A few days ago I mentioned DDoS mitigation. The referenced article [pdf] concerns UFIRT’s actions in the face of a rather unique incident: a DDoS attack planned to occur in one week’s time. Incident response plans are important to a company’s security posture, but not every imaginable incident needs an itemized response plan. And while an issue like a DDoS likely should not be painstakingly planned out, it should at least be contemplated now and then as a sort of verbal/introspective exercise. What would you do in such a situation? Do you have extra resources, gear, or skills on your team to deal with an ad hoc incident like a DDoS? Do you know where to turn for help on short notice? Can you pull a Joe Stewart out of your back pocket? 🙂 It might be a useful exercise for an IR team, or just for a manager or techie to sit back and think about some lazy afternoon…
One thought on “exercise your brain with hypothetical incident response scenarios”
I talked briefly about some new incident response strategies in some comments on Anton Chuvakin’s blog here.
Of course, I checked Bejtlich’s blog and found this as well – an old story about “How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won”.
Probably the easiest way to prevent DDoS is to blackhole the target /32 with a BGP trigger at your ISPs. The biggest problem with DDoS tools is that they usually only target one IP. If you don’t rely on that IP and can globally remove it from the BGP tables while it’s under attack, then the attacker successfully attacks a null route.
You might also try renting a couple of these puppies for a week, but Cisco doesn’t like to share their toys.
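The blackhole technique the comment describes, shown as an added illustration (this is not code from the post, the commenter, or any vendor): a toy longest-prefix-match forwarding table in which the provider injects a more-specific /32 for the attacked address pointing at a null route. Attack traffic pinned to the old IP is discarded at the edge, the rest of the /24 keeps routing, and legitimate clients keep working only because the service name was repointed first, which is the "if you don't rely on that IP" condition in the comment. All addresses, the DNS record and the upstream hop are constructed (RFC 5737 documentation ranges); the RFC 7999 blackhole community is mentioned in a comment as the conventional signal, not modelled.

```python
import ipaddress
from typing import Dict, Optional

# Sentinel next hop standing in for a router's null interface (Null0 / discard).
BLACKHOLE = "discard"


class ForwardingTable:
    """Minimal longest-prefix-match table: prefix -> next hop."""

    def __init__(self) -> None:
        self._routes: Dict[ipaddress.IPv4Network, str] = {}

    def add(self, prefix: str, next_hop: str) -> None:
        self._routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix: str) -> None:
        """Remove the route again once the attack subsides."""
        self._routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst: str) -> Optional[str]:
        """Return the next hop of the most specific matching prefix, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self._routes if addr in net]
        if not matches:
            return None
        return self._routes[max(matches, key=lambda net: net.prefixlen)]


def trigger_blackhole(table: ForwardingTable, victim_ip: str) -> None:
    """Provider-side remote-triggered blackhole: a /32 for the victim that beats
    the customer's aggregate on prefix length and points at the null route.
    In a real deployment the customer signals this with a BGP announcement
    carrying the provider's blackhole community (RFC 7999 reserves 65535:666)."""
    table.add(f"{victim_ip}/32", BLACKHOLE)


def deliver(table: ForwardingTable, dst: str) -> str:
    """Describe what the edge router does with a packet for dst."""
    next_hop = table.lookup(dst)
    if next_hop is None:
        return "unroutable"
    if next_hop == BLACKHOLE:
        return "dropped"
    return f"forwarded via {next_hop}"


def run_scenario() -> Dict[str, str]:
    # Constructed topology: the customer's /24 is reachable via one upstream hop.
    table = ForwardingTable()
    table.add("192.0.2.0/24", "203.0.113.1")

    # Constructed DNS record: the service name initially points at the attacked host.
    dns = {"www.example.test": "192.0.2.10"}
    attacked_ip = "192.0.2.10"
    spare_ip = "192.0.2.20"

    before = deliver(table, attacked_ip)

    # Defender's two moves, in this order: repoint the name to a spare address,
    # then have the provider null-route the address the flood is aimed at.
    dns["www.example.test"] = spare_ip
    trigger_blackhole(table, attacked_ip)

    return {
        "before_attack": before,
        "attack_traffic": deliver(table, attacked_ip),            # bots keep hitting the old IP
        "legit_traffic": deliver(table, dns["www.example.test"]),  # clients follow DNS
        "neighbour": deliver(table, "192.0.2.11"),                 # rest of the /24 unaffected
    }


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label:>14}: {outcome}")
```

The caveat the model makes visible is the ordering: if the /32 is blackholed before the name is moved, legitimate users are cut off exactly as the attacker intended, so the DNS change (and a short TTL set in advance) is part of the plan, not an afterthought.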