These attacks are being launched through popular DDoS tools and can consume enough bandwidth to require proactive action coordinated with Service Providers.
Network administrators should keep vigil on traffic, and any abnormal rise in traffic levels should be reported to CERT-In (firstname.lastname@example.org) immediately.
Actions prior to attacks:
1. Identify critical services and their priority. Develop Business Continuity Plan.
2. Deploy appropriate Intrusion/DDoS Prevention System capable of detecting and mitigating DDoS attacks.
3. Ensure that the Intrusion/DDoS Prevention System contains signatures to detect the attacks launched from common DDoS tools.
4. Maintain a list of contacts at ISPs and at vendors of network and security devices, and contact them as appropriate.
5. Understand your current environment, and have a baseline of the daily volume, type, and performance of network traffic.
6. Implement Egress and Ingress filtering at router level.
7. Implement a bogon block list at the network boundary.
8. Review the traffic patterns and logs of perimeter devices to detect anomalies in traffic, network-level floods (TCP, UDP, SYN, etc.) and application-level floods (HTTP GET).
9. Maintain and regularly examine logs of webservers to detect malformed requests/traffic.
10. In case your SLA with the ISP includes DDoS mitigation services, instruct your staff about the requirements to be sent to the ISP.
Actions to be taken if an attack occurs:
1. Identify the type of attack, such as flooding with particular types of packets/requests (TCP SYN, ICMP, HTTP GET, etc.), by examining the logs of network and security devices such as the Router / IPS / IDS / Firewall or DDoS attack Prevention Solutions.
2. Identify the attack sources.
3. Block the attack sources at the Router/Packet filtering device/DDoS prevention solutions.
4. Disable non-essential ports/services.
5. Preserve all logs indicating type of attack and attack sources.
6. In case of a high-volume DDoS, consult your ISP to block the attack sources and apply appropriate rate-limiting strategies.
7. Allocate traffic to unaffected available network paths, if possible, to continue the services.
8. Consult your Business Continuity Plan for appropriate actions in case critical services are affected.
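Steps 5, 8 and 9 of the preparatory list and steps 1 and 2 of the response list come together in a baseline comparison over webserver logs. The following is an added example, not part of the CERT-In advisory: it parses access-log lines in an assumed combined-style format, counts GET requests per source in fixed windows, flags sources whose rate exceeds a multiple of the measured baseline (an HTTP GET flood), and counts malformed lines. The log format, baseline, threshold factor and sample lines are constructed for the demo.

```python
"""Spot an HTTP GET flood by comparing per-source request rates to a baseline."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Simplified Apache/nginx "combined"-style access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (src_ip, timestamp, method, path, status), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed requests are themselves worth counting (step 9)
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    return m["src"], ts, m["method"], m["path"], int(m["status"])

def find_get_flood_sources(lines, baseline_rps, factor=10, window=60):
    """Bucket GET requests per source into fixed windows; flag any source whose
    rate in a window exceeds baseline_rps * factor. Returns ({src: peak_rps},
    malformed_line_count)."""
    buckets = defaultdict(Counter)  # window start (epoch s) -> Counter(src)
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        src, ts, method, _path, _status = rec
        if method != "GET":
            continue
        buckets[int(ts.timestamp()) // window * window][src] += 1
    peaks = {}
    for counter in buckets.values():
        for src, n in counter.items():
            rps = n / window
            if rps > baseline_rps * factor:
                peaks[src] = max(peaks.get(src, 0.0), rps)
    return peaks, malformed

def sample_log():
    """Constructed sample: one flooding source, one normal client, one bad line."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [f'203.0.113.7 - - [{(base + timedelta(seconds=i // 10)).strftime(TS_FMT)}] '
             f'"GET / HTTP/1.1" 200 512' for i in range(600)]  # 10 req/s for 60 s
    lines += [f'198.51.100.5 - - [{(base + timedelta(seconds=i * 5)).strftime(TS_FMT)}] '
              f'"GET /index.html HTTP/1.1" 200 1024' for i in range(12)]  # 0.2 req/s
    lines.append("not a valid access-log line")
    return lines
```

With a measured per-source baseline of 0.5 req/s and the default factor of 10, only the 10 req/s source is reported, which gives the source list to preserve and hand to the ISP or packet-filtering device.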