Infrastructure Layer Defense (BP1, BP3, BP6, BP7, BP8) - AWS Best Practices for DDoS Resiliency

Infrastructure Layer Defense (BP1, BP3, BP6, BP7, BP8)

In a traditional datacenter environment, you can mitigate infrastructure layer DDoS attacks by using techniques such as overprovisioning capacity, deploying DDoS mitigation systems, or scrubbing traffic with the help of DDoS mitigation services. On AWS, DDoS mitigation capabilities are provided automatically, but you can optimize your application's DDoS resilience by making architecture choices that best leverage those capabilities and that also allow you to scale to absorb excess traffic.

Key considerations to help mitigate volumetric DDoS attacks include ensuring that enough transit capacity and diversity are available, and protecting your AWS resources, such as Amazon EC2 instances, against attack traffic.

Some Amazon EC2 instance types support features, such as 25 Gigabit network interfaces and enhanced networking, that let them handle larger volumes of traffic. This helps prevent interface congestion for traffic that has already reached the Amazon EC2 instance. Instances that support enhanced networking provide higher I/O performance and lower CPU utilization than traditional implementations, which improves the instance's ability to handle traffic with larger packet volumes.

The 25 Gigabit feature is available on the largest instance sizes, for example, m4.16xlarge and c5.18xlarge, or on metal instances (such as c5.metal). To learn more about Amazon EC2 instances that support 25 Gigabit network interfaces and enhanced networking, see Amazon EC2 Instance Types. Amazon Linux 2 and the latest versions of the Amazon Linux AMI have the module required for enhanced networking installed and have the required enaSupport attribute set. Therefore, if you launch an instance with an HVM version of Amazon Linux on a supported instance type, enhanced networking is already enabled for your instance. For more information, see Testing Whether Enhanced Networking Is Enabled. To learn how to enable enhanced networking, see Enhanced Networking on Linux.
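One way to run the enhanced-networking check that the paragraph points to, as an added example that is not part of the AWS whitepaper: it evaluates the instance's enaSupport attribute and the driver bound to the primary interface. The sample API and ethtool outputs are constructed, and the `$ID` and `$IFACE` values in the live-use comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS whitepaper): verify that enhanced networking
# (ENA) is active on a Linux EC2 instance, using the two checks AWS documents:
#   1. the instance's enaSupport attribute from the EC2 API
#   2. the kernel driver bound to the primary interface (ethtool -i)

# Returns 0 when describe-instance-attribute JSON reports EnaSupport.Value=true.
ena_attribute_enabled() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -qF '"EnaSupport":{"Value":true}'
}

# Returns 0 when `ethtool -i <iface>` output names the ena driver.
ena_driver_loaded() {
  printf '%s\n' "$1" | awk -F': *' '
    $1 == "driver" { found = 1; ok = ($2 == "ena") }
    END { exit ((found && ok) ? 0 : 1) }'
}

# Combine both checks into one verdict string.
enhanced_networking_status() {
  attr_json=$1; ethtool_out=$2
  if ! ena_attribute_enabled "$attr_json"; then
    echo "attribute-disabled"   # enaSupport unset: set it while the instance is stopped
  elif ! ena_driver_loaded "$ethtool_out"; then
    echo "driver-missing"       # AMI lacks the ena module; a legacy driver is in use
  else
    echo "enabled"
  fi
}

# Constructed sample outputs (not captured from a real account or host).
SAMPLE_ATTR_OK='{ "InstanceId": "i-0123456789abcdef0", "EnaSupport": { "Value": true } }'
SAMPLE_ATTR_OFF='{ "InstanceId": "i-0123456789abcdef0", "EnaSupport": { "Value": false } }'
SAMPLE_ETHTOOL_ENA='driver: ena
version: 2.8.0g
firmware-version:
bus-info: 0000:00:05.0'
SAMPLE_ETHTOOL_LEGACY='driver: vif
version:
firmware-version:
bus-info: vif-0'

# Live use on an instance (needs ethtool plus AWS CLI credentials; $ID and
# $IFACE are placeholders for the instance ID and primary interface name):
#   enhanced_networking_status \
#     "$(aws ec2 describe-instance-attribute --instance-id "$ID" --attribute enaSupport)" \
#     "$(ethtool -i "$IFACE")"
enhanced_networking_status "$SAMPLE_ATTR_OK" "$SAMPLE_ETHTOOL_ENA"
```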