How Catch Group Uses AWS WAF Bot Control on Their Ecommerce Platform (NIS306)

Title: AWS re:Inforce 2024 - How Catch Group uses AWS WAF Bot Control on their ecommerce platform (NIS306)

Insights:

  • Introduction and Context: The session was presented by Robbie Curay, a Senior Solutions Architect at AWS, alongside Cameron Hall from Catch and Etienne Munich from AWS. The focus was on Catch's journey from experiencing a DDoS attack to implementing AWS WAF Bot Control to enhance their security posture.
  • Global Threat Landscape: Over the past 12 months, AWS Shield recorded 212,000 DDoS events, with the largest request flood peaking at 155 million requests per second. Attacks have also grown more sophisticated, shifting from infrastructure and network-layer floods (Layer 3 and 4) to application-layer attacks (Layer 7), which are harder to absorb because every request costs the backend real work.
  • Impact on Performance: Performance is critical for customer satisfaction, especially in retail. A 1-second increase in latency can lead to a 17% decrease in conversion rates. Bots contribute significantly to latency and can make websites unavailable.
  • Types of Bot Attacks: Common bot attacks include content scraping, credential stuffing, card cracking, account creation fraud, scalping, and denial of service. These attacks can lead to customer dissatisfaction, revenue loss, and brand reputation damage.
  • Catch's DDoS Attack Experience: In 2022, Catch experienced a DDoS attack that pushed request traffic to 11 times the normal rate and overwhelmed their backend APIs. They had AWS Shield Standard and AWS WAF in place, but Shield Standard only covers Layer 3 and 4, and every AWS managed rule group in their WAF had been left in count mode, so nothing was actually blocking the Layer 7 flood.
  • Post-Attack Measures: Catch implemented a global rate limit, created a block list and playbook, and introduced a geo-block rule to restrict traffic to Australia and New Zealand. They also reassessed their security solutions, considering AWS Shield Advanced and AWS WAF Bot Control.
  • Cost Considerations: Catch found that third-party bot-management solutions were far more expensive than AWS's offering, with starting prices close to a quarter of a million dollars. Their total cost of ownership analysis showed the AWS option saving roughly 2x in the first year and 4x in every year after that.
  • Implementation Strategy: Catch used a phased approach to implement AWS WAF rules, starting with count mode to observe traffic patterns and adjust rules before promoting them to block mode. They also built a dashboard in Datadog to monitor and analyze WAF logs.
  • Bot Control Capabilities: AWS WAF Bot Control includes common bot detection (signature-based) and targeted bot detection (behavior-based). The targeted rules rely on a token that the AWS WAF client application integration SDK (JavaScript and mobile) obtains through a silent browser challenge; without the SDK, the token-based targeted detections and the in-page CAPTCHA flow are not available, which is why the session treated the SDK as necessary for full functionality, including browser fingerprinting and CAPTCHA challenges.
  • Best Practices: Key recommendations include starting with count mode for any new rule, addressing false positives with scope-down statements rather than disabling the rule, and ensuring WAF logs are ingested and analyzed in an observability platform so count-mode matches can actually be reviewed.
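The post-attack rule set described above (geo-restriction to Australia and New Zealand, a global rate limit, and Bot Control rolled out count-first and then promoted to block) can be expressed in the JSON rule shape that `aws wafv2 create-web-acl --rules` and boto3's `Rules=` accept. The block below is an added example written for this page, not Catch's or AWS's own configuration; the rule names, priorities, the 2000-request limit and the IP set ARN are assumptions, and no AWS call is made so it runs offline.

```python
"""Build a phased WAFv2 rule set in the API's JSON shape and lint it for the
'everything left in count mode' mistake. Names, priorities, the rate limit
and the IP set ARN are assumptions for this example; nothing is sent to AWS."""
import copy
import json


def visibility(metric):
    # Sampled requests and CloudWatch metrics are what make count mode observable at all.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def geo_block_rule(priority, allowed=("AU", "NZ")):
    """Block every request whose source country is NOT in the allowed list."""
    return {
        "Name": "GeoAllowANZ", "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": list(allowed)}}}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("GeoAllowANZ"),
    }


def global_rate_limit_rule(priority, limit=2000):
    """Rate-based rule keyed on source IP (evaluated over the default 5-minute window)."""
    return {
        "Name": "GlobalRateLimit", "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("GlobalRateLimit"),
    }


def bot_control_rule(priority, mode, ip_set_arn=None):
    """Bot Control managed rule group. mode='count' observes (phase 1), mode='block' enforces (phase 2).
    ip_set_arn (hypothetical) scopes the whole group away from a trusted IP set, e.g. partner integrations."""
    stmt = {
        "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet",
        "ManagedRuleGroupConfigs": [{"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "TARGETED"}}],
    }
    if ip_set_arn:
        stmt["ScopeDownStatement"] = {
            "NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}}}}
    return {
        "Name": "AWS-AWSManagedRulesBotControlRuleSet", "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": stmt},
        # Managed rule groups take OverrideAction, not Action: Count overrides every rule in the group.
        "OverrideAction": {"Count": {}} if mode == "count" else {"None": {}},
        "VisibilityConfig": visibility("BotControl"),
    }


def build_rules(bot_mode="count", trusted_ip_set_arn=None):
    """Phase-1 rule set: geo-block and rate limit enforce immediately, Bot Control only counts."""
    return [
        geo_block_rule(0),
        global_rate_limit_rule(1),
        bot_control_rule(2, bot_mode, trusted_ip_set_arn),
    ]


def promote_to_block(rule):
    """Phase 2: switch a rule from observe to enforce without touching its match statement."""
    promoted = copy.deepcopy(rule)
    if "OverrideAction" in promoted:
        promoted["OverrideAction"] = {"None": {}}
    else:
        promoted["Action"] = {"Block": {}}
    return promoted


def rules_stuck_in_count(rules):
    """Names of managed rule groups whose override is still Count: the state that 'doesn't help anyone'."""
    return [r["Name"] for r in rules if "OverrideAction" in r and "Count" in r["OverrideAction"]]


if __name__ == "__main__":
    phase1 = build_rules("count", "arn:aws:wafv2:ap-southeast-2:123456789012:regional/ipset/partners/abc")
    print("still counting:", rules_stuck_in_count(phase1))
    phase2 = [promote_to_block(r) for r in phase1]
    print("still counting after promotion:", rules_stuck_in_count(phase2))
    print(json.dumps(phase2, indent=2))
```

Two caveats a practitioner would add: the geo rule at priority 0 terminates before Bot Control runs, so any verified-bot or scope-down logic never sees overseas traffic, which is the trade-off Catch accepted; and `rules_stuck_in_count` is the check to run before declaring a rollout finished, because a web ACL that is all count mode looks deployed in the console while blocking nothing.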
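The implementation strategy and best practices above hinge on one loop: run rules in count mode, read the WAF logs, separate real bot traffic from wanted traffic that also matched, scope the latter out, then promote. The following block is an added example of that review step, written for this page rather than taken from Catch's Datadog dashboard or any AWS tooling. It follows the AWS WAF log record layout (count-mode hits appear under `nonTerminatingMatchingRules`, Bot Control adds `awswaf:managed:aws:bot-control:*` labels), but every record is constructed: the web ACL ARN is hypothetical, the IPs are documentation ranges, and the 5-match threshold and trusted-IP list are assumptions.

```python
"""Analyse AWS WAF logs (one JSON object per line, as delivered to S3 or
Kinesis Data Firehose) to decide whether rules running in count mode are
ready for block mode and which sources need a scope-down first.
All log records here are constructed for the example."""
import json
from collections import Counter, defaultdict

BOT_GROUP = "AWS#AWSManagedRulesBotControlRuleSet"


def make_record(ip, country, uri, ua, counted, labels=(), action="ALLOW"):
    """One WAF log record in the documented log shape (constructed sample data)."""
    return {
        "timestamp": 1718000000000, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:ap-southeast-2:123456789012:regional/webacl/shop/example",  # hypothetical
        "terminatingRuleId": "Default_Action" if action == "ALLOW" else "GeoAllowANZ",
        "terminatingRuleType": "REGULAR", "action": action, "httpSourceName": "ALB",
        "ruleGroupList": [{
            "ruleGroupId": BOT_GROUP, "terminatingRule": None, "excludedRules": None,
            # Rules overridden to COUNT are reported here, not as the terminating rule.
            "nonTerminatingMatchingRules": [
                {"ruleId": r, "action": "COUNT", "ruleMatchDetails": []} for r in counted],
        }],
        "rateBasedRuleList": [], "nonTerminatingMatchingRules": [],
        "labels": [{"name": name} for name in labels],
        "httpRequest": {"clientIp": ip, "country": country, "uri": uri, "httpMethod": "GET",
                        "headers": [{"name": "User-Agent", "value": ua}]},
    }


def constructed_log_lines():
    """Constructed traffic mix: scrapers, a partner integration, a browser, one geo-blocked request."""
    recs = []
    for i in range(8):  # scrapers: python-requests from many IPs hitting product pages
        rules = ["SignalNonBrowserUserAgent", "CategoryHttpLibrary"] + (["SignalAutomatedBrowser"] if i < 2 else [])
        recs.append(make_record(f"198.51.100.{i}", "AU", f"/product/{1000 + i}", "python-requests/2.31", rules,
                                ["awswaf:managed:aws:bot-control:signal:non_browser_user_agent",
                                 "awswaf:managed:aws:bot-control:bot:category:http_library"]))
    for _ in range(6):  # a known partner's stock-sync job: also an HTTP library, but wanted traffic
        recs.append(make_record("203.0.113.10", "AU", "/api/stock", "okhttp/4.9", ["CategoryHttpLibrary"],
                                ["awswaf:managed:aws:bot-control:bot:category:http_library"]))
    recs.append(make_record("192.0.2.5", "NZ", "/", "Mozilla/5.0 (example browser)", []))
    recs.append(make_record("192.0.2.99", "US", "/checkout", "Mozilla/5.0 (example browser)", [], action="BLOCK"))
    return "\n".join(json.dumps(r) for r in recs)


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def counted_matches(record):
    """Yield (rule_group, rule_id) for every COUNT match, inside a managed group or at web ACL level."""
    for group in record.get("ruleGroupList") or []:
        for m in group.get("nonTerminatingMatchingRules") or []:
            if m.get("action") == "COUNT":
                yield group["ruleGroupId"], m["ruleId"]
    for m in record.get("nonTerminatingMatchingRules") or []:
        if m.get("action") == "COUNT":
            yield "webacl", m["ruleId"]


def summarise(records):
    """Per counted rule: total matches plus the IPs, URIs, countries and labels behind them."""
    stats = defaultdict(lambda: {"total": 0, "ips": Counter(), "uris": Counter(),
                                 "countries": Counter(), "labels": Counter()})
    for rec in records:
        req = rec["httpRequest"]
        labels = [l["name"] for l in rec.get("labels") or []]
        for group, rule in counted_matches(rec):
            s = stats[f"{group}/{rule}"]
            s["total"] += 1
            s["ips"][req["clientIp"]] += 1
            s["uris"][req["uri"]] += 1
            s["countries"][req.get("country", "??")] += 1
            s["labels"].update(labels)
    return stats


def recommend(stats, trusted_ips=frozenset(), min_samples=5):
    """Promotion decision per rule. 'keep-counting': too few matches to judge.
    'scope-down': wanted traffic (trusted_ips) is matching, so exclude it before blocking.
    'block': enough matches and none from a trusted source."""
    out = {}
    for rule, s in stats.items():
        trusted = sorted(ip for ip in s["ips"] if ip in trusted_ips)
        if s["total"] < min_samples:
            action = "keep-counting"
        elif trusted:
            action = "scope-down"
        else:
            action = "block"
        out[rule] = {"action": action, "matches": s["total"], "exclude_ips": trusted,
                     "top_uris": s["uris"].most_common(3)}
    return out


if __name__ == "__main__":
    stats = summarise(parse_records(constructed_log_lines()))
    for rule, r in recommend(stats, trusted_ips={"203.0.113.10"}).items():
        print(f"{rule}: {r['action']} ({r['matches']} matches, exclude {r['exclude_ips']})")
```

On the constructed data, `SignalNonBrowserUserAgent` is matched only by the scrapers and comes out as ready to block, `CategoryHttpLibrary` is also matched by the partner's job and comes out as "scope-down" with that IP listed for exclusion, and `SignalAutomatedBrowser` has too few hits to judge. The same aggregation is what a Datadog or CloudWatch dashboard over the WAF log stream should surface; the point of doing it per rule and per source is that a false positive is fixed by narrowing the rule's scope, not by leaving the whole group in count mode.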

Quotes:

  • "We have had a total of 212,000 DDoS events over the last 12 months."
  • "Bots have this innate nature of slowing down and adding additional latency into your workloads."
  • "47% of internet traffic is bot-based. Humans account for only 53%."
  • "We had AWS WAF, but we had left every single Amazon managed rule in count mode, and doing that doesn't really help anyone at all."
  • "The starting price for any of these solutions that we're looking at was close to a quarter of a million dollars."
  • "The total cost of ownership for us with the AWS option rendered savings of two times in the first year, and then four times every year thereafter."
  • "You can't just enable some of these rules, walk away and hope for the best."
  • "Use count actions when you're testing new rules, irrespective."
  • "Ensure that you're ingesting and analyzing the WAF logs. Aggregation is absolutely imperative."
  • "Always be caching. The more you cache, the more you offload of your origin services."