DoS or DDoS Attack
This runbook outlines general steps to take in the event of a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack.
Identification of an attack
DDoS alarms should be configured for all production public-facing interfaces. When these alarms are triggered they send a notification to the #modernisation-platform-high-priority-alarms channel. Documentation on these alarms can be read here.
Create an incident and follow the incident guidance
Follow the general incident guidance to record the incident and gather information.
DDoS Specific Actions
View information about the attack
Detailed metrics on the type of DDoS attack can be found in CloudWatch under the DDoS metrics in the affected account.
If the application has automatic layer 7 (application layer) DDoS mitigation enabled, the attack may already have been mitigated by it. You can check this in the DDoS metrics or in the AWS Shield Events area of the console.
Report the attack to AWS
If the attack is ongoing and you require assistance from the AWS Shield Response Team (SRT) to help create additional WAF mitigation rules, raise a support case in the application account.
If the account has proactive engagement enabled, with Route 53 health checks configured, AWS will contact the provided contacts directly.
Modify WAF rules
If you are confident in modifying the WAF rules to mitigate the attack, you can do this through the infrastructure code as per normal changes.
Alternatively, the SRT can assist with creating these rules.
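As an added illustration of the kind of WAF change made through infrastructure code (this is example code, not the platform's own configuration), the following Terraform adds a rate-based rule to a WAFv2 web ACL that limits requests per source IP on a login path. The resource name, path, threshold and metric names are assumptions; the rule starts in count mode so its effect can be observed in CloudWatch before it is switched to block.

```hcl
# Example only: a rate-based mitigation rule for an existing WAFv2 web ACL.
# Names, path and limit are placeholders to be replaced with the real values.
resource "aws_wafv2_web_acl" "example_public_app" {
  name  = "example-public-app-web-acl"
  scope = "REGIONAL" # use "CLOUDFRONT" (in us-east-1) for CloudFront distributions

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit-login-per-ip"
    priority = 1

    # Start with count {} to measure matches without affecting traffic;
    # change to block {} once the threshold is confirmed against the metrics.
    action {
      count {}
    }

    statement {
      rate_based_statement {
        limit              = 500  # requests per source IP in the 5-minute evaluation window
        aggregate_key_type = "IP"

        # Only apply the limit to the path under attack, so normal traffic
        # elsewhere on the site is not affected by the rule.
        scope_down_statement {
          byte_match_statement {
            search_string         = "/login"
            positional_constraint = "STARTS_WITH"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-login-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-public-app-web-acl"
    sampled_requests_enabled   = true
  }
}
```

The rule's CountedRequests metric in CloudWatch shows how many requests the limit would have affected, which is the check to make before changing the action to block.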
Notify users and security
Follow the general incident guidance to notify users and the security team.