When a DDoS attack hits at 2am, your on-call engineer shouldn't be improvising. They should be following a runbook. Here's a template based on how hundreds of incident responses have played out — adapted for teams using reverse-proxy scrubbing protection.
Minutes 0–5: Detect and Confirm
- Check monitoring dashboards: is this a brief spike or a sustained attack?
- Confirm the attack vector: volumetric (bandwidth exhaustion) or L7 (request exhaustion)?
- Check Akarguard dashboard: is the attack being mitigated? What's the attack type shown?
- Page the team lead — this is a P1 incident until proven otherwise.
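The first two checks above (spike vs. sustained, L7 vs. volumetric) are the ones most often eyeballed under pressure. The following is an added example, not part of the original runbook, that makes them mechanical: it buckets origin access-log lines per minute, calls the volume "sustained" only when the excess persists for several consecutive minutes, and computes the concentration metrics (few clients, few paths, rising origin 5xx) that indicate request exhaustion at L7. The log format, the thresholds, and the sample traffic are all constructed for this example. Note that a volumetric attack saturates links before the origin logs anything, so a quiet access log with saturated bandwidth counters points to volumetric, not "no attack".

```python
"""Triage helpers for the Detect and Confirm phase.

Added example (not part of the original runbook). Log format is constructed for
this example: "<ISO timestamp> <client> <method> <path> <status>".
"""
from collections import Counter
from datetime import datetime, timedelta


def parse_line(line):
    ts, client, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, path, int(status)


def requests_per_minute(records):
    """Bucket parsed records into per-minute request counts."""
    buckets = Counter()
    for ts, *_ in records:
        buckets[ts.replace(second=0)] += 1
    return buckets


def classify_volume(buckets, baseline_rpm, factor=5, sustained_minutes=3):
    """'normal' if no minute exceeds factor x baseline, 'spike' if the excess lasts
    fewer than sustained_minutes consecutive minutes, otherwise 'sustained'."""
    elevated = sorted(m for m, c in buckets.items() if c >= baseline_rpm * factor)
    if not elevated:
        return "normal"
    longest = run = 1
    for prev, cur in zip(elevated, elevated[1:]):
        run = run + 1 if cur - prev == timedelta(minutes=1) else 1
        longest = max(longest, run)
    return "sustained" if longest >= sustained_minutes else "spike"


def l7_indicators(records, top_n=3):
    """Concentration metrics: a few clients hammering a few paths while origin 5xx
    climbs is the request-exhaustion (L7) signature. Pair with bandwidth counters,
    because a volumetric flood never reaches the origin log."""
    total = len(records)
    if total == 0:
        return {"total": 0, "top_clients_share": 0.0, "top_paths_share": 0.0, "error_ratio": 0.0}
    clients = Counter(r[1] for r in records)
    paths = Counter(r[3] for r in records)
    errors = sum(1 for r in records if r[4] >= 500)
    return {
        "total": total,
        "top_clients_share": sum(c for _, c in clients.most_common(top_n)) / total,
        "top_paths_share": sum(c for _, c in paths.most_common(top_n)) / total,
        "error_ratio": errors / total,
    }


def triage(log_text, baseline_rpm):
    """Run both checks over raw log text; thresholds (0.5) are assumed, tune per site."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    result = l7_indicators(records)
    result["volume"] = classify_volume(requests_per_minute(records), baseline_rpm)
    result["likely_l7"] = result["top_clients_share"] > 0.5 and result["top_paths_share"] > 0.5
    return result


def build_sample_log(flood_minutes=3):
    """Constructed log: two quiet minutes (10 req/min from 10 clients on varied
    paths), then flood_minutes of 80 req/min from two clients POSTing one
    endpoint, with a quarter of those requests answered 503 by the origin."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    lines = []
    for minute in range(2):
        for i in range(10):
            ts = base + timedelta(minutes=minute, seconds=i * 6)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{10 + i} GET /page{i} 200")
    for minute in range(2, 2 + flood_minutes):
        for i in range(80):
            ts = base + timedelta(minutes=minute, seconds=i * 60 // 80)
            status = 503 if i % 4 == 0 else 200
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 198.51.100.{1 + i % 2} POST /search {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(build_sample_log(), baseline_rpm=10))
```

Feed it the last ten minutes of origin logs with your normal off-peak requests-per-minute as the baseline; a "sustained" verdict together with `likely_l7` is the cue to move into the Contain phase rather than wait for the spike to pass.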
Minutes 5–15: Contain
- Verify DNS is still pointing to Akarguard's proxy (run dig yourdomain.com from a network outside your own infrastructure).
- Enable emergency rate-limiting rules via the Akarguard dashboard if not already active.
- Block specific geographic regions if the attack is regionally concentrated.
- Activate emergency caching to serve cached pages and reduce origin load.
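The DNS check in the first Contain step is worth scripting so that it is repeatable at 2am and catches a single stray record. The following is an added example, not part of the original runbook and not Akarguard's tooling: it parses `dig +short` output from an external resolver and flags any answer that falls outside the proxy's published address ranges, since one record pointing at the origin means the attack can bypass the scrubbing layer entirely. The proxy ranges below are placeholders (the runbook does not list Akarguard's ranges); the dig outputs are constructed. Run it for both A and AAAA, because a forgotten AAAA record is the classic way an origin stays reachable.

```python
"""Verify that the public DNS answer still points at the scrubbing proxy.

Added example for the Contain phase (not part of the original runbook).
"""
import ipaddress
import subprocess

# PLACEHOLDER ranges: substitute the proxy ranges your provider publishes.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:100::/48")]


def parse_dig_short(output):
    """Parse `dig +short` output into IP addresses; CNAME lines (ending in '.'),
    blanks and diagnostic lines such as ';; connection timed out' are skipped."""
    ips = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith("."):
            continue
        try:
            ips.append(ipaddress.ip_address(line))
        except ValueError:
            continue
    return ips


def check_points_to_proxy(ips, proxy_ranges=PROXY_RANGES):
    """Return (all_behind_proxy, exposed). exposed lists answers outside the proxy
    ranges; an empty answer is treated as a failure because nothing was verified."""
    exposed = [ip for ip in ips if not any(ip in net for net in proxy_ranges)]
    return (len(ips) > 0 and not exposed, exposed)


def resolve_with_dig(domain, resolver="1.1.1.1", rrtype="A"):
    """Query a public resolver directly so a stale local cache cannot mask a
    misconfiguration. Requires the dig binary and network access."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", domain, rrtype],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_short(out)


# Constructed dig outputs: a healthy answer and one where a record leaks the origin.
CONSTRUCTED_OK = "proxy.example-scrubber.net.\n192.0.2.10\n192.0.2.11\n"
CONSTRUCTED_BYPASS = "192.0.2.10\n198.51.100.7\n"


if __name__ == "__main__":
    for label, out in (("ok", CONSTRUCTED_OK), ("bypass", CONSTRUCTED_BYPASS)):
        ok, exposed = check_points_to_proxy(parse_dig_short(out))
        print(label, "behind proxy" if ok else f"EXPOSED: {[str(ip) for ip in exposed]}")
```

In the live runbook, replace the constructed strings with `resolve_with_dig("yourdomain.com", rrtype="A")` and again with `rrtype="AAAA"`; any `exposed` address is the record to fix before spending time on rate limits, since the proxy can only mitigate traffic that actually reaches it.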
Minutes 15–45: Communicate
- Post internal incident update: what's happening, current impact, who's on it.
- Update your status page — even 'we are investigating elevated error rates' is better than silence.
- Notify customer success if enterprise customers are affected.
- Loop in leadership if SLA thresholds are being breached.
Minutes 45–60: Resolve and Document
- Confirm attack is fully mitigated and normal traffic is flowing.
- Begin incident document: timeline, attack profile, mitigation actions taken.
- Schedule post-mortem within 48 hours.
- Review whether any tuning to rate limits or rules is needed.