AWS Certified Advanced Networking - Specialty Exam: Mitigating DDoS Attacks with AWS Services


Question

Which of the following services can be used to mitigate DDoS attacks against your application hosted in AWS?

Choose 3 answers from the options given below.

Answers

A. Route53
B. CloudFront
C. Elastic Load Balancer
D. SQS

Explanations

Answer: A, B & C.

The AWS documentation mentions the following:

  1. Route 53: One of the most common targets of DDoS attacks is the Domain Name System (DNS). Amazon Route 53 is a highly available and scalable DNS service designed to route end users to infrastructure running inside or outside of AWS. Route 53 makes it possible to manage traffic globally through a variety of routing types, and provides out-of-the-box shuffle sharding and Anycast routing capabilities to protect domain names from DNS-based DDoS attacks.

  2. CloudFront: Amazon CloudFront distributes traffic across multiple Points of Presence (PoP) locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts.

  3. Elastic Load Balancing (ELB): ELB enables the automatic distribution of application traffic to several Amazon Elastic Compute Cloud (Amazon EC2) instances across multiple Availability Zones, which minimizes the risk of overloading a single EC2 instance. Elastic Load Balancing, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances.

For more information on mitigation of DDoS attacks, refer to the link below:

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/

The following AWS services can be used to mitigate DDoS attacks to your application hosted in AWS:

  1. Route53: Amazon Route 53 is a domain name system (DNS) service that routes internet traffic to AWS resources such as EC2 instances, S3 buckets, and load balancers. Route 53 has built-in DDoS protection and can handle large amounts of traffic, including DDoS attacks. Route 53 uses a technique called "Anycast routing" to spread incoming traffic across multiple AWS edge locations, which can help absorb and mitigate DDoS attacks.

  2. CloudFront: Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. CloudFront uses AWS Shield to provide DDoS protection to the resources it serves. AWS Shield is a managed DDoS protection service that automatically detects and mitigates DDoS attacks. CloudFront has global edge locations that can help absorb and mitigate DDoS attacks by distributing traffic across multiple locations.

  3. Elastic Load Balancer: An Elastic Load Balancer (ELB) is a service that automatically distributes incoming application traffic across multiple targets, such as EC2 instances, containers, and IP addresses in a single or multiple Availability Zones. ELB has built-in DDoS protection that can detect and mitigate DDoS attacks. ELB uses AWS Shield to provide DDoS protection, and it also supports AWS WAF (Web Application Firewall), which can protect web applications from common web exploits and DDoS attacks.

  4. SQS: Amazon Simple Queue Service (SQS) is a message queue service that enables decoupling and asynchronous communication between distributed systems and microservices. SQS is not directly related to DDoS protection, and it does not have built-in DDoS protection features.

Therefore, the correct answers to this question are A. Route53, B. CloudFront, and C. Elastic Load Balancer.
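The protections described above only hold when the Route 53 / CloudFront / ELB layers are actually in front of the instances and the web-facing entry points carry a WAF web ACL; an instance with a public IP that is not registered behind a load balancer can still be flooded directly. The following posture check is an added example, not code from the exam page or from AWS: it runs over a constructed, simplified inventory (the dataclass field names are hypothetical stand-ins for the corresponding fields in the EC2, ELBv2 and CloudFront API responses) and reports directly exposed instances and internet-facing entry points with no web ACL attached.

```python
"""Posture check for the DDoS-absorbing layers discussed on the page.

The inventory records below are constructed sample data with simplified,
hypothetical field names; in a real account they would be populated from
the EC2, ELBv2, CloudFront and WAFv2 APIs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Instance:
    instance_id: str
    public_ip: Optional[str]  # None means the instance has no public address


@dataclass
class LoadBalancer:
    name: str
    scheme: str  # "internet-facing" or "internal"
    target_instance_ids: List[str]
    web_acl_arn: Optional[str]  # None means no AWS WAF web ACL is associated


@dataclass
class Distribution:
    dist_id: str
    web_acl_arn: Optional[str]  # None means no AWS WAF web ACL is associated


def find_exposed_instances(instances: List[Instance], lbs: List[LoadBalancer]) -> List[str]:
    """Instances with a public IP that are not behind any load balancer.

    Such instances can be reached directly, so the 'floods cannot reach EC2'
    property of ELB/CloudFront does not apply to them.
    """
    behind_lb = {iid for lb in lbs for iid in lb.target_instance_ids}
    return sorted(
        inst.instance_id
        for inst in instances
        if inst.public_ip is not None and inst.instance_id not in behind_lb
    )


def find_unprotected_edges(lbs: List[LoadBalancer], dists: List[Distribution]) -> List[Tuple[str, str]]:
    """Internet-facing load balancers and CloudFront distributions without a web ACL."""
    findings: List[Tuple[str, str]] = []
    for lb in lbs:
        if lb.scheme == "internet-facing" and lb.web_acl_arn is None:
            findings.append(("load-balancer", lb.name))
    for dist in dists:
        if dist.web_acl_arn is None:
            findings.append(("cloudfront", dist.dist_id))
    return findings


# Constructed sample inventory (not real resources).
SAMPLE_INSTANCES = [
    Instance("i-0000000000000001", None),              # private, behind the ALB
    Instance("i-0000000000000002", "203.0.113.10"),    # public but still behind the ALB
    Instance("i-0000000000000003", "203.0.113.11"),    # public and directly reachable
]
SAMPLE_LBS = [
    LoadBalancer("web-alb", "internet-facing",
                 ["i-0000000000000001", "i-0000000000000002"],
                 "arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/PLACEHOLDER"),
    LoadBalancer("api-alb", "internet-facing", [], None),  # no web ACL
    LoadBalancer("internal-alb", "internal", [], None),     # internal: not flagged
]
SAMPLE_DISTS = [
    Distribution("EXAMPLEDIST1", "arn:aws:wafv2:us-east-1:ACCOUNT:global/webacl/PLACEHOLDER"),
    Distribution("EXAMPLEDIST2", None),  # no web ACL
]


def run_checks(instances=SAMPLE_INSTANCES, lbs=SAMPLE_LBS, dists=SAMPLE_DISTS) -> Dict[str, list]:
    """Return both findings lists so callers can alert or fail a pipeline on them."""
    return {
        "exposed_instances": find_exposed_instances(instances, lbs),
        "unprotected_edges": find_unprotected_edges(lbs, dists),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The instance check is the one most often missed in practice: a load balancer and CDN in front of a fleet give no protection to a host that also answers on its own public address, so the check treats "public IP and not a registered target" as a finding regardless of how well the edge is configured.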