CHEAT SHEET
Tips for responding to a network distributed denial of service (DDoS) incident.

General Considerations
- DDoS attacks often take the form of flooding the network with unwanted traffic; some attacks focus on overwhelming the resources of a specific system.
- It will be very difficult to defend against the attack without specialized equipment or your ISP's help.
- Often, too many people participate during incident response; limit the number of people on the team.
- If you do not prepare for a DDoS incident in advance, you will waste precious time during the attack.

Key DDoS Incident Response Steps
1. Preparation: Establish contacts, define procedures, and gather tools to save time during an attack.
2. Analysis: Detect the incident, determine its scope, and involve the appropriate parties.
3. Mitigation: Mitigate the attack's effects on the targeted environment.
4. Wrap-up: Document the incident's details, discuss lessons learned, and adjust plans and defenses.

Prepare for a Future Incident
- Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you should follow.
- Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an attack. Include your big customers, critical partners, etc.
- Establish contacts for your ISP, law enforcement, IDS, firewall, systems, and network teams.
- Collaborate with your BCP/DR planning team to understand their perspective on DDoS incidents.
- Document your IT infrastructure details, including business owners, IP addresses and circuit IDs; prepare a network topology diagram and an asset inventory.
- Understand the business implications (e.g., money lost) of likely DDoS attack scenarios.
- Harden the configuration of network, OS, and application components that may be targeted by DDoS.
- Baseline your current infrastructure's performance, so you can identify the attack faster and more accurately.
- Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IPs get attacked.
- If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or services.
- Understand your equipment's capabilities in mitigating a DDoS attack. Many underappreciate the capabilities of their devices, or overestimate their performance.

Analyze the Attack
- Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it.
- Review the load and logs of servers, routers, firewalls, applications, and other affected infrastructure.
- Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g., specific source IPs, destination ports, URLs, TCP flags, etc.).
- If possible, use a network analyzer (e.g., tcpdump, ntop, Aguri, MRTG, a NetFlow tool) to review the traffic.
- If possible, create a NIDS signature to differentiate between benign and malicious traffic.
- Contact your ISP and internal teams to learn about their visibility into the attack, and to ask for help.
- If contacting the ISP, be specific about the traffic you'd like to control (e.g., blackhole what network blocks? rate-limit what source IPs?).
- Find out whether the company received an extortion demand as a precursor to the attack.
- Notify your company's executive and legal teams; upon their direction, consider involving law enforcement.

Mitigate the Attack's Effects
- While it is very difficult to fully block DDoS attacks, you may be able to mitigate their effects.
- Attempt to throttle or block DDoS traffic as close to the network's "cloud" as possible via a router, firewall, load balancer, specialized device, etc.
- Terminate unwanted connections or processes on servers and routers, and tune their TCP/IP settings.
- Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
- If the bottleneck is a particular feature of an application, temporarily disable that feature.
- If possible, switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic targeting the original IPs.
- If possible, route traffic through a traffic-scrubbing service or product via DNS or routing changes.
- If possible, add servers or network bandwidth to handle the DDoS load. (This is an arms race, though.)
- If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe.
- DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans get tired.

Wrap Up the Incident and Adjust
- If necessary, adjust the assumptions that affected the decisions made during DDoS incident preparation.
- Assess the effectiveness of your DDoS response process, including the people and communications involved.
- Consider what relationships inside and outside your organization could help you with future incidents.
- Consider what preparation steps you could have taken to respond to the incident faster or more effectively.
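To make the "Analyze the Attack" step concrete, here is an added example (written for this page, not part of Lenny Zeltser's cheat sheet) that compares a suspected-attack window of flow records against a baseline window and reports which attributes (source IP, destination port, TCP flags) carry the attack traffic, plus the source IPs behind each, so that the request to the ISP can be specific. The NetFlow-style record format, the sample records and the share/growth thresholds are assumptions.

```python
from collections import Counter

# Constructed NetFlow-style records (assumed format): src_ip dst_ip dst_port proto tcp_flags packets
BASELINE_FLOWS = """\
198.51.100.10 203.0.113.5 443 tcp PA 40
198.51.100.11 203.0.113.5 443 tcp PA 35
198.51.100.12 203.0.113.5 80 tcp PA 20
198.51.100.13 203.0.113.5 443 tcp SA 5
198.51.100.14 203.0.113.5 22 tcp PA 3
"""
ATTACK_FLOWS = """\
192.0.2.7 203.0.113.5 80 tcp S 900
192.0.2.8 203.0.113.5 80 tcp S 850
192.0.2.9 203.0.113.5 80 tcp S 870
198.51.100.10 203.0.113.5 443 tcp PA 40
198.51.100.11 203.0.113.5 443 tcp PA 35
"""

def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, proto, flags, pkts = line.split()
            flows.append({"src": src, "dst": dst, "port": int(port),
                          "proto": proto, "flags": flags, "pkts": int(pkts)})
    return flows

def packet_share(flows, key):
    """Fraction of the window's packets carried by each value of `key`."""
    total = sum(f["pkts"] for f in flows)
    counts = Counter()
    for f in flows:
        counts[f[key]] += f["pkts"]
    return {value: n / total for value, n in counts.items()}

def distinguishing_attributes(baseline, attack, min_share=0.5, min_growth=0.25):
    """Values that carry most attack packets and grew over the baseline (thresholds assumed)."""
    findings = []
    for key in ("src", "port", "flags"):
        base, atk = packet_share(baseline, key), packet_share(attack, key)
        for value, share in sorted(atk.items(), key=lambda kv: -kv[1]):
            before = base.get(value, 0.0)
            if share >= min_share and share - before >= min_growth:
                findings.append((key, value, round(before, 3), round(share, 3)))
    return findings

def sources_for(flows, key, value):
    """Distinct source IPs behind one distinguishing value (what to ask the ISP to rate-limit)."""
    return sorted({f["src"] for f in flows if f[key] == value})
```

On the constructed data no single source dominates, but destination port 80 and bare SYN flags do, which is the kind of differentiator the checklist asks you to identify before tuning filters or contacting the ISP.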
Additional DDoS Response References
- Denial of Service Attack Detection Techniques: http://www.computer.org/portal/site/dsonline...
- A Summary of DoS/DDoS Prevention, etc. Techniques: http://sans.org/reading_room/whitepapers/intrusion/1212.php
- Network Protocols and Tools Cheat Sheets: http://packetlife.net/cheatsheets/
This cheat sheet incorporates insights from Daniel Fairchild, Chris Lemieux, Peter McLaughlin, Jose Nazario, Donald Smith, Jim Tuttle, and Lenny Zeltser. It was compiled by Lenny Zeltser, and is distributed according to the Creative Commons v3 Attribution License. File version 1.3. More cheat sheets?