# DDoS Mitigation and Resilience

One-sentence definition: Architect and operate defenses to absorb, deflect, or block volumetric and protocol attacks.

## Key Facts

- Upstream scrubbing centers/CDNs; anycast distribution; autoscale where possible.
- Rate-limits, SYN cookies, connection limits; block amplification vectors.
- Runbooks with provider contacts; pre-authorized diversion.
- Test failover and TTLs; protect DNS with redundant providers.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose layered DDoS plan with practiced cutover.

**Mnemonic:** “**Soak, shape, shift**.”

## Mini Scenario

Q: DNS under attack—what keeps it up?

A: Anycast + multiple DNS providers and caching.

## Revision Checklist

- Two technical controls.
- Cutover prep.
- DNS protection.

## Related

[[Network Segmentation and NAC]] · [[Intrusion Detection and Prevention (NIDS NIPS HIDS HIPS)]] · [[Business Continuity Operations and Crisis Communications]] · [[Incident Response Lifecycle (NIST-Style)]] · [[Identity Resilience and DR]] · [[Domain 7 - Index]]