Kif tibni DDoS incident response runbook?

Question

Accepted Answer

A DDoS runbook jtella l-panik f'check-list. Il-prinċipju essenzjali tiegħu: **ipprepara qabel l-attakk, mhux matul tiegħu** — accounts provisioned, contacts magħrufa, u dashboards mibnija, għalhekk ir-rispons huwa execution, mhux improvisation.

## Ipprepara minn qabel

- Għandek **CDN/scrubbing provider integrat diġà** (DNS ipponjat minn ħamjiegħ, modalità "under attack" li tista' tiflaħ).
- Żomm **baseline dashboards and alerts** għat-traffic, error rate, u cache-hit ratio sabiex l-anomaliji jinqabdu malajr.
- Pre-write **WAF rules and rate-limit tiers** li tista' tserraq instantly.
- Żomm **contact list**: on-call, CDN/ISP support, leadership, u **status-page** template lest.

## Il-passi tal-runbook

1. **Detect and declare** — alert jew anomaly correlata (ara DDoS detection) ittella incident. Assenja incident commander immediately.
2. **Identify attack type and target** — hu Layer 3/4 (volumetric) jew Layer 7 (HTTP flood)? Liema endpoint, IP, jew reġjun? It-tip jiddikta liema controls tħaffef.
3. **Engage defenses** — xegħel CDN "under attack" mode / scrubbing, **tserraq WAF rules**, u **naqqa rate limits**. Ibda bil-kontroller l-irħas u l-wasi ħafna.
4. **Block / null-route sources** — block IP ranges jew geos offending tal-edge; bħala last resort, staqsi lil-ISP biex **null-route** l-IP targeted biex isalva l-bqija tal-platform.
5. **Communicate** — post għal **status page**, update stakeholders, u żomm timeline. Clear comms jipprevjeni kriza secunda ta' konfuzzjoni.
6. **Scale if needed** — autoscale jew overprovision origin capacity biex tassab traffic li jgħaddi minn ħamjiegħ filwaqt li l-filters isserrqu.
7. **Post-incident review** — ladarba stabbli, ħaddem blameless retro: x'ħadem, x'kien bil-mod, liema rules li nagħmelhom permanenti, u liema frammezzi li għad għad jkun għad għandek tiskopri.

```text
DETECT -> IDENTIFY -> ENGAGE (CDN/WAF/rate-limit) -> BLOCK/null-route
       -> COMMUNICATE -> SCALE -> POST-INCIDENT REVIEW
```

## Għaliex hu importanti

Taħt attakk reali, latency u adrenaline jagħmlu n-nies jiskipjaw passi u jagħmlu l-affarijiet agħar. Runbook jagħti sekwenza magħrufa, tooling pre-built, u rwoli ċari, sabiex it-team jmitiga f'minuti minflok jiddibattu opzjonijiet filwaqt li s-sit huwa down. L-aktar linja valwoza f'kwalunkwe DDoS runbook hija l-preparazzjoni magħmula minn qabel — ma tistax tintegra scrubbing provider jew issib in-numru tal-emerġenza tal-ISP filwaqt li inti qed tiġi alluvjunata.