This document (download here) describes the recommended procedure for responding to a DDoS attack against an institution or company in the Czech Republic. It describes the cooperation between the victim of such an attack and the relevant security team (CERT or CSIRT). It also gives several concrete recommendations for administrators of communication networks and of other infrastructures based on IP protocols.

Definition of terms

Autonomous system (AS): a collection of connected IP routing prefixes under the control of one technical administrator, using an interior routing protocol and a common metric to forward packets within the AS, and an exterior routing protocol to forward packets to other ASes.

Backbone network infrastructure: the set of technical and administrative tools used to operate an AS.

Administrator of backbone network infrastructure: an organization that has at its disposal the technical and administrative tools needed to operate an AS.

Cyber attack: an action whose purpose is to damage computer systems by limiting their services or taking them out of service completely, to obtain or misuse electronic data without authorization, or to obtain unauthorized rights on somebody else's computer system.

DoS cyber attack: a cyber attack whose purpose is to limit or eliminate the services of computer systems. As a rule, it is carried out either by generating a large number of bogus requests that overload the system, or by attacking weak spots in the target system or in the transmission paths themselves.

DDoS cyber attack: a cyber attack of the DoS type that is coordinated from many network nodes at the same time.

IP spoofing: sending datagrams with a forged source address in order to conceal the real network location and identity of the attacker.

IP squatting: temporary or permanent unauthorized use of IP address space for communication. In the narrow sense, it is the announcement via BGP of prefixes that were not allocated to the announcing autonomous system by the relevant regional registry.

Detection of an attack

Monitoring is an inseparable and very important part of any ICT environment. Where correctly installed monitoring tools exist, anomaly-based detection of non-standard activity is usually very quick.

After non-standard activity is detected, it is necessary to analyse the anomalies and confirm the attack. It is crucial to monitor not only individual systems but also network traffic. Once an attack in progress is confirmed, contact your Internet provider and the relevant security team (CERT or CSIRT) immediately.

Contact between the victim of an attack and the relevant CERT/CSIRT team

Contact must be possible in both directions. The contact information for the governmental and national CERT or CSIRT teams is as follows:

In order to allow members of the CERT or CSIRT team to contact representatives of your institution or company, you must also have pre-defined contact information on your side. It is important to choose the contact person well: it must be somebody who knows the organization's overall IT infrastructure and at the same time is authorized to approve concrete countermeasures. Together with contacting the CERT or CSIRT team, you should also contact your Internet provider and ask for the information it has available and for cooperation in handling the attack.

What you can expect from CERT or CSIRT teams during a DDoS attack

The Governmental CERT is currently working on improving the communication channels between designated security workplaces in the state, commercial and academic spheres.

This will allow a more efficient reaction to potential future attacks, as well as quick information sharing between the parties concerned.

After you report an attack and send the relevant information, members of these teams will be able to contact you back quickly and provide help especially in the following areas:

  • a global view of what is happening and what type of attack the victim is facing
  • inviting the parties concerned to a conference
  • help with defining rules for filtering the system's traffic

On the other hand, you must be able to provide all available information that might help resolve the attack.

What you cannot expect from CERT or CSIRT teams during a DDoS attack

DDoS attacks exploit the nature of the Internet itself, so there is no absolute defence against them. Their impact can be mitigated, but it is always necessary to find a compromise between the investment in defensive tools and the potential extent of the damage. This is the subject of so-called risk analysis, which is taken into account in the cyber security law being prepared. The Czech National Cyber Security Centre (NCSC), the Governmental CERT and the National CSIRT cannot be regarded as organizations capable of preventing all future attacks. Their role is above all a coordinating one. The security of a concrete entity is always solely in the hands of its local administrator.

Important questions you should ask yourself before being attacked

How quickly are you able to notice and diagnose an incident with the help of network data, server logs, IPS and firewall? Do you collect and preserve these logs?

How quickly are you able to obtain the cooperation of your Internet provider? Do you know what it can do for you in case of an attack, whom you should contact, and how escalation will proceed from there?

Do you have prepared procedures, including all necessary contact information and specific roles, for when an attack happens?

Do you operate the infrastructure for services exposed to the Internet separately from the infrastructure for services used only internally? Will the internal part be affected by an attack on the public services?

Have you considered the possibility of quickly increasing the capacity of your server farm and of your Internet connectivity, potentially by using a private or public cloud?

Do you know the limits of your network, its bottlenecks and its non-redundant elements? Does your backbone network infrastructure contain a SPOF (single point of failure)?

Are your devices able to handle SYN cookies (i.e. are they able to defend against a DDoS attack of the SYN flood type)?

Recommendations for administrators of communication networks and of other infrastructures based on IP protocols

AS administrators should adopt measures and establish processes that increase the security and resilience of the IP networks they administer. The recommended measures are:

  • protection of router control planes against DoS attacks;
  • protection against DoS-type attacks on the BGP routing protocol;
  • protection against IP squatting by means of filtering.

AS administrators and administrators of end networks should adopt the recommended measures consisting of:

  • protection against IP spoofing;
  • passive monitoring of traffic and retention of the data;
  • active reaction to an incoming attack by intensifying monitoring and collecting forensic information;
  • active reaction to an incoming attack by blocking the attack.

The measures recommended above are not exhaustive.

Protection of router control planes

The purpose of protecting the router control plane is to withstand the various DoS attacks that aim to disable the routers' control logic and cause the collapse of part of the network, potentially with a domino effect across the whole network. Administrators of backbone network infrastructure should follow their router vendors' recommendations for protecting the control plane against attack. Deploying Control Plane Policing (CoPP) is an example of such a control.

Protection against DoS-type attacks on the BGP routing protocol

Administrators of backbone network infrastructure should use MD5 authentication of BGP sessions according to [RFC 2385] and, where applicable, address the other threats described in [RFC 4272].
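The following configuration fragment is an added illustration of the two measures above (control plane policing and the RFC 2385 TCP MD5 option on a BGP session); it is not taken from the document. It uses Cisco IOS syntax, which other vendors express differently; the addresses, AS numbers, policing rates and the management source range are placeholder assumptions and must be sized for the real network (a routing class policed too low drops legitimate BGP keepalives and brings the session down, which is exactly the outage the attacker wants).

```text
! --- Control Plane Policing (CoPP) -----------------------------------
! Classify traffic addressed to the router itself. Anything that is not a
! known routing or management protocol falls into class-default and is
! policed hard, so a flood at the router's own addresses cannot starve the
! CPU that keeps BGP and OSPF alive.
ip access-list extended CP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
!
! Management only from the assumed NOC range 192.0.2.0/24 (RFC 5737 space).
ip access-list extended CP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
class-map match-any CP-ROUTING
 match access-group name CP-ROUTING
class-map match-any CP-MGMT
 match access-group name CP-MGMT
!
policy-map COPP
 class CP-ROUTING
  police 512000 conform-action transmit exceed-action drop
 class CP-MGMT
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- RFC 2385: TCP MD5 signature on the BGP session -------------------
! Both ends must configure the same secret; a segment without a valid
! signature is discarded before it reaches the BGP process, so forged
! RSTs or UPDATEs from a spoofed peer address cannot tear the session down.
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 password <shared-secret>
```

Verify the policy with `show policy-map control-plane` after deployment and watch the drop counters of the routing class under normal load before trusting the rates; the MD5 secret should be rotated with the peer, since RFC 2385 offers no key management of its own.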

Protection against IP squatting by means of filtering

Administrators of backbone infrastructure should apply concrete inbound and outbound BGP filters and derive, or at least verify, their content from the relevant public routing databases according to [RFC 2650].
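As an added example of deriving a customer prefix filter from a routing database (not part of the original document), the Python script below parses a small set of RPSL route objects, builds the allow list for a customer BGP session, renders it as an IOS-style prefix-list, and then judges received announcements: an unregistered prefix is treated as IP squatting, an origin that does not match the registered one is rejected, and more-specifics are accepted only down to a maximum length. The IRR dump is constructed for the example (RFC 5737 addresses, documentation AS numbers); the function names and the `/24` limit are the author's assumptions.

```python
import ipaddress
import re

# Constructed RPSL route objects in the style of an IRR database (RFC 2650).
# Prefixes are RFC 5737 documentation space and AS numbers come from the
# documentation range (AS64496-AS64511), so none of this is a real network.
IRR_DUMP = """
route:   198.51.100.0/24
origin:  AS64496
descr:   customer A (constructed example)
source:  EXAMPLE-IRR

route:   203.0.113.0/24
origin:  AS64496
descr:   customer A, second block
source:  EXAMPLE-IRR

route:   192.0.2.0/24
origin:  AS64497
descr:   customer B
source:  EXAMPLE-IRR
"""


def parse_route_objects(text):
    """Return [(network, origin_asn), ...] from RPSL route: objects.
    Objects are separated by blank lines; attributes we do not need are ignored."""
    routes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            asn = int(attrs["origin"].upper().removeprefix("AS"))
            routes.append((net, asn))
    return routes


ROUTES = parse_route_objects(IRR_DUMP)


def build_prefix_filter(routes, customer_asns, max_len=24):
    """Allow list for one customer session: every registered route whose origin
    is one of the customer's ASNs, accepted exactly or as a more-specific down
    to max_len (24 is the usual IPv4 limit in the default-free zone)."""
    return [(net, max(net.prefixlen, max_len))
            for net, asn in routes if asn in customer_asns]


def render_prefix_list(name, prefix_filter):
    """Render the allow list as IOS-style prefix-list lines (other vendors differ)."""
    lines = []
    for net, limit in prefix_filter:
        suffix = f" le {limit}" if limit > net.prefixlen else ""
        lines.append(f"ip prefix-list {name} permit {net}{suffix}")
    return lines


def evaluate_announcement(prefix, origin_asn, routes, customer_asns, max_len=24):
    """Decide whether an UPDATE received on a customer session should be accepted.
    Returns (accept, reason). Anything not backed by a route object is treated
    as potential IP squatting and rejected; the most specific registered object
    that covers the prefix decides the legitimate origin."""
    net = ipaddress.ip_network(prefix, strict=False)
    if origin_asn not in customer_asns:
        return False, f"AS{origin_asn} is not an origin allowed on this session"
    covering = [(n, a) for n, a in routes if net.subnet_of(n)]
    if not covering:
        return False, f"no route object covers {net} (possible IP squatting)"
    best = max(n.prefixlen for n, _ in covering)
    parent = next(n for n, _ in covering if n.prefixlen == best)
    registered = sorted(a for n, a in covering if n == parent)
    if origin_asn not in registered:
        return False, (f"origin mismatch: {parent} is registered to {registered}, "
                       f"announced by AS{origin_asn}")
    limit = max(parent.prefixlen, max_len)
    if net.prefixlen > limit:
        return False, f"{net} is more specific than the /{limit} limit under {parent}"
    return True, f"{net} covered by route object {parent} origin AS{origin_asn}"


if __name__ == "__main__":
    print("\n".join(render_prefix_list("CUST-A", build_prefix_filter(ROUTES, {64496}))))
    for p, asn in [("198.51.100.0/24", 64496), ("192.0.2.0/24", 64496), ("10.0.0.0/8", 64496)]:
        print(p, asn, evaluate_announcement(p, asn, ROUTES, {64496}))
```

In practice the route objects come from a query against the IRR (or from RPKI ROAs, which carry the same prefix/origin/max-length triple), and the filter is regenerated and pushed to the routers whenever the database changes; the evaluation function above is the same check the router's prefix-list performs, made explicit so that the rejection reason can be logged and shown to the customer.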

Protection against IP spoofing

Administrators of backbone infrastructure, in cooperation with the customers who administer end networks, should filter traffic on the interfaces facing end networks with reverse-path filters where technically possible, in accordance with [BCP 38]. The purpose of this measure is to prevent DoS attacks with forged source addresses, and all attacks via reflectors, from spreading out of end networks towards other ASes. Administrators of end networks should in turn ensure that all outgoing traffic carries a source IP address from the assigned range and not a forged one.
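The reverse-path check and the end-network egress check described above, written out as an added example (not code from the document) so that the difference between strict and loose mode is visible. The FIB is constructed; the interface names and RFC 5737 addresses are assumptions. The multihomed entry shows the known caveat of strict mode: when the best route back to a source leaves through a different interface than the one its packets arrive on, strict mode drops legitimate traffic, which is why BCP 38 says "where technically possible" and why loose mode (RFC 3704) exists for such links.

```python
import ipaddress

# Constructed FIB of a provider edge router. Longest prefix match decides
# which interface a given source address would be reached through.
FIB_TABLE = [
    ("198.51.100.0/24", "Gi0/1"),  # customer A, single-homed
    ("203.0.113.0/24", "Gi0/2"),   # customer B, single-homed
    ("192.0.2.0/25", "Gi0/0"),     # multihomed customer: best return path here is
                                   # via the upstream, but it also sends on Gi0/1
    ("0.0.0.0/0", "Gi0/0"),        # default route towards the upstream
]
FIB = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB_TABLE]


def lookup(addr, fib):
    """Longest-prefix match; returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    matches = [(n, i) for n, i in fib if a in n]
    return max(matches, key=lambda t: t[0].prefixlen) if matches else None


def urpf(src, ingress_if, fib, mode="strict", default_ok=False):
    """Reverse-path check as in BCP 38 / RFC 3704. Returns True if the packet
    passes.
    strict: the best route back to src must leave via the ingress interface.
    loose:  a route to src must exist at all; this catches bogons and
            unallocated space but not spoofing of routable addresses.
    A match on the default route alone counts only when default_ok is set,
    otherwise the default route would make loose mode pass everything."""
    hit = lookup(src, fib)
    if hit is None:
        return False
    net, out_if = hit
    if net.prefixlen == 0 and not default_ok:
        return False
    if mode == "loose":
        return True
    return out_if == ingress_if


def egress_ok(src, assigned_ranges):
    """End-network side of BCP 38: an outbound packet must carry a source
    address from one of the ranges assigned to the site."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in assigned_ranges)


if __name__ == "__main__":
    # A packet claiming to be from customer A but arriving on customer B's link.
    print("spoofed A on Gi0/2, strict:", urpf("198.51.100.7", "Gi0/2", FIB))
    # Legitimate asymmetric traffic from the multihomed customer.
    print("multihomed on Gi0/1, strict:", urpf("192.0.2.9", "Gi0/1", FIB))
    print("multihomed on Gi0/1, loose: ", urpf("192.0.2.9", "Gi0/1", FIB, "loose"))
```

The end-network check (`egress_ok`) is the one the document asks customers to implement; on a Linux edge it corresponds to an outbound rule that permits only the assigned source ranges, and on routers to an egress ACL on the upstream-facing interface.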

Passive monitoring of traffic and data retention

Administrators of backbone infrastructure and administrators of end networks should passively monitor the traffic on their routers by exporting NetFlow, IPFIX or similar data, or at least by packet dumps, and retain the recorded data for several days; 10 days is considered the necessary minimum. To reduce the volume of this data, NetFlow sampling of up to 1:200 may be used. Passive monitoring should serve especially to identify attacks, and network infrastructure administrators should have an overview of the traffic at the level of source and destination IP address, source and destination port, protocol, direction of communication (ingress interface) and precise time.
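As an added example of the anomaly-based detection the document describes here and in the "Detection of an attack" section, the Python script below works on a constructed sampled flow export (fields modelled on a NetFlow v5/IPFIX record: ingress interface, 5-tuple, TCP flags, counters), undoes the 1:200 sampling to estimate real packet and bit rates, and flags a destination when the rate is high and the traffic shows a flood signature (many distinct sources, almost only SYN packets). The flow records, addresses, interface names and thresholds are all assumptions made for the example, not data from the document.

```python
import csv
import io
from collections import defaultdict

SAMPLING = 200   # NetFlow sampling 1:200, the upper limit the document allows
WINDOW_S = 10    # length of the constructed capture window in seconds

# Constructed sampled flow export in CSV form. All addresses are RFC 5737
# documentation space. Gi0/0 faces the upstream, Gi0/1 a customer. Three
# ordinary HTTPS sessions and one DNS query are mixed with a SYN flood
# against 203.0.113.10:443 from ten sources; flags lists the set TCP flags.
FLOWS_CSV = """ts,in_if,src,sport,dst,dport,proto,flags,packets,bytes
1700000000,Gi0/1,198.51.100.5,51234,203.0.113.10,443,6,APF,12,9800
1700000002,Gi0/1,198.51.100.9,40211,203.0.113.10,443,6,APF,12,9800
1700000005,Gi0/0,198.51.100.77,33000,203.0.113.10,443,6,APF,12,9800
1700000003,Gi0/0,198.51.100.20,5353,203.0.113.20,53,17,,5,600
1700000001,Gi0/0,192.0.2.1,1024,203.0.113.10,443,6,S,250,10000
1700000001,Gi0/0,192.0.2.2,1025,203.0.113.10,443,6,S,250,10000
1700000002,Gi0/0,192.0.2.3,1026,203.0.113.10,443,6,S,250,10000
1700000003,Gi0/0,192.0.2.4,1027,203.0.113.10,443,6,S,250,10000
1700000004,Gi0/0,192.0.2.5,1028,203.0.113.10,443,6,S,250,10000
1700000005,Gi0/0,192.0.2.6,1029,203.0.113.10,443,6,S,250,10000
1700000006,Gi0/0,192.0.2.7,1030,203.0.113.10,443,6,S,250,10000
1700000007,Gi0/0,192.0.2.8,1031,203.0.113.10,443,6,S,250,10000
1700000008,Gi0/0,192.0.2.9,1032,203.0.113.10,443,6,S,250,10000
1700000009,Gi0/0,192.0.2.10,1033,203.0.113.10,443,6,S,250,10000
"""


def parse_flows(text):
    """Read the export into dicts with numeric counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text.strip())):
        for k in ("ts", "sport", "dport", "proto", "packets", "bytes"):
            r[k] = int(r[k])
        rows.append(r)
    return rows


def summarize_by_destination(flows, sampling=SAMPLING, window_s=WINDOW_S):
    """Aggregate per (dst, dport, proto): estimated packets/s and bits/s after
    undoing the sampling, distinct sources, share of SYN-only packets and the
    ingress interfaces the traffic arrived on (the document's 'direction')."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn_only": 0,
                               "sources": set(), "in_if": set()})
    for f in flows:
        a = agg[(f["dst"], f["dport"], f["proto"])]
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
        if f["proto"] == 6 and f["flags"] == "S":
            a["syn_only"] += f["packets"]
        a["sources"].add(f["src"])
        a["in_if"].add(f["in_if"])
    return {
        key: {
            "pps": a["packets"] * sampling / window_s,
            "bps": a["bytes"] * 8 * sampling / window_s,
            "sources": len(a["sources"]),
            "syn_ratio": a["syn_only"] / a["packets"],
            "in_if": sorted(a["in_if"]),
        }
        for key, a in agg.items()
    }


def detect(summary, pps_threshold=20000, min_sources=8, syn_ratio=0.9):
    """Flag destinations whose estimated rate is high AND that show a flood
    signature (many sources or almost only SYNs). The thresholds are
    assumptions to be tuned to the link and to the service's normal traffic."""
    hits = {}
    for key, s in summary.items():
        reasons = []
        if s["sources"] >= min_sources:
            reasons.append("many distinct sources")
        if s["syn_ratio"] >= syn_ratio:
            reasons.append("SYN-only traffic")
        if s["pps"] >= pps_threshold and reasons:
            hits[key] = {"pps": s["pps"], "in_if": s["in_if"], "reasons": reasons}
    return hits


if __name__ == "__main__":
    for key, hit in detect(summarize_by_destination(parse_flows(FLOWS_CSV))).items():
        print(key, hit)
```

The sampling factor matters: a counter of 2,536 sampled packets in ten seconds is a real rate of roughly 50,000 packets/s, which is why the document insists on keeping the rate and the time base with the records. The ingress interface in the result is what tells the operator where to apply a filter or which upstream to ask for help.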

Active reaction to an incoming attack by intensifying monitoring and preserving forensic data

Administrators of network infrastructure and administrators of end networks should be able to obtain detailed information about traffic from a specific direction and towards specific addresses, and should be able to capture the suspect flows and export them for analysis in pcap format.

Active reaction to an incoming attack by blocking the attack

Administrators of backbone infrastructure and administrators of end networks should be able to block a suspect flow or set of flows on the basis of specific content in protocol headers, or at least on the basis of source and destination IP address, TCP ports and flags, and UDP port. Administrators of backbone infrastructure can offer their customers remote-triggered blackhole (RTBH) services or another form of automated elimination of suspect traffic.
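The choice between the blocking options listed above is shown as an added example below (author's illustration, not part of the document). Given a characterised attack, the function picks the narrowest measure that can still help: a header-based filter for reflection traffic from a fixed UDP source port, SYN cookies plus a SYN rate limit for a SYN flood, per-source filters when the source set is small, and a remote-triggered blackhole request to the upstream when the flood already fills the access link, because at that point nothing filtered on the customer's side reduces the load on the saturated link. The filter rules are expressed as generic match dictionaries rather than any vendor's syntax; the `AttackProfile` fields, the 80% saturation rule, the reflection port list and the 65535:666 community (the well-known BLACKHOLE community from RFC 7999, which an upstream may replace with its own) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 7999 defines the well-known BLACKHOLE community 65535:666. Many
# providers use their own community and next-hop for RTBH; confirm with yours.
BLACKHOLE_COMMUNITY = "65535:666"

# UDP services commonly abused for reflection/amplification. Traffic *from*
# these ports towards a host that is not a client of them can be dropped
# on the header alone.
REFLECTION_SOURCE_PORTS = {19, 53, 123, 161, 389, 1900, 11211}


@dataclass
class AttackProfile:
    target: str                  # victim address (the document's destination IP)
    proto: int                   # 6 = TCP, 17 = UDP
    dport: int                   # destination port the flood hits
    bps: float                   # estimated bits/s reaching the target
    sources: int                 # number of distinct source addresses seen
    sport: Optional[int] = None  # fixed source port, if the flows show one
    syn_ratio: float = 0.0       # share of SYN-only packets (TCP floods)
    top_sources: List[str] = field(default_factory=list)  # worst offenders


def choose_mitigation(p: AttackProfile, link_bps: float, max_acl_sources: int = 50):
    """Return an ordered list of actions, each a dict with 'where' (host,
    edge, upstream) and 'type'. Narrow header matches come first; the
    blackhole is the last resort because it completes the DoS on the target
    in exchange for keeping the rest of the network reachable."""
    # 1. A flood that fills the access link must be dropped upstream of it.
    if p.bps >= 0.8 * link_bps:
        return [{"where": "upstream", "type": "rtbh",
                 "announce": f"{p.target}/32", "community": BLACKHOLE_COMMUNITY,
                 "note": "link saturated; local filters cannot reduce the load"}]
    actions = []
    # 2. Header-specific matches where the attack has a fixed signature.
    if p.proto == 17 and p.sport in REFLECTION_SOURCE_PORTS:
        actions.append({"where": "edge", "type": "filter", "action": "drop",
                        "match": {"proto": "udp", "sport": p.sport, "dst": p.target}})
    elif p.proto == 6 and p.syn_ratio >= 0.9:
        actions.append({"where": "host", "type": "syn-cookies",
                        "setting": "net.ipv4.tcp_syncookies=1"})
        actions.append({"where": "edge", "type": "filter", "action": "rate-limit",
                        "match": {"proto": "tcp", "flags": "S",
                                  "dst": p.target, "dport": p.dport}})
    # 3. A small source set can be dropped by address; a spoofed or
    #    botnet-scale set cannot, and the list would never be complete.
    if 0 < p.sources <= max_acl_sources and p.top_sources:
        for src in p.top_sources:
            actions.append({"where": "edge", "type": "filter", "action": "drop",
                            "match": {"src": src, "dst": p.target}})
    if not actions:
        actions.append({"where": "upstream", "type": "escalate",
                        "note": "no narrow header match; ask the provider for "
                                "selective blackholing or scrubbing"})
    return actions


if __name__ == "__main__":
    ntp = AttackProfile("203.0.113.10", 17, 80, bps=3.0e8, sources=5000, sport=123)
    for a in choose_mitigation(ntp, link_bps=1.0e9):
        print(a)
```

Whichever branch is taken, the forensic capture from the previous section should already be running before the filter is applied, because once the drop rule is in place the evidence of the attack disappears from the flow data.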

Links

[BCP 38]

P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. BCP 38, RFC 2827. May 2000. http://www.rfc-editor.org/rfc/rfc2827.txt

[RFC 2385]

A. Heffernan. Protection of BGP Sessions via the TCP MD5 Signature Option. RFC 2385. Aug. 1998. http://www.rfc-editor.org/rfc/rfc2385.txt

[RFC 2650]

D. Meyer et al. Using RPSL in Practice. RFC 2650. Aug. 1999. http://www.rfc-editor.org/rfc/rfc2650.txt

[RFC 4272]

S. Murphy. BGP Security Vulnerabilities Analysis. RFC 4272. Jan. 2006. http://www.rfc-editor.org/rfc/rfc4272.txt