Code Room
On-call | Medium | oc-g151
Subject: DDoS | Level: Mid–Senior | ~35 min | Common in: Reliability & on-call interviews | Industries: Technology, Software development

Question

Your web tier starts refusing connections and health checks fail, but CPU, memory, and bandwidth are all low — nothing looks busy. The connection-count dashboard shows worker/connection pools maxed out: thousands of open connections each sending HTTP headers extremely slowly (a byte every few seconds) and never completing the request. Traffic volume in bytes/sec is tiny. It comes from a few hundred IPs. There was no deploy. How do you triage and mitigate this low-bandwidth connection-exhaustion attack?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
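One way to turn the "real signals" in the question into a triage check, as an added example that is not part of the original page: it flags connections that are old, still missing complete headers, and receiving only a few bytes per second, then groups them by source IP. The `Conn` record, the thresholds, and the sample snapshot are assumptions constructed for illustration; a real snapshot would come from whatever per-connection state your server or load balancer exposes.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:                 # hypothetical per-connection record
    src_ip: str
    age_s: float            # seconds since the connection was accepted
    header_bytes: int       # request-header bytes received so far
    headers_done: bool      # True once the blank line ending the headers arrived

def is_slow_header(c, min_age_s=30.0, max_rate_bps=2.0):
    """Old connection, headers incomplete, trickling at <= max_rate_bps bytes/sec."""
    if c.headers_done or c.age_s <= 0 or c.age_s < min_age_s:
        return False
    return (c.header_bytes / c.age_s) <= max_rate_bps

def triage(conns, pool_size, min_per_ip=5):
    """Share of the worker pool held by stalled connections, and the IPs behind them."""
    stalled = [c for c in conns if is_slow_header(c)]
    per_ip = Counter(c.src_ip for c in stalled)
    return {
        "pool_held_by_stalled": len(stalled) / pool_size,
        "offenders": {ip: n for ip, n in per_ip.items() if n >= min_per_ip},
    }

def sample_snapshot():
    """Constructed data: three sources holding 8 stalled connections each, plus normal traffic."""
    conns = []
    for i in range(3):
        ip = f"203.0.113.{10 + i}"
        conns += [Conn(ip, 120.0 + j, 40 + j, False) for j in range(8)]
    conns += [
        Conn("198.51.100.7", 0.4, 512, True),    # fast, complete request
        Conn("198.51.100.8", 2.0, 300, False),   # new connection, still sending headers
        Conn("198.51.100.9", 45.0, 900, True),   # long-lived but headers complete
        Conn("198.51.100.20", 35.0, 60, False),  # single slow client, below per-IP threshold
    ]
    return conns

if __name__ == "__main__":
    print(triage(sample_snapshot(), pool_size=32))
```

The per-IP threshold keeps a single slow client (for example one on a poor mobile link) out of the offender list while still counting its connection toward pool pressure.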
