AWS Auto Scaling and Application Load Balancer: Effective DDoS Mitigation

Blocking IPs to Mitigate DDoS Attacks - AWS Certified Security - Specialty

Question

Your online shopping web application is deployed in an AWS Auto Scaling group.

An Application Load Balancer is used to distribute the traffic to the ASG.

Recently, there have been frequent application-layer DDoS attacks against the servers.

The attacker uses a botnet to perform an HTTP Flood attack that targets several components of the website.

You perform some analysis and identify several IPs that generate the malicious traffic.

Which of the following actions can block these IPs to mitigate the DDoS attack effectively?

Answers

Explanations


Correct Answer - C.

AWS WAF can effectively protect the servers from application layer DDoS attacks.

You can create a WAF ACL that has the rule to block problematic IPs.

Option A is incorrect: With AWS Shield Advanced, you can involve the DDoS response team (DRT) to help you analyze the suspicious activity.

However, AWS Shield Advanced does not automatically create WAF ACLs.

The DRT needs your permission to create or update WAF ACLs if necessary.

Option B is incorrect: you cannot configure an IP blacklist in a CloudFront distribution; it must be configured in AWS WAF.

Option C is CORRECT: You can configure a rule in a WAF ACL that has an IP match condition.

The application layer DDoS attacks can be effectively mitigated as the incoming requests are filtered by AWS WAF.

Option D is incorrect: AWS Shield is enabled by default, and you do not need to enable it.

And the WAF ACL should include an IP match condition instead of a string match condition.


First, let's understand what each answer option means and how it can help mitigate the DDoS attack effectively:

A. Enable AWS Shield Advanced that identifies suspicious IP addresses, generates WAF ACL rules automatically, and blocks the malicious traffic.

AWS Shield is a managed DDoS protection service that provides protection against DDoS attacks. AWS Shield Advanced is a paid service that provides enhanced protection and detection capabilities. It can identify and block malicious traffic that originates from known sources, such as suspicious IP addresses. In this option, AWS Shield Advanced would automatically generate AWS WAF (Web Application Firewall) Access Control List (ACL) rules to block traffic from the identified malicious IPs.

B. Create a CloudFront distribution for your application. Configure an IP blacklist in the distribution.

Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. In this option, you would create a CloudFront distribution for your application and configure an IP blacklist to block traffic from the identified malicious IPs.

C. Configure an AWS WAF ACL that contains an IP match condition to block suspicious IPs. Deploy AWS WAF on the Application Load Balancer.

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. In this option, you would configure an AWS WAF ACL that contains an IP match condition to block traffic from the identified malicious IPs. You would then deploy the AWS WAF on the Application Load Balancer to block the malicious traffic before it reaches the web servers.
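The correct answer above (a WAF ACL with an IP match condition, attached to the Application Load Balancer) is usually built with the AWS CLI or an IaC tool rather than by hand in the console. The following is an added example, not code from the page, from AWS, or from any exam provider: it produces the structures that `aws wafv2 create-ip-set`, `aws wafv2 create-web-acl` and `aws wafv2 associate-web-acl` accept (the same shapes boto3 takes as keyword arguments), and models locally what the IP match condition does to a request. The IP addresses are constructed samples from documentation ranges, and both ARNs are placeholders; nothing here calls AWS, so it runs offline.

```python
"""Build AWS WAFv2 definitions for an IP-based block rule in front of an ALB.

Added example for this page (not AWS or exam-provider code). The functions
return the JSON-shaped input for create-ip-set, create-web-acl and
associate-web-acl. No AWS API is called; ARNs are constructed placeholders.
"""
import ipaddress
import json

# Constructed sample data: source addresses the traffic analysis flagged.
SUSPICIOUS_IPS = ["203.0.113.7", "203.0.113.8", "198.51.100.0/24"]

# Placeholder ARNs; real values come from the create-ip-set output and the ALB.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked-ips/PLACEHOLDER-ID"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/shop-alb/PLACEHOLDER-ID"


def normalize_cidrs(addresses):
    """WAFv2 IP sets require CIDR notation: a bare IPv4 host becomes /32 (IPv6 /128).
    An unparsable entry raises ValueError instead of being silently dropped."""
    return [str(ipaddress.ip_network(addr, strict=False)) for addr in addresses]


def ip_set_definition(name, addresses, scope="REGIONAL"):
    """Input for create-ip-set. Scope REGIONAL is the one that applies to an ALB;
    CLOUDFRONT is only for distributions. One IP set holds one address family."""
    cidrs = normalize_cidrs(addresses)
    versions = {ipaddress.ip_network(c).version for c in cidrs}
    if len(versions) != 1:
        raise ValueError("an IP set holds a single address family; split IPv4 and IPv6")
    return {
        "Name": name,
        "Scope": scope,
        "IPAddressVersion": "IPV4" if versions == {4} else "IPV6",
        "Addresses": cidrs,
    }


def web_acl_definition(name, ip_set_arn, scope="REGIONAL"):
    """Input for create-web-acl: a single rule blocks requests whose source IP is
    in the referenced IP set; the default action allows everything else."""
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {
                "Name": "block-suspicious-ips",
                "Priority": 0,
                "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
                "Action": {"Block": {}},
                "VisibilityConfig": {
                    "SampledRequestsEnabled": True,
                    "CloudWatchMetricsEnabled": True,
                    "MetricName": "BlockSuspiciousIPs",
                },
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def association_definition(web_acl_arn, alb_arn):
    """Input for associate-web-acl. Attaching the ACL to the ALB is the step that
    puts WAF in front of the Auto Scaling group, so filtered requests never reach
    the instances."""
    return {"WebACLArn": web_acl_arn, "ResourceArn": alb_arn}


def is_blocked(client_ip, ip_set):
    """Local model of the IP match condition: a request is blocked when its source
    address falls inside any CIDR of the IP set."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in ip_set["Addresses"])


if __name__ == "__main__":
    ip_set = ip_set_definition("blocked-ips", SUSPICIOUS_IPS)
    print(json.dumps(ip_set, indent=2))
    print(json.dumps(web_acl_definition("shop-alb-acl", IP_SET_ARN), indent=2))
    print(association_definition("arn:aws:wafv2:...:webacl/shop-alb-acl/PLACEHOLDER-ID", ALB_ARN))
    for ip in ["203.0.113.7", "198.51.100.42", "192.0.2.1"]:
        print(ip, "blocked" if is_blocked(ip, ip_set) else "allowed")
```

Each returned dictionary can be written out and passed as `--cli-input-json file://...` to the matching `aws wafv2` command. Keeping the addresses in an IP set rather than inline in the rule means the block list can be updated with `update-ip-set` while the web ACL and its ALB association stay untouched, which matters when new botnet sources are identified mid-attack.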

D. Enable AWS Shield and in the meantime, create an AWS WAF ACL with a string match condition to block the bogus traffic.

This option is similar to Option C, except that it suggests creating an AWS WAF ACL with a string match condition instead of an IP match condition. A string match condition can be used to block traffic that matches a specific pattern in the HTTP request, such as a specific user agent or a specific query parameter. In this option, you would enable AWS Shield and create an AWS WAF ACL with a string match condition to block the malicious traffic.

Now, let's analyze each option to determine which one is the best to mitigate the DDoS attack effectively.

Option A suggests enabling AWS Shield Advanced. AWS Shield Advanced is a good option because it can identify and block malicious traffic from known sources automatically. It can also generate AWS WAF ACL rules automatically to block the traffic. Therefore, Option A is a good choice.

Option B suggests creating a CloudFront distribution for your application and configuring an IP blacklist. While CloudFront can help distribute the traffic to your web servers, it may not be the best option to mitigate the DDoS attack because the attack is happening at the application layer. Blocking traffic from specific IPs may not be effective against HTTP Flood attacks because the attacker can use a botnet with multiple IPs to perform the attack. Therefore, Option B is not the best choice.

Option C suggests configuring an AWS WAF ACL that contains an IP match condition and deploying it on the Application Load Balancer. This option is a good choice because AWS WAF is designed to protect web applications from common web exploits. By blocking traffic from suspicious IPs at the Application Load Balancer, you can effectively block the malicious traffic before it reaches the web servers. Therefore, Option C is a good choice.

Option D suggests enabling AWS Shield and creating an AWS WAF ACL with a string match condition to block the malicious traffic. While this option may work, it is not as effective as Option A or Option C. Blocking traffic based on a string match condition may not be effective against HTTP Flood