Your organization was hit by a DDoS attack. It has been able to detect and stop the attack. Now what?

It's time to recover. Key steps include restoring services and conducting a post-attack review.

Step 1. Restore services

Restarting or bringing applications and services back online after a DDoS attack requires a sound knowledge of how the apps and systems work and interconnect. Teams need a methodical, documented roadmap of the correct restoration sequence. Without one, teams could face cascading failures. For example, one system might not function properly if supporting services aren't back up yet, which, in turn, affects other services, making the problem worse.

As services come back online, they might experience a flood of genuine connection attempts from users trying to reconnect. Sometimes, this can create an application layer DDoS effect, forcing everything offline again. To counter this, one simple option is to lower rate and connection limits to levels teams know the system can cope with. A better option, if available, is to route traffic to different data centers based on IP address ranges or geography.

If the organization's ISP has dropped connectivity, it needs to get it restored. This might require explaining what protections have been put in place to handle another attack. If it was a Layer 3 or 4 DDoS attack, then run the clear ip bgp * command on Border Gateway Protocol routers. This reestablishes BGP connections so user requests are correctly routed to services and services no longer appear offline. IP transit providers and peering partners typically will have flushed their routing information about 90 seconds after the attack started.
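The "documented roadmap of the correct restoration sequence" above is easiest to keep honest when it is generated from the recorded service dependencies rather than maintained by hand. The following planner is an added example written for this page, not code from the original article or any vendor tool: given a map of which services each service needs before it can come up, it produces restart waves (services in the same wave can be restarted in parallel) and refuses to produce a plan if the dependencies form a cycle, which is exactly the situation that causes the cascading failures described above. The service names and dependency map are constructed, hypothetical sample data.

```python
"""Restoration-sequence planner for bringing services back after a DDoS attack.

Orders restarts so that nothing is started before the services it depends on
(Kahn's topological sort), grouped into waves that may be restarted in
parallel. SAMPLE_DEPENDENCIES is a constructed, hypothetical topology used
only to illustrate the technique; it is not any real organization's map.
"""

# Constructed sample: service -> services that must be up before it starts.
SAMPLE_DEPENDENCIES = {
    "dns": [],
    "database": ["dns"],
    "cache": ["dns"],
    "auth-api": ["database", "cache"],
    "web-frontend": ["auth-api", "cache"],
    "cdn-origin": ["web-frontend"],
}


class RestorationCycleError(ValueError):
    """Raised when dependencies form a cycle: no valid restart order exists."""


def restoration_waves(deps):
    """Return a list of waves; each wave is a sorted list of services whose
    dependencies all appear in earlier waves.

    Raises RestorationCycleError if the dependency graph contains a cycle,
    naming the services that could not be scheduled.
    """
    # Every service referenced as a dependency must exist as a node, even
    # if the roadmap forgot to list it as a key.
    nodes = set(deps)
    for needed in deps.values():
        nodes.update(needed)
    remaining = {svc: set(deps.get(svc, [])) for svc in nodes}

    waves = []
    while remaining:
        # Services with no outstanding dependencies can be started now.
        ready = sorted(svc for svc, needed in remaining.items() if not needed)
        if not ready:
            # Nothing is startable but services remain: a dependency loop.
            raise RestorationCycleError(
                f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        # Starting this wave satisfies those dependencies for later services.
        for needed in remaining.values():
            needed.difference_update(ready)
    return waves


def restoration_order(deps):
    """Flatten the waves into one sequential restart list."""
    return [svc for wave in restoration_waves(deps) for svc in wave]


def has_valid_order(deps):
    """True if a restart order exists, False if the dependencies have a cycle."""
    try:
        restoration_waves(deps)
        return True
    except RestorationCycleError:
        return False


if __name__ == "__main__":
    for number, wave in enumerate(restoration_waves(SAMPLE_DEPENDENCIES), 1):
        print(f"wave {number}: {', '.join(wave)}")
```

Run against the sample map, the planner puts dns alone in the first wave, database and cache together in the second, then auth-api, web-frontend and cdn-origin one per wave. Feeding it the real dependency inventory during a calm period, and re-running it whenever a service is added, keeps the restoration roadmap current before it is needed.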