DoS Guidance - Response plan

Created:  31 Jan 2018
Updated:  31 Jan 2018
You should design your service, and plan your response to an attack, so that the service can continue to operate, albeit in a degraded fashion.

You're likely to do better at defending a DoS attack if you have a response plan ready to enact. We recommend your plan includes:

  • Graceful degradation
  • Dealing with changing tactics
  • Retaining administrative access during an attack
  • Having a scalable fall-back plan for essential services, for example where it is imperative that customers are able to contact you

Like any backup or continuity provisions, you should periodically test your plan.

Graceful degradation

Consider how you will best serve some of the needs of some of your users during an attack. For example, you may:

  • Prioritise access based on its source (eg limit access to only UK IP addresses)
  • Disable dynamically generated content (eg site search or customer specific product recommendations which are compute or database intensive)
  • Restrict dynamically generated content to authenticated users
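The three measures above can be expressed as a single "degraded mode" policy that a reverse proxy or application middleware consults per request. The following is an added illustration, not code from this guidance or any product; the class and function names, the path prefixes and the IP ranges are constructed (the ranges stand in for "UK IP addresses" using RFC 5737 documentation space).

```python
"""Constructed degraded-mode request policy illustrating the three measures above."""
from dataclasses import dataclass
import ipaddress


@dataclass
class DegradedMode:
    active: bool = False
    # Source ranges still served while degraded (constructed; empty tuple = no source filtering).
    priority_ranges: tuple = ()
    # Compute- or database-intensive paths to shed first (constructed path prefixes).
    expensive_prefixes: tuple = ("/search", "/recommendations")
    # If True, expensive content stays available to authenticated users only.
    expensive_for_authenticated: bool = True


def _is_expensive(path, prefixes):
    # Match whole path segments so "/searchable" is not mistaken for "/search".
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in prefixes)


def decide(mode, path, source_ip, authenticated):
    """Return (status, reason): 200 serve, 403 source not prioritised, 503 content shed.

    A 503 should carry a Retry-After header so well-behaved clients back off.
    """
    if not mode.active:
        return 200, "normal operation"
    addr = ipaddress.ip_address(source_ip)
    if mode.priority_ranges and not any(
        addr in ipaddress.ip_network(r, strict=False) for r in mode.priority_ranges
    ):
        return 403, "source outside priority ranges"
    if _is_expensive(path, mode.expensive_prefixes):
        if mode.expensive_for_authenticated and authenticated:
            return 200, "expensive content served to authenticated user"
        return 503, "expensive content disabled during attack"
    return 200, "cheap or static content"
```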

Dealing with changing tactics and repeated attacks

It is not uncommon for DoS attacks to occur in waves, ie, another attack follows once you have successfully repelled the first. Each wave may attempt to overwhelm your systems in a different way as the attacker works out what protections you have in place or are able to deploy. Be prepared for follow-on attacks, and avoid committing and exhausting all of your staff on the first wave, leaving no one able to deal with further issues.

Retaining administrative access

You should consider how you will manage the service when it’s under attack, and ensure that if it’s managed remotely, your management access is unlikely to be affected by an attack on the service itself. For example, you could provide management access via a different network or subnet and constrain access to a whitelist of trusted locations. Take care not to rely on public DNS zones that are also likely to be targeted.

Restoring services

You should ensure that you have backups of configuration files for devices and servers. This includes services you rely on but which are hosted by third parties, for example DNS configuration. You should have tested re-deploying your infrastructure from backups to gain confidence that the process works. This is especially important in a destructive DoS attack where an attacker has gained access to your system and tampered with it. However, it can also be necessary in other DoS scenarios where a failure requires you to re-deploy parts of your system.

Consider putting in place alternative mechanisms to support critical services or functions, which might include manual processes. For example, supporting the ability for customers to make contact with you when the normal mechanisms are unavailable.
