MY Arbor Best Practices - v1

Mitigation Best Practices
Peter Ngai
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1

Packet Capture Methods

Sample Packets
– Within a mitigation, use Sample Packets to perform captures and also view the traffic
processed by the TMS
– Traffic shown will be a random sample, not a packet-by-packet capture

Sample Packets
– While in Sample Packets screen, can filter through the traffic using one of five means
• FCAP Filter
• DNS Regex
• HTTP Regex
• SIP Regex
• Payload Regex
– Filtered traffic has no bearing on the actual mitigation

• Does not delete or drop any traffic
• Acts much like a Wireshark filter to show only traffic you want to see

Sample Packets
– Packets in red show the countermeasure that blocked/dropped it

Sample Packets
– Click a packet to view the packet header and payload

Sample Packets
– Export the sampled traffic using Record Sample
• Creates a PCAP file

tmsdump
– Sample Packets from the GUI works really well in many cases
– Since the capture performed by GUI is sampled, there is chance you may miss a
necessary packet
– Use tmsdump from system shell to see a full packet capture
– To enable shell:
• From CLI - / system attributes set shell.enabled = 1
• Type shell to “drop” to the system shell

tmsdump
tmsdump -h
Usage: tmsdump <args>
-D rx | tx Filter on traffic direction (intf only)
-a drop | pass Filter on traffic action (intf only)
-c <count> Exit after processing <count> packets (default=1000)
-d Show instance distribution
-f <filter> Specify BPF packet filter expression
-i <intf> Read from interface
-l List available interfaces and subhosts
-m <mit_id,...> Filter on mitigation IDs (intf only)
-p <ip:port,ip:port,...> Specify dump ports directly
-q Suppress display output
-r <file> Read from pcap dump file (`-' for stdin)
-s <subhost>:[<instance>] Read from given subhost only (<instance> optional)
-S Disable stripping of internal headers
-t <timeout> Capture packets for <timeout> seconds
-w <file> Write to pcap dump file (`-' for stdout)
-W <file> Same as -w but also print display output
-X Show raw packet data in hex and ASCII

tmsdump
– Examples:
tmsdump -i tms0
tmsdump -i tms0 -f 'proto 6 and dst port 80' -X
tmsdump -i tms0 -f 'dst port 53' -w - | tshark -V -i -
tmsdump -i tms0 -w - | tcpdump -n -r -
tmsdump -i tms0 -w pcapfile.pcap -c 100
tcpdump -i mgt0 -w - | tmsdump -r -

tmsdump
– While using tmsdump –w, save the file on a big directory / partition to avoid running out of
space
– For example:
mkdir /base/data/soc
cd /base/data/soc
tmsdump -i ext0 -w your.pcap
– Can use -c to set the number of packets and try to make smaller captures to save space
and processor/memory usage

tmsdump
• Sometime, you might have logical interface with VLANs,

– tms-DIAG> tmsdump –i logical0 –D rx –c 50000 –w /base/data/soc/capture.pcap –f
‘udp and port 53’
• To download the pcap file

– Drop to shell on TMS/APS
– Change the password of ‘root’ by doing ‘passwd root’
• Do NOT use simple password
• ‘root’ account will be revoked on next reboot
– Do SCP on your laptop to your current directory
• scp root@192.168.1.1:/base/data/soc/capture.pcap ./

tmsdump
– View only Dropped traffic by using the –a drop argument
tmsdump -a drop -c 1 -i tms0
Running for 1 packets. Use -c <count> to change.
1514 bytes RX on tms0 (localhost) received at Sun Apr 10 03:12:53 2016
eth 00:1f:12:84:73:8a 00:50:49:ff:ff:ff type 0x0800 (IPv4)
ip 23.201.20.156 (80) -> 141.211.196.164 (60048) proto 6 (TCP)
len 1500 sum 0x2c06[hw] ttl 57 tos 0x00 hl 20 DF
tcp .A...... seq 3228092362 ack 2617180539 win 4072 sum 0x8911[hw] urp
0x0000
mit matched mitigation id 2 (”test")
geo address matches geoip region US
drop by countermeasure "filter" ("filtered")
ext filter rule id 0

tmsdump
– Alternatively, use –a pass to view only passed traffic
tmsdump -a pass -c 1 -i tms0
Running for 1 packets. Use -c <count> to change.
64 bytes RX on tms0 (localhost) received at Sun Apr 10 03:15:15 2016
eth 00:1f:12:84:73:8a 00:50:49:ff:ff:ff type 0x0800 (IPv4)
ip 35.2.0.55 (54477) -> 17.173.220.4 (443) proto 6
(TCP)
len 40 sum 0xa129[hw] ttl 59 tos 0x00 hl 20 DF
tcp .A...... seq 2359837444 ack 3175312311 win 8191 sum 0xafba[hw] urp
0x0000
mit matched mitigation id 2 (”test")
geo address matches geoip region US
pass by pktengine, no countermeasure violations

Mitigation Performance

Mitigation Order of Preference
• Thumb of rule
– L3 > L4 > L5 > L7
– Address Filterlist > BW Filterlist (FCAP) > Rate Based > Authentication > REGEX
• Filterlist is the most effective way to drop attacks and much less CPU demanding
• REGEX is CPU intensive but it is flexible & versatile

Mitigation Order of Preference
Less
7 Application
WWW, DNS, VoIP,…
6 Presentation Application Rate Based, Authentication, REGEX
Preference
5 Session
TCP/UDP…
4 Transport Transport B/W Filterlist
3 Network Network IP…

Address Filterlist
More 2 Data Link Data Link & Framing
1 Physical Physical Raw signal
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY

OSI 17
TCP/IP
Reflection/Amplification Attacks

Reflection/Amplification Attacks (Volumetric)
– It is usually UDP. UDP is stateless. Source can be spoofed.

– It is usually on Layer 3/4
– It amplifies packets in size & targeting victim’s bandwidth, BPS
– e.g. Amplification attacks
• DNS/53
• SSDP/1900
• NTP/123
• Chargen/19
• In general, any UDP based applications can be one of them, Memcached/11211
– It is easy to defense by
• Black-/White-Filter list – drop by source port
• Flexible Zombie – rate-limit and blacklist by source port
• Payload REGEX – if you can conclude a pattern

Reflection/Amplification
What are Reflection/Amplification attacks?
Amplification DDoS Attack

• Is when an attacker makes a relatively small request that generates a larger
response/reply. This is true of most (not all) server responses.
Reflection DDoS Attack
• A DDoS attack in which forged requests are sent to a very large number of
Internet connected devices that reply to the requests. Using IP address spoofing,
the ‘source’ address is set to the actual target of the attack, where all replies are
sent. Many services can be exploited to act as reflectors.
A Reflection/Amplification DDoS Attack combines both techniques to create a
DDoS attack which is both high-volume and difficult to trace back to its point(s) of
origin.
Five Common Reflection/Amplification Vectors
• chargen – 30-year-old tool for testing network link integrity and performance. Seldom
(ever?) used these days for its original intended purpose. Senselessly, absurdly
implemented in the modern age by clueless embedded device vendors.
• DNS – the Domain Name System resolves human-friendly names into IP addresses. Part
of the ‘control-plane’ of the Internet. No DNS = no Internet.
• NTP – Network Time Protocol provides timesync services for your
routers/switches/laptops/tablets/phones/etc. The most important Internet service you’ve
never heard of.
• SNMP – Simple Network Management Protocol. Used to monitor and optionally
configure network infrastructure devices, services, etc.
• SSDP – Simple Services Discovery Protocol acts as a poorly designed-and-implemented
services enumeration system for the poorly-designed-and-implemented UPnP.

Reflection Amplification Attacks
Amplification Factor
• https://www.us-cert.gov/ncas/alerts/TA14-017A

Five Common Reflection/Amplification Attacks
Abbreviation Protocol Ports Amplification # Abusable
Factor Servers
CHARGEN Character UDP / 19 ~17.75x Tens of thousands

Generation (~90K)
Protocol
DNS Domain UDP / 53 ~160x Millions (~30M)
Name
System
NTP Network UDP / 123 ~1000x Over One Hundred Thousand
Time (~128K)
Protocol
SNMP Simple UDP / 161 ~880x Millions

Network (~5M)
Management
Protocol
SSDP Simple UDP/1900 ~20x/83x Millions
Service Discovery (2M)
Protocol

NTP

NTP

NTP

SSDP
HTTPU responses, dstip = victim, srcport = 1900
…
Victim
Bad Guy M-SEARCH packets, srcip = victim, dstport = 1900

NTP Attack Mitigation Best Practices
• Black-/White-List / Filter List

– drop proto udp and (src port 123 or dst port 123) and not bpp 76
• Flexible Zombie
– Classifier: proto udp and (src port 123 or dst port 123) and not bpp 76
– Suggested rates: 8bps/8pps
• These measures will break ntptrace and other administrative functions but not ntp
timesync requests

SSDP Attack Mitigation Best Practices
• Black-/White-list filter-list
– drop proto udp and src port 1900
• Flexible zombie
– Classifier: proto udp and src port 1900
• Payload Regex
– \x75\x75\x69\x64
– \x75\x70\x6e\x70

Chargen Attack Mitigation Best Practices
• Flexible zombie

SNMP Attack Mitigation Best Practices
• Flexible zombie

Universal Reflection/Amplification Filterlist
• Black/White-filter list that you may put in advance

drop udp and src port 19
drop udp and (src port 123 or dst port 123) and not bpp 76
drop udp and src port 53 and frag
• Of course, if you are protecting HTTP server with NO other services, you may do
this
drop not (proto udp or proto tcp or proto icmp)
drop proto tcp and not (dst port 80 or dst port 443 or dst port 53)
drop proto udp and not (dst port 53 or src port 53 or src port 123 or
dst port 123)
drop udp and frag and src port 53
drop proto udp and (src port 123 or dst port 123) and not bpp 76
drop tflags S/SAFRPUEW and bpp 100..1500
drop tflags SEW/SAFRPUEW
DNS Reflection Amplification Attack
Source IP of Victim (v) spoofed when query sent
to resolver, resolver receives, responds to v. 55-
byte query elicits 4200-byte response
Quer
y r
v
Attacker - a
Res ponse Resolver - r

r v
A botnet with as few as 20 DSL-connect homes (1 Mbps
upstream each) can generate 1.5 Gbps of attack traffic with
DNS reflective amplification attack vectors such as those
Victim - v employed for root server attacks in early 2006 (1:76
amplification factor). Most enterprises have little more than
155 Mbps Internet connectivity.
DNS 101
• RFC 1035 specified that UDP DNS messages must be restricted to 512 bytes
(NOT including IP/UDP headers)
• If message exceeded 512 bytes, it must fall over to TCP
• RFC 2671 specified an extension, EDNS0
• EDNS0 allows UDP response over 512 bytes and leads to UDP fragmentation
• This explains why DNS reflective attack always comes with fragmented packets
• Attacker always wants big reply that is why they usually do ANY record query
• RFC1035 specified the domain specification

DNS – RFC 1035/1123
Reference
• Upper & lower case letters are allowed

– Same spelling but different case are treated as identical
• Must follow the rules for ARPANET host name
– Start with a letter, e.g. A-Z, a-z or \x41-\x5A, \x61-\x7A
– End with a letter or digit, e.g. A-Z, a-z, 0-9 or \x30-\x39
– Have as interior characters only letters, digits, & hyphen, e.g. A-Z, a-z, 0-9, “-” or \x2D
– Labels must be 63 characters or less
Name/FQDN
– Name (FQDN) must be 255 characters or less
– e.g. www.abcd.com
label label label

DNS Reflection Amplification Attack
Mitigation options
• Drop all fragmented IP packets with Black/White filter-list

– drop udp and frag and src port 53
• Drop all DNS packets with ANY record by DNS REGEX
– Inbound Replies
– Resource Record Types = ANY/* (255)
– Malicious domains that give big replies
• Drop all DNS packets with ANY record by Payload REGEX
– Specify the UDP dst port (usually this is NOT random)
– \x00\xff\x00\x01
– Malicious domains that give big replies

UDP Reflection/Amplification
Protection

UDP Reflection/Amplification Protection
– 11 predefined filters for common UDP reflection and amplification attacks

• Each filter has an option to add arbitrary match terms to improve specificity
– 2 custom filters
• Same arbitrary match terms as a predefined filter, but with no predefined filter expression
• Not restricted to UDP – could be any protocols
• Remember to add "proto udp" to filter if UDP restriction is desired
– All filters are FCAP syntax with implicit "drop"
– Implemented for both IPv4 and IPv6 mitigations

In IPv4 mitigation status
In IPv6 mitigation status

• Expanded presentation in mitigation status

• Usual countermeasure layout
Settings
Blocked
Traffic
Graph
Blocked
Traffic
Rates
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY Blocked 40Host Lists
IPv4 settings
IPv6 settings

Filter Name IPv4 or IPv6 Predefined FCAP Match

chargen Both proto udp and src port 19
DNS Both proto udp and src port 53
L2TP Both proto udp and src port 1701 and bytes 520..65535
mDNS Both proto udp and src port 5353
MS SQL RS Both proto udp and src port 111
NetBIOS Both proto udp and (src port 137 or src port 138)
IPv4 proto udp and src port 123 and not bytes 76
NTP
IPv6 proto udp and src port 123 and not bytes 96
rpcbind Both proto udp and src port 111
RIPv1 IPv4 only proto udp and src port 520
SNMP Both proto udp and (src port 161 or src port 162)
SSDP Both proto udp and src port 1900

• All Non-DNS Filters checkbox

– Shortcut selector
• Allows quick selection of most filters
• Protects critical DNS operations from
accidental filtering by mass enable
– Operates intuitively
• Click to select enables all filters except
DNS
• Click to deselect disables all filters except
DNS
• Individual filter selections may be
changed afterward

• Some familiar controls

• Enable checkbox
• Action to Apply
– Blacklist Hosts
– Drop Traffic
• Download Blocked Hosts
• Download Top Blocked Hosts

• Additional Match Criteria

• Add terms to any filter to match specific
attack details
– Appended to predefined expression with implicit
"and"
• FCAP Wizard available
– IPv4 mitigations only
Click to
• Test Filter option expand
• Opens Sample Packets using current
filter expression
– With or without additional criteria
– IPv4 mitigations only

• Custom Filters
– Intended for R/A attacks not blocked by
predefined filters
– No predefined match criteria
• Not restricted to UDP
– Must include "proto udp" in match expression to
filter only UDP
– Otherwise identical to predefined R/A
filters Click to
expand
• A custom filter match expression copied
from the predefined expression of a
different R/A filter would have the same
result

• Avoid overuse of "not" terms

– Many "not" terms in filters will reduce
performance

• Mitigation full/new configuration page

• Same settings as mitigation status

• No Test Filter button on full

configuration page
• Nothing to sample if mitigation is not
running
• Mitigation might not yet be running

• Internal implementation is FCAP

– Internal engine is identical copy of
Black/White filter engine
• Differences are all in UI presentation and Both are
filter presets FCAP
• An R/A custom filter works exactly the same

as a Black/White inline filter
– UDP Reflection/Amplification is later than
Black/White Lists in processing order
• Choose B/W inline or R/A custom for a drop
filter to apply before or after
– Packet Header Filtering
– IP location Filter Lists
– Zombie Detection

State Exhaustion Attacks

State Exhaustion Attacks
TCP
• Protocol attacks
– It is usually TCP. TCP is stateful. Source could be either spoofed or NOT spoofed.
– It is Layer 4.
– SYN flood: It never completes 3-ways handshake (Half Open). Source could be spoofed.
– Connection Flood: It completes 3-ways handshake (Full Open). Source could not be
spoofed.
– It can be defensed by
• Invalid Packets
• B/W Filterlist
• SYN authentication
• Flexible Zombie

FCAP Best Practice (Black/White Filterlist)
HTTP/HTTPS
• Example:
! Web HTTP & HTTPS:-
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 80) or (src port 1024..65535
and dst port 443))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
drop tflags S/WEUAPRSF and not (bpp 44 or bpp 48 or bpp 50 or bpp 52 or bpp 60 or bpp
64)
! Drop FIN flood

drop tflags F/F and not (bpp 40 or bpp 52)
! Drop RST flood except RST from SSL

drop tflags R/R and not (bpp 40 or bpp 52) and not (dst port 443)
Authoritative DNS
• Example: Authoritative DNS
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
! Drop UDP packet without Data/Payload

drop proto udp and (bpp 28 or bpp 541..1500)
drop proto udp and (src port 0 or dst port 0)
64)

drop tflags R/R and not (bpp 40 or bpp 52)
Recursive DNS (Cache)
• Example: Recursive DNS
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst
port 1024..65535))
drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst
port 1024..65535))
drop proto udp and (src port 0 and dst port 0)
64)

drop proto udp and frag and src port 53
drop proto udp and src port 53 and not (bpp 29..540)
FCAP Best Practice (BW Filterlist)
Mail Server
• Example: Mail Server

drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst
port 1024..65535))
64)


FCAP Filters
CAUTION!!
– The previous rules should be modified as needed, based on the services and applications
running on the servers/services being protected
– They must *not* be copied/pasted without prior validation!
– Please test it before using them!!

TCP Header
Reference

TCP SYN Authentication
• TCP SYN Authentication is very

effective to stop spoofed SYN flood
• Best to keep it off if no attack to
minimize false positive
• Turn it ON when it is needed
– Automate TCP SYN Authentication
based on Host

Automatically mitigate TCP SYN flood attacks
using TCP SYN Authentication
n Mitigation Template n Mitigation
Administration>Mtigation>Template→Counter measures Mitigation>All Mitigations→Mitigation→Countermeasures

Application-layer Attacks

Application-layer Attacks
TCP/UDP
• Application Layer attacks
– It is usually TCP. TCP is stateful and it is an end-to-end connection after 3-ways handshakes. Source cannot be
spoofed
– It is on Layer 7
– It amplifies the loading on victim’s CPU, memory and resources (e.g. DB read/write)
– Application layer attacks example
• HTTP GET flood
• Randomized HTTP flood
• XMLRPC flood
• Slowloris
• DNS Dictionary Attack
– It is not easy to defense without advance knowledge
• AIF
• Payload REGEX
• Find a way to screen out a particular group of source IP addresses launching the attacks and filter them by filter-list

DNS Water Torture Attacks
§ AKA: Slow Drip, pseudo-random label

prepending, dictionary-based label-substitution -
used by Mirai botnet.
§ Botnet sends flood of DNS requests to DNS

Recursive Servers with randomized prefix
attached to valid domain. (e.g.
xyz4433.yahoo.com, 123rtd,yahoo.com)
§ Because domain is not cached, Recursive

servers flood Authoritative DNS server with
queries.
§ Impact: Causes increased load and resource

exhaustion on DNS Recursive and Authoritative
servers – slowing or denying service to domain.

DNS Dictionary Attack
• It is random generated NXDomain DNS Cache DB Server
DB Server
overwhelmed with
lookups
Attacker requests entries
that do not exist in the DNS NXDomain: abcd.somedomain.com
NXDomain: efgh.somedomain.com
Cache: NXDomain: ijkl.somedomain.com
.
Query: abcd.somedomain.com
.
Query: efgh.somedomain.com .
Query: ijkl.somedomain.com
.
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY
. 64
Mitigation options
• Enable DNS passive UDP authentication

– Arbor recommended
• Drop all the abnormal domains by REGEX
– Easiest way
• Drop hostname that contains capital letter(s) by REGEX
– Caveat: RFC 4343 says DNS is case insensitive
• Drop hostname that is more than 3 levels by REGEX
• Enable DNS active TCP authentication
– Caveat: The firewalls in front of the DNS servers have to open TCP/53 port

Mitigation options
• Enable DNS Scoping to match attacked domains

– Make a list of all good hostnames in a DNS filter list
– Apply the DNS filter list and select logical ‘AND’ in DNS REGEX countermeasure
– Drop all unmatched traffic
– Caveat: DNS Scoping allows 5 only

Authoritative DNS Zone Enforcement
Zone Transfer
1. SP Authoritative
1. When an authoritative DNS server and DNS DNS Server
zone is specified, Arbor SP/ CLI will an on-
demand or scheduled do a DNS zone
transfer from the authoritative server.
2. SP DNS
Reg
2. SP will parse the information, and generate Ex
DNS regular expressions for all records TMS
found for the given zone. ( BIND-formatted
zone files are supported)
bad
3.
3. The DNS filter lists can be used as queries
whitelists in the DNS Regular Expression Clients/Recursive Authoritative
countermeasure to block malicious requests DNS Servers TMS DNS Servers
for DNS information outside of the DNS good
zone(s). (i.e. TMS blocks requests for queries
entries that are not in the filter lists and
forwards requests that are)

Import DNS Zone Information for Mitigations
• Filter List settings

– Administration>Mitigation>Filter List → Add Filter List
Specify update interval
Entries Schedule For Custom, it uses crontab format
Select DNS type Select DNS Zone Transfer

Specify Authoritative Server and
target zone name
• Administration>Mitigation>Filter List-
>[Entries]
dig
$ dig @192.168.210.90 example.net axfr
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.210.90 example.net axfr

; (1 server found)
;; global options: +cmd
example.net. 300 IN SOA victim.example.net. root.example.net. 4 300 300
600 900
example.net. 300 IN NS victim.example.net.
example.net. 300 IN MX 10 mx.example.net.
example.net. 300 IN A 10.0.0.1
cname.example.net. 300 IN CNAME www.example.net.
host3.example.net. 300 IN A 10.0.0.3
mx.example.net. 300 IN A 10.0.0.2
quad.example.net. 300 IN AAAA fe80::fedc
victim.example.net. 300 IN A 192.168.210.90
www.example.net. 300 IN A 10.0.0.1
example.net. 300 IN SOA victim.example.net. root.example.net. 4 300 300
600 900
;; Query time: 1 msec
;; SERVER: 192.168.210.90#53(192.168.210.90)
REGEX that are generated from the ;; WHEN: Fri Apr 20 14:02:10 JST 2018
entries in the DNS zone ;; XFR size: 11 records (messages 1, bytes 300)

• Mitigation Template: • Mitigation:

– Administration>Mitigation>Template-> – Administration>Mitigation>Template-
[Payload] >[Payload]
Select Inbound Queries
Select Unmatched Traffic
Select predefined
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. |
Filter List
CONFIDENTIAL & PROPRIETARY 70

MY Arbor Best Practices - v1

Uploaded by

Copyright:

Available Formats

MY Arbor Best Practices - v1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MY Arbor Best Practices - v1

Uploaded by

Copyright:

Available Formats

Mitigation Best Practices

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 2

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 3

– Filtered traffic has no bearing on the actual mitigation

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 4

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 5

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 6

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 7

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 8

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 9

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 10

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 11

• Sometime, you might have logical interface with VLANs,

• To download the pcap file

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 12

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 13

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 14

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 15

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 16

3 Network Network IP…

1 Physical Physical Raw signal

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 18

– It is usually UDP. UDP is stateless. Source can be spoofed.

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 19

Amplification DDoS Attack

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 21

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 22

CHARGEN Character UDP / 19 ~17.75x Tens of thousands

SNMP Simple UDP / 161 ~880x Millions

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 23

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 24

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 25

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 26

Bad Guy M-SEARCH packets, srcip = victim, dstport = 1900

• Black-/White-List / Filter List

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 28

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 29

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 30

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 31

• Black/White-filter list that you may put in advance

Res ponse Resolver - r

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 34

• Upper & lower case letters are allowed

label label label

• Drop all fragmented IP packets with Black/White filter-list

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 36

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 37

– 11 predefined filters for common UDP reflection and amplification attacks

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 38

In IPv4 mitigation status

In IPv6 mitigation status

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 39

• Expanded presentation in mitigation status

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 41

Filter Name IPv4 or IPv6 Predefined FCAP Match

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 42

• All Non-DNS Filters checkbox