PowerPoint Presentation - PDF Free Download

游戏行业 DDOS 在 AWS 的解决方案狄颖伟,AWS 解决方案架构师 Yingwei Di, Solution Architect, Amazon Web Services 2017 年 7 月 18 日 18 th July, 2017

DDoS 攻击类型

DDoS 攻击类型流量 DDoS 攻击通过大流量造成网络拥塞 (e.g., UDP reflection attacks)

DDoS 攻击类型资源耗尽 DDoS 攻击通过网络协议使得诸如防火墙, 负载均衡等设备资源耗尽 (e.g., TCP SYN flood)

DDoS 攻击类型应用层 DDoS 攻击用大量的真实请求消耗应用资源 (e.g., HTTP GET)

DDoS 攻击趋势 17% State exhaustion 65% Volumetric 18% Application layer Volumetric State exhaustion Application layer

应对 DDoS 攻击的挑战难以处理 Complex set-up Provision bandwidth capacity Application re-architecture

应对 DDoS 攻击的挑战人工介入 Traditional Datacenter Operator involvement to initiate mitigation Re-route traffic via distant scrubbing location Increased time to mitigate

应对 DDoS 攻击的挑战成本

AWS 应对方法

AWS DDoS 防护与全球基础资源集成快速响应链路冗余

AWS 内置 DDoS 防护防护对基础设施的攻击应对 SYN/ACK Floods, UDP Floods, 等攻击 DDoS Attack 无额外费用 Users DDoS mitigation systems

AWS WAF 与 CloudFront,ALB 集成支持 API 策略 SQL 注入 CSRF IP 地址数据包特性

AWS 最佳实践最小化受攻击面吸收重点保护暴露的资源熟悉正常网络情况应对计划

自动化防御日志分析 CF log - S3 - Lambda ELB log - S3 - Lambda VPC flow log CloudWatch Log - Lambda

客户还关心 What about large DDoS attacks? Does AWS protect me from application layer attacks? Does AWS protect me from DDoS attacks? I want to talk to DDoS experts. How can I get visibility when I get attacked? Scaling for DDoS attacks is expensive.

AWS Shield A Managed DDoS Protection Service

AWS Shield 标准保护高级保护提供给所有客户, 无额外费用付费服务, 提供额外的服务和功能

AWS Shield 特点与 AWS 服务集成 Integration DDoS protection without infrastructure changes 持续侦测和压制 Minimize impact on application latency 经济 Don t force unnecessary trade-offs between cost and availability 灵活 Customize protections for your applications

AWS Shield 标准版

AWS Shield 标准版 3/4 层保护 Automatic detection & mitigation Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.) 7 层保护 AWS WAF for Layer 7 DDoS attack mitigation Self-service & pay-as-you-go Built into AWS services

AWS Shield 标准版更好的保护您运行在 AWS 上的资源通过 BlackWatch systems 提升效果持续监控和压制无额外费用

AWS Shield Advanced Managed DDoS Protection

AWS Shield 高级版与 AWS 服务结合, 需要 business support Application Load Balancer Classic Load Balancer Amazon CloudFront Amazon Route 53

AWS Shield 高级版支持的区域 US East (N. Virginia) US West (Oregon) EU (Ireland) Asia Pacific (Tokyo) us-east-1 us-west-2 eu-west-1 ap-northeast-1

AWS Shield 高级版 AWS WAF 与 Application Load Balancer 集成 Valid users X AWS WAF Application Load Balancer Attackers

AWS Shield 高级版持续监控和侦测 AWS 费用优惠高级 L3/4 & L7 DDoS 防护 24x7 联系 DDoS 响应团队攻击通知和报告

持续监控和侦测 Network flow monitoring Application traffic monitoring

持续监控和侦测异常检测 Detects anomalies based on attributes such as: Source IP Source ASN Traffic levels Validated sources

持续监控和侦测基线 Continuously baselining normal traffic patterns HTTP Requests per second Source IP Address URLs User-Agents AWS WAF 支持基于 rate 的过滤

AWS Shield 高级版持续监控和侦测 AWS bill protection 高级 L3/4 & L7 DDoS 防护 24x7 联系 DDoS 响应团队攻击通知和报告

增强 DDoS 防护 Layer 3/4 infrastructure protection Layer 7 application protection

3/4 层基础设施防护高级防护技术技术 Deterministic filtering Traffic prioritization based on scoring Advanced routing policies

3/4 层基础设施防护过滤技术 Automatically filters malformed TCP packets IP checksum TCP valid flags UDP payload length DNS request validation

3/4 层基础设施防护流量优先级 Low suspicion attributes High suspicion attributes Normal packet or request header Traffic composition and volume is typical given its source Traffic valid for its destination Suspicious packet or request headers Entropy in traffic by header attribute Entropy in traffic source and volume Traffic source has a poor reputation Traffic invalid for its destination

3/4 层基础设施防护流量优先级 Inline inspection and scoring Preferentially discard lower priority (attack) traffic High-suspicion packets dropped Low-suspicion packets retained

3/4 层基础设施防护高级路由策略 Distributed scrubbing and bandwidth capacity Automated routing policies to absorb large attacks Manual traffic engineering

增强 DDoS 防护 Layer 3/4 infrastructure protection Layer 7 application protection

AWS WAF 7 层应用防护 Web traffic filtering with custom rules Malicious request blocking Active monitoring and tuning

AWS WAF 7 层应用防护三种操作模式 Self-service Engage DDoS experts Proactive DRT engagement

AWS WAF 7 层应用防护自服务 AWS WAF included at no additional cost

AWS WAF 7 层应用防护引入 DDoS 专家 1. You engage the AWS DDoS Response Team (DRT) 2. DRT triages attack 3. DRT assists you with creating AWS WAF rules

AWS WAF 7 层应用防护预先引入 DRT 1. Always-on monitoring engages the AWS DDoS Response Team (DRT) 2. DRT proactively triages DDoS attack 3. DRT creates AWS WAF rules (prior authorization required)

AWS Shield 高级版持续监控和侦测 AWS 费用优惠高级 L3/4 & L7 DDoS 防护 24x7 联系 DDoS 响应团队攻击通知和报告

攻击通知和报告 Real-time notification of attacks via Amazon CloudWatch Near real-time metrics and packet captures for attack forensics Historical attack reports Attack monitoring and detection

AWS Shield 高级版持续监控和侦测 AWS 费用优惠高级 L3/4 & L7 DDoS 防护 24x7 联系 DDoS 响应团队 Attack notification and reporting

24x7 联系 DDoS 响应团队关键紧急事件迅速响应, 直接与 DRT 专家沟通复杂可由 DTR 专家处理,DRT 专家在保护 AWS 和 amazon.com 具有丰富的实践经验

24x7 联系 DDoS 响应团队事前 Proactive consultation and best practice guidance 事中 Attack mitigation 事后 Post-mortem analysis

AWS Shield 高级版持续监控和侦测 AWS 费用优惠高级 L3/4 & L7 DDoS 防护 24x7 联系 DDoS 响应团队攻击通知和报告

AWS 费用减免减免因 DDoS 攻击造成的扩展费用 Amazon CloudFront Elastic Load Balancer Application Load Balancer Amazon Route 53

游戏 DDoS 防护游戏应用组成 Web Portal HTTP(S) Backend services, like Matchmaking HTTP(S) / TCP Dedicated Game Servers - UDP Multiplayer Relay Servers - UDP

游戏 DDoS 防护 Web Portal and Match-Making Layer 3/4 Attacks SYN, ACK,.. Layer 7 Attacks HTTP Floods

游戏 DDoS 防护 Game Servers & Relay Servers: UDP awselb.amazon.com 11.23.92.12 EC2 Traffic Shaping EC2 EC2 Auto-Mitigation Web Portal and Matchmaking Region

游戏 DDoS 防护 GameLift

Thank You!