Your application is under a DDoS attack - users cannot access your services, latency is spiking, and requests are timing out. AWS provides built-in DDoS protection (Shield Standard) and optional advanced protection (Shield Advanced), but you need to act fast to mitigate the impact.
AWS Shield Standard is enabled for every AWS account at no charge and automatically absorbs common network- and transport-layer (L3/L4) floods; it does not stop application-layer (L7) request floods, which is what the WAF steps below are for. Check the Shield console for active events. Per-attack detail through the CLI is only available with Shield Advanced.
# Note: Shield CLI commands require a Shield Advanced subscription
aws shield list-attacks \
  --start-time FromInclusive=<epoch-seconds> \
  --end-time ToExclusive=<epoch-seconds>
aws shield describe-attack --attack-id <attack-id>
Check request rates, 5xx errors, latency and network throughput on your ALB (RequestCount, HTTPCode_ELB_5XX_Count, TargetResponseTime and ProcessedBytes in the AWS/ApplicationELB namespace) or CloudFront distribution (Requests, 5xxErrorRate and BytesDownloaded in AWS/CloudFront, reported in us-east-1). A request spike accompanied by rising 5xx counts and latency means the flood is reaching your targets rather than being absorbed upstream.
# ALB request count; <alb-arn-suffix> is the app/<name>/<id> part of the ALB ARN.
# Repeat with the other metric names above to see whether targets are failing.
aws cloudwatch get-metric-statistics \
  --namespace AWS/ApplicationELB \
  --metric-name RequestCount \
  --dimensions Name=LoadBalancer,Value=<alb-arn-suffix> \
  --start-time <1h-ago> --end-time <now> \
  --period 60 --statistics Sum
If WAF is enabled, pull sampled requests for the rule that is seeing the traffic and look for what separates the attack from legitimate users: source IPs and ranges, countries, user agents, requested URIs and methods. WAF only returns samples from the previous three hours, so the time window must lie inside that range.
# Use --scope CLOUDFRONT (and --region us-east-1) for a web ACL attached to a CloudFront distribution
aws wafv2 get-sampled-requests \
  --web-acl-arn <web-acl-arn> \
  --rule-metric-name <rule-name> \
  --scope REGIONAL \
  --time-window StartTime=<1h-ago>,EndTime=<now> \
  --max-items 100
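The sampled-request output is JSON, and during an incident the quickest way to turn it into attack signatures is a short script rather than reading it by eye. The following Python is an added example, not code from the original page or from AWS: it parses the shape that `aws wafv2 get-sampled-requests` returns, ranks source IPs, user agents, URIs and countries by their sample weight, and turns the offending IPv4 addresses into CIDRs ready for `aws wafv2 create-ip-set`. The sample data is constructed (documentation-range addresses, invented user agents and a placeholder country code), and the thresholds `min_hits` and `collapse_at` are assumptions to tune per incident.

```python
import ipaddress
import json
from collections import Counter, defaultdict


def _sample(ip, country, uri, ua, weight=1):
    """One entry in the SampledRequests list, in the shape the WAF API returns."""
    return {"Request": {"ClientIP": ip, "Country": country, "URI": uri, "Method": "GET",
                        "Headers": [{"Name": "User-Agent", "Value": ua}]},
            "Weight": weight, "Action": "ALLOW"}


# Constructed stand-in for `aws wafv2 get-sampled-requests` output (not captured traffic).
BOT_UA = "python-requests/2.31"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE_JSON = json.dumps({"SampledRequests": [
    _sample("203.0.113.7", "XX", "/login", BOT_UA),
    _sample("203.0.113.7", "XX", "/login", BOT_UA),
    _sample("203.0.113.7", "XX", "/login", BOT_UA),
    _sample("198.51.100.10", "XX", "/login", BOT_UA, weight=2),
    _sample("198.51.100.11", "XX", "/login", BOT_UA, weight=2),
    _sample("198.51.100.12", "XX", "/login", BOT_UA, weight=3),
    _sample("192.0.2.44", "US", "/", BROWSER_UA),
    _sample("2001:db8::1", "US", "/", BROWSER_UA),
], "PopulationSize": 12})


def parse_sampled_requests(raw):
    """Flatten the API output into one dict per sample; Weight says how many requests
    in the population that sample stands for, so every count below is weighted."""
    rows = []
    for s in json.loads(raw).get("SampledRequests", []):
        req = s["Request"]
        headers = {h["Name"].lower(): h["Value"] for h in req.get("Headers", [])}
        rows.append({"ip": req["ClientIP"], "country": req.get("Country", ""),
                     "uri": req.get("URI", ""), "method": req.get("Method", ""),
                     "ua": headers.get("user-agent", "<none>"),
                     "weight": s.get("Weight", 1), "action": s.get("Action", "")})
    return rows


def top(rows, key, n=5):
    """Weighted top-N of one attribute ("ip", "ua", "uri", "country", ...)."""
    counts = Counter()
    for r in rows:
        counts[r[key]] += r["weight"]
    return counts.most_common(n)


def candidate_blocks(rows, min_hits=2, collapse_at=3):
    """CIDRs for an IPv4 IP set: an IP with >= min_hits weighted requests becomes a /32;
    when >= collapse_at offending IPs share a /24 the whole /24 is used instead. That
    collapse is a judgement call, since a /24 can also hold legitimate users."""
    per_ip = Counter()
    for r in rows:
        per_ip[r["ip"]] += r["weight"]
    by_net = defaultdict(list)
    for ip_str, hits in per_ip.items():
        ip = ipaddress.ip_address(ip_str)
        if hits < min_hits or ip.version != 4:
            continue  # IPv6 offenders need a separate IPV6 IP set
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    cidrs = []
    for net, ips in by_net.items():
        if len(ips) >= collapse_at:
            cidrs.append(str(net))
        else:
            cidrs.extend(f"{ip}/32" for ip in ips)
    return sorted(cidrs)


if __name__ == "__main__":
    rows = parse_sampled_requests(SAMPLE_JSON)  # in practice: the CLI's stdout
    for key in ("ip", "ua", "uri", "country"):
        print(key, top(rows, key))
    print("block:", candidate_blocks(rows))
```

On the constructed sample the user agent and URI alone separate the flood from the two browser requests, which is the kind of signature a WAF rule can match on; the CIDR list is the input for the IP set step later on the page.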
Add a rate-based rule that acts on any source IP exceeding a request threshold (e.g., 2000 requests in the rule's 5-minute evaluation window). Deploying it in Count mode first and checking which sampled requests it would have blocked is safer than going straight to Block.
# Rate-based rules are configured in the WAF console
# or via update-web-acl with a RateBasedStatement.
# update-web-acl replaces the entire rule list, so rate-limit-rule.json must contain
# the existing rules plus the new one; take the current rules and the lock token
# from get-web-acl immediately before this call. Use --scope CLOUDFRONT for a
# web ACL attached to a CloudFront distribution.
aws wafv2 update-web-acl \
  --name <web-acl-name> \
  --scope REGIONAL \
  --id <web-acl-id> \
  --lock-token <token> \
  --default-action '{"Allow":{}}' \
  --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"web-acl-metric"}' \
  --rules file://rate-limit-rule.json
Start with a higher threshold and lower it gradually to avoid blocking legitimate traffic.
If the attack traffic originates from countries where you have no users, apply geo-blocking with a WAF GeoMatchStatement rule or with CloudFront geographic restrictions. Geo-blocking is a blunt instrument: it also cuts off travelling employees, partners and VPN users in those countries, so scope it to the attack window.
# update-distribution needs the complete distribution config plus the current ETag,
# both from get-distribution-config; geo-restriction-config.json is that config with
# Restrictions.GeoRestriction set to a blacklist of country codes
aws cloudfront update-distribution \
  --id <distribution-id> \
  --if-match <etag> \
  --distribution-config file://geo-restriction-config.json
While mitigation takes effect, give the targets headroom: raise Auto Scaling group maximum sizes (the ALB itself scales automatically; the instances or containers behind it do not) and enable or extend CloudFront caching so that cacheable requests never reach the origin. Remember that scaling out also scales the bill, which is what Shield Advanced cost protection addresses.
Create a WAF IP set with the attacker IPs and reference it from a blocking rule (IPSetReferenceStatement). An IP set blocks nothing on its own, and later additions go through update-ip-set with a fresh lock token. Addresses must be in CIDR notation.
aws wafv2 create-ip-set \
  --name "DDoS-Blocked-IPs" \
  --scope REGIONAL \
  --ip-address-version IPV4 \
  --addresses "1.2.3.4/32" "5.6.7.0/24"
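The rate-based rule, the geo-blocking rule and the IP-set blocking rule above all end up in the same JSON file passed to `update-web-acl --rules`, and because that call replaces the whole rule list, assembling the file by hand under pressure is where mistakes happen (a dropped managed rule group, two rules with the same priority). The following Python is an added example, not code from the original page or from AWS: it builds each rule statement in the WAF v2 API shape, merges them into the existing rule list by name, rejects duplicate priorities, and prints the JSON for the `--rules file://` argument. The existing rule list, the IP set ARN and the country code are constructed placeholders; in use, the existing rules come from `aws wafv2 get-web-acl`.

```python
import json
import re

# Constructed stand-in for the "Rules" list that `aws wafv2 get-web-acl` returns:
# one AWS managed rule group at priority 0 (not a real account's configuration).
EXISTING_RULES = [{
    "Name": "AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                "Name": "AWSManagedRulesCommonRuleSet"}},
    "OverrideAction": {"None": {}},   # rule groups use OverrideAction, not Action
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                         "MetricName": "AWSManagedRulesCommonRuleSet"},
}]


def _rule(name, priority, statement, count_only):
    """A custom rule; Count mode records matches without blocking, for safe rollout."""
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {"Count": {}} if count_only else {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def rate_based_rule(name, limit, priority, count_only=False, window_sec=300):
    """Act on each source IP exceeding `limit` requests per evaluation window."""
    if not isinstance(limit, int) or limit <= 0:
        raise ValueError("limit must be a positive integer")
    if window_sec not in (60, 120, 300, 600):
        raise ValueError("EvaluationWindowSec must be 60, 120, 300 or 600")
    return _rule(name, priority, {"RateBasedStatement": {
        "Limit": limit, "EvaluationWindowSec": window_sec, "AggregateKeyType": "IP"}},
        count_only)


def geo_block_rule(name, country_codes, priority, count_only=False):
    """Act on requests whose source country is in the list (ISO 3166-1 alpha-2)."""
    codes = sorted(set(country_codes))
    bad = [c for c in codes if not re.fullmatch(r"[A-Z]{2}", c)]
    if bad:
        raise ValueError(f"country codes must be two upper-case letters: {bad}")
    return _rule(name, priority, {"GeoMatchStatement": {"CountryCodes": codes}}, count_only)


def ip_set_block_rule(name, ip_set_arn, priority, count_only=False):
    """Reference an IP set created with create-ip-set; the set alone blocks nothing."""
    return _rule(name, priority, {"IPSetReferenceStatement": {"ARN": ip_set_arn}}, count_only)


def merge_rules(existing, new_rules):
    """update-web-acl replaces the whole rule list, so the result must carry the existing
    rules plus the new ones. A new rule with an existing Name replaces the old one (this is
    how the threshold is lowered in later iterations); priorities must be unique."""
    by_name = {r["Name"]: r for r in existing}
    for r in new_rules:
        by_name[r["Name"]] = r
    merged = sorted(by_name.values(), key=lambda r: r["Priority"])
    priorities = [r["Priority"] for r in merged]
    if len(set(priorities)) != len(priorities):
        raise ValueError(f"duplicate rule priorities: {priorities}")
    return merged


def rules_file_text(rules):
    """Contents for rate-limit-rule.json (the --rules file://... argument)."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Hypothetical ARN of the IP set created in the step above.
    ip_set_arn = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
                  "DDoS-Blocked-IPs/00000000-0000-0000-0000-000000000000")
    rules = merge_rules(EXISTING_RULES, [
        ip_set_block_rule("block-ddos-ips", ip_set_arn, 5),
        rate_based_rule("ddos-rate-limit", 2000, 10, count_only=True),  # Count first
        geo_block_rule("geo-block", ["XX"], 20),                         # placeholder code
    ])
    print(rules_file_text(rules))
```

Lowering the threshold later is a second `merge_rules` call with a `rate_based_rule` of the same name and a smaller limit, followed by another `update-web-acl` with a fresh lock token; the managed rule group and the other rules survive each iteration because they are carried through from the existing list.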
Shield Advanced provides DDoS Response Team (DRT) support, advanced mitigation, and cost protection.
Shield Advanced costs $3,000/month with a one-year commitment (plus data transfer fees) but includes DDoS cost protection: AWS credits the scaling charges that protected resources incur during an attack. The credit only covers resources registered as protected, so protect the ALB, CloudFront distribution or other resource before relying on it.
Contact the Shield Response Team (SRT, formerly the DRT) for expert assistance with active mitigation. SRT engagement requires a Business or Enterprise Support plan, and the team can only change your WAF and Shield configuration after you have granted it access with associate-drt-role.
aws shield create-protection \
  --name "Production-ALB" \
  --resource-arn <alb-arn>
DDoS attacks often come in waves. Monitor for 24-48 hours after the initial attack subsides.
Based on the attack patterns observed, fine-tune your WAF rules to better protect against similar future attacks.
Once the attack has fully subsided, return Auto Scaling group limits and other temporary changes to normal.
CloudFront absorbs DDoS traffic at the edge, preventing it from reaching your origin, so public-facing web applications should sit behind CloudFront wherever the architecture allows it. This only helps if the origin is not reachable directly: restrict the origin's security group to CloudFront's managed prefix list, require a secret header that CloudFront adds, or use origin access control, otherwise attackers simply bypass the edge.
Have rate-based rules in place before an attack, ideally already running in Count mode so their thresholds are calibrated against your normal traffic. Reactive rule deployment during an attack is slower and more error-prone.
Document the steps your team took during this incident and create a reusable runbook for the next attack.
When an incident strikes, every minute counts. We help AWS teams prepare, detect, and respond to security incidents with proven expertise.