Which of the following techniques can be used to reduce the surface of DDoS attacks on your AWS infrastructure?
Choose 3 answers from the options given below.
A. Use SQS queues to absorb the requests from the attack.
B. Deploy a load balancer in front of your computational resource.
C. Deploy a CloudFront distribution in front of your computational resource.
D. Use NACLs to control the flow of traffic.

Answer - B, C and D.
The AWS documentation mentions the following.
One of the first techniques to mitigate DDoS attacks is to minimize the surface area that can be attacked thereby limiting the options for attackers and allowing you to build protections in a single place.
We want to ensure that we do not expose our application or resources to ports, protocols or applications from which they do not expect any communication, thus minimizing the possible points of attack and letting us concentrate our mitigation efforts.
In some cases, you can do this by placing your computation resources behind Content Distribution Networks (CDNs) or Load Balancers and restricting direct Internet traffic to certain parts of your infrastructure like your database servers.
In other cases, you can use firewalls or Access Control Lists (ACLs) to control what traffic reaches your applications.
For more information on DDoS attack prevention, please refer to the URL below:
https://aws.amazon.com/shield/ddos-attack-protection/

The correct answers to the question are B, C and D. Here is a detailed explanation of each option:
A. Use SQS queues to absorb the requests from the attack: This option is not correct. Amazon Simple Queue Service (SQS) is a message queuing service that decouples and scales microservices, distributed systems and serverless applications. A queue buffers work between components that you already trust; it does not reduce the set of ports, protocols or endpoints exposed to the Internet, which is what minimizing the attack surface means. Whatever receives the attack traffic and writes it into the queue is still exposed.
B. Deploy a load balancer in front of your computational resource: This option is correct. Elastic Load Balancing (ELB) distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers and IP addresses, in one or more Availability Zones. With a load balancer in front, only the load balancer needs to be Internet-facing: the instances can sit in private subnets whose security groups accept traffic solely from the load balancer, so there is a single place to apply protections. Application Load Balancers and Classic Load Balancers accept only well-formed TCP connections, which means SYN floods and UDP reflection traffic are never forwarded to your targets, and the load balancer scales to absorb increases in legitimate traffic.
C. Deploy a CloudFront distribution in front of your computational resource: This option is correct. Amazon CloudFront is a global content delivery network (CDN) that delivers data, videos, applications and APIs from edge locations close to your users. Putting CloudFront in front of your infrastructure moves the Internet-facing surface to those edge locations: cached content is served without touching your origin, the edge accepts only well-formed connections so many common network-layer attacks never reach the origin, and the origin itself can be restricted to accept connections only from CloudFront rather than from the Internet at large.
D. Use NACLs to control the flow of traffic: This option is correct. Network access control lists (NACLs) are stateless firewalls that control the traffic entering and leaving a VPC subnet. Rules are evaluated in ascending rule-number order and the first match wins, ending in an implicit deny, so a NACL can block traffic from suspicious IP ranges or unwanted protocols and admit only the ports and sources your resources expect. Because NACLs are stateless, return traffic is not tracked automatically: the reply half of a connection needs its own rule (typically an outbound rule for the ephemeral port range), otherwise the connection is silently broken. NACLs complement security groups, which are stateful and attached to the instance, to provide layered defense.
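To make the NACL semantics above concrete, here is a small model of how a stateless, ordered rule list decides each packet. This is an added example written for this page, not AWS code and not a call to the AWS API; the addresses (load balancer subnet 10.0.1.0/24, application subnet 10.0.2.0/24, a blocked source 198.51.100.0/24) are hypothetical. It shows three things a practitioner relies on: a lower-numbered deny wins over a later allow, anything unmatched hits the implicit deny, and forgetting the outbound ephemeral-port rule lets the request in but drops the reply.

```python
"""Model of stateless network ACL evaluation for a private application subnet.

Added example for this page; not AWS code, runs fully offline.
Assumed (hypothetical) layout: load balancer in 10.0.1.0/24, application
instances in 10.0.2.0/24, and 198.51.100.0/24 a source we want blocked.
"""
from dataclasses import dataclass
import ipaddress
from typing import Iterable, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # inbound: matched against source; outbound: against destination
    port_from: int   # destination port range (simplification: "all" uses 0-65535)
    port_to: int


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


IMPLICIT_DENY = ("deny", "*")   # the unnumbered '*' rule at the end of every NACL


def evaluate(rules: Iterable[Rule], packet: Packet, direction: str) -> Tuple[str, Union[int, str]]:
    """Return (action, rule_number) of the first matching rule, or the implicit deny."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    # Inbound rules look at where the packet came from; outbound at where it is going.
    peer = packet.src_ip if direction == "inbound" else packet.dst_ip
    peer_addr = ipaddress.ip_address(peer)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != packet.protocol:
            continue
        if peer_addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        return (rule.action, rule.number)
    return IMPLICIT_DENY


def connection_allowed(inbound, outbound, client_ip, client_port, server_ip, server_port,
                       protocol="tcp") -> bool:
    """A stateless ACL sees request and reply as two unrelated packets;
    both must be allowed for the TCP connection to work."""
    request = Packet(client_ip, server_ip, protocol, server_port)
    reply = Packet(server_ip, client_ip, protocol, client_port)
    return (evaluate(inbound, request, "inbound")[0] == "allow"
            and evaluate(outbound, reply, "outbound")[0] == "allow")


# Constructed rule set for the application subnet (10.0.2.0/24).
INBOUND = [
    Rule(50, "deny", "all", "198.51.100.0/24", 0, 65535),   # known-bad source, checked first
    Rule(100, "allow", "tcp", "10.0.1.0/24", 443, 443),     # HTTPS, only from the load balancer subnet
]
OUTBOUND = [
    Rule(100, "allow", "tcp", "10.0.1.0/24", 1024, 65535),  # replies to the load balancer's ephemeral ports
]
OUTBOUND_WITHOUT_EPHEMERAL = []  # the common mistake: no return-path rule at all


if __name__ == "__main__":
    lb, app, internet, bad = "10.0.1.15", "10.0.2.20", "203.0.113.7", "198.51.100.9"
    print(evaluate(INBOUND, Packet(lb, app, "tcp", 443), "inbound"))        # ('allow', 100)
    print(evaluate(INBOUND, Packet(internet, app, "tcp", 443), "inbound"))  # ('deny', '*')
    print(evaluate(INBOUND, Packet(bad, app, "tcp", 443), "inbound"))       # ('deny', 50)
    print(connection_allowed(INBOUND, OUTBOUND, lb, 51515, app, 443))       # True
    print(connection_allowed(INBOUND, OUTBOUND_WITHOUT_EPHEMERAL, lb, 51515, app, 443))  # False
```

The last two calls are the point: the same inbound list passes the request in both cases, and only the presence of the outbound ephemeral-port rule makes the connection usable. In a real VPC the equivalent symptom is a load balancer health check that times out even though the inbound rule looks right.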
In summary, to reduce the surface of DDoS attacks on your AWS infrastructure, you can deploy a load balancer, a CloudFront distribution, and use NACLs to control the traffic flow.