This article covers:
- Separation of single-source DoS from distributed DDoS
- Volumetric, protocol, application-layer, reflection/amplification and multi-vector attacks
- The full IR lifecycle: Detection → Triage → Containment → Eradication → Recovery → Lessons Learned
- SOC-ready terminology (NetFlow, SYN backlog, WAF, BGP blackholing, uRPF, BCP 38, etc.)
- Content suitable for SOC runbooks and playbooks
Incident Response (IR) Table – Denial of Service (DoS) & Distributed Denial of Service (DDoS)
1. DoS (Denial of Service) – Single-Source Attacks
1.1 Volumetric DoS (Single Source Flooding)
| IR Phase | Technical Details |
|---|---|
| Attack Description | A single host overwhelms the target with excessive traffic (ICMP, UDP, TCP) to exhaust link bandwidth or network-stack resources. Because there is one source, it is distinguishable from DDoS by a single address dominating the packet and byte counts. |
| Attack Vectors | ICMP Echo flood, UDP flood, TCP SYN flood from one IP, malformed-packet floods |
| Assets Affected | Network interfaces, routers, firewalls, web servers |
| Detection Methods | NetFlow/sFlow per-source pps/bps analysis, IDS/IPS flood signatures, interface utilization spikes |
| Indicators of Compromise (IoCs) | Abnormally high PPS/BPS from one IP, packet drops, increased latency, interface saturation |
| Initial Triage | Identify source IP, protocol mix and traffic rate; compare against the per-source baseline and confirm that one source accounts for most of the volume |
| Containment | ACL block or firewall rate limit on the source; null-route the offending IP. If the inbound link is already saturated, the block must be applied upstream (ISP/edge router), not on the victim host |
| Eradication | Block the source upstream, update IDS rules, close or harden any service that answers the flood |
| Recovery | Restore normal routing, validate service availability, monitor traffic returning to baseline |
| Lessons Learned | Tune detection thresholds, improve rate-limiting policies, document the attack pattern |
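The detection and containment rows above, as an added worked example that is not code from the original page: per-source pps/bps over a window of NetFlow/sFlow-style records, a check that one source owns nearly all packets (the single-source signature), and a null route for each flagged address. The flow records, the 5-second export window, the baseline numbers and the Linux iproute2 `blackhole` route are all assumptions for the demo.

```python
"""Single-source volumetric flood triage over NetFlow/sFlow-style records.

Added example, not code from the page. The flow records are constructed; the
baseline numbers and the 5-second export window are assumptions, as is the
Linux iproute2 blackhole route used for the containment step.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "ICMP", "UDP" or "TCP"
    packets: int
    bytes: int


# Constructed export window: one host floods 198.51.100.10 while two
# ordinary clients talk to it at normal rates.
WINDOW_S = 5.0
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "198.51.100.10", "ICMP", 2_400_000, 2_400_000 * 64),
    Flow("203.0.113.7", "198.51.100.10", "UDP", 900_000, 900_000 * 1200),
    Flow("192.0.2.44", "198.51.100.10", "TCP", 3_000, 3_000 * 800),
    Flow("192.0.2.45", "198.51.100.10", "TCP", 2_500, 2_500 * 700),
]

# Assumed per-source baseline for this interface; in production these come
# from historical flow data, not constants.
BASELINE_PPS = 5_000.0
BASELINE_BPS = 50_000_000.0   # 50 Mbit/s
FLOOD_FACTOR = 10.0           # flag at 10x the per-source baseline


def per_source_rates(flows, window_s):
    """Aggregate packets and bytes per source IP and convert to pps / bps."""
    pkts = defaultdict(int)
    byts = defaultdict(int)
    protos = defaultdict(set)
    for f in flows:
        pkts[f.src] += f.packets
        byts[f.src] += f.bytes
        protos[f.src].add(f.proto)
    return {
        src: {
            "pps": pkts[src] / window_s,
            "bps": byts[src] * 8 / window_s,
            "protos": sorted(protos[src]),
        }
        for src in pkts
    }


def flag_floods(flows, window_s, baseline_pps, baseline_bps, factor):
    """Return (src, rates, reasons) for sources above factor x baseline, worst first."""
    hits = []
    for src, r in per_source_rates(flows, window_s).items():
        reasons = []
        if r["pps"] > factor * baseline_pps:
            reasons.append(f"pps {r['pps']:.0f} > {factor * baseline_pps:.0f}")
        if r["bps"] > factor * baseline_bps:
            reasons.append(f"bps {r['bps']:.0f} > {factor * baseline_bps:.0f}")
        if reasons:
            hits.append((src, r, reasons))
    hits.sort(key=lambda h: h[1]["bps"], reverse=True)
    return hits


def share_of_total(flows, src):
    """Fraction of all packets in the window that came from one source.

    One source owning almost all packets is the DoS (not DDoS) signature and
    justifies blocking that one address rather than a whole protocol."""
    total = sum(f.packets for f in flows)
    return sum(f.packets for f in flows if f.src == src) / total


def containment_commands(hits):
    """Null-route each flagged source locally (Linux iproute2 syntax, assumed).

    This only protects the host's own stack; if the link itself is saturated
    the block has to move upstream to the ISP or edge router."""
    return [f"ip route add blackhole {src}/32" for src, _, _ in hits]


if __name__ == "__main__":
    hits = flag_floods(SAMPLE_FLOWS, WINDOW_S, BASELINE_PPS, BASELINE_BPS, FLOOD_FACTOR)
    for src, rates, reasons in hits:
        print(src, rates["protos"], reasons, f"share={share_of_total(SAMPLE_FLOWS, src):.3f}")
    print("\n".join(containment_commands(hits)))
```

The factor-over-baseline test is deliberately per source: an aggregate bandwidth alarm would fire for both this case and a distributed flood, and the response differs (one ACL entry here, upstream scrubbing there).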
1.2 Protocol Exploitation DoS
| IR Phase | Technical Details |
|---|---|
| Attack Description | Sends malformed or pathological packets that crash or stall a protocol implementation; a single packet or a low rate is enough, so volume-based detection misses it |
| Attack Vectors | Ping of Death (oversized fragmented ICMP), Teardrop (overlapping fragments), LAND (source equal to destination), other malformed TCP/IP packets. Modern stacks are patched against these, so exposure concentrates in legacy and embedded systems |
| Assets Affected | OS kernel, network stack, legacy/embedded systems |
| Detection Methods | IDS signature matches, kernel logs, system crash dumps |
| IoCs | Kernel panic/oops entries, malformed packet headers in captures, unexpected reboots or hung services |
| Initial Triage | Correlate crash timestamps with packet captures; identify the malformed pattern (fragment offsets, flag combinations, source address equal to destination) and the affected hosts |
| Containment | Disable the vulnerable service; apply temporary perimeter filters (drop overlapping or oversized fragments, drop inbound packets carrying an internal source address) |
| Eradication | Patch OS/network stack, upgrade firmware |
| Recovery | Reboot affected systems, run integrity checks, restart services |
| Lessons Learned | Decommission legacy protocols and unpatchable systems; enforce strict packet validation at the perimeter |
1.3 Application-Layer DoS (Single Source)
| IR Phase | Technical Details |
|---|---|
| Attack Description | Exhausts application resources (worker threads, connections, database queries) with requests that individually look legitimate, so bandwidth stays normal while the application stalls |
| Attack Vectors | HTTP GET/POST flood against expensive endpoints, slow HTTP headers or body (Slowloris, Slow POST) that hold worker connections open |
| Assets Affected | Web servers, application servers, databases |
| Detection Methods | Web server access logs, WAF alerts, worker/thread exhaustion and connection-age metrics |
| IoCs | High request rate from a single IP, many long-lived connections with incomplete requests, rising backend latency with flat bandwidth |
| Initial Triage | Rank client IPs by request rate and by concurrent open connections; check which endpoints they hit and compare with per-client baselines |
| Containment | WAF IP blocking, short header/body read timeouts, per-IP connection caps, CAPTCHA or JavaScript challenges |
| Eradication | Application tuning, thread-pool and connection limits, caching of expensive responses |
| Recovery | Restart services, validate application performance |
| Lessons Learned | Improve WAF rules, add application-layer rate limiting per client and per endpoint |
2. DDoS (Distributed Denial of Service)
2.1 Volumetric DDoS
| IR Phase | Technical Details |
|---|---|
| Attack Description | Massive traffic flood from many distributed sources (usually a botnet) that exhausts link bandwidth before the packets reach any host |
| Attack Vectors | UDP flood, ICMP flood, DNS query flood |
| Assets Affected | ISP links, edge routers, firewalls |
| Detection Methods | Traffic anomaly detection, ISP alerts, BGP monitoring |
| IoCs | Sudden bandwidth spike up to link capacity, packet loss, services unreachable from outside |
| Initial Triage | Identify traffic type, volume and source ASNs; confirm whether the saturation is on your link or on the provider's side |
| Containment | Upstream traffic scrubbing (ISP/CDN); rate limiting only helps upstream of the saturated link, not on the victim's own edge. BGP blackholing (RTBH) of the targeted prefix is a last resort: it takes that prefix offline to protect the rest of the link |
| Eradication | Coordinate with ISP/CDN, deploy mitigation services |
| Recovery | Gradual traffic reintroduction, link stability verification |
| Lessons Learned | Increase capacity, improve ISP coordination with pre-agreed escalation contacts |
2.2 Reflection & Amplification DDoS
| IR Phase | Technical Details |
|---|---|
| Attack Description | The attacker sends small requests with the victim's spoofed source address to open third-party servers, which send much larger responses to the victim. The victim sees traffic from the reflectors' real addresses, not from the attacker |
| Attack Vectors | DNS (open resolvers), NTP (monlist), SSDP, CLDAP, Memcached (UDP) |
| Assets Affected | Network bandwidth, upstream providers |
| Detection Methods | Inbound UDP from well-known service source ports (53, 123, 1900, 389, 11211) that no internal host requested; many distinct source IPs sharing one source port; response-to-request size asymmetry |
| IoCs | Large UDP response packets from hundreds of distinct reflectors, arriving on random high destination ports |
| Initial Triage | Identify the reflected protocol(s), count distinct reflectors, estimate amplification from packet sizes, and confirm the traffic is unsolicited |
| Containment | ACL or rate-limit inbound UDP by source port (rate-limit rather than drop source port 53 where your resolvers are in use); upstream scrubbing. uRPF/BCP 38 on your own network stops you being a spoofing source but does not filter reflected traffic arriving at the victim |
| Eradication | Report reflectors to their owners/abuse contacts; close open resolvers, NTP monlist and UDP Memcached on your own network |
| Recovery | Remove temporary filters as volumes fall; verify that legitimate DNS/NTP still works |
| Lessons Learned | Enforce ingress/egress anti-spoofing filtering (BCP 38/BCP 84); disable UDP on Memcached, restrict recursion and enable DNS response rate limiting on any service you expose |
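The detection and containment rows above, as an added worked example that is not code from the original page: group unsolicited inbound UDP responses by reflector source port, flag a service when many distinct reflectors share one port or when the byte volume alone is damaging, then emit an inbound filter (rate limit for ports your own hosts legitimately use, drop otherwise) and a BCP 38 egress rule. The flow records are constructed; the table of requests your hosts actually sent, and the nftables chain names `inet filter input`/`forward`, are assumptions.

```python
"""Reflection/amplification triage over inbound UDP flow records.

Added example, not code from the page. Flow records are constructed. The
"solicited" check assumes a table of (remote_ip, remote_port) pairs that
internal hosts actually sent requests to (built from outbound flows in
practice). The nftables rules emitted for containment assume chains named
`inet filter input` and `inet filter forward`; adjust to the real ruleset.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services routinely abused as reflectors, keyed by the source port the
# victim sees responses from.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP", 11211: "Memcached"}


@dataclass(frozen=True)
class UdpFlow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


# Constructed 5-second window towards victim 198.51.100.10.
INBOUND = (
    # six NTP servers sending responses of a few hundred bytes nobody asked for
    [UdpFlow(f"203.0.113.{i}", 123, "198.51.100.10", 40000 + i, 50_000, 50_000 * 468) for i in range(1, 7)]
    # one open Memcached instance: few packets, each near MTU size
    + [UdpFlow("203.0.113.200", 11211, "198.51.100.10", 40100, 2_000, 2_000 * 1400)]
    # two SSDP devices at low volume (below both thresholds)
    + [UdpFlow(f"192.0.2.{i}", 1900, "198.51.100.10", 40200 + i, 100, 100 * 300) for i in (10, 11)]
    # a genuine DNS answer to a query our resolver really sent
    + [UdpFlow("192.0.2.53", 53, "198.51.100.10", 51515, 3, 3 * 120)]
)
# (remote_ip, remote_port) pairs our hosts actually queried in the same window.
OUTBOUND_REQUESTS = {("192.0.2.53", 53)}


def classify_reflection(inbound, outbound_requests, min_reflectors=3, min_bytes=1_000_000):
    """Group unsolicited UDP responses by reflector service.

    A service is reported when many distinct reflectors share one source port
    (the reflection signature) or when the byte volume alone is damaging
    (Memcached needs only a handful of reflectors). Flows whose source matches
    a request we really sent are skipped, so normal DNS answers do not alarm."""
    by_port = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in inbound:
        if f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.src_ip, f.src_port) in outbound_requests:
            continue
        b = by_port[f.src_port]
        b["reflectors"].add(f.src_ip)
        b["packets"] += f.packets
        b["bytes"] += f.bytes
    findings = []
    for port, b in by_port.items():
        if len(b["reflectors"]) >= min_reflectors or b["bytes"] >= min_bytes:
            findings.append({
                "service": REFLECTOR_PORTS[port],
                "port": port,
                "reflectors": len(b["reflectors"]),
                "bytes": b["bytes"],
                "avg_pkt_bytes": b["bytes"] / b["packets"],
            })
    findings.sort(key=lambda x: x["bytes"], reverse=True)
    return findings


def filter_rule(port, ports_in_legit_use):
    """Inbound containment for one reflector port (nftables syntax, assumed chain).

    Dropping everything from source port 53 would also kill answers to our own
    resolvers, so ports we legitimately use get a rate limit instead of a drop."""
    if port in ports_in_legit_use:
        return f"nft add rule inet filter input udp sport {port} limit rate over 1000/second drop"
    return f"nft add rule inet filter input udp sport {port} drop"


def bcp38_egress_rule(our_prefix, iface):
    """BCP 38 egress filter: never forward packets claiming a source outside our prefix.

    This stops *our* network being used to spoof the next victim; it does
    nothing against traffic already reflected towards us."""
    return f'nft add rule inet filter forward oifname "{iface}" ip saddr != {our_prefix} drop'


if __name__ == "__main__":
    legit_ports = {p for _, p in OUTBOUND_REQUESTS}
    for finding in classify_reflection(INBOUND, OUTBOUND_REQUESTS):
        print(finding, filter_rule(finding["port"], legit_ports))
    print(bcp38_egress_rule("198.51.100.0/24", "eth0"))
```

The two rule types make the point in the table explicit: the inbound filter is what helps the victim now, while the egress rule is the community obligation that prevents the next attack and has no effect on the current one.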
2.3 Protocol-Based DDoS
| IR Phase | Technical Details |
|---|---|
| Attack Description | Exhausts state in firewalls, load balancers and servers: a SYN flood fills the half-open connection backlog, while ACK/RST floods burn CPU on connection-tracking lookups for sessions that do not exist |
| Attack Vectors | TCP SYN flood (often with spoofed sources that never complete the handshake), ACK flood, RST flood |
| Assets Affected | Firewalls, load balancers, servers |
| Detection Methods | Half-open (SYN-RECV) connection tracking, SYN backlog alerts, connection-table utilization |
| IoCs | SYN queue exhaustion, new connections failing while bandwidth is unremarkable |
| Initial Triage | Count half-open sockets per listening port and the number of distinct peers; many peers holding one half-open each is a distributed flood, one peer holding many is a single client to block |
| Containment | SYN cookies (Linux net.ipv4.tcp_syncookies), fewer SYN-ACK retries, SYN proxying on the load balancer/firewall, connection rate limits. SYN cookies keep the backlog usable but do not reduce the inbound packet rate |
| Eradication | Device tuning, firmware updates |
| Recovery | Validate session stability |
| Lessons Learned | Optimize state table sizing; keep stateless filtering ahead of stateful devices |
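The triage and containment rows above, as an added worked example that is not code from the original page: parse the socket table that `ss -tan` prints, count half-open (SYN-RECV) sockets per port and per peer, and turn that into a verdict (distributed flood versus one abusive client) plus the Linux sysctls to apply. The socket table is constructed text; the backlog size, thresholds and sysctl values are assumptions, and the sysctl names are real kernel knobs.

```python
"""SYN-flood triage from `ss -tan` output.

Added example, not code from the page. The socket table below is constructed
text in the layout `ss -tan` prints (State, Recv-Q, Send-Q, Local Address:Port,
Peer Address:Port); MAX_SYN_BACKLOG is assumed for the demo (on a real host
read net.ipv4.tcp_max_syn_backlog). The sysctl names are real Linux knobs;
the values are suggested starting points, not measured optima.
"""
from collections import Counter, defaultdict

MAX_SYN_BACKLOG = 64        # assumed; real hosts usually have 1024-4096
WARN_FRACTION = 0.5         # half-open sockets at >= 50% of the backlog: warn
SINGLE_PEER_MIN = 8         # one peer holding this many half-open: single source


def parse_ss(text):
    """Return (state, local_port, peer_ip) for each socket line of `ss -tan`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def assess_backlog(rows, max_syn_backlog=MAX_SYN_BACKLOG,
                   warn_fraction=WARN_FRACTION, single_peer_min=SINGLE_PEER_MIN):
    """Per listening port: half-open count, distinct peers and a verdict.

    Distributed floods show many peers each holding one SYN-RECV; a single
    misbehaving client shows one peer holding many. The fix differs: cookies
    and upstream rate limits for the former, an ACL on one address for the latter."""
    half_open = defaultdict(Counter)
    for state, port, peer in rows:
        if state == "SYN-RECV":
            half_open[port][peer] += 1
    findings = []
    for port, peers in half_open.items():
        total = sum(peers.values())
        top_peer, top_count = peers.most_common(1)[0]
        fraction = total / max_syn_backlog
        if top_count >= single_peer_min:
            verdict = f"single-source: block {top_peer}"
        elif fraction >= warn_fraction:
            verdict = "distributed: enable SYN cookies, rate-limit SYNs upstream"
        else:
            verdict = "within normal range"
        findings.append({"port": port, "half_open": total, "distinct_peers": len(peers),
                         "backlog_fraction": fraction, "top_peer": top_peer, "verdict": verdict})
    findings.sort(key=lambda f: f["backlog_fraction"], reverse=True)
    return findings


def hardening_sysctls(max_syn_backlog):
    """Linux sysctls for SYN-flood resilience (names are real; values assumed).

    SYN cookies keep the listen queue usable once the backlog is full but do
    not reduce the packet rate, so they are a safety net, not a mitigation."""
    return {
        "net.ipv4.tcp_syncookies": 1,
        "net.ipv4.tcp_max_syn_backlog": max_syn_backlog,
        "net.ipv4.tcp_synack_retries": 2,
    }


# ---- constructed `ss -tan` snapshot -------------------------------------
_LINES = [
    "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
    "LISTEN     0      4096   0.0.0.0:443          0.0.0.0:*",
    "LISTEN     0      128    0.0.0.0:22           0.0.0.0:*",
]
# 40 distinct peers each holding one half-open connection to :443
_LINES += [f"SYN-RECV   0      0      198.51.100.10:443    203.0.113.{i}:{50000 + i}" for i in range(1, 41)]
# one client holding ten half-open connections to :22
_LINES += [f"SYN-RECV   0      0      198.51.100.10:22     192.0.2.9:{60000 + i}" for i in range(10)]
# a few healthy sessions
_LINES += [f"ESTAB      0      0      198.51.100.10:443    192.0.2.{i}:40001" for i in range(20, 25)]
SAMPLE_SS = "\n".join(_LINES)

if __name__ == "__main__":
    for finding in assess_backlog(parse_ss(SAMPLE_SS)):
        print(finding)
    print(hardening_sysctls(MAX_SYN_BACKLOG))
```

On a live host feed `ss -tan` output into `parse_ss` and pass the real `net.ipv4.tcp_max_syn_backlog` value to `assess_backlog`; the per-peer split is what tells you whether an ACL entry or upstream SYN rate limiting is the right containment.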
2.4 Application-Layer DDoS (Layer 7)
| IR Phase | Technical Details |
|---|---|
| Attack Description | Distributed, low-and-slow requests from many clients that each stay under per-client thresholds and mimic legitimate users, so the signal is in the aggregate rather than in any one source |
| Attack Vectors | HTTP floods, API abuse, Slow POST, cache-busting requests (random query strings that force backend work) |
| Assets Affected | Web apps, APIs, backend services |
| Detection Methods | Behavioral analytics, WAF anomaly scoring, aggregate request rate compared with the per-client rate |
| IoCs | High request diversity (many new IPs with one or two requests each), session exhaustion, expensive endpoints hit far above baseline |
| Initial Triage | Separate the aggregate rate from the per-client rate; check distinct IPs, user agents and paths, and whether requests bypass caches |
| Containment | WAF JavaScript/CAPTCHA challenges, bot mitigation, geo-blocking where you have no legitimate users, per-endpoint rate limits, serving cached or degraded content |
| Eradication | Improve bot detection, require authentication and per-identity quotas on APIs |
| Recovery | Scale backend resources, validate latency and error rates |
| Lessons Learned | Zero-trust access to expensive APIs (authenticate every call) and adaptive rate limiting per identity and endpoint |
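The access-log triage described in 1.3 (single-source) and in the Initial Triage row above (distributed), as one added worked example that is not code from the original page: parse Combined Log Format lines, compute per-client and aggregate request rates over a window, and classify the window as single-source (one client over its own threshold), distributed (aggregate over baseline while every client stays under the per-client threshold) or normal, with the diversity signals an analyst checks before choosing IP blocks versus challenges. The log lines are constructed; the thresholds and the nginx `deny` lines emitted for single-source offenders are assumptions.

```python
"""Application-layer flood triage over web server access logs.

Added example covering both the single-source case (1.3) and the distributed
case (2.4); not code from the page. Log lines are constructed in Combined Log
Format; the thresholds (PER_IP_RPS, BASELINE_RPS) and the nginx `deny`
directive emitted for containment are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PER_IP_RPS = 5.0      # one client above this on its own: single-source flood
BASELINE_RPS = 20.0   # aggregate above this with no single offender: distributed


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze_window(lines, window_s, per_ip_rps=PER_IP_RPS, baseline_rps=BASELINE_RPS):
    """Classify a window of log lines as normal, single-source or distributed.

    Single-source: some client exceeds per_ip_rps by itself.
    Distributed: the aggregate rate is above baseline but every client stays
    under the per-client threshold, i.e. the traffic "looks like many users".
    The extra signals (distinct IPs, share of one-request clients, distinct
    user agents, top paths) are what an analyst checks before deciding on
    challenges or geo-blocks rather than IP blocks."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    per_ip = Counter(r["ip"] for r in recs)
    total_rps = len(recs) / window_s
    offenders = sorted(ip for ip, n in per_ip.items() if n / window_s > per_ip_rps)
    if offenders:
        verdict = "single-source"
    elif total_rps > baseline_rps:
        verdict = "distributed"
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "total_rps": total_rps,
        "distinct_ips": len(per_ip),
        "offenders": offenders,
        "single_request_share": (sum(1 for n in per_ip.values() if n == 1) / len(per_ip)) if per_ip else 0.0,
        "distinct_user_agents": len({r["ua"] for r in recs}),
        "top_paths": Counter(r["path"] for r in recs).most_common(3),
    }


def deny_rules(offenders):
    """nginx `deny` lines for single-source offenders (target server assumed to be nginx)."""
    return [f"deny {ip};" for ip in offenders]


# ---- constructed sample logs -------------------------------------------
_T0 = datetime(2025, 10, 10, 13, 55, 30, tzinfo=timezone.utc)


def _line(ip, offset_s, path, ua):
    ts = (_T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


# 1.3: one client fires 200 requests in 10 s at a search endpoint while ten
# ordinary clients make three requests each.
LOG_SINGLE = [_line("203.0.113.7", i % 10, f"/search?q={i}", "python-requests/2.31") for i in range(200)]
LOG_SINGLE += [_line(f"192.0.2.{c}", s, "/", "Mozilla/5.0") for c in range(1, 11) for s in (1, 4, 8)]

# 2.4: 400 distinct clients, one request each, spread over the same 10 s.
LOG_DISTRIBUTED = [
    _line(f"{net}.{h}", (h * 7) % 10, f"/api/items?page={h}", f"UA-{h % 17}")
    for net in ("192.0.2", "198.51.100")
    for h in range(1, 201)
]

if __name__ == "__main__":
    for name, log in (("single", LOG_SINGLE), ("distributed", LOG_DISTRIBUTED)):
        result = analyze_window(log, window_s=10)
        print(name, result["verdict"], f"{result['total_rps']:.1f} rps", result["distinct_ips"], "ips")
        print("\n".join(deny_rules(result["offenders"])))
```

Per-IP `deny` entries are only emitted for the single-source verdict; in the distributed case there is nothing useful to block by address, which is why the table's containment row moves to challenges, bot mitigation and per-endpoint limits instead.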
2.5 Multi-Vector DDoS
| IR Phase | Technical Details |
|---|---|
| Attack Description | Combination of volumetric, protocol and application-layer attacks, often rotated between vectors to outlast any single mitigation |
| Attack Vectors | UDP flood + SYN flood + HTTP flood |
| Assets Affected | Entire infrastructure stack |
| Detection Methods | Correlated SIEM alerts, cross-layer telemetry (flow, state-table and application metrics viewed side by side) |
| IoCs | Simultaneous anomalies at L3–L7 |
| Initial Triage | Identify each vector and the layer absorbing it; mitigate whichever vector is saturating the link first, since nothing behind a saturated link can be analyzed |
| Containment | Layered defenses (CDN + WAF + ISP scrubbing) |
| Eradication | Coordinated mitigation across provider, network edge and application teams |
| Recovery | Phased service restoration, one layer at a time |
| Lessons Learned | Red-team simulations, IR playbook updates |
3. Strategic Post-Incident Improvements
- Implement always-on DDoS protection
- Deploy CDN and Anycast architectures
- Maintain tested IR playbooks
- Conduct regular DDoS simulation exercises
- Establish ISP and CERT escalation paths
