Domain Name System Server Denial of Service and Stolen Documents
Other
Scenario 1:
Domain Name System (DNS) Server Denial of Service (DoS)
On a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.
The following are additional questions for this scenario:
1. Whom should the organization contact regarding the external IP address in question?
2. Suppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?
3. Suppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?
Scenario 3:
Stolen Documents
On a Monday morning, the organization’s legal department receives a call from the Federal Bureau of Investigation (FBI) regarding some suspicious activity involving the organization’s systems. Later that day, an FBI agent meets with members of management and the legal department to discuss the activity. The FBI has been investigating activity involving public posting of sensitive government documents, and some of the documents reportedly belong to the organization. The agent asks for the organization’s assistance, and management asks for the incident response team’s assistance in acquiring the necessary evidence to determine if these documents are legitimate or not and how they might have been leaked.
The following are additional questions for this scenario:
1. From what sources might the incident response team gather evidence?
2. What would the team do to keep the investigation confidential?
3. How would the handling of this incident change if the team identified an internal host responsible for the leaks?
4. How would the handling of this incident change if the team found a rootkit installed on the internal host responsible for the leaks?
- Procedures (Individual Sections – Identify the name of the student in the paper who prepared their section)
- Risk:
- Preparation
- Detection and Analysis
- Containment
- Eradication
- Recovery
- Post-Incident Activity
- Risk:
