Denial of service (DoS) attack

The nature of a DoS attack means that the first thing you need to do is confirm that this is definitely what is happening.

To do this, you will need to gather the right data and then interpret it. For more information about what to look for, refer to the full NCSC DoS guidance. 

If you need help analysing your logs or applying defences, you may wish to consult a commercial cyber incident response (CIR) provider. The NCSC operates a scheme of assured CIR companies that will be able to help you.

Once you have identified the likely causes, it will determine what defences you need to put in place.

For details of different DoS defences, refer to the full NCSC guidance on DoS.

Monitor – It's important to keep monitoring all parts of a system during a DoS attack, including those that don’t initially appear to be affected. Adversaries may attack in multiple waves, or use a DoS attack as a diversion for a more penetrative attack into a system.

Communicate – Make sure you provide timely, clear and accurate information to the people who need to know what is happening. This includes both internally, such as employees or risk owners, and externally, such as service providers, business-to-business partners and users or customers.

Recover – After a DoS attack has subsided and systems are fully restored, you should review all phases of the response to identify where you could improve, including the technology used to detect and respond to DoS attacks.