A Distributed Denial of Service (DDoS) attack, unlike most other cyber threats, is a lethal form of threat that is almost impossible to eliminate, and its “planned” execution can have a deadly effect on the target. This form of cyberattack is still as dreaded as it was a decade ago. Unlike other forms of cyberattack, it targets the capacity limits of IT systems, which every organization has, so every organization is vulnerable to a DDoS attack by default. Additionally, tools to generate such attacks are freely available and easy to use. On the other hand, enterprises are generally ill-prepared to handle these attacks.
Given below is a quick checklist that an enterprise can use as a starting point to assess its readiness to handle a DDoS attack.
More information on how an organization can prepare itself to withstand a DDoS attack can be found in my SANS article titled “Preparing to withstand a DDoS Attack”.
| Question | Yes | No | Don’t Know |
|---|---|---|---|
| **Preparation Phase** | | | |
| Does any current ISP provide an anti-DDoS service? | X | | |
| Have the important points of contact at the ISP(s) been identified and documented for a quick coordination call? | X | | |
| Do we know what level of support to expect from the ISP(s) during an attack? | X | | |
| Have critical assets been identified so that their traffic can be prioritized? | X | | |
| Is a process in place to deal with an extortion demand? | X | | |
| Has a DDoS impact analysis been done? | X | | |
| Can the mission-critical services be enabled from another site? | X | | |
| Do the DNS records for critical hosts have a short TTL to allow a quick IP address change? | X | | |
| **Identification Phase** | | | |
| Has the baseline network usage pattern been identified (e.g., using MRTG or flow data) so that an attack is easy to recognize? | X | | |
| Are logs/events from critical servers and devices fed to a SIEM system for timely alerting? | X | | |
| Is service uptime for critical services monitored and alerted on using an NMS? | X | | |
| Is resource monitoring and alerting enabled on servers and network devices using an NMS? | X | | |
| Are mission-critical public services (e.g., corporate website, mail server, DNS servers) monitored from the Internet? | X | | |
| Are critical mailboxes (tech-contact, abuse, etc.) monitored? | X | | |
| Does the NIDS have DoS/DDoS-specific signatures enabled and tuned? | X | | |
| **Containment Phase** | | | |
| Can the ISP(s) be asked to black-hole/null-route traffic for a host or subnet? | X | | |
| Can we initiate a black hole/null route on the ISP(s) network ourselves using a BGP community modification? | X | | |
| Can the ISP(s) be asked to perform mitigation of a DDoS attack? | X | | |
| Is an anti-DDoS service provider engaged to help during an attack? | X | | |
| Are anti-spoofing rules enabled on border devices to prevent spoofed traffic from originating inside the network? | X | | |
| Are anti-bogon rules enabled on border devices? | X | | |
| Is out-of-band access available for critical network devices? | X | | |
| Is a process in place to quickly enable access lists or other filtering on border network devices? | X | | |
| Are the limits and capabilities of border devices documented and readily available? | X | | |
| Do border network devices have control plane policing enabled? | X | | |
| Is dedicated anti-DDoS equipment installed and operational? | X | | |
| Has someone been identified to negotiate with an extortionist if need be? | X | | |
| **Eradication Phase** | | | |
| Is a comprehensive DDoS incident response method available? | X | | |
| Has the DDoS incident response been tested? | X | | |
| Is the DDoS incident response document updated regularly? | X | | |
| **Recovery Phase** | | | |
| Is a process in place to test whether the mission-critical services are working as they should? | X | | |
| Is asset-to-business-owner information available to verify the functionality of a server/service after an attack? | X | | |
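The Identification Phase item about a baseline network usage pattern is the one most teams leave at "we have MRTG graphs". The following is an added example, not code from the original post, showing what "baseline identified" can mean in practice: per-interval inbound bit rates (the kind of counters MRTG or a flow collector already exports) are summarized into a threshold, and the current day's samples are checked against it. The sample numbers are constructed for the example; the sigma, ratio and run-length parameters are assumed defaults that an operator would tune to their own links.

```python
"""Baseline-deviation check for identifying a volumetric DDoS.

Added example (not from the original post). Assumes per-interval inbound
bit-rate samples are already being collected, e.g. from MRTG or a flow
collector. All numbers below are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed sample: inbound bits-per-second at 5-minute intervals during a
# normal business day; this is the window used to build the baseline.
BASELINE_BPS = [
    120e6, 115e6, 130e6, 125e6, 118e6, 122e6, 128e6, 119e6,
    124e6, 127e6, 121e6, 116e6, 123e6, 129e6, 126e6, 120e6,
]

# Constructed sample: today's samples. The last three are the step change a
# volumetric flood produces on an edge interface.
TODAY_BPS = [118e6, 125e6, 121e6, 130e6, 124e6, 910e6, 1450e6, 1600e6]


def build_baseline(samples, sigma=3.0, min_ratio=2.0):
    """Return (mean_bps, threshold_bps) for a window of normal-day samples.

    The threshold is the larger of mean + sigma*stddev and mean*min_ratio, so a
    very stable baseline does not page the on-call engineer for ordinary noise.
    sigma and min_ratio are assumed defaults, not values from the post.
    """
    mu = mean(samples)
    sd = pstdev(samples)
    return mu, max(mu + sigma * sd, mu * min_ratio)


def find_anomalies(samples, threshold, consecutive=2):
    """Return 0-based indexes of samples above the threshold that belong to a run
    of at least `consecutive` exceedances. A single spike (one busy interval,
    a backup job) is deliberately not flagged; a sustained flood is."""
    flagged = []
    run = 0
    for i, bps in enumerate(samples):
        run = run + 1 if bps > threshold else 0
        if run == consecutive:
            # the run just reached the minimum length: flag all of it
            flagged.extend(range(i - consecutive + 1, i + 1))
        elif run > consecutive:
            flagged.append(i)
    return flagged


def peak_multiple(samples, baseline_mean):
    """How many times the baseline mean the busiest interval reached; useful
    for the ISP coordination call ("we are at 13x normal inbound")."""
    return max(samples) / baseline_mean


if __name__ == "__main__":
    mu, threshold = build_baseline(BASELINE_BPS)
    print(f"baseline mean {mu / 1e6:.1f} Mbps, alert threshold {threshold / 1e6:.1f} Mbps")
    hits = find_anomalies(TODAY_BPS, threshold)
    if hits:
        print(f"sustained exceedance at intervals {hits}, "
              f"peak {peak_multiple(TODAY_BPS, mu):.1f}x baseline")
    else:
        print("traffic within baseline")
```

The same structure works for packets per second, flows per second or connections per second; the point of the checklist item is that the numbers and the alert threshold exist before the attack, so the on-call engineer can tell a flood from a busy afternoon without guessing.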