Containment | P1 | ~240 min

Activate Scrubbing and Layered Mitigation

Apply layered mitigation appropriate to the attack: upstream scrubbing for volumetric floods, geo-blocking or rate-limiting for clear source profiles, application-layer controls (WAF rules, bot management, JS challenges) for L7 attacks.

Actions

  1. Route traffic through upstream scrubbing (BGP redirection, DNS redirection to the scrubbing provider's anycast, on-demand cloud WAF activation) for volumetric attacks.

  2. Apply rate limiting at the edge: per-IP, per-subnet, and per-session limits on the affected endpoints. Tune them aggressively, but avoid blocking legitimate users unless necessary.

  3. For clear source concentrations, apply geo-blocking or ASN-blocking at the edge; revert once the attack subsides to restore legitimate traffic.

  4. For L7 attacks, enable WAF rate limiting, bot management (Cloudflare Bot Management, Akamai Bot Manager, Imperva), JS challenges, and CAPTCHA on high-cost endpoints.

  5. If the attack is application-layer: cache previously uncached responses, serve a static fallback, and temporarily disable expensive search/filter endpoints.

  6. Monitor mitigation effectiveness in near real time: bps/pps reduction, error-rate reduction, and request-success-rate recovery.
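The following is an added example, not part of this runbook or any vendor's product: it shows the layered per-IP plus per-/24 rate limiting from step 2 as a pair of token buckets, replays a constructed request stream through it, and reports the per-source breakdown needed for the false-positive check in step 6 and the Notes below. The bucket sizes, IP addresses, paths and timestamps are all constructed tuning values, not recommendations.

```python
"""Layered edge rate limiting: a per-IP token bucket plus a per-/24 subnet
bucket, replayed over a constructed request stream. Added example, not from
the runbook; limits, addresses and timestamps are constructed."""
import ipaddress
from collections import Counter, defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` is the permitted burst, `refill_rate`
    is the sustained requests-per-second budget."""

    def __init__(self, capacity, refill_rate):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeRateLimiter:
    """Two layers: the per-IP bucket catches a single noisy source, the
    per-/24 bucket catches many sources spread across one prefix. A request
    passes only if both layers allow it. Default limits are assumed values."""

    def __init__(self, ip_limit=(10, 5.0), subnet_limit=(50, 20.0)):
        self.ip_limit = ip_limit
        self.subnet_limit = subnet_limit
        self.ip_buckets = {}
        self.subnet_buckets = {}

    def check(self, src_ip, now):
        ip_bucket = self.ip_buckets.setdefault(src_ip, TokenBucket(*self.ip_limit))
        if not ip_bucket.allow(now):
            return "limited:ip"
        subnet = str(ipaddress.ip_network(f"{src_ip}/24", strict=False))
        subnet_bucket = self.subnet_buckets.setdefault(
            subnet, TokenBucket(*self.subnet_limit)
        )
        if not subnet_bucket.allow(now):
            return "limited:subnet"
        return "allowed"


def constructed_traffic():
    """Constructed request stream of (timestamp, source IP, path) tuples."""
    reqs = []
    # One legitimate user browsing at a normal pace.
    reqs += [(0.0, "192.0.2.5", "/"), (1.0, "192.0.2.5", "/search"),
             (2.5, "192.0.2.5", "/item/1")]
    # One source hammering an expensive endpoint within a single instant.
    reqs += [(1.0, "203.0.113.10", "/search")] * 30
    # Sixty distinct sources in one /24, one request each, all at once.
    reqs += [(2.0, f"198.51.100.{h}", "/search") for h in range(1, 61)]
    return sorted(reqs, key=lambda r: r[0])  # stable sort keeps arrival order


def replay(requests, limiter=None):
    """Run the stream through the limiter; return decision totals and a
    per-IP breakdown for checking that legitimate users were not blocked."""
    limiter = limiter or EdgeRateLimiter()
    totals = Counter()
    per_ip = defaultdict(Counter)
    for ts, ip, _path in requests:
        decision = limiter.check(ip, ts)
        totals[decision] += 1
        per_ip[ip][decision] += 1
    return totals, per_ip


def legit_requests_limited(per_ip, legit_ips):
    """False-positive measure: requests from known-legitimate sources that
    were rate limited. Should be zero, or the limits are too aggressive."""
    return sum(n for ip in legit_ips
               for d, n in per_ip[ip].items() if d != "allowed")


if __name__ == "__main__":
    totals, per_ip = replay(constructed_traffic())
    print(dict(totals))
    print("legitimate requests limited:",
          legit_requests_limited(per_ip, ["192.0.2.5"]))
```

The per-IP layer alone would let the sixty-source /24 burst straight through, since each address stays under its own budget; the subnet layer is what trims it, while the browsing user passes both layers untouched. In a real edge this logic lives in the WAF or CDN rate-limit rules rather than in application code, but the two-layer structure and the "how many legitimate requests did we limit" check carry over directly.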

Queries

What is the upstream scrubbing provider currently mitigating (pps, bps, RPS), and what is bypassing mitigation?
What WAF rules are currently active for the DDoS event, and what is their block rate?

Notes

Over-aggressive mitigation blocks legitimate users; err toward layered and adjustable rather than single-setting and aggressive.

Attack profiles evolve during mitigation; keep a tight feedback loop with the scrubbing provider and be ready to adjust rules.
