Amazon network engineering contact? re: DDoS traffic

John Weekes jw at
Thu Nov 8 20:44:24 UTC 2018

We've been seeing significant attack activity from Amazon over the last 
two months, involving apparently compromised instances that commonly 
send 1-10G of traffic per source and together generate Nx10G of total 
traffic. Even when our overall upstream capacity exceeds an attack's 
overall size, the nature of load-balancing over multiple 10G upstream 
links means that an individual link can be saturated by multiple large 
flows, forcing our systems to null-route the target to limit impact.

We've sent an abuse notification about every traffic source to Amazon, 
and specific sources seem to stop their involvement over time 
(suggesting that abuse teams are following up on them), but there is an 
endless parade of new attackers, and each source participates in many 
damaging attacks before it is shut down.

Is there anyone at Amazon who can help with an engineering solution in 
terms of programmatically detecting and rate-limiting attack traffic 
sources, to our networks or overall? Or applying the kludge of a 
rate-limit for all Amazon traffic to our networks? Or working with us on 
some other option?

At least one other large cloud provider has an automatic rate-limiting 
system in place that is effective in reducing the damage from repeat 
high-volume attacks.

Emails to the Amazon NOC, peering contacts (since that would be another 
possible solution), and abuse department have not connected me with anyone.


More information about the NANOG mailing list