TMS Mitigation Workflow
Lab Description
Search and find Mitigations related to alerts
Understand the structure of the mitigation page
Save a snapshot of the alert traffic for investigation or future reference
Understand the role of Mitigation Templates
Duration: 30 minutes
Platform: https://sightline186.ne.netscout.com
Username: NE186
Password: Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Searching for Existing Mitigations
Username: NE186
Password: Vafaseyu2!
2 During this first part, we will learn how to search for running or existing mitigations; this will come in handy when you
review the effectiveness of an auto-mitigation. Browse to Alerts > DoS
3 Using the search textbox, search for alerts for the managed object INFRA_Web-Public: ac:"DoS" INFRA_Web-Public
4 As the alerts are sorted by start time, the first one listed should be the alert from our previous lab exercise. Open the alert by
clicking on the Alert ID or the MiniGraph.
5 Reviewing the alert, can you find if a TMS mitigation was ever started for this anomaly?
Can you note the full name of the mitigation?
Need Help
The Annotations tab should display the full history of the alert and its related events.
Next, go back to your mitigation. On the Summary tab, in the MITIGATIONS section, expand the TMS Mitigations listing
and click on the mitigation name.
https://cx.netscout.com/lab/467/EN 1/5
25/01/2023 12:10 Netscout University - Lab "TMS Mitigation Workflow"
6 Once back in your mitigation from the previous lab exercise, answer the following questions:
Is the mitigation still Active? Yes No
7 We will modify two elements of this active mitigation, the mitigation Template and the Protection Prefixes. When clicking
on the Edit button at the top of the Summary panel, can you modify those two settings?
8 To enable you to modify the mitigation Template used, click on the Edit Full Configuration link, next the Save button.
9 On the Edit TMS Mitigation page, on the Mitigation tab, select the Default IPv4 template and click on Apply.
10 Your colleagues from the server monitoring team reported that all servers within the public website were experiencing
issues. At the moment, your mitigation is only protecting one server of the pool. In the Protect tab, modify your Protection
Prefixes to include the other Web server, from 172.17.186.20/32 to 172.17.186.20/32, 172.17.186.30/32
Example below:
11 To save your new settings and return to the mitigation, click on Save and View Listing. Find and open your most recent
mitigation.
12 Will applying a new template to an existing mitigation erase all custom configuration done on the mitigation?
Check Solution
Packet driven: TCP SYN Authentication, DNS Authentication, DNS Malformed, HTTP Malformed, SIP Malformed
Event driven: Zombie Detection, TCP Connection Reset, HTTP Rate Limiting, SIP Request Limiting
14 Is any traffic being dropped by the mitigation? If yes, which countermeasure is dropping the most?
Above the graph, you can review the amount of traffic dropped by each countermeasure by clicking on the Per
Countermeasure tab.
16 Your colleagues asked you if you could save a snapshot of the attack traffic for future review. Can you, using the Sample
Packets, record a PCAP capture of the traffic and save it to your hard drive?
Check Solution
In the Sample Packets window, find the Record button; the capture file will automatically be provided by your browser
after 60 seconds or 5000 packets, whichever comes first.
17 Reach out to your instructor and let him know: User NE186 is ready for phase 2. In online trainings, use the chat function
available in WebEx.
18 Wait 1 minute and then find the link to your alert in the countermeasure Summary panel and open the page.
19 Reviewing the alert against your managed object, answer the following questions:
Is the alert still listed as ongoing? Yes No
Need Help
You will find this information in the top left corner of the alert details page.
20 While on the Summary tab of your alert, have a look at the Dropped Traffic graph to find a visualisation of the amount of
traffic dropped by the selected mitigation method.
21 You will now review the status of your mitigation. To open the mitigation again, use the quick link provided directly in the
alert page (MITIGATIONS section on the Summary tab).
22 When you are back on your mitigation page, answer the following questions:
Is this mitigation still active? Yes No
If the mitigation is still running, why was it not stopped automatically when the alert stopped?
Check Solution
A manually started mitigation must also be manually stopped again; only an auto-mitigation would be automatically
stopped, based on the auto-mitigation settings configured.
Well Done
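One way to review the capture saved in step 16 against the Protection Prefixes set in step 10, as an added example that is not part of the original lab. It assumes the downloaded file is a classic libpcap capture with untagged Ethernet framing (the lab does not state the format); the sample capture, the 198.51.100.x sources and the 172.17.186.40 destination are constructed.

```python
import ipaddress
import struct
from collections import Counter

# Protection Prefixes from step 10 of the lab.
PROTECTED = [ipaddress.ip_network(p) for p in ("172.17.186.20/32", "172.17.186.30/32")]
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def summarize_pcap(data: bytes) -> dict:
    """Tally IPv4 packets in a classic-pcap capture by destination and protocol."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    protected, unprotected, protos = Counter(), Counter(), Counter()
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16: offset + 16 + caplen]
        offset += 16 + caplen
        # Skip truncated frames and anything that is not IPv4 over Ethernet.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        dst = ipaddress.ip_address(frame[30:34])      # IPv4 destination field
        protos[PROTO.get(frame[23], str(frame[23]))] += 1
        bucket = protected if any(dst in n for n in PROTECTED) else unprotected
        bucket[str(dst)] += 1
    return {"protected": dict(protected), "unprotected": dict(unprotected),
            "protocols": dict(protos)}

def _frame(src: str, dst: str, proto: int) -> bytes:
    """Build a constructed Ethernet+IPv4 frame (header only, zero checksum)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_capture() -> bytes:
    """Constructed sample: three packets, one aimed at a host outside the prefixes."""
    frames = [_frame("198.51.100.7", "172.17.186.20", 6),
              _frame("198.51.100.8", "172.17.186.30", 17),
              _frame("198.51.100.9", "172.17.186.40", 6)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Any address in the `unprotected` bucket is a destination seen in the capture that the mitigation's Protection Prefixes do not cover, which is the situation step 10 corrects by adding the second web server.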