
REV1.16
NETSCOUT – Sightline/TMS

Chapters

1. Onboarding New Customers

2. Automate Mitigations

3. TMS Groups

NETSCOUT University
CONFIDENTIAL & PROPRIETARY

NETSCOUT - Technical Trainings


Terms and Conditions

Presentations, documents or other information provided during this training are NetScout Confidential Information and may not be disclosed to any third party or used for any other purpose than this training without the express written permission of NetScout. For more details refer to the Non-Disclosure Agreement (NDA) executed between NetScout and the company that sent trainees to take part in this training.

COPYRIGHT © 2022 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1

NETSCOUT University Onboarding


CONFIDENTIAL & PROPRIETARY Customers - 1

Onboarding New Customers

Sightline/TMS



Unit Summary
• Create Managed Object
• Configure Detection Settings
• Launch and use Learning Mitigation
• Configure Mitigation Templates
• Use inactive Mitigation for verification



Continual Improving Services

Unit 1: Onboarding New Customers



Continual Improving Services


Overview

Provisioning / Onboarding Process (flowchart):
1. Configure Managed Object: Name & Tags, Host Detection, Profiled Detection
2. Verify: check DoS alerting after 24h, check traffic reports. False positive? YES: adjust thresholds and verify again; NO: continue
3. Start Learning Mitigation: start multiple instances if different types of servers are behind the MO
4. Configure Filter Lists: customer-specific Deny & Allow lists
5. Configure Mitigation Template: use the learned dataset, consider specific customer information
6. Verify: run an inactive mitigation. False positive packet drops? YES: adjust settings and verify again; NO: continue
7. Configure MO Auto-Mitigation: assign the new template to the MO

Continual Service Improvement (loop):
DDoS attack → Auto/User Mitigation → monitor attack and mitigation → attack ended → Mitigation successful? YES: review and update the Mitigation Template (if needed); NO: tune countermeasures and verify the mitigation again


ITIL terminology - https://wiki.en.it-processmaps.com/index.php/ITIL_CSI_-_Continual_Service_Improvement


Managed Object Configuration

Unit 1: Onboarding New Customers



Managed Object Configuration


Overview

This flowchart highlights most of the necessary steps.

[Flowchart: Onboarding Process; the same provisioning/onboarding steps as shown in the Overview of this unit, from Configure Managed Object through Configure MO Auto-Mitigation]



Managed Object Configuration


Configuration

Administration > Monitoring > Managed Objects

When configuring a new Managed Object you need to select the Object Type; for our customers we use the type Customer.



Managed Object Configuration


Configuration (Cont.)

Fields of the Managed Object form:
• Unique Customer Name
• Description
• System-associated Tag
• Custom Tag

Custom Tags help searching and building grouped reports. Here we used Geographic, Customer Industry and DDoS Service Level as tags.


Managed Object Configuration Refresher

Configuration (Cont.)

Sightline does a longest match of the source & destination IP from the flow with the prefixes in BGP.

‘Classical’ Flow Information (11 fields):
Src IP, Dst IP, Src Port, Dst Port, Proto, Input Intf, Output Intf, ToS, Flags, Bytes, pkts

BGP Information (per matched prefix):
Prefix, Next Hop, AS path, Community

‘Super’ Flow Information (19 fields), used for the Managed Object match:
Source: IP, Prefix, NextHop, ASPath, Com
Destination: IP, Prefix, NextHop, ASPath, Com
Src Port, Dst Port, Proto, In Intf, Out Intf, ToS, Flags, Bytes, pkts



All other attributes are matched based on the prefix to source/destination IP match. For instance, a particular flow
will match a particular prefix and therefore that same flow will match that prefix’s ASPath, next-hops, and
communities as well.


Managed Object Configuration


Configuration (Cont.)

Managed Object Match (on the 19 fields of the ‘Super’ Flow Information)

CIDR Block:
• Can be IPv4, IPv6, or a combination of both
• Used to monitor traffic and detect anomalies for resources that are static
– Networks whose IP addresses don’t change over time (static customers, labs, router loopback addresses)
– Critical resources in the network (DNS, SMTP, Web servers)

CIDR Group:
• Used to provide detailed baselines on a per-prefix basis for DoS alert detection against the managed object

CIDR Blocks - One or more CIDR block prefixes of the form A.B.C.D/N. Use spaces to separate multiple
prefixes. All CIDRs listed will be treated in aggregate for traffic reporting and DoS alert detection.
CIDR Groups - One or more CIDR block prefixes (of the form A.B.C.D/N) followed by the name you
would like to assign to this group and a semicolon. Use spaces (no commas) to separate multiple
prefixes. Each line should contain one or more prefixes and one group name. (This match type is not
available to scoped view users.) Each CIDR listed will be treated individually for DoS alert detection but
all CIDRs will be treated in aggregate for traffic reporting.
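As an added example (not NETSCOUT's code and not Sightline's implementation), the following Python script simulates the longest-prefix enrichment from the refresher slide together with the CIDR Block, CIDR Group and Community match types described above; the BGP table, Managed Objects and flows are constructed sample data, and the per-prefix detection bin for CIDR Groups follows the note on aggregate reporting versus individual detection.

```python
# Added example (not NETSCOUT code): a simulation of the matching described on
# the slides. Flow src/dst IPs get the longest-matching BGP prefix and inherit
# that prefix's next hop, AS path and communities (the 19-field "super" flow);
# Managed Objects then match on CIDR Block (one aggregate bin), CIDR Group
# (aggregate for reporting, per-prefix bins for DoS detection) or BGP community.
# The BGP table, Managed Objects and flows below are constructed sample data.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BgpRoute:
    prefix: object          # ipaddress.IPv4Network or IPv6Network
    next_hop: str
    as_path: list
    communities: set


# Constructed BGP table: an aggregate, a more-specific and an IPv6 prefix.
BGP_TABLE = [
    BgpRoute(ipaddress.ip_network("203.0.113.0/24"), "198.51.100.1", [64500, 64501], {"64500:100"}),
    BgpRoute(ipaddress.ip_network("203.0.113.128/25"), "198.51.100.2", [64500, 64502], {"64500:200"}),
    BgpRoute(ipaddress.ip_network("2001:db8::/32"), "198.51.100.3", [64500, 64503], {"64500:300"}),
]


def longest_match(ip):
    """Most specific BGP route covering ip, or None (no default route in the table)."""
    addr = ipaddress.ip_address(ip)
    covering = [r for r in BGP_TABLE if addr.version == r.prefix.version and addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def enrich(flow):
    """Classical 11-field flow -> 19-field super flow (4 BGP fields added per side)."""
    sf = dict(flow)
    for side in ("src", "dst"):
        r = longest_match(flow[side + "_ip"])
        sf[side + "_prefix"] = str(r.prefix) if r else None
        sf[side + "_nexthop"] = r.next_hop if r else None
        sf[side + "_aspath"] = r.as_path if r else []
        sf[side + "_com"] = r.communities if r else set()
    return sf


def parse_cidr_groups(text):
    """CIDR Group syntax: one line per group, space-separated prefixes, then the group name and ';'."""
    groups = {}
    for line in text.strip().splitlines():
        *prefixes, name = line.strip().rstrip(";").split()
        groups[name] = [ipaddress.ip_network(p) for p in prefixes]
    return groups


@dataclass
class ManagedObject:
    name: str
    cidr_blocks: list = field(default_factory=list)   # treated in aggregate for reporting and detection
    cidr_groups: dict = field(default_factory=dict)   # name -> prefixes; each prefix is its own detection bin
    communities: set = field(default_factory=set)     # compared with the destination prefix's communities

    def bins(self, sf):
        """(report_key, detection_key) if the super flow matches, else None.
        Only traffic towards the MO (destination side) is evaluated here."""
        dst = ipaddress.ip_address(sf["dst_ip"])
        for n in self.cidr_blocks:
            if dst.version == n.version and dst in n:
                return (self.name, self.name)
        for prefixes in self.cidr_groups.values():
            for n in prefixes:
                if dst.version == n.version and dst in n:
                    return (self.name, f"{self.name}/{n}")
        if self.communities & sf["dst_com"]:
            return (self.name, self.name)
        return None


def match_all(flow, managed_objects):
    """Enrich a classical flow and return {MO name: detection bin} for every MO it matches."""
    sf = enrich(flow)
    return {b[0]: b[1] for b in (mo.bins(sf) for mo in managed_objects) if b}


# Constructed Managed Objects: a static CIDR Block customer, a hosting customer with a
# CIDR Group (per-prefix baselines), and a BGP customer matched by community.
MO_STATIC = ManagedObject("Static-Customer", cidr_blocks=[ipaddress.ip_network("203.0.113.0/25")])
MO_HOSTING = ManagedObject("Hosting", cidr_groups=parse_cidr_groups("203.0.113.128/26 203.0.113.192/26 webfarm;"))
MO_BGP = ManagedObject("BGP-Customer", communities={"64500:300"})
ALL_MOS = [MO_STATIC, MO_HOSTING, MO_BGP]

if __name__ == "__main__":
    for f in ({"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10"},
              {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.200"},
              {"src_ip": "2001:db8:1::5", "dst_ip": "2001:db8::1"}):
        print(f["dst_ip"], "->", match_all(f, ALL_MOS))
```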


Managed Object Configuration


Configuration (Cont.)

Managed Object Match (on the 19 fields of the ‘Super’ Flow Information)

BGP Matching:
• Used to monitor BGP resources that are dynamic
– BGP customers, market segments, network regions, groups of customers, strategic ASNs, groups of providers
– Preferred method for monitoring BGP customers, rather than directly monitoring customer prefixes
– Can match both IPv4 and IPv6
• AS Path Regular Expression
• Community
• Boolean Expression

Peer ASNs:
• Used for downstream BGP Customers
• Used for upstream BGP Peers

Advanced Boolean Matching - A matching expression including the other match types and the
operators: and, or, not. Note that advanced boolean matches cannot include SubASNs and CIDR blocks
entries cannot be parented by a clause that contains either the AND or NOT operator. For more
information on the FCAP language used for advanced boolean matches, see the "The FCAP Language"
appendix in the User Guide.
ASPath Regular Expression - A Cisco style, string based AS regular expression
Communities – A regular expression including one or more BGP communities in the form of X:Y, where
X represents the AS number and Y represents a number of local significance to AS X. Use commas (no
spaces) to separate multiple communities. The range of each X and Y must be within 0-65535.


Managed Object Configuration


Configuration (Cont.)

Managed Object Match (on the 19 fields of the ‘Super’ Flow Information)

FCAP:
• Used to monitor specific applications, attack vectors or market verticals
– VOIP, DNS, SMTP, web, P2P, etc.
– 40-byte packet traffic, etc.
• Match flows on any specified combination of characteristics in the flow

Interfaces:
• Boundary defined for the MO


Interfaces – Arbor Sightline bases this match on the defined interface boundary of the managed object.
Peer ASNs – One or more AS numbers of a peering network. These must be within the range of 1-65535
and must be unique across all customers.
Local ASN/SubAS - The AS number of a sub or local AS on your network. These must be within the
range of 1-65535 and must be unique across all customers.
Application ID - The ID number of an application. Arbor Sightline maps application ID numbers to
names, descriptions, and ports; this mapping is in sync with the mapping on the TMS devices.
TMS Ports – The TMS port (in, out, auto). Arbor Sightline maps the selected port to the managed object,
so traffic is into or out of the managed object. TMS ports represent a network boundary around a
managed object.
TMS VLANS - The VLANs associated with a TMS device. TMS VLANs require inline or span port TMS
deployment, not off-ramp TMS deployment.
Flow Filter - A fingerprint expression used to define which flows to match on.


Managed Object Configuration


Configuration (Cont.)

Managed Object Match
• IPv4 and IPv6 CIDR Blocks can be used within the same MO
• The Match field has a 56K character limit
• Refine Match 1 by using an FCAP as an additional filter



Managed Object Configuration


Configuration (Cont.)

Dynamic DNS Matching (available since Release ≥9.3)

Requirements:
➢ Sentinel License
➢ ISNG/vStream DNS Probe

Match options:
• Any source going to the mapped IP: * → a.b.x.d (ott.at)
• Match only if the source resolved the mapped IP: w.x.y.z → a.b.x.d (ott.at)

1 - 10 domain RegExes whose traffic is considered if a corresponding mapping is available in Sightline, e.g. *.ott.at = a.b.x.d TTL=xx


You need to permit communication with the ISNG; therefore, configure on the leader:

/ services sp device edit <name-of-leader-appliance> asidnsflow set <src-ip-probe>


Managed Object Configuration


Configuration (Cont.)

Dynamic DNS Matching (diagram):
MO1: Match *.ott.at; Service IP Address only; Dyn match: * → a.b.c.d (nn)
MO2: Match *.abc.org; Service IP Address only

Client w.x.y.z sends a DNS Request (Type A) for news.ott.at; the DNS Response (Type A) is a.b.c.d. The ISNG monitoring the DNS requests and replies sends an update to the Sightline Leader over UDP/6900:
DNSName: news.ott.at
QueryIP: w.x.y.z
ServiceIP: a.b.c.d
TTL: nn

There are two managed objects configured with dynamic DNS matching. Sightline requires DNS updates
from NETSCOUT vStream to learn which IP addresses currently resolve to the configured domains.

The vStream probe sees the DNS resolution of a client asking for ”news.ott.at”; as soon as the probe sees
the reply from the DNS server it updates Sightline with the DNS binding information that news.ott.at is
equal to IP address a.b.c.d for the length of the TTL value.

Every NetFlow record that includes the IP address a.b.c.d will now be considered to belong to the *.ott.at domain
and will be matched and binned to the configured managed object.


Managed Object Configuration


Configuration (Cont.)

Dynamic DNS Matching (diagram, phase II):
MO1: Match *.ott.at; Service IP Address only; Dyn match: * → a.b.c.d (nn)
MO2: Match *.abc.org
  • Service IP Address only: Dyn match: * → a.b.c.d (nn)
  • Service IP Address and Client IP: Dyn match: e.f.g.h → a.b.c.d (nn)

Client e.f.g.h sends a DNS Request (Type A) for bla.abc.org; the DNS Response (Type A) is a.b.c.d. The ISNG monitoring the DNS requests and replies sends an update to the Sightline Leader over UDP/6900:
DNSName: bla.abc.org
QueryIP: e.f.g.h
ServiceIP: a.b.c.d
TTL: nn

If multiple domains resolve to the same IP but you need to individually monitor those, then you must use “Service IP and Client IP” matching.

Phase II.

Sightline has already learned that the IP address a.b.c.d is equal to the domain *.ott.at.
Now another client in the network tries to resolve an IP address for a resource called “bla.abc.org”; as
soon as the vStream sees the reply it updates Sightline with the information. In this case the resolved
IP address is again a.b.c.d, which means that multiple different domains/services are hosted on that IP
address.

A Managed Object configured to match on Service IP only will not be able to differentiate whether the traffic
towards a.b.c.d is due to accessing *.ott.at or *.abc.org. It therefore matches both cases and is vulnerable
to overreporting.

Managed Objects configured to match on Service IP and Client IP will be able to differentiate whether traffic is
targeting *.ott.at or *.abc.org, as Sightline has a list of clients that explicitly asked for a DNS resolution of *.abc.org,
as on Managed Object 2. While this overcomes potential overreporting, it also requires that the DNS
requests and DNS replies for all clients are seen by the vStream and that all this information is sent to
Sightline, which requires proper sizing, especially for the NETSCOUT vStream probes in the network.
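As an added example (not NETSCOUT's code and not how Sightline implements it internally), the following Python script models the two Dynamic DNS matching modes described in Phase II: probe updates with the fields shown on the slide (DNSName, QueryIP, ServiceIP, TTL) become TTL-bounded bindings, and the same traffic is then checked against a "Service IP only" and a "Service IP and Client IP" Managed Object to show where the overreporting comes from. Domain patterns, client and service IPs, TTLs and timestamps are constructed values.

```python
# Added example (not NETSCOUT code): models Dynamic DNS Matching in the two
# modes described on the slides. A probe update (DNSName, QueryIP, ServiceIP,
# TTL) becomes a binding valid for TTL seconds. A "Service IP Address only" MO
# matches ANY flow to a bound service IP; a "Service IP and Client IP" MO also
# requires the flow's source to be a client that resolved one of the MO's domains.
# All names, IPs, TTLs and timestamps below are constructed sample values.
import fnmatch
from dataclasses import dataclass, field


@dataclass
class DnsBinding:
    dns_name: str
    query_ip: str      # client that asked
    service_ip: str    # address in the DNS answer
    expires_at: float  # learned time + TTL


@dataclass
class DynDnsManagedObject:
    name: str
    patterns: list                    # 1 - 10 domain patterns, e.g. "*.ott.at"
    require_client_ip: bool = False   # False = "Service IP Address only"
    bindings: list = field(default_factory=list)

    def wants(self, dns_name):
        return any(fnmatch.fnmatch(dns_name, p) for p in self.patterns)

    def learn(self, update, now):
        """Apply a probe update (the UDP/6900-style record) if the name matches this MO."""
        if self.wants(update["DNSName"]):
            self.bindings.append(DnsBinding(update["DNSName"], update["QueryIP"],
                                            update["ServiceIP"], now + update["TTL"]))

    def matches(self, flow, now):
        live = [b for b in self.bindings if b.expires_at > now and b.service_ip == flow["dst_ip"]]
        if not live:
            return False
        if not self.require_client_ip:
            return True                       # any source going to the mapped IP
        return any(b.query_ip == flow["src_ip"] for b in live)   # only clients that resolved it


SERVICE_IP = "192.0.2.10"     # one address hosting both *.ott.at and *.abc.org
CLIENT_OTT = "198.51.100.5"   # resolved news.ott.at
CLIENT_ABC = "198.51.100.6"   # resolved bla.abc.org

# Constructed probe updates, in the order the ISNG/vStream would send them.
PROBE_UPDATES = [
    {"DNSName": "news.ott.at", "QueryIP": CLIENT_OTT, "ServiceIP": SERVICE_IP, "TTL": 300},
    {"DNSName": "bla.abc.org", "QueryIP": CLIENT_ABC, "ServiceIP": SERVICE_IP, "TTL": 300},
]


def build_scenario(now=0.0):
    """MO1 (*.ott.at, service IP only), MO2a (*.abc.org, service IP only),
    MO2b (*.abc.org, service IP and client IP), all after learning the updates."""
    mos = [
        DynDnsManagedObject("MO1", ["*.ott.at"]),
        DynDnsManagedObject("MO2a", ["*.abc.org"]),
        DynDnsManagedObject("MO2b", ["*.abc.org"], require_client_ip=True),
    ]
    for update in PROBE_UPDATES:
        for mo in mos:
            mo.learn(update, now)
    return mos


def matching_mos(flow, mos, now):
    """Sorted names of the MOs that bin this flow at time now."""
    return sorted(mo.name for mo in mos if mo.matches(flow, now))


if __name__ == "__main__":
    mos = build_scenario()
    for src in (CLIENT_OTT, CLIENT_ABC):
        flow = {"src_ip": src, "dst_ip": SERVICE_IP}
        print(src, "->", SERVICE_IP, "binned to", matching_mos(flow, mos, now=100))
```

In the service-IP-only MOs every flow to the shared address is counted for both domains; MO2b counts only the client that actually resolved *.abc.org, and all bindings stop matching once the TTL has expired.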


Managed Object Configuration


Configuration (Cont.)

Every Managed Object requires a boundary definition:
• Default / Network / Global Boundary – all interfaces that are marked as external and represent external connectivity (assigned through the Interface Classification Rule).
• Local Boundary – a set of explicitly selected interfaces where the customer is connected (interfaces are selected manually).

Boundaries are not used for Host Detection or Profiled Router Detection.



Managed Object Configuration


Configuration (Cont.)

Sightline can alert when traffic towards a Managed Object exceeds or falls below a certain threshold. Traffic is measured in 5-minute intervals.

Threshold Alerting (example, Mbps):
• High Threshold Alert at 80 Mbps, Severity Medium
• Expected operating bandwidth of customer traffic lies between the two thresholds
• Low Threshold Alert at 10 Mbps, Severity Medium


Managed Object Configuration


Configuration (Cont.)

Sightline uses a hierarchy in the Host Detection Settings. There are three configuration options per Managed Object:

• Default (System defaults)
• Shared (Preferred)
– Shared Host Detection “template” for one or more MOs
– Template can be re-used for “similar” MOs
• Custom (only in exceptional cases)
– Unique MO specific settings
– Cannot be reused

(Diagram: Default Detection Settings at the top; a Shared setting applied to several MOs; a Custom setting applied to a single MO.)



Managed Object Configuration


Configuration (Cont.)

Shared Host Detection Settings
• Multiple Shared Host Detection templates can be created
• ‘Default’ is the global template that is used unless configured otherwise
• Select which routers should be considered for Host Alerting (≥9.3.5)
• Under Host Detection, select the Detection Template and click Edit Shared Settings to configure it



Managed Object Configuration


Configuration (Cont.)

Administration > Detection > Shared Host Detection Settings

Each Shared Host Detection Setting can be applied individually or to multiple MOs.

• Verify that the default settings are applicable to your network, else adjust them accordingly
• Pay attention to the units: Gbps, Mbps, Kbps and Mpps, Kpps



Managed Object Configuration


Configuration (Cont.)

Administration > Detection > User-Defined Misuse Types


Create new Misuse Types using FCAP expressions
• Up to 5 user-defined Misuse Types can be created
• Can be assigned to an automatic UDP filter
− Used by the UDP Reflection/Amplification Protection countermeasure
− Used by Flow Spec Auto-Mitigations
• Can be enabled/disabled in the Shared Detection Settings




Managed Object Configuration


Configuration (Cont.)

Detection Exclusion for Host Detection (≥9.3)

• Exclude IP Addresses or CIDRs from triggering Host Alerts
• Source (external) and Destination (internal) relative to the Managed Object’s defined Match

Detection Exclusions:
• Exclude source CIDR from Host Detection (outside the MO)
• Exclude destination CIDR* from Host Detection (inside the MO)

*CIDR is not validated against the MO Match definition

• Not limited to CIDR block or group match MOs
• Supported: IPv4 or IPv6 or Both
• 65K Character Limit
• No checks that the exclusions fall within the MO
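Because Sightline does not validate exclusion CIDRs against the MO match, a mistyped destination exclusion silently excludes nothing, and a source exclusion that overlaps the MO's own prefixes is probably a mistake. As an added example (not NETSCOUT's code), the following Python helper performs those checks plus the 65K character limit before an exclusion list is committed; the MO prefixes and exclusion lists are constructed sample values.

```python
# Added example (not NETSCOUT code): pre-commit sanity check for Detection
# Exclusions, doing what the slide says Sightline does not do. Destination
# exclusions must lie inside one of the MO's CIDR prefixes; source exclusions
# describe external clients and should not overlap the MO at all. Mixed IPv4
# and IPv6 lists are accepted, as on the MO form. Sample inputs are constructed.
import ipaddress


def parse_cidrs(text):
    """Whitespace-separated IPv4/IPv6 addresses or CIDRs (a bare address is a /32 or /128)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in text.split()]


def check_exclusions(mo_match, exclusions, direction, char_limit=65_000):
    """Validate an exclusion list against the MO's CIDR match.

    direction: "destination" (inside the MO) or "source" (outside the MO).
    Returns {"parsed": n, "misplaced": [cidr, ...], "over_limit": bool}.
    """
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    mo_nets = parse_cidrs(mo_match)
    excl_nets = parse_cidrs(exclusions)
    misplaced = []
    for ex in excl_nets:
        # subnet_of() refuses mixed address families, so compare within the family only
        family = [n for n in mo_nets if n.version == ex.version]
        if direction == "destination":
            ok = any(ex.subnet_of(n) for n in family)        # partial overlaps count as misplaced
        else:
            ok = not any(ex.overlaps(n) for n in family)     # must be disjoint from the MO
        if not ok:
            misplaced.append(str(ex))
    return {
        "parsed": len(excl_nets),
        "misplaced": misplaced,
        "over_limit": len(exclusions) > char_limit,   # the form's 65K character limit
    }


if __name__ == "__main__":
    # Constructed MO with an IPv4 and an IPv6 block; one destination exclusion is a typo.
    mo = "203.0.113.0/24 2001:db8::/32"
    print(check_exclusions(mo, "203.0.113.10 203.0.114.0/24 2001:db8:1::/48", "destination"))
    print(check_exclusions(mo, "198.51.100.0/24 203.0.113.0/25", "source"))
```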


Managed Object Configuration


Configuration (Cont.)

Profiled Router Detection is advised for Managed Objects
• With stable and predictable traffic
• Matching large blocks of infrastructure

(Diagram: customers A to E behind one Managed Object. A: more traffic than usual; B: same traffic as usual (+/- 0%); C: less traffic than usual. The overall traffic increase of the Managed Object is reasonable (+5%), so the network is not at risk. This avoids a false positive due to a single customer network event.)


Managed Object Configuration


Configuration (Cont.)

Profiled Router Thresholds are automatically re-calculated every 8 hours using recent traffic statistics.

Sensitivity during the first week: adjust it to prevent false positives (profiling requires 7 days of traffic).



Managed Object Configuration


False Positive Monitoring

(Flowchart excerpt: Configure Managed Object (Name & Tags, Host Detection, Profiled Detection) → verify (check DoS alerting after 24h, check traffic reports) → False Positive? YES: adjust thresholds; NO: Start Learning Mitigation)

Single target triggering the same misuse-types multiple times per day:
• Target constantly under attack?
• TCP RST threshold is too low; the MO host detection settings threshold needs to be adjusted


Learning Mitigation

Unit 1: Onboarding New Customers



Learning Mitigation
Overview

This flowchart highlights most of the necessary steps.

[Flowchart: Onboarding Process; the same provisioning/onboarding steps as shown in the Overview of this unit, from Configure Managed Object through Configure MO Auto-Mitigation]



Learning Mitigation
Configuration

Administration > Monitoring > Managed Objects

Start a new Learning Mitigation (Learning Mitigation > New Learning Mitigation), or copy the Learning Mitigation results from a similar Managed Object.



Learning Mitigation

Configuration (Cont.)

• Multiple Learning Mitigations can be run per MO to learn different services
• Use a clear naming structure: MO-Name_Service-Type_Date
• Specify a prefix, else the complete MO address space is used
• The period and duration are very important: the larger the amount of client connections recorded, the better. Prefer running it during the service’s busiest hours.
• Don’t forget to commit, else the Learning Mitigation will not start as scheduled

It is highly recommended to give each Learning Mitigation a clear and meaningful name. This should
include the name of the Managed Object that was learned and which services were targeted, such as ALL for the
complete Managed Object or keywords like DNS, WEB, MAIL, VPN, PROXY, … The name should also
include the date when the learning was conducted, to ensure that, when this process is repeated over time,
you can identify which set of information is the most decent and will be more reliable in the mitigation
cycle.

Example:
Managed-Object-Name_Server-Type_Date => Bank-of-xxx_DNS_20200503


Learning Mitigation
Configuration (Cont.)

Mitigation Listing: click the name of the learning mitigation to view its results. Learning mitigations are shown as launched by the system user.

Learning Mitigation can only be stopped in the CLI.


Sightline counts all running learning mitigations toward your licensed mitigation limit. If you are approaching your
limit, while running one or more learning mitigations, and then try to start a regular mitigation, Sightline stops the
learning mitigation to allow the regular mitigation to start.

Learning mitigations can only be stopped in the CLI; use the following command to stop all running learning mitigations
together:

/ services sp mitigation tms learning end_all


Learning Mitigation
Results

The learned dataset shows a snapshot of the seen traffic rates for several different rate-based countermeasures:
• Zombie Detection
• TCP Connection Reset
• HTTP Rate Limiting
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• SIP Request Limiting



Adding Filter Lists

Unit 1: Onboarding New Customers



Adding Filter Lists


Overview

This flowchart highlights most of the necessary steps.

[Flowchart: Onboarding Process; the same provisioning/onboarding steps as shown in the Overview of this unit, from Configure Managed Object through Configure MO Auto-Mitigation]



Adding Filter Lists


Types

Deny/Allow List – Uses FCAP expressions to identify traffic
IP Address List – Uses CIDR blocks to allow or deny
AIF List (NEW, ≥9.3.x) – ASERT-provided list of IP addresses from known attack reflectors
DNS List – Regular expressions that search for DNS queries and responses
HTTP/URL List – Regular expressions that search HTTP queries
IP Location – Uses GeoIP data to identify traffic from specific countries



Adding Filter Lists


Configuration (Cont.)

Administration > Mitigation > Filter Lists

Create a new filter list from the filter listing page. For AIF Filter Lists the listing shows the amount of included IPs or CIDRs.


Adding Filter Lists


Configuration (Cont.)

Specify the filter type and enter or upload the filter list elements:
• Manually enter the filter list
• Or upload local file contents as the filter list

Filter Types
IPv4 Deny/Allow – An FCAP filter based on ports, protocols, IPv4 addresses, etc.
IPv6 Deny/Allow – An IPv6 FCAP filter based on ports, protocols, IPv6 addresses, etc.
DNS – A list of DNS regular expressions.
IP Location – A list of countries, as defined by their IP addresses.
IPv4 Address – A list of IPv4 addresses and CIDR blocks.
IPv6 Address – A list of IPv6 addresses and CIDR blocks.
URL – A list of URL regular expressions.
Sightline validates IPv4 Deny/Allow, IPv4 Address, IPv6 Address, URL, and DNS filters when you
configure and save them. If Sightline cannot validate a filter, the Filter List Validation Errors window
appears.


Adding Filter Lists


Configuration (Cont.)

IP Location filter type requires a selection from a list of Countries


IP Location Filter Lists have two primary use cases.

If the legitimate client user base for a protected prefix is entirely within a known geographic area, an IP Location
filter list can be used to define that area for mitigations. Any mitigation for that prefix can then use that IP Location
filter list to drop all traffic outside of that area. Additional mitigation countermeasures can then be used against
attackers from within the legitimate user area without the need to apply those countermeasures to all attackers
worldwide.

Alternatively, if attacks are repeatedly launched from a particular geographic region that is unfriendly to the
Sightline customer, an IP Location filter list can be used to define that unfriendly area. Any mitigation can then use
that IP Location filter list to drop all traffic from sources within that area, and any additional countermeasures will
then be applied only to stray attackers outside of that area.


Adding Filter Lists


Configuration (Cont.)

Optionally, schedule automatic updating from external sources. Updating the list may take several minutes depending upon its size and complexity.



Adding Filter Lists


Limits

Total # Entries                  HD1000         2800           2300
IPv4 CIDR                        2,000,000*     2,000,000*     2,000,000*
IPv6 CIDR                        1,272,800*     1,272,800*     1,272,800*
Filter Lists per Mitigation      32             32             32
HTTP/URL                         10,000         10,000         10,000
DNS                              10,000         10,000         10,000
B/W Filter List & Fingerprints   85,000 bytes   85,000 bytes   85,000 bytes

*Summary over all running mitigations in a TMS


This table includes the Filter List mitigation limits for each series of appliances. In addition, there is a limit of
85,000 bytes (of FCAP expressions) for the combined size of the Deny/Allow filter list and the Deny List Fingerprints.


Adding Filter Lists


Configuration (Cont.)

If the new Managed Object is using APS/AED Cloud Signaling, ensure the system will use the provided Filter Lists during a mitigation:
• Cloud Signaling: enable Auto-Mitigate on Alert, if desired
• Use the provided Filter List in Mitigations



Building Mitigation & Templates

Unit 1: Onboarding New Customers



Building Mitigation Template


Overview

This flowchart highlights most of the necessary steps.

[Flowchart: Onboarding Process; the same provisioning/onboarding steps as shown in the Overview of this unit, from Configure Managed Object through Configure MO Auto-Mitigation]


NETSCOUT University Onboarding


CONFIDENTIAL & PROPRIETARY Customers - 44
NETSCOUT – Sightline/TMS

Building Mitigation Template
Overview

Combine mitigation parameters with a pre-set group of IPv4 or IPv6 countermeasures that can be used to thwart an attack.

Globally configured and can be assigned to multiple Managed Objects.

Diagram: a Template combines TMS Group, Diversion Prefix, BGP Signalling, Countermeasures, Timeout length and Filter Lists.

Mitigation templates are preset groups of countermeasures and countermeasure settings that can be used to pre-
populate the settings of a TMS mitigation.
Mitigation templates are intended to be used as a tool to quickly set the countermeasure settings of a TMS
mitigation, allowing a mitigation to be started with minimal time and effort. With mitigation templates configured,
Arbor Sightline can even be configured to perform an automatic mitigation response.
A TMS mitigation template named “Default” always exists in the system configuration. Its settings are used as
default mitigation settings by any mitigation that is not set to use a different template. Networks that have one
generic template for initial attack response often choose to make it the Default template.


Building Mitigation Template
Template Concepts

Generic Template
• Enable most common countermeasures as a “catch-all”
• Default template can be used for this
• Template mainly pre-applied to managed object

Resource-based Template
• Optimized for the type of resource protected
• Work with the customer to design

Attack-based Template
• Optimized for a specific attack
• Operators choose from a list of pre-defined defense templates
• A series of simple templates for common attack conditions

There are many strategies for building mitigation templates which will vary depending on customer needs. Some
ideas for mitigation templates are as follows:
Generic Template – A generic template enables some or all of the most common countermeasures. The purpose
of a generic template is to allow operators to quickly configure mitigations to block likely attacks as soon as
possible, before knowing anything about the attack, thereby reducing the impact of an attack as soon as possible
and easing pressure on operations staff until they can more carefully analyze the attack.
When more is known about an attack, the mitigation can be modified or replaced to adjust the countermeasures and
other settings. Most TMS implementations include at least one generic template to be used as a typical first
response.
Resource-based templates – Resource-based templates are mitigation templates that are set according to the
characteristics of a particular resource to be protected. For example, a web server would likely have HTTP
Authentication and Zombie filtering, but would not have a need for DNS or SIP countermeasures. A resource-based
template typically uses the Deny/Allow List to block all traffic that is not accepted by the resource, and also
enables the countermeasures that are relevant for that resource. Resource-based templates are typically used in
conjunction with auto-mitigations.

The mitigation template is associated with an Arbor Sightline managed object so that a mitigation using those
template settings is automatically activated whenever Sightline detects high-impact anomalous traffic toward the
resources defined by that managed object.

An example resource-based template for a DNS server group might use the Deny/Allow List to permit SSH and
SNMP traffic to and from operations center networks and to block all other traffic except for TCP port 53 and UDP
port 53, and to enable DNS Authentication and other DNS-related countermeasures.
Attack-based templates – Attack-based templates are mitigation templates that are set according to the
characteristics of a particular type of attack. The purpose of attack-based templates is to allow security-
knowledgeable administrators to create a collection of pre-defined defenses for various attack types. Operators are
then able to choose mitigation settings from the template collection based on the suspected attack. Settings
guesswork by operators is thus minimized and response time is decreased.
Some attack-based templates may be quite simple, yet still be useful. An example template for TCP SYN attacks
might enable only the TCP SYN Authentication and Zombie Detection countermeasures, and perhaps add a
Deny/Allow List rule to drop packets that have SYN set along with any of FIN, URG, or PSH.
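The two template sketches above (the DNS server group Deny/Allow List and the TCP SYN rule that drops SYN combined with FIN, URG or PSH) can be checked offline before they are typed into a template. The following is an added example, not NETSCOUT code and not the FCAP syntax the TMS uses: it models a Deny/Allow List as an ordered rule list with first-match semantics and evaluates constructed sample packets against it. The operations-centre network 192.0.2.0/24 and the sample source addresses are documentation ranges chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed operations-centre network (TEST-NET-1); stands in for the real NOC ranges.
OPS_CENTER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Packet:
    src: str
    proto: str        # "tcp" or "udp"
    dport: int
    flags: str = ""   # TCP flags as letters: S=SYN A=ACK F=FIN U=URG P=PSH R=RST


def from_ops_center(p: Packet) -> bool:
    ip = ipaddress.ip_address(p.src)
    return any(ip in net for net in OPS_CENTER_NETS)


def syn_with_fin_urg_psh(p: Packet) -> bool:
    """Rule from the attack-based SYN template: SYN together with FIN, URG or PSH is dropped."""
    return p.proto == "tcp" and "S" in p.flags and bool(set("FUP") & set(p.flags))


Rule = Tuple[str, str, Callable[[Packet], bool]]   # (name, action, match)

# Resource-based list for a DNS server group. Entries are evaluated top-down, the
# first match decides, and the last entry is the default deny for everything else.
# The SYN rule sits above the DNS allow so a malformed SYN to port 53 is still dropped.
DNS_SERVER_TEMPLATE: List[Rule] = [
    ("ops-ssh-snmp", "allow",
     lambda p: from_ops_center(p) and (p.proto, p.dport) in {("tcp", 22), ("udp", 161)}),
    ("syn-with-fin-urg-psh", "deny", syn_with_fin_urg_psh),
    ("dns", "allow", lambda p: p.proto in ("tcp", "udp") and p.dport == 53),
    ("default-deny", "deny", lambda p: True),
]


def evaluate(p: Packet, rules: List[Rule] = DNS_SERVER_TEMPLATE) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching entry."""
    for name, action, match in rules:
        if match(p):
            return action, name
    raise RuntimeError("filter list needs a terminal rule")


def summarize(packets: List[Packet], rules: List[Rule] = DNS_SERVER_TEMPLATE) -> Dict[str, int]:
    """Count how many packets each entry allowed or denied (a quick false-positive check)."""
    counts: Dict[str, int] = {}
    for p in packets:
        action, name = evaluate(p, rules)
        key = f"{action}:{name}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic towards the DNS server group.
SAMPLE = [
    Packet("203.0.113.10", "udp", 53),
    Packet("203.0.113.11", "tcp", 53, "S"),
    Packet("203.0.113.12", "tcp", 53, "SF"),   # SYN+FIN to the DNS port: still dropped
    Packet("192.0.2.7", "tcp", 22),            # SSH from the operations centre
    Packet("203.0.113.13", "tcp", 22),         # SSH from anywhere else
    Packet("203.0.113.14", "udp", 123),        # NTP: not a service this group offers
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, p.proto, p.dport, p.flags or "-", "->", evaluate(p))
    print(summarize(SAMPLE))
```

Running `summarize` over a capture of normal traffic towards the resource, rather than the constructed sample, shows which entries would drop legitimate packets; that is the same question the inactive mitigation answers later in this unit, but it can be asked before the template is built.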


Building Mitigation Template
Configuration

Administration > Mitigation > Templates

• Create a new IPv4- or IPv6-Template, or copy based on an existing template
• Reuse a Resource-based or Generic template by using the “Copy of Existing Template” option
• Adapt your new customer thresholds using the learning mitigation results

By default, the mitigation template that is applied to all Managed Objects is the system-defined “Default
IPv4/IPv6” template, which contains countermeasure settings for the most common types of DDoS attacks. This
might not be the most appropriate template given the asset under protection, therefore it might make sense to make
additional templates based on your needs.
Mitigation Templates can be managed by navigating to the Administration > Mitigation > Templates hierarchy
within the WebUI. All existing Mitigation Templates will be listed here and they can be edited or deleted. New
Mitigation Templates can be created by selecting the "Add Template" button.


Building Mitigation Template
Configuration (Cont.)

Template configuration looks the same as within the mitigation configuration.

• Name - Unique and should be meaningful
• Description - A brief summary of its targeted use case

You can Lock settings to prevent these from being modified during mitigation.

When configuring a Mitigation Template, you will notice that the configuration looks identical to the configuration
of an actual mitigation. This is because the template settings will ultimately be populated into a live mitigation and
determine which countermeasures are activated within that mitigation.
Select Enable CDN Proxy Support to prevent the blocking of a content delivery network (CDN) proxy. This
setting is a global setting that applies to all countermeasures in a mitigation that can block a source IP address
(more on this later).


Building Mitigation Template
Configuration (Cont.)

Protection Prefixes - Determine which prefixes will be diverted to TMS

• Empty = the alert target host/prefix IP (default)
• Limit/enforce the scope of the mitigation to prefixes that are critical and vulnerable
• Use Less Specific Diversion Prefixes: Sightline/TMS will advertise /24 diversion route(s) including the protection prefixes, which allows the diversion route to be propagated on the Internet


Building Mitigation Template
Configuration (Cont.)

TMS Appliances
• Specify the TMS Group that should be used when mitigating the attack
• Select Announce Route to permit Sightline/TMS BGP route advertisements


Building Mitigation Template
Configuration (Cont.)

Countermeasures: one-time display of the Learning Mitigation Data Set in the Template

• Sample size (number of unique sources seen)
• 120kbps is the highest rate seen during normal operation
• Threshold = highest value + safety margin
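The threshold rule on this slide is simple, but applying it across every rate-limiting countermeasure by hand is error-prone, and a learned value from a handful of sources deserves less trust than one from hundreds. The following added example (not NETSCOUT code; the learned data set layout, the percentage form of the safety margin and the 100-source confidence cut-off are the example's own assumptions) derives a threshold per countermeasure from constructed learning results and flags small samples.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LearnedDataSet:
    """Constructed stand-in for one countermeasure's learning-mitigation result."""
    countermeasure: str
    unit: str                    # "kbps" or "pps"
    interval_peaks: List[float]  # highest rate observed in each learning interval
    unique_sources: int          # sample size: distinct sources seen during learning


def recommend_threshold(ds: LearnedDataSet, margin_pct: float = 25.0,
                        min_sources: int = 100) -> Dict:
    """Threshold = highest value seen in normal operation + safety margin.

    The margin is applied as a percentage of the highest value (an assumption of this
    example; the slide only says 'safety margin'). A learning run that saw fewer than
    min_sources distinct sources is marked low-confidence so an operator re-checks it.
    """
    if not ds.interval_peaks:
        raise ValueError(f"{ds.countermeasure}: no learned data")
    highest = max(ds.interval_peaks)
    return {
        "countermeasure": ds.countermeasure,
        "highest": highest,
        "threshold": round(highest * (1 + margin_pct / 100)),
        "unit": ds.unit,
        "sample_size": ds.unique_sources,
        "low_confidence": ds.unique_sources < min_sources,
    }


def recommend_all(datasets: List[LearnedDataSet], **kwargs) -> Dict[str, Dict]:
    """Recommendations keyed by countermeasure, ready to be copied into a template."""
    return {ds.countermeasure: recommend_threshold(ds, **kwargs) for ds in datasets}


# Constructed learning results: the DNS figure mirrors the 120kbps peak on the slide.
LEARNED = [
    LearnedDataSet("DNS Rate Limiting", "kbps", [80, 95, 120, 110], unique_sources=540),
    LearnedDataSet("HTTP Rate Limiting", "kbps", [1500, 2100, 1800], unique_sources=45),
]

if __name__ == "__main__":
    for name, rec in recommend_all(LEARNED).items():
        flag = " (low confidence: small sample)" if rec["low_confidence"] else ""
        print(f"{name}: highest {rec['highest']} {rec['unit']} -> "
              f"threshold {rec['threshold']} {rec['unit']}{flag}")
```

With a 25% margin the DNS entry becomes 150 kbps; the HTTP entry is computed the same way but flagged, since 45 sources is too small a sample to represent normal operation, and that is exactly the kind of value the inactive mitigation later in this unit should be used to verify.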


Building Mitigation Template
Configuration (Cont.)

Configure any other countermeasures that are appropriate.

Deny/Allow List
• Enter any specific filter that should deny or allow traffic for the resources within this managed object
• Select from a global list of defined filter lists (like the Default IPv4 Deny/Allow)

IP Based Filter Lists
• Select any IPv4 Address Filter Lists to deny or allow CIDRs that are appropriate for the managed object
• IP Location Filter Lists allow traffic from various regions of the world to be passed or dropped

Building Mitigation
Template assignment

Assign a mitigation template to a Managed Object to be used in case of a User-Initiated and/or Auto-Mitigation.


Building Mitigation
BGP Diversion

Influence the distribution of the BGP diversion information in your network by adding BGP communities.

Available per Managed Object. Configured Diversion Communities are merged with those configured on the used TMS group.


Inactive TMS Mitigation

Unit 1: Onboarding New Customers


Inactive TMS Mitigation
Overview

This flowchart highlights most of the necessary steps of the onboarding process:

1. Configure Managed Object: Name & Tags; Host Detection; Profiled Detection
2. Verify: check DOS alerting after 24h; check Traffic Reports. False positives? YES: adjust thresholds and verify again. NO: continue
3. Start Learning Mitigation: start multiple instances if different types of servers sit behind the MO
4. Configure Filter Lists: customer-specific Deny & Allow List
5. Configure Mitigation Template: use the learned dataset; consider specific customer information
6. Verify: run an Inactive Mitigation. False positive packet drops? YES: adjust settings and verify again. NO: assign the new Template to the MO


Inactive TMS Mitigation
Configuration

Mitigation > Threat Management

• Select the Managed Object and add the Protection Prefixes you want to check against the template
• Run the Mitigation in Inactive Mode (simulation, no real drop)
• Select the created Template and click Apply


Inactive TMS Mitigation
Configuration (Cont.)

Run the inactive mitigation and review the number of false positive drops. In the screenshot, the DNS Rate Limiting thresholds need to be re-evaluated: the drops are too high for normal time.

Balancing Traffic Removal
• During the attack, passing legitimate traffic is a must. But some necessary countermeasures could drop some legitimate traffic.
• Inactive Mitigation allows you to check and tune the amount of legitimate traffic dropped.

Knowledge Check
Onboarding New Customers

Q1: What Managed Object types exist in Sightline?
a) City
b) Customer
c) Country
d) Profile

Q2: Which Detection Mechanism uses misuse types?
a) Profiled Router
b) Traffic Thresholds
c) Profiled Network
d) Host Detection

Q3: Learning Mitigation can be launched in parallel to a mitigation that is protecting the same IP Address.
a) True
b) False

Q4: Where are Filter Lists configured?
a) Within the Mitigation template
b) Within the Managed Object settings
c) Globally

Solution: Q1: b,d Q2: d Q3: b Q4: c


Lab Exercise

If you are asked for your POD-NUMBER during the exercises, use the following syntax:
Your Username: NE182 ➔ POD-NUMBER: 182

• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 60 minutes
• Lab Objectives: Onboarding Customers
  – Introduction to Sightline’s user interface
  – Launch Learning Mitigations
  – Build Mitigation Template tailored to customer
  – Run an Inactive Mitigation

In this Unit, we learned about:


• Create Managed Object

• Configure Detection Settings

• Launch and use Learning Mitigation

• Configure Mitigation Templates

• Use inactive Mitigation for verification


Automate Mitigations

Sightline/TMS


Unit Summary
• Requirements for an auto-mitigation

• Available auto-mitigation options

• Build and use a hierarchical mitigation setup


Auto-Mitigation

Unit 2: Automate Mitigations


Auto-Mitigation
Alert-Triggered

An auto-mitigation is initiated when all of the following are true:

1. Alert level is High
2. The alert is a Host alert (optionally: Profiled Router or Network)
3. The alert direction is Incoming
4. The alert has no other existing mitigations
5. No other mitigation exists that is diverting the exact same prefix
6. The attacked destination falls within the constraint prefixes defined within the Customer MO (if configured)


Auto-Mitigation
Mitigation Hierarchy

Unique assignment using the longest match.

Diagram: nested Managed Objects and their prefixes
• x.x.x.0/24: Data Center
• x.x.x.0/29: WEB Servers
• x.x.x.1/32: WEB Presence 1
• x.x.x.2/32: WEB Presence 2
The diagram assigns x.x.x.1/32 to WEB Presence 1, the longest matching Managed Object, rather than to Data Center (x.x.x.0/24).
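The longest-match assignment on this slide and the six trigger conditions on the previous one decide together whether an attack on a given host starts an auto-mitigation, and on which Managed Object's template. The following is an added example, not NETSCOUT code: it rebuilds the slide's hierarchy with the documentation range 198.51.100.0/24 standing in for x.x.x.0/24, selects the Managed Object by longest prefix match, and then lists which of the six conditions are not met (an empty list means the mitigation would start). The `Alert` fields, the constraint prefix on the Data Center object and the `profiled_alerts` switch are the example's own assumptions about how those settings would be represented.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class ManagedObject:
    name: str
    prefixes: List[str]
    # Optional auto-mitigation scope (condition 6); empty means no constraint.
    constraint_prefixes: List[str] = field(default_factory=list)


@dataclass
class Alert:
    target: str            # attacked host/prefix, e.g. "198.51.100.1/32"
    level: str             # "low" | "medium" | "high"
    kind: str              # "host" | "profiled_router" | "profiled_network"
    direction: str         # "incoming" | "outgoing"
    mitigations: int = 0   # mitigations already attached to this alert


# Constructed hierarchy mirroring the slide (TEST-NET-2 stands in for x.x.x.0/24).
MANAGED_OBJECTS = [
    ManagedObject("Data Center", ["198.51.100.0/24"], constraint_prefixes=["198.51.100.0/25"]),
    ManagedObject("WEB Servers", ["198.51.100.0/29"]),
    ManagedObject("WEB Presence 1", ["198.51.100.1/32"]),
    ManagedObject("WEB Presence 2", ["198.51.100.2/32"]),
]


def covers(prefix: str, target: str) -> bool:
    net = ipaddress.ip_network(prefix)
    tgt = ipaddress.ip_network(target, strict=False)
    return net.version == tgt.version and tgt.subnet_of(net)


def select_managed_object(target: str, mos: Sequence[ManagedObject] = MANAGED_OBJECTS
                          ) -> Optional[ManagedObject]:
    """Longest match: the MO whose covering prefix has the greatest prefix length wins."""
    best, best_len = None, -1
    for mo in mos:
        for p in mo.prefixes:
            plen = ipaddress.ip_network(p).prefixlen
            if covers(p, target) and plen > best_len:
                best, best_len = mo, plen
    return best


def auto_mitigation_blockers(alert: Alert, mo: ManagedObject, diverted: List[str],
                             profiled_alerts: bool = False) -> List[str]:
    """Return the unmet trigger conditions; an empty list means an auto-mitigation starts."""
    reasons = []
    if alert.level != "high":
        reasons.append("alert level is not High")
    allowed = {"host"} | ({"profiled_router", "profiled_network"} if profiled_alerts else set())
    if alert.kind not in allowed:
        reasons.append(f"{alert.kind} alerts do not trigger auto-mitigation")
    if alert.direction != "incoming":
        reasons.append("alert direction is not Incoming")
    if alert.mitigations:
        reasons.append("alert already has a mitigation")
    tgt = ipaddress.ip_network(alert.target, strict=False)
    if any(ipaddress.ip_network(d, strict=False) == tgt for d in diverted):
        reasons.append("another mitigation already diverts exactly this prefix")
    if mo.constraint_prefixes and not any(covers(c, alert.target) for c in mo.constraint_prefixes):
        reasons.append("target is outside the MO's auto-mitigation constraint prefixes")
    return reasons


def decide(alert: Alert, diverted: Sequence[str] = (), profiled_alerts: bool = False
           ) -> Tuple[Optional[str], List[str]]:
    mo = select_managed_object(alert.target)
    if mo is None:
        return None, ["no managed object covers the target"]
    return mo.name, auto_mitigation_blockers(alert, mo, list(diverted), profiled_alerts)


if __name__ == "__main__":
    for a in [Alert("198.51.100.1/32", "high", "host", "incoming"),
              Alert("198.51.100.5/32", "high", "host", "incoming"),
              Alert("198.51.100.200/32", "high", "host", "incoming")]:
        print(a.target, "->", decide(a))
```

The third sample alert lands on Data Center by longest match, yet is blocked because 198.51.100.200 lies outside that object's constraint prefix; that is the practical effect of scoping auto-mitigation to the critical part of a customer's address space rather than the whole MO.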

Auto-Mitigation
Configuration

Administration > Mitigation > Global Settings (Global TMS Mitigation Settings)

• Enable Auto-Mitigation as a configuration option
• Enable Profiled Alerts to trigger auto-mitigation


Auto-Mitigation
Configuration (Cont.)

Administration > Monitoring > Managed Objects (Mitigation)

• Scope the IP address range that is allowed to be auto-mitigated
  Note: A list of prefixes can be globally excluded from all auto-mitigation via the CLI (≥9.5.0.0)
• Assign IPv4 and IPv6 Mitigation Templates


To specify prefixes that you want Sightline to exclude from all auto-mitigations, enter:

/ services sp mitigation auto-mitigation exclude_prefixes [v4|v6] set list_of_prefixes

• list_of_prefixes = a comma-separated list of IPs

NOTE: This command overwrites previously specified IPv4 or IPv6 prefixes!

You also need to save the configuration by entering: / config write


Auto-Mitigation
Configuration (Cont.)

Mitigation

• TMS – Use the Threat Mitigation System to stop the attack.
• IPv4 Blackhole – Only signal a BGP Blackhole route to the network and suppress the traffic.
• TMS + IPv4 Blackhole – Use the Threat Mitigation System to stop the attack until the attack size exceeds a threshold; the system will then signal an additional BGP Blackhole route to the network and suppress the traffic.


Auto-Mitigation
Configuration (Cont.)

Mitigation: Ending Auto-Mitigations

• DOS Attack default
• DOS Attack stop delayed
• DOS Attack hard stop
• DOS Attack stopped by operator
• DOS Attack auto to manual (the user changed the auto-mitigation settings and pressed Save)



Auto-Mitigation
Configuration (Cont.)

Mitigation: TMS only

• Reuse allows protection prefixes to be added to a running mitigation, avoiding the start of a new mitigation
• Do not use the complete MO IP space; instead identify the top attacked prefix


Auto-Mitigation
Configuration (Cont.)

Mitigation: IPv4 Blackhole only

• Specify BGP Communities (if needed)
• Select the Nexthop to be used on the advertisement
• Select the routers that should receive the BGP Blackhole route


Auto-Mitigation
Configuration (Cont.)

Mitigation: TMS & IPv4 Blackhole

• No Mitigation Reuse support
• Do not use the complete MO IP space; instead identify the top attacked prefix


Auto-Mitigation
Configuration (Cont.)

Mitigation: TMS & IPv4 Blackhole (Cont.)

• Threshold (over all involved TMS) that needs to be exceeded, combined with and/or
• Configure Communities and select the next hop
• Routers that will receive the BGP Blackhole route


Auto-Mitigation
Configuration (Cont.)

Mitigation: FlowSpec by Misuse Type (Drop Traffic or Rate Limit, ≥9.4.0.0)

• Auto-FlowSpec advertisements for configured Host Misuse Types
• Select Routers
• Select FlowSpec Rules (FlowSpec Rule Elements)


Auto-Mitigation
Configuration (Cont.)

Mitigation: Sightline Signaling Automatic Mitigation Requests (≥9.5.0.0)

• Select one or more Providers
• Request comment shown in the screenshot: “As agreed, I need your assistance on customer important.com”


Auto-Mitigation
Multi-Layer Defense

Situation 1: TMS Mitigation only

Diagram (Upstream Peer, Network Edge, TMS (10Gbps), Sightline):
• 2 Gbps – Legitimate Traffic
• 4 Gbps – TCP ACK Flood
• 3 Gbps – TCP SYN Flood
• 9 Gbps in total at the TMS
• 80 Gbps – DNS Amplification Attack


Auto-Mitigation
Multi-Layer Defense

Situation 2: TMS & FS Mitigation

Diagram (Upstream Peer, Network Edge, TMS (10Gbps), Sightline):
• 2 Gbps – Legitimate Traffic
• 4 Gbps – TCP ACK Flood (!)
• 3 Gbps – TCP SYN Flood
• 8 Gbps – NTP Amplification Attack
• 9 Gbps and 17 Gbps shown at the TMS (10Gbps)


Auto-Mitigation
Multi-Layer Defense

Situation 3: BH Mitigation - To upstream carrier protecting peering

Diagram (Upstream Peer, Network Edge, TMS (10Gbps), Sightline):
• 2 Gbps – Legitimate Traffic
• 4 Gbps – TCP ACK Flood (!)
• 3 Gbps – TCP SYN Flood
• 8 Gbps – NTP Amplification Attack
• 80 Gbps – DNS Amplification Attack
• 89 Gbps (!)


Auto-Mitigation
Multi-Layer Defense

Situation 4: Sightline Signal - To upstream carrier protecting both

Diagram (Upstream Peer, Network Edge, TMS (10Gbps), Sightline; Sightline Signal to the upstream carrier's Sightline):
• 2 Gbps – Legitimate Traffic
• 4 Gbps – TCP ACK Flood (!)
• 3 Gbps – TCP SYN Flood
• 8 Gbps – NTP Amplification Attack
• 80 Gbps – DNS Amplification Attack
• 89 Gbps (!)
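The four situations above are a capacity question: which attack vector is stopped at which layer, and what is left for a 10 Gbps TMS. The following added example (not NETSCOUT code) uses the traffic figures from the slides as constructed flows and lets you assign each vector to a layer: the TMS (default), FlowSpec drop at the network edge, or an upstream blackhole or Sightline Signal request. Two modelling assumptions are the example's own: all flows target the same protected prefix, so an upstream blackhole also discards the legitimate traffic (which is why situation 3 protects the peering but not the customer, and situation 4 protects both), and a TMS is overloaded when its load exceeds the 10 Gbps shown on the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TMS_CAPACITY_GBPS = 10.0   # the TMS (10Gbps) shown in all four situations


@dataclass(frozen=True)
class Flow:
    name: str
    gbps: float
    legitimate: bool = False


# Constructed flows using the slide figures.
LEGIT = Flow("Legitimate Traffic", 2.0, legitimate=True)
ACK_FLOOD = Flow("TCP ACK Flood", 4.0)
SYN_FLOOD = Flow("TCP SYN Flood", 3.0)
NTP_AMP = Flow("NTP Amplification Attack", 8.0)
DNS_AMP = Flow("DNS Amplification Attack", 80.0)
ALL_VECTORS = [LEGIT, ACK_FLOOD, SYN_FLOOD, NTP_AMP, DNS_AMP]


def place(flows: List[Flow], handling: Dict[str, str]) -> Dict[str, float]:
    """Distribute flows over the defence layers and report the load each one carries.

    handling maps a flow name to "tms" (default), "flowspec" (dropped at the network
    edge), "blackhole" or "signal" (stopped by the upstream carrier before the peering
    link). A blackhole applies to the destination prefix, so legitimate traffic to it is
    discarded as well (assumption: all flows share one destination prefix).
    """
    r: Dict[str, float] = {"stopped_upstream": 0.0, "ingress_at_edge": 0.0,
                           "dropped_by_flowspec": 0.0, "tms_load": 0.0, "delivered": 0.0}
    blackholed = "blackhole" in handling.values()
    for f in flows:
        where = handling.get(f.name, "tms")
        if f.legitimate and blackholed:
            where = "blackhole"
        if where in ("blackhole", "signal"):
            r["stopped_upstream"] += f.gbps
            continue
        r["ingress_at_edge"] += f.gbps          # crosses the peering link
        if where == "flowspec":
            r["dropped_by_flowspec"] += f.gbps
            continue
        r["tms_load"] += f.gbps                 # diverted through the scrubbing path
        if f.legitimate:
            r["delivered"] += f.gbps            # assumes the TMS passes clean traffic
    r["tms_overloaded"] = r["tms_load"] > TMS_CAPACITY_GBPS
    return r


SITUATIONS: Dict[str, Tuple[List[Flow], Dict[str, str]]] = {
    "1: TMS only": ([LEGIT, ACK_FLOOD, SYN_FLOOD], {}),
    "2: TMS + FlowSpec": (ALL_VECTORS, {DNS_AMP.name: "flowspec"}),
    "3: + upstream blackhole": (ALL_VECTORS, {DNS_AMP.name: "blackhole", NTP_AMP.name: "flowspec"}),
    "4: + Sightline Signal": (ALL_VECTORS, {DNS_AMP.name: "signal", NTP_AMP.name: "signal"}),
}


def evaluate_all() -> Dict[str, Dict[str, float]]:
    return {name: place(flows, handling) for name, (flows, handling) in SITUATIONS.items()}


if __name__ == "__main__":
    for name, r in evaluate_all().items():
        state = "OVERLOADED" if r["tms_overloaded"] else "ok"
        print(f"{name}: ingress {r['ingress_at_edge']:.0f} Gbps, TMS {r['tms_load']:.0f} Gbps "
              f"({state}), delivered {r['delivered']:.0f} Gbps, stopped upstream "
              f"{r['stopped_upstream']:.0f} Gbps")
```

Situation 2 reproduces the 17 Gbps on the slide: FlowSpec removes the 80 Gbps DNS amplification at the edge, but the 8 Gbps NTP vector still reaches the TMS on top of the 9 Gbps it was already scrubbing. Situation 3 brings the TMS back under capacity at the cost of all traffic to the prefix; situation 4 keeps the 2 Gbps of legitimate traffic flowing.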


Knowledge Check
Automate Mitigations

Q1: Which Alert Direction is required for DOS Alerts to be automatically mitigated?
a) Outgoing
b) Incoming

Q2: An IP prefix can be part of several running mitigations simultaneously.
a) True
b) False

Q3: You can change the countermeasure settings on a running auto-mitigation, and it will still automatically stop when the triggering DOS alert ended.
a) True
b) False


Solution: Q1: b Q2: b Q3: b


Lab Exercise

If you are asked for your POD-NUMBER during the exercises, use the following syntax:
Your Username: NE182 ➔ POD-NUMBER: 182

• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 50 minutes
• Lab Objectives: Automate Mitigations
  – Introduction to Sightline’s user interface
  – Configure Flowspec Auto-mitigation Settings
  – Configure Auto-mitigation on Managed Objects
  – Review Alert Auto-Mitigations


In this Unit, we learned about:


• Requirements for an auto-mitigation

• Available auto-mitigation options

• Build and use a hierarchical mitigation setup


TMS Groups

Sightline/TMS


Unit Summary
• Locations and traffic distribution

• Group Configuration

• Group Orchestration


Locations and Traffic Distribution

Unit 3: TMS Groups


Locations and Traffic Distribution
Overview

Distributed (TMS deployed at several locations, e.g. West and East)
• Small attack footprint
• Limited scalability

Centralized (several TMS in one location)
• Bigger attack footprint
• Scalability, supports Redundancy

Locations and Traffic Distribution
Redundancy

• Scrubbing Centers use IP Anycast; the IGP routing protocol selects the closest location
• In the event of an outage the traffic is routed by the IGP routing protocol to the remaining Scrubbing Center

Ensure your network has enough free capacity.

(Diagram: TMS West and TMS East, both reachable via the same IP Anycast address)


Locations and Traffic Distribution
Traffic Diversion

BGP Route Diversion: the TRA announces “a.b.c.d/255.255.255.255, NH:TMS” to router B, which sends traffic for a.b.c.d to the TMS

versus

BGP FlowSpec Diversion: the TRA announces “Destination Prefix:a.b.c.d/32, redirect to TMS” to router B, which redirects traffic for a.b.c.d on its FlowSpec-enabled interface

Locations and Traffic Distribution
Load Sharing

Traffic Distribution between TMS in the same Location (Scrubbing Center)
• ECMP Load Balancing
• Layer 3 Traffic Balancing in front of the TMS: could be a Router, Switch or Load Balancer


Locations and Traffic Distribution
TMS Group Design

• By location: DC1, DC2 (North - South Data Center 1 & 2)
• By Managed Service Classes: Platinum, Gold, Best Effort



TMS Group Configuration

Unit 3: TMS Groups


TMS Group Configuration


Configuration

Administration > Mitigation > TMS Groups


TMS groups should have a unique name; additional information can be listed in the Description field.


TMS Group Configuration
Configuration (Cont.)

Diversion: specified BGP diversion parameters will overwrite the individual TMS configuration:
• Nexthops
• Communities
• Flowspec redirect

Ensure that these nexthops and redirect targets are known to all routers that serve the TMS Group.


TMS Group Configuration
Configuration (Cont.)

TMS Appliances: select complete TMS appliances or individual interfaces as TMS Group Members.


TMS Group Configuration
Configuration (Cont.)

• Deployment Defaults: define the TMS Group behaviour if a member fails
• Mitigation Preconditions: define the required preconditions before a TMS Group accepts any new Mitigation


TMS Group Configuration
Configuration (Cont.)

If the DNS Authentication countermeasure in Active UDP mode is used, the TMS should know for which DNS Authoritative Servers (callout 6) it should use which IP (callout 7) for ‘redirecting’ during the authentication process.

Fields: Prefix of protected DNS Authoritative Servers; Server IP used for Redirect (Act. DNS Auth.)


Mitigation Orchestration

Unit 3: TMS Groups


Mitigation Orchestration
Overview

The volume of attacks can change over time, and therefore any current combination of mitigations carried out simultaneously can lead to a TMS appliance being overloaded relative to its maximum capacity (oversubscribed).

(Chart: bps over time t; Mitigation A, then +B, then +C, until the maximum throughput of the TMS Group is exceeded)

Mitigation Orchestration
Configuration

Administration > Mitigation > Global Settings

• Allow a mitigation to be returned to the original TMS Group
• Interval in which the capacity is checked to see if a mitigation can be returned
• Pause time during which the mitigation is present on the initial and the new TMS Group, to ensure the network can converge
• Time the capacity must be exceeded on any TMS in a group to start a mitigation move

Mitigation Orchestration
Configuration (Cont.)

• On the TMS Group, configure the bandwidth threshold that must be exceeded before a mitigation can be moved (Mitigation Orchestration; based on the licensed limit or the maximum appliance throughput)
• Specify the TMS Group to which the mitigation should be moved (if there are enough resources available)
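The global settings on the previous slide and the per-group threshold and target here interact in ways that are easier to see in a simulation than in prose: a move only starts after the group has been over its threshold for the configured time, the moved mitigation counts on both groups during the convergence pause, and the return check runs on its own interval. The following added example (not NETSCOUT code; how Sightline actually schedules moves is not documented on these slides, so the selection of the largest mitigation that fits, the default timers and the two-group scenario are the example's own assumptions) models that behaviour over a constructed timeline with two TMS Groups of 10 Gbps and an 80% orchestration threshold.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TMSGroup:
    name: str
    max_throughput_gbps: float          # licensed limit or maximum appliance throughput
    move_threshold_pct: float           # orchestration threshold configured on the group
    move_target: Optional[str] = None   # group to move mitigations to (None = never move)
    mitigations: Dict[str, float] = field(default_factory=dict)  # mitigation -> load in Gbps
    over_since: Optional[int] = None    # time the threshold was first exceeded

    @property
    def threshold_gbps(self) -> float:
        return self.max_throughput_gbps * self.move_threshold_pct / 100.0


@dataclass
class Move:
    mitigation: str
    gbps: float
    src: str
    dst: str
    until: int   # end of the pause window; the load counts on both groups until then


class Orchestrator:
    def __init__(self, groups: List[TMSGroup], exceed_seconds: int = 30,
                 pause_seconds: int = 60, return_interval: int = 300, allow_return: bool = True):
        self.groups = {g.name: g for g in groups}
        self.exceed_seconds, self.pause_seconds = exceed_seconds, pause_seconds
        self.return_interval, self.allow_return = return_interval, allow_return
        self.in_transit: List[Move] = []
        self.origin: Dict[str, str] = {}   # mitigation -> group it was started on
        self.last_return_check = 0

    def load(self, name: str) -> float:
        """Current load, including mitigations still converging away from this group."""
        g = self.groups[name]
        return sum(g.mitigations.values()) + sum(m.gbps for m in self.in_transit if m.src == name)

    def _move(self, mit: str, src: TMSGroup, dst: TMSGroup, now: int) -> None:
        gbps = src.mitigations.pop(mit)
        dst.mitigations[mit] = gbps
        self.in_transit.append(Move(mit, gbps, src.name, dst.name, now + self.pause_seconds))
        self.origin.setdefault(mit, src.name)

    def tick(self, now: int) -> List[str]:
        """Run one capacity check at time `now` and return the orchestration events."""
        events: List[str] = []
        self.in_transit = [m for m in self.in_transit if m.until > now]   # pauses that ended
        for g in self.groups.values():
            if g.move_target is None or any(m.src == g.name for m in self.in_transit):
                continue   # not orchestrated, or still converging a previous move
            if self.load(g.name) <= g.threshold_gbps:
                g.over_since = None
                continue
            if g.over_since is None:
                g.over_since = now
            elif now - g.over_since >= self.exceed_seconds:
                target = self.groups[g.move_target]
                free = target.threshold_gbps - self.load(target.name)
                fitting = [m for m, gbps in g.mitigations.items() if gbps <= free]
                if fitting:
                    mit = max(fitting, key=g.mitigations.__getitem__)   # largest that fits
                    self._move(mit, g, target, now)
                    events.append(f"{now}: moved {mit} {g.name}->{target.name}")
                    g.over_since = None
                else:
                    events.append(f"{now}: {g.name} over threshold, no room on {target.name}")
        if self.allow_return and now - self.last_return_check >= self.return_interval:
            self.last_return_check = now
            for mit, home in list(self.origin.items()):
                cur = next(g for g in self.groups.values() if mit in g.mitigations)
                if cur.name == home:
                    del self.origin[mit]
                    continue
                if self.load(home) + cur.mitigations[mit] <= self.groups[home].threshold_gbps:
                    self._move(mit, cur, self.groups[home], now)
                    events.append(f"{now}: returned {mit} to {home}")
        return events


def run_demo() -> Tuple[List[str], Dict[str, Dict[str, float]]]:
    """Constructed timeline: C joins A and B on DC1 at t=10 and ends at t=150."""
    dc1 = TMSGroup("DC1", 10.0, 80.0, move_target="DC2", mitigations={"A": 5.0, "B": 2.0})
    dc2 = TMSGroup("DC2", 10.0, 80.0)
    orch = Orchestrator([dc1, dc2])
    events: List[str] = []
    for now in range(0, 361, 10):
        if now == 10:
            dc1.mitigations["C"] = 3.0
        if now == 150:
            dc1.mitigations.pop("C", None)
        events += orch.tick(now)
    return events, {g.name: dict(g.mitigations) for g in orch.groups.values()}


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

In the constructed run DC1 exceeds its 8 Gbps threshold at t=10, the move only fires at t=40 once the 30-second exceed time has elapsed, and mitigation A returns at the first 300-second return check because DC1 has room again; lowering the pause below the exceed time, or allowing moves while a group is still converging, is what produces cascades of moves, which is why the example refuses to start a second move from a group whose previous move has not settled.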


Mitigation Orchestration
Monitoring

When a mitigation is moved due to the Orchestration, Sightline will generate a corresponding alert and update the annotations.

• Successful:
• Failed:


Knowledge Check
TMS Groups

Q1: By default, the failure of an individual TMS would not bring down the complete TMS Group.
a) True
b) False

Q2: Which statement about TMS Groups is true?
a) TMS Groups are created for a one-click hitless software upgrade procedure
b) TMS Groups combine alerts of individual TMS Appliances
c) TMS Groups control where a TMS mitigation will be performed

Q3: Mitigation Orchestration is only used in case of a TMS Group failure.
a) True
b) False

Solution: Q1: b Q2: c Q3: b


In this Unit, we learned about:


• Locations and traffic distribution

• Group Configuration

• Group Orchestration


NETSCOUT University
CONFIDENTIAL & PROPRIETARY

Corporate Headquarters
310 Little Road
Westford, MA 01886, USA
Toll Free +1 888 357 7667
T +1 978 614 4000
F +1 978 614 4004
www.netscout.com

This course material is based on Arbor Sightline Release 9.5.0.0
Revised: 21st of March 2022

Information presented in this document is subject to change without notice. The contents of this publication may not be reproduced (in any part or as a whole) without the permission of the publisher. Sightline is a trademark of NETSCOUT Inc. All other trademarks are the property of their respective owners.
Copyright © 2022 NETSCOUT, Inc. All rights reserved.
