Just like any major emergency, IT managers must prepare a playbook to follow in case a DDoS attack occurs.
What follows are some of the most important considerations every manager needs to consider when creating their DDoS playbook: it's about 75% preparation, 25% organized action.
Situation awareness
Every business operates within the context of certain realities. There are the human, political realities: are there competitors, activists or people who might have something against your organization? Your team should be actively monitoring social media for indications of growing tension.
And then there are known technological realities: what device types and browsers normally access your public websites? What is within the range of normal legitimate traffic and what is not?
Document what's normal, what's not, how to monitor for it, and what to do about it when things change.
Know thy network, and protect it
In order to effectively protect your network, you and your team must understand it completely. Establish the following practices, share in a safe location, and update regularly:
- Create a detailed depiction of your network topology. This will ensure everyone is working from the same page and will be useful for team coordination while under attack.
- Establish baselines. Collect baseline measurements of all network activity as it relates to your public access points. Examples are graphing and threshold alerts for bits per second and packets per second on major ingress and egress links in your network. You should also identify all critical services (for example, DNS, web servers and databases) running in your network and define monitoring indices to assess health in real time.
- Defend from the edge. Deploy technology at the edge of your network to defend as best as possible. Understand it may have limited capabilities, but can be of use in thwarting a small attack or identifying a ramping attack.
- Give yourself options. Design a secure remote access configuration, preferably out of band, to allow for remote management of your systems while under attack.
Create a strong DDoS response team
Help your people be successful by designating a strong team leader and making sure everyone knows and understands their responsibilities. Include the following:
- Who should be notified and when (emergency contact info for your ISP, your own senior management, customer service and PR managers)?
- What info needs to be collected and when, and where is it logged?
- What action needs to be taken to protect infrastructure or service?
- What is the escalation path for critical decisions?
Communicate the DDoS plan
It's not enough to have created a DDoS plan, but you need to share it and staff needs to know exactly when to initiate a DDoS response.
It should be part of orientation for new staff, with hard copies at stations and version in your wiki or online shared resources. Run drills periodically, including contacting your ISP.
Partner when necessary
If an attack is beyond the capabilities of your team or your ISP, make sure you have done your research and know which expert you want to call.
There are companies whose sole expertise is preparing for and defending against sophisticated and large scale DDoS attacks.
Make sure you understand your needs and vendors' service offerings beforehand so that when the need arises, you will have taken that difficult decision-making process out of the equation.
- Jag Bains is Chief Technology Officer for DOSarrest Internet Security. A 15-year veteran in the service provider arena, he has extensive network design experience as well as working with enterprise customers.
