All the measures outlined below will stand a better chance of success if you have prepared for a DoS attack. If you already have a response plan, once you have confirmed you are actually under attack (and not simply very popular for some legitimate reason), you should follow your plan and then consider notifying the NCSC and ActionFraud.
If you believe an attack is imminent and some preparation is possible, we have guidance on preparing your systems for attack.
If you find yourself under attack and you are not well prepared, you should think about taking the measures outlined in the minimal response plan outlined below.
Minimal response plan
If an attack begins:
- Confirm that you are actually under attack
- Understand the nature of the attack
- Deploy, the mitigations you can quickly put in place
- Monitor the attack and recover once you're certain it has finished
1. Confirm that you are under attack
There may be a perfectly legitimate explanation for the surge in traffic which has caused your service to be interrupted. Before responding to a DoSyou should confirm that this is actually what you are dealing with.
For example, large amounts of traffic could be generated by a news or social media article about your organisation, or numerous attempts to download large files from your site, such as a prominent press releases with lots of images. Any burst of traffic like this may have effects similar to a malicious denial of service attack.
Once you are confident that an attack is being performed, consider notifying the NCSC via CiSP and/or the police via ActionFraud.
Notifying the police via ActionFraud is highly recommended if you think you might wish to pursue criminal charges against the perpetrator of the attack. It is unlikely that either the police or the NCSC will be in a position to respond to the attack in real-time.
2. Understand the nature of the attack
Understanding the kind of attack you're facing is going to be much easier if you have monitoring set up, capturing data which gives you a clear picture of what is going on within your networks. Without this, your response is much less likely to hit its target.
B. Interpreting the data
If you are satisfied that the source of your problem is malicious. Investigate its nature. Different types of attack will affect your service in different ways. And this will in turn favour certain mitigations. For example:
C. Maintain normal security monitoring
It is tempting to divert all available security and network personnel into dealing with the attack. However, some adversaries may use a DoS or DDoS attack as a "smoke screen" for a penetrative attack into your networks.
Ensure that you do not neglect your regular security monitoring during a DoS attack.
3. Decide on, and deploy, the mitigations you can quickly put in place
It may be possible to rapidly deploy DoS mitigations, either through your Service Provider, or with a Content Delivery Network (CDN) provider.
Note that emergency mitigations from providers may be more expensive than planned-for mitigations.
You may be able to reduce the impact of an attack, or an attacker's ability to overwhelm your service, by making some temporary changes to your site. You could, for example, generate a static version of your site or disable processor or database intensive functionality (e.g. search).
Always ensure that you keep a log of what changes you make, so that you can return to a known state once you are confident that the attack is over.
4. Monitor the attack and recover
While the attack is ongoing, consider using other communication methods to notify your users of the state of the your services and other methods that they may be able to use to access your services. Pre-existing social media accounts may be a good route for this.
Distributed DoS (DDoS) attacks tend to be relatively short-lived (90% are less than 3 hours in duration). If the attack is persistent and continues even with your initial mitigations in place, you should consider which further provider and application mitigations you can apply (see the Preparing for denial of service attacks page for more details).
It is relatively common for attacks to come in bursts, once the initial attack has subsided you may wish to wait until you are confident that the attacker is not returning before rolling back any changes you made to your service.
After you have fully recovered your service, you should review the impact of the attack, the likelihood of a recurrence and look at our preparation guidance to decide what changes, if any, are required to protect against future issues.