Procedure for detection of and response to Distributed Denial of Service cyber attacks on complex enterprise systems

The increasing frequency, rising costs, and growing sophistication of cyber attacks on DoD, agency and commercial enterprise systems are dramatically reducing the quality of end-user services and compromising mission effectiveness. Of those attacks, one of the more severe is Distributed Denial-of-Service (DDoS) through which an attacker can disrupt, and possibly shutdown, local network enclaves and global net-centric enterprise systems. Previous attempts to overcome this threat include intrusion detection and prevention systems (IDS/IPS), firewalls, and packet scanning software. However, none of these approaches individually achieves prevention or provides sufficient countermeasures to overcome and resolve DDoS threats. This paper presents a detailed procedure for identifying both the on-set of DDoS attacks and corresponding countermeasures to prevent or limit their effects. This procedure applies a hybrid approach that adapts to changing DDoS attack scenarios. Concrete examples provided for each step of the procedure identify the key tools to proactively prevent or respond to DDoS events. Simulated results demonstrate the effectiveness of the procedure for a representative DDoS attack scenario.