How to Contain an Ongoing DDoS Attack – A Strategic Guide


The InterCERT France operational guide provides a clear, hierarchical strategy to mitigate DDoS attacks effectively. Below are key steps and technical measures to counter such threats.

You Should Know:

1. Traffic Filtering with ISP/Upstream Provider

  • Action: Contact your ISP or transit provider to filter upstream (BGP Flowspec, ACLs on their edge routers, or null-routing/RTBH of the targeted prefix). A volumetric attack has to be dropped before it reaches your access link; once the link is saturated, nothing you configure on your own firewall or hosts can help. Note that null-routing the victim address completes the attacker's goal for that address, so use it only to keep the rest of the network reachable.
  • Commands (Router/Firewall), for the filtering you control at your own edge, e.g. against application-layer floods from identifiable sources:

    # Cisco IOS (extended ACL to block malicious source ranges).
    # Extended ACLs take a network plus a wildcard mask (e.g. 203.0.113.0 0.0.0.255), not a prefix length.
    access-list 150 deny ip <attacker_network> <wildcard_mask> any
    access-list 150 permit ip any any
    interface GigabitEthernet0/0
     ip access-group 150 in

    # Linux (iptables drop rule; a CIDR such as 203.0.113.0/24 works when the sources are a whole range).
    # -A appends at the end of INPUT; use -I instead if an earlier ACCEPT rule would match the traffic first.
    iptables -A INPUT -s <attacker_IP_or_CIDR> -j DROP

2. Activate Anti-DDoS & CDN Services

  • Cloudflare: Enable "Under Attack" mode, which serves a JavaScript challenge to every visitor before the request is proxied to your origin. It stops HTTP floods from simple bots but also delays every legitimate user, so switch it off once the attack subsides. Akamai and other scrubbing providers offer equivalent emergency mitigation profiles.
  • AWS: Shield Standard is enabled by default and absorbs common network- and transport-layer floods; Shield Advanced adds cost protection and access to the Shield Response Team. Application-layer floods are handled with an AWS WAF rate-based rule, which counts requests per source IP (over a five-minute window by default) and blocks a source while it exceeds the limit:

    # AWS CLI (web ACL with a rate-limiting rule). The rule is passed as JSON because the
    # CLI shorthand syntax cannot express the nested Statement; VisibilityConfig is mandatory.
    aws wafv2 create-web-acl --name "Anti-DDoS-ACL" --scope REGIONAL \
      --default-action Allow={} \
      --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=AntiDDoSACL \
      --rules '[{"Name":"RateLimit","Priority":1,"Statement":{"RateBasedStatement":{"Limit":2000,"AggregateKeyType":"IP"}},"Action":{"Block":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"RateLimit"}}]'

    REGIONAL is the scope for ALB, API Gateway and similar resources; CloudFront distributions need --scope CLOUDFRONT in us-east-1. The ACL does nothing until it is attached to the resource with aws wafv2 associate-web-acl.

3. Reduce Load on Critical Resources

  • Linux (Throttle Connections):

    # Reduce SYN flood impact. SYN cookies let the kernel keep accepting connections once the
    # SYN backlog is full. Connections accepted via cookies can lose some TCP options (SACK,
    # window scaling), so this is an under-attack setting rather than a general tuning default.
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=2048
    # sysctl -w is not persistent: once validated, put the values in a file under /etc/sysctl.d/.

  – Windows (Adjust TCP Settings via PowerShell):

    # Windows enables SYN attack protection in its TCP stack by default. The parameter is
    # MaxSynRetransmissions (there is no SynRetransmissions); it caps retries of outbound SYNs,
    # freeing resources held by half-open outbound connections rather than protecting a listener.
    Set-NetTCPSetting -SettingName InternetCustom -MaxSynRetransmissions 2

4. Preserve Logs for Forensics

  • Log Collection (Linux):

    # Capture NetFlow data. nfcapd (from the nfdump suite) only stores flows that your routers or
    # switches export to it, so configure their NetFlow/IPFIX export towards this host and port.
    # Afterwards, nfdump on /var/log/netflow shows top sources, destination ports and protocols.
    nfcapd -p 9995 -l /var/log/netflow -D

  – Windows (export Security events):

    # Writes the 1000 newest Security events as text (/rd:true = newest first, /c = count).
    # The log fills quickly during an attack: raise /c or export the whole .evtx before it rolls over,
    # and copy the exports off the attacked host so they survive if it has to be rebuilt.
    wevtutil qe Security /f:text /rd:true /c:1000 > C:\logs\security_events.txt

5. Avoid Side Effects of Mitigation

  • Test Rules Before Full Deployment: a LOG rule shows what the matching DROP rule would have hit, without dropping anything. Check the logged sources for shared NAT gateways, your CDN's egress ranges, or your own monitoring before you enforce, since blocking those cuts off real users. Rate-limit the logging itself; otherwise the flood fills the system log instead of the link.

    # Test iptables rule (log instead of drop). -m limit keeps the LOG target from
    # writing one syslog line per flood packet.
    iptables -A INPUT -s <test_IP> -m limit --limit 10/min -j LOG --log-prefix "DDoS_TEST: "

What Undercode Say:

DDoS attacks require layered defense, combining ISP cooperation, cloud mitigation, and system hardening. Always:
– Monitor traffic anomalies (iftop, nload for live bandwidth per host; nfdump over the collected flows for the network).
– Automate blacklisting (fail2ban, CSF firewall), with an allowlist for your own monitoring, CDN and NAT addresses so the automation cannot lock them out.
– Simulate attacks (hping3 for SYN/UDP floods, LOIC for HTTP floods) against your own infrastructure, in a maintenance window, to test the defenses before a real attack does.

            Expected Output: A resilient infrastructure with real-time filtering, minimized downtime, and forensic readiness.
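The following shell script is added here as an example; it is not code from the InterCERT France guide or from the original post. It ties steps 1 and 5 to the advice above: it finds the busiest source addresses in a combined-format web access log, then prints the host firewall commands for them, first as rate-limited LOG rules for a test run and then as an ipset-backed DROP rule to enforce. The request threshold, the ipset name ddos_block, the DDoS_TEST: log prefix and the sample log lines (RFC 5737 documentation addresses) are all constructed for this example. Commands are printed rather than executed so they can be reviewed against your allowlist before being applied as root.

```bash
#!/usr/bin/env bash
# Added example, not code from the InterCERT France guide or the original post.
# Finds top talkers in a web access log and prints host firewall rules for them
# in "test" (rate-limited LOG) or "enforce" (ipset + DROP) mode. Output is
# printed, not executed: review it, then run it as root (e.g. pipe into sh).

# Count requests per client address (field 1 of the combined log format) and
# print "count ip" for every address at or above THRESHOLD, busiest first.
top_talkers() {
    local logfile=$1 threshold=$2
    awk -v thr="$threshold" '
        { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr) print hits[ip], ip }
    ' "$logfile" | sort -k1,1nr -k2,2
}

# Same as top_talkers, but only the addresses, one per line.
offenders() {
    top_talkers "$1" "$2" | awk '{ print $2 }'
}

# Print iptables/ipset commands for the given addresses.
#   test    -> LOG rules only, rate-limited so the flood cannot fill syslog
#   enforce -> one ipset holding every address plus a single DROP rule
# "ddos_block" (ipset name) and "DDoS_TEST: " (log prefix) are assumptions.
emit_block_rules() {
    local mode=$1 set_name=ddos_block ip
    shift
    case $mode in
        test)
            for ip in "$@"; do
                printf 'iptables -I INPUT -s %s -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "DDoS_TEST: "\n' "$ip"
            done ;;
        enforce)
            printf 'ipset -exist create %s hash:ip\n' "$set_name"
            for ip in "$@"; do
                printf 'ipset -exist add %s %s\n' "$set_name" "$ip"
            done
            # -C checks whether the DROP rule already exists, so re-runs do not duplicate it
            printf 'iptables -C INPUT -m set --match-set %s src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name" "$set_name"
            ;;
        *)
            echo "usage: emit_block_rules test|enforce IP..." >&2
            return 2 ;;
    esac
}

# Constructed sample log (RFC 5737 documentation addresses): 203.0.113.7 sends
# five requests, 192.0.2.44 three, 198.51.100.23 one.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF

# Three or more hits in this tiny window is the assumed threshold; for a real log it
# depends on your normal per-client rate and on whether many users share one NAT address.
THRESHOLD=3
echo "# top talkers (count ip):"
top_talkers "$SAMPLE_LOG" "$THRESHOLD"
echo "# test rules:"
emit_block_rules test $(offenders "$SAMPLE_LOG" "$THRESHOLD")
echo "# enforce rules:"
emit_block_rules enforce $(offenders "$SAMPLE_LOG" "$THRESHOLD")
```

Run the test output first and watch the DDoS_TEST: lines in syslog for a few minutes; only when none of the logged sources turn out to be shared or your own should the enforce output be applied. The ipset keeps the INPUT chain to one rule however many addresses are blocked, and new addresses can be added to the set later without touching iptables.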

            Reference: InterCERT France DDoS Guide

            Reported By: Cousinhub Ddos – Hackers Feeds