In the last few weeks, maybe even months we've been seeing an increase in the number of Distributed Denial of Service (DDOS) attacks on different sites. Today, according to Ahnlabs in Korea, a number of government sites are under attack. Yesterday it was word press, and recently we also had sourceforge and no doubt a number of others that I've forgotten to mention.
So is DDOS the new black? We know that the majority of the malicious files and traffic we see are somehow related to making money, but realistically I can't quite see how this is doing the trick.How is money being made?Are the current attacks going to serve as examples? Give some money or else? I don't know how effective that would be as most of the organisations seem to be dealing with the DDOS attacks relatively well.
So why are we seeing these increases? Are they being reported more? Are they easier to do? Are they test runs for something better later on, or maybe even nation states testing their processes. Let us know if you've been under attack, recently. I'd be interested to know how you dealt with it and if you have some packets you can share, even better. If you know why you were targeted I'd be interested to know.
Now for dealing with a DDOS attack.
The best will be to stop the packets from reaching you in the first place. To stop them as far away from your environment as possible, especially if link saturation is the problem. This will likely need the cooperation of your ISP. You will find some are more willing to help you deal with an attack than others.
If you manage to identify a particular characteristic of the packets being sent, then you might be able to get a firewall, router, IDS, or IPS to deal with the traffic. These types of devices will be better at coping with this than your web or mail server. Check you firewalls, many have the capability to drop traffic based on certain thresholds or characteristics and they may be enough to
But lets put this in the context of an incident handling process. Hopefully you remember the six steps:
This will be the most important step. Firstly you will need to decide what you are going to do in the event of a DDOS attack on your infrastructure. Will you pull the plug yourself and just ride it out? or will you take steps ab and c to deal with the attack. Best to sort this out before it happens rather than whilst it is happening.
Make sure you understand what your ISP will and won't do for you in the event of a DDOS attack on your sites.
If you have an approach to deal with the DDOS, make sure it is documented. Nothing worse than having to figure things out whilst the attack is underway.
Have the capability to grab packets in place. They will be invaluable.
How do you identify an attack? Often it is because someone receives a phone call saying xyz is very slow/unavailable. You may have an IDS/IPS/Firewall throwing up alert. So that is how you notice.
What to do next. Well hopefully you have managed to capture some packets, or at a minimum log records. You will need to look at these and see if you can identify a common factor.
Using the information discovered, you may be able to configure an upstream device to drop the malicious packets. Your ISP or a vendor may be able to help mitigate the attack and contain the damage done.
You will likely also need to examine the targets to ensure they have not been compromised. l
If the targets have been compromised you will need to deal with those. Your incident handling plan, developed in the preparation stage, should have enough information to allow you to deal with this new issue.
Often when the attack is not successful it will drop off, so I guess it is self eradicating.
Once the attack is over, determine what else may need to cleaned, replaced, hardened.
Standard practice after any incident is the lessons learned. Go through the attack, see where you went wrong and where you went right. Develop an approach to deal with
I've made a start, if you can add to it let us know via the contact form or comments.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.