AED Training
Volumetric DDoS Attacks
Overview
Description
In this lab you will use your NETSCOUT AED system to block volumetric DDoS attacks that are targeting
systems within your network.
Objectives
Lab Topology
Please ensure you read each step carefully before performing the required task in the order described.
If you are asked for your [POD] number in this lab, use the number that is part of your NE
username.
https://portal.ne.netscout.com/dashboard/lab_guide/445/45085/ 1/9
15/9/22, 15:50 NE | 9 - Volumetric DDoS Attacks
1. Skip to Step 3 if a tab to the AED web UI is open. If not, then from your NETSCOUT Experience user
dashboard click on the AED link to open a new tab to the web UI.
Username: NE102
Password: Kinemumo4^
3. Go to the AED's Summary page: click either the NETSCOUT | Arbor Edge Defense logo or
the Summary menu item; either option loads the Summary page.
4. Ensure that the Deployment Mode is set to Active and the Protection Level is set to Low (globally and
for every PG).
This is the starting state, or initial protection state, for your AED: the state your AED should remain in when
no attacks are present and traffic is typical for your network. This state minimizes the false positives that
a higher protection level might block; the higher levels are used only when needed.
5. Ask the instructor to start the first attack towards your network.
6. View the Summary page for any changes or details that may indicate that an attack is occurring. Check
this list for indicators of an attack and record your observations in the text box below.
Overview
Any changes?
Are there any changes in the traffic that synchronize with other suspected indicators?
Enter your observations and details that you suspect are indicators of an attack here:
7. View the details of the Protection Group you believe is being attacked.
When viewing the Protection Group, you should change the time frames to view current traffic (-5m -
best when under attack), to recent traffic (-1hr), and/or to historical traffic (-24h, -7d, or From...), so that
you can compare changes to the traffic details.
Any changes in the other sections on the page, including the Protocols and Services sections?
Use the link on the NETSCOUT Experience dashboard to view the victim, the ArborTrade server. What is
this server's status?
Does the server's page continue to refresh?
Solution:
Even if the web service apparently continues to work, we still want to suppress the attack, both to
protect the server from unnecessary traffic and to ensure that there can be no outage at a
later point in time.
Optional details you may want to investigate and analyze further include:
View that activity at the menu item Explore > Blocked Hosts.
Update the timeframe (-5m) to narrow the results and view recently blocked hosts.
Use the "Search" box and select the "Attack Category" (observed) to narrow the results and focus on
specific traffic.
View "Details" of which hosts were blocked and why they were blocked.
Use the Filter criteria on the left panel to narrow your focus on the packet capture results.
What action could you take, or which protection do you think might block the attack traffic you have
observed? Implement your countermeasures...
Monitor the effectiveness of your choice: were you successful in blocking the traffic?
If you were not successful, review the solution below:
Solution:
Were you able to identify this attack as UDP traffic to destination port 80? If you are not using the QUIC
protocol (HTTP/3, which runs over UDP) on your web server, this is unexpected traffic. A deeper analysis of
the payload would have shown that this is garbage traffic...
Have you tried enabling UDP Flood Detection in the Protection Group called web servers?
Have you tried configuring a filter statement in the Filter List of the Protection Group
called web servers, such as drop proto udp and dst port 80? Note that this statement drops only UDP, so
legitimate HTTP over TCP port 80 is unaffected.
12. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.
13. Ask your instructor to stop the first attack and proceed only after your instructor has confirmed that the attack
was stopped.
14. Wait two minutes, then ask your instructor to start the second attack...
15. View the Summary page for any changes or details that may indicate that an attack is occurring. Check
this list for indicators of an attack and record your observations in the text box below.
Are there any changes in the traffic rates for any Protection Group?
Overview
Any changes?
Interfaces
Are there any changes in the traffic that synchronize with other suspected indicators?
Enter your observations and details that you suspect are indicators of an attack here:
16. View the details of the Protection Group you believe is being attacked.
When viewing the Protection Group, you should change the time frames to view current traffic (-5m -
best when under attack), to recent traffic (-1hr), and/or to historical traffic (-24h, -7d, or From...), so that
you can compare changes to the traffic details.
Any changes in the other sections on the page, including the Protocols and Services sections?
Use the link on the NETSCOUT Experience dashboard to view the victim, the ArborTrade server. What is
this server's status?
Solution:
The web service apparently continues to work, because the AED is already stopping this attack with its
default protection settings.
Is there any action required to block the entire attack, or is it already done automatically?
Monitor the effectiveness of your choice: were you successful in blocking the traffic?
If you were not successful, have you tried changing the Protection Level to Medium or High, or any
other options to mitigate the traffic?
Solution:
The protection that is stopping this attack is Invalid Packets. It is the first protection performed and
is enabled by default, so it drops these packets before any other protection sees them. There is therefore
no other protection that could be used as an alternative, since all others would run after the Invalid
Packets protection, and raising the Protection Level is not needed for this attack...
20. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.
21. Ask your instructor to stop the second attack and proceed only after your instructor has confirmed that the
attack was stopped.
22. Wait two minutes, then ask your instructor to start the third attack...
23. View the Summary page for any changes or details that may indicate that an attack is occurring. Check
this list for indicators of an attack and record your observations in the text box below.
Are there any changes in the traffic rates for any Protection Group?
Overview
Any changes?
Interfaces
Are there any changes in the traffic that synchronize with other suspected indicators?
Enter your observations and details that you suspect are indicators of an attack here:
24. View the details of the Protection Group you believe is being attacked.
When viewing the Protection Group, you should change the time frames to view current traffic (-5m -
best when under attack), to recent traffic (-1hr), and/or to historical traffic (-24h, -7d, or From...), so that
you can compare changes to the traffic details.
Any changes in the other sections on the page, including the Protocols and Services sections?
Use the link on the NETSCOUT Experience dashboard to view the victim, the ArborTrade server. What is
this server's status?
Solution:
Even if the web service apparently continues to work, we still want to suppress the attack, both to
protect the server from unnecessary traffic and to ensure that there can be no outage at a
later point in time.
Optional details you may want to investigate and analyze further include:
View that activity at the menu item Explore > Blocked Hosts.
Update the timeframe (-5m) to narrow the results and view recently blocked hosts.
Use the "Search" box and select the "Attack Category" (observed) to narrow the results and focus on
specific traffic.
View "Details" of which hosts were blocked and why they were blocked.
Use the Filter criteria on the left panel to narrow your focus on the packet capture results.
Is there any action required to block the entire attack, or is it done already automatically?
Monitor the effectiveness of your choice: were you successful in blocking the traffic?
If you were not successful, review the solution below:
Solution:
Were you able to identify this attack as UDP traffic on port 123? Because this is a reflection attack, the
flood consists of NTP responses, so the packets arrive with source port 123 (the reflectors' NTP port) rather
than destination port 123. If your web server does not synchronize its clock with the Network Time Protocol,
any port 123 traffic to it is unexpected. A deeper analysis of the content would have shown that this is
garbage traffic...
Have you tried enabling UDP Flood Detection in the Protection Group called web servers?
Have you tried configuring a filter statement in the Filter List of the Protection Group
called web servers, such as drop proto udp and port 123? This uses port rather than dst port so that it
matches the reflected responses, whose source port is 123; it also blocks the server's own NTP queries and
replies, which is why it is only appropriate if the server is not using NTP.
29. When you have successfully defeated this attack, ensure that the Deployment Mode is set to Active and the
Protection Level is set to Low.
Class review of each attack experienced during this lab exercise including:
What indicators were observed for each DDoS attack and what you should have seen.
What steps, if any, you took to mitigate each attack.
Identification of other possible methods you could use to mitigate that same attack.
First Attack: UDP Port 80 Flood – during review record the different methods students used to block
the traffic
Second attack: TCP Flags Packet Flood (a.k.a. all flags or xmas tree) – record the different methods
students used to block traffic.
Third attack: NTP Reflection – record the different methods students used to block traffic.
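For the first and third attacks, as an added example that is not AED's or NETSCOUT's own code: the script below implements the two checks a practitioner would reach for when classifying these floods, a per-destination-port UDP rate check for the port 80 flood and a many-reflectors-one-victim signature for the NTP reflection, runs them over a constructed one-second traffic sample, and emits the filter-list statements used in the solutions above. The victim and time-server addresses, the thresholds, the reflector-port table and the sample traffic are all assumptions made for the example.

```python
# Added example (not NETSCOUT/AED code): the two checks behind the first and third
# attacks in this lab, run over a constructed one-second traffic sample. Thresholds,
# the reflector-port table, the addresses and the sample are assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
Record = Tuple[float, str, int, str, int, str, int]

VICTIM = "198.51.100.5"          # the ArborTrade web server (assumed address)
TIME_SERVER = "203.0.113.200"    # the web server's legitimate upstream NTP server (assumed)

# Services commonly abused as amplifiers, keyed by the source port their replies carry.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 11211: "memcached"}


def build_sample_traffic() -> List[Record]:
    """Constructed one-second window: normal web traffic, the server's own NTP sync,
    a UDP garbage flood at port 80, and an NTP reflection flood."""
    recs: List[Record] = []
    for i in range(20):                                   # ordinary HTTP clients
        recs.append((i * 0.05, f"203.0.113.{i % 5 + 1}", 40000 + i, VICTIM, 80, "tcp", 600))
    recs.append((0.30, VICTIM, 51234, TIME_SERVER, 123, "udp", 48))   # server's NTP query
    recs.append((0.31, TIME_SERVER, 123, VICTIM, 51234, "udp", 48))   # 48-byte reply
    for i in range(1500):                                 # attack 1: 1500 pps of UDP junk to port 80
        recs.append((i / 1500, f"192.0.2.{i % 30 + 1}", 1024 + i % 5000, VICTIM, 80, "udp", 1024))
    for r in range(60):                                   # attack 3: 60 reflectors, 40 replies each
        for k in range(40):
            recs.append((k / 40, f"198.18.0.{r + 1}", 123, VICTIM, 33000 + r, "udp", 440))
    return recs


def detect_udp_flood(records: List[Record], window_s: float = 1.0,
                     threshold_pps: int = 1000) -> List[Dict]:
    """Rate-based check: UDP packets per second toward each (dst, dst_port).

    window_s is the span the sample covers; threshold_pps is the alert level (assumption).
    """
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for _t, _src, _sport, dst, dport, proto, _ln in records:
        if proto == "udp":
            counts[(dst, dport)] += 1
    findings = []
    for (dst, dport), n in sorted(counts.items()):
        pps = n / window_s
        if pps >= threshold_pps:
            findings.append({"dst": dst, "dst_port": dport, "pps": pps,
                             "filter": f"drop proto udp and dst port {dport}"})
    return findings


def detect_reflection(records: List[Record], min_sources: int = 10,
                      min_avg_bytes: int = 200) -> List[Dict]:
    """Signature check: many distinct hosts all answering one victim from the same
    service port with large payloads is a reflection flood, not a client talking
    to its own server. A per-destination-port rate check misses it because the
    reflected replies land on the (varying) port the spoofed request came from."""
    by_key: Dict[Tuple[str, int], List[Tuple[str, int]]] = defaultdict(list)
    for _t, src, sport, dst, _dport, proto, ln in records:
        if proto == "udp" and sport in REFLECTOR_PORTS:
            by_key[(dst, sport)].append((src, ln))
    findings = []
    for (dst, sport), pkts in sorted(by_key.items()):
        sources = {s for s, _ in pkts}
        avg = sum(ln for _, ln in pkts) / len(pkts)
        if len(sources) >= min_sources and avg >= min_avg_bytes:
            findings.append({"dst": dst, "service": REFLECTOR_PORTS[sport], "src_port": sport,
                             "reflectors": len(sources), "packets": len(pkts),
                             "avg_bytes": round(avg),
                             "filter": f"drop proto udp and port {sport}"})
    return findings


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for f in detect_udp_flood(traffic):
        print(f"UDP flood: {f['dst']}:{f['dst_port']} at {f['pps']:.0f} pps -> {f['filter']}")
    for f in detect_reflection(traffic):
        print(f"{f['service']} reflection: {f['reflectors']} reflectors, {f['packets']} packets, "
              f"avg {f['avg_bytes']} B -> {f['filter']}")
```

Two points the output makes that the solutions above only imply: the rate check alone never sees the reflection flood, because each reflected reply lands on a different destination port and no single port crosses the threshold, so the reflection signature is a separate check; and the server's own time source is counted among the "reflectors" (it replies from port 123 too), which is exactly the traffic that drop proto udp and port 123 also discards and why the lab conditions that filter on the server not using NTP.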
You have successfully viewed the indicators of three different volumetric DDoS attacks and
applied protections to mitigate each.
33. Please notify the instructor that you have completed this lab exercise.
If you would like a copy of this lab, select either the Print or the Save Page As (Control-S) option from your
browser's menu. Depending on which browser you are using, these are found either under the "File" menu or
under the three-line hamburger menu button.
This completes the lab exercise on volumetric DDoS attacks for your AED. For more information about the
protection settings used in this lab, refer to the AED Quick Start Card / Installation
Guide and/or the Arbor Edge Defense User Guide.
Version 6.8.0.0.2203.11 EN