Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DDoS-Resilient Architecture on AWS

Michael Wittig
June 09, 2015
Programming
2
290

DDoS-Resilient Architecture on AWS

What can we do if our system gets enormous amounts of traffic from the bad guys? We will look at a few attacks that are possible and what you can do against them. At then end we will have a system that looks like this: Route 53 -> CloudFront -> ELB -> Web Application Firewall (Auto Scalling) -> ELB -> Webservers (Auto Scalling) -> Protection Layer -> vulnerable legacy database

Michael Wittig

June 09, 2015
Tweet

More Decks by Michael Wittig

See All by Michael Wittig
AWS Cost Optimization 101
michaelwittig
0
57
DVC02 - Cutting-edge architectures based on AWS AppSync, Lambda, and Fargate
michaelwittig
0
77
Review: AWS Global Accelerator - AWS Meetup Stuttgart 2019
michaelwittig
0
190
Rapid Docker on AWS
michaelwittig
0
71
Serverless Workflows with AWS Step Functions
michaelwittig
0
36
Your Lambda function might execute twice. Be prepared! (ServerlessDays Zurich)
michaelwittig
0
41
Cutting-Edge Architectures Based on AppSync, Lambda, and Fargate
michaelwittig
1
440
Your Lambda function might execute twice. Be prepared!
michaelwittig
0
600
Network Security on AWS
michaelwittig
0
46

Other Decks in Programming

See All in Programming
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
デフォルトにして至高、RubyMineの大好きな所
ruzia
0
320
雑に思考を整理する技術と効能
konifar
58
29k
今、知っておきたい! 生成AIエージェントの世界
elith
3
350
Semantic search with Django and pgvector
pauloxnet
0
240
Hanami and htmx
bkuhlmann
0
210
Tailwind CSSを本気でカスタマイズする方法
fsubal
13
5.2k
SIMD Parallel Programming with the Vector API
josepaumard
0
160
スクラムガイドのスプリントレトロスペクティブを改めて読みかえしてみた / Re-reading the Sprint Retrospective Section in the Scrum Guide
mackey0225
3
410
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
170
Anthropic Cookbook のおすすめレシピ
schroneko
7
920
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
1.2k

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
325
20k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Bash Introduction
62gerente
604
210k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Music & Morning Musume
bryan
41
5.6k
KATA
mclloyd
15
12k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Embracing the Ebb and Flow
colly
80
4.1k

Transcript

  1. DDoS-­‐Resilient  Architecture  

  2. What  we  do   •  Migra8on  /  Consul8ng   • 

    Training   •  Development   •  Managed  Hos8ng  
  3. None

  4. numbers  

  5. Q1  2015   hFp://resources.arbornetworks.com/h/i/73426938-­‐atlas-­‐q1-­‐2015-­‐global-­‐ddos-­‐aFack-­‐trends  

  6. DNS  aFacks   •  DNS  Amplifica8on  AFack   – 60  bytes

     request   – 3000  bytes  response   – use  DNS  servers  to  aFack  a  vic8m   •  IP-­‐Spoofing   – Response  IP  is  changed  to  the  target  

  7. AWS cloud Internet Amazon Route 53 •  Route  53  cares

     about  all   DNS  related  aFacks  

  8. DDoS-­‐Resilient  Architecture?   protec8ng  a  web  stack  

  9. What  can  we  do?   •  Minimize  aFackable  surface  

    – Only  expose  the  minimum  set   – Decouple  asynchronously   •  Be  ready  to  scale   •  Know  your  traffic   •  Safeguard  expensive  resources  (database)   •  Have  a  plan  to  deal  with  DDoS     AWS  re:Invent  2014  |  (SEC307)  Building  a  DDoS-­‐Resilient  Architecture  with  AWS  

  10. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB Amazon Route 53 security group security group MySQL •  Security  Groups  keep   bad  traffic  from  your   instances  without  using   your  resources  

  11. HTTP  aFacks   •  HTTP  Flood   – Send  enormous  amount

     of  valid  GET  /  POST   requests   – expensive   •  Slowloris   – Send  HTTP  request  extremly  slow  to  exhaust  max   connec8ons  on  the  web  server   – cheap  

  12. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB Amazon Route 53 security group security group MySQL •  A  single  web  server  is   easy  to  aFack  

  13. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing •  ELB  terminates  SSL   •  filters  bad  HTTP  requests   •  manages  8meouts  

  14. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront •  CloudFront  returns   cached  results   •  absorbs  some  aFacks   •  geo  restric8ons  

  15. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront •  More  web  servers  can   handle  more  requests   •  Stateless  server!   •  but:    database  can‘t  scale  

  16. Alert  Logic  Web  Security  Manager   Web  Applica8on  Firewall  (WAF)

     

  17. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet WAF security group security group security group Elastic Load Balancing CloudFront •  Inspect  HTTP  traffic     •  Automated  learning   engine   •  Reject  evil  requests  early   security group Elastic Load Balancing instance

  18. Be  ready  to  scale  

  19. AWS cloud Internet virtual private cloud Availability Zone VPC subnet

    VPC subnet instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront alarm •  Increasing  servers  when   traffic  goes  up  will   automa8cally  absorb   aFack  

  20. Know  your  traffic  

  21. Safeguard  expensive  resources    

  22. AWS cloud Internet virtual private cloud VPC subnet VPC subnet

    instance MySQL DB security group security group MySQL security group Elastic Load Balancing CloudFront alarm •  Absorbing  database   traffic  with  a  cache   •  Hystrix   VPC subnet security group cache node

  23. Have  a  plan  to  deal  with  DDoS  

  24. Michael  Wihg   tecRacer  GmbH  &  Co.  KG   [email protected]

     

  25. M A N N I N G Michael Wittig Andreas

    Wittig hFp://manning.com/wihg   Save  39%  with  code  39wihg