Management Procedure

Procedura Approvata dal CTS GARR il 17/6/2020
sostituisce Procedura gestione incidenti 23-01-2007

Here you will find the GARR-CERT procedure for the management of security incidents involving GARR




Contacts for security incidents
Each organisation connected to GARR network must appoint a local technical contact point, the APM (Access Port Manager). The APM manages the connection with GARR network and is technical liaison between the organisation and GARR also for the management of security incidents. The APM definition is available on the GARR institutional website.

Communication between GARR-CERT and involved organisations are usually performed via digitally signed e-mails

Protection from distributed external attacks
Since October 2019, GARR network is equipped with an automatic system for the mitigation of some types of external attacks, which are distributed and aimed at creating disservices (DDoS - Distributed Denial of Service). This system is based on Corero|Juniper technology. When some indicators exceed the threshold values, the network devices react and selectively eliminate the traffic corresponding to this type of attack by applying temporary filters, thus allowing the individual nodes to maintain normal network functionality. The procedure is automatic, without any user intervention. The indicators to be used and the respective threshold values ​​are configured by GARR-NOC.

In some special cases, incident management involves filtering one or more network addresses on routers managed by GARR. We would like to emphasize that the application of these filters is always intended to protect and safeguard the functionality of the network and the connectivity services available to users of the GARR network. In the most evident case in which GARR IPs are the direct or indirect targets of an external attacke, the request for intervation of filtering by CERT/NOC often comes from users (APMs) themselves, asking to recover access to their devices and possibly intervene on their configurations in order to mitigate the problem also at the local level. In the event that GARR IPs are clearly the source of illicit traffic and there is no response from the APM in the expected times, the IPs involved are filtered by GARR (with the criteria described in the security incident management procedure), in order to protect its users and prevent any possible legal consequences. Three months after the filtering, in the absence of a response from the APM, GARR will proceed to inform the APA and the GARR Delegate of the competent Authority (escalation).




The procedure consists in the following steps:

  1. When a security issue occurs to an organisation connected to GARR network, GARR-CERT evaluates the opening of a security incident and decides: its priority, the resolution procedures and the communications with the subjects involved.
  2. GARR-CERT assigns an unique ID number to the incident (Ticket ID).
    • In the event that a GARR entity or user is the victim of the illegal event, go to point 3.
    • In the event that the the illegal event originates from GARR entity or user, go to point 4.
    • In the event that the illegal event originates from one or more sources and is intended against multiple GARR users, go to point 8.
  3. GARR-CERT informs the APM and the appropriate contacts for the system originating the abuse origin. In cases of particular gravity and urgency, GARR-CERT assesses whether it to apply a temporary filter (through GARR-NOC) in order to mitigate the attack, when not already applied by the automatic DoS mitigation system.
    • If the abuse ends and the reference contact for the system originating it does not respond, go to point 6.
    • If the contact for the system that originated the abuse responds, go to point 7.
    • The incident is closed on its own after the abuse ends.
  4. GARR-CERT asks the APM to resolve the incident within a time commensurate with the seriousness of the case (below, some examples of issue resolution times). Whenever possible, GARR-CERT also provides useful tips, if necessary. If deemed appropriate, GARR-CERT also responds to those who reported the accident.
  5. GARR-CERT proceeds in one of the following ways, depending on the seriousness of the case:
  6. GARR-CERT does not receive any communication: the incident is automatically closed.
  7. GARR-CERT receives the communication of the issue resolution and, when technically possible, verifies the actions taken before closing the incident and alerting all parties involved. If a filter has been applied by GARR-NOC, GARR-CERT requests its removal and waits for confirmation before closing the incident.
  8. Having analysed the attack through the available monitoring tools, GARR-CERT and NOC coordinate to apply a filter on the GARR backbone. A notification is sent to the appropriate contacts for the network or networks originating the abuse, to the users involved (individually or though the APM mailing list) and eventually the news is published following the communication channels of GARR [web, social]. The closure of the incident and the removal of the filters on the backbone are subject to verification of the end of the attack.

Types of incidents currently treated (with indication of the incident response time)
Depending on the type, below are listed the expected time required for the APM to resolve the incident starting from the notification. In case the APM needs more time to resolve the incident, it is necessary to make an explicit request to GARR-CERT.


Even outside the NOC and CERT operating hours, In the event of an incident which significantly impacts user connectivity, such as a distributed SYNFlood, the managers of GARR-NOC and CERT decide how to:

Other cases that expose users to serious security problems, for example in the case of ongoing data breaches involving particular data, can also be treated as a precaution as in the previous point (a).

Regulatory references

The updating of GARR Security Incident Management Procedure is due, in addition to the evolution of the types of threats to the network and user systems, also to the evolution of the regulations in force in Italy related to cybercrime.
Before the recent directives contained in the Minimum Security Measures for the Public Administration (AgID, 26/4/2016 - and transposition in Italy of the European Regulation for the Protection of Personal Data (Legislative Decree 101/2018 -, cybercrime appears for the first time in Italy with Law 547 of 1993, which introduces changes and additions to the Criminal Code and the Criminal Procedure Code regarding cybercrime.

These are, to date, the cybercrimes punished by the Italian Penal Code (Courtesy Translation):