How to Respond to Active Attacks

This guide provides systematic procedures for responding to various attack types, from initial detection through resolution and post-incident review.

Attack Detection

Recognizing an Attack

Common indicators:

Traffic Patterns:
  • Sudden traffic spike
  • High volume from few IPs
  • Requests from unusual locations
  • Off-hours activity surge

Performance Impact:
  • Site slowdown
  • Server resource exhaustion
  • Increased error rates
  • Database connection limits hit

Log Patterns:
  • High WAF block rate
  • Repeated rule triggers
  • Similar attack patterns
  • Coordinated timing

User Reports:
  • Site unavailability
  • Slow response times
  • Intermittent errors

Initial Assessment

When an attack is suspected:

Step 1: Confirm Attack (2 minutes)

# Check recent security logs
# Dashboard: Last 1 hour, sort by count

# Look for:
- Unusual volume of blocks
- Repeated IPs
- Specific attack types
- Time correlation

Step 2: Determine Severity (3 minutes)

Low Severity:
  • Normal scanning activity
  • Single IP, low volume
  • All attacks blocked
  • No performance impact

Medium Severity:
  • Multiple IPs coordinated
  • Moderate volume (100-1000 requests/min)
  • Attacks blocked but noticeable
  • Minor performance impact

High Severity:
  • Large botnet (100+ IPs)
  • High volume (1000+ requests/min)
  • Some bypasses detected
  • Significant performance impact

Critical Severity:
  • Massive distributed attack
  • Site unavailability
  • Successful breaches
  • Data exposure risk

Step 3: Identify Attack Type (2 minutes)

Check logs for the predominant attack pattern:
  • Brute force (login attempts)
  • DDoS (overwhelming volume)
  • Application attacks (SQL injection, XSS)
  • Reconnaissance (scanning)
  • Resource exhaustion
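As an added example (not part of the original guide and not an AtomicEdge tool), the following Python script runs Steps 1-3 over a batch of security-log lines: it counts volume, distinct and repeated IPs and bypasses, picks the predominant rule, and maps the result onto the severity bands above. The log format and the sample lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed log format for this example (not AtomicEdge's own export format):
# "<ISO time> <client ip> <method> <path> <rule> <blocked|allowed>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (blocked|allowed)$")

# Constructed one-minute sample: one IP hammering the login form, a second IP
# joining in, a recon probe, an SQLi probe, and one login request that got through.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z 203.0.113.45 POST /wp-login.php brute-force blocked
2024-05-01T02:00:02Z 203.0.113.45 POST /wp-login.php brute-force blocked
2024-05-01T02:00:02Z 198.51.100.30 POST /wp-login.php brute-force blocked
2024-05-01T02:00:03Z 203.0.113.45 POST /wp-login.php brute-force blocked
2024-05-01T02:00:04Z 192.0.2.99 GET /phpmyadmin/ recon blocked
2024-05-01T02:00:05Z 198.51.100.30 GET /?id=1%27%20OR%201%3D1 sqli blocked
2024-05-01T02:00:06Z 203.0.113.45 POST /wp-login.php brute-force allowed
"""

def parse(log_text):
    """Yield (ip, rule, action) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(5), m.group(6)

def triage(log_text, window_minutes=1):
    """Steps 1-3 of the initial assessment over one log window: volume, distinct
    and repeated IPs, bypasses (rule hits that were allowed through), predominant
    rule, and the severity band from the guide's thresholds. 'critical' needs
    availability and breach evidence a WAF log cannot show, so this stops at 'high'."""
    events = list(parse(log_text))
    ips = Counter(ip for ip, _, _ in events)
    rules = Counter(rule for _, rule, _ in events)
    per_minute = len(events) / window_minutes
    bypasses = sum(1 for _, _, action in events if action == "allowed")
    if bypasses or len(ips) >= 100 or per_minute >= 1000:
        severity = "high"    # some bypasses, 100+ IPs or 1000+ requests/min
    elif len(ips) > 1 and per_minute >= 100:
        severity = "medium"  # coordinated IPs, 100-1000 requests/min, all blocked
    else:
        severity = "low"     # single source or low volume, everything blocked
    return {
        "requests_per_minute": per_minute,
        "distinct_ips": len(ips),
        "repeated_ips": [ip for ip, n in ips.most_common() if n > 1],
        "bypasses": bypasses,
        "predominant_rule": rules.most_common(1)[0][0] if rules else None,
        "severity": severity,
    }
```

Feed it the last hour of exported log lines with `window_minutes=60` to get the per-minute rate the severity table uses; a single allowed hit on an attack rule is what pushes the band to high, which is the bypass check from Step 1.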

Response Procedures

Brute Force Attack Response

Characteristics:
  • Repeated login attempts
  • /wp-login.php or /admin/ targeted
  • Moderate volume
  • May be single IP or distributed

Immediate Actions (5 minutes):

  1. Enable Rate Limiting:

     Rate Limiting: Enabled
     Protected Paths: /wp-login.php, /admin/login
     Events per minute: 3
     Response: Drop

  2. Review Attack Source:
     • Check security logs for source IPs
     • Note if single source or distributed
     • Identify source countries

  3. Geographic Blocking (if concentrated):

     If 80%+ of attacks come from a single country:
       Enable geographic blocking for that country
       Response: Drop

  4. Monitor Effectiveness:
     • Watch logs for attack volume
     • Verify rate limiting triggers
     • Check that legitimate users are unaffected

Follow-Up (30 minutes):

  • Review compromised accounts (if any successful logins)
  • Force password resets if needed
  • Enable two-factor authentication
  • Document attack timeline and response

DDoS Attack Response

Characteristics:
  • Extremely high request volume
  • Many source IPs
  • Site slowdown or unavailability
  • Simple GET requests (not complex attacks)

Immediate Actions (10 minutes):

  1. Verify It’s DDoS:
     • Check request volume (>10,000/min indicates DDoS)
     • Note geographic distribution
     • Check if WAF blocks are effective

  2. Enable Rate Limiting Site-Wide:

     Rate Limiting: Enabled
     Protected Paths: /
     Events per minute: 100
     Response: Drop

  3. Geographic Blocking:

     If attack sources are concentrated:
       Block top 3 source countries
       Response: Drop

  4. Bot Protection:

     Enable Bot Protection
     Response: Drop

  5. Contact Support:
     • For large-scale DDoS, contact AtomicEdge support
     • Provide attack details (volume, sources, timing)
     • Request additional capacity if needed

During Attack:

  • Monitor continuously
  • Note attack patterns
  • Track effectiveness of mitigations
  • Be ready to adjust protections

Post-Attack:

  • Review attack logs
  • Document response actions
  • Keep protections active 24-48 hours
  • Gradually remove temporary restrictions

Application Attack Response

Characteristics:
  • SQL injection, XSS, RCE attempts
  • Targeted at specific endpoints
  • May be single attacker or small group
  • Technically sophisticated

Immediate Actions (5 minutes):

  1. Verify Blocking:
     • Check security logs
     • Confirm all attacks blocked (403/404)
     • Look for any successful requests (200 status)

  2. If Attacks Are Blocked:
     • WAF is working correctly
     • Monitor for bypass attempts
     • No immediate action needed
     • Document for review

  3. If Attacks Succeed:
     • Immediate incident response
     • Isolate affected systems
     • Check application logs
     • Assess data exposure
     • Follow breach procedures

Investigation (30 minutes):

  • Identify targeted vulnerability
  • Check if known vulnerability
  • Review application for weakness
  • Plan security patch
  • Consider temporary endpoint disable

Remediation:

  • Apply security patches
  • Update WAF rules if needed
  • Test fixes thoroughly
  • Monitor for repeated attempts

Reconnaissance/Scanning Response

Characteristics:
  • Requests to common paths (/admin/, /phpmyadmin/)
  • Low to moderate volume
  • Systematic pattern
  • Information gathering phase

Immediate Actions (2 minutes):

  1. Verify Blocking:
     • Check logs confirm blocks
     • Standard WAF rules sufficient

  2. No Immediate Action Needed:
     • Scanning is constant on the internet
     • WAF blocks automatically
     • Part of normal baseline

Optional Enhanced Protection:

  • Add attacker IP to block list
  • Enable bot protection
  • Geographic blocking if repeated

Monitor For:
  • Escalation to active attacks
  • Successful information disclosure
  • Bypass attempts

Credential Stuffing Response

Characteristics:
  • Login attempts with valid username/password pairs
  • High success rate if credentials valid
  • May be low volume to avoid detection
  • Uses stolen credentials from other breaches

Immediate Actions (10 minutes):

  1. Enable Aggressive Rate Limiting:

     Protected Paths: /wp-login.php, /api/auth/
     Events per minute: 3
     Response: Drop

  2. Review Successful Logins:
     • Check access logs for 200 status on login
     • Note IP addresses of successful logins
     • Check if IPs match legitimate users

  3. If Compromises Detected:
     • Force password resets
     • Lock compromised accounts
     • Enable two-factor authentication
     • Review account activity logs

  4. Email Notifications:
     • Notify affected users
     • Require password changes
     • Recommend unique passwords
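The "Review Successful Logins" step above, as an added example that is not part of the original guide: it tallies login attempts and successes per IP from combined-format access-log lines and flags successful logins from addresses outside a known-good list. The sample log lines and the `KNOWN_GOOD_IPS` allow-list are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Combined-log-format line; only the fields this check needs are captured.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/api/auth/")

# Constructed sample: a known office IP logging in normally, one IP trying
# several credentials with two hits, and one low-and-slow IP with a single hit.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [01/May/2024:02:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.45 - - [01/May/2024:02:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 128
203.0.113.45 - - [01/May/2024:02:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 128
203.0.113.45 - - [01/May/2024:02:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.45 - - [01/May/2024:02:00:05 +0000] "POST /api/auth/ HTTP/1.1" 401 64
203.0.113.45 - - [01/May/2024:02:00:06 +0000] "POST /api/auth/ HTTP/1.1" 200 256
192.0.2.99 - - [01/May/2024:02:17:40 +0000] "POST /wp-login.php HTTP/1.1" 200 512
192.0.2.99 - - [01/May/2024:02:18:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 4096
"""

def login_summary(log_text, success_statuses=("200",)):
    """Per-IP login attempts and successes on the protected paths. The guide
    treats a 200 on the login path as success; applications that answer a good
    login with a redirect should be checked with success_statuses=("302",)."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0})
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATHS):
            continue  # not a login attempt
        stats[m["ip"]]["attempts"] += 1
        if m["status"] in success_statuses:
            stats[m["ip"]]["successes"] += 1
    return dict(stats)

def suspect_logins(log_text, known_good_ips, success_statuses=("200",)):
    """IPs with at least one successful login that are not known legitimate
    sources, most successes first. Both a success after failures from the same
    IP and a lone success from a new IP fit the low-volume, high-hit-rate
    pattern the guide describes, so neither is filtered out."""
    flagged = []
    for ip, s in login_summary(log_text, success_statuses).items():
        if s["successes"] and ip not in known_good_ips:
            flagged.append((ip, s["attempts"], s["successes"]))
    return sorted(flagged, key=lambda t: (-t[2], -t[1], t[0]))

# Hypothetical allow-list of addresses your own staff log in from.
KNOWN_GOOD_IPS = {"198.51.100.7"}
```

Each flagged tuple (IP, attempts, successes) is a candidate for the "If Compromises Detected" step; the low-and-slow case with one attempt and one success is exactly the one a volume-based rate limit would never catch.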

Prevention:

  • Enforce strong password policies
  • Implement two-factor authentication
  • Monitor for unusual login patterns
  • Use CAPTCHA on login forms

Attack-Specific Tactics

Blocking Persistent Attackers

Single IP attacking repeatedly:

Configuration:

Create IP block list:
  203.0.113.45
  198.51.100.30
  192.0.2.99

Response: Drop

Considerations:
  • Effective for single-source attacks
  • Attackers may rotate IPs
  • Monitor for IP changes

Emergency Geographic Blocking

Attack from specific region:

Fast Implementation:
  1. Identify attack source country
  2. Enable geographic blocking
  3. Select country
  4. Response: Drop
  5. Deploy (30-60 seconds)

Effectiveness:
  • Immediate attack volume reduction
  • May block some legitimate users
  • Monitor for impact
  • Plan to remove after attack

Temporary Protection Tightening

During active attack, temporarily increase security:

Tighter Rules:
  • Lower rate limits by 50%
  • Enable all rule groups
  • Use “drop” response
  • Enable bot protection

After Attack:
  • Gradually relax restrictions
  • Monitor for attack resumption
  • Return to normal configuration
  • Document temporary changes

Coordinated Response

Team Communication

During attack:

Notify Team:
  • Security team (immediate)
  • DevOps/infrastructure (immediate)
  • Management (within 30 minutes)
  • Customer support (within 1 hour)

Information to Share:
  • Attack type and severity
  • Response actions taken
  • Expected impact on users
  • Timeline for resolution

Communication Channels:
  • Dedicated incident channel (Slack, Teams)
  • Status page updates
  • Support ticket responses
  • Management briefings

Escalation

When to escalate:

To Management:
  • High or critical severity
  • Potential data breach
  • Extended outage (>1 hour)
  • Media attention likely

To AtomicEdge Support:
  • Massive DDoS (>100k requests/min)
  • Suspected WAF bypass
  • Configuration assistance needed
  • Additional resources required

To Law Enforcement:
  • Successful breach
  • Data exposure
  • Ransomware
  • Legal requirements

Post-Attack Review

Immediate Post-Attack (Within 24 hours)

Assessment:
  • Total attack duration
  • Attack volume
  • Response effectiveness
  • Impact on legitimate users
  • Successful vs blocked attempts

Documentation:
  • Timeline of events
  • Actions taken
  • Configuration changes
  • Lessons learned

Communications:
  • Update team
  • Notify affected users (if any)
  • Update status page
  • Brief management

Detailed Analysis (Within 1 week)

Attack Analysis:
  • Review complete log data
  • Identify attack patterns
  • Trace attack source
  • Determine attack motivation
  • Assess attacker capability

Response Evaluation:
  • What worked well
  • What could improve
  • Response timeline
  • Team coordination
  • Tool effectiveness

Recommendations:
  • Configuration changes
  • Additional protections
  • Monitoring improvements
  • Training needs
  • Process updates

Long-Term Improvements

Configuration Updates:

Based on attack:
- Permanent rate limiting
- Geographic blocks if justified
- Additional rule groups
- Stricter response actions

Monitoring Enhancements:
  • Set up attack-specific alerts
  • Create attack dashboards
  • Automated response triggers
  • Improved log analysis

Process Improvements:
  • Update response procedures
  • Train team on lessons learned
  • Improve communication protocols
  • Document new attack patterns

Attack Type Decision Matrix

Quick reference for response decisions:

Brute Force

Action: Rate limiting (3-5 requests/min)
Priority: High
Response: Drop
Monitor: Login success rates

DDoS

Action: Rate limiting + geographic blocking + bot protection
Priority: Critical
Response: Drop
Monitor: Site availability, request volume

SQL Injection

Action: Verify WAF blocking, investigate if successful
Priority: Critical if successful, Low if blocked
Response: 403/Drop
Monitor: Application logs, database

XSS

Action: Verify WAF blocking, tune for false positives
Priority: High if successful, Low if blocked
Response: 403
Monitor: False positive rate

Scanning

Action: No action unless high volume
Priority: Low
Response: 403
Monitor: For escalation

Credential Stuffing

Action: Aggressive rate limiting, 2FA, password resets
Priority: High
Response: Drop
Monitor: Successful logins, account activity

Emergency Procedures

Complete Site Protection Lockdown

When under severe attack:

Configuration:

Rate Limiting:
  Protected Paths: /
  Events per minute: 20
  Response: Drop

Geographic Blocking:
  Block all except primary market
  Response: Drop

Bot Protection:
  Enabled
  Response: Drop

Page Protection:
  Whitelist known good IPs only

Use Cases:
  • Massive DDoS
  • Active breach attempt
  • Zero-day exploitation
  • Until proper fix deployed

Duration: Temporary only, plan to remove restrictions.

Temporary Site Disable

If the attack is overwhelming:

Option 1: Maintenance Mode
  • Application-level maintenance page
  • Preserves some functionality
  • Can whitelist admin access

Option 2: Origin Shutdown
  • Stop origin server temporarily
  • Prevents successful attacks
  • Complete outage
  • Last resort only

Option 3: DNS Change
  • Point to static maintenance page
  • Preserves DNS
  • Full control over messaging

Preparation Checklist

Before attacks occur:

  • [ ] Document response procedures
  • [ ] Establish team communication channels
  • [ ] Set up monitoring and alerts
  • [ ] Create emergency contact list
  • [ ] Practice incident response
  • [ ] Document current configuration
  • [ ] Have rollback procedures ready
  • [ ] Establish escalation paths
  • [ ] Train team members
  • [ ] Test protection changes

Best Practices

Stay Calm: Methodical response is more effective than panic.

Document Everything: Record timeline, actions, results.

Communicate Clearly: Keep team and stakeholders informed.

Monitor Continuously: Watch for attack pattern changes.

Verify Effectiveness: Ensure mitigations actually work.

Layer Protections: Multiple protections are more effective than a single method.

Plan for Long-Term: Some attacks persist for days or weeks.

Learn and Improve: Every attack is a learning opportunity.

Don’t Over-React: Balance security with user experience.

Know Your Tools: Understand capabilities before attack occurs.

Effective attack response requires preparation, clear procedures, and calm execution. Most attacks can be mitigated quickly with proper use of AtomicEdge protection features.