DDoS Incident Report with NIST CSF Analysis

Overview

This report details the investigation of a suspected Distributed Denial of Service (DDoS) attack and applies the NIST Cybersecurity Framework (CSF) to guide response actions. The incident was simulated as part of a lab exercise designed to build analytical and framework application skills. The original worksheet for applying NIST CSF categories can be accessed here: NIST CSF Worksheet .

Incident Summary

The target web server experienced a flood of incoming TCP SYN requests that appeared automated and originated from multiple spoofed IP addresses. This pattern, common in SYN flood attacks, suggested an attempt to overwhelm the server’s ability to process legitimate connections. As a result, server performance degraded and many legitimate requests were dropped.

NIST CSF Functions Applied

• Identify: Asset management and risk assessment determined the exposure of public-facing web services.
• Protect: Rate-limiting and firewall rules were validated to mitigate traffic spikes.
• Detect: Intrusion detection systems triggered alerts based on SYN rate thresholds.
• Respond: SOC team initiated incident response playbooks, capturing evidence and mitigating the source.
• Recover: System reboot procedures and communication plans ensured service restoration and transparency.

Tools Used

• Wireshark for packet inspection
• Firewall rule verification tools
• NIST CSF categories and subcategories worksheet

Conclusion

This lab helped build a real-world mindset for identifying and mitigating DDoS activity and using a structured framework like the NIST CSF for incident response. Integrating tactical analysis with policy-driven practices ensures a complete and repeatable cybersecurity response.

← Back to Portfolio