
25/01/2023 12:07 Netscout University - Lab "State Exhaustion Attacks"

State Exhaustion Attacks

Lab Description
Examine the details of a TCP SYN attack and use the TCP SYN Authentication countermeasure to
mitigate traffic for the customer managed object.

Duration: 25 minutes
Platform: https://sightline186.ne.netscout.com
Username: NE186
Password: Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order
described.

1. TCP SYN Attack

1 Log in to the Sightline Deployment

Username: NE186
Password: Vafaseyu2!

1. Connect to this URL, if this page is not already open: https://sightline186.ne.netscout.com
2. If prompted, you must first authenticate with the lab proxy. After that, you will be
redirected to the Sightline login page.
3. At the Sightline login page, use the credentials again to log in.
4. Notify the proctor if you are unable to connect to your Sightline.

2 Monitor the deployment for new DoS alerts: go to Alerts > Ongoing. Answer the following
questions by reviewing the most recent alert listed.

For which managed object is an alert reported?

What is the alert type of this alert?

Which misuse types are reported for this alert?

Is the alert a fast flood alert? Yes No

What is the importance of the alert?

3 Select the alert and use the Summary and Traffic Details tabs to identify the following
information:

What protocol(s) are reported?

What destination port(s) are reported?

4 In the Traffic Detail tab, looking at the TCP Flags statistics (near the bottom of the page),
does the percentage shown for SYN packets represent normal usage for a TCP application?

5 Click on the Mitigate Alert button and select Threat Management to begin mitigating this
alert.

6 We keep the provisioned mitigation configuration and select Save and Start for this
mitigation.

7 The TCP SYN Authentication countermeasure should be the primary countermeasure in use.
Enable this countermeasure and select the option(s) allowing users to connect to both HTTP
and HTTPS servers seamlessly.
Which selection avoids the browser error “The TCP Connection was reset by the server”?

Solution: Enable Out-of-sequence Authentication

8 Monitor the status of your mitigation on this mitigation dashboard:


Are you passing any traffic?

How can you tell if you are passing traffic?

Are you blocking any traffic?

9 Is the TCP SYN Authentication countermeasure currently dropping only the TCP SYN
packets or dropping all TCP traffic from unauthenticated sources?

10 If you wanted to drop all TCP traffic from unauthenticated sources until they establish a
brand new TCP connection, which option should be enabled?

Solution: You would need to disable the tcp-retransmit authentication on the TMS. This
authentication method is turned off when the option Enable Spoofed Flood
Protection is selected.

11 Using the Sample Packets, can you find the source of a valid packet?

Need help? The “Show Passed Packets” filtering option should help you out. Be patient, as the
packets are sampled and the number of passed packets is very low.

12 Close the Sample Packets window.

13 Stop your mitigation.

14 Well Done, you have just successfully completed this exercise.

© Copyright 2022 NETSCOUT, Inc. All rights reserved
