CSIRT Description for DFN-CERT
1. Document Information
This document contains a description of DFN-CERT according to RFC 2350. It provides information about the CERT, how to contact the team, and describes its responsibilities and the services offered by DFN-CERT.
1.1 Date of Last Update
This version was published at 2016-03-31.
1.2 Distribution List for Notifications
1.3 Locations where this Document May Be Found
The current version of this document can be found at:
1.4 Document Authenticity
This document can be retrieved from our webserver using TLS/SSL.
2. Contact Information
This section describes how to contact DFN-CERT.
2.1 Name of the Team
DFN-CERT Services GmbH
Incident Response Team
2.3 Time Zone
Central European Time or Central European Summer Time,
2.4 Telephone Number
+49 40/808 077-590
2.5 Facsimile Number
+49 40/808 077-556
2.6 Other Telecommunication
2.7 Electronic Mail Address
2.8 Public Keys and Encryption Information
Our X.509 certificate may be obtained at:
Our current PGP-Key may be obtained at:
2.9 Team Members
Team lead is Christine Kahl. A list of most team members can be found at:
2.10 Other Information
General information about DFN-CERT may be found at:
The DFN-CERT Portal is available at:
2.11 Points of Customer Contact
DFN-CERT prefers to receive incident reports via e-mail. Please use our cryptographic keys above to ensure integrity and confidentiality.
We welcome automatic transfer of bulk data based on established international standards and formats. To negotiate a compatible working solution please contact the team directly before sending data automatically. This will help us to avoid any problems or issues in our tool chain, and ensures, that the data can be used in the best way possible.
2.12 Business Hours
DFN-CERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Thursday, 09:00-16:00 on Friday) except public holidays.
2.13 Emergency Procedure
Team is not reachable outside business hours. Answering machine collects calls outside business hours.
Within this section our mandate is described.
3.1 Mission Statement
DFN-CERT's mission is to coordinate and investigate security incident response for IT-security problems at the level of the German Research Network (DFN).
Our constituency constists of the institutions that are connected to the Internet via the DFN.
DFN-CERT is responible for the following autonomous systems:
288, 553, 680, 1275, 1754, 2857, 5501, 8365, 12643, 12816, 13040, 16108, 20588, 20633, 28714, 29461, 29484, 34520, 34878, 35246, 35739, 38914, 41289, 41969, 42873, 43066, 47610.
3.3 Sponsorship and/or Affiliation
DFN-CERT is the Computer Security Incident Response Team (CSIRT) for the German National Research and Educational Network (Deutsches Forschungsnetz).
Funding is provided by the DFN association (Verein zur Förderung eines Deutschen Forschungsnetzes - DFN-Verein).
DFN-CERT is a founding member of the German CERT alliance (CERT-Verbund), it is an accredited and certified TI (Trusted Introducer) team, and DFN-CERT is a full member of FIRST (Forum of Incident Response and Security Teams).
We coordinate security incidents on behalf of our constituency and at our constituents request.
This section describes our policies.
4.1 Types of Incidents and Level of Support
DFN-CERT addresses all kinds of security incidents which occur, or threaten to occur, within its constituency.
The level of support depends on the type and severity of the given security incident, the amount of affected institutions within our constituency, and our resources at the time.
We expect end users to contact their local systems or network administrators or their computer center.
4.2 Co-operation, Interaction and Disclosure of Information
DFN-CERT will exchange all necessary information with other CSIRTs as well as with other affected parties if they are involved in the incident or incident response process.
All information concerning one or more incidents passed on to other incident response teams, which include details about persons, organizations, IP-addresses, domain-names as well as other information revealing the identity of persons or organizations is anonymized unless explicitly stated otherwise by the persons or organizations in question. No information at all about any incident or vulnerability is given to other persons. German law enforcement personnel requesting information in the course of a criminal investigation is given the requested information within the limits of the court order and the criminal investigation, if they present a valid court order from a German court.
4.3 Communication and Authentication
All e-mail postings containing official statements on behalf of the team or team members should be signed using X.509 or PGP. All e-mail containing confidential information should be encrypted and signed using X.509 or PGP. Information received in encrypted form should not be stored permanently in unencrypted form.
For sensitive information we prefer to use encrypted e-mail. For other communication phone, facsimile, postal service, or unencrypted e-mail may be used.
DFN-CERT supports the Information Sharing Traffic Light Protocol.
4.4 Reaction Time
Usually our first response is timely at the same working day, if not we will respond the following working day.
Our contact information, the business hours and emergency procedure can be found in chapter 2.
This section describes the services DFN-CERT offers.
5.1 Incident Response
DFN-CERT coordinates all activities related to incident response within its constituency. We provide support, help, and advice with respect to the following aspects of incident management:
5.1.1. Incident Triage
- Check if the incident or the incident report is authentic. - Determine which constituents are affected by the incident.
5.1.2. Incident Coordination
- Investigate the initial cause of the incident.
- Contact other affected sites, if necessary.
- Composing announcements to users, if applicable.
- Notify other CSIRTs, if appropriate.
- Maintain current database of sites, networks, domains, and security contacts.
5.1.3. Incident Resolution
- Assure that security incidents are handled properly by the affected organisations.
- Ask for feedback.
- If necessary propose appropriate steps within the the backbone network.
5.2 Proactive Activities
- Advisory service
- Maintain a database of networks, sites and security contacts
- Mailing lists for security information
- Regular tutorials on security topics
- Network scans
- Early warning system
- Regular talks on security topics
5.3 Reactive Activities
- Automated warning service for all sites within the constituency to distribute bulk alerts from various sources.
- Honeypot systems
- Darknet monitoring
6. Incident Reporting Forms
We do not have an incident reporting form. Please report security incidents via encrypted e-mail to firstname.lastname@example.org.
Incident reports should contain the following information:
- Incident date and time (including time zone)
- Source IPs, ports, and protocols
- Destination IPs, ports, and protocols
Preferable the report includes a log file in a common format.
This document is provided 'as is' without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
Use of this document is at the user's sole risk. All users expressly agree to this condition of use.
If you notice any mistakes within this document please send a message to us by e-mail. We will try to resolve such issues as soon as possible.