The document discusses how Slack uses Amazon CloudFront to accelerate its API delivery. Some key points:
- Slack saw performance and latency improvements by migrating its API from Elastic Load Balancers to CloudFront. This included average latency dropping from 90ms to 15ms worldwide.
- CloudFront provides automatic DDoS protection and security benefits that have improved reliability compared to other CDN providers.
- Slack serves over 5 billion API requests per week and saw response times drop from 480ms to 200ms on average worldwide after using CloudFront.
- Future plans include pushing more functionality like rate limiting to the edge for improved performance and security.
5. Challenges with Delivering APIs
API Response Time
APIs are often not
cacheable
Improving performance is
non-trivial
Security & DDoS Target
Protect from DDoS attacks
Block malicious activity
Scaling & Availability
Operational burden
Availability risks
@cloudfront
14. DDoS Protection for AWS Infrastructure
Inherent Protection
You don’t have to
enable anything
Layer 3/4 attacks like
SYN and UDP floods.
Layer 7 attacks like
Slowloris
Inline Detection &
Mitigation
Low MTTR
Microsecond latencies
Proven DDoS
Mitigation Techniques
Targeted and heuristic
mitigations
virtual private cloud
AWS global infrastructure
DDoS attack
Users AWS
DDoS mitigation
Amazon
CloudFront
Amazon
Route 53
@cloudfront
15. DDoS Mitigation Techniques
Basic Hygiene
Automatically filters
invalid Packets
e.g., block any UDP
destined to CloudFront
Traffic ACLs
Prioritize good vs bad
traffic based on several
factors
- DNS Request validation
- Source IP
- Source ASN
- Traffic Levels
- Validated Sources
Redundant High
Capacity Network Paths
Viewers always have a path
to reach CloudFront
@cloudfront
16. DDoS Mitigation
No Impact to Availability even during DDoS Attack
Sample Attack on CloudFront Customer
@cloudfront
19. Designed for High Availability
DDoS Attacks
Ensures DDoS attacks
don’t cause outages
Scale for Traffic Surge
Load based dynamic routing
Multiple transit providers
Collapse forwarding
Maintain buffer
Operator Errors
Fault tolerant deployment
Mitigate the Top 3 Risks for Availability
@cloudfront
26. ● POSTs and GETs to an HTTPS endpoint
Responses will come back as json objects
● All Slack clients are API consumers
Mobile, Desktop and Web clients use our API
● Accelerated Globally using CloudFront
Requests to slack.com and the HTTPS API are powered by
CloudFront
Web API
27. ● Search for all files or messages containing the string “Hello”
GET https://slack.com/api/search.all?token=xoxp-...&query=Hello
● List all channels along with their members
GET https://slack.com/api/channels.list?token=xoxp-...
● Create a new channel called “#test”
GET https://slack.com/api/channels.create?token=xoxp-...&name=test
Web API Examples
28. 3 Million Daily Active Users
Each user is making API calls all day.
1.5 Billion Total Requests Per Day
Over 10 Billion per week!
52% of those are API requests
Over 5 Billion API requests per week!
👤
🚀
📈
Web API Stats
30. DDoS Protection & Security Benefits
Amazon has some tricks up their sleeve.
Network Infrastructure
AWS Global Network Backbone
Performance and Reliability
CloudFront is designed for high volumes of traffic.
🔒
📈
📡
Benefits with Amazon CloudFront
31. ● Flexibility and ability to customize
No magic switches, everything can be configured.
● Outperformed all other DDoS and CDN providers
CloudFront stability was better than the other providers we tested.
● Pairs nicely with existing AWS technology
CloudFront is easy to configure with ELB and S3.
Why We Chose Amazon CloudFront
33. Caching Disabled
All API responses are dynamic so nothing is cached.
Forward all headers, cookies and query strings to origin
Forward all the things!
S3 bucket with static HTML error pages
If the origin is not responding we will still serve an error page from
S3.
💥
📉
Amazon CloudFront Configuration
42. ● Less affected by internet outages and route leaks.
Traffic enters the AWS backbone closer to the client.
● Slack loads more quickly all around the world.
The client spends less time waiting for API calls.
● Automatic DDoS protection
We let AWS deal with DDoS attacks without waking up the ops team.
Direct Benefits for Slack
44. ● Pushing Rate Limits to the edge.
Less infrastructure to maintain means less time and money.
● Limiting unauthenticated requests at the edge.
Stop high layer DDoS attacks early by setting per IP request limits.
● Alerting or posting to Slack when rate limits are tripped.
We want to know about this, it might be an attack or misconfiguration.
Rate Limiting
45. ● Manually adding rules to mitigate an attack
If our infrastructure is overwhelmed we can block at the edge.
● Blocking known bad IPs
Block known botnets using IP Blacklists.
● Using Lambda and WAF to block based on rule sets
Determine safe limits and temporarily block offenders.
Blocking Malicious Traffic