
Defending Against DDoS Attacks using Arbor APS

Unit 3: Viewing and Understanding the Attack Details
Objectives

At the conclusion of this unit you will learn to:

• Analyze the Summary and Protection Group Widgets to understand and isolate an attack
• Leverage FCAP filter expressions for effective mitigation
• Understand the functionality of Dropped Packets vs. Blocked Hosts
• Identify Blocked Hosts and how to Whitelist or Blacklist hosts
• Understand when an attack has been mitigated

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 2


DETECTING AN ATTACK



Attack Identification Workflow

List of tasks to complete:


• Look at the Summary page
• Look at Protection Group details
– Check for blocked traffic
– Check attack categories
• Raise the Protection Level
• Check for mitigation effectiveness
• Check for valid hosts and services blocked
– Whitelist to re-establish service



Traffic Significantly Increased Suddenly

Network/server monitoring triggers alerts

Seeing the Attack Traffic

APS is active, but most of the attack is not yet being blocked…

Recall: Protections per Standard Server Type

Settings category, by server type: Generic Server, RLogin Server, VoIP Server, DNS Server, File Server, Mail Server, VPN Server, Web Server, IPv6
ATLAS Threat Categories x x x x x x x x
Application Misbehavior x x x x x x
Block Malformed DNS Traffic x x x
Block Malformed SIP Traffic x x
Botnet Prevention x x x
CDN and Proxy Support x x
DNS Authentication x x x
DNS NXDomain Rate Limiting x x x
DNS Rate Limiting x x x
DNS Regular Expression x x x
Filter List x x x x x x x x x
Fragment Detection x x x x x x x x
HTTP Header Regular Expressions x x x x
HTTP Rate Limiting x x x x
HTTP Reporting x x x
ICMP Flood Detection x x x x x x x x
Malformed HTTP Filtering x x x
Multicast Blocking x x x x x x x x
Payload Regular Expression x x x x x x x x x
Private Address Blocking x x x x x x x x
Rate-based Blocking x x x x x x x x x
SIP Request Limiting x x
Spoofed SYN Flood Prevention x x x x x x x x x
TCP Connection Limiting x x x x x
TCP Connection Reset x x x x x x x x x
TCP SYN Flood Detection x x x x x x x x
TLS Attack Prevention x x x x x
Traffic Shaping x x x x x x x x x
UDP Flood Detection x x x x x x x x



Attack Protections

Protections
– Identify attacks by a specific traffic pattern or behavior, then
– Determine how APS will deal with the traffic or the host that generated the traffic (by source IP)
• Defined and configurable for each Server Type
• Can be categorized into:
– Layer 3/4 protections
– Application-layer protections



Layer 3/4 Protections

Layer 3/4
• Filter List
• Invalid Packets
• ATLAS Threat Categories
• Multicast Blocking
• Private Address Blocking
• Payload Regular Expression
• Rate-based Blocking
• Fragment Flood Detection
• ICMP Flood Detection
• UDP Flood Detection
• TCP SYN Flood Detection
• Spoofed SYN Flood Prevention
• TCP Out-of-Sequence Authentication
• TCP Connection Limiting
• TCP Connection Reset
• Traffic Shaping



Application-Layer Protections

Web Servers (HTTP)
• Malformed HTTP Filtering
• Application Misbehavior
• HTTP Rate Limiting
• Botnet Prevention
– Includes AIF signatures
• Payload Regular Expression
• Spoofed SYN Flood Prevention
– HTTP Authentication option
• HTTP Header Regular Expression

SSL Secured Services
• TLS Attack Prevention

SIP Servers
• Block Malformed SIP Traffic
• SIP Request Rate Limiting

DNS Servers
• ATLAS Threat Categories
• DNS Authentication
• Malformed DNS Traffic
• DNS Rate Limiting
• DNS NXDomain Rate Limiting
• DNS Regular Expression

AIF Category
§ Email Threats
§ Location Based Threats
§ Targeted Attacks
§ Command & Control
§ DDoS Reputation
§ Malware
§ Mobile



Inbound Protection Settings

• Protection settings are configurable
– Default settings from factory can be modified and reset to default if necessary



Blocking Attack Traffic

• Protections either:
– Drop offending packets
• Service-based protections that track host behavior and will discard packets for unexpected events
• Signature-based protections (such as AIF) that recognize malicious data in packet contents
– Or, block hosts by dropping all of their packets
• The host was Blacklisted by an administrator
• Some protections detect that host actions are a part of the attack and temporarily block the host
– Initially, the offending host is blocked for 60 seconds
– If the host offends again within 10 minutes, it is blocked for 300 seconds
– If CDN and Proxy Detection is enabled in the Protection Group, some protections do not block a source detected as a CDN or Proxy host

Note: In both cases the host will be reported in the Blocked Hosts page!

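The two kinds of host block described above (administrator blacklist versus temporary block by a protection) and the 60 s / 300 s escalation can be modelled in a few lines. The code below is an added example written for this page, not Arbor code; the 10-minute repeat window is assumed to be counted from the host's previous offense (the slide does not say which event it is measured from), and the host addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Timings from the slide; the rest of this file is an illustrative model, not APS code
FIRST_BLOCK_SECS = 60        # first offense: blocked for 60 seconds
REPEAT_BLOCK_SECS = 300      # repeat offense: blocked for 300 seconds
REPEAT_WINDOW_SECS = 600     # "offends again within 10 minutes"


@dataclass
class BlockedHosts:
    """Two ways a host ends up blocked: an administrator blacklist entry, or a
    protection temporarily blocking the source. Both show up in report().

    Assumption: the 10-minute repeat window is measured from the host's previous
    offense (the slide does not say from which event it is counted)."""
    blacklist: set = field(default_factory=set)        # hosts blocked by an administrator
    cdn_or_proxy: set = field(default_factory=set)     # sources detected as CDN/proxy hosts
    temp_until: dict = field(default_factory=dict)     # host -> time the temporary block expires
    last_offense: dict = field(default_factory=dict)   # host -> time of the host's last offense

    def offend(self, host: str, now: float, protection_honours_cdn: bool = True) -> int:
        """A protection decided this host's actions are part of the attack.
        Returns the block duration applied, in seconds (0 = not blocked)."""
        if protection_honours_cdn and host in self.cdn_or_proxy:
            return 0                                    # CDN/Proxy Detection: some protections skip blocking
        previous = self.last_offense.get(host)
        repeat = previous is not None and now - previous <= REPEAT_WINDOW_SECS
        duration = REPEAT_BLOCK_SECS if repeat else FIRST_BLOCK_SECS
        self.last_offense[host] = now
        self.temp_until[host] = now + duration
        return duration

    def whitelist(self, host: str) -> None:
        """Whitelisting a temporarily blocked host removes it from the temporary list at once."""
        self.temp_until.pop(host, None)
        self.last_offense.pop(host, None)

    def is_blocked(self, host: str, now: float) -> bool:
        return host in self.blacklist or self.temp_until.get(host, 0.0) > now

    def report(self, now: float) -> dict:
        """What the Blocked Hosts page would list: every blocked host with its reason."""
        out = {h: "blacklisted" for h in self.blacklist}
        for h, until in self.temp_until.items():
            if until > now and h not in out:
                out[h] = f"temporarily blocked ({int(until - now)} s left)"
        return out


if __name__ == "__main__":
    table = BlockedHosts()
    attacker = "203.0.113.10"                          # constructed sample source
    print("first offense ->", table.offend(attacker, now=0), "s")
    print("repeat within 10 min ->", table.offend(attacker, now=400), "s")
    print("offense after the window ->", table.offend(attacker, now=2000), "s")
    table.blacklist.add("192.0.2.7")
    print(table.report(now=2010))
```

Running it shows the escalation (60, 300, then back to 60 once the window has passed) and a Blocked Hosts view that lists the blacklisted host and the temporarily blocked host side by side, which is why the slide stresses checking that page after raising the Protection Level.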


Inbound Host-Blocking Protections

• Inbound Host-Blocking Protections include
– Filter lists, ICMP Flood Detection*, Fragment Flood Detection*, UDP Flood Detection*, Rate Based Limiting, TCP Connection Reset, DNS Query Rate Limiting, DNS NXDomain Rate Limiting, Malformed HTTP Filtering, HTTP Rate Limiting, Block Malformed SIP Traffic, SIP Request Limiting, TLS Negotiation, Botnet Prevention, Application Misbehavior
• If “CDN and Proxy Detection” is enabled in the Protection Group, some Protections do not block a host that was identified as a CDN or Proxy

* Not always. See specific Protection information for details



Protection – Filter Lists for Surgical Removal

• Each packet is tested by each of the FCAP expression rules sequentially through the list
– Immediately drops any packet that matches a drop rule without further protection processing
– Immediately passes any packet that matches a pass rule without further protection processing
– All traffic not matching any rule is subject to further protection processing

• Each Protection Level setting can have different filter lists



New: Master Filter Lists – Global Protection

APS-wide FCAP Filter Configuration - Support a global blacklist/whitelist using FCAP instead of just IP address.

drop proto udp and src port 123 and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)

• Master Filter Lists, containing drop and/or pass expressions may now be applied to ALL active Protection Groups
• Simplifies control of unwanted traffic, as well as known good hosts



Specific Protection – Filter Lists

• Can serve as black/white list per Protection Level, per protected service
• Provides an easy solution to the problem of the ICMP reflection
– Write an FCAP expression
drop proto icmp dst host 1.2.3.4
to drop all ICMP packets going to the victim (1.2.3.4)
• Since the filter rules act on every packet anyway, it is not a blocking protection



Filter List Examples (1 of 2)

drop udp and port 53
drop tcp and port ssh
pass src 198.168.1.0/24
drop dst port 22 or 23 or 25
pass dst 198.168.1.0/24
drop dst 1.2.3.4 port 22 port 80
pass udp and not (src 1.2.3.4)

Customized for a Web services Protection Group:

drop !(proto TCP and dst port 80 or 443)



Filter List Examples (2 of 2)

• In order to drop all traffic except
– ICMP
– TCP to port 80
– TCP from ports 53, 80 or 443
– UDP from port 53

Use the following simple filter list:

drop not (proto 1 or proto 6 or proto 17)
drop proto 6 not (dst port 80 or src port 53 or src port 80 or src port 443)
drop proto 17 not src port 53



Filter List Notes

• Be very careful with “pass” rule ordering
– Passed traffic is considered safe and will not be processed through any further protections
– Example: suppose you have a DNS server at 1.2.3.4 and want to block all UDP traffic except when it is directed to it

The following filter statements

pass dst 1.2.3.4
drop udp

mean that we will not be able to protect 1.2.3.4 from any attacks

Instead use
drop udp and !(dst 1.2.3.4)
and we will still be able to protect 1.2.3.4 from attacks

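The ordering pitfall above is easiest to see by running both filter lists against the same packets. The evaluator below is an added example written for this page, not Arbor's FCAP implementation: it parses the subset of FCAP used in this deck's examples (drop/pass, proto, bare udp/tcp/icmp, src/dst host/net, src/dst port ranges, bpp/bytes ranges, and/or/not/!, parentheses, `#` comments) with first-match semantics and no implied drop-all, as the slides describe. AND-by-juxtaposition (`drop proto 6 not (...)`) and pcap-style precedence (not, then and, then or) are assumptions; icmptype/icmpcode, tflags, tos, ttl, frag and the `port 22 or 23` shorthand are deliberately not modelled. The packets are constructed samples.

```python
import ipaddress
import re

# Protocol names accepted after "proto" and as bare shorthand (udp, tcp, icmp)
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
TOKEN_RE = re.compile(r"\(|\)|!|[^\s()!]+")


def _num_range(tok):
    """'53' -> (53, 53); '1024..65535' -> (1024, 65535)."""
    lo, _, hi = tok.partition("..")
    return int(lo), int(hi or lo)


class FcapRule:
    """One filter-list line from the FCAP subset used on these slides (illustrative
    parser, not the appliance's). Precedence assumed: not, then and, then or;
    two adjacent terms are ANDed. Unsupported keywords raise ValueError."""

    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text.split("#", 1)[0].lower())   # '#' starts a comment
        self.pos = 0
        self.action = self._take()
        if self.action not in ("drop", "pass"):
            raise ValueError(f"rule must start with drop or pass: {text!r}")
        self.match = self._or()                     # predicate over a packet dict
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r} in {text!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        terms = [self._and()]
        while self._peek() == "or":
            self._take()
            terms.append(self._and())
        return lambda p: any(t(p) for t in terms)

    def _and(self):                                # explicit "and" or juxtaposition
        terms = [self._unary()]
        while self._peek() not in (None, "or", ")"):
            if self._peek() == "and":
                self._take()
            terms.append(self._unary())
        return lambda p: all(t(p) for t in terms)

    def _unary(self):
        tok = self._take()
        if tok in ("not", "!"):
            inner = self._unary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in ("proto", "protocol"):           # proto udp / proto 17
            v = self._take()
            n = PROTO_NUMBERS[v] if v in PROTO_NUMBERS else int(v)
            return lambda p: p["proto"] == n
        if tok in PROTO_NUMBERS:                   # bare udp / tcp / icmp
            n = PROTO_NUMBERS[tok]
            return lambda p: p["proto"] == n
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok == "port":
            lo, hi = _num_range(self._take())
            keys = [direction + "port"] if direction else ["srcport", "dstport"]
            return lambda p: any(lo <= p[k] <= hi for k in keys)
        if tok in ("bpp", "bytes"):
            lo, hi = _num_range(self._take())
            return lambda p: lo <= p["bpp"] <= hi
        if tok in ("host", "net"):
            tok = self._take()
        net = ipaddress.ip_network(tok, strict=False)      # bare address or CIDR
        keys = [direction] if direction else ["src", "dst"]
        return lambda p: any(ipaddress.ip_address(p[k]) in net for k in keys)


def apply_filter_list(rules, packet):
    """Rules are tested in order; the first match decides 'drop' or 'pass'. No match
    returns 'inspect': the packet continues to the enabled protections (no implied drop-all)."""
    for rule in rules:
        if rule.split("#", 1)[0].strip():
            parsed = FcapRule(rule)
            if parsed.match(packet):
                return parsed.action
    return "inspect"


# Constructed sample packets; 1.2.3.4 is the DNS server from the slide
UDP_TO_DNS = {"proto": 17, "src": "203.0.113.50", "dst": "1.2.3.4", "srcport": 40000, "dstport": 53, "bpp": 1200}
TCP_TO_DNS = {**UDP_TO_DNS, "proto": 6}
UDP_TO_OTHER = {**UDP_TO_DNS, "dst": "1.2.3.5"}

BAD_ORDER = ["pass dst 1.2.3.4", "drop udp"]          # the slide's cautionary list
GOOD_ORDER = ["drop udp and !(dst 1.2.3.4)"]          # the slide's corrected list

if __name__ == "__main__":
    for name, rules in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        for pkt in (UDP_TO_DNS, TCP_TO_DNS, UDP_TO_OTHER):
            print(f"{name:10s} proto={pkt['proto']:2d} dst={pkt['dst']}: {apply_filter_list(rules, pkt)}")
```

With the bad ordering every packet to 1.2.3.4, including a TCP SYN flood, returns `pass` and so never reaches the other protections; with the corrected single rule the same packets return `inspect`, while UDP to any other host is still dropped. The same evaluator accepts the deck's later filter-list examples that stay inside the supported subset, such as the Master Filter List NTP rule (`bpp` ranges) and the web-server list built with `proto 6 not (...)`.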


Reputation-Based Detection

[Figure: ASERT delivers the AIF Reputation Feed to the data center; attack traffic and good traffic from ISP 1, ISP 2 … ISP n pass through the IPS and load balancer to the target applications & services]

• Active DDoS Campaigns
– Reputation feed includes IP address, protocol ranges and port ranges
• Advanced Threats
– Reputation feed includes IP and DNS information
– Separate IP reputation for inbound and outbound traffic
– DNS reputation applied bi-directionally
– DNS reputation includes hostnames in DNS requests
• IP & DNS reputation filters are packet dropping protections

Inbound Reputation-Based Protection

Use AIF default or provide a custom value

• Inbound protection using ATLAS IP and DNS Reputation
– Delivered as part of ATLAS Intelligence Feed
– Depends on the presence of an AIF update file
• Enable AIF Botnet Signatures
– AIF regular expression matches any of the HTTP headers and/or HTTP requests



AIF Category - Standard Policies

• AIF subscription determines which AIF components are updated
• Utilizes IP and DNS indicators from ATLAS Reputation data to identify attacks based on:
– Signature matching
– IP Location data
– Web Crawler Identification
– Command & Control
– Malware

AIF STANDARD
Category: Sub-Category of Threats
DDoS Threats: Identifies DDoS attackers based upon IP address; Identifies DDoS targets based on indicators from ATLAS; HTTP Flooder
IP Geo-Location: Identify location by country for sources of inbound traffic; Identify location by country for destinations of outbound traffic
Web Crawler Identification: Identify inbound connections to web services from known search engines
Command and Control: Peer to Peer, HTTP, IRC, Webshell, DDoS Bot
Malware: Ransomware, Dropper, RAT, Ad Fraud, Fake Anti Virus, Worm, Banking Credential Theft, Virtual Currency, Backdoor, Spyware, Other, Drive By Exploit Kit, Social Network, Point of Sale

AIF Category - Advanced Policies

• Block incoming attacks based on ASERT confidence level
• Confidence level is determined by events that are reflective of active malware, botnets, & campaigns in real time
• NOT based on a one time analysis of a threat with the only outcome being a signature

AIF ADVANCED
Category: Sub-Category of Threats
Location Based Threats: Traffic Anonymization Services, TOR, Proxy, Sinkholes, Scanner, Other
Email Threats: Spam, Phishing
Targeted Attacks: APT, Hacktivism, RAT, Watering Hole, Rootkit
Mobile: C&C, Mobile Spyware, Malicious App



Confidence Index

• ATLAS threat categories (IP & DNS reputation) block incoming attacks based
on ASERT’s Confidence Index
• Confidence Index is reflective of active malware, botnets, & campaigns in
real time
– Per-Protection Level setting
– When ASERT spots malware and creates a rule, confidence is set to 100
• Value can range from 1 – 100
• Measure of ASERT’s confidence that traffic matching a particular rule is not a false-positive
– If malware is spotted less frequently over time, the Confidence Index is decreased
– If malware frequency increases again, the Confidence Index increases



Threat Categories On Summary Page

Radio button selection



Drill-down Within Blocked Host log



ATTACK DETECTION AND MITIGATION



APS Sees Attack - Partially

Increase Protection Level to Medium



More Of The Attack Is Identified

Some bad traffic blocked, but not all of it yet



Raise Protection Level

Increase the Protection level to High



Protection Levels

• Protection levels allow easy risk / benefit choices

Protection Level: Use Case
Low: Normal conditions. Low-risk protection and blocking is done. No tolerance for false positives
Medium: Significant attack. Stricter prevention settings. Unusual good traffic may be dropped
High: Heavy attack. Ok to drop some normal traffic as long as most traffic to hosts is protected

Click to change Protection Level



Protection Level – Associated Settings

• Each Server Type has separate settings for each of the three protection levels

Low Medium High



Attack Is Fully Identified And Mitigated

More traffic is blocked, traffic volume passing is now “normal”

APS Mitigated The Attack



Attack Successfully Mitigated

• This attack was blocked with default settings
• Though it was necessary to go to higher Protection Levels
• Pre-defined settings make reaction during an attack easier



Attack Is Over, Normal Life Is Back

Once attack is over, reset Protection Level to low



Really? Check Blocked Hosts

• At higher protection levels there is a chance that valid hosts and services are flagged as attackers
– Ex: E-mail servers, DNS servers, Database Servers, VPNs
• Once identified and confirmed, you should Whitelist those valid hosts
• Recommended Practice → Experiment taking service levels to Medium and High during normal operations (before any attack) so that you can identify any potential issues in advance
– When doing this make sure you start in Inactive sub-mode and, after adjustments based on what you learned, do it again in Active sub-mode



IDENTIFYING BLOCKED SOURCES



Temporarily Blocked Sources Panel

• Lists top offenders (but not all offenders)

Click to whitelist sources



Search for Blocked Hosts

Initial page load returns all blocked hosts without filters

Search for Blocked Hosts – Options

Enter host filters as freeform text
Select/deselect all
Use Time selector for hosts blocked more than one week ago
Choose minimum amount of host traffic observed to cause blocking

• Blocked hosts history is limited to 224,000 hosts and one year since last blocked

Filtered Search for Blocked Hosts

Filter settings used to find current results
No filters are applied until Search button is clicked



Blocked Host Details

Blocked Host Detail appears by clicking Details button

WHITELISTS AND BLACKLISTS



Blacklists and Whitelists

• Blacklists will drop traffic for
– Source hosts
– IP Location countries
– Embedded DNS domains
– Embedded URLs
• Whitelists will allow all traffic for
– IP address
– Hostname
– CIDR
• The APS does not automatically blacklist or whitelist hosts
• Separate lists can be applied to inbound and outbound traffic
• Blacklists and Whitelists for multiple APS appliances can be managed centrally using the Arbor Networks NSI Threat Console
• Note: Invalid Packets takes precedence over whitelist



Updating Blacklists and Whitelists

• Blacklist and Whitelist additions are possible via direct entry or by clicking
from breakdown widgets
– Clicking on Blacklist or Whitelist button in a widget will add that item to the
permanent blacklist or whitelist
– Blacklisting and whitelisting of both IPv4 and IPv6 traffic for all protection groups
• If the blacklists or whitelists contain an IP address and a CIDR that overlaps
that IP address, the most specific address always takes precedence
• Invalid Packets protection takes precedence over the whitelist
• IPv4 blacklist-whitelist table stores a maximum of 20,000 hosts and CIDRs
• IPv6 blacklist-whitelist table stores a maximum of 12,000 hosts and CIDRs

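The precedence rules on this slide (most specific entry wins when an address and an overlapping CIDR are both listed; Invalid Packets beats the whitelist; per-family table limits) are a longest-prefix-match lookup. The code below is an added example written for this page, not Arbor's implementation; it models only IP and CIDR entries (hostnames and countries are not represented) and uses constructed sample addresses.

```python
import ipaddress

# Table limits stated on the slide
IPV4_TABLE_MAX = 20_000
IPV6_TABLE_MAX = 12_000


class BlackWhiteLists:
    """Inbound blacklist/whitelist lookup with the slide's precedence rules
    (illustrative model, not the appliance's code): the most specific matching
    entry wins regardless of which list it is in, and the Invalid Packets
    protection takes precedence over the whitelist."""

    def __init__(self):
        self.entries = {}   # ip_network -> "blacklist" | "whitelist"

    def add(self, list_name, cidr):
        if list_name not in ("blacklist", "whitelist"):
            raise ValueError(f"unknown list {list_name!r}")
        net = ipaddress.ip_network(cidr, strict=False)   # bare address -> /32 or /128
        limit = IPV4_TABLE_MAX if net.version == 4 else IPV6_TABLE_MAX
        used = sum(1 for n in self.entries if n.version == net.version)
        if net not in self.entries and used >= limit:
            raise OverflowError(f"IPv{net.version} blacklist-whitelist table is full ({limit} entries)")
        self.entries[net] = list_name                    # re-adding moves the entry to the other list

    def decide(self, src_ip, invalid_packet=False):
        """Return 'drop', 'pass', or None when no entry applies (the protections decide)."""
        if invalid_packet:
            return "drop"                                # Invalid Packets wins even over a whitelist hit
        ip = ipaddress.ip_address(src_ip)
        best = None
        for net, list_name in self.entries.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, list_name)              # longer prefix = more specific
        if best is None:
            return None
        return "drop" if best[1] == "blacklist" else "pass"


if __name__ == "__main__":
    lists = BlackWhiteLists()
    lists.add("blacklist", "203.0.113.0/24")             # constructed: blacklist a whole /24 ...
    lists.add("whitelist", "203.0.113.25")               # ... but whitelist one host inside it
    for ip in ("203.0.113.25", "203.0.113.99", "198.51.100.1"):
        print(ip, "->", lists.decide(ip))
    print("203.0.113.25 with invalid packet ->", lists.decide("203.0.113.25", invalid_packet=True))
```

The whitelisted /32 inside the blacklisted /24 passes and every other host in the /24 drops, whichever order the entries were added in; an address in neither list returns None, meaning the Protection Group's protections decide.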


Traffic Effects of Blacklisting and Whitelisting

• The APS begins to block or pass traffic immediately
• It can take several minutes to remove an unblocked item from the blacklist and pass its traffic
• Temporarily Blocked Sources are dynamically updated only by protections, but:
– When you whitelist a host that is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately
– When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes



Inbound Whitelists Management
Protect > Whitelists

Hosts are listed by IP address

Click to move to blacklist

Click to remove
Blacklists Management
Protect > Blacklists

• Manage and search Blacklists here



Add Countries to the Blacklist

IP Location information to establish Country origination is part of the AIF updates



IDENTIFYING THE ATTACK TRAFFIC SIGNATURE
Using Packet Capture



Capturing Packets @ Summary Page

• Using mouse-over popup menu you can:
– Check hosts blocked for this protection group
– Start live capture of packets for this protection group



Real-Time Packet Visibility

Download PCAP
These settings affect only visualization
No packets captured until clicked
Clear displayed results
Filter settings for packet capture

Real-Time Packet Visibility – Filters

Click to show or hide filter
Active filter items
Click to delete from filter
Click to add to filter

• Source and destination host filters may be:
– Simple IP addresses
– CIDR networks
– Domain names

Real-Time Packet Visibility – Filters

• Other filters use familiar formats

These filters use fixed-list format with usual click-to-select, ctrl-click-to-add

Regular Expression filters are entered into simple text box



Analysis of Packets Causing Host Block

• Packet capture with this filter shows only packets that caused
a host to get blocked.
– This is very useful in troubleshooting and tuning process.



Real-Time Packet Visibility – Results (1 of 2)

Start / Pause / Resume

• Start/Pause/Reset button changes during capture
• Results kept in window until Reset or until user leaves page
• Optionally, filter by whether packet is Passed or Dropped



Real-Time Packet Visibility – Results (2 of 2)

HTTP request
TCP flags when no application info
DNS query

• Red/pink bands indicate dropped packets
• White/gray bands are forwarded packets
• Basic application info shown when known



Real-Time Packet Visibility – Operation

• Packet Capture is sampling to make sure that APS is not overwhelmed by packet analysis
– Tries to find about 100 packets every 3 seconds
– Results may be fewer if filter is restrictive
• Packet Capture buffer holds 5000 packets
– Capture stops when buffer is full
• Packet Capture occurs only while user is viewing results on this page
– Capture stops and results clear if user leaves page



Real-Time Packet Visibility – Details

Select a packet to view
Blacklist this source
Packet Details

• Select hex or text payload data
• Add it to a Payload Regular Expression Protection
• Protection category that blocked the packet

Protection – Payload Regular Expression (1 of 3)

• Flexible alternative to handling all kinds of attacks where it is possible to find a unique signature common to the attack packets
– Note: Be careful as this can easily drop legitimate traffic also
• Traffic destined for the configured TCP or UDP ports is inspected and each regular expression is applied separately to the packet's payload



Enhanced Payload RegEx Control

• Payload Regular Expressions may now be leveraged against Source Ports
• Previously only Destination Ports were configurable
• Specific ports, port ranges or all ports may also be specified for greater DDoS protection



Protection – Payload Regular Expression (2 of 3)

• Multiple regular expression filters can be entered; one per line
– Multiple regular expressions are ORed for matching
• Any packet whose payload matches any expression is dropped, but the source host is not blocked
• The regular expression filters are applied to individual packets only; not to payload contents that span multiple packets



Protection – Payload Regular Expression (3 of 3)

Example:
Port: 500
Regular Expression: *\.(arbor\.net|arbornetworks\.com)$

– Matches UDP traffic on port 500 that contains the strings:
• www.arbor.net
• www.arbornetworks.com
• mail.arbor.net

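The three behaviours of the Payload Regular Expression protection described on the previous slides (only configured ports are inspected, several expressions are ORed per packet, and a string split across packets is never matched) can be checked with a small model. This is an added example written for this page, not Arbor's matching engine. It assumes the slide's expression is `.*\.(arbor\.net|arbornetworks\.com)$` (the leading `.` appears to have been lost in extraction; `*` with nothing to repeat is not a valid expression on its own), and the second expression and all packet payloads are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Expression from the slide; the leading "." is an assumption of this example
SLIDE_REGEX = r".*\.(arbor\.net|arbornetworks\.com)$"


@dataclass
class PayloadRegexProtection:
    """Models the Payload Regular Expression protection as the slides describe it
    (illustrative, not Arbor code): inspect traffic to the configured ports, apply each
    expression separately to one packet's payload, drop on any match, never block the host."""
    ports: set                        # TCP/UDP destination ports to inspect
    expressions: list                 # one regex per line in the widget; ORed together
    compiled: list = field(init=False)

    def __post_init__(self):
        self.compiled = [re.compile(e) for e in self.expressions]

    def verdict(self, packet):
        """'drop' or 'pass' for a single packet (dict with 'dstport' and bytes 'payload')."""
        if packet["dstport"] not in self.ports:
            return "pass"                                   # not inspected at all
        text = packet["payload"].decode("latin-1")          # one character per byte, never fails
        return "drop" if any(r.search(text) for r in self.compiled) else "pass"

    def verdicts(self, packets):
        """Per-packet decisions; no reassembly across packets, as on the slide."""
        return [self.verdict(p) for p in packets]


# The slide's configuration plus a second, constructed expression to show the OR
EXAMPLE = PayloadRegexProtection(ports={500}, expressions=[SLIDE_REGEX, r"flood-marker-[0-9]+"])

# Constructed sample packets
SAMPLE_PACKETS = [
    {"dstport": 500, "payload": b"www.arbor.net"},
    {"dstport": 500, "payload": b"www.arbornetworks.com"},
    {"dstport": 500, "payload": b"mail.arbor.net"},
    {"dstport": 500, "payload": b"www.example.com"},        # matches neither expression
    {"dstport": 500, "payload": b"flood-marker-42"},        # matches the second expression
    {"dstport": 53, "payload": b"www.arbor.net"},           # port not configured: not inspected
]
# The same string split across two packets: each packet is judged alone, so neither matches
SPLIT_PACKETS = [
    {"dstport": 500, "payload": b"mail.arb"},
    {"dstport": 500, "payload": b"or.net"},
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, EXAMPLE.verdicts(SAMPLE_PACKETS)):
        print(f"port {pkt['dstport']:3d} {pkt['payload']!r:28} -> {v}")
    print("split payload ->", EXAMPLE.verdicts(SPLIT_PACKETS))
```

The split-payload case is the one to remember when a signature is taken from a packet capture: if the attack tool fragments its payload, or the string you highlighted straddles a segment boundary, the expression will not fire, and the same expression applied to legitimate traffic on that port will drop it, which is the slide's warning about false positives.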


Use Packet Capture to Generate a Payload Regex

Add payload regex to Protection Group
Highlight text that will become regex



Add Payload Regex to Server Type

Select Server Type and Protection Level to apply regex
Manually choose TCP or UDP ports
Selected payload automatically copied to Regular Expression
Save will add regex to Protection Group
Select contents in hex-encoded variant of raw data for automatic character escape



Updated Server Type Payload Regex Settings

• Regular expression from packet capture details becomes part of Server Type Payload Regular Expression protection
– TCP and UDP ports must be specified in widget, as not auto-filled from packet



Protection – HTTP Header Regular Expression

• All HTTP Traffic is inspected and each regular expression is applied separately to the HTTP headers and HTTP requests
– Any traffic that matches any expression is dropped
– The source host is temporarily blocked for 60 seconds
– HTTP Header Regular Expressions can be used to target specific HTTP traffic that may not be valid



Protection – DNS Regular Expression

• All DNS Traffic on UDP/53 is inspected and each regular expression is applied separately to the DNS requests
– Any DNS request in the packet that matches any expression is dropped



FLOW CAPTURE FINGERPRINT EXPRESSION LANGUAGE
Configurable Filters to Drop or Pass Traffic



Using FCAP Expressions

• Flow Capture (FCAP) fingerprint expression language is used in:


– Configurable Filter Lists
– Traffic Shaping Protection
• Consists of the following components:
– Basic expressions – IP address, port, protocol, etc.
– Action expressions — drop or pass traffic
– Operators AND, OR, NOT, !, and ()
– Direction – src, dst
– Comments – user comments (#)
• No implied “drop all” at the end
– Any and all traffic not filtered is processed by enabled protections
• Usage details in APS User Guide Appendix or Help button in Web UI



Basic FCAP Expressions

Expression: Reference
[src | dst] [net | host] addr: Matching networks and hosts
[protocol | proto] protocol-name: Matching protocols
{protocol | proto} number: Matching protocols (by number)
{tflags | tcpflags} flags/flag-mask: Matching TCP flags
[src | dst] port {port-name | number} [ .. {port-name | number} ]: Matching port
bytes number [ .. number] (range 100..102): Matching IP length
icmptype {icmptype | number}: Matching ICMP messages
icmpcode code: Matching ICMP messages (by code)
tos number: Matching Type of Service
ttl number: Matching Time to Live
frag: Matching Fragments



Important: Filter List Best Practices

Important: When implementing filters in your corporate network:

• Do not just copy and paste the following examples
• Modify the filter as required based on:
– Services and/or applications running on the servers
– Services being protected

• Also, do not implement in our lab systems
– It will block much of the attack traffic
– It will not allow you to learn how the APS works
– It will not allow you to learn how the protections work
– That is not the goal of the labs



Filter List Example 1: Web Server with HTTP Only

• drop not (proto icmp or proto tcp)
• drop proto tcp and not (src port 1024..65535 and dst port 80)
• drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

• Important: Do not just copy and paste the examples
• Modify as required based on:
– Services and/or applications running on the servers
– Services being protected



Filter List Example 2: Web server with HTTP and HTTP/S

• drop not (proto icmp or proto tcp)
• drop proto tcp and not (src port 1024..65535 and (dst port 80 or dst port 443))
• drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

• Important: Do not just copy and paste the examples
• Modify as required based on:
– Services and/or applications running on the servers
– Services being protected



Filter List Example 3: Authoritative DNS Server

• drop not (proto icmp or proto udp or proto tcp)
• drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
• drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
• drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

• Important: Do not just copy and paste the examples
• Modify as required based on:
– Services and/or applications running on the servers
– Services being protected

Filter List Example 4: Recursive DNS Server

• drop not (proto icmp or proto udp or proto tcp)
• drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
• drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
• drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))

• Important: Do not just copy and paste the examples
• Modify as required based on:
– Services and/or applications running on the servers
– Services being protected



Filter List Example 5

Customer would like to drop any private IPs during mitigation:

• drop net 127.0.0.0/8
• drop net 10.0.0.0/8
• drop net 172.16.0.0/12
• drop net 192.168.0.0/16
• drop net 224.0.0.0/4
• drop net 240.0.0.0/4



Filter List Example 6

• DNS amplification attack – drop packets bigger than 512 bytes
– drop proto udp and src port 53 and bpp 512..65535
– Note: may block legitimate traffic as it drops DNS packets which are bigger than 512 bytes

• Drop NTP amplification traffic
– drop proto udp and port 123 and bpp 220..1500



Summary

In this unit you have learned about:


• Analyzing the Summary and Protection Group widgets
to view indicators of a DDoS attack and use that
information to isolate and mitigate that same attack.
• Leveraging FCAP expressions to filter misuse traffic
for effective mitigation.
• When Arbor APS drops packets versus blocking IPs
(hosts).
• Identifying Blocked Hosts and how to whitelist or
blacklist hosts.
• Understanding when a DDoS attack has been mitigated.



Lab Exercise

• Lab 2 – Blocking Unwanted Traffic


– Use Blacklists to block traffic
– Use FCAP Expressions to block traffic
• Lab Review



