AWS Certified Advanced Networking – Specialty ANS-C00 – Question 160

You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

A. You configured the rule number to be too low.
B. A NACL can't protect against a DDoS.
C. The DDoS isn't a TCP attack.
D. You need to add a deny rule outbound also since NACLs are stateful.

Correct Answer: C

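Explanation:

The DDoS isn’t a TCP attack (this time). A DDoS can use several different protocols, so a rule that denies only TCP leaves the other protocols untouched. NACLs are stateless, not stateful, which rules out D. The lower the rule number, the higher the priority, so a low rule number (A) is not what lets the traffic through.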