In a post on the ICANN blog, Dave Piscitello outlined some essential tasks for organizations to take should they find themselves the victim of a DDoS. Regardless of the reason for the attack, speed is the one thing that will make all the difference in mitigation and recovery.
“The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service,” the ICANN post explains.
According to Akamai, DDoS attacks more than tripled in 2012 when compared to the volume a year previous. In the fourth quarter alone, 768 Akamai customers reported such attacks, with commerce being the hardest hit of all the market segments – followed by media and entertainment, financial institutions, high tech and public sector firms.
“In many ways, DDoS has become the weapon of choice for multiple types of attackers, from political activists to criminals, and potentially even nation-states,” Akamai said.
Akamai’s finding seem to align with those reported by NeuStar last week, when the company said that 35% of organizations surveyed experienced some sort of disruptive DDoS attack last year.
“The consequences of being unprepared to mitigate a DDoS attack can be crippling to businesses,” Alex Berry, a senior vice-president of enterprise services at Neustar, said in a statement.
Avoiding such crippling problems is what ICANN is attempting to do in their post. As a first line of defense, the post says to reach out to the service providers such as the ISP or the NOC that handles the hosting. But that only works if you know the provider’s emergency contact numbers or have access to the support staff that deals with such attacks. Thus, if such information isn’t readily available, it needs to be.
“If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team,” the post says. “CERT/CIRT organizations or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.”
If the organization believes that a crime is being committed, or if there were threats made before the DDoS attack appeared, law enforcement should be contacted. Likewise, if the services under attack are critical, such as emergency services, then law enforcement needs to be involved in the response. However, they should not be contacted to mitigate an attack.
Finally, ICANN advises organizations to collect as much intelligence as possible about the attack, including timeframes, suspicious on the nature of the attack, traffic analysis – including type and packet characteristics, changes in attack traffic, and assessments of the overall impact.
Additional details can be seen on the ICANN post, including references to additional sources of information and response planning.