Protections
– Identify attacks by a specific traffic pattern or behavior
then
– Determine how APS will deal with the traffic or the host that
generated the traffic (by source IP)
• Defined and configurable for each Server Type
• Can be categorized into:
– Layer 3/4 protections
– Application-layer protections
Layer 3/4
• Filter List
• Invalid Packets
• ATLAS Threat Categories
• Multicast Blocking
• Private Address Blocking
• Payload Regular Expression
• Rate-based Blocking
• Fragment Flood Detection
• ICMP Flood Detection
• UDP Flood Detection
• TCP SYN Flood Detection
• Spoofed SYN Flood Prevention
• TCP Out-of-Sequence Authentication
• TCP Connection Limiting
• TCP Connection Reset
• Traffic Shaping
• Protections either:
– Drop offending packets
• Service-based protections that track host behavior and will discard
packets for unexpected events
• Signature-based protections (such as AIF) that recognize malicious
data in packet contents
– Or, block hosts by dropping all of its packets
• The host was Blacklisted by an administrator
• Some protections detect that host actions are a part of the attack and
temporarily block the host
– Initially, offending host is blocked for 60 seconds
– If host offends again within 10 minutes, it is blocked for 300 seconds
– If CDN and Proxy Detection is enabled in the Protection Group, some protections do not block a source detected as a CDN or Proxy host
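The escalation just described, worked through as an added example (not Arbor code and not the APS implementation). The slide fixes the numbers (60 s first block, 300 s repeat block, 10-minute window) but not where the window is measured from or what a third offense receives; the model below assumes the window runs from the previous offense, that every repeat inside the window gets 300 s, and that a source detected as CDN/proxy is exempt when detection is on. The CDN/proxy set is a constructed input, not something the slide describes as a data structure.

```python
"""Model of the temporary host-block escalation on the slide (added example).

Assumptions not stated on the slide:
  * the 10-minute window is measured from the previous offense;
  * every offense inside the window is blocked for 300 s (no further escalation);
  * an offense outside the window starts over at 60 s.
"""
import ipaddress
import time

FIRST_BLOCK_SECONDS = 60      # from the slide
REPEAT_BLOCK_SECONDS = 300    # from the slide
REPEAT_WINDOW_SECONDS = 600   # "within 10 minutes"


class HostBlocker:
    """Tracks per-source block state for one Protection Group."""

    def __init__(self, cdn_proxy_detection=False):
        self.cdn_proxy_detection = cdn_proxy_detection
        self.cdn_proxy_hosts = set()   # sources detected as CDN/proxy (constructed input)
        self.blocked_until = {}        # ip -> unix time at which the block expires
        self.last_offense = {}         # ip -> unix time of the most recent offense

    def mark_cdn_or_proxy(self, ip):
        self.cdn_proxy_hosts.add(ipaddress.ip_address(ip))

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return self.blocked_until.get(ipaddress.ip_address(ip), 0) > now

    def report_offense(self, ip, now=None):
        """A protection saw `ip` take part in an attack.

        Returns the block duration applied, 0 when the host is exempt."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(ip)
        if self.cdn_proxy_detection and ip in self.cdn_proxy_hosts:
            # Blocking a shared CDN/proxy address would cut off every client behind it.
            return 0
        previous = self.last_offense.get(ip)
        self.last_offense[ip] = now
        if previous is not None and now - previous <= REPEAT_WINDOW_SECONDS:
            duration = REPEAT_BLOCK_SECONDS
        else:
            duration = FIRST_BLOCK_SECONDS
        self.blocked_until[ip] = now + duration
        return duration

    def expire(self, now=None):
        """Drop expired entries so the table does not grow without bound."""
        now = time.time() if now is None else now
        for ip in [ip for ip, t in self.blocked_until.items() if t <= now]:
            del self.blocked_until[ip]
```

Because a blocked source's packets are dropped before any protection inspects them, a host normally cannot re-offend while its block is active; the repeat path is reached when the 60 s block has expired but the 10-minute window has not.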
drop proto udp and src port 123 and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)
• Master Filter Lists, containing drop and/or pass expressions may now
be applied to ALL active Protection Groups
• Simplifies control of unwanted traffic, as well as known good hosts
mean that we will not be able to protect 1.2.3.4 from any attacks
Instead use
drop udp and !(dst 1.2.3.4)
and we will still be able to protect 1.2.3.4 from attacks
[Diagram: ASERT Data Center, AIF Reputation Feed, ISP 1, ISP 2, IPS, Load Balancer]
• ATLAS threat categories (IP & DNS reputation) block incoming attacks based
on ASERT’s Confidence Index
• Confidence Index is reflective of active malware, botnets, & campaigns in
real time
– Per-Protection Level setting
– When ASERT spots malware and creates a rule, confidence is set to 100
• Value can range from 1 – 100
• Measure of ASERT’s confidence that traffic matching a particular rule is not a false-positive
– If malware is spotted less frequently over time, the Confidence Index is decreased
– If malware frequency increases again, the Confidence Index increases
• Blacklist and Whitelist additions are possible via direct entry or by clicking
from breakdown widgets
– Clicking on Blacklist or Whitelist button in a widget will add that item to the
permanent blacklist or whitelist
– Blacklisting and whitelisting of both IPv4 and IPv6 traffic for all protection groups
• If the blacklists or whitelists contain an IP address and a CIDR that overlaps that IP address, the most specific address always takes precedence
• Invalid Packets protection takes precedence over the whitelist
• IPv4 blacklist-whitelist table stores a maximum of 20,000 hosts and CIDRs
• IPv6 blacklist-whitelist table stores a maximum of 12,000 hosts and CIDRs
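The precedence rules on this slide, worked through as an added example (not Arbor code and not the APS lookup implementation): most-specific entry wins when an address and an overlapping CIDR are both listed, Invalid Packets protection is checked before the whitelist, and the per-family table sizes are capped at 20,000 (IPv4) and 12,000 (IPv6). The `decide()` return values and the linear scan are this example's own choices; the sample addresses are constructed documentation ranges.

```python
"""Blacklist/whitelist resolution with most-specific-match precedence (added example)."""
import ipaddress

# Table limits from the slide, per address family.
MAX_ENTRIES = {4: 20_000, 6: 12_000}


class ListFull(Exception):
    pass


class BlackWhiteList:
    def __init__(self):
        # One table per address family: ip_network -> "blacklist" | "whitelist".
        self.tables = {4: {}, 6: {}}

    def add(self, entry, action):
        if action not in ("blacklist", "whitelist"):
            raise ValueError(action)
        net = ipaddress.ip_network(entry, strict=False)   # a bare host becomes /32 or /128
        table = self.tables[net.version]
        if net not in table and len(table) >= MAX_ENTRIES[net.version]:
            raise ListFull("IPv%d table holds at most %d entries" % (net.version, MAX_ENTRIES[net.version]))
        table[net] = action

    def remove(self, entry):
        net = ipaddress.ip_network(entry, strict=False)
        self.tables[net.version].pop(net, None)

    def lookup(self, ip):
        """Return (action, matching_network) for the longest-prefix match, or (None, None)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, action in self.tables[addr.version].items():
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (action, net)
        return best if best else (None, None)

    def decide(self, ip, invalid_packet=False):
        """Forwarding decision for one packet from `ip`.

        Invalid Packets protection runs first, so a whitelisted source still has
        its malformed packets dropped.  Unlisted sources fall through to the
        other protections ("inspect")."""
        if invalid_packet:
            return "drop"
        action, _ = self.lookup(ip)
        if action == "blacklist":
            return "drop"
        if action == "whitelist":
            return "pass"
        return "inspect"
```

A production table of 20,000 prefixes would use a radix tree rather than a scan, but the scan keeps the precedence rule visible: the entry with the longest prefix wins regardless of the order in which entries were added.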
©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 48
Blacklists Management
Protect > Blacklists
Download PCAP (no packets captured until clicked)
• Packet capture with this filter shows only packets that caused a host to get blocked.
– This is very useful in the troubleshooting and tuning process.
[Screenshot: packet capture controls Start / Pause / Resume; captured packets listed as HTTP request and DNS query; Packet Details pane]
• Payload Regular Expressions may now be leveraged against Source Ports
• Previously only Destination Ports were configurable
• Specific ports, port ranges or all ports may also be specified for greater DDoS protection
Example:
500
*\.(arbor\.net|arbornetworks\.com)$
Manually choose TCP or UDP ports
Selected payload automatically copied to Regular Expression
Expression Reference
[src | dst] [net | host] addr       Matching networks and hosts
[protocol | proto] protocol-name    Matching protocols
icmpcode code
tos number                          Matching Type of Service
ttl number                          Matching Time to Live
frag                                Matching Fragments
• drop proto tcp and not (src port 1024..65535 and dst port 80)
• drop proto tcp and not (src port 1024..65535 and (dst port 80 or dst port 443))
• drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
• drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
• drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
• drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))