PLAYBOOK
The Imperva Incapsula Network Ops DDoS Playbook
Table of Contents
Introduction 4
Why You Should Read This Guide 4
Who Is This Guide For? 4
Responding to an Attack 22
Early Detection 22
Establishing a War Room 22
Working with Other Teams 22
Marketing, Sales and Customer Management 22
Corporate Communications 23
Legal 23
Post-Attack Steps 24
Process Analysis 24
Attack and Mitigation Analysis 24
DDoS Glossary 25
Introduction
Why You Should Read This Guide
Distributed denial of service (DDoS) attacks can wreak havoc with network operations teams.
DDoS attacks are crafted to saturate and overwhelm network resources until they are rendered
unavailable to their intended users. As such, this type of cyber threat “crosses the line”
between security and network operations.
Network ops teams, which are responsible for ensuring the performance and availability of
enterprise applications and services to external users, have a vested interest in protecting
their production environment from DDoS attacks. Rather than dealing with daily operations,
network and capacity planning, network ops teams that do not have the proper mitigation
measures in place may find themselves spending long days and sleepless nights investigating
the source of DDoS attacks and trying to stop them.
Studies show that it’s not a matter of if your organization is going to be targeted by a DDoS
attack, but when. Accordingly, good preparation is essential for making sure your organization
is ready to quickly identify and respond to DDoS attacks. Organizations that engage in pre-
emptive DDoS response planning are far more likely to limit potential damage and act in an
effective manner than those that try to improvise their way through a DDoS-induced crisis.
According to our Q2 2015 DDoS Global Threat Landscape Report, not only are DDoS attacks
larger than ever before, they are also more frequent and longer in duration. The largest
network attack mitigated in Q2 2015 was 253 Gbps, while the largest application layer assault
amounted to 179,700 requests per second.
To make matters worse, attackers are more relentless than ever. Once targeted, victims of
application layer DDoS attacks are hit once a week on average. Over 20 percent of all network
layer attacks last over five days.
Given the relative simplicity and low cost of instigating a DDoS attack, as well as the relative
impunity perpetrators enjoy, these disturbing trends are hardly surprising. Booter/Stresser
(i.e. DDoS for hire) services that can be ordered online for as little as $10 a pop and free DoS
toolkits make it simple for practically anyone to launch an attack. Our statistics show that
single-vector attacks associated with botnets-for-hire accounted for more than 40 percent of
all network layer attacks.
• Cyber vandalism — Cyber vandals target information infrastructures primarily for the
thrill and notoriety associated with bringing down a major website or online service. This
is their way of making a statement or leaving their mark on the cybersphere. Botnets,
downloadable attack tools, and hijacked servers are the tool of choice for cyber vandals,
while readily available botnet-for-hire services leave no online network, application,
service, or website immune from danger. Cyber vandals also may employ “script kiddies”
to do their malicious coding.
• Personal rivalry — A personal grudge or anger can also be the motivation behind DDoS
attacks. This is the cyber equivalent of taking the air out of the tires of your boss’ car after
getting fired. Using DDoS-for-hire services, it’s simple and cheap to launch an attack that
will bring down a rival’s personal router or home computer. This type of personal attack
is also quite common in the gaming world, where players launch DDoS attacks against
gaming servers to gain a competitive edge or to avoid imminent defeat.
• Hacktivism — As the name implies, this type of “hacker” is typically motivated by a political
or social cause. Hacktivists use DDoS attacks as a means to express their criticism of
everything from governments and politicians, to “big business” and current events. If they
disagree with you, your site is going to go down (a.k.a. “tango down”). Anonymous is a
well-known example of a hacktivist group.
• Cyber warfare — State-sponsored DDoS attacks are being used to silence government
critics and internal opposition, as well as a means to disrupt critical financial, health, and
infrastructure services in enemy countries. Unlike conventional warfare, it only takes a
small number of DDoS attackers and a minimal investment to inflict substantial punitive
damage and register dissent with a government’s actions or policies.
What Are the Different DDoS Attack Methods and How Do They Affect Your Website?
DDoS assaults are intended to do just what the name implies — render websites and other
online services unavailable to their intended users. Such attacks are generally divided into two
categories:
• Network layer attacks clog the “pipelines” connecting your network, website, or online
service to the Internet and include UDP Flood, SYN Flood, NTP Amplification, DNS
Amplification, SSDP Amplification, IP Fragmentation, and more. These are almost always
high-capacity DDoS barrages, measured in bits-per-second (bps, commonly Gbps) and
packets-per-second (PPS, commonly KPPS/MPPS). While high bitrate attacks aim to
consume the target’s upstream bandwidth, high packet-rate attacks target the processing
capacity of networking devices. SYN Floods deserve special mention: by flooding a target with
requests to open new connections, they exhaust its entire connection pool.
These attacks are almost always executed by botnets. Network saturation is the primary
goal, but as the capacity of these attacks will have an effect on most service providers,
they can also cause severe operational damages such as account suspension and massive
overage charges.
DNS amplification attacks are an example of network layer attacks. In such an attack, the
attacker spoofs the source address, using the target’s IP, and sends a small, specially
crafted DNS query to an “open” DNS server, which responds with a large reply (around 200
times larger than the query) to the spoofed IP, i.e. the target. Unless mitigated, the attack will
result in network saturation, causing denial of service for legitimate users.
Largest network layer attack in Q2 2015, peaking at over 250 Gbps (shown in Zabbix)
• Application layer attacks seek to overload the resources upon which an application is
running by sending a large number of requests that require resource-intensive handling
and processing. Also known as Layer 7 attacks and measured in Requests per Second
(RPS), this category includes HTTP floods, slow attacks (Slowloris, RUDY), DNS Query
Flood attacks, and those targeting vulnerabilities in operating systems, web applications,
and communication protocols. The result is high CPU and memory usage that increases
latency and eventually hangs or crashes the application or operating system
completely. Layer 7 attacks typically mimic legitimate user traffic so as to evade an
organization’s common security measures (including network layer anti-DDoS solutions).
They do not require high volumes; even a rate of 50 — 100 requests/second is enough
to cripple most mid-sized websites.
• Multi-vector attacks
Many DDoS attacks consist of long, complex, multi-staged assaults that resemble
advanced persistent threats (APT). These employ different methods and can last days,
weeks, and even months at a time. While DDoS assaults do not attempt to breach your
security perimeter per se, they are often used to smokescreen other malicious activities
or to take down security appliances (e.g. web application firewalls) that can lead to
compromised servers and data breaches.
As shown by our 2014 DDoS Impact Survey, every hour of an unmitigated DDoS attack costs
organizations an average of $40,000. The cost and probability of a specific company getting
hit depends on a number of factors, including the organization size, industry, and type of
preventive measures in place. Today, with a substantial percentage of attacks lasting for days,
and half of all targets being repeatedly hit, a worst-case scenario entails losses of hundreds of
thousands — if not millions of dollars.
[Chart: Percentage of customers affected (0% to 60%), by impact: Had to Replace Hardware or Software; Had a Virus or Malware Installed; Experienced Loss of Customer Trust; Theft of Customer Data; Loss of Intellectual Property]
What you can do to minimize the damage is to prepare your organization in advance to
quickly identify and respond to DDoS attacks. This starts with risk assessment and building a
DDoS protection strategy aligned with your company’s business needs.
Risk Assessment
The first step in preparing your organization to deal with a DDoS incident is to understand the
scope of your risk. Important basic questions include:
• How and when will I know I’m targeted? Will it be too late?
The impact of an extended outage due to a DDoS incident can be measured in terms of lost
revenue and resources required to recover an asset. This risk needs to be evaluated against
the cost of implementing DDoS protection for the asset. With this information in mind, it’s time
to prioritize your concerns and examine various mitigation options within the framework of
your security budget.
As this playbook is intended to address the needs of network ops teams, we have chosen
to focus primarily on a strategy for mitigating network layer DDoS attacks that impact core
infrastructure services, including web servers, email servers, FTP servers, and back office CRM
or ERP platforms.
Deployment Modes
What follows is a brief description of the different methods for deploying your DDoS
mitigation solution:
Besides the fact that not every company owns an entire C-class, a minor drawback to using
the BGP routing-based approach is that latency may increase during attacks. This happens
because traffic must first be routed through the scrubbing network for cleansing (in the
absence of CDN technology to counteract the extra travel distance the data incurs).
• Dedicated IP
For smaller organizations wishing to protect multiple service types and protocols, but
without a full C-class IP range, this is similar to IP-based protection. In this deployment
mode (and unlike BGP), the protection provider assigns you a “dedicated IP address” from
its own IP range. Using this address, all incoming traffic passes through the provider’s
network where it is inspected and filtered. A redundant, secure symmetric GRE tunnel
is used to forward clean traffic to the origin IP and to return outbound traffic from the
application to the users.
Upon detecting a DDoS attack, withdraw your BGP announcements for any affected subnet
and instruct your DDoS mitigation provider to announce the subnet on your behalf. From
that point on, your DDoS mitigation provider acts as the ISP, advertising all protected IP
ranges. This results in all traffic being redirected through a network of distributed scrubbing
centers. All incoming traffic is inspected and filtered, and clean traffic is securely forwarded
to the origin server on the enterprise network via GRE tunneling. Outbound traffic is returned
asymmetrically via your upstream provider.
Can I leave BGP routing “always on” to defend my infrastructure against DDoS attacks?
By definition, the fact that all traffic gets routed through a third party network adds latency
and hampers the user experience. Enterprises with time-sensitive applications, such as
online trading sites or gaming sites, cannot tolerate any latency. Thus, network ops teams
prefer to activate BGP routing only in the case of a DDoS attack to maintain optimal network
performance in routine situations. Naturally, when under attack, a certain amount of latency is a
small price to pay in order to ensure network availability.
Moreover, many organizations are wary of having all their traffic going through a third party
network all the time due to dependency-related issues. However, always-on BGP routing is an
option offered by some DDoS mitigation providers.
1. The monitoring service provider collects and “learns” the client’s network traffic (NetFlow
and sFlow statistics) to determine a baseline definition of normal traffic patterns in terms
of volumes, file types, IP addresses, and other variables.
2. Network Ops sends a sample of live traffic at pre-defined intervals (e.g. every 10 seconds).
The monitoring service analyzes the statistics.
3. The statistics are compared to the baseline using the 95th percentile bandwidth usage
calculation. If the service finds an abnormal spike in traffic, file type, etc., it sends an alert.
The client determines the level of deviation from the baseline that triggers an alert.
4. Identification and mitigation of DDoS attacks is performed in accordance with the DDoS
mitigation provider’s SLA, which defines the duration of time from the moment you’re
attacked until mitigation begins. This includes the time it takes to recognize the attack,
send an alert, make the BGP announcement to divert incoming traffic to the DDoS
mitigation provider network (in some cases this is done by the DDoS Mitigation provider),
and actually mitigate the attack.
1. This screenshot shows the total bandwidth consumption for an enterprise under a DDoS
attack. The attack peaked at 31.1 Gbps and 40.8 million packets per second.
2. This screenshot drills down into the bandwidth consumption, showing the types of
packets being received. As can be seen in this example, the vast majority of DDoS traffic
consisted of large SYN packets.
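As an added example (not Incapsula’s code), here is how the monitoring loop in steps 1 to 3 above, together with the packet-type breakdown shown in the screenshots, can be expressed: a 95th-percentile baseline is learned from 10-second NetFlow-style samples, the client chooses a deviation threshold, and an alert is raised when bitrate, packet rate, or the share of SYN-only packets exceeds it. The Sample fields, the traffic figures and the 50 percent deviation are assumptions; all samples are constructed.

```python
import math
from dataclasses import dataclass
from typing import Iterable, List, Sequence

INTERVAL_SECONDS = 10  # sampling interval, matching the "every 10 seconds" example above


@dataclass(frozen=True)
class Sample:
    """Flow statistics for one sampling interval (fields are assumed, not a NetFlow schema)."""
    bits: int      # bits received for the monitored subnet during the interval
    packets: int   # packets received during the interval
    syn_only: int  # TCP packets carrying only the SYN flag

    @property
    def bps(self) -> float:
        return self.bits / INTERVAL_SECONDS

    @property
    def pps(self) -> float:
        return self.packets / INTERVAL_SECONDS

    @property
    def syn_share(self) -> float:
        return self.syn_only / self.packets if self.packets else 0.0


def percentile(values: Sequence[float], pct: int) -> float:
    """Nearest-rank percentile (integer arithmetic, so 95% of 60 samples is rank 57).
    The 95th percentile discards the top 5% of intervals, so a few legitimate bursts
    in the learning window do not inflate the baseline."""
    if not values:
        raise ValueError("no samples to build a baseline from")
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # ceil(pct * n / 100)
    return ordered[rank - 1]


@dataclass(frozen=True)
class Baseline:
    bps_95: float
    pps_95: float
    syn_share_95: float


def learn_baseline(history: Iterable[Sample]) -> Baseline:
    """Learning phase: derive the 'normal' traffic envelope from past intervals."""
    hist = list(history)
    return Baseline(
        bps_95=percentile([s.bps for s in hist], 95),
        pps_95=percentile([s.pps for s in hist], 95),
        syn_share_95=percentile([s.syn_share for s in hist], 95),
    )


def evaluate(sample: Sample, baseline: Baseline, deviation: float = 0.5) -> List[str]:
    """Compare one live sample with the baseline. `deviation` is the client-chosen
    tolerance (0.5 = alert when a metric exceeds its 95th percentile by 50%).
    Returns the triggered alerts; an empty list means the sample is within baseline."""
    alerts: List[str] = []
    if sample.bps > baseline.bps_95 * (1 + deviation):
        alerts.append(f"bitrate spike: {sample.bps / 1e9:.2f} Gbps "
                      f"(baseline p95 {baseline.bps_95 / 1e9:.2f} Gbps)")
    if sample.pps > baseline.pps_95 * (1 + deviation):
        alerts.append(f"packet-rate spike: {sample.pps / 1e6:.2f} Mpps "
                      f"(baseline p95 {baseline.pps_95 / 1e6:.2f} Mpps)")
    # A shift in packet type (here: SYN-only packets) can flag a SYN flood even
    # before total volume crosses its threshold.
    if sample.syn_only > 0 and sample.syn_share > baseline.syn_share_95 * (1 + deviation):
        alerts.append(f"SYN share {sample.syn_share:.0%} "
                      f"(baseline p95 {baseline.syn_share_95:.0%})")
    return alerts


def normal_history(n: int = 60) -> List[Sample]:
    """Constructed quiet-day history: roughly 200 Mbps, 25 kpps, 1% SYN-only packets."""
    out = []
    for i in range(n):
        wobble = 1 + 0.1 * math.sin(i)  # +/-10% variation between intervals
        packets = int(250_000 * wobble)
        out.append(Sample(bits=int(2_000_000_000 * wobble), packets=packets,
                          syn_only=packets // 100))
    return out


if __name__ == "__main__":
    base = learn_baseline(normal_history())
    quiet = Sample(bits=2_100_000_000, packets=260_000, syn_only=2_600)
    # Constructed SYN flood sized like the 31.1 Gbps / 40.8 Mpps attack quoted above.
    flood = Sample(bits=311_000_000_000, packets=408_000_000, syn_only=400_000_000)
    print("quiet :", evaluate(quiet, base) or "within baseline")
    print("attack:", evaluate(flood, base))
```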
Based on the magnitude of this DDoS attack, eToro needed a solution that could be
activated for an entire subnet and that was able to safeguard its services against both
floods of web traffic and direct-to-IP DDoS attacks. Moreover, as its infrastructure
was still “under fire,” it required an anti-DDoS solution that could be onboarded
immediately.
With these needs in mind, eToro contacted Incapsula about its Infrastructure DDoS
Protection service. This on-demand service leverages Border Gateway Protocol (BGP)
routing to safeguard critical network infrastructure from volumetric and protocol-
based DDoS attacks, such as UDP, SMTP or SYN Floods, executed directly or via DNS/
NTP amplification. The solution protects all core services (web, email, FTP) from DDoS
attacks, as well as protecting against direct-to-IP attacks.
Working closely with the Incapsula networking team, traffic to eToro’s sites was re-
routed from eToro’s ISP to Incapsula scrubbing centers using BGP announcements.
Within half an hour, all incoming traffic to eToro’s IP ranges was being routed through
Incapsula for inspection and filtering. Legitimate traffic was securely forwarded to
eToro’s network using GRE tunneling. Outbound traffic continued to flow normally via
eToro’s ISP.
Application layer DDoS attacks are much more difficult to detect than large-scale network
attacks. These stealthy assaults are performed by DDoS bots, designed to establish a full
three-way TCP connection and to mimic legitimate web traffic (e.g. browsers and other non-
malicious bots). When defending against these stealthy and complex attacks, success does not
depend on how big you are, but rather on how smart your security technology is and how well
it is utilized.
Accordingly, your traffic profiling solution should cover the following essential detection and
mitigation capabilities:
• Client Classification
Client classification is all about identifying, classifying, and blocking malicious bots with no
manual intervention and a low false-positive rate. Client classification lets you identify and
filter out these bots by comparing signatures and examining attributes such as IP and ASN
info, HTTP headers, cookie support variations, JavaScript footprint and other telltale signs.
It also distinguishes between humans and bot traffic, between “good” and “bad” bots, and
identifies AJAX and APIs.
• IP Reputation
IP reputation is another powerful tool that can be used to quickly filter out bad bots. DDoS
mitigation services that operate global networks and protect large numbers of customers
are positioned to perform wide-scale analysis on automated clients. Once a bad bot is
identified, a signature is created for it. All traffic across the network is then screened using
that signature. This type of crowdsourcing enables disparate websites across the entire
network to actively participate in their own security, thereby benefitting the whole.
• Progressive Challenges
Progressive challenges are designed to ensure the optimal balance between strong DDoS
protection and an uninterrupted user experience. The idea is to minimize false positives
by using a set of transparent challenges (e.g. cookie support, JavaScript execution, etc.) to
provide pinpoint identification of the client (human or bot, “good,” or “bad”).
In this scenario, DNS redirection can be used to reroute all website traffic (HTTP/HTTPS)
through your DDoS protection provider’s network (usually integrated with a CDN). Once traffic
enters the provider’s network, various inspection layers identify and filter out malicious DDoS
traffic while legitimate traffic continues to flow unhindered to your protected websites. DNS
redirection allows for fast and easy onboarding, since it doesn’t require additional hardware or
software and lets you keep your existing hosting and application infrastructures.
Website performance is critical for Mobile Nations’ e-commerce sites, as even the
slightest delay can be the difference between completing an online transaction, or
losing the consumer’s business altogether. Since Incapsula DDoS Protection is built on
top of a global CDN, using this service has also helped to accelerate page load times
by optimizing all content delivery.
Deployed as an always-on service, proxy solutions can be used to safeguard DNS servers
from targeted DDoS attacks. To set this up, a proxy is deployed in front of your protected DNS
servers, where it inspects all incoming DNS requests. It filters out malicious requests, ensuring
that only safe queries reach your origin DNS server. Additionally, it also blocks attempts to use
your server as a platform for DNS amplification attacks targeting other servers.
Depending on the TTL settings of your name server, implementing a DNS proxy solution can
potentially be accomplished in minutes (but could take as long as 24 hours). Once enabled,
the proxy becomes your authoritative DNS server, while you continue to manage your DNS
zone files outside of the proxy network.
If you use an external DNS provider, a proxy service can help you avoid huge bills by
offloading large volumes of malicious traffic sent to the DNS server. Moreover, it reduces the
chances of being blacklisted from their service due to DDoS attacks originating from your site.
DNS proxies offer an added benefit in that they can also function as caching servers. If the
proxies are deployed globally, such as on a CDN, they can cache DNS requests and return
results locally — thereby accelerating DNS server response times.
Ideally, your DDoS response team should include representatives from network operations,
marketing and sales, customer service/support, legal, and IT security. These stakeholders
should collaborate in developing your plan and establishing the roles/responsibilities of each
team member — both in terms of planning and execution.
For example, today many DDoS attacks are targeted against DNS servers — often an Achilles’
heel of network security. Even if your online systems are protected, a successful attack against
your DNS server can render it unavailable; protecting it is critical.
You also need to be aware that if you get hit by a DDoS attack larger than the bandwidth
capacity from your ISP, it doesn't matter how redundant your configuration is — your pipe
is going to get saturated and your network will go down. Consider system redundancy and
disaster recovery options that can help you get back online quickly in the event of a prolonged
barrage.
Tier 2 and Tier 3 ISPs, in particular, do not always have the bandwidth capacity to absorb large
volumetric attacks, which also can result in service degradation for their other customers.
"Troublemakers" targeted by DDoS attacks will simply be dropped or their traffic will be
null routed by the ISP due to the collateral damage to other customers. Following attack
suppression, it can require the adoption of a DDoS mitigation service as a condition for the
provisioning of future services to your organization.
Many ISPs already offer such a service to their customers. In such a case, be sure you
understand its options for defending against DDoS attacks. Additionally, confirm your
understanding of SLAs regarding response times.
In this regard, here are some helpful questions to ask your ISP:
• What type of DDoS attacks is it able to protect against (e.g. network layer, application
layer)?
Shorter TTLs can cause heavier loads on name servers because the DNS records must be
refreshed more frequently; however, they allow DNS changes to propagate more rapidly.
If you’re using an on-demand, DNS-based DDoS mitigation solution, your TTL needs to be
lowered prior to experiencing a DDoS attack. A low TTL equates to a faster reaction; this is the
time it takes to get traffic routed through your solution. For example, if your TTL is set at three
hours, then time-to-mitigation is the time it takes you to notice the attack plus three hours for
TTL.
DDoS Testing
Test the effectiveness of your DDoS mitigation service periodically. Particularly if you are using
an on-demand solution, such as BGP routing, you don’t want to wait for an actual attack to
discover whether everything is in working order. Verify that all relevant parties understand
how the mitigation is deployed (and in case of on-demand — how and how quickly), check that
settings are tweaked to suit your system, your systems and applications continue to function
properly, traffic continues to arrive, and that there is no negative impact on your users.
For testing purposes, it is recommended to turn on your DDoS mitigation measures for a two-
hour period every 3 — 4 months (once a year at an absolute minimum). Certify your systems
and applications continue to function properly, traffic continues to arrive, and there is no
negative impact on your users. Some DDoS mitigation providers bill on a per-incident fee. You
may want to contact your provider prior to testing to ensure that you won’t incur undue fees.
Also consider using third party DDoS testing (i.e. pentesting) to simulate an attack against your
IT infrastructure so you are prepared when the moment of truth arrives. You can test against a
wide variety of attacks — not just those you are familiar with.
Maintenance Aspects
Five years ago, switching IP addresses was a fairly common, short-term method for avoiding
DDoS attacks. Today this method is no longer effective, as massive network attacks often target
an entire IP range (a.k.a. a subnet). Since the impact on your ISP remains the same, you still run
the risk of being kicked off its service.
Moreover, today’s DDoS attacks are DNS-aware. Even if your new IP address belongs to a
different ISP, the attack is still able to reach its target destination. Switching ISPs works as long
as your secondary ISP is being protected from the attack. This means that its anti-DDoS service
is already in place and your new IP address is hidden.
Preparation Checklist
Step 1: Build DDoS response team
• Identify people and departments that need to be involved
• Define roles and responsibilities
Step 2: Create DDoS response plan
• Define resources, tools, and procedures required to minimize the risk and costs of a DDoS incident
• Plan should cover the steps below
Responding to an Attack
Early Detection
Early detection plays a pivotal role in minimizing the impact of a DDoS assault. Even before
bringing down your networks or systems, frontline appliances are affected, attack volume
increases, and performance further degrades each second a penetration goes unnoticed.
Don’t rely on manual monitoring to get the job done. For best results, we recommend
coupling automatic edge router monitoring with instant triggering of mitigation measures to
achieve 24×7 DDoS mitigation while eliminating time-consuming manual procedures.
Monitor your network and application traffic to look for early warning signals that may indicate
a DDoS attack, such as spikes in traffic or abnormal volumes of traffic from a particular country
or IP address. Attackers often perform dry runs as a way of assessing their target’s ability to
defend against a particular type of attack. Detecting these limited-scope attacks can help you
prepare for the onslaught to follow.
In addition, keep an eye on social media (particularly Twitter) and public waste-bins like
Pastebin.com to discover online buzz that may offer hints that your organization is being
targeted for an attack.
Important: Your organization’s email may not be available during this time. Verify that your
response plan documents and team contact information (and that of other key personnel,
your ISP, and your DNS providers) are kept in a secure location that does not depend on
Internet access. A hard copy of all of this information may be essential.
Providers of services to other businesses (B2B), in particular, should decide how transparent
you need to be when disclosing the details of a DDoS attack, since this information could also
impact your clients’ customers. You may want to prepare financial compensation to customers
in advance. This includes making plans for potential discounts and service credits, as well as
having your call center and customer outreach teams on call following a service outage.
Corporate Communications
Communicating with media, partners, and the general public soon after a DDoS attack is vital
for preserving your organization’s reputation. The public will know that your site, service, or
other systems are down — keeping it secret simply fuels fears. Instead, it’s better to explain to
customers the difference between a DDoS assault and other types of cyber attacks that place
customer data at risk.
A communications plan helps your organization minimize brand damage and reduce the
financial impact of a DDoS attack, while also preparing it in advance to answer questions from
customers, the press, and shareholders (as applicable).
Legal
There are few, if any, government-mandated requirements for DDoS mitigation or incident
reporting. This is partly due to the relative newness of such multi-vector assaults. It can also be
attributed to the fact that DDoS attacks typically don’t fall under established areas of regulation
in relation to data breaches.
This could be changing, however. Given the prevalence of cyber attacks (including a number
of high-profile DDoS attacks) in recent years on financial institutions and other businesses,
regulators and investors are focusing an increasing amount of attention toward cyber security
risk disclosures. The U.S. Securities and Exchange Commission (SEC) already requires
corporations to disclose to investors the cyber security risks they face, just as they disclose
other material operational risk.
Post-Attack Steps
Following a DDoS incident, there is more to do than simply cleaning up and returning to
business as usual. Take the time to review the lessons learned and make adjustments where
necessary.
Process Analysis
By analyzing gaps in your DDoS response plan execution from both a technical and business
standpoint, you can adjust it to improve execution during future incidents. Here are some
items to evaluate:
• Consider those preparation steps you could have taken to respond to the incident faster
or more effectively.
• Adjust assumptions that affected the decisions made during DDoS incident preparation (if
necessary).
• Consider what relationships inside and outside your organizations could help you with
future incidents.
• What type of DDoS attack targeted you? Was it volumetric, application layer, or something
else? What was its size and duration?
• Which equipment helped you mitigate, even if it was only partially successful?
The behavior of your network under attack will help you decide whether you need to upgrade
equipment and/or switch to a different DDoS protection service. It will also help you focus your
protection (or redundancy) on the systems that need it most.
DDoS Glossary
Application DDoS Attacks
These attacks seek to overload resources upon which an application is running, for example,
by making excessive log-in, database-lookup, or search requests. This type of attack typically
mimics legitimate user traffic so as to evade an organization’s common security measures
(including network layer anti-DDoS solutions). Also known as Layer 7 attacks.
Bot
A web robot, or simply “bot,” is a computer that is under control of a third party.
Botnet
A botnet is a network of bots (“zombies”) that can be controlled as a single entity by a
command and control system. Botnets are used to launch DDoS attacks.
DNS
The Domain Name System (DNS) is the way that Internet domain names are located and
translated into Internet Protocol (IP) addresses. A domain name is a meaningful and easy-to-
remember “handle” for an Internet address.
Scrubbing Centers
Scrubbing centers are technical facilities designed for filtering malicious DDoS traffic from
inbound traffic streams when mitigating DDoS attacks. Learn more about our high-powered
scrubbing centers.
SSL Floods
Decrypting SSL traffic on the server side requires 15 times more resources than encrypting the
traffic on the client side. SSL floods exploit this asymmetry to overwhelm web servers, which
are typically able to handle up to 300 concurrent SSL requests.
SYN Flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (i.e. the
“three-way handshake”). The client tries to establish a TCP connection with the host server, but
doesn’t respond to the host server’s request for acknowledgement. The host system continues
to wait for acknowledgement for each of the requests, tying up resources until no new
connections can be made, and ultimately resulting in denial of service.
UDP Flood
This type of attack floods random ports on a remote host with numerous UDP packets,
causing the host to repeatedly check for the application listening at that port, and (when no
application is found) reply with an ICMP Destination Unreachable packet. This process saps
host resources, and can ultimately lead to its inaccessibility.
Volumetric Attacks
Volumetric DDoS attacks are also known as floods. DDoS attackers seek to overwhelm the
target with excessive data, often using reflection and amplification DDoS techniques. See also
Layer 3 and Layer 4 attacks.
Given the sensational nature of cyber attacks, you can anticipate that a DDoS attack could
carry unwanted publicity along with it. Have a communications plan ready so you know how
you are going to notify and respond to any media inquiries if the scale of the attack warrants a
response.
Perpetrators often ask for a few hundred dollars. Kept intentionally small, the demand is
seen as affordable to a small business — or easy to hide in the expense report of a mid-level
manager within a larger company. The offenders are playing arbitrage — they easily rent a
botnet for $500 and then send out $500 ransom notes to 10 or more companies, calculating
that some will pay.
Paying ransom is not recommended. First, there is no guarantee that the attacker will honor
their commitment. If a target is seen as willing to pay, the initial requested amount may
be raised. Additionally, once an organization is known to pay, there is no guarantee the
perpetrator won’t return — much like organized crime extortion and “protection money”
schemes.
3. Alert your response team and try to weather the attack using an effective DDoS mitigation
solution.
4. Inform your legal team of the attack and send them a copy of the ransom note.
Depending on its length and impact, public companies may decide to disclose the event.
[Product diagram: Website Security, DDoS Protection, Application Delivery, Content Delivery Network, Load Balancer]
Only Incapsula provides enterprise-grade website security and performance without the need
for hardware, software, or specialized expertise. Unlike competitive solutions, Incapsula uses
proprietary technologies such as client classification to identify bad bots, and big data analysis
of security events to increase accuracy without creating false positives.
© 2016, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, Skyfence, CounterBreach
and ThreatRadar are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks
or registered trademarks of their respective holders.
imperva.com