Resposta a Incidentes 24/7 · Indisponibilidade / DDoS

My site or app is down or under a DDoS attack — what to do now

O que fazer agora

Act on three fronts at once. First, confirm whether it is DDoS, a legitimate access spike or an outage from a breach: look at the real-time traffic in your CDN/host dashboard and look for abnormal volume coming from many origins. Second, if it is an attack, enable edge mitigation immediately — put the site behind a WAF/CDN (such as Cloudflare), turn on Under Attack mode, apply rate limiting and, if necessary, temporary geoblocking, and open a maximum-severity ticket with the hosting and CDN. Third, preserve all logs before they rotate and treat the event as a possible compromise, because DDoS is often a smokescreen for a simultaneous intrusion. If the attack persists or you suspect a breach, engage Decripte's 24/7 Incident Response through /contato — containment SLA of up to 1 hour.

SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.

Sinais de alerta

  • Site or app slow, intermittent or completely inaccessible without any recent deploy change.
  • Request volume far above normal coming from hundreds or thousands of different IPs and regions.
  • Mass 502, 503 or 504 errors and server CPU, memory or bandwidth saturated.
  • The CDN/WAF dashboard showing spikes of blocked traffic or challenges firing in abnormal volume.
  • An extortion message demanding payment in cryptocurrency to stop the attack.
  • Login, search or checkout specifically overloaded, suggesting an application-layer (L7) attack.
  • Suspicious administrative activity, new accounts or abnormal data outflow during the instability window.

Primeiros passos — o que fazer agora

  1. 1

    Confirm the cause before reacting

    Open your CDN/host traffic dashboard and compare with the normal baseline. DDoS appears as very high volume from many origins in a short time; a legitimate spike comes from a campaign, a viral post or peak hours; an outage from a breach brings 5xx errors, strange processes or changes you did not make. Do not reboot servers blindly: that can erase evidence.

  2. 2

    Put the site behind a WAF/CDN and enable Under Attack mode

    If you do not use one yet, put the domain behind a CDN with anti-DDoS protection and turn on Under Attack mode, which inserts a validation challenge before serving the content. This filters automated bots and absorbs most of the malicious traffic at the edge, outside your infrastructure.

  3. 3

    Apply rate limiting and temporary geoblocking

    Configure request limits per IP and per route (especially login, search and checkout) and temporarily block countries or ASNs from which you provably have no legitimate traffic. Treat it as a surgical, reversible measure, and document it, so you can revert when the attack stops and not penalize real users.

  4. 4

    Escalate with hosting and CDN immediately

    Open a maximum-severity ticket with your hosting and CDN provider informing them that you are under an active attack. They have scrubbing capacity and network-level mitigation rules that you cannot apply on your own. Have on hand the origin IP, affected domains and the exact start time.

  5. 5

    Preserve logs and evidence now

    Before the logs rotate or overwrite themselves, export and store safely: web server access and error logs, WAF/CDN logs, network flow data (NetFlow, if available) and the start time. This data is essential to understand the vector, size the attack and identify whether there was an attached intrusion.

  6. 6

    Check for an intrusion behind the DDoS

    DDoS is frequently a smokescreen. While the team focuses on keeping the site up, an attacker may exploit a flaw, exfiltrate data or attempt mass login. Check administrative access, new accounts or API keys, file changes, firewall rules and outbound data spikes during the attack window.

  7. 7

    Communicate the status to users calmly

    Publish a short, honest notice on a status page or on social media: acknowledge the instability, say it is being handled and avoid technical details that help the attacker. Clear communication reduces panic, support tickets and reputational damage.

  8. 8

    Engage Decripte's 24/7 Incident Response

    If the attack persists, you do not have a WAF, or you suspect a breach along with it, engage Decripte's 24/7 Incident Response through /contato. Our SOC takes on edge containment with an SLA of up to 1 hour, investigates whether there was a parallel compromise and returns the environment stabilized.

O que NÃO fazer

  • Do not reboot servers or clear logs on impulse just to bring the site back: that destroys the evidence that shows the attack vector and whether there was an attached breach.
  • Do not assume it is only DDoS and ignore the internal infrastructure: the volumetric attack often masks flaw exploitation, login brute-force or exfiltration happening at the same time.
  • Do not leave geoblocking or aggressive blocks permanent without review: you may be blocking real customers and losing revenue long after the attack has ended.
  • Do not confuse a legitimate access spike with an attack and shut everything down: a successful campaign or a viral moment is solved with scaling, not with blocking.
  • Do not negotiate or pay a ransom in DDoS extortion attacks: payment does not guarantee the end, feeds the crime and marks you as a paying target for new extortions. File a police report and seek specialized guidance.
  • Do not expose technical details of the incident publicly while it is active: information about your defenses and limits helps the attacker adjust the pressure.

First step: is it DDoS, a legitimate spike or a breach?

Before any mitigation, diagnose. A distributed DDoS attack appears as a request volume far above average, originating from many different networks and geographies and concentrated in a short time. A legitimate spike has a real-world explanation — a marketing campaign, a post that went viral, a promotion or peak business hours — and the traffic, though high, has a coherent pattern of real users. An outage from a breach, on the other hand, usually comes with internal errors, unknown processes consuming resources, altered files or configurations no one on the team touched.

The place to look is the analytics dashboard of your CDN, WAF or load balancer, plus the web server logs. Compare the current traffic with the baseline of the last few weeks. If the volume is abnormal and dispersed, it is DDoS mitigation. If the volume is normal but the server went down, investigate a compromise. Diagnosing wrong makes you waste precious time applying the wrong defense — and it is precisely in this detection-and-analysis phase that a SOC with 24x7 visibility drastically reduces the time to containment.

Enable edge mitigation: WAF, CDN and Under Attack mode

The most effective defense against DDoS happens at the edge, before the traffic reaches your server. Put the domain behind a CDN with anti-DDoS protection — Cloudflare is the most common option and offers a free entry plan — and enable Under Attack mode, which presents a validation challenge for a few seconds to each visitor, filtering automated bots without blocking real people. This mechanism absorbs most of the volumetric traffic on the provider's network, sparing your infrastructure.

Next, refine with rate limiting per IP and per route, paying special attention to the most expensive and most targeted endpoints: login, search, APIs and checkout. Use temporary geoblocking to cut off regions where you provably have no customers — but treat it as a surgical, reversible measure. Layer 7 (application) attacks mimic real users and require finer WAF rules than a simple volumetric block; this is where specialized configuration makes the difference between filtering the attacker and taking down your own customers.

Resposta a Incidentes · 24/7

Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

Escalate with providers and preserve evidence

You do not have to face a network attack alone. Immediately open a maximum-severity ticket with your hosting provider and with your CDN, making clear that it is an active attack. Providers have scrubbing capacity, network-level mitigation and visibility that you cannot reach from the inside. Provide the start time, affected domains and IPs and any pattern you have already identified to speed up their response.

In parallel, preserve evidence before it is lost. Export and store safely the access and error logs, the WAF/CDN logs, the network flow data and the timestamp record of the event. These artifacts are what later allow you to reconstruct the attack, size the impact and — crucially — check whether there was an attached intrusion. Logs rotate and overwrite themselves; losing them means investigating in the dark and, if there is a data leak, compromising your ability to meet the legal notification obligations.

The hidden risk: DDoS as a smokescreen

Teams under pressure to bring the site back up tend to focus exclusively on availability — and it is precisely in that blind spot that attackers operate. A loud DDoS attack frequently serves to distract the team while, silently, exploitation of a vulnerability, credential brute-force or data exfiltration takes place. When the traffic returns to normal, no one looks back and the compromise goes unnoticed for days or weeks.

That is why, during and after the attack, investigate thoroughly: out-of-pattern administrative access, new accounts or API keys, changes to files and configurations, changes to firewall rules and any abnormal data-outflow spike in the incident window. If there is evidence of improper access or a leak of personal data, the Brazilian General Data Protection Law imposes notification duties with a short deadline — covered in the legal note below. Treating every DDoS as a possible double event is what separates a mature response from a false sense of security.

Resposta a Incidentes · 24/7

Precisa conter o incidente agora? Comece de graça e ative a resposta 24x7.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

Recovery, communication and lessons learned

With the attack contained, restore normalcy in a controlled way: revert geoblocking and aggressive rules that are no longer needed, monitor closely to ensure the traffic has stabilized and confirm that no collateral service was left degraded. Keep the WAF and the monitoring active — attackers often return to test whether you lowered your guard. Communicate to users that the service was normalized, with the same honesty and calm as the initial notice.

Then, do the lessons learned. Document the vector, what worked, what took long and what was missing. Configure permanent edge protection, traffic-anomaly alerts and a DDoS runbook so the next occurrence is routine, not a crisis. Decripte protects clients' edge with well-configured WAF and anti-DDoS and monitors the environment 24x7 with its own SOC, so the attack is detected and contained before it becomes unavailability. And to see your exposure right away, the free Threat Management plan (https://decripte.com.br/intelligence-center) shows leaked credentials, dark web exposure and your domain's reputation, with no credit card and requiring no technical team.

Obrigações legais (Brasil)

If the incident involves improper access or a leak of personal data — a real risk when the DDoS covers a breach — communication to the ANPD must occur within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024, with notice also to the affected data subjects. Unavailability without data compromise, as a rule, does not create that obligation, but record the event and investigate before ruling it out. In DDoS extortion, file a police report and do not pay a ransom. If there is financial fraud via Pix associated with the incident, contact the bank immediately to trigger the Special Return Mechanism (MED), whose window is short. These rules and deadlines (ANPD/LGPD) are Brazilian.

Termos importantes

DDoS (Distributed Denial of Service)
An attack that overwhelms a site, application or network with a huge volume of requests coming from many distributed origins at the same time, making the service slow or unavailable to legitimate users.
WAF (Web Application Firewall)
An application firewall that filters and blocks malicious traffic at the web layer, inspecting requests to block bots, exploits and attack patterns before they reach the server.
Under Attack mode
A feature of CDNs such as Cloudflare that presents a validation challenge for a few seconds to each visitor, filtering automated bot traffic and absorbing most of a volumetric attack at the edge.
Rate limiting
A technique that limits how many requests the same IP or route can make in a time interval, protecting sensitive endpoints such as login, search and checkout against abuse and application-layer attacks.
Layer 7 (L7) attack
A DDoS attack directed at the application layer that mimics the behavior of real users, focusing on expensive routes of the system; it is harder to detect and requires finer WAF rules than purely volumetric attacks.
Smokescreen
A tactic in which a loud attack, such as a DDoS, distracts the security team while, in parallel and silently, an intrusion, credential brute-force or data exfiltration takes place.

Perguntas frequentes

How do I know if my site is under a DDoS attack or if it is just an access spike?

Look at the traffic dashboard of your CDN, WAF or server and compare with the normal baseline. DDoS appears as very high volume coming from many IPs and regions in a short time, with no business explanation. A legitimate spike has a real cause — campaign, viral, peak hours — and a coherent pattern of users. If the server went down but the traffic is normal, investigate a breach instead of DDoS.

Does Cloudflare's Under Attack mode solve the DDoS attack?

It helps a lot against volumetric and bot attacks, as it inserts a validation challenge before serving the content, filtering automated traffic at the edge. But application-layer (L7) attacks mimic real users and require finer WAF and rate-limiting rules. For large or persistent attacks, combine Under Attack mode with escalation to the provider and specialized incident-response support.

Should I reboot the server to bring the site back faster?

Avoid rebooting blindly. Rebooting can drop the log collection and erase evidence of the attack vector and of a possible attached breach. First enable edge mitigation and preserve the logs; only reboot in a controlled, documented way, after capturing the current state and understanding what is happening.

Can DDoS be used to hide a breach in my system?

Yes, and it is common. The DDoS draws all the team's attention to availability while the attacker exploits a flaw, brute-forces login or exfiltrates data silently. During and after the attack, check administrative access, new accounts, file changes and data-outflow spikes. Treat every DDoS as a possible double event and, when in doubt, engage incident response.

I received a message demanding a crypto payment to stop the attack. Do I pay?

Do not pay. In DDoS extortion, payment does not guarantee the end of the attack, feeds the crime and marks you as a target willing to pay, attracting new extortions. The right path is to enable robust edge mitigation, escalate with the provider and CDN, file a police report and engage incident response to contain and investigate.

Do I have to notify the ANPD if the DDoS took my site down?

Pure unavailability, with no access to personal data, as a rule does not create an obligation to notify. But if the incident involves a leak or improper access to personal data — plausible when the DDoS covers a breach — communication to the ANPD must occur within 3 business days from awareness, under Resolution CD/ANPD No. 15/2024, in addition to notifying the affected data subjects. Investigate before ruling out the hypothesis.

How long does Decripte take to contain a DDoS attack?

Decripte's 24/7 Incident Response works with a containment SLA of up to 1 hour. When you engage through /contato, our SOC takes on edge mitigation with WAF and anti-DDoS, escalates with providers when necessary and investigates in parallel whether there was an attached intrusion, returning the environment stabilized.

How do I prevent this from happening again?

Keep permanent edge protection (well-configured WAF and anti-DDoS), traffic-anomaly alerts, rate limiting on critical endpoints and a response runbook. 24x7 monitoring detects the attack before it becomes unavailability. For preventive visibility of your exposure, Decripte's free Threat Management plan (https://decripte.com.br/intelligence-center) shows leaked credentials, dark web exposure and domain reputation, with no credit card.

Incidente em andamento?

Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.

Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.