ddos-incident-cheat-sheet by ashrafp


NETWORK DDOS INCIDENT RESPONSE CHEAT SHEET

Tips for responding to a network distributed denial-of-service (DDoS) incident.

General Considerations

- DDoS attacks often take the form of flooding the network with unwanted traffic; some attacks focus on overwhelming the resources of a specific system.
- It will be very difficult to defend against the attack without specialized equipment or your ISP's help.
- Often, too many people participate during incident response; limit the number of people on the team.
- DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans get tired.
- Understand your equipment's capabilities in mitigating a DDoS attack. Many under-appreciate the capabilities of their devices, or overestimate their performance.

Prepare for a Future Incident

- If you do not prepare for a DDoS incident in advance, you will waste precious time during the attack.
- Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you should follow.
- Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an attack. Include your big customers, critical partners, etc.
- Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IPs get attacked.
- Establish contacts for your ISP, law enforcement, IDS, firewall, systems, and network teams.
- Document your IT infrastructure details, including business owners, IP addresses and circuit IDs; prepare a network topology diagram and an asset inventory.
- Understand the business implications (e.g., money lost) of likely DDoS attack scenarios.
- If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or services.
- Collaborate with your BCP/DR planning team to understand their perspective on DDoS incidents.
- Harden the configuration of network, OS, and application components that may be targeted by DDoS.
- Baseline your current infrastructure's performance, so you can identify the attack faster and more accurately.

Analyze the Attack

- Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it.
- Review the load and logs of servers, routers, firewalls, applications, and other affected infrastructure.
- Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g., specific source IPs, destination ports, URLs, TCP flags, etc.).
- If possible, use a network analyzer (e.g., tcpdump, ntop, Aguri, MRTG, a NetFlow tool) to review the traffic.
- Contact your ISP and internal teams to learn about their visibility into the attack, and to ask for help.
- If contacting the ISP, be specific about the traffic you'd like to control (e.g., blackhole which network blocks? rate-limit which source IPs?).
- Find out whether the company received an extortion demand as a precursor to the attack.
- If possible, create a NIDS signature to differentiate between benign and malicious traffic.
- Notify your company's executive and legal teams; upon their direction, consider involving law enforcement.

Mitigate the Attack's Effects

- While it is very difficult to fully block DDoS attacks, you may be able to mitigate their effects.
- Attempt to throttle or block DDoS traffic as close to the network's "cloud" as possible via a router, firewall, load balancer, specialized device, etc.
- Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings.
- If possible, switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic targeting the original IPs.
- If the bottleneck is a particular feature of an application, temporarily disable that feature.
- If possible, add servers or network bandwidth to handle the DDoS load. (This is an arms race, though.)
- If possible, route traffic through a traffic-scrubbing service or product via DNS or routing changes.
- If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe.
- Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.

Wrap-Up the Incident and Adjust

- Consider what preparation steps you could have taken to respond to the incident faster or more effectively.
- If necessary, adjust assumptions that affected the decisions made during DDoS incident preparation.
- Assess the effectiveness of your DDoS response process, involving people and communications.
- Consider what relationships inside and outside your organization could help you with future incidents.

Key DDoS Incident Response Steps

1. Preparation: Establish contacts, define procedures, and gather tools to save time during an attack.
2. Analysis: Detect the incident, determine its scope, and involve the appropriate parties.
3. Mitigation: Mitigate the attack's effects on the targeted environment.
4. Wrap-up: Document the incident's details, discuss lessons learned, and adjust plans and defenses.

Additional DDoS Response References

- Denial-of-Service Attack-Detection Techniques: http://www.computer.org/portal/site/dsonline...
- A Summary of DoS/DDoS Prevention, etc. Techniques: http://sans.org/reading_room/whitepapers/intrusion/1212.php
- Network Protocols and Tools Cheat Sheets: http://packetlife.net/cheatsheets/
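As an added example (not part of the original cheat sheet), the following script shows how the analysis steps above fit together: compare per-source traffic against a pre-attack baseline, exclude the whitelisted sources you must keep allowing, and summarize the destination ports and TCP flags that set the flagged sources apart, so the request to the ISP ("rate-limit which source IPs?") is specific. The flow records, whitelist and baseline value are constructed for illustration; the flow tuple format is an assumed simplification of NetFlow-style output.

```python
"""Triage constructed flow records to find DDoS traffic characteristics."""
from collections import Counter

# Constructed sample flows: (src_ip, dst_port, tcp_flags, packets).
# "S" = SYN only (no further handshake seen); "SPA" = a completed session.
SAMPLE_FLOWS = [
    ("203.0.113.5", 80, "S", 4000),
    ("203.0.113.6", 80, "S", 3900),
    ("203.0.113.7", 80, "S", 4100),
    ("198.51.100.10", 443, "SPA", 120),  # ordinary customer session
    ("198.51.100.11", 443, "SPA", 95),
    ("192.0.2.9", 80, "S", 3500),        # noisy but whitelisted partner
]

# Constructed whitelist: sources that must be allowed (big customers, partners).
WHITELIST = {"192.0.2.9"}

# Constructed baseline: packets per source per interval seen before the attack.
BASELINE_PKTS_PER_SRC = 150


def summarize(flows):
    """Return per-source packet totals and the share of SYN-only flows."""
    pkts, syn_only, nflows = Counter(), Counter(), Counter()
    for src, _port, flags, n in flows:
        pkts[src] += n
        nflows[src] += 1
        if flags == "S":
            syn_only[src] += 1
    return pkts, {s: syn_only[s] / nflows[s] for s in pkts}


def candidates_for_isp(flows, baseline=BASELINE_PKTS_PER_SRC, factor=10):
    """Sources exceeding baseline*factor packets, never including the whitelist.
    Sorted by volume so the top entries are the ones to name in the ISP request."""
    pkts, syn_ratio = summarize(flows)
    out = [(src, n, syn_ratio[src]) for src, n in pkts.items()
           if src not in WHITELIST and n > baseline * factor]
    return sorted(out, key=lambda t: -t[1])


def differentiators(flows, candidates):
    """(dst_port, flags) histograms for flagged sources vs. everyone else."""
    flagged = {src for src, _n, _r in candidates}
    attack = Counter((p, f) for s, p, f, _ in flows if s in flagged)
    benign = Counter((p, f) for s, p, f, _ in flows if s not in flagged)
    return attack, benign
```

Running candidates_for_isp over the constructed flows yields the three 203.0.113.x sources, each with a 100% SYN-only ratio, while the whitelisted partner stays off the list even though its volume is high.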

This cheat sheet incorporates insights from Daniel Fairchild, Chris Lemieux, Peter McLaughlin, Jose Nazario, Donald Smith, Jim Tuttle, and Lenny Zeltser. It was compiled by Lenny Zeltser, and is distributed according to the Creative Commons v3 "Attribution" License. File version 1.3.
