Mar 17, 2026 · Written by: Netspare Team
A Practical DDoS Readiness Checklist for SMEs
DDoS attacks range from volumetric UDP floods to crafty HTTPS GET storms that exhaust CPU on L7 proxies. SMEs cannot afford always-on terabit scrubbing like hyperscalers, but they can still reduce mean time to recovery with baselines, runbooks, and tested provider features.
Your CDN or ISP scrubbing center is only as good as the contacts and BGP/GRE tunnel details documented before the event. Panic-driven DNS changes propagate slowly and often break email.
Use this article as a living checklist: assign owners, dates, and evidence links in your internal wiki.
Application-layer attacks mimic legitimate traffic with rotating residential IPs—rate limits alone fail without behavioral scoring. Combine request fingerprinting with slow client detection at the proxy.
Insurance and cyber policies increasingly ask for evidence of annual drills; keep dated reports with redacted traffic graphs.
Traffic baselines and anomaly detection
Know normal RPS, unique client counts, and geographic distribution per public hostname. Surges that preserve user-agent diversity but concentrate on a single URL often indicate L7 attacks.
Alert on sustained deviation from baseline, not one-minute blips, to avoid alert fatigue.
Edge rate limits, WAF, and bot management
Start with conservative rate limits on login, cart, and search endpoints, which are cheap for attackers to abuse. WAF managed rule sets catch known signatures; custom rules block obvious scraper patterns.
Challenge modes (JS/captcha) harm UX; enable them only after softer throttles fail, and point customers to a status page while they are active.
Origin shielding and IP allow-lists
- Never expose origin IPs in DNS if you front with a CDN; firewall allow-list only the CDN's PoP ranges.
- Separate management VPN IPs from public website paths.
- Keep a cold standby static status site on a different provider for comms-only traffic.
- Document how to drain attack traffic to sinkhole vs. legitimate failover regions.
Customer and internal communications
Prepare status templates in three lengths (tweet, email, detailed post) and pre-approve who publishes. Legal/compliance may need wording for regulated sectors.
Internal Slack/email templates reduce duplicate questions to the on-call engineer during mitigation.
Quarterly drills and evidence retention
Run tabletop exercises and synthetic load tests against a staging environment that mirrors production rules. Store PCAP or flow summaries (where lawful) to tune thresholds after the drill.
Post-incident, capture timelines with UTC timestamps, actions taken, and customer impact minutes for insurance or SLA discussions.
Layer 7 behavioral signals
Track request entropy: sudden uniformity in user-agent strings or path depth often marks bot swarms.
Challenge expensive endpoints (search, export) before homepage static assets to preserve cache efficiency.
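The baseline-deviation and request-entropy signals described above (sustained RPS deviation, unique client counts, collapsed user-agent diversity, one hot path) as an added, runnable example that is not part of the original article; the baseline values, thresholds and the log lines are constructed for illustration, and the record format `minute client path user_agent` is an assumption, not any product's log format.

```python
import math
from collections import Counter, defaultdict

# Assumed quiet-period baseline for one hostname; alert only at 3x baseline sustained 3 minutes.
BASELINE_RPS, DEVIATION, SUSTAIN = 2.0, 3.0, 3
UA_ENTROPY_FLOOR, TOP_PATH_SHARE = 1.0, 0.8   # bits of user-agent entropy; share of requests on one path

def entropy(counter):
    """Shannon entropy in bits of the value distribution held in a Counter."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())

def minute_stats(lines):
    """Aggregate 'minute client path user_agent' records into per-minute signals."""
    buckets = defaultdict(list)
    for line in lines:
        minute, client, path, ua = line.split(" ", 3)
        buckets[int(minute)].append((client, path, ua))
    stats = {}
    for minute, reqs in sorted(buckets.items()):
        stats[minute] = {
            "rps": len(reqs) / 60,
            "clients": len({c for c, _, _ in reqs}),
            "ua_entropy": entropy(Counter(u for _, _, u in reqs)),
            "top_path_share": Counter(p for _, p, _ in reqs).most_common(1)[0][1] / len(reqs),
        }
    return stats

def l7_alerts(stats):
    """Minutes where RPS stayed above baseline for SUSTAIN consecutive minutes AND the
    request mix looks like a bot swarm (collapsed user-agent entropy or one hot path)."""
    alerts, streak = [], 0
    for minute in sorted(stats):
        s = stats[minute]
        streak = streak + 1 if s["rps"] > DEVIATION * BASELINE_RPS else 0   # reset on any quiet minute
        swarm = s["ua_entropy"] < UA_ENTROPY_FLOOR or s["top_path_share"] > TOP_PATH_SHARE
        if streak >= SUSTAIN and swarm:
            alerts.append(minute)
    return alerts

def sample_log():
    """Constructed traffic, not real data: minutes 0-3 and 5 quiet, minute 4 a legitimate
    one-minute blip, minutes 6-9 a GET flood on /search from rotating IPs with one UA."""
    uas, paths, lines = [f"Browser/{i}" for i in range(6)], [f"/page{i}" for i in range(8)], []
    for minute in range(10):
        if 6 <= minute <= 9:
            lines += [f"{minute} 198.51.100.{i % 200} /search Flood/1.0" for i in range(900)]
        else:
            n, clients = (600, 200) if minute == 4 else (120, 60)
            lines += [f"{minute} 198.51.100.{i % clients} {paths[i % 8]} {uas[i % 6]}" for i in range(n)]
    return lines
```

The blip at minute 4 exceeds the RPS threshold but is neither sustained nor uniform, so it is ignored; the flood fires at minutes 8 and 9 once the streak reaches three.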
Evidence for legal and insurers
Store summarized flow metadata where retention policies allow; full PCAP may be prohibited—agree formats with counsel upfront.
Chain of custody for logs matters if litigation follows a sustained attack.
Frequently asked questions
Will a bigger VPS stop DDoS?
Is geo-blocking enough?