Last updated: 
3 weeks 2 days ago
Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Simple preparations for DDoS attacks

Thursday, December 5, 2013 - 16:09
You can call CSIRT for help
 
If you suspect that your institution is suffering from a DDoS attack you can call on Janet CSIRT for assistance. We can help you understand and analyse the traffic, and in most cases can work with our network operations centre and transit partners to filter traffic. Where possible we work with other network providers to eliminate the sources of the attack.
 
Remove DDoS sources from your own network
 
Janet have been making a concerted effort to remove sources of DDoS attacks from our network. Not only does this protect the reputation of the network, but it also indirectly supports other network operators who are dealing with these issues. 
Make sure that your network has no open DNS resolvers or chargen services accessible to the outside world. These services are frequently abused and used to amplify and bounce traffic against targets on Janet and elsewhere on the Internet. Whilst the effect of the reflected traffic on your network may be minimal, you can appreciate the pain and cost to the network operators at the receiving end of the attack.
 
Distribute services
 
If you are under a sustained attack you may decide to move critical services elsewhere, either to a location that's unaffected to by the attack or by moving the target to a CDN specially designed to filter DDoS attacks (these services can be costly).
It is preferable to plan how you might do this before an attack occurs. Consider reducing the TTL of important DNS records so that services can be quickly moved. Check that your DNS infrastructure provides you with true redundancy whilst under a sustained attack (the Janet secondary name server service can help you with this).
 
Improve monitoring of your network
 
It is difficult to respond to an attack when you have no visibility or awareness of what's taking place. Often the target of the attack, and not Janet, is in a better position to monitor the situation. Do your logging tools allow you to respond to an attack? Consider where your organisation is in terms of logging maturity.
 
  1. No logging at all
  2. Proprietary, device specific logging
  3. Central standardised logging
  4. Basic log monitoring
  5. Advanced correlation, analysis and alerting
 
Learning to analyse traffic
 
Sometimes the logging available from your network devices is not sufficient to tell you everything you need to know about an attack. Simple deep packet inspection with free tools such as wireshark can provide a powerful insight into an attack. Does your architecture allow this sort of monitoring at the right points in the network? Janet runs training courses on the use of wireshark.
 
These last two points, logging and traffic analysis are particularly critical time savers. Instead of struggling to understand the problem before deciding to call Janet CSIRT you can immediately inform us of the nature of the attack and ask us to take action to filter and block traffic.