Best Practices

Deploy in DDoS-protected regions when possible

For workloads sensitive to DDoS attacks, choose regions with DDoS Protection. The BGP diversion and scrubbing pipeline provides significantly stronger defense than threshold-based blocking alone. See Regional Availability for the current list.

Validate thresholds before you need them

Default thresholds are calibrated for general workloads — not tuned for yours. If your application routinely runs near those limits (a media server with sustained high BPS, a game server with high PPS), you're one traffic spike away from a false-positive block. Review your peak traffic metrics against your current thresholds and adjust proactively. Navigate to the Elastic IPv4 page, click the ⋯ menu in the Actions column, and select Change Block Threshold.

Take OutCPS blocks seriously

An OutCPS-triggered block usually means an instance is initiating outbound connections at an abnormal rate — a common sign of compromise. When you see one, check the instance for unusual processes or connections before re-enabling internet access.

Use DDoS Protection policies for proactive defense

Leverage fingerprint rules, geo-blocking, and IP allow/block lists to proactively reduce your attack surface rather than relying solely on reactive threshold-based blocking. See the Configuration Guide for setup instructions.

Design for block resilience

Blocks last 2 hours by default. If uptime is critical, don't rely on a single EIP per service — use multiple EIPs with load balancing so that a block on one doesn't take down the service entirely.

Understand the cleaning lifecycle

Cleaning events progress through defined states (Cleaning → End Cleaning, or Cleaning → Blackhole → End Blackhole). If you see frequent escalations to blackhole, review and optimize your DDoS policies in the management console. See Cleaning Event Lifecycle for details.

Troubleshooting

My EIP is blocked and I can't reach my instance Your EIP was likely blackholed due to a threshold breach. Go to the DDoS Protection events page to check status and manually release the blackhole.

I'm getting blocked during normal traffic spikes Your thresholds may be too low for your workload. Navigate to the Elastic IPv4 page, click the ⋯ menu on the affected EIP, and select Change Block Threshold.

My instance is sending outbound traffic I didn't initiate An OutCPS block means your instance may be compromised. Investigate running processes and connections before re-enabling internet access.