
Incident Response Runbook: Distributed Denial of Service (DDoS)

1. Identification

  • Triggers: WAF (Web Application Firewall) alerts, Azure DDoS Network Protection alerts, synthetic monitoring failures, customer reports of timeouts.
  • Initial Triage: Determine whether the attack is volumetric (Layer 3/4: packet or bandwidth floods aimed at the public IP, visible as DDoS Protection alerts and saturated links) or application-layer (Layer 7: floods of valid-looking HTTP requests, visible in WAF logs and as backend CPU/latency spikes). The two are mitigated by different controls, so decide this first.

2. Containment (Mitigation)

  1. Layer 3/4 (Volumetric):
     • Confirm that Azure DDoS Network Protection (formerly DDoS Protection Standard) is enabled on the Virtual Network that hosts the affected public IPs. Once enabled it learns the normal traffic profile and mitigates volumetric floods automatically.
     • If it is not enabled, engage Azure Support immediately or attach a DDoS protection plan to the Virtual Network via the Azure Portal (note: a plan has a monthly cost, and mitigation only starts after it is attached).
  2. Layer 7 (Application):
     • Review WAF logs to identify attack patterns (for example specific User-Agent strings, source IPs, or requested URIs).
     • Apply custom WAF rules in Azure Application Gateway or Azure Front Door to rate-limit or block the attacking IPs or patterns.
     • Example: add a rate-limit custom rule to the Front Door WAF policy, matched on the abused path with action Block, so that any single client exceeding the threshold within the window is rejected at the edge before reaching the origin.

3. Eradication & Investigation

  • Query WAF logs in Log Analytics (Category ApplicationGatewayFirewallLog for Application Gateway, FrontDoorWebApplicationFirewallLog for Front Door) to find the source IPs, rules and URIs driving the attack and to tune the filtering rules accordingly. For Application Gateway:
    // Matched/blocked requests in the last hour, busiest source IP and rule first
    AzureDiagnostics
    | where TimeGenerated > ago(1h)
    | where Category == "ApplicationGatewayFirewallLog"
    | where action_s in ("Matched", "Blocked")
    | summarize hits = count() by clientIp_s, ruleId_s
    | order by hits desc
    
  • Monitor backend health probes and CPU/memory continuously to confirm the mitigation is holding and that blocked traffic is no longer reaching the origin.
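The triage described in sections 2 and 3 (find the sources and URIs behind matched or blocked requests, then choose between blocking the sources and rate-limiting the abused path) as an added Python example. It is not part of this runbook or of any Azure tool. The log records are constructed to mimic the AzureDiagnostics columns used in the query above, the thresholds (30 requests per minute per source, 80% concentration) are assumed tuning values, and the rule dictionaries follow the customRules schema of a Front Door WAF policy so the output can be pasted into a policy template.

```python
"""Triage WAF log records and draft the Front Door custom rule to apply.

Added example for this runbook, not Microsoft code or an official tool.
Records are constructed to mimic the AzureDiagnostics columns used in the
runbook query; thresholds and rule names are assumptions for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import json

ATTACK_ACTIONS = {"Matched", "Blocked"}   # same filter as the KQL query


def build_sample_logs(attackers=3, hits_each=40):
    """Constructed sample: `attackers` sources each send `hits_each` blocked hits
    to /api/login inside one minute; twelve legitimate clients each send two
    allowed requests to other paths."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    recs = []
    for i in range(attackers):
        for n in range(hits_each):
            recs.append({"TimeGenerated": base.replace(second=n % 60),
                         "clientIp_s": f"203.0.113.{10 + i}",
                         "requestUri_s": "/api/login", "ruleId_s": "949110",
                         "action_s": "Blocked", "userAgent_s": "python-requests/2.31"})
    for k in range(12):
        for n in range(2):
            recs.append({"TimeGenerated": base.replace(minute=n, second=k),
                         "clientIp_s": f"198.51.100.{k + 1}",
                         "requestUri_s": f"/products/{k}", "ruleId_s": "",
                         "action_s": "Allowed", "userAgent_s": "Mozilla/5.0"})
    return recs


def offenders(records):
    """Equivalent of the KQL `summarize count() by clientIp_s, ruleId_s`."""
    counts = Counter()
    for r in records:
        if r["action_s"] in ATTACK_ACTIONS:
            counts[(r["clientIp_s"], r["ruleId_s"])] += 1
    return counts


def peak_rpm(records):
    """Highest requests-per-minute seen from each client IP."""
    per_minute = defaultdict(Counter)
    for r in records:
        minute = r["TimeGenerated"].replace(second=0, microsecond=0)
        per_minute[r["clientIp_s"]][minute] += 1
    return {ip: max(buckets.values()) for ip, buckets in per_minute.items()}


def triage(records, rpm_threshold=30, share_threshold=0.8):
    """Decide between blocking a few hot sources and rate-limiting one hot path.
    Both thresholds are assumed tuning values, not Azure defaults."""
    attack = [r for r in records if r["action_s"] in ATTACK_ACTIONS]
    if not attack:
        return {"mode": "none", "hot_ips": [], "hot_path": None, "path_share": 0.0}
    rpm = peak_rpm(attack)
    hot_ips = sorted(ip for ip, v in rpm.items() if v >= rpm_threshold)
    hot_set = set(hot_ips)
    hot_share = sum(r["clientIp_s"] in hot_set for r in attack) / len(attack)
    path, path_hits = Counter(r["requestUri_s"] for r in attack).most_common(1)[0]
    path_share = path_hits / len(attack)
    if hot_ips and hot_share >= share_threshold:
        mode = "block_ips"        # a few sources carry the load: block them at the edge
    elif path_share >= share_threshold:
        mode = "rate_limit_path"  # many sources, one target: rate-limit that path
    else:
        mode = "review"           # diffuse: keep the managed rules, keep watching
    return {"mode": mode, "hot_ips": hot_ips, "hot_path": path, "path_share": path_share}


def fd_rate_limit_rule(path, threshold, priority=1, minutes=1, name="RateLimitAbusedPath"):
    """Front Door WAF custom rule: block a client that exceeds `threshold` requests
    to `path` within the window. Front Door accepts only 1- or 5-minute windows."""
    if minutes not in (1, 5):
        raise ValueError("Front Door rate-limit window must be 1 or 5 minutes")
    return {"name": name, "priority": priority, "enabledState": "Enabled",
            "ruleType": "RateLimitRule", "rateLimitDurationInMinutes": minutes,
            "rateLimitThreshold": threshold,
            "matchConditions": [{"matchVariable": "RequestUri", "operator": "Contains",
                                 "negateCondition": False, "matchValue": [path],
                                 "transforms": ["Lowercase"]}],
            "action": "Block"}


def fd_ip_block_rule(ips, priority=1, name="BlockAttackSources"):
    """Front Door WAF custom match rule blocking validated IPs/CIDRs by RemoteAddr."""
    cidrs = [str(ipaddress.ip_network(ip, strict=False)) for ip in ips]  # rejects junk input
    return {"name": name, "priority": priority, "enabledState": "Enabled",
            "ruleType": "MatchRule",
            "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                                 "negateCondition": False, "matchValue": cidrs}],
            "action": "Block"}


def recommend(records, path_threshold=100):
    """Turn the triage verdict into the custom rule to add to the WAF policy."""
    t = triage(records)
    if t["mode"] == "block_ips":
        return fd_ip_block_rule(t["hot_ips"])
    if t["mode"] == "rate_limit_path":
        return fd_rate_limit_rule(t["hot_path"], path_threshold)
    return None


if __name__ == "__main__":
    logs = build_sample_logs()
    print(offenders(logs).most_common(3))
    print(json.dumps(recommend(logs), indent=2))
```

The script favours an IP block when a handful of sources carry most of the matched traffic and a path rate limit when the load is spread across many sources; with the three-source sample it emits a RemoteAddr block rule, and with fifty low-rate sources (`build_sample_logs(attackers=50, hits_each=5)`) it emits a RateLimitRule on /api/login. Either rule is added to the policy's customRules with a priority that runs before the managed rule set, and the rate-limit threshold should start above the peak legitimate per-client rate seen in the same logs so the recovery step has less to unwind.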

4. Recovery

  • Once traffic normalizes, relax rate-limiting and block rules gradually rather than removing them at once, and only where the WAF logs show they are affecting legitimate users (false positives).
  • Confirm synthetic tests and customer endpoints are fully responsive.

5. Lessons Learned

  • Consider enabling caching at the edge (CDN/Front Door) so that cacheable responses are served without reaching the origin, absorbing future Layer 7 floods against those paths.
  • Review auto-scaling policies to ensure backend resources can scale rapidly during sudden traffic spikes.