I didn’t know AWS WAF did this (CDN303)

A summary of the session, broken into sections:

Introduction

  • This is a 300-level session, so some knowledge of AWS WAF (Web Application Firewall) is assumed.
  • The presenters are Costa Fatak, Senior Product Manager for AWS WAF, and Tam, a Solution Architect Specialist for Edge Services.

Emerging Web Threats

  • Automated traffic, or "bot traffic", now accounts for 47% of all web traffic.
  • The evolution and sophistication of bot attacks have increased, with the advent of AI-powered bots making it easier for attackers to carry out these attacks.
  • Bots are now not only focused on getting sensitive information, but also on scraping all available data to train AI models.
  • New risks have emerged, such as network attacks, SMS fraud, social engineering, and threats specific to AI/LLM (Large Language Model) applications like prompt injection, hallucination, and data poisoning.

AWS Approach to Bot Mitigation

  • AWS has observed a variety of AI-powered bots targeting news articles, product pages, user profiles, and other content across their customer base.
  • Traditional bot mitigation techniques like robots.txt are becoming ineffective, as bots no longer adhere to these guidelines.
  • The importance of bot control and mitigation is growing, as it can save $277 for every $1 spent, due to the high cost of generative AI compute.

AWS WAF Overview

  • AWS WAF is a web application firewall that deals with HTTP traffic and allows for the creation of flexible rules, both managed and custom.
  • It provides intelligent threat protection, allowing the identification of bots, differentiation of human and non-human actors, and fraud prevention.
  • AWS WAF also provides visibility into the traffic through logging and CloudWatch metrics.
  • The key construct in AWS WAF is the Web ACL, which contains a set of rules that are processed serially in priority order (lowest priority number first).

WAF Rule Configuration

  • Rules can be managed (provided by AWS or partners) or custom (created by the user).
  • Rules can have different actions: allow, block, count, CAPTCHA, or challenge.
  • Labels are metadata that can be attached to requests and used by other rules.
  • Rate-based rules allow the tracking and enforcement of request thresholds.
  • Managed rules like Bot Control, ATP (Account Takeover Prevention), and ACFP (Account Creation Fraud Prevention) provide advanced threat mitigation capabilities.

Mitigation Techniques

  • Sophisticated attack mitigation revolves around strategies like zero-trust architectures, threat intelligence, and incident response.
  • Adaptive defense techniques like diversion, distortion, depletion, and deception can be effective against advanced bots.
  • Deception techniques include fake success, fake failure, fake execution, and normal execution.

Architecture and Use Cases

  1. Fraud Mitigation:

    • Enable ATP and ACFP managed rules in a "count" mode to collect data without blocking.
    • Implement the SDK on the front-end to challenge incoming sessions.
    • Create a custom rule to label requests based on the ATP and ACFP findings and use these labels for further mitigation.
  2. Availability During Marketing Campaigns:

    • Use a rate-based rule to monitor overall traffic and label requests that exceed a certain threshold as "volumetric traffic".
    • Create a second rate-based rule that rate-limits IP addresses, but only for requests labeled as "volumetric traffic".
    • Optionally, enable the IP Reputation managed rule for only the "volumetric traffic" labeled requests.
    • Scope down Bot Control to be active only for the "volumetric traffic" labeled requests.
  3. Protecting a Revenue-Generating Application:

    • Start with a set of "count and label" rules to collect information about the traffic, such as SQL injection attempts, sensitive URIs, and verified bots.
    • Use the collected labels to apply more targeted enforcement rules, blocking or challenging only the high-risk requests.
    • Leverage multiple instances of Bot Control, with the common mode for verified bots and the targeted mode for specific parts of the application.
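The label-chaining pattern from the marketing-campaign use case, as an added example that is not from the session or from AWS: the rules are built as AWS WAFV2 rule JSON (Python dicts, ready for json.dumps), and a check confirms that every label a scope-down statement matches is added by a rule with a lower Priority, which is the mistake that silently turns the whole chain into a no-op. Rule names, limits, the label name and the "/campaign" path prefix are assumptions; the optional IP reputation rule would use the same shape as the Bot Control rule.

```python
LABEL = "volumetric-traffic"  # assumed custom label name
CAMPAIGN_PATH = "/campaign"   # assumed URI prefix of the campaign pages
ONLY_SURGE = {"LabelMatchStatement": {"Scope": "LABEL", "Key": LABEL}}


def _vis(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def build_campaign_rules(overall_limit=10000, per_ip_limit=500):
    """Web ACL rules for the campaign use case, in evaluation order (lower Priority runs first)."""
    campaign_pages = {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
        "SearchString": CAMPAIGN_PATH, "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}
    # Rule 1: count all campaign requests as one bucket (CONSTANT aggregation needs a scope-down).
    # Action is Count, so it never blocks; it only adds the label while the aggregate is over the limit.
    detect = {"Name": "DetectSurge", "Priority": 0, "Action": {"Count": {}},
              "Statement": {"RateBasedStatement": {"Limit": overall_limit, "AggregateKeyType": "CONSTANT",
                                                   "ScopeDownStatement": campaign_pages}},
              "RuleLabels": [{"Name": LABEL}], "VisibilityConfig": _vis("DetectSurge")}
    # Rule 2: per-IP limit that only counts requests carrying the label, i.e. only during a surge.
    limit_ips = {"Name": "LimitIpsDuringSurge", "Priority": 1, "Action": {"Block": {}},
                 "Statement": {"RateBasedStatement": {"Limit": per_ip_limit, "AggregateKeyType": "IP",
                                                      "ScopeDownStatement": ONLY_SURGE}},
                 "VisibilityConfig": _vis("LimitIpsDuringSurge")}
    # Rule 3: Bot Control (common level) scoped down to the same label; rule groups use OverrideAction.
    bots = {"Name": "BotControlDuringSurge", "Priority": 2, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet",
                "ScopeDownStatement": ONLY_SURGE,
                "ManagedRuleGroupConfigs": [{"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "COMMON"}}]}},
            "VisibilityConfig": _vis("BotControlDuringSurge")}
    return [detect, limit_ips, bots]


def label_refs(node):
    """Yield every label key a LabelMatchStatement references anywhere in a statement tree."""
    if isinstance(node, dict) and "LabelMatchStatement" in node:
        yield node["LabelMatchStatement"]["Key"]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from label_refs(child)


def check_label_chain(rules):
    """(rule, label) pairs where a label is matched before any earlier-priority rule adds it."""
    emitted, problems = set(), []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        problems += [(rule["Name"], k) for k in label_refs(rule["Statement"]) if k not in emitted]
        emitted |= {lab["Name"] for lab in rule.get("RuleLabels", [])}
    return problems
```

Run check_label_chain on any Web ACL export before deploying a label-scoped rule set; an empty list means every matched label is produced by an earlier rule.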

Additional Resources

  • Bot Mitigation Strategy blog post
  • Challenge flow detailed explanation
  • Configuration examples
