
DoS or DDoS Attack

This runbook outlines general steps to take in the event of a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack.

Identification of an attack

DDoS alarms should be configured for all production public-facing interfaces. When these alarms are triggered, they send a notification to the #modernisation-platform-high-priority-alarms channel. Documentation on these alarms can be read here.

Create an incident and follow the incident guidance

Follow the general incident guidance to record the incident and gather information.

DDoS Specific Actions

View information about the attack

Detailed metrics on the type of DDoS attack can be found in CloudWatch under the DDoS metrics in the affected account.

If the application has automatic DDoS layer 7 mitigation enabled, the attack may already have been mitigated by it. You can check this in the DDoS metrics or in the AWS Shield Events area of the console.

Report the attack to AWS

If the attack is ongoing and you require assistance from the AWS Shield Response Team (SRT) to create additional WAF mitigation rules, raise a support case in the application account.

If the account has proactive engagement with Route 53 health checks enabled, AWS will contact the provided contacts.

Modify WAF rules

If you are confident in modifying the WAF rules to mitigate the attack, you can do this through the infrastructure code as per normal changes.

Alternatively, the SRT can assist with creating these rules.
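As an added illustration (not Modernisation Platform code), this is what the DDoS alarm from the identification step and a layer 7 rate-limiting rule look like when expressed as Terraform. It assumes Terraform is the infrastructure code in use, that Shield Advanced is enabled on the resource (the AWS/DDoSProtection metrics only exist with Shield Advanced), and that an SNS topic already feeds the high-priority alarms channel; the ARNs and the 2000 requests per 5 minutes limit are placeholders.

```hcl
locals {
  # Placeholders (assumed): the protected public-facing resource and the SNS
  # topic that notifies #modernisation-platform-high-priority-alarms.
  protected_resource_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"
  alarm_topic_arn        = "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER-high-priority-alarms"
}

# Alarm that notifies as soon as Shield reports an active DDoS event on the resource.
resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
  alarm_name          = "ddos-detected-app"
  namespace           = "AWS/DDoSProtection"
  metric_name         = "DDoSDetected"
  dimensions          = { ResourceArn = local.protected_resource_arn }
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # no datapoints means no event, not a broken alarm
  alarm_actions       = [local.alarm_topic_arn]
}

# Layer 7 mitigation: block a client IP that exceeds the limit within WAF's
# rolling 5-minute window. Tune the limit above legitimate peak traffic.
resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl"
  scope = "REGIONAL" # use CLOUDFRONT (in us-east-1) for a CloudFront distribution
  default_action {
    allow {}
  }
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }
}
```

The rule's own CloudWatch metric lets you confirm in the DDoS metrics view that the mitigation is actually matching the attack traffic before you treat the incident as contained.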

Notify users and security

Follow the general incident guidance to notify users and the security team.

This page was last reviewed on 11 March 2024. It needs to be reviewed again on 11 September 2024 by the page owner #modernisation-platform .