You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks.
Which of the below can be used to notify and mitigate the attacks? (Select THREE).
A. B. C. D. E.
Answer - C, D, and E.
This question is asking you to select some of the most recommended and widely used DDoS mitigation techniques.
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is an attack orchestrated from multiple distributed sources that makes your web application unresponsive and unavailable to end users.
DDoS Mitigation Techniques.
Some of the recommended techniques for mitigating DDoS attacks are:
(i) building the architecture using AWS services and offerings that can protect the application from such attacks, e.g. CloudFront, WAF, Autoscaling, Route53, VPC, etc.
(ii) defending the infrastructure layer by over-provisioning capacity and deploying DDoS mitigation systems.
(iii) defending the application layer by using WAF and operating at scale by using autoscale so that the application can withstand the attack by scaling and absorbing the traffic.
(iv) minimizing the surface area of attack.
(v) obfuscating the AWS resources.
Option A is incorrect because ENIs do not help in increasing the network bandwidth.
Option B is incorrect because having dedicated instances performing at maximum capacity will not help mitigate the DDoS attack.
What is needed is instances behind auto-scaling so that the traffic can be absorbed while actions are being taken on the attack and the application can continue responding to the clients.
Option C is CORRECT because WAF can protect against DDoS attacks and users can define rules to allow or block traffic.
Option D is CORRECT because ELB helps distribute the traffic to the auto-scaling instances (helps to absorb the traffic).
Option E is CORRECT because CloudWatch alarms can be used to trigger an SNS notification so that the team can be alerted of the high traffic.
Note: Advanced Shield would be a better solution.
There is a cost factor attached to it.
It is very important to read the AWS Whitepaper on Best Practices for DDoS Resiliency.
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
DDoS attacks are a common problem for web-based applications, and it is important to take measures to mitigate the impact of such attacks. Here are the three options that can be used to notify and mitigate DDoS attacks:
Deploy AWS WAF on an Amazon CloudFront distribution: AWS WAF (Web Application Firewall) is a service that helps protect web applications from common web exploits that can affect the availability, security, or consumption of resources. By deploying AWS WAF on an Amazon CloudFront distribution, you can protect your application from DDoS attacks that target your application's origin servers. AWS WAF can also block malicious traffic that tries to exploit known vulnerabilities or patterns.
Use an Elastic Load Balancer with Auto Scaling Groups: An Elastic Load Balancer (ELB) can distribute incoming traffic across multiple EC2 instances, improving availability and fault tolerance. Auto Scaling Groups (ASGs) can dynamically scale the number of EC2 instances based on the incoming traffic load. By using ELB with ASGs, you can distribute traffic across multiple instances and scale up or down based on the traffic load, ensuring that the application can handle large spikes in traffic during a DDoS attack.
Create Amazon CloudWatch alarms: Amazon CloudWatch is a monitoring service that can monitor various metrics related to your AWS resources. By creating CloudWatch alarms, you can monitor metrics such as network in and CPU utilization, and receive notifications when certain thresholds are exceeded. You can also configure these alarms to trigger an SNS notification to notify the team of the high traffic, allowing them to take appropriate action.
The other two options mentioned are not directly related to mitigating DDoS attacks:
Adding multiple elastic network interfaces (ENIs) to each EC2 instance to increase network bandwidth: While adding multiple ENIs can increase network bandwidth, it does not directly mitigate DDoS attacks. DDoS attacks can saturate the network bandwidth, making additional ENIs ineffective.
Using dedicated instances to ensure that each instance has the maximum performance possible: Using dedicated instances can improve performance, but it does not directly mitigate DDoS attacks. DDoS attacks can overwhelm the instance, making it unavailable regardless of whether it is dedicated or not.
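The CloudWatch alarm and SNS notification described for option E can be expressed as a CloudFormation template. This is an added example, not part of the original page; the parameter names `AlertEmail` and `WebAsgName`, the resource names, and both thresholds are assumptions to be replaced with values from your own baseline.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - notify the team when traffic spikes
Parameters:
  AlertEmail:                 # hypothetical: mailbox of the on-call team
    Type: String
  WebAsgName:                 # hypothetical: name of the existing Auto Scaling group
    Type: String
Resources:
  TrafficAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email     # the recipient must confirm the subscription
          Endpoint: !Ref AlertEmail
  HighNetworkInAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Inbound bytes across the group are far above baseline
      Namespace: AWS/EC2
      MetricName: NetworkIn
      Dimensions:
        - Name: AutoScalingGroupName
          Value: !Ref WebAsgName
      Statistic: Sum
      Period: 300             # 5 minutes, matches EC2 basic monitoring
      EvaluationPeriods: 2    # two consecutive breaches before alarming
      Threshold: 50000000000  # bytes per period; constructed, set from your baseline
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref TrafficAlertTopic   # Ref on an SNS topic returns its ARN
  HighCpuAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Average CPU across the group stays high
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - Name: AutoScalingGroupName
          Value: !Ref WebAsgName
      Statistic: Average
      Period: 300
      EvaluationPeriods: 2
      Threshold: 80           # percent; constructed value
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref TrafficAlertTopic
```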