DDoS
Distributed Denial of Service
Layer 4 DDoS
- SYN flood
- works at the TCP layer
How does the Layer 4 three-way handshake work?
1) Client sends a SYN packet to a server
2) server replies with SYN-ACK
3) Client responds with ACK
SYN Flood
uses the built in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and ignoring the SYN-ACK replies sent by the server
- causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client
- eats thru the maximum amount of TCP connections
Amplification Attack
- where an attacker may send a 3rd party server a request using a spoofed IP address
- 3rd party sends a large # of bytes back to the spoofed IP address, jamming up their servers
Layer 7 attack
when a web server gets a flood of GET or POST requests, usually from a bot net or a large number of compromised computers
Cloud Trail
increases visibility into your user and resource activity by recording AWS Management Console actions and API calls
- logs are stored in S3
What can Cloud Trail identify?
- which users and accounts called AWS
- source IP address
- time of each call
- metadata of each call
- API request parameters
- response elements returned by the service
- NOT RDP or SSH traffic
What does Cloud Trail allow?
1) after-the-fact incident investigation
2) near real-time intrusion detection (when coupled with Lambda)
3) industry and regulatory compliance
What kind of attacks does Shield protect against?
Layer 3 and Layer 4
- SYN/UPD floods
- reflection attacks
Shield
Free DDoS protection
- protects all customers on ELB, CloudFront, Route 53
AWS Shield Advanced
$3000/mo
- always-on flow-based monitoring with real-time notifications
- 24/7 access to the DDoS Reponse Team (DRT)
- protects your AWS bill from DDoS usage spikes
AWS WAF
A LAYER 7 web application firewall that lets you monitor the https and http requests that are forwarded to CloudFront or an ALB
- also lets you control access to your content
What are some example configurations for WAF?
- what IP addresses are allowed to make a request
- what query string parameters need to be passed in
What status code will ALB or Cloud Front return if it doesn’t allow the request?
403 - Forbidden
What are some WAF behaviors?
1) allow all requests except the ones you specify
2) block all requests except the ones you specify
3) count the requests that match the properties you specify
Conditions you can specify in WAF
1) IP Address where requests originate from
2) Country that requests originate from
3) values in request headers
4) reject SQL injection (SQL code)
5) reject presence of a script (cross-site scripting attack)
6) reject or accept based on regex
Guard Duty
a threat-detection service that uses machine learning to continuously monitor for malicious behavior
What kinds of things does Guard Duty detect?
- unusual API calls
- calls from a known malicious IP
- attempts to disable CloudTrail logging
- unauthorized deployments
- compromised instances
- reconasissance by would-be attackers
- port scanning, failed logins
Where do Guard Duty alerts appear?*
- Guard Duty console
- Cloud Watch Events
What kinds of feeds can Guard Duty receive?*
- CrowdStrike, Proofpoint, AWS security
What does Guard Duty monitor?*
- Cloud Trail logs
- VPC Flow logs
- DNS logs
How can you automate responses to what Guard Duty finds?
Lambda and Cloud Watch Events
How long does it take for Guard Duty to set up a baseline of what is normal for your account?
7-14 days
