Approved by CTS GARR on 23/1/2007
This document describes the incident handling procedure in use at GARR-CERT.
Communication between GARR-CERT and the involved entities is usually performed by digitally signed electronic mail.
The procedure consists of the following steps:
1. When GARR-CERT receives a report about an incident, it verifies that at least one of the involved entities belongs to its own constituency. If this is not the case, GARR-CERT tries to forward the message to the appropriate external CSIRT.
2. GARR-CERT assigns a unique ID number to the incident and sends a report to the local Access Point Manager (APM), the manager of the router connecting the involved site to the GARR Network. The APM is also asked to forward the information to the local people involved. In this communication GARR-CERT specifies the maximum time allowed to solve the problem. GARR-CERT then replies to the entity that signalled the incident, sending a first report which includes the assigned ID. In case of particularly severe issues, e.g. those with penal relevance, the communication sent to the local APM will also include a formal invitation to filter out the involved node without any further confirmation request, should the problem not be solved within the specified time limit. A copy of this message will also be sent to GARR-NOC (the Network Operations Centre). In this case we proceed to step 5.
3. If the incident is solved within the requested time frame, we proceed to step 9.
4. If the incident is not solved within the requested time frame, GARR-CERT asks the local APM to filter the involved network/computer/service on his/her local router. In this notification GARR-CERT indicates the maximum time allowed to the APM for the action.
5. If the APM acts within the time limit, we continue with step 8.
6. If the local APM does not act within the requested time, GARR-CERT sends GARR-NOC the request to filter the involved network/computer/service. If the deadline for the filtering action falls outside GARR-CERT working hours, GARR-NOC will proceed without the formal GARR-CERT request.
7. GARR-NOC installs the filters as requested and notifies GARR-CERT.
8. GARR-CERT verifies that the network/computer/service causing the problem is filtered and sends a report of "neutralized problem" to all the involved parties.
9. When the local people communicate that the problem is solved, GARR-CERT, after a successful verification, sends a request to remove the applied filters to the local APM or GARR-NOC. GARR-CERT then sends a communication of "problem solved" to all the involved parties and closes the incident.
The maximum times allowed for solving the problems are as follows:
- Open mail relay: 3 days;
- Nodes that are the source of hostile actions (port scans, attacks, etc.): 1 day;
- Nodes used for DoS attacks: 5 hours;
- Incidents with penal relevance: 4 hours.