AWS - WAF and Shield

Summary

Threats by layer (and which AWS service covers each):

  • Application Layer (7)
    • DDoS: HTTP floods <-- Shield Advanced
    • Application attacks: SQL injection; sensitive data exposure; social engineering; application exploits <-- WAF
    • Bad bots: crawler; content scraper; scanner & probe <-- WAF
  • Network Layer (3&4)
    • DDoS: reflection; SSL abuse; amplification; Slowloris; layer 4 floods <-- Shield Standard

DDOS

  • Layer 3/4 DDoS
    • SYN/UDP floods: a SYN flood works by never sending the server the expected ACK, so the server keeps waiting for the ACK (until timeout) and its resources are exhausted.
    • Reflection attacks: trusted entities use a shared mutual key; when the faker is challenged to respond using the mutual key, he sends the original challenge to another server that uses the same mutual key, as if it were a challenge, and uses that server's response to answer the original request.
  • Layer 7 DDoS

Key Features

AWS Shield

  • Standard: layer 3/4 protection
    • Always on: heuristics-based anomaly detection; baselining
  • Advanced: layer 7 protection
    • With AWS Shield Advanced, WAF is free
    • Scaling up during a DDoS is free (report and refund)
    • Available when you have Application ELB, Classic ELB, CloudFront, S3 and Route 53
    • Integrates with CloudWatch for metrics and reports about the attack
    • Billing: multiple accounts in one enterprise share the service once the enterprise has bought it

AWS WAF

Feature summary,

  • Filter traffic based on customized rules
  • Malicious request protection
    • SQL injection
    • Process encrypting (???)
  • Active monitoring and tuning
  • Less than 55 seconds before a new rule is applied globally
  • Less than 1 millisecond inspection time when turned on
  • API & SDK support for defining rules
  • Pre-configured rules

How to use,

  • Flexible customized rules
  • Pre-configured rules
  • Security automations (combined with Lambda)

Common use cases for WAF,

  • IP reputation list
    • Can deploy this feature using CloudFormation
    • Updates the reputation list from 3 trusted sources
  • HTTP floods
    • Limit the number of HTTP requests per client in a 5-minute bucket
  • Scanners & probes
    • Available to deploy using CloudFormation
    • Honeypot URL (???)

DEMO-1 Whitelist good users

WAF config
Define conditions --> attach conditions to rules --> attach rules to Web ACLs --> associate Web ACLs with AWS services (S3, CloudFront, ELB)

DEMO-2 Virtual Patching

Example: Apache Struts vulnerability
When a condition is attached to a rule, you define whether to block or allow when the condition is true.

Rate-based rule + URI string match condition = protection against brute-force login attempts

DEMO-3 Brute Force on Login

When defining a rule, there are 2 options, “Regular rule” or “Rate-based rule”. For this scenario, we use “Rate-based rule”.

Define the “Rate-based rule” with a “/login” URI match condition and set the limit to 2000 requests / 5 min.

OWASP Top 10

  • A1 : Injection

  • A2 : Broken Authentication and Session Management

    • Hard to distinguish legitimate users
    • Automated update of the token blacklist when:
      • the same token is used from different locations
      • the login rate is abnormal
  • A3 : Cross Site Scripting (XSS)

    • For example, on a blog platform a user publishes a post with an embedded script, loaded from his own website, that runs in the browser of whoever reads that particular post and captures key inputs
    • It is easy to block content with a script tag in the body, query string or cookie, but other requirements need careful thought, e.g. SVG graphics (which can use a script tag)
  • A4 : Broken Access Control

  • A5 : Security Misconfiguration

    • Leaving the web server's ServerTokens at Full (default config) exposes the exact version and components, letting attackers pick known vulnerabilities
    • Leaving default directory listing enabled
    • Returning a stack trace in the error page
    • PHP bug allowing request parameters to be registered as global variables; attackers use this to overwrite a global variable, e.g. http://mywebsite/?_SERVER[DOCUMENT_ROOT]=http://attackerswebsite/bad.htm, which changes the document root to another website.
      • Mitigate: block query strings containing _SERVER
    • Mitigate: use Amazon Inspector to check against common known misconfigurations
    • Mitigate: use AWS Config and EC2 Systems Manager to track configuration changes over time.
  • A6 : Sensitive Data Exposure

    • SHA-1 hashing algorithm; attackers can attempt to cause a hash collision
    • Mitigate: both ELB and CloudFront support specifying the allowed ciphers
  • A7 : Insufficient Attack Protection

    • Submit abnormal huge number of requests or single request with huge payload
    • Mitigate: Rate based rules & size constraint Rules
    • Mitigate: WAF Security Automation with Lambda
      • Lambda analysis access log to update block ip
      • update block ip list from reputation list
      • Honeypot URL
  • A8 : Cross Site Request Forgery (CSRF)

    • Different from XSS: CSRF relies on the trust placed in the user's (already authenticated) browser
    • Embed a link; a user who clicks it while just logged in to online banking will transfer $1000 to Badman
    • Mitigate: embed a hidden token (GUID) in the form or header.
    • Mitigate: check that the Referer header comes from the correct source (won't work if the browser implementation changes)
  • A9 : Using components with known vulnerabilities

    • CVE: Common Vulnerabilities and Exposures
    • Mitigate: filter out components not being used in your application
    • Mitigate: penetration testing; needs AWS permission
  • A10 : Unprotected APIs

    • Same as A1-A9, but applied to APIs
  • Old A10 : Unvalidated redirects and forwards
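As an added example (not code from these notes or from AWS), here is a Python sketch of the "Lambda analyses access logs to update the blocked IP list" automation under A7, using the same 5-minute bucket that the HTTP-flood use case and the DEMO-3 rate-based rule rely on. The log format, sample lines and IP addresses are constructed; a real deployment would read ALB or CloudFront logs and push the returned CIDRs into a WAF IP set.

```python
from collections import defaultdict
from datetime import datetime

BUCKET_SECONDS = 300  # WAF rate-based rules count requests per 5-minute window


def parse_line(line):
    """Parse a constructed access-log line: '<ISO-8601 time> <client ip> <method> <path>'."""
    ts, ip, _method, path = line.split()[:4]
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip, path


def flood_sources(lines, uri_prefix="/login", limit=2000):
    """Return {ip: peak_count} for clients whose requests to paths under
    uri_prefix exceed `limit` inside any single 5-minute bucket."""
    counts = defaultdict(int)  # (ip, bucket) -> request count
    for line in lines:
        when, ip, path = parse_line(line)
        if not path.startswith(uri_prefix):
            continue  # scoped to the login URI, like the DEMO-3 rule
        bucket = int(when.timestamp()) // BUCKET_SECONDS
        counts[(ip, bucket)] += 1
    offenders = {}
    for (ip, _bucket), n in counts.items():
        if n > limit:
            offenders[ip] = max(n, offenders.get(ip, 0))
    return offenders


def to_ipset_entries(ips):
    """WAF IP sets take CIDR notation, so a single IPv4 host becomes /32."""
    return sorted(f"{ip}/32" for ip in ips)


# Constructed sample log (not real traffic): 203.0.113.7 posts to /login five
# times inside one bucket; 198.51.100.9 spreads three posts over two buckets.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 203.0.113.7 POST /login",
    "2024-01-01T10:00:02Z 203.0.113.7 POST /login",
    "2024-01-01T10:00:03Z 203.0.113.7 POST /login",
    "2024-01-01T10:00:04Z 203.0.113.7 POST /login",
    "2024-01-01T10:00:05Z 203.0.113.7 POST /login",
    "2024-01-01T10:00:06Z 203.0.113.7 GET /static/app.js",  # not counted
    "2024-01-01T10:00:10Z 198.51.100.9 POST /login",
    "2024-01-01T10:01:00Z 198.51.100.9 POST /login",
    "2024-01-01T10:06:00Z 198.51.100.9 POST /login",  # next 5-minute bucket
]

if __name__ == "__main__":
    # Low limit so the small sample triggers; the notes use 2000 per 5 minutes.
    print(to_ipset_entries(flood_sources(SAMPLE_LOG, limit=3)))  # ['203.0.113.7/32']
```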

OWASP Top 10 CloudFormation templates

https://github.com/aws-samples/aws-waf-sample/blob/master/waf-owasp-top-10/owasp_10_base.yml

References

https://youtu.be/W01f7g7slHw

Use WAF to mitigate OWASP Top 10 coverage
https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf

SHA-1 and hash collision
https://zh.wikipedia.org/wiki/SHA-1
