Your online shopping web application is deployed in an AWS Auto Scaling group. An Application Load Balancer is used to distribute the traffic to the ASG. Recently there are frequent application layer DDoS attacks against the server. The attacker uses a botnet to perform an HTTP Flood attack that targets several components of the website. You perform some analysis and identify several IPs that generate the malicious traffic. Which of the following actions can block these IPs to mitigate the DDoS attack effectively?

Answer options:

A.Enable AWS Shield Advanced that identifies suspicious IP addresses, generates WAF ACL rules automatically and blocks the malicious traffic.
B.Create a CloudFront distribution for your application. Configure an IP blacklist in the distribution.
C.Configure an AWS WAF ACL that contains an IP match condition to block suspicious IPs. Deploy AWS WAF on the Application Load Balancer.
D.Enable AWS Shield and in the meantime, create an AWS WAF ACL with a string match condition to block the bogus traffic.

Correct Answer – C
AWS WAF can effectively protect the servers from application layer DDoS attacks. You can create a WAF ACL that has the rule to block problematic IPs.
Option A is incorrect: With AWS Shield Advanced, you can involve the DDoS response team (DRT) to help you analyze the suspicious activity. However, AWS Shield Advanced does not automatically create WAF ACLs. The DRT team needs your permissions to create or update WAF ACLs if necessary.
Option B is incorrect: Because you cannot configure an IP blacklist in a CloudFront distribution. It should be configured in AWS WAF.Option C is CORRECT: You can configure a rule in WAF ACL that has an IP match condition. The application layer DDoS attacks can be effectively mitigated as the incoming requests are filtered by AWS WAF.Option D is incorrect: AWS Shield is enabled by default, and you do not need to enable it. And the WAF ACL should include an IP match condition instead of a string match condition.