- Record the attack (NetFlow/sFlow exports or packet captures, server and firewall logs, e-mail correspondence with the blackmailers, etc.) and preserve this material unaltered. It is needed for the subsequent analysis and for any criminal complaint against persons unknown.
- Make sure you can keep a minimal set of external information channels open, e.g. a static website, hosted separately from the attacked infrastructure, on which you give your customers status information and alternative contact details (telephone, fax, e-mail).
- Analyse the attack and establish a defence strategy:
  - If the attack comes from a limited number of IP addresses, filtering those addresses on your own router or firewall may be sufficient. Once the attack volume exceeds your available bandwidth, filtering on your side no longer helps: the link is saturated before your filter sees the packets, so the traffic must be dropped upstream by your internet service provider (ISP).
  - Where the attack is purely IP-based (aimed at an address rather than a name), consider moving the attacked system to a different subnet or address. Plan this in close collaboration with your ISP and/or a specialist DDoS mitigation provider.
  - The source addresses of the attack are probably spoofed: this is typical of SYN floods and of UDP-based reflection and amplification floods (DNS, NTP, SNMP, etc.), since none of these require a completed handshake. Filtering by source address is pointless here and may even block legitimate users. Work with your ISP, who can divert and scrub the traffic. Know beforehand which protocols your systems actually use and which can be dropped without collateral damage: a public website generally needs only TCP-based services (HTTP, HTTPS, SMTP, etc.), so inbound connectionless traffic such as UDP can usually be dropped outright. Exceptions are DNS if you run an authoritative name server, HTTP/3 (QUIC) if you serve it, and any UDP-based VPN or VoIP service.
  - Attacks on an application: the application is overwhelmed by a large number of (expensive) requests. These attacks run over TCP, so the client must complete the three-way handshake before it can send a request; the source address is therefore genuine and can be used for filtering, together with request-level criteria (URL, request rate per client, User-Agent, etc.).
  - Attacks on the SSL/TLS handshake: one remedy is to terminate TLS at a cloud-based mitigation service that forwards only filtered connections to your systems. Note that the service then holds your certificate and private key and sees the decrypted traffic, and that your origin address must not be reachable directly, otherwise the attacker simply bypasses the service.
  - If most of your customers are located in specific countries, GeoIP blocking can be used to filter traffic or to prioritise it by country of origin, keeping the service available for as long as possible. Some legitimate users will be blocked or deprioritised, and the attacker may switch to sources in the permitted countries.
- Expect the attacker to adapt to your countermeasures and switch tactics. Re-analyse the DDoS whenever the traffic pattern changes and adjust the countermeasures accordingly.
- Notify the NCSC of the incident and contact the police to report (attempted) damage to data (Art. 144bis of the Swiss Criminal Code) and possibly also (attempted) extortion (Art. 156 of the Swiss Criminal Code). Damage to data is also deemed to have occurred if an attack causes data to be temporarily unavailable and thus unusable.
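The decision points in the defence strategy above (few sources vs. spoofed flood vs. application-layer attack, local filtering vs. ISP, GeoIP gain) can be applied mechanically to exported flow records. The following is an added example, not NCSC material: it triages constructed flow records and emits a matching nftables fragment. The record fields, the thresholds, the per-record GeoIP country tag and the sample captures are assumptions for illustration.

```python
"""Added example (not NCSC text): triage constructed flow records along the
NCSC decision points and emit an nftables fragment for the chosen strategy.
Field names, thresholds and the GeoIP tag on each record are assumptions."""
import random
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    src: str       # source address as seen on the wire (may be spoofed)
    proto: str     # "tcp" or "udp"
    dport: int
    packets: int
    country: str   # assumed: GeoIP lookup done when the flow was exported


def traffic_profile(flows):
    """Summarise a capture: protocol mix, source concentration, volume per source."""
    total = sum(f.packets for f in flows)
    by_src, by_proto = Counter(), Counter()
    for f in flows:
        by_src[f.src] += f.packets
        by_proto[f.proto] += f.packets
    top = by_src.most_common(20)
    return {"total": total, "sources": len(by_src),
            "top20_share": sum(p for _, p in top) / total,
            "udp_share": by_proto["udp"] / total,
            "pkts_per_source": total / len(by_src),
            "top_sources": [s for s, _ in top]}


def classify(flows):
    """Map the profile onto the three attack types described above (thresholds assumed)."""
    p = traffic_profile(flows)
    if p["top20_share"] >= 0.9:
        return "few-sources"        # filter the addresses on router/firewall
    if p["udp_share"] >= 0.8 and p["pkts_per_source"] <= 3:
        return "spoofed-udp-flood"  # sources are bogus: filter the protocol, involve the ISP
    if p["udp_share"] <= 0.1:
        return "application-layer"  # handshakes completed: sources are real, filter by criteria
    return "mixed"


def where_to_filter(total_bits, window_s, link_bps):
    """Once the flood exceeds your own link, only the ISP can drop it usefully."""
    return "isp" if total_bits / window_s > link_bps else "local"


def geoip_gain(flows, home=("CH",)):
    """Fraction of attack packets that blocking all non-home countries would remove."""
    total = sum(f.packets for f in flows)
    return sum(f.packets for f in flows if f.country not in home) / total


def nft_fragment(flows, serves_dns=False, serves_http3=False):
    """Emit an nftables snippet for the chosen strategy (review before loading)."""
    kind = classify(flows)
    rules = ["ct state established,related accept"]   # replies to our own traffic stay
    if kind == "few-sources":
        ips = ", ".join(traffic_profile(flows)["top_sources"])
        rules.append(f"ip saddr {{ {ips} }} counter drop")
    elif kind == "spoofed-udp-flood":
        if serves_dns:
            rules.append("udp dport 53 accept   # authoritative DNS lives on this host")
        if serves_http3:
            rules.append("udp dport 443 accept  # HTTP/3 (QUIC) runs over UDP")
        rules.append("meta l4proto udp counter drop")
    elif kind == "application-layer":
        rules.append("tcp dport { 80, 443 } ct state new "
                     "meter http_new { ip saddr limit rate over 50/second } counter drop")
    body = "\n".join("        " + r for r in rules)
    return (f"# strategy: {kind}\ntable inet ddos {{\n    chain input {{\n"
            f"        type filter hook input priority 0; policy accept;\n{body}\n    }}\n}}")


# Constructed sample captures (TEST-NET and RFC 6598 space, not real attackers).
def sample_few_sources():
    return [Flow(f"203.0.113.{i}", "tcp", 443, 20_000, "XX") for i in range(1, 6)]


def sample_spoofed_udp(n=3000):
    rng = random.Random(1)
    hosts = list(ip_network("100.64.0.0/20").hosts())   # many distinct fake sources
    return [Flow(str(hosts[i]), "udp", rng.randint(1024, 65535), rng.randint(1, 2), "XX")
            for i in range(n)]


def sample_application_layer():
    rng = random.Random(2)
    hosts = list(ip_network("198.51.100.0/24").hosts()) + list(ip_network("192.0.2.0/24").hosts())
    return [Flow(str(h), "tcp", 443, rng.randint(150, 250), rng.choice(["DE", "US", "CH"]))
            for h in hosts[:300]]


if __name__ == "__main__":
    for name, flows in [("few sources", sample_few_sources()),
                        ("spoofed UDP", sample_spoofed_udp()),
                        ("application layer", sample_application_layer())]:
        print(f"== {name}: {classify(flows)}, GeoIP gain {geoip_gain(flows):.0%}")
        print(nft_fragment(flows))
```

The generated fragment is only the local part of the defence: for the spoofed UDP case, `where_to_filter` with the measured bit rate and your link capacity tells you whether the drop has to happen at the ISP instead, and the DNS/HTTP/3 flags encode the "know beforehand what you can filter" step from the list above.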
Notes on ransom payments
- The NCSC strongly advises against agreeing to the blackmailers' demands.
- If you are nonetheless considering paying the ransom, the NCSC strongly recommends that you discuss this step with the cantonal police first.