AWS DDOS

Question 1

To mitigate DDOS, what is the recommended approach?

Answer 1

• Be ready and able to scale.
• Minimise attach surface
• What is normal, need to be monitoring to understand what is normal
• Plan for attacks

Question 2

With regard to DDOS, what should you be doing with your attack surface?

Answer 2

Minimizing the attack surface, this means minimizing the footprint exposed to the internet, by way of securing all ports not required.

Question 3

To mitigate a DDOS attack, what infrastructure services can you use?

Answer 3

ELB to balance traffic between autoscaled instances, so as the DDOS load increases so does the ability to absorb the increase of traffic

Question 4

With regard to the attack surface, what should you be doing when designing an application and infrastructure on AWS to deal with DDOS?

Answer 4

Minimizing the attack surface by decoupling your application into layers, with only the layer like the web layer exposed to the internet. Keep all other layers in private VPC, ensure only one service per instance.

Question 5

With regard to DDOS and having a decoupled application infrastructure, what AWS components are good for decoupling?

Answer 5

SQS, Elastic Beanstalk.

Question 6

With regard to DDOS and knowing what is normal, what services can help in this area?

Answer 6

SNS, CloudWatch

Question 7

With regard to DDOS, do you need a plan?

Answer 7

Yes, you need a plan,
Same app
Country
Nature (SYN flood, App)
Have business support should be in place

Question 8

What services can help mitigate DDOS?

Answer 8

• Cloudfront CDN is designed to mitigate any attack so your content is always available.
• Route53 is designed to mitigate the attack and be always available.
• Autoscaling enables your app to absorbed attack
• ELB enables your app to scale
• WAF
• VPC & Security groups

Question 9

What are the five DDOS attack vectors?

Answer 9

UDP reflection attacks
UDP flood
TCP SYN flood
Web application layer
DNS query flood

Question 10

What is rate based blacklisting?

Answer 10

It is the ability of a WAF to blacklist traffic on its rate if some bad actor is DDOSing your application.

Question 11

What is a syn cookie and how dose it helkp with syn flooding?

Answer 11

A syn cookiis is returned with the syn+ack to a syn, it

Question 12

What tequniques is AWS using to mitigate DDOS attacks?

Answer 12

Allow only valid traffic
SYN- Cookie
Suspicion-based traffic shaping

Question 13

How will the AWS ELB mitigate DDOS attack?

Answer 13

• ELB will start to scale our as traffic arives.
• AWS Blackwatch kickes in to protect the ELB and apply blackwatch mitigation.
• This is why you wnat your app to also auto scale

Question 14

What is a Syn flood attack?

Answer 14

A syn attach is an attack where many syns are sent to try to overflow the table used to track syn requests.

Question 15

What is the mitigation used for syn attacks?

Answer 15

Use syn cookies

Question 16

what is UDP reflection attacks?

Answer 16

Where the stateless nature of UPD is used to have another server respond to the target IP to a request sent by another server.

Question 17

What are application layer attacks?

Answer 17

Where Lare 7, the application layer protocol is used to try to overflow many parts of the application, like, cache.

Question 18

Do you get DDOS mitigation from AWS?

Answer 18

Yes, you get transport layer DDOS mitigation on all services?

Question 19

I have an application, it is a single server web facing, how cna I easily get DDOS protection on it?

Answer 19

Add an LB, even tho you do not need the lB feature. AWS LB has built-in DDOS protection for the transport layer.

Question 20

What services could I use from AWS to protect again DDOS attacks?

Answer 20

You can use LB, Route53 and CloudFront as all these services have DDOS protection builtin, where AWS baselines traffic and mitigates.

Question 21

What are the following group of DDOS attacks, syn, UDP reflection, UDP flood?

Answer 21

Transport layer group

Question 22

I need to secure my API from DDOS, how can I do this?

Answer 22

Using an ELB is an option, but you can also use CloudFront as you can have API delivered to the origin as CF can deal with dynamic content.

Question 23

What services help mitigate DDOS attacks?

Answer 23

AWS WAF (
Route53
AWS API GW
VPC (Reflection attacks)
EC2 (Reflection attack)

Question 24

What will placing the ELB in front of instances do for security?

Answer 24

ELC stops many attacks but needs WAFfor l7

Question 25

What protection does ALB offer?

Answer 25

Blocks, Many common DDOS attacks.

Question 26

How do CF help again DDOS attacks?

Answer 26

It baselines traffic and filters, it also protects again syn attacks, UDP floods and scales.

Question 27

I want to block traffic based on signature, what service can I use?

Answer 27

You cna use CF and ELB

Question 28

I want to block traffic based on signature, what service can I use?

Answer 28

You cna use CF and ELB pr Advanced WAF

Question 29

I want to get restrict traffic to help protect again attacks, what options do I have?

Answer 29

WAF and CF enable you to restrict traffic by GEO, Route53 also can restrict its traffic by GEO.

Question 30

How can I ensure that only traffic from CF is sent to my origin?

Answer 30

You can set up a custom header in CF

Question 31

I have an API on EC2 instance, how could I protect this?

Answer 31

CF does a good job of providing DDOS attacks and works for dynamic content. So does API Gateway, with API GW you have edge optimised.

Question 32

From an operational perspective, what must you have

Answer 32

Visibility. Cloudwatch, network flows,

Question 33

What are DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, or
DDoSAttackRequestsPerSecond

Answer 33

They are a metric in Cloudwatch that show you a DDOS attack, only available on the advanced shield. You should have an alarm set on these.

Question 34

What is DDoSDetected?

Answer 34

It is on the shield and enables you to know if DDOS is happening.

Question 35

What is the difference between DOS and DDOS?

Answer 35

DOS is a using attacker, DDOS is multiple coordinated attackers

Question 36

How do you minimize the attack surface?

Answer 36

Reduce entry points.
do not expose middle or backend
separate user and management traffic

Question 37

How do you scale to absorb attack?

Answer 37

Auto scale ELB & ELB

• Horizontal scale with ELB
• EC2 vertical scale
• Enhanced networking enables more traffic to be processed by instance.
• CloudFront
• WAF

Question 38

When using Shield Advance, what happens to your ACL’s in relation to the edge?

Answer 38

During an attack, your ACL’s are enforced at the edge of the AWS network, stopping traffic out at the edge and close to where it comes to form.

Question 39

What are the top 10 to protect again DDOS attacks?

Answer 39

• Use globally distributed services like CF and R53
• ELB to provide scale
• Instance and environment scaling
• Security groups and ACLs

Question 40

What protection do you get from using CF?

Answer 40

• Inline inspection
• Syn proxy protection
• Slow read protection
• Only valid HTTP/TCP packets