This curriculum spans the technical, operational, and coordination practices found in multi-workshop incident response programs for DDoS resilience, covering the same depth of architecture design, real-time detection, and cross-system orchestration used in enterprise CDN security operations.
Module 1: Threat Landscape and Attack Vector Analysis
- Selecting packet capture tools and placement locations to accurately classify volumetric, protocol, and application-layer DDoS attacks in real traffic.
- Differentiating between legitimate traffic spikes and distributed denial-of-service events using behavioral baselines and anomaly detection thresholds.
- Mapping observed attack signatures to known threat actor profiles, including botnet sources and attack toolkits like Mirai or LOIC.
- Integrating threat intelligence feeds from third-party providers while filtering false positives and maintaining data freshness.
- Assessing reflection/amplification risk (e.g., DNS, NTP) from both sides: UDP services exposed on CDN edge nodes that an attacker could abuse as reflectors, and the amplified volume the edge must absorb when it is the target.
- Documenting attack vectors specific to API endpoints and dynamic content origins exposed through CDN caching layers.
Module 2: CDN Architecture for DDoS Resilience
- Designing anycast routing configurations to distribute attack load across geographically dispersed edge nodes.
- Configuring edge node failover policies to maintain service availability during partial infrastructure saturation.
- Implementing DNS-level load distribution to steer traffic away from overwhelmed POPs during active attacks, keeping record TTLs short because resolvers keep sending to a cached answer until it expires.
- Deciding cacheability rules for dynamic content to reduce origin exposure without degrading user experience.
- Deploying redundant reverse proxy layers at the edge to absorb and filter malicious payloads before they reach origin servers.
- Evaluating the trade-off between TLS termination at edge vs. origin in terms of decryption overhead and attack surface exposure.
Module 3: Traffic Scrubbing and Filtering Mechanisms
- Configuring stateful rate limiting per client IP, ASN, or geographic region without blocking legitimate burst traffic.
- Implementing challenge mechanisms (e.g., JavaScript challenges, CAPTCHA) for suspicious sessions while minimizing conversion impact.
- Creating signature-based filters for known attack patterns in HTTP headers, URI structures, or payload content.
- Deploying behavioral fingerprinting to detect non-browser clients such as headless browsers or scripted requests.
- Setting up remotely triggered blackhole (RTBH) routing in BGP for sustained Layer 3/4 attacks exceeding edge capacity, as a last resort: blackholing a prefix completes the denial of service for that prefix, so prefer finer-grained drops (e.g., BGP FlowSpec) where the upstream supports them.
- Calibrating entropy-based detection for spoofed source IPs in UDP flood scenarios using flow telemetry: randomly spoofed sources push source-address entropy far above the baseline of a real, skewed client population, while a flash crowd raises volume without changing that mix.
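The entropy-based check in the last bullet, worked through as an added example (this code is not part of the curriculum or any vendor's product). It consumes flow records in a constructed IPFIX-like shape (`src`, `dst`, `proto`, `pkts`), calibrates a baseline on clean windows, and flags a window only when UDP volume rises and source-IP entropy jumps together. The client population, Zipf-like popularity weights, RFC 5737 addresses and the 5000-packet flood are all synthetic.

```python
"""Entropy-based spoofed-source detection over flow telemetry.

Added example, not part of the curriculum. Flow records use a constructed,
IPFIX-like shape: {"src", "dst", "proto", "pkts"}; IPs are RFC 5737 documentation
ranges and the traffic mix is synthetic.
"""
import math
import random
from collections import Counter

UDP = 17


def shannon_entropy_bits(counts):
    """Entropy of a discrete distribution given as a Counter of occurrence counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_features(flows):
    """Per-window features: UDP packet volume and entropy of the UDP source-IP mix.

    UDP is isolated because source spoofing costs nothing without a handshake;
    TCP flows in the same window are ignored here."""
    src_pkts = Counter()
    for f in flows:
        if f["proto"] == UDP:
            src_pkts[f["src"]] += f["pkts"]
    return {"udp_pkts": sum(src_pkts.values()),
            "src_entropy": shannon_entropy_bits(src_pkts),
            "distinct_src": len(src_pkts)}


def calibrate(baseline_windows):
    """Mean/std of source entropy and mean UDP volume over clean windows."""
    feats = [window_features(w) for w in baseline_windows]
    ents = [f["src_entropy"] for f in feats]
    mean_ent = sum(ents) / len(ents)
    std_ent = math.sqrt(sum((e - mean_ent) ** 2 for e in ents) / len(ents))
    return {"mean_ent": mean_ent, "std_ent": std_ent,
            "mean_pkts": sum(f["udp_pkts"] for f in feats) / len(feats)}


def is_spoofed_flood(feat, model, k=4.0, pkt_mult=1.5):
    """Flag a window only when volume rises AND source entropy jumps.

    A flash crowd raises volume but keeps the skewed (low-entropy) source mix
    of a real client population; randomly spoofed sources push entropy toward
    log2(packets). Requiring both avoids paging on quiet windows whose entropy
    is noisy simply because they carry few packets."""
    return (feat["udp_pkts"] > pkt_mult * model["mean_pkts"]
            and feat["src_entropy"] > model["mean_ent"] + k * model["std_ent"])


# --- constructed traffic (synthetic, for the demo only) ----------------------

CLIENTS = [f"203.0.113.{i}" for i in range(200)]   # recurring legitimate clients
WEIGHTS = [1 / (i + 1) for i in range(200)]          # Zipf-like popularity


def legit_window(rng, n_flows):
    return [{"src": s, "dst": "192.0.2.10",
             "proto": UDP if rng.random() < 0.7 else 6,
             "pkts": rng.randint(1, 5)}
            for s in rng.choices(CLIENTS, WEIGHTS, k=n_flows)]


def spoofed_flood(rng, n_pkts):
    """One packet per random source: what a spoofed UDP flood looks like in flow data."""
    return [{"src": f"{rng.randint(1, 223)}.{rng.randint(0, 255)}."
                    f"{rng.randint(0, 255)}.{rng.randint(0, 255)}",
             "dst": "192.0.2.10", "proto": UDP, "pkts": 1}
            for _ in range(n_pkts)]


def run_demo(seed=7):
    """20 clean windows calibrate the model; 20 more clean windows must stay quiet;
    5 windows carrying a 5000-packet spoofed flood must be flagged.
    Returns the indices of flagged windows in the 25-window stream."""
    rng = random.Random(seed)
    model = calibrate([legit_window(rng, rng.randint(250, 400)) for _ in range(20)])
    stream = [legit_window(rng, rng.randint(250, 400)) for _ in range(20)]
    stream += [legit_window(rng, 300) + spoofed_flood(rng, 5000) for _ in range(5)]
    return [i for i, w in enumerate(stream)
            if is_spoofed_flood(window_features(w), model)]


if __name__ == "__main__":
    print("flagged windows:", run_demo())
```

The two-condition gate matters in practice: a window with a handful of packets from a handful of sources can have a high normalized entropy for no malicious reason, and a flash crowd can double volume while the top-N client distribution barely moves. Calibrating `k` and `pkt_mult` against your own clean windows, per POP, is the exercise the bullet describes.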
Module 4: Real-Time Detection and Monitoring
- Establishing thresholds for packet-per-second and connection-per-second metrics that trigger automated alerts.
- Correlating logs from edge nodes, WAFs, and DNS resolvers to identify coordinated multi-vector attacks.
- Deploying streaming telemetry pipelines using sFlow or IPFIX to monitor traffic patterns across CDN POPs.
- Integrating SIEM platforms with CDN control planes for centralized event correlation and forensic analysis.
- Validating detection accuracy by conducting red-team exercises that simulate realistic attack profiles.
- Adjusting monitoring granularity during peak traffic to avoid alert fatigue while maintaining detection sensitivity.
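The first and last bullets of this module (packet/connection-rate thresholds, and keeping sensitivity without alert fatigue at peak) are easiest to see in code. The following is an added example, not from the curriculum: an adaptive threshold that tracks an EWMA baseline, requires several consecutive excursions before alerting, needs several normal samples before clearing, and freezes the baseline while an alert is open so attack traffic cannot be learned as normal. The connections-per-second series it runs on is constructed.

```python
"""Adaptive alert thresholds for packet/connection-rate metrics.

Added example, not from the curriculum. The input is a constructed
connections-per-second series; no real telemetry is read.
"""
import math
import random


class AdaptiveThreshold:
    """EWMA baseline with exponentially weighted variance, debounce and hysteresis.

    - The baseline is frozen while an alert is open, so attack samples cannot
      raise it and mask the attack (baseline poisoning).
    - `margin` keeps a minimum relative headroom if the variance estimate
      collapses on flat traffic; `floor` is an absolute minimum so a quiet
      period does not page on trivial rates.
    - `confirm` consecutive excursions open an alert; `release` consecutive
      normal samples close it, so one noisy interval cannot flap the alert.
    """

    def __init__(self, alpha=0.1, k=5.0, margin=0.25, floor=0.0,
                 warmup=30, confirm=3, release=10):
        self.alpha, self.k, self.margin, self.floor = alpha, k, margin, floor
        self.warmup, self.confirm, self.release = warmup, confirm, release
        self.mean, self.var, self.seen = 0.0, 0.0, 0
        self.over = self.under = 0
        self.alerting = False

    def threshold(self):
        if self.seen < self.warmup:
            return math.inf                       # still learning: never alert
        return max(self.floor, self.mean * (1 + self.margin),
                   self.mean + self.k * math.sqrt(self.var))

    def _learn(self, x):
        if self.seen == 0:
            self.mean = x
        else:
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.seen += 1

    def update(self, x):
        """Feed one interval sample; returns 'ok', 'alert', 'alerting' or 'clear'."""
        exceeded = x > self.threshold()
        if not self.alerting:
            if exceeded:
                self.over += 1
                if self.over >= self.confirm:     # debounce
                    self.alerting, self.over = True, 0
                    return "alert"
                return "ok"                       # suspicious sample: not learned
            self.over = 0
            self._learn(x)
            return "ok"
        if exceeded:
            self.under = 0
            return "alerting"
        self.under += 1                           # hysteresis
        if self.under >= self.release:
            self.alerting, self.under = False, 0
            self._learn(x)
            return "clear"
        return "alerting"


def run_demo(seed=42, static_threshold=1150.0):
    """Constructed cps series: a slow peak-hour ramp with noise, a 20-interval
    burst at 5000 cps (samples 300..319), then normal traffic again.
    Returns the adaptive detector's (index, event) list and how many false
    alerts a static threshold would have raised on the legitimate samples."""
    rng = random.Random(seed)
    series = [5000.0 if 300 <= i < 320 else 1000.0 + i + rng.gauss(0, 40)
              for i in range(340)]
    det, events = AdaptiveThreshold(), []
    for i, x in enumerate(series):
        state = det.update(x)
        if state in ("alert", "clear"):
            events.append((i, state))
    static_false = sum(1 for i, x in enumerate(series)
                       if x > static_threshold and not 300 <= i < 320)
    return events, static_false


if __name__ == "__main__":
    print(run_demo())
```

The static threshold in the demo fires on more than a hundred legitimate intervals once the daily ramp passes it, which is what produces alert fatigue; the adaptive detector raises exactly one alert when the burst starts and one clear when it ends. The freeze-while-alerting rule is the piece most often missing from home-grown detectors: without it a slow-ramping attack teaches the baseline to accept itself.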
Module 5: Automated Response and Orchestration
- Designing playbooks for automated mitigation actions such as rate limiting, geo-blocking, or challenge insertion.
- Integrating CDN APIs with SOAR platforms to execute cross-system responses during active incidents.
- Implementing circuit-breaker logic to suspend automated actions if they trigger unintended service degradation.
- Configuring auto-scaling policies for edge resources to absorb traffic surges while capping scale-out, so an attacker cannot turn the scaling itself into a cost or resource-exhaustion vector.
- Testing fail-open vs. fail-closed behavior in mitigation systems during control plane outages.
- Version-controlling response rules and maintaining audit trails for regulatory and post-incident review.
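The module's bullets describe one procedure: an escalating playbook driven through a CDN API, a circuit breaker that rolls back an action which hurts the service and stops automation, fail-open versus fail-closed behaviour when the control plane is unreachable, and an audit trail. The block below is an added example of that loop, not the curriculum's own code and not any vendor's SDK: `FakeCdnClient`, the rule shapes in `PLAYBOOK`, the health probe values and the four scenarios are all constructed stand-ins.

```python
"""Automated mitigation playbook with a circuit breaker and fail-open/closed handling.

Added example, not from the curriculum. The CDN client, playbook rule shapes,
health probe and scenarios are constructed stand-ins, not a vendor's API.
"""


class ControlPlaneUnavailable(Exception):
    """Raised by the stand-in client when the CDN control plane cannot be reached."""


class FakeCdnClient:
    """Minimal rules API stand-in: put/delete a named rule (assumption, not any SDK)."""

    def __init__(self, available=True):
        self.available, self.rules = available, {}

    def put_rule(self, name, spec):
        if not self.available:
            raise ControlPlaneUnavailable(name)
        self.rules[name] = spec

    def delete_rule(self, name):
        if not self.available:
            raise ControlPlaneUnavailable(name)
        self.rules.pop(name, None)


# Escalating steps, least user-impacting first. Paths, rates and the country code
# are placeholders; in practice this list is version-controlled and reviewed.
PLAYBOOK = [
    {"name": "rl-api", "action": "rate_limit", "spec": {"path": "/api/*", "rps_per_ip": 20}},
    {"name": "js-challenge", "action": "challenge", "spec": {"path": "/login", "type": "js"}},
    {"name": "geo-block", "action": "geo_block", "spec": {"countries": ["XX"]}},
]


class MitigationOrchestrator:
    def __init__(self, cdn, probe, fallback=None, fail_mode="open",
                 max_error_rate=0.05, max_p95_ms=800, checks=3):
        self.cdn, self.probe, self.fallback, self.fail_mode = cdn, probe, fallback, fail_mode
        self.max_error_rate, self.max_p95_ms, self.checks = max_error_rate, max_p95_ms, checks
        self.breaker_open = False   # once open, automation stops until a human resets it
        self.audit = []             # append-only trail: seq, step, outcome, reason

    def _log(self, **entry):
        entry["seq"] = len(self.audit)
        self.audit.append(entry)

    def _origin_healthy(self):
        """Poll origin health `checks` times after an action; any breach counts as damage."""
        for _ in range(self.checks):
            h = self.probe()
            if h["error_rate"] > self.max_error_rate or h["p95_ms"] > self.max_p95_ms:
                return False
        return True

    def apply(self, step):
        if self.breaker_open:
            self._log(step=step["name"], outcome="suspended", reason="breaker open")
            return "suspended"
        try:
            self.cdn.put_rule(step["name"], step["spec"])
        except ControlPlaneUnavailable:
            if self.fail_mode == "closed" and self.fallback is not None:
                self.fallback(step)   # pre-staged control independent of the CDN control plane
                self._log(step=step["name"], outcome="fallback", reason="control plane down")
                return "fallback"
            self._log(step=step["name"], outcome="unmitigated", reason="control plane down, fail-open")
            return "unmitigated"
        if self._origin_healthy():
            self._log(step=step["name"], outcome="applied", spec=step["spec"])
            return "applied"
        self.cdn.delete_rule(step["name"])   # roll back the action that hurt
        self.breaker_open = True
        self._log(step=step["name"], outcome="rolled_back", reason="origin degraded after action")
        return "rolled_back"

    def run(self, playbook, under_attack):
        """Escalate through the playbook while the attack signal persists."""
        outcomes = []
        for step in playbook:
            if not under_attack():
                break
            outcomes.append(self.apply(step))
        return outcomes


OK = {"error_rate": 0.01, "p95_ms": 300}
BAD = {"error_rate": 0.20, "p95_ms": 1500}


def run_scenario(name):
    """Constructed scenarios: 'healthy', 'degrading' (the challenge step breaks the
    origin), 'outage-open' and 'outage-closed' (control plane unreachable)."""
    cdn = FakeCdnClient(available=not name.startswith("outage"))
    health = iter([OK] * 4 + [BAD] + [OK] * 20 if name == "degrading" else [OK] * 20)
    fallback_calls = []
    orch = MitigationOrchestrator(cdn, lambda: next(health), fallback=fallback_calls.append,
                                  fail_mode="closed" if name == "outage-closed" else "open")
    attack = iter([True, True, True, False])   # signal stays up through the third step
    outcomes = orch.run(PLAYBOOK, lambda: next(attack))
    return {"outcomes": outcomes, "rules": dict(cdn.rules),
            "fallback": fallback_calls, "audit": orch.audit}
```

In the degrading scenario the rate limit is applied, the challenge is rolled back as soon as the origin's error rate breaches the guard, and the geo-block is never attempted; the breaker stays open until someone reviews the audit trail and resets it. Which `fail_mode` is right depends on the asset: fail-open keeps revenue traffic flowing at the cost of unfiltered load, fail-closed keeps a pre-staged control in place at the cost of some legitimate users, and the choice should be tested, as the module says, before a real control-plane outage makes it for you.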
Module 6: Origin Protection and Backend Security
- Enforcing strict allow-lists for CDN-to-origin communication: accept connections only from the CDN's published egress IP ranges and require mutual TLS, so that neither a forged header nor a leaked origin address is enough to reach the origin directly.
- Deploying backend rate limiting at origin load balancers to prevent cascading failures during edge bypass attempts.
- Hiding origin server IP addresses through DNS and routing policies to prevent direct targeting, and checking the usual leak paths (historical DNS records, certificate transparency logs, outbound email headers, verbose error pages).
- Implementing circuit breakers in application logic to halt processing under sustained high-load conditions.
- Configuring origin health checks and stale-cache serving so traffic is held back from an origin during mitigation-induced latency spikes, without a single slow probe flapping the origin out of rotation.
- Validating that origin infrastructure can withstand residual attack traffic that bypasses edge filters.
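The allow-list, mutual TLS and backend rate-limiting bullets above, as an added nginx example (not part of the curriculum and not a particular CDN's recommended configuration). The weak server block trusts a header that any direct client can forge; the hardened one requires the CDN's client certificate and source range before any request is parsed, and rate-limits per forwarded client address rather than per CDN egress IP. The address ranges are RFC 5737 placeholders standing in for the provider's published list, and the certificate paths, upstream name and `X-Client-IP` header name are assumptions.

```nginx
# Added example, not part of the curriculum. Origin vhost that accepts traffic only
# from the CDN. IP ranges are RFC 5737 placeholders for the CDN's published egress
# list; certificate paths, the upstream name and the client-IP header are assumptions.

# --- Weak: the origin trusts a header any direct client can set, and answers
#     anyone who discovers its address (leaked DNS history, cert logs, ...).
server {
    listen 443 ssl;
    server_name origin.example.com;
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;
    if ($http_x_from_cdn != "1") { return 403; }   # attacker just sends X-From-CDN: 1
    location / { proxy_pass http://app_backend; }
}

# --- Hardened: network allow-list AND mutual TLS; per-client rate limit keyed on
#     the client address the CDN forwards (header name is a placeholder).
limit_req_zone $http_x_client_ip zone=perclient:10m rate=50r/s;   # must sit in http{}

server {
    listen 443 ssl;
    server_name origin.example.com;
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # mTLS: the CDN presents a client certificate issued by a private CA you control;
    # anything else fails the TLS handshake before a single request line is parsed.
    ssl_client_certificate /etc/nginx/tls/cdn-client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Defence in depth: even a stolen client certificate only works from CDN ranges.
    allow 192.0.2.0/24;
    allow 198.51.100.0/24;
    deny all;

    location / {
        # Backend rate limit: the CDN's egress IPs are shared by every end user, so
        # keying on $remote_addr would throttle the CDN itself. The forwarded header
        # is trustworthy only because allow/deny above guarantees the CDN set it.
        limit_req zone=perclient burst=100 nodelay;
        limit_req_status 429;
        proxy_set_header X-CDN-Client-DN $ssl_client_s_dn;   # keep for forensics
        proxy_pass http://app_backend;
    }
}
```

Two caveats when adapting this. `limit_req` does not count requests whose key is empty, so a request the CDN forwards without the header would be unlimited; confirm the header is always present or fall back to a second zone. And if you use `ngx_http_realip_module` (`set_real_ip_from` / `real_ip_header`) so logs show the end-user address, it rewrites `$remote_addr` before `allow`/`deny` are evaluated, so the allow-list must then be expressed against `$realip_remote_addr` instead, or the CDN will be locked out of its own origin.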
Module 7: Legal, Compliance, and Incident Coordination
- Documenting incident timelines and mitigation steps to meet regulatory reporting requirements (e.g., GDPR, SEC).
- Establishing data retention policies for attack logs that balance forensic needs with privacy obligations.
- Coordinating with upstream ISPs and transit providers to implement upstream filtering during large-scale attacks.
- Engaging law enforcement or CERTs when attacks involve extortion, data exfiltration, or nation-state indicators.
- Defining communication protocols for notifying customers and stakeholders during ongoing mitigation events.
- Conducting post-incident reviews to update detection rules, response playbooks, and architectural controls.
Module 8: Performance and Business Impact Management
- Measuring latency and throughput degradation during active mitigation to assess user impact.
- Adjusting caching strategies during attacks to maximize hit ratios and reduce origin dependency.
- Monitoring conversion rates and session drop-offs to quantify business impact of mitigation measures.
- Optimizing challenge mechanisms to minimize friction for returning or high-value users.
- Evaluating cost implications of traffic surges on pay-per-use CDN billing models during attacks.
- Implementing synthetic transaction monitoring to validate service availability across global regions.