You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming.
What could be the underlying issue?
A. You configured the rule number to be too low.
B. You need to add a deny rule outbound to the NACL.
C. A NACL can't protect against a DDoS attack.
D. The DDoS isn't a TCP attack.

Answer: D.
There are different types of DDoS attacks; it can also be a UDP attack.
For more information on the types of DDoS attacks, please refer to the link below:
https://www.incapsula.com/ddos/ddos-attacks/

A network access control list (NACL) is a security layer that acts as a firewall for controlling traffic in and out of subnets in Amazon Virtual Private Cloud (VPC). A Distributed Denial of Service (DDoS) attack is a common threat in which an attacker tries to overwhelm a network with traffic to cause it to fail. In such a scenario, adding a deny all TCP rule to an NACL is a common way to block traffic and prevent the attack. However, if traffic is still coming through despite this rule, there could be several underlying issues.
A. You configured the rule number to be too low: NACL rules are executed in order, starting with the lowest numbered rule. Therefore, if you added the deny all TCP rule with a rule number lower than a previous rule that allows TCP traffic, the deny rule will be ignored. In such a scenario, you need to update the rule number to a higher value than the previous rule.
B. You need to add a deny rule outbound to the NACL: The deny all TCP rule only blocks inbound traffic to the subnet, and it does not affect outbound traffic from the subnet. If the attack is originating from a host within your subnet, adding an outbound deny rule may help.
C. A NACL can't protect against a DDoS attack: While NACLs are effective in blocking individual malicious hosts, they may not be sufficient to stop a large-scale DDoS attack. In such cases, additional measures such as AWS Shield or CloudFront can be used to provide DDoS protection.
D. The DDoS isn't a TCP attack: If the DDoS attack is not TCP-based, a deny all TCP rule in the NACL will not be effective. For example, if the attack is a UDP flood, then UDP traffic must also be blocked in the NACL to prevent the attack.
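To make the difference between options A and D concrete, here is an added Python model of how an NACL evaluates its entries (example code written for this page, not AWS code and not the question author's): entries are checked in ascending rule-number order, the first entry that matches the packet's protocol, source CIDR and port decides, and the implicit `*` entry denies anything unmatched. The rule numbers, the packets and the 198.51.100.7 source address are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IANA protocol numbers as used in NACL entries; ANY models the AWS "all" protocol.
TCP, UDP, ANY = 6, 17, -1


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lower numbers are evaluated first
    protocol: int      # TCP, UDP or ANY
    cidr: str          # source CIDR for an inbound entry
    action: str        # "allow" or "deny"
    port_from: int = 0
    port_to: int = 65535

    def matches(self, packet: Packet) -> bool:
        if self.protocol != ANY and self.protocol != packet.protocol:
            return False
        if ip_address(packet.src) not in ip_network(self.cidr):
            return False
        # Port ranges only apply to TCP/UDP; other protocols match on protocol + CIDR.
        if packet.protocol in (TCP, UDP):
            return self.port_from <= packet.dst_port <= self.port_to
        return True


def evaluate(rules: list, packet: Packet) -> tuple:
    """Return (action, rule_number); rule_number None means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet):
            return rule.action, rule.number
    return "deny", None


def build_nacl(tcp_deny_number: int, deny_udp: bool = False) -> list:
    """Constructed NACL: the usual allow-all entry at 100, plus the deny entries under test."""
    rules = [Rule(100, ANY, "0.0.0.0/0", "allow")]
    rules.append(Rule(tcp_deny_number, TCP, "0.0.0.0/0", "deny"))
    if deny_udp:
        rules.append(Rule(tcp_deny_number + 1, UDP, "0.0.0.0/0", "deny"))
    return rules


# Constructed flood traffic from one source: a TCP SYN to 443 and a UDP packet to 53.
TCP_FLOOD = Packet(TCP, "198.51.100.7", 443)
UDP_FLOOD = Packet(UDP, "198.51.100.7", 53)


def scenario() -> dict:
    """Walk through the question: deny-all-TCP added, yet traffic still arrives."""
    return {
        # deny-all-TCP at 90 sits ahead of the allow at 100, so TCP is blocked ...
        "tcp_with_deny_at_90": evaluate(build_nacl(90), TCP_FLOOD),
        # ... but the same NACL never matches UDP, which the allow entry still admits (answer D)
        "udp_with_deny_at_90": evaluate(build_nacl(90), UDP_FLOOD),
        # rule-number ordering: a deny entry numbered above the allow entry is never reached
        "tcp_with_deny_at_110": evaluate(build_nacl(110), TCP_FLOOD),
        # adding a UDP deny entry (protocol 17) closes the gap
        "udp_with_udp_deny": evaluate(build_nacl(90, deny_udp=True), UDP_FLOOD),
        # an empty NACL falls through to the implicit '*' deny
        "empty_nacl": evaluate([], TCP_FLOOD),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:22s} -> {result}")
```

Running it shows the answer-D case directly: the deny-all-TCP entry never matches the UDP packet, so the allow-all entry at rule 100 keeps admitting it until a UDP deny entry is added; in AWS terms that is a deny entry with protocol number 17. The `tcp_with_deny_at_110` case is the rule-ordering check behind option A: whichever entry matches first by ascending number wins, so the position of the deny entry relative to the allow entry is what to verify.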
In conclusion, to address the issue of traffic coming through despite adding a deny all TCP rule to an NACL, you need to check the rule number, add outbound deny rules, verify that the NACL is sufficient to stop a DDoS attack, and ensure that the attack is indeed TCP-based.