You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS)
attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
A.
Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
B.
Use dedicated instances to ensure that each instance has the maximum performance possible.
C.
Use an Amazon CloudFront distribution for both static and dynamic content.
D.
Use an Elastic Load Balancer with auto scaling groups at the web. App and Amazon Relational Database
Service (RDS) tiers
E.
Add alert Amazon CloudWatch to look for high Network in and CPU utilization.
F.
Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
CDE
2
0
BDE
F is useless.
1
0
CDE
1
0
I agree CDE.
C – CloudFront can absorb attack to some extent, and you may add WAF to ward off such attacks
D – you can use both external and internal facing ELBs
E – is obvious
1
0
F is indeed impractical as it is hard or impossible to determine which traffic is legit when it is a DDoS
0
2
I think there may only be two correct answers to this one: C and E.
A. incorrect… While it is definitely an AWS published suggestion to consider enhanced networking or even 10Gbps interfaces on an instance to assist in mitigating against high traffic floods, two ENIs cannot be used together to help balance network load. ELB always sends traffic to the primary address on the primary ENI of the instance.
B. Not an AWS recommended approach for dealing with DDoS mitigation.
C. Absolutely correct… Cloudfront is probably the single, best DDoS mitigation you can implement if you had to pick only one.
D. This one is close, and would absolutely work as a recommended best practice for the web and app tiers. This answer might even be workable on the DB tier for DB read requests (writes would be problematic), by load-balancing across a number of read replicas using a non-ELB load-balancing mechanism, such as DNS load balancing, HAproxy, F5 instance, etc. But D states you are using ELBs to perform the load-balancing, and it is not currently possible to attach an RDS instance to an ELB, only EC2 instances. Also, D states that you are using auto scaling groups for all three tiers, and it is not currently possible to use RDS instances in an auto scaling group.
E. Absolutely correct, and very helpful for auto scaling.
F. Seems unlikely. Question is asking about DDoS attacks, which could come from millions of source IP addresses. Even if you could identify incoming requests as malicious (you would not always be able to separate legitimate from malicious), there could be so many malicious source IP addresses in a DDoS that this would not scale very well.
3
0
E is not a mitigation technique .. Question is not around the monitoring but the mitigation.
On the firewall ( IPS ) you can create rules for UDP and ICMP flood protect as in thresholds.
BDF still holds good .
0
0
E by itself doesn’t mitigate, but it is definitely part of any manual or automated response to the DDoS. You need to know that you have a problem.
B – Bad. It requires running the most expensive instances all of the time to protect from a rare DDoS event. AWS defeats DDoS attackers by not letting them get what they want. It allows companies to scale up quickly and inexpensively during an attack and prevent an outage. (Best approaches are WAF/Shield, Cloudfront and autoscale.) It takes away leverage from the attacker used to have when the company would have to pay all of the time for resources to combat random / infrequent attacks.
D – Kiran is right about the database tier not autoscaling. As written, the question is bad
0
0
Kirrim you bare bang on. I would go with B C and E
B : May help if its a low and slow attack (buffer overflow, teardrop etc) and I would be saved from an attack on an adjacent machine which doesn’t even belong to me.
C: is obvious.
E: Monitoring is the first step of mitigation
0
0
By the way all EIP are protected by AWS for volumetric attack so its safe to assume we are talking about low slow attack
0
0
C and E are correct. Don’t know why you would put an LB in front of an RDS, which rules out D
A is my third choice? Looks better than the others.
0
0
D says elb with auto scaling, which means if there is DOS, and the CPU is inundated , auto scaling can provision new instance based on ELB health checks. So D is definitely right.
0
1
should be C.D.E
0
0
C, E, and F.
A and B are wrong as they increase costs and don’t necessarily protect from DDoS.
D is a trick question, AS and ELB are for EC2 not RDS.
We get C, E, and F now just using elimination but C is obviously correct and E would be part of any solution. In regards to F take a look at OSSEC or any number of commercial products.
3
0