25/01/2023 12:10 Netscout University - Lab "TMS Mitigation Workflow"

TMS Mitigation Workflow

Lab Description
Search and find Mitigations related to alerts
Understand the structure of the mitigation page
Save a snapshot of the alert traffic for investigation or future reference
Understand the role of Mitigation Templates

Duration: 30 minutes
Platform: https://sightline186.ne.netscout.com
Username: NE186
Password: Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Searching for Existing Mitigations

1 Log in to the Sightline Deployment

Username: NE186
Password: Vafaseyu2!

1. Connect to this URL, if this page is not already open: https://sightline186.ne.netscout.com


2. If prompted, you must first authenticate with the lab proxy; after that, you will be redirected to the Sightline login page.
3. At the Sightline login page, use the credentials again to log in.
4. Notify the proctor if you are unable to connect to your Sightline.

2 During this first part, we will learn how to search for running or existing mitigations; this will come in handy when you
review the effectiveness of an auto-mitigation. Browse to Alerts > DoS

3 Using the search textbox, search for alerts for the managed object INFRA_Web-Public: ac:"DoS" INFRA_Web-Public

4 As the alerts are sorted by start time, the first one listed should be the alert from our previous lab exercise. Open the alert by
clicking on the Alert ID or the MiniGraph.

5 Reviewing the alert, can you find if a TMS mitigation was ever started for this anomaly?
Can you note the full name of the mitigation?

Need Help

The Annotations tab should display the full history of the alert and its related events.

Next, go back to your mitigation. On the Summary tab, in the MITIGATIONS section, expand the TMS Mitigations listing
and click on the mitigation name.

https://cx.netscout.com/lab/467/EN 1/5

6 Once back in your mitigation from the previous lab exercise, answer the following questions:
Is the mitigation still Active? Yes No

Which Template is used?

Which Protection Prefixes are mitigated?

7 We will modify two elements of this active mitigation, the mitigation Template and the Protection Prefixes. When clicking
on the Edit button at the top of the Summary panel, can you modify those two settings?

8 To enable you to modify the mitigation Template used, click on the Edit Full Configuration link, then the Save button.

9 On the Edit TMS Mitigation page, on the Mitigation tab, select the Default IPv4 template and click on Apply.

10 Your colleagues from the server monitoring team reported that all servers within the public website were experiencing
issues. At the moment, your mitigation is only protecting one server of the pool. In the Protect tab, modify your Protection
Prefixes to include the other Web server, from 172.17.186.20/32 to 172.17.186.20/32, 172.17.186.30/32
Example below:

11 To save your new settings and return to the mitigation, click on Save and View Listing. Find and open your most recent
mitigation.

12 Will applying a new template to an existing mitigation erase all custom configuration done on the mitigation?

Review the IPv4 Deny/Allow List configuration details.

13 Reviewing the now enabled countermeasures, can you find...


One packet driven countermeasure?

One event driven countermeasure?

Check Solution

Packet driven: TCP SYN Authentication, DNS Authentication, DNS Malformed, HTTP Malformed, SIP Malformed

Event driven: Zombie Detection, TCP Connection Reset, HTTP Rate Limiting, SIP Request Limiting

14 Is any traffic being dropped by the mitigation? If yes, which countermeasure is dropping the most?

Above the graph, you can review the amount of traffic dropped by each countermeasure by clicking on the Per
Countermeasure tab.

15 Can you find on the graph or the chart:

The amount of traffic in pps received by TMS:

The percentage of dropped traffic in bps:

The percentage of dropped traffic in pps:

16 Your colleagues asked you if you could save a snapshot of the attack traffic for future review. Can you, using the Sample
Packets, record a PCAP capture of the traffic and save it to your hard drive?

Check Solution

In the Sample Packets window, find the Record button; the capture file will automatically be provided by your browser
after 60 seconds or 5000 packets, whichever comes first.
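
Added example, not part of the original lab or of NETSCOUT material: one way to review the saved snapshot offline, counting packets per protected host from step 10 and bare TCP SYNs per source, and flagging whether the recording stopped at the 5000-packet limit. It assumes the download is a classic PCAP file with Ethernet link type; the names summarize_pcap and build_sample are hypothetical, and the three-packet sample is constructed.

```python
import ipaddress
import struct
from collections import Counter

# Protection prefixes from step 10; recording limit from the step 16 solution.
PROTECTED = [ipaddress.ip_network(p) for p in ("172.17.186.20/32", "172.17.186.30/32")]
MAX_PACKETS = 5000

def summarize_pcap(data: bytes) -> dict:
    """Summarise a classic PCAP file (assumes Ethernet link type, IPv4, no VLAN tags)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic PCAP file with Ethernet link type")
    offset, times, outside, per_dst, syn_by_src = 24, [], 0, Counter(), Counter()
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        times.append(sec + usec / 1e6)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
        if not any(dst in net for net in PROTECTED):
            outside += 1
            continue
        per_dst[str(dst)] += 1
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        # Bare SYN = SYN set and ACK clear; the flags are byte 13 of the TCP header.
        if frame[23] == 6 and len(tcp) >= 14 and tcp[13] & 0x12 == 0x02:
            syn_by_src[str(src)] += 1
    return {"packets": len(times),
            "duration_s": round(max(times) - min(times), 3) if times else 0.0,
            "hit_packet_cap": len(times) >= MAX_PACKETS,
            "per_protected_host": dict(per_dst),
            "syn_sources": syn_by_src.most_common(3),
            "outside_protection_prefixes": outside}

def build_sample() -> bytes:
    """Constructed three-packet capture (documentation-range sources, zero checksums)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rows = [(0, "192.0.2.10", "172.17.186.20", 0x02), (1, "192.0.2.10", "172.17.186.30", 0x02),
            (2, "198.51.100.7", "172.17.186.20", 0x10)]
    for sec, src, dst, flags in rows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 1024, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out
```

For a real capture, pass the bytes of the downloaded file to summarize_pcap instead of build_sample(); a non-zero outside_protection_prefixes count means the sample contains traffic for hosts the mitigation does not cover.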

17 Reach out to your instructor and let him know: User NE186 is ready for phase 2. In online trainings, use the chat function
available in WebEx.

Wait until you receive a confirmation to continue.

18 Wait 1 minute and then find the link to your alert in the countermeasure Summary panel and open the page.

19 Reviewing the alert against your managed object, answer the following questions:
Is the alert still listed as ongoing? Yes No

What was the duration of the alert?

Need Help

You will find this information in the top left corner of the alert details page.

20 While on the Summary tab of your alert, have a look at the Dropped Traffic graph to find a visualisation of the amount
of traffic dropped by the selected mitigation method.

21 You will now review the status of your mitigation. To open the mitigation again, use the quick link provided directly in the
alert page (MITIGATIONS section on the Summary tab).

22 When you are back on your mitigation page, answer the following questions:
Is this mitigation still active? Yes No
If the mitigation is still running, why was it not stopped automatically when the alert stopped?

Check Solution

A manually started mitigation must also be manually stopped again; only an auto-mitigation would be automatically
stopped based on the auto-mitigation settings configured.

23 Stop your mitigation.

24 Well Done, you have just successfully completed this exercise.

© Copyright 2022 NETSCOUT, Inc. All rights reserved