Expert, 80 min

The DDoS Storm

Your monitoring alerts fire simultaneously: CloudFront error rates spike to 30%, ALB request counts jump to 50x their normal level, and your origin servers are returning 503s. A volumetric DDoS attack is hitting your e-commerce platform during a flash sale, and you cannot tell legitimate customers from attack traffic because the attackers are using a botnet that mimics real browser behaviour, with valid User-Agent strings and correct cookie handling. In this incident response challenge, you must mitigate the attack while keeping the site available for real customers; taking the entire site offline would cost hundreds of thousands of dollars in lost sales. Your immediate response is an AWS WAF rate-based rule that blocks any source IP exceeding 1,000 requests in a 5-minute evaluation window, but the botnet rotates through 50,000+ IP addresses, so no single address ever reaches the threshold. You escalate to Shield Advanced and engage the DDoS Response Team, who analyse the traffic patterns and identify a telltale pattern: the bots request HTML pages but never parse them or execute JavaScript, so they never fetch the secondary resources (images, CSS, fonts) that a real browser requests after the HTML. You implement a CloudFront Function that injects a JavaScript challenge, a small script that must execute in the client and set a token cookie, and configure WAF to block requests to API endpoints that lack this cookie. Note the limits of that gate: a presence-only cookie check stops clients that never run JavaScript, but a bot that does execute the script will obtain the cookie, so the token should be signed and verified at the origin (or you can use the WAF Challenge action, which issues and validates its own token). For the application-layer attack targeting your search endpoint, where each request triggers expensive database queries, you add a WAF rule that requires a valid CAPTCHA once a session exceeds 10 search requests per minute, and you deploy an ElastiCache layer in front of the search database to serve cached results for repeated queries.
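The three WAF controls described above, written out as an added example in the WAFv2 rule format that boto3's `create_web_acl` and `update_web_acl` accept. This is not code from the challenge or from AWS; the rule names, priorities, metric names, the `/api/` and `/search` paths, and the `cf_challenge_token` and `session_id` cookie names are assumptions. It also checks the one thing WAF rejects at deploy time and that is easy to get wrong when rules are assembled from several sources: duplicate priorities.

```python
"""Added example: the scenario's three WAF mitigations as WAFv2 rule objects.
All names, paths, cookie names and priorities below are assumptions."""

CHALLENGE_COOKIE = "cf_challenge_token"  # assumed: set by the CloudFront Function
SESSION_COOKIE = "session_id"            # assumed: the shop's session cookie
API_PREFIX = b"/api/"                    # assumed API path prefix (bytes: boto3 Blob)
SEARCH_PATH = b"/search"                 # assumed search endpoint


def _visibility(metric):
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def _uri_starts_with(prefix):
    """ByteMatch on the URI path; LOWERCASE so /API/ and /api/ match alike."""
    return {"ByteMatchStatement": {
        "SearchString": prefix,
        "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        "PositionalConstraint": "STARTS_WITH"}}


def ip_rate_limit_rule(priority=10, limit=1000, window_sec=300):
    """Block a single source IP above `limit` requests per evaluation window.
    A botnet spread over 50,000+ IPs never trips this; it is only step one."""
    return {"Name": "ip-rate-limit", "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("IpRateLimit")}


def api_challenge_cookie_rule(priority=20):
    """Block /api/ requests whose challenge cookie is absent or malformed.
    The regex checks only the token shape (payload.signature in base64url);
    WAF cannot verify an HMAC, so the origin must still validate the token."""
    has_token = {"RegexMatchStatement": {
        "RegexString": r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$",
        "FieldToMatch": {"Cookies": {
            "MatchPattern": {"IncludedCookies": [CHALLENGE_COOKIE]},
            "MatchScope": "VALUE",
            "OversizeHandling": "CONTINUE"}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}
    return {"Name": "api-requires-challenge-token", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                _uri_starts_with(API_PREFIX),
                {"NotStatement": {"Statement": has_token}}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("ApiChallengeToken")}


def search_captcha_rule(priority=30, limit=10, immunity_sec=300):
    """Serve a CAPTCHA once one session exceeds `limit` search requests per
    minute; solving it grants `immunity_sec` of CAPTCHA-free access.
    Requests without the session cookie are not counted by a cookie key, so
    pair this with the IP rule above rather than relying on it alone."""
    return {"Name": "search-captcha-gate", "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "EvaluationWindowSec": 60,
                "AggregateKeyType": "CUSTOM_KEYS",
                "CustomKeys": [{"Cookie": {
                    "Name": SESSION_COOKIE,
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}],
                "ScopeDownStatement": _uri_starts_with(SEARCH_PATH)}},
            "Action": {"Captcha": {}},
            "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": immunity_sec}},
            "VisibilityConfig": _visibility("SearchCaptchaGate")}


def validate_rule_priorities(rules):
    """WAF evaluates rules in priority order and rejects duplicate priorities."""
    priorities = [r["Priority"] for r in rules]
    return len(set(priorities)) == len(priorities)


def build_web_acl_rules():
    """The rule list to pass as Rules= to create_web_acl / update_web_acl."""
    rules = [ip_rate_limit_rule(), api_challenge_cookie_rule(), search_captcha_rule()]
    if not validate_rule_priorities(rules):
        raise ValueError("WAF rule priorities must be unique within a web ACL")
    return rules
```

`SearchString` is passed as bytes because boto3 models it as a Blob; if you export the same rules as JSON for the AWS CLI, base64-encode those values first. The rate-based rules use a 300-second window for the IP rule and a 60-second window for the search gate, matching the thresholds quoted in the scenario.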
Your response also includes streaming CloudFront real-time logs to a Kinesis data stream for live analysis of the attack traffic, writing a runbook for the SOC team that documents the mitigation steps, and designing a permanent architecture improvement: always-on Shield Advanced, a WAF baseline rule set, and a Lambda-based automatic response that detects traffic anomalies in the log stream and deploys rate-limiting rules within 60 seconds. This challenge teaches DDoS mitigation strategies, WAF rule design, and the incident response procedures for handling application-layer attacks.
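An added example of the automatic responder described above, and of turning the "HTML but no secondary resources" pattern from the traffic analysis into detection logic. This is not the challenge's reference solution: it assumes CloudFront real-time logs are configured with the field order `timestamp`, `c-ip`, `cs-uri-stem`, `sc-status` and delivered to Lambda through Kinesis, the baseline request rate and rule parameters are made-up figures, the log lines are constructed, and `FakeWafClient` is a stand-in for `boto3.client("wafv2")` so the code runs offline. The real WAF calls it models (`get_web_acl` and `update_web_acl`, which need the full rule list plus the `LockToken`) are the genuine boto3 signatures.

```python
"""Added example: Lambda-style responder over CloudFront real-time logs from
Kinesis. Field order, baseline, rule parameters and FakeWafClient are assumptions."""
import base64
from collections import defaultdict

# Assumed real-time log field order: timestamp  c-ip  cs-uri-stem  sc-status
SUBRESOURCE_SUFFIXES = (".js", ".css", ".png", ".jpg", ".webp", ".woff2", ".svg")
BASELINE_RPS = 200.0       # assumed normal request rate
ANOMALY_FACTOR = 10.0      # mitigate when rate exceeds 10x baseline
MIN_PAGE_HITS = 5          # too few page loads to judge a client
EMERGENCY_RULE = {         # priority 0 assumes no existing rule uses it
    "Name": "emergency-rate-limit", "Priority": 0,
    "Statement": {"RateBasedStatement": {
        "Limit": 100, "EvaluationWindowSec": 60, "AggregateKeyType": "IP"}},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "EmergencyRateLimit"}}


def parse_records(event):
    """Decode Kinesis records (base64, tab-separated lines) into tuples."""
    rows = []
    for rec in event["Records"]:
        raw = base64.b64decode(rec["kinesis"]["data"]).decode("utf-8", "replace")
        for line in raw.splitlines():
            parts = line.split("\t")
            if len(parts) >= 4:
                rows.append((float(parts[0]), parts[1], parts[2], parts[3]))
    return rows


def profile_clients(rows):
    """Per client IP: how many HTML/API hits versus static asset hits."""
    prof = defaultdict(lambda: {"pages": 0, "assets": 0})
    for _, ip, path, _ in rows:
        kind = "assets" if path.lower().endswith(SUBRESOURCE_SUFFIXES) else "pages"
        prof[ip][kind] += 1
    return prof


def headless_clients(prof):
    """IPs that keep fetching pages but never one asset, the pattern the
    response team found. Legitimate API-only integrations need an allow list."""
    return sorted(ip for ip, c in prof.items()
                  if c["pages"] >= MIN_PAGE_HITS and c["assets"] == 0)


def request_rate(rows):
    """Requests per second over the batch, with a 1 s floor on the span."""
    if len(rows) < 2:
        return 0.0
    span = max(r[0] for r in rows) - min(r[0] for r in rows)
    return len(rows) / max(span, 1.0)


def deploy_emergency_rule(waf, name, scope, acl_id):
    """Prepend EMERGENCY_RULE to the web ACL unless already present.
    update_web_acl replaces the whole rule list and requires the LockToken
    returned by get_web_acl (optimistic concurrency)."""
    current = waf.get_web_acl(Name=name, Scope=scope, Id=acl_id)
    acl = current["WebACL"]
    if any(r["Name"] == EMERGENCY_RULE["Name"] for r in acl["Rules"]):
        return False
    waf.update_web_acl(Name=name, Scope=scope, Id=acl_id,
                       DefaultAction=acl["DefaultAction"],
                       Rules=[EMERGENCY_RULE] + acl["Rules"],
                       VisibilityConfig=acl["VisibilityConfig"],
                       LockToken=current["LockToken"])
    return True


def handle(event, waf, name="shop-acl", scope="CLOUDFRONT", acl_id="acl-id"):
    """Body of the Lambda handler; a real one wraps this with boto3.client('wafv2')."""
    rows = parse_records(event)
    rate = request_rate(rows)
    suspects = headless_clients(profile_clients(rows))
    deployed = rate > BASELINE_RPS * ANOMALY_FACTOR and \
        deploy_emergency_rule(waf, name, scope, acl_id)
    return {"rate_rps": round(rate, 1), "suspects": suspects, "deployed": deployed}


class FakeWafClient:
    """Constructed stand-in for boto3.client('wafv2'); records updates."""
    def __init__(self, rules=None):
        self.acl = {"Rules": list(rules or []), "DefaultAction": {"Allow": {}},
                    "VisibilityConfig": {"SampledRequestsEnabled": True,
                                         "CloudWatchMetricsEnabled": True,
                                         "MetricName": "ShopAcl"}}
        self.lock, self.updates = "tok-1", []

    def get_web_acl(self, **kw):
        return {"WebACL": dict(self.acl), "LockToken": self.lock}

    def update_web_acl(self, **kw):
        assert kw["LockToken"] == self.lock, "stale LockToken"
        self.acl["Rules"], self.lock = kw["Rules"], "tok-2"
        self.updates.append(kw)
        return {"NextLockToken": self.lock}


def sample_event():
    """Constructed batch: three bot IPs hammering product pages only, plus one
    real browser that loads a page, its assets and a search."""
    t, lines = 1_700_000_000.0, []
    for i in range(3000):
        lines.append(f"{t + i / 3000:.3f}\t198.51.100.{i % 3}\t/product/{i % 50}\t200")
    for i, p in enumerate(["/", "/static/app.js", "/static/site.css", "/img/hero.webp", "/search"]):
        lines.append(f"{t + 0.5 + i / 100:.3f}\t203.0.113.7\t{p}\t200")
    data = base64.b64encode("\n".join(lines).encode()).decode()
    return {"Records": [{"kinesis": {"data": data}}]}
```

Run `handle(sample_event(), FakeWafClient())` to see the three bot IPs flagged and the emergency rule inserted ahead of the existing rules; a second invocation finds the rule already present and makes no further API call, which is what you want from something that fires on every Kinesis batch.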

AWS Services You'll Use

CloudFront, WAF, Shield Advanced, ALB, Lambda, ElastiCache, CloudWatch, Kinesis

Challenge Details

Path: Production Breakout: Incident Response
Difficulty: Expert
Duration: 80 min
Plan: Pro

Architecture Patterns You'll Learn

rate limiting, JavaScript challenge, CAPTCHA gate, traffic analysis, automatic mitigation

Why This Challenge?

Unlike whiteboard exercises or multiple-choice quizzes, this challenge requires you to design a real architecture with actual AWS services, evaluate trade-offs, and defend your decisions. Our automated validators check your design against production-grade criteria. Complete it and it shows up in your verified portfolio with your architecture diagram and design rationale.

Ready to design this for real?

Get the full scenario, design your architecture using real AWS services, and validate against production-grade criteria. Your completed challenge shows up in your verified portfolio.
