A company is launching a web application on AWS, using EC2 instances in a VPC with an ELB and third-party DNS. What solution should be recommended for DDoS attack protection?