by viraptor
1976 days ago
From my experience handling on-call during DDoS, there's not much drowning in alerts. You mute alerts about things being down. Then look at ways to drop the biggest / isolated types of traffic. Then analyse what is affected and start logging the impact. I don't believe anything would be missed: security monitors would alert different people / channels than service ops, post-incident review would look at alerts raised, any weird traffic would be looked at during "isolate and kill traffic" stage. Volume is not the only way to notify about anomalies. Poisoned data entries / canaries, outbound traffic which should never exist, unexpected DNS queries, and many others will trigger regardless of DDoS.
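The volume-independent signals the comment lists (canary credentials, DNS queries to an unexpected resolver, outbound traffic from hosts that should never have any), as an added example that is not part of the original comment: a small Python detector run over a constructed log in which a 5000-line inbound flood hides three single-event signals. The rule values, host names and addresses are assumptions made for the example.

```python
import re

# Policy values are hypothetical, constructed for this example.
CANARY_ACCOUNTS = {"svc-canary-7f3a"}   # honey credentials nobody should ever use
ALLOWED_RESOLVERS = {"10.0.0.53"}        # the only sanctioned internal DNS resolver
NO_EGRESS_HOSTS = {"db-01"}              # hosts that must never open outbound connections

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Turn a 'key=value key=value ...' log line into a dict."""
    return dict(KV_RE.findall(line))


def check_event(ev: dict):
    """Return (rule, detail) or None. Every rule fires on a single event, so the
    surrounding traffic volume never matters."""
    kind = ev.get("kind")
    if kind == "auth" and ev.get("user") in CANARY_ACCOUNTS:
        return ("canary_credential_used", f"user={ev['user']} src={ev.get('src')}")
    if kind == "dns" and ev.get("resolver") not in ALLOWED_RESOLVERS:
        return ("unexpected_dns_resolver",
                f"src={ev.get('src')} resolver={ev.get('resolver')} qname={ev.get('qname')}")
    if kind == "fw" and ev.get("dir") == "out" and ev.get("src") in NO_EGRESS_HOSTS:
        return ("forbidden_egress", f"src={ev['src']} dst={ev.get('dst')}:{ev.get('dport')}")
    return None


def detect(lines):
    """Run every line through the rules; return (alerts, inbound flood line count)."""
    alerts, inbound = [], 0
    for line in lines:
        ev = parse(line)
        if ev.get("kind") == "fw" and ev.get("dir") == "in":
            inbound += 1
        hit = check_event(ev)
        if hit:
            alerts.append(hit)
    return alerts, inbound


def sample_lines():
    """Constructed log: a 5000-line inbound flood with three real signals buried inside."""
    flood = [f"ts={i} kind=fw dir=in src=198.51.100.{i % 250 + 1} dst=web-01 dport=443"
             for i in range(5000)]
    signals = [
        "ts=1234 kind=auth user=svc-canary-7f3a src=203.0.113.9 result=fail",
        "ts=2345 kind=dns src=app-02 resolver=203.0.113.53 qname=update.example.net",
        "ts=3456 kind=fw dir=out src=db-01 dst=198.51.100.200 dport=8443",
    ]
    # Scatter the signals through the flood so their position is irrelevant.
    return flood[:1000] + signals[:1] + flood[1000:3000] + signals[1:2] + flood[3000:] + signals[2:]


if __name__ == "__main__":
    found, inbound = detect(sample_lines())
    print(f"inbound flood lines: {inbound}, alerts raised: {len(found)}")
    for rule, detail in found:
        print(f"ALERT {rule}: {detail}")
```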