Question 13: You have a web application running on AcmeTechie. com a networking site for software professionals and freelancers and your users are most from selected countries like USA, India, China, Japan etc. This application is running on web server hosted on EC2 instances which are placed in a Placement Group. Now suddenly on some day, you found that hit on your website has increased as well as some unknown IP tries to reach the database server as well. Your Database server are in a subnet which is in private VPC. As an AWS security expert what will you do?

1. Shutdown the website for few minutes to disguise the attacker. If it is a real attack.
2. You will modify the security group rules of Database server instance, such that this particular unidentified can be blocked or denied.
3. You will change the NACL attached to database private VPC subnet, so that inbound traffic from that specific IP can be blocked.
4. You will change scaling strategy of database server instances, so that if traffic demand increases than also it can be served.
5. You will use enhanced networking feature, so that all the request can be fulfilled.

Correct Answer : C

Detailed Explanation: If you read question carefully then you will find it is talking about DDoS attach on the database server. If you have an application hosted like (http://QuickTechie.com ) and one of the malicious outside server continuously send huge request to your server intentionally to affect the availability of your server. This is called a DDOS (Distributed Denial of service) attack. Generally this type of attach does not happen from single IP but rather multiple systems (distributed) are used with different IP addresses.

There are two types of DDOS attack, decided based on OSI layer

1. Infrastructure Layer attack (Layer 4=transport and 3=Network in OSI model): This attacks are large in volume and usually aim to overload the capacity of the network of application servers. It can be easily detected because they have clear signature.
2. Application layer attack (Layer 6=Presentation and 7=Application): This types of attacks are not common. They are small in volume, but focuses on particular part of application like payment service of (http://hadoopexam.com)

In the given scenario to avoid attack from single IP address, we should consider using either security group or NACL (network access control list). Since Security group does not allow to define deny rules, we cannot use them. Hence option 2 is out. You cannot shutdown your website so option 1 is also out.

It is not a good idea to support/serve the attack we increase number of instances and scale it. Hence, option 4 is also out.

Enhanced Networking: Enhanced networking provides higher bandwidth, higher packet-per-second performance and consistently provide lower inter instance latencies. If your PPS (packets per second) rate appear to have reached ceiling, you should consider moving to enhanced networking because you have likely reached the upper threshold. There is no point to use enhanced networking feature to support/serve the attack.

Your first approach should always be avoid the attacker. For this you can use NACL, network access control list. NACL allows to define both outgoing and incoming traffic rules. In this case we need to block the IP address and port from which we are receiving suspicious traffic.