Security Experts:

Creating a DDoS Attack Action Plan

Defending Against DDoS Attacks: Do You Have an Action Plan in Place?

In my career I have been asked how to respond to a DDoS attack. What do you do? Who do you call? Ghost Busters? What are the options?

If you do business it means that you rely on the Internet in some capacity, even if just for email. Determining whether or not you are being victimized isn’t always because many attacks and compromises leave no trace. Some are obvious by design. DDoS, or Distributed Denial of Service, attacks are very much in-your-face type of attacks. Funny that DDoS can wipe many organizations off the Internet attacks and they still scratch their heads and wonder why their internet link is up, but no traffic is going through it! There has been a raise in these types of attacks over the last few years. DDoS attacks are common; the miscreants typically use computers that are infected by a virus, or a bot net, which have become commoditized. Anyone can rent a bot net for a huge DDoS attack, and pay for it with a credit card! (Even a stolen credit card.) The DDoS client, which sends the attack traffic, is a simple light weight program that is readily available on line. Hackivests have deployed several well-made DDoS tools to their legions to use against their targets.

Defending Against DDos AttacksIf you are being attacked with a DDoS attack, the target – a web server – mail server – DNS server – or even parts of an application, will slow down and stop from over use. The finite “stuff” that provides the service will be used up by the bad guys leaving nothing for legitimate users. A DDoS attack that does not stop a service for an extended, or business impacting time frame, is not a successful attack. If there is no business impact then it is not successful.

Assume you are in the throws of a large-scale attack: your DNS servers are down, your uplink to your service provider is at 100%, the pps on your routers are through the roof. You say to yourself, “Self, I think we are being DDoSed! Now what do I do?”

I am assuming you do not have a DDoS mitigation service, if so all your problems should go away. So, here is what you need to do, in this order:

Define the scope of the attack. What exactly is being attacked? Web services, mail, DNS, the entire network? This is typically done by having the IT and Network teams check their NMS to see which devices are peaking out on CPU/ Memory/ Network. If you don’t have a NMS, to check individual devices for the same. If the attack is against web services it is usually obvious because the web page stops working and you get a timeout error. If your services are cloud-based or hosted, get your service provider on the phone and find out what they are seeing on the upstream link. They will almost certainly have a sophisticated NMS that will make the attack visible.

Mitigate the attack the best you can. Do this by turning on all of the DDoS options on your network equipment. Most routers and switches and Proxies and Firewalls come with limited DDoS filtering options. This allows them to timeout half open connections and other odd packets at a much more aggressive rate, closing a session before they can clog a machine. Look for any obvious trends in the attack traffic, like source IP or subnet. By design, the attack traffic comes at you from the four corners of the internet and aggregates on you, making that type of filtering difficult. Call your service provider to see if they have any capacity to filter traffic bound for your network, which you might have to pay for. Sadly, if the attack volume is large, then the aggregating DDoS traffic will overwhelm your service provider’s local distribution network. This will essentially cause collateral damage to their network and other customers who have the bad luck to be logically on the same service provider infrastructure. They will then black-hole your route, essentially completing the DDoS attack by routing all traffic destined to your network to dev/null. Dev/null is sad. Once you go to dev/null, you are never seen again, ever.

Call an expert. If you have an existing relationship with a computer consultancy call them right away and see if they can point you in the right direction. A network security guy will be able to help direct the mitigation, ask the right questions of your service providers, and help pick up the pieces and provide an after action report on improving your chances of stopping an attack the next time. Expect a bill for about $250/ hour.

Call the cops. Do not call the police to ask for help, just to report the crime. They have zero interest helping you with the immediate problem, although it is against the law to DDoS someone. Unless you are Amazon, or a big name, do not expect anyone in law enforcement to be as concerned by your attack as you are. Law Enforcement tends to be way behind the power curve when it comes to dealing effectively with all cyber crime. Do not call the local police emergency number. Call the non-emergency number to get the ball rolling. Expect a lot of questions because local police typically do not deal with these things, nor do they have any expertise. Expect someone to take a report, but do not expect anyone to hunt down the bad guys and arrest them. A word of caution: Check the local disclosure laws. Once the cops know, then there is a chance the whole world will know.

Post Facto. After the attack is over, which they all are at some point, then figure out the who, what, and why. Consider probabilities vs. benefits when considering mitigation strategies. Some organizations are more prone to DDoS attacks, and some organizations can be hurt worse than others. Ask yourself, are you in a high-risk industry? Digital rights, copy write enforcement, government or political affiliations, gaming, gambling, or adult entertainment? These are higher risk.

Does your business depend on near 100% uptime or you lose money? Gaming, bank, B2C or B2B ecommerce? These industries are susceptible to extortion rackets – pay or be DDoSed. If the probably of another attack is low, and the business consequence is low, plan your mitigation strategy and budget with that in mind. If the probably is high, and the consequence high, plan likewise.

Develop processes and procedures to deal with these things so you don’t have to invent a plan during the problem. Consider infrastructure modifications to limit the depth and damage of a DDoS attack, consider a DDoS service, and update your BCDR plan. Plan, plan, plan.

Subscribe to the SecurityWeek Email Briefing
view counter
Adam Rice runs ALR Systems, LCC, an independent Security Consultancy. He has over 17 years of leadership experience within the security industry. He has filled several CSO and CISO roles, as well as positions in senior roles within Security Professional Services, Operations, and Managed Security Services. Adam has broad expertise in the establishment and management of global corporate security organizations and the management of all risks to his customers to include physical security, information security, personnel security, and executive security. Adam also spent 23 years with the US Army’s Special Forces, as an Operational Senior Special Forces NCO, with time in the regular Army and National Guard.