Best Practices

Deploy in DDoS-protected regions when possible

For workloads sensitive to DDoS attacks, choose regions with DDoS Protection. The BGP diversion and scrubbing pipeline provides significantly stronger defense than threshold-based blocking alone. See Regional Availability for the current list.

Validate thresholds before you need them

Default thresholds are calibrated for general workloads — not tuned for yours. If your application routinely runs near those limits (a media server with sustained high BPS, a game server with high PPS), you're one traffic spike away from a false-positive block. Review your peak traffic metrics against your current thresholds and adjust proactively. Navigate to the Elastic IPv4 page, click the menu in the Actions column, and select Change Block Threshold.

Take OutCPS blocks seriously

An OutCPS-triggered block usually means an instance is initiating outbound connections at an abnormal rate — a common sign of compromise. When you see one, check the instance for unusual processes or connections before re-enabling internet access.

Use DDoS Protection policies for proactive defense

Leverage fingerprint rules, geo-blocking, and IP allow/block lists to proactively reduce your attack surface rather than relying solely on reactive threshold-based blocking. See the Configuration Guide for setup instructions.

Design for block resilience

Blocks last 2 hours by default. If uptime is critical, don't rely on a single EIP per service — use multiple EIPs with load balancing so that a block on one doesn't take down the service entirely.

Understand the cleaning lifecycle

Cleaning events progress through defined states (Cleaning → End Cleaning, or Cleaning → Blackhole → End Blackhole). If you see frequent escalations to blackhole, review and optimize your DDoS policies in the management console. See Cleaning Event Lifecycle for details.


Troubleshooting

My EIP is blocked and I can't reach my instance

Your EIP was likely blackholed due to a threshold breach. Go to the DDoS Protection events page to check status and manually release the blackhole.

I'm getting blocked during normal traffic spikes

Your thresholds may be too low for your workload. Navigate to the Elastic IPv4 page, click the menu on the affected EIP, and select Change Block Threshold.

My instance is sending outbound traffic I didn't initiate

An OutCPS block means your instance may be compromised. Investigate running processes and connections before re-enabling internet access.
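A first-pass triage for the OutCPS check described under "Take OutCPS blocks seriously" and in the troubleshooting item above, as an added example that is not part of the original documentation: it groups locally initiated TCP sockets from `ss -Htanp` output by owning process. The sample output, process names and addresses are constructed, and `outbound_by_process` and `report` are hypothetical helper names.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `ss -Htanp` output (documentation address ranges, made-up processes).
SAMPLE = """\
LISTEN   0 128 0.0.0.0:22      0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN   0 511 0.0.0.0:443     0.0.0.0:*          users:(("nginx",pid=950,fd=6))
ESTAB    0 0   10.0.0.5:22     203.0.113.7:51514  users:(("sshd",pid=2101,fd=4))
ESTAB    0 0   10.0.0.5:443    203.0.113.9:40200  users:(("nginx",pid=951,fd=12))
ESTAB    0 0   10.0.0.5:51822  198.51.100.10:443  users:(("apt",pid=3300,fd=5))
SYN-SENT 0 1   10.0.0.5:40122  192.0.2.11:23      users:(("kworkerd",pid=4410,fd=9))
SYN-SENT 0 1   10.0.0.5:40124  192.0.2.12:23      users:(("kworkerd",pid=4410,fd=10))
SYN-SENT 0 1   10.0.0.5:40126  192.0.2.13:23      users:(("kworkerd",pid=4410,fd=11))
ESTAB    0 0   10.0.0.5:40130  192.0.2.14:23      users:(("kworkerd",pid=4410,fd=12))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def outbound_by_process(ss_output):
    """Group locally initiated TCP sockets by owning process, busiest first."""
    rows = [line.split(None, 5) for line in ss_output.splitlines() if line.strip()]
    rows = [r for r in rows if len(r) >= 5]
    # A socket bound to a listening port is inbound; any other local port was opened by the host.
    listening = {r[3].rsplit(":", 1)[1] for r in rows if r[0] == "LISTEN"}
    stats = defaultdict(lambda: {"conns": 0, "syn_sent": 0, "peers": set(), "dports": set()})
    for state, _rq, _sq, local, peer, *rest in rows:
        if state == "LISTEN" or local.rsplit(":", 1)[1] in listening:
            continue
        m = PROC_RE.search(rest[0]) if rest else None
        key = (m.group(1), int(m.group(2))) if m else ("(no process info)", 0)
        peer_ip, peer_port = peer.rsplit(":", 1)
        s = stats[key]
        s["conns"] += 1
        s["syn_sent"] += state == "SYN-SENT"  # half-open attempts, typical of connection bursts
        s["peers"].add(peer_ip)
        s["dports"].add(peer_port)
    return sorted(stats.items(), key=lambda kv: kv[1]["conns"], reverse=True)

def report(ss_output):
    for (name, pid), s in outbound_by_process(ss_output):
        print(f"{name:<20} pid={pid:<6} conns={s['conns']:<4} syn_sent={s['syn_sent']:<4} "
              f"peers={len(s['peers']):<4} dports={','.join(sorted(s['dports']))}")

if __name__ == "__main__":
    # Pass --live on the instance to read real sockets; otherwise use the constructed sample.
    live = "--live" in sys.argv
    report(subprocess.run(["ss", "-Htanp"], capture_output=True, text=True).stdout if live else SAMPLE)
```

Run it with `--live` as root so `ss` can attribute sockets to processes; a process holding many SYN-SENT sockets to many peers on one destination port is the first thing to examine.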
