Security Incident Reports: DDoS and TYPO3

Field-tested templates and forensic checklists for security incident reports, with automated CVE correlation for DDoS attacks and TYPO3-specific reporting guidance.
Kurt Dirnbauer
Kurt Dirnbauer
CEO
Stable
AI-translated
SecurityTYPO3DevOpsOpen Source

Overview

  • As cyberattacks grow more complex and response times shrink, the security incident report becomes the central control point of any defence strategy.
  • Field-tested templates for DDoS post-mortems and TYPO3 security incidents, including automated CVE correlation.
  • Modular report templates aligned with NIST SP 800-61 and SANS, with objective severity ratings (NCISS, CVSS, DRS).
  • DDoS analysis that automatically maps known vulnerabilities through CVE correlation, alongside metrics such as peak bandwidth and attack vectors.
  • Forensic checklist for compromised TYPO3 instances: system inventory, sys_log, fileadmin, and tt_content.
  • PGP-encrypted email template for secure reporting to the TYPO3 Security Team with embargo compliance.

Table of Contents  

Strategic Basis

Frameworks, Severity Rating, Blameless Culture

Master Template

Metadata, Timeline, IoCs

DDoS Analysis

Metrics, Impact, CVE Mapping

TYPO3 Forensics

Inventory, Vulnerabilities, Checklist

Reporting Process

Guidelines, PGP Template, Embargo

Conclusion

Key Takeaways, Resources

Why Structured Incident Reports?  

The threat landscape spans two extremes: massive DDoS attacks that flood networks with several terabits of traffic per second, and targeted application attacks on a CMS like TYPO3 that can go undetected for months. A structured report bridges technical analysis and strategic risk management.

DDoS Attacks

  • Volumetric: Record attacks reach 7.3 Tbps (terabits per second)
  • Multi-vector: Combination of different attack methods simultaneously
  • Volatile: They leave no files behind, only traces in network logs

TYPO3 Compromises

  • Deeply embedded in business logic
  • Often undetected for months (Dwell Time)
  • Telling Core from Extension apart is critical for assigning responsibility

Harmonising Frameworks  

Different organisations follow different standards, which leads to inconsistent reports. This guide combines two proven approaches:

  • SANS Model: 6 phases from Preparation to Lessons Learned
  • NIST SP 800-61: Risk-based approach with 4 core phases

SANS: 6 Phases

NIST SP 800-61: 4 Phases

Real-Time Documentation

Documentation starts in the identification phase, not in hindsight. The "logbook principle" guards against cognitive bias and data loss; consolidation into the post-mortem comes later.

Severity Rating  

Subjective judgements ("The attack felt severe") are useless. Objective evaluation rests on:

Rating SystemFocusApplication
NCISS (CISA)Functional impact, information loss, recovery effortGeneral incident evaluation
DDoS Resiliency Score7 levels from simple floods to multi-vector attacksSpecific to DDoS
CVSSTechnical severity of vulnerabilitiesCVE rating

Blameless Post-Mortems  

Modern incident response hunts for systemic failures, not scapegoats. Instead of "Admin X forgot to apply the patch", the report asks: "Why did the process allow an unpatched system to remain in production?"

Methods such as the 5 Whys or Fishbone diagrams in RCA support this philosophy.

Master Template  

The template is modular: a core module for every incident, supplemented by specialised modules for DDoS or TYPO3.

Module A: Metadata  

This section gives C-level executives and external stakeholders a quick orientation: concise and free of technical jargon.

FieldExamplePurpose
Incident-IDINC-2026-0142Unique reference
Detection Time2026-01-21T14:32:00ZStart of the timeline
SeverityHigh (NCISS 7.2)Prioritisation
StatusContained / Eradicated / ClosedCurrent status
Lead AnalystM. SchneiderResponsibility

Executive Summary (max. 200 words):

The narrative follows the Situation → Complication → Resolution pattern:

"On 23 October 2026, our monitoring systems registered a massive surge in traffic to the primary web servers. Analysis confirmed a targeted DDoS attack, which briefly led to performance degradation. In parallel, attempted attacks exploiting a vulnerability in the TYPO3 backend were detected. By rerouting the traffic to a specialised filtering provider and immediately deploying security updates, normal operations were restored within 45 minutes. No personal data was stolen."

Module B: Timeline  

The timeline is the heart of forensic reconstruction: precise timestamps detailing actions and system reactions.

Anomaly Detection

Monitoring registers 400% traffic surge to the load balancer

Security team alerted

Automated notification sent to the on-call analyst

Classification

Confirmation: Combined DDoS attack (network and application layer)

Countermeasures activated

Traffic rerouting to a specialised filtering provider initiated

Normal operations

All systems back under normal load

Module C: Technical Analysis  

This is where you gather the facts that drive further analysis and system hardening.

Attack vectors (TTPs): Described using the MITRE ATT&CK Framework, a public knowledge base of adversary tactics

Example: MITRE ATT&CK Mapping
T1498 - Network Denial of Service
└── T1498.001 - Direct Network Flood
└── T1498.002 - Reflection Amplification

T1190 - Exploit Public-Facing Application
└── TYPO3 Deserialization (CVE-2026-004)

IoCs:

DDoS Post-Mortem  

DDoS attacks leave no files on disk, so the analysis relies entirely on log data from network devices and filtering providers.

DDoS Metrics  

Different metrics reveal different weaknesses. An attack with low bandwidth but an extremely high packet rate can be more devastating than a pure data flood.

MetricUnitTargeted Bottleneck
Peak BandwidthGbps / TbpsUplink capacity
Packets per SecondMppsFirewall State Tables
Requests per SecondRPSApplication Layer
Unique Source IPsCountBotnet size (if not spoofed)
Attack DurationMinutes/HoursResource exhaustion
Spotting Diversionary Tactics

Check whether the massive data flood served as a diversion while a stealth attack (e.g. Slowloris) targeted the application at the same time.

Impact Assessment  

Severity is assessed across three dimensions:

Operational Impact

  • Loss of availability (total outage vs. slowdown)
  • Collateral damage on shared infrastructure
  • Affected services (API, VPN, email)

Financial Impact

  • Costs for traffic filtering (excess usage)
  • Lost revenue (for e-commerce)
  • Personnel costs for incident handling

Reputational Impact

  • Public perception (social media)
  • Loss of trust among B2B partners
  • Media coverage

DRS: Evaluation of attack complexity on a scale of 1-7:

Level 4: Sophisticated (Multi-vector, up to 5 Gbps)57%
Level 6: Advanced (State-Sponsored, HTTPS Floods)86%
Level 7: Extreme (Hyper-volumetric, Zero-Day)100%

Automated CVE Correlation  

What is a CVE?

CVE (Common Vulnerabilities and Exposures) is a standardised system for identifying security vulnerabilities. Each known vulnerability is assigned a unique identifier (e.g., CVE-2024-1234), which is used consistently worldwide – by security researchers, vendors, and IT teams.

Amplification Attacks: When Servers Become Amplifiers

In amplification attacks (also known as reflection attacks), attackers abuse third-party servers as amplifiers. The mechanism works like this:

  1. A small request is sent to a vulnerable server with a spoofed sender address (the victim's IP).
  2. The server replies to the apparent sender with a far larger volume of data.
  3. The victim is flooded with responses it never requested.

The amplification factor captures this ratio: some protocols multiply the traffic 500-fold or more. With just 100 Mbps of bandwidth, an attacker can generate an attack exceeding 50 Gbps.

Why CVE correlation matters:

  1. Self-assessment: Are vulnerable services running in your own infrastructure? Could your systems be acting as reflectors?
  2. Threat intelligence: Which known vulnerabilities are being exploited globally right now, and is action required?
Protocol/PortCVEAmplification FactorDescription
NTP (123/UDP)CVE-2013-5211556xMonlist command
Memcached (11211/UDP)CVE-2018-100011551.000xUDP-Reflection
SLP (427/UDP)CVE-2023-295522.200xService Location Protocol
DNS (53/UDP)Multiple28-54xOpen Resolver
SSDP (1900/UDP)Multiple30xUPnP Discovery
Integration into the Report

Example entry: 'Traffic analysis shows that 40% of the UDP flood originated from source port 427. Deep packet inspection confirmed payloads typical of CVE-2023-29552. This points to a botnet using unpatched VMware ESXi instances as reflectors.'

TYPO3 Forensics  

With TYPO3 as an enterprise CMS, one distinction is vital: vulnerabilities in the TYPO3 Core (the responsibility of TYPO3 GmbH/Association) versus vulnerabilities in extensions (the responsibility of the agency or developers). This distinction determines reporting channels and accountability.

System Inventory  

Before you start the analysis, document the exact state of the system.

AspectTo DocumentSecurity Relevance
TYPO3 VersionExact version incl. patch levelLTS vs. Sprint? ELTS available?
InstallationComposer vs. Legacy (Non-Composer)Composer enables auditing
PHP EnvironmentVersion, Extensions, disable_functionsDangerous functions active?
ExtensionsList of all loaded extensions + versionsFlag abandoned extensions
ServerOS, Webserver, PHP-HandlerKnown vulnerabilities?
Note on ELTS

TYPO3 v11 and older no longer receive security patches without an ELTS contract.

Vulnerability Classes  

Forensic Checklist  

In the event of a suspected compromise (defacement, spamming, unexplained admin logins):

Log Analysis: var/log/typo3_*.log – search for unusual backend logins, IP addresses
User Accounts: Check be_users and fe_users for unknown entries
File System: find fileadmin/ -name "*.php" -mtime -7 – PHP files in upload folders
Core Integrity: Compare checksums against official releases
Scheduler Tasks: Check tx_scheduler_task for suspicious entries
Extension Audit: composer audit or manual comparison with security bulletins
TypoScript: Check sys_template for injected JavaScript snippets

TYPO3 Security Team  

Reporting vulnerabilities to the TYPO3 Security Team follows strict rules. The team works on the principle of responsible disclosure.

Due Diligence in Security Reporting

Reporting to the Security Team takes thorough preparation. Make sure the suspected vulnerability is documented reproducibly and does not stem from a misconfiguration in your own environment. Poorly researched reports tie up the volunteer team's resources and delay genuine security issues.

Preparatory Measures  

Before Reporting

  • Keep it off public channels – no posts in Slack, StackOverflow, or forums
  • Verify – is the flaw reproducible in a currently supported version?
  • Communicate securely – emails must be PGP-encrypted

Encryption Data

PGP ensures that only the Security Team can read the report:

Email Template  

This template meets the TYPO3 Security Team's requirements:

security@typo3.org – PGP Signed/Encrypted
Subject: Suspected Vulnerability in [Extension/Core] - [Short Description]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear TYPO3 Security Team,

I am writing to report a suspected security vulnerability in accordance 
with your coordinated disclosure policy.

1. VULNERABILITY METADATA
-------------------------
Project:              [Extension Key or "TYPO3 Core"]
Affected Versions:    [e.g., 11.5.0 - 11.5.24]
Tested Version:       [Your test environment]

After Reporting  

Confirmation

The Security Team confirms receipt of the report.

Evaluation

The team reviews the report and contacts the extension author if necessary.

Fixing

A patch is developed and tested in a private repository.

Advisory

Security Bulletin (e.g., TYPO3-CORE-SA-2026-001) + patched version are released simultaneously.
Observe the Embargo

Maintain strict silence between reporting and publication. Any premature discussion opens the door to zero-day attacks and puts every TYPO3 installation worldwide at risk.

Conclusion  

A security incident report combines technical excellence with communicative clarity. The template here brings together global standards (NIST/SANS), the specific demands of DDoS attacks, and the TYPO3 security architecture.

DDoS + CVE Mapping

Traffic data becomes actionable threat intelligence. Which global vulnerabilities are being weaponised against us?

TYPO3 Forensics

Standardised reporting channels and forensic depth build trust and strengthen the open-source community.

Faster Response

Consistent application of these templates minimises the recovery time and legal risks.

Security is not a state, but a process – and this report is the protocol of that process.

Using as an AI Skill  

The methodology behind this article is available as a machine-readable skill for AI assistants. With it, Claude, ChatGPT, and other LLMs can generate structured incident reports to NIST/SANS standards.

webconsulting-skills Repository

The skill is part of our open-source collection for AI-supported IT workflows: github.com/dirnbauer/webconsulting-skills

Example Prompts for the AI Assistant:

Back to the list

More articles

Let's talk about your project

Get in touch

Locations

  • Mattersburg
    Johann Nepomuk Bergerstraße 7/2/14
    7210 Mattersburg, Austria
  • Vienna
    Ungargasse 64-66/3/404
    1030 Wien, Austria

Parts of this content were created with the assistance of AI.