Here is a detailed summary of the video transcription in markdown format, broken into sections for better readability:
## Introduction
- This is a 300-level session, so some knowledge of AWS WAF (Web Application Firewall) is assumed.
- The presenters are Costa Fatak, Senior Product Manager for AWS WAF, and Tam, a Solution Architect Specialist for Edge Services.
## Emerging Web Threats
- Automated traffic, or "bot traffic", now accounts for 47% of all web traffic.
- Bot attacks have grown in scale and sophistication, and AI-powered bots lower the effort attackers need to carry them out.
- Bots are now not only focused on getting sensitive information, but also on scraping all available data to train AI models.
- New risks have emerged, such as network attacks, SMS fraud, social engineering, and threats specific to AI/LLM (Large Language Model) applications like prompt injection, hallucination, and data poisoning.
## AWS Approach to Bot Mitigation
- AWS has observed a variety of AI-powered bots targeting news articles, product pages, user profiles, and other content across their customer base.
- Traditional bot mitigation techniques like robots.txt are becoming ineffective, as bots no longer adhere to these guidelines.
- The importance of bot control and mitigation is growing, as it can save $277 for every $1 spent, due to the high cost of generative AI compute.
## AWS WAF Overview
- AWS WAF is a web application firewall that deals with HTTP traffic and allows for the creation of flexible rules, both managed and custom.
- It provides intelligent threat protection, allowing the identification of bots, differentiation of human and non-human actors, and fraud prevention.
- AWS WAF also provides visibility into the traffic through logging and CloudWatch metrics.
- The key construct in AWS WAF is the Web ACL, which contains a set of rules that are processed serially.
## WAF Rule Configuration
- Rules can be managed (provided by AWS or partners) or custom (created by the user).
- Rules can have different actions: allow, block, count, challenge, or CAPTCHA.
- Labels are metadata that can be attached to requests and used by other rules.
- Rate-based rules allow the tracking and enforcement of request thresholds.
- Managed rules like Bot Control, ATP (Account Takeover Prevention), and ACFP (Account Creation Fraud Prevention) provide advanced threat mitigation capabilities.
## Mitigation Techniques
- Mitigating sophisticated attacks revolves around strategies like zero-trust architectures, threat intelligence, and incident response.
- Adaptive defense techniques like diversion, distortion, depletion, and deception can be effective against advanced bots.
- Deception techniques include fake success, fake failure, fake execution, and normal execution.
## Architecture and Use Cases
- Fraud Mitigation:
  - Enable the ATP and ACFP managed rules in "count" mode to collect data without blocking.
  - Implement the SDK on the front end to challenge incoming sessions.
  - Create a custom rule that labels requests based on the ATP and ACFP findings, and use these labels for further mitigation.
- Availability During Marketing Campaigns:
  - Use a rate-based rule to monitor overall traffic and label requests that exceed a certain threshold as "volumetric traffic".
  - Create a second rate-based rule that rate-limits IP addresses, but only for requests labeled as "volumetric traffic".
  - Optionally, enable the IP Reputation managed rule only for requests labeled "volumetric traffic".
  - Scope down Bot Control so it is active only for requests labeled "volumetric traffic".
- Protecting a Revenue-Generating Application:
  - Start with a set of "count and label" rules to collect information about the traffic, such as SQL injection attempts, sensitive URIs, and verified bots.
  - Use the collected labels to apply more targeted enforcement rules, blocking or challenging only the high-risk requests.
  - Leverage multiple instances of Bot Control: the common inspection level for verified bots and the targeted level for specific parts of the application.
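The "count and label, then enforce on the label" pattern behind both the marketing-campaign and the revenue-application use cases is easier to see in running code. The block below is an added example, not code from the talk or from AWS: it defines two rules in the (simplified) AWS WAF JSON shape and walks constructed traffic through a small model of serial Web ACL evaluation. The rule names, the limits (20 overall, 5 per IP), the `/sale` path and the sample IPs are assumptions; the model counts exactly within a 5-minute window, whereas real AWS WAF rate-based rules are evaluated approximately, with counts refreshed roughly every 30 seconds.

```python
"""Simplified model of AWS WAF serial rule evaluation with labels and rate-based rules.

Constructed example. It mimics three behaviours the talk relies on: rules are
walked in priority order, a Count rule still attaches its labels to the request,
and a later rule's scope-down statement can match on those labels.
"""
from collections import defaultdict, deque

# Constructed rules in the (simplified) AWS WAF JSON shape. Names, limits and the
# /sale path are assumptions for this example, not values from the talk.
CAMPAIGN_RULES = [
    {   # Stage 1: count overall traffic and label the excess instead of blocking it.
        "Name": "detect-volumetric-traffic",
        "Priority": 0,
        "Action": {"Count": {}},
        "RuleLabels": [{"Name": "volumetric-traffic"}],
        "Statement": {"RateBasedStatement": {
            "Limit": 20,
            "AggregateKeyType": "CONSTANT",  # one counter shared by all matching requests
            # AWS WAF only allows CONSTANT aggregation together with a scope-down statement
            "ScopeDownStatement": {"ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": "/sale"}}}},
    },
    {   # Stage 2: per-IP limit that only applies while stage 1 is labelling.
        "Name": "rate-limit-ips-under-load",
        "Priority": 1,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {
            "Limit": 5,
            "AggregateKeyType": "IP",
            "ScopeDownStatement": {"LabelMatchStatement": {
                "Scope": "LABEL", "Key": "volumetric-traffic"}}}},
    },
]


class WebAclModel:
    """Evaluates a subset of WAF statements: RateBasedStatement (IP or CONSTANT key),
    LabelMatchStatement, and ByteMatchStatement with STARTS_WITH on the URI path."""

    def __init__(self, rules, window_sec=300):
        self.rules = sorted(rules, key=lambda r: r["Priority"])
        self.window = window_sec
        self.hits = defaultdict(deque)  # (rule name, aggregation key) -> request timestamps

    def _count(self, rule_name, key, now):
        # Record this request and return the count in the trailing window.
        q = self.hits[(rule_name, key)]
        q.append(now)
        while now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def _matches(self, stmt, rule_name, req, labels, now):
        if "LabelMatchStatement" in stmt:
            return stmt["LabelMatchStatement"]["Key"] in labels
        if "ByteMatchStatement" in stmt:
            return req["uri"].startswith(stmt["ByteMatchStatement"]["SearchString"])
        if "RateBasedStatement" in stmt:
            rb = stmt["RateBasedStatement"]
            scope = rb.get("ScopeDownStatement")
            # Requests outside the scope-down are neither counted nor matched.
            if scope and not self._matches(scope, rule_name, req, labels, now):
                return False
            key = req["ip"] if rb["AggregateKeyType"] == "IP" else "ALL"
            return self._count(rule_name, key, now) > rb["Limit"]
        raise ValueError(f"unsupported statement: {list(stmt)}")

    def evaluate(self, req, now):
        labels = set()
        for rule in self.rules:
            if not self._matches(rule["Statement"], rule["Name"], req, labels, now):
                continue
            # A matching rule adds its labels whatever its action is.
            labels.update(lbl["Name"] for lbl in rule.get("RuleLabels", []))
            if "Block" in rule["Action"]:
                return "BLOCK", labels
            if "Allow" in rule["Action"]:
                return "ALLOW", labels
            # Count: record the match and keep walking the later rules.
        return "ALLOW", labels  # Web ACL default action


def run_scenario(campaign_load):
    """Constructed traffic: optionally 25 shoppers (one request each), then one
    client bursting 8 requests. Returns how the model disposed of the requests."""
    acl = WebAclModel(CAMPAIGN_RULES)
    stats = {"ALLOW": 0, "BLOCK": 0, "labelled": 0}
    t = 0

    def send(ip):
        nonlocal t
        t += 1
        action, labels = acl.evaluate({"ip": ip, "uri": "/sale/item"}, t)
        stats[action] += 1
        stats["labelled"] += "volumetric-traffic" in labels

    if campaign_load:
        for i in range(25):
            send(f"198.51.100.{i}")
    for _ in range(8):
        send("203.0.113.7")
    return stats


if __name__ == "__main__":
    print("quiet site:   ", run_scenario(campaign_load=False))
    print("campaign load:", run_scenario(campaign_load=True))
```

On the quiet site the bursting client is never blocked, because the per-IP rule is scoped to a label that stage 1 never attaches; under campaign load the label appears once the shared counter passes 20, and only the client that also exceeds the per-IP limit is blocked, while the shoppers carrying the label are still allowed. The same mechanism is what the revenue-application pattern uses: the first rules run in Count mode and only label, and the enforcement rules decide on the labels.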
## Additional Resources
- Bot Mitigation Strategy blog post
- Challenge flow detailed explanation
- Configuration examples