Using AWS WAF and Lambda for Automatic Protection

Post on 16-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Nathan Dye, AWS WAF Software Development Manager
Gleicon Moraes, Magazine Luiza Infrastructure Manager
March 2, 2016

Using AWS WAF & Lambda for Automatic Protection

Agenda

• WAF & Lambda intro
• Security automation
• Scripts & templates
• Customer story

Web site without AWS WAF

[Diagram: Good users and Attackers both reach the Web site directly; the Attackers' Exploit reaches it too]

Web site with AWS WAF

[Diagram: Good users and Attackers, Web site behind AWS WAF; the Exploit is stopped at the WAF]

What is AWS WAF?

Web application firewall (WAF) that gives you control over who (or what) can access your web applications.
• Full-feature API
• Customizable security
• Integrated with Amazon CloudFront - protection at the edge
• Use cases: protection against exploits, abuse, and application DDoS

What is AWS Lambda?

Lambda automatically runs your code without requiring you to provision servers.
• “Server-less” scripting; event driven actions
• Integrated with other AWS services
• Use cases: scheduled events, provisioning services, and customer analysis

Why build automated security?

• Bad guys are adaptive and persistent
• Better protection
• Integrate application specific or open-source data sources
• Sophisticated out of band analysis

Automated security

[Diagram: Good users and Attackers reach the Web site; Logs feed Threat analysis, a Rule updater pushes Rules in front of the Web site, Exploit]

Automated security – traditional data center

[Diagram: the same loop (Logs, Threat analysis, Rule updater, Rules) in a traditional data center]

Automated security – AWS makes it easier

[Diagram: the same loop (Logs, Threat analysis, Rule updater, Rules) built from AWS services]

Other AWS Services we’ll use

• Amazon CloudFront
• Amazon CloudWatch
• AWS CloudFormation
• Amazon S3
• Amazon API Gateway

Types of attacks that need automation

• HTTP floods
• Scans & probes
• IP reputation lists
• Bots & scrapers

IP reputation lists

Collection of IP addresses with a bad reputation based on sending history
• Open proxies or known hosts that send spam/trojans/viruses
• Constantly changing/updating
• Solution: import open source lists (e.g., Emerging Threats, Spamhaus, Tor node list) and update the lists using CloudWatch events

IP reputation lists (cont’d)

<Example Demo>
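The list import the slide describes, as an added example that is not code from the talk or from AWS: it parses a constructed plain-text reputation feed (the feed contents and its line format are assumed) and diffs it against the CIDR values already in an AWS WAF IPSet, producing the INSERT/DELETE updates an UpdateIPSet call takes. The GetIPSet/UpdateIPSet calls themselves are left out so the block runs offline.

```python
import ipaddress

# Constructed sample of a plain-text reputation feed (format assumed: comments,
# blank lines, bare addresses and CIDR ranges); not a real feed download.
SAMPLE_FEED = """# constructed feed, refreshed on a schedule
198.51.100.0/24
203.0.113.7
203.0.113.7      # duplicate entry
2001:db8:1::/48
not-an-address
"""

def parse_reputation_list(text):
    """Return the set of ip_network objects in a feed, skipping comments and junk."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue            # one malformed line must not abort the refresh
    return nets

def descriptor(net):
    """IPSetDescriptor in the shape the AWS WAF (classic) UpdateIPSet API takes."""
    return {"Type": f"IPV{net.version}", "Value": str(net)}

def ipset_sync_updates(current_values, feed_nets):
    """Diff the live IPSet against the feed: DELETE ranges no longer listed,
    INSERT new ones. current_values are CIDR strings read back from GetIPSet."""
    current = {ipaddress.ip_network(v) for v in current_values}
    stale, new = current - feed_nets, feed_nets - current
    updates = [{"Action": "DELETE", "IPSetDescriptor": descriptor(n)} for n in sorted(stale, key=str)]
    updates += [{"Action": "INSERT", "IPSetDescriptor": descriptor(n)} for n in sorted(new, key=str)]
    return updates
```

A scheduled CloudWatch event would trigger a Lambda that fetches the feed, runs these two functions, and sends the resulting list as the Updates parameter of UpdateIPSet.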

HTTP floods

Legitimate requests at a level that excessively consumes web server resources
• Requests targeted at expensive components, e.g., login, product search, etc.
• Different from other types of flood attacks because the requests follow the protocol
• Creates the problem of distinguishing an attack from a flash crowd
• Solution: count the number of requests per source in CloudFront access logs and block offenders

HTTP floods (cont’d)

<Example Demo>

Scans & probes

Program that communicates with the web application front end to identify potential vulnerabilities
• Initiated by you – good; initiated by someone else – bad
• Someone (something) with bad intentions
• Consume resources by requesting URLs that don’t exist
• Solution: count 40x errors per source in access logs and block offenders

Scans & probes (cont’d)

<Example Demo>

Bots & scrapers

Software applications that run automated tasks over the internet.
• Good bots (search engines, weather, price comparison) vs bad bots (scrape content, steal data, malware)
• Aggressive vs conservative days
• Constantly changing/updating
• Solution: use robots.txt and a “honeypot” file to identify & block offenders

Bots & scrapers (cont’d)

<Example Demo>
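The three log-driven checks above (request counting for HTTP floods, 40x counting for scans & probes, and a honeypot URL for bots), as one added example that is not code from the talk: it parses constructed CloudFront-style access log lines by their #Fields header, flags each offending source by the first rule it trips, and shapes the result as AWS WAF IPSet updates. The thresholds, the honeypot path, the host name and the sample addresses (documentation ranges) are assumptions.

```python
import collections
import ipaddress
HONEYPOT_PATH = "/trap.html"   # assumed honeypot URL, listed as Disallow in robots.txt

def constructed_log():
    """Constructed CloudFront-style access log: tab-separated rows behind a #Fields header."""
    def row(ip, uri, status):
        return f"2016-03-02\t10:00:01\tIAD2\t512\t{ip}\tGET\td1.example.net\t{uri}\t{status}"
    lines = ["#Version: 1.0", "#Fields: date time x-edge-location sc-bytes "
             "c-ip cs-method cs(Host) cs-uri-stem sc-status"]
    lines += [row("203.0.113.10", "/search", 200)] * 120                      # flood of valid requests
    lines += [row("198.51.100.7", f"/admin{i}.php", 404) for i in range(30)]  # probing for URLs
    lines += [row("2001:db8::9", HONEYPOT_PATH, 200)]                          # bot ignoring robots.txt
    lines += [row("192.0.2.5", "/", 200)] * 3                                  # ordinary visitor
    return "\n".join(lines)

def parse_cloudfront_log(text):
    """Yield one dict per request; columns are mapped by the #Fields header, not hard-coded."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split("\t")
            if fields and len(values) == len(fields):   # skip malformed rows instead of crashing
                yield dict(zip(fields, values))

def find_offenders(rows, request_limit, error_limit, honeypot=HONEYPOT_PATH):
    """Return {ip: reason} for the three log-driven rules; first matching rule wins."""
    requests, errors, trapped = collections.Counter(), collections.Counter(), set()
    for row in rows:
        ip = row["c-ip"]
        requests[ip] += 1
        if row["sc-status"].startswith("4"):          # 40x errors from a scanner
            errors[ip] += 1
        if row["cs-uri-stem"] == honeypot:            # only a crawler ignoring robots.txt gets here
            trapped.add(ip)
    offenders = {}
    for ip in requests:
        reason = ("bad-bot" if ip in trapped else "http-flood" if requests[ip] > request_limit
                  else "scan-probe" if errors[ip] > error_limit else None)
        if reason:
            offenders[ip] = reason
    return offenders

def to_ipset_updates(offenders):
    """Shape offenders as the descriptors AWS WAF UpdateIPSet takes (one host route each)."""
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": f"IPV{a.version}",
                                                      "Value": f"{a}/{a.max_prefixlen}"}}
            for a in map(ipaddress.ip_address, sorted(offenders))]
```

In a Lambda triggered by the S3 log delivery, the per-period limits would be tuned against the site's real traffic so a flash crowd of distinct users does not trip the flood rule, and the honeypot rule needs no threshold at all.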

Customer story

Magazine Luiza
• One of the largest retail chains in Brazil
• More than 700 stores, 24K staff, & 8 distribution centers
• e-commerce platform customers use for purchases
• Moving “all in” to AWS over the past 2-3 years
• Breaking up monolithic app

Customer story (cont’d)

Challenges
• Balance security with performance & cost
• Traditional WAFs didn’t work:
  1. Inflated models – lots of rules & based on VM or hardware
  2. Couldn’t scale - constrained by bandwidth & CPU
  3. Automation meant more hardware
• Need to block bad bots (based on IP) without affecting search & shopping experience
• Have solution in place by Black Friday

Customer story (cont’d)

Previous Architecture

Customer story (cont’d)

New Architecture

Customer story (cont’d)

Milestones Before Black Friday
• September – October: confirmed new architecture and started building.
• October – new architecture ready to go
• November – started countdown and moved over all production traffic

Customer Story (cont’d)

Black Friday
• November 26: jumped from 4 – 28.9 million views/day
• November 26: all hands on deck for the last infrastructure scale.
• 12am: everyone went home, 5 people decided to sleep in our leisure room, I kept following monitoring.
• November 27: Traffic started to ramp up around 6AM and stayed high during the entire weekend.

Customer Story (cont’d)

Advice to Others
• Do analysis in house & start small
• Use the right library for the job
• Identify what needs protection
• Think about the time it takes to process logs
• Defense in Depth: simple security rules at perimeter, complex security rules closer to app

Resources

Security Blogs
• Rate-Based Blacklisting – Heitor Vital <heitorc@amazon.com>
• IPs Generating Errors – Ben Potter <benpo@amazon.com>
• Blocking Bots (this month) – Vlad Vlasceanu <vladv@amazon.com>
• Importing IP Reputation Lists (this month) – Lee Atkinson <leeatk@amazon.co.uk>

Tutorials Page
• aws.amazon.com/waf/preconfiguredrules/

Thank you!
