GB973 CyberOps Metrics: Guide for DDoS Mitigation v0.7

This guide intends to offer its audience best practice guidance with a set of KPIs that can be applied as is, or as a starting point for discussion. The KPIs prescribed within this document will not solve all DDoS problems. They are intended to assist in identifying where you can probe deeper into your process and make some improvements to enhance security, specifically. Some metrics are also more broadly useful.

DDoS refers to Distributed Denial of Service attacks whereby spurious requests overwhelm the ability of one or more networks or computers to service legitimate requests. It is Distributed when multiple (distributed) computers simultaneously send requests to the target, possibly via multiple routes. Some firewalls are known to fail open from such DDoS attacks in such a way that they no longer act as firewalls and pass all traffic through, thus exposing the otherwise-protected systems to other forms of attack. In the current threat landscape, the most common form of DDoS attack comes from botnets. A botnet is a group of many (thousands to millions) of computers, either physical or virtual, that can be centrally controlled to make attacks of various kinds ranging from spam to DDoS. Often these botnets are assembled by compromising individual computers in a way that the user is not aware that the machine is being used for malicious purposes, rendering the device a zombie in the botnet.

General Information

Document series: GB973
Status: TM Forum Approved
Document type: Best Practice
Team approved: 30-Apr-2013
IPR mode: RAND
TM Forum Approved: 30-Aug-2013