Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DDoS-Resilient Architecture on AWS

Michael Wittig
June 09, 2015
Programming
2
320

DDoS-Resilient Architecture on AWS

What can we do if our system gets enormous amounts of traffic from the bad guys? We will look at a few attacks that are possible and what you can do against them. At then end we will have a system that looks like this: Route 53 -> CloudFront -> ELB -> Web Application Firewall (Auto Scalling) -> ELB -> Webservers (Auto Scalling) -> Protection Layer -> vulnerable legacy database

Michael Wittig

June 09, 2015
Tweet

More Decks by Michael Wittig

See All by Michael Wittig
AWS Cost Optimization 101
michaelwittig
0
61
DVC02 - Cutting-edge architectures based on AWS AppSync, Lambda, and Fargate
michaelwittig
0
82
Review: AWS Global Accelerator - AWS Meetup Stuttgart 2019
michaelwittig
0
280
Rapid Docker on AWS
michaelwittig
0
71
Serverless Workflows with AWS Step Functions
michaelwittig
0
40
Your Lambda function might execute twice. Be prepared! (ServerlessDays Zurich)
michaelwittig
0
50
Cutting-Edge Architectures Based on AppSync, Lambda, and Fargate
michaelwittig
1
470
Your Lambda function might execute twice. Be prepared!
michaelwittig
0
650
Network Security on AWS
michaelwittig
0
49

Other Decks in Programming

See All in Programming
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
330
ヤプリ新卒SREの オンボーディング
masaki12
0
130
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
最新TCAキャッチアップ
0si43
0
140
Amazon Qを使ってIaCを触ろう!
maruto
0
400
Contemporary Test Cases
maaretp
0
140
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
600
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
subpath importsで始めるモック生活
10tera
0
300
みんなでプロポーザルを書いてみた
yuriko1211
0
260
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k

Featured

See All Featured
For a Future-Friendly Web
brad_frost
175
9.4k
Six Lessons from altMBA
skipperchong
27
3.5k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Docker and Python
trallard
40
3.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
The Language of Interfaces
destraynor
154
24k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Documentation Writing (for coders)
carmenintech
65
4.4k

Transcript

  1. DDoS-­‐Resilient  Architecture  

  2. What  we  do   •  Migra8on  /  Consul8ng   • 

    Training   •  Development   •  Managed  Hos8ng  
  3. None

  4. numbers  

  5. Q1  2015   hFp://resources.arbornetworks.com/h/i/73426938-­‐atlas-­‐q1-­‐2015-­‐global-­‐ddos-­‐aFack-­‐trends  

  6. DNS  aFacks   •  DNS  Amplifica8on  AFack   – 60  bytes

     request   – 3000  bytes  response   – use  DNS  servers  to  aFack  a  vic8m   •  IP-­‐Spoofing   – Response  IP  is  changed  to  the  target  

  7. AWS cloud Internet Amazon Route 53 •  Route  53  cares

     about  all   DNS  related  aFacks  

  8. DDoS-­‐Resilient  Architecture?   protec8ng  a  web  stack  

  9. What  can  we  do?   •  Minimize  aFackable  surface  

    – Only  expose  the  minimum  set   – Decouple  asynchronously   •  Be  ready  to  scale   •  Know  your  traffic   •  Safeguard  expensive  resources  (database)   •  Have  a  plan  to  deal  with  DDoS     AWS  re:Invent  2014  |  (SEC307)  Building  a  DDoS-­‐Resilient  Architecture  with  AWS  

  10. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB Amazon Route 53 security group security group MySQL •  Security  Groups  keep   bad  traffic  from  your   instances  without  using   your  resources  

  11. HTTP  aFacks   •  HTTP  Flood   – Send  enormous  amount

     of  valid  GET  /  POST   requests   – expensive   •  Slowloris   – Send  HTTP  request  extremly  slow  to  exhaust  max   connec8ons  on  the  web  server   – cheap  

  12. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB Amazon Route 53 security group security group MySQL •  A  single  web  server  is   easy  to  aFack  

  13. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing •  ELB  terminates  SSL   •  filters  bad  HTTP  requests   •  manages  8meouts  

  14. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront •  CloudFront  returns   cached  results   •  absorbs  some  aFacks   •  geo  restric8ons  

  15. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront •  More  web  servers  can   handle  more  requests   •  Stateless  server!   •  but:    database  can‘t  scale  

  16. Alert  Logic  Web  Security  Manager   Web  Applica8on  Firewall  (WAF)

     

  17. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet WAF security group security group security group Elastic Load Balancing CloudFront •  Inspect  HTTP  traffic     •  Automated  learning   engine   •  Reject  evil  requests  early   security group Elastic Load Balancing instance

  18. Be  ready  to  scale  

  19. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront alarm •  Increasing  servers  when   traffic  goes  up  will   automa8cally  absorb   aFack  

  20. Know  your  traffic  

  21. Safeguard  expensive  resources    

  22. AWS cloud Internet virtual private cloud VPC subnet VPC subnet

    instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront alarm •  Absorbing  database   traffic  with  a  cache   •  Hystrix   VPC subnet security group cache node

  23. Have  a  plan  to  deal  with  DDoS  

  24. Michael  Wihg   tecRacer  GmbH  &  Co.  KG   [email protected]

     

  25. M A N N I N G Michael Wittig Andreas

    Wittig hFp://manning.com/wihg   Save  39%  with  code  39wihg