340.awsdns-42.com (205.251.193.84), 64 hops max, 52 byte packets
1 (192.168.1.1) 2.444 ms 1.676 ms 1.028 ms
2 * * *
3 cat.seattle.wa.seattle.comcast.net (68.85.255.255) 19.842 ms 23.018 ms 26.469 ms
4 ae-20-0-ar03.seattle.wa.seattle.comcast.net (69.139.164.129) 24.366 ms 20.753 ms 29.955 ms
5 he-1-12-0-0-10-cr01.seattle.wa.ibone.comcast.net (68.86.93.173) 30.211 ms
6 ae12.edge2.seattle3.level3.net (4.68.63.65) 33.596 ms 31.948 ms 29.775 ms
7 ae-32-52.ebr2.seattle1.level3.net (4.69.147.182) 162.580 ms 167.112 ms 161.821 ms
8 ae-2-2.ebr2.denver1.level3.net (4.69.132.54) 163.723 ms 159.037 ms 174.670 ms
9 ae-3-3.ebr1.chicago2.level3.net (4.69.132.62) 169.379 ms 167.307 ms 168.454 ms
10 ae-6-6.ebr1.chicago1.level3.net (4.69.140.189) 166.002 ms 168.125 ms 164.232 ms
11 ae-2-2.ebr2.newyork2.level3.net (4.69.132.66) 167.861 ms 167.893 ms 160.681 ms
12 ae-1-100.ebr1.newyork2.level3.net (4.69.135.253) 163.919 ms 166.782 ms 161.686 ms
13 4.69.201.45 (4.69.201.45) 164.023 ms
14 ae-42-42.ebr2.london1.level3.net (4.69.137.69) 165.560 ms 160.461 ms
15 ae-46-46.ebr2.amsterdam1.level3.net (4.69.143.73) 165.627 ms
16 ae-59-224.csw2.amsterdam1.level3.net (4.69.153.214) 172.909 ms 166.052 ms
17 4.69.162.154 (4.69.162.154) 166.353 ms
18 212.72.41.162 (212.72.41.162) 171.714 ms 174.033 ms 179.219 ms
19 AMS50
[nated@xyz ~]$ traceroute ns-952.awsdns-55.net.
traceroute to ns-952.awsdns-55.net (205.251.195.184), 64 hops max, 52 byte packets
1 (192.168.1.1) 1.352 ms 0.642 ms 0.630 ms
2 * * *
3 cat.seattle.wa.seattle.comcast.net (68.85.255.255) 16.253 ms 17.221 ms 17.851 ms
4 be-1-ur08.seattle.wa.seattle.comcast.net (69.139.164.134) 13.561 ms
5 ae-1-0-ar03.seattle.wa.seattle.comcast.net (68.85.240.94) 21.009 ms
6 he-1-12-0-0-11-cr01.seattle.wa.ibone.comcast.net (68.86.93.177) 17.366 ms 19.162 ms
7 be-12-pe03.seattle.wa.ibone.comcast.net (68.86.84.106) 19.949 ms 22.968 ms 24.976 ms
8 * * *
9 * * *
10 * 65-122-235-178.dia.static.qwest.net (65.122.235.178) 40.707 ms 30.916 ms
11 205.251.225.22 (205.251.225.22) 85.275 ms
12 205.251.225.122 (205.251.225.122) 35.017 ms 38.568 ms
13 205.251.226.136 (205.251.226.136) 36.560 ms
14 SEA50
Page 30
Striping in Action
Page 35
Diversity
[diagram: an attacker's traffic lands on one AWS edge location while clients keep reaching the AWS region through the other edge locations]
Page 36
Diversity
• Amazon Route 53 - Anycast Striping
• Amazon CloudFront Edge Locations
• AWS Regions
Page 38
How can we help you?
• Amazon Route 53 and Amazon CloudFront
• Resilient Service Designs
• Business or Enterprise Support
Page 39
Designing for Resilience
Page 40
Designing for Resilience
• N+1 Failover
• Resilient Clients
• Capped Workloads
• Process Isolation
• Shuffle Sharding
Page 44
N+1 Failover
• Scale Out, Plus Redundancy
• Failure of 1/100 < Failure of 1/10
• Automatic Failover with Health Checked DNS
Page 45
N+1 Failover
[diagram: an attacker saturates one endpoint; clients are moved to the remaining healthy endpoints]
Page 47
N+1 Failover
Check out Amazon Route 53 Health Checks
Page 49
Resilient Clients
• Use multi-record RRSets
• Randomize the record on connect retry
• Popular HTTP clients already do this!
Page 50
Resilient Clients
[nated@xyz ~]$ dig www.internetkitties.com
;; QUESTION SECTION:
;www.internetkitties.com. IN A
;; ANSWER SECTION:
www.internetkitties.com. 32 IN CNAME d3g5kqnbrlf3fg.cloudfront.net.
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.69.190
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.71.141
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.71.172
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.71.233
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.240.188.66
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.68.41
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.68.212
d3g5kqnbrlf3fg.cloudfront.net. 30 IN A 54.230.69.141
Page 51
Resilient Clients
Num Time Source Destination
4 2.535515 10.61.60.17 54.230.69.141 [SYN]
5 2.736659 10.61.60.17 54.230.69.190 [SYN]
6 2.93782 10.61.60.17 54.230.71.141 [SYN]
7 3.138996 10.61.60.17 54.230.71.172 [SYN]
8 3.339767 10.61.60.17 54.230.71.233 [SYN]
9 3.540963 10.61.60.17 54.240.188.66 [SYN]
11 3.541123 10.61.60.17 54.230.68.41 [SYN]
12 3.742296 10.61.60.17 54.230.68.212 [SYN]
13 3.824502 10.61.60.17 54.230.69.190 [SYN]
14 3.824515 10.61.60.17 54.230.69.141 [SYN]
15 4.024809 10.61.60.17 54.230.71.141 [SYN]
16 4.225094 10.61.60.17 54.230.71.172 [SYN]
Browser Packet Capture
Page 52
Client Retry Behavior, SYN Timeout
Browser               OS           Rotates IPs   Time to Rotation
Chrome 30.0.1599      Windows 7    Yes           12
Internet Explorer 8   Windows 7    Yes           12
Firefox 25            Windows 7    Yes           20
Safari 5.0.5          Windows 7    Yes           20
Safari 6.0.5          OSX 10.7.5   Yes           <1
Firefox 25            OSX 10.7.5   Yes (2)       <1
Chrome 32.0.1678      OSX 10.7.5   Yes (2)       DNS TTL, or Refresh
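Added example, not from the deck: a client that does what the "Resilient Clients" bullets ask for, using every address in the RRSet and randomizing the order on retry, so one saturated endpoint costs it a single SYN timeout. The addresses are copied from the dig output above; fake_connector, the unreachable set and the seed parameter are constructed for offline use.

```python
import random
import socket

# A records copied from the deck's dig output for d3g5kqnbrlf3fg.cloudfront.net
RRSET = ["54.230.69.190", "54.230.71.141", "54.230.71.172", "54.230.71.233",
         "54.240.188.66", "54.230.68.41", "54.230.68.212", "54.230.69.141"]


def tcp_connect(addr, port, timeout):
    """Real connector: a SYN left unanswered for `timeout` seconds raises OSError."""
    return socket.create_connection((addr, port), timeout=timeout)


def connect_resilient(rrset, port, connect=tcp_connect, timeout=3.0, seed=None):
    """Shuffle the RRSet and walk it until one address accepts the connection.

    Returns (connection, address, attempts). Raises ConnectionError only after
    every record has timed out or refused, so a single endpoint saturated by an
    attack costs the client one timeout, not the whole session.
    """
    candidates = list(rrset)
    rng = random.Random(seed) if seed is not None else random
    rng.shuffle(candidates)              # spread independent clients across all records
    last_error = None
    for attempts, addr in enumerate(candidates, start=1):
        try:
            return connect(addr, port, timeout), addr, attempts
        except OSError as exc:           # socket.timeout is a subclass of OSError
            last_error = exc
    raise ConnectionError(f"all {len(candidates)} addresses failed") from last_error


def fake_connector(unreachable):
    """Hypothetical connector for offline runs: addresses in `unreachable` time out."""
    def connect(addr, port, timeout):
        if addr in unreachable:
            raise socket.timeout(f"SYN to {addr}:{port} unanswered after {timeout}s")
        return f"connected:{addr}:{port}"
    return connect


def reached(unreachable, seed):
    """Address the client ended up on for a constructed outage, or None if all failed."""
    try:
        _, addr, _ = connect_resilient(RRSET, 443, fake_connector(unreachable), seed=seed)
        return addr
    except ConnectionError:
        return None


if __name__ == "__main__":
    # Constructed scenario: seven of the eight records are under attack.
    print("reached", reached(set(RRSET[:7]), seed=1))
```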
Page 53
Resilient Clients
[diagram: an attacker saturates one service address; the client retries on another address and gets through]
Page 56
Capped Workloads
• Protect Application Layer Capacity
• Strive for Sameness
• Throttle or Sample Request Workloads
Page 57
Strive for Sameness
[diagram: every /search.php?expensive-params request, the attacker's included, is answered with the same Search_Result_Page_1]
Page 59
Capped Workloads
[diagram: capacity at each layer of a host]
Host/OS: ~500K to 5M pps
AppLayer: ~1K to ~10K rps, shared by the Auth, Core, Logging and DAL components
Throttle: ~10 to ~100K rps
Sampling: 1,000 samples / sec
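Added example, not the deck's code: a front door for the /search.php workload from the slides that caps the expensive work with a token bucket, samples what reaches the logger, and answers identical queries identically so repeats are served from cache. The rates, ManualClock and query canonicalization are my assumptions.

```python
import time


class ManualClock:
    """Hypothetical clock for demos and tests: time moves only when advanced."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class TokenBucket:
    """Caps one request class at `rate` requests/second, bursting up to `burst`."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSecondSampler:
    """Admits at most `per_second` events in any wall-clock second."""
    def __init__(self, per_second, clock=time.monotonic):
        self.per_second, self.clock = per_second, clock
        self.window, self.count = None, 0

    def take(self):
        window = int(self.clock())
        if window != self.window:
            self.window, self.count = window, 0
        if self.count < self.per_second:
            self.count += 1
            return True
        return False


class CappedSearchService:
    """Front door for /search.php: cap the expensive work, sample the logging,
    and answer identical queries identically so the cache can absorb repeats."""
    def __init__(self, expensive_rps, log_samples_per_sec, clock=time.monotonic):
        self.expensive = TokenBucket(expensive_rps, expensive_rps, clock)
        self.sampler = PerSecondSampler(log_samples_per_sec, clock)
        self.cache, self.log, self.computed = {}, [], 0

    def handle(self, query):
        key = "&".join(sorted(query.split("&")))     # canonical query: same inputs, same page
        if key not in self.cache:
            if not self.expensive.allow():
                return 429                           # over the cap: reject, never queue
            self.computed += 1
            self.cache[key] = f"Search_Result_Page[{key}]"
        if self.sampler.take():                      # logging can never starve the core path
            self.log.append(key)
        return 200
```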
Page 64
Process Isolation
• Isolate application components across
processes
• Let the OS protect critical resources
Page 65
Process Isolation
[diagram: the Auth, Core, Logging and DAL components of the application, each in its own process]
Page 68
Evolution of Resilience
[diagram sequence: two clients and the service endpoints they are assigned to, built up step by step]
N Choose M Isolation
• 2 endpoints 2 AZs = 4 permutations
• 8 endpoints 2 AZs = 64
• 8 endpoints 3 AZs = 512
Page 80
Shuffle Sharding – Amazon Route 53
• Define Availability Lattice
  • Stripes – Edge Location
  • Braids – Host Isolation
• Assign Endpoints to the Lattice
  • Virtual Name Servers
• Allocate Endpoints to Resources
  • Hosted Zone Delegate Set
Page 81
Non-Overlapping Delegation Sets
;; QUESTION SECTION:
;gray.internetkitties.com. IN NS
;; ANSWER SECTION:
ns-1131.awsdns-13.org.
ns-1751.awsdns-26.co.uk.
ns-340.awsdns-42.com.
ns-952.awsdns-55.net.
;; QUESTION SECTION:
;orange.internetkitties.org. IN NS
;; ANSWER SECTION:
ns-1140.awsdns-14.org.
ns-1773.awsdns-29.co.uk.
ns-290.awsdns-36.com.
ns-989.awsdns-59.net.
Page 82
Shuffle Sharding
[diagram: four stripes .com, .net, .co.uk and .org, each with name-server columns A B C D; gray.internetkitties.com and orange.internetkitties.org are delegated to non-overlapping cells, e.g. ns-1140.awsdns-14.org. and ns-1773.awsdns-29.co.uk. for orange]
Page 88
Shuffle Sharding Resilience
[diagram: an attacker targets the name servers delegated to gray.internetkitties.com; orange.internetkitties.org uses a non-overlapping delegation set and its client is unaffected]
Page 90
Shuffle Sharding Toolkit
• Define a Lattice of Availability
• Allocate Service Resources to the Lattice
• Assign Customers Isolated Resources
• https://github.com/awslabs/route53-infima
Page 91
Lattice Configuration
// Create a 1-D lattice with "AvailabilityZone" as the dimension
OneDimensionalLattice<HealthCheckedRecordSet> myServiceLayout =
    new OneDimensionalLattice<HealthCheckedRecordSet>("AvailabilityZone");
Page 92
Lattice Configuration
// Add endpoints in the us-west-1a Availability Zone
myServiceLayout.addEndpoint("us-west-1a",
    new HealthCheckedRecordSet("192.0.2.1"));
myServiceLayout.addEndpoint("us-west-1a",
    new HealthCheckedRecordSet("192.0.2.2"));
myServiceLayout.addEndpoint("us-west-1a",
    new HealthCheckedRecordSet("192.0.2.3"));
…
// Add endpoints in the us-west-1b Availability Zone
myServiceLayout.addEndpoint("us-west-1b",
    new HealthCheckedRecordSet("192.0.2.11"));
…
Page 94
Shuffle Shard
// Create a shuffle sharder
SimpleSignatureShuffleSharder shuffleSharder = new SimpleSignatureShuffleSharder(5353L);
Lattice shard = shuffleSharder.shuffleShard(myServiceLayout, "v123543234", 1);
Page 97
Vulcanized Lattice
// Create a shuffle sharder
SimpleSignatureShuffleSharder shuffleSharder = new SimpleSignatureShuffleSharder(5353L);
Lattice shard = shuffleSharder.shuffleShard(myServiceLayout, "v123543234", 1);
// Create a RubberTree of DNS records
Route53RubberTree rubberTree =
    new Route53RubberTree("v123543234.video.internetkitties.com", shard);
List rrsets = rubberTree.vulcanize();
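Added example, not Infima's code: a Python rendering of the "N Choose M Isolation" arithmetic and of the lattice/sharder flow shown above, so the numbers (4, 64, 512) and the per-customer shard can be checked by hand. The class names mirror the Java API, but the SHA-256 seeded sampling, shared_endpoints and the constructed 192.0.2.x layout are my assumptions.

```python
import hashlib
import math
import random
from collections import OrderedDict


class OneDimensionalLattice:
    """Endpoints arranged along one availability dimension (here: Availability Zone)."""
    def __init__(self, dimension):
        self.dimension = dimension
        self.cells = OrderedDict()               # cell value -> endpoints in that cell

    def add_endpoint(self, cell, endpoint):
        self.cells.setdefault(cell, []).append(endpoint)

    def permutations(self, per_cell=1):
        """How many distinct shards exist when `per_cell` endpoints come from every cell."""
        count = 1
        for endpoints in self.cells.values():
            count *= math.comb(len(endpoints), per_cell)
        return count


class SimpleSignatureShuffleSharder:
    """Maps an identifier to one shard of the lattice, the same shard every time."""
    def __init__(self, seed):
        self.seed = seed

    def shuffle_shard(self, lattice, identifier, per_cell=1):
        # The identifier's signature seeds a PRNG, so every host derives the same choice
        # without shared state; different seeds give different services different shardings.
        digest = hashlib.sha256(f"{self.seed}:{identifier}".encode()).digest()
        rng = random.Random(int.from_bytes(digest[:8], "big"))
        return OrderedDict((cell, rng.sample(endpoints, per_cell))
                           for cell, endpoints in lattice.cells.items())


def shared_endpoints(shard_a, shard_b):
    """Endpoints two customers' shards have in common: the only blast radius an
    attack aimed at one customer's addresses has on the other."""
    flatten = lambda shard: {e for endpoints in shard.values() for e in endpoints}
    return flatten(shard_a) & flatten(shard_b)


def example_lattice(per_zone=8, zones=("us-west-1a", "us-west-1b", "us-west-1c")):
    """Constructed layout: `per_zone` endpoints per zone, addresses in 192.0.2.0/24."""
    lattice = OneDimensionalLattice("AvailabilityZone")
    for z, zone in enumerate(zones):
        for i in range(per_zone):
            lattice.add_endpoint(zone, f"192.0.2.{z * 10 + i + 1}")
    return lattice


if __name__ == "__main__":
    lattice = example_lattice()
    sharder = SimpleSignatureShuffleSharder(5353)
    print("shards possible:", lattice.permutations())      # 512 for 8 endpoints x 3 AZs
    print("v123543234 ->", dict(sharder.shuffle_shard(lattice, "v123543234")))
```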
Page 98
Lattice Shard RRSet
[nated@xyz ~]$ dig v123543234.video.internetkitties.com
;; QUESTION SECTION:
; v123543234.video.internetkitties.com. IN A
;; ANSWER SECTION:
v123543234.video.internetkitties.com. 60 IN A 192.0.2.12
v123543234.video.internetkitties.com. 60 IN A 192.0.1.45
v123543234.video.internetkitties.com. 60 IN A 192.0.3.24
One A record per Availability Zone: us-west-1b, us-west-1a, us-west-1c
Page 101
Attack Response
• Detection
• Src-IP Blocking
• Engaging Customer Support
Page 103
Detect
• Traffic Spikes, Drops
• CPU Utilization
• Network Stats
Page 104
Detect
• Use Resilience Patterns to Access Logs
• X-Forwarded-For
• Sort and Sum
Page 107
X-Forwarded-For
• Use a trusted load balancer or proxy
• Enable logging – IIS7
• Install ‘IIS Advanced Logging’
• Configure X-Forwarded-For field
Page 108
X-Forwarded-For
Enable Logging
nginx:
# log_format is only accepted in the http context and `if` only in server or
# location blocks, so wrapping log_format in if/else does not load. A map picks
# the first field instead: X-Forwarded-For when the proxy set it, else the peer.
map $http_x_forwarded_for $client_ip {
    default $http_x_forwarded_for;
    ""      $remote_addr;
    "-"     $remote_addr;
}
log_format main '$client_ip - $remote_user [$time_local] $status '
                '"$request" $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$remote_addr" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
Page 109
X-Forwarded-For
• Use a trusted load balancer or proxy
• Enable X-Forwarded-For logging
Page 110
Sort & Sum
• Used to identify “top talkers”
[nated@xyz ~]$ grep 'expensive-param' ./access.log | awk '{print $1}' | sort | uniq -c | tail
2 10.54.4.1
3 10.63.34.1
5 10.23.97.212
1182 10.54.0.183
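Added example, not the deck's: the Sort & Sum pipeline above in Python, reading the X-Forwarded-For field the logging configuration adds and only believing it when the peer is our own load balancer. The line layout, the trusted proxy 10.0.0.10 and the log lines are constructed; naive_first_field shows what `awk '{print $1}'` alone would count.

```python
import re
from collections import Counter

# Assumed line layout: the address nginx chose as client first; the direct peer
# ($remote_addr) and the raw X-Forwarded-For value are the last two quoted fields.
LOG_RE = re.compile(
    r'^(?P<client>.+?) - (?P<user>\S+) \[(?P<time>[^\]]+)\] (?P<status>\d{3}) '
    r'"(?P<request>[^"]*)" (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<remote>\S+)" "(?P<xff>[^"]*)"$')


def real_client(remote_addr, xff, trusted_proxies):
    """Pick the address a request is attributed to.

    X-Forwarded-For is only believed when the peer is one of our load balancers,
    and then only its rightmost entry (the one the balancer appended). Entries to
    the left arrived from the client and can be forged, so summing on them would
    let a single source scatter its count across invented addresses.
    """
    if remote_addr not in trusted_proxies or xff in ("", "-"):
        return remote_addr
    return xff.split(",")[-1].strip()


def top_talkers(lines, needle, trusted_proxies, limit=10):
    """grep needle | awk '{print $1}' | sort | uniq -c, with proxy-aware attribution."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or needle not in m["request"]:
            continue
        counts[real_client(m["remote"], m["xff"], trusted_proxies)] += 1
    return counts.most_common(limit)


def naive_first_field(lines, needle):
    """What `awk '{print $1}'` sees: the logged first field, forged values included."""
    return Counter(l.split()[0] for l in lines if needle in l).most_common()


def _line(remote, xff, path):
    """One constructed access-log line; the first field mirrors the deck's nginx logic."""
    client = remote if xff == "-" else xff
    return (f'{client} - - [14/Nov/2013:10:00:01 -0800] 200 "GET {path} HTTP/1.1" 512 '
            f'"-" "Mozilla/5.0" "{remote}" "{xff}"')


EXPENSIVE = "/search.php?expensive-param=1"
TRUSTED = {"10.0.0.10"}                    # constructed: the load balancer in front of us
# Constructed sample: one source hammers the expensive query, once behind a forged
# X-Forwarded-For prefix; another bypasses the balancer and forges the header outright.
SAMPLE_LOG = (
    [_line("10.0.0.10", "10.54.0.183", EXPENSIVE)] * 4
    + [_line("10.0.0.10", "198.51.100.9, 10.54.0.183", EXPENSIVE)]
    + [_line("10.63.34.1", "-", EXPENSIVE)]
    + [_line("10.0.0.10", "10.23.97.212", "/index.html")]
    + [_line("203.0.113.7", "10.54.4.1", EXPENSIVE)]
)

if __name__ == "__main__":
    for addr, n in top_talkers(SAMPLE_LOG, "expensive-param", TRUSTED):
        print(f"{n:>6} {addr}")
```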
Page 113
Src-IP Blacklisting
• Host-Level Firewalling (IPTables)
• Web-Server Configuration (Nginx / Apache, IIS)
• VPC Network ACLs
• Web Application Firewall
Page 115
VPC Network ACLs
• Apply to a VPC subnet
• Supports DENY rules
Page 116
VPC Network ACLs
• Enter each source IP
• Set DENY
Page 118
Web Application Firewall
• Src-IP Blacklist
• HTTP Headers (X-Forwarded-For)
• URI-Based Filtering
• Advanced Throttling
Page 120
Engaging Customer Support
http://aws.amazon.com/premiumsupport/
Page 121
Summary
How can we help?
• Scale and Diversity
• Route 53 and CloudFront
• Business and Enterprise Support
Resilient Design
• Availability Lattice
• Shuffle Sharding
• N+1 Failover
• Resilient Clients
• Capped Workloads
• Process Isolation
Attack Response
• Enable X-Forwarded-For Logging
• Detect, Sum and Sort
• Src-IP Blacklist
• Engage Customer Support
Page 123
SEC305