Architecture best practices
The architectural decisions you make before an attack determine whether your defenses succeed or fail. Once traffic starts flooding in, you cannot redesign your network topology fast enough to matter.
Route all public traffic through your DDoS mitigation layer
Direct origin exposure is the most common DDoS protection bypass. Attackers discover origin IPs through DNS history services like SecurityTrails, certificate transparency logs on crt.sh, or information disclosure vulnerabilities. Once they know your origin IP, they bypass your CDN and DDoS protection entirely.
Check for exposure by searching DNS history for old A records, querying certificate transparency for IPs in certificate SANs, and attempting to access your application by IP address instead of domain name. If it responds, your origin accepts direct traffic.
Configure your CDN to proxy all traffic, then lock down origin servers so they only accept connections from your CDN's IP ranges. On AWS, use the CloudFront managed prefix list in your ALB security group. On Azure, restrict NSG rules to the AzureFrontDoor.Backend service tag. On GCP, use firewall rules that allow traffic only from Google Cloud Load Balancing source ranges.
Treat "origin-only-from-edge" as a continuously validated control. New endpoints, infrastructure changes, and configuration drift are the most common paths to bypass protection that was working yesterday.
Enable and configure cloud-native DDoS protection services
Cloud-native DDoS protections absorb terabits of traffic by distributing load across the provider's global network. Each provider offers automatic baseline protection plus enhanced tiers:
AWS Shield: Standard is automatic and covers common L3/L4 attacks. Advanced (starting at $3,000/month per AWS pricing) adds L7 protection, cost protection guarantees, and DDoS Response Team access.
Azure DDoS Protection: Basic is automatic. Standard adds adaptive tuning, attack analytics, and cost guarantees.
GCP Cloud Armor: Google provides always-on infrastructure-level DDoS protection, with Cloud Armor adding L7 policies, WAF rules, adaptive protection, and bot management.
For production workloads handling sensitive data or significant revenue, the paid tiers are worth the investment because they include cost protection guarantees and expert response team access during attacks.
A common mistake is assuming the free tier suffices for production. Shield Standard does not provide WAF-managed L7 protections, attack analytics, or cost protection if an attack inflates your bill through auto-scaling. Review your tier coverage before assuming you are protected.
Implement rate limiting at every layer
Application-layer attacks use low bandwidth and legitimate-looking requests, bypassing volumetric defenses entirely. An attacker sending 1,000 requests per second to your login endpoint looks nothing like a volumetric flood but can still overwhelm your authentication service.
Implement rate limiting at multiple layers to catch different attack patterns. Configure your WAF with rate-based rules that block IPs exceeding request thresholds. Set API gateway throttling with stricter limits for anonymous traffic than authenticated users. Add application-level limits for sensitive operations like login attempts, password resets, and checkout flows.
Implement progressive rate limiting that becomes stricter as abuse patterns emerge. A logged-in user should have higher limits than anonymous traffic, and repeated offenders should face increasingly strict throttling.
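The tiered, progressive throttling described above, as an added example that is not code from the original page: a sliding-window limiter with a lower limit for anonymous keys than for authenticated ones, where every time a key trips its limit the block it receives doubles. The limits, window and penalty values are illustrative assumptions.

```python
import time
from collections import defaultdict, deque

# Illustrative per-tier limits: requests allowed per sliding window.
LIMITS = {"anonymous": 20, "authenticated": 100}
WINDOW_SECONDS = 60
PENALTY_BASE_SECONDS = 30   # first block lasts 30 s, then 60 s, 120 s, ...

class ProgressiveRateLimiter:
    """Sliding-window limiter; each time a key trips its limit the block doubles."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for deterministic tests
        self.hits = defaultdict(deque)       # key -> request timestamps in window
        self.offences = defaultdict(int)     # key -> number of times limit was hit
        self.blocked_until = {}              # key -> time the current block ends

    def allow(self, key: str, tier: str) -> bool:
        """key: client IP for anonymous traffic, user id for authenticated traffic."""
        now = self.clock()
        if self.blocked_until.get(key, 0.0) > now:
            return False                     # still serving a penalty
        window = self.hits[key]
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()                 # drop requests that left the window
        if len(window) >= LIMITS[tier]:
            self.offences[key] += 1
            penalty = PENALTY_BASE_SECONDS * 2 ** (self.offences[key] - 1)
            self.blocked_until[key] = now + penalty
            return False
        window.append(now)
        return True

if __name__ == "__main__":
    limiter = ProgressiveRateLimiter()
    verdicts = [limiter.allow("198.51.100.7", "anonymous") for _ in range(25)]
    print(f"allowed {verdicts.count(True)} of 25 anonymous requests in one burst")
```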
Design for graceful degradation
Users tolerate degraded service far better than complete unavailability. If your e-commerce site can still process checkouts while search is disabled, you preserve revenue and customer trust.
Build your architecture to shed non-critical load under stress. Use circuit breaker patterns to isolate failing components and prevent cascading failures. Serve cached or static content from CDN edge locations when origins cannot respond. Use feature flags to disable non-critical functionality and preserve resources for essential operations.
Plan a degradation hierarchy in advance. Under moderate stress, disable recommendations, reviews, and personalization while keeping core functionality. Under heavy stress, disable search and browsing while preserving checkout. Under extreme stress, serve a static catalog or maintenance page. Implement this using feature flags that operators can toggle during incidents, or configure automatic triggers based on error rates.
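The degradation hierarchy above, as an added example that is not from the original page: a controller that escalates immediately when the error rate crosses a level's entry threshold, steps down only one level at a time once the rate falls well below it (so the site does not flap at the boundary), and lets an operator pin a level during an incident. The feature names follow the text; the thresholds are assumed values.

```python
from enum import IntEnum

class Stress(IntEnum):
    NORMAL = 0
    MODERATE = 1
    HEAVY = 2
    EXTREME = 3

# Hierarchy from the text: each level disables its own features plus
# everything the lower levels already disabled.
DISABLED_AT = {
    Stress.MODERATE: {"recommendations", "reviews", "personalization"},
    Stress.HEAVY: {"search", "browsing"},
    Stress.EXTREME: {"checkout"},   # only a static catalog or maintenance page remains
}
# Illustrative error-rate thresholds to enter each level; a level is left only
# when the rate drops below EXIT_FACTOR times its entry threshold.
ENTER = {Stress.MODERATE: 0.02, Stress.HEAVY: 0.10, Stress.EXTREME: 0.30}
EXIT_FACTOR = 0.5

class DegradationController:
    def __init__(self):
        self.level = Stress.NORMAL
        self.override = None   # operator-pinned level during an incident, if any

    def observe(self, error_rate: float) -> Stress:
        """Feed the latest error-rate sample: escalate at once, recover gradually."""
        target = Stress.NORMAL
        for lvl in (Stress.MODERATE, Stress.HEAVY, Stress.EXTREME):
            if error_rate >= ENTER[lvl]:
                target = lvl
        if target > self.level:
            self.level = target
        elif self.level > Stress.NORMAL and error_rate < ENTER[self.level] * EXIT_FACTOR:
            self.level = Stress(self.level - 1)   # one step down per sample
        return self.effective()

    def effective(self) -> Stress:
        return self.override if self.override is not None else self.level

    def disabled_features(self) -> set:
        lvl = self.effective()
        return set().union(*(f for l, f in DISABLED_AT.items() if l <= lvl))
```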
Detection best practices
Early detection before service degradation gives your team time to respond and limits blast radius.
Establish traffic baselines and anomaly alerts
Build traffic baselines from historical data and alert on deviations. Capture VPC Flow Logs to understand normal patterns, and configure alarms on request rates, error rates, and latency thresholds. Document normal traffic by time of day, day of week, and seasonal variations so alerts reflect actual anomalies rather than predictable spikes.
Behavioral analytics that adapt to traffic patterns work better than static thresholds, which generate false positives during legitimate spikes like flash sales or viral content. Look for anomaly detection services that learn your normal patterns rather than relying solely on fixed numbers.
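A baseline keyed by day of week and hour of day, as an added example not taken from the original page: the same request count that is normal on a weekday afternoon scores as an anomaly on a weekend, because each slot is compared against its own history. The history is constructed synthetically, and the z-score threshold and spread floor are assumed values to tune against real data.

```python
import statistics
from collections import defaultdict

def build_baseline(history):
    """history: iterable of (weekday, hour, requests) samples from past weeks.
    Returns {(weekday, hour): (mean, population stdev)}."""
    buckets = defaultdict(list)
    for weekday, hour, count in history:
        buckets[(weekday, hour)].append(count)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in buckets.items()}

def score(baseline, weekday, hour, observed, min_spread_frac=0.10):
    """Z-score of an observation against its own time slot. The floor on the
    spread keeps a very regular hour from alarming on a few percent of noise."""
    mean, sd = baseline[(weekday, hour)]
    spread = max(sd, min_spread_frac * mean)
    return (observed - mean) / spread

def is_anomalous(baseline, weekday, hour, observed, z_threshold=4.0):
    return score(baseline, weekday, hour, observed) > z_threshold

def synthetic_history(weeks=4):
    """Constructed data: busier office hours, quieter weekends, a few percent of jitter."""
    rows = []
    for week in range(weeks):
        for weekday in range(7):
            for hour in range(24):
                base = 1800 if 9 <= hour < 18 else 1000
                if weekday >= 5:
                    base = int(base * 0.6)
                jitter = 1 + ((week * 7 + weekday + hour) % 5 - 2) / 100
                rows.append((weekday, hour, int(base * jitter)))
    return rows

BASELINE = build_baseline(synthetic_history())

if __name__ == "__main__":
    for wd, label in ((1, "Tuesday"), (6, "Sunday")):
        print(f"2000 req/h at 14:00 on {label}: anomalous={is_anomalous(BASELINE, wd, 14, 2000)}")
```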
Monitor for application-layer resource exhaustion
Slow attacks like Slowloris evade volumetric detection by maintaining few connections that consume resources over extended periods. A Slowloris attack might use only a few hundred connections while keeping your web server threads occupied indefinitely, preventing legitimate users from connecting.
Monitor for resource exhaustion at the application and process level. Track CPU and memory consumption patterns for web servers. Identify long-lived connections with minimal data transfer. Watch for connection age distributions skewing toward connections lasting minutes instead of seconds, request completion times stretching far beyond normal, and high worker thread utilization despite low throughput. These patterns indicate attacks that look normal from a network perspective.
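The connection-age and throughput signals above, run over a constructed connection table, as an added example that is not code from the original page: it flags worker-pool starvation when most connections are long-lived, incomplete and starved of data, and names the sources holding many such connections. The thresholds are illustrative assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    src: str
    age_s: float        # seconds since the connection was accepted
    bytes_in: int       # request bytes received so far
    complete: bool      # whether a full request has been parsed

# Illustrative thresholds; tune them against your own baselines.
MAX_NORMAL_AGE_S = 10.0       # requests normally complete within seconds
MIN_EXPECTED_BYTES = 512      # a real request header block is a few hundred bytes
STALLED_FRACTION_ALERT = 0.5  # share of the pool held by stalled connections
MIN_CONNS_PER_SOURCE = 20

def is_stalled(c: Conn) -> bool:
    """Long-lived, incomplete and almost no data: the slow-request signature."""
    return (not c.complete) and c.age_s > MAX_NORMAL_AGE_S and c.bytes_in < MIN_EXPECTED_BYTES

def analyse(conns):
    """Return (stalled fraction, {src: stalled count}) for the connection table."""
    stalled = [c for c in conns if is_stalled(c)]
    fraction = len(stalled) / len(conns) if conns else 0.0
    return fraction, Counter(c.src for c in stalled)

def alerts(conns):
    fraction, per_src = analyse(conns)
    out = []
    if fraction >= STALLED_FRACTION_ALERT:
        out.append(f"worker pool starvation: {fraction:.0%} of connections stalled")
    for src, n in per_src.items():
        if n >= MIN_CONNS_PER_SOURCE:
            out.append(f"slow-connection source: {src} holds {n} stalled connections")
    return out

# Constructed sample table: 60 stalled connections from one source, 20 healthy ones.
SAMPLE = (
    [Conn("203.0.113.9", age_s=180.0 + i, bytes_in=64, complete=False) for i in range(60)]
    + [Conn(f"198.51.100.{i}", age_s=0.4, bytes_in=900, complete=True) for i in range(20)]
)

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```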
Detect economic DDoS targeting your cloud bill
Auto-scaling cost explosion occurs without traditional outage indicators. Your site stays up, your users stay happy, but your monthly bill explodes from $10,000 to $500,000 because attackers triggered massive scale-out events.
Implement financial controls alongside availability monitoring. Configure budget alerts with aggressive thresholds that trigger warnings at 50%, 75%, and 90% of expected spend. Set maximum instance counts that cap how far auto-scaling can expand. Enable cloud provider cost anomaly detection services like AWS Cost Anomaly Detection or Azure Cost Management alerts.
Unlimited auto-scaling without cost controls is a common misconfiguration that attackers exploit. The assumption that "auto-scaling handles everything" ignores the financial attack vector entirely.
Response best practices
Preparation determines response speed. Chaos during attacks leads to slow, inconsistent actions that extend outages.
Create and test a DDoS response playbook
Build and maintain a playbook that covers roles and responsibilities, escalation paths, communication templates, and technical response steps for different attack types and severity levels.
Integrate with cloud provider response teams. AWS Shield Advanced customers get access to the Shield Response Team (SRT). Azure customers with DDoS Protection Standard can engage DDoS Rapid Response (DRR) through Azure Support with severity level A. These teams provide expert assistance during attacks, but only if you know how to contact them.
Run tabletop exercises quarterly and update playbooks after every real incident. Playbooks that sit untested become outdated when you need them most.
Correlate DDoS events with other security signals
Attackers use DDoS as a smokescreen while pursuing lateral movement, credential theft, or data exfiltration. While your SOC focuses on mitigating a volumetric flood, the real threat quietly uses stolen credentials to access sensitive data.
Build unified investigation capabilities that connect network events with other security signals. Link high-volume traffic events with unusual identity activity, data access patterns, and configuration changes. If a traffic spike coincides with an identity that has never accessed S3 before suddenly downloading gigabytes of data, the correlation reveals the true attack.
Automatically escalate any incident where DDoS coincides with unusual identity or data access patterns. Treat the combination as a potential coordinated attack until proven otherwise.
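The correlation described above, as an added example that is not from the original page: data-access events that fall inside a DDoS window are joined against the principal's own history, and any principal that is new to the service (or moving an unusually large volume) during the flood is returned as a reason to escalate. The spike window, audit rows, lookback and size threshold are constructed sample values.

```python
from datetime import datetime, timedelta

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample data. SPIKES: (start, end) windows raised by traffic monitoring.
# ACCESS_LOG: (time, principal, service, bytes) rows from data-access audit logs.
SPIKES = [(ts("2024-05-01T10:00:00"), ts("2024-05-01T10:40:00"))]
ACCESS_LOG = [
    (ts("2024-04-20T09:12:00"), "svc-reporting", "s3", 40_000_000),     # routine use
    (ts("2024-05-01T10:05:00"), "svc-reporting", "s3", 35_000_000),     # routine, during spike
    (ts("2024-05-01T10:12:00"), "ci-runner-7",   "s3", 9_000_000_000),  # first S3 use, 9 GB
    (ts("2024-05-01T11:30:00"), "ci-runner-7",   "s3", 1_000),          # after the spike
]
LOOKBACK = timedelta(days=30)
LARGE_TRANSFER_BYTES = 1_000_000_000

def used_recently(principal, service, log, before):
    """True if principal touched service within LOOKBACK before the given time."""
    return any(p == principal and s == service and before - LOOKBACK <= t < before
               for t, p, s, _ in log)

def smokescreen_candidates(spikes, log):
    """Accesses inside a DDoS window by a principal new to that service, or moving
    an unusually large volume; each hit is grounds to escalate the incident."""
    hits = []
    for start, end in spikes:
        for t, principal, service, nbytes in log:
            if not start <= t <= end:
                continue
            new_to_service = not used_recently(principal, service, log, start)
            if new_to_service or nbytes >= LARGE_TRANSFER_BYTES:
                hits.append({"time": t, "principal": principal, "service": service,
                             "bytes": nbytes, "new_to_service": new_to_service})
    return hits

if __name__ == "__main__":
    for h in smokescreen_candidates(SPIKES, ACCESS_LOG):
        print(f"escalate: {h['principal']} accessed {h['service']} during DDoS window "
              f"({h['bytes']} bytes, new to service: {h['new_to_service']})")
```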
Hardening best practices
Security configurations drift, new assets appear without protection, and vulnerabilities emerge in previously secure workloads.
Continuously validate your DDoS protection posture
Configuration drift and shadow assets create bypass opportunities. What was protected yesterday may not be protected today. A developer spins up a new load balancer and forgets WAF rules. An infrastructure change removes a security group restriction.
Implement continuous validation using cloud security posture management tools. Scan for resources missing expected protections: WAF not associated with load balancers, Shield Advanced not active on critical resources, security groups allowing traffic from outside CDN IP ranges, or unexpected public IPs on resources that should only receive CDN traffic.
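One concrete check from the scan just described, which is also the continuous validation of the origin-only-from-edge control in the architecture section, as an added example not taken from the original page: every web-port ingress rule is tested against the CDN's address ranges using the standard library ipaddress module, and any rule that admits addresses outside them is reported. The CDN ranges and security-group rules here are constructed placeholders; in production the ranges come from the provider's published list (for CloudFront, the CLOUDFRONT entries of https://ip-ranges.amazonaws.com/ip-ranges.json).

```python
import ipaddress
from typing import Iterable

# Constructed sample edge ranges (placeholder CIDRs, not a real provider list).
CDN_RANGES = {"203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48"}

# Constructed sample ingress rules; group names are hypothetical.
INGRESS_RULES = [
    {"group": "sg-origin-alb", "port": 443, "cidr": "203.0.113.0/25"},    # inside CDN range
    {"group": "sg-origin-alb", "port": 443, "cidr": "0.0.0.0/0"},         # open to the world
    {"group": "sg-origin-alb", "port": 80,  "cidr": "198.51.100.64/26"},  # inside CDN range
    {"group": "sg-admin",      "port": 22,  "cidr": "192.0.2.10/32"},     # not a web port
    {"group": "sg-new-lb",     "port": 443, "cidr": "192.0.2.0/24"},      # outside CDN range
]
WEB_PORTS = {80, 443}

def covered_by_cdn(cidr: str, cdn_ranges: Iterable[str]) -> bool:
    """True only if every address in cidr falls inside one CDN range."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in cdn_ranges:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False

def find_origin_bypass(rules, cdn_ranges, web_ports=WEB_PORTS):
    """Web-port ingress rules that admit traffic from outside the CDN, in input order."""
    return [r for r in rules
            if r["port"] in web_ports and not covered_by_cdn(r["cidr"], cdn_ranges)]

if __name__ == "__main__":
    for r in find_origin_bypass(INGRESS_RULES, CDN_RANGES):
        print(f"{r['group']}: port {r['port']} reachable from {r['cidr']}, bypasses the CDN")
```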
Alert immediately when new public endpoints appear. New endpoints are often deployed without the security review process that ensures proper protection.
Prevent your infrastructure from becoming a DDoS source
Compromised workloads can be recruited into botnets that attack other targets. Beyond the ethical issues, this causes reputation damage, legal exposure, and potential blacklisting of your IP ranges.
Prioritize patching internet-facing workloads that attackers target for botnet recruitment. Monitor outbound traffic for anomalous patterns like UDP floods, SYN floods, or high-volume connections to unusual destinations. Limit outbound connections using security groups and network ACLs for IP/port restrictions. For domain-level control, deploy proxy-based egress solutions like AWS Network Firewall or Azure Firewall that support domain-based filtering for HTTP/HTTPS traffic, allowing you to restrict outbound connections by destination hostname where protocol visibility is available.
How Wiz helps detect and respond to DDoS-related threats
Wiz complements network-layer DDoS protections by providing workload-level visibility and attack surface validation. While WAFs, CDNs, and cloud provider DDoS services handle network-level mitigation, Wiz shows what's happening inside your cloud environment.
Wiz Defend with Wiz Sensor detects the impact of DoS attacks within cloud workloads. System Health Issues surface resource exhaustion, connectivity loss, and anomalous process behavior at high severity. You can create custom runtime rules to detect specific DoS payloads, such as rapid process creation, before they cause full system collapse. The Detection Engine uses thousands of threat detection rules and behavioral baselines to identify anomalous activity, with all events logged for auditing.
Wiz Attack Surface Management (ASM) proactively identifies external-facing misconfigurations, weak credentials, and vulnerabilities that attackers could exploit as entry points, as well as misconfigurations that increase DDoS exposure. By hardening internet-facing assets before an attack, you reduce the opportunities attackers have to target your infrastructure.
The Security Graph connects these signals with identity and data access patterns to help reveal smokescreen attacks where DDoS distracts from credential abuse or data exfiltration.
Get a demo to see how Wiz helps detect DoS impact at the workload level and harden your attack surface before attackers exploit it.