Security Incident Reports: When DDoS Meets TYPO3

Structured templates and forensic protocols for security incident reports. Featuring automated CVE correlation for DDoS attacks and TYPO3-specific reporting guidelines.
Kurt Dirnbauer
Kurt Dirnbauer
CEO
Stable
SecurityTYPO3DevOpsOpen Source

Overview

  • Cyberattacks are becoming more complex, response times shorter – a Security Incident Report is the central control instrument of any defence strategy.
  • Field-tested templates for DDoS post-mortems and TYPO3 security incidents, including automated CVE correlation.
  • Modular report templates according to NIST SP 800-61 and SANS with objective severity ratings (NCISS, CVSS, DRS).
  • DDoS analysis with automated mapping of known vulnerabilities via CVE correlation and metrics such as Peak Bandwidth and attack vectors.
  • Forensic checklist for compromised TYPO3 instances: system inventory, sys_log, fileadmin, and tt_content.
  • PGP-encrypted email template for secure reporting to the TYPO3 Security Team with embargo compliance.

Table of Contents  

Strategic Basis

Frameworks, Severity Rating, Blameless Culture

Master Template

Metadata, Timeline, IoCs

DDoS Analysis

Metrics, Impact, CVE Mapping

TYPO3 Forensics

Inventory, Vulnerabilities, Checklist

Reporting Process

Guidelines, PGP Template, Embargo

Conclusion

Key Takeaways, Resources

Why Structured Incident Reports?  

The threat landscape encompasses two extremes: Massive DDoS attacks that flood networks with data volumes of several terabits per second, and targeted application attacks on CMSs like TYPO3, which can remain undetected for months. A structured report bridges the gap between technical analysis and strategic risk management.

DDoS Attacks

  • Volumetric: Record attacks reach 7.3 Tbps (terabits per second)
  • Multi-vector: Combination of different attack methods simultaneously
  • Volatile: Leave no files behind – traces only in network logs

TYPO3 Compromises

  • Deeply embedded in business logic
  • Often undetected for months (Dwell Time)
  • Distinguishing Core vs. Extension is critical for responsibilities

Harmonising Frameworks  

Various organisations use different standards – this leads to inconsistent reports. This guide combines two proven approaches:

  • SANS Model: 6 phases from Preparation to Lessons Learned
  • NIST SP 800-61: Risk-based approach with 4 core phases

SANS: 6 Phases

NIST SP 800-61: 4 Phases

Real-Time Documentation

Documentation begins in the identification phase – not in hindsight. The "logbook principle" prevents cognitive bias and data loss. Consolidation into the post-mortem occurs later.

Severity Rating  

Subjective assessments ("The attack felt severe") are useless. Objective evaluation is based on:

Rating SystemFocusApplication
NCISS (CISA)Functional impact, information loss, recovery effortGeneral incident evaluation
DDoS Resiliency Score7 levels from simple floods to multi-vector attacksSpecific to DDoS
CVSSTechnical severity of vulnerabilitiesCVE rating

Blameless Post-Mortems  

Modern incident response does not look for scapegoats, but rather systemic failures. Instead of "Admin X forgot to apply the patch", the report asks: "Why did the process allow an unpatched system to remain in production?"

Methods such as the 5 Whys or Fishbone diagrams in RCA support this philosophy.

Master Template  

The template is modular: A core module for every incident, supplemented by specialised modules for DDoS or TYPO3.

Module A: Metadata  

This section serves as a quick orientation for C-level executives and external stakeholders – concise and free of technical jargon.

FieldExamplePurpose
Incident-IDINC-2026-0142Unique reference
Erkennungszeitpunkt2026-01-21T14:32:00ZStart of the timeline
SeverityHigh (NCISS 7.2)Prioritisation
StatusContained / Eradicated / ClosedCurrent status
Lead AnalystM. SchneiderResponsibility

Executive Summary (max. 200 words):

The narrative follows the Situation → Complication → Resolution schema:

"On 23 October 2026, our monitoring systems registered a massive surge in traffic to the primary web servers. Analysis confirmed a targeted DDoS attack, which briefly led to performance degradation. In parallel, attempted attacks exploiting a vulnerability in the TYPO3 backend were detected. By rerouting the traffic to a specialised filtering provider and immediately deploying security updates, normal operations were restored within 45 minutes. No personal data was stolen."

Module B: Timeline  

The timeline is the heart of forensic reconstruction – precise timestamps detailing actions and system reactions.

Anomaly Detection

Monitoring registers 400% traffic surge to the load balancer

Security team alerted

Automated notification sent to the on-call analyst

Classification

Confirmation: Combined DDoS attack (network and application layer)

Countermeasures activated

Traffic rerouting to a specialised filtering provider initiated

Normal operations

All systems back under normal load

Module C: Technical Analysis  

Here you gather facts for further analysis and system hardening.

Attack Vectors (TTPs): Description via the MITRE ATT&CK Framework – a public knowledge base of adversary tactics

Example: MITRE ATT&CK Mapping
T1498 - Network Denial of Service
└── T1498.001 - Direct Network Flood
└── T1498.002 - Reflection Amplification

T1190 - Exploit Public-Facing Application
└── TYPO3 Deserialization (CVE-2026-004)

IoCs:

DDoS Post-Mortem  

DDoS attacks leave no files on hard drives – the analysis relies exclusively on log data from network devices and filtering providers.

DDoS Metrics  

Different metrics reveal different vulnerabilities. An attack with low bandwidth but an extremely high packet rate can be more devastating than a pure data flood attack.

MetricUnitTargeted Bottleneck
Peak BandwidthGbps / TbpsUplink capacity
Packets per SecondMppsFirewall State Tables
Requests per SecondRPSApplication Layer
Unique Source IPsAnzahlBotnet size (if not spoofed)
Attack DurationMinuten/StundenResource exhaustion
Spotting Diversionary Tactics

Check whether the massive data attack served as a diversion while a stealth attack (e.g., Slowloris) was simultaneously targeting the application.

Impact Assessment  

The severity is evaluated across three dimensions:

Operational Impact

  • Loss of availability (total outage vs. slowdown)
  • Collateral damage on shared infrastructure
  • Affected services (API, VPN, email)

Financial Impact

  • Costs for traffic filtering (excess usage)
  • Lost revenue (for e-commerce)
  • Personnel costs for incident handling

Reputational Impact

  • Public perception (social media)
  • Loss of trust among B2B partners
  • Media coverage

DRS: Evaluation of attack complexity on a scale of 1-7:

Level 4: Sophisticated (Multi-vector, up to 5 Gbps)57%
Level 6: Advanced (State-Sponsored, HTTPS Floods)86%
Level 7: Extreme (Hyper-volumetric, Zero-Day)100%

Automated CVE Correlation  

What is a CVE?

CVE (Common Vulnerabilities and Exposures) is a standardised system for identifying security vulnerabilities. Each known vulnerability is assigned a unique identifier (e.g., CVE-2024-1234), which is used consistently worldwide – by security researchers, vendors, and IT teams.

Amplification Attacks: When Servers Become Amplifiers

In amplification attacks (also known as reflection attacks), attackers abuse third-party servers to act as amplifiers. The mechanism:

  1. A small request is sent to a vulnerable server – with a spoofed sender address (the victim's IP).
  2. The server responds to the apparent sender with a significantly larger volume of data.
  3. The victim is flooded with responses they never requested.

The Amplification Factor describes the amplification ratio: some protocols multiply the traffic by 500 times or more. With 100 Mbps of bandwidth, an attack exceeding 50 Gbps can be generated.

Relevance of CVE Correlation:

  1. Self-assessment: Are vulnerable services active within your own infrastructure? Are your own systems potentially acting as reflectors?
  2. Threat Intelligence: Which known vulnerabilities are currently being exploited globally – and is there a need for action?
Protocol/PortCVEAmplification FactorDescription
NTP (123/UDP)CVE-2013-5211556xMonlist command
Memcached (11211/UDP)CVE-2018-100011551.000xUDP-Reflection
SLP (427/UDP)CVE-2023-295522.200xService Location Protocol
DNS (53/UDP)Multiple28-54xOpen Resolver
SSDP (1900/UDP)Multiple30xUPnP Discovery
Integration into the Report

Example Entry: 'Traffic analysis shows that 40% of the UDP flood originated from source port 427. Deep Packet Inspection confirmed payloads typical for CVE-2023-29552. This points to a botnet utilising unpatched VMware ESXi instances as reflectors.'

TYPO3 Forensics  

With TYPO3 as an enterprise CMS, making a precise distinction is vital: vulnerabilities in the TYPO3 Core (responsibility: TYPO3 GmbH/Association) versus vulnerabilities in extensions (responsibility: agency/developers). This distinction dictates reporting channels and responsibilities.

System Inventory  

Before beginning the analysis, document the exact state of the system.

AspectTo DocumentSecurity Relevance
TYPO3 VersionExact version incl. patch levelLTS vs. Sprint? ELTS available?
InstallationComposer vs. Legacy (Non-Composer)Composer enables auditing
PHP EnvironmentVersion, Extensions, disable_functionsDangerous functions active?
ExtensionsList of all loaded extensions + versionsFlag abandoned extensions
ServerOS, Webserver, PHP-HandlerKnown vulnerabilities?
Note on ELTS

TYPO3 v11 and older no longer receive security patches without an ELTS contract.

Vulnerability Classes  

Forensic Checklist  

In the event of a suspected compromise (defacement, spamming, unexplained admin logins):

Log Analysis: var/log/typo3_*.log – search for unusual backend logins, IP addresses
User Accounts: Check be_users and fe_users for unknown entries
File System: find fileadmin/ -name "*.php" -mtime -7 – PHP files in upload folders
Core Integrity: Compare checksums against official releases
Scheduler Tasks: Check tx_scheduler_task for suspicious entries
Extension Audit: composer audit or manual comparison with security bulletins
TypoScript: Check sys_template for injected JavaScript snippets

TYPO3 Security Team  

Reporting vulnerabilities to the TYPO3 Security Team follows strict rules. The team operates on the principle of responsible disclosure.

Due Diligence in Security Reporting

Reporting to the Security Team requires thorough preparatory work. Ensure that the suspected vulnerability is reproducibly documented and does not stem from a misconfiguration in your own environment. Poorly researched reports tie up valuable resources from the volunteer team and delay the processing of genuine security issues.

Preparatory Measures  

Before Reporting

  • Do not discuss publicly – no posts in Slack, StackOverflow, or forums
  • Verification – is the flaw reproducible in a currently supported version?
  • Communicate securely – emails must be PGP-encrypted

Encryption Data

PGP ensures that only the Security Team can read the report:

Email Template  

This template meets the requirements of the TYPO3 Security Team:

security@typo3.org – PGP Signed/Encrypted
Subject: Suspected Vulnerability in [Extension/Core] - [Short Description]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear TYPO3 Security Team,

I am writing to report a suspected security vulnerability in accordance 
with your coordinated disclosure policy.

1. VULNERABILITY METADATA
-------------------------
Project:              [Extension Key or "TYPO3 Core"]
Affected Versions:    [e.g., 11.5.0 - 11.5.24]
Tested Version:       [Your test environment]

After Reporting  

Confirmation

The Security Team confirms receipt of the report.

Evaluation

The team reviews the report and contacts the extension author if necessary.

Fixing

A patch is developed and tested in a private repository.

Advisory

Security Bulletin (e.g., TYPO3-CORE-SA-2026-001) + patched version are released simultaneously.
Observe the Embargo

Strict silence must be maintained between reporting and publication. Any premature discussion enables zero-day attacks and endangers all TYPO3 installations worldwide.

Conclusion  

A Security Incident Report combines technical excellence with communicative clarity. The template presented here integrates global standards (NIST/SANS) with the specific requirements of DDoS attacks and the TYPO3 security architecture.

DDoS + CVE Mapping

Traffic data is transformed into actionable threat intelligence. Which global vulnerabilities are being weaponised against us?

TYPO3 Forensics

Standardised reporting channels and forensic depth build trust and strengthen the open-source community.

Faster Response

Consistent application of these templates minimises the recovery time and legal risks.

Security is not a state, but a process – and this report is the protocol of that process.

Using as an AI Skill  

The methodology of this article is available as a machine-readable skill for AI assistants. With it, Claude, ChatGPT, or other LLMs can generate structured incident reports according to NIST/SANS standards.

webconsulting-skills Repository

The skill is part of our open-source collection for AI-supported IT workflows: github.com/dirnbauer/webconsulting-skills

Example Prompts for the AI Assistant:

Back to the list

Let's talk about your project

Get in touch

Locations

  • Mattersburg
    Johann Nepomuk Bergerstraße 7/2/14
    7210 Mattersburg, Austria
  • Vienna
    Ungargasse 64-66/3/404
    1030 Wien, Austria

Parts of this content were created with the assistance of AI.