AWS Advanced Networking - Protecting Against DDoS Attacks

Extra Measure to Block DDoS Attacks from Malicious IP Addresses


Question

Your current web application is hosted on a set of EC2 Instances which are placed behind an application load balancer.

All of the security groups and NACLs have been put in place for tight security.

What extra measure can be taken to ensure blocking of DDoS attacks from malicious IP addresses?

Answers

Explanations


Answer - A.

The AWS documentation mentions the following.

AWS WAF is a web application firewall that lets you monitor web requests that are forwarded to Amazon CloudFront distributions or an Application Load Balancer.

You can also use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses that requests originate from or values in the requests.

Option B is incorrect because AWS PrivateLink is used to provide a private endpoint for a service, not to filter traffic.

Option C is incorrect because AWS Shield is already present; its standard protection applies to every AWS account by default.

You need AWS Shield Advanced for enhanced DDoS protection.

Option D is incorrect because you need a more effective mechanism for protecting against DDoS attacks.

For more information on AWS WAF, please refer to the link below.

https://aws.amazon.com/documentation/waf/

In order to protect your web application from DDoS attacks from malicious IP addresses, you can consider adding an additional layer of protection in front of the Application Load Balancer (ALB) and your EC2 instances.

Option A is the correct answer as it suggests placing the AWS WAF (Web Application Firewall) service in front of the ALB. AWS WAF provides a set of predefined rules and a rule creation wizard to protect your web application from common web exploits that could affect application availability, compromise security, or consume excessive resources. By placing the AWS WAF in front of the ALB, all incoming traffic can be inspected and filtered before it reaches your EC2 instances.

Option B is not a valid option for protecting against DDoS attacks, as AWS PrivateLink is a secure and scalable way to privately access services over the AWS network.

Option C is partially correct as AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. However, the Advanced version of AWS Shield includes AWS WAF, which is the appropriate service to use for protecting against DDoS attacks.

Option D is also not the best option for protecting against DDoS attacks, as Network Access Control Lists (NACLs) are not designed to handle large-scale attacks. NACLs are used for controlling traffic at the subnet level, and while they can provide some basic security measures, they are not sufficient for handling DDoS attacks.

In summary, the best measure to take to block DDoS attacks from malicious IP addresses is to place the AWS WAF service in front of the Application Load Balancer.
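As an added illustration (not code from the original page or from the AWS documentation quoted above), the following Terraform configuration builds the setup the answer describes: an AWS WAF IP set of known-malicious addresses, a regional web ACL that blocks requests from those addresses and allows everything else, and the association that places that web ACL in front of the existing ALB. The resource names, the sample addresses and the ALB reference `aws_lb.app` are assumptions.

```hcl
# Added example, not part of the original page. Assumes an existing ALB
# declared as aws_lb.app; all other names are placeholders.

resource "aws_wafv2_ip_set" "blocked" {
  name               = "blocked-source-ips"
  scope              = "REGIONAL"   # REGIONAL for an ALB, CLOUDFRONT for a distribution
  ip_address_version = "IPV4"
  # Constructed sample addresses; replace with the IPs identified as malicious.
  addresses = ["192.0.2.0/24", "198.51.100.17/32"]
}

resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}     # requests not matched by any rule reach the ALB
  }

  # Drop requests whose source IP is in the blocked IP set, before the ALB sees them.
  rule {
    name     = "block-listed-ips"
    priority = 1
    action {
      block {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blocked.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true   # metrics show how much traffic the rule drops
      metric_name                = "BlockListedIPs"
      sampled_requests_enabled   = true   # keep samples for investigating blocked requests
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AppWebACL"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the ALB so every incoming request is inspected first.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Updating the `addresses` list is all that is needed to block newly identified sources, and the CloudWatch metrics confirm whether the rule is actually matching.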