Ref Guide - Defending Your Network With AED - 220912

The document is a reference guide for the Arbor Edge Defense (AED) platform, detailing its deployment modes, protection groups, and best practices for network defense against DDoS attacks. It emphasizes the importance of configuring protection settings, utilizing profile captures for traffic analysis, and managing deny and allow lists for effective traffic filtering. The guide also outlines the various attack categories and the specific countermeasures applicable to different server types to optimize network security.

Defending Your Network With Arbor Edge Defense

Reference Guide

Trademark Attributions

© 2022 NETSCOUT SYSTEMS, INC. All rights reserved.

NETSCOUT, the NETSCOUT logo, Network General, the Network General logo, NETSCOUT University, nGenius,
nGeniusONE, Sniffer, InfiniStream, Business Container, Business Forensics, TrueCall, NetVigil and Quantiva are
trademarks of NETSCOUT SYSTEMS, INC. Other brands, product names and trademarks are the property of their
respective owners. NETSCOUT reserves the right, at its sole discretion, to make changes at any time in its
technical information and specifications, and service and support programs.

The information presented in the course and in this training guide is for educational purposes only, and the
appropriate manual or NETSCOUT representative should be consulted for issues relating to actual operation
and maintenance of the products described in the course.

Copyright
© 2022 NETSCOUT SYSTEMS, INC. All rights reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form or by any means without the written permission of NETSCOUT
SYSTEMS, INC. or its suppliers or affiliate companies.
9/8/2022

Defending Your Network with AED

COPYRIGHT © 2022 NETSCOUT SYSTEMS, INC. 1

Our Agenda Today

• Introduction
• Optimizing AED configuration
• Learning traffic characteristics with profile capture
• Indicators of a DDoS attack
• Reacting to and mitigating a DDoS attack
• View and mitigate a TCP-based state exhaustion attack
• View and mitigate an application layer attack

Introduction

Arbor Edge Defense

NETSCOUT Arbor Edge Defense Platform

AED Deployment Mode

Monitor Mode

• Detection only
• Typically used in a proof of concept
• Reports on traffic that would be dropped in inline/active mode
• Connected via a link tap or port SPAN

AED Deployment Mode

Inline Mode

• Detection and mitigation in inline / active mode
• Hardware and software bypass
• Inline / inactive – sub-mode for detection only, used to gain confidence in the configuration

The First and Last Line of Defense

“Out-of-the-box” protection against, for example:
• DNS Amplification, NTP Amplification, UDP Flood, ICMP Flood
• TCP SYN, TCP Reset, Ack Flood, TCP FIN
• HOIC, LOIC, RUDY, Slowloris

AED – Automatic & Configurable Protections

Out of the box, on-premise protection from all types of DDoS attacks
“Out-of-the-box protection” = One default protection group for all network traffic

About Protection Groups

Why do we need more protection groups?

• The default protection group is not enough!
– Each service has its own traffic characteristics
– Separating services gives better granularity and control of protections
• Mixing services inside a protection group (Web server, Mail, DNS, VoIP):
– Impacts threshold accuracy
– Can block legitimate traffic (false positives)
– Leaves you without the proper tool to protect against a specific attack
• The Web server type has no DNS protections, etc.

About Protection Groups

Protection Groups and Server Types

• Protection Groups (PGs) represent what is protected:
– A single server or a specific group of servers
– Separate PGs are needed for IPv4 hosts and IPv6 hosts
• Each PG is associated with a Server Type, which defines how it is protected
– The server type holds the rules used to protect the protection group

Server Types Identify the Attack Categories

• Protections are defined for each Server Type
– Allows for optimal inspection and increased performance
– Why test web traffic using DNS countermeasures and vice-versa?

Server types (table columns): Generic Server, DNS Server, File Server, IPv6, Mail Server, RLogin Server, VoIP Server, VPN Server, Web Server

Settings categories (table rows; the original matrix marks with an x which server types each category applies to, and only the rows marked for every server type are noted here):
– ATLAS Threat Categories
– STIX Feeds
– Application Misbehavior
– Block Malformed DNS Traffic
– Block Malformed SIP Traffic
– Botnet Prevention
– CDN and Proxy Support
– DNS Authentication
– DNS NXDomain Rate Limiting
– DNS Rate Limiting
– DNS Regular Expression
– Filter List (all server types)
– Fragment Detection
– HTTP Header Regular Expressions
– HTTP Rate Limiting
– HTTP Reporting
– ICMP Flood Detection
– Malformed HTTP Filtering
– Multicast Blocking
– Payload Regular Expression (all server types)
– Private Address Blocking
– Rate-based Blocking (all server types)
– SIP Request Limiting
– Spoofed SYN Flood Prevention (all server types)
– TCP Connection Limiting
– TCP Connection Reset (all server types)
– TCP SYN Flood Detection
– TLS Attack Prevention
– Traffic Shaping (all server types)
– UDP Flood Detection

Viewing and Managing Server Type Settings

Protection Settings and Protection Levels
• Protection settings include descriptions
– Web-based context-sensitive Help pages provide further details
• Three Protection Levels are used to increase protection
– Enables or disables a protection
– Defines acceptable-use traffic thresholds
– Configures filters to match traffic
– Out-of-the-box default values are shown

Low = “Peace” time; Medium = “Tense” time; High = “War” time

Protection Level Icons

Protection Levels – Global Protection Level Settings

• The Global Protection Level is shown at the top of every web page
– The current protection level is indicated by a check mark inside the icon
– The global setting applies to all PGs by default
• When editing a Protection Group, you can override the Global Protection Level

Optimizing AED configuration


Tuning Your Configuration

The ideal configuration

• A good configuration should be restrictive enough to stop attacks from bringing a service down, but also flexible enough that a change on the network does not require a configuration change on the AED
• Low protection level
– Designed to cover peace time, but should be capable of stopping the most common attacks
• Medium protection level
– Designed to cover tense times, where the traffic volume increases unexpectedly
• High protection level
– War time. The most restrictive protection level for AED.

Tuning Your Configuration

Understanding what is being protected to protect better

• Create protection groups for each service type (e.g. DNS, WEB)
– Never mix services inside a single protection group
– Each server type has specific countermeasures for each service’s traffic characteristics

Best Practices
Deny and Allow lists
• AED uses Deny and Allow lists* as filters to block or pass traffic without further inspection, regardless of the current protection level
– Separate lists for inbound and outbound traffic
– Can Deny/Allow for all protection groups or for individual protection groups
– AED does not automatically Deny or Allow hosts**
• Deny lists protect your network from malicious traffic and drop traffic for:
– IPv4 or IPv6 source hosts; IP Location countries; Embedded DNS domains; Embedded URLs
• Allow lists pass trusted traffic without inspection for:
– IPv4 or IPv6 addresses; Hostname; CIDR

* Previously known as Blacklist/Whitelist
** Some countermeasures temporarily block offending hosts, adding the hosts to a dynamic deny list

Best Practices
Inbound Deny Lists Management
Options available for inbound protection:
- Denied Hosts
- Denied Countries
- Denied Domains
- Denied URLs

Best Practices
Outbound Deny Lists Management
Options available for outbound protection:
- Denied Hosts
- Denied Countries

Best Practices
Allow Lists Management


Best Practices
Master Filter Lists
• AED can also use a master filter list to block or pass traffic without further inspection. It takes precedence over the Protection Groups.

Tuning Your Configuration

Understanding what is being protected to protect better

• Create filter lists inside each protection group.
• Each packet is tested against the FCAP expression rules sequentially, in list order
– Any packet that matches a drop rule is dropped immediately, without further protection processing
– Any packet that matches a pass rule is passed immediately, without further protection processing
– All traffic not matching any rule is subject to further protection processing

Best Practices
Real time visibility with packet capture
Packet capture can be used for traffic analysis.

Two ways to access the packet capture:
- Menu: Explore > Packet Capture
- From the Protection Group page

Important to know: not all packets are displayed, because the capture is sampled.

Real Time Visibility

Packet capture
- Download PCAP
- Click to start capturing traffic
- Filter settings for packet capture
- Red/Pink means dropped traffic; White/Gray means passed traffic

Real Time Visibility

Packet capture
- Click on any line to show packet details
- Includes shortcuts: Deny List Source, Add to Payload Regex
- Includes the blocking reason for dropped packets

Real Time Visibility

Packet capture

• Creating Regular expressions
– A new pop-up window will appear
– Select the desired server type and the TCP port, then click the Save button

Best Practices
Blocked hosts management

Filter options on the Blocked Hosts page:
- Specify the traffic direction
- Enter IPv4 or IPv6 hosts as freeform text
- Select/deselect all filters
- Use the custom time selector for hosts blocked more than one week ago
- Choose the minimum amount of host traffic observed to cause blocking

Learning traffic characteristics with Profile capture

Create a Profile Capture

Use inactive mode to tune your configuration

• Inactive mode = simulation mode
– No traffic is discarded, but AED still provides all the traffic information needed to better understand the traffic characteristics of each Protection Group
• Used at the beginning of the installation
• Use it throughout the life of the AED
• As network traffic changes, a rate-based threshold can become obsolete

Create a Profile Capture

Tuning your Protection Group Settings
• Start the Profile Capture for a single or multiple server types from the Protection Groups page
– Select the Protection Group(s) to tune
– Click the Profile button
– Specify the length of the capture: 1 – 14 days
– Press Start

Protection Settings That May Be Tuned by Profile Capture

Rate-Based Countermeasures on the AED
• AED captures profile data for these protections
• Use the Tuning page (covered later) to set all rate-based protections at once, based on the profile capture data.

Identifying Profile Capture Status

Which Protection Groups have available Tuning data?

Click the Profile Capture Status icon to display the status window
- Optionally click on a Protection Group to link to its Profile Capture

Viewing the Tuning Data

Menu: Protect > Server Type Configuration

• View the data that AED measured during the most recent traffic profile capture
• A “Profile Capture: Completed” message appears at the top of the page
• Click the Tune Profiled Settings button to view the Tuning page

Use the Tuning Window to Configure Settings

Best Practice to set all thresholds
Threshold markers can be moved to view how they affect the amount of passed traffic
– Drag the markers to different points
– Enter different values in the suggested settings fields

To revert any changes in a specific protection category, click the “Revert All” or “Revert” buttons

Viewing Traffic Passed or Blocked

Suggested settings
• Using the Suggested Rates
• Note the number blocked and % passed

Custom settings
• Adjusting the traffic rates
– Adjust with the slider or manual entry
• Note the number blocked and % passed

Protection Level Automation

• By default, the protection level needs to be changed manually
– Per protection group or globally
– Click the desired protection level, then click OK to accept the change.
• It can be automated per protection group
– Automation moves the protection level from low to high.
– There is no option to move it from low to medium.

Protection Level Automation cont.

• Reduces time to mitigation
• Configurable from AED or AED Console
• Support for both IPv4 and IPv6 PGs
• Operates separately from the global Protection Level settings

Protection Level Automation cont.

• A global or a static threshold can be used to trigger the automation.
• Configured per protection group.

Defending Your Network with AED

Hands-on Lab #1

- Perform the exercise and follow the Lab Guide
- Connect to the virtual Lab
- Proctor assistance is available

Please access the Lab via https://portal.ne.netscout.com/

Protection Group | Protection          | Low           | Medium        | High
web servers      | Rate-based Blocking | 453000 bps    | 58000 bps     | 41000 bps
                 |                     | 135 pps       | 20 pps        | 15 pps
                 | HTTP Rate Limiting  | 60 req/sec    | 40 req/sec    | 28 req/sec
                 |                     | 3 url/sec     | 3 url/sec     | 3 url/sec
dns servers      | Rate-based Blocking | 78000 bps     | 78000 bps     | 78000 bps
                 |                     | 150 pps       | 150 pps       | 150 pps
                 | DNS Rate Limiting   | 150 query/sec | 150 query/sec | 150 query/sec
                 | UDP Flood Detection | 78000 bps     | 78000 bps     | 78000 bps
                 |                     | 150 pps       | 150 pps       | 150 pps
                 | NXDomain            | 300 req/s     | 150 req/s     | 50 req/s
file servers     | Rate-based Blocking | 600000 bps    | 585000 bps    | 450000 bps
                 |                     | 1450 pps      | 1380 pps      | 1380 pps

Accessing the NETSCOUT Experience

• https://portal.ne.netscout.com/

• Example logins are not valid


– Username:
• NE33
• NE215
– Password:
• Sozefiro2@
• Qiyofiwi1#


Using the Student Dashboard


Accessing your AED system and lab guides

Access the lab guides here


Viewing ArborTrade (Victim) Status


Indicators of a DDoS attack

AED Web-based UI Workflows


What an Attack Might Look Like

Ask yourself!

• Are there any sudden increases or spikes in traffic?
– Compare real-time to historical traffic patterns
– Unexpected increases in traffic not tied to any specific event
• Are there any changes in real-time traffic details?
– Inbound source traffic
– Observed destinations
– Geo-location details
– Protocol and ports targeting the destination
– Increased AIF Threat or Botnet activity
– Does any traffic detail or suspected misuse align with the start of the suspected attack?
– Are users or server administrators reporting problems?

Workflows to Check Within the AED UI

Identifying where to find sudden changes and traffic details

• Summary page
– Displays multiple sections with real-time traffic forensics
– All data displayed is for the last 60 minutes; this cannot be changed
– Provides a global view of all traffic through that AED
• Protection Group page
– View real-time details for traffic destined to the prefixes in a PG
– Edit specific protection settings for a PG
• Blocked Hosts Log
– View temporarily blocked sources
– Records details of why a host was blocked and actions to change it

Information to Gather if Under DDoS Attack

What information to gather?

• If you are under a DDoS attack and need assistance in mitigating it, it helps to gather some information while the attack is occurring:
– Any details of the attack:
• Source Host
• Source Port
• Destination Host
• Destination Port
• Protocol / TCP or UDP traffic
– An unfiltered capture of the traffic
• AED provides a ‘sampled’ packet capture for initial investigations
Note: information taken from the support portal (My.Arbor) Knowledge Base ID 4423

Indicators of a DDoS Attack

Workflow to be used if you suspect a service is under an attack

• Any notifications received from AED?
– email
– syslog
– SNMP trap notifications
• Viewing the AED web-based UI (AED Summary Page):
– Identify any Top Active Alerts, including:
• Total Traffic alert
• Blocked Traffic alert
• Botnet Traffic alert

Indicators of a DDoS Attack

Summary page

Any activity or changes that align with a suspected attack?
• Top Protection Groups
– Lists the five most active protection groups
• Summary page timeframe is fixed
• It automatically refreshes every 60 seconds
• Overview section for Blocked Traffic or Blocked Hosts

Indicators of a DDoS Attack

Summary page

Any sudden increase in recent or potential activity?
• ATLAS Botnet Prevention
– Amount of inbound traffic currently blocked by the AIF Botnet Signatures
– Traffic that would be blocked at a different protection level
• ATLAS Threat Categories
– Shows the five ATLAS threat categories that blocked the most inbound and outbound traffic during the last hour

Indicators of a DDoS Attack

Summary page

Any sudden increases in traffic or recent activity? Check:
• Top Inbound Countries
– North Korea – acceptable?
– Add to Deny list if necessary

Indicators of a DDoS Attack

Summary page

Any sudden increases in traffic or recent activity? Check:
• Top Inbound Sources – displays the five external IP addresses that sent the most traffic
– Notice that the Top Inbound Source activity syncs with destination and Top Protection Group activity
• Top Inbound Destinations – displays the five internal IP addresses that received the most traffic
• Analyze IPv6 activity

Indicators of a DDoS Attack

Protection Groups page

• The View Protection Group page shows a summary of traffic for the last hour (-1h)
• Click on the PG link name or follow the menu item to view a specific PG
• Check alerts inside the PG
• Data displayed:
– Refreshes approximately every 60 seconds
– Traffic details displayed in each section are specific to that PG

Indicators of a DDoS Attack

Protection Groups page

• Update the Time to the last five minutes (-5m)
– Focus on current traffic details
• Use the PG page to investigate:
– What’s different with this traffic?
– What doesn’t belong here?
– What changes have occurred?
– What Attack Categories are displayed?
• Change the timeframe to compare historical traffic to current traffic

Indicators of a DDoS Attack

Protection Group page

• Attack Categories – identifies malicious traffic
– Which Server Type protection is currently blocking traffic?
– Hover the mouse over the minigraphs to view a larger version of that graph
– Hover the mouse near ‘Category’ to display a context menu
• Links to the Blocked Hosts Log
– Click the ‘Details’ button to view additional information about the blocked traffic

Indicators of a DDoS Attack

Protection Group page

• Temporarily Blocked Sources displays which host IPs have been temporarily blocked
– Which sources sent malicious traffic?
– What kind of malicious traffic was sent?
– Sources are not added to the deny list
• But they are temporarily blocked for 60 seconds, and for 300 seconds on repeated offenses
– Add to the “allow list” any valid source IPs that are blocked (false positives)

Indicators of a DDoS Attack

Protection Group page

• Web Traffic By URL
– Displays up to 10 top destination URLs
– Identifies URLs with the most HTTP requests
• Web Traffic By Domain
– Displays up to 10 of the top domains with the most HTTP requests
• Use these to verify whether each URL and domain is valid

Indicators of a DDoS Attack

Protection Group page

• Web Crawlers
– Lists the top five search engines with the highest traffic
• IP Location
– Lists up to 10 countries that send the most traffic
– Identify embargoed or banned countries, or determine sources of an attack
– Add to the “deny list” when needed

Indicators of a DDoS Attack

Continuing to scroll down the ‘View Protection Group’ page (example: a Web Server Protection Group)

• Protocols
– Lists up to 10 protocols that have the highest amounts of inbound traffic
– Callout on the screenshot: “Wow, there’s a lot of UDP traffic here”
• Services
– Lists up to 10 services that have the highest amounts of inbound traffic
– Unexpected protocols or services could represent an attack
– Callout on the screenshot: “There is a lot of UDP/80 traffic here, is that normal?”

Reacting to and Mitigating a DDoS Attack

How to Block a Volumetric Attack

Reacting to and Mitigating a DDoS Attack

Attack detected

• Raising the Protection Level:
– Enables additional protections
– Example: ICMP Flood Detection is disabled by default at the Low Protection Level
• Attack persists?
– Update protection settings as required for the situation
– Ideally you should optimize the threshold values beforehand using the Profile Capture tool
– Test the server type’s countermeasures using Inactive Mode

Reacting to and Mitigating a DDoS Attack

Attack identified: adjust filters

If the source or the traffic details of an attack are found, you can:
• Deny list the traffic source
• Use FCAP expressions
– Create a Filter with the matching traffic pattern (like an ACL)
– Applies to Layer 3 / 4 traffic only
• Use ‘Advanced Tactics’
– Create a regular expression to match the traffic and add it to the appropriate protection settings
– Applies to all layers of traffic

Reacting to and Mitigating a DDoS Attack

AED can’t mitigate the attack

• AED is mitigating the attack by blocking inbound traffic, but…
– the DDoS attack persists and the inbound traffic is near full link bandwidth
– the DDoS attack is overloading the routers and bandwidth upstream of AED
• Engage cloud-based mitigation services!
– From your local ISP or the Arbor Cloud Service

Using Deny Lists to Block Sources

Menu item: Protect > Inbound Protection > Deny Lists

• Deny lists protect your network from malicious traffic and drop traffic for:
– IPv4/IPv6 source hosts; CIDRs; Countries; Embedded DNS domains; Embedded URLs
– Blocks traffic without further inspection
– Block for “All IPv4/IPv6 Protection Groups” or a specific protection group
• Use the “Deny list” shortcuts that appear throughout the UI

Creating a Filter that Uses FCAP Expressions

• Best practice for optimizing PG protection settings
– Block unnecessary traffic for a PG type
– Can serve as a “custom deny list/allow list” per protection level per PG
• Usage details are found in the ‘Help’ appendix ‘Using FCAP Expressions’
– Specify an action: ‘drop’ or ‘pass’
– Basic expressions for: IP, Port, Protocol, etc.
– Specify direction where required: ‘src’ or ‘dst’
– Use “..” to specify ranges
– Use operators: AND, OR, NOT, !, and ()
– # to prepend user comments (use a hashtag)

Some example FCAP Expressions (hint for lab exercise):
#Drop DNS amplification packets:
drop proto udp and src port 53 and bpp 512..65535
#Drop NTP amplification packets:
drop proto udp and port 123 and bpp 220..1500
#Allow proxy access to ArborTrade
pass src host 198.168.100.2/32
#Allow only web-based traffic
drop !(proto TCP and dst port 80 or 443)
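The following is an added Python illustration, not AED's own FCAP engine, of the first-match drop/pass evaluation described under "Create filter lists inside each protection group" and of the four example expressions above. It implements only the syntax subset the slide lists (drop/pass, proto, src/dst port and host with an optional CIDR, bpp ranges, and/or/not/!/parentheses, a '#' comment); the rule that a bare port number after and/or reuses the previous qualifier ("dst port 80 or 443"), the precedence of and over or, and the sample packets and addresses are this example's assumptions.

```python
"""Added illustration (not AED's FCAP engine): first-match drop/pass filter-list evaluation
for the syntax subset on the slide (drop/pass, proto, [src|dst] port, [src|dst] host with
optional CIDR, bpp lo..hi, and/or/not/!/( ), '#' comments, "dst port 80 or 443" shorthand)."""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport size")  # size = bytes per packet (bpp)
TOKEN = re.compile(r"\s*(\(|\)|!|[\w.:/]+)")
PREC = {"or": 0, "and": 1}   # assumption: 'and' binds tighter than 'or', as in BPF-style filters

def ends(direction, src_value, dst_value):
    """Value(s) a qualifier is checked against: src, dst, or either end when no direction is given."""
    return {"src": (src_value,), "dst": (dst_value,)}.get(direction, (src_value, dst_value))

class Parser:
    def __init__(self, text):
        self.toks = [t.lower() for t in TOKEN.findall(text)] + [None]   # None = end sentinel
        self.i = 0
        self.last = None   # port qualifier that a bare number after and/or reuses

    def take(self):
        tok = self.toks[self.i]
        if tok is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return tok

    def parse(self):
        action = self.take()
        if action not in ("drop", "pass"):
            raise ValueError(f"rule must start with drop or pass, got {action!r}")
        pred = self.expr()
        if self.toks[self.i] is not None:
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return action, pred

    def expr(self, min_prec=0):   # precedence climbing over and/or; returns Packet -> bool
        left = self.factor()
        while self.toks[self.i] in PREC and PREC[self.toks[self.i]] >= min_prec:
            op = self.take()
            right = self.expr(PREC[op] + 1)
            left = (lambda a, b, o: lambda p: a(p) and b(p) if o == "and" else a(p) or b(p))(left, right, op)
        return left

    def factor(self):
        tok = self.take()
        if tok in ("not", "!"):
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive(tok)

    def primitive(self, tok):
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "proto":
            name = self.take()
            return lambda p: p.proto.lower() == name
        if tok == "port":
            self.last = lambda v, d=direction: (lambda p: int(v) in ends(d, p.sport, p.dport))
            return self.last(self.take())
        if tok == "host":
            net = ipaddress.ip_network(self.take(), strict=False)   # bare host or CIDR
            return lambda p, d=direction: any(ipaddress.ip_address(a) in net for a in ends(d, p.src, p.dst))
        if tok == "bpp":
            lo, hi = (int(x) for x in self.take().split(".."))
            return lambda p: lo <= p.size <= hi
        if tok.isdigit() and self.last is not None:
            return self.last(tok)   # "... or 443": same side as the preceding port test
        raise ValueError(f"unknown qualifier {tok!r}")

def compile_filter_list(text):
    """[(rule_text, action, predicate)] in list order; text after '#' is a user comment."""
    lines = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    return [(line, *Parser(line).parse()) for line in lines if line]

def evaluate(rules, pkt):
    """First matching rule wins; (None, None) means the packet goes on to protection processing."""
    return next(((act, text) for text, act, pred in rules if pred(pkt)), (None, None))

FILTER_LIST = """#Drop DNS amplification packets:
drop proto udp and src port 53 and bpp 512..65535
#Drop NTP amplification packets:
drop proto udp and port 123 and bpp 220..1500
#Allow proxy access to ArborTrade
pass src host 198.168.100.2/32
#Allow only web-based traffic
drop !(proto TCP and dst port 80 or 443)
"""
RULES = compile_filter_list(FILTER_LIST)
```

Note that a UDP packet to destination port 443 is not dropped by the last rule, because the bare 443 inherits only the dst port qualifier, not the proto test.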


Reacting to and Mitigating a DDoS Attack

Edit the protection settings

If you can identify the type of attack (at the current Low, Medium or High level):
• Try to block it by changing the protection settings that typically block that type of attack
• Must edit the specific protection settings
– Protection settings are found under the related Server Type for a PG
– Don’t forget about the current Protection Level – it decides which setting(s) to modify
– And is this a temporary or permanent change?

Reacting to and Mitigating a DDoS Attack

Protections that are useful against a volumetric DDoS attack

• Create Filter lists to protect specific types of services (a best practice)
– Web, DNS, SIP, File, etc.
• Rate-based protections work best for volumetric DDoS attacks
– Define acceptable use policies
• Use Profile Capture to optimize settings
– A best practice
– Sources that exceed the configured thresholds are blocked

• Layer 3 / 4 Rate-based Protections
– Rate-based Blocking (for hands-on lab)
– TCP SYN Flood Detection
– ICMP Flood Detection
– UDP Flood Detection
– Fragment Flood Detection
– Traffic Shaping
• Any traffic that matches the specified FCAP expression and exceeds the configured rate limits is dropped
• Not a rate-based protection
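An added simulation (example code, not AED's implementation) of the rate-based blocking behaviour this section and the earlier "Temporarily Blocked Sources" slide describe: per-source bps and pps thresholds per protection level, taken from the web server row of the lab threshold table; a source over either limit is temporarily blocked for 60 seconds and for 300 seconds on a repeat offence; allow-listed sources are exempt. The one-second measurement window, the set_level hook, the addresses and the traffic trace are assumptions of this example.

```python
"""Added simulation (example code, not AED's implementation) of rate-based blocking as
described on the slides: per-source bps and pps thresholds per protection level, taken
from the lab table's web server values; a source over either limit is blocked for
60 seconds, and for 300 seconds on a repeat offence; allow-listed sources are exempt.
The one-second measurement window, the addresses and the traffic trace are assumptions."""
from collections import defaultdict

THRESHOLDS = {            # web servers, Rate-based Blocking: (bits/s, packets/s)
    "low": (453_000, 135),
    "medium": (58_000, 20),
    "high": (41_000, 15),
}
FIRST_BLOCK_SECONDS = 60
REPEAT_BLOCK_SECONDS = 300


class RateBasedBlocker:
    def __init__(self, level="low", allow_list=()):
        self.set_level(level)
        self.allow = set(allow_list)
        self.window = {}                    # src -> [window_start, bits, packets]
        self.blocked_until = {}             # src -> time the temporary block expires
        self.offences = defaultdict(int)    # src -> number of times blocked
        self.log = []

    def set_level(self, level):
        """Switch thresholds, e.g. when Protection Level Automation raises Low -> High."""
        self.level = level
        self.bps, self.pps = THRESHOLDS[level]

    def packet(self, t, src, size):
        """Classify one packet of `size` bytes from `src` seen at time t (seconds)."""
        if src in self.allow:
            return "allowed"          # allow list: passed without inspection
        if self.blocked_until.get(src, 0.0) > t:
            return "blocked"          # still inside a temporary block
        w = self.window.get(src)
        if w is None or t - w[0] >= 1.0:
            w = self.window[src] = [t, 0, 0]   # start a new one-second window
        w[1] += size * 8
        w[2] += 1
        if w[1] > self.bps or w[2] > self.pps:   # either limit exceeded
            self.offences[src] += 1
            duration = FIRST_BLOCK_SECONDS if self.offences[src] == 1 else REPEAT_BLOCK_SECONDS
            self.blocked_until[src] = t + duration
            self.log.append(f"t={t:7.3f} {self.level}: {src} exceeded "
                            f"{w[1]} bps / {w[2]} pps, blocked {duration}s")
            return "blocked"
        return "passed"


def constructed_trace():
    """Constructed traffic: a normal client, the allow-listed proxy and a flooding source."""
    trace = [(i / 50, "203.0.113.10", 600) for i in range(50)]       # 50 pps, 240 kbps
    trace += [(i / 10, "198.168.100.2", 1500) for i in range(10)]    # proxy address from the slide
    for burst_start in (0.0, 61.0):   # flooder returns after its first 60 s block expires
        trace += [(burst_start + i / 300, "203.0.113.66", 1200) for i in range(300)]
    return sorted(trace)


def simulate(level="low"):
    """Replay the trace at one protection level; returns per-source verdict counts and the blocker."""
    blocker = RateBasedBlocker(level, allow_list={"198.168.100.2"})
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, size in constructed_trace():
        counts[src][blocker.packet(t, src, size)] += 1
    return counts, blocker


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        counts, blocker = simulate(level)
        for src in sorted(counts):
            print(level, src, dict(counts[src]))
        print("\n".join(blocker.log))
```

At Low the 50 pps client passes untouched while the flooder is blocked on its 48th packet (the bps limit trips before the pps limit); at Medium the same client is blocked on its 13th packet, which is the false-positive case the allow list and profile-capture tuning exist for.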


Hands on Lab: Mitigating Volumetric Attacks

Hands-on Lab #2

- Perform the exercise and follow the Lab Guide
- Connect to the virtual Lab
- Proctor assistance is available

Please access the Lab via https://portal.ne.netscout.com/

View and mitigate a TCP-based State Exhaustion Attack

TCP-based State Exhaustion DDoS Attacks

TCP-based attack characteristics
• Attempt to exhaust the server resources for TCP connections
– Server is unable to handle new connection requests
• Prevents the completion of the TCP three-way handshake
– Source(s) continuously send packets with just the SYN bit set (SYN packets are typically small)
– Victim (Server) must open a connection and send a SYN-ACK back to the source
– The handshake must be completed before a communications port between the client and server can be fully open and available
• Connection is kept open
– Source ACKs and then data is exchanged
– Source terminates the connection
– Server times out the connection

Effects of TCP-based State Exhaustion Attacks

(Diagram: TCP SYN, TCP Reset, Ack Flood and TCP FIN attacks directed at the Data Center, with AED in front providing Automatic & Configurable Protections)

Useful Protections for TCP-based Attacks

Countermeasures

• TCP SYN Flood Detection
– Detects sources sending TCP SYN traffic above the configured thresholds
– If traffic exceeds either rate limit, the source is temporarily blocked
• Spoofed SYN Flood Prevention
– Authenticates new TCP sources with a challenge to the three-way handshake
– Two methods to challenge the handshake
– Drops the traffic from hosts that do not respond properly
– Callout on the slide: “Disabled at Low and Medium?”

Other Protections for TCP-based Attacks

Countermeasures

• TCP Connection Limiting
– Limits the number of concurrent connections originating from a single host
– Different settings defined for different server types
• TCP Connection Reset
– Blocks TCP connections that fail to make significant progress
– Protects against slow request attacks such as Slowloris and R.U.D.Y.

Hands on Lab: Mitigating TCP-based Attacks

Hands-on Lab #3

- Perform the exercise and follow the Lab Guide
- Connect to the virtual Lab
- Proctor assistance is available

Please access the Lab via https://portal.ne.netscout.com/

View and mitigate an Application Layer Attack

Effects of Application Layer Attacks

(Diagram: DNS Dictionary, LOIC, HOIC and HTTP Flood attacks directed at the Data Center, with AED in front providing Automatic & Configurable Protections)

DNS Threat Vectors

DNS attack characteristics (diagram labels)
• Client-Side Attacks: DNS Cache Poisoning, Phishing Servers
• Reflective Attacks: DNS Servers used to attack a Target
• Server-Side Attacks: DNS Application Layer Attacks against DNS Servers and DNS Resolvers
– "Root Queries"
– "Random Queries"
– "Multiple Queries per Packet"
– "NX Domain Reflective"

DNS Dictionary Attacks

DNS attack characteristics (diagram)

• Attacker requests entries that do not exist in the DNS Cache:
Query: abcd.somedomain.com
Query: efgh.somedomain.com
Query: ijkl.somedomain.com
...

• Each cache miss is passed from the DNS Cache to the DB Server, which is overwhelmed with lookups

• The answers come back as NXDomain:
NXDomain: abcd.somedomain.com
NXDomain: efgh.somedomain.com
NXDomain: ijkl.somedomain.com
...


AED Protections for DNS Amplification Attacks

Countermeasures

• Block Malformed DNS Traffic
– Verifies that a packet contains a payload that could be part of a valid DNS message
– Evaluates valid DNS requests for compliance with RFC standards

• DNS Authentication
– Protects against DNS attacks that originate from a source that is not a valid host
– Forces any clients that send DNS requests to change to TCP before the queries reach the DNS server

AED Protections for DNS Amplification Attacks

Countermeasures

• DNS Rate Limiting
– Prevents attacks that misuse DNS requests to flood DNS servers
– AED inspects all DNS traffic from a single source and records the number of queries per second

• DNS NXDomain Rate Limiting
– Blocks any host that generates too many consecutive failed DNS requests to non-existent domains
– The network must be configured so that AED sees the DNS responses from the DNS server
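As an added illustration (not AED's implementation), the following Python models the consecutive-NXDomain counting described above over constructed DNS responses; the threshold, the client addresses and the response records are assumed values for the example. It also shows why the sensor must see the server's responses: the block decision is driven entirely by the answers, not by the queries.

```python
from collections import defaultdict

NXDOMAIN_LIMIT = 3  # assumed threshold for illustration; AED's default is not stated here


class NXDomainRateLimiter:
    """Blocks a client after more than `limit` consecutive NXDOMAIN answers."""

    def __init__(self, limit=NXDOMAIN_LIMIT):
        self.limit = limit
        self.consecutive = defaultdict(int)  # client IP -> current NXDOMAIN run length
        self.blocked = set()

    def observe_response(self, client, rcode):
        """Feed one DNS response as seen leaving the server toward `client`.
        This only works when the monitoring point is in the path of the responses."""
        if client in self.blocked:
            return "blocked"
        if rcode == "NXDOMAIN":
            self.consecutive[client] += 1
            if self.consecutive[client] > self.limit:
                self.blocked.add(client)
                return "blocked"
        else:
            self.consecutive[client] = 0  # any successful lookup resets the run
        return "allowed"

    def observe_query(self, client):
        """Queries from a blocked client are dropped before they reach the server."""
        return "dropped" if client in self.blocked else "forwarded"


# Constructed sample: (client, rcode) pairs in arrival order.
# The first client mixes a success into its failures, so its run never exceeds the limit;
# the second client fails four times in a row and is blocked.
SAMPLE_RESPONSES = [
    ("203.0.113.5", "NXDOMAIN"), ("203.0.113.5", "NXDOMAIN"), ("203.0.113.5", "NOERROR"),
    ("203.0.113.5", "NXDOMAIN"), ("203.0.113.5", "NXDOMAIN"),
    ("198.51.100.9", "NXDOMAIN"), ("198.51.100.9", "NXDOMAIN"),
    ("198.51.100.9", "NXDOMAIN"), ("198.51.100.9", "NXDOMAIN"),
]


def run_sample(records=SAMPLE_RESPONSES, limit=NXDOMAIN_LIMIT):
    """Replay the records through a limiter and return it for inspection."""
    limiter = NXDomainRateLimiter(limit)
    for client, rcode in records:
        limiter.observe_response(client, rcode)
    return limiter


if __name__ == "__main__":
    print("blocked:", sorted(run_sample().blocked))  # prints ['198.51.100.9']
```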


Application Attacks to Web Servers

HTTP/HTTPS attack characteristics

• HTTP Floods / GET Floods
– Attacker(s) (botnet) exploit a targeted server with continuous HTTP GET requests
– "Brute force" (mode) attempts to consume resources to make the server unavailable for legitimate users (load testing)
– HTTP GET requests are normal; to identify misuse look for:
• Legitimate-looking traffic used to attack
• Lots of identical GET requests
• Requests from a large number of source IP addresses
• The same source IPs re-sending the same GET requests rapidly
– Ex: Siege, HOIC, LOIC
– See also POST floods – sends many POST requests

• Slow GET
– Opens many TCP sessions that never close and hold server resources
• TCP table space, process table, memory
– Sends partial HTTP requests, never completes a request
– Ex: Slowloris

• Slow POST
– Like Slow GET, focused on pages which have forms to be completed
• Can't be cached by CDNs
– Ex: R.U.D.Y.


AED Protections for Web Services

Countermeasures

• Malformed HTTP Filtering
– Protects against source hosts that exhaust resources by sending invalid or blank HTTP requests to a server
– Verifies that the HTTP header conforms to RFC 2616 Section 2.2 "Basic Rules"
– Must be enabled for the 'Botnet Prevention' protection to work

• Low Protection Level
– HTTP 1.1 requests must include: Host:

• Medium Protection Level
– HTTP 1.1 requests must include: Host:
– All requests must include: User-Agent:

• High Protection Level
– All requests must have: Host:, User-Agent:, Connection:, Accept:, Accept-Encoding:, Accept-Language:
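The per-level header requirements above, as an added Python checker that is not AED's code: it parses a raw HTTP request, rejects blank or colon-less header lines, and reports which required headers are missing for the chosen protection level. The sample requests are constructed; the full RFC 2616 "Basic Rules" syntax check is out of scope here.

```python
REQUIRED_HEADERS = {
    "low":    {"Host"},
    "medium": {"Host", "User-Agent"},
    "high":   {"Host", "User-Agent", "Connection", "Accept",
               "Accept-Encoding", "Accept-Language"},
}


def parse_request(raw):
    """Return (version, {header: value}) for a raw request, or None when the
    request line or any header line is not well formed (blank/colon-less)."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return None  # a blank or colon-less header line is malformed
        headers[name.strip().decode("ascii", "replace")] = value.strip()
    return parts[2].decode("ascii", "replace"), headers


def check_request(raw, level):
    """Return (verdict, missing_headers); verdict is 'pass' or 'drop'."""
    parsed = parse_request(raw)
    if parsed is None:
        return "drop", ["<malformed>"]
    version, headers = parsed
    present = {h.lower() for h in headers}  # header names are case-insensitive
    required = set(REQUIRED_HEADERS[level])
    # At Low and Medium the slide ties the Host: requirement to HTTP/1.1 requests only;
    # at High every listed header is required for all requests.
    if level != "high" and version != "HTTP/1.1":
        required.discard("Host")
    missing = sorted(h for h in required if h.lower() not in present)
    return ("pass" if not missing else "drop"), missing


# Constructed sample requests
MINIMAL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BROWSER = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: ExampleBrowser/1.0\r\nConnection: keep-alive\r\n"
           b"Accept: text/html\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\n\r\n")
OLD_CLIENT = b"GET / HTTP/1.0\r\nUser-Agent: legacy-tool/0.1\r\n\r\n"
BLANK = b"\r\n\r\n"
```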


AED Protections for Web Services

Countermeasures

• HTTP Rate Limiting
– Limits the rate at which a source host can send HTTP requests
– Prevents sources from overwhelming the resources of a web server either by:
• Sending too many requests
• Requesting too many unique HTTP objects
– Default limits are usually acceptable for typical users
• Use Profile Capture to fine tune

• Hints for the hands-on lab: the web server admin has identified acceptable threshold settings:
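An added Python model (not AED's code) of the two HTTP Rate Limiting triggers above, request count and unique-object count per source in a sliding window, replayed over constructed access-log lines; it also covers the GET-flood indicator from the web-server attack slide, the same source re-sending identical GET requests rapidly. The window, thresholds, log format and addresses are assumed values; as the slide says, real thresholds come from a Profile Capture.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0     # assumed sliding window
MAX_REQUESTS = 5         # assumed: requests per source per window
MAX_UNIQUE_OBJECTS = 3   # assumed: distinct request targets per source per window

# Constructed log format: '<src> <epoch> "<method> <target> HTTP/1.x"'
LOG_RE = re.compile(r'^(\S+) (\d+\.\d+) "(GET|POST|HEAD) (\S+) HTTP/1\.[01]"')


class HttpRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, max_req=MAX_REQUESTS, max_obj=MAX_UNIQUE_OBJECTS):
        self.window, self.max_req, self.max_obj = window, max_req, max_obj
        self.history = defaultdict(deque)  # src -> deque of (timestamp, target)
        self.blocked = set()

    def check(self, src, ts, target):
        """Record one request and return 'allowed' or 'blocked' for this source."""
        if src in self.blocked:
            return "blocked"
        q = self.history[src]
        q.append((ts, target))
        while q and ts - q[0][0] > self.window:  # expire entries outside the window
            q.popleft()
        too_many = len(q) > self.max_req
        too_varied = len({t for _, t in q}) > self.max_obj
        if too_many or too_varied:
            self.blocked.add(src)
            return "blocked"
        return "allowed"


def replay(lines, limiter=None):
    """Replay log lines and return each source's verdict after its last line."""
    limiter = limiter or HttpRateLimiter()
    verdicts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped in this model
        src, ts, _, target = m.groups()
        verdicts[src] = limiter.check(src, float(ts), target)
    return verdicts


SAMPLE_LOG = (  # constructed: identical GETs sent rapidly, many unique objects, normal browsing
    [f'203.0.113.7 {1000.0 + i * 0.05:.2f} "GET /login HTTP/1.1"' for i in range(8)]
    + [f'198.51.100.2 {1000.0 + i * 0.1:.2f} "GET /obj{i} HTTP/1.1"' for i in range(4)]
    + [f'192.0.2.10 {1000.0 + i * 0.4:.2f} "GET /index.html HTTP/1.1"' for i in range(4)]
)
```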


Hands on Lab: Mitigating Application based Attacks

Hands-on Lab #4
• Perform the exercise and follow the Lab Guide
• Proctor assistance is available
• Connect to the virtual lab

Please access the Lab via https://portal.ne.netscout.com/



Summary

• AED basics, optimizing and best practices

• Profile Capture, running and applying the results

• What are the indicators of a DOS attack?

• Reacting to the attack

• Defending against volumetric, state exhaustion, and application layer attacks

NETSCOUT University Course Information
[email protected]
1-866-734-3337
