IRM 4 DDoS

1 Preparation
Objective: Establish contacts, define procedures, and gather information to save time during an attack.

Internet Service Provider support
Contact your ISP to understand the DDoS mitigation services it offers (free and paid) and what process you should follow.
If possible, subscribe to a redundant Internet connection.
If possible, subscribe to an Anti-DDoS service provider.
Establish contacts with your ISP and law enforcement entities. Make sure that you have the possibility to use an out-of-band communication channel (e.g.: phone).

Inventory
Create a whitelist of the IP addresses and protocols you must allow if prioritizing traffic during an attack. Don't forget to include your critical customers, key partners, etc.
Document your IT infrastructure details, including business owners, IP addresses and circuit IDs, routing settings (AS, etc.); prepare a network topology diagram and an asset inventory.

Network infrastructure
Design a good network infrastructure without Single Point of Failure or bottleneck.
Distribute your DNS servers and other critical services (SMTP, etc.) through different AS.
Harden the configuration of network, OS, and application components that may be targeted by DDoS.
Baseline your current infrastructure's performance, so you can identify the attack faster and more accurately.
If your business is Internet dependent, consider purchasing specialized DDoS mitigation products or services.
Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IP addresses get attacked. 600 is a good TTL value.
Depending on the criticality of your services, consider setting up a backup that you can switch on in case of issue.

Internal contacts
Establish contacts for your IDS, firewall, systems, and network teams.
Collaborate with the business lines to understand the business implications (e.g., money loss) of likely DDoS attack scenarios.
Involve your BCP/DR planning team on DDoS incidents.

The "preparation" phase is to be considered as the most important element of a successful DDoS incident response.

2 Identification
Objective: Detect the incident, determine its scope, and involve the appropriate parties.

Analyze the attack
Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it.
Understand if you are the target of the attack or a collateral victim.
Review the load and log files of servers, routers, firewalls, applications, and other affected infrastructure.
Identify what aspects of the DDoS traffic differentiate it from benign traffic:
- Source IP addresses, AS, etc.
- Destination ports
- URLs
- Protocol flags
Network analysis tools can be used to review the traffic: Tcpdump, Tshark, Snort, Argus, Ntop, Aguri, MRTG.
If possible, create a NIDS signature to help differentiate between benign and malicious traffic.

Involve internal and external actors
Contact your internal teams to learn about their visibility into the attack.
Contact your ISP to ask for help. Be specific about the traffic you'd like to control:
- Network blocks involved
- Source IP addresses
- Protocols
Notify your company's executive and legal teams.

Check the background
Find out whether the company received an extortion demand as a precursor to the attack.
Search whether anyone might have an interest in threatening your company:
- Competitors
- Ideologically-motivated groups (hacktivists)
- Former employees

3 Containment
Objective: Mitigate the attack's effects on the targeted environment.

If the bottleneck is a particular feature of an application, temporarily disable that feature.
Attempt to throttle or block DDoS traffic as close to the network's "cloud" as possible via a router, firewall, load balancer, specialized device, etc.
Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings.
If possible, switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic targeting the original IP addresses.
Set up an alternate communication channel between you and your users/customers (e.g.: web server, mail server, voice server, etc.).
If possible, route traffic through a traffic-scrubbing service or product via DNS or routing changes (e.g.: sinkhole routing).
Configure egress filters to block the traffic your systems may send in response to DDoS traffic (e.g.: backscatter traffic), to avoid adding unnecessary packets to the network.
In case of an extortion attempt, try to buy time with the fraudster. For example, explain that you need more time in order to get management approval.

If the bottleneck is at the ISP's side, only the ISP can take efficient actions. In that case, work closely with your ISP and make sure you share information efficiently.
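The Identification step asks you to find what separates the flood from benign traffic (source IP and AS, destination port, URL, protocol flags), to check whether you are the target or a collateral victim, and it relies on the performance baseline built during Preparation. The script below is an added example, not part of the CERT SG cheat sheet: it compares a traffic window against a baseline window and reports the feature values that dominate the window but were rare before, which are the candidates for ACLs, rate limits or a NIDS signature. The Flow record, the addresses, the AS numbers and both windows are constructed for the demonstration; in practice the records would be exported from tools such as tcpdump, Tshark or Argus.

```python
"""Added example (not from the cheat sheet): baseline-vs-window comparison
surfacing the features that distinguish DDoS traffic from benign traffic.
All records, addresses and AS numbers below are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_asn: int
    dst_ip: str
    dst_port: int
    proto: str
    tcp_flags: str   # "S" = bare SYN, "PA" = data segment, "" = non-TCP
    url: str         # "" for non-HTTP flows
    nbytes: int


OUR_IPS = {"203.0.113.10"}   # constructed: the web front end being defended


def mk(n: int, src_ip: str, asn: int, port: int, flags: str, url: str, nbytes: int,
       dst_ip: str = "203.0.113.10") -> List[Flow]:
    """Build n identical constructed TCP flow records."""
    return [Flow(src_ip, asn, dst_ip, port, "tcp", flags, url, nbytes) for _ in range(n)]


# Constructed baseline window (a normal hour): a few customers in several ASes,
# mostly completed sessions, the occasional bare SYN.
BASELINE: List[Flow] = (
    mk(6, "198.51.100.4", 64496, 443, "PA", "/index.html", 1200)
    + mk(5, "198.51.100.9", 64496, 443, "PA", "/login", 900)
    + mk(4, "192.0.2.77", 64497, 443, "PA", "/api/orders", 3000)
    + mk(3, "192.0.2.12", 64498, 25, "PA", "", 8000)
    + mk(2, "198.51.100.200", 64499, 443, "S", "", 60)
)

# Constructed attack window: part of the normal traffic survives, plus 40 bare
# SYNs from 40 never-seen sources in one AS and 25 GETs for one expensive URL.
ATTACK: List[Flow] = (
    BASELINE[:8]
    + [Flow(f"192.0.2.{i}", 64500, "203.0.113.10", 443, "tcp", "S", "", 60)
       for i in range(100, 140)]
    + mk(25, "198.51.100.66", 64500, 443, "PA", "/search?q=*", 400)
)


def share(flows: Iterable[Flow], key: Callable[[Flow], Hashable]) -> Dict[Hashable, float]:
    """Fraction of flows per distinct value of `key`."""
    counts = Counter(key(f) for f in flows)
    total = sum(counts.values()) or 1
    return {k: v / total for k, v in counts.items()}


def differentiators(baseline: Iterable[Flow], window: Iterable[Flow],
                    key: Callable[[Flow], Hashable],
                    min_share: float = 0.3, min_ratio: float = 4.0) -> Dict[Hashable, float]:
    """Values of `key` that dominate `window` (at least `min_share` of its flows)
    and are at least `min_ratio` times more frequent than in `baseline`."""
    base, cur = share(baseline, key), share(window, key)
    return {k: round(s, 3) for k, s in cur.items()
            if s >= min_share and s >= min_ratio * base.get(k, 0.0)}


def source_spread(flows: Iterable[Flow]) -> float:
    """Distinct sources per flow; close to 1.0 means every source sent a single
    flow, typical of spoofed or botnet floods rather than real clients."""
    flows = list(flows)
    return len({f.src_ip for f in flows}) / len(flows)


def target_share(flows: Iterable[Flow], our_ips=OUR_IPS) -> float:
    """Fraction of the window aimed at our addresses; a small value means the
    attack is hitting a neighbour and we are a collateral victim."""
    flows = list(flows)
    return sum(f.dst_ip in our_ips for f in flows) / len(flows)


def analyze(baseline: List[Flow], window: List[Flow]) -> Dict[str, object]:
    """Report per feature the values that differentiate the window from the baseline."""
    keys: Dict[str, Callable[[Flow], Hashable]] = {
        "src_ip": lambda f: f.src_ip, "src_asn": lambda f: f.src_asn,
        "dst_port": lambda f: f.dst_port, "tcp_flags": lambda f: f.tcp_flags,
        "url": lambda f: f.url,
    }
    report: Dict[str, object] = {n: differentiators(baseline, window, k) for n, k in keys.items()}
    report["source_spread"] = round(source_spread(window), 3)
    report["target_share"] = round(target_share(window), 3)
    return report


if __name__ == "__main__":
    for name, value in analyze(BASELINE, ATTACK).items():
        print(f"{name:14} {value}")
```

On the constructed data the report singles out AS 64500, bare SYN segments and the `/search?q=*` URL, while port 443 is not reported because it was already the dominant port in the baseline; that is the point of comparing against a baseline rather than looking at the attack window alone. The thresholds are assumptions to tune against your own baseline.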
4 Remediation
Objective: Take actions to stop the Denial of Service condition.

Contact your ISP and make sure that it enforces remediation measures. For information, here are some of the possible measures:
- Filtering (if possible at level Tier 1 or 2)
- Traffic-scrubbing/Sinkhole/Clean-pipe
- Blackhole Routing
If the DDoS sponsors have been identified, consider involving law enforcement. This should be performed upon the direction of your company's executive and legal teams.

5 Recovery
Roll back the mitigation measures.
Switch back traffic to your original network.
Restart stopped services.
Ensure that the recovery-related actions are decided in accordance with the network teams. Bringing up services could have unexpected side effects.

6 Aftermath
Objective: Document the incident's details, discuss lessons learned, and adjust plans and defences.

Consider what preparation steps you could have taken to respond to the incident faster or more effectively.
If necessary, adjust assumptions that affected the decisions made during DDoS incident preparation.
Assess the effectiveness of your DDoS response process, involving people and communications.

Incident Response Methodology
IRM #4
DDoS incident response
Guidelines to handle Distributed Denial of Service incidents
___________________________________________________
IRM Author: CERT SG / Vincent Ferran-Lacome
IRM version: 1.4
E-Mail: [email protected]
Web: https://cert.societegenerale.com
Twitter: @CertSG

Preparation: get ready to handle the incident
Identification: detect the incident
Containment: limit the impact of the incident
Remediation: remove the threat
Recovery: recover to a normal stage
Aftermath: draw up and improve the process
IRM provides detailed information for each step.

This document is for public use
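Several items of the cheat sheet fit together at the network edge: the Preparation whitelist of addresses and protocols to keep when prioritizing traffic, and the Containment steps of throttling as close to the edge as possible, disabling an attacked application feature, and egress-filtering the backscatter your own hosts would send in answer to the flood. The model below is an added example, not the cheat sheet's or CERT SG's code: whitelisted prefix/protocol pairs always pass, all other inbound traffic shares one token bucket, a disabled port is dropped outright, and an egress rule suppresses bare RSTs and ICMP unreachable messages toward non-whitelisted peers. The packet format, addresses, rates and the simulated traffic mix are constructed; a real deployment would express the same policy on a router, firewall or load balancer.

```python
"""Added example (not from the cheat sheet): edge-side traffic prioritisation
during a DDoS, with whitelist, shared token bucket, disabled feature port and
backscatter egress filter.  Packets, prefixes and rates are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int
    flags: str = ""      # TCP flags, e.g. "S" (SYN), "PA", "R" (bare reset)
    icmp_type: int = -1  # 3 = destination unreachable


class TokenBucket:
    """`rate` packets/s with a `burst` allowance, clocked in milliseconds.
    Tokens are kept in thousandths so the arithmetic stays exact."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.cap = rate, burst * 1000
        self.tokens, self.last_ms = self.cap, 0

    def allow(self, now_ms: int) -> bool:
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class EdgeFilter:
    def __init__(self, whitelist: Iterable[Tuple[str, str]], rate: int, burst: int):
        # (prefix, protocol) pairs that must keep working: critical customers, partners, etc.
        self.whitelist = [(ipaddress.ip_network(p), proto) for p, proto in whitelist]
        self.best_effort = TokenBucket(rate, burst)   # shared by every non-whitelisted source
        self.disabled_ports: Set[int] = set()

    def disable_feature(self, port: int) -> None:
        """Containment: temporarily switch off the application feature (port) being hammered."""
        self.disabled_ports.add(port)

    def is_whitelisted(self, ip: str, proto: Optional[str] = None) -> bool:
        """True when `ip` falls in a whitelisted prefix (for `proto`, or any protocol if None)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net and (proto is None or p in (proto, "any"))
                   for net, p in self.whitelist)

    def ingress(self, pkt: Packet, now_ms: int) -> str:
        """Verdict for an inbound packet: 'pass', 'throttle' or 'drop'."""
        if pkt.dport in self.disabled_ports:
            return "drop"
        if self.is_whitelisted(pkt.src, pkt.proto):
            return "pass"
        return "pass" if self.best_effort.allow(now_ms) else "throttle"

    def egress(self, pkt: Packet) -> str:
        """Verdict for our own outbound packet: drop backscatter (bare RSTs, ICMP
        unreachable) toward non-whitelisted peers so we do not add packets to the flood."""
        backscatter = (pkt.proto == "tcp" and pkt.flags == "R") or \
                      (pkt.proto == "icmp" and pkt.icmp_type == 3)
        if backscatter and not self.is_whitelisted(pkt.dst):
            return "drop"
        return "pass"


def simulate(filt: EdgeFilter, packets: List[Packet], interval_ms: int = 1) -> Dict[Tuple[str, str], int]:
    """Feed packets one per `interval_ms` and tally verdicts per traffic class."""
    tally: Counter = Counter()
    for i, pkt in enumerate(packets):
        cls = "whitelist" if filt.is_whitelisted(pkt.src, pkt.proto) else "other"
        tally[(cls, filt.ingress(pkt, i * interval_ms))] += 1
    return dict(tally)


def demo() -> Dict[Tuple[str, str], int]:
    """Constructed scenario: 50 customer packets, a 200-packet SYN flood at
    1000 pps against a 100 pps best-effort budget, 10 hits on a disabled port."""
    filt = EdgeFilter([("198.51.100.0/24", "tcp"), ("192.0.2.8/32", "any")], rate=100, burst=20)
    filt.disable_feature(8080)   # constructed: an expensive search endpoint under attack
    customer = [Packet(f"198.51.100.{1 + i % 20}", "192.0.2.10", "tcp", 443, "PA") for i in range(50)]
    flood = [Packet(f"203.0.113.{1 + i % 200}", "192.0.2.10", "tcp", 443, "S") for i in range(200)]
    feature = [Packet("203.0.113.250", "192.0.2.10", "tcp", 8080, "PA") for _ in range(10)]
    return simulate(filt, customer + flood + feature)


if __name__ == "__main__":
    for (cls, verdict), n in sorted(demo().items()):
        print(f"{cls:10} {verdict:9} {n}")
```

In the constructed run every whitelisted packet passes, only the burst plus the refill rate of the flood gets through (39 of 200 packets), and the disabled port drops everything regardless of source. The bucket is shared rather than per-source on purpose: a spoofed flood presents a new source for every packet, so per-source limits would let all of it through.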