Which approach provides a cost-effective, scalable mitigation to this kind of attack?
Recommend that they lease space at a Direct Connect partner location and establish a 1 Gbps Direct Connect connection to their VPC. They would then establish Internet connectivity into their space, filter the traffic in a hardware Web Application Firewall (WAF), and pass the traffic through the Direct Connect connection into their application running in their VPC.
Add previously identified hostile source IPs as explicit INBOUND DENY rules in the NACL of the web tier subnet.
Add a WAF tier by creating a new ELB and an Auto Scaling group of EC2 instances running a host-based WAF. They would change Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group.
Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality.
Explanations:
Leasing space at a Direct Connect partner location and filtering traffic in a hardware WAF would be a costly and complex solution for mitigating web attacks. It adds latency, colocation and hardware costs, and a second environment to operate, and a fixed 1 Gbps circuit is a hard capacity ceiling rather than something that scales with the attack. Direct Connect is intended for private connectivity between a customer network and AWS, not as a path for filtering public web traffic.
Adding hostile source IPs to a NACL (Network Access Control List) provides a basic level of protection by blocking known bad actors. However, NACLs hold a limited number of rules (the default quota is 20 rules per NACL, raisable to 40), the list must be updated by hand as attackers rotate addresses, and a source-IP deny does nothing against traffic from IPs not previously identified, spoofed sources, or attackers who simply change tactics. It is a reactive, non-scalable control rather than a mitigation.
Implementing a WAF tier with a new ELB and an Auto Scaling group of EC2 instances running a host-based WAF provides a scalable and effective approach to filtering malicious traffic. The Auto Scaling group grows the inspection capacity with the load, the WAF performs application-layer inspection against rule sets, and attacks are blocked before they reach the web tier. Pointing Route 53 at the new WAF tier ELB routes clients through the inspection layer, and restricting the web tier Security Groups to accept traffic only from the WAF tier Security Group means the web instances cannot be reached directly even by an attacker who discovers their addresses or the old ELB name. Together these changes ensure that only inspected traffic reaches the web tier.
Removing older TLS versions from the ELB listener is sound hygiene, but an ELB terminates TLS and forwards requests; it does not inspect URIs, headers or request bodies against attack signatures, and "Advanced Protocol Filtering" is not an ELB capability that provides WAF functionality. This option lacks the application-layer inspection and rule sets a WAF provides, leaving the application exposed to the very attacks a WAF is meant to handle.
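The two configuration steps that make the WAF tier design hold up are the Route 53 record change and the web tier Security Group lock-down, and the second is the one that is easy to get only half right (the new rule is added but the old public ingress rule is left in place). The following script, added here as an illustration and not part of the original question or its answer key, audits a security group description in the shape of `aws ec2 describe-security-groups` output, lists the AWS CLI commands that would bring the web tier into line, and builds the Route 53 ChangeBatch that repoints the site at the WAF tier ELB. The group IDs, hosted zone ID and DNS names are hypothetical, and the sample group description is constructed for this example.

```python
"""Audit and remediation helpers for the WAF-tier design.

Checks that the web tier security group accepts HTTP/HTTPS only from the
WAF tier security group, never from a CIDR range or another group.
"""
import json

WAF_TIER_SG = "sg-0waf0000000000001"   # hypothetical WAF tier security group
WEB_TIER_SG = "sg-0web0000000000002"   # hypothetical web tier security group

# Constructed sample: the new rule referencing the WAF tier SG has been added
# on 443, but the old public ingress rule was never revoked and port 80 is
# not yet allowed from the WAF tier at all.
SAMPLE_DESCRIBE_SG = json.dumps({
    "SecurityGroups": [{
        "GroupId": WEB_TIER_SG,
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": WAF_TIER_SG}]},
        ],
    }]
})


def audit_web_tier(describe_sg_json, web_sg_id, waf_sg_id, ports=(80, 443)):
    """Return findings as (kind, proto, from_port, to_port, source) tuples.

    kind is "cidr" or "group" for an ingress rule that bypasses the WAF tier,
    or "missing" when a required port is not allowed from the WAF tier SG.
    An empty list means the web tier is reachable only through the WAF tier.
    """
    groups = json.loads(describe_sg_json)["SecurityGroups"]
    web = next((g for g in groups if g["GroupId"] == web_sg_id), None)
    if web is None:
        raise ValueError(f"web tier group {web_sg_id} not found")

    findings, covered = [], set()
    for perm in web["IpPermissions"]:
        proto = perm["IpProtocol"]
        # "-1" is the all-traffic protocol and carries no port range.
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        for r in perm.get("IpRanges", []):
            findings.append(("cidr", proto, lo, hi, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            findings.append(("cidr", proto, lo, hi, r["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == waf_sg_id and proto in ("tcp", "-1"):
                covered.update(p for p in ports if lo <= p <= hi)
            else:
                findings.append(("group", proto, lo, hi, pair["GroupId"]))
    for p in ports:
        if p not in covered:
            findings.append(("missing", "tcp", p, p, waf_sg_id))
    return findings


def remediation_commands(findings, web_sg_id):
    """Translate findings into AWS CLI commands (printed, not executed)."""
    cmds = []
    for kind, proto, lo, hi, src in findings:
        port = f"--port {lo}" if lo == hi else f"--port {lo}-{hi}"
        if proto == "-1":
            proto_args = "--protocol all"
        else:
            proto_args = f"--protocol {proto} {port}"
        if kind == "cidr":
            cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {web_sg_id} "
                        f"{proto_args} --cidr {src}")
        elif kind == "group":
            cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {web_sg_id} "
                        f"{proto_args} --source-group {src}")
        else:
            cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {web_sg_id} "
                        f"--protocol tcp --port {lo} --source-group {src}")
    return cmds


def route53_change_batch(record_name, elb_dns_name, elb_hosted_zone_id):
    """ChangeBatch for `aws route53 change-resource-record-sets --change-batch`
    that UPSERTs an alias A record pointing the site at the WAF tier ELB."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": record_name, "Type": "A",
        "AliasTarget": {"HostedZoneId": elb_hosted_zone_id,
                        "DNSName": elb_dns_name,
                        "EvaluateTargetHealth": True}}}]}


if __name__ == "__main__":
    found = audit_web_tier(SAMPLE_DESCRIBE_SG, WEB_TIER_SG, WAF_TIER_SG)
    for f in found:
        print("FINDING:", f)
    print("\n".join(remediation_commands(found, WEB_TIER_SG)))
    # Hypothetical record name, ELB DNS name and ELB hosted zone ID.
    print(json.dumps(route53_change_batch("www.example.com.",
                                          "waf-tier-elb-123456.us-east-1.elb.amazonaws.com",
                                          "Z35SXDOTRQ7X7K"), indent=2))
```

Run the audit against the real `describe-security-groups` output for the web tier after every change; a clean result is an empty finding list. The remediation commands are emitted rather than executed so that the revoke of the public rule can be sequenced after the WAF tier is confirmed healthy and Route 53 has switched over.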