Why did I receive an Amazon GuardDuty Denial of Service (DoS) finding type for my Amazon EC2 instance?

Last updated: 2021-01-08

Amazon GuardDuty detected a Denial of Service (DoS) finding with my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

The GuardDuty Backdoor:EC2/DenialOfService finding type indicates that an Amazon EC2 instance is sending large amounts of outbound TCP or UDP traffic to another remote host. This might be due to a Denial of Service (DoS) attack. If this behavior isn't expected, your Amazon EC2 instance might have unauthorized activity.

Note: The Backdoor:EC2/DenialOfService finding type detects EC2 instances performing Denial of Service (DoS) attacks only with public routable IP addresses.

For additional information, see the Backdoor:EC2/DenialOfService.tcp finding types.

Resolution

Follow the instructions for to identify and stop unauthorized activity for the EC2 instance.

For additional information, see How Amazon GuardDuty uses its data sources.

Related information

Creating custom responses to GuardDuty findings with Amazon CloudWatch Events

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Security solutions in AWS Marketplace

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support