DDoS Attack

Your website or services are being overwhelmed by a flood of traffic, making them unavailable to legitimate users. DDoS (Distributed Denial of Service) attacks can last hours to days and are often used for extortion, hacktivism, or as cover for other attacks.

Types of DDoS Attacks

  • Volumetric - Flood of traffic overwhelming bandwidth (UDP floods, DNS amplification)
  • Protocol - Exploiting network protocol weaknesses (SYN floods)
  • Application - Targeting specific applications/features (HTTP floods, Slowloris)

Immediate Actions

  1. Contact your hosting provider/ISP - They may be able to filter traffic upstream
  2. Enable DDoS protection - Cloudflare, AWS Shield, etc.
  3. Document the attack - Traffic patterns, source IPs, timing
  4. Check for other attacks - DDoS is sometimes used as a distraction
  5. Consider reporting - To CERT-SE if significant

Free DDoS Protection Services

Cloudflare (Free Tier)

  • Website: cloudflare.com
  • Free plan includes basic DDoS protection
  • "Under Attack Mode" for active attacks
  • Easy DNS-based setup

Project Galileo (Cloudflare)

  • Website: cloudflare.com/galileo
  • Free for: Journalists, human rights organizations, democracy advocates
  • Full enterprise-level protection at no cost

Deflect

  • Website: deflect.ca
  • Free for: Independent media, civil society, human rights organizations
  • Run by eQualitie, focused on at-risk websites

Google Project Shield

  • Website: projectshield.withgoogle.com
  • Free for: News sites, journalists, human rights organizations, election monitoring
  • Unlimited free protection

Commercial DDoS Protection

| Provider | Suitable For | Website |
|---|---|---|
| Cloudflare Pro/Business | SMEs | cloudflare.com |
| AWS Shield | AWS customers | aws.amazon.com/shield |
| Azure DDoS Protection | Azure customers | azure.microsoft.com |
| Akamai Prolexic | Enterprise | akamai.com |
| Imperva | Enterprise | imperva.com |

During an Attack

Enable "Under Attack Mode" (Cloudflare)

If using Cloudflare:

  1. Log into Cloudflare dashboard
  2. Select your domain
  3. Click "Under Attack Mode" in Quick Actions
  4. This adds a JavaScript challenge to all visitors

Rate Limiting

Configure your web server to limit requests:

Nginx:

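limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;  # http context: defines the per-IP zone
limit_req zone=one burst=20;  # server/location context: applies the zone (burst value is an example)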

Apache:

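<IfModule mod_ratelimit.c>
    # mod_ratelimit throttles response bandwidth per connection (value in KiB/s); it does not cap request rate
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 400
</IfModule>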

Block Attack Sources

If attack sources are identifiable:

  • Block by IP range at firewall level
  • Use GeoIP blocking if attack originates from specific countries
  • Work with your ISP for upstream filtering
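
To support documenting source IPs and timing and deciding which IP ranges to block, the following added example (not part of the original guide) parses access log lines, flags sources whose peak rate exceeds the 10 r/s used in the Nginx zone, and groups them by /24 (IPv4) or /64 (IPv6). The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Client address and timestamp of a combined-format access log line (assumed format).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
RATE_LIMIT = 10  # requests/second, matching rate=10r/s in the Nginx zone

def parse(lines):
    """Yield (ip, timestamp) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        try:
            ip = str(ip_address(m.group(1)))
            yield ip, datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue

def summarize(lines, limit=RATE_LIMIT):
    """Return (offenders, ranges): sources whose peak per-second rate exceeds
    limit, and how many such sources fall in each /24 (IPv4) or /64 (IPv6)."""
    per_second = defaultdict(Counter)  # ip -> {timestamp (1 s resolution): hits}
    for ip, ts in parse(lines):
        per_second[ip][ts] += 1
    offenders, ranges = {}, Counter()
    for ip, hits in per_second.items():
        peak = max(hits.values())
        if peak > limit:
            offenders[ip] = {"peak_rps": peak, "total": sum(hits.values()),
                             "first": min(hits), "last": max(hits)}
            prefix = 64 if ":" in ip else 24
            ranges[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return offenders, ranges

def sample():
    """Constructed log lines (documentation addresses), not real traffic."""
    fmt = '{ip} - - [12/Jan/2026:10:00:{s:02d} +0100] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", s=1)] * 40
    lines += [fmt.format(ip="198.51.100.9", s=s) for s in (1, 2) for _ in range(15)]
    lines += [fmt.format(ip="192.0.2.10", s=s) for s in range(5)]
    return lines + ["not a log line"]

if __name__ == "__main__":
    offenders, ranges = summarize(sample())
    for ip, info in sorted(offenders.items()):
        print(ip, info["peak_rps"], "req/s peak,", info["first"], "to", info["last"])
    print(dict(ranges))
```

Review the ranges before blocking: a range can contain legitimate users behind shared NAT, and behind a CDN or reverse proxy the logged address is the proxy unless the real client IP is restored in the log.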

After the Attack

  1. Analyze logs - Understand the attack pattern
  2. Review infrastructure - Identify weak points
  3. Implement permanent protection - CDN, DDoS mitigation
  4. Create incident report - Document for future reference
  5. Consider reporting - Police if extortion involved

Evidence to Preserve

  • [ ] Traffic logs with timestamps
  • [ ] Attack source IP addresses
  • [ ] Traffic volume statistics
  • [ ] Screenshots of monitoring dashboards
  • [ ] Any ransom/extortion messages
  • [ ] Timeline of the attack

Swedish Resources

CERT-SE

  • Website: cert.se
  • Report significant DDoS attacks
  • May have intelligence on attack campaigns

Police

  • Report if: Extortion involved, significant business impact
  • Website: polisen.se/anmal

DDoS Analysis Tools

Check If You're Under Attack

Analyze Traffic

Guides & Documentation

  • CISA DDoS Guidance
  • Cloudflare Learning Center
  • AWS DDoS White Paper

If Extortion Is Involved

Some attackers demand ransom to stop DDoS attacks:

  1. Do NOT pay - No guarantee attacks will stop, encourages more attacks
  2. Document all communications - Screenshots, preserve emails
  3. Report to police - This is criminal extortion
  4. Implement protection - Better to invest in mitigation than pay attackers

Need Help?

If your Swedish organization is under DDoS attack:

Apply to HackAid - We can help analyze the attack and recommend protection.


Last updated: 2026-01