一键导入
cloudflare-incident-response
DDoS/attack emergency response runbook — detect, assess, mitigate, monitor, de-escalate
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
DDoS/attack emergency response runbook — detect, assess, mitigate, monitor, de-escalate
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Deploy and manage Cloudflare Workers — upload scripts, configure routes, manage secrets, view analytics
Cloudflare zone health dashboard — DNS, security, tunnels, WAF, DDoS status
Manage Cloudflare R2 storage buckets and objects — create, list, inspect, delete buckets and objects
Manage Cloudflare Workers KV namespaces and key-value pairs — create, list, read, write, delete
Live integration test for all Cloudflare MCP tools — read + safe writes with cleanup
Manage Cloudflare DNS records — add, list, update, delete records with verification across multiple zones
| name | cloudflare-incident-response |
| description | DDoS/attack emergency response runbook — detect, assess, mitigate, monitor, de-escalate |
Emergency response runbook for DDoS attacks and active security incidents. This is a 5-phase workflow: DETECT → ASSESS → MITIGATE → MONITOR → DE-ESCALATE.
IMPORTANT: Every mitigation action in Phase 3 requires explicit user confirmation. This skill never auto-remediates.
Fire all of these tool calls in parallel immediately:
cloudflare_under_attack_status — is Under Attack Mode already active?cloudflare_security_events — security events from the last 1 hour (short window for active attack)cloudflare_ddos_analytics — DDoS analytics from the last 1 hourcloudflare_zone_health — zone activation and health statusProduce an immediate Incident Detection Summary:
INCIDENT DETECTION — [Zone] — [Timestamp]
Under Attack Mode: ON / OFF
Zone Health: active / inactive
Security Events (1h): [count]
DDoS Analytics: [attack windows count]
ASSESSMENT: ACTIVE ATTACK / SUSPECTED ATTACK / NO ATTACK DETECTED
If no attack indicators are found, report clearly and stop. Offer to run a full security audit via the cloudflare-security-audit skill instead.
Analyze the data from Phase 1 to characterize the attack:
Traffic Analysis:
Attack Type Classification:
Current Mitigation Status:
Severity Level:
Present the full assessment to the user before proceeding to mitigation.
Present each mitigation step to the user one at a time and wait for confirmation before executing.
Step 1 — Enable Under Attack Mode (first response)
Explain: "This adds a JS challenge to all visitors. Legitimate browsers pass automatically in ~5 seconds. API clients and bots will be blocked. This is the primary defense against L7 HTTP floods."
Ask: "Should I enable Under Attack Mode for [zone]?"
If confirmed: call cloudflare_security_level_set with action under_attack.
Verify: call cloudflare_security_level_get to confirm the change.
Log: record timestamp and action taken.
Step 2 — Block Top Attacking IPs
From the Phase 2 analysis, identify the top source IPs contributing to the attack. Present the list: "These are the top [N] IPs. Should I block them?"
For each confirmed IP: call cloudflare_ip_access_create with mode block.
Note: limit to IPs with clear attack signatures — avoid blocking legitimate IPs.
Log all blocked IPs with timestamp.
Step 3 — Country-Level Block (if attack is geographically concentrated)
Only suggest this if >80% of attack traffic originates from 1-3 countries AND those countries are not primary user traffic sources.
Explain the business impact: "Blocking [country] will affect ALL visitors from that country, including legitimate users."
Ask: "Should I add a challenge rule for [country]? (Note: this affects all [country] visitors)"
If confirmed: call cloudflare_ip_access_create with the country code and mode challenge (not block, to avoid false positives).
Log the country challenge rule with timestamp.
Step 4 — Custom WAF Rule (if L7 flood pattern identified)
If a specific URI path, user agent, or request signature characterizes the attack:
Construct a Cloudflare Ruleset Language expression. Example:
(http.request.uri.path eq "/api/login" and cf.threat_score gt 10)(http.user_agent contains "attacker-bot")(http.request.rate gt 100 and http.request.uri.path starts_with "/api")Show the expression to the user and explain what it matches.
Ask: "Should I create a WAF block rule for this pattern?"
If confirmed: call cloudflare_waf_create_custom_rule with action block and the expression.
Log the rule ID and expression with timestamp.
After mitigation steps are applied, wait 2-5 minutes and then re-assess.
Fire in parallel:
cloudflare_security_events — last 15 minutescloudflare_ddos_analytics — last 15 minutescloudflare_zone_health — current zone healthReport mitigation effectiveness:
Effectiveness verdict:
Escalation if mitigations are not effective:
When attack has clearly subsided (Phase 4 shows >90% reduction and stable zone health):
Disable Under Attack Mode: Explain impact, ask confirmation, call cloudflare_security_level_set to restore previous level (typically medium). Verify.
Review temporary IP blocks: Call cloudflare_ip_access_list. Review the blocks created during this incident. Recommend keeping them for 24-48 hours as attacks often resume. Ask user if any should be removed now.
Review temporary WAF rules: Call cloudflare_waf_list_custom_rules. Identify rules created during this incident. Ask user: "These WAF rules were created during the incident. Should any be kept permanently or should I remove them?" Execute deletions with cloudflare_waf_delete_custom_rule upon confirmation.
Generate Post-Incident Summary:
POST-INCIDENT SUMMARY — [Zone] — [Date]
Attack Type: [classification]
Duration: [start time] to [end time]
Peak Volume: [events/hour at peak]
Mitigations Applied:
- [timestamp] Under Attack Mode enabled
- [timestamp] Blocked IPs: [list]
- [timestamp] Country challenge: [countries]
- [timestamp] WAF rules created: [rule IDs]
Resolution:
- [timestamp] Under Attack Mode disabled
- Retained blocks: [list]
- Removed temp rules: [list]
Recommendations:
1. [recommendation]
2. [recommendation]
challenge (not block) to minimize impact on legitimate users.cloudflare-security-audit for pre/post-incident analysis.cloudflare_under_attack_status — check/verify Under Attack Mode statuscloudflare_security_events — security event log with time range filtercloudflare_ddos_analytics — DDoS analytics with time range filtercloudflare_zone_health — zone health and activation statuscloudflare_security_level_set — enable/disable Under Attack Mode and set security levelcloudflare_security_level_get — verify current security levelcloudflare_ip_access_create — block or challenge specific IPs, CIDRs, ASNs, or countriescloudflare_ip_access_delete — remove IP access rules during de-escalationcloudflare_ip_access_list — list all IP access rulescloudflare_waf_create_custom_rule — create targeted WAF block rulecloudflare_waf_delete_custom_rule — remove temporary WAF rules after de-escalationcloudflare_waf_list_custom_rules — list custom rules for review