DDoS solutions for the gaming industry on AWS. 狄颖伟 (Yingwei Di), Solution Architect, Amazon Web Services. 18 July 2017
DDoS attack types
DDoS attack types: volumetric DDoS attacks cause network congestion through sheer traffic volume (e.g., UDP reflection attacks)
DDoS attack types: state-exhaustion DDoS attacks abuse network protocols to exhaust the resources of devices such as firewalls and load balancers (e.g., TCP SYN flood)
DDoS attack types: application-layer DDoS attacks consume application resources with large numbers of legitimate-looking requests (e.g., HTTP GET floods)
DDoS attack trends (pie chart): 65% volumetric, 17% state exhaustion, 18% application layer
Challenges of responding to DDoS attacks, hard to handle: complex set-up; bandwidth capacity must be provisioned in advance; application re-architecture
Challenges of responding to DDoS attacks, manual intervention: in a traditional datacenter, an operator must get involved to initiate mitigation; traffic is re-routed via a distant scrubbing location; time to mitigate increases
Challenges of responding to DDoS attacks: cost
The AWS approach
AWS DDoS protection: integrated with AWS global infrastructure; rapid response; link redundancy
AWS built-in DDoS protection: protects against attacks on the infrastructure, such as SYN/ACK floods and UDP floods, at no additional charge (diagram: traffic from users and from the DDoS attack passes through AWS DDoS mitigation systems before reaching the application)
AWS WAF: integrated with CloudFront and ALB; API-driven rules covering SQL injection, CSRF, IP addresses and packet characteristics
AWS best practices: minimize the attack surface; be able to absorb the attack; focus protection on exposed resources; know what normal traffic looks like; have a response plan
Automated defense through log analysis: CloudFront logs - S3 - Lambda; ELB logs - S3 - Lambda; VPC Flow Logs - CloudWatch Logs - Lambda
Customers also ask: What about large DDoS attacks? Does AWS protect me from application layer attacks? Does AWS protect me from DDoS attacks? I want to talk to DDoS experts. How can I get visibility when I get attacked? Scaling for DDoS attacks is expensive.
AWS Shield A Managed DDoS Protection Service
AWS Shield: Standard protection is provided to all customers at no additional charge; Advanced protection is a paid service that provides additional services and features
AWS Shield features: integration with AWS services (DDoS protection without infrastructure changes); continuous detection and mitigation (minimize impact on application latency); economical (don't force unnecessary trade-offs between cost and availability); flexible (customize protections for your applications)
AWS Shield Standard
AWS Shield Standard, Layer 3/4 protection: automatic detection & mitigation; protection from the most common attacks (SYN/UDP floods, reflection attacks, etc.). Layer 7 protection: AWS WAF for Layer 7 DDoS attack mitigation; self-service & pay-as-you-go; built into AWS services
AWS Shield Standard: better protects the resources you run on AWS; effectiveness improved by the BlackWatch systems; continuous monitoring and mitigation; no additional charge
AWS Shield Advanced Managed DDoS Protection
AWS Shield Advanced works with the following AWS services and requires Business Support: Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53
AWS Shield Advanced supported regions: US East (N. Virginia) us-east-1; US West (Oregon) us-west-2; EU (Ireland) eu-west-1; Asia Pacific (Tokyo) ap-northeast-1
AWS Shield Advanced, AWS WAF integrated with Application Load Balancer (diagram: valid users reach the Application Load Balancer through AWS WAF, while attackers are blocked at AWS WAF)
AWS Shield Advanced: continuous monitoring and detection; AWS cost protection; advanced L3/4 & L7 DDoS protection; 24x7 access to the DDoS Response Team; attack notification and reporting
Continuous monitoring and detection: network flow monitoring; application traffic monitoring
Continuous monitoring and detection, anomaly detection: detects anomalies based on attributes such as source IP, source ASN, traffic levels and validated sources
Continuous monitoring and detection, baselining: continuously baselines normal traffic patterns (HTTP requests per second, source IP address, URLs, User-Agents); AWS WAF supports rate-based filtering
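As an added example (not from the slides), the analysis step of the CloudFront log - S3 - Lambda pipeline mentioned earlier, applied to the per-source baselining described here: it learns a baseline of HTTP requests per second per source IP and flags sources far above it as candidates for an AWS WAF rate-based rule. The log lines are constructed samples laid out in the CloudFront standard access log field order.

```python
# Added example, not from the slides: the analysis step of a
# CloudFront log -> S3 -> Lambda pipeline. It baselines HTTP requests per
# second per source IP and flags sources far above the baseline as
# candidates for an AWS WAF rate-based rule. All log lines are constructed;
# the field order follows the CloudFront standard access log layout.
from collections import Counter, defaultdict
from statistics import median

LOG_HEADER = ("#Version: 1.0\n#Fields: date time x-edge-location sc-bytes c-ip "
              "cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent)")
NORMAL_LINES = [  # three ordinary visitors, one or two requests per second each
    "2017-07-18\t10:00:00\tNRT20\t512\t198.51.100.7\tGET\tportal.example\t/\t200\t-\tMozilla/5.0",
    "2017-07-18\t10:00:01\tNRT20\t512\t198.51.100.7\tGET\tportal.example\t/news\t200\t-\tMozilla/5.0",
    "2017-07-18\t10:00:00\tNRT20\t640\t198.51.100.8\tGET\tportal.example\t/\t200\t-\tMozilla/5.0",
    "2017-07-18\t10:00:00\tNRT20\t640\t198.51.100.9\tGET\tportal.example\t/\t200\t-\tMozilla/5.0",
    "2017-07-18\t10:00:00\tNRT20\t700\t198.51.100.9\tPOST\tportal.example\t/login\t302\t-\tMozilla/5.0",
]
FLOOD_LINES = [  # one scripted source hitting /login 25 times within the same second
    "2017-07-18\t10:00:01\tNRT20\t300\t203.0.113.9\tGET\tportal.example\t/login\t200\t-\tpython-requests/2.18"
] * 25
SAMPLE_LOG = "\n".join([LOG_HEADER] + NORMAL_LINES + FLOOD_LINES)

def parse_cloudfront_log(text):
    """Yield (second, client_ip, uri, user_agent); skip header/comment and short rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 11:
            continue                       # truncated record: skip it, never miscount
        yield f"{f[0]} {f[1]}", f[4], f[7], f[10]

def peak_requests_per_second(records):
    """Return {client_ip: highest request count seen in any single second}."""
    per_ip = defaultdict(Counter)
    for second, ip, _uri, _ua in records:
        per_ip[ip][second] += 1
    return {ip: max(seconds.values()) for ip, seconds in per_ip.items()}

def analyze(text, factor=10):
    """Baseline = median per-source peak rate (robust to a single flooding source).
    Returns (baseline, sorted list of sources exceeding factor x baseline)."""
    peaks = peak_requests_per_second(parse_cloudfront_log(text))
    baseline = median(peaks.values()) if peaks else 0
    flagged = sorted(ip for ip, rate in peaks.items() if rate > baseline * factor)
    return baseline, flagged
```

In a Lambda function triggered by the S3 object-created event, `text` would be the decompressed log object; the flagged sources are review candidates for a WAF rate-based rule rather than an automatic block.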
Enhanced DDoS protection: Layer 3/4 infrastructure protection; Layer 7 application protection
Layer 3/4 infrastructure protection, advanced protection techniques: deterministic filtering; traffic prioritization based on scoring; advanced routing policies
Layer 3/4 infrastructure protection, filtering techniques: automatically filters malformed TCP packets (IP checksum, TCP valid flags, UDP payload length, DNS request validation)
Layer 3/4 infrastructure protection, traffic prioritization:
Low suspicion attributes: normal packet or request header; traffic composition and volume is typical given its source; traffic valid for its destination
High suspicion attributes: suspicious packet or request headers; entropy in traffic by header attribute; entropy in traffic source and volume; traffic source has a poor reputation; traffic invalid for its destination
Layer 3/4 infrastructure protection, traffic prioritization: inline inspection and scoring; preferentially discard lower-priority (attack) traffic; high-suspicion packets dropped, low-suspicion packets retained
Layer 3/4 infrastructure protection, advanced routing policies: distributed scrubbing and bandwidth capacity; automated routing policies to absorb large attacks; manual traffic engineering
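As an added example (not from the slides, and not AWS's implementation), the deterministic checks listed above, IPv4 header checksum, TCP flag validity and UDP length, combined into a per-packet suspicion score so that high-suspicion packets are discarded first and low-suspicion packets retained. The packets are constructed byte strings; the builder helpers and thresholds are assumptions for illustration.

```python
# Added example, not from the slides: deterministic header checks (IPv4 checksum,
# TCP flag validity, UDP length) combined into a suspicion score. Packets and
# score weights are constructed for illustration, not AWS's own logic.
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum of the header with its checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr + b"\x00" * (len(hdr) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(proto: int, payload: bytes, corrupt_checksum: bool = False) -> bytes:
    """Constructed 20-byte IPv4 header in front of payload; optionally flip the checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([203, 0, 113, 5]), bytes([198, 51, 100, 1]))
    csum = ipv4_checksum(hdr) ^ (0xFFFF if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def tcp_segment(flags: int) -> bytes:
    """Constructed 20-byte TCP header with the given flag byte (FIN=0x01, SYN=0x02, RST=0x04)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, 65535, 0, 0)

def udp_datagram(data: bytes, length=None) -> bytes:
    """Constructed UDP header; the length field defaults to the true datagram length."""
    return struct.pack("!HHHH", 40000, 7777, 8 + len(data) if length is None else length, 0) + data

def score_packet(pkt: bytes) -> int:
    """Suspicion score: 0 for a well-formed packet, each defect adds points."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return 100                                  # not parseable as IPv4
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return 100
    score = 0
    if struct.unpack("!H", pkt[10:12])[0] != ipv4_checksum(pkt[:ihl]):
        score += 50                                 # IP header checksum does not verify
    proto, payload = pkt[9], pkt[ihl:]
    if proto == 6 and len(payload) >= 20:           # TCP
        flags = payload[13]
        if flags == 0 or (flags & 0x02 and flags & (0x01 | 0x04)):
            score += 40                             # null, SYN+FIN or SYN+RST: no real stack sends these
    elif proto == 17 and len(payload) >= 8:         # UDP
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len < 8 or udp_len != len(payload):
            score += 40                             # length field disagrees with the datagram
    elif proto in (6, 17):
        score += 60                                 # transport header truncated
    return score
```

A filter would drop packets at or above a chosen threshold (for instance 40) first and keep the rest, which is the "high-suspicion dropped, low-suspicion retained" ordering the slide describes.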
AWS WAF Layer 7 application protection: web traffic filtering with custom rules; malicious request blocking; active monitoring and tuning
AWS WAF Layer 7 application protection, three operating modes: self-service; engage DDoS experts; proactive DRT engagement
AWS WAF Layer 7 application protection, self-service: AWS WAF included at no additional cost
AWS WAF Layer 7 application protection, engaging DDoS experts: 1. You engage the AWS DDoS Response Team (DRT). 2. DRT triages the attack. 3. DRT assists you with creating AWS WAF rules.
AWS WAF Layer 7 application protection, proactive DRT engagement: 1. Always-on monitoring engages the AWS DDoS Response Team (DRT). 2. DRT proactively triages the DDoS attack. 3. DRT creates AWS WAF rules (prior authorization required).
Attack notification and reporting: real-time notification of attacks via Amazon CloudWatch; near real-time metrics and packet captures for attack forensics; historical attack reports; attack monitoring and detection
24x7 access to the DDoS Response Team. Critical: rapid response to urgent incidents, with direct communication with DRT experts. Complex: complex cases can be handled by DRT experts, who have extensive hands-on experience protecting AWS and amazon.com
24x7 access to the DDoS Response Team. Before an attack: proactive consultation and best practice guidance. During an attack: attack mitigation. After an attack: post-mortem analysis
AWS cost protection: credits for scaling charges caused by DDoS attacks on Amazon CloudFront, Elastic Load Balancer, Application Load Balancer and Amazon Route 53
Game DDoS protection, components of a game application: web portal (HTTP(S)); backend services such as matchmaking (HTTP(S) / TCP); dedicated game servers (UDP); multiplayer relay servers (UDP)
Game DDoS protection, web portal and matchmaking: Layer 3/4 attacks (SYN, ACK, ...); Layer 7 attacks (HTTP floods)
Game DDoS protection, game servers & relay servers (UDP): diagram of a region with EC2 game-server instances behind traffic shaping and auto-mitigation, alongside the web portal and matchmaking tier (the slide labels them awselb.amazon.com and 11.23.92.12)
Game DDoS protection: GameLift
Thank You!