Fast checklist for organisations
If your website suddenly becomes slow, unresponsive, or goes offline:
- Check your monitoring tools for unusual spikes in traffic or server load
- Inform your IT, security team or website support provider immediately
- Make a note of when the issue started and what it looks like to users
- Confirm whether DDoS protection, rate limiting or firewall rules can be switched on or strengthened
- Prepare key messages to communicate in case customers or stakeholders are affected
The sections below explain these actions in more detail.
Step 1 – Clarify what is happening
Your priority is to gather as much information as possible to understand the cause of the unusual activity.
Start by collecting data from all relevant parts of the system, including:
- Traffic volumes and where traffic is coming from
- Bandwidth consumption
- Web server and processor load
- Database activity and response times
- Alerts generated by your monitoring and security tools
You should also consider other sources of information that may explain unusual behaviour, such as:
- Helpdesk tickets and user reports
- Social media activity or public campaigns relating to your organisation
- Recent media coverage
- Any recent website updates, changes or deployments
It’s important to remember that not all increases in traffic are caused by attacks. For example, genuine public interest, a campaign launch or a misconfiguration can also result in abnormal patterns.
As you analyse the data, you may find that:
- Very high traffic with no obvious business reason could indicate a volumetric attack, designed to exhaust your bandwidth
- High load on network devices with normal traffic levels could indicate a protocol-based attack, targeting how network equipment handles requests
- Very heavy, repeated database or application requests could suggest an application-layer attack, aimed at exhausting server or processing resources
Understanding which of these scenarios is most likely will help you plan your next steps.
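A worked triage over a handful of constructed access-log lines, covering the indicators Step 1 lists (volume against a baseline, client concentration, share of resource-heavy requests, server error rate). This is an added example, not part of the original guidance; the log format, the resource-heavy path prefixes and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter
# Constructed sample access-log lines (made up for this example; not real traffic):
# <client_ip> [<time>] "<method> <path>" <status> <bytes> <response_ms>
SAMPLE_LOG = """\
203.0.113.7 [09/Dec/2025:10:00:01] "GET /search?q=a" 200 5120 1850
203.0.113.7 [09/Dec/2025:10:00:01] "GET /search?q=b" 200 5120 1900
198.51.100.3 [09/Dec/2025:10:00:02] "GET /search?q=c" 200 5120 2100
198.51.100.3 [09/Dec/2025:10:00:02] "GET /search?q=d" 503 0 3000
192.0.2.44 [09/Dec/2025:10:00:03] "GET /index.html" 200 8192 40
203.0.113.7 [09/Dec/2025:10:00:03] "GET /search?q=e" 503 0 3000
198.51.100.3 [09/Dec/2025:10:00:04] "GET /search?q=f" 503 0 3000
192.0.2.9 [09/Dec/2025:10:00:05] "GET /donate" 200 6000 55
"""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3}) (\d+) (\d+)$')
HEAVY_PREFIXES = ("/search", "/api/")  # assumed resource-heavy, database-backed paths

def parse(log_text):
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _ts, _method, path, status, _size, _ms = m.groups()
            records.append({"ip": ip, "path": path, "status": int(status)})
    return records

def triage(records, baseline_rpm, window_minutes=1.0):
    """Compute the Step 1 indicators and name the DDoS pattern each points to.
    No indicators means the spike may be benign: check campaigns and deployments first."""
    if not records:
        return {"indicators": []}
    total = len(records)
    heavy = [r for r in records if r["path"].startswith(HEAVY_PREFIXES)]
    top_ip, top_count = Counter(r["ip"] for r in records).most_common(1)[0]
    res = {
        "volume_ratio": total / window_minutes / baseline_rpm,   # vs normal requests/min
        "top_client": top_ip,
        "top_client_share": top_count / total,
        "heavy_share": len(heavy) / total,
        "error_rate": sum(r["status"] >= 500 for r in records) / total,
        "indicators": [],
    }
    if res["volume_ratio"] >= 5:   # thresholds below are illustrative assumptions
        res["indicators"].append("volumetric: request rate far above baseline")
    if res["heavy_share"] >= 0.5 and res["error_rate"] >= 0.25:
        res["indicators"].append("application-layer: heavy requests dominate and the server is erroring")
    if res["top_client_share"] >= 0.3:
        res["indicators"].append("concentrated: a few clients account for most requests")
    return res
```

Running `triage(parse(SAMPLE_LOG), baseline_rpm=2)` on the sample flags an application-layer pattern rather than a volumetric one: the request rate is only four times the assumed baseline, but three quarters of requests hit the search endpoint and the server is already returning 503s.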
Step 2 – Put the right defences in place
Once you have determined that the probable cause is a DDoS attack, you can apply appropriate controls.
Depending on your set-up, this may include:
Automated protections (where in place)
- Web Application Firewalls (WAFs)
- Content Delivery Networks (CDNs) to absorb and distribute traffic
- Traffic baselining to detect and block abnormal patterns
- Rate limiting rules to restrict excessive requests
- Allow and deny lists, including geo-blocking
- Load balancers to spread traffic evenly
These measures are most effective when they are already configured and can be triggered automatically.
Controls from service providers
- Your hosting provider or ISP may be able to block known malicious IP ranges
- Geo-blocking can be used to restrict access to necessary locations only
- Challenge-response tools such as CAPTCHA can reduce automated traffic
- Thresholds for alerting and blocking can be tightened
Infrastructure changes
- Increasing available bandwidth or processing power
- Manually activating failover systems
- Your hosting provider or ISP may be able to divert known malicious traffic to a controlled environment (sometimes called ‘sinkholing’). This is typically managed by providers rather than in-house teams.
- Making temporary firewall or routing changes
Application-level adjustments
- Temporarily disabling non-essential features such as search functions
- Limiting the use of resource-heavy plugins or integrations
- Reducing the website to essential functions only
Once the initial defences are in place, continue to monitor the environment and apply additional controls if required.
If internal capability is limited, a commercial cyber incident response provider may be able to support log analysis, containment and recovery.
Step 3 – Continually review the situation
A DDoS attack is rarely static, so ongoing review is essential.
You should keep monitoring:
- Whether traffic is increasing, decreasing or stabilising
- Whether the type of traffic is changing
- How system performance is responding
- What alerts are continuing or stopping
- Whether more, or fewer, services are being affected
- Whether third parties or partners are seeing similar issues
It is also important to watch for other types of attack. In some cases, a DDoS can be used as a distraction while a more targeted intrusion attempt happens elsewhere.
Step 4 – Communicate clearly
For NGOs and other public-facing organisations, communication during a DDoS event is particularly important.
Depending on the impact, you may need to inform:
Internally
- Leadership and risk owners
- IT, security and support teams
- Communications teams
Externally
- Users, donors or beneficiaries
- Partners and stakeholders
- Hosting or technology providers
Your communication may include:
- Confirmation that a cyber incident is affecting the website
- Acknowledgement of reduced performance or temporary unavailability
- Alternative ways to get in contact if required
- Updates as services begin to stabilise
All messaging should follow your established communications and reputational risk protocols.
Step 5 – Recover and restore
Once the attack has subsided and the situation is stabilising, recovery should begin so that downtime and disruption are kept to a minimum.
Signs that recovery can start include:
- Traffic volumes returning to manageable levels
- System resources stabilising
- Alerts decreasing
- Fewer user reports of problems
At this point, you may:
- Restart systems or features that were switched off
- Roll back temporary filters or restrictions
- Return from backup or failover systems to primary systems
- Restore any affected content from backup if needed
Where possible, address any vulnerabilities identified during the incident so the same method cannot be used again.
Step 6 – Strengthen your defences
After a DDoS incident, it is important to review both your preventative and reactive controls.
Preventative measures
- Keep the website up to date (software, plugins, backend infrastructure)
- Proactively manage website access in line with the starters, movers and leavers process
- Apply the principle of least privilege (e.g. editors vs administrators)
- Include third-party developers or website providers in all access management
- Vet third parties and periodically audit their access and compliance
- Ensure the website is being backed up and that restores are periodically tested
- Consider resilient architecture such as load balancers and web application firewalls
- Keep and review logs of website activity
Reactive measures
- Monitoring and alerting for unusual website activity
- Clearly documented incident response procedures, including who to contact
- Ability to restore from backup
- Communications protocols in the event of reputational damage
Update your response plans, playbooks and technical controls based on the lessons learned.
Step 7 – Report and learn
Where appropriate, report the DDoS attack using the UK cyber incident signposting service (https://signpost-cyber-incident.service.gov.uk/) to support wider understanding of the threat landscape.
You should also carry out a post-incident review to identify:
- How quickly the attack was detected
- Whether defences activated as expected
- Where delays or confusion occurred
- What improvements are needed in tools, processes, training or incident response plans
Final thoughts
Website DDoS attacks are increasingly common, especially for organisations in the public eye. While they cannot always be prevented, their impact can be significantly reduced through preparation, clear roles and a well-practised response.
Resilient design, good monitoring, strong communication and tested recovery processes are what turn a serious incident into a manageable one.
Reviewed by: Katie Barnett, Director of Cyber Security
Last updated: 09/12/2025
Need support with DDoS readiness or incident response?
Talk to Toro about resilience planning and incident response exercises to build clear, tested procedures to handle denial of service incidents with confidence.
