Manually mitigating an application layer DDoS attack - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manually mitigating an application layer DDoS attack

This page provides instructions for manually mitigating an application layer DDoS attack.

If you determine that the activity shown on the events page for your resource is a DDoS attack, you can create your own Amazon WAF rules in your web ACL to mitigate it. If you aren't a Shield Advanced customer, writing your own rules is the only mitigation option available to you. Amazon WAF is included with Amazon Shield Advanced at no additional cost. For information about creating rules in your web ACL, see Using web ACLs in Amazon WAF.

If you use Amazon Firewall Manager, you can add your Amazon WAF rules to a Firewall Manager Amazon WAF policy.

To manually mitigate a potential application layer DDoS attack
  1. Create rule statements in your web ACL with match criteria that describe the unusual behavior (for example, a request rate per source IP against the targeted URI path that is far above normal). To start with, configure the rules to count matching requests rather than block them. For information about configuring your web ACL and rule statements, see Using web ACLs with rules and rule groups in Amazon WAF and Testing and tuning your Amazon WAF protections.

    Note

    Always test your rules first by using the rule action Count instead of Block. A rule in Count mode only records its matches (in the rule's CloudWatch metrics and sampled requests); matching requests still reach your resource. After you're confident that the new rules identify the correct requests, change them to block those requests.

  2. Monitor the request counts to determine whether you want to block the matching requests. If the volume of requests continues to be unusually high and you're confident that your rules are capturing the requests that are causing the high volume, change the rules in your web ACL to block the requests.

  3. Continue monitoring the events page to ensure that your traffic is being handled as you want it to be.
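The three steps above, carried through as an added example (not code from the Amazon documentation): build a rate-based rule scoped to one URI path in Count mode, decide from a run of CountedRequests datapoints whether the volume is sustained, and then flip that one rule to Block without touching the rest of the web ACL. The rule name, URI prefix, rate limit and the metric values are assumptions chosen for illustration; the `apply_rules` helper shows the boto3 `GetWebACL`/`UpdateWebACL` round trip with its lock token and is the only part that needs AWS credentials.

```python
"""Stage (Count), evaluate and promote (Block) a WAFv2 rate-based rule.

Added example; not code from the Amazon documentation. Rule name, path,
limit and sample metric datapoints are constructed for illustration.
"""
from __future__ import annotations

import copy
from typing import Any

Rule = dict[str, Any]

# Constructed example values (assumptions, not from the page).
RULE_NAME = "manual-ddos-login-rate"
URI_PREFIX = b"/login"   # boto3 passes ByteMatchStatement.SearchString as bytes
RATE_LIMIT = 2000        # requests per source IP within the evaluation window


def rate_based_rule(name: str, limit: int, uri_prefix: bytes,
                    action: str = "Count", priority: int = 10) -> Rule:
    """Step 1: a rule that rate-limits one URI path per source IP.

    It starts in Count mode, so it only records matches (CountedRequests
    metric, sampled requests) and does not change how traffic is handled.
    """
    if action not in ("Count", "Block"):
        raise ValueError(f"unsupported action {action!r}")
    if limit < 100:
        raise ValueError("a WAFv2 rate-based rule limit must be at least 100")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
                # Only requests to the attacked path count toward the limit.
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "SearchString": uri_prefix,
                        "FieldToMatch": {"UriPath": {}},
                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                        "PositionalConstraint": "STARTS_WITH",
                    }
                },
            }
        },
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,   # dimension to watch in CloudWatch
        },
    }


def sustained_above(counts: list[int], threshold: int, periods: int) -> bool:
    """Step 2 decision: the last `periods` datapoints are all above threshold.

    A single spike does not qualify; the volume has to stay unusually high.
    """
    if periods <= 0 or len(counts) < periods:
        return False
    return all(c > threshold for c in counts[-periods:])


def set_rule_action(rules: list[Rule], name: str, action: str) -> list[Rule]:
    """Return a copy of the rule list with one rule switched to `action`.

    Every other rule is left exactly as it was; the input is not mutated.
    """
    if action not in ("Count", "Block"):
        raise ValueError(f"unsupported action {action!r}")
    updated = copy.deepcopy(rules)
    for rule in updated:
        if rule["Name"] == name:
            rule["Action"] = {action: {}}
            return updated
    raise KeyError(f"rule {name!r} not found in web ACL")


def apply_rules(web_acl_name: str, scope: str, web_acl_id: str,
                rules: list[Rule]) -> str:
    """Push a rule list to a web ACL (needs AWS credentials; not run offline).

    WAFv2 updates are optimistic: the LockToken from GetWebACL must be sent
    back with UpdateWebACL, or the update is rejected.
    """
    import boto3  # lazy import so the rest of the module runs without it

    wafv2 = boto3.client("wafv2")
    current = wafv2.get_web_acl(Name=web_acl_name, Scope=scope, Id=web_acl_id)
    acl = current["WebACL"]
    resp = wafv2.update_web_acl(
        Name=web_acl_name, Scope=scope, Id=web_acl_id,
        DefaultAction=acl["DefaultAction"], Rules=rules,
        VisibilityConfig=acl["VisibilityConfig"], LockToken=current["LockToken"],
    )
    return resp["NextLockToken"]


# Constructed CountedRequests datapoints per 5-minute period (not real data).
SAMPLE_COUNTS = [120, 95, 4100, 3980, 4250, 4400]

if __name__ == "__main__":
    staged = [rate_based_rule(RULE_NAME, RATE_LIMIT, URI_PREFIX)]   # step 1
    if sustained_above(SAMPLE_COUNTS, threshold=1000, periods=3):    # step 2
        blocking = set_rule_action(staged, RULE_NAME, "Block")
        print("promote to Block:", blocking[0]["Action"])
    else:
        print("volume not sustained; keep counting")
```

The same rule JSON (with the search string as a plain string) can be passed to `aws wafv2 update-web-acl --rules file://rules.json` after fetching the lock token with `aws wafv2 get-web-acl`; with Firewall Manager you would add the rule to the policy's rule group instead of editing each web ACL directly. Whichever path you take, the order is the one in the procedure: stage in Count, watch the rule's CountedRequests metric, then promote to Block and keep watching.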

Amazon provides preconfigured templates to get you started quickly. The templates include a set of Amazon WAF rules that you can customize and use to block common web-based attacks. For more information, see Amazon WAF Security Automations.