Why did I receive an Amazon GuardDuty Denial of Service (DoS) finding type for my Amazon EC2 instance?

1 minute read

Amazon GuardDuty detected a Denial of Service (DoS) finding with my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

The GuardDuty Backdoor:EC2/DenialOfService finding type indicates that an Amazon EC2 instance is sending large amounts of outbound TCP or UDP traffic to another remote host. This might be due to a Denial of Service (DoS) attack. If this behavior isn't expected, then your Amazon EC2 instance might have unauthorized activity.

Note: The Backdoor:EC2/DenialOfService finding type detects EC2 instances performing Denial of Service (DoS) attacks only with public routable IP addresses.

For additional information, see the Backdoor:EC2/DenialOfService.tcp finding types.


Follow the instructions for to identify and stop unauthorized activity for the EC2 instance.

For additional information, see How Amazon GuardDuty uses its data sources.

Related information

Creating custom responses to GuardDuty findings with Amazon CloudWatch Events

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

AWS OFFICIALUpdated a year ago