Blocking DDoS Attacks on AWS with EC2 Instances and Application Load Balancer

Extra Measures for Blocking DDoS Attacks on EC2 Instances and Application Load Balancer

Question

Your current web application is hosted on a set of EC2 Instances placed behind an Application Load Balancer.

All the Security groups and NACLs have been put into place for tight security.

What extra measures can be taken to ensure the blocking of DDoS attacks?

Explanations

Answer - A.

The AWS documentation states the following:

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced.

AWS WAF, by contrast, mitigates DDoS attacks at layer 7 of the OSI reference model.

Therefore, Option A is the correct answer.

Option B is incorrect because AWS PrivateLink is used to provide an endpoint for a service.

Option C is incorrect because AWS Shield Standard is already present as a service.

It defends against the most common, frequently occurring network and transport layer (at layers 3 and 4 of the OSI reference model) DDoS attacks that target your website or applications.

Option D is incorrect because it is just a distractor; you need a more effective mechanism for protecting against DDoS attacks.

https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

In order to protect against DDoS attacks, there are several measures that can be taken to further secure your web application hosted on EC2 instances behind an Application Load Balancer.

One option is to place AWS Shield in front of the Application Load Balancer. AWS Shield provides protection against DDoS attacks and is available in two tiers: Standard and Advanced. AWS Shield Standard is automatically included for free with Amazon CloudFront, Elastic Load Balancing, and Amazon Route 53, and provides basic protection against the most common, frequently occurring DDoS attacks. AWS Shield Advanced provides additional protection and is recommended for applications that are more likely to be targeted by DDoS attacks. It offers 24/7 support, advanced DDoS protection, and DDoS cost protection.

Another option is to consider adding more restrictive rules to the Network ACLs. Network ACLs act as a firewall for controlling traffic in and out of your VPC subnets, and can be used to block traffic from known bad IP addresses or to limit traffic to specific ports. By adding more restrictive rules to the Network ACLs, you can further enhance the security of your web application against DDoS attacks.

In summary, for the best protection against DDoS attacks, it is recommended to use the AWS Shield Advanced service in front of the Application Load Balancer and to add more restrictive rules to the Network ACLs.
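The two measures above expressed as Terraform, as an added example that is not part of the original page or of any AWS documentation. It assumes an ALB resource `aws_lb.web` and a public-subnet NACL `aws_network_acl.public` defined elsewhere, an account that already holds a Shield Advanced subscription, and a constructed bad address range (203.0.113.0/24, a documentation-only block).

```hcl
# Assumed to exist elsewhere in the configuration: aws_lb.web (the ALB)
# and aws_network_acl.public (the NACL attached to the ALB's public subnets).
# aws_shield_protection requires an active Shield Advanced subscription.

# Register the ALB with AWS Shield Advanced.
resource "aws_shield_protection" "web_alb" {
  name         = "web-alb-ddos-protection"
  resource_arn = aws_lb.web.arn
}

# NACLs evaluate rules in ascending rule_number order and the first match
# wins, so a deny rule must carry a lower number than the broad allow rule
# below or it is never reached.
resource "aws_network_acl_rule" "deny_known_bad_range" {
  network_acl_id = aws_network_acl.public.id
  rule_number    = 100
  egress         = false
  protocol       = "-1"              # all protocols
  rule_action    = "deny"
  cidr_block     = "203.0.113.0/24"  # constructed example range (TEST-NET-3)
}

# Only HTTPS may reach the ALB subnets from the internet; everything else
# falls through to the NACL's implicit final deny.
resource "aws_network_acl_rule" "allow_https_in" {
  network_acl_id = aws_network_acl.public.id
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 443
  to_port        = 443
}

# NACLs are stateless: responses to clients' ephemeral ports must be
# allowed explicitly on the egress side or the ALB cannot answer at all.
resource "aws_network_acl_rule" "allow_ephemeral_out" {
  network_acl_id = aws_network_acl.public.id
  rule_number    = 200
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 1024
  to_port        = 65535
}
```

Tightening the NACL this way limits the surface that a volumetric attack can reach, while the Shield Advanced protection on the ALB is what actually absorbs the layer 3/4 flood.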