Reference Guide

The document provides an introduction to Arbor Edge Defense (AED), focusing on its role in mitigating DDoS attacks. It outlines the characteristics and deployment options of AED, including its hardware and software configurations, as well as the various modes of operation. Additionally, it discusses the licensing and management of AED systems, emphasizing their importance in protecting servers from potential threats.


REV2.

Product Introduction

Arbor Edge Defense

COPYRIGHT © 2024 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY
In this module you will...


• Understand the threat of DDoS attacks

• Learn about the characteristics and features of AED

• Compare the deployment options of an AED to monitor and defend servers


DDoS Characteristics & AED

AED Product Introduction


The challenge: DDoS

How services are impacted by potential threats via internet access

[Diagram: attack traffic and good traffic arrive from ISP 1, ISP 2 … ISP ‘n’ and pass through the firewall, IPS and load balancer to the target applications and services in the data center. Saturation occurs at the ISP links and at each device in the path.]

Who’s behind it?

• Organized Crime – ransom, blackmail, extortion, etc.
• Hacktivists – politics, ideology, religion, etc.
• Gamers – to win, as revenge for losing, etc.
• Students – canceling exams, manipulating registration, etc.
• Booter / Stresser Services – demonstrations of DDoS capability

DDoS attacks can be complex…


• DDoS attacks are often multi-vector attacks
• DDoS attack vectors often change during the attack

DDoS is easy to perform…

‘DDoS For Hire’ services are common and affordable


NETSCOUT’s solution

ARBOR Edge Defense (AED) at the network edge… the first device on the customer side.

[Diagram: attack traffic and good traffic from ISP 1, ISP 2 … ISP ‘n’ reach the AED before the firewall, IPS and load balancer that protect the target applications and services in the data center.]

Overview Of AED Appliances

AED Product Introduction

NETSCOUT - Arbor Edge Defense Appliance

Control Plane vs Forwarding Plane

[Diagram: MGT (GUI) on the control plane; EXT and INT protection interfaces on the forwarding plane of the NETSCOUT AED]

Control Plane – Management Interface(s)
• Access via HTTPS or SSH
• SNMP management
• Cloud Signaling
• AIF Feed updates

Forwarding Plane – Protection Interfaces
• Forwards protected traffic
• Operates at Layer 1 (Layer 3 @ vAED only)
• Non-IP pass-through: STP, LACP, …
• Supports 802.1q VLANs transparently
• No support for packets with MPLS labels

Hardware NIC Bypass Option

[Diagram: the path between EXT0 and INT0 in four states]
☞ AED powered-off & no hardware bypass (no connectivity)
☞ AED powered-off & hardware bypass running (NIC HW Bypass)
☞ AED powered-on & AED software stopped (SW Bypass)
☞ AED powered-on & AED software running (traffic forwarded through the AED)

• Hardware bypass ensures network connectivity is continued even when the AED is powered off (enabled by default)
• Software and hardware bypass can be disabled via the CLI

Hardware NIC Bypass (cont.)

Hardware & software bypass CLI commands (* = default):

  Hardware Bypass
  / services aed bypass show                        View configuration of hardware & software bypass
  / services aed bypass fail open*|closed           Configures how protection interfaces will fail: open = bypass, closed = disconnect
  / services aed bypass force open|closed           Manually & immediately force the protection interfaces into bypass
  / services aed bypass disable                     Manually disables all hardware bypass features

  Software Bypass
  / services aed bypass software disable|enable*    Enable or disable software bypass

Identify Interface Pairs


Fixed Interface Pairing: EXT0|INT0, EXT1|INT1, EXT2|INT2, EXT3|INT3, …

[Diagram: NETSCOUT AED with protection interfaces ext0/int0 … ext5/int5, each EXT paired with its INT]

• Interface pairs reflect interfaces brought together during bypass
• Require the same physical properties

AED-8100 Series

Throughput License: 100 Mbps to 40 Gbps
License Type: File

Protection Interfaces:
• Integrated hardware bypass
• Fixed Media NICs
  – 1 GbE copper or fiber (SX or LX)
  – 10 GbE fiber (SR or LR)
  – 40 GbE fiber (SR or LR)

Console Port:
• Location: Front Panel
• Settings: 115200/8-N-1

Management Interfaces:
• 2x 1G/10G copper ports (mgt0/mgt1)
• Not used for protection
• Management IP address assigned → HTTPS & SSH Access, SNMP, Cloud-Signaling…

AED-8100 Back Panel

AED-8100 Supported NIC Configurations

Supports max. 12 Protection Interfaces in total


AED-HD1000 Series

Throughput License: 25 to 200 Gbps


License Type: File + Number of Packet Processing Modules (PPMs, Slots 2..9)

Protection Interfaces:
• No hardware bypass, recommended to use external 3296 Inline Bypass Switch
  – 10 GbE fiber (SR or LR)
  – 100 GbE fiber (SR or LR)

Console Port:
• Location: Front Panel
• Settings: 9600/8-N-1

Management Interfaces:
• 2x GbE copper ports (mgt0/mgt1)
• Not used for protection
• Management IP address assigned → HTTPS & SSH Access, SNMP, Cloud-Signaling…

AED-HD1000 Protection Interfaces

• No integrated hardware bypass
• Interchangeable optics
• Maximum of 4x 100GbE + 8x 10GbE interfaces
  - 4x 100GbE interfaces QSFP28 (SR4 or LR4)
  - 8x 10GbE interfaces QSFP+ (SR4 or PLR4)
  ✓ Middle port on each SM = 4x 10GbE interfaces

Virtual & Hybrid-Cloud

Limitations
• No shell access
• No appliance-based licensing
• No hardware bypass

vAED supports
• Software bypass for inline mode; enabled by default
• 2 Management Interfaces (mgt0/mgt1)
• 2 Protection Interfaces (ext0/int0)

VMware

• vAED on VMware
  - VMware vSphere Hypervisor, version 5.5 or later
  - VMware vSphere Client, version 5.5 or later
• vAED Host Requirements
  Low End:  2 or 4 cores, 100 GB disk space, 6 GB RAM, supports up to 10 Protection Groups
  High End: 4 cores, 100 GB disk space, 12 GB RAM, supports up to 50 Protection Groups
• vAED recommendation
  – Deploy the available OVA file from the Software Download Center for AED

VMware Specifics

• Interfaces
  – Map all interfaces to different virtual switches, according to your topology

    Source Network   Interface   Description
    virtual_mgt0     mgt0        Management Interface
    virtual_mgt1     mgt1        Management Interface
    virtual_ext0     ext0        External Interface
    virtual_int0     int0        Internal Interface

  – All protection interfaces need to be configured for promiscuous mode
• Deployment
  – By default, the vAED will be running in Monitor Mode

KVM

• vAED on KVM
  - Requires a processor that supports hardware virtualization
  - This command should return 1 or greater: egrep -c '(vmx|svm)' /proc/cpuinfo
• vAED Host Requirements
  Low End:  2 or 4 cores, 100 GB disk space, 6 GB RAM, supports up to 10 Protection Groups
  High End: 4 cores, 100 GB disk space, 12 GB RAM, supports up to 50 Protection Groups
• vAED recommendation
  – Deploy the available qcow2 file from the Software Download Center for AED

KVM Specifics

• Interfaces
  – Map all interfaces to 4 different network bridges, according to your topology

    Source Network   Physical Interface   vAED Interface   Description
    vmbr0            eth0                 mgt0             Management Interface
    vmbr1            eth1                 mgt1             Management Interface
    vmbr2            eth2                 ext0             External Port
    vmbr3            eth3                 int0             Internal Port

  – Source network interfaces are mapped to physical interfaces by editing the /etc/network/interfaces file and restarting network services
  – An example of creating a KVM Virtual Machine can be found in the notes of this page
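The two host-side steps of the KVM preparation above (the hardware-virtualization check and the bridge mapping) in Python, as an added example that is not code from NETSCOUT or the course. The /proc/cpuinfo text is constructed sample data; the Debian ifupdown/bridge-utils stanza syntax is an assumption about the KVM host's operating system.

```python
import sys
from typing import Dict, Tuple

# Constructed sample of /proc/cpuinfo: two logical CPUs advertising the Intel VT-x "vmx" flag.
SAMPLE_CPUINFO_VMX = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat "
    "pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx ssse3 sse4_1 sse4_2\n"
    "processor\t: 1\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat "
    "pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx ssse3 sse4_1 sse4_2\n"
)

# Constructed sample with no hardware-virtualization flag at all.
SAMPLE_CPUINFO_NOVIRT = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat sse sse2\n"
)

HW_VIRT_FLAGS = {"vmx", "svm"}   # Intel VT-x / AMD-V


def count_hw_virt_cpus(cpuinfo_text: str) -> int:
    """Count logical CPUs whose 'flags' line advertises vmx or svm.

    Same intent as the slide's `egrep -c '(vmx|svm)' /proc/cpuinfo` (one hit per
    logical CPU), but it matches whole flag tokens, so a flag such as svm_lock
    on its own would not be mistaken for svm.
    """
    hits = 0
    for line in cpuinfo_text.splitlines():
        if not line.startswith("flags"):
            continue
        _, _, value = line.partition(":")
        if HW_VIRT_FLAGS & set(value.split()):
            hits += 1
    return hits


# Bridge -> (physical NIC, vAED interface, description), taken from the slide's table.
BRIDGE_MAP: Dict[str, Tuple[str, str, str]] = {
    "vmbr0": ("eth0", "mgt0", "Management Interface"),
    "vmbr1": ("eth1", "mgt1", "Management Interface"),
    "vmbr2": ("eth2", "ext0", "External Port"),
    "vmbr3": ("eth3", "int0", "Internal Port"),
}


def render_interfaces_stanzas(bridge_map: Dict[str, Tuple[str, str, str]]) -> str:
    """Render /etc/network/interfaces stanzas attaching each NIC to its bridge.

    Assumes Debian ifupdown with bridge-utils. Every bridge is left as 'inet manual'
    (no host IP on it), STP is off and the forwarding delay is 0, so frames pass as
    soon as the bridge comes up. Keeping the protection bridges (vmbr2/vmbr3) free
    of a host address means the host has no layer-3 presence on the protected path.
    """
    lines = []
    for bridge, (nic, vaed_if, desc) in bridge_map.items():
        lines += [
            f"# {bridge}: {nic} -> vAED {vaed_if} ({desc})",
            f"auto {nic}",
            f"iface {nic} inet manual",
            f"auto {bridge}",
            f"iface {bridge} inet manual",
            f"    bridge_ports {nic}",
            "    bridge_stp off",
            "    bridge_fd 0",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Read the real file on a Linux host; fall back to the constructed sample elsewhere.
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO_VMX
    n = count_hw_virt_cpus(text)
    print(f"logical CPUs with vmx/svm: {n}")
    if n < 1:
        sys.exit("hardware virtualization not advertised; vAED on KVM requires it")
    print(render_interfaces_stanzas(BRIDGE_MAP))
```

The rendered stanzas are a starting point: on a real host the two management bridges usually also carry the host's own address (inet static), while the protection bridges should stay without one.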


Virtual AED Licensing

Cloud Based Licensing
• Enables horizontal deployment of AED across multiple customers, remote offices, etc.
• Leverage bulk purchase of Total Mitigation License Pool and deployed in 100 Mbps chunks or more

[Diagram: a Cloud License Server holding a 10 Gbps license pool serves three vAEDs (100M, 1G and 500M licenses) at Customer Site A, Customer Site B and the Customer Data Center]

AED Deployment Supported Models

AED Product Introduction


Monitor Mode

AED is deployed out-of-line

[Diagram: AED / vAED with ext# attached to a span/tap in front of the security stack; int# is unconnected]
• ext# connected to span/tap – receives traffic only for visibility and reporting
• int# is not connected – no traffic received or transmitted

Monitoring only
• Ideal for trials, proofs of concept and testing
• Interim solution to complete configuration and validation prior to final inline installation activity
• No DDOS defense possible

Inline-Bridged

AED is deployed in path

[Diagram: AED / vAED inline between the internet uplink (malicious and good traffic on ext#) and the security stack (int#)]
• OSI Model – operates at layer 1
• ext# connected to the internet uplink
• int# connected to the local security posture like the firewall

Monitoring and DDOS Defense
• First Line of Defense – External Threats (forwards traffic matching protection settings)
• Last Line of Defense – Detect and block outbound communication from compromised hosts and stop further proliferation of malware or data breach

Inline-Routed Mode

AED is deployed in path

[Diagram: vAED inline between the internet uplink (malicious and good traffic on ext#) and the security stack (int#)]
• OSI Model – operates at layer 3
• ext# connected to the internet uplink
• int# connected to the local security posture like the firewall

Monitoring and DDOS Defense
• First Line of Defense – External Threats (forwards traffic if it has a valid route)
• Last Line of Defense – Detect and block outbound communication from compromised hosts and stop further proliferation of malware or data breach

Summary
• Threats caused by DDoS attacks

• AED characteristics and features

• AED deployment options to monitor and defend servers

AED UI System Operation

Arbor Edge Defense

In this module you will...


• Understand the structure and features of the AED GUI

• Complete the initial configuration of an AED and update general system settings

• Understand the AED licensing and license verification

• Discover the ATLAS Intelligence Feed for AED

• See alternative options for managing AEDs from external sources

AED UI Configuration

AED UI System Operation

Accessing the GUI

• You must use HTTPS for a secure connection
  – Access via an IPv4 or IPv6 address
  – Access is controlled by IP access lists
  – AED uses a self-signed certificate by default
    • Can be updated with a custom certificate
• You complete the AED configuration in AED UI. For information about configuring the AED settings, see the AED User Guide

Menu and Status Bar

[Screenshot of the AED menu and status bar, annotated: a fixed page with no submenus; protection monitoring and configuration; advanced tools for analysis of blocked hosts and captured packets; configure and view on-demand ATLAS global DDoS reports; system configuration and maintenance]

System Information and Online Help

• Navigate the UI menus and pages
  – The menus available depend on the assigned user privileges
• Click Help for a new window that contains information about the page that you are viewing
• Time defaults to the system time zone
  – Users can update their account to reflect their own time zone

Export Information

• Save current page in several formats
  – CSV export
  – PDF document
• Email the current page as a PDF file

Deployment Modes

• Shows the Deployment Mode the AED is running in
• Can only be changed in the CLI and requires AED services to be stopped

Protection Group Mode

Only in Inline Modes (System Wide change)

• Active = analyzes traffic, detects attacks and mitigates attacks
• Inactive = analyzes traffic and detects attacks, BUT does NOT mitigate attacks
  – Note: AED will still report blocked traffic, but traffic is NOT actually blocked
  – Does NOT perform DNS Authentication and Spoofed SYN Flood Prevention protections
  – Use this mode to initially set your policies for attack detection and mitigation

Protection Level

Only administrators can change it (system wide change)

• Protection Level
  – Low = Normal Time
  – Medium = Uncertain Time (unexpected changes in traffic)
  – High = Attack Condition (services are affected)
• Change Protection Level
  – Enable/disable protections, use more restrictive default values when increasing the Protection Level
  – Can be overwritten on a per Protection Group basis

Global Configuration
Administration > General

• Services interacting with AED
  – NTP
  – DNS
  – SMTP
  – SNMP
  – Arbor Enterprise Manager
• General settings
  – Language
  – System Time Zone
  – Data Retention
  – Pre-Login Banner
  – Top Sources and Destinations
  – UI Idle Timeout

Language, Time Zone, etc.


Administration > General

Language - GUI language: English (default), French, Japanese, Korean, Russian and Chinese
System Time Zone - System-wide time zone
Date Format - Select the format to display dates: Language default, mm/dd/yy, dd/mm/yy or yy/mm/dd
Hour Format - Select the display format for the time
NTP Server - Specify up to two NTP servers (IP or FQDN), separated by comma

SMTP Relay
Administration > General

IP address or hostname and port required
• If necessary, enter the username and password to access the SMTP server
From Address - Valid sender email address
• If not specified, AED uses report_runner@hostname
Enable Secure SMTP - Check the box for AED to send emails using SMTPS
• Upload SSL and CA certificates for client authentication
• By default, AED uses the SSL certificate that it uses for HTTPS authentication

Data Retention
Administration > General

• Data stored up to one year, or until system nears capacity
  – Deletes the oldest data first
• Data retention deletes data that contains IP addresses after the specified number of days
• Delete data older than is the number of days to retain the data before AED deletes it - range is 7 to 1000

SNMP Device Management


Administration > General

Read-Only SNMP polling by a third-party SNMP monitoring system
• SNMP agent runs only when AED services run → AED services stopped = SNMP is not available
• Requires an IP access rule
• Download the MIB files to decode SNMP traps (Administration > Files)

DNS Configuration
Administration > General

DNS - Servers provide domain name service mappings from IP addresses to hostnames
• Multiple DNS servers:
  – AED uses the first IP address as the primary DNS server
  – If the primary DNS server fails, AED tries the subsequent addresses as backup

Default URL Hostname – Supply a hostname or domain name as the Default URL Hostname
• URL appears as a link in any report that AED sends via email

Link State Propagation


Administration > Interfaces

• AED mirrors the link status between the interfaces of a protection port pair in inline mode
• Improves failover detection if only one link from an interface pair fails (enabled by default)

Interface Down – AED waits after one interface in a pair goes down before it disconnects the other interface
Interface Up – AED waits after the original down interface reconnects before it restores the other interface

Interface Names
Administration > Interfaces

Update the default interface names (int/ext) to ease daily operation

Licensed Capabilities for Your AED

AED UI System Operation


AED License Alerting

AED licenses define the capabilities of the system
• Throughput Limit - enforced on the clean traffic that AED forwards (rx from all interfaces)
• Advanced ATLAS Intelligence Feed (AIF) subscription (required)

A valid license is required to inspect and mitigate traffic

AED License Types

Local Flexible License
• Email message contains instructions to download the license file from the license portal
• The license file covers the licensing for both the throughput limit and AIF
• Used by:
  – AED-HD1000
  – AED-8100

Cloud Flexible License
• Email message contains your cloud-based license server ID
• Configure ID to access cloud-based license server and request a throughput limit and AIF from the pool
• Used by:
  – vAED
Cloud Flexible License


Administration > Licenses

Cloud-Based License Server ID – Unique ID for cloud-based flexible licensing (vAED only)
• License is managed by a cloud-based license server
Use Proxy Server – Settings to connect to the public cloud-based license server if required
• Proxy Username & Password
• Proxy Method: Automatic, Basic, Digest, or NTLM

License Management

1. The Server ID is configured
2. Request a Throughput Limit for AED
   • Throughput Limit is the amount of clean traffic that vAED is licensed to forward
   • Clean traffic refers to traffic that is not dropped by a protection setting
3. Request advanced AIF license from the server

License Management (cont.)

4. Validate licensed capabilities
   • Black line indicates licensed throughput
   • Blue graph indicates amount of clean traffic forwarded over the previous week
5. License validity
   • If communication is lost for a period of 10 days, local licenses will expire and AED will no longer inspect traffic
6. License alerts
   • Traffic is at 90% of the Throughput Limit
   • License expiry is within 30 days

Current Throughput Limit, AIF Level and Expirations will be displayed once a valid licensing request has been completed

About the ATLAS Intelligence Feed (AIF)

AED UI System Operation

ATLAS Intelligence Feed (AIF)


Active Threat Level Analysis System (ATLAS®)
Arbor’s Security Engineering & Response Team (ASERT) engineers and researchers oversee ATLAS
• ATLAS is an infrastructure for continuous gathering and analyzing of network traffic and threat data
• ASERT adds the “human intelligence” to the analysis
• As new emerging threats are detected:
  – Each new threat is analyzed and categorized
  – New AIF policy is designed and tested
  – ASERT assesses the new policy and determines a risk level
• This cycle becomes an entry in the AIF database
  – Changes are delivered automatically to AEDs configured for AIF

[Diagram: ATLAS Global Collection → ATLAS AIF Database → AIF Feed to the AEDs]

AIF leverages ATLAS’s global threat intelligence to protect your network against outbound and inbound threats

AIF Indicators

The Summary Page displays up to 10 AIF threat categories for which AED blocked the most traffic during the last hour
• 5 for inbound traffic
• 5 for outbound traffic

AIF Specific Intelligence

Threat-Specific Intelligence        Identifying Technology
DDoS                                Signatures/fingerprints of attack tools; IP reputation of today’s botnets launching attacks
Command & Control Botnets           Domain & IP reputation of today’s active threats
Malware
Location-based Threats
Email Threats
Targeted Attacks
Mobile Threats

Non-Threat-Specific Intelligence    Identifying Technology
IP-Geo Location                     IP reputation/analysis
Web Crawler Identification

Configure ATLAS Intelligence Feed (AIF)


Administration > ATLAS Intelligence Feed

ATLAS Intelligence Feed - Determine how and when AED downloads updates
• Manually (Update AIF Now)
• Enable or disable the automatic AIF updates (and proxy if required)
• Opt-in to the Arbor data-sharing program
Manually Import - Download feed updates on AIF rules and reputation from My.NETSCOUT Support Portal
Web Crawlers - Specify which crawlers can crawl your web sites

AIF Version Information

• AIF Components (each is downloaded separately)
  o attack_rules - AIF botnet signatures
  o geoip_countries - IP location data
  o reputation_feed - ATLAS threat policies
  o webcrawler_whitelist - List of legitimate search engine web crawlers IPs
• Display information about the latest versions of AIF feed components via the CLI

  / services aed aif versions show
  Feed Name             Download Time   ETag (MD5 hash of the feed)        Version
  geoip_countries       1612672173      abbb1b8675c6505d480be8fad2b9d880   1612656003052
  attack_rules          1612758672      98b82128b98601f6d7acc7514e62416d   <unknown>
  webcrawler_whitelist  1612465702      0124717e64ed7e48375347f3a8aa19e0   <unknown>
  reputation_feed       1612758674      36887c1303f47418fad598d28a2cd547   1612748548

  <unknown> is displayed when there is no versioning on the feed
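A worked example, added here and not part of the course material or NETSCOUT's code: a parser for the output of `/ services aed aif versions show` that turns the epoch download times into UTC timestamps, checks that each ETag is a 32-hex MD5 digest and flags any feed that has not been refreshed within a chosen number of days, which is a quick way to confirm that automatic AIF updates are actually arriving. The sample text is the CLI output printed above; the reference time and the staleness threshold are constructed values.

```python
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Output of `/ services aed aif versions show` as printed on the slide (header line included).
SAMPLE_OUTPUT = """\
Feed Name Download Time ETag (MD5 hash of the feed) Version
geoip_countries 1612672173 abbb1b8675c6505d480be8fad2b9d880 1612656003052
attack_rules 1612758672 98b82128b98601f6d7acc7514e62416d <unknown>
webcrawler_whitelist 1612465702 0124717e64ed7e48375347f3a8aa19e0 <unknown>
reputation_feed 1612758674 36887c1303f47418fad598d28a2cd547 1612748548
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


class FeedInfo(NamedTuple):
    name: str
    download_time: int        # Unix epoch seconds, as printed by the CLI
    etag: str                 # MD5 hex digest of the downloaded feed file
    version: Optional[str]    # None when the CLI prints <unknown> (feed has no versioning)


def parse_aif_versions(text: str) -> List[FeedInfo]:
    """Parse the four-column table; the header line and anything malformed is skipped."""
    feeds: List[FeedInfo] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        name, download_time, etag, version = parts
        if not MD5_HEX.match(etag):
            raise ValueError(f"{name}: ETag {etag!r} is not a 32-hex MD5 digest")
        feeds.append(FeedInfo(name, int(download_time), etag,
                              None if version == "<unknown>" else version))
    return feeds


def download_time_utc(feed: FeedInfo) -> str:
    """Human-readable UTC download time for a feed entry."""
    dt = datetime.fromtimestamp(feed.download_time, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")


def stale_feeds(feeds: List[FeedInfo], now_epoch: int, max_age_days: int) -> List[str]:
    """Names of feeds whose last download is older than max_age_days at time now_epoch."""
    limit = max_age_days * 86400
    return [f.name for f in feeds if now_epoch - f.download_time > limit]


if __name__ == "__main__":
    feeds = parse_aif_versions(SAMPLE_OUTPUT)
    for f in feeds:
        print(f"{f.name:<22} {download_time_utc(f)}  version={f.version or '<unknown>'}")
    # Constructed reference time (2021-02-08 16:00:00 UTC) and a 3-day freshness window.
    print("stale:", stale_feeds(feeds, now_epoch=1612800000, max_age_days=3))
```

Run against live output (for example pasted from an SSH session), a non-empty stale list is the thing to alert on: a feed that stops refreshing while the others continue usually points at a proxy or connectivity problem on the management interface rather than at ASERT.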
API Management - Managing AED from External Sources

AED UI System Operation

Application Program Interface (API)


Allows customers to create or use their current custom management portal to correlate threat alerts and information across multiple devices - eliminate the need to interact with multiple UIs
• Automation of repetitive tasks across multiple AED appliances
• Enterprise: Manage a large security deployment across dispersed architecture
• Partners: Manage multiple clients utilizing current ticketing and management systems

API Automation Examples

☞ Configuration synchronization
☞ Create/manage Protection Groups and Server Types
☞ Change Protection Levels and Deployment Modes
☞ Send and manage manual Cloud Signaling alerts
☞ Allow and Deny List management
☞ Summary Traffic reporting on Protection Groups and AEDs
☞ Get Attack Category statistics per Protection Group
⚠ What cannot be done with AED API:
- Access IPv6 data
- Access Profile Capture Histogram data

API Documentation
https://aed-ip-address/api/aed/doc/v3/endpoints.html

[Screenshot: Offline-help (download from KnowledgeBase) and Online-help]

Summary
• Structures and features of the AED GUI

• Initial configuration of an AED and updating the system settings

• AED licensing

• ATLAS Intelligence Feed for AED

• AED API Management


Lab Exercise
Hands-on Exercise
1. Pickup your credentials
2. Access online labs

Pickup your Lab Credentials
❑ Go to https://cx.netscout.com
❑ Enter Your Email Address from the event registration process!
❑ Enter the provided Session Key
Lab Exercise
Hands-on Exercise: AED System Configuration (20 min.)

Objectives
• Introduction to the AED user interface
• Access the web UI and update general system settings
• Apply cloud-based licensing and verify licensing status
• Enable automatic notifications

Automatic Notifications

Arbor Edge Defense

In this module you will...

• Learn more about the importance of notifications

• View the different notification formats available on the AED

• Configure AED notifications

Automatic Notification of Relevant Events

Automatic Notifications

Automatic Notifications

Since it is often not possible to permanently monitor the AED's GUI, an automatic
forwarding of all relevant events should be configured.

AED creates alerts to inform when it detects events, conditions or errors in the
system. Notifications about these alerts should be automatically sent by the AED to
inform the appropriate channels.

✓ Bandwidth
✓ Blocked Host
✓ Change Log
✓ Cloud
✓ Deployment
✓ Protection
✓ System

Alert Types

Alert Type     Causes
Bandwidth      Protection Group traffic exceeded traffic thresholds, or traffic exceeded 90% of AED licensed throughput limit
Blocked Host   Hosts were blocked
Change Log     Change log entries are created = Audit Trail
Cloud          Specific Cloud Signaling events occurred
               • Cloud Signaling threshold exceeded
               • Communication error with Cloud Signaling server
               • …
Deployment     The deployment mode has changed
Protection     The Global or a Protection Group’s protection level has changed
System         Hardware or system component events and other events that affect the system’s health

Note: If Change Log type is selected along with Cloud, Protection, or Deployment – AED may send duplicate notifications

Notification Destinations

AED supports notification messages to pre-specified destinations via:
– Email
– SNMP-Trap
– Syslog

Email Notifications
Administration > Notifications

From Address – Type the email address that should appear as the sender, and which should identify the AED
To Address – The recipient’s email address (valid RFC 822 address)
Alert Types – Select alert type(s) to specify the events that trigger a notification to this destination

It is not recommended to select Blocked Host Alert Types to be sent via email, as it can overwhelm the inbox of the receiver

SNMP-TRAP Notifications
Administration > Notifications

Host – IP address of SNMP trap receiver
Version – SNMP version to be used, SNMPv3 requires additional settings
Community – Community string (password) to authenticate the SNMP-Trap sender
Alert Types – Select alert type(s) to specify the events that trigger a notification to this destination

SYSLOG Notifications
Administration > Notifications

Host – IP address of syslog server
Port – Default destination port is 514
Facility – Value to be used for all sent messages
Severity – Value to be used for all sent messages
Protocol – Specify the layer 4 transport protocol
Syslog Format – Format of sent syslog messages, selected by type of message receiver used: Common Event Format (CEF) or Log Event Extended Format (LEEF)
Alert Types – Select alert type(s) to specify the events that trigger a notification to this destination
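An added example, not NETSCOUT code: a receiver-side parser for CEF-formatted syslog notifications of the kind described above, for a SIEM or collector that has to turn them into fields. The sample lines are constructed; the vendor string, signature IDs and extension keys are placeholders, since the slide does not show the AED's actual CEF fields. The parser honours the escaping CEF requires (`\|` inside header fields, `\=` inside extension values), which a naive split-on-pipe approach gets wrong.

```python
import re
from typing import Any, Dict, List

# Constructed sample syslog lines carrying CEF records. Vendor, signature IDs and extension
# keys are placeholders, not the AED's real values.
SAMPLE_SYSLOG: List[str] = [
    "<134>Feb  8 04:31:14 aed-lab CEF:0|VendorPlaceholder|AED|7.1.0.0|100|Blocked Host|5|"
    "src=203.0.113.7 dst=198.51.100.10 msg=blocked by protection setting cs1=PG\\=Web Servers",
    "<134>Feb  8 04:32:00 aed-lab CEF:0|VendorPlaceholder|AED|7.1.0.0|200|"
    "Protection Level changed\\|global|3|cs1=medium act=change",
]

HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# CEF escapes: \| and \\ in header fields; \= , \\ , \n and \r in extension values.
_ESCAPES = {"|": "|", "\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _unescape(s: str) -> str:
    """Undo CEF backslash escapes; an unknown escape sequence is kept verbatim."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), "\\" + m.group(1)), s, flags=re.S)


def _unescaped_positions(s: str, ch: str) -> List[int]:
    """Indexes of every occurrence of `ch` that is not part of a backslash escape."""
    positions, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            i += 2          # skip the escaped character entirely
            continue
        if s[i] == ch:
            positions.append(i)
        i += 1
    return positions


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=value with spaces' on unescaped keys; values may contain spaces."""
    out: Dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        if not token:
            continue
        key, _, raw = token.partition("=")   # first '=' is the key separator (keys are never escaped)
        out[key] = _unescape(raw)
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF record; raises ValueError on malformed input."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    body = line[start:]
    pipes = _unescaped_positions(body, "|")
    if len(pipes) < 7:
        raise ValueError("CEF header needs seven unescaped '|' separators")
    bounds = [-1] + pipes[:7]
    raw_fields = [body[bounds[k] + 1:bounds[k + 1]] for k in range(7)]
    record: Dict[str, Any] = {"cef_version": int(raw_fields[0][len("CEF:"):])}
    for name, raw in zip(HEADER_FIELDS, raw_fields[1:]):
        record[name] = _unescape(raw)
    record["severity"] = int(record["severity"])
    record["extension"] = parse_extension(body[pipes[6] + 1:])
    return record


def blocked_sources(records: List[Dict[str, Any]]) -> List[str]:
    """Source addresses from Blocked Host records, the field an analyst pivots on first."""
    return [r["extension"].get("src", "") for r in records if r["name"] == "Blocked Host"]


if __name__ == "__main__":
    records = [parse_cef(line) for line in SAMPLE_SYSLOG]
    for rec in records:
        print(rec["signature_id"], rec["name"], rec["severity"], rec["extension"])
    print("blocked sources:", blocked_sources(records))
```

Because the header is located by scanning for unescaped pipes rather than by splitting, a product name or event name containing an escaped `|` does not shift the severity and extension columns, which is the usual failure mode when such messages reach a generic syslog pipeline.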

Blocked Host Notifications


Administration > Notifications > Settings

Could flood a destination with too many notifications during high activity phase
– Specify the amount of time to wait between blocked host notifications for a specific host
  ❑ Longer interval = minimize the number of notifications per blocked host (default 60 minutes)
  ❑ Shorter interval = more precise record of how often a host was blocked

To prevent overwhelming the network or the receiving system, only 1000 blocked hosts per minute are identified for notifications

COPYRIGHT © 2024 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 10

10

5
Automatic Notifications

Summary
• Notifications are important

• Discover the different notification formats

• How to configure AED notifications


Barbel

Upgrade AED

Arbor Edge Defense


In this module you will...


• Perform tasks to prepare an AED for a software upgrade

• Perform the AED software upgrade procedure


Prepare an AED for a Software Upgrade

Upgrade AED

Check Current Software Version

• AED software includes two packages
☞ ArbOS – Arbor operating system files
☞ Arbor Edge Defense – AED services package
• Build codes should be the same for the ArbOS and AED image
• View installed software using the Web UI
– About link at the bottom of any web UI page
• View installed software using the CLI
/ system version
Version: Arbor Edge Defense 7.1.0.0 (build NJ4J) (arch x86_64)
/ system files show
Installed packages:
ArbOS_7.4 ArbOS 7.4 system files (build NJ4J) (arch x86_64)
Arbor-Edge-Defense-7.1.0.0 Arbor Edge Defense 7.1.0.0 (build NJ4J) (arch x86_64)

Download Software
Go to My.NETSCOUT (a.k.a. Support Portal)

https://my.netscout.com/ > Licensing & Downloads


Identify the Latest Software Version

Your My.NETSCOUT account must be associated with a valid maintenance contract to allow software downloads

Download the Necessary Files

• Follow the highlighted download option


• Available software and software versions depend on the active maintenance contract

Be aware that the software you download is subject to export control laws and regulations
See download website for further details


Stage Software Files
Administration > Files

Always upload both files! (arbos and Arbor-Edge-Defense)

Check File System Utilization

Local File System
• 10GB of disk is allocated to local file storage
• Check directory status before uploading files
/ system files directory disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
Free space: 10.0G of 10.0G (0% used)

Upload Software via CLI

Upload AED system files
/ system files copy http[s]://hostname/AED_7_2_0/arbos-7.4-OEGF-x86_64 disk:
######################################################################## 100.0%
/ system files copy http[s]://hostname/AED_7_2_0/Arbor-Edge-Defense-7.2.0.0-OEGF-x86_64 disk:
######################################################################## 100.0%

Copy options (source of the copy): ftp, http[s], scp, cdrom, disk, usb, flash

Viewing system files after upload
/ system files directory disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-7.2.0.0-OEGF-x86_64 1368673 May 1 03:29 Signed package
arbos-7.4-OEGF-x86_64 174088 May 1 03:28 Signed package
Free space: 8.8G of 10.0G (12% used)

Upgrade an AED to a Newer Software Release

Upgrade AED

Upgrade Recommendations

• Always consult the Release Notes for new features and behavior changes
• Perform a full backup (with traffic data)
– Requires an external backup location
– Proceed only after you have ensured that the backup export completed and that all
files are present on the server
• AED upgrade requires CLI access
– Via serial console or
– Via SSH
• AED upgrade process requires two AED reboots and triggers bypass (if supported/implemented)
– Network connections will bounce

Upgrade Procedure

1. Log into the CLI
2. Verify that the new files are uploaded
/ system files directory disk:
3. View the currently installed packages
/ system files show
4. Stop AED services
/ services aed stop
5. Save the configuration
/ config write
6. Uninstall the old AED hand patches and package
/ system files uninstall Arbor-…
7. Install the new ArbOS package
/ system files install disk:arbos...
8. Reload AED
/ reload now
9. Log into the CLI again
10. Verify that ArbOS was installed
/ system files show
11. Install the new AED package and hand patches
/ system files install disk:Arbor-…
12. Reload AED (important)
/ reload now
13. Log into the CLI again
14. Start AED services
/ services aed start
15. Save the configuration
/ config write
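A pre-flight check that ties together the version check, the staged-file listing and steps 2 and 3 of the procedure above, written for this page as an added example (not NETSCOUT's code): it parses the two CLI outputs shown on the slides and reports a problem if a package is missing, the build codes of the two staged packages differ, a staged release is older than the installed one, or disk: is nearly full. The function names, the constructed sample output and the made-up build code AB12 are assumptions.

```python
"""Pre-upgrade check of staged AED packages (added example, not NETSCOUT code).

Parses the text printed by the AED CLI commands "system files show" and
"system files directory disk:" (formats as on the slides) and verifies that
both packages are staged, that their build codes match, that nothing staged
is older than what is installed, and that disk: still has room.
"""
import re

# Staged file names look like arbos-7.4-OEGF-x86_64 or Arbor-Edge-Defense-7.2.0.0-OEGF-x86_64
STAGED_RE = re.compile(
    r"^(?P<kind>arbos|Arbor-Edge-Defense)-(?P<ver>[\d.]+)-(?P<build>[A-Z0-9]{4})-(?P<arch>\S+)$")
# Installed lines look like "ArbOS_7.4 ArbOS 7.4 system files (build NJ4J) (arch x86_64)"
INSTALLED_RE = re.compile(r"^(?P<pkg>\S+)\s.*\(build (?P<build>[A-Z0-9]{4})\)\s+\(arch (?P<arch>\S+)\)")
FREE_RE = re.compile(r"^Free space:\s+(?P<free>[\d.]+)G of")


def version_key(ver):
    """'7.2.0.0' -> (7, 2, 0, 0) so that releases compare numerically."""
    return tuple(int(p) for p in ver.split("."))


def parse_installed(show_output):
    """Map 'arbos' / 'Arbor-Edge-Defense' -> (version, build, arch)."""
    found = {}
    for line in show_output.splitlines():
        m = INSTALLED_RE.match(line.strip())
        if not m:
            continue                                  # "Installed packages:" header
        pkg = m.group("pkg")
        if pkg.startswith("ArbOS_"):                  # ArbOS_7.4
            found["arbos"] = (pkg.split("_", 1)[1], m.group("build"), m.group("arch"))
        elif pkg.startswith("Arbor-Edge-Defense-"):   # Arbor-Edge-Defense-7.1.0.0
            found["Arbor-Edge-Defense"] = (pkg.rsplit("-", 1)[1], m.group("build"), m.group("arch"))
    return found


def parse_staged(dir_output):
    """Return ([staged package dicts], free_gb) from the disk: listing."""
    staged, free_gb = [], None
    for line in dir_output.splitlines():
        line = line.strip()
        fm = FREE_RE.match(line)
        if fm:
            free_gb = float(fm.group("free"))
        elif line.endswith("Signed package"):         # ignore header, backups, key files
            fields = line.split()
            m = STAGED_RE.match(fields[0])
            if m:
                staged.append({**m.groupdict(), "kbytes": int(fields[1])})
    return staged, free_gb


def preflight(show_output, dir_output, min_free_gb=1.0):
    """Return a list of problems; an empty list means the packages may be installed."""
    installed = parse_installed(show_output)
    staged, free_gb = parse_staged(dir_output)
    by_kind = {p["kind"]: p for p in staged}
    problems = []
    if len(staged) != len(by_kind):
        problems.append("more than one staged file for the same package; remove stale copies")
    for kind in ("arbos", "Arbor-Edge-Defense"):
        if kind not in by_kind:
            problems.append(f"missing staged package: {kind} (always upload both files)")
    if len(by_kind) == 2 and by_kind["arbos"]["build"] != by_kind["Arbor-Edge-Defense"]["build"]:
        problems.append("build code mismatch between the staged arbos and AED packages")
    for kind, p in by_kind.items():
        cur = installed.get(kind)
        if cur and p["arch"] != cur[2]:
            problems.append(f"{kind}: staged arch {p['arch']} differs from installed {cur[2]}")
        if cur and version_key(p["ver"]) < version_key(cur[0]):
            problems.append(f"{kind}: staged {p['ver']} is older than installed {cur[0]}")
    if free_gb is None or free_gb < min_free_gb:
        problems.append(f"free space on disk: is {free_gb} GB, below the {min_free_gb} GB minimum")
    return problems


# Constructed from the slides: installed 7.1.0.0 (build NJ4J), staged 7.2.0.0 (build OEGF)
SHOW_OUTPUT = """Installed packages:
ArbOS_7.4 ArbOS 7.4 system files (build NJ4J) (arch x86_64)
Arbor-Edge-Defense-7.1.0.0 Arbor Edge Defense 7.1.0.0 (build NJ4J) (arch x86_64)
"""
DIR_OUTPUT_OK = """Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-7.2.0.0-OEGF-x86_64 1368673 May 1 03:29 Signed package
arbos-7.4-OEGF-x86_64 174088 May 1 03:28 Signed package
Free space: 8.8G of 10.0G (12% used)
"""
# Constructed failure case: AED package from another build (AB12 is made up) and a nearly full disk
DIR_OUTPUT_BAD = """Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-7.2.0.0-AB12-x86_64 1368673 May 1 03:29 Signed package
arbos-7.4-OEGF-x86_64 174088 May 1 03:28 Signed package
Free space: 0.4G of 10.0G (96% used)
"""
```

Run it against a saved copy of the two CLI outputs; only an empty result means step 7 can proceed.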

Managing the AED Application

/ services aed stop


Stopping Arbor Edge Defense services...done.

/ services aed show


Arbor Edge Defense state: stopped

/ services aed start


Starting Arbor Edge Defense services................................done.

/ services aed show


Arbor Edge Defense state: started


Upgrade: Uninstall the Old Package

/ system files uninstall old_packageName

Refer to the output from "system files show":
/ system files show
Installed packages:
ArbOS_7.1 ArbOS 7.0 system files (build JLKE) (arch x86_64)
Arbor-Edge-Defense-6.3.1 Arbor Edge Defense 6.3.1 (build JLKE) (arch x86_64)

⚠ If present, uninstall all patches before removing the AED package

Upgrade: Install the New ArbOS Package

/ system files install disk:arbos_fileName

Refer to the output from "system files directory disk:":
/ system files directory disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-7.2.0.0-OEGF-x86_64 1368673 May 1 03:29 Signed package
arbos-7.4-OEGF-x86_64 174088 May 1 03:28 Signed package
Free space: 8.8G of 10.0G (12% used)

☞ Reboot the appliance after successful installation of the new ArbOS package

Upgrade: Install the New AED Package

/ system files install disk:aed_fileName

Refer to the output from "system files directory disk:":
/ system files directory disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-7.2.0.0-OEGF-x86_64 1368673 May 1 03:29 Signed package
arbos-7.4-OEGF-x86_64 174088 May 1 03:28 Signed package
Free space: 8.8G of 10.0G (12% used)

☞ Install additional patches (if required)
☞ Reboot the appliance after installation of all packages

Important Notes

Arbor Enterprise Manager (AEM) provides a single console for the central
management of multiple AED devices
1. Connect the AED to AEM first
– Applicable configurations are copied from the device
2. AED managed by AEM
– Configuration on AEM is periodically pushed to AED and overwrites local changes
Upgrading an AED when managed by the AEM
1. Disconnect the AED from AEM before the upgrade
2. Always upgrade the AEM first
3. Then upgrade the AED
4. Reconnect the AED to AEM


Lab Exercise

Hands-on Exercise (30 min.)
Upgrading AED Software

Objectives
• Perform the steps necessary to upgrade your AED's software to a newer version

Summary
• Tasks recommended to prepare an AED software upgrade
• Steps to perform a successful AED software upgrade

Trout

Account Management

Arbor Edge Defense


In this module you will...


• Learn about the available account types on an AED

• Understand how to manage accounts

• Use authorization keys to grant privileges to a user in an account group

• Understand TACACS/RADIUS authentication


User Administration on AED

Account Management


User Accounts Types

AED supports these authentication types:

• LOCAL – user accounts configured locally
• RADIUS – (optional) integrate AED with an existing RADIUS implementation
• TACACS+ – (optional) integrate AED with an existing TACACS+ implementation

Local Accounts
Administration > User Accounts

User accounts identify people who use AED

• Default Account: admin/arbor
- The admin account cannot be deleted
- A change of the default password is required
• It is recommended that you create at least one additional local user account with the system_admin privilege level
• Account settings define:
- The user's login information
- The levels of system access
- Non-administrative users can only edit their own accounts: real name, email, time zone and password

Adding a New Local Account
Administration > User Accounts

• Required fields include Username, Password (twice to verify), and Group
• Time zone – the user-specific time zone
• Group (predefined):
Ø system_admin – full administrative access to view and configure AED
Ø ddos_admin – limited administrative access, view and configure DDoS mitigation settings only
Ø system_user – read access to view events and run blocked host queries
Ø system_none – access to the AED is denied
Ø standby – allows access to the standby API endpoint on a standby AED

Password Complexity

To be secure and accepted by AED, passwords must meet the following criteria:

• Contain from 10 to 72 characters, which can include special characters, spaces, and quotation marks
• Cannot consist of all digits
• Cannot consist of all lowercase letters or all uppercase letters
• Cannot consist of only letters followed by only digits (for example, abcd123)
• Cannot consist of only digits followed by only letters (for example, 123abcd)

User Groups and Authorization Keys

Predefined Group
Groups organize users by the different levels of system access
• Any user account must be assigned to a single group
• User accounts inherit access levels from the assigned group
• Administrator can add custom groups using the CLI
• Administrator assigns authorization keys to a group
– Keys determine the level of system access for users in that group

/ services aaa group show system_user
Group system_user (immutable):
api_access View API Access
conf_show Show running or saved configuration
explore_blocked_hosts Explore historical blocked hosts log
explore_packets Capture packets in real-time
login_cli Access to the CLI environment
login_ui Access to the Web Interface
view_active_cs View active Cloud Signaling requests
view_filter View AED-wide Filter List
view_otf View Outbound Threat Filter
view_pg View Protection Groups
view_stix

Working with Account Groups

• Add a new group
/ services aaa groups add <name>
• Copy a group
/ services aaa groups copy <existing_group> <new_group>
• Delete an existing group
/ services aaa groups delete <name>
• Don't forget to save the configuration changes
/ configure write

Working with Authorization Keys

Authorization keys control which information and functions will be available to a user of a certain account group
/ services aaa groups key {add | delete} name key
add = add an authorization key
delete = delete an authorization key
name = the group name
key = the authorization key to assign

For a list of the 60+ authorization keys available, refer to the online Help pages or the AED User Guide; search for "User group authorization keys"

Determine the Status of User Accounts

/ services aaa user_hist
NE90|10.2.32.10|UI|0|1612468823|0|ok|
admin|10.2.32.10|UI|0|1612738601|0|ok|
ddos_admin|10.2.32.10|UI|0|1612467504|0|ok|
system_none|10.2.32.10|UI|0|1612467348|0|ok|
system_user|10.2.32.10|UI|0|1612467331|0|ok|

/ services aaa user_hist NE90
NE90|10.2.32.10|UI|0|1612468823|0|ok|
Lock & Unlock a User Account

• Disable an account
/ services aaa disable_account <username>
/ services aaa disable_account NE90
/ services aaa user_hist NE90
NE90|10.2.32.10|UI|-1|1612468823|-1|disabled|

• Enable an account
/ services aaa enable_account <username>
/ services aaa enable_account NE90
/ services aaa user_hist NE90
NE90|10.2.32.10|UI|0|1612468823|0|ok|


Number of Login Attempts

• Change the number of allowed login attempts
/ services aaa max_login_failures <number>
number = maximum number of login failures before the account is disabled

• View the current setting
/ services aaa max_login_failures show raw
5 = the default setting
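An account audit over the user_hist output shown in the slides above, added here as an example (not NETSCOUT's code): it parses the pipe-separated lines and reports disabled accounts (for instance after the login-failure limit was hit) and enabled accounts that have not logged in for a configurable number of days. The meaning of the individual fields is assumed from the slides (username, client IP, access method, a Unix timestamp, status), and the sample input is constructed from them.

```python
"""Audit of 'services aaa user_hist' output (added example, not NETSCOUT code).

Parses the pipe-separated lines the AED CLI prints (format as on the slides)
and lists accounts that are disabled and enabled accounts that have not been
used for a while, the two things an administrator checks after a lockout or
during a periodic review.  Assumed field meanings, taken from the slides only:
field 1 username, field 2 client IP, field 3 access method, field 5 a Unix
timestamp of the last login and the last field the account status ("ok" or
"disabled"); the remaining fields are not interpreted.
"""

SECONDS_PER_DAY = 86400

# Constructed from the slides: NE90 as shown after "services aaa disable_account NE90"
SAMPLE_USER_HIST = """NE90|10.2.32.10|UI|-1|1612468823|-1|disabled|
admin|10.2.32.10|UI|0|1612738601|0|ok|
ddos_admin|10.2.32.10|UI|0|1612467504|0|ok|
system_none|10.2.32.10|UI|0|1612467348|0|ok|
system_user|10.2.32.10|UI|0|1612467331|0|ok|
"""


def parse_user_hist(text):
    """Turn each 'user|ip|method|..|epoch|..|status|' line into a dict."""
    records = []
    for line in text.splitlines():
        fields = line.strip().rstrip("|").split("|")
        if len(fields) < 7:
            continue                          # blank or truncated line
        records.append({
            "user": fields[0],
            "source": fields[1],
            "method": fields[2],
            "last_login": int(fields[4]),     # assumed: Unix timestamp of last login
            "status": fields[6],
        })
    return records


def audit(text, now_epoch, stale_days=90):
    """Return (disabled users, enabled users with no login for more than stale_days)."""
    disabled, stale = [], []
    for r in parse_user_hist(text):
        if r["status"] != "ok":
            disabled.append(r["user"])
        elif (now_epoch - r["last_login"]) / SECONDS_PER_DAY > stale_days:
            stale.append(r["user"])
    return disabled, stale


if __name__ == "__main__":
    import time
    print(audit(SAMPLE_USER_HIST, int(time.time())))
```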

TACACS/RADIUS - 3rd Party Authentication

Account Management
3rd Party Authentication

TACACS+
Vendor: Arbor (service = arbor)
Attribute: arbor_group
Examples:
service = arbor {
arbor_group = system_admin
}
service = arbor {
arbor_group = system_user
}

RADIUS
Vendor ID: 9694
Attribute: Arbor-Privilege-Level (string)
Examples:
Arbor-Privilege-Level = system_admin
Arbor-Privilege-Level = system_user

If RADIUS or TACACS+ does not return a specific user group, the system_user group is applied by default. Change the default group using:
/ services aaa groups default set account_group_name
TACACS/RADIUS CLI Configuration

/ services aaa radius server set primary 10.10.10.1 encrypted ***** 1812
/ services aaa radius server set backup 10.10.10.2 encrypted ***** 1812
/ services aaa radius accounting set primary 10.10.10.10 encrypted ***** 1813
/ services aaa radius nas_identifier set SightlineTRA1
/ services aaa radius accounting set level login
/ services aaa tacacs server set primary 10.10.10.10 49 encrypted *****
/ services aaa tacacs server set backup 10.10.10.11 49 encrypted *****
/ services aaa tacacs accounting set primary 10.10.10.10 encrypted ***** 49
/ services aaa tacacs tacpass_expiry_notify disable
/ services aaa tacacs accounting set level change
/ services aaa method set local radius tacacs
/ services aaa method exclusive enable


Authentication Methods

• Methods – Sequence of authentication methods used by AED (tried in the order given)
/ services aaa method set local radius tacacs

• Exclusive Mode – AED does not authenticate a user against all the configured methods; it uses the first available method in the order. If that authentication fails, the user cannot log in with any other method
/ services aaa method exclusive enable

• Accounting – Track and log: logins, configuration changes and interactive commands
/ services aaa local|radius|tacacs accounting set level level

TACACS/RADIUS CLI Configuration Options

• Default Account Group – If there is no group assigned via the TACACS or RADIUS reply, this account group will be used by default
/ services aaa groups default set groupName

• NAS Identifier – A Network Access Server (NAS) identifier is a string that identifies the AED appliance
/ services aaa radius nas_identifier set string

• TACACS Password Expiry – Display a warning message when a user's TACACS+ password is about to expire
/ services aaa tacacs tacpass_expiry_notify enable|disable

Recommendation

Specify an idle timeout for UI sessions and for the CLI

• If there is no activity, AED logs the user out of the interface
• Configure the idle timeout for the AED UI
– Administration > General
– The default timeout for the UI is 120 minutes
• Configure the idle timeout for the AED CLI
– / system idle set minutes
– minutes = time in minutes (0 - 999) that must elapse before users are logged out due to inactivity
– If you do not want to use any idle timeout, enter 0 to disable (default)

Lab Exercise

Hands-on Exercise (45 min.)
Creating User Accounts

Objectives
• Create local user accounts for each of the user group types
• Verify the access capabilities of each user account type
• Perform user account tasks such as displaying user account status and managing user account access

Summary
• AED supported account types
• Tasks for managing user accounts
• Authorization keys for granting privileges to a user
• TACACS/RADIUS authentication

Salmon

Data Loss Prevention

Arbor Edge Defense


Unit Summary

• Create a backup schedule for an AED system

• Restore an AED from a recent backup file


Working with Backups

Data Loss Prevention


Data Loss Protection

Protect your system against data loss; this includes:
• Loss of system configuration
• Loss of historical statistics (graphs and baselines)
• Loss of historical events (blocked hosts log)

Use a backup to protect the available data on your AED:
ü At regular time intervals
ü Before you upgrade the system
ü Before you do a massive configuration change
ü Before you perform any maintenance on the system

Create a Backup Schedule for Your AED

Data Loss Prevention
Planning Your Backup Strategy

1. Types of backups
a) Full – All files that comprise the full set of data
b) Incremental – Only files that changed since the last backup
2. Where to save the backup
a) Locally on AED or download to your laptop
b) Remote backup server
• The backup server must support the Secure File Transfer Protocol (SFTP)
• Each AED backed up must use a unique target directory on the backup server
3. What type of data to back up
a) Locally – Only the configuration data
b) Remote – Remote backups can contain traffic data in addition to the configuration data
4. How often to back up
– Define separately when to run full and incremental backups
– AED saves the last five full backups and the incremental backups that were made after those full backups. The backup process deletes the older backups automatically

Available Backups Section


Administration > Backup and Restore

Upload Backup – Upload a backup file to AED from another location
Back Up Now – Manually create a backup now
Restore From Selected – Restore from a selected backup file (grayed out if no backup is selected)
Download Selected – Download a backup file from AED to another location, e.g. a laptop (grayed out if no backup is selected)

Backup Now

• A manual backup can be full or incremental


– To include traffic data, you must use a remote server
• You might need to back up manually in case of:
– Not using scheduled backups
– Saving the initial system configuration
– Saving configuration outside of the automatic backup schedule
• Save immediately instead of waiting for the next scheduled backup
– Saving a different type of data than what is included in the scheduled backup
• A scheduled backup contains the configuration only; you can create a backup that
includes configuration + traffic data


Backup Schedule

Backups are not scheduled by default

Default Settings
Full: Not scheduled
• Includes all data in the backup
Incremental: Not scheduled
• Includes only incremental data since the last backup
Traffic Data: Excluded if no remote server is used

Backup Server

• Local selected (default) – stored on the local 10 GB of disk


/ system files directory disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-6.4.1-KFK3-x86_64 1018180 Feb 6 03:29 Signed package
arbor-backup-full-signatures.20210204T194504Z.sigtar.gz 362 Feb 4 19:45 Gzip compressed
arbor-backup-full-signatures.20210205T194514Z.sigtar.gz 368 Feb 5 19:45 Gzip compressed
arbor-backup-full-signatures.20210206T194513Z.sigtar.gz 368 Feb 6 19:45 Gzip compressed
arbor-backup-full-signatures.20210207T194513Z.sigtar.gz 435 Feb 7 19:45 Gzip compressed
arbor-backup-full.20210204T194504Z.manifest 1 Feb 4 19:45 Text file
arbor-backup-full.20210204T194504Z.vol1.difftar.gz 25553 Feb 4 19:45 Gzip compressed
arbor-backup-full.20210204T194504Z.vol2.difftar.gz 16165 Feb 4 19:45 Gzip compressed
arbor-backup-full.20210205T194514Z.manifest 1 Feb 5 19:45 Text file
arbor-backup-full.20210205T194514Z.vol1.difftar.gz 25555 Feb 5 19:45 Gzip compressed
arbor-backup-full.20210205T194514Z.vol2.difftar.gz 16801 Feb 5 19:45 Gzip compressed
arbor-backup-full.20210206T194513Z.manifest 1 Feb 6 19:45 Text file
arbor-backup-full.20210206T194513Z.vol1.difftar.gz 25555 Feb 6 19:45 Gzip compressed
arbor-backup-full.20210206T194513Z.vol2.difftar.gz 16801 Feb 6 19:45 Gzip compressed
arbor-backup-full.20210207T194513Z.manifest 1 Feb 7 19:45 Text file
arbor-backup-full.20210207T194513Z.vol1.difftar.gz 25564 Feb 7 19:45 Gzip compressed
arbor-backup-full.20210207T194513Z.vol2.difftar.gz 22506 Feb 7 19:45 Gzip compressed
arbos-7.1-KFK3-x86_64 185615 Feb 6 03:28 Signed package
pravail_ssh_key.pub 1 Feb 4 19:40 Text file
Free space: 8.7G of 10.0G (13% used)
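A completeness check over a disk: listing like the one above, added here as an example (not NETSCOUT's code): it groups the arbor-backup-full files by timestamp and reports which full backup sets have their manifest, their signatures file and an unbroken run of volumes, which is what to confirm before an upgrade or a restore. The file-name structure is assumed from the listing on the slide; the sample listing is constructed from it plus a made-up incomplete set dated Feb 8.

```python
"""Completeness check of AED full-backup sets (added example, not NETSCOUT code).

Groups the arbor-backup-full files in a "system files directory disk:" listing
(format as on the slide) by timestamp and reports which sets are complete, so
that a backup can be trusted before an upgrade or a restore.  Assumed from the
file names on the slide: a full set is one .manifest, one -signatures.sigtar.gz
and volumes vol1..volN without gaps.  Incremental backups are not shown on the
slides and are not handled here.
"""
import re
from collections import defaultdict

TS = r"(?P<ts>\d{8}T\d{6}Z)"                      # e.g. 20210204T194504Z
VOL_RE = re.compile(rf"^arbor-backup-full\.{TS}\.vol(?P<n>\d+)\.difftar\.gz$")
MANIFEST_RE = re.compile(rf"^arbor-backup-full\.{TS}\.manifest$")
SIG_RE = re.compile(rf"^arbor-backup-full-signatures\.{TS}\.sigtar\.gz$")


def backup_sets(listing):
    """Return {timestamp: {'manifest': bool, 'sig': bool, 'vols': set, 'kbytes': int}}."""
    sets = defaultdict(lambda: {"manifest": False, "sig": False, "vols": set(), "kbytes": 0})
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue                                  # header and "Free space" lines
        name, kbytes = fields[0], int(fields[1])
        if (m := VOL_RE.match(name)):
            sets[m["ts"]]["vols"].add(int(m["n"]))
        elif (m := MANIFEST_RE.match(name)):
            sets[m["ts"]]["manifest"] = True
        elif (m := SIG_RE.match(name)):
            sets[m["ts"]]["sig"] = True
        else:
            continue                                  # software packages, key files
        sets[m["ts"]]["kbytes"] += kbytes
    return dict(sets)


def is_complete(s):
    """Complete = manifest + signatures + every volume from vol1 up to the highest volN."""
    n = max(s["vols"], default=0)
    return s["manifest"] and s["sig"] and n > 0 and s["vols"] == set(range(1, n + 1))


def backup_report(listing):
    """Return (timestamps of complete sets, newest first; timestamps of incomplete sets)."""
    sets = backup_sets(listing)
    complete = sorted((ts for ts, s in sets.items() if is_complete(s)), reverse=True)
    incomplete = sorted(ts for ts, s in sets.items() if not is_complete(s))
    return complete, incomplete


# Constructed from the slide's disk: listing, plus a made-up Feb 8 set whose vol2 is missing
SAMPLE_LISTING = """Directory listing of device disk:
Filename Kbytes Date/Time Type
Arbor-Edge-Defense-6.4.1-KFK3-x86_64 1018180 Feb 6 03:29 Signed package
arbor-backup-full-signatures.20210206T194513Z.sigtar.gz 368 Feb 6 19:45 Gzip compressed
arbor-backup-full-signatures.20210207T194513Z.sigtar.gz 435 Feb 7 19:45 Gzip compressed
arbor-backup-full-signatures.20210208T194513Z.sigtar.gz 435 Feb 8 19:45 Gzip compressed
arbor-backup-full.20210206T194513Z.manifest 1 Feb 6 19:45 Text file
arbor-backup-full.20210206T194513Z.vol1.difftar.gz 25555 Feb 6 19:45 Gzip compressed
arbor-backup-full.20210206T194513Z.vol2.difftar.gz 16801 Feb 6 19:45 Gzip compressed
arbor-backup-full.20210207T194513Z.manifest 1 Feb 7 19:45 Text file
arbor-backup-full.20210207T194513Z.vol1.difftar.gz 25564 Feb 7 19:45 Gzip compressed
arbor-backup-full.20210207T194513Z.vol2.difftar.gz 22506 Feb 7 19:45 Gzip compressed
arbor-backup-full.20210208T194513Z.manifest 1 Feb 8 19:45 Text file
arbor-backup-full.20210208T194513Z.vol1.difftar.gz 25564 Feb 8 19:45 Gzip compressed
arbor-backup-full.20210208T194513Z.vol3.difftar.gz 22506 Feb 8 19:45 Gzip compressed
pravail_ssh_key.pub 1 Feb 4 19:40 Text file
Free space: 8.7G of 10.0G (13% used)
"""
```

The first complete timestamp in the report is the newest backup that can be restored from; any incomplete set should be re-run rather than relied upon.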


Backup Server Settings

Remote Backup Server selected

Server – Hostname or IP address of the server to store the backup
Port – Port on the backup server on which to connect
Directory – Path of the target directory on the backup server
• The path can contain underscores (_) and alphabetical and numerical characters, and must be an absolute path beginning with (/)
Username – Username to authenticate on the backup server
• Cannot contain a space, the at symbol (@), or a slash (/)
Password – If required, type the password twice
Restore Your AED from a Recent Backup File

Data Loss Prevention

Restore Backup

If you need to restore the backup onto a new appliance, you need to first
complete the initial configuration via the console and make the system
reachable via the network…

Data never restored by a backup


⚠ Summary page - interface's traffic data
⚠ Configuration and imported keys for the Hardware Security Module (HSM) and the Cryptographic
Acceleration Module (CAM) - You must reconfigure the modules and reimport the keys
⚠ Alerts
⚠ Diagnostics packages
⚠ Custom SSL certificates
⚠ IP & Network configuration

Restore From a Selected Backup

• The data in AED is restored with the data in the backup that you select
• If an incremental backup is selected, AED also restores the last full backup and
all the intermediate incremental backups up to that selected incremental backup

AED Services are Stopped While Restoring

• The restore process automatically stops and restarts AED services as necessary
• While the services are stopped, AED runs in bypass mode (bypass configuration
dependent)
‒ Either - network traffic passes through the AED unaffected
‒ Or - AED is disconnected; traffic cannot pass through to the connected equipment

AED Services Started and System is Restored


Lab Exercise

Hands-on Exercise (30 min.)
Backup and Restore

Objectives
• Create a local backup of your NETSCOUT AED system
• Restore the configuration of your NETSCOUT AED with a local backup file

In this unit, we learned:
• How to create a backup schedule for an AED system
• How to restore an AED from a recent backup file

Sturgeon

Identifying Attacks

Arbor Edge Defense


In this module you will...


• See a best common practice UI workflow to validate AED statistics for an attack

• Learn about key signs for attack detection

• Checking traffic patterns and packet contents

• Identify blocked sources to verify false positives


Establishing UI Workflows

Identifying Attacks


Current State

AED Operational Status - Establish a common process to verify system status and
identify a potential attack

Summary Page and its sections → Protection Group Page and its sections → Blocked Host Log

Summary Page

• Default login page for all users


• Dashboard includes:
– Active alerts if present
– Top Protection Groups by traffic
– Real-time traffic forensics
• Groups with AIF-detected traffic
– Top sources, destinations, and countries
– Traffic on protection interfaces
– Current health of AED
– Identification of web crawler traffic


Summary Page – Top Protection Groups

• Out-of-the-box the AED includes only the Default Protection Group, tracking all IPv4 traffic
• It displays the five most active Protection Groups during the last hour (fixed timeframe)
Summary Page – Overview Section

Shows Passed and Blocked traffic during the last hour (fixed timeframe)

Summary Page – TOP Inbound Countries

Shows the geographical distribution of all incoming traffic during the last hour (fixed timeframe)
• Launch a Packet Capture for a specific country

Summary Page – TOP Inbound Source

Top 5 external IP addresses that sent the most traffic during the last hour (fixed timeframe)
• Add the IP addresses to the deny list
• Query the Blocked Host Log for a specific IP address
• Launch a Packet Capture for a specific IP address

Summary Page – TOP Inbound Destinations

Top 5 internal IP addresses that received the most traffic during the last hour (fixed timeframe)
• Query the Blocked Host Log for a specific IP address
• Launch a Packet Capture for a specific IP address

Summary Page – ATLAS Botnet Prevention

• Shows the AIF update status
• Shows the number of AIF Threats downloaded
• Shows AIF-matching traffic for each Protection Group and Protection Level
– Includes currently inactive Protection Levels
– Blocking is not enforced on matches in a higher, inactive Protection Level

Summary Page – Web Crawlers Section

Traffic rates caused by crawlers
• Web Crawler traffic identification is an AIF service
• Web Crawler support for Protection Settings can be enabled or disabled

Summary Page – Interfaces Section

• Displays the activity on the protection interfaces during the last hour
• Determine the status of the protection interfaces (up or down)
– If the link status is lost on one side of a pair of interfaces, AED brings the other interface down too
• Monitor if any interface is overloaded
– A minigraph that displays traffic as a high plateau typically indicates an overload condition

Identify a Potential Attack

Identifying Attacks

DDoS Attacks

[Diagram: attack types (DNS Amplification, SYN/ACK Floods, UDP Flood, HTTP Floods, ICMP Flood, Slowloris, NTP Amplification, R.U.D.Y., memcached) arriving via ISP 1, ISP 2 … ISP 'n' with link saturation, passing the Firewall, IPS, AED and Load Balancer toward the Data Center target applications & services; attack traffic shown alongside good traffic]

• AED provides certain "out-of-the-box" protections for all types of DDoS attacks
☞ Get the best protection by 'optimizing' AED for your services
What an Attack Might Look Like

☞ Are there any sudden increases or spikes in traffic?
❑ Unusual traffic patterns – comparing real-time to historical traffic patterns
❑ Unexpected increases in traffic not tied to any specific event
☞ Are there any changes in the real-time traffic details?
❑ Inbound source traffic
❑ Observed destinations
❑ Geo-location details
❑ Increased AIF Threat or Botnet activity
❑ Protocol and ports targeting the destination
☞ Are users / administrators indicating problems – unable to connect or poor performance?
Information to Gather if Under DDoS Attack

My.NETSCOUT (Support Portal) Knowledge Base Answer

If you are under a DDoS attack and you need mitigation assistance, it may be helpful to gather some information while the attack is ongoing, if possible:
• Any information as to the details of the attack – available within the AED web-based UI:
  – Source Host
  – Source Port
  – Destination Host
  – Destination Port
  – Protocol / TCP or UDP traffic
• An unfiltered capture of the traffic
  – AED provides a 'sampled' packet capture for initial investigations

Indicators of a DDoS Attack

• Notifications received from AED
  – email, syslog, or SNMP trap
  – You may have received these notifications first
• Viewing the AED GUI (AED Summary Page):
  – Identify any Top Active Alerts that indicate an attack:
    ❑ Total Traffic alert
    ❑ Blocked Traffic alert
    ❑ Botnet Traffic alert

Summary Page

Is there any activity or change that aligns with a suspected attack?
• Top Protection Groups
  – Top 5 most active Protection Groups (last 60 minutes)
  – Refreshes about every 60 seconds
• Overview section for Blocked Traffic or Blocked Hosts

Scrolling Down the Summary Page

Is there any sudden increase in traffic or recent activity?
• ATLAS Botnet Prevention
  – The amount of inbound traffic currently blocked by the AIF Botnet Signatures
  – Traffic that would be blocked at a different protection level
• ATLAS Threat Categories
  – Shows the five ATLAS threat categories that blocked the most inbound and outbound traffic during the last hour
  – It is a result of the ATLAS Intelligence Feed settings

Scrolling Down the Summary Page (cont.)

Is there any sudden increase in traffic or recent activity?
• Top Inbound Countries
  – North Korea → acceptable?
    • Add to Deny List if necessary
  – Does this activity align with other indicators?

Scrolling Down the Summary Page (cont.)

Is there any sudden increase in traffic or recent activity?
• Top Inbound Sources – displays the Top-5 external IP addresses seen (last 60 minutes)
  – Top Inbound Source activity syncs with destination and Top Protection Group activity
• Top Inbound Destinations – displays the Top-5 internal IP addresses that received the most traffic (last 60 minutes)
• Notice the timing of some IPv6 activity – it seems peculiar; typically there is no traffic, so it may be nothing

Screenshot callout: random spikes of traffic from various source IPs align with a larger spike towards a single destination

Attack Indicators
Protect > Inbound Protection > Protection Groups

Click on the Protection Group name or follow the menu to view a specific Protection Group
☞ More current results → change time to -5m (last 5 minutes)
☞ If needed – extend time to compare historical traffic to current traffic
☞ Notice the 'Total Traffic' alert
☞ Traffic details displayed in each section are specific for that PG

Use the Protection Group page to investigate:
❑ Current traffic details for this Protection Group
❑ What changed, what's different?
❑ What doesn't belong here?
❑ What 'Attack Categories' are indicated?

Attack Categories

Identifies observed malicious traffic
• Which 'Server Type' protection is currently blocking traffic?
• Hover your mouse over the minigraphs to view a larger version of that graph
• Hover your mouse near 'Category' for a context menu to appear
• Links to the Blocked Hosts Log
• Click the 'Details' button to view additional information about the blocked traffic

Temporarily Blocked Sources

Displays which host IPs have been temporarily blocked
• The sources sending the malicious traffic
• The triggered protection Categories
• The protection puts the host on the Deny List →
  – All the host's traffic is blocked
  – Blocking time is 60 sec; repeated offenses are blocked for 300 sec
• Add any valid source IPs to the Allow List (false positives)

Web Traffic by URL or Domain

Web Traffic By URL – Displays up to 10 top destination URLs seen during the selected timeframe

Web Traffic By Domain – Displays up to 10 of the top domains seen during the selected timeframe

Web Crawlers

Web Crawlers – The top five search engines with the highest traffic. Search engine crawlers are crawling your web site for information and updates.

IP Location – Displays up to 10 countries that send the most traffic. Identify embargoed or banned countries or determine the sources of an attack, and add them to the Deny List if required.

Protocols and Services

Web Server Protection Group

Protocols – Displays up to 10 protocols that have the highest amount of inbound traffic. (Screenshot callout: Why is there all of this UDP traffic?)

Services – Displays up to 10 services that have the highest amount of inbound traffic. (Screenshot callout: Is it normal to have this UDP/80 traffic?)

☞ Unexpected protocols or services could represent an attack
  – Extend the time to view history
  – Verify protocol and service use with administrators

Blocked Host Log
Explore > Blocked Hosts

A record of all hosts that AED has blocked
• Actively blocked hosts
• Hosts that have been blocked historically
• Use to:
  – Verify Protection Settings
  – Identify false positives
  – Investigate threats and perform forensics reporting

Reacting to and Mitigating a DDoS Attack

Identifying Attacks

Mitigation

➢ You suspect an attack that is not actively being blocked
➢ You suspect that more traffic from this attack could be blocked

♺ Raising the Protection Level
☞ Enables additional protections – Example: ICMP Flood Detection default settings are disabled for the Low Protection Level
☞ Enables lower acceptable threshold values for rate-based protections – Risk of increased false positives

Raise the Protection Level

• Raise the global Protection Level
  – Impacts all Protection Groups that follow the "Global" Protection Level and are set to Active Protection Group Mode
  – Use caution, as malicious traffic will be blocked across all Protection Groups that follow Global settings → Risk of false positives for Protection Groups not under attack

• Best practice: Raise the Protection Level of the affected Protection Group if you can identify the attack
  – Impacts only IP prefixes defined in this Protection Group
  – AED & PG must be in Active Protection Group Mode
  – If the Protection Group has many servers, temporarily quarantine the specific server or servers being attacked

Attack Not Blocked in Low

Increase the Protection Level to Medium

Attack Partially Blocked in Medium

Some bad traffic is blocked, but not all of it yet

Attack Blocked in High

Increase the Protection Level to High

Attack Analysis

Low → Medium
Medium → High

More traffic is blocked; the traffic volume passing is now back to normal

After the Attack

Once the attack is over, reset the Protection Level to Low

Mitigation Is Not Successful

➢ Even the High Protection Level still does not block the attack
➢ You still suspect more traffic should be blocked

♺ Out-of-the-box settings and current protection settings are not optimized for your traffic
☞ Update the protection settings as required for the situation – This may require guesswork, with an increased risk of false positives
☞ Optimize threshold values beforehand during normal operations → Test protections and threshold values in each protection level using Inactive Mode

Block Specific Attack Traffic

♺ Enable unused protections or change their settings to capture more misuse traffic
  – Protection settings are in the related Server Type
  – Update the settings for the current Protection Level (Low / Medium / High tabs)
• Deny traffic sourced by IPv4 / IPv6 hosts, CIDRs, Countries or going to certain Embedded DNS domains or Embedded URLs
• Use FCAP expressions to filter unwanted or unnecessary traffic (like an ACL); applies to Layer 3/4
  – Determine if it's a temporary or permanent change
♺ Use 'Advanced Tactics'
  – Create a regular expression to match the traffic and add it to the appropriate protection settings
  – Applies to all layers of traffic

Service Is Not Restored Despite the Mitigation

➢ AED blocks all attack traffic and only valid traffic is forwarded, but the services are still not reachable

AED cannot mitigate the attack for reasons beyond its control
⚠ DDoS attack traffic has consumed almost all the uplink bandwidth
⚠ DDoS attack is too large and overloads routers, or the bandwidth provided in front of AED
☞ This condition requires cloud-based mitigation services
  – Your local Internet Service Provider (ISP)
  – A 3rd-party mitigation service such as Arbor Cloud DDoS Protection Services

Security Reports
Reports > Executive Summary or ATLAS Global DDoS

Executive Summary: useful reporting for a Protection Group or all Protection Groups when management needs to know about a recent DDoS attack or ongoing traffic threats

ATLAS Global DDoS: when you participate in Arbor's data-sharing program you are given access to the ATLAS Global DDoS Report from ASERT. This additional intelligence shows the scope of internal threats and trends to your network in the context of other networks and the internet

Looking At Traffic Patterns And Packet Content

Identifying Attacks

Packet Capture

Allows you to sample packets that AED inspects and see information about packets in real time
• Displays ~100 packets every 3 seconds
• Results may be fewer if a display filter is applied
• Capture stops automatically after 5000 packets
• Capture is only performed when viewing the Packet Capture page
  – If you leave the Packet Capture page the capture stops, and the results are cleared

☞ Use packet information to configure more targeted protection settings

Managing a Packet Capture
Explore > Packet Capture

Screenshot callouts:
• Download PCAP
• These settings only affect visualization
• No packets captured until clicked
• Clear displayed results
• Filter settings for packet capture

Display Filters

Screenshot callouts:
• Click to expand filter
• Active filter items – click to delete from filter
• Click to add to filter
• Displays only packets that caused a host to get dynamically blocked

Source and destination host filters may be:
• IP addresses
• CIDR blocks
• Domain names

These filters use a fixed-list format with the usual click-to-select, ctrl-click-to-add
Regular Expression filters are entered into a simple text box

Monitoring Traffic

Screenshot callouts:
• Optionally filter by Passed or Dropped condition
• Start / Pause / Resume
• White/gray bands are forwarded packets
• Red/pink bands are dropped packets
• TCP flags are shown when no application info is available (otherwise e.g. HTTP request, DNS query)

Packet Decode

Screenshot callouts:
• Select a packet to view packet details
• Protection for that blocked packet
• Add this source to the deny list

Export Packets

Click the icon to export the packet capture to a pcap file
• Selecting packets → export only those selected packets
• No selection → all packets according to the filters will be exported

Launch Packet Capture

1. Go to Explore > Packet Capture
2. Use mouse-over popup menus
   • Start capture for this Protection Group

Identifying Blocked Sources – Managing False Positives

Identifying Attacks

Lists Top 10 Offenders

Screenshot callouts:
• Per Protection Group statistics
• Click to add to the Allow List

Hosts added to the Allow List will be trusted and are not processed against the configured protections

Blocked Host Log

Initial page load returns all blocked hosts without filters

Searching Blocked Host Log

Screenshot callouts:
• Select/deselect all
• Enter host filters as freeform text
• Use the time selector for hosts blocked more than one week ago
• Choose a minimum amount of host traffic observed to cause blocking

Blocked hosts history is limited to 224,000 hosts and one year since last blocked

Example Search

Screenshot callouts:
• Amount of blocked hosts found with the current filter
• No filters are applied until the search button is clicked

Blocked Host Log Details

Blocked Host detail appears by clicking the details button

Lab Exercise

Lab Exercise
Hands-on Exercise: Blocking Unwanted Traffic (45 min.)

Objectives
• Identify unwanted traffic in your network
• Apply different NETSCOUT AED filtering capabilities to block that unwanted traffic

Summary
• Best common practice UI workflow to validate AED statistics for an attack
• Key markers for detecting an attack
• Checking traffic patterns and packet contents
• Verifying Blocked Sources and false positives

Optimize AED Visibility & Protection (Part A)

Arbor Edge Defense

COPYRIGHT © 2022 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY

In this module you will...
• Understand the concepts of Protection Groups
• Use Protection Groups to improve visibility into the network traffic
• Use Protection Groups to improve protection by automation

Security Posture

Optimize AED Visibility & Protection

Security Philosophy

Common security principles are an open or a closed policy

Open policy: everything is allowed except things that are explicitly restricted
Closed policy: everything is denied and only a few things are explicitly allowed

However, a mix of both is often the best from an operational perspective

Security Triangle
Your design should be based on the balance between Usability, Functionality and Security

Your Policy sits inside the triangle spanned by Usability, Functionality and Security:
• Functionality – make sure that everything functions without limitations…
• Usability – make sure everything is always easy to use…
• Security – make sure you provide the maximum level of security…

Improve Traffic Visibility or Protection on AED

Optimize AED Visibility & Protection

Recommended Workflow
1. Design Protection Groups
2. Perform Profile Capture and verify
3. Apply suggested values
4. Configure filters
5. Verify and tune settings

Flowchart: Configure all PGs and STs based on your services to be protected → Run Profile Capture (min 3 relevant days…) → verify grouping after 24h of traffic (NOK → repeat Profile Capture) → apply suggested values → Configure Filters → complete configuration → verify in Inactive & high (several days) → verify in Inactive & med (several days) → verify in Inactive & low (several days); NOK at any verify step → Tuning

Tuning
Run AED in inactive mode for several days and tune; if necessary, repeat a complete step

Protection Groups

Protects individually and provides extensive traffic reporting for a defined group of hosts
• Represents a group of IPv4 or IPv6 hosts
• Protection Groups are defined by:
  ① Protected Hosts
     • Host IPs, subnets, or domain names
  ② Server Type
     • Protection Settings applied to all hosts in the Protection Group

Default Protection Group
Protect > Inbound Protection > Protection Groups

Automatically created = "out-of-the-box"
• Cannot be deleted (immutable)
• Matches all traffic to any IPv4 protected host (0.0.0.0/0) if not further defined in other PGs
• Uses Protection Settings from the pre-defined Server Type Generic Server

Adding a new Protection Group
Protect > Inbound Protection > Protection Groups

Protection Groups are added in the Protection Groups listing page

Protection Group Limits

Limits are based on the used AED System Type
• Hardware Appliances
  – AED-HD1000 appliances
    ➢ Up to 199 custom PGs + 1 Default PG (IPv4 only)
  – All other AED hardware appliances
    ➢ Up to 99 custom PGs + 1 Default PG (IPv4 only)
• Virtual Appliances
  – Up to 49 custom PGs + 1 Default PG (IPv4 only)

IPv4 Traffic Matching

Host 192.0.2.2 matches all three PGs, but which is the best match?

When different-length prefixes of the same network are protected by more than one PG, AED matches traffic to the most specific (longest) prefix.

Protection Group Name – Protected Hosts Setting – Matched Traffic
• IPv4 Default Protection Group – 0.0.0.0/0 – All IPv4 traffic, except for the traffic that is destined to 192.0.2.0/24 (matches 192.0.2.2/32)
• Protection Group 2 – 192.0.2.0/24 – All traffic that is destined to 192.0.2.0/24, except for the traffic that is destined to 192.0.2.2 (better match for 192.0.2.2/32)
• Protection Group 3 – 192.0.2.2/32 – All traffic that is destined to 192.0.2.2 (best match for 192.0.2.2/32)

IPv6 Traffic Matching

Host fe80:22:ab00::3bf:159a:1 matches all three, but which is the best match?

Protection Group Name – Protected Hosts Setting – Matched Traffic
• Protection Group 4 – fe80:22:ab00::3bf:159a:1/128 – All traffic that is destined to fe80:22:ab00::3bf:159a:1
• Protection Group 5 – fe80:22:ab00::/40 – All the traffic that is destined to fe80:22:ab00::/40 except for the traffic that is destined to fe80:22:ab00::3bf:159a:1
• Protection Group 6 (serving as a Default Protection Group for IPv6 hosts) – ::/0 – All IPv6 traffic, except for the traffic that is destined to fe80:22:ab00::/40
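The longest-prefix rule from the two matching tables above, as an added example (not AED's own code): it loads the six Protection Groups of the tables, sorts each address family by prefix length, and returns the PG AED would apply to a destination address. The names and prefixes are those of the tables; the lookup is a model of the stated behaviour, not an AED API.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Protection Groups as (name, Protected Hosts prefix) pairs, taken from the IPv4
# and IPv6 matching tables. Protection Group 6 (::/0) plays the role of the
# default PG for IPv6; AED only creates the IPv4 default PG automatically.
PROTECTION_GROUPS: List[Tuple[str, str]] = [
    ("IPv4 Default Protection Group", "0.0.0.0/0"),
    ("Protection Group 2", "192.0.2.0/24"),
    ("Protection Group 3", "192.0.2.2/32"),
    ("Protection Group 4", "fe80:22:ab00::3bf:159a:1/128"),
    ("Protection Group 5", "fe80:22:ab00::/40"),
    ("Protection Group 6", "::/0"),
]


def build_tables(groups: List[Tuple[str, str]]) -> Dict[int, List[Tuple[str, Network]]]:
    """Parse the PG definitions into one list per address family, sorted so the
    most specific (longest) prefix comes first. strict=True rejects a prefix
    with host bits set, the kind of typo a PG editor should refuse."""
    tables: Dict[int, List[Tuple[str, Network]]] = {4: [], 6: []}
    for name, prefix in groups:
        net = ipaddress.ip_network(prefix, strict=True)
        tables[net.version].append((name, net))
    for family in tables:
        tables[family].sort(key=lambda item: item[1].prefixlen, reverse=True)
    return tables


def matching_groups(dst: str, tables: Dict[int, List[Tuple[str, Network]]]) -> List[str]:
    """All PGs whose prefix contains dst, best (longest) match first. This answers
    the slide's 'matches all three, but which is the best match?' for any address."""
    addr = ipaddress.ip_address(dst)
    return [name for name, net in tables[addr.version] if addr in net]


def match_protection_group(dst: str, tables: Dict[int, List[Tuple[str, Network]]]) -> Optional[str]:
    """The single PG AED would apply to traffic destined to dst, or None when no
    PG covers it (for example IPv6 traffic when no ::/0 Protection Group exists)."""
    candidates = matching_groups(dst, tables)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    tables = build_tables(PROTECTION_GROUPS)
    for host in ("192.0.2.2", "192.0.2.77", "198.51.100.9",
                 "fe80:22:ab00::3bf:159a:1", "fe80:22:ab00:1::5", "2001:db8::1"):
        print(f"{host:26} -> {match_protection_group(host, tables)}"
              f"  (all matches: {matching_groups(host, tables)})")
```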

Configure Protection Groups
Protect > Inbound Protection > Protection Groups

Protection Group Name – Should be unique and self-explanatory

Protected Hosts – Matching traffic based on:
✓ IP Address or CIDR Block
✓ Hostname (AED will use DNS for a one-time resolve, hostname → IP Address)

Server Type – Best match of characteristics with the protected hosts
1. Select a Standard Server Type to automatically copy these protection settings
2. AED creates a new Custom Server Type with the name of the Protection Group

Automatic Server-Type Creation
Protect > Inbound Protection > Protection Groups

Custom Server Type inherits the name of the assigned Protection Group

Managing Protection Groups
Protect > Inbound Protection > Protection Groups

Protection Group Mode – Follows the AED "global" system setting or explicitly sets a mode
Important: AED mitigates traffic only when the Protection Mode is Active for both the global setting AND the Protection Group. When global is set to Inactive, traffic is never mitigated.

Protection Level – Follows the AED global system setting or explicitly sets a level

Detection and Automation Policy – Alerting for Total Traffic, Blocked Traffic, and Botnet Traffic uses global settings or explicitly set values

Improve Traffic Visibility by adding Specific Protection Groups

Optimize AED Visibility & Protection

Verify Protection Groups Status

Protection Group Mode
• Inactive – protections are only simulated and not enforced
• Active – protections are enforced

Screenshot callouts:
• Alerting configured for Protection Group
• Protection Level for this Protection Group is different from the global Protection Level currently selected

Detailed Reporting

Per Protection Group specific reporting:
➢ PG Configuration details
➢ Group Cloud Signaling Status
➢ PG Overview
➢ Total PG Traffic
➢ Attack Categories
➢ Top Temporary Blocked Sources
➢ Web Traffic by URL*
➢ Web Traffic by Domain*
➢ Web Crawlers*
➢ IP Location
➢ Protocols
➢ Services

*Only when Server Types Generic or Web is used

Configuration Summary

Summary view of details defining a single Protection Group

Displayed Time Period

Screenshot callouts:
• Change Time – period and type (bps/pps) of data to be displayed
• Buttons to choose the time period for all data (default is 1 hour)
• Buttons to display bytes or packets
• Custom report period – apply custom report period

Traffic Overview

Single glance at the traffic statistics from one Protection Group together with the so-called Traffic Removal Rate (%)
• Values displayed are summary values for Total, Passed, Blocked Traffic over the selected time period
• Blocked Host count is an average over the selected time period

Screenshot callout: Attack happening?

Total Traffic

Shows the relative amount of traffic being passed and blocked for this protection group

passed and blocked are radio buttons to enable and disable displaying within the graph

Attack Categories

Shows all Protections that have been triggered within the selected time period for the selected Protection Group

Click for more info

Attack Categories – Detailed Breakdown

Expands/Collapses details

Some of the triggered Protections allow a further breakdown
• Use the Details button to see more information and breakdowns

Attack Categories – Detailed Breakdown (Cont.)

AIF Botnet Signatures & Basic Botnet Prevention offer an additional layer of breakdown
• Statistics for low, medium and high matching
• AIF always matches all rules at all protection levels – see how AIF affects the different protection levels
• AIF uses a cumulative level
  – Rules at the current level and below are active

Drill to Blocked Hosts

Mouse-over shows popup menu → Access Blocked Hosts
• Automatically inherits:
  – Selected Protection Group
  – Selected Attack Category
  – Selected Time Frame

Temporarily Blocked Sources

List of TOP 10 source hosts that have been completely blocked (at least for 1 minute)
• Verify triggering Categories
• False positive → Click the Allow List button to approve the blocked source host instead
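An added model (not AED code) of the temporary blocking described on the Temporarily Blocked Sources slides of both modules: a triggered protection puts the source on the Deny List for 60 s, a repeated offense for 300 s, and hosts on the Allow List are not processed against the protections. The hosts, the categories and the rule that any second trigger for a host counts as a repeated offense are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FIRST_OFFENSE_BLOCK = 60    # seconds a first-time source stays on the Deny List (slide value)
REPEAT_OFFENSE_BLOCK = 300  # seconds for a repeated offense (slide value)


@dataclass
class BlockedSource:
    category: str   # protection category that triggered the block
    until: int      # absolute time in seconds at which the temporary block expires
    offenses: int   # how many times this host has triggered a block so far


@dataclass
class TemporaryDenyList:
    allow_list: Set[str] = field(default_factory=set)
    blocked: Dict[str, BlockedSource] = field(default_factory=dict)
    offenses: Dict[str, int] = field(default_factory=dict)

    def trigger(self, now: int, host: str, category: str) -> Optional[int]:
        """A protection fired for `host`. Returns the block duration applied, or
        None when the host is on the Allow List and is therefore not processed
        against the configured protections. Assumption: any second trigger for
        the same host is treated as a repeated offense."""
        if host in self.allow_list:
            return None
        self.offenses[host] = self.offenses.get(host, 0) + 1
        duration = FIRST_OFFENSE_BLOCK if self.offenses[host] == 1 else REPEAT_OFFENSE_BLOCK
        self.blocked[host] = BlockedSource(category, now + duration, self.offenses[host])
        return duration

    def is_blocked(self, now: int, host: str) -> bool:
        """All of the host's traffic is dropped while its entry has not expired."""
        entry = self.blocked.get(host)
        return entry is not None and now < entry.until

    def expire(self, now: int) -> List[str]:
        """Remove expired entries and return the hosts released."""
        released = [h for h, e in self.blocked.items() if now >= e.until]
        for h in released:
            del self.blocked[h]
        return released

    def allow(self, host: str) -> None:
        """Operator action for a false positive (the Allow List button): trust the
        host and lift any current temporary block."""
        self.allow_list.add(host)
        self.blocked.pop(host, None)

    def top_offenders(self, n: int = 10) -> List[Tuple[str, int]]:
        """Hosts ranked by number of blocks, the view the 'Top 10 Offenders' list gives."""
        return sorted(self.offenses.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    # Constructed scenario: one flooding source, one trusted monitoring host.
    deny = TemporaryDenyList(allow_list={"198.51.100.7"})
    print(deny.trigger(0, "203.0.113.5", "ICMP Flood Detection"))     # 60
    print(deny.trigger(100, "203.0.113.5", "ICMP Flood Detection"))   # 300
    print(deny.trigger(5, "198.51.100.7", "HTTP Flood"))              # None
    print(deny.top_offenders())
```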

Web Traffic by URL & Domain

Breakdowns by embedded URL and domains
• Hover the cursor over an entry to see the full URL as alt-text
• Copy entry to clipboard will include the hidden part of the URL
• Deny List buttons available
  – For all PGs
  – For this PG

Web Crawlers

Total and passed traffic for Web Crawlers
• Hovering your mouse over the Web Crawler name provides additional information
• AIF feed provides information about Search Engine Operators
• Enabled Crawlers will be handled more gracefully

IP Location

Traffic statistics based on where source IP addresses are registered
• Click buttons to block country sources
• IP Location information is part of the AIF feed

Protocols

Breakdown of the Top IP protocols

If a protocol should be blocked, then update the Filter List in the Server Type assigned to this Protected Service

Services

Breakdown of the Top Services (Protocol/Port)

If a service should be blocked, then update the Filter List in the Server Type assigned to this Protected Service

Radio buttons – change displayed services

Baseline Thresholds – Alert on Violation

Optimize AED Visibility & Protection

Bandwidth Alerts

AED can generate bandwidth alerts when the Protection Group traffic exceeds one of the specified baseline thresholds
✓ Total Traffic – Total amount of data received by that Protection Group
✓ Blocked Traffic – Amount of traffic blocked or dropped for this Protection Group
✓ Botnet Traffic – Amount of traffic blocked by detected Botnet activity for this Protection Group

Use automatic notifications to be informed when any of the Baselines is exceeded and a system alert was created

Global Thresholds
Administration > System Alerts > Tab: Settings

• Configure baseline thresholds as a percentage of traffic above a Protection Group's baseline (off=0% … 750%)
• Protection Group's traffic must exceed both the baseline threshold and the minimum threshold before an alert is generated
• Alerts last at least one hour; the longer the baseline is exceeded, the more the alert's expiration time is extended. Expiration time is never > 24 hours after the alert condition disappeared

Current Traffic Thresholds
Protect > Protection Group > Select PG > Edit

Use global Threshold Values – follow the hyperlink to see the Global Threshold Configuration

Use manual threshold values to trigger a Threshold Alert

Disable if no alerting is needed for this Protection Group & this traffic type

Baselines versus Traffic Thresholds
Protect > Protection Group > Select PG > Edit

➢ Black – Baseline, traffic of the last 7 days, calculated every hour
➢ Orange – Traffic threshold, used to compare actual traffic to

Examples
Global Threshold: + 100%
Manual Threshold: 1000 pps

Improve Traffic Protection by Automation

Optimize AED Visibility & Protection

Protection Level Automation

Automatically change the Protection Level for a Protection Group
• Reduces time to mitigation
• Automatically responds to attacks
• Configurable from AEM
• Support for both IPv4 and IPv6 PGs
  – Operates separately from global Protection Level settings

About Protection Level Automation

1. AED initially sets that Protection Group's protection level to Low
   ☞ Never changes the Global Protection Level
2. Traffic exceeding the Traffic Threshold →
   a) AED continues to evaluate average traffic every 5 seconds
   b) If the average traffic remains above the Traffic Threshold, automation activates within 1 minute of the traffic increase
   c) AED automatically moves the Protection Level from Low → High
   d) Remains at the High Protection Level for at least 5 minutes
3. AED generates an alert when activated (automated)

Automation Policy: Total Traffic

Administration > System Alerts > Settings

Alert and automate using the Global Total Traffic Alert Threshold setting


Automation Policy: Total Traffic (Cont.)

Administration > System Alerts > Settings

✔ Protection Level Automation (enabled)
✘ Global Total Traffic Alert Threshold (disabled)
= No automated protection level and no alerts for Total Traffic


Automation Policy: Traffic Exceeds

Automate the protection level and alert when traffic exceeds the threshold
1. Manually define the total bps and/or pps traffic
2. Automatically changes the Protection Level from Low → High



Lab Exercise
Hands-on Exercise: Working with Protection Groups (45 min.)

Objectives
• Create Protection Groups for the server or servers that you need to protect.
• Assign to each Protection Group a Server Type that defines the protection settings that are used to mitigate traffic.


Summary
• Understand the concepts of Protection Groups

• Use Protection Groups to improve visibility into the network traffic

• Use Protection Groups to improve protection by automation

Optimize AED Visibility & Protection (Part B)

Arbor Edge Defense

In this module you will...

• Understand the concepts of Server Types

• Learn to work with Server Types

• Optimize protections by using Profile Capture and tuning


Server Types

Optimize AED Visibility & Protection


Server Types

A Server Type is a group of Protections
• Protection settings are configured for low, medium and high protection levels
• A Protection Group is associated with a single Server Type
• Server Type classes:
  Standard Server Types
    • Pre-configured
    • Can be updated
    • Cannot be deleted
  Custom Server Types
    • Created automatically by adding a new Protection Group
    • Named as the Protection Group
    • Protection settings are copied from the Standard Server Type chosen
• System Limit: 210 (10 Standard + 200 Custom ST)

Viewing Server Type

• View the Protection Group and click on the Server Type shown
• Select it in the Server Type Listing page


IPv6 Generic Server Type

AED offers one Server Type for IPv6 Protection settings
• Used as a template to create Custom IPv6 Server Types
• The Generic IPv6 Server Type is not available until you create an IPv6 Protection Group


Available Protections per Server Type

Each Server Type has a set of relevant pre-defined Protections:
• Web Server ⇒ no File Server protections
• File Server ⇒ no DNS-based protections
  – Optimal inspection and increased AED performance
  – Why check web server traffic for DNS attacks, or vice-versa?
  – There are better ways to block mismatched traffic, as mentioned above

Server Types (the columns of the original matrix): Generic IPv6, DNS Server, File Server, Mail Server, RLogin Server, VoIP Server, VPN Server, Web Server

Protection settings (the rows of the original matrix; the slide marks with an "x" which Server Types include each one): ATLAS Threat Categories, STIX Feeds, Application Misbehavior, Block Malformed DNS Traffic, Block Malformed SIP Traffic, Botnet Prevention, CDN and Proxy Support, DNS Authentication, DNS NXDomain Rate Limiting, DNS Rate Limiting, DNS Regular Expression, Filter List, Flexible Rate-based Blocking, Fragment Detection, HTTP Header Regular Expression, HTTP Rate Limiting, HTTP Reporting, ICMP Flood Detection, IP Location Policing, Malformed HTTP Filtering, Multicast Blocking, Payload Regular Expression, Private Address Blocking, Rate-based Blocking, SIP Request Limiting, Spoofed SYN Flood Prevention, TCP Connection Limiting, TCP Connection Reset, TCP SYN Flood Detection, TLS Attack Prevention, Traffic Shaping, UDP Flood Detection

Sequence

Countermeasure processing order for traffic: External → Internal
• Event Driven
• Per Packet


Working with Server Types

• Adding a new Server Type
• Duplicate Server Type
• Change existing configuration

Screenshot callouts: "Change server type being configured"; "Another way to create a custom server type"


Automatic Server Type Creation

Adding a new Protection Group automatically creates a new Server Type
• "Copy Protection Settings from this Server Type" selects the Server Type whose settings are copied into the new one


Restore Default Values

Select Restore Defaults under the Options button
⚠ It erases all custom and profiled protection settings (returns everything to the factory defaults)


Profile Capture – Tuning Protection Settings

Optimize AED Visibility & Protection


How to find the right Protection values?

Every network and every service has its own characteristics

Finding appropriate Protection Settings requires a process to be followed:
1. Design your Protection Groups
2. Learn based on the traffic pattern (Profile Capture)
3. Apply the suggested values (Profile Capture)
4. Apply BCP on prefiltering traffic by using Inline Filters
5. Verify and tune settings for all three Protection Levels in inactive mode


Recommended Workflow

1. Design Protection Groups
2. Perform Profile Capture
3. Apply suggested values
4. Configure filters
5. Verify and tune settings

Flow (from the slide diagram): Configure all PGs and STs based on your services to be protected → Verify grouping after 24h of traffic (NOK: back to configuration) → Run Profile Capture (min. 3 relevant days…) → Apply suggested values → Configure Filters → Complete configuration → Verify Inactive & high (several days) → Verify Inactive & med (several days) → Verify Inactive & low (several days). A NOK result at any verify step loops back to the Profile Capture.

Tuning
Run AED in inactive mode for several days and tune; if necessary, repeat a complete step


Profile Capture

Traffic pattern learning, used to capture traffic during normal times
• Suggests rate-based protection settings based on the customer's traffic pattern
• Used as a starting point for the protection settings tuning process
1. Capture Profile Data
2. Analyze Profile Data
3. Fine Tune Protection Settings


Supported Protections

Network traffic data is captured for the following Protections:

Protection                              Values Captured
Rate-Based Blocking                     bps threshold, pps threshold
Fragment Detection                      Max bps and Max pps
ICMP Flood Detection                    Max bps and Max pps
UDP Flood Detection                     Max bps and Max pps
DNS NXDomain Rate Limiting              DNS NXDomain Rate Limit
DNS Rate Limiting                       DNS Query Rate Limit
HTTP Rate Limiting                      HTTP Request Limit, HTTP URL Limit
SIP Request Limiting                    SIP Source Limit
Flexible Rate-based Blocking filters    bps threshold, pps threshold

Rate values are raised to the maximum for the length of the profile capture; the previous values are stored for later use.
⚠ Verify that all Protections in question are enabled in the Protection Level you are currently in.
⚠ Do not change the Protection Level or update the Protection Group prefixes throughout the Profile Capture window.


Launch Profile Capture – Step 1

Protect > Inbound Protection > Protection Groups

Start profile captures on the List Protection Groups page


Launch Profile Capture – Step 2

Protect > Inbound Protection > Protection Groups

Select the Protection Group(s) that should start a Profile Capture
• Click the check box in the table heading row to select all.
• Select the check box(es) for individual protection groups.

You should not have more than ~20 Profile Captures running simultaneously


Launch Profile Capture – Step 3

Protect > Inbound Protection > Protection Groups

Start profile captures for the selected Server Type(s): click Profile
If a profile capture is already active for a selected Protection Group, the Profile button is unavailable. To access the Profile button, deselect any Protection Groups with an active profile capture.


Launch Profile Capture – Step 4

Protect > Inbound Protection > Protection Groups

Specify how long the Profile Capture should run: move the Length of capture slider to specify the duration of the capture. You can specify from 1 day to 14 days.


Launch Profile Capture – Step 5

Protect > Inbound Protection > Protection Groups

Start the Profile Capture process: click Start


Profile Capture Status

Protect > Inbound Protection > Protection Groups

Verify the Profile Capture status in the Protection Group listing page: the icon appears when a profile capture is active for the associated server type.


Access Profile Capture Result

Protect > Inbound Protection > Server Type Configuration

Can only be accessed when the Profile Capture…
• has been completed
• was manually stopped

Click the icon to view the profile histogram


Profiled Data

Change threshold values to view how they might affect the amount of passed traffic
• Drag markers to different positions
• Enter different values in the Suggested Settings field
• To revert all or a specific protection category, click the Revert All or Revert buttons
• Select Suggested Settings, Previous Settings, or manually select & enter new settings, then click Save
Caution: once "saved", the Previous Settings (values) will be lost/discarded

Suggested Settings

Using the Suggested Rates
• Note the number blocked and % passed

Adjusting the Rates
• Adjust with the slider or manual entry
• Note the number blocked and % passed

Suggested Settings – No Data

☞ The Protection did not match any traffic during the Profile Capture window
☞ The Protection was turned off or was not enabled by default in the Protection Level used during the Profile Capture window


Profile Capture Results for a specific Protection

Alternatively, use the View Profile Histogram icon that appears next to each protection setting if data is available: click the icon to view a single profile histogram


Histograms

Display observed traffic volumes for a Protection
In alignment with the Protection traffic data captured, there are different types of histograms: packets per second, bits per second, requests per second


Histogram Scales

Change the scale of the y-axis in the histogram graph
• Linear: presents the number of hosts on a linear scale, in which the lines in the graph are proportional to the number of hosts (10, 20, 30, …)
• Log: presents the number of hosts on a logarithmic scale, in which each unit increase represents an exponential increase in the number of hosts (1, 10, 100, …)


Histogram Scales – Use Cases

• Log histograms: useful for seeing values observed from any number of hosts
  – Useful for setting Low protection levels
  – Helps to include all legitimate observed hosts, even those with extreme usage
    • Even a single extreme legitimate client is easily seen
• Linear histograms: useful for seeing values observed in the majority of traffic
  – Useful for choosing settings for High protection levels
  – Helps choose settings that include all typical users
  – Hosts with extreme usage are not obvious
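The Profiled Data and Histogram Scales slides above, as an added Python example (not AED's implementation): constructed per-host request rates from a profile capture are binned into a histogram rendered with a linear and a log y-axis (the single extreme client disappears on the linear scale), and a candidate rate limit is evaluated for the number of hosts blocked and the percentage passed.

```python
import math
from collections import Counter

# Constructed per-host peak HTTP request rates (requests/s) seen during a profile capture:
# many light clients, a few heavy ones, and one legitimate but extreme client.
OBSERVED_RATES = [3] * 400 + [8] * 250 + [15] * 120 + [30] * 40 + [60] * 8 + [900]
BAR_WIDTH = 40


def histogram(rates, bin_width=10):
    """Hosts per rate bin (bin label = lower edge of the bin), sorted by rate."""
    return dict(sorted(Counter((r // bin_width) * bin_width for r in rates).items()))


def bar_length(count, max_count, scale):
    """Bar length for a host count on a linear or log y-axis (log keeps a single host visible)."""
    if count <= 0:
        return 0
    if scale == "linear":
        return round(count / max_count * BAR_WIDTH)
    # log scale: 1 host -> one unit, 10 hosts -> two units, 100 hosts -> three units, ...
    return round((math.log10(count) + 1) / (math.log10(max_count) + 1) * BAR_WIDTH)


def render(hist, scale):
    """Text rendering of the histogram; returns one line per rate bin."""
    max_count = max(hist.values())
    return [f"{rate:>5} req/s | {'#' * bar_length(n, max_count, scale):<{BAR_WIDTH}} {n}"
            for rate, n in hist.items()]


def evaluate_threshold(rates, threshold):
    """What a candidate rate limit would do to the profiled hosts: (hosts blocked, % passed)."""
    blocked = sum(1 for r in rates if r > threshold)
    return blocked, 100 * (len(rates) - blocked) / len(rates)


if __name__ == "__main__":
    hist = histogram(OBSERVED_RATES)
    for scale in ("linear", "log"):
        print(f"--- {scale} y-axis ---")
        print("\n".join(render(hist, scale)))
    for limit in (50, 100, 1000):
        blocked, passed = evaluate_threshold(OBSERVED_RATES, limit)
        print(f"limit {limit:>4} req/s: {blocked} host(s) blocked, {passed:.2f}% passed")
```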


Profile Capture Caveats

• During a Profile Capture the AED is not defending the service(s) of that PG with any rate-based protection
• Do not change the Protection Level for that PG during a Profile Capture window
• If an attack was experienced during the Profile Capture window, you must repeat the process
  – Profile Captures over longer periods of time are more likely to record attacks or anomalies and therefore dilute the provided statistics
☞ Only one set of Profile Capture results per PG is stored on the AED


Lab Exercise
Hands-on Exercise: Applying Profile Capture (20 min.)

Objectives
• Apply the suggested settings from your Profile Capture to AED's rate-based protection settings


Summary
• Reviewed the concept behind Server Types

• Worked with Server Types

• Used Profile Capture and tuning to optimize protections

Volumetric Attack

Arbor Edge Defense

In this module you will...

• Discuss the threats of volumetric DDoS attacks

• Identify countermeasures that are applicable to volumetric attacks

• Understand how to use FCAP Expression Language


Flooding Attacks

Volumetric Attacks


Volumetric DDoS Attacks

[Slide diagram] Flood traffic (DNS Amplification, UDP Flood, ICMP Flood, NTP Amplification, memcached) arrives from ISP 1, ISP 2 … ISP 'n' and passes AED → Firewall → IPS → Load Balancer in front of the Data Center's target applications & services. Legend: Attack Traffic, Good Traffic.


Flooding Attacks

Sending a huge amount of traffic to overwhelm a service or an intermediate device or link, often referred to as a Brute-Force attack

Attack Characteristics
• Traffic to one or more protocols or ports
• Spoofed or non-spoofed traffic
• Can look like normal traffic (but more of it)
• Reflection or Amplification traffic

Targets
• Server network connection speed
• Firewall or Load-balancer performance
• Router performance
• Site Internet uplink speed

Problems caused
• Increased latency
• Packet loss seen
• Device failures (crashes/hung)
• Service or complete offline


Layer 3/4 Protection Categories*

• Invalid Packets
• ATLAS Threat Categories
  – Email Threats
  – Location Based Threats
  – Campaigns & Targeted Attacks
  – Command & Control
  – DDoS Reputation
  – Malware
  – Mobile
• STIX/TAXII
• Filter List
• Rate-based Blocking & Flexible Rate-based Blocking
• Payload Regular Expression
• ICMP Flood Detection
• UDP Flood Detection
• Fragment Flood Detection
• Multicast Blocking
• Private Address Blocking
• Spoofed SYN Flood Prevention
• TCP Out-of-Sequence Authentication
• TCP Connection Limiting
• TCP Connection Reset
• TCP SYN Flood Detection
• Traffic Shaping

*Does not reflect the processing order


Invalid Packets

Volumetric Attacks


IPv4 & IPv6 Invalid Packets

Detects and handles various forms of invalid IPv4 or IPv6 TCP/IP packets
• Not user-defined, non-configurable and always-on
  – Designed to drop really "wrong" packets
  – No changes occur as the protection level increases
  – Will drop packets only
• Takes precedence over denied and allowed hosts
  – Blocks invalid packets from whitelisted hosts
• Details button lists the reason(s) why traffic was considered to be invalid


Reasons Why Packets are Considered Invalid

IPv4 block reasons
• IPv4 header checks:
  – Malformed IP header
  – Bad IP checksum
  – Short packet
• Fragmentation checks:
  – Incomplete Fragment
  – Duplicate Fragment
  – Fragment too long
• Layer 4 checks:
  – Short TCP/UDP/ICMP Packet
  – Bad TCP/UDP Checksum
  – Invalid TCP Flags
  – Invalid ACK Number

IPv6 block reasons
• IPv6 MTU Violation
• Duplicate IPv6 Extension Headers
• Out of Order IPv6 Extension Headers
• Bad Hop-by-Hop Options
• Incorrect IPv6 Payload Length
• Jumbo Option Inconsistent with IPv6 Header
• IPv6 Route Type 0 Headers
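Some of the IPv4 header and Layer 4 checks listed above, implemented as an added Python example (not AED code): constructed IPv4/TCP packets with RFC 5737 test addresses are examined and the matching block reasons are reported. Which flag combinations count as Invalid TCP Flags (none set, SYN with FIN or RST) is an assumption, since the slide only names the reason.

```python
import ipaddress
import struct

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, proto=6, total_len=None, bad_checksum=False):
    """Constructed IPv4 packet (RFC 5737 test addresses) for exercising the checks below."""
    total_len = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address("203.0.113.5").packed,
                      ipaddress.ip_address("198.51.100.10").packed)
    csum = ipv4_checksum(hdr) ^ (0x0001 if bad_checksum else 0)   # optionally corrupt it
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_tcp(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header carrying the given flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def invalid_reasons(pkt):
    """Block reasons (named as on the slide) that apply to this packet; [] if it looks valid."""
    reasons = []
    if len(pkt) < 20:
        return ["Short packet"]
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["Malformed IP header"]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        reasons.append("Short packet")        # declared length does not fit the bytes seen
    if ipv4_checksum(pkt[:ihl]) != 0:
        reasons.append("Bad IP checksum")
    l4 = pkt[ihl:total_len]
    if pkt[9] == 6:                           # TCP
        if len(l4) < 20:
            reasons.append("Short TCP/UDP/ICMP Packet")
        else:
            flags = l4[13] & 0x3F
            # assumption: no flags at all, or SYN combined with FIN or RST, is invalid
            if flags == 0 or (flags & SYN and flags & (FIN | RST)):
                reasons.append("Invalid TCP Flags")
    elif pkt[9] in (1, 17) and len(l4) < 8:   # ICMP / UDP headers are 8 bytes
        reasons.append("Short TCP/UDP/ICMP Packet")
    return reasons


if __name__ == "__main__":
    samples = [("valid SYN", build_ipv4(build_tcp(SYN))),
               ("bad checksum", build_ipv4(build_tcp(SYN), bad_checksum=True)),
               ("SYN+FIN", build_ipv4(build_tcp(SYN | FIN))),
               ("truncated", build_ipv4(build_tcp(ACK))[:30])]
    for name, pkt in samples:
        print(f"{name:13s} -> {invalid_reasons(pkt) or 'OK'}")
```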

Campaigns & Advanced Threats Information

Volumetric Attacks


Reputation-based Detection for DDoS

[Slide diagram] The ASERT AIF Reputation Feed is delivered to the AED, which sits between ISP 1, ISP 2 … ISP 'n' and the Data Center (IPS, Load Balancer, target applications & services). Legend: Attack Traffic, Good Traffic.

Active DDoS Campaigns
• Reputation feed includes IP address, protocol ranges and port ranges

Advanced Threats
• Reputation feed includes IP, DNS, URI, and URL information
• Separate IP reputation for inbound and outbound traffic
• DNS reputation applied bi-directionally
• DNS reputation includes hostnames in DNS requests
AIF Categories

Category: Sub-Categories of Threats
• DDoS Reputation: Identifies DDoS attackers based upon IP address indicators from ATLAS; Identifies DDoS targets based on indicators from ATLAS; HTTP Flooder
• IP Geo-Location: Identify country location → sources of inbound traffic; Identify country location → destinations of outbound traffic
• Web Crawler Identification: Identify inbound connections to web services from known search engines
• Location-Based Threats: Traffic Anonymization Services (TOR, Proxy); Sinkholes; Scanner; Other
• Email Threats: Spam; Phishing
• Campaigns and Targeted Attacks: APT; Watering Hole; Hacktivism; Rootkit; RAT
• Command & Control: Peer-to-Peer; HTTP; IRC; Mobile C&C
• Mobile: Spyware; Malicious App
• Malware: Webshell; DDoS Bot; Ransomware; Dropper; RAT; Ad Fraud; Fake Anti Virus; Worm; Banking; Credential Theft; Virtual Currency; Backdoor; Spyware; Other; Drive By; Exploit Kit; Social Network; Point of Sale


Confidence Index

The Confidence Index reflects active malware, botnets, & campaigns in real-time
• Per-Protection Level setting
• When ASERT spots malware and creates a rule, confidence is set to 100
  – Value can range from 1 – 100
  – Measure of ASERT's confidence that traffic matching a particular rule is not a false-positive
• If malware is spotted less frequently over time, the Confidence Index is decreased
• If malware frequency increases again, the Confidence Index increases
Inbound Reputation-Based Protection

Use the AIF Default or provide your own Custom value
• Inbound protection for DDoS using ATLAS IP, DNS, URI, URL Reputation
• Delivered as part of the ATLAS Intelligence Feed

ATLAS Threat Categories

[Slide screenshot] Radio button selection

Attack Categories

[Slide screenshot] Detail view & statistics


Block Threats using STIX/TAXII 2.0 IOCs

Volumetric Attacks

Block Threats using STIX/TAXII 2.0 IOCs

[Slide diagram] The AED acts as a TAXII 2.0 client pulling a STIX 2.0 feed of active IOCs. Inbound threats from ISP 1, ISP 2 … ISP 'n' and outbound threats from the Data Center (Firewall, IPS, Load Balancer, target applications & services) are blocked at the AED.


STIX/TAXII

Structured Threat Information eXpression
• A standardized language and serialization format used to exchange cyber threat intelligence (CTI)
• STIX enables organizations to share CTI with one another in a consistent and machine-readable manner
• STIX is currently maintained by the OASIS CTI TC (Cyber Threat Intelligence Technical Committee)

Trusted Automated Exchange of Intelligence Information
• An application layer protocol used to exchange cyber threat intelligence (CTI) over HTTPS
• Designed specifically to support STIX information, which it does by defining an API that aligns with common sharing models
• TAXII is specifically designed to support the exchange of CTI represented in STIX. It is designed for STIX but is not limited to STIX
Anomali STAXX

• Anomali STAXX provides bi-directional sharing of threat intelligence from STIX/TAXII sources that are in the cloud or on-premise
• With Anomali STAXX, you can connect to STIX/TAXII servers, discover and configure their threat feeds, and pull (download) threat intelligence from those feeds
• You can also push (upload) selected observables to other STIX/TAXII servers.


Filter Lists

Volumetric Attacks


Recommended Workflow

1. Design Protection Groups
2. Perform Profile Capture
3. Apply suggested values
4. Configure filters
5. Verify and tune settings

Flow (from the slide diagram): Configure all PGs and STs based on your services to be protected → Verify grouping after 24h of traffic (NOK: back to configuration) → Run Profile Capture (min. 3 relevant days…) → Apply suggested values → Configure Filters → Complete configuration → Verify Inactive & high (several days) → Verify Inactive & med (several days) → Verify Inactive & low (several days). A NOK result at any verify step loops back to the Profile Capture.

Tuning
Run AED in inactive mode for several days and tune; if necessary, repeat a complete step


Filter and Filter Lists: Overview

Filter Lists can reduce the processing load on the AED
o Limiting the amount of traffic that needs to go through all countermeasures
o If a packet matches, no further processing is done for that packet

Filter lists are often compared to ACLs
o Drop → traffic is explicitly dropped
o Pass → traffic is explicitly whitelisted, no further inspection

AED devices can share their global lists with the Cloud Service Provider
o Local Filter Lists are sent to the Cloud Service Provider
o Local changes are automatically synchronized
☞ Allows a common security posture (local versus cloud)

Filter and Filter Lists: Actions

Allow Lists (Pass)
o Known partner networks
o Approved remote workers
o Known secure clients

Deny Lists (Drop)
o Security group infected subscriber lists
o Third-party tool bot and infected host lists
o Networks or countries without a legitimate use case

Can be configured:
• globally (all Protection Groups)
• per Protection Group

Filter and Filter Lists: Types

Global Deny/Allow List                Uses IP addresses or CIDR blocks to allow or deny for all PGs
Master Filter List                    Uses FCAP expressions to identify traffic to allow or deny for all PGs
PG Specific Filter List               Uses FCAP expressions to allow or deny for a specific PG
DNS Regular Expression (Deny Only)    Regular expressions that search DNS queries and responses for a specific PG
HTTP Regular Expression (Deny Only)   Regular expressions that search HTTP queries for a specific PG
IP Location (Deny Only)               Uses location data to identify traffic from specific source countries

Filter Traffic with FCAP Expression Language

Volumetric Attacks


Filter and Filter List: Guidelines

☞ Filter Lists are processed from top to bottom
☞ Filter Lists do not have an implicit 'deny any any' at the end
☞ Filter Lists containing an IP address and an overlapping CIDR block → the most specific match always takes precedence
☞ Processing Order:
   Inbound Global Deny/Allow List → incoming filter, global, CIDR based
   Master Filter List → incoming filter, global, multi-match based
   Filter List → incoming filter, specific PG, multi-match based
☞ AED begins to block (Deny List) or pass (Allow List) traffic immediately when a host is added
☞ It takes several minutes to remove a blocked item from the dynamic deny list and pass its traffic
☞ IPv4 Deny List / Allow List stores a maximum of 20,000 hosts and CIDRs
☞ IPv6 Deny List / Allow List stores a maximum of 12,000 hosts and CIDRs

Master Filter List

Master Filter Lists containing drop and/or pass expressions are applied to all active Protection Groups
• Support FCAP multi-match statements
• Simplifies control of unwanted traffic as well as defining known good hosts


Allow Traffic in Advance

Reduce service interruptions by explicitly allowing them in the Master Filter List
Example: permit BGP peering between 192.168.33.33 and 192.168.2.9 (the slide diagram shows the BGP session passing through the AED)

Surgical Traffic Removal

• Each packet is tested by each of the FCAP expression rules sequentially (top → down)
  – Match drop rule → dropped without any further processing
  – Match pass rule → passed through without any further processing
  – Packets not matching any rule are subject to further validation by protections
• Each Protection Level setting can have a different filter list (getting more restrictive)
Best Practice: Drop all unnecessary traffic globally with the Master Filter List or specifically in the Filter List of a Protection Group
FCAP Expressions Basics

Expression                                                           Reference
[src | dst] [net | host] addr                                        Matching networks and hosts
[protocol | proto] protocol-name                                     Matching protocols
[protocol | proto] number
{tflags | tcpflags} flags/flag-mask                                  Matching TCP flags
[src | dst] port {port-name | number} [ .. {port-name | number} ]    Matching port or port range
bpp or bytes number [ .. number ]                                    Matching IP length or range of lengths
icmptype {icmptype | number}                                         Matching ICMP messages
icmpcode code
tos number                                                           Matching Type of Service
ttl number                                                           Matching Time to Live
frag                                                                 Matching Fragments

More information can be found in the User Guide or the Pocket Guide
Identify Required Traffic

[Slide graphic: word-art slogans; recoverable fragments: "Don't think … all … technically possible", "block what could be used → block what you …"]

Careful use of Pass Statements

Passed traffic is considered safe and is not processed by any protection

Example: you want to block all UDP traffic except when going to the DNS Server 1.2.3.4

WRONG:
  pass dst 1.2.3.4/32
  drop udp
☣ Means you will not be able to protect host 1.2.3.4 from any attack

CORRECT:
  drop udp and !(dst 1.2.3.4/32)
☞ Means you drop UDP traffic except (! = not) when it's destined to the host 1.2.3.4

Example: Protect a Web server (HTTP Only)

  drop not (proto icmp or proto tcp)
  drop proto tcp and not (src port 1024..65535 and dst port 80)
  drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

Important
Never just copy examples; modify the filter as required based on your network's situation:
• Mix of services or applications running
• Services needing protection
Do not use these examples during our lab exercises
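The filter semantics from the Surgical Traffic Removal slide (top to bottom, first match wins, drop or pass ends processing, no match goes on to the protections, no implicit deny) run over the WRONG/CORRECT pair from Careful use of Pass Statements and the HTTP-only web server rules above, as an added Python example (not AED code and not its real FCAP implementation). The parser covers only the FCAP subset these slides use, and the packet summaries with their RFC 5737 addresses are constructed.

```python
import ipaddress
import re

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
ADDR_FIELDS = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}
PORT_FIELDS = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}


def parse_range(tok):
    lo, _, hi = tok.partition("..")  # "80" -> (80, 80); "1024..65535" -> (1024, 65535)
    return int(lo), int(hi or lo)


def parse_fcap(expr):
    """Parse the FCAP subset used on these slides into a nested tuple tree.
    Precedence: not/! binds tightest, then and, then or; parentheses group."""
    toks = re.findall(r"\(|\)|!|[^\s()!]+", expr)  # '(' ')' '!' are their own tokens
    pos = [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def chain(op, operand):  # left-associative run of one operator: a op b op c
        node = operand()
        while peek() == op:
            take()
            node = (op, node, operand())
        return node
    def parse_or():
        return chain("or", lambda: chain("and", parse_not))
    def parse_not():
        if peek() in ("not", "!"):
            take()
            return ("not", parse_not())
        if peek() == "(":
            take()
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        return predicate()
    def predicate():
        direction, tok = None, take()
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok in ("net", "host", "proto", "protocol"):  # keywords that only introduce a value
            tok = take()
        if tok in PROTO_NUMBERS:  # "proto udp", or the bare "udp" of "drop udp"
            return ("proto", PROTO_NUMBERS[tok])
        if tok == "port":
            return ("port", direction, parse_range(take()))
        if tok in ("bpp", "bytes"):
            return ("bpp", parse_range(take()))
        if tok in ("icmptype", "icmpcode"):
            return (tok, int(take()))
        return ("addr", direction, ipaddress.ip_network(tok, strict=False))
    node = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node


def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "addr":
        return any(ipaddress.ip_address(pkt[k]) in node[2] for k in ADDR_FIELDS[node[1]])
    if kind == "port":
        return any(pkt[k] is not None and node[2][0] <= pkt[k] <= node[2][1] for k in PORT_FIELDS[node[1]])
    if kind == "bpp":
        return node[1][0] <= pkt["bpp"] <= node[1][1]
    return pkt[kind] == node[1]  # proto / icmptype / icmpcode


def compile_filter_list(lines):
    """'<drop|pass> <expression>' per line, kept in order: AED evaluates top to bottom."""
    return [(line.split(None, 1)[0], parse_fcap(line.split(None, 1)[1])) for line in lines]


def apply_filter_list(rules, pkt):
    """First match wins and ends processing; no match -> 'inspect' (on to the protections)."""
    return next((action for action, node in rules if matches(node, pkt)), "inspect")


def packet(proto, src, dst, sport=None, dport=None, bpp=64, icmptype=None, icmpcode=None):
    """Constructed packet summary holding just the fields this FCAP subset inspects."""
    return dict(proto=PROTO_NUMBERS[proto], src=src, dst=dst, sport=sport, dport=dport,
                bpp=bpp, icmptype=icmptype, icmpcode=icmpcode)


# Filter lists from the slides: the WRONG/CORRECT pair and the HTTP-only web server example
WRONG_RULES = ["pass dst 1.2.3.4/32", "drop udp"]
CORRECT_RULES = ["drop udp and !(dst 1.2.3.4/32)"]
WEB_RULES = ["drop not (proto icmp or proto tcp)",
             "drop proto tcp and not (src port 1024..65535 and dst port 80)",
             "drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))"]
```

With the WRONG list, every packet to 1.2.3.4 returns "pass" and bypasses all protections; with the CORRECT list it returns "inspect", so the DNS host stays covered while other UDP traffic is dropped.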

Example: Protect a Web server (HTTP & HTTPS)

  drop not (proto icmp or proto tcp)
  drop proto tcp and not (src port 1024..65535 and (dst port 80 or dst port 443))
  drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

Important
Never just copy examples; modify the filter as required based on your network's situation:
• Mix of services or applications running
• Services needing protection
Do not use these examples during our lab exercises
Example: Protect an Authoritative DNS Server

  drop not (proto icmp or proto udp or proto tcp)
  drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
  drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
  drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

Important
Never just copy examples; modify the filter as required based on your network's situation:
• Mix of services or applications running
• Services needing protection
Do not use these examples during our lab exercises

Example: Protect a Recursive DNS Server

Ø drop not (proto icmp or proto udp or proto tcp)


Ø drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and
dst port 1024..65535))
Ø drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and
dst port 1024..65535))
Ø drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

Important
Never just copy examples, modify filter as
required based on your network’s situation:
• Mix of Services or Applications running
• Services needing protection
Do not use these examples
during our lab exercises

Example: Drop Packets using Private IPs

Customer would like to drop any private IPs during mitigation


Ø drop net 0.0.0.0/8
Ø drop net 127.0.0.0/8
Ø drop net 10.0.0.0/8
Ø drop net 172.16.0.0/12
Ø drop net 192.168.0.0/16
Ø drop net 224.0.0.0/4
Ø drop net 240.0.0.0/4
Important
Never just copy examples, modify filter as
required based on your network’s situation:
• Mix of Services or Applications running
• Services needing protection


Example: Drop DNS & NTP Amplification Attacks

• DNS Amplification Attack – drop packets bigger than 512 bytes


Ø drop proto udp and src port 53 and bpp 512..65535
Note: may block legitimate traffic, as it drops every DNS response bigger than 512 bytes; responses carrying EDNS0 options or DNSSEC records regularly exceed 512 bytes

• NTP Amplification Attack


Ø drop proto udp and port 123 and bpp 220..1500

Important
Never just copy examples, modify filter as
required based on your network’s situation:
• Mix of Services or Applications running
• Services needing protection


Example: Simple Filter

In order to drop all traffic except:


✓ ICMP
✓ TCP to port 80
✓ TCP from ports 53, 80 or 443
✓ UDP from port 53

Ø drop not (proto icmp or proto tcp or proto udp)


Ø drop proto tcp and not (dst port 80 or src port 53 or src port 80 or src port 443)
Ø drop proto udp and not src port 53


Example: Complex Filter

Use comments (#) to create sections

# EXPLICIT ALLOWED
pass src host 1.2.3.4 and proto tcp and port 179 and dst host 5.6.7.8
# FILTERED IP SOURCES
drop net 0.0.0.0/8
drop net 127.0.0.0/8
drop net 10.0.0.0/8
drop net 172.16.0.0/12
drop net 192.168.0.0/16
drop net 224.0.0.0/4
drop net 240.0.0.0/4
# FILTERED IP PROTOCOLS
drop not (proto udp or proto tcp or proto esp or proto icmp or proto gre or proto ipv6)
# DETAILED IP FILTERS
drop src port 0 and (proto udp or proto tcp)


AED Protection Tuning

Volumetric Attacks


Recommended Workflow

1. Design Protection Groups: configure all PGs and Server Types based on the services to be protected
2. Perform Profile Capture: run Profile Capture for a minimum of 3 relevant days and verify the grouping
3. Apply suggested values: once the capture is complete, apply the suggested values and verify them
4. Configure filters: complete the configuration with Filter Lists and Filters
5. Verify and tune settings: after 24h of traffic, run the AED in inactive mode in each Protection Level (high, then medium, then low) for several days each and verify the result; if a verification is NOK, repeat that step completely

Tuning
Run AED in inactive mode for several days and tune; if necessary, repeat a complete step


Tuning Inactive Mode

Tuning of any Protection Group should be conducted prior to going live


• Don’t forget to configure Filter Lists and Filters
• Don’t forget to configure the other relevant Protections in the associated Server Type
  – Hierarchical structure between the three Protection Levels
  – Higher Protection Levels should be stricter
• Test the configuration of the Protection Group in each Protection Level in inactive mode before switching to active
• Tune the configuration when needed and repeat the corresponding tuning cycle


Tuning Inactive Mode

• Place the AED or Protection Groups into inactive mode
• Now let the AED apply the existing configuration to the traffic streams and simulate what kind of decision would be made
• Operate the AED for up to 7 days in each of the available Protection Levels; this allows you to test all possible fluctuations throughout a weekly cycle.
  ✓ Weekday versus weekend
  ✓ Daytime versus nighttime

Tuning Inactive Mode

At the end of each observation period, the statistics of each individual Protection Group must be evaluated manually


Anything the AED reports as blocked while you are in a non-attack situation is over blocking!


Tuning Inactive Mode

Identify Over Blocking


☞ Temporarily Blocked Sources
– Who is listed?
– What is the source country?
– What are the Attack Categories?

☞ Attack Categories?
– Which Attack Categories are listed?
– How much traffic is affected?
– Is traffic permanently or periodically blocked?


Tuning Inactive Mode

Identify Over Blocking


• Mouse-over shows popup
menu
• Select Blocked Hosts
– Automatically inherits:
• Selected Protection Group
• Selected Attack Category
• Selected Time Frame


Tuning Inactive Mode

Identify Over Blocking


The Blocked Host detail (opens via the Details button) answers:
• Who was blocked? Origin (source IP), frequency and location
• Protected destination: which destination, and how much traffic was blocked
• Attacks detected: which Attack Categories, and how many PGs are affected (a source blocked in multiple PGs is less likely to be legitimate)

Reading the ports of a blocked host:
• Lower range port: external client going to a service on a protected IP
• High range port: external server, return traffic to a protected client IP


Attackers sending Excessive Traffic

Rate-based Blocking Thresholds


Figure (reconstructed): all traffic from one source host is measured against a "virtual traffic tube" with the global Rate-based Blocking Threshold, e.g. 1 Gbps and/or 10 Kpps.

Traffic exceeds the configured ‘global’ Rate-based Blocking Threshold (bps or pps)

Source host is added to the dynamic Deny List


for at least 60 seconds, repeat offenders for 5 minutes

Rate-based Blocking

• One method to prevent flood, TCP SYN, and protocol attacks, as well as connection
table and request table exhaustion attacks
• AED constantly examines the bit rate and packet rate of traffic from each source host
– If traffic exceeds the bps or pps threshold → AED temporarily blocks the source IP
– Use Profile Capture to identify acceptable use thresholds

Rate-based Blocking Thresholds with Flexible Filters


Figure (reconstructed): the global threshold (1 Gbps and/or 10 Kpps) is supplemented by two flexible thresholds on narrower traffic streams:
• Flexible Rate-based Blocking - Filter 1: FCAP proto udp → 25 Mbps
• Flexible Rate-based Blocking - Filter 2: FCAP proto icmp → 10 pps

Traffic exceeds the configured ‘global’ or ‘flexible’ Rate-based Blocking Threshold (bps or pps)

Source host is added to the dynamic Deny List


for at least 60 seconds, repeat offenders for 5 minutes

Flexible Rate-based Blocking

Two configurable filters à target specific traffic streams


• Uses FCAP expressions identifying excessive traffic sent to protected hosts
– Source hosts that exceed configured thresholds are temporarily blocked
• Configure these settings to help prevent flood, TCP SYN, and protocol attacks, as well as
connection table and request table exhaustion attacks
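The global threshold, the two flexible filters and the 60 s / 300 s deny-list behaviour from the two slides above, as an added example that is not AED code. The per-second measurement, the two example filters (proto udp → 25 Mbps, proto icmp → 10 pps) and the packet stream are constructed; how AED actually measures rates internally is not described on the page and is not claimed here.

```python
"""Added example, not AED code: a model of Rate-based Blocking with the
dynamic Deny List as the deck describes it. Each source host's traffic is
measured per second against the global bps/pps threshold and against every
flexible filter it matches; an offender is denied for 60 s, a repeat
offender for 300 s. The thresholds are the deck's examples, the packets
are constructed."""
from collections import Counter, defaultdict

GLOBAL_BPS, GLOBAL_PPS = 1_000_000_000, 10_000   # 1 Gbps and/or 10 Kpps
FIRST_BLOCK, REPEAT_BLOCK = 60, 300               # seconds on the deny list


class RateBlocker:
    def __init__(self, flexible):
        # flexible: list of (name, predicate(pkt) -> bool, bps limit or None, pps limit or None)
        self.flexible = flexible
        self.deny = {}                                 # src -> time the deny-list entry expires
        self.offences = defaultdict(int)               # src -> violations seen so far
        self.counters = defaultdict(lambda: [0, 0])    # (src, bucket) -> [bits, packets] this second
        self.window = None                             # the second currently being measured

    def observe(self, t, pkt):
        """Account one packet dict(src, proto, bytes) seen at time t: 'forwarded' or 'denied'."""
        sec = int(t)
        if self.window is not None and sec != self.window:
            self._evaluate(self.window)                # decide on the second just completed
            self.counters.clear()
        self.window = sec
        src = pkt["src"]
        if t < self.deny.get(src, 0):
            return "denied"                            # still on the dynamic deny list
        buckets = ["global"] + [name for name, pred, _, _ in self.flexible if pred(pkt)]
        for bucket in buckets:
            self.counters[(src, bucket)][0] += pkt["bytes"] * 8
            self.counters[(src, bucket)][1] += 1
        return "forwarded"

    def _evaluate(self, sec):
        limits = {"global": (GLOBAL_BPS, GLOBAL_PPS)}
        limits.update({name: (bps, pps) for name, _, bps, pps in self.flexible})
        offenders = set()
        for (src, bucket), (bits, pkts) in self.counters.items():
            bps, pps = limits[bucket]
            if (bps is not None and bits > bps) or (pps is not None and pkts > pps):
                offenders.add(src)
        for src in offenders:                          # one offence per source per second
            self.offences[src] += 1
            hold = FIRST_BLOCK if self.offences[src] == 1 else REPEAT_BLOCK
            self.deny[src] = sec + 1 + hold


def constructed_stream():
    """An ICMP sender at 50 pps (flexible limit 10 pps) next to a DNS client at 5 pps."""
    icmp = dict(src="203.0.113.5", proto="icmp", bytes=64)
    dns = dict(src="198.51.100.7", proto="udp", bytes=80)
    pkts = [(sec + i / 50, icmp) for sec in (0, 1) for i in range(50)]
    pkts += [(sec + i / 5, dns) for sec in (0, 1, 2) for i in range(5)]
    pkts.append((2.0, icmp))                           # probes while denied
    pkts += [(70 + i / 50, icmp) for i in range(50)]   # comes back after the 60 s entry expired
    pkts.append((72.0, icmp))                          # now a repeat offender: 300 s
    return sorted(pkts, key=lambda e: e[0])


def run():
    blocker = RateBlocker([
        ("udp 25 Mbps", lambda p: p["proto"] == "udp", 25_000_000, None),   # Filter 1 from the slide
        ("icmp 10 pps", lambda p: p["proto"] == "icmp", None, 10),          # Filter 2 from the slide
    ])
    verdicts = Counter()
    for t, pkt in constructed_stream():
        verdicts[(pkt["src"], blocker.observe(t, pkt))] += 1
    return blocker, verdicts
```

The first second of the ICMP burst is forwarded, because a rate can only be judged once the second is complete; the source then sits on the deny list until t = 61, and when it returns at t = 70 and offends again the second entry lasts 300 s. The DNS client at 5 pps never trips any bucket and is never touched.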


Attackers sending Excessive UDP Traffic

UDP Flooding

UDP is a stateless protocol, and many legitimate applications running on the internet use UDP and are easily abused

Attack Characteristics:
• Traffic to one or more protocols or ports
• Easy to spoof the source IP address
• Allows Traffic Reflection
• Allows Traffic Amplification

Targets:
• Server network connection speed
• Firewall or Load-balancer performance
• Router forwarding performance (pps)
• Site Internet uplink speed

Problems caused:
• Increased latency
• Packet loss seen
• Device failures (crashes/hung)
• Service completely offline


UDP Flood Detection

Blocks excessive amounts of UDP from a source host


• Separate thresholds for bps and pps
• Hosts violating a threshold with Protection Level:
– low → not blocked, but UDP traffic is policed down to the configured threshold
– medium or high → temporarily blocked
• Only enabled by default on the Web Server Type for medium and high protection levels


Attackers sending Excessive Fragmented Traffic

Fragmentation Flooding

Packet reassembly is CPU intensive and can only start once all fragments have been received; many fragment chains stay incomplete

Attack Characteristics:
• Traffic fragmented into multiple pieces
• Incomplete fragment chains (fragments missing)
• Duplicate fragments
• Fragments heavily out of order

Targets:
• Server performance due to reassembly
• Load-balancer processing latency due to reassembly
• IPS performance due to reassembly
• Firewall performance due to reassembly

Problems caused:
• Increased CPU load due to reassembly
• Security devices not detecting threats
• Device failures (crashes/hung)
• High CPU load on server & L7 devices


Fragmentation Detection

Blocks excessive IP fragments usage from a source


• Separate thresholds for bps and pps
• Hosts violating a threshold with Protection Level:
– low → not blocked, but fragmented traffic is policed down to the configured threshold
– medium or high → temporarily blocked
• Enabled by default on all Server Types for medium and high protection levels


Attackers sending Excessive ICMP Traffic

ICMP Flooding

ICMP floods attempt to overwhelm the victim


• Sources continuously send ICMP packets
• Impact
– Victim must process all packets and attempt to respond to all of the packets
– Overwhelms the bandwidth in the Data Center access links
– Disables infrastructure due to excessive pps (small routers)
• ICMP Reflection attack
– Sends an Echo Request to the (broadcast) IP with the source address field of the request
packet spoofed to that of the victim


ICMP Flood Detection

• All ICMP traffic from each source is inspected


– If the number of ICMP packets per second exceeds the ICMP Rate, offending host is
temporarily blocked
• Note: Does not solve the problem for reflection attacks when the sources are highly distributed


Police traffic passing the AED

IP Location Policing

Useful if you know which countries the PG is communicating with

• You can use the PG traffic report to see which countries send traffic during peace time
• Uses IP Location Data
• Block, pass or rate limit the traffic
• IPv4 only


Traffic Shaping

Used as a last resort or when attack vector can’t be isolated


• Better described as Policing or Committed Access Rate
• Drops both legitimate and attack traffic
☞ Get traffic down to a manageable rate
☞ Control flash crowd-like situations
☞ Packets causing the forwarding rate to exceed (bps or pps) are dropped
⚠ Applied before the application decoders, aka before all layer 7 protections
Lab Exercise
Hands-on Exercise: Volumetric DDoS Attacks (45 min.)

Objectives
• Use the available protections to identify and
block unwanted traffic.
• Monitor the effectiveness of the mitigation.


Summary
• Discussed threats caused by volumetric DDOS attacks

• Identified countermeasures that are applicable to volumetric attacks

• Learned the FCAP Expression Language


State Exhaustion Attacks

Arbor Edge Defense

In this module you will...

• Assess DDOS Attack types for a TCP stack

• Difference between half-open and full TCP connections

• Understand the dangers posed by slow attack variants


TCP Stack Attacks

State Exhaustion Attacks


Figure (reconstructed): attack traffic and good traffic arrive from ISP 1, ISP 2 ... ISP ‘n’ and pass the Firewall, IPS, AED and Load Balancer in the data center. TCP SYN Flood, TCP RST Flood, TCP ACK Flood and TCP FIN Flood cause state-exhaustion saturation of the stateful devices in front of the target applications & services.

Stack Flood Attack

Sending large amounts of TCP data in order to overwhelm a TCP-based service and to waste available resources

Attack Characteristics:
• Usually a flood of small TCP packets
• Spoofed or non-spoofed traffic
• Can look like normal traffic (but more of it)
• Could use traffic reflection

Targets:
• Server network TCP stack
• Firewall performance & connection table
• Load Balancer performance & connection table
• IPS performance

Problems caused:
• Allocating all TCP resources
• Unable to respond to existing connections
• Device failures (crashes/hung)
• Unable to accept new connections

Excessive TCP SYN Attack

TCP SYN Attack

Sending large amounts of TCP SYN packets in order to overwhelm a TCP-based service and to waste available resources

Attack Characteristics:
• Usually a flood of small packets
• Spoofed or non-spoofed traffic
• Looks like normal traffic (but more of it)
• Huge amount of idle TCP connections

Targets:
• Server network TCP stack
• Firewall performance & connection table
• Load Balancer performance & connection table
• IPS performance

Problems caused:
• Allocating all TCP resources
• Unable to respond to existing connections
• Device failures (crashes/hung)
• Unable to accept new connections

TCP Half-Open Connections


Target is to overload the TCP Connection Table on the server, firewall, load-balancer, ...

Figure (reconstructed): spoofed TCP SYNs arrive with forged source addresses A, B, C, ... Y. The server answers each with a SYN/ACK and allocates an entry in its TCP Connection Table (source IP, source port): A 65532, B 45841, C 8951, ..., Y 12895. The forged sources never sent a SYN, so the SYN/ACKs they receive are unsolicited (A? B? C? Y?) and are never acknowledged; the half-open entries stay in the table.

TCP SYN Flood Detection

AED intercepts all TCP traffic that originates from a single source and completes the following checks
• SYN Rate - maximum number of TCP SYN packets per second that a source host is allowed to send
• SYN ACK Delta Rate - allowable difference per second between the number of SYN packets and the number of ACK packets seen from the source; the check trips when ∑SYN - ∑ACK exceeds the Delta Rate (a spoofed source never ACKs the SYN/ACKs it provokes)
• Any source host that exceeds either rate is temporarily blocked (60 sec, repeat offenders 300 sec)
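The two checks above, run over a constructed packet stream, as an added example that is not AED code. The threshold values are assumptions for the demonstration (the page does not give the defaults, which depend on Server Type and Protection Level); the point is what each check catches: a spoofed flood trips the SYN Rate, a slower sender that stays under the SYN Rate but never completes its handshakes trips the SYN ACK Delta Rate, and a browser doing real handshakes trips neither.

```python
"""Added example, not AED code: the two per-source checks of TCP SYN Flood
Detection as the deck describes them, run over constructed traffic. The
thresholds are assumptions for the demo; real values depend on the Server
Type and Protection Level."""
from collections import defaultdict

SYN_RATE = 100     # assumed: max pure SYN packets per second from one source
DELTA_RATE = 20    # assumed: max (SYN - ACK) per second from one source


def count_flags(packets):
    """packets: (second, src, flags) with 'S' = SYN, 'A' = ACK. Returns src -> second -> [syn, ack]."""
    per = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for sec, src, flags in packets:
        if "S" in flags and "A" not in flags:      # a pure SYN: a new connection attempt
            per[src][sec][0] += 1
        elif "A" in flags:                         # handshake ACKs and data ACKs alike
            per[src][sec][1] += 1
    return per


def evaluate(packets):
    """src -> (reason, second) for the first second that trips a check, or None."""
    result = {}
    for src, per_sec in count_flags(packets).items():
        result[src] = None
        for sec in sorted(per_sec):
            syn, ack = per_sec[sec]
            if syn > SYN_RATE:
                result[src] = ("syn-rate", sec)
                break
            if syn - ack > DELTA_RATE:             # SYNs this source never follows up with an ACK
                result[src] = ("syn-ack-delta", sec)
                break
    return result


def sample():
    """Constructed: a browser, a spoofed-source flooder and a low-and-slow SYN sender."""
    pkts = []
    for sec in range(3):                           # browser: 3 handshakes/s, each ACKed, plus data ACKs
        pkts += [(sec, "198.51.100.7", "S")] * 3 + [(sec, "198.51.100.7", "A")] * 12
    pkts += [(0, "203.0.113.9", "S")] * 250        # flood: 250 SYN/s; the SYN/ACKs go to the forged address
    for sec in range(2):                           # stays under SYN_RATE but ACKs only 2 of 40 per second
        pkts += [(sec, "203.0.113.50", "S")] * 40 + [(sec, "203.0.113.50", "A")] * 2
    return pkts
```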


Validating TCP SYN Traffic Sources

TCP 3-Way Handshake


Spoofed SYN Flood Prevention

AED will now intercept any incoming TCP connection attempt


• TCP traffic is dropped until the source host is authenticated
  – Unauthenticated source hosts are not blocked; only their TCP traffic to the enabled ports is dropped
  – TCP traffic to a destination port on the Except on ports list is ignored (port 25 by default)

• A source host is authenticated only once it:


  Ø TCP – successfully completes a TCP 3-way handshake with the AED
  Ø TCP+HTTP – successfully completes a TCP 3-way handshake with the AED and performs certain HTTP actions


TCP Connection Reset Authentication

Sequence between Client, AED and the protected Server (service on port 80):
1. Client (port n) → AED: SYN
2. AED → Client: SYN/ACK (the AED answers on behalf of the server)
3. Client → AED: ACK; connection established, client authenticated
4. AED → Client: RST; connection terminated
5. Client (port n+x) → Server: SYN; the authenticated client's retry is forwarded to the server
6. Server → Client: SYN/ACK
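The exchange above together with the Spoofed SYN Flood Prevention rules (drop until authenticated, Except on ports, hosts not blocked), as an added example that is not AED code. It models only the messages the slides show; sequence and acknowledgement numbers, which the real device also validates (see the out-of-sequence tests below), are left out, and all hosts and ports are constructed.

```python
"""Added example, not AED code: a model of Spoofed SYN Flood Prevention with
TCP Connection Reset Authentication as the deck describes it. The AED
answers a new source's SYN itself; a source that completes the handshake
with the AED is authenticated and then reset, and its retry is forwarded.
Sequence numbers are not modelled (the real device also validates them;
see the out-of-sequence tests). Hosts and ports are constructed."""

EXCEPT_PORTS = {25}      # the deck's default "Except on ports" list: SMTP is never challenged


class SynAuthenticator:
    def __init__(self):
        self.authenticated = set()   # source IPs that completed a handshake with the AED
        self.pending = set()         # (src, sport, dport) handshakes the AED has answered
        self.to_server = []          # client packets forwarded to the protected host
        self.to_client = []          # packets the AED itself sends back towards the client

    def receive(self, pkt):
        """Handle one client-side TCP packet dict(src, sport, dport, flags);
        flags: 'S' SYN, 'A' ACK, 'SA' SYN/ACK, 'R' RST. Returns the action taken."""
        src, key = pkt["src"], (pkt["src"], pkt["sport"], pkt["dport"])
        if pkt["dport"] in EXCEPT_PORTS or src in self.authenticated:
            self.to_server.append(pkt)
            return "forwarded"
        if pkt["flags"] == "S":
            # Steps 1-2: answer the SYN on behalf of the server. A spoofed source
            # never sees this SYN/ACK, so it can never complete step 3.
            self.pending.add(key)
            self.to_client.append(dict(dst=src, dport=pkt["sport"], sport=pkt["dport"], flags="SA"))
            return "challenged"
        if pkt["flags"] == "A" and key in self.pending:
            # Steps 3-4: handshake completed -> source authenticated, connection reset.
            self.pending.discard(key)
            self.authenticated.add(src)
            self.to_client.append(dict(dst=src, dport=pkt["sport"], sport=pkt["dport"], flags="R"))
            return "authenticated"
        # Any other TCP from an unauthenticated source (ACK/RST/FIN floods, data)
        # is dropped; the host itself is not put on the deny list.
        return "dropped"


def well_behaved_client(aed, src, sport, dport=80, max_rounds=6):
    """Drive a real TCP stack: ACK the SYN/ACK, and after the RST reconnect from port n+x."""
    pkt = dict(src=src, sport=sport, dport=dport, flags="S")
    actions = []
    for _ in range(max_rounds):
        actions.append(aed.receive(pkt))
        if actions[-1] == "forwarded":
            break
        reply = aed.to_client[-1]
        if reply["flags"] == "SA":
            pkt = dict(pkt, flags="A")                            # step 3: complete the handshake
        elif reply["flags"] == "R":
            pkt = dict(pkt, sport=pkt["sport"] + 1, flags="S")    # step 5: retry from port n+x
    return actions


def spoofed_flood(aed, forged_src, n):
    """A flooder forging forged_src never receives the SYN/ACKs, so it only ever sends SYNs."""
    return [aed.receive(dict(src=forged_src, sport=1024 + i, dport=80, flags="S")) for i in range(n)]


def run_scenario():
    aed = SynAuthenticator()
    legit = well_behaved_client(aed, "198.51.100.7", 40000)
    flood = spoofed_flood(aed, "203.0.113.9", 5)
    ack_flood = aed.receive(dict(src="203.0.113.9", sport=2000, dport=80, flags="A"))
    smtp = aed.receive(dict(src="203.0.113.9", sport=3000, dport=25, flags="S"))
    reached = [(p["src"], p["dport"]) for p in aed.to_server]    # what the protected host saw
    return dict(legit=legit, flood=flood, ack_flood=ack_flood, smtp=smtp, reached=reached)
```

Only two packets ever reach the protected host: the authenticated client's retried SYN, and the SMTP SYN that the Except on ports list exempts from the whole mechanism. The spoofed SYNs are all answered but never followed up, and the bare ACK from the unauthenticated source is dropped without that host being blocked, which is exactly the caveat the slides point out for two-way visibility: if the client's reply went around the AED, the client would look like the flooder.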

Caveats

Some TCP services or TCP stacks may not handle the TCP RST and session restart very well
• SSL/HTTPS: Browsers Error: Connection Reset
• SSH: Exits session, requires manual re-retry
• SSL/IMAPS/POP3S: Client get a Connection
Reset error, some may or may not re-try
• SMTP: For multiple MX records à MTAs will get reset and immediately tries the next
MX record for the mail server
– Round-robin might ensure that the MTA will never get back in time to an authenticated MX record


TCP Out-of-Sequence Authentication


Client AED Server
RFC 793 Port n SYN Port 80
ACK Incorrect Sequence
Test 1

RST Client Authenticated

Connection terminated
Retransmit
Port n SYN
Test 2*

SYN/ACK Incorrect Acknowledge number


RST Client Authenticated

Connection terminated

Retransmit
Port n SYN
SYN/ACK
Test 3*

ACK Client Authenticated

Connection established
RST
Connection terminated
*Only if the previous test didn‘t authenticate the client

Spoofed SYN Flood Prevention Automation

Automation Threshold allows you to specify a rate above/below which this protection is automatically activated/deactivated
• SYN rate to any protected host in the PG exceeds the threshold → AED activates the protection
• SYN rate falls below the threshold → AED deactivates the protection again


TCP SYN Flood Prevention Caveats

Spoofed SYN Flood Prevention is not available in “simulation” when the AED or Protection Group is set to inactive mode
☞ TCP SYN Flood Prevention reporting will be incorrect, as the protection is unable to validate client integrity

⚠ Ensure two-way communication – client reply packets must be seen by the same AED again


No packet-by-packet load-balancing

• Use Spoofed SYN Flood Prevention Automation to lower a potential false positive rate in normal time


TCP Connection Limiting

Number of Simultaneous Connections

Limit the number of simultaneous open TCP connections from a single source host

Figure (reconstructed): a TCP Connection Table (source IP, source port) filling up with entries such as A 65532, B 45841, C 8951, C 8952, C 12895, E 9842, F 42568, F 42569, F 42570, F 42571, F 42572, F 42574, F 42575, F 42578, F 42580, F 42590, F 42595, ..., H 23321, I 63254, J 8952, K 12955, ... One host (F) alone holds a long run of entries. The target is to completely fill this table on the server, firewall, load-balancer, ... to prevent new connections from being accepted.

TCP Connection Limiting

Limits number of concurrent TCP connections from a single host


• Uses System default values based on the selected Server Type
– Server Type Connection Limit values can be updated via the CLI
• Based on simple connection counter to avoid session state table
• TCP SYN packets dropped for excess connection attempts
– Does not block hosts


Default Values

Settings are different for the different default Server Types


Default State
Protection Level Low Medium High
Generic and Web Disabled Enabled Enabled
Mail Server Enabled Enabled Enabled
File Server Enabled Enabled Enabled

Concurrent Connections Limit


Protection Level Low Medium High
Generic and Web 100 60 30
Mail Server 16 5 3
File Server 5 3 2


TCP Connections no longer used

Idle TCP Connections

TCP Session Activity Diagram (bytes over time): after session start and session established there is no session usage and no session teardown; the connection just sits idle.

TCP Connection Reset

• Handles TCP connections after SYN Authentication


• Keeps hosts from eating up server connection table
• Idle Connection detected → AED sends a TCP reset to the protected host but not to the attacker
• Enabled Ports
ü 80 (HTTP)
ü 443 (HTTPS)
ü 25 (SMTP)


TCP Connection Reset Modes

TCP Session Activity Diagram (bytes over time): from session start to established, the TCP Connection Initial Timeout (sec.) runs, within which the Initial Required Data (bytes) must arrive; afterwards the TCP Connection Idle Timeout (sec.) applies.

Modes
a) Idle Timeout (anytime)
b) Initial Timeout + Initial Required Data
c) Track Connections After Initial State = Mode a + Mode b

TCP Connection Reset

• Host is blocked if it exceeds the number of Consecutive Violations before Blocking Source
• TCP Connection Reset can protect against flood, slow HTTP post and protocol attacks
• Available Modes
  – Idle Timeout
  – Initial Timeout + Initial Required Data
  – Both


Slow Attack Challenge


• Problem: Slowloris and other slow request attack tools try to do only what is
absolutely necessary in order to remain owner of a connection and to evade idle
or initial activity monitoring.
• Solution: Countermeasure for Slowloris and other slow request attacks. Stricter
malformed header checks defeat LOIC and similar attacks


Minimum Request Bit Rate


• Configured under TCP Connection Reset
• Detects and resets connections with low sustained bandwidth
  – Idle connection no longer required for reset
• Intended to prevent attacks such as HTTP Slowloris / PyLoris

HTTP request as such a tool sends it, one header line at a time:
  GET /default.html HTTP/1.1
  Host: www.peace.com
  User-Agent: Mozilla/5.0
  Connection: keep-alive
  X-a: b
  X-a: b
  X-a: b
  X-a: b
  X-a: b
  …


Default Settings

TCP Connection Reset combines several detection methods


• The minimum amount of data (Initial Timeout Required Data) is not sent within a certain length of time (TCP Connections Initial Timeout) after the connection was established
Protection Level Initial Timeout Initial Data Minimum Request
(sec) (bytes) Rate (bps)
Low 50 1 -
Medium 25 20 200
High 15 50 1000

• An HTTP or SSL/TLS request is not sent at Minimum Request Bit Rate


(computed using a token bucket with a depth of 60 seconds)

• HTTP header is not sent within 60 seconds
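The three TCP Connection Reset checks above (and the Minimum Request Bit Rate and Reset Modes slides before them), run against constructed client behaviours, as an added example that is not AED code. The per-level defaults are taken from the table; the bucket semantics are an assumption for the demo: the client's deficit against the minimum rate grows at that rate, received bytes pay it down, and a deficit worth 60 seconds of minimum-rate traffic triggers the reset. The request chunks are constructed.

```python
"""Added example, not AED code: a model of the TCP Connection Reset checks on
one HTTP connection, using the deck's defaults (initial timeout / initial
required data / minimum request bit rate per protection level, a 60 s
header deadline and a 60 s token bucket). The bucket semantics are an
assumption: the client's deficit against the minimum rate grows at that
rate, received bytes pay it down, and a deficit of 60 s worth of traffic
triggers the reset. Request chunks below are constructed."""
import re

LEVELS = {"low": (50, 1, None), "medium": (25, 20, 200), "high": (15, 50, 1000)}
HEADER_DEADLINE = 60      # seconds within which the HTTP header must be complete
BUCKET_DEPTH_S = 60       # token bucket depth, in seconds of minimum-rate traffic


class RequestWatch:
    def __init__(self, level, t0=0.0):
        self.timeout, self.need, self.min_bps = LEVELS[level]
        self.t0 = self.last = t0
        self.total, self.buf = 0, b""
        self.headers_done, self.body_expected, self.body_got = False, 0, 0
        self.deficit = 0.0                                # bits the client is behind the minimum rate
        self.depth = (self.min_bps or 0) * BUCKET_DEPTH_S

    def _advance(self, t):
        if self.min_bps:
            self.deficit = min(self.depth, self.deficit + self.min_bps * (t - self.last))
        self.last = t

    def receive(self, t, chunk):
        """Client bytes arriving at time t."""
        self._advance(t)
        self.deficit = max(0.0, self.deficit - 8 * len(chunk))
        self.total += len(chunk)
        if self.headers_done:
            self.body_got += len(chunk)
            return
        self.buf += chunk
        end = self.buf.find(b"\r\n\r\n")
        if end >= 0:                                      # the empty line ends the header block
            self.headers_done = True
            m = re.search(rb"Content-Length:\s*(\d+)", self.buf[:end], re.I)
            self.body_expected = int(m.group(1)) if m else 0
            self.body_got = len(self.buf) - end - 4

    @property
    def complete(self):
        return self.headers_done and self.body_got >= self.body_expected

    def check(self, t):
        """Reason the AED would reset this connection at time t, or None."""
        if self.complete:
            return None
        self._advance(t)
        if self.total < self.need and t - self.t0 >= self.timeout:
            return "initial-timeout"
        if not self.headers_done and t - self.t0 >= HEADER_DEADLINE:
            return "header-timeout"
        if self.min_bps and self.deficit >= self.depth:
            return "min-request-rate"
        return None


def simulate(level, events, horizon=120):
    """events: constructed (t, chunk) pairs. Returns (t, reason) of the reset, or None."""
    watch = RequestWatch(level)
    pending = sorted(events, key=lambda e: e[0])
    for t in range(horizon + 1):                          # re-evaluated once a second
        while pending and pending[0][0] <= t:
            watch.receive(*pending.pop(0))
        reason = watch.check(float(t))
        if reason:
            return t, reason
    return None


# Constructed client behaviours
LEGIT = [(0.5, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")]
SILENT = []                                               # connects and never sends anything
SLOWLORIS = [(0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")] + \
            [(10 * k, b"X-a: b\r\n") for k in range(1, 12)]           # one bogus header every 10 s
RUDY = [(1, b"POST /form HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 1000000\r\n\r\n")] + \
       [(1 + 10 * k, b"a") for k in range(1, 12)]                     # complete header, 1 body byte per 10 s
```

A silent connection is reset by the initial timeout (25 s at medium, 50 s at low). Slowloris sends enough bytes up front to pass the initial data check, but its header block never ends, so the 60-second header deadline catches it. The R.U.D.Y.-style POST has a complete header, so only the Minimum Request Bit Rate catches it: at 200 bps the deficit bucket takes just over 60 s to fill. A real browser request completes in under a second and never reaches any check.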



Recommendations

Mitigating TCP Attacks

TCP SYN flood Attacks


• Attempt to consume the connection state tables present in many infrastructure components
• Protections:
- TCP SYN Flood Detection
- Spoofed SYN Flood Prevention
- Rate-based Blocking
- Filter List (FCAP expression) using TCP flag element (tcpflags|tflags)
TCP Protocol Attacks
• Exhaust TCP connections by leaving them in idle state → the 3-way handshake was completed
• Protection:
- TCP Connection Reset

Lab Exercise
Hands-on Exercise: State-exhausting Attacks (30 min.)

Objectives
• Use AED to identify state-exhausting attacks.
• Use AED protections to block TCP-based misuse traffic.
• Monitor the effectiveness of your mitigation.


Summary
• DDOS Attack types for a TCP stack

• Difference between half-open and full TCP connections

• Dangers posed by slow attack variants


Application Layer Attacks

Arbor Edge Defense

In this module you will...


• See more about Layer 7 Attack Characteristics

• Use Payload Regular Expression to remove attack traffic

• Focus on protecting Web Servers and Services

• Focus on protecting DNS Servers and Services

• Focus on protecting SIP Servers and Services

• Understand challenges with Proxy and CDN Servers


Layer 7 Attack Characteristics

Application Layer Attacks


Figure (reconstructed): attack traffic and good traffic arrive from ISP 1, ISP 2 ... ISP ‘n’ and pass the Firewall, IPS, AED and Load Balancer in the data center. GET Flood, POST Flood, DNS Water Torture and SIP Message Flooding cause application layer saturation of the target applications & services.

Layer 7 Attacks

Application attacks attempt to cause disruption to the service with expensive or well-crafted requests

Attack Characteristics:
• TCP established connections
• Directly targeted, or used for reflection
• Can look like normal traffic (but more of it)
• Stealthy on low traffic rates

Targets:
• Internet-facing services
• Layer 7 device performance
• Cross-related services → target DNS to kill the www service
• Backend systems used by the service

Problems caused:
• High CPU due to resource-intensive operations
• Increase in response time
• Backend system overload → intensive SQL queries
• Large amount of outgoing data

Payload Regular Expression


Packet Payload Regular Expression

Types of regular expressions (PCRE format) to match against packets sent from or sent to the specified ports
• Block content-identifiable attack vectors → drop packets where data matches the pattern and temporarily block the source host (HTTP Header RegEx, and optionally Payload RegEx)
• AED uses the OR operator for multiple regular expressions

Payload RegEx: filter within the payload and optionally within the Layer 4 header
HTTP Header RegEx: filter within the HTTP header; import URL Filter Lists to scale
DNS RegEx: filter within the DNS header; import DNS Filter Lists to scale

Payload Regular Expression

• Mitigate all kinds of attacks where it is possible to find a unique signature common to the attack packets
• Only traffic sourced or destined for the configured TCP or UDP ports is inspected
• Each regular expression is applied separately to the packet's payload
• To add multiple regular expressions, press enter after each one

Payload Regex from Packet Capture

When viewing a packet in the Packet Capture you can select information from the Data section and add this to your Payload RegEx
• Highlight the unique signature that will become the regex
• Add payload regex to Protection Group

The regular expression filters are applied to individual packets only; not to payload contents that span multiple packets

Add Payload RegEx to Server Type

• Select the Server Type and the Protection Level to apply the regex to
• You must manually choose the TCP or UDP ports for matching
• The selected payload is automatically copied to Regular Expression
• Save will add the regex to the Protection Group


Updated Server Type Settings

• TCP and UDP ports must be specified in widget, not auto-filled from packet
• Manually add another Regular Expression (new line)


Example Payload Regular Expression

Match UDP/500 payloads that contain one of the strings:
  www.arbor.net
  www.arbornetworks.com
  mail.arbor.net

Port: 500
Regular Expression: \.(arbor\.net|arbornetworks\.com)$

Payload Regex Elements
– \ escapes a special character (a period)
– | logical OR (“or” operand)
– $ end of string or line (this is the end)

The pattern is unanchored at the start, so it matches wherever one of the host names ends. Do not write a leading * for "match anything": in PCRE a * must repeat something, and a pattern that starts with * is rejected; .* would be the equivalent, and it is unnecessary here.
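The example above applied the way the slides describe (only the configured ports are inspected, each expression on its own per packet, OR across expressions, no matching across packet boundaries), as an added example that is not AED code. The packets are constructed; the only change to the slide's pattern is dropping the leading *, and the block also shows why: a PCRE-compatible engine refuses to compile it.

```python
"""Added example, not AED code: applying a Payload RegEx the way the deck
describes it. Only TCP/UDP packets with a configured source or destination
port are inspected, each expression is applied on its own to one packet's
payload (OR across expressions), and a match drops the packet. The pattern
is the slide's example without the leading '*', which PCRE rejects. The
packets are constructed."""
import re

PORTS = {500}                                    # the slide's example: UDP/500
PATTERNS = [r"\.(arbor\.net|arbornetworks\.com)$"]


def engine_accepts(pattern):
    """True if the regex engine accepts the pattern (Python's re agrees with PCRE here)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def compile_rules(patterns):
    # MULTILINE gives '$' the "end of string or end of line" meaning the slide describes.
    return [re.compile(p.encode(), re.MULTILINE) for p in patterns]


def inspect_packet(rules, pkt):
    """'drop' if any expression matches this packet's payload, else 'ok'."""
    if pkt["proto"] not in ("tcp", "udp") or not ({pkt["sport"], pkt["dport"]} & PORTS):
        return "ok"                              # wrong protocol/port: payload is never looked at
    for rule in rules:                           # OR: the first matching expression decides
        if rule.search(pkt["payload"]):
            return "drop"                        # the real device also blocks the source temporarily
    return "ok"


def udp500(payload, sport=40000, dport=500, proto="udp"):
    return dict(proto=proto, sport=sport, dport=dport, payload=payload)


SAMPLE = {
    "www.arbor.net at line end":    udp500(b"name=www.arbor.net\n"),
    "mail.arbor.net, src port 500": udp500(b"id=mail.arbor.net", sport=500, dport=40001),
    "www.arbornetworks.com":        udp500(b"\x00\x01www.arbornetworks.com"),
    "not at line end":              udp500(b"www.arbor.net.example.com"),
    "no dot before the name":       udp500(b"arbor.net"),
    "same string on tcp/80":        udp500(b"Host: www.arbor.net\n", dport=80, proto="tcp"),
    "split: first packet":          udp500(b"name=www.arbor"),
    "split: second packet":         udp500(b".net\n"),
}


def run(patterns=PATTERNS, sample=SAMPLE):
    rules = compile_rules(patterns)
    return {name: inspect_packet(rules, pkt) for name, pkt in sample.items()}
```

The two "split" packets show the per-packet limitation the slides mention: the same name that matches inside one datagram is invisible when it straddles two, so a signature should be chosen from bytes that always travel together.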


Protecting Web Servers


Web Application Attacks

Application attacks attempt to cause disruption to the service with expensive or well-crafted requests

Attack Characteristics:
• Expensive setup → TLS connection negotiation
• Database query → get a long listing
• Large download → flood the return path
• Flash traffic → coupons posted to Twitter

Targets:
• Web Server
• Load Balancer
• Database Server
• Backend systems used by the service

Problems caused:
• High CPU due to resource-intensive operations
• Increase in response time
• Backend system overload
• Large amount of outgoing data


HTTP/HTTPS Attack Characteristics

• HTTP Floods / GET Floods
  – Exploits server with many continuous HTTP GET requests (botnet)
  – Attempts to consume resources to make the server unavailable for legitimate users (brute force mode)
  – To identify, look for:
    • Many identical GET requests
    • Large number of different source IP addresses
    • Same IPs re-send the same GET requests rapidly
  – Ex: Siege, HOIC, LOIC
• Slow GET
  – Opens many TCP sessions that never close and hold resources
    • TCP table space, process table, memory
  – Sends partial HTTP requests, never completes a request
  – Ex: Slowloris
• Slow POST
  – Like Slow GET, focuses on pages which have forms
    • Can't be cached by CDNs
  – Ex: R.U.D.Y.


Slow HTTP GET DDoS (Slowloris)

• A single attacker can take down a web server
• Exploits design flaws in the HTTP protocol
  – Small volumes of perfectly legitimate HTTP traffic
  – Abuses handling of HTTP request headers… ssslooowly
  – Sends a partial request: one not ending with a "\n" line
  – This tells the server to hold on: the rest of the GET request is on its way…
  – Periodically, each Slowloris process sends subsequent HTTP headers, but never completes the request
  – Affected servers will keep these connections open, filling their maximum concurrent connection pool
  – Eventually denies additional connection attempts from clients

Partial request as the server sees it:
  GET http://www.google.com/ HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  User-Agent: Mozilla/5.0
  X-a: b
  X-a: b
  X-a: b
  X-a: b
  X-a: b
  …

Slow HTTP POST DDoS (R-U-Dead-Yet)

• Abuses HTTP web form fields
  – Iteratively injects one custom byte into a web application POST field and goes to sleep
  – Application threads become zombies awaiting the ends of posts… until death lurks upon the website
• Uses HTTP POST requests
  – The HTTP header portion is complete and sent in full to the web server

Request as the server sees it:
  POST http://victim.com/
  Host: victim.com
  Connection: keep-alive
  Content-Length: 1000000
  User-Agent: Mozilla/5.0
  Cookie: __utmz=181569312.1294666144.1.1

  username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…


Malformed HTTP Filtering

☞ HTTP headers need to conform to RFC 2616 Section 2.2 "Basic Rules"
  - All HTTP requests are inspected and verified
  - Detects invalid or blank HTTP requests that attempt to exhaust web server resources
  - Exceptions to the RFC constraints on the space character are allowed
☞ Verifies that the entire request is in a legal and consistent format

Traffic that fails either of the two checks is dropped and the source is temporarily blocked

• Most sensitive in High Protection Level and least sensitive in Low Protection Level
• Also required for Botnet Prevention to be enabled

Botnet Prevention

• Prevent Slow Request Attacks
  – Checks if the HTTP request is < 500 bytes and does not end with \n
• Basic Botnet Prevention
  – Checks if the HTTP headers are incomplete
    • Low & Medium protection level → Host field for HTTP/1.1 is required
    • High protection level → Host, User-Agent and Connection fields are required
  – Requires Malformed HTTP Filtering to be enabled for the corresponding protection level
Offending sources are temporarily blocked
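The following is an added example (not course material and not AED code) that implements the checks described on the Malformed HTTP Filtering and Botnet Prevention slides: the RFC 2616 "Basic Rules" token syntax for the request line and header names, the < 500 bytes / no line terminator test for held-open partial requests, and the per-level required headers. The level names, the order of the checks and the sample requests are this example's own assumptions.

```python
import re

# RFC 2616 Section 2.2 "Basic Rules": a token is one or more CHARs that are
# neither CTLs nor separators.
TOKEN_CHARS = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN = re.compile(rf"^{TOKEN_CHARS}$")
REQUEST_LINE = re.compile(rf"^({TOKEN_CHARS}) (\S+) HTTP/(\d)\.(\d)$")

# Header fields that Basic Botnet Prevention requires, per protection level
# (from the slide). The level names are this example's own.
REQUIRED_HEADERS = {
    "low": {"host"},
    "medium": {"host"},
    "high": {"host", "user-agent", "connection"},
}
SLOW_REQUEST_MAX_BYTES = 500   # Prevent Slow Request Attacks threshold from the slide


def is_slow_request(raw: bytes) -> bool:
    """A short request that never reaches a line terminator is a held-open partial request."""
    return len(raw) < SLOW_REQUEST_MAX_BYTES and not raw.endswith(b"\n")


def parse_request(raw: bytes) -> tuple:
    """Return (method, target, version, headers) or raise ValueError when malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # request line and headers only
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"bad request line {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # The slide allows exceptions to the RFC's space-character constraints,
        # so whitespace around the field name and value is tolerated here.
        if not sep or not TOKEN.match(name.strip()):
            raise ValueError(f"bad header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), f"{m.group(3)}.{m.group(4)}", headers


def inspect_request(raw: bytes, level: str) -> dict:
    """Run the slide's checks in order; the source of a 'block' verdict is temporarily blocked."""
    if is_slow_request(raw):
        return {"action": "block", "reason": "slow request: < 500 bytes and no line terminator"}
    try:
        _method, _target, version, headers = parse_request(raw)
    except ValueError as exc:
        return {"action": "block", "reason": f"malformed: {exc}"}
    if version == "1.1":
        missing = REQUIRED_HEADERS[level] - headers.keys()
        if missing:
            return {"action": "block", "reason": "incomplete headers: " + ", ".join(sorted(missing))}
    return {"action": "pass", "reason": "ok"}


# Constructed sample requests.
COMPLETE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")
PARTIAL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: b"        # Slowloris-style, no terminator
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"
HOST_ONLY = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_HEADER = b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n"         # missing ":"
BLANK = b"\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("complete", COMPLETE), ("partial", PARTIAL), ("no_host", NO_HOST),
                      ("host_only", HOST_ONLY), ("bad_header", BAD_HEADER), ("blank", BLANK)]:
        for level in ("low", "high"):
            print(f"{name:<10} {level:<6} {inspect_request(raw, level)}")
```

HOST_ONLY is the case that separates the levels: it passes at Low and Medium (Host is present) and is blocked at High because User-Agent and Connection are missing.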


Application Misbehavior

• All HTTP traffic from a single source is monitored
• Source hosts that interrupt an HTTP request with a TCP FIN are temporarily blocked once they exceed the configured limit
• Stops botnets from sending multiple small HTTP requests and terminating the connection before the server has had time to respond, causing resource exhaustion on the destination server


Extensions to Spoofed SYN Flood Prevention

• HTTP Authentication Method settings appear when TCP+HTTP is selected
  – Packet received matches destination port:
    • 80, 8080 → the selected HTTP Authentication Method is performed
    • other → standard TCP or OOS Authentication is performed
Note: when AED is set to Inactive mode, Spoofed SYN Flood Prevention is unable to authenticate/validate clients


HTTP Soft Reset Authentication


Spoofed SYN Flood Prevention → HTTP Authentication Method: Soft Reset

Client (port n)              AED                                   Server (port 80)
SYN                    -->
                       <--   SYN/ACK
ACK                    -->   connection established
GET / HTTP/1.1         -->
                       <--   HTTP/1.1 302 "Moved Temporarily", Location: /
                             client authenticated
                       <--   FIN/ACK
ACK                    -->   connection terminated

Client (port n+x)
SYN / SYN/ACK / ACK          connection established
GET / HTTP/1.1         ------------------------------------>  passed through to the server

HTTP Redirect Authentication


Spoofed SYN Flood Prevention → HTTP Authentication Method: Redirect

Client (port n)              AED                                   Server (port 80)
SYN / SYN/ACK / ACK          connection established
GET / HTTP/1.1         -->
                       <--   HTTP/1.1 302 "Moved Temporarily", Location: /KmfPM/
FIN/ACK, ACK                 connection terminated

Client (port n+x)
SYN / SYN/ACK / ACK          connection established
GET /KmfPM/ HTTP/1.1   -->
                       <--   HTTP/1.1 302 "Moved Temporarily", Location: /
                             client authenticated
FIN/ACK, ACK                 connection terminated

Client (port n+y)
SYN / SYN/ACK / ACK          connection established
GET / HTTP/1.1         ------------------------------------>  passed through to the server


HTTP JavaScript Authentication


Spoofed SYN Flood Prevention → HTTP Authentication Method: JavaScript

Client (port n)              AED                                   Server (port 80)
SYN / SYN/ACK / ACK          connection established
GET / HTTP/1.1         -->
                       <--   HTTP/1.1 200 OK (text/html)
FIN/ACK, ACK                 connection terminated
(client constructs the path /MlWVR from the script)

Client (port n+x)
SYN / SYN/ACK / ACK          connection established
GET /MlWVR/ HTTP/1.1   -->
                       <--   HTTP/1.1 302 "Moved Temporarily", Location: /
                             client authenticated
FIN/ACK, ACK                 connection terminated

Client (port n+y)
SYN / SYN/ACK / ACK          connection established
GET / HTTP/1.1         ------------------------------------>  passed through to the server
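The three exchanges above, as an added simulation that is not part of the course material or of AED: a small authenticator models the Soft Reset, Redirect and JavaScript methods and two kinds of clients are run against it, a browser that follows the 302 Location and executes the script, and a flood bot that opens fresh connections and re-sends GET / without reading replies. The token path format, the script shape and the rule that an authenticated client stays authenticated are assumptions of the example.

```python
import secrets


class HttpAuthenticator:
    """Simplified model of the three HTTP Authentication Methods of Spoofed SYN
    Flood Prevention (soft_reset, redirect, javascript). Added example, not AED
    code: token format, script shape and "authenticated stays authenticated" are assumptions."""

    METHODS = ("soft_reset", "redirect", "javascript")

    def __init__(self, method: str):
        if method not in self.METHODS:
            raise ValueError(method)
        self.method = method
        self.authenticated = set()   # client IPs whose requests are passed to the server
        self.pending = {}            # client IP -> (token path issued, path originally requested)

    @staticmethod
    def _token_path() -> str:
        return "/" + secrets.token_urlsafe(4) + "/"    # short random path, like /KmfPM/

    def handle_request(self, client: str, path: str) -> dict:
        """One GET on a completed TCP connection. Returns AED's reply, or forwarded=True."""
        if client in self.authenticated:
            return {"forwarded": True}
        if self.method == "soft_reset":
            # Completing the handshake and sending a request already proves a real TCP
            # stack; the 302 to the same location only makes the client come back.
            self.authenticated.add(client)
            return {"forwarded": False, "status": 302, "location": path}
        pending = self.pending.pop(client, None)
        if pending and path == pending[0]:
            # The client followed the redirect (or ran the script): a real HTTP client.
            self.authenticated.add(client)
            return {"forwarded": False, "status": 302, "location": pending[1]}
        token_path = self._token_path()
        self.pending[client] = (token_path, path)
        if self.method == "redirect":
            return {"forwarded": False, "status": 302, "location": token_path}
        # javascript: a 200 OK page whose script builds the token path on the client
        return {"forwarded": False, "status": 200, "content_type": "text/html",
                "body": f"<script>location.href='{token_path}'</script>"}


def browser_session(aed: HttpAuthenticator, client: str, path: str = "/", max_conns: int = 4) -> int:
    """A real browser: follows Location headers and runs the script.
    Returns how many connections it took before a request reached the server (-1 if never)."""
    for conns in range(1, max_conns + 1):
        reply = aed.handle_request(client, path)
        if reply["forwarded"]:
            return conns
        path = reply.get("location") or reply["body"].split("'")[1]
    return -1


def replay_bot_session(aed: HttpAuthenticator, client: str, attempts: int = 4) -> bool:
    """A flood bot that opens fresh connections and re-sends GET / without reading replies.
    Returns True if any of its requests reached the server."""
    return any(aed.handle_request(client, "/")["forwarded"] for _ in range(attempts))


if __name__ == "__main__":
    for method in HttpAuthenticator.METHODS:
        conns = browser_session(HttpAuthenticator(method), "198.51.100.10")
        bot = replay_bot_session(HttpAuthenticator(method), "203.0.113.7")
        print(f"{method:<11} browser reached server after {conns} connection(s); "
              f"replay bot reached server: {bot}")
```

The browser needs two connections under Soft Reset and three under Redirect and JavaScript, matching the diagrams. The replay bot gets through under Soft Reset, which only proves a real TCP stack, but never under the other two methods, because it never requests the token path.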



HTTP Rate Limiting

All HTTP requests are inspected and …
• the number of requests per second is compared to the configured Request Limit threshold
• the number of unique HTTP objects per second is compared to the configured URL Limit threshold

  /user/login?type=api   ∑ ≤ 15/sec.
  /index.html            ∑ ≤ 15/sec.     all together: ∑ ≤ 500/sec.
  /images/front.jpg      ∑ ≤ 15/sec.

Source host is temporarily blocked if either threshold is exceeded
• Can be used to protect against flooding attacks attempting to overwhelm an HTTP server
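An added example (not course material and not AED code) of the two per-source counters the slide describes, run over constructed traffic: a normal user, a source sweeping many distinct URLs, and a GET flood of identical requests. The one-second bucket, the 300-second block duration and the block_source switch (which models the CDN/proxy behaviour of dropping only the excess without blocking the source) are this example's assumptions; the 500 requests/s and 15 URLs/s thresholds echo the slide's figures.

```python
class HttpRateLimiter:
    """Per-source HTTP Request Limit and URL Limit (added example, not AED code).
    Counters live in one-second buckets keyed by source; a source exceeding
    either limit is temporarily blocked for block_seconds (duration assumed).
    With block_source=False, as under CDN/proxy support, only the excess is dropped."""

    def __init__(self, request_limit: int, url_limit: int,
                 block_seconds: int = 300, block_source: bool = True):
        self.request_limit = request_limit
        self.url_limit = url_limit
        self.block_seconds = block_seconds
        self.block_source = block_source
        self.buckets = {}          # source -> (second, request count, set of URLs)
        self.blocked_until = {}    # source -> time the temporary block expires

    def observe(self, source: str, url: str, ts: float) -> str:
        """Record one request at time ts: 'pass', 'block' (limit exceeded, source now
        blocked), or 'drop' (request from an already blocked source, or excess in CDN mode)."""
        if self.blocked_until.get(source, 0) > ts:
            return "drop"
        second = int(ts)
        sec, count, urls = self.buckets.get(source, (second, 0, set()))
        if sec != second:                       # new second: start a fresh bucket
            sec, count, urls = second, 0, set()
        count += 1
        urls.add(url)
        self.buckets[source] = (sec, count, urls)
        if count > self.request_limit or len(urls) > self.url_limit:
            if not self.block_source:
                return "drop"
            self.blocked_until[source] = ts + self.block_seconds
            return "block"
        return "pass"


def run_scenario(limiter: HttpRateLimiter, events: list) -> list:
    """events are (source, url, timestamp) tuples; returns one verdict per event."""
    return [limiter.observe(src, url, ts) for src, url, ts in events]


# Constructed traffic; thresholds 500 requests/s and 15 unique URLs/s echo the slide's figures.
NORMAL = [("198.51.100.10", f"/page{i % 3}", 100.0 + i * 0.05) for i in range(10)]
URL_SWEEP = [("203.0.113.7", f"/obj{i}", 200.0 + i * 0.01) for i in range(20)]
FLOOD = [("203.0.113.9", "/", 300.0 + i * 0.001) for i in range(501)]

if __name__ == "__main__":
    limiter = HttpRateLimiter(request_limit=500, url_limit=15)
    print("normal:   ", set(run_scenario(limiter, NORMAL)))
    print("url sweep:", run_scenario(limiter, URL_SWEEP))
    print("flood:    ", run_scenario(limiter, FLOOD)[-3:])
    cdn = HttpRateLimiter(500, 15, block_source=False)
    print("url sweep via CDN/proxy:", run_scenario(cdn, URL_SWEEP)[14:])
```

The sweep trips the URL Limit on its 16th distinct object and the flood trips the Request Limit on the 501st request; everything from a blocked source is dropped until the block expires, whereas in the CDN/proxy variant only the requests above the limit are dropped.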


HTTP Header Regular Expressions

• OR operator for multiple regular expressions
• Applies each regular expression to each line of the HTTP headers and HTTP requests
☞ Matching first HTTP request or HTTP header in a connection
  – Blocks the request
  – Temporarily blocks the source host
☞ Not matching first HTTP request or HTTP header in a connection
  – Adds all HTTP requests for that connection to the allow list

Challenge: Web Crawlers

• Search engine web crawlers are a challenge for DDoS mitigation


– Web crawlers act like bots because … they are bots!

• Blocking web crawlers is often unacceptable


– Blocking instantly leads to reduced web site visibility in search results and,
consequently, decrease in search ranking
– It is critical that web crawlers can still reach, and index protected resources even when
those are under attack and need protection


Web Crawler Support

Pass traffic from known search engines to allow legitimate web crawling of your web site
• Server Type settings for web crawlers to bypass some protections for destinations within that PG
  ✓ Web crawler protection bypass is allowed
  ✘ Web crawler traffic has normal protections
• Global list of enabled web crawlers
  – Individual search engine providers can be chosen/disabled globally (Configure AIF Settings page)


Sequence

Figure: countermeasure processing order for web crawler traffic, External → Internal, at the Low protection level (event-driven and per-packet countermeasures)

Sequence (Cont.)

Figure: countermeasure processing order for web crawler traffic, External → Internal, at the Medium protection level (event-driven and per-packet countermeasures)


Sequence (Cont.)

Figure: countermeasure processing order for web crawler traffic, External → Internal, at the High protection level (event-driven and per-packet countermeasures)


Web Crawler Reporting

Traffic widget for protection groups of Generic, Web, and DNS Server Types

Hover on mini-graph to
see expanded graph


Protecting a Web Server – select protections as required based on your network's situation

• HTTP-based Protections
  – Malformed HTTP Filtering
  – Botnet Prevention
    • Includes ATLAS Intelligence Feed (AIF) policies
  – HTTP Rate Limiting
    • HTTP Request Limit
    • HTTP URL Limit
  – HTTP Header Regular Expression
  – TLS Attack Prevention (HTTPS only)
    • No decryption – need CAM or HSM
• Web Crawler Support
  – Only if a CDN is used
• Layer 3/4 Protections – don't forget about these protections as options
  – Filter Lists – drop everything not Web-related
  – Rate-based Blocking
  – TCP-based protections – where appropriate (test first)
    • TCP SYN Flood Detection
    • Spoofed SYN Flood Prevention
      – ** HTTP Authentication option **
    • TCP Connection Limiting
    • TCP Connect Reset
  – Traffic Shaping


Protecting TLS Negotiation for Secured Services

Application Layer Attacks


TLS Protocol Protection on AED

Provide protection from common attacks against TLS
• Focus on attacks against the protocol directly
• Attacks that are in the pre-encryption phase
• Attacks that try to force many crypto operations on the targeted server
• Regardless of port (HTTPS, POP3S, SMTPS)
• Enforces correct TLS protocol usage
• Monitors excessive parameter usage
  – Ciphers, Extensions and Compression


TLS Handshake Attack


• Re-negotiation Attacks – THC-SSL-DoS (THC = "The Hacker's Choice")
  1. Flood renegotiation requests: connect and complete a valid SSL handshake and immediately request renegotiation of the encryption method
  2. Repeatedly connect and disconnect: connect and complete a valid SSL handshake, immediately disconnect, reconnect and perform the handshake all over
• Malformed Attacks – Pushdo
  – Sends garbage packets to port 443
  – Can quickly exhaust CPU on the HTTPS server

TLS 1.2 handshake (the slide marks the scope of mitigation on it):
  Client → Server: SYN
  Server → Client: SYN-ACK
  Client → Server: ACK                                          (connection established)
  Client → Server: "Client Hello"
  Server → Client: "Server Hello", Ask for Certificate
  Client → Server: Client key exchange, Choose Cipher Specs, Change Cipher Spec, Finished
  Both:            Exchange messages (encrypted with shared secret key)

TLS Attack Prevention

• Detects malformed and unreasonably extended TLS / SSL headers
• Detects rate-based and connection exhaustion attacks against TLS / SSL
Offending hosts are always temporarily blocked for 5 minutes

What it does                          What it does not
• SSL Message Validation              • Session Decryption – does not inspect encrypted traffic
• Slow Attack Protection              • Check extension semantics
• Handshake Validation                • Enforce acceptable protocol versions
• Connection Flooding Protection


Default Settings

• TLS handshake settings – prevention limits get more restrictive with higher protection levels
• Some of these values can be updated via the CLI

Protection Level                      Low        Medium     High
Enable State                          Disabled   Enabled    Enabled
Cipher Limit                          512        256        64
Extension Limit                       32         24         16
Compression Limit                     8          4          2
Max Hello Length                      2048       1024       768
Pending connections per source limit  8          8          8
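An added example (not course material and not AED code) of what the table's limits mean on the wire: a minimal ClientHello parser counts cipher suites, extensions and compression methods and compares them with the Medium and High limits above, and also rejects a record that is cut short. The sample ClientHellos are constructed with struct; treating "Max Hello Length" as the length of the ClientHello handshake body is an assumption of the example, as is the exact set of malformation checks.

```python
import struct

# Default prevention limits from the slide. Low has the protection disabled.
# "hello_len" is taken here as the ClientHello handshake body length (assumption).
TLS_LIMITS = {
    "low": None,
    "medium": {"ciphers": 256, "extensions": 24, "compressions": 4, "hello_len": 1024},
    "high": {"ciphers": 64, "extensions": 16, "compressions": 2, "hello_len": 768},
}


def build_client_hello(n_ciphers: int, n_extensions: int, n_compressions: int = 1) -> bytes:
    """Construct a well-formed TLS 1.2 ClientHello record with the given list sizes
    (constructed sample data, not a real client's)."""
    ciphers = b"".join(struct.pack("!H", 0x1300 + i) for i in range(n_ciphers))
    comps = bytes(range(n_compressions))
    exts = b"".join(struct.pack("!HH", i, 4) + b"\x00" * 4 for i in range(n_extensions))
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + struct.pack("!B", len(comps)) + comps
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake   # handshake record


def parse_client_hello(record: bytes) -> dict:
    """Count cipher suites, extensions and compression methods; ValueError when malformed."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if struct.unpack("!H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake length mismatch")
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    if cs_len % 2:
        raise ValueError("odd cipher suite list length")
    pos += 2 + cs_len
    n_comp = body[pos]
    pos += 1 + n_comp
    n_ext = 0
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos < end:
            pos += 4 + struct.unpack("!H", body[pos + 2:pos + 4])[0]
            n_ext += 1
        if pos != end:
            raise ValueError("extension overruns its list")
    return {"ciphers": cs_len // 2, "extensions": n_ext, "compressions": n_comp, "hello_len": hs_len}


def check_client_hello(record: bytes, level: str) -> list:
    """Violations for a protection level ([] = accepted). Offending hosts are, per the
    slide, temporarily blocked for 5 minutes."""
    limits = TLS_LIMITS[level]
    if limits is None:
        return []
    try:
        counts = parse_client_hello(record)
    except (ValueError, IndexError, struct.error) as exc:
        return [f"malformed: {exc}"]
    return [f"{k} {counts[k]} > {v}" for k, v in limits.items() if counts[k] > v]


NORMAL_HELLO = build_client_hello(16, 8)                  # browser-sized lists
BLOATED_HELLO = build_client_hello(300, 30, 8)            # padded lists that force extra work
TRUNCATED_HELLO = NORMAL_HELLO[:-5]                       # cut short on the wire

if __name__ == "__main__":
    for name, rec in (("normal", NORMAL_HELLO), ("bloated", BLOATED_HELLO), ("truncated", TRUNCATED_HELLO)):
        for level in ("low", "medium", "high"):
            print(f"{name:<9} {level:<6} {check_client_hello(rec, level)}")
```

The bloated hello (300 ciphers, 30 extensions, 8 compression methods, 888-byte body) violates three limits at Medium and all four at High, while Low accepts everything because the protection is disabled there.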


Default Protected TCP Ports


Port   Usage
443    HTTP over TLS (HTTPS)
465    SMTP over TLS (officially URL Rendezvous Directory for SSM)
563    NNTP over TLS
587    SMTP mail submission (may be TLS)
636    LDAP over TLS
989    FTP data over TLS (FTP control over TLS, port 990, is not protected)
992    TELNET over TLS
993    IMAP4 over TLS
994    IRC over TLS
995    POP3 over TLS
5061   SIP over TLS


TLS 1.3 Support


AED inspects TLS 1.3 traffic
• Previously would drop TLS 1.3 traffic as invalid TLS 1.2 packets
• Any invalid TLS 1.3 that can be detected without decryption will be dropped
• AED does not decrypt TLS 1.3 traffic
  – Cryptographic Acceleration Module (CAM) does not support TLS 1.3
  – Hardware Security Module (HSM) does not support TLS 1.3

TLS 1.3 handshake (the slide marks the scope of mitigation on it) – faster session negotiation and more secure than TLS 1.2:
  Client → Server: SYN;  Server → Client: SYN-ACK;  Client → Server: ACK   (connection established)
  Client → Server: "Client Hello", Key Share
  Server → Client: "Server Hello", Key Share, Verify Certificate, Finished
  Both:            Exchange messages (encrypted with shared secret key)


TLS Attack Prevention Reporting


Figure: TLS Attack Prevention widget – breakdown of specific TLS / SSL violations; each violation type displays more "Details"


Protecting DNS Servers

Application Layer Attacks


DNS Reflection and Amplification Attack

Why use Reflection or Amplification in an Attack?
• Hiding attack traffic behind well-known IP addresses (spoofed traffic)
• Using amplification – ratio 1:20…100

Figure: a direct attack from the attacker carries 100 Mbps; the same 100 Mbps of spoofed queries (source V, destination R) sent to open resolvers produces 2 Gbps of responses (R → V) towards the victim.

DNS Dictionary Attack

Attacker requests entries that do not exist and won't be in the DNS cache; the DNS server is overwhelmed with DNS lookups… (? NOT FOUND!)
  Query: abcd.somedomain.com    →   NXDomain: abcd.somedomain.com
  Query: efgh.somedomain.com    →   NXDomain: efgh.somedomain.com
  Query: ijkl.somedomain.com    →   NXDomain: ijkl.somedomain.com
  …                                  …


Basic NXDOMAIN Attack

Figure: the attacker sends DNS queries for names that do not exist to a recursive name server; every lookup fails (NOT FOUND!) and the cache fills with NXDOMAIN entries (FULL!).


Block Malformed DNS Traffic

Protects against DNS attacks that attempt to exhaust the resources of DNS servers
• Traffic with destination port of UDP/53 is inspected for compliance with the RFC
specification for DNS (RFC1035)
Malformed packets are dropped
Source host is never blocked
• Ignores the EDNS version and Z flag value of the packet
– These fields cannot be used as attack vectors
– AED will allow all EDNS version and Z flag values to pass when this protection is enabled
– Use Payload Regular Expression protection to inspect EDNS version and/or the Z flag fields of a packet

DNS Authentication

Protects against DNS attacks from sources that are not valid DNS clients
• Any source that sends a UDP DNS request is forced to switch to TCP
  – Uses the Truncated bit (TC) – indicates that only the first 512 bytes of the reply were returned
  – Source hosts that do not change from UDP to TCP are considered invalid
Any unverified request is dropped
☞ Source host is never blocked
Note: AED in Inactive mode is unable to authenticate / validate clients
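The exchange described above, as an added example that is not course material or AED code: a constructed UDP query is answered with a TC=1 response carrying the original ID and question, a resolver that honours TC retries over TCP and is verified, and spoofed sources that never retry are dropped without ever being blocked. The stateful authenticator and the "verified stays verified" rule are assumptions of the example; header layout follows RFC 1035.

```python
import struct


def dns_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF, "tc": flags >> 9 & 1,
            "rd": flags >> 8 & 1, "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """A standard recursive query for `name` (constructed sample, not captured traffic)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def truncated_response(query: bytes) -> bytes:
    """Echo the query's ID and question with QR=1, TC=1 and no answers: a
    standards-following resolver then retries the same query over TCP."""
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", query[:12])
    new_flags = 0x8000 | 0x0200 | (flags & 0x7900)    # QR, TC; keep opcode and RD
    return struct.pack("!6H", ident, new_flags, qd, 0, 0, 0) + query[12:]


class DnsAuthenticator:
    """Stateful model of DNS Authentication (added example, not AED code). UDP
    requests from unverified sources are answered with TC=1 and dropped; a source
    that re-sends over TCP is verified. The source host itself is never blocked."""

    def __init__(self):
        self.verified = set()

    def handle(self, src: str, transport: str, msg: bytes) -> dict:
        hdr = dns_header(msg)
        if hdr["qr"] or hdr["qdcount"] == 0:
            return {"action": "drop", "reason": "not a request"}
        if transport == "tcp":
            self.verified.add(src)                 # it switched to TCP: a real DNS client
            return {"action": "forward"}
        if src in self.verified:
            return {"action": "forward"}
        return {"action": "drop", "reply": truncated_response(msg)}


def scenario() -> dict:
    """One legitimate resolver that honours TC, and spoofed sources that never retry."""
    aed = DnsAuthenticator()
    query = build_query(0x1234, "www.example.com")
    first = aed.handle("198.51.100.5", "udp", query)
    return {
        "first": first["action"],
        "challenge": dns_header(first["reply"]),
        "tcp_retry": aed.handle("198.51.100.5", "tcp", query)["action"],
        "udp_after": aed.handle("198.51.100.5", "udp", query)["action"],
        "spoofed": [aed.handle(f"203.0.113.{i}", "udp", query)["action"] for i in range(1, 4)],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:<10} {value}")
```

Once the resolver has come back over TCP, its later UDP queries are forwarded; the spoofed sources only ever receive the TC challenge, which is harmless to them and costs the protected server nothing.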


DNS Rate Limiting

Protects against DNS attacks that attempt to flood DNS servers


• AED inspects all DNS traffic that originates from a single source and records the number
of queries per second
☞ Traffic that exceeds the thresholds is dropped
Source host is temporarily blocked


DNS NXDOMAIN Rate Limiting

Protects against DNS cache poisoning and dictionary attacks on DNS servers only
• AED monitors DNS response packets for sources that send requests which led to a non-existent domain (NXDomain) response
Source hosts that send more consecutive failed DNS requests than allowed are temporarily blocked
• For this prevention to work, AED must be able to see the DNS response traffic from the DNS server
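An added example (not course material and not AED code) of the counter this slide describes, driven by constructed DNS headers: NXDOMAIN responses to a client are counted, a successful answer resets the streak, and the client is blocked once the streak exceeds the limit. The last scenario shows the visibility requirement: when only queries are seen, nothing is ever counted. The limit, addresses and "a resolvable name resets the count" rule are this example's assumptions.

```python
import struct

NXDOMAIN = 3            # RCODE "Name Error" (RFC 1035 section 4.1.1)
SERVER = "192.0.2.53"   # protected DNS server in the constructed scenario


def qr_and_rcode(msg: bytes) -> tuple:
    """QR bit and RCODE from a DNS header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags >> 15 & 1, flags & 0xF


def make_query(ident: int) -> bytes:
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)          # QR=0, RD=1 (question omitted)


def make_response(ident: int, rcode: int) -> bytes:
    return struct.pack("!6H", ident, 0x8180 | rcode, 1, 0, 0, 0)  # QR=1, RD=1, RA=1


class NxdomainRateLimiter:
    """Added model of DNS NXDomain Rate Limiting: a client is blocked after more than
    `limit` consecutive NXDOMAIN responses. Only responses (server -> client) count,
    which is why AED has to see the return traffic."""

    def __init__(self, limit: int):
        self.limit = limit
        self.consecutive = {}
        self.blocked = set()

    def observe(self, src: str, dst: str, msg: bytes) -> str:
        qr, rcode = qr_and_rcode(msg)
        if not qr:                                     # a query from a client
            return "drop" if src in self.blocked else "pass"
        client = dst                                   # a response on its way back
        if rcode == NXDOMAIN:
            self.consecutive[client] = self.consecutive.get(client, 0) + 1
            if self.consecutive[client] > self.limit:
                self.blocked.add(client)
                return "block"
        else:
            self.consecutive[client] = 0               # a resolvable name ends the streak
        return "pass"


def exchange(limiter: NxdomainRateLimiter, client: str, rcodes: list) -> list:
    """Query/response pairs with the given response codes; returns the response verdicts."""
    verdicts = []
    for i, rcode in enumerate(rcodes):
        limiter.observe(client, SERVER, make_query(i))
        verdicts.append(limiter.observe(SERVER, client, make_response(i, rcode)))
    return verdicts


def queries_only(limiter: NxdomainRateLimiter, client: str, n: int) -> list:
    """Deployment where AED sees requests but not the server's responses."""
    return [limiter.observe(client, SERVER, make_query(i)) for i in range(n)]


if __name__ == "__main__":
    rl = NxdomainRateLimiter(limit=5)
    print("dictionary attacker:", exchange(rl, "203.0.113.20", [NXDOMAIN] * 8))
    print("normal client:      ", exchange(rl, "198.51.100.5", [NXDOMAIN, 0] * 5))
    print("queries only:       ", queries_only(rl, "198.51.100.9", 50).count("pass"), "passed")
    print("blocked:", sorted(rl.blocked))
```

The attacker is blocked on its sixth consecutive NXDOMAIN and its later queries are dropped; the normal client, whose failures are interleaved with successful answers, is never blocked; the queries-only client is never blocked either, no matter how many names it asks for, because the NXDOMAIN responses were never observed.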


DNS Regular Expression

Inspects DNS traffic and applies each regular expression separately to each line of
the DNS requests
• Up to five regular expressions
• Uses the OR operator for multiple regular expressions
• Use the PCRE format

Traffic that matches an expression is dropped


☞Source host is never blocked

Protecting a DNS Server – select protections as required based on your network's situation

• DNS Servers and Services
  – Block Malformed DNS Traffic
  – DNS Authentication
  – DNS Rate Limiting
  – DNS NXDomain Rate Limiting
  – DNS Regular Expression
• Layer 3/4 Protections – don't forget about these protections as options
  – Filter Lists – drop everything not DNS related
  – Rate-based Blocking
  – Flexible Rate-based Blocking
  – Traffic Shaping
• If you have a DNS service running on a custom port, you need to modify the default decoder settings


Protecting SIP Servers

Application Layer Attacks


SIP Flood

Session Initiation Protocol (SIP)
• Text-based protocol with a syntax like HTTP
• Two types of messages:
  – Request (INVITE, ACK, BYE…)
  – Response (Informational, Success…)
• A single SIP INVITE triggers considerable resource consumption on the SIP proxy server
• Numerous INVITEs consume the proxy server's resources
• Receivers are flooded with incoming calls

Figure (call setup): (1) User Agent Alice sends "INVITE: sip:bob@biloxi.com / From: sip:alice@atlanta.com" to her proxy server; (2) the proxy queries the DNS server for biloxi.com; (3) the DNS server returns the IP address of Bob's proxy server; (4) the INVITE is forwarded across the Internet to Bob's proxy server; (5) the INVITE is delivered over the wireless LAN network to User Agent Bob.


SIP Malformed

Block attacks that send invalid or blank SIP messages to a server to exhaust resources or to exploit vulnerabilities
• Basic SIP message types must conform to RFC 3261
• Message types not defined in RFC 3261 will be ignored and transparently passed
• UDP keepalives are considered valid SIP packets

RFC 3261 Section 8.1 message types:
• INVITE
• ACK
• OPTIONS
• BYE
• CANCEL
• MESSAGE


Block Malformed SIP Traffic

Prevents attacks against the VoIP infrastructure by blocking invalid or blank SIP requests
• All traffic destined to a SIP port is inspected
  – If the payload of the packet is empty, or is not part of a SIP request
  – If the headers are not properly formatted and/or do not have reasonable values
Malformed traffic is dropped
Source host is temporarily blocked


SIP Request Limiting

Prevents SIP floods against the VoIP infrastructure


• All traffic destined to a SIP port is measured
• SIP Traffic that exceeds request limit is dropped
Source host is temporarily blocked


Protecting Other Server Types and CDN/Proxy Support

Application Layer Attacks


Protecting Other Server Types

• AED also has Server Types pre-configured for:


– Mail Server
– VPN Server
– RLogin Server
– File Server
– Generic

• It is recommended that you create a separate Protection Group for each of the
services you want to protect and assign the Server Type that fits best
– Generic Server Type is the “catch-all” providing flexibility to accommodate specific server types


CDN and Proxies


Figure: users reach the data center (Firewall → AED → IPS → Load Balancer) through CDN proxy servers and a proxy server; an application-layer attack arriving through a CDN node carries the IP of that CDN node as its source, mixed with good traffic from the same node.

• Proxy and Content Delivery Network (CDN) servers have special needs
  – CDN server forwards content on behalf of many websites
  – Proxy server forwards traffic from many user clients
• Source of attack is the CDN / Proxy server IP address
  – AED blocking protections will affect all users of that CDN proxy as this source IP is blocked!
  – Need a change of behavior for those blocking protections – but how?

CDN and Proxy Support

• AED has special handling for sources that are proxies and CDN servers
  – Operation is not visible in the Web UI
  – Separate settings for Low, Medium, and High Protection Level
• When enabled, AED looks for a specific field within the HTTP header:
  – X-Forwarded-For – standard method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer
  – True-Client-IP – Akamai's method for passing the source client IP
  – Requires seeing the traffic as HTTP, not HTTPS

CDN and Proxy Support Exceptions

Rate-based protections change behavior:
• Per Protection Group (PG) only, not applied globally across the system
• Drops exceeding traffic as defined by each protection's thresholds
⚠ Protections no longer block the source IP

Affected protections:
  o Rate-based Blocking
  o HTTP Rate Limiting
  o DNS Rate Limiting
  o DNS NXDomain Rate Limiting
  o SIP Rate Limiting
  o TCP Connection Limiting
  o TCP Connection Reset
  o TCP SYN Flood Detection
  o ICMP Flood Detection


CDN and Proxy Support Exceptions (Cont.)

Blocking protections block flows instead of the source host
• A flow is traffic matching a five-tuple of:
  – Source IP address
  – Destination IP address
  – IP protocol
  – Source TCP/UDP port
  – Destination TCP/UDP port
• All other protections operate normally

Affected protections:
  o DNS Malformed
  o HTTP Malformed
  o SIP Malformed
  o SSL/TLS Attack Prevention
  o HTTP Regular Expression
  o Botnet Prevention
  o DNS Regular Expression
  o Application Misbehavior
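The following is an added example (not course material and not AED code) of the two ideas on the CDN and Proxy Support slides: recovering the originating client from X-Forwarded-For or True-Client-IP, and blocking the offending five-tuple flow instead of the source host, so that one abusive user behind a CDN node does not take every other user of that node offline with it. The packets, the trusted-proxy list and the rule that the headers are only honoured when the TCP peer is a known proxy (both headers can be set by any client) are assumptions of the example that go beyond the slides.

```python
import ipaddress

# Constructed packets: two users behind the same CDN node 203.0.113.50 reach the
# protected web server 192.0.2.10 on different source ports.
PKT_A = {"src": "203.0.113.50", "dst": "192.0.2.10", "proto": "tcp", "sport": 40001, "dport": 80}
PKT_B = {"src": "203.0.113.50", "dst": "192.0.2.10", "proto": "tcp", "sport": 40002, "dport": 80}
# Example list of proxy/CDN nodes whose client-IP headers may be trusted (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def five_tuple(pkt: dict) -> tuple:
    """The flow key the slide lists: source IP, destination IP, protocol, source port, destination port."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def original_client_ip(headers: dict, peer_ip: str, trusted_proxies) -> str:
    """Client address behind a proxy/CDN from X-Forwarded-For or Akamai's True-Client-IP.
    The headers are honoured only when the TCP peer is a known proxy: any client can
    set them itself (a defender's caveat added here, beyond what the slide states)."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in trusted_proxies):
        return peer_ip
    lower = {k.lower(): v for k, v in headers.items()}
    if "true-client-ip" in lower:
        return lower["true-client-ip"].strip()
    if "x-forwarded-for" in lower:
        # Left-most entry is the originating client; each proxy appends the peer it saw.
        return lower["x-forwarded-for"].split(",")[0].strip()
    return peer_ip


class HostBlocker:
    """Normal blocking protection: the offending source IP is blocked."""

    def __init__(self):
        self.blocked = set()

    def block(self, pkt: dict) -> None:
        self.blocked.add(pkt["src"])

    def verdict(self, pkt: dict) -> str:
        return "drop" if pkt["src"] in self.blocked else "pass"


class FlowBlocker:
    """CDN/proxy support: block the offending five-tuple only, so other users of
    the same proxy address keep working."""

    def __init__(self):
        self.blocked = set()

    def block(self, pkt: dict) -> None:
        self.blocked.add(five_tuple(pkt))

    def verdict(self, pkt: dict) -> str:
        return "drop" if five_tuple(pkt) in self.blocked else "pass"


def compare_blocking() -> dict:
    """A malformed request arrives on PKT_A's flow; what happens to PKT_B's flow?"""
    host, flow = HostBlocker(), FlowBlocker()
    host.block(PKT_A)
    flow.block(PKT_A)
    return {"host_mode": (host.verdict(PKT_A), host.verdict(PKT_B)),
            "flow_mode": (flow.verdict(PKT_A), flow.verdict(PKT_B))}


if __name__ == "__main__":
    print(compare_blocking())
    print(original_client_ip({"X-Forwarded-For": "198.51.100.7, 203.0.113.50"},
                             "203.0.113.50", TRUSTED_PROXIES))
```

In host mode both flows from the CDN node are dropped; in flow mode only the offending five-tuple is, which is the behaviour change the slide describes.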


Lab Exercise


Lab Exercise
Hands-on Exercise: Application Layer Attacks (45 min.)

Objectives
• View indicators of application layer-based DDoS
attacks
• Use your AED protections to block that misuse
traffic
• Monitor the effectiveness of your mitigation


Summary
• Identify Layer 7 Attack Characteristics

• Use Payload Regular Expression to remove attack traffic

• Protecting Web Servers and Services

• Protecting DNS Servers and Services

• Protecting SIP Servers and Services

• Challenges with Proxy and CDN Servers

Outgoing Attacks

Whale

Outgoing Attacks

Arbor Edge Defense


In this module you will...

• Use your AED to protect from outbound threats

• Learn to configure Outbound Threat Filter


Defending against Outgoing Attacks

Optimize AED Visibility & Protection


Outbound Threats

Prevents malicious traffic from leaving your network
• Requires an inline deployment mode
• OTF must be enabled to use the Outbound Deny and Allow List
• A single Outbound Threat Filter (OTF) protects all outbound IPv4 traffic (no need for protection groups)
• Identifies and prevents access to known CNC servers/botnets
• Prevents reflection/amplification attacks from being generated within the internal network

Figure: ISP 1, ISP 2 … ISP 'n' uplinks (saturation) → Firewall → AED → IPS → Load Balancer → data center target applications & services; attack traffic leaving the network is shown alongside good traffic.


Outbound Threat Filter

• Enabled by default
• Use “gear” button to update the configuration
• Displays blocked outbound threat traffic
– Lists protections responsible for blocking
– Lists TOP five ATLAS threat categories


Outbound Protection Configuration

• Enable / Disable Outbound Threat Filter
• Protection Mode
• Protection Level
• Protection settings
  – AIF Threat Categories blocks any outbound traffic that matches threat policies
    • Requires AIF Advanced

Outgoing Attacks

Outbound Threat Filter Protection Mode

Protection Mode determines if malicious outbound traffic is blocked


• Active = Outbound traffic is mitigated as well as monitored
• Inactive = Threats in outbound traffic are monitored only
– Test outbound threat filtering while keeping the rest of the system in the active mode


Available Protections

Outgoing Attacks

ATLAS Intelligence Feed

• Enable/Disable Threat Categories as desired
• Change the default confidence level if needed
• Detailed statistics on the Summary page
(Figure callout: radio button selection)

STIX Feeds

• Enable/disable the use of STIX indicators of compromise (IOCs) to block outbound threat traffic
  – Enabled for outbound traffic by default
• Requires additional settings to be configured prior to using STIX IOCs
• Detailed statistics on the Summary page
(Figure callout: radio button selection)


Payload Regular Expression

Prevent attacks by packets that contain unique data patterns


• Many application layer attacks, and packet repetition attacks can be identified by their
payloads or headers
• Applies regular expressions to individual packets only
– Does not detect matching content that spans multiple packets

DNS Rate Limiting

Prevents attacks from legitimate hosts that send DNS requests to flood DNS servers
• Maximum number of DNS queries per second that a source can send before it is blocked
  – Represents what you consider to be a reasonable maximum amount of DNS traffic

Note: If you turn on DNS Rate Limiting for a Protection Group, the packet capture may display the outbound traffic as matching the Protection Group instead of the Outbound Threat Filter

Outgoing Attacks

Malformed HTTP Filtering

Protects against attacks that exhaust resources by sending invalid or blank HTTP
requests to a server
• Verifies that the HTTP header conforms to RFC 2616 Section 2.2 "Basic Rules"
• Exceptions to the RFC constraints on the space character are allowed
• Verifies that the entire request is in a legal and consistent format
⚠ Violating source hosts will be temporarily blocked


Outbound Deny / Allow List

Both lists are applied to packets entering the appliance via internal interfaces
• IPv6 hosts cannot be added to the outbound deny/allow list
• Regardless of the current protection level
  – AED always passes the IPv4 traffic from or to the hosts on the allow list without further inspection
  – AED always blocks the traffic from or to the hosts and countries on the deny list without further inspection

Outgoing Attacks

Outbound Deny List – Adding Host

Callouts on the Outbound Deny List page:
• Search for a specific host
• Adding a host
• Hosts that have already been added
• Move host to Outbound Allow List
• Remove host from Outbound Deny List
• Useful description (hover to see the complete text)


Outbound Deny List – Adding Country

Callouts on the Outbound Deny List page: countries that have already been added; remove country from Outbound Filter; add country, add description, click Add

Outgoing Attacks

Outbound Deny & Allow List – Notes

• AED must be configured for Deployment Mode: Inline
• Outbound traffic from hosts on either list will immediately be passed or blocked with no further inspection
• If a list contains an IP address and a CIDR that overlaps that IP address, the most specific address always takes precedence
  - If 10.2.3.141 is on the outbound allow list, and the CIDR 10.2.3.0/24 is added to the outbound deny list, 10.2.3.141 remains allowed
• Add host to the Allow List / remove host from Deny List if also temporarily blocked
  ☞ Host: removal from temporarily blocked sources is immediate
  ☞ CIDR, Country: removal from temporarily blocked sources may take up to 5 minutes
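The precedence rule in the notes above, as an added example that is not course material or AED code: a longest-prefix match across both lists decides between allow, deny and normal inspection, and IPv6 entries are refused as the earlier slide states. The tie-break when the same prefix length appears in both lists (deny wins here) is an assumption of the example; country entries are not modelled.

```python
import ipaddress


def validate_outbound_entry(entry: str) -> ipaddress.IPv4Network:
    """Accept a host or CIDR for the outbound deny/allow list; IPv6 is refused, as on the slide."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv6 entries cannot be added to the outbound lists: {entry}")
    return net


def outbound_list_decision(ip: str, allow_list: list, deny_list: list) -> str:
    """Longest-prefix match across both lists: 'allow', 'deny', or 'inspect' when
    neither list matches. If the same prefix length appears in both lists this
    example lets deny win (an assumption; the slide only says the most specific
    entry takes precedence). Country entries are not modelled."""
    addr = ipaddress.ip_address(ip)
    best_verdict, best_len = "inspect", -1
    for verdict, entries in (("deny", deny_list), ("allow", allow_list)):
        for entry in entries:
            net = validate_outbound_entry(entry)
            if addr in net and net.prefixlen > best_len:
                best_verdict, best_len = verdict, net.prefixlen
    return best_verdict


# The slide's case: a host on the allow list inside a /24 that is on the deny list.
ALLOW = ["10.2.3.141"]
DENY = ["10.2.3.0/24"]

if __name__ == "__main__":
    for ip in ("10.2.3.141", "10.2.3.7", "10.9.9.9"):
        print(ip, "->", outbound_list_decision(ip, ALLOW, DENY))
```

10.2.3.141 stays allowed because its /32 entry is more specific than the /24 on the deny list; the rest of 10.2.3.0/24 is denied, and addresses on neither list continue to normal inspection.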


Packet Capture

The Outbound Threat Filter is available as an option in the Packet Capture Filter section

Outgoing Attacks

Blocked Host Log

The Outbound Threat Filter is available in the Protection Group listing of the Blocked Host Log


Lab Exercise


Lab Exercise
Hands-on Exercise: Outbound Threats (30 min.)

Objectives
• View indicators of an outbound threat from within
your network
• Use the AED outbound threat filter to block the
outbound threat viewed
• Monitor the effectiveness of your mitigation


Summary

• AED protecting from outbound threats

• Configure Outbound Threat Filter

Engage Cloud Signaling Services

Zander

Engage Cloud Signaling Services

Arbor Edge Defense


In this module you will...

• Learn when to use Arbor AED cloud signaling

• Distinguish between different cloud signaling request types

• Configure Arbor AED to connect to your provider’s cloud-based services

• Learn how to interpret the Cloud Signaling Widget

Mitigating Attacks in the Cloud - Cloud Signaling for DDoS Protection

Mitigation Attempted

Attack traffic is dropped by the AED, but…
• Bandwidth usage remains high and the internet uplinks are still saturated
• Users continue reporting the server as slow or down
→ Service-disrupting


Service-disrupting Volumetric DDoS Attacks

[Diagram: the ISP 1 … ISP N uplinks into the data center are saturated by attack traffic; the Firewall, IPS, AED and Load Balancer sit in front of the target applications and services; good traffic competes with attack traffic for the uplink capacity.]

Enterprise or Data Center operators are under a service-disrupting DDoS attack
☞ Handle VOLUMETRIC attacks that exceed the uplink bandwidth capacity upstream
☞ Mitigate application-layer attacks at the customer edge (hybrid DDoS protection)

Investigate & Mitigate Attack

Customer feedback on handling an attack exceeding their uplink bandwidth capacity and contacting their local ISP:
• AED reporting provides detailed information that allows the customer to reach out to their ISP and request that UDP traffic to that IP be blocked
☞ The ISP is, somehow, able to block the traffic from reaching the data center and service is re-established
! It took them two hours to mitigate the attack…

Better solutions, ranked:
• GOOD: On-Premise (AED)
• VERY GOOD: On-Premise + Cloud-based via ISP / MSSP (AED + Cloud)
• BEST: On-Premise + Cloud-based via ISP / MSSP & Cloud Signaling (AED + Cloud)

AED and Cloud Signaling

• Volumetric attacks pose a serious threat to data center availability
  – Such attacks are too large to mitigate on the data center's premises
• Preferably, have AED signal to the Cloud Signaling Server
  – A NOC/SOC engineer can manually "Activate" cloud mitigation
  – Or set a predetermined capacity threshold for more automated protection
• Cloud Signaling reduces the time to mitigate DDoS attacks
  – Cloud Signaling is the process of requesting and receiving cloud-based mitigation in real time from an upstream service provider
  – Helps to ensure the availability of your data center infrastructure

Cloud Signaling Workflow (AED ≥6.7.0.0 supports Cloud Signaling for IPv6 traffic)

[Diagram: the Internet Service Provider runs a cloud-based DDoS protection service (Arbor Sightline & TMS-based DDoS service) upstream of the subscriber network; on-premise DDoS protection (NETSCOUT AED) sits in front of the Firewall / IPS / WAF and the public-facing servers in the data center network; uplink saturation is shown between the ISP and the subscriber.]
1. Service operating normally
2. Attack begins and is initially blocked by NETSCOUT AED
3. Attack grows, exceeding bandwidth
4. Cloud mitigation requested (Cloud Signaling status)
5. Service is re-established!

Cloud Signaling Provider

• AED supports Cloud Signaling to a single Cloud Service Provider at a time
  – Supports up to 5 servers for redundancy
• Cloud service operators can associate multiple NETSCOUT AED appliances together
• Customers with multiple ISPs will need to choose which provider to send cloud signaling requests to
  – Each ISP must have its own NETSCOUT AED

Cloud Signaling Request Types

AED can send requests for the following types of cloud mitigations
☑ Global – sends mitigation request for all IPv4 prefixes on the network
☑ Targeted Prefix – sends mitigation request for those targeted prefixes
which are configured
☑ Protection Group – sends mitigation request for those IPv4
Protection Groups that are configured


Cloud Signaling Request Types (Cont.)

Global Mitigation - sends mitigation request for all IPv4 prefixes from the AED
• Request is sent when traffic on the appliance exceeds a global threshold
for a specified amount of time.
• Request can be sent manually via the Cloud Signaling widget on the Summary
page

Group Mitigation - sends mitigation request for specific Protection Group(s)


• Must be supported by mitigation provider
• AED does support simultaneous mitigation for >1 Group
• Requested manually via the Protection Group based Cloud Signaling widget


Cloud Signaling Request Types (Cont.)

Targeted Prefix - sends mitigation request for a list of specific prefixes


• Prefixes can be configured & requested if supported by the mitigation provider
• Request is sent when traffic exceeds the configured global threshold and if at
least one IP prefix exceeds a targeted destination threshold
• Include prefixes that you added manually


AED Cloud Mitigation Start Request

AED automatically requests a cloud signaling mitigation if Cloud Signaling is enabled and one of the following is true:
→ Incoming traffic exceeded the global threshold (bps or pps) for at least the configured Time Interval
→ Manual mitigation is requested:
  - A protected prefix is added via the Active Cloud Signaling page
  - Someone clicked the "Activate" button on the ☞ Summary page, ☞ Administration > Cloud Signaling page, or ☞ View Protection Group page

AED Cloud Mitigation Stop Request

AED stops an automatic cloud mitigation if
→ the Automatic Cloud Signaling Threshold is changed to disabled, or
→ incoming traffic (external interfaces) plus traffic mitigated in the cloud has not exceeded the threshold for 10 minutes or longer (1-minute measurements)

AED stops a manual cloud mitigation if someone clicks Deactivate in the Cloud Signaling widget on the
☞ Summary page
☞ Administration > Cloud Signaling page
☞ View Protection Group page
The Deactivate button does not need to be on the same page as the Activate button that started the mitigation

Cloud Signaling Protocol Fundamentals

Cloud Signaling Message Types

AED sends the following requests to the Cloud Signaling servers:
• Handshake – determines whether group mitigation (protection groups) is supported
• Heartbeat – verifies that the communication channels are open
• Prefix Update – sends the list of IPv4 prefixes to the cloud signaling servers if the provider supports group mitigation, or group and targeted mitigation

Handshake Requests

AED initiates a handshake with each configured cloud signaling server
• When Cloud Signaling is enabled (settings saved)
  – Uses TCP port 443 (IPv4, or IPv4/IPv6 with ≥6.7.0.0)
  – Supports proxy use
  – Repeated automatically every 12 hours
  – The initial handshake determines the cloud signaling provider's capabilities
  – Negotiates heartbeat parameters
• Uses three modes:
  – Test Connection
  – Normal Connect
  – Disconnect
Note: the Cloud Signaling Provider never initiates a TCP connection to the AED

Heartbeat Requests

AED and the Cloud Signaling Provider exchange heartbeats every minute
• Uses UDP port 7550
• Encrypted and authenticated, with replay checks (NTP is important on both sides)
• Heartbeats do not use the configured Proxy Settings
• Carries a flag indicating whether a cloud mitigation is active or not
  – Lists the Protection Groups or prefixes included in the cloud mitigation
  – Contains the dropped bps and pps of any running cloud mitigation(s)
• The mitigation could have been started by:
  - Operator > manual AED CS mitigation request
  - AED > Automatic Cloud Signaling
Note: mitigation requests are sent with the next scheduled Cloud Heartbeat

Heartbeat Requests Redundancy

AED sends 3 identical UDP heartbeats per minute to each configured Cloud Signaling Server
• 4 Cloud Signaling Servers = 12 heartbeats each minute from an AED
• The Cloud Signaling Provider responds with 3 identical UDP heartbeats to every AED
• AED sends mitigation requests to, and accepts mitigation statistics from, the Cloud Signaling Server from which the first legitimate heartbeat was received
  - There is no way to specify which Cloud Signaling Server is used
  - All other heartbeats are de-duplicated by AED

Prefix Updates

• Uses TCP port 443
• A prefix update is initiated if:
  → a Protection Group's prefix list was updated
  → a Protection Group was added or deleted
• If the cloud signaling provider supports protection group-level or protected prefix mitigation:
  – AED sends the list of protected host prefixes associated with each Protection Group
  – AED sends the list of protected host prefixes to the Cloud Signaling Server

Automatic Mitigation Hold-Down Timers

Automatic Cloud Signaling Thresholds have delay timers for the start and stop of mitigations
• Start delay timer: 1 to 10 minutes (configurable)
• Stop delay timer: 10 minutes
• These prevent:
  - an upstream mitigation from starting because of a spurious traffic spike
  - an upstream mitigation from halting due to a temporary pause in the attack
  - cycling of the mitigation state when traffic levels fluctuate rapidly

Additional Operational Considerations

• AED does not support cloud signaling in FIPS mode
• CIDR blocks mapped to country codes may differ between AED and the cloud service provider
• AED shares its Deny / Allow List with the cloud signaling server (Sightline ≥8.2.0) when:
  → AED connects to a new cloud signaling server
  → the cloud signaling configuration changes
  → either inbound Deny / Allow List changes (IPv4, IPv6, Countries and URLs)
  → automatically every 12 hours
• AED does not share the following items on the Deny and the Allow List:
  – Items that are not assigned to All Protection Groups
  – Domains on the inbound deny list
  – If there are more than 1,000 URLs, AED arbitrarily selects 1,000 URLs from the Deny List
  – Other Regions under Deny List > Countries

Configure Cloud Signaling for DDoS Protection

Enable Cloud Signaling


Administration > Cloud Signaling
Enter the required cloud signaling Server and AED ID information provided by the cloud signaling Provider
• Configure up to 5 cloud signaling Servers
  - Cloud Signaling will function if at least one configured Cloud Signaling Server is reachable
  - Arbor Cloud Servers should be used for the DNS-based traffic redirection service
  - Proxy servers used in the Arbor Cloud Service are allowed automatically
• Enter a URL if your cloud signaling provider has a management portal
  - Used to provide a link on the Tools menu of the Cloud Signaling widget
You should configure NTP to avoid clock-related problems → a "Connection Error" is indicated if the "system time is not synchronized"

Automate Cloud-based Mitigation Requests

Enable Automatic Cloud Signaling - automates global cloud-based mitigation requests
Global Cloud Signaling Threshold - specify a bps and/or pps threshold to indicate the rate that triggers a global cloud signaling request
→ Signaling Threshold = inbound traffic over all interfaces + traffic dropped in the Cloud (if a mitigation is running)
• A mitigation request is sent even for inactive protection groups

Interval - specify the amount of time over which the average traffic must meet the Global Thresholds
• The automatic start delay timer is configurable from 1 to 10 min.
• The automatic stop delay timer is 10 minutes (requests to end the mitigation)
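The start and stop rules on this slide and on the "Automatic Mitigation Hold-Down Timers" slide interact in a way that is easiest to see by simulation. Below is an added example, not code from the slide deck or from NETSCOUT: a small model that consumes 1-minute measurements, starts a request when the interval average exceeds the global threshold, counts traffic already dropped in the cloud toward that threshold, and stops only after ten consecutive measurements at or below it. The threshold values, the constructed traffic series and the scrubbing figures are assumptions for illustration.

```python
"""Added example (not NETSCOUT code): a model of the automatic global Cloud
Signaling decision on these slides, with the configurable 1-10 minute start
hold-down, the fixed 10-minute stop hold-down and the rule that traffic already
dropped in the cloud counts toward the threshold. Thresholds, the 1-minute traffic
series and the scrubbing figures are constructed assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

STOP_DELAY_MIN = 10   # fixed stop hold-down (slide)


@dataclass
class AutoCloudSignaling:
    threshold_bps: Optional[int]          # None = automatic threshold disabled
    interval_min: int = 5                 # start hold-down, configurable 1..10 minutes
    active: bool = field(default=False, init=False)
    log: List[str] = field(default_factory=list, init=False)
    _window: Deque[int] = field(default_factory=deque, init=False, repr=False)
    _under: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        if not 1 <= self.interval_min <= 10:
            raise ValueError("start delay timer must be 1..10 minutes")
        self._window = deque(maxlen=self.interval_min)

    def sample(self, minute: int, inbound_bps: int, cloud_dropped_bps: int = 0) -> bool:
        """Feed one 1-minute measurement; return whether a cloud mitigation is active afterwards."""
        if self.threshold_bps is None:               # threshold switched to disabled
            if self.active:
                self.active = False
                self.log.append(f"min {minute}: automatic threshold disabled -> stop request")
            return self.active
        # Signaling Threshold = inbound over all interfaces + traffic dropped in the cloud (if running)
        measured = inbound_bps + (cloud_dropped_bps if self.active else 0)
        self._window.append(measured)
        self._under = 0 if measured > self.threshold_bps else self._under + 1
        if not self.active:
            # start: the average over the whole interval must exceed the threshold
            if len(self._window) == self.interval_min and sum(self._window) / self.interval_min > self.threshold_bps:
                self.active = True
                self.log.append(f"min {minute}: interval average over threshold -> start request")
        elif self._under >= STOP_DELAY_MIN:
            # stop: ten consecutive 1-minute measurements at or below the threshold
            self.active = False
            self.log.append(f"min {minute}: {STOP_DELAY_MIN} min under threshold -> stop request")
        return self.active


def run_scenario() -> Dict[str, object]:
    """Constructed series: a 2-minute spike, quiet, a 6-minute 200 Mbps attack, then quiet."""
    M = 1_000_000
    acs = AutoCloudSignaling(threshold_bps=100 * M, interval_min=3)
    inbound = {m: 20 * M for m in range(1, 25)}
    inbound.update({1: 120 * M, 2: 120 * M})            # spurious spike: too short to trigger
    inbound.update({m: 200 * M for m in range(6, 12)})  # sustained attack
    start = stop = None
    for m in range(1, 25):
        edge, dropped = inbound[m], 0
        if acs.active and m < 12:
            edge, dropped = 20 * M, 180 * M   # cloud scrubs the attack and reports what it dropped
        was_active = acs.active
        now_active = acs.sample(m, edge, dropped)
        if now_active and not was_active:
            start = m
        if was_active and not now_active:
            stop = m
    return {"start_minute": start, "stop_minute": stop, "log": acs.log}
```

In the constructed series the two-minute spike never fills a three-minute interval above the threshold, the attack triggers a request in minute 7, the cloud's reported drops keep the measured total above the threshold while the attack lasts, and the stop request goes out ten quiet minutes after the attack ends (minute 21).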


Proxy Server Support

Use Proxy Server - enables the configuration of proxy settings
Proxy Server - IP address or hostname
Port - the port number to be used
Proxy Username - if necessary, enter the user and the password required to access the proxy server
Proxy Authentication Method - the authentication method can be selected explicitly if AED is unable to detect it via the Automatic option
Heartbeats (UDP/7550) do not use the proxy server, and these proxy settings are separate from the AIF feed proxy settings

Cloud Signaling Verification

Check Banner Status:
• The connection to the Cloud Signaling server was successful
• The connection with the Cloud Signaling server has taken longer than the specified time-out period
Check Widget:
• Displays when the last signal was received

Return traffic from the Cloud via GRE

GRE Tunneling & Cloud Signaling

AED can serve as a GRE tunnel endpoint
• Needed for non-local Cloud Mitigation Providers
• Returns cleaned traffic from the Cloud Mitigation Provider
[Diagram: total traffic arrives via the Internet & Cloud Service Provider; the AED sends the cloud signal; cleaned traffic returns across the ISP network through a GRE tunnel terminated on the AED in front of the protected network]

Terminate GRE Tunnel (IPv6 GRE tunnels ≥6.4.0.0; IPv6 traffic encapsulated inside IPv4 tunnels ≥6.4.0.0)

Configure a logical IP on an AED mitigation interface pair
• The GRE tunnel can only be terminated on a single internal interface
• GRE traffic must be received via the corresponding external interface
• The transit segment (here 248.62.15.0/24) cannot be within the list of cloud-protected prefixes
[Diagram: tunnel source 143.15.26.3 → AED ext0 / int0 → tunnel endpoint 248.62.15.3 on transit segment 248.62.15.0/24]

GRE Static Routes

Configure a Routing Table to route traffic after GRE de-encapsulation
GRE Caveats

• Effective ≤ 1 Gbit/s
  - For larger traffic volumes the GRE tunnel should be terminated on other network equipment
• < Release 6.3: GRE traffic is not re-inspected
  - Traffic would be de-encapsulated and sent straight out of the interface
  - No possibility of engaging countermeasures
• ≥ Release 6.3: capability of de-encapsulating prior to inspection
  - Most countermeasures can be run against the incoming traffic
  - Exceptions → Spoofed SYN Flood Prevention, DNS Authentication
  - The option is disabled by default, both for a fresh install and on an upgrade from a previous version
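Decapsulating before inspection means the tunnel endpoint has to parse and validate the outer packet itself, and the "Terminate GRE Tunnel" slide adds two checks of its own: traffic must come in from the expected tunnel peer, and the transit segment must not be one of the cloud-protected prefixes. The following is an added example, not code from the slide deck or from NETSCOUT and not AED's implementation: a GRE-over-IPv4 decapsulator that applies those checks plus the RFC 2784/2890 header handling, with a constructed encapsulator, sample payload and addresses (the slide's 143.15.26.3 and 248.62.15.3) so it runs offline. The ingress interface is not modelled.

```python
"""Added example (not NETSCOUT code): decapsulate a GRE-over-IPv4 packet the way a
tunnel endpoint must before the inner packet can be inspected, applying the checks
the slides call for: the packet must come from the expected tunnel peer, and the
transit segment must not lie inside a cloud-protected prefix. The packet builder,
addresses and sample payload are constructed for illustration; AED's own GRE
implementation is not shown on the page."""
import ipaddress
import struct
from typing import Optional, Tuple

IPPROTO_GRE = 47
ETHERTYPE = {0x0800: "ipv4", 0x86DD: "ipv6"}
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000   # RFC 2784 / RFC 2890 flag bits


class GreError(ValueError):
    """Raised when a packet must not be handed to inspection as tunnel traffic."""


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_decapsulate(packet: bytes, tunnel_source: str, tunnel_endpoint: str,
                    protected_prefixes=()) -> Tuple[str, bytes]:
    """Return (inner_family, inner_packet) or raise GreError."""
    if len(packet) < 20:
        raise GreError("truncated outer IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise GreError("malformed outer IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:
        raise GreError("bad outer IPv4 header checksum")
    if proto != IPPROTO_GRE:
        raise GreError(f"outer protocol {proto} is not GRE")
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Only the provider's tunnel source may deliver cleaned traffic to our endpoint
    # (the slide additionally requires arrival on the corresponding external interface).
    if str(src_ip) != tunnel_source or str(dst_ip) != tunnel_endpoint:
        raise GreError(f"unexpected tunnel peer {src_ip} -> {dst_ip}")
    for prefix in protected_prefixes:   # transit segment must not be cloud-protected
        if dst_ip in ipaddress.ip_network(prefix, strict=False):
            raise GreError(f"tunnel endpoint {dst_ip} lies inside protected prefix {prefix}")
    gre = packet[ihl:total_len]
    if len(gre) < 4:
        raise GreError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise GreError("unsupported GRE version")
    hdr_len = 4 + 4 * bool(flags & GRE_CSUM) + 4 * bool(flags & GRE_KEY) + 4 * bool(flags & GRE_SEQ)
    if len(gre) < hdr_len:
        raise GreError("GRE optional fields truncated")
    if flags & GRE_CSUM and inet_checksum(gre) != 0:
        raise GreError("bad GRE checksum")
    family = ETHERTYPE.get(ptype)
    inner = gre[hdr_len:]
    if family is None or not inner or (inner[0] >> 4) != (4 if family == "ipv4" else 6):
        raise GreError(f"inner packet does not match GRE protocol type {ptype:#06x}")
    return family, inner   # inner is now ready for the countermeasures


def try_decapsulate(packet: bytes, *args) -> str:
    """Convenience wrapper: the inner family, or the rejection reason."""
    try:
        return gre_decapsulate(packet, *args)[0]
    except GreError as exc:
        return f"rejected: {exc}"


def build_gre_packet(src: str, dst: str, inner: bytes, key: Optional[int] = None) -> bytes:
    """Constructed encapsulator (checksum always present, key optional) used for the sample below."""
    flags = GRE_CSUM | (GRE_KEY if key is not None else 0)
    ptype = 0x0800 if inner[0] >> 4 == 4 else 0x86DD
    gre = struct.pack("!HHHH", flags, ptype, 0, 0)   # checksum placeholder + reserved1
    if key is not None:
        gre += struct.pack("!I", key)
    gre += inner
    gre = gre[:4] + struct.pack("!H", inet_checksum(gre)) + gre[6:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0x4000, 64, IPPROTO_GRE, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    outer = outer[:10] + struct.pack("!H", inet_checksum(outer)) + outer[12:]
    return outer + gre


# Constructed sample: a cleaned IPv4 packet for a protected host, returned by the provider
# from tunnel source 143.15.26.3 to endpoint 248.62.15.3 on the transit segment (as on the slide).
SAMPLE_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                           ipaddress.IPv4Address("203.0.113.10").packed,
                           ipaddress.IPv4Address("198.51.100.25").packed) + b"\x00" * 8
SAMPLE_PACKET = build_gre_packet("143.15.26.3", "248.62.15.3", SAMPLE_INNER)
PROTECTED = ["198.51.100.0/24"]
```

Calling `gre_decapsulate(SAMPLE_PACKET, "143.15.26.3", "248.62.15.3", PROTECTED)` returns the inner IPv4 packet; the same packet from another source, or with a transit segment that overlaps a protected prefix, or with a corrupted payload, is rejected before anything reaches the inspection path.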


Inspection of GRE Traffic

Administration > Interfaces

Targeted Cloud Signaling - Initiating a Targeted Cloud Service Request


Enable Targeted Destination Cloud Signaling - the check box appears after you enable Cloud Signaling, if targeted prefixes are supported by the cloud signaling provider
Top Sources and Destinations - must also be enabled
AED starts a targeted cloud mitigation when:
1. Traffic exceeds the Global Cloud Signal Threshold
2. One or more IPv4 prefixes exceed a targeted destination threshold
   – AED replaces all prefixes in the global cloud mitigation with the targeted IPv4 prefixes

Example 1

Large SYN flood @ 80 Mbps
• Attack continues for 6 minutes
  ✓ 6 minutes > 5-minute interval
• Top Prefix 100.0.0.20/32 is receiving 45 Mbps of attack traffic
  ✓ 45 Mbps > 25 Mbps targeted destination threshold

☞ AED takes no action because the global Cloud Signaling threshold has not been exceeded (80 Mbps < 100 Mbps)

Example 2

Large UDP flood @ 125 Mbps
• Attack continues for 8 minutes
  ✓ 8 minutes > 5-minute interval
• Top Prefix 100.0.0.9/32 is receiving 90 Mbps of attack traffic
  ✓ 90 Mbps > 25 Mbps targeted destination threshold

☞ AED sends a targeted Cloud Signaling request to the Cloud Signaling service for prefix 100.0.0.9/32
☞ Adds prefix 100.0.0.9/32 to the list on the Active Cloud Signaling Requests page
☞ AED creates a change log entry

Example 3

Large ICMP flood @ 105 Mbps
• Attack continues for 7 minutes
  ✓ 7 minutes > 5-minute interval
• Top Prefix 100.0.0.2/32 is receiving 24 Mbps of attack traffic
  ✘ 24 Mbps < 25 Mbps targeted destination threshold

☞ AED sends a global cloud-based mitigation request
☞ AED creates a change log entry

Targeted Cloud Signaling Alert (Summary Page)

Manual Targeted Cloud Signaling

Protect > Active Cloud Signaling
A manually configured targeted prefix will be added to the mitigation request once global traffic exceeds the defined thresholds
• Add comma-separated IPs, CIDRs or hostnames (hostnames are resolved with a one-time lookup)
• Automatically added prefixes cannot be manually removed
• The pull-down shows, per targeted host, the rate that triggered the mitigation and the duration of the cloud-based mitigation

Results of manually adding a prefix

Request state           | Action
No active requests      | AED sends a targeted prefix request
Active targeted request | AED adds the prefix to the request
Active global request   | The global request must be deactivated before AED can send a targeted request*

* NOTE: NETSCOUT recommends that prefixes be added on the Active Cloud Signaling Request page prior to deactivating a global request.

AED switches from targeted mitigation to global mitigation after the prefix limit is exceeded:

IP version  | Prefix limit
IPv4        | 227
IPv6        | 75
IPv4 + IPv6 | varies
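Examples 1 to 3 above and the prefix-limit table describe one decision: no request, a targeted request, or a global request. The following is an added example, not code from the slide deck or from NETSCOUT: it encodes that decision with the examples' thresholds (100 Mbps global, 25 Mbps targeted, 5-minute interval) as defaults and goes one step beyond the slides by falling back to a global request once the per-family prefix limit is exceeded. Treating manually added prefixes as joining any targeted request, and checking IPv4 and IPv6 counts separately where the slide only says "varies", are assumptions.

```python
"""Added example (not NETSCOUT code): the request-type decision from the
'Targeted Cloud Signaling' slides and Examples 1-3, extended with the prefix
limit after which AED falls back to a global request. Threshold defaults follow
the examples (100 Mbps global, 25 Mbps targeted, 5-minute interval); the
handling of manually added prefixes and of mixed IPv4/IPv6 lists is an
assumption, since the slides only say 'varies' for the mixed case."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

PREFIX_LIMIT = {4: 227, 6: 75}   # from the slide table; each family is checked on its own (assumption)


@dataclass(frozen=True)
class CloudRequest:
    kind: str                        # "none", "targeted" or "global"
    prefixes: Tuple[str, ...] = ()   # only populated for "targeted"
    reason: str = ""


def choose_request(total_mbps: float, minutes_over: int, top_prefixes: Dict[str, float],
                   manual_prefixes: Iterable[str] = (), *,
                   global_threshold_mbps: float = 100.0, interval_min: int = 5,
                   targeted_threshold_mbps: float = 25.0, targeted_enabled: bool = True) -> CloudRequest:
    """Pick the request AED would send.

    total_mbps       inbound traffic plus anything already dropped in the cloud
    minutes_over     how long total_mbps has stayed above the global threshold
    top_prefixes     Top Destinations view: prefix -> Mbps it is receiving
    manual_prefixes  entries on Protect > Active Cloud Signaling (assumed to join any targeted request)
    """
    if total_mbps <= global_threshold_mbps or minutes_over < interval_min:
        return CloudRequest("none", reason="global threshold not exceeded for the interval")
    if not targeted_enabled:
        return CloudRequest("global", reason="targeted destination cloud signaling disabled")
    targeted = [p for p, mbps in top_prefixes.items() if mbps > targeted_threshold_mbps]
    targeted += [p for p in manual_prefixes if p not in targeted]
    if not targeted:
        return CloudRequest("global", reason="no prefix exceeds the targeted destination threshold")
    per_family = {4: 0, 6: 0}
    for prefix in targeted:
        per_family[ipaddress.ip_network(prefix, strict=False).version] += 1
    for version, count in per_family.items():
        if count > PREFIX_LIMIT[version]:
            return CloudRequest("global", reason=f"{count} IPv{version} prefixes exceed the limit of {PREFIX_LIMIT[version]}")
    return CloudRequest("targeted", tuple(targeted), reason="targeted destination threshold exceeded")


def run_slide_examples() -> Dict[str, str]:
    """The three worked examples from the slides, in the same order."""
    return {
        "example_1": choose_request(80, 6, {"100.0.0.20/32": 45}).kind,   # global threshold not exceeded
        "example_2": choose_request(125, 8, {"100.0.0.9/32": 90}).kind,   # targeted request for 100.0.0.9/32
        "example_3": choose_request(105, 7, {"100.0.0.2/32": 24}).kind,   # global request
    }
```

`run_slide_examples()` reproduces the three outcomes (none, targeted, global); feeding 228 qualifying IPv4 /32s instead of one shows the fallback to a global request at the 227-prefix limit.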


Cloud Signal Widget - Monitoring Your Cloud-based Mitigation Status

Cloud Signaling Widget

Real-time monitoring of the status of Cloud Signaling
• The widget appears on the Summary page and the Configure Cloud Signaling Settings page
• The Group Cloud Signaling widget appears on the View Protection Group page if the cloud scrubbing provider supports Protection Group-level mitigation

Widget Elements

• Automatically updates the Cloud Signaling status
• Provides manual control of mitigation requests
[Widget layout: the Cloud Signaling Server on one side and your network on the other; status information and error messages; an action button as appropriate; a link to the Configure Cloud Signaling page]

Status Overview

Status | Available tasks
The settings for connecting to the Cloud Signaling Server are not configured. | Click Please Configure to go to the Configure Cloud Signaling Settings page.
Cloud Signaling is configured but is not enabled. | Click Enable to enable Cloud Signaling.
Cloud Signaling is in a normal state. | Click Activate to initiate Cloud Signaling manually.
Cloud Signaling requested, but mitigation has not started. | To stop the mitigation requests, click Deactivate.
An error has occurred. The message below the picture describes the error. | If possible, take appropriate action to resolve the error.
Cloud mitigation is in progress. | Hover over the mini-graph to view a larger graph. To stop the mitigation requests, click Deactivate.

Manually Requesting Cloud-based Mitigation

The Activate button on the widget starts a manual mitigation; the Deactivate button on the widget stops a manual mitigation

Mitigation Requested versus Mitigation Activated

Activation sync may take several minutes
• Cloud signaling requested, mitigation not yet started
• Cloud signaling requested, mitigation is running

Deactivating Cloud-based Mitigation

• Manual mitigations must be stopped manually. When you deactivate an active mitigation request, only the current request is affected.
• Global-threshold-triggered mitigations (AED initiated the cloud mitigation request to the Cloud Signaling provider network) stop automatically.
• Cloud Signaling Server-triggered mitigations (initiated by the cloud provider) stop automatically.

Blocked Traffic Graphs


(Click on the mini-graph to open the larger graph)

The Cloud Mitigation reports the traffic it blocked (bps) back to AED
• AED includes the traffic blocked by the Cloud Mitigation in the total traffic used for Automatic Cloud Signaling activation and deactivation decisions
• Multiple AEDs that use the same Cloud Signaling Provider display a summary of the blocked data for all those appliances
Lab Exercise
Hands-on Exercise: Using Cloud Signaling (60 min.)

Objectives
• Configure cloud signaling for your AED
• Test and monitor cloud signaling status for your
AED
• Mitigate and monitor volumetric attacks with cloud signaling support


Summary

• When to use Arbor AED cloud signaling

• Different cloud signaling request types

• Configure Arbor AED to connect to your provider’s cloud-based services

• Interpret the Cloud Signaling Widget

AED Administration

Arbor Edge Defense


In this module you will...

• See how to use the CLI for common configuration tasks

• See how to use the UI for common configuration tasks

• Use the backup feature to protect against data loss


Manage the AED via the Serial Console or SSH

The following slides deal with various Command Line Interface (CLI) commands, which will only be briefly discussed. Your student guide should be used as a reference for further information.

2
AED Administration

Login to the CLI

Login via SSH or a console connection; the default account “admin” is always
present

Last login: Fri Oct 4 09:00:47 2024 from 172.18.37.20

Arbor Edge Defense v7.2.0.0
Copyright (c) 2000-2024 NETSCOUT. All Rights Reserved.

Welcome to ArbOS

admin@AED:/#

Password Recovery

If the administrator password is lost, you can perform the password recovery
process

1. Reboot the AED appliance
2. On the console, select boot option: [Serial Console] on-board flash
3. Login with the username: admin and password: arbor
4. Enter: / system disk start all
5. Enter: / service aaa local password admin interactive
6. Enter: / config write aaa
7. Reload the AED appliance and let it boot up normally

Change Admin Password

The default administrator password (arbor) must be changed before you can start
the AED services

admin@AED:/# / services aaa local password admin interactive
Changing password for user admin.
New password:
Re-enter new password:
Password changed
passwd: all authentication tokens updated successfully.

Password Criteria

Enforced minimum level of password complexity


☞ At least 10 characters long*
☞ At most 72 characters long*
☞ Can include special characters, spaces, and quotation marks
⚠ Cannot be all digits
⚠ Cannot be all lowercase letters or all uppercase letters
⚠ Cannot be only letters followed by only digits (such as, abcd123)
⚠ Cannot be only digits followed by only letters (such as, 123abcd)
⚠ Cannot consist of alternating letter-digit combinations (such as, 1a3A4c1)
* System default. Min/max length configurable via CLI.
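The rules above are exactly the kind of policy that is worth encoding once and reusing, for example when provisioning accounts through automation. The following is an added example, not code from the slide deck or from NETSCOUT: a checker that applies every rule on the slide, with the 10 and 72 character defaults exposed as parameters to mirror the CLI-configurable limits. The sample passwords are constructed.

```python
"""Added example (not NETSCOUT code): a checker for the password rules listed on
the slide. Defaults match the slide (10..72 characters); the CLI-configurable
limits are exposed as parameters. The sample passwords are constructed."""
import re
from typing import List

# Each pattern describes a whole password that the slide forbids.
_FORBIDDEN = [
    ("all digits", re.compile(r"\d+")),
    ("all lowercase letters", re.compile(r"[a-z]+")),
    ("all uppercase letters", re.compile(r"[A-Z]+")),
    ("only letters followed by only digits", re.compile(r"[A-Za-z]+\d+")),
    ("only digits followed by only letters", re.compile(r"\d+[A-Za-z]+")),
    ("alternating letter-digit combination",
     re.compile(r"(?:[A-Za-z]\d)+[A-Za-z]?|(?:\d[A-Za-z])+\d?")),
]


def check_password(password: str, min_len: int = 10, max_len: int = 72) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    for description, pattern in _FORBIDDEN:
        if pattern.fullmatch(password):   # fullmatch: the whole password must fit the forbidden shape
            problems.append(description)
    return problems


def is_acceptable(password: str, **limits) -> bool:
    """True when no rule is violated; keyword limits are passed through to check_password."""
    return not check_password(password, **limits)
```

Special characters, spaces and quotation marks fall outside every forbidden pattern, so a password containing them only has to satisfy the length limits, which matches the slide's "can include" line.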

Using the CLI

The CLI uses a command hierarchy that allows subsequent commands to be entered without repeating the beginning

admin@AED:/# ip                          Entering sub-tree "ip"
admin@AED:/ip# interface media …         Only commands starting with "ip" are available
admin@AED:/ip# / services aed show       Use "/" to execute a command not available in this command tree branch
admin@AED:/ip/route# ..                  Go one step back up the tree
admin@AED:/ip#
admin@AED:/ip/route# /                   Go back to the root of the tree
admin@AED:/#

Set the System Name

The system name can be set arbitrarily and is only locally significant

admin@AED:/# / system name set demo


admin@demo:/#


Set the Time Manually

Setting the clock is important to allow proper Syslog reporting and to support
advanced features like Cloud Signaling

• Setting the time zone must be done in the GUI, not in the CLI
• It's a good idea to set the time even when you plan to use NTP
• The clock format is MMDDhhmm[[CC]YY][.ss]
- The clock is set in the UTC timezone

admin@AED:/# / clock set 062210222012


Management Interface IP address

• Configure an IP address on the management interface (mgt0)
admin@AED:/# / ip interfaces ifconfig mgt0 10.2.24.76/24
admin@AED:/# / ip interfaces ifconfig mgt0 2620:11e:1001:ebc::34/128

• Configure a static (default) route
admin@AED:/# / ip route add default 10.2.24.1

admin@AED:/# / ping 10.2.24.1
Sending five 64 byte echo request to 10.2.24.1
!!!!!
5 packets transmitted, 5 received, 0% packet loss, time 80ms

Check the Management Interfaces

• Check the status of the management interface (mgt0)

admin@AED:/# ip inter show mgt0


mgt0 Gigabit Ethernet, Interface is UP, mtu 1500
Hardware: 00:0C:29:8F:0B:B9
Media: Ethernet autoselect
Status: 1000Mb/s Full
Inet: 192.168.2.19 netmask 255.255.255.0 broadcast 192.168.2.255
Inet6: fe80::20c:29ff:fe8f:bb9 prefixlen 64
Input: 930258 pkts, 125140000 bytes, 0 errors
Output: 55046 pkts, 20423914 bytes, 0 errors, 0 collisions
Interrupts: 0


Interface Media Type

If necessary, the speed and duplex can be set for both the management and
protection interfaces
- You must stop/start AED services
- Copper interfaces of both types are 10/100/1000

/ stop services aed
Management Interfaces:
/ ip interfaces media mgt0 speed 1000 duplex full
Protection Interfaces:
/ services AED mitigation interface media ext0 speed 1000 duplex full
/ services AED mitigation interface media int0 speed 1000 duplex full
/ start services aed

DNS Servers

Setting DNS in the CLI or the UI is useful to ensure the reachability of services like
AIF Updates and to provide reverse DNS lookups for the UI

admin@AED:/# / service dns server add 10.2.24.222

admin@AED:/# / services dns server


Active DNS Servers:
10.2.24.222


Management Traffic

Traffic types via the AED management interfaces

❑ HTTPS (Web GUI, AIF, Cloud Signaling Handshake, TAXII)


❑ SSH
❑ Ping/ICMP
❑ NTP
❑ DNS
❑ SNMP traffic
❑ Cloud Signaling heartbeats (UDP)


Access Control via IP Access Lists

AED's “internal firewall” needs to be configured to allow access


• IP access rules allow you to specify authorized access (inbound connections) on a
per application & per interface & per subnet basis

admin@AED:/# / ip access add https all 10.0.0.0/8
admin@AED:/# / ip access add ping all 0.0.0.0/0
admin@AED:/# / ip access add ssh all 10.0.0.0/8
admin@AED:/# / ip access add https all 2620:11e:1000::/44
admin@AED:/# / ip access add ping mgt0 2620:11e:1000::/44
admin@AED:/# / ip access add ssh mgt0 2620:11e:1000::/44

IMPORTANT: In order to activate the access list, it needs to be committed:
/ ip access commit

Secure Shell Access

SSH access is optional but highly recommended

admin@AED:/# / services ssh start

admin@AED:/# / services ssh show


SSH service status:
Status: running
Port: 22 (default)
Protocol: 2 (default)


Check AED Software Version

It is very important to ensure you have the latest code release for AED
• To find the latest version, check the Arbor Technical Assistance Center (ATAC) web
site download area

admin@AED:/# system version


Version: Arbor Edge Defense 7.2.0.0 (build OEGF) (arch x86_64)


Software Packages Installed

Every AED appliance will ship with the software pre-installed on the internal flash
file system

admin@AED:/# sys file show


Installed packages:
ArbOS_7.4 ArbOS 7.4 system files (build OEGF) (arch x86_64)
Arbor-Edge-Defense-7.2.0.0 Arbor Edge Defense 7.2.0.0 (build OEGF) (arch x86_64)

There could be additional patches installed; please pay attention to the recommended patches on the Electronic Download Site (ESD)


Check Appliance Licenses

AED requires both a product and an AIF license


• If you see this, you need to install licenses:
admin@AED:/# / system license show
No licenses are set

• If you see this, you have licenses installed:


admin@AED:/# / system license show
Product: AED
Model: AED-2800-40G
Expires: Never
Key: NP94V-NREPK-9C9DB-MG76S-GHDWS-JMXPS-5PY36-J6AP6-V0M38

Product: ASERT
Model: AED-AIF-ADVANCED
Expires: Thu Aug 15 13:24:55 2025
Key: BBE4P-4PZGR-GX99M-B93Y5-D10B7-A0HT2-P8HEV-6KQMG-PPM82

Install Appliance License Keys

Install the product and AIF licenses once you have obtained them
/ system license set AED "AED-2800-40G" 0EZQ8-MV2N0-TP8YH-2FGRD-9NKBX-586QS-QV4SZ-RM9LE-HCE1A
/ system license set ASERT "AED-AIF-ADVANCED expires: 1630699268" 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321

• The expiry in the ASERT model string is a Unix epoch timestamp
• The best approach is to copy and paste the keys into the CLI over SSH, which avoids typing errors
admin@AED:/# / system license show
Product: Arbor
Model: AED-2800-40G
Expires: Never
Key: 0EZQ8-MV2N0-TP8YH-2FGRD-9NKBX-586QS-QV4SZ-RM9LE-HCE1A

Product: ASERT
Model: PRA-AIF-ADVANCED
Expires: Fri Sep 03 16:01:08 2025
Key: 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321

User Interface Language

The language can also be changed in the GUI; the selection only affects GUI
• The CLI always remains in English
admin@AED:/# / services AED language show
Language: English

admin@AED:/# / services AED language set ?


en (English)
fr (French)
ja (Japanese)
ko (Korean)
ru (Russian)
zh (Mandarin)


Deployment Mode

Determines whether AED forwards any traffic; the setting is also shown in the status bar of the UI
• Inline = forwarding
• Inline L3 = forwarding
• Monitor = no forwarding

admin@AED:/# / services aed mode show
Deployment mode: inline (inactive)

admin@AED:/# / services aed mode set ?
inline
l3
monitor

admin@AED:/# / services aed mode set inline


Initialize the AED Database

• Database initialization is used to clean up the device
- Resets the AED databases
- Any existing AED data is erased

admin@AED:/# / services AED database initialize

• Any UI-only configuration is erased
- Any configuration that appears in the CLI is retained
• This command removes most remaining customer data from the UI after a trial
- CLI logs still exist
- For a complete wipe, initialize the disks and (re)install the system


Starting Services

Until the AED services are started, the appliance stays in software bypass (traffic passes without inspection)

• Starting the services also starts the graphical user interface (UI)
– No running AED service = no UI available
• It also starts the SNMP daemon
– No running AED service = no SNMP response

admin@AED:/# / services aed start


Starting Arbor services..................done.

admin@AED:/# / services aed show


Arbor state: started


AIF Version Information

• AIF Components (each is downloaded separately)


o attack_rules - AIF botnet signatures
o geoip_countries - IP location data
o reputation_feed - ATLAS threat policies
o webcrawler_whitelist - List of legitimate search engine web crawlers IPs
• Display information about the latest versions of AIF feed components via the CLI
admin@AED:/# / services aed aif versions show
Feed Name Download Time ETag (MD5 hash of the feed) Version
geoip_countries 1612672173 abbb1b8675c6505d480be8fad2b9d880 1612656003052
attack_rules 1612758672 98b82128b98601f6d7acc7514e62416d <unknown>
webcrawler_whitelist 1612465702 0124717e64ed7e48375347f3a8aa19e0 <unknown>
reputation_feed 1612758674 36887c1303f47418fad598d28a2cd547 1612748548
<unknown> is displayed when there is no versioning on the feed

AIF Update Download URL

The default URL is https://aif.arbor.net

• It can be overridden per feed with the commands shown below
admin@AED:/# / services aed aif url show
Feed Name URL
atlas_global_ddos default
attack_rules default
geoip_countries default
reputation_feed default
webcrawler_allowlist default

admin@AED:/# / services aed aif url [set|show|clear]


admin@AED:/# / services aed aif url set [feed_name] https://myhost.com/here/
admin@AED:/# / services aed aif url show
admin@AED:/# / services aed aif url clear [feed_name]


Save Configuration

Write the configuration so that your changes persist when the appliance
- restarts
- is rebooted
- is power cycled

admin@AED:/# / conf write


General System Information


Check system details and settings:

admin@AED:/# system show
General system information:
System name: AED
Screen length: 0
System timezone: GMT
Version: Arbor Edge Defense 7.2.0.0 (build OEGF) (arch x86_64)
Boot time: Mon Sep 16 12:28:52 2024, 17 days 23:34 ago
Load averages: 4.27, 4.33, 4.35
BIOS Version: Core: 5.14; KMB-IXS100: 1.43.0946ABC0
Boot Mode: UEFI
System Board Model: KMB-IXS100
System Model Number: CG2400
Serial Number: CG24038024LC
Processor: 2 x Intel(R) Xeon(R) Silver 4210T CPU @ 2.30GHz (20 total cores) (40 total threads)
Memory Device: 16384 MB NODE 1 CPU1_DIMM_A1

System attributes:
flexlic.enabled = 1
shell.enabled = 1
Idle timeout: 0 (default)
Appliance mode: disabled
FIPS/CC mode: disabled
HSM: not present
Acknowledgement query: disabled
Acknowledgement string: Continue (Yes/No)?
Banner:
Welcome to ArbOS


Disk Information

• Check file system utilization


admin@AED:/# / system disk show
Filesystem status:
Filesystem Size/Used Inodes/Used
boot 476M/171M (38%) 126K/338 (1%)
data 85G/1.8G (3%) 43M/260K (1%)
system 7.7G/2.8G (39%) 501K/57K (12%)

• Check the partition holding uploaded files and backups


admin@AED:/# / system files dir disk:
Directory listing of device disk:
Filename Kbytes Date/Time Type
arbor-backup-full-signatures.20210622T124448Z.sigtar.gz 348 Jun22 14:44 Gzip compressed

Free space: 9.9G of 10.0G (0% used)


Verify or Update Server Type Default Values


admin@AED:/# / services aed protection
reset
set
show

admin@AED:/# / services aed protection show
connlimit.denylist_enabled
connlimit.max_conn
idle.header_time
idle.rate_interval
tls.clients_can_alert
tls.early_allowlist
tls.max_cipher_suites
tls.max_early_close
tls.max_extensions
tls.max_pending_seconds
tls.min_pending_seconds

admin@AED:/# / services aed protection show connlimit.max_conn
Generic Server - low: 100 medium: 60 high: 30
Web Server - low: 100 medium: 60 high: 30
Mail Server - low: 16 medium: 5 high: 3
File Server - low: 5 medium: 3 high: 2
Generic IPv6 Server - low: 250 medium: 60 high: 30
Overwatch - low: 100 medium: 60 high: 30
Remote-Access - low: 100 medium: 60 high: 30
Translate - low: 100 medium: 60 high: 30


Logging Files

AED creates several logging files:


admin@AED:/# / services logging show
Logging configuration and status:
Remote syslog host: none
Log files available:
Logname Kbytes Date/Time Type
acdb.log 1860 Aug23 15:35 Text file
backup.log 1 Jun22 14:47 Text file
cherrypy.log 988 Aug23 11:55 Text file
python.log 2 Feb 1 2021 Text file
syslog 31033 Aug23 15:35 Text file
syslog.0.gz 6126 Jun 7 02:16 Gzip compressed
syslog.1.gz 3454 May 7 13:33 Gzip compressed
www_access 25771 Aug23 11:56 Text file
www_error 21 Aug23 09:20 Text file


Logging Files

Accessing AED logging files:

admin@AED:/# / services logging view <logfile-name> <option>

Options:
head
tail
continuous
include <regular expression>
exclude <regular expression>

admin@AED:/# / services logging view syslog include DOWNLOAD-FILE


Jun 7 14:22:39 AED aifu_worker[79068]: [S] #DOWNLOAD-FILE downloading feed
geoip_countries from
https://aif.arbor.net/geo/3.0/?column=country_code&product=Arbor-Edge-
Defense&version=7.2.0.0
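As an added example (not NETSCOUT code), the Python script below turns two outputs from this module into a feed-health check: it parses the table from `/ services aed aif versions show` (AIF Version Information slide) to find feeds whose last download is older than a threshold, and scans syslog `#DOWNLOAD-FILE` lines like the one above to verify that every feed was fetched over HTTPS from the expected host, which catches an `aif url set` override that points somewhere it should not. The sample table and the first log line are the slide's own values; the second log line, the 7-day threshold, the expected-host set and the log-line regex are the author's assumptions.

```python
"""Health check for AED AIF feeds from two CLI outputs.

Added example, not NETSCOUT code.  Assumptions: the staleness threshold, the
expected download host (the slide's default https://aif.arbor.net) and the
regex used to pick apart the syslog line are the author's, not AED defaults.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed from the slide's table; Download Time is a Unix epoch in seconds.
VERSIONS_OUTPUT = """\
Feed Name Download Time ETag (MD5 hash of the feed) Version
geoip_countries 1612672173 abbb1b8675c6505d480be8fad2b9d880 1612656003052
attack_rules 1612758672 98b82128b98601f6d7acc7514e62416d <unknown>
webcrawler_whitelist 1612465702 0124717e64ed7e48375347f3a8aa19e0 <unknown>
reputation_feed 1612758674 36887c1303f47418fad598d28a2cd547 1612748548
"""

# Constructed: the slide's syslog line plus one for a feed fetched from an unexpected host.
SYSLOG_LINES = [
    "Jun 7 14:22:39 AED aifu_worker[79068]: [S] #DOWNLOAD-FILE downloading feed "
    "geoip_countries from https://aif.arbor.net/geo/3.0/?column=country_code&product=Arbor-Edge-Defense&version=7.2.0.0",
    "Jun 7 14:22:41 AED aifu_worker[79068]: [S] #DOWNLOAD-FILE downloading feed "
    "reputation_feed from https://mirror.example.net/rep/latest",
]

DOWNLOAD_RE = re.compile(r"#DOWNLOAD-FILE downloading feed (?P<feed>\S+) from (?P<url>\S+)")
EXPECTED_HOSTS = {"aif.arbor.net"}


def parse_versions(text: str) -> dict[str, dict]:
    """Map feed name -> {'downloaded': epoch, 'downloaded_utc': iso, 'etag': str, 'version': str|None}."""
    feeds = {}
    for line in text.splitlines()[1:]:           # first line is the column header
        parts = line.split()
        if len(parts) != 4:
            continue
        name, epoch, etag, version = parts
        feeds[name] = {
            "downloaded": int(epoch),
            "downloaded_utc": datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat(),
            "etag": etag,
            "version": None if version == "<unknown>" else version,   # <unknown>: feed is not versioned
        }
    return feeds


def stale_feeds(feeds: dict[str, dict], now_epoch: int, max_age_days: float = 7) -> list[str]:
    """Feeds not downloaded within max_age_days; a stale reputation feed means stale ATLAS policies."""
    limit = max_age_days * 86400
    return sorted(name for name, f in feeds.items() if now_epoch - f["downloaded"] > limit)


def unexpected_sources(lines: list[str], expected_hosts: set[str] = EXPECTED_HOSTS) -> list[tuple[str, str]]:
    """(feed, host) pairs for downloads whose host is not in the expected set, or that are not HTTPS."""
    bad = []
    for line in lines:
        m = DOWNLOAD_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("url"))
        if url.scheme != "https" or url.hostname not in expected_hosts:
            bad.append((m.group("feed"), url.hostname or ""))
    return bad


if __name__ == "__main__":
    feeds = parse_versions(VERSIONS_OUTPUT)
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print("stale feeds:", stale_feeds(feeds, now))
    print("unexpected download sources:", unexpected_sources(SYSLOG_LINES))
```

Feed the script the real `aif versions show` output and `/ services logging view syslog include DOWNLOAD-FILE` lines; if you have deliberately pointed a feed at an internal mirror with `aif url set`, add that host to `EXPECTED_HOSTS` so the check reflects your intended configuration rather than the default.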


Manage the AED via the GUI

AED Administration


Install Appliance Cloud License
Administration > Licenses

Virtual AEDs require you to configure a Cloud License, which relies on the appliance having
internet access to periodically verify the assigned license.

After the License Server has been contacted successfully you can request a Throughput Limit and an AIF Level.

System Alerts
Summary

The Top 5 Active Alerts are always shown on the Summary page

[Screenshot callouts: "See all active alerts"; "See all alerts no longer active"]


System Alerts
Administration > System Alerts

Active and expired alerts can also be found under the System Alerts menu option


Diagnostics
Administration > Diagnostics

If you need ATAC support, upload a Diagnostics Package to the case to speed up the
analysis of your ticket


Manage Files
Administration > Files

[Screenshot callouts: "Upload a new file to the local disk"; "Select file(s) to delete"; "Currently installed and used by AED, but can still be deleted from disk"]

Manage Logo, Certificate and SNMP MIB Files
Administration > Files

[Screenshot callouts: "Upload a new logo to be displayed instead"; "Download the certificate from the Arbor CA"; "Download SNMP MIB definitions for Network Management Systems"; "Upload or delete a custom certificate for the Web GUI"]

Backups
Administration > Backup and Restore

Protect against data loss (configuration and traffic data):
• after significant changes
• before maintenance starts

Create a new backup:
[Screenshot callouts: "Type of backup (full or incremental)"; "Backup time stamp and description entered by the user"; "Local backups always exclude traffic data"; "Download or restore from a local backup"]


Backups (cont.)
Administration > Backup and Restore

[Screenshot callouts: "Schedule automatic backups"; "Specify the interval and time for full and incremental backups"; "Specify local or remote; only remote backups include traffic data"; "Define the backup location"; "Backup time stamp and description entered by the user"]


BCP – Best Common Practice

AED Administration


AED Administration

• Initialize the disk and reinstall AED on a new appliance
• Create a user account for each person accessing the AED
• Leave the admin account as a last resort - do not use it daily
• Prefer RADIUS or TACACS wherever possible
• Configure IP access lists to be as strict as possible
• Avoid rules like 0.0.0.0/0
• Use NTP so that all devices are time-synchronized (especially with a SIEM or syslog server)
• Configure syslog to export information to an external server
• When you have finished the AED installation -> create a remote backup


Summary

• Use the CLI for common configuration tasks

• Use the UI for common configuration tasks

• Learn about the backup feature to protect against data loss

TLS Protected Services

Arbor Edge Defense


In this module you will...

• Discuss possible solutions to mitigate attacks using AED's Cryptographic options

• Understand design constraints

• Configure the selected Cryptographic module

• Configure TLS Inspection with the TLS Proxy and nDA

• Review the UI to determine if the attack is being mitigated


Why Encryption?

Eavesdropping Attack
• Stealing a small set of data by sniffing or snooping

[Diagram: a user submits a login form ("Complete your order - you need to login: Username: John Doe, Password: *****") in clear text; an eavesdropper on the path reads "John Doe / Pass123" off the wire]

Man-in-the-Middle Attack
• Reading data
• Able to alter data

Encryption Challenge

Eavesdropping Attack
• Stealing a small set of data by sniffing or snooping

[Diagram: the same login form, now sent over an encrypted connection; the eavesdropper only sees ciphertext such as "H(&!”SA" and "J(/!”SE!!”"]

Application Layer Visibility
• Data is encrypted (unreadable)
• Could be legitimate traffic!
• Could be attack traffic!

Man-in-the-Middle Attack
• Reading data
• Able to alter data

Hardware Decryption Module


Using a Crypto Card

[Diagram: traffic from ISP 1, ISP 2 ... ISP 'n' enters the data center through AED, which sits in front of the Firewall, IPS and Load Balancer protecting the target applications and services. Encrypted traffic is copied to the Crypto Module and decrypted; when a DoS attack is detected in the decrypted copy, the attack traffic is blocked and only good traffic is forwarded]

[Second diagram: the same path; when the decrypted copy is found to be OK, the traffic is forwarded as good traffic]

Cryptographic Accelerator Module (CAM)

• FIPS: not supported


• Keystore: on disk
• AED Series: AED 2600 & 2800
• Modules: single (slot 4)


Hardware Decryption Modules – CAM Configuration

CAM Configuration Steps

Step 1 – Initialize the Keystore


Be sure the appliance BIOS is version SE5C610.86B.01.01.0019.101220160604 or later
/ services crypto keys local initialize
Enter passphrase (optional, but recommended)

Step 2 – Import Keys


/ services crypto keys local import user-specified-label disk|usb: filename
Each import will prompt for a passphrase (if one was configured in the previous step)

Step 3 – Authorization
The CAM must be authorized to process encrypted traffic (not required if no passphrase was configured)
/ services aed crypto authorize


CAM Initialize Keystore


/ services crypto keys local initialize

• AED services must be stopped prior to initializing the keystore


• An optional passphrase can be configured. AED will require you to authenticate
anytime you add keys to or remove keys from the repository
• IMPORTANT: To add or change a passphrase after a key import has been
completed, you must reinitialize the keystore to remove existing keys


CAM Import Keys


/ services crypto keys local import label disk:|usb: file

• Key management is via the CLI

• Up to 2048 RSA and ECDH keys can be imported for the CAM
• Key files must:
– be copied to disk: or usb:
– be PEM-encoded RSA or ECDH keys
– have a .pem or .key extension
– contain a private key
– for RSA cipher suites, also contain a certificate
– optionally, for cipher suites that require a certificate, include the certificate chain


CAM Authorization
/ services aed crypto authorize

• The authorization process provides AED with the credentials to communicate with the CAM
• This step is only required if a passphrase was set when the keystore was initialized


CAM Managing Keystore


/ services crypto keys show label

- Lists a key in the keystore
- Lists all keys if no label is supplied

/ services crypto keys local import|initialize|remove

- Import keys = add keys
- Remove individual keys
- Initialize = clear all stored keys


CAM Zeroizing Keystore


/ services crypto keys local zeroize

May be required if redeploying AED or if you suspect a security breach

- Deletes all keys in the keystore
- Deletes the passphrase (if any)
- Deletes the keystore itself

NOTE: You cannot undo zeroizing the keystore

After zeroizing you must reinitialize the CAM and reauthorize the AED to use the CAM


CAM DIAG – Hardware Present


/ system hardware

Look for “QAT” in the output -> Intel QuickAssist Technology, the accelerator the CAM is based on


CAM DIAG – Firmware & Status


/ services crypto hardware
Returns the card model, its firmware ID and other version information

/ services aed crypto show
Returns the status of the keystore and the CAM hardware; “Nominal” indicates that the module is authorized

Note: It may take up to 60 seconds after authorization for the status to show as “Nominal”

CAM DIAG – Statistics


/ services crypto stats
Returns decryption statistics; repeat the command and check that these counters increment:
• RSA & EC key decryption requests and completed
• TLS key generation requests and completed
• QAT sessions initialized and removed
• Symmetric cipher decryption requests and completed


CAM DIAG – Restart Driver


/ services crypto restart

Restarts all QAT drivers


NOTE: AED services must be stopped prior to using this command


CAM DIAG – Files


keystore.conf

An encrypted file that contains the keystore


• File is located on the AED disk – not the CAM card
• Not FIPS compliant
• No API endpoints are defined
- Venafi partnership for key management is not supported

cert.conf

A list of imported certificates


• File is located on the AED disk – not the CAM card
• Not FIPS compliant


Hardware Decryption Module – Supported Cipher Suites

Supported TLS Versions


The CAM supports the following versions of the TLS and SSL protocols

Module   TLS 1.0   TLS 1.1   TLS 1.2*   TLS 1.3
CAM      ✓         ✓         ✓          X

*without PFS support


Supported Cipher Suites

Legend (colour-coded on the original slide; the colours are not recoverable here): Highly secure (RFC 7525) / Secure / Weak / Insecure

IANA Name                                  CAM TLS 1.0/1.1   CAM TLS 1.2
TLS_RSA_WITH_AES_128_GCM_SHA256            ✓                 ✓
TLS_RSA_WITH_AES_256_GCM_SHA384            ✓                 ✓
TLS_RSA_WITH_AES_128_CBC_SHA               X                 ✓
TLS_RSA_WITH_AES_256_CBC_SHA               X                 ✓
TLS_RSA_WITH_3DES_EDE_CBC_SHA              X                 ✓
SSL_RSA_WITH_3DES_EDE_CBC_SHA2             X                 ✓
TLS_RSA_WITH_AES_128_CBC_SHA256            ✓                 ✓
TLS_RSA_WITH_AES_256_CBC_SHA256            ✓                 ✓
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256     ✓                 ✓
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256     ✓                 ✓
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384     ✓                 ✓
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384     ✓                 ✓
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256       ✓                 ✓
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256       ✓                 ✓
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384       ✓                 ✓
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384       ✓                 ✓
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA2      X                 ✓
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA2       X                 ✓
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA2       X                 ✓
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA2        X                 ✓
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA2         X                 ✓
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA2         X                 ✓
TLS_RSA_WITH_RC4_128_SHA                   X                 X
TLS_RSA_WITH_RC4_128_MD5                   X                 X
TLS_RSA_WITH_DES_CBC_SHA                   X                 X
SSL_RSA_WITH_DES_CBC_SHA                   X                 X


Caveats for CAM

• SSL compression is not supported
• Only TCP/443 traffic is decrypted, and it is treated as HTTP. Traffic other than HTTP (such
as SPDY or WebSockets) is dropped as malformed HTTP
• Decryption is supported in inline inactive and inline active mode, provided the traffic flow is symmetrical
• Traffic passed because of an Allow List or a “pass” statement in a filter list is not decrypted
• If AED does not have the certificate needed to decrypt traffic, the traffic is not decrypted and is
passed after the L3-L4 and TLS malformed checks
• For traffic that uses ECDH and ECDHE cipher suites, AED only decrypts connections that
negotiate the same EC curve as the static EC private key
• For AED to decrypt ECDHE traffic, the protected server must use a static EC private key
and static curve, which you need to import into the CAM (this gives up the forward secrecy
that ECDHE is meant to provide)
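As an added example (not NETSCOUT code), the Python module below classifies cipher suites by their IANA names: it derives the key exchange, cipher and MAC from the name, rates the suite, and states what the CAM needs in order to decrypt it, using the rules from the support tables and caveats above (static RSA and ECDH suites are decryptable with the matching private key, ECDHE only when the server uses a static EC key and curve, TLS 1.3 and DHE not at all). The security rating follows the author's reading of RFC 7525 (AEAD with ephemeral key exchange recommended, RSA key transport not recommended, RC4/DES/NULL/MD5 forbidden), not the colour legend of the slide. Whether the TLS Proxy supports a given suite depends on the installed release and is answered by `/ services aed crypto proxy ciphers list`, so the script does not guess at it.

```python
"""Classify TLS cipher suites by IANA name and say whether the CAM can decrypt them.

Added example, not NETSCOUT code.  CAM decryptability follows the slide's
support tables and caveats; the security rating is the author's reading of
RFC 7525, not the slide's colour legend.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|ECDH_ECDSA|ECDH_RSA|DHE_RSA|DHE_DSS|DH_RSA|DH_DSS|RSA)"
    r"_WITH_(?P<cipher>NULL|RC4_128|DES40_CBC|DES_CBC|3DES_EDE_CBC|AES_128_CBC|AES_256_CBC"
    r"|AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)
# TLS 1.3 suites name no key exchange: it is always ephemeral (EC)DHE.
TLS13_RE = re.compile(
    r"^TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256"
    r"|AES_128_CCM_SHA256|AES_128_CCM_8_SHA256)$"
)


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    level: str            # "highly secure", "secure", "weak" or "insecure"
    forward_secrecy: bool
    cam_decrypts: str     # what the CAM needs to decrypt this suite, or "no"


def classify(name: str) -> SuiteInfo:
    if TLS13_RE.match(name):
        # The CAM has neither PFS nor TLS 1.3 support; this needs the TLS Proxy.
        return SuiteInfo(name, "highly secure", True, "no")
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, cipher, mac = m.group("kx", "cipher", "mac")
    pfs = kx.startswith(("DHE", "ECDHE"))
    aead = cipher.endswith("GCM") or cipher == "CHACHA20_POLY1305"

    if cipher in ("NULL", "RC4_128", "DES_CBC", "DES40_CBC") or mac == "MD5":
        level = "insecure"            # RFC 7525 MUST NOT
    elif cipher == "3DES_EDE_CBC" or not aead:
        level = "weak"                # 112-bit 3DES, or CBC mode with HMAC
    elif pfs:
        level = "highly secure"       # AEAD with ephemeral key exchange
    else:
        level = "secure"              # AEAD, but RSA/ECDH key transport: no forward secrecy

    if kx == "RSA":
        cam = "yes, with the server's RSA private key"
    elif kx in ("ECDH_RSA", "ECDH_ECDSA"):
        cam = "yes, with the static EC private key (same curve)"
    elif kx.startswith("ECDHE"):
        cam = "only if the server uses a static EC key and curve imported into the CAM"
    else:
        cam = "no"                    # DHE/DH: not in the CAM support tables
    return SuiteInfo(name, level, pfs, cam)


def classify_all(names: list[str]) -> dict[str, SuiteInfo | None]:
    """Classify a list, mapping names the parser does not understand to None."""
    out = {}
    for n in names:
        try:
            out[n] = classify(n)
        except ValueError:
            out[n] = None
    return out


if __name__ == "__main__":
    # A few suites from the slide's tables plus TLS 1.3 and ECDHE ones for contrast.
    sample = ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
              "TLS_RSA_WITH_RC4_128_MD5", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_AES_256_GCM_SHA384", "SSL_RSA_WITH_3DES_EDE_CBC_SHA2"]
    for n, info in classify_all(sample).items():
        if info is None:
            print(f"{n:45} (name not understood)")
        else:
            print(f"{n:45} {info.level:14} pfs={info.forward_secrecy!s:5} CAM: {info.cam_decrypts}")
```

Paste the cipher list a protected server actually negotiates (for example from `/ services aed crypto proxy ciphers list` or a client scan) into `classify_all` to see at a glance which connections the CAM would leave undecrypted and which would need the TLS Proxy.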


TLS Proxy


TLS Proxy

[Diagram: external client <- TLS 1.x (downstream) -> TLS Proxy on AED <- TLS 1.x (upstream) -> protected server]

• Software-based transparent TLS Proxy (reusing the server IP address)
• Supports TLS 1.3 and Perfect Forward Secrecy (PFS) cipher suites
• Requires symmetrical data flow
• Consumes roughly 30% of the available packet processing resources
• Appliance support:
– AED 8100 up to ~3600* connections per second
– AED 2800 up to ~2700* connections per second
– AED 2600 up to ~1500* connections per second
If the supported number of connections per second is exceeded, AED forwards the excess
connections without decryption or inspection and logs a message to syslog. An attacker who
pushes the connection rate above the limit therefore gets the excess through uninspected at
L7, so alert on that syslog message.

*TLS_RSA_WITH_AES_256_GCM_SHA384, 2048-bit RSA key, TLS 1.2



TLS Proxy Configuration Steps

Step 1 – Enable the TLS Proxy

Step 2 – Initialize the keystore and import keys and certificates
Pay attention to the cryptographic key format and to Server Name Indication in certificates

Step 3 – Associate keys with protection groups
Protection groups that protect web servers

Step 4 – Enable decryption at specific protection levels for a protection group
• AED 8100 only


Enable the TLS Proxy

• You can enable and disable all the decryption options from the UI.
1. In the AED UI, select Administration > Decryption
2. On the Configure Decryption Settings page, select Enable TLS Inspection
3. From the list, select TLS Proxy
• CAUTION
– Interface connectivity may be impacted while services are reloading

• You can enable and disable TLS proxy from CLI as well
– AED services must be stopped prior to enabling or disabling the TLS Proxy
/ services aed crypto proxy enable|disable

Enable the TLS Proxy

• View the cipher suites and elliptic curves that the TLS proxy supports in the installed
software release

/ services aed crypto proxy ciphers|curves list upstream|downstream

• upstream – TLS Connection towards the web server


• downstream – TLS Connection towards the external client

• You can limit the cipher suites and curves for the TLS proxy

/ services aed crypto proxy ciphers|curves set upstream|downstream names

• names – subsets of cipher suites or curves to be supported for the connection


Enable the TLS Proxy (cont.)

• Optionally, the TLS Proxy can present a client certificate to the upstream* server
– Use a unique key-certificate pair for this purpose
– Import the key and certificate into the keystore first
– Then associate the key and certificate with the upstream TLS connection:

/ services aed crypto upstream set keyName

*towards the protected web server


Keystore and Importing Keys and Certificates

• For downstream decryption you need to import PEM-encoded RSA and EC keys
• Import the key and public certificate for the upstream TLS connection, if required
• Key files
– must contain a public certificate
– must be in PKCS#1 or PKCS#8 format
• Before you can import the cryptographic keys, you must create a keystore

Suggested PEM file structure:
-----BEGIN RSA PRIVATE KEY-----
<contents of private key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<contents of leaf certificate>
-----END CERTIFICATE-----
<additional certificates to complete certificate chain>
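As an added example (not NETSCOUT code), the Python script below checks a PEM file against the layout this slide prescribes before you import it: the file extension, a single private-key block first (PKCS#1 `RSA PRIVATE KEY` or PKCS#8 `PRIVATE KEY`), the leaf certificate directly after it and any chain certificates after that, and that every block body is base64 that decodes to a DER SEQUENCE. A SEC1 `EC PRIVATE KEY` block is flagged because the slide lists only PKCS#1 and PKCS#8; the `openssl pkcs8 -topk8 -nocrypt` conversion hint and the handling of encrypted PKCS#8 keys are the author's assumptions. The embedded sample file is constructed: its bodies are a placeholder five-byte DER SEQUENCE, not key material, so the check is about layout only and never inspects a real key.

```python
"""Pre-import layout check for a PEM file destined for the AED keystore.

Added example, not NETSCOUT code.  Checks only what the slide states
(extension, key format, key-then-leaf-then-chain order, well-formed blocks);
it does not parse or validate the key or certificates themselves.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)
KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 RSA",
    "PRIVATE KEY": "PKCS#8",
    "EC PRIVATE KEY": "SEC1 EC",                     # not PKCS#1/PKCS#8: flagged below
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",   # flagged below (assumption)
}

# Constructed sample: "MAMCAQE=" is base64 of 30 03 02 01 01, a placeholder DER
# SEQUENCE containing INTEGER 1.  It is not a key or certificate.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
MAMCAQE=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


@dataclass
class PemReport:
    key_format: str | None = None
    certificates: int = 0          # leaf plus chain certificates
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_pem(filename: str, text: str) -> PemReport:
    rep = PemReport()
    if not filename.lower().endswith((".pem", ".key")):
        rep.problems.append("file extension must be .pem or .key")

    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        rep.problems.append("no PEM blocks found")
        return rep

    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:             # binascii.Error is a ValueError subclass
            rep.problems.append(f"{label}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # every key and certificate is an ASN.1 SEQUENCE
            rep.problems.append(f"{label}: decoded body is not a DER SEQUENCE")

    labels = [label for label, _ in blocks]
    keys = [lab for lab in labels if lab in KEY_LABELS]
    if labels[0] not in KEY_LABELS:
        rep.problems.append("the private key must be the first block in the file")
    if len(keys) != 1:
        rep.problems.append(f"expected exactly one private key block, found {len(keys)}")
    if keys:
        rep.key_format = KEY_LABELS[keys[0]]
        if keys[0] == "EC PRIVATE KEY":
            rep.problems.append("SEC1 EC key: convert to PKCS#8 first (e.g. openssl pkcs8 -topk8 -nocrypt)")
        elif keys[0] == "ENCRYPTED PRIVATE KEY":
            # Assumption: the import prompts only for the keystore passphrase, not a key passphrase.
            rep.problems.append("encrypted PKCS#8 key: decrypt it before import")

    rep.certificates = labels.count("CERTIFICATE")
    if rep.certificates == 0:
        rep.problems.append("no certificate block: key files must contain the public certificate")
    elif len(labels) > 1 and labels[1] != "CERTIFICATE":
        rep.problems.append("the leaf certificate must directly follow the private key")
    return rep


if __name__ == "__main__":
    r = check_pem("web01.pem", SAMPLE_PEM)
    print(f"ok={r.ok} key={r.key_format} certificates={r.certificates} problems={r.problems}")
```

Run the check on a workstation before copying the file to `disk:` or `usb:`; the keystore import gives you far less feedback than this report does, and a file that fails here would have to be removed from the keystore and re-imported.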

TLS Protected Services

Initializing the Keystore

AED services must be stopped prior to initializing the keystore

/ services crypto keys local initialize
- Passphrase prompt – enter a string acting as a passphrase
- Confirm prompt – if a passphrase was entered, enter it again

Note: The passphrase cannot be changed without deleting all imported keys


Managing Keys

• Importing Keys
/ services crypto keys local import keyName disk:|usb: file
- file – name of the PEM-encoded file with its extension
- Passphrase prompt – enter the passphrase of the keystore

• Removing Keys
/ services crypto keys local remove keyName
- keyName – name of the key
- Passphrase prompt – enter the passphrase of the keystore

• Zeroize Keystore
/ services crypto keys local zeroize

Associate Keys with Protection Groups

• Associate at least one key to a protection group that protects web servers
• CAM cannot decrypt traffic for any protection groups that you associate with the
TLS proxy

/ services aed crypto pg associate keyName pgName host


• keyName – name of the key to associate
• pgName – name of a protection group.
• host – if the server supports Server Name Indication (SNI), enter a fully qualified domain
name (FQDN) that matches the common name in the certificate


Associate Keys with Protection Groups (cont.)

• Listing Keys
/ services crypto keys show

• Disassociating Keys
/ services aed crypto pg disassociate keyName pgName
• keyName – name of the key to disassociate from pgName
• pgName – name of protection group that keyName is associated with

• Listing Keys association


/ services aed crypto pg list


Enabling / Disabling Decryption by Protection Level

On AED 8100 appliances, you can configure decryption for the protection levels of
IPv4 protection groups that are associated with TLS Proxy cryptographic keys.

• Viewing the decryption status for protection levels


/ services aed crypto show verbose

• To enable or disable decryption at all protection levels for a protection group


/ services aed crypto proxy pg decrypt pgName {enable | disable}

• To enable or disable decryption at a single protection level for a protection group


/ services aed crypto proxy pg decrypt pgName {enable | disable}
{low | medium | high}

Validating the TLS Proxy Configuration

• Running the TLS Proxy validation script


/ services aed crypto proxy validate

The validation script returns messages about the TLS Proxy global decryption settings; the
full list of messages, together with instructions on how to fix each problem, is in the
User Guide.


TLS Fingerprinting for the TLS Proxy

• To improve performance and throughput when you use the TLS Proxy for
decryption
• TLS Proxy uses the fingerprints on pass lists to identify the traffic from TLS clients
that does not need to be decrypted or inspected for application layer attacks
• Two types of TLS fingerprinting
– Manual
• TLS Fingerprint Pass List - apply to all protection groups
– Dynamic
• Dynamic TLS Fingerprint Pass List - for specific protection groups at specific protection levels
• Both types of TLS fingerprinting or just one type can be configured


TLS Fingerprinting for the TLS Proxy (cont.)

• To view the TLS fingerprinting configurations


/ services aed crypto proxy ja3 {manual | dynamic} show

• Configuring manual TLS fingerprinting


/ services aed crypto proxy ja3 manual {enable | disable}

• Configuring dynamic TLS fingerprinting


/ services aed crypto proxy ja3 dynamic pg pgName {enable | disable}
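The pass lists above match on TLS client fingerprints. As an added example (not NETSCOUT code, and not a description of how AED computes or stores fingerprints), the Python script below builds a minimal TLS ClientHello from constructed values, parses it back the way a fingerprinting engine would, and computes the JA3 string and hash following the public JA3 definition (MD5 of `version,ciphers,extensions,curves,point_formats`, each list joined with `-`, GREASE values removed). It lets you check what fingerprint a given client produces before putting it on a manual pass list; the cipher, extension and curve values in the sample are the author's choice.

```python
"""Compute a JA3 TLS-client fingerprint from a raw ClientHello record.

Added example, not NETSCOUT code.  JA3 (public definition by Salesforce):
MD5 over "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats",
each list joined with '-', GREASE values omitted.  The ClientHello below is
built from constructed values so the script runs offline.
"""
from __future__ import annotations

import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ... 0xfafa (RFC 8701)


def _u16(v: int) -> bytes:
    return struct.pack("!H", v)


def supported_groups_ext(curves: list[int]) -> tuple[int, bytes]:
    body = b"".join(_u16(c) for c in curves)
    return 10, _u16(len(body)) + body


def ec_point_formats_ext(formats: list[int]) -> tuple[int, bytes]:
    return 11, bytes([len(formats)]) + bytes(formats)


def build_client_hello(version: int, ciphers: list[int], extensions: list[tuple[int, bytes]]) -> bytes:
    """Return a complete TLS record carrying a ClientHello (constructed, all-zero random)."""
    body = _u16(version) + bytes(32)                       # client_version + random
    body += b"\x00"                                        # empty session_id
    body += _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
    body += b"\x01\x00"                                    # compression_methods: [null]
    ext = b"".join(_u16(t) + _u16(len(b)) + b for t, b in extensions)
    body += _u16(len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake  # ContentType handshake


def ja3(record: bytes) -> tuple[str, str]:
    """Parse a ClientHello record and return (ja3_string, ja3_md5)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                  # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                            # client_version, random
    pos += 1 + record[pos]                                   # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                                   # compression_methods
    exts, curves, formats = [], [], []
    if pos + 2 <= len(record):
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            body = record[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:                                  # supported_groups
                n = struct.unpack("!H", body[:2])[0]
                curves = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                                # ec_point_formats
                formats = list(body[1:1 + body[0]])

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    s = f"{version},{join(ciphers)},{join(exts)},{join(curves)},{join(formats)}"
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed client: TLS 1.2 legacy version, GREASE cipher/extension/curve, SNI for example.com.
    sni = b"\x00\x0e\x00\x00\x0bexample.com"
    rec = build_client_hello(
        0x0303,
        [0x1A1A, 0x1301, 0x1302, 0xC02B],
        [(0x2A2A, b""), (0, sni), supported_groups_ext([0x3A3A, 0x001D, 0x0017]), ec_point_formats_ext([0])],
    )
    print(*ja3(rec))
```

To fingerprint a real client, feed `ja3()` the bytes of the first TLS record captured from it (for example exported from a packet capture); JA3 is sensitive to list order, so two clients offering the same ciphers in a different order get different hashes.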


TLS Inspection with nDA


NETSCOUT nGenius Decryption Appliance (nDA)

nDA is an external device that decrypts the TLS traffic and then returns the traffic to
AED for inspection
• When nDA is used, AED cannot use any other cryptographic module or the TLS proxy
• nDA does not provide bypass functionality

[Diagram: AED and nDA side by side; the legend distinguishes encrypted from plain-text traffic]

1. AED inspects the TLS traffic with the L3/L4 protections
2. AED forwards compliant traffic to nDA
3. nDA decrypts the traffic and returns it to AED for L7 inspection
4. AED inspects the traffic with the L7 protections and forwards compliant traffic back to nDA
5. nDA re-encrypts the traffic and forwards it upstream


Configure nDA Decryption

• Enable or disable TLS inspection using the nDA


/ services aed crypto nda enable|disable

• VLAN to identify traffic from nDA that does not need to be inspected
/ services aed crypto nda vlan set ID

• The default source MAC address for nDA is 00:80:8C:DE:CD:EC; to change:


/ services aed crypto nda mac HH:HH:HH:HH:HH:HH

• View the configured MAC address


/ services aed crypto nda show

• Revert to the default MAC address


/ services aed crypto nda mac default


UI Integration


AED UI Configuration

The Cryptographic Module option is available once the hardware module has been installed


SSL Inspection Widget

If a Crypto card is present, the SSL Inspection widget is displayed on the Summary page below Interfaces. The legend is clickable.


Packet Capture

• Decrypted URLs and domains are displayed on the View Protection Group page (only if the relevant checkbox is selected)
• Explore > Packet Capture displays only encrypted traffic
  – However, it includes the drop reason if something was found after decryption


Summary

• Discuss possible solutions to mitigate attacks using AED's Cryptographic options

• Understand the design constraints

• Configure the selected Cryptographic module

• Configure TLS Inspection with the TLS Proxy and nDA

• Review the UI to determine if the attack is being mitigated

Solutions for Managing Multiple AEDs

Arbor Edge Defense

In this module you will...

• Discover AED REST API usage

• Explore the functionality and features of AEM (Arbor Enterprise Manager)

• Learn how to analyze attacks using AEM


Application Programming Interface (API)

API Can Be Used With No Additional Cost

The API Guide can be downloaded from the Knowledgebase.


API Online Documentation


https://aed-address/api/aed/doc/v3/endpoints.html


API Pre-Requisites

A token must be generated.

Log in to the CLI with your administrator username and password and run:
/ service aaa local apitoken generate userName tokenDescription
  userName = the name of a valid AED user
  tokenDescription = a brief description of the token; this description is appended to the token

To view the generated tokens, run the following command. It lists each user and the tokens associated with that user:
/ service aaa local apitoken show

The token authenticates API calls as that user with that user's privileges, so store and transmit it as you would a password.


API Functions

• GET - Retrieves information about the system. You can narrow the result by passing additional parameters, but in general it returns a large set of information
• POST - Acts upon an operation or system component. For example, you can use a POST request to blacklist a host by acting on the appropriate protection group
• PUT - Replaces an existing resource with a totally new one
• PATCH - Updates only part of a given resource. For example, you can use PATCH to update a user's first name only; all other user properties remain unmodified
• DELETE - Removes a resource, for example a host that has already been blacklisted
• OPTIONS - Lists the available options for a given resource


API Example
Administration > Global

curl -X GET -H "X-Arbux-APIToken:vefNeANMfwcdGVIL29iF9ZCoP2LyOHGFxo2Urvqb" -ks \
  'https://10.0.1.81/api/aps/v1/general-settings/'

Note that -k disables certificate verification; outside a lab, replace it with --cacert and the AED's CA certificate so the token cannot be captured by an on-path host. -s only silences curl's progress output.

(The slide shows the JSON response to this GET request.)
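The same GET call as a small Python client, added here as an example; it is not NETSCOUT's code and not taken from the AED API Guide. It differs from the curl line in three ways a practitioner would want: the token is read from an environment variable rather than typed on the command line, the server certificate is verified against a CA bundle instead of being skipped with -k, and the token is masked in anything that gets logged. The header name and endpoint path are the ones on the slide; the environment variable names, the CA bundle path and the PATCH body are assumptions made for the example.

```python
"""Minimal AED REST API client: token from the environment, TLS verified.
Added example (not NETSCOUT code). AED_API_TOKEN, AED_URL, AED_CA_FILE and
the PATCH body are assumed names used only by this example."""
import json
import os
import ssl
import urllib.request

TOKEN_HEADER = "X-Arbux-APIToken"   # header name shown on the slide
TOKEN_ENV = "AED_API_TOKEN"         # assumed variable name, not an AED convention


def load_token(env=None):
    """Read the API token from the environment rather than embedding it in
    scripts or shell history. The token acts as the AED user it was
    generated for, so it must be handled like a password."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    return token


def build_request(base_url, path, token, method="GET", body=None):
    """Build a urllib Request carrying the AED token header. A body, if
    given, is JSON-encoded; for PATCH it holds only the fields to change.
    urllib normalises header names (X-arbux-apitoken); HTTP header names
    are case-insensitive, so the server treats it the same."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    headers = {TOKEN_HEADER: token, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def tls_context(ca_file):
    """Verify the AED's certificate against a known CA bundle instead of
    curl -k, so an on-path host cannot read the token."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send(req, ctx, timeout=30):
    """Send the request and decode the JSON response."""
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def redacted_headers(req):
    """Header view that is safe to log: the token value is masked."""
    return {k: ("***" if k.lower() == TOKEN_HEADER.lower() else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    base = os.environ.get("AED_URL", "https://10.0.1.81")        # AED from the slide
    ctx = tls_context(os.environ.get("AED_CA_FILE", "aed-ca.pem"))  # assumed CA bundle path
    get = build_request(base, "/api/aps/v1/general-settings/", load_token())
    print("request headers:", redacted_headers(get))
    print(json.dumps(send(get, ctx), indent=2))
```

Export AED_API_TOKEN with the value printed by `apitoken show`, point AED_CA_FILE at the CA that issued the AED's certificate, and run the script; it prints the same general-settings document the curl command returns. PATCH requests are built the same way with `method="PATCH"` and a body containing only the fields to change.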

Managing AED via Console and AEM

Introduction

AEM provides the capability to manage multiple AED devices from one central management console
• AEM provides the ability to manage up to 50 Arbor Edge Defense (AED) devices
• AEM can be installed on an appliance or on a VMware hypervisor
• AEM can manage AED on all platforms (Appliance, VMware, KVM)
• Single Sign On (requires reverse DNS lookups) allows seamless connection to AED
• AEM is the first product to perform this role
• AEM also provides an API
• AEM provides additional countermeasures and features on top of AED


Licensing

AEM requires a license
• Licenses supported
  – APS-Console
  – APS-Console-VM
• AEM does not support cloud-based licenses

Version Compatibility

(The slide shows the AEM/AED version compatibility table.)

AEM replaces APS-Console


Features

• Create and manage protection groups for IPv4 and IPv6 hosts
• Assign protection groups to AED devices
• Centralized reports that aggregate data from multiple AED devices
• Configure server types and protection settings
• Manage Deny and Allow lists
• Monitor network traffic and status of the connected AED devices
• Monitor and respond to AED alerts
• Audit trail assists in monitoring system changes
• Perform profiling simultaneously across multiple AED devices
• Provides SSO for direct access to AEDs when required


Adding An AED Appliance To AEM

• Simple to add: requires the AED hostname or IP
• Requires the zone secret
• The screenshot callout shows where the IP or name of the console is entered


Managing An AED Appliance On AEM

• When an AED is first added, AEM imports its configuration once. From then on AEM holds the master version and the AED's configuration is overwritten
• Deny and Allow lists are NOT overwritten
• Any new changes should ONLY be performed from AEM. Local AED configuration should be done only while the console or its communication has failed, and it will be overwritten once communication is restored


Menu Bar


Dashboard

• Click Dashboard in the menu bar
• View of traffic flowing through all AEDs
• Active alerts
• ATLAS Threat Categories


Summary Page

Summary of status:
• Last AIF check
• Last Backup
• Total Devices

System Information Summary:
• Devices with status, uptime and version

Audit trail:
• Shows recent changes with descriptions
• Commands performed from both UI and CLI
• Can be exported


The Dashboard

Displays all traffic inspected by all AED devices in a one-hour time span
• Toggle between time ranges to narrow or expand the search
• Click on Showing to filter down traffic for specific AED devices


Active Alerts

• Lists all active alerts for all connected AED devices
• Click on any alert to display additional details


Active Alerts

Right click on the alert to connect to the AED in question to get more details about
the alert, or to suppress (ignore) the alert.


Blocked Hosts Log

Explore > Blocked Hosts Log
• View blocked hosts
• Apply filters to reduce the list of displayed items
• Blocked hosts may also be filtered externally using a syslog export


Configuring AED Through AEM

Deny & Allow Lists

Protect > Inbound Protection > Deny List
(The slide shows an entry added on AEM and the same entry as it appears on the managed AED.)


Add Protection Group

Protect > Inbound Protection > Protection Groups
To create a protection group, click the Add IPv4/IPv6 Protection Group button
• Provide the following details
  ✓ Name
  ✓ Description
  ✓ Protected Hosts
  ✓ Protection Level
  ✓ Protection Mode
  ✓ Protection Template
  ✓ Alert Thresholds
• Click Save


Protection Group
Protect > Inbound Protection > Protection Groups

• Here you can view details of configured protection groups and create new protection groups
• You can also create protection groups using the Add button


Adding a Protection Group

Protect > Protection Groups


Profile Capture
Protect > Protection Groups> Protections

A Profile Capture can be initiated on AEM; select the AED to be used


Centralized Reporting
Reports > Configure New Report

Custom reports aggregate data from multiple AEDs


Centralized Reporting (cont.)


Use AEM to Analyse Attacks

Requirement: Analyzing the attacks

It is outside the capabilities of any human to process the data AED forwards and to update protections on an AED within a short timeframe.

AED Attack Analysis Feature
• Detect that an attack is in progress
• Configure efficient countermeasures


Attack Analysis Workflow

Once per minute, Attack Analysis examines the traffic forwarded to and from the protected network and performs attack detection and configuration recommendations.


Attack Analysis on AEM

Alerting and recommendations
• Alert generation
  – On detection of a possible attack
  – Alerts are displayed on the Dashboard and Security Alerts pages
• Recommendations in the Attack Analysis page
  – Include criteria on what to apply and where


Applying the Recommendations

Mitigate the attack
• Simply click the Review & Apply button
• Protection Recommendations will appear
• A new Protection Group is created with the recommended settings if you select Apply Only to Targeted Hosts

Enabling Attack Analysis

• Attack Analysis requires an Adaptive DDoS License on AED
• Attack Analysis is supported only on AED 8100 appliances and vAED and cAED devices that are managed by AEM
• Enable on individual AEDs
• No configuration on AEM is required


Summary

• The functions the REST API provides

• AEM can be used to synchronize multiple AEDs and can run as a VM

• AEM provides configuration and reporting functions

• AEM is required to manage the Attack Analysis feature on AEDs

This course material is based on AED Release 7.2.0.0
Revised: 30th of October 2024

Corporate Headquarters
310 Little Road
Westford, MA 01886, USA
Toll Free +1 888 357 7667
T +1 978 614 4000
F +1 978 614 4004
www.netscout.com

Information presented in this document is subject to change without notice. The contents of this publication may not be reproduced (in any part or as a whole) without the permission of the publisher. Sightline is a trademark of NETSCOUT Inc. All other trademarks are the property of their respective owners.
Copyright © 2022 NETSCOUT, Inc. All rights reserved.
