Infrastructure Layer Defense (BP1, BP3, BP6, BP7, BP8)
In a traditional datacenter environment, you can mitigate infrastructure layer DDoS attacks by using techniques like overprovisioning capacity, deploying DDoS mitigation systems, or scrubbing traffic with the help of DDoS mitigation services. On AWS, DDoS mitigation capabilities are automatically provided, but you can optimize your application's DDoS resilience by making architecture choices that best leverage those capabilities and also allow you to scale for excess traffic.
Key considerations to help mitigate volumetric DDoS attacks include ensuring that enough transit capacity and diversity is available, and protecting your AWS resources, like Amazon EC2 instances, against attack traffic.
Some Amazon EC2 instance types support features that make it easier to handle large volumes of traffic, for example 25 Gigabit network interfaces and enhanced networking. This helps prevent interface congestion for traffic that has reached the Amazon EC2 instance. Instances that support enhanced networking provide higher I/O performance and lower CPU utilization compared to traditional implementations, which improves the ability of the instance to handle traffic with larger packet volumes.
The 25 Gigabit feature is available on the largest instance sizes, for example, m4.16xlarge and c5.18xlarge, or metal instances (such as c5.metal). To learn more about Amazon EC2 instances that support 25 Gigabit network interfaces and enhanced networking, see Amazon EC2 Instance Types.
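The following is an added example, not code from the AWS whitepaper. It shows the two checks a practitioner would want after reading the paragraph above: which instance types in a region offer a sustained (not "Up to") 25 Gigabit network interface with ENA enhanced networking, and whether ENA is actually enabled on a given instance. It assumes the response shapes of boto3's ec2.describe_instance_types and ec2.describe_instance_attribute(Attribute="enaSupport"); the sample responses, instance list and the min_gbps threshold are constructed here so the module runs offline, and the live_high_bandwidth_types helper (which needs boto3 and credentials) is the author's illustration, not an AWS API.

```python
"""
Select EC2 instance types that meet a network-capacity bar and verify that
enhanced networking (ENA) is enabled on an instance.  Added example; the
sample responses below are constructed, not a live listing.
"""
import re
from typing import Any, Dict, List

# Constructed sample shaped like an ec2.describe_instance_types() response.
# Figures are illustrative; query the API for real data.
SAMPLE_INSTANCE_TYPES: Dict[str, Any] = {
    "InstanceTypes": [
        {"InstanceType": "t3.micro", "BareMetal": False,
         "NetworkInfo": {"NetworkPerformance": "Up to 5 Gigabit", "EnaSupport": "required"}},
        {"InstanceType": "m4.large", "BareMetal": False,
         "NetworkInfo": {"NetworkPerformance": "Moderate", "EnaSupport": "supported"}},
        {"InstanceType": "m4.16xlarge", "BareMetal": False,
         "NetworkInfo": {"NetworkPerformance": "25 Gigabit", "EnaSupport": "required"}},
        {"InstanceType": "c5.18xlarge", "BareMetal": False,
         "NetworkInfo": {"NetworkPerformance": "25 Gigabit", "EnaSupport": "required"}},
        {"InstanceType": "c5.metal", "BareMetal": True,
         "NetworkInfo": {"NetworkPerformance": "25 Gigabit", "EnaSupport": "required"}},
    ]
}

# Constructed sample shaped like ec2.describe_instance_attribute(Attribute="enaSupport").
SAMPLE_ENA_ATTRIBUTE: Dict[str, Any] = {"InstanceId": "i-0123456789abcdef0",
                                        "EnaSupport": {"Value": True}}

_GBPS = re.compile(r"(\d+(?:\.\d+)?)\s*Gigabit")


def baseline_gbps(network_performance: str) -> float:
    """Sustained Gbps promised by a NetworkPerformance string.

    'Up to N Gigabit' is a burst figure with no guaranteed baseline, and
    qualitative labels ('Low', 'Moderate', 'High') carry no number, so both
    are treated as 0 for capacity planning against volumetric traffic.
    """
    if network_performance.strip().lower().startswith("up to"):
        return 0.0
    match = _GBPS.search(network_performance)
    return float(match.group(1)) if match else 0.0


def high_bandwidth_types(response: Dict[str, Any], min_gbps: float = 25.0,
                         require_ena: bool = True) -> List[str]:
    """Instance types whose sustained network performance is >= min_gbps.

    With require_ena, the type must also support or require ENA, since that
    is what delivers the higher packet rate the paragraph describes.
    """
    selected = []
    for item in response.get("InstanceTypes", []):
        net = item.get("NetworkInfo", {})
        if baseline_gbps(net.get("NetworkPerformance", "")) < min_gbps:
            continue
        if require_ena and net.get("EnaSupport") not in ("required", "supported"):
            continue
        selected.append(item["InstanceType"])
    return sorted(selected)


def ena_enabled(attribute_response: Dict[str, Any]) -> bool:
    """True when the enaSupport attribute reports ENA as enabled on the instance."""
    return bool(attribute_response.get("EnaSupport", {}).get("Value", False))


def live_high_bandwidth_types(region: str = "us-east-1", **kwargs: Any) -> List[str]:
    """Same selection against a real account (needs boto3 and credentials).

    Hypothetical convenience wrapper; not part of the AWS SDK.
    """
    import boto3  # imported lazily so the module loads without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    merged: Dict[str, Any] = {"InstanceTypes": []}
    for page in ec2.get_paginator("describe_instance_types").paginate():
        merged["InstanceTypes"].extend(page["InstanceTypes"])
    return high_bandwidth_types(merged, **kwargs)


if __name__ == "__main__":
    print("25 Gigabit + ENA types:", high_bandwidth_types(SAMPLE_INSTANCE_TYPES))
    print("ENA enabled on sample instance:", ena_enabled(SAMPLE_ENA_ATTRIBUTE))
```

Run against the constructed data, the filter keeps only the sustained 25 Gigabit types (m4.16xlarge, c5.18xlarge, c5.metal) and rejects the "Up to" burst figure, which is the distinction that matters when sizing for a flood that does not stop. For instances already running, the enaSupport attribute check is the quick way to confirm that an instance launched from an older AMI is actually using enhanced networking.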