
25/01/2023 12:13 Netscout University - Lab "DoS Host Anomaly Detection"

Finished
Host Anomaly Detection

Lab Description
Review the key elements to differentiate a real attack from a false
positive
Review the detection and classification process

Duration:
30 minutes
Platform:
https://slvis1.ne.netscout.com/
Username:
NE186
Password:
Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Examining DoS Host alerts

1 Login to the Sightline Deployment

Username: NE186
Password: Vafaseyu2!

1. Connect to this URL, if this page is not already open: https://slvis1.ne.netscout.com/


2. If prompted, you must first authenticate with the lab proxy; after that you will be redirected to the
Sightline login page.
3. At the Sightline login page, use the credentials again to login.
4. Notify the proctor if you are unable to connect to your Sightline.

2 In the Menu, browse to Alerts > DoS page, use the search box or wizard if needed, search for the
following alert characteristics:
Severity: High
Managed Object: SFPOP, Middlestate, Scouts, University
Alert Type: DoS Host
Need Help

You can find the complete search keyword list in the help, section: Acceptable search keywords and
values for alerts. To search for a managed object use the syntax of mo:object-name.
Search String Suggestion: at:"DoS Host" sev:high mo:SFPOP,Middlestate,Scouts,University

3 By default, alerts are sorted by Start Time, the most recent listed first. You will study the last or most
recent high alert. Find the following details for the most recent high alert listed:

ID

Duration

https://cx.netscout.com/lab/464/EN 1/6
Importance

Target IP

Size in bps

Size in pps

4 Click on the alert ID or Mini Graph of the alert you studied to open the alert details.

5 Answer the following questions if multiple misuse type thresholds were exceeded:

Misuse type triggered first?

Misuse type exceeded the most?

Need Help

Both the graph and the annotations (last tab) can help you get an idea of the alert timeline (Misuse
type triggering order).

6 At a glance, using the Alert Characterization table and Traffic Details tab, find the information relative to
the alert IP sources:

Top 1 Source IP Addresses:

Top 1 Country:

Top 2 Country:

Top 1 Source ASN:

Top 2 Source ASN:

7 Can you reliably use all of the previously collected top information to characterize your alert?

When looking at the TOP X statistics, look at how much of the alert traffic each characteristic represents.
Example:
ASN 8075 (MICROSOFT-CORP): 9.62 Kpps / 29.42% = Significant
IP 13.93.68.35/32: 59.00 pps / 0.18% = Not Significant

8 At a glance, using the Alert Characterization table and Traffic Details tab, find the information relative to
the alert IP sources:

Can you find the top UDP/TCP source port?

Is the alert traffic most likely composed of client queries/requests or server responses?

When connecting to a server, a legitimate client will in most cases use an ephemeral source port of
1024 or above. A server response will in most cases use an application port in the range 1 to 1023 as
its source (443 for HTTPS, 53 for DNS).
The ephemeral port range differs from OS to OS, but is always above 1024.
Most Linux kernels: 32768 to 61000
Windows XP: 1025 to 5000
Windows 7/10, iOS, Mac OS: 49152 to 65535 (IANA standard)
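The two checks described in steps 7 and 8 (is a TOP X entry significant enough to characterize the alert, and do the top source ports look like client requests or server responses) can be put into a small triage helper. The following is an added example, not part of the Netscout lab or of Sightline; the 5% significance cutoff, the TopEntry structure and the source-port sample rows are assumptions of this example, while the ASN and IP rows reuse the figures quoted in the lab text.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed cutoff: the lab calls 29.42% "Significant" and 0.18% "Not Significant"
# but states no fixed boundary, so this number is an assumption of this example.
SIGNIFICANT_SHARE_PCT = 5.0

# Application ports the lab itself names; any other port in 1-1023 is reported as "application".
WELL_KNOWN = {53: "DNS", 443: "HTTPS"}


@dataclass(frozen=True)
class TopEntry:
    """One row of an alert's TOP X table: what it is, its rate and its share of alert traffic."""
    kind: str        # "asn", "src_ip", "src_port", "country", ...
    value: str
    pps: float
    share_pct: float


def is_significant(entry: TopEntry, cutoff: float = SIGNIFICANT_SHARE_PCT) -> bool:
    """A TOP X characteristic only describes the alert if it carries a meaningful share of it."""
    return entry.share_pct >= cutoff


def port_class(port: int) -> str:
    """Lab heuristic: 1-1023 is an application (server) port, 1024+ is ephemeral (client)."""
    if not 1 <= port <= 65535:
        return "invalid"
    return "application" if port <= 1023 else "ephemeral"


def likely_origin(port_entries: Iterable[TopEntry]) -> str:
    """Weigh each top source port by its share of the traffic and say whether the alert looks
    like server responses (application source ports) or client requests (ephemeral ports)."""
    app = eph = 0.0
    for e in port_entries:
        cls = port_class(int(e.value))
        if cls == "application":
            app += e.share_pct
        elif cls == "ephemeral":
            eph += e.share_pct
    if app == 0.0 and eph == 0.0:
        return "unknown"
    return "server responses" if app > eph else "client requests"


def characterize(entries: list[TopEntry]) -> dict:
    """Summarise which TOP X rows can be relied on and what the source ports suggest."""
    ports = [e for e in entries if e.kind == "src_port"]
    return {
        "significant": [f"{e.kind}:{e.value}" for e in entries if is_significant(e)],
        "ignored": [f"{e.kind}:{e.value}" for e in entries if not is_significant(e)],
        "origin": likely_origin(ports),
        "top_port_names": {
            int(e.value): WELL_KNOWN.get(int(e.value), port_class(int(e.value))) for e in ports
        },
    }


# Constructed sample: the ASN and IP rows reuse the figures quoted in the lab text;
# the two source-port rows are invented for this example.
SAMPLE = [
    TopEntry("asn", "8075", 9620.0, 29.42),
    TopEntry("src_ip", "13.93.68.35/32", 59.0, 0.18),
    TopEntry("src_port", "53", 26000.0, 79.5),
    TopEntry("src_port", "40123", 390.0, 1.2),
]

if __name__ == "__main__":
    for key, val in characterize(SAMPLE).items():
        print(f"{key}: {val}")
```

On the constructed sample the ASN and the DNS source port are the only rows worth citing; the single /32 at 0.18% says nothing about the alert as a whole. Nearly all traffic arriving from source port 53 reads as DNS responses sent toward the target, which is exactly the situation step 9 asks you to weigh against the packet size distribution before calling the alert real or false.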

9 Packet size distribution is a great tool to help you differentiate real attacks from false positives. If we
assume the attack target IP is a DNS server, would the packet size distribution displayed in the alert
(Summary tab) match a DNS query/response pattern?

10 Looking at the Routers tab, can you find through which interface most of the alert traffic was seen as
coming IN to your network?

11 What is the DoS Host alert Direction reported in this alert?

Need Help

The Direction is shown on the Summary tab and can only be Incoming or Outgoing.

12 In your opinion, was this alert a real attack or a false positive? Write in a few words the key elements that
helped you to conclude.

In a virtual training, send this and the alert ID chosen to your instructor via the WebEx chat function.

2. Understanding the DoS Host Detection thresholds

1 We assume that the following configuration is in place, globally and for a managed object called MSU.


2 Can you answer the following questions?

Severity Duration (sec)

TCP SYN - Trigger Rate

TCP SYN - High Severity Rate

DNS Amplification - High Severity Rate (pps)

3 If a host belonging to the MSU managed object is receiving 25,000 pps of ICMP traffic for 5 minutes,
answer the following questions:
Will an alert be triggered? Yes No

Misuse type triggered?

Which Severity? Low Medium High

Importance in %?
Make sure you also look at the configured start latency.
Check Solution

4 If a host belonging to the MSU managed object is receiving 65,000 pps of DNS traffic for 95 seconds,
answer the following questions:
Will an alert be triggered? Yes No

Misuse type triggered? (can be multiple)

Which Severity? Low Medium High

Importance in %?
Make sure you also look at the configured start latency.
Check Solution

5 For the attack traffic from the previous question, if fast flood was enabled, would an alert have been
triggered?
Attack size * Attack length = Attack volume
Attack: 65 000 pps * 95 seconds = 6.17M packets
Threshold: High Sev. Alert Threshold * 60 seconds = X packets
Check Solution

6 Well Done, you have just successfully completed this exercise.


If you would like a copy of this lab, select either the Print or the Save Page As (Control-S) menu option
from your browser's dropdown menu.

© Copyright 2022 NETSCOUT, Inc. All rights reserved
