The French Computer Emergency Response Team (CERT) Societe Generale has released a guide to help businesses prepare and defend against Distributed Denial of Service (DDoS) attacks.
The guide covers preparation, identification, containment, remediation, and aftermath and is the fourth incident response management document released by the CERT.
The CERT said it hopes the document (pdf) will be a useful resource, but that it preferred to “stay under the radar” regarding the prevalence of DDoS and what actions victims typically take.
In Australia, DDoS attacks have remained a problem for businesses.
“DDoS is still a problem and is driven by the same motives,” AusCERT senior information security analyst Zane Jarvis said. “They do it because it works.”
Log review is the most important step in DDoS defence, Jarvis said, because it helps to ascertain if an attack can be blocked.
“We then can work with upstream providers to block the attack, or reach out to the security community to clean infected machines.”
Australian DDoS victims should contact AusCERT as a first response.
Responding to DDoS
- Establish contacts with ISPs and law enforcement, and relevant internal staff.
- Create a whitelist of priority IP address and protocols and map infrastructure.
- Harden potential network infrastructure targets and baseline its performance so an attack can be quickly identified.
- Set the DNS time-to-live settings for potential target infrastructure to about 600 to facilitate DNS redirection.
- Work out a ballpark cost of an attack.
- Review source IP addresses, destination ports, URLs and protocol flags, and be specific about what your ISP should block.
- Find out whether the company received an extortion demand before the attack and establish suspects.
Containment / remediation:
- Disable application bottlenecks, and block DDoS traffic as close to cloud service as possible.
- Consider switching to alternate sites with DNS and blackhole attack traffic to the affected site. Also consider sinkhole routing.
- Set outbound filters to block responses to DdoS traffic.
- Call a national CERT and the police and provide them with detailed notes.
Aftermath / recovery:
- Check with network teams before setting services live.
- Assess what worked, what did not and build the experience into your disaster recovery.