Sunday, April 7, 2013

An In-Depth Look at DDoS – Part 3: DDoS Do's and Don'ts

In part 2 of our DDoS series, we shared some ways to go about protecting yourself against a potential attack. So what should you do in the meantime? Prepare of course!!
Here's a list of DDoS preparations you SHOULD consider:
  1. If you went through the time and money to protect your network from a DDoS attack, you had better also set up the process and procedure for how to act once it happens. If you're lucky you'll never need to put these into action, but if you're not (and you should assume that you will get hit at some point) you'll be happy they are in place.
  2. Each department should know exactly what it is responsible for if a DDoS attack happens and how to respond once one occurs. There should be written instructions for each team that's involved on what to do during an attack (this isn't cookie cutter and will change over time) and on how to sound the alarm if they see something that looks like DDoS.
  3. The teams should meet on a scheduled basis to review any incidents, either at the company or in the news, and discuss what they can do to make the procedure better.
  4. There should also be "Red Team" drills that get your DDoS incident management team in a room to discuss potential attack scenarios and how they would react.
The keys here are to be consistent with the meetings and clear with the documentation.
Here are a few things you SHOULDN'T do regarding a DDoS, because they can make things much worse:
  1. Don't let this be the first time you speak with law enforcement. Make sure you have a working relationship with local and federal law enforcement before an incident occurs. When the time comes, and hopefully it won't, you'll already have the contacts and the procedure for reporting incidents. Many of these attackers are testing sites and selling the information to the highest bidder. You might not see tangible effects of alerting them right away, but speaking with law enforcement when appropriate can help them piece together something a lot larger and take down an attacker before they wreak havoc.
  2. Never, ever trust one solution. If you hear a vendor say they're the end-all-be-all solution for DDoS attacks, walk the other way. You need layers of protection that start at your policy and procedures and move into hardening your environment. Additionally, seek help from your ISPs and potentially a third-party mitigation solution. One-stop shops don't work for DDoS... just say no!
  3. Do not communicate with the attacker. If the attacker tries to contact you, don't engage with them if at all possible. Anything written should be forwarded to your law enforcement contacts; if they call, whoever answers should tell them only that the call is being recorded and that law enforcement is involved. That's all - keep it cool.

Read the rest of my three-part series on DDoS here on AlgoSec's blog:
