Network DDoS Incident Response Cheat Sheet

Tips for responding to a network distributed denial of service (DDoS) incident.

General Considerations

- DDoS attacks often take the form of flooding the network with unwanted traffic; some attacks focus on overwhelming the resources of a specific system.
- It will be very difficult to defend against the attack without specialized equipment or your ISP's help.
- Often, too many people participate during incident response; limit the number of people on the team.

Prepare for a Future Incident

- If you do not prepare for a DDoS incident in advance, you will waste precious time during the attack.
- Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you should follow.
- Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an attack. Include your big customers, critical partners, etc.
- Collaborate with your BCP/DR planning team to understand their perspective on DDoS incidents.
- Harden the configuration of network, OS, and application components that may be targeted by DDoS.
- Baseline your current infrastructure's performance, so you can identify the attack faster and more accurately.
- If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or services.
- Confirm DNS time to live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IPs get attacked.
- Establish contacts for your ISP, law enforcement, IDS, firewall, systems, and network teams.
- Document your IT infrastructure details, including business owners, IP addresses and circuit IDs; prepare a network topology diagram and an asset inventory.
- Understand the business implications (e.g., money lost) of likely DDoS attack scenarios.

Analyze the Attack

- Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it.
- Review the load and logs of servers, routers, firewalls, applications, and other affected infrastructure.
- Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g., specific source IPs, destination ports, URLs, TCP flags, etc.).
- If possible, use a network analyzer (e.g., tcpdump, ntop, Aguri, MRTG, a NetFlow tool) to review the traffic.
- Contact your ISP and internal teams to learn about their visibility into the attack, and to ask for help.
- If contacting the ISP, be specific about the traffic you'd like to control (e.g., blackhole which network blocks? rate limit which source IPs?).
- Find out whether the company received an extortion demand as a precursor to the attack.
- If possible, create a NIDS signature that differentiates between benign and malicious traffic.
- Notify your company's executive and legal teams; upon their direction, consider involving law enforcement.

Mitigate the Attack's Effects

- While it is very difficult to fully block DDoS attacks, you may be able to mitigate their effects.
- Attempt to throttle or block DDoS traffic as close to the network's upstream edge (the "cloud") as possible, via a router, firewall, load balancer, specialized device, etc.
- Terminate unwanted connections or processes on servers and routers, and tune their TCP/IP settings.
- If possible, switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic targeting the original IPs.
- If the bottleneck is a particular feature of an application, temporarily disable that feature.
- If possible, add servers or network bandwidth to handle the DDoS load. (This is an arms race, though.)
- If possible, route traffic through a traffic scrubbing service or product via DNS or routing changes.
- If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe.
- Configure egress filters to block the traffic your systems may send in response to DDoS traffic (e.g., replies to spoofed source addresses), to avoid adding unnecessary packets to the network.
- DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans get tired.
- Understand your equipment's capabilities in mitigating a DDoS attack. Many underappreciate the capabilities of their devices, or overestimate their performance.

Wrap Up the Incident and Adjust

- If necessary, adjust the assumptions that affected the decisions made during DDoS incident preparation.
- Assess the effectiveness of your DDoS response process, including people and communications.
- Consider what relationships inside and outside your organization could help you with future incidents.
- Consider what preparation steps you could have taken to respond to the incident faster or more effectively.

Key DDoS Incident Response Steps

1. Preparation: Establish contacts, define procedures, and gather tools to save time during an attack.
2. Analysis: Detect the incident, determine its scope, and involve the appropriate parties.
3. Mitigation: Mitigate the attack's effects on the targeted environment.
4. Wrap up: Document the incident's details, discuss lessons learned, and adjust plans and defenses.
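
Worked example for the analysis step (baseline the infrastructure, review flow data, identify what differentiates the attack traffic from benign traffic). This is an added example, not part of the original cheat sheet. It reads a constructed NetFlow-style CSV export covering a 10-second window and a constructed quiet-period baseline, both embedded in the script, and reports the traits you would bring to the ISP call: rate versus baseline, share of SYN-only packets, destination-port concentration, and the individual sources heavy enough to filter. The column names, the baseline figures and the thresholds are assumptions; real exports from nfdump, softflowd or a router's flow logs use other columns.

```python
"""Added example (not from the cheat sheet): find what differentiates the
attack traffic from your baseline, using a constructed NetFlow-style CSV
export. Real exports (nfdump, softflowd, router flow logs) use other column
names; adapt parse_flows() to yours. All thresholds below are assumptions."""
import csv
import io
from collections import Counter

# Constructed sample: a 10-second window during a suspected SYN flood
# against a web server. flags is the union of TCP flags seen in the flow.
SAMPLE_FLOWS = """\
src,dst,dport,proto,flags,packets,bytes
203.0.113.10,198.51.100.5,80,tcp,S,4200,168000
203.0.113.11,198.51.100.5,80,tcp,S,3900,156000
203.0.113.12,198.51.100.5,80,tcp,S,4100,164000
203.0.113.13,198.51.100.5,80,tcp,S,3800,152000
192.0.2.20,198.51.100.5,443,tcp,SA,310,280000
192.0.2.21,198.51.100.5,443,tcp,SA,290,265000
192.0.2.22,198.51.100.9,53,udp,,120,9600
192.0.2.23,198.51.100.5,80,tcp,SA,200,150000
"""
WINDOW_SECONDS = 10

# Constructed baseline from a quiet period. Having these numbers at all is
# the payoff of baselining before the incident, as the cheat sheet advises.
BASELINE = {"pps": 250.0, "syn_only_ratio": 0.05, "top_dport_share": 0.60}


def parse_flows(text):
    """Parse the CSV export into dicts with integer packet and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize(flows, window_seconds=WINDOW_SECONDS):
    """Reduce a window of flows to the handful of numbers worth comparing."""
    total = sum(f["packets"] for f in flows)
    if total == 0:
        return {"pps": 0.0, "syn_only_ratio": 0.0, "top_dport": None,
                "top_dport_share": 0.0, "top_sources": []}
    # Flows that only ever carried SYN (no ACK seen) are the mark of a
    # half-open connection flood; legitimate clients complete the handshake.
    syn_only = sum(f["packets"] for f in flows
                   if f["proto"] == "tcp" and f["flags"] == "S")
    by_src, by_dport = Counter(), Counter()
    for f in flows:
        by_src[f["src"]] += f["packets"]
        by_dport[(f["proto"], f["dport"])] += f["packets"]
    (proto, port), top_pkts = by_dport.most_common(1)[0]
    return {
        "pps": total / window_seconds,
        "syn_only_ratio": syn_only / total,
        "top_dport": f"{proto}/{port}",
        "top_dport_share": top_pkts / total,
        "top_sources": by_src.most_common(5),
    }


def differentiators(summary, baseline=BASELINE, factor=4.0,
                    window_seconds=WINDOW_SECONDS):
    """Return the traits that separate this window from baseline.

    These are the specifics the cheat sheet says to bring to the ISP:
    which sources, which destination port, which TCP flags.
    """
    findings = []
    if summary["pps"] > factor * baseline["pps"]:
        findings.append("rate %.0f pps is %.1fx baseline"
                        % (summary["pps"], summary["pps"] / baseline["pps"]))
    if (summary["syn_only_ratio"] > 0.5
            and summary["syn_only_ratio"] > factor * baseline["syn_only_ratio"]):
        findings.append("%.0f%% of packets are SYN-only (half-open flood)"
                        % (100 * summary["syn_only_ratio"]))
    if summary["top_dport_share"] > baseline["top_dport_share"]:
        findings.append("%.0f%% of packets target %s"
                        % (100 * summary["top_dport_share"], summary["top_dport"]))
    # A single source sending more than the whole quiet-period rate is an
    # obvious candidate for an upstream filter or rate limit.
    heavy = [src for src, pkts in summary["top_sources"]
             if pkts / window_seconds > baseline["pps"]]
    if heavy:
        findings.append("heavy sources: " + ", ".join(heavy))
    return findings


if __name__ == "__main__":
    for line in differentiators(summarize(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Run against the embedded sample, the script reports a rate several times baseline, roughly 95% SYN-only packets, tcp/80 as the concentrated target, and the four 203.0.113.x sources as heavy; a quiet window with the same baseline yields no findings. Those four lines, not "we are under attack", are what makes the request to the ISP actionable.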

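
Worked example for the mitigation bullets on being specific with the ISP and on the whitelist of sources you must keep reachable. This is an added example, not part of the original cheat sheet. It aggregates the sources identified as attackers into /24 blackhole candidates, refuses to blackhole any block that overlaps a whitelisted customer or partner prefix (a blackhole is all-or-nothing), and separates whitelisted hosts, which should be investigated rather than blocked, from hosts to rate limit. The documentation-range addresses, the /24 granularity and the three-host threshold are constructed assumptions; the code handles IPv4 only.

```python
"""Added example (not from the cheat sheet): turn the attack sources you
identified into a specific request for the ISP, while honouring the
whitelist of sources you must keep reachable. IPv4 only; the documentation
addresses, the /24 granularity and the 3-host threshold are assumptions."""
import ipaddress

# Constructed: sources the analysis singled out as attack traffic.
ATTACK_SOURCES = [
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
    "203.0.113.77",
    "198.51.100.40", "198.51.100.200",
    "192.0.2.200",
]

# Constructed whitelist, prepared before the incident: a large customer's
# range and a partner's VPN endpoints. Traffic from these must be allowed.
WHITELIST = ["198.51.100.0/25", "192.0.2.0/25"]


def build_request(sources, whitelist, prefixlen=24, min_hosts=3):
    """Split attack sources into blackhole prefixes, rate-limit hosts and
    whitelisted hosts that must not be blocked at all.

    A /prefixlen becomes a blackhole candidate only if at least min_hosts
    attackers sit in it AND it does not overlap any whitelisted network; a
    blackhole is all-or-nothing, so any overlap forces host-level handling.
    """
    allow = [ipaddress.ip_network(n) for n in whitelist]
    groups = {}
    for s in sources:
        addr = ipaddress.ip_address(s)
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups.setdefault(net, []).append(addr)

    req = {"blackhole": [], "rate_limit": [], "whitelisted": []}
    for net, hosts in sorted(groups.items()):
        overlaps_allow = any(net.overlaps(a) for a in allow)
        if not overlaps_allow and len(hosts) >= min_hosts:
            req["blackhole"].append(str(net))
            continue
        for host in sorted(hosts):
            if any(host in a for a in allow):
                # Whitelisted: investigate (compromised customer box? spoofed
                # source?) rather than block.
                req["whitelisted"].append(str(host))
            else:
                req["rate_limit"].append(str(host))
    return req


def format_request(req):
    """Plain-text body for the ISP ticket: explicit scope, one change set,
    so the effect of this change can be measured before asking for more."""
    lines = ["Requested upstream mitigation (single change set; we will "
             "re-measure before requesting further changes):"]
    lines += [f"  blackhole    {net}" for net in req["blackhole"]]
    lines += [f"  rate-limit   {host}" for host in req["rate_limit"]]
    lines += [f"  do not block {host} (whitelisted; under investigation)"
              for host in req["whitelisted"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_request(build_request(ATTACK_SOURCES, WHITELIST)))
```

With the embedded data the request asks to blackhole 203.0.113.0/24, to rate limit 192.0.2.200 and 198.51.100.200 individually because their /24s overlap whitelisted prefixes, and to leave 198.51.100.40 alone because it is itself whitelisted. Keeping the ticket to one change set follows the "one change at a time" rule above: if the attack shifts after the ISP applies it, you know which change caused what.
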
Additional DDoS Response References

Denial of Service Attack Detection Techniques: http://www.computer.org/portal/site/dsonline...
A Summary of DoS/DDoS Prevention, etc. Techniques: http://sans.org/reading_room/whitepapers/intrusion/1212.php
Network Protocols and Tools Cheat Sheets: http://packetlife.net/cheatsheets/

This cheat sheet incorporates insights from Daniel Fairchild, Chris Lemieux, Peter McLaughlin, Jose Nazario, Donald Smith, Jim Tuttle, and Lenny Zeltser. It was compiled by Lenny Zeltser, and is distributed according to the Creative Commons v3 Attribution License. File version 1.3.
