Mitigating DDoS Attacks on an Online Shopping Platform

Reducing Attack Surface

Question

A company is building an online shopping platform.

Recently, the application has encountered frequent DDoS attacks such as UDP reflection attacks and SYN floods.

User experience is degraded, and costs rise sharply when servers scale up to absorb the traffic.

You need to take action to mitigate the attacks.

Which of the following actions can reduce the attack surface?

Answers

A. Enable AWS Shield for cost protection.

B. Configure Amazon CloudFront to distribute traffic to the application. Ensure that only the Amazon CloudFront distribution can forward requests to the origin.

C. Configure AWS Firewall Manager to centrally configure and manage AWS WAF rules.

D. Collect VPC Flow Logs to identify network anomalies and DDoS attack vectors.

Explanations

Correct Answer - B.

The AWS best practices for DDoS resiliency can be found in the white paper https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf.

Option A is incorrect: DDoS cost protection is a feature of AWS Shield Advanced, not of AWS Shield Standard (the protection every AWS customer gets automatically).

With Shield Advanced, customers can request service credits for the scaling charges that protected resources incur because of a DDoS attack.

Either way, this option is a financial safeguard after the fact and not an approach that reduces the attack surface.

Option B is CORRECT: This option improves the origin's security because malicious users cannot bypass Amazon CloudFront when accessing the web application; the origin is reachable only through the distribution.

The attack surface is therefore reduced.

Option C is incorrect: AWS Firewall Manager is a central management tool for deploying AWS WAF rules and other policies across accounts.

Centralising rule management does not by itself make the origin any less reachable, so the attack surface is not reduced.

Option D is incorrect: VPC Flow Logs help gain visibility into abnormal behaviour and characterise attack vectors.

Visibility is valuable for detection, but the attack surface is not reduced.

The correct answer to this question is B. Configure Amazon CloudFront to distribute traffic to the application. Ensure that only the Amazon CloudFront distribution can forward requests to the origin.

Explanation:

DDoS (Distributed Denial of Service) attacks are malicious attempts to disrupt the normal traffic of a targeted server, network, or service by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. These attacks can cause significant disruptions to online services and result in additional costs associated with scaling up servers.

To mitigate the effects of DDoS attacks, it is essential to reduce the attack surface, i.e., the set of entry points an attacker can reach. One way to do this is to put a Content Delivery Network (CDN) such as Amazon CloudFront in front of the application. CloudFront is a globally distributed network of edge locations that cache and serve content from the location closest to the user, which reduces latency and improves user experience. It also terminates client TCP connections at the edge, where AWS Shield Standard (enabled automatically, at no extra charge) absorbs the network and transport layer floods named in the question, such as SYN floods and UDP reflection, before they reach the application.

Caching alone does not shrink the attack surface; what does is making the origin unreachable except through the distribution. For an Application Load Balancer or EC2 origin this means restricting the origin's security group to CloudFront's origin-facing address ranges (available as the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing) and having the distribution add a secret custom origin header that an AWS WAF rule on the origin verifies; for an S3 origin it means origin access control, so that the bucket accepts requests only from the distribution. Attackers can then no longer target the origin directly: every request must pass through CloudFront, where AWS WAF can filter out malicious traffic before it reaches the application.
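As an added illustration (not code from this page or from AWS), the following Python models the two checks that make "only the CloudFront distribution can forward requests to the origin" true in practice: the origin accepts a connection only from CloudFront's origin-facing address ranges (in AWS, a security group rule referencing the managed prefix list com.amazonaws.global.cloudfront.origin-facing) and only if the request carries a secret custom origin header that the distribution adds (in AWS, verified by an AWS WAF rule on the ALB). The CIDR prefixes, header name, secret value and sample requests are constructed for the example and are not real CloudFront ranges.

```python
import hmac
import ipaddress

# Constructed stand-ins for CloudFront's origin-facing address ranges (RFC 5737 documentation
# prefixes, not real CloudFront ranges). In AWS the origin's security group references the
# managed prefix list com.amazonaws.global.cloudfront.origin-facing instead of hard-coded CIDRs.
CLOUDFRONT_ORIGIN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical header name and shared secret (constructed for this example). The secret is set
# once as a custom origin header on the CloudFront distribution and checked at the origin.
ORIGIN_VERIFY_HEADER = "x-origin-verify"
ORIGIN_VERIFY_SECRET = "0f7a9c1e4b2d8e6a5c3b1f9d7e2a4c6b"


def from_cloudfront(source_ip, prefixes=CLOUDFRONT_ORIGIN_PREFIXES):
    """True if the TCP source address belongs to one of CloudFront's origin-facing ranges.

    This is the check a security group performs: direct hits on the origin, including SYN
    floods and reflected UDP aimed at its address, are dropped before reaching the application.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in prefixes)


def carries_origin_secret(headers, secret=ORIGIN_VERIFY_SECRET):
    """True if the request carries the shared secret that *our* distribution adds.

    The address check alone admits every CloudFront distribution, including one an attacker
    creates and points at our origin, so the secret ties requests to our own distribution.
    compare_digest keeps the comparison constant-time.
    """
    presented = {k.lower(): v for k, v in headers.items()}.get(ORIGIN_VERIFY_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def origin_decision(request):
    """Accept only requests that pass both checks; return (accepted, reason)."""
    if not from_cloudfront(request["source_ip"]):
        return False, "source address is not a CloudFront origin-facing range"
    if not carries_origin_secret(request["headers"]):
        return False, "missing or wrong origin verification header"
    return True, "forwarded by our CloudFront distribution"


# Constructed sample requests as they would arrive at the origin.
SAMPLE_REQUESTS = {
    "via_our_distribution": {
        "source_ip": "192.0.2.17",
        "headers": {"Host": "shop.example.com", "X-Origin-Verify": ORIGIN_VERIFY_SECRET},
    },
    # Attacker connects straight to the origin, bypassing CloudFront.
    "direct_hit": {
        "source_ip": "203.0.113.9",
        "headers": {"Host": "shop.example.com"},
    },
    # Header value obtained somehow, but the source address is still wrong.
    "direct_hit_with_leaked_header": {
        "source_ip": "203.0.113.9",
        "headers": {"Host": "shop.example.com", "X-Origin-Verify": ORIGIN_VERIFY_SECRET},
    },
    # Someone else's CloudFront distribution pointed at our origin: right ranges, wrong secret.
    "foreign_distribution": {
        "source_ip": "198.51.100.200",
        "headers": {"Host": "shop.example.com", "X-Origin-Verify": "wrong-secret"},
    },
}


def evaluate_samples(requests=SAMPLE_REQUESTS):
    """Map each sample name to the origin's accept/reject decision."""
    return {name: origin_decision(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        accepted, reason = origin_decision(req)
        print(f"{name:32} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The fourth sample is the case the address check alone would get wrong: any CloudFront distribution, including one an attacker creates and points at the company's origin, arrives from the same origin-facing ranges, so the shared header is what ties traffic to the company's own distribution. In a real deployment the prefix list is maintained by AWS, the header is checked by AWS WAF rather than application code, and the secret should be rotated periodically.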

Option A, Enable AWS Shield for cost protection, is incorrect. AWS Shield Standard is enabled automatically for every AWS customer and has no cost protection feature; DDoS cost protection belongs to AWS Shield Advanced. Either way, cost protection is a financial safeguard that applies after an attack and does not change what an attacker can reach.

Option C, Configure AWS Firewall Manager to centrally configure and manage AWS WAF rules, is incorrect. Firewall Manager centrally deploys and manages AWS WAF rules across accounts; it is an administration layer over controls that already exist and does not by itself make the origin any less reachable.

Option D, Collect VPC Flow Logs to identify network anomalies and DDoS attack vectors, is incorrect. Flow logs help detect attacks and characterise their vectors, but they are a visibility tool, not a control: the origin stays just as reachable. Note also that flow logs are captured outside the traffic path and do not affect network throughput, although they do incur delivery and storage charges in CloudWatch Logs or Amazon S3.