Responding to DDoS events - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Responding to DDoS events

Amazon automatically mitigates network and transport layer (layer 3 and layer 4) Distributed Denial of Service (DDoS) attacks. If you use Shield Advanced to protect your Amazon EC2 instances, during an attack Shield Advanced automatically deploys your Amazon VPC network ACLs to the border of the Amazon network. This allows Shield Advanced to provide protection against larger DDoS events. For more information about network ACLs, see Network ACLs.

For application layer (layer 7) DDoS attacks, Amazon attempts to detect and notify Amazon Shield Advanced customers through CloudWatch alarms. By default, it doesn't automatically apply mitigations, to avoid inadvertently blocking valid user traffic.

For application layer (layer 7) resources, the following sections describe the options available to you for responding to an attack.

Additionally, before an attack occurs, you can proactively enable the following mitigation options:

  • Automatic mitigations on Amazon CloudFront distributions – With this option, Shield Advanced defines and manages mitigating rules for you in your web ACL. For information about automatic application layer mitigation, see Shield Advanced automatic application layer DDoS mitigation.

  • Proactive engagement – When Amazon Shield Advanced detects a large application layer attack against one of your applications, the SRT can proactively contact you. The SRT triages the DDoS event and creates Amazon WAF mitigations. The SRT contacts you and, with your consent, can apply the Amazon WAF rules. For more information about this option, see Configuring proactive engagement.

Contacting the support center during an application layer DDoS attack

If you're an Amazon Shield Advanced customer, you can contact the Amazon Web Services Support Center to get help with mitigations. Critical and urgent cases are routed directly to DDoS experts. With Amazon Shield Advanced, complex cases can be escalated to the Amazon Shield Response Team (SRT), which has deep experience in protecting Amazon, Amazon.com, and its subsidiaries. For more information about the SRT, see Shield Response Team (SRT) support.

To get Shield Response Team (SRT) support, contact the Amazon Web Services Support Center. The response time for your case depends on the severity that you select; the response times for each severity are documented on the Amazon Web Services Support Plans page.

Select the following options:

  • Case type: Technical Support

  • Service: Distributed Denial of Service (DDoS)

  • Category: Inbound to Amazon

  • Severity: Choose an appropriate option

When speaking with our representative, explain that you're an Amazon Shield Advanced customer experiencing a possible DDoS attack. Our representative will direct your call to the appropriate DDoS experts. If you open a case with the Amazon Web Services Support Center using the Distributed Denial of Service (DDoS) service type, you can speak directly with a DDoS expert by chat or telephone. DDoS support engineers can help you identify attacks, recommend improvements to your Amazon architecture, and provide guidance in the use of Amazon services for DDoS attack mitigation.

For application layer attacks, the SRT can help you analyze the suspicious activity. If you have automatic mitigation enabled for your resource, the SRT can review the mitigations that Shield Advanced is automatically placing against the attack. In any case, the SRT can assist you in reviewing and mitigating the issue. Mitigations that the SRT recommends often require the SRT to create or update Amazon WAF web access control lists (web ACLs) in your account. The SRT needs your permission to do this work.

Important

We recommend that as part of enabling Amazon Shield Advanced, you follow the steps in Configuring access for the Shield Response Team (SRT) to proactively provide the SRT with the permissions that they need to assist you during an attack. Providing permission ahead of time helps to prevent any delays in the event of an actual attack.

The SRT helps you triage the DDoS attack to identify attack signatures and patterns. With your consent, the SRT creates and deploys Amazon WAF rules to mitigate the attack.

You can also contact the SRT before or during a possible attack to review mitigations and to develop and deploy custom mitigations. For example, if you're running a web application and need only ports 80 and 443 open, you can work with the SRT to preconfigure a web ACL to "allow" only ports 80 and 443.

You authorize and contact the SRT at the account level. That is, if you use Shield Advanced within a Firewall Manager Shield Advanced policy, the account owner, not the Firewall Manager administrator, must contact the SRT for support. The Firewall Manager administrator can contact the SRT only for accounts that they own.

Manually mitigating an application layer DDoS attack

If you determine that the activity in the events page for your resource represents a DDoS attack, you can create your own Amazon WAF rules in your web ACL to mitigate the attack. This is the only option available if you aren't a Shield Advanced customer. Amazon WAF is included with Amazon Shield Advanced at no additional cost. For information about creating rules in your web ACL, see Web access control lists (web ACLs).

If you use Amazon Firewall Manager, you can add your Amazon WAF rules to a Firewall Manager Amazon WAF policy.

To manually mitigate a potential application layer DDoS attack
  1. Create rule statements in your web ACL with criteria that match the unusual behavior. To start with, configure them to count matching requests. For information about configuring your web ACL and rule statements, see Web ACL rule and rule group evaluation and Testing and tuning your Amazon WAF protections.

    Note

    Always test your rules first by initially using the rule action Count instead of Block. After you're comfortable that your new rules are identifying the correct requests, you can modify them to block the requests.

  2. Monitor the request counts to determine whether you want to block the matching requests. If the volume of requests continues to be unusually high and you're confident that your rules are capturing the requests that are causing the high volume, change the rules in your web ACL to block the requests.

  3. Continue monitoring the events page to ensure that your traffic is being handled as you want it to be.
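The three steps above, worked through in code as an added example that is not part of the Amazon WAF documentation or the wafv2 API itself: step 1 builds a rate-based rule with the Count action, step 2 decides from the rule's CountedRequests readings whether to promote it to Block, and a helper writes the changed rule list back to the web ACL with boto3. The rule dictionaries follow the shape the wafv2 UpdateWebACL API expects; the rule name, the request limit, the path prefix, the sample counts and the threshold are constructed placeholders, and the web ACL name, id and scope are assumed to be supplied by the caller.

```python
"""Added example (not from the Amazon WAF documentation): the manual
mitigation steps expressed as wafv2-shaped rule dictionaries.

Step 1 builds a rate-based rule in Count mode, step 2 decides from the
rule's CountedRequests samples whether to promote it to Block, and the
optional apply_to_web_acl() pushes the result with boto3. Web ACL name,
id, scope and the numeric thresholds are hypothetical placeholders."""
import copy
import json


def rate_based_count_rule(name, limit, priority, uri_prefix=None):
    """Step 1: a rule that counts, not blocks, source IPs that exceed
    `limit` requests in the rate-based rule's evaluation window.
    `uri_prefix` optionally scopes the rule down to one path prefix."""
    rate = {"Limit": limit, "AggregateKeyType": "IP"}
    if uri_prefix is not None:
        rate["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": uri_prefix,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": rate},
        "Action": {"Count": {}},        # test first, as the Note advises
        "VisibilityConfig": {           # metrics needed to read counts
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def should_block(counted_samples, threshold, min_samples=3):
    """Step 2 decision: promote only when the last `min_samples` readings
    of the rule's CountedRequests metric (AWS/WAFV2 namespace) all sit at
    or above `threshold`, so a single spike does not trigger blocking."""
    if len(counted_samples) < min_samples:
        return False
    return all(c >= threshold for c in counted_samples[-min_samples:])


def promote_to_block(rules, rule_name):
    """Step 2 change: return a copy of `rules` with `rule_name` switched
    from Count to Block. Other rules are untouched; unknown names or
    rules without their own Action (rule-group references) are errors."""
    updated = copy.deepcopy(rules)
    for rule in updated:
        if rule["Name"] != rule_name:
            continue
        if "Action" not in rule:
            raise ValueError(f"{rule_name} has no Action; use OverrideAction")
        rule["Action"] = {"Block": {}}
        return updated
    raise KeyError(f"no rule named {rule_name}")


def apply_to_web_acl(name, scope, acl_id, transform):
    """Fetch the web ACL, apply `transform` to its rule list and write it
    back with the LockToken that wafv2 requires for optimistic locking.
    Requires boto3 and credentials; the offline walk-through below does
    not call it."""
    import boto3  # imported here so the rest of the module runs offline

    wafv2 = boto3.client("wafv2")
    current = wafv2.get_web_acl(Name=name, Scope=scope, Id=acl_id)
    acl = current["WebACL"]
    wafv2.update_web_acl(
        Name=name, Scope=scope, Id=acl_id,
        DefaultAction=acl["DefaultAction"],
        Rules=transform(acl["Rules"]),
        VisibilityConfig=acl["VisibilityConfig"],
        LockToken=current["LockToken"],
    )


if __name__ == "__main__":
    # Constructed walk-through: a login endpoint receives a request flood.
    rules = [rate_based_count_rule("LoginFlood", 2000, 0, "/login")]
    print(json.dumps(rules[0]["Statement"], indent=2))
    # Constructed CountedRequests samples, one per monitoring period.
    samples = [120, 3400, 3900, 4100]
    if should_block(samples, threshold=3000):
        rules = promote_to_block(rules, "LoginFlood")
    print(rules[0]["Action"])  # {'Block': {}}
```

The Count-then-Block split is what keeps step 1 safe: the rule is visible in CloudWatch and in sampled requests before it affects any client, and promote_to_block only changes the one named rule, so an existing allow or block rule in the same web ACL is left exactly as it was.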

Amazon provides preconfigured templates to get you started quickly. The templates include a set of Amazon WAF rules that you can customize and use to block common web-based attacks. For more information, see Amazon WAF Security Automations.