
Partner Technical Training

Monitoring the Attack with Arbor APS

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Perform initial configuration using the GUI
• Establish attack characteristics using APS’s Summary Page



SCENARIO:
UNDERSTANDING THE
DDOS ATTACK WITH
ARBOR APS



Issue & Context
• A large stock trading website is suffering intermittent DDoS attacks
• We met with the customer and discussed the web infrastructure and services in order to propose a solution to the issue


Issue: Customer Under Attack
• A large stock trading website is suffering intermittent DDoS attacks

Diagram: attack traffic and good traffic from ISP 1, ISP 2 through ISP 'n' enter the data center and pass through the IPS, firewall and load balancer to the target applications and services.


Action: Investigate the Attack Traffic
• Install Arbor APS in the data center connected inline inactive, reporting on what it sees

Diagram: the same data center topology (ISP 1, ISP 2 through ISP 'n', IPS, firewall, load balancer, target applications and services), with Arbor APS inserted in the traffic path in Inline Inactive mode; attack traffic and good traffic both still reach the targets.

Note: For a proof of concept or to avoid network disruption, install in monitor mode using a SPAN port or network tap.
GUI - INITIAL
CONFIGURATION



Complete Initial Configuration via GUI
• Below is a list of tasks to complete the initial configuration:
  • Configure DNS
    • DNS is used to find AIF
  • Check if AIF update is working
    • Force an AIF update
  • Set NTP
    • optional, unless Cloud-Signaling is configured
  • Configure SMTP Server
    • to send notification e-mails
  • Enable SSL encryption and reporting


Graphical User Interface (GUI)
• Use HTTPS for access


Welcome to Arbor APS’s GUI

Loading the GUI is the ultimate test of whether the CLI configuration is OK
Summary Page
• Alerts: DNS and SMTP are not configured in UI


Menu Tabs

Screenshot callouts (tabs from left to right): a fixed page with no submenus; protection monitoring & configuration; system configuration & maintenance; advanced tools for analysis of filtered hosts and captured packets.


Status Bar: Deployment Mode Monitor
Shows deployment mode

• Monitor mode does not forward any traffic, ever
• Traffic blocking is reported the same as Inline mode
• Used for trials and testing via network SPAN


Status Bar: Deployment Mode Inline
Shows deployment mode

• Inline Bridged mode forwards traffic
• Inline Active sub mode processes traffic through protection group settings and passes only good traffic.
• Inline Inactive sub mode processes traffic through protection group settings but does not block any traffic. All traffic is passed (this is useful during deployment to ensure good traffic does not get mitigated)


Status Bar: Deployment Mode Inline Routed (L3)
Shows deployment mode

• Inline Routed (L3) mode forwards network traffic based on static routes configured on Arbor APS
• Static mitigation routes are configured for the destination network and next hop.
• vAPS inspects all of the traffic that traverses the specified route and mitigates any attacks before it routes the traffic to its destination.
• This is supported only on vAPS (no HW appliance support)


Initial Configuration in the UI



General System Settings
• Configure
• Time Zone
• DNS
• NTP Servers
• SMTP
• SNMP



Administration > ATLAS Intelligence Feed



Configuring AIF
• AIF update cannot be received until DNS is configured


AIF Connection Test
• Best Practice: Test AIF with a manual update before relying on automatic updates

Screenshot callouts: the Update button was clicked; AIF update in progress.


AIF Configuration

Screenshot callouts:
• Status of most recent update
• HTTPS proxy service for AIF (proxy user and password optional)
• Automatic identification of feed authentication method (selectable if APS cannot automatically identify it)
• Feedback to ATLAS


Override AIF Download URL (1 of 2)
• Overview
  • Default URL is https://aif.arbor.net
  • This can be modified using the commands shown below
• Usage
  • / services aps aif url [set|show|clear]
  • / services aps aif url set [feed_name] https://www.example.com/feed/version
  • / services aps aif url show [feed_name]
  • / services aps aif url clear [feed_name]


Override AIF Download URL (2 of 2)
• Example:
  / services aps aif url set attack_rules https://www.abc.com/feed/version
  / services aps aif url show attack_rules
  Feed Name      URL
  attack_rules   https://www.abc.com/feed/version
  / services aps aif url clear
  / services aps aif url show attack_rules
  Feed Name      URL
  attack_rules   default


AIF Update Interval – Automatic Updates
• AIF update initiation can be manual, automatic or both
• Interval for automatic updates defaults to 24 hours from previous update

Screenshot callouts: manual AIF update initiation; automatic AIF update initiation; adjustable update interval.


AIF Version Information - CLI
• Overview
  • When the AIF feed components are updated, information related to the updates is stored by the system. You can use the CLI to view this information
• Usage
  • / services aps aif versions show [feed_name]

Columns: Feed Name = AIF component; Download Time = timestamp of feed download; ETag = MD5 hash of the feed; Version = feed version (<unknown> = no versioning of the feed is done).

Feed Name             Download Time  ETag                              Version
attack_rules          1494190605     d45dfae8993423a78f0a0548d15e7dbb  <unknown>
geoip_countries       1494190604     c0ce84a1b4d222d1e3325e5f40a9e130  1493796462697
reputation_feed       1494190629     dbae95e11982ddfe9c78b3f03376c0a3  1494187344
webcrawler_whitelist  1494190607     dafc58e1ab12d5efd4c0c10b706d0792  <unknown>


AIF Version Information - Syslog
• Overview
  • When the AIF feed components are updated, information related to the updates is also logged. You can view this in syslog
• Example:
May 10 18:41:19 APS aifu[30019]: [S] #DOWNLOAD-FILE downloading feed reputation_feed from https://aif.arbor.net/repfeed/full/1.0
May 10 18:41:21 APS aifu[30019]: [S] Downloaded reputation_feed in 1.5 seconds.
May 10 18:41:46 APS blogd[30280]: [S] #RECONFIG
May 10 18:41:46 APS aifu[30019]: [S] Parsed reputation_feed in 2.5e+01 seconds.
May 10 18:41:46 APS aifu[30019]: [S] Successfully downloaded reputation_feed file etag 10e7d1b56090d08fa1d9738d0f12092b revision 1494439359.


AIF Version Information - Syslog

Callouts on the same syslog excerpt:
• AIF component: the feed name (reputation_feed) in the #DOWNLOAD-FILE line
• Timestamp of feed download: the syslog timestamp of each line (May 10 18:41:19 to 18:41:46)
• MD5 hash of the feed: the etag value (10e7d1b56090d08fa1d9738d0f12092b)
• Feed version: the revision value (1494439359); <unknown> = no versioning of the feed is done.
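As an added example (not part of the Arbor training material or the APS product), the following Python parses the "services aps aif versions show" table and the "Successfully downloaded" syslog line shown on the preceding slides, and flags feeds whose last download is older than the 24-hour automatic update interval. The sample table and log line are constructed from the values on the slides, and the 1.5-interval staleness tolerance is an assumed operational threshold, not an APS setting.

```python
import re

# Constructed sample of "/ services aps aif versions show" output, in the shape
# shown on the slide: feed name, download time (epoch), ETag (MD5), version.
VERSIONS_OUTPUT = """\
Feed Name Download Time ETag Version
attack_rules 1494190605 d45dfae8993423a78f0a0548d15e7dbb <unknown>
geoip_countries 1494190604 c0ce84a1b4d222d1e3325e5f40a9e130 1493796462697
reputation_feed 1494190629 dbae95e11982ddfe9c78b3f03376c0a3 1494187344
webcrawler_whitelist 1494190607 dafc58e1ab12d5efd4c0c10b706d0792 <unknown>
"""

# Constructed syslog line in the format shown on the slide.
SYSLOG_LINE = ("May 10 18:41:46 APS aifu[30019]: [S] Successfully downloaded "
               "reputation_feed file etag 10e7d1b56090d08fa1d9738d0f12092b "
               "revision 1494439359.")

DEFAULT_INTERVAL_S = 24 * 3600  # automatic update interval defaults to 24 h


def parse_versions(text):
    """Parse the versions table into {feed: (download_time, etag, version)}.

    A "<unknown>" version (feed is not versioned) is returned as None.
    """
    feeds = {}
    for line in text.splitlines()[1:]:       # skip the "Feed Name ..." header
        parts = line.split()
        if len(parts) != 4:
            continue                          # ignore blank or malformed rows
        name, ts, etag, version = parts
        feeds[name] = (int(ts), etag, None if version == "<unknown>" else version)
    return feeds


SUCCESS_RE = re.compile(
    r"Successfully downloaded (\S+) file etag ([0-9a-f]{32}) revision (\d+)")


def parse_success_line(line):
    """Return (feed, etag_md5, revision) from a successful-download line, else None."""
    m = SUCCESS_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def stale_feeds(feeds, now, interval_s=DEFAULT_INTERVAL_S, slack=1.5):
    """Feeds not downloaded within `slack` update intervals of `now` (epoch).

    `slack` (assumed tolerance) leaves room for one late run before alerting.
    """
    return sorted(name for name, (ts, _, _) in feeds.items()
                  if now - ts > slack * interval_s)
```

A non-empty result from stale_feeds() on a box with automatic updates enabled means the feed is no longer refreshing (DNS, proxy or URL override problems are the usual causes covered on the earlier slides).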


ATTACK OVERVIEW:
THE SUMMARY PAGE



Summary Page
• Intended to give an easily understood overview of system status
• Always the first page loaded at login
• Traffic data shown is for the last hour


Top Protection Groups
• Shows traffic per Protection Group (color marked)
• Out-of-the-box, Arbor APS starts with the “Default Protection Group” tracking all traffic


ATLAS Botnet Prevention
• Shows AIF update status and how AIF Prevention is seeing the botnet traffic for each Protection Group and Level


Overview

Out of the box - showing blocked traffic:

Seems Arbor APS can mitigate the attack!


ATLAS Threat Categories
• Displays the five ATLAS threat categories that blocked the most inbound traffic and outbound traffic during the last hour

Screenshot callout: detailed threat description.


Top Inbound Countries
• Shows geographical distribution of incoming traffic


Web Crawlers
• Shows total traffic and traffic rates for different Web Crawlers
• Web Crawler traffic identification is an AIF service


Top Inbound Sources
• Shows the address of the host(s) generating the most inbound traffic


Top Inbound Destinations
• Provides visibility into which hosts are receiving most of the traffic in the last hour


Interfaces
• Traffic rates for protection interfaces
• Based on hardware interface counters


SSL Inspection
• Shows total SSL / TLS traffic and the amount that is being decrypted by the appliance


Lab Exercise
• Preview Lab 2
• Inline Inactive mode out-of-box protection
• Executive Reporting
• View attack impact on Victim web server
• Perform Lab 2
• Estimated Time 45 Minutes
• Review Lab Questions

https://portal.training.arbor.net



Unit Summary
In this unit we have learned how to:
• Perform initial configuration using the GUI
• Establish attack characteristics using Arbor APS’s Summary Page



Q&A / THANK YOU
