# Network Security

**Type of attacks on infrastructure**

* Distributed Denial of Service (DDoS) - your service becomes unavailable because it is receiving far more requests than it can handle.
  * SYN Flood (Layer 4): send a very large number of TCP connection requests that are never completed.
  * UDP Reflection (Layer 4): spoof the victim's address so that other servers reflect many large UDP responses onto it.
  * DNS Flood: overwhelm the DNS server so that legitimate users cannot resolve the site.
  * Slowloris attack: a large number of HTTP connections are opened and held open, exhausting the server's connection pool.

**Application level attacks**

* More complex and more targeted (HTTP level).
* Cache-busting strategies: overload the backend database with requests that bypass or invalidate the cache.

**Protection on AWS**

* AWS Shield Standard:
  * Free service for every AWS customer.
  * Protects against attacks such as SYN / UDP Flood, Reflection and other Layer 3 and Layer 4 attacks.
* AWS Shield Advanced:
  * Optional DDoS mitigation service ($3,000 per month per organization).
  * **Provides notifications.**
  * Protects against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator, Route53.
  * 24/7 access to the AWS DDoS Response Team (DRT).
  * Protects against higher fees during usage spikes caused by DDoS.
* AWS WAF:
  * Filter specific requests based on rules (layer 7).
  * Define Web ACL
    * Rules can include: IP, HTTP Header, HTTP Body, or URI strings.
    * Protects from: SQL Injection, Cross-site Scripting (XSS)
    * Size constraints, Geo match.
    * Rate-based rules.
  * Deployable on
    * ALB (localized rules).
    * API Gateway (rules running at the regional or edge level).
    * CloudFront (rules globally on edge locations)
* AWS Firewall Manager
  * Manages rules **in all accounts of an AWS Organization**.
  * Common set of security rules.
  * WAF rules (ALB, API Gateway, CloudFront)
  * AWS Shield Advanced (ELB, Elastic IP, CloudFront)
  * Security Groups for EC2 and ENI resources in VPC.
* CloudFront and Route53:
  * Availability protection using global edge network.
  * Combined with AWS Shield, provides DDoS attack mitigation at the edge.
* Be ready to scale: leverage AWS Auto Scaling.
* Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB).
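To make the Web ACL bullets above concrete, here is an added example (not code from the original notes and not AWS's own implementation) that models how a Web ACL evaluates rules in priority order: an IP-set rule that allows trusted addresses sits ahead of a rate-based rule that blocks a client once it exceeds a request limit inside a trailing window. The one-line log format, the addresses, the 300-second window (mirroring WAF's five-minute trailing window) and the limit of 20 are all constructed for the example; the real WAF rule JSON and rule names are not reproduced.

```python
"""Added example: a small model of AWS WAF Web ACL evaluation.

Assumptions (not from the page): the log format '<epoch> <ip> <method> <uri> <status>'
is made up; the window of 300 s mirrors WAF's trailing five-minute window; the limit
of 20 and the IP addresses are constructed so that the sample trips the rule.
"""
from collections import Counter, defaultdict, deque, namedtuple

Request = namedtuple("Request", "ts ip method uri status")

WINDOW_SECONDS = 300   # trailing window over which requests per client IP are counted
RATE_LIMIT = 20        # constructed limit; more than this many in the window is blocked


def parse_line(line):
    """Parse one constructed log line into a Request."""
    ts, ip, method, uri, status = line.split()
    return Request(int(ts), ip, method, uri, int(status))


class IpSetRule:
    """Terminating rule: requests from the listed addresses receive `action`."""

    def __init__(self, name, addresses, action):
        self.name = name
        self.addresses = set(addresses)
        self.action = action

    def evaluate(self, req):
        return self.action if req.ip in self.addresses else None


class RateBasedRule:
    """Block a client IP while its request count in the trailing window exceeds the limit."""

    def __init__(self, name, limit, window):
        self.name = name
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)  # ip -> timestamps still inside the window

    def evaluate(self, req):
        q = self.seen[req.ip]
        q.append(req.ts)
        while q and req.ts - q[0] >= self.window:
            q.popleft()                  # drop requests that fell out of the window
        return "BLOCK" if len(q) > self.limit else None


class WebAcl:
    """Rules are checked in priority order; the first rule that matches decides."""

    def __init__(self, rules, default_action="ALLOW"):
        self.rules = rules
        self.default_action = default_action

    def evaluate(self, req):
        for rule in self.rules:
            action = rule.evaluate(req)
            if action is not None:
                return rule.name, action
        return "Default", self.default_action


def constructed_sample():
    """Constructed log lines: a quiet client, a login burst, a late retry, a trusted scanner."""
    base = 1_700_000_000
    lines = [f"{base + 30 * i} 198.51.100.9 GET /home 200" for i in range(10)]
    lines += [f"{base + 2 * i} 203.0.113.7 POST /login 401" for i in range(30)]
    lines += [f"{base + 1000} 203.0.113.7 POST /login 401"]   # sent after the window expired
    lines += [f"{base + 5} 192.0.2.10 GET /admin 200"]        # address on the allow list
    lines.sort(key=lambda l: int(l.split()[0]))
    return lines


def run(lines, limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """Evaluate every line and return a Counter keyed by (ip, rule, action)."""
    acl = WebAcl([
        IpSetRule("TrustedScanners", ["192.0.2.10"], "ALLOW"),   # higher priority
        RateBasedRule("LoginRateLimit", limit, window),
    ])
    results = Counter()
    for line in lines:
        req = parse_line(line)
        rule, action = acl.evaluate(req)
        results[(req.ip, rule, action)] += 1
    return results


if __name__ == "__main__":
    for (ip, rule, action), n in sorted(run(constructed_sample()).items()):
        print(f"{ip:14} {rule:18} {action:6} {n}")
```

Running it shows the burst client allowed for its first 20 requests, blocked for the next 10, and allowed again for the retry sent after the window has slid past the burst, while the trusted scanner never reaches the rate rule because the allow action of the earlier rule is terminating. Swapping `"BLOCK"` for a count-only action is how you would stage such a rule before enforcing it.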

**Inspection Tools**

* AWS Inspector
  * Vulnerability analysis for unintended network accessibility of your running EC2 instances (not an AMI scan).
  * The AWS Inspector Agent must be installed on the OS of the EC2 instances for analysis.
  * Define an assessment template (rules package, duration, attributes, SNS topics).
  * No custom rules support yet (only AWS managed rules).
  * After the assessment, you get a report with a list of vulnerabilities.
