When our Incident Response team is called to assist with mitigating a DDoS attack, we engage with multiple security and IT teams. In most cases, we discover that teams lack DDoS knowledge. This may seem trivial, but it holds back an organization from responding efficiently to an attack.
When DDoS knowledge is missing and an attack occurs, the discussion is too basic and yields no action. “Why didn’t our vendor stop the attack?” is probably the most common question. On the other hand, when DDoS know-how exists, there’s a much more pragmatic discussion with questions such as “should we reduce the SYN protection threshold?” or “our defense is working well, but why are we getting false positives?” (meaning that mitigation is too aggressive and is blocking legitimate traffic).
To effectively manage and mitigate a DDoS attack, there are four different teams or functions that should have DDoS knowledge.
NOC/SOC groups need to identify a DDoS attack and immediately trigger an escalation. If an attack that started at 2 am on Sunday is only identified on Monday morning, a commercial site may have been down for a full six hours before any action has even started.
It’s true that team members don’t need to be DDoS experts. However, they should be familiar with the key attack types so that they can identify an attack early on and quickly escalate the event.
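The early-identification step described above can be made concrete as a simple detector that a NOC/SOC shift could run over flow records. This is an added example, not code from the original post or from any vendor product; the flow records are constructed (a quiet baseline followed by a burst of unanswered SYNs), and the window length, multiplier and ratio thresholds are assumed tuning values that a real team would calibrate against its own baseline.

```python
from dataclasses import dataclass

# Constructed flow records, not real traffic: (timestamp_sec, src_ip, tcp_flags, packets).
# "S" = SYN only, "A" = ACK. Seconds 0-19 are normal traffic (each SYN is followed by
# ACKs, i.e. real handshakes); seconds 20-29 carry a burst of SYNs with no ACKs at all.
FLOWS = []
for t in range(0, 20):
    for i in range(5):
        FLOWS.append((t, f"10.0.{i}.{t % 250 + 1}", "S", 1))
        FLOWS.append((t, f"10.0.{i}.{t % 250 + 1}", "A", 4))
for t in range(20, 30):
    for i in range(400):
        FLOWS.append((t, f"198.51.100.{i % 250 + 1}", "S", 1))


@dataclass
class Alert:
    window_start: int
    syn_per_sec: float
    syn_to_ack_ratio: float
    distinct_sources: int
    severity: str  # "watch" or "escalate"


def window_stats(flows, window_start, window_len):
    """Count SYN packets, ACK packets and distinct SYN sources in one time window."""
    syn = ack = 0
    sources = set()
    for t, src, flags, pkts in flows:
        if window_start <= t < window_start + window_len:
            if flags == "S":
                syn += pkts
                sources.add(src)
            elif flags == "A":
                ack += pkts
    return syn, ack, len(sources)


def detect_syn_flood(flows, window_len=5, baseline_windows=2,
                     syn_multiplier=5.0, min_ratio=3.0):
    """Flag windows whose SYN rate exceeds the learned baseline by syn_multiplier AND
    whose SYN:ACK ratio is high (many handshakes never complete). Both conditions are
    required so that a legitimate traffic spike with completed handshakes is not flagged.
    Thresholds are assumed values; a real deployment learns them from its own history."""
    if not flows:
        return []
    start = min(f[0] for f in flows)
    end = max(f[0] for f in flows)
    windows = list(range(start, end + 1, window_len))
    # Baseline: mean SYN rate over the first few windows (assumed to be pre-attack).
    base_rates = [window_stats(flows, w, window_len)[0] / window_len
                  for w in windows[:baseline_windows]]
    baseline = max(sum(base_rates) / len(base_rates), 1.0)
    alerts = []
    for w in windows[baseline_windows:]:
        syn, ack, srcs = window_stats(flows, w, window_len)
        rate = syn / window_len
        ratio = syn / max(ack, 1)
        if rate >= baseline * syn_multiplier and ratio >= min_ratio:
            # A rate far above the alert threshold is the cue to page the security team.
            severity = "escalate" if rate >= baseline * syn_multiplier * 4 else "watch"
            alerts.append(Alert(w, rate, ratio, srcs, severity))
    return alerts


if __name__ == "__main__":
    for a in detect_syn_flood(FLOWS):
        print(f"t={a.window_start}s syn/s={a.syn_per_sec:.0f} "
              f"syn:ack={a.syn_to_ack_ratio:.0f} sources={a.distinct_sources} -> {a.severity}")
```

The point of the two-condition rule is the one the article makes about key attack types: a shift operator does not need to know every vector, but should recognise that a SYN rate far above baseline combined with handshakes that never complete is the signature of a SYN flood and warrants immediate escalation rather than waiting for a morning review.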
Security team members should have substantial DDoS knowledge and skills. They should be familiar with all types of attacks, understand protection gear and capabilities, know which attack vectors will be stopped by which component, and be fully familiar with the game plan for different attack scenarios.
For example, if you were to ask a security team member how application attacks are stopped, then a good answer might be “we use JavaScript web challenges to block the attack on the commercial site, a rate-limit rule to block the attacks on the login API, and a signature to block another low-and-slow attack.”
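One of the controls named in that answer, a rate-limit rule on the login API, is shown here together with the false-positive trade-off the article raises earlier (a threshold set too low blocks legitimate users). This is an added example and not code from the original post or from any protection product; the request log is constructed, with one office behind a single NAT address making a normal number of logins and one client hammering the endpoint, and the limits are assumed values.

```python
from collections import defaultdict, deque

# Constructed request log, not real data: (timestamp_sec, client_ip, path).
REQUESTS = []
# Legitimate office behind one NAT address: 20 logins spread over 60 seconds.
for k in range(20):
    REQUESTS.append((k * 3, "203.0.113.10", "/api/login"))
# One abusive client: 300 login attempts within about 10 seconds.
for k in range(300):
    REQUESTS.append((30 + k / 30, "192.0.2.77", "/api/login"))
REQUESTS.sort()


def apply_rate_limit(requests, path="/api/login", limit=60, window=60.0):
    """Sliding-window per-client rate limit on one path.

    A request is blocked when the client has already had `limit` requests
    allowed on `path` within the last `window` seconds. Blocked requests do not
    consume budget, so a client is let through again once old requests age out.
    Returns {client_ip: (allowed, blocked)}.
    """
    history = defaultdict(deque)            # client -> timestamps of allowed requests
    result = defaultdict(lambda: [0, 0])    # client -> [allowed, blocked]
    for t, client, p in requests:
        if p != path:
            result[client][0] += 1          # the rule only covers the login API
            continue
        q = history[client]
        while q and q[0] <= t - window:     # drop requests older than the window
            q.popleft()
        if len(q) >= limit:
            result[client][1] += 1
        else:
            q.append(t)
            result[client][0] += 1
    return {c: tuple(v) for c, v in result.items()}


def compare_thresholds(requests, limits=(60, 10)):
    """Run the same log through several limits so the false-positive cost of an
    aggressive threshold is visible next to the mitigation it buys."""
    return {limit: apply_rate_limit(requests, limit=limit) for limit in limits}


if __name__ == "__main__":
    for limit, per_client in compare_thresholds(REQUESTS).items():
        print(f"limit={limit}/min")
        for client, (allowed, blocked) in sorted(per_client.items()):
            print(f"  {client:15} allowed={allowed:3} blocked={blocked:3}")
```

With a limit of 60 logins per minute the abusive client is capped while the office is untouched; dropping the limit to 10 halves what the abusive client gets through but also blocks half of the office's genuine logins, which is exactly the “why are we getting false positives?” situation a security team member should be able to recognise and correct.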
Like the security team, network team members should be acquainted with network and application-layer attacks, with a particular focus on network defense mechanisms and on handling routers and other network equipment affected by an attack.
They must be able to identify which network segments were attacked, and be proficient with response mechanisms such as diverting traffic to scrubbing centers by changing DNS or BGP settings, handling the various issues that arise with GRE tunnels, troubleshooting, etc.
Effective DDoS mitigation also requires overall management of the crisis and synchronization of the teams and their activities. Often there is no formal definition of who the top ‘owner’ of a DDoS attack is. While a CIO typically takes this role, he/she may be absent, so a deputy should be named in advance. It is also important that the top manager be familiar enough with DDoS attacks and the response procedures to make decisions during the event.
The last item that is typically missing is a DDoS playbook, which describes different scenarios and the specific actions to be taken in each case. Clear, written procedures for each team help ensure that correct, effective actions are taken, particularly during the stressful hours of an attack.