How to Report a DDoS Attack

Dave Piscitello, on behalf of the ICANN Security Team

DDoS attacks are serious problems. While ICANN’s role in mitigating these threats is limited, the Security Team offers these insights to raise awareness on how to report DDoS attacks

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks – political (hacktivism), criminal (coercion), or social (malice) – makes every merchant or organization with an online presence a potential target. The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service.

I’m under attack. What should I do? Whom should I call?

Any Internet service – web, DNS, Internet voice, mail – can be the target of a DDoS attack. If your organization uses a hosting provider for a service that is attacked, first contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills. If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Helping Hands

Traffic associated with a single DDoS attacks may originate from hundreds or thousands of attack sources (typically compromised PC or servers). In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds information:

1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance is {moderately, severely} affected, or that your services have been disrupted entirely.

Don’t Wait Until You Are a Victim

If you have not already prepared a plan to respond to a DDoS attack, please consider doing so. The article Preparing for the (Inevitable) DDOS Attack offers a checklist of contacts, information, and mitigation strategies. Some helpful resources to better understand different kinds of DDoS Attacks, mitigation techniques and how your organization can help reduce the overall threat of these attacks are included below:

• SAC004, Securing The Edge
• SAC008, DNS Distributed Denial of Service (DDoS) Attacks [PDF, 963 KB]
• BCP 38, Network Ingress Filtering
• BCP 140, Preventing Use of Recursive Nameservers in Reflector Attacks
• Protecting the World from YOUR Network
• Mitigating DNS Denial of Service Attacks
• The Worrisome Threat of DNS DDoS Amplification Attacks
• Do More to Prevent DDoS Attacks
• Firewall Best Practices – Egress Traffic Filtering
• Distributed Denial of Service (Attacks/Tools)