Let’s assume you already have a DDoS protection solution installed on premises. You have even run DDoS testing, identified potential weak links, and tweaked your DDoS protection configuration to the optimal settings.
Now comes the next stage. How will you identify that a DDoS attack is taking place? What are the warning signs? And how can you confirm that it’s indeed an attack and get your team to react promptly to mitigate it?
Here are 3 tips to help you set up your on-premises DDoS technology and prepare your team to efficiently recognize and mitigate a DDoS attack.
DDoS attack identification is typically handled by SOC and NOC teams. The natural tendency of SOC teams is to focus on blocked traffic as an indicator of an attack. NOC teams, on the other hand, often look for website failures.
Instead, the key indicator of a DDoS network attack is pipe saturation: a sudden spike in traffic that fills the link, which with high probability points to an illegitimate source.
You should analyze traffic utilization data to identify and set a Gbps threshold for triggering an alert regarding a potential DDoS attack. In practice, this requires going through a trial-and-error tuning process, using a network monitoring tool like PRTG, until you reach a setting that correctly identifies when traffic overflow is due to hostile activity.
Note that if you are using on-premises protection, you should define the same threshold for the ‘inner leg’ of your network connected to your DDoS protection solution. This will provide additional mitigation of network attacks that succeeded in bypassing your DDoS protection component.
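As an added illustration (not code from the original post), the threshold logic above applied to both legs: it assumes a 10 Gbps uplink, constructed 1-minute utilization samples, a threshold derived from a quiet baseline and clamped to a share of pipe capacity, and an alert only when the threshold is breached for consecutive intervals.

```python
"""Pipe-saturation alerting over constructed utilization samples (outer and inner leg)."""
from statistics import mean, pstdev

PIPE_CAPACITY_GBPS = 10.0   # assumed size of the Internet uplink
SUSTAIN_INTERVALS = 2       # consecutive intervals above threshold before alerting

# Constructed 1-minute inbound samples, not real measurements.
QUIET_BASELINE_GBPS = [3.5, 4.5, 3.5, 4.5, 3.5, 4.5, 3.5, 4.5]  # normal period used for tuning
OUTER_LEG_GBPS = [3.5, 4.5, 3.5, 4.5, 6.5, 4.5, 3.5, 4.5, 9.6, 9.8, 9.9, 9.7]  # ISP-facing link
INNER_LEG_GBPS = [3.4, 4.3, 3.3, 4.4, 3.6, 4.2, 3.4, 4.4, 4.1, 4.0, 6.8, 7.1]  # behind the appliance


def derive_threshold(baseline, capacity, sigma=4.0, floor_ratio=0.5, ceiling_ratio=0.9):
    """Start from a statistical spike threshold (mean + sigma * stdev over a quiet period)
    and clamp it between floor_ratio and ceiling_ratio of pipe capacity, so it measures
    saturation rather than noise. sigma and the ratios are the knobs tuned by trial and error."""
    spike = mean(baseline) + sigma * pstdev(baseline)
    return min(max(spike, floor_ratio * capacity), ceiling_ratio * capacity)


def first_sustained_breach(samples, threshold, sustain=SUSTAIN_INTERVALS):
    """Index of the sample opening the first run of `sustain` consecutive samples
    >= threshold, or None. Requiring a run filters one-interval bursts."""
    run = 0
    for i, gbps in enumerate(samples):
        run = run + 1 if gbps >= threshold else 0
        if run == sustain:
            return i - sustain + 1
    return None


def assess(outer, inner, threshold, capacity):
    """Apply the same threshold on both legs. A breach on the inner leg means attack
    traffic got past the on-premises protection component and should be escalated."""
    outer_at = first_sustained_breach(outer, threshold)
    inner_at = first_sustained_breach(inner, threshold)
    return {
        "threshold_gbps": threshold,
        "outer_breach_at": outer_at,
        "inner_breach_at": inner_at,
        "peak_utilization_pct": round(100 * max(outer) / capacity, 1),
        "bypassed_protection": inner_at is not None,
    }


if __name__ == "__main__":
    t = derive_threshold(QUIET_BASELINE_GBPS, PIPE_CAPACITY_GBPS)
    print(assess(OUTER_LEG_GBPS, INNER_LEG_GBPS, t, PIPE_CAPACITY_GBPS))
```

With the constructed data the one-interval burst at minute 4 is ignored, the outer leg alerts at minute 8, and the inner leg alerts at minute 10, flagging traffic that bypassed the protection.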
Once you have set your pipe saturation threshold, you’ll want to write down the exact actions to be taken by each of the relevant NOC and SOC team members when an alert is triggered.
First, who gets the alert? Typically, this will be a member of the tier 1 NOC team. That person then notifies someone in a higher-level role, such as a security manager in charge of mitigation operations.
Next comes verification of the DDoS attack. The security manager needs to determine that a DDoS attack is indeed underway before escalation procedures can be undertaken.
Once the attack is confirmed, escalation procedures should follow a written attack mitigation playbook. These procedures may include, for example, how traffic is diverted to a scrubbing center or even just the names of appropriate contacts at an ISP.
Focus attention on your off-hours response. Your procedures should be maximally effective for identifying and responding to an attack during off hours, say at 2:00 AM on the weekend.
Practice makes perfect. Without practicing your DDoS playbook, you’ll never know if your procedures only work on paper.
One option is to conduct a tabletop session, during which all personnel who would normally handle a DDoS attack, such as NOC and SOC team members and management, gather to discuss their response to a given scenario.
A better option is a DDoS “game day”, when you actually simulate an attack and assess the entire operational response, including systems, processes, and team behavior. This allows your teams to build “muscle memory” for faster and smoother reaction time in the event of a real emergency.
A game day requires more careful preparation, however, including defining the exact DDoS attack scenario, preparing the environment for the simulation, and scheduling and notifying participants. You also need to know exactly how you will be executing the simulation, as well as what tools and parameters you’ll use for analyzing the game day results.
When your on-premises threat mitigation technology is in order and your teams are trained, you can confidently and intelligently respond to a DDoS attack. That’s because you can quickly bring the full capabilities of your defenses and your team to the battle, making it possible to rapidly retake control of a targeted network.
As the Malay proverb has it, “Prepare the umbrella before it rains.”