
I wonder how well their CloudFront CDN holds up for delivering static content in the face of a DDoS vs just using heavy static caching with nginx or apache on EC2.


Probably better, the CDN should be able to absorb much more traffic. (At 10Gbps, you need to worry about the attackers saturating your upstream pipe. Forget responding, just receiving that much traffic is nontrivial. EC2 nodes are probably networked using gigabit ethernet, so no matter how clever you get you can't solve this with everyone's favorite "single load balancer plus nginx web servers".)


If everything is edge-cached at local hubs (typically how a CDN works) then it should be pretty sturdy against a DDoS attack - after the first few waves of attacks the DDoS will just be hitting static content served up by the closest end-point to each individual ping to the server - the aggregate of the attack won't impact any of the dynamic servers if done right.

That being said, I wouldn't want to pay the bandwidth bill for the CDN :p


Check out the anti-DDoS article we wrote up a few months ago. It uses a constellation of Nginx nodes to absorb the DDoS. The constellation acts the same way as a CDN without the geoIP awareness.

The advantage of this approach is that instead of relying on one ISV's backbone, you can build the constellation across several ISVs to aggregate the bandwidth and packet processing power.

Regards
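Added example (not from the linked article, nor from any commenter above): one node of the kind of caching nginx "constellation" described in the last two comments, and the same edge-caching behaviour the earlier comment attributes to a CDN. Each node caches the origin's static responses locally, keeps serving stale copies if the origin is down or overloaded, collapses concurrent misses into a single origin fetch, and rate-limits per source address so a flood mostly hits the node's own cache and packet-processing capacity rather than the dynamic origin. Host names, the cache path, and the limits are assumptions chosen for illustration; these directives belong inside nginx's `http { }` context.

```nginx
# One edge node of the constellation.  Assumed: origin.example.com is the
# dynamic origin, www.example.com is the public name, /var/cache/nginx is
# local disk.  Tune sizes and rates to the node's hardware and traffic.

# Local cache: up to 10 GB on disk, 100 MB of keys in shared memory.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge:100m
                 max_size=10g inactive=60m use_temp_path=off;

# Per-source-address request and connection limits, so one flood source
# cannot monopolise a node (zones are keyed on the client address).
limit_req_zone  $binary_remote_addr zone=perip:10m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=connperip:10m;

upstream origin {
    server origin.example.com:443;
    keepalive 32;   # reuse origin connections instead of opening one per miss
}

server {
    listen 80;
    server_name www.example.com;

    location / {
        limit_req  zone=perip burst=40 nodelay;
        limit_conn connperip 20;

        proxy_cache       edge;
        proxy_cache_key   "$scheme$host$request_uri";
        proxy_cache_valid 200 301 302 10m;

        # Keep serving the cached copy if the origin errors, times out, or is
        # mid-refresh: the attack then never reaches the dynamic servers.
        proxy_cache_use_stale error timeout updating
                              http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;

        # Collapse simultaneous misses for one URL into a single origin fetch.
        proxy_cache_lock on;

        proxy_pass https://origin;
        proxy_ssl_server_name on;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Expose HIT/MISS/STALE so you can verify what actually reached origin.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

To check a node is absorbing rather than forwarding, request the same static URL twice and watch `X-Cache-Status` go from `MISS` to `HIT`; during an origin outage it should read `STALE`. The config only helps against the request-volume part of an attack: as the second comment notes, once the flood saturates the node's uplink no nginx setting recovers that bandwidth, which is why the constellation spreads nodes across several providers.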




