Arbor APS STT - Unit 05 - Inline Mitigation - 25Jan2018

Partner Technical Training

Initial System Tuning & Inline Mitigation

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Obtain attack details in the Protection Group page
• Identify Blocked Hosts and how to Whitelist or Blacklist hosts
• Use Inactive and Active sub-modes



SCENARIO:
ATTACK MITIGATION
WITH ARBOR APS



Issue & Context
• Arbor APS is deployed in “Inline Inactive” mode
• Arbor APS reports show that it can solve the problem
• A good part of the traffic is showing as “blocked”
• Traffic is not mitigated due to the deployment mode of Inline Inactive
• Customer decides to put Arbor APS Inline Active immediately



Issue: Site Still Unavailable
• Arbor APS reports show that it can solve the problem but is not mitigating the traffic
• A good part of the traffic is showing as “blocked”
[Diagram: ISP 1, ISP 2 and ISP ‘n’ links into the data center pass through Arbor APS (Inline Inactive Mode), then IPS, Firewall and Load Balancer, to the target Applications & Services; attack traffic and good traffic both reach the target]


Action: Change Inactive Mode to Active
• Arbor APS is now in Active mode and mitigates the attack by dropping
bad traffic

[Diagram: same topology with Arbor APS in Active mode; attack traffic is dropped at APS and only good traffic reaches the target Applications & Services]


INLINE MODE



Inline Inactive Sub Mode



INLINE Deployment Mode
[Diagram: Arbor APS inline on the ISP link]

• Forwards all traffic in both directions
• Layer 2 - “bump in the wire”
• All protection interfaces have hardware bypass!
• No MAC address change, no IP interaction
• Pass-through for non-IP frames, such as STP BPDUs or LACP PDUs
• Supports 802.1q VLANs transparently
• No support for packets with MPLS labels


INLINE Sub-Modes
• Active: Arbor APS blocks malicious traffic according to protection group settings for this protection level
• Inactive: Arbor APS forwards all traffic. Arbor APS reports the traffic that it would block if in Active sub-mode
  • A test mode for prevention settings


INLINE Sub-Modes
• Sub-mode selected via the GUI at any time
• When going into Inline mode, default submode is Inactive
• Monitor mode and Inline-Inactive sub-mode are similar, except:
• Inline-Inactive mode does NOT forward invalid packets
• Monitor mode does no packet forwarding

Click to change inline deployment sub-mode


IMPROVING TRAFFIC
VISIBILITY BY CREATING
PROTECTION GROUPS



Protection Groups
• Protection Groups protect and provide extensive traffic analysis
for a defined group of hosts
• Protection Groups are defined by a combination of:
1. A list of protected internal hosts
• host IPv4, host IPv6, subnet, CIDR, or domain name
2. A Server Type
• A global object that defines protection settings for the Protection Group
it is associated with
• The traffic information that appears on this page is for incoming traffic. It does not include
server response traffic
• Use the information on this page to monitor how effectively APS is mitigating attacks
and to decide whether you need to take action to block the traffic



Adding a Protection Group – 1 of 2
• Protection Groups are added in the List Protection Groups page



Adding a Protection Group – 2 of 2

• Must define a name, the list of addresses for the protected hosts and a Server Type


Adding an IPv6 Protection Group
Hostnames will be resolved and displayed as IPv6 addresses

Generic IPv6 Server Type

Note: When both an IPv4 and an IPv6 address are resolved for the DNS hostname, Arbor APS will display the above message warning the user that IPv4 addresses will not be protected by the IPv6 PG
Configuring a Protection Group

• The new Protection Group is available


Protection Group Options
Click edit button to change



Protection Group Options Configuration



Prefix Matching - Protection Groups
• When different length prefixes of the same network are protected by more than 1 PG, APS matches traffic to the most specific (longest) prefix
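An added illustration of the longest-prefix rule above (example code, not APS's own implementation), which also shows how the 0.0.0.0/0 Default Protection Group described later in this unit acts as the catch-all when no more specific group matches; the group names and prefixes are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed protection-group table for the example (not APS's own data):
# group name -> protected prefixes. Several groups deliberately cover
# overlapping prefixes of the same network, so the longest-prefix rule decides.
PROTECTION_GROUPS = {
    "IPv4 Default": ["0.0.0.0/0"],            # out-of-the-box catch-all group
    "Corp Web": ["203.0.113.0/24"],
    "Corp Web - API host": ["203.0.113.10/32"],
    "IPv6 Default": ["::/0"],                 # IPv6 catch-all, which must be created manually
    "IPv6 Mail": ["2001:db8:1::/48"],
}


def build_prefix_table(groups):
    """Flatten the group table into (network, group name) pairs, parsed once."""
    table = []
    for name, prefixes in groups.items():
        for prefix in prefixes:
            table.append((ipaddress.ip_network(prefix, strict=True), name))
    return table


PREFIX_TABLE = build_prefix_table(PROTECTION_GROUPS)


def match_protection_group(dst_ip: str, table=PREFIX_TABLE) -> Optional[str]:
    """Return the group whose most specific (longest) prefix contains dst_ip,
    or None when no group covers the destination, which happens for IPv6
    traffic if no ::/0 group has been created."""
    addr = ipaddress.ip_address(dst_ip)
    best_name, best_len = None, -1
    for net, name in table:
        # An IPv4 prefix never covers an IPv6 destination, and vice versa.
        if net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.77", "198.51.100.5", "2001:db8:1::25"):
        print(ip, "->", match_protection_group(ip))
```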


Active / Inactive per Protection Group
• Protection Groups have individual selection of Active or Inactive protection mode
• If Deployment Mode is Monitor or Inline Inactive, then Protection Groups are always Inactive regardless of this setting


Protection Level Setting
• Protection Groups have individual selection of Protection Level
• By default it tracks the Global Protection Level



Server Types
• Every Protection Group is associated with a Server Type
• Arbor APS has two classes of Server Types
• Standard Server Types
• Custom Server Types
• Custom types are derived from Standard types


Protection Group Server Type
• Clicking on the Server Type link brings you to its Settings configuration page

Click to change settings of the Server Type

Amount of time that Protection Group has been configured


Server Types and Attack Preventions
• Attack Prevention settings are defined for each Server Type’s configuration
• Each Server Type has a set of pre-defined Preventions. For example,
• Web Server does not have any DNS Preventions
• DNS Server does not have any HTTP Preventions
• This allows for optimal inspection and increased performance
• Why test Web Server traffic for DNS attacks, or vice versa?


IPv6 Generic Server Type
• Arbor APS offers one Server Type for IPv6 mitigation settings
• Custom IPv6 Server Types can be defined
• The Generic IPv6 Server Type is not available in the UI until you create
an IPv6 Protection Group

• Note: If Arbor APS is managed by our Central Management Platform:
• You cannot add custom IPv6 Protection Groups or custom IPv6 Server Types
• IPv6 hosts cannot be added to the inbound blacklist or whitelist
• To enable IPv6 items on the APS you must remove any connection to a Central Manager


Preventions per Standard Server Type
Settings Category Generic Server DNS Server File Server Mail Server RLogin Server VoIP Server VPN Server Web Server IPv6 Generic
ATLAS Threat Categories x x x x x x x x
Application Misbehavior x x x x x x
Block Malformed DNS Traffic x x
Block Malformed SIP Traffic x x
Botnet Prevention x x x
CDN and Proxy Support x x
DNS Authentication x x
DNS NXDomain Rate Limiting x x
DNS Rate Limiting x x
DNS Regular Expression x x
Filter List x x x x x x x x x
Fragment Detection x x x x x x x x
HTTP Header Regular Expressions x x x x
HTTP Rate Limiting x x x x
HTTP Reporting x x x
ICMP Flood Detection x x x x x x x x
Malformed HTTP Filtering x x x
Multicast Blocking x x x x x x x x
Payload Regular Expression x x x x x x x x x
Private Address Blocking x x x x x x x x
Rate-based Blocking x x x x x x x x x
SIP Request Limiting x x
Spoofed SYN Flood Prevention x x x x x x x x x
TCP Connection Limiting x x x x
TCP Connection Reset x x x x x x x x
TCP SYN Flood Detection x x x x x x x x
TLS Attack Prevention x x x x x
Traffic Shaping x x x x x x x x x
UDP Flood Detection x x x x x x x x



Server Type Configuration
• Configuration of attack Preventions for the Selected Server Type

Change server type being configured

One way to add a custom server type
Custom Server Types

Click to add a new custom server type

Select to edit existing custom server types

• Custom server types are copies of standard server types
• Same available preventions as standard type
• A copy from Generic Server makes all available
• Intended so that prevention settings may be set differently than standard server type
• Existing Custom Server Types may also be duplicated
• Available for both IPv4 and IPv6 Protection Groups


Adding a Custom Server Type

Specify name of new server type

Select existing server type to duplicate

• Custom server types may also be added from the Options / Duplicate pull down menu


Restoring Prevention Settings
• It is possible to reset the Prevention Settings to their default values
by selecting “Restore Defaults” in the “Options” button



UNDERSTANDING
ATTACK DETAILS:
PROTECTION GROUP PAGE



Protection Groups
• Arbor APS uses a combination of protection groups and server types to
define the hosts to protect and the protection settings to use for those hosts
• APS uses the protection settings to match traffic behavior and identify attacks
• The View Protection Group page allows you to view information in real time
about the traffic that is destined for the prefixes in the protection group



Viewing Protection Groups

Search for a Protection Group


Default Protection Group
• The IPv4 Default Protection Group is provided “out-of-the-box”
• Reports on all traffic seen, to any host (0.0.0.0/0)
• Uses protection settings defined by ASERT to detect and mitigate basic DDoS
attacks
• The IPv4 Default Protection Group is mandatory
• Cannot be deleted (but can be made Inactive)
• Catch all. Will report on all traffic not reported under other Protection Groups
that are created later
• Out-of-the-box, there is no IPv6 Default Protection Group
• You can define one by creating an IPv6 Protection Group matching the “::/0” prefix


Protection Group Page
• Extensive traffic details:
• Group details
• Group Cloud Signaling Status*
• Overview
• Total Protection Group Traffic
• Attack Categories
• Top Temporary Blocked Sources
• Web Traffic by URL*
• Web Traffic by Domain*
• Web Crawlers*
• IP Location*
• Protocols
• Services

* Provided for IPv4 Protection Groups


Protection Group Page Details



Reporting Options
• Time Period
• bps x pps

Buttons to choose time period for all data

Buttons to display bytes or packets


Time Period Controls
Predefined report period buttons

Button for custom report period

Default is 1 hour

Custom report period

Apply custom report period


Protection Group Overview
• Single-glance overview of protection group performance


Total Protection Group Traffic
• Clearly shows the relative amounts of traffic being passed and blocked for this protection group


Blocked Sources: Who to Blame
• Click buttons to whitelist sources
• This widget shows those sources that have been completely blocked for at least 1 minute


Attack Categories
• Shows which Preventions have been triggered


Attack Categories - Details

Click for more info
Attack Categories Details Data
• Amount of detailed information varies for different protection types

Click again to hide details



Attack Categories Details Breakdowns
• Some preventions include detailed breakdowns


Attack Categories Details Data: Botnet
• Botnet Prevention Details shows
• Currently blocked traffic
• Traffic that would be blocked at higher protection levels


Attack Categories Details Data:
AIF Botnet Signatures
• AIF preventions offer same breakdown format as Botnet
• “Details” include stats for low / medium / high matching
• AIF is always matching all rules at all protection levels
• Only way to know how protection level affects AIF matching


Attack Categories Details Data:
ATLAS Threat Categories
• When enabled, APS blocks both inbound and outbound traffic which matches the Threat Category
• Identifies categories of known threats by traffic patterns defined by:
• IP address
• DNS names
• Threat Categories that are tested are determined by the AIF license
• Standard
• Advanced


Attack Categories Details Data
• Using the mouse-over popup menu you can see the hosts blocked by a specific prevention


URL & Domain
• Breakdowns by embedded URL and domain part of URL
• Hover cursor over “…” for full URL as alt-text
• Copying “…” to clipboard will actually copy hidden part of URL
• Blacklist buttons available for these URLs


Web Crawlers
• Shows Total and Passed traffic for specific Web Crawlers
• Hovering your mouse over the Web Crawler name provides additional
information



IP Location – Where the Attack Comes From

• Click buttons to block country sources



Protocols – Where It is Hitting

• Breakdown of the Top protocols
• If a protocol needs to be blocked, enter it in the filter list for the Protected Service


Services – Where It is Hitting
Radio buttons to change view

• Breakdown of the Top Services (Protocol/Port)
• If a service needs to be blocked, enter it in the filter list for the Protected Service


IDENTIFYING BLOCKED
SOURCES



Temporarily Blocked Sources Panel
• Lists top offenders (but not all offenders)
• Click buttons to whitelist sources
• IPv4 PGs only

This widget shows those sources that have been completely blocked for at least 1 minute
Search for Blocked Hosts
Initial page load returns all blocked hosts without filters

This tool lists sources that have:
• At least 1 packet dropped
• Not passed DNS Authentication
• Not passed Spoofed SYN Flood prevention
Search for Blocked Hosts - Options
Specify Traffic Direction

Enter IPv4 or IPv6 hosts filters as freeform text

Select / deselect all

Use custom time selector for hosts blocked more than one week ago

Choose minimum amount of host traffic observed to cause blocking

• Blocked hosts history is limited to 224,000 hosts and one year since last blocked
Filtered Search for Blocked Hosts

Filter settings used to find current results

No filters are applied until Search button is clicked
IPv6 Filtered Search for Blocked Hosts
Select IPv6 Protection Group

Blacklisted Source  Blacklist  Attack Category
Blocked Host Details

Blocked Host Detail appears by clicking Details button


ELIMINATING COLLATERAL
DAMAGE



Blacklists & Whitelists
• APS uses blacklisting to protect your network from malicious traffic,
and it uses whitelisting to allow trusted traffic.
• APS uses the blacklists and whitelists as filters to block or pass traffic
without further inspection, regardless of the current protection level
• Blacklists & Whitelists are manually configured by administrators
• APS does not blacklist or whitelist hosts automatically



Blacklists & Whitelists
• Blacklists will Drop traffic for
• Source addresses and subnets
• IPv4
• IPv6
• IP Location countries
• Embedded domains
• Embedded URLs
• Whitelists will Allow all traffic for
• Source addresses and subnets
• IPv4
• IPv6 (inbound only)

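To make the decision logic of this unit concrete, here is an added Python model (example code, not APS's implementation) that ties together the "Active / Inactive per Protection Group" rule and the Blacklists & Whitelists slides above: deployment mode and the per-group setting decide whether a drop is enforced or only reported, whitelist and blacklist entries pass or drop without further inspection regardless of protection level, and otherwise a prevention decides. It assumes whitelist entries are checked before blacklist entries (the order is not stated in the unit) and uses constructed prefixes, country codes and prevention names.

```python
import ipaddress
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}   # protection levels, lowest to highest


@dataclass
class Verdict:
    action: str       # "pass" or "drop"
    enforced: bool    # True: traffic really dropped; False: forwarded and only reported
    reason: str       # which filter or prevention produced the verdict


@dataclass
class ApsConfig:
    deployment_mode: str                              # "monitor", "inline-inactive", "inline-active"
    protection_level: str = "medium"
    group_active: dict = field(default_factory=dict)  # PG name -> True (Active) / False (Inactive)
    whitelist: list = field(default_factory=list)     # constructed source prefixes
    blacklist: list = field(default_factory=list)
    blacklist_countries: set = field(default_factory=set)


def _src_in(src_ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == net.version and addr in net
               for net in map(ipaddress.ip_network, prefixes))


def group_enforces(cfg: ApsConfig, group: str) -> bool:
    """Monitor and Inline Inactive force every group Inactive, whatever its own setting;
    in Inline Active the group's own Active/Inactive selection applies."""
    if cfg.deployment_mode != "inline-active":
        return False
    return cfg.group_active.get(group, True)


def decide(cfg, group, src_ip, src_country=None, prevention_hits=()):
    """prevention_hits: constructed (prevention name, lowest level at which it blocks)
    pairs that matched this source's behaviour. An un-enforced "drop" is what the
    Inactive sub-mode reports as traffic it would block if Active."""
    enforced = group_enforces(cfg, group)
    # Whitelist/blacklist are filters applied before any prevention and independent
    # of the protection level (assumed precedence: whitelist first).
    if _src_in(src_ip, cfg.whitelist):
        return Verdict("pass", True, "whitelist")
    if _src_in(src_ip, cfg.blacklist):
        return Verdict("drop", enforced, "blacklist")
    if src_country in cfg.blacklist_countries:
        return Verdict("drop", enforced, f"blacklist-country:{src_country}")
    level = LEVELS[cfg.protection_level]
    for name, min_level in prevention_hits:
        if LEVELS[min_level] <= level:       # prevention is active at the current level
            return Verdict("drop", enforced, name)
    return Verdict("pass", True, "no prevention triggered at this level")
```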


Blacklists & Whitelists - Update
• Temporarily Blocked Sources are dynamically updated only by Preventions
• Blacklist and Whitelist additions are possible via direct entry or by clicking
from breakdown widgets
– Clicking on “Blacklist” or “Whitelist” in a widget will add that item
to a permanent blacklist or whitelist



Blacklists Management
• Manage and search Blacklists here


Add Countries to the Blacklist
• IP Location information to establish Country origination is part of the AIF Feed


Blacklist Rules
• Items can be added to or removed from Blacklists for Countries, URI Domains, or URLs from buttons on top elements detected within protection groups
• Blacklisting by URI Domains and URL is not supported for IPv6
• Items can be removed here from all four Blacklists
• Items can be manually added here only for some Blacklists (i.e. not URLs)


Whitelists Management
Hosts are listed by IP address

Click to move to blacklist

Click to remove
Adding a Host to the Whitelist

Click to add

New host to be whitelisted

• Blacklist hosts work the same
• Note: IPv6 hosts can only be blocked inbound on a global basis (not by PG)


Whitelisted Hosts

New hosts are added



BLOCKING THE ATTACK



Going Into Active Sub-mode



Mitigation Starts



Site Is Up Again



Traffic at Interfaces Confirms Mitigation
• Traffic transmitted by int0 (towards the web server) reduced


Mitigation Effective, Attacker Quits



Lab Exercise
• Preview Lab 3
• Build Protection Groups
• Change Inline Protection Mode
• Mitigate Attack with out-of-box protections
• Perform Lab 3
• Estimated Time 30 Minutes
• Review Lab Questions

https://portal.training.arbor.net



Unit Summary
In this unit we have learned how to:
• Obtain attack details in the Protection Group page
• Identify Blocked Hosts and how to Whitelist or Blacklist hosts
• Use Inactive and Active sub-modes



Q&A / THANK YOU
