Mitigating Attack on EC2 Instances: Commands for Temporary Relief

Security measures for your EC2 Instances during an attack


Question

You are currently experiencing an attack on your EC2 Instances located in a subnet.

At the moment, the IT security department is working to stop the attack.

The default NACLs have been set up on the subnet.

Which of the following commands would you issue to mitigate the attack for the moment?

Answers

Explanations


Answer - A.

Since the default NACL rules allow all traffic, the quickest first step is to delete the default allow rule (rule number 100) from the NACL. With that rule gone, inbound traffic matches nothing and falls through to the implicit deny-all rule (shown as * in the console), so it is blocked. Be aware that this also blocks legitimate traffic to every instance in the subnet, and, because NACLs are stateless, the replies to connections the instances themselves open; it is a stopgap to use while the source of the attack is identified, not a permanent configuration.

An example of the command is shown below.

aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100

For more information on the command, please visit the below URL:

http://docs.aws.amazon.com/cli/latest/reference/ec2/delete-network-acl-entry.html

The remaining options are not appropriate for mitigating an ongoing attack; two of them are not even real AWS CLI commands (see the list below).

Network Access Control Lists (NACLs) are stateless and act as a firewall for inbound and outbound traffic at the subnet level. Each rule matches on protocol, port range and a single CIDR block (the source CIDR for inbound rules, the destination CIDR for outbound rules). Rules are evaluated in ascending rule-number order, the first match wins, and a packet that matches no rule hits the implicit deny-all rule. Because NACLs are stateless, the return traffic for connections the instances themselves open is also evaluated against the inbound rules, so removing the inbound allow rule cuts those connections off as well.

If an attack is ongoing on EC2 instances in a subnet, the NACL change is only the first containment step. The rest of the response should follow:

  1. Identify the nature and extent of the attack: source addresses, targeted ports and which instances are affected (VPC Flow Logs, if enabled for the subnet, record exactly this).
  2. Contain it: block the attacking source ranges at the subnet edge with a NACL deny rule numbered below the allow rule, isolate or stop compromised instances, and patch the vulnerable software.
  3. Determine the root cause and take corrective measures so that a similar attack cannot recur.

Once the attack is contained, restore the NACL to rules that permit only the traffic the subnet actually needs rather than leaving it at deny-all or at the default allow-all.

Of the commands named in the options, only two exist in the AWS CLI:

  • aws ec2 delete-network-acl-entry: deletes a specific rule from a NACL (used in the answer above to remove the default allow rule).
  • aws ec2 create-network-acl-entry: adds a new rule to a NACL (the way to add a targeted deny rule for the attacker's CIDR once it is known).
  • aws ec2 rename-network-acl-entry: not an AWS CLI command; NACL rules are identified by rule number and have no name to change.
  • aws ec2 change-network-acl-entry: not an AWS CLI command; the command that modifies an existing rule in place is aws ec2 replace-network-acl-entry.

The rename and change options are therefore distractors, and create-network-acl-entry on its own blocks nothing until a deny rule is written with it, which is why deleting the default allow rule is the fastest immediate mitigation when the attacking sources are not yet known.
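To make the effect of these commands concrete, and to illustrate the stateless, first-match-wins evaluation described for the answer above and in the NACL overview, here is a small model of NACL evaluation written for this page. It is an added example, not code from the original page or from AWS. It encodes the documented semantics (lowest rule number first, first match decides, implicit * deny, return traffic checked on ingress); the addresses (an attacker at 203.0.113.7 and a client at 198.51.100.20 hitting an instance at 10.0.1.10, all from documentation ranges) and the acl-id placeholder in the comments are constructed for illustration. It runs the answer's deletion of inbound rule 100 against three packets, then the narrower alternative of a deny rule for the attacker's CIDR, which is what the create-network-acl-entry option would actually be used for.

```python
"""Toy model of AWS network ACL evaluation (added example, not AWS code).

Semantics modelled: rules are evaluated in ascending rule-number order, the
first matching rule decides, a packet matching nothing hits the implicit '*'
deny, and evaluation is stateless, so replies to connections an instance
opened are checked on ingress like any other inbound packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NaclEntry:
    rule_number: int
    egress: bool
    protocol: str             # AWS protocol numbers as strings: "6" tcp, "17" udp, "-1" all
    cidr_block: str           # source CIDR for ingress rules, destination CIDR for egress
    port_from: Optional[int]  # None = all ports (as when protocol is "-1")
    port_to: Optional[int]
    rule_action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int


class NetworkAcl:
    """Rules keyed by (egress, rule_number), as in one AWS network ACL."""

    def __init__(self, entries=()):
        self.entries = {}
        for entry in entries:
            self.create_entry(entry)

    def create_entry(self, entry: NaclEntry) -> None:
        # Like aws ec2 create-network-acl-entry: a rule number is unique per direction;
        # changing an existing rule is replace-network-acl-entry instead.
        key = (entry.egress, entry.rule_number)
        if key in self.entries:
            raise ValueError(f"rule {entry.rule_number} already exists in that direction")
        self.entries[key] = entry

    def delete_entry(self, egress: bool, rule_number: int) -> None:
        # Like aws ec2 delete-network-acl-entry --ingress/--egress --rule-number N
        del self.entries[(egress, rule_number)]

    def evaluate(self, pkt: Packet, egress: bool):
        """Return (action, rule number that matched); '*' is the implicit deny."""
        addr = ip_address(pkt.dst if egress else pkt.src)
        for rule in sorted(self.entries.values(), key=lambda r: r.rule_number):
            if rule.egress != egress:
                continue
            if rule.protocol not in ("-1", pkt.protocol):
                continue
            if rule.port_from is not None and not (rule.port_from <= pkt.dst_port <= rule.port_to):
                continue
            if addr not in ip_network(rule.cidr_block):
                continue
            return rule.rule_action, rule.rule_number
        return "deny", "*"


def default_nacl() -> NetworkAcl:
    """The default NACL AWS attaches to a subnet: rule 100 allows everything both ways."""
    return NetworkAcl([
        NaclEntry(100, False, "-1", "0.0.0.0/0", None, None, "allow"),
        NaclEntry(100, True, "-1", "0.0.0.0/0", None, None, "allow"),
    ])


# Constructed sample traffic (RFC 5737 documentation ranges, not real hosts).
ATTACKER = Packet(src="203.0.113.7", dst="10.0.1.10", protocol="6", dst_port=443)
CLIENT = Packet(src="198.51.100.20", dst="10.0.1.10", protocol="6", dst_port=443)
# Reply to a connection the instance itself opened (e.g. downloading a patch):
# a stateless NACL checks it inbound, on the instance's ephemeral port.
REPLY = Packet(src="198.51.100.50", dst="10.0.1.10", protocol="6", dst_port=50123)


def who_gets_in(acl: NetworkAcl) -> dict:
    return {name: acl.evaluate(pkt, egress=False)[0]
            for name, pkt in (("attacker", ATTACKER), ("client", CLIENT), ("reply", REPLY))}


def scenario_default() -> dict:
    return who_gets_in(default_nacl())   # everything allowed


def scenario_delete_rule_100() -> dict:
    # Answer A: aws ec2 delete-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 100
    acl = default_nacl()
    acl.delete_entry(egress=False, rule_number=100)
    return who_gets_in(acl)              # attacker, client and reply all denied


def scenario_deny_attacker_cidr() -> dict:
    # Narrower containment once the source is known, numbered below the allow rule:
    # aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 90 \
    #     --protocol -1 --cidr-block 203.0.113.0/24 --rule-action deny
    acl = default_nacl()
    acl.create_entry(NaclEntry(90, False, "-1", "203.0.113.0/24", None, None, "deny"))
    return who_gets_in(acl)              # only the attacker denied


if __name__ == "__main__":
    for name, fn in (("default", scenario_default), ("delete rule 100", scenario_delete_rule_100),
                     ("deny attacker /24", scenario_deny_attacker_cidr)):
        print(f"{name:18} {fn()}")
```

The second scenario is the exam answer and shows its cost: with rule 100 gone nothing matches, so the implicit deny stops the client and the instance's own patch download along with the attacker. The third scenario is the follow-up once the source range is known: a deny rule numbered below 100 is matched first for the attacker and never reached by anyone else.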