DDoS stands for Distributed Denial of Service, a form of Denial of Service (DoS) in which the attack traffic comes from many sources at once. It affects the Availability component of information security: services or resources are made unavailable to their intended users, usually by deliberately suspending or interrupting Internet-connected services. Motives include unethical competition, venting anger or a grievance against an organization, and cyber warfare. Sometimes malware (for example an internal host recruited into a botnet) or a misconfigured security device is responsible. Handling a DDoS incident follows the IR process of Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned, the last of which feeds improvements back into the IR process. This document is part of the Preparation phase and assumes that phase is complete.

DoS/DDoS attacks fall into three categories:

  1. Volume-based attacks, where UDP, ICMP and other spoofed-packet floods saturate the bandwidth of the targeted resource. Magnitude is measured in bits per second (bps).
  2. Protocol attacks, including SYN floods, fragmented-packet attacks, Smurf attacks, etc., that exhaust connection-state tables or packet-processing capacity and render a server or firewall unable to service incoming requests. Magnitude is measured in packets per second (pps).
  3. Application-layer attacks, including slow POST, HashDoS, GET floods, clogging, etc. Like protocol attacks, they aim to deplete specific resources in the application (worker threads, database connections, CPU) rather than the network. Magnitude is measured in requests per second (rps).

Response procedure for a new DoS/DDoS incident

  1. Initial notification to the ISOC team by monitoring devices or any other source.
    a) Confirm the incident.
    b) If the website is unavailable or extremely slow, verify this independently (for example from an external vantage point) and record your finding.
  2. Determine the scope of the attack.
    a) Whether the whole site, an individual server or group of servers, or a group of users is affected.
    b) Gather as much information as possible, including IP addresses, methods, protocols, executables, hostnames, usernames, processes, hosting details, etc.
    c) Determine which application services are affected or could potentially be affected.
  3. Raise an incident ticket in ISOC and assign the appropriate priority.
  4. If it is an attack against a web server/application from outside Unilever, liaise with the WAF team and get the offending source IP addresses blacklisted.
    a) For a service accessed only by a known set of users, a whitelist of those users (blacklisting all others) may be a better approach.
    b) Contact with the ISP may be necessary to burst bandwidth and to blackhole traffic from the identified source IP addresses upstream. Note that if the ISP can only blackhole the destination (the attacked address), that completes the outage for that address and is only worthwhile to protect the rest of the network.
    c) Contact law enforcement (follow company procedure for this, which typically involves Legal and senior leadership).
  5. If the DDoS is caused by malware on internal systems, scope the incident and follow the Malware Incident Handling procedure.
  6. Once the attack is contained and the threat removed, return services to normal and revert the settings that were changed as part of containment.
  7. Prepare a post-incident lessons-learned report to improve the IR process.

Identification

  1. Review the relevant events in the SIEM and collect the following information:
    a) IP addresses of the internal/external machines used to launch the DoS/DDoS attack
    b) Time and date of the offence
    c) Geolocation of the external machines
    d) IP address and hostname of the internal asset targeted
    e) Any additional information about the host involved (asset name, criticality, owner, etc.)
    f) Search the correlation and basic events to collect any further information that is required
  2. Evaluate the reputation of the external IP addresses and analyse the events and network traffic, if available:
    a) Investigate the suspect IP address or URL using the available information sources (X-Force Exchange, IPVoid, etc.) to see whether it is or has been associated with malicious/unauthorized activity. (Do not browse directly to any site thought to be malicious.) Questions to answer:
      • Where is the data coming from and where is it going?
      • Is it associated with known malicious activity or indicators of compromise (e.g., malware, malicious IPs/domains)?
      • What type of site/IP/hostname is it? Is it an officially affiliated vendor, group, association, etc.?
      • Does it appear to be a legitimate site/IP/hostname?
      • Are there professional relationships in place? Are they in the same division or industry?
    b) Verify the reliability of the information about the malicious IPs or URLs; corroborate across more than one source, since reputation feeds carry false positives and a source address in a flood may be spoofed, or may be a reflector rather than the attacker.
    c) Check internal references for authorized exceptions (e.g., the CMDB tool, the CSIRT team) so that partner, vendor or monitoring addresses are not blocked by mistake.
    NOTE: It is recommended to search the following websites for more information about the source and its level of risk:
    • https://exchange.xforce.ibmcloud.com/
    • https://www.mcafee.com/threat-intelligence/ip/spam-senders.aspx
    • http://ipremoval.sms.symantec.com/lookup/
    • https://ers.trendmicro.com/reputations
  3. Search for possibly related incidents in the ticketing system or the SIEM, using:
    a) The IP addresses of the internal/external machines used to launch the DoS/DDoS attack
    b) The hostnames and IP addresses of the targeted hosts
    If related incidents are found, create a master incident ticket and link all the existing tickets to it.
  4. Categorize the incident as Denial of Service and assign the incident to the appropriate team based on the document “SOC Tier 1 – Security Threat Monitoring Process/Procedure”.
    NOTE: Below is the list of available options for the incident types:
     Malicious Code
     Web Application Attack
     Unauthorized Access
     Unauthorized System Activity
     Unauthorized Network Activity
     Suspicious System Activity
     Suspicious Network Activity
     Probes and Scans
     Denial of Service
     Policy Violation
     Device Misconfiguration
     Device Malfunctioning
     Communication with Malicious Network
  5. Collect as much information as possible about the DoS/DDoS attack:
    a) Attack mechanism (e.g., HTTP flood, ping of death, Slowloris, SYN flood, UDP flood)
    b) Domain and owner of the machines used to launch the attack (for SYN and UDP floods the source addresses are often spoofed, so the apparent owner may itself be a victim, e.g., of a reflection attack)
    c) Motivation of the attack
  6. Engage the application owners to determine whether the attack has been effective and has made any services unavailable.
  7. Prioritize the incidents based on the instructions provided in the document “Security Incident Management Process”.
  8. Identify the severity of the incident based on the following scenarios, and assign the incident to the appropriate team based on the document “SOC Tier 2 – Security Incident Triage Process/Procedure”:
     Any type of DoS that targets internal servers (e.g., Domain Controllers, file servers)
     Any type of DoS that targets critical external servers (e.g., web servers)
     Any type of DDoS that targets internal servers (e.g., Domain Controllers, file servers)
     Any type of DDoS that targets critical external servers (e.g., web servers)
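
The three attack categories and the identification steps above (collecting per-source counts from the SIEM, naming the attack mechanism, and checking for authorized exceptions before anyone is blocked) can be exercised on a sample log. The Python below is an added example and is not part of this runbook or any Unilever tooling: it assumes a simplified key=value firewall log format, hypothetical rate thresholds, a constructed list of authorized ranges and constructed traffic, none of which come from the document. It ranks sources by packet count, flags those above threshold, labels each flagged source with an apparent mechanism and category (protocol and volume floods point at the ISP or DDoS provider, application floods at the WAF team), and separates authorized exceptions from block candidates.

```python
"""DoS/DDoS triage over firewall-style log lines.

Added example, not the runbook's own code. The key=value log format, the
thresholds, the authorized ranges and the traffic itself are constructed
for illustration; real SIEM output and baselines will differ.
"""
import ipaddress
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical per-source rate thresholds sized for this tiny sample. A real
# SOC derives them from the normal baseline of the protected service.
THRESHOLDS = {"pps": 20.0, "rps": 10.0, "bps": 1_000_000.0}

# Authorized exceptions from the CMDB / CSIRT (constructed): a partner range
# and the internal monitoring network. These are reported, never auto-blocked.
AUTHORIZED_CIDRS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.250.0.0/16"),
]


def build_sample_log():
    """Constructed 10-second window of traffic to web server 198.51.100.10:
    a SYN flood from three hosts, an HTTP GET flood from one host, an
    authorized partner batch job, monitoring probes and ordinary visitors."""
    ts = "ts=2024-05-01T10:00:{s:02d}Z "
    lines = []
    for src in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        for n in range(400):  # SYN-only packets, no request ever completes
            lines.append(ts.format(s=n % 10) + f"src={src} dst=198.51.100.10 "
                         "proto=tcp dport=443 flags=S bytes=60")
    for n in range(300):  # one host hammering a URL with complete requests
        lines.append(ts.format(s=n % 10) + "src=203.0.113.200 dst=198.51.100.10 "
                     "proto=tcp dport=443 flags=PA bytes=480 http=GET")
    for n in range(150):  # partner batch job: fast, but an authorized exception
        lines.append(ts.format(s=n % 10) + "src=192.0.2.10 dst=198.51.100.10 "
                     "proto=tcp dport=443 flags=PA bytes=520 http=POST")
    for n in range(30):  # monitoring probe from the internal monitoring net
        lines.append(ts.format(s=n % 10) + "src=10.250.1.9 dst=198.51.100.10 proto=icmp bytes=84")
    for n in range(40):  # twenty ordinary visitors, two requests each
        lines.append(ts.format(s=n % 10) + f"src=198.18.0.{n % 20 + 1} dst=198.51.100.10 "
                     "proto=tcp dport=443 flags=PA bytes=700 http=GET")
    return lines


def parse_line(line):
    rec = dict(FIELD_RE.findall(line))
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def aggregate_by_source(records):
    """Per-source counters needed to tell the three attack categories apart."""
    per_src = defaultdict(Counter)
    for r in records:
        c = per_src[r["src"]]
        c["packets"] += 1
        c["bytes"] += r["bytes"]
        if r.get("proto") == "tcp" and r.get("flags") == "S":
            c["syn_only"] += 1
        if r.get("proto") == "udp":
            c["udp"] += 1
        if "http" in r:
            c["requests"] += 1
    return per_src


def label_mechanism(c):
    """Heuristic (mechanism, category) from a flagged source's packet mix."""
    if c["syn_only"] > 0.9 * c["packets"] and c["requests"] == 0:
        return "SYN flood", "protocol"
    if c["udp"] > 0.9 * c["packets"]:
        return "UDP flood", "volume"
    if c["requests"] > 0.5 * c["packets"]:
        return "HTTP flood", "application"
    return "unclassified", "unknown"


def triage(lines, window_seconds, thresholds=THRESHOLDS, authorized=AUTHORIZED_CIDRS):
    """Rank sources, flag those above threshold, classify the attack and keep
    authorized exceptions out of the block-candidate list."""
    per_src = aggregate_by_source(parse_line(line) for line in lines)
    total = sum(per_src.values(), Counter())
    result = {
        "window_pps": total["packets"] / window_seconds,
        "window_bps": total["bytes"] * 8 / window_seconds,
        "window_rps": total["requests"] / window_seconds,
        "categories": set(), "sources": [],
        "block_candidates": [], "authorized_exceptions": [],
    }
    ranked = sorted(per_src.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    for src, c in ranked:
        rates = {"pps": c["packets"] / window_seconds,
                 "bps": c["bytes"] * 8 / window_seconds,
                 "rps": c["requests"] / window_seconds}
        over = any(rates[k] > thresholds[k] for k in thresholds)
        mech, cat = label_mechanism(c) if over else ("below threshold", "none")
        result["sources"].append({"src": src, **rates, "mechanism": mech, "category": cat})
        if not over:
            continue
        if any(ipaddress.ip_address(src) in net for net in authorized):
            result["authorized_exceptions"].append(src)  # report it, do not block it
            continue
        result["categories"].add(cat)
        result["block_candidates"].append(src)
    return result


if __name__ == "__main__":
    summary = triage(build_sample_log(), window_seconds=10)
    print(f"window: {summary['window_pps']:.0f} pps, {summary['window_bps']:.0f} bps, "
          f"{summary['window_rps']:.0f} rps; categories: {sorted(summary['categories'])}")
    for s in summary["sources"][:6]:
        print(f"{s['src']:>15} {s['pps']:6.1f} pps {s['rps']:6.1f} rps  {s['mechanism']}")
    print("block candidates:", summary["block_candidates"])
    print("authorized exceptions (do not block):", summary["authorized_exceptions"])
```

The partner host exceeds the request threshold but lands in the exceptions list because it matches an authorized range, which is the point of identification step 2c. The SYN-only sources are reported as protocol-category candidates; because SYN-flood sources are frequently spoofed, the category (not the IP list) is what decides whether the WAF team or the ISP is the right containment contact.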

Containment

  1. Consider possible short-term containment actions if the attack is launched from external machines:
    a) Block traffic from the IP addresses involved in the DDoS attack, as far upstream as possible (WAF or edge for application-layer floods; DDoS protection provider or ISP for volumetric floods, since a host or firewall cannot unsaturate its own uplink)
    b) If applicable, notify the DDoS protection provider
    c) Notify the Internet service provider (ISP) about the issue to see if they can help (e.g., upstream filtering or blackholing)
  2. Consider possible short-term containment actions if the attack is launched from internal machines:
    a) Block traffic from the IP addresses involved in the DDoS attack
    b) If possible, disconnect the machines used to launch the attacks from the Internet (or isolate them on the network)
    c) If there is any evidence that the traffic is generated by malware, change the incident type to Malicious Code and follow the instructions in the Malicious Code runbook.
  3. Conduct further network and host forensics as required
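
Blocking source addresses is the first containment action in both lists above, and step 6 of the response procedure requires the change to be reverted afterwards. The Python below is an added example, not the runbook's own tooling or any Unilever configuration: it vets a list of block candidates (rejecting garbage, IPv6, prefixes wide enough to cause collateral damage, and anything inside constructed protected ranges) and emits an nftables set with an element timeout, so the block expires on its own even if the rollback step is forgotten. The table, chain and set names and the protected ranges are assumptions. It applies to protocol and application floods reaching the host or firewall; a volumetric flood that fills the uplink still has to be dropped upstream.

```python
"""Emergency source-IP blocklist as an nftables set with automatic expiry.

Added example, not the runbook's own code. The protected ranges, the set and
chain names and the candidate list are constructed for illustration.
"""
import ipaddress

# Ranges that must never be blocked, however suspicious they look
# (constructed): our own servers, the partner network, internal monitoring.
PROTECTED_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.250.0.0/16"),
]

MAX_EXPAND_PREFIX = 28  # expand at most a /28 (16 hosts) into single addresses


def vet_block_candidates(candidates, protected=PROTECTED_CIDRS):
    """Return (accepted addresses, rejected (item, reason)) for an emergency block.
    Rejects non-addresses, IPv6 (needs a separate ipv6_addr set), wide prefixes
    and anything overlapping a protected range; de-duplicates the rest."""
    accepted, rejected, seen = [], [], set()
    for item in candidates:
        try:
            net = ipaddress.ip_network(item.strip(), strict=False)
        except ValueError:
            rejected.append((item, "not an IP address or CIDR"))
            continue
        if net.version != 4:
            rejected.append((item, "IPv6: use a separate ipv6_addr set"))
            continue
        if net.prefixlen < MAX_EXPAND_PREFIX:
            rejected.append((item, f"prefix wider than /{MAX_EXPAND_PREFIX}: needs explicit approval"))
            continue
        if any(net.overlaps(p) for p in protected):
            rejected.append((item, "overlaps a protected range"))
            continue
        for addr in net:  # a /32 yields itself; a small prefix yields each host
            if str(addr) not in seen:
                seen.add(str(addr))
                accepted.append(str(addr))
    return accepted, rejected


def nft_setup(timeout="2h", family_table="inet filter", set_name="ddos_block"):
    """One-time script: a set whose elements expire after `timeout`, and an
    input-hook chain that drops anything whose source is in the set.
    Run once; `add rule` is not idempotent and would duplicate the rule."""
    return (
        f"add table {family_table}\n"
        f"add set {family_table} {set_name} {{ type ipv4_addr; flags timeout; timeout {timeout}; }}\n"
        f"add chain {family_table} ddos_input {{ type filter hook input priority -10; policy accept; }}\n"
        f"add rule {family_table} ddos_input ip saddr @{set_name} counter drop\n"
    )


def nft_add(addresses, family_table="inet filter", set_name="ddos_block"):
    """Per-incident script: add vetted addresses to the set (safe to re-run)."""
    if not addresses:
        raise ValueError("no addresses to block")
    return f"add element {family_table} {set_name} {{ {', '.join(addresses)} }}\n"


def nft_rollback(family_table="inet filter", set_name="ddos_block"):
    """Containment undo (response procedure step 6): empty the set only,
    leaving the rest of the ruleset untouched."""
    return f"flush set {family_table} {set_name}\n"


if __name__ == "__main__":
    # Constructed candidate list as an analyst might paste it from the SIEM.
    accepted, rejected = vet_block_candidates(
        ["203.0.113.5", "203.0.113.5", "203.0.113.64/30", "198.51.100.10",
         "10.0.0.0/8", "2001:db8::1", "not-an-ip"])
    for item, reason in rejected:
        print(f"rejected {item}: {reason}")
    print(nft_setup() + nft_add(accepted))
```

Write the two scripts to files, syntax-check them with `nft -c -f setup.nft` and `nft -c -f block.nft`, then apply with `nft -f`. `nft list set inet filter ddos_block` shows the remaining time on each element; the rollback script is `nft -f rollback.nft` if the block has to be lifted before the timeout.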

Eradication

  1. If internal users or admins have made unauthorized changes to the protective technology, ensure that all user accounts associated with that person are disabled.
  2. Take the following actions, if applicable:
    a) Review the firewall policies to ensure they follow best practices
    b) Review the security policies on the IPS
    c) Review the security policies of the proxy servers
    d) Revisit the network configuration on the host
  3. If the incident is left open for an extended period (e.g., 7+ days), ensure at least one follow-up notification is sent to the assigned owner; if they are still unresponsive, escalate to management for action.

Recovery

  1. Work with the Threat Intelligence team to refine existing rules or develop new signatures/rules to detect the activity, as necessary.
  2. Watch for the attacker's artifacts to return:
    a) High volume of traffic from external/internal machines
    b) Unusual spike in the volume of inbound traffic compared with the pre-incident baseline
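
A spike is only "unusual" relative to a baseline, and a mean-and-standard-deviation baseline is itself skewed by the attack minutes it contains. The Python below is an added example, not the runbook's own monitoring: it assumes constructed per-minute inbound byte counts and uses the median and median absolute deviation (MAD), which a few flood minutes cannot drag, to flag minutes that sit well above the pre-incident level. The threshold k and the floor on the scale (which keeps a perfectly flat baseline from turning every wobble into an alert) are the example's own choices.

```python
"""Robust spike detector for the recovery watch.

Added example, not the runbook's own code. The per-minute inbound volumes
are constructed; the median/MAD rule, the floor on the scale and k are the
example's choices, not values from the runbook.
"""
from statistics import median

# Constructed: 15 pre-incident minutes of inbound megabytes (the baseline)
# and the minutes observed after recovery, which include a returning flood.
BASELINE_MB = [50, 52, 48, 51, 49, 50, 53, 47, 50, 51, 49, 52, 48, 50, 51]
OBSERVED_MB = [51, 49, 120, 340, 300, 52]


def robust_scale(values):
    """Median and MAD of the baseline, with a floor on the MAD so that a flat
    baseline (MAD == 0) cannot divide by zero or alert on trivial changes."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    floor = 0.01 * abs(med) if med else 1.0
    return med, max(mad, floor)


def spike_minutes(observed, baseline, k=5.0):
    """Return [(index, value, robust_z)] for minutes whose inbound volume is
    more than k robust standard deviations above the baseline median.
    0.6745 rescales the MAD to the standard deviation of a normal sample."""
    med, scale = robust_scale(baseline)
    alerts = []
    for i, v in enumerate(observed):
        z = 0.6745 * (v - med) / scale
        if z > k:
            alerts.append((i, v, round(z, 2)))
    return alerts


if __name__ == "__main__":
    for idx, mb, z in spike_minutes(OBSERVED_MB, BASELINE_MB):
        print(f"minute {idx}: {mb} MB inbound, robust z = {z}")
```

Feed it the per-minute inbound counter from the edge device or SIEM for the affected service, with the baseline taken from a quiet period before the incident, and pair any alert with the source ranking from identification so the ticket records whether the same sources came back.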

Lessons Learned

  1. Put together a report detailing what happened, why it happened, what could have prevented it, and what will be done to prevent it from happening again.
  2. Meet with management to go over the report and get their approval for the changes needed to prevent similar incidents in the future.
