https://getit.org – Transforming the Planet – Energy for all – Communications for all

Pulling Practices and Techniques from Experience – “Pathetic DDoS vs Security Sites”

Read through Metasploit’s blog post titled Pathetic DDoS vs Security Sites. It documents several key steps that many companies do not know about for mitigating some of the impact of a DDoS attack. In this case the DDoS targets a specific domain, metasploit.com. Step 1 is to classify the attack. Traffic analysis, using tools such as DNS logs, NetFlow, IDPs and others, allowed Metasploit to classify where the attack was landing: the IP address and the domain metasploit.com.

Next, Metasploit changes the DNS A records (and the services behind them) for its other domains to an IP address different from the targeted one. This is step 2: moving services off the targeted IP and, in this case, the targeted domain name.

Step 3 is changing the DNS A record for the targeted domain to 127.0.0.1. The goal is to have any new look-ups for this domain “poisoned,” so that each bot sends its attack packets to its own local loopback interface. This is an often overlooked step. Many would think it is of no use, since many of the bots in a DDoS attack use DNS implementations that will not refresh the DNS cache until the PC reboots. But that is short-sighted. DDoS attacks like the ones experienced by Metasploit, Packet Storm and Milw0rm last for days (and in some cases weeks). Over time, moving the targeted domain to 127.0.0.1 has a mitigating impact.

Step 4 is overlooked in the blog article. This is the point where you need help. At a minimum, it is time for a dRTBH. A Destination-Based Remotely Triggered Black Hole (dRTBH) is a tool your upstream Service Provider (SP) can use to move the packet drops from your network to the edge of theirs. Yes, the DDoS attack is still under way, but the packets that were being dropped on your network are now being dropped elsewhere.
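As an added example (not code from the original post or from Metasploit), the four steps above as a small Python workflow: classify the target from constructed NetFlow-style records, rewrite a constructed zone so other names move off the attacked address and the attacked name goes to loopback, and build the /32 host route to hand to the upstream SP. All addresses, names and the RTBH community 65000:666 are assumed placeholders.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (src, dst, dst_port, packets); not real traffic.
FLOWS = [
    ("198.51.100.7", "192.0.2.10", 80, 90000),
    ("198.51.100.8", "192.0.2.10", 80, 85000),
    ("198.51.100.9", "192.0.2.10", 80, 88000),
    ("203.0.113.4", "192.0.2.10", 80, 91000),
    ("203.0.113.5", "192.0.2.11", 443, 1200),
    ("203.0.113.6", "192.0.2.12", 25, 300),
]
# Constructed zone (name -> A record): two names share the attacked address.
ZONE = {"metasploit.com": "192.0.2.10", "other.example.net": "192.0.2.10",
        "blog.example.net": "192.0.2.11"}

def classify(flows, share=0.75, min_sources=3):
    """Step 1: classify the attack. Returns the destination drawing at least
    `share` of all packets from at least `min_sources` distinct sources, or None."""
    pkts, srcs = Counter(), defaultdict(set)
    for src, dst, _port, n in flows:
        pkts[dst] += n
        srcs[dst].add(src)
    dst, n = pkts.most_common(1)[0]
    total = sum(pkts.values())
    if n / total >= share and len(srcs[dst]) >= min_sources:
        return {"target": dst, "share": round(n / total, 3), "sources": len(srcs[dst])}
    return None

def redirect_zone(zone, target_ip, victim_names, relocate_ip, sinkhole="127.0.0.1"):
    """Steps 2 and 3: move every other name off the attacked address (step 2)
    and point the attacked name(s) at loopback so the bots hit themselves (step 3)."""
    new = {}
    for name, ip in zone.items():
        if name in victim_names:
            new[name] = sinkhole
        elif ip == target_ip:
            new[name] = relocate_ip
        else:
            new[name] = ip
    return new

def rtbh_request(target_ip, own_prefix, community="65000:666"):
    """Step 4: the host route to hand to the upstream SP for a destination RTBH.
    The SP will only black-hole space you announce, so check membership first.
    The community 65000:666 is an assumed example; use the value your SP publishes."""
    if ip_address(target_ip) not in ip_network(own_prefix):
        raise ValueError(f"{target_ip} is not inside your prefix {own_prefix}")
    return {"prefix": str(ip_network(f"{target_ip}/32")), "community": community}
```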

At this point, your network is restored to “partial service.” You can choose to go in several directions:

  • Ask your SP for their “Clean Pipes” service, which restores full service by passing your traffic through their clean-up boxes.
  • Work with your SP, their peers, and the security operations community to track the attack back to the bots, then backtrace from the bots to the controller, then either shut down the controller or continue the backtrace to the human driving the attack.
  • Wait out the attack until the people driving it get tired.

A word of warning. Humans drive DDoS attacks. In fact, I don’t like calling them DDoS attacks; I refer to them as extortion and retribution. The humans behind the retribution attack on Metasploit, Packet Storm and Milw0rm are watching. Assume that they will not just go away. They will shift their attacks: to a new domain, a new IP address, a new attack profile, or further upstream, to the SP whose routers provide service to your SP.

This article was posted on Sunday, February 8th, 2009 at 5:53 pm.