
The following incident has occurred:

A. The network department observes a sudden increase (i.e. a spike) in firewall drops, identifying
traffic that is targeted at their primary DNS server and originates from multiple sources. Since the
client utilizes an ISP, the same notification is received from the ISP.

B. Using the common well-known ports for DNS (UDP:53) and HTTP (TCP:80), the attack
vectors look as follows:

- Attack 1 is identified as "Incoming UDP Misuse Attack."
- Attack 2 is identified as "Fragmentation Misuse."
- Attack 3 is identified as "Profiled UDP Attack" and utilizes Simple Service Discovery
Protocol (SSDP) traffic.
- Attack 4 is identified as "Bandwidth Attack" and appears to be a combination of UDP:1900 and
fragmented TCP traffic.

C. The attack targets the company's primary business function, the front-facing webpage that hosts
an e-commerce engine, and succeeds in bringing down the organization's website.

What has just happened? How can the organization resume normal business operations? How could
the organization better prepare for such an attack? What can the ISP do in this case?

Approaching this problem from a Certified Information Systems Security Professional (CISSP)
standpoint, I would go back to the Incident Response (IR) plan, adhere to its documentation, and
apply its tools and procedures to locate, classify, and address the problem. With that plan in hand
the situation is tractable, and several strategies could be employed to strengthen the organization
and restore it to regular operation.
In the current situation, a distributed denial of service (DDoS) attack was deployed: the network,
its services, and its servers were flooded with packet traffic sent from many locations at once.
Blocking the attack by source address alone is ineffective because the traffic is dispersed across
many sources, and in UDP floods the source addresses are often spoofed, so filtering has to key on
what the traffic is (protocol, port, fragmentation) rather than only on where it claims to come from.
The types of attack observed are an incoming User Datagram Protocol (UDP) misuse attack,
fragmentation misuse, a profiled UDP attack that uses Simple Service Discovery Protocol (SSDP)
traffic, and a bandwidth attack that combines UDP port 1900 traffic with fragmented TCP traffic.
It is crucial to understand the port layout because several ports were used throughout the attacks.
Port numbers belong to the transport layer (TCP and UDP) of the Open Systems Interconnection
(OSI) model; the services behind them are application-layer protocols. The Domain Name System
(DNS) listens on port 53 (normally UDP, with TCP for large responses and zone transfers) and
converts human-readable names into numeric Internet Protocol (IP) addresses, while HTTP uses
TCP port 80 to serve web pages.
Ports 0 to 1023 are the well-known ports, assigned to widely used TCP/IP services. Port 1900, used
by SSDP, falls in the registered range 1024 to 49151, which is assigned to vendors for particular
applications. SSDP has no legitimate reason to arrive at an e-commerce site from the Internet; in
DDoS it is typically a reflection attack, in which the attacker sends discovery requests carrying the
victim's spoofed address to Internet-exposed UPnP devices, whose larger replies are then delivered
to the victim.
The attack targeted the organization's primary DNS server and its front-facing website with its
e-commerce engine, and it succeeded in taking the website offline. Note that the website can be
unreachable even if the web server itself stays up: when the primary DNS server cannot answer
queries, customers cannot resolve the site's name, so protecting DNS is part of protecting the
storefront.
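The four attack signatures above can be recognised directly from the firewall's drop records. The following is an added example, not code from the original discussion post or from any firewall vendor: it parses a constructed, simplified drop-log format, labels each dropped packet with the scenario's attack category, counts drops per time window to expose the spike the network department saw, and flags the combined "bandwidth attack" when SSDP and fragmented TCP toward the web server occur together. The log layout, the addresses 10.0.0.53 (DNS) and 10.0.0.80 (web), and the source addresses are all assumptions.

```python
"""Classify dropped packets into the four attack signatures named in the scenario.

Added example, not from the original discussion post or any vendor tool.
Assumptions: the log line layout is constructed (epoch proto src:sport -> dst:dport flags);
10.0.0.53 and 10.0.0.80 are the assumed DNS and web server addresses; the source
addresses come from the RFC 5737 documentation ranges.
"""
from collections import Counter

DNS_SERVER = "10.0.0.53"   # assumed primary DNS server
DNS_PORT = 53
HTTP_PORT = 80
SSDP_PORT = 1900

# Constructed sample of firewall drop records. "MF" marks an IP fragment
# (more-fragments bit); "-" means no flag of interest.
SAMPLE_DROPS = """\
1700000000 UDP 198.51.100.7:41000 -> 10.0.0.53:53 -
1700000000 UDP 203.0.113.9:41001 -> 10.0.0.53:53 -
1700000000 UDP 198.51.100.8:53123 -> 10.0.0.53:53 -
1700000001 UDP 192.0.2.44:1900 -> 10.0.0.80:80 -
1700000001 UDP 192.0.2.45:1900 -> 10.0.0.80:80 -
1700000001 TCP 192.0.2.46:3344 -> 10.0.0.80:80 MF
1700000001 TCP 192.0.2.47:3345 -> 10.0.0.80:80 MF
1700000002 UDP 198.51.100.9:41002 -> 10.0.0.53:53 MF
1700000030 TCP 192.0.2.50:5000 -> 10.0.0.80:80 SYN
"""


def parse(line):
    """Turn one drop record into a dict; returns None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    return {"ts": int(parts[0]), "proto": parts[1], "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "frag": "MF" in parts[5].split(",")}


def classify(pkt):
    """Map one packet to the scenario's attack label (or 'other').

    Fragments are checked first because a fragment carries no usable port
    information beyond the first piece; SSDP is matched on either port because
    reflected replies arrive with source port 1900.
    """
    if pkt["frag"]:
        return "fragmentation_misuse"                     # attack 2
    if pkt["proto"] == "UDP" and SSDP_PORT in (pkt["sport"], pkt["dport"]):
        return "profiled_udp_ssdp"                        # attack 3
    if pkt["proto"] == "UDP" and pkt["dst"] == DNS_SERVER and pkt["dport"] == DNS_PORT:
        return "incoming_udp_misuse"                      # attack 1
    return "other"


def summarize(log_text, window=10):
    """Count drops per label and per time window, and flag the combined bandwidth attack.

    The scenario's 'bandwidth attack' is SSDP (UDP:1900) mixed with fragmented TCP
    toward the web server, so it is a property of the window, not of one packet.
    """
    labels = Counter()
    per_window = Counter()
    sources = set()
    frag_tcp_to_web = 0
    for line in log_text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        labels[classify(pkt)] += 1
        per_window[pkt["ts"] // window * window] += 1
        sources.add(pkt["src"])
        if pkt["frag"] and pkt["proto"] == "TCP" and pkt["dport"] == HTTP_PORT:
            frag_tcp_to_web += 1
    bandwidth = labels["profiled_udp_ssdp"] > 0 and frag_tcp_to_web > 0   # attack 4
    return {"labels": dict(labels), "per_window": dict(per_window),
            "distinct_sources": len(sources), "bandwidth_attack": bandwidth}


def is_spike(per_window, baseline, factor=5):
    """Return the windows whose drop count exceeds factor x the normal baseline."""
    return {start: n for start, n in per_window.items() if n > baseline * factor}


if __name__ == "__main__":
    report = summarize(SAMPLE_DROPS)
    print(report)
    print("spike windows:", is_spike(report["per_window"], baseline=1))
```

The distinct-source count is what separates a DDoS from a single misbehaving host, but it should be read with care: in a UDP flood the addresses are frequently spoofed, so a large source count says the attack is distributed or spoofed, not that a block list of those addresses would stop it.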
Several strategies could reduce the risk immediately and let the organization resume regular
operations. It could engage a DDoS mitigation service provider to absorb and scrub the
overwhelming traffic in real time before it reaches the organization's network. It could work with
its Internet Service Provider (ISP) to filter the attack traffic upstream and, where the upstream link
rather than the servers is the bottleneck, temporarily increase bandwidth so the network can carry
the load while the information technology (IT) security team addresses the issue. It could fail over
to its redundant DNS servers to distribute the query load, and use its backup and recovery
procedures to bring the e-commerce website back online. To retain transparency and trust, it is
crucial to notify stakeholders, including customers and employees, as appropriate.

To reduce risk and prepare for future attacks, several key areas must be addressed. The IR plan
should be updated, the attacks examined from the firewall and ISP logs so that they are
understood, and security measures modified as needed. DDoS mitigation measures include
retaining a DDoS mitigation provider and configuring firewall rules that separate legitimate traffic
from attack traffic: dropping protocols and ports the organization never expects from the Internet
(such as inbound UDP port 1900), rate-limiting traffic to the DNS server, and blocking source
addresses only where they are stable, since flood sources are frequently spoofed and a block list
alone will not keep the attack traffic out. Intrusion detection and prevention systems (IDS and IPS)
should be deployed to track traffic patterns and stop malicious traffic. Regular system patching and
software updates reduce the attack surface. Encrypting data in transit, for example with TLS on the
website and a Virtual Private Network (VPN) on the point-to-point link between the ISP and the
organization, protects confidentiality and integrity but does not reduce the volume of a flood, so it is
general hardening rather than a DDoS control. The network should be continuously monitored for
threats, and regular security audits and penetration testing should be carried out to identify gaps
and vulnerabilities. To restore operations and manage residual risk, the organization should have a
strong redundancy and recovery plan, including secondary DNS servers. Finally, employees should
be trained in security best practices and in how to identify and report suspicious activity.
The ISP can apply traffic filtering to identify unusual traffic spikes and drop malicious packets and
source addresses before they reach its customers' networks. During an attack, rate and bandwidth
limits can control the amount of traffic flowing toward the customer's network while the attack is
being resolved on both sides, at the cost of shedding some legitimate traffic along with the flood.
The ISP can temporarily give the customer more bandwidth to meet the extra demand, supporting
the customer's ongoing operations and upholding its confidence. It can also offer DDoS mitigation
services to its customers as a backstop for the strain caused by volumetric traffic. Throughout, the
ISP must keep in touch with its customers to exchange details about the attacks, give updates on
the mitigation process, and work together to address issues.
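The rate and bandwidth restrictions described for the ISP (and the protocol and port filters an organization can apply at its own edge) come down to a small amount of per-destination state. The following is an added example, not code from the original post or from any ISP's or firewall vendor's equipment: it applies static denies for the traffic the scenario shows has no legitimate use (fragments, SSDP on UDP port 1900) and a token-bucket rate limit for queries to the DNS server, then runs a constructed packet stream through the policy. The addresses, the tiny budget of 2 queries per second with a burst of 4, and the packet stream are assumptions chosen so the arithmetic can be followed by hand.

```python
"""Edge rate limiting and static filtering for the scenario's attack traffic.

Added example, not from the original post or any ISP or firewall vendor. The
packet tuples, the budgets and the addresses are constructed assumptions:
10.0.0.53 is the DNS server, 10.0.0.80 the web server, and the site is assumed
to run no SSDP clients, so inbound UDP/1900 has no legitimate use.
"""


class TokenBucket:
    """Classic token bucket: 'rate' tokens added per second, at most 'burst' stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# A packet is (time, proto, src, sport, dst, dport, is_fragment).
def decide(pkt, buckets, policy):
    """Return 'pass' or a drop reason for one packet.

    Order matters: static denies first (cheap, stateless), then the per-destination
    rate limit, then default pass. There is deliberately no per-source limit,
    because source addresses in a UDP flood are usually spoofed; the key is the
    destination service, not the claimed sender.
    """
    t, proto, src, sport, dst, dport, frag = pkt
    if frag:
        return "drop:fragment"                              # attack 2 / part of attack 4
    if proto == "UDP" and 1900 in (sport, dport):
        return "drop:ssdp"                                  # attack 3 / part of attack 4
    key = (proto, dst, dport)
    if key in policy:
        rate, burst = policy[key]
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        return "pass" if bucket.allow(t) else "drop:rate"   # attack 1 is capped here
    return "pass"


def run(packets, policy):
    """Apply the policy to a packet list in time order; returns counts per verdict."""
    buckets = {}
    counts = {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        verdict = decide(pkt, buckets, policy)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Budget: the DNS server may receive 2 queries/s sustained with a burst of 4
# (assumed, deliberately tiny so the numbers below can be checked by hand).
POLICY = {("UDP", "10.0.0.53", 53): (2, 4)}

# Constructed stream: a 10-packet DNS burst at t=0 from many sources, 3 more at t=1,
# one SSDP reflection, one TCP fragment, then one normal HTTP SYN and one normal
# DNS query at t=5 after the flood has quietened.
SAMPLE = (
    [(0.0, "UDP", f"198.51.100.{i}", 40000 + i, "10.0.0.53", 53, False) for i in range(10)]
    + [(1.0, "UDP", f"203.0.113.{i}", 41000 + i, "10.0.0.53", 53, False) for i in range(3)]
    + [(1.0, "UDP", "192.0.2.44", 1900, "10.0.0.80", 80, False),
       (1.0, "TCP", "192.0.2.46", 3344, "10.0.0.80", 80, True),
       (5.0, "TCP", "192.0.2.50", 5000, "10.0.0.80", 80, False),
       (5.0, "UDP", "192.0.2.51", 5353, "10.0.0.53", 53, False)]
)

if __name__ == "__main__":
    print(run(SAMPLE, POLICY))
```

Walking through the sample: the burst of 4 lets the first four DNS queries at t=0 through and drops the other six; by t=1 two tokens have accrued, so two of the three queries pass; by t=5 the bucket is full again and the late query passes. The rate limit caps the flood at the DNS server's budget but cannot tell the spoofed queries from real ones, which is exactly the trade-off the text notes for restricting bandwidth during an attack: some legitimate traffic is shed along with the flood until the attack traffic is filtered further upstream.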

In conclusion, a robust IR, redundancy, and recovery strategy is essential if an organization is to
reduce risk and resume operations with the least downtime when it faces such attacks in the future.
The security logs must be examined to understand the attacks; based on that analysis, the IR plan
should be amended as necessary and the packet-filtering firewall rules adjusted to address the risks
found. The organization should invest in security solutions such as Next Generation Firewalls
(NGFW), penetration testing, and regular security audits to close gaps and harden its network
against impending attacks.

Hello Patrick, you present some strong justifications for how the organization could reduce DDoS attacks.
A few additional significant components on the ISP side of the network should be included. The ISP could
help the organization prevent the threat from reaching it in the first place by setting up a traffic
filtering system that detects unusual packet spikes and filters IP addresses. It should impose a bandwidth
restriction to reduce the volume of traffic entering its customers' networks. The connection between its
network and the customers' networks must also be encrypted. It should temporarily increase bandwidth to
support those customers' continued operations. The ISP must stay in touch with consumers and cooperate
with them to reduce risks on both sides of the network.

Hello Sahir, just a few more to add to the fascinating suggestions you made: the organization might take
advantage of its redundancy plan to quickly restore the DNS server and website so that business can resume
as usual. Do not forget to inform stakeholders, customers, and employees about the attacks encountered
and the mitigating measures taken. The organization must implement employee training on security
procedures and on how to spot and report any potential threats.

ISPs need to have firewall rules in place to filter packets and detect unusual traffic spikes, reducing risk
before they enter the customers' networks. To mitigate the impact of the attacks, the ISP should offer a
bandwidth quota monitoring approach that keeps the customers' networks from becoming overburdened
with increased traffic. Also, a temporary increase in bandwidth could ensure that more traffic can reach its
customers' networks and maintain functionality while the issues are being resolved by the IT team.
Acting as a DDoS service provider might be a smart idea for handling some of the heavy demand. To
further reduce network dangers on both sides, the ISP needs to connect with its customers.
