What would be the BEST way to reduce the potential impact of these attacks in the future?
Use custom route tables to prevent malicious traffic from routing to the instances.
Update security groups to deny traffic from the originating source IP addresses.
Use network ACLs.
Install intrusion prevention software (IPS) on each instance.
Explanations:
Custom route tables control how traffic is routed within a VPC, but they cannot filter malicious traffic or specifically prevent layer 7 attacks.
Security groups are stateful firewalls, but updating them to block specific IP addresses is ineffective when the attack sources change constantly. Additionally, brute-force attacks often originate from a wide range of IP addresses.
Network ACLs are stateless and provide an additional layer of security, but they are typically better suited to filtering traffic at a broader network level (e.g., by IP address or port), not to mitigating application-level attacks such as brute force.
Installing intrusion prevention software (IPS) on each instance would directly mitigate layer 7 attacks by identifying and blocking malicious traffic targeting the web application.
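To make the distinction in the explanations concrete, here is an added example (not part of the original question or its answer key) of the kind of application-level detection a host-based IPS applies to a web server's logs. The log lines, the line format (timestamp, source IP, path, HTTP status, target user) and the thresholds are all constructed for the illustration. It shows why a per-IP block, which is all a security group or network ACL rule can express, misses a brute-force attempt spread across many source addresses, while a detector that also counts failures per target account catches it.

```python
"""Minimal host-level brute-force detector over web access logs.

Added example for illustration; the log format, sample lines and
thresholds are constructed and are not from any real product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: time, source IP, path, HTTP status, target user.
# 203.0.113.10 hammers one account from a single IP (a per-IP rule catches it).
# 198.51.100.1-6 each try "bob" once (no single IP crosses a per-IP threshold).
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.10 /login 401 admin
2024-05-01T10:00:01 203.0.113.10 /login 401 admin
2024-05-01T10:00:02 203.0.113.10 /login 401 admin
2024-05-01T10:00:03 203.0.113.10 /login 401 admin
2024-05-01T10:00:04 203.0.113.10 /login 401 admin
2024-05-01T10:00:05 198.51.100.1 /login 401 bob
2024-05-01T10:00:06 198.51.100.2 /login 401 bob
2024-05-01T10:00:07 198.51.100.3 /login 401 bob
2024-05-01T10:00:08 198.51.100.4 /login 401 bob
2024-05-01T10:00:09 198.51.100.5 /login 401 bob
2024-05-01T10:00:10 198.51.100.6 /login 401 bob
2024-05-01T10:00:11 192.0.2.7 /index.html 200 -
2024-05-01T10:00:12 192.0.2.7 /login 200 alice
"""

PER_IP_THRESHOLD = 5    # failed logins from one source IP within WINDOW -> block the IP
PER_USER_THRESHOLD = 5  # failed logins against one account from any IPs -> throttle the account
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, ip, path, status, user = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status), user


def detect(log_text, per_ip=PER_IP_THRESHOLD, per_user=PER_USER_THRESHOLD, window=WINDOW):
    """Return (blocked_ips, throttled_users) using a sliding window per key.

    Only failed login attempts (POST-style /login with a 401 response) count;
    successful logins and other paths are ignored.
    """
    ip_events = defaultdict(deque)    # source IP -> timestamps of failed logins
    user_events = defaultdict(deque)  # target user -> timestamps of failed logins
    blocked_ips, throttled_users = set(), set()

    for line in log_text.splitlines():
        ts, ip, path, status, user = parse_line(line)
        if path != "/login" or status != 401:
            continue
        # Evaluate the same sliding-window rule on two different keys: the
        # network-level key (IP) and the application-level key (account).
        for key, store, threshold, out in (
            (ip, ip_events, per_ip, blocked_ips),
            (user, user_events, per_user, throttled_users),
        ):
            events = store[key]
            events.append(ts)
            while events and ts - events[0] > window:
                events.popleft()
            if len(events) >= threshold:
                out.add(key)
    return blocked_ips, throttled_users


if __name__ == "__main__":
    ips, users = detect(SAMPLE_LOG)
    print("block source IPs:", sorted(ips))       # only 203.0.113.10
    print("throttle accounts:", sorted(users))    # admin and bob
```

Run on the sample, the per-IP rule blocks only 203.0.113.10; the six distributed attempts against "bob" never trip it, which is the gap in an IP-based security-group or network ACL block. The per-account rule, which needs visibility into the HTTP request and its outcome, flags both "admin" and "bob", and that application-level visibility is what an instance-level IPS provides.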