Denial of Service (DoS) and Distributed Denial of Service (DDoS) Incident Response Plan
- brencronin
- Mar 18
- 2 min read
Updated: Mar 23
Incident Response Phases: P.I.C.E.R.L for DoS and DDoS attacks
Incident response follows the P.I.C.E.R.L framework: Planning, Identification, Containment, Eradication, Recovery, and Lessons Learned.
DoS/DDoS - Planning Phase
Identify publicly available servers, systems, and resources susceptible to DDoS attacks.
Understand potential DDoS traffic sources and data flow to public-facing infrastructure.
Assess protection mechanisms within the data path, including:
Internet access points and routers
Application gateways
DDoS protection mechanisms
Web Application Firewalls (WAFs)
Firewalls and Intrusion Prevention Systems (IPS)
Server host protection mechanisms
Network and server resource capacities
Define alerting mechanisms for DDoS attacks from various monitoring systems.
Establish contact points with upstream service providers for DDoS traffic mitigation.
Integrate DDoS detection and response strategies into the IR plan.
Conduct tabletop exercises and simulation testing to evaluate the plan’s effectiveness.
For Azure-hosted systems, run simulations with approved testing partners such as Breaking Point Labs, MazeBolt, RedButton, and RedWolf.
Ensure targeted public IP addresses are under Azure DDoS Protection before testing.
DoS/DDoS - Identification Phase
Methods for detecting DoS/DDoS attacks include:
DDoS protection service alerts
Network Management Systems (NMS) detecting service availability loss
User experience reports of service disruptions
Open-source threat intelligence identifying planned or ongoing DDoS attacks
Attack Characterization:
Identify affected systems and data paths under attack.
Determine attack sources and methods, including targeted ports and protocols.
Common DDoS attack types:
Application-layer attacks (Layer 7) – Exhaust web server and application resources with legitimate-seeming HTTP requests.
Protocol attacks (state-exhaustion attacks) – Overwhelm network infrastructure using Layer 3 or Layer 4 protocols (e.g., ICMP floods).
Volumetric attacks – Consume the available bandwidth with high-volume traffic, typically generated by botnets or amplification techniques.
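As an added example (not part of the original post), the following Python script illustrates the identification and attack-characterization steps above: it parses constructed web-server log lines in Common Log Format, computes per-source requests per second, and flags sources whose peak rate exceeds a threshold together with the path they target. The sample log lines, the threshold and the function names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def build_sample_log():
    """Constructed sample log (not real traffic): a few normal requests from
    distinct clients, plus a burst from two sources hammering one URL within
    a single second, the typical shape of a Layer 7 (HTTP) flood."""
    lines = []
    for i in range(5):
        lines.append(f'198.51.100.{i} - - [18/Mar/2025:10:00:0{i} +0000] '
                     f'"GET /page{i} HTTP/1.1" 200 512')
    for src in ("203.0.113.10", "203.0.113.11"):
        for _ in range(40):
            lines.append(f'{src} - - [18/Mar/2025:10:00:03 +0000] '
                         f'"GET /search?q=x HTTP/1.1" 200 9000')
    lines.append("garbage line that does not parse")  # exercises the skip path
    return lines


def characterize(lines, rps_threshold=20):
    """Return {source: {"peak_rps": n, "top_path": p}} for every source whose
    request rate in any one second exceeds rps_threshold (an assumed value;
    tune it to the normal per-client rate observed on the monitored service).
    The output is the input to containment decisions such as rate limiting."""
    per_src_sec = defaultdict(Counter)  # source -> {timestamp second: count}
    paths = defaultdict(Counter)        # source -> {path: count}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: ignore rather than abort
        src, ts, _method, path, _status = m.groups()
        per_src_sec[src][ts] += 1       # CLF timestamps have 1 s granularity
        paths[src][path] += 1
    flagged = {}
    for src, seconds in per_src_sec.items():
        peak = max(seconds.values())
        if peak > rps_threshold:
            flagged[src] = {"peak_rps": peak,
                            "top_path": paths[src].most_common(1)[0][0]}
    return flagged


if __name__ == "__main__":
    for src, info in characterize(build_sample_log()).items():
        print(f"{src}: peak {info['peak_rps']} req/s on {info['top_path']}")
```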
DoS/DDoS - Containment Phase
Containment strategies include:
Rate limiting – Restricting request or traffic volume, per source or in aggregate, to prevent server overload.
Null routing (blackholing) – Directing traffic for the targeted address to a non-existent route so it is dropped upstream (this also drops legitimate traffic to that address).
Upstream provider intervention – Engaging service providers (e.g., Microsoft, Verizon, AT&T, Lumen) to block DDoS traffic before it reaches the enterprise network.
DoS/DDoS - Eradication Phase
Full eradication is not possible because the attacking systems are outside the organization's control.
DDoS traffic is mitigated through proactive blocking and network resilience enhancements.
Strengthen system defenses against future attacks.
DoS/DDoS - Recovery Phase
Restore full service availability for legitimate users.
Ensure system resilience under continued attack conditions.
Validate security controls and confirm normal operations.
DoS/DDoS - Lessons Learned Phase
Analyze attack details:
How did the DDoS attack occur?
Who were the threat actors behind the attack?
What alerting mechanisms were triggered?
What additional mitigation strategies can be implemented?
Did the system maintain availability during the attack? If not, determine impact and recovery time.
Document insights and update the IR plan for improved future response.