Shield Advanced automatic application layer DDoS mitigation

You can configure Shield Advanced to respond automatically to mitigate application layer (layer 7) attacks against your protected application layer resources, by counting or blocking web requests that are part of the attack. This option is an addition to the application layer protection that you add through Shield Advanced with an AWS WAF web ACL and your own rate-based rule.

When automatic mitigation is enabled for a resource, Shield Advanced maintains a rule group in the resource's associated web ACL where it manages mitigation rules on behalf of the resource. The rule group contains a rate-based rule that tracks the volume of requests from IP addresses that are known to be sources of DDoS attacks.

Additionally, Shield Advanced compares current traffic patterns against historic traffic baselines to detect deviations that might indicate a DDoS attack. Shield Advanced responds to detected DDoS attacks by creating, evaluating, and deploying additional, custom AWS WAF rules in the rule group.

Contents

• Caveats for using automatic mitigation
• Best practices for using automatic mitigation
• Configuration required to enable automatic mitigation
• How Shield Advanced manages automatic mitigation
  • What happens when you enable automatic mitigation
  • How Shield Advanced responds to DDoS attacks with automatic mitigation
  • How Shield Advanced manages the rule action setting
  • How Shield Advanced manages mitigations when an attack subsides
  • What happens when you disable automatic mitigation
• The Shield Advanced rule group
• Managing automatic application layer DDoS mitigation
  • Viewing the automatic application layer DDoS mitigation configuration for a resource
  • Enabling and disabling automatic application layer DDoS mitigation
  • Changing the action used for automatic application layer DDoS mitigation
  • Using AWS CloudFormation with automatic application layer DDoS mitigation