MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2017

MA-675.072017: MyCERT Advisory – DDoS Best Practices

Date first published: 13/7/2017

1.0 Introduction
Distributed denial of service (DDoS) is a type of cyber threat in which attackers bring down networks, web-based applications or services, making them unavailable to legitimate users. By overwhelming the targeted network infrastructure, web-based application or network service with a high volume of data or requests, the attacker causes the target system either to respond so slowly that it is unusable or to crash completely.

The data volumes required to do this are typically achieved by botnets, which are networks of remotely controlled infected machines known as zombies that are normally used as DDoS agents in a DDoS attack.

2.0 Impact
- Slow network performance.
- A web-based application, network service or an entire operating system may be disabled or crash repeatedly.
- Disconnection of a wireless or wired Internet connection.
- Drastic increase in spam emails.
- Possible loss of a company's revenue, reputation and productivity.

3.0 Affected Products/Systems
Any system resource can be targeted, such as bandwidth, disk space, processor time or routing information.

4.0 Recommendations
a. Organizations should plan for a DDoS attack in advance rather than waiting until it happens, as it is much harder to respond once an attack is already under way;
b. In the event of a DDoS attack, organizations must immediately report the matter to their ISPs for assistance in mitigating the attack;
c. Organizations may subscribe to ISPs that offer DDoS mitigation services, which help organizations respond during a DDoS attack. Even if the ISP does not provide a formal DDoS mitigation service, it should be able to offer the affected organization some form of assistance in mitigating the attack;
d. Apart from ISPs, organizations may subscribe to providers who specialize in DDoS mitigation. During a DDoS attack, traffic to the victim's network is rerouted to the provider's mitigation center, where it is scrubbed, and only the legitimate traffic is then forwarded to the organization;
e. Check the possibilities offered by Geo-IP blocking. If your customers are predominantly from Malaysia and neighbouring countries, you can predefine a profile that either gives priority to IP addresses from this region or blocks other IP addresses. In the event of an attack, you can activate this profile and thus very quickly increase your options for action and secure additional protection;
f. Organizations are recommended to report the DDoS attack to Cyber999 and to the relevant authority responsible for cyberattacks for assistance.
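The following is an added illustration of recommendation (e), a predefined Geo-IP profile that stays inactive in normal operation and is switched on during an attack. It is example code written for this advisory, not a MyCERT tool or a vendor feature; the CIDR ranges it uses are constructed placeholders (documentation/test networks), not real Malaysian allocations, and a production deployment would load region prefixes from a maintained Geo-IP database and apply them at the firewall or load balancer rather than in application code.

```python
"""Added example for this advisory: a Geo-IP priority/blocking profile.

Illustrative code, not a MyCERT or vendor implementation. The prefixes
below are constructed placeholders (RFC 5737 documentation networks)
standing in for the customer region; they are not real allocations.
"""
import ipaddress
from typing import Iterable, List

# Constructed placeholder prefixes representing "customer region" space.
REGION_PREFIXES = [
    ipaddress.ip_network(p)
    for p in (
        "203.0.113.0/24",   # TEST-NET-3, stand-in for a regional prefix
        "198.51.100.0/24",  # TEST-NET-2, stand-in for a regional prefix
    )
]


class GeoProfile:
    """A profile defined in advance and activated only during an attack.

    mode="prioritize": region addresses are served first, others still served.
    mode="block":      region addresses are served, all others are dropped.
    """

    def __init__(self, prefixes: Iterable, mode: str = "prioritize") -> None:
        if mode not in ("prioritize", "block"):
            raise ValueError("mode must be 'prioritize' or 'block'")
        self.prefixes = list(prefixes)
        self.mode = mode
        self.active = False  # predefined but dormant until an attack is confirmed

    def in_region(self, ip: str) -> bool:
        """True if the source address falls inside any region prefix.
        Address-family mismatches (e.g. IPv6 vs IPv4 prefix) are simply False."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.prefixes)

    def classify(self, ip: str) -> str:
        """Return 'priority', 'normal' or 'blocked' for a source address.
        An inactive profile never changes how traffic is treated."""
        if not self.active:
            return "normal"
        if self.in_region(ip):
            return "priority"
        return "blocked" if self.mode == "block" else "normal"

    def order_requests(self, sources: Iterable[str]) -> List[str]:
        """Apply the profile to a batch of request source addresses:
        drop blocked sources and move priority sources to the front,
        keeping arrival order within each class."""
        priority: List[str] = []
        normal: List[str] = []
        for ip in sources:
            cls = self.classify(ip)
            if cls == "priority":
                priority.append(ip)
            elif cls == "normal":
                normal.append(ip)
            # 'blocked' sources are dropped here
        return priority + normal


if __name__ == "__main__":
    # Constructed sample batch: two in-region sources mixed with out-of-region ones.
    batch = ["192.0.2.9", "203.0.113.7", "198.51.100.4", "192.0.2.10"]
    profile = GeoProfile(REGION_PREFIXES, mode="prioritize")
    print("inactive:", profile.order_requests(batch))   # unchanged order
    profile.active = True
    print("active/prioritize:", profile.order_requests(batch))
    strict = GeoProfile(REGION_PREFIXES, mode="block")
    strict.active = True
    print("active/block:", strict.order_requests(batch))
```

Two points worth noting when applying this idea in practice: the profile only helps for traffic where the source address is meaningful (TCP connections, HTTP requests), since spoofed UDP floods can carry any source address; and the "block" mode should be a deliberate, time-limited choice, because it also drops legitimate customers who happen to be travelling or using out-of-region providers.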

Generally, MyCERT advises users and administrators to keep up to date with the latest security announcements and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442 
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Cyber999 Mobile Apps: available for iOS and Android users