What is DDoS in AWS?
An AWS distributed denial of service (DDoS) attack involves a malicious attempt to overwhelm a targeted AWS service or application with a flood of internet traffic, disrupting its normal function. AWS offers various services and features, like AWS Shield and AWS WAF, to protect against these attacks.
Native AWS services that can defend against DDoS attacks include:
- AWS Shield: Offers basic and advanced DDoS protection, including 24/7 support from the AWS Shield Response Team.
- AWS WAF: Helps protect applications from common web exploits and can be used to mitigate DDoS attacks.
- AWS Firewall Manager: Enables centralized deployment and administration of firewall rules across resources and accounts in AWS.
- Amazon CloudFront: A content delivery network (CDN) that can help distribute traffic and absorb DDoS attacks.
- AWS Global Accelerator: Improves the availability and performance of internet applications by routing traffic through AWS's global network.
- Amazon Route 53: A scalable DNS service that can be used to mitigate DDoS attacks by routing traffic to healthy resources.
While native AWS services provide basic DDoS protection, third-party DDoS protection adds an extra layer of defense by covering attack vectors that native AWS services may not detect or mitigate well, especially complex application-layer and encrypted traffic floods.
These platforms use global scrubbing centers, behavioral analytics, and continuous threat intelligence to identify anomalies early and filter malicious traffic before it reaches AWS infrastructure. They also provide dedicated response teams and real-time mitigation controls, which help reduce downtime during large or coordinated attacks.
AWS Shield
AWS Shield is Amazon’s managed DDoS protection service to safeguard applications running on AWS from both volumetric and sophisticated attacks. AWS Shield is available in two tiers: Standard and Advanced.
Shield Standard provides automatic protection for all AWS customers at no extra cost and mitigates the most common network and transport layer attacks. Shield Advanced delivers enhanced detection and mitigation for larger or more complex attacks, access to the AWS DDoS Response Team (DRT), real-time visibility, and financial protections in the form of DDoS cost protection.
Shield Advanced enables detailed attack diagnostics, custom mitigation strategies, and proactive event response. It integrates with other AWS security services like AWS WAF and offers advanced reporting and analytics for compliance needs. Customers with critical applications can automate incident response through Shield Advanced APIs and coordinate directly with AWS security experts.
AWS WAF
AWS Web Application Firewall (WAF) is a customizable, managed firewall that filters and monitors HTTP and HTTPS requests to web applications deployed on AWS. Customers can define security rules that block, allow, or monitor web requests based on IP addresses, HTTP headers, URI strings, and even specific query string parameters.
AWS WAF integrates directly with services like Amazon CloudFront, Application Load Balancer (ALB), and AWS AppSync, extending its DDoS and application-layer protection to complex, distributed workloads. It supports managed rule groups for common threats and real-time metrics through integration with AWS CloudWatch.
AWS Firewall Manager
AWS Firewall Manager is a security management service that centralizes the administration and deployment of firewall rules across multiple AWS accounts and resources. With Firewall Manager, security teams can enforce AWS WAF rules, Shield Advanced protections, and security group policies consistently across an organization’s cloud environment.
By using Firewall Manager, administrators quickly deploy new DDoS protections and update policies without manually configuring each resource or account. The service also provides compliance reporting, highlighting non-compliant resources in real time and triggering remediation where necessary.
Amazon CloudFront and Route 53
Amazon CloudFront, AWS's content delivery network (CDN), and Amazon Route 53, its managed DNS service, both offer additional resilience against DDoS attacks. CloudFront helps absorb and distribute large-scale traffic surges through its global network of edge locations, ensuring that malicious requests are filtered or rate-limited before reaching the origin infrastructure.
Route 53 provides highly available, scalable DNS resolution with built-in protections against DNS-based DDoS threats. Its features include shuffle sharding, health checks, and DNS failover, which help maintain uptime even during attacks targeting the DNS layer. By integrating CloudFront and Route 53, organizations can distribute user requests, throttle excessive traffic, and maintain application availability through globally redundant architecture.
AWS Global Accelerator
AWS Global Accelerator enhances the availability and performance of applications by routing user traffic through the AWS global network rather than the public internet. This global edge network uses Anycast IP addresses, automatically steering traffic to the optimal AWS endpoint based on health, geography, and performance.
Global Accelerator benefits security in two key areas: attack surface reduction and improved resilience. By masking application endpoints behind accelerator IP addresses, it reduces direct exposure and makes attacks harder to target. Integrated health checks and automatic traffic rerouting further ensure high availability, even when parts of the network are degraded or under attack.
Organizations hosting critical applications on AWS often face a trade-off between ease of deployment and the depth of security coverage. While AWS provides strong native defenses, these solutions may not cover the full spectrum of attack vectors, especially sophisticated or application-layer DDoS attacks.
Third-party DDoS protection services extend AWS’s native capabilities by offering comprehensive detection and mitigation, including advanced techniques such as network behavioral analysis and protection against SSL-based and zero-day attacks. These solutions are especially valuable in complex environments where maintaining uptime and data confidentiality is essential.
Third-party providers also offer flexible deployment models, such as on-demand or always-on protection, allowing traffic to be routed through global scrubbing centers for real-time mitigation with minimal latency. These services typically include automated threat detection, proactive alerting, and expert-led incident response, all managed externally.
Eva Abergel
Eva is a solution expert in Radware’s security group. Her domain of expertise is DDoS protection, where she leads positioning, messaging and product launches. Prior to joining Radware, Eva led a Product Marketing and Sales Enablement team at a global robotics company acquired by Bosch and worked as an Engineer at Intel. Eva holds a B.Sc. degree in Mechatronics Engineering from Ariel University and an Entrepreneurship Development certificate from the York Entrepreneurship Development Institute of Canada.
Tips from the Expert:
In my experience, here are tips that can help you better defend AWS-hosted applications against DDoS attacks:
1. Use traffic mirroring for behavioral baselining: Enable VPC Traffic Mirroring to capture and analyze packet-level traffic. This allows security teams to build a behavioral baseline for services and detect deviations that may signal stealthy, low-rate DDoS attempts.
2. Deploy pre-authentication throttling at the edge: For APIs or login portals, implement rate limits and throttling before authentication occurs. This prevents backend resource consumption from bot-driven credential stuffing or HTTP floods that bypass traditional security controls.
3. Separate static and dynamic traffic paths: Serve static content (e.g., images, JS, CSS) exclusively via CloudFront with aggressive caching, and isolate dynamic endpoints behind different ALBs. This enables more precise filtering and protection rules per traffic type.
4. Use AWS Gateway Load Balancer for inline inspection: Insert third-party DDoS appliances inline using Gateway Load Balancer for deep packet inspection and customized response logic without modifying application architecture.
5. Geo-segment DDoS response controls: Use geographic segmentation in WAF rules and Route 53 geolocation-based routing to isolate attacks from specific regions, reroute or block malicious zones, and preserve availability elsewhere.
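The request-filtering rules described in the AWS WAF section and the pre-authentication throttling in tip 2 can be expressed as a single WAFv2 rate-based rule scoped to a login path. The following is an added example, not code from the article, from AWS or from Radware: it builds the rule in the `Rules[]` element shape that boto3's `wafv2` `create_web_acl`/`update_web_acl` accept, and adds an audit function that reports pre-auth paths an existing web ACL leaves without a blocking rate limit. The path, limit, window and rule names are assumed values for illustration.

```python
"""WAFv2 rate-based rule for a pre-authentication endpoint, plus an audit
that checks every such path has a blocking rate limit in front of it.

Added example, not the article's code. Rule dicts follow the boto3 wafv2
Rules[] element shape; all concrete values below are assumptions.
"""

LOGIN_PATH = "/api/login"   # assumed pre-authentication endpoint
LOGIN_LIMIT = 300           # requests per source IP per window (assumed)
LOGIN_WINDOW_SEC = 300      # EvaluationWindowSec; WAFv2 accepts 60, 120, 300 or 600
VALID_WINDOWS = (60, 120, 300, 600)


def login_rate_rule(path=LOGIN_PATH, limit=LOGIN_LIMIT,
                    window_sec=LOGIN_WINDOW_SEC, priority=0):
    """Block a source IP once it exceeds `limit` requests to `path` within
    `window_sec`. The scope-down statement confines counting to the login
    path, so normal browsing of the site does not consume the budget, and the
    block happens at the edge before any authentication work is done."""
    if window_sec not in VALID_WINDOWS:
        raise ValueError(f"EvaluationWindowSec must be one of {VALID_WINDOWS}")
    if limit <= 0:
        raise ValueError("Limit must be positive")
    name = "RateLimit" + "".join(ch for ch in path.title() if ch.isalnum())
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP",   # FORWARDED_IP when behind a proxy
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"UriPath": {}},
                        "PositionalConstraint": "STARTS_WITH",
                        # bytes for boto3; lower-cased to match the transform
                        "SearchString": path.lower().encode(),
                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def unprotected_paths(rules, required_paths):
    """Audit an existing web ACL's rules: return the pre-auth paths in
    `required_paths` that no *blocking* rate-based rule is scoped to.
    A rule left in Count mode does not protect the path and is reported."""
    covered = set()
    for rule in rules:
        rbs = rule.get("Statement", {}).get("RateBasedStatement")
        if not rbs or "Block" not in rule.get("Action", {}):
            continue
        bm = rbs.get("ScopeDownStatement", {}).get("ByteMatchStatement", {})
        if "UriPath" not in bm.get("FieldToMatch", {}):
            continue
        s = bm.get("SearchString", b"")
        covered.add((s.decode() if isinstance(s, bytes) else s).lower())
    return [p for p in required_paths if p.lower() not in covered]


def requests_per_minute(rule):
    """Effective per-IP ceiling a rule enforces, normalised to one minute so
    rules with different windows can be compared against a capacity plan."""
    rbs = rule["Statement"]["RateBasedStatement"]
    return rbs["Limit"] * 60 / rbs.get("EvaluationWindowSec", 300)


if __name__ == "__main__":
    rule = login_rate_rule()
    print(rule["Name"], requests_per_minute(rule), "req/min per IP")
    print("unprotected:", unprotected_paths([rule], ["/api/login", "/api/password-reset"]))
```

In a deployment the returned dict is appended to the web ACL's `Rules` list and pushed with `update_web_acl`; `unprotected_paths` can be run against `get_web_acl` output in a scheduled job so that a rule accidentally switched to Count mode is caught before the next flood.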
2025: Dismantling of the RapperBot IoT Botnet
In mid-2025, AWS played a pivotal role, along with the U.S. Department of Justice, Google, Cloudflare, and others, in dismantling RapperBot, one of the largest IoT-based "DDoS-for-hire" botnets in operation. Active since at least 2021, RapperBot had infected tens of thousands of IoT devices, launching over 370,000 attacks in 2025 alone across more than 80 countries, including high-profile targets such as U.S. government systems.
October 2023: HTTP/2 “Rapid Reset” Zero-Day Surge
In 2023, AWS, alongside Google and Cloudflare, reported a novel class of DDoS attack that exploited a zero-day vulnerability in the HTTP/2 protocol, known as Rapid Reset. The technique allowed attackers to flood systems with high-frequency incomplete connection requests, disrupting services at previously unseen request-per-second (RPS) volumes. The rapid exploitation of a core web protocol underscored a new level of protocol-layer threat that cloud providers must guard against.
February 2020: 2.3 Tbps CLDAP Amplification Attack
In mid‑February 2020, AWS Shield successfully mitigated an unprecedented DDoS attack that peaked at approximately 2.3 terabits per second, marking one of the largest attacks ever recorded at the time. The attack was powered by a CLDAP (Connection‑less Lightweight Directory Access Protocol) amplification vector, which greatly magnified the threat through reflection-based techniques. The assault persisted for up to three days.
1. Architect for Scalability
Designing AWS applications for horizontal scalability is fundamental to DDoS resilience. By distributing workloads across multiple Availability Zones and leveraging services like Auto Scaling, Elastic Load Balancing, and stateless architectures, organizations can better absorb traffic surges and avoid single points of failure. Utilizing Amazon CloudFront as a CDN further helps distribute incoming requests, shielding backend resources from direct attack and offloading the majority of user-facing traffic to the edge network.
Scalable architecture also involves considering resource quotas and implementing usage limits, so systems can tolerate traffic spikes without exhausting resources. By proactively scaling infrastructure and setting automatic scaling policies, AWS customers can dampen the operational impact of volumetric attacks and maintain availability for legitimate users while under attack.
2. Automate Response and Incident Playbooks
Automation is critical for timely and effective DDoS incident response. AWS provides several tools, such as Lambda, CloudWatch, and Systems Manager, which teams can leverage to detect anomalies, launch mitigation workflows, or adjust security policies automatically. For example, automated rules can temporarily block offending IPs, scale resources, or alert response teams as soon as suspicious activity is detected.
Incident response playbooks should be documented and regularly updated to reflect the latest threats and infrastructure changes. Using AWS Step Functions or Incident Manager, teams can codify runbooks that orchestrate response actions across multiple AWS services, reducing manual errors and accelerating incident resolution. Consistent automation helps organizations respond faster and more precisely during an attack, preserving service availability and minimizing recovery time.
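The automated blocking step described above, as an added example that is not the article's, AWS's or Radware's own code: a Lambda-style handler that merges detected offender addresses into a WAFv2 IP set referenced by a blocking rule. The IP set name, ID and scope, and the event contract (`{"offenders": [...]}` delivered by whatever detection stage triggers the function), are assumptions. `FakeWafClient` is a constructed in-memory stand-in for `boto3.client("wafv2")` so the block runs offline; it also simulates the optimistic-lock conflict the real `update_ip_set` can raise when two responders write concurrently, which is the case a runbook automation must handle.

```python
"""Lambda-style automated blocklist update for a WAFv2 IP set.

Added example, not the article's code. The WAF client is injected so the
block runs offline against a constructed stand-in; in production pass
boto3.client("wafv2"). Names, IDs and the event shape are assumptions.
"""
import ipaddress
import json
import uuid

IPSET_NAME = "ddos-auto-block"                      # placeholder
IPSET_ID = "00000000-0000-0000-0000-000000000000"    # placeholder
IPSET_SCOPE = "REGIONAL"                            # "CLOUDFRONT" for CloudFront ACLs


def to_waf_cidr(addr):
    """WAF IP sets hold CIDRs. Normalise a bare address to /32 or /128 and
    reject anything that is not an IP, so a poisoned detector output cannot
    inject arbitrary strings into the IP set."""
    ip = ipaddress.ip_address(addr.strip())
    return f"{ip}/{32 if ip.version == 4 else 128}"


def update_blocklist(offenders, waf, name=IPSET_NAME, ipset_id=IPSET_ID,
                     scope=IPSET_SCOPE, max_retries=3):
    """Merge `offenders` into the IP set. WAFv2 uses optimistic locking: the
    LockToken returned by get_ip_set must be echoed to update_ip_set, and a
    WAFOptimisticLockException means another writer won the race, so the set
    is re-read and the merge retried on top of the newer contents."""
    new = {to_waf_cidr(a) for a in offenders}
    for _ in range(max_retries):
        current = waf.get_ip_set(Name=name, Scope=scope, Id=ipset_id)
        existing = set(current["IPSet"]["Addresses"])
        merged = sorted(existing | new)
        if not (new - existing):
            return {"added": 0, "total": len(existing)}   # idempotent re-run
        try:
            waf.update_ip_set(Name=name, Scope=scope, Id=ipset_id,
                              Addresses=merged, LockToken=current["LockToken"])
            return {"added": len(merged) - len(existing), "total": len(merged)}
        except waf.exceptions.WAFOptimisticLockException:
            continue
    raise RuntimeError("IP set update lost the lock race on every attempt")


def lambda_handler(event, context=None, waf=None):
    """Entry point. `event["offenders"]` is the assumed contract with the
    detection stage; a CloudWatch alarm alone does not carry addresses."""
    if waf is None:
        import boto3                      # only reached in a real deployment
        waf = boto3.client("wafv2")
    result = update_blocklist(event.get("offenders", []), waf)
    return {"statusCode": 200, "body": json.dumps(result)}


class FakeWafClient:
    """Constructed stand-in for the boto3 wafv2 client (example only).
    With race_once=True the first update fails with a stale token, as the
    real service does when another writer changed the set in between."""
    class exceptions:
        class WAFOptimisticLockException(Exception):
            pass

    def __init__(self, addresses=(), race_once=False):
        self.addresses = list(addresses)
        self.token = str(uuid.uuid4())
        self.race_once = race_once

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self.addresses)},
                "LockToken": self.token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if self.race_once:
            self.race_once = False
            self.token = str(uuid.uuid4())      # someone else wrote first
            raise self.exceptions.WAFOptimisticLockException("stale LockToken")
        if LockToken != self.token:
            raise self.exceptions.WAFOptimisticLockException("stale LockToken")
        self.addresses = list(Addresses)
        self.token = str(uuid.uuid4())
        return {"NextLockToken": self.token}


if __name__ == "__main__":
    client = FakeWafClient(addresses=["203.0.113.5/32"], race_once=True)
    print(lambda_handler({"offenders": ["198.51.100.7", "2001:db8::1"]}, waf=client))
    print(client.addresses)
```

Because the merge is idempotent and retries on lock conflicts, the same function can be wired both to an alarm-driven trigger and to a Step Functions or Incident Manager runbook step without the two paths clobbering each other's additions; expiring entries after the attack is a separate scheduled job that reads the set back and removes addresses older than the retention window.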
3. Test DDoS Readiness with Simulations
Regular testing is essential to validate DDoS protections and ensure team readiness. Organizations should conduct simulated DDoS attacks (red team exercises) against non-production environments using tools like AWS Fault Injection Simulator or third-party solutions. Such drills measure how well defenses detect, absorb, and recover from attack traffic, highlighting weaknesses in scaling policies, alerting pipelines, or incident playbooks.
Post-simulation reviews are as important as the tests themselves. By analyzing response times, bottlenecks, and communication gaps during exercises, security teams can update runbooks, re-tune monitoring thresholds, and refine escalation procedures. This iterative process builds organizational resilience, ensuring that both tooling and personnel are ready when a real DDoS event occurs.
4. Maintain Continuous Visibility and Logging
Visibility is key to early threat detection and effective incident response. AWS customers should enable and centralize logging for services such as VPC Flow Logs, CloudFront logs, Route 53 query logs, and AWS WAF logs. These detailed records allow security teams to investigate suspicious traffic patterns, identify affected resources, and support post-incident forensics.
Integrating logs with monitoring and alerting tools (like CloudWatch, GuardDuty, and SIEM solutions) allows for real-time detection of anomalous traffic indicative of DDoS attacks. With continuous visibility, organizations can correlate events across layers, rapidly escalate incidents, and preserve audit trails often required for compliance investigations following a significant security event.
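The investigation of suspicious traffic patterns described above, as an added example that is not the article's, AWS's or Radware's own code: a parser for the default VPC Flow Log record format (the 14 version-2 fields) and a detector that flags a source when one time window holds many new flows to the same destination and port with a very low average packet count, the profile of a SYN or connection flood rather than a legitimate client. The sample records, account and interface IDs are constructed, and the thresholds are assumed starting points to be tuned against a real baseline.

```python
"""Flood-source detection over VPC Flow Log records.

Added example, not the article's code. Parses the default flow-log format
and applies a per-window flows/packets heuristic; sample lines below are
constructed and all thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Default VPC Flow Log format (version 2 fields), space separated.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    packets: int
    nbytes: int
    start: int
    action: str


def parse_flow_log(text):
    """Parse records, skipping malformed lines and the NODATA/SKIPDATA
    records that carry '-' in place of the address and counter fields."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                          int(rec["protocol"]), int(rec["packets"]),
                          int(rec["bytes"]), int(rec["start"]), rec["action"]))
    return flows


def flag_flood_sources(flows, window_sec=60, min_flows=20, max_avg_packets=2.0):
    """Bucket flows by (src, dst, dport, window). A bucket with at least
    `min_flows` flows whose mean packet count is <= `max_avg_packets` is a
    flood candidate: many connections that each carry almost nothing."""
    buckets = defaultdict(lambda: [0, 0])     # key -> [flow_count, packet_sum]
    for f in flows:
        b = buckets[(f.src, f.dst, f.dport, f.start // window_sec)]
        b[0] += 1
        b[1] += f.packets
    findings = []
    for (src, dst, dport, win), (n, pk) in buckets.items():
        avg = pk / n
        if n >= min_flows and avg <= max_avg_packets:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "window_start": win * window_sec,
                             "flows": n, "avg_packets": round(avg, 2)})
    return sorted(findings, key=lambda x: -x["flows"])


def _line(src, sport, dport, packets, nbytes, start, action="ACCEPT"):
    """Constructed sample record in the default format (example data only)."""
    return (f"2 123456789012 eni-0a1b2c3d {src} 10.0.1.10 {sport} {dport} 6 "
            f"{packets} {nbytes} {start} {start + 10} {action} OK")


# Constructed sample: one normal client with a few long-lived HTTPS flows and
# one source opening 30 single-packet connections inside the same minute.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.20", 51000 + i, 443, 40, 32000, 1700000000 + i * 5)
     for i in range(4)]
    + [_line("203.0.113.77", 40000 + i, 443, 1, 60, 1700000003 + (i % 20), "REJECT")
       for i in range(30)]
    + ["2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
       "garbled line that should be ignored"]
)


if __name__ == "__main__":
    for finding in flag_flood_sources(parse_flow_log(SAMPLE_LOG)):
        print(finding)
```

Run over a day of centralised flow logs this produces a short list of (source, destination, port, minute) tuples that can be cross-checked against WAF sampled requests or CloudFront logs for the same window; the `avg_packets` guard is what separates a flood from a busy but legitimate client, whose flows carry tens of packets each, and `window_sec`/`min_flows` should be raised for interfaces that normally see high connection churn.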
5. Utilize Third-Party DDoS Protection Services
While AWS offers a robust set of native defenses, many organizations find that these tools alone are not enough, especially during complex or persistent attacks. A major limitation is the lack of a managed incident response service or an emergency response team (ERT) included by default with most AWS DDoS protections. Outside of AWS Shield Advanced, customers are largely responsible for identifying, diagnosing, and mitigating attacks on their own, which can result in delays and increased downtime.
Third-party DDoS mitigation providers fill this gap by offering 24/7 monitoring, real-time response teams, and managed protection at both the network and application layers. These services typically include threat intelligence, rapid incident triage, and live human support during an active attack—capabilities not built into AWS’s baseline protections. Providers like Radware often maintain global scrubbing centers to clean malicious traffic before it reaches cloud environments.
For mission-critical applications or teams without deep in-house security expertise, these services can offer faster containment and a higher level of assurance during DDoS events. Integrating third-party protection alongside AWS-native tooling provides layered defense, faster recovery, and expert support that many organizations require to maintain uptime under attack.
While AWS provides strong native protections through services such as AWS Shield, AWS WAF, and CloudFront, sophisticated DDoS attacks often require additional visibility, behavioral detection, and mitigation beyond default cloud controls. Radware helps organizations strengthen their AWS DDoS posture by adding advanced, multi-layered protection that integrates seamlessly with AWS environments.
Radware Cloud DDoS Protection Service
Radware Cloud DDoS Protection Service provides always-on or on-demand protection for applications and services hosted on AWS. Using globally distributed scrubbing centers and real-time behavioral analytics, the service detects and mitigates volumetric, protocol, and application-layer DDoS attacks before they reach AWS infrastructure. This is particularly valuable for mitigating large-scale floods, encrypted attacks, and complex multi-vector campaigns that may evade basic cloud-native controls.
The service integrates with AWS architectures to support traffic diversion and rapid mitigation without requiring application changes. Behavioral detection allows Radware to distinguish legitimate traffic surges, such as flash crowds, from malicious activity, reducing false positives during peak demand.
To support a layered defense strategy, Radware Cloud DDoS Protection Service works in concert with other Radware solutions. DefensePro can be deployed in hybrid or multi-cloud architectures to provide inline, on-prem, or edge-based DDoS mitigation that complements AWS-native services. Cloud Network Analytics delivers continuous visibility into traffic patterns across AWS environments, helping security teams detect anomalies early and validate attack activity. Threat Intelligence Subscriptions enrich mitigation with real-world attacker intelligence, enabling proactive blocking of known malicious sources.
Together, these capabilities help organizations extend AWS’s native DDoS protections with advanced detection, global scrubbing, and expert response, reducing downtime, improving resilience, and strengthening overall DDoS readiness in AWS environments.