Blue Team Playbook

DDoS Playbook


DDoS Attack Playbook:

1) Identify the attack

  • Monitor network traffic for unusual activity or spikes in traffic.
  • Take note of unusually slow services.
  • Check traffic logs/firewall logs to identify malicious traffic.

2) Notify your ISP

  • Your ISP may be able to help by filtering out the malicious traffic, or by redirecting it from your network.

3) Determine the attack vectors

  • Find the point of compromise that the attacker abused to perform the attack.
  • Find what the attacker is trying to achieve and protect any critical or sensitive services of the network.

4) Block the attack

  • Try to redirect as much traffic as possible away from important services, and ideally away from the whole network.
  • Set firewall rules to block the malicious IPs you have identified.
  • Modify firewall rules to better detect this type of attack in the future.
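The following is an added example and not part of the original playbook. It shows, on a constructed firewall log (simplified SRC/DST/DPT/PROTO lines, documentation-range IPs, timestamps at one-second resolution), how step 1 can be made concrete: compare each second's request count with a baseline window to spot a spike, then rank the source IPs behind the flagged seconds. It then drafts per-source DROP rules in iptables syntax for step 4. The log format, thresholds (baseline of five seconds, spike at four times baseline and at least 10/s, block at a 20% share) and all addresses are assumptions chosen for the demonstration; tune them to your own traffic. Source-based rules only help when a few addresses carry most of the load; a spoofed or link-saturating flood has to be filtered upstream, which is why step 2 exists.

```python
# Added example: spot a request spike in firewall log lines, rank the sources
# behind it, and draft block rules. Log format, IPs and thresholds are constructed.
import re
from collections import Counter, defaultdict
from statistics import mean

LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"DPT=(?P<dpt>\d+) PROTO=(?P<proto>\w+)$"
)

# Constructed sample: (timestamp, source IP, number of identical lines).
# Five quiet seconds at ~3 req/s, then two seconds of flood from two sources
# while a legitimate client (192.0.2.1 / 192.0.2.3) keeps talking.
SPEC = [
    ("2024-05-01T12:00:00", "192.0.2.1", 2), ("2024-05-01T12:00:00", "192.0.2.2", 1),
    ("2024-05-01T12:00:01", "192.0.2.3", 3),
    ("2024-05-01T12:00:02", "192.0.2.1", 2), ("2024-05-01T12:00:02", "192.0.2.4", 1),
    ("2024-05-01T12:00:03", "192.0.2.2", 3),
    ("2024-05-01T12:00:04", "192.0.2.5", 3),
    ("2024-05-01T12:00:05", "203.0.113.10", 12), ("2024-05-01T12:00:05", "203.0.113.11", 6),
    ("2024-05-01T12:00:05", "192.0.2.1", 2),
    ("2024-05-01T12:00:06", "203.0.113.10", 14), ("2024-05-01T12:00:06", "203.0.113.11", 5),
    ("2024-05-01T12:00:06", "192.0.2.3", 1),
]
SAMPLE_LOG = "\n".join(
    f"{ts} SRC={src} DST=198.51.100.5 DPT=443 PROTO=TCP"
    for ts, src, n in SPEC for _ in range(n)
) + "\nthis line is malformed and must be skipped"


def parse_log(text):
    """Return one dict per parseable line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_second_counts(events):
    """Map each timestamp (second resolution) to its event count, in time order."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ts"]] += 1
    return dict(sorted(counts.items()))


def find_spike(counts, baseline_seconds=5, factor=4.0, min_rate=10):
    """Flag every second after the baseline window whose count is at least
    factor * baseline mean and at least min_rate (absolute floor)."""
    seconds = list(counts.items())
    if len(seconds) <= baseline_seconds:
        raise ValueError("not enough seconds of data to form a baseline")
    baseline = mean(c for _, c in seconds[:baseline_seconds])
    threshold = max(min_rate, factor * baseline)
    flagged = [ts for ts, c in seconds[baseline_seconds:] if c >= threshold]
    return baseline, flagged


def top_talkers(events, window, limit=5):
    """Rank source IPs by event count within the flagged seconds."""
    window = set(window)
    return Counter(e["src"] for e in events if e["ts"] in window).most_common(limit)


def draft_block_rules(talkers, total, share=0.2):
    """Draft iptables DROP rules for sources carrying at least `share` of the
    spike traffic. These are drafts for review, not applied automatically."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, n in talkers if n / total >= share]


def analyze(log_text):
    """Run the whole chain: parse, baseline, flag, rank, draft rules."""
    events = parse_log(log_text)
    counts = per_second_counts(events)
    baseline, flagged = find_spike(counts)
    talkers = top_talkers(events, flagged)
    total = sum(counts[ts] for ts in flagged)
    rules = draft_block_rules(talkers, total) if total else []
    return {"baseline": baseline, "flagged": flagged, "talkers": talkers, "rules": rules}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"baseline {report['baseline']:.1f} req/s, spike seconds: {report['flagged']}")
    for ip, n in report["talkers"]:
        print(f"  {ip:15} {n} events")
    print("draft rules:", *report["rules"], sep="\n  ")
```

The legitimate client that keeps sending during the flood stays below the share threshold and is not blocked, which is the check to keep in mind before applying any drafted rule: a per-source block list is only safe when the flood really is concentrated on a few addresses. Keep the parsed events and per-second counts; they are the material step 5 and step 6 need for later analysis.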

5) Monitor network traffic

  • Both during and after the attack, network traffic should be carefully monitored for suspicious activity.
  • Logs should be kept to analyze at a later time.

6) Conduct analysis

  • Keep detailed notes of the attack so that afterwards you can look for areas of improvement.
  • Provide training based on the areas that can be improved.
  • Audit logs.
  • Review security controls and rules.
  • Get in contact with all necessary personnel, e.g. stakeholders, law enforcement, etc.