Edge Insights from Re:Inforce 2024
I am sharing some insights from sessions at Re:Inforce that focused on protecting web applications using AWS Edge services like AWS WAF.
The first confirmed trend is the evolution of DDoS attacks towards application-level vectors, away from the layer 3 and layer 4 volumetric attacks that cloud providers have become very efficient at blocking. For example, in 2022 the biggest HTTP flood seen on AWS was 8.4M RPS, whereas in 2023 it reached 155M RPS. On one hand, this is pushing customers to give more attention to application-level security controls, such as hardening their WAF rules. On the other hand, it's driving internal efforts in AWS to add more native protections to public-facing services like CloudFront and ALB, placed as early as possible in the networking stack so that they are faster and cheaper to operate.
In the testimony of Catch Group, I noted two important points to be considered by customers looking for web application protection solutions:
I love the way the presenters gamified the key messages they wanted to send to their audience, and I will most likely steal it for my next presentations. The first presenter played the role of the bad guy trying to attack an internet-facing application, while our famous Tom Adamski played the role of the good guy, protecting the application from the attacks. One of the key messages, which I often repeat to my customers, is the importance of defense in depth using multiple security controls on different layers.
One notable trend across the sessions is the focus on bot management techniques, given that 47% of internet traffic is generated by automated bots, according to a study cited in the sessions. The following lightning talks focus on this topic:
Other relevant sessions: