boot

The Pocket Guide

Arbor Security Products

January 2022
 The Pocket Guide
Glossary 3
Hardware Appliance Overview

➔ Front Panel SP6000/7000/7500 5

➔ SP-6000 5
Sightline ➔ SP-7000 5
➔ SP-7500 6
➔ SP-Insight 8000 6

➔ TMS-2300 6
➔ TMS-2600 & 2800 7
TMS ➔ TMS-5000 7
➔ TMS-8100 7
➔ HD-1000 8

➔ APS-2600 & 2800, APS Console 7000, AED-2600 & 2800 11

➔ AED-8100 12
APS/AED
➔ AED-HD1000 13
➔ NETSCOUT 3296 Inline Bypass Switch 14

CLI Command Reference

 APS & AED 15

 Sightline & TMS 18

Mitigation
 TMS & APS/AED - FCAP Traffic Filtering 23
 TMS & APS/AED - Regular Expression 27
 TMS - Packet Header Filtering 29
 Other Types - BGP Flow Specification 31

Appendix
 AED Countermeasure Sequence 32
 Sightline & ArbOS - REST API Matrix 34
 Sightline & TMS - BGP Signaling Capabilities 34
 Sightline Alert Search Keywords 35
 Personal Notes 36
 Arbor Cloud Details 39

Page 2 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
Glossary
AED NETSCOUT® Arbor Edge Defense
AIF® NETSCOUT® ATLAS Intelligence Feed
AMS 24/7 Arbor Managed Services
API Application Programming Interface
APM-E High Performance Packet Processing Card - NETSCOUT ® Arbor TMS-5000 Series
APS NETSCOUT® Arbor Availability Protection System
ArbOS NETSCOUT® Arbor Operating System
AS | ASN Autonomous System Number (BGP)
ASERT NETSCOUT® Arbor Security Engineering & Research Team
ATAC NETSCOUT® Arbor Technical Assistance Center
BGP Border Gateway Routing Protocol
BLO Blacklist Offloading via BGP FlowSpec or OpenFlow from Arbor TMS
bpp Bytes per packets
Bypass In Bypass mode, all packets received from one port are transmitted to the adjacent port
CAM Cryptographic Acceleration Module for AED-2600/2800 or APS-2600/2800
CLDAP Lightweight Directory Access Protocol
CLI NETSCOUT® Arbor Command Line Interface, available via Console or SSH connection
Cloud Signaling | CLD Dynamic signaling between APS or AED on premise and a cloud-based DDoS solution
Community BGP communities - Capability for tagging routes and for modifying BGP routing policy
DDoS Distributed Denial of Service
DNS Domain Name Service to resolve names into IP addresses
DS NETSCOUT® Arbor Sightline - Data Storage Appliance
DSCP Differential Service Code Point – Quality of Service (QOS) for IP
EOM NETSCOUT Software Status: End of Maintenance
EOS NETSCOUT Software Status: End of Support
FCAP (Flow Capture) fingerprint expression language
Flow Includes details such as about client and server IP address, protocol, ports, and so on that were used
FlowSpec Signals IP traffic parameters together with an action which needs to be perform between two devices
Fragment Breaking an IP packet into smaller pieces (fragments)
GA NETSCOUT Software Status: General Availability
GLBP Gateway Load Balancing Protocol
HSM Hardware Security Module
HSRP Hot Standby Router Protocol, automatic default gateway service
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol - Send error messages and operational information within a network
IOC Indicator of Compromise - a threat signature
IPMI Intelligent Platform Management Interface - autonomous interface from computer subsystem
IPSEC Group of protocols to encrypt communication between two devices
ISAKMP Internet Security Association and Key Management Protocol
L2TP Layer Two Tunneling Protocol
Leader NETSCOUT Sightline - Central management function within a Deployment
LR Long Range tranceiver optics – mostly single-mode fibre connections
MCM-C Management Card - NETSCOUT® Arbor TMS-4000 and TMS-5000 Series
mDNS Multicast DNS
MemCache general-purpose distributed memory-caching system
MGT Management Interfaces on an NETSCOUT® Arbor TMS Appliance or APS Appliances

CONFIDENTIAL & PROPRIETARY Page 3

 The Pocket Guide
MM Management Card - NETSCOUT® Arbor HD-1000
mode active APS/AED inspects traffic and enforces decission on traffic
mode inactive APS/AED inspects traffic and only simulates decission on traffic
MPO Multi-fiber Push On - is a type of optical connector
Netbios Network Basic Input/Output System that enables applications on different computers to communicate
NTP Network Time Protocol
NXDOMAIN Non-existent Internet Domain Names Definition
PG | Protection Group Group of IP addresses that will be protected in the same way
PPM High Performance Packet Processing Card - NETSCOUT® Arbor HD-1000
Profile Capture Learning mode of rate-based protections
Protection Available check on traffic or source IP sending traffic through the APS/AED
PSM Switch and Control Blade - NETSCOUT® Arbor TMS-4000 and TMS-5000 Series
qinq IEEE 802.1ad - QinQ allows multiple VLAN tags to be inserted into a single frame
QSFP+ Quad (4-channel) Small Form-factor Pluggable Optics Transceiver – 4 × 10GBit/s
QSFP28 QSFP28 (quad small form-factor pluggable 28) is designed for 100G applications.
RADIUS Remote Authentication Dial-In User Service: providing Authentication, Authorization & Accounting
Regex Regular-Expression
RFC Request for Comments - IETF
RIPv1 Routing Information Protocol Version 1
rpcbind Remote Procedure Calls portmapping service
RT BGP Extended Community – Route Target
SFP | SFP + Small Form-factor Pluggable – pluggable network interface module
Sightline NETSCOUT® Arbor Sightline
SIP Session Initiation Protocol that include voice, video and messaging applications
SM0, SM1 Switch Module + Shelf Manager + Line Card - NETSCOUT® Arbor HD-1000
SMB Server Message Block, file server protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOAP Simple Object Access Protocol - Messaging protocol specification for exchanging structured information
SQL Structured Query Language to access and manage databases
SR Short Range tranceiver optics – mostly multi-mode fibre connections
SSDP Simple Service Discovery Protocol
SSH Secure Shell
SSL Secure Sockets Layer - standard for encrypted connections
ST | Server Type Group of protection settings that are applied to certail IP addresses
STIX Structured Threat Information eXpression, standardized language for describing cyber threat information
TACACS Terminal Access Controller Access Control System - Authentication protocol
TAXII Trusted Automated eXchange of Intelligence - messages shareing cyber threat information
TCP Transmission Control Protocol - Standard defining how to establish and maintain a network conversation
Telnet Bidirectional interactive text-oriented communication
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security - deprecated, predecessor of SSL
TMS NETSCOUT® Arbor TMS - Threat Mitigation System
TRA NETSCOUT® Arbor Sightline - Traffic & Routing Analysis Appliance
UDP User Datagram Protocol - Communications protocol primarily used for low-latency applications
UI NETSCOUT® Arbor Sightline - User Interface Appliance
USB Universal Serial Bus, supports only FAT format

Page 4 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
VGA Video Graphics Array – monitor or display interface
VRF Virtual Routing and Forwarding – Logical routing instance
WS-Discovery Web Services Dynamic Discovery
ZTP Zero Touch Provisioning

Hardware Appliances Overview

Front Panel SP6000/7000/7500
1 Power button 8 Chassis ID button
2 System reset button 9 NIC1/NIC2 activity LED
3 Chassis information LED 10 Hard drive activity LED
4 Fan status LED 11 Power alarm LED
5 Critical alarm LED 12 Minor alarm LED
6 Major alarm LED 13 RJ45 serial console port
7 NMI (non-maskable interrupt) button
An alarm LED that is blinking green, solid amber, or solid red indicates
an error condition

SP-6000

1 DB-9 serial console port: 9600/8-N-1 5 Ethernet ports (eth1-eth3, top to bottom)
2 VGA connector 6 Ethernet ports (eth4-eth11)
3 Ethernet port (eth0) 7 AC power supply
4 4x USB ports (USB2.0)

SP-7000

1 VGA connector 8 2x ground studs for DC input

2 2x USB ports (USB2.0)
3 Not supported
4 2x USB ports (USB3.0)
5 Ethernet ports (eth0, left and eth1, right)
6 2x 10GbE fiber Ethernet ports (eth6 and eth7)
7 4x 1GbE coper Ethernet ports (eth2-eth5)
9 Power supply 2 (DC shown). Pin 1 (bottom) ground,
pin2 (middle) -48Vdc terminal and pin 3 (top) – return
terminal
10 Power supply 1 (AC shown)
Either two AC or two DC power supplies
! Front RJ-45 serial console: 9600/8-N-1

CONFIDENTIAL & PROPRIETARY Page 5

 The Pocket Guide
SP-7500
1 VGA connector
2 UBS1(top), USB2(bottom) (USB3.0)
3 Not supported
4 UBS3(top), USB4(bottom) (USB3.0)
5 eth0: 10GBASE-T Ethernet (@1G or 10G)
6 eth1: 10GBASE-T Ethernet (@1G or 10G)
7 4x10 GbE SFP+ coper/fiber (eth2-eth5)
SP-Insight 8000
1 Power supply 1 (AC model)
2 Power supply 2 (AC model)
3 DB-9 serial console: 115200/8-N-1
4 VGA connector
5 Not supported
Front Panel:
TMS-2300
1 DB-9 serial console port: 9600/8-N-1
2 VGA connector
3 Management Ethernet port (mgt0)
4 4x USB ports (USB2.0)
Page 6
8 2x ground studs for DC input
9 Power supply 2 (DC shown). Pin 1 (bottom) ground,
pin2 (middle) -48Vdc terminal and pin 3 (top) – return
terminal
10 Power supply 1 (AC shown)
Either two AC or two DC power supplies
! Front RJ-45 serial console: 115200/8-N-1
6 2x USB ports (USB3.0)
7 2x 1GbE coper Ethernet ports (eth0 and eth1)
Can be used for management or data
8 4x 10GbE coper Ethernet ports (eth2-eth5)
Can be used for management or data.
1
2
Power button and LED
Unit ID button and LED*
5 Remote management LED*
6 Major alarm LED*
3 eth0 activity LED 7 Reset button and LED
4 eth1 activity LED *not supported
5 Management Ethernet ports (mgt1-mgt3, top to bottom)
6 Ethernet ports (tmsx0 and tmsx1) - Mitigation only
7 Ethernet ports (tmsx2 - tmsx5) - Mitigation only
8 AC power supply
CONFIDENTIAL & PROPRIETARY
 The Pocket Guide
TMS-2600 & 2800

1 VGA connector 8 2x ground studs for DC input

2 2x USB ports (USB2.0)
3 Not supported
4 2x USB ports (USB3.0)
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 8x 10GbE Ethernet ports (tms0-tms7)
4x 1GbE coper Ethernet ports (tms8-tms11)
9
Power supply 2 (DC shown). Pin 1 (bottom) ground, pin2
(middle) -48Vdc terminal and pin 3 (top) – return terminal
10 Power supply 1 (AC shown)
Either two AC or two DC power supplies
! Front RJ-45 serial console: 9600/8-N-1

TMS-5000

TMS-8100

1 VGA connector 8 2x ground studs for DC input

2 UBS1(top), USB2(bottom) (USB3.0)
3 Not supported
4 UBS3(top), USB4(bottom) (USB3.0)
5 mgt0: 10GBASE-T Ethernet (@1G or 10G)
6 mgt1: 10GBASE-T Ethernet (@1G or 10G)
7 8x10 GbE SFP+ (tms0-tms7), 8x1 GbE SFP (tms8-tms15)
9 Power supply 2 (DC shown). Pin 1 (bottom)
ground, pin2 (middle) -48Vdc terminal and pin
3 (top) – return terminal
10 Power supply 1 (AC shown)
Either two AC or two DC power supplies
! Front RJ-45 serial console: 115200/8-N-1

CONFIDENTIAL & PROPRIETARY Page 7

 The Pocket Guide
HD-1000

1 RJ-45-serial console port - SM0: 9600/8-N-1
2 4x 10GbE ports (tms0.0-tms0.3) SFP+ SR/LR
3 4x 10GbE ports (tms0.4.0-tms0.4.3) QSFP+ SR/LR
with breakout cable
4 1x 1GbE Management Ethernet port (mgt0)
5 RJ-45-serial console port -SM1: 9600/8-N-1
6 4x 10GbE ports (tms1.0-tms1.3) SFP+ SR/LR
7 4x 10GbE ports (tms1.4.0-tms1.4.3) QSFP+ SR/LR
with breakout cable
8 1x 1GbE Management Ethernet port (mgt1)

1 RJ-45-serial console port SM-320G-0: 9600/8-N-1
2 1x100 GbE port (tms0.0) QSFP28 (SR4 or LR4)
3 4x 10GbE ports (tms0.1.0-tms0.1.3) QSFP+ SR4/LR4
with breakout cable
4 1x100 GbE port (tms0.2) QSFP28 (SR4 or LR4)
5 1x 1GbE Management Ethernet port (mgt0)
6 RJ-45-serial console port SM-320G-1: 9600/8-N-1
7 1x100 GbE port (tms1.0) QSFP28 (SR4 or LR4)
8 4x 10GbE ports (tms1.1.0-tms1.1.3) QSFP+
SR4/LR4 with breakout cable
9 1x100 GbE port (tms1.2) QSFP28 (SR4 or LR4)
10 1x 1GbE Management Ethernet port (mgt1)

DC Power Connection

Obtain four DC power cables and four crimp

terminals (two each for each DC PSU). #8 AWG
THHN 90 C rated cable and Panduit LCBX8-10F-L
crimp terminals are recommended. DC cables and
crimp terminals are not available from NETSCOUT

Page 8 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Chassis containing PPM-20G (max. 160G throughput)

Chassis containing PPM-50G (max. 400G throughput)

Mixing PPM-20G and PPM-50G within the same chassis requires the
1500W power supplies and Sightline Release 9.0

Comparison between PPM-20G and PPM-50G

CONFIDENTIAL & PROPRIETARY Page 9

 The Pocket Guide

HD-1000 - Manual Start-up and Shutdown

This insert describes how to manually start up and Fast Manual Shutdown
shut down the TMS HD1000 appliance using the
IMPORTANT: Before you do a fast manual
chassis power button. It also tells you how the LEDs
shutdown, first try a clean manual shutdown. A
on the front and rear panels appear during a manual
clean shutdown helps preserve data integrity.
start-up and shutdown.

To perform a fast manual shutdown, press and

hold the chassis power button for four seconds.
All components will shut down immediately. The
LEDs appear as follows before and after the fast
shutdown:
The LEDs are on the chassis faceplate and on the
faceplate of each module in the chassis. The
modules include SM0, SM1, MM, and all PPMs. To
locate these modules, see the front panel and rear
panel illustrations in this Quick Start Card.

If you have difficulty with manual start-up or

shutdown, contact the Arbor Technical Assistance
Center (https://support.arbor.net).
Note: After a fast shutdown, the red CRT (critical
Initial Start-Up alarm) LED on the chassis turns on.

When you connect facility power to the TMS

HD1000, the appliance starts up automatically. You Start-up after Shutdown
do not have press the chassis power button to start If power is connected to the TMS HD1000, but the
up manually. green power LEDs are off, the appliance is off. To
restart the appliance manually, press and quickly
release the chassis power button. The LEDs
Clean Manual Shutdown appear as follows during manual startup:
To perform a clean manual shutdown, press and
quickly release the chassis power button. A clean
shutdown takes up to five minutes to complete. The
LEDs appear as follows before, during, and after the
clean shutdown:

Note: Led sequence in tables are based on PPM-20G,

the order of LEDs on the PPM-50G are reversed.

Page 10 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

APS-2600 & 2800, APS Console 7000, AED-2600 & 2800

Front-Panel
1 Power button 8 Chassis ID button
2 System reset button 9 NIC1/NIC2 activity LED
3 Chassis information LED 10 HDD activity LED
4 Fan status LED 11 Power alarm LED
5 Critial alarm LED 12 Minor alarm LED
6 Major alarm LED 13 RJ-45 serial console: 9600/8-N-1
7 NMI Button

Generic Chassis Overview

1 VGA Connector 9 2x ground studs for DC input

2 USB0 (bottom) and USB1 (top)
3 Remote Management NIC – NOT SUPPORTED
4 USB2 (bottom) and USB3 (top)
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 1GbE (fiber or copper) or 10 GbE fiber ports
8 4x 1GbE ports, coper (or fiber)
10 Power supply 2 (DC module shown). The -48V
terminals are on the top and the return terminals (+)
are on the bottom.
11 Power supply 1 (AC model shown)
Either two AC or two DC power supplies
! Front RJ-45 serial console: 9600/8-N-1

Supported NIC Configuration for AED-2800

! Please note the slot distribution shown below, this must be strictly followed.

Slot1: 10 GbE
One or
Slot2: Not used
two
10 GbE Slot6: 10 GbE
Slot7: Not used

Two Slot1: 10 GbE

10 GbE
Slot2: Not used
+
one Slot6: 10 GbE
1 GbE Slot7: 1 GbE

CONFIDENTIAL & PROPRIETARY Page 11

 The Pocket Guide

AED-8100
Front-Panel
1 Power button 8 Chassis ID button
2 System reset button 9 NIC1/NIC2 activity LED
3 Chassis information LED 10 HDD activity LED
4 Fan status LED 11 Power alarm LED
5 Critial alarm LED 12 Minor alarm LED
6 Major alarm LED 13 RJ-45 serial console: 115200/8-N-1
7 NMI Button

Generic Chassis Overview

1 VGA Connector 8 2x ground studs for DC input

2 USB0 (bottom) and USB1 (top)
3 Remote Management NIC – NOT SUPPORTED
4 USB2 (bottom) and USB3 (top)
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 Protection Ports (see supported NIC configuration)
9 Power supply 2 (DC module shown). The -48V
terminals are on the top and the return terminals (+)
are on the bottom.
10 Power supply 1 (AC model shown)
Either two AC or two DC power supplies
! Front RJ-45 serial console: 9600/8-N-1

Supported NIC Configuration for AED-8100

! Please note the slot distribution shown below, this must be strictly followed.

One, Slot1: 1 GbE

two or Slot2: Not used
three Slot6: 1 GbE
1 GbE
Slot7: 1 GbE

One or Slot1: 10 GbE optional

two Slot2: empty
10 GbE
Slot6: 10 GbE
Slot7: Not used

One
10 GbE Slot1: 1 GbE
+ Slot2: 1 GbE optional
one or Slot6: 10 GbE
two
Slot7: Not used
1 GbE

Page 12 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Two Slot1: 10 GbE

10 GbE
Slot2: Not used
+
one Slot6: 10 GbE
1 GbE Slot7: 1 GbE

Slot1: 40 GbE optional

One or
Slot2: Not used
two
40 GbE Slot6: 40 GbE
Slot7: Not used

One
40 GbE Slot1: 10 GbE
+ Slot2: 10 GbE optional
one or Slot6: 40 GbE
two
Slot7: Not used
10 GbE

AED-HD1000

1 RJ-45-serial console port SM-320G-0: 9600/8-N-1
2 1x100 GbE port (ext0) QSFP28
3 4x 10GbE ports (ext2/int2, ext3/int3) QSFP+ with
breakout cable
4 1x100 GbE port (int0) QSFP28
5 1x 1GbE Management Ethernet port (mgt0)
6 RJ-45-serial console port SM-320G-1: 9600/8-N-1
7 1x100 GbE port (ext1) QSFP28
8 4x 10GbE ports (ext4/int4, ext5/int5) QSFP+ with
breakout cable
9 1x100 GbE port (int1) QSFP28
10 1x 1GbE Management Ethernet port (mgt1)

AED-HD1000 Port Numbering

CONFIDENTIAL & PROPRIETARY Page 13

 The Pocket Guide

AED-HD1000 Slot Numbering

NETSCOUT 3296 Inline Bypass Switch

1 Modul Bays Nr 1 (left), Nr 2 (right) 6 Bypass Module: 3296-SG-MMPO-2B

2 Segment Bypass Status (on=inline, off=bypass) 7 Bypass Module: 3296-SG-MM-2B
3 USB Port for Power and bypass heartbeat link 8 Bypass Module: 3296-SG-SM-2B (100 GbE)
4 Power LED (green=ok) 9 Bypass Module: 3296-SG-SM-2B (10 GbE)
5 Modul Bays Nr 3 (left), Nr 4 (right) Same module with 10 GbE instead of 100GbE

NETSCOUT 3296 Modules

Module Cables per bypass module
3296-SG-MMPO-2B • Two Ethernet patch cables
• Two 100 GbE multi-mode fiber optic cables, SR4 with MPO connectors
3296-SG-MM-2B • Four Ethernet patch cables
• One 4 x 10 GbE multi-mode MPO fiber optic cable, SR4 with LC breakout connectors
3296-SG-SM-2B 100 GbE bypass module:
• Two or four Ethernet patch cables
• Two or four 100 GbE single-mode fiber optic cables, LR4 with LC connectors
10 GbE bypass module:
• Four Ethernet patch cables
• One 4 x 10 GbE single-mode MPO fiber optic cable, PLR4 with LC breakout connectors

Page 14 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
Command Reference - APS & AED
Global System
/ help global or help or ?
/ users
/ clock
/ config show
/ config write
Remote Access
/ ip access show
/ ip access add proto int source-ip
/ ip access delete proto int source-ip
/ ip access commit
IP + Interface - Configuration and Verification
/ ip arp show
/ ip route show
/ ip route add default next-hop-ip
/ ip route add network/mask next-hop-ip
/ ip interface show [brief|name]
/ ip interface identify int [sec]
/ ip interface ifconfig name up|down
/ ip interface ifconfig name ip/mask
/ ip interface ifconfig name ip/mask alias
/ ip interface vlan int vlan-id
/ ip interface media name
/ ip interface media name speed 10|100|1000 duplex full|half
/ ip interface media name mtu value
/ services aed mitigation vlan-qinq show|enable|disable
/ services aed mitigation vlan-qinq ethertype type
/ services aps|aed mitigation interface media name speed
10|100|1000 duplex full|half
/ services aps|aed mitigation interface media name mtu value
/ services aps|aed mitigation interface media int auto
/ services aps|aed mitigation interface int ip/mask
/ services aps|aed mitigation route add net nexthop
/ system hardware interface name
/ system hardware interface name pause-frame
/ system hardware interface name dump-regs
/ ip interface counter [name]
/ ip interface counter [name] clear
System Initialization
/ services aps|aed database initialize
/ services aps-console data initialize
CONFIDENTIAL & PROPRIETARY
see available command sub options
list all CLI connected users on appliance
show or set the system clock
show only the running Arbos configuration
save current configuration
show active and inactive IP access rules
add IP access rule for remote access by protocol, ingress
interface and source IP address or range.
proto: bgp, cloudsignaling, https, ping, snmp, ssh
delete an IP access rule
commit inactive IP access rules.
(Issue config write if changes should persist after reboot)
show ARP entries (management interfaces only)
show IP routing configuration
add default gateway configuration
add static route configuration
show network interface configuration. The option brief provides
a table formatted output or specify an interface name.
Identify appliance by activating the identification led on a MGT
port
administratively enable or disable interface
configure IP address on management interface
configure alias/secondary IP address on management interface
adding VLAN subinterface on management interface (mgt0,
mgt1)
check physical interface settings for management or mitigation
interfaces
configure physical interface settings for management and also
mitigation interfaces (≤ 5.9)
set the interface MTU, values supported 1500..9216 byte (≤ 5.9)
show, enabe or disable VLAN Q-in-Q tag support (≥ 6.2)
set the ethertype used when AED generates own packets (≥ 6.2)
configure interface settings for mitigation interfaces (≥ 5.10)
set interface MTU, values supported 1500..9216 byte (≥ 5.10)
remove all interface specific settings, like on hw changes (≥6.5)
set ip address on mitigation interface, only in L3 mode available
add static route for protection interface, only in L3 mode available
show protection interface settings (≥ 6.0)
show protection interface pause parameters (≥ 6.0)
show protection interface register information (≥ 6.0)
show interface counters
clear interface counters
initialize the APS. Warning all data will be lost!
initialize the APS-Console. Warning all data will be lost!
Page 15
 The Pocket Guide
License Management and AIF
/ system license set Pravail, AED or APS-CONSOLE …
/ system license set ASERT …
/ system license show
/ services aps|aed aif version show
/ services aps|aed aif url set|show|clear
Service and System Verification
/ services aps|aed show|start|stop
/ services aps-console show|start|stop
/ services ssh show
/ services ntp show
/ services dns show
/ system show
/ system file show
/ system file check
/ system file directory disk:
/ system file copy disk:filename …
CLI System Configuration Commands
/ system banner set
/ system timezone set zone
/ system name set name
/ system idle set minutes
/ services aps|aed mode set inline|monitor
/ services aps|aed bypass show
/ services aps|aed bypass disable
/ services aps|aed bypass fail closed|open
/ services aps|aed bypass software enabled|disabled
/ services aps|aed bypass force closed|open
/ services aps|aed protection show
/ services aps|aed protection reset option ST level
/ services aps|aed protection set option ST level value
Device Authentication and API access
/ services aaa show
/ services aaa radius …
/ services aaa tacacs …
/ services aaa method set local radius tacacs
/ services aaa method exclusive enable/disable
/ services aaa local password admin interactive
/ services aaa local apitoken show
/ services aaa local apitoken generate user description
Page 16
configure appliance license with type
configure AIF license
show installed licenses (incl. types and valid period)
show installed AIF packages and their version
configure AIF update source
show status, start or stop software on the APS appliance
show status, start or stop software on the APS-Console appliance
show SSH configuration and status
show NTP configuration and status
show DNS service details
show General system information
show installed software packages
check installed package integrity
list contents of local file system
copy file to or from device via ftp, http, https or scp
configure a specific banner for console and SSH connections
set time zone of the device, also available in the UI
configure device name
configure idle timeout for console and SSH connections
switch between Arbor Networks APS deployment modes
show bypass configuration
disable hardware bypass
configure hardware bypass failure mode
enable or disable software bypass
force hardware bypass to fail open or closed
show protection configuration
reset protection configuration value to factory default
modify protection configuration:
option: connlimit.blacklist_enabled, connlimit.max_conn,
idle.header_time, idle.rate_interval,
tls.clients_can_alert, tls.early_whitelist,
tls.max_cipher_suites, tls.max_extensions, …
ST: Server Type name
level: Low, medium or high
value: Value to apply
Please consult Arbor if you are unsure about the effects of
changing any of the above advanced parameters.
show AAA configuration, status and local accounts
configure Radius server for user authentication
configure Tacacs server for user authentication
configure authentication sequence
with exclusive authentication and the TACACS+ server is
operational, but the user does not have a TACACS+ account, then
that user cannot log in at all. APS only tries to
authenticate with the next method listed if the TACACS+ server is
not operational or is unreachable on the network.
change the password of the admin account by typing it twice into
the CLI.
show manually generated tokes for Rest API usage
generate new token for Rest API
CONFIDENTIAL & PROPRIETARY
 The Pocket Guide
/ services aaa local apitoken remove token remove Rest API token from the system
/ services aaa local apitoken clear show local active alerts
https://aps-hostname/api/aps/doc/v1/endpoints.html online documentation about Rest API on APS appliance
https://aps-hostname/api/aps/doc/v2/endpoints.html online documentation about Rest API on APS appliance (≥ 5.12)
Crypto Support
/ system hsm key show|import|remove show, import or remove a key from the HSM module
/ system hsm init officer-name user-name fips|non-fips initialize HSM, set Crypto Officer username and Crypto User
persist|nopersist username, select fips mode, select if credentials are persistent
/ system hsm services authorize|deauthorize authorize or deauthorize the HSM module
/ system hsm stats show statistics on the HSM module operation
/ system hsm zeroize zeroized/remove all informations from the HSM module
/ system crypto keys local initialize initialize CAM module (≥ 6.2.1)
/ system crypto keys local import label disk:|usb:filename import crypto keys to CAM module (≥ 6.2.1)
/ system crypto keys local remove label remove a crypto key by label from CAM module (≥ 6.2.1)
/ system crypto keys local zeroize zeroized/remove all informations from CAM module (≥ 6.2.1)
/ system crypto hardware show hardware and software details of CAM module (≥ 6.2.1)
/ system crypto stats show statistics on CAM module operation (≥ 6.2.1)
/ service aed crypto authorize authorize the CAM module (≥ 6.2.1)
/ service aed crypto show show operational status of CAM module (≥ 6.2.1) and TLS Proxy
/ service aed crypto pg associate [keyName] [pgName] host keyName = name of the key
pgName = name of a PG
host = fully qualified domain name (FQDN) for the SNI host, must
match the common name in the certificate (≥ 6.4.0)
/ service aed crypto pg list list of the keys and their associations( ≥ 6.4.0)
/ service aed crypto pg disassociate [keyName] [pgName] disassociate a key from a single PG or from all (≥ 6.4.0)
/ services crypto cert_stats show [startTime endTime] [certs] statistics for passed traffic for each SSL certificate
[startTime endTime] = statistics covering UTC time period
(Format: YYYY-MM-DDTHH:MM:SS, default last 24h)
[certs] = The number of certificates to return (default 10)
Troubleshooting
/ traceroute, traceroute6 trace route to host for IPv4 or IPv6 (none mitigation interfaces)
/ ping, ping6 ping a network host for IPv4 or IPv6 (none mitigation interfaces)
/ ip interface snoop interface filter watch traffic on MGT interface. filter: PCAP expression
create diagnostics package. Please provide in case of a support
/ system diagnostics
ticket with ATAC.
/ services logging show show available log files
/ services logging view syslog options view system internal syslog messages
/ system hardware show hardware details: CPU, Memory, SN, …
/ system disk show show system disk configuration

CONFIDENTIAL & PROPRIETARY Page 17

 The Pocket Guide
Command Reference – Sightline & TMS

TRA/DS
Leader

TMS
Global System

UI
/ help global or help or ? see available command sub options - ✓ ✓ ✓
/ users list all CLI connected users on appliance - ✓ ✓ ✓
/ clock show or set the system clock - ✓ ✓ ✓
/ config show show the running configuration - ✓ ✓ ✓
/ config write or revert save or revert current configuration - ✓ ✓ ✓
/ config clear clear config on TMS to restart ZTP process (≥ 8.2) - - - ✓
/ config rcs diff|history|show show Configuration Commit History (≤9.2) ✓ - - -
Remote Access
/ ip access show show active and inactive IP access rules - ✓ ✓ ✓
add IP access rule for remote access by protocol, ingress -
/ ip access add proto int source-ip interface and source IP address or range. ✓ ✓ ✓
proto: cloudsignaling, bgp, https, ssh, ping, snmp, ssh, ...
/ ip access delete proto int source-ip delete an IP access rule - ✓ ✓ ✓
/ ip access commit commit inactive IP access rules. (config write to persist reboot) - ✓ ✓ ✓
System Initialization
configure device as a leader
ip: own management IPv4
/ services sp bootstrap leader ip secret role ✓ - - -
secret: shared zone secret
role: PI, CP
configure device as a non-leader (≤ 9.0.2)
ip: is the IPv4 address of the leader
/ services sp bootstrap non-leader ip secret role - ✓ ✓ -
secret: shared zone secret
role: PI, BI or CP
configure device as a non-leader (≥ 9.0.2)
ip: is the IPv4 address of the leader
/ services sp bootstrap non-leader ip own-ip
own-ip: is the IPv4 address of this device - ✓ ✓ -
secret role
secret: shared zone secret
role: PI, BI, CP or AC* *(≥9.4.0.0)
configure TMS
/ services tms bootstrap ip secret ip: is the IPv4 address of the leader - - - ✓
secret: shared zone secret
IP + Interface Configuration and Verification
/ ip arp show show ARP entries (management interfaces only) - ✓ ✓ ✓
/ ip route show show IP routing configuration - ✓ ✓ ✓
/ ip interface show [brief] show network interface configuration. - ✓ ✓ ✓
/ ip interface counter int [clear] show or clear interface counters - - - ✓
/ ip interfaces ring_rx_buf_size intf rx-buf-size configure interface rx buffer size (≥ 9.0) - ✓ ✓ -
/ ip interfaces ifconfig int ip/M state configure interface ip address/mask & interface state (≥ 9.2) - ✓ ✓ ✓
/ ip interfaces ifconfig int dhcp enable|disable enable or disable dhcp on management interface - ✓ ✓ ✓
/ ip interface show sfp show SFP details, also on TMS (≥ 9.4.0.0) - ✓ ✓ ✓
/ system hardware sfp show SFP details (< 9.4.0.0) - - - ✓
/ system hardware interface name pluggable- show SFP and SFP+ details (≥ 9.1 and < 9.4.0.0) -
- - ✓
module-info
/ system hardware interface name pause-frames show interface pause frames settings (≥ 9.1) - - - ✓
/ system hardware interface name dump-regs Dump all registers from interface hardware (≥ 9.1) - - - ✓
/ system hardware 10g-mgmt show/enable/dis. flip 10G interfaces from mitigation to management (≥9.3) - - - ✓
CLI System Configuration Commands
/ system banner set configure a banner for console and SSH connections - ✓ ✓ ✓
/ system name set hostname configure device name - ✓ ✓ ✓
/ system idle set seconds configure idle timeout for console and SSH connections - ✓ ✓ ✓

Page 18 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
/ services aaa local advanced harden_password configure hardened password usage for local accounts - ✓ ✓ ✓
/ services aaa max-login_failures set number enable max login failures protection - ✓ ✓ ✓
/ services aaa password_length min number increase the minimum length of the account passwords - ✓ ✓ ✓
/ services aaa password_length max number increase the maximum length of the account passwords - ✓ ✓ ✓
/ services aaa local accounting set level lvl enable command accounting by setting lvl = commands ✓ - - -
/ services aaa local advanced hide non-local user data from User Account Login Records
✓ - - -
hide_none_local_history enable page
/ services aaa logging remote set host udp/tcp send AAA log messages to a remote syslog host
✓ - - -
port
/ services sp model address_space auto auto-discover and append your local IPv4 address space ✓ - - -
/ services sp model subscribers enable enable subscriber monitoring + AIF Threat Indicators (≥9.3) ✓ - - -
/ services sp preferences login_timeout set sec set idle timeout period for the UI ✓ - - -
/ services sp device edit name asidnsflow set comma separated list of the IP addresses of the devices that
✓ - - -
prefix will be providing DNS flow to configured ASI Collector
/ services sp device edit name configure UI appliance to be be used for cloud signaling only
✓ - - -
cloud_signalling_only set enable|disable and disable API + graphical interface on this device
/ services sp device edit name deployment configure 10G managements ports on a HD-1000 appliance
✓ - - -
mgmt._ports_10g enable|disable (≥9.3)
Service and System Verification
/ services aaa show show AAA configuration, status and local accounts - ✓ ✓ ✓
/ services dns show show DNS servers and their state - ✓ ✓ ✓
/ services dns server add ip add a DNS server - ✓ ✓ ✓
/ services ssh show show SSH server state - ✓ ✓ ✓
/ services ntp show show NTP servers and their state - ✓ ✓ -
/ services ntp server add ip add a NTP server - ✓ ✓ -
/ services sp show|start|stop show status, start or stop software on Sightline appliance - ✓ ✓ -
system backup management -
/ services sp backup options ✓ ✓ -
options: show, create, stop, export, import …
/ services sp device leader show show name of the deployment leader - ✓ ✓ -
system backup management on TMS (≥ 8.4) -
services backup options - - ✓
options: show, create, stop, export, import …
/ services tms show|start|stop show status, start or stop software on TMS appliance - - - ✓
/ services tms show alert show local active alerts - - - ✓
/ services tms show arp show ARP entries (mitigation interfaces only) - - - ✓
/ services tms show blacklist show IP address count currently on dynamic blacklist - - - ✓
/ services tms show interface rate show mitigation interface processing rates - - - ✓
/ services tms show interface status show mitigation interface status - - - ✓
/ services tms show mitigation show running mitigations and their traffic rates - - - ✓
/ system file show show installed software packages - ✓ ✓ ✓
/ system file directory disk: list contents of local file system - ✓ ✓ ✓
/ system file copy disk:filename … copy file to or from device via ftp, http, https or scp - ✓ ✓ ✓
/ system hardware show hardware details: CPU, Memory, SN, … - ✓ ✓ ✓
Network and Data Configuration and Verification
/ services tms deployment bgp show neighbors show BGP neighbor status - - - ✓
/ services tms deployment bgp show routes show BGP route advertisement status - - - ✓
/ services tms show gre show reinjection GRE tunnel status - - - ✓
/ services sp data bgp show show BGP neighbor status - - ✓ -
/ services sp router edit name bgp configure an explicit source IP address for the BGP peering
✓ - - -
update_source set ip with this router
/ services sp router edit name bgp configure router preselected in UI for blackhole or flowspec
✓ - - -
default_mitigations type enable|disable mitigations

CONFIDENTIAL & PROPRIETARY Page 19

 The Pocket Guide
BGP shared memory size details, Options:
/ services sp device edit name bgp show: show current shared memory size
✓ - - -
shared_memory_size options set size: set shared memory size in MB
clear: return to default value
/ services sp router edit name snmp configure an explicit source IP address for the SNMP polling
✓ - - -
local_ip_address set ip of this router.
/ services sp router edit name snmp configure data encryption for SNMPv3, default: DES, or AES-
✓ - - -
priv_protocol AES/DES 128 (≥ 8.3)
/ services sp router edit name advanced poll virtual and IfMib from alcatel router
✓ - - -
poll_alcatel_ifmib
/ services sp router edit name flow enable missing flow tracking per source UDP port
✓ - - -
use_src_port_for_v9 enable|disable
use IPFIX exporterIPv4Address from FlowProxy for managed
/ services sp router edit name flow is_proxy ✓ - - -
router indentification
License Management
/ services sp license flexible capability show licensed deployment limits ✓ ✓ - -
import new local license file, also required on the backup
/ services sp license flexible import disk:file ✓ ✓ - -
leader.
/ services sp license flexible server enable or disable the cloud based licensing
✓ ✓ - -
cloud_licensing enable|disable
/ services sp license flexible server option configure cloud based server details, Options: port, url, … ✓ ✓ - -
/ services sp license flexible refresh manual refresh a cloud-based flexible license file ✓ ✓ - -
/ services sp license flexible clear Licensing (hidden command) (≥ 9.1)
✓ - - -
clear_all_ts|clear_llsd|clear_dmvd
Arbor Sightline – Insight
/ services sp device insight enable or disable the restriction of flow based on managed
✓ ✓ - -
limit_ingestion_mos enable|disable object.
/ services sp device insight limit_mo_set add or remove a managed object from the set of restricted
✓ ✓ - -
add|delete name managed objects.
/ services sp device insight limit_mo_set clear clear all restricted managed objects. ✓ ✓ - -
/ services sp device insight limit_mo_set show show the current set of restricted managed objects. ✓ ✓ - -
/ services sp device insight enable or disable the restriction to a set of routers.
✓ ✓ - -
limit_ingestion_routers enable|disable
/ services sp device insight limit_router_set add or remove a router from the set of restricted routers.
✓ ✓ - -
add|delete name
/ services sp device insight limit_router_set show or clear all restricted routers.
✓ ✓ - -
show|clear
/ services sp managed_objects edit name scrub any of the nested managed objects on ingestion into
✓ ✓ - -
scrub_insight_mo_match enable|disable Insight
Unique CLI Configuration Commands
/ services sp managed_objects edit name prevent double-counting traffic for external customer
✓ - - -
treat_external_as_internal Managed-Objects
/ services sp managed_objects edit name use DNS information from ISNG to match regular expressions
✓ - - -
dynamic_match regex_uris of managed objects (≥ 9.2)
check on Sightline for manual mitigations: If a CIDR is already
/ services sp mitigation tms prefix_check enable ✓ - - -
being mitigated, instead of using the TMS to check & suspend
/ services sp mitigation auto-mitigation disable check on Sightline for auto-mitigations, if a CIDR is
✓ - - -
prefix_check disable already being mitigated, rely on TMS to check & suspend
/ services sp mitigation sample_packets configure sample packets max. packets
✓ - - -
max_packets set val
/ services sp mitigation sample_packets configure sample packets max. time
✓ - - -
max_second set val
/ services sp mitigation nexthop custom IPver configure ipv4/ipv6 nexthop for blackhole
✓ - - -
add name ip ip

Page 20 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
/ services sp mitigation nexthop custom IPver
delete name
/ services sp mitigation tms edit_locked
enable|disable
/ services sp mitigation tms flowspec
log_all_changes enable|disable
/ services sp mitigation auto-mitigation
exclude_prefix v4|v6 set prefix-list
/ services sp auto-config irr ip_address set ip
/ services sp data mft alert_dbsize set value
/ services sp data mft alert_age set value
/ services sp preferences whois add ip
/ services sp preferences
hide_sensitive_information mitigation
enable|disable
/ services sp preferences
hide_sensitive_information mitigation
prompt_for_redaction enable|disable
/ services sp preferences
flowspec_required_fields dst_prefix|src_prefix
enable|disable
/ services sp remote_services atf import
disk:filename
/ services sp remote_services aif server set ip
/ services sp alerts system_errors type
notifications enable
/ services sp notification smtp port set port
/ services sp notification webhooks option
/ services aaa groups default set account-group
/ services sp device edit name metrics type set
value
/ services sp tms
mitigation_return_retry_interval set minutes
/ services tms registry main|mitigation pending
/ services tms registry main set logger
default_local_logging_enable = 1
/ services tms registry main set interface GID
lacp_fast_timer = 1
/ services tms registry main set patch_panel
GID promiscuous = 1
/ services tms registry main set interface GID
static_arp a.b.c.d = 00:07:07:07:07:07
/ services tms registry main set status
suppress_alerts nexthop = "interface:a.b.c.d"
/ services tms deployment fec enable int
/ system hardware fec enable int
Cloud Signaling
/ services sp mitigation filter delete filtername
Managing Wizard Reports
/ services sp reports custom find_old
CONFIDENTIAL & PROPRIETARY
delete ipv4/ipv6 nexthop for blackhole
✓ - - -
lock mitigation settings for non-scoped Sightline users on
✓ - - -
mitigation configuration page, enabled by default
log all changes to flowspec filter announcements to local
✓ - - -
syslog for auditing reasons (≥9.3.5)
Comma-seperated list of IP prefixes that should never be
✓ - - -
auto-mitigated (≥9.5.0.0)
change Internet Routing Registry server IP ✓ - - -
limit MFT alert data collection based on alert length in Mbytes ✓ - - -
limit MFT alert data collection based on alert length in days ✓ - - -
add a Whois resolution server ✓ - - -
hide sensitive information from managed service users on
TMS Mitigation Status page, this includes template name, ✓ - - -
Managed Object name, TMS group, annotations, … (≥9.3.5)
enable redaction prompt which is displayed for non-managed
services users when they share the TMS Mitigation Status ✓ - - -
page as a PDF or email. (≥9.3.5)
require or not require a source or destination prefix entered
when starting a flowspec mitigation, when disabled the ✓ - - -
system uses as source 0.0.0.0/0 or ::/0 (≥9.5.0.0)
import AIF signatures manually
✓ - - -
configure the AIF server ip address ✓ - - -
enable event forwarding for system errors.
✓ - - -
Type: cpu_load, disk_space, …
configure port for smtp communication ✓ - - -
configure Webhook settings. Options: retry_count_limit,
✓ - - -
retry_count_max, retry_seconds_limit, retry_seconds_max
change the default TACACS+/Radius user group, will be use
✓ - - -
when none is provided
configure metrics for appliance health monitoring. Type:
✓ - - -
bgp_routes, managed_objects_matched_per_flow, …
mitigation orchestration return time (≥ 9.0)
✓ - - -
Show pending configuration updates - - - ✓
log blocked host to file blocked_hosts.log - - - ✓
enable LACP fast timers for an interface - - - ✓
enable promiscuous mode on physical interface of a TMS - - - ✓
appliance
configure a static ARP entry for the mitigation interfaces - - - ✓
suppress alerts for next-hop unreachable alerts for a specific - - - ✓
interface and next-hop IP
enable Forward Error Correction on HD1000 interface -
- - ✓
(100GE) (≤ 9.1)
enable Forward Error Correction on HD1000 interface -
- - ✓
(100GE) (≥ 9.2)
delete a filter list synchronized via Cloud Signaling after the
✓ - - -
APS or AED has been removed
find orphaned Wizard report none-leader (≥ 8.2) - ✓ - -
Page 21
 The Pocket Guide
/ services sp reports custom find_old copy all|id copy orphaned Wizard report to leader (≥ 8.2) - ✓ - -
/ services sp reports custom check check for reports with missing definitions (≥ 8.2) ✓ - - -
REST API Details
https://sp-hostname/api/sp/vx/ URL Rest API end point (see REST Version Matrix for details) ✓ - - -
https://sp-hostname/api/sp/doc/index.html Online REST API documentation ✓ - - -

Troubleshooting
/ traceroute, traceroute6 trace route to IPv4 / IPv6 host through MGT interfaces - ✓ ✓ ✓
/ ping, ping6 ping a IPv4 / IPv6 host through MGT interfaces - ✓ ✓ ✓
/ ip interface snoop interface filter watch traffic on local interface. filter: PCAP expression - ✓ ✓ ✓
create diagnostics package. Please provide in case of a -
/ system diagnostics ✓ ✓ ✓
support ticket with ATAC.
/ system disk show see the disk utilization and the RAID status - ✓ ✓ ✓
/ system disk expand expand disk size, only supported for sda4 file systems - ✓ ✓ -
/ services logging view syslog options view system internal syslog messages - ✓ ✓ ✓
/ services logging export syslog dst copy syslog logging file to local disk or scp destination (≥ 9.2) - ✓ ✓ -
/ services logging remote set host prot port send syslog messages to remote host via tcp|udp (≥ 9.2) - ✓ ✓ ✓
/ services sp iprep classification show show AIF Threat Indicator details (≥9.3) ✓ - - -
/ services sp data database resync resync the global database between UI devices, the Sightline - ✓ - -
service must be stopped (≥ 8.2)
/ services sp analyze pcap disk:file generate RegEX expression from uploaded pcap file (≥ 9.2) ✓ - - -
/ services sp deployment [disk:filename] gather deployment overview, output can also be written to file
✓ - - -
on internal flash-disk.
/ services sp data flow view int ip records view flow information received through an interface.
ip: all or IP-Address of one router ✓ - - -
records: all records or first record only
/ services sp data snmp view ip comm oid test SNMPv2 query towards router
ip: address of the router
✓ - - -
comm: snmp community
oid: specific OID, else use ‘system’
/ services sp alerts system_errors show show configured handling of system errors detected ✓ - - -
generate a test notification
type: email, email_xml, snmp, syslog,
/ services sp notification test type destination ✓ - - -
webhook (≥ 9.2)
destination: default or an explicit group
/ services sp backup failover activate switch manually to a backup leader - ✓ - -
/ services sp portal soap age set days threshold when SOAP log entries will be auto deleted ✓ - - -
/ services sp portal login_page clear custom login page to be set back to default ✓ ✓ - -
/ services sp device edit name arf set on|off enable or disable ARF (fcap matching) binning ✓ - - -
/ services sp device zone_secret show see the configured zone secret in clear text (hidden
✓ ✓ ✓ -
commands command)
/ services sp mitigation tms learning end_all stop all running learning mitigations ✓ - - -
/ services sp mitigation tms stop name stop a running mitigation by it’s name ✓ - - -
/ services sp certificate show check validity period of installed certificate ✓ - - -
/ reload reboot the appliance ✓ ✓ ✓ ✓
/ reload [hard] reboot the TMS appliance, [hard] = with full power cycle - - - ✓
/ services tms firmware upgrade start firmware upgrade (≤ 9.1) - - - ✓
/ system hardware firmware start firmware upgrade (≥ 9.2) - - - ✓
/ services tms tms-ping ipv4|ipv6 addr intf ping from a mitigation interface with src interface - - - ✓
/ services tms tms-traceroute ipv4|ipv6 addr intf traceroute from a mitigation interface with src interface - - - ✓

Page 22 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Mitigation: TMS & APS/AED - FCAP Traffic Filtering

Actions
drop <expression> drop traffic matching condition, default behavior if not specified
pass <expression> allow (aka trusting), exempt traffic from all other countermeasures
Traffic not matching any of the above FCAP actions will be sent to the next enabled countermeasure.

Filter Elements
[src|dst] (host|net) <address> matches a host as IP source, destination or either address
[src|dst] <address>/<mask> matches a host as IP source, destination or either address
(proto|protocol) <name> matches IP protocol by name
(proto|protocol) <number> matches IP protocol by number
(proto|protocol) <number>..<number> matches IP protocol by a range of numbers
[src|dst] port <name> matches TCP or UDP packets send to/from or either by name
[src|dst] port <number> matches TCP or UDP packets send to/from or either by number
[src|dst] port <number>..<number> matches TCP or UDP packets send to/from or either by range
(tflags|tcpflags) <tcp-flags> matches TCP packet on included TCP Flags
(bytes|bpp) <size> matches packet equal to length
(bytes|bpp) <size>..<size> matches packet within range of length
icmptype <icmptype> matches ICMP packets based on message type
icmpcode <number> matches ICMP packets based on message code
tos <value> matches IP packets based on Type of Service setting
ttl <value> matches IP packets based on their included TTL value
frag matches IP packets that are fragments
(not|!) (proto|port|bpp|icmp…) negate adjacent element. Not supported for IP addresses
[and|or] often used with brackets to nest individual expressions

ICMP Type/Code TCP Flags

icmp-echoreply 0/0 icmp-echo 8/0 S SYN Synchronize
icmp-redirect 5/0-3 icmp-unreach 3/0-15 A ACK Acknowledgement
icmp-tstamp 13/0 icmp-tstampreply 14/0 F FIN Final
icmp-timxceed 15/0 icmp-ireqreply 16/0 R RST Reset
icmp-routeradvert 11/0 icmp-reastimxceed 11/1 P PUSH Push
icmp-sourcequench 9/0 icmp-fragneed 3/4 U URG Urgent
icmp-paramprob 4/0 or any type/code combination W CWR Congestion Window Reduced
ECN-Echo (Explicit Congestion
Traffic Filtering Concept E ECE
Notification - Echo)

CONFIDENTIAL & PROPRIETARY Page 23

 The Pocket Guide

All examples provided should first be tested in inactive mode, even if they are
normally used without further constraints. However, it is possible that your valid
traffic requires adjustments to prevent over blocking.

Filter Examples
drop 0.0.0.0/0 discard all traffic
drop proto udp and not dst port 53 discard all UDP except for dst port 53
drop src host 10.1.1.1 and dst 192.168.2.1/32 discard traffic from host 10.1.1.1 toward host 192.168.2.1
drop not (proto icmp or proto tcp) discard all IP protocols except ICMP and TCP
discard all ICMP packets with a size between 200 and 2000
drop proto icmp and bytes 200..2000
bytes
drop proto tcp and not (src port 1024..65535 and (dst port 80 or dst discard all TCP except when the source port is within 1024
port 443)) to 65535 and the destination port is either 80 or 443
discard ICMP except for “fragmentation needed and DF set”
drop proto icmp and not ((icmptype 3 and icmpcode 4) or
used by Path MTU Discovery and “Fragment Reassembly
(icmptype 11 and icmpcode 1))
Time Exceeded”
drop proto udp and port 123 and not bpp 76 discard NTP packets that are not 76 bytes (NTP Response)
discard TCP except when source port is within 1024 to
drop proto tcp and not ((src port 1024..65535 and dst port 25) or 65535 and the destination is 25 or when the source port is
(src port 25 and dst port 1024..65535)) 25 and the destination is within 1024 to 65535, therefore
allowing inbound and outbound SMTP connections.
drop proto tcp and dst port 80 and tflags S/S discard TCP packet when the SYN flag is present
drop proto tcp and dst port 80 and tflags /S discard TCP packet when the SYN flag is not present
drop proto tcp and dst port 80 and tflags S/SAFRPUEW discard TCP packet when the SYN flag is the only flag set
Example: Web Server (HTTP and HTTPS)
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 80) or (src port 1024..65535 and dst port 443))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Authoritative DNS server
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Recursive DNS server
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: SMTP MTA
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst port 1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

Page 24 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
Example: Protecting a Black Box (Update where appropriate!)

# explicit approve critical infrastructure communication

pass src host x.x.x.x and proto tcp and port 179

# drop non-legitimate source addresses

drop src net 0.0.0.0/8
drop src net 10.0.0.0/8
drop src net 127.0.0.0/8
drop src net 172.16.0.0/12
drop src net 192.168.0.0/16
drop src net 240.0.0.0/4
drop src net 224.0.0.0/4

# drop your own prefixes if these are not expected to be seen coming via the internet
drop src net [your own prefix(es)]

# drop traffic from protocols normaly not needed

drop not (proto udp or proto tcp or proto esp or proto icmp or proto gre or proto ipv6)

# drop traffic often used in DDOS volumetric attacks

drop proto icmp and bytes 200..2000
drop proto udp and port 19
drop proto udp and port 69
drop proto udp and port 111
drop proto udp and (src port 123 or dst port 123) and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)
drop proto udp and (port 137 or port 138)
drop proto udp and (port 161 or port 162)
drop proto udp and port 389
drop proto udp and port 520
drop proto udp and port 1434
drop proto udp and port 1701
drop proto udp and port 1900
drop proto udp and port 3283
drop proto udp and port 3702
drop proto udp and port 5353
drop proto udp and port 11211 and bpp 1420

# drop traffic normally not used via the internet, stop scanning…
drop proto tcp and dst port 23
drop proto tcp and dst port 445

# drop DNS queries, if there is no DNS service running on the protected host!
drop proto udp and dst port 53 !
# drop DNS replies, if there is no external DNS resolution done by the protected host!
drop proto udp and src port 53
!

CONFIDENTIAL & PROPRIETARY Page 25

 The Pocket Guide

Mitigate Fragmented Attack Traffic – Fragments reported as src and dst port 0

The TMS reassembles fragmented packets if they are complete sets before evaluating them against
active countermeasures. However, UDP amplification attacks causing congestion are likely to result
in complete sets. After reassembling a packet from a complete set of fragments, the TMS identifies
the source and destination ports and displays them in the sample packets window.

The Sample Packets Shown section shows actually a UDP packet with a size of 15000 bytes, which was
initially broken into 10 fragments (assuming a MTU of 1500 bytes). It also highlights that the packet
was actually forwarded.

The frag keyword match fragmented packets to be reassembled, with can be used in an FCAP
expression like the one below entered into the Black/White (Deny/Allow) Lists countermeasure.

If the mentioned FCAP filter is applied, we can now see that the previously forwarded traffic is now
dropped by the TMS.

Page 26 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Mitigation: TMS & APS/AED – Regular Expression

Anchors Notations
start of string or ^arbor matches arbor123 but not 123arbor Italics Regular
^
line-based: start of any line expression
end of string or arbor$ matches 123arbor but not arbor123 text Matching text
$
line-based: end of any line
\b word boundary \barbor\b matches arbor but not arbor123 text Alt matching
\B not word boundary \barbor\B matches arbor123 but not arbor or 12arbor12 text
\Barbor\B matches 123arbor123 but not 123arbor
Character Classes Metacharacters*
\c control character (Ctrl+x) \cC matches CTRL-C ^ $ [ ]
\s white space (“ “) arbor\s123 matches arbor 123 but not arbor123 { } ( )
\S not white space, not (“ “) arbor\S123 matches arbors123 but not arbor 123 \ . * +
\d digit [0-9] arbor\d matches arbor1, arbor2 but not 1arbor ? < >
\D not digit, not [0-9] \Darbor matches aarbor but not 1arbor *must be escaped with “\”

\w word[A-Za-z0-9_] \warbor matches 1arbor, aarbor, 12345arbor but not Logical OR

arbor or @arbor | logical or
\W not word, not [A-Za-z0-9_] \Warbor matches @arbor but not 1arbor or aarbor (.*\.com|.*\.net) matches
\xhh hexadecimal character hh \x00\xFF matches hex char 00FF arbor.com or arbor.net
Quantifiers
* 0 or more arbo* matches arbor, arboooor, arbr, arb but not rbo Special Characters (hex)
*? 0 or more, ungreedy arbo*? matches arbor, arboooor, arbr, arb but not rbo \ escape character
+ 1 or more arbo+ matches arbor, arboooor but not arbr \n new line (0A)
+? 1 or more, ungreedy arbo+? matches arbor, arboooor but not arbr \r carriage return (0D)
? 0 or 1 arbo? matches arbor, arbooor, arbr but not rbor or aror \t tab (09)
?? 0 or 1, ungreedy arbo?? matches arbor, arbooor, arbr but not rbor or aror \f form feed (0C)
{3} exactly 3 a{3} matches aaarbor but not aaaarbor \a alarm BEL char (07)
{3,} 3 or more a{3,} matches aaarbor, aaaaaaaaarbor but not aarbor [\b] backspace
{3,5} 3,4 or 5 a{3,5} matches aaarbor, aaaarbor, aaaaarbor, \e escape
aaarboraaa but not aarbor
{3,5}? 3,4,5, ungreedy a{3,5}? matches aaarbor, aaaarbor, aaaaarbor but not aarbor
Ranges Literal Text Span
. any char except \n (hex \x0a) a. matches arbor and azbor but not a \Q Begin literal string
(a|b) A or b (a|z) matches arbor, arboz but not brbor \E End literal string
(…) group of chars (arb) matches arbor, arborarb but not aror Escapes metacharacters
[abc] range, a or b or c [abc] matches arbor, aabbcc but not dddd between \Q and \E
[^abc] range, not a or b or c [^abc] matches dddd, arbor but not abc \QGET /cgi/page.cgi?id=1\E
[a-z] lowercase letter between a and z [a-z] matches arbor but not ARBOR or
[^a-z] not lowercase letter between a and z [^a-z] matches ARBOR, 1234 but not arbor GET \/cgi\/page\.cgi\?id=1
[A-Z] uppercase letter between A and Z [A-Z] matches ARBOR but not arbor
[^A-Z] not uppercase letter between A and Z [^A-Z] matches arbor, 1234 but not ARBOR
[0-9] digit between 0 and 9 [0-9] matches 1234 but not arbor
[^0-9] not digit between 0 and 9 [^0-9] matches ARBOR, arbor but not 1234
Pattern Modifiers Important Notes
(?mod) turns on modifier for rest of expression HTTP and payload regex are case sensitive (TMS ≥ 8.0)
(?-mod) turns off modifier for rest of expression DNS regex is case insensitive (TMS ≥8.0)
(?mod:<expression>) turns on modifier for expression in <...> Back references not supported
(?-mod:<expression>) turns off modifier for expression in <...> Assertions not supported
(?i) case insensitive \p {xx}, \P {xx}, \C, \R, \K not supported
(?-i) case sensitive Logical AND is not supported
(?# comment) adds comment
(?m) multiline match
(?s) single line match

CONFIDENTIAL & PROPRIETARY Page 27

 The Pocket Guide
Payload Regular Expression
Payload regular expressions treat the payload as a single input string. Payload regular expression can match on hex (\x77\x77\x77)
characters, ASCII (www) characters or a combination of the two (\x77w\x77).
Multiline and single line pattern modifiers can be used in payload regular expressions. (m?) Changes the behaviour of ^ and $ to match
next to newlines within the input string. ^ matches after any newline. $ matches before any newline. (?s) Changes the behaviour of . (dot)
to match all characters, including newlines, within the input string.
41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a Accept: */*\r\n ^\x41.*\x2f\x2a\x0d$ fails; (?m)^\x41.*\x2f\x2a\x0d$ succeeds
48 6f 73 74 3a 20 31 2e 31 2e 31 2e 31 0d 0a Host: 1.1.1.1\r\n \x41\x63.*\x48\x6f fails; (?s)\x41\x63.*\x48\x6f succeeds
In DNS queries, the Byte right before each label indicates the length of the label. \x03 indicates that the next label is 3 Bytes long.
A domain query for www.arbornetworks.com would be \x03www\x0darbornetworks\x03com. 10 Byte labels are preceded by \x0a and 13
Byte labels are preceded by \x0d. Be aware that in plain text \x0a and \x0d are \n (newline) and \r (carriage return) respectively. These two
characters are treated differently in regular expressions. Be sure to use the proper hex values for the field length fields or use (?s) single
line pattern modifier to allow “.” to match a newline. (?s)www.arbornetworks.com
DNS attack to mail.arbornetworks.com => \x04mail\x0darbornetworks\x03com or (?s)mail.arbornetworks.com
HTTP attack to www.arbornetworks.com => www\x2earbornetworks\x2ecom or \x77\x77\x77\x2earbornetworks\x2e\x63\x6f\x6d
DNS reflection attacks typically use Type=ANY, where the type field is “00ff” for ANY. Mitigate with domain\x03com\x00\x00\xff
Common DNS Type fields: A \x01, AAAA \x1c, PTR \x0c, MX \x0f, SOA \x06, NS \x02, TXT \x10

HTTP Header Regular Expression

HTTP header regular expressions treat each line of the HTTP header as a unique string. Each regular expression in the HTTP header regex is
applied to each HTTP header. If any of the regular expressions match any of the headers, then the packet matches and the appropriate
action is taken. HTTP headers are divided along the boundary of \r\n and exclude \r\n in the header string.
Regular expression spanning multiple headers across the \r\n boundary will not match.
HTTP headers should follow case sensitive canonical format of: Camel-Back: value
Deviations may indicate malware: Camel-Back:value or
Camel-Back: value or
Camel-back: value or
CAMEL-BACK: value or
Camel -Back: value
Common HTTP headers and approximate percent of legitimate requests containing each case sensitive header:
Host: 99,9% Accept-Language: 87,5% Via: 16,2% If-None-Match: 6,9% X-NovINet: 1,9% DNT: 0,6%
User-Agent: 97,9% Referer: 78,2% UA-CPU: 14,8% Content-Length: 5,0% Range: 1,3% From: 0,4%
Connection: 97,7% Cookie: 42,3% If-Modified-Since: 13,4% x-flash-version: 4,9% CUDA_CLIIP: 1,1%
All others
Accept: 93,8% Accept-Charset: 35,3% X-IMForwards: 12,9% Content-Type: 4,5% X-Forwarded-For: 0,9%
less than 0,5%
Accept-Encoding: 90,4% Keep-Alive: 25,1% Cache-Control: 10,5% Pragma: 2,3% X-Dropbox-Locale: 0,7%
Examples: 1) GET flood to /page.cgi?id=dosme HTTP/1.1 ^\/page\.cgi\?id\=dosme HTTP\/1\.1$
2) GET flood to Host: www.domain.com ^Host: www\.domain\.com$ or ^\QHost: www.domain.com\E$
3) Incorrect capitalization of User-Agent: (?-i)^User-agent or (?-i)^User-Agent

DNS Regular Expression

DNS regular expressions treat the Name field of the DNS packet as a unique string. Each DNS regular expression is applied to the Name field
for each DNS packet. If any of the regular expressions match the Name field in a DNS packet, it is a match, and the appropriate action is
taken.
Examples: 1) Query flood to www.arbornetworks.com www\.arbornetworks\.com or w{3}\.arbornetworks\.com
2) Random 8-character dictionary attack to domain.com [A-Za-z0-9_]{8}\.domain\.com
3) Attack to mail and smtp.domain.com (mail|smtp)\.domain\.com

Page 28 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
Mitigation: TMS – Packet Header Filtering
Basic Rules
• max 1024 characters long (including spaces)
• all text must be lower case
• leading and trailing spaces are optional, but they are required for operators that use text characters such as ‘gt’
• ip.frag_offset + ip.flags.mf not supported because packet fragments are reassembled before countermeasures are invoked
Type Operator Allowed Formats
AND and &&
Boolean OR or ||
NOT not !
equal to eq ==
not equal to ne !=
greater than gt >
Comparison
less than lt <
greater than or equal to ge >=
less than or equal to le <=
Bitwise Bitwise and bitwise_and &

Filter Elements
IP Filters ICMP Filters TCP Filters UDP Filters
ip icmp tcp udp
ip.hdr_len icmp.checksum tcp.option_kind udp.checksum
ip.len icmp.code tcp.checksum udp.dstport
ip.version icmp.type tcp.dstport udp.length
ip.addr + (IP or CIDR) tcp.flags udp.port
ip.dsfield tcp.flags.{ack|push|reset|syn|fin|cwr|ecn|ns|urg} udp.srcport
ip.dsfield.{dscp|ecn} tcp.hdr_len
ip.dst + (IP or CIDR) tcp.options.{sack_perm|mss_val}
ip.flags tcp.port
ip.flags.{df|rb} tcp.srcport
ip.proto tcp.window_size_value
ip.src + (IP or CIDR)
ip.ttl

Example
tcp.window_size_value > 10000 and TCP window size is greater than 10.000 and TCP selective
tcp.options.sack_perm && tcp.options.mss_val ge 1450 acknowledgement is enabled and TCP MSS value is greater
and not tcp.port & 1 than or equal to 1450 bytes and the TCP port (bitwise verified)
is not 1, aka is not ‘an uneven port number’.
Release ≥9.5.0.0
The syntax in the Packet Header Filtering countermeasure for the ip.flags field has changed. The new
syntax matches the syntax that Wireshark uses. Although the ip.flags field is a 3-bit field, Wireshark treats
it as a full byte. The Packet Header Filtering countermeasure previously treated ip.flags as a 3-bit field, but
now also treats it as a full byte.

Match previous syntax new syntax

ip.flags & 2 ip.flags & 0x40
Don't Fragment (DF)
ip.flags == 2 ip.flags == 0x40

CONFIDENTIAL & PROPRIETARY Page 29

 The Pocket Guide

Filter Element Examples

IPv4 Header

TCP Header

UDP Header

ICMP Header

Page 30 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Mitigation: Other Types – BGP Flow Specification

Extended Communities
Extended Community Action Type Encoding Notes Sightline TMS
TMS: Blacklist
traffic-rate drop or Police 0x8006 2-byte as + 4-byte rate-shaper   8.1
offload only
traffic-VRF Redirect by RT (ASN) 0x8008 2-byte AS, 4-byte Value 1234:5678  
redirect IPv4 Redirect by RT (IPv4) 0x8108 4-byte IPv4 Address, 2-byte Value 1.2.3.4:5678  8.1 
redirect AS Redirect by RT (ASN) 0x8208 4-byte AS, 2-byte Value 1.2.3.4L:5678  8.1 
6-bytes Simpson draft
redirect-IP Redirect to IP nexthop 0x0800  8.1 
(all bits 0, last bit = C [copy bit]) used by Cisco
5 zero bytes, DSCP encoded in 6
traffic-marking set DSCP 0x8009  9.1 
least significant bits of 6th byte

Sightline Mitigation
To filter using the destination prefix, type the destination CIDR block
to match. Only one CIDR block is allowed in this field.

To filter using protocol numbers type the protocol numbers or

ranges to match. Example: 6 or 10-20

To filter using the source prefix, type the source CIDR block to
match. Only one CIDR block is allowed in this field.

To filter using the source port, type the source port number or range
to match. Example: 32768-49151,49159-65535

To filter using the destination port, type the destination port number
or range to match. Example: 80

To filter using the ICMP type or code, type the ICMP type or code
values or ranges in the appropriate fields: Example: 3,16-255

To filter using TCP flags, type the TCP flag numbers to match. The
common flag numbers are 1=fin, 2=syn, 4=rst, 8=psh, 16=ack,
32=urg, 64=ece, and 128=cwr. Example: 18 (SYN/ACK)

To filter on packet lengths, type the packet lengths or ranges to

match. Example: 1501-65535

To filter on packet DSCP (0-63), type the DSCP number or range.

To filter using a fragmentation bitmask, type an integer that

indicates the fragmentation bitmask value.
1 = Don't fragment 2 = Is a fragment
4 = First fragment 8 = Last fragment

discard default, BGP Type 0x8006 [ASN, Rate:0]

traffic-rate bits per second, BGP Type 0x8006 [ASN, Rate:>0]
traffic-marking DSCP value, BGP Type 0x9006

CONFIDENTIAL & PROPRIETARY Page 31

 The Pocket Guide

AED Countermeasure Sequence

Per Packet Sequence

Page 32 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Event Driven Sequence

CONFIDENTIAL & PROPRIETARY Page 33

 The Pocket Guide

Sightline - REST API Matrix

The Arbor Sightline REST API is updated on a regular basis, which results in version changes and
deprecation of existing API functionality.

Release & REST API Version

Status 1 2 3 4 5 6 7 8 9
8.2 EOS ✓ ✓ X X X X X X X
8.3 EOS ✓ ✓ ✓ X X X X X X
8.4 EOM ✓ ✓ ✓ ✓ X X X X X
9.0 EOM ✓ ✓ ✓ ✓ ✓ X X X X
9.1 GA ✓ ✓ ✓ ✓ ✓ ✓ X X X
9.2 GA ✓ ✓ ✓ ✓ ✓ ✓ ✓ X X
9.3 GA ✓ ✓ ✓ ✓ ✓ ✓ ✓ X X
9.3.5 GA X X X ✓ ✓ ✓ ✓ ✓ X
9.4.0.0 GA X X X ✓ ✓ ✓ ✓ ✓ ✓
9.5.0.0 GA X X X X ✓ ✓ ✓ ✓ ✓

The Sightline REST API output is in the JSON API format. The responses use return links to refer to
other resources and support pagination. When you make a request to the REST API, you can
specify which API version to use., to use the version 3 alerts endpoint:
https://sightline.example.com/api/sp/v3/alerts/

If a request contains no version information, it defaults to the latest version. In most cases, the
Sightline REST API keeps the full functionality of still-supported previous versions. However, there
could be a situation where an older endpoint provides only partial functionality or is removed
entirely. More information can be found in the Arbor Sightline and TMS API Guide for the used
software release.

ArbOS - REST API Matrix

The ArbOS REST API allows an authorized user to perform administrative tasks such as rebooting
the device, stopping services, and installing software packages. The ArbOS REST API is updated on
a regular basis, which results in version changes and deprecation of existing API functionality .

REST API Release & Status

Version 9.3.5 GA 9.4.0.0 GA 9.5.0.0 GA
1 ✓ ✓ ✓
2 X ✓ ✓

Sightline & TMS - BGP Signaling Capabilities

Route Announce FlowSpec FlowSpec Diversion FlowSpec
Device

analytics Mitigation Filter BLO

Route
IPv4 IPv6 VPNv4 IPv4 IPv6 IPv4 IPv6 IPv4 VPNv4 IPv6 VPNv6 IPv4 IPv6
TRA ✓ ✓ ✓ ✓ ✓ ✓ ✓* ✓ ✓** ✓ ✓** X X
TMS X X X ✓ ✓ X X X X X X ✓ ✓
min. Release: 9.1*, 9.2**

Page 34 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide

Sightline Alert Search Keywords

Attribute Supported keyword and values Examples
resource • resource:managed-object, fingerprint, and/or ➢ resource:object3,service123
(a service, fingerprint, or service name ➢ mo:object1
managed object) • mo:managed object-name ➢ service:new_serv1
• fingerprint:fingerprint-name
• service:service-name

The resource keyword searches for alerts that involve

services, fingerprints, and managed objects. This search is
case-insensitive, and Sightline matches on partial resources.
router name • ro:router-name ➢ router:789xyz
• router:router-name ➢ ro:router123
➢ router:routerabc
device name • appliance:appliance-name ➢ appliance:app123
• collector:appliance-name ➢ collector:my_appliance
• device:appliance-name ➢ device:example_device
Each keyword returns the same search results. Collector
returns all devices with the entered appliance name, even
they are not collectors.
alert ID • ID ➢ 12345
• alert_id:ID ➢ alert_id:23456
alert class • ac:alert-class ➢ ac:TMS
• alert_class:alert-class ➢ alert_class:TMS
Alert-Classes: BGP, Cloud Signaling, Data, DOS, System Error,
System Event, TMS and Traffic
severity level • severity ➢ low
• sev:severity ➢ sev:low
• severity:severity ➢ severity:high,low
alert type • alert type ➢ BGP Trap”
• at:alert-type ➢ at:“BGP Trap”
• alert_type:alert-type ➢ alert_type:“BGP Trap”
Alert-Types: BGP Down, BGP Instability, Cloud Signaling Fault,
Cloud Signaling Mitigation Request, DOS, Flow Down, GRE Down,
Hardware Failure, Interface Usage, License Alert, Managed Object
Threshold, SNMP Down, TMS Fault, …
alert status • alert-status ➢ ongoing
• sts:alert-status ➢ sts:recent
• status:alert-status ➢ status:all
Status: all, ongoing, recent, ended, stopped, done or completed
classification • classification:classification ➢ classification:“No Attack”
• ax:classification ➢ ax:“network failure”
Classifications: False Positive, Flash Crowd, Network Failure,
Possible Attack, Trivial, Verified Attack
annotation • annotation ➢ Critical
• ann:annotation ➢ ann:Critical
• alert_annotation:annotation ➢ alert_annotation:Critical
• comment:annotation ➢ comment:”this is critical”
prefix • prefix:CIDR block ➢ prefix:10.0.0.0/8
➢ prefix:0.0.0.0/0 < all IPv4 Alerts
➢ prefix:0::0/0 < all IPv6 Alerts

CONFIDENTIAL & PROPRIETARY Page 35

 The Pocket Guide

Personal Notes:

Page 36 CONFIDENTIAL & PROPRIETARY

The Pocket Guide

Personal Notes:

CONFIDENTIAL & PROPRIETARY Page 37

 The Pocket Guide

Personal Notes:

Page 38 CONFIDENTIAL & PROPRIETARY

 The Pocket Guide
Arbor Cloud Details
Unlimited
Type 1 Mitigation 6 Mitigations Always On Flow Monitoring
Mitigations
CLD-ENT- CLD-EN- CLD-EN-
Enterprise not available CLD-ENT-ESS+-*
CONNECT-* ALWAYS-ON-* FLOWDETECT-*
Service
not available CLD-SP-DDOS CLD-SP-CT*G-OP* not available not available
Providers

Arbor Cloud Options

Option Enterprise Service Provider
Additional/Redu. GRE Location CLD-DDOS-BGP-LOCATION* CLD-DDOS-BGP-LOCATION*
Additional Mitigations CLD-EN-CONNECT-*-MIT CLD-SP-DDOS-ADDITIONAL-MIT*
Sightline Signaling SVC-IMP-SPCS SVC-IMP-SPCS
Additional Hosts CLD-EN-DDOS-DNS-HOSTS* not applicable
SSL Inspection CLD-DDOS-DNS-SSL not applicable
Additional Clean Traffic CLD-ENT-ESS+-ADDL-1G CLD-1G-ADDL
CLD-ECX-DIRECT-CNCT-SETUP CLD-ECX-DIRECT-CNCT-SETUP
Physical Direct Connect
CLD-ECX-DIRECT-CNCT-10G CLDECX-DIRECT-CNCT-10G
Direct Connect via ECX CLD-ECX-L2CONN-* CLD-ECX-L2CONN-*
Managed APS/AED SVC-APS-DDOS-MANAGED-1 not applicable
Managed Sightline/TMS Contact your Account Team Contact your Account Team

Arbor Cloud Configuration Options (all available for free)

APS/AED Cloud Signaling
Automitigation*
Route Triggered Mitigation*
Route Suppression*
BGP Traffic Engineering*
To be noted in provisioning worksheet.
Ability to automatically start mitigations upon APS/AED Cloud Signaling, Sightline
Signaling or other mechanisms.
Ability to use BGP to trigger traffic diversion.
Cannot be used in conjunction with Route Suppression.
Ability to receive the protected prefix via BGP to automatically withdraw it.
Cannot be used in conjunction with Route Triggered Mitigation.
Ability to use BGP to dynamically advertise current location of protected prefixes.
* Must be raised to Account Team & SOC at pre-sale time

CONFIDENTIAL & PROPRIETARY Page 39

 The Pocket Guide

Contacts
CORPORATE HEADQUARTER
NETSCOUT
310 Littleton Road
Westford, MA 01886-4105, USA

 +1 978-614-4000 SCAN ME
 +1 888-357-7667 (Toll-free)
 [email protected]

www.NETSCOUT.com/arbor-ddos
Arbor Cloud
 +1 844-END-DDoS|  +1 734-794-5099
Portal: https://config.arborcloud.netscout.com/
mail: [email protected]

Arbor Technical Assistance Center

 +1 781-362-4301 |  +1 877-272-6721
Customers: https://arbor.custhelp.com/
Partners: https://partnercenter.arbornetworks.com/

Stay up-to-date

Copyright © 2022 NETSCOUT Systems, Inc. All Rights Reserved.

3.2201.01

CONFIDENTIAL & PROPRIETARY