Organizations in any sector, in any vertical market, and in any part of the world depend on the internet in order to function. They must be able to operate at the speed and scale of the internet and be prepared to withstand attacks at internet speed as well. Distributed denial-of-service (DDoS) attacks are one of the biggest threats any organization will face.
A business’s failure to withstand a DDoS attack and effectively and rapidly recover can result in loss of revenue, compliance failures, impacts to brand reputation and public perception, and so on. Therefore, it’s critical that your business has a plan of action when a DDoS attack occurs. This plan, like any business continuity plan, will be a living document that is tested and refined over years and even decades.
The methodology (or lifecycle) for dealing with a DDoS attack is composed of six phases: preparation, detection, classification, traceback, reaction, and postmortem. These critical components should be part of every DDoS response plan. Each phase informs the next, and the cycle improves with each iteration.
Preparation
Preparation is the most important phase. This is where you get the DDoS protection tools, the people, the processes, the best practices, and the communications plan together so you are ready to deal with a DDoS attack. That includes training, practicing, and rehearsing your plan. The plan must also encompass the entire scope of all the different elements, processes, and procedures necessary to keep your organization able to execute on its mission in the face of these attacks.
Detection
Organizations that lack good visibility into their internet traffic often don’t even understand that they are under attack: they realize it only after suffering outages, sometimes lasting for days or even weeks. Having the tools to detect that you’re under attack and to alert you that something abnormal and potentially harmful is taking place is paramount. Every further step in the cycle depends on your ability to reliably detect an attack in the first place.
Classification
Once you’ve detected an attack, you need to determine what type of attack it is and what is being targeted. This includes determining the size and characteristics of the attack in order to classify it. An incomplete picture makes the later steps of the cycle less effective and can make things worse by leading you to react inappropriately.
Traceback
Once you have classified the attack, you need to understand where the attack traffic ingresses and egresses your network. Automate detection, classification, and traceback as much as possible: automated determinations are both faster and more accurate than the same work performed by hand.
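As an added illustration of automating the detection, classification, and traceback phases described above (this is not code from the original post), the following script runs the three steps over a constructed set of per-interval flow records; the interface names, addresses, and the 3x-baseline threshold are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample flow records (not from the original page). Each record is
# (ingress_interface, protocol, dst_ip, dst_port, packets, bytes) for one interval.
BASELINE_FLOWS = [
    ("eth0", "tcp", "203.0.113.10", 443, 800, 600_000),
    ("eth1", "udp", "203.0.113.10", 53, 200, 30_000),
]
ATTACK_FLOWS = [
    ("eth0", "tcp", "203.0.113.10", 443, 900, 650_000),
    ("eth1", "udp", "203.0.113.10", 53, 200, 30_000),
    ("eth2", "udp", "203.0.113.10", 123, 40_000, 60_000_000),
    ("eth1", "udp", "203.0.113.10", 123, 9_000, 13_500_000),
]

def detect(baseline, window, factor=3.0):
    """Detection: alert when the interval's packet count exceeds factor x baseline."""
    base = sum(f[4] for f in baseline)
    cur = sum(f[4] for f in window)
    ratio = cur / base if base else float("inf")   # empty baseline: treat as infinite
    return ratio > factor, ratio

def classify(window):
    """Classification: size the attack, find the dominant vector and the target."""
    by_vector, by_target = Counter(), Counter()
    for _iface, proto, dst, port, pkts, _bytes in window:
        by_vector[(proto, port)] += pkts
        by_target[dst] += pkts
    vector, vec_pkts = by_vector.most_common(1)[0]
    total_pkts = sum(by_vector.values())
    return {
        "packets": total_pkts,
        "bytes": sum(f[5] for f in window),
        "vector": vector,                   # e.g. ("udp", 123)
        "share": vec_pkts / total_pkts,     # fraction of packets in that vector
        "target": by_target.most_common(1)[0][0],
    }

def traceback(window, vector):
    """Traceback: which ingress interfaces carry the classified vector, largest first."""
    per_iface = Counter()
    for iface, proto, _dst, port, pkts, _bytes in window:
        if (proto, port) == vector:
            per_iface[iface] += pkts
    return per_iface.most_common()
```

Feeding `classify()`'s vector into `traceback()` tells you which edge interfaces to focus mitigation on, which is the hand-off into the reaction phase.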
Reaction
Now you are informed enough about the attack to perform mitigation. The key to a successful reaction is mitigating the attack while maintaining availability for the duration of the attack. Because the mitigation action must fit the attack, correct identification and classification are what let you choose the most appropriate DDoS mitigation action.
Postmortem
After the attack, have a postmortem call where everything that was done is reviewed. Discuss what could be done better so the lessons learned during the process of working these steps can be fed back into the preparation phase to improve the plan. This will allow you to be more prepared the next time.
Building the Incident Response Team
Decide if this is a dedicated team or a contextual one where individuals are tasked when needed. Include stakeholders from any relevant group such as infrastructure and service administrators, management, legal, communications/PR, and possibly external parties such as vendors/suppliers, partners, and key customers.
Keys to Successful Incident Handling: Develop (and Improve) Your Plan
If you fail to plan, you are planning to fail. Successful handling of a DDoS attack is entirely dependent on your preparedness and the readiness of your plan. Your DDoS response plan will be the structure supporting all six phases outlined above. It will be a living document, tailored to the environment and refined through practice and occasional real-world use.
However, the only way to know if your plan is accurate and thorough is via periodic rehearsals. These should include both internal-only rehearsals and full rehearsals involving all stakeholders and external parties.
Successfully Handling DDoS Attack Incidents
Successful mitigation won’t happen by accident. It happens by having a comprehensive, tested plan and executing it as rehearsed.
Remember: Work the plan. Iterate through the six phases. Test the plan. Maintain internal and external communications throughout the incident. And don’t forget the postmortem!
For a more detailed look at DDoS planning and response, check out our DDoS Response Playbook.