Ref Guide - Defending Your Network With AED - 220912
Trademark Attributions
NETSCOUT, the NETSCOUT logo, Network General, the Network General logo, NETSCOUT University, nGenius,
nGeniusONE, Sniffer, InfiniStream, Business Container, Business Forensics, TrueCall, NetVigil and Quantiva are
trademarks of NETSCOUT SYSTEMS, INC. Other brands, product names and trademarks are property of their
respective owners. NETSCOUT reserves the right, at its sole discretion, to make changes at any time in its
technical information and specification, and service and support programs.
The information presented in the course and in this training guide is for educational purposes only, and the
appropriate manual or NETSCOUT representative should be consulted for issues relating to actual operation
and maintenance of the products described in the course.
Copyright
© 2022 NETSCOUT SYSTEMS, INC. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form or by any means without the written permission of NETSCOUT
SYSTEMS, INC. or its suppliers or affiliate companies.
9/8/2022
Introduction
Link Tap / Port Span mode:
• Detection only
• Typically used in proof of concept
• Report on traffic that would be dropped in inline/active mode
Best Practices
Deny and Allow lists
• AED uses Deny and Allow lists* as filters to block or pass traffic without further
inspection, regardless of the current protection level
– Separate lists for inbound and outbound traffic
– Can Deny/Allow for all protection groups or for individual protection groups
– AED does not automatically Deny or Allow hosts**
• Deny lists protect your network from malicious traffic and will drop traffic for:
– IPv4 or IPv6 source hosts; IP Location countries; Embedded DNS domains; Embedded URLs
• Allow lists pass trusted traffic without further inspection for:
– IPv4 or IPv6 addresses; Hostname; CIDR
Best Practices
Inbound Deny Lists Management
Options available for inbound protection:
- Denied Hosts
- Denied Countries
- Denied Domains
- Denied URLs
Best Practices
Outbound Deny Lists Management
Options available for outbound protection:
- Denied Hosts
- Denied Countries
Best Practices
Allow Lists Management
Best Practices
Master Filter Lists
• AED can also use a master filter list to block or pass traffic without further
inspection. The master filter list has precedence over the Protection Groups.
• Each packet is tested by each of the FCAP expression rules sequentially through the list
– Immediately drops any packet that matches a drop rule without further protection processing
– Immediately passes any packet that matches a pass rule without further protection processing
– All traffic not matching any rule is subject to further protection processing
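The first-match evaluation described above, as an added example that is not part of the original guide or of AED itself: rules are modelled as simple source/protocol/port predicates (a constructed simplification, not AED's FCAP expression syntax), and a packet that matches no rule continues to protection-group processing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


# Constructed, simplified model of a master filter list entry. The fields
# stand in for an FCAP expression; this is not AED's FCAP syntax.
@dataclass
class Rule:
    action: str                  # "drop" or "pass"
    src: Optional[str] = None    # source CIDR, or None for any source
    proto: Optional[str] = None  # "tcp" / "udp", or None for any protocol
    dport: Optional[int] = None  # destination port, or None for any port

    def matches(self, pkt: dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


def master_filter(rules: list[Rule], pkt: dict) -> str:
    """Walk the list in order; the first matching rule decides.
    Returns 'drop', 'pass', or 'inspect' (no rule matched, so the packet
    goes on to protection-group processing)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "inspect"


# Constructed rule list: pass a monitoring host first, drop a known-bad
# subnet, and drop UDP/80 (an unexpected service, as discussed later in
# this guide). Order matters: the pass rule shadows later drop rules.
RULES = [
    Rule("pass", src="203.0.113.10/32"),
    Rule("drop", src="198.51.100.0/24"),
    Rule("drop", proto="udp", dport=80),
]

if __name__ == "__main__":
    samples = [
        {"src": "203.0.113.10", "proto": "udp", "dport": 80},   # pass (first match wins)
        {"src": "198.51.100.7", "proto": "tcp", "dport": 443},  # drop
        {"src": "192.0.2.5", "proto": "udp", "dport": 80},      # drop
        {"src": "192.0.2.5", "proto": "tcp", "dport": 443},     # inspect
    ]
    for p in samples:
        print(p, "->", master_filter(RULES, p))
```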
Best Practices
Real time visibility with packet capture
Packet capture can be used for traffic analysis.
Important to know: not all packets are displayed, because the capture is sampled.
- Red/Pink means dropped traffic; White/Gray means passed traffic.
- Include shortcuts: Deny List Source; Add to Payload Regex
Select the desired server type and the TCP port, then click the Save button.
Best Practices
Blocked hosts management
Filter options on the Blocked Hosts page:
- Specify traffic direction
- Enter IPv4 or IPv6 host filters as freeform text
- Select/deselect all
- Use the custom time selector for hosts blocked more than one week ago
- Choose the minimum amount of host traffic observed to cause blocking
• View the data that AED measured during the most recent traffic profile capture
• A “Profile Capture: Completed” message is shown at the top of the page
• Click the Tune Profiled Settings button to view the Tuning page
Perform Exercise and follow the Lab Guide. Connect to the virtual Lab; Proctor Assistance is available.
• https://portal.ne.netscout.com/
• Summary page
– Displays multiple sections with real-time traffic forensics
– All data displayed is for the last 60 minutes; this time window cannot be changed
– Provides a global view of all traffic through that AED
• Protection Group page
– View real-time details for traffic destined to the prefixes in a PG
– Edit specific protection settings for a PG
• Blocked Hosts Log
– View temporarily blocked sources
– Records details of why a host was blocked and actions to change it
• If you are under a DDoS attack and need assistance in mitigating it, it may be helpful to
gather some information while the attack is occurring:
– Any information as to the details of the attack:
• Source Host
• Source Port
• Destination Host
• Destination Port
• Protocol (TCP or UDP traffic)
– An unfiltered capture of the traffic
• AED provides a ‘sampled’ packet capture for initial investigations
Note: information taken from the support portal (My.Arbor) Knowledge Base, ID 4423.
– Click the ‘Details’ button to view additional information about the blocked traffic
– Add to “allow list” any valid source IPs that are blocked (false positives)
• Web Crawlers
– Lists the top five search engines with the highest traffic
• IP Location
– Lists up to 10 countries that send the most traffic
– Identify embargoed or banned countries, or determine the sources of an attack
– Add to the “deny list” when needed
• Protocols
– Lists up to 10 protocols that have the highest amounts of inbound traffic
• Services
– Lists up to 10 services that have the highest amounts of inbound traffic
– Unexpected protocols or services could represent an attack
(Slide annotations: “Wow, there’s a lot of UDP traffic here” and “There is a lot of UDP/80 traffic here, is that normal?”)
Perform Exercise and follow the Lab Guide. Connect to the virtual Lab; Proctor Assistance is available.
Diagram: TCP SYN, TCP Reset, Ack Flood and TCP FIN attacks directed at the Data Center, with AED in the path.
Perform Exercise and follow the Lab Guide. Connect to the virtual Lab; Proctor Assistance is available.
Diagram: DNS Dictionary, LOIC, HOIC and HTTP Flood attacks directed at the Data Center, with AED in the path.
Diagram: server-side attacks – Reflective Attacks and DNS Application Layer Attacks, involving DNS Servers and Phishing Servers.
Diagram: DNS dictionary attack. The attacker requests entries that do not exist in the DNS cache (Query: abcd.somedomain.com, Query: efgh.somedomain.com, Query: ijkl.somedomain.com, ...); every lookup returns NXDomain (NXDomain: abcd.somedomain.com, NXDomain: efgh.somedomain.com, NXDomain: ijkl.somedomain.com, ...) and the DB server is overwhelmed with lookups.
• DNS Authentication
– Protects against DNS attacks that originate from a source that is not a valid host
– Forces any clients that send DNS requests to change to TCP before the queries reach the DNS server
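The DNS Authentication behaviour above, applied to the dictionary-attack scenario from the diagram, as an added example that is not part of the original guide or of AED's implementation. It assumes the gate forces the switch to TCP by answering unverified UDP queries with the TC (truncated) flag, which is a standard technique and an assumption of this example; spoofed sources never complete the TCP retry, so their queries never reach the DNS server.

```python
class DnsAuthenticator:
    """Constructed model of a DNS authentication gate (not AED's code).
    Unverified UDP queries are answered with TC=1 (assumed mechanism) so a
    real resolver retries over TCP; a completed TCP query proves the source
    address is not spoofed and is remembered for `ttl_seconds`."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self.verified: dict = {}  # source IP -> expiry timestamp

    def is_verified(self, src: str, now: float) -> bool:
        expiry = self.verified.get(src)
        return expiry is not None and expiry > now

    def handle(self, src: str, transport: str, qname: str, now: float) -> str:
        """Return 'forward' (query reaches the DNS server), 'truncate'
        (reply with TC=1 and do not forward) or 'drop'."""
        if transport == "tcp":
            # The TCP handshake completed, so the source really owns the
            # address: verify it and let the query through.
            self.verified[src] = now + self.ttl
            return "forward"
        if transport == "udp":
            return "forward" if self.is_verified(src, now) else "truncate"
        return "drop"


def run_scenario(auth: DnsAuthenticator) -> list:
    """Constructed traffic: one legitimate resolver and three spoofed sources
    sending the random-name queries from the dictionary-attack diagram."""
    t = 1_000.0
    results = []
    # Legitimate resolver: UDP first, retries over TCP, later UDP queries pass.
    results.append(auth.handle("203.0.113.5", "udp", "www.somedomain.com", t))
    results.append(auth.handle("203.0.113.5", "tcp", "www.somedomain.com", t + 0.1))
    results.append(auth.handle("203.0.113.5", "udp", "mail.somedomain.com", t + 1))
    # Spoofed sources only ever send UDP and never retry over TCP.
    for i, label in enumerate(["abcd", "efgh", "ijkl"]):
        results.append(auth.handle(f"198.51.100.{i}", "udp", f"{label}.somedomain.com", t + 2))
    return results


if __name__ == "__main__":
    print(run_scenario(DnsAuthenticator()))
    # -> ['truncate', 'forward', 'forward', 'truncate', 'truncate', 'truncate']
```

Only the resolver's queries are forwarded, and only after its TCP retry; the verified entry expires after the TTL, so a long-lived source is re-challenged periodically.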
– Must be enabled for the ‘Botnet Prevention’ protection to work
– All requests must include: User-Agent:
• High Protection – All requests must have:
– Host:
– User-Agent:
– Connection:
– Accept:
– Accept-Encoding:
– Accept-Language:
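The header requirements above, checked against raw HTTP requests, as an added example that is not part of the original guide or of AED. The level name "minimum" is this example's own label for the setting that only requires User-Agent (the guide does not name it), and both sample requests are constructed.

```python
# Constructed model of the header checks listed in this guide: at High
# Protection every request must carry all six headers; the lower setting only
# requires User-Agent ("minimum" is this example's label, not AED's).
REQUIRED_HEADERS = {
    "minimum": {"user-agent"},
    "high": {"host", "user-agent", "connection", "accept",
             "accept-encoding", "accept-language"},
}


def parse_request_headers(raw: bytes) -> dict:
    """Return {lower-cased header name: value} from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue  # malformed line; ignore rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_headers(raw: bytes, level: str) -> set:
    """Headers required at `level` that the request does not carry.
    An empty set means the request passes the check at that level."""
    return REQUIRED_HEADERS[level] - set(parse_request_headers(raw))


# Constructed browser-style request carrying all six headers.
BROWSER_REQ = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n"
               b"Accept: text/html\r\nAccept-Encoding: gzip\r\n"
               b"Accept-Language: en-US\r\n\r\n")
# Constructed bare request of the kind a simple flood tool might send.
BARE_REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("browser", BROWSER_REQ), ("bare", BARE_REQ)):
        for level in ("minimum", "high"):
            print(name, level, sorted(missing_headers(req, level)) or "ok")
```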
Perform Exercise and follow the Lab Guide. Connect to the virtual Lab; Proctor Assistance is available.
Summary
NETSCOUT University Course Information
[email protected]
1-866-734-3337