Did you all see the NIH DDoS attack in the news from last weekend? It was a big deal, and happened on my watch. I spent 25 hours between Sat/Sun battling that crap.
Ooof, no, I missed that news, I was taking some easy time, recovering from a cold.
Welcome to the club. Not one you really want to be in, but it happens. I have not had to do a DDoS incident response yet, but have done a few incident responses to other things that have made the news. I remember my first was in a medium-sized town, company hit over the weekend. We got sent out and got to town late Monday. In the morning, doing the hotel breakfast, I see the company on the morning news. They were one of, if not the, largest employers in the town, and had sent everyone home Monday and didn't expect to recall anyone Tuesday.
If you haven't already, document everything you remember, especially anything you did to try to handle the incident, whether it worked or not. One is for identifying anything weird that shows up in the next few weeks from changes made during the incident. Two is for the next time it happens.
-Otanx
The more you do post-incident, the better your prep for the next one in terms of minimizing impact.