A Denial of Service (DoS) Attacks Playbook is a formal response guide that defines how an organization detects, responds to, mitigates, and recovers from DoS and Distributed Denial of Service (DDoS) attacks.
In the event of a cybersecurity incident, it is important that any organisation can respond, mobilise, and execute an appropriate level of response to limit the impact of a cybersecurity attack or breach. Although all cybersecurity incidents are different in their nature and technologies used, it is possible to group common cybersecurity incident types and methodologies together. This is to provide an appropriate and timely response depending on the cybersecurity incident type. Incident specific playbooks provide incident managers and stakeholders with a consistent approach to follow when remediating a cybersecurity incident.
A cybersecurity incident response playbook is a set of predefined steps and procedures that outline how to respond to a specific type of cybersecurity incident. For each playbook, the steps and procedures are structured according to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle. The plan outlined in this playbook is developed to assist the constituency of the South African National Research and Education Network (SA NREN) in responding to Denial of Service (DoS) Attacks. Denial of Service (DoS) attacks are malicious attempts by hackers to make a website, network, or service unavailable by overwhelming it with a flood of traffic or other disruptive activities.
The purpose of the SANReN CSIRT Denial of Service (DoS) Playbook is to provide guidance on the appropriate and timely response to a Denial of Service (DoS) cybersecurity incident or attack.
This document has been designed for the sole use of the SA NREN constituency.
This document is to be reviewed for continued relevancy by the SANReN CSIRT team at least once every 12 months, following any major cybersecurity incident, or as new information becomes available.
Outlining the recommended steps required to prepare the constituent to respond to a Denial of Service (DoS) attack in a timely and effective manner.
| Activity | Description | Action(s) |
|---|---|---|
| Maintain documentation | Implement, maintain, and review cybersecurity incident procedures. Maintain and regularly update technical documentation. Ensure up-to-date incident response policies. Define the roles and responsibilities. | Create a Cyber Incident Response Plan. Document network topology. Assign roles and responsibilities. Define escalation paths. |
| Identify assets | Maintain an understanding of the constituent’s environment: Keep a list of all company-owned domains. Maintain a list of all company-owned assets. Document key services, applications, and dependencies. | Maintain an asset inventory and list of end-user devices. Maintain a list of business-critical assets. |
| Implement Monitoring & Detection Tools | Deploy appropriate tools and technologies to monitor for unusual network traffic or patterns. | Establish a baseline: analyse historic traffic data and define normal network behaviour. |
| Review available information | Review cybersecurity incidents and their outputs. Review threats to the constituency, risks, and vulnerabilities. | View SANReN CSIRT weekly articles, alerts, and advisories. |
Providing the recommended steps to follow to enable detection of a DoS attack and conduct the investigation of the collected data to determine the scope and impact of the attack.
| Activity | Description | Action(s) |
|---|---|---|
| Detect Unusual Activities | Slow or unresponsive services. Excessive resource consumption (CPU, memory, bandwidth). Unexpected system or service crashes. | Monitor resources of business-critical assets. Check availability and uptime of critical services. |
| Detect Abnormal Traffic | Identify unusual spikes in network traffic. Repeated requests to the same resource, especially from unusual or unexpected IP addresses. Analyse whether a single source IP is sending a large number of requests, which could indicate a flood attack. Detect traffic coming from unexpected geographical regions, which could indicate an attempt to exploit networks from outside the target region. | Monitor firewall logs, IDS/IPS alerts, and network anomalies. Implement network-level filters to drop or limit traffic from identified malicious sources. Use Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) to filter out abnormal requests. Segment critical systems or services to limit the reach of a potential DoS attack. Work with the SANReN CSIRT and the Tertiary Education and Research Network of South Africa (TENET) for further investigation. |
| Identify Attack Type | Determine whether the attack is volumetric, protocol-based, or application-layer DoS. | Analyse traffic patterns and attack sources. |
| Assess Impact | Evaluate the impact on services and infrastructure. | Identify affected systems and notify stakeholders. |
| Activity | Description | Action(s) |
|---|---|---|
| Erratic Application Behaviour | Applications may fail to load, slow down, or become unresponsive due to the overwhelming traffic from the DoS attack. | Implement traffic filtering at various levels of the network, including IP blacklisting or rate-limiting requests to prevent overload. This can be done using firewalls or Intrusion Prevention Systems (IPS). |
| Port Scanning | Attackers may attempt to find open or vulnerable ports on the server by sending packets to various ports (common in DDoS attacks). | Monitor and analyse network traffic for unusual scanning behaviour. Implement port-blocking strategies, intrusion detection systems (IDS), and network segmentation to mitigate risks. |
| Unexpected Traffic Patterns | The activity may involve abnormal traffic patterns, such as repeated access to the same resources (e.g., DNS or HTTP requests) from a large number of different IPs or from a single source. | Establish internal reporting lines for quick response. Review firewall and network device logs to detect patterns. Contact the SANReN CSIRT and TENET for further insights on traffic patterns. |
| Determine the Severity | Consider the following: the number of affected assets, the number of services affected, and the preliminary business impact. | Assess severity based on affected assets, impact, and service status. Consult the internal security team, legal department, and/or the SANReN CSIRT team for further assistance. |
| Reporting | Continuous reporting as the investigation progresses to ensure all relevant parties are up to date. | Establish appropriate communication methods (e.g., email or website, internal or external). Inform employees. |
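The "single source sending a large number of requests" and "unusual spike against the baseline" checks described above can be turned into a simple sliding-window detector. This is an added example, not part of the SANReN playbook; the log format, the sample traffic and the thresholds (50 requests per source and 200 in total per 10-second window) are constructed assumptions that must be tuned from the constituent's own traffic baseline.

```python
from collections import defaultdict, deque
import re

BASE_TS = 1700000000  # constructed epoch start for the sample log

def build_sample(flood=True):
    """Constructed sample log, one line per request: "<epoch> <src_ip> <dst_port>".
    Baseline: five clients, one request per second each for 30 s.
    Flood (if enabled): 203.0.113.5 sends 40 requests/s during seconds 20-29."""
    lines = [f"{BASE_TS + t} 198.51.100.{i + 1} 443" for t in range(30) for i in range(5)]
    if flood:
        lines += [f"{BASE_TS + t} 203.0.113.5 443" for t in range(20, 30) for _ in range(40)]
    return "\n".join(lines)

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Parse log lines into (timestamp, src_ip, dst_port); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events

def detect_floods(events, window=10, per_source_limit=50, total_limit=200):
    """Sliding-window rate check (thresholds are assumptions; tune from your own baseline).
    Flags any source exceeding per_source_limit requests within `window` seconds (single-source
    flood) and whether total requests in the window ever exceeded total_limit (volume spike)."""
    per_src = defaultdict(deque)
    total = deque()
    alerts = {"source_flood": set(), "volume_spike": False}
    for ts, src, _port in sorted(events):
        q = per_src[src]
        q.append(ts)
        while q[0] <= ts - window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_source_limit:
            alerts["source_flood"].add(src)
        total.append(ts)
        while total[0] <= ts - window:
            total.popleft()
        if len(total) > total_limit:
            alerts["volume_spike"] = True
    return alerts

if __name__ == "__main__":
    print("baseline only:", detect_floods(parse_log(build_sample(flood=False))))
    print("with flood:   ", detect_floods(parse_log(build_sample())))
```

The baseline-only run produces no alerts, while the flood run flags 203.0.113.5 as a single-source flood and the window total as a volume spike; real deployments would feed the detector from firewall or web server logs and alert the SANReN CSIRT rather than printing.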
Outlining the necessary steps to isolate the DoS attack and subsequent threats, eliminate and remove the effects of the DoS attack, and recover to resume normal operations.
| Activity | Description | Action(s) |
|---|---|---|
| Contain Attack | Prevent the spread of an ongoing attack and minimise its impact on the network and critical assets. | Isolate and remove endpoints from the network. Activate incident response protocols. |
| Isolate Compromised Systems | Remove infected or compromised systems from the network to prevent further damage or data loss. | Isolate endpoints from the production network. Disconnect affected machines. Move them to a separate Virtual Local Area Network (VLAN). Monitor for continued unusual activity. |
| Traffic Mitigation | Mitigate attack traffic through rate limiting, traffic filtering, and robust firewalls, while monitoring and adapting to evolving threats. | Activate traffic filtering mechanisms (firewalls, intrusion prevention systems). Implement rate-limiting or blackhole routing for malicious IPs. |
| Activity | Description | Action(s) |
|---|---|---|
| Clear Malicious Traffic | Remove any lingering attack traffic still affecting the network. | Use traffic filtering, rate limiting, and IP blacklisting to block attack sources. |
| Reset Affected Systems | Restore normal operations by clearing temporary disruptions. | Restart servers, flush DNS caches, and reset network devices. |
| Patch Exploited Weaknesses | Fix vulnerabilities that were leveraged in the DoS attack. Strengthen network infrastructure to prevent future DoS attacks. | Apply security updates, adjust firewall rules, and harden system configurations. Identify and disconnect infected machines, scan for malware, and remove infections. Implement load balancing, increase bandwidth capacity, and configure redundancy mechanisms. |
| Activity | Description | Action(s) |
|---|---|---|
| Restore Services | Recover systems based on business impact analysis and business criticality. Ensure all affected systems and applications are back to full functionality. | Gradually restore services in a controlled manner. Verify system stability and confirm network availability. |
| Validate System Integrity | Conduct a vulnerability scan of all systems. Establish and improve monitoring for suspicious behaviour. Confirm that no unauthorised changes or lingering effects remain post-attack. | Implement necessary patches. Conduct security audits, check for data corruption, and compare with backups. |
| Reinforce Network Security | Strengthen defences to prevent reoccurrence of similar attacks. | Update firewall rules, enhance intrusion detection systems, and fine-tune access controls. Monitor the network traffic for residual threats. |
Recommended steps to conduct after the DoS attack has been investigated and resolved to ensure lessons are learned and improvements are put into place.
| Activity | Description | Action(s) |
|---|---|---|
| Deploy Preventative Measures | Put measures in place to prevent future DoS attacks. | Implement network segmentation to minimise attack impact. Ensure regular system and software updates. Deploy DDoS protection services. |
| Lessons Learned | Process the incident, review strategies, and revisit preparations for potential future incidents. | Hold a “lessons learned” meeting. Questions to be discussed: How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? Update security policies and response procedures based on lessons learned. |
| Incident Reporting | Instruct employees on how to report issues during a DoS attack. | Provide a clear reporting protocol through email or an internal portal for quick escalation of network issues. |
| User Awareness Training | Teach employees how DoS attacks can impact systems and networks. Train employees to avoid unsafe websites or actions that could trigger DoS attacks. | Conduct training sessions: Include signs of disruption in internal communications. Encourage reporting of unusual system behaviour. |
Checklist
| Step | Action | Completed |
|---|---|---|
| Detection and Analysis | | |
| 1. | Configure firewalls to filter out known attack signatures and restrict unnecessary traffic. | |
| 2. | Analyse logs to identify IP addresses, geolocation, or other indicators of the attack's source. | |
| 4. | Determine which services, assets, or systems are being affected by the attack. | |
| 5. | Report the Denial of Service incident to the appropriate internal personnel and external organisations (SANReN CSIRT and TENET). | |
| Containment, Eradication and Recovery | | |
| 6. | Temporarily isolate the affected systems to minimise the impact on the rest of the network. | |
| 7. | Set up rate limiting on servers or networks to mitigate the impact of excessive requests and reduce overload. | |
| 8. | Use network-based filtering to block known attack signatures or protocols used during the DoS attack. | |
| 9. | Restart systems and services that were impacted by the DoS attack to return them to normal functionality. | |
| 10. | Strengthen firewall configurations, intrusion detection/prevention rules, and system hardening to prevent future attacks. | |
| Post-Incident Activity | | |
| 11. | Conduct a “Lessons Learned” meeting. | |
| 12. | Create a post-incident report and share it with relevant parties. | |
Contact Us:
- CSIRT:
- Heloise:
- Kgwadi:
- Zoya:
- Anele: