
SpectraSecure User Guide

733-XXXX Rev. A


NETSCOUT SYSTEMS, INC.


Westford, MA 01886
Telephone: 978.614.4000
Fax: 978.614.4004

Web: http://www.netscout.com
Use of this product is subject to the End User License Agreement available at
http://www.NetScout.com/legal/terms-and-conditions or which accompanies the product at the time of shipment or, if
applicable, the legal agreement executed by and between NETSCOUT Systems, Inc. or one of its wholly-owned subsidiaries
("NETSCOUT") and the purchaser of this product ("Agreement").

Government Use and Notice of Restricted Rights: In U.S. government ("Government") contracts or subcontracts, Customer
will provide that the Products and Documentation, including any technical data (collectively "Materials"), sold or delivered
pursuant to this Agreement for Government use are commercial as defined in Federal Acquisition Regulation ("FAR") 2.101
and any supplement and further are provided with RESTRICTED RIGHTS. All Materials were fully developed at private expense.
Use, duplication, release, modification, transfer, or disclosure ("Use") of the Materials is restricted by the terms of this
Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government agency purposes and
252.227-7015 of the Defense Federal Acquisition Regulations Supplement ("DFARS") for military Government agency purposes, or the
similar acquisition regulations of other applicable Government organizations, as applicable and amended. The Use of Materials
is restricted by the terms of this Agreement, and, in accordance with DFARS Section 227.7202 and FAR Section 12.212, is
further restricted in accordance with the terms of NETSCOUT'S commercial End User License Agreement. All other Use is
prohibited, except as described herein.

This Product may contain third-party technology. NETSCOUT may license such third-party technology and documentation
("Third-Party Materials") for use with the Product only. In the event the Product contains Third-Party Materials, or in the event
you have the option to use the Product in conjunction with Third-Party Materials (as identified by NETSCOUT in the
Documentation provided with this Product), then such Third-Party Materials are provided or accessible subject to the applicable
third-party terms and conditions contained in the "Read Me" or "About" file located in the Software, on an Application CD
provided with this Product, in an appendix located in the documentation provided with this Product, or in a standalone
document where you access other on-line Product documentation. To the extent the Product includes Third-Party Materials
licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of, and may enforce, the applicable
provisions of such third-party terms and conditions.

Open-Source Software Acknowledgment: This product may incorporate open source components that are governed by the
GNU General Public License ("GPL") or licenses similar to the GPL license ("GPL Compatible License"). In accordance with the
terms of the GPL Compatible Licenses, NETSCOUT will make available a complete, machine-readable copy of the source code
components covered by the GPL Compatible License, if any, upon receipt of a written request. Please identify the NETSCOUT
product and open source component, and send a request to:

NETSCOUT SYSTEMS, INC


Open Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department

To the extent applicable, the following information is provided for FCC compliance of Class A devices:

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of
the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency
energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case
users will be required to correct the interference at their own expense.

Modifications to this product not authorized by NETSCOUT could void the FCC approval and terminate your authority to
operate the product. Please also see NETSCOUT's Compliance and Safety Warnings for NetScout Hardware Products
document, which can be found in the documents accompanying the equipment, or in the event such document is not
included with the product, please see the compliance and safety warning section of the user guides and installation
manuals.

No portion of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or
machine form without prior consent in writing from NETSCOUT. The information in this document is subject to change without
notice and does not represent a commitment on the part of NETSCOUT.

The products and specifications, configurations, and other technical information regarding the products described or referenced
in this document are subject to change without notice and NETSCOUT reserves the right, at its sole discretion, to make changes
at any time in its technical information, specifications, service, and support programs. All statements, technical information,
and recommendations contained in this document are believed to be accurate and reliable but are presented "as is" without
warranty of any kind, express or implied. You must take full responsibility for their application of any products specified in this
document. NETSCOUT makes no implied warranties of merchantability or fitness for a purpose as a result of this document or
the information described or referenced within, and all other warranties, express or implied, are excluded.

Except where otherwise indicated, the information contained in this document represents the planned capabilities and intended
functionality offered by the product and version number identified on the front of this document. Screen images depicted in
this document are representative and intended to serve as example images only.

Copyright 2009-2021 NETSCOUT Systems, Inc. All rights reserved.

Contacting NETSCOUT SYSTEMS, INC.


Customer Care
The best way to contact Customer Care is to submit a Support Request:
https://my.netscout.com/mcp/Support/Pages/Home.aspx

Telephone: US Toll Free: +1-888-357-7667; International Toll Free: +800 4764 3337.
Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).

When you contact Customer Support, the following information can be helpful in diagnosing and solving problems:
— Your organization’s name, contact name, phone number, and location of system
— Type of nGenius 3900 series switch model
— SpectraSecure serial number
— SpectraSecure Software version
— Detailed description of the problem, or source of the problem based on its symptoms
— Error text messages, supporting screen images, logs, and error files, as appropriate

Sales
Call 800-357-7666 for the sales office nearest your location.

Contents

Chapter 1 About This Document
  Related Documentation
  Contacting NETSCOUT Customer Support
  NETSCOUT Web Site

Chapter 2 Using SpectraSecure
  Logging in to the SpectraSecure Console
  Configuring and Starting a DDoS Attack
  Configuring and Starting a DDoS Batch or an Automation Attack
  Re-Running a DDoS Attack
  Analyzing DDoS Attack Test Results
  Uploading Custom IP-Tables to SpectraSecure Endpoint
  Standard Tests
  Report Generation
  External Access-Control System
  PCAP Import

Chapter 1
About This Document

This document describes the system software and graphical user interface of the NETSCOUT SYSTEMS,
INC. (NETSCOUT®) SpectraSecure Software.

IMPORTANT
Please read and understand the SpectraSecure Software User Guide
(this document) before operating the software.

Related Documentation
For information related to this publication, refer to the following:
• SpectraSecure Administrator Guide
This document provides information on how to install, upgrade, and configure the SpectraSecure
software.
For product warranty information, go to my.netscout.com.

Contacting NETSCOUT Customer Support


Customer Care:
The best way to contact Customer Care is to submit a Support Request:
https://my.netscout.com/mcp/Support/Pages/Home.aspx
Telephone: In the US, call 888-357-7667; outside the US, call +800 4764 3337.
Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).
When contacting Customer Support, the following information can be helpful in diagnosing
and solving problems:
— Your organization’s name, contact name, phone number, and location of system
— Your NETSCOUT MasterCare ID
— SpectraSecure serial number
— SpectraSecure Software version
— Detailed description of the problem, or source of the problem based on its symptoms
— Error text messages, supporting screen images, logs, and error files, as appropriate

NETSCOUT Web Site


Visit our Web site at http://www.netscout.com.

Chapter 2
Using SpectraSecure

This chapter describes how to log on to the SpectraSecure console, configure an attack, and analyze the
attack test results.
• Logging in to the SpectraSecure Console
• Configuring and Starting a DDoS Attack
• Configuring and Starting a DDoS Batch or an Automation Attack
• Re-Running a DDoS Attack
• Analyzing DDoS Attack Test Results
• Uploading Custom IP-Tables to SpectraSecure Endpoint
• Standard Tests
• Report Generation

Logging in to the SpectraSecure Console


This section describes how to log in to the SpectraSecure console.

Perform the following to access the console:


1 Go to the SpectraSecure login page: http://security.spectrasecure.com
2 Enter your user name and password.

3 Click Login.



Configuring and Starting a DDoS Attack
This section describes how to configure and start a DDoS attack.

Perform the following to configure and start a test:


1 Log on to the SpectraSecure web interface: http://security.spectrasecure.com/
The main screen is displayed.

2 Configure the settings for the test, as described in the following table.

| Parameter | Description |
|---|---|
| EndPoint | Select the desired EndPoint from the list. The Ports parameter will auto-populate based on this selection. |
| Ports | Select the desired Ports from the list. Ports already in use will not be available for selection. |
| Attack Profile | Select an attack profile from the list. |
| Attack Suite | Select an EndPoint-specific automation or a batch profile from the list. Note: When using an attack suite, all configuration details are pre-configured per EndPoint for the selected profile. All remaining configuration controls are disabled. |
| Attack Parms | Select a common attack profile from the list. |
| Source IP Address and Port | Enter the IP address(es) and Port number of the simulated network elements. |
| Sequential | Select IP addresses from the Source IP Address range sequentially. If unchecked (default), IP addresses are selected randomly. |
| Destination IP address and Port | Enter the IP address and Port number of the network element you are testing. Note: The Port number should match the specific protocol and service being tested. Examples: port 80 for HTTP, port 53 for DNS, and port 5060 for SIP. |
| Gateway IP Address | If a gateway exists, enter the gateway IP Address. |
| Next Hop Mac | MAC address of the next hop, if known. When specified, the destination will not be ARP-ed. |
| Test Duration | Select the desired test duration from the list. The durations range from 5 minutes to 1 hour or Continuous. |
| Test Bandwidth | Select the desired bandwidth from the list. The bandwidths range from 1 Mbps to 10 Gbps. |
| NUMA Node | Enter the starting NUMA node and relative core to execute the test. |

3 Click Start Test.

After the test is started, SpectraSecure will:


• Prepare the required resources and initiate the test actions
• Start collecting and displaying test statistics

Note: Under normal circumstances, you will allow the test to run through to completion (based on the Test
Duration that you selected), but you can stop the test at any time by clicking Stop Test under the Manage
column in the Active Attacks window.

Configuring and Starting a DDoS Batch or an Automation Attack


This section describes how to configure and start a DDoS batch or an automation attack.
Perform the following to configure and start a test:
1 Log on to the SpectraSecure web interface: http://security.spectrasecure.com/.
The main screen is displayed.


2 Configure the settings for a batch or an automation test, as described in the following table.

| Parameter | Description |
|---|---|
| EndPoint | Select the desired EndPoint from the list. |
| Attack Suite | Select the desired Automation or Batch suite from the list for the selected EndPoint. Note: When using an attack suite, all configuration details are pre-configured per EndPoint for the selected profile. All remaining configuration controls are disabled. |

3 Click Start Test.


The Active Attacks panel provides an integrated view of related batches and attacks as shown
below.



After the test is started, SpectraSecure will:
• Prepare the required resources and initiate the test actions
• Display the attacks and batches grouped as a collection in the active and historical panels
• Start collecting and displaying test statistics

Note: Tests and batches that are part of a batch or an automation cannot be stopped independently. Stopping
a batch or an automation affects the tests as a collection and stops all related tests and batches.

Note: Tests and batches that are part of a batch or an automation cannot be removed independently.
Removing a batch or an automation removes all of the related tests and batches and all related statistics
collected.

Re-Running a DDoS Attack


SpectraSecure maintains a history of the DDoS attacks that have been run. This section describes how
to re-run a DDoS attack.

Perform the following to re-run a test:


1 Select History from the SpectraSecure tool bar.
The History screen is displayed.
2 Click Restart Test under the Manage column of the desired test.



Analyzing DDoS Attack Test Results
This section describes how to analyze your DDoS attack test results.

When you start a test, SpectraSecure starts transmitting packets to the test’s destination IP address and
port number. You can analyze the test progress and results from the traffic origination and termination
sides (SpectraSecure displays transmit and receive statistics throughout the duration of the test).

| Statistic | Description |
|---|---|
| Bandwidth | The total instantaneous transmit and receive bandwidth across all test ports. |
| Packets Per Second | The total instantaneous number of transmitted and received packets per second across all test ports. |
| Throughput | The instantaneous percentage of the actual test bandwidth being generated. |



Uploading Custom IP-Tables to SpectraSecure Endpoint
This section describes how to use the SpectraSecure controller to upload custom IP-address data to the
endpoint. This data is stored at the endpoint in the form of an IP-table file. This file can then be
provisioned as the Source for the traffic generated.
IP data can be uploaded to SpectraSecure in two ways:
• Text file with comma-separated entries. Each entry can be a single IP address, a range in CIDR
format, or a range specified as beginIP-endIP.
• STIX file containing IOCs in IP-address format.
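
A pre-upload check for the text-file format described above, as an added example that is not part of the NETSCOUT guide or product. It assumes whitespace and line breaks around entries are ignored and accepts CIDR entries with host bits set (the guide's own default profiles use that form, for example 10.20.15.100/16); the function names and the sample contents are constructed for illustration.

```python
import ipaddress


def parse_entry(entry):
    """Return (first, last) address objects for one entry, or raise ValueError."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if "/" in entry:
        # CIDR form. strict=False tolerates host bits, as in 10.20.15.100/16.
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    if "-" in entry:
        # beginIP-endIP form.
        begin_s, end_s = entry.split("-", 1)
        begin = ipaddress.ip_address(begin_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if begin.version != end.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if begin > end:
            raise ValueError("range begins after it ends")
        return begin, end
    addr = ipaddress.ip_address(entry)      # single address
    return addr, addr


def validate_ip_table(text):
    """Split on commas; return (ranges, errors), errors as (position, entry, reason)."""
    ranges, errors = [], []
    for pos, raw in enumerate(text.split(","), start=1):
        try:
            ranges.append(parse_entry(raw))
        except ValueError as exc:
            errors.append((pos, raw.strip(), str(exc)))
    return ranges, errors


def address_count(ranges):
    """Total number of addresses the valid entries expand to."""
    return sum(int(last) - int(first) + 1 for first, last in ranges)


# Constructed sample file contents: four valid entries followed by two invalid ones.
SAMPLE = (
    "10.20.15.100, 10.20.0.0/30, 10.30.14.1-10.30.14.10,\n"
    "fd00:db8::370:7000/126, 10.1.1.300, 10.9.9.9-10.9.9.1"
)

if __name__ == "__main__":
    ranges, errors = validate_ip_table(SAMPLE)
    print("valid entries:", len(ranges), "addresses:", address_count(ranges))
    for pos, entry, reason in errors:
        print("entry %d (%s): %s" % (pos, entry, reason))
```
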

To upload a new file:


1 Switch to the Endpoint screen by selecting 'Endpoint' in the left navigator pane.
2 Select the endpoint from the list in the bottom window.

3 Click 'Select File' in the right pane. Browse to the file on the controller.

4 Select 'Upload'.
5 Successfully uploaded IP tables shall be available as a selectable source address in the 'DDoS'
tab.



Standard Tests
This section provides details of the standard tests defined in S3StandardTestSuite.txt, which is
included in the SpectraSecure installation.
All the tests defined in the standard test suite assume that two ports of SpectraSecure are connected to
the SUT (system under test):
• Port zero is connected to the ingress port of the SUT
• Port one is connected to the egress side of the SUT
S3StandardTestSuite.txt also defines the default parameter profiles. The default parameter profiles
define the source and destinations for the transmitter and receiver tests as listed below:

| Profile Name | Description | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| Default Tx Bad | Originating attack traffic | 10.20.15.100/16 | 4500 | 10.20.14.100 | 80 |
| Default Tx Good | Originating good traffic | 10.30.15.100/16 | 4500 | 10.30.14.100 | 80 |
| IPv6 Default Tx Bad | Originating IPv6 attack traffic | fd00:db8::370:7000/102 | 4500 | fd00:db8::370:10 | 80 |
| IPv6 Default Tx Good | Originating IPv6 good traffic | fd00:db8::470:7000/102 | 4500 | fd00:db8::370:10 | 80 |
| Default Rx Bad | Terminating attack traffic | 10.20.14.100 | 80 | 10.20.15.100/16 | 4500 |
| Default Rx Good | Terminating good traffic | 10.30.14.100 | 80 | 10.30.15.100/16 | 4500 |
| IPv6 Default Rx Bad | Terminating IPv6 attack traffic | fd00:db8::370:10 | 80 | fd00:db8::370:7000/102 | 4500 |
| IPv6 Default Rx Good | Terminating IPv6 good traffic | fd00:db8::470:10 | 80 | fd00:db8::470:7000/102 | 4500 |

Standard tests can be easily adapted to SUT-specific address ranges by either re-defining them in the
standard test suite file or through the UI.
The test suite defines two types of tests:

• Penetration Attack tests: These tests measure the efficacy of the SUT defenses at blocking attack traffic.
The pass criterion checks whether attack traffic above the 1% threshold is getting through.

| Test Name | Traffic Description |
|---|---|
| Attack Flood UDP 64 Bytes | UDP 64-byte Packets with set payload |
| Attack Flood DNS Query | DNS Query with set URL |
| Attack Flood SIP Registration | UDP SIP registration for a set UE |
| Attack Flood ICMP Ping | ICMP Ping Payload |
| Attack Flood ICMP TTL | ICMP TTL Payload |
| Attack Flood TCP SYN | TCP-SYN flood from range of IP-Addresses |
| Attack Flood TCP SYNACK | TCP-SYNACK flood from range of IP-Addresses |
| Attack Flood TCP RST | TCP-RST flood from range of IP-Addresses |
| Attack Flood IP Short Fragments | 140-byte short fragments |
| Attack Flood IP Overlapped Fragments | IP packet flood with overlapping fragments |

• Throughput tests: These tests measure the ability of the SUT defenses to classify and permit
good traffic. The pass criterion checks for dropped packets over the set threshold of 1% of the transmitted
traffic.

| Test Name | Traffic Description |
|---|---|
| Throughput Test UDP 570 Bytes | UDP 570-byte Packets with set payload |
| Throughput Test UDP IMIX | UDP IMIX traffic pattern |
| Traffic Mix Throughput Batch | Traffic mix of valid UDP, TCP and ICMP packets |

In addition to the StandardTestSuite file, users can define their own custom test suite file for customizing
batch and automation tests.
Custom tests can be enabled by specifying 'CustomTestSuite' in S3Config.txt. The Endpoint reads both the
Standard and Custom test suite files at boot-up and makes them available in the UI.

Note: The custom test suite should not re-define the test, batch, and automation profiles used in the Standard
test suite file.



Report Generation
This section describes how to create a detailed report for completed tests, view the generated report,
and download the generated report to the client machine.
Reports may be generated for one or more completed tests. When multiple tests are selected, a single
detailed consolidated report is generated. Generated reports are saved by date, time and user as a PDF
document in the Reports folder on the web server.
To generate a consolidated report for a set of selected tests, select the 'Generate Report' toolbar button
in the application's 'Completed Tests' tab. The generated report is streamed to the client and is
viewable in the Report Viewer.

The Report Viewer displays the generated report as a PDF document, along with the associated file name on the
server in the left panel.

To list all available reports on the server, select the refresh toolbar button in the Report Viewer, which
enumerates the reports located in the 'Reports' folder and presents the first listed report for viewing.

Selecting the 'Generate Report' toolbar button without selecting any tests defaults to retrieving and
enumerating the available reports on the server, as shown below.

Reports can be removed from the server by selecting the 'Delete Selected Reports' toolbar button in the
Report Viewer dialog. The currently displayed report can be downloaded and saved locally as a PDF document
by selecting the download toolbar button.



External Access-Control System
SpectraSecure supports the use of a TACACS+ server for external access control. This feature allows the
Admin user to add users to a SpectraSecure deployment with different levels of privilege maintained on
an external TACACS+ server.
• To configure the TACACS+ server:
Access the Settings menu and select the 'Configure TACACS+' option.
• To log in with TACACS+ users:
Simply use the credentials configured on the externally maintained TACACS+ server. If an external server is
configured, the username is checked against it first.

PCAP Import
SpectraSecure allows importing a PCAP trace to craft a new attack vector.
The following guidelines apply to the PCAP trace to be imported:
• Currently only PCAP files are supported. PCAPNG is not supported.
• Supported Data Link Types (only these):
– 1: ETHERNET
– 113: LINUX COOKED
• Supported Ether Types:
– 0x0800: IPv4
– 0x86DD: IPv6
– 0x8100: VLAN
– 0x9100: VLAN QINQ
– 0x88A8: VLAN AD
• Supported IP Protocols (for GRE, the 'encapsulated' ether type must be IPv4 or IPv6):
– 17: UDP
– 6: TCP
– 47: GRE (Generic Routing Encapsulation)
• The PCAP trace should only contain the desired PDUs.
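
A pre-import check of a capture file against the guidelines listed above, as an added example that is not part of the NETSCOUT guide or product. It reads the classic pcap global and record headers directly, steps over VLAN tags, and reports each packet whose link type, ether type, IP protocol or GRE payload type falls outside the supported set; it assumes IPv6 packets carry no extension headers, and the function names and the sample capture are constructed for illustration.

```python
import struct

LINK_HDR = {1: 14, 113: 16}            # data link type -> header length (Ethernet, Linux cooked)
VLAN_TYPES = {0x8100, 0x9100, 0x88A8}
IP_TYPES = {0x0800, 0x86DD}
IP_PROTOS = {6, 17, 47}                # TCP, UDP, GRE

def check_packet(linktype, pkt):
    """Return None if one packet meets the import guidelines, else a reason string."""
    off = LINK_HDR[linktype]
    if len(pkt) < off:
        return "truncated link header"
    etype = struct.unpack_from("!H", pkt, off - 2)[0]   # both link headers end with the type field
    while etype in VLAN_TYPES:                          # step over each 4-byte VLAN tag
        if len(pkt) < off + 4:
            return "truncated VLAN tag"
        etype = struct.unpack_from("!H", pkt, off + 2)[0]
        off += 4
    if etype not in IP_TYPES:
        return "unsupported ether type 0x%04X" % etype
    if etype == 0x0800:
        if len(pkt) < off + 20:
            return "truncated IPv4 header"
        proto, l4 = pkt[off + 9], off + (pkt[off] & 0x0F) * 4
    else:
        if len(pkt) < off + 40:
            return "truncated IPv6 header"
        proto, l4 = pkt[off + 6], off + 40              # assumption: no extension headers
    if proto not in IP_PROTOS:
        return "unsupported IP protocol %d" % proto
    if proto == 47:
        if len(pkt) < l4 + 4:
            return "truncated GRE header"
        inner = struct.unpack_from("!H", pkt, l4 + 2)[0]
        if inner not in IP_TYPES:
            return "GRE encapsulates ether type 0x%04X" % inner
    return None

def check_pcap(data):
    """Return [(packet_number, reason), ...]; an empty list means nothing was flagged."""
    magic = data[:4]
    if magic == b"\x0a\x0d\x0d\x0a":
        return [(0, "PCAPNG is not supported")]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"                                       # little-endian (usec or nsec timestamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        return [(0, "not a pcap file")]
    if len(data) < 24:
        return [(0, "truncated global header")]
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype not in LINK_HDR:
        return [(0, "unsupported data link type %d" % linktype)]
    problems, pos, num = [], 24, 0
    while pos + 16 <= len(data):                        # 16-byte record header per packet
        num += 1
        caplen = struct.unpack_from(end + "I", data, pos + 8)[0]
        reason = check_packet(linktype, data[pos + 16:pos + 16 + caplen])
        if reason:
            problems.append((num, reason))
        pos += 16 + caplen
    return problems

def build_sample():
    """Constructed Ethernet capture with three packets: UDP, VLAN-tagged TCP, ARP."""
    ip4 = lambda proto: b"\x45" + bytes(8) + bytes([proto]) + bytes(10)
    rec = lambda pkt: struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    udp = bytes(12) + b"\x08\x00" + ip4(17) + bytes(8)
    vlan_tcp = bytes(12) + b"\x81\x00\x00\x64\x08\x00" + ip4(6) + bytes(20)
    arp = bytes(12) + b"\x08\x06" + bytes(28)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + rec(udp) + rec(vlan_tcp) + rec(arp)
```

Calling `check_pcap` on the bytes of a real capture file lists the packets to filter out before import; on the constructed sample it flags only the ARP frame.
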
Workflow:
• Push the selected PCAP trace to the selected endpoint:
– Select the Endpoint
– Switch to the Endpoint view
– Access the PCAP Models tab
– Access the file import dialog and select the desired PCAP trace
– Select the type of PCAP upload

Retain Only Payload: Enable this option to keep only the 'payload' from each packet in the PCAP file when
writing Pdu files. When enabled, SpectraSecure will minimally recreate the Ethernet/IP/UDP/TCP layers
from scratch for the packets built for traffic generation. When disabled, these layers are kept structurally
the same as the packets from the PCAP trace.
• Once imported to an Endpoint, the PCAP trace is available for DDoS traffic generation. Select the
'Pcap Replay' attack from the Attack Profiles.

A new drop-down menu will show up for selecting previously imported PCAP traces. Select the desired
PCAP trace and configure the rest of the parameters to start generating the traffic modeled after the trace.

To delete a previously added PCAP file and the imported data, select the required entry by clicking the
list button shown below, then 'Delete'.

NETSCOUT SYSTEMS, INC.
310 Littleton Road
Westford, MA 01886-4105
Tel. 978 614-4000
888-999-5946
Fax 978-614-4004
E-mail info@netscout.com
©NETSCOUT SYSTEMS, INC. All rights reserved.
Web www.netscout.com
733-XXXX Rev. A
