DDoS Attack Response Quickstart

Confirm the traffic spike is an attack, not a marketing event, viral launch, or legitimate bot surge (search-engine crawl, partner integration). Check for anomalous source profiles (many low-throughput IPs, specific ASN concentration, reflector set with amplifying servers), request patterns (repetitive small packets, implausibly-formed requests), and magnitude vs baseline.

Classify by layer (L3/L4 vs L7) and vector (SYN flood, UDP flood, reflection/amplification via DNS/NTP/Memcached/SSDP/CLDAP, HTTP flood, Slowloris, cache-buster, search-expensive queries). Mitigation differs per layer; applying a volumetric fix to an L7 attack wastes the window. Record peak pps, bps, and RPS.

Activate the pre-existing DDoS response contract with your upstream provider (Cloudflare, Akamai, AWS Shield Advanced, Fastly). If no contract, initiate emergency engagement immediately -- most providers offer emergency onboarding but at premium. Route volumetric traffic through scrubbing via BGP redirection or anycast DNS redirection.

Apply edge rate limiting per-IP and per-subnet on affected endpoints. For clear source concentrations, apply geo-blocking or ASN-blocking at the edge with a planned revert once the attack subsides. Start with less-aggressive limits and escalate; over-aggressive edge controls block legitimate users.

For L7 attacks: enable WAF rate limiting, bot management (Cloudflare Bot Management, Akamai Bot Manager, Imperva), JS challenges, and CAPTCHA on high-cost endpoints. Cache previously uncached responses, serve static fallback, and temporarily disable expensive search/filter endpoints if needed.

DDoS is sometimes used as cover for concurrent intrusion (data theft, ransomware staging, credential attacks). While the network team fights the flood, SOC should hunt for anomalous authentication, internal lateral movement, data egress, or new outbound C2 that may be hidden by the traffic event. This parallel track is commonly skipped and commonly regretted.