Using AWS WAF & Lambda for Automatic Protection
Nathan Dye, AWS WAF Software Development Manager
Gleicon Moraes, Magazine Luiza Infrastructure Manager
March 2, 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• WAF & Lambda Intro
• Security Automation
• Scripts & Templates
• Customer story
Web site without AWS WAF
[Diagram: Good users, Attackers, Web site, Exploit]
Web site with AWS WAF
[Diagram: Good users, Attackers, AWS WAF, Web site, Exploit]
What is AWS WAF?
Web application firewall (WAF) that gives you control over who (or what) can access your web applications.
• Full-feature API
• Customizable security
• Integrated with Amazon CloudFront - protection at the edge
• Use cases: protection against exploits, abuse, and application DDoS
What is AWS Lambda?
Lambda automatically runs your code without requiring you to provision servers.
• “Server-less” scripting; event driven actions
• Integrated with other AWS services
• Use cases: scheduled events, provisioning services, and customer analysis
Why build automated security?
• Bad guys are adaptive and persistent
• Better protection
• Integrate application specific or open-source data sources
• Sophisticated out of band analysis
Automated security
[Diagram: Good users, Attackers, Web site, Exploit; Logs, Threat analysis, Rule updater, Rules]
Automated security – traditional data center
[Diagram: Good users, Attackers, Web site, Exploit; Logs, Threat analysis, Rule updater, Rules]
Automated security – AWS makes it easier
[Diagram: Good users, Attackers, Web site, Exploit; Logs, Threat analysis, Rule updater, Rules]
Other AWS Services we’ll use
• Amazon CloudFront
• Amazon CloudWatch
• AWS CloudFormation
• Amazon S3
• Amazon API Gateway
Types of attacks that need automation
• HTTP floods
• Scans & probes
• IP reputation lists
• Bots & scrapers
IP reputation lists
Collection of IP addresses with a bad reputation based on sending history
• Open proxies or known hosts that send spam/trojans/viruses
• Constantly changing/updating
• Solution: import open source lists (e.g., Emerging Threats, Spamhaus, Tor node list) and update the lists using CloudWatch Events
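One way the import step of this slide can be done, as an added Python 3 example that is not code from the deck or from any AWS-published template: parse a plain-text reputation feed, normalize every entry to CIDR, diff it against what the classic AWS WAF IP set already holds, and batch the resulting UpdateIPSet entries. The feed text is constructed, the batch size and the `IPSET_ID`/`BATCH_SIZE` names in the comments are assumptions, and the boto3 calls named in the comments (`get_ip_set`, `get_change_token`, `update_ip_set`) are the classic WAF API the deck refers to.

```python
"""Added example, not from the deck: import a public IP reputation feed into a
classic AWS WAF IP set. Parse the feed, normalize to CIDR, diff against what
the IP set already holds, and batch the resulting UpdateIPSet entries.
The feed text, batch size and the IDs in the comments are assumed."""
import ipaddress

# Constructed feed text in the one-entry-per-line style of public lists
# (comments after '#' or ';', a duplicate, and one malformed entry).
SAMPLE_FEED = """\
# constructed feed, not a real reputation list
198.51.100.0/24 ; constructed-range-example
203.0.113.5
203.0.113.5          # duplicate entry
2001:db8:bad::/48
not-an-address
"""


def parse_reputation_list(text):
    """Set of ip_network objects: first token per line, comments stripped,
    hosts widened to /32 or /128, malformed entries skipped (a bad line in a
    third-party feed must not abort the whole sync)."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line.split()[0], strict=False))
        except ValueError:
            continue
    return nets


def _descriptor(net):
    return {"Type": "IPV4" if net.version == 4 else "IPV6", "Value": str(net)}


def _order(net):
    # IPv4 before IPv6; networks only compare with others of the same version.
    return (net.version, net)


def plan_updates(desired, current_descriptors):
    """Diff the feed against the IP set's current descriptors (the shape
    GetIPSet returns) and return DELETEs for stale entries followed by INSERTs
    for new ones, so the set converges on the feed instead of only growing."""
    current = {ipaddress.ip_network(d["Value"]) for d in current_descriptors}
    stale = sorted(current - desired, key=_order)
    fresh = sorted(desired - current, key=_order)
    return ([{"Action": "DELETE", "IPSetDescriptor": _descriptor(n)} for n in stale]
            + [{"Action": "INSERT", "IPSetDescriptor": _descriptor(n)} for n in fresh])


def batches(updates, size):
    """Chunk the update list; the number of updates per UpdateIPSet call is a
    service quota, so `size` is a parameter here (assumed, check the quota)."""
    return [updates[i:i + size] for i in range(0, len(updates), size)]


if __name__ == "__main__":
    # A scheduled CloudWatch Events rule would trigger this Lambda; it fetches
    # the feed over HTTPS and then (IPSET_ID and BATCH_SIZE are assumed names):
    #   waf = boto3.client("waf")
    #   current = waf.get_ip_set(IPSetId=IPSET_ID)["IPSet"]["IPSetDescriptors"]
    #   for batch in batches(plan_updates(feed, current), BATCH_SIZE):
    #       token = waf.get_change_token()["ChangeToken"]
    #       waf.update_ip_set(IPSetId=IPSET_ID, ChangeToken=token, Updates=batch)
    current = [{"Type": "IPV4", "Value": "203.0.113.5/32"},
               {"Type": "IPV4", "Value": "192.0.2.0/24"}]
    for batch in batches(plan_updates(parse_reputation_list(SAMPLE_FEED), current), 2):
        print(batch)
```

Two practitioner notes on the design: the DELETE-before-INSERT diff keeps the IP set in step with the feed, so an address that a list maintainer removes stops being blocked on the next run; and classic AWS WAF only accepts certain prefix lengths for IPv4 ranges, so a production sync should validate or split ranges against the documented limits before submitting them.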
IP reputation lists (cont’d)
IP reputation lists (cont’d)
<Example Demo>
HTTP floods
Legitimate requests at a level that excessively consumes web server resources
• Requests targeted at expensive components, e.g., login, product search, etc.
• Different from other types of flood attacks because the requests follow the protocol.
• Creates the problem of distinguishing an attack from a flash crowd.
• Solution: count the number of requests in CloudFront access logs and block offenders
HTTP floods (cont’d)
HTTP floods (cont’d)
<Example Demo>
Scans & probes
Program that communicates with the web application front end to identify potential vulnerabilities
• Initiated by you: good; initiated by someone else: bad
• Someone (something) with bad intentions
• Consumes resources by requesting URLs that don’t exist
• Solution: count 40x errors in access logs and block offenders
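The "count in the access logs and block offenders" step of both the HTTP floods slide and the scans & probes slide, as an added Python 3 example that is not code from the deck or from the AWS templates it points to. It parses CloudFront access-log text (the `#Fields:` header names the tab-separated columns), flags clients with too many requests in one time window and clients with too many 40x responses (treated here as any 4xx status), and turns each set into the Updates list the classic AWS WAF UpdateIPSet call takes. The log lines, hostname, thresholds and window are constructed; a Lambda would typically be invoked by the S3 event for each new log object, which is an assumption about deployment, not something the slides state.

```python
"""Added example, not code from the deck: scan CloudFront access logs for the
two cases the slides describe (HTTP flood = too many requests from one client
in a window; scans & probes = too many 40x errors from one client) and build
the Updates list that the classic AWS WAF UpdateIPSet call takes.
Thresholds, window, hostname and the log lines are all constructed."""
from collections import Counter
from datetime import datetime
import ipaddress


def _line(time, ip, method, path, status, size="512"):
    # Constructed CloudFront-style record, shortened to the columns used here.
    return "\t".join(["2016-03-02", time, "IAD1", size, ip, method,
                      "example.cloudfront.net", path, status])


SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
     "cs-uri-stem sc-status"]
    # 203.0.113.7 hits the login form six times in six seconds (flood)
    + [_line("12:00:0%d" % s, "203.0.113.7", "POST", "/login", "200")
       for s in range(1, 7)]
    # 198.51.100.23 keeps asking for URLs that do not exist (scan / probe)
    + [_line("12:00:02", "198.51.100.23", "GET", "/missing-1", "404"),
       _line("12:00:03", "198.51.100.23", "GET", "/missing-2", "404"),
       _line("12:00:04", "198.51.100.23", "GET", "/private", "403"),
       _line("12:00:05", "198.51.100.23", "GET", "/missing-3", "404"),
       # 192.0.2.10 is an ordinary visitor
       _line("12:00:06", "192.0.2.10", "GET", "/", "200", "2048"),
       _line("12:00:07", "192.0.2.10", "GET", "/products", "200", "1024"),
       "this line is malformed and must be skipped"])


def parse_cloudfront_log(text):
    """Parse the W3C-style CloudFront log: '#Fields:' names the tab-separated
    columns, other '#' lines are comments, rows with the wrong column count
    are dropped (a Lambda should not die on one bad line)."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            cols = line.split("\t")
            if fields and len(cols) == len(fields):
                records.append(dict(zip(fields, cols)))
    return records


def _window(rec, window_seconds):
    # Floor the record's UTC timestamp to a fixed-size bucket.
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return int((ts - datetime(1970, 1, 1)).total_seconds()) // window_seconds


def find_flooders(records, threshold, window_seconds=300):
    """HTTP flood: clients with at least `threshold` requests in one window."""
    hits = Counter((r["c-ip"], _window(r, window_seconds)) for r in records)
    return {ip for (ip, _w), n in hits.items() if n >= threshold}


def _is_client_error(status):
    try:
        return 400 <= int(status) < 500
    except ValueError:
        return False


def find_scanners(records, threshold):
    """Scans & probes: clients with at least `threshold` 40x (4xx) responses."""
    errors = Counter(r["c-ip"] for r in records if _is_client_error(r["sc-status"]))
    return {ip for ip, n in errors.items() if n >= threshold}


def ipset_updates(ips, action="INSERT"):
    """Updates list for classic WAF UpdateIPSet: one /32 (or /128) descriptor
    per host; anything that is not an IP address is dropped."""
    updates = []
    for ip in sorted(ips):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        updates.append({"Action": action, "IPSetDescriptor": {
            "Type": "IPV4" if addr.version == 4 else "IPV6",
            "Value": "%s/%d" % (addr, addr.max_prefixlen)}})
    return updates


def offenders(log_text, flood_threshold=5, error_threshold=3, window_seconds=300):
    """Both detections over one log, keyed by the slide they come from."""
    records = parse_cloudfront_log(log_text)
    return {"flood": find_flooders(records, flood_threshold, window_seconds),
            "scan": find_scanners(records, error_threshold)}


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    # The Lambda would now call waf.update_ip_set(IPSetId=..., ChangeToken=
    # waf.get_change_token()["ChangeToken"], Updates=...) for each set.
    print("flood:", ipset_updates(found["flood"]))
    print("scan:", ipset_updates(found["scan"]))
```

The window-bucketing is what separates a flood from a flash crowd at the coarsest level: a client that exceeds the threshold inside one fixed window is flagged, while the same total spread over a day is not. Thresholds need tuning per site (a product-search page has a very different legitimate rate than a login form), and since log delivery lags real time, the time it takes to process logs, which the customer story's advice slide calls out, bounds how fast this loop can react.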
Scans & probes (cont’d)
<Example Demo>
Bots & scrapers
Software applications that run automated tasks over the internet.
• Good bots (search engines, weather, price comparison) vs bad bots (scrape content, steal data, malware)
• Aggressive vs conservative days
• Constantly changing/updating
• Solution: use robots.txt and a “honeypot” file to identify & block offenders
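The robots.txt-plus-honeypot idea from this slide as an added Python 3 example, not code from the deck or from the blog post it cites: robots.txt disallows one path that no real page links to, so a well-behaved crawler never requests it; a Lambda behind Amazon API Gateway (one of the services the deck lists) serves that path, and any client that reaches it has ignored robots.txt and gets an UpdateIPSet entry. The honeypot path, the proxy-event layout, the `trusted_hops` count (how many proxies in front of the function append to X-Forwarded-For; assumed to be one here) and the sample event are assumptions or constructed values.

```python
"""Added example, not from the deck: a honeypot endpoint for the bots & scrapers
case. robots.txt tells crawlers to keep out of one path that real pages never
link to; any client that fetches it anyway ignored robots.txt, and its address
becomes an UpdateIPSet entry. Path, header layout and event are assumed."""
import ipaddress

HONEYPOT_PATH = "/keep-out-7f3a"   # assumed; pick something never linked from real pages
PENDING_UPDATES = []               # stand-in for the WAF call, see honeypot_handler


def robots_txt(honeypot_path=HONEYPOT_PATH):
    """Well-behaved crawlers read this and never request the honeypot."""
    return "User-agent: *\nDisallow: %s\n" % honeypot_path


def client_ip(event, trusted_hops=1):
    """Address of the caller for an API Gateway proxy event. With a proxy in
    front (CloudFront appends the viewer address to X-Forwarded-For) the
    trustworthy entry is the one `trusted_hops` from the END of the header;
    entries further left may have been supplied by the client itself, so the
    first entry is never used. Without the header, fall back to sourceIp."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    if len(hops) >= trusted_hops:
        candidate = hops[-trusted_hops]
    else:
        candidate = event.get("requestContext", {}).get("identity", {}).get("sourceIp", "")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def honeypot_handler(event, context=None, submit=None):
    """Lambda entry point behind API Gateway. `submit` receives the UpdateIPSet
    entry; in production it would wrap waf.update_ip_set(...), here it defaults
    to collecting into PENDING_UPDATES so the example runs offline."""
    submit = submit or PENDING_UPDATES.append
    if event.get("path") != HONEYPOT_PATH:
        return {"statusCode": 404, "headers": {}, "body": ""}
    ip = client_ip(event)
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        submit({"Action": "INSERT", "IPSetDescriptor": {
            "Type": "IPV4" if addr.version == 4 else "IPV6",
            "Value": "%s/%d" % (addr, addr.max_prefixlen)}})
    return {"statusCode": 403, "headers": {}, "body": ""}


# Constructed API Gateway proxy event: the client forged the first
# X-Forwarded-For entry; the proxy appended the real viewer address.
SAMPLE_EVENT = {
    "path": HONEYPOT_PATH,
    "httpMethod": "GET",
    "headers": {"X-Forwarded-For": "10.0.0.1, 198.51.100.77",
                "User-Agent": "constructed-scraper/1.0"},
    "requestContext": {"identity": {"sourceIp": "192.0.2.200"}},
}

if __name__ == "__main__":
    print(robots_txt())
    print(honeypot_handler(SAMPLE_EVENT), PENDING_UPDATES)
```

Two things worth checking before relying on this: the X-Forwarded-For position must match the real proxy chain in front of the function, otherwise the wrong address is blocked; and because one address can be a NAT or proxy shared with legitimate users, entries added this way should expire after some time rather than stay in the IP set forever, which keeps the "block bad bots without affecting the shopping experience" goal from the customer story intact.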
Bots & scrapers (cont’d)
Bots & scrapers (cont’d)
<Example Demo>
Customer story
Magazine Luiza
• One of the largest retail chains in Brazil
• More than 700 stores, 24K staff, & 8 distribution centers
• e-commerce platform customers use for purchases
• Moving “all in” to AWS over the past 2-3 years
• Breaking up monolithic app
Customer story (cont’d)
Challenges
• Balance security with performance & cost
• Traditional WAFs didn’t work:
  1. Inflated models – lots of rules & based on VM or hardware
  2. Couldn’t scale – constrained by bandwidth & CPU
  3. Automation meant more hardware
• Need to block bad bots (based on IP) without affecting search & shopping experience
• Have solution in place by Black Friday
Customer story (cont’d)
Previous Architecture
Customer story (cont’d)
New Architecture
Customer story (cont’d)
Milestones Before Black Friday
• September – October: confirmed new architecture and started building.
• October – new architecture ready to go
• November – started countdown and moved over all production traffic
Customer Story (cont’d)
Black Friday
• November 26: jumped from 4 – 28.9 million views/day
• November 26: all hands on deck for the last infrastructure scale.
• 12am: everyone went home, 5 people decided to sleep in our leisure room, I kept following monitoring.
• November 27: Traffic started to ramp up around 6AM and stayed high during the entire weekend.
Customer Story (cont’d)
Advice to Others
• Do analysis in house & start small
• Use the right library for the job
• Identify what needs protection
• Think about the time it takes to process logs
• Defense in Depth: simple security rules at perimeter, complex security rules closer to app
Resources
Security Blogs
• Rate-Based Blacklisting by Heitor Vital <[email protected]>
• IPs Generating Errors by Ben Potter <[email protected]>
• Blocking Bots (this month) by Vlad Vlasceanu <[email protected]>
• Importing IP Reputation Lists (this month) by Lee Atkinson
Tutorials Page
• aws.amazon.com/waf/preconfiguredrules/
Thank you!