Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Incident Response

Creating a DDoS Attack Action Plan

Defending Against DDoS Attacks: Do You Have an Action Plan in Place?

In my career I have been asked how to respond to a DDoS attack. What do you do? Who do you call? Ghost Busters? What are the options?

Defending Against DDoS Attacks: Do You Have an Action Plan in Place?

In my career I have been asked how to respond to a DDoS attack. What do you do? Who do you call? Ghost Busters? What are the options?

If you do business it means that you rely on the Internet in some capacity, even if just for email. Determining whether or not you are being victimized isn’t always because many attacks and compromises leave no trace. Some are obvious by design. DDoS, or Distributed Denial of Service, attacks are very much in-your-face type of attacks. Funny that DDoS can wipe many organizations off the Internet attacks and they still scratch their heads and wonder why their internet link is up, but no traffic is going through it! There has been a raise in these types of attacks over the last few years. DDoS attacks are common; the miscreants typically use computers that are infected by a virus, or a bot net, which have become commoditized. Anyone can rent a bot net for a huge DDoS attack, and pay for it with a credit card! (Even a stolen credit card.) The DDoS client, which sends the attack traffic, is a simple light weight program that is readily available on line. Hackivests have deployed several well-made DDoS tools to their legions to use against their targets.

Defending Against DDos AttacksIf you are being attacked with a DDoS attack, the target – a web server – mail server – DNS server – or even parts of an application, will slow down and stop from over use. The finite “stuff” that provides the service will be used up by the bad guys leaving nothing for legitimate users. A DDoS attack that does not stop a service for an extended, or business impacting time frame, is not a successful attack. If there is no business impact then it is not successful.

Assume you are in the throws of a large-scale attack: your DNS servers are down, your uplink to your service provider is at 100%, the pps on your routers are through the roof. You say to yourself, “Self, I think we are being DDoSed! Now what do I do?”

I am assuming you do not have a DDoS mitigation service, if so all your problems should go away. So, here is what you need to do, in this order:

Define the scope of the attack. What exactly is being attacked? Web services, mail, DNS, the entire network? This is typically done by having the IT and Network teams check their NMS to see which devices are peaking out on CPU/ Memory/ Network. If you don’t have a NMS, to check individual devices for the same. If the attack is against web services it is usually obvious because the web page stops working and you get a timeout error. If your services are cloud-based or hosted, get your service provider on the phone and find out what they are seeing on the upstream link. They will almost certainly have a sophisticated NMS that will make the attack visible.

Mitigate the attack the best you can. Do this by turning on all of the DDoS options on your network equipment. Most routers and switches and Proxies and Firewalls come with limited DDoS filtering options. This allows them to timeout half open connections and other odd packets at a much more aggressive rate, closing a session before they can clog a machine. Look for any obvious trends in the attack traffic, like source IP or subnet. By design, the attack traffic comes at you from the four corners of the internet and aggregates on you, making that type of filtering difficult. Call your service provider to see if they have any capacity to filter traffic bound for your network, which you might have to pay for. Sadly, if the attack volume is large, then the aggregating DDoS traffic will overwhelm your service provider’s local distribution network. This will essentially cause collateral damage to their network and other customers who have the bad luck to be logically on the same service provider infrastructure. They will then black-hole your route, essentially completing the DDoS attack by routing all traffic destined to your network to dev/null. Dev/null is sad. Once you go to dev/null, you are never seen again, ever.

Advertisement. Scroll to continue reading.

Call an expert. If you have an existing relationship with a computer consultancy call them right away and see if they can point you in the right direction. A network security guy will be able to help direct the mitigation, ask the right questions of your service providers, and help pick up the pieces and provide an after action report on improving your chances of stopping an attack the next time. Expect a bill for about $250/ hour.

Call the cops. Do not call the police to ask for help, just to report the crime. They have zero interest helping you with the immediate problem, although it is against the law to DDoS someone. Unless you are Amazon, or a big name, do not expect anyone in law enforcement to be as concerned by your attack as you are. Law Enforcement tends to be way behind the power curve when it comes to dealing effectively with all cyber crime. Do not call the local police emergency number. Call the non-emergency number to get the ball rolling. Expect a lot of questions because local police typically do not deal with these things, nor do they have any expertise. Expect someone to take a report, but do not expect anyone to hunt down the bad guys and arrest them. A word of caution: Check the local disclosure laws. Once the cops know, then there is a chance the whole world will know.

Post Facto. After the attack is over, which they all are at some point, then figure out the who, what, and why. Consider probabilities vs. benefits when considering mitigation strategies. Some organizations are more prone to DDoS attacks, and some organizations can be hurt worse than others. Ask yourself, are you in a high-risk industry? Digital rights, copy write enforcement, government or political affiliations, gaming, gambling, or adult entertainment? These are higher risk.

Does your business depend on near 100% uptime or you lose money? Gaming, bank, B2C or B2B ecommerce? These industries are susceptible to extortion rackets – pay or be DDoSed. If the probably of another attack is low, and the business consequence is low, plan your mitigation strategy and budget with that in mind. If the probably is high, and the consequence high, plan likewise.

Develop processes and procedures to deal with these things so you don’t have to invent a plan during the problem. Consider infrastructure modifications to limit the depth and damage of a DDoS attack, consider a DDoS service, and update your BCDR plan. Plan, plan, plan.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.