
What To Do When You’re Under a DDoS Attack: A Guide to Action


Written by

Sven Dummer and Sandeep Rath

December 12, 2024

Sven H. Dummer is a Global Director of Product Marketing at Akamai. Sven is based in San Francisco.

Sandeep Rath is a Senior Product Marketing Executive at Akamai. He is a PMMC-certified product marketing leader with a focus on translating unmet customer needs, narrative design, and value-based storytelling. He has nearly two decades of experience in leading global product marketing teams and is based in Toronto, Canada.

DDoS attacks are growing … but with the right defense strategy, you can protect your network, your services, and your reputation.

If your organization is under attack right now, our security experts are here for you 24/7. If you need emergency help, please contact us.

In today's hyperconnected world, distributed denial-of-service (DDoS) attacks are no longer rare incidents. Cybercriminals use increasingly sophisticated techniques to disrupt businesses, damage reputations, and compromise critical online services. 

At Akamai, we’ve seen the number of DDoS attacks continue to rise by more than 45% year over year, with nation-state actors and cybercrime organizations like Killnet and Anonymous Sudan frequently leveraging DDoS tactics. 

The stakes have never been higher. So, what should you do if you find yourself under attack?

In this blog post, we’ll walk you through the seven key steps for responding to a DDoS attack and we’ll highlight how the Akamai Prolexic security platform can help protect your organization against these growing threats.

The rising threat of DDoS attacks

DDoS attacks occur when malicious actors flood a network with traffic, overwhelming its resources and rendering its services unavailable. These attacks are sometimes used for extortion; that is, attackers demand a ransom in exchange for stopping the flood of malicious traffic. In some cases, attackers use DDoS as a smokescreen to launch even more malicious activities, such as data breaches or malware deployments.

Although DDoS attacks have been around for years, they’ve recently grown in both size and complexity. There was a nearly 50% increase in the number of large DDoS attacks between 2021 and 2023, and 2024 is on track to break this record yet again. In the State of the Internet (SOTI) report Fighting the Heat: EMEA’S Rising DDoS Threats, Akamai researchers observed that the number of DDoS attack events in Europe, the Middle East, and Africa (EMEA) has been rising, with higher peaks, since the beginning of 2019. 

The SOTI researchers analyzed regional DDoS data and saw that EMEA’s DDoS attack event numbers are moving at a steadier incline than any other region’s numbers, including overall leader North America’s (Figure).

Figure: Quarterly DDoS attack events by region. EMEA’s DDoS attack event numbers are increasing more steadily than any other region’s numbers, including North America’s.

According to DDoS: Here to Stay, a white paper published in early 2024 by FS-ISAC and Akamai, 35% of all DDoS attacks in 2023 were aimed at the financial services industry, which has surpassed the games sector as the most-attacked vertical. Driven by a dramatic surge in the power of botnets and hacktivism motivated by the ongoing geopolitical wars, the financial services industry experienced a 154% increase in DDoS attacks between 2022 and 2023.

High technology and media/entertainment are the other two industry verticals that often witness DDoS attacks that disrupt the availability of their Layer 7 web applications, DNS, and the underlying digital infrastructure (Layers 3 and 4) that powers it all.

Today, DDoS-as-a-service offerings make it easier for any would-be attacker to deploy these disruptive assaults. And for many organizations, traditional mitigation techniques are no longer enough to stop the deluge. This is where Akamai’s Prolexic platform steps in to offer a higher level of protection.

Akamai Prolexic: Advanced protection for complex DDoS attacks

Akamai Prolexic is an advanced DDoS protection platform that combines powerful machine intelligence with the expertise of more than 225 global security engineers. The platform is available on-premises, in the cloud, or as a hybrid of both, and offers the flexibility of always-on or on-demand protection, to fit the specific security needs of global customers. 

What sets Prolexic apart is the resiliency of the platform, which stems from being deployed on its own infrastructure that includes several cloud scrubbing centers in 32 metropolitan cities worldwide and more than 20 terabits per second (Tbps) of dedicated defense capacity. Prolexic is purpose-built to detect and mitigate even the largest DDoS attacks before they can impact your services.

But what if you’re already under attack? Let’s explore the immediate steps you should take.

7 steps to take during a DDoS attack

If you’re under attack, time is of the essence. Here are seven key actions you can take to mitigate the damage and secure your infrastructure.

  1. Assess your risk and current defenses. Begin by evaluating your current DDoS mitigation capabilities. Are your existing defenses sufficient to handle the size and scope of the attack? Engage your DDoS mitigation provider to assess the ongoing threat and respond quickly to any vulnerabilities.

  2. Review your critical IP spaces and subnets. Ensure that your most vital network resources, including critical subnets and IP spaces, are protected by mitigation controls. This will help to limit the areas of your infrastructure that can be compromised by the attack.

  3. Activate always-on DDoS security controls. Deploy always-on security controls as a first layer of defense. This proactive approach minimizes the burden on incident responders and reduces the risk of emergency integration scenarios during a crisis.

  4. Implement an edge-based cloud firewall. Expand your defenses beyond traditional DDoS protection by deploying an edge-based cloud firewall, such as Akamai Prolexic’s Network Cloud Firewall. This additional layer of security helps to block malicious traffic before it even reaches your network, reducing the load on your internal firewalls and systems.

  5. Protect your DNS infrastructure. Domain Name System (DNS) attacks are a common and highly effective method of disrupting services. Use a robust DNS solution like Akamai Edge DNS to protect against DNS-focused attacks, and deploy Akamai Shield NS53 as a dynamic proxy to safeguard on-premises or hybrid DNS infrastructures.

  6. Activate your incident response plan. Ensure that your incident response plan is up-to-date and activated. This plan should include a crisis response team with clearly defined roles, communication channels, and predefined strategies for mitigating the attack. Having a well-rehearsed playbook is key to maintaining calm and responding efficiently during a crisis.

  7. Extend your protection to application and API layers. Many DDoS attacks target applications and APIs, making it essential to secure these components as well. Akamai App & API Protector offers a web application firewall (WAF) that blocks malicious HTTP requests and safeguards your applications from complex DDoS attacks that target ports 443 and 80.
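One way to carry out the review in step 2 is to compare the prefixes you consider critical with the prefixes your mitigation service is configured to protect, and list whatever is left exposed. The script below is an added example, not Akamai code or a Prolexic API; `coverage_gaps` is a hypothetical helper, and the prefixes are constructed sample values from the documentation address ranges.

```python
import ipaddress

def coverage_gaps(critical, protected):
    """Map each critical prefix to the parts of it that no protected prefix covers."""
    shields = [ipaddress.ip_network(p) for p in protected]
    gaps = {}
    for prefix in critical:
        remaining = [ipaddress.ip_network(prefix)]
        for shield in shields:
            still_open = []
            for net in remaining:
                if net.version != shield.version:
                    still_open.append(net)       # IPv4 and IPv6 never overlap
                elif net.subnet_of(shield):
                    continue                     # fully covered by this shield
                elif shield.subnet_of(net):
                    # Partly covered: keep only the pieces outside the shield.
                    still_open.extend(net.address_exclude(shield))
                else:
                    still_open.append(net)       # disjoint, still exposed
            remaining = still_open
        if remaining:
            merged = ipaddress.collapse_addresses(remaining)
            gaps[prefix] = [str(n) for n in merged]
    return gaps

# Constructed sample inventory (documentation ranges, not real assets).
CRITICAL = [
    "203.0.113.0/24",     # only half of this is onboarded below
    "198.51.100.0/25",    # inside a larger protected prefix
    "192.0.2.0/24",       # never onboarded
    "2001:db8:10::/48",   # inside a protected IPv6 prefix
]
# Constructed list of prefixes routed through the mitigation service.
PROTECTED = ["203.0.113.0/25", "198.51.100.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    for prefix, holes in coverage_gaps(CRITICAL, PROTECTED).items():
        print(f"{prefix}: unprotected {', '.join(holes)}")
```

Run it against an export of your asset inventory and the provider's protected-prefix list; an empty result means every critical prefix falls inside a protected one.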

Real-world examples of Akamai Prolexic in action

Akamai Prolexic has successfully defended some of the world’s largest companies from massive DDoS attacks. Here are a few recent examples of Prolexic’s effectiveness.

A major financial services institution in EMEA

In October 2024, Akamai detected and mitigated one of the largest DDoS attacks against a financial services institution in EMEA. At its peak, the attack volume scaled up to 1.48 Tbps and 125 million packets per second (Mpps) in size. Even though the attack was orchestrated using a global botnet, more than 60% of the attack traffic was mitigated by seven Akamai Prolexic cloud scrubbing centers, of which four are located in major European metropolitan cities.

Akamai’s automated machine intelligence, expert Security Operations Command Center (SOCC) personnel, and a network of local scrubbing centers all kicked into action and protected the customer’s digital infrastructure from being taken down.

A large U.S.-based organization

On August 27, 2024, Akamai successfully detected and mitigated a DDoS attack against a large U.S.-based organization. The attack peaked at an astonishing 1.3 Tbps, making it the third-largest volumetric DDoS attack recorded on the Akamai Prolexic platform — and the most significant DDoS attack observed in the past four years. Despite the attack's intensity and duration (approximately 12 minutes), there was no impact on the organization or its legitimate users.

The attackers used a distributed botnet to cycle through a series of attack vectors within a very short period, indicating that the attack was orchestrated with a highly programmatic approach. Although the vectors were not novel (UDP flood, UDP fragment, TCP ACK flood, etc.), the scale and the rapidly evolving attack pattern indicated the sophistication of the attack.

At the peak of the attack, close to 30 Prolexic scrubbing centers globally were automatically activated to mitigate the attack and ensure that there was no impact on the customer’s digital infrastructure and web-facing assets. Prolexic’s automation and machine intelligence, human intervention from the SOCC, and 20+ Tbps of dedicated cloud scrubbing capacity scaled in real time to mitigate the DDoS attack in zero seconds.

An Israeli financial institution

A month earlier, on July 15, 2024, a leading Israeli financial institution came under siege by a prolonged 24-hour DDoS attack. The highly sophisticated attack peaked at 798 Gbps and targeted not only the institution’s public-facing websites but also critical back-end systems and APIs.

Unlike many DDoS attacks that last only a few hours, this was a sustained assault designed to wear down the institution’s defenses over an entire day. The attackers used a combination of UDP flood, UDP fragmentation, DNS reflection, and PSH+ACK techniques to overwhelm the institution’s infrastructure. The complexity of the attack required more than just automated defense mechanisms — real-time adjustments and human expertise were essential.

As the attack progressed and evolved throughout the day, Akamai’s global scrubbing infrastructure dynamically adjusted to new traffic patterns. The Prolexic platform’s ability to automatically scale, combined with continuous human oversight from the SOCC, allowed for a tailored response with zero collateral damage or service degradation for our customer.

A major games company

Toward the end of 2023, a leading video gaming company became the target of a large-scale DDoS attack designed to disrupt online games services. The attack peaked at more than 500 Gbps, with traffic primarily aimed at the company’s multiplayer games servers. This attack not only threatened to cripple the experience for users, but also posed a severe risk to the company’s reputation.

The company’s existing machine-only DDoS protection provider was unable to handle the scale of the attack. Despite deploying standard mitigation techniques, the attack continued to overwhelm its gaming infrastructure, leading to service interruptions and frustrated players.

The company was not originally an Akamai Prolexic customer, but was aware of the platform’s reputation and capabilities. In a last-minute decision, the company turned to Akamai for help. Within hours, Akamai Prolexic was deployed to neutralize the attack.

The platform’s 20+ Tbps of defense capacity and global scrubbing network quickly began scrubbing incoming traffic, removing malicious packets and ensuring that legitimate traffic could flow through. Prolexic’s ability to scale on demand and adapt in real time was critical in this fast-moving scenario.

This incident highlights the importance of scalable, on-demand DDoS protection, especially in industries like games, where uptime is critical.

Why the human element matters

Modern DDoS attacks can easily (and often) overwhelm DDoS defense technologies that rely solely on automated mitigation. Smart hackers probe such automated defense mechanisms to detect and abuse flaws and vulnerabilities. The evolution of DDoS threats is no longer focused on increasing attack volume and bandwidth, but on the sophistication of the attack methods and refinement of the tactics.

That is why Akamai generally combines platform, people, and process. The automated mitigation and machine intelligence of our dedicated DDoS defense platform is combined with the flexibility, experience, and skills of human engineers in the SOCC.

The human factor is essential for navigating complex, evolving attacks that automated systems alone might not fully address.

Professional full-time DDoS fighters

The SOCC engineers work closely with Akamai’s customers to develop and define procedures and processes in the form of operational runbooks and configurations that save precious time during an attack and ensure an efficient response. Above all, these experts actively engage in the event of a significant attack. As professional full-time DDoS fighters, our SOCC engineers come equipped with significant expertise and experience.

Akamai Prolexic’s three-pillared framework

Akamai Prolexic uses a three-pillared framework to provide the most comprehensive protection against DDoS attacks. These three pillars are:

  1. People
  2. Platform
  3. Processes

Key advantages

Some of the key advantages of Akamai Prolexic’s three-pillared framework include:

Adaptive response to complex attacks. DDoS attacks today are multilayered, and attackers often change tactics in the middle of an attack. Automated defenses may miss subtle shifts or new attack patterns, but Prolexic’s SOCC team actively monitors and adjusts strategies in real time, ensuring that defenses adapt as attacks evolve. This human oversight is critical to staying ahead of sophisticated attackers.

Reducing false positives. Fully automated systems can mistakenly block legitimate traffic, sometimes causing more harm than the attack itself. Prolexic’s security engineers carefully analyze traffic to prevent false positives, ensuring the business continues to serve real customers even during an attack. This is especially important for industries like finance, games, and ecommerce, where uptime and user experience are paramount.

Real-time collaboration with clients. Akamai’s engineers work directly with our customers’ in-house security teams before, during, and after an attack, offering hands-on support and making real-time adjustments. Whether it’s developing a proactive and positive security posture, prioritizing critical services, or refining key defenses and processes to save precious minutes during an attack, this collaboration ensures the attacked organization stays operational and responsive, with solutions tailored to their specific infrastructure.

The most comprehensive DDoS protection

DDoS attacks are growing in size and sophistication, and no organization is immune. But with the right defense strategy, you can protect your network, your services, and your reputation.

Akamai is here to help. Our Prolexic platform is designed for complete flexibility, with the option to deploy always-on or on-demand protection. It also integrates easily with hybrid environments, ensuring that your data centers, cloud infrastructure, and internet-facing services are secure from even the most sophisticated threats.

Akamai Prolexic works in tandem

Akamai Prolexic works in tandem with Akamai Edge DNS and Akamai Shield NS53 to protect your network and DNS infrastructure from DDoS attacks, and with Akamai App & API Protector to protect your critical applications from application layer DDoS attacks. Together, these solutions provide the most comprehensive DDoS protection for customers.

Learn more

Contact an Akamai expert today to learn more about our comprehensive security solutions.
