We can limit DDoS attacks in the following ways:
- Identify the IP range of the DDoS attack and block it at the Network ACL level. Alternatively this could be done at the Security Group level, but it's quicker at the Network ACL level.
- Install DDoS prevention software on our EC2 instances that will monitor for DDoS attacks and filter them out.
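A detail that matters when blocking a range at the Network ACL level is rule ordering: NACL rules are evaluated in ascending rule-number order and the first match wins, so a deny for the attacker's range only takes effect if it is numbered below the catch-all allow. The model below is an added example written for this note, not AWS code or output; the CIDRs are constructed documentation ranges (203.0.113.0/24, 198.51.100.0/24), and the rule numbers are chosen only to illustrate the ordering effect.

```python
"""
Model of how an AWS Network ACL evaluates inbound rules.

Constructed example for this note, not AWS code. CIDRs are
documentation ranges and rule numbers are illustrative.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int   # evaluated in ascending order, first match wins
    cidr: str
    action: str   # "allow" or "deny"


def evaluate(rules, source_ip):
    """Return the action a NACL would take for a packet from source_ip.

    Rules are checked from the lowest number upward; the first rule whose
    CIDR contains the address decides. If nothing matches, the implicit
    final '*' rule denies.
    """
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"  # implicit '*' rule


# Constructed attacker range we want to drop at the NACL.
ATTACKER_RANGE = "203.0.113.0/24"

# Correct ordering: the deny is numbered below the catch-all allow, so it wins.
GOOD_RULES = [
    NaclRule(50, ATTACKER_RANGE, "deny"),
    NaclRule(100, "0.0.0.0/0", "allow"),
]

# Common mistake: the deny is numbered above the allow, so 0.0.0.0/0 at
# rule 100 matches first and the block never takes effect.
BAD_RULES = [
    NaclRule(100, "0.0.0.0/0", "allow"),
    NaclRule(200, ATTACKER_RANGE, "deny"),
]


def check_block(rules, attacker_ip="203.0.113.77", legit_ip="198.51.100.10"):
    """Return (attacker_action, legit_action) so the ordering effect is visible."""
    return evaluate(rules, attacker_ip), evaluate(rules, legit_ip)


if __name__ == "__main__":
    print("good ordering:", check_block(GOOD_RULES))  # ('deny', 'allow')
    print("bad ordering: ", check_block(BAD_RULES))   # ('allow', 'allow')
```

The same lesson applies to the real resource: when adding the deny with `aws ec2 create-network-acl-entry --ingress --rule-action deny --cidr-block <range> --protocol -1 --rule-number <n>` (placeholders in angle brackets), pick a rule number lower than the existing allow rule, otherwise the entry is accepted but never matches.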
AWS minimizes impact by:
- Use of CloudFront, which can absorb most of the impact. Hence the edge locations take the main brunt of the attack.
- If the DDoS is against a static website that's hosted on S3, then S3 will absorb this impact.
- Port scanning (using the nmap command) is disabled by default in AWS (even port scanning between EC2 instances that are inside the same VPC). If you want to enable port scanning, then you need to contact AWS for permission.
- AWS has enabled ingress filtering on all incoming requests.