AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 251
You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?
Answer options
- A. You configured the rule number to be too low.
- B. A NACL can't protect against a DDoS.
- C. The DDoS isn't a TCP attack.
- D. You need to add a deny rule outbound also since NACLs are stateful.
Correct answer: C
Explanation
The correct answer is C. A NACL rule only matches packets of the protocol it names, so a deny rule for TCP leaves UDP and ICMP traffic untouched. Volumetric DDoS floods are frequently UDP (reflection and amplification) or ICMP, so the traffic you still see is the part the TCP rule never evaluates. Option A is incorrect because NACL rules are evaluated in ascending rule-number order and the first match wins; a low rule number makes the deny take effect earlier, not later (a deny numbered above the default allow rule 100 would be a real mistake, but that is not what the option describes). Option B is misleading: a NACL deny rule does drop matching packets at the subnet boundary, so it reduces the attack traffic reaching your instances, even though a NACL on its own is not a complete DDoS defence. Option D is incorrect because NACLs are stateless, not stateful: inbound and outbound rules are evaluated independently, so an inbound deny needs no outbound counterpart to work.
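To make the evaluation order, protocol matching and stateless behaviour concrete, here is an added example written for this page (it is not AWS code and not part of the original question bank). It models how a network ACL evaluates a packet against its inbound rule list: lowest rule number first, first match wins, implicit deny for anything unmatched. The rule sets, rule numbers, source addresses and "attack" packets are constructed for illustration; the protocol numbers (1, 6, 17 and -1 for all) are the values NACL rules actually use.

```python
# Added example: a minimal model of AWS network ACL (NACL) rule evaluation.
# Illustrative code written for this page, not AWS's implementation.
# Semantics modelled: rules are evaluated in ascending rule-number order,
# the first match decides, an unmatched packet hits the implicit "*" deny,
# and inbound/outbound lists are evaluated independently (stateless).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALL = -1                     # NACL protocol value meaning "all protocols"
ICMP, TCP, UDP = 1, 6, 17    # IANA protocol numbers used by NACL rules


@dataclass(frozen=True)
class Rule:
    number: int              # lower numbers are evaluated first
    protocol: int            # IANA protocol number or ALL
    action: str              # "allow" or "deny"
    cidr: str = "0.0.0.0/0"
    port_from: int = 0       # only meaningful for TCP/UDP rules
    port_to: int = 65535


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    dst_port: int = 0        # ignored for ICMP (real rules use type/code)


@dataclass
class Nacl:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    @staticmethod
    def _evaluate(rules, pkt):
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.protocol != ALL and rule.protocol != pkt.protocol:
                continue
            if ip_address(pkt.src) not in ip_network(rule.cidr):
                continue
            if rule.protocol in (TCP, UDP) and not (
                rule.port_from <= pkt.dst_port <= rule.port_to
            ):
                continue
            return rule.action       # first match wins
        return "deny"                # implicit "*" rule

    def ingress(self, pkt):
        # Stateless: only the inbound list is consulted; outbound rules
        # never influence whether an inbound packet is dropped.
        return self._evaluate(self.inbound, pkt)

    def egress(self, pkt):
        return self._evaluate(self.outbound, pkt)


DEFAULT_ALLOW = Rule(100, ALL, "allow")   # the default NACL's rule 100

# Constructed attack traffic (hypothetical sources from documentation ranges)
SYN_FLOOD = Packet(TCP, "203.0.113.7", 80)
UDP_FLOOD = Packet(UDP, "198.51.100.9", 53)
ICMP_FLOOD = Packet(ICMP, "192.0.2.3")
FLOODS = (SYN_FLOOD, UDP_FLOOD, ICMP_FLOOD)


def deny_tcp_only():
    """The NACL from the question: deny all TCP, placed ahead of the allow."""
    nacl = Nacl(inbound=[Rule(50, TCP, "deny"), DEFAULT_ALLOW],
                outbound=[DEFAULT_ALLOW])   # no outbound deny is needed
    return {p.protocol: nacl.ingress(p) for p in FLOODS}


def deny_all_protocols():
    """Protocol -1 (all) blocks TCP, UDP and ICMP alike."""
    nacl = Nacl(inbound=[Rule(50, ALL, "deny"), DEFAULT_ALLOW])
    return {p.protocol: nacl.ingress(p) for p in FLOODS}


def deny_tcp_numbered_too_high():
    """A deny numbered above the allow is the numbering mistake that lets
    TCP through; a low number (option A) is what makes a deny effective."""
    nacl = Nacl(inbound=[DEFAULT_ALLOW, Rule(200, TCP, "deny")])
    return nacl.ingress(SYN_FLOOD)


if __name__ == "__main__":
    print("deny TCP only      :", deny_tcp_only())
    print("deny all protocols :", deny_all_protocols())
    print("deny TCP at 200    :", deny_tcp_numbered_too_high())
```

Running it shows the question's situation directly: with only the TCP deny in place the SYN flood is dropped but the UDP and ICMP floods are still allowed by rule 100, a deny with protocol -1 stops all three, and moving the TCP deny to a number above the allow rule lets the SYN flood through again.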