Creating a DDoS Action Plan, Part 2: Incident Response

August 4

In last week’s post, I went over some useful measures for preventing DDoS (Distributed Denial of Service) attacks. Because no prevention plan is 100% effective, you need to put responsive measures in place to make your DDoS action plan as close to being foolproof as possible.

This is by no means an exhaustive list, but it should get you in the right frame of mind to put together your DDoS incident response plan.

Measure 1. Know the signs of an active DDoS attack.

How can you tell a DDoS attack from, say, a misconfiguration in your network? Akamai security expert Bill Brenner says it’s pretty straightforward:

When you’re dealing with configuration problems, it’s usually a slower, ongoing series of issues; not necessarily something that will knock out the performance of a whole site. If site performance takes a sudden nosedive or is ground to a halt, that’s usually a good indication that a DDoS attack is in play.

Analyst Linda Musthaler expanded on Brenner’s point, citing the list of symptoms published by US-CERT (United States Computer Emergency Readiness Team):

  • Unusually slow network performance opening files or accessing websites
  • Unavailability of a particular website
  • Inability to access any website
  • A dramatic increase in the number of received spam emails
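One way to turn the “sudden nosedive” sign into something a monitoring job can check is to compare each minute’s request volume and source diversity against the minutes just before it. The script below is an added example written for this post, not code from the original article, Akamai, or US-CERT; it parses constructed Common Log Format lines (documentation-range addresses, invented timestamps) and flags a minute whose request count jumps well above the recent baseline while coming from many distinct sources. The threshold values (`factor`, `min_sources`, `baseline_minutes`) are assumptions to tune per site.

```python
"""Flag a sudden, distributed request-rate spike in web access logs (a DDoS indicator).

Added example, not from the original post. The log lines are constructed, the
thresholds are assumptions, and the format assumed is Common Log Format with
timestamps like [04/Aug/2015:10:00:01 +0000].
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, aware datetime, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def bucket_by_minute(lines):
    """Return {minute_epoch: (request_count, distinct_source_count)}."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the monitor
        ip, ts, _status = parsed
        minute = int(ts.timestamp()) // 60
        counts[minute] += 1
        sources[minute].add(ip)
    return {m: (counts[m], len(sources[m])) for m in counts}


def find_spikes(lines, baseline_minutes=3, factor=5.0, min_sources=10):
    """Alert on a minute whose request count is >= factor x the mean of the
    preceding baseline_minutes AND which comes from >= min_sources addresses.
    A slow, steady problem (misconfiguration) will not trip this; a sudden
    flood from many sources will."""
    buckets = bucket_by_minute(lines)
    minutes = sorted(buckets)
    alerts = []
    for i, m in enumerate(minutes):
        if i < baseline_minutes:
            continue  # not enough history yet to judge
        baseline = [buckets[x][0] for x in minutes[i - baseline_minutes:i]]
        mean = sum(baseline) / len(baseline)
        count, distinct = buckets[m]
        if count >= factor * mean and distinct >= min_sources:
            alerts.append({
                "minute": datetime.fromtimestamp(m * 60, tz=timezone.utc).isoformat(),
                "requests": count,
                "sources": distinct,
                "baseline_mean": mean,
            })
    return alerts


def build_sample_log():
    """Constructed sample: three quiet minutes from a few office addresses,
    then one minute of 200 requests from 50 distinct addresses."""
    lines = []
    for minute in range(3):
        for n in range(10):
            ip = f"203.0.113.{n % 3 + 1}"
            lines.append(
                f'{ip} - - [04/Aug/2015:10:0{minute}:{n:02d} +0000] '
                f'"GET /index.html HTTP/1.1" 200 1024'
            )
    for n in range(200):
        ip = f"198.51.100.{n % 50 + 1}"
        lines.append(
            f'{ip} - - [04/Aug/2015:10:03:{n % 60:02d} +0000] "GET / HTTP/1.1" 503 0'
        )
    return lines


if __name__ == "__main__":
    for alert in find_spikes(build_sample_log()):
        print(alert)
```

Distinct-source count is what separates this from an ordinary traffic surge: a single misbehaving client or a broken load balancer health check inflates request volume but not source diversity, so it does not page anyone.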

Measure 2. Call your ISP or hosting provider ASAP.

No doubt you have your ISP and/or hosting provider on speed dial. Call them immediately, says Paul Rubens of eSecurity Planet:

[T]ell them you are under attack and ask for help…Depending on the strength of the attack, the ISP or hoster may already have detected it, or they may themselves start to be overwhelmed by the attack. If an attack is large enough, the first thing a hosting company or ISP is likely to do is “null route” your traffic — which results in packets destined for your Web server being dropped before they arrive. To get the website back online, your ISP or hosting company may divert traffic to a “scrubber” where the malicious packets can be removed before the legitimate ones are sent on to your Web server.

This measure also applies to your MSP if you’re using one. And don’t forget about the SLAs in your contracts; they’re a good bargaining chip to have in these types of situations.

Measure 3. Implement some general rules to help mitigate the attack.

This measure probably belonged in my previous post as a corollary to reviewing and updating your existing security plan, but I decided it would have a greater impact here (I’m assuming you are not reading this in the throes of a DDoS attack). In any event, you can do several things on your end to mitigate the impact of a DDoS attack.

Services company Neustar provided these general rules of thumb for DDoS mitigation:

  • Turn down any unnecessary port or protocol. Implement your Access Control List entries to stop all other protocols and ports from entering your network.
  • Execute your IP blacklist. “Become familiar with trusted security related websites that have lists of IP addresses known for delivering malicious traffic. These IP addresses, or ranges, can be added to an IP blacklist so their traffic will never reach your infrastructure.”
  • Block invalid and malformed packets from entering your network. If you don’t have the technology to handle this, consider outsourcing this task to your MSP or another security specialist.
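The three rules above describe an edge-filter policy: permit only the ports and protocols the service needs, drop sources on a blocklist, and drop packets that are invalid on their face. The following is an added example, not code from the original post or from Neustar, that models that policy as a classifier over constructed packet records so the ordering and reasons can be tested before they are translated into a real ACL or firewall rule set. The blocklist ranges, the set of allowed services (a plain web server on TCP 80/443) and the packet fields are assumptions; the bogon list is the usual private/loopback/link-local/multicast space that should never appear as a source on an internet-facing edge.

```python
"""Model of an ingress filter for the three mitigation rules: allowed
services only, blocklisted sources dropped, invalid packets dropped.

Added example, not from the post or Neustar. Packets are constructed dicts
({"src", "dst", "proto", "dport", "flags"}), not captured traffic; blocklist
ranges and the allowed-service set are assumptions.
"""
import ipaddress
from collections import Counter

# Rule 1: only the services this host actually offers (assumed: a web server).
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}

# Rule 2: constructed blocklist, standing in for a reputation feed (documentation ranges).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.64/27")]

# Rule 3a: source ranges that are never valid on an internet-facing edge.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Rule 3b: TCP flag combinations that no legitimate stack sends.
INVALID_TCP_FLAG_SETS = {
    frozenset(),                        # "null" scan / malformed
    frozenset({"SYN", "FIN"}),
    frozenset({"SYN", "RST"}),
    frozenset({"FIN", "PSH", "URG"}),   # "xmas"
}


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(packet):
    """Return "accept" or "drop:<reason>" for one packet record.
    Cheapest, most certain checks run first so floods are rejected early."""
    try:
        src = ipaddress.ip_address(packet["src"])
        dst = ipaddress.ip_address(packet["dst"])
    except (KeyError, ValueError):
        return "drop:unparseable-address"
    if _in_any(src, BOGONS):
        return "drop:bogon-source"
    if src == dst:
        return "drop:src-equals-dst"
    if _in_any(src, BLOCKLIST):
        return "drop:blocklisted-source"
    proto = packet.get("proto", "").lower()
    if proto == "tcp":
        flags = frozenset(packet.get("flags", ()))
        if flags in INVALID_TCP_FLAG_SETS:
            return "drop:invalid-tcp-flags"
    if (proto, packet.get("dport")) not in ALLOWED_SERVICES:
        return "drop:protocol-or-port-not-allowed"
    return "accept"


def summarize(packets):
    """Count verdicts over a batch; useful for checking a policy against a capture."""
    return Counter(classify(p) for p in packets)


# Constructed sample traffic covering each branch of the policy.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "flags": {"SYN"}},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"SYN"}},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"SYN"}},
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"SYN"}},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"SYN", "FIN"}},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "dport": 53},
    {"src": "not-an-ip", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "flags": {"SYN"}},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["src"], "->", classify(p))
    print(summarize(SAMPLE_PACKETS))
```

The check order matters in practice: bogon and blocklist tests are cheap address-range lookups, so putting them first means the bulk of a flood is discarded before any per-packet protocol inspection runs.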

Do you have other DDoS mitigation tips to suggest? Let us know in the comments!

Photo credit: Mark Steele via Flickr