Runbook: DDoS Attack
Tags: Security Specialist, Operations & Strategy, DevOps
This is an example runbook. Review and customize for your protocol before use. Add your specific CDN/WAF provider commands and escalation contacts.
Quick Reference
| Field | Value |
|---|---|
| Typical Severity | P2-P3 |
| Primary Responder | Infrastructure SME |
| Last Updated | [Date] |
| Owner | [Name] |
Identification
Symptoms
- Website/API unresponsive or slow
- Monitoring shows traffic spike
- CDN/hosting alerts
- Error rate increase
- Legitimate requests timing out
Differentiation
| Symptom | Likely Cause |
|---|---|
| Traffic spike + slow response | DDoS |
| Traffic normal + slow response | Application issue |
| Single endpoint affected | Targeted attack or bug |
| All traffic from few IPs | Simple attack, easy to block |
| Distributed traffic | Sophisticated DDoS |
Immediate Actions
Step 1: Confirm DDoS
Why: Distinguish from application issues
- Check CDN/WAF dashboards
- Review traffic patterns
- Check if specific endpoints targeted
Step 2: Enable DDoS Protection
Why: Use provider-level mitigation
For Cloudflare:
[Document your Cloudflare mitigation steps]
For AWS:
[Document your AWS Shield steps]
Step 3: Assess Impact
- Which services affected?
- Are critical functions available?
- User impact level?
Investigation
Key Questions
- Attack type (volumetric, protocol, application layer)?
- Targeted endpoints?
- Attack source patterns?
- Why now? (retaliation, extortion, distraction?)
Data to Collect
| Data | Source |
|---|---|
| Traffic volume | CDN/hosting dashboard |
| Request patterns | Access logs |
| Source IPs | WAF/firewall logs |
| Targeted paths | Application logs |
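The "Confirm DDoS" step and the "Data to Collect" table both come down to the same three questions about the access log: is the request rate spiking against baseline, is the traffic concentrated on a few source IPs or spread out, and which path is being hit. The script below is an added example, not part of this runbook template: it parses Apache/nginx combined-format lines and maps the answers onto the Differentiation table. The log lines, the baseline figure, the spike and concentration thresholds, and the IP addresses and paths are all constructed for illustration; replace the baseline with the value from your own monitoring.

```python
"""Access-log triage for a suspected DDoS (constructed example, not runbook code)."""
import re
from collections import Counter
from datetime import datetime

# Combined log format: IP - - [timestamp] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return ip, minute bucket, path (query string stripped) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.strftime("%Y-%m-%d %H:%M"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def triage(lines, baseline_rpm, top_n=5):
    """Summarise peak rate vs. baseline, source-IP concentration, top path and 5xx rate.

    baseline_rpm is the service's normal requests per minute (assumed known
    from historical monitoring; the value used in the sample is made up).
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    total = len(records)
    per_minute = Counter(r["minute"] for r in records)
    ips = Counter(r["ip"] for r in records)
    paths = Counter(r["path"] for r in records)
    peak_rpm = max(per_minute.values()) if per_minute else 0
    top_ips = ips.most_common(top_n)
    top_path, top_path_count = paths.most_common(1)[0] if paths else (None, 0)
    return {
        "total_requests": total,
        "peak_rpm": peak_rpm,
        "spike_ratio": peak_rpm / baseline_rpm if baseline_rpm else 0.0,
        "unique_ips": len(ips),
        "top_ips": top_ips,
        # Share of all requests coming from the top_n sources: near 1.0 means "few IPs".
        "top_ip_share": sum(c for _, c in top_ips) / total if total else 0.0,
        "top_path": top_path,
        "top_path_share": top_path_count / total if total else 0.0,
        "error_rate": sum(1 for r in records if r["status"] >= 500) / total if total else 0.0,
    }


def classify(summary, spike_threshold=5.0, concentration_threshold=0.8):
    """Map the summary onto the runbook's Differentiation table (thresholds are illustrative)."""
    if summary["spike_ratio"] < spike_threshold:
        return "no traffic spike: investigate as application issue"
    if summary["top_ip_share"] >= concentration_threshold:
        return "spike from few IPs: simple attack, block sources"
    return "distributed spike: sophisticated DDoS, engage CDN/WAF mitigation"


def sample_log():
    """Constructed log: three ordinary visitors, then a flood of one path from four IPs."""
    lines = []
    for i in range(3):
        lines.append(f'198.51.100.{i} - - [10/Mar/2024:12:00:{i:02d} +0000] '
                     f'"GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(200):
        lines.append(f'203.0.113.{i % 4} - - [10/Mar/2024:12:01:{i % 60:02d} +0000] '
                     f'"POST /api/search HTTP/1.1" 503 0 "-" "python-requests/2.31"')
    return lines


if __name__ == "__main__":
    s = triage(sample_log(), baseline_rpm=10)  # baseline is a made-up figure
    print(f"peak {s['peak_rpm']} rpm (x{s['spike_ratio']:.0f} baseline), "
          f"{s['unique_ips']} IPs, top-5 share {s['top_ip_share']:.2f}, "
          f"top path {s['top_path']} ({s['top_path_share']:.0%}), 5xx {s['error_rate']:.0%}")
    print(classify(s))
```

Run it against a slice of the real access log around the alert time (for example the last 15 minutes) rather than the whole file, so the per-minute peak reflects the incident and not the daily maximum.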
Mitigation
CDN/WAF Level
- Enable "Under Attack" mode if available
- Increase security level
- Add rate limiting rules
- Block obvious attack patterns
- Enable bot protection
Application Level
- Enable rate limiting
- Add CAPTCHA to affected endpoints
- Cache aggressively
- Disable non-essential features temporarily
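For the "Enable rate limiting" item, an application-side limiter needs two properties during an incident: a per-client budget that can be tightened without a restart, and bounded memory so that a flood of new client identifiers does not itself exhaust the service. The sliding-window limiter below is an added example written for this runbook, not code from any framework; the client identifier, limits, window length and the simulated burst are constructed, and taking the client IP from your CDN's forwarded header is an assumption about your deployment.

```python
"""Per-client sliding-window rate limiter (constructed example, not runbook code)."""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can use a fake clock
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent hits

    def _prune(self, q, now):
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()

    def allow(self, client_id):
        """Return True if the request fits the budget, False if it should get HTTP 429."""
        now = self.clock()
        q = self._hits[client_id]
        self._prune(q, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def tighten(self, limit):
        """Lower the budget mid-incident without restarting (runbook: 'increase security level')."""
        self.limit = limit

    def evict_idle(self):
        """Drop clients with no hits inside the window so state stays bounded under a flood.

        Returns the number of clients still tracked. Call periodically, not per request.
        """
        now = self.clock()
        for client_id in list(self._hits):
            self._prune(self._hits[client_id], now)
            if not self._hits[client_id]:
                del self._hits[client_id]
        return len(self._hits)


class FakeClock:
    """Deterministic clock for the simulation below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(limit=5, window=10.0):
    """Constructed burst: 8 rapid requests from one client, 1 from another,
    then the first client again after its window has expired."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit, window, clock=clock)
    burst = []
    for _ in range(8):
        burst.append(limiter.allow("203.0.113.5"))  # constructed client IP
        clock.advance(0.1)
    other_client = limiter.allow("198.51.100.7")
    clock.advance(window)
    tracked_after_evict = limiter.evict_idle()
    after_window = limiter.allow("203.0.113.5")
    return {
        "burst": burst,
        "other_client": other_client,
        "tracked_after_evict": tracked_after_evict,
        "after_window": after_window,
    }


if __name__ == "__main__":
    print(simulate())
```

Keying on the client IP is the usual starting point, but behind a CDN or load balancer the socket address is the proxy's, so the key must come from the forwarded header your edge actually sets, and only when the request arrived through that edge. Against a distributed attack a per-IP limit alone will not hold; it protects the application from individual aggressive sources while the CDN/WAF layer absorbs the volume.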
DNS Level
- Reduce TTL for flexibility
- Consider geo-blocking if attack is regional
- Failover to backup if available
Escalation
- CDN/hosting provider - for attack mitigation support
- Decision Makers - if extended outage
Recovery
Attack Subsiding
- Monitor traffic patterns
- Gradually reduce protection levels
- Watch for resurgence
- Keep enhanced monitoring for 24-48 hours
Post-Attack
- Review logs for attack details
- Update protection rules
- Document attack patterns
- Consider permanent mitigations
Communication
Internal
- Status updates every 30 min during active attack
- State clearly whether the service is degraded or fully down
External (if needed)
We're experiencing elevated traffic that's affecting site performance. We're actively mitigating and will provide updates.
Usually not needed for brief DDoS attacks. Avoid drawing attention.
Prevention
After resolving, consider:
- Always-on DDoS protection
- Rate limiting by default
- Geographic restrictions if appropriate
- Improved caching
- Backup/failover infrastructure