DDoS Incident Response Guide

Yash Vasani
4 min readAug 3, 2021


Igor Stevanovic / Getty Images

DDoS attacks overwhelm the network infrastructure with redundant requests or traffic to such an extent that the infrastructure becomes unavailable to the genuine users. This attack operates on the bridge of security and network operations. These attacks are tricky to thwart while you are under siege, they require preemptive preparedness. Its virtually impossible to become “DDoS Proof” but proper response planning can limit the potential damage and allow the organization to function in an effective manner than someone trying to improvise through a DDoS crisis.

So far in 2021 Verizon analyzed 29,207 incidents out of which an approximate 50% of them account to DDoS

Types of DDoS Attacks

  • Network Layer Attacks

Network Layer Attacks are the most frequent and easier to execute DoS attacks, they “clog the network pipelines” creating a traffic jam to disrupt the connection of your service with the internet. Examples include UDP Flood, SYN Flood, NTP Amplification, DNS Amplification, SSDP Amplification, IP Fragmentation, and many more.

Over 20 percent of all network layer attacks last over five days

  • Application Layer Attacks

Application Layer Attacks seek to overload the finite resources upon which an application is running like disk space and available memory by opening connections and initiating process or by sending transaction requests.

Mitigating Network Layer DDoS Attacks

  • Border Gateway Protocol (BGP) Routing:

For larger organizations BGP Routing can be an effective way to protect multiple services and protocols across an entire range of IP address of class-C subnet (/24). BGP can handle large scale assaults on any protocol or infrastructure which includes HTTPS, SMTP, FTP et al.

It screens all incoming network traffic before it reaches its target. It works on the network level by rerouting malicious network packets to security providers before they can reach other computing resources. BGP routers can redirect high volumes of traffic to centralized data scrubbing centers which analyzes traffic and filters out malicious DDoS attack traffic using deep packet inspection. It then allows the healthy traffic to pass through to the Autonomous System.

  • Dedicated IP

For smaller organizations wishing to protect multiple service types and protocols, but without a full C-class IP range, this is similar to IP-based protection. In this deployment mode (and unlike BGP), the protection provider assigns you a “dedicated IP address” from its own IP range. Using this address, all incoming traffic passes through the provider’s network where it is inspected and filtered.

  • IP Reputation

IP reputation is another powerful tool that can be used to quickly filter out bad bots. DDoS mitigation services that operate global networks and protect large numbers of customers are positioned to perform wide-scale analysis on automated clients. It can be extended by implementing Firewall Botnet filter to block P2P and IRC.

  • Blackhole Routing

DDoS blackhole routing/filtering (sometimes called blackholing), is a countermeasure to mitigate a DDoS attack in which network traffic is routed into a “black hole,” and is lost. When blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route or black hole and dropped from the network.

Mitigating Application Layer Attacks

  • Client Classification

Client classification is all about automating the process of identifying and blocking malicious bots. It is done by using precompiled signatures and examining attributes of the source requests.

  • Progressive Challenges

Progressive challenges or as they are more commonly known “CAPTCHAs” are designed to ensure the optimal balance between strong DDoS protection and an uninterrupted user experience.

  • Real browser enforcement

Real browser enforcement works by inserting a JavaScript redirect to new connections, and then blacklisting them if they do not follow the redirect. This is a nice approach because it foils the majority of bots without interfering with real users using real browsers.


Deploy a DDoS solution before you need it An emergency DDoS mitigation solution can usually be deployed within an hour or less in typical cases. However, the best way to avoid site and web application downtime in the first place is to have a DDoS mitigation solution in place before any attacks occur.

  • Identify Single Points of Failure and Bottlenecks

Use network and application monitoring tools to identify traffic trends. Using these patterns, you can identify if there is a network bottleneck which are commonly found at the network perimeter and can be solved by introducing load balancers.

  • Collaborate with ISP

Establish a channel of communication with your ISP, and consider getting DDoS protection services directly from them which most ISPs offer. This channel can be most helpful on the D-Day where your organizations’ Network Engineers can directly collaborate with the ISP to handle the situation.

  • DDoS Testing

Operational readiness is as significant as having an expensive solution. For testing purposes, it is recommended to turn on your DDoS mitigation measures for a two-hour period every 3–4 months. Check if your services continue to function properly and there is no negative impact on the users.

  • Establishing key contact persons with the Organization

DDoS attacks have an impact not just on IT, but on all users of the company’s services, including non-technical departments. The main goal here is to eliminate organization wide panic that can delay the mitigation response when a DDoS attack occurs, so it is vitally important that the right people be notified of the attack immediately. It can be taken a step further by creating an internal SIRT (Security Incident Response Team).

More Resources