Comprehensive Attack Mitigation Strategies for Large-Scale Web Applications

Developing attack mitigation strategies for large-scale web applications

This guide explores the architecture and implementation of security controls to protect large-scale web applications, focusing on the AWS ecosystem as defined in the SAP-C02 curriculum. We cover the transition from edge protection to host-level hardening.

Learning Objectives

  • Differentiate between Layer 3/4 and Layer 7 attack mitigation tools.
  • Design a multi-layered defense-in-depth strategy using AWS Shield, WAF, and Firewall Manager.
  • Analyze strategies for reducing the attack surface through resource isolation and automated vulnerability scanning.
  • Implement centralized security management across multiple AWS accounts.

Key Terms & Glossary

  • DDoS (Distributed Denial of Service): A malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
  • SQL Injection (SQLi): An attack that involves inserting malicious SQL code into input fields to manipulate a backend database.
  • Cross-Site Scripting (XSS): An attack where malicious scripts are injected into otherwise benign and trusted websites.
  • Stateful Firewall: A firewall that keeps track of the state of network connections (e.g., Security Groups).
  • Stateless Firewall: A firewall that treats each packet in isolation (e.g., Network ACLs).
  • SRT (Shield Response Team): A specialized team of experts available to Shield Advanced customers to help mitigate complex attacks.

The "Big Idea"

Security for large-scale applications is not a single "wall" but a series of overlapping filters. Defense in Depth ensures that if one layer is bypassed (e.g., a sophisticated Layer 7 attack slips through a WAF rule), secondary layers (e.g., host-level hardening and security groups) prevent a total system compromise. Effective mitigation requires moving the defense as close to the "edge" (the user) as possible to prevent malicious traffic from ever consuming internal resources.

Formula / Concept Box

Feature           | AWS Shield Standard | AWS Shield Advanced
------------------|---------------------|-------------------------------
Protection Layers | Layer 3 & 4         | Layer 3, 4, & 7
Cost              | Free (Included)     | $3,000/month + Data Transfer
Response Team     | No                  | Yes (SRT)
Cost Protection   | No                  | Yes (Scaling credits)
WAF Integration   | Included separately | Included at no extra cost

Hierarchical Outline

  1. Edge & Perimeter Protection
    • AWS Shield: Automatic protection against volumetric DDoS attacks at the infrastructure layer.
    • AWS WAF: Granular control over Layer 7 traffic (HTTP/S) using Web ACLs and Managed Rule Sets.
    • Amazon CloudFront: Distributes traffic and absorbs attacks at the global edge locations.
  2. Network-Level Security
    • Security Groups: Stateful instance-level firewalls; implement the Principle of Least Privilege.
    • Network ACLs (NACLs): Stateless subnet-level firewalls for broad IP-based blocking.
    • Resource Isolation: Segregating business domains into different VPCs or Accounts.
  3. Compute & Host Hardening
    • Vulnerability Assessment: Using Amazon Inspector and ECR Image Scanning for containers.
    • Patch Management: AWS Systems Manager (SSM) Patch Manager for automated OS updates.
    • Attack Surface Reduction: Stripping unnecessary software libraries and using CIS-hardened AMIs.
  4. Centralized Management
    • AWS Firewall Manager: Deploying consistent security policies (WAF, Shield, Security Groups) across an entire AWS Organization.

Visual Anchors

Traffic Flow Mitigation (diagram not reproduced here)

Defense in Depth (Layered Model) (diagram not reproduced here)

Definition-Example Pairs

  • Managed Rule Sets: Pre-configured WAF rules provided by AWS or Marketplace sellers to protect against common threats.
    • Example: Enabling the "Amazon IP Reputation List" to automatically block traffic from known malicious actors.
  • Resource Isolation: The practice of placing sensitive workloads in dedicated network segments.
    • Example: Placing a payment processing microservice in a separate VPC with VPC Peering restricted only to the necessary application tier.
  • Stateful Filtering: A mechanism where the firewall remembers the state of active connections and automatically allows return traffic.
    • Example: Creating an outbound rule in a Security Group for port 443; the firewall automatically permits the inbound response without an explicit inbound rule.

Worked Examples

Scenario: Protecting a Globally Scaled E-commerce Site

The Challenge: A company is launching a global sale and fears competitors might use botnets to scrape prices or launch HTTP flood attacks to crash the site.

The Strategy:

  1. Deploy CloudFront: Use the global edge to absorb traffic and terminate SSL/TLS.
  2. Apply AWS Shield Advanced: Protect the CloudFront distribution and the Route 53 zones. This provides automatic L3/4 mitigation and financial protection against scaling spikes.
  3. Configure WAF Web ACLs:
    • Add a Rate-Limit rule to block any IP address making more than 2,000 requests per 5 minutes.
    • Add SQLi and XSS prevention rules to the checkout URI.
  4. Use Firewall Manager: Ensure that every new ALB created across 20 child accounts automatically inherits these WAF rules.
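The Web ACL from step 3 of the strategy, as an added example that is not part of the study guide: a Python function that assembles the WAFv2 rule definitions with the 2,000-requests-per-5-minutes rate limit and the AWS-managed SQLi and Common (XSS) rule groups scoped down to the checkout path. It assumes the checkout URI starts with "/checkout" and makes no AWS call; the returned list is the shape of the `Rules` argument that boto3's `wafv2` client takes for `create_web_acl`.

```python
RATE_LIMIT = 2000              # requests per 5-minute window (scenario value)
CHECKOUT_PREFIX = "/checkout"  # assumed path prefix of the checkout URI


def visibility(metric_name):
    """CloudWatch/sampling settings that every WAF rule must carry."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def checkout_scope(prefix):
    """Scope-down statement: the parent rule applies only to requests whose
    URI path starts with the checkout prefix (compared in lowercase)."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "STARTS_WITH",
        "SearchString": prefix.encode(),  # boto3 expects bytes here
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}


def managed_group(group_name, priority, scope_down=None):
    """AWS-managed rule group; managed groups take OverrideAction, not Action."""
    statement = {"VendorName": "AWS", "Name": group_name}
    if scope_down is not None:
        statement["ScopeDownStatement"] = scope_down
    return {"Name": group_name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": statement},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(group_name)}


def build_rules(limit=RATE_LIMIT, checkout_prefix=CHECKOUT_PREFIX):
    """Return the rule list; WAF evaluates the lowest Priority number first."""
    rate_rule = {
        "Name": "RateLimitPerIP", "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit,
                                             "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("RateLimitPerIP")}
    scope = checkout_scope(checkout_prefix)
    return [
        rate_rule,                                                  # HTTP floods
        managed_group("AWSManagedRulesAmazonIpReputationList", 1),  # known bad IPs
        managed_group("AWSManagedRulesSQLiRuleSet", 2, scope),      # SQLi on checkout
        managed_group("AWSManagedRulesCommonRuleSet", 3, scope),    # XSS on checkout
    ]
```

Firewall Manager can then push a Web ACL built from this list to every ALB in the organization, which is step 4 of the strategy.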

Checkpoint Questions

  1. Which AWS service would you use to automatically patch a fleet of 500 EC2 instances across multiple regions?
  2. What is the main advantage of AWS Shield Advanced over Shield Standard regarding Layer 7 attacks?
  3. How do Security Groups and NACLs differ in their handling of return traffic?
  4. In a multi-account environment, what tool simplifies the deployment of a WAF baseline?

Muddy Points & Cross-Refs

  • WAF vs. Security Groups: Remember that WAF operates at Layer 7 (inspecting the contents of the HTTP request), while Security Groups operate at Layer 4 (IPs and Ports). You usually need both.
  • Shield Advanced Pricing: It is expensive ($3,000/month). For the exam, only recommend it if the requirement mentions SRT access, Layer 7 DDoS monitoring, or financial protection.
  • Cross-Reference: For more on resource isolation, see Chapter 3: Designing a Multi-Account AWS Environment.

Comparison Tables

Feature    | Security Group                    | Network ACL (NACL)
-----------|-----------------------------------|------------------------------------------------
Layer      | Layer 4 (Transport)               | Layer 4 (Transport)
Scope      | Instance / Interface              | Subnet
State      | Stateful (Return traffic allowed) | Stateless (Return traffic needs explicit rule)
Rule Logic | Allow rules only                  | Allow and Deny rules
Processing | All rules evaluated               | Rules evaluated in order (lowest number first)
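To make the stateful versus stateless rows of this table (and the Stateful Filtering definition-example pair above) concrete, here is an added Python model that is not AWS code: a Security Group and a NACL each evaluate the same outbound HTTPS request and its reply, using the table's rules for state, allow/deny logic and processing order. Addresses, ports and rule sets are constructed for the example.

```python
import ipaddress

def in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class SecurityGroup:
    """Stateful: allow rules only, every rule evaluated, and replies to an
    allowed outbound connection pass without any inbound rule."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}  # [(cidr, (lo, hi))]
        self.flows = set()  # (peer_ip, peer_port) of connections allowed out

    def evaluate(self, direction, src_ip, src_port, dst_ip, dst_port):
        if direction == "in" and (src_ip, src_port) in self.flows:
            return True  # return traffic of a tracked connection
        remote, port = (src_ip, dst_port) if direction == "in" else (dst_ip, dst_port)
        allowed = any(in_cidr(cidr, remote) and lo <= port <= hi
                      for cidr, (lo, hi) in self.rules[direction])
        if allowed and direction == "out":
            self.flows.add((dst_ip, dst_port))
        return allowed

class NetworkACL:
    """Stateless: numbered allow/deny rules, lowest number first, first
    match wins, implicit deny at the end, no memory of connections."""
    def __init__(self, inbound, outbound):
        # each rule: (number, cidr, (lo, hi), "allow" | "deny")
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def evaluate(self, direction, src_ip, src_port, dst_ip, dst_port):
        remote, port = (src_ip, dst_port) if direction == "in" else (dst_ip, dst_port)
        for _number, cidr, (lo, hi), action in self.rules[direction]:
            if in_cidr(cidr, remote) and lo <= port <= hi:
                return action == "allow"
        return False

def demo(extra_nacl_inbound=()):
    """Outbound HTTPS from 10.0.0.5 to 203.0.113.10 and the reply back
    (constructed addresses); extra NACL inbound rules can be supplied."""
    sg = SecurityGroup(inbound=[], outbound=[("0.0.0.0/0", (443, 443))])
    allow_443 = [(100, "0.0.0.0/0", (443, 443), "allow")]
    nacl = NetworkACL(inbound=allow_443 + list(extra_nacl_inbound), outbound=allow_443)
    request = ("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = ("203.0.113.10", 443, "10.0.0.5", 51000)
    return {"sg_request": sg.evaluate("out", *request),
            "sg_reply": sg.evaluate("in", *reply),
            "nacl_request": nacl.evaluate("out", *request),
            "nacl_reply": nacl.evaluate("in", *reply)}
```

With only the port 443 rules, `demo()` passes the reply through the Security Group but the NACL drops it, because the reply arrives on ephemeral port 51000 and a stateless filter needs an explicit inbound allow for the 1024-65535 range.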
