CS0-003 | Chapter 70 of 100 | Objective 3.2

DDoS Attack Incident Response

This chapter covers the incident response process specifically for Distributed Denial-of-Service (DDoS) attacks, a critical topic for the CompTIA CySA+ CS0-003 exam. DDoS attacks are among the most disruptive threats, and knowing how to detect, analyze, contain, and mitigate them is essential for any security analyst. Approximately 10-15% of the Incident Response domain questions (Objective 3.2) relate to DDoS response, often focusing on identification of attack types, mitigation techniques, and post-incident activities. Mastering this chapter will help you answer scenario-based questions about network flooding, application-layer attacks, and the proper use of tools like flow analysis and scrubbing centers.

25 min read
Intermediate
Updated May 31, 2026

DDoS Response: Like Emergency Room Triage

A DDoS attack incident response is like an emergency room (ER) managing a sudden surge of critically ill patients. Normally, the ER handles a steady flow of patients, but during a mass casualty event, hundreds of patients arrive simultaneously, overwhelming resources. The triage nurse (the detection system) quickly assesses each patient's severity—those with life-threatening conditions (malicious traffic) are flagged, while the walking wounded (legitimate traffic) are directed to a waiting area. The ER doctor (incident response team) then decides on immediate actions: they might divert new ambulances to other hospitals (traffic blackholing via BGP), set up a temporary triage tent outside (rate limiting at the perimeter), or call in extra staff (scale up mitigation resources). Some patients may be given a temporary bandage (TCP SYN cookies) to stabilize them until a bed opens. The goal is to keep the ER functioning for those who truly need care, even if some non-critical patients experience delays. Just as the ER must continuously reassess and adapt as new patients arrive, the incident response team must monitor the attack's evolution and adjust countermeasures dynamically.

How It Actually Works

What is a DDoS Attack Incident Response?

A Distributed Denial-of-Service (DDoS) attack aims to overwhelm a target system—server, network, or application—with a flood of traffic from multiple sources, rendering it unavailable to legitimate users. Incident response for DDoS is a structured process to detect, analyze, contain, eradicate, and recover from such an attack, while preserving evidence for potential legal action. Unlike many other security incidents, DDoS attacks often require real-time coordination with ISPs, cloud providers, and third-party mitigation services. The CySA+ exam expects you to understand the incident response lifecycle (NIST SP 800-61) applied to DDoS, including preparation, detection, analysis, containment, eradication, recovery, and lessons learned.

How DDoS Incident Response Works Internally

The response follows a multi-phase process:

1. Preparation: Before an attack, organizations should have a DDoS response plan, including contact lists, traffic baselines, and agreements with mitigation providers. Tools like flow collectors (NetFlow, sFlow) and anomaly detection systems are deployed.

2. Detection and Analysis: When traffic spikes, analysts examine flow data, logs, and packet captures. They classify the attack type (volumetric, protocol, application-layer) and identify characteristics like source IPs, ports, and traffic patterns. For example, a SYN flood shows a high ratio of SYN packets to completed handshakes.

3. Containment: Immediate actions to stop or reduce the attack's impact. This may involve:
   - Blackholing: Null-routing the target IP at the ISP level via BGP community strings (e.g., RTBH).
   - Rate limiting: Throttling traffic to the target at the perimeter firewall or router.
   - Scrubbing: Redirecting traffic through a cloud-based scrubbing center (e.g., Cloudflare, Akamai) that filters malicious packets.
   - Access control lists (ACLs): Blocking source IPs or IP ranges, though this is often ineffective due to IP spoofing.

4. Eradication and Recovery: After the attack subsides, remove temporary filters, restore normal routing, and ensure the system is clean. For application-layer attacks, patch vulnerabilities or adjust configuration (e.g., increase connection limits).

5. Post-Incident Activities: Conduct a root cause analysis, update the DDoS response plan, and implement proactive measures like improved monitoring or CDN integration.

Key Components, Values, and Defaults

BGP Flowspec: An extension to BGP that allows distribution of traffic filtering rules (e.g., rate-limit, drop) to routers. Common action values: traffic-rate (rate-limit in bytes per second), discard (drop), redirect (to next-hop).

NetFlow v9 / IPFIX: Standard flow export protocols. Default sampling rate often 1:1000 on high-speed links. Key fields: source/destination IP, port, protocol, packet count, byte count, timestamps.
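Using the flow fields just listed and the detection-phase indicators from the process above, the following added example (not code from the chapter) classifies constructed NetFlow-style records with the chapter's 200%-of-baseline bandwidth alert and its >90% incomplete-handshake rule of thumb for SYN floods. The Flow fields, the sample records, and the 1000-byte DNS response threshold are assumptions.

```python
from dataclasses import dataclass

# TCP flag bits as carried in the NetFlow v9 / IPFIX tcpControlBits field
SYN, ACK = 0x02, 0x10

@dataclass
class Flow:
    """One exported flow record (fields assumed; samples below are constructed)."""
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int
    flags: int = 0    # cumulative TCP flags seen in the flow (0 for UDP)

def classify(flows, victim, baseline_bps, window_s=60):
    """Return (verdict, evidence) for traffic to `victim` in one export window."""
    inbound = [f for f in flows if f.dst == victim]
    bps = sum(f.octets for f in inbound) * 8 / window_s
    evidence = {"bps_ratio": round(bps / baseline_bps, 2),
                "sources": len({f.src for f in inbound})}
    # Alert threshold used in the chapter: 200% of the normal bandwidth baseline
    over_baseline = bps >= 2 * baseline_bps

    tcp = [f for f in inbound if f.proto == 6]
    if tcp:
        # A flow that only ever carried SYN never completed the handshake
        syn_only = sum(1 for f in tcp if f.flags & SYN and not f.flags & ACK)
        incomplete = syn_only / len(tcp)
        evidence["incomplete_handshakes"] = round(incomplete, 2)
        # Exam rule of thumb: >90% incomplete handshakes means SYN flood (byte rate may stay low)
        if incomplete > 0.9 and len(tcp) >= 100:
            return "protocol: SYN flood", evidence

    dns_resp = [f for f in inbound if f.proto == 17 and f.sport == 53]
    if dns_resp and over_baseline:
        avg = sum(f.octets for f in dns_resp) / sum(f.packets for f in dns_resp)
        evidence["avg_dns_response_bytes"] = round(avg)
        # Large answers from many resolvers the victim never queried (1000-byte threshold assumed)
        if avg > 1000 and len({f.src for f in dns_resp}) > 10:
            return "volumetric: DNS amplification", evidence

    if over_baseline:
        return "volumetric: bandwidth flood", evidence
    return "no DDoS indicators; check application-layer monitoring", evidence

def constructed_syn_flood(victim="192.0.2.1"):
    """950 spoofed SYN-only flows plus 50 normal sessions (constructed sample)."""
    spoofed = [Flow(f"198.51.100.{i % 250 + 1}", victim, 6, 40000 + i, 443, 1, 60, SYN)
               for i in range(950)]
    normal = [Flow(f"203.0.113.{i + 1}", victim, 6, 50000 + i, 443, 40, 30000, SYN | ACK)
              for i in range(50)]
    return spoofed + normal

def constructed_dns_amplification(victim="192.0.2.1"):
    """300 open resolvers each returning 3000-byte answers (constructed sample)."""
    return [Flow(f"203.0.113.{i % 254 + 1}", victim, 17, 53, 40000 + i, 200, 600000)
            for i in range(300)]

if __name__ == "__main__":
    for sample in (constructed_syn_flood(), constructed_dns_amplification()):
        print(classify(sample, "192.0.2.1", baseline_bps=10_000_000))
```

Note that the SYN flood sample is flagged while running at about 2% of the baseline, which is why a bandwidth-only alert misses protocol attacks.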

SYN cookies: A defense against SYN flood attacks. Enabled by default in many OS kernels (Linux: sysctl -w net.ipv4.tcp_syncookies=1).

Connection limits: Web servers may set LimitRequestLine (Apache default 8190 bytes) or client_max_body_size (nginx default 1 MB) to prevent slow attacks.

Rate limiting: Common values: 10 requests/second per IP for login pages; 1000 pps at network edge.

Configuration and Verification Commands

On a Linux server (iptables/nftables):

# Rate limit incoming SYN packets to 100 per second
iptables -A INPUT -p tcp --syn -m limit --limit 100/s -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

On a Cisco router (control-plane policing):

! Limit ICMP to 1 Mbps (police rate in bps, burst in bytes)
ip access-list extended ICMP-ACL
 permit icmp any any
class-map match-all ICMP
 match access-group name ICMP-ACL
policy-map COPP
 class ICMP
  police 1000000 200000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP

BGP RTBH (Remote Triggered Blackhole):

! On the trigger router: null-route the victim /32 and tag it for redistribution
ip route 192.0.2.1 255.255.255.255 Null0 tag 666
! Redistribute tagged statics into iBGP (redistribute static route-map RTBH) with the blackhole next-hop set
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.254
! On every edge router: the blackhole next-hop itself resolves to Null0, so traffic for the victim is discarded
ip route 192.0.2.254 255.255.255.255 Null0

Flow analysis with nfdump:

# Top 10 IP addresses by bytes for the one-hour window (spot the victim and the top talkers)
nfdump -R /data/nfcapd -s ip/bytes -n 10 -t 2024/05/01.12:00-2024/05/01.13:00

Interaction with Related Technologies

DDoS response intersects with:
- CDN: Content Delivery Networks like Cloudflare absorb volumetric attacks by caching content and filtering at edge nodes.
- WAF: Web Application Firewalls protect against application-layer attacks (e.g., HTTP floods, SQLi) by inspecting payloads.
- IPS/IDS: Intrusion Prevention Systems can drop malicious traffic based on signatures, but may be overwhelmed by high volume.
- BGP: BGP is used for blackholing (RTBH) and traffic diversion to scrubbing centers.
- DNS: DNS amplification attacks require securing DNS servers with rate limiting and response rate limiting (RRL).

Understanding these interactions is key for the exam—questions often ask which combination of tools is appropriate for a given attack type.

Walk-Through

1. Prepare and Establish Baselines

Before an attack, establish normal traffic baselines: average bandwidth, packets per second, connection rates, and protocol distribution. Deploy flow monitoring (NetFlow, sFlow) and configure alerting thresholds (e.g., 200% of normal bandwidth). Have a DDoS response plan with contact info for ISP, cloud provider, and internal teams. Test mitigation procedures regularly. On the exam, expect questions about baseline values and threshold settings.

2. Detect and Classify the Attack

When alerts trigger, analyze flow data and logs to confirm it's a DDoS. Identify attack type: volumetric (high bandwidth), protocol (SYN flood, fragmented packets), or application-layer (HTTP GET flood). Use tools like tcpdump, Wireshark, or nfdump. Look for anomalies: all traffic to one port, single source IP range, or many incomplete TCP handshakes. Record start time, duration, and attack vectors. The exam tests your ability to distinguish attack types from traffic patterns.

3. Contain and Mitigate Immediately

Act quickly to reduce impact. For volumetric attacks, contact ISP to enable BGP blackholing or divert traffic to a scrubbing center. For protocol attacks, enable SYN cookies or configure rate limiting on edge devices. For application attacks, deploy WAF rules to block malicious patterns. Consider scaling up resources (auto-scaling groups) to absorb traffic. Document all actions. The exam emphasizes containment speed—delaying can cause total outage.

4. Eradicate and Recover

Once the attack subsides, remove temporary blocks and filters. Verify system integrity—check for backdoors or malware that may have been planted during the attack. Restore normal routing, disable scrubbing, and test that legitimate users can access services. Monitor closely for recurrence. In the exam, know that eradication may involve patching vulnerabilities that were exploited in application-layer attacks.

5. Post-Incident Review and Improve

Conduct a lessons-learned meeting. Analyze what worked and what didn't. Update the DDoS response plan, improve monitoring thresholds, and consider additional protections like CDN or DDoS mitigation service. Document metrics: attack duration, peak bandwidth, mitigation effectiveness. The exam expects you to know that post-incident activities include updating policies and training staff.

What This Looks Like on the Job

Enterprise Scenario 1: E-commerce Site Under Volumetric Attack

A large online retailer experiences a sudden traffic spike from 10 Gbps to 200 Gbps during Black Friday. The attack is a UDP flood targeting port 53 (DNS). The security team immediately contacts their ISP to activate BGP RTBH for the targeted IP. They also have a pre-arranged scrubbing service (e.g., Arbor Networks) that automatically redirects traffic after a threshold is exceeded. The scrubbing center filters out UDP packets with spoofed source IPs and forwards clean traffic via a GRE tunnel. The site stays up with a minor latency increase. Challenge: The scrubbing center had a 5-minute activation delay, causing a brief outage. Post-incident, they reduced the threshold and implemented automatic failover.

Enterprise Scenario 2: Financial Institution Hit by Application-Layer Attack

A bank's online portal is targeted by a slow HTTP POST attack (Slowloris variant) that keeps connections open by sending partial headers. The attack uses only 100 bots but ties up all server connection slots. The WAF initially fails to detect it because traffic appears legitimate. The incident response team analyzes logs, identifies the pattern (many connections with Content-Length: 1000 but never completing), and creates a custom WAF rule to drop connections that exceed 30 seconds without sending complete headers. They also increase the server's MaxClients and KeepAliveTimeout settings. After mitigation, they implement a rate limit of 5 concurrent connections per source IP. The exam often tests Slowloris recognition and mitigation.
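The scenario above rests on two rules: drop connections that have not completed their headers within 30 seconds, and cap each source at 5 concurrent connections. The following added example (not code from the chapter or from any WAF product) applies both rules to a constructed connection table; the Conn fields and the sample entries are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

HEADER_TIMEOUT_S = 30   # scenario rule: drop if headers are still incomplete after 30 s
MAX_CONN_PER_IP = 5     # post-mitigation limit on concurrent connections per source

@dataclass
class Conn:
    """One entry in the web server's connection table (constructed sample)."""
    src: str
    opened_at: float        # epoch seconds when the connection was accepted
    headers_complete: bool  # True once the blank line ending the headers arrived
    bytes_received: int

def slow_connections(conns, now):
    """Connections holding a slot past the timeout without finishing their headers."""
    return [c for c in conns
            if not c.headers_complete and now - c.opened_at > HEADER_TIMEOUT_S]

def over_limit_sources(conns):
    """Source IPs holding more concurrent connections than the per-IP limit."""
    counts = Counter(c.src for c in conns)
    return {ip: n for ip, n in counts.items() if n > MAX_CONN_PER_IP}

def triage(conns, now):
    """Return the connections to drop, the sources to rate-limit, and what survives."""
    stalled = slow_connections(conns, now)
    offenders = over_limit_sources(conns)
    drop = [c for c in conns if c in stalled or c.src in offenders]
    return {"drop": drop, "limit_sources": sorted(offenders),
            "kept": [c for c in conns if c not in drop]}

def constructed_table(now):
    """100 bots x 8 stalled connections, 20 normal users, one slow but legitimate client."""
    bots = [Conn(f"198.51.100.{b + 1}", now - 45, False, 120)
            for b in range(100) for _ in range(8)]
    users = [Conn(f"203.0.113.{u + 1}", now - 2, True, 1500) for u in range(20)]
    fresh = [Conn("203.0.113.250", now - 10, False, 300)]  # still inside the timeout
    return bots + users + fresh

if __name__ == "__main__":
    import time
    now = time.time()
    result = triage(constructed_table(now), now)
    print(len(result["drop"]), "dropped;", len(result["limit_sources"]),
          "sources limited;", len(result["kept"]), "kept")
```

The slow client at 203.0.113.250 survives because the timeout, not the mere absence of headers, is what distinguishes a bot from a user on a poor link.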

Enterprise Scenario 3: Gaming Company Facing Multi-Vector Attack

An online gaming platform suffers a combined SYN flood and DNS amplification attack. The SYN flood saturates the uplink, while DNS amplification (using open resolvers) targets the game authentication server. The team uses multiple mitigations: at the edge router, they enable TCP SYN cookies and apply ACLs to block DNS traffic from non-authorized resolvers. They also use BGP Flowspec to rate-limit DNS responses to 1 Mbps. The ISP assists with blackholing the amplified traffic. The challenge is that the attack changes source IPs every minute, making ACLs ineffective. The solution is to use a cloud-based DDoS protection service that performs behavioral analysis. This scenario illustrates the need for layered defenses, a key exam concept.

How CS0-003 Actually Tests This

What CS0-003 Tests on DDoS Incident Response

The CySA+ exam (Objective 3.2) focuses on your ability to respond to DDoS incidents within the NIST incident response framework. Key areas:
- Attack identification: Given traffic logs or flow data, classify the attack type (volumetric, protocol, application).
- Mitigation techniques: Choose the correct containment method for a given scenario (e.g., blackholing for volumetric, SYN cookies for SYN flood, WAF for HTTP flood).
- Tools: Know when to use flow analysis, packet capture, and log analysis.
- Post-incident: Understand the importance of updating baselines and response plans.

Common Wrong Answers and Why

1. Always block source IPs: Many candidates choose to block attacking IPs, but DDoS often uses spoofed or botnet IPs that change rapidly. This is ineffective and can block legitimate users.

2. Immediately shut down the server: This stops the attack but also denies service to legitimate users—defeating the purpose of mitigation. The goal is to maintain availability.

3. Use only on-premises mitigation: For large volumetric attacks, on-premises equipment may be overwhelmed. Cloud-based scrubbing is often necessary.

4. Ignore application-layer attacks: Some think only bandwidth matters, but slow attacks can bring down servers with low bandwidth. The exam tests recognition of application-layer attacks.

Specific Numbers and Terms on the Exam

SYN flood: Look for a high ratio of SYN to SYN-ACK packets (e.g., >90% incomplete handshakes).

ICMP flood: High volume of ICMP echo requests.

DNS amplification: Small query results in large response (amplification factor up to 50x).

NTP amplification: Similar, using monlist command (factor up to 500x).

BGP RTBH: Uses a /32 route to Null0; community string often 65535:666.

Scrubbing center: Also called 'DDoS mitigation service' or 'cloud-based scrubbing'.

Edge Cases and Exceptions

Low-and-slow attacks: May not trigger high-bandwidth alerts. Must use application-layer monitoring.

Encrypted traffic (HTTPS): WAF may not inspect payload; use TLS termination at WAF.

IoT botnets: Attacks from many IPs with limited bandwidth each; rate limiting per IP may not help.

Reflection attacks: Source IP is the reflector, not the attacker; blocking reflector IPs may block legitimate services.

How to Eliminate Wrong Answers

If the scenario mentions 'high bandwidth', eliminate application-layer options.

If the scenario mentions 'incomplete TCP handshakes', choose SYN flood and SYN cookies.

If the scenario mentions 'spoofed IPs', blackholing is more effective than ACLs.

If the scenario mentions 'slow connection', consider application-layer attack and WAF.

Always map the attack characteristic to the most effective mitigation, considering scalability and impact on legitimate traffic.

Key Takeaways

DDoS incident response follows NIST SP 800-61 phases: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned.

Volumetric attacks (e.g., UDP flood) require network-level mitigation: BGP blackholing or cloud scrubbing.

Protocol attacks (e.g., SYN flood) are mitigated using SYN cookies or rate limiting on edge devices.

Application-layer attacks (e.g., HTTP flood, Slowloris) require WAF rules, connection limits, and rate limiting per IP.

BGP RTBH uses a null route to drop traffic to the target IP; community string often 65535:666.

Flow analysis (NetFlow, sFlow) is key for detecting DDoS—look for anomalies in packet rates, byte rates, and protocol distribution.

Always validate that an attack is ongoing before taking action; false positives can cause self-inflicted denial of service.

Post-incident activities include updating baselines, improving monitoring thresholds, and conducting a root cause analysis.

DDoS attacks can be multi-vector; layered defenses (network, transport, application) are essential.

The exam expects you to choose mitigation based on attack type: blackholing for volumetric, SYN cookies for SYN flood, WAF for HTTP floods.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

On-Premises Mitigation

Requires upfront hardware investment (e.g., Arbor APS).

Limited by internet link capacity (e.g., 10 Gbps).

Low latency as traffic is processed locally.

Full control over filtering rules and policies.

May be overwhelmed by large volumetric attacks (>100 Gbps).

Cloud-Based Mitigation

Pay-as-you-go or subscription model.

Scalable to absorb multi-terabit attacks.

Adds latency due to traffic diversion (e.g., 5-20 ms).

Filtering rules managed by provider, less customization.

Effective against volumetric attacks; scrubbing centers have massive bandwidth.

Watch Out for These

Mistake: DDoS attacks only involve high bandwidth.

Correct: Application-layer attacks can use low bandwidth (e.g., Slowloris sends partial HTTP headers at a slow rate) but still exhaust server resources. The exam tests both volumetric and low-bandwidth attacks.

Mistake: Blocking the attacker's IP addresses will stop the attack.

Correct: DDoS attacks often use spoofed IP addresses or large botnets with thousands of IPs. Blocking IPs is ineffective and can block legitimate users if the IPs are spoofed. The correct approach is to use rate limiting, blackholing, or scrubbing.

Mistake: A firewall can always stop a DDoS attack.

Correct: Firewalls process traffic at the application layer and have limited throughput. Volumetric attacks can overwhelm the firewall itself. Network-level mitigations like BGP blackholing or cloud scrubbing are needed for large attacks.

Mistake: DDoS attacks are always malicious and intentional.

Correct: Sometimes traffic spikes due to legitimate reasons (e.g., flash crowds, product launches). Incident response must first confirm it's an attack by analyzing traffic patterns and comparing to baselines.

Mistake: Once the attack stops, the incident is over.

Correct: Post-incident activities are crucial: analyze logs, update response plans, patch vulnerabilities, and improve monitoring. The exam expects you to know that recovery includes verification and improvement.


Frequently Asked Questions

What is the first step in responding to a DDoS attack?

The first step is to confirm that it is indeed a DDoS attack and not a legitimate spike (e.g., flash crowd). Analyze flow data and logs to identify the attack type (volumetric, protocol, application) and its characteristics. Then implement containment measures appropriate for the attack type. Do not immediately block all traffic or shut down servers—maintain availability for legitimate users. On the exam, the correct first action is often 'analyze traffic patterns' or 'classify the attack'.

How do you mitigate a SYN flood attack?

SYN flood attacks are mitigated by enabling SYN cookies on the server or edge device. SYN cookies encode the initial sequence number so that the server does not allocate resources until the handshake completes. Alternatively, rate-limit incoming SYN packets (e.g., iptables: `--limit 100/s`). The exam expects you to know that SYN cookies are a kernel-level defense and that they can be enabled via `sysctl -w net.ipv4.tcp_syncookies=1` on Linux.

What is BGP blackholing and when is it used?

BGP blackholing (RTBH) is a technique where the target IP is advertised with a next-hop of Null0, causing all traffic to that IP to be dropped at the ISP's edge. It is used for volumetric attacks that saturate the internet link. The drawback is that it drops all traffic, including legitimate users. It is a last-resort containment method. On the exam, blackholing is the correct answer when the attack is overwhelming the link and other mitigations fail.

How do you detect a DNS amplification attack?

DNS amplification attacks are detected by monitoring DNS query/response sizes. A small query (e.g., 60 bytes) results in a large response (up to 4000 bytes). Flow analysis shows high traffic volume on UDP port 53 with many responses from external DNS servers. The attacker spoofs the victim's IP as the source of the queries, so the responses are delivered to the victim. Mitigation includes blocking DNS responses from external servers to internal IPs, or using DNS RRL (Response Rate Limiting) on authoritative servers. The exam tests recognition of amplification factors.

What is a scrubbing center?

A scrubbing center is a cloud-based service that filters malicious traffic from a DDoS attack before forwarding clean traffic to the target network. Traffic is redirected via BGP or DNS to the scrubbing center, which uses deep packet inspection, rate limiting, and behavioral analysis to drop attack packets. It is effective for large volumetric attacks. The exam may ask about 'traffic diversion to a scrubbing center' as a containment step.

How do you handle a slow HTTP attack like Slowloris?

Slowloris sends partial HTTP headers to keep connections open, exhausting server connection pools. Mitigation includes: increasing the server's maximum connection limit, reducing the timeout for incomplete requests (e.g., `KeepAliveTimeout`), using a WAF to detect and drop slow connections, and rate-limiting connections per IP. The exam tests recognition of slow attacks and the need for application-layer defenses.

What post-incident activities are important after a DDoS attack?

Post-incident activities include: conducting a lessons-learned meeting, analyzing the attack's effectiveness and response timeliness, updating the DDoS response plan, adjusting monitoring thresholds, and implementing proactive measures (e.g., CDN, DDoS mitigation service). Also, preserve logs and packet captures for potential legal action. The exam expects you to know that this phase is critical for improving future responses.
