Under DDoS attack

What to do if you think you are under a DDoS attack



1. Keep your cool and don't panic 

Easier said than done, I know, but if you take the time and advice to set up a company policy for handling an incident, you will minimise the wider chain reaction that is so often caused by being unprepared (and which is often exactly the chaos an attacker is looking to provoke). Pulling out random cables and shutting down random services is never the solution.
    • Call in the lead decision makers assigned for such an incident (into what some people like to call their board or war room).
    • Do not just start turning off or making changes to your systems, risking untracked and unrecorded changes.


2. Get in contact with specialists

Talk to a SecureNet Consulting adviser, to either help you through the process, provide technical assistance or recommend a suitable DDoS protection service provider.


3. Contact your ISP

Try to identify and isolate the systems under attack before contacting your carrier network provider, who might otherwise simply turn off all of your organisation's connections.
If your web servers or systems are hosted with a hosting provider, you might be in better hands, because these providers tend to have specific hardware and experts in place to deal with these kinds of situations on a regular basis. ISPs and hosting providers might also provide DDoS mitigation and protection services. If you do sign up, make sure there is a service level agreement in place.


4. Communications and media
    • It is important to have the appropriate managers in-house rehearse what actions to take, who to communicate with and what to say in the event of an attack that might be aimed at damaging the organisation's brand or reputation.
    • This will include preparing responses for the media, customers, stakeholders and internal staff.
    • Make sure you keep an offline copy of all your key contacts (if you are under attack and all your contact information is on a CRM system you cannot access, you will waste a lot of time trying to reach people).
    • Prepare, and know where to go, to set up temporary alternative web hosting contracts. You can set up a 'sorry we are down, but you can contact us here' landing page by flipping your DNS to the cluster of hosted servers. This will give your customers more confidence in your service, and your attackers may get bored, as it would seem the attack has not completely shut everything down. Even if this plan does not work, at least you have diverted some of the attack away from your network.

5. Defence Review

Are your email and web server on the same IP address? Many companies host their email, VoIP system, intranet, databases and primary storage in the same co-location, behind the same network connection that hosts their web sites and services. If you do get hit by a DDoS attack and you are unprepared, the most important thing to remember is: do not let anyone override your own security protocols.
    • Identify and prioritise the critical services that should be maintained during the attack, and decide which resources can be turned off or blocked as needed to limit the effects of the attack.
    • If you are still offline after a longer period of time than you prefer, request that your provider give you a new server IP, and run your email on a separate server / service.

6. Staff Management


Get your highly skilled staff into your data centres. If you are offline due to a DDoS attack, it is likely that your IT staff will be unable to log in to the remotely hosted hardware in your data centres. The easy solution is to physically get them there. They can console in to the hardware and actually see what is going wrong. This will result in a much faster resolution of the problem.



7. Monitor and Record
    • Request your hosting provider's logs and graphs for routers and servers within 24 hours. Similarly, request logs and graphs from the carrier/owner of the attacking IP within 24 hours. You need to be able to go to your provider and identify the IPs or the IP range that is attacking you.
    • When dealing with an attack you may find it difficult to set up a traffic monitoring port on your main routers. Assuming you have access to the Ethernet, you could bridge a hub in-line and connect a laptop to the hub to sniff and/or analyse the traffic. This is important, as monitoring the data stream will help you determine how to filter it.
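As an added example (not from the original page), a small Python script that does the triage described above over constructed sample web-server access-log lines: it counts requests per source IP and per /24 range, so the heaviest sources can be handed to your provider for filtering. The log lines and addresses (RFC 5737 documentation ranges) are made up for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of access-log lines (combined log format); not data from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.11 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /contact HTTP/1.1" 200 980 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# client-ip ident user [timestamp] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+')


def source_ips(log_text):
    """Return the client IP of every well-formed line; malformed lines are skipped."""
    ips = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ips.append(str(ip_address(m.group(1))))
        except ValueError:  # not an IP address at all
            continue
    return ips


def top_talkers(log_text, threshold):
    """Source IPs with at least `threshold` requests, most active first."""
    counts = Counter(source_ips(log_text))
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def by_prefix(log_text, prefixlen=24):
    """Aggregate request counts per /prefixlen so a whole range can be filtered at once."""
    counts = Counter()
    for ip in source_ips(log_text):
        counts[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("Top talkers:", top_talkers(SAMPLE_LOG, threshold=2))
    print("By /24:", by_prefix(SAMPLE_LOG))
```

In a real incident the threshold would be set relative to your normal baseline traffic, and the same counting can be run over router flow exports instead of web-server logs.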


8. Understand The Nature of The Attack

There's a reason you are the target of this attack. Obviously there are a lot of possible reasons for any given attack, yet understanding the attacker's motivation is key to creating a better defence strategy. Some people know they are being extorted, and some people feel it's a competitor trying to shut them down. Others have a customer who has annoyed someone, so the attacker takes down the whole company just to silence one customer. Shutting down the attacker's target for a while may actually save the entire ship. Go with your gut on this: make a hypothesis and test it.
    • Beware of smoke screens. Don't turn a DDoS attack into an all-hands-on-deck. DDoS attacks are disruptive and throw people off guard, and organisations start pulling people away from their regular duties to help with response and mitigation. A DDoS attack can mask an attempt by infiltrators to breach other parts of the network; attackers may take advantage of this distraction to commit fraud or steal intellectual property.

9. Post Event Review, Learning and Improvements

As soon as possible, convene all the key decision makers in the incident policy process and review what you have learnt from the event: did your strategy work, and where do you need to make improvements?

Consider your options going forward:
  • Over-provisioning bandwidth
  • Reviewing your security platforms
  • Over-provisioning DNS servers
  • Building in high availability for your DNS
  • Setting a response rate limit by source IP address
  • Setting a response rate limit by destination IP address
  • Using cloud-based anycast secondary servers




Contact us today to discuss your requirements in more detail.



+44(0)7714 209927

+44(0)1273 329753