Welcome, **Network Security Specialist** at **ÇOLHAK Technology**! Your mission is critical: you are under a **large-scale DDoS attack** from an international botnet targeting your company's main servers. Websites, services, and even internal network connections are on the verge of collapse. This attack is overloading systems, threatening business continuity, and causing significant reputational damage. Your task: race against time to mitigate the attack, redirect traffic, protect the infrastructure, and ensure business continuity!
Simulation Roles
Your Role: Network Security Specialist
You are responsible for the security of the company's network infrastructure. You take an active role in DDoS mitigation steps. Your choices will directly affect the outcome.
- **CISO Melih Kaan**: Head of security; expects fast and effective mitigation.
- **CTO Onur Güngor**: Infrastructure performance and business continuity are his priorities.
- **CEO Ayfer Yıldız**: Wants to minimize reputational and financial losses.
- **CDN/DDoS Protection Provider**: Provides external support, but may not always respond quickly.
Key Metrics
- **System Load**: Resilience of the servers against DDoS traffic. (Start: Critical)
- **Attack Effectiveness**: The power and impact of the DDoS attack. (Start: Full)
- **Financial Loss**: Cost resulting from the outage. (Start: $0)
- **Downtime**: Total duration of the service interruption. (Start: 0 Minutes)
- **Customer Satisfaction**: Satisfaction of customers with service access. (Start: 100)
Phase 1: Initial Detection & Traffic Anomaly
Time 0:15 - Traffic Alert!
At midnight, a series of critical alerts started coming from your network monitoring systems: "Abnormal traffic increase detected!" You quickly realized that a distributed and intense flood of requests, tens of times larger than normal traffic, was directed at your main servers. This is a clear **large-scale DDoS attack**! Your website has started to slow down, and some users are even experiencing access problems.
Learning Note: The speed of the initial response is decisive in a DDoS attack. Your own capacity (over-provisioned servers, on-prem filtering, edge ACLs) can absorb an attack only up to the size of your internet link; once the flood saturates that link, filtering on your side no longer helps, and ISP or scrubbing-provider support is required. The first things to establish are how far the traffic exceeds the normal baseline and whether it comes from a few addresses you can block at the edge or from many addresses, which points to a botnet.
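The detection step described above, as an added example that is not part of the original simulation: it compares each minute's request count in a web-server access log against the median of the preceding minutes, raises an alert when the count is ten or more times the baseline, and reports whether the flood is distributed (many addresses, none dominant) or single-origin. The log entries, thresholds and IP ranges are constructed for the example.

```python
"""Added example (not part of the original simulation): flag a request
flood by comparing each minute's request count with the median of the
preceding minutes, and judge from the source distribution whether the
flood is distributed (many addresses, none dominant) or single-origin.
The access-log entries below are constructed for the example."""
from collections import Counter, defaultdict
from statistics import median

# Constructed log: (minute "HH:MM", client IP). Five minutes of normal
# traffic from a few clients, then a flood from 250 distinct addresses.
NORMAL_CLIENTS = ["198.51.100.%d" % i for i in range(1, 6)]
SAMPLE_LOG = [("00:%02d" % m, NORMAL_CLIENTS[i % 5])
              for m in range(10, 15) for i in range(20)]
SAMPLE_LOG += [("00:%02d" % m, "203.0.113.%d" % (i % 250 + 1))
               for m in range(15, 17) for i in range(500)]
# Same baseline, but the flood comes from one address.
SINGLE_SOURCE_LOG = SAMPLE_LOG[:100] + [("00:15", "203.0.113.7")] * 400


def per_minute(log):
    """Request count and per-source counter for every minute in the log."""
    counts = defaultdict(int)
    sources = defaultdict(Counter)
    for minute, ip in log:
        counts[minute] += 1
        sources[minute][ip] += 1
    return counts, sources


def detect_flood(log, baseline_window=5, ratio_threshold=10.0,
                 min_sources=100, max_top_share=0.05):
    """Return one alert per minute whose request count is at least
    ratio_threshold times the median of the previous baseline_window
    minutes (at least 3 minutes of history are required)."""
    counts, sources = per_minute(log)
    minutes = sorted(counts)
    alerts = []
    for idx, minute in enumerate(minutes):
        history = [counts[m] for m in minutes[max(0, idx - baseline_window):idx]]
        if len(history) < 3:
            continue  # not enough history to establish a baseline
        baseline = median(history)
        ratio = counts[minute] / baseline if baseline else float("inf")
        if ratio < ratio_threshold:
            continue
        distinct = len(sources[minute])
        top_ip, top_count = sources[minute].most_common(1)[0]
        top_share = top_count / counts[minute]
        alerts.append({
            "minute": minute,
            "requests": counts[minute],
            "baseline": baseline,
            "ratio": round(ratio, 1),
            "distinct_sources": distinct,
            "top_source": top_ip,
            "top_source_share": round(top_share, 3),
            # Many sources with no dominant one: botnet, scrub upstream.
            # One dominant source: block that address at the edge.
            "distributed": distinct >= min_sources and top_share <= max_top_share,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(SAMPLE_LOG) + detect_flood(SINGLE_SOURCE_LOG):
        print(alert)
```

The baseline uses the median rather than the mean so that the first flood minute does not inflate the baseline for the minutes that follow; the distributed/single-origin flag is what decides whether an edge block list is enough or the traffic has to be handed to the ISP or scrubbing provider.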
Phase 2: Contacting the CDN/DDoS Protection Provider
Time 0:45 - Response from CDN Provider!
Although your on-prem solutions provided some relief, the magnitude of the attack continues. With the approval of the CISO and CTO, you initiated an emergency call with your CDN and DDoS protection provider (e.g., Cloudflare, Akamai). You explained the situation in detail. The provider stated they could deploy their traffic scrubbing service at full capacity, but full activation and traffic redirection would take **approximately 15-30 minutes**.
During this waiting period, what will you do to ensure business continuity?
Learning Note: The activation time of external mitigation is a critical window in a DDoS attack. Redirection to a scrubbing provider normally happens by changing DNS records to point at the provider or by having the provider announce your prefixes via BGP; a DNS TTL lowered in advance, and contact details and runbooks agreed before an incident, shorten this cutover. Until the redirection takes effect, the only levers are your own: connection and request limits, shedding non-essential traffic, and serving static or cached content so that the core service stays reachable.
Phase 3: Traffic Diversion and Damage Control
Time 1:30 - Traffic Scrubbing Has Begun!
Your CDN provider has intervened and started to clean the attack traffic. The initial signals are positive; the system load is gradually decreasing. However, the attackers seem to have changed tactics; they are focusing on Layer 7 (application layer) attacks, targeting specific API endpoints and session management. This is a smarter type of attack focused on resource exhaustion rather than bandwidth.
CTO Onur Güngor calls: *"The attack intensity has decreased, but we still have access issues! The APIs have slowed down. We continue to receive complaints from our customers. What are we doing about this Layer 7 attack?"*
Learning Note: Layer 7 DDoS attacks need far less bandwidth than volumetric floods, because each request forces the server to do expensive work (database queries, session creation, login checks, search) and looks like a legitimate request to a bandwidth-based scrubbing service. Application-layer measures are therefore required: per-client rate limiting that weighs expensive endpoints more heavily, CAPTCHA or JavaScript challenges when an endpoint's overall budget is exhausted, caching, and WAF rules matching the attack pattern. Per-IP limits alone are not enough against a botnet that keeps each bot under the threshold, which is why a global per-endpoint budget with a challenge fallback matters.
Phase 4: Communication and Reputation Management
Time 2:30 - Media and Customer Pressure!
The impact of the DDoS attack has spread to the public. Complaints are snowballing on social media, and some news sites are headlining ÇOLHAK Technology's service interruptions. The fact that a major e-commerce launch is scheduled for this week infuriates CEO Ayfer Yıldız: *"This situation is jeopardizing the launch! Our credibility is shaken. What are we going to tell the customers? What will our financial losses be?"*
The PR team and your legal advisors are requesting an urgent meeting regarding the content and timing of the public announcement.
Learning Note: In cybersecurity incidents, the communication strategy directly affects reputation and customer trust. Transparency is often the best approach.
Phase 5: Post-Attack Recovery and Lessons Learned
Time 3:30 - Attack Under Control!
Thanks to the full support of your CDN provider and your proactive interventions, the DDoS attack is finally under control. Traffic has returned to normal levels, and your services are fully accessible. However, it's time to assess the impacts of the attack and strengthen your infrastructure against future potential attacks. You are holding a post-crisis meeting with the CISO, CTO, and CEO.
With the lessons learned from this major DDoS attack, how will you strengthen your future defenses?
Learning Note: Lessons learned after DDoS attacks are critical for future resilience. Technology investments, training, and architectural changes provide long-term protection.
Phase 6: Investigation and Attribution
Time 4:30 - On the Attacker's Trail
The attack has been completely stopped, and the systems are stable. CISO Melih Kaan now wants you to focus on finding out who attacked and why. The digital forensics team has analyzed the attack vectors, source IPs, and traffic patterns, identifying three possible suspects.
Suspect 1: Disruptor Tech (Rival Company)
Motive: To sabotage ÇOLHAK Technology's major e-commerce launch and gain a market advantage. Evidence: The attack was a sophisticated Layer 7 (application layer) attack specifically targeting API endpoints related to the new product. This may indicate they have inside knowledge of your company's operations.
Suspect 2: Digital Justice Front (Hacktivist Group)
Motive: To protest ÇOLHAK Technology's recently announced and publicly debated data policies. Evidence: During the attack, numerous posts criticizing your company were made from social media accounts associated with the group. The attack was high-volume but less complex, focusing on Layer 3/4 (network layer).
Suspect 3: Crypto-Lock Gang (Ransomware Group)
Motive: Purely financial. To demand a ransom by taking the company's services offline. Evidence: 24 hours before the attack, a low-profile email, which had landed in the spam folder and was overlooked, was found demanding a payment of 5 BTC to "prevent disruptions to your services." The botnet used was also seen in previous attacks associated with this group.
Now it's decision time: In light of the evidence gathered, who do you believe is behind the attack? Keep in mind that botnet source IPs identify compromised hosts rather than their operator, and Layer 3/4 traffic can be spoofed, so attribution should rest on corroborating evidence (the ransom email, reuse of known infrastructure, timing relative to the launch) rather than on source addresses alone. This decision will affect the legal process and future defense priorities.
Post-DDoS Crisis Assessment Report
The simulation is complete. Below is a detailed breakdown of your DDoS crisis management performance.