You will inevitably be affected by a Distributed Denial of Service (DDoS) attack at some point. A DDoS attack is a shock to the system, and how you react is everything. When it happens, stay calm and accept it. Someone comfortable making the right decisions needs to take control of the situation. There is no quick-fix, do-it-yourself, on-the-spot solution. Any reaction has to be a coordinated and communicated team effort.
Typical knee-jerk reactions to the shock of the attack may be to hastily turn off the network's firewalls and re-configure the load balancers. Don't let anyone put in untracked change requests and emergency upgrades. Continue to follow your company's policies. Step back, analyze the problem, isolate the actual device that fails in the chain, and make an informed adjustment.
Set Up A Command Center
Convert your conference room into a Command Center. Get everyone who influences the organization into that room. This includes marketing, IT, and the CEO. It ensures everyone is on the same page and allows leaders to lead. Do not have three technical people at different points in the stack making decisions or changes that may conflict with each other.
Assign just one person to be the technical lead to coordinate changes and communication with the hosting provider and your network carrier.
Understand whom to communicate with and who is responsible for what when it happens. Who are the people that will be asking questions? What will you explain? What will be their reaction? If you do not know this, no one will do anything – least of all the right thing – for you.
Who is your carrier, and who are your upstream connections? A command center that forms to provide direction and give orders may still fail to communicate outside that group. Tell people which services you are shutting down and which changes you are making, to avoid further internal panic.
To minimize the impact of an attack, different people inside and outside of the organization need to be informed and updated about different things. What do I mean by this?
For example: If you call your carrier and say to them, "we are under DDoS attack," the most common reaction of a host is to blackhole your IP address and turn your organization off.
However, if you are specific: "Host.example.com was attacked. It is on IP 10.10.42. It was hit by UDP flood at exactly this time. These are the IP addresses that were hitting us. Can you tell us what you saw?" your hosting provider still won't be happy, but the evidence you will receive will be so much better.
If you do not know what you are talking about, you will not know what to ask for, and your host, in turn, will not know what to give you. Negative press concerning your organization may be an attacker's real goal. If a customer or the press talks during an attack, let them talk. There is no need to confirm that the DDoS is working, as this will likely draw in more attackers.
Are your email and web server on the same IP address? Is your VOIP server in the same data center on the same host, vulnerable to the same DDoS attack? Many companies host their email, VoIP system, IRC, Wiki, databases, primary storage, and so forth in the same co-location behind the same network connection that hosts their web sites and services.
If you get hit by a DDoS attack and are unprepared, the most important thing to remember is: Do not let anyone override your security protocols!
a) Identify and prioritize critical services that should be maintained during the attack and decide which resources can be turned off or blocked as needed to limit the attack's effects.
b) Lower your DNS TTL to 30min (or 5min) in anticipation of making future A record changes. Even if you don't make changes, it is better to make this adjustment than to find out your TTL is set to 24 hours when you are ready to make a move. Set your TTL back to normal after the DDoS event has passed.
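The TTL adjustment above is easy to get wrong in two ways: missing records that carry their own explicit TTL, and forgetting that resolvers which already cached the old record keep it until the old TTL expires. The following Python script, an added example and not part of the original article, rewrites the A and AAAA records of a BIND-style zone file to a short explicit TTL and computes when a later A record change will actually be fully effective. The zone file, the 86400-second previous TTL and the timestamp are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# One BIND-style resource record line: owner may be blank (inherits the
# previous owner), and the TTL and class fields are both optional.
RECORD_RE = re.compile(
    r"^(?P<name>\S*)\s+(?:(?P<ttl>\d+)\s+)?(?:(?P<cls>IN)\s+)?"
    r"(?P<type>[A-Z]+)\s+(?P<rdata>\S.*)$"
)


def lower_record_ttls(zone_text, new_ttl, record_types=("A", "AAAA")):
    """Return the zone with an explicit TTL of new_ttl on every A/AAAA record.

    The $TTL directive, SOA, NS and other records are left untouched so
    that only the records you expect to move during the incident change.
    """
    out = []
    for line in zone_text.splitlines():
        body, sep, comment = line.partition(";")
        m = RECORD_RE.match(body.rstrip())
        if not m or m.group("type") not in record_types:
            out.append(line)
            continue
        rewritten = "\t".join([
            m.group("name"), str(new_ttl), m.group("cls") or "IN",
            m.group("type"), m.group("rdata"),
        ])
        out.append(rewritten + (" ;" + comment if sep else ""))
    return "\n".join(out) + "\n"


def record_ttls(zone_text):
    """List (owner, type, explicit TTL or None) for every record line."""
    found = []
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line.partition(";")[0].rstrip())
        if m:
            ttl = int(m.group("ttl")) if m.group("ttl") else None
            found.append((m.group("name"), m.group("type"), ttl))
    return found


def earliest_effective_change(previous_ttl_seconds, lowered_at):
    """Resolvers that cached the old record keep it until the previous TTL
    runs out, so an A record change is only fully visible this long after
    the TTL was lowered."""
    return lowered_at + timedelta(seconds=previous_ttl_seconds)


# Constructed sample zone; example.com addresses are documentation ranges.
SAMPLE_ZONE = """\
$TTL 86400
@     IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
      IN NS   ns1.example.com.
www   86400 IN A 192.0.2.10
mail  IN A    192.0.2.20
      IN AAAA 2001:db8::20   ; same owner as the line above
api   3600 A  192.0.2.30
"""

# Constructed moment at which the short TTL was published.
DEMO_LOWERED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(lower_record_ttls(SAMPLE_ZONE, 300))
    print("A record changes fully effective from",
          earliest_effective_change(86400, DEMO_LOWERED_AT).isoformat())
```

Run the rewritten zone through your server's zone checker before loading it; the script deliberately leaves the zone-wide $TTL alone so that negative caching and the NS/SOA records are unaffected.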
Monitoring and Recording
Record pcap evidence.
Request your hosting provider's logs and graphs for routers and servers within 24 hours. Similarly, request logs and graphs from the carrier/owner of the attacking IP within 24 hours. You need to be able to go to your provider and identify the IPs or the IP range that is attacking you. The source addresses of UDP (which can be massive), ICMP, and SYN floods can be spoofed, so they cannot be used as evidence. TCP GET floods, on the other hand, cannot be spoofed, because the request only arrives after the TCP handshake has completed! If it's a GET flood, then this is the evidence that can be used to prosecute.
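The distinction above, between sources that completed a TCP handshake and sources that may be spoofed, is exactly what you want to pull out of the pcap before you talk to your provider. The following Python code is an added example, not from the original article: it walks a capture and credits a source with a verified handshake only when the capture shows its SYN, the victim's SYN-ACK back to it, and its subsequent ACK; bare SYNs and UDP traffic are reported separately as unverifiable. The Packet records, the victim address 192.0.2.10 and the attacking addresses are constructed; in practice you would populate them from a pcap with a parser such as dpkt or scapy.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured packet (what a pcap parser would yield)."""
    ts: float
    src: str
    dst: str
    proto: str            # "TCP" or "UDP"
    flags: str = ""       # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


def classify_sources(packets, victim_ip):
    """Split sources into those that completed a handshake with the victim
    (usable as evidence) and those that did not (addresses may be spoofed).

    A spoofed SYN still provokes a SYN-ACK from the victim, but the forged
    source never sends the final ACK, so the ACK is the deciding packet.
    """
    st = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False,
                              "gets": 0, "udp": 0})
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "UDP" and p.dst == victim_ip:
            st[p.src]["udp"] += 1
        elif p.proto == "TCP" and p.src == victim_ip and p.flags == "SA":
            st[p.dst]["synack"] = True
        elif p.proto == "TCP" and p.dst == victim_ip:
            s = st[p.src]
            if p.flags == "S":
                s["syn"] += 1
            elif "A" in p.flags and s["synack"]:
                s["ack"] = True
                if p.payload.startswith(b"GET "):
                    s["gets"] += 1
    report = {"handshake_completed": {}, "unverifiable": {}}
    for src, s in st.items():
        if s["synack"] and s["ack"]:
            report["handshake_completed"][src] = s["gets"]
        else:
            report["unverifiable"][src] = {"syn_only": s["syn"], "udp": s["udp"]}
    return report


def top_sources(report, n=5):
    """Verified sources ranked by GET count: the list to hand to the provider."""
    ranked = sorted(report["handshake_completed"].items(),
                    key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


VICTIM = "192.0.2.10"  # constructed victim address


def _http_flood_from(src, start, n_gets):
    """Constructed full handshake followed by n_gets GET requests."""
    pk = [Packet(start, src, VICTIM, "TCP", "S"),
          Packet(start + 0.001, VICTIM, src, "TCP", "SA"),
          Packet(start + 0.002, src, VICTIM, "TCP", "A")]
    for i in range(n_gets):
        pk.append(Packet(start + 0.01 * (i + 1), src, VICTIM, "TCP", "PA",
                         b"GET /?x=" + str(i).encode() + b" HTTP/1.1\r\n"))
    return pk


# Constructed capture: two real HTTP flooders, three spoofed SYNs, one UDP source.
SAMPLE_CAPTURE = (
    _http_flood_from("203.0.113.5", 1000.0, 3)
    + _http_flood_from("203.0.113.6", 1000.5, 7)
    + [Packet(1001.0 + i * 0.001, f"198.51.100.{i}", VICTIM, "TCP", "S")
       for i in range(1, 4)]
    + [Packet(1001.0 + i * 0.001 + 0.0005, VICTIM, f"198.51.100.{i}", "TCP", "SA")
       for i in range(1, 4)]
    + [Packet(1002.0 + i * 0.001, "198.51.100.200", VICTIM, "UDP", payload=b"\x00" * 64)
       for i in range(5)]
)

if __name__ == "__main__":
    r = classify_sources(SAMPLE_CAPTURE, VICTIM)
    print("verified:", top_sources(r))
    print("unverifiable:", r["unverifiable"])
```

Only the verified list is worth citing as evidence; the unverifiable list is still useful for asking the provider what they saw from those ranges, as the article suggests.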
Consider Locating Staff At Your Data Centers
If you are offline due to a DDoS attack, your IT staff will likely be unable to log in to the remotely hosted hardware in your data centers. The easy solution is to get them there physically. They can console into the hardware and see what is going wrong. This will result in a much faster resolution to the problem.
Find An Old Hub
When dealing with an attack, you may find it difficult to set up a traffic monitoring port on your main routers. Assuming you have access to the Ethernet, you could bridge a hub in-line and connect a laptop to the hub to sniff and/or analyze the traffic. This is important, as monitoring the data stream will help you to determine how to filter it. Pulling out random cables and shutting down random services is never the solution!
Understand The Nature of The Attack
There's a reason you are the target of this attack. There are many possible reasons for any given attack, yet understanding the attacker's motivation is key to creating a better defense strategy. Some people know they are being extorted, and some people feel it's a competitor trying to shut them down. Others have a customer who has annoyed someone, so the attacker takes down the whole company to silence one customer. Shutting down the attacker's actual target for a while may save the entire ship. Go with your gut on this, make a hypothesis, and test it.
Your DDoS Attack May Be A Smokescreen
Don't turn a DDoS attack into an all-hands-on-deck. DDoS attacks are disruptive and throw people off-guard. Organizations start pulling people away from their regular duties to help with response and mitigation. A DDoS attack can mask the attempt by the infiltrators to breach other parts of the network. Attackers may take advantage of this distraction to commit fraud.
The latest generation of DDoS attacks can be used to help disguise efforts to commit fraud or steal intellectual property. While fraud could mean account takeovers and unauthorized wire transactions at financial services organizations and retailers, it could also refer to theft of intellectual property and sabotage.
For example, a new scheme, which has recently hit several financial institutions, involves the takeover of a banking institution's payment switch. These takeovers, which were waged in conjunction with a DDoS attack, are likely to have led to millions of dollars' worth of fraud.
Your organization has fallen prey to cybercrime. But what proof do you have? Without gathered and documented evidence, law enforcement will be unable to take action. During the attack, lock down all your logs and assign someone within the company to be the custodian of these records. Save server logs, web logs, email logs, any packet capture, network graphs, reports – anything – including a timeline of events.
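Locking down the records means more than copying files somewhere: the custodian needs to be able to show later that nothing changed after the evidence was sealed. The following Python script is an added example, not part of the original article. It hashes each evidence file with SHA-256 into a manifest that names the custodian and the sealing time, keeps the timeline of events alongside the hashes, and re-verifies the files on demand. The access log line, the fake pcap bytes and the custodian name are constructed; the demo runs in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large pcaps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, custodian):
    """Hash every evidence file once, recording who sealed it and when."""
    return {
        "custodian": custodian,
        "sealed_at": datetime.now(timezone.utc).isoformat(),
        "files": {str(p): {"sha256": sha256_file(p), "size": os.path.getsize(p)}
                  for p in paths},
        "timeline": [],
    }


def log_event(manifest, when, who, what):
    """Append one timeline entry, e.g. 'lowered TTL' or 'null route requested'."""
    manifest["timeline"].append({"when": when, "who": who, "what": what})
    return manifest


def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest."""
    changed = []
    for path, rec in manifest["files"].items():
        if not os.path.exists(path) or sha256_file(path) != rec["sha256"]:
            changed.append(path)
    return changed


def save_manifest(manifest, path):
    """Write the manifest as JSON and return its own hash, to be recorded
    out of band (e.g. in the incident ticket) so the manifest is sealed too."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def run_demo():
    """Seal two constructed evidence files, then tamper with one of them."""
    with tempfile.TemporaryDirectory() as d:
        web = Path(d) / "access.log"
        pcap = Path(d) / "attack.pcap"
        web.write_text('203.0.113.5 - - [01/Jan/2024:12:00:01 +0000] '
                       '"GET / HTTP/1.1" 503 0\n')
        pcap.write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + padding
        m = build_manifest([web, pcap], custodian="evidence-custodian")
        log_event(m, "2024-01-01T12:05:00Z", "netops", "requested pcap from host")
        before = verify_manifest(m)
        with open(web, "a") as f:          # simulate a post-sealing modification
            f.write("tampered line\n")
        after = verify_manifest(m)
        return {"before": before,
                "after": [Path(p).name for p in after],
                "events": len(m["timeline"]),
                "manifest_hash": save_manifest(m, Path(d) / "manifest.json")}


if __name__ == "__main__":
    print(run_demo())
```

Keep the evidence copies and the manifest on storage the custodian alone can write to; the manifest hash written into the ticket is what lets you demonstrate later that the records were not altered after sealing.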
Call Your ISP
Does your ISP have an escalation process you must follow? If required, call early in the attack to open a ticket. Your ISP also has hardware that may be capable of filtering or rate-limiting the attack. The more you know about the attack and point them in the right direction, the more they can help you. ISPs and hosting providers might provide DDoS mitigation and protection services. If you do sign up, make sure there is a service level agreement.
In the meantime, though, there are some free services you can request:
- Null routing of the target IP address
- Router ACLs of the top attacking source addresses
- New IP addresses
- Detailed traffic reports
You may find an expert at the ISP that knows how to fix these problems, and this exercise will have been time well spent.