
25/01/2023 12:05 Netscout University - Lab "Application Layer Attacks"

Application Layer Attacks

Lab Description
Find the attack vectors from the sample packets display.
Use the appropriate Layer 7/Application countermeasure to distinguish legitimate from attack packets.

Duration:
75 minutes
Platform:
https://sightline186.ne.netscout.com
Username:
NE186
Password:
Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. DNS Regular Expression

1 Login to the Sightline Deployment

Username: NE186
Password: Vafaseyu2!

1. Connect to this URL, if this page is not already open: https://sightline186.ne.netscout.com


2. If prompted, first authenticate with the lab proxy; you will then be redirected to the Sightline login page.
3. At the Sightline login page, use the credentials again to login.
4. Notify the proctor if you are unable to connect to your Sightline.

2 Your colleague reported an issue with the domain 'arbor.net' hosted on the server INFRA_DNS-Auth (172.17.186.21/32).
Check if Sightline reports an ongoing DoS alert against this server.
Check Solution

Because this is a stealthy application layer attack, you will not see any alerts generated by Sightline.

3 To gain insight into the traffic going to the DNS server, you will divert the traffic to the TMS.

Create a manual Threat Management mitigation from the menu Mitigation > TMS by clicking on the Add Mitigation
button.

4 Your mitigation's name needs to be unique. Follow this example to set the name: 2023-01-25 INFRA_DNS-
Auth_Mitigation (replace the date with today's date).

5 While on the first Mitigation tab, select the Template called None and click on the Apply button.

6 In the Protect tab, in the Protection Prefix text box, enter 172.17.186.21/32

7 You can now launch your mitigation by clicking on Save and Start Mitigation button.

8 By default, the TMS does not decode application layer information, to save processing power. To enable DNS query
and response decoding, at least one of the DNS countermeasures must be enabled; therefore, enable the DNS Malformed
countermeasure.
https://cx.netscout.com/lab/470/EN 1/6

9 Now open the Sample Packets window.


In the Filter Type field, you should now be able to select DNS Regular Expression.
Next click into the Regular Expression textbox but leave it empty.
Now click on the Apply button.

10 As you can see in the sample packets, the arbor.net authoritative server is receiving name resolution requests for
www.google.com. An authoritative server should only receive requests for the domains it manages, in this case only for
*.arbor.net.

11 Close the Sample Packets window. Back on the mitigation page, expand and use the DNS Regular Expression
countermeasure to drop the “inappropriate” DNS queries. Currently we only consider the google.com queries to be
inappropriate. All other queries should not be dropped for now.

Check Solution

Configuration:

Verification:

12 Upon saving your DNS Regular Expression, you should get a similar result:

13 Your system administrator colleagues are now reporting that the DNS service is responding again, but is still very slow.
The number of DNS queries is still higher than usual. You will continue your investigation and check whether there is more
illegitimate traffic that should be blocked.

2. Payload Regular Expression

1 Open Sample Packets again and select the Filter Type DNS Regular Expression, again with a blank regular expression.
Filter by Passed Packets only.

2 When looking at the displayed packets can you see on some packets a recurring pattern or something out of place?
Try to analyse one of the suspicious packets by selecting it and looking into the detailed packet decode section.
Need Help

Can you see a FQDN in the Match column for all displayed DNS packets?

3 Do you see why the FQDN failed to display on some packets?

Check Solution

In the detailed packet decode section you can see that the Queries field contains strange ASCII values.

4 The Payload Regular Expression countermeasure allows you to drop packets based on the packet content. Can you build
a regex to drop all packets containing a unique part of this recurring string of characters?
A payload regular expression can match either on hexadecimal byte values or on the corresponding ASCII characters.
The \x escape tells the regex interpreter to expect a hexadecimal value.
Check Solution

To drop on the following string of hexadecimal values, de ad be ef, the regex would be \xde\xad\xbe\xef

5 After configuring the correct UDP port for filtering, select the Drop Traffic action and click Save on the Payload Regular
Expression countermeasure. You should start to see dropped traffic.
Per Countermeasures graph view

6 Bonus Question – Only do this question if at least 35 minutes are left to complete the lab:
Can you modify your regex to match only the packets containing 'de ad be ef' exactly X characters from the end, X being
the number of ASCII characters or hexadecimal groups after the selected string?
A group of two hexadecimal digits counts as one character: aa 0b 7e --> .{3}. In regex, ^ means the beginning and $ the end.
Check Solution

The solution for this question should be either: \xde\xad\xbe\xef.{13,14} or ^.{13,14}\xde\xad\xbe\xef
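The following Python script is an added example and is not part of the Netscout lab. It applies the patterns from this section (the plain `\xde\xad\xbe\xef` match and the two bonus solutions) plus a `$`-anchored variant derived from the page's note that `$` means the end, to constructed DNS-shaped UDP payloads in which the marker sits at different distances from the end of the packet. The payload bytes and offsets are constructed for illustration; the page does not say how the TMS regex engine treats `.` against a 0x0a (newline) byte, so the script exposes Python's DOTALL flag to show how that choice changes the verdict.

```python
import re

# Constructed DNS-shaped UDP payloads for illustration; these are not packets
# captured in the lab. 12-byte DNS header (ID, flags=RD, QDCOUNT=1), then one
# question whose first label carries the "de ad be ef" marker, then the root
# label terminator, QTYPE=A and QCLASS=IN (5 trailing bytes).
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
TRAILER = b"\x00\x00\x01\x00\x01"
MARKER = b"\xde\xad\xbe\xef"

SAMPLES = {
    # marker at offset 13, followed by 8 label bytes + 5 trailer bytes = 13 bytes
    "marker_then_13": HEADER + b"\x0c" + MARKER + b"abcdefgh" + TRAILER,
    # marker at offset 13, followed by 9 + 5 = 14 bytes
    "marker_then_14": HEADER + b"\x0d" + MARKER + b"abcdefghi" + TRAILER,
    # marker at offset 13 but followed by 21 bytes (more labels after it)
    "marker_then_21": HEADER + b"\x08" + MARKER + b"junk" + b"\x07example" + b"\x03com" + TRAILER,
    # marker followed by 13 bytes, one of which is 0x0a (newline)
    "marker_then_13_nl": HEADER + b"\x0c" + MARKER + b"ab\ncdefg" + TRAILER,
    # legitimate query for www.arbor.net, no marker at all
    "www.arbor.net": HEADER + b"\x03www\x05arbor\x03net" + TRAILER,
}

# The patterns from this section of the lab (hex escapes, as the page shows them),
# plus a '$'-anchored variant built from the page's note that '$' means "the end".
PATTERNS = {
    "anywhere":        rb"\xde\xad\xbe\xef",
    "page_solution_a": rb"\xde\xad\xbe\xef.{13,14}",
    "page_solution_b": rb"^.{13,14}\xde\xad\xbe\xef",
    "end_anchored":    rb"\xde\xad\xbe\xef.{13,14}$",
}


def would_drop(payload, pattern, dot_matches_newline=True):
    """True if a Drop-Traffic payload regex with this pattern would fire on the payload.

    Python's '.' does not match 0x0a unless DOTALL is set; the lab page does not say
    how the TMS engine treats that byte, so the flag is exposed to show the difference.
    """
    flags = re.DOTALL if dot_matches_newline else 0
    return re.search(pattern, payload, flags) is not None


def evaluate_all(dot_matches_newline=True):
    """Map each sample name to {pattern name: dropped?} so the verdicts can be compared."""
    return {
        name: {pname: would_drop(payload, pat, dot_matches_newline)
               for pname, pat in PATTERNS.items()}
        for name, payload in SAMPLES.items()
    }


if __name__ == "__main__":
    for dotall in (True, False):
        print(f"\n'.' matches 0x0a: {dotall}")
        for name, verdicts in evaluate_all(dotall).items():
            fired = [p for p, hit in verdicts.items() if hit]
            print(f"  {name:18s} dropped by: {', '.join(fired) or '(none)'}")
```

Running it shows why the lab's two bonus answers both work on these samples (the marker starts 13 bytes into a query whose first label carries it, and is followed by 13 or 14 bytes), and also that `\xde\xad\xbe\xef.{13,14}` without `$` still fires on a packet with 21 bytes after the marker, whereas the `$`-anchored form does not.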

7 Going back to your DNS Regular Expression, update the configuration to drop all DNS queries not matching the
arbor.net or netscout.com domain.
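The following Python script is an added example, not code from the Netscout lab, and models the two DNS Regular Expression configurations used in this lab: the step 11 rule that drops google.com queries, and the step 7 rule that drops every query not matching the arbor.net or netscout.com domains. The DNS query packets are constructed inline, the regexes are assumptions (the lab's own configuration screenshots did not survive extraction), and the assumption that the countermeasure can be configured to drop either matching or non-matching queries is modelled with a `drop_on_match` flag. A query whose name contains non-printable bytes, like the "de ad be ef" packets with an empty Match column in the lab, is reported as `undecoded` rather than dropped or passed, because the page leaves what happens to such packets as a question for the reader (step 8).

```python
import re

# --- Constructed DNS query packets (not captures from the lab) ---------------
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # ID, flags=RD, QDCOUNT=1
TRAILER = b"\x00\x00\x01\x00\x01"                                # root label, QTYPE=A, QCLASS=IN


def query_for(labels):
    """Build a DNS query payload from a list of raw label byte strings."""
    return HEADER + b"".join(bytes([len(label)]) + label for label in labels) + TRAILER


QUERIES = {
    "www.arbor.net":    query_for([b"www", b"arbor", b"net"]),
    "ns1.netscout.com": query_for([b"ns1", b"netscout", b"com"]),
    "www.google.com":   query_for([b"www", b"google", b"com"]),
    "mail.example.org": query_for([b"mail", b"example", b"org"]),
    # First label carries non-printable bytes, modelled on the lab's "de ad be ef" packets.
    "binary_label":     query_for([b"\xde\xad\xbe\xef\x01\x02", b"arbor", b"net"]),
}


def extract_qname(payload):
    """Return the QNAME of the first question as a dotted string, or None when the
    name cannot be decoded as printable ASCII (the lab's empty Match column)."""
    pos = 12                      # question section starts right after the header
    labels = []
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:           # root label: end of the name
            break
        if length >= 0xC0:        # compression pointer, not expected in a plain query
            return None
        raw = payload[pos:pos + length]
        if len(raw) != length:    # truncated packet
            return None
        try:
            label = raw.decode("ascii")
        except UnicodeDecodeError:
            return None
        if not label.isprintable():
            return None
        labels.append(label)
        pos += length
    else:
        return None               # ran off the end without a terminating root label
    return ".".join(labels)


# Assumed regexes for the two lab configurations (anchored on the end of the QNAME
# so that "google.com.evil.test" style names are not treated as google.com).
DROP_GOOGLE = re.compile(r"(^|\.)google\.com$", re.IGNORECASE)          # step 11
ALLOWED_DOMAINS = re.compile(r"(^|\.)(arbor\.net|netscout\.com)$", re.IGNORECASE)  # step 7


def decide(payload, regex, drop_on_match=True):
    """Return 'drop', 'pass' or 'undecoded'.

    drop_on_match=True  : drop queries whose name matches the regex (step 11).
    drop_on_match=False : drop queries whose name does NOT match (the allowlist of step 7).
    """
    qname = extract_qname(payload)
    if qname is None:
        return "undecoded"
    matched = regex.search(qname) is not None
    return "drop" if matched == drop_on_match else "pass"


def summarize(regex, drop_on_match):
    """Verdict for every constructed query under one configuration."""
    return {name: decide(pkt, regex, drop_on_match) for name, pkt in QUERIES.items()}


if __name__ == "__main__":
    for title, regex, mode in (("step 11: drop google.com", DROP_GOOGLE, True),
                               ("step 7: drop non arbor.net/netscout.com", ALLOWED_DOMAINS, False)):
        print(f"\n{title}")
        for name, verdict in summarize(regex, mode).items():
            print(f"  {name:18s} -> {verdict}")
```

The two configurations differ only in the sense of the match: the step 11 rule names what to drop, so an unexpected domain such as example.org still passes, while the step 7 allowlist drops it. The `undecoded` outcome is kept separate so the reader can compare it with what the TMS actually does in step 8.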


8 If you disable your previously configured Payload Regular Expression countermeasure by removing all its configuration,
are the ‘de ad be ef’ packets now dropped by the DNS Regular Expression countermeasure?

9 Now click Stop to end your mitigation.

10 Looking at the attack received, could you explain why no alert was triggered in Sightline?

Check Solution

The traffic rate itself was not high enough to trigger an alert on bps or pps. Instead, the content of the packets caused
issues on the server. This is a special characteristic of a pure application-layer attack.

11 Well Done, you have just successfully completed this exercise.

© Copyright 2022 NETSCOUT, Inc. All rights reserved