
15/9/22, 15:50 NE | 9 - Volumetric DDoS Attacks

AED Training
Volumetric DDoS Attacks
Overview
Description

In this lab you will use your NETSCOUT AED system to block volumetric DDoS attacks that are targeting
systems within your network.

Objectives

After completing this lab exercise, you will be able to:


Use the available protections to identify and block unwanted traffic.

Monitor the effectiveness of the mitigation.

Estimated Completion Time

The estimated completion time for this lab is 45 minutes.

Lab Topology

Please ensure you read each step carefully before performing the required task in the order described.

If you are asked for your [POD] number in this lab, use the number that is part of your NE
username.

Example: Username NE312 => [POD] = 312

Monitoring AED Reporting Indicators for a DDoS Attack


Now that your AED's protection settings are updated and optimized for your network, you will monitor for
indicators of DDoS attacks. Once a DDoS attack is suspected and confirmed, you will take action to block
that attack.

https://portal.ne.netscout.com/dashboard/lab_guide/445/45085/ 1/9

1. Skip to Step 3 if a tab to the AED web UI is open. If not, then from your NETSCOUT Experience user
dashboard click on the AED link to open a new tab to the web UI.

2. Login to your AED web UI with:

Username: NE102
Password: Kinemumo4^

Alternative: Username: admin & Password: Welcome123!

3. Go to the AED's Summary page: click either the NETSCOUT | Arbor Edge Defense logo or
the Summary menu item; either option loads the Summary page.

4. Ensure that the Deployment Mode is set to Active and the Protection Level is set to Low (globally and
for every PG).

This is the starting state, or initial protection state, for your AED: the state your AED should remain in when
no attacks are present and traffic is typical for your network use. This state minimizes the false positives
that might be blocked in a higher state; the higher states are only used when needed.

5. Ask the instructor to start the first attack towards your network.

6. View Summary page for any changes or details that may indicate that an attack is occurring. Check
this list for indicators of an attack and record your observations in the text box below.

Top Protection Groups


Are there any changes in the traffic rates for any Protection Group?

Overview

Is there any blocked traffic?

Is there an indication of blocked hosts?

ATLAS Botnet Prevention

Is there any activity indicated? And if so at which level(s)?


ATLAS Threat Category

Is there any activity indicated? And if so, which categories?

Top Inbound Countries

Any changes?

Top Inbound Sources, or Top Inbound Destinations

Any changes? Do these align with other changes?


Interfaces

Are there any changes in the traffic that synchronize with other suspected indicators?

Enter your observations and details that you suspect are indicators of an attack here:

7. View the details of the Protection Group you believe is being attacked.

When viewing the Protection Group, you should change the time frames to view current traffic (-5m -
best when under attack), to recent traffic (-1hr), and/or to historical traffic (-24h, -7d, or From...), so that
you can compare changes to the traffic details.

Common Protection Group page indicators to investigate:

Any indicators of Blocked Traffic or Blocked Hosts?

Does traffic match any Attack Categories? If so, which category?

Any Temporarily Blocked Sources reported?

Any changes in the other sections on the page, including the Protocols and Services sections?

Record the attack details that you observed here:
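The comparison this step asks for (current -5m traffic against the recent -1hr view, per Protection Group, then a look at which protocols and services carry the increase) can be expressed as a small script. The following is an added example and is not code from the lab guide or from the AED product: the flow records are constructed sample data, and the Protection Group names, byte rates, window sizes and the 5x alert threshold are assumptions chosen to make the flood stand out.

```python
"""Added example (not from the NETSCOUT lab guide or the AED product): compare
current traffic per Protection Group against a recent baseline, the way the lab
asks you to compare the -5m view with the -1hr view.  Flow records are
constructed sample data; group names, rates and the 5x threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed "now" so the constructed data and the results are reproducible.
NOW = datetime(2022, 9, 15, 15, 50)


def build_sample_flows():
    """Constructed flow records: (timestamp, protection_group, proto, dst_port, bytes).

    One record per minute and service.  The hour before the current window is
    normal traffic; in the last five minutes a UDP flood to port 80 hits the
    'web servers' group while the 'dns servers' group is unchanged.
    """
    flows = []
    for minute in range(65, 0, -1):
        ts = NOW - timedelta(minutes=minute)
        flows.append((ts, "web servers", "tcp", 443, 10_000_000))  # ~10 MB/min HTTPS
        flows.append((ts, "dns servers", "udp", 53, 1_000_000))    # ~1 MB/min DNS
        if minute <= 5:
            flows.append((ts, "web servers", "udp", 80, 500_000_000))  # the flood
    return flows


def rate_per_group(flows, start, end):
    """Average bytes per minute per Protection Group over [start, end)."""
    totals = defaultdict(int)
    for ts, group, _proto, _port, nbytes in flows:
        if start <= ts < end:
            totals[group] += nbytes
    minutes = (end - start).total_seconds() / 60
    return {group: total / minutes for group, total in totals.items()}


def flag_rate_anomalies(flows, now=NOW, current=timedelta(minutes=5),
                        baseline=timedelta(hours=1), factor=5.0):
    """Return {group: ratio} for groups whose current rate is >= factor x baseline.

    'current' is the -5m window; 'baseline' is the hour before it, so the
    attack minutes do not inflate their own baseline.
    """
    cur = rate_per_group(flows, now - current, now)
    base = rate_per_group(flows, now - current - baseline, now - current)
    alerts = {}
    for group in set(cur) | set(base):
        c, b = cur.get(group, 0.0), base.get(group, 0.0)
        if b == 0:
            ratio = float("inf") if c > 0 else 0.0  # traffic where there was none
        else:
            ratio = c / b
        if ratio >= factor:
            alerts[group] = ratio
    return alerts


def top_services(flows, group, now=NOW, window=timedelta(minutes=5), n=3):
    """(proto, port) pairs carrying the most bytes for one group in the current
    window, like the Protocols and Services sections on the Protection Group page."""
    totals = defaultdict(int)
    for ts, g, proto, port, nbytes in flows:
        if g == group and now - window <= ts < now:
            totals[(proto, port)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = build_sample_flows()
    for group, ratio in flag_rate_anomalies(flows).items():
        print(f"{group}: current rate is {ratio:.0f}x the baseline")
        for (proto, port), nbytes in top_services(flows, group):
            print(f"  {proto}/{port}: {nbytes / 5 / 1_000_000:.0f} MB/min")
```

On the constructed data only "web servers" is flagged (about 51x its baseline), and the service breakdown immediately points at udp/80, which is the same conclusion the Protocols and Services sections lead you to on the real Protection Group page. Excluding the current window from the baseline is the detail worth keeping: a -1hr view that includes the attack minutes already contains the flood and makes the jump look smaller than it is.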


Check Solution

Look for the Protection Group "web servers"

8. What is the Status of the Server or Service Attacked

Use the link on the NETSCOUT Experience dashboard to view the victim, the ArborTrade server. What is
this server's status?

Does the server continue to refresh?

Any reported problems from server administrators?

Any noticeable performance changes to this server or servers?

Record any observation about the server status here:

Check Solution

Even if the web service apparently continues to work, we still want to suppress the attack and thus
protect the server from unnecessary data traffic and also ensure that there can be no outage at a
later point in time.

9. Additional Resources to Further Analyse Attack Traffic

Optional details you may want to investigate and analyse further include:

If "blocked hosts" was observed during your investigation:

View that activity at the menu item Explore > Blocked Hosts.

Update the timeframe (-5m) to narrow the results and view recently blocked hosts.

Use "Search" box and select the "Attack Category" (observed) to narrow the results and focus on
specific traffic.

View "Details" of which hosts were blocked and why they were blocked.

View the Details for an ongoing blocked host.

View and/or save a Packet Capture:

Use Explore > Packet Capture to obtain a sample of packets.

Use the Filter criteria on the left panel to narrow your focus on the packet capture results.

Record any additional traffic details or characteristics here:

10. Mitigate the Attack Traffic - Counteractive Measures

What action could you do, or what protection do you think, might block the attack traffic you have
observed? Implement your countermeasures...


11. Mitigate the Attack Traffic - Result

Monitor the effectiveness of that choice, were you successful in blocking the traffic?

If you were not successful, have a look to the Solution button below:

Check Solution

Were you able to identify this attack as UDP traffic to port 80? If you are not using the QUIC
protocol on your web server, this should be unexpected traffic. A deeper analysis of the content
would have shown that this is garbage traffic...

Have you tried changing the Protection Level to Medium or High?

Have you tried to enable the UDP Flood Detection in the Protection Group called web servers?

Have you tried to configure a filter statement in the Filter List in the Protection Group
called web servers, like "drop proto udp and dst port 80"?

12. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

13. Ask your instructor to stop the first attack and proceed after your instructor has confirmed that the attack
was stopped.

14. A Second Attack

Wait two minutes then ask your instructor to start the second attack...

15. View Summary page for any changes or details that may indicate that an attack is occurring. Check
this list for indicators of an attack and record your observations in the text box below.

Top Protection Groups

Are there any changes in the traffic rates for any Protection Group?

Overview

Is there any blocked traffic?

Is there an indication of blocked hosts?

ATLAS Botnet Prevention

Is there any activity indicated? And if so at which level(s)?

ATLAS Threat Category

Is there any activity indicated? And if so, which categories?

Top Inbound Countries

Any changes?

Top Inbound Sources, or Top Inbound Destinations

Any changes? Do these align with other changes?

Interfaces

Are there any changes in the traffic that synchronize with other suspected indicators?

Enter your observations and details that you suspect are indicators of an attack here:


16. View the details of the Protection Group you believe is being attacked.

When viewing the Protection Group, you should change the time frames to view current traffic (-5m -
best when under attack), to recent traffic (-1hr), and/or to historical traffic (-24h, -7d, or From...), so that
you can compare changes to the traffic details.

Common Protection Group page indicators to investigate:

Any indicators of Blocked Traffic or Blocked Hosts?

Does traffic match any Attack Categories? If so, which category?

Any Temporarily Blocked Sources reported?

Any changes in the other sections on the page, including the Protocols and Services sections?

Record the attack details that you observed here:

Check Solution

Look for the Protection Group "web servers"

17. What is the Status of the Server or Service Attacked

Use the link on the NETSCOUT Experience dashboard to view the victim, the ArborTrade server. What is
this server's status?

Does the server continue to refresh?

Any reported problems from server administrators?

Any noticeable performance changes to this server or servers?

Record any observation about the server status here:

Check Solution

The web service apparently continues to work, as the AED is already stopping this attack with its
default protection settings.

18. Mitigate the Attack Traffic - Counteractive Measures

Is there any action required to block the entire attack, or is it done already automatically?

19. Mitigate the Attack Traffic - Result

Monitor the effectiveness of that choice, were you successful in blocking the traffic?


If you were not successful, have you tried changing the Protection Level to Medium or High, or any
other options to mitigate the traffic?

Check Solution

The protection that is stopping this attack is Invalid Packets. It is the first protection performed and
is enabled by default. Therefore there is no other protection available that could be used as an
alternative, as all others are performed after the Invalid Packets protection...

20. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

21. Ask your instructor to stop the second attack and proceed after your instructor has confirmed that the
attack was stopped.

22. A Third Attack

Wait two minutes then ask your instructor to start the third attack...

23. View Summary page for any changes or details that may indicate that an attack is occurring. Check
this list for indicators of an attack and record your observations in the text box below.

Top Protection Groups

Are there any changes in the traffic rates for any Protection Group?

Overview

Is there any blocked traffic?

Is there an indication of blocked hosts?

ATLAS Botnet Prevention

Is there any activity indicated? And if so at which level(s)?

ATLAS Threat Category

Is there any activity indicated? And if so, which categories?

Top Inbound Countries

Any changes?

Top Inbound Sources, or Top Inbound Destinations

Any changes? Do these align with other changes?

Interfaces

Are there any changes in the traffic that synchronize with other suspected indicators?

Enter your observations and details that you suspect are indicators of an attack here:

24. View the details of the Protection Group you believe is being attacked.

When viewing the Protection Group, you should change the time frames to view current traffic (-5m -
best when under attack), to recent traffic (-1hr), and/or to historical traffic (-24h, -7d, or From...), so that
you can compare changes to the traffic details.

Common Protection Group page indicators to investigate:

Any indicators of Blocked Traffic or Blocked Hosts?

Does traffic match any Attack Categories? If so, which category?

Any Temporarily Blocked Sources reported?

Any changes in the other sections on the page, including the Protocols and Services sections?

Record the attack details that you observed here:

Check Solution

Look for the Protection Group "web servers"

25. What is the Status of the Server or Service Attacked

Use the link on the NETSCOUT Experience dashboard to view the victim, the ArborTrade server. What is
this server's status?

Does the server continue to refresh?

Any reported problems from server administrators?

Any noticeable performance changes to this server or servers?

Record any observation about the server status here:

Check Solution

Even if the web service apparently continues to work, we still want to suppress the attack and thus
protect the server from unnecessary data traffic and also ensure that there can be no outage at a
later point in time.

26. Additional Resources to Further Analyse Attack Traffic

Optional details you may want to investigate and analyse further include:

If "blocked hosts" was observed during your investigation:

View that activity at the menu item Explore > Blocked Hosts.

Update the timeframe (-5m) to narrow the results and view recently blocked hosts.

Use "Search" box and select the "Attack Category" (observed) to narrow the results and focus on
specific traffic.

View "Details" of which hosts were blocked and why they were blocked.

View the Details for an ongoing blocked host.

View and/or save a Packet Capture:

Use Explore > Packet Capture to obtain a sample of packets.

Use the Filter criteria on the left panel to narrow your focus on the packet capture results.

Record any additional traffic details or characteristics here:

27. Mitigate the Attack Traffic - Counteractive Measures

Is there any action required to block the entire attack, or is it done already automatically?


28. Mitigate the Attack Traffic - Result

Monitor the effectiveness of that choice, were you successful in blocking the traffic?

If you were not successful, have a look to the Solution button below:

Check Solution

Were you able to identify this attack as UDP traffic to port 123? If you are not using the Network
Time Protocol on your web server, this should be unexpected traffic. A deeper analysis of the content
would have shown that this is garbage traffic...

Have you tried changing the Protection Level to Medium or High?

Have you tried to enable the UDP Flood Detection in the Protection Group called web servers?

Have you tried to configure a filter statement in the Filter List in the Protection Group
called web servers, like "drop proto udp and port 123"?
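The two filter statements the solutions quote, "drop proto udp and dst port 80" for the first attack and "drop proto udp and port 123" for this one, are small enough to evaluate by hand. The following is an added example and is not code from the lab guide or from the AED product: it models only the BPF-like subset those two statements use (proto, port, src port, dst port joined by "and"), it assumes first-match-wins ordering with unmatched packets passing, it is not the AED's own filter list parser, and the packets are constructed samples. It serves both the first-attack and the third-attack solutions.

```python
"""Added example (not from the lab guide or the AED product): a small evaluator
for filter statements shaped like the two the lab's solutions quote.  Models
only the proto / port / src port / dst port clauses joined by 'and', assumes
first-match-wins with unmatched packets passing, and is not the AED's own
filter list grammar.  The packets are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_filter(statement):
    """Turn 'drop proto udp and dst port 80' into (action, [predicate, ...])."""
    action, _, body = statement.strip().partition(" ")
    if action not in ("drop", "pass"):
        raise ValueError(f"unknown action {action!r}")
    predicates = []
    for clause in body.split(" and "):
        words = clause.split()
        if len(words) == 2 and words[0] == "proto":
            proto = words[1].lower()
            predicates.append(lambda p, proto=proto: p.proto == proto)
        elif len(words) == 2 and words[0] == "port":
            port = int(words[1])  # 'port N' matches either direction
            predicates.append(lambda p, port=port: port in (p.src_port, p.dst_port))
        elif len(words) == 3 and words[0] in ("src", "dst") and words[1] == "port":
            attr, port = f"{words[0]}_port", int(words[2])
            predicates.append(lambda p, attr=attr, port=port: getattr(p, attr) == port)
        else:
            raise ValueError(f"unsupported clause {clause!r}")
    return action, predicates


def apply_filter_list(filter_list, packets):
    """One verdict per packet: first matching statement wins, unmatched packets pass."""
    verdicts = []
    for pkt in packets:
        verdict = "pass"
        for action, predicates in filter_list:
            if all(pred(pkt) for pred in predicates):
                verdict = action
                break
        verdicts.append(verdict)
    return verdicts


# Constructed traffic toward a web server at 198.51.100.5 (TEST-NET addresses).
SAMPLE_PACKETS = [
    Packet("udp", "203.0.113.1", 50000, "198.51.100.5", 80),    # first attack: UDP to port 80
    Packet("tcp", "203.0.113.2", 51000, "198.51.100.5", 443),   # legitimate HTTPS
    Packet("udp", "192.0.2.10", 123, "198.51.100.5", 41234),    # third attack: NTP reply, source port 123
    Packet("udp", "203.0.113.3", 52000, "198.51.100.9", 53),    # DNS query to another host
]

# The two statements quoted in the lab's solutions, in filter list order.
LAB_FILTERS = [
    parse_filter("drop proto udp and dst port 80"),
    parse_filter("drop proto udp and port 123"),
]


def verdicts_for_lab_filters(packets=SAMPLE_PACKETS):
    """Verdicts the two lab statements give for the constructed packets."""
    return apply_filter_list(LAB_FILTERS, packets)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts_for_lab_filters()):
        print(f"{verdict:4} {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Two things the evaluation makes visible. First, the NTP reflection traffic reaches the victim with source port 123 and an arbitrary destination port, so a statement written as "dst port 123" would match none of it; matching either side of the packet, as the lab's "port 123" statement does, is what catches the reflected replies. Second, that same breadth is the caveat the solution hints at with "if you are not using the Network Time Protocol on your web server": a "port 123" drop also discards the replies the server's own NTP client would receive, so a host that does sync time through this Protection Group needs a narrower statement or an exception for its time source.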

29. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.

30. Ask your instructor to stop this third attack.

31. Lab Review

Class review of each attack experienced during this lab exercise including:

What indicators were observed for each DDoS attack and what you should have seen.
What steps, if any, you took to mitigate each attack.

Identification of other possible methods you could use to mitigate that same attack.

First Attack: UDP Port 80 Flood – during review record the different methods students used to block
the traffic

Second attack: TCP Flags Packet Flood (a.k.a. all flags or xmas tree) – record the different methods
students used to block traffic.

Third attack: NTP Reflection – record the different methods students used to block traffic.


32. Good work!

You have successfully viewed the indicators of three different volumetric-based DDoS attacks and
applied protections to mitigate each.

33. Please notify the instructor that you have completed this lab exercise.

If you would like a copy of this lab select either the Print or the Save Page As (Control-S) menu
options from your browser’s dropdown menu.

Depending on which browser you are using, to access these menu options select either:

Select "File" from your browser's menu, then choose either:

1.) Print > Print to PDF


2.) Save Page As > Web Page Complete.

Or select the three dot vertical ellipsis, then choose either:

1.) Print > Print to PDF


2.) Save Page As > Web Page Complete.

Or select the three line hamburger menu button, then choose either:

1.) Print > Print to PDF


2.) Save Page As > Web Page Complete.

Select whichever method that works best with your browser.

This completes the lab exercise for the quick installation script for your AED. For more information about the
configuration settings for your AED's installation, refer to the AED Quick Start Card / Installation
Guide and/or the Arbor Edge Defense User Guide.

Version 6.8.0.0.2203.11 EN

© Copyright 2022 NETSCOUT, Inc. All rights reserved
