DefenseFlow-PeakFlow Integrated Case

Scenario #4 outlines the steps for PeakFlow detection, which involves configuring routers to send NetFlow statistics to PeakFlow for attack detection and mitigation. The process includes running a DDoS attack, verifying detection, and ensuring legitimate traffic is not affected during mitigation. Key configurations and actions are detailed to facilitate effective traffic diversion to a Scrubbing Center for protection against attacks.


Scenario #4 PeakFlow Detection

This section includes the steps required to run Scenario #4:

1. Scenario Explanation: describes the background and use cases for PeakFlow detection.
2. Scenario Environment: explains the scenario diagram (see Demo Lab Diagrams in the
DefenseFlow Demo Lab Preparation document).
3. Scenario Steps Overview: explains each step of the scenario demo.
4. Configuration: demonstrates the scenario configurations in APSolute Vision.
5. Run DDoS Attack and Verify Detection.
6. Verify PeakFlow Detection in Pending Actions.
7. Mitigation without Effect on Legitimate Traffic: displays the mitigation and verifies
legitimate traffic.
For PeakFlow configurations, see Demo Lab Diagrams in the DefenseFlow Demo Lab
Preparation document.

Scenario Explanation

PeakFlow detection enables providers to use their own PeakFlow device as the detector for the
DefenseFlow Security Control Plane.
In this scenario, you configure the ASR9K_PE router to send NetFlow statistics for its upstream
port to PeakFlow. PeakFlow analyzes the NetFlow data and is configured to send an alert to
DefenseFlow when a specific threshold is reached. Once DefenseFlow receives the alert, it triggers
the relevant Operation to mitigate the attack in the Scrubbing Center.

Scenario Environment

DPaaD, Netflow Detection, SmarTap, PeakFlow Detection: DefenseFlow Demo Lab


version 2, February 08, 2017 Page 59
Scenario Steps Overview

1. The attacker starts to attack the protected object.


2. NetFlow information flows between the ASR9K_PE and the PeakFlow.

3. PeakFlow detects the attack from the NetFlow statistics (within one 60-second NetFlow update
period) and signals DefenseFlow.
4. DefenseFlow triggers the workflow and copies the template policies and the baselines to the
Scrubbing Center DefensePro.

5. DefenseFlow advertises (pending user confirmation) the protected object network to the
ASR9K_PE with the Scrubbing Center DefensePro as a next hop.
6. Traffic towards the protected object is diverted to the Scrubbing Center DefensePro.
7. Clean traffic is sent out from DefensePro towards the protected object.

Configurations

The scenario is built from the following configurations:

For more information regarding the DefenseFlow configuration blocks, refer to DefenseFlow
Configuration Review in DefenseFlow Demo Lab Preparation document.
Protected Object: PO_250 is configured with action mode User Confirmation, the
protected network is 155.1.250.0/24, the PO workflow is
PeakFlowDetectionDiversionToSc, and DefenseFlow uses community 65000:150 to
advertise this PO:

Click Show Policy to display the configuration that DefenseFlow copies onto the mitigation
device (if the mitigation device is a managed device). The configuration template is
selected in the relevant Operation.

Workflow: PeakFlowDetectionDiversionToSc uses the PeakFlowDetection object for
detection. Its workflow rules are configured with the enter criteria set to when an attack starts
and the exit criteria set to when the attack terminates. After the enter criteria is matched,

Detection: PeakFlowDetection is configured with the External Detector PeakFlow_Lab:

Operation: Mitigation, with the actions Divert and Mitigate. The diversion uses the
ASR9K_PE network element with the BGP community. For mitigation, the operation uses the
SC-HT device and copies the configuration from the Security Template Basic. Delegate from
detector is enabled but has no effect in this scenario (there is no DefensePro acting as the
detector). Granular mitigation enables DefenseFlow to create a protection policy per host:

Mitigation: The SC-HT DefensePro is installed in the Scrubbing Center. When
DefenseFlow diverts traffic to that mitigation device, it uses the configured target address
155.1.12.153 (the DefensePro physical interface address). The SC-HT is configured as a
Managed Device, meaning that DefenseFlow configures it (with security policies and
baselines):

Network elements (diversion): ASR9K_PE is used to divert traffic towards the Scrubbing
Center DefensePro (SC-HT). Because DefenseFlow uses BGP advertisements to steer the
traffic to the Scrubbing Center, BGP peering is required:

Control Element: PeakFlow configuration with the relevant driver:

Run DDoS Attack and Verify Detection

Run a TCP SYN flood attack at a rate of about 120 Mbps / 350 kpps. PeakFlow should detect this
attack within the next NetFlow update period (up to 60 seconds).
1. To run the attack, double-click the Kali Terminal icon on the management station desktop.
This opens a terminal window for the Kali station (for more information, see Legitimate
Traffic Generation Tools in the DefenseFlow Demo Lab Preparation document).
2. Run the following command in the Kali terminal:
hping3 155.1.250.155 --flood -S -p 80 --rand-source
This command floods the Web server in the protected network with TCP SYN packets to port 80
from random (spoofed) source addresses, as fast as the Kali station can send them.
3. To verify that the attack packets reach the attacked Web server, run the webserver capture
terminal on the management station desktop. This script displays a live capture of SYN
packets arriving at the Web server station (webserver D).
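The webserver capture script itself is not reproduced in this document. As an added example (not the lab's script and not Radware code), the following Python parses the text output of a tcpdump run on the Web server and counts bare SYNs per second and the number of distinct source addresses that sent them. A --rand-source hping3 flood shows up as thousands of SYNs per second from as many different sources with no follow-up ACK, which is what distinguishes it from a burst of real clients; the same check, repeated after the diversion is in place, confirms that no new SYNs reach the server. The tcpdump command in the docstring, the pps and source-count thresholds, and the sample lines are assumptions and constructed data, not values from the lab.

```python
"""Parse tcpdump text output and count bare SYNs arriving at the Web server,
to verify that the hping3 flood reaches the target before diversion and stops
reaching it afterwards.  Added example; it is not the lab's "webserver
capture" script.  It assumes tcpdump was run with -n (numeric addresses), for
instance (assumed command, not from the lab):
    tcpdump -nl -i eth0 'dst host 155.1.250.155 and dst port 80 and
        tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
The sample lines below are constructed, not captured, and the pps and
source-count thresholds are assumptions, not values from the lab."""
import re
from collections import Counter

WEB_SERVER = "155.1.250.155"
WEB_PORT = 80

# One tcpdump -n line, e.g.
# 14:05:01.000123 IP 203.0.113.7.41234 > 155.1.250.155.80: Flags [S], seq 1, win 512, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump line, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def syn_summary(lines, dst=WEB_SERVER, dport=WEB_PORT):
    """Count bare SYNs (Flags [S]; a SYN-ACK shows as [S.]) per second and the
    number of distinct source addresses that sent them to dst:dport."""
    per_second = Counter()
    sources = set()
    for line in lines:
        p = parse_line(line)
        if p is None or p["dst"] != dst or p["dport"] != dport:
            continue
        if p["flags"] == "S":
            per_second[p["ts"]] += 1
            sources.add(p["src"])
    return dict(per_second), len(sources)


def looks_like_syn_flood(lines, min_pps=1000, min_sources=500):
    """True when some second carries at least min_pps bare SYNs and at least
    min_sources distinct addresses sent them overall: a --rand-source flood
    rather than a burst of real clients from a few addresses.  Thresholds
    are assumed values."""
    per_second, n_sources = syn_summary(lines)
    peak = max(per_second.values(), default=0)
    return peak >= min_pps and n_sources >= min_sources


def constructed_flood(n, second="14:05:01"):
    """Constructed lines imitating hping3 --rand-source -S -p 80 --flood as
    seen by tcpdump on the Web server: n SYNs in one second, each from a
    different spoofed source.  Not captured data."""
    lines = []
    for i in range(n):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        lines.append(
            f"{second}.{i % 1000000:06d} IP {src}.{1024 + i % 60000} > "
            f"{WEB_SERVER}.{WEB_PORT}: Flags [S], seq {i}, win 512, length 0"
        )
    return lines


# Constructed legitimate traffic: one client completing a handshake and
# sending a request.  Only the first line is a bare SYN.
LEGIT_LINES = [
    "14:05:01.100000 IP 198.51.100.20.51000 > 155.1.250.155.80: Flags [S], seq 100, win 64240, length 0",
    "14:05:01.100200 IP 198.51.100.20.51000 > 155.1.250.155.80: Flags [.], ack 1, win 502, length 0",
    "14:05:01.100400 IP 198.51.100.20.51000 > 155.1.250.155.80: Flags [P.], seq 1:80, ack 1, win 502, length 79",
]

if __name__ == "__main__":
    during_attack = constructed_flood(2000) + LEGIT_LINES
    print("during attack:", syn_summary(during_attack), looks_like_syn_flood(during_attack))
    print("after diversion:", syn_summary(LEGIT_LINES), looks_like_syn_flood(LEGIT_LINES))
```

To use it on the real station, pipe the capture into the script (for example `tcpdump -nl ... | python3 syn_check.py`, reading sys.stdin line by line); the legitimate handshake in LEGIT_LINES is what should remain visible once the diversion is in place and the scrubbing center drops the spoofed SYNs.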

Verify DefenseFlow Detection in Pending Actions

Note: The protected object action is configured with the User Confirmation action. To divert
the traffic to the mitigation device, confirm the action.

Mitigation without Effect on Legitimate Traffic

To divert the attack traffic to the Scrubbing Center for mitigation, you must confirm that the
attack has started.
1. Double-click the pending action PO_250 in the Pending Actions pane. This displays the
attacked IP address. You can also change the community used in the BGP advertisement.

2. Select divert specific IP address and click Submit. DefenseFlow configures the protection
policies and the baselines on the Scrubbing Center DefensePro. Verify the configuration on
the Scrubbing Center DefensePro:

3. After DefenseFlow finishes updating DefensePro, it advertises the protected object network
to the diversion router ASR9K_PE. Verify DefenseFlow announcements in APSolute Vision:

4. To verify the diversion, log in to the ASR9K_PE router and run the following command:
show bgp summary

The output shows that the router now receives one prefix from DefenseFlow for diversion.
5. To view the received network for diversion, run the command show ip bgp:

6. Verify attack detection in the Scrubbing Center DefensePro:

7. Verify that there are no new SYN packets in the Web server capture terminal:

8. Terminate the attack: go to the Kali terminal window and press Ctrl + C. Then go to the
DefenseFlow Current Attack Table pane in APSolute Vision and, one minute after
termination, verify that the attack status is Terminated:

9. To revert the diversion from the Scrubbing Center, select PO_250 in the Pending Actions
pane.
Note: You need to wait 1 to 2 minutes before the End pending action appears.

10. Select Confirm End and click Submit.

11. Verify that there are no BGP announcements in DefenseFlow:
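The following Python is an added example, not Radware or Arbor code, that models the control plane described in the Scenario Steps Overview and exercised in the Mitigation procedure above: NetFlow records are aggregated per 60-second update period, a SYN flood against a host in PO_250 raises an alert, the alert becomes a pending action, confirming it yields the BGP announcement (the attacked /32 or the whole 155.1.250.0/24, next hop 155.1.12.153, community 65000:150) that diverts traffic to SC-HT, and confirming the End pending action withdraws it. The FlowRecord fields, the SYN-pps detection threshold, the dict shape of the update and the router_accepts() import filter are assumptions not taken from the lab document; the sample flows are constructed.

```python
"""Simulation of the PeakFlow -> DefenseFlow -> ASR9K_PE control plane in this
scenario.  Added example, not Radware or Arbor code.  Assumptions not taken
from the lab document: the FlowRecord fields, the SYN-pps detection threshold,
the dict shape of the BGP update, and the router_accepts() import filter."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

PROTECTED_NETWORK = ipaddress.ip_network("155.1.250.0/24")  # PO_250
SCRUBBING_NEXT_HOP = "155.1.12.153"                         # SC-HT DefensePro
DIVERSION_COMMUNITY = "65000:150"
WINDOW_SECONDS = 60            # one NetFlow update period
SYN_PPS_THRESHOLD = 50_000     # assumed detector threshold, not the lab's value


@dataclass(frozen=True)
class FlowRecord:
    first: int       # flow start time in seconds (NetFlow "first switched")
    dst: str         # destination IPv4 address
    packets: int
    tcp_flags: int   # cumulative TCP flags; 0x02 = SYN, 0x10 = ACK


def syn_pps_per_destination(records, window_start):
    """Packets-per-second of bare SYNs per protected host in one window."""
    window_end = window_start + WINDOW_SECONDS
    counts = defaultdict(int)
    for r in records:
        if not window_start <= r.first < window_end:
            continue
        if ipaddress.ip_address(r.dst) not in PROTECTED_NETWORK:
            continue
        if r.tcp_flags & 0x02 and not r.tcp_flags & 0x10:  # SYN set, ACK clear
            counts[r.dst] += r.packets
    return {dst: pkts / WINDOW_SECONDS for dst, pkts in counts.items()}


def detect(records, window_start, threshold=SYN_PPS_THRESHOLD):
    """The PeakFlow alert: hosts whose bare-SYN rate crossed the threshold."""
    rates = syn_pps_per_destination(records, window_start)
    return {dst for dst, pps in rates.items() if pps >= threshold}


def diversion_update(attacked_host, specific_ip=True):
    """BGP UPDATE DefenseFlow sends to ASR9K_PE once the user confirms: either
    the attacked /32 ("divert specific IP address") or the whole PO network."""
    prefix = f"{attacked_host}/32" if specific_ip else str(PROTECTED_NETWORK)
    return {"prefix": prefix, "next_hop": SCRUBBING_NEXT_HOP,
            "community": [DIVERSION_COMMUNITY]}


def router_accepts(update):
    """Import filter a practitioner would put on the ASR9K_PE session towards
    DefenseFlow (assumption, not lab configuration): only prefixes inside the
    protected object, tagged with the diversion community and pointing at the
    scrubbing center, may be installed.  This stops a misconfigured or
    compromised controller from diverting arbitrary address space."""
    prefix = ipaddress.ip_network(update["prefix"])
    return (prefix.subnet_of(PROTECTED_NETWORK)
            and DIVERSION_COMMUNITY in update["community"]
            and update["next_hop"] == SCRUBBING_NEXT_HOP)


class DiversionController:
    """User Confirmation workflow: alert -> pending action -> advertised;
    attack terminated -> End pending action -> confirmed end -> withdrawn."""

    def __init__(self):
        self.pending = {}       # host -> proposed update awaiting confirmation
        self.advertised = {}    # host -> update currently announced
        self.end_pending = set()

    def on_window(self, records, window_start):
        """Process one NetFlow update period and return the attacked hosts."""
        attacked = detect(records, window_start)
        for h in attacked:
            if h not in self.advertised and h not in self.pending:
                self.pending[h] = diversion_update(h)
        for h in list(self.advertised):
            if h not in attacked:
                self.end_pending.add(h)   # attack terminated: offer End
        return attacked

    def confirm(self, host):
        """User confirms the pending action; the route is now announced."""
        self.advertised[host] = self.pending.pop(host)
        return self.advertised[host]

    def confirm_end(self, host):
        """User confirms End; DefenseFlow withdraws the announcement."""
        self.end_pending.discard(host)
        return self.advertised.pop(host)


# Constructed sample flows (not lab data): a 350 kpps SYN flood against
# 155.1.250.155 and a low-rate, fully established session to 155.1.250.10.
ATTACK_FLOWS = [FlowRecord(t, "155.1.250.155", 350_000, 0x02) for t in range(60)]
LEGIT_FLOWS = [FlowRecord(t, "155.1.250.10", 30, 0x1A) for t in range(120)]  # SYN|PSH|ACK
```

router_accepts() is the check the lab does not show but a practitioner would add on the ASR9K_PE side (an inbound prefix-list and community match on the session to DefenseFlow), so that the controller can only ever divert protected-object space towards the scrubbing center.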
