AWS Infrastructure Monitoring for DDoS Attacks

Identifying DDoS Attack Indicators on AWS


Question

Which of the following metrics can help you understand whether your infrastructure in AWS (EC2+ELB) is under a DDoS attack?

Choose 2 answers from the options given below.

Answers

A. EC2 CPU Utilization
B. ELB SurgeQueueLength
C. HealthyHostCount
D. UnHealthyHostCount

Explanations

Answer - A and B.

Definitely the CPU utilization of the backend instances can give an indication of whether the backend instances are under tremendous load.

Surge queue length is defined by the number of requests that are queued by Elastic Load Balancing (ELB).

These requests are queued when back-end systems are unable to process incoming requests as fast as the requests are being received.

For more information on ELB troubleshooting, please refer to the URL below:

https://aws.amazon.com/premiumsupport/knowledge-center/elb-capacity-troubleshooting/

The correct answers are B. ELB SurgeQueueLength and D. UnHealthyHostCount.

Explanation:

A Distributed Denial of Service (DDoS) attack is an attempt to overwhelm a network or server with traffic to make it unavailable to its users. When an infrastructure in AWS (EC2+ELB) is under a DDoS attack, there are several indicators that can help detect and mitigate the attack.

  1. EC2 CPU Utilization: Although high CPU utilization is a sign of increased network activity, it does not necessarily indicate a DDoS attack. It could be caused by legitimate user traffic, poorly optimized applications, or other factors. Therefore, high CPU utilization alone cannot determine if your infrastructure is under a DDoS attack.

  2. ELB SurgeQueueLength: ELB (Elastic Load Balancer) is a service provided by AWS that distributes incoming traffic across multiple EC2 instances. The SurgeQueueLength metric measures the number of requests that are waiting in the Elastic Load Balancer's queue to be forwarded to the EC2 instances. During a DDoS attack, the number of requests can spike suddenly and dramatically, causing the SurgeQueueLength to increase. If the SurgeQueueLength is consistently high, it could indicate that your infrastructure is under a DDoS attack.

  3. HealthyHostCount: The HealthyHostCount metric indicates the number of EC2 instances that are healthy and able to handle traffic. During a DDoS attack, some instances may become overloaded and unresponsive, causing the HealthyHostCount to decrease. However, this metric alone cannot determine if your infrastructure is under a DDoS attack since it could also be caused by other factors such as configuration issues or infrastructure failures.

  4. UnHealthyHostCount: The UnHealthyHostCount metric indicates the number of EC2 instances that are unhealthy and unable to handle traffic. During a DDoS attack, some instances may become unresponsive or stop responding, causing the UnHealthyHostCount to increase. Therefore, monitoring this metric can help determine if your infrastructure is under a DDoS attack.

In conclusion, monitoring the ELB SurgeQueueLength and UnHealthyHostCount metrics can help determine if your infrastructure in AWS (EC2+ELB) is under a DDoS attack.
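As an added example, not part of either posted answer or of the exam material, the following Python scores a window of CloudWatch datapoints for the metrics both explanations above discuss (SurgeQueueLength, HealthyHostCount, UnHealthyHostCount, CPUUtilization) and builds the query list that would fetch them with boto3's get_metric_data; no API call is made, and the load balancer name, Auto Scaling group name, thresholds and datapoints are placeholders or constructed. Two caveats worth knowing when you act on these answers: SurgeQueueLength and its companion SpilloverCount exist only for Classic Load Balancers (namespace AWS/ELB), and SurgeQueueLength is capped at 1024, so a reading stuck at the cap means requests are already being dropped and SpilloverCount should be watched alongside it. The verdict the code returns is a capacity-exhaustion signature, not proof of an attack: organic load or a bad deploy produces the same shape, so confirm against RequestCount, VPC Flow Logs or AWS Shield findings before declaring a DDoS.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean

# Classic ELB caps SurgeQueueLength at 1024; beyond that, requests are rejected
# and counted in SpilloverCount, so a flat 1024 is worse than it looks.
SURGE_QUEUE_MAX = 1024


@dataclass(frozen=True)
class Sample:
    """One period of the five metrics, already reduced to a single statistic."""
    surge_queue: float   # AWS/ELB SurgeQueueLength, Maximum
    spillover: float     # AWS/ELB SpilloverCount, Sum
    healthy: float       # AWS/ELB HealthyHostCount, Minimum
    unhealthy: float     # AWS/ELB UnHealthyHostCount, Maximum
    cpu: float           # AWS/EC2 CPUUtilization (Average across the ASG)


def metric_queries(lb_name: str, asg_name: str, period: int = 60) -> list:
    """MetricDataQueries for cloudwatch.get_metric_data (shape only, no call)."""
    def q(qid, namespace, name, stat, dims):
        return {"Id": qid, "ReturnData": True,
                "MetricStat": {"Metric": {"Namespace": namespace, "MetricName": name,
                                          "Dimensions": [{"Name": k, "Value": v} for k, v in dims]},
                               "Period": period, "Stat": stat}}
    elb = [("LoadBalancerName", lb_name)]          # Classic LB dimension
    asg = [("AutoScalingGroupName", asg_name)]     # fleet-wide CPU, not per instance
    return [
        q("surge", "AWS/ELB", "SurgeQueueLength", "Maximum", elb),
        q("spill", "AWS/ELB", "SpilloverCount", "Sum", elb),
        q("healthy", "AWS/ELB", "HealthyHostCount", "Minimum", elb),
        q("unhealthy", "AWS/ELB", "UnHealthyHostCount", "Maximum", elb),
        q("cpu", "AWS/EC2", "CPUUtilization", "Average", asg),
    ]


def assess(window: list, surge_threshold: int = 100, cpu_threshold: float = 85.0) -> dict:
    """Evaluate a window of Samples (oldest first) and return which indicators fire.
    Thresholds are illustrative placeholders; tune them to the fleet's baseline."""
    if not window:
        raise ValueError("empty window")
    fired = []
    peak_surge = max(s.surge_queue for s in window)
    if peak_surge >= surge_threshold:
        fired.append("surge_queue_high")            # ELB is buffering requests
    if peak_surge >= SURGE_QUEUE_MAX or any(s.spillover > 0 for s in window):
        fired.append("surge_queue_saturated")       # queue full, requests dropped
    first, last = window[0], window[-1]
    if last.unhealthy > first.unhealthy and last.unhealthy > 0:
        fired.append("unhealthy_hosts_rising")      # backends failing health checks
    if last.healthy < first.healthy:
        fired.append("healthy_hosts_falling")
    recent = window[len(window) // 2:]              # judge CPU on the newer half only
    if mean(s.cpu for s in recent) >= cpu_threshold:
        fired.append("cpu_saturated")
    backend_degraded = {"unhealthy_hosts_rising", "healthy_hosts_falling", "cpu_saturated"} & set(fired)
    if "surge_queue_high" in fired and backend_degraded:
        verdict = "ddos_likely"       # queuing at the LB plus failing backends
    elif fired:
        verdict = "investigate"       # e.g. CPU alone, which the first answer notes is ambiguous
    else:
        verdict = "normal"
    return {"verdict": verdict, "indicators": fired, "peak_surge_queue": peak_surge}


# Constructed sample windows (five 60 s periods each), not real account data.
NORMAL = [Sample(0, 0, 4, 0, 32), Sample(2, 0, 4, 0, 35), Sample(1, 0, 4, 0, 31),
          Sample(3, 0, 4, 0, 38), Sample(0, 0, 4, 0, 33)]
ATTACK = [Sample(40, 0, 4, 0, 58), Sample(350, 0, 4, 0, 91), Sample(1024, 0, 3, 1, 98),
          Sample(1024, 140, 2, 2, 99), Sample(1024, 910, 1, 3, 99)]
CPU_ONLY = [Sample(0, 0, 4, 0, 88), Sample(1, 0, 4, 0, 92), Sample(0, 0, 4, 0, 95),
            Sample(2, 0, 4, 0, 93)]

if __name__ == "__main__":
    for label, window in (("normal", NORMAL), ("attack", ATTACK), ("cpu_only", CPU_ONLY)):
        print(label, assess(window))
    print(metric_queries("my-classic-elb", "my-asg")[0])   # placeholder resource names
```

The query builder keeps the statistics deliberate: Maximum for the queue and unhealthy count so a one-period spike is not averaged away, Minimum for healthy hosts so a brief dip is visible. Run the same evaluation as CloudWatch alarms in production rather than polling; the window here exists so the logic can be exercised offline.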