How to Create an Emergency DDoS Response Plan

Oliver Sears

On my way home from visiting a customer last week, I was thinking about a question that he had raised. He asked me “What is the best way to prepare for a DDoS attack?”

A DDoS attack is a special type of Denial of Service attack. Malicious traffic is generated from a multitude of sources and orchestrated from one central point. The fact the sources are distributed all over the world makes it incredibly difficult to block and mitigate.

Knowing how to stop a DDoS attack quickly could be the difference between being able to ‘shrug it off’ and continue operationally, or being put out of business. This is because a successful DDoS attack can be hugely detrimental to an organization. If you have suffered a DDoS attack, you are not alone. Even the largest organisations have fallen victim to DDoS attacks such as PlayStation, Google and even Amazon. But you don’t need to be one of the big guns to be prepared for a DDoS attack.  Below is my step-by-step guide on how to best prepare in the case of a DDoS attack.

Anticipate Single Points of Failure

Finding the vulnerable points in your network better enables you to protect them.  Potential DDoS targets include websites, DNS servers, web apps, file servers, email servers, trading platforms, banking platforms, data center, APIs.

Be Able To Identify The Attack as Early as Possible

You need to be able to identify when you are under attack. A lot of DDoS attacks go unnoticed for quite some time and the longer it goes on the more damage that can be done. The sooner you can establish the traffic causing problems on your website is DDoS traffic the sooner you can stop the attack.

To do this, familiarize yourself with your typical inbound traffic so you know what normal traffic looks like. Many DDoS attacks start as sharp increases in traffic and if you know what your standard traffic looks like it will be easier to spot any changes. 

Make Sure You Know If You Need to Report The Incident

If the incident which affects personal information, do you know if have an obligation under the GDPR to report the incident to the Information Commissioner’s Office (ICO). The ICO website provides further guidance on what constitutes a notifiable breach, and how to prepare and respond to breaches.  If your organisation is an Operator of Essential Services (OES), you should also consider whether you need to inform your Competent Authority of the incident. The National Cyber Security Centre (NCSC) provides dedicated guidance for OES organisations.

Open Communications With Your ISP or Hosting Provider

If you have noticed unfamiliar traffic on your website or network and think it may be due to a DDoS attack then call your ISP or hosting provider and ask them for clarity. It’s a good idea to have emergency contacts within your ISP to hand, or even a specific process in place, so you can contact them quickly if this happens. 

Call a DDoS Mitigation Specialist

With larger attacks, you have a better chance of staying online if you use a specialist DDoS Mitigation company. These organizations have large-scale infrastructure and use of a variety of technologies – such as scrubbing centers – as well as many years expertise in these specific areas.

These services do come with a cost attached, but this needs to be weighed up against the potential financial and reputational loss should you suffer from such an attack.

Test Your Mitigation

Don’t forget to test your mitigation – it is no good thinking you are protected and only finding out it doesn’t work when you actually suffer an attack. This needs to be done regularly to ensure that you are keeping up with the constantly evolving techniques of cyber criminals.

Create a DDoS Response Playbook 

For you and your team to respond quickly to a DDoS attack it is vital you have a DDoS Response Plan which can document – in detail – every step of a pre-planned response if, or rather when, an attack is detected.

Obviously there is a lot more to a playbook than the overview I have covered here so if you would like to create your own, download our guide on How to Build a DDoS Response Playbook with DDoS Testing and check out the NCSC guidance.

Testing is an important part of mitigation and likewise you need to test what is in your playbook.  This ensures everyone knows what they should do and when in the event of an attack, and the feedback from this enables you to update the plan if necessary.

Conclusion

However big or small you are, you need to have something in place to deal with DDoS attacks.  With attacks increasing all the time, it is vital to start this process as soon as possible.

Find out more about how we can help you with DDoS Mitigation and DDoS Testing, Contact Us or give us a call on 0845 625 9025.

Suffering a DDoS attack right now? Call our DDoS Incident Response Hotline that operates 24/7 +44 (0) 333 444 3367