Educause Security Discussion mailing list archives

Distributed Denial of Service Mitigation and Contingency


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 9 Jun 2006 16:20:22 -0400


Hi,

In a contingency management planning meeting today we were
discussing distributed denial of service attack scenarios,
ways to minimize their effects, and response strategies.
We were wondering how other institutions viewed the risk
and what they were doing in this area.

If you'd be willing to share your thoughts, experiences, and
techniques, online or offline, in full or in part, I'll
collect and summarize responses anonymously (assuming I get
any).


1. What is the threat or probability of a distributed denial of
   service attack against your institution over the next three
   years?

   If the answer is "unknown" or "unknown but finite":

   a. What amount of one time and recurring expenditure would
      be justified to help preserve services during limited, low
      grade attacks where probability is unknown? Where would
      you spend it?

   b. What amount of one time and recurring expenditure would
      be justified to attempt to preserve services in face of
      overwhelming traffic where probability is unknown
      and success is doubtful? Where would you spend it?

2. Do you have a device that preserves services in the face
   of a TCP SYN type denial of service attack? If so, what
   kind?

3. Do you have a device that preserves services in the face
   of an ICMP flooding denial of service attack? If so, what
   kind?

4. Do you have a device that preserves services in the face
   of a UDP bandwidth flooding attack? If so, what kind?

5. Do you have a device that preserves DNS services in the
   face of a UDP DNS request flooding attack? If so, what
   kind and how does it differentiate good requests from
   bad?

6. Does your ISP provide mitigation of denial of service
   attacks? If so, what services do they offer? Traffic
   filtering? Source tracking? Rate limiting? Something
   else?

7. What type of contingency plans do you have for
   a large, sustained inbound denial of service attack
   that overwhelms available bandwidth for days or longer?

8. Have you been the victim of a distributed denial of service
   attack? If so,

   a. How many?
   b. What type?
   c. When?
   d. What level of traffic?
   e. What percentage of your bandwidth?
   f. How effective were your prevention techniques at preserving
      services?
   g. How effective were your response techniques at preserving
      services?
   h. How effective were your response techniques at tracing
      and stopping the attack?
   i. Anything you'd do differently?
   j. How long and in what ways were university services
      affected?
   k. Do you know what instigated the attack?

Thanks for any and all responses.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
