Responding to DDoS events in Amazon
This page explains how Amazon responds to DDoS attacks, and provides options for how you can further respond.
Amazon automatically mitigates network and transport layer (layer 3 and layer 4) DDoS attacks. If you use Shield Advanced to protect your Amazon EC2 instances, during an attack Shield Advanced automatically deploys your Amazon VPC network ACLs to the border of the Amazon network. This allows Shield Advanced to provide protection against larger DDoS events. For more information about network ACLs, see Network ACLs.
For application layer (layer 7) DDoS attacks, Amazon attempts to detect and notify Amazon Shield Advanced customers through CloudWatch alarms. By default, it doesn't automatically apply mitigations, to avoid inadvertently blocking valid user traffic.
For application layer (layer 7) resources, you have the following options available for responding to an attack.
- Provide your own mitigations – You can investigate and mitigate the attack on your own. For information, see Manually mitigating an application layer DDoS attack.
- Contact support – If you're a Shield Advanced customer, you can contact the Amazon Web Services Support Center to get help with mitigations. Critical and urgent cases are routed directly to DDoS experts. For information, see Contacting the support center during an application layer DDoS attack.
Additionally, before an attack occurs, you can proactively enable the following mitigation options:
- Automatic mitigations on Amazon CloudFront distributions – With this option, Shield Advanced defines and manages mitigating rules for you in your web ACL. For information about automatic application layer mitigation, see Automating application layer DDoS mitigation with Shield Advanced.
- Proactive engagement – When Amazon Shield Advanced detects a large application layer attack against one of your applications, the SRT can proactively contact you. The SRT triages the DDoS event and creates Amazon WAF mitigations. The SRT contacts you and, with your consent, can apply the Amazon WAF rules. For more information about this option, see Setting up proactive engagement for the SRT to contact you directly.