Why You Need a Playbook Before the Attack
The middle of a DDoS attack is the worst time to figure out your response procedure. Stress impairs decision-making. Critical information like provider support numbers and escalation contacts is hard to find under pressure. Team members are unsure of their roles. Without a documented playbook, incident response devolves into improvisation, and improvisation during a crisis leads to mistakes.
A DDoS incident response playbook is a pre-written, tested document that tells every team member exactly what to do when an attack is detected. It eliminates decision fatigue by providing step-by-step procedures for each phase of the incident. The playbook should be reviewed quarterly, updated when infrastructure changes, and tested at least annually through tabletop exercises. The pre-staged firewall rule sets deserve their own test: load them on a staging host so you know they parse and do not block your own service before you need them at 3 a.m.
Phase 0: Preparation
Preparation happens before any attack occurs. This phase establishes the foundation that makes everything else possible.
Roles and Responsibilities
- Incident Commander (IC): Makes decisions, coordinates response, communicates with stakeholders. Usually a senior engineer or team lead.
- Technical Responder: Implements mitigation actions, analyzes traffic, applies firewall rules. Needs pre-provisioned access to every host and firewall in scope (a standing on-call role or break-glass credentials); requesting access during the incident is too late.
- Communications Lead: Updates status page, notifies customers, coordinates with support team. Does not need technical access.
- Escalation Contact: Contacts ISP, hosting provider, or DDoS mitigation service. Needs account credentials and support contact info, and must be on the provider's list of authorized contacts, because providers will not act on mitigation requests from callers they cannot verify.
Pre-Staged Resources
Gather these before an attack happens and store them in an accessible location (shared document, wiki, or incident management tool):
- ISP/hosting provider emergency contact numbers and account IDs
- DDoS mitigation service activation procedure (if applicable)
- Pre-written firewall rule sets for common attack types
- Status page update templates
- Customer communication templates
- Network diagrams showing IP ranges, transit links, and critical services
- Baseline traffic metrics for each monitored interface
Detection Infrastructure
Ensure your monitoring covers all entry points. Flowtriq agents should be deployed on every server that receives inbound internet traffic. Configure alert channels so the right people receive notifications immediately. Set up PagerDuty escalation policies that match your team's on-call schedule.
Phase 1: Detection and Triage (0-5 minutes)
This phase begins when a DDoS alert fires. The goal is to confirm the attack, assess its severity, and initiate the response.
Step 1.1: Acknowledge the Alert
When Flowtriq fires an alert, acknowledge it in your incident management system. This starts the clock on response time and notifies the team that someone is investigating.
Step 1.2: Confirm the Attack
Review the Flowtriq dashboard to confirm this is a real attack and not a false positive from a legitimate traffic spike. Check:
- Is the traffic pattern consistent with a DDoS attack? (Sustained high PPS/BPS, abnormal protocol distribution)
- Does the traffic timing correlate with a known event? (Product launch, marketing campaign)
- What attack type has Flowtriq classified? (This determines your mitigation strategy)
Step 1.3: Assess Severity
Severity Levels:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SEV-1 (Critical) : Service is down. Link saturated. Multiple services affected.
                   → Full team response. Engage upstream immediately.
SEV-2 (High)     : Service degraded. Attack within link capacity but causing packet loss or elevated latency.
                   → IC + Technical Responder. Apply host-level mitigation.
SEV-3 (Medium)   : Attack detected but no service impact. Host-level filtering is handling the traffic.
                   → Technical Responder monitors. No escalation needed.
SEV-4 (Low)      : Small-scale attack or probe. No impact whatsoever.
                   → Log and monitor. No immediate action required.
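The confirmation checks in Step 1.2 and the severity table above can be encoded so the on-call engineer is not eyeballing dashboards under stress. The following is an added example written for this page, not Flowtriq code and not its classifier: the Window and Baseline fields stand in for per-second interface counters plus a protocol breakdown, the sample windows are constructed, and every threshold (six standard deviations, a 30-point UDP share shift, 90% of link capacity for SEV-1) is an assumption to tune against your own baselines.

```python
"""Triage helper for Phase 1: confirm an alert against the baseline,
classify the vector from the protocol mix, and assign a SEV level.

Added example, not Flowtriq code. Window/Baseline fields stand in for
per-second interface counters; thresholds are assumptions to tune.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    pps_mean: float        # normal packets/s on the interface
    pps_std: float
    bps_mean: float        # normal bits/s
    bps_std: float
    udp_share: float       # normal fraction of packets that are UDP
    latency_ms: float      # normal p99 latency of a synthetic probe
    link_bps: float        # provisioned link capacity in bits/s


@dataclass(frozen=True)
class Window:
    pps: float
    bps: float
    udp_share: float            # fraction of packets that are UDP
    syn_share: float            # fraction of TCP packets that are bare SYN
    top_udp_sport: int          # most common UDP source port
    top_udp_sport_share: float  # fraction of UDP packets from that source port
    pkt_loss: float             # fraction of packets the host dropped (0..1)
    latency_ms: float           # p99 probe latency in this window
    service_up: bool            # external health check result


def is_attack(w: Window, b: Baseline, sigma: float = 6.0) -> bool:
    """Volume alone is not enough: a launch or campaign also spikes volume,
    but it keeps the normal protocol mix. Confirm only when volume is far
    above baseline AND the mix has shifted (UDP share jumps or SYNs dominate)."""
    volume = (w.pps > b.pps_mean + sigma * b.pps_std
              or w.bps > b.bps_mean + sigma * b.bps_std)
    mix_shift = abs(w.udp_share - b.udp_share) > 0.30 or w.syn_share > 0.50
    return volume and mix_shift


def classify(w: Window) -> str:
    """Map the protocol mix to the vectors the playbook has pre-staged rules for."""
    if w.udp_share > 0.70:
        if w.top_udp_sport == 53 and w.top_udp_sport_share > 0.80:
            return "dns_amplification"        # reflected resolver responses
        if w.top_udp_sport == 11211 and w.top_udp_sport_share > 0.80:
            return "memcached_amplification"  # reflected memcached responses
        return "udp_flood"
    if w.syn_share > 0.50:
        return "syn_flood"
    return "unclassified"  # hand to a human; do not apply a blanket rule


def severity(w: Window, b: Baseline) -> int:
    """SEV-1..4 per the table above. Saturation is judged against provisioned
    capacity, impact against loss, latency and the external health check."""
    if not w.service_up or w.bps >= 0.90 * b.link_bps:
        return 1
    if w.pkt_loss > 0.01 or w.latency_ms > 2 * b.latency_ms:
        return 2
    if w.bps >= 0.25 * b.link_bps:
        return 3   # sizeable, but absorbed by host-level filtering
    return 4       # small-scale attack or probe


def triage(w: Window, b: Baseline) -> dict:
    if not is_attack(w, b):
        return {"attack": False, "type": None, "sev": None}
    return {"attack": True, "type": classify(w), "sev": severity(w, b)}


# Constructed sample data (not real measurements).
BASELINE = Baseline(pps_mean=20_000, pps_std=3_000, bps_mean=150e6, bps_std=30e6,
                    udp_share=0.05, latency_ms=20, link_bps=1e9)
DNS_AMP = Window(pps=900_000, bps=980e6, udp_share=0.96, syn_share=0.02,
                 top_udp_sport=53, top_udp_sport_share=0.95,
                 pkt_loss=0.30, latency_ms=900, service_up=False)
SYN_FLOOD = Window(pps=300_000, bps=120e6, udp_share=0.04, syn_share=0.90,
                   top_udp_sport=123, top_udp_sport_share=0.20,
                   pkt_loss=0.02, latency_ms=80, service_up=True)
MEMCACHED = Window(pps=150_000, bps=400e6, udp_share=0.90, syn_share=0.01,
                   top_udp_sport=11211, top_udp_sport_share=0.97,
                   pkt_loss=0.0, latency_ms=22, service_up=True)
PROBE = Window(pps=45_000, bps=200e6, udp_share=0.80, syn_share=0.05,
               top_udp_sport=11211, top_udp_sport_share=0.30,
               pkt_loss=0.0, latency_ms=21, service_up=True)
LAUNCH = Window(pps=60_000, bps=700e6, udp_share=0.06, syn_share=0.10,  # product launch: volume up, mix normal
                top_udp_sport=53, top_udp_sport_share=0.50,
                pkt_loss=0.0, latency_ms=25, service_up=True)

if __name__ == "__main__":
    for name, w in [("dns_amp", DNS_AMP), ("syn", SYN_FLOOD), ("memcached", MEMCACHED),
                    ("probe", PROBE), ("launch", LAUNCH)]:
        print(name, triage(w, BASELINE))
```

The LAUNCH window is the false-positive case from Step 1.2: it clears the volume threshold but keeps the normal protocol mix, so it is not confirmed as an attack. The "unclassified" result is deliberate; a vector the playbook has no pre-staged rule for should go to a person, not to a blanket drop.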
Phase 2: Containment (5-30 minutes)
Step 2.1: Apply Host-Level Mitigation
Based on the attack classification from Flowtriq, apply the appropriate pre-staged firewall rules:
- UDP flood: Drop UDP on unused ports. See UDP flood mitigation guide.
- SYN flood: Enable SYN cookies, rate-limit new connections. See SYN flood iptables guide.
- DNS amplification: Drop inbound UDP with source port 53 that is not a reply to a query this host sent (accept established/related conntrack state first, or the host's own resolver lookups break). See DNS amplification guide.
- Memcached amplification: Drop inbound UDP with source port 11211; an internet-facing host has no legitimate reason to receive memcached responses from the internet. See memcached detection guide.
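Pre-staged rule sets are only useful if they load cleanly and do not take the host's own traffic down with the attack. The following is an added example, not Flowtriq code and not the rule sets from the linked guides: it builds an nftables ruleset keyed on the same classification strings used in triage, putting the conntrack exemptions ahead of every drop rule, and validates it with `nft -c` before anything is applied. It assumes a Linux host with nftables and conntrack; the service ports, rate limits and the hypothetical `inet ddos` table name are assumptions to replace with your own.

```python
"""Pre-staged host-level mitigation for Phase 2.1: build an nftables ruleset
for the vector triage reported, conntrack exemptions first, and check it
with `nft -c` before loading. Added example, not Flowtriq code; ports and
rate limits are assumptions.
"""
import subprocess

# Assumption: ports this host legitimately serves. Edit before staging.
SERVICE_TCP_PORTS = (80, 443)
SERVICE_UDP_PORTS = (443,)        # e.g. QUIC; use () if the host serves no UDP

# Every ruleset starts with these, in this order. The established/related
# accept is what keeps "udp sport 53 drop" from killing replies to queries this
# host's resolver sent: those replies match an existing conntrack entry, while
# reflected amplification responses arrive unsolicited (ct state new).
COMMON = [
    "ct state established,related accept",
    "ct state invalid drop",
]


def _set(ports):
    return "{ " + ", ".join(str(p) for p in ports) + " }"


def specific_rules(attack_type, udp_ports=SERVICE_UDP_PORTS, tcp_ports=SERVICE_TCP_PORTS):
    """Rules for one vector, keyed on the classification strings triage emits."""
    if attack_type == "dns_amplification":
        return ["udp sport 53 drop"]          # unsolicited resolver replies only
    if attack_type == "memcached_amplification":
        return ["udp sport 11211 drop"]
    if attack_type == "udp_flood":
        if not udp_ports:
            return ["meta l4proto udp drop"]  # host serves no UDP: drop it all
        return [
            # cap the service port, then drop everything UDP that is not a service
            f"udp dport {_set(udp_ports)} limit rate over 20000/second drop",
            f"udp dport != {_set(udp_ports)} drop",
        ]
    if attack_type == "syn_flood":
        syn = f"tcp dport {_set(tcp_ports)} tcp flags & (syn|ack) == syn ct state new"
        return [
            # per-source cap on new connections (IPv4 sources; add ip6 saddr for v6)
            f"{syn} meter synflood {{ ip saddr limit rate over 100/second }} drop",
            # global cap on new connections, on top of SYN cookies (see sysctl below)
            f"{syn} limit rate over 5000/second drop",
        ]
    raise ValueError(f"no pre-staged rules for {attack_type!r}; triage by hand")


def sysctl_settings(attack_type):
    """Kernel settings that accompany the rules; applied with `sysctl -w`."""
    if attack_type == "syn_flood":
        return ["net.ipv4.tcp_syncookies=1", "net.ipv4.tcp_max_syn_backlog=4096"]
    return []


def ruleset(attack_type, **ports):
    """Complete, idempotent nft script: (re)create the table, flush it, load rules.
    Priority -10 runs this chain before a normal filter chain at priority 0."""
    body = "\n".join(f"        {r}" for r in COMMON + specific_rules(attack_type, **ports))
    return (
        "add table inet ddos\n"
        "flush table inet ddos\n"
        "table inet ddos {\n"
        "    chain input {\n"
        "        type filter hook input priority -10; policy accept;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


def apply(text, check_only=True):
    """`nft -c` parses and validates without changing anything; drop check_only
    to load for real. Rollback in Phase 4 is `nft delete table inet ddos`,
    or edit the rule list and reload this script."""
    cmd = ["nft", "-c", "-f", "-"] if check_only else ["nft", "-f", "-"]
    subprocess.run(cmd, input=text, text=True, check=True)


if __name__ == "__main__":
    print(ruleset("dns_amplification"))
```

Two caveats a practitioner will hit. First, these rules sit behind conntrack, so at PPS rates that saturate the link the conntrack lookup itself becomes the bottleneck; at that point the drop belongs in a prerouting chain at raw priority (before conntrack) or in XDP, and you give up the established-state exemption. Second, host-level rules only help while the attack fits within link capacity (SEV-2 and SEV-3); a SEV-1 is an upstream problem no matter how good the ruleset is.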
Step 2.2: Escalate Upstream (if needed)
If the attack exceeds your link capacity (SEV-1) or host-level mitigation is insufficient (SEV-2), contact your upstream provider. Have the following ready:
- Account ID and authorized contact name
- Target IP(s) under attack
- Attack volume (PPS and BPS from Flowtriq dashboard)
- Attack type classification
- PCAP file from Flowtriq (download from the incident page). A sample of a few thousand attack packets is enough for the provider to write an ACL; check it for customer payload before it leaves the company.
- Specific request: traffic scrubbing, an upstream ACL, or a BGP blackhole. A blackhole drops all traffic to the target IP, legitimate traffic included, so request it only to protect the rest of the prefix or when the service can be moved to another address.
Step 2.3: Update Status Page
Use a pre-written template:
Title: Service Disruption - DDoS Attack Mitigation in Progress

We are currently experiencing a DDoS attack targeting our infrastructure. Our team has been engaged and is actively implementing mitigation measures.

Impact: [Describe affected services]
Status: Investigating / Mitigation in progress
Next update: [Time + 30 minutes]

We apologize for any inconvenience and will provide updates as the situation develops.
Phase 3: Monitoring and Adaptation (30 min - ongoing)
After initial mitigation is applied, continuously monitor for changes in the attack pattern. Sophisticated attackers will adapt when their initial vector is blocked.
- Watch Flowtriq for new attack classifications (indicating a vector change)
- Monitor PPS/BPS trends to see if the attack is subsiding or escalating
- Check whether mitigation rules are dropping legitimate traffic: hit counters on a rate-limit rule that keep rising after attack volume falls, or error reports from known-good clients, are the signals
- Provide status updates every 30 minutes until the attack ends
Phase 4: Recovery (post-attack)
When the attack subsides, do not immediately remove all mitigation measures. Keep protective rules in place for at least 24 hours, then gradually relax them while monitoring for a resurgence.
- Verify all services are operating normally
- Remove temporary firewall rules gradually (not all at once): relax the broad rate limits on service ports first, and keep the narrowly targeted drops (reflected-port sources) in place longest
- Update the status page to "Resolved"
- Send a follow-up customer communication
- Schedule a post-incident review within 48 hours
Phase 5: Post-Incident Review
Conduct a blameless post-incident review within 48 hours. Document:
- Timeline of events (detection, response actions, resolution)
- Attack characteristics (type, volume, duration, source patterns)
- What worked well in the response
- What could be improved
- Action items with owners and deadlines
- Whether the playbook needs updating
Flowtriq supports every phase: Detection (per-second monitoring with instant alerts), Triage (automatic attack classification), Containment (PCAP evidence for upstream escalation, webhook integration for automated mitigation), Monitoring (real-time dashboards), and Review (incident history with full attack details and timeline).
Start building your DDoS response capability with Flowtriq's free 7-day trial.