diff --git a/roles/ai3-prometheus/templates/rules/alerts_ddos.yml b/roles/ai3-prometheus/templates/rules/alerts_ddos.yml
new file mode 100644
index 0000000000000000000000000000000000000000..264fe5434b78b077039675e81d12d1838fe4f597
--- /dev/null
+++ b/roles/ai3-prometheus/templates/rules/alerts_ddos.yml
@@ -0,0 +1,16 @@
+groups:
+- name: roles/ai3-prometheus/templates/rules/alerts_ddos.conf
+  rules:
+
+  - alert: DDoS
+    expr: sum((sum(instance:node_network_packets_total:rate5m{device=~"en.*"}) by (host)) * on (host) role{role="frontend"}) > 100000
+    for: 5m
+    labels:
+      scope: global
+      service: nginx
+      severity: page
+    annotations:
+      summary: 'Suspected incoming DDoS'
+      description: 'High network packet count on public frontends'
+      runbook: '[[ alert_runbook_fmt | format("DDoS") ]]'
+
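Review bot: The selector `device=~"en.*"` in `expr` matches only predictably named interfaces, so a frontend whose public NIC is named differently (for example `eth0`) contributes nothing to the sum and a flood there would never page. Confirm the interface naming across the frontend role, or widen the match to the public-facing devices, e.g. `device=~"en.*|eth.*"`. The `> 100000` threshold is compared against the total over all frontends, so its meaning shifts as hosts are added or removed, and a flood concentrated on one host can stay below it; comparing per host (keeping the `by (host)` result instead of the outer `sum(...)`) would also tell the responder which frontend is affected. The summary says "incoming", but `instance:node_network_packets_total:rate5m` may combine receive and transmit counters, which is worth checking against the recording rule. The group `name` ends in `alerts_ddos.conf` while the file added here is `alerts_ddos.yml`.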