Network Security

Type of attacks on infrastructure

Distributed Denial of Service (DDoS) - When your service is unavailable because it's receiving too many requests.
- SYN Flood (Layer 4): Send too many TCP connection requests.
- UDP Reflection (Layer 4): Get other servers to send many big UDP requests.
- DNS Flood: overwhelm the DNS server so the legitimate users cannot find the site.
- Slow Loris attack: A lot of HTTP connections are opened and maintained.

Application level attacks

Protection on AWS

AWS Shield Standard:
- Free service for every AWS customer.
- Protects agains attacks such as SYN / UDP Flood, Reflection and other Layer 3, 4 attacks.
AWS Shield Advanced:
- Optional DDoS mitigation service ($3,000 per month per organization).
- Provide notification.
- Protect against more sophisticated attack on EC2, ELB, CloudFront, Global Accelerator, Route53.
- 24/7 access to AWS DDoS response team (DRP)
- Protect against higher fees during usage spikes due to DDoS.
AWS WAF:
- Filter specific requests based on rules (layer 7).
- Define Web ACL
  - Rules can include: IP, HTTP Header, HTTP Body, or URI strings.
  - Protects from: SQL Injection, Cross-site Scripting (XSS)
  - Size constraints, Geo match.
  - Rate-based rules.
- Deployable on
  - ALB (localized rules).
  - API Gateway (rules running at the regional or edge level).
  - CloudFront (rules globally on edge locations)
AWS Firewall Manager
- Manages rules in all accounts of an AWS Organization.
- Common set of security rules.
- WAF rules (ALB, API Gateway, CloudFront)
- AWS Shiled Advanced (ELB, Elastic IP, CloudFront)
- Security Groups for EC2 and ENI resources in VPC.
CloudFront and Route53:
- Availability protection using global edge network.
- Combined with AWS Shield, provides DDoS attack mitigation at the edge.
Be ready to scale: leverage AWS Auto Scaling.
Separate static resouces (S3 / CloudFront) from dynamic ones (EC2 / ALB).

Inspection Tools

Last updated 4 years ago