Exam CISSP topic 1 question 445 discussion

I will go with D. Engage ISP...Reduce Attack Surface Area One of the first techniques to mitigate DDoS attacks is to minimize the surface area that can be attacked We are not told which layer ddos are we dealing with. WAF wont help against layer-3-4 DDoS,

Answer D) Engaging an upstream Internet Service Provider (ISP) This entire NIST document is referencing upstream ISP as a mitigation option. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-189.pdf

D. Engaging an upstream Internet Service Provider (ISP) can be helpful in mitigating Distributed Denial of Service (DDoS) attacks because the upstream ISP can take proactive measures to prevent or filter out malicious traffic before it reaches the organization's network.

By working with the upstream ISP, traffic can be filtered and blocked before it reaches the target organization's network. ISPs often have more significant resources and specialized tools to handle large-scale DDoS attacks, and they can implement traffic filtering mechanisms to mitigate the impact. This approach helps prevent the malicious traffic from overwhelming the organization's network infrastructure in the first place. While deploying a web application firewall (WAF), blocking specific TCP ports, and detecting and blocking bad IP subnets on the corporate firewall are also valid strategies, engaging an upstream ISP is often more effective against large-scale DDoS attacks that may otherwise saturate the organization's internet bandwidth and overwhelm its defenses.

An ISP doesn't block traffic, they provide access. If you have a service like Akamai, which is a content delivery network, they can block, but not your ISP. C. Block the bad addresses at the firewall

To stop a distributed attack, a website should be able to differentiate between an attack and a high volume of legitimate traffic. IP reputation, previous data, and common attack patterns are able to help with the detection of an actual attack.

Got to go with A here. I know AWS uses WAF to prevent DDoS attacks. A web application firewall (WAF) is a type of firewall that monitors, filters or blocks incoming traffic to a web application. It is designed to protect web applications from attacks such as DDoS attacks. A WAF can prevent a DDoS attack by blocking or rate-limiting incoming traffic that is deemed to be malicious.