NE - 11 - Application Layer Attacks

The document describes monitoring an AED for indicators of application layer DDoS attacks. It provides steps to view attack indicators, use AED protections to block attacks, and monitor mitigation effectiveness. The lab involves observing four simulated attacks and taking appropriate actions to defeat each attack.

15/9/22, 15:53 NE | 11 - Application Layer Attacks

AED Training
Application Layer Attacks
Overview
Description

In this lab you will view indicators of application layer attacks and you will use AED protections to
mitigate that type of misuse traffic.

Objectives

After completing this lab exercise, you will be able to:


View indicators of application layer based DDoS attacks.

Use your AED protections to block that misuse traffic.


Monitor the effectiveness of your mitigation.

Estimated Completion Time

The estimated completion time for this lab is 45 minutes.

Lab Topology

Please ensure you read each step carefully before performing the required task in the order described.

If you are asked for your [POD] number in this lab, use the number that is part of your NE
username.

Example: Username NE312 <=> [POD] = 312

Monitoring AED Indicators for a DDoS Attack


Now that your AED's protection settings are updated and optimized for your network, you will monitor for
indicators of DDoS attacks. Once a DDoS attack is suspected and confirmed, you will take action to block
that attack.

1. Skip to Step 3 if a tab to the AED web UI is open. If not, then from your NETSCOUT Experience user
dashboard click on the AED link to open a new tab to the web UI.

2. Login to your AED web UI with your NETSCOUT Experience user credentials.
Username: NE102
Password: Kinemumo4^

https://portal.ne.netscout.com/dashboard/lab_guide/447/45085/

or

Username: admin
Password: Welcome123!

3. Go to the AED's Summary page: click either the NETSCOUT | Arbor Edge Defense logo or
the Summary menu item; either option will load the Summary page.

4. Ensure that the Deployment Mode on your AED is set to Active and the Protection Level is set
to Low (globally and for every PG).

5. Ask the instructor to start the first attack towards your network.

6. Review the indicators of your AED for any DDoS attack, recall that you can:

Review Summary page for attack indicators.

View the Protection Group Page under attack, click on link PG name or go to Protect > Inbound
Protection > Protection Groups.

View Blocked Host log if/where appropriate, Explore > Blocked Hosts
View Packet Capture if needed, Explore > Packet Capture.

Check the status of the ArborTrade server.

It may take 3-5 minutes for the server to fail and become unresponsive.

Identify an action or protection that should mitigate the attack.

Record the attack details and your observations here:

Were you successful mitigating the attack? If so, provide your details.

If you were not successful, have a look to the Solution button below:

Check Solution

Based on how you chose to mitigate this attack, you might suspect that you have blocked
yourself from accessing the ArborTrade server, a so-called "false positive".

Check Explore > Blocked hosts for source IP address 192.168.100.2.

If 192.168.100.2 is listed in the Blocked Hosts Log, use the Details button to view further
information.

Then click Allow List for that IP address, as it is a known good source (this IP is the address
of the VPN proxy that you use to access the NETSCOUT Experience lab resources). Allow-listed
sources bypass the AED protections, so only add addresses you control or trust.

It may take one minute for the Allow List to take effect if you were blocked.

7. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

8. Ask your instructor to stop the first attack and proceed after your instructor has confirmed that the attack
was stopped.

9. Second Attack


Wait two minutes, then notify your instructor that you are ready for the second attack.

Review Summary page for attack indicators.

View the Protection Group Page under attack, click on link PG name or go to Protect > Inbound
Protection > Protection Groups.

View Blocked Host log if/where appropriate, Explore > Blocked Hosts

View Packet Capture if needed, Explore > Packet Capture.

Check the status of the ArborTrade server.

You may notice that the ArborTrade server becomes sluggish, slows down, and/or possibly
fails or times out.

Identify an action or protection that should mitigate the attack.

Record the attack details and your observations here:

Once you have identified the attack, record how you would mitigate this attack traffic:

Check Solution

Look for the Protection Group called web servers.

Have you noticed that the section Web Traffic By URL now shows a new top URL,
x.x.x.x/arbor ?

Have you tried putting this URL onto the Deny List?

Have you looked into the packets and noticed that they are TCP SYN packets that already carry an HTTP GET
request? A legitimate SYN carries no payload, so you can work with a filter such as:

drop proto tcp and tflags S/SA and bpp 100..1500

(that is, SYN set and ACK clear, 100 to 1500 bytes per packet). Confirm the sizes in a packet capture
before deploying it: a client using TCP Fast Open can legitimately place data in its SYN, so make sure
nothing you need to serve does so.
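To make the reasoning behind that filter concrete, here is an added example (not part of the lab guide or of AED itself) that evaluates the same three conditions in Python over a small constructed packet list. The Packet record, the flag bit values and the reading of "tflags S/SA" as "SYN must be set, ACK must be clear, other flags ignored" are assumptions of this example, not an AED API.

```python
"""Flag SYN packets that already carry a payload.

Mirrors the FCAP filter 'drop proto tcp and tflags S/SA and bpp 100..1500'
over constructed packets. Added example, not AED code.
"""
from __future__ import annotations

from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    """Minimal packet record (assumed layout): just what the filter needs."""
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    dst_port: int
    tcp_flags: int      # bitmask of the constants above
    length: int         # bytes on the wire, what FCAP calls bpp
    payload: bytes = b""


def tflags_match(flags: int, spec: str) -> bool:
    """Evaluate a 'tflags SET/MASK' spec (assumed semantics).

    'S/SA' means: of the flags in the mask {SYN, ACK}, exactly SYN is set.
    """
    letters = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}
    want, mask = spec.split("/")
    want_bits = sum(letters[c] for c in want)
    mask_bits = sum(letters[c] for c in mask)
    return flags & mask_bits == want_bits


def is_syn_with_payload(pkt: Packet, lo: int = 100, hi: int = 1500) -> bool:
    """True for a bare SYN (SYN set, ACK clear) that is lo..hi bytes long.

    A normal SYN carries no data, so such packets are bogus; TCP Fast Open
    is the one legitimate exception and must be checked for separately.
    """
    return (pkt.proto == "tcp"
            and tflags_match(pkt.tcp_flags, "S/SA")
            and lo <= pkt.length <= hi)


def triage(packets: list[Packet]) -> tuple[list[Packet], list[Packet]]:
    """Split traffic into (dropped, passed) by the SYN-with-payload rule."""
    dropped = [p for p in packets if is_syn_with_payload(p)]
    passed = [p for p in packets if not is_syn_with_payload(p)]
    return dropped, passed


# Constructed sample traffic, not a capture from the lab.
SAMPLE = [
    # normal handshake SYN: 60 bytes, no payload
    Packet("203.0.113.10", "198.51.100.80", "tcp", 80, SYN, 60),
    # normal GET inside an established connection (PSH+ACK)
    Packet("203.0.113.10", "198.51.100.80", "tcp", 80, PSH | ACK, 200, b"GET / HTTP/1.1\r\n"),
    # attack: SYN only, yet the segment already carries an HTTP GET
    Packet("192.0.2.77", "198.51.100.80", "tcp", 80, SYN, 320, b"GET /arbor HTTP/1.1\r\n"),
    # server's SYN-ACK with a size inside the range: must not be dropped
    Packet("198.51.100.80", "203.0.113.10", "tcp", 40000, SYN | ACK, 120),
    # UDP is outside the filter entirely
    Packet("192.0.2.77", "198.51.100.53", "udp", 53, 0, 300),
]

if __name__ == "__main__":
    dropped, passed = triage(SAMPLE)
    for p in dropped:
        print(f"drop {p.src} -> {p.dst}:{p.dst_port} len={p.length} payload={p.payload[:24]!r}")
    print(f"{len(dropped)} dropped, {len(passed)} passed")
```

The SYN-ACK case is the one to watch: it is inside the byte range, but the ACK bit in the mask keeps it out of the match, which is why the filter uses S/SA rather than S/S.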

10. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

11. Ask your instructor to stop the second attack and proceed after your instructor has confirmed that the
attack was stopped.

12. Third Attack

Wait two minutes then notify your instructor that you are ready for the third attack.

Review the indicators of your AED for any DDoS attack, recall that you can:

Review Summary page for attack indicators.

View the Protection Group Page under attack, click on link PG name or go to Protect > Inbound
Protection > Protection Groups.

View Blocked Host log if/where appropriate, Explore > Blocked Hosts

View Packet Capture if needed, Explore > Packet Capture.

Identify an action or protection that should mitigate the attack.

Record the attack details and your observations here:


Were you successful mitigating the attack? If so, provide your details.

Check Solution

Look for the Protection Group called dns servers.

There is noticeably more DNS traffic to the DNS server; you could try to increase the Protection
Level to Medium or High only for the Protection Group of your DNS server (Protect >
Protection Groups > dns servers > Edit button), leaving the other groups at Low.
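Before raising the Protection Level it helps to confirm what the extra DNS traffic looks like. The lab review names this attack a DNS dictionary attack, i.e. one source walking through many different hostnames under the victim domain. The following added example (not AED functionality and not from the lab) runs that check over a constructed query log: per source, the share of distinct names and the share of NXDOMAIN answers. The log line format, the sample traffic and the thresholds are assumptions chosen for illustration.

```python
"""Spot a DNS dictionary attack in a query log.

Per-source statistics: distinct query names / total queries and
NXDOMAIN / total queries. Added example, not AED code.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

LEGIT_NAMES = ["www.arbortrade.net", "mail.arbortrade.net", "api.arbortrade.net"]
WORDLIST = ["admin", "backup", "dev", "ftp", "intranet", "ns3", "old", "portal",
            "sso", "staging", "test", "vpn", "wiki", "db", "git", "jira"]


def build_sample_log() -> list[str]:
    """Constructed query log: two normal clients plus one source walking a wordlist.

    Line format (assumed): '<epoch> <src_ip> <qname> <qtype> <rcode>'.
    """
    lines = []
    t = 1663250000
    for i in range(30):                       # busy but normal client: 3 names, repeated
        lines.append(f"{t + i} 203.0.113.10 {LEGIT_NAMES[i % 3]} A NOERROR")
        if i % 5 == 0:                        # quiet client
            lines.append(f"{t + i} 203.0.113.11 www.arbortrade.net A NOERROR")
    n = 0
    for word in WORDLIST:                     # dictionary walker: every query a new name
        for suffix in ("", "2"):
            lines.append(f"{t + n} 192.0.2.55 {word}{suffix}.arbortrade.net A NXDOMAIN")
            n += 1
    return lines


def parse(line: str) -> tuple[int, str, str, str, str]:
    """Split one log line; names are normalised to lower case without trailing dot."""
    ts, src, qname, qtype, rcode = line.split()
    return int(ts), src, qname.lower().rstrip("."), qtype, rcode


def detect_dictionary_sources(lines: Iterable[str], min_queries: int = 20,
                              distinct_ratio: float = 0.5,
                              nx_ratio: float = 0.5) -> dict[str, dict]:
    """Return {src: stats} for sources that mostly ask for distinct names and
    mostly get NXDOMAIN back. Thresholds are illustrative; tune them against
    your own baseline, and window the counts in production."""
    total: dict[str, int] = defaultdict(int)
    names: dict[str, set[str]] = defaultdict(set)
    nx: dict[str, int] = defaultdict(int)
    for line in lines:
        _, src, qname, _, rcode = parse(line)
        total[src] += 1
        names[src].add(qname)
        if rcode == "NXDOMAIN":
            nx[src] += 1
    flagged = {}
    for src, n in total.items():
        if n < min_queries:                   # too few queries to judge
            continue
        stats = {"queries": n, "distinct": len(names[src]),
                 "distinct_ratio": len(names[src]) / n, "nx_ratio": nx[src] / n}
        if stats["distinct_ratio"] >= distinct_ratio and stats["nx_ratio"] >= nx_ratio:
            flagged[src] = stats
    return flagged


if __name__ == "__main__":
    for src, stats in detect_dictionary_sources(build_sample_log()).items():
        print(src, stats)
```

A high distinct-name ratio on its own also catches a random-subdomain flood; the NXDOMAIN ratio is the second signal that separates a walker from a legitimate resolver that simply serves many users.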

13. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

14. Ask your instructor to stop the third attack and proceed after your instructor has confirmed that the attack
was stopped.

15. Fourth Attack

Wait two minutes, then notify your instructor that you are ready for the fourth attack. It is not unusual
for attack vectors to change this often.

Review Summary page for attack indicators.

View the Protection Group Page under attack, click on link PG name or go to Protect > Inbound
Protection > Protection Groups.

View Blocked Host log if/where appropriate, Explore > Blocked Hosts

View Packet Capture if needed, Explore > Packet Capture.


Identify an action or protection that should mitigate the attack.

Record the attack details and your observations here:

Were you successful mitigating the attack? If so, provide your details.

Check Solution

Look for the Protection Group called file servers.

You could try to increase the Protection Levels for this Protection Group to medium or high.


Have you looked into the packets and noticed that they are TCP ACK packets containing this
string, which could be useful for the Payload Regular Expression?

Payload Regular Expression = ftp.ftp.arbortrade.net.bin.hash.put.rootkit.bin.bye

(In a regular expression "." matches any single character, so this pattern also matches whatever
one-character separator sits between the tokens in the packet.)

Have you thought about using a Flexible Rate-based Blocking - Filter x for this particular
traffic?

FCAP Expression: proto tcp and dst port 21 and bpp 91

Packets per Second Threshold = 10 pps

Note that bpp 91 matches only the exact packet size seen in this attack; if the attacker varies the
payload length the filter will miss it, so treat it as a stop-gap alongside the Payload Regular
Expression rather than as the only control.
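The two controls above complement each other: the payload regex catches the known string, and the rate-based filter catches the same traffic shape even when the payload changes. The following added example (not from the lab guide and not AED code) puts both in front of a constructed packet stream: one FTP client, one source sending the exact rootkit string, and one source sending the same string with doubled spaces, which the single-character "." in the regex no longer matches and which is therefore only stopped by the 10 pps threshold. The Packet record and the sliding-window blocker are assumptions of this example.

```python
"""Payload regex plus per-source rate-based blocking for the FTP attack.

Added example, not AED code. Implements:
  - the lab's Payload Regular Expression,
  - the FCAP match 'proto tcp and dst port 21 and bpp 91',
  - a 10 packets-per-second threshold per source (sliding one-second window).
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Same pattern the lab suggests; '.' matches any single character.
PAYLOAD_RE = re.compile(rb"ftp.ftp.arbortrade.net.bin.hash.put.rootkit.bin.bye")


@dataclass
class Packet:
    """Minimal packet record (assumed layout)."""
    ts: float
    src: str
    proto: str
    dst_port: int
    length: int         # bytes on the wire (bpp)
    payload: bytes = b""


def fcap_match(p: Packet) -> bool:
    """Equivalent of 'proto tcp and dst port 21 and bpp 91'."""
    return p.proto == "tcp" and p.dst_port == 21 and p.length == 91


class RateBasedBlocker:
    """A source is blocked once it sends more than `pps` FCAP-matching packets
    within any `window` seconds; payload-regex hits are dropped outright."""

    def __init__(self, pps: int = 10, window: float = 1.0):
        self.pps, self.window = pps, window
        self.seen: dict[str, deque] = defaultdict(deque)
        self.blocked: set[str] = set()

    def process(self, p: Packet) -> str:
        """Return 'pass', 'drop-regex', 'drop-rate' or 'drop-blocked'."""
        if p.src in self.blocked:
            return "drop-blocked"
        if PAYLOAD_RE.search(p.payload):
            return "drop-regex"
        if not fcap_match(p):
            return "pass"
        q = self.seen[p.src]
        q.append(p.ts)
        while q and q[0] <= p.ts - self.window:   # evict packets outside the window
            q.popleft()
        if len(q) > self.pps:
            self.blocked.add(p.src)
            return "drop-rate"
        return "pass"


def build_sample() -> list[Packet]:
    """Constructed traffic, not a lab capture."""
    pk = [Packet(float(i), "203.0.113.10", "tcp", 21, 91, b"LIST /pub\r\n") for i in range(3)]
    rootkit = b"ftp ftp.arbortrade.net bin hash put rootkit.bin bye"
    pk += [Packet(i * 0.02, "192.0.2.66", "tcp", 21, 91, rootkit) for i in range(40)]
    variant = rootkit.replace(b" ", b"  ")      # extra whitespace defeats the regex
    pk += [Packet(i * 0.02, "192.0.2.67", "tcp", 21, 91, variant) for i in range(40)]
    return pk


def run(packets: list[Packet], pps: int = 10) -> dict[str, dict[str, int]]:
    """Feed packets in time order; return per-source verdict counts."""
    blocker = RateBasedBlocker(pps=pps)
    verdicts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for p in sorted(packets, key=lambda x: x.ts):
        verdicts[p.src][blocker.process(p)] += 1
    return {src: dict(v) for src, v in verdicts.items()}


if __name__ == "__main__":
    for src, counts in run(build_sample()).items():
        print(src, counts)
```

The third source shows the trade-off the lab hints at: ten of its packets get through before the threshold trips, which is the price of a rate-based rule, but it is stopped without any knowledge of the payload.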

16. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

17. Ask your instructor to stop the fourth attack.

18. Lab Review

Review each attack experienced during this lab exercise, including:

What indicators were observed for each DDoS attack and what you should have seen.

What steps, if any, you took to mitigate each attack.

Identification of other possible methods you could use to mitigate that same attack.

First Attack: BroBot attack towards the ArborTrade (Victim) server. During review, record the different
methods students used to block the traffic.

Second Attack: HTTP GET flood. Record the different methods students used to block the traffic.

Third Attack: DNS dictionary attack. During review, record the different methods students used to
block the traffic.

Fourth Attack: FTP attack. Record the different methods students used to block the traffic.

19. Good work!

You have successfully viewed the indicators of application layer based DDoS attacks and applied
protections to mitigate each.

20. Please notify the instructor that you have completed this lab exercise.


If you would like a copy of this lab, select either the Print or the Save Page As (Control-S) menu
option from your browser's dropdown menu.

Depending on which browser you are using, that menu is reached by selecting "File", the three dot
vertical ellipsis, or the three line hamburger menu button. From it, choose either:

1.) Print > Print to PDF

2.) Save Page As > Web Page Complete.

Select whichever method works best with your browser.

This completes the lab exercise on application layer attacks for your AED. For more information about the
protection settings used in this lab, refer to the AED Quick Start Card / Installation
Guide and/or the Arbor Edge Defense User Guide.

© Copyright 2022 NETSCOUT, Inc. All rights reserved
