DDOS-API · Cybersecurity

DDoS Attack on Public API Gateway

A volumetric or application-layer DDoS attack saturates the public API gateway, causing HTTP 503/504 responses for legitimate clients and blocking access to all customer-facing services.

Root Cause & Remediation

Typical causes are a coordinated botnet attack, an amplification attack (DNS, NTP, SSDP), or an HTTP Slowloris attack targeting the application layer. A lack of WAF rules, rate limiting, or scrubbing centre routing allows the traffic to reach origin servers.

Remediation steps

  1. Activate DDoS mitigation playbook — engage your scrubbing centre provider or cloud-native shield (AWS Shield Advanced, Cloudflare Magic Transit).
  2. Enable aggressive rate limiting and geo-blocking at the CDN/WAF layer as an immediate mitigation.
  3. Monitor legitimate traffic using a separate observability endpoint to track actual client impact.
  4. Engage your ISP or upstream provider for network-level null routing if volumetric.
  5. Document attack vectors, peak PPS/Gbps, and mitigation timestamps for the DORA regulatory report.
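Steps 3 and 5 can be supported by a small log summary like the following. This is an added example, not DoraPulse code: the log format, client IDs, the `total_clients` figure and the rule that one 503/504 marks a client as impacted are all assumptions, and the >10% / >100,000 thresholds are the ones quoted in the analyst notes on this page.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: "<UTC timestamp> <authenticated client id> <HTTP status>"
SAMPLE_LOG = """\
2024-05-01T10:00:05Z c01 200
2024-05-01T10:00:40Z c02 200
2024-05-01T10:01:10Z c01 503
2024-05-01T10:01:15Z c03 504
2024-05-01T10:01:20Z c01 503
2024-05-01T10:01:50Z c02 200
2024-05-01T10:02:05Z c04 503
2024-05-01T10:02:30Z c05 504
truncated-line-without-status
"""

FAILURE_STATUSES = {503, 504}  # the gateway errors named on this page


def parse(log_text):
    """Yield (timestamp, client_id, status), skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], int(parts[2])


def assess_impact(log_text, total_clients, pct=0.10, absolute=100_000):
    """Summarise client impact; thresholds default to >10% or >100,000."""
    impacted, per_minute, first_breach = set(), Counter(), None
    for ts, client, status in sorted(parse(log_text)):
        per_minute[ts.replace(second=0)] += 1
        if status in FAILURE_STATUSES:
            impacted.add(client)  # assumption: one gateway error = impacted
            n = len(impacted)
            if first_breach is None and (n > pct * total_clients or n > absolute):
                first_breach = ts  # timestamp to record for the report
    peak_minute, peak_rpm = max(per_minute.items(), key=lambda kv: kv[1], default=(None, 0))
    return {
        "impacted_clients": len(impacted),
        "impacted_share": len(impacted) / total_clients,
        "first_breach": first_breach,
        "peak_minute": peak_minute,
        "peak_requests_per_minute": peak_rpm,
    }
```

Feed it only traffic from authenticated sessions (the separate observability endpoint in step 3); otherwise attack requests that also receive 503/504 inflate the impacted count.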

DORA Risk Matrix

Typical classification: MAJOR INCIDENT

Likelihood: High

Blast radius: Full external client impact during the attack. Internal systems typically remain operational, but external-facing CIFs (online banking, mobile apps, payment APIs) are blocked.

CIF impact: Online banking and payment APIs are the most common DDoS targets in financial services. Client impact threshold (>10% of clients) is often breached within minutes of attack commencement.

Analyst notes: A successful DDoS attack is a malicious cyberattack. If it results in data integrity issues (e.g. corrupted in-flight transactions), Criterion A may also fire, making this an automatic MAJOR. Even without data integrity loss, a DDoS that blocks >10% of clients or >100,000 users for any meaningful duration meets the Art. 9(1) threshold.

Security Context

  • Result of Malicious Cyberattack: Confirmed adversarial action (ransomware, intrusion, exfiltration).
  • Reputational Impact: Relevant media coverage, significant volume of client complaints, or proactive contact from a competent authority.
