Wednesday 14 August 2013

DDoS: Before, during and after. What should you do?

Back when I first began experimenting with technology the only term in my vocabulary was denial of service attack (DoS). I was a script kiddy using a small program called FateX on my parents' AOL dial-up. Using this program one could send an “IM Bomb” to other users of the service who were logged into IM. This would force a log out of the service, which leads into the definition of this type of attack: “In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users” (“Denial-of-service attack,”).
Today we have what is known as a distributed denial of service attack: an attack that comes from multiple locations, not just a teenager's PC.
There are many ways of performing DoS and DDoS attacks against targets; Wikipedia has a great page on the various methods.
It is safe to assume that at some point your network will come under a DDoS attack. Having a plan and an incident response process is highly recommended and almost a necessity today.

Before a DDoS

Every organization should have at least one individual that understands a DDoS attack. Whether it is the onsite tech guru of a small organization, the external tech service supplier for a small to medium company, or the IT security individual / group at larger organizations, they need to have an intermediate knowledge of how these attacks are performed and a plan of what to do when it happens.

The Plan

What can one do before a DDoS? Simple: plan. There are a few recommended techniques that will benefit the department overall.
1)      Establish a relationship with your ISPs. This does not mean the sales guy! Call your ISP and set up a meeting to discuss your account, and request that a technical rep be onsite as well. During this meeting discuss with them how they handle your traffic and what sits between your office, the hub you are connected to and their backbone. What are the numbers for the 24/7 NOC, and who are the managers in charge of it? How do they help with DDoS attacks?
The purpose of this meeting is to get as much information from them as possible so during an attack your team has a quick reference sheet to turn to. This sheet should provide NOC numbers, escalation numbers, and how this ISP handles DDoS attacks (as well as other types of attacks). You would be surprised how many organizations know nothing of their ISP.
2)      Plan for as much capacity as possible. Not many organizations have the funds to do this; consider yourself lucky if yours does. After analyzing the network traffic over a few months one can see how much capacity is needed: take the largest peak traffic and multiply it by 10. This is not a cure-all, but it will ensure that the hardware can handle smaller attacks.
3)      Configure remote monitoring and alerting. Let us assume that you have internal monitoring that can detect DDoS or other anomalies, great! Unfortunately, now that your links are saturated or your systems are offline, how will you get alerted? Your internal systems are either offline or too saturated to send that text message or email. Solution: remote monitoring. A client I have worked with in the past needed to ensure the highest uptime for their internal email system as well as receive alerts during outages. They configured remote monitoring of their service that alerted Yahoo and Gmail accounts of the department. Senior members of the team had their phones configured with the IT department accounts.
4)      Be active in the local IT security community. Join the local chapter of the FBI InfraGard, the HTCIA, etc. Contact the local police department, the state police department and the FBI. Meet with the cyber security people from each organization and ask what you should do during a cybercrime. Ensure that you have all of the appropriate contact information after these meetings.

During a DDoS

We have a plan in place and our worst fears are realized: an unknown organization has decided to begin a DDoS attack. The senior members of the IT team have just received an email to the group Yahoo and Gmail accounts that all services are down. An onsite tech has been dispatched and has informed the team that we are receiving 30 Gbps aggregated across all links, which is bringing down certain network devices as well as systems.

The Plan

1)      Gather as much information about the attack as possible:
  1. What type of attack is it?
  2. Can the source(s) of the traffic be identified?
  3. Is a particular system being targeted?
2)      Block the source IPs. Be sure to keep a log of all of these, as they may be legitimate IPs that are either spoofed or belong to machines that are zombies.
3)      Immediately contact the ISPs. Pull out the ISP sheet, let them know what is going on, provide as much info as possible and see if they can help identify and drop the traffic on their systems. If you are not getting the response you require, escalate to the senior members of their team.
4)      Continually check all systems to ensure that the DDoS is not a distraction for another attack or causing other issues with the affected systems.
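As an added example that is not part of the original post, the Python below runs the triage steps of this plan over a few constructed flow records: it names the attack vector, the top sources and the targeted host, then builds the block list and the audit log that step 2 asks for. The record format, the example addresses and the 20% threshold are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample flow records (not from a real capture):
# (proto, src_ip, dst_ip, dst_port, tcp_flags, bytes)
FLOWS = [
    ("udp", "203.0.113.5", "198.51.100.10", 53, "", 1400),
    ("udp", "203.0.113.5", "198.51.100.10", 53, "", 1400),
    ("udp", "203.0.113.9", "198.51.100.10", 53, "", 1400),
    ("tcp", "198.18.0.7", "198.51.100.10", 80, "S", 60),
    ("tcp", "198.18.0.7", "198.51.100.10", 80, "S", 60),
    ("tcp", "192.0.2.44", "198.51.100.10", 443, "PA", 900),  # ordinary client
    ("tcp", "192.0.2.45", "198.51.100.20", 25, "PA", 2000),  # mail to another host
]

def triage(flows):
    """Answer the three questions from the plan: attack vector, sources, target."""
    by_src, by_dst, vectors = Counter(), Counter(), Counter()
    for proto, src, dst, port, flags, nbytes in flows:
        by_src[src] += nbytes
        by_dst[dst] += nbytes
        # Label the vector by protocol/port; bare SYNs are flagged separately.
        syn = "-syn" if proto == "tcp" and flags == "S" else ""
        vectors[f"{proto}/{port}{syn}"] += 1
    target = by_dst.most_common(1)[0][0]
    return {"target": target, "vectors": vectors.most_common(),
            "top_sources": by_src.most_common()}

def build_block_list(flows, share=0.20):
    """Block sources that send at least `share` of the bytes OR of the flows
    aimed at the targeted host (the flow share catches small-packet SYN
    floods that a bytes-only threshold would miss). Every block is logged
    with its reason so spoofed or compromised sources can be reviewed."""
    target = triage(flows)["target"]
    to_target = [f for f in flows if f[2] == target]
    tot_bytes = sum(f[5] for f in to_target)
    b_src, f_src = Counter(), Counter()
    for _, src, _, _, _, nbytes in to_target:
        b_src[src] += nbytes
        f_src[src] += 1
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    blocked, audit = [], []
    for src in b_src:
        b, f = b_src[src] / tot_bytes, f_src[src] / len(to_target)
        if b >= share or f >= share:
            blocked.append(src)
            audit.append(f"{now} BLOCK {src} bytes={b:.0%} flows={f:.0%} "
                         f"target={target}")
    return blocked, audit
```

With the sample records the DNS sources and the SYN sender are blocked while the ordinary HTTPS client on the same target is left alone; in practice the same aggregation would run over exported NetFlow or firewall logs.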

After a DDoS

The attack has either subsided or been successfully repelled. Now the tedious work begins.
Start by collecting all of the logs from the course of the attack. Review them to determine where the traffic was coming from and what type of traffic was being sent. Work with your ISPs to identify as much information about the attack as possible. Pull out the list of IPs, determine their location, and notify the abuse contact of each source's ISP (found through WHOIS).
Once all the information has been collected, call your contact at the local police department. Let them know what happened and what information you have, and ask whether they can assist or whether you should escalate to the state police or the FBI. Once it has been determined who you need to speak with, pass all of the information you have to them and hope they can identify the source and cause.
Go through every system to ensure they are operating optimally. Check for any anomalous issues and verify that no system has been compromised. Change passwords.
Finally, evaluate your response to the incident, as there are always areas to improve. Fine-tune the plan and bring all of your staff out for a few beers; you just survived your first DDoS.
