ICANN weighs in on how to respond to DDoS attacks

ICANN has released a basic primer on what organisations should do when experiencing a DDoS attack, highlighting that it isn't law enforcement's job to stop them.

The Internet Corporation for Assigned Names and Numbers (ICANN) has weighed in on what organisations should do if they find themselves under a distributed denial-of-service (DDoS) attack.

Its senior security technologist Dave Piscitello has prepared a basic primer for what the organisation thinks victims should do if they experience an attack, writing up his recommendations on the organisation's blog.

Piscitello recommends that organisations contact their national law enforcement agency if they believe a crime is being committed, but emphasises that they should not expect law enforcement to mitigate the attack.

"You should contact law enforcement if your organisation received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened," Piscitello said.

The Australian Federal Police have repeatedly stated that participating in a DDoS attack can attract a criminal conviction and a prison sentence of between two and 10 years.

On stopping an attack that is already under way, Piscitello recommended contacting the victim organisation's hosting provider.

"They will contact 'upstream' providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate, and will typically revoke routes or take other measures to squelch or discard traffic close to the source," he wrote.

As a last resort, when hosting providers are unable to help, he recommends approaching a computer emergency response team (CERT), which will investigate the attack and contact hosting providers on the victim's behalf.

To aid in an investigation, Piscitello said that victims should gather as much relevant information as possible, including the times of the attack, possible motives, the type of traffic used, its impact, and any changes in how the attack is carried out over time.
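The evidence Piscitello lists (when the attack started and stopped, what the traffic looked like, which sources sent it, and how it changed) can be pulled out of an ordinary web-server log before the provider or CERT is contacted. The script below is an added example, not code from ICANN or from Piscitello's post. It parses Apache/Nginx "combined" format lines and produces that summary. The log lines it works on are constructed for the example (RFC 5737 documentation addresses, a fictional date), and the rule it uses to spot attack minutes, a request count at least ten times the quietest minute in the slice, is an assumption chosen for illustration, not something the primer prescribes.

```python
"""Summarise suspected DDoS traffic from web-server access logs (added example).

Produces the facts a hosting provider or CERT will ask for: when the flood began
and ended, baseline and peak requests per minute, top source addresses, the user
agents and request types involved, and how the attack changed over time.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def summarise(lines, factor=10, top_n=5):
    """Summarise a log slice into an incident report.

    Assumption (ours, not the primer's): a minute is part of the attack when its
    request count is at least `factor` times the quietest minute in the slice,
    which is taken as normal load. Consecutive attack minutes with the same
    dominant (method, path) form one phase; a change starts a new phase, which
    records how the attack evolved over time.
    """
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_minute[rec["ts"].replace(second=0)].append(rec)
    if not per_minute:
        return None
    minutes = sorted(per_minute)
    counts = {m: len(per_minute[m]) for m in minutes}
    baseline = min(counts.values())
    attack = [m for m in minutes if counts[m] >= baseline * factor]
    if not attack:
        return {"attack": False, "baseline_rpm": baseline, "peak_rpm": max(counts.values())}

    attack_recs = [r for m in attack for r in per_minute[m]]
    phases = []
    for m in attack:
        dominant, _ = Counter((r["method"], r["path"]) for r in per_minute[m]).most_common(1)[0]
        if phases and phases[-1]["request"] == dominant:
            phases[-1]["end"] = m
            phases[-1]["rpm"] = max(phases[-1]["rpm"], counts[m])
        else:
            phases.append({"start": m, "end": m, "request": dominant, "rpm": counts[m]})
    return {
        "attack": True,
        "start": attack[0],
        "end": attack[-1] + timedelta(minutes=1),
        "baseline_rpm": baseline,
        "peak_rpm": max(counts[m] for m in attack),
        "top_sources": Counter(r["ip"] for r in attack_recs).most_common(top_n),
        "user_agents": Counter(r["ua"] for r in attack_recs).most_common(3),
        "phases": phases,
    }


def build_sample_log():
    """Constructed sample (not real data): two normal minutes, a three-minute
    flood from five sources that switches from GET / to POST /search in its
    last minute, then normal traffic again."""
    t0 = datetime(2013, 3, 12, 10, 0, tzinfo=timezone.utc)

    def line(ip, ts, method, path, ua):
        return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'200 512 "-" "{ua}"')

    normal = ["198.51.100.2", "198.51.100.3", "198.51.100.4"]
    bots = [f"203.0.113.{i}" for i in range(1, 6)]
    lines = []
    for minute in range(6):
        ts = t0 + timedelta(minutes=minute)
        # Light legitimate load in every minute (2 or 3 requests).
        for i, ip in enumerate(normal[: 2 + minute % 2]):
            lines.append(line(ip, ts + timedelta(seconds=10 * i), "GET", "/index.html", "Mozilla/5.0"))
        if 2 <= minute <= 4:
            # Flood: 40 requests per bot per minute; request type shifts in minute 4.
            method, path = ("GET", "/") if minute < 4 else ("POST", "/search")
            for i in range(40):
                for ip in bots:
                    lines.append(line(ip, ts + timedelta(seconds=i), method, path, "python-requests/2.0"))
    return lines


if __name__ == "__main__":
    for key, value in summarise(build_sample_log()).items():
        print(f"{key}: {value}")
```

Taking the quietest minute as the baseline only works when the slice contains some normal traffic either side of the flood; for a real incident, feed it a window that starts before the attack, or replace `baseline` with the rate measured from earlier logs. The phase list is the part most worth passing on, since a change in request type or source set mid-attack is exactly the "changes over time" detail the primer asks for.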