Arbor Networks APS User Guide, Version 6.0

Legal Notice
The information contained within this document is subject to change without notice. Arbor Networks, Inc. makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable for errors contained herein or for any direct or indirect, incidental, special, or consequential damages in connection with the furnishing, performance, or use of this material.

Copyright © 2018 Arbor Networks, Inc. All rights reserved.
Arbor Networks, NETSCOUT, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can’t.™ and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

Document Number: APS-UG-60-2018/09
14 September, 2018
Proprietary and Confidential Information of Arbor Networks Inc.

Contents

Preface
  How to Use the Arbor Networks APS Documentation  12
  Conventions Used in this Guide  13
  Contacting the Arbor Technical Assistance Center  15

Part I: APS Implementation

Chapter 1: Introduction to Arbor Networks® APS  19
  About APS  20
  What You Can Do with APS  23
  About the APS Appliance  26
  Viewing the APS License Information  27
  About the APS License Options  29
  About the ATLAS Intelligence Feed Licensing  31
  Viewing System Information  32
  About the APS User Interfaces  34

Chapter 2: Introduction to Arbor Networks APS  35
  About vAPS  36
  Accessing vAPS  37
  About Cloud-Based Licensing for vAPS  38
  Configuring Cloud-Based Licenses for vAPS  42
  Viewing vAPS License Information in the UI  46
  Viewing vAPS License Information in the CLI  49
  Releasing the Local Licenses on vAPS  51

Chapter 3: Implementing APS  53
  Implementing APS for Trial or Monitoring Only  54
  Implementing APS for Active Mitigation  57
  About the APS Deployment Models  59
  Network Connectivity Models  60
  About the Deployment Modes  63
  About the Layer 3 Deployment Mode  65
  Setting the Protection Mode (Active or Inactive)  66
  Network Placement Models  69
  Deployment for Redundancy  71
  Cloud Signaling Deployment Models  72
  About SSL Inspection with APS  75

Chapter 4: Managing APS from APS Console  77
  About Managing APS Devices from APS Console  78
  About the APS Console - APS Data Synchronization  80

Chapter 5: Getting Started with APS  85
  Logging in to and out of the UI  86
  Editing Your User Account  87
  Navigating the APS UI  89
  Saving and Emailing Pages from the UI  91
  Viewing Graphs in the UI  93

Chapter 6: Configuring APS  95
  About the APS Configuration  96
  Configuring the General Settings  100
  Configuring a Pre-Login Banner  106
  Configuring the Idle Timeout for UI Sessions  107
  About SNMP Polling  108
  Changing the Language of the APS User Interface  110
  Configuring APS for APS Console Management  111
  About User Accounts  113
  Configuring User Accounts  114
  Locking and Unlocking a User Account  117
  Configuring the ATLAS Intelligence Feed  119
  About Bandwidth Alerts  123
  Configuring Global Thresholds for Bandwidth Alerts  126
  About Notifications  128
  Configuring Notifications  131
  Configuring Backup Settings  135
  Using a Custom SSL Certificate for User Authentication  138
  Connecting to a Remote Syslog Server  140
  Configuring Interfaces and GRE Tunneling  141
  Configuring Routes  145
  Adding a Custom Logo to the UI  146

Chapter 7: Configuring SSL Inspection with the Hardware Security Module  149
  About the Hardware Security Module Configuration  150
  Configuring the Hardware Security Module  152
  Managing the Keys for the Hardware Security Module  155
  Managing the Hardware Security Module  158
  Viewing the Hardware Security Module Status  160

Chapter 8: Managing Server Types  161
  About the Server Types  162
  Adding and Deleting Custom Server Types  167
  Changing the Protection Settings for Server Types  169
  About Traffic Profiling for Protection Configuration  171
  Capturing Traffic Profiles  173
  Using Traffic Profile Data to Configure Protection Settings  175
  Restoring the Default Protection Settings  178

Chapter 9: Configuring Protection Groups  179
  About Protection Groups  180
  About the Protection Levels  185
  Adding Protection Groups  188
  Automating the Protection Level for a Protection Group  193
  Editing and Deleting Protection Groups  194
  Viewing the Status of Protection Groups  196

Chapter 10: Configuring the Protection Settings  199
  About the Protection Settings Configuration  201
  About the Outbound Threat Filter  203
  Configuring the Outbound Threat Filter  205
  Validating the Outbound Threat Filter Configuration  206
  Application Misbehavior Settings  209
  ATLAS Intelligence Feed Settings  210
  Block Malformed DNS Traffic Settings  214
  Block Malformed SIP Traffic Settings  215
  Botnet Prevention Settings  216
  CDN and Proxy Support Settings  218
  DNS Authentication Settings  219
  DNS NXDomain Rate Limiting Settings  220
  DNS Rate Limiting Settings  221
  DNS Regular Expression Settings  222
  Fragment Detection Settings  223
  HTTP Header Regular Expressions Settings  224
  HTTP Rate Limiting Settings  225
  HTTP Reporting Settings  227
  ICMP Flood Detection Settings  228
  Malformed HTTP Filtering Settings  229
  Multicast Blocking Settings  230
  Payload Regular Expression Settings  231
  Private Address Blocking Settings  234
  Rate-based Blocking Settings  235
  SIP Request Limiting Settings  236
  Spoofed SYN Flood Prevention Settings  237
  TCP Connection Limiting Settings  240
  TCP Connection Reset Settings  241
  TCP SYN Flood Detection Settings  243
  TLS Attack Prevention Settings  245
  Traffic Shaping Settings  247
  UDP Flood Detection Settings  249

Chapter 11: Configuring Filter Lists to Drop and Pass Traffic  250
  About Filter Lists  251
  Configuring Master Filter Lists  253
  Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter  255

Chapter 12: Managing the Blacklists and Whitelists  257
  About Blacklisting and Whitelisting Traffic  258
  About the Capacity of the Blacklists and Whitelists  262
  Viewing and Searching the Inbound Blacklist  264
  Creating and Editing the Inbound Blacklist  267
  Viewing and Searching the Inbound Whitelist  270
  Creating and Editing the Inbound Whitelist  272
  Creating and Editing the Outbound Blacklist  274
  Creating and Editing the Outbound Whitelist  276

Chapter 13: Managing the ATLAS Intelligence Feed  279
  About the ATLAS Intelligence Feed  280
  About the ATLAS Threat Policies  283
  About the ATLAS Confidence Index  285
  About Web Crawler Support  288
  Requesting AIF Updates and Updating the AIF Manually  289
  Viewing the Status of ATLAS Intelligence Feed Updates  291
  Viewing the AIF Traffic Statistics for a Protection Group  292

Part II: Threat Management

Chapter 14: Monitoring System Health and Identifying Attacks  297
  Workflow for Routine System Monitoring  298
  Viewing Alerts  300
  Viewing Bandwidth Alerts  302
  Viewing the System Overview  304
  Viewing the CPU Status and Memory Status  306
  Viewing the Status of the APS Protection Interfaces  307

Chapter 15: Viewing APS Traffic  309
  Viewing the Traffic Summary  310
  Viewing the Top Protection Groups on the Summary Page  313
  Viewing the ATLAS Botnet Prevention Information on the Summary Page  314
  Viewing the ATLAS Threat Categories on the Summary Page  316
  Viewing the Top Web Crawlers on the Summary Page  317
  Viewing the Top Inbound Countries on the Summary Page  318
  Viewing the Top Inbound Sources on the Summary Page  320
  Viewing the Top Inbound Destinations on the Summary Page  322
  Viewing the Status of SSL Inspection  323
  Viewing the Traffic Activity for a Protection Group  324
  Viewing the Traffic Overview for a Protection Group  327
  Viewing the Attack Categories for a Protection Group or Outbound Threat Filter  329
  Viewing Temporarily Blocked Sources  335
  Viewing the Top URLs for a Protection Group  337
  Viewing the Top Domains for a Protection Group  339
  Viewing the Top Web Crawlers for a Protection Group  341
  Viewing the Top IP Locations for a Protection Group  343
  Viewing the Top Protocols for a Protection Group  345
  Viewing the Top Services for a Protection Group  347
  Viewing the Outbound Threat Activity  349

Chapter 16: Mitigating Attacks  351
  About Attack Mitigation  352
  Indicators of Attacks and Mitigations  355
  Mitigating an Attack by Raising the Protection Level  359
  Changing the Protection Level  361
  Identifying and Blocking an Attack  363

Chapter 17: Mitigating Attacks in the Cloud  367
  About Cloud Signaling for DDoS Protection  368
  Types of Cloud Mitigations  371
  About GRE Tunneling and Cloud Signaling  372
  How APS Communicates with the Cloud Signaling Servers  375
  Configuring and Enabling Cloud Signaling  378
  About Rate-Based Cloud Mitigation  384
  About Manually Pushing an Attack Mitigation to the Cloud  387
  Manually Requesting and Stopping a Global Cloud Mitigation  390
  Manually Requesting and Stopping a Targeted Cloud Mitigation  391
  Manually Requesting and Stopping a Group Cloud Mitigation  393
  Viewing Targeted Cloud Signaling Activity  394
  Viewing Global and Group Cloud Signaling Activity  396
  About the Cloud Signaling Widget  397
  About the Arbor Cloud DDoS Protection Service  402
  Setting Up the Arbor Cloud DDoS Protection Service  404

Chapter 18: Traffic Forensics  405
  About the Blocked Hosts Log  406
  Viewing the Blocked Hosts Log  408
  Information on the Blocked Hosts Log Page  413
  About Capturing Packets  417
  Capturing Packet Information  418
  Information on the Packet Capture Page  421
  Configuring Regular Expressions from Captured Packets  425

Part III: APS Reporting

Chapter 19: Managing and Viewing Reports  429
  About the Executive Summary Report  430
  About the ATLAS Global DDoS Report  434
  Configuring On-Demand Reports  435
  Configuring and Editing Scheduled Reports  438
  Viewing and Deleting Generated Reports  440
  Viewing and Deleting Scheduled Reports  442

Part IV: APS Maintenance

Chapter 20: Managing APS  447
  Viewing the Change Log  448
  Managing Diagnostics Packages  450
  Managing the Files on APS  452
  About Backups  454
  Backing Up APS Manually  457
  Restoring APS from Backups  458
  How Restoring Backups Affects the APS Console - APS Synchronization  461
  Downloading and Uploading Backup Files  463

Part V: Advanced Configuration

Chapter 21: Using the Command Line Interface (CLI)  467
  About the Command Line Interface (CLI)  468
  About the Connections to the Command Line Interface  469
  Logging in to and out of the APS Command Line Interface  471
  Getting Help in the CLI  473
  About the CLI Command Components  474
  Entering CLI Commands  475
  Navigating the CLI Command Hierarchy  477
  Editing Command Lines  478
  Viewing Statuses in the CLI  480

Chapter 22: Configuring User Groups and Authentication  481
  About User Groups  482
  Adding and Deleting User Groups  483
  Assigning Authorization Keys to User Groups  484
  Setting the Authentication Method for RADIUS and TACACS+  490
  Configuring RADIUS Integration  492
  Configuring TACACS+ Integration  494
  Changing the Default User Group for RADIUS and TACACS+  496

Chapter 23: Configuring the Bypass Settings  497
  About Hardware Bypass and Software Bypass  498
  Configuring Hardware Bypass and Software Bypass  499

Chapter 24: Configuring Advanced Settings for the Protection Interfaces  501
  Configuring the Speed, Duplex Mode, and MTU for the Protection Interfaces  502
  Configuring VLAN Subinterfaces  504
  Troubleshooting the Protection Interfaces  507

Chapter 25: Configuring Other Advanced Settings  509
  Setting the System Clock  510
  Setting the Deployment Mode  511
  Configuring Static Routes for the Protection Interfaces on vAPS  513
  Overriding the AIF Feed URLs  516
  Viewing AIF Version Information  518
  Advanced File Management from the Command Line Interface  519

Chapter 26: Installing, Upgrading, and Reinstalling APS  521
  Installing the License Keys for APS and AIF  522
  Installing APS  524
  Upgrading the APS Software  527
  Reinstalling APS  530

Appendixes

Appendix A: APS Communication Ports  535
  APS Communication Ports  536

Appendix B: DDoS Attacks and APS Protections  538
  DDoS Attacks: The Threat  539
  About DDoS Botnets  541
  DDoS Attack Categories  543
  Volumetric Attack Types and Protections  544
  About ICMP Flood Attacks and UDP Flood Attacks  545
  About HTTP Flood Attacks  546
  About Uncommon IP Protocol Flood Attacks  547
  State Exhaustion Attack Types and Protections  548
  About TCP SYN Flood Attacks  549
  About IP Fragmentation Attacks  550
  About TCP Protocol Attacks  551
  About Slow HTTP Attacks  552
  Application Attack Types and Protections  553
  About DNS Amplification Attacks  554
  About HTTP Cache Abuse Attacks  556
  About Malformed HTTP Attacks  557

Appendix C: Bypass and Link State Propagation Benchmarks  558
  Performance Benchmarks for Hardware Bypass, Software Bypass, and Link State Propagation  559

Appendix D: Using FCAP Expressions  563
  Available FCAP Expressions  564
  FCAP Expression Reference  566
  Logical Operators for Compound FCAP Expressions  571
  FCAP Expressions that Indicate Direction  573
  Examples of FCAP Expressions  574

Appendix E: Using Regular Expressions  577
  About Regular Expressions  578

Appendix F: Notification Formats  579
  Email Notification Formats and Examples  580
  SNMP Notification Examples  584
  Syslog Notification Format and Examples  587

Glossary  591
Index  601

Preface

This guide explains how to configure and use Arbor Networks® APS (APS).

Audience
This guide is intended for enterprise security operators and engineers who are responsible for securing the internet data center edge from threats against availability. These operators and engineers should have fundamental knowledge of their network security policies and network configuration.

In this section
This section contains the following topics:
  How to Use the Arbor Networks APS Documentation  12
  Conventions Used in this Guide  13
  Contacting the Arbor Technical Assistance Center  15

How to Use the Arbor Networks APS Documentation

Using this guide
This guide includes instructions and information about using the APS web user interface (UI). It also contains instructions and information about configuring advanced settings in APS, including those that can only be configured using the command line interface (CLI). The instructions assume that you have completed the installation steps in the Arbor Networks® APS Quick Start Card or the Arbor Networks® vAPS Installation Guide.

Related publications
See the following guides for more information about APS and vAPS:

Reference documentation
  APS Quick Start Card
    Instructions and requirements for installing APS.
  APS Online Help
    Online help topics from the User Guide. The Help is context-sensitive to the APS UI page from which it is accessed.
  Virtual APS Installation Guide
    Instructions and requirements for installing and configuring the vAPS virtual machine.
  APS API Programmer’s Guide
    Reference information plus a simple code sample that you can experiment with to learn the basics of the APS API quickly. This guide is installed with APS. You can access it at the following link:
    https://IP_address/help/APS_PG_HTML5/APS_PG.htm
    IP_address = the IP address or hostname for your APS
  Online APS API Documentation
    The APS API doc is installed with APS. You can access it at the following link:
    https://IP_address/api/aps/doc/v2/endpoints.html
    IP_address = the IP address or hostname for your APS

Conventions Used in this Guide
This guide uses typographic conventions to make the information in procedures, commands, and expressions easier to recognize.

Conventions for procedures
The following conventions represent the elements that you select, press, and type as you follow procedures.

Typographic conventions for procedures
  Italics
    A label that identifies an area on the graphical user interface.
    Example: On the Summary page, view the Active Alerts section.
  Bold
    An element on the graphical user interface that you click or interact with.
    Examples: Type the computer’s address in the IP Address box. Select the Print check box, and then click OK.
  SMALL CAPS
    A key on the keyboard.
    Examples: Press ENTER. To interrupt long outputs, press CTRL + C.
  Monospaced
    A file name, folder name, or path name. Also represents computer output.
    Examples: Navigate to the C:\Users\Default\Favorites folder. Expand the Addresses folder, and then open the readme.txt file.
  Monospaced bold
    Information that you must type exactly as shown.
    Example: Type https:// followed by the IP address.
  Monospaced italics
    A file name, folder name, path name, or other information that you must supply.
    Example: Type the server's IP address or hostname.
  >
    A navigation path or sequence of commands.
    Examples: Select Administration > Files. Navigate to the Configure User Accounts page (Administration > User Accounts). Select Settings > Files. Navigate to the User Accounts page (Settings > User Accounts).
Conventions for commands and expressions
The following conventions show the syntax of commands and expressions. Do not type the brackets, braces, or vertical bar in commands or expressions.

Typographic conventions for commands and expressions
  Monospaced bold
    Information that you must type exactly as shown.
  Monospaced italics
    A variable for which you must supply a value.
  { } (braces)
    A set of choices for options or variables, one of which is required. For example: {option1 | option2}.
  [ ] (square brackets)
    A set of choices for options or variables, any of which is optional. For example: [variable1 | variable2].
  | (vertical bar)
    Separates the mutually exclusive options or variables.

Contacting the Arbor Technical Assistance Center
The Arbor Technical Assistance Center is your primary point of contact with Arbor Networks® for all service and technical assistance issues.

Contact methods
You can contact the Arbor Technical Assistance Center as follows:
  - Phone US toll free: +1 877 272 6721
  - Phone worldwide: +1 781 362 4301
  - Support portal: https://support.arbornetworks.com

Submitting documentation comments
If you have comments about the documentation, you can forward them to the Arbor Technical Assistance Center. Please include the following information:
  - Title of the guide
  - Document number (listed on the reverse side of the title page)
  - Page number

Example:
  APS-UG-60-2018/09
  APS User Guide
  Page 9

Part I: APS Implementation

Chapter 1: Introduction to Arbor Networks® APS
This section describes the Arbor Networks® APS product, its key features, and its hardware and licensing options.
In this section
This section contains the following topics:
  About APS  20
  What You Can Do with APS  23
  About the APS Appliance  26
  Viewing the APS License Information  27
  About the APS License Options  29
  About the ATLAS Intelligence Feed Licensing  31
  Viewing System Information  32
  About the APS User Interfaces  34

About APS
The Arbor Networks® APS secures the internet data center edge from threats against availability — specifically from application-layer, distributed denial of service (DDoS) attacks.

Key features
APS contains the following key features:
  - Focuses on the customer edge.
  - Ensures application availability.
  - Provides immediate protection from threats.
  - Provides complete DDoS protection within a single user interface.
  - Provides advanced DDoS blocking.
  - Prevents volumetric DDoS attacks by signaling upstream ISPs (Internet Service Providers) and MSSPs (Managed Security Service Providers) who are members of the Arbor Networks Cloud Signaling Coalition. The Cloud Signaling Coalition is a partnership of ISPs and MSSPs that support the Cloud Signaling technology for shortening mitigation time through automated responses and communications.
  - Prevents emerging botnet and application-layer attacks.
  - Provides real-time and historical traffic forensics and reports.

Focus on the customer edge
An increasing number of DDoS attacks directly target specific applications and, in some cases, a specific organization. These low-bandwidth attacks use application knowledge to strain edge servers or lower the availability of an application. Detection of these application-level attacks requires packet-level visibility that is not always cost effective or possible within a service provider network. APS has complete visibility into packet-level data. By deploying close to the customer edge, APS can focus on newer and better detection methods without the performance constraints of the service provider level.
This deployment model allows APS to detect and block the low-bandwidth attacks that target the enterprise infrastructure.

Application availability
The users of data center and cloud services expect those services to be highly available. Both volumetric attacks and application-layer DDoS attacks can bring down critical data center services. While other security devices focus on integrity and confidentiality, APS focuses on availability threats.

Immediate protection
After a minimum amount of initial setup, APS can monitor and even mitigate your network traffic immediately. No learning period is required for effective protection; a user with little time or knowledge of network security can allow APS to run nearly automatically.

Complete DDoS protection
Neither on-premises DDoS protection nor cloud-based DDoS protection alone can provide 100 percent availability. For example, cloud services cannot efficiently or cost effectively detect lower-level application DDoS attacks. Conversely, large-bandwidth attacks cannot be mitigated at the customer edge. APS ensures complete protection by providing both customer-edge mitigation of application-layer attacks and upstream mitigation of volumetric attacks.

Advanced DDoS blocking
The default protection settings in APS provide protection from the most common types of DDoS attacks. These attacks include TCP stack attacks, host or pipe flooding, fragmentation attacks, resource exhaustion, connection state attacks, botnet attacks, and vulnerability exploits. You can customize these settings to provide more directed protection for specific groups of hosts.

Prevention of volumetric DDoS attacks
Recent DDoS events have been dominated by high-bandwidth, volumetric attacks that usually originate from internet bots or large-scale botnets.
The size of these volumetric DDoS attacks continues to increase, which makes them a serious threat to data center availability. The ability to mitigate attacks on-premises is limited by the capacity of the organization’s provisioned bandwidth. When attack traffic exceeds a specified threshold, APS can request and receive cloud-based mitigation of volumetric attacks in real time from an upstream cloud service provider. This process is called Cloud Signaling. See “About Cloud Signaling for DDoS Protection” on page 368.

Prevention of emerging botnet and application-layer attacks
APS uses the dynamic ATLAS Intelligence Feed (AIF) to detect and stop emerging threats against the data center’s infrastructure and services. Botnets change and update constantly to thwart detection. Arbor’s security team keeps up with these changes, identifies new DDoS threats, and continually updates the feed with the new threat data. Because the AIF updates are delivered automatically, the APS protection data stays current without the need for software upgrades. See “About the ATLAS Intelligence Feed” on page 280.

Traffic forensics and reporting
Access to accurate and real-time traffic forensics is critical to helping you understand your network's traffic. APS reports traffic statistics in real time, at both the summary level and detail level, and in easy-to-understand formats. APS provides the information that helps you to decide whether a threat requires mitigation. You can determine the source of the attack and its location, and find out what is being attacked. You can also view the traffic sources, such as URLs, domains, or countries, that might need to be blocked.

When you monitor an ongoing mitigation, APS helps you to assess the mitigation’s effectiveness. You can quickly see which traffic is passed and which traffic is blocked, and you can determine which protection categories are responsible for the mitigation. You can also view the source hosts that have been blocked. You can adjust many of the mitigation criteria directly in the reporting areas and view the results immediately, without moving to other areas of the product. See “Viewing the Traffic Summary” on page 310 and “Viewing the Traffic Activity for a Protection Group” on page 324.

What You Can Do with APS
You can implement APS with a minimum of configuration and receive near-immediate protection from availability threats. Because many of the key functions are automated, your network security personnel can successfully protect your internet data center with varying levels of interaction:
  - Hands-off: A user with little time or knowledge of network security can allow APS to run nearly automatically. For example, this user might interact with APS only to monitor traffic, change the global protection level during attacks, and review the traffic statistics.
  - Reactive: A user who has some knowledge of network security can customize settings over time based on attack experience. For example, this user might block traffic from a specific domain that is the source of frequent attacks, or whitelist the address of a partner site.
  - Proactive: An advanced user can plan the organization’s protection policies, based on experience during a testing period or during attacks in an active implementation. For example, this user might create additional protection groups and change protection settings.

What you can do with APS
APS protects your internet data center from threats against availability by performing or allowing you to perform the following key tasks:

  Automatically protect against attacks by using behavior-based protection settings.
    APS uses a combination of protection groups and server types to define the hosts to protect and the protection settings to use for those hosts. APS uses the protection settings to match traffic behavior and identify attacks. See “About Protection Groups” on page 180 and “About the Protection Settings Configuration” on page 201.
  Automatically protect against application-layer attacks by using signature-based protection settings.
    APS regularly downloads data from Arbor’s ATLAS Intelligence Feed (AIF), which contains the signatures of known and emerging application-layer DDoS attacks. APS can automatically block the traffic that matches the signatures. See “About the ATLAS Intelligence Feed” on page 280.
  Protect a specific host or group of hosts.
    You can create custom protection groups to protect either IPv4 hosts or IPv6 hosts with the most appropriate protection settings for those hosts. See “Adding Protection Groups” on page 188 and “Adding and Deleting Custom Server Types” on page 167.
  Refine the protection settings.
    You can change the behavior-based protection settings that define clean traffic and attack traffic. Typically, users refine these settings over time based on testing and their experience with blocking attacks. APS can simplify the configuration of certain rate-based protection settings by capturing statistical data about your network traffic. See “Changing the Protection Settings for Server Types” on page 169.
  Automate specific settings.
    You can automate the following protection group settings:
      - The protection level for protection groups. See “Automating the Protection Level for a Protection Group” on page 193.
      - Spoofed SYN Flood Prevention. See “Spoofed SYN Flood Prevention Settings” on page 237.
  Monitor the system’s operations.
    The diagnostic and reporting features in APS allow you to monitor its operations to ensure that it always provides optimum protection from DDoS attacks. See “Workflow for Routine System Monitoring” on page 298.
  Mitigate an attack.
    Typically, APS can mitigate most attacks automatically. However, when an attack is not mitigated automatically, the user must take some action to block the attack traffic. See “About Attack Mitigation” on page 352.
  Adjust the level of protection that APS provides when traffic is normal and when you are under attack.
    You can change the protection level, which defines the strength of protection and the associated risk of blocking clean traffic. You can change the global protection level and you can change the protection level for a specific protection group. A protection group’s setting overrides the global protection level for that protection group. See “Changing the Protection Level” on page 361.
  Signal to a cloud service provider for help with mitigating volumetric attacks.
    When an attack exceeds the capacity of your provisioned bandwidth, APS can request protection from a cloud service provider. You can allow APS to initiate requests when traffic reaches a specified threshold, or you can initiate a request manually. See “About Cloud Signaling for DDoS Protection” on page 368.
  View information about your network’s traffic.
    Summary and protection group reporting make it easy to see whether APS is protecting your network. See “Viewing the Traffic Summary” on page 310 and “Viewing the Traffic Activity for a Protection Group” on page 324. Blocked host reporting and packet captures provide forensic information about the traffic that APS inspects. See “About the Blocked Hosts Log” on page 406 and “About Capturing Packets” on page 417.
  Use third-party monitoring systems to poll APS for management information.
    APS supports polling by third-party SNMP monitoring systems, which allows you to fit your APS workflow into existing network monitoring tools. See “About SNMP Polling” on page 108.
  Extend APS functionality for your own use.
    The APS application programming interface (API) allows you to access and extend APS functionality. The APS API is accessible via an HTTP REST interface using JSON as the data serialization format. You can use .NET, C, Java, Perl, Python, or other languages to access the API. The documentation for the APS API is installed on APS. For links to the documentation, see “How to Use the Arbor Networks APS Documentation” on page 12.
  Manage multiple APS devices from APS Console.
    The APS Console UI provides an enterprise-wide view of all the APS devices that are under APS Console management. APS Console also allows you to perform several tasks on multiple APS systems and their protection groups. For example, you can blacklist and whitelist hosts, change the protection level and protection mode, view alerts and traffic, and view blocked hosts. See “About Managing APS Devices from APS Console” on page 78.

About the APS Appliance
The APS appliance is a single, stand-alone device that is easy to install and set up. The appliance is deployed at ingress points to an enterprise to detect, block, and report on key categories of Distributed Denial of Service (DDoS) attacks. By default, APS begins to protect all of the hosts in your enterprise as soon as you put APS into an active protection mode.

The APS appliance is bypass capable. You can configure APS to fail open (bypass) or fail closed (disconnect) if a power failure, hardware failure, or software failure occurs. If you configure software bypass, APS bypasses the protection interfaces when a software failure occurs.
By default, hardware bypass is set to fail open and software bypass is enabled. See “Configuring Hardware Bypass and Software Bypass” on page 499.

APS is available in several models and license options. The license options determine the throughput limit for APS. The license enforces the throughput limit on the clean traffic that APS forwards. Clean traffic refers to traffic that is not dropped by a protection setting. See “About the APS License Options” on page 29 for more information about how the license affects the throughput limit.

Deployment best practices

Most APS deployments follow these deployment guidelines:

• Deploy the appliance at the data center’s premises, on the internet edge of the data center’s network.
• Ensure that the APS is external to all of the additional security devices, including firewalls, Intrusion Prevention Systems (IPS), and load balancing systems. APS protects these devices from direct attacks or indirect attacks.
• Deploy the APS appliance in an inline deployment without associating an IP address with either the inbound interface or the outbound interface. Because the protection interfaces carry no IP address, they are not addressable from the attack path and the appliance is transparent to the traffic it inspects.
  Note If you deploy vAPS in the layer 3 mode, you must specify routes for the protection interfaces. See “Configuring Static Routes for the Protection Interfaces on vAPS” on page 513.
• Deploy the APS appliance inline or out-of-line through a span port or network tap (monitor mode). In the inline mode, APS monitors and mitigates the traffic. In the monitor mode, the mitigations are not performed; use this mode in a trial implementation or for monitoring purposes. See “Network Connectivity Models” on page 60.
• Deploy the APS appliance upstream or downstream from the router. See “Network Placement Models” on page 69.
• To ensure Cloud Signaling integrity, provision a separate, out-of-band management network between the data center and the cloud service provider.
As a result, the Cloud Signaling component remains available even when the entire data center link is saturated in both directions or is completely offline.

See “About the APS Deployment Models” on page 59 for information about deploying APS.

Viewing the APS License Information

If you are a system administrator, then you can view information about the licensed capabilities for APS on the Licenses page. The licensed capabilities are the APS throughput limit and the ATLAS Intelligence Feed (AIF) level.

Viewing license information

To view information about the licensed capabilities for the APS:
• Select Administration > Licenses.

On the Licenses page, you can view the following information:

APS license information
Information                          Description
Throughput Limit for Clean Traffic   The amount of clean traffic that APS is licensed to forward. Clean traffic refers to traffic that is not dropped by a protection setting.
Expiration                           The expiration date for the throughput license.
Current AIF Level                    The AIF level that is configured for your system (None, Standard, or Advanced).
Expiration                           The expiration date for the AIF license.

About the throughput information on the Licenses page

The Throughput for Clean Traffic graph represents the amount of clean traffic that APS forwarded over the previous week. Use this information to monitor APS and determine when it is near or above the licensed capacity. You also can use this information to verify the success of an upgrade to a license that has a higher throughput limit.

Below the graph, the Throughput Limit for Clean Traffic section indicates the amount of throughput for which APS is licensed. A black horizontal line identifies this limit on the graph. This throughput limit is not absolute; it allows for a buffer that accommodates occasional traffic spikes.
APS continues to forward clean traffic until the traffic exceeds the buffer. At that point, APS may start to drop clean traffic.

Note If you restart your system, the horizontal line may drop to zero. After the restart is complete, the correct limit is restored.

The traffic segments in blue represent the clean traffic that APS forwarded. The traffic segments in red represent the clean traffic that APS dropped after the buffer was exceeded.

Viewing license limit alerts

If the amount of clean traffic that APS forwards exceeds 90 percent of its license limit, alerts appear on the Summary page and System Alerts page. If you are a system administrator, a context menu icon appears to the right of the alert name on these pages. The View Limit option on this context menu opens the Licenses page, on which you can view license details.

You can configure notifications to send messages when a license alert occurs. License alerts are included when you configure bandwidth notifications. See “Configuring Notifications” on page 131.

About the APS License Options

The license options determine the throughput limit for APS. These license options let you scale your deployment to the size of your network. It is important to know the throughput limit so that you understand the amount of clean traffic that the APS can pass. See “About the throughput limit” below. You can view the APS throughput limit on the Licenses page and the About page. See “Viewing the APS License Information” on page 27 and “Viewing System Information” on page 32.

Note These license options apply to APS only. For vAPS license information, see “About Cloud-Based Licensing for vAPS” on page 38.
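The alert and drop behaviour described above can be reproduced offline against exported throughput samples, which is useful for capacity planning before you buy a higher license tier. The following Python script is an added example, not code from this guide or from Arbor Networks. It uses the documented 90 percent alert line, but the guide does not publish the size of the spike buffer, so BUFFER_FRACTION is an assumption; the sample series is constructed, not real traffic.

```python
"""Capacity check of clean-traffic samples against an APS throughput license.

Added example, not code from this guide or from Arbor Networks. ALERT_FRACTION is
the documented 90 percent alert line; BUFFER_FRACTION is an ASSUMPTION because the
guide says the limit "allows for a buffer" but does not publish its size.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import List, Tuple

ALERT_FRACTION = 0.90    # documented: license alert once forwarded clean traffic exceeds 90% of the limit
BUFFER_FRACTION = 0.10   # ASSUMPTION: spike buffer above the limit, as a fraction of the limit


@dataclass
class ThroughputReport:
    limit_mbps: float
    peak_mbps: float
    p95_mbps: float
    alert: bool                   # True if any sample crossed the 90% line
    alert_samples: int            # number of samples above the 90% line
    over_buffer_samples: int      # samples above limit + buffer, where APS may drop clean traffic
    drop_episodes: List[Tuple[int, int]] = field(default_factory=list)  # (start, end) index runs over the buffer
    headroom_pct: float = 0.0     # (limit - peak) / limit in percent; negative when the peak exceeds the limit


def nearest_rank_percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile: deterministic and never extrapolates beyond the data."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def runs_of(flags: List[bool]) -> List[Tuple[int, int]]:
    """Collapse a boolean series into half-open (start, end) index ranges of consecutive True values."""
    runs, start = [], None
    for i, flag in enumerate(flags):
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(flags)))
    return runs


def check_throughput(samples_mbps: List[float], limit_mbps: float,
                     buffer_fraction: float = BUFFER_FRACTION) -> ThroughputReport:
    """Compare a series of forwarded clean-traffic samples (Mbps) with the licensed limit."""
    if limit_mbps <= 0:
        raise ValueError("license limit must be positive")
    if not samples_mbps:
        raise ValueError("no samples to check")
    alert_line = ALERT_FRACTION * limit_mbps
    ceiling = limit_mbps * (1 + buffer_fraction)
    over_buffer = [s > ceiling for s in samples_mbps]
    peak = max(samples_mbps)
    return ThroughputReport(
        limit_mbps=limit_mbps,
        peak_mbps=peak,
        p95_mbps=nearest_rank_percentile(samples_mbps, 95),
        alert=any(s > alert_line for s in samples_mbps),
        alert_samples=sum(1 for s in samples_mbps if s > alert_line),
        over_buffer_samples=sum(over_buffer),
        drop_episodes=runs_of(over_buffer),
        headroom_pct=round((limit_mbps - peak) / limit_mbps * 100, 1),
    )


# Constructed sample: 5-minute readings of forwarded clean traffic (Mbps) on an appliance
# licensed for 1 Gbps (the APS 2003 tier). Not real data.
SAMPLE_LIMIT_MBPS = 1000
SAMPLE_SERIES = [300, 450, 700, 920, 1050, 1150, 1120, 600, 400, 1180, 950]

if __name__ == "__main__":
    report = check_throughput(SAMPLE_SERIES, SAMPLE_LIMIT_MBPS)
    print(report)
    if report.drop_episodes:
        print("clean traffic may have been dropped during sample runs:", report.drop_episodes)
```

Feed it a week of forwarded clean-traffic samples exported from your monitoring system. A negative headroom or any drop episode means the appliance is already past its license during peaks and needs a higher tier (or the traffic needs to be reduced upstream), whereas alert samples with positive headroom mean the 90 percent notification will fire but clean traffic is still being forwarded.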
ATLAS Intelligence Feed (AIF) licensing

When you subscribe to the AIF, you receive a license key that corresponds to the subscription level (Standard or Advanced) that you purchase. The subscription level determines which components of the AIF are included when you receive the AIF updates. See “About the ATLAS Intelligence Feed Licensing” on page 31.

About the throughput limit

Every APS model is licensed for a throughput limit. The throughput limit is enforced on the clean traffic that APS forwards. Clean traffic refers to traffic that is not dropped by a protection setting. Regardless of which license you purchase, the throughput limit is not absolute; it allows for a buffer that accommodates occasional traffic spikes.

If the amount of traffic that APS forwards exceeds 90 percent of the license limit, an alert appears on the Summary page and System Alerts page. You can configure notifications to send messages when a license alert occurs. License alerts are included when you configure bandwidth notifications. See “Configuring Notifications” on page 131.

Throughput limits for APS appliances

The throughput limits for APS appliances are as follows:

Model                                               Throughput limit   Upgrade options
APS 2002                                            500 Mbps           2003, 2004
APS 2003                                            1 Gbps             2004
APS 2004 (upgrade from APS 2002 and APS 2003 only)  2 Gbps             none
APS 2104                                            2 Gbps             2105, 2107, 2108, 2109
APS 2105                                            4 Gbps             2107, 2108, 2109
APS 2107                                            8 Gbps             2108, 2109
APS 2108                                            10 Gbps            2109
APS 2109                                            15 Gbps            none
APS 2600-100                                        100 Mbps           2600-250, 2600-500, 2600-1, 2600-2, 2600-5, 2600-10, 2600-15, 2600-20
APS 2600-250                                        250 Mbps           2600-500, 2600-1, 2600-2, 2600-5, 2600-10, 2600-15, 2600-20
APS 2600-500                                        500 Mbps           2600-1, 2600-2, 2600-5, 2600-10, 2600-15, 2600-20
APS 2600-1                                          1 Gbps             2600-2, 2600-5, 2600-10, 2600-15, 2600-20
APS 2600-2                                          2 Gbps             2600-5, 2600-10, 2600-15, 2600-20
APS 2600-5                                          5 Gbps             2600-10, 2600-15, 2600-20
APS 2600-10                                         10 Gbps            2600-15, 2600-20
APS 2600-15                                         15 Gbps            2600-20
APS 2600-20                                         20 Gbps            none
APS 2800-10                                         10 Gbps            2800-20, 2800-30, 2800-40
APS 2800-20                                         20 Gbps            2800-30, 2800-40
APS 2800-30                                         30 Gbps            2800-40
APS 2800-40                                         40 Gbps            none

About license upgrades

You can upgrade APS to a model with a higher throughput limit by purchasing and installing an upgrade license. You can upgrade one model to another model within the same appliance configuration. For information about adding a new license, see “Installing the License Keys for APS and AIF” on page 522.

About the ATLAS Intelligence Feed Licensing

The ATLAS Intelligence Feed (AIF) is available by subscription. Based on your needs, you can subscribe to the Standard feed or the Advanced feed. The level of feed to which you subscribe determines the contents of the AIF updates that you receive.

When you subscribe to the AIF, you receive a license key that corresponds to your subscription level. You install the AIF license key when you install APS and when you renew or upgrade your AIF subscription. See “Installing the License Keys for APS and AIF” on page 522.

Note vAPS uses cloud-based licenses instead of a license key. See “About Cloud-Based Licensing for vAPS” on page 38.
Tiered licensing for ATLAS Intelligence Feed

The following table shows which components of the feed are available with each subscription level.

Important These components are subject to change as ASERT updates the feed.

Available components by AIF subscription level
AIF component                            Standard feed   Advanced feed
AIF Botnet Signatures                    X               X
IP location data                         X               X
Web crawler list                         X               X
Command and Control threat category      X               X
Malware threat category                  X               X
DDoS Reputation threat category          X               X
Location-based Threats threat category                   X
Email Threats threat category                            X
Targeted Attacks threat category                         X
Mobile threat category                                   X

If an Advanced AIF subscription expires and you renew it at the Standard level, your AIF feed no longer includes the Advanced feed components. However, the Advanced threat categories continue to appear in the UI. For example, the traffic history that is related to those threat categories can appear on pages such as the Blocked Hosts Log page. The Advanced threat categories also appear in the ATLAS Intelligence Feed settings. Although you can enable those threat categories, they no longer include any threat policies that would affect traffic. After such a downgrade, review the enabled threat categories so that an enabled but empty category is not mistaken for active coverage.

Viewing System Information

The About page displays information about the APS device and the Arbor Software License Agreement. The About page also displays information about the licensed throughput limit and the current throughput rate for your APS. See “About the APS License Options” on page 29.

Viewing the system information for an APS device

To view the system information:
1. In the lower-right corner of any page in the UI, click the About link.
2. On the About page, you can view any of the following information:
   • System Information — View information about the throughput limit, installed software, and hardware. This information includes the model number, serial number, and license expiration date.
     Note If you are using vAPS, Arbor Networks® vAPS appears in the Model field.
   • License — Scroll down to view the entire Arbor Software License agreement.
   • Associated licenses — At the bottom of the page, click the copyright notice and the associated license link.
   • GPL-based software licenses — At the bottom of the page, click the support@arbor.net link to email a request for copies of additional licenses that are based on the General Public License (GPL).

About the throughput information on the About page

The Throughput for Clean Traffic graph represents the amount of clean traffic that APS forwarded over the previous week. Use this information to monitor APS and determine when it is near or above the licensed capacity. You also can use this information to verify the success of an upgrade to a license that has a higher throughput limit.

Below the graph, the Throughput Limit for Clean Traffic section indicates the amount of throughput for which APS is licensed. A black horizontal line identifies this limit on the graph. This throughput limit is not absolute; it allows for a buffer that accommodates occasional traffic spikes. APS continues to forward clean traffic until the traffic exceeds the buffer. At that point, APS may start to drop clean traffic.

Note If you restart your system, the horizontal line may drop to zero. After the restart is complete, the correct limit is restored.

The traffic segments in blue represent the clean traffic that APS forwarded. The traffic segments in red represent the clean traffic that APS dropped after the buffer was exceeded.

Viewing license limit alerts

If the amount of clean traffic that APS forwards exceeds 90 percent of its license limit, alerts appear on the Summary page and System Alerts page. If you are a system administrator, a context menu icon appears to the right of the alert name on these pages.
The View Limit option on this context menu opens the Licenses page, on which you can view license details. You can configure notifications to send messages when a license alert occurs. License alerts are included when you configure bandwidth notifications. See “Configuring Notifications” on page 131.

About the APS User Interfaces

You can view data and configure settings using the web user interface (UI) and the command line interface (CLI).

About the UI

The UI provides a web view of APS. You can use the UI to configure system settings, view reports, and detect and mitigate attacks. The APS UI uses the HTTPS protocol for secure sessions. The default certificate is issued by Arbor Networks’ Certificate Authority (CA). A vendor CA is not in your browsers’ trust stores, so administrators see a certificate warning on every login until you either distribute that CA to their browsers or install your own certificate. Install your own certificate, issued by a CA your browsers already trust, so that a certificate warning is never the expected state and an interception attempt cannot hide behind it. See “Using a Custom SSL Certificate for User Authentication” on page 138.

See “Logging in to and out of the UI” on page 86 and “Navigating the APS UI” on page 89.

About the CLI

The command line interface (CLI) allows you to enter commands and navigate through the directories on the APS appliance. Typically, the CLI is used to install and upgrade the software and to complete the initial configuration. However, you can configure some of the advanced functions only by using the CLI. See “About the Command Line Interface (CLI)” on page 468.

Chapter 2: Introduction to Arbor Networks APS

This section describes Arbor Networks® Virtual APS (vAPS) and its key features and licensing options. vAPS is the version of APS that runs on a hypervisor or in the cloud.

Note See the Arbor Networks® vAPS Installation Guide for instructions on how to create and configure a vAPS.
In this section

This section contains the following topics:
About vAPS 36
Accessing vAPS 37
About Cloud-Based Licensing for vAPS 38
Configuring Cloud-Based Licenses for vAPS 42
Viewing vAPS License Information in the UI 46
Viewing vAPS License Information in the CLI 49
Releasing the Local Licenses on vAPS 51

About vAPS

vAPS is the virtual machine version of APS that runs on a hypervisor or in the cloud (Amazon Web Services). vAPS contains all of the APS software packages and configurations, and provides you with a hardware-independent resource. You only need to install the virtual machine and configure its network settings.

Supported interfaces

vAPS provides the following interfaces:
• 2 management interfaces: mgt0 and mgt1
  Note vAPS on Amazon Web Services (AWS) only uses one management interface, eth0, which maps to mgt0.
• 2 protection interfaces: ext0 and int0
  For vAPS on AWS, the protection interfaces map to eth1 (ext0) and eth2 (int0).

Unsupported features and functions

vAPS does not support the following features and functions:
• NTP
  However, on KVM and VMware, the vAPS synchronizes its clock with the hypervisor, which can have NTP enabled. Keep the hypervisor’s clock synchronized: alert timestamps, the blocked hosts log, and the license expiration checks on vAPS all depend on it.
• Shell access

About vAPS installation

To install vAPS, you create a virtual machine and then you configure its settings. For installation and configuration instructions, see the Arbor Networks® vAPS Installation Guide.

Licensing vAPS

vAPS uses cloud-based licenses, which you configure in the vAPS UI. You need to configure cloud-based licenses for each instance of vAPS. See “About Cloud-Based Licensing for vAPS” on page 38. If vAPS does not have a valid license when it is set to layer 3 mode, then the system does not pass traffic or process mitigations.

Accessing vAPS

After the initial installation and configuration, you can access vAPS through any supported web browser. For a list of the supported web browsers, see the Arbor Networks® APS Release Notes.
Accessing vAPS

After you install and configure vAPS, you can access it through any supported web browser. For a list of the capabilities and limitations of vAPS, see “About vAPS” on the previous page.

Accessing the vAPS

You can access vAPS in the following ways:
• In a browser window, enter https://IP_address
• In a terminal window, enter ssh admin@IP_address
IP_address = the IP address of the management interface on vAPS

For vAPS installation instructions, see the Arbor Networks® vAPS Installation Guide.

About Cloud-Based Licensing for vAPS

vAPS uses cloud-based licenses that allow you to configure the licensed capabilities for the system. You can license the following capabilities:
• The throughput limit for vAPS. The throughput limit is enforced on the clean traffic that vAPS forwards. Clean traffic refers to traffic that is not dropped by a protection setting.
• The ATLAS Intelligence Feed (AIF) level.

Cloud-based licensing is available for vAPS only. For APS licensing information, see “About the APS License Options” on page 29.

If vAPS does not have a valid license when it is set to layer 3 mode, then the system does not pass traffic or process mitigations.

Overview of cloud-based licensing

With cloud-based licensing, vAPS contacts a cloud-based license server and downloads local copies of the cloud-based licenses. After the local copies are downloaded, vAPS still requires periodic contact with the cloud-based license server to function correctly. vAPS communicates with the cloud-based license server on the standard HTTPS port, 443. If vAPS is behind a firewall, Arbor recommends that you configure a proxy server through which vAPS accesses the license server. Whichever path you use, confirm that your egress rules allow vAPS (or its proxy) to reach the license server on TCP port 443, and treat a failed license refresh as an operational alert rather than a cosmetic one, because the local licenses lapse if the server stays unreachable.
If vAPS cannot communicate with the license server, the local licenses expire 10 days after they were last refreshed. See “Refreshing local copies of the cloud-based licenses” on page 44. If the local licenses expire, your ability to use vAPS is severely limited. See “About license expiration” on the facing page.

If you decommission vAPS, then release the local licenses on vAPS first. If you do not release the licenses first, then the capacity that is assigned to them is unavailable to other systems until the local licenses expire. The licenses expire 10 days after you decommission vAPS.

Configuring access to the cloud-based license server

If you are a system administrator, you configure access to the cloud-based license server on the Licenses page (Administration > Licenses). See “Configuring Cloud-Based Licenses for vAPS” on page 42.

How to obtain cloud-based licenses

You purchase cloud-based licenses for vAPS from your Arbor Networks sales representative. After you purchase a license, you receive an email that contains your cloud-based license server ID. Use this ID to configure access to the cloud-based license server. See “Configuring access to the cloud-based license server” on page 42. Treat the license server ID as sensitive: any vAPS that is configured with it draws throughput and AIF capacity from the same pool as your production systems.

About throughput licensing

After you configure access to a cloud-based license server, you request a throughput limit for vAPS. You can combine the value of one or more of your vAPS licenses to attain this throughput limit. See “Requesting a throughput limit for vAPS” on page 43.

Regardless of the throughput limit that you license on vAPS, the limit is not absolute; it allows for a buffer that accommodates occasional traffic spikes. If the amount of traffic that vAPS forwards exceeds 90 percent of its licensed limit, an alert appears on the Summary page and System Alerts page. You can configure notifications to send messages when a license alert occurs.
License alerts are included when you configure bandwidth notifications. See “Configuring Notifications” on page 131.

About AIF licensing

If you purchase an AIF subscription, you can configure access to a cloud-based license that corresponds to the subscription level (Standard or Advanced). The subscription level determines which components of the AIF are included when you receive AIF updates. See “Requesting an AIF license for vAPS” on page 44.

Viewing the licensed capabilities on vAPS

You can view information about the licensed capabilities for vAPS on the Licenses page in the UI and in the command line interface (CLI). See “Viewing vAPS License Information in the UI” on page 46 and “Viewing vAPS License Information in the CLI” on page 49.

About license expiration

On the Licenses page, the Expiration fields display the dates on which the licenses expire on the cloud-based license server. If the license server contains multiple licenses for a capability, the Expiration field reflects the first date on which a licensed capability expires. After a license expires, the Expiration field reflects the next date on which a license for that capability expires. If no licenses for a capability are available on the license server, vAPS clears the Expiration field.

Without a throughput license, vAPS passes traffic without inspecting it (in layer 3 mode, vAPS does not pass traffic at all without a valid license; see “About vAPS” on page 36). Without an AIF license, vAPS cannot detect and block traffic that matches AIF HTTP header signatures or AIF threat policies that are enabled. In both cases the protected hosts lose coverage with no visible change to the traffic path, so monitor license expiration as a security control and not only as a billing detail.

Note You can view all of the available licenses for a capability by using the command line interface (CLI). See “Viewing the available cloud-based licenses” on page 49.
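The expiration rules above, together with the 10-day lifetime of the local license copies, are easy to get wrong when you script your own monitoring of vAPS. The following Python model is added here as a worked example; it is not code from this guide or from Arbor Networks. It encodes the documented rules: the Expiration field shows the earliest upcoming expiry for a capability, rolls to the next license after that date passes, is cleared when nothing remains, and shows No Expiration for a license with no expiry date; local copies expire 10 days after the last successful refresh; the local-license message appears at 9 days or fewer and the cloud-license message at 30 days or fewer. The license records, the capability names and the timestamps are constructed sample data, and the way a perpetual license combines with dated ones in the same capability is my reading of the text, not something the guide states.

```python
"""Model of the vAPS cloud-based license expiry rules described in this guide.

Added example, not Arbor Networks code. Thresholds marked "documented" come from
the guide; the license records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

LOCAL_LICENSE_LIFETIME = timedelta(days=10)   # documented: local copies lapse 10 days after the last refresh
LOCAL_WARNING_DAYS = 9                        # documented: local-license message at 9 days or fewer
CLOUD_WARNING_DAYS = 30                       # documented: cloud-license message at 30 days or fewer
NO_EXPIRATION = "No Expiration"               # documented text for a license without an expiry date


@dataclass(frozen=True)
class CloudLicense:
    capability: str               # "throughput" or "aif" (names assumed for this example)
    value: str                    # what the license grants, e.g. "500 Mbps" or "Advanced"
    expires: Optional[datetime]   # None for a license that never expires


@dataclass(frozen=True)
class LocalStatus:
    expires_at: datetime
    days_left: int      # whole days remaining; 0 once expired
    expired: bool
    warning: bool       # True when the Licenses page would show the local-license message


def utc(*ymd_hm) -> datetime:
    """Build a timezone-aware UTC timestamp from year, month, day[, hour, minute]."""
    return datetime(*ymd_hm, tzinfo=timezone.utc)


def valid_on(licenses: List[CloudLicense], capability: str, when: datetime) -> List[CloudLicense]:
    """Licenses for a capability that are still valid at instant `when` (input order preserved)."""
    return [lic for lic in licenses
            if lic.capability == capability and (lic.expires is None or lic.expires > when)]


def expiration_field(licenses: List[CloudLicense], capability: str, now: datetime) -> str:
    """Text that the Licenses page Expiration field shows for one capability."""
    live = valid_on(licenses, capability, now)
    if not live:
        return ""                                  # nothing left on the server: the field is cleared
    dated = [lic.expires for lic in live if lic.expires is not None]
    if not dated:
        return NO_EXPIRATION                       # only perpetual licenses remain (my reading)
    # Earliest upcoming expiry. Once it passes, valid_on() drops that record and the
    # next date is reported, which is the roll-over the guide describes.
    return min(dated).date().isoformat()


def cloud_warning(licenses: List[CloudLicense], capability: str,
                  now: datetime) -> Tuple[bool, Optional[datetime], List[str]]:
    """(warn, expiry, remaining): warn is True when the next license to expire does so within
    CLOUD_WARNING_DAYS or has already expired; remaining lists what stays licensed after it."""
    dated = sorted((lic for lic in licenses
                    if lic.capability == capability and lic.expires is not None),
                   key=lambda lic: lic.expires)
    if not dated:
        return False, None, [lic.value for lic in valid_on(licenses, capability, now)]
    upcoming = [lic for lic in dated if lic.expires > now]
    ref = upcoming[0] if upcoming else dated[-1]   # next expiry, or the latest one if all have lapsed
    warn = ref.expires - now <= timedelta(days=CLOUD_WARNING_DAYS)
    return warn, ref.expires, [lic.value for lic in valid_on(licenses, capability, ref.expires)]


def local_status(last_refresh: datetime, now: datetime) -> LocalStatus:
    """Status of the local license copies given the last successful refresh time."""
    expires_at = last_refresh + LOCAL_LICENSE_LIFETIME
    remaining = expires_at - now
    expired = remaining <= timedelta(0)
    days_left = 0 if expired else remaining.days
    return LocalStatus(expires_at, days_left, expired, days_left <= LOCAL_WARNING_DAYS)


# Constructed sample data: what a license server might hold for one customer.
SAMPLE_LICENSES = [
    CloudLicense("throughput", "500 Mbps", utc(2018, 10, 1)),
    CloudLicense("throughput", "500 Mbps", utc(2019, 3, 31)),
    CloudLicense("throughput", "250 Mbps", None),
    CloudLicense("aif", "Advanced", utc(2018, 9, 1)),    # already lapsed at SAMPLE_NOW
    CloudLicense("aif", "Standard", utc(2019, 9, 1)),
]
SAMPLE_NOW = utc(2018, 9, 14, 12, 0)

if __name__ == "__main__":
    for cap in ("throughput", "aif"):
        print(cap, expiration_field(SAMPLE_LICENSES, cap, SAMPLE_NOW),
              cloud_warning(SAMPLE_LICENSES, cap, SAMPLE_NOW))
    print(local_status(utc(2018, 9, 10, 8, 0), SAMPLE_NOW))
```

The useful check for operations is local_status(): a vAPS whose last successful refresh is more than a day old is already one failed contact away from the 9-day warning, and at 10 days it stops working, so alert on a stale refresh time rather than waiting for the expiry message on the Licenses page.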
Status of cloud-based licenses

vAPS informs you about the status of your cloud-based licensing in the following ways:

Cloud-based licensing status information

Expiration messages for local licenses
If local licenses expire in 9 or fewer days, a message appears on the Licenses page, in the Cloud-Based License Server section. This message provides the following information:
• the date and time of the last successful refresh
• the date and time when the local licenses expire or expired
If your local licenses expired, contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com/.

Expiration messages for cloud-based licenses
If cloud-based licenses expire in 30 or fewer days, a message appears on the Licenses page, in the Licensed Capabilities section. This message displays one of the following warnings:
• the date and time when the throughput license expires or expired, and the throughput limit that is available after the expiration date
• the date and time when the current AIF level expires or expired, and the AIF level that is available after the expiration date (Standard, Advanced, or None)
If your cloud-based licenses expired, contact ATAC at https://support.arbornetworks.com/.

System alerts
If issues occur with your cloud-based licenses or local licenses, vAPS generates alerts on the Summary page and System Alerts page. See “Viewing Alerts” on page 300.

Status message
Status messages indicate the result of an event: success, failure, or already in progress. Any messages about problems that need further action remain until the problem is resolved.
Status messages appear in the following locations on the Licenses page:
• messages that indicate the result of an event, such as a request for a different throughput amount, appear at the top of the Licenses page
• throughput issues appear above the Current Throughput Limit field
• AIF issues appear above the Current AIF Level field
• server connection issues appear in the Cloud-Based License Server section

Configuring Cloud-Based Licenses for vAPS

System administrators can configure the licensed capabilities for vAPS on the Licenses page. The capabilities that you can license are the throughput limit for vAPS and the ATLAS Intelligence Feed (AIF) level. The licenses for these capabilities are available from a cloud-based license server. See “About Cloud-Based Licensing for vAPS” on page 38.

Note Cloud-based licensing is available for vAPS only. For APS licensing information, see “About the APS License Options” on page 29.

License configuration process

The process to license vAPS consists of the following steps:
1. Configure access to the cloud-based license server. See “Configuring access to the cloud-based license server” below.
2. Request a local license for a throughput limit. This limit is the amount of clean traffic that vAPS is licensed to forward. Clean traffic refers to traffic that is not dropped by a protection setting. See “Requesting a throughput limit for vAPS” on the facing page.
3. Request a local license for an AIF level. See “Requesting an AIF license for vAPS” on page 44.
4. (Optional) Refresh local copies of the licenses. See “Refreshing local copies of the cloud-based licenses” on page 44.

Configuring access to the cloud-based license server

After you purchase a vAPS license, you receive an email that contains the cloud-based license server ID. Use this ID to configure access to the license server.
To configure access to the license server:
1. Select Administration > Licenses.
2. On the Licenses page, in the Cloud-Based License Server section, specify the server settings. See “vAPS license server settings” on the facing page. To change any of the license server settings that you previously configured, click Edit.
3. Click Save.

vAPS license server settings

The Cloud-Based License Server section contains the following settings:

Cloud-Based License Server ID box
Type the license server ID that you received from Arbor after you purchased a cloud-based license.

Use Proxy Server check box
Select this check box to connect to the vAPS license server through a proxy server.

Proxy Server box
Type the IP address or the hostname for the proxy server.

Port box
Type the port number for the proxy server.

Proxy Username box
If necessary, type the user name that is required to access the proxy server.

Proxy Password box and Verify box
If necessary, type the password that is required to access the proxy server, and then re-type the password to confirm it. To delete an existing password and leave the password empty, click (Clear Password).

Proxy Authentication Method options
If necessary, select the authentication method that the proxy server uses:
• Automatic
• Basic
• Digest
• NTLM
Automatic is the default setting. If you select Automatic, then vAPS automatically identifies the authentication method that the proxy server uses. If vAPS cannot identify the correct authentication method automatically, then select another authentication method. With Basic, the proxy credentials travel to the proxy in cleartext on every request, so give vAPS a dedicated proxy account that is limited to reaching the license server.

Requesting a throughput limit for vAPS

After you configure access to the license server, you can request a throughput limit for vAPS.
vAPS can obtain the requested throughput limit from one throughput license or from multiple throughput licenses on the configured cloud-based license server.

To request a throughput limit:
1. Select Administration > Licenses.
2. On the Licenses page, in the Requested Throughput Limit box, specify the amount of throughput to license on this vAPS. You can request from 20 Mbps up to 1 Gbps. The amount of clean traffic that vAPS can forward depends on the throughput limit that has been purchased.
3. Click a unit: Mbps or Gbps.
4. Click Save.
If the cloud-based license server is processing a request from another user, a message notifies you that your request cannot be saved. Wait until the message disappears to save your request.

The Current Throughput Limit field displays the throughput limit that vAPS acquired. If the throughput limit that you request is not available, then a message displays the throughput limit that vAPS could acquire. In this case, your original throughput request remains in the Requested Throughput Limit box. If more throughput becomes available, vAPS increases the throughput, up to the requested amount.

To increase the throughput limit for a vAPS, you can purchase additional throughput licenses. You also can reduce the throughput limit on other vAPS systems that are connected to the same license server.

Requesting an AIF license for vAPS

After you configure access to the license server, you can request an AIF license for vAPS.

To request an AIF license:
1. Select Administration > Licenses.
2. On the Licenses page, under Requested AIF Level, click Standard or Advanced. For a list of the components that are included in the Standard feed and Advanced feed, see “About the ATLAS Intelligence Feed” on page 280.
   Note To turn off access to the AIF, click None.
3. Click Save.
If the cloud-based license server is processing a request from another user, a message notifies you that your request cannot be saved. Wait until the message disappears to save your request.

If the license server cannot acquire the requested AIF level, a message displays the level that vAPS could acquire. The Current AIF Level field also displays the AIF level that vAPS acquired or None, if no AIF license is available. Your original AIF request remains in the Requested AIF Level field. This allows vAPS to change to the requested level if it becomes available on the license server. To obtain a different AIF level, you can purchase additional AIF licenses.

Refreshing local copies of the cloud-based licenses

vAPS communicates with the cloud-based license server on a regular basis throughout each day, to refresh the local copies of the licenses. However, you may want to refresh the local licenses in the following situations:
• after a network change occurs, to ensure that vAPS still can contact the license server
• after you add more throughput capacity to the server or update the AIF license level, so that vAPS can access it immediately
• after you resolve issues that may have caused a license refresh to fail

To refresh the local copies of the cloud-based licenses on vAPS:
1. Select Administration > Licenses.
2. On the Licenses page, in the Cloud-Based License Server section, click Refresh Local Copy of License.
If a license request from another user is pending, then a message notifies you that you cannot refresh your licenses at this time. You must wait until the message disappears before you try to refresh again.

A refresh may take several minutes. If vAPS can communicate with the cloud-based license server, then the Last Successful Refresh section displays the new date and time.
If vAPS cannot communicate with the license server, then a message notifies you that the refresh was unsuccessful. In that situation, contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com/.

Releasing Local Licenses on vAPS

Before you decommission vAPS, release the local licenses. If you do not release the licenses first, then the capacity that is assigned to them is unavailable to other vAPS systems until the local licenses expire. The licenses expire 10 days after you decommission a vAPS.

To release the local licenses, you re-initialize the vAPS. See “Releasing the Local Licenses on vAPS” on page 51.

If you delete or decommission vAPS before you release the local licenses and you do not want to wait 10 days, contact ATAC at https://support.arbornetworks.com/.

Viewing vAPS License Information in the UI

If you are a system administrator, then you can view information about the cloud-based license server and the licensed capabilities for vAPS on the Licenses page. The licensed capabilities are the vAPS throughput limit and the ATLAS Intelligence Feed (AIF) level.

For information about how to configure the licensed capabilities on vAPS, see “Configuring Cloud-Based Licenses for vAPS” on page 42.

Navigating to the Licenses page

To view information about the licensed capabilities for vAPS:

- Select Administration > Licenses.

Viewing information about the throughput license capability

On the Licenses page, you can view the following information about the throughput license:

Throughput license information

Throughput Limit for Clean Traffic: The amount of clean traffic that vAPS is licensed to forward. Clean traffic refers to traffic that is not dropped by a protection setting. This throughput limit is not absolute; it allows for a buffer that accommodates occasional traffic spikes.
vAPS continues to forward clean traffic until the traffic exceeds the buffer. At that point, vAPS may start dropping clean traffic.

Requested Throughput Limit: The amount of throughput for which you requested a license. If the requested amount is not available, this value differs from the Current Throughput Limit. See “Requesting a throughput limit for vAPS” on page 43.

Expiration: The first date on which a throughput license will expire on the cloud-based license server. If no throughput license was requested or if no throughput license is available, then this field is empty. If the throughput license on the license server does not have an expiration date, then this field shows No Expiration.

About the throughput information on the Licenses page

The Throughput for Clean Traffic graph represents the amount of clean traffic that vAPS forwarded over the previous week. Use this information to monitor vAPS and determine when it is near or above the licensed capacity. You also can use this information to verify the success of an upgrade to a license that has a higher throughput limit.

Below the graph, the Throughput Limit for Clean Traffic section indicates the amount of throughput for which vAPS is licensed. A black horizontal line identifies this limit on the graph. This throughput limit is not absolute; it allows for a buffer that accommodates occasional traffic spikes.

Note: If you restart your system, the horizontal line may drop to zero. After the restart is complete, the correct limit is restored.

vAPS continues to forward clean traffic until the traffic exceeds the buffer. At that point, vAPS may start to drop clean traffic. The traffic segments in blue represent the clean traffic that APS forwarded. The traffic segments in red represent the clean traffic that APS dropped after the buffer was exceeded.
Viewing information about the AIF licensed capability

On the Licenses page, you can view the following information about the AIF license:

AIF license information

Current AIF Level: The AIF level that is licensed for vAPS: None, Standard, or Advanced.

Requested AIF Level: The AIF level that you requested. If the requested level is not available, this level differs from the Current AIF Level. See “Requesting an AIF license for vAPS” on page 44.

Expiration: The first date on which an AIF license will expire on the cloud-based license server. If no AIF license level was requested or if no AIF license is available, then this field is empty. If the AIF license on the license server does not have an expiration date, then this field shows No Expiration.

Viewing information about the cloud-based license server

On the Licenses page, you can view the following information about the cloud-based license server:

Cloud-based license server information

Last Successful Refresh: The last date on which vAPS was able to connect to the cloud-based license server, to refresh the local copies of the licenses. If vAPS cannot connect to the license server, a message displays the amount of time, in days and hours, until the local licenses expire.

Refresh Local Copy of License: Click this button to refresh the connection to the cloud-based license server. You may want to refresh the connection in the following situations:
- after a network change occurs, to ensure that vAPS still can contact the license server
- after you add more throughput capacity to the server or update the AIF license level, so that vAPS can access it immediately
- after you resolve issues that may have caused a license refresh to fail
See “Refreshing local copies of the cloud-based licenses” on page 44.
Cloud-Based License Server ID: The ID of the cloud-based license server on which the vAPS licenses reside.

Proxy Server, Port, Proxy Authentication Method: If you configure a proxy server for the cloud-based license server, these fields show the IP address or hostname, port number, and authentication method for the server.

Note: To view additional details about the vAPS licenses, use the command line interface (CLI). See “Viewing vAPS License Information in the CLI” on the facing page.

Viewing vAPS License Information in the CLI

After you configure cloud-based licenses for vAPS, you can view the following information about the licensed capabilities in the command line interface (CLI):

- the aggregated amount of throughput that is associated with each of the licensed capabilities
- the AIF levels that are licensed
- the expiration dates for all of the licenses on the cloud-based license server
- the expiration dates for local copies of the licenses on vAPS

Note: You can view this information from the CLI only.

For an overview of cloud-based licenses, see “About Cloud-Based Licensing for vAPS” on page 38.

Viewing the available cloud-based licenses

To view all of the available licenses on the cloud-based server, and the associated amount of throughput for each of the licenses:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system license show to view the following information:

Number: Shows the ID that is associated with each license. Use this ID with the / system license show command to view details about a specific license.
License Name: Lists the licenses that are available on the cloud-based license server:
- APS.mbps – a license for the throughput limit
- AIF.standard – a license to access the Standard AIF
- AIF.advanced – a license to access the Advanced AIF

Amount: Indicates the amount of throughput, in Mbps, that is assigned to each of the licenses on the cloud-based license server.

Expires: Shows the date at which the licensed capability expires on the cloud-based license server. If the license does not have an expiration date, then permanent is shown instead of a date.

Note: To view the date at which the local copy of a license expires, enter / system license show ID. ID is the number to the left of the License Name, as described in the previous table. The Borrowed until field displays the expiration date for the local copy of the license.

Viewing the licensed capabilities for vAPS

To view the throughput limits that are configured for each of the licensed capabilities (APS.mbps, AIF.standard, and AIF.advanced):

1. Log in to the CLI with your administrator user name and password.
2. Enter / system license capability

Releasing the Local Licenses on vAPS

Before you decommission the virtual machine, you need to release the local licenses on vAPS. If you do not release the licenses first, the capacity assigned to them will be unavailable to other vAPS systems until the local licenses expire. The licenses expire 10 days after you decommission vAPS.

To release the local licenses, you initialize the vAPS.

Caution: Use the data init command carefully because it erases all of the settings that you have configured on vAPS.

Initializing vAPS

To initialize vAPS and release the local licenses:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps stop
3. Enter / services aps data init
4. Enter / services aps start

Chapter 3: Implementing APS

This section describes your options for implementing and deploying APS.

In this section

This section contains the following topics:

Implementing APS for Trial or Monitoring Only 54
Implementing APS for Active Mitigation 57
About the APS Deployment Models 59
Network Connectivity Models 60
About the Deployment Modes 63
About the Layer 3 Deployment Mode 65
Setting the Protection Mode (Active or Inactive) 66
Network Placement Models 69
Deployment for Redundancy 71
Cloud Signaling Deployment Models 72
About SSL Inspection with APS 75

Implementing APS for Trial or Monitoring Only

A trial or monitor-only implementation is one in which APS monitors traffic and detects attacks without performing mitigations. Most organizations typically perform a monitor-only implementation during a trial period. You can also perform a monitor-only implementation if your organization forbids inline deployment. For example, you can use APS to inspect traffic on-premises, and then request and receive cloud-based mitigation from a cloud service provider. See “About the monitor mode” on page 63.

About trial implementations

Before you allow APS to affect your network traffic, Arbor Networks strongly recommends that you perform a trial implementation. A trial period is a useful tool for discovering the level of protection that APS provides.

A trial is the same as a monitor-only implementation, except that you use the trial period to accumulate historical traffic information and statistics. You can observe how APS would block traffic, and you can adjust different protection settings to analyze how they affect the suggested mitigations.
You can use the resulting information to set your policies for attack detection and mitigation.

Arbor recommends that you allow 30 to 60 days for a trial period.

You can perform additional tests at any time after you configure APS for an active implementation. For example, you might need to test a new protection group when you bring new servers online.

Note: The DNS Authentication settings and the Spoofed SYN Flood Prevention settings require two-way communications. Arbor recommends that you test these settings in the inline deployment mode and the active protection mode.

Trials of protection groups and the outbound threat filter

During the initial implementation or afterwards, you can test the configurations for an individual protection group or the outbound threat filter without affecting the rest of the system. To do so, set the protection mode for a protection group or the outbound threat filter to inactive and keep the rest of the system in active mode. You can also change the protection level for a protection group or the outbound threat filter without affecting the traffic to the other protection groups.

For example, you might test an individual protection group after the initial implementation in the following situations:

- You introduce a new server within the data center and create a new protection group for that server.
- An existing web site is updated with a new page.
- An APS upgrade introduces new protection categories.

Required configurations

A monitor-only implementation requires that you deploy APS in either of the following configurations:

- Monitor deployment mode. For connection information, see “Connectivity model: monitor mode” on page 61.

  Important: If you deploy APS in the monitor mode, the outbound traffic does not go through APS. Therefore, the traffic is not analyzed.
- Inline deployment mode with the protection mode set to inactive. For connection information, see “Connectivity model: inline mode” on page 60.

See “About the Deployment Modes” on page 63.

Workflow

The workflow for performing a trial or monitor-only implementation is as follows:

Performing a trial or monitor-only implementation

Step 1: Determine where and how to place APS in your network. See “About the APS Deployment Models” on page 59.

Step 2: Install APS by following the instructions in the APS Quick Start Card. Be sure to set the deployment mode as instructed.

Step 3: If APS is deployed inline, set the protection mode to Inactive. If you only need to test a specific protection group, set the protection group’s protection mode to inactive mode while leaving the system in active mode. See “Setting the Protection Mode (Active or Inactive)” on page 66.

Step 4: Configure the minimum settings for using APS. See “About the APS Configuration” on page 96.

Step 5: Verify that the protection level is set to Low. See “Changing the Protection Level” on page 361.

Step 6: View the Summary page and the View Protection Group page to observe how the low protection level affects the traffic. See “Viewing the Traffic Summary” on page 310 and “Viewing the Traffic Activity for a Protection Group” on page 324. You can also view the Blocked Hosts Log page to view the hosts that are blocked. See “Viewing the Blocked Hosts Log” on page 408. For a more extensive list of monitoring tasks, you can use the system monitoring workflow. See “Workflow for Routine System Monitoring” on page 298.

Step 7: Change the protection level to Medium, and then observe how the change affects the traffic.

Step 8: (Optional) Follow these steps:
- Adjust the protection settings. See “Changing the Protection Settings for Server Types” on page 169.
- Observe how the changes affect the traffic at both the low protection level and the medium protection level.

Step 9: Continue to monitor the traffic until you have collected enough data to decide how to configure APS for optimum protection from DDoS attacks.

After the trial period

After the trial period, your options are as follows:

- If you plan to use APS in a monitor-only mode, no further steps are needed. If you prefer, you can configure additional settings. See “About the APS Configuration” on page 96.
- If you are ready to begin mitigating traffic, configure APS for an active implementation. See “Implementing APS for Active Mitigation” on the facing page.

Implementing APS for Active Mitigation

An active APS implementation is one in which APS mitigates attacks in addition to monitoring traffic and detecting attacks. When you are ready to begin mitigating traffic, configure APS for an active implementation. APS can mitigate traffic only when the deployment mode is Inline Bridged and the protection mode is active.

Note: In a vAPS deployment, you also can mitigate traffic when the deployment mode is set to Inline Routed (layer 3 mode). See “Setting the Deployment Mode” on page 511.

Before you begin

Before you allow APS to affect your network traffic, Arbor strongly recommends that you perform a trial implementation. In a trial implementation, APS analyzes traffic and detects attacks without performing mitigations. See “Implementing APS for Trial or Monitoring Only” on page 54.

Workflow

The workflow for performing an active implementation is as follows:

Implementing APS for active mitigation

Step 1: Determine where and how to place APS in your network. See “About the APS Deployment Models” on page 59. If you previously deployed APS through a span port or network tap during a trial period, insert APS into a network data path by connecting its interfaces (protection ports).
Step 2: Install APS by following the instructions in the APS Quick Start Card.
Note: If you previously performed a trial implementation, skip this step.

Step 3: Configure the minimum settings for using APS. See “About the APS Configuration” on page 96.
Note: If you previously performed a trial implementation, skip this step.

Step 4: Verify the following settings:
- The protection mode is Active. See “Setting the Protection Mode (Active or Inactive)” on page 66.
- The protection level is Low. See “Changing the Protection Level” on page 361.
Completion of this step represents the minimum configuration that is required to use APS. At this stage, APS can analyze traffic and even mitigate attacks.

Step 5: (Optional) Adjust the protection settings.
Note: If you previously performed a trial implementation, you can use the observations that you made as a guide for adjusting the protection settings.
See “Changing the Protection Settings for Server Types” on page 169.

Step 6: (Optional) Configure additional settings as needed. For example, you can configure Cloud Signaling. See “About the APS Configuration” on page 96.

Step 7: (Optional) Add one or more custom protection groups. For example, you can add a custom protection group to protect a specific server or a group of servers. See “Adding Protection Groups” on page 188.

About the APS Deployment Models

When you deploy APS, you must decide how and where to install it in your network. The deployment models illustrate the recommended configurations and explain how each one affects the way that you use APS.
Types of deployment models

The types of deployment models are as follows:

Network connectivity: These models describe the options for connecting APS within your network. See “Network Connectivity Models” on the next page.

Network placement: These models describe the placement of APS in relation to the customer edge router. This placement determines what APS protects. See “Network Placement Models” on page 69.

Redundancy: This model describes how to deploy APS to ensure the maximum availability of your data center by using multiple APS installations. See “Deployment for Redundancy” on page 71.

Cloud Signaling: These models describe the options for using Cloud Signaling, depending on how many ISPs you connect to and who supplies your cloud-based protection. See “Cloud Signaling Deployment Models” on page 72.

Network Connectivity Models

The network connectivity models describe the options for connecting APS within your network. You can connect APS in the following ways:

- Inline with or without mitigations enabled (inline mode and layer 3 mode)
- Out-of-line through a span port or network tap, with no mitigations (monitor mode)

See “About the Deployment Modes” on page 63.

About the protection interface connections

On the APS hardware, the protection interfaces are labeled as “ext0” and “int0”, “ext1” and “int1”, and so on. You can connect a network path to be protected to any two like-numbered interfaces. The “ext” interface always faces an external internet connection, and the “int” interface always faces your internal network.

Connectivity model: inline mode

In the inline mode, APS acts as a physical cable between the internet and your protected network. All of the traffic that traverses the network flows through APS.
APS analyzes the traffic, detects attacks, and mitigates the attacks before it sends the traffic to its destination.

In an inline deployment, APS and two Ethernet cables directly replace an existing Ethernet cable. An Ethernet cable from an upstream router or the service provider’s equipment is connected to an “ext” interface on APS. The matching “int” interface on APS is connected to your downstream network equipment. Usually, this network connection is an internet-facing port on a firewall, but it could be a router or a switch.

[Figure: Connectivity model: inline mode]

The APS appliance is bypass capable. You can configure APS to fail open (bypass) or fail closed (disconnect) if a power failure, hardware failure, or software failure occurs. If you configure software bypass, APS bypasses the protection interfaces when a software failure occurs. By default, hardware bypass is set to fail open and software bypass is enabled. See “Configuring Hardware Bypass and Software Bypass” on page 499.

If you prefer not to deploy an appliance inline before you know how it affects your network traffic, then deploy APS in monitor mode.

You can run APS inline in the inactive protection mode, in which APS analyzes traffic and detects attacks without performing mitigations. You can use the resulting information to set your policies for attack detection and mitigation. When you are ready to fully implement APS, you can change the protection mode to active and allow it to mitigate attacks. See “Setting the Protection Mode (Active or Inactive)” on page 66.

Connectivity model: layer 3 mode (vAPS only)

In the layer 3 mode on vAPS, you configure mitigation routes by specifying IP addresses for the nexthop and the destination host. vAPS inspects all of the traffic that traverses the specified route and mitigates any attacks before it routes the traffic to its destination.
[Figure: Connectivity model: layer 3 mode]

If you prefer not to deploy APS in the layer 3 mode before you know how it affects your network traffic, then you should deploy APS in the monitor mode.

You can deploy vAPS in layer 3 mode while vAPS is set to the inactive protection mode. In this protection mode, vAPS analyzes traffic and detects attacks without performing any mitigations. You can use the resulting information to set your policies for attack detection and mitigation. When you are ready to fully implement vAPS, you can change the protection mode to active and allow it to mitigate attacks. See “Setting the Protection Mode (Active or Inactive)” on page 66.

Connectivity model: monitor mode

In the monitor mode, APS is deployed out-of-line through a span port or network tap, which collectively are referred to as monitor ports. The router or switch sends the traffic along its original path and also copies, or mirrors, the traffic to APS. APS analyzes the traffic, detects possible attacks, and suggests mitigations, but it does not forward traffic.

The monitor ports for the traffic that is received from the internet are connected to the “ext” interfaces on APS. The network traffic is analyzed but no mitigation takes place. Because APS never forwards traffic in the monitor mode, the mirrored traffic is not reinjected to the “int” port in the pair.

You can connect the monitor ports for the traffic that is bound for the internet to the “int” interfaces, but this connection is not required. The outbound traffic does not go through APS and is not analyzed.

[Figure: Connectivity model: monitor mode]

The monitor mode is most commonly used in trial implementations. For example, before you deploy APS inline and allow it to affect your network traffic, you can deploy it in the monitor mode for evaluation purposes.
You can use the resulting information to set your policies for attack detection and mitigation.

You can also use the monitor mode if your organization forbids inline deployment. For example, you can use APS to detect traffic on-premises, and then request and receive cloud-based mitigation from a cloud service provider.

Important: If you deploy APS in the monitor mode, then you should disable link state propagation. Because the internal interface is not connected in a typical monitor mode implementation, the link state propagation can prevent the corresponding external interface from coming up. See “About link state propagation” on page 141.

Note: Hardware bypass and software bypass only work in the inline mode. APS does not initiate a bypass when it is in the monitor mode. See “Configuring Hardware Bypass and Software Bypass” on page 499.

About the Deployment Modes

The deployment mode indicates how APS is installed in your network: inline, layer 3 (vAPS only), or monitor. See “Network Connectivity Models” on page 60.

Typically, the deployment mode is set during the initial installation. However, you might need to reset the deployment mode. See “Setting the Deployment Mode” on page 511.

About the inline mode and layer 3 mode

In the inline mode and layer 3 mode, APS acts as a physical connection between two end points and you can configure APS to block attack traffic. In the inline mode, APS forwards all of the traffic that meets the mitigation rules. In the layer 3 mode, vAPS forwards all of the traffic that meets the mitigation rules if a valid route is configured to the destination network.

Note: If you deploy vAPS in the layer 3 mode, you must specify routes for the protection interfaces. See “Configuring Static Routes for the Protection Interfaces on vAPS” on page 513.

Typically, the inline mode and layer 3 mode are used in an active implementation.
In an active implementation, APS mitigates attacks in addition to monitoring traffic and detecting attacks. However, you can run APS in an inactive protection mode, in which it analyzes traffic and detects attacks without performing mitigations. The inactive protection mode is similar to the monitor mode. Like the monitor mode, the inactive protection mode typically is used for trial implementations. See “Setting the Protection Mode (Active or Inactive)” on page 66.

In the UI, the inline deployment mode appears as Inline Bridged and the layer 3 deployment mode appears as Inline Routed. For more information about the layer 3 deployment mode, see “About the Layer 3 Deployment Mode” on page 65.

About the monitor mode

In the monitor mode, you deploy APS out-of-line through a span port or network tap, which are referred to as monitor ports. The router or switch sends the traffic along its original path and also copies, or mirrors, the traffic to APS. APS analyzes the traffic, detects possible attacks, and suggests mitigations. In the monitor mode, APS does not forward traffic or analyze outbound traffic. Otherwise, APS remains fully functional in the monitor mode.

Use the monitor mode if you prefer not to deploy APS inline before you know how it affects your network traffic. Typically, you use monitor mode for trial implementations. However, you also can use the monitor mode if your organization forbids the inline deployment. For example, you can use APS to detect the traffic on-premises and then request and receive cloud-based mitigation from a cloud service provider.

Important: If you deploy APS in the monitor mode, then you should disable link state propagation. Because the internal interface is not connected in a typical monitor mode implementation, the link state propagation can prevent the corresponding external interface from coming up. See “About link state propagation” on page 141.

Viewing the current deployment mode

The current deployment mode appears in the upper right of the APS window.

About the Layer 3 Deployment Mode

The deployment mode indicates how APS is installed on your network: inline or monitor. On vAPS, you also have the option to deploy in the layer 3 mode. In the layer 3 mode, vAPS forwards all of the traffic that meets the mitigation rules and has a route configured for the destination network. See “Setting the Deployment Mode” on page 511.

In the UI, the inline deployment mode appears as Inline Bridged and the layer 3 deployment mode appears as Inline Routed.

If vAPS does not have a valid license when it is set to layer 3 mode, then the system does not pass traffic or process mitigations.

Configuring routes

If you deploy vAPS in the layer 3 mode, then you must configure routes for the protection interfaces. See “Configuring Static Routes for the Protection Interfaces on vAPS” on page 513.
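The rules in this chapter (monitor mode never forwards or analyzes outbound traffic, layer 3 mode needs vAPS with a valid license and a route, and mitigation also requires the system-wide protection mode and the protection group's own mode to be active) are easy to get wrong when planning a trial, so here is an added example in Python that models them in one place. It is not Arbor's code or documentation; the class names, the function names and the fields of SystemState are my own assumptions standing in for values you would read from the UI or CLI.

```python
# Added example (not Arbor code): a small model of when APS or vAPS forwards
# traffic, analyzes outbound traffic, and actually mitigates attacks, built
# from the deployment-mode and protection-mode rules in this chapter.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DeploymentMode(Enum):
    INLINE_BRIDGED = "Inline Bridged"  # inline mode (appliance or vAPS)
    INLINE_ROUTED = "Inline Routed"    # layer 3 mode, vAPS only
    MONITOR = "Monitor"                # out-of-line via span port or tap


class ProtectionMode(Enum):
    ACTIVE = "Active"
    INACTIVE = "Inactive"


@dataclass
class SystemState:
    """Assumed fields (my own), standing in for values shown in the UI or CLI."""
    is_vaps: bool
    deployment_mode: DeploymentMode
    protection_mode: ProtectionMode        # system-wide protection mode
    license_valid: bool = True             # only checked in layer 3 mode
    route_to_destination: bool = True      # static route for the protection interface (layer 3)


@dataclass
class ProtectionGroup:
    name: str
    protection_mode: ProtectionMode        # per-group mode, may differ from system-wide


def forwarding_blocker(state: SystemState) -> Optional[str]:
    """Return why APS would not forward traffic, or None when it forwards."""
    if state.deployment_mode is DeploymentMode.MONITOR:
        return "monitor mode: traffic is mirrored to APS and never forwarded"
    if state.deployment_mode is DeploymentMode.INLINE_ROUTED:
        if not state.is_vaps:
            raise ValueError("Inline Routed (layer 3) mode is available on vAPS only")
        if not state.license_valid:
            return "layer 3 mode without a valid license: no traffic passes, no mitigations"
        if not state.route_to_destination:
            return "layer 3 mode: no route configured for the destination network"
    return None


def mitigation_blocker(state: SystemState,
                       group: Optional[ProtectionGroup] = None) -> Optional[str]:
    """Return why attack traffic would NOT be mitigated for this protection
    group (system-wide when group is None), or None when APS mitigates."""
    reason = forwarding_blocker(state)
    if reason:
        return reason
    if state.protection_mode is not ProtectionMode.ACTIVE:
        return "system protection mode is Inactive: attacks are detected, not mitigated"
    if group is not None and group.protection_mode is not ProtectionMode.ACTIVE:
        return f"protection group {group.name!r} is Inactive: only its traffic is left alone"
    return None


def mitigates(state: SystemState, group: Optional[ProtectionGroup] = None) -> bool:
    return mitigation_blocker(state, group) is None


def analyzes_outbound_traffic(state: SystemState) -> bool:
    """Outbound traffic does not pass through APS in monitor mode, so it is not analyzed."""
    return state.deployment_mode is not DeploymentMode.MONITOR


if __name__ == "__main__":
    # Constructed states: an inline trial, and production with one group under test.
    trial = SystemState(False, DeploymentMode.INLINE_BRIDGED, ProtectionMode.INACTIVE)
    prod = SystemState(False, DeploymentMode.INLINE_BRIDGED, ProtectionMode.ACTIVE)
    new_group = ProtectionGroup("new-web-servers", ProtectionMode.INACTIVE)
    print(mitigation_blocker(trial))
    print(mitigation_blocker(prod, new_group))
    print(mitigates(prod, ProtectionGroup("existing-dns", ProtectionMode.ACTIVE)))
```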
Changing the deployment mode from inline to layer 3

If you change the deployment mode from inline to layer 3, then vAPS makes the following changes:

- Removes any GRE tunneling settings, including routes, local IP addresses, remote IP addresses, and the subnet mask length
- Disables link state propagation

Changing the deployment mode from layer 3 to inline

If you change the deployment mode from layer 3 to inline, then vAPS makes the following changes:

- Removes any routes that are configured for the protection interfaces
- Removes any IP addresses that are configured for the protection interfaces
- Removes any GRE tunneling settings, including local IP addresses, remote IP addresses, and the subnet mask length

Backing up and restoring data while in the layer 3 deployment mode

If vAPS is set to the layer 3 deployment mode, then the following data is not included in any backup:

- Any GRE tunneling settings that are configured on the Interfaces page in the UI. See “Configuring Interfaces and GRE Tunneling” on page 141.
- Any routes that are configured for the protection interfaces. These routes may include mitigation routes that were configured from the CLI and routes that were configured in the Routes section on the Interfaces page. See “Configuring Routes” on page 145.

Setting the Protection Mode (Active or Inactive)

When APS is installed in the inline deployment mode, you can run it in one of the following protection modes:

- active — In addition to monitoring traffic and detecting attacks, APS mitigates attacks.
- inactive — APS analyzes traffic and detects attacks without performing mitigations. You can use the resulting information to set your policies for attack detection and mitigation. The inactive mode is most commonly used in trial implementations. See “Implementing APS for Trial or Monitoring Only” on page 54.
You can set the protection mode for an individual protection group or the outbound threat filter without affecting any other traffic. For example, you can set a new protection group to inactive mode for testing while keeping the APS in active mode. See “Adding Protection Groups” on page 188 and “Configuring the Outbound Threat Filter” on page 205.

About changing the protection mode for multiple APS devices

When you use APS Console to manage APS, you can set the protection mode for multiple APS devices, as follows:

- By default, every APS to which a protection group is assigned uses the protection mode that you configure for that protection group. However, for a specific APS, you can override the protection group’s protection mode.
- For outbound traffic, all of the managed APS devices use the protection mode that is set for the APS Console outbound threat filter.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Viewing the current protection mode

You can view the current protection mode in the following places in the UI:

Where to view the current protection mode

System-wide: When APS is in inline mode, the current protection mode is displayed in the upper right of the APS window.
- Protection group: You can view the protection mode for a protection group on the following pages:
  - List Protection Groups (Protect > Inbound Protection > Protection Groups)
  - View Protection Group
- Outbound threat filter: You can view the protection mode for the outbound threat filter on the Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter).

Changing the system-wide protection mode

To change the system-wide protection mode:
- In the upper right of the APS window, select Active or Inactive.

If one or more protection mode notifications are configured, the system sends a notification whenever someone changes the protection mode.

Changing the protection mode for a protection group

APS mitigates traffic for an active protection group only when the system’s protection mode is active.

To change the protection mode for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. In Protection Group Mode, select Active or Inactive.
5. Click Save.

Changing the protection mode for the outbound threat filter

To change the protection mode for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click the (configure) icon.
3. For Protection Mode, select Active or Inactive.
4. Click Save.

Network Placement Models

The network placement models describe the placement of APS in relation to the customer edge (CE) router. The placement, which determines what APS protects, depends on the type of CE router and the design and architecture of your network.
If you use a hardware-based router, then you place APS downstream of the router. If you use a software-based router, then you place APS upstream of the router. The network placement applies to inline deployments only; it has no significant effect on out-of-line deployments. For more information about deployment modes, see “About the Deployment Modes” on page 63.

Note: All of the network placement configurations support Cloud Signaling. See “Cloud Signaling Deployment Models” on page 72.

Placement model: downstream

In a downstream deployment, you place APS behind (downstream from) the upstream CE router. APS protects the firewall and the data center directly, but it does not protect the CE router. If you connect to multiple upstream service providers, the CE router handles the connections and APS does not need to know about each one. See “Placement model: multiple service providers” on the next page.

Placement model: upstream

In an upstream deployment, you place APS in front of (upstream from) the upstream CE router. APS protects the CE router by mitigating the traffic that flows through APS and to the router.

Important: This configuration requires an Ethernet connection between the CE router and your ISP. Also, to ensure connectivity between the CE router and the ISP router, you must whitelist the endpoints of any routing protocols, so that a mitigation cannot block the routing session that keeps the ISP link up. If the CE router does not have Ethernet connectivity to the ISP, you must use the downstream deployment model.

Placement model: multiple service providers

Many customers have multiple service providers for redundancy. In a multiple provider deployment, you connect to two separate service providers and you place APS behind the upstream CE router. This configuration requires the upstream CE router to have Ethernet connectivity to each of the service providers.
The number of upstream service providers that APS supports depends on the model that you deploy. If you need APS to support more than the number of upstream service providers that the model supports, you have the following options:
- Deploy additional APS devices.
- Deploy a single APS downstream of the CE router.

Deployment for Redundancy

The redundancy deployment model describes how to deploy multiple APS devices to provide failover capabilities and ensure that your data center remains available. This deployment requires that the configurations on all of the APS installations are exactly the same; because the failover is automatic, any difference between the installations changes what is mitigated after a failover.

Deployment model: redundancy

In a redundancy deployment, multiple APS installations connect to multiple service providers to provide redundancy. Normally, traffic flows between any of the APS installations and any of the routers. However, if an APS or a router goes down for any reason, including an attack, the traffic is routed to the other APS or router. No traffic is lost during this automatic failover. You can place APS downstream or upstream from the routers. See “Network Placement Models” on page 69.

Reference: See “About the APS Deployment Models” on page 59 for information about the other types of deployments.

Cloud Signaling Deployment Models

Cloud Signaling is the process of requesting and receiving cloud-based mitigation of volumetric attacks in real time from an upstream service provider. Cloud Signaling deployment models describe the options for connecting to a cloud service provider.

Important: Deploying APS downstream from the upstream CE (customer edge) router can present a risk for Cloud Signaling. If traffic levels at the CE router prevent the traffic from reaching APS, then Cloud Signaling cannot occur.
About Cloud Signaling

You purchase the cloud-based protection from an ISP or MSSP (Managed Security Service Provider) that supports Cloud Signaling. When you deploy APS, you configure the traffic threshold that activates Cloud Signaling. When a qualifying attack occurs, APS signals to the service provider that mitigation help is needed. The service provider mitigates the attack, and then routes the cleaned traffic back to its destination in your network. See “About Cloud Signaling for DDoS Protection” on page 368.

Your cloud service provider might use GRE tunneling to route the cleaned traffic back to your network. For more information, see “About GRE Tunneling and Cloud Signaling” on page 372.

Deployment model: Single ISP with ISP cloud service

This model illustrates the most common way to deploy Cloud Signaling. The customer connects to a single ISP for internet service and purchases the cloud service from that ISP. When APS initiates Cloud Signaling, the ISP performs the mitigation. The customer owns and operates APS.

Deployment model: Single ISP with ISP cloud service and multiple Cloud Signaling servers

In this model, a customer connects to a single ISP for internet service and cloud mitigation service. To provide Cloud Signaling redundancy, the customer configures up to five Cloud Signaling servers. If a Cloud Signaling server goes down when multiple servers are configured, another Cloud Signaling server takes its place. Cloud Signaling is available unless APS loses communication with all of the Cloud Signaling servers.

Deployment model: Dual ISPs with ISP cloud service

In this model, the customer connects to multiple ISPs for internet service and might purchase cloud-based protection from multiple ISPs. The customer owns and operates APS.
Because APS supports mitigation connectivity to only one ISP at a time, the customer must choose which ISP to use for Cloud Signaling. When APS initiates Cloud Signaling, the selected ISP performs the mitigation.

Deployment model: Single or dual ISPs with MSSP cloud service

In this model, the customer connects to one or more ISPs for internet service and purchases cloud-based protection from an MSSP. Either the customer or the cloud service provider can own and operate APS. When APS initiates Cloud Signaling, the cloud service provider performs the mitigation. The Arbor Cloud DDoS Protection service is an example of this model. See “About the Arbor Cloud DDoS Protection Service” on page 402.

About SSL Inspection with APS

The increased use of e-commerce applications, cloud computing, and Web 2.0 applications is responsible for significant increases in SSL-secured traffic on enterprise networks. As TLS/SSL[1] (Transport Layer Security and Secure Sockets Layer) protects more transactions and services, DDoS attacks on SSL-secured services are on the rise. SSL can also be used to conceal malicious activity, such as botnet command-and-control traffic. In the past, the SSL encryption that secured the data also prevented the inspection of the SSL-encrypted traffic for threats. To overcome this limitation, APS is available with an integrated Hardware Security Module (HSM) to provide visibility into SSL-secured traffic. By combining APS and the HSM, you can protect the availability of online applications that rely on TLS/SSL. The HSM hardware is installed in the APS appliance.

About the SSL inspection configuration

Before the HSM can decrypt traffic, you must initialize the HSM, import keys, and then configure APS to inspect the SSL traffic.
You configure the HSM in the command line interface (CLI), and you configure APS in the UI. See “Configuring the Hardware Security Module” on page 152.

How SSL inspection with APS works

When traffic arrives on port 443, APS performs several initial checks, and then checks the HSM for a certificate that matches the traffic. If the HSM has a matching certificate, APS decrypts the traffic, applies the HTTP-related protections, and then passes or blocks the traffic accordingly. When APS passes the traffic, it forwards the original encrypted packets. For details, see “The SSL inspection process” on the next page.

All of the decrypted traffic is processed internally. The decrypted data cannot appear in the APS packet captures or in the reporting of traffic levels throughout the APS UI. However, when you configure APS for SSL inspection, you have the option to include the URLs and domains from the decrypted traffic in the reporting.

Deployment requirements

To perform SSL inspection, APS must be deployed inline. APS performs passive SSL inspection only; it does not terminate SSL sessions or proxy traffic. However, SSL inspection requires that the following conditions are met:
- To decrypt the traffic, APS must observe both sides of the SSL handshake.
- To inspect the encrypted traffic, APS must be deployed such that both the inbound SSL traffic and the outbound SSL traffic are present in the traffic path.

The SSL handshake does not have to traverse the same APS interface pair. For example, APS and the HSM could decrypt and inspect traffic if the inbound traffic were on ext0/int0 and the outbound traffic were on ext1/int1. When APS processes asymmetric traffic and does not observe both sides of the SSL handshake, it inspects the traffic without applying the HTTP-related protections.

Passive decryption with an imported server key can recover a session only when that key unlocks the session’s key exchange. With forward-secret key exchange (DHE or ECDHE), a passive observer cannot derive the session keys from the server key alone, so confirm which key exchanges the protected servers negotiate before relying on decrypted inspection.

[1] “SSL” is commonly used to refer to both Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
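The inspection flow described above (layer 3/4 checks first, decryption of a copy only when the HSM holds a matching key and both handshake halves were seen, HTTP protections on the copy, the original ciphertext forwarded untouched) is easy to get wrong in the edge cases. The following is an added Python illustration written for this page, not APS or HSM code: the packet fields, the protection callbacks, the HSM key store and the sample flow are all constructed assumptions, and the repeating-key XOR stands in for the HSM’s real TLS decryption.

```python
from dataclasses import dataclass, field
from enum import Enum
from itertools import cycle
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    PASS = "pass"
    BLOCK = "block"


@dataclass
class Flow:
    """One HTTPS flow as seen on the wire (constructed fields for this example)."""
    server_name: str                 # used to find the matching key in the HSM
    ciphertext: bytes                # the original encrypted payload
    handshake_both_sides: bool       # did APS observe both halves of the handshake?
    http_protections_enabled: bool   # server type of the destination PG (note 2)
    decrypt_required: bool


@dataclass
class Result:
    verdict: Verdict
    forwarded: Optional[bytes]       # what leaves APS: the original bytes, never plaintext
    trace: List[str]


Check = Callable[[bytes], bool]      # True when the data passes the check


def toy_hsm_decrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the HSM: repeating-key XOR. Real TLS record decryption is nothing
    like this; the point is only that a COPY is decrypted and the original is kept."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


@dataclass
class SslInspector:
    hsm_keys: Dict[str, bytes]       # server name -> key imported into the HSM
    l3l4_checks: List[Check] = field(default_factory=list)
    http_checks: List[Check] = field(default_factory=list)
    l7_other_checks: List[Check] = field(default_factory=list)

    def inspect(self, flow: Flow) -> Result:
        trace: List[str] = []
        # Step 1: layer 3/4 protections run on the encrypted packets.
        if not all(c(flow.ciphertext) for c in self.l3l4_checks):
            trace.append("blocked by layer 3/4 protections")
            return Result(Verdict.BLOCK, None, trace)
        # Steps 2-4: decrypt only if HTTP protections apply, decryption is required,
        # both handshake halves were seen, and the HSM holds a matching key.
        key = self.hsm_keys.get(flow.server_name)
        if not flow.http_protections_enabled:
            trace.append("HTTP protections disabled: no decryption")
        elif not flow.decrypt_required:
            trace.append("decryption not required")
        elif not flow.handshake_both_sides:
            trace.append("asymmetric: handshake incomplete, HTTP protections skipped")
        elif key is None:
            trace.append("no matching certificate in HSM")
        else:
            # Step 5: the HSM decrypts a copy; the original bytes stay untouched.
            plaintext = toy_hsm_decrypt(key, flow.ciphertext)
            trace.append("decrypted copy inspected")
            if not all(c(plaintext) for c in self.http_checks):
                trace.append("blocked by HTTP protections")
                return Result(Verdict.BLOCK, None, trace)
            del plaintext   # processed internally only; never reported or forwarded
        # Step 6: originals released, layer 7 non-HTTP protections applied.
        if not all(c(flow.ciphertext) for c in self.l7_other_checks):
            trace.append("blocked by layer 7 non-HTTP protections")
            return Result(Verdict.BLOCK, None, trace)
        trace.append("passed")
        return Result(Verdict.PASS, flow.ciphertext, trace)


# Constructed sample: an HTTP flood request that is only visible once decrypted.
KEY = b"\x5a\x3c"
ATTACK_PLAINTEXT = b"GET /login HTTP/1.1\r\nX-Flood: 1\r\n\r\n"
ATTACK_CIPHERTEXT = toy_hsm_decrypt(KEY, ATTACK_PLAINTEXT)   # XOR is symmetric


def http_flood_check(data: bytes) -> bool:
    """Toy HTTP protection: fail any request carrying the constructed flood marker."""
    return b"X-Flood:" not in data


def build_inspector() -> SslInspector:
    return SslInspector(
        hsm_keys={"www.example.com": KEY},
        l3l4_checks=[lambda data: len(data) > 0],                # stand-in L3/L4 check
        http_checks=[http_flood_check],                           # runs on plaintext copy
        l7_other_checks=[lambda data: b"X-Flood:" not in data],  # sees ciphertext only
    )


def demo(handshake_both_sides: bool = True,
         server_name: str = "www.example.com") -> Result:
    flow = Flow(server_name, ATTACK_CIPHERTEXT, handshake_both_sides, True, True)
    return build_inspector().inspect(flow)


if __name__ == "__main__":
    for both in (True, False):
        r = demo(both)
        print("both handshake halves seen:", both, "->", r.verdict.value, r.trace)
```

Running the block shows the two cases that matter operationally: with a symmetric path and a matching key, the flood is blocked; with an asymmetric path the same ciphertext passes, because the HTTP protections never see plaintext and the non-HTTP layer 7 checks cannot find the marker in encrypted bytes.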
The SSL inspection process

The following figure shows how APS and the HSM process traffic. The figure itself cannot be reproduced here; the decision sequence that it shows, read from the figure’s labels, is listed below. (The notes that follow provide details for the steps that are abbreviated in the figure.)

1. Traffic arrives on port 443. APS applies the layer 3 and layer 4 protections. (1) If the traffic does not pass the inspection, APS blocks the traffic.
2. Are the HTTP protections enabled? (2) If not, APS skips decryption and continues at step 6.
3. Is HTTPS decryption required? If not, APS skips decryption and continues at step 6.
4. Does the HSM have a matching certificate? If not, APS skips decryption and continues at step 6.
5. The HSM decrypts copies of the packets while APS holds the original encrypted packets. APS applies the HTTP-related protections to the decrypted copies. (3) If the traffic does not pass the inspection, APS blocks the traffic.
6. APS releases the original encrypted packets and applies the layer 7 non-HTTP protections. If the traffic passes the inspection, APS passes the traffic; otherwise, APS blocks the traffic.

(1) The layer 3 and layer 4 protection settings include, but are not limited to: blacklists and whitelists; TLS Attack Prevention; Malformed HTTP Filtering; TCP Connection Reset; and Spoofed SYN Flood Prevention.
(2) Is the destination protection group associated with a server type that has the HTTP protection settings enabled?
(3) An exception is the HTTP Authentication Method setting in the Spoofed SYN Flood Prevention protection category, which does not inspect the decrypted traffic.

Chapter 4: Managing APS from APS Console

This section describes how to manage multiple APS devices from APS Console.

In this section
This section contains the following topics:
About Managing APS Devices from APS Console 78
About the APS Console - APS Data Synchronization 80

About Managing APS Devices from APS Console

Large organizations may have multiple APS devices installed across data centers or geographic areas.
APS Console provides security administrators with a single console for the central management of multiple APS devices. APS Console can manage up to 50 APS devices, which allows you to monitor and respond to attacks across your network from a single user interface.

Note: APS Console can support multiple versions of APS software simultaneously. For more information about multi-version support, see the Arbor Networks® APS and APS Console Compatibility Guide. For additional information about APS Console, see the Arbor Networks® APS Console User Guide.

APS management tasks

APS Console allows you to perform the following tasks for managing the configuration and daily operations on the APS devices that are under management:
- Centrally create, configure, and manage the server types, protection groups, outbound threat filter, blacklists, and whitelists in APS Console. APS Console propagates the configurations to each managed APS as appropriate.
- Share common protection groups and server types across multiple APS devices.
- View the traffic and statistics from each APS as well as an aggregate of the data from all of the APS devices. For example, you can view an aggregated blocked host log.
- View active bandwidth alerts and system alerts for all of the APS devices.
- View and respond to the threats that are identified by the ATLAS threat policies.
- Respond to availability attacks by changing the protection level, blacklisting hosts, or modifying the protection settings globally or per APS.
- Navigate to a specific APS to view more detailed information about its configuration or traffic.

When you first connect APS to APS Console, the applicable configurations on APS Console are copied to APS. Thereafter, any changes to the configurations on APS Console are periodically copied to each APS as appropriate. See “About the APS Console - APS Data Synchronization” on page 80.
Communication between APS Console and APS

To manage APS from APS Console, you connect the APS to APS Console. You do so on the Configure General Settings page in APS. See “Configuring APS for APS Console Management” on page 111.

After you connect an APS to APS Console, the systems communicate with each other as follows:
- APS Console sends requests to APS for information such as alerts and traffic data.
- APS checks APS Console periodically for configuration changes and obtains the changes that apply to the APS. See “About the APS Console - APS Data Synchronization” on page 80.

In APS Console, you can view the connection and synchronization status for a specific APS in the System Information section on the Summary page. See “Viewing the APS synchronization status” on the next page.

Single sign-on

You can navigate to an APS from several areas in the APS Console UI, which allows you to examine specific data more closely. For example, from the Blocked Hosts Log page in APS Console, you can navigate to the Blocked Hosts Log page in the APS that blocked a particular host. If your APS user account has the same username as your APS Console user account, the APS opens without prompting you to log in. You can use a different password for each account. Because the match is on username alone, an APS Console account effectively opens every managed APS on which that username exists; protect the APS Console credentials accordingly.

About the APS Console - APS Data Synchronization

When you use APS Console as a central management console for APS, you can create and manage the configurations for multiple APS devices. You can configure server types, protection groups, the outbound threat filter, blacklists, and whitelists in APS Console and propagate the configurations to each managed APS as appropriate. See “About Managing APS Devices from APS Console” on page 78.
When you first connect APS to APS Console, the applicable configurations on APS Console are copied to APS. Any existing configurations on APS are copied to APS Console. Thereafter, each APS periodically checks APS Console for configuration changes and obtains the changes that apply to the APS. For information about connecting APS to APS Console, see “Configuring APS for APS Console Management” on page 111.

Note: APS Console can support multiple versions of APS software simultaneously. For more information about multi-version support, see the Arbor Networks® APS and APS Console Compatibility Guide.

Viewing the APS synchronization status

In APS Console, you can view the synchronization status for a specific APS in the System Information section on the Summary page. The possible statuses are as follows:
- Initial synchronization — A new APS is connected and the initial synchronization is in progress.
- Preparing configuration — The system is in the process of updating the current configurations.
- Good — The configurations on APS match the configurations on APS Console that apply to the APS.
- Out of sync — One or more of the configurations on APS Console changed, and the APS has not yet received those changes.
- APS version does not support synchronization — The APS version is earlier than 5.11.

Initial synchronization

When you first connect APS to APS Console, the following items are copied from APS Console to the APS:
- all of the standard server types
- the outbound threat filter
- the default protection group
- the global items in the inbound blacklist and inbound whitelist
- all of the items in the outbound blacklist and outbound whitelist

No custom configurations or protection group-specific items are copied because no custom protection groups have been assigned to the new APS yet.
If APS contains local configurations, they affect the synchronization as follows:
- If certain local configurations conflict with any of the configurations that are copied from APS Console, they are duplicated on APS. See “Initial synchronization of duplicate configurations” below.
- The local configurations are merged with the configurations on APS Console. See “Configuration merges during the initial synchronization” below.

Initial synchronization of duplicate configurations

During the initial synchronization of an APS that has local configurations, a server type or protection group on APS might conflict with one on APS Console. These conflicts are treated as follows:
- If APS and APS Console contain a server type (standard or custom) with the same name, a copy of that server type is created on APS. The copy of the server type has the same name as the original server type, with the name of the APS appended to it. The original server type on APS is updated with the configuration from APS Console. Any protection groups that were associated with the original server type are updated to be associated with the new server type.
- If APS and APS Console contain a protection group with the same name, a copy of that protection group is created on APS. The copy of the protection group has the same name as the original protection group, with the name of the APS appended to it. The original protection group on APS is updated with the configuration from APS Console.

Consolidating the new configurations

After you connect each APS, you might review the APS for configurations that you can consolidate. For example, if an APS contains a protection group that is assigned to that APS only, determine whether an existing protection group on APS Console would serve the same purpose. If so, then in APS Console, unassign the APS from the local protection group and assign it to the protection group on APS Console.
Then delete the APS-specific protection group.

Configuration merges during the initial synchronization

During the initial synchronization of an APS that has local configurations, the local items are merged with the items on APS Console as described below.

Server type merges
All of the server types on APS are copied to APS Console. These server types include any duplicate server types that APS might have created to resolve conflicts with the server types that it received from APS Console. See “Initial synchronization of duplicate configurations” above.

Protection group merges
- The default protection group on the APS is replaced with the one from APS Console, which overwrites any local configuration changes.
- All of the custom protection groups on APS are copied to APS Console and assigned to that APS. These protection groups include any duplicate protection groups that APS might have created to resolve conflicts with the protection groups that it received from APS Console. See “Initial synchronization of duplicate configurations” on the previous page.

Outbound threat filter merge
The outbound threat filter on the APS is replaced with the one from APS Console, which overwrites any local configuration changes.

Blacklist merges and whitelist merges
- The global items and protection group-specific items on APS that do not match any items on APS Console are copied to APS Console.
- A global item on APS that matches a protection group-specific item on APS Console replaces the APS Console item.
- A protection group-specific item on APS that matches a global item on APS Console is deleted.
- If an item from APS causes APS Console to exceed its capacity, the item is added to APS Console but disabled. The disabled item appears on the blacklist page or whitelist page in the APS Console UI, but it is dimmed.
  Also, if you add a host entry on APS after synchronization and the APS table becomes full, APS Console stops synchronizing hosts with the APS. To avoid these issues, Arbor recommends that you do not add hosts to the blacklists and whitelists on an APS if it is managed by APS Console. See “About the Capacity of the Blacklists and Whitelists” on page 262.
- Any blacklisted CIDRs or whitelisted CIDRs on APS that overlap existing items on APS Console are copied to APS Console but are not merged. For example, assume that 192.168.0.0/16 is blacklisted on APS and 192.168.1.0/24 is blacklisted on APS Console. Although the blacklisted range on APS includes the subnet that is blacklisted on APS Console, APS Console will contain both items.

Subsequent synchronizations

Periodically, any configuration changes (additions, modifications, and deletions) on APS Console are propagated to each APS as applicable. As in the initial synchronization, each APS obtains only the standard items, the global items, and the items that are specific to the APS. No items are copied from APS to APS Console.

Caution: After the initial synchronization, the additions and changes to the configurations on APS Console might overwrite the local configurations on APS. Generally, you should not make local changes on a managed APS, although you might occasionally need to do so. For example, you might lose the connection between APS Console and an APS during a high-volume DDoS attack. In that case, you can make local changes on the APS to mitigate the attack.

When you back up and restore APS Console and APS, you must follow certain guidelines to maintain the synchronization. See “How Restoring Backups Affects the APS Console - APS Synchronization” on page 461.
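Two of the initial synchronization rules above are easy to misread until you trace them on concrete data: the renaming of a server type whose name exists on both sides (“Initial synchronization of duplicate configurations”) and the blacklist/whitelist merge rules, including the capacity and overlapping-CIDR cases. The following is an added Python illustration written for this page, not APS or APS Console code. The object shapes, the separator used when the APS name is appended, the capacity value, the reading of “matches” as “same network”, and all sample entries are constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass
class ServerType:
    name: str
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class ProtectionGroup:
    name: str
    server_type: str


@dataclass(frozen=True)
class ListItem:
    """One blacklist or whitelist entry; scope is "global" or a protection group name."""
    cidr: str
    scope: str = "global"
    enabled: bool = True


def resolve_server_type_conflicts(aps_name: str, local: List[ServerType],
                                  console: List[ServerType],
                                  groups: List[ProtectionGroup]
                                  ) -> Tuple[List[ServerType], List[ProtectionGroup]]:
    """Name present on both sides: keep the local settings under a copy whose name
    has the APS name appended (separator assumed), overwrite the original with the
    APS Console settings, and re-point the groups that used the original at the copy."""
    console_by_name = {t.name: t for t in console}
    out: List[ServerType] = []
    renamed: Dict[str, str] = {}
    for t in local:
        if t.name in console_by_name:
            copy_name = f"{t.name} {aps_name}"
            out.append(ServerType(copy_name, dict(t.settings)))
            out.append(ServerType(t.name, dict(console_by_name[t.name].settings)))
            renamed[t.name] = copy_name
        else:
            out.append(t)
    new_groups = [replace(g, server_type=renamed.get(g.server_type, g.server_type))
                  for g in groups]
    return out, new_groups


def merge_list(local: List[ListItem], console: List[ListItem],
               capacity: int) -> List[ListItem]:
    """Merge one APS list into the APS Console list. "Matches" is taken to mean the
    same network (assumption); overlapping but unequal CIDRs never match, so both
    copies survive, as in the 192.168.0.0/16 versus 192.168.1.0/24 example."""
    result = list(console)
    for item in local:
        net = ip_network(item.cidr, strict=False)
        matched = False
        for idx, c in enumerate(result):
            if ip_network(c.cidr, strict=False) != net:
                continue
            matched = True
            if item.scope == "global" and c.scope != "global":
                result[idx] = replace(c, scope="global")   # global APS item wins
            # PG-specific APS item vs global console item: the APS item is deleted.
            # Same scope on both sides: already present, nothing to copy.
        if not matched:
            # Past capacity the item is still added, but disabled (dimmed in the UI).
            result.append(replace(item, enabled=len(result) < capacity))
    return result


def demo() -> Tuple[List[ServerType], List[ProtectionGroup], List[ListItem]]:
    """Constructed sample data; returns (server types, groups, merged blacklist)."""
    local_types = [ServerType("Generic Server", {"http_protections": "on"}),
                   ServerType("Mail Server", {"smtp_limits": "on"})]
    console_types = [ServerType("Generic Server", {"http_protections": "off"})]
    groups = [ProtectionGroup("Web Farm", "Generic Server")]
    types, groups = resolve_server_type_conflicts("aps-dc1", local_types,
                                                  console_types, groups)
    local_bl = [ListItem("192.168.0.0/16"),
                ListItem("10.1.1.5/32", scope="Web Farm"),
                ListItem("203.0.113.9/32"),
                ListItem("198.51.100.0/24", scope="Web Farm")]
    console_bl = [ListItem("192.168.1.0/24"),
                  ListItem("10.1.1.5/32"),
                  ListItem("203.0.113.9/32", scope="Web Farm")]
    merged = merge_list(local_bl, console_bl, capacity=4)
    return types, groups, merged


if __name__ == "__main__":
    types, groups, merged = demo()
    for t in types:
        print("server type:", t.name, t.settings)
    for g in groups:
        print("group:", g.name, "->", g.server_type)
    for i in merged:
        print("blacklist:", i.cidr, i.scope, "enabled" if i.enabled else "DISABLED")
```

With the sample data, the merged list ends up with both 192.168.0.0/16 and 192.168.1.0/24, the PG-specific 203.0.113.9/32 promoted to global, the PG-specific 10.1.1.5/32 dropped in favour of the console’s global entry, and the fifth entry added disabled because the assumed capacity of four was already reached. The “Web Farm” group now points at the renamed copy that kept its local settings.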
Synchronization after APS is disconnected from APS Console

If APS is disconnected from APS Console and then reconnected, the synchronization process depends on the state of the APS when you reconnect it, as follows:

Situation: An APS that contains configuration data is reconnected to the same APS Console. This situation typically occurs when the communication between APS and APS Console is interrupted, either because you disconnect APS or because of some other connection issue.
Synchronization process: The synchronization is the same as those that occur after the initial synchronization. See “Subsequent synchronizations” on the previous page.

Situation: An APS that contains no configuration data is reconnected to the same APS Console. This situation might occur when you return the APS for a repair, during which the configuration data is erased.
Synchronization process: The synchronization is the same as when you connect a new APS. See “Initial synchronization” on page 80.

Situation: An APS with or without configuration data is reconnected to a different APS Console. This situation might occur when you move the APS to a different location in your network or replace the original APS Console.
Synchronization process: The synchronization is the same as when you connect a new APS. Any configurations that APS obtained from the original APS Console are merged with the data from the new APS Console, so expect duplicate server types and protection groups on the new APS Console that you may want to consolidate. See “Initial synchronization” on page 80.

Chapter 5: Getting Started with APS

This section describes how to log in to and navigate the APS web user interface (UI). Use the UI to manage your APS deployment.
In this section
This section contains the following topics:
Logging in to and out of the UI 86
Editing Your User Account 87
Navigating the APS UI 89
Saving and Emailing Pages from the UI 91
Viewing Graphs in the UI 93

Logging in to and out of the UI

Use the UI to manage your APS deployment.

Prerequisites
Before you can log in to and access APS, you must complete the initial installation and configuration procedures. These procedures are described in the APS Quick Start Card. You must also set your browser preferences to allow pop-ups and accept cookies from APS.

Logging in as a new user
If you are a new user, verify that your administrator has created an account for you with a user name and initial password.

Important: For security purposes, change your password after you log in for the first time. See “Editing Your User Account” on the facing page for information about changing your password.

Accepting the certificate
The APS UI uses the HTTPS protocol for secure sessions. The default certificate is issued by Arbor Networks’ Certificate Authority (CA); however, you can use your own certificate. The first time you access APS, you must accept the SSL certificate to complete the secure connection. For more information, see your web browser’s instructions for accepting certificates. Before you accept a certificate that your browser does not trust, verify its fingerprint against the appliance; installing a certificate from a CA that your browsers already trust removes the prompt and the habit of clicking through it.

Logging in to the APS UI

Important: You must use a secure connection to access APS.

To log in to the APS UI:
1. Open your web browser.
2. Type https:// followed by the IP address of your APS appliance.
3. If applicable, select the appropriate option for accepting the site’s certificate, and then click OK.
4. If a pre-login message appears, acknowledge the message to access the login page.
5. In the Welcome window, type your user name and password.
6. Click Login.

Logging out of the APS UI

To log out of the APS UI:
- In the upper-right corner of any page in the UI, click Logout.
Editing Your User Account

You can edit the information in your APS user account. Typically, you edit your account to change your password. If you are not an administrative user, you can view and edit your own account only. An administrative user can edit any account. When you create or edit the accounts of other users, the entry screen is somewhat different. See “Configuring User Accounts” on page 114.

When to change your password
For security purposes, you should change your password in the following situations:
- after you log in to APS for the first time
- at intervals that your system administrator recommends
- whenever you think that someone else might have gained access to your password

Passwords must meet certain criteria. See “About secure and acceptable passwords” on page 113.

Editing your account
To edit your user account:
1. Select Administration > User Accounts.
2. If you are an administrator, click your user name link to display the Edit Account window. If you are a non-administrative user, your own account appears.
3. Edit your account settings. See “User account settings” below.
4. When you finish editing, click Save.

User account settings
The Edit Account page contains the following settings:

Username box: Displays the user name that was originally assigned. You cannot edit the user name.
Real name box: Type the user’s full name.
Group list: Select the user group to assign to this user. The user group determines the user’s level of system access. Non-administrative users cannot change the group to which they are assigned. You also cannot change the group for the default “admin” user. See “About User Groups” on page 482.
Email box: Type the user’s email address in local-part@domain format. For example: user@example.com.
Time zone list: Select the time zone in which this user resides. This setting defaults to the system time zone, which is configured on the Configure General Settings page. Change it only if this user resides in a different time zone. You can select the time zone in any of the following formats:
- TZ database (Olson time zone database). Examples: America/New_York, Asia/Seoul, Europe/Moscow, Japan
- Acronyms. Examples: EST (Eastern Standard Time, America), KST (Korea Standard Time), MSK (Moscow Standard Time)
- UNIX System V-style. Examples: EST5EDT (Eastern Standard Time/Eastern Daylight Time), MST-3MDT (Russia/Moscow)
Password box: Type a password. See “About secure and acceptable passwords” on page 113 for password guidelines. In the Confirm box, retype the password to confirm it. To clear the passwords in both boxes, click the (Remove) icon.

Navigating the APS UI

You can navigate the APS UI menus and pages by using a variety of navigation controls.

About the UI menu bar
The UI menu bar indicates which menu is active and allows you to navigate the UI menus and pages. The menus that are available depend on the user group to which you are assigned. To view the items on a menu, hover your mouse pointer over the menu name. The menu bar is divided into the following menus:

Summary: Displays the current health of APS and provides traffic forensics in real time.
Explore: Allows you to display information about the traffic that APS monitors and mitigates.
Protect: Allows you to view, configure, and manage protection groups.
Administration: Contains options that allow you to configure and maintain APS.
About the Arbor Smart Bar

The Arbor Smart Bar appears in the upper-right corner of each page in the UI. It contains icons that allow you to take certain actions on the current page. For example, you can save the page in several formats and email the page as a PDF file. If the icons are available when a detail window is open, then their actions apply to the contents of the detail window only. For example, if you save as PDF when the Block Hosts Detail window is open, the PDF file contains only the contents of that detail window. See “Saving and Emailing Pages from the UI” on page 91 and “Saving packet information” on page 420.

Using Help

When you click the Help button on any UI page, a window appears that contains information about the page that you are viewing. In the Help window, you can do any of the following tasks:
- Read about the functions that are available on the current APS page.
- View related topics.
- Scroll through the table of contents for the User Guide.
- Search for topics in the User Guide.

Navigating multiple pages

Data is often displayed in tables that continue on multiple pages. On some pages, such as the Inbound Blacklists page, APS displays the current page number in a text box and displays the total number of pages. To navigate to another page, you type the page number in the text box. On other pages, such as the Executive Summary Reports page, APS displays the current page number in a highlighted box. Additional page numbers appear in boxes that are links. To display a different page in the table, you click the page number box. You also can use the following links to navigate among multiple pages:

> (one right-pointing arrow): Displays the next page.
>> (two right-pointing arrows): Displays the last page.
< (one left-pointing arrow): Displays the previous page.
<< (two left-pointing arrows): Displays the first page.

Searching for data

When a page in the UI contains the Search box, you can search for a specific data record or group of data records. Typically, you can search for data in any column on the page except for dates and times.

To search for data:
- In the Search box, type all or part of a search string, and then click (search).

To clear the results of a search:
- Click the X in the Search box.

Saving and Emailing Pages from the UI

The Arbor Smart Bar is located in the upper-right corner of the UI. It contains icons that allow you to save pages as PDF files and to email pages. If the icons are available when a detail window is open, then their actions apply to the contents of the detail window only. For example, if you save as PDF when the Block Hosts Detail window is open, the PDF file contains only the contents of that detail window.

Exporting a page as a CSV file

This option is available for certain pages only, such as the Blocked Hosts Log page. The information in the CSV file is arranged in a tabular format and might differ slightly from the graphical display on the UI page. The tabular format makes it easier for you to manage the information.

To export a UI page as a CSV file:
1. Navigate to the page that you want to export.
2. In the Arbor Smart Bar, click (CSV Export).
3. Open or save the file according to your browser options.

Saving a page as a PDF file

To save a UI page as a PDF file:
1. Navigate to the page that you want to save.
2. In the Arbor Smart Bar, click (Create a PDF).
3. Open or save the file according to your browser options.

Emailing a page as a PDF file

Important: Before you can email pages from APS, you must configure an SMTP server and a default URL hostname. See “Configuring the General Settings” on page 100.
When you send an email message that contains a PDF file of a UI page, the subject line contains “Arbor Networks APS:” followed by the name of the page. The “from” address is root@hostname, where hostname is the Default URL Hostname that you configure on the Configure General Settings page. For example, if the default URL hostname is myserver.com, then the “from” address is root@myserver.com. Because the sender address is fixed in this way, choose a Default URL Hostname whose domain permits your SMTP relay to send mail on its behalf (SPF and DMARC policies), or recipients’ mail systems may reject or quarantine the messages.

Note: The “from” address always starts with “root@”, which you cannot change.

To email a UI page as a PDF file:
1. Navigate to the page that you want to email.
2. In the Arbor Smart Bar, click (Email this page).
3. In the Email Page window, type the following information:
   Email to box: Type one or more email addresses. If you want to send the message to multiple recipients, enter the email addresses as a comma-separated list.
   Comment box: Type a message to include in the body of the email.
4. Click Send Email.

Viewing Graphs in the UI

APS uses graphs to represent your organization’s traffic in real time. By default, the graphs display traffic statistics for each minute of the last hour. This level of visibility allows you to inspect the traffic on a much deeper scale. On some pages, you can change the timeframe and unit of measure in which the graphs are displayed.

About stacked graphs

Stacked graphs allow you to see specific types of graph data more clearly. Each data type in a stacked graph has its own color-coded segment. The height of a stack segment represents that segment’s data as a percentage of the total data. Examples of the pages that contain stacked graphs are the Summary page and the View Protection Group page.

About minigraphs

Minigraphs allow you to see a small representation of graph data.
In some areas, when you hover your mouse pointer over a minigraph, a larger version of the graph appears in a pop-up.

Changing the display timeframe

On certain pages in the UI, you can change the timeframe for which the traffic data is displayed. The timeframe can represent a specific time increment or a time range. Examples of the pages that contain the timeframe display are the View Protection Group page and the Blocked Hosts Log page.

To change the display timeframe to a specific increment:
- In the time selector on the page, click one of the following buttons:
  -5m: the last five minutes
  -1h: the last hour
  -24h: the last day
  -7d: the last week

To change the display timeframe to a time range:
1. In the time selector on the page, click From.
2. In the From box, select the starting date and time from the calendar.
3. In the To box, select the ending date and time from the calendar.
4. Click Update or Search.

Changing the display unit of measure

On certain pages in the UI, you can display the traffic data in terms of bytes or packets.

To change the display unit of measure:
- To the right of the time selector on the page, click Bytes or Packets.

Note: The bits per second (bps) values that APS displays for traffic statistics are based on the layer 3 packet size. They therefore exclude Ethernet framing overhead and are lower than the figures that interface byte counters or the link’s line rate show for the same traffic, most noticeably for floods of small packets.

Chapter 6: Configuring APS

This section describes how to set up the basic components of the APS software.
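The following is an added example, not part of the guide or of any Arbor code, that works out what the layer 3 basis of the bps figures means in practice. It assumes untagged Ethernet II framing with the standard IEEE 802.3 overheads (14-byte header, 4-byte FCS, 46-byte minimum payload, 8-byte preamble and start-frame delimiter, 12-byte inter-frame gap); the packet sizes and link speed used are constructed.

```python
# Ethernet II framing overheads (untagged; IEEE 802.3 figures). Assumed for this example.
ETH_HEADER = 14         # destination MAC, source MAC, EtherType
ETH_FCS = 4             # frame check sequence
ETH_MIN_PAYLOAD = 46    # shorter layer 3 packets are padded up to this size
PREAMBLE_SFD = 8        # preamble plus start-frame delimiter
IFG = 12                # minimum inter-frame gap


def frame_bytes(l3_bytes):
    """Layer 2 frame size (header through FCS) that carries a layer 3 packet of l3_bytes."""
    return max(l3_bytes, ETH_MIN_PAYLOAD) + ETH_HEADER + ETH_FCS


def wire_bytes(l3_bytes):
    """Link time each packet consumes, expressed in bytes: the frame plus preamble and gap."""
    return frame_bytes(l3_bytes) + PREAMBLE_SFD + IFG


def rates(l3_bytes, pps):
    """bps that one packet stream shows at three different measurement points."""
    return {
        "l3_bps": l3_bytes * 8 * pps,                # what APS reports (layer 3 size)
        "l2_bps": frame_bytes(l3_bytes) * 8 * pps,   # typical interface byte counters
        "wire_bps": wire_bytes(l3_bytes) * 8 * pps,  # physical link occupancy
    }


def max_pps(link_bps, l3_bytes):
    """Packets per second that saturate a link when every packet has this layer 3 size."""
    return link_bps / (wire_bytes(l3_bytes) * 8)


def l3_share_of_link(l3_bytes):
    """Fraction of line rate that the APS figure can reach for packets of this size."""
    return l3_bytes / wire_bytes(l3_bytes)


if __name__ == "__main__":
    link = 1_000_000_000   # constructed: a 1 Gbps link
    for l3 in (40, 1500):  # 40: bare IPv4+TCP headers (a SYN flood); 1500: full-size packet
        pps = int(max_pps(link, l3))
        r = rates(l3, pps)
        print(f"{l3:>5} B L3 packets at {pps:,} pps: APS shows "
              f"{r['l3_bps'] / 1e6:,.0f} Mbps, wire {r['wire_bps'] / 1e6:,.0f} Mbps")
```

The point to take from it: a SYN flood that fully occupies a 1 Gbps link appears in APS as roughly 476 Mbps, so compare APS figures with router counters or link capacity only after accounting for packet size, or size thresholds in packets per second for small-packet attacks.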
In this section

This section contains the following topics:
- About the APS Configuration, page 96
- Configuring the General Settings, page 100
- Configuring a Pre-Login Banner, page 106
- Configuring the Idle Timeout for UI Sessions, page 107
- About SNMP Polling, page 108
- Changing the Language of the APS User Interface, page 110
- Configuring APS for APS Console Management, page 111
- About User Accounts, page 113
- Configuring User Accounts, page 114
- Locking and Unlocking a User Account, page 117
- Configuring the ATLAS Intelligence Feed, page 119
- About Bandwidth Alerts, page 123
- Configuring Global Thresholds for Bandwidth Alerts, page 126
- About Notifications, page 128
- Configuring Notifications, page 131
- Configuring Backup Settings, page 135
- Using a Custom SSL Certificate for User Authentication, page 138
- Connecting to a Remote Syslog Server, page 140
- Configuring Interfaces and GRE Tunneling, page 141
- Configuring Routes, page 145
- Adding a Custom Logo to the UI, page 146

About the APS Configuration

APS requires little initial configuration before you can use it to monitor and mitigate your network traffic. This topic describes the APS settings and when you need to configure them.

Before you begin

Before you complete these tasks, verify that you have completed all of the installation procedures that are listed in the APS Quick Start Card.

Minimum required settings

When you first install APS, you must configure a minimum number of settings. Although APS can protect your network immediately after you configure these settings, most organizations choose to run APS in a trial or monitor-only implementation first. Before you use APS, configure the following minimum settings:

General settings: The general settings define the servers that APS interacts with as well as other system preferences, such as the display language for the UI. See “Configuring the General Settings” on page 100.

User accounts: All users must have a user account to access APS.
In a trial implementation, Arbor recommends that you create at least one user account in addition to the administrator account. See “Configuring User Accounts” on page 114.

Settings for maximizing automatic protection (Recommended)

You can use the full protection capabilities of APS by configuring the following settings:

ATLAS Intelligence Feed settings (Recommended): The ATLAS Intelligence Feed (AIF) updates APS with information about new and emerging threats. Although you can request the AIF updates as needed, the best practice is to configure them to occur automatically. AIF also downloads a list of search engine web crawlers. You can select the search engines that can crawl your web site more freely. See “Configuring the ATLAS Intelligence Feed” on page 119.

Cloud Signaling settings: Cloud Signaling is the process of requesting and receiving cloud-based mitigation of volumetric attacks in real time from an upstream service provider. These settings allow you to enable Cloud Signaling, configure the settings for connecting to the cloud server, and configure the thresholds for rate-based Cloud Signaling. See “Configuring and Enabling Cloud Signaling” on page 378. If your cloud service provider uses GRE tunneling to route the cleaned traffic back to your network, you must configure APS to serve as the GRE destination. See “About GRE Tunneling and Cloud Signaling” on page 372 and “Configuring Interfaces and GRE Tunneling” on page 141.

Bandwidth alert thresholds: APS can proactively inform you of attacks and other traffic anomalies that require your attention. To implement this feature, you define traffic thresholds based on either network baselines or specific traffic rate limits. When the traffic for a protection group exceeds a threshold, APS creates a bandwidth alert. See “About Bandwidth Alerts” on page 123.
You can configure the bandwidth alert thresholds globally or for individual protection groups. See “Configuring Global Thresholds for Bandwidth Alerts” on page 126 and “Editing and Deleting Protection Groups” on page 194.

Notifications: When APS detects events, conditions, or errors in the system, it creates alerts to inform the user. You can configure APS to send notification messages to specified destinations to communicate certain alerts. See “About Notifications” on page 128.

User and authentication settings

Depending on how you authenticate users, you might need to configure additional settings. You can also create custom user groups. You can authenticate and organize the APS users by configuring the following settings:

Authentication method: If you authenticate your users by using RADIUS or TACACS+, you must specify which authentication method you use. You set the authentication method in the command line interface (CLI). See “Setting the Authentication Method for RADIUS and TACACS+” on page 490.

Custom SSL certificate: APS is configured to use a default SSL certificate when users log in to the UI. You can upload a custom certificate, which can prevent browser error messages and help you comply with your organization’s security policies. Browsers that warn about the default certificate also train users to click through warnings, so a certificate issued by a CA that your browsers trust is worth installing before users start logging in routinely. See “Using a Custom SSL Certificate for User Authentication” on page 138.

Custom user groups: You can create custom user groups to organize users by the levels of system access that they are allowed. You define user groups in the command line interface (CLI). See “Adding and Deleting User Groups” on page 483.

Advanced protection settings

You can refine the protection settings to help increase the range of attacks that APS can detect and mitigate automatically.
If you have historical traffic information and statistics from a trial or monitor-only implementation, use that information as a guide for refining the protection settings. By working proactively, you can reduce the need to change the settings on a trial-and-error basis during an attack. If you are not sure which settings to configure, continue to test APS in monitor mode until you are familiar with how it affects your network’s traffic. The knowledge that you gain from observing traffic and mitigating attacks can help you decide what changes to make. As you continue to refine the protection settings, you allow APS to detect and mitigate traffic more effectively.

You can configure any of the following settings:

Custom protection groups and custom server types: Create custom protection groups and custom server types to protect a specific host or group of hosts with the most appropriate protection settings for those hosts. Arbor recommends that you create a protection group for each of the services that you want to protect. See “Adding Protection Groups” on page 188 and “Adding and Deleting Custom Server Types” on page 167.

Protection settings: You can edit the protection settings to refine the detection and blocking of attack traffic. See “Changing the Protection Settings for Server Types” on page 169.

Blacklists and whitelists: You can edit the blacklists and whitelists so that specific traffic is always blocked or always passed. You can blacklist and whitelist inbound traffic from IPv4 addresses and IPv6 addresses. You can blacklist and whitelist outbound traffic from IPv4 addresses only.
See the following topics:
- “Creating and Editing the Inbound Blacklist” on page 267
- “Creating and Editing the Outbound Blacklist” on page 274
- “Creating and Editing the Inbound Whitelist” on page 272
- “Creating and Editing the Outbound Whitelist” on page 276

Configuring the General Settings

The general settings define the servers that APS interacts with as well as other system preferences, such as the display language for the UI. You configure the general settings on the Configure General Settings page. You also use the Configure General Settings page to configure APS for management by APS Console. See “About Managing APS Devices from APS Console” on page 78.

Advantage of using a hostname for an NTP server

NTP servers synchronize the time across networks. You can specify an NTP server by its IP address or its hostname. When you use a hostname for the NTP server, the DNS resolution from hostname to IP address can return multiple addresses. If an address fails, the NTP service uses the next address in the list. This configuration helps keep the system clock within APS synchronized when an NTP server is offline for maintenance or when a failure occurs. This failover depends on DNS: if the DNS servers that you configure become unreachable, the hostname cannot be resolved at all, so combine a hostname with a second NTP server specified by IP address where you can.

About the Connection Status box

If the settings for managing APS through APS Console are configured, and a connection error occurs, the connection status box appears. The connection status box provides information about the connection error and contains a Test Connection button. After you edit the connection settings or take other steps to fix the error, you can use the Test Connection button to verify the connection.

Configuring general settings

To configure general settings:
1. Select Administration > General.
2. On the Configure General Settings page, configure the settings. See “General settings” on the facing page.
3. Click Save.
General settings

The general settings are as follows:

Language list: Select the language in which to display the APS UI.

System Time Zone list: Select the system-wide time zone for APS, in any of the following formats:
- TZ database (Olson time zone database). Examples: America/New_York, Asia/Seoul, Europe/Moscow, Japan
- Acronyms. Examples: EST (Eastern Standard Time, America), KST (Korea Standard Time), MSK (Moscow Standard Time)
- UNIX System V-style. Examples: EST5EDT (Eastern Standard Time/Eastern Daylight Time), MST-3MDT (Russia/Moscow)
You can set a different time zone for specific users when necessary. See “Configuring User Accounts” on page 114.

Date Format list: Select the format in which to display dates throughout the system. The options are as follows:
- Language default: The system defaults to the date format that is associated with the current display language.
- mm/dd/yy
- dd/mm/yy
- yy/mm/dd
In these options, mm represents the month, dd represents the day of the month, and yy represents the year.

Hour Format options: Select the format in which to display time throughout the system. The options are as follows:
- Language default: The system defaults to the time format that is associated with the current display language.
- 12 hour
- 24 hour

NTP Servers box: Type an IP address or hostname for an NTP server. You can specify up to two NTP servers, separated by commas. See “Advantage of using a hostname for an NTP server” on page 100. APS uses time source quality to determine which NTP server to use. The accuracy of an NTP time source is based on its stratum level. Stratum level 1 NTP time sources are the most accurate devices.

Note: If you are using vAPS, then you configure the NTP server on the host machine on which the vAPS resides.
Important: If you enable Cloud Signaling, then you should configure an NTP server to avoid clock-related problems that might interfere with communications to the Cloud Signaling Server.

SMTP Server box: Type the IP address or hostname for the SMTP relay that APS should use to send email notifications.

Username box: If necessary, type the user name that is required to access the SMTP server.

Password box: If necessary, type the password that is required to access the SMTP server, and then re-type it to confirm it. To delete an existing password and leave the password empty, click (Clear Password).

Enable Restrictive Data Retention check box: Select this check box to delete data that contains IP addresses after a specified number of days. Typically, APS stores data for up to one year or until your system approaches its capacity. When one of those limits is reached, the oldest data is deleted. However, you can delete data that contains IP addresses more frequently if you are required to do so.

Delete data older than box: If you select the Enable Restrictive Data Retention check box, then type the number of days to keep the data before it is deleted. The minimum number of days that you can enter is 7.

Pre-Login Banner box: Type a message that users must acknowledge before they can log into APS through the UI. This message may contain up to 1300 characters. When you configure a pre-login message, the message appears when users start the login process in the CLI. However, the users do not have to acknowledge the message before they can finish logging in through the CLI.

Note: To allow users to log into the APS UI without acknowledging a message, leave this box empty.

APS Console box: To manage APS with APS Console, type the IP address or hostname for the APS Console.
Shared Secret box: To manage APS with APS Console, type the shared secret to use for authenticating communication with APS Console. APS Console uses the shared secret to authenticate internal communication. This secret must be the same as APS Console’s shared secret. You also must configure the same secret on all of the APS devices that APS Console manages. Because this one value authenticates the management channel on every managed device, treat it as a credential: use a long random value and change it on all devices together. To delete an existing shared secret, click (Clear Password).

Version buttons: Select the SNMP version that APS supports for SNMP polling. To allow SNMP access to APS, you must create an IP access rule in the CLI. See “About SNMP Polling” on page 108.

Note: The SNMP settings on this page do not affect the SNMP settings on the Configure Notifications page.

Community box (Version 2 only): Type the community string (password) that APS uses to authenticate SNMP polling requests. SNMPv2c sends the community string in clear text, so restrict which hosts can poll APS with the IP access rule rather than relying on the community string alone.

Security Level list (Version 3 only): Select one of the following SNMP security options:
- None: Password authentication is not performed.
- Auth: Password authentication is performed, but the data in SNMP requests and responses is not encrypted.
- Auth+Priv: Password authentication is performed and the data in SNMP requests and responses is encrypted.

Auth Protocol buttons (Version 3 only): Select an authentication protocol (MD5 or SHA). If you select Auth or Auth+Priv above, then the SNMP requests that APS receives are required to match the selected protocol. Prefer SHA where your monitoring system supports it; MD5 is the weaker of the two.

Username box (Version 3 only): Type an SNMP user name that is required for SNMP access to APS. This setting is required.

Password box (Version 3 only): If you select Auth or Auth+Priv as the Security Level setting, then type the password associated with the user name.

Privacy Protocol buttons (Version 3 only): If you select Auth+Priv for the Security Level setting, then select the appropriate privacy protocol (DES or AES). Prefer AES; DES is the weaker of the two.
Privacy Password box (Version 3 only): If you select Auth+Priv for the Security Level setting, then type a privacy password.

DNS Servers box: Type the IP addresses of your DNS servers. DNS servers provide domain name service mappings between IP addresses and hostnames in APS. Type multiple servers as a comma-separated list of IP addresses. APS tries to connect to the first IP address in the list as the primary name server. If that address fails, then APS tries the subsequent addresses in the list as backup name servers.

Important: If the VPC uses DHCP options to configure a DNS server for vAPS on Amazon Web Services (AWS), the VPC automatically populates this setting. Although you can change this setting manually, the VPC DHCP options will overwrite the setting any time the lease is renewed. For more information, see “Installing vAPS on AWS” in the Arbor Networks® Virtual APS Installation Guide.

Default URL Hostname box: Type a hostname or a fully qualified domain name that will appear as a link in the notification and report emails that originate from APS. For example, aps.example.com. APS also uses the specified name as the “from” address when you send an email message that contains a PDF of a UI page.

Top Sources and Destinations buttons: Click one of these buttons to enable or disable the tracking of the top sources and top destinations for inbound traffic. If you enable tracking, the Top Inbound Sources section and Top Inbound Destinations section appear on the Summary page. The top sources and top destinations tracking is enabled by default. To improve the performance of APS, disable this tracking. If Enable Targeted Cloud Signaling is selected on the Configure Cloud Signaling page (Administration > Cloud Signaling), you cannot disable this setting. You must deselect Enable Targeted Cloud Signaling first.

UI Idle Timeout box: Type the amount of time, in minutes, that must elapse before APS logs out a user due to inactivity.
The default idle timeout is 120 minutes. If you do not want to use an idle timeout, enter 0. A value of 0 leaves unattended UI sessions logged in indefinitely.

Enable SSL Inspection check box: Select this check box to enable the decryption of SSL-secured traffic so that APS can inspect it. This check box is available only if the Hardware Security Module (HSM) is installed. Before you enable SSL inspection, verify that you have initialized the HSM and imported at least one PEM file. See “Initializing the HSM” on page 152.

Include Decrypted URLs in HTTP Reporting check box: Select this check box to allow APS to include the URLs and domains from the decrypted traffic in its reporting of traffic levels throughout the UI. To limit the exposure of decrypted data, the data collection and reporting include no decrypted data other than the URLs and domains in the HTTP header. Keep in mind that URLs themselves can carry sensitive values, such as session tokens in query strings, so reports and exported pages that include decrypted URLs should be handled accordingly. This check box is available only if the Hardware Security Module (HSM) is installed and the Enable SSL Inspection check box is selected.

Configuring a Pre-Login Banner

You can create a message banner that users must acknowledge before they can log into APS through the UI. In the UI, the message appears on a separate page (the guide shows an example of that page at this point).

Note: When you configure a pre-login message, the message appears when users start the login process in the CLI. However, the users do not have to acknowledge the message before they can finish logging in through the CLI.

Creating a pre-login banner

To create the banner:
1. Select Administration > General.
2. On the Configure General Settings page, in the Pre-Login Banner box, enter a message. This message may contain up to 1300 characters.
   Note: To allow users to log into the APS UI without acknowledging a message, leave this box empty.
3. Click Save.
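The SNMP polling settings in the general settings table above (Version, Community, Security Level, Auth Protocol, Privacy Protocol) only take effect for pollers that an IP access rule admits, and the combination you choose decides what an attacker on the management network can see. The following is an added example, not code from the guide or from Arbor: it models the access rule check the CLI rule `ip access add snmp {mgt0 | mgt1 | all} CIDR` expresses, builds the net-snmp `snmpwalk` command a monitoring host would run against the configured settings, and flags the weak choices beside a hardened configuration. The interface names come from the guide; the addresses, user name and passphrases are constructed, and the dictionary keys mirroring the UI fields are this example’s own naming.

```python
import ipaddress
import shlex

# Constructed sample access rules, as created in the CLI with
#   / ip access add snmp {mgt0 | mgt1 | all} CIDR
# (hypothetical addresses, not from the guide)
SAMPLE_RULES = [
    ("mgt0", "10.20.30.0/24"),     # NMS subnet, admitted on mgt0 only
    ("all", "2001:db8:4::/64"),    # IPv6 NMS subnet, admitted on any management interface
]


def snmp_poll_allowed(rules, interface, source_ip):
    """True if a request arriving on `interface` from `source_ip` matches an access rule."""
    src = ipaddress.ip_address(source_ip)
    for rule_iface, cidr in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if rule_iface in ("all", interface) and src.version == net.version and src in net:
            return True
    return False


# UI Security Level value -> net-snmp security level name
SECURITY_LEVELS = {"None": "noAuthNoPriv", "Auth": "authNoPriv", "Auth+Priv": "authPriv"}


def snmpwalk_argv(host, s):
    """Build the net-snmp snmpwalk command that matches the Configure General Settings values in `s`."""
    if s["version"] == "2":
        if not s.get("community"):
            raise ValueError("SNMPv2c polling needs a community string")
        return ["snmpwalk", "-v2c", "-c", s["community"], host, "system"]
    if s["version"] != "3":
        raise ValueError("version must be '2' or '3'")
    if not s.get("username"):
        raise ValueError("SNMPv3 user name is required")
    level = SECURITY_LEVELS[s["security_level"]]
    argv = ["snmpwalk", "-v3", "-l", level, "-u", s["username"]]
    if level in ("authNoPriv", "authPriv"):
        argv += ["-a", s["auth_protocol"], "-A", s["password"]]
    if level == "authPriv":
        argv += ["-x", s["privacy_protocol"], "-X", s["privacy_password"]]
    return argv + [host, "system"]


def snmpwalk_command(host, s):
    """The same command as one shell-quoted string, ready to paste on the monitoring host."""
    return shlex.join(snmpwalk_argv(host, s))


def weak_settings(s):
    """Settings a reviewer would flag before signing off on the configuration."""
    findings = []
    if s["version"] == "2":
        findings.append("SNMPv2c: community string crosses the network in clear text")
        return findings
    if s["security_level"] == "None":
        findings.append("SNMPv3 noAuthNoPriv: requests are not authenticated")
    elif s["security_level"] == "Auth":
        findings.append("SNMPv3 authNoPriv: requests and responses are not encrypted")
    if s["security_level"] != "None" and s.get("auth_protocol") == "MD5":
        findings.append("MD5 authentication: prefer SHA")
    if s["security_level"] == "Auth+Priv" and s.get("privacy_protocol") == "DES":
        findings.append("DES privacy: prefer AES")
    return findings


# Constructed configurations: the weak one beside the hardened one.
WEAK = {"version": "2", "community": "public"}
HARDENED = {
    "version": "3", "security_level": "Auth+Priv", "username": "apsmon",
    "auth_protocol": "SHA", "password": "correct horse battery staple",
    "privacy_protocol": "AES", "privacy_password": "another long unrelated phrase",
}

if __name__ == "__main__":
    print(snmpwalk_command("aps-mgt0.example.com", HARDENED))
    print(weak_settings(WEAK), weak_settings(HARDENED))
```

Run the generated command from a host inside the allowed CIDR and again from one outside it: the first should return the system group, the second should time out, which confirms both the access rule and the SNMP settings at once.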
Configuring the Idle Timeout for UI Sessions

To provide more security for APS UI sessions, you can specify an idle timeout. If there is no activity in a UI session during the idle timeout period, APS logs the user out of the UI session automatically. The default timeout is 120 minutes. You configure the idle timeout in the APS UI or in the command line interface (CLI). However, the timeout applies only to UI sessions. See “About the Command Line Interface (CLI)” on page 468.

Configuring the idle timeout in the UI

To configure the idle timeout in the UI:
1. Select Administration > General.
2. On the Configure General Settings page, in the UI Idle Timeout box, enter an amount of time in minutes. This is the amount of time that must elapse before users are logged out of the UI due to inactivity. If you do not want to use an idle timeout, enter 0.
3. Click Save.

About SNMP Polling

APS supports polling by third-party SNMP monitoring systems, which allows you to fit your APS workflow into existing network monitoring tools. These monitoring tools can poll APS for management information such as the system status and configurations or interface statistics. The SNMP agent runs only when the APS services run. When you stop the services, SNMP is not available.

Configuring APS for SNMP polling

APS supports SNMPv2c and SNMPv3 for remote SNMP polling. To enable SNMP polling, configure the following settings:

Step 1: Create an IP access rule to allow SNMP access to APS. To create an IP access rule:
1. Log in to the CLI with your administrator user name and password.
2.
To create an IP access rule to allow SNMP access, enter:
   / ip access add snmp {mgt0 | mgt1 | all} CIDR
   where {mgt0 | mgt1 | all} is the name of the management interface on which to apply the rule exclusively, or all to apply the rule to all of the management interfaces, and CIDR is the address range from which you want to allow communications to the service. Keep the CIDR as narrow as your monitoring systems allow.
3. Enter ip access commit
4. To save the configuration, enter / config write

Step 2: Configure the SNMP settings to authenticate the external sources that poll APS. In the UI, on the Configure General Settings page, specify the appropriate SNMP settings. See “Configuring the General Settings” on page 100.

About the SNMP traps that APS sends

APS can send notifications to a network management system as SNMP traps. See “About Notifications” on page 128. The Manage Files page allows you to download the MIB files that can help you decode the SNMP traps that APS sends for notifications. The MIB files also can help you understand the OIDs (object identifiers) that you can query for on the APS system. See “Downloading files from APS” on page 452.

Important: The source IP address for SNMP traps that APS sends is the IP address of the mgt0 interface. The IP address of the mgt1 interface cannot be used as the source IP address for SNMP traps. Your network management system must therefore accept traps from the mgt0 address even if it polls APS through mgt1.

Changing the Language of the APS User Interface

By default, the APS user interface (UI) is displayed in English. You can set APS to appear in any of the languages that are available. Typically, you perform this task during the APS installation. However, you can change the language at any time on the Configure General Settings page. The installation instructions are in the APS Quick Start Card.

Changing the language

To change the language of the APS user interface:
1. Select Administration > General.
2.
On the Configure General Settings page, select a language from the Language list.
3. Click Save.

Configuring APS for APS Console Management

You can manage multiple APS devices from APS Console. To do so, you connect each APS to APS Console to allow the systems to communicate. See “About Managing APS Devices from APS Console” on page 78.

Before you begin

Before you connect APS to APS Console, verify that the following requirements are met:
- APS is installed and configured as described in the APS Quick Start Card and in this guide.
- Both APS Console and APS are running version 5.11 or later.

Note: APS Console can support multiple versions of APS software simultaneously. For more information about multi-version support, see the Arbor Networks® APS and APS Console Compatibility Guide.

Connecting APS to APS Console

You configure the settings to manage APS through APS Console in APS.

To connect APS to APS Console:
1. Log in to the UI of the APS that you want to manage.
2. Select Administration > General.
3. On the Configure General Settings page, configure the following settings:
   APS Console box: Type the IP address or hostname for APS Console.
   Shared Secret box: Type the shared secret to use to authenticate communication with APS Console. APS Console uses the shared secret to authenticate internal communication. You must configure the same secret on all of the APS devices that APS Console manages. To delete an existing shared secret, click (Clear Password).
4. Click Save.

About the Connection Status box

If the settings for managing APS through APS Console are configured, and a connection error occurs, the connection status box appears. The connection status box provides information about the connection error and contains a Test Connection button.
After you edit the connection settings or take other steps to fix the error, you can use the Test Connection button to verify the connection.

Disconnecting APS from APS Console

In certain situations, you might need to disconnect an APS device from APS Console. For example, you might need to move the device or return it for repair. Also, certain backup and restore procedures require that you disconnect APS.

To disconnect APS from APS Console:
1. Log in to the UI of the APS.
2. Select Administration > General.
3. On the Configure General Settings page, delete the text in the APS Console box and the Shared Secret box.
4. Click Save.

About User Accounts

Each person who uses APS requires a unique user account that contains their login information and determines the level of system access that they are allowed. Do not share accounts between people; the change log and account lockout are tracked per user.

About configuring user accounts

You configure user account settings on the Configure User Accounts page. See "Configuring User Accounts" on the next page. For information about editing your own user account, see "Editing Your User Account" on page 87.

About access to user accounts

Administrators can view all user accounts, edit and delete accounts, and create new accounts. Non-administrative users can view and edit their own user accounts only. For example, they can reset their passwords or update their email addresses. See "About User Groups" on page 482 for more information about the different levels of system access.
About secure and acceptable passwords

To be accepted by APS, a password must meet the following criteria:
- contains from 10 to 72 characters, which can include special characters, spaces, and quotation marks
- cannot consist of all digits
- cannot consist of all lowercase letters or all uppercase letters
- cannot consist of only letters followed by only digits (for example, abcd123)
- cannot consist of only digits followed by only letters (for example, 123abcd)

These rules reject only the most obvious patterns; a password that passes them is not necessarily strong. Prefer long passphrases.

Configuring User Accounts

The user account settings identify the people who use APS. These settings define the users' login information and determine the levels of system access that the users are allowed. You add, edit, and delete the user accounts on the Configure User Accounts page.

In a trial implementation, Arbor recommends that you create at least one user account in addition to the administrator account.

Adding and editing user accounts

Any users who use APS Console to manage APS devices should have the same username in both products. A common username is not required, but it allows users to open a managed APS from APS Console without having to log in to APS.

APS and APS Console have different sets of permissions and groups. When a user accesses APS through an APS Console login, the user's access is governed by the group and permissions that are configured in that APS.

To add or edit user accounts:
1. Select Administration > User Accounts.
2. On the Configure User Accounts page, complete one of the following steps:
   - To add a new user, click Add Account.
   - To edit an existing user account, click the user's name link. If you are a non-administrative user, your own account page appears by default.
3. In the Add New Account window or Edit Account window, configure the settings. See "User account settings" on the facing page.
4. Click either Create Account or Save.
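The following is an added example, not Arbor code or an APS API: it encodes the password criteria listed above and the username criteria from the "User account settings" table as a pre-check that a provisioning script can run before submitting values the UI would reject. The function names and the sample values are assumptions for the example.

```python
"""Pre-check APS usernames and passwords against the rules in this section.

Added illustration, not Arbor code or an APS API. It encodes the criteria from
"About secure and acceptable passwords" and the Username row of the user
account settings table. Function names and sample values are assumptions.
"""
import re

USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_-]+")


def username_problems(name: str) -> list:
    """Return the username rules that `name` violates (empty list = acceptable)."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("must contain 1 to 31 characters")
    if "." in name:
        problems.append("cannot include a period")
    if name[:1] in ("-", "_"):
        problems.append("cannot begin with a hyphen or underscore")
    # letters, numbers, hyphens and underscores only (leading -/_ checked above)
    if name and not USERNAME_ALLOWED.fullmatch(name):
        problems.append("contains characters other than letters, numbers, hyphens and underscores")
    return problems


def password_problems(pw: str) -> list:
    """Return the password rules that `pw` violates (empty list = acceptable)."""
    problems = []
    if not 10 <= len(pw) <= 72:
        problems.append("must contain 10 to 72 characters")
    if pw.isdigit():
        problems.append("cannot consist of all digits")
    # isalpha() restricts this test to letter-only passwords; islower()/isupper()
    # alone would also flag passwords that merely contain no uppercase letters.
    if pw.isalpha() and (pw.islower() or pw.isupper()):
        problems.append("cannot consist of all lowercase or all uppercase letters")
    if re.fullmatch(r"[A-Za-z]+[0-9]+", pw):
        problems.append("cannot be only letters followed by only digits")
    if re.fullmatch(r"[0-9]+[A-Za-z]+", pw):
        problems.append("cannot be only digits followed by only letters")
    return problems


def check_account(name: str, pw: str) -> dict:
    """Summarise both checks for one proposed account."""
    return {"username": username_problems(name), "password": password_problems(pw)}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for user, secret in [("ops-admin_2", "Correct Horse 9!"),
                         ("_svc", "abcdefgh123"),
                         ("j.doe", "1234567890")]:
        print(user, check_account(user, secret))
```

An empty list from either function means the value satisfies the documented rules; anything else names the rule that was broken, which is more useful in a provisioning log than a bare rejection from the UI.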
Important: After you add new users, advise them to change their passwords to maintain security. See "About secure and acceptable passwords" on the previous page.

User account settings

The user account settings are as follows:

Username box
    Type a unique name for this user. The user name must meet the following criteria:
    - must contain 1 to 31 characters
    - can contain letters (A-Z, a-z), numbers, or both
    - cannot begin with a hyphen or underscore, but can include them
    - cannot include a period (.)
    You cannot edit the user name after the user account is created. If you make a mistake in the user name, delete the account and re-create it.
Real name box
    Type the user's full name.
Group list
    Select the user group to assign to this user. The user group determines the user's level of system access. This list does not appear for non-administrative users. You cannot change the group for the default "admin" user. See "About User Groups" on page 482.
Email box
    Type the user's email address in local-part@domain format. For example, user@example.com.
Time zone list
    Select the time zone in which this user resides. This setting defaults to the system time zone, which you configure on the Configure General Settings page. Change the time zone only if this user resides in a different time zone. You can select the time zone in any of the following formats:
    - TZ database (Olson time zone database). Examples: America/New_York, Asia/Seoul, Europe/Moscow, Japan
    - Acronyms. Examples: EST (Eastern Standard Time, America), KST (Korea Standard Time), MSK (Moscow Standard Time)
    - UNIX System V-style. Examples: EST5EDT (Eastern Standard Time/Eastern Daylight Time), MST-3MDT (Russia/Moscow)
Password box
    Type a password. See "About secure and acceptable passwords" on page 113 for password guidelines. In the Verify box, retype the password to confirm it. To clear the passwords in both boxes, click the Remove icon.

Deleting user accounts

You cannot delete your own user account. Your security level determines whether you can delete the accounts of other users.

To delete a user account:
1. Select Administration > User Accounts.
2. On the Configure User Accounts page, complete one of the following steps:
   - To delete individual user accounts, select the check boxes that correspond to the user accounts that you want to delete.
   - To delete all of the user accounts, select the check box in the table heading row.
3. Click Delete.
4. In the confirmation message that appears, click OK.

Locking and Unlocking a User Account

Administrators in the system_admin group can lock a user account manually. System administrators also can specify the number of login attempts that a user can make before the account is locked automatically. System administrators can unlock accounts that were locked manually or automatically.

Note: The administrator account cannot be disabled manually.

If an account is locked manually, the user cannot log in to APS until a system administrator unlocks the account. If an account is locked automatically, the user cannot log in with a password. However, if SSH key authentication was enabled previously on the APS, the user can still log in with an SSH key. An automatic lockout therefore limits password guessing but does not block a user whose key is still authorized; to stop all access for an account, lock it manually.

You lock and unlock user accounts from the command line interface (CLI). See "About the Command Line Interface (CLI)" on page 468.

Determining the status of a user account

You can review the status of a user account from the CLI.

To determine the status of a user account:
1. Log in to the CLI with your administrator user name and password.
2. Enter

    / services aaa user_hist

If disabled appears in the history for an account, the account is locked. If ok appears in the history, the account is unlocked.

Changing the number of login attempts before APS locks a user account

You can change the number of times that users can attempt to log in before they are locked out of their APS account. The default value is 5.

To change the number of login attempts that are allowed:
1. Log in to the CLI with your administrator user name and password.
2. Enter

    / services aaa max_login_failures number

number = the number of failed login attempts a user can make before APS locks the account

Manually locking a user account

In addition to configuring APS to lock a user account automatically after a specified number of login attempts, an administrator can lock a user account manually. If you manually disable a user account, the user cannot log in with SSH key authentication or password authentication until you re-enable the account.

To lock a user account manually:
1. Log in to the CLI with your administrator user name and password.
2. Enter

    / services aaa disable_account userName

userName = the name of the user whose account you want to lock

Unlocking a user account

After a user is locked out of APS, an administrator must unlock the user account manually in the CLI.

To unlock a user account:
1. Log in to the CLI with your administrator user name and password.
2. Enter

    / services aaa enable_account userName

userName = the name of the user whose account you want to unlock

Configuring the ATLAS Intelligence Feed

The ATLAS Intelligence Feed (AIF) settings determine how and when APS receives the AIF. The AIF settings also control additional AIF-related features.
You configure the AIF settings in the following sections of the Configure AIF Settings page:
- ATLAS Intelligence Feed section: allows you to enable or disable the automatic AIF updates, request updates, and opt in to Arbor's Data-Sharing Program. If necessary, you also can configure the settings for connecting to the AIF server through a proxy server. See "Configuring AIF updates" on the next page.
- Manual Import section: allows you to update the AIF content without using the automatic connection. For example, you might want to update the AIF content outside of the update schedule, or APS might not have internet access to obtain the AIF automatically. See "Obtaining the AIF update files" on page 289.
- Web Crawlers section: allows you to select the web crawlers that can crawl your web site more freely. See "Configuring web crawler support" on page 121.

For general information about AIF, see "About the ATLAS Intelligence Feed" on page 280.

Requirement

The AIF is available by subscription. When you subscribe to the AIF, you receive a license key, which you must install before APS can receive the AIF. See "About the ATLAS Intelligence Feed Licensing" on page 31 and "Installing the License Keys for APS and AIF" on page 522.

Note: If you are using vAPS, you must borrow your AIF license from a cloud-based licensing server. See "Configuring Cloud-Based Licenses for vAPS" on page 42.

Accessing the AIF server

When APS downloads AIF updates, it needs access to a pool of servers from which the feed content is pulled. To ensure a successful download of AIF updates, configure APS in one of the following ways:
- Configure APS to allow unrestricted outbound internet access on port 443
- Configure APS with a proxy server that has unrestricted outbound access on port 443

If you have security constraints that limit your ability to connect to the internet without a firewall, you can obtain the latest AIF files from Arbor or your reseller, and then import the files to APS.
See "Obtaining the AIF update files" on page 289.

If you have security constraints but do not want to perform manual updates, you can open a case with the Arbor Technical Assistance Center (ATAC) for further review:
- Web: https://support.arbornetworks.com/ on the ATAC Customer Support Portal
- Telephone: +1.877.272.6721 toll free USA or +1.781.362.4301

Configuring AIF updates

To configure AIF updates:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, in the ATLAS Intelligence Feed section, enable or disable the automated connection to the AIF as needed. To do so, select or clear the Enable Automated Connection to AIF check box. If you enable the connection, type the update interval in the AIF Update Interval box.
3. (Optional) To use a proxy server to connect to the AIF server, configure the proxy server settings. See "AIF settings" below.
4. Click Save.

AIF settings

The ATLAS Intelligence Feed section on the Configure AIF Settings page contains the following settings:

Update AIF Now button
    Click this button to force APS to check the AIF server for threat feed updates. See "Requesting AIF Updates and Updating the AIF Manually" on page 289.
Enable Automated Connection to AIF check box
    Select this check box to download the AIF updates automatically, or clear it to disable the automatic updates. The automatic updates are enabled by default.
AIF Update Interval box
    Type the interval at which APS should check the AIF server for updates to the feed data. The default interval is 24 hours.
Use Proxy Server check box
    Select this check box to allow APS to connect to the AIF server through a proxy server.
Proxy Server box
    Type the IP address or the hostname of the proxy server. Type the port number in the box to the right of the Proxy Server box.
Proxy Username box
    If necessary, type the user name that is required to access the proxy server.
Proxy Password box
    If necessary, type the password that is required to access the proxy server, and then re-type it to confirm it. To delete an existing password and leave the password empty, click the Clear Password icon.
Proxy Authentication Method options
    If necessary, select the authentication method that the proxy server uses. The authentication methods are as follows:
    - Automatic
    - Basic
    - Digest
    - NTLM
    Automatic is the default setting. When you select Automatic, APS automatically identifies the authentication method that the proxy server uses. If APS cannot identify the correct authentication method, select a specific authentication method from the list. Basic sends the proxy password to the proxy with base64 encoding only, so use it only when the path between APS and the proxy is trusted.
Yes, I want to opt in to Arbor's data-sharing program check box
    Select this check box to participate in Arbor's Data-Sharing program. See "Participating in Arbor's Data Sharing Program" below.

Configuring web crawler support

The AIF updates include a list of the IP address ranges that Arbor considers to be legitimate search engine web crawlers. Configure the following settings to specify the search engines that can crawl your web site. For general information about web crawlers, see "About Web Crawler Support" on page 288.

To configure web crawler support:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, in the Web Crawlers section, select check boxes to enable web crawlers and clear check boxes to disable web crawlers. Initially, all of the web crawlers are enabled by default, including any web crawlers that are added in future AIF updates. Because future crawler ranges are trusted automatically as they arrive, review this list after AIF updates if your policy requires explicit approval of each exempted range.
3. Enable the Web Crawler Support setting on the following pages:
   - Configure Server Type page, for inbound traffic. See "Changing the Protection Settings for Server Types" on page 169.
   - Outbound Threat Filter page, for outbound traffic. See "Viewing the Outbound Threat Activity" on page 349.

Participating in Arbor's Data Sharing Program

When an APS is part of the Arbor Data-Sharing Program, it shares only anonymized data with Arbor. The high-level threat data that APS shares does not contain any information that can specifically identify your organization, such as IP addresses and payload data. You also may elect to share your organization's geographic location and industry type. Arbor uses this information to perform additional contextual analysis of threats by industry and geographic region to better predict threats that may affect you in the future.

To participate in the data-sharing program:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, in the ATLAS Intelligence Feed section, select the Yes, I want to opt in to Arbor's data-sharing program check box.
3. (Optional) To view an example of the data that APS shares, click the View an example link.
4. To share your organization's geographic location and industry type, click the geographic location and industry type link.
5. In the ATLAS Intelligence Feed feedback program window, select the industry and country in which your organization is located, and then click Save.
6. In the ATLAS Intelligence Feed section, click Save.

For information about this program, see "About Arbor's data-sharing program" on page 282, or click the Arbor's data-sharing program link to open Arbor's Data-Sharing Programs web page (www.arbornetworks.com/data-sharing-programs). The web page describes all of Arbor's data-sharing programs.
About Bandwidth Alerts

APS uses bandwidth alerts to inform you about attacks and other traffic anomalies that require your attention. To implement bandwidth alerts, you define traffic thresholds based on traffic baselines and specific traffic rate limits for specific types of traffic. When the traffic for a protection group exceeds a threshold, APS creates a bandwidth alert. The alert includes the protection group name and the level of traffic that triggered the alert.

You can configure bandwidth alert thresholds globally or for individual protection groups. The global thresholds are enabled by default. APS uses the global thresholds for any protection group that does not have its own thresholds configured. The threshold settings for a specific protection group override the global threshold settings.

You can view bandwidth alerts in several areas of the APS UI. See "Viewing Bandwidth Alerts" on page 302.

About the types of bandwidth alerts

You can configure baseline thresholds and specify rate limits to generate bandwidth alerts for the following types of traffic:

Total traffic alert
    Occurs when a protection group's total traffic exceeds the threshold. Total traffic alerts inform you of spikes in the traffic to protected services so that you can investigate the cause and take action if necessary.
Blocked traffic alert
    Occurs when a protection group's blocked traffic exceeds the threshold. A spike in blocked traffic typically indicates that an attack is underway and is being blocked. Blocked traffic alerts inform you of the system's response to an attack so that you can respond with further actions. For example, if you determine that the traffic is legitimate, you can whitelist the source.
Botnet alert
    Occurs when a protection group's unblocked botnet traffic exceeds the threshold. Botnet alerts indicate that a botnet attack might be underway and suggest the protection level that would block the botnet traffic.
License limit alert
    Occurs when your system's traffic exceeds 90 percent of its licensed throughput limit. Your licensed throughput limit is the threshold for the license limit alerts; this threshold is not user-configurable.
    Note: The license limit does not apply to the APS 2108 model, which is licensed for a throughput of 10 Gbps.

About traffic baselines

APS generates bandwidth alerts when a protection group's total traffic, blocked traffic, or botnet traffic exceeds a specified baseline threshold for the corresponding traffic type. Before APS can evaluate traffic against the baseline thresholds, it must calculate the baselines based on a protection group's traffic for the past week. Therefore, the alerts may not begin to appear until a week after you create a protection group. After APS calculates the initial baselines, it recalculates them every hour. Because the baseline follows the observed traffic, a slow, sustained increase raises the baseline and does not trigger a baseline alert; if you need an absolute ceiling, configure a fixed bps or pps threshold for the protection group.

Configuring global bandwidth alerts

You configure the global bandwidth alert thresholds on the System Alerts page in APS. The global thresholds are enabled by default, but you can change the default settings or turn off some or all of the global bandwidth alerts.

A global bandwidth alert threshold consists of a baseline threshold and, optionally, a minimum threshold. The baseline threshold is a percentage of traffic above the baseline for the corresponding traffic type. The minimum threshold is a traffic rate that you specify in bps or pps. If you specify a minimum threshold, a protection group's traffic must exceed both the baseline threshold and the minimum threshold before APS generates an alert. For example, a specific protection group's baseline might be a low level of traffic. If that group's traffic suddenly increases by the global percentage, no alert is created if the traffic level is still below the minimum threshold. See "Configuring Global Thresholds for Bandwidth Alerts" on page 126.

Configuring bandwidth alerts for individual protection groups

You configure protection group alert thresholds when you edit a protection group in APS. You can use the global thresholds that are configured on APS or specify traffic thresholds for the protection group in bps or pps. You also can disable one or more bandwidth alert types for a protection group. See "Editing and Deleting Protection Groups" on page 194.

Bandwidth alert expiration

Initially, a bandwidth alert remains active for one hour after it is created. The longer that a bandwidth alert condition continues, the more the alert's expiration time is extended. The expiration time is never more than 24 hours after the alert condition disappears. In addition, an alert expires instantly in the following situations:
- when you disable that type of alert in the configuration
- when you change the type of threshold (global threshold or specified traffic threshold) for a protection group
- when you configure a protection group's alert threshold to a level that is higher than the level that triggered the alert
- (botnet alerts only) when the protection level is changed to be greater than or equal to the level that triggered the alert

Configuring notifications for bandwidth alerts

You can configure notifications that send messages when a bandwidth alert occurs. See "Configuring Notifications" on page 131.
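The decision rule described in this section and in "Configuring Global Thresholds for Bandwidth Alerts" (a percentage above the hourly baseline, an optional minimum rate that must also be exceeded, per-group fixed thresholds or disabling that override the global setting, and the 90 percent license limit), as an added example that is not Arbor code. The class and field names, the sample thresholds and the sample rates are assumptions for the example.

```python
"""Bandwidth-alert threshold evaluation as described in "About Bandwidth Alerts".

Added illustration, not Arbor code. Reproduces the documented rule: a global
threshold is a percentage above the baseline plus an optional minimum rate, a
protection group may override it with a fixed rate or disable the alert type,
and the license limit alert fires above 90 percent of licensed throughput.
Names and sample numbers are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Optional

ALERT_TYPES = ("total", "blocked", "botnet")


@dataclass
class GlobalThreshold:
    pct_above_baseline: Optional[float]    # None means the slider is at "Off"
    minimum_rate: Optional[float] = None   # bps or pps; None means no minimum


@dataclass
class GroupThreshold:
    # mode: "global" (use the global slider), "fixed" (explicit bps/pps), "disabled"
    mode: str = "global"
    fixed_rate: Optional[float] = None


def exceeds(global_thr: GlobalThreshold, group_thr: GroupThreshold,
            baseline: float, rate: float) -> bool:
    """True when `rate` should raise a bandwidth alert for one alert type."""
    if group_thr.mode == "disabled":
        return False
    if group_thr.mode == "fixed":
        return rate > group_thr.fixed_rate
    # "global": the slider must be on, traffic must exceed the baseline by the
    # configured percentage and, if a minimum is set, exceed that as well.
    if global_thr.pct_above_baseline is None:
        return False   # Off disables this type for every group using the global value
    threshold = baseline * (1 + global_thr.pct_above_baseline / 100.0)
    if rate <= threshold:
        return False
    if global_thr.minimum_rate is not None and rate <= global_thr.minimum_rate:
        return False
    return True


def license_limit_exceeded(rate_bps: float, licensed_bps: float) -> bool:
    """License limit alert: traffic above 90 percent of licensed throughput."""
    return rate_bps > 0.9 * licensed_bps


def evaluate(global_cfg: dict, group_cfg: dict, baselines: dict, rates: dict) -> list:
    """Return the alert types (total/blocked/botnet) that fire for one group."""
    fired = []
    for kind in ALERT_TYPES:
        if exceeds(global_cfg[kind], group_cfg.get(kind, GroupThreshold()),
                   baselines[kind], rates[kind]):
            fired.append(kind)
    return fired


# Constructed sample: global sliders at 200% (total, with a 10 Mbps floor),
# 100% (blocked) and Off (botnet); a small group with a 1 Mbps total baseline
# that overrides the botnet alert with a fixed 500 kbps threshold.
GLOBAL = {
    "total": GlobalThreshold(200, minimum_rate=10_000_000),
    "blocked": GlobalThreshold(100),
    "botnet": GlobalThreshold(None),
}
SMALL_GROUP = {"botnet": GroupThreshold("fixed", fixed_rate=500_000)}
BASELINES = {"total": 1_000_000, "blocked": 200_000, "botnet": 100_000}

if __name__ == "__main__":
    # 4 Mbps is 300% above the 1 Mbps baseline but under the 10 Mbps floor,
    # so only the blocked and botnet alerts fire here.
    print(evaluate(GLOBAL, SMALL_GROUP, BASELINES,
                   {"total": 4_000_000, "blocked": 500_000, "botnet": 600_000}))
```

The minimum threshold is the detail most often misread: it is an additional condition, not an alternative one, which is why the small group above stays silent on total traffic even after a fourfold spike.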
Configuring Global Thresholds for Bandwidth Alerts

APS generates bandwidth alerts when a protection group's total traffic, blocked traffic, or botnet traffic exceeds a specified baseline threshold for the corresponding traffic type. See "About Bandwidth Alerts" on page 123.

Calculating baselines

Before APS can evaluate traffic against the baseline thresholds, it must calculate the baselines based on a protection group's traffic for the past week. Therefore, the alerts may not begin to appear until a week after you create a protection group. After APS calculates the initial baselines, it recalculates them every hour.

About the percentage sliders

You configure a baseline threshold as a percentage of traffic above a protection group's baseline for the corresponding traffic type (total traffic, blocked traffic, or botnet traffic). As you move a threshold slider from left to right, the percentage increases from zero ("Off") to 750% in a series of increments. As the percentage increases, the difference between the increments increases. To disable a baseline threshold, move the slider to the left until it is at the "Off" position.

Caution: If you disable a baseline threshold, that type of alert is disabled for any protection group that is configured to use that global threshold.

Configuring global thresholds

To configure global thresholds for bandwidth alerts:
1. Select Administration > System Alerts.
2. On the System Alerts page, select the Settings tab.
3. Configure any of the following settings:

   Total Traffic Alert slider
       Move the slider to specify the minimum level of total traffic that should trigger a total traffic alert. The traffic level is measured as a percentage of the total traffic above a protection group's baseline.
   Total Traffic Minimum Threshold boxes
       Specify a minimum threshold for total traffic in bits per second or packets per second.
   Blocked Traffic Alert slider
       Move the slider to specify the minimum level of blocked traffic that should trigger a blocked traffic alert. The traffic level is measured as a percentage of the blocked traffic above a protection group's baseline.
   Blocked Traffic Minimum Threshold boxes
       Specify a minimum threshold for blocked traffic in bits per second or packets per second.
   Botnet Traffic Alert slider
       Move the slider to specify the minimum level of botnet traffic that should trigger a botnet traffic alert. The traffic level is measured as a percentage of the botnet traffic above a protection group's baseline.
   Botnet Traffic Minimum Threshold boxes
       Specify a minimum threshold for botnet traffic in bits per second or packets per second.

4. Click Save.

About Notifications

When APS detects events, conditions, or errors in the system, it creates alerts to inform the user. You can configure APS to send notification messages to specified destinations to communicate certain alerts. See "Configuring Notifications" on page 131.

Alert types

The alert type specifies the alerts and events that trigger a specific notification. You can associate each notification destination with one or more of these alert types.

System
    Hardware or system component events and other events that affect the system's health. For example, a system alert is created when an interface goes down.
Cloud
    Specific Cloud Signaling events. For example, cloud alerts occur when traffic exceeds the configured threshold or when a communication error occurs between your network and the Cloud Signaling Server.
Protection
    Someone changes the global protection level or a protection group's protection level.
Deployment
    The deployment mode is changed.
Blocked Host
    Hosts are blocked. See "About the blocked host notifications" on the facing page.
Bandwidth
    A protection group's traffic exceeds one or more traffic thresholds, or your system's traffic exceeds 90 percent of its licensed throughput limit.
    Note: The license limit does not apply to the APS 2108 model, which is licensed for a throughput of 10 Gbps.
Change Log
    Change log entries are created. See "About the change log notifications" on page 130.

Notification contents

A typical notification contains the alert type and a message. It also includes a link to the host that generated the alert if you configure a default URL hostname on the Configure General Settings page. The recipient can copy and paste the URL into a browser to navigate to the event. Depending on the alert type, the notification can contain additional information, such as the associated source, destination, traffic level, or protection category.

For examples of the notifications, see the following topics:
- "Email Notification Formats and Examples" on page 580
- "SNMP Notification Examples" on page 584
- "Syslog Notification Format and Examples" on page 587

Notification types

The notification type defines how APS sends notifications.

email
    APS sends email notifications to the destination addresses that you specify, and the notifications appear to come from the sender address that you specify. APS queues email messages for one minute and then sends them in a batch. When an email notification contains multiple alerts, APS sends one summary email. APS sends the email notifications through the SMTP server that you configure on the Configure General Settings page.
SNMP
    APS sends notifications to a network management system as SNMP traps. APS supports SNMP version 2 and SNMP version 3 for notifications. The Arbor SMI MIB and the Pravail MIB define the SNMP notification format. See "About SNMP Polling" on page 108.
    Important: The source IP address for SNMP traps that APS sends is the IP address of the mgt0 interface. The IP address of the mgt1 interface cannot be used as the source IP address for SNMP traps.
syslog
    APS sends notifications to a security event management system as syslog messages.

About the blocked host notifications

The blocked host notifications differ from the other types of notifications as follows:

Notification interval

APS allows some time to pass between blocked host notifications for a given host, even if the host is blocked again within that time. By default, APS waits 60 minutes between blocked host notifications for a specific host. You can change the interval to any amount from 1 minute to 60 minutes. See "Changing the interval between blocked host notifications" on page 131.

For example, you set the interval to 40 minutes. When APS temporarily blocks a certain host, it sends a blocked host notification. Within the next 30 minutes, APS blocks the same host two more times but does not send additional blocked host notifications. After another 20 minutes, APS blocks the host again. This time, because the 40-minute interval has passed, APS sends a second blocked host notification. As the example shows, the interval is measured from the last notification for that host, not from the last time the host was blocked.

Notification limit

To prevent overwhelming the network or the receiving system, only 1,000 blocked hosts per minute are identified for notifications. If the number of blocked hosts exceeds the limit, the additional blocked hosts are not identified individually. Instead, the notifications include the following statement:

    n-more hosts were blocked

where n is the number of blocked hosts that exceed the limit. During a large attack, treat the notification stream as a sample rather than a complete record of blocked hosts.

Important: Because of the volume of notifications that are generated for blocked hosts, Arbor recommends that you use SNMP or syslog for blocked host notifications.
Email notifications are available for blocked hosts but are typically used for testing only. For example, create an email notification for blocked hosts, and then wait a few minutes to receive one or more email notifications. After you verify that the blocked hosts are reported, disable the email notification and configure an SNMP notification or syslog notification.

About the change log notifications

You can use the Change Log alert type to configure notifications for change log entries. These notifications provide an external trail of all the changes to your APS system. Such documentation is important for any organization that has strict policies for change control and change management, and because the trail is kept on an external system it cannot be altered by someone who changes the configuration on APS itself.

The change log contains entries for other types of alerts (Cloud, Protection, and Deployment). If you combine the Change Log alert type and any of those other alert types in one notification, APS might send duplicate notifications for the same event. For example, you might configure a notification for the Change Log alert type and the Protection alert type. When someone changes the protection level, APS sends a change log notification and a protection notification. However, this use case is not typical, because you will probably want to keep your change log notifications separate from the other types of notifications.

For information about the change log, see “Viewing the Change Log” on page 448.

Configuring Notifications

The Configure Notifications page allows you to configure APS to send notification messages to specified destinations when certain alerts and events occur. You also can specify how often APS sends blocked host notifications. See “About Notifications” on page 128.

Configuring a notification destination

To configure a notification destination:

1. Select Administration > Notifications.
2. On the Configure Notifications page, click Add Destination, and then select a notification type from the pop-up menu.
3. In the Add Notification Destination window, configure the settings for the specified destination type, and then click Save.
   - Email: see “Email notification settings” on the next page.
   - SNMP: see “SNMP notification settings” on the next page.
   - Syslog: see “Syslog notification settings” on page 134.

Changing the interval between blocked host notifications

APS allows some time to pass between blocked host notifications for a given host, even if the host is blocked again within that time. You can change the amount of time that APS waits before it sends a new notification for that host. Select a longer interval to minimize the number of notifications per blocked host. Select a shorter interval for a more precise record of how often a host is blocked. For example, you might want to receive more frequent notifications if you use a Security Information and Event Management (SIEM) system to manage your APS blocked hosts.

To change the interval between blocked host notifications:

1. Select Administration > Notifications.
2. On the Configure Notifications page, select the Settings tab.
3. On the Settings tab, move the Notification Interval slider to specify the amount of time to wait between blocked host notifications for a specific host. The default interval is 60 minutes. You can change it to any amount from 1 minute to 60 minutes.
4. Click Save.

Deleting notifications

To delete notifications:

1. Select Administration > Notifications.
2. On the Configure Notifications page, complete one of the following steps:
   - Select the check box for each notification that you want to delete.
   - Select the check box in the table heading row to delete all of the notifications.
3. Click Delete.
4. In the confirmation message that appears, click OK.
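The notification interval and the 1,000-hosts-per-minute limit described under “About the blocked host notifications”, and the facility and severity values listed under “Syslog notification settings” later in this chapter, as an added example that is not code from APS or its documentation. It models the throttling in Python, encodes each notification as an RFC 3164 syslog line (PRI = facility * 8 + severity), and shows a SIEM-side count that includes the “n-more hosts were blocked” summary. The message wording after the PRI, the hostname and the “aps:” tag, and the treatment of a host that is reported only in the summary as notified for interval purposes are assumptions; the blocked addresses in the burst are constructed.

```python
"""Added model of APS blocked host notification throttling (not APS code).

One notification per host per interval (1-60 minutes, default 60), at most
1,000 hosts identified per minute, the rest summarised as
"n-more hosts were blocked"; each line is RFC 3164 syslog with
PRI = facility * 8 + severity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Numeric codes from RFC 3164 (subset of facilities).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
PER_MINUTE_LIMIT = 1000  # hosts identified individually per minute


def syslog_pri(facility, severity):
    """PRI value that opens an RFC 3164 message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(line):
    """Return (facility, severity) names from the '<PRI>' prefix of a line."""
    pri = int(line[1:line.index(">")])
    facility = next(n for n, v in FACILITIES.items() if v == pri // 8)
    severity = next(n for n, v in SEVERITIES.items() if v == pri % 8)
    return facility, severity


def _timestamp(when):
    """RFC 3164 TIMESTAMP: 'Mmm dd hh:mm:ss' with a space-padded day."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


class BlockedHostNotifier:
    """Per-host interval suppression plus the per-minute identification cap."""

    def __init__(self, interval_minutes=60, facility="local0",
                 severity="warning", hostname="aps01"):
        if not 1 <= interval_minutes <= 60:
            raise ValueError("interval must be between 1 and 60 minutes")
        self.interval = timedelta(minutes=interval_minutes)
        self.pri = syslog_pri(facility, severity)
        self.hostname = hostname            # assumed HOSTNAME field
        self.last_notified = {}             # host -> time of its last notification
        self.identified = defaultdict(int)  # minute -> hosts listed by address
        self.overflow = defaultdict(int)    # minute -> hosts beyond the cap

    def _line(self, when, text):
        # The "aps:" TAG and the message wording are assumptions, not the APS format.
        return f"<{self.pri}>{_timestamp(when)} {self.hostname} aps: {text}"

    def block(self, host, when):
        """Record a block of `host`; return a syslog line, or None if not sent."""
        last = self.last_notified.get(host)
        if last is not None and when - last < self.interval:
            return None                   # inside this host's notification interval
        self.last_notified[host] = when   # assumption: a summary mention counts as notified
        minute = when.replace(second=0, microsecond=0)
        if self.identified[minute] >= PER_MINUTE_LIMIT:
            self.overflow[minute] += 1    # reported only in the summary line
            return None
        self.identified[minute] += 1
        return self._line(when, f"blocked host {host}")

    def summary(self, when):
        """Summary line for the minute containing `when`, or None if no overflow."""
        minute = when.replace(second=0, microsecond=0)
        n = self.overflow.get(minute, 0)
        return self._line(minute, f"{n}-more hosts were blocked") if n else None


def count_blocked(lines):
    """SIEM-side count that also includes hosts reported only in summary lines."""
    total = 0
    for line in lines:
        text = line.split(" aps: ", 1)[1]
        if text.endswith("-more hosts were blocked"):
            total += int(text.split("-", 1)[0])
        elif text.startswith("blocked host "):
            total += 1
    return total


def simulate_interval(interval_minutes=40):
    """The guide's example: one host blocked at 0, +10, +20 and +50 minutes."""
    t0 = datetime(2018, 9, 14, 12, 0, 0)
    notifier = BlockedHostNotifier(interval_minutes)
    return [notifier.block("203.0.113.7", t0 + timedelta(minutes=m)) is not None
            for m in (0, 10, 20, 50)]


def simulate_burst(hosts=1200):
    """Constructed burst: `hosts` distinct addresses blocked within one minute."""
    t0 = datetime(2018, 9, 14, 12, 0, 0)
    notifier = BlockedHostNotifier()
    lines = []
    for i in range(hosts):
        line = notifier.block(f"10.0.{i // 256}.{i % 256}",
                              t0 + timedelta(seconds=i % 60))
        if line:
            lines.append(line)
    summary = notifier.summary(t0)
    return lines + [summary] if summary else lines
```

With the guide's 40-minute example, `simulate_interval()` reports notifications for the first and the fourth block only; a burst of 1,200 hosts in one minute yields 1,000 individual lines plus one “200-more hosts were blocked” line, and `count_blocked` recovers 1,200 from those lines while a parser that only counts individual host lines would report 1,000.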
Email notification settings

The Email Notification window contains the following settings:

- From box: Type the email address that should appear as the sender. You can use the APS appliance name so that you can easily identify which appliance sent a message.
- To box: Type the recipient’s email address. For email notifications, all email addresses must be valid RFC 822 addresses. Type multiple recipient email addresses as a comma-separated list.
- Alert Types box: Click in the box, and then select an alert type to specify the alerts that trigger a notification to this destination. You can also type the beginning of an alert type name to select it. Repeat this action to select additional alert types. See “Alert types” on page 128. If you select Change Log in addition to Cloud, Protection, or Deployment, APS might send duplicate notifications for the same event. See “About the change log notifications” on page 130.

SNMP notification settings

Note: The SNMP settings on this page do not affect the SNMP settings on the Configure General Settings page.

The SNMP Notification window contains the following settings:

- Host box: Type the IP address for each SNMP trap receiver. Type multiple IP addresses as a comma-separated list. You can add up to four IP addresses.
- Version buttons: Select the SNMP version that you use. Version 2 traps are protected only by the community string, which travels in cleartext; use version 3 with Auth+Priv wherever your trap receiver supports it.
- Community box (Version 2 only): Type the community string (password) to use for authenticating the SNMP trap.
- Context box (Version 3 only): Because each APS appliance has only one SNMP context, this setting is not required. However, if your trap receiver expects a specific context name, then type it in this box.
- Engine ID box (Version 3 only): Type an SNMP security engine ID. This setting is required and must be an even-length string of hex digits (0-9, A-F). It must match one of the security engine IDs that are configured on your trap receiver.
- Security Level list (Version 3 only): Select one of the following options:
  - None: No password authentication is performed. Anyone who can reach the receiver can forge traps that look like they came from APS.
  - Auth: Password authentication is performed, but the data in the trap messages is not encrypted.
  - Auth+Priv: Password authentication is performed, and the data in the trap messages is encrypted.
- Authentication Protocol buttons (Version 3 only): Select an authentication protocol (MD5 or SHA). If the Security Level setting is not set to None, this value must match the value that is expected by your trap receiver. Prefer SHA where the receiver supports it.
- Username box (Version 3 only): Type an SNMP user name. This setting is required and must match one of the names that is configured on your trap receiver.
- Password box (Version 3 only): Type the password for the SNMP user name that you specified above. Specify this setting if the Security Level setting is not set to None.
- Privacy Protocol buttons (Version 3 only): If you selected Auth+Priv from the Security Level list, then select the appropriate privacy protocol (DES or AES). Verify that this value matches the value that is expected by your trap receiver. Prefer AES where the receiver supports it.
- Privacy Password box (Version 3 only): If you selected Auth+Priv from the Security Level list, then type the privacy password that is expected by your trap receiver.
- Alert Types box: As for email notifications, select the alert types that trigger a notification to this destination. See “Alert types” on page 128. If you select Change Log in addition to Cloud, Protection, or Deployment, APS might send duplicate notifications for the same event. See “About the change log notifications” on page 130.

Syslog notification settings

The Syslog Notification window contains the following settings:

- Host box: Type the IP address for the syslog host.
- Port box (Optional): The default setting is port 514. If you do not want to use the default port, then type a new port number.
- Facility list: Select a syslog facility value to indicate the source of the message, as defined in the syslog protocol RFC 3164.
- Severity list: Select one of the following syslog severity values:
  - alert: action must be taken immediately
  - crit: critical condition
  - debug: debug-level message
  - emerg: emergency, system is unusable
  - err: error condition
  - info: informational message
  - notice: normal but significant condition
  - warning: warning condition
  APS applies the facility and severity that you select here to every message that it sends to this destination, regardless of alert type, so choose the values that your SIEM’s routing rules expect rather than values that describe any single alert.
- Alert Types box: As for email notifications, select the alert types that trigger a notification to this destination. See “Alert types” on page 128. If you select Change Log in addition to Cloud, Protection, or Deployment, APS might send duplicate notifications for the same event. See “About the change log notifications” on page 130.

Configuring Backup Settings

The Configure Backup and Restore Settings page allows you to configure the location for storing backups and schedule the automatic creation of backups. See “About Backups” on page 454.
Planning your backup strategy

Before you configure the backup settings, make the following decisions:

Where to save the backups
You can store backup files in the following locations:
- On a remote backup server. You can use any remote server that APS can access and that has sufficient disk space for the backup files. The backup server must support the Secure File Transfer Protocol (SFTP). Verify that the backup server does not use a script to echo messages on login; otherwise, errors can occur. Treat the backup files as sensitive, because they contain the APS configuration, and restrict access to the target directory accordingly.
  Important: If you need to create backups for multiple APS devices, you must specify a unique target directory for each APS on the backup server. If you use the same target directory for more than one APS, the backup process will fail.
- Locally on APS. Backups that are stored locally do not include traffic data, and they are lost together with the appliance if it fails.

What type of data to back up
You can configure a full backup or an incremental backup, and you can specify whether the backup contains traffic data in addition to the configuration data. For information about data that APS does not include in backups, see “About the backup data” on page 454.
Important: If vAPS is set to the layer 3 deployment mode, the following data is not included in a backup:
- Any GRE tunneling settings that you configured on the Interfaces page in the UI. See “Configuring Interfaces and GRE Tunneling” on page 141.
- Any routes that you configured for the protection interfaces. These routes include any mitigation routes that you configured in the CLI and any routes that you configured on the Interfaces page. See “Configuring Static Routes for the Protection Interfaces on vAPS” on page 513 and “Configuring Routes” on page 145.
Record these settings separately so that you can re-enter them after a restore.

How often to back up
For example, you might schedule the full backups to run weekly and the incremental backups to run daily.
Configuring backup settings

To configure backup settings:

1. Select Administration > Backup and Restore.
2. On the Configure Backup and Restore Settings page, in the Server Settings section, click Edit.
3. Configure the settings as follows:
   - Backup Server Type options: To specify where to store the backups, select one of the following options:
     - Local: Stores configuration backups on APS. After you select this option, click Save. (The other settings do not appear.)
     - Remote: Stores the backups on a remote backup server. After you select this option, configure the remaining settings.
   - Server box: Type the hostname or IP address of the server on which to store the backups.
   - Port box: Type the port on the backup server to which APS connects (for SFTP, usually port 22).
   - Directory box: Type the path of the target directory on the backup server. The path can contain underscores (_) and alphabetical and numerical characters. An absolute path must begin with a forward slash (/).
     Important: If you need to create backups for multiple APS devices, you must specify a unique target directory for each APS on the backup server. If you use the same target directory for more than one APS, the backup process will fail.
   - Username box: Type the user name with which to authenticate on the backup server. The user name cannot contain a space, at symbol (@), or slash (/).
   - Password boxes: If the backup server requires a password, type the password, and then re-type it to confirm it. To delete an existing password and leave the password empty, click (Clear Password).
4. Click Save.

Scheduling the automatic creation of backups

Note: Only one backup can run at a time. If a backup is already in progress at a scheduled backup time, the scheduled backup will not run. Leave enough time between the full and incremental schedules for the longer backup to finish.

To schedule the automatic creation of backups:

1. Select Administration > Backup and Restore.
2. On the Configure Backup and Restore Settings page, in the Schedule section, click Edit.
3. Configure the settings as follows:
   - Incremental Backups options and Full Backups options: In each of these sections, choose one of the following steps:
     - Click Never to disable the automatic creation of backups.
     - Click Daily, and then select the time at which to run the backups.
     - Click Weekly, and then select the day and the time at which to run the backups.
   - Include Traffic Data check box: Select this check box to include traffic data in the backup. This setting applies to all of the automatic backups. See “About the backup data” on page 454.
     Note: If APS is configured to save backups locally, then this check box does not appear.
4. Click Save.

Using a Custom SSL Certificate for User Authentication

APS is configured to use a default SSL certificate when users log in to the UI. The Manage Files page allows you to upload a custom certificate, which can prevent browser error messages and help you comply with company security policies. The Manage Files page also allows you to download the CA certificate that is used to sign the custom SSL certificate. See “Managing the Files on APS” on page 452.

About certificate authority (CA) files

When you upload a custom SSL certificate, you must also upload a certificate authority (CA) file. The CA file contains the certificate of the authority that signed your SSL certificate; it is what allows the certificate to be validated, and one CA can sign multiple certificates.

Custom SSL certificate requirements

If you want to use a custom SSL certificate to connect to the UI, the certificate files must meet the following requirements:
- The SSL file and CA file must be PEM-encoded (Privacy Enhanced Mail).
- The SSL file must contain the certificate and the private key that matches the certificate.
- The SSL file and CA file cannot be password protected.

Because the private key in the SSL file is unencrypted, handle the file as a secret: upload it only over the HTTPS UI session and remove any working copies when you are done.
Uploading a custom SSL certificate

To upload a custom SSL certificate:

1. Select Administration > Files.
2. On the Manage Files page, in the Upload Custom Files section, click Upload SSL Cert.
3. In the Upload Certificate window, follow these steps:
   a. Click Browse to locate the custom SSL certificate file.
   b. Click Browse to locate the custom CA certificate file.
   c. Click Upload.
4. In the confirmation window, click OK.
   Note: Most browsers display an error message, which results from the change in the SSL certificate mid-session.
5. Log out of APS, close your browser, and then restart your browser.

Using the APS default SSL certificate

This option is available only if someone previously uploaded a custom SSL certificate.

To revert to using the APS default SSL certificate:

1. Select Administration > Files.
2. On the Manage Files page, in the Upload Custom Files section, click Use default cert.
3. In the confirmation window, click OK.
4. Log out of APS, close your browser, and then restart your browser.

Downloading a CA certificate

To download a CA certificate:

1. Select Administration > Files.
2. On the Manage Files page, in the System Files section, click the CA Certificate link.
3. Save the file according to your browser options.

Connecting to a Remote Syslog Server

You can configure APS to send syslog data to a remote server. When you configure the connection, you have the option to make it secure. You create the connection to the remote server in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468.

Creating a connection to a remote syslog server

To create a connection to a remote syslog server:

1. Log in to the CLI with your administrator user name and password.
2. Enter /services logging remote set host tcp port [secure]
   - host = the IPv4 or IPv6 address or host name for the remote server
   - port = the port for the remote server
   - secure = (optional) creates a secure connection to the remote server
   Without the secure keyword, the syslog data is sent over TCP in cleartext, where anyone on the path can read or alter it. Use secure whenever the remote server supports it.

Configuring Interfaces and GRE Tunneling

During the APS installation, the interfaces (protection ports) on the appliance are connected to the routers and switches in your network. If you deploy APS in the inline mode, no further configuration of the interfaces is necessary. However, to use GRE tunneling with Cloud Signaling, you must do some additional configuration of the interfaces. You define the addresses for the GRE tunnel source and destination on the Interfaces page. You can define one or more routes as the destinations for the cleaned traffic as well as routes for GRE tunnel keepalives. See “About GRE Tunneling and Cloud Signaling” on page 372.

About the protection interfaces

The protection interfaces are configured as port pairs. Each pair consists of an external (ext) interface and an internal (int) interface. The external interfaces connect APS to the routers or switches that are outside your network. The internal interfaces connect APS to the routers or switches that are inside your network.

Important: If you connect APS to interfaces that do not support Auto MDI selection, be sure to use the correct combination of straight-through cables or crossover cables. It is important to maintain the link through APS when the fail open bypass mode is engaged. For more information about the interface connections, see “Network Connectivity Models” on page 60. For more information about the bypass mode, see “About Hardware Bypass and Software Bypass” on page 498.

About link state propagation

By default, link state propagation is enabled on each protection interface pair when the APS is set to the inline deployment mode.
When link state propagation is enabled, if one interface in a pair goes down, then APS disconnects the other interface. Also, if the original interface that went down reconnects, then APS restores the other interface. However, if you force hardware bypass open or closed, link state propagation does not take effect. For more information about the bypass modes, see “Forcing the hardware bypass mode” on page 499.

Important: If you deploy APS in the monitor mode, then you should disable link state propagation. If you deploy vAPS in the layer 3 mode, then link state propagation is disabled automatically.

Configuring the protection interfaces

To configure an interface pair:

1. Select Administration > Interfaces.
2. On the Interfaces page, in the Interfaces section, click Edit to the right of the interface pair.
3. Configure the settings for the interface pair. See “Interface settings” below.
4. Click Save.

Interface settings

The settings for configuring the interfaces are as follows:

- ext Name box and int Name box: Type a descriptive display name for each interface in this pair. These names identify the interfaces throughout the UI and in any interface-related alerts.
- GRE Remote IPs box: To configure GRE tunneling for Cloud Signaling, type an IP address to define the GRE tunnel source on the Cloud Signaling server. To define multiple GRE tunnel sources, enter the IP addresses in a comma-separated list. Obtain these IP addresses from your cloud service provider. If you deploy vAPS in the layer 3 mode, vAPS uses the IP address of the external interface as the tunnel destination. See “Specifying an IP address for a protection interface on vAPS” on page 513. If you specify the GRE Local IP and Subnet Mask Length, at least one remote IP address is required.
  Note: To use keepalives with GRE tunnels, you must configure a route to a GRE tunnel source. See “Configuring Routes” on page 145.
- GRE Local IP and Subnet Mask Length boxes: To configure GRE tunneling for Cloud Signaling, enter the following information to define the GRE tunnel destination on APS:
  - An IP address for the tunnel destination. For example, 198.51.100.0.
  - A prefix length for the tunnel destination. For example, 24.
  If you use LACP (Link Aggregation Control Protocol) to bundle the protection interfaces, APS cannot serve as a GRE tunnel destination. In this case, specify a GRE tunnel destination that is downstream of APS.
  Note: If you deploy vAPS in the layer 3 mode, you cannot specify a GRE tunnel destination here. Instead, vAPS uses the IP address of the external interface as the tunnel destination. See “Specifying an IP address for a protection interface on vAPS” on page 513.
- Alerts options: Enable or disable the creation of alerts when the deployment mode is inline and one or both of these interfaces goes down. By default, alerts are enabled for the ext0 and int0 interface pair and disabled for all of the other interface pairs. If other pairs carry production traffic, enable alerts on them as well; otherwise a link failure on those pairs does not generate an alert.
- Link State Propagation options: Enable or disable the propagation of the link status on this pair of interfaces. See “About link state propagation” on page 141.
  Important: If you deploy APS in the monitor mode, then you should disable link state propagation. When vAPS is deployed in the layer 3 mode, link state propagation is disabled automatically.

Configuring the link state propagation timeouts

When link state propagation is enabled for a pair of protection interfaces, if one interface in the pair goes down, then APS disconnects the other interface. Also, if the original interface that went down reconnects, then APS restores the other interface.
For more information, see “About link state propagation” on page 141.

You can configure two link state propagation timeouts on APS:
- Interface Down specifies the amount of time that APS waits after one interface in a pair goes down before it disconnects the other interface.
- Interface Up specifies the amount of time that APS waits after the original interface that went down reconnects before it restores the other interface.

Note: The Link State Propagation Timeouts settings are not available on vAPS.

You can select timeouts from one second to five seconds, in one-second increments. Arbor recommends that you set the timeouts to five seconds, which is the default value.

Important: Certain network configurations may cause the APS interfaces to take longer than the specified timeout values to update their link status. If this situation occurs, the interfaces may become unstable and bounce until you increase the timeout values.

To change the timeouts for link state propagation:

1. Select Administration > Interfaces.
2. On the Interfaces page, in the Link State Propagation Timeouts section, click Edit.
3. To specify the amount of time that APS waits after one interface goes down, move the Interface Down slider.
4. To specify the amount of time that APS waits after one interface comes back up, move the Interface Up slider.
5. Click Save.

Configuring routes

After you configure the source and destination for GRE tunneling and GRE tunnel keepalives, you must define one or more routes as the destination for the cleaned traffic. See “Configuring Routes” on page 145.

Configuring Routes

When you use Cloud Signaling with GRE tunneling, you configure the routes to forward cleaned traffic through APS without reinspecting it. You also can configure the routes for traffic when vAPS is set to the layer 3 deployment mode. See “About the Layer 3 Deployment Mode” on page 65.

Arbor recommends that you configure at least one route for forwarding cleaned traffic. APS uses this route to forward any traffic whose destination does not match the subnet of a tunnel destination or one of the other configured routes. Without such a catch-all route, cleaned traffic for an unmatched destination has nowhere to go.

To use keepalives with GRE tunnels, you must configure a route to a GRE tunnel source. You configure GRE tunnel sources on the Interfaces page. See “Configuring Interfaces and GRE Tunneling” on page 141.

You configure the routes for GRE tunneling and layer 3 traffic on the Interfaces page in the UI. You also can configure routes from the command line interface (CLI), but you cannot configure routes for GRE tunneling from the CLI.

Configuring routes

To configure routes in the UI:

1. Select Administration > Interfaces.
2. On the Interfaces page, in the Routes section, click Edit.
3. For each route, configure the settings as follows:
   - Prefix box: The IPv4 address and prefix length for the destination network, such as 198.51.100.0/24. APS matches this prefix against the destination address of the traffic.
   - Nexthop box: The IPv4 address of the router through which the traffic is sent to the destination network. This IP address must lie within a subnet that is configured on one of the protection interfaces.
4. Click Save.

Adding a Custom Logo to the UI

You can customize the appearance of the UI by replacing the default Arbor Networks® APS logo with one that you upload on the Manage Files page. After you upload a custom logo, you can lock the logo so it cannot be changed.
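The route validation and selection described under “Configuring Routes” above, as an added example that is not code from APS or its documentation. It models the Routes table on the Interfaces page: each route is an IPv4 destination prefix and a nexthop that must lie in a subnet configured on a protection interface (the GRE Local IP and Subnet Mask Length), a destination inside a tunnel destination subnet is treated as directly connected, and a 0.0.0.0/0 route plays the role of the catch-all route for cleaned traffic that Arbor recommends. Longest-prefix matching between overlapping routes and rejecting prefixes with host bits set are assumptions made here, not rules stated by the guide; the interface subnet and routes at the bottom are constructed.

```python
"""Added model of the APS Routes table (not APS code).

Validates that each nexthop sits in a protection interface subnet and shows
where cleaned traffic for a destination would be sent.
"""
import ipaddress


def validate_routes(interface_subnets, routes):
    """Return problems for routes that the Routes table would not accept."""
    subnets = [ipaddress.IPv4Network(s, strict=False) for s in interface_subnets]
    problems = []
    for prefix, nexthop in routes:
        try:
            # strict=True rejects host bits, e.g. 198.51.100.5/24 (assumption).
            ipaddress.IPv4Network(prefix, strict=True)
        except ValueError:
            problems.append(f"{prefix}: not a valid IPv4 network prefix")
            continue
        try:
            nh = ipaddress.IPv4Address(nexthop)
        except ValueError:
            problems.append(f"{prefix}: nexthop {nexthop} is not an IPv4 address")
            continue
        if not any(nh in s for s in subnets):
            problems.append(
                f"{prefix}: nexthop {nexthop} is not in a protection interface subnet")
    return problems


def select_nexthop(interface_subnets, routes, destination):
    """Where APS would send cleaned traffic for `destination`.

    Returns "connected" for a destination inside a tunnel destination subnet,
    the nexthop of the most specific matching route otherwise (longest-prefix
    match is an assumption), or None when no route matches, which is the case
    a catch-all route exists to prevent.
    """
    dst = ipaddress.IPv4Address(destination)
    if any(dst in ipaddress.IPv4Network(s, strict=False) for s in interface_subnets):
        return "connected"
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.IPv4Network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


# Constructed configuration, not from a real deployment: one interface pair
# with GRE Local IP 198.51.100.0 and prefix length 24, one specific route and
# one catch-all route for all other cleaned traffic.
INTERFACE_SUBNETS = ["198.51.100.0/24"]
ROUTES = [("10.20.0.0/16", "198.51.100.2"), ("0.0.0.0/0", "198.51.100.1")]

if __name__ == "__main__":
    print("problems:", validate_routes(INTERFACE_SUBNETS, ROUTES))
    for dst in ("10.20.5.5", "10.99.0.1", "198.51.100.77"):
        print(dst, "->", select_nexthop(INTERFACE_SUBNETS, ROUTES, dst))
```

Run the check before saving a new route; a nexthop outside every protection interface subnet is the most common reason a route is rejected, and removing the 0.0.0.0/0 entry from ROUTES shows which destinations would then have no nexthop at all.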
Custom logo file requirements

The custom logo file must meet the following requirements:
- File formats: GIF, JPG, and PNG
- Image width: 100 pixels minimum, 300 pixels maximum
- Image height: 20 pixels recommended. Images that are more than 20 pixels high are cropped to 20 pixels.

Uploading and locking a custom logo

To upload a custom logo:

1. Select Administration > Files.
2. On the Manage Files page, in the Upload Custom Files section, click Upload Logo.
3. In the Upload Logo window, click Browse to select an image file, and then click Upload.
4. If the custom logo does not appear on the page, refresh your browser. The logo appears at the top of the page. Two new buttons also appear next to the Upload Logo button: Use Default Logo and Lock Custom Logo.
5. To lock the logo so that it cannot be changed, click Lock Custom Logo.
   Caution: After you lock the logo, you will be unable to upload another custom logo or revert to the default logo. To unlock the custom logo functionality, you must perform a data init from the command line interface, which reinitializes APS. See “Unlocking a custom logo” below.
6. In the confirmation window, click OK. The Logo section is no longer shown on the Manage Files page.

Unlocking a custom logo

After you lock the logo, you will be unable to upload another custom logo or revert to the default logo. To unlock the custom logo functionality, you must perform a data init from the command line interface. Because this procedure reinitializes APS and stops its services while it runs, take a backup first and schedule it for a maintenance window.

To reinitialize APS and unlock the custom logo:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps stop
3. Enter / services aps data init
4. Enter / services aps start

Using the APS default logo

This option is available only if someone previously uploaded a custom logo but did not lock the logo.

To revert to the default logo:

1. Select Administration > Files.
2. On the Manage Files page, in the Upload Custom Files section, click Use Default Logo.
3. In the confirmation window, click OK.
4. If the default logo does not appear on the page, refresh your browser.

Chapter 7: Configuring SSL Inspection with the Hardware Security Module

This section describes how to configure and manage the Hardware Security Module (HSM), which integrates with APS to provide visibility into SSL-secured traffic.

In this section

This section contains the following topics:
- About the Hardware Security Module Configuration (page 150)
- Configuring the Hardware Security Module (page 152)
- Managing the Keys for the Hardware Security Module (page 155)
- Managing the Hardware Security Module (page 158)
- Viewing the Hardware Security Module Status (page 160)

About the Hardware Security Module Configuration

You can deploy the Hardware Security Module (HSM) with APS to protect the availability of online applications that rely on SSL and TLS for security. When you purchase the HSM, Arbor pre-installs the module on APS.

About the HSM and cipher suites

The HSM decrypts traffic that uses the cipher suites that the HSM supports. To decrypt traffic that uses a supported cipher suite, you must import private keys into the HSM.

Note: The cipher suites that the HSM supports are listed in the Arbor Networks APS Release Notes.

If the HSM receives encrypted traffic that uses an unsupported cipher suite, the HSM does not decrypt this traffic. Instead, the HSM passes the traffic without decryption and APS logs an error. Because such traffic is not inspected, make sure that the cipher suites your servers accept are all on the supported list; otherwise a client that offers only unsupported suites passes through uninspected as soon as the server agrees to one of them.

Important: For traffic that uses the ECDH and ECDHE cipher suites, APS only decrypts connections that negotiate the same EC curve as the static EC private key.
Steps to configure the HSM

Before APS can begin the inspection of SSL traffic, you must take the following steps:
- Initialize the HSM.
- Import one or more PEM-encoded files. The PEM-encoded file must contain a private key (RSA or EC). If you plan to decrypt traffic that uses an RSA cipher, then the file must also include a certificate. APS refers to a single imported PEM-encoded file as a key. The HSM supports a maximum of 1998 keys.
- Configure APS to inspect the SSL traffic. See “Configuring the Hardware Security Module” on page 152.

About the HSM users

The HSM supports the following users:
- crypto officer: The crypto officer credentials are required to configure the crypto user credentials during the HSM initialization.
- crypto user: The crypto user credentials are required to perform the other configuration and management tasks on the HSM.

When you initialize the HSM, you define these users. After you configure the HSM, you can change a user’s password, but you cannot delete users or add new users. See “Changing your HSM password” on page 158.

About the APS authorization

Before APS can decrypt traffic, you must provide APS with the credentials to communicate with the HSM. This process is known as authorization.

You have the following options for authorizing APS:
- During the HSM initialization process, you can authorize APS by persisting the crypto credentials. When you persist the credentials, APS retains the user credentials after its services are started.
- If you do not persist the credentials during the initialization, then you must authorize APS after the initialization. At this stage, you again have the option to persist the credentials.
- If you do not persist the credentials during the initialization or authorization, then you must re-authorize APS whenever its services start. You might be required to choose this option if your organization prohibits the persistence of such credentials. Until someone re-authorizes APS after a restart, SSL traffic is not decrypted, so include the re-authorization in your restart procedure.

If APS tries to communicate with the HSM without authorization, an HSM Credential Status alert is created.

About key management

You can add and remove keys for the HSM as follows:
- Using the Venafi Trust Protection Platform. See “Managing keys with Venafi” on page 155.
  Note: Venafi does not support the ability to import EC keys.
- Using the APS API. See “Managing keys with the APS API” on page 155.
- Using the APS command line interface (CLI). See “Managing keys in the command line interface” on page 155.

About reconfiguration

In certain situations, you might need to reconfigure the HSM. For example, if the number of login failures exceeds the maximum (1998), the HSM resets (zeroizes) and deletes all configurations, keys, and users. In this case, you must reconfigure the HSM. The reconfiguration procedure is the same as for the initial HSM configuration. Because zeroization also deletes the imported keys, keep a secure copy of the source PEM files (or the keys in Venafi) so that you can re-import them.

Configuring the Hardware Security Module

To configure the Hardware Security Module (HSM), you initialize the HSM, import one or more keys, and then configure APS to inspect SSL traffic. The HSM supports RSA and EC keys. See “About the Hardware Security Module Configuration” on page 150.

You initialize the HSM in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information.

Note: APS neither backs up nor restores the HSM configuration. After a backup or restoration, the HSM decrypts traffic based on the current HSM configuration.

Before you begin

Before you configure the HSM, complete the following steps:
- Verify that your internal SSL servers support the cipher suites that are listed in the Arbor Networks APS Release Notes. The HSM decrypts traffic that uses the supported cipher suites.
If the HSM receives encrypted traffic that uses an unsupported cipher suite, the HSM does not decrypt this traffic. Instead, the HSM passes this traffic without decryption and APS logs an error. n Gather the following information: l the user names and passwords for the crypto officer and the crypto user — see “About the HSM users” on page 150 l one or more PEM-encoded files A PEM-encoded file, which APS refers to as a key, contains a private key. If you plan to decrypt traffic that uses an RSA cipher suite, then the file must also include a certificate. You also can include an optional certificate chain in the file. Important For traffic that uses the ECDH and ECDHE cipher suites, APS only decrypts connections that negotiate the same EC curve as the static EC private key. Initializing the HSM Follow this procedure to configure the HSM for the first time or to reconfigure an existing HSM. When you reconfigure an HSM, it automatically deletes all of the configurations, keys, and users. Note If you make a mistake when you type an HSM password, you cannot use the BACKSPACE key to correct it. Instead, you must retype the password. To initialize the HSM: 1. Log in to the CLI with your administrator user name and password. 2. Enter / services aps stop 3. Enter / system hsm init crypto_officer_name crypto_user_name {fips | non-fips} {persist | nopersist} crypto_officer_name = the crypto officer user name, with a maximum of 32 characters crypto_user_name = the crypto user name, with a maximum of 32 characters 152 Proprietary and Confidential Information of Arbor Networks Inc. Chapter 7: Configuring SSL Inspection with the Hardware Security Module {fips | non-fips} = Enter fips to enable FIPS mode, in which the HSM uses the FIPS cipher suites only. Enter non-fips to use both the FIPS cipher suites and the non-FIPS cipher suites. The cipher suites that the HSM supports are listed in the Arbor NetworksAPS Release Notes. 
{persist | nopersist} = Enter persist to allow APS to retain the user credentials after its services are restarted. Enter nopersist to clear the credentials when the APS services are stopped. If you do not persist the credentials now, you must authorize APS after you finish this configuration procedure. See “Authorizing APS” on the next page. 4. At the next two prompts, enter a crypto_officer_password that consists of 7-14 characters. 5. At the next two prompts, enter a crypto_user_password that consists of 7-14 characters. 6. Import a PEM-encoded file in the CLI as follows: a. Enter / system hsm key import label source label = a descriptive name that identifies this key in the HSM status displays source = the location of the PEM-encoded file. See “Configuring the Hardware Security Module” on the previous page. b. At the prompts, enter the crypto_user_name and then the crypto_user_ password. c. If the Enter PEM pass phrase prompt appears, enter the pass phrase for the PEM-encoded file. Note You also can import keys using the APS API and you can import RSA keys using the Venafi Trust Protection Platform. See “Managing the Keys for the Hardware Security Module” on page 155. 7. (Optional) Repeat the import command above to import additional keys. The HSM supports a maximum of 1998 keys. 8. (Optional) Verify that the key is on the HSM as follows: a. Enter / system hsm key show b. At the prompts, enter the crypto_user_name and then the crypto_user_ password. 9. Enter / services aps start If services are running already, a message appears. No response is necessary. 10. After you finish the HSM configuration, perform one of the following procedures: l l If you persisted the credentials during the HSM initialization, see “Configuring APS to inspect SSL traffic” on the next page. If you did not persist the credentials during the HSM initialization, see “Authorizing APS” on the next page. 
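An operator can check a PEM file against the requirements under “Before you begin” before running the import in step 6: exactly one private key, a certificate alongside an RSA key, whether a pass phrase prompt is to be expected, and which named curve an EC key uses (relevant to the ECDH/ECDHE caveat). The Python script below is an added example written for this guide, not Arbor's code; it uses only the standard library, and the three sample files it builds are constructed placeholders, not real keys, whose bodies carry only the DER object identifiers the checks look for.

```python
"""Pre-import check for HSM key files (added example, not APS code).
Guide rules: one private key (RSA or EC) per file; an RSA key needs a
certificate in the same file; an encrypted key triggers the CLI's "Enter
PEM pass phrase" prompt; with ECDH/ECDHE, APS only decrypts sessions
that negotiate the EC key's own curve."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# DER-encoded OIDs searched for inside decoded key bodies.
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
OID_EC = bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey
CURVE_OIDS = {
    bytes.fromhex("06082a8648ce3d030107"): "prime256v1",  # P-256
    bytes.fromhex("06052b81040022"): "secp384r1",          # P-384
    bytes.fromhex("06052b81040023"): "secp521r1",          # P-521
}

def _der(body):
    """Decode a PEM body to DER bytes; b'' if the base64 is malformed."""
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return b""

def _curve(der):
    for oid, name in CURVE_OIDS.items():
        if oid in der:
            return name
    return "unknown"

def classify_pem(text):
    """Summarize a key file in the terms the guide uses."""
    keys, certs, encrypted, curve = [], 0, False, None
    for label, body in PEM_BLOCK.findall(text):
        # Traditional (RFC 1421) encryption is flagged by a Proc-Type header.
        enc = "Proc-Type: 4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY"
        encrypted = encrypted or enc
        if ":" in body:  # drop header lines; base64 never contains ':'
            body = body.split("\n\n", 1)[-1]
        der = b"" if enc else _der(body)  # ciphertext carries no OIDs
        if label == "CERTIFICATE":
            certs += 1
        elif label == "RSA PRIVATE KEY":
            keys.append("RSA")
        elif label == "EC PRIVATE KEY":  # SEC1: curve OID in parameters
            keys.append("EC")
            curve = None if enc else _curve(der)
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, algorithm hidden
            keys.append("unknown")
        elif label == "PRIVATE KEY":  # PKCS#8: OID in AlgorithmIdentifier
            if OID_RSA in der:
                keys.append("RSA")
            elif OID_EC in der:
                keys.append("EC")
                curve = _curve(der)
            else:
                keys.append("unknown")
    return {"keys": keys, "certificates": certs,
            "encrypted": encrypted, "curve": curve}

def check_key_file(text):
    """Return (ok, problems) for one PEM file against the import rules."""
    info = classify_pem(text)
    problems = []
    if len(info["keys"]) != 1:
        problems.append("expected one private key, found %d" % len(info["keys"]))
    else:
        kind = info["keys"][0]
        if kind == "RSA" and info["certificates"] == 0:
            problems.append("RSA key must share the file with its certificate")
        if kind == "unknown" and info["certificates"] == 0:
            problems.append("encrypted PKCS#8 hides the key type; RSA needs a cert")
        if kind == "EC" and info["curve"] == "unknown":
            problems.append("EC curve not recognized; sessions must negotiate it")
    return (not problems, problems)

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample files: the bodies are placeholder bytes, not real keys.
SAMPLE_RSA_WITH_CERT = (
    "-----BEGIN RSA PRIVATE KEY-----\n" + _b64(b"placeholder rsa body") +
    "\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\n" +
    _b64(b"placeholder cert body") + "\n-----END CERTIFICATE-----\n")
# SEC1 EC key stub whose parameters carry the prime256v1 named-curve OID.
SAMPLE_EC_P256 = (
    "-----BEGIN EC PRIVATE KEY-----\n" +
    _b64(b"\x30\x13\x02\x01\x01\x04\x02\x00\x00\xa0\x0a" +
         bytes.fromhex("06082a8648ce3d030107")) +
    "\n-----END EC PRIVATE KEY-----\n")
# PKCS#8 RSA stub (version + AlgorithmIdentifier) with no certificate.
SAMPLE_PKCS8_RSA_NO_CERT = (
    "-----BEGIN PRIVATE KEY-----\n" +
    _b64(b"\x30\x16\x02\x01\x00\x30\x0d" + OID_RSA + b"\x05\x00\x04\x00") +
    "\n-----END PRIVATE KEY-----\n")
```

Run check_key_file on the contents of a real key file before copying it to the disk, usb or scp location used as the import source; a reported curve can be compared with what the protected servers negotiate.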
Location arguments for importing PEM-encoded files

Use one of the following arguments to specify the location from which to import a PEM-encoded file:

- disk:file_name
- scp://user@A.B.C.D:port/file_name
- scp://user@\aaaa:bbbb::\:port/file_name
- scp://user@hostname:port/file_name
- usb:file_name

scp = the protocol to use to access the remote host
[disk | usb] = the storage device on the APS appliance that contains the file
user = the user name that is required to access the remote host
[A.B.C.D | aaaa:bbbb:: | hostname] = the IPv4 address, IPv6 address, or hostname of the remote host that contains the file
port = the port on the remote host
file_name = the name of the PEM-encoded file to be imported, for example, sample.pem

Authorizing APS

If you did not persist the credentials during the HSM initialization, you must authorize APS before it can decrypt traffic. See “About the APS authorization” on page 150.

To authorize APS for the HSM:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system hsm services authorize {persist | nopersist}
   {persist | nopersist} = Enter persist to allow APS to retain the crypto user credentials after its services are restarted. Enter nopersist to clear the credentials when the APS services are stopped. If you do not persist the credentials, then you must re-authorize APS whenever the APS services restart.
3. At the prompts, enter the crypto_user_name and then the crypto_user_password.
4. If this is the first time you authorized APS, follow the steps in “Configuring APS to inspect SSL traffic” below.

Configuring APS to inspect SSL traffic

Typically, you only need to configure these settings once, during the initial implementation. Before you perform this procedure, you must authorize APS. If you do not authorize APS first, APS generates an HSM Credential Status alert.

To configure APS to inspect SSL traffic:

1. In the APS UI, select Administration > General.
2. On the Configure General Settings page, select the Enable SSL Inspection check box.
3. (Optional) You can allow APS to include the URLs and domains from the decrypted traffic in its reporting of traffic levels throughout the UI. To do so, select the Include Decrypted URLs in HTTP Reporting check box.
4. Click Save.

Managing the Keys for the Hardware Security Module

The Hardware Security Module (HSM) requires you to import PEM-encoded private keys to decrypt associated SSL traffic. A PEM-encoded file, which APS refers to as a key, contains a private key and, for RSA ciphers, a certificate. For ciphers that require a certificate, the file also may contain an optional certificate chain. After you initialize the HSM, you can add and remove private keys for the HSM. The HSM supports a maximum of 1998 keys.

Managing keys with Venafi

You can import, remove, and manage RSA keys with the Venafi Trust Protection Platform. For information about the Venafi Trust Protection Platform, see https://www.venafi.com/platform.

To configure Venafi to work with APS, you need the following information and resources:

- The user name and password for the crypto user.
- The user name, password, and API token for an APS user that has been assigned to a user group with the authorization key to access the HSM. For information about user groups and authorization keys, see “About User Groups” on page 482. To generate an API token, see “Referencing the APS API” in the Arbor Networks APS API Programmer’s Guide.
- The Arbor-APS-xx.yy.zz-DDDD-TPP.ps1 PowerShell script, provided by Venafi.
  xx.yy.zz = APS version
  DDDD = APS build
  For example, Arbor-APS-5.11.0-HDYH-TPP.ps1
  To obtain this script, contact Venafi and follow their installation instructions. See https://www.venafi.com/platform.

Important: To allow Venafi to access APS using HTTPS, Arbor recommends that you add the IP address for the Venafi server to your access control lists.

Managing keys with the APS API

You can import and remove HSM keys with the /hsm/certificates/ methods in the APS API. For information about how to access and use the APS API, see “Referencing the APS API” in the Arbor Networks APS API Programmer’s Guide.

To view the APS API documentation and commented API calls, enter the following URL:
https://IP_address/api/aps/doc/v1/endpoints.html
IP_address = the IP address for your APS

Managing keys in the command line interface

You can import and remove keys in the command line interface (CLI). For information about the CLI, see “About the Command Line Interface (CLI)” on page 468.

Caution: When you remove a key from the HSM, APS can no longer inspect any SSL traffic that uses that key.

To import a key in the CLI:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system hsm key import label source
   label = a descriptive name that identifies this key in the HSM status displays
   source = the location of the PEM-encoded file. See “Location arguments for importing PEM-encoded files” below.
3. At the prompts, enter the crypto_user_name and then the crypto_user_password.
   Note: If you make a mistake when you type an HSM password, you cannot use the BACKSPACE key to correct it. Instead, you must retype the password.
4. If the Enter PEM pass phrase prompt appears, enter the pass phrase for the PEM-encoded file.
5. (Optional) Verify that the key is on the HSM as follows:
   a. Enter / system hsm key show
   b. At the prompts, enter the crypto_user_name and then the crypto_user_password.
6. Repeat this procedure to import additional keys as needed.

To remove a key in the CLI:

1. In the CLI, enter / system hsm key remove label
   label = the descriptive name that was assigned to this key when it was imported
2. At the prompts, enter the crypto_user_name and then the crypto_user_password.
3. Repeat this procedure to remove additional keys as needed.

If you want to remove all of the installed keys, you can zeroize the HSM instead of removing each key separately. Zeroizing the HSM deletes all of its configurations, keys, and users. See “Zeroizing the HSM” on page 158.

Location arguments for importing PEM-encoded files

Use one of the following arguments to specify the location from which to import a PEM-encoded file:

- disk:file_name
- scp://user@A.B.C.D:port/file_name
- scp://user@\aaaa:bbbb::\:port/file_name
- scp://user@hostname:port/file_name
- usb:file_name

scp = the protocol to use to access the remote host
[disk | usb] = the storage device on the APS appliance that contains the file
user = the user name that is required to access the remote host
[A.B.C.D | aaaa:bbbb:: | hostname] = the IPv4 address, IPv6 address, or hostname of the remote host that contains the file
port = the port on the remote host
file_name = the name of the PEM-encoded file to be imported, for example, sample.pem

Viewing the installed keys

You can view the following information about the keys that are installed on the HSM:

- number of keys
- key type (RSA or EC)
- label (the name that you assigned when you imported the key)

To view the installed keys:

1. In the CLI, enter / system hsm key show
2. At the prompts, enter the crypto_user_name and then the crypto_user_password.

Managing the Hardware Security Module

After you configure the Hardware Security Module (HSM), it requires little or no additional management.
However, you can perform the following tasks as needed.

Authorizing APS

The authorization process provides APS with the credentials to communicate with the HSM. If you do not persist the credentials when you configure the HSM, then you must re-authorize APS whenever the services restart. See “About the APS authorization” on page 150.

To authorize APS for the HSM:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system hsm services authorize {persist | nopersist}
   {persist | nopersist} = Type persist to allow APS to retain the user credentials after its services are restarted. Type nopersist to clear the credentials when the APS services are stopped. If you do not persist the credentials, then you must re-authorize APS whenever the APS services restart.
3. At the prompts, enter the crypto_user_name and then the crypto_user_password.

Changing your HSM password

You define the users and their passwords during the HSM initialization process. You can change your password as needed.

Note: If you make a mistake when you type an HSM password, you cannot use the BACKSPACE key to correct it. Instead, you must retype the password.

To change your password:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps stop
3. Enter / system hsm user password {user | officer} {crypto_user_name | crypto_officer_name}
   {user | officer} = Type user to change the password for the crypto user or officer to change the password for the crypto officer.
   {crypto_user_name | crypto_officer_name} = the user name that was defined during the HSM configuration
4. At the prompt, enter the current password.
5. At the next two prompts, enter the new password.
6. Enter / services aps start

Zeroizing the HSM

Caution: You cannot undo zeroizing the HSM.

If you need to reset the HSM to its pre-initialization state, you can zeroize it. Zeroizing the HSM deletes all of the configurations, keys, and users. For example, you might need to zeroize the HSM if you redeploy APS. You also might zeroize the HSM to clear the keys.

To zeroize the HSM:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps stop
3. Enter / system hsm zeroize
4. At the confirmation prompt, enter y
5. Enter / services aps start

Upgrading the HSM firmware

In some instances, Arbor includes an HSM firmware image in the APS installation package. For instructions on how to upgrade the HSM firmware, see “Upgrading the APS Software” on page 527.

If you need to downgrade the APS software, you also may need to downgrade the HSM firmware. For instructions, contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com/.

Viewing the Hardware Security Module Status

You can view the status of the Hardware Security Module (HSM) in the command line interface (CLI). For general information about the HSM and the CLI, see “About SSL Inspection with APS” on page 75 and “About the Command Line Interface (CLI)” on page 468.

You can view additional information about the HSM as follows:

- View the keys that are installed on the HSM. See “Viewing the installed keys” on page 157.
- View the status of the HSM in the UI, in the SSL Inspection section on the Summary page. See “Viewing the Status of SSL Inspection” on page 323. The SSL Inspection section also displays the amount of SSL traffic that the HSM observed and decrypted during the last hour.

Viewing the HSM status

The default HSM status displays brief information about the HSM and its state, such as the FIPS mode. The verbose status displays all of the available information about the HSM.

To view the status of the HSM:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system hsm show [verbose]
   verbose = shows all of the HSM status information

Viewing HSM login failures

The HSM allows a maximum of 20 login failures per user. When the maximum is reached, the HSM is zeroized (reset). You can view the current number of login failures for each user.

To view the HSM login failures:

1. In the CLI, enter / system hsm show verbose
2. In the resulting display, look for the line that begins with Login Failures.

Viewing the HSM statistics

You can view statistics such as the number of packets or the amount of traffic that the HSM processed as follows:

- In the CLI, enter / system hsm stats

Chapter 8: Managing Server Types

This section describes how to configure and manage the server types that APS uses to determine which protection settings are available for each protection group.

In this section

This section contains the following topics:

About the Server Types 162
Adding and Deleting Custom Server Types 167
Changing the Protection Settings for Server Types 169
About Traffic Profiling for Protection Configuration 171
Capturing Traffic Profiles 173
Using Traffic Profile Data to Configure Protection Settings 175
Restoring the Default Protection Settings 178

About the Server Types

The server type represents a class of hosts that a specific protection group protects. The server type determines which protection settings are available for a protection group and which application-specific data APS collects and displays for that group. Each protection group is associated with a server type; multiple protection groups can be associated with the same server type.
APS contains predefined, standard server types for IPv4 hosts and one standard server type for IPv6 hosts. These standard server types offer protection settings that cover most situations. To meet your organization’s more specific protection requirements, you can create custom server types based on the standard server types.

Navigating to the Server Types page

You add, edit, and delete the server types on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). You also can manage the server types in APS Console on the Server Types page. See “Adding and Deleting Custom Server Types” on page 167 and “Changing the Protection Settings for Server Types” on page 169.

About managing the server types from APS Console

If you manage APS with APS Console, then you can configure server types in APS Console and propagate the configurations to each managed APS. For a server type to be copied to an APS, that server type must be associated with a protection group that is assigned to the APS.

When you first connect APS to APS Console, the server types on APS Console are merged with any existing server types on APS. Thereafter, any changes to the server types on APS Console are periodically copied to each APS as appropriate. See “About the APS Console - APS Data Synchronization” on page 80.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Standard server types

The standard server types are as follows:

- Generic Server
  The generic server type contains all of the protection settings and is associated with the default protection group.
- Web Server
- DNS Server
- Mail Server
- VoIP Server
- VPN Server
- RLogin Server (remote login)
- File Server
- Generic IPv6 Server

About the custom server types

All of the protection groups that are associated with a specific server type have the same protection settings. If you need more flexibility in your protection configurations than the standard server types provide, you can create custom server types. Custom server types allow you to configure different protection settings for similar types of servers. For example, you can add a custom server type to protect specific DNS servers with settings that differ from the standard DNS Server settings.

Most custom server types are likely to be variations of existing ones. When you create a new server type, it inherits the protection settings from the existing server type on which it is based. You can edit the settings as necessary for the new server type.

You can create a maximum of 50 custom server types on an APS. You can associate a custom server type with any custom protection group. See “Adding Protection Groups” on page 188.

Examples of custom server types

Examples of how you can use custom server types are as follows:

- Different content
  Your organization might have one HTTP server that serves standard web pages, another that serves video, and another with a heavy AJAX interaction. Some of the HTTP-related protection categories, such as HTTP Rate Limiting, might not apply to all of those servers. You can create a custom server type with the appropriate protection settings for each of these HTTP servers.
- Different traffic rates
  An excessive amount of inbound traffic and connections for one server might be normal for another server. In such cases, setting appropriate thresholds for the rate-based protection categories can be difficult. You can create custom server types that are configured for different traffic rates.
- Separate server ownership
  In some organizations, different web servers can fall under completely separate ownership structures, in which different people are responsible for the availability of the web service. You can create custom server types with separate protection settings for separately owned servers.

Available protection settings for IPv4 standard server types

Certain protection settings are available for all of the IPv4 standard server types. Other settings include application-specific behavior and are available only for the server type that is associated with the application. For example, the HTTP Rate Limiting settings are available for a Web Server but not for a DNS Server.

The categories of protection settings that are available for the IPv4 standard server types are as follows:

Available protection settings for the IPv4 standard server types

Settings category | Generic Server | DNS Server | File Server | Mail Server | RLogin Server | VoIP Server | VPN Server | Web Server
ATLAS Intelligence Feed | x x x x x x x x
Application Misbehavior | x x x x x x
Block Malformed DNS Traffic | x
Block Malformed SIP Traffic | x x
Botnet Prevention | x x
CDN and Proxy Support | x
DNS Authentication | x x
DNS NXDomain Rate Limiting | x x
DNS Rate Limiting | x x
DNS Regular Expression | x x
Filter List | x x x x x x x x
Fragment Detection | x x x x x x x x
HTTP Header Regular Expressions | x x x x
HTTP Rate Limiting | x x x x
HTTP Reporting | x x x
ICMP Flood Detection | x
Malformed HTTP Filtering | x
Multicast Blocking | x
Payload Regular Expression | x x x x x x x x
Private Address Blocking | x x x x x x x x
Rate-based Blocking | x x x x x x x x
SIP Request Limiting | x
Spoofed SYN Flood Prevention | x x x
TCP Connection Limiting | x
TCP Connection Reset | x
TCP SYN Flood Detection | x
TLS Attack Prevention | x
Traffic Shaping | x
UDP Flood Detection | x

Available protection settings for the Generic IPv6 Server type

The categories of protection settings that are available for the Generic IPv6 Server type are as follows:

- Block Malformed DNS Traffic
- DNS Authentication
- DNS NXDomain Rate Limiting
- DNS Rate Limiting
- DNS Regular Expression
- Filter List
- Payload Regular Expression
- Rate-based Blocking
- Spoofed SYN Flood Prevention
- TCP Connection Limiting
- TCP Connection Reset
- Traffic Shaping

Adding and Deleting Custom Server Types

Custom server types allow you to configure different protection settings for similar types of servers. For example, you can add a custom server type to protect specific DNS servers with settings that differ from the standard DNS Server settings. When you create a new server type, it inherits the protection settings from the existing server type on which it is based. You can edit the settings as necessary for the new server type.

For general information about the server types, see “About the Server Types” on page 162.
Using APS Console

If you manage APS with APS Console, then you can configure server types in APS Console and propagate the configurations to each managed APS.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Adding a custom server type

Use this procedure to create a custom server type that inherits the protection settings from one of the standard server types.

To add a custom server type:

1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, click Custom Server Types, and then click Add Server Type.
3. In the Add A New Server Type window, define the server type as follows:
   Server Type Name box: Type a name to identify the server type throughout the UI.
   Base Server Type list: Select the server type on which to base the new server type.
4. Click Add Server Type.
5. (Optional) Edit the protection settings, and then click Save. The Save button appears at the bottom left of the page.
   For information about the specific protection settings, see the topics under “Configuring the Protection Settings” on page 199.

Duplicating an existing server type

Use this procedure to create a custom server type that inherits the protection settings from any standard server type or custom server type.

To duplicate an existing server type:

1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, from the Custom Server Types list, select the server type to duplicate.
3. Click Options, and then select Duplicate.
4. In the Server Type Name box, type a name to identify the server type throughout the UI.
5. (Optional) Edit the protection settings, and then click Save. The Save button appears at the bottom left of the page.
   For information about the specific protection settings, see the topics under “Configuring the Protection Settings” on page 199.

Deleting a custom server type

You can delete any custom server type. You cannot delete a standard server type.

Caution: When you delete a server type, all of the protection groups that are associated with that server type are deleted. Any IPv4 prefixes that were protected by the deleted protection groups are assigned to the default protection group unless they are included in another custom protection group.

To delete a custom server type:

1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, from the Custom Server Types list, select the server type to delete.
3. Click Options, and then select Delete.
4. In the confirmation window, click OK to delete the server type and any protection groups that are associated with that server type.

Changing the Protection Settings for Server Types

The protection settings are the criteria by which APS defines clean traffic and attack traffic. The default protection settings provide protection from the most common types of DDoS attacks. These attacks include TCP stack attacks, host or pipe flooding, fragmentation attacks, resource exhaustion, connection state attacks, botnet attacks, and vulnerability exploits.

You can customize these settings to provide more directed protection for specific server types, both standard and custom. If necessary, you can restore a particular server type’s protection settings to their default values. See “Restoring the Default Protection Settings” on page 178.

For information about the protection categories and suggestions for when to change the protection settings, see “About the Protection Settings Configuration” on page 201. For general information about the server types, see “About the Server Types” on page 162.

Using APS Console to manage protection settings

If you manage APS with APS Console, then you can configure server types in APS Console and propagate the configurations to each managed APS.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Navigating to the protection settings

The Configure Server Type page allows you to change the protection settings for each of the protected server types.

How changes affect the protection groups

When you add a protection group, you associate it with a server type. The protection group inherits the protection settings for that server type. If you change the protection settings for a server type, the change applies to all of the protection groups that have the same server type. For example, if you change the Web Server settings, those settings apply to all of the Web Server protection groups.

About capturing traffic profiles

APS can simplify the configuration of certain rate-based protection settings by learning typical network behaviors and suggesting protection settings that are appropriate for your network. To determine these settings, APS profiles your network by capturing statistical data about certain types of traffic. You can also use the profile data to estimate how much traffic would be passed at different thresholds and protection levels. See “About Traffic Profiling for Protection Configuration” on page 171.
If you use APS Console to manage APS, you can manage the profile captures for multiple APS devices from APS Console. Proprietary and Confidential Information of Arbor Networks Inc. 169 APS User Guide, Version 6.0 Configuring the protection settings To configure the protection settings for a server type: 1. Select Protect > Inbound Protection > Server Type Configuration. 2. On the Configure Server Type page, select Standard Server Types or Custom Server Types, and then select the specific server type for which to configure settings. 3. (Optional) To start the capture of profile data for this server type, click Options, and then select Profile Capture. 4. Edit the protection settings. When the View profile icon ( ) appears, you can use traffic profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175. For information about the specific protection settings, see the topics under “About the Protection Settings Configuration” on page 201 . 5. Click Save. This button appears at the bottom left of the page. 170 Proprietary and Confidential Information of Arbor Networks Inc. Chapter 8: Managing Server Types About Traffic Profiling for Protection Configuration APS can simplify the configuration of certain rate-based protection settings by learning typical network behaviors and suggesting protection settings that are appropriate for your network. To determine these settings, APS profiles your network by capturing statistical data about certain types of traffic. You can also use the profile data to estimate how much traffic would be passed at different thresholds and protection levels. The profile data includes passed traffic and might include blocked traffic, depending on why it was blocked. The data represents all the protection groups that are associated with the selected server type. Within each server type, the data applies to certain protection settings only. 
See “Protection settings that are profiled” below.

Traffic profiling on multiple APS devices
If you use APS Console to manage APS devices, you can select the APS devices on which to start, stop, and check the status of the profile data capture. The capture runs and the results appear on each selected APS. You can use the profile data as a guide to configuring the protection settings in APS Console.

Accessing the profile data
The profile data appears in a window that you access from the Configure Server Type page. The profile window displays the data from the most recent capture, or from the current capture, if one is in progress.

Protection settings that are profiled
APS captures profile data for the following protection settings, if the protection category is enabled:
• Fragment Detection: Maximum bps and Maximum pps
• ICMP Flood Detection: Maximum Request Rate and Maximum bps
• UDP Flood Detection: Maximum bps and Maximum pps
APS captures profile data for the following protection settings, if values are configured for the protection level that is current during the capture. For recommendations on the values to configure, see “Best practice for capturing accurate profiles” below.
• DNS NXDomain Rate Limiting: DNS NXDomain Rate Limit
• DNS Rate Limiting: DNS Query Rate Limit
• HTTP Rate Limiting: HTTP Request Limit and HTTP URL Limit
• Rate-based Blocking: Bits per Second Threshold and Packets per Second Threshold
• SIP Request Limiting: SIP Source Limit

Best practice for capturing accurate profiles
For the profile data to be accurate, the configured values for certain protection settings should be higher than the traffic rates that you expect the capture to observe. Otherwise, hosts that exceed the configured value are temporarily blocked during the capture and are not profiled correctly. This recommendation applies to the protection settings that temporarily block hosts, which appear in the second list under “Protection settings that are profiled” above.
Arbor recommends the following workflow for capturing accurate profiles. This workflow is not necessary for the protection settings that you do not need profile data to configure.

Best practice for capturing accurate profiles
Step 1. For the protection settings that you want to profile, configure temporary values that are far above any rate the capture could observe:
• Set the bit rates to 10000000000 (1 followed by 10 zeroes).
• Set the packet rates to 100000000 (1 followed by 8 zeroes).
• Set the other values to 1000000 (1 followed by 6 zeroes).
Configure these values for the protection level that will be current when you run the profile data capture. Typically, you run the profile data capture at the low protection level. You can use APS Console to configure these settings for multiple APS devices.
Step 2. Start the profile data capture. You can use APS Console to start the capture for multiple APS devices. The capture runs separately on each APS. See “Capturing Traffic Profiles” on page 173.
Step 3. When the capture finishes, replace the temporary values that you configured in Step 1: view the profile data and use it to determine the optimal values. If you manage multiple APS devices in APS Console, view the profile data on each APS. Use that information to determine the optimal values to use for all of the APS devices, and then set those values from APS Console. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.
Important: While the temporary values are in place, the profiled settings effectively cannot trigger at that protection level. Run the capture under normal traffic conditions, and restore working values as soon as the capture finishes.

Capturing Traffic Profiles
APS can profile your network by capturing statistical data about certain types of traffic. The profile data can help you configure protection settings that are optimized for your server types. In APS, you can start, stop, and check the status of the profile data capture on the Configure Server Type page. When you start a capture, you specify its duration, up to a maximum of two weeks.
See “About Traffic Profiling for Protection Configuration” on page 171 and “Using Traffic Profile Data to Configure Protection Settings” on page 175.

Using APS Console to start profile data captures on multiple APS devices
If you use APS Console to manage APS devices, you can select the APS devices on which to start, stop, and check the status of the profile data capture. The capture runs and the results appear on each selected APS. You can use the profile data as a guide to configuring the protection settings in APS Console.
APS captures data by server type for the traffic that applies to certain protection settings only. See “Protection settings that are profiled” on page 171.

Actions that affect the accuracy of the profile data
While a profile capture is in progress, avoid the following actions, which can cause inaccuracies in the profile data:
• Enabling or disabling the following protection categories during a profile data capture:
  ◦ Fragment Detection
  ◦ ICMP Flood Detection
  ◦ UDP Flood Detection
  The profile data is accurate only for the time during which the protection category was enabled. For example, if a category is enabled when the capture starts but you disable it during the capture, then the profile data reflects only the time during which the category was enabled.
• Changing the protection level during a profile data capture, if the protection settings have different values for the different protection levels. This issue applies only to the protection settings that temporarily block hosts. For example, the HTTP Request Limit is set to 10000 for the low protection level and 100 for the high protection level. When you start the capture, the current protection level is low. While the capture is still in progress, you change the protection level to high. Any hosts that are then sending more than 100 requests per second are temporarily blocked and are not profiled correctly.
• Changing the values of the protection settings during a profile data capture.
  This issue applies only to the following protection settings:
  ◦ DNS NXDomain Rate Limiting: DNS NXDomain Rate Limit
  ◦ DNS Rate Limiting: DNS Query Rate Limit
  ◦ HTTP Rate Limiting: HTTP Request Limit and HTTP URL Limit
  ◦ Rate-based Blocking: Bits per Second Threshold and Packets per Second Threshold
  ◦ SIP Request Limiting: SIP Source Limit

Capturing traffic profiles
To start capturing traffic profiles:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, select Standard Server Types or Custom Server Types, and then select a specific server type.
3. Click Options, and then select Profile Capture. If this server type is not associated with any protection groups, then the Profile Capture option is not available.
4. In the Profile Capture window, move the Length of capture slider to specify the duration of the capture. If a capture is running already, the window displays Ongoing and indicates when the capture started.
5. Click Start.
6. To close the Profile Capture window, click Close. The capture continues to run in the background.

Stopping a profile data capture
You can stop a profile data capture at any time. To determine whether a capture is running for a specific server type, you can view the capture status. See “Viewing the status of profile data captures” below.
To stop a profile data capture in APS:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, select Standard Server Types or Custom Server Types, and then select a specific server type.
3. Click Options, and then select Profile Capture.
4. In the Profile Capture window, click Stop.
To stop a profile data capture on multiple APS devices from APS Console:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, hover your mouse pointer over the name of a server type, and then click the context menu icon.
3. In the context menu, select Profile Capture.
4. In the Profile Capture window, select the APS devices on which to stop the capture, and then click Stop.
5. To close the Profile Capture window, click Close.

Viewing the status of profile data captures
The Profile Capture Status window displays the capture status for all the server types, including those that do not have capture data.
To view the status of the profile data captures:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. To view the capture status, click the Profile Capture Status icon on the menu bar.

Using Traffic Profile Data to Configure Protection Settings
After you run a profile data capture in APS, you can view the profile data in a profile window on the Configure Server Type page. For each of the settings that are profiled, you can view the data from the most recent capture, or from the current capture if one is in progress. You can use the profile data as a guide to help you configure the protection settings that are appropriate for your network. You can also use the profile data to estimate how much traffic would be passed at different thresholds and protection levels. See “About Traffic Profiling for Protection Configuration” on page 171.
The data represents all the protection groups that are associated with the selected server type. Within each server type, the data applies to certain protection settings only. See “Protection settings that are profiled” on page 171.
Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Before you begin
Before you can view or use the profile data, you must run a profile data capture to collect the data.
See “Capturing Traffic Profiles” on page 173.

Viewing and using the traffic profile data
To view the traffic profile data and use it to configure protection settings:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, select Standard Server Types or Custom Server Types, and then select a specific server type.
3. Click the View profile icon that appears next to the settings that you want to configure. Note: If a capture was not run, or if the most recent capture did not observe any traffic that applied to this setting, then the icon does not appear.
4. In the profile window, use the profile data to configure the protection settings in any of the following ways:
  ◦ To set the thresholds for this protection setting to the values that APS recommends, click Auto.
  ◦ To change the threshold values and view how they might affect the amount of passed traffic, drag the markers to different points on the histogram.
  ◦ Type different values in the protection setting fields and view the profile window to discover how those values might affect the amount of passed traffic.
Note: If you manage the server types in APS Console, do not change any settings in APS. Instead, go to APS Console and select Protect > Inbound Protection > Server Type Configuration. On the Server Types page, click the server type’s name link, and then edit the protection settings on the Server Types page.

Information in the profile window
In APS, the profile window displays the following information for a specific protection setting:
Last capture information: Displays the dates and times at which the capture began and ended.
Histogram: Displays the observed traffic volumes that apply to the current protection setting.
For example, the histogram for the Bits per Second Threshold setting displays the number of hosts that sent certain volumes of traffic, measured in bits per second. The gray area at the far right of the histogram represents values that are out of the histogram’s displayed range.
Linear and Log buttons: Change the scale of the y axis in the histogram graph as follows:
• Linear presents the number of hosts on a linear scale, in which the lines in the graph are proportional to the number of hosts.
• Log presents the number of hosts on a logarithmic scale, in which each unit increase represents an exponential increase in the number of hosts.
Markers: Indicate the points in the histogram that correspond to the configured threshold values for the protection levels: high (H), medium (M), and low (L). The markers work as follows:
• When you open the profile window, the markers reflect the currently configured threshold values.
• When you click Auto, the markers, the displayed values, and the protection setting fields change to the threshold values that APS recommends based on the profile data.
• You can drag the markers to different points on the histogram. As you drag the markers, the threshold values change in both the profile window and the protection setting fields.
• If you type different threshold values in the protection setting fields, the markers and the displayed values in the profile window change accordingly.
Caution: If you manage the server types in APS Console, do not edit them in APS.
Low, Med, and High values: Display the threshold values and the approximate amounts of traffic that those thresholds would allow APS to pass at each protection level.
Maximum x (where x varies depending on the protection setting): Displays the highest value of the item that is measured.
For example, if you view the values for the Bits per Second Threshold setting, then this value represents the Maximum bits per second.
Auto button: Changes the threshold values in the profile window and the protection setting fields to the recommended values. Caution: If you manage the server types in APS Console, do not edit them in APS.

Restoring the Default Protection Settings
You can change the protection settings for any standard server type or custom server type. You also can restore a particular server type’s protection settings to its default values. When you restore the protection settings for a server type, it affects each protection group that is associated with that server type. If a protection group in APS Console is assigned to one or more managed APS devices, the server type changes affect each assigned APS.
Restoring the protection settings affects the standard server types and custom server types as follows:
• When you restore the protection settings for a standard server type, the settings of any related custom server types are not affected.
• When you restore the protection settings for a custom server type, the settings are returned to the default settings of the base server type. Any changes that might have been made to the base server type’s settings are not applied to the custom server type.
For general information about the server types, see “About the Server Types” on page 162 and “Adding and Deleting Custom Server Types” on page 167.

Restoring the default protection settings
To restore the default protection settings:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Configure Server Type page, select Standard Server Types or Custom Server Types, and then select the specific server type for which to restore settings.
3. Click Options, and then select Restore Defaults.
4. In the confirmation window, click OK.
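The profile window described above turns a capture into a histogram, three ordered markers, and an estimate of how much traffic each marker would let through. The following Python script is an added example, not code from this guide or from the APS product, that models those pieces for a per-host setting such as the Bits per Second Threshold. SAMPLE_HOST_BPS is constructed data, and the percentile rule in auto_thresholds() is an assumption: the guide does not say how APS derives the values behind its Auto button. What the script does show is the check a practitioner wants before accepting any suggested values: the low threshold must be the most permissive and the high threshold the strictest, and blocking a host means counting all of its traffic as blocked.

```python
"""What the profile window computes from a traffic profile capture.

Added example, not code from the APS guide or product.  It reproduces the
shape of the profile window for a per-host rate setting (here Bits per
Second Threshold): a Log-scale histogram of hosts by observed rate, the
amount of traffic a given threshold would let APS pass, and three markers
ordered low >= medium >= high.  SAMPLE_HOST_BPS is constructed data, and the
percentile rule in auto_thresholds() is an assumption: the guide does not
say how APS derives the values behind its Auto button.
"""
import math
from typing import Dict, List, Optional, Tuple

# Constructed capture: peak bits per second seen from each of 100 source hosts.
SAMPLE_HOST_BPS: List[int] = (
    [1_200] * 40 + [5_000] * 25 + [20_000] * 15 + [90_000] * 8
    + [400_000] * 5 + [2_500_000] * 3 + [12_000_000] * 2 + [45_000_000] * 2
)

# Percentile of hosts at which each marker sits (assumed rule).  Low is the
# most permissive level, so it must sit at the highest percentile.
AUTO_PERCENTILES: Dict[str, int] = {"low": 97, "medium": 93, "high": 85}


def log_histogram(rates: List[int]) -> List[Tuple[int, int, int]]:
    """Count hosts per decade bin [10^k, 10^(k+1)), the shape of the Log view.
    Returns ascending (lower_edge, upper_edge, host_count) tuples."""
    counts: Dict[int, int] = {}
    for r in rates:
        k = int(math.floor(math.log10(r))) if r > 0 else 0
        counts[k] = counts.get(k, 0) + 1
    return [(10 ** k, 10 ** (k + 1), counts[k]) for k in sorted(counts)]


def passed_at(rates: List[int], threshold: int) -> Dict[str, float]:
    """Estimate what a per-host threshold would pass.  Hosts at or below the
    threshold pass in full; hosts above it are temporarily blocked, so all of
    their traffic is counted as blocked."""
    passed = [r for r in rates if r <= threshold]
    total = sum(rates)
    return {
        "hosts_passed": len(passed),
        "hosts_blocked": len(rates) - len(passed),
        "bps_passed": sum(passed),
        "share_passed": sum(passed) / total if total else 1.0,
    }


def nearest_rank(sorted_rates: List[int], pct: int) -> int:
    """Nearest-rank percentile using integer arithmetic (no float rounding)."""
    n = len(sorted_rates)
    idx = (pct * n + 99) // 100 - 1
    return sorted_rates[max(0, min(n - 1, idx))]


def auto_thresholds(rates: List[int], percentiles: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Suggest low/medium/high thresholds from the profile and check that
    they keep the order the markers must have (low >= medium >= high)."""
    percentiles = percentiles or AUTO_PERCENTILES
    s = sorted(rates)
    t = {level: nearest_rank(s, p) for level, p in percentiles.items()}
    if not (t["low"] >= t["medium"] >= t["high"]):
        raise ValueError(f"thresholds out of order: {t}")
    return t


def profile_window(rates: List[int]) -> Dict[str, object]:
    """Everything the window shows for one setting, as a dict."""
    t = auto_thresholds(rates)
    return {
        "histogram": log_histogram(rates),
        "maximum_bps": max(rates),
        "markers": {lvl: dict(threshold=thr, **passed_at(rates, thr)) for lvl, thr in t.items()},
    }


if __name__ == "__main__":
    w = profile_window(SAMPLE_HOST_BPS)
    for lo, hi, count in w["histogram"]:
        print(f"{lo:>10}-{hi:<10} {'#' * count}")
    for lvl, m in w["markers"].items():
        print(f"{lvl:6} threshold={m['threshold']:>10} bps  passes {m['share_passed']:.1%} "
              f"of traffic, blocks {m['hosts_blocked']} hosts")
```

Run stand-alone, the script prints the decade histogram and, for each marker, the threshold, the share of captured traffic it would pass, and the number of hosts it would block. Note how a few high-rate hosts dominate the byte count: the low marker blocks only 2 of 100 hosts, yet passes well under half of the captured bits, which is the kind of trade-off the Low, Med, and High values in the real window are there to make visible.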
Chapter 9: Configuring Protection Groups
This section describes how to set up the protection groups that APS uses to monitor your network activity and mitigate attack traffic.
In this section
This section contains the following topics:
About Protection Groups 180
About the Protection Levels 185
Adding Protection Groups 188
Automating the Protection Level for a Protection Group 193
Editing and Deleting Protection Groups 194
Viewing the Status of Protection Groups 196

About Protection Groups
APS monitors your network traffic and mitigates attacks by using the protection settings that are defined for one or more protection groups. A protection group represents either IPv4 hosts or IPv6 hosts that you need to protect. Each protection group is associated with a server type and one or more host servers of that type. For example, a protection group can represent a single web server or a specific group of DNS servers.

Maximum number of protection groups
On the APS 2600 and APS 2800 appliances, APS supports a maximum of 100 protection groups. Because the default protection group counts toward this maximum, you can add 99 custom protection groups.
On vAPS and the APS 2000 and APS 2100 appliances, APS supports a maximum of 50 protection groups. Because the default protection group counts toward this maximum, you can add 49 custom protection groups.
Important: If you use the minimum vAPS configuration, vAPS only supports a maximum of 10 protection groups. Because the default protection group counts toward this maximum, you can add 9 custom protection groups. See the “Minimum System Resources” information in the Arbor Networks Virtual APS Installation Guide.

About the default protection group
The default protection group provides protection for all of the IPv4 hosts in your enterprise as soon as you put APS into an active protection mode.
The default protection group is preconfigured to protect all IPv4 hosts and is associated with the generic server type, which contains nearly all of the protection settings categories. You can edit the default protection group, but only to configure its protection mode, protection level, and bandwidth alert thresholds. You cannot delete the default protection group.
Note: The default protection group only protects IPv4 hosts. It does not protect IPv6 hosts. You can configure a custom IPv6 protection group to serve as the default IPv6 protection group. For an example that illustrates how to create a default protection group for all of the unprotected IPv6 hosts, see the “IPv6 prefix matching example” on page 183.

About custom protection groups
A custom protection group protects a specific host or group of hosts and allows you to configure the most appropriate protection settings for those hosts. You can add protection groups to protect either IPv4 hosts or IPv6 hosts. Throughout APS and APS Console, you can monitor traffic and mitigate attacks by protection group, so that you can focus your attention on your most critical hosts. Arbor recommends that you create a protection group for each of the services that you want to protect. See “Adding Protection Groups” on page 188.

Protection group concepts
A protection group is associated with the following items:
Protection protocol: You can create protection groups to protect IPv4 hosts or IPv6 hosts.
Protected hosts: Protection groups monitor and mitigate the traffic that is destined for one or more host servers. You define the protected hosts by their prefixes or a set of prefixes. A protection group can protect either IPv4 hosts or IPv6 hosts. You cannot add IPv4 hosts and IPv6 hosts to a single protection group. See “Prefix matching in protection groups” on page 183.
Server type The server type represents a class of servers that APS protects. The server type determines which protection settings are available for a protection group and the application-specific data that APS collects and displays for the group. When you create an IPv4 protection group, you can select a standard IPv4 server type or a custom IPv4 server type, if any. When you create an IPv6 protection group, you can select the Generic IPv6 Server standard server type or a custom IPv6 server type, if any. See “About the Server Types” on page 162. Protection settings The protection settings are the criteria by which APS defines clean traffic and attack traffic. For example, if a setting specifies a threshold based on the number of requests per second, then traffic that exceeds the threshold is considered to be an attack. Protection categories The protection settings are organized into categories, each of which detects a different type of attack traffic. A protection group contains the categories of settings that are most appropriate for its server type. For example, a Web Server protection group contains the HTTP categories of settings, which detect HTTP-based attacks. Proprietary and Confidential Information of Arbor Networks Inc. 181 APS User Guide, Version 6.0 Protection group concepts (Continued) Concept Description Protection levels For each of the protection settings, you can specify different values for the low, medium, and high protection levels. The current protection level determines which protection settings are in use at any given time. By default, all of the protection groups use a global protection level. You can continue to use the global protection level or you can configure individual protection levels for specific protection groups. These individual protection levels take precedence over the global protection level. 
You also can use the total traffic threshold or the global total traffic threshold to automate the protection level for a protection group. See “Automating the Protection Level for a Protection Group” on page 193. Protection mode The protection mode determines whether APS mitigates traffic. In active mode, APS mitigates attacks in addition to monitoring traffic. In inactive mode, APS detects attacks but does not mitigate them. You can set the protection mode for an individual protection group without affecting any other traffic. For example, you can set a protection group to inactive mode for testing while keeping the rest of the system in active mode. See “Setting the Protection Mode (Active or Inactive)” on page 66. About managing the protection groups from APS Console When you use APS Console to manage APS devices, you can add the protection groups in APS Console and then assign APS devices to those protection groups. See “Adding, Editing, and Deleting Protection Groups” in the Arbor Networks APS Console User Guide . APS Console can determine how many protection groups an APS is assigned to. So if an APS is assigned to the maximum number of protection groups, APS Console does not allow you to assign that APS to another protection group. Before APS Console allows you to assign the APS to another protection group, you must unassign the APS from at least one protection group. See “Maximum number of protection groups” on page 180. When you first connect APS to APS Console, the protection groups on APS Console are merged with any existing protection groups on the assigned APS devices. Thereafter, any changes to the protection groups on APS Console are periodically copied to each APS that is assigned to the protection group. See “About the APS Console - APS Data Synchronization” on page 80. Caution If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. 
As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Prefix matching in protection groups
When different length prefixes of the same network are protected by one protection group or separate protection groups, APS matches traffic to the most specific (longest) prefix.

IPv4 prefix matching examples
In the first IPv4 prefix matching example, the protection groups protect the following IPv4 hosts:
• Protection Group 1: 198.51.100.0/24
• Protection Group 2: 198.51.100.5/32
When traffic is destined to the IP address 198.51.100.5, APS matches it to Protection Group 2, which is the most specific match.
In the second IPv4 prefix matching example, the protection groups protect the following IPv4 hosts:
IPv4 prefix matching
Protection group name | Protected Hosts setting | Matched traffic
Protection Group 3 | 192.0.2.2/32 | All the traffic that is destined to 192.0.2.2
Protection Group 4 | 192.0.2.0/24 | All the traffic that is destined to 192.0.2.0/24, except for the traffic that is destined to 192.0.2.2
IPv4 default protection group | 0.0.0.0/0 | All IPv4 traffic, except for the traffic that is destined to 192.0.2.0/24

IPv6 prefix matching example
In the following IPv6 prefix matching example, the protection groups protect the following IPv6 hosts:
IPv6 prefix matching
Protection group name | Protected Hosts setting | Matched traffic
Protection Group 5 | fe80:22:ab00::3bf:159a:1/128 | All the traffic that is destined to fe80:22:ab00::3bf:159a:1
Protection Group 6 | fe80:22:ab00::/40 | All the traffic that is destined to fe80:22:ab00::/40, except for the traffic that is destined to fe80:22:ab00::3bf:159a:1
Protection Group 7 (serves as a default protection group for IPv6 hosts) | ::/0 | All IPv6 traffic, except for the traffic that is destined to fe80:22:ab00::/40

About the Protection Levels
The protection level defines the strength of protection that APS provides and the associated intrusiveness and risk of blocking clean traffic. The protection levels are low, medium, and high. The protection levels are associated with different protection settings. These settings include those that are not user-defined, such as the invalid packets protection category. When the protection level is set, the protection settings that are associated with that level are enabled.

User access
Only administrators can change the protection level. Non-administrative users can view the current protection level but cannot make changes.

About the different protection levels
The protection level determines which protection settings are in use at any given time. For example, if the protection level is low, then the low protection settings are used to inspect the current traffic. You can change the protection level as needed to mitigate attacks. See “Changing the Protection Level” on page 361.
Initially, APS uses a global protection level, which applies to the entire APS. You can continue to use the global protection level, but you also can configure individual protection levels for specific protection groups and the outbound threat filter. These individual protection levels take precedence over the global protection level.

About the protection levels for protection groups and the outbound threat filter
The protection level determines which protection settings are in use for a specific protection group or the outbound threat filter.
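The prefix matching examples above, together with the two rules from the protection group concepts (a group holds either IPv4 or IPv6 prefixes, never both, and a group's own protection level takes precedence over the global level), are easy to get wrong when a configuration has overlapping prefixes across several groups. The following Python script is an added example, not code from this guide or from the APS product, that applies those rules to the guide's own group names and prefixes. The level assigned to each sample group, the GLOBAL_LEVEL value, and the ProtectionGroup structure are assumptions used to show which level's settings would apply once a destination is matched; the longest-prefix rule itself is the one the guide states.

```python
"""Matching destination traffic to protection groups by longest prefix.

Added example, not code from the APS guide or product.  It models two rules
stated in the guide: a protection group protects a set of IPv4 or IPv6
prefixes (never both families), and when several groups cover a destination,
APS uses the most specific (longest) prefix.  The 'level' attribute and the
global-level fallback are assumptions used to show which settings would then
apply; the group names and prefixes are the guide's own examples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GLOBAL_LEVEL = "low"   # assumption: the global protection level currently in effect


@dataclass
class ProtectionGroup:
    name: str
    protected_hosts: List[str]            # prefixes or single addresses, as typed in the UI
    level: Optional[str] = None           # "low"/"medium"/"high"; None = use the global level
    prefixes: list = field(init=False, default_factory=list)
    version: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # A host address without a mask becomes a /32 or /128; strict=False
        # tolerates host bits set in a prefix, as a UI would normalise them.
        self.prefixes = [ipaddress.ip_network(h, strict=False) for h in self.protected_hosts]
        versions = {p.version for p in self.prefixes}
        if len(versions) != 1:
            raise ValueError(f"{self.name}: a protection group cannot mix IPv4 and IPv6 hosts")
        self.version = versions.pop()


def match_group(dst: str, groups: List[ProtectionGroup]):
    """Return (group, matching prefix) for the longest prefix that contains dst,
    or None when no group of that address family covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for g in groups:
        if g.version != addr.version:
            continue                      # an IPv4 group never sees IPv6 traffic, and vice versa
        for p in g.prefixes:
            if addr in p and (best is None or p.prefixlen > best[1].prefixlen):
                best = (g, p)
    return best


def effective_level(group: Optional[ProtectionGroup]) -> str:
    """A group's own level takes precedence over the global level."""
    return group.level if group is not None and group.level else GLOBAL_LEVEL


def classify(dst: str, groups: List[ProtectionGroup]) -> Tuple[Optional[str], str]:
    """Name of the group that would handle dst, and the level whose settings apply."""
    m = match_group(dst, groups)
    return (m[0].name if m else None, effective_level(m[0] if m else None))


# The guide's second IPv4 example and its IPv6 example, as one configuration.
# Levels are assumed; order is deliberately not longest-first.
SAMPLE_GROUPS = [
    ProtectionGroup("IPv4 default protection group", ["0.0.0.0/0"]),
    ProtectionGroup("Protection Group 4", ["192.0.2.0/24"]),
    ProtectionGroup("Protection Group 3", ["192.0.2.2/32"], level="high"),
    ProtectionGroup("Protection Group 7", ["::/0"]),
    ProtectionGroup("Protection Group 6", ["fe80:22:ab00::/40"]),
    ProtectionGroup("Protection Group 5", ["fe80:22:ab00::3bf:159a:1/128"], level="medium"),
]


if __name__ == "__main__":
    for dst in ["192.0.2.2", "192.0.2.77", "198.51.100.9",
                "fe80:22:ab00::3bf:159a:1", "fe80:22:ab00::1", "2001:db8::1"]:
        print(f"{dst:28} -> {classify(dst, SAMPLE_GROUPS)}")
```

The sample configuration lists the broad prefixes first to show that matching does not depend on the order in which groups were added: 192.0.2.2 still lands in Protection Group 3, and the rest of 192.0.2.0/24 in Protection Group 4. Feeding a mixed IPv4/IPv6 host list to ProtectionGroup raises immediately, which is the same constraint the Add Protection Group page enforces by offering separate IPv4 and IPv6 group types.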
You might change the protection level for a protection group or the outbound threat filter in the following situations:
• To respond to attacks and traffic spikes against one protection group without affecting the traffic to the other protection groups.
• To respond to outbound threats without affecting the inbound traffic.
• To determine how different protection levels affect the traffic when you create a new protection group or change the settings for an existing protection group.
You also can automate the protection level for a protection group. See “Automating the Protection Level for a Protection Group” on page 193.

About the protection levels for the protection settings
For each of the protection settings, you can specify different values for the low, medium, and high protection levels. The current protection level determines which of the settings are used at any given time. For example, you might set conservative thresholds for the low protection level and more aggressive thresholds for the medium and high protection levels.
You also can leave the protection settings empty or disable one or more of the protection levels. For example, you might disable a setting for the low protection level and then enable it for the medium and high protection levels.
You configure the protection settings on the following pages:
• Configure Server Type page (Protect > Inbound Protection > Server Type Configuration), for inbound traffic. See “Changing the Protection Settings for Server Types” on page 169.
• Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter), for outbound traffic. See “Configuring the Outbound Threat Filter” on page 205.

Viewing the current protection level
Throughout the UI, the following icons represent the protection levels: global, low, medium, and high.
The current protection level is indicated by a check mark in the corresponding icon. You also can automate a protection group’s protection level. The following icons represent the low automated protection level and the high automated protection level (there is no medium automated protection level).
You can view the current protection level on the following pages:
Where you can view the protection level
Protection level | Page | How the protection level is indicated
Global | All pages | In the upper right of the APS window, the protection level icons indicate the current global protection level.
Protection group | List Protection Groups page | To the far right of the protection group name, a single icon indicates the protection group’s protection level. If the protection group uses the global protection level, no icon appears.
Protection group | View Protection Group page | The header area contains text that indicates the protection group’s protection level. When you edit a protection group, all of the protection level icons appear. The protection group’s current protection level is checked, and you can click an icon to change the protection level.
Outbound threat filter | Outbound Threat Filter page | The header area contains text that indicates the outbound threat filter’s protection level. When you edit the outbound threat filter, all the protection level icons appear. The outbound threat filter’s current protection level is checked, and you can click an icon to change the protection level.

Balancing protection and risk
The risk of blocking clean traffic increases with the level of protection. Generally, you should set the protection level to low. Reserve the medium and high levels for use during attack conditions.
Important: Arbor recommends that you experiment with different protection levels during normal operations, so that you can identify any potential problems before an attack occurs.
When you test the protection levels, be sure to change the protection mode to inactive to avoid blocking traffic unintentionally. See “Implementing APS for Trial or Monitoring Only” on page 54.
The following table describes when to use the different protection levels and the levels of protection and risk that are associated with each one:
Levels of protection and risk
Level | When to use | Level of protection and risk
Low | Under normal conditions | This level is the safest but it offers the least protection. Only traffic that is safe to block is blocked. There is no tolerance for false positives.
Medium | During a significant attack | The protection settings are stricter. Clean traffic that is unusual might be blocked.
High | During a heavy attack | This level provides the most aggressive protection but it carries risks. Blocking some clean traffic is acceptable as long as most of the hosts are protected.
For protection groups, you can automate the protection level. When you automate the protection level, APS uses a total traffic threshold to determine when to change the protection level from low to high. See “Automating the Protection Level for a Protection Group” on page 193.

Recommended protection levels for protection settings
Your protection settings at the low level should protect your network against the majority of attacks without blocking any clean traffic. If a large number of attacks are passed through, then you might need to configure more aggressive thresholds at the low level. Conversely, if too much clean traffic is blocked, then you might need to configure more conservative thresholds at the low level. As you use APS and review the traffic information that it provides, you can refine the settings to provide an acceptable balance between protection and risk.
187 APS User Guide, Version 6.0

Adding Protection Groups

You can add protection groups to protect a specific host or group of hosts with the most appropriate protection settings for those hosts. You can create protection groups to protect either IPv4 hosts or IPv6 hosts. If a hostname resolves to both IPv4 addresses and IPv6 addresses, you must create two protection groups: an IPv4 protection group to protect the IPv4 addresses, and an IPv6 protection group to protect the IPv6 addresses.

To edit a protection group, you use the View Protection Group page. See “Editing and Deleting Protection Groups” on page 194.

About server types

When you add a protection group, you associate it with a server type. The server type determines which protection settings are available for a protection group. Therefore, to change the protection settings for a protection group, change its server type. You also can add custom server types, which allow you to configure different protection settings for similar types of servers. See “Adding and Deleting Custom Server Types” on page 167.

Adding a protection group

To add a protection group:

1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click Add IPv4 Protection Group or Add IPv6 Protection Group.
   Tip: If you add both IPv4 protection groups and IPv6 protection groups, Arbor recommends that you prepend “IPv4” or “IPv6” to the protection group name. This prefix helps you to quickly identify the protection group’s protocol when you see the name.
   The maximum number of protection groups you can add to an APS depends on the device. See “Maximum number of protection groups” on page 180.
3. On the Add Protection Group page, configure the settings. See “Protection group settings” on the facing page.
4. Click Add.
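As an added example (not code from the Arbor guide or the APS product), the following Python script pre-checks a Protected Hosts list before it is entered in the UI: it accepts the three entry forms the settings table lists (a host address, a hostname, a CIDR prefix), splits the result into the prefixes for an IPv4 group and an IPv6 group as the dual-stack rule above requires, and collapses host prefixes into CIDR blocks as Arbor recommends for large host lists. The hostname table and the sample entries are constructed; real use would resolve names through DNS.

```python
"""Pre-check a Protected Hosts list and split it into IPv4 and IPv6 groups.

Added example; this is not code from the Arbor Networks APS guide or product.
Hostnames are resolved against a constructed in-memory table so the script
runs offline; a real pre-check would use DNS instead.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for DNS: hostname -> addresses it resolves to.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "myserver.mycompany.net": ["12.0.0.1", "2001:DB8::2"],  # dual-stacked host
    "legacy.mycompany.net": ["12.8.4.10"],                  # IPv4-only host
}


def expand_entry(entry: str, dns: Dict[str, List[str]] = CONSTRUCTED_DNS) -> List[Network]:
    """Return the prefix(es) that one Protected Hosts entry covers.

    A bare address becomes a host prefix (/32 or /128); a CIDR string is kept
    as written (strict parsing rejects a prefix with host bits set, such as
    12.8.4.1/24); a hostname expands to one host prefix per address it
    resolves to. Anything else raises ValueError so it can be fixed before
    it is pasted into the UI.
    """
    try:
        return [ipaddress.ip_network(entry)]
    except ValueError:
        pass  # not an address or a well-formed CIDR prefix; try it as a hostname
    if entry in dns:
        return [ipaddress.ip_network(addr) for addr in dns[entry]]
    raise ValueError(f"not an IP address, CIDR prefix, or resolvable hostname: {entry!r}")


def split_by_family(entries: List[str]) -> Tuple[List[Network], List[Network]]:
    """Partition entries into the prefixes for an IPv4 group and an IPv6 group.

    A dual-stacked hostname contributes to both lists, which is exactly the
    case in which the guide requires two protection groups. Duplicates are
    dropped and each list is sorted by address.
    """
    v4: set = set()
    v6: set = set()
    for entry in entries:
        for net in expand_entry(entry):
            (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)


def summarize(nets: List[Network]) -> List[Network]:
    """Collapse host prefixes into the CIDR blocks the guide recommends for large lists.

    ipaddress.collapse_addresses merges only exactly adjacent, aligned ranges
    and drops prefixes already covered by a wider one, so the result protects
    the same addresses and nothing more.
    """
    return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    # Constructed sample using the address forms quoted in the settings table.
    sample = ["12.0.0.1", "2001:DB8::2", "myserver.mycompany.net",
              "12.8.4.0/24", "2001:DB8::/32", "legacy.mycompany.net"]
    ipv4_group, ipv6_group = split_by_family(sample)
    print("IPv4 protection group:", [str(n) for n in summarize(ipv4_group)])
    print("IPv6 protection group:", [str(n) for n in summarize(ipv6_group)])
```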
Protection group settings

To view information about a protection group’s traffic levels, click (See threshold graphs). See “About the threshold graphs” on page 191.

Protection group settings

Protection Group Name box: Type a name to identify the protection group throughout the UI.

Protected Hosts box: You can specify IPv4 hosts and IPv6 hosts in any of the following forms:
- A host IP address, such as 12.0.0.1 or 2001:DB8::2.
- A valid hostname, such as myserver.mycompany.net. The hostname resolves to its corresponding IP address and prefix.
- An IP address and routing prefix in CIDR form, such as 12.8.4.0/24 or 2001:DB8::/32.
To protect a large number of hosts (for example, thousands of hosts), Arbor recommends that you use a CIDR prefix instead of specifying individual prefixes.

Server Type list: Select the type of server that the protection group protects. The server type determines the protection settings that are available for the protection group. When you create an IPv4 protection group, you can select a standard IPv4 server type or a custom IPv4 server type, if any. When you create an IPv6 protection group, you can select the Generic IPv6 Server standard server type or a custom IPv6 server type, if any. See “About the Server Types” on page 162.

Protection Group Mode options: Select Active or Inactive to configure the protection mode. APS mitigates traffic for a protection group only when the protection mode is active for both the protection group and the APS. See “Setting the Protection Mode (Active or Inactive)” on page 66.

Protection Level options: Select an icon to set the protection level for the protection group (global, low, medium, or high). A check mark in the icon indicates which level is selected.
The protection level icons are Global, Low, Medium, and High. If you select the global icon, the protection group uses the APS protection level. For information about the global protection level, see “About the Protection Levels” on page 185. Also, see “Changing the Protection Level” on page 361.

Protection Group Description box: Type a description that can help to identify the protection group.

Detection and Automation Policy section: This section appears only when you edit a protection group. Use the settings in this section to configure alerting that is based on a user-specified traffic threshold or a global traffic threshold. You also can automate the protection level for a protection group, based on the total traffic threshold.

Total Traffic options: These options are available only when you edit a protection group. Select an option to configure the level of total traffic that causes the APS to automate the protection level or trigger total traffic alerts for the protection group:
- Automatically change the protection level using the global total traffic threshold: APS uses the global total traffic threshold setting to determine when to automate the protection level and trigger this type of alert. See “Automating the Protection Level for a Protection Group” on page 193.
- Automatically change the protection level when traffic exceeds: Specify a total traffic threshold in bps, pps, or both bps and pps.
- Alert using the global total traffic threshold: APS uses the global total traffic threshold setting to determine when to trigger this type of alert.
- Alert when traffic exceeds: Specify a traffic threshold in bps, pps, or both bps and pps.
- Do not alert or change the protection level based on the total traffic threshold: Disables the protection level automation and total traffic alerts for the protection group.
To view or change the global threshold, click the View the global total traffic threshold settings link.
Blocked Traffic options: These options are available only when you edit a protection group. Select an option to configure the level of blocked traffic that causes the APS to trigger blocked traffic alerts for the protection group:
- Alert using the global blocked traffic threshold: APS uses the global blocked traffic threshold setting to determine when to trigger this type of alert. To view or change the global threshold, click the View the global blocked traffic threshold settings link.
- Alert when traffic exceeds: Specify a traffic threshold in bps, pps, or both bps and pps.
- Do not alert for blocked traffic: Disables the blocked traffic alerts for the protection group.

Botnet Traffic options (IPv4 protection groups only): These options are available only when you edit a protection group. Select an option to configure the level of botnet traffic that causes APS to trigger botnet traffic alerts for the protection group:
- Alert using the global botnet traffic threshold: APS uses the global botnet traffic threshold setting to determine when to trigger this type of alert. To view or change the global threshold, click the View the global botnet traffic threshold settings link.
- Alert when traffic exceeds: Specify a traffic threshold in bps, pps, or both bps and pps.
- Do not alert for botnet traffic: Disables the botnet traffic alerts for the protection group.

For information about the global thresholds, see “Configuring Global Thresholds for Bandwidth Alerts” on page 126.

About the threshold graphs

The (See threshold graphs) icon displays graphs that show the protection group’s traffic levels in bytes per second and packets per second. Both graphs show the traffic levels for the last seven days, the current baseline if it is available, and the current threshold.
This information can help you determine the thresholds to set for the protection group.

Adding protection groups on APS Console

When you use APS Console to manage APS devices, you can add the protection groups in APS Console and then assign APS devices to those protection groups. See “Adding, Editing, and Deleting Protection Groups” in the Arbor Networks APS Console User Guide.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Automating the Protection Level for a Protection Group

You can automate the protection level for a protection group. When you automate the protection level, APS uses a total traffic threshold to determine when to change the protection level from low to high. See “About the Protection Levels” on page 185.

About protection level automation

To automate the protection level for a protection group, you select a Detection and Automation Policy for total traffic to automatically change the protection level. After you select a policy that automatically changes the protection level, APS sets the protection group’s protection level to low. If traffic to the protection group exceeds the total traffic threshold, then, within one minute, APS changes the protection level to high and triggers an alert. The protection level remains high for at least five minutes. At any time after that, if the traffic level falls below the threshold, the protection level returns to low.
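The following Python simulation is an added example, not code from the Arbor guide or the APS product. It models the automation rules just described (low to high within a minute of exceeding the threshold, an alert on that transition, a five-minute hold, return to low afterwards) together with the rule, given under “Disabling protection level automation”, that a manual level change turns automation off. It assumes one traffic sample per minute, that the hold time counts from the minute the level went high, and that when both a bps and a pps threshold are set, exceeding either one triggers the change; the traffic samples are constructed.

```python
"""Simulate APS protection-level automation for a protection group.

Added example; this is not code from the Arbor Networks APS guide or product.
Assumptions (not stated in the guide): traffic is sampled once per minute,
the five-minute hold counts from the minute the level went high, and when
both a bps and a pps threshold are configured, exceeding either one counts.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOW, MEDIUM, HIGH = "low", "medium", "high"
MIN_HIGH_MINUTES = 5  # the guide: the level remains high for at least five minutes


@dataclass
class TotalTrafficThreshold:
    """The 'Automatically change the protection level when traffic exceeds' setting."""
    bps: Optional[int] = None
    pps: Optional[int] = None

    def exceeded(self, bps: int, pps: int) -> bool:
        # Assumption: with both values configured, either one being exceeded counts.
        over_bps = self.bps is not None and bps > self.bps
        over_pps = self.pps is not None and pps > self.pps
        return over_bps or over_pps


@dataclass
class ProtectionGroup:
    name: str
    threshold: TotalTrafficThreshold
    automation: bool = True          # set by choosing an 'Automatically change' policy
    level: str = LOW                 # APS sets the level to low when automation is enabled
    raised_at: Optional[int] = None  # minute at which the level last went to high
    alerts: List[int] = field(default_factory=list)  # minutes at which alerts fired

    def observe(self, minute: int, bps: int, pps: int) -> str:
        """Feed one per-minute total-traffic sample and return the resulting level."""
        if not self.automation:
            return self.level  # automation off: the level changes only by hand
        over = self.threshold.exceeded(bps, pps)
        if self.level == LOW and over:
            self.level = HIGH           # within one minute of exceeding the threshold...
            self.raised_at = minute
            self.alerts.append(minute)  # ...and an alert is triggered
        elif self.level == HIGH and not over and minute - self.raised_at >= MIN_HIGH_MINUTES:
            self.level = LOW            # hold time elapsed and traffic is below threshold
            self.raised_at = None
        return self.level

    def set_level_manually(self, level: str) -> None:
        """Operator changes the level: APS disables automation and keeps that level."""
        self.automation = False
        self.level = level


def simulate(group: ProtectionGroup, samples: List[Tuple[int, int, int]]) -> List[str]:
    """Run (minute, bps, pps) samples through the group; return the level after each."""
    return [group.observe(minute, bps, pps) for minute, bps, pps in samples]


# Constructed one-minute samples: a 1.5 Gbps burst at minute 1, quiet traffic
# afterwards, then a packet-rate burst at minute 7 that exceeds pps but not bps.
CONSTRUCTED_SAMPLES: List[Tuple[int, int, int]] = [
    (0, 200_000_000, 50_000),
    (1, 1_500_000_000, 60_000),
    (2, 300_000_000, 50_000),
    (3, 300_000_000, 50_000),
    (4, 300_000_000, 50_000),
    (5, 300_000_000, 50_000),
    (6, 300_000_000, 50_000),
    (7, 400_000_000, 600_000),
    (8, 100_000_000, 10_000),
]


def run_demo() -> Tuple[List[str], List[int]]:
    """Automated group with a 1 Gbps / 500 kpps threshold over the constructed samples."""
    group = ProtectionGroup("IPv4 web servers",
                            TotalTrafficThreshold(bps=1_000_000_000, pps=500_000))
    levels = simulate(group, CONSTRUCTED_SAMPLES)
    return levels, group.alerts


if __name__ == "__main__":
    levels, alerts = run_demo()
    for (minute, _, _), level in zip(CONSTRUCTED_SAMPLES, levels):
        print(f"minute {minute}: {level}")
    print("alerts at minutes:", alerts)
```

The level drops back to low only at minute 6, five minutes after the first burst, even though traffic was below the threshold from minute 2 on; the minute-7 burst is caught by the pps threshold alone.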
Automating the protection level

You can select an automation option only when you edit a protection group.

To automate the protection level for a protection group:

1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. In the Detection and Automation Policy section, select one of the following options from the Total Traffic list:
   - Automatically change the protection level using the global total traffic threshold. For this option, make sure you configure a global total traffic threshold.
   - Automatically change the protection level when traffic exceeds. For this option, specify a total traffic threshold in bps, pps, or both bps and pps.

Disabling protection level automation

If you change a protection group’s protection level when automation is enabled, then APS automatically disables the automation. You also can disable automation by changing the total traffic setting to an alerting option or by turning off automation and alerting. In this case, the protection level remains the same as it was before you disabled the automation. See “Protection group settings” on page 189.

Editing and Deleting Protection Groups

After you create a protection group, you can edit the attributes of that protection group. For example:

- When you first create and test a new protection group, you can set its protection mode to inactive so that it does not affect traffic. When you finish the testing, you can change the group’s protection mode to active.
- You can change a protection group’s protection level as needed to mitigate attacks against the protected hosts in that group.
- You can set bandwidth thresholds or use global thresholds that determine the amount of traffic that triggers an alert or automates the protection level for a protection group. See “Automating the Protection Level for a Protection Group” on the previous page.
- Because the server type determines which protection settings are available for a protection group, you change a protection group’s protection settings by changing its server type. See “Adding Protection Groups” on page 188.

About the default protection group

You can edit the default protection group, but only to configure its protection mode, protection level, and bandwidth alert thresholds. You cannot delete the default protection group. The default protection group protects all of the IPv4 hosts in your enterprise as soon as you put APS into an active protection mode.

About configuring protection groups in APS Console

When you use APS Console to manage APS devices, you can add the protection groups in APS Console and then assign APS devices to those protection groups. See “Adding, Editing, and Deleting Protection Groups” in the Arbor Networks APS Console User Guide.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Editing a protection group

To edit a protection group:

1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. Change the settings as needed. See “Protection group settings” on page 189.
5. Click Save.
Deleting a protection group

When you delete a protection group, the prefixes in the protection group are no longer protected by the group’s specific server type settings.

If you delete an IPv4 protection group and its prefixes are not protected by another protection group, then the prefixes are included in the default protection group. However, the default protection group does not protect IPv6 prefixes. If IPv6 prefixes are not protected by another IPv6 protection group, you can configure a custom IPv6 protection group to serve as the default IPv6 protection group. For an example of how to create a protection group that protects all of the unprotected IPv6 hosts, see the “IPv6 prefix matching example” on page 183.

In addition, when you delete a protection group, APS removes the protection group from any scheduled reports that include it.

Note: APS never removes data from existing reports.

To delete a protection group:

1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, complete one of the following steps:
   - Select the check box for each protection group that you want to delete.
   - Select the check box in the table heading row to select all of the protection groups.
3. Click Delete.
4. In the confirmation message that appears, click OK.

Important: You cannot undo the deletion of a protection group.

Viewing the Status of Protection Groups

The List Protection Groups page displays all of the protection groups and their status. On this page, you can expand a specific protection group to view more information. You also can add, edit, and delete protection groups. See “Adding Protection Groups” on page 188 and “Editing and Deleting Protection Groups” on page 194.
Note: If you use APS Console to manage APS, you can view the protection groups for multiple APS devices at once. To do so, you use the List Protection Groups page (Protect > Inbound Protection > Protection Groups) in APS Console.

Navigating to the List Protection Groups page

To navigate to the List Protection Groups page:
- Select Protect > Inbound Protection > Protection Groups.

About the List Protection Groups page

The List Protection Groups page contains the following information:

Information on the List Protection Groups page

Search box: Allows you to search on the name, description, or prefix for a protection group. Type all or part of a search string, and then click (search). To clear the search results, click the X in the Search box.

Add IPv6 Protection Group and Add IPv4 Protection Group buttons: Allow you to add an IPv4 protection group or an IPv6 protection group.

Selection check boxes: Allow you to select one or more protection groups to delete. You cannot edit or delete the default protection group.

Delete button: Deletes the protection groups whose check boxes are selected.

Protection Group column: Displays the protection group name in the form of a link that allows you to open the View Protection Group page. See “Adding Protection Groups” on page 188. See “Viewing the Traffic Activity for a Protection Group” on page 324.

(context menu): Appears when you hover your mouse pointer over a protection group name. You can use the options on the context menu to perform the following actions:
- Blocked Hosts: Displays the blocked hosts that are related to the IPv4 protection group on the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 408.
- Packet Capture: Displays the Packet Capture page, with the name of the protection group entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.

Graph column: Displays a minigraph that represents the traffic flow for the protection group. You can click the minigraph to open the View Protection Group page for the protection group.

Passed and Blocked traffic columns: Indicate the amount of traffic that was passed and blocked during the last hour as the result of mitigations.

Prefixes column: Lists the prefixes that the protection group monitors.

Server Type column: Lists the type of server that the protection group protects.

Mode column: Displays the protection mode for the protection group. See “Setting the Protection Mode (Active or Inactive)” on page 66.

(Group Protection Level) and (Automated Group Protection Level) icons: An icon with a check mark indicates the protection level that is set for the protection group (low, medium, or high). If the protection group uses the global protection level, then no icon appears. The icons with the arrows indicate that protection level automation is enabled for the protection group:
- One icon indicates that the automated protection level is set to low.
- The other icon indicates that APS changed the protection group’s protection level to high automatically because the protection group’s traffic exceeded the total traffic threshold.
See “About the Protection Levels” on page 185. For information about protection level automation, see “Automating the Protection Level for a Protection Group” on page 193.

(Cloud Signaling) icon: Indicates that a Group Cloud Signaling mitigation was requested or is in progress for the protection group. You can hover your mouse pointer over the icon to view the status.

Note: APS does not support Cloud Signaling for IPv6 traffic.
(Alerts configured) icon: Indicates that one or more of the bandwidth alert thresholds are configured for the protection group. You can hover your mouse pointer over the icon to view the alerts that are configured. See “Adding Protection Groups” on page 188.

(bandwidth alert) icon: Indicates that one or more active bandwidth alerts exist for the protection group. You can hover your mouse pointer over the icon to view the number of alerts.

Chapter 10: Configuring the Protection Settings

The protection settings are the criteria by which APS defines clean traffic and attack traffic. You configure the protection settings to define how APS identifies and blocks malicious traffic at each protection level. In APS Console, you can configure the protection settings for multiple APS devices.

In this section

This section contains the following topics:

About the Protection Settings Configuration 201
About the Outbound Threat Filter 203
Configuring the Outbound Threat Filter 205
Validating the Outbound Threat Filter Configuration 206
Application Misbehavior Settings 209
ATLAS Intelligence Feed Settings 210
Block Malformed DNS Traffic Settings 214
Block Malformed SIP Traffic Settings 215
Botnet Prevention Settings 216
CDN and Proxy Support Settings 218
DNS Authentication Settings 219
DNS NXDomain Rate Limiting Settings 220
DNS Rate Limiting Settings 221
DNS Regular Expression Settings 222
Fragment Detection Settings 223
HTTP Header Regular Expressions Settings 224
HTTP Rate Limiting Settings 225
HTTP Reporting Settings 227
ICMP Flood Detection Settings 228
Malformed HTTP Filtering Settings 229
Multicast Blocking Settings 230
Payload Regular Expression Settings 231
Private Address Blocking Settings 234
Rate-based Blocking Settings 235
SIP Request Limiting Settings 236
Spoofed SYN Flood Prevention Settings 237
TCP Connection Limiting Settings 240
TCP Connection Reset Settings 241
TCP SYN Flood Detection Settings 243
TLS Attack Prevention Settings 245
Traffic Shaping Settings 247
UDP Flood Detection Settings 249

About the Protection Settings Configuration

The protection settings are the criteria by which APS defines clean traffic and attack traffic. For example, if a setting specifies a threshold based on the number of requests per second, then traffic that exceeds the threshold is considered to be an attack. The default protection settings in APS provide protection from the most common types of DDoS attacks. You can customize these settings to provide more directed protection for specific types of servers and for your outbound traffic. In APS Console, you can customize the protection settings for multiple APS devices. For information about types of DDoS attacks, see “DDoS Attacks and APS Protections” on page 538.

Navigating to the configuration pages

You configure the protection settings on the following pages in APS:
- Configure Server Type page, for inbound traffic: Allows you to change the protection settings for each of the protected server types. See “Changing the Protection Settings for Server Types” on page 169.
- Outbound Threat Filter page, for outbound traffic: Allows you to configure the protection settings for the outbound threat filter. See “Configuring the Outbound Threat Filter” on page 205.

About the protection categories

The protection settings are organized into categories, each of which detects a different type of attack traffic. For inbound traffic, each server type contains the categories of protection settings that are most appropriate for that server type. Each protection group is associated with a server type and one or more host servers of that type.
For example, a Web Server protection group contains the HTTP categories of settings, which detect HTTP-based attacks. The outbound threat filter contains the categories of protection settings that are most appropriate for outbound traffic.

About temporary blocking

Temporary blocking occurs dynamically as a result of the protection settings that are configured for the protection groups. When APS encounters certain types of malicious inbound traffic, it blocks the offending traffic. Some of the protection categories temporarily block a host, which effectively blocks all of the traffic from that host, including its clean traffic. The top 10 hosts that are blocked in this way appear in the Temporarily Blocked Sources section on the View Protection Group page. APS does not temporarily block the hosts for outbound traffic.

Other protection categories temporarily block a host’s offending traffic but not its clean traffic or the host itself. Such hosts do not appear in the Temporarily Blocked Sources section on the View Protection Group page, but they do appear in the blocked hosts log.

This blockout period typically lasts for several minutes. The protection category that detects the malicious traffic determines the length of the blockout period, and this time period cannot be changed.

About the protection levels for the protection settings

For each of the protection settings, you can specify different values for the low, medium, and high protection levels. The current protection level determines which of the settings are used at any given time. For example, you might set conservative thresholds for the low protection level and more aggressive thresholds for the medium and high protection levels. You also can leave the protection settings empty or disable one or more of the protection levels.
For example, you might disable a setting for the low protection level and then enable it for the medium and high protection levels. See “About the Protection Levels” on page 185.

When to change the protection settings

Because you configure different settings for each protection level, you can vary the threat detection criteria at any time by changing the protection level. You can change the protection level globally or for one or more specific protection groups.

Typically, you use the default settings when you first install APS. As you use APS and analyze its actions, you can customize as many settings as needed to secure your data center from threats against availability. If you have historical traffic information and statistics from an APS trial or monitor-only implementation, use that information as a guide for refining the protection settings.

APS can simplify the configuration of certain rate-based protection settings by learning typical network behaviors and suggesting protection settings that are appropriate for your network. See “About Traffic Profiling for Protection Configuration” on page 171.

About the Outbound Threat Filter

The outbound threat filter prevents malicious traffic from leaving your network. Unlike the protection groups, which protect specific hosts, the single outbound threat filter protects all of the outbound IPv4 traffic that passes through APS.

When you install or upgrade APS, the outbound threat filter and all of its ATLAS Intelligence Feed (AIF) threat categories are enabled by default. You can disable the outbound threat filter and the AIF threat categories on the Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 205.

On the Outbound Threat Filter page, you also can view the outbound traffic that the outbound threat filter blocks.
See “Viewing the Outbound Threat Activity” on page 349.

Important: For the outbound blacklist and outbound whitelist to work, you must leave the outbound threat filter enabled. See “Creating and Editing the Outbound Blacklist” on page 274 and “Creating and Editing the Outbound Whitelist” on page 276.

About the protection settings

The outbound threat filter contains the categories of protection settings that are the most appropriate for outbound traffic, to protect state-dependent devices such as load balancers and next-generation firewalls. It also uses the ATLAS Intelligence Feed (AIF) threat categories. These settings are the criteria by which APS defines clean traffic and attack traffic. You configure these protection settings on the Outbound Threat Filter page. You also can configure the protection mode (active or inactive) and protection level (global, low, medium, or high) for the outbound threat filter. See “Configuring the Outbound Threat Filter” on page 205. For information about the protection categories and suggestions for when to change the protection settings, see “About the Protection Settings Configuration” on page 201.

Note: If you turn on DNS Rate Limiting for a protection group, the outbound traffic may match the protection group instead of the outbound threat filter. By default, DNS Rate Limiting is turned on for the default IPv4 protection group and any protection groups that use a DNS server. Custom protection groups also might have this protection turned on. See “DNS Rate Limiting Settings” on page 221.

About using the outbound threat filter in the layer 3 deployment mode

If vAPS is set to the layer 3 mode when the outbound threat filter is enabled, then you must configure a default route for outbound traffic. Arbor recommends that you configure a route to 0.0.0.0/0 with a next hop that is reachable by the external interface. See “Adding a static route for a protection interface on vAPS” on page 513.
Important: If you do not configure a default route for the outbound traffic, the outbound threat filter will not function properly.

About the outbound threat filter’s protection mode and protection level

The outbound threat filter’s protection mode determines whether APS blocks malicious outbound traffic. In the active mode, APS monitors traffic and mitigates attacks. In the inactive mode, APS detects attacks but does not mitigate them. To test the outbound threat filter, set the protection mode for the outbound threat filter to inactive.

The outbound threat filter’s protection level determines which protection settings are in use for the outbound traffic. The outbound threat filter can use the global protection level or a protection level that you configure for the outbound threat filter. The outbound threat filter’s protection level takes precedence over the global protection level.

In APS Console, you can change the outbound threat filter’s protection mode or protection level for all of the managed APS devices.

About managing the outbound threat filter from APS Console

When you use APS Console to manage APS, you can configure the outbound threat filter in APS Console and propagate the configurations to each managed APS. When you first connect APS to APS Console, the outbound threat filter on the APS is replaced with the one from APS Console. Thereafter, any changes to the outbound threat filter on APS Console are periodically copied to each APS. See “About the APS Console - APS Data Synchronization” on page 80.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.
Configuring the Outbound Threat Filter

You configure the protection settings for the outbound threat filter to prevent malicious traffic from leaving your network. You also configure the ATLAS Intelligence Feed (AIF) threat categories, the protection mode, and the protection level for the outbound threat filter. You can enable and disable the outbound threat filter, but you cannot delete it. For more details about the outbound threat filter, see “About the Outbound Threat Filter” on page 203.

Important: If you deploy APS in the monitor mode, the outbound traffic does not go through APS. Therefore, the traffic is not analyzed.

Configuring the outbound threat filter

To configure the outbound threat filter:

1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click (configure).
3. Select the Enable Outbound Threat Filter check box.
4. Configure the following settings:
   - Protection Mode options: Select Active or Inactive to configure the protection mode. For more information about the protection mode, see “Setting the Protection Mode (Active or Inactive)” on page 66.
   - (Protection Level) icons: Select an icon to set the protection level (global, low, medium, or high) for the outbound threats. The global protection level is the default. A check mark in the corresponding icon shows which level is currently active. For information about the global protection level, see “About the Protection Levels” on page 185. Also see “Changing the Protection Level” on page 361.
5. For each protection level, configure the protection settings.
   For information about the specific settings, see the following topics:
   - “ATLAS Intelligence Feed Settings” on page 210
   - “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255
   - “Payload Regular Expression Settings” on page 231
   - “DNS Rate Limiting Settings” on page 221
   - “Malformed HTTP Filtering Settings” on page 229

6. Click Save.

After you configure the outbound threat filter, you can verify that you configured it correctly. See “Validating the Outbound Threat Filter Configuration” on the next page.

Validating the Outbound Threat Filter Configuration

After you configure the outbound threat filter, Arbor recommends that you validate its configuration to ensure that the relevant traffic passes through APS. Several issues may prevent the outbound threat filter from functioning as expected, such as:
- misconfiguration of the APS
- an APS deployment that prevents traffic mitigation (for example, you deploy the APS in an out-of-band mode or inactive mode)
- routing configurations that do not allow APS to see the relevant traffic

For more information, see “About the Outbound Threat Filter” on page 203.

Testing guidelines

To ensure maximum coverage during the testing, Arbor recommends the following guidelines:
- To enable reputation-based protection, install an advanced ATLAS Intelligence Feed (AIF) license prior to testing.
- If your environment includes multiple internet gateways, then conduct these tests from various points within the enterprise.

Required configuration settings

You must configure the following settings before testing the outbound threat filter:
- Enable the outbound threat filter.
- Set the protection mode to Active.
- Enable all of the AIF threat categories.

See “Configuring the Outbound Threat Filter” on the previous page.
IP address and domain name for testing

To test the outbound threat filter configuration, use the following IP address and domain name:
- 52.26.163.109
- arbor-aif-test.com

The AIF includes this IP address and domain name.

IP address testing

You can use the ping command on the operating system command line to test the outbound threat filter configuration. This command is available for all of the standard operating systems.

To use the ping command to test the outbound threat filter:
1. From a host inside a protection group, access the operating system’s command line.
2. On the command line, enter ping 52.26.163.109

Results of a successful ping test

If you configure the outbound threat filter correctly, the ping command is unsuccessful and times out, as shown in the following image:

On the APS Summary page, you should see a spike in the blocked traffic, as shown in the following image:

On the Outbound Blocked Threats graph, you should see an increase in the number of source hosts that APS blocked, as shown in the following image:

Results of an unsuccessful ping test

If the host receives a response to the ping command, as shown in the following image, you should review the outbound threat filter configuration settings.

DNS query testing

You can use the nslookup command on the operating system command line to test the outbound threat filter configuration. This command attempts to perform a DNS query. The nslookup command is available for all of the standard operating systems.

To use the nslookup command to test the outbound threat filter:
1. From a host in a protection group, open the operating system command line.
2.
On the command line, enter nslookup arbor-aif-test.com

Results of a successful nslookup test

If you configure the outbound threat filter correctly, the nslookup command is unsuccessful and times out, as shown in the following image:

On the APS Summary page, you should see a spike in the blocked traffic, as shown in the following image:

On the Outbound Blocked Threats graph, you should see an increase in the number of source hosts that APS blocked, as shown in the following image:

Results of an unsuccessful nslookup test

If the host receives a response to the nslookup command, as shown in the following image, you should review the outbound threat filter configuration settings.

Application Misbehavior Settings

Use the Application Misbehavior settings to detect application misbehavior patterns that might not be specific to any protocol.

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

These settings allow APS to detect request headers that are interrupted by a TCP FIN from the client. APS counts a host’s interrupts until either of the following conditions is met:
- The number of interruptions exceeds the configured limit. In this case, APS temporarily blocks the source host.
- The host completes a request without interruption.

In either case, the interrupt counter is reset to zero.

For example, some botnet attacks send multiple, small HTTP requests that cause a series of bad request errors and overwhelm the victim server. The bot terminates each connection before the request is complete.
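The interrupt counting described above, as an added Python illustration that is not APS code: one counter per source host, incremented on each request header that a client FIN cuts off, reset to zero when the host completes a request or when the limit is exceeded and the host is temporarily blocked. The event format, the verdict names and the client addresses are constructed for the illustration.

```python
"""Per-host TCP FIN interrupt counter, modelled on the Application
Misbehavior setting.  Added illustration; not APS code.

Assumed model: each client event is either an HTTP request header that
was cut off by a client FIN ("interrupted") or a request that completed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class InterruptTracker:
    # Interrupt Count box: FIN interruptions allowed from one client before
    # it is temporarily blocked.  None models an empty box (setting disabled).
    interrupt_limit: Optional[int]
    counters: Dict[str, int] = field(default_factory=dict)
    blocked: List[str] = field(default_factory=list)

    def observe(self, client_ip: str, interrupted: bool) -> str:
        """Record one request from client_ip and return the resulting action.

        Returns "pass", "reset" (a completed request cleared the counter) or
        "block" (the counter exceeded the limit; the counter is reset to zero).
        """
        if self.interrupt_limit is None:
            return "pass"  # setting disabled: nothing is counted
        if not interrupted:
            # A completed request resets the interrupt counter to zero.
            self.counters[client_ip] = 0
            return "reset"
        count = self.counters.get(client_ip, 0) + 1
        if count > self.interrupt_limit:
            # Limit exceeded: temporarily block the source host and reset.
            self.counters[client_ip] = 0
            self.blocked.append(client_ip)
            return "block"
        self.counters[client_ip] = count
        return "pass"


def replay(limit: Optional[int], events) -> List[str]:
    """Feed constructed (client_ip, interrupted) events through one tracker."""
    tracker = InterruptTracker(limit)
    return [tracker.observe(ip, interrupted) for ip, interrupted in events]


# Constructed sample traffic: a bot (192.0.2.10) that keeps cutting requests
# off with a FIN, and a normal client (198.51.100.7) that completes one.
SAMPLE_EVENTS = [
    ("192.0.2.10", True),
    ("198.51.100.7", False),
    ("192.0.2.10", True),
    ("192.0.2.10", True),
    ("192.0.2.10", True),   # fourth interruption exceeds a limit of 3
    ("192.0.2.10", True),   # counting starts again after the block
]

if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, replay(3, SAMPLE_EVENTS)):
        print(f"{event[0]:<14} interrupted={event[1]!s:<5} -> {action}")
```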
Application Misbehavior settings

The Application Misbehavior category contains the following setting for each protection level:

Interrupt Count box
    Type the number of TCP FIN interruptions that are allowed from a single client before that client is temporarily blocked. To disable this setting, leave this box empty.

Reference

See “About the Protection Levels” on page 185.

ATLAS Intelligence Feed Settings

The ATLAS Intelligence Feed (AIF) contains information about the latest advanced threats, botnets, and web crawlers that Arbor’s Active Threat Level Analysis System (ATLAS) has identified. APS can use this information to detect threats, block attacks, and allow legitimate search engine web crawlers to access your network. When APS detects traffic that matches any of the HTTP header signatures or enabled threat policies, it blocks the traffic. If the traffic is inbound, APS temporarily blocks the source host.

For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence Feed” on page 280.

Enabling AIF updates

Important: These protection settings depend on the presence of an AIF update file. Before you enable any of the ATLAS Intelligence Feed settings, either verify that the automatic AIF updates are enabled or request an update. Some of these settings, such as the default confidence values, do not appear if an AIF update file is not present. See “Configuring the ATLAS Intelligence Feed” on page 119.

Where to configure the AIF settings

You configure these settings on the following pages:
- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 205.

About these settings

The ATLAS Intelligence Feed settings allow APS to use the information in the ATLAS Intelligence Feed to block traffic as follows:

How APS uses the ATLAS Intelligence Feed settings (APS action and the basis for the action)

Block attack traffic
    The AIF updates include the policies that identify categories of known threats by their traffic patterns, which are defined by IP addresses, HTTP regular expressions, or DNS names. When you enable the Threat Categories settings, APS blocks any inbound traffic or outbound traffic that matches the threat policies. See “About the ATLAS Threat Policies” on page 283.

Block botnet traffic (Inbound traffic only)
    Many botnets are known by their traffic patterns or profiles that suggest an attack. The AIF updates include the policies (signatures) that identify known botnets. When you enable the AIF Botnet Signatures settings, APS compares each policy to the HTTP headers and HTTP requests. APS blocks any traffic that matches any of the policies and temporarily blocks the source host.

Pass web crawler traffic (Inbound traffic only)
    In the process of protecting your servers from DDoS attacks, APS might prevent search engine web crawlers from accessing your site. The AIF updates include a list of the IP address ranges that Arbor considers to be legitimate search engine web crawlers. When you enable the Web Crawler Support settings, APS passes the traffic from the search engine IP addresses. For more information, see “About Web Crawler Support” on page 288.
ATLAS Intelligence Feed settings

The ATLAS Intelligence Feed protection category contains the following settings for each protection level:

Web Crawler Support buttons (Inbound traffic only)
    Click one of these buttons to enable or disable the inspection of traffic for legitimate web crawler search engines. For APS to pass the traffic from specific web crawlers, those web crawlers must be enabled on the Configure AIF Settings page (Administration > ATLAS Intelligence Feed). Initially, all of the web crawlers are enabled by default, but you can choose which web crawlers to enable or disable. See “Configuring web crawler support” on page 121.
    This option is available for the following server types only: Generic, DNS, and Web.

AIF Botnet Signatures buttons (Inbound traffic only)
    Click one of these buttons to enable or disable the inspection of traffic based on the traffic patterns or profiles by which Arbor identifies known botnets.
    This option is available for the following server types only: Generic, VoIP, and Web.

Threat Categories buttons
    Click one of these buttons to enable or disable advanced threat detection based on the ATLAS threat policies, which are grouped by threat category. See “About the ATLAS Threat Policies” on page 283.
    When you select the Threat Categories check box, the following ATLAS confidence index settings become available. For more information about the ATLAS confidence index and the confidence values, see “About the ATLAS Confidence Index” on page 285.

ATLAS Confidence Index options
    The default confidence value is applied to all of the rules in all of the enabled threat categories, except those for which you define a category-specific confidence value.
    To specify the default confidence value, select one of the following options:
    - Use Default — Use the confidence value that the Arbor Security Engineering and Response Team (ASERT) recommends, which appears in parentheses after this option. This option is selected by default.
    - Custom — Configure a custom confidence value to use as the default. When you select this option, type a number from 1 to 100 in the box to represent the confidence value.
    When APS inspects traffic, it applies the threat policy rules whose confidence values match or exceed the default confidence value.

Threat category check boxes and confidence value boxes
    For each of the threat categories, you can configure the following settings:
    - To enable or disable a threat category, select its check box. By default, all of the threat categories are enabled.
    - To configure a confidence value for an enabled threat category, click to the right of the category’s check box to display the confidence value box. Type a number from 1 to 100 to represent the confidence value. The threat category confidence value overrides the default confidence value for the specific category.
    Your AIF license determines which of the threat categories are available to you. Also, although the threat categories remain relatively static, they are subject to change by Arbor.
    If an Advanced AIF subscription expires and you renew it at the Standard level, your APS AIF feed will no longer include the Advanced feed components. However, the Advanced threat categories continue to appear in the UI. For example, the traffic history that is related to those threat categories can appear on pages such as the Blocked Hosts Log page. The Advanced threat categories also appear in the ATLAS Intelligence Feed settings. Although you can enable those threat categories, they no longer include any threat policies that would affect traffic.
    For a list of the components that are included with each subscription level, see “Tiered licensing for ATLAS Intelligence Feed” on page 31.

Block Malformed DNS Traffic Settings

Use the Block Malformed DNS Traffic protection settings to prevent attacks that send invalid or blank DNS requests to a server. These attacks are intended to exhaust resources or to exploit vulnerabilities.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server types. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

When a DNS request arrives at port 53 (source or destination), APS performs the following tests:
- Verifies that the packet contains a payload that could be part of a valid DNS message. If the payload is missing, APS blocks the packet.
- Evaluates valid DNS requests for compliance with RFC standards. APS blocks any requests that do not conform to the standards.

APS does not block the source host.

Block Malformed DNS Traffic settings

The Block Malformed DNS Traffic category contains the following setting for each protection level:

Enabled and Disabled buttons
    Click one of these buttons to enable or disable this category.

Block Malformed SIP Traffic Settings

Use the Block Malformed SIP Traffic settings to prevent attacks that disrupt VoIP service by sending invalid or blank SIP requests.
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

When a UDP packet arrives at a SIP destination port (usually port 5060), APS performs the following tests:
- Verifies that the packet contains a payload that could be part of a valid SIP request. If the payload is missing, APS blocks the packet and temporarily blocks the source host.
- Evaluates valid SIP requests to verify that all of the headers that are specified in RFC 3261 section 8.1 are properly formatted and have reasonable values. APS blocks any requests that do not conform to the standards and temporarily blocks the source host.

Block Malformed SIP Traffic settings

The Block Malformed SIP Traffic category contains the following setting for each protection level:

Enabled and Disabled buttons
    Click one of these buttons to enable or disable this category.

Reference

See “About the Protection Levels” on page 185.

Botnet Prevention Settings

Use the Botnet Prevention settings to prevent botnet attacks, in which a large set of compromised computers generate a high-volume traffic attack that targets a victim server. The Botnet Prevention settings allow APS to detect and block botnet attacks based on known botnet behaviors.

You also can prevent botnet attacks based on the traffic patterns or profiles by which Arbor identifies known botnets. See “ATLAS Intelligence Feed Settings” on page 210.

See “About DDoS Botnets” on page 541.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration).
See “Changing the Protection Settings for Server Types” on page 169.

About botnets

The following patterns of behavior are common to many botnets:
- Sending requests with incomplete header fields
- Sending slow request attacks, which usually contain artificially truncated request segments

For example, some botnets send multiple, small HTTP requests, and then terminate each connection before the request is complete. This attack causes a series of bad request errors and overwhelms the victim server.

About these settings

To prevent botnet attacks, APS performs the following tests:

- Basic Botnet Prevention: Checks the packet headers for incomplete fields. APS blocks any packets whose headers are incomplete and temporarily blocks the source host. The fields that are checked vary by protection level, as follows:

    Low     Analyzes the Host field in HTTP 1.1 requests
    Medium  Analyzes the Host field in HTTP 1.1 requests
    High    Analyzes the following fields in all requests: Host, User-Agent, Connection

- Prevent Slow Request Attacks: Checks for HTTP requests that contain less than 500 bytes of data and do not end with \n. Requests that match these criteria are likely to be part of a slow HTTP attack. APS passes the first three packets that match these criteria and then drops the subsequent packets and temporarily blocks the source host.

Botnet Prevention settings

Important: The Botnet Prevention settings work only if Malformed HTTP Filtering is enabled. If you disable Malformed HTTP Filtering, the Botnet Prevention settings for the corresponding protection levels are disabled also. If you enable one of the Botnet Prevention settings, the Malformed HTTP Filtering is enabled for the corresponding protection levels. See “Malformed HTTP Filtering Settings” on page 229.
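The two Botnet Prevention tests as an added Python illustration, not APS code and not its actual parser: the required header fields per protection level from the table above, the HTTP 1.1-only scope at Low and Medium, and the slow-request rule (under 500 bytes, no trailing newline, three passed and then blocked). The request parsing, the verdict names returned by inspect and the sample segments are assumptions made for the illustration.

```python
"""Botnet Prevention checks: incomplete header fields by protection level,
and the slow-request test.  Added illustration, not APS code.

Model: each "packet" is one HTTP request segment given as bytes.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Header fields checked per protection level (from the table above).
# Low and Medium check Host in HTTP 1.1 requests only; High checks
# Host, User-Agent and Connection in all requests.
REQUIRED_FIELDS = {
    "low": {"host"},
    "medium": {"host"},
    "high": {"host", "user-agent", "connection"},
}
SLOW_REQUEST_MAX_BYTES = 500   # requests smaller than this without a
SLOW_REQUEST_FREE_PACKETS = 3  # trailing \n are passed this many times per host


def parse_request(segment: bytes) -> Tuple[str, Set[str]]:
    """Return (http_version, {lower-case header names}) for a request segment.

    Assumed parsing: the first line is the request line; later lines up to a
    blank line are headers.  A truncated segment simply yields fewer header
    names, which is what the Basic check is meant to catch.
    """
    lines = segment.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    version = request_line[2] if len(request_line) >= 3 else ""
    names: Set[str] = set()
    for line in lines[1:]:
        if line == "":
            break
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())
    return version, names


@dataclass
class BotnetPrevention:
    level: str                 # "low", "medium" or "high"
    basic: bool = True         # Enable Basic Botnet Prevention
    slow: bool = True          # Prevent Slow Request Attacks
    slow_seen: Dict[str, int] = field(default_factory=dict)
    blocked_hosts: Set[str] = field(default_factory=set)

    def inspect(self, src_ip: str, segment: bytes) -> str:
        """Return "pass", "block-basic", "block-slow" or "block-host"."""
        if src_ip in self.blocked_hosts:
            return "block-host"  # temporarily blocked source; nothing inspected
        if self.basic:
            version, names = parse_request(segment)
            # Low/Medium only look at HTTP 1.1 requests; High looks at all.
            applies = self.level == "high" or version == "HTTP/1.1"
            if applies and not REQUIRED_FIELDS[self.level].issubset(names):
                self.blocked_hosts.add(src_ip)
                return "block-basic"
        if self.slow:
            if len(segment) < SLOW_REQUEST_MAX_BYTES and not segment.endswith(b"\n"):
                n = self.slow_seen.get(src_ip, 0) + 1
                self.slow_seen[src_ip] = n
                if n > SLOW_REQUEST_FREE_PACKETS:
                    # Fourth matching packet: drop it and block the host.
                    self.blocked_hosts.add(src_ip)
                    return "block-slow"
        return "pass"


# Constructed sample segments (www.example.com is a placeholder host).
GOOD = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: test\r\nConnection: close\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: test\r\n\r\n"
HTTP10_NO_HOST = b"GET / HTTP/1.0\r\nUser-Agent: test\r\n\r\n"
TRUNCATED = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-A: 1"  # no final \n

if __name__ == "__main__":
    bp = BotnetPrevention("medium")
    print(bp.inspect("192.0.2.5", GOOD))
    print(bp.inspect("192.0.2.6", NO_HOST))
    for _ in range(4):
        print(bp.inspect("192.0.2.7", TRUNCATED))
```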
The Botnet Prevention category contains the following settings for each protection level:

Enable Basic Botnet Prevention buttons
    Click one of these buttons to enable or disable the inspection of traffic for missing HTTP header fields, which are a common indicator of botnet attacks.

Prevent Slow Request Attacks buttons
    Click one of these buttons to enable or disable the inspection of traffic for requests that are characteristic of slow HTTP attacks.

CDN and Proxy Support Settings

Use the CDN and Proxy Support settings to prevent the global blocking of all traffic from a content delivery network (CDN) or proxy.

The protection categories in APS block malicious traffic, temporarily block malicious hosts, or both. When traffic is routed through a CDN or proxy, the source IP address is that of the last CDN or proxy device. That source IP address is shared by all of the users whose traffic passes through that device. Therefore, the protection settings that block an attacker’s IP address might block all traffic from the CDN or proxy.

To prevent the blocking of all traffic from a CDN or proxy, enable CDN and Proxy Support. When CDN and Proxy Support is enabled, APS relies on the protection categories that block malicious traffic but do not block the attacker’s IP address. The clean traffic from the CDN or proxy is passed.

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

CDN and Proxy Support settings

The CDN and Proxy Support category contains the following setting for each protection level:

Enabled and Disabled buttons
    Click one of these buttons to enable or disable this category.
    By default, this category is disabled.

Reference

See “About the Protection Levels” on page 185.

DNS Authentication Settings

Use the DNS Authentication category to protect against DNS attacks that originate from a source that is not a valid host. These settings can protect any type of DNS server.

APS forces any clients that send DNS requests to change to TCP before the queries reach the DNS server. This change validates that the original request came from a legitimate client. APS blocks any requests that are not verified, but does not block the source hosts.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server types. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

Before you enable these settings for active mitigation, test them thoroughly in a lab environment. Because these settings require two-way communications, they must be tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active protection mode. See “Setting the Deployment Mode” on page 511 and “Setting the Protection Mode (Active or Inactive)” on page 66.

DNS Authentication settings

The DNS Authentication category contains the following setting for each protection level:

Enabled and Disabled buttons
    Click one of these buttons to enable or disable this category.
DNS NXDomain Rate Limiting Settings

Use the DNS NXDomain Rate Limiting category to monitor response packets for hosts that send requests that might cause the generation of a non-existent domain (NXDomain) response. These settings protect against DNS cache poisoning and dictionary attacks. APS temporarily blocks any host that generates more consecutive failed DNS requests than the configured limit.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server types. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

Requirement: If you plan to use these settings, your network must be configured so that APS can see the DNS response traffic from the DNS server.

DNS NXDomain Rate Limiting settings

The DNS NXDomain Rate Limiting category contains the following setting for each protection level. When the View profile icon appears, you can use traffic profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

DNS NXDomain Rate Limit box
    Type the number of failed queries to allow per second. To disable this setting, leave this box empty.

If you do not configure the DNS NXDomain Rate Limiting settings, the processing of outbound traffic is affected as follows:
- The following response-based protection categories do not block outbound traffic (these protection categories are configured in the server types):
    - Filter List. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.
    - Multicast Blocking.
      See “Multicast Blocking Settings” on page 230.
    - Private Address Blocking. See “Private Address Blocking Settings” on page 234.
- The blacklist does not block outbound traffic.
- You cannot perform a packet capture on “int” interfaces.

To address these issues, you must enable the Outbound Threat Filter and add FCAP expressions to the filter list to block outbound traffic. See “Configuring the Outbound Threat Filter” on page 205.

DNS Rate Limiting Settings

Use the DNS Rate Limiting settings to prevent attacks from legitimate hosts that misuse DNS requests to flood DNS servers. APS inspects all of the DNS traffic that originates from a single source and records the number of queries per second. It blocks any traffic that exceeds the configured rate limit. If the traffic is inbound, APS temporarily blocks the source host.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server types. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the following pages:
- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 205.

DNS Rate Limiting settings

The DNS Rate Limiting category contains the following setting for each protection level. When the View profile icon appears, you can use traffic profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.
DNS Query Rate Limit box
    Type the maximum number of DNS queries per second that a source can send before it is blocked. This rate limit represents what you consider to be a reasonable maximum amount of DNS traffic. To disable this setting, leave this box empty.

DNS Regular Expression Settings

The DNS Regular Expression settings allow you to target specific DNS traffic. APS inspects all of the DNS traffic and applies each regular expression separately to each line of the DNS requests. APS blocks any traffic that matches an expression and logs the source host in Temporarily Blocked Sources. See “About temporary blocking” on page 201.

These settings are available for the Generic IPv6 Server type and some of the IPv4 server types. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

DNS Regular Expression settings

The DNS Regular Expression category contains the following setting for each protection level:

DNS Regular Expressions lines
    Type a regular expression to filter out DNS traffic with matching requests or headers. Use PCRE format. You can type multiple regular expressions. APS uses the OR operator for multiple regular expressions. See “About Regular Expressions” on page 578 for information about entering regular expressions.
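The DNS Rate Limiting and DNS NXDomain Rate Limiting behaviour described in the two sections above, as one added Python illustration that is not APS code: queries and NXDomain responses are counted per source per second against the two limits, and the offending host is temporarily blocked only when the traffic is inbound. The per-second bucketing, the event format and the addresses are assumptions; the NXDomain counter only sees anything if the limiter is fed the server's responses, which is the Requirement stated above.

```python
"""Per-source DNS query rate limiting and NXDomain rate limiting, modelled
on the DNS Rate Limiting and DNS NXDomain Rate Limiting settings.
Added illustration, not APS code.

Events are constructed tuples (timestamp_seconds, src_ip, kind) where kind
is "query" (a request seen from src_ip) or "nxdomain" (an NXDomain response
returned to src_ip, which requires APS to see the server's responses).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsRateLimiter:
    query_limit: Optional[int]     # DNS Query Rate Limit box (None = empty box)
    nxdomain_limit: Optional[int]  # DNS NXDomain Rate Limit box (None = empty box)
    inbound: bool = True           # inbound traffic: offenders are temporarily blocked
    # (src_ip, second) -> count, one table for each of the two counters
    queries: Dict[Tuple[str, int], int] = field(default_factory=dict)
    failures: Dict[Tuple[str, int], int] = field(default_factory=dict)
    blocked_hosts: List[str] = field(default_factory=list)

    def _bump(self, table: Dict[Tuple[str, int], int], src_ip: str, ts: float) -> int:
        key = (src_ip, int(ts))  # assumed model: one bucket per wall-clock second
        table[key] = table.get(key, 0) + 1
        return table[key]

    def _exceeded(self, src_ip: str) -> str:
        # Traffic over the limit is blocked; the host itself is only
        # temporarily blocked for inbound traffic.
        if self.inbound and src_ip not in self.blocked_hosts:
            self.blocked_hosts.append(src_ip)
        return "block"

    def observe(self, ts: float, src_ip: str, kind: str) -> str:
        """Return "pass" or "block" for one query or one NXDomain response."""
        if kind == "query" and self.query_limit is not None:
            if self._bump(self.queries, src_ip, ts) > self.query_limit:
                return self._exceeded(src_ip)
        elif kind == "nxdomain" and self.nxdomain_limit is not None:
            if self._bump(self.failures, src_ip, ts) > self.nxdomain_limit:
                return self._exceeded(src_ip)
        return "pass"


def run(limiter: DnsRateLimiter, events) -> List[str]:
    """Verdict per event, in event order."""
    return [limiter.observe(ts, ip, kind) for ts, ip, kind in events]


# Constructed traffic: 192.0.2.20 sends six queries inside one second and
# then one more a second later; 198.51.100.9 makes one ordinary lookup that
# happens to fail; 192.0.2.21 triggers four NXDomain responses in one second,
# the pattern of a dictionary attack.
SAMPLE = (
    [(10.0 + i * 0.1, "192.0.2.20", "query") for i in range(6)]
    + [(11.5, "192.0.2.20", "query")]
    + [(10.2, "198.51.100.9", "query"), (10.3, "198.51.100.9", "nxdomain")]
    + [(12.0 + i * 0.05, "192.0.2.21", "nxdomain") for i in range(4)]
)

if __name__ == "__main__":
    lim = DnsRateLimiter(query_limit=5, nxdomain_limit=3)
    for ev, verdict in zip(SAMPLE, run(lim, SAMPLE)):
        print(ev, "->", verdict)
    print("temporarily blocked:", lim.blocked_hosts)
```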
Fragment Detection Settings

Use the Fragment Detection settings to protect against attacks that send an excessive number of IP packet fragments to a server to exhaust its resources.

About fragmentation attacks

A fragmentation attack is a flood of unwanted IP packet fragments. IP standards require a receiving host to store packet fragments until the other fragments of that packet arrive and the packet can be reassembled. If the other fragments never arrive, the original fragments remain in the victim server’s buffers until a timeout marks them as too old. Such a large number of fragments can fill the server buffer space and prevent the receipt of clean traffic.

APS inspects the packet fragments that originate from a single source and records the bits per second and packets per second. It blocks any traffic that exceeds the configured rate limits. If the protection level is medium or high, it temporarily blocks the source host.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

Fragment Detection settings

The Fragment Detection category contains the following settings for each protection level. When the View profile icon appears, you can use traffic profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

Enable Fragment Detection buttons
    Click one of these buttons to enable or disable this category.

Maximum bps box
    Type the maximum amount of traffic (in bps) to allow from a single source.

Maximum pps box
    Type the maximum amount of traffic (in pps) to allow from a single source.
HTTP Header Regular Expressions Settings

Use the HTTP Header Regular Expressions settings to target specific HTTP traffic. APS inspects HTTP traffic and applies each regular expression to each line of the HTTP headers and HTTP requests. If any regular expression matches the first HTTP request or HTTP header in a connection, then APS blocks that request and temporarily blocks the source host. If no regular expression matches the first HTTP request or HTTP header in a connection, then APS whitelists all the HTTP requests for that connection.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

HTTP Header Regular Expressions settings

The HTTP Header Regular Expressions category contains the following setting for each protection level:

Header Regular Expressions lines
    Type a regular expression to match HTTP requests or headers. Use PCRE format. You can type multiple regular expressions. APS uses the OR operator for multiple regular expressions. See “About Regular Expressions” on page 578 for information about entering regular expressions.

See “About the Protection Levels” on page 185.

HTTP Rate Limiting Settings

Use the HTTP Rate Limiting settings to limit the rates at which a source host can send HTTP requests. These settings prevent a host from overwhelming the resources of a web server by sending too many requests or by requesting too many unique HTTP objects. (An HTTP object is a request for a specific resource.)
Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

APS monitors the HTTP requests from each host and performs the following tests:

- Compares the number of requests per second to the configured request limit. If the request rate is too high, APS blocks the requests and temporarily blocks the source host.
- Compares the number of requests per second for each unique HTTP object (URL) to the configured URL limit. If the object rate is too high, APS blocks the requests and temporarily blocks the source host.

The default limits are usually acceptable for typical users. Because a web server can be heavily loaded by a small number of HTTP requests, do not raise the limits by large amounts without careful consideration. If you need to make an exception for a content mirror server, you can add it to a pass rule in the Filter List settings. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.

HTTP Rate Limiting settings

The HTTP Rate Limiting category contains the following settings for each protection level. When the View profile icon appears next to a setting, you can use traffic profile data to help you configure the appropriate value for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

HTTP Request Limit box: Type the number of HTTP requests per second to allow from a single host. An HTTP request is any type of request, such as GET, POST, HEAD, or OPTIONS. To disable this setting, leave this box empty.
HTTP URL Limit box: Type the number of requests per second for a unique HTTP object (specific URL) to allow from a single host.
For example, the medium level defaults are 500 for the HTTP Request Limit and 15 for the HTTP URL Limit. If 100 requests for the same URL are received from one host in one second, they are blocked because they exceed the URL limit, even though they are well below the request limit. To disable this setting, leave this box empty.

HTTP Reporting Settings

Use the HTTP Reporting settings to enable or disable the display of the top URLs and top domains on the View Protection Group page. This information appears in the Web Traffic By URL section and the Web Traffic By Domain section, respectively. HTTP Reporting is enabled by default. Disabling HTTP Reporting can improve the performance of APS.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

HTTP Reporting settings

The following setting applies to all protection levels:

Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.

Reference

See “About the Protection Levels” on page 185. See the following topics for more information about these displays:

- “Viewing the Top URLs for a Protection Group” on page 337
- “Viewing the Top Domains for a Protection Group” on page 339

ICMP Flood Detection Settings

Use the ICMP Flood Detection settings to detect ICMP flood attacks. An ICMP flood abuses ICMP echo requests, the mechanism that the ping utility uses to verify that a particular IP address exists and can accept requests. The attacker sends a large number of ICMP echo requests to the victim server.
The server tries to respond to all of the requests until it exhausts its resources and cannot respond to clean traffic.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

Typically, a legitimate client does not send a large number of ICMP echo requests to a single server. APS inspects the ICMP traffic that originates from a single source and records the number of ICMP packets per second and bits per second. At the low protection level, APS allows traffic up to the configured rate limits and blocks the excess. At the medium and high protection levels, APS blocks the excess traffic and also temporarily blocks the source host.

ICMP Flood Detection settings

The ICMP Flood Detection category contains the following settings for each protection level. When the View profile icon appears next to a setting, you can use traffic profile data to help you configure the appropriate value for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

Enable ICMP Flood Detection buttons: Click one of these buttons to enable or disable this category.
Maximum Request Rate box: Type the maximum number of ICMP echo requests per second that a source can send before it is blocked. This rate limit represents what you consider to be a reasonable amount of ICMP traffic.
Maximum bps box: Type the maximum amount of ICMP traffic (in bps) to allow from a single source.

Malformed HTTP Filtering Settings

Use the Malformed HTTP Filtering settings to protect against attacks that exhaust resources by sending invalid or blank HTTP requests to a server.
The bots in a botnet sometimes manufacture the HTTP requests that they use to flood victim servers, and these requests can be malformed. For example, the request header might not conform to RFC 2616.

Navigating to the protection settings

You configure these settings on the following pages:

- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 205.

About these settings

APS performs the following tests on HTTP requests:

- Verifies that the HTTP header conforms to RFC 2616 Section 2.2, “Basic Rules”. Exceptions to the RFC constraints on the space character are allowed.
- Verifies that the entire request is in a legal and consistent format.

If either of these evaluations fails, APS blocks the request. If the traffic is inbound, APS also temporarily blocks the source host or destination host.

Malformed HTTP Filtering settings

The Malformed HTTP Filtering category contains the following setting for each protection level:

Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.

Important: The Botnet Prevention settings work only if Malformed HTTP Filtering is enabled. If you disable Malformed HTTP Filtering, the Botnet Prevention settings for the corresponding protection levels are disabled also. If you enable one of the Botnet Prevention settings, Malformed HTTP Filtering is enabled for the corresponding protection levels. See “Botnet Prevention Settings” on page 216.
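A checker of the kind the first test above describes, as an added example that is not APS code: it validates the request line and header block against the character classes of RFC 2616 Section 2.2 (CHAR, CTL, separators, token), rejects blank requests, and treats trailing whitespace before a header's colon as the kind of space-character exception the guide mentions. Which exceptions APS actually grants is not documented, so the lenient_space switch and the sample requests are this example's assumptions.

```python
"""Checking an HTTP request against RFC 2616 section 2.2 "Basic Rules".

Added example, not APS code: a syntactic test of the kind this section
describes (request line and headers built only from the characters the RFC
allows, with a relaxed treatment of the space character), which also rejects
blank requests.  The sample requests below are constructed.
"""
import re

CTL = set(range(0, 32)) | {127}                        # RFC 2616 2.2: CTL
SEPARATORS = set(b'()<>@,;:\\"/[]?={} \t')              # RFC 2616 2.2: separators
TOKEN_CHARS = frozenset(c for c in range(128) if c not in CTL and c not in SEPARATORS)
VERSION_RE = re.compile(rb"^HTTP/\d+\.\d+$")            # HTTP-Version


def is_token(s: bytes) -> bool:
    """token = 1*<any CHAR except CTLs or separators>"""
    return len(s) > 0 and all(c in TOKEN_CHARS for c in s)


def validate_request(raw: bytes, lenient_space: bool = True):
    """Return (ok, reason).  lenient_space lets a field-name carry trailing
    whitespace before the colon (assumed form of the space exception)."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return False, "header block is not terminated by CRLF CRLF"
    head = raw[:end]
    if any(c > 127 for c in head):
        return False, "non-ASCII octet in header block (CHAR is US-ASCII)"
    lines = head.split(b"\r\n")

    # Request-Line = Method SP Request-URI SP HTTP-Version
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, f"request line does not have three SP-separated parts: {lines[0]!r}"
    method, uri, version = parts
    if not is_token(method):
        return False, f"method is not a token: {method!r}"
    if not uri or any(c in CTL for c in uri):
        return False, f"bad Request-URI: {uri!r}"
    if not VERSION_RE.match(version):
        return False, f"bad HTTP-Version: {version!r}"

    # Fold LWS continuation lines into the preceding header, then check
    # message-header = field-name ":" [ field-value ].
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if not headers:
                return False, "continuation line before any header"
            headers[-1] += b" " + line.strip()
        else:
            headers.append(line)
    for h in headers:
        name, colon, value = h.partition(b":")
        if not colon:
            return False, f"header without ':': {h!r}"
        if lenient_space:
            name = name.rstrip(b" \t")
        if not is_token(name):
            return False, f"field-name is not a token: {name!r}"
        if any(c in CTL and c != 9 for c in value):   # field-content excludes CTLs; HT is LWS
            return False, f"CTL in field-value of {name!r}"
    return True, "ok"


# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo/1.0\r\n\r\n"
BLANK = b"\r\n\r\n"
TAB_SEPARATED = b"GET\t/\tHTTP/1.1\r\nHost: example.com\r\n\r\n"
SPACE_IN_NAME = b"GET / HTTP/1.1\r\nX Forwarded For: 198.51.100.4\r\n\r\n"
TRAILING_SPACE = b"GET / HTTP/1.1\r\nHost : example.com\r\n\r\n"
CTL_IN_VALUE = b"GET / HTTP/1.1\r\nHost: exam\x01ple.com\r\n\r\n"
BAD_VERSION = b"GET / HTTP/1.1.0\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("blank", BLANK), ("tab", TAB_SEPARATED),
                       ("space-in-name", SPACE_IN_NAME), ("trailing-space", TRAILING_SPACE),
                       ("ctl", CTL_IN_VALUE), ("version", BAD_VERSION)]:
        print(label, validate_request(req))
```

Only the syntax is checked here; the guide's second test (that the whole request is legal and consistent) needs knowledge of the full message, for example that a Content-Length matches the body, and is not modelled.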
Multicast Blocking Settings

Use the Multicast Blocking settings to protect against attacks that misuse multicast routing to overwhelm a server’s resources.

About multicasting

Many attackers use multicasting to reflect and amplify attack traffic. For example, one type of attack sends echo requests to a multicast address, spoofing the request source with the victim’s IP address. Every host that receives the multicast request replies to the victim, so a single spoofed request can result in an excessive number of responses that overwhelm the victim server and prevent it from accepting clean traffic.

To protect against this kind of attack, APS blocks any inbound traffic whose source or destination is a designated multicast address. APS also blocks any outbound traffic whose source or destination is a designated multicast address.

Important: If you do not enable the DNS NXDomain Rate Limiting protection settings, the Multicast Blocking settings do not block outbound traffic. In this situation, you must enable the Outbound Threat Filter and add FCAP expressions to the filter list to block outbound traffic. See “Configuring the Outbound Threat Filter” on page 205.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

Multicast Blocking settings

The Multicast Blocking category contains the following setting for each protection level:

Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.

Payload Regular Expression Settings

Use the Payload Regular Expression settings to drop malicious TCP traffic and UDP traffic or to temporarily blacklist the hosts that sent the malicious traffic.
Payload regular expressions help you to identify attacks by packets that contain unique data patterns in their payloads. You also can configure these protection settings to inspect packet headers. Many application layer DDoS attacks and packet repetition attacks can be identified by their payloads. The payload of a TCP packet or UDP packet consists of the data that appears after the header.

The Payload Regular Expression protection settings are available for all of the IPv4 server types and for the Generic IPv6 Server type. See “About the Server Types” on page 162. You can configure the settings for each protection level. See “About the Protection Levels” on page 185.

Navigating to the Payload Regular Expression settings

You configure these settings on the following pages:

- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 205.

Note: You can use the information in captured packets to help you write the regular expressions. See “Configuring Regular Expressions from Captured Packets” on page 425.

About these settings

APS inspects all TCP traffic and UDP traffic sent from or sent to the specified ports, and matches each regular expression against each packet’s payload. If you enable the Apply Regular Expression to Packet Headers setting, APS also matches each regular expression against each packet’s header. You can select source or destination as the direction of the specified ports. For inbound traffic, if the payload or header matches a regular expression, then APS drops the packet or temporarily blocks all traffic from the host, depending on the configured action. For outbound traffic, if the payload or header matches a regular expression, then APS drops the packet.
APS matches the regular expressions against individual packets only. It does not detect matching content that spans multiple packets, so a pattern that an attacker splits across two packets is not matched.

Note: If you enter a regular expression but do not specify any ports or port ranges, no traffic is selected for inspection and APS passes all TCP and UDP traffic.

Payload Regular Expression settings

The Payload Regular Expression category contains the following settings for each protection level:

Enable Payload Regular Expression buttons: Click one of these buttons to enable or disable this category for each protection level.
Port Direction buttons: To inspect traffic that is sent from TCP ports and UDP ports on source hosts, click Source. To inspect traffic that is sent to TCP ports and UDP ports on destination hosts, click Destination.
Payload Regular Expression TCP Ports box: Type the port numbers that define the TCP traffic to inspect. You can enter single port numbers and port ranges (for example, 10-22). To inspect all TCP traffic, enter all. Use spaces or commas to separate multiple port numbers and port ranges. If you set Port Direction to Source, APS matches the regular expressions against TCP packets that are sent from the specified ports. If you set Port Direction to Destination, APS matches the regular expressions against TCP packets that are sent to the specified ports. If you specify a regular expression but do not specify any TCP ports or port ranges, APS passes all TCP traffic.
Payload Regular Expression UDP Ports box: Type the port numbers that define the UDP traffic to inspect. You can enter single port numbers and port ranges (for example, 10-22). To inspect all UDP traffic, enter all. Use spaces or commas to separate multiple port numbers and port ranges. If you set Port Direction to Source, APS matches the regular expressions against UDP packets that are sent from the specified ports.
If you set Port Direction to Destination, APS matches the regular expressions against UDP packets that are sent to the specified ports. If you specify a regular expression but do not specify any UDP ports or port ranges, APS passes all UDP traffic.
Payload Regular Expression box: Type the regular expressions to match against packets sent from or sent to the specified ports. Use PCRE format. If you add multiple regular expressions, press ENTER after each one. APS uses the OR operator for multiple regular expressions, so a packet matches if any one expression matches. If you enter a regular expression but do not specify any ports or port ranges, APS passes all TCP and UDP traffic. If you enable the Apply Regular Expression to Packet Headers option, APS also matches these expressions against the packet headers. See “About Regular Expressions” on page 578 for information about entering regular expressions.
Apply Regular Expression to Packet Headers buttons: Click Enabled to match the regular expressions against packet headers in addition to packet payloads. With this option enabled, APS can block attacks that are recognizable only by specific patterns in packet headers. To match the regular expressions against packet payloads only, click Disabled.
Action to Apply buttons: Click Drop Packets to drop the packets that match the regular expressions. Click Block Hosts to temporarily block all traffic from the hosts that sent the packets that match the regular expressions. See “Viewing Temporarily Blocked Sources” on page 335. This option applies only to inbound traffic. For outbound traffic, APS always drops the packets that match the regular expressions.
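The port and direction selection, the OR-ed pattern list, the drop-versus-block action and the two caveats above (nothing is inspected when no ports are configured; a pattern split across packets is never matched), as an added example that is not APS code. Python's re module stands in for PCRE, and the patterns, ports and packets are constructed; the SSDP M-SEARCH pattern is only an illustrative signature, not one the guide recommends.

```python
"""Per-packet payload matching with port and direction selection.

Added example, not APS code: it models the behaviour described in this
section, including the two caveats a deployment can trip over (nothing is
inspected when no ports are configured, and a pattern split across two
packets is never matched).  Python's re module is used in place of PCRE; the
patterns, ports and packets below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dport: int
    payload: bytes
    header: bytes = b""   # raw header bytes, only consulted with header matching


def parse_ports(spec: str):
    """'all' -> None (inspect everything); '' -> empty set (inspect nothing);
    otherwise a set built from numbers and lo-hi ranges separated by spaces or commas."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    ports = set()
    for tok in re.split(r"[,\s]+", spec):
        if not tok:
            continue
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(tok))
    return ports


class PayloadRegexFilter:
    def __init__(self, patterns, tcp_ports="", udp_ports="", direction="destination",
                 action="drop", match_headers=False):
        self.regexes = [re.compile(p.encode(), re.DOTALL) for p in patterns]   # OR-ed
        self.tcp_ports = parse_ports(tcp_ports)
        self.udp_ports = parse_ports(udp_ports)
        self.direction = direction          # "source" or "destination"
        self.action = action                # "drop" or "block" (inbound only)
        self.match_headers = match_headers
        self.blocked = set()                # temporarily blocked source hosts

    def _selected(self, pkt):
        ports = self.tcp_ports if pkt.proto == "tcp" else self.udp_ports
        if ports is None:
            return True                      # "all"
        port = pkt.dport if self.direction == "destination" else pkt.sport
        return port in ports                 # empty set: nothing is selected

    def _matches(self, pkt):
        data = [pkt.payload] + ([pkt.header] if self.match_headers else [])
        # Each packet is examined on its own; there is no reassembly across packets.
        return any(r.search(d) for r in self.regexes for d in data)

    def process(self, pkt, inbound=True):
        """Return 'pass', 'drop' or 'block'."""
        if inbound and pkt.src in self.blocked:
            return "block"
        if not self._selected(pkt) or not self._matches(pkt):
            return "pass"
        if inbound and self.action == "block":
            self.blocked.add(pkt.src)
            return "block"
        return "drop"                        # outbound matches are always dropped


# Constructed traffic.
SSDP_PROBE = Packet("udp", "198.51.100.7", 40000, 1900,
                    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n")
FILLER_WHOLE = Packet("tcp", "203.0.113.6", 5555, 80, b"X" * 64)
FILLER_HALF_1 = Packet("tcp", "203.0.113.5", 5555, 80, b"X" * 32)
FILLER_HALF_2 = Packet("tcp", "203.0.113.5", 5555, 80, b"X" * 32)


def make_filter(**overrides):
    """Filter with a constructed configuration; keyword arguments override it."""
    cfg = dict(patterns=[r"^M-SEARCH \* HTTP/1\.1", r"X{64}"], tcp_ports="80",
               udp_ports="1900", direction="destination", action="block")
    cfg.update(overrides)
    return PayloadRegexFilter(**cfg)


if __name__ == "__main__":
    f = make_filter()
    for pkt in (SSDP_PROBE, FILLER_HALF_1, FILLER_HALF_2, FILLER_WHOLE):
        print(pkt.src, f.process(pkt))
```

The two 32-byte halves from 203.0.113.5 both pass even though together they contain the 64-byte pattern; the same content in one packet from 203.0.113.6 is caught. Regular expressions with an anchor such as ^ refer to the start of the packet payload, not to the start of the stream.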
Private Address Blocking Settings

Use the Private Address Blocking settings to protect against attacks that spoof private IP addresses. You can configure the settings for each protection level. See “About the Protection Levels” on page 185.

Specific blocks of IP addresses are reserved for use on private networks, and their traffic is not intended to be routed to the internet. Typically, traffic from outside your network should not originate from a private address. Such traffic is likely to be an attack in which the private address is spoofed.

To protect against this kind of attack, APS inspects the inbound traffic and blocks any traffic whose source or destination is a designated private address. APS also blocks any outbound traffic whose source or destination is a designated private address.

Important: If you do not enable the DNS NXDomain Rate Limiting protection settings, the Private Address Blocking settings do not block outbound traffic. In this situation, you must enable the Outbound Threat Filter and add FCAP expressions to the filter list to block outbound traffic. See “Configuring the Outbound Threat Filter” on page 205.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

Private Address Blocking settings

The Private Address Blocking category contains the following setting for each protection level:

Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.
Rate-based Blocking Settings

The Rate-based Blocking settings use configured threshold values to identify and block hosts that send excessive amounts of traffic to protected hosts or networks. These protection settings are available for all of the IPv4 server types and for the Generic IPv6 Server type. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

You can configure these settings to help prevent flood, TCP SYN, and protocol attacks, as well as connection table and request table exhaustion attacks. You also can configure the settings to limit some user-initiated actions such as bulk content downloads and peer-to-peer file hosting.

APS uses these settings to limit the rate at which any source host can send traffic. APS constantly examines the bit rate and packet rate of traffic from each source host. If the traffic exceeds either of the configured thresholds, APS temporarily blocks the source host.

Typically, you should set the thresholds to rates that are higher than any legitimate host would be expected to send on a sustained basis. These rates can vary depending on the services that the protected hosts offer. For example, if the protected hosts are content servers and the source hosts are clients that send only requests and acknowledgments, low inbound traffic rates are expected and the thresholds can be correspondingly low.

Note: APS uses a speed measurement algorithm that applies a smoothing function to reduce the possibility that short-term, high-traffic spikes are treated as attacks.

Rate-based Blocking settings

The Rate-based Blocking category contains the following settings for each protection level.
When the View profile icon appears next to a setting, you can use traffic profile data to help you configure the appropriate value for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

Bits per Second Threshold box: Type the maximum rate of traffic, in bits per second, that a source can send before it is blocked.
Packets per Second Threshold box: Type the maximum rate of traffic, in packets per second, that a source can send before it is blocked.

SIP Request Limiting Settings

Use the SIP Request Limiting settings to limit the number of SIP requests that a host can send per second. These settings prevent attacks that disrupt VoIP service by flooding the VoIP network with too many SIP requests.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

APS monitors the SIP requests from each source IP address. It blocks any traffic that exceeds the configured rate limit and temporarily blocks the source host. Because SIP servers can send a large amount of data in a single request, communications between SIP servers may greatly exceed the rate limit. You can protect those servers by adding them to a pass rule in the Filter List settings or by adding them to the whitelist. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255 or “Creating and Editing the Inbound Whitelist” on page 272.

SIP Request Limiting settings

The SIP Request Limiting category contains the following setting for each protection level.
When the View profile icon appears next to a setting, you can use traffic profile data to help you configure the appropriate value for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

SIP Source Limit box: Type the maximum number of SIP requests per second to allow from a single source. To disable this setting, leave this box empty.

Spoofed SYN Flood Prevention Settings

Use the Spoofed SYN Flood Prevention settings to detect certain SYN flood attacks. A SYN flood consists of a large number of uncompleted connection requests, which fill the victim’s connection queues and consume its resources. The Spoofed SYN Flood Prevention protection settings are available for all of the IPv4 server types and for the Generic IPv6 Server type. See “About the Server Types” on page 162.

About SYN flood attacks

A SYN flood attack exploits the TCP three-way handshake, which establishes a connection between a client and a server. During a SYN flood attack, the attacker sends a large number of SYN packets. Because the SYN packets contain spoofed source IP addresses, the SYN/ACK replies go to hosts that never sent a SYN, the final ACK never arrives, and the handshake is never completed.

Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN flood attacks. By forcing all TCP clients to authenticate that they are valid, Spoofed SYN Flood Prevention can protect against highly distributed attacks. If APS cannot authenticate a TCP connection, then it drops the traffic on that connection but does not block the host.

Navigating to the Spoofed SYN Flood Prevention settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.
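The TCP authentication exchange that the next subsection, “About TCP authentication”, describes, as an added simulation that is not APS code: both the normal method (a SYN/ACK carrying a special sequence number, answered by the client's ACK) and the out-of-sequence method (a bare ACK imitating a half-open connection, answered by the client's RST) are shown with both sides' segments. The guide only says the reply carries “a special sequence number”; deriving it as an HMAC over the connection 4-tuple, the segment model, the addresses and the reconnect by the client are all this example's assumptions. A spoofed source never receives the challenge, so it never answers it and nothing from it is forwarded.

```python
"""TCP authentication exchange used by Spoofed SYN Flood Prevention.

Added example, not APS code: a simulation of the two authentication methods
the guide describes.  The guide only says the challenge carries "a special
sequence number"; binding it to the 4-tuple with an HMAC is this example's
assumption, as are the segment model and the addresses.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0


class SynAuthenticator:
    """Sits inline in front of the protected host."""

    def __init__(self, secret=None, out_of_sequence=False):
        self.secret = secret or os.urandom(16)   # assumption: per-device secret
        self.out_of_sequence = out_of_sequence
        self.authenticated = set()               # source IPs that proved themselves

    def _cookie(self, seg):
        """Challenge value bound to the client's 4-tuple (assumed construction)."""
        tag = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}".encode()
        return int.from_bytes(hmac.new(self.secret, tag, hashlib.sha256).digest()[:4], "big")

    def handle(self, seg):
        """Return (verdict, reply).  verdict is 'forward' (passed to the protected
        host), 'challenge' (reply sent, nothing forwarded), 'authenticated'
        (client proved itself; in normal mode a RST makes it reconnect) or 'drop'."""
        if seg.src in self.authenticated:
            return "forward", None
        back = dict(src=seg.dst, sport=seg.dport, dst=seg.src, dport=seg.sport)
        cookie = self._cookie(seg)
        if SYN in seg.flags and ACK not in seg.flags:
            if self.out_of_sequence:
                # Pretend a half-open connection already exists: a bare ACK whose
                # numbers the client has never seen.  A real stack answers with RST.
                return "challenge", Segment(**back, flags=frozenset({ACK}), seq=cookie, ack=cookie)
            # Normal mode: SYN/ACK whose sequence number is the cookie.
            return "challenge", Segment(**back, flags=frozenset({SYN, ACK}), seq=cookie, ack=seg.seq + 1)
        if not self.out_of_sequence and seg.flags == frozenset({ACK}) and seg.ack == cookie + 1:
            self.authenticated.add(seg.src)
            # Reset this probe connection; the client's next SYN goes straight through.
            return "authenticated", Segment(**back, flags=frozenset({RST}), seq=seg.ack)
        if self.out_of_sequence and RST in seg.flags and seg.seq == cookie:
            self.authenticated.add(seg.src)
            return "authenticated", None
        return "drop", None


def real_client(aps, ip, server="192.0.2.10"):
    """A client with a genuine TCP stack: it answers whatever it receives.
    Returns the verdicts for its SYN, its answer, and a fresh connection."""
    syn = Segment(ip, 40000, server, 443, frozenset({SYN}), seq=1000)
    verdict, reply = aps.handle(syn)
    verdicts = [verdict]
    if reply is None:
        return verdicts
    if reply.flags == frozenset({SYN, ACK}):
        # Third step of the handshake: acknowledge the cookie.
        answer = Segment(ip, 40000, server, 443, frozenset({ACK}), seq=syn.seq + 1, ack=reply.seq + 1)
    else:
        # ACK for a connection the client does not have: RFC 793 says reply
        # with RST whose seq is the ACK number that was received.
        answer = Segment(ip, 40000, server, 443, frozenset({RST}), seq=reply.ack)
    verdicts.append(aps.handle(answer)[0])
    verdicts.append(aps.handle(Segment(ip, 40001, server, 443, frozenset({SYN}), seq=2000))[0])
    return verdicts


def spoofed_source(aps, ip, server="192.0.2.10"):
    """A flood source spoofing ip never sees the challenge and can only send SYNs."""
    return [aps.handle(Segment(ip, p, server, 443, frozenset({SYN}), seq=p))[0]
            for p in (5000, 5001)]


if __name__ == "__main__":
    print("normal:", real_client(SynAuthenticator(), "203.0.113.5"))
    print("out-of-sequence:", real_client(SynAuthenticator(out_of_sequence=True), "203.0.113.5"))
    print("spoofed:", spoofed_source(SynAuthenticator(), "198.51.100.9"))
```

The normal method costs a genuine client one reset and a reconnect, which is the browser refresh the guide mentions; the out-of-sequence method avoids it because the client's own stack answers the bogus ACK with a RST before any application-level connection exists.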
About TCP authentication

APS authenticates TCP traffic in one of the following ways:

- APS replies to the client’s initial SYN packet with an ACK that has a special sequence number. If the client responds with the correct ACK, then APS authenticates the client, resets the connection, and passes the client’s subsequent traffic without additional authentication. A spoofed source never receives the reply and therefore never sends the correct ACK.
- If TCP Out of Sequence Authentication is enabled, then APS replies to the client’s initial SYN with an ACK that imitates an existing, half-open TCP connection. A genuine TCP stack answers an ACK for a connection it does not have with a reset; if the client sends that reset, then APS authenticates the client, and the client opens a new TCP connection to the protected host. This authentication method targets non-HTTP protocols, such as HTTPS and SMTP, that do not support session redirects or retries. It also allows clients to connect to protected hosts without having to manually refresh their web browsers.

About HTTP authentication

If you enable HTTP authentication, then APS ensures that the source host is a valid HTTP client in one of the following ways:

- HTTP redirect: APS replies to the client’s initial request with a 302 redirect. If the client sends the redirected request, then APS authenticates the client and redirects it back to the original URL. This method causes the web browser to retry the request without a connection reset.
- HTTP soft reset: In this simplified version of the HTTP redirect authentication, APS replies to the client, asking it to resend its request. If the client resends the request, then APS authenticates the client.
- HTTP JavaScript: In response to a request, APS sends a small amount of JavaScript to the client. If the client runs it and responds with the resulting redirect, then APS authenticates the client.

Automating Spoofed SYN Flood Prevention

You can automate Spoofed SYN Flood Prevention.
To do this, you enable the Spoofed SYN Flood Prevention Automation setting and then specify an automation threshold. If the rate of SYN packets sent to any protected host in a protection group exceeds this threshold, then APS performs TCP authentication or HTTP authentication as configured. If all protected hosts in the protection group are receiving SYN packets at a rate below the threshold, then APS does not perform the configured authentication.

Testing the settings

Before you enable these settings for active mitigation, test them thoroughly in a lab environment. Because these settings require two-way communications, they must be tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active protection mode. See “Setting the Deployment Mode” on page 511 and “Setting the Protection Mode (Active or Inactive)” on page 66.

Spoofed SYN Flood Prevention settings

The Spoofed SYN Flood Prevention protection category contains the following settings for each protection level.

Prevent Spoofed SYN Floods buttons: Click one of the following buttons to select the authentication method that APS uses to detect spoofed SYN flood attacks:
- Off: Disables spoofed SYN flood attack detection.
- TCP: Enables TCP authentication. APS inspects TCP traffic to authenticate the connections.
- TCP+HTTP: Enables HTTP authentication in addition to TCP authentication. APS authenticates TCP connections and ensures that the source host is a valid HTTP client.
The option that you select determines which of the following settings are available for this protection category.
Except on ports box: For applications that have difficulty with spoofed SYN flood authentication, type the affected application ports. If the traffic’s destination port matches any of these ports, then APS skips the TCP authentication for that traffic.
TCP Out of Sequence Authentication buttons: Click one of these buttons to enable or disable this authentication method. If you enable this setting, then APS uses this method to authenticate a TCP connection instead of attempting to complete the TCP three-way handshake. See “About TCP authentication” on page 237.
Spoofed SYN Flood Prevention Automation buttons: Click one of these buttons to enable or disable automation of this protection category. If you automate this protection category, then you must specify an automation threshold.
Automation Threshold box: Enter a value in pps. APS performs TCP authentication or HTTP authentication as configured only if the rate of SYN packets sent to any protected host in a protection group exceeds this threshold. If the rate of SYN packets falls below this threshold, then APS stops performing the configured authentication.
HTTP Authentication Method buttons: Click one of the following buttons to select the method that APS uses to authenticate HTTP traffic on ports 80 and 8080:
- Redirect: Sends a 302 redirect to the client.
- Soft Reset: Asks the client to resend its request.
- JavaScript: Sends a JavaScript response to the client.
Note: If you select the JavaScript option, then legitimate clients that do not have JavaScript enabled (for example, many API clients and command-line tools) cannot connect to protected hosts.

TCP Connection Limiting Settings

Use the TCP Connection Limiting settings to limit the number of concurrent TCP connections that can originate from a single host. These settings prevent attacks that overwhelm the victim’s connection resources with an excessive number of TCP connections. For example, some botnets open hundreds of active or inactive TCP connections from each bot.
A sufficiently large number of connections can consume all of the server’s resources and prevent the server from accepting clean traffic. These settings are available for the Generic IPv6 Server type and some of the IPv4 server types. See “About the Server Types” on page 162.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

APS monitors the TCP requests from each source IP address and counts the number of SYN messages that are followed by an ACK message, that is, the number of completed handshakes. When the number of concurrent connections from a single host exceeds the preconfigured limit for the protection level, APS blocks that traffic. It does not block the source host.

TCP Connection Limiting settings

The TCP Connection Limiting category contains the following setting for each protection level:

Enabled and Disabled buttons: Click one of these buttons to enable or disable this category for a protection level.

TCP Connection Reset Settings

Use the TCP Connection Reset settings to track established TCP connections and drop the traffic when a connection remains idle for too long. This category can protect against the following types of TCP state exhaustion attacks:

- flood
- TCP SYN
- slow HTTP POST
- protocol

The TCP Connection Reset settings also can protect against the exhaustion of TCP connection resources that occurs when server connection tables are filled. These problems can be caused by idle TCP connections or by user-initiated actions such as bulk content downloads and peer-to-peer file hosting. These settings are available for the Generic IPv6 Server type and some of the IPv4 server types.
See “About the Server Types” on page 162.

About these settings

When APS monitors a TCP connection, it verifies that the source host sends the request header within a certain amount of time. APS also verifies that the host maintains a specified rate of transmission for the entire request. If a TCP connection does not meet these requirements, APS resets the connection. Also, if any source host exceeds the configured number of consecutive violations, APS temporarily blocks the host.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About the protected ports

APS applies the TCP Connection Reset settings to the following ports:

- 80: HTTP traffic (web traffic)
- 443: HTTPS traffic (web traffic)
- 25: SMTP traffic (email)

You cannot manually configure the ports for the TCP Connection Reset settings.

TCP Connection Reset settings

The TCP Connection Reset category contains the following settings for each protection level.

Enable TCP Connection Reset buttons: Click one of these buttons to enable or disable this category.
Minimum Request Bit Rate box: Type the minimum rate, in bits per second, that a host must maintain when sending an individual request. APS checks several times per minute to verify that the transmitted data does not fall below this limit. If the data rate falls below this limit for at least 60 seconds, APS resets the connection or blocks the host.
TCP Connection Idle Timeout box: Type the number of seconds that must elapse before an idle connection is reset or blocked. For the medium and high protection levels, the default value is 120 seconds.
There is no default value for the low protection level.

Track Connections After Initial State check box: Click Enabled to track a connection after it leaves the initial state.

TCP Connection Initial Timeout box: Type the number of seconds that a connection can be idle after it is first established before it is blocked.

Initial Timeout Required Data box: Type the number of bytes that a host must send within the initial timeout period for the timeout to be canceled. For example, the default TCP Connection Initial Timeout is 10 seconds and the default Initial Timeout Required Data is 1 byte. In this case, the connection has 10 seconds in which to send 1 byte of data. If the specified amount of data is not sent within 10 seconds, then the connection is reset.

Consecutive Violations before Blocking Source box: Type the number of consecutive idle connections to allow before a host is blocked. You can enter a larger number for applications with multiple TCP control connections that might be idle simultaneously due to a single lack of user action.

TCP SYN Flood Detection Settings

Use the TCP SYN Flood Detection settings to detect TCP SYN flood attacks, which are also known as SYN floods. A SYN flood consists of a large number of connection requests that cannot be completed. These requests fill the victim’s connection queues and consume its resources. You can configure the settings for each protection level. See “About the Protection Levels” on page 185.

About SYN flood attacks

The SYN flood attack exploits the TCP three-way handshake that establishes a connection between a client and a server. During a SYN flood attack, the attacker sends a large number of SYN packets. However, it does not return the final ACK responses and the handshake is never completed. The server waits for the ACK responses until it times out.
A sufficiently large number of half-open connections can consume all of the server’s resources and prevent the server from accepting clean traffic. Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN flood attacks. However, while Spoofed SYN Flood Prevention can protect against highly distributed attacks, TCP SYN Flood Detection uses rate thresholds to detect high rate, undistributed SYN flood attacks.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

APS intercepts all TCP traffic that originates from a single source and then completes the following tests:
- Compares the number of SYN packets per second to the configured SYN Rate.
- Subtracts the number of ACK packets from the number of SYN packets and compares the result to the configured SYN ACK Delta Rate.

APS blocks any traffic that exceeds either of these rate limits and temporarily blocks the source host.

TCP SYN Flood Detection settings

The TCP SYN Flood Detection category contains the following settings for each protection level:

Enable SYN Flood Detection buttons: Click one of these buttons to enable or disable this category.

SYN ACK Delta Rate box: Type the allowable difference between the number of ACK packets and the number of SYN packets (SYN - ACK = delta). This rate should be lower than the SYN Rate. In clean traffic, the number of ACK packets from a specific source should exceed or be slightly less than the number of SYN packets from that source.
This threshold represents the allowable difference between the two types of packets and allows APS to detect attackers that send only SYN packets. To disable this setting, leave this box empty.

SYN Rate box: Type the number of packets per second that a source can send before it is blocked. In a data center environment, a client typically does not establish a large number of connections per second. This threshold allows APS to detect very blatant SYN floods based on the number of connection requests from a single source. To disable this setting, leave this box empty.

TLS Attack Prevention Settings

Use the TLS Attack Prevention settings to protect against attacks that exploit SSL or TLS on application servers such as Web, Mail, or secure VPN servers. The SSL (Secure Socket Layer) and TLS (Transport Layer Security) encryption protocols underlie secure services on the internet. Because these protocols are resource intensive, the services that rely on them are particularly vulnerable to resource exhaustion attacks. During these attacks, clients send small requests that force the server to perform a disproportionately large amount of work to set up a secure session. The TLS Attack Prevention settings enforce correct protocol usage and block malformed SSL and TLS requests. These settings also block clients that attempt to exploit the protocols to exhaust server resources. You can configure the settings for each protection level. See “About the Protection Levels” on page 185.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.
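The two per-source tests that the TCP SYN Flood Detection settings above describe (SYN Rate, and SYN minus ACK against the SYN ACK Delta Rate), written out as an added example that is not Arbor's code. It assumes a SYN packet is any packet with the SYN flag set, an ACK packet is one with ACK set and SYN clear, counts are taken per source per whole second, and a threshold of None models leaving the box empty.

```python
"""Added example, not Arbor's code: the two per-source tests that the TCP SYN
Flood Detection settings describe, run over constructed packet records.

Assumptions: a "SYN packet" is any packet with the SYN flag set, an "ACK
packet" is a packet with ACK set and SYN clear (the client's third handshake
message), and both rates are counted per source per whole second. A threshold
of None models leaving the box empty, which disables that test."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class TcpPacket(NamedTuple):
    ts: float   # capture time in seconds
    src: str    # source IP address
    syn: bool   # SYN flag
    ack: bool   # ACK flag


def validate_thresholds(syn_rate: Optional[int],
                        syn_ack_delta_rate: Optional[int]) -> None:
    """The guide says the SYN ACK Delta Rate should be lower than the SYN Rate."""
    if (syn_rate is not None and syn_ack_delta_rate is not None
            and syn_ack_delta_rate >= syn_rate):
        raise ValueError("SYN ACK Delta Rate must be lower than SYN Rate")


def exceeded_limits(syns: int, acks: int, syn_rate: Optional[int],
                    syn_ack_delta_rate: Optional[int]) -> List[str]:
    """Return the names of the limits that one source exceeded in one second."""
    reasons = []
    # Test 1: SYN packets per second against the configured SYN Rate.
    if syn_rate is not None and syns > syn_rate:
        reasons.append("syn_rate")
    # Test 2: SYN - ACK against the configured SYN ACK Delta Rate. A source
    # that completes its handshakes has a delta near zero or negative.
    if syn_ack_delta_rate is not None and syns - acks > syn_ack_delta_rate:
        reasons.append("syn_ack_delta")
    return reasons


def syn_flood_verdicts(packets: Iterable[TcpPacket],
                       syn_rate: Optional[int] = None,
                       syn_ack_delta_rate: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each source that exceeds a limit in any one-second bucket to the
    limits it exceeded. Sources within both limits do not appear; in APS an
    offending source would be temporarily blocked."""
    validate_thresholds(syn_rate, syn_ack_delta_rate)
    syns = defaultdict(int)   # (src, second) -> SYN count
    acks = defaultdict(int)   # (src, second) -> ACK count
    for p in packets:
        bucket = (p.src, int(p.ts))
        if p.syn:
            syns[bucket] += 1
        elif p.ack:
            acks[bucket] += 1
    verdicts: Dict[str, Set[str]] = defaultdict(set)
    for bucket in set(syns) | set(acks):
        for reason in exceeded_limits(syns[bucket], acks[bucket],
                                      syn_rate, syn_ack_delta_rate):
            verdicts[bucket[0]].add(reason)
    return {src: sorted(reasons) for src, reasons in verdicts.items()}


def constructed_capture() -> List[TcpPacket]:
    """Constructed sample traffic (RFC 5737 documentation addresses), all
    inside second 0 so that every source has a single bucket."""
    pkts = []
    # Clean client: 5 handshakes, each SYN followed by its ACK.
    for i in range(5):
        pkts.append(TcpPacket(0.01 * i, "198.51.100.10", True, False))
        pkts.append(TcpPacket(0.01 * i + 0.005, "198.51.100.10", False, True))
    # Blatant flood: 300 SYNs in one second, no ACKs at all.
    pkts += [TcpPacket(0.003 * i, "203.0.113.7", True, False) for i in range(300)]
    # Quieter flood: 40 SYNs and no ACKs, below the SYN Rate but over the delta.
    pkts += [TcpPacket(0.02 * i, "203.0.113.8", True, False) for i in range(40)]
    return pkts


if __name__ == "__main__":
    results = syn_flood_verdicts(constructed_capture(),
                                 syn_rate=100, syn_ack_delta_rate=20)
    for src, why in results.items():
        print(f"{src}: exceeded {', '.join(why)}")
```

With SYN Rate 100 and SYN ACK Delta Rate 20, the 40-SYN source is caught only by the delta test, which is the case the guide has in mind when it says the delta should be set lower than the SYN Rate.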
About these settings

When an SSL or TLS request is received, APS performs the following tests:
- Validates the request according to the following criteria:
  - The negotiation messages are well-formed.
  - The protocol options are used properly.
  - The message length and fragmentation are reasonable.
  - The protocol version is acceptable.
- Verifies that acceptable SSL or TLS handshake behaviors occur as follows:
  - The messages are sent in the correct sequence.
  - Renegotiation requests do not occur outside of an established session.
- Verifies that the following items do not exceed the preconfigured limits:
  - The number of cipher suites that are advertised.
  - The number of extensions that are sent.
  - The number of compression algorithms that are advertised.
  - The number of connections that are closed before a handshake is completed.

If any of these evaluations fails, APS blocks the request and temporarily blocks the source host.

TLS Attack Prevention settings

The TLS Attack Prevention category contains the following setting for each protection level:

Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.

Traffic Shaping Settings

Use the Traffic Shaping settings to limit the forwarding rate of the traffic that matches a specific filter. These settings limit attack traffic to a level that allows protected hosts to function and allows some clean traffic to reach those hosts. The Traffic Shaping protection settings are available for all of the IPv4 server types and for the Generic IPv6 Server type. See “About the Server Types” on page 162.

Note: Traffic shaping is also known as rate limiting.
Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

About these settings

APS inspects each packet to determine if it matches the filter that you define. If the packet matches or if no filter is defined, APS compares the packet forwarding rate to the maximum rate settings. If the packet would cause the forwarding rate to exceed either of the maximum rates, APS blocks the packet. It does not block the source host.

Caution: Traffic shaping restricts clean traffic and attack traffic equally. Use traffic shaping in the following situations only:
- when other settings fail to mitigate an attack and you cannot mitigate it in another way
- when other settings succeed only partially and the traffic levels remain high enough to be a continued threat

If you enable this category, you must set at least one of the maximum rate settings.

Traffic Shaping settings

The Traffic Shaping category contains the following settings for each protection level:

Enable Traffic Shaping buttons: Click one of these buttons to enable or disable this category.

Maximum bps box: Type the maximum amount of traffic (in bps) to allow.

Maximum pps box: Type the maximum amount of traffic (in pps) to allow.

Filter box (Optional): Type an FCAP expression that corresponds to the data that you want to match. For example, you can match IP addresses, CIDRs, and other traffic attributes. See “Basic FCAP expressions” on page 564 and “FCAP Expression Reference” on page 566. Type one expression per line.
To include a comment, type a number sign (#) at the beginning of each comment line.

UDP Flood Detection Settings

Use the UDP Flood Detection settings to protect against attacks that send an excessive number of UDP packets to a server to exhaust its resources. You can configure the settings for each protection level. See “About the Protection Levels” on page 185.

About UDP floods

A UDP flood occurs when an attacker sends a large number of UDP packets to random ports on a server, often from a spoofed IP address. The server tries to determine the applications that are listening on those ports. Because no applications are listening, the server is forced to reply with many ICMP Destination Unreachable packets. If the number of ICMP packets is great enough, the server becomes unavailable to other clients.

APS inspects the UDP traffic that originates from a single source and records the bits per second and packets per second. It blocks any traffic that exceeds the configured rate limits. If the protection level is medium or high, it temporarily blocks the source host.

Navigating to the protection settings

You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration). See “Changing the Protection Settings for Server Types” on page 169.

UDP Flood Detection settings

The UDP Flood Detection category contains the following settings for each protection level. When the View profile icon appears, you can use traffic profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 175.

Enable UDP Flood Detection buttons: Click one of these buttons to enable or disable this category.
Maximum bps box: Type the maximum amount of traffic (in bps) to allow from a single source.

Maximum pps box: Type the maximum amount of traffic (in pps) to allow from a single source.

Chapter 11: Configuring Filter Lists to Drop and Pass Traffic

Filter lists allow you to configure fingerprint expression (FCAP) filters (rules) that drop and pass traffic without further inspection. You can configure two types of filter lists. Master filter lists compare the FCAP expressions to all protection group traffic across all protection levels. Filter lists compare FCAP expressions only to traffic for specific server types or the outbound threat filter. These filter lists also allow you to configure different expressions for each protection level. In APS Console, you can configure both types of filter lists for multiple APS devices.

In this section

This section contains the following topics:
- About Filter Lists (page 251)
- Configuring Master Filter Lists (page 253)
- Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter (page 255)

About Filter Lists

Filter lists allow you to configure flow capture (FCAP) fingerprint expression rules that drop and pass traffic without further inspection. You can configure two types of filter lists:
- Master filter lists for all protection groups across all protection levels. See “Master filter lists” below.
- Filter lists for specific server types or the outbound threat filter. See “Filter lists for specific server types or the outbound threat filter” below.

If a drop FCAP expression matches inbound traffic, then APS drops the matching traffic for active protection groups only. If a drop FCAP expression matches outbound traffic, then APS drops the matching traffic only when the outbound threat filter is enabled.
See “Setting the Protection Mode (Active or Inactive)” on page 66.

Note: If you manage multiple APS devices with APS Console, you can configure filter lists on APS Console for the managed APS devices.

Master filter lists

Master filter lists contain drop and pass FCAP expressions that APS compares to all inbound traffic. If any FCAP expression matches inbound traffic for an active protection group, APS drops or passes the matching traffic without further inspection. See “Setting the Protection Mode (Active or Inactive)” on page 66.

Use master filter lists if you have a common list of FCAP expressions to apply to all protection groups across all protection levels. When you use master filter lists, you do not have to create filter lists for each server type at each protection level.

There are two master filter lists: a list for IPv4 protection groups and a list for IPv6 protection groups. Each time you edit a master filter list, APS applies the updated list to all IPv4 protection groups or all IPv6 protection groups. APS also automatically applies the master filter lists to new protection groups that you add. See “Configuring Master Filter Lists” on page 253.

Filter lists for specific server types or the outbound threat filter

You can configure filter lists for specific server types. This type of filter list compares drop and pass FCAP expressions to traffic for protection groups that are associated with a specific server type. These filter lists let you configure different expressions for each protection level. See “About the Protection Levels” on page 185. You also can configure filter lists that compare FCAP expressions to outbound traffic. See “Configuring the Outbound Threat Filter” on page 205.

Use these filter lists to mitigate threats based on specific situations. For example, if the mitigation protects a server group that obtains content from other sources, then add the connections to those other sources to a pass rule.
Because you know that those connections are legitimate, you can exempt them from further inspection. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.

How APS evaluates and processes packets

APS uses master filter lists and filter lists to evaluate and process packets as follows:
- Immediately drops any packets that match a drop rule. APS does not evaluate any additional rules or apply further settings for those packets.
- Immediately passes any packets that match a pass rule. APS does not evaluate any additional rules or apply further settings for those packets.
- Passes the packets to the next protection category for further evaluation if they do not match a drop rule or a pass rule.

Alternate methods for passing and dropping traffic

If you prefer not to use FCAP expressions, you can add hosts to the blacklist and whitelist to drop and pass traffic without further inspection. However, FCAP expressions are more flexible and powerful in their ability to find specific traffic. See “About Blacklisting and Whitelisting Traffic” on page 258.

Order of evaluation

APS evaluates the items to drop and pass on master filter lists, filter lists, and the blacklist and whitelist in the following order:
- the host blacklist and the whitelist
- the master filter lists
- server-type filter lists
- the blacklists for countries, URLs, and domains

For example, consider the following rules:
- 192.0.2.0/24 in the whitelist
- drop 192.0.2.11 in the master filter list

APS applies the rules as follows:
- Passes all of the traffic from the addresses within the range 192.0.2.0/24.
- Passes the traffic from 192.0.2.11, because it falls within the 192.0.2.0/24 address range. Therefore, the traffic from this address cannot be dropped.
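The evaluation order just described (host whitelist and blacklist, then master filter lists, then server-type filter lists, with first match winning inside each list) as an added example that is not Arbor's code; it also runs the master and server-type filter list examples given later in this chapter. It assumes a small FCAP-like subset only (src/dst with an IP or CIDR, port N, proto tcp|udp, joined by "and"; no keyword means drop; "#" starts a comment) and that, where a host is on both host lists, the whitelist is consulted first. The real FCAP grammar is larger (see the FCAP Expression Reference), and the guide's rule "drop 192.0.2.11" is written here as "drop src 192.0.2.11".

```python
"""Added example, not Arbor's code: the filter-list evaluation order from the
guide (host whitelist/blacklist, then master lists, then server-type lists,
first match wins within a list) over a small FCAP-like rule subset.

Assumptions: only src/dst (IP or CIDR), port N and proto tcp|udp, joined by
"and"; a rule without pass/drop is a drop; "#" starts a comment; the whitelist
is consulted before the blacklist. This is not the real FCAP grammar."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port


class Rule(NamedTuple):
    action: str                         # "pass" or "drop"
    terms: Tuple[Tuple[str, str], ...]  # (field, value) pairs; all must match


def parse_rules(text: str) -> List[Rule]:
    """Parse one expression per line, as the guide's FCAP Expressions boxes take them."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        words = line.split()
        action = "drop"                          # no keyword means drop
        if words[0] in ("pass", "drop"):
            action = words.pop(0)
        terms = []
        for i in range(0, len(words), 3):       # field value [and field value ...]
            if i + 1 >= len(words):
                raise ValueError(f"missing value in {line!r}")
            field, value = words[i], words[i + 1]
            if field not in ("src", "dst", "port", "proto"):
                raise ValueError(f"unsupported field {field!r} in {line!r}")
            if i + 2 < len(words) and words[i + 2] != "and":
                raise ValueError(f"expected 'and' in {line!r}")
            terms.append((field, value))
        rules.append(Rule(action, tuple(terms)))
    return rules


def term_matches(pkt: Packet, field: str, value: str) -> bool:
    if field in ("src", "dst"):
        return ipaddress.ip_address(getattr(pkt, field)) in \
            ipaddress.ip_network(value, strict=False)
    if field == "port":
        return pkt.port == int(value)
    return pkt.proto == value   # proto


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Rules are evaluated in list order; the first matching rule decides."""
    for rule in rules:
        if all(term_matches(pkt, f, v) for f, v in rule.terms):
            return rule.action
    return None


def in_host_list(hosts: List[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(h, strict=False) for h in hosts)


def decide(pkt: Packet, whitelist: List[str], blacklist: List[str],
           master_rules: List[Rule], server_type_rules: List[Rule]) -> str:
    """Return "pass", "drop", or "inspect" (on to the next protection category)."""
    # 1. The host whitelist and blacklist are checked before any filter list.
    if in_host_list(whitelist, pkt.src):
        return "pass"
    if in_host_list(blacklist, pkt.src):
        return "drop"
    # 2. Master filter lists, then 3. server-type filter lists.
    for rules in (master_rules, server_type_rules):
        verdict = first_match(rules, pkt)
        if verdict is not None:
            return verdict
    return "inspect"


def demo() -> Dict[str, str]:
    """The guide's own examples (constructed packets, RFC 5737 addresses)."""
    master = parse_rules("# guide example: drop 192.0.2.11\ndrop src 192.0.2.11")
    ssh = parse_rules("pass port 22 and src 192.0.2.0/24\ndrop port 22")
    udp = parse_rules("pass src 192.0.2.11\ndrop proto udp")
    return {
        # whitelist 192.0.2.0/24 beats the master drop rule for 192.0.2.11
        "whitelisted_host_despite_master_drop":
            decide(Packet("192.0.2.11", "192.0.2.80", "tcp", 80), ["192.0.2.0/24"], [], master, []),
        "ssh_from_allowed_block": decide(Packet("192.0.2.5", "192.0.2.80", "tcp", 22), [], [], ssh, []),
        "ssh_from_elsewhere": decide(Packet("198.51.100.5", "192.0.2.80", "tcp", 22), [], [], ssh, []),
        "http_no_rule_matches": decide(Packet("198.51.100.5", "192.0.2.80", "tcp", 80), [], [], ssh, []),
        "udp_from_passed_source": decide(Packet("192.0.2.11", "192.0.2.53", "udp", 53), [], [], [], udp),
        "udp_from_other_source": decide(Packet("198.51.100.5", "192.0.2.53", "udp", 53), [], [], [], udp),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```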
Configuring Master Filter Lists

Use a master filter list to configure drop and pass flow capture (FCAP) fingerprint expression rules to compare to traffic for IPv4 protection groups and IPv6 protection groups. APS applies the FCAP expressions in the master filter lists across all protection levels. Master filter lists drop and pass inbound traffic only.

Important: If a drop FCAP expression matches inbound traffic, APS drops the matching traffic for active protection groups only. See “Setting the Protection Mode (Active or Inactive)” on page 66.

You also can configure filter lists that apply to a specific server type only or to the outbound threat filter. These filter lists drop and pass inbound traffic and outbound traffic. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.

About managing the master filter lists from APS Console

If you manage your APS devices from APS Console, then you can configure master filter lists in APS Console and propagate the configurations to each managed APS.

Caution: When you connect an APS device to APS Console, the master filter lists on APS Console replace the master filter lists on APS. Thereafter, any changes to the master filter lists on APS Console are periodically copied to each APS. See “About the APS Console - APS Data Synchronization” on page 80.

If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Configuring and editing master filter lists

To configure or edit a master filter list:
1. Select Protect > Inbound Protection > Master Filter Lists.
2. On the View Master Filter Lists page, click Edit.
3. In the IPv4 FCAP Expressions box and the IPv6 FCAP Expressions box, enter FCAP expressions that correspond to the data to match. Enter expressions to match IP addresses, CIDRs, and other traffic attributes. Include a drop or pass keyword to specify the action to take on the matched data. If you do not specify a keyword, then APS considers it a drop action. Type one expression per line. To include a comment, type a number sign (#) at the beginning of each comment line. See “FCAP Expression Reference” on page 566.
4. To edit the lists, enter new expressions or delete the existing expressions in the FCAP Expressions boxes.
5. Click Save.

Example: Master filter list settings

If you want to pass TCP/22 SSH traffic from a block of addresses and block all other TCP/22 SSH traffic, then enter the following FCAP expressions:

    pass port 22 and src 192.0.2.0/24
    drop port 22

All the port 22 traffic from 192.0.2.0/24 passes automatically, and APS blocks the other port 22 traffic automatically.

Order of evaluation within the master filter lists

APS evaluates the FCAP expressions in the order in which they appear in the lists. For example, consider the following rules:

    pass src 192.0.2.11
    drop proto udp

APS applies these rules as follows:
- Passes all of the traffic from 192.0.2.11, regardless of the protocol
- Drops all of the UDP traffic whose source is not 192.0.2.11

Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter

Use the filter list settings to configure a list of flow capture (FCAP) fingerprint expression rules to drop and pass inbound traffic without further inspection. You configure a filter list at the server-type level, so the filter list only applies to protection groups to which the server type is assigned.
This type of filter list lets you configure different expressions for each protection level. See “About the Protection Levels” on page 185.

You also can use filter list settings to drop and pass outbound traffic. To compare FCAP expressions in a filter list to outbound traffic, you configure the filter list settings for the outbound threat filter. See “Configuring the Outbound Threat Filter” on page 205.

If a drop FCAP expression matches inbound traffic, then APS drops the matching traffic for active protection groups only. If a drop FCAP expression matches outbound traffic, then APS drops the matching traffic only when the outbound threat filter is enabled. See “Setting the Protection Mode (Active or Inactive)” on page 66.

The Filter List protection settings are available for all of the IPv4 server types and for the Generic IPv6 Server type. See “About the Server Types” on page 162.

Note: You can configure master filter lists that compare drop and pass FCAP expressions to traffic for all protection groups. See “Configuring Master Filter Lists” on page 253.

Configuring and editing filter lists for server types

To configure or edit a filter list for a server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. Select a server type from the Standard Server Types list or the Custom Server Types list.
3. In the Filter FCAP Expressions boxes in the Filter List section, enter the FCAP expressions that correspond to the data to match. Enter expressions to match IP addresses, CIDRs, and other traffic attributes. You can enter expressions for each protection level. Include a drop or pass keyword to specify the action to take on the matched data. If you do not include a keyword, then APS considers it a drop action. Type one expression per line. To include a comment, type a number sign (#) at the beginning of each comment line. See “FCAP Expression Reference” on page 566.
Important: You can use IPv6 addresses in FCAP expressions only for the standard Generic IPv6 Server type and custom server types that are based on it.
4. To edit the filter list, enter new expressions or delete the existing expressions in the Filter FCAP Expressions boxes.
5. Click Save.

Configuring and editing filter lists for the outbound threat filter

To configure or edit a filter list for the outbound threat filter:
1. Select Protect > Inbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click (configure).
3. Select the Enable Outbound Threat Filter check box.
4. In the Filter FCAP Expressions boxes in the Filter List section, enter the FCAP expressions that correspond to the data to match. Enter expressions to match IPv4 IP addresses, IPv4 CIDRs, and other traffic attributes. You can enter expressions for each protection level. Include a drop or pass keyword to specify the action to take on the matched data. If you do not include a keyword, then APS considers it a drop action. Type one expression per line. To include a comment, type a number sign (#) at the beginning of each comment line. See “FCAP Expression Reference” on page 566.
5. To edit the filter list, enter new expressions or delete the existing expressions in the Filter FCAP Expressions boxes.
6. Click Save.

Example: Filter list settings

If you want to pass TCP/22 SSH traffic from a block of addresses and block all other TCP/22 SSH traffic, then enter the following FCAP expressions:

    pass port 22 and src 192.0.2.0/24
    drop port 22

All the port 22 traffic from 192.0.2.0/24 passes automatically, and APS blocks the other port 22 traffic automatically.

Order of evaluation within filter lists

APS evaluates the FCAP expressions in the order in which they appear in the lists.
For example, consider the following rules:

    pass src 192.0.2.11
    drop proto udp

APS applies these rules as follows:
- Passes all of the traffic from 192.0.2.11, regardless of the protocol
- Drops all of the UDP traffic whose source is not 192.0.2.11

Chapter 12: Managing the Blacklists and Whitelists

APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting to allow trusted traffic. This section describes how to create and manage the blacklists and whitelists.

In this section

This section contains the following topics:
- About Blacklisting and Whitelisting Traffic (page 258)
- About the Capacity of the Blacklists and Whitelists (page 262)
- Viewing and Searching the Inbound Blacklist (page 264)
- Creating and Editing the Inbound Blacklist (page 267)
- Viewing and Searching the Inbound Whitelist (page 270)
- Creating and Editing the Inbound Whitelist (page 272)
- Creating and Editing the Outbound Blacklist (page 274)
- Creating and Editing the Outbound Whitelist (page 276)

About Blacklisting and Whitelisting Traffic

APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting to allow trusted traffic. APS uses the blacklists and whitelists as filters to block or pass traffic without further inspection, regardless of the current protection level.

You can add IPv4 and IPv6 addresses to the inbound whitelist and inbound blacklist. You also can add countries, domains, and URLs to the inbound blacklist. You only can add IPv4 addresses to the outbound whitelist and outbound blacklist.

About the blacklists and whitelists

Users configure the blacklists and whitelists; APS does not blacklist or whitelist hosts automatically.
You can create and manage the following types of blacklists and whitelists:

Inbound blacklist: Blocks the inbound traffic that originates from specific hosts or countries, or from the clients that access specific domains or URLs in your network.

Inbound whitelist: Passes the inbound traffic that originates from specific hosts.

Outbound blacklist: Blocks the IPv4 traffic that originates from your network and is sent from specific hosts or to specific hosts.

Outbound whitelist: Passes the IPv4 traffic that originates from your network and is sent from specific hosts or to specific hosts.

Note: The Invalid Packets category takes precedence over the whitelist and blacklist. As a result, APS blocks invalid packets from whitelisted hosts. Also, any traffic from hosts on the blacklist or whitelist that matches invalid packets is attributed to invalid packets in the Attack Categories graphs.

APS combines the blacklist items and the whitelist items and stores them in a blacklist-whitelist table, based on protocol. If an APS is managed by APS Console, any blacklist items and whitelist items that are added in APS Console also are stored in the blacklist-whitelist table. See “About the Capacity of the Blacklists and Whitelists” on page 262.

About managing the blacklists and whitelists from APS Console

When you use APS Console to manage APS, you can configure blacklists and whitelists on APS Console and propagate the configurations to each managed APS. When you first connect an APS device to an APS Console, the blacklists and whitelists on APS Console are copied to APS. Any blacklists or whitelists that were already on APS are merged with the items from APS Console. Thereafter, any changes to the blacklists and whitelists on APS Console are periodically copied to each managed APS device as appropriate.
Caution If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS. See “About the APS Console - APS Data Synchronization” on page 80. Blacklisting and whitelisting items You can blacklist and whitelist items from the following areas in the UI. Note On the Configure Outbound Blacklists page and the Configure Outbound Whitelists page, you can blacklist and whitelist IPv4 addresses only. Locations for blacklisting and whitelisting items Page Reference Configure Inbound Blacklists See “Creating and Editing the Inbound Blacklist” on page 267. Configure Outbound Blacklists See “Creating and Editing the Outbound Blacklist” on page 274. Configure Inbound Whitelists See “Creating and Editing the Inbound Whitelist” on page 272. Configure Outbound Whitelists See “Creating and Editing the Outbound Whitelist” on page 276. Summary See “Viewing the Top Inbound Countries on the Summary Page” on page 318 and “Viewing the Top Inbound Sources on the Summary Page” on page 320 . Proprietary and Confidential Information of Arbor Networks Inc. 259 APS User Guide, Version 6.0 Locations for blacklisting and whitelisting items (Continued) Page Reference Note You can blacklist and whitelist IPv6 items globally, for all protection groups. You cannot blacklist and whitelist IPv6 items for individual protection groups. View Protection Group See the following topics: n n n n “Viewing the Top IP Locations for a Protection Group” on page 343 “Viewing the Top URLs for a Protection Group” on page 337 “Viewing the Top Domains for a Protection Group” on page 339 “Viewing Temporarily Blocked Sources” on page 335 Blocked Hosts Log See “Taking action on a blocked host” on page 408. 
Packet Capture See “Capturing Packet Information” on page 418. About blacklisting and whitelisting inbound traffic by protection group You can blacklist and whitelist inbound traffic at the following levels. Levels of blacklisting and whitelisting Level Traffic that is affected Individual protection group The IPv4 traffic that is destined for one or more specific protection groups on an APS. For example, on the Summary page, you can blacklist a country for a specific protection group. Note You can blacklist and whitelist IPv6 items globally, for all protection groups. You cannot blacklist and whitelist IPv6 items for individual protection groups. All protection groups The traffic that is destined for all protection groups on an APS. Typically, the options to blacklist or whitelist IPv4 items for a specific protection group are available on the pages that contain protection-group-level information. For example, on the View Protection Group page, when you click the Blacklist button, the following options appear: All PGs and For this PG. When the items from the blacklist or whitelist appear throughout the UI, the associated protection group information is displayed. Note Outbound traffic is not associated with protection groups. About removing items from the blacklist Certain areas of the UI that display blocked traffic allow you to remove an item from the 260 Proprietary and Confidential Information of Arbor Networks Inc. Chapter 12: Managing the Blacklists and Whitelists blacklist, which is also referred to as unblocking. For example, in the Top Countries section of the Summary page, you can unblock a blacklisted country. Unblocking an item removes it from the blacklist but does not add it to the whitelist. How quickly do blacklisting, whitelisting, and unblocking affect the traffic? 
When you blacklist, whitelist, or unblock a host, country, domain, or URL, its traffic is affected as follows:

• When you blacklist or whitelist an item, APS begins to block or pass its traffic immediately.
• When you unblock an item, APS can take several minutes to remove it from the blacklist and pass its traffic.
• When you whitelist a host or remove a host from the blacklist, and that host is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes. You can unblock an individual IP address immediately by whitelisting that IP address.

After you blacklist, whitelist, or unblock an item in APS Console, the change is applied to APS during the next synchronization. See “About the APS Console - APS Data Synchronization” on page 80.

About the Capacity of the Blacklists and Whitelists

APS combines the blacklist items and the whitelist items and stores them in a blacklist-whitelist table, based on protocol. If an APS is managed by APS Console, any blacklist items and whitelist items that are added in APS Console also are stored in the blacklist-whitelist table. See “About managing the blacklists and whitelists from APS Console” on page 259.

Capacity of the blacklists and whitelists

On APS 2000 and 2100 appliances, the IPv4 blacklist-whitelist table stores a maximum of 20,000 hosts and CIDRs. On APS 2800 and 2600 appliances, the IPv4 blacklist-whitelist table stores a maximum of 40,000 hosts and CIDRs. The IPv4 blacklist-whitelist total includes global items and protection group-specific items.

The IPv6 blacklist-whitelist table stores a maximum of 12,000 hosts and CIDRs on all APS appliances. This total includes global items only.
The number of countries, domains, and URLs in the blacklists is not limited.

For general information about the blacklists and whitelists, see “About Blacklisting and Whitelisting Traffic” on page 258.

What happens when the capacity is exceeded

If your blacklists and whitelists contain a large number of items, the addition of new items can cause the blacklist-whitelist table to exceed the capacity. In APS, you cannot enter any item that would exceed the capacity of the blacklists or whitelists. APS Console accepts the excess items, whether they are entered in the UI or added during the initial synchronization of APS.

When the addition of an item would cause APS Console to exceed the capacity of its blacklist-whitelist table, APS Console treats that item as follows:

• The excess item is added to the blacklist or whitelist on APS Console, but it is marked as disabled and does not affect any traffic.
• The disabled item appears on the blacklist page or whitelist page in the APS Console UI, but it is dimmed. You can delete the item as needed.
• When a non-disabled item is deleted from a blacklist or whitelist, space can become available for the addition of a disabled item. APS Console finds the oldest disabled item and enables it. A global inbound item is enabled for all of the protection groups; a protection group-specific item is enabled for that protection group only.

How synchronization between APS Console and APS affects the capacity

During the synchronization of the blacklists and whitelists between APS Console and APS, either APS Console or APS can exceed the capacity of the IPv4 blacklist-whitelist table. For example, a global item on APS Console can combine with the existing items on APS to exceed the capacity on APS. When an item from APS Console causes APS to exceed the capacity, the new item is not added to APS.
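The capacity rules above, as an added example that is not Arbor's code: one table per IP version holds both blacklist and whitelist hosts/CIDRs, an APS rejects an item that would exceed the table, and APS Console keeps the item as disabled and enables the oldest disabled item when an enabled one is deleted. The capacities are the ones the guide states; the class, method names and the small capacities used for checking are this example's own.

```python
"""Offline model of the IPv4/IPv6 blacklist-whitelist table capacity rules.

Added example, not Arbor code. Capacities are the ones the guide states for
the appliances; the class and method names are this example's own.
Countries, domains and URLs are not counted against the tables, so they
are not modelled here.
"""
import ipaddress

# Maximum hosts + CIDRs per IPv4 table, by appliance model (from the guide).
IPV4_CAPACITY = {"APS 2000": 20_000, "APS 2100": 20_000,
                 "APS 2600": 40_000, "APS 2800": 40_000}
IPV6_CAPACITY = 12_000          # same on all appliances, global items only
ALL_PGS = "All PGs"


class BlacklistWhitelistTables:
    """Blacklist and whitelist items share one table per IP version."""

    def __init__(self, ipv4_capacity, ipv6_capacity=IPV6_CAPACITY,
                 is_console=False):
        self.capacity = {4: ipv4_capacity, 6: ipv6_capacity}
        self.is_console = is_console
        # Each entry is (list_name, network_text, protection_group).
        self.enabled = {4: [], 6: []}
        self.disabled = {4: [], 6: []}   # APS Console only; oldest first

    @staticmethod
    def _key(list_name, item, pg):
        net = ipaddress.ip_network(item, strict=False)
        if net.version == 6 and pg != ALL_PGS:
            raise ValueError("IPv6 items can be listed for all PGs only")
        return net.version, (list_name, str(net), pg)

    def add(self, list_name, item, pg=ALL_PGS):
        """Add a host/CIDR to 'blacklist' or 'whitelist'.

        Returns 'enabled', 'disabled', 'rejected' or 'duplicate'. An APS
        rejects an item that would exceed the table; APS Console keeps it,
        dimmed and without effect on traffic, until space becomes free.
        """
        version, key = self._key(list_name, item, pg)
        if key in self.enabled[version] or key in self.disabled[version]:
            return "duplicate"
        if len(self.enabled[version]) < self.capacity[version]:
            self.enabled[version].append(key)
            return "enabled"
        if not self.is_console:
            return "rejected"                 # APS: cannot be entered at all
        self.disabled[version].append(key)    # Console: accepted but disabled
        return "disabled"

    def delete(self, list_name, item, pg=ALL_PGS):
        """Delete an item; on APS Console, promote the oldest disabled item.

        Returns the entry that became enabled as a result, or None.
        Raises ValueError if the item is not in either table.
        """
        version, key = self._key(list_name, item, pg)
        if key in self.disabled[version]:
            self.disabled[version].remove(key)   # frees no table space
            return None
        self.enabled[version].remove(key)
        if self.is_console and self.disabled[version]:
            promoted = self.disabled[version].pop(0)   # oldest disabled item
            self.enabled[version].append(promoted)
            return promoted
        return None

    def usage(self, version):
        """(enabled, disabled, capacity) for the IPv4 or IPv6 table."""
        return (len(self.enabled[version]), len(self.disabled[version]),
                self.capacity[version])
```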
During the initial synchronization, if the addition of existing items from APS to APS Console causes APS Console to exceed the capacity, the following events occur:

• The item is added to APS Console but is disabled.
• On APS, the item that caused APS Console to exceed its capacity is deleted.
• Other APS devices do not obtain the disabled item during synchronization, even if they have the capacity to accept the item. For example, a disabled inbound item might apply to a specific protection group. Even if the protection group is assigned to an APS that is below its capacity, that APS does not obtain the disabled item.
• When APS Console enables an item that was disabled, the item is applied to all of the appropriate APS devices.

See “About the APS Console - APS Data Synchronization” on page 80.

Viewing and Searching the Inbound Blacklist

The Configure Inbound Blacklists page (Protect > Inbound Protection > Blacklists) allows you to view all items on the inbound blacklist. You can search this blacklist for specific hosts, CIDRs, countries, domains, or URLs. You also can use the Configure Inbound Blacklists page to blacklist inbound traffic. See “About Blacklisting and Whitelisting Traffic” on page 258 and “Creating and Editing the Inbound Blacklist” on page 267.

About searching the inbound blacklist

You can limit the items that are displayed on the inbound blacklist by searching for one or more blacklisted items. You can search for hosts, countries, domains, and URLs that are blacklisted. The blacklist search behaves as follows:

• A search for an IP address or CIDR returns any IP addresses or CIDRs on the inbound blacklist that are associated with that address. For example, a search for 192.0.2.1 would return 192.0.2.0/24, if that CIDR is on the inbound blacklist.
  A search for 2001:DB8::/24 would return 2001:DB8::1 and 2001:DB8::8, if those addresses were on the inbound blacklist.
• When searching for hosts, you can search for IPv4 hosts and IPv6 hosts. When searching for IPv6 hosts, you can search for compressed and expanded IPv6 addresses. For example, if you search for 2001:DB8:0:0:0:0:0:0/32 or 2001:DB8::/32, APS would return 2001:DB8::/32 in both cases.
• You can use wildcards when searching for hosts. However, if you use a wildcard character to search for an IPv6 address, APS searches for and returns matches to compressed IPv6 addresses only. APS does not return matches for a partially expanded IPv6 address that contains a wildcard character. For example, if you search for 2001:DB8*, APS would return 2001:DB8::/32. If you search for 2001:DB8:0:*, APS would not return 2001:DB8::/32 because the “:0” is part of an expanded address.

Searching the inbound blacklist

To search the inbound blacklist:

1. Select Protect > Inbound Protection > Blacklists.
2. On the Configure Inbound Blacklists page, type any of the following search strings (search box: search string):
   • Host: an IP address; an IP address range, with a hyphen to separate the beginning IP address and ending IP address (for example, 192.0.2.1-192.0.2.8 or 2001:DB8::1-2001:DB8::8); or a CIDR.
   • Domain: a full domain name or partial domain name.
   • URL: a full URL or partial URL.
3. Click Search. If you search for an item that is not on the list, all items on the blacklist are hidden.
4. To clear the search, click the X in the Search box.

Information on the Configure Inbound Blacklists page

The Configure Inbound Blacklists page displays the following information:

Configure Inbound Blacklists details (information: description)

• Hostname: Displays the blacklisted host’s IP address or CIDR.
  If APS can resolve the hostname, you can hover your mouse pointer over the IP address or CIDR to see the hostname. If the system can identify the host’s country, this column also includes a flag icon that represents the country. To see the country name for IPv4 hosts, hover your mouse pointer over the flag icon.
  Note: Country mappings do not exist for IPv6 addresses. If the source is an IPv6 address, then this column includes an IPv6 flag icon instead of a country flag icon. Also, for private networks, this column includes a 10 icon or a 192 icon.
• Country: Displays the blacklisted country. If APS can identify the country’s flag, this column also displays a flag icon.
• Domain Name: Displays the blacklisted domain. If the system can identify the host’s country, this column also includes a flag icon that represents the country. To see the country name, hover your mouse pointer over the flag icon.
• URL: Displays the blacklisted URL.
• Since: Indicates the amount of time that the item has been on the inbound blacklist.
• PGs Affected: Displays the protection groups for which the item is blacklisted.
  Note: IPv6 addresses can be blacklisted for all IPv6 protection groups only.
• Whitelist button: Allows you to move the item from the inbound blacklist to the inbound whitelist. Because only hosts can be whitelisted, this option is available in the Blacklisted Hosts section only.
• (Remove): Allows you to remove the item from the inbound blacklist for all the protection groups, without moving the item to the whitelist.

When you whitelist a host or remove a host from the blacklist, and that host is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes.
You can unblock an individual IP address immediately by whitelisting that IP address.

Creating and Editing the Inbound Blacklist

Use inbound blacklisting to block the traffic to your network that originates from specific hosts or countries, or from the clients that access specific domains in your network. APS always blocks the traffic from the blacklisted hosts without further inspection, regardless of the current protection level.

You can blacklist specific IPv4 inbound traffic for all IPv4 protection groups or for individual IPv4 protection groups. You can blacklist specific IPv6 traffic for all IPv6 protection groups only.

You can search the inbound blacklist for specific hosts, countries, domains, or URLs. See “Viewing and Searching the Inbound Blacklist” on page 264.

The Invalid Packets category takes precedence over blacklists. As a result, any traffic from blacklisted hosts that matches invalid packets is attributed to invalid packets in the Attack Categories graphs. See “Viewing the Attack Categories for a Protection Group or Outbound Threat Filter” on page 329.

For information about how many items can be added to the blacklists and whitelists, see “About the Capacity of the Blacklists and Whitelists” on page 262. For general information about blacklisting, see “About Blacklisting and Whitelisting Traffic” on page 258.

Note: You also can blacklist outbound traffic. See “Creating and Editing the Outbound Blacklist” on page 274.

About the blacklist settings

On the Configure Inbound Blacklists page, you can blacklist the traffic’s source in the following ways:

• by the IP address, hostname, or CIDR
• by the country
• by the domain or URL that is specified in the HTTP request header (for IPv4 traffic only)

You cannot add URLs to the Configure Inbound Blacklists page directly, but you can add them from other areas of APS and from APS Console.
For example, you can blacklist a URL in the Web Traffic By URL section of the View Protection Group page.

Blacklisting hosts for inbound traffic

To create and edit the inbound blacklist:

1. Select Protect > Inbound Protection > Blacklists.
2. On the Configure Inbound Blacklists page, complete one of the following steps:

   To add an item to the inbound blacklist: Choose any of the following steps, and then click Add.
   • In the Host box that appears below the Blacklisted Hosts list, type a source IP address, source hostname, or source CIDR.
   • In the box that appears below the Blacklisted Countries list, select a source country. In the selection list, the countries are listed alphabetically and other, non-specific regions are listed after the countries.
   • In the Domain box that appears below the Blacklisted Domains list, type a domain name.
   If the blacklists or whitelists contain an IP address, and a CIDR that overlaps that IP address, the most specific address always takes precedence. For example, if the IP address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address remains whitelisted.

   To remove an item from the inbound blacklist: In the appropriate section, click (Remove) to the far right of the item name to remove the item for all the protection groups. If the item is blacklisted for individual protection groups, you can remove it from the blacklist for a specific protection group. Hover your mouse pointer to the left of the protection group name and click the icon that appears.

   To move a host to the inbound whitelist: Click the Whitelist button to the far right of the hostname. APS whitelists an IPv4 host for all IPv4 protection groups and whitelists an IPv6 host for all IPv6 protection groups. Because only hosts can be whitelisted, this option is only available in the Blacklisted Hosts section.
   When you whitelist a host or remove a host from the blacklist, and that host is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes. You can unblock an individual IP address immediately by whitelisting that IP address.

About managing the blacklists from APS Console

When you use APS Console to manage APS, you can configure the blacklists in APS Console and propagate the configurations to each managed APS as appropriate.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Alternate method for blocking traffic

You also can use the Filter List settings to block traffic without further inspection. The filter list uses FCAP expressions to define the hosts. If you prefer not to use FCAP expressions, then you can specify the hosts in the blacklist settings. However, the FCAP expressions are more flexible and powerful in their ability to find specific traffic. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.

Viewing and Searching the Inbound Whitelist

The Configure Inbound Whitelists page (Protect > Inbound Protection > Whitelists) allows you to view all items on the inbound whitelist. You can search this whitelist for specific hosts or CIDRs. You also can use the Configure Inbound Whitelists page to whitelist inbound traffic.
See “About Blacklisting and Whitelisting Traffic” on page 258 and “Creating and Editing the Inbound Whitelist” on page 272.

About searching the inbound whitelist

You can limit the items that are displayed on the inbound whitelist by searching for one or more whitelisted hosts. The whitelist search behaves as follows:

• A search for an IP address or CIDR returns any IP addresses or CIDRs on the inbound whitelist that are associated with that address. For example, a search for 192.0.2.1 would return 192.0.2.0/24, if that CIDR is on the inbound whitelist. A search for 2001:DB8::/24 would return 2001:DB8::1 and 2001:DB8::8, if those addresses were on the inbound whitelist.
• When searching for IPv6 hosts, you can search for compressed and expanded IPv6 addresses. For example, if you search for 2001:DB8:0:0:0:0:0:0/32 or 2001:DB8::/32, APS would return 2001:DB8::/32 in both cases.
• You can use wildcards when searching for hosts. However, if you use a wildcard character to search for an IPv6 address, APS searches for and returns matches to compressed IPv6 addresses only. APS does not return matches for a partially expanded IPv6 address that contains a wildcard character. For example, if you search for 2001:DB8*, APS would return 2001:DB8::/32. If you search for 2001:DB8:0:*, APS would not return 2001:DB8::/32 because the “:0” is part of an expanded address.

Searching the inbound whitelist

To search the inbound whitelist:

1. Select Protect > Inbound Protection > Whitelists.
2. On the Configure Inbound Whitelists page, type any of the following search strings:
   • An IP address.
   • An IP address range, with a hyphen to separate the beginning IP address and ending IP address. For example: 192.0.2.1-192.0.2.8 or 2001:DB8::1-2001:DB8::8.
   • A CIDR.
3. Click Search.
   Note: If you search for an item that is not on the inbound whitelist, all items on the whitelist are hidden.
4. To clear the search, click the X in the Search box.
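The host-search rules that the inbound blacklist and inbound whitelist sections both describe (an address finds the CIDR that contains it, a CIDR or range finds the addresses inside it, expanded and compressed IPv6 spellings are equivalent, and a wildcard is matched against the compressed form only), as an added example that is not Arbor's code. The sample list and the search() function are this example's own; the APS UI itself is not reproduced.

```python
"""Offline model of the host-search rules for the APS inbound blacklist and
whitelist pages.

Added example, not Arbor code. It encodes the matching rules the guide
describes so the corner cases (expanded vs. compressed IPv6, wildcards,
ranges) can be checked without an APS.
"""
import fnmatch
import ipaddress

# Constructed sample list using documentation prefixes (RFC 5737 / RFC 3849).
SAMPLE_LIST = [
    "192.0.2.0/24",
    "192.0.2.50",
    "198.51.100.7",
    "2001:DB8::/32",
    "2001:DB8::1",
    "2001:DB8::8",
]


def to_network(text):
    """Parse a host or CIDR; a bare host becomes a /32 or /128 network.

    Expanded and compressed IPv6 spellings parse to the same object, which
    is why 2001:DB8:0:0:0:0:0:0/32 and 2001:DB8::/32 search identically.
    """
    return ipaddress.ip_network(text, strict=False)


def compressed_form(entry):
    """Canonical (compressed) text that a wildcard search is matched against."""
    net = to_network(entry)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)      # "2001:db8::1", not ".../128"
    return str(net)                          # "2001:db8::/32"


def query_networks(query):
    """Turn a host, CIDR, or 'first-last' range query into network objects."""
    if "-" in query:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in query.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [to_network(query)]


def search(entries, query):
    """Return the list entries that are 'associated with' the query.

    - A wildcard query is matched, case-insensitively, against the
      compressed text only, so '2001:DB8:0:*' does not find 2001:DB8::/32.
    - Otherwise an entry matches when its network overlaps the queried
      address, CIDR, or range: an address finds the CIDR that contains it,
      and a CIDR finds the addresses inside it.
    """
    if "*" in query:
        pattern = query.lower()
        return [e for e in entries
                if fnmatch.fnmatchcase(compressed_form(e), pattern)]
    wanted = query_networks(query)
    hits = []
    for entry in entries:
        net = to_network(entry)
        if any(net.version == q.version and net.overlaps(q) for q in wanted):
            hits.append(entry)
    return hits
```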
Information on the Configure Inbound Whitelists page

The Configure Inbound Whitelists page displays the following information:

Configure Inbound Whitelists details (information: description)

• Hostname: Displays the whitelisted host’s IP address or CIDR. If APS can resolve the hostname, you can hover your mouse pointer over the IP address or CIDR to see the hostname. If the system can identify the host’s country, this column also includes a flag icon that represents the country. To see the country name, hover your mouse pointer over the flag icon.
  Note: Country mappings do not exist for IPv6 addresses. If the source is an IPv6 address, then this column includes an IPv6 flag icon instead of a country flag icon. Also, for private networks, this column includes a 10 icon or a 192 icon.
• Since: Indicates the amount of time that the item has been on the inbound whitelist.
• PGs Affected: Displays the protection groups for which the item is whitelisted.
  Note: IPv6 addresses can be whitelisted for all IPv6 protection groups only.
• Blacklist button: Allows you to move the item from the inbound whitelist to the inbound blacklist.
• (Remove): Allows you to remove the item from the inbound whitelist for all the protection groups, without moving the item to the blacklist.

Creating and Editing the Inbound Whitelist

Use inbound whitelisting to pass the inbound traffic that originates from specific external hosts. APS always passes the traffic from the whitelisted hosts without further inspection, regardless of the current protection level.

You can whitelist specific IPv4 inbound traffic for all IPv4 protection groups or for individual IPv4 protection groups. You can whitelist specific IPv6 traffic for all IPv6 protection groups only.
You whitelist hosts on the Configure Inbound Whitelist page. You also can view and search for specific hosts on this page. See “Viewing and Searching the Inbound Whitelist” on page 270.

The Invalid Packets category takes precedence over whitelists. As a result, APS blocks invalid packets from whitelisted hosts. Also, any traffic from whitelisted hosts that matches invalid packets is attributed to invalid packets in the Attack Categories graphs. See “Viewing the Attack Categories for a Protection Group or Outbound Threat Filter” on page 329.

For information about how many items can be added to the blacklists and whitelists, see “About the Capacity of the Blacklists and Whitelists” on page 262. For general information about whitelisting, see “About Blacklisting and Whitelisting Traffic” on page 258.

Note: You also can whitelist outbound traffic. See “Creating and Editing the Outbound Whitelist” on page 276.

Whitelisting hosts for inbound traffic

To create and edit the inbound whitelist:

1. Select Protect > Inbound Protection > Whitelists.
2. On the Configure Inbound Whitelists page, complete one of the following steps:

   To add a host to the inbound whitelist: In the Host box that appears below the Whitelisted Hosts list, type an IP address, hostname, or CIDR, and then click Add. If the blacklists or whitelists contain an IP address, and a CIDR that overlaps that IP address, the most specific address always takes precedence. For example, if the IP address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address remains whitelisted.

   To remove a host from the inbound whitelist: Click (Remove) to the far right of the hostname to remove the host for all protection groups. If the host is whitelisted for individual protection groups, you can remove it from the whitelist for a specific protection group. Hover your mouse pointer to the left of the protection group name and click the icon that appears.

   To move a host to the inbound blacklist: Click the Blacklist button to the far right of the hostname. APS blacklists an IPv4 host for all IPv4 protection groups and blacklists an IPv6 host for all IPv6 protection groups.

   When you whitelist a host that is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes. You can unblock an individual IP address immediately by whitelisting that IP address.

About managing the whitelists from APS Console

When you use APS Console to manage APS, you can configure the whitelists in APS Console and propagate the configurations to each managed APS as appropriate.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Alternate method for passing traffic

You can also use the Filter List settings to pass traffic without further inspection. The filter list uses FCAP expressions to define the hosts. If you prefer not to use FCAP expressions, you can specify the hosts in the whitelist settings. However, the FCAP expressions are more flexible and powerful in their ability to find specific traffic. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.
Creating and Editing the Outbound Blacklist

Use outbound blacklisting to block the IPv4 traffic that originates from your network and is sent from specific internal hosts or to specific external hosts. APS always blocks the IPv4 traffic from or to the blacklisted hosts without further inspection, regardless of the current protection level.

You blacklist hosts on the Configure Outbound Blacklists page. You also can view and search for specific hosts on this page.

Important: If you deploy APS in the monitor mode, the outbound traffic does not go through APS. Therefore, the traffic is not analyzed.

The Invalid Packets category takes precedence over blacklists. As a result, any traffic from blacklisted hosts that matches invalid packets is attributed to invalid packets in the Attack Categories graphs. See “Viewing the Attack Categories for a Protection Group or Outbound Threat Filter” on page 329.

For information about how many items can be added to the blacklists and whitelists, see “About the Capacity of the Blacklists and Whitelists” on page 262. For general information about blacklisting, see “About Blacklisting and Whitelisting Traffic” on page 258.

Note: You also can blacklist inbound traffic. See “Creating and Editing the Inbound Blacklist” on page 267.

Blacklisting hosts for outbound IPv4 traffic

To create and edit the outbound blacklist:

1. Select Protect > Outbound Protection > Blacklists.
2. On the Configure Outbound Blacklists page, complete one of the following steps:

   To add an item to the outbound blacklist: In the Host box that appears below the Blacklisted Hosts list, type an IPv4 address, hostname, or CIDR, and then click Add. APS blocks any outbound IPv4 traffic in which the specified host is the source or the destination. If the blacklists or whitelists contain an IP address, and a CIDR that overlaps that IP address, the most specific address always takes precedence.
   For example, if the IP address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address remains whitelisted.

   To remove an item from the outbound blacklist: Click (Remove) to the far right of the item name.

   To move an item to the outbound whitelist: Click the Whitelist button to the far right of the item name.

   When you whitelist a host or remove a host from the blacklist, and that host is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes. You can unblock an individual IP address immediately by whitelisting that IP address.

About managing the blacklists from APS Console

When you use APS Console to manage APS, you can configure the blacklists in APS Console and propagate the configurations to each managed APS as appropriate.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Alternate method for blocking traffic

You can also use the Filter List settings to block traffic without further inspection. The filter list uses FCAP expressions to define the hosts. If you prefer not to use FCAP expressions, you can specify the hosts in the blacklist settings. However, the FCAP expressions are more flexible and powerful in their ability to find specific traffic. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.
Creating and Editing the Outbound Whitelist

Use outbound whitelisting to pass the IPv4 traffic that originates from your network and is sent from specific internal hosts or to specific external hosts. APS always passes the IPv4 traffic from or to the whitelisted hosts without further inspection, regardless of the current protection level.

You whitelist hosts on the Configure Outbound Whitelist page. You also can view and search for specific hosts on this page.

The Invalid Packets category takes precedence over whitelists. As a result, APS blocks invalid packets from whitelisted hosts. Also, any traffic from whitelisted hosts that matches invalid packets is attributed to invalid packets in the Attack Categories graphs. See “Viewing the Attack Categories for a Protection Group or Outbound Threat Filter” on page 329.

Important: If you deploy APS in the monitor mode, the outbound traffic does not go through APS. Therefore, the traffic is not analyzed.

For information about how many items can be added to the blacklists and whitelists, see “About the Capacity of the Blacklists and Whitelists” on page 262. For general information about whitelisting, see “About Blacklisting and Whitelisting Traffic” on page 258.

Note: You also can whitelist inbound traffic. See “Creating and Editing the Inbound Whitelist” on page 272.

Whitelisting hosts

To create and edit the outbound whitelist:

1. Select Protect > Outbound Protection > Whitelists.
2. On the Configure Outbound Whitelists page, complete one of the following steps:

   To add an item to the outbound whitelist: In the Host box that appears below the Whitelisted Hosts list, type an IPv4 address, hostname, or CIDR, and then click Add. APS passes any outbound traffic in which the specified host is the source or the destination. If the blacklists or whitelists contain an IP address, and a CIDR that overlaps that IP address, the most specific address always takes precedence.
   For example, if the IP address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address remains whitelisted.

   To remove an item from the outbound whitelist: Click (Remove) to the far right of the item name.

   To move an item to the outbound blacklist: Click the Blacklist button to the far right of the item name.

   When you whitelist a host that is temporarily blocked, it is removed from the Temporarily Blocked Sources list immediately. When you do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed from the Temporarily Blocked Sources list within five minutes. You can unblock an individual IP address immediately by whitelisting that IP address.

About managing the whitelists from APS Console

When you use APS Console to manage APS, you can configure the whitelists in APS Console and propagate the configurations to each managed APS as appropriate.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Alternate method for passing traffic

You can also use the Filter List settings to pass traffic without further inspection. The filter list uses FCAP expressions to define the hosts. If you prefer not to use FCAP expressions, you can specify the hosts in the whitelist settings. However, the FCAP expressions are more flexible and powerful in their ability to find specific traffic. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.
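The precedence rule that each of the inbound and outbound add steps in this chapter states (an IP address on one list and an overlapping CIDR on the other: the most specific entry wins), together with the per-protection-group scoping of inbound items, the IPv6 global-only restriction, and the Invalid Packets category taking precedence over both lists, as an added example that is not Arbor's code. The InboundLists class, its method names and the protection-group names used for checking are this example's own; where two entries have the same prefix length the guide says nothing, and this model keeps the first one added (an assumption).

```python
"""Offline model of how an inbound source is judged against the combined
blacklist and whitelist: longest prefix wins, entries are scoped to all
protection groups or to one, IPv6 entries are global only, and the Invalid
Packets category is applied before either list.

Added example, not Arbor code. Class and method names are this example's
own. Tie-breaking between entries of equal prefix length is not defined by
the guide; this model keeps the entry that was added first (assumption).
"""
import ipaddress
from typing import List, Optional, Tuple, Union

ALL_PGS = "All PGs"
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Entry:
    def __init__(self, action: str, network: Network, pg: str) -> None:
        self.action = action      # "block" (blacklist) or "pass" (whitelist)
        self.network = network    # host entries are /32 or /128 networks
        self.pg = pg              # ALL_PGS, or one protection group (IPv4 only)


class InboundLists:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def _drop(self, net: Network, pg: str) -> None:
        self.entries = [e for e in self.entries
                        if not (e.network == net and e.pg == pg)]

    def add(self, action: str, host_or_cidr: str, pg: str = ALL_PGS) -> None:
        """Blacklist ('block') or whitelist ('pass') a host or CIDR."""
        if action not in ("block", "pass"):
            raise ValueError("action must be 'block' or 'pass'")
        net = ipaddress.ip_network(host_or_cidr, strict=False)
        if net.version == 6 and pg != ALL_PGS:
            raise ValueError("IPv6 items can be listed for all IPv6 PGs only")
        # The Whitelist/Blacklist buttons move an item between the lists, so
        # one network+scope pair is never on both lists at the same time.
        self._drop(net, pg)
        self.entries.append(Entry(action, net, pg))

    def remove(self, host_or_cidr: str, pg: str = ALL_PGS) -> None:
        """(Remove)/unblock: drop the entry without moving it to the other list."""
        self._drop(ipaddress.ip_network(host_or_cidr, strict=False), pg)

    def decide(self, src: str, pg: str,
               invalid_packet: bool = False) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'block', 'pass' or 'inspect'."""
        if invalid_packet:
            # Invalid Packets takes precedence over both lists, so even a
            # whitelisted host's invalid packets are blocked.
            return ("block", "Invalid Packets category")
        addr = ipaddress.ip_address(src)
        best: Optional[Entry] = None
        for e in self.entries:
            if e.network.version != addr.version or addr not in e.network:
                continue
            if e.pg not in (ALL_PGS, pg):     # scoped to a different PG
                continue
            if best is None or e.network.prefixlen > best.network.prefixlen:
                best = e                      # the most specific entry wins
        if best is None:
            return ("inspect", "no blacklist or whitelist entry")
        return (best.action, f"{best.network} for {best.pg}")
```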
Chapter 13: Managing the ATLAS Intelligence Feed

This section describes how to use the ATLAS Intelligence Feed (AIF) to detect and stop emerging botnet and application-layer attacks.

In this section

This section contains the following topics:

About the ATLAS Intelligence Feed 280
About the ATLAS Threat Policies 283
About the ATLAS Confidence Index 285
About Web Crawler Support 288
Requesting AIF Updates and Updating the AIF Manually 289
Viewing the Status of ATLAS Intelligence Feed Updates 291
Viewing the AIF Traffic Statistics for a Protection Group 292

About the ATLAS Intelligence Feed

APS can leverage Arbor’s global threat intelligence to protect your network against the latest threats by using the ATLAS® Intelligence Feed (AIF). The AIF is a global, subscription-based service of the Arbor Security Engineering and Response Team (ASERT). The ASERT security researchers discover and analyze emerging threats and develop targeted defenses, based on the data from Arbor’s Active Threat Level Analysis System (ATLAS). For more information about ASERT and ATLAS, visit https://www.arbornetworks.com/research/security-intelligence.

The AIF profiles emerging threats to facilitate the detection and mitigation of DDoS attacks, malware, and other security hazards to help ensure service availability and data integrity.

About the AIF updates

Arbor frequently updates the feed to account for rapidly changing attacker behavior and to provide more effective and accurate threat detection. The updates occur without requiring any software upgrades, system downtime, or restarts.

When automatic AIF updates are enabled, APS downloads the AIF at regular intervals. APS uses this information to detect threats and block attacks. By default, the AIF updates run automatically every 24 hours.
You can change the frequency of the updates, and you can force an update at any time. See “Configuring the ATLAS Intelligence Feed” on page 119.

In rare situations, and only under the direction of a support representative, you might need to update the URLs from which APS downloads the information. See “Overriding the AIF Feed URLs” on page 516.

About the AIF components
The AIF consists of the following components, each of which APS downloads separately:

Components of the ATLAS Intelligence Feed

Component: Threat policies
Feed name: reputation_feed
Description: Collections of the rules and actions that define threats. The threat policies are organized into threat categories by type, such as malware, command and control botnets, location-based threats, and targeted attacks. In APS, you can enable threat blocking and view traffic statistics by threat category. See “About the ATLAS Threat Policies” on page 283.

Component: AIF botnet signatures
Feed name: attack_rules
Description: HTTP header signatures that identify known botnets by their traffic patterns.

Component: Web crawler support
Feed name: webcrawler_whitelist
Description: A list of the IP address ranges that Arbor considers to be legitimate search engine web crawlers. Because web crawlers can demonstrate behavior that is similar to malicious botnets, ATLAS tracks active web crawlers from relevant search engines, such as Ask.com, Bing, Yahoo!, and Google. APS allows these legitimate web crawlers the limited access that is necessary to maintain a web site’s page ranking while still protecting its availability. See “About Web Crawler Support” on page 288.

Component: IP location data
Feed name: geoip_countries
Description: A list of country codes, IP addresses, and regions, which are used to map specific IP addresses to a country or region.
APS uses this information to identify the geographic locations of the traffic sources. APS also allows you to block the traffic that originates from a specific location. When you use APS Console to manage multiple APS devices, APS Console uses the location data in the same ways. See “Viewing the Top IP Locations for a Protection Group” on page 343.

Your AIF subscription level (Standard or Advanced) determines which components of the AIF are included when you receive the AIF updates. See “About the ATLAS Intelligence Feed Licensing” on page 31.

On APS Console, the following AIF components are provided by default. On APS, these components are provided with an AIF Advanced subscription:
- AIF Botnet Signatures
- Command and Control threat category
- DDoS Reputation threat category
- Email Threats threat category
- IP location data
- Location-based Threats threat category
- Malware threat category
- Mobile threat category
- Targeted Attacks threat category
- Web crawler list

Important: These components are subject to change as ASERT updates the feed.

Where to configure the AIF settings
Use the Configure AIF Settings page (Administration > ATLAS Intelligence Feed) to configure the AIF settings. For example, you can configure a proxy server, change the update interval, or disable the automatic updates. See “Configuring the ATLAS Intelligence Feed” on page 119.

You configure the other AIF-related settings in the ATLAS Intelligence Feed section on the following pages:
- Configure Server Type page (Protect > Inbound Protection > Server Type Configuration), for inbound traffic
- Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter), for outbound traffic
See “ATLAS Intelligence Feed Settings” on page 210.

About Arbor’s data-sharing program
When you install or upgrade APS, you are opted into Arbor’s data-sharing program.
When an APS is part of the Arbor data-sharing program, it shares only anonymized data with Arbor. The feedback includes high-level threat data and does not contain any information that can specifically identify your organization, such as IP addresses and payload data. By sharing this data with Arbor, you help to further the research and analysis of advanced threats.

Versions of APS prior to 6.0 required users to opt in before their anonymized data was shared with Arbor’s data-sharing program. Sharing is now an opt-out option, which means that your data is part of Arbor’s data-sharing program unless you take action to opt out. You opt out of Arbor’s data-sharing program on the Configure AIF Settings page. The Configure AIF Settings page also contains a link that allows you to download a sample of the data that APS shares with Arbor. See “Participating in Arbor’s Data Sharing Program” on page 121.

If you do not opt out, you acknowledge and agree that your organization’s anonymized data is shared with Arbor’s data-sharing program.

About the ATLAS Threat Policies
One of the components of the ATLAS Intelligence Feed (AIF) is the threat information, which consists of the policies that identify threats by their traffic patterns. APS uses this information to protect your network against the latest threats by blocking any traffic that matches the policies.

You enable the APS threat protection when you configure the server types or the outbound threat filter (OTF). See “ATLAS Intelligence Feed Settings” on page 210. For general information about AIF, see “About the ATLAS Intelligence Feed” on page 280.

About the ATLAS threat policies
A threat policy is a collection of the rules and actions that the Arbor Security Engineering and Response Team (ASERT) develops to define a given threat.
A rule can consist of one or more IP addresses, HTTP regular expressions, or DNS names. ASERT organizes related threat policies into threat categories. Each threat category is further subdivided into threat subcategories, which are limited collections of related threat policies. For example, the Malware threat category might contain subcategories such as RAT (remote access Trojan), Fake Antivirus, and other malware threats. Each of these subcategories consists of the policies that define the specific threats.

The AIF is updated frequently as the ASERT researchers identify new threats. Although the threat categories remain relatively static, they are subject to change by Arbor. When you subscribe to the AIF, your subscription level determines which categories of threats you receive. See “About the ATLAS Intelligence Feed Licensing” on page 31.

In APS, you can enable threat blocking and view traffic statistics by threat category. When you do so, you can also configure custom confidence values for specific threat categories. The confidence value is a relative value on the ATLAS confidence index, which represents Arbor’s confidence that the rules in a threat policy will identify malicious traffic. APS uses the confidence value to determine whether to apply the corresponding rule to block traffic.

About matching domain policies
The ATLAS threat categories contain threat policies that define domains that host threats. When APS matches a domain threat policy, it does not block all of the traffic to the DNS server and it does not block the host. For outbound traffic, APS blocks the DNS request for a fully qualified domain name that is known to be bad. For inbound traffic, APS blocks the response from the DNS server for a fully qualified domain name that is known to be bad.

For example, an infected internal asset sends a request to a DNS host (192.0.2.1) to resolve the IP address of a fully qualified domain name that is known to be bad.
If the AIF threat categories are enabled for inbound traffic only and the request matches a domain threat policy, APS blocks the response from the DNS host. APS only sees the request to the DNS server, not the resolution of the IP address for the fully qualified domain name. Consequently, APS reports the DNS server as a blocked host on the Blocked Hosts Log page. For the example above, 192.0.2.1 appears in the Destination column on the Blocked Hosts Log page.

If the AIF threat categories are enabled for the outbound threat filter and the DNS request matches a domain threat policy, APS blocks the request.

Note: For APS to block outbound DNS requests, you must enable the outbound threat filter and the AIF threat categories for the outbound threat filter. See “Configuring the Outbound Threat Filter” on page 205.

You can use a packet capture to determine the hostname that is being requested and blocked. See “Investigate why a DNS server appears to be blocked” on page 410.

A DNS server can be blocked for some other reason, for example, if it is blacklisted or it matches a DNS regular expression. In such cases, APS blocks all of the traffic to the DNS server.

About the ATLAS Confidence Index
The ATLAS confidence index is a numeric scale from 1 to 100, which represents Arbor’s confidence that the rules in a threat policy will identify malicious traffic. ATLAS assigns a relative numeric value, or confidence value, to every rule in a threat policy for each protection level. As APS inspects traffic, it applies the rules whose confidence values match or exceed the confidence value for the active protection level.
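The decision rule just stated, carried through as an added example (illustrative Python written for this guide, not APS code or Arbor's implementation). It uses the Malware category values Low = 75, Medium = 50, High = 25 and the day-by-day rule confidence values from the “Example: How APS applies the threat rules” table later in this section; the traffic samples and the 198.51.100.9 address are constructed.

```python
"""ATLAS confidence index decision rule, carried through as an added example.

Not APS code. A threat rule is applied (traffic blocked) when its ATLAS
confidence value is greater than or equal to the threat category's configured
confidence value for the active protection level; otherwise the traffic
passes. The category values and the day-by-day rule values come from the
example table in this section; the traffic samples are constructed.
"""
from typing import Dict, List, Tuple

# Configured confidence values for the Malware threat category, per level.
MALWARE_THRESHOLDS: Dict[str, int] = {"low": 75, "medium": 50, "high": 25}

# ATLAS confidence value of the rule for 192.0.2.1 on the days traffic arrived
# (from the figure/table in this section; the decay curve itself is not fixed).
RULE_CONFIDENCE_BY_DAY: Dict[int, int] = {2: 100, 8: 80, 15: 60, 22: 45, 29: 100}


def apply_rule(rule_confidence: int, thresholds: Dict[str, int], active_level: str) -> str:
    """Return "block" or "pass" for one rule under one active protection level."""
    if not 1 <= rule_confidence <= 100:
        raise ValueError("ATLAS confidence values lie on a 1..100 scale")
    return "block" if rule_confidence >= thresholds[active_level] else "pass"


def decision_table(rule_by_day: Dict[int, int],
                   thresholds: Dict[str, int]) -> Dict[int, Dict[str, str]]:
    """Rebuild the section's table: day -> {level: verdict}."""
    return {day: {lvl: apply_rule(conf, thresholds, lvl) for lvl in thresholds}
            for day, conf in rule_by_day.items()}


# Constructed traffic: (day, source address). 192.0.2.1 is the rule's address;
# 198.51.100.9 has no matching rule and therefore always passes.
TRAFFIC: List[Tuple[int, str]] = [(2, "192.0.2.1"), (8, "198.51.100.9"),
                                  (15, "192.0.2.1"), (22, "192.0.2.1"),
                                  (29, "192.0.2.1")]


def evaluate_traffic(traffic: List[Tuple[int, str]],
                     rules_by_source: Dict[str, Dict[int, int]],
                     thresholds: Dict[str, int],
                     active_level: str) -> List[Tuple[int, str, str]]:
    """Apply the category's rules to each connection; unmatched sources pass.

    rules_by_source maps a source address to {day: confidence}.
    """
    verdicts = []
    for day, src in traffic:
        conf = rules_by_source.get(src, {}).get(day)
        verdict = "pass" if conf is None else apply_rule(conf, thresholds, active_level)
        verdicts.append((day, src, verdict))
    return verdicts


def blocked_count(active_level: str) -> int:
    """Connections blocked at a level: higher levels (lower configured values)
    block more, which is the trade-off the text describes."""
    rules = {"192.0.2.1": RULE_CONFIDENCE_BY_DAY}
    return sum(v == "block" for _, _, v in
               evaluate_traffic(TRAFFIC, rules, MALWARE_THRESHOLDS, active_level))


if __name__ == "__main__":
    print("Day   ATLAS  Low=75  Medium=50  High=25")
    for day, row in decision_table(RULE_CONFIDENCE_BY_DAY, MALWARE_THRESHOLDS).items():
        print(f"{day:<5} {RULE_CONFIDENCE_BY_DAY[day]:<6} "
              f"{row['low']:<7} {row['medium']:<10} {row['high']}")
    for lvl in MALWARE_THRESHOLDS:
        print(f"{lvl}: {blocked_count(lvl)} of {len(TRAFFIC)} connections blocked")
```

Note the comparison is "greater than or equal": a rule whose confidence exactly equals the configured value is applied, so at the Low level a confidence of 75 blocks and 74 passes.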
Configuring confidence values
In the ATLAS Intelligence Feed protection settings, the ATLAS confidence values become the default confidence values for the threat categories. You can accept the default confidence values or configure custom confidence values. You configure these settings when you configure the server types or the outbound threat filter. See “ATLAS Intelligence Feed Settings” on page 210.

For general information about AIF and the threat policies, see “About the ATLAS Intelligence Feed” on page 280 and “About the ATLAS Threat Policies” on page 283.

How the ATLAS confidence index affects traffic
In general, a high confidence value indicates that there is more evidence to support classifying the traffic that matches the rule as malicious. A lower confidence value can indicate that there is less supporting evidence for classifying the traffic as malicious. Alternatively, a lower confidence value can represent the aging, and associated reduction, of a formerly high confidence value.

APS applies the threat rules based on the ATLAS confidence values, the configured confidence values for the associated threat categories, and the active protection level, as follows:
- When the ATLAS confidence value is less than the threat category’s confidence value for the active protection level, APS passes the traffic.
- When the ATLAS confidence value is greater than or equal to the threat category’s confidence value for the active protection level, APS blocks the traffic.

At the higher protection levels, APS blocks more traffic; however, the lower confidence values might cause some clean traffic to be blocked. See “Example: How APS applies the threat rules” on the next page.

How the ATLAS confidence values can change over time
The confidence values for rules are relative values that change over time, based on several factors.
One factor that affects the adjustment of the confidence value is whether ATLAS continues to observe the threat behavior that a rule defines. For example, when ATLAS observes a threat from a particular IP address, it creates a rule for that threat and IP address, and assigns a confidence value of 100. If ATLAS continues to observe traffic that matches the rule, the rule confidence value remains at 100. When ATLAS no longer observes traffic that matches the rule, the rule confidence value decreases. The rule confidence value continues to decrease as time passes without further attack traffic from that IP address.

Example
The following figure shows how the ATLAS confidence values for a rule can change over time, given the following scenario:
- On Day 1, Day 2, and Day 3, ATLAS observes a malware threat from 192.0.2.1. ATLAS creates a rule under the Malware threat category and assigns a confidence value of 100 to the new rule.
- Because no malware is observed from 192.0.2.1 after Day 3, the confidence value decreases over time.
- On Day 29 and Day 30, ATLAS again detects a malware threat from 192.0.2.1, and resets the confidence value to 100.

The confidence value changes do not adhere to a fixed timeframe. The date span in this simplified example is for illustration purposes and does not necessarily represent an actual timeframe for confidence value changes.

Figure: Example: How the ATLAS confidence values can change over time

Example: How APS applies the threat rules
The following example shows how APS applies the threat rules based on the changing confidence values. For this example, assume these conditions:
- During a certain month, the AIF updates contain a rule for malware from 192.0.2.1, and the rule confidence value changes over time as shown in the figure above.
- You receive traffic from 192.0.2.1 on the dates in the following table.
- In the ATLAS Intelligence Feed settings in APS, the confidence values for the Malware threat category are configured as shown in the following table.

Given those conditions, the following table shows how APS would apply the threat rules to the traffic:

Example: How APS applies the threat rules

         ATLAS confidence      Confidence values in APS
Date     value for the rule    Low = 75   Medium = 50   High = 25
Day 2    100                   block      block         block
Day 8    80                    block      block         block
Day 15   60                    pass       block         block
Day 22   45                    pass       pass          block
Day 29   100                   block      block         block

About Web Crawler Support
When protecting your HTTP servers from DDoS attacks, APS might prevent search engine web crawlers from accessing your site. You can configure APS to pass traffic from certain search engines with limited inspection, so that legitimate web crawlers can crawl your web site more freely. As a result, you can maximize search engine page ranking while maintaining protection from threats that are designed to imitate legitimate web crawlers.

How the web crawler support works
The web crawler support consists of the following features:
- The ATLAS Intelligence Feed (AIF) updates include a list of the IP address ranges that Arbor considers to be legitimate search engine web crawlers. Each IP address range is associated with the low, medium, or high protection level.
- Settings on the Configure AIF Settings page (Administration > ATLAS Intelligence Feed) allow you to enable the search engines that can crawl your web site. Initially, all of the search engines are enabled by default, including any search engines that are added to the AIF updates in the future. See “Configuring web crawler support” on page 121.
- On the Configure Server Type page, the Web Crawler Support setting allows you to enable web crawler support by protection level. See “ATLAS Intelligence Feed Settings” on page 210.
- Sections on the Summary page and the View Protection Group page in APS display information about the web crawler traffic that APS detects and passes. See “Viewing the Top Web Crawlers on the Summary Page” on page 317 and “Viewing the Top Web Crawlers for a Protection Group” on page 341.

How APS passes web crawler traffic
APS passes search engine traffic in a manner that is similar to whitelisting, except that not all search engine traffic is passed globally. The following criteria determine which search engine traffic is passed:
- the search engines that are enabled on the Configure AIF Settings page
- the protection level that is associated with each search engine’s IP address range in the AIF updates
- the global protection level or the protection group protection level

The protection levels determine which search engine traffic is inspected and which protection categories are used, as follows:

Protection level   Effect on search engine traffic
Low                Traffic from all of the enabled search engines is passed without further inspection.
Medium             Traffic from a smaller set of enabled search engines is passed with limited inspection.
High               Traffic from an even smaller set of enabled search engines is inspected by a majority of protection categories.

Requesting AIF Updates and Updating the AIF Manually
Most organizations enable the automatic ATLAS Intelligence Feed (AIF) updates. However, in some situations, you might need to obtain the AIF updates without using the automatic connection. You can import the following AIF files to APS manually:
- Reputation Feed – Contains the ATLAS threat policies.
- Rules – Contains the AIF botnet signatures.
To update the AIF manually, you obtain the latest AIF files from Arbor or your reseller, and then import the files to APS. You can access the AIF update files only if you have a current AIF subscription.

For information about configuring AIF, see “Configuring the ATLAS Intelligence Feed” on page 119. For general information about AIF, see “About the ATLAS Intelligence Feed” on page 280.

When to manually update the AIF
You may want to update the AIF manually in the following situations:
- to perform an AIF update outside of the update schedule
- to test the connection to the AIF servers
- to take advantage of the AIF policy data when APS does not have internet access

Requesting an AIF update
To request an AIF update:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, click Update AIF Now.

Obtaining the AIF update files
To obtain the AIF update files:
1. From a device other than APS, go to https://support.arbornetworks.com/ and log in to the Arbor Technical Assistance Center with your support account user name and password.
2. On the top menu, click Software Downloads.
3. Log in to the Arbor Networks Software Downloads Center with your update server user name and password.
4. On the Arbor Networks Software Downloads page, navigate to the latest AIF update files.
5. To download a file, click the file name link, and then save the file according to your browser options. Repeat this step to download the other file.
6. Copy the downloaded files to a location that APS can access.

Importing the AIF update files
To import the AIF update files to APS:
1. In APS, select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, in the Manual Import section, click Choose File.
3. In the file selection window that appears, navigate to where you saved the AIF update files, and then select a file.
4. On the Configure AIF Settings page, in the Manual Import section, click Upload.
5. Repeat this procedure to import the other file.

Viewing the Status of ATLAS Intelligence Feed Updates
You can view the status of the ATLAS Intelligence Feed (AIF) updates on the Configure AIF Settings page, the Summary page, and the Change Log page. On any of these pages, you can refresh your browser window to update the status information.

Checking the status of the AIF updates
To check the status of the AIF updates, complete one of the following steps:
- To check the status of the last automatic update or update request (from the Update AIF Now button), complete one of the following steps:
  - Select Administration > ATLAS Intelligence Feed to display the Configure AIF Settings page, and view the Last AIF Update section.
  - Select Summary, and then scroll to the AIF Botnet Prevention section.
- To check the status of the last manual import attempt:
  - Select Administration > ATLAS Intelligence Feed to display the Configure AIF Settings page, scroll down, and then view the Manual Import section.

These pages display the date and time of the last successful AIF update or import. The Manual Import section also displays the names of the files that were imported.

Viewing AIF updates in the Change Log
All of the automatic AIF updates are recorded in the system change log and displayed on the Change Log page. The AIF change log entries contain information about which files are updated. The AIF entries are listed under the ATLAS Intelligence Feed subsystem. You can search for “ATLAS” to filter the display for AIF entries. See “Viewing the Change Log” on page 448.

About the AIF traffic statistics
You can use the View Protection Group page to view information about the attack traffic that the AIF signatures detected and blocked.
See “Viewing the AIF Traffic Statistics for a Protection Group” on the next page.

Viewing the AIF Traffic Statistics for a Protection Group
You can use the View Protection Group page to view information about the attack traffic that the AIF botnet signatures detected and blocked. This information is displayed at the protection group level.

You can also view the AIF traffic statistics on the Summary page. See “Viewing the ATLAS Botnet Prevention Information on the Summary Page” on page 314.

For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence Feed” on page 280.

Viewing the AIF traffic statistics for a protection group
To view the AIF traffic statistics for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group whose data you want to view.
3. On the View Protection Group page, under the Attack Categories section, scroll to the Botnet Prevention line and click Details.
4. In the subsection that opens, scroll to the AIF Botnet Signatures line and click Details. This line appears only if traffic matched the AIF signatures and was blocked. This subsection might also display information, under Basic Botnet Prevention, about the traffic that is blocked as a result of the Botnet Prevention settings. That traffic is not associated with the AIF botnet signatures.
5. When you finish viewing the detailed information, click Details to hide it.

AIF Botnet Signatures information
The AIF Botnet Signatures line displays the following information:
- a minigraph of the total traffic that was blocked by the AIF botnet signatures. You can hover your mouse pointer over the minigraph to view a larger version of the graph.
- the total amount of traffic that was blocked, in bytes, bits per second (bps), packets, and packets per second (pps)

AIF traffic details
When you click the Details button on the AIF Botnet Signatures line, the following information appears for each protection level:
- a minigraph of the traffic that was detected or blocked by all of the AIF protection settings at that level
- the status of each protection level. For example, if the protection level is set to medium, both the low level and the medium level of AIF traffic are marked as Active. The AIF signatures at both levels are used to block traffic.
- the amount of traffic that was detected or blocked, in bytes, bits per second (bps), packets, and packets per second (pps)
- the average number of hosts that were blocked

This information reflects the global protection level or the protection group’s protection level, for those groups that have their own protection level configured. For the active protection level and for any lower protection levels, the traffic statistics represent the attacks that were blocked. For any protection level that is higher than the active level, the traffic statistics represent the attacks that would be blocked if that level were active. A large graph represents the traffic that was detected and blocked at all of the levels.

Part II: Threat Management

Chapter 14: Monitoring System Health and Identifying Attacks
This section describes how to monitor your APS deployment and your network’s traffic.
In this section
This section contains the following topics:
- Workflow for Routine System Monitoring (page 298)
- Viewing Alerts (page 300)
- Viewing Bandwidth Alerts (page 302)
- Viewing the System Overview (page 304)
- Viewing the CPU Status and Memory Status (page 306)
- Viewing the Status of the APS Protection Interfaces (page 307)

Workflow for Routine System Monitoring
Because APS can detect and mitigate most attacks automatically, the majority of your interaction with the system should be to monitor its operations. By developing a routine system monitoring workflow, you can ensure that APS always provides optimum protection from attacks.

Regular monitoring can help you to learn about your network’s normal traffic levels so that you can more easily recognize anomalies. Regular monitoring can also help you to detect the attacks that are not mitigated automatically. As you learn more about those types of attacks, you can refine the protection settings so that APS can detect and mitigate them according to your preferences.

You can also use the system monitoring workflow during a trial or monitor-only implementation. In these implementations, APS monitors traffic and detects attacks without performing mitigations. However, APS reports the traffic behavior as though mitigation were taking place. See “Implementing APS for Trial or Monitoring Only” on page 54.

When you use APS Console to manage APS, you can perform these tasks for multiple APS devices or multiple protection groups.

Workflow
Your APS monitoring workflow should allow you to answer the following questions:

Workflow for routine system monitoring

Question: Do any system problems need attention?
Task: On the Summary page, view the Active Alerts section. See “Viewing Alerts” on page 300.

Question: Are the APS interfaces working?
Task: On the Summary page, view the Interfaces section to verify that all of the interfaces are up. See “Viewing the Status of the APS Protection Interfaces” on page 307.
Question: If you use APS Console to manage APS, is the APS connected and synchronized?
Task: In APS Console, view the connection status and synchronization status for each managed APS in the System Information section on the Summary page.

Question: Is APS monitoring traffic?
Task: On the Summary page, view the Overview tab to verify that traffic is being processed. Ideally, the majority of the network traffic should be passed. See “Viewing the System Overview” on page 304.

Question: Is Cloud Signaling working?
Task: On the Summary page, view the Cloud Signaling widget to check the Cloud Signaling status. See “Viewing Global and Group Cloud Signaling Activity” on page 396.

Question: Is the ATLAS Intelligence Feed (AIF) update working?
Task: On the Configure AIF Settings page, view the status of the AIF update. On the Change Log page, view the update information. See “Viewing the Status of ATLAS Intelligence Feed Updates” on page 291.

Question: What servers are receiving the most traffic, and are any servers under attack?
Task: On the Summary page, review the Top Inbound Destinations section to see which IP addresses are receiving the most traffic overall. See “Viewing the Top Inbound Destinations on the Summary Page” on page 322.

Question: Is the network under an attack that APS is not blocking?
Task: APS can proactively inform you of attacks and other traffic anomalies that require your attention. If you have enabled thresholds for total traffic alerts or botnet alerts, an alert occurs when a protection group’s traffic exceeds one of the thresholds. These alerts appear on the System Alerts page as well as on other pages in the UI. In the absence of alerts, you can view specific pages in the UI for information that can help you to detect an attack. See “Indicators of Attacks and Mitigations” on page 355.

Question: Is APS blocking the appropriate traffic?
Task:
- Display and review the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 408.
- For each protection group, display and review the View Protection Group page. See “Viewing the Traffic Activity for a Protection Group” on page 324.
- Display and view the Outbound Threat Filter page. See “Viewing the Outbound Threat Activity” on page 349.

Question: What hosts are currently blocked, and should they be unblocked or whitelisted?
Task:
- If you have enabled thresholds for blocked traffic alerts, an alert occurs when a protection group’s blocked traffic exceeds its threshold. You can view these alerts and determine whether the traffic is legitimate. See “Viewing Bandwidth Alerts” on page 302.
- For each protection group, display the View Protection Group page and review the Temporarily Blocked Sources section. See “Viewing Temporarily Blocked Sources” on page 335.
- Display and review the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 408.
- Investigate false positives by capturing the packet or packets that caused a host’s traffic to be blocked. See “Capturing Packet Information” on page 418.

Viewing Alerts
APS monitors the system and creates alerts when it detects certain events, conditions, or errors. The alerts keep you informed of your system’s health and allow you to take action when necessary to resolve issues. For example, if an alert indicates that an interface is down, you can restart the interface.

Where to view alerts
You can view alerts on the System Alerts page and on the Summary page. The System Alerts page displays both the active alerts and the expired alerts. The Summary page displays only the five most important active alerts. However, you can click the links at the bottom of the Top Active Alerts section to access the System Alerts page. On the System Alerts page, you can view all of the active alerts and all of the expired alerts.
You can configure APS to send notification messages to specified destinations when specific alerts occur. See “Configuring Notifications” on page 131.

Note: If you use APS Console to manage APS, you can view the alerts for multiple APS devices at once. To do so, view the Dashboard page or the Alerts page in APS Console. For more information, see the Arbor Networks® APS Console User Guide.

About the Settings tab
On the System Alerts page, the Settings tab allows you to set traffic thresholds for bandwidth alerts. See “Configuring Global Thresholds for Bandwidth Alerts” on page 126.

Viewing the System Alerts page
To view the System Alerts page:
1. Select Administration > System Alerts.
2. Complete one of the following steps:
   - To view the alerts that represent an event that is ongoing, select Active Alerts.
   - To view the alerts that represent an event that has stopped, select Expired Alerts.
   - To search on the alert name or description, in the Search Alerts box, type all or part of a search string, and then click (search).
3. (Optional) When you hover your mouse pointer over the names of specific types of alerts, the (context menu) icon appears. Click it, and then select one of the following options to view additional information about that alert:

Alert type: Bandwidth alerts (Total Traffic, Blocked Traffic, and Botnet Traffic)
Option: View Protection Group
Result: Displays the View Protection Group page, where you can view information about the affected protection group’s traffic. See “Viewing the Traffic Summary” on page 310.

Alert type: License Limit alerts
Option: View Limit
Result: Opens the Licenses page, where you can view additional information about your system’s licensed throughput limit and its current throughput rate. See “Viewing System Information” on page 32.
Note: The View Limit option is available only to members of the system_admin user group.
Deleting expired alerts

You can delete expired alerts as needed to manage the number of alerts that appear on the Expired Alerts tab.

To delete expired alerts:
1. Select Administration > System Alerts.
2. Select the Expired Alerts tab.
3. (Optional) Filter the alerts table by using the Search box.
4. Complete one of the following steps:
   • Click the Delete Alert icon to the far right of the alert that you want to delete.
   • Select the check box for each alert that you want to delete, and then click Delete at the lower left of the page.
   • Select the check box in the table heading row to select all of the expired alerts on the current page, and then click Delete.
   • To delete all of the expired alerts on all of the alerts pages, regardless of whether the check boxes are selected, click Delete All.

Viewing Bandwidth Alerts

Bandwidth alerts can proactively inform you of attacks and other traffic anomalies that require your attention. You can define traffic thresholds globally or for individual protection groups; when the traffic for a protection group exceeds a threshold, APS creates a bandwidth alert. See “About Bandwidth Alerts” on page 123.

You can view bandwidth alerts in several areas of the APS UI.

Note: If you use APS Console to manage APS, you can view the alerts for multiple APS devices at once. To do so, view the Dashboard page or the Alerts page in APS Console. For more information, see the Arbor Networks® APS Console User Guide.

Where you can view bandwidth alerts

You can view the bandwidth alerts on the following pages in APS:
• Summary page: Bandwidth alerts appear in the Active Alerts section. The context menu icon appears when you hover your mouse pointer over a bandwidth alert name.
  Click the icon, and then select one of the following options, depending on the alert type:
  - View Protection Group (total traffic alerts, blocked traffic alerts, and botnet alerts): Displays the View Protection Group page, where you can view information about the affected protection group’s traffic.
  - View Limit (license limit alerts): Displays the Licenses page, where you can view the license details.
    Note: The View Limit option is available only to members of the system_admin user group.
  See “Viewing the Traffic Summary” on page 310.
• View Protection Group page: Total traffic alerts, blocked traffic alerts, and botnet alerts appear at the top of the header section. See “Viewing the Traffic Activity for a Protection Group” on page 324.
• List Protection Groups page: At the far right of the protection group’s row, the following icons might appear for total traffic alerts, blocked traffic alerts, and botnet alerts:
  - Alerts configured icon: Indicates that one or more of the bandwidth alert thresholds are configured for the protection group.
  - Bandwidth alert icon: Indicates that one or more active bandwidth alerts exist for the protection group.
  See “Viewing the Status of Protection Groups” on page 196.
• System Alerts page: Bandwidth alerts are listed on the Active Alerts tab or the Expired Alerts tab, as appropriate. The context menu icon appears when you hover your mouse pointer over a bandwidth alert name. Click the icon, and then select one of the following options, depending on the alert type:
  - View Protection Group (total traffic alerts, blocked traffic alerts, and botnet alerts): Displays the View Protection Group page, where you can view information about the affected protection group’s traffic.
  - View Limit (license limit alerts): Displays the Licenses page, where you can view the license details.
  See “Viewing Alerts” on page 300.

Viewing the System Overview

On the Summary page, the Overview tab displays information about all of the system’s traffic during the last hour. Use this tab to view the APS activity and look for any signs of a problem.

Information on the Overview tab

The Overview tab contains the following information:
• Total Traffic: Shows the total amount of traffic in bytes and the average rate of that traffic.
• Passed Traffic: Shows the amount of passed traffic in bytes and the average rate of the passed traffic.
• Blocked Traffic: Shows the amount of blocked traffic in bytes and the average rate of the blocked traffic.
• Blocked Hosts: Shows the average number of hosts per second that were blocked and a minigraph that represents the number of hosts that were blocked.
• Total Traffic pie chart: Displays a pie chart that represents the percentages of the total passed traffic and the total blocked traffic.

Interpreting the Overview information

The information on the Overview tab can indicate the following problems:
• One or more of the traffic minigraphs displays a flatline. Meaning: Traffic is not being processed. You can investigate further by viewing the following information:
  - Interfaces section on the Summary page. See “Viewing the Status of the APS Protection Interfaces” on page 307.
  - System Status tab on the Summary page. See “Viewing the CPU Status and Memory Status” on page 306.
  - Change Log tab on the Summary page or the Change Log page. See “Viewing the Change Log” on page 448.
  - System Alerts page. See “Viewing Alerts” on page 300.
• The traffic in the Total Traffic minigraph forms a high plateau. Meaning: The traffic has reached or exceeded the throughput rate of your APS model. You might need to upgrade to another model or purchase additional hardware.
• The Passed Traffic minigraph displays a significant increase in traffic or a traffic spike. Meaning: You might be under attack. Examine the traffic further. See “Indicators of Attacks and Mitigations” on page 355.
• The total traffic is at an acceptable level, but either the amount of passed traffic seems low and the amount of blocked traffic seems high compared to their usual levels, or the number of blocked hosts seems high. Meaning: Too much traffic is blocked, which can happen in the following situations:
  - The protection level is too high. See “About the Protection Levels” on page 185.
  - The protection settings are too aggressive. Review the Outbound Threat Filter page and the View Protection Group page to determine what kind of traffic is blocked and which settings are blocking it. See “Viewing the Traffic Activity for a Protection Group” on page 324.

Viewing the CPU Status and Memory Status

On the Summary page, the System Status tab displays information about the CPU usage and memory usage during the last hour. Use this information to monitor the load on your APS hardware. For example, a consistently high level of memory usage can indicate an overload.

Note: CPU usage of 100 percent is not unusual and does not always indicate a problem.

Information on the System Status tab

The System Status tab contains the following information:
• Type: Shows the type of usage that is monitored: the CPU or memory.
• Graph: Represents the total usage of the CPU or memory.
• Average: Shows the average usage of the CPU or memory.
• Max / Min: Shows the maximum and minimum usage of the CPU or memory.

Reference: See “Viewing the Traffic Summary” on page 310.

Viewing the Status of the APS Protection Interfaces

On the Summary page, the Interfaces section displays the activity on the protection interfaces during the last hour. Use the Interfaces section to determine whether the protection interfaces are up or down. You can also determine whether any of the interfaces are overloaded: a minigraph that displays traffic as a high plateau typically indicates an overload.

Options on the Interfaces page allow you to configure the following features for each protection interface pair:
• Alerting: When the deployment mode is inline and an interface pair is down, APS creates an alert.
• Link state propagation: If the link status is lost on one side of a pair of interfaces, APS brings the other interface down.
See “Configuring Interfaces and GRE Tunneling” on page 141.

Troubleshooting the Interfaces display

Sometimes, the Interfaces section displays traffic for the int0 interface even when that interface is not connected. This issue occurs when APS is deployed through a span port or network tap but the deployment mode is set to inline instead of monitor. To resolve this issue, use the command line interface (CLI) to set the deployment mode to monitor. See “Setting the Deployment Mode” on page 511.

About the Interfaces graph

The Interfaces section contains a stacked graph that represents the traffic flow through all of the protection interfaces. The interface traffic is measured in bits per second and is displayed in one-minute increments. The traffic that appears below the baseline (rx) represents the traffic that flows into the protection interfaces. The traffic that appears above the baseline (tx) represents the traffic that flows out of the protection interfaces.
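The Overview indicators above (a flatline, a plateau at the licensed throughput, a spike in passed traffic, an unusually high blocked share) and the interface overload plateau described in this section are all judgements made by eye on one-minute minigraphs. The following added example, which is not Arbor code and is not how APS itself evaluates its graphs, shows the same judgements as explicit checks over one-sample-per-minute series in bits per second, so that they can be applied to exported counters or used to sanity-check what the dashboard shows. The tolerance, window and factor values are assumptions chosen for the demonstration, and all traffic series are constructed. The same plateau check applies to an interface series with the link speed as the ceiling.

```python
"""Added example: heuristics for reading the Overview and Interfaces minigraphs
(not Arbor code). Each series holds one sample per minute for the last hour, in
bits per second, as the guide describes the graphs. The tolerance, window and
spike factor below are assumptions chosen for the demo.
"""
from statistics import median
from typing import List, Sequence


def is_flatline(samples: Sequence[float]) -> bool:
    """A minigraph with no movement at all (typically every sample zero): traffic is not processed."""
    return len(samples) > 0 and max(samples) == min(samples)


def longest_run_at_ceiling(samples: Sequence[float], ceiling_bps: float,
                           tolerance: float = 0.05) -> int:
    """Longest run of consecutive minutes at or above (1 - tolerance) * ceiling."""
    floor = ceiling_bps * (1.0 - tolerance)
    run = best = 0
    for s in samples:
        run = run + 1 if s >= floor else 0
        best = max(best, run)
    return best


def has_plateau(samples: Sequence[float], ceiling_bps: float, min_minutes: int = 5) -> bool:
    """High plateau: the series sits at a ceiling (licensed throughput, or link speed for an interface)."""
    return longest_run_at_ceiling(samples, ceiling_bps) >= min_minutes


def spike_minutes(samples: Sequence[float], factor: float = 3.0, window: int = 10) -> List[int]:
    """Minutes whose value is at least `factor` times the median of the preceding window."""
    hits = []
    for i in range(window, len(samples)):
        base = median(samples[i - window:i])
        if base > 0 and samples[i] >= factor * base:
            hits.append(i)
    return hits


def blocked_share_jump(total: Sequence[float], blocked: Sequence[float],
                       recent: int = 10, factor: float = 3.0) -> bool:
    """True when the blocked share of traffic in the last `recent` minutes is far above its earlier level."""
    if len(total) <= recent or len(total) != len(blocked):
        return False

    def share(t: Sequence[float], b: Sequence[float]) -> float:
        tt = sum(t)
        return sum(b) / tt if tt else 0.0

    earlier = share(total[:-recent], blocked[:-recent])
    now = share(total[-recent:], blocked[-recent:])
    return earlier > 0 and now >= factor * earlier


def interpret_overview(total: Sequence[float], passed: Sequence[float],
                       blocked: Sequence[float], licensed_bps: float) -> List[str]:
    """Map the guide's Overview indicators to short finding codes."""
    findings = []
    if is_flatline(total):
        findings.append("flatline")        # not processing: check interfaces, system status, change log
    plateau = has_plateau(total, licensed_bps)
    if plateau:
        findings.append("plateau")         # at the licensed throughput of the APS model
    if spike_minutes(passed):
        findings.append("spike")           # passed traffic jumped: possible attack
    if not plateau and blocked_share_jump(total, blocked):
        findings.append("over-blocking")   # total acceptable but blocked share high: level or settings too aggressive
    return findings


def scenario(kind: str, licensed_bps: float = 1e9) -> List[str]:
    """Constructed one-hour series: about 100 Mbps with 5 Mbps blocked, then a change in the last 10 minutes."""
    minutes = 60
    total = [100e6 + (i % 3) * 1e6 for i in range(minutes)]
    blocked = [5e6] * minutes
    if kind == "link-down":
        total, blocked = [0.0] * minutes, [0.0] * minutes
    elif kind == "attack":            # passed traffic jumps from about 95 Mbps to 400 Mbps
        total[50:] = [405e6] * 10
    elif kind == "at-license":        # total pinned at the licensed 1 Gbps
        total[50:] = [licensed_bps] * 10
    elif kind == "over-blocking":     # same total, but 60 of every 100 Mbps is now blocked
        blocked[50:] = [60e6] * 10
    passed = [t - b for t, b in zip(total, blocked)]
    return interpret_overview(total, passed, blocked, licensed_bps)


if __name__ == "__main__":
    for kind in ("normal", "link-down", "attack", "at-license", "over-blocking"):
        print(f"{kind:14} -> {scenario(kind)}")
```

The over-blocking check is deliberately suppressed while the total sits at the licensed ceiling: when the appliance is saturated, a rising blocked share is the expected consequence of mitigation rather than a sign of misconfigured protection settings.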
Information in the Interfaces section

The Interfaces section contains the following information for each protection interface:
• Key: Shows the color that represents the interface in the stacked graph.
• Interface: Displays the name of the interface, which is either the interface number or the name that is defined on the Interfaces page, if any. The interfaces are displayed as follows:
  - The ext0 and int0 interfaces always appear, even though the int0 interface is not used in monitor mode.
  - In inline mode, the interfaces other than ext0 and int0 always appear in pairs, even if only one is connected. In monitor mode, the interfaces appear only if they are connected to a cable.
• Context menu icon: Appears when you hover your mouse pointer over an interface name. Click the icon, and then select Packet Capture to display the Packet Capture page, with the interface selected in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.
• Speed: Shows the interface’s connection speed. If the speed for an interface is incorrect, you can use the command line interface (CLI) to configure the correct speed. See “Configuring the Speed, Duplex Mode, and MTU for the Protection Interfaces” on page 502.
  Note: If you use vAPS on KVM, the speed for the ext0 and int0 interfaces is shown as 10 Gbps.
• Status: Indicates whether the interface is up or down.
• Graph: Represents the traffic flow through the interface during the last hour.
• RX: Shows the average rate of traffic flow into the interface during the last hour.
• TX: Shows the average rate of traffic flow out of the interface during the last hour. When you deploy APS in monitor mode, the outbound traffic does not go through APS, so the TX rate is zero.
Chapter 15: Viewing APS Traffic

This section describes the many ways in which you can view the traffic that APS inspects.

In this section

This section contains the following topics:
Viewing the Traffic Summary 310
Viewing the Top Protection Groups on the Summary Page 313
Viewing the ATLAS Botnet Prevention Information on the Summary Page 314
Viewing the ATLAS Threat Categories on the Summary Page 316
Viewing the Top Web Crawlers on the Summary Page 317
Viewing the Top Inbound Countries on the Summary Page 318
Viewing the Top Inbound Sources on the Summary Page 320
Viewing the Top Inbound Destinations on the Summary Page 322
Viewing the Status of SSL Inspection 323
Viewing the Traffic Activity for a Protection Group 324
Viewing the Traffic Overview for a Protection Group 327
Viewing the Attack Categories for a Protection Group or Outbound Threat Filter 329
Viewing Temporarily Blocked Sources 335
Viewing the Top URLs for a Protection Group 337
Viewing the Top Domains for a Protection Group 339
Viewing the Top Web Crawlers for a Protection Group 341
Viewing the Top IP Locations for a Protection Group 343
Viewing the Top Protocols for a Protection Group 345
Viewing the Top Services for a Protection Group 347
Viewing the Outbound Threat Activity 349

Viewing the Traffic Summary

The Summary page is a dashboard view that displays the current health of APS and provides traffic forensics in real time. The Summary page allows you to monitor your system from a single location. By quickly reviewing the Summary page, you can verify that your hardware is working efficiently and that APS is monitoring traffic and blocking attacks. If you discover any anomalies, the Summary page provides quick access to additional views, from which you can investigate further or take remedial action. See “Workflow for Routine System Monitoring” on page 298.
Navigating to the Summary page

The Summary page appears by default when you log in to APS. To navigate to the Summary page from another page in the UI, select the Summary menu.

Information on the Summary page

The Summary page contains the following sections and tabs:
• Alerts message: If active alerts exist, a message appears at the top of the Summary page.
• Top Active Alerts section: Lists up to five of the most important active alerts. This section appears only when active alerts exist. At the bottom of this section, the total number of active alerts and the total number of expired alerts are shown. Next to the numbers are links that allow you to view information about alerts on the System Alerts page, as follows:
  - To view all of the alerts that are active, click Total Active Alerts.
  - To view all of the alerts that have expired, click Total Expired Alerts.
  - To view or change the traffic thresholds for bandwidth alerts, click Alert Settings.
  See “Viewing Alerts” on page 300.
• Top Protection Groups section: Displays the five most active protection groups and their traffic, and allows you to expand the information about individual protection groups. See “Viewing the Top Protection Groups on the Summary Page” on page 313.
• Cloud Signaling widget: Allows you to monitor the progress of the cloud mitigation in real time if you have enabled and configured Cloud Signaling. See “Viewing Global and Group Cloud Signaling Activity” on page 396. The widget also contains options that allow you to perform the following tasks:
  - Request or stop cloud mitigation.
  - Open the Configure Cloud Signaling Settings page.
  - Open the management portal for Arbor Cloud or another cloud service, where you can view the status of your cloud mitigations, request mitigations, and so on.
  See “About the Cloud Signaling Widget” on page 397.
• ATLAS Botnet Prevention section: Displays information about the protection against botnets that the ATLAS Intelligence Feed (AIF) provides. See “Viewing the ATLAS Botnet Prevention Information on the Summary Page” on page 314.
• Overview tab: Displays information about all of the system’s traffic during the last hour. See “Viewing the System Overview” on page 304.
• System Status tab: Displays information about the CPU usage and memory usage during the last hour. See “Viewing the CPU Status and Memory Status” on page 306.
• Change Log tab: Displays the last 10 entries in the change log. The change log is a user-friendly record of nearly all of the events that occur in APS. You can view the complete change log on the Change Log page by clicking the View all changes link. See “Viewing the Change Log” on page 448.
• Web Crawlers section: Displays the five search engine web crawlers that sent the most traffic during the last hour. See “Viewing the Top Web Crawlers on the Summary Page” on page 317.
• ATLAS Threat Categories section: Displays the five threat categories for which APS blocked the most traffic during the last hour, based on the ATLAS Intelligence Feed settings. See “Viewing the ATLAS Threat Categories on the Summary Page” on page 316.
• Top Inbound Countries section: Displays the five countries that sent the most traffic during the last hour. It also allows you to view the individual protection groups that are affected by each country’s traffic. See “Viewing the Top Inbound Countries on the Summary Page” on page 318.
  You can blacklist a country or remove it from the blacklist when you view the protection group details. See “About Blacklisting and Whitelisting Traffic” on page 258.
• Interfaces section: Displays the activity on the current APS interfaces. See “Viewing the Status of the APS Protection Interfaces” on page 307.
• Top Inbound Sources section: Displays the five external IP addresses that sent the most traffic during the last hour, and allows you to blacklist any of the IP addresses. It also allows you to display the Blocked Hosts Log page or the Packet Capture page for a specific IP address. See “Viewing the Top Inbound Sources on the Summary Page” on page 320.
• Top Inbound Destinations section: Displays the five internal IP addresses that received the most traffic during the last hour. It also allows you to display the Blocked Hosts Log page or the Packet Capture page for a specific IP address. See “Viewing the Top Inbound Destinations on the Summary Page” on page 322.
• SSL Inspection section: Displays the status of the Hardware Security Module (HSM) and the SSL traffic that the HSM affects. See “Viewing the Status of SSL Inspection” on page 323. If the HSM is not installed, the SSL Inspection section does not appear.

Viewing the Top Protection Groups on the Summary Page

On the Summary page, the Top Protection Groups section displays the five most active protection groups and their traffic during the last hour. Use this section to view the traffic activity by protection group and look for possible problems. For example, a dramatic increase in traffic on the Top Protection Groups graph often indicates an attack. Further review of the protection groups list can help you identify the attack target.

About the Top Protection Groups graph

The Top Protection Groups section contains a stacked graph that represents the traffic for all of the protection groups.
The traffic is measured in bits per second and is displayed in one-minute increments. It represents the inbound traffic on the external interface only.

Information in the Top Protection Groups section

The Top Protection Groups section contains the following information for each protection group:
• Key: The color of the protection group’s segment in the stacked graph.
• Protection Group: Displays the protection group’s name as a link that opens the View Protection Group page, where you can view additional information. See “Viewing the Traffic Activity for a Protection Group” on page 324.
• Context menu icon: Appears when you hover your mouse pointer over a protection group name. Click the icon to display the following options:
  - Blocked Hosts: Displays the Blocked Hosts Log page (IPv4 protection groups only). See “About the Blocked Hosts Log” on page 406.
  - Packet Capture: Displays the Packet Capture page, with the protection group selected in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.
• Passed Traffic / Blocked Traffic: The amount of traffic that was passed or blocked as a result of the protection group’s settings. The traffic rates are displayed in bits per second (bps) and packets per second (pps).
• Prefixes: The prefixes that the protection group protects.
• Cloud Signaling icon: Indicates that protection group-specific Cloud Signaling mitigation was requested or is in progress for the protection group. You can hover your mouse pointer over the icon to view the status.
Viewing the ATLAS Botnet Prevention Information on the Summary Page

On the Summary page, the ATLAS Botnet Prevention section displays the following information about the protection against botnets that the ATLAS Intelligence Feed (AIF) provides:
• the status of the AIF updates
• the inbound traffic that is currently blocked by the AIF Botnet Signatures protection setting at the active protection level (see “ATLAS Intelligence Feed Settings” on page 210)
• the traffic that would be blocked at a different protection level
• the IPv4 protection groups whose traffic is blocked or would be blocked

For the active protection level and for any lower protection levels, the traffic statistics represent the attacks that were blocked. For any protection level that is higher than the active level, the traffic statistics represent the attacks that would be blocked if that level were active. During an attack, you can use the ATLAS Botnet Prevention section to help determine whether to change the protection level. See “About the ATLAS Intelligence Feed” on page 280.

Information in the ATLAS Botnet Prevention section

This information reflects the global protection level or, for protection groups that have their own protection level configured, the group’s protection level. The ATLAS Botnet Prevention section contains the following information:
• Last AIF Update: Displays the date, time, and status of the last update attempt. If the update failed, a link to the Configure AIF Settings page appears.
• Defined threats: Displays the number of threats that the current botnet signatures protect against.
• Hosts blocked: Displays the number of hosts that are currently blocked as a result of the botnet protection.
• Graph: Represents the inbound traffic that was detected or blocked by the AIF Botnet Signatures protection setting at each protection level during the last hour.
  The colors in the graph correspond to the colors of the protection level icons.
• Groups with botnet traffic: Displays the number of IPv4 protection groups whose traffic is blocked or would be blocked. This section also lists the top five IPv4 protection groups and the rate of traffic that matches the botnet signatures at each protection level. The traffic that is currently blocked appears in bold type. The traffic that would be blocked at a different protection level appears in gray type. Any additional IPv4 protection groups are included in the “Others” line item. You can click a protection group’s name link to open the View Protection Group page. See “Viewing the AIF Traffic Statistics for a Protection Group” on page 292.
• Context menu icon: Appears when you hover your mouse pointer over the Hosts blocked text in the upper right of the section or over a protection group name. Click the icon, and then select Blocked Hosts to display the Blocked Hosts Log page for all of the IPv4 protection groups or for the specific IPv4 protection group. The blocked hosts log is filtered for the Botnet Prevention attack category. See “About the Blocked Hosts Log” on page 406.
• Total detected traffic: Displays the total rate of traffic that matches the botnet signatures at each protection level. This total includes the traffic that is blocked and the traffic that is not blocked.
• Total blocked traffic: Displays the total rate of traffic that is currently blocked by the botnet signatures at each protection level.
• AIF Configuration link: Allows you to display the Configure AIF Settings page. See “Configuring the ATLAS Intelligence Feed” on page 119.

Reference: See “Viewing the Traffic Summary” on page 310.
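The distinction this section draws between traffic that is blocked (bold) and traffic that would be blocked at a higher protection level (gray), and between the total detected and total blocked rates per level, is easier to reason about with a small model. The following added example is not Arbor code and does not reproduce the AIF signature set; it assumes three ordered protection levels (low, medium, high), that each botnet signature has a minimum level at which it is enforced and is also enforced at every higher level, and that a protection group with its own protection level uses that level in place of the global one. The group names, levels and traffic rates are constructed.

```python
"""Added example: how the ATLAS Botnet Prevention statistics split traffic between
'blocked' and 'would be blocked' per protection level (not Arbor code).

Assumptions: protection levels are ordered low < medium < high; each AIF botnet
signature has a minimum level at which it is enforced and is also enforced at
every higher level; a protection group with its own level uses that level,
otherwise the global level applies. The traffic records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ("low", "medium", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class BotnetMatch:
    """Inbound traffic for one group that matched a botnet signature."""
    group: str
    signature_level: str   # minimum protection level at which the signature is enforced
    bps: float


def effective_level(group: str, global_level: str, group_levels: Dict[str, str]) -> str:
    """A group's own protection level, if configured, otherwise the global level."""
    return group_levels.get(group, global_level)


def botnet_summary(matches: List[BotnetMatch], global_level: str,
                   group_levels: Optional[Dict[str, str]] = None):
    """Return (per_group, total_detected, total_blocked).

    per_group[g][level] = {"bps": rate, "blocked": bool}: blocked (bold in the UI) when the
    group's active level is at or above the signature level, otherwise 'would be blocked' (gray).
    total_detected[level] counts all matching traffic; total_blocked[level] only what is enforced.
    """
    group_levels = group_levels or {}
    per_group: Dict[str, Dict[str, dict]] = defaultdict(
        lambda: {lvl: {"bps": 0.0, "blocked": False} for lvl in LEVELS})
    detected = {lvl: 0.0 for lvl in LEVELS}
    blocked = {lvl: 0.0 for lvl in LEVELS}
    for m in matches:
        active = effective_level(m.group, global_level, group_levels)
        enforced = RANK[m.signature_level] <= RANK[active]
        cell = per_group[m.group][m.signature_level]
        cell["bps"] += m.bps
        cell["blocked"] = enforced
        detected[m.signature_level] += m.bps
        if enforced:
            blocked[m.signature_level] += m.bps
    return dict(per_group), detected, blocked


def top_groups(per_group: Dict[str, Dict[str, dict]], n: int = 5) -> Tuple[List[str], float]:
    """Top n groups by total matching traffic, plus the rate folded into the 'Others' line."""
    totals = {g: sum(c["bps"] for c in cells.values()) for g, cells in per_group.items()}
    ranked = sorted(totals, key=lambda g: (-totals[g], g))
    others = sum(totals[g] for g in ranked[n:])
    return ranked[:n], others


def build_demo():
    """Constructed data: global level medium, with the dns group raised to high."""
    matches = [
        BotnetMatch("web", "low", 10e6), BotnetMatch("web", "high", 4e6),
        BotnetMatch("dns", "high", 3e6), BotnetMatch("mail", "medium", 2e6),
        BotnetMatch("api", "low", 1e6), BotnetMatch("vpn", "low", 0.5e6),
        BotnetMatch("ftp", "medium", 0.2e6),
    ]
    return botnet_summary(matches, global_level="medium", group_levels={"dns": "high"})


if __name__ == "__main__":
    per_group, detected, blocked = build_demo()
    print(f"Groups with botnet traffic: {len(per_group)}")
    names, others = top_groups(per_group)
    for g in names:   # '*' marks traffic that is currently blocked (bold in the UI)
        cells = " ".join(
            f"{lvl}={per_group[g][lvl]['bps'] / 1e6:.1f}Mbps{'*' if per_group[g][lvl]['blocked'] else ''}"
            for lvl in LEVELS if per_group[g][lvl]["bps"])
        print(f"  {g:5} {cells}")
    print(f"  Others {others / 1e6:.1f} Mbps")
    print("Total detected (Mbps):", {lvl: v / 1e6 for lvl, v in detected.items()})
    print("Total blocked  (Mbps):", {lvl: v / 1e6 for lvl, v in blocked.items()})
```

In the constructed data the web group's 4 Mbps of high-level matches is detected but not blocked, because the global level is medium, while the dns group's 3 Mbps at the same signature level is blocked by its group-specific high level. That gap between total detected and total blocked at a level is exactly what the section offers as input to the decision of whether to raise the protection level during an attack.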
Viewing the ATLAS Threat Categories on the Summary Page

On the Summary page, the ATLAS Threat Categories section displays the five ATLAS threat categories that blocked the most inbound traffic and outbound traffic during the last hour. Use this information to examine the threats that are blocked from your network as a result of the ATLAS Intelligence Feed settings. For information about configuring the ATLAS threat categories, see “ATLAS Intelligence Feed Settings” on page 210.

Information in the ATLAS Threat Categories section

The ATLAS Threat Categories section contains the following information for each threat category:
• Inbound Blocked Threats graph: Represents the average rate of the inbound traffic that was blocked for the top five threat categories.
• Outbound Blocked Threats graph: For outbound traffic, represents the number of source hosts that were blocked per minute for the top five threat categories.
• Key: Shows the color that represents the specific threat category in the blocked threat graphs and allows you to filter the graph displays. You can click a threat category’s key to hide or show that category on the graph, so that you can focus on the traffic for specific categories.
• Category: Displays the name of the threat category that blocked the traffic.
• Context menu icon: Appears when you hover your mouse pointer over a threat category name. Click the icon to display the following options:
  - Blocked Hosts: Displays the Blocked Hosts Log page, filtered to display the hosts whose traffic was blocked by this threat category. If you select this option for an inbound threat category, the Blocked Hosts Log page is filtered for inbound traffic; for an outbound threat category, it is filtered for outbound traffic.
  - Learn more: Displays the description of the threat category that ATLAS provides.
  See “About the Blocked Hosts Log” on page 406.
• Bytes Blocked (Inbound Blocked Threats graph only): Shows the amount of inbound traffic that the threat category blocked.
• Source Hosts Blocked (Outbound Blocked Threats graph only): Shows the aggregate sum of the hosts that the threat category blocked for each minute of the last hour.

Viewing the Top Web Crawlers on the Summary Page

On the Summary page, the Web Crawlers section displays the five search engine web crawlers that sent the most traffic during the last hour. Use this information to determine which search engine web crawlers are crawling your site. Web crawler support is configured on the Configure Server Type page; see the Web Crawler Support buttons in “ATLAS Intelligence Feed Settings” on page 210. You can view web crawler traffic for a specific protection group on the View Protection Group page. See “Viewing the Top Web Crawlers for a Protection Group” on page 341.

Information in the Web Crawlers section

The Web Crawlers section contains the following information for each web crawler:
• Graph: Represents the search engine’s total traffic. You can hover your mouse pointer over the minigraph to view a larger version of the graph.
• Web Crawler: Displays the name of the search engine from which the traffic was sent. If support for a search engine is discontinued, some of its data might remain. In that case, “Unknown” appears in place of the search engine name.
• Total Traffic: Displays the search engine’s total amount of traffic for all of the protection groups. The traffic is displayed in bytes and packets.
• Traffic Rate: Displays the average rate of traffic from the search engine. The traffic rates are displayed in bits per second (bps) and packets per second (pps).
Viewing the Top Inbound Countries on the Summary Page

On the Summary page, the Top Inbound Countries section displays the five countries that sent the most traffic during the last hour. It also allows you to view the individual protection groups that are affected by each country’s traffic.

Information in this section

This section contains the following information for each source country:
• Details icon: Displays information about the protection groups that are affected by the selected country’s traffic. You can hide the detail display by clicking the icon.
• Flag icon: You can view the country name by hovering your mouse pointer over the flag icon.
  Note: In APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• Context menu icon: Appears when you hover your mouse pointer over a flag icon. Click the icon, and then select Packet Capture to display the Packet Capture page, with the country entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.
• Graph: Represents the country’s total passed traffic in green and its total blocked traffic in red.
• Passed / Blocked: Displays the amount of traffic from the country that was passed or blocked for all of the protection groups. The traffic rates are displayed in bits per second (bps) and packets per second (pps).
• Percent: Displays the percentage of the total traffic that the country’s traffic represents, shown as a figure and as a proportion bar. The bar for the top country is the full column width, and the remaining bars are in proportion to it.

About the Top Inbound Countries detail graph

The details section for a specific country contains a stacked graph of the total traffic flow from that country to all of the protection groups.
The traffic is measured in bits per second (bps) and is displayed in one-minute increments.

Detail information in this section

This section contains the following information for each protection group:
• Key: Shows the color of the protection group’s segment in the stacked graph.
• Protection Group: Displays the protection group’s name as a link that opens the View Protection Group page, where you can view additional information. See “Viewing the Traffic Activity for a Protection Group” on page 324.
• Passed / Blocked: Displays the amount of traffic from the selected country that was passed or blocked for the protection group. The traffic rates are displayed in bits per second (bps) and packets per second (pps).
• Blacklist button: Allows you to add the country to the inbound blacklist for the selected protection group or for all protection groups. See “About Blacklisting and Whitelisting Traffic” on page 258.
• Unblock button: Allows you to remove the country from the inbound blacklist. If the country was blacklisted globally, a confirmation window appears. If the country was blacklisted for a specific protection group, it is removed for that protection group without further confirmation.

Viewing the Top Inbound Sources on the Summary Page

On the Summary page, the Top Inbound Sources section displays the five external IP addresses that sent the most traffic during the last hour. During an attack, you can use the Top Inbound Sources information to help determine the source of the attack. You can also blacklist a source or remove it from the blacklist directly on the Summary page.
This section appears only if you enable the Top Sources and Destinations option on the Configure General Settings page.

Information in the Top Inbound Sources section

The Top Inbound Sources section contains the following information for each source:

Information in the Top Inbound Sources section on the Summary page
  Graph: Represents the source’s total traffic.
  Source: Displays the IP address for the source host.
    Note: For some IP addresses, APS displays additional information when you hover your mouse pointer over the address. If you hover over a truncated IPv6 address, you can view the entire address. If you hover over an IP address whose domain name has been resolved, you can view its fully qualified domain name. If you want to copy this information, click on the IP address, select the text, and then copy it in one of the standard ways.
    If APS can identify the host’s country, this column also includes a flag icon that represents the country. You can view the country name by hovering your mouse pointer over the flag icon.
    Note: In APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
  (context menu): Appears when you hover your mouse pointer over an address. Click the context menu icon to display the following options:
    • Blocked Hosts — Displays the Blocked Hosts Log page for the source address. See “About the Blocked Hosts Log” on page 406.
    • Packet Capture — Displays the Packet Capture page, with the address entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.
    • Blacklist or Unblock — Depending on the current status of the address, you can either add it to the blacklist or remove it from the blacklist for all protection groups. Unblocking a host removes it from the blacklist. See “About Blacklisting and Whitelisting Traffic” on page 258.
  Total Traffic: Displays the source’s total amount of traffic for all of the protection groups. The traffic is displayed in bytes and packets.
  Traffic Rate: Displays the average rate of traffic from the source. The traffic rates are displayed in bits per second (bps) and packets per second (pps).

Viewing the Top Inbound Destinations on the Summary Page

On the Summary page, the Top Inbound Destinations section displays the five internal IP addresses that received the most traffic during the last hour. During an attack, you can use the Top Inbound Destinations information to help determine which servers are affected.

This section appears only if the Top Sources and Destinations option on the Configure General Settings page is enabled.

Information in the Top Inbound Destinations section

The Top Inbound Destinations section contains the following information for each destination:

Information in the Top Inbound Destinations section on the Summary page
  Graph: Represents the total traffic to the destination IP address.
  Destination: Displays the IP address for which the traffic is destined.
    Note: For some IP addresses, APS displays additional information when you hover your mouse pointer over the address. If you hover over a truncated IPv6 address, you can view the entire address. If you hover over an IP address whose domain name has been resolved, you can view its fully qualified domain name. If you want to copy this information, click on the IP address, select the text, and then copy it in one of the standard ways.
  (context menu): Appears when you hover your mouse pointer over an address. Click the context menu icon to display the following options:
    • Blocked Hosts — Displays the Blocked Hosts Log page for the destination address. See “About the Blocked Hosts Log” on page 406.
    • Packet Capture — Displays the Packet Capture page, with the address entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.
  Total Traffic: Displays the total amount of traffic to the destination for all of the protection groups. The traffic is displayed in bytes and packets.
  Traffic Rate: Displays the average rate of traffic to the destination. The traffic rates are displayed in bits per second (bps) and packets per second (pps).

Viewing the Status of SSL Inspection

On the Summary page, the SSL Inspection section displays the status of the Hardware Security Module (HSM). It also displays the amount of SSL traffic that the HSM observed and decrypted during the last hour. Use the SSL Inspection information to determine whether the HSM is functioning correctly and whether you need to take action to fix issues. You can also use this information to determine how much traffic the HSM decrypts. For information about installing and initializing the HSM, see “Configuring the Hardware Security Module” on page 152.

Information in the SSL Inspection section

The appearance of the SSL Inspection section and the data that it represents depend on the following criteria:
  • If the HSM is not installed, the SSL Inspection section does not appear.
  • If the HSM is installed but not initialized or enabled, no traffic is decrypted. The SSL Inspection section displays the SSL traffic that APS observes independently of the HSM.
  • If the HSM is installed, initialized, and enabled, it observes and decrypts SSL traffic and displays the traffic information in the SSL Inspection section.

The SSL Inspection section contains the following information:

Information in the SSL Inspection section on the Summary page
  Traffic graph: Displays the following traffic:
    • Total SSL/TLS Traffic — The total amount of SSL traffic that APS observed.
    • Decrypted Traffic — The amount of SSL traffic that the HSM decrypted during the last hour.
    The traffic rates are displayed in bits per second (bps). Below the traffic graph, you can click the Total SSL/TLS Traffic or Decrypted Traffic legend entry to show and hide the different types of traffic.
  Disabled message: Indicates that the HSM is installed and initialized, but SSL inspection is not enabled in APS. Click the Configure SSL Inspection link to open the Configure General Settings page, where you can enable SSL inspection. See “Enable SSL Inspection check box” on page 105.

Viewing the Traffic Activity for a Protection Group

The View Protection Group page allows you to view information in real time about the traffic that is destined for the prefixes in a protection group. The traffic information that appears on this page is for incoming traffic. It does not include server response traffic. You also can view the Cloud Signaling status for a protection group on its View Protection Group page.

Use the information on this page to monitor how effectively APS mitigates attacks and to decide whether you need to take action to block the traffic. The View Protection Group page also allows you to blacklist certain hosts or remove them from the blacklist, which is also referred to as unblocking. See “About Blacklisting and Whitelisting Traffic” on page 258.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:
1. Navigate to the View Protection Group page in one of the following ways:
   • Select Summary and in the Top Protection Groups section, click the protection group’s name.
   • Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   • To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   • To select the unit of measure for displaying traffic, click Bytes or Packets.

About the View Protection Group page header

The area at the top of the View Protection Group page is the header. The header displays information about the protection group and allows you to make the following changes:
  • Edit the protection group. See “Editing and Deleting Protection Groups” on page 194.
  • View or edit the protection settings. See “Changing the Protection Settings for Server Types” on page 169.

Sections on the View Protection Group page

The sections that appear on the View Protection Group page depend on the protection group’s server type. For example, when you display this page for a Web Server protection group, only the sections that are relevant for web servers appear.

The View Protection Group page contains the following sections:

Sections on the View Protection Group page
  Group Cloud Signaling section: Allows you to monitor the status of the cloud mitigation for this protection group in real time. This section appears only if you have enabled and configured Cloud Signaling and your cloud service provider supports protection group-level mitigation.
    You also can disable threshold Cloud Signaling for this protection group by clearing the Use Automatic Threshold check box. See “About the Cloud Signaling Widget” on page 397.
    Note: APS does not support Cloud Signaling for IPv6 traffic.
  Time selector: Allows you to filter the information that appears on the View Protection Group page by a specific increment or by a time range. See “Changing the display timeframe” on page 93.
  Bytes and Packets buttons: Click Bytes or Packets to change the display unit of measure on the View Protection Group page.
  Protection Group Overview: Displays summary data about all of the protection group’s traffic during the selected timeframe. See “Viewing the Traffic Overview for a Protection Group” on page 327.
  Total Protection Group Traffic graph: Shows a stacked graph that represents the total passed traffic in green and the total blocked traffic in red. Below the graph, you can click the Passed or Blocked legend entry to show and hide the different types of traffic.
  Temporarily Blocked Sources: Displays the source hosts that are blocked temporarily by certain protection categories. See “Viewing Temporarily Blocked Sources” on page 335.
    Note: This traffic data is not available for IPv6 protection groups.
  Web Traffic by URL: Displays the 10 URLs that have the highest amounts of inbound traffic. See “Viewing the Top URLs for a Protection Group” on page 337.
    Note: This traffic data is not available for IPv6 protection groups.
  Web Traffic by Domain: Displays the 10 domains that have the highest amounts of inbound traffic. See “Viewing the Top Domains for a Protection Group” on page 339.
    Note: This traffic data is not available for IPv6 protection groups.
  Web Crawlers: Displays the five search engines that have the highest amounts of inbound traffic.
    See “Viewing the Top Web Crawlers for a Protection Group” on page 341.
    Note: This traffic data is not available for IPv6 protection groups.
  IP Location: Displays the 10 identifiable countries that send the most traffic. See “Viewing the Top IP Locations for a Protection Group” on page 343.
    Note: This traffic data is not available for IPv6 protection groups.
  Protocols: Displays the 10 protocols that have the highest amounts of inbound traffic. See “Viewing the Top Protocols for a Protection Group” on page 345.
  Services: Displays the 10 services that have the highest amounts of inbound traffic. See “Viewing the Top Services for a Protection Group” on page 347.

Viewing the Traffic Overview for a Protection Group

On the View Protection Group page, the Protection Group Overview section displays summary data about the protection group’s traffic during the selected timeframe. Use the information in this section to quickly view the protection group’s activity, assess its performance, and look for problems. For example, a significant increase or a large spike in the passed traffic might indicate an attack.

To view information in real time about the traffic that is destined to a protection group, see “Viewing the Traffic Activity for a Protection Group” on page 324.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:
1. Navigate to the View Protection Group page in one of the following ways:
   • Select Summary and in the Top Protection Groups section, click the protection group’s name.
   • Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   • To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   • To select the unit of measure for displaying traffic, click Bytes or Packets.

Information in the Protection Group Overview section

The Protection Group Overview section contains the following information:

Information in the Protection Group Overview section
  Total Traffic: Displays a minigraph that represents the total traffic, and displays the following values:
    • Total summarizes the total amount of traffic during the specified timeframe.
    • Rate summarizes the average rate of this traffic during the specified timeframe.
  Passed Traffic: Displays a minigraph that represents the passed traffic, and displays the following values:
    • Total summarizes the total amount of passed traffic during the specified timeframe.
    • Rate summarizes the average rate of the passed traffic during the specified timeframe.
  Blocked Traffic: Displays a minigraph that represents the blocked traffic, and displays the following values:
    • Total summarizes the total amount of blocked traffic during the specified timeframe.
    • Rate summarizes the average rate of the blocked traffic during the specified timeframe.
  Blocked Hosts: Displays a minigraph that represents the blocked hosts. The Average value indicates the average number of blocked hosts during the specified timeframe.
  Total Traffic graph: Shows the percentage of the total traffic that is passed in green and the percentage that is blocked in red.
Viewing the Attack Categories for a Protection Group or Outbound Threat Filter

The Attack Categories section displays the categories of protections that are responsible for blocking current traffic. This section appears on the following pages:
  • View Protection Group page, for inbound traffic — see “Viewing the Traffic Activity for a Protection Group” on page 324
  • Outbound Threat Filter page, for outbound traffic — see “Viewing the Outbound Threat Activity” on page 349

The data display for the attack categories refreshes approximately every 60 seconds.

Use this information to determine why traffic is blocked. For example, if blocked traffic is shown for the Invalid Packets category, you can display the details for that category to view the reasons why that traffic was considered to be invalid. For general information about the protection settings, see “About the Protection Settings Configuration” on page 201.

Viewing the Attack Categories section

To view the Attack Categories section:
1. Navigate to the appropriate page for the type of traffic that you want to view, as follows:
   Inbound: Navigate to the View Protection Group page in one of the following ways:
     • Select Summary and in the Top Protection Groups section, click the protection group’s name.
     • Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   Outbound: Select Protect > Outbound Protection > Outbound Threat Filter.
2. (Optional) Filter the information that appears on the page as follows:
   • To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   • To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Attack Categories section

The Attack Categories section contains the following information:

Information in the Attack Categories section
  Attack Categories graph: Displays a stacked graph of the traffic that was blocked by the settings in each of the protection categories. The graph displays the traffic in bytes per second or packets per second, depending on the unit of measure that is selected.
  Key: Shows the color that represents the specific source in the Attack Categories graph.
  Graph: Represents the traffic that the specific category blocks. You can hover your mouse pointer over the minigraph to view a larger version of the graph.
  Category: Displays the protection category that is blocking the traffic. The Outbound Threat Filter page can include the following protection categories only:
    • Invalid Packets
    • ATLAS Intelligence Feed
    • DNS Rate Limiting
    • Filter List
    • Malformed HTTP Filtering
    • Payload Regular Expression
    Several of the categories do not correspond to specific protection settings. See “About the non-configurable categories” on the facing page.
  (context menu): (For IPv4 protection groups only) Appears when you hover your mouse pointer over an attack category name. You can click the context menu icon, and then select Blocked Hosts to display the Blocked Hosts Log page for this protection group or the outbound threat filter and category. See “About the Blocked Hosts Log” on page 406.
  Bytes blocked, Packets blocked: Shows the amount of blocked traffic for the attack category in bytes and packets.
  bps blocked, pps blocked: Shows the rate of blocked traffic for the attack category in bits per second and packets per second.
  Details button: Allows you to view additional information about the blocked traffic. The information that is displayed varies for each attack category. Detailed information is not available for all of the attack categories. You can hide the details by clicking Details again.
About the non-configurable categories

The Attack Categories section might include the following categories. These attack categories are not configurable on the Configure Server Type page or Outbound Threat Filter page.

Non-configurable categories
  Blacklisted Hosts: The Blacklisted Hosts category represents the hosts that are blocked because they are on the blacklist. You can configure the blacklists on the Configure Inbound Blacklists page and Configure Outbound Blacklists page.
    Note: The Invalid Packets category takes precedence over blacklists. As a result, any traffic from blacklisted hosts that matches invalid packets is attributed to invalid packets in the Attack Categories graphs.
  HTTP Blocked Locations: The HTTP Blocked Locations category represents the following hosts and domains:
    • The domains that were blocked because they are on the inbound blacklist
    • The blocked hosts that appear in the Web Traffic By URL section on the View Protection Group page
    • The blocked domains that appear in the Web Traffic By Domain section on the View Protection Group page
    The HTTP Blocked Locations category does not include statistics for the hosts that appear in the Temporarily Blocked Sources section on the View Protection Group page.
  Invalid Packets: The Invalid Packets category blocks invalid TCP/IP packets. Click Details for this category to view the reasons that APS blocked the packets.
    Note: The Invalid Packets category takes precedence over the whitelist and blacklist. As a result, APS blocks invalid packets from whitelisted hosts. Also, any traffic from hosts on the blacklist or whitelist that matches invalid packets is attributed to invalid packets in the Attack Categories graphs.
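The precedence rules in the two notes above (Invalid Packets wins over both the blacklist and the whitelist, and a blacklist hit that is not an invalid packet is counted under Blacklisted Hosts) are easy to check with a small attribution model when you reconcile Attack Categories figures against your own capture data. The following Python is an added example, not APS code or an Arbor API. It assumes that a whitelisted host whose packet is well-formed is passed, that the packet's validity has already been decided by an earlier check, and it uses constructed documentation prefixes rather than real hosts.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

INVALID_PACKETS = "Invalid Packets"
BLACKLISTED_HOSTS = "Blacklisted Hosts"
PASSED = "Passed"


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address (IPv4 or IPv6 literal)
    length: int     # bytes on the wire
    valid: bool     # False when the packet fails the TCP/IP validity checks


def _matches(src, prefixes):
    """True when the source address falls inside any listed prefix.

    ipaddress returns False for a version mismatch (an IPv6 host checked
    against an IPv4 prefix), so mixed lists are safe to use here.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def attribute(packet, blacklist, whitelist):
    """Return the Attack Categories bucket a packet is counted under.

    Precedence follows the notes in the guide:
      1. Invalid packets are always blocked and attributed to Invalid
         Packets, even when the host is blacklisted or whitelisted.
      2. Otherwise a whitelisted host is passed (assumption of this example).
      3. Otherwise a blacklisted host is counted under Blacklisted Hosts.
    Everything else is passed; the other protection categories are not
    modelled in this example.
    """
    if not packet.valid:
        return INVALID_PACKETS
    if _matches(packet.src, whitelist):
        return PASSED
    if _matches(packet.src, blacklist):
        return BLACKLISTED_HOSTS
    return PASSED


def attack_categories(packets, blacklist, whitelist):
    """Aggregate bytes and packets per category, as the graph's rows do."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for pkt in packets:
        bucket = totals[attribute(pkt, blacklist, whitelist)]
        bucket["bytes"] += pkt.length
        bucket["packets"] += 1
    return dict(totals)


# Constructed sample lists and traffic (documentation prefixes, not real hosts).
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
WHITELIST = [ipaddress.ip_network("198.51.100.7/32")]
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 100, valid=True),    # blacklisted host, well-formed
    Packet("203.0.113.5", 60, valid=False),    # blacklisted host, invalid packet
    Packet("198.51.100.7", 1500, valid=True),  # whitelisted host, well-formed
    Packet("198.51.100.7", 40, valid=False),   # whitelisted host, invalid packet
    Packet("192.0.2.10", 500, valid=True),     # unlisted host
    Packet("2001:db8::1", 80, valid=True),     # IPv6 host; no IPv4 prefix matches
]


if __name__ == "__main__":
    for category, counts in attack_categories(SAMPLE_PACKETS, BLACKLIST, WHITELIST).items():
        print(f"{category:18} {counts['bytes']:6d} bytes {counts['packets']:3d} packets")
```

With the sample above, the two invalid packets land under Invalid Packets (100 bytes, 2 packets) regardless of which list their source is on, only the well-formed blacklisted packet is counted under Blacklisted Hosts, and the whitelisted host's well-formed traffic is passed. That is the same split you should expect when comparing a Blocked Hosts Log export against the Attack Categories graph.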
Detailed information in the Attack Categories section

Detailed information about blocked traffic is available for the following protection categories. Only the protection categories that apply to outbound traffic appear on the Outbound Threat Filter page. See “Configuring the Outbound Threat Filter” on page 205.

Detailed information in the Attack Categories section
  ATLAS Threat Categories: Lists the ATLAS threat categories that blocked traffic, and shows the amount of traffic that was blocked by each category. A traffic minigraph is displayed for each category. On the Outbound Threat Filter page, the ATLAS Threat Categories: Source Hosts Blocked section shows additional details about the ATLAS threat categories. (This section appears below the Attack Categories section.) It lists the five ATLAS threat categories that blocked the most outbound traffic during the selected timeframe.
  Application Misbehavior: Shows the average number of hosts that were blocked.
  Block Malformed SIP Traffic: Shows statistics about the hosts that were blocked, including the total number of hosts that were blocked. See “About the total hosts blocked” on page 334.
  Botnet Prevention: Displays blocking information for the following subcategories:
    • Basic Botnet Prevention: These details show a graph and summary statistics of the botnet traffic that would have been blocked under a higher protection level. They also show the average number of hosts that were blocked and the number of requests that were examined.
    • AIF Botnet Signatures: These details show the botnet traffic that was blocked or that would be blocked by the AIF signatures that are associated with each protection level. For example, if the active global protection level is medium, the blocking details for the medium protection level and low protection level represent traffic that was blocked. The blocking details for the high protection level represent traffic that would be blocked if you change to the high protection level.
    • Slow Request Attacks: These details show the average number of hosts that were blocked and the number of requests that were examined.
  DNS Authentication: Shows the number of hosts that were tested and the number of hosts that were validated.
  DNS NXDomain Rate Limiting: Shows the average number of hosts and the total number of hosts that were blocked. See “About the total hosts blocked” on page 334.
  DNS Rate Limiting: Shows statistics about the hosts that were blocked, including the total number of hosts that were blocked. See “About the total hosts blocked” on the next page.
  Fragment Detection: Shows the average number of hosts that were blocked.
  HTTP Header Regular Expressions: Shows the average number of hosts that were blocked.
  HTTP Rate Limiting: Shows statistics about the hosts that were blocked and whether they were blocked for exceeding the request limit or the URL limit. This section also shows the total number of hosts that were blocked. See “About the total hosts blocked” on the next page.
  ICMP Flood Detection: Shows the average number of hosts that were blocked.
  Invalid Packets: Lists the reasons why traffic was considered to be invalid and shows the amount of traffic that was blocked for each reason. A traffic minigraph is displayed for each reason, and a stacked graph summarizes the blocked traffic with one row for each reason.
  Malformed HTTP Filtering: Shows the average number of hosts that were blocked and the number of requests that were examined.
  Rate-based Blocking: Shows the average number of hosts that were blocked.
  SIP Request Limiting: Shows the average number of hosts and the total number of hosts that were blocked.
    See “About the total hosts blocked” on the next page.
  Spoofed SYN Flood Prevention: Shows statistics about the number of hosts that were allowed to form connections, the total number of connections, and the total number of HTTP requests on those connections.
  TCP Connection Limiting: Lists the top 10 hosts whose concurrent TCP connections exceeded the rate limit, and shows the amount of traffic that was blocked for each host. Connection statistics are displayed for each host.
    Important: This section includes traffic for all of the categories that affect each host, not just the TCP Connection Limiting category.
  TCP Connection Reset: Shows statistics for the connections and hosts that were blocked, including the total number of hosts that were blocked. See “About the total hosts blocked” on the next page.
  TCP SYN Flood Detection: Shows the average number of hosts that were blocked.
  TLS Attack Prevention: Lists the reasons why the SSL or TLS traffic was considered to be invalid and shows statistics about the traffic that was blocked for each reason. You can click Details next to each reason to view the average number of hosts that were blocked for that reason.
  Traffic Shaping: Shows statistics about the traffic that exceeded the configured thresholds and the traffic that was passed.
  UDP Flood Detection: Shows the average number of hosts that were blocked.

About the total hosts blocked

The detail information for several of the protection categories shows the total hosts blocked. This number represents the total number of times that any and all hosts were blocked, and might contain hosts that were blocked multiple times. For example, if one host is blocked 15 times, then the total is 15.
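The distinction the note draws (a total that counts every block event, so one host blocked 15 times contributes 15, against an average number of hosts blocked) matters when you compare these details with your own export of blocked-host events. The following Python is an added example and not APS code; it aggregates a constructed list of block events and also ranks sources the way the Temporarily Blocked Sources section of the View Protection Group page does (top N rows, remaining sources folded into an Other row, percentage of all blocked traffic, a proportion bar relative to the top source, and the set of categories per host). Two definitions are assumptions of this example rather than statements from the guide: "average hosts blocked" is taken as the mean over the timeframe of the distinct hosts blocked in each minute, and "time blocked" is approximated by the number of minutes in which a host had a block event.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockEvent:
    minute: int         # minute offset within the selected timeframe
    host: str           # source host that was blocked
    category: str       # protection category that blocked it
    blocked_bytes: int  # traffic dropped in that minute


def total_hosts_blocked(events):
    """The guide's 'total hosts blocked': one count per block event,
    so repeated blocks of the same host are counted every time."""
    return len(events)


def average_hosts_blocked(events, timeframe_minutes):
    """Assumed definition: distinct hosts blocked per minute, averaged over
    the whole timeframe (minutes with no blocks count as zero)."""
    hosts_by_minute = defaultdict(set)
    for ev in events:
        hosts_by_minute[ev.minute].add(ev.host)
    return sum(len(h) for h in hosts_by_minute.values()) / timeframe_minutes


def top_blocked_sources(events, n=10):
    """Rank sources by blocked bytes as the Temporarily Blocked Sources table
    does: top n rows, the rest folded into 'Other', percent of all blocked
    traffic, and a bar proportional to the top source (1.0 = full width)."""
    bytes_by_host = Counter()
    categories = defaultdict(set)
    minutes = defaultdict(set)
    for ev in events:
        bytes_by_host[ev.host] += ev.blocked_bytes
        categories[ev.host].add(ev.category)
        minutes[ev.host].add(ev.minute)
    total = sum(bytes_by_host.values())
    if total == 0:
        return []
    ranked = bytes_by_host.most_common()
    top_bytes = ranked[0][1]
    rows = []
    for host, nbytes in ranked[:n]:
        rows.append({
            "host": host,
            "bytes": nbytes,
            "percent": round(100.0 * nbytes / total, 1),
            "bar": nbytes / top_bytes,
            "time_blocked_min": len(minutes[host]),  # assumed approximation
            "categories": sorted(categories[host]),
        })
    other = sum(nbytes for _, nbytes in ranked[n:])
    if other:
        rows.append({"host": "Other", "bytes": other,
                     "percent": round(100.0 * other / total, 1),
                     "bar": other / top_bytes,
                     "time_blocked_min": None, "categories": []})
    return rows


# Constructed sample: six minutes of block events (documentation prefixes).
TIMEFRAME_MINUTES = 6
SAMPLE_EVENTS = [
    BlockEvent(0, "203.0.113.5", "ICMP Flood Detection", 4000),
    BlockEvent(0, "198.51.100.9", "TCP SYN Flood Detection", 2500),
    BlockEvent(1, "203.0.113.5", "ICMP Flood Detection", 4000),
    BlockEvent(1, "203.0.113.5", "UDP Flood Detection", 1000),
    BlockEvent(2, "192.0.2.77", "HTTP Rate Limiting", 500),
    BlockEvent(3, "203.0.113.5", "ICMP Flood Detection", 3000),
    BlockEvent(4, "198.51.100.9", "TCP SYN Flood Detection", 1500),
    BlockEvent(5, "203.0.113.5", "ICMP Flood Detection", 1000),
]


if __name__ == "__main__":
    print("total hosts blocked:", total_hosts_blocked(SAMPLE_EVENTS))
    print("average hosts blocked:",
          round(average_hosts_blocked(SAMPLE_EVENTS, TIMEFRAME_MINUTES), 2))
    for row in top_blocked_sources(SAMPLE_EVENTS, n=2):
        print(row)
```

On the sample, the total is 8 although only three distinct hosts were ever blocked, because 203.0.113.5 was blocked five times; the per-minute average is 7/6. A host that keeps reappearing with a large share of blocked bytes, as 203.0.113.5 does here under two categories, is the case the guide suggests reviewing for a permanent blacklist entry.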
Viewing Temporarily Blocked Sources

When APS encounters certain types of malicious inbound traffic, it blocks the source host temporarily but does not add the source to the blacklist. The Temporarily Blocked Sources section of the View Protection Group page displays the source hosts that are blocked temporarily.

About the Temporarily Blocked Sources section

View this section to learn which sources have sent malicious traffic and what kind of malicious traffic they sent. If a source appears in this list frequently, you might decide to add that source to the blacklist. See “Creating and Editing the Inbound Blacklist” on page 267. Conversely, if this list contains a source host that you know is safe, you can use the Whitelist button to add that source to the whitelist. Traffic sources that are blacklisted do not appear in the Temporarily Blocked Sources section. See “About Blacklisting and Whitelisting Traffic” on page 258.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:
1. Navigate to the View Protection Group page in one of the following ways:
   • Select Summary and in the Top Protection Groups section, click the protection group’s name.
   • Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   • To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   • To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Temporarily Blocked Sources section

The Temporarily Blocked Sources section contains the following information:

Information in the Temporarily Blocked Sources section
  Top Temporarily Blocked Sources graph: Displays a stacked graph of the traffic flow from the top 10 temporarily blocked sources. The traffic is displayed in bytes per second or packets per second, depending on the unit of measure that is selected in the page header.
  Key: Shows the color that represents the specific source in the Top Temporarily Blocked Sources graph.
  Graph: Represents the blocked traffic for the specific source. You can hover your mouse pointer over the minigraph to view a larger version of the graph.
  Host: Displays the IP address for the source host that is temporarily blocked. If "Other" appears in this list, it represents the totals for all of the other blocked sources that are not listed here.
    Note: For some IP addresses, APS displays additional information when you hover your mouse pointer over the address. If you hover over a truncated IPv6 address, you can view the entire address. If you hover over an IP address whose domain name has been resolved, you can view its fully qualified domain name. If you want to copy this information, click on the IP address, select the text, and then copy it in one of the standard ways.
  Bytes, bps / Packets, pps: Shows the amount of blocked traffic for the source. The traffic is displayed in bytes or packets, depending on the unit of measure that is selected in the page header.
  Percent: Displays the percentage of the total blocked traffic that the source's blocked traffic represents, shown as a figure and as a proportion bar.
    The bar for the top blocked source is the full column width and the remaining bars are in proportion to it.
  Time Blocked: Displays the length of time that the source has been blocked.
  Categories: Displays the category of protection settings that detected and blocked the traffic from this source. If multiple protection categories are associated with the blocked host, this column displays the number of categories. You can display a list of those categories by hovering your mouse pointer over the displayed number. Use this information to determine why the traffic was blocked. For example, if this column displays ICMP Flood Detection, it means that the source sent more than a reasonable amount of ICMP traffic.
  Whitelist button: Allows you to remove the source from the Temporarily Blocked Sources list and add the source to the whitelist for this protection group or for all protection groups. If the Whitelist button does not appear, and you are an administrative user, it means that the source is already on the whitelist. See “About Blacklisting and Whitelisting Traffic” on page 258.

Viewing the Top URLs for a Protection Group

The Web Traffic By URL section of the View Protection Group page displays up to 10 of the top destination URLs for an IPv4 protection group. The top URLs are those with the most HTTP requests during the selected timeframe. The data display for the top URLs refreshes approximately every five minutes. The slower update rate is due to the way each APS collects and averages the URL data.

Use this information to identify problems or determine the target of an attack. For example, a URL whose traffic is significantly higher than normal might be under attack. Also, a URL that has a high percentage of the total HTTP traffic is often an attack target.

Note: This traffic data is not available for IPv6 protection groups.
Disabling the HTTP Reporting settings

You can disable the display of this information for specific protection groups. By disabling the display of this information, you can improve the performance of APS. See “HTTP Reporting Settings” on page 227.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:

1. Navigate to the View Protection Group page in one of the following ways:
   - Select Summary and in the Top Protection Groups section, click the protection group’s name.
   - Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   - To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   - To select the unit of measure for displaying traffic, click Bytes or Packets.

Information in the Web Traffic By URL section

The Web Traffic By URL section contains the following information:

Web Traffic By URL graph
    Displays a stacked graph of the traffic for the top URLs in requests per minute.

Key
    Shows the color that represents the specific URL in the Top URLs graph.

Graph
    Represents the number of requests per minute that are sent to the URL. You can hover your mouse pointer over a minigraph to view a larger version of the graph.

URL
    Displays the URL for which the traffic is destined. If “Other” appears in this list, it represents the aggregated traffic data for the URLs that are not listed here.
    Note: If a URL is truncated because it does not fit in the column, you can view the entire URL by hovering your mouse pointer over it. If you copy a truncated URL, the entire URL is copied.

Requests
    Displays the number of requests that are sent to the URL.

Percent
    Displays the percentage of the total HTTP traffic that the traffic for that URL represents, shown as a figure and as a proportion bar. The bar for the top URL is the full column width and the remaining bars are in proportion to it.

Request bps
    Shows the average rate of the requests that are sent to the URL.

Blacklist button
    Allows you to add the URL to the inbound blacklist for this protection group or for all IPv4 protection groups. When you blacklist a URL, APS blocks all of the IPv4 traffic from the clients that access the blacklisted URL. See “About Blacklisting and Whitelisting Traffic” on page 258.

Unblock button
    Allows you to remove the URL from the inbound blacklist. This button appears only when a URL has been blacklisted.

Viewing the Top Domains for a Protection Group

The Web Traffic By Domain section on the View Protection Group page displays up to 10 of the top destination domains for an IPv4 protection group. The top domains have the most HTTP requests during the selected timeframe.

Use this information to identify problems or determine the target of an attack. For example, a domain whose traffic is significantly higher than normal might be under attack. Also, a domain that has a high percentage of the total HTTP traffic is often an attack target.

The data display for the top domains refreshes approximately every five minutes. The slower update rate is due to the way each APS collects and averages the domain data.

Note: This traffic data is not available for IPv6 protection groups.
Disabling the HTTP Reporting settings

You can disable the display of this information for specific protection groups. By disabling the display of this information, you can improve the performance of APS. See “HTTP Reporting Settings” on page 227.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:

1. Navigate to the View Protection Group page in one of the following ways:
   - Select Summary and in the Top Protection Groups section, click the protection group’s name.
   - Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   - To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   - To select the unit of measure for displaying traffic, click Bytes or Packets.

Information in the Web Traffic By Domain section

The Web Traffic By Domain section contains the following information:

Web Traffic By Domain graph
    Displays a stacked graph of the traffic for the top domains in requests per minute.

Key
    Shows the color that represents the specific domain in the Web Traffic by Domain graph.

Graph
    Represents the number of requests per minute that are sent to the domain. You can hover your mouse pointer over a minigraph to view a larger version of the graph.

Domain Name
    Displays the domain for which the traffic is destined. If “Other” appears in this list, it represents the aggregated traffic data for the domains that are not listed here.

Requests
    Shows the number of requests that are sent to the domain.

Percent
    Displays the percentage of the total HTTP traffic that the domain’s traffic represents, shown as a figure and as a proportion bar. The bar for the top domain is the full column width and the remaining bars are in proportion to it.

Request bps
    Shows the average rate of the requests that are sent to the domain.

Blacklist button
    Allows you to add the domain to the inbound blacklist for this protection group or for all IPv4 protection groups. When you blacklist a domain, APS blocks all of the IPv4 traffic from the clients that access the blacklisted domain. See “About Blacklisting and Whitelisting Traffic” on page 258.

Unblock button
    Allows you to remove the domain from the inbound blacklist. This button appears only when a domain has been blacklisted.

Viewing the Top Web Crawlers for a Protection Group

The Web Crawlers section of the View Protection Group page displays the five search engines that have the highest amounts of traffic for an IPv4 protection group. Use this information to determine which search engine web crawlers are crawling your site.

The web crawler support is configured on the Configure Server Type page. See the Web Crawler Support buttons in the “ATLAS Intelligence Feed Settings” on page 210.

You can view web crawler traffic for all protection groups on the Summary page. See “Viewing the Top Web Crawlers on the Summary Page” on page 317.

The data display for the top web crawlers refreshes approximately every 60 seconds.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:

1. Navigate to the View Protection Group page in one of the following ways:
   - Select Summary and in the Top Protection Groups section, click the protection group’s name.
   - Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   - To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   - To select the unit of measure for displaying traffic, click Bytes or Packets.

Information in the Web Crawlers section

The Web Crawlers section contains the following information:

Top Web Crawlers graph
    Displays a stacked graph of the total traffic for all of the top web crawlers. The traffic is displayed in bytes per second or packets per second, depending on the unit of measure that is selected in the page header.

Key
    Shows the color that represents the specific web crawler in the Web Crawlers graph.

Graph
    Represents all of the web crawler’s traffic. You can hover your mouse pointer over the minigraph to view a larger version of the graph.

Web Crawler
    Displays the name of the search engine from which the traffic was sent. You can hover your mouse pointer over the name to view a description of the web crawler. If support for a search engine is discontinued, some of its data might remain. In that case, “Unknown” appears in place of the search engine name.

Total Traffic
    Shows the average rate of total traffic from the web crawler in bytes per second or packets per second.

Passed Traffic
    Shows the average rate of passed traffic from the web crawler in bytes per second or packets per second.

Reference

See the following topics:
- “Viewing the Traffic Activity for a Protection Group” on page 324
- “About Web Crawler Support” on page 288

Viewing the Top IP Locations for a Protection Group

The IP Location section of the View Protection Group page displays up to 10 countries that send the most traffic to an IPv4 protection group. If a source country cannot be identified, then the data for that IP address is added to the Unknown category in this section.

Use this section to identify problems or to determine the source of an attack. For example, traffic that is significantly higher than normal or a spike in the passed traffic might indicate an attack.

The data display for the top IP locations refreshes approximately every 60 seconds.

Note: This traffic data is not available for IPv6 protection groups.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:

1. Navigate to the View Protection Group page in one of the following ways:
   - Select Summary and in the Top Protection Groups section, click the protection group’s name.
   - Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   - To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   - To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the IP Location section

The IP Location section contains the following information:

IP Location graph
    Displays a stacked graph of the total traffic from the top countries. The graph displays the traffic in bytes per second or packets per second, depending on the unit of measure that is selected.

Key
    Shows the color that represents the country in the Top Countries graph.

Country
    Displays the name of the country from which the traffic was sent. The ATLAS Intelligence Feed (AIF) supplies the information that identifies the country. See “About the ATLAS Intelligence Feed” on page 280. If “Unknown” appears in this list, it represents the total data for which APS cannot identify a source country.

(context menu)
    Appears when you hover your mouse pointer over a country name. Click the context menu, and then select Packet Capture to display the Packet Capture page, with the country entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “About Capturing Packets” on page 417.

Graph
    Represents the country’s passed traffic (green) and blocked traffic (red). You can hover your mouse pointer over the minigraph to view a larger version of the graph.

Passed Traffic / Blocked Traffic
    Shows the average rate of the passed and blocked traffic for the country.

Percent Bytes
    Displays the percentage of the total blocked traffic that the country’s traffic represents, shown as a figure and as a proportion bar. The bar for the top country is the full column width and the remaining bars are in proportion to it.

Blacklist button
    Allows you to add the country to the inbound blacklist for this protection group or for all protection groups. See “About Blacklisting and Whitelisting Traffic” on page 258.

Unblock button
    Allows you to remove the country from the inbound blacklist. This button appears only when a country has been blacklisted.

Viewing the Top Protocols for a Protection Group

The Protocols section on the View Protection Group page displays up to 10 protocols that have the highest amounts of inbound traffic. This information is provided primarily for reference. However, any traffic on your network that is unexpected could represent an attack. For example, if you expect only TCP traffic, but traffic is displayed for the UDP protocol, you should investigate this traffic.

The data display for the top protocols refreshes approximately every 60 seconds.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:

1. Navigate to the View Protection Group page in one of the following ways:
   - Select Summary and in the Top Protection Groups section, click the protection group’s name.
   - Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   - To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   - To select the unit of measure for displaying traffic, click Bytes or Packets.

Information in the Protocols section

The Protocols section contains the following information:

Protocols graph
    Displays a stacked graph of the total traffic for the top protocols. The graph displays the traffic in bytes per second or packets per second, depending on the unit of measure that is selected.
Key
    Shows the color that represents the specific protocol in the Protocols graph.

Graph
    Represents the total traffic for a specific protocol. You can hover your mouse pointer over a minigraph to view a larger version of the graph.

Protocol
    Displays the destination port number of the specific protocol and the name of the protocol, if it is known. If “Other” appears in this list, it represents the totals for all of the other protocols that are not listed here.

Bytes / Packets
    Shows the amount of traffic for the specific protocol in bytes and packets.

bps / pps
    Shows the rate of traffic for the specific protocol in bits per second and packets per second.

Viewing the Top Services for a Protection Group

The Services section on the View Protection Group page displays up to 10 services that have the highest amounts of inbound traffic. The data display for the top services refreshes approximately every 60 seconds.

This information is provided primarily for reference. However, any traffic on your network that is unexpected could represent an attack. For example, if you expect only web traffic, but traffic is displayed for SMTP, you should investigate the traffic further.

About service data for ephemeral ports

APS stores service data for individual ephemeral ports for one week, after which it combines and stores the data in groups of 200 ephemeral ports. An ephemeral port is a temporary port, numbered 1024 or greater, that the TCP/IP stack allocates when a client does not specifically request a port number. When the communication session terminates, the ephemeral port is available for reuse.
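As an added example (not code from this guide or from Arbor Networks), the following Python models how the Services section labels ephemeral-port services: individual ports while the per-port data is within its one-week retention, 200-port ranges beyond that, and always ranges in the Services graph. The alignment of the 200-port groups to multiples of 200, and the clamping of the first group to 1024 and the last to 65535, are assumptions inferred from the guide's UDP/5000 to UDP/5000-5199 example; the record tuples and byte counts are constructed sample data.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import timedelta

EPHEMERAL_MIN = 1024                    # lowest port the guide calls ephemeral
MAX_PORT = 65535
GROUP_SIZE = 200                        # APS combines ephemeral-port data in groups of 200
PER_PORT_RETENTION = timedelta(days=7)  # per-port service data is kept for one week

ONE_HOUR = timedelta(hours=1)
TWO_WEEKS = timedelta(days=14)


def is_ephemeral(port: int) -> bool:
    return EPHEMERAL_MIN <= port <= MAX_PORT


def ephemeral_range(port: int) -> tuple[int, int]:
    """Bounds of the 200-port group that contains `port`.

    Assumption: groups are aligned to multiples of 200 (the guide's example maps
    port 5000 to 5000-5199). The first group is clamped to start at 1024 and the
    last to end at 65535; the guide does not spell out those two edge cases.
    """
    base = (port // GROUP_SIZE) * GROUP_SIZE
    start = max(base, EPHEMERAL_MIN)
    end = min(base + GROUP_SIZE - 1, MAX_PORT)
    return start, end


def service_label(proto: str, port: int, timeframe: timedelta,
                  in_graph: bool = False) -> str:
    """Label shown for a service in the Services table (or graph, if in_graph)."""
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"invalid port {port}")
    proto = proto.upper()
    # Ranges are used once the per-port data has aged out (display timeframe
    # longer than one week) and always in the Services graph.
    if is_ephemeral(port) and (in_graph or timeframe > PER_PORT_RETENTION):
        start, end = ephemeral_range(port)
        return f"{proto}/{start}-{end}"
    return f"{proto}/{port}"


def rollup(records, timeframe: timedelta, in_graph: bool = False) -> dict[str, int]:
    """Sum byte counts per display label, the way the Services rows group traffic."""
    totals: dict[str, int] = defaultdict(int)
    for proto, port, nbytes in records:
        totals[service_label(proto, port, timeframe, in_graph)] += nbytes
    return dict(totals)


# Constructed sample: the same traffic viewed over one hour and over two weeks.
CONSTRUCTED_RECORDS = [
    ("udp", 5000, 900_000),
    ("udp", 5150, 100_000),
    ("tcp", 443, 50_000),
]

if __name__ == "__main__":
    print("1 hour view: ", rollup(CONSTRUCTED_RECORDS, ONE_HOUR))
    print("2 week view: ", rollup(CONSTRUCTED_RECORDS, TWO_WEEKS))
```

Over the one-hour view the two UDP ports stay separate rows; over the two-week view they collapse into the single UDP/5000-5199 row, so a port-specific spike seen last week is no longer attributable to one port.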
When the display timeframe on the View Protection Group page is more than one week, the service data for ephemeral ports is displayed by port range. For example, when the UDP service on port 5000 has a high amount of traffic and the display timeframe is one hour, that traffic appears as UDP/5000. When the display timeframe is two weeks, that traffic is included in the entry for UDP/5000-5199. In the Services graph, the data for ephemeral ports is always displayed by port range, regardless of the display timeframe.

Navigating to the View Protection Group page

To navigate to the View Protection Group page:

1. Navigate to the View Protection Group page in one of the following ways:
   - Select Summary and in the Top Protection Groups section, click the protection group’s name.
   - Select Protect > Inbound Protection > Protection Groups and on the List Protection Groups page, click the protection group’s name or minigraph.
   You also can access the View Protection Group page by clicking the links that appear on some of the pages in the UI.
2. (Optional) Filter the information that appears on the page as follows:
   - To change the timeframe for which the data is displayed, click one of the time increments or click From and select a time range.
   - To select the unit of measure for displaying traffic, click Bytes or Packets.

Information in the Services section

The Services section contains the following information:

Services graph
    Displays a stacked graph of the total traffic for the top services. The graph displays the traffic in bytes per second or packets per second, depending on the unit of measure that is selected. The keys below the graph show the colors that represent the specific services in the graph. You can click a service’s key to hide or show that service on the graph.
Graph
    Represents the total traffic for a specific service. If the service is on an ephemeral port, the data is always displayed by port range. See “About service data for ephemeral ports” on the previous page. You can hover your mouse pointer over a minigraph to view a larger version of the graph.

Service
    Displays the name of the protocol and the port or the range of ports. APS Console also displays the name of the service in parentheses, if known. If “Other” appears in this list, it represents the totals for all of the other services that are not listed here.

(context menu)
    Appears when you hover your mouse pointer over a name in the Service column. You can select the Packet Capture option on this menu to capture packets for the protection group and the service. When you select Packet Capture, it opens the Packet Capture page, with the protection group and the service selected as filter criteria. You can start the packet capture or you can specify additional filter criteria. See “Capturing Packet Information” on page 418.

bps / pps
    Shows the rate of traffic for the specific service in bits per second and packets per second.

Viewing the Outbound Threat Activity

The Outbound Threat Filter page allows you to view detailed information in real time about the outbound traffic from within your network. Use this information to monitor how effectively APS is preventing outbound threats and to help you decide whether to take action to block the traffic.

The Outbound Threat Filter page also allows you to configure the protection settings for the outbound threat filter. See “Configuring the Outbound Threat Filter” on page 205.

Viewing the Outbound Threat Filter page

To view the Outbound Threat Filter page:

1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. To change the display timeframe on the Outbound Threat Filter page, complete one of the following steps:
   - To select a specific time increment, select an option from the Time list.
   - To select a time range, click From, select the starting date and time in the From box, and select the ending date and time in the To box. Click Update.
3. To change the display unit of measure, at the right of the page, click Bytes or Packets.

Information on the Outbound Threat Filter page

The Outbound Threat Filter page contains the following information:

(configure)
    Allows you to change the outbound threat filter’s configuration. See “Configuring the Outbound Threat Filter” on page 205.

Protection Mode
    Displays whether the outbound threat filter’s protection mode is active or inactive. See “Setting the Protection Mode (Active or Inactive)” on page 66.

Protection Level
    Indicates the outbound threat filter’s protection level (global, Low, Medium, or High). See “About the Protection Levels” on page 185.

Time selector
    Allows you to filter the information that appears on the Outbound Threat Filter page. See “Changing the display timeframe” on page 93.

Bytes and Packets buttons
    Click Bytes or Packets to change the display unit of measure.

Total Outbound Traffic Blocked section
    Displays summary data about all of the outbound traffic that APS blocked during the selected timeframe. The blocked traffic information is displayed in both bytes and packets, regardless of the display unit of measure that is selected for the page.

Attack Categories section
    Displays the categories of protections that are responsible for blocking current outbound traffic.

ATLAS Threat Categories: Source Hosts Blocked section
    This section shows additional details about the ATLAS threat categories that appear in the Attack Categories section. It lists the five ATLAS threat categories that blocked the most outbound traffic during the selected timeframe.

Chapter 16: Mitigating Attacks

APS blocks attacks automatically based on the protection settings that define malicious traffic. However, certain attacks may require that you take action to block them. This section describes how to respond to attacks that are not blocked automatically.

In this section

This section contains the following topics:
- About Attack Mitigation, page 352
- Indicators of Attacks and Mitigations, page 355
- Mitigating an Attack by Raising the Protection Level, page 359
- Changing the Protection Level, page 361
- Identifying and Blocking an Attack, page 363

About Attack Mitigation

The focus of APS is on the automatic detection and mitigation of attacks. When APS is in active mode, it continually blocks any malicious traffic that it detects. However, additional solutions are available to help you to monitor the system and block the attacks that are not mitigated automatically.

When to actively mitigate an attack

You might need to take steps to block an attack under the following conditions:
- The protection settings and thresholds for the active protection level do not block the attack. For example, if the ICMP Flood Detection settings are disabled for the low protection level, then APS does not detect ICMP floods at that protection level.
- The threshold for automatic Cloud Signaling is disabled or no threshold is configured.
- APS cannot mitigate the attack for reasons beyond its control. For example, if an attack overloads routers that are deployed upstream of APS, then APS cannot detect or mitigate that attack.
About attack mitigation from APS Console

When you use APS Console to manage APS devices, you should perform any mitigation tasks in APS Console.

Caution: Because the configurations from APS Console can overwrite the ones on APS, any local changes that you make on APS might be lost.

Generally, you should not make local changes on a managed APS, although you might occasionally need to do so. For example, you might lose the connection between APS Console and an APS during a high-volume DDoS attack. In that case, you can make local changes on the APS to mitigate the attack.

Options for mitigating inbound attacks

The following list describes your options for blocking an attack that is not mitigated automatically. The options that you use depend on the type of attack, your knowledge of network security, and your organization's policies.

Follow your organization’s standard procedures.
    If your organization has an attack policy, or playbook, follow the procedures that are provided there. If your organization does not have an attack playbook, then continue with the following steps.

Use Cloud Signaling.
    If you have deployed Cloud Signaling, your organization's policy or its agreement with your cloud service provider might determine how and when the Cloud Signaling is activated. In most cases, APS activates Cloud Signaling based on configured traffic thresholds. In other cases, your cloud service provider might start a mitigation without receiving a request. However, you might need to activate the Cloud Signaling manually. For example, an attack that is beyond the capabilities of APS might not meet the thresholds that trigger the Cloud Signaling request. See “About Cloud Signaling for DDoS Protection” on page 368 and “Manually Requesting and Stopping a Global Cloud Mitigation” on page 390.

Raise the protection level.
    You can try to mitigate an attack by raising the global protection level or the protection group protection level. Use this option when you have little time or knowledge of network security and you need to stop an attack as quickly as possible. Alternatively, you might raise the protection level only after other attempts to mitigate an attack are unsuccessful. See “Mitigating an Attack by Raising the Protection Level” on page 359.
    Remember that the risk of blocking clean traffic increases with the level of protection. For information about the protection levels and the protection and risk that are associated with each one, see “About the Protection Levels” on page 185.

Identify and block specific attack traffic.
    If you can identify the source of an attack, you can block its traffic in the following ways:
    - Blacklist the traffic source.
    - Create a regular expression to match the traffic and enter it in the appropriate protection setting.
    - Create an FCAP expression to match the traffic and enter it in the appropriate protection setting.
    See “Identifying and Blocking an Attack” on page 363.

Edit the protection settings.
    If you can identify the type of attack, you can try to block it by changing the protection settings that typically block that type of attack. See “Changing the Protection Settings for Server Types” on page 169. For example, your network experiences an ICMP flood but APS does not detect it. If you can block the attack by changing the Maximum Request Rate for the target protection group, you can avoid changing the protection level.
Indicators of Attacks and Mitigations

APS provides several ways for you to determine whether your network is under attack and whether APS is blocking the attack traffic. If you have enabled alert thresholds, an alert can be the first sign that you are under attack, in addition to any external indications. See “Alerts that indicate attacks” below and “External attack symptoms” on page 358.

Whether or not you receive an alert, you can view the extensive traffic statistics that appear in APS. In particular, you can view the traffic graphs that provide a quick visual indication of the state of your network traffic. Additional statistics provide more details about the data that is provided in the graphs. See “Graphic indicators of an attack” on the next page.

For general information about attacks and mitigation, see “DDoS Attacks and APS Protections” on page 538 and “About Attack Mitigation” on page 352.

How to verify that a mitigation is working

After you take steps to block an attack, confirm that the attack is blocked.
- View the protected service from a customer’s perspective. For example, open a web browser and try to open the web site that was reported as unavailable.
- If you received a bandwidth alert, use the information in the alert to find where to view the behavior that triggered the alert. You might also note whether the alert expired.
- View the graphs and statistics that indicated the attack.

Alerts that indicate attacks

If you have enabled thresholds for total traffic alerts or botnet alerts, an alert occurs when a protection group’s traffic exceeds one of the thresholds. These alerts are collectively called bandwidth alerts.
- Total traffic alerts inform you of spikes in the traffic to protected services so that you can investigate the cause and take action if necessary.
- Botnet alerts indicate that a botnet attack might be underway and suggest the protection level that would block the botnet traffic.
- Blocked host alerts inform you of spikes in the amount of blocked traffic, which might indicate that an attack is underway. You might want to determine if blocking the traffic restored a sufficient level of service or if you need to take action to block additional traffic.

Each alert includes information that can help you to investigate the alerting behavior further. The information varies by the type of alert. For example, an alert might include the protection group name, the blocked host IP address, or a URL to the page where you can view further information. See “Viewing Bandwidth Alerts” on page 302.

When you use APS Console to manage APS, you can view the alerts for multiple APS devices. To do so, view the Dashboard page or the Alerts page (Explore > Alerts) in APS Console.

Graphic indicators of an attack

In the absence of alerts, you can view specific pages in the UI for information that can help you to detect an attack. In particular, look for a significant increase in traffic or an unexpected traffic spike in any of the following graphs. In APS Console, these graphs typically represent an aggregate of the inbound traffic for multiple protection groups or multiple APS devices.

Total traffic graphs

This type of graph can represent the amount of traffic flow, the traffic rate, or the request rate. It appears in the following locations:
- On the Summary page, in the following sections: Top Inbound Sources, Top Inbound Destinations
- On the View Protection Group page, in the following sections: Web Traffic By URL, Web Traffic By Domain, Protocols, and Services

Depending on where the graph appears, the traffic might appear in a color other than blue, and the graph might display stacked data.
Attack and mitigation indicators in the total traffic graphs

Unblocked attack — A significant increase in the level of total traffic usually indicates an attack that is not sufficiently blocked.
Partially blocked attack — The graph shows only a minor drop in the level of traffic. Additional mitigation steps might be necessary.
Blocked attack — The graph shows a significant drop in the level of traffic. The level of traffic appears to be normal.

Blocked-passed traffic graph

This type of graph shows the level of passed traffic in green and the level of blocked traffic in red, and appears in the following locations:
• On the Summary page, in the following sections: Total Traffic minigraph on the Overview tab and Top Inbound Countries section
• On the List Protection Groups page
• On the View Protection Group page, in the following sections: Total Protection Group Traffic and IP Location

Attack and mitigation indicators in the blocked-passed traffic graphs

Unblocked attack — A significant increase in the level of passed traffic (green) and a low level of blocked traffic (red) usually indicates an attack that is not sufficiently blocked.
Partially blocked attack — The graph shows only a minor drop in the level of passed traffic (green). Additional mitigation steps might be necessary.
Blocked attack — The graph shows a significant drop in the level of passed traffic (green). The level of passed traffic appears to be normal.

Interfaces graph

On the Summary page, view the Interfaces section to determine whether excessive traffic is flowing through the interfaces to the network. Such traffic might indicate an attack. In the following example, the light blue area represents the traffic that flows through the int0 (internal) interface. The int0 interface connects APS to the routers or switches that are inside your network.
The dark blue area represents the traffic that flows through the ext0 (external) interface. The ext0 interface connects APS to the routers or switches that are outside your network. When APS is connected to multiple interface pairs, additional colors appear in the graph. For a description of the information that appears in the following example, see “Attack and mitigation indicators in the Interfaces graph” on the next page.

TX: The transmitted traffic, which flows out of an interface, appears above the baseline.
RX: The received traffic, which flows into an interface, appears below the baseline.

Attack and mitigation indicators in the Interfaces graph

Key 1: Unblocked traffic — The ext0 interface receives the traffic from the internet and the int0 interface forwards approximately the same amount of traffic, including any attack traffic, to the network. The levels of the TX traffic and the RX traffic mirror each other.

Key 2: Unblocked traffic — The network sends a small amount of response traffic to the internet.
• The int0 interface receives the traffic from the network. The graph represents this traffic as the light blue area that is stacked below the dark blue traffic below the baseline. This area is barely visible in the example graph.
• The ext0 interface transmits the response traffic to the internet. The graph represents this traffic as the dark blue area that appears above the baseline.

Key 3: Blocked attack — The mitigation begins. The ext0 interface (dark blue) continues to receive about the same level of traffic as before. However, the int0 interface (light blue) shows a significant drop in the traffic that it transmits to the network, which indicates a successful mitigation. As the mitigation continues, the attack escalates, as shown by the higher amount of traffic that the ext0 interface receives.
This additional attack traffic has no effect on the traffic that the int0 interface transmits to the network.

Indicators of botnet threats

The ATLAS Botnet Prevention section on the Summary page can indicate a botnet attack that APS is not blocking. See “Viewing the ATLAS Botnet Prevention Information on the Summary Page” on page 314.

For the active protection level and for any lower protection levels, the traffic statistics represent the attacks that were blocked. For any protection level that is higher than the active level, the traffic statistics represent the attacks that would be blocked if that level were active. If a large amount of botnet traffic is not blocked at the active protection level, you might want to raise the protection level to block that traffic.

External attack symptoms

The initial signs of an attack might occur external to the APS UI. The United States Computer Emergency Readiness Team (US-CERT) states that the following symptoms could indicate a DoS attack or DDoS attack:
• unusually slow network performance (opening files or accessing web sites)
• unavailability of a particular web site
• inability to access any web site
• dramatic increase in the amount of spam you receive in your account

If you experience any of these symptoms, use the APS UI to investigate.

Mitigating an Attack by Raising the Protection Level

Typically, APS can block most attacks automatically. However, when an attack is not blocked automatically, you must take some action to block the attack traffic. You can try to mitigate an attack by raising the global protection level or the protection group protection level. Use this option when you have little time or knowledge of network security and you need to stop an attack as quickly as possible. Alternatively, you might raise the protection level only after other attempts to mitigate an attack are unsuccessful.
For additional mitigation options, see “About Attack Mitigation” on page 352. The more finely tuned your protection settings are, the more successful this method of blocking traffic will be.

Testing protection levels

Important: Arbor recommends that you experiment with different protection levels during normal operations, so that you can identify any potential problems before an attack occurs. When you test the protection levels, be sure to change the protection mode to inactive to avoid blocking traffic unintentionally. See “Implementing APS for Trial or Monitoring Only” on page 54.

Protection level icons

Throughout the UI, the following icons represent the protection levels: global, low, medium, and high. The current protection level is indicated by a check mark in the corresponding icon. To change the protection level, you click the appropriate icon.

Mitigating an attack by raising the protection level

This workflow assumes that you are already aware of an attack on your network. See “Indicators of Attacks and Mitigations” on page 355 for information about how to recognize an attack.

Workflow for mitigating an attack by raising the protection level

Step 1: Can you identify the protection group that is under attack?
• Yes — In the following steps, change the protection level for the protection group.
• No — In the following steps, change the global protection level.

Step 2: Change the protection level to Medium in one of the following ways:
• For a protection group — On the View Protection Group page, edit the protection group and select Medium.
• Globally — In the upper right corner of the APS window, in the Protection Level section, select Medium.
If the attack is not blocked sufficiently, then change the protection level to High.
Step 3: At the higher protection levels, APS might block valid hosts and services, such as email servers, DNS servers, database servers, or VPNs. When you raise the protection level, check the following pages. If you identify a valid host, whitelist it to stop blocking it now and prevent it from being blocked in the future.
• View the Blocked Hosts Log page. If you identify a valid host, whitelist it by clicking its Details button, and then clicking Whitelist in the Blocked Host Detail window. See “Viewing the Blocked Hosts Log” on page 408.
• View the Temporarily Blocked Sources section on the View Protection Groups page. If you identify a valid host, click its Whitelist button. See “Viewing Temporarily Blocked Sources” on page 335.

Step 4: Is the attack blocked now?
• Yes — Go to Step 6.
• No — Go to Step 5.

Step 5: Follow your organization’s procedure for escalating the attack mitigation. This procedure might include requesting cloud mitigation.

Step 6: When the level of traffic returns to normal, it indicates that the attack stopped, and you can reset the protection level to Low. To remain protected in case the attack recurs, you might wait a few hours before you reset the protection level.

Changing the Protection Level

The protection level determines which protection settings are in use at any given time. For example, if the protection level is low, then the low protection settings are used to inspect the current traffic. You can change the protection level as needed to mitigate attacks.

Generally, you should set the protection level to low, which offers the least protection but reduces the risk of blocking clean traffic. Reserve the medium and high levels for mitigating attacks. See “Balancing protection and risk” on page 187.
About the different protection levels

The global protection level in APS affects all of the protection groups except those that have their own protection level configured. The protection group protection level determines which protection settings are in use for a specific protection group. The outbound threat filter can use the global protection level or it can have its own protection level. The protection group protection levels and the outbound threat filter’s protection level override the global protection level. See “About the Protection Levels” on page 185.

Configuring notifications

You can configure notifications that send messages when someone changes the global protection level, a protection group’s protection level, or the outbound threat filter’s protection level. See “Configuring Notifications” on page 131.

Changing the protection level for multiple APS devices

When you use APS Console to manage APS, you can change the protection level for multiple APS devices, as follows:
• By default, every APS to which a protection group is assigned uses the protection level that you configure for that protection group. However, for a specific APS, you can override the protection group’s protection level.
• All of the managed APS devices use the protection level that is set in the APS Console outbound threat filter for outbound traffic.

For example, when an attack targets the servers that are protected by several protection groups, you can raise the protection level for all of those protection groups.

Caution: If you make local changes on an APS device that is managed by APS Console, those changes are not copied to APS Console. As a result, any local changes that you make on APS are lost because the configurations from APS Console overwrite the configurations on APS. Generally, you should not edit the configurations locally on a managed APS.

Protection level icons

Throughout the UI, the following icons represent the protection levels: global, low, medium, and high.
The current protection level is indicated by a check mark in the corresponding icon.

Changing the global protection level

To change the global protection level:
• In the upper right corner of the APS window, in the Protection Level section, select Low, Medium, or High.

Changing the protection level for a protection group

To change the protection level for a specific protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. Under Protection Level, select Global, Low, Medium, or High.
5. Click Save.

Changing the protection level for the outbound threat filter

To change the protection level for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click (configure).
3. Under Protection Level, select Global, Low, Medium, or High.
4. Click Save.

Identifying and Blocking an Attack

Typically, APS can block most attacks automatically. However, when an attack is not blocked automatically, you must take some action to block the attack traffic. This process assumes that you are already aware of an attack on your network and that APS is not blocking the attack. See “Indicators of Attacks and Mitigations” on page 355 for information about how to recognize an attack.

If you do not want to spend time investigating, you can try to mitigate the attack by raising the protection level or by some other method. For additional mitigation options, see “About Attack Mitigation” on page 352.

Identifying and blocking the source of an attack

Arbor recommends the following process for identifying and blocking the source of an attack.
However, you can perform any of the steps in any order.
• Did you see a total traffic alert or a botnet alert, or did you receive a notification that contained one of these alerts? Follow the link in the alert to view the Summary page or the View Protection Group page as applicable. If APS is not blocking the traffic that caused the alert, follow the next steps to investigate.
• View the Summary page and look for traffic behavior that is unusual or unexpected. See “Using the Summary page to identify an attack” below.
• Look for botnet traffic that is not blocked. See “Identifying a botnet attack” on the next page.
• If you can identify the protection group that is under attack, use the View Protection Group page to try to determine the source of the attack. See “Identifying an attack against a protection group” on page 365.
• Run and review a packet capture and try to determine the nature of the attack. See “Identifying an attack by examining captured packets” on page 365.

After any attempt to block the attack traffic, check the attack indicators to determine whether your actions mitigated the attack. See “Indicators of Attacks and Mitigations” on page 355.

Using the Summary page to identify an attack

View the active alerts, graphs, and data on the Summary page and look for traffic behavior that is unusual or unexpected. In particular, look for unexplained traffic spikes, a sudden, significant increase in the traffic level or traffic rate, or traffic from an unknown or unexpected source. For example, the Top Inbound Countries section might indicate that 1% of your network traffic originates from Singapore. However, if you never receive traffic from Singapore, that 1% is an abnormal amount.

If you see any suspicious traffic, you can take steps to investigate further. In some cases, you can block traffic from the Summary page.
Options for investigation or mitigation on the Summary page

Top Protection Groups:
• Go to the View Protection Group page for a protection group.
• Go to the Blocked Hosts Log page and look for the hosts that are blocked for the protection group.
• Capture the packets for a protection group.

Top Inbound Countries:
• Capture the packets for a country.
• Expand the view to display the protection groups and access the following options:
  ◦ Go to the View Protection Group page for a protection group.
  ◦ Blacklist the country for a protection group or all of the protection groups.

Top Inbound Sources:
• Go to the Blocked Hosts Log page and view information about a blocked IP address.
• Capture the packets from a source IP address.
• Blacklist a source IP address.

Top Inbound Destinations:
• Go to the Blocked Hosts Log page and view the hosts that are blocked for the destination of inbound traffic.
• Capture the packets for an inbound destination.

Interfaces:
• Capture the packets that flow through an interface.

See “Identifying an attack by examining captured packets” on the facing page.

Identifying blocked threats

View the Explore ATLAS Threat Categories page to examine the threats that are blocked from your network as a result of the ATLAS Intelligence Feed settings. You can view the threats that are blocked for an individual APS or for all of the managed APS devices. View the blocked traffic for each threat category and for specific threats within each category. When you identify a category or threat to investigate further, go to the Blocked Hosts Log page and view the associated blocked hosts.

Identifying a botnet attack

If none of the graphs on the Summary page indicate unusual traffic, look for any botnet traffic that APS is not blocking. To do so, view the ATLAS Botnet Prevention section on the Summary page.
For each protection group, the traffic that would be blocked at a different protection level appears in gray type. If a large amount of botnet traffic is not blocked at the active protection level, you can raise the protection level for that protection group. Alternatively, if the AIF Botnet Signatures protection setting is disabled for the active protection level, you can enable that setting in the appropriate server type. You can also go to the Blocked Hosts Log page for further investigation of a protection group or all of the protection groups.

When the botnet traffic is blocked, the traffic statistics appear in bold type. See “Viewing the ATLAS Botnet Prevention Information on the Summary Page” on page 314.

Identifying an attack against a protection group

If you can identify the protection group that is under attack, use the View Protection Group page to try to determine the source of the attack. Look for traffic behavior that is unusual or unexpected. In particular, look for unexplained traffic spikes, a sudden, significant increase in the traffic level or traffic rate, or traffic from an unknown or unexpected source. Also, a URL or domain that has a very high percentage of the total traffic is often an attack target.

Options for investigation or mitigation on the View Protection Group page

Attack Categories: Is one category blocking much more traffic than the others? If so, it is possible that even more of that type of traffic is not blocked. If the category is one that can be edited, edit its protection settings so that more traffic is blocked at the lower protection levels.

Web Traffic By URL and Web Traffic By Domain: Blacklist the URL or domain.

IP Location:
• Capture the packets for a country.
• Blacklist the country for the protection group or all protection groups.
Protocols: Create an FCAP expression to match a protocol and enter it in the Filter List settings for the appropriate server type.

Services:
• Capture the packets for a service.
• Create an FCAP expression to match a service and enter it in the Filter List settings for the appropriate server type.

Identifying an attack by examining captured packets

On the Packet Capture page, run and review a packet capture. By examining the packet payloads, you might be able to determine the nature of the attack. For example, you might see HTTP packets that are destined for a web page that does not exist. When you identify a pattern in the attack traffic, you can create a payload regular expression to block that type of traffic. See “Configuring Regular Expressions from Captured Packets” on page 425.

Investigating and blocking an attack from the Blocked Hosts Log page

After you identify the host IP address that is responsible for the attack, view information about that host on the Blocked Hosts Log page. From there, you can add the host to the blacklist to prevent future attacks from that host. If you determine that the host is no longer a threat, you can remove that host from the blacklist. If you determine that a legitimate host is blocked, you can whitelist that host.

Chapter 17: Mitigating Attacks in the Cloud

This section describes how you can use Cloud Signaling to request and receive attack mitigation from a cloud service provider.
In this section

This section contains the following topics:
About Cloud Signaling for DDoS Protection — page 368
Types of Cloud Mitigations — page 371
About GRE Tunneling and Cloud Signaling — page 372
How APS Communicates with the Cloud Signaling Servers — page 375
Configuring and Enabling Cloud Signaling — page 378
About Rate-Based Cloud Mitigation — page 384
About Manually Pushing an Attack Mitigation to the Cloud — page 387
Manually Requesting and Stopping a Global Cloud Mitigation — page 390
Manually Requesting and Stopping a Targeted Cloud Mitigation — page 391
Manually Requesting and Stopping a Group Cloud Mitigation — page 393
Viewing Targeted Cloud Signaling Activity — page 394
Viewing Global and Group Cloud Signaling Activity — page 396
About the Cloud Signaling Widget — page 397
About the Arbor Cloud DDoS Protection Service — page 402
Setting Up the Arbor Cloud DDoS Protection Service — page 404

About Cloud Signaling for DDoS Protection

Cloud Signaling is the process of requesting and receiving cloud-based mitigation of volumetric attacks in real time from an upstream service provider. Arbor’s Cloud Signaling℠ capabilities integrate the on-premises protection of APS with the cloud-based DDoS protection that is delivered by leading managed security service providers (MSSP).

Certain high-bandwidth, volumetric attacks, which usually originate from internet bots or large-scale botnets, pose a serious threat to data center availability. Such attacks are too large to mitigate at the data center’s premises. Cloud Signaling reduces the time it takes to mitigate DDoS attacks and helps to ensure the availability of your data center infrastructure.

Note: APS does not support Cloud Signaling for IPv6 traffic.

The APS mitigation signal does not depend on a response from a Cloud Signaling server. Therefore, overwhelming inbound attacks do not prevent the outbound mitigation requests.

Note: If APS is running in FIPS mode, then Cloud Signaling is not supported.
How Cloud Signaling works

When Cloud Signaling is activated, APS signals to the cloud service provider that mitigation help is needed. When the service provider begins the mitigation process, the attack that is congesting the upstream links is redirected to the cloud service provider. At the same time, service availability is protected and the attack traffic diminishes or disappears from your network’s access links. The service provider mitigates the attack, and then routes the cleaned traffic back to your network.

When APS sends a cloud mitigation request, it also shares the hosts, countries, and URLs on the inbound blacklist and the hosts on the inbound whitelist. APS shares these items by default. If you do not want to share these items, clear the option that enables the sharing on the Configure Cloud Signaling Settings page (Administration > Cloud Signaling).

Note: The CIDR blocks that are mapped to the country codes may differ between APS and your cloud service provider.

APS does not share the following items on the blacklists and the whitelist:
• domains on the inbound blacklist
• IPv6 hosts
• items that are not assigned to All Protection Groups
• more than 1,000 URLs

Note: If the blacklist contains more than 1,000 URLs, APS arbitrarily selects 1,000 URLs from the blacklist to send to the cloud service provider.

It is possible for a cloud service provider to decide not to mitigate an attack. Therefore, mitigation does not necessarily occur every time it is requested.

Cloud Signaling server redundancy

To provide Cloud Signaling redundancy, you can configure up to five Cloud Signaling servers. If a Cloud Signaling server goes down when multiple servers are configured, another Cloud Signaling server takes its place. Cloud Signaling is available unless APS loses communication with all of the Cloud Signaling servers.
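The sharing rules above, as an added worked example in Python that selects which blacklist and whitelist entries would accompany a cloud mitigation request. This is illustrative code, not APS's own implementation or its request format: the ListEntry structure, the entry kinds, the scope strings, the IPv4 check and the sample entries are constructed for this example, and keeping the first 1,000 URLs in list order is this example's choice where APS selects them arbitrarily.

```python
"""Which blacklist and whitelist items accompany a cloud mitigation request.

Illustrative example, not APS code or its request format. ListEntry, the
scope strings and the sample entries are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

ALL_GROUPS = "All Protection Groups"   # only entries assigned here are shared
URL_SHARE_LIMIT = 1000                 # APS never sends more than 1,000 URLs


@dataclass(frozen=True)
class ListEntry:
    kind: str    # "host", "country", "url" or "domain"
    value: str
    scope: str   # protection group the entry is assigned to


def _is_ipv4_host(value: str) -> bool:
    """True for an IPv4 address or CIDR block; IPv6 hosts are never shared."""
    try:
        return ipaddress.ip_network(value, strict=False).version == 4
    except ValueError:
        return False


def build_shared_lists(inbound_blacklist, inbound_whitelist, share_enabled=True):
    """Apply the sharing rules from this section: hosts, countries and URLs from the
    inbound blacklist plus hosts from the inbound whitelist are shared; domains,
    IPv6 hosts and entries not assigned to All Protection Groups are not."""
    if not share_enabled:              # sharing cleared on the Cloud Signaling settings page
        return {"hosts": [], "countries": [], "urls": [], "whitelist_hosts": []}
    eligible = [e for e in inbound_blacklist if e.scope == ALL_GROUPS]
    hosts = [e.value for e in eligible if e.kind == "host" and _is_ipv4_host(e.value)]
    countries = [e.value for e in eligible if e.kind == "country"]
    urls = [e.value for e in eligible if e.kind == "url"]
    # APS picks 1,000 URLs arbitrarily when there are more; keeping the first 1,000
    # in list order is this example's choice, not APS's.
    urls = urls[:URL_SHARE_LIMIT]
    whitelist_hosts = [e.value for e in inbound_whitelist
                       if e.scope == ALL_GROUPS and e.kind == "host" and _is_ipv4_host(e.value)]
    return {"hosts": hosts, "countries": countries, "urls": urls, "whitelist_hosts": whitelist_hosts}


# Constructed sample lists (documentation addresses and names only).
BLACKLIST = [
    ListEntry("host", "203.0.113.7", ALL_GROUPS),
    ListEntry("host", "2001:db8::7", ALL_GROUPS),            # IPv6: not shared
    ListEntry("host", "198.51.100.0/24", "web-servers"),      # group-specific: not shared
    ListEntry("country", "XX", ALL_GROUPS),                   # placeholder country code
    ListEntry("domain", "blocked.example", ALL_GROUPS),      # domains: not shared
] + [ListEntry("url", f"http://www.example.com/path/{i}", ALL_GROUPS) for i in range(1200)]

WHITELIST = [
    ListEntry("host", "192.0.2.10", ALL_GROUPS),
    ListEntry("host", "2001:db8::10", ALL_GROUPS),           # IPv6: not shared
    ListEntry("host", "192.0.2.11", "dns-servers"),          # group-specific: not shared
]

if __name__ == "__main__":
    shared = build_shared_lists(BLACKLIST, WHITELIST)
    print({k: (v if k != "urls" else f"{len(v)} URLs") for k, v in shared.items()})
```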
Note: Each IP address or hostname must identify a unique Cloud Signaling server. Do not add more than one address or hostname for the same Cloud Signaling server.

See “Configuring and Enabling Cloud Signaling” on page 378.

Requirements

You must purchase cloud-based protection from an ISP or MSSP that supports Cloud Signaling. APS supports mitigation connectivity to only one upstream provider at a time. If you purchase cloud-based protection from multiple providers, you must choose which provider to send Cloud Signaling requests to. See “Cloud Signaling Deployment Models” on page 72.

If your cloud service provider uses GRE tunneling to route the cleaned traffic back to your network, you must configure APS to serve as the GRE destination. See “About GRE Tunneling and Cloud Signaling” on page 372 and “Configuring Interfaces and GRE Tunneling” on page 141.

If you purchased the Arbor Cloud DDoS Protection service, you work with Arbor to set up your system for using the Arbor Cloud service. For more information, see the Arbor Cloud documentation that has been provided to you.

Types of cloud mitigations

APS can send Cloud Signaling requests for the following types of cloud mitigations:
• global — Mitigation for all of the IPv4 prefixes
• targeted — Mitigation for specific IPv4 prefixes, if your cloud service provider supports targeted Cloud Signaling
• group — Mitigation for specific IPv4 protection groups, if your cloud service provider supports group Cloud Signaling

For more information about Cloud Signaling, see “Types of Cloud Mitigations” on the facing page.

How Cloud Signaling is activated

Cloud Signaling can be activated in the following ways:

Activation methods for Cloud Signaling

Rate-based thresholds: APS activates Cloud Signaling based on user-configured traffic thresholds.
You can configure global thresholds for inbound traffic to all of the prefixes in your protected network. You also can configure thresholds for inbound traffic to specific IPv4 prefixes. When the inbound traffic exceeds a threshold, APS sends a request to your cloud service provider to mitigate the attack traffic. This method is the most effective way to use Cloud Signaling. See “About Rate-Based Cloud Mitigation” on page 384.
Note: Even if all of your protection groups are set to Inactive, APS still sends a cloud mitigation request when inbound traffic exceeds a Cloud Signaling threshold.

Manual: You activate Cloud Signaling from the UI. For example, an attack that is beyond the capabilities of APS might not meet the thresholds that trigger a Cloud Signaling request. Another example is an organization that wants APS to monitor traffic and detect attacks, but prefers to have the service provider perform all of the mitigations. See “About Manually Pushing an Attack Mitigation to the Cloud” on page 387.

Automatic: The cloud service provider starts a mitigation without receiving a request. If your cloud service provider offers this service, you might occasionally notice a cloud mitigation that APS did not request. This term also describes any cloud mitigation whose source cannot be determined. For example, if you deactivate the mitigation request while a global cloud mitigation is in progress, APS can no longer determine how the mitigation was activated. At that point, the Cloud Signaling widget for a global mitigation displays “Automatic Cloud Signaling Activated”. See “About the Cloud Signaling Widget” on page 397.

Note: If you are using the Arbor Cloud DDoS Protection service, additional steps are required to start the mitigation. See “About the Arbor Cloud DDoS Protection Service” on page 402.
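The rate-based activation path from the table above, including the global threshold that must be exceeded for a period of time and the targeted-destination check that replaces a global request with specific IPv4 prefixes (both described under “Types of Cloud Mitigations” in this chapter), as an added worked example in Python. It is illustrative code, not APS's own decision logic or its signaling format: the samples, the thresholds, the hold time and the rule that the global threshold must be exceeded continuously up to the latest sample are assumptions made for this example.

```python
"""Rate-based Cloud Signaling decision: none, global or targeted request.

Illustrative example, not APS logic or its signaling format. The samples,
thresholds and hold time are constructed; the rule that the global threshold
must be exceeded continuously up to the latest sample is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InboundSample:
    t_seconds: int
    total_mbps: float
    per_prefix_mbps: dict = field(default_factory=dict)   # destination prefix -> Mbps


def _global_threshold_held(samples, global_threshold_mbps, hold_seconds):
    """True when every sample of the run ending at the latest sample is above the
    global threshold and the run spans at least hold_seconds."""
    run_start = None
    for s in samples:
        if s.total_mbps > global_threshold_mbps:
            if run_start is None:
                run_start = s.t_seconds
        else:
            run_start = None            # traffic dipped under: the clock restarts
    return run_start is not None and samples[-1].t_seconds - run_start >= hold_seconds


def decide_cloud_request(samples, global_threshold_mbps, hold_seconds,
                         targeted_threshold_mbps, targeted_supported=True,
                         manual_prefixes=()):
    """Return ("none", []), ("global", []) or ("targeted", [prefixes]).

    A request is sent regardless of the protection groups' active/inactive
    state. Targeted requests replace the global prefixes with the IPv4 prefixes
    above the targeted destination threshold (plus manually added ones);
    IPv6 prefixes are ignored because Cloud Signaling does not cover IPv6.
    """
    if not samples or not _global_threshold_held(samples, global_threshold_mbps, hold_seconds):
        return ("none", [])
    if not targeted_supported:
        return ("global", [])
    latest = samples[-1]
    hot = {p for p, mbps in latest.per_prefix_mbps.items()
           if mbps > targeted_threshold_mbps and ipaddress.ip_network(p).version == 4}
    if not hot:
        return ("global", [])
    hot.update(p for p in manual_prefixes if ipaddress.ip_network(p).version == 4)
    return ("targeted", sorted(hot))


# Constructed: total inbound traffic crosses 800 Mbps at t=10 and stays there.
SAMPLES = [
    InboundSample(0, 400, {"198.51.100.0/24": 250, "203.0.113.0/24": 120}),
    InboundSample(10, 1200, {"198.51.100.0/24": 900, "203.0.113.0/24": 200}),
    InboundSample(20, 1300, {"198.51.100.0/24": 1000, "203.0.113.0/24": 220}),
    InboundSample(30, 1350, {"198.51.100.0/24": 1050, "203.0.113.0/24": 230}),
    InboundSample(40, 1900, {"198.51.100.0/24": 1100, "203.0.113.0/24": 230, "2001:db8::/32": 600}),
]

if __name__ == "__main__":
    # Global threshold 800 Mbps held for 30 s, targeted destination threshold 500 Mbps.
    print(decide_cloud_request(SAMPLES, 800, 30, 500))
```

The IPv6 prefix in the last sample is above the targeted threshold but is deliberately left out of the request, matching the note earlier in this chapter that Cloud Signaling does not cover IPv6 traffic.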
Types of Cloud Mitigations

Cloud Signaling is the process of requesting and receiving cloud-based mitigation of volumetric attacks in real time from an upstream service provider. Cloud Signaling reduces the time it takes to mitigate DDoS attacks and helps to ensure the availability of your data center infrastructure.

APS can send Cloud Signaling requests for the following types of cloud mitigations:
• global
• targeted
• group

Global mitigation

Global Cloud Signaling sends a cloud mitigation request for all of the IPv4 prefixes on your network. You can configure APS to send a global Cloud Signaling request when traffic on the appliance exceeds a global threshold for a specified amount of time. For APS to start an automatic global cloud mitigation, you first must specify the Global Cloud Signaling Threshold on the Cloud Signaling Settings page. See “Configuring and Enabling Cloud Signaling” on page 378.

You also can start a global Cloud Signaling request manually, from the Cloud Signaling widget. See “About the Cloud Signaling Widget” on page 397.

Targeted mitigation

If your cloud service provider supports targeted Cloud Signaling, you can configure cloud mitigation for targeted prefixes. Before APS can send an automatic request for targeted Cloud Signaling, you enable and configure automatic cloud signaling settings on the Cloud Signaling Settings page. You must configure the Global Cloud Signaling Threshold settings and the Targeted Destination Threshold settings. See “Configuring and Enabling Cloud Signaling” on page 378.

After traffic exceeds a global Cloud Signaling threshold, APS starts a targeted cloud mitigation if one or more IPv4 prefixes exceed a targeted destination threshold. In this situation, APS replaces all of the prefixes in the global cloud mitigation with the targeted prefixes. A targeted cloud mitigation also can include IPv4 prefixes that you add manually on the Active Cloud Signaling Requests page.
See “Manually Requesting and Stopping a Targeted Cloud Mitigation” on page 391.

Group mitigation

If your cloud service provider supports mitigation at the group level, you can send a cloud mitigation request for specific IPv4 protection groups. APS can mitigate the attack traffic for multiple protection groups at one time. To start a cloud mitigation for a protection group, you use the Group Cloud Signaling widget. You can find this widget on the View Protection Group page for an IPv4 protection group. See “About the Cloud Signaling Widget” on page 397.

About GRE Tunneling and Cloud Signaling

When you purchase cloud-based protection, your cloud service provider might request that you configure GRE tunneling. This configuration allows APS to serve as a GRE destination for the cleaned traffic that the provider routes back to your network. Because APS assumes that the traffic that arrives from the GRE tunnel is clean, it does not need to re-inspect that traffic.

Note: If you are using the Arbor Cloud DDoS Protection service with BGP redirection, you must configure GRE tunneling. See “About the Arbor Cloud DDoS Protection Service” on page 402.

About GRE tunneling

GRE (generic routing encapsulation) is a protocol that transports a variety of protocol packet types over IP networks. In the inline deployment mode, you configure a GRE tunnel as a logical interface. In this case, the GRE endpoints are the tunnel source address and tunnel destination address. In the layer 3 deployment mode on vAPS, the GRE tunnel destination endpoint is the external interface.

GRE encapsulates a payload packet inside an outer IP packet and routes it through an IP network. When the packet reaches the tunnel destination endpoint, the packet is decapsulated and routed to its final destination.
If you use LACP (Link Aggregation Control Protocol) to bundle the protection interfaces, APS cannot serve as a GRE tunnel destination. In this case, specify a GRE tunnel destination that is downstream of APS.

How GRE tunneling works with Cloud Signaling

[Figure legend: clean traffic (black); attack traffic (red); cleaned traffic (green); cleaned and re-inspected traffic (gold)]

Cloud Signaling without GRE tunneling

When you use Cloud Signaling without GRE tunneling, the cloud service provider mitigates the attack, and then routes the cleaned traffic back to your network. APS re-inspects the cleaned traffic along with any other traffic, and then forwards it to its final destination.

Cloud Signaling with GRE tunneling

When you use APS as a GRE tunnel destination, the cloud service provider routes the cleaned traffic back to your network through the GRE tunnel. APS forwards that traffic to its final destination without further inspection. (For details about the traffic routing, see “How GRE traffic is routed” on the next page.)

Caution
A large amount of GRE traffic can affect the performance of APS because the GRE traffic uses hardware resources that would otherwise be used by non-GRE traffic.

Configuration requirements

To use APS as a GRE tunnel destination for Cloud Signaling, configure it as follows:

a tunnel source on the Cloud Signaling server
    For at least one APS interface pair, configure one or more remote GRE IP addresses on the cloud service provider’s network. Your cloud service provider supplies this information.

a tunnel destination on APS
    For the same APS interface pair, configure a local GRE IP address and prefix length. For example, 198.51.100.0/24.

routes
    Associate a destination prefix with the IP address of the router (nexthop) to which the cleaned traffic should be forwarded. See “About configuring routes” below.
You configure GRE tunneling on the Interfaces page. See “Configuring Interfaces and GRE Tunneling” on page 141.

About configuring routes

Routes are not associated with any specific interface pair. However, the IP address for the nexthop must be on the same subnet as one of the APS tunnel destinations. For example, if the tunnel destination is 198.51.100.0/24, the IP address 198.51.100.2 is a valid nexthop because it is on the same subnet.

Although a route is not required, Arbor recommends that you configure at least one route. In the inline deployment mode, Arbor recommends that you configure a route to 0.0.0.0/0. See “Configuring Routes” on page 145. In the layer 3 mode, Arbor recommends that you configure at least one route to a subnet that vAPS can access. See “Configuring Static Routes for the Protection Interfaces on vAPS” on page 513.

About GRE tunnel keepalives

To use keepalives with GRE tunnels, you must configure a route to a GRE tunnel source. To configure a GRE tunnel source, see “Configuring Interfaces and GRE Tunneling” on page 141. To configure a route, see “Configuring Routes” on page 145.

How GRE traffic is routed

When no GRE tunnel destination is configured for a pair of interfaces, APS inspects all of the traffic that arrives at the external interface. The traffic that the cloud service provider cleaned is included in the inspection. All of the clean traffic is forwarded out of the corresponding internal interface to its final destination.

When GRE tunneling is configured, the cloud service provider sends the cleaned, GRE-encapsulated traffic through the GRE tunnel. The GRE traffic arrives at the external interface and is sent to the APS tunnel destination that is associated with that interface.
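The nexthop rule above and the forwarding decisions that the GRE traffic routing table spells out can be checked against a planned route table before it is entered on the Interfaces page. The following is an added example written for this guide, not APS code or any APS API; the tunnel destination 198.51.100.0/24 and nexthop 198.51.100.2 come from the text, the other addresses are constructed, and the tie-break when the local endpoint and a route have the same prefix length is an assumption (the guide does not define it).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    """A static route: destination prefix -> nexthop router (constructed model)."""
    prefix: ipaddress.IPv4Network
    nexthop: ipaddress.IPv4Address


def route(prefix: str, nexthop: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix, strict=False),
                 ipaddress.IPv4Address(nexthop))


def nexthop_is_valid(nexthop: str, tunnel_destinations: Sequence[str]) -> bool:
    """A route's nexthop must be on the same subnet as one of the APS
    tunnel destinations (the local GRE IP address and prefix length)."""
    nh = ipaddress.IPv4Address(nexthop)
    return any(nh in ipaddress.IPv4Network(td, strict=False)
               for td in tunnel_destinations)


def forward_decision(dst: str, local_endpoint: str,
                     routes: Sequence[Route]) -> Tuple[str, Optional[str]]:
    """Decide how a decapsulated packet leaves the tunnel destination.

    Returns ("internal", None) - out of the internal interface, directly
            ("nexthop", ip)    - to the configured nexthop for the route
            ("drop", None)     - matches neither the endpoint nor a route
    """
    d = ipaddress.IPv4Address(dst)
    local = ipaddress.IPv4Network(local_endpoint, strict=False)
    in_local = d in local
    matching = [r for r in routes if d in r.prefix]
    best = max(matching, key=lambda r: r.prefix.prefixlen, default=None)

    if best is None:
        # Endpoint prefix only -> direct; nothing at all -> dropped.
        return ("internal", None) if in_local else ("drop", None)
    if not in_local:
        return ("nexthop", str(best.nexthop))
    # Both match: longest prefix wins. An exact tie is not defined by the
    # guide; this model lets the configured route win the tie (assumption).
    if local.prefixlen > best.prefix.prefixlen:
        return ("internal", None)
    return ("nexthop", str(best.nexthop))


if __name__ == "__main__":
    TUNNEL = "198.51.100.0/24"                       # local GRE endpoint (from the guide)
    ROUTES = [route("0.0.0.0/0", "198.51.100.2")]    # recommended inline default route
    print(nexthop_is_valid("198.51.100.2", [TUNNEL]))
    for dst in ("198.51.100.50", "192.0.2.7"):       # constructed destinations
        print(dst, forward_decision(dst, TUNNEL, ROUTES))
```

Without the default route, the constructed destination 192.0.2.7 is dropped, which is exactly the case the guide's recommendation of a 0.0.0.0/0 route is meant to prevent.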
At the tunnel destination, the traffic is decapsulated, its final destination address is examined, and the traffic is forwarded as follows:

GRE traffic routing

Condition: The traffic's destination matches the prefix for the local GRE endpoint, but it does not fall within the prefix for any other route.
    How APS forwards the traffic: APS forwards the traffic out of the internal interface directly to the specified destination.

Condition: The traffic's destination matches the prefix for a configured route, but does not match the prefix for the local GRE endpoint.
    How APS forwards the traffic: APS forwards the traffic to the configured nexthop for that route.

Condition: The traffic’s destination matches the prefix for the local GRE endpoint and the prefix for a configured route.
    How APS forwards the traffic: APS forwards the traffic according to the rule for the longest prefix match.

Condition: The traffic’s destination does not match the prefix for the local GRE endpoint or the prefix for a configured route.
    How APS forwards the traffic: APS drops the traffic. To prevent such traffic from being dropped, configure at least one route. In the inline deployment mode, Arbor recommends that you configure a route to 0.0.0.0/0. In the layer 3 mode on vAPS, Arbor recommends that you configure at least one route to a subnet that vAPS can access.

How APS Communicates with the Cloud Signaling Servers

APS sends the following requests to the Cloud Signaling servers:

- handshake — APS establishes connections with the configured Cloud Signaling servers and determines whether your cloud service provider supports group mitigation for protection groups.
- prefix update — If your cloud service provider supports group mitigations or group and targeted mitigations, APS sends a list of the IPv4 prefixes to the Cloud Signaling servers.

Note
APS does not support Cloud Signaling for IPv6 traffic.
- heartbeat — To verify that the communication channels are open, APS exchanges heartbeat messages with the Cloud Signaling servers every minute.

You can configure up to five Cloud Signaling servers. See “Cloud Signaling server redundancy” on page 369.

Connection types

APS uses its management interfaces to open the following types of connections to the Cloud Signaling servers:

Types of connections to the Cloud Signaling servers

HTTPS
    The handshake requests and the prefix updates use the HTTPS protocol. The HTTPS connections can use a proxy.

UDP
    The heartbeat requests use bi-directional UDP on port 7550. During a large volumetric attack, the network path between APS and the Cloud Signaling servers becomes degraded. By using UDP instead of TCP, APS can continue to send heartbeats and mitigation requests even when the network is under attack.

About the handshake

APS initiates the handshake connections with the Cloud Signaling servers. The handshake is initiated in the following instances:

- when you enable Cloud Signaling on the Configure Cloud Signaling Settings page
- every 12 hours, automatically

Important
If your cloud service provider makes any changes to your Cloud Signaling configuration, a handshake must occur for APS to receive a notification about the change. Depending on when the last handshake occurred, this notification may take up to 12 hours. To initiate a handshake immediately, modify and save a Cloud Signaling setting.

If the handshake fails to run successfully for 36 hours, the heartbeats expire and both APS and the Cloud Signaling servers stop sending them. The handshake might stop for any of the following reasons:

- You disable Cloud Signaling on the Configure Cloud Signaling Settings page.
- Your network is under attack for more than 36 hours and no outbound HTTPS connections can be opened.
For information about the Configure Cloud Signaling Settings page, see “Configuring and Enabling Cloud Signaling” on page 378.

About the prefix update

If your cloud service supports cloud mitigation for IPv4 protection groups or IPv4 prefixes, APS sends a list of the protected IPv4 prefixes to the Cloud Signaling servers. This prefix update is initiated in the following instances:

- when the initial connection handshake determines that your cloud service provider supports group cloud mitigation
- when an IPv4 protection group is added or deleted, or an IPv4 protection group’s prefix list is changed (assuming that group Cloud Signaling is supported)

Note
APS does not support Cloud Signaling for IPv6 traffic.

About the heartbeats

The heartbeat messages verify that both sides of the communication channel are open. APS exchanges heartbeats with the Cloud Signaling servers every 60 seconds. These heartbeats are discrete messages. The APS mitigation signal does not depend on a response from the Cloud Signaling servers. APS also sends a heartbeat when a user manually activates or deactivates cloud signaling.

APS sends heartbeats and processes received heartbeats only if Cloud Signaling is enabled. If a certain amount of time passes without an exchange of heartbeats between APS and a Cloud Signaling server, communication is considered lost.

About the APS heartbeats

The APS heartbeat is encrypted and contains the following information:

- packet creation time
- IP address of the Cloud Signaling servers
- time at which APS received the last message from the Cloud Signaling servers
- a flag to indicate whether or not a cloud mitigation is requested
- mitigation requests, if applicable
- a list of the IPv4 protection groups or IPv4 prefixes that are included in a mitigation request, if applicable

APS sends multiple copies of each heartbeat message in case of packet loss or corruption.
About a Cloud Signaling server’s heartbeats

The heartbeat for a Cloud Signaling server contains information about the cloud mitigations that result from any of the following requests:

- any mitigation request from this APS installation
- any mitigation request from another APS installation in your organization
- a request that an operator at the cloud service provider makes

A heartbeat for a Cloud Signaling server contains the following information:

- packet creation time
- IP address of the Cloud Signaling server
- time at which the Cloud Signaling server received the last message from APS
- a flag to indicate whether or not a cloud mitigation is running
- a list of the IPv4 protection groups whose traffic is included in the cloud mitigation, if applicable
- bps and pps information for the packets that were blocked by any active cloud mitigations

Note
If your organization deployed multiple APS installations that all use the same Cloud Signaling servers, the Cloud Signaling widget displays combined traffic information for all of those installations.

About the connection to the Cloud Signaling servers

After you enable Cloud Signaling, the Connection Status box appears on the Configure Cloud Signaling Settings page. The Connection Status box provides the following information about the connections to the Cloud Signaling servers:

- the current status of the connection
- the length of time since the last communication between APS and the Cloud Signaling servers
- the status of a global cloud mitigation, if any

The status information is updated automatically.

If a certain amount of time passes without an exchange of heartbeats between APS and a Cloud Signaling server, there may be a problem with the server. In this case, an (alert) icon is shown next to the server name in the Cloud Signaling widget. See “About the Cloud Signaling Widget” on page 397.
Configuring and Enabling Cloud Signaling

Cloud Signaling is the process of requesting and receiving cloud-based mitigation of volumetric attacks in real time from an upstream service provider. Cloud Signaling reduces the time it takes to mitigate DDoS attacks and helps to ensure the availability of your data center infrastructure.

Note
APS does not support Cloud Signaling for IPv6 traffic.

See “About Cloud Signaling for DDoS Protection” on page 368 for more information about Cloud Signaling.

Tasks to configure Cloud Signaling

On the Configure Cloud Signaling Settings page, you can perform the following tasks:

- Enable Cloud Signaling.
- Configure the settings for connecting up to five Cloud Signaling servers.

  Note
  Each IP address or hostname must identify a unique Cloud Signaling server. Do not add more than one address or hostname for the same Cloud Signaling server.

- Configure the settings for connecting to the Cloud Signaling servers through a proxy server.
- Configure the thresholds to enable rate-based global Cloud Signaling for all IPv4 prefixes or for specific IPv4 destination prefixes, if supported.
- Enable the use of the Arbor Cloud DDoS protection service for Cloud Signaling mitigation.
- Specify a link to your cloud service provider’s management portal, if any.
- Test the connection to ensure that it works.
- View the current Cloud Signaling status.

If your cloud service provider uses GRE tunneling to route the cleaned traffic back to your network, you must configure APS to serve as the GRE destination. This configuration is on the Interfaces page. See “About GRE Tunneling and Cloud Signaling” on page 372 and “Configuring Interfaces and GRE Tunneling” on page 141.
Before you begin

Before you configure APS to use Cloud Signaling, obtain the following information from your cloud service provider:

- the IP addresses or hostnames for the Cloud Signaling servers
- the ID and password to access the Cloud Signaling servers
- one or more IP addresses to define a GRE tunnel source on the Cloud Signaling servers, if your cloud service provider requests that you configure GRE tunneling

If you purchased the Arbor Cloud DDoS Protection service, additional steps are necessary to set up your system for Arbor Cloud mitigation. For more information, see the Arbor Cloud documentation that has been provided to you.

Important
If you enable Cloud Signaling, you should configure an NTP server to avoid clock-related problems that might interfere with communications to the Cloud Signaling servers. See “Configuring the General Settings” on page 100. If you are using vAPS, configure the NTP server on the host machine on which the vAPS resides.

Configuring and enabling Cloud Signaling

To configure and enable Cloud Signaling:

1. Select Administration > Cloud Signaling.
2. On the Configure Cloud Signaling Settings page, configure the settings; see “Cloud Signaling configuration settings” below.
3. Click Save. APS enables Cloud Signaling and tests the connections.
4. If the test fails, check your settings, make any changes that are necessary, and then click Save to save the new settings.

After you enable Cloud Signaling, the Connection Status box provides information about the connections to the Cloud Signaling servers. See “About the connection to the Cloud Signaling servers” on page 377.
Cloud Signaling configuration settings

The Configure Cloud Signaling Settings page contains the following settings:

Enable Cloud Signaling check box
    Select this check box if you plan to use Cloud Signaling to request cloud-based mitigation.

Cloud Signaling Servers box
    Type the IP address or the hostname for a Cloud Signaling server at your cloud service provider. Your cloud service provider supplies this information.
    To provide Cloud Signaling redundancy, you can add up to five Cloud Signaling servers. Each time you enter an IP address or hostname, another box appears below the current box, until you have configured five servers. The Cloud Signaling servers can be configured in any order. See “Cloud Signaling server redundancy” on page 369.

    Note
    Each IP address or hostname must identify a unique Cloud Signaling server. Do not add more than one address or hostname for the same Cloud Signaling server.

These are Arbor Cloud Servers check box
    If you purchased the Arbor Cloud DDoS Protection service, select this check box to route the Cloud Signaling requests to the Arbor Cloud DDoS protection service. See “Setting Up the Arbor Cloud DDoS Protection Service” on page 404.

Use On-Demand DNS Redirection check box
    Select this check box if you chose the DNS-based redirection option when you enrolled in the Arbor Cloud DDoS Protection service. See “Arbor Cloud redirection options” on page 402.

APS ID box
    Type the ID that is required to access the Cloud Signaling servers. Your cloud service provider supplies this information.

Password box
    Type the password that is required to access the Cloud Signaling servers, and then retype the password in the Verify box to confirm it. Your cloud service provider supplies this information.
Management Portal URL box
    If your cloud service provider has a management portal, type its URL to provide a link to the portal from APS. This link appears on the Tools menu on the Cloud Signaling widget and on the Group Cloud Signaling widget. See “About the Cloud Signaling Widget” on page 397.
    For example, the Arbor Cloud DDoS Protection service provides the Arbor Cloud Customer Portal.

Share the Inbound Blacklists and Inbound Whitelist check box
    Select this check box to share the hosts on the inbound whitelist and the hosts, countries, and URLs on the inbound blacklist with the Cloud Signaling server. To find out when APS sends these lists to the Cloud Signaling server, see “About sharing the inbound blacklists and inbound whitelist” on page 383.
    If your cloud service provider cannot resolve any of the blacklisted country codes, you will receive a message on the Summary page. This message, which appears after the Cloud Signaling handshake has occurred, will list the country codes that your cloud service provider was unable to resolve.

    Note
    The CIDR blocks that are mapped to the country codes may differ between APS and your cloud service provider.

    APS does not share the following items on the blacklists and the whitelist:

    - domains on the inbound blacklist
    - IPv6 hosts
    - items that are not assigned to All Protection Groups
    - more than 1,000 URLs

    Note
    If the blacklist contains more than 1,000 URLs, APS arbitrarily selects 1,000 URLs from the blacklist to send to the cloud service provider.

Enable Automatic Cloud Signaling check box
    Select this check box to allow APS to request cloud-based mitigation automatically when the inbound traffic exceeds one of the defined thresholds. See “About Rate-Based Cloud Mitigation” on page 384.
Global Cloud Signaling Threshold boxes
    Type a value for one or both of the thresholds, and select a unit of measure to indicate the rates of traffic that trigger global Cloud Signaling. These rates apply to all of the inbound traffic on your network.
    You can specify a bit rate from 1 bps to 1 Tbps, and a packet rate from 1 pps to 1 Tpps. The default rates are 1 Gbps and 1 Gpps.
    When you configure the global Cloud Signaling thresholds, you need to allow for small variances in traffic bps calculations between APS and the Cloud Signaling servers.

    Note
    Even if all of your protection groups are set to Inactive, APS still sends a cloud mitigation request when inbound traffic exceeds a Cloud Signaling threshold.

Interval slider
    Move the slider to specify the amount of time over which to average the inbound traffic, to meet the global Cloud Signaling thresholds. You can specify an interval from 5 seconds to 10 minutes.
    For example, you might configure an interval of 2 minutes and thresholds of 1 Mbps and 1 Mpps. If at any time the 2-minute moving average rate of traffic exceeds either of the global thresholds, then APS sends a mitigation request.
    Mitigation requests are included in the Cloud Signaling heartbeat messages, which occur every minute. If the threshold interval is less than one minute, APS sends any associated mitigation request during the next heartbeat.

Enable Targeted Destination Cloud Signaling check box
    If your cloud service provider supports Cloud Signaling for targeted prefixes, this check box appears after you enable Cloud Signaling on APS.
    Select the check box to allow APS to request cloud-based mitigation for any IPv4 prefixes on which traffic exceeds one of the specified thresholds.
    To enable this setting, you must enable Top Sources and Destinations.
    Note
    Even if all of your protection groups are set to Inactive, APS still sends a cloud mitigation request when inbound traffic exceeds a Cloud Signaling threshold.

Targeted Destination Threshold boxes
    If your cloud service provider supports Cloud Signaling for targeted prefixes, these boxes appear after you enable Cloud Signaling on APS.
    Type a value for one or both of the thresholds, and select a unit of measure. You can specify a bit rate from 1 bps to 1 Tbps, and a packet rate from 1 pps to 1 Tpps. The default rates are 1 Gbps and 1 Gpps.
    When you configure these thresholds, you need to allow for small variances in traffic bps calculations between APS and the Cloud Signaling server.
    If traffic triggers a global Cloud Signaling request, the traffic on any IPv4 prefix that exceeds one of these rates triggers a targeted Cloud Signaling request. In this situation, APS replaces all of the prefixes in the global cloud mitigation with the targeted prefixes.

Top Sources and Destinations buttons
    Click one of these buttons to enable or disable the tracking of the top sources and top destinations for inbound traffic. When you enable this setting, the Top Inbound Sources section and the Top Inbound Destinations section appear on the Summary page.
    When enabled, this tracking may have an impact on the performance of APS.
    To select Enable Targeted Destination Cloud Signaling above, you must enable this setting. If Enable Targeted Cloud Signaling is selected, you cannot disable this setting.

Use Proxy Server check box
    Select this check box to connect to the Cloud Signaling servers through a proxy server.

Proxy Server boxes
    Enter the IP address or the hostname of the proxy server. Type the port number in the box to the right of the Proxy Server box.
Proxy Username box
    If necessary, enter the user name that is required to access the proxy server.

Proxy Password box
    If necessary, type the password that is required to access the proxy server, and then retype the password in the Verify box to confirm it.
    To delete an existing password and leave the password empty, click the (Clear Password) icon.

Proxy Authentication Method options
    If necessary, select the authentication method that the proxy server uses. The authentication methods are as follows:

    - Automatic
    - Basic
    - Digest
    - NTLM

    Automatic is the default setting. When you select Automatic, APS automatically identifies the authentication method that the proxy server uses. If APS cannot identify the correct authentication method, select an authentication method from the list.

About sharing the inbound blacklists and inbound whitelist

When Share the Inbound Blacklists and Inbound Whitelist is selected, which is the default, APS sends the lists when it connects to the Cloud Signaling server. If any of the following circumstances occur, APS resends the blacklists and whitelist to the Cloud Signaling server:

- APS connects to a new Cloud Signaling server.
- You make changes to the Cloud Signaling configuration.
- You make changes to the inbound blacklists or the inbound whitelist.

APS also automatically resends the lists every 12 hours. Any time APS sends the blacklists and whitelist, the Cloud Signaling server updates the lists.

About Rate-Based Cloud Mitigation

When APS detects an attack that is too large to mitigate at the data center’s premises, it can request mitigation from an upstream cloud service provider.
The advantage of rate-based Cloud Signaling is that no user intervention is required beyond the initial configuration.

Note
An exception is if you are using the Arbor Cloud DDoS Protection service, in which case additional steps are required to start the mitigation. See “About the Arbor Cloud DDoS Protection Service” on page 402.

APS only supports Cloud Signaling for IPv4 traffic.

If an attack is too large to mitigate at the data center but does not trigger Cloud Signaling, you can send a Cloud Signaling request manually. See “About Manually Pushing an Attack Mitigation to the Cloud” on page 387.

Monitoring the mitigation status

When you configure rate-based cloud mitigation, you do not actively participate in the mitigation process. However, you can monitor the status of the mitigation at any stage of the process on the Cloud Signaling widget. See “About the Cloud Signaling Widget” on page 397.

Types of rate-based cloud mitigations

You can configure the following types of rate-based cloud mitigations:

- global — Mitigation for all of the IPv4 prefixes
- targeted — Mitigation for specific IPv4 prefixes

Note
Even if all of your protection groups are set to Inactive, APS still sends a cloud mitigation request when inbound traffic exceeds a Cloud Signaling threshold.

Workflow Assumptions

The workflow examples are based on the following assumptions:

- Cloud Signaling is configured and enabled.
- The global Cloud Signaling thresholds are 5 Mbps and 5 Mpps, and the threshold interval is five minutes.
- A notification is configured to email a specific user when the traffic exceeds a threshold. See “Configuring Notifications” on page 131.
- The capacity of the data center communications channel is 10 Mbps.
- The data center prefix is 1.2.3.0/24.

To configure the Cloud Signaling thresholds, see “Configuring and Enabling Cloud Signaling” on page 378.
Workflow for rate-based global cloud mitigation

The following example for rate-based global cloud mitigation is based on the workflow assumptions. In this example, the targeted destination thresholds are not enabled.

Rate-based global cloud mitigation workflow

1. Within a five-minute period, APS detects a large SYN flood attack at 10 Mbps, which is the data center’s capacity.
2. Because 10 Mbps exceeds the configured threshold of 5 Mbps over a five-minute interval, APS takes the following actions:
   - Sends a global Cloud Signaling request to the Cloud Signaling server
   - Sends a notification email to the specified user
   - Creates a change log entry
3. The user views the Cloud Signaling widget on the Summary page to verify that the global Cloud Signaling request was sent. The message should say “Threshold Cloud Signaling Requested”. See “Viewing Global and Group Cloud Signaling Activity” on page 396.
4. The Cloud Signaling server starts the mitigation for prefix 1.2.3.0/24. This action creates a change log entry. Although only 10 Mbps of the attack reaches the data center, the entire 20 Mbps attack is routed to the Cloud Signaling server.
5. The user views the Cloud Signaling widget to verify that the Cloud Signaling server is mitigating the attack. The message should say “Threshold Cloud Signaling Activated”.
6. The Cloud Signaling server mitigates 20 Mbps of the SYN flood attack on 1.2.3.0/24, and then reports to APS that the attack traffic is being mitigated.
7. APS receives 0 bps of attack traffic. However, APS continues to send mitigation requests because the 20 Mbps that is routed to the cloud is still greater than the 5 Mbps threshold.
8. The user views the Cloud Signaling widget to verify that the Cloud Signaling server is still mitigating the traffic. The message on the Cloud Signaling widget should say “Threshold Cloud Signaling Activated”.
9. When the attack traffic rate falls under the 5 Mbps and 5 Mpps thresholds, the mitigation requests stop. APS creates a change log entry that says “Global Cloud Signaling canceled automatically”.

Workflow for rate-based targeted cloud mitigation

Note
Your cloud service provider must support Cloud Signaling for targeted prefixes to specify the targeted Cloud Signaling threshold.

The following example of rate-based targeted cloud mitigation is based on the workflow assumptions. In this example, the targeted destination thresholds are enabled and set to 1 Mbps and 1 Mpps.

Rate-based targeted cloud mitigation workflow

1. Within a five-minute period, APS detects a large SYN flood attack at 10 Mbps, which is the data center’s capacity.
2. Five IPv4 prefixes are receiving 2 Mbps of traffic, which exceeds the 1 Mbps targeted destination threshold. However, APS takes no action on these prefixes because a global Cloud Signaling threshold has not been exceeded. After a global threshold is exceeded, APS takes the following actions:
   - Sends a targeted Cloud Signaling request to the Cloud Signaling server for prefixes 1.2.3.10/32, 1.2.3.20/32, 1.2.3.30/32, 1.2.3.40/32, and 1.2.3.50/32
   - Adds the five prefixes to the list on the Active Cloud Signaling Requests page
   - Sends a notification email to the specified user
   - Creates a change log entry
3. The user views the Active Cloud Signaling Requests page to verify that the Cloud Signaling request was sent. In the Duration column for the prefixes that were added, it should say “Not Yet Mitigated”.
4. The Cloud Signaling server starts the mitigation for the prefixes and APS creates a change log entry.
5. The user views the Active Cloud Signaling Requests page to verify that the Cloud Signaling server is mitigating the attack.
   In the Duration column, it should show the amount of time that the Cloud Signaling server has been mitigating the prefix. See “Viewing Targeted Cloud Signaling Activity” on page 394.
6. APS receives 0 bps of attack traffic. However, APS continues to send mitigation requests because the 2 Mbps that is routed to the cloud is still greater than the 1 Mbps threshold.
7. The user views the Duration column on the Active Cloud Signaling Requests page to verify that the Cloud Signaling server is still mitigating the traffic for the prefixes.
8. After the attack traffic rate falls below the 1 Mbps and 1 Mpps thresholds, the mitigation stops. At this time, APS removes the five prefixes from the list on the Active Cloud Signaling Requests page and creates a change log entry.

About Manually Pushing an Attack Mitigation to the Cloud

Certain high bandwidth, volumetric attacks are too large for APS to mitigate at the data center’s premises and must be mitigated by an upstream cloud service provider. You can manually request a mitigation when these types of attacks occur.

A cloud service provider may decide not to mitigate an attack. Therefore, mitigation does not necessarily occur every time it is requested.

APS also can start a request for global Cloud Signaling automatically. See “About Rate-Based Cloud Mitigation” on page 384.

Conditions for activating the cloud mitigation process manually

You might need to activate the cloud mitigation process manually under the following conditions:

- Automatic thresholds for Cloud Signaling are disabled or no thresholds are configured. See “About Rate-Based Cloud Mitigation” on page 384.
- APS is deployed inline but is in inactive mode.
- APS is deployed in monitor mode for detection only.
- The attack is too large to mitigate at the data center’s premises, but the traffic does not exceed the configured threshold for activating Cloud Signaling.
- Your organization’s policy requires that you always request cloud mitigation when APS does not mitigate an attack, regardless of the type of attack.
- APS cannot mitigate the attack for reasons beyond its control. For example, if an attack overloads routers that are deployed upstream of APS, then APS cannot detect or mitigate that attack.

Note: If you are using the Arbor Cloud DDoS Protection service, additional steps are required to start the mitigation. See “About the Arbor Cloud DDoS Protection Service” on page 402.

Types of manual mitigations

You can push the following types of mitigations to the cloud manually:
- global — Mitigation for all of the IPv4 prefixes. See “Manually Requesting and Stopping a Global Cloud Mitigation” on page 390.
- targeted — Mitigation for specific IPv4 prefixes. See “Manually Requesting and Stopping a Targeted Cloud Mitigation” on page 391.
- group — Mitigation for specific IPv4 protection groups. See “Manually Requesting and Stopping a Group Cloud Mitigation” on page 393.

Workflow assumptions

The following workflow examples are based on these assumptions:
- Cloud Signaling is configured.
  Note: Your cloud service provider must support Cloud Signaling for targeted prefixes to manually request targeted Cloud Signaling.
- The global Cloud Signaling thresholds are 5 Mbps and 5 Mpps, and the threshold interval is 5 minutes.
- The capacity of the data center’s communications channel is 10 Mbps.
- The data center’s prefix is 1.2.3.0/24.
- A SYN flood of 1 Mbps is directed at the data center.
- 2 Mbps of good traffic is directed at the data center.
Manual global cloud mitigation workflow

The following example of a global cloud mitigation that is started manually is based on the workflow assumptions.

Workflow for manual global cloud mitigation

Step 1: During routine system monitoring, the user identifies the 1 Mbps attack. Because the attack does not exceed the global Cloud Signaling threshold, APS does not request mitigation from the cloud. The user decides to mitigate the attack.

Step 2: On the Cloud Signaling Settings page, the user clicks the Activate Global button on the Cloud Signaling widget. This action creates a change log entry.

Step 3: The user views the Cloud Signaling widget to verify that the Cloud Signaling request was sent. The message should say “Manual Cloud Signaling Requested”. See “Viewing Global and Group Cloud Signaling Activity” on page 396.

Step 4: The Cloud Signaling server starts the mitigation for prefix 1.2.3.0/24. This action creates a change log entry.

Step 5: The user views the Cloud Signaling widget to verify that the Cloud Signaling server started the mitigation. The status should say “Manual Cloud Signaling Activated”. A mini graph also appears on the widget, which shows the mitigated rates in bps and pps.

Step 6: The Cloud Signaling server performs the following tasks:
- Mitigates 1 Mbps of the SYN flood attack
- Reports that mitigation is in progress on 1 Mbps of attack traffic on 1.2.3.0/24

Step 7: APS receives 0 bps of attack traffic but continues to send mitigation requests. This information appears on the Cloud Signaling widget.

Step 8: When the attack traffic stops, the user deactivates the global Cloud Signaling request on the Cloud Signaling widget. This action creates a change log entry.

Manual targeted cloud mitigation workflow

The following example of a targeted cloud mitigation that is started manually is based on the workflow assumptions.
Workflow for manual targeted cloud mitigation

Step 1: During routine system monitoring, the user identifies a 1 Mbps attack that targets one or more prefixes. Because the attack does not exceed a global Cloud Signaling threshold or a targeted destination threshold, APS does not request cloud mitigation. The user decides to mitigate the attack.

Step 2: The user adds the prefixes 1.2.3.4/32 and 1.2.3.5/32 to the Active Cloud Signaling Requests page. This action adds a change log entry.

Step 3: On the Active Cloud Signaling Requests page, APS displays a status message that indicates the success or failure of adding the prefixes. Also, when the Cloud Signaling request is first sent, the Duration column on this page should say “Not Yet Mitigating”.

Step 4: After cloud mitigation starts, the user views the Active Cloud Signaling Requests page to verify that the Cloud Signaling server is mitigating the attack. In the Duration column, it should show the amount of time that the prefix has been included in the targeted mitigation.

Step 5: The Cloud Signaling server performs the following tasks:
- Mitigates 1 Mbps of the SYN flood attack
- Reports that mitigation is in progress on 1 Mbps of attack traffic on 1.2.3.4/32 and 1.2.3.5/32

Step 6: APS receives 0 bps of attack traffic but continues to send mitigation requests. The user views the Duration column, which should show that the time continues to increment.

Step 7: When the attack traffic stops, the user removes the prefixes from the Active Cloud Signaling Requests page to stop the mitigation. This action creates a change log entry.

Manually Requesting and Stopping a Global Cloud Mitigation

You can request or stop cloud mitigation manually for all of the IPv4 destination prefixes on your network. You request (activate) and stop (deactivate) global mitigation requests on the Cloud Signaling widget.
A cloud service provider may decide not to mitigate an attack. Therefore, mitigation does not necessarily occur every time it is requested.

Note: You also can manually request cloud mitigation for specific IPv4 prefixes or for specific IPv4 protection groups. See “About Manually Pushing an Attack Mitigation to the Cloud” on page 387.

Requesting a global cloud mitigation

You might request global cloud mitigation when a high-bandwidth, volumetric attack is too large to mitigate on your premises but does not trigger a global Cloud Signaling request.

To request a cloud mitigation for all of the IPv4 prefixes on your network:
1. Complete one of the following steps:
   - Select Summary to display the Summary page.
   - Select Administration > Cloud Signaling to display the Configure Cloud Signaling Settings page.
2. In the Cloud Signaling widget, click Activate. See “About the Cloud Signaling Widget” on page 397.

Stopping a global cloud mitigation

You might stop a global cloud mitigation request in the following situations:
- The mitigation is in progress but the requests continue because the traffic that is routed to the cloud for mitigation still exceeds the threshold. Stopping the subsequent requests does not stop the mitigation.
- A mitigation that you requested manually has finished. When a cloud mitigation is requested manually, you must stop it manually. When APS requests a cloud mitigation, the mitigation stops automatically, unless you stop it manually first.
- An Arbor Cloud mitigation has finished. When you use the Arbor Cloud DDoS Protection service, you must stop the mitigation manually, whether the Cloud Signaling was triggered manually or by APS.

To stop a global cloud mitigation:
1. Complete one of the following steps:
   - Select Summary to display the Summary page.
   - Select Administration > Cloud Signaling to display the Configure Cloud Signaling Settings page.
2. In the Cloud Signaling widget, click Deactivate. See “About the Cloud Signaling Widget” on page 397.
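The rate-based targeted workflow and the manual request rules above, replayed as an added example that is not Arbor's code: the sample rates are constructed from the workflow assumptions, and the order in which APS evaluates the threshold checks internally is an assumption.

```python
"""Model of the Cloud Signaling request logic this chapter describes. Added
illustration, not Arbor's code: it replays the rate-based targeted workflow and
the rule that a manual request ends only on Deactivate. Rate samples are
constructed from the workflow figures; the check order inside APS is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MBPS = 1_000_000  # rates are handled in bps and pps; samples are (bps, pps) tuples


@dataclass
class Thresholds:
    bps: float
    pps: float

    def exceeded_by(self, bps: float, pps: float) -> bool:
        return bps > self.bps or pps > self.pps   # "one or both" rates exceeded

    def cleared_by(self, bps: float, pps: float) -> bool:
        return bps < self.bps and pps < self.pps  # under both: requests stop


@dataclass
class Request:
    kind: str     # "global" or "targeted"
    trigger: str  # "manual" or "threshold"
    prefixes: List[str] = field(default_factory=list)


@dataclass
class CloudSignaling:
    global_thr: Thresholds
    targeted_thr: Optional[Thresholds] = None  # None: targeted threshold disabled
    active: Optional[Request] = None
    change_log: List[str] = field(default_factory=list)

    def activate_global(self) -> None:  # Activate button on the Cloud Signaling widget
        self.active = Request("global", "manual")
        self.change_log.append("Manual Cloud Signaling Requested")

    def deactivate(self) -> None:  # Deactivate button: the only thing that ends a manual request
        if self.active is not None:
            self.change_log.append(f"{self.active.kind} request deactivated manually")
            self.active = None

    def observe(self, total: Tuple[float, float],
                per_prefix: Dict[str, Tuple[float, float]]) -> Optional[Request]:
        """One threshold-interval sample. Rates include traffic already routed to the
        cloud, so requests continue while the cloud still reports 2 Mbps (step 6)."""
        bps, pps = total
        if self.active is not None and self.active.trigger == "manual":
            return self.active  # APS never cancels a manual request on its own
        # Prefixes over the targeted destination threshold, if that option is on.
        hot = sorted(p for p, (b, q) in per_prefix.items()
                     if self.targeted_thr is not None and self.targeted_thr.exceeded_by(b, q))
        if self.active is None:
            if not self.global_thr.exceeded_by(bps, pps):
                return None  # nothing is requested until a global threshold is exceeded
            # Assumption: prefixes over the targeted threshold make the request a
            # targeted one rather than a global one.
            if hot:
                self.active = Request("targeted", "threshold", hot)
                self.change_log.append("Targeted Cloud Signaling Requested: " + ", ".join(hot))
            else:
                self.active = Request("global", "threshold")
                self.change_log.append("Threshold Cloud Signaling Requested")
            return self.active
        if self.active.kind == "global":
            if self.global_thr.cleared_by(bps, pps):
                self.change_log.append("Global Cloud Signaling canceled automatically")
                self.active = None
            return self.active
        # Threshold-triggered targeted request: add prefixes now over the targeted
        # threshold, drop those under it, cancel when none remain or the traffic
        # falls below the global threshold.
        self.active.prefixes += [p for p in hot if p not in self.active.prefixes]
        self.active.prefixes = [p for p in self.active.prefixes
                                if not self.targeted_thr.cleared_by(*per_prefix.get(p, (0.0, 0.0)))]
        if not self.active.prefixes or self.global_thr.cleared_by(bps, pps):
            self.change_log.append("Targeted Cloud Signaling canceled automatically")
            self.active = None
        return self.active


def replay_targeted_workflow() -> List[str]:
    """Rate-based targeted workflow with the chapter's figures: 5 Mbps/5 Mpps global,
    1 Mbps/1 Mpps targeted, five /32 prefixes at 2 Mbps each. Returns the change log."""
    cs = CloudSignaling(Thresholds(5 * MBPS, 5_000_000), Thresholds(MBPS, 1_000_000))
    five = {f"1.2.3.{n}/32": (2 * MBPS, 0.0) for n in (10, 20, 30, 40, 50)}
    cs.observe((2 * MBPS, 0.0), {"1.2.3.10/32": five["1.2.3.10/32"]})  # global not exceeded
    cs.observe((10 * MBPS, 0.0), five)  # SYN flood at capacity: targeted request, five prefixes
    cs.observe((10 * MBPS, 0.0), five)  # APS sees 0 bps itself; cloud still reports 2 Mbps each
    cs.observe((0.0, 0.0), {})          # attack over: request canceled automatically
    return cs.change_log


def replay_manual_global() -> Tuple[bool, bool]:
    """Manual global request for the 1 Mbps flood: a quiet sample does not end it."""
    cs = CloudSignaling(Thresholds(5 * MBPS, 5_000_000))
    cs.activate_global()
    still_active = cs.observe((0.0, 0.0), {}) is not None
    cs.deactivate()
    return still_active, cs.active is None
```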
Manually Requesting and Stopping a Targeted Cloud Mitigation

If your cloud service provider supports Cloud Signaling for targeted prefixes, you can request or stop cloud mitigation for specific IPv4 prefixes. To configure a request for targeted Cloud Signaling manually, you add prefixes to the Active Cloud Signaling Requests page. This page displays all of the prefixes that are included in a request for targeted Cloud Signaling. See “Viewing Targeted Cloud Signaling Activity” on page 394.

A cloud service provider may decide not to mitigate an attack. Therefore, mitigation does not necessarily occur every time it is requested.

Note: You also can manually request cloud mitigation for all IPv4 prefixes or for specific IPv4 protection groups. See “About Manually Pushing an Attack Mitigation to the Cloud” on page 387.

About adding prefixes to a targeted Cloud Signaling request

Note: To add prefixes to a request for targeted Cloud Signaling, you must enable Cloud Signaling on APS. See “Configuring and Enabling Cloud Signaling” on page 378.

When you add a prefix on the Active Cloud Signaling Requests page, one of the following situations occurs:
- If a targeted mitigation is not in process and a targeted Cloud Signaling request is not active, APS sends a targeted Cloud Signaling request.
- If there is an active request for targeted Cloud Signaling, APS adds the prefixes to the active request. The prefixes are added whether the request for targeted Cloud Signaling was started automatically or manually.
- If there is an active global cloud mitigation, you must deactivate the global mitigation before APS can request targeted Cloud Signaling.

Important: To quickly implement a targeted mitigation manually, Arbor recommends that you add prefixes to the Active Cloud Signaling Requests page before you deactivate the global cloud mitigation.
If you configure the targeted prefixes first, APS replaces the prefixes in the global Cloud Signaling request with the targeted prefixes instead of stopping the cloud mitigation request.

Adding prefixes for a manual targeted Cloud Signaling request

To add IPv4 prefixes for a manual targeted Cloud Signaling request:
1. Select Protect > Active Cloud Signaling.
2. On the Active Cloud Signaling Requests page, in the Add box, enter one or more of the following items, separated by commas:
   - a prefix, such as 192.0.2.2
   - a prefix in CIDR form, such as 192.0.2.0/24
   - a valid host name, such as myserver.mycompany.net
   APS only mitigates the IPv4 addresses that a host name resolves to. It does not mitigate any IPv6 addresses.
   Important: If APS sends a Cloud Signaling request that includes a prefix that is broader than /16, then the Cloud Signaling server ignores the prefix when it starts a mitigation.
3. Click Add.
4. Repeat step 2 and step 3 to add more prefixes.
5. If a global cloud mitigation is active, click Deactivate on the Cloud Signaling widget. You can find the Cloud Signaling widget on the Summary page and the Cloud Signaling Settings page (Administration > Cloud Signaling). After you deactivate the global cloud mitigation, APS replaces the prefixes in the global Cloud Signaling request with the targeted prefixes.

Removing prefixes from a targeted Cloud Signaling request

You can remove any of the prefixes that were added to the Cloud Signaling request manually. However, you cannot remove prefixes that APS automatically adds to a request.

To remove a prefix from a targeted Cloud Signaling request:
1. Select Protect > Active Cloud Signaling.
2. On the Active Cloud Signaling Requests page, click the remove icon to the far right of a prefix. The prefixes that APS adds to a Cloud Signaling request do not have a remove icon.
These prefixes remain in a Cloud Signaling request until the automatic mitigation ends.

Stopping a targeted cloud mitigation manually

To stop a targeted cloud mitigation manually, you remove all of the prefixes that were added to the Active Cloud Signaling Requests page manually. However, this does not stop the mitigation if it contains any prefixes that APS added. In this case, the targeted cloud mitigation stops only in one of the following situations:
- You disable the Enable Targeted Destination Threshold option on the Cloud Signaling Settings page. See “Configuring and Enabling Cloud Signaling” on page 378.
- The traffic falls below the global Cloud Signaling threshold.
- A request for global Cloud Signaling has been sent manually. In this case, “Not Yet Mitigating” appears in the Duration column for the prefixes on the Active Cloud Signaling Requests page.

Manually Requesting and Stopping a Group Cloud Mitigation

If your cloud service provider supports group mitigation, you can request cloud mitigation for any IPv4 protection group. You might request group Cloud Signaling when the prefixes in a protection group receive attack traffic that does not exceed a Cloud Signaling threshold.

A cloud service provider may decide not to mitigate an attack. Therefore, mitigation does not necessarily occur every time it is requested.

Note: You also can manually request cloud mitigation for all IPv4 prefixes or for specific IPv4 prefixes. See “About Manually Pushing an Attack Mitigation to the Cloud” on page 387.

Requesting cloud mitigation for an IPv4 protection group

For protection groups, you request (activate) and stop (deactivate) Cloud Signaling on the Group Cloud Signaling widget.

To request cloud mitigation for an IPv4 protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2.
On the List Protection Groups page, click the name of an IPv4 protection group.
3. On the View Protection Group page, in the Group Cloud Signaling widget, click Activate. See “About the Cloud Signaling Widget” on page 397.

If a group cloud mitigation is already in progress, you can request cloud mitigation for other IPv4 protection groups.

Important: If APS sends a Cloud Signaling request that includes a prefix that is broader than /16, then the Cloud Signaling server ignores the prefix when it starts a mitigation.

Stopping a cloud mitigation for an IPv4 protection group

To stop a cloud mitigation for an IPv4 protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name of an IPv4 protection group.
3. On the View Protection Group page, in the Group Cloud Signaling widget, click Deactivate. See “About the Cloud Signaling Widget” on page 397.

Viewing Targeted Cloud Signaling Activity

The Active Cloud Signaling Requests page displays a list of all of the prefixes that are included in a targeted Cloud Signaling request or will be included in a request. Targeted Cloud Signaling mitigates the attack traffic on specific IPv4 prefixes.

An empty table on the Active Cloud Signaling Requests page indicates that there are no active targeted Cloud Signaling requests. However, an active cloud mitigation may be in process at the global level or at the group level. For more information, see “Viewing Global and Group Cloud Signaling Activity” on page 396.

Navigating to the Active Cloud Signaling Requests page

To navigate to the Active Cloud Signaling Requests page:
- Select Protect > Active Cloud Signaling.

Prefixes in a targeted Cloud Signaling request

A targeted Cloud Signaling request can include IPv4 prefixes that you add on the Active Cloud Signaling Requests page.
You also can remove these prefixes from a request. See “Manually Requesting and Stopping a Targeted Cloud Mitigation” on page 391.

If you configure destination traffic thresholds, a targeted Cloud Signaling request also can include IPv4 prefixes that APS adds. APS adds a targeted prefix to a request if its traffic exceeds a user-configured threshold. For information about how to configure traffic thresholds, see “Configuring and Enabling Cloud Signaling” on page 378.

About the Active Cloud Signaling Requests page

The Active Cloud Signaling Requests page contains the following information.

Information on the Active Cloud Signaling Requests page

Add box: Allows you to enter one or more IPv4 destination prefixes that APS adds to a targeted Cloud Signaling request. Use commas to separate multiple entries. You can enter one or more prefixes in the following forms:
- an IP address, such as 192.0.2.2
- a CIDR, such as 192.0.2.0/24
- a host name, such as myserver.mycompany.net
APS only mitigates the IPv4 addresses that a host name resolves to. It does not mitigate any IPv6 addresses. See “Manually Requesting and Stopping a Targeted Cloud Mitigation” on page 391.

Filter box: Allows you to filter the list by the items in the Destination column or the Protection Group column.

Destination column: Lists the prefixes that are included in the targeted Cloud Signaling request.

Context menu: Appears to the right of a prefix in the Destination column. You can use the options on the context menu to perform the following actions:
- Blocked Hosts — View the Blocked Hosts Log page. This page lists any source hosts that are blocked now or that were blocked in the past. See “Viewing the Blocked Hosts Log” on page 408.
- Packet Capture — View the Packet Capture page.
The prefix appears in the Destination Host list in the Filter section. You can start a packet capture that uses these filter criteria or you can specify additional filter criteria. See “Capturing Packet Information” on page 418.

Protection Group column: Lists the name of the protection group that contains the prefix.

Duration column: Specifies the amount of time that the prefix has been included in a targeted destination cloud mitigation. If mitigation has not started for the prefix, the message “Not Yet Mitigating” appears here.

Threshold column: Indicates the threshold rates (bps and pps), one or both of which were exceeded by incoming traffic to the prefix.
Note: This column only applies to prefixes that APS adds to the Active Cloud Signaling Requests page. If you add a prefix, Manual appears in this column.

Trigger Rate column: Indicates the incoming traffic rate (bps and pps) at which the targeted Cloud Signaling request was triggered for the prefix.
Note: This column only applies to prefixes that APS adds to the Active Cloud Signaling Requests page. If you add a prefix, Manual appears in this column.

Remove column: Click the remove icon to remove a prefix from the targeted Cloud Signaling request. The prefixes that APS adds to a Cloud Signaling request do not have a remove icon. These prefixes remain in a Cloud Signaling request until the automatic mitigation ends.

Viewing Global and Group Cloud Signaling Activity

You can monitor the status and progress of global Cloud Signaling and group Cloud Signaling by viewing the Cloud Signaling widget. This widget is available on several pages in the UI.
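The Add box rules for the Active Cloud Signaling Requests page described above (address, CIDR or host name entries separated by commas, IPv4 only, prefixes broader than /16 ignored by the server), turned into a pre-check that an operator can run before pasting entries; this is an added example, not part of APS, and its DNS answers and sample input are constructed so that it runs offline.

```python
"""Pre-check for what is typed into the Add box on the Active Cloud Signaling
Requests page. Added example, not Arbor's code: it applies the rules this
chapter states (comma-separated IPv4 address, CIDR or host name entries; only
the IPv4 addresses a host name resolves to are mitigated; the server ignores a
prefix broader than /16). Name resolution is injected so it runs offline."""
import ipaddress
from typing import Callable, Dict, List, Tuple

BROADEST_MITIGATED = 16  # the Cloud Signaling server ignores prefixes broader than /16
Resolver = Callable[[str], List[str]]


def check_add_box(text: str, resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Returns (prefixes the request will carry, warnings for the operator)."""
    carried: List[str] = []
    warnings: List[str] = []
    for entry in (e.strip() for e in text.split(",") if e.strip()):
        try:
            net = ipaddress.ip_network(entry, strict=False)  # 192.0.2.2 -> 192.0.2.2/32
        except ValueError:
            # Not an address or CIDR: treat it as a host name, keep IPv4 answers only.
            answers = [ipaddress.ip_address(a) for a in resolve(entry)]
            v4 = [a for a in answers if a.version == 4]
            if not answers:
                warnings.append(f"{entry}: does not resolve; nothing will be mitigated")
            elif not v4:
                warnings.append(f"{entry}: resolves only to IPv6; APS will not mitigate it")
            carried += [f"{a}/32" for a in v4]
            continue
        if net.version != 4:
            warnings.append(f"{entry}: Cloud Signaling does not support IPv6")
            continue
        if net.prefixlen < BROADEST_MITIGATED:
            # APS still sends it, but the server drops it when it starts the mitigation.
            warnings.append(f"{entry}: broader than /16, the Cloud Signaling server will ignore it")
        carried.append(net.with_prefixlen)
    return carried, warnings


# Constructed resolver standing in for DNS (socket.getaddrinfo in a live check).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "myserver.mycompany.net": ["192.0.2.7", "2001:db8::7"],
    "v6only.example.net": ["2001:db8::9"],
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


# Constructed Add box input: every entry form plus the cases that deserve a warning.
SAMPLE_ADD_BOX = ("192.0.2.2, 192.0.2.0/24, 10.0.0.0/8, myserver.mycompany.net, "
                  "v6only.example.net, 2001:db8::1")
```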
About global Cloud Signaling activity

You might check the global Cloud Signaling widget for the following reasons:
- to verify that Cloud Signaling is enabled and working, which applies to all types of mitigation requests, not just global requests
- to verify that a Cloud Signaling server received a global mitigation request
- to verify that a global cloud mitigation is in progress
- to determine if a global cloud mitigation is finished

Note: To view targeted Cloud Signaling activity, see “Viewing Targeted Cloud Signaling Activity” on page 394.

About group Cloud Signaling activity

If your cloud service provider supports group mitigation, a protection group version of this widget appears on the View Protection Group page for IPv4 protection groups. This Group Cloud Signaling widget contains information for the specific protection group.

Another indicator of group Cloud Signaling activity is the group Cloud Signaling icon. On the List Protection Groups page, this icon appears for any IPv4 protection group that is undergoing group cloud mitigation. This icon also appears on the Summary page, in the Top Protection Groups section, for any top protection group that is undergoing group cloud mitigation.

Viewing the global Cloud Signaling activity

You can view the Cloud Signaling widget for global Cloud Signaling in one of the following ways:
- Select Summary to display the Summary page.
- Select Administration > Cloud Signaling to display the Configure Cloud Signaling Settings page.

If your organization deployed multiple APS installations that all use the same Cloud Signaling servers, the Cloud Signaling widget displays traffic information for all of those installations combined.

Viewing the group Cloud Signaling activity

To view the Group Cloud Signaling widget for a specific IPv4 protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name of an IPv4 protection group.
The Group Cloud Signaling widget is shown on the View Protection Group page.

About the Cloud Signaling Widget

The Cloud Signaling widget lets you monitor the status of the Cloud Signaling connection, communications, and mitigations on APS. When you enable Cloud Signaling, this widget appears on the Summary page and the Configure Cloud Signaling Settings page (Administration > Cloud Signaling).

Note: APS does not support Cloud Signaling for IPv6 traffic.

Tasks to perform with the Cloud Signaling widget

The Cloud Signaling widget also contains options that allow you to perform the following tasks:
- Request or stop global cloud mitigation.
- Request or stop mitigation for a specific IPv4 protection group.
- Open the Configure Cloud Signaling Settings page.
- Open your cloud service provider’s management portal, if a portal is configured.

The status in the Cloud Signaling widget updates automatically. See “Viewing Global and Group Cloud Signaling Activity” on the previous page.

The Cloud Signaling widget

An example of the Cloud Signaling widget is shown below:
[Figure: example of the Cloud Signaling widget; the numbered items are described in the table that follows]

If your cloud service provider supports group mitigation, a protection group version of this widget appears on the View Protection Group page for IPv4 protection groups. This Group Cloud Signaling widget contains information for the specific protection group.

The numbers in the following table correspond to those in the figure above:

Information in the Cloud Signaling widgets

1: Represents your network.
2: Represents the communication between your network and the Cloud Signaling servers.
3: Represents the Cloud Signaling servers.
4: Displays status information and error messages for cloud mitigations.
Note: If your organization deploys multiple APS installations that use the same Cloud Signaling servers, the Cloud Signaling widget displays the combined traffic information.

5: Displays an action button when it is appropriate. For example, if Cloud Signaling is not enabled, an Enable button appears here.

6: Displays the Tools menu, which contains the following options:
- Configure — Opens the Configure Cloud Signaling Settings page.
- Management Portal — Opens your cloud service provider’s management portal, such as the Arbor Cloud Customer Portal, where you can manage your account and view information about your mitigations. This option appears only if you specify a management portal URL on the Configure Cloud Signaling Settings page.
These options appear only after Cloud Signaling is configured. They do not appear on the Configure Cloud Signaling Settings page.

About the Cloud Signaling status

The status in the Cloud Signaling widget updates automatically. The Cloud Signaling widget indicates the following statuses and allows you to take the following actions:

Cloud Signaling status images

Status: The settings for connecting to the Cloud Signaling servers are not configured.
Available actions: Click Please Configure to go to the Configure Cloud Signaling Settings page.

Status: Cloud Signaling is configured but is not enabled.
Available actions: Click Enable to enable Cloud Signaling. See “Configuring and Enabling Cloud Signaling” on page 378.

Status: Cloud Signaling is in a normal state, which means that APS is exchanging heartbeats with a Cloud Signaling server. Below the image, the following information appears:
- Connection information
- Activate button
Available actions: When necessary, click Activate to start a global mitigation or a group mitigation manually. See “Manually Requesting and Stopping a Global Cloud Mitigation” on page 390 and “Manually Requesting and Stopping a Group Cloud Mitigation” on page 393.
Note: The Activate button does not start targeted Cloud Signaling. See “Manually Requesting and Stopping a Targeted Cloud Mitigation” on page 391.

Status: A Cloud Signaling request is in progress but the mitigation has not started. Below the image, the following information appears:
- Connection information
- “Manual Cloud Signaling Requested”, “Threshold Cloud Signaling Requested” (global Cloud Signaling only), or “Targeted Cloud Signaling Requested”
- Deactivate button
Available actions: To stop a global mitigation or a group mitigation request, click Deactivate. For information about threshold activation, see “About Rate-Based Cloud Mitigation” on page 384.

Status: Cloud mitigation is in progress. Below the image, the following information appears:
- Connection information
- “Manual Cloud Signaling Activated”, “Threshold Cloud Signaling Activated” (global Cloud Signaling only), “Targeted Cloud Signaling Activated”, or “Automatically Activated”
- Deactivate button (Threshold Activated for global Cloud Signaling and Manually Activated only)
The following information appears for all global or group cloud mitigations except those that are handled by the Arbor Cloud service:
- Minigraph of the traffic that is routed to the Cloud Signaling server
- The traffic rate as of the last heartbeat, in bps and pps
Available actions: You can hover your mouse pointer over the minigraph to view a larger version of the graph. To stop a global mitigation or a group mitigation request, click Deactivate. For descriptions of the activation methods, see “How Cloud Signaling is activated” on page 370.

Status: An error occurred. Below the image, a message describes the error.
Available actions: If possible, take appropriate action to resolve the error. You can configure notifications that send messages when a communication error occurs between your network and the Cloud Signaling server. See “Configuring Notifications” on page 131.

Image: (alert)
Status: When this icon is shown next to a Cloud Signaling server name, one of the following situations may have occurred:
- APS stopped receiving messages from the Cloud Signaling server.
- APS cannot connect to the Cloud Signaling server.
- There is a Cloud Signaling version mismatch (not all of the servers are using the same Cloud Signaling version).
Available actions: Verify that the following information is correct:
- the credentials for the Cloud Signaling server
- the external firewall rules allow communication with the Cloud Signaling server
If you are unable to determine what is causing the problem, contact your cloud service provider. See “How APS Communicates with the Cloud Signaling Servers” on page 375.

About the Arbor Cloud DDoS Protection Service

Arbor’s Cloud Signaling capabilities seamlessly integrate the on-premises protection of APS with the cloud-based DDoS protection that is delivered by the Arbor Cloud℠ DDoS Protection service. Arbor Cloud DDoS Protection is a cloud-based DDoS mitigation service that mitigates the high-bandwidth, volumetric attacks that are too large to mitigate at the data center’s premises. By rerouting the traffic away from your infrastructure, the Arbor Cloud DDoS Protection service can defuse the attack, thereby limiting downtime and maintaining availability. This mitigation service requires a separate license and is provided on demand, through the redirection of your traffic to the Arbor Cloud mitigation platform.
For more information, see “About Cloud Signaling for DDoS Protection” on page 368 and “Setting Up the Arbor Cloud DDoS Protection Service” on page 404.

Arbor Cloud redirection options

When you enroll in the Arbor Cloud DDoS Protection service, you choose one of the following methods for redirecting the attack traffic to the Arbor Cloud:
- Domain Name Server (DNS) redirection — You change your DNS records to redirect traffic for the affected hosts to the Arbor Cloud infrastructure.
- Border Gateway Protocol (BGP) routing — You withdraw the BGP announcements for the affected prefixes from your routers, and the Arbor Cloud service announces the BGP routes for those prefixes.

How the Arbor Cloud DDoS Protection service works

When APS identifies a volumetric attack that cannot be mitigated on-premises, you request a mitigation from the Arbor Cloud service in any of the following ways:
- If automatic Cloud Signaling is enabled, APS activates the Cloud Signaling and sends a mitigation request to the Arbor Cloud service.
- If automatic Cloud Signaling is not enabled or if the attack does not trigger an automatic mitigation request, activate the mitigation request manually in APS. See “Manually Requesting and Stopping a Global Cloud Mitigation” on page 390.
- If your organization does not use Cloud Signaling, request a mitigation directly. To do so, you can create a support ticket on the Arbor Cloud Customer Portal or call Arbor Cloud Support.

During the mitigation process, Arbor’s SOC staff works closely with you to coordinate your defenses. Your chosen redirection method (DNS or BGP) determines the specific Arbor Cloud mitigation procedure. For detailed instructions, see the Arbor Cloud documentation that has been provided to you.

Important: When the mitigation ends, if the mitigation was requested through Cloud Signaling, you must deactivate the mitigation requests manually in APS.
Accessing the Arbor Cloud Customer Portal

The Arbor Cloud service provides a web portal that allows you to manage your account, create and monitor support tickets, and view information about your Arbor Cloud mitigations.

You can access the Arbor Cloud Customer Portal in the following ways:
- Go to https://cloud.arbornetworks.com/.
- In APS, in the Cloud Signaling widget, click the Tools button, and then select Management Portal from the Tools menu. This option appears only if you specified a management portal URL on the Configure Cloud Signaling Settings page. The Cloud Signaling widget appears on the Summary page, and the Group Cloud Signaling widget appears on the View Protection Group page. See “About the Cloud Signaling Widget” on page 397.

Note: Cloud Signaling is available for IPv4 protection groups only.

For information about using the Arbor Cloud Customer Portal, see the Arbor Cloud documentation that has been provided to you.

Setting Up the Arbor Cloud DDoS Protection Service

When you enroll in the Arbor Cloud DDoS Protection service, you work with Arbor Cloud Support to set up your system for Arbor Cloud mitigation. The setup process includes the following activities:
- Collaborating with Arbor Cloud Support to complete the provisioning process.
- Configuring your environment to meet the Arbor Cloud service requirements.
- Configuring APS to work with the Arbor Cloud service.

For specific information about the Arbor Cloud setup process, see the Arbor Cloud documentation that has been provided to you. For information about the Arbor Cloud service, see “About the Arbor Cloud DDoS Protection Service” on page 402.

Configuring APS to work with the Arbor Cloud service

To configure APS for Arbor Cloud mitigation:
1.
Select Administration > Cloud Signaling and, on the Configure Cloud Signaling Settings page, configure the following settings: Setting Description These are Arbor Cloud Servers Select this check box to allow APS to communicate with the Arbor Cloud service. Use On-Demand DNS Redirection Select this check box if you chose the DNS-based protection service from Arbor Cloud service. See “Arbor Cloud redirection options” on page 402. Management Portal URL Type the URL of the Arbor Cloud Customer Portal so that you can access the portal from APS. The URL is https://cloud.arbornetworks.com/. See “Configuring and Enabling Cloud Signaling” on page 378. 2. (BGP redirection only) Select Administration > Interfaces and, on the Interfaces page, configure the GRE tunnels for routing the cleaned traffic back to your network. See “Configuring Interfaces and GRE Tunneling” on page 141. During the provisioning process, Arbor provides the information that you need for the GRE configuration, such as the remote IP addresses. 404 Proprietary and Confidential Information of Arbor Networks Inc. Chapter 18: Traffic Forensics APS provides reporting and packet capture features that enable you to gather forensic information about traffic and attacks. In this section This section contains the following topics: About the Blocked Hosts Log 406 Viewing the Blocked Hosts Log 408 Information on the Blocked Hosts Log Page 413 About Capturing Packets 417 Capturing Packet Information 418 Information on the Packet Capture Page 421 Configuring Regular Expressions from Captured Packets 425 APS User Guide, Version 6.0 405 APS User Guide, Version 6.0 About the Blocked Hosts Log The Blocked Hosts Log page (Explore > Blocked Hosts ) provides a record of all of the hosts that APS blocked, including the current temporarily blocked hosts. You can specify search criteria to limit the scope of the list and you can export the resulting list. 
For information about searching and viewing the Blocked Hosts Log page, see “Viewing the Blocked Hosts Log” on page 408.

The Blocked Hosts Log page allows you to navigate to other areas of the UI, where you can take action on specific blocked hosts. See “Taking action on a blocked host” on page 408.

Why a host appears in the blocked hosts log

A source host can appear in the blocked hosts log for any of the following reasons:

- It is on the inbound blacklist or the outbound blacklist, and all of its traffic is blocked.
- A protection category blocked its traffic and temporarily blocked the host.
- A protection category blocked some of its traffic but did not block the host. For example, the TCP Connection Limiting category blocks the traffic that exceeds a certain threshold, but it does not block the host. In such cases, the host appears in the blocked hosts log but not in the Temporarily Blocked Sources list.

The traffic that is blocked by the Traffic Shaping settings is an exception: its source does not appear in the blocked hosts log.

Because the outbound blacklist and certain protection categories can block outbound traffic, the blocked hosts log can contain hosts whose outbound traffic was blocked.

You can configure notifications that send messages when a host is blocked. See “About the blocked host notifications” on page 129.

How you can use the blocked hosts log

The following scenarios are examples of how you can use the blocked hosts log:

Forensic reporting
    After an attack on a specific server, you can search the blocked hosts log for that server’s destination IP address. The resulting list shows the hosts that were involved in the attack. You can export the list to a file and include it in a report on the attack.

Protection settings verification
    After you configure a new protection group or change protection settings, you can search the blocked hosts log for that group or attack category.
    Inspect the log to determine the level of traffic that the protection group or attack category blocks, and use that information to further refine the settings.

    If you have access to a host outside your network that you are authorized to use for test traffic and that is capable of generating attack traffic, you can perform a more controlled test. Set up the outside host so that it directs attack traffic to one or more of the servers in a specific protection group. Search the blocked hosts log for that protection group. If your test host is not listed as blocked, adjust the protection group’s settings until they block the test host.

Debugging
    When a customer reports that a legitimate host cannot access the server, you can search the blocked hosts log for that source host. After you determine why the host was blocked, you can edit your protection settings, whitelist that host, or relay the information to the customer for corrective action.

Threat investigation
    During or after an attack or other event, the traffic graphs and statistics might indicate that certain traffic is blocked by an ATLAS threat category. View the blocked hosts log to identify the specific threat and the IP address (external or internal) from which the threat originated. You can blacklist the IP address to block its traffic in the future. If the attack traffic originated from within your network, you can notify your security operations center of the possible threats that are in the network.

Viewing the Blocked Hosts Log

The Blocked Hosts Log page displays the hosts that are blocked now or that were blocked in the past. You can specify search criteria to limit the scope of the displayed list and you can export the resulting list.
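The forensic reporting, debugging and threat investigation scenarios above all end in a search of the log and, in the first case, an exported list. The following Python script is an added example, not code from the APS User Guide or the APS software: it searches and summarizes a blocked hosts export offline. The column names follow the Blocked Hosts Log page (Source, Protection Group, Destination, Attack Category, First Blocked, Duration, described under “Information on the Blocked Hosts Log Page” on page 413), but the exact CSV layout produced by CSV Export, the “first - last” Destination range format, the timestamp format, the protection group names and all sample rows are assumptions constructed for the example. The search helper accepts IPv4 or IPv6 addresses and CIDR blocks in compressed or expanded form, which is why 2001:DB8:0:0:0:0:0:0/32 and 2001:DB8::/32 select the same rows, as the page notes under “Searching for hosts on the Blocked Hosts Log page”.

```python
"""Search and summarize an exported blocked hosts list offline.

Added example; not part of the APS User Guide or the APS software. Column
names follow the Blocked Hosts Log page, but the CSV layout, the
"first - last" Destination format, the timestamps and all rows are assumed
sample data constructed for this example."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (assumed layout). Duration "Ongoing" means the
# host is still blocked; Destination is the range the source targeted.
SAMPLE_EXPORT = """\
Source,Protection Group,Destination,Attack Category,First Blocked,Duration
198.51.100.7,Web Servers,203.0.113.10 - 203.0.113.10,TCP Connection Limiting,2018-09-14 10:01:12,00:25:00
198.51.100.9,Web Servers,203.0.113.10 - 203.0.113.12,Payload Regular Expression,2018-09-14 10:03:40,Ongoing
2001:db8:1::55,DNS Servers,2001:db8:0:0:0:0:0:53 - 2001:db8::53,ATLAS Threat Categories,2018-09-14 10:05:02,00:02:10
192.0.2.44,Web Servers,203.0.113.10 - 203.0.113.10,Blacklisted Hosts,2018-09-14 09:58:00,Ongoing
"""


def parse_network(text):
    """A single address or a CIDR block, IPv4 or IPv6, compressed or expanded.
    2001:DB8:0:0:0:0:0:0/32 and 2001:DB8::/32 yield equal networks."""
    return ipaddress.ip_network(text.strip(), strict=False)


def parse_range(text):
    """Destination column: "first - last" (assumed format); a lone address is
    treated as a one-address range."""
    first, _, last = text.partition(" - ")
    return ipaddress.ip_address(first.strip()), ipaddress.ip_address((last or first).strip())


def range_overlaps(first, last, net):
    """True if any address in [first, last] falls inside net (same family only)."""
    if first.version != net.version:
        return False
    return first <= net.broadcast_address and last >= net.network_address


def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def search(rows, sources=(), destinations=(), categories=(), groups=()):
    """Mimic the Blocked Hosts Log search: a row matches if its source is in any
    listed source host/CIDR, its destination range overlaps any listed
    destination host/CIDR, and its category and group are among those selected."""
    src_nets = [parse_network(s) for s in sources]
    dst_nets = [parse_network(d) for d in destinations]
    hits = []
    for row in rows:
        src = ipaddress.ip_address(row["Source"])
        if src_nets and not any(src.version == n.version and src in n for n in src_nets):
            continue
        first, last = parse_range(row["Destination"])
        if dst_nets and not any(range_overlaps(first, last, n) for n in dst_nets):
            continue
        if categories and row["Attack Category"] not in categories:
            continue
        if groups and row["Protection Group"] not in groups:
            continue
        hits.append(row)
    return hits


def forensic_summary(rows):
    """Per targeted destination: attacking sources grouped by attack category."""
    summary = defaultdict(lambda: defaultdict(set))
    for row in rows:
        first, last = parse_range(row["Destination"])
        key = str(first) if first == last else f"{first} - {last}"
        summary[key][row["Attack Category"]].add(row["Source"])
    return {k: {c: sorted(v) for c, v in cats.items()} for k, cats in summary.items()}


def blacklist_candidates(rows):
    """Sources still blocked (Duration "Ongoing") that are not already on the
    blacklist, i.e. not blocked by the Blacklisted Hosts category."""
    return sorted(r["Source"] for r in rows
                  if r["Duration"] == "Ongoing" and r["Attack Category"] != "Blacklisted Hosts")


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    hits = search(rows, destinations=["203.0.113.10"])  # the attacked server
    for dst, cats in forensic_summary(hits).items():
        print(dst, cats)
    print("blacklist candidates:", blacklist_candidates(hits))
```

Before using this on a real export, compare the header row of the CSV file with the column names assumed in `SAMPLE_EXPORT` and adjust the keys in `search`, `forensic_summary` and `blacklist_candidates` accordingly; the Destination range notation in particular is a guess. Remember also that the exported list reflects the first few threats recorded per host, so the summary is a lower bound on what was blocked.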
For general information about the Blocked Hosts Log page and how you can use it, see “About the Blocked Hosts Log” on page 406. For details about the information on the Blocked Hosts Log page, see “Information on the Blocked Hosts Log Page” on page 413.

Viewing blocked hosts

Note: For performance reasons, the Blocked Hosts Log page can display a maximum of 100,000 blocked hosts. If a search returns more than the maximum number of blocked hosts, a message appears. To limit the list further, you can refine the search.

To view blocked hosts:

1. Select Explore > Blocked Hosts.
2. On the Blocked Hosts Log page, in the Search section, specify the search criteria. See “Blocked hosts search criteria” on page 410.
3. Click Search.
4. If you do not see the results you expect, adjust the search criteria and click Search again. For example, decrease the traffic threshold or change the display unit of measure.
5. To view additional information about a blocked host, click its Details button. The Blocked Host Detail window opens. See “About the Blocked Host Detail window” on page 416.

From the Blocked Hosts Log page, you can navigate to other areas of the UI, where you can take action on a specific blocked host. See “Taking action on a blocked host” below.

Opening the Blocked Hosts Log page from other UI pages

For your convenience, certain pages in the UI allow you to open the Blocked Hosts Log page and focus on a specific item. The item that you are viewing, such as a protection group or a source IP address, becomes the filter criteria for the page. You can search the Blocked Hosts Log page with that filter or specify additional filter criteria. Typically, the option to open the Blocked Hosts Log page is available from a context menu.

Scrolling through the Blocked Hosts Log page

The results of a blocked hosts search can occupy multiple pages. When you scroll to the end of the Blocked Hosts Log page, an additional page loads.
You can continue to scroll until you reach the end of the list.

Taking action on a blocked host

As you review the information on the Blocked Hosts Log page, you can take action on a specific blocked host. For example, after an attack, you can review the blocked hosts log to determine the hosts that were involved in the attack. You can export the blocked hosts information to a file for forensic reporting, and then decide which of those hosts to blacklist to prevent future attacks.

The following actions are available from the Blocked Hosts Log page:

Blacklist or whitelist a blocked host
    After you analyze a blocked host’s traffic, you can add the host to the blacklist or whitelist, unblock the host, or remove the host from the whitelist. Unblocking a host removes it from the blacklist. In the Blocked Host Detail window, click one of the following buttons:

    - Blacklist
    - Whitelist
    - Unblock
    - Remove from Whitelist

    The host’s current status determines which options are available. The direction of the blocked traffic (inbound or outbound) determines whether the action affects the blacklist or whitelist for inbound traffic or for outbound traffic. If the host’s inbound traffic was blocked, then these actions apply to all of the protection groups. (Outbound traffic is not associated with the protection groups.) See “About Blacklisting and Whitelisting Traffic” on page 258.

Capture packets for a blocked host
    You can navigate to the Packet Capture page and view the packet-level information about the traffic on a specific blocked host. Hover your mouse pointer over a source IP address, click the context menu icon, and then select Packet Capture. When the Packet Capture page opens, the host’s IP address is entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.
View the blocking protection group (inbound traffic only)
    You can view information about the protection group that blocked a host’s traffic by opening the View Protection Group page for that protection group. On the Blocked Hosts Log page or in the Blocked Host Detail window, click the protection group name link. See “Viewing the Traffic Activity for a Protection Group” on page 324.

View the outbound threat filter (outbound traffic only)
    If a host’s outbound traffic was blocked, you can view the outbound threat filter to analyze the current protection settings. In the Blocked Host Detail window, click the Outbound Threat Filter link to open the Outbound Threat Filter page. See “Viewing the Outbound Threat Activity” on page 349.

Export the blocked hosts information
    To save a record of the current blocked hosts view, you can export the blocked hosts information in the following ways:

    - Export to a CSV file by clicking the CSV Export icon on the Arbor Smart Bar. The CSV file contains all of the search results, up to 100,000 hosts.
    - Save as a PDF file by clicking the Create a PDF icon on the Arbor Smart Bar. The PDF file contains only the hosts that appear on the current page.

Investigate why a DNS server appears to be blocked
    The ATLAS threat categories contain threat policies that define domains that host threats. When APS matches a domain threat policy, it does not block all of the traffic to the DNS server and it does not block the host. APS blocks only the DNS request for a known bad host. See “About matching domain policies” on page 283. APS sees only the request to the DNS server, not the resolution of the IP address for the bad host. However, the DNS server appears as a blocked destination IP address on the Blocked Hosts Log page.
    When a host is blocked by an ATLAS threat policy that contains domain-related rules, an icon appears next to the destination IP address on the Blocked Hosts Log page. (This icon also appears in the Blocked Host Detail window.) Click the icon to display an explanatory message.

    To determine the hostname that is being blocked:

    1. Click the icon next to the destination address, and then click the link in the message to open the Packet Capture page with the host information entered in the Filter section.
    2. On the Packet Capture page, run a packet capture and display the dropped packets. See “Capturing Packet Information” on page 418. If the DNS requests are intermittent, you might have to wait until the next occurrence.
    3. Select a packet and view the packet details.
    4. View the packet payload to see the hostname that is being requested and blocked.

    If you think that the blocked traffic is legitimate, contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com/. Your feedback helps Arbor to continually improve the AIF content.

Blocked hosts search criteria

The search criteria that you specify determine the blocked hosts that appear on the Blocked Hosts Log page. However, the display includes all of the available information about each host within the selected direction and timeframe. For more information, see “Information on the Blocked Hosts Log Page” on page 413.

You can search for blocked hosts by completing any of the following options:

Traffic Direction options
    Select one of the following options:

    - Inbound — Displays the source hosts that are responsible for the inbound blocked traffic. The Blocked Hosts Log page initially defaults to the inbound blocked traffic.
    - Outbound — Displays the source hosts or destination hosts that are responsible for the outbound blocked traffic.
Traffic slider
    To find only the hosts that exceeded a certain traffic threshold, move the slider to the threshold value. The threshold is measured in bytes or packets, depending on the display unit of measure that is selected.

Protection Groups check boxes
    To find the hosts that were blocked by one or more specific protection groups or by the outbound threat filter, select the appropriate check boxes. Your Traffic Direction selection determines which check boxes are available.

    - Inbound direction — Select one or more protection group check boxes, or select the Protection Groups check box to select all of the protection groups. You can click a protection group’s name link to open the View Protection Group page.
    - Outbound direction — The Outbound Threat Filter check box is selected. You can click the Outbound Threat Filter name link to open the Outbound Threat Filter page.

Attack Categories check boxes
    To find the hosts that were blocked by one or more specific protection categories, select the appropriate check boxes. Click the ATLAS Threat Categories check box to select all of the threat categories. Click the Attack Categories check box to select all of the categories in the list.

    Note: Blacklisted Hosts is considered a category. It displays the blocked traffic for blacklisted hosts.

Source Hosts box
    Type one or more hostnames, IP addresses, or CIDR blocks to specify the source hosts to find. Type commas or press ENTER to separate multiple hosts. See “Searching for hosts on the Blocked Hosts Log page” on the next page.

Destination Hosts box
    Type one or more hostnames, IP addresses, or CIDR blocks to specify the destination hosts to find. Type commas or press ENTER to separate multiple hosts. See “Searching for hosts on the Blocked Hosts Log page” on the next page.
Time selector
    Click one of the time increments or click From to change the timeframe for which the data is displayed. Only the hosts that were blocked within this timeframe appear in the search results. See “Changing the display timeframe” on page 93.

Bytes and Packets buttons
    Click Bytes or Packets to change the display unit of measure.

Searching for hosts on the Blocked Hosts Log page

You can search for IPv4 hosts and IPv6 hosts that are on the Blocked Hosts Log page. If you search for IPv6 hosts, you can specify IPv6 addresses that are compressed or expanded. For example, APS searches for the same host whether you specify 2001:DB8:0:0:0:0:0:0/32 or 2001:DB8::/32.

Information on the Blocked Hosts Log Page

The Blocked Hosts Log page (Explore > Blocked Hosts) provides a record of all of the hosts that APS blocked, including the hosts that are currently temporarily blocked. The Blocked Hosts Log page contains several options that allow you to take action on a specific blocked host. For example, you can view the protection group that blocked the host, capture packets for the host, and blacklist or whitelist the host. See “Taking action on a blocked host” on page 408.

For information about viewing and using the blocked hosts log, see “Viewing the Blocked Hosts Log” on page 408. For general information about the Blocked Hosts Log page and how you can use it, see “About the Blocked Hosts Log” on page 406.

About the Blocked Hosts Log page search

The search criteria that you specify determine the blocked hosts that appear on the Blocked Hosts Log page. The display includes all of the available information about each host, as follows:

- If you search for a specific protection group, then the display includes all of the protection groups that each host targeted within the selected timeframe.
- If you search for a specific attack category, then the display includes all of the categories that blocked each host within the selected timeframe.
- The first and last times that the host was blocked, and the total time, or duration, of the blockage, can fall outside the specified timeframe. For example, if you select a timeframe of 5 minutes, but a host was blocked continually for 25 minutes, then the displayed duration is 25 minutes.

The Blocked Hosts Log page provides the best representation of blocked host information that is available at the time it is displayed. While a host is temporarily blocked, information about additional blocked traffic from that host is not updated continuously. As a result, the information on the Blocked Hosts Log page might not be all-inclusive. For example, the range of destination IP addresses might not include every destination of a host’s blocked traffic.

Information on the Blocked Hosts Log page

After you complete the search, a summary of the search appears at the top of the Results section. The Results section contains the following information:

Magnitude
    Displays a minigraph that represents the traffic that was blocked from or to the host during the specified time period. The traffic is displayed in bytes per second or packets per second, depending on the unit of measure that is selected in the Search section.

Source
    Displays the IP address of the source host. For inbound traffic, this column represents the host that was blocked. However, if outbound traffic was blocked because the destination host is on the outbound blacklist, then this column does not represent the blocked host. (A host that is on the outbound blacklist is blocked when it is either the source or the destination of traffic that originates from your network.)
    Note: For some IP addresses, APS displays additional information when you hover your mouse pointer over the address. If you hover over a truncated IPv6 address, you can view the entire address. If you hover over an IP address whose domain name has been resolved, you can view its fully qualified domain name. If you want to copy this information, click the IP address, select the text, and then copy it in one of the standard ways.

    If APS can identify the country for an IPv4 host, this column also includes a flag icon that represents the country. If the Source is an IPv4 address, you can view the country name by hovering your mouse pointer over the flag icon.

    Note: In APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.

Context menu icon
    Appears when you hover your mouse pointer over a source IP address. Click the icon, and then select Packet Capture to display the Packet Capture page, with the IP address entered in the Filter section. You can start the packet capture or specify additional filter criteria. See “Capturing Packet Information” on page 418.

Protection Group (inbound traffic only)
    Displays the protection group for which the host is blocked. If multiple protection groups are associated with the blocked host, this column displays the number of groups. You can display a list of those protection groups by hovering your mouse pointer over the displayed number. You can click a protection group’s name link to display the View Protection Group page for that group.

Destination
    Lists the range of destination IP addresses that the blocked host targeted. However, if outbound traffic was blocked because the destination host is on the outbound blacklist, then this column represents the blocked host.
    (A host that is on the outbound blacklist is blocked when it is either the source or the destination of traffic that originates from your network.)

    Note: For some IP addresses, APS displays additional information when you hover your mouse pointer over the address. If you hover over a truncated IPv6 address, you can view the entire address. If you hover over an IP address whose domain name has been resolved, you can view its fully qualified domain name. If you want to copy this information, click the IP address, select the text, and then copy it in one of the standard ways.

    When a host is blocked by an ATLAS threat policy that contains domain-related rules, an icon appears next to the destination IP address on the Blocked Hosts Log page. (This icon also appears in the Blocked Host Detail window.) The DNS server appears as the blocked destination IP address. However, APS does not block all of the traffic to the DNS server; it blocks only the DNS request for a known bad host. Click the icon to display an explanatory message and a link to the Packet Capture page, where you can investigate further. See “About matching domain policies” on page 283 and “Investigate why a DNS server appears to be blocked” on page 410.

Attack Category
    Displays the protection categories that blocked the traffic. If multiple protection categories are associated with the blocked host, this column displays the number of categories. You can hover your mouse pointer over the number of protection categories to view a list of the specific categories. When the list includes the ATLAS Threat Categories, the specific threat categories are listed.

    Note: Blacklisted Hosts is considered a category. It displays the blocked traffic for blacklisted hosts.

First Blocked
    Indicates the first time APS blocked this host.
Duration
    Displays the total time that the host was blocked since the first time it was blocked. If the host is currently blocked, this column displays “Ongoing”.

Details button
    To view additional information about a blocked host and link to additional workflows, click the host’s Details button. See “About the Blocked Host Detail window” below.

About the Blocked Host Detail window

When you click a host’s Details button on the Blocked Hosts Log page, the Blocked Host Detail window opens. This window displays additional information about the blocked host, such as the protocol and port, the amount and rate of blocked traffic, and a larger traffic graph.

Although APS blocks all the threats that it detects, it stores and reports information about only the first n threats that it blocks for each host. APS lists up to the first 4 blocked threats for inbound traffic, and up to the first 10 blocked threats for outbound traffic. Treat the listed threats as a sample of what was blocked, not a complete record.

The Blocked Host Detail window provides a link to the blocking protection group or outbound threat filter. It also contains buttons that allow you to add the host to the blacklist or whitelist, or remove the host from the blacklist or whitelist. See “Taking action on a blocked host” on page 408.

About Capturing Packets

The Packet Capture page in APS allows you to sample the packets that APS inspects, and capture information about the packets in real time. You can save the packet information, and you can use it to update protection settings to provide more targeted protection.

The packet capture provides a sample of the traffic data. It is not intended to capture complete information about any given stream or application session.
How you can use captured packets

The following scenarios are examples of how you can use the captured packet information:

Create protection settings for unique attacks
    Your network is under an attack that is outside the scope of the current protection settings; for example, a custom URL attack. You identify the target protection group and service, but you cannot determine the target URL. You can capture and inspect the packets that target the protection group and service. When you identify the target URL, you can blacklist it from within the Packet Capture page on APS to block all future traffic to that URL.

Forensic reporting
    During an attack on a specific service, you capture a sample of the packets that contain headers for that service. After inspecting the packets, you save the packet information to a packet capture (PCAP) file. You can use the PCAP file in a packet analysis program, save it for reporting purposes, or send it to Arbor for technical assistance. See “Saving packet information” on page 420.

Investigate false positives
    Clean traffic is blocked and you need to determine the cause so that you can change your protection settings or whitelist the host. You can investigate false positives by capturing the packet or packets that caused a specific host’s traffic to be blocked.

Reference

See the following topics for more information about capturing packets:

- “Capturing Packet Information” on the next page
- “Information on the Packet Capture Page” on page 421
- “Configuring Regular Expressions from Captured Packets” on page 425

Capturing Packet Information

The Packet Capture page in APS allows you to sample the packets that APS inspects, and capture information about the packets in real time.

Important: If multiple users on APS capture packets simultaneously, APS returns different packets for each user.
No two users receive the same packet.

You also can perform the following tasks on the Packet Capture page:

- Inspect the packet information. See “Information on the Packet Capture Page” on page 421.
- Save the packet information to a packet capture (PCAP) file. See “Saving packet information” on page 420.
- Blacklist a packet’s source address, target domain, or target URL.
- Use the information from a captured packet to update the settings in the Payload Regular Expression protection category. See “Configuring Regular Expressions from Captured Packets” on page 425.

Capturing packet information

To capture packet information:

1. Select Explore > Packet Capture.
2. On the Packet Capture page, in the Filter section, specify the criteria for filtering the packet capture. See “Packet filter criteria” on the facing page. If you do not want to filter the packets, do not specify any filter criteria.
3. In the Capture section, click Start.

   Note: If you specify filter criteria but do not click the add icon, the filter criteria is added for you when you click Start.

4. To limit the display of the capture results, either during the capture or after the capture, click Passed, Dropped, or All. APS always captures all of the packets that match the criteria in the Filter section, regardless of how you choose to display them.
5. When you want to stop the packet capture, click Pause. If you do not stop the packet capture, it stops automatically at 5,000 packets.
6. To view detailed information about a packet, click the packet, and then scroll down to the Packet Details section.
7. (Optional) As you inspect the packet details, you can take action to block future traffic from the source of the packet, as follows:

   - To blacklist the source address, domain, or URL, click the associated Blacklist button.

     Note: The item is blacklisted for all IPv4 protection groups or all IPv6 protection groups, not only the group whose traffic you are inspecting.
   - To add packet information to the Payload Regular Expression protection category, click the Add to Payload Regex button. See “Configuring Regular Expressions from Captured Packets” on page 425.

Opening the Packet Capture page from other UI pages

For your convenience, certain pages in the UI allow you to open the Packet Capture page in APS and focus on a specific item. The item that you are viewing, such as a protection group or a source IPv4 address, becomes the filter criteria for the capture. You can start the packet capture with that filter or specify additional filter criteria. Typically, the option to open the Packet Capture page is available from a context menu.

Packet filter criteria

Filter the packet capture by selecting any of the following options:

Source Host box
    Type a source IP address or a CIDR block, and then press ENTER or click the add icon. You can enter multiple sources. The capture is limited to the packets that match that source. See “Filtering the Packet Capture list by hosts” on the next page.

Blocked host triggers check box
    Select this check box to capture only the packets that caused a host’s traffic to be blocked. If you do not see this check box, expand the Source Host section.

Destination Host box
    Type a destination IP address or a CIDR block, and then press ENTER or click the add icon. You can enter multiple destinations. The capture is limited to the packets that match that destination. See “Filtering the Packet Capture list by hosts” on the next page.

Protection Group list
    To limit the packet capture by protection group or outbound threat filter, click any of the following options:

    - Outbound Threat Filter — Captures all of the outbound packets.
    - One or more protection groups — Captures the packets that are destined for a host that matches a prefix in any of the selected protection groups.
    To deselect an item, click it again.

Service list
    Select one or more services to limit the capture to the packets that contain headers for those services. To deselect a service, click it again.

Interface list
    Select one or more interfaces from which to capture packets. To deselect an interface, click it again. The capture is limited to the packets that flow into the specified interfaces.

Country list
    Select one or more countries and click the add icon after each one. The capture is limited to the packets whose sources are in the specified countries.

Regular Expression box
    Type a regular expression to limit the capture to the packets that match the expression. Use PCRE format. You can type multiple regular expressions; press ENTER after each expression. APS uses the OR operator for multiple regular expressions, so a packet is captured if it matches any one of them. See “About Regular Expressions” on page 578 for information about entering regular expressions.

Filtering the Packet Capture list by hosts

You can filter the list of packets that APS displays by specifying either IPv4 hosts or IPv6 hosts for Source Host or Destination Host.

Note: APS does not allow you to filter by IPv4 hosts and IPv6 hosts at the same time.

If you filter the list by IPv6 hosts, you can specify IPv6 addresses that are compressed or expanded. For example, APS filters the packets it displays by the same host whether you specify 2001:DB8:0:0:0:0:0:0/32 or 2001:DB8::/32.

Clearing the display of captured packet information

When you finish viewing the results of a packet capture, you can clear the packet list from the screen.

To clear the display of captured packet information:

1. On the Packet Capture page, in the Capture section, click Reset.
2. In the confirmation window, click OK.
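The “Investigate why a DNS server appears to be blocked” procedure on page 410 ends with reading the requested hostname out of the payload of a dropped packet, and the filter criteria above (host or CIDR filters that cannot mix IPv4 and IPv6, OR-ed regular expressions, the Passed/Dropped/All display) describe how a capture is narrowed. The following Python script is an added example, not code from the APS User Guide or the APS software. It applies those filter rules to a constructed set of captured packets, decodes the QNAME from a DNS query payload the way an operator reads it in the Packet Details section, and marks as dropped only the requests for hostnames in an assumed domain policy list, mirroring the behaviour the guide describes for domain threat policies: the DNS server shows up as the destination of dropped packets although other traffic to it passes. The `Packet` class, the sample packets and the domain list are all constructed for the example, and Python’s `re` module stands in for PCRE.

```python
"""Filter a packet capture and read the requested hostname out of a dropped
DNS query.

Added example; not part of the APS User Guide or the APS software. The Packet
class, the sample capture and the domain list are constructed stand-ins for
the capture records and the ATLAS domain threat policies the guide describes.
Python's re module stands in for PCRE."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    dropped: bool = False  # set by apply_domain_policy below

def build_dns_query(name, qtype=1):
    """Constructed DNS query (A record by default): 12-byte header + question."""
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"

def dns_qname(payload):
    """Decode the QNAME that follows the DNS header. Returns None for anything
    that is not a plain question (short payload, compression pointer, truncated
    label, missing terminator)."""
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels).lower() if labels else None
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def host_matches(addr, networks):
    """Source Host / Destination Host filter: any listed address or CIDR block,
    compressed or expanded. Mixing IPv4 and IPv6 filters is rejected."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    if len({n.version for n in nets}) > 1:
        raise ValueError("filter by IPv4 hosts or IPv6 hosts, not both")
    ip = ipaddress.ip_address(addr)
    return not nets or any(ip.version == n.version and ip in n for n in nets)

def regex_matches(payload, patterns):
    """Regular Expression filter: several expressions are OR-ed together."""
    return not patterns or any(re.search(p.encode(), payload) for p in patterns)

def filter_capture(packets, sources=(), destinations=(), patterns=(), show="All"):
    """Keep packets matching every filter; show narrows the display to Passed
    or Dropped, as the buttons on the Packet Capture page do."""
    out = []
    for p in packets:
        if not host_matches(p.src, sources) or not host_matches(p.dst, destinations):
            continue
        if not regex_matches(p.payload, patterns):
            continue
        if (show == "Dropped" and not p.dropped) or (show == "Passed" and p.dropped):
            continue
        out.append(p)
    return out

def apply_domain_policy(packets, bad_domains):
    """Stand-in for a domain threat policy: only the DNS request for a listed
    hostname (or a subdomain of it) is dropped; other traffic to the same DNS
    server passes, so the server shows as a destination without being blocked."""
    for p in packets:
        name = dns_qname(p.payload) if p.dport == 53 else None
        p.dropped = bool(name) and any(name == d or name.endswith("." + d) for d in bad_domains)
    return packets

def blocked_hostnames(packets):
    """Hostnames read from the payloads of the dropped packets."""
    return sorted({dns_qname(p.payload) for p in packets if p.dropped and dns_qname(p.payload)})

# Constructed capture: three queries to one DNS server plus one HTTP request.
SAMPLE_CAPTURE = [
    Packet("192.0.2.10", "198.51.100.53", 53, build_dns_query("www.example.com")),
    Packet("192.0.2.11", "198.51.100.53", 53, build_dns_query("cnc.malware.example.net")),
    Packet("192.0.2.12", "198.51.100.53", 53, build_dns_query("update.badhost.example")),
    Packet("192.0.2.13", "203.0.113.80", 80, b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]
ASSUMED_BAD_DOMAINS = ["malware.example.net", "badhost.example"]  # constructed, not AIF data

if __name__ == "__main__":
    apply_domain_policy(SAMPLE_CAPTURE, ASSUMED_BAD_DOMAINS)
    dropped = filter_capture(SAMPLE_CAPTURE, destinations=["198.51.100.53"], show="Dropped")
    print("DNS server 198.51.100.53 appears blocked; requested names:", blocked_hostnames(dropped))
```

The `dns_qname` decoder deliberately refuses compression pointers and truncated labels rather than guessing, which is the behaviour you want when reading payloads from a hostile capture; a real PCAP export would carry full frames, so the payload offset into the UDP data has to be located first, which this example skips by starting at the DNS header.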
Saving packet information

When you save the packet information to a packet capture (PCAP) file, the file contains all of the packets that you select. If you do not select any packets, the entire packet capture is saved.

To save packet information to a PCAP file:
1. Capture packets. See “Capturing packet information” on page 418.
2. (Optional) On the Packet Capture page, in the Capture section, select the packets to save. You can press SHIFT and click, or press CTRL and click, to select multiple packets.
3. In the Arbor Smart Bar, click (PCAP Export).
4. Open or save the file according to your browser options.

Information on the Packet Capture Page

The Packet Capture page displays information about the packets that you sample from your network. See “About Capturing Packets” on page 417. You can inspect a specific packet during the capture process or after the capture is stopped. See “Capturing Packet Information” on page 418.

As you inspect the packet details, you can take action to block future traffic from the source of the packet. For example, you can blacklist the source of the packet. The options are described in “Information in the Packet Details section” below.

Important: If multiple users on APS capture packets simultaneously, APS returns different packets for each user. No two users receive the same packet.

Information in the Capture section

In the Capture section of the Packet Capture page, the captured packets are displayed one per line. The background color of a packet line provides the following information:
• Red — The packet was blocked.
• Blue — The packet is selected.
• Purple — A blocked packet is selected.

The Capture section contains the following information for each packet:

Capture information on the Packet Capture page

Time
    Shows the time in seconds since the packet was captured, relative to the current time.
Source, Port / Destination, Port
    Displays the IP address and port of the source host and the IP address and port of the destination host. If an IPv6 address is truncated, you can hover your mouse pointer over it to view the entire address.
    Note: You cannot copy the IP address in this section of the Packet Capture page. To copy the IP address, select a packet, and then copy the IP address that appears in the Packet Details section.

Service
    Displays the name of the target service.

Bytes
    Displays the size of the packet.

Information
    Displays summary information about the packet. The content depends on the protocol and the types of headers that the packet contains.

Information in the Packet Details section

When you select a single packet in the Capture section, information about the packet appears in the Packet Details section. The amount of information that appears depends on the types of headers that the packet contains.

The Packet Details section of the Packet Capture page contains the following information for each packet:

Detail information on the Packet Capture page

Blocking information
    Indicates whether the packet was blocked and, if so, why it was blocked. This information appears at the top of the Packet Details section.

Source, Port / Destination, Port
    Displays the IP address and port of the source host and the IP address and port of the destination host.
    Note: For some IP addresses, APS displays additional information when you hover your mouse pointer over the address. If you hover over a truncated IPv6 address, you can view the entire address. If you hover over an IP address whose domain name has been resolved, you can view its fully qualified domain name. If you want to copy this information, click on the IP address, select the text, and then copy it in one of the standard ways.
    The Blacklist Source button allows you to add the source IP address to the inbound blacklist for all protection groups or to the outbound blacklist.

Service
    Displays the name of the target service.

Bytes
    Displays the size of the packet.

IP section
    Displays the following information for IP packets:
    • Total Length
    • Header Length
    • Type of Service
    • Time to Live
    • Flags
    • Fragment Offset
    • Sequence Number
    • Protocol
    • Checksum

TCP section
    Displays the following information for TCP packets:
    • Source Port
    • Destination Port
    • Sequence Number
    • ACK number
    • Header Length
    • Flags
    • Window
    • URG (urgent)
    • Checksum

UDP section
    Displays the following information for UDP packets:
    • Source Port
    • Destination Port
    • Data Length
    • Checksum

DNS section
    Displays the following information for DNS packets:
    • Operation — for example, Query
    • Response
    • Name — first name in the query
    The Blacklist Domain button in this section allows you to add this domain to the inbound blacklist for all IPv4 protection groups.

HTTP section
    Displays the following information for HTTP packets:
    • Operation — for example, GET
    • URL, including the host, if known
      The Blacklist URL button in this section allows you to add this URL to the inbound blacklist for all IPv4 protection groups.
    • Registered Domain Name, if known
      The Blacklist Domain button in this section allows you to add this domain to the inbound blacklist for all IPv4 protection groups.

ICMP section
    Displays the following information for ICMP packets:
    • Type
    • Code
    • ID
    • Sequence Number
    • Gateway
    • Checksum
SSL section
    Displays the following information for SSL packets:
    • Content type
    • Operation
    • Protocol Version
    • Client Version
    • Session ID

Data section
    Contains a hex dump of the packet, with the hexadecimal view on the left and the corresponding ASCII text translation on the right. The Add to Payload Regex button in this section allows you to add packet information to the Payload Regular Expression protection category. You can update the settings for either a specific server type or the outbound threat filter. See “Configuring Regular Expressions from Captured Packets” on the facing page.

Configuring Regular Expressions from Captured Packets

You can use information from captured packets to update the settings in the Payload Regular Expression protection category, for either a specific server type or the outbound threat filter. When you update the settings for a server type, the change applies to all of the protection groups that are associated with that server type.

For example, suppose your network is under an attack that is outside the scope of the current protection settings. You can use the Packet Capture page to capture packets and inspect the packets in the attack flow. When you identify a pattern in the attack traffic, you can update your regular expression settings to protect against that type of traffic in the future.

Before you begin

Before you can update the regular expression settings, you must capture packets. See “Capturing Packet Information” on page 418.

Updating the Payload Regular Expression settings

To update the Payload Regular Expression settings:
1. Select Explore > Packet Capture.
2. On the Packet Capture page, in the Capture section, select the packet on which to base the regular expression.
3. Scroll down to the Data subsection of the Packet Details section.
4. In the hexadecimal column or the ASCII column, select the information to add to the regular expression, and then click Add to Payload Regex.
5. In the Add to Payload Regular Expression window, identify the protection setting to update as follows:
   a. In the Server Type list, select a server type or the Outbound Threat Filter.
   b. Click the icon of the Protection Level for which you want to update the setting.
6. Review the settings that appear in the Add to Payload Regular Expression window and, if necessary, edit them as follows:

   TCP Ports box
       (Optional) Type the port numbers to define the TCP traffic to inspect. You can enter port numbers and port ranges (for example, 10-22). To inspect all TCP traffic, enter all. Use spaces or commas to separate multiple port numbers. APS matches the regular expressions against the TCP packets sent from or sent to the specified ports.

   UDP Ports box
       (Optional) Type the port numbers to define the UDP traffic to inspect. You can enter port numbers and port ranges (for example, 10-22). To inspect all UDP traffic, enter all. Use spaces or commas to separate multiple port numbers. APS matches the regular expressions against the UDP packets sent from or sent to the specified ports.

   Regular Expression box
       The packet information that you selected is appended to the end of any existing regular expression, separated by an OR sign (|), and highlighted. Edit the regular expression as needed. See “About Regular Expressions” on page 578 for information about entering regular expressions.

7. Click Save.
8. To add more packet information to the regular expression settings, repeat this procedure.
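How the Data section's hex dump, the Add to Payload Regex step and the TCP Ports / UDP Ports boxes fit together, as an added Python example that is not APS code. It renders a hex/ASCII dump of a constructed payload, turns a selected byte range into a literal regular-expression fragment, appends that fragment to an existing expression with the OR sign, parses a port specification such as "80, 443", "10-22" or "all", and applies the resulting rule to constructed packets. The escaping scheme, the packet field names, and the treatment of an empty port box as "that protocol is not inspected" are assumptions of this example; Python's re module stands in for PCRE, and the two agree on the literal fragments shown here.

```python
import re
from typing import Dict, List, Optional, Set


def hexdump(data: bytes, width: int = 16) -> str:
    """Render data the way the Data section does: offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, ascii_part))
    return "\n".join(lines)


def regex_fragment(selected: bytes) -> str:
    """Escape a selected byte range so it matches literally as a PCRE/Python regex.

    ASCII letters, digits and spaces pass through; other printable bytes are
    backslash-escaped; everything else becomes a \\xHH escape.
    """
    out = []
    for b in selected:
        ch = chr(b)
        if ch.isalnum() and b < 128 or ch == " ":
            out.append(ch)
        elif 32 <= b < 127:
            out.append("\\" + ch)
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def append_fragment(existing: str, fragment: str) -> str:
    """Append the selected text to the existing expression, separated by the OR sign."""
    return fragment if not existing else existing + "|" + fragment


def parse_ports(spec: str) -> Optional[Set[int]]:
    """Parse a TCP Ports / UDP Ports box.

    "all" means every port (returned as None).  Otherwise numbers and ranges
    such as 10-22, separated by spaces or commas, are expanded into a set.
    An empty box yields an empty set, which this example treats as "do not
    inspect that protocol" (an assumption).
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return None
    ports: Set[int] = set()
    for token in re.split(r"[\s,]+", spec):
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError("bad port or range: %r" % token)
        ports.update(range(lo_i, hi_i + 1))
    return ports


class PayloadRule:
    """One Payload Regular Expression setting: the expression plus the ports it applies to."""

    def __init__(self, regex: str, tcp_ports: str = "", udp_ports: str = "") -> None:
        self.regex = regex
        self.pattern = re.compile(regex.encode("ascii"), re.DOTALL)
        self.tcp = parse_ports(tcp_ports)
        self.udp = parse_ports(udp_ports)

    def matches(self, pkt: Dict) -> bool:
        ports = self.tcp if pkt["proto"] == "tcp" else self.udp
        # Inspect packets sent from or sent to a listed port (None = every port).
        if ports is not None and pkt["sport"] not in ports and pkt["dport"] not in ports:
            return False
        return self.pattern.search(pkt["payload"]) is not None


# Constructed sample payloads and packets (not captured traffic).
HTTP_PAYLOAD = b"GET /login HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: evil-bot/1.0\r\n\r\n"
DNS_PAYLOAD = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_PACKETS: List[Dict] = [
    {"proto": "tcp", "sport": 51000, "dport": 80,   "payload": HTTP_PAYLOAD},
    {"proto": "tcp", "sport": 51001, "dport": 8080, "payload": HTTP_PAYLOAD},
    {"proto": "udp", "sport": 40000, "dport": 53,   "payload": DNS_PAYLOAD},
    {"proto": "udp", "sport": 40001, "dport": 123,  "payload": DNS_PAYLOAD},
]


def build_rule() -> PayloadRule:
    """Select bytes from two packets and add both selections to one expression."""
    regex = ""
    sel = HTTP_PAYLOAD[HTTP_PAYLOAD.index(b"evil-bot/1.0"):][:12]   # selected in the ASCII column
    regex = append_fragment(regex, regex_fragment(sel))
    sel = DNS_PAYLOAD[12:24]                                          # selected in the hex column: 07 'example' 03 'com'
    regex = append_fragment(regex, regex_fragment(sel))
    return PayloadRule(regex, tcp_ports="80, 443", udp_ports="53")


if __name__ == "__main__":
    print(hexdump(DNS_PAYLOAD))
    rule = build_rule()
    print("regex:", rule.regex)
    for p in SAMPLE_PACKETS:
        print(p["proto"], p["dport"], rule.matches(p))
```

Escaping every non-alphanumeric byte is what keeps a selection such as "evil-bot/1.0" from being read as regex syntax; the second selection shows why binary bytes must become \xHH escapes rather than being pasted raw. The packet on TCP port 8080 carries the same payload but is not inspected because 8080 is outside the TCP Ports box.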
Part III: APS Reporting

Chapter 19: Managing and Viewing Reports

In APS, you can create and view predefined reports that are based on data that APS collects about the attacks it detected and blocked on your network over time. These Executive Summary reports also provide information about high-level traffic trends on your network over time.

Also, if you opt into Arbor’s data-sharing program, you can view the ATLAS Global DDoS Report that the Arbor Security Engineering and Response Team (ASERT) compiles. ASERT analyzes ATLAS Intelligence Feed (AIF) data and the anonymous statistics it receives from the data-sharing program to investigate new internet-scale attacks and who launches them.

In this section

This section contains the following topics:
• About the Executive Summary Report (page 430)
• About the ATLAS Global DDoS Report (page 434)
• Configuring On-Demand Reports (page 435)
• Configuring and Editing Scheduled Reports (page 438)
• Viewing and Deleting Generated Reports (page 440)
• Viewing and Deleting Scheduled Reports (page 442)

About the Executive Summary Report

The predefined Executive Summary Report provides information about the attacks that APS detected and blocked on your network over time. This report also provides information about high-level traffic trends on your network over time.

You can configure reports that run immediately or you can schedule reports to run one time or multiple times. See “Configuring On-Demand Reports” on page 435 and “Configuring and Editing Scheduled Reports” on page 438.

About the top hosts data

To include data about the top hosts in a report, you first must enable Top Sources and Destinations tracking in APS. See “Configuring the General Settings” on page 100.

Important: Some of the data included in the Executive Summary Report is based on the traffic for the selected protection groups.
However, the data for the top hosts is based on all of the traffic for the APS.

About the outbound traffic data

To include outbound traffic data in a report, you must enable the outbound threat filter in APS. See “Viewing the Outbound Threat Activity” on page 349. The outbound information includes IPv4 traffic data only.

Information in the Executive Summary Report

Report header and footer

The report header contains descriptive information about the report. Some of this information is user-configurable when you create the report.

Information in the report header

Report name
    The user-configurable name of the report, which appears on the top left of the page.
APS name
    The hostname of the APS appliance, which appears below the report name.
Description
    The optional user-configurable description for the report, which appears below the APS name.
Date range
    The user-configurable date range for the data included in the report, which appears below the logo.

The report footer contains the following information:
• The user name of the person who requested the report
• The date and time when the report was generated
• Explanations about the data that was not included in the report, if applicable

Cloud Signaling

Important: Some of the data included in the Executive Summary Report is based on the traffic for the selected protection groups. However, the data for Cloud Signaling is based on all of the traffic for the APS.

If cloud-based mitigation occurred during the specified date range, the report includes Cloud Signaling data. Events Mitigated shows the number of unique DDoS attacks that were mitigated. Targeted IPs Protected shows the number of hosts in your network that APS protected from DDoS attacks by using cloud-based mitigation. See “About Cloud Signaling for DDoS Protection” on page 368.
DDoS Protection

If inbound traffic data is available, the report includes the following information for the selected protection groups:
• The amount of blocked inbound traffic, in bytes
• The percentage of inbound traffic that was blocked versus the total amount of inbound traffic
• The number of unique hosts that were blocked
  Note: If the number of blocked hosts exceeds 100,000, the report displays 100000+ as the blocked hosts statistic.
• A stacked graph that displays the amount of blocked inbound traffic versus the amount of passed inbound traffic
• The average daily amount, in bytes, of the total inbound traffic, blocked inbound traffic, and passed inbound traffic during the specified date range
  To calculate the average daily inbound traffic, APS divides the total amount of inbound traffic by the number of days in the specified date range.
• The average rate, in bps, for the total inbound traffic, the blocked inbound traffic, and the passed inbound traffic during the specified date range

If outbound traffic data is available, the report includes the following information for all of the protection groups:
• The amount of blocked outbound traffic, in bytes
• The percentage of outbound traffic that was blocked versus the total amount of outbound traffic
• The number of unique hosts that were blocked
• A stacked graph that displays the amount of blocked outbound traffic versus the amount of passed outbound traffic
• The average daily amount, in bytes, of the total outbound traffic, blocked outbound traffic, and passed outbound traffic during the specified date range
  To calculate the average daily outbound traffic, APS divides the total amount of outbound traffic by the number of days in the specified date range.
• The average rate, in bps, for the total outbound traffic, blocked outbound traffic, and passed outbound traffic during the specified date range

If no outbound traffic is available during the specified date range, the report omits the outbound traffic section.
The outbound information includes IPv4 traffic data only.

Important: Some of the data included in the report is based on the traffic for the selected protection groups. However, the data in the Outbound Activity section reflects all of the outbound traffic for the APS.

Top Inbound Countries

If the data is available, the report includes the following information about the five countries that sent the most traffic:
• A flag icon that represents the country
  Note: In APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• A stacked graph that represents each country’s total passed traffic in green and its total blocked traffic in red
• The amount of traffic from each country that was passed and blocked, in bps and pps
• The percentage of the total traffic that each country’s traffic represents, shown as a number and as a proportion bar. The bar for the top country is the full column width and the remaining bars are in proportion to it. In this case, total traffic refers to the total traffic for the countries that are included in this report.

Top Blocked Threat Categories

If the data is available, the report includes the following information about the five threat categories in the ATLAS Intelligence Feed that blocked the most traffic:
• A stacked graph that represents the amount of inbound traffic that was blocked
• A stacked graph that represents the amount of outbound traffic that was blocked
• A key for each graph that shows the color that represents a specific threat category in the graph
• The name of the threat category that blocked the traffic
• The amount of inbound traffic and the amount of outbound traffic that was blocked

The outbound information includes IPv4 traffic data only.
Top Inbound Sources

Important: Some of the data included in the Executive Summary Report is based on the traffic for the selected protection groups. However, the data for Top Inbound Sources is based on all of the traffic for the APS.

If the data is available, the report includes the following information about the five external IP addresses that sent the most traffic:
• The IP address for the source host. If APS can identify the host’s country, this column also includes a flag icon that represents the country.
  Note: In APS, country mappings do not exist for IPv6 addresses. As a result, the report displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• A graph that represents the total traffic from the source
• The total amount of traffic from the source, in bytes and packets
• The average rate of traffic from the source, in bps and pps

Top Inbound Destinations

Important: Some of the data included in the Executive Summary Report is based on the traffic for the selected protection groups. However, the data for Top Inbound Destinations is based on all of the traffic for the APS.

If the data is available, the report includes information about the five internal IP addresses that received the most traffic:
• The IP address to which the traffic is destined
• A graph that represents the total traffic to the destination
• The total amount of traffic to the destination, in bytes and packets
• The average rate of traffic to the destination, in bps and pps

Protection Groups

This section lists the protection groups whose data is included in the report. You select the protection groups when you configure the report. See “Configuring On-Demand Reports” on page 435 and “Configuring and Editing Scheduled Reports” on page 438.
About the ATLAS Global DDoS Report

When you participate in Arbor’s data-sharing program, you are given access to the ATLAS Global DDoS Report from the Arbor Security Engineering and Response Team (ASERT). ASERT analyzes ATLAS Intelligence Feed (AIF) data and the anonymous statistics it receives from the data-sharing program to investigate new internet-scale attacks. This additional intelligence helps to show the scope of internal threats to your network in the context of other networks and the internet.

To download and view the report:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, select the Enable Automated Connection to AIF check box.
3. Select the Yes, I want to opt in to Arbor's data-sharing program check box.
4. Click Save.
5. Select Reports > ATLAS Global DDoS.

Note: For information about configuring the AIF, see “Configuring the ATLAS Intelligence Feed” on page 119.

Configuring On-Demand Reports

You can configure Executive Summary reports that provide information about the attacks that APS detected and blocked on your network over time. You can configure reports that APS runs immediately after you create them. APS runs these on-demand reports once.

Note: You also can configure Executive Summary reports that are scheduled to run one time or multiple times in the future. See “Configuring and Editing Scheduled Reports” on page 438.

For a description of the information that APS includes in the report, see “About the Executive Summary Report” on page 430.

After APS generates an Executive Summary Report, you can view the results online, as a web page. You also can export the results as a PDF file. See “Viewing and Deleting Generated Reports” on page 440.

Configuring an on-demand report

To configure an Executive Summary Report that APS runs once:
1. Select Reports > Executive Summary.
2. On the Executive Summary Reports page, click Configure New Report.
3. On the Step 1 page, select a date range for the data to include in the report in one of the following ways:
   a. To select a pre-defined timeframe, select Quick Date Range, type a number in the Last box, and select Days, Weeks, or Months. The report includes data for complete days, weeks, or months only. (A complete week is Sunday through Saturday.) For example, if you specify a 2-month timeframe for the data and APS generates the report on April 10, the report includes the data for February and March only.
   b. To specify a custom timeframe, select Custom Date Range. Select a start date in the From calendar and select an end date in the To calendar. For guidelines on how to specify a custom date range, see “Setting a custom date range” on the next page.
4. Click Next.
5. On the Step 2 page, complete one of the following steps to select the protection groups whose data you want to include in the report. You must select at least one protection group before you can continue to the next step.
   Tip: To filter a large list of protection groups, enter the name of a protection group or a server type in the Search box. You can enter the full name or the partial name of one or more protection groups or server types.
   • To select individual protection groups, select the check box for each protection group to include.
   • To select all of the protection groups, select the check box next to the Protection Groups column header.
   Important: Some of the data included in the report is based on the traffic for the selected protection groups. However, the data in the Outbound Activity section reflects all of the outbound traffic for the APS.
6. Click Next.
7. On the Step 3 page, in the Reporting On section, review the settings that you specified on the previous pages.
   To change any of these settings, click Previous to return to the appropriate page.
8. In the Report Name box, type a unique name for the report. The name may contain up to 56 characters.
9. (Optional) In the Description box, type a description for the report. The description may contain up to 132 characters.
10. (Optional) To deliver the report results as a PDF file to specific destinations, type one or more email addresses in the Email Addresses box. Enter multiple emails as a comma-separated list. The email addresses must be valid RFC 822 addresses.
    Note: In the emails that APS sends, the “from” address is always report_runner@hostname, which you cannot change.
    Important: Before APS can email reports, you must configure an SMTP server on the Configure General Settings page (Administration > General). See “Configuring the General Settings” on page 100.
11. Click Submit.
    After you submit the report, the report name appears in the list on the Reports page and APS begins to process the report. While APS processes the report, a progress bar appears in the Status column for the report.
    Note: The new report is added to the end of the list of reports. If there are multiple pages of reports, you will not see the report on the first page of reports on the Reports tab.
    For information on how to view the report results, see “Viewing and Deleting Generated Reports” on page 440.

Setting a custom date range

When you specify a custom date range on the Step 1 page of the Create New Report wizard, the following guidelines apply:
• To change the month that appears in a calendar, click (previous) or (next).
• After you select a start date in the From calendar, you cannot select any dates prior to that date in the To calendar.
• If you select start and end dates that are in the same month, you cannot select a new start date in any month that follows the selected month. You have to pick a new date in the To calendar first.
• In the To calendar, you cannot select an end date that falls after the current date.
• The timeframe for the report starts at 12:00 am on the selected start date and ends at 11:59:59 pm on the selected end date.
  Note: If you select the current day as the end date in the To calendar, the end time for the report is the time at which you submit the report.

Configuring and Editing Scheduled Reports

You can configure Executive Summary reports that provide information about the attacks that APS detected and blocked on your network over time. You can configure scheduled reports that APS runs one time or multiple times in the future.

Note: You also can configure Executive Summary reports that APS runs immediately after you create them. See “Configuring On-Demand Reports” on page 435.

After you configure a scheduled report, its name is added in the form of a link to the list on the Schedules tab. To edit a scheduled report, click the report name to access the configuration settings.

For a description of the information that APS includes in the report, see “About the Executive Summary Report” on page 430.

After APS generates an Executive Summary Report, you can view the results online, as a web page. You also can export the results as a PDF file. See “Viewing and Deleting Generated Reports” on page 440.

Configuring or editing a scheduled report

To configure or edit an Executive Summary Report that is scheduled to run one or more times:
1. Select Reports > Executive Summary.
2. On the Executive Summary Reports page, click the Schedules tab.
3. To configure a new report, click Configure New Report Schedule. To edit an existing report, click the name of the report.
4. On the Step 1 page, in the Last complete boxes, select a timeframe for the data to include in the report as follows:
   a. In the first box, type a number to indicate how many days, weeks, or months of data you want to include in the report.
   b. In the second box, select days, weeks, or months.
   The report includes data for complete days, weeks, or months only. (A complete week is Sunday through Saturday.) For example, if you specify a 2-month timeframe for the data and APS generates the report on April 10, the report includes the data for February and March only.
5. In the Start on calendar, select the date on which you want APS to generate the first report.
6. Select the Repeat check box to run the report multiple times.
7. In the Every box, type a number and then days, weeks, or months to specify how often APS generates the report.
8. (Optional) To specify a date after which APS no longer generates the report, select the End on check box and select a date in the calendar.
9. Click Next.
10. On the Step 2 page, complete one of the following steps to select the protection groups whose data you want to include in the report. You must select at least one protection group before you can continue to the next step.
    Tip: To filter a large list of protection groups, enter the name of a protection group or a server type in the Search box. You can enter the full name or the partial name of one or more protection groups or server types.
    • To select individual protection groups, select the check box for each protection group to include.
    • To select all of the protection groups, select the check box next to the Protection Groups column header.
    Important: Some of the data included in the report is based on the traffic for the selected protection groups. However, the data in the Outbound Activity section reflects all of the outbound traffic for the APS.
11. Click Next.
12. On the Step 3 page, in the Run a report on section, review the settings that you specified on the previous pages. To change any of these settings, click Previous to return to the appropriate page.
13. In the Name box, type a unique name for the report. This name may contain up to 56 characters.
14. (Optional) In the Description box, type a description for the report. The description may contain up to 132 characters.
15. (Optional) To deliver the report results to specific destinations every time APS generates the report, type one or more email addresses in the Email Addresses box. Enter multiple emails as a comma-separated list. APS emails the report results as a PDF file. The email addresses must be valid RFC 822 addresses.
    Important: Before APS can email reports, you must configure an SMTP server on the Configure General Settings page (Administration > General). See “Configuring the General Settings” on page 100.
    Note: In the emails that APS sends, the “from” address is always report_runner@hostname, which you cannot change.
16. To save a new report, click Submit. To save changes to an edited report, click Save.
    If there are multiple pages of scheduled reports, you may not see the report on the first page of the Schedules tab.

APS generates a report just after midnight on the day on which the report is scheduled to run.

Viewing and Deleting Generated Reports

On the Reports tab of the Executive Summary Reports page, you can view or delete the reports that APS generated. The list of the generated reports can include reports that APS only runs once and reports that APS runs multiple times. See “Configuring On-Demand Reports” on page 435 and “Configuring and Editing Scheduled Reports” on page 438. For a description of the Reports tab, see “Information on the Reports tab” on the facing page.
For a description of the information that APS includes in these reports, see “About the Executive Summary Report” on page 430.

Searching for generated reports

You can limit the generated reports that APS displays on the Reports tab by searching for one or more reports. You can search by report name or by the name of the person who requested the report.

To search the list of reports:
1. Select Reports > Executive Summary.
2. On the Reports tab, in the Search box at the top of the page, enter any of the following search strings:
   • the full name or partial name of a report
   • the full name or partial name of a person who requested a report
   APS filters the list of reports as you type.
   Note: If you enter the name of a report that is not in the list, APS hides all of the reports.
3. To clear the search, delete all of the text in the Search box.

Viewing report results

To view the results of a report:
1. Select Reports > Executive Summary.
2. To view the results for a report, complete one of the following steps:
   • Click on the report name link to view the report in your default web browser.
   • Click (context menu) to the right of the report name, and select Export as PDF to view a PDF version of the report.

Deleting generated reports

Caution: You cannot undo the deletion of reports.

To delete one or more of the generated reports:
1. Select Reports > Executive Summary.
2. Complete one of the following steps:
   • Select the check box for each report to delete, and then click Delete.
   • Select the check box to the left of the Name column header to select all of the reports and click Delete.
   • Click (context menu) to the right of a report name and select Delete.
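The Date Range column of the Reports tab shows the window that the report wizards derive from a "Last N complete days/weeks/months" setting or a Custom Date Range. The rules stated in the wizard procedures above (complete periods only, a complete week running Sunday through Saturday, a custom range starting at 12:00 am and ending at 11:59:59 pm or at submission time when the end date is today), together with the per-day averaging and the 100000+ cap from the DDoS Protection section, as an added Python example. This is not APS code; treating the run day itself as incomplete for the "days" unit, and computing the average bps over the window's duration, are assumptions consistent with the April 10 example in the wizards.

```python
from datetime import date, datetime, time, timedelta
from typing import Tuple


def complete_period_window(run_date: date, count: int, unit: str) -> Tuple[date, date]:
    """Inclusive (start, end) dates for "Last <count> complete <unit>" as of run_date.

    The day on which the report runs is never complete, so it is excluded
    (assumption).  A complete week is Sunday through Saturday; a complete
    month is a whole calendar month.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if unit == "days":
        end = run_date - timedelta(days=1)
        start = end - timedelta(days=count - 1)
    elif unit == "weeks":
        # Most recent Saturday strictly before run_date (weekday(): Mon=0 .. Sun=6).
        back = (run_date.weekday() - 5) % 7 or 7
        end = run_date - timedelta(days=back)
        start = end - timedelta(days=7 * count - 1)
    elif unit == "months":
        end = run_date.replace(day=1) - timedelta(days=1)   # last day of the previous month
        month_index = end.year * 12 + (end.month - 1) - (count - 1)
        start = date(month_index // 12, month_index % 12 + 1, 1)
    else:
        raise ValueError("unit must be days, weeks or months")
    return start, end


def custom_range_window(start: date, end: date, now: datetime) -> Tuple[datetime, datetime]:
    """Timestamps for a Custom Date Range: 12:00 am on the start date and
    11:59:59 pm on the end date, or the submission time when the end date is
    the current day."""
    if end < start:
        raise ValueError("end date precedes start date")
    if end > now.date():
        raise ValueError("end date cannot fall after the current date")
    start_dt = datetime.combine(start, time.min)
    end_dt = now if end == now.date() else datetime.combine(end, time(23, 59, 59))
    return start_dt, end_dt


def days_in_window(start: date, end: date) -> int:
    return (end - start).days + 1


def average_daily_bytes(total_bytes: int, start: date, end: date) -> float:
    """Total traffic divided by the number of days in the date range."""
    return total_bytes / days_in_window(start, end)


def average_bps(total_bytes: int, start_dt: datetime, end_dt: datetime) -> float:
    """Average rate in bits per second over the window's actual duration (assumption)."""
    seconds = (end_dt - start_dt).total_seconds()
    return total_bytes * 8 / seconds


def blocked_hosts_label(count: int) -> str:
    """The report caps the unique blocked-host statistic at 100000+."""
    return "100000+" if count > 100_000 else str(count)


if __name__ == "__main__":
    print(complete_period_window(date(2018, 4, 10), 2, "months"))   # Feb 1 .. Mar 31
    print(complete_period_window(date(2018, 4, 10), 1, "weeks"))    # Sun Apr 1 .. Sat Apr 7
    s, e = custom_range_window(date(2018, 4, 1), date(2018, 4, 10), datetime(2018, 4, 10, 9, 30))
    print(s, e, average_bps(10**12, s, e))
```

The weeks branch is the one worth checking: a report that runs on a Saturday must step back a full week, because the Saturday it runs on is not yet complete, which is why the zero remainder is replaced by 7.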
Information on the Reports tab

The Reports tab contains the following information:

Search box
    Allows you to search for reports by the information in the following columns: Name, Requested by.
Configure New Report button
    Allows you to configure an on-demand report. See “Configuring On-Demand Reports” on page 435.
Selection check boxes
    Allow you to select one or more of the generated reports to delete.
Name column
    Displays the name of the report. After APS generates the report, the report name appears in the form of a link. Click the link to open the View Report page. If the report fails, an error message appears when you click the report name link.
(context menu)
    Appears to the right of a report name. Use the options on the context menu to perform the following actions:
    - Export as PDF — Generates a PDF file of the report.
    - Delete — Deletes the report.
Run Date column
    Indicates the date on which APS generated the report results.
Status column
    Indicates the state of the report. The possible states are Completed and Failed.
    Note: While APS generates a report, the Status column displays a progress bar.
Date Range column
    Indicates the start date and the end date for the data that is included in the report.
Requested by column
    Indicates the name of the person who configured the report.
Delete button
    Deletes the selected reports.

Viewing and Deleting Scheduled Reports

On the Schedules tab of the Executive Summary Reports page, you can view and delete the reports that have been scheduled to run. APS runs scheduled reports one time or multiple times in the future. You also can configure and edit scheduled reports on the Schedules tab. See “Configuring and Editing Scheduled Reports” on page 438.
For a description of the information that APS includes in these reports, see “About the Executive Summary Report” on page 430.
Searching for scheduled reports

You can limit the reports that APS displays on the Schedules tab by searching for one or more reports. You can search by report name or by the name of the person who requested the report.
To search the list of scheduled reports:
1. Select Reports > Executive Summary.
2. Click the Schedules tab.
3. In the Search box at the top of the page, enter any of the following search strings:
   - the full name or partial name of a report
   - the full name or partial name of a person who requested a report
   APS filters the list as you type.
   Note: If you search for a report that is not in the list, APS hides all of the scheduled reports.
4. To clear the search, delete all of the text in the Search box.

Deleting scheduled reports

Caution: You cannot undo the deletion of reports.
To delete one or more of the scheduled reports:
1. Select Reports > Executive Summary.
2. Click the Schedules tab.
3. Complete one of the following steps:
   - Select the check box for each scheduled report to delete, and then click Delete.
   - Select the check box to the left of the Scheduled Report Name column header to select all of the scheduled reports, and then click Delete.
   - Click (context menu) to the right of a scheduled report name and select Delete.

Information on the Schedules tab

The Schedules tab contains the following information:

Search box
    Allows you to search for reports by the information in the following columns: Name, Requested by.
Configure New Scheduled Report button
    Allows you to configure a new scheduled report.
Selection check boxes
    Allow you to select one or more scheduled reports to delete.
Name column
    Displays the name of the scheduled report in the form of a link. Click this link to make configuration changes to the scheduled report.
    When Done appears in the Next Run column, APS will not generate the report again, so the report name is grayed out. However, you can still edit the report. See “Configuring and Editing Scheduled Reports” on page 438.
(context menu)
    Appears to the right of a scheduled report name. Click this icon and select Delete to delete the report.
Repeat Every column
    Indicates how often APS generates the report. If the report is scheduled to run one time only, Never appears in this column.
Coverage column
    Indicates the start date and the end date for the data that is included in the report.
Next Run column
    Indicates the next date on which APS generates the report. Done appears in this column when APS will not generate the report again. In this case, you can edit the report to generate it again or delete the report.
Last Run column
    Indicates the last date on which APS generated the report.
Expires column
    If an end date was configured, indicates the date after which APS no longer generates the report.
Requested By column
    Indicates the name of the person who configured the scheduled report.
Delete button
    Deletes the selected reports.

Part IV: APS Maintenance

Chapter 20: Managing APS

This section describes the tasks that you can perform in the UI to monitor and troubleshoot APS and manage files on APS. For information about managing multiple APS devices from APS Console, see “About Managing APS Devices from APS Console” on page 78.
In this section

This section contains the following topics:
Viewing the Change Log 448
Managing Diagnostics Packages 450
Managing the Files on APS 452
About Backups 454
Backing Up APS Manually 457
Restoring APS from Backups 458
How Restoring Backups Affects the APS Console - APS Synchronization 461
Downloading and Uploading Backup Files 463

Viewing the Change Log

The change log is a user-friendly record of nearly all of the events that occur in APS. The change log is a useful tool for keeping up with configuration changes and file downloads, and for troubleshooting issues with the system. For example, you might use the change log to help with the following tasks:
- To learn which files were downloaded during the most recent AIF (ATLAS Intelligence Feed) update.
- To determine the last time that the protection level was changed during an attack.
- To troubleshoot problems by determining whether recent changes could have affected the system's operation.
- To save an audit trail of system changes. See “About exporting the change log” below.
You can view the complete change log on the Change Log page, and you can view the most recent changes on the Summary page.

Events that create change log entries

Change log entries are created when the following types of events occur:
- configuration changes
  For example, log entries are created when a user configures or updates any of the APS settings.
- manual updates
  For example, log entries are created when a user creates a protection group, types a CLI command, or requests a cloud mitigation.
- automatic updates
  For example, log entries are created when an AIF (ATLAS Intelligence Feed) update occurs and when APS triggers Cloud Signaling.

About exporting the change log

You can save an audit trail of system changes in the following ways:
- By exporting the change log to a comma-separated values (CSV) file.
  If you filtered the change log display with a search, the exported file contains only the search results. See “Exporting a page as a CSV file” on page 91.
- By configuring APS to send change log notifications to an external system, such as syslog or SNMP.
  These notifications record every change log entry to provide an audit trail of all the changes to your APS system. Such audit trail documentation is important for any organization that has strict policies for change control and change management. You configure the notifications on the Configure Notifications page (Administration > Notifications). See “Configuring Notifications” on page 131.

Viewing the complete change log

To view the complete change log on the Change Log page:
- Select Administration > Change Log.

Viewing the most recent changes

To view the 10 most recent entries in the change log on the Summary page:
1. Select Summary.
2. On the Summary page, click the Change Log tab, which displays the most recent entries.
3. (Optional) To display the Change Log page from the Change Log tab, click the View all changes link.

Information on the Change Log page

The Change Log page contains the following information:

Search box
    Allows you to search on data from any column on the page except the date. Type all or part of a search string, and then click (search). To clear the search results, click the X in the Search box.
Username
    The user who made the change, or “system” if it is a system-generated change.
Date
    The date on which the change occurred.
Sub-System
    The sub-system that made the change. Examples of the sub-systems that can make changes are as follows: ATLAS, CLI, deployment, diagnostics, file system, mitigation, notifications, system, and user accounts.
Setting Type
    The name of the protection group or server type to which the entry corresponds, if the entry is the result of a change to either of those items.
Description
    A description of the change. For example, if a protection group is created, the description displays the settings that are configured.

Managing Diagnostics Packages

A diagnostics package contains debugging information for APS. The diagnostics package helps the Arbor Technical Assistance Center to diagnose and correct any potential issues that are related to your system.
The Diagnostics Packages page allows you to create new diagnostics packages and to download, email, and delete the diagnostics packages. The Diagnostics Packages page displays the existing diagnostics packages and their creation dates, file names, and file sizes.

Creating a diagnostics package

To create a diagnostics package:
1. Select Administration > Diagnostics.
2. On the Diagnostics Packages page, click Create Diagnostics Package.
   The package creation might take several minutes.

Emailing a diagnostics package to the Arbor Technical Assistance Center

To email a diagnostics package to Arbor:
1. Select Administration > Diagnostics.
2. On the Diagnostics Packages page, to the right of the package that you want to send, click Email.
3. In the Email Diagnostics Package window, type the following information:
   From box
       Type your email address.
   Subject box
       Type a subject for the email message.
   Message box
       Type a message that explains how you want Arbor to process the diagnostics package.
4. Click Send Email.

Downloading a diagnostics package

If you cannot email from APS, you can download the diagnostics package and send it by some other means.
To download a diagnostics package:
1. Select Administration > Diagnostics.
2. On the Diagnostics Packages page, click the name link of the package to download.
3.
Follow your browser’s prompts to save the package.

Deleting diagnostics packages

To delete diagnostics packages:
1. Select Administration > Diagnostics.
2. Complete one of the following steps:
   - Select the check box for each diagnostics package that you want to delete.
   - Select the check box in the table heading row to select all of the diagnostics packages.
3. Click Delete.

Managing the Files on APS

On the Manage Files page, in the System Files section, you can download CA certificates and SNMP MIB files. You can use the MIB files to help you decode the SNMP traps that APS sends for notifications. MIB files also can help you understand the OIDs (object identifiers) that can be queried on APS. See “About SNMP Polling” on page 108.
In the Local Files section, you can upload, download, and delete the following types of local files:
- Text
- Directory
- Gzip compressed
- Signed package
- SSH host keys
- Unknown
You also can perform the following tasks on the Manage Files page:
- Upload a custom logo for the UI. See “Adding a Custom Logo to the UI” on page 146.
- Upload a custom SSL certificate. See “Using a Custom SSL Certificate for User Authentication” on page 138.

Downloading files from APS

To download a file from APS:
1. Select Administration > Files.
2. On the Manage Files page, in the Local Files section or the System Files section, click the link for the file that you want to download.
3. Save the file according to your browser options.

Uploading local files to APS

APS appliances have a 10 GB limit for storage of uploaded files.
To upload a file to APS:
1. Select Administration > Files.
2. On the Manage Files page, click Upload File.
3. In the Upload File window, click Browse to locate the file, and then select the file.
4. Click Upload.
5.
When the upload finishes, complete one of the following steps:
   - To upload another file, click Upload another and specify the file to upload.
   - To stop uploading files, click Close.

Deleting local files from APS

Caution: You cannot undo the deletion of files.
To delete a local file from APS:
1. Select Administration > Files.
2. On the Manage Files page, in the Local Files table, complete one of the following steps:
   - Select the check box for each file that you want to delete.
   - Select the check box in the table heading row to select all of the uploaded files.
3. Click Delete.

About Backups

The Configure Backup and Restore Settings page is the central location where you can manage the backups of APS data. A backup consists of configuration data and also can include traffic data. You can choose whether to include the traffic data when you configure the settings for scheduled backups and manual backups.
This page allows you to perform the following tasks:
- Configure backup settings — See “Configuring backup settings” on page 136.
- Schedule the automatic creation of backups — See “Scheduling the automatic creation of backups” on page 136.
- Create backups manually — See “Backing Up APS Manually” on page 457.
- Restore data from backups — See “Restoring APS from Backups” on page 458.
- Download and upload backup files — See “Downloading and Uploading Backup Files” on page 463.
- View the backups that have been created — See “About the Available Backups list” on page 456.
See “Planning your backup strategy” on page 135.

Backing up and restoring APS devices under APS Console management

When you use APS Console to manage APS, the configuration data from APS Console is periodically copied to each managed APS as appropriate.
When you back up and restore APS Console and APS, you must follow certain guidelines to maintain the data synchronization. See “How Restoring Backups Affects the APS Console - APS Synchronization” on page 461.

About the backup data

Each backup is stored as a set of gzip compressed tarball files and a manifest file. The data that is included in a backup is as follows:

Configuration data
    All configuration settings, including the deployment mode, protection settings, blacklists, whitelists, current logo, and change log. The backup does not include alerts, diagnostics packages, custom SSL certificates, and IP and network configurations. The backup also does not include any of the configuration data for the Hardware Security Module (HSM).
Traffic data
    Information about blocked traffic, including graph data. The backup does not include the traffic data for the protection interfaces that appears in the Interfaces section on the Summary page.

Important: If vAPS is set to the layer 3 deployment mode, the following data is not included in a backup:
- Any GRE tunneling settings that you configured on the Interfaces page in the UI. See “Configuring Interfaces and GRE Tunneling” on page 141.
- Any routes that you configured for the protection interfaces. These routes include any mitigation routes that you configured in the CLI and any routes that you configured on the Interfaces page. See “Configuring Static Routes for the Protection Interfaces on vAPS” on page 513 and “Configuring Routes” on page 145.

Types of backups

You can create the following types of backups:

Full
    All of the files that comprise the full set of data.
Incremental
    Only the files that changed since the last backup.
About backup storage

You can store backup files in the following locations:
- On a remote backup server
  You can use any remote server that APS can access and that has sufficient disk space for the backup files. The backup server must support the Secure File Transfer Protocol (SFTP). Verify that the backup server does not use a script to echo messages on login; otherwise, errors can occur.
  Important: If you need to create backups for multiple APS devices, you must specify a unique target directory for each APS on the backup server. If you use the same target directory for more than one APS, the backup process will fail.
- Locally on APS
  Backups that are stored locally do not include traffic data. APS saves the last five full backups and the incremental backups that were made after those full backups. The backup process deletes the older backups.
  Caution: Do not delete the backup files yourself.

About the Available Backups list

On the Configure Backup and Restore Settings page, the Available Backups section lists the backups that are available and displays the following information for each one:

Date and Time
    Shows when the backup was created.
Description
    Displays Scheduled Backup for an automatic backup or displays the description that the user entered for a manual backup.
Type
    Shows the backup type, either Full or Incremental.
Traffic Data
    Indicates whether the backup includes traffic data.
User
    Displays System for an automatic backup or displays the user name for a manual backup.

Backing Up APS Manually

The Configure Backup and Restore Settings page allows you to create backups manually. See “About Backups” on page 454. A manual backup can be full or incremental, and you can specify whether it includes traffic data.
You might need to back up manually in the following situations:
- When you choose not to schedule backups.
- To save the initial system configuration. You can create a full backup of configuration data after you complete the initial configuration instead of waiting for the first scheduled backup time.
- To save configuration data at a time that is outside the automatic backup schedule. For example, if you configure a new server type and protection group, you can save the configuration data immediately instead of waiting for the next scheduled backup time.
- To save a different type of data than what is included in the scheduled backup. For example, if the scheduled backup contains only configuration data, you can create a backup that includes traffic data.
Note: Only one backup can run at a time. If a backup is already in progress, you cannot start the manual backup process.

Backing up manually

To back up APS manually:
1. Select Administration > Backup and Restore.
2. On the Configure Backup and Restore Settings page, click Back Up Now.
3. In the Manual Backup window, specify the backup criteria as follows:
   Type options
       Click Incremental or Full to define the scope of the backup. If this is the first time you have run a backup of any type, APS creates an initial full backup and these options do not appear. See “Types of backups” on page 455.
   Description box
       Type a description that can help to easily identify this backup. For example, if you just finished configuring APS, you might name the backup “Initial Configuration”.
   Include Traffic Data check box
       Select this check box to include traffic data in the backup. See “About the backup data” on page 454.
       Note: If APS is configured to save backups locally, then this check box does not appear.
4. Click Back Up.
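The following Python is an added illustration, not Arbor's code and not the APS backup implementation. It models three rules this chapter states: the Full and Incremental backup types, the local retention rule from "About backup storage" (the last five full backups plus the incremental backups made after them), and the chain of backups that restoring or downloading an incremental backup implies (see "Restoring APS from Backups" and "About the contents of incremental backup files"). The backup dates and descriptions are constructed sample values.

```python
"""
Model of the APS backup rules described in this chapter (added illustration,
not Arbor's code):
  - an Incremental backup holds only the files changed since the last backup,
  - restoring an Incremental backup also restores the last Full backup and
    every intermediate Incremental backup up to the selected one,
  - local storage keeps the last five Full backups plus the Incremental
    backups made after those Full backups, and deletes the rest.
Dates and descriptions below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    """One row of the Available Backups list."""
    created: datetime        # Date and Time column
    kind: str                # Type column: "Full" or "Incremental"
    description: str         # Description column
    traffic_data: bool       # Traffic Data column


def restore_chain(backups: List[Backup], selected: Backup) -> List[Backup]:
    """Return, oldest first, the backups that restoring `selected` applies.

    A Full backup stands alone. An Incremental backup depends on the most
    recent Full backup before it and on every Incremental backup in between.
    """
    if selected not in backups:
        raise ValueError("selected backup is not in the Available Backups list")
    ordered = sorted(backups, key=lambda b: b.created)
    idx = ordered.index(selected)
    if selected.kind == "Full":
        return [selected]
    start = idx
    while start >= 0 and ordered[start].kind != "Full":
        start -= 1
    if start < 0:
        # an Incremental backup with no preceding Full backup cannot be
        # restored on its own
        raise ValueError("no Full backup precedes the selected Incremental backup")
    return ordered[start:idx + 1]


def retained_locally(backups: List[Backup], keep_full: int = 5) -> List[Backup]:
    """Return, oldest first, the backups that the local retention rule keeps."""
    ordered = sorted(backups, key=lambda b: b.created)
    fulls = [b for b in ordered if b.kind == "Full"]
    if len(fulls) <= keep_full:
        return ordered
    oldest_kept = fulls[-keep_full]
    # Full backups older than the five most recent ones are deleted, and so
    # are the Incremental backups that were made before those five.
    return [b for b in ordered if b.created >= oldest_kept.created]


def sample_backups() -> List[Backup]:
    """Constructed Available Backups list: a weekly scheduled Full backup with
    two Incremental backups after each, over seven weeks (not real APS output).
    Local backups carry no traffic data, as the chapter states."""
    start = datetime(2018, 9, 1)
    rows = []
    for week in range(7):
        full_day = start + timedelta(days=7 * week)
        rows.append(Backup(full_day, "Full", "Scheduled Backup", False))
        for offset in (1, 3):
            rows.append(Backup(full_day + timedelta(days=offset),
                               "Incremental", "Scheduled Backup", False))
    return rows


if __name__ == "__main__":
    rows = sample_backups()
    latest = rows[-1]
    print("Restoring", latest.created.date(), latest.kind, "applies:")
    for b in restore_chain(rows, latest):
        print("  ", b.created.date(), b.kind)
    kept = retained_locally(rows)
    print(len(rows) - len(kept), "older backups are deleted by the local retention rule")
```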
Restoring APS from Backups

When you restore APS from a backup, you replace the existing data with the data in the backup that you select. When you restore from an incremental backup, APS also restores the last full backup and all of the intermediate incremental backups up to the selected incremental backup.
You typically restore from a backup to recover data after a hardware failure or other outage. See “Recovering from a system failure” on page 460.
See “About Backups” on page 454.
Important: In some circumstances, the data in the backup does not replace the existing data on APS. See "Data that is not restored from a backup" below and "Data restoration on APS devices" on the facing page.
When you use APS Console to manage APS, the configuration data from APS Console is periodically copied to each managed APS as appropriate. When you back up and restore APS Console and APS, you must follow certain guidelines to maintain the data synchronization. See “How Restoring Backups Affects the APS Console - APS Synchronization” on page 461.

Data that is not restored from a backup

When you restore data from a backup, the following data will not be restored because it is not included when APS is backed up:
- The interfaces traffic data that appears in the Interfaces section on the Summary page. This section does not display data until new data accumulates.
- The Hardware Security Module (HSM) configuration data. After a restoration, the HSM continues to decrypt traffic as defined by its latest configuration.
- Alerts and diagnostics packages
- Custom SSL certificates
- IP and network configurations
See “About Backups” on page 454.

Data restoration on APS devices

A backup restores the deployment mode. Therefore, if the APS that you restore is set to a different deployment mode than the backup, the backup changes the deployment mode on the APS.
See “Setting the Deployment Mode” on page 511.
APS handles data restoration from a backup as follows:

Deployment mode on backup: Inline Routed; deployment mode on the APS being restored: Inline Routed
    Result: The backup does not change the configuration settings for GRE tunneling, routes, and the protection interfaces. The backup also does not restore the configuration settings for the management interfaces.
Deployment mode on backup: Inline Routed; deployment mode on the APS being restored: Inline Bridged
    Result: The backup removes the configuration settings for GRE tunneling, routes, the protection interfaces, and the management interfaces.
Deployment mode on backup: Inline Bridged; deployment mode on the APS being restored: Inline Routed
    Result: The backup restores the configuration settings for GRE tunneling and routes. The backup does not restore the settings for the protection interfaces or the management interfaces.
Deployment mode on backup: Inline Bridged; deployment mode on the APS being restored: Inline Bridged
    Result: The backup restores the configuration settings for GRE tunneling and routes. The backup does not restore the configuration settings for the management interfaces.

Previous version support

You can restore backups that were created in an earlier version of APS than the version that you are replacing.

Stopping and restarting APS during data restoration

The restoration process automatically stops and restarts the APS services when necessary.
Caution: While the services are stopped, APS runs in bypass mode. In bypass mode, either network traffic passes through APS unaffected or APS is disconnected and traffic cannot pass through to the connected equipment. See “Configuring Hardware Bypass and Software Bypass” on page 499.
If certain configuration settings change between the time of the backup and the time of the restoration, then APS restarts during the restoration process. Changes in the following settings can cause a restart during restoration:
- user accounts
- backup settings
Changes in the following settings, which are configured in the CLI, can also cause a restart during restoration:
- DNS settings
- NTP settings
- SSH settings
- system settings (system name, banner, and so on)

Restoring from a backup

To restore from a backup:
1. Select Administration > Backup and Restore.
2. On the Configure Backup and Restore Settings page, in the Available Backups section, select the backup to restore.
3. Click Restore From Selected.
4. In the Restore APS window, click Restore.
   Do not close the browser window during this process.
5. When the Welcome window appears, log in to return to the APS UI.

Error handling

If an error occurs during the restoration process, a system alert is created and, if possible, the configuration data is rolled back to its previous state. For example, it is possible to roll back the configuration data when the connection to the remote server is dropped or the remote server goes down. In some situations, such as when APS goes down, it is not possible to roll back the configuration data. Traffic data cannot be rolled back.

Recovering from a system failure

To recover APS from a system failure:
1. If necessary, reinstall APS by following the instructions in “Reinstalling APS” on page 530.
2. In APS, configure the backup settings to use the same remote backup server as the failed system. See “Configuring Backup Settings” on page 135.
   After you save the settings, the Configure Backup and Restore Settings page displays the backups that are on the remote server.
3. Restore the most recent backup.

How Restoring Backups Affects the APS Console - APS Synchronization

When you use APS Console to manage APS devices, APS Console periodically copies its configuration data for a managed APS to the managed APS itself.
When you back up and restore APS Console and APS, you must follow certain guidelines to maintain the data synchronization.

Guidelines for restoring an APS Console backup

Important: Restore an APS Console backup only when all of the managed APS devices are disconnected. If you restore APS Console while APS devices are connected, then during the next synchronization, APS Console sends the old data to APS.
Before you restore an APS Console backup, follow these steps:
1. Disconnect each APS that is connected to APS Console as follows:
   a. Log in to the UI of the APS.
   b. Select Administration > General.
   c. On the Configure General Settings page, clear the APS Console box and the Shared Secret box, and then click Save.
2. Restore the APS Console backup. See “Restoring APS Console from a Backup” in the Arbor Networks® APS Console Advanced Configuration Guide.
   Now the data on APS Console is older than the data on APS.
3. Reconnect each APS. The data is synchronized as follows:
   - If APS Console was backed up before the APS was connected, the synchronization is the same as for a newly connected APS. APS Console copies any configurations from APS that postdate the backup. See “Initial synchronization” on page 80.
   - If APS Console was backed up after the APS was connected, the synchronization is the same as for any periodic synchronization. The configurations are copied from APS Console to APS as appropriate. See “Subsequent synchronizations” on page 82.

Guidelines for restoring an APS backup

When you run an APS backup, the state of the connection between APS Console and APS determines how you must restore that backup.

Backup scenario: You back up APS while it is connected to APS Console.
    How to restore APS: Restore the APS backup as usual. During the next synchronization, APS Console updates APS.
Backup scenario: You back up APS before it is connected to APS Console. Later, after APS is connected to APS Console, you need to restore the APS backup.
    How to restore APS:
    1. Restore the APS backup. Now APS is no longer connected to APS Console, because the backup does not include the connection configuration. However, APS Console still knows about the APS.
    2. Connect APS to APS Console. During the next synchronization, APS Console updates APS.
Backup scenario: You back up APS while it is connected to APS Console. Later, you disconnect APS. For example, you might need to move the device or return it for repair.
    How to restore APS:
    1. Restore the APS backup.
    2. Connect APS to APS Console. During the next synchronization, APS Console updates APS.

Additional information about backups and data synchronization

For additional information, see the following topics:
- Backing up and restoring APS — see “Configuring Backup Settings” on page 135 and “Restoring APS from Backups” on page 458.
- Connecting APS to APS Console — see “Configuring APS for APS Console Management” on page 111.
- The data synchronization — see “About the APS Console - APS Data Synchronization” on page 80.

Downloading and Uploading Backup Files

You can store configuration backup files locally on APS. For example, creating a configuration backup locally allows you to copy the configuration settings to another APS installation without setting up a remote server. The download and upload options on the Configure Backup and Restore Settings page allow you to export backup files and import backup files between APS installations.
Important: The download and upload options are available only if you store backups locally.
About the contents of incremental backup files

An incremental backup file that you download or upload contains the following backups:
- the selected incremental backup
- all of the incremental backups between the selected incremental backup and the last full backup
- the last full backup
When you upload an incremental backup to another APS installation, all of these backups appear on the Configure Backup and Restore Settings page.

Downloading a backup file

To download a backup file from APS to another location:
1. Select Administration > Backup and Restore.
2. On the Configure Backup and Restore Settings page, in the Available Backups section, select the backup to download.
3. Click Download Selected.
4. Save the file according to your browser options.

Uploading a backup file

To upload a backup file to APS from another location:
1. Select Administration > Backup and Restore.
2. On the Configure Backup and Restore Settings page, in the Available Backups section, click Upload Backup.
3. In the Upload a Backup File window, click Browse or Choose File (depending on your browser), navigate to the backup file, and then click Upload.
4. When the upload finishes, in the Upload a Backup File window, choose one of the following steps:
   - Click Close to end the upload session.
   - Click Upload another and repeat step 3 of this procedure to upload another backup.

Part V: Advanced Configuration

Chapter 21: Using the Command Line Interface (CLI)

This section provides instructions for connecting to and using the command line interface (CLI).
In this section
This section contains the following topics:
About the Command Line Interface (CLI) 468
About the Connections to the Command Line Interface 469
Logging in to and out of the APS Command Line Interface 471
Getting Help in the CLI 473
About the CLI Command Components 474
Entering CLI Commands 475
Navigating the CLI Command Hierarchy 477
Editing Command Lines 478
Viewing Statuses in the CLI 480

About the Command Line Interface (CLI)
The command line interface (CLI) allows you to enter commands and navigate through the directories on the APS appliance. Typically, the CLI is used for installing and upgrading the software and completing the initial configuration. In addition, some advanced functions can only be configured by using the CLI.
To access the APS command line interface (CLI), you can connect to the appliance directly or remotely. See “About the Connections to the Command Line Interface” on the facing page.

Prerequisite
Before you can log in to and access the CLI, you must complete the initial installation and configuration procedures that are listed in the APS Quick Start Card.

About the Connections to the Command Line Interface
To access the APS command line interface (CLI), you can connect to the appliance directly or remotely. See “Logging in to and out of the APS Command Line Interface” on page 471.

Options for connecting to the CLI
The following figure shows the options and ports that you can use to connect to the CLI.
[Figure: Options for connecting to the CLI]
The following table describes the connections in the figure:

Connection options
1: Serial port with either of the following options (but not both): a serial console server, or a computer. See “Serial port connection” below.
2: VGA connector with monitor (direct connection). See “Direct monitor and keyboard connection” on the next page.
3: USB port with keyboard (direct connection). See “Direct monitor and keyboard connection” on the next page.
4: Management port mgt0 with SSH. See “SSH connection” on the next page.

Serial port connection
You can connect a computer directly to the serial port on the APS appliance. Alternatively, you can connect a serial console to the serial port on the APS appliance, and then use a terminal emulator to access the CLI. An example of a terminal emulation program is HyperTerminal. See “Terminal emulation settings” on the next page.
The boot commands are available when you connect through the serial port.
To use the serial port, you must connect it to the console with a null modem (RJ-45) cable. This type of cable is not included in your appliance package. Instructions for connecting the serial cable are in the APS Quick Start Card.

Terminal emulation settings
Use the following settings to configure your terminal emulation program to connect to the CLI:

Typical terminal emulation settings
Baud rate: 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None

Direct monitor and keyboard connection
You can access the appliance directly by connecting a monitor and keyboard to the VGA and USB ports respectively. When you connect directly, you can access the CLI without having to enter an IP address. This connection method is typically used during the initial configuration and emergencies.
The boot commands are available when you connect directly.
SSH connection
You can access the APS appliance by using a network protocol such as SSH. The boot commands are not available when you connect through SSH.
The SSH service is enabled by default.

Logging in to and out of the APS Command Line Interface
APS has a command line interface (CLI) that you can use to perform advanced configurations and other tasks. See “About the Command Line Interface (CLI)” on page 468.
The method that you use to connect to APS determines your login procedure. You can log in to the serial port through terminal emulation, log in directly through a terminal or a keyboard and monitor connected to the appliance, or log in through an SSH session. See “About the Connections to the Command Line Interface” on page 469 for more information about these connection methods.

Default username and password
When you log in to the CLI for the first time, you can use the default username and password. The default username is admin. The default password is arbor.
Important: Change this password for security purposes after you log in for the first time. See “Editing Your User Account” on page 87.

Logging in to the serial port through terminal emulation
To log in to the serial port through terminal emulation:
1. Start your terminal emulator and establish a connection to the APS serial port.
2. If you are prompted to press any key, do so. If you do not press a key within five seconds, APS tries to boot automatically.
3. If the boot menu appears, select disk.
4. At the CLI login prompt, enter your user name.
5. Enter your password.

Logging in directly to the serial port
To log in directly to the serial port:
1. If you connected a terminal directly to the serial port, turn on the terminal.
2. If you are prompted to press any key, do so. If you do not press a key within five seconds, APS tries to boot automatically.
3. If the boot menu appears, select disk.
4. At the CLI login prompt, enter your user name.
5. Enter your password.

Logging in through SSH
To log in through SSH:
1. Start your SSH client and establish a connection by entering the IP address or DNS hostname for APS as needed.
2. At the CLI login prompt, enter your user name.
3. Enter your password.

Logging out of the CLI
To log out of the CLI:
- In the CLI, enter exit

Getting Help in the CLI
Throughout the command line interface (CLI), you can get help for the commands and command arguments that are available.

Types of Help commands
The CLI provides the following Help commands:

CLI Help commands
help: Lists the commands that are available within a directory.
help global: Lists the commands that are available from all directories.
?: Lists the commands that are available within a directory or the arguments that are available within a command. Note: You do not have to press ENTER after you type the question mark.

Example: Help commands
The following example shows the types of Help commands:

admin@example.com:/# help
Subcommands:
  ip/         IP and network configuration
  services/   System services
  system/     System configuration
admin@example.com:/# help global
Global commands:
  ..          Return to previous menu
  /           Return to root menu
  clock       Show or set the system clock
  config      Show or save the system configuration
  edit        Enter configuration mode
  help/?      Show available commands
  ping        Ping a network host
  ping6       Ping a network host (IPv6)
  quit/exit   Exit the command shell
  reload      Reload the system
  shutdown    Shutdown the system
  traceroute  Trace route to a network host
  traceroute6 Trace route to a network host (IPv6)
  users       Show user login summary
admin@example.com:/# clock ?
  set   Set the system clock
  <cr>
admin@example.com:/# clock set ?
  [MMDDhhmm[[CC]YY][.ss]]

About the CLI Command Components
The CLI commands follow a specific syntax and consist of several components. These components are represented in a specific way in this guide and the CLI Help.

Components of CLI commands
The CLI command syntax is: command keyword argument parameter. The components of a CLI command are as follows:

Components of CLI commands
command: The actual command or action to be taken, which might take other arguments. For example, the help command takes no keywords or arguments; the mode command takes keywords (for example, set) and arguments (for example, inline).
keyword: A specific action that the command must take. For example, among the actions that the groups command can take are add and copy.
argument: An entity to be acted upon by the keyword.
parameter: A user-defined parameter (variable) that is required for some arguments. For example, port requires that you type a physical port number. Where possible, this guide provides valid parameters or parameter guidelines in a command’s description.

Conventions for commands and expressions
The following conventions show the syntax of commands and expressions. Do not type the brackets, braces, or vertical bar in commands or expressions.

Typographic conventions for commands and expressions
Monospaced bold: Information that you must type exactly as shown.
Monospaced italics: A variable for which you must supply a value.
{ } (braces): A set of choices for options or variables, one of which is required. For example: {option1 | option2}.
[ ] (square brackets): A set of choices for options or variables, any of which is optional. For example: [variable1 | variable2].
| (vertical bar): Separates the mutually exclusive options or variables.
Entering CLI Commands
The command line interface (CLI) uses a standard command line command hierarchy that allows you to enter commands and navigate through the directories.

Command types
The types of CLI commands are as follows:

CLI command types
Sub commands: The command is specific to the current directory.
Global: The command is available anywhere in the command hierarchy.

Entering a command
To enter a command in the CLI:
- At the command prompt, type the command, and then press ENTER.

Guidelines for typing commands
When you enter a CLI command, follow these guidelines:
- Because the commands are case sensitive, enter them exactly as they are shown in this guide or in the CLI Help.
- You are only required to enter the minimal number of characters that form a unique abbreviation of a command. For example, you can type sy instead of system. Alternatively, if you cannot remember a complete command name, enter the first few letters and press TAB. The system completes the command.
- You can group multiple commands into one compound command. See “Examples of singular and compound commands” below.
- After you type a command, press ENTER or RETURN to execute it.
- When you enter a string that contains one or more spaces, enclose the string within double quotation marks. The CLI parses literal text that contains spaces only if the string is within quotation marks. All of the text that is within quotation marks is parsed as case sensitive. See “Examples of literal text parsing” on the next page.
See “Components of CLI commands” on the previous page.

Examples of singular and compound commands
The following examples show how to enter singular or compound commands to navigate to the banner directory:

Singular command
admin@example.com:/# system
admin@example.com:/system# banner
Banner:
Welcome to ArbOS

Compound command
admin@example.com:/system# ..
admin@example.com:/# system banner
Banner:
Welcome to ArbOS

Examples of literal text parsing
- services aaa groups show My Group generates an error.
- services aaa groups show "My Group" displays the desired output.

Saving the configuration
It is important to save the configuration whenever you make changes. Saving the configuration ensures that the current changes take effect immediately and preserves the configuration if APS is rebooted. Typically, you do not need to save the configuration after every command that you enter. It is usually sufficient to save the configuration at the end of every session.
To save the configuration:
- From anywhere within the CLI, enter config write

Navigating the CLI Command Hierarchy
The command line interface (CLI) commands are arranged in a hierarchical manner, similar to a file system. When you log in to the CLI, you are in the root directory, which is represented in the command prompt by a / (slash). For example:
admin@example.com:/#
As you enter commands in the CLI, the command prompt displays your location in the command hierarchy.

Navigating the CLI hierarchy
The commands for navigating the CLI are as follows:

Commands for navigating the CLI hierarchy
Move down the hierarchy: Type one or more directory commands. For example: system files
Back up one level: Type .. (two periods).
Return to the root directory: Type / (slash).
As with all of the CLI commands except the ? (question mark), you must press ENTER after each command.

Example: Navigating the hierarchy
The following example shows how to navigate the CLI hierarchy:
admin@example.com:/# system files
admin@example.com:/system/files# ..
admin@example.com:/system# ..
admin@example.com:/# ip
admin@example.com:/ip# interfaces
admin@example.com:/ip/interfaces# /
admin@example.com:/#

Editing Command Lines
The command line interface (CLI) contains a command line editor that provides entry shortcuts and editing capabilities. This command line editor is similar to the Emacs realtime text editor.

Moving the cursor around the command line
To move the cursor around the command line and make corrections or changes, use the following keystrokes:

Keystrokes for moving the cursor around the command line
CTRL+B or the Left Arrow key: Moves the cursor back (left) one character.
CTRL+F or the Right Arrow key: Moves the cursor forward (right) one character.
CTRL+A: Moves the cursor to the beginning of the command line.
CTRL+E: Moves the cursor to the end of the command line.
ESC+B: Moves the cursor back one word.
ESC+F: Moves the cursor forward one word.

Recalling commands
The CLI contains a command buffer that stores the last 30 commands that you entered. You can recall these commands and paste them into the command line. This feature is particularly useful for recalling long or complex commands or entries.
To recall commands from the buffer, use the following keystrokes:

Keystrokes for recalling commands
CTRL+P or the Up Arrow key: Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands. Note: If you press CTRL+P more than 30 times, you loop back to the first entry.
CTRL+N or the Down Arrow key: Returns to more recent commands in the history buffer after you have recalled commands. Repeat the key sequence to recall successively more recent commands.
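The guidelines for typing commands (unique-prefix abbreviation, compound commands, double-quoted literals with spaces) and the hierarchy navigation shown above, worked as an added example that is not part of this guide. CLI_TREE is a constructed subset of the directories that appear in the guide's own examples; the real ArbOS parser is not published here, so this models only the documented rules.

```python
# Added example, not part of the APS User Guide: a small model of the three
# rules in "Guidelines for typing commands": case-sensitive unique-prefix
# abbreviation (sy -> system), compound commands that walk several
# directories at once, and double-quoted literals for arguments that
# contain spaces. CLI_TREE is a constructed subset of the directories shown
# in the guide's examples; the real ArbOS parser is not published here.
from typing import Dict, List

# Constructed directory tree: directory path -> names available inside it.
CLI_TREE: Dict[str, List[str]] = {
    "/": ["ip", "services", "system"],
    "/ip": ["interfaces"],
    "/services": ["aaa"],
    "/services/aaa": ["groups"],
    "/system": ["banner", "files"],
}


def expand_abbreviation(typed: str, candidates: List[str]) -> str:
    """Resolve what the user typed against the names in the current directory.
    An exact (case-sensitive) match wins; otherwise the prefix must match
    exactly one name, the way `sy` stands for `system` in the guide."""
    if typed in candidates:
        return typed
    matches = [c for c in candidates if c.startswith(typed)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown command: {typed!r}")
    raise ValueError(f"ambiguous command {typed!r}: {', '.join(sorted(matches))}")


def tokenize(line: str) -> List[str]:
    """Split a command line on whitespace, except inside double quotation
    marks, which is how the guide says literal text with spaces is passed."""
    tokens: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quotation mark")
    if current:
        tokens.append("".join(current))
    return tokens


def navigate(cwd: str, line: str) -> str:
    """Apply a singular or compound navigation command from directory `cwd`
    and return the resulting prompt path (`..` goes up, `/` goes to root)."""
    path = cwd
    for tok in tokenize(line):
        if tok == "/":
            path = "/"
        elif tok == "..":
            path = path.rsplit("/", 1)[0] or "/"
        else:
            name = expand_abbreviation(tok, CLI_TREE.get(path, []))
            path = f"/{name}" if path == "/" else f"{path}/{name}"
    return path


def group_show_argument(line: str) -> str:
    """Model the argument check behind `services aaa groups show <name>`:
    the group name must arrive as one token, so `show My Group` is an
    error while `show "My Group"` is accepted."""
    args = tokenize(line)
    if len(args) != 1:
        raise ValueError(f"expected one group name, got {len(args)} words: {args}")
    return args[0]
```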
Deleting entries
To delete command entries if you make a mistake or change your mind, use the following keystrokes:

Keystrokes for deleting entries
BACKSPACE: Deletes the character to the left of the cursor.
CTRL+D: Deletes the character at the cursor.
CTRL+K: Deletes all of the characters from the cursor to the end of the command line.
CTRL+U: Deletes all of the characters from the cursor to the beginning of the command line.
ESC+D: Deletes from the cursor to the end of the word.

Transposing mistyped characters
To transpose a mistyped command entry, press CTRL+T. The character that is to the left of the cursor is replaced with the character that is to the right of the cursor.

Breaking out of long outputs
Some commands result in outputs that run for multiple screens. To interrupt these long outputs, press CTRL+C. After you press this key sequence, you are immediately returned to the CLI prompt.

Viewing Statuses in the CLI
You can view status information from the CLI.

Viewing the status of the current directory
You can view the directory status from most of the directories within the CLI. The results that appear represent the state of the configurations that you can set within that directory. For example, when you show the status of the services/aaa directory, the authentication and user information appears. This command is available only in the directories that contain configuration-level information.
To view the status of the current CLI directory:
- Enter show

Viewing the current configuration
To view the current configuration:
- From anywhere within the CLI, enter config show

Chapter 22: Configuring User Groups and Authentication
You can create custom user groups to organize APS users by the different levels of system access.
You can also set the authentication method that is used for users to log in to APS, including RADIUS and TACACS+. User access Administrators who have the srv_aaa authorization key can complete all of the actions that are described in this section. In this section This section contains the following topics: About User Groups 482 Adding and Deleting User Groups 483 Assigning Authorization Keys to User Groups 484 Setting the Authentication Method for RADIUS and TACACS+ 490 Configuring RADIUS Integration 492 Configuring TACACS+ Integration 494 Changing the Default User Group for RADIUS and TACACS+ 496 APS User Guide, Version 6.0 481 APS User Guide, Version 6.0 About User Groups User groups allow you to organize APS users by the different levels of system access that they are allowed. When you create a user account, you assign it to a user group. The owner of that account inherits the access levels that are assigned to that user group. See “Configuring User Accounts” on page 114. About authorization keys An administrator assigns authorization keys to a user group, which determines the level of system access that is granted to the users in that group. For a list of the authorization keys that are assigned to each user group, see “Assigning Authorization Keys to User Groups” on page 484 . Predefined user groups You can assign a user account to one of the following predefined groups: Predefined user groups Group Access system_admin Allows full administrative access to view and configure APS settings. Users in this group have read and write access to the UI, the API, and the command line interface (CLI). Users also can add and delete system_admin, ddos_admin, system_user, and system_none user accounts. ddos_admin Allows limited administrative access, to view and configure DDoS mitigation settings only. Users in this group have read and write access to some of the UI pages and a subset of CLI commands. 
Users also can add and delete ddos_admin, system_user, and system_none user accounts. system_user Allows read access to view events and run blocked host queries using the UI. Users in this group cannot add user accounts, but they can change the real name, email, time zone, and password for their account. system_none Denies APS access to unwanted users who have an account on a TACACS+ or RADIUS server. When your organization uses RADIUS or TACACS+ authentication, it is possible for all users who have an account on the authentication server to access APS. Use this group to lock out users, and assign other user groups to users who need APS access. See “Changing the Default User Group for RADIUS and TACACS+” on page 496. Custom user groups Administrators can define custom user groups in the command line interface (CLI). See “Adding and Deleting User Groups” on the facing page. 482 Proprietary and Confidential Information of Arbor Networks Inc. Chapter 22: Configuring User Groups and Authentication Adding and Deleting User Groups User groups allow you to organize APS users by different levels of system access. APS has several predefined user groups, and system administrators can define custom user groups. Only users in the system_admin user group can add and delete user groups. See “About User Groups” on the previous page. You define user groups in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information. Adding a user group When you add a new user group using the add command, the new group is created without any authorization keys. See “Assigning Authorization Keys to User Groups” on the next page. To add a user group: 1. Log in to the CLI with your administrator user name and password. 2. Enter / services aaa groups add name. name = the group name 3. 
To save the configuration, enter / config write Copying a user group When creating a user group that is similar to an existing group, you can copy the existing group and then edit the copy. The new user group inherits all of the authorization keys from the original group. To copy a user group: 1. Log in to the CLI with your administrator user name and password. 2. Enter / services aaa groups copyexisting_group new_group. existing_group = the name of the group to copy new_group = the name of the new group that is a copy of the existing group 3. To save the configuration, enter / config write Deleting a user group To delete a user group: 1. Log in to the CLI with your administrator user name and password. 2. Enter / services aaa groups delete name. name = the group name 3. At the confirmation prompt, enter y. 4. To save the configuration, enter / config write Proprietary and Confidential Information of Arbor Networks Inc. 483 APS User Guide, Version 6.0 Assigning Authorization Keys to User Groups The authorization keys that are assigned to a user group determine the level of system access that is granted to the users in that group. Only users in the system_admin user group can add and delete authorization keys, and assign authorization keys for any new groups that are created. See “About User Groups” on page 482. You assign authorization keys in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information. Adding and deleting authorization keys To add or delete an authorization key: 1. Log in to the CLI with your administrator user name and password. 2. Enter / services aaa groups key {add | delete} name key {add | delete} = Enter add to assign an authorization key or delete to remove one. name = the group name key = the authorization key to assign For a list of the authorization keys that are available, see “User group authorization keys” below. 3. 
Repeat this procedure for each additional authorization key that you want to add or delete. 4. To save the configuration, enter / config write Viewing the group authorization keys To view the user group authorization keys: n In the CLI, enter / services aaa groups show name name = the group name If you do not include the user group name, APS displays the authorization keys for all user groups. User group authorization keys The following table shows the authorization keys that a system_admin can assign to user groups. This table also shows the user groups that the authorization keys are assigned to by default. When you assign an authorization key to a user group, enter the key name exactly as it is shown. User group authorization keys 484 Predefined group assignment Key Description api_access Access the API. system_admin ddos_admin system_user clock Set the system clock. system_admin Proprietary and Confidential Information of Arbor Networks Inc. Chapter 22: Configuring User Groups and Authentication User group authorization keys (Continued) Predefined group assignment Key Description conf_imp Import a configuration from disk. system_admin ddos_admin conf_show Show the running or saved configuration. system_admin ddos_admin system_user conf_write Save the running configuration or export to disk. system_admin diag_admin Create a diagnostics package. system_admin ddos_admin edit_accounts Edit user accounts. system_admin ddos_admin edit_active_cs Edit targeted Cloud Signaling requests. system_admin ddos_admin system_user edit_aif Edit the AIF connection settings. system_admin ddos_admin edit_cloud Edit the Cloud Signaling configuration. system_admin edit_diag Create diagnostic packages. system_admin ddos_admin edit_files Manage files. system_admin ddos_admin edit_filter Edit the master filter list. system_admin ddos_admin edit_general_settings Manage general settings. system_admin ddos_admin edit_inline_mode Change the protection mode (active or inactive). 
system_admin ddos_admin edit_interfaces Configure the interfaces and GRE tunneling. system_admin edit_notify Manage notification settings. system_admin edit_otf Edit the outbound threat filter configuration. system_admin ddos_admin Proprietary and Confidential Information of Arbor Networks Inc. 485 APS User Guide, Version 6.0 User group authorization keys (Continued) Predefined group assignment Key Description edit_pg Manage protection groups. system_admin ddos_admin edit_protection_level Change the global protection level. system_admin ddos_admin edit_report Edit and schedule Executive Summary reports. system_admin ddos_admin edit_sysevents Manage system events. system_admin ddos_admin explore_blocked_hosts Explore historical blocked hosts log. system_admin ddos_admin system_user explore_packets Capture packets in real time. system_admin ddos_admin system_user ip_access Edit and apply the IP access rules. system_admin Note This key is not supported by vAPS on AWS. ip_arp Modify the Address Resolution Protocol (ARP) information. system_admin Note This key is not supported by vAPS on AWS. ip_int Edit the IP interface configuration. system_admin Note This key is not supported by vAPS on AWS. ip_route Edit the routing configuration. system_admin Note This key is not supported by vAPS on AWS. ip_snoop Snoop network interface traffic. Note This key is not supported by vAPS on AWS. 486 system_admin, ddos_admin Proprietary and Confidential Information of Arbor Networks Inc. Chapter 22: Configuring User Groups and Authentication User group authorization keys (Continued) Key Description Predefined group assignment ip_tee Edit the IP tee configuration. system_admin Note This key is not supported by vAPS on AWS. login_cli Access the command line interface (CLI) environment. Note Only the admin user can access the CLI on a vAPS on Arbor Web Services (AWS). system_admin ddos_admin system_user login_ui Access the web user interface. 
system_admin ddos_admin system_user pravail_admin Start and stop APS services and complete other administrative tasks. system_admin ddos_admin reload Reload the system. system_admin ddos_admin shutdown Shut down the system. system_admin ddos_admin srv_aaa Edit local user and authentication, authorization, and accounting (AAA) configuration. system_admin srv_backup Configure and run backups, and restore data. system_admin ddos_admin srv_dns Edit the DNS cache configuration. system_admin srv_http Edit the HTTP configuration. system_admin srv_log Edit the logging configuration, and view the log. system_admin ddos_admin srv_nfs Edit the NFS configuration. system_admin srv_ntp Edit the NTP configuration. system_admin Note This key is not supported by vAPS on AWS. srv_snmp Edit the SNMP configuration. Proprietary and Confidential Information of Arbor Networks Inc. system_admin 487 APS User Guide, Version 6.0 User group authorization keys (Continued) Key Description Predefined group assignment srv_ssh Edit the SSH configuration. system_admin Note This key is not supported by vAPS on AWS. srv_ssh_key Manage SSH keys. system_admin Note This key is not supported by vAPS on AWS. srv_telnet Edit the telnet configuration. system_admin sys Edit the system information. system_admin sys_att Edit the system attributes. system_admin sys_cdrom Lock and unlock the CD drive. system_admin Note This key is not supported by vAPS on AWS. sys_disk Manage the system disks. system_admin sys_file Manage files. system_admin Note This key is not supported by vAPS on AWS. sys_file_admin Install and uninstall software packages. system_admin Note This key is not supported by vAPS on AWS. 488 sys_hsm Access the Hardware Security Module (HSM). system_admin view_active_cs View targeted Cloud Signaling requests. system_admin ddos_admin view_changelog View the system change log. system_admin ddos_admin view_filter View the APS master filter list. 
system_admin ddos_admin system_user Proprietary and Confidential Information of Arbor Networks Inc. Chapter 22: Configuring User Groups and Authentication User group authorization keys (Continued) Predefined group assignment Key Description view_otf View the Outbound Threat Filter page. system_admin ddos_admin system_user view_pg View the protection groups. system_admin ddos_admin system_user view_report View the ATLAS Global DDoS Report and the Executive Summary Reports. system_admin ddos_admin Proprietary and Confidential Information of Arbor Networks Inc. 489 APS User Guide, Version 6.0 Setting the Authentication Method for RADIUS and TACACS+ If you authenticate your users with the RADIUS or TACACS+ authentication service, you must specify which authentication method you use. If you use multiple methods, you also must specify the order in which APS should try each method. APS tries each method according to the order in which you list them, until one method succeeds or until they all fail. If you do not specify a method, APS uses local authentication. You set the authentication method in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information. After you set the authentication method, configure the integration between APS and the authentication server. See “Configuring RADIUS Integration” on page 492 and “Configuring TACACS+ Integration” on page 494 . About the default user group By default, any user who is not assigned to a user group on the RADIUS or TACACS+ server is assigned to the predefined system_user group in APS. If the system_user group’s authorizations are inappropriate for your RADIUS or TACACS+ users, you can change the default group to which they are assigned. See “Changing the Default User Group for RADIUS and TACACS+” on page 496. Setting the authentication method To set the authentication method: 1. Log in to the CLI with your administrator user name and password. 2. 
Enter / services aaa method set {local | radius | tacacs} {local | radius | tacacs} = Type one of these methods or any combination of these methods, in the order in which APS should use them to authenticate. Type a space between each method. Important If you want APS to perform both RADIUS and local authentication, you must explicitly set both methods. Setting exclusive authentication If you set multiple authentication methods, but want a user to log in with one method only, you can enable the exclusive method. With the exclusive method, once a user logs in successfully with one method, APS does not try to authenticate using any of the other specified methods. Also, if APS connects to an authentication server, but the user is unable to log in, then the user cannot log in with any method. APS tries to authenticate with the next listed method only when the server is unreachable on the network. To set the method as exclusive: Enter / services aaa method exclusive enable n 490 Proprietary and Confidential Information of Arbor Networks Inc. Chapter 22: Configuring User Groups and Authentication If you set the “tacacs local” method exclusively, without an administrator-level user with an account on the TACACS+ server, then you cannot log in as an administrative-level user. For example, if “admin” on example.com is the only privileged user but TACACS+ does not have an administrative user, then “admin” cannot log in to example.com. The only way “admin” can log into example.com is to make the TACACS+ server unavailable (for example, by unplugging the network, etc.) Configuring the accounting level You can configure the accounting settings for each authentication method. Use local and TACACS+ accounting to track and log software log ins, configuration changes, and interactive commands. Use RADIUS accounting to track software log ins. To configure the accounting level: 1. Enter / services aaa {local | radius | tacacs} accounting set level {none | login | change | commands}. 
   {local | radius | tacacs} = the authentication method for which to configure the accounting level
   {none | login | change | commands} = the accounting level. The default accounting level is none. Enter login to track software logins. For TACACS+ only, enter change to track configuration changes and commands to track interactive commands.
2. Repeat step 1 to set additional accounting levels.

Configuring RADIUS Integration

APS can perform static password authentication with Remote Authentication Dial In User Service (RADIUS). This optional feature integrates APS with your existing RADIUS implementation.
Important: To use RADIUS for authentication, you must specify RADIUS as the authentication method. Otherwise, the system uses local authentication. See “Setting the Authentication Method for RADIUS and TACACS+” on page 490.

About integrating with RADIUS servers
You can integrate with a primary server and a backup server. When APS connects, it tries to connect to the primary server, and then to the backup server. If APS cannot reach either of the servers, it tries the next configured authentication method.

Integrating with a server
To integrate with a RADIUS server:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa radius server set {primary | backup} IP_address {encrypted | unencrypted} secret port
   {primary | backup} = primary sets the primary server; backup sets the backup server
   IP_address = the IPv4 address or IPv6 address for the primary server or the backup server
   {encrypted | unencrypted} = indicates whether the secret that you enter is encrypted or unencrypted
   secret = the secret that APS uses to communicate with the RADIUS server. For security purposes, use a secret that contains a variety of characters.
   port = (Optional) If you do not want to use the default RADIUS port, then specify the port on which APS communicates with the RADIUS server.

Setting the number of retries and the timeout period
The retries setting specifies the number of times APS tries to authenticate after the first attempt fails. The timeout period specifies the length of time APS waits for a connection before it tries to connect to the specified backup server. The default settings are two retry attempts and a two-second timeout. You only need to configure these settings if you want to change the defaults.
To configure the number of retries and the timeout period:
1. In the CLI, enter / services aaa radius retries set number
   number = the number of times (1 - 60) that APS tries to authenticate after the first attempt fails
2. Enter / services aaa radius timeout set number
   number = the number of seconds (1 - 60) that APS waits for a connection before it tries the backup server
To revert to the default settings for the number of retries and the timeout period:
1. In the CLI, enter / services aaa radius {retries | timeout} clear
   {retries | timeout} = specifies the setting to clear. You can specify only one of these settings per command.
2. (Optional) Repeat step 1 to clear the other setting.

Configuring a Network Access Server (NAS) identifier
The Network Access Server (NAS) identifier is a string that identifies the NAS that originates an access request.
To configure a NAS identifier:
- In the CLI, enter / services aaa radius nas_identifier set string
  string = an ASCII string of up to 253 characters

Clearing the NAS identifier
To clear the NAS identifier:
- In the CLI, enter / services aaa radius nas_identifier clear

Viewing the current RADIUS configuration
To view the current RADIUS configuration:
- In the CLI, enter / services aaa radius show

About setting the APS user group for RADIUS users
You must set the APS user group for RADIUS users on the RADIUS server. To do so, you set an Arbor-Privilege-Level attribute that has the user group name as its value. You can specify any of the predefined user groups or a custom user group. For example:
   Arbor-Privilege-Level = system_user
or
   Arbor-Privilege-Level = system_none
Any user who is not assigned to a user group on the RADIUS server is assigned to the default user group in APS. Initially, the default user group is system_user. If the authorizations for the default group are inappropriate for your RADIUS users, you can change the default group to which they are assigned. See “Changing the Default User Group for RADIUS and TACACS+” on page 496.
For the RADIUS server to interpret the Arbor-Privilege-Level attribute, you must add the following lines to the RADIUS dictionary file:
   VENDOR Arbor 9694
   ATTRIBUTE Arbor-Privilege-Level 1 string Arbor

Configuring TACACS+ Integration

APS can perform static password authentication with an existing TACACS+ implementation. TACACS+ authentication is available for CLI connections through SSH, and web interface access through HTTPS. If you log in and authenticate using TACACS+, you must specify TACACS+ as the authentication method. See “Setting the Authentication Method for RADIUS and TACACS+” on page 490. After you set the authentication method, configure the integration between APS and the authentication server.
You configure TACACS+ integration in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information.

About adding servers
You can add both a primary server and a backup server. When APS connects, it tries to connect to the primary server, and then to the backup server. If APS cannot reach either of the servers, it tries the next authentication method that is configured, if any.

Adding a TACACS+ server
To add a TACACS+ server:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa tacacs server set {primary | backup} IP_address port {encrypted | unencrypted} secret
   {primary | backup} = specifies which server to configure
   IP_address = the IPv4 address or IPv6 address of the primary or backup server
   port = the port number on which APS communicates with the TACACS+ server. You must specify a TCP port.
   {encrypted | unencrypted} = indicates whether the secret that you enter is encrypted or unencrypted
   secret = the secret that APS uses to communicate with the TACACS+ server. For security purposes, use a secret that contains a variety of characters.

Setting the timeout period
The timeout period specifies the length of time APS waits for a connection before it tries to connect to the specified backup server. The default is a two-second timeout. You only need to configure this setting if you want to change the default.
To set the timeout period:
- In the CLI, enter / services aaa tacacs timeout set number
  number = the number of seconds (1 - 60) that APS waits for a connection before it tries the backup server

Reverting to the default timeout period
To revert to the default timeout:
- In the CLI, enter / services aaa tacacs timeout clear

About TACACS+ password expiration
You can configure APS to display a warning message in the UI when a password is about to expire.
Users with expired passwords cannot log in to APS.

Configuring password expiration notifications
To configure notifications for passwords that are expiring:
- In the CLI, enter / services aaa tacacs tacpass_expiry_notify {enable | disable}
  {enable | disable} = specifies whether to enable or disable the notifications

Viewing the current TACACS+ configuration
To view the current TACACS+ configuration:
- In the CLI, enter / services aaa tacacs show

About setting the APS user group for TACACS+ users
You must set the APS user group for TACACS+ users on the TACACS+ server. To do so, set an arbor service with an arbor_group attribute that has the user group name as its value. You can specify any of the predefined user groups or a custom user group. For example:
   service = arbor {
       arbor_group = system_user
   }
or
   service = arbor {
       arbor_group = system_none
   }
Any user who is not assigned to a user group on the TACACS+ server is assigned to the default user group in APS. Initially, the default user group is system_user. If the system_user group’s authorizations are inappropriate for your TACACS+ users, you can change the default group to which they are assigned. See “Changing the Default User Group for RADIUS and TACACS+” on the next page.

Changing the Default User Group for RADIUS and TACACS+

If you use RADIUS or TACACS+ to authenticate APS users, you must set the user group for those users on the respective RADIUS or TACACS+ server. Any user who is not assigned to a user group on the RADIUS or TACACS+ server is assigned to the default user group in APS. Initially, the default user group is the predefined group system_user. If the system_user group’s authorizations are inappropriate for your RADIUS or TACACS+ users, you can change the default group to which they are assigned. See “About User Groups” on page 482.
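The group-attribute rules for RADIUS (Arbor-Privilege-Level, vendor 9694) and TACACS+ (arbor_group) above, the default-group fallback, and the method-order and exclusive-mode rules from “Setting the Authentication Method for RADIUS and TACACS+”, modeled in Python as an added example. This is not Arbor code: the attribute bytes follow the standard RADIUS Vendor-Specific attribute layout (RFC 2865), and the group names and login outcomes are constructed for illustration.

```python
"""Model of the APS AAA rules in this chapter (added example, not Arbor code).

Rules modeled: configured methods are tried in order; with the exclusive method a
reachable server that rejects the user ends the login and APS only falls through when
the server is unreachable; the APS user group comes from the server attribute
(RADIUS Arbor-Privilege-Level, vendor 9694 attribute 1, or TACACS+ arbor_group)
and a user with no group lands in the configured default group.
"""
import re
import struct

RADIUS_VENDOR_SPECIFIC = 26    # Vendor-Specific attribute type (RFC 2865)
ARBOR_VENDOR_ID = 9694         # "VENDOR Arbor 9694" from the dictionary lines
ARBOR_PRIVILEGE_LEVEL = 1      # "ATTRIBUTE Arbor-Privilege-Level 1 string Arbor"
DEFAULT_GROUP = "system_user"  # initial default; changed with "services aaa groups default set"


def encode_privilege_level(group):
    """Build the Vendor-Specific attribute a RADIUS server sends for Arbor-Privilege-Level = group."""
    value = group.encode("ascii")
    vendor_part = struct.pack("!BB", ARBOR_PRIVILEGE_LEVEL, 2 + len(value)) + value
    body = struct.pack("!I", ARBOR_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def radius_group(attributes):
    """Walk the attribute TLVs of an Access-Accept; return the Arbor-Privilege-Level value or None."""
    i = 0
    while i + 2 <= len(attributes):
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attributes[i + 2:i + 6])[0]
            vtype, vlen = attributes[i + 6], attributes[i + 7]
            if vendor_id == ARBOR_VENDOR_ID and vtype == ARBOR_PRIVILEGE_LEVEL and 2 <= vlen <= alen - 6:
                return attributes[i + 8:i + 6 + vlen].decode("ascii")
        i += alen
    return None


def tacacs_group(service_block):
    """Return the arbor_group value from a 'service = arbor { arbor_group = ... }' block, or None."""
    match = re.search(r"service\s*=\s*arbor\s*\{[^}]*\barbor_group\s*=\s*([A-Za-z0-9_]+)", service_block)
    return match.group(1) if match else None


def resolve_group(server_group, default_group=DEFAULT_GROUP):
    """A user with no group on the server is placed in the APS default group."""
    return server_group if server_group else default_group


def authenticate(methods, outcomes, exclusive=False):
    """Run one login attempt through the configured method order.

    methods: e.g. ("tacacs", "local"), as set with "services aaa method set".
    outcomes: this user's result per method: "accept", "reject" or "unreachable".
    Returns (accepting_method_or_None, methods_tried).
    """
    tried = []
    for method in methods:
        tried.append(method)
        outcome = outcomes.get(method, "unreachable")
        if outcome == "accept":
            return method, tried
        if outcome == "reject" and exclusive:
            # The server answered and refused the user: no other method is tried.
            return None, tried
        # Non-exclusive reject, or server unreachable: fall through to the next method.
    return None, tried


if __name__ == "__main__":
    print(radius_group(encode_privilege_level("system_none")))
    print(resolve_group(radius_group(b"")))  # no attribute: default group
    print(tacacs_group("service = arbor { arbor_group = ddos_admin }"))
    # The lockout case from "Setting exclusive authentication": admin has no TACACS+ account.
    print(authenticate(("tacacs", "local"), {"tacacs": "reject", "local": "accept"}, exclusive=True))
    print(authenticate(("tacacs", "local"), {"tacacs": "unreachable", "local": "accept"}, exclusive=True))
```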
The predefined group system_none has no access to APS and is provided as a way to lock out unwanted RADIUS or TACACS+ users. However, you can specify another group as the default, including a custom group. See “Adding and Deleting User Groups” on page 483.
You change the default user group in the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information.

Changing the default user group
To change the default user group for RADIUS or TACACS+:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aaa groups default set group_name
   group_name = the name of the group to set as the default
3. To save the configuration, enter / config write

Chapter 23: Configuring the Bypass Settings

This section describes how to configure hardware bypass and software bypass settings on APS.
In this section
This section contains the following topics:
About Hardware Bypass and Software Bypass 498
Configuring Hardware Bypass and Software Bypass 499

About Hardware Bypass and Software Bypass

The APS appliance is bypass capable. You can configure APS to fail open (bypass) or fail closed (disconnect) if a power failure, hardware failure, or software failure occurs. If you configure software bypass, APS bypasses the protection interfaces when a software failure occurs. By default, hardware bypass is set to fail open and software bypass is enabled.
Hardware bypass and software bypass only work when APS is set to inline mode. APS does not initiate a bypass when it is in monitor mode. See “About the monitor mode” on page 63.
See “Configuring Hardware Bypass and Software Bypass” on the facing page.
About hardware bypass
You can configure hardware bypass to fail open (bypass on failure) or to fail closed (disconnect on failure). If a system failure occurs when hardware bypass is set to fail open, traffic passes through to the connected equipment. However, the traffic is not inspected. If a system failure occurs when hardware bypass is set to fail closed, traffic cannot pass through APS to the connected equipment.
You also can set hardware bypass manually, to immediately bypass the protection interfaces or to immediately disconnect APS from the connected equipment.
Note: The links on the connected equipment may bounce briefly when the protection interfaces are bypassed. This can happen if a system failure occurs when hardware bypass is set to fail open or after you issue the services aps bypass force open command.
Caution: If a system failure occurs when bypass is set to fail closed or when you issue the services aps bypass force closed command, APS drops the traffic. In this case, you can reroute traffic if you have more than one APS in your deployment. See “Deployment for Redundancy” on page 71.
See “Setting the hardware bypass mode” on the facing page and “Forcing the hardware bypass mode” on the facing page.

About software bypass
If a software failure occurs when software bypass is enabled, traffic bypasses the APS protection interfaces. In this case, traffic still passes through APS to the connected equipment.
You can enable both software bypass and hardware bypass. If software bypass can handle a system failure, APS uses software bypass. If software bypass cannot handle a system failure and hardware bypass is configured, hardware bypass handles the failure. If you disable software bypass and hardware bypass is configured, hardware bypass handles software failures.

Configuring Hardware Bypass and Software Bypass

The APS appliance is bypass capable.
You can configure APS to fail open (bypass) or fail closed (disconnect) if a power failure, hardware failure, or software failure occurs. If you configure software bypass, APS bypasses the protection interfaces when a software failure occurs. By default, hardware bypass is set to fail open and software bypass is enabled.
Hardware bypass and software bypass only work when APS is set to inline mode. APS does not initiate a bypass when it is in monitor mode. See “About the monitor mode” on page 63.
For more information about bypass modes, see “About Hardware Bypass and Software Bypass” on the previous page.

Viewing the bypass configuration and status
To view the configuration and status of hardware bypass and software bypass on APS:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps bypass show

Setting the hardware bypass mode
Note: If the APS services are stopped, you cannot change the bypass settings.
Hardware bypass is set to fail open (bypass) by default. To change hardware bypass to fail closed (disconnect) or to revert to the fail open mode:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps bypass fail {open | closed}
   {open | closed} = Enter open to bypass the APS protection interfaces if a system failure occurs. The open mode is the default setting. Enter closed to disconnect APS from the connected equipment if a system failure occurs. In this case, traffic is dropped.

Forcing the hardware bypass mode
Note: If the APS services are stopped, you cannot change the bypass settings.
To immediately force a hardware bypass:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps bypass force {open | closed}
   {open | closed} = Enter open to immediately bypass the APS protection interfaces. Enter closed to immediately disconnect APS from the connected equipment. In this case, traffic is dropped.
If you enable software bypass, and then you force a hardware bypass, the hardware bypass takes precedence.

Enabling or disabling software bypass
Note: If the APS services are stopped, you cannot change the bypass settings.
Software bypass is enabled by default. To disable or re-enable software bypass:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps bypass software {enable | disable}
   {enable | disable} = Enter disable to disable software bypass. Enter enable to allow APS to use software bypass if a software failure occurs.
If you enable software bypass, and then you force a hardware bypass, the hardware bypass takes precedence.
Caution: Network traffic may be dropped if a system failure occurs when hardware bypass is not configured and software bypass is disabled.

Disabling the hardware bypass features
Note: If the APS services are stopped, you cannot change the bypass settings.
To disable all of the hardware bypass features:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps bypass disable
   disable = disables all of the hardware bypass features
Caution: Network traffic may be dropped if a system failure occurs when hardware bypass is not configured and software bypass is disabled.

Chapter 24: Configuring Advanced Settings for the Protection Interfaces

This section describes the advanced settings that you can configure in the command line interface (CLI) for the protection interfaces.
In this section
This section contains the following topics:
Configuring the Speed, Duplex Mode, and MTU for the Protection Interfaces 502
Configuring VLAN Subinterfaces 504
Troubleshooting the Protection Interfaces 507

Configuring the Speed, Duplex Mode, and MTU for the Protection Interfaces

Typically, the media speed, duplex mode, and MTU (maximum transfer unit) for the protection interfaces are set automatically when you install APS. However, you can configure these settings manually by using the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for general information about using the CLI.
Important: Use the same media settings for both of the protection interfaces in an interface pair.
You can view information about the protection interfaces in the UI. See “Viewing the Status of the APS Protection Interfaces” on page 307.

Viewing the media settings for the protection interfaces
To view the media settings for the protection interfaces:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation interface media show protectionInterface
   protectionInterface = (Optional) The protection interface whose media settings you want to view. For example: ext0 or int0. If you do not specify a protection interface, then this command shows the media settings for all of the protection interfaces.
If a protection interface is down when you enter this command, then APS returns “Unknown Ethernet” for the interface instead of its speed.

Configuring the speed and duplex mode for the protection interfaces
To configure the speed and duplex mode for a protection interface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation interface media protectionInterface {autoselect | speed value} duplex {full | half}
   protectionInterface = The protection interface to configure. For example: ext0 or int0.
   {autoselect | speed value} = Enter autoselect to set the protection interface to autonegotiate. To set a specific media speed, enter speed value, where value is 10, 100, 1000, or 10000.
   duplex {full | half} = Enter duplex full or duplex half as the duplex mode for the protection interface.

Configuring the MTU for the protection interfaces
To configure the MTU for a protection interface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation interface media protectionInterface mtu size
   protectionInterface = The protection interface to configure. For example: ext0 or int0.
   mtu size = The size of the MTU for the interface. Valid values are 1500 - 9216.
Important: If you change the MTU size to a value greater than 1500, then the traffic may continue to be fragmented for several minutes. This delay is due to the default settings on the source host, which vary by system. Other factors and configurations on a given network also may cause a similar delay.

Configuring VLAN Subinterfaces

You can divide a single management interface into multiple VLAN subinterfaces. The management interface can be a physical or logical interface. For example, the management interface can be an Ethernet port on an APS appliance or a logical port on a vAPS.
You need to add access rules to the VLAN subinterfaces for the recommended services. See “Adding access rules to a VLAN subinterface” on the facing page.
If you want to set the default route to use a VLAN subinterface, see “Configuring the default route to use a VLAN subinterface” on the facing page.

Adding VLAN subinterfaces
To add a VLAN subinterface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / ip interfaces vlan {mgt0 | mgt1} VLAN_ID
   VLAN_ID = a number from 0 - 4094 that identifies the VLAN
   APS appends the VLAN ID to the management interface name to create the VLAN name. For example, if you append the VLAN ID 101 to mgt0, the VLAN name is mgt0.101.
   Note: For each management interface, the VLAN IDs for subinterfaces must be unique.
3. For each subinterface to add, repeat step 2.
4. (Optional) To view a list of the VLAN subinterfaces, enter / ip interfaces show
5. To save the configuration changes, enter config write

Configuring VLAN subinterfaces
You configure VLAN subinterfaces in the same way that you configure the management interfaces.
To configure a VLAN subinterface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / ip interfaces ifconfig subint_name IP_address {netmask | prefix_length} up
   subint_name = the name of the subinterface to configure, which is the management interface name plus the VLAN ID (for example: mgt0.101)
   IP_address = the IPv4 address or IPv6 address for the subinterface
   netmask = If you enter an IPv4 address, then you must include the netmask for the subinterface in dotted-quad format (for example, 255.255.255.0).
   prefix_length = If you enter an IPv6 address, then you must include the prefix length (for example, /64).
3. For each VLAN subinterface that you want to configure, repeat step 2.
4. To save the configuration changes, enter config write

Configuring the default route to use a VLAN subinterface
You can configure a default route that uses a VLAN subinterface.
If there is an existing default route that uses a different interface or subinterface, you first must delete that route.
To configure a default route that uses a VLAN subinterface:
1. Log in to the CLI with your administrator user name and password.
   Caution: Avoid locking yourself out of the APS device. Before you delete the current default route, make sure you have physical access to the appliance or that you understand how your system is connected to the APS device.
2. To delete an existing default route, enter ip route delete default
3. To create the new default route, enter ip route add default IP_address subint_name
   IP_address = the IPv4 address or IPv6 address for the subinterface
   subint_name = the name of the subinterface to configure, which is the management interface name plus the VLAN ID (for example: mgt0.101)
   Note: To access IPv6 network services that are outside the local subnet, you must configure an IPv6 default route.
4. To save the configuration changes, enter config write

Adding access rules to a VLAN subinterface
To add access rules to a VLAN subinterface:
1. Log in to the CLI with your administrator user name and password.
2. Enter ip access add service subint_name CIDR
   service = one of the following services:
      https allows access to the APS UI
      ping allows ICMP ping messages for network diagnostics
      ssh allows administrative users to access the CLI
      snmp allows SNMP access to APS
   subint_name = the name of the subinterface to configure, which is the management interface name plus the VLAN ID (for example: mgt0.101)
   CIDR = the address range of the source network that you want to use for this service
3. For each service that you want to add to each VLAN subinterface, repeat step 2.
4. Enter ip access commit
5. To save the configuration, enter config write

Removing VLAN subinterfaces
Important: Before you remove a VLAN subinterface, you must delete any IP access rules for that subinterface.
To remove a VLAN subinterface:
1. Log in to the CLI with your administrator user name and password.
2. To determine what IP access rules have been added to the subinterface, enter / ip access show
3. If all of the access rules on the APS are configured for this VLAN subinterface, enter ip access delete all
   If the access rules on the APS are configured for multiple interfaces or subinterfaces, enter ip access delete service subint_name CIDR
   service = one of the following services:
      https allows access to the APS UI
      ping allows ICMP ping messages for network diagnostics
      ssh allows administrative users to access the CLI
      snmp allows SNMP access to APS
   subint_name = the name of the subinterface to configure, which is the management interface name plus the VLAN ID (for example: mgt0.101)
   CIDR = the address range of the source network for this service
4. For each access rule to delete, repeat step 3.
5. After you remove all of the access rules for the subinterface, enter / ip interfaces vlan mgt_interface VLAN_ID delete
   mgt_interface = the name of the management interface (mgt0 or mgt1)
   VLAN_ID = the ID for the subinterface
6. To save the configuration, enter config write

Troubleshooting the Protection Interfaces

APS provides several commands to help troubleshoot hardware issues that are associated with the protection interfaces. These commands are available in the command line interface (CLI). For general information about using the CLI, see “About the Command Line Interface (CLI)” on page 468.

Viewing the pause parameter settings for a protection interface
You can query a protection interface to determine if the pause parameters are enabled for RX, TX, and auto-negotiation.
To view the pause-parameter settings for a protection interface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / system hardware interface protectionInterface pause-frames
   protectionInterface = The name of the protection interface whose pause parameter settings you want to view. For example: ext0 or int0.

Viewing the register information for a protection interface
You can perform a register dump for a protection interface, which returns low-level details about the NIC.
To view the register information for a protection interface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / system hardware interface protectionInterface dump-regs
   protectionInterface = The name of the protection interface whose hardware details you want to view. For example: ext0 or int0.

Viewing the configuration settings for a protection interface
You can view the link connection status for a protection interface, as well as its speed and duplex settings. See “Configuring the Speed, Duplex Mode, and MTU for the Protection Interfaces” on page 502.
To view the configuration settings for a protection interface:
1. Log in to the CLI with your administrator user name and password.
2. Enter / system hardware interface protectionInterface
   protectionInterface = The name of the protection interface whose configuration settings you want to view. For example: ext0 or int0.

Chapter 25: Configuring Other Advanced Settings

This section describes miscellaneous management tasks that you can perform in the command line interface (CLI).
In this section
This section contains the following topics:
Setting the System Clock 510
Setting the Deployment Mode 511
Configuring Static Routes for the Protection Interfaces on vAPS 513
Overriding the AIF Feed URLs 516
Viewing AIF Version Information 518
Advanced File Management from the Command Line Interface 519

Setting the System Clock

You can set or reset the clock in APS by using the Command Line Interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for more information about the CLI.

Setting the system clock
To set the system clock:
1. Log in to the CLI with your administrator user name and password.
2. Enter / clock set MMDDhhmmCCYY.ss
   MM = the month of the year as a two-digit integer between 01 and 12
   DD = the day of the month as a two-digit integer between 01 and 31
   hh = the hour of the day as a two-digit integer from 00 to 23
   mm = the minute of the hour as a two-digit integer from 00 to 59
   CC = (Optional) the century portion of the year as a two-digit integer
   YY = the year as a two-digit integer
   .ss = (Optional) the seconds as a two-digit integer between 00 and 59

Viewing the current time setting
To view the current time setting:
1. Log in to the CLI with your administrator user name and password.
2. Enter / clock

Reference
See “Saving the configuration” on page 476.

Setting the Deployment Mode

The deployment mode indicates how APS is installed in your network. The deployment modes are as follows:
- inline
- layer 3 (vAPS only)
- monitor
In the inline mode and layer 3 mode, APS acts as a physical connection between two end points and you can configure APS to block attack traffic. In the inline mode, APS forwards all of the traffic that meets the mitigation rules.
In the layer 3 mode, vAPS forwards all of the traffic that meets the mitigation rules if a valid route is configured to the destination network. In the UI, the inline deployment mode appears as Inline Bridged and the layer 3 deployment mode appears as Inline Routed.
In the monitor mode, you deploy APS out-of-line through a span port or network tap, which allows APS to monitor traffic without blocking it. If you deploy APS in the monitor mode, the outbound traffic does not go through APS and therefore is not analyzed. See “About the Deployment Modes” on page 63.

Setting the deployment mode
Typically, the deployment mode is set during the initial installation. However, you might need to reset the deployment mode if you re-install APS or vAPS in a different configuration. For example, you might install APS in the monitor mode for a trial period, and then re-install it inline for detection and mitigation.
You set the deployment mode in the command line interface (CLI). See “Entering CLI Commands” on page 475 for more information.
You can configure notifications that send messages when someone changes the deployment mode. See “Configuring Notifications” on page 131.
You cannot change the deployment mode for vAPS on Amazon Web Services (AWS). AWS only supports the layer 3 mode. For more information, see “Installing vAPS on AWS” in the Arbor Networks® Virtual APS Installation Guide.
Important: If you deploy APS in the monitor mode, then you should disable link state propagation. If you deploy vAPS in the layer 3 mode, link state propagation is disabled automatically.
To set the deployment mode:
1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mode set {inline | l3 | monitor}
   {inline | l3 | monitor} = Enter inline if you want APS to forward traffic as a bridge. Enter l3 if you want vAPS to forward traffic based on a mitigation route that you configure.
   Enter monitor if you place APS or vAPS out-of-line through a span port or network tap.

   Note: If vAPS is set to the layer 3 mode and then you select another mode, two confirmation messages appear. To remove all of the layer 3 configuration settings and switch to the new deployment mode, enter y for both of these messages.

If you set vAPS to the layer 3 mode, you must configure static routes for the protection interfaces. See “Configuring Static Routes for the Protection Interfaces on vAPS” on the facing page.

Configuring Static Routes for the Protection Interfaces on vAPS

If you deploy vAPS in the layer 3 mode, you can assign IP addresses to the protection interfaces. Then you can create static routes to direct traffic through the vAPS. These routes, which are distinct from the routes for management traffic, define how vAPS handles passed traffic. A route can be inbound or outbound. vAPS routes traffic using the most specific valid route that matches the destination address, through the protection interface that has the same subnet as the nexthop.

You configure routes in the command line interface (CLI). See “Entering CLI Commands” on page 475 for more information.

Note: You also can configure routes on the Interfaces page (Administration > Interfaces) in the UI. See “Configuring Routes” on page 145.

Specifying an IP address for a protection interface on vAPS

Important: If you use vAPS on Amazon Web Services (AWS), you must configure the IP addresses for the protection interfaces on AWS. See “Installing vAPS on AWS” in the Arbor Networks® Virtual APS Installation Guide.

To specify an IP address for a protection interface:

1. Log in to the CLI with your administrator user name and password.
2. (Optional) To get a list of the protection interfaces on your appliance, enter / services aps mitigation interface ?
3. Enter / services aps mitigation interface protectionInterface network
   protectionInterface = The protection interface to configure. For example: ext0 or int0.
   network = The IPv4 address and prefix length for the protection interface.

After you change the address for a protection interface, verify that any configured routes are still valid. To verify the routes, enter / services aps mitigation route show. If Unknown appears in the Interface column, you must reconfigure the route.

Important: If you configure GRE tunneling when vAPS is set to the layer 3 mode, vAPS uses the IP address of the external interface as the GRE tunnel destination.

Adding a static route for a protection interface on vAPS

Before you can add a route for a protection interface, you must set vAPS to the layer 3 deployment mode. For information about deployment modes, see “Setting the Deployment Mode” on page 511.

When vAPS is set to the layer 3 mode, you can configure routes on the protection interfaces for inbound traffic and outbound traffic:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation route add network nexthop
   network = The IPv4 address and prefix length for the destination network.
   nexthop = The IPv4 address for the router through which the traffic is sent to the destination network. For a nexthop to be valid, its IP address must match a subnet for one of the protection interfaces.
3. Repeat the previous step for each route that you want to configure.

If you expect vAPS to forward outbound traffic, you must configure routes for the outbound traffic. Arbor recommends that you configure a default route to 0.0.0.0/0 and a nexthop to a gateway router on the subnet that is connected to the external interface.
If necessary, configure additional routes for the outbound traffic to other external nexthops. If you do not configure routes for the outbound traffic, vAPS will drop outbound traffic. See “Configuring the Outbound Threat Filter” on page 205.

Deleting the IP address for a protection interface on vAPS

Important: If you use vAPS on AWS, you must delete the IP addresses for the protection interfaces on AWS. See “Installing vAPS on AWS” in the Arbor Networks® Virtual APS Installation Guide.

To delete the IP address for a protection interface:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation interface protectionInterface delete
   protectionInterface = The protection interface to delete. For example: ext0 or int0.

If the IP address for the nexthop is not within any protection interface subnet, vAPS displays Unknown in the Interface column.

Important: If you delete the IP address for a protection interface, all routes that were configured to go through that interface become invalid. However, vAPS does not remove the invalid routes. If vAPS can reach a nexthop after you assign a new IP address and subnet to a protection interface, then vAPS reactivates the invalid route. This behavior is different from the behavior for management routes.

Deleting the routes for protection interfaces on vAPS

Caution: This command deletes the entire route, including the IP address for the nexthop.

To delete the routes for a protection interface:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation route delete network
   network = (Optional) The IPv4 address and prefix length for the destination network. If you do not specify a network, this command deletes all of the routes for all of the protection interfaces.
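The route-selection and route-validity rules described in this section (most specific valid route wins; a nexthop is valid only when it falls inside the subnet of a protection interface; deleting an interface address invalidates routes without removing them, and reassigning an address reactivates them; outbound traffic without a matching route is dropped) can be checked against a small model before they are applied on a live vAPS. The following Python is an added illustration written for this guide, not Arbor code and not the vAPS implementation; the class and function names (L3ProtectionRouting, build_example) and the 198.51.100.0/24, 10.0.0.0/24 and 172.16.0.0/16 addresses are constructed sample values.

```python
"""Model of the vAPS layer 3 protection-interface route table (added illustration)."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Optional, Tuple

# What 'route show' displays in the Interface column when no protection interface covers the nexthop.
UNKNOWN = "Unknown"


class L3ProtectionRouting:
    """Toy model (assumption: names and behaviour follow the CLI description in the guide).

    interfaces: protection interface name -> IPv4Interface (address/prefix), or None after
                'mitigation interface <name> delete' removed the address.
    routes:     destination IPv4Network -> nexthop IPv4Address, kept in 'route add' order and
                never removed merely because they became invalid.
    """

    def __init__(self, interface_names=("ext0", "int0")):
        self.interfaces: Dict[str, Optional[IPv4Interface]] = {n: None for n in interface_names}
        self.routes: Dict[IPv4Network, IPv4Address] = {}

    # --- 'mitigation interface <name> <network>', '<name> delete', 'interface clear'
    def set_interface(self, name: str, network: str) -> None:
        if name not in self.interfaces:
            raise ValueError(f"no such protection interface: {name}")
        self.interfaces[name] = ip_interface(network)

    def delete_interface(self, name: str) -> None:
        # Routes through this interface become invalid but are deliberately left in place.
        self.interfaces[name] = None

    def clear_interfaces(self) -> None:
        for name in self.interfaces:
            self.interfaces[name] = None

    # --- 'mitigation route add/delete' and 'mitigation l3 clear'
    def add_route(self, network: str, nexthop: str) -> None:
        self.routes[ip_network(network, strict=False)] = ip_address(nexthop)

    def delete_route(self, network: Optional[str] = None) -> None:
        if network is None:
            self.routes.clear()  # 'route delete' without a network removes every route
        else:
            self.routes.pop(ip_network(network, strict=False), None)

    def l3_clear(self) -> None:
        self.clear_interfaces()
        self.routes.clear()

    # --- validity rule: the nexthop must lie inside the subnet of some protection interface
    def interface_for(self, nexthop: IPv4Address) -> str:
        for name, iface in self.interfaces.items():
            if iface is not None and nexthop in iface.network:
                return name
        return UNKNOWN

    def show_routes(self) -> List[Tuple[str, str, str]]:
        """Rows of (network, nexthop, interface), like 'mitigation route show'."""
        return [(str(net), str(nh), self.interface_for(nh)) for net, nh in self.routes.items()]

    def lookup(self, destination: str) -> Optional[Tuple[str, str, str]]:
        """Most specific *valid* route matching the destination; None means the packet is dropped."""
        dst = ip_address(destination)
        best = None
        for net, nh in self.routes.items():
            if dst not in net or self.interface_for(nh) == UNKNOWN:
                continue  # no match, or the route is currently invalid (Unknown interface)
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh)
        if best is None:
            return None
        return (str(best[0]), str(best[1]), self.interface_for(best[1]))


def build_example() -> L3ProtectionRouting:
    """Constructed sample topology using documentation address ranges (not from the guide)."""
    r = L3ProtectionRouting()
    r.set_interface("ext0", "198.51.100.2/24")  # external side; gateway router 198.51.100.1
    r.set_interface("int0", "10.0.0.1/24")      # internal side; routers 10.0.0.254 and 10.0.0.253
    r.add_route("172.16.0.0/16", "10.0.0.254")  # inbound: protected network behind int0
    r.add_route("172.16.5.0/24", "10.0.0.253")  # more specific inbound route for one subnet
    r.add_route("0.0.0.0/0", "198.51.100.1")    # outbound default route, as the guide recommends
    return r


if __name__ == "__main__":
    r = build_example()
    for row in r.show_routes():
        print(row)
    print("172.16.5.7 ->", r.lookup("172.16.5.7"))
    r.delete_interface("ext0")  # default route now shows Unknown; outbound lookups return None
    print("after ext0 delete:", r.show_routes(), r.lookup("192.0.2.10"))
```

Running the script with the constructed topology shows the /24 route winning over the /16 for 172.16.5.7, outbound traffic using the default route through ext0, and, after the ext0 address is deleted, the default route still listed but marked Unknown while outbound lookups return None (dropped), which is the situation the guide tells you to detect with route show after changing an interface address.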
Deleting all of the layer 3 interface settings on vAPS

To delete all of the layer 3 interface settings for the protection interfaces, but leave any of the routes that are configured:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation interface clear

Deleting all of the layer 3 interface settings and routes on vAPS

Caution: This command deletes all of the routes that are configured on vAPS, including any GRE routes that you may have configured in the UI. See “Configuring Routes” on page 145.

To delete all of the layer 3 interface settings and all of the routes that are configured for the protection interfaces:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps mitigation l3 clear

Overriding the AIF Feed URLs

When you enable automatic connections to AIF, APS uses HTTPS to download the latest AIF information at specified intervals. In rare situations, you might need to update the URLs from which APS downloads the information. You view, set, and clear the overrides in the Command Line Interface (CLI).

Caution: To avoid corrupting your APS feed consumption, only update a feed URL under the direction of a support representative.

See “About the Command Line Interface (CLI)” on page 468 for general information about using the CLI.

Components of the AIF

The AIF consists of the following components, each of which is downloaded separately:

- attack_rules — Contains AIF botnet signatures.
- geoip_countries — Contains IP location data.
- reputation_feed — Contains ATLAS threat policies.
- webcrawler_whitelist — Contains a list of legitimate search engine web crawlers.

For more information, see “About the AIF components” on page 280.

Viewing the feed URLs

To view the current AIF URLs:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps aif url show [attack_rules | geoip_countries | reputation_feed | webcrawler_whitelist]
   Include a feed name to display a single feed or omit the feed name to display all of the feeds.

Note: The output of this command shows a Download Securely column. You can disregard the information in this column as it is used for Arbor testing purposes only.

Overriding a feed URL

You can override the URL for a single feed or all of the feeds.

To override a feed URL:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps aif url set feed_name url
   feed_name = one of the following feeds: attack_rules, geoip_countries, reputation_feed, or webcrawler_whitelist
   url = the new URL from which to download the feed, for example, https://www.example.com/feed/version

Clearing a URL override

When you clear an override for a feed, its URL is reset to the default.

To clear a URL override:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps aif url clear [attack_rules | geoip_countries | reputation_feed | webcrawler_whitelist]
   Include a feed name to clear the URL for a single feed or omit the feed name to clear all of the URL overrides.

Viewing AIF Version Information

When APS downloads the ATLAS Intelligence Feed (AIF), information about the downloaded feed components is recorded in the syslog. You can use the Command Line Interface (CLI) to display information about the latest versions of the AIF feed components. Typically, you might need this information for diagnostic or support purposes.

See “About the Command Line Interface (CLI)” on page 468 for general information about using the CLI.
Components of the AIF

The AIF consists of the following components, each of which is downloaded separately:

- attack_rules — Contains AIF botnet signatures.
- geoip_countries — Contains IP location data.
- reputation_feed — Contains ATLAS threat policies.
- webcrawler_whitelist — Contains a list of legitimate search engine web crawlers.

For more information, see “About the AIF components” on page 280.

Viewing the current AIF feed versions

You can view information about a single feed or all of the feeds.

To view the current AIF feed versions:

1. Log in to the CLI with your administrator user name and password.
2. Enter / services aps aif versions show [attack_rules | geoip_countries | reputation_feed | webcrawler_whitelist]
   Include a feed name to display a single feed or omit the feed name to display all of the feeds.

Version information

When you view the version status of the AIF feeds, the system displays the following information:

- Time of the latest download, either automatic or manual, in UNIX timestamp format
- Etag (entity tag) identifier for the specific version of the feed component
- Version number of the feed component

The version number for the attack_rules feed and webcrawler_whitelist feed is <unknown> because those feeds do not contain version numbers.

The following example shows the version status of all of the AIF feeds:

admin@example.com:/# services aps aif versions show
Feed Name             Download Time  Etag                              Version
attack_rules          1481057846     9d449496baa9dbd694db61d5c76e8796  <unknown>
geoip_countries       1481057844     6f9ad40b9bb2a59c5a04b4d3c5655750  814.734
reputation_feed       1481057864     0abd183efe52309aa443f2c1b6bb98af  1481050950
webcrawler_whitelist  1481057847     440e3a394a252250621aa00505d970db  <unknown>

Advanced File Management from the Command Line Interface

The APS UI provides shortcuts for managing files on the APS appliance.
However, if you need to manage directories or perform more complex file operations, you can use the command line interface (CLI). See “About the Command Line Interface (CLI)” on page 468 for general information about using the CLI. See “Managing the Files on APS” on page 452 for information about the file management tasks that you can perform in the UI.

Viewing the files in a directory

To view the files in a directory:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system files directory {disk: | usb: | flash:}
   {disk: | usb: | flash:} = the storage device that contains the files

Copying a file

To copy a file:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system files copy source target
   source = the original location and name of the file
   target = the new location and name of the file
   See “Arguments for copying files” below.

Arguments for copying files

When you copy a file to or from an appliance, use the following arguments to specify the source file and the target file:

Arguments for copying files

Argument                                           Source or target
ftp://user:password@A.B.C.D:port/file_name         source
ftp://user:password@\aaaa:bbbb::\:port/file_name   source
http[s]://user:password@A.B.C.D:port/file_name     source
http[s]://\aaaa:bbbb::\:port/file_name             source
scp://user@A.B.C.D:port/file_name                  source
scp://user@\aaaa:bbbb::\:port/file_name            source
disk:file_name                                     both
flash:file_name                                    both
usb:file_name                                      both
- {ftp: | http: | https: | scp:} = the protocol to use to access the remote host
- {disk: | usb: | flash:} = the storage device that contains the source file or the storage device to copy the file to
- user = the user name that is required to access the remote host
- password = the user password that is required to access the remote host
- {A.B.C.D | \aaaa:bbbb::\} = the IP address of the remote host that contains the source file
- port = the port on the remote host
- file_name = the name of the file to be copied

Deleting a file

To delete a file:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system files delete {disk: | usb:}file_name
   {disk: | usb:} = the storage device that contains the file
   file_name = the file to delete

Renaming a file

To rename a file:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system files rename {disk: | usb:}old_name {disk: | usb:}new_name
   {disk: | usb:} = the storage device that contains the file
   old_name, new_name = the original file name and the new file name, respectively
   The first set of these arguments represents the original file name and the second set of these arguments represents the new file name.

Chapter 26: Installing, Upgrading, and Reinstalling APS

This section describes how to install, upgrade, and reinstall the APS appliance and software.

In this section

This section contains the following topics:

Installing the License Keys for APS and AIF 522
Installing APS 524
Upgrading the APS Software 527
Reinstalling APS 530

Installing the License Keys for APS and AIF

You install the license key for the APS software during the initial APS installation and configuration. When you subscribe to the ATLAS Intelligence Feed (AIF), you also install the AIF license key.
Note: vAPS uses cloud-based licenses instead of a license key. See “About Cloud-Based Licensing for vAPS” on page 38.

You must also install or replace the license keys in the following situations:

- You subscribe to the ATLAS Intelligence Feed (AIF) or renew your AIF subscription — see “Installing or upgrading the AIF license key” on the facing page.
- You upgrade your APS license to a different model; for example, to access a greater traffic rate limit — see “Replacing an existing APS license key with a new APS license key” below.

Users with administrative privileges can install the license keys in the command line interface (CLI). See “Entering CLI Commands” on page 475.

Installing the license keys during a new APS installation or reinstallation

The license key installation is part of the procedures for installing and reinstalling the APS software.

- The procedure for a new APS installation is in the APS Quick Start Card and in “Installing APS” on page 524.
- The procedure for an APS reinstallation is in “Reinstalling APS” on page 530.

If you do not have your original Quick Start Card, you can download one from the Arbor Technical Assistance Center (ATAC) or contact your reseller.

Replacing an existing APS license key with a new APS license key

Note: When you replace an existing APS license key with a new APS license key, you do not need to remove the original license key.

To install a new license key on an existing APS installation:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system license set Pravail "model" license_key
   model = the APS model, such as PRA-APS-2107. This argument might take additional parameters, such as the expiration date for an evaluation license.
   license_key = your APS license key

   Important: This command is case sensitive. Enter the model and license key exactly as they appear on the product label or in your license key email, including any spaces and punctuation.
   For example: / system license set Pravail "PRA-APS-2107" 12345-67890-ABCDEFGHIJ-KLMNO-PQRST-UVWXY-Z1234-5678
3. To verify that you installed the license key successfully, enter / system license show. This command displays the current model and license.
4. To save the configuration, enter / config write

Installing or upgrading the AIF license key

When you subscribe to the AIF, you receive a license key that corresponds to your subscription level (Standard or Advanced). You must install the AIF license key for APS to receive the AIF. Whenever you renew or upgrade your AIF subscription, you must install a new AIF license key. For information about the feed subscription levels, see “About the ATLAS Intelligence Feed Licensing” on page 31.

To install the AIF license key:

1. Log in to the CLI with your administrator user name and password.
2. Enter / system license set ASERT "model" license_key
   model = the model, or level, of your AIF license plus the expiration date timestamp; for example, PRA-APS-AIF-STANDARD expires: 1437749737
   license_key = your AIF license key

   Important: This command is case sensitive. Type the model and license key exactly as they appear in your license key document or email, including any spaces and punctuation.

   For example: / system license set ASERT "PRA-APS-AIF-STANDARD expires: 1437749737" 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321
3. To verify that you installed the license key successfully, enter / system license show. This command displays the current model and license.
4. To save the configuration, enter / config write

Installing APS

Typically, you install APS by following a quick installation script that prompts you to enter the information that is required.
The script instructions are in the APS Quick Start Card. If the installation script does not appear, you can install APS by typing a series of commands in the command line interface (CLI). You can also use the CLI to configure options that are not in the script or to redo any of the original configurations. See “About the Command Line Interface (CLI)” on page 468.

Installing APS

To install APS:

1. If you are using a serial console server, connect it to the serial port.
2. Turn on the appliance.
   Note: If an installation script starts, follow the prompts to enter the information that is in this procedure.
3. At the login prompt, enter admin
4. At the password prompt, enter arbor
5. Before you can start the APS services, you must change the default administrator password:
   a. Enter / services aaa local password admin interactive
   b. Enter the new password.
   c. Re-enter the new password.
6. To configure the management port, enter ip interfaces ifconfig port IP_address {netmask | prefix_length} up
   port = the management port to configure; in this case, mgt0
   IP_address = the address of the management port, for example, 198.51.100.2 or 2001:DB8::2
   netmask = (IPv4 addresses only) the netmask in dotted-quad format, for example: 255.255.255.0
   prefix_length = (IPv6 addresses only) the prefix length of this management port’s address, for example, /64
7. (Optional) Repeat the preceding step for management port mgt1.
8. Enter / ip route add default IP_address
   IP_address = the default gateway’s IP address, for example, 198.51.100.1 or 2001:DB8::1
9. Enter / ip access add service {mgt0 | mgt1 | all} CIDR
   service = one of the following services:
   https allows access to the APS UI
   ping allows ICMP ping messages for network diagnostics
   ssh allows administrative users to access the CLI
   cloudsignal allows the cloud signaling server to access APS
   snmp allows SNMP access to APS
   {mgt0 | mgt1 | all} = the name of the management interface on which to apply a service exclusively, or to apply the rule to all of the interfaces
   CIDR = the address range from which you want to allow communications to a service
10. Repeat the preceding step for each service that you add on the appliance. After the installation, you can add more users in the UI.
11. To commit the access configuration, enter / ip access commit
12. Enter / system name set hostname
    hostname = the simple hostname of the appliance or a fully qualified domain name. For example, host.example.com
13. (Optional) Enter / services dns server add IPaddress
    IPaddress = the IP address of the DNS server
14. Configure the SSH host keys in one of the following ways:
    - To have APS generate the SSH host key files, enter / services ssh key generate
    - To import a file that contains the SSH host keys, enter / services ssh key host set disk:fileName
      fileName = the name of the file that contains the SSH host keys
15. Enter / services ssh start
16. (Optional) To configure an NTP server, enter / services ntp server add IP_address
    IP_address = the IP address or hostname of your NTP server
17. To set the system clock, enter / clock set MMDDhhmmCCYY.ss
    MM = the month of the year as a two-digit integer between 01 and 12
    DD = the day of the month as a two-digit integer between 01 and 31
    hh = the hour of the day as a two-digit integer from 00 to 23
    mm = the minute of the hour as a two-digit integer from 00 to 59
    CC = (Optional) the century as a two-digit integer
    YY = (Optional) the year as a two-digit integer
    .ss = (Optional) the seconds as a two-digit integer between 00 and 59
18. Enter / system license set Pravail "model" license_key
    model = the APS model, such as PRA-APS-2107.
    This argument might take additional parameters, such as the expiration date for an evaluation license.
    license_key = your APS license key

    Important: This command is case sensitive. Enter the model and license key exactly as they appear on the product label or in your license key email, including any spaces and punctuation.

    For example: / system license set Pravail "PRA-APS-2107" 12345-67890-ABCDEFGHIJ-KLMNO-PQRST-UVWXY-Z1234-5678
19. If you subscribe to the ATLAS Intelligence Feed (AIF), enter / system license set ASERT "model" license_key
    model = the model, or level, of your AIF license plus the expiration date timestamp; for example, PRA-APS-AIF-STANDARD expires: 1437749737
    license_key = your AIF license key

    Important: This command is case sensitive. Enter the model and license key exactly as they appear in your license key document or email, including any spaces and punctuation.

    For example: / system license set ASERT "PRA-APS-AIF-STANDARD expires: 1437749737" 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321
20. Enter / services aps mode set {inline | monitor}
    inline | monitor = Enter inline if you placed the appliance inline in your network. Enter monitor if you placed it out-of-line through a span port or network tap.
21. To initialize the APS database, enter / services aps database initialize
22. Enter / reload
    Important: You must reload APS before you can start the APS services.
23. Enter / services aps start
24. To save the configuration, enter / config write
    Important: Do not skip this step.
25. To log out of the CLI, enter exit

Upgrading the APS Software

The process for upgrading APS consists of the following steps:

1. Uploading the upgrade files to APS.
2. Upgrading the APS software in the command line interface (CLI).
   See “About the Command Line Interface (CLI)” on page 468 for more information about the CLI.
3. If you use the hardware security module (HSM), you may need to upgrade the firmware. To determine if an HSM firmware upgrade is required, see the Arbor Networks® APS Release Notes.
4. Restarting APS.

Note: For information about upgrading your ATLAS Intelligence Feed (AIF) license, see “Installing or upgrading the AIF license key” on page 523.

The way that you connect to the CLI determines whether reload information appears on the screen during the upgrade. If you log in to the CLI through the serial port, the reload status appears and indicates when APS restarts. Otherwise, the reload status does not appear and you might need to ping the appliance to determine when APS restarts. See “About the Connections to the Command Line Interface” on page 469.

Important: You cannot upgrade vAPS on Amazon Web Services (AWS). Instead, you must back up your data and then restore the data on a new vAPS instance. See “About Backups” on page 454.

Uploading the upgrade files

To upload the upgrade files:

1. Verify that the upgrade files are in a location that APS can access.
2. Make a note of the ArbOS and APS upgrade file names, which you need for the upgrade procedure.
3. Log in to the APS UI with your administrator user name and password.
4. Select Administration > Files to display the Manage Files page and view the packages that are currently installed on APS.
5. Use the release notes as a reference to verify that the new version is a valid upgrade for the package or packages that are installed. If not, then you might have to perform one or more intermediate upgrades before you can upgrade to the new version.
6. To copy the new ArbOS file to APS, click Upload File, and then follow these steps:
   a. In the Upload File window, browse to and select the new ArbOS file.
   b. Click Upload.
7. To copy the new APS file, click Upload File, and then follow these steps:
   a. In the Upload File window, browse to and select the new APS file.
   b. Click Upload.
8. Log out of the UI.

Upgrading the APS software

Important: If you have APS devices connected to APS Console, disconnect them from APS Console before you upgrade them. After you upgrade APS Console, upgrade the APS devices and then reconnect them to APS Console.

To upgrade the APS software:

1. Verify that the new files have been uploaded. See “Uploading the upgrade files” on the previous page.
2. Log in to the CLI with your administrator user name and password.
3. To view the packages that are currently installed on APS, enter / system files show
4. Make a note of the old APS package name.
5. Enter / services aps stop
   If you are installing a version that is earlier than 3.1, enter pravail instead of aps in the command above.
6. To save the configuration, enter / config write
7. To uninstall the old APS package, enter / system files uninstall package_name
   package_name = the name of the old APS package, which you noted earlier in this procedure
8. To install the new ArbOS package, enter / system files install disk:new_file
   new_file = the file name of the new ArbOS file that you uploaded to APS
9. To restart APS, complete the following steps:
   a. Enter / reload
   b. At the confirmation prompt, enter y
10. Wait for APS to restart. If you logged on through the serial port, the reload status appears on the screen. The Welcome message indicates that APS has restarted. If you did not log in through the serial port, the reload status is not displayed. Wait a few minutes before you try to access the CLI, or you can ping the appliance until it responds. It will be ready to continue about one minute after you receive the ping response.
11. After APS restarts, log in to the CLI with your administrator user name and password.
12. To verify that ArbOS was installed, enter / system files show
    Only the ArbOS package name should be displayed.
13. To install the new APS package, enter / system files install disk:new_file
    new_file = the file name of the APS file that you uploaded to APS
14. If you use the hardware security module (HSM) and an HSM firmware upgrade is required, you must upgrade the firmware. To upgrade the firmware, enter /sys hsm firmware update
    To determine if an HSM firmware upgrade is required, see the Arbor Networks® APS Release Notes.
15. After the upgrade is finished and before you can start APS services, you must restart APS again:
    a. Enter reload
    b. At the confirmation prompt, enter y
16. After APS restarts, log in to the CLI with your administrator user name and password.
17. Enter / services aps start
    If you are installing a version that is earlier than 3.1, enter pravail instead of aps in the command above.
18. To save the configuration, enter / config write
19. To log out of the CLI, enter / exit
20. After the upgrade is finished, restart your browser and clear the cache.

Reinstalling APS

In cases where it is necessary to reinstall APS, follow the instructions below.

Caution: The reinstallation erases all of the configuration settings and data and returns APS to its factory state. Only reinstall APS in an emergency situation and under the direction of a support representative.

Note: When you subscribe to the ATLAS Intelligence Feed (AIF), you must reinstall the AIF license key during the APS reinstallation.
Before you begin

Before you reinstall APS, verify that you have the following items:

- the most recent full backup of both configuration data and traffic data, which should be on your remote backup server
- the upgrade files for any upgrades that you installed after your initial APS installation
- the following information about your deployment:

Item and description:

Appliance hostname: The unique name that identifies the appliance on the network.
License keys: Your APS license key number, which appears on labels that are attached to the appliance and the outer packaging. For AIF subscriptions, you also need the AIF license key number that you received with the subscription.
Administrative user name and password: The user name and password for administrative access to the appliance. The default user name is admin and the default password is arbor.
IP address and network mask: The management IP address and the network mask of the management interface for the APS appliance.
Default gateway IP address: The IP address and netmask for the management default route and any additional routes that are required for the device to access the management interface.
NTP Server (optional): The IP address for the server that synchronizes network time.
Physical connections: The switch or router port mappings to connect to the APS interfaces (protection ports).
Network connectivity mode: The method that you decided to use to connect the APS appliance within your network (inline or out-of-line through a span port or network tap).
Appliance access mode: The method that you plan to use to access and configure the APS appliance (VGA or serial console server).

Determining your current software versions

To determine your current software versions in the UI:

1. In the lower-right corner of any page in the UI, click the About link.
2. Note the versions of ArbOS and APS that are listed in the About page, under the Installed Software section.

To determine your current software version in the CLI (if the UI is unresponsive):

1. Log in to the CLI with your administrator user name and password.
2. Enter / system version

About restoring backups from an earlier version

If you are using a version of APS earlier than 3.0, you must restore a backup to the version in which the backup was created. For example, if you are running version 2.6 but your last backup was created in version 2.5, you must restore that backup in version 2.5. In this situation, you would reinstall the initial version of APS, upgrade to version 2.5 if necessary, restore the 2.5 backup, and then upgrade to version 2.6.

Reinstallation task sequence

Perform the following tasks in sequence to reinstall the APS software.

Reinstalling APS

Step  Action
1     If you do not have a current backup, create a full backup of both the configuration data and the traffic data, if possible. See “Backing Up APS Manually” on page 457.
2     Reinstall the APS software. See “Reinstalling the APS software” below.
3     If you upgraded to a newer version of APS since its initial installation, upgrade APS to that version. See “Upgrading the APS Software” on page 527.
      Note: An exception is if you were running version 2.6 or earlier before the reinstallation but your last available backup is from an earlier version. See “About restoring backups from an earlier version” above.
4     Restore the backup data. See “Restoring APS from Backups” on page 458.

Reinstalling the APS software

To reinstall the APS software:

1. Connect to APS in one of the following ways:
   - Connect a serial cable from the serial console to the appliance.
   - Connect a VGA monitor and keyboard to the appropriate ports on the back of the appliance.
2. Restart the appliance as follows:
   Note: If APS is unresponsive, restart it by turning the power off and then turning it on.
   a. Log in to the CLI with your administrator user name and password.
   b. To stop the APS services, enter / services aps stop
      If you are installing a version that is earlier than 3.1, enter services pravail stop instead of the command above.
   c. To save the configuration, enter / config write
   d. Enter reload.
      Important: You must perform this step before you can start the APS services.
   e. At the prompt You are about to reboot the system. Do you wish to proceed?, type y
   Note: The remaining instructions are the same as on the APS Quick Start Card.
3. When APS restarts, watch for the prompt that tells you to Press any key to continue. When the prompt appears, quickly press a key (within five seconds).
   Important: If the system continues before you can press a key, turn off the appliance and start over.
4. At the GRUB menu, press the up arrow key or down arrow key to stop the 10-second countdown.
   Important: If the system continues before you can stop the countdown, turn off the appliance and start over.
5. Depending on how you connected to the appliance, select one of the following options on the GRUB menu and then press ENTER:
   - (re)install from on-board flash (serial console)
   - (re)install from on-board flash (VGA)
6. At the prompt Do you want to begin the install process? This will remove all current data and configuration, type y
   The installation initializes the system, installs the software, and builds the databases. These processes take some time.
7. After the appliance restarts, continue the configuration by following the procedure on the APS Quick Start Card or in “Installing APS” on page 524.

Appendixes
Appendix A: APS Communication Ports

This section describes the ports that APS uses to forward and receive data.

In this section
This section contains the following topics:
APS Communication Ports ... 536

APS Communication Ports

APS uses specific ports for each of the services that it allows. If you have firewalls and other access control lists, you must open the ports on the firewall to ensure that APS can forward and receive data.

Ports to enable
The following ports only need to be enabled if you are using the corresponding service:

APS communication ports
| Service | Port | Protocol | Direction | Use |
|---|---|---|---|---|
| Backup to remote server * | 22 | SFTP | APS to backup server | Backup storage |
| Cloud Signaling | 7550 | UDP | APS to Cloud Signaling Server; Cloud Signaling Server to APS | Required for Cloud Signaling communication |
| DNS | 53 | UDP or TCP | APS to DNS server | Recommended for APS functionality. TCP may be used depending on the response data size. |
| FTP * | 20-21 | TCP | APS to FTP server | Optional for file transfers |
| HTTP * | 80 | TCP | APS to web file server | Optional for file transfers |
| HTTPS | 443 | TCP | APS to Cloud Signaling Server | Required for Cloud Signaling communication |
| HTTPS | 443 | TCP | APS to AIF server | Required for receiving AIF updates. See “Accessing the AIF server” on page 119. |
| HTTPS | 443 | TCP | Workstation to APS | UI access |
| NTP | 123 | UDP | APS to NTP server | Optional to synchronize network time |
| ping | echo request, echo reply | ICMP | any server to APS | Optional for troubleshooting |
| RADIUS Authentication * | 1812 | UDP | APS to RADIUS server | Not commonly used |
| RADIUS Accounting * | 1813 | UDP | APS to RADIUS server | Not commonly used |
| SMTP | 25 | TCP | APS to SMTP server | Required for email communication |
| SNMP queries | 161 | UDP | SNMP monitoring station to APS | Optional to query APS |
| SNMP traps | 162 | UDP | APS to SNMP trap collector | Optional to send SNMP traps |
| SSH * | 22 | TCP | workstation to APS | Optional for file transfers and CLI access |
| Syslog * | 514 | UDP | APS to Syslog collector | Optional to send syslog events |
| TACACS+ * | 49 | TCP | APS to TACACS+ server | Not commonly used |

* You can configure a different port number for this service.

Appendix B: DDoS Attacks and APS Protections

This section describes several types of distributed denial of service (DDoS) attacks that APS can protect against. It provides examples of known DDoS attacks and summarizes the methods and protections that you can use in APS to prevent each type of attack.

This overview of APS protections is not a comprehensive guide to DDoS attack prevention. The attacks that it covers are among the most common, but they are also relatively unsophisticated. Defending your enterprise network against the full range of advanced DDoS threats requires more than installing APS and enabling protection settings for typical attacks. It also requires an organization with these qualities:
- Clear, coordinated communications between peers and upstream operations security teams.
- Robust network architectures that reflect best current practices in both security and availability.
- Participation in online attack mitigation communities that allow coordinated responses to DDoS threats.
In this section
This section contains the following topics:
DDoS Attacks: The Threat ... 539
About DDoS Botnets ... 541
DDoS Attack Categories ... 543
Volumetric Attack Types and Protections ... 544
About ICMP Flood Attacks and UDP Flood Attacks ... 545
About HTTP Flood Attacks ... 546
About Uncommon IP Protocol Flood Attacks ... 547
State Exhaustion Attack Types and Protections ... 548
About TCP SYN Flood Attacks ... 549
About IP Fragmentation Attacks ... 550
About TCP Protocol Attacks ... 551
About Slow HTTP Attacks ... 552
Application Attack Types and Protections ... 553
About DNS Amplification Attacks ... 554
About HTTP Cache Abuse Attacks ... 556
About Malformed HTTP Attacks ... 557

DDoS Attacks: The Threat

Internet availability is critical to the global economy as well as governments and organizations worldwide. A successful DDoS attack can render service at an internet location temporarily unavailable. A DDoS attack can have any of the following goals:
- Competitive advantage (for example, financial or online gaming)
- Protest or political “hacktivism”
- Cyberwar
- Extortion
- Vandalism

DDoS attacks can be more than an inconvenience. They can do actual harm in the real world.

Using APS to mitigate DDoS attacks
An APS system in your data center can prevent or mitigate the damaging effects of a wide variety of DDoS attacks in real time. In addition, when APS detects an attack, it can use Cloud Signaling to automatically broadcast mitigation requests to participating service providers upstream. In response, the service providers start to mitigate attack traffic before it reaches your enterprise network.

How do DDoS attacks work?
The first denial of service attacks on the internet were launched from one malicious host at a time. Their impact was limited by the attacker’s bandwidth.

Today, DDoS attacks are launched from many sources at once using botnets, which are synchronized networks of hundreds or thousands of malicious hosts distributed throughout the internet. The greater bandwidth that is available to an attacker with a botnet makes the potential impact of an attack much larger than that of an attack from a single host.

A DDoS attack can overwhelm one or more target servers with illegitimate traffic. The attack traffic can include data requests, service requests, or connection requests. The DDoS request packets arrive at their target in abnormally high volumes or with abnormal formatting, content, or response timing. While the servers are under attack, the burden of handling bad traffic prevents them from responding to legitimate requests. If a DDoS attack persists, the targeted servers eventually shut down, go offline, reset repeatedly, or run so slowly that they are effectively useless.

For more information about the types of DDoS attacks, see “DDoS Attack Categories” on page 543.

What damage can DDoS attacks do?
DDoS attacks can do the following types of damage:
- Deny legitimate users access to services or resources.
- Expose confidential data or resources.
- Allow hackers to steal or destroy data.
- Hide network abuse.

For example, a DDoS attack can cause businesses on the internet to lose money quickly by delaying time-sensitive transactions. The reputation and future sales of the business can also suffer if customers cannot reach them when necessary.

About DDoS Botnets

A DDoS botnet is a large set of compromised computers (called bots or zombies) that can be deployed remotely by a command-and-control (C&C) server. The computers in a botnet are usually compromised by malware without their users’ knowledge.
Working together, a bot army can generate high-volume traffic attacks against victim servers, such as web servers, Domain Name System (DNS) servers, and email servers.

The C&C server and its bots can use HTTP, Internet Relay Chat (IRC), or proprietary protocols to communicate. Bots can report their status to the C&C server and receive attack commands from the C&C server. Bots also can share status messages and attack-coordinating messages with other bots.

Some botnets are available for hire. The buyer purchases botnet service for a specified period of time and then chooses one or more target servers for the botnet to attack. Examples of botnets are Dirt Jumper, Athena, and BroBot.

Botnet families
Botnet messaging can be in plain text or encoded, depending on the botnet family. The botnet family also determines the type of attacks that are supported. Botnet attacks are typically volumetric traffic floods. However, a botnet also can launch state exhaustion attacks and application attacks. For more information, see “DDoS Attack Categories” on page 543.

About voluntary botnets
A voluntary botnet is one in which users, such as the Anonymous hacktivist group, allow their computers to join a botnet. When a computer joins a voluntary botnet, it agrees to communicate with other bots in the botnet.

Voluntary botnets can be controlled manually or automatically. In manually controlled botnets, the participants coordinate their bots by broadcasting messages to an IRC channel or list of phone numbers. In automatically controlled botnets, a C&C server coordinates the bots by broadcasting commands to the bots. Either method allows large numbers of bots to go online and launch attacks simultaneously.

The tools for creating and participating in voluntary botnets are openly available on many internet file-sharing networks. They can also be downloaded — for free and for sale — directly from the web sites and social media outlets of hacktivist and other hacking interest groups. Examples of voluntary botnet attack tools include Low Orbit Ion Cannon (LOIC) and its variants, HOIC (High Orbit Ion Cannon) and GOIC (Geosynchronous Orbit Ion Cannon).

Note: Voluntary botnets are seen less often today than in the past.

APS protections for botnet attacks
The following APS features help to protect against botnet attacks:
- The ATLAS Intelligence Feed (AIF) updates contain signatures that define known botnets. See “Configuring the ATLAS Intelligence Feed” on page 119.
- The Botnet Prevention protection settings allow you to enable botnet detection at various levels. See “Botnet Prevention Settings” on page 216.
- Cloud Signaling can mitigate botnet traffic in the cloud, before it reaches your data center. See “About Cloud Signaling for DDoS Protection” on page 368.
- The HTTP Rate Limiting settings limit the rates at which malicious hosts in a botnet can send HTTP requests. See “HTTP Rate Limiting Settings” on page 225.

Additional protection settings can detect the different types of threats that are initiated by botnets.

DDoS Attack Categories

APS protects against the following categories of DDoS attacks. Each attack category contains multiple types of attacks.
- Volumetric attacks
- State exhaustion attacks
- Application attacks

Each attack category can target different types of network servers or communications appliances that run different protocols, applications, or services. The protection settings for various APS server types can be customized to protect against the most likely attacks. APS Cloud Signaling can also help mitigate attacks upstream.

About volumetric attacks
Volumetric attacks use high volumes of traffic to saturate and overwhelm network resources and circuits at the target site.
Any extraordinarily large volume of inbound traffic that is received in a relatively short amount of time could indicate a volumetric attack. Volumetric attacks consume large amounts of bandwidth. They can generate traffic volumes in the hundreds of billions of bits per second. These attacks leave virtually no bandwidth available for legitimate purposes.

A volumetric attack uses packet traffic as a weapon rather than packet content. Therefore, this type of attack is best mitigated upstream from the data center by using a combination of APS traffic flow monitoring and Cloud Signaling. For more information, see “Volumetric Attack Types and Protections” on the next page.

About state exhaustion attacks
State exhaustion attacks target servers and communications appliances on a network whose connections or other resources are state-sensitive. They exploit the target’s need for valid or timely responses. State exhaustion attacks consume the resources of servers, routers, load balancers — and even some firewalls — by sending packets with the following characteristics:
- The packet header or payload formatting or content is corrupt.
- The packets are sent in the wrong sequence within a frame, or in frames that are out of sequence.
- The packets arrive at their destination after an excessively long delay or they never arrive.

For more information, see “State Exhaustion Attack Types and Protections” on page 548.

About application attacks
Application attacks target specific applications or services that are running on a server. They can slow down or crash the software that is running on the server by sending illegitimate requests or malformed packets to the server. Application attacks often use much less bandwidth than volumetric attacks and many state exhaustion attacks. They are also harder to detect than either volumetric or state exhaustion attacks. For more information, see “Application Attack Types and Protections” on page 553.

Volumetric Attack Types and Protections

APS protects against the following types of volumetric traffic flood attacks:
- ICMP Flood. See “About ICMP Flood Attacks and UDP Flood Attacks” on the facing page.
- UDP Flood. See “About ICMP Flood Attacks and UDP Flood Attacks” on the facing page.
- HTTP Flood. See “About HTTP Flood Attacks” on page 546.
- Uncommon IP Protocol Flood. See “About Uncommon IP Protocol Flood Attacks” on page 547.

Volumetric attack methods and effects
The method and protocol that an attacker uses to construct volumetric attack requests determines the nature of the attack and how the attack traffic is mitigated. Some volumetric attacks are designed for maximum packet delivery speed. Others focus less on speed and more on manipulating the traffic pattern, for example, by delivering randomized payloads.

APS protection for volumetric attacks
APS can use Cloud Signaling to request mitigation from participating service providers upstream. APS can also use various protection settings to detect and protect against volumetric attacks on-premises.

APS can protect against volumetric attacks on Windows server platforms that use WinSock2 API calls, the WinInet library, and ActiveX interfaces. It can also protect against volumetric attacks on other platforms, such as Linux, Mac OS X, and OpenBSD. Examples of such attacks are those that target applications and services that are written in open-source languages such as Perl, PHP, or Python running on a UNIX server.

See “About Cloud Signaling for DDoS Protection” on page 368 and “Configuring the Protection Settings” on page 199.

About ICMP Flood Attacks and UDP Flood Attacks

ICMP flood attacks and UDP flood attacks use distributed reflection to bring down their target.
The attacker repeatedly broadcasts an ICMP or UDP request with a fake (spoofed) source address to a large number of computers that will reply. The spoofed source address is set to the target victim’s address. When all the computers reply to the request at the spoofed address, their replies reflect back to the target server and overwhelm it with traffic.

ICMP flood attacks and UDP flood attacks can use ICMP message packets of various types to overload a target network’s bandwidth. For example, they can employ “ICMP echo request” packets generated by the UNIX ping command or “ICMP destination unreachable” packets.

Examples of ICMP flood attacks and UDP flood attacks are ICMP Ping Flood and UDP Traffic Flood, which are described below. To protect against these types of attacks, see “APS protections for ICMP Flood and UDP Flood attacks” below.

Example: ICMP Ping Flood
In an ICMP Ping Flood, the attacker overwhelms the victim by sending UNIX ping command packets with the -flood option. (Use of the -flood option requires administrator-level privileges on most systems.) The -flood option sends ICMP echo request packets as fast as possible without waiting for replies. If the attacker has more bandwidth than the victim, this attack can succeed.

Example: UDP Traffic Flood
In a UDP Traffic Flood attack, a UDP request with a spoofed source address is broadcast to random ports on a large number of computers. When the computers find no application on the requested ports, they flood the target host with “ICMP destination unreachable” packets.

APS protections for ICMP Flood and UDP Flood attacks
You can use Cloud Signaling to mitigate ICMP flood attacks and UDP flood attacks. See “About Cloud Signaling for DDoS Protection” on page 368.

To protect against ICMP flood attacks and UDP flood attacks on-premises, use the following protection settings:
- The ICMP Flood Detection settings protect against ICMP Ping Flood attacks. See “ICMP Flood Detection Settings” on page 228.
- The UDP Flood Detection settings protect against UDP Traffic Flood attacks. See “UDP Flood Detection Settings” on page 249.
- The Rate-based Blocking settings enforce traffic thresholds. See “Rate-based Blocking Settings” on page 235.
- The Payload Regular Expression settings prevent attacks by packets that contain unique data patterns in their payload. See “Payload Regular Expression Settings” on page 231.

About HTTP Flood Attacks

An HTTP flood attack targets web sites and online services. The main types of HTTP flood attacks are as follows:
- HTTP-GET flood: The attacker’s botnet floods the web server with GET requests to download large files such as images or scripts.
- HTTP-POST flood: The attacker’s botnet floods the web server with POST requests that post large amounts of data to online forms on the web site.

In all cases, the web server becomes so busy processing the HTTP-GET requests and HTTP-POST requests that it cannot service the requests from legitimate users.

HTTP flood attacks and Content Delivery Networks (CDNs)
CDNs manage the large volumes of normal HTTP traffic to popular web sites. They also provide some protection against HTTP flood attacks. CDNs can buffer and route large amounts of HTTP requests so no single web server is overwhelmed. However, attackers bypass CDNs by randomizing parameters in HTTP-GET and HTTP-POST requests. This tactic allows them to target a specific web server downstream from the CDN. The server is then forced to respond to an unbuffered flood of GET or POST requests until it is overwhelmed and rendered unavailable.

APS protections for HTTP flood attacks
You can use Cloud Signaling to mitigate HTTP flood attacks. See “About Cloud Signaling for DDoS Protection” on page 368.
To protect against HTTP flood attacks on-premises, use the following protection settings:
- The HTTP Header Regular Expressions settings block attack HTTP packets with headers that contain the specified data pattern, such as HTTP-GET or HTTP-POST. See “HTTP Header Regular Expressions Settings” on page 224.
- The HTTP Rate Limiting settings limit the rates at which source hosts can send HTTP requests. See “HTTP Rate Limiting Settings” on page 225.
- The Rate-based Blocking settings enforce traffic thresholds. See “Rate-based Blocking Settings” on page 235.

About Uncommon IP Protocol Flood Attacks

Uncommon IP protocol flood attacks exploit incomplete Access Control Lists (ACLs). Most ACLs filter the packets from common protocols such as TCP, UDP, and ICMP. However, there are 254 valid internet protocols. Those that are used infrequently are often omitted from ACLs. An uncommon IP protocol flood attack can overwhelm servers with packets from one or more of these lesser-used protocols.

APS protections for uncommon IP protocol flood attacks
The Rate-based Blocking settings enforce traffic thresholds for all packets regardless of the protocol. See “Rate-based Blocking Settings” on page 235.

State Exhaustion Attack Types and Protections

APS protects against these (and other) types of state exhaustion attacks:
- TCP SYN Flood. See “About TCP SYN Flood Attacks” on the facing page.
- Spoofed TCP SYN Flood. See “About TCP SYN Flood Attacks” on the facing page.
- IP Fragmentation. See “About IP Fragmentation Attacks” on page 550.
- TCP Protocol. See “About TCP Protocol Attacks” on page 551.
- Slow HTTP. See “About Slow HTTP Attacks” on page 552.

State exhaustion attack methods and effects
A state exhaustion attack can consume all the connections or resources on a server or communications appliance. A server or appliance can become unavailable if the attack exhausts all of its communication ports, memory, or CPU capacity.

Note: State exhaustion attacks are sometimes called “Layer 4-7” attacks. They exploit protocols in the upper layers of the TCP/IP protocol stack that correspond to layers 4-7 of the Open Systems Interconnect (OSI) network architecture.

State exhaustion attack protections
APS can use Cloud Signaling to request mitigation from participating service providers upstream. You can also detect and prevent state exhaustion attacks on-premises in your data center by configuring various APS protection settings. See “About Cloud Signaling for DDoS Protection” on page 368 and “Configuring the Protection Settings” on page 199.

About TCP SYN Flood Attacks

A TCP SYN flood attack renders a web server unable to handle new connection requests. It drives all of the target server’s communications ports into a half-open state. It achieves this result by preventing the completion of the TCP three-way handshake between client and server on every port. The handshake must be completed before a communications port between the client and server can be fully open and available.

An attacker can use a botnet to mount a TCP SYN flood attack as a simple traffic flood. The attack overwhelms the server with TCP SYN requests from thousands of bots. The rate at which packets arrive exceeds the rate at which the server can open and close ports. New clients are unable to connect while the server handles the connection requests from the bots.
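The two signals that this section associates with a SYN flood, a SYN arrival rate the server cannot keep up with and handshakes that are started but never completed, can be checked directly against a packet capture. The following Python is an added example written for this appendix, not APS code or the page's own; the packet record layout, the thresholds (100 SYN/s and a SYN-minus-ACK gap of 50 per one-second window) and the sample capture are constructed assumptions, and the capture is built inline so the script runs offline:

```python
"""Toy TCP SYN flood detector (added example; not APS code).

Applies the two signals described for this attack: the rate of opening SYN
packets toward one destination, and the gap between those SYNs and the client
ACKs that should complete the three-way handshake. It also counts half-open
connections (SYN seen, handshake never completed).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    ts: float    # arrival time in seconds
    src: str     # source IP
    dst: str     # destination IP (the protected server)
    sport: int
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A"


# Hypothetical thresholds; APS exposes its own configurable values.
SYN_RATE_PPS = 100   # opening SYNs per second toward one destination
SYN_ACK_DIFF = 50    # SYN count minus ACK count within one window


def _is_syn(p):
    """Client's opening SYN: SYN set, ACK clear."""
    return "S" in p.flags and "A" not in p.flags


def _is_ack(p):
    """Client's handshake-completing ACK: ACK set, SYN clear."""
    return "A" in p.flags and "S" not in p.flags


def detect_syn_flood(packets, window=1.0, syn_rate_pps=SYN_RATE_PPS,
                     syn_ack_diff=SYN_ACK_DIFF):
    """Return one alert dict per (window, destination) that trips a threshold."""
    syn, ack = Counter(), Counter()
    for p in packets:
        key = (int(p.ts // window), p.dst)
        if _is_syn(p):
            syn[key] += 1
        elif _is_ack(p):
            ack[key] += 1
    alerts = []
    for key in sorted(set(syn) | set(ack)):
        s, a = syn[key], ack[key]
        reasons = []
        if s / window > syn_rate_pps:
            reasons.append("syn_rate")
        if s - a > syn_ack_diff:
            reasons.append("syn_ack_imbalance")
        if reasons:
            alerts.append({"window": key[0], "dst": key[1],
                           "syn": s, "ack": a, "reasons": reasons})
    return alerts


def half_open_connections(packets):
    """Per destination, count connections that sent a SYN but never an ACK."""
    pending = set()
    for p in packets:
        conn = (p.src, p.sport, p.dst, p.dport)
        if _is_syn(p):
            pending.add(conn)
        elif _is_ack(p):
            pending.discard(conn)
    return Counter(conn[2] for conn in pending)


def constructed_capture():
    """Constructed sample: 20 normal handshakes in second 0, then in second 1
    a flood of 300 SYNs from spoofed sources that never answer the SYN-ACK,
    mixed with 10 normal clients."""
    server = "203.0.113.10"
    pkts = []
    for i in range(20):
        src = f"198.51.100.{i + 1}"
        pkts.append(TcpPacket(0.1 + i * 0.01, src, server, 40000 + i, 443, "S"))
        pkts.append(TcpPacket(0.2 + i * 0.01, src, server, 40000 + i, 443, "A"))
    for i in range(300):
        pkts.append(TcpPacket(1.0 + i * 0.001, f"192.0.2.{i % 250 + 1}", server,
                              50000 + i, 443, "S"))
    for i in range(10):
        src = f"198.51.100.{100 + i}"
        pkts.append(TcpPacket(1.5 + i * 0.01, src, server, 41000 + i, 443, "S"))
        pkts.append(TcpPacket(1.6 + i * 0.01, src, server, 41000 + i, 443, "A"))
    return pkts


if __name__ == "__main__":
    pkts = constructed_capture()
    for alert in detect_syn_flood(pkts):
        print(alert)
    print(half_open_connections(pkts))
```

In the sample, second 0 shows 20 SYNs and 20 ACKs and raises nothing; second 1 shows 310 SYNs against 10 ACKs and trips both thresholds, and 300 connections toward the server remain half-open. A window with many SYNs and few completing ACKs, or a growing half-open count toward one destination, is the indicator the TCP SYN Flood Detection settings listed later in this section look for.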
About Spoofed TCP SYN Flood attacks
In addition to sending simple traffic floods, an attacker can send a spoofed TCP SYN flood that spoofs the source address in the TCP SYN requests. As a result, the TCP handshake never completes because the SYN-ACK reply from the server goes to an illegitimate or nonresponsive client. Spoofing the source address lowers the volume of TCP SYN requests that are required to consume the server’s resources. All the attacker must do is send enough packets with spoofed source addresses to fill up all the available ports on the server.

Furthermore, the attacker can replace the source address with the destination address of the target server. In that case, the Spoofed TCP SYN flood is amplified by the reflection of the request back to the server itself.

Example: Land attack
The Land attack sends spoofed TCP SYN packets in which the source address and port match the victim server’s destination address and port. The spoofed source address prevents the TCP three-way handshake from completing and eventually exhausts the server’s connections.

APS protections for TCP SYN Flood attacks
You can use Cloud Signaling to mitigate TCP SYN flood attacks. For example, cloud service providers that run Arbor’s Peakflow software can enable filters that drop outbound packets if the packets have a source address outside their network. See “About Cloud Signaling for DDoS Protection” on page 368.

To protect against TCP SYN flood attacks on-premises, use the following protection settings:
- The TCP SYN Flood Detection settings detect high TCP SYN packet rates and excessive differences between the number of ACK packets and the number of SYN packets. See “TCP SYN Flood Detection Settings” on page 243.
- The Spoofed SYN Flood Prevention settings can detect spoofed destination addresses by filtering the TCP SYN packets based on the destination address. These settings can also employ TCP authentication methods to validate the source of TCP SYN connection requests and HTTP traffic. See “Spoofed SYN Flood Prevention Settings” on page 237.

About IP Fragmentation Attacks

In an IP fragmentation attack, an attacker sends a large volume of IP packet fragments to the target server in an attempt to overflow the server’s memory. This type of attack exploits the target server’s obligation to keep IP packet fragments in memory until all fragments arrive. It buffers the fragments until the packet can be reassembled, or until a timeout period expires. The attack uses one of the following methods to consume the server’s memory:
- Never deliver all the fragments.
- Deliver the fragments after the timeout expires.
- Deliver so many fragments, so fast, that the server’s memory fills up before the packets can be reassembled.

Examples of IP fragmentation attacks are Teardrop, Jolt2, Nestea, and Targa3. They are described below. To protect against these types of attacks, see “APS protections for IP fragmentation attacks” below.

Example: Teardrop
A Teardrop attack exploits a vulnerability in older versions of Windows and Linux. The attack crashes the Windows server by sending overlapping IP packet fragments. Older versions of Windows and Linux cannot reassemble overlapping packets. This vulnerability is fixed in newer versions of Windows and Linux.

Example: Jolt2
Jolt2 is a fragmentation attack that targets older Windows systems and some older Cisco equipment. It sends illegitimate IP packet fragments to the victim server. The victim consumes 100 percent of its CPU time processing the illegitimate packets, which renders it unable to handle legitimate requests. This vulnerability is fixed in newer versions of Windows and in newer Cisco equipment.
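The buffering and timeout behaviour described at the start of this section, together with the overlapping fragments that Teardrop relies on, can be modelled with a small reassembly tracker that reports the conditions a fragmentation attack produces instead of silently consuming memory. The following Python is an added example for this appendix, not APS code or the page's own; the fragment record layout, the 30-second timeout, the 64 KB per-source buffer budget and the sample traffic are constructed assumptions, and the traffic is built inline so the script runs offline:

```python
"""Toy IP fragment tracker (added example; not APS code).

Buffers fragments per (src, dst, identification) the way a host reassembler
does, and records the three conditions a fragmentation attack relies on:
overlapping fragments, groups that never complete before the timeout, and one
source keeping more bytes buffered than a per-source budget allows.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    ident: int     # IP Identification field shared by all fragments of one datagram
    offset: int    # fragment offset in bytes
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments (MF) flag


@dataclass
class Group:
    first_ts: float
    frags: List[Fragment] = field(default_factory=list)
    total: Optional[int] = None   # datagram length, known once the MF=0 fragment arrives


class FragmentTracker:
    def __init__(self, timeout=30.0, per_source_budget=64 * 1024):
        self.timeout = timeout            # seconds an incomplete group may wait (assumed)
        self.budget = per_source_budget   # bytes one source may keep buffered (assumed)
        self.groups = {}                  # (src, dst, ident) -> Group
        self.events = []                  # (kind, subject, detail)

    def _buffered_by(self, src):
        return sum(f.length for key, g in self.groups.items()
                   if key[0] == src for f in g.frags)

    @staticmethod
    def _overlaps(a, b):
        return a.offset < b.offset + b.length and b.offset < a.offset + a.length

    @staticmethod
    def _contiguous(g):
        """True when the buffered fragments cover bytes 0..total without a gap."""
        pos = 0
        for start, end in sorted((f.offset, f.offset + f.length) for f in g.frags):
            if start > pos:
                return False
            pos = max(pos, end)
        return pos >= g.total

    def add(self, frag):
        key = (frag.src, frag.dst, frag.ident)
        g = self.groups.setdefault(key, Group(frag.ts))
        if any(self._overlaps(frag, f) for f in g.frags):
            # Teardrop-style overlap: record it and drop the fragment rather than splice it.
            self.events.append(("overlap", key, frag.offset))
            return
        g.frags.append(frag)
        if not frag.more:
            g.total = frag.offset + frag.length
        if g.total is not None and self._contiguous(g):
            self.events.append(("complete", key, g.total))
            del self.groups[key]
            return
        held = self._buffered_by(frag.src)
        if held > self.budget:
            # One source is hogging reassembly memory: free everything it holds.
            self.events.append(("budget_exceeded", frag.src, held))
            for k in [k for k in self.groups if k[0] == frag.src]:
                del self.groups[k]

    def expire(self, now):
        """Discard groups that have waited longer than the timeout."""
        for key, g in list(self.groups.items()):
            if now - g.first_ts > self.timeout:
                self.events.append(("timeout", key, len(g.frags)))
                del self.groups[key]


def run_constructed_scenario():
    """Constructed traffic: one normal two-fragment datagram, one overlapping
    pair, one datagram whose tail never arrives, and one source that opens
    46 datagrams without finishing any of them. Returns event counts by kind."""
    t = FragmentTracker(timeout=30.0, per_source_budget=64 * 1024)
    srv = "203.0.113.10"
    t.add(Fragment(0.00, "198.51.100.1", srv, 1, 0, 1480, True))
    t.add(Fragment(0.01, "198.51.100.1", srv, 1, 1480, 520, False))   # completes
    t.add(Fragment(1.00, "192.0.2.7", srv, 2, 0, 1000, True))
    t.add(Fragment(1.01, "192.0.2.7", srv, 2, 800, 600, False))       # overlaps bytes 800-1000
    t.add(Fragment(2.00, "192.0.2.8", srv, 3, 0, 1480, True))         # tail never sent
    for i in range(46):
        t.add(Fragment(3.0 + i * 0.001, "192.0.2.9", srv, 100 + i, 0, 1480, True))
    t.expire(now=40.0)
    return Counter(kind for kind, _, _ in t.events)


if __name__ == "__main__":
    print(run_constructed_scenario())
```

The budget check fires on the 45th first-fragment from the flooding source (45 × 1480 bytes exceeds 64 KB) and releases that source's buffers, so the 46th opens a fresh group; the expiry pass then times out the overlap victim, the datagram with the missing tail, and that one remaining group. A host without these checks would simply keep all of them until memory ran out, which is the outcome the methods listed above aim for.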
Example: Nestea The Nestea fragmentation attack is similar to the Teardrop attack except that it only targets older Linux operating systems. Nestea exploits a bug in the Linux operating system (called the “off by one IP header” bug) that reassembles and reformats packet fragments. A Nestea attack on a vulnerable Linux system will crash the system. Example: Targa3 Targa3 is a fragmentation attack that sends random IP packets with abnormal headers that can crash some types of systems. Attackers can use Targa3 to do reconnaissance on potential targets. Based on the server’s response to the Targa3 attack, an attacker can ascertain whether or not the server’s IP protocol software is vulnerable to atypical traffic. APS protections for IP fragmentation attacks To protect against IP fragmentation attacks, use the Fragment Detection protection settings. See “Fragment Detection Settings” on page 223. 550 Proprietary and Confidential Information of Arbor Networks Inc. Appendix B: DDoS Attacks and APS Protections About TCP Protocol Attacks TCP protocol attacks exploit vulnerabilities in the following features of the TCP protocol: n TCP window sizing (or scaling) n TCP connection timing These types of TCP protocol exploits seek to exhaust TCP connections, leaving them in a perpetually idle state. Example: Sockstress The Sockstress attack exploits the window-size setting feature of the TCP protocol. Only Windows systems that allow access to raw sockets are vulnerable. Note Raw socket access is not allowed on newer Windows systems unless it is enabled with a device driver. In a Sockstress attack, the attacker completes a successful TCP handshake with its TCP receive window set to a small value or zero. Once the connection is open, the attacker sends an HTTP request for a large amount of data, again, with its receive window size set to zero. The victim tries to send the requested data but cannot because the receive window is too small (size 0). 
As a result, the TCP connection goes into an idle state. A large number of these idle connections can consume the memory that is allocated to TCP sockets. Eventually, all new connections are blocked from opening.

Example: Nkiller2

Like the Sockstress attack, the Nkiller2 attack puts TCP connections in a perpetually idle state by setting the TCP receive window size to zero. However, Nkiller2 also uses the timing features of the TCP protocol, such as the TCP Timestamp option, to artificially extend the connection session duration. This two-pronged attack doubles the risk of connection exhaustion that can block new connections on the victim web server.

APS protections for TCP protocol attacks

To protect against TCP protocol attacks, use the TCP Connection Reset protection settings. See “TCP Connection Reset Settings” on page 241.

About Slow HTTP Attacks

In contrast to traditional HTTP flood attacks, slow HTTP attacks send fewer HTTP requests to the web server but hold them open for as long as possible. During a slow HTTP attack, the attacker makes several connections and, on each connection, sends a partial request for data to the victim server. In response, the server allocates resources such as memory to each connection and waits for subsequent requests to arrive. The attacker sends each small portion of the request at an interval that is almost equal to, but less than, the server’s timeout setting. Therefore, the server stays busy processing the small requests, but it takes a long time to time out. Eventually, the server starts to deny legitimate connection requests from other clients.

For example, if the server’s timeout period is 300 seconds, the attacker sends 5 bytes of a 500-byte request every 299 seconds. The attack occupies the server's resources on that connection for 29,900 seconds (299 * 500/5).

Slowloris and Pyloris are examples of slow HTTP attacks.
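The arithmetic above, and the two checks a connection tracker applies to such a connection (the connection has been idle too long, or the request is arriving below a minimum bit rate), as an added example. This is constructed illustration code, not APS code; the connection records, field names, thresholds and the grace period for young connections are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ConnState:
    conn_id: str
    opened_at: float         # seconds, on the same clock as `now`
    bytes_received: int      # request bytes the server has received so far
    last_byte_at: float      # when the most recent request byte arrived
    request_complete: bool   # the server has a full request and is no longer waiting on the client


def occupancy_seconds(timeout, request_bytes, chunk_bytes, slack=1.0):
    """Seconds one slow connection ties up the server when the client sends `chunk_bytes`
    every (timeout - slack) seconds; with the guide's figures this is 299 * 500/5 = 29,900."""
    chunks = -(-request_bytes // chunk_bytes)       # ceiling division
    return (timeout - slack) * chunks


def reset_reason(conn, now, min_bits_per_sec, max_idle_seconds, grace_seconds):
    """Why a still-incomplete request should be reset, or None if it looks healthy.
    Two checks: idle for longer than allowed, or a request bit rate below the configured minimum.
    The rate check is skipped for the first `grace_seconds` so a fresh connection is not judged early."""
    if conn.request_complete:
        return None
    if now - conn.last_byte_at > max_idle_seconds:
        return "idle"
    age = now - conn.opened_at
    if age >= grace_seconds and (conn.bytes_received * 8) / age < min_bits_per_sec:
        return "slow-rate"
    return None


def slow_connections(conns, now, min_bits_per_sec=64.0, max_idle_seconds=60.0, grace_seconds=10.0):
    """Map conn_id -> reason for every connection the checks would reset."""
    flagged = {}
    for conn in conns:
        reason = reset_reason(conn, now, min_bits_per_sec, max_idle_seconds, grace_seconds)
        if reason:
            flagged[conn.conn_id] = reason
    return flagged


# Constructed connection table (not real traffic), as observed at now = 600 s.
SAMPLE_CONNS = [
    ConnState("slowloris-1", opened_at=0.0, bytes_received=10, last_byte_at=598.0, request_complete=False),
    ConnState("stalled-2", opened_at=500.0, bytes_received=200, last_byte_at=520.0, request_complete=False),
    ConnState("normal-3", opened_at=599.5, bytes_received=400, last_byte_at=599.8, request_complete=True),
    ConnState("young-4", opened_at=598.0, bytes_received=5, last_byte_at=598.0, request_complete=False),
]
```

The idle check alone never catches the trickle pattern, because the attacker sends a byte just before the timeout; the rate check does, since 10 bytes over 600 seconds is far below any minimum a real browser would fall under. The grace period is what keeps the rate check from resetting a connection that has simply just opened.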
Example: Slowloris

The Slowloris attack exhausts connection resources by sending small chunks of HTTP request headers to the target web server too slowly. By design, the web server must wait for all the header chunks to arrive or time out the HTTP request. The attack client sends each small HTTP header chunk just before the server’s HTTP request timeout expires. When many malicious hosts launch simultaneous Slowloris attacks from a botnet, all the available connections to a target server are opened at once. As a result, the server cannot handle legitimate HTTP requests.

Example: Pyloris

Pyloris is a modified version of the Slowloris attack that is written in Python (hence the “Py” prefix). It is a Slowloris attack that targets Windows systems exclusively. Unlike UNIX, Windows allows only 130 communication sockets to be open at once. Pyloris overcomes this limit.

APS protections for slow HTTP attacks

To protect against slow HTTP attacks, use the following features and protection settings:

- The ATLAS Intelligence Feed (AIF) updates contain signatures that define slow HTTP attacks. See “Configuring the ATLAS Intelligence Feed” on page 119.
- The Botnet Prevention protection settings detect many slow HTTP attacks by detecting missing fields in the HTTP headers. See “Botnet Prevention Settings” on page 216.
- The TCP Connection Reset settings track established TCP connections and block the traffic when a connection remains idle for too long. Traffic is also blocked when the bit rate for a single request drops below a configured minimum. See “TCP Connection Reset Settings” on page 241.

Application Attack Types and Protections

APS protects against many types of application attacks. For example, it can prevent and mitigate the following frequently encountered application attacks:

- DNS Amplification. See “About DNS Amplification Attacks” on the next page.
- HTTP Cache Abuse. See “About HTTP Cache Abuse Attacks” on page 556.
- Malformed HTTP. See “About Malformed HTTP Attacks” on page 557.

Application attack methods and effects

Application attacks compromise or crash the applications that run on network servers. These attacks are classified by the attack method that they use. Application attacks often exploit an application's attempts to recover from or resolve bad inputs. Examples of application attacks are described below.

Example: Apache Killer

The Apache Killer attack targets web servers that run older, unpatched versions of the Apache software. The attack exploits Apache’s “range” request, which allows a client to ask the web server to download large files in smaller chunks. The Apache Killer attack, which typically is delivered in a Perl script, asks the web server to break up even small files into thousands of tiny chunks. This tactic quickly exhausts the memory resources on the web server and renders it unavailable. A botnet Apache Killer attack can target many web servers at once, some of which will most likely be vulnerable, given the large number of Apache web servers on the internet.

Example: Hash DoS

The Hash DoS attack exploits applications that are written in older, 32-bit versions of languages such as PHP, Java, ASP.NET, Python, and Ruby. Unlike the newer versions of these languages, these older versions did not support strategies for resolving hash key collisions, such as using randomized hash functions. In a Hash DoS attack, the attacker supplies a single request with many parameters, such as an HTTP POST, to a target server that runs one of these older applications. When the application attempts to build a hash table from the input data in the request, many hash key collisions result. The application’s attempts to resolve these collisions overwhelm the server’s CPU and render the server unavailable.
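Both attacks above ask the application to do an unbounded amount of work for one request: thousands of byte ranges for a single file, or thousands of parameters in a single POST. As an added example (not Apache's, APS's, or any language runtime's code), the two parsers below put the application-side bound in place: a Range-header parser that refuses more than a fixed number of ranges and coalesces overlapping or adjacent ones, and a form parser that caps body size and parameter count. The limit values and the `is_rejected` helper are constructed for the example.

```python
import re
from urllib.parse import parse_qsl


class RequestRejected(ValueError):
    """Raised when a request asks for more work than the server is willing to do."""


RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header, content_length, max_ranges=5):
    """Turn an HTTP Range header such as 'bytes=0-99,200-299' into absolute (start, end) pairs.
    Two defensive measures: refuse more than `max_ranges` pieces, and coalesce overlapping or
    adjacent pieces so the response can never be larger than the resource itself."""
    if not header.startswith("bytes="):
        raise RequestRejected("unsupported range unit")
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    if len(specs) > max_ranges:
        raise RequestRejected(f"{len(specs)} ranges requested, limit is {max_ranges}")
    ranges = []
    for spec in specs:
        m = RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise RequestRejected(f"malformed range {spec!r}")
        first, last = m.groups()
        if first == "":                                   # suffix form '-N': the last N bytes
            start, end = max(content_length - int(last), 0), content_length - 1
        else:
            start = int(first)
            end = content_length - 1 if last == "" else min(int(last), content_length - 1)
        if start > end or start >= content_length:
            raise RequestRejected(f"unsatisfiable range {spec!r}")
        ranges.append((start, end))
    ranges.sort()
    merged = [ranges[0]]
    for start, end in ranges[1:]:
        if start <= merged[-1][1] + 1:                    # overlapping or adjacent: coalesce
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def parse_form(body, max_params=100, max_body_bytes=64 * 1024):
    """Parse application/x-www-form-urlencoded input with a cap on body size and on the number of
    parameters, so one request cannot force an unbounded number of hash-table insertions."""
    if len(body) > max_body_bytes:
        raise RequestRejected("body too large")
    try:
        pairs = parse_qsl(body, keep_blank_values=True, max_num_fields=max_params)
    except ValueError as exc:                              # parse_qsl raises when the field limit is exceeded
        raise RequestRejected(str(exc)) from exc
    return dict(pairs)


def is_rejected(fn, *args, **kwargs):
    """True when the call is refused with RequestRejected (a helper for the checks)."""
    try:
        fn(*args, **kwargs)
    except RequestRejected:
        return True
    return False
```

Note that the cap on parameters is only half of the Hash DoS fix; the other half is the randomized hash function the newer language runtimes adopted, which the page describes and which no application code can supply on its own. Counting before parsing matters: `parse_qsl` checks the field count up front rather than after building the list, so the rejection itself costs nothing.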
A botnet Hash DoS attack can supply malicious requests to many applications on many servers at once. Some will most likely be vulnerable, given the large number of applications and web servers on the internet.

Application attack protections

Application attacks are best mitigated on-premises by using the APS protection settings.

About DNS Amplification Attacks

A DNS amplification attack uses DNS server behavior to amplify a DDoS attack. It does so by exploiting weaknesses in the DNS protocol.

Process for translating domain names into an IP address

To understand a DNS amplification attack, it helps to know how a domain name is translated (resolved) into an IP address. The following steps provide a simplified description of this process:

1. A client’s browser requests a page from a web server with the domain name www.example.com.
2. The request goes to the DNS resolver program in the client’s operating system or ISP.
3. The DNS resolver sends the following query to a local DNS server: “What is the IP address for www.example.com?”
4. If the local DNS server knows the answer, it sends the IP address back to the DNS resolver.
5. If the local DNS server does not know the answer, it asks a succession of DNS servers for the address, starting with a DNS root name server. The search narrows with each query. Finally, an upstream DNS server sends the actual (or authoritative) IP address for the web server to the local DNS server, which forwards it to the DNS resolver.

Launching a DNS amplification attack

To launch a DNS amplification attack, an attacker follows these steps:

1. Replace (spoof) the IP address of the DNS resolver with the victim’s IP address. This causes all replies to the DNS server queries to be sent to the victim address rather than to the DNS resolver.

   Note: For this to work, the DNS resolver must be open.
   Efforts to close all of the open DNS resolvers on the internet are underway, but many are still open.

2. Find a web domain with many subdomains and URLs, for example, bigsite.com.
3. Send a request for the entire list of IP addresses for all the URLs in the bigsite.com domain. This malicious request elicits a large or amplified response from the DNS servers.
4. Send a command to each bot in the DDoS botnet to send the same DNS request for URLs in bigsite.com. In this command, the victim’s address replaces the DNS resolver address.

The large volume of traffic from all the DNS server replies renders the victim’s web server unavailable.

APS protections for DNS amplification attacks

To protect against DNS amplification attacks, use the following protection settings:

- The DNS Authentication settings protect against the DNS attacks that originate from a source that is not a valid host. See “DNS Authentication Settings” on page 219.
- The DNS Rate Limiting settings prevent the attacks that misuse DNS requests to flood DNS servers. See “DNS Rate Limiting Settings” on page 221.
- The DNS NXDomain Rate Limiting settings can temporarily block any host that generates too many consecutive failed DNS requests to non-existent domains. See “DNS NXDomain Rate Limiting Settings” on page 220.
- The DNS Regular Expression settings filter out DNS traffic based on matching data patterns in requests or headers. See “DNS Regular Expression Settings” on page 222.
- The Payload Regular Expression settings prevent attacks by packets that contain unique data patterns in their payload. See “Payload Regular Expression Settings” on page 231.

About HTTP Cache Abuse Attacks

A web server, a firewall proxy server, or a CDN server can store responses in cache memory to improve performance.
The HTTP protocol supports several elements to make caching work. Some of these elements can be misused to make the server vulnerable to cache abuse attacks. For example, an attacker repeatedly sends HTTP requests in a way that prevents the web server from using the cache. The attacker can achieve this disruption by using some of the cache-control-specific headers in the HTTP request message. This kind of attack can force the web server to repeatedly reload the same page or to load less frequently used pages, causing significant load on the server. As a result, the web server can start to deny services to legitimate clients.

APS protections for HTTP cache abuse attacks

To protect against HTTP cache abuse attacks, use the Malformed HTTP Filtering protection settings. See “Malformed HTTP Filtering Settings” on page 229.

About Malformed HTTP Attacks

Malformed HTTP attacks exploit the way that web servers handle HTTP requests that do not conform to protocol standards. For example, an early version of the Microsoft Internet Information Server (IIS) was vulnerable to HTTP requests that contained a specially crafted header. This header contained multiple, duplicate Host fields of a certain length that appeared a certain number of times. The attack consumed all of the server’s memory.

Some malware and attack tools generate large amounts of TCP payload data that targets a web server without including legitimate HTTP header information. These requests force the web server to send a response, such as an error message, to the attacker for each request it receives. These attacks exhaust the web server’s resources.

APS protections for malformed HTTP attacks

To protect against malformed HTTP attacks, use the Malformed HTTP Filtering protection settings. See “Malformed HTTP Filtering Settings” on page 229.
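As an added example of the checks a malformed-HTTP filter makes in front of a web server (constructed illustration code, not APS's Malformed HTTP Filtering implementation), the function below inspects a raw request head for the conditions described above: payload that carries no legitimate request line or never terminates its headers, a missing Host field on an HTTP/1.1 request, duplicate Host fields, and an excessive number of header lines. The limits, finding names and sample request heads are constructed.

```python
import re

# Request line and header line shapes from HTTP/1.x; both are matched against one CRLF-delimited line.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def inspect_request_head(raw, max_headers=100, max_head_bytes=8192):
    """Return the list of findings for one request head (the bytes up to and including the blank line).
    An empty list means the head is well formed enough to hand to the web server."""
    findings = []
    if len(raw) > max_head_bytes:
        findings.append("head-too-large")
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("no-end-of-headers")        # payload that never terminates its headers
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        findings.append("bad-request-line")         # not an HTTP request at all
        return findings                             # nothing below is meaningful without a request line
    is_http11 = lines[0].endswith(b"HTTP/1.1")
    names = []
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            findings.append("bad-header-line")
            continue
        names.append(m.group(1).lower())
    if len(names) > max_headers:
        findings.append("too-many-headers")
    hosts = names.count(b"host")
    if hosts == 0 and is_http11:
        findings.append("missing-host")             # HTTP/1.1 requires a Host field
    if hosts > 1:
        findings.append("duplicate-host")           # the IIS case described above
    return findings


# Constructed request heads (not captured traffic).
SAMPLE_REQUESTS = {
    "ok": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: probe\r\n\r\n",
    "http10": b"GET / HTTP/1.0\r\n\r\n",
    "dup_host": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"POST /login HTTP/1.1\r\nContent-Length: 0\r\n\r\n",
    "junk": b"\x00\x01\x02" + b"A" * 40,
}
```

The findings are deliberately coarse labels rather than a verdict: a filter can drop on `bad-request-line` and `duplicate-host` outright while only counting `missing-host` per source, since some legitimate HTTP/1.0 clients and health checkers omit Host.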
Appendix C: Bypass and Link State Propagation Benchmarks

This section documents the results of several performance tests on APS. The tests provided the following benchmarks:

- The average amount of time that it takes for APS to enter and exit hardware bypass and software bypass
- The average amount of time that it takes APS to propagate the link state after an interface in a pair of protection interfaces goes down or comes back up

In this section

This section contains the following topics:

Performance Benchmarks for Hardware Bypass, Software Bypass, and Link State Propagation (page 559)

Performance Benchmarks for Hardware Bypass, Software Bypass, and Link State Propagation

To determine the average amount of time it takes to enter and exit a bypass mode, Arbor performed benchmark tests on several APS platforms. See “Entering bypass mode” below and “Exiting bypass mode” on the next page. To learn more about hardware and software bypass, see “Configuring Hardware Bypass and Software Bypass” on page 499.

Arbor also performed link state propagation tests on a pair of protection interfaces (ext and int). These tests determined how long APS takes to propagate the link state after an interface in a pair is disconnected or reconnected. See “Propagating the link state of protection interfaces” on the next page.

Important: Due to the differences among network infrastructures, bypass results may vary.

Entering bypass mode

During testing, Arbor used the following methods to enter the bypass modes:

- Forced hardware bypass — Entered services aps bypass force open in the CLI.
- Manual hardware bypass — Removed all power to the APS appliance.
- Forced software bypass — Entered services aps stop in the CLI.

The following tables show the average amount of time in seconds that it takes APS to enter a bypass mode.
APS 2100 results

Configuration    Interfaces     Hardware bypass, forced    Hardware bypass, manual    Software bypass, forced
1 GbE copper     int0 - ext0    4.83                       3.74                       0.2
1 GbE fiber      int2 - ext2    0.2                        0.2                        0.2
10 GbE fiber     int0 - ext0    0.2                        1.43                       0.2

APS 2600 and APS 2800 results

Configuration    Interfaces     Hardware bypass, forced    Hardware bypass, manual    Software bypass, forced
1 GbE copper     int2 - ext2    3.96                       3.66                       0.2
1 GbE fiber      int0 - ext0    0.2                        0.2                        0.2
10 GbE fiber     int2 - ext2    0.2                        0.86                       0.2

Exiting bypass mode

During testing, Arbor used the following methods to exit the bypass modes on APS:

- Forced hardware bypass — Entered services aps bypass fail open on the CLI.
- Manual hardware bypass — Powered up the APS appliance.
- Forced software bypass — Entered services aps start on the CLI.

Note: For tests on APS appliances with copper interfaces, Arbor enabled auto negotiation and BPDU filtering.

The following tables show the average amount of time in seconds that it takes APS to exit a bypass mode.

APS 2100 results

Configuration    Interfaces     Hardware bypass, forced    Hardware bypass, manual    Software bypass, forced
1 GbE copper     int2 - ext2    5                          3.75*                      0.2
1 GbE fiber      int0 - ext0    0.6                        4                          0.2
10 GbE fiber     int0 - ext0    0.9                        0.2                        0.2

* If the speed and duplex settings are used instead of the auto-negotiation setting, APS may take longer to exit the bypass mode when a hardware bypass is forced. For example, when the speed was set to 1000 and duplex was set to full, APS took from 4.9 seconds (BPDU filter on) to 6.9 seconds (BPDU filter off) to exit the bypass mode.
APS 2600 and APS 2800 results

Configuration    Interfaces     Hardware bypass, forced    Hardware bypass, manual    Software bypass, forced
1 GbE copper     int2 - ext2    3.2                        4.9                        0.2
1 GbE fiber      int0 - ext0    3.5                        0.2                        0.2
10 GbE fiber     int2 - ext2    0.9                        0.2                        0.2

Propagating the link state of protection interfaces

When you enable link state propagation for protection interfaces (ext and int), if one of the interfaces in a pair is disconnected, APS disconnects the other interface. Also, if one of the interfaces in a pair is reconnected, APS reconnects the other interface. To learn more about link state propagation, see “About link state propagation” on page 141.

To test link state propagation, Arbor disconnected one of the interfaces in a pair of protection interfaces. Arbor then monitored syslog to measure how much time it took for APS to report that the other interface in the pair was disconnected. To measure how much time it took for the second interface to reconnect, Arbor reconnected the interface that it disconnected in the previous test.

In both cases, it took APS an average of 5.5 seconds to propagate the link state from one interface in the pair to the other interface.

Appendix D: Using FCAP Expressions

This section describes the FCAP (Flow Capture) fingerprint expression language that you can use to match layer 3 traffic information. This expression language is an extended version of the standard fingerprint expression language that is used by programs such as tcpdump.
In this section

This section contains the following topics:

Available FCAP Expressions (page 564)
FCAP Expression Reference (page 566)
Logical Operators for Compound FCAP Expressions (page 571)
FCAP Expressions that Indicate Direction (page 573)
Examples of FCAP Expressions (page 574)

Available FCAP Expressions

The FCAP expression language consists of the following components:

- basic expressions — See “Basic FCAP expressions” below.
- action expressions — See “Action expressions that drop or pass traffic” on page 566.
- the operators AND, OR, NOT, and () — See “Logical Operators for Compound FCAP Expressions” on page 571.
- expressions that indicate direction — See “FCAP Expressions that Indicate Direction” on page 573.
- comments — See “Comments in FCAP expressions” on page 566.

Conventions for commands and expressions

The following conventions show the syntax of commands and expressions. Do not type the brackets, braces, or vertical bar in commands or expressions.

Typographic conventions for commands and expressions

Convention              Description
Monospaced bold         Information that you must type exactly as shown.
Monospaced italics      A variable for which you must supply a value.
{ } (braces)            A set of choices for options or variables, one of which is required. For example: {option1 | option2}.
[ ] (square brackets)   A set of choices for options or variables, any of which is optional. For example: [variable1 | variable2].
| (vertical bar)        Separates the mutually exclusive options or variables.

Basic FCAP expressions

These expressions are case insensitive. For example, both src and SRC are valid.

Available FCAP expressions

Expression                                                           Reference
[src | dst] [net | host] addr                                        “Matching networks and hosts” on page 566
[protocol | proto] protocol-name
{protocol | proto} number                                            “Matching protocols” on page 567
{tflags | tcpflags} flags/flag-mask                                  “Matching TCP flags” on page 567
[src | dst] port {port-name | number} [.. {port-name | number}]      “Matching ports” on page 568
bytes number [..number]                                              “Matching IP length” on page 568
icmptype {icmptype | number}
icmpcode code                                                        “Matching ICMP messages” on page 569
tos number                                                           “Matching the Type of Service” on page 570
                                                                     Note: This expression is for IPv4 traffic only.
ttl number                                                           “Matching the Time to Live” on page 570
                                                                     Note: This expression is for IPv4 traffic only.
frag                                                                 “Matching fragments” on page 570
                                                                     Note: This expression is for IPv4 traffic only.

Where you can use FCAP expressions

You can type FCAP expressions in the following areas of the APS UI:

- Filter List settings. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 255.
- Master Filter List settings. See “Configuring Master Filter Lists” on page 253.
- Traffic Shaping settings. See “Traffic Shaping Settings” on page 247.

FCAP Expression Reference

This topic describes how to use the FCAP expressions. For information about specific expressions, see the following sections.

Note: Unless otherwise noted, FCAP expressions are supported for IPv4 traffic and IPv6 traffic.

Comments in FCAP expressions

To add a comment to an FCAP expression, type the number sign (#) at the beginning of the line of text. Any line that begins with # is considered a comment and is not evaluated as part of the FCAP expression.

Numbers in FCAP expressions

In expressions that contain a number, you can type the number in decimal notation or hexadecimal notation. For example, the following expressions are equivalent:

tos 255
tos 0XFF

Action expressions that drop or pass traffic

Use the FCAP action expressions to either drop traffic or pass traffic without further inspection.
To specify which action to perform, precede the FCAP expressions with one of the following expressions:

pass
drop

The action expression is optional. If you do not specify one, APS uses a drop action.

Matching networks and hosts

Use the following expression to match a network or a host:

[src | dst] [net | host] addr

To match a network or host, specify its IP address. You can use CIDR notation (IP/number) to specify a network. For example:

net 198.51.100.0/24
host 192.0.2.1

If you specify an address without a netmask or without the expression net or host, the address is assumed to be a host. If you do not specify a direction, then both the source and the destination are evaluated. See “FCAP Expressions that Indicate Direction” on page 573.

Additional examples of expressions for matching hosts or networks

Item to match                                                          Expression
any source or destination that is part of the network 198.51.100.0/24  Either of the following expressions:
                                                                       198.51.100.0/24
                                                                       src net 198.51.100.0/24 or dst net 198.51.100.0/24
any source that is part of the network 198.51.100.0/24                 src net 198.51.100.0/24

Matching protocols

Use the following expressions to match a protocol:

[protocol | proto] protocol-name
{protocol | proto} number

To match a protocol, specify its name or number. If you specify the protocol by name, you can omit the expression protocol. For example:

protocol tcp
tcp
proto 6

Matching TCP flags

Use the following expression to match a packet’s TCP flags:

{tflags | tcpflags} flags/flag-mask

flags = the flag or flags that must be set for the expression to match
flag-mask = the flag or flags to examine

For example, tflags FSA/FSA matches all of the traffic whose SYN, ACK, and FIN flags are set.
For the flag fields, you can specify any combination of the following TCP flags:

- F — FIN
- S — SYN
- R — RST (reset)
- P — PSH (push)
- A — ACK
- U — URG (urgent)
- E — ECE (ECN-Echo)
- W — CWR (Congestion Window Reduced)

Do not separate multiple flags with any characters, including spaces or commas.

Additional examples of expressions for matching TCP flags

Item to match                                                   Expression
packets that contain the SYN flag                               Either of the following expressions:
                                                                tflags S/S
                                                                proto tcp and (tflags S/S)
all of the TCP SYN traffic that is not SYNACK                   Either of the following expressions:
                                                                proto tcp and (tflags S/SA)
                                                                proto tcp and (tflags S/S) and ! (tflags SA/SA)
all of the traffic for which the A bit is set, but the F bit    tflags A/FA
is not set

Matching ports

Use the following expression to match ports:

[src | dst] port {port-name | number} [.. {port-name | number}]

To match a port, specify its name or number. For example:

port http
port 22

To match a range of port numbers, separate the first number and the last number with two periods. For example:

port 0..1024

If you do not specify the source or the destination, then both the source and the destination are evaluated. See “FCAP Expressions that Indicate Direction” on page 573.

Additional examples of expressions for matching ports

Item to match                                                                                         Expression
IP address 192.0.2.1, port 22                                                                         host 192.0.2.1 port 22
any traffic with a destination IP address of 192.0.2.1 and a destination port of either 22 or 80      dst host 192.0.2.1 and (dst port 22 or dst port http)

Matching IP length

Use the following expression to match a packet’s IP length:

bytes number [..number]

Specify the IP length as a number of bytes. For example:

bytes 100

To match a range of bytes, separate the first number and the last number with two periods. For example:

bytes 100..102
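To make the matching rules above concrete, here is an added example, not APS code, of a small evaluator for the FCAP subset covered so far: host/net addresses, proto, tflags, port (single or range), bytes, the optional pass/drop action, # comment lines, and the and/or/not operators with the left-to-right, equal-precedence rule this appendix describes. Assumptions made for the example: packets are dicts with the keys src, dst, proto, srcport, dstport, flags and length; NOT applies to the single term that follows it, so a group must be parenthesized to negate it; only a handful of protocol and port names are known; the sample packets use documentation addresses and are constructed.

```python
import ipaddress
import re

# Names understood by this toy evaluator (a small subset of what APS accepts); constructed for the example.
PROTO_NUMS = {"icmp": 1, "tcp": 6, "udp": 17}
PORT_NAMES = {"ssh": 22, "domain": 53, "http": 80, "https": 443}
TOKEN_RE = re.compile(r"\(|\)|!|[^\s()!]+")


def tokenize(text):
    """Split an expression into tokens: '#' lines are comments, keywords are case insensitive."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return [tok.lower() for tok in TOKEN_RE.findall(" ".join(lines))]


def join(left, right, op):
    return (lambda p: left(p) or right(p)) if op == "or" else (lambda p: left(p) and right(p))


class FcapParser:
    """Recursive-descent parser that turns tokens into a predicate over a packet dict with the keys
    src, dst, proto, srcport, dstport, flags (TCP flag letters) and length (assumed layout)."""
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("incomplete expression")
        self.pos += 1
        return self.toks[self.pos - 1]
    def parse(self):
        action = self.take() if self.peek() in ("pass", "drop") else "drop"   # drop is the default
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return action, pred
    def expr(self):
        # AND and OR share one precedence level and fold left to right; adjacent terms imply AND.
        left = self.unary()
        while self.peek() not in (None, ")"):
            op = self.take() if self.peek() in ("and", "or") else "and"
            left = join(left, self.unary(), op)
        return left
    def unary(self):
        # NOT applies to the single term that follows it (assumption); parenthesize to negate a group.
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return inner
        return self.primitive()
    def primitive(self):
        dirs = (self.take(),) if self.peek() in ("src", "dst") else ("src", "dst")  # default: either side
        tok = self.take()
        if tok in ("net", "host"):
            tok = self.take()
        if tok == "port":
            lo, hi = self.value_range(lambda t: PORT_NAMES.get(t) or int(t, 0))
            return lambda p: any(lo <= p[d + "port"] <= hi for d in dirs)
        if tok in ("protocol", "proto"):
            tok = self.take()
        if tok in PROTO_NUMS or tok.isdigit():
            num = PROTO_NUMS.get(tok) or int(tok, 0)
            return lambda p: p["proto"] == num
        if tok in ("tflags", "tcpflags"):
            flags, mask = (set(part.upper()) for part in self.take().split("/"))
            return lambda p: p["proto"] == 6 and (set(p["flags"]) & mask) == flags
        if tok == "bytes":
            lo, hi = self.value_range(lambda t: int(t, 0))
            return lambda p: lo <= p["length"] <= hi
        net = ipaddress.ip_network(tok, strict=False)   # a bare address is a host (/32 or /128)
        return lambda p: any(ipaddress.ip_address(p[d]) in net for d in dirs)
    def value_range(self, conv):
        raw = self.take()
        if self.peek() == "..":
            self.take()
            return conv(raw), conv(self.take())
        if ".." in raw:
            first, last = raw.split("..")
            return conv(first), conv(last)
        return conv(raw), conv(raw)


def compile_fcap(text):
    """Return (action, predicate) for an FCAP expression string."""
    return FcapParser(tokenize(text)).parse()


def fcap_action(text, packet):
    """The action the expression applies to `packet` ('drop' or 'pass'), or None if it does not match."""
    action, pred = compile_fcap(text)
    return action if pred(packet) else None


# Constructed sample packets (documentation addresses, not captured traffic).
SYN = dict(src="198.51.100.7", dst="192.0.2.1", proto=6, srcport=40000, dstport=22, flags="S", length=60)
SYNACK = dict(src="192.0.2.1", dst="198.51.100.7", proto=6, srcport=22, dstport=40000, flags="SA", length=60)
WEB80 = dict(src="198.51.100.7", dst="192.0.2.1", proto=6, srcport=40001, dstport=80, flags="PA", length=500)
DNS = dict(src="203.0.113.5", dst="192.0.2.53", proto=17, srcport=5353, dstport=53, flags="", length=512)
```

The evaluator reproduces the pitfall from the operator section of this appendix: against `WEB80`, `tcp port 80 or tcp port 443` does not match, because left-to-right folding turns it into `((tcp and port 80) or tcp) and port 443`, whereas `tcp (port 80 or port 443)` does. Running your filter-list entries through something like this before deploying them is a cheap way to catch that class of mistake.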
Matching ICMP messages

Use the following expressions to match an ICMP message by specifying its type:

icmptype {name | number}
icmpcode code

For example, to match ICMPv4 echo request traffic by type, you can use either of the following expressions:

icmptype icmp-echo
icmptype 8

Note: APS supports both ICMPv4 and ICMPv6 message types. However, for ICMPv6, you can specify message type numbers only. You cannot use message type names for ICMPv6.

The ICMP code is a subtype of a given type. For example, the following expressions match the ICMP control message type “Destination Unreachable” and the subtype “Host Unreachable” (ICMPv4) or “address unreachable” (ICMPv6):

- ICMPv4: icmptype icmp-unreach and icmpcode 1
- ICMPv6: icmptype 1 and icmpcode 3

The table below lists some common ICMPv4 message types.

ICMPv4 message types

ICMP type number   ICMP type name        Description
0                  icmp-echoreply        Echo Reply
3                  icmp-unreach          Destination Unreachable
4                  icmp-sourcequench     Source Quench
5                  icmp-redirect         Redirect
8                  icmp-echo             Echo Request
9                  icmp-routeradvert     Router Advertisement
10                 icmp-routersolicit    Router Selection
11                 icmp-timxceed         Time Exceeded
12                 icmp-paramprob        Parameter Problem
13                 icmp-tstamp           Timestamp
14                 icmp-tstampreply      Timestamp Reply
15                 icmp-ireq             Information Request
16                 icmp-ireqreply        Information Reply
17                 icmp-maskreq          Address Mask Request
18                 icmp-maskreply        Address Mask Reply

For a complete list of the ICMPv4 message types and codes, refer to an IPv4 reference or go to the following URL:
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

For a complete list of the ICMPv6 message types and codes, refer to an IPv6 reference or go to the following URL:
http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

Matching the Type of Service

Note: This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Traffic Class.

Use the following expression to match the Type of Service (TOS):

tos number

Specify the eight-bit TOS field as a number from 0 to 255. For example:

tos 255
tos 0XFF

Matching the Time to Live

Note: This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Hop Limit.

Use the following expression to match the Time to Live (TTL) value:

ttl number

Specify the eight-bit TTL field as a number from 0 to 255. For example:

ttl 6

Matching fragments

This expression is for IPv4 traffic only. The following expression allows you to match IP fragments:

frag

Logical Operators for Compound FCAP Expressions

You can create compound FCAP expressions by using logical operators to join expressions. For information about the basic FCAP expressions, see “Available FCAP Expressions” on page 564.

Operators for joining expressions

To join FCAP expressions, use the following operators:

- parentheses ( ) — establishes precedence for complex expressions
- NOT — negates an expression (negation). For example, not port 33 matches all of the ports except port 33. You can also use an exclamation mark (!) instead of not.
- OR — joins expressions where any can be true (alternation). For example, dst port 22 or dst port 25 or dst port 80 matches all of the traffic that is destined for any one of these three ports.
- AND — joins expressions where both are true (concatenation). For example, dst host 192.0.2.1 and dst port 22 matches all of the traffic that is destined for port 22 on the host 192.0.2.1.

How APS evaluates compound expressions

APS evaluates expressions in the following order:

1. The expressions in parentheses are evaluated first. If you use a combination of adjacent objects with AND and OR operators, use parentheses so that APS knows the explicit order.
2. NOT expressions are evaluated next.
3. The OR and AND expressions have equal precedence and are evaluated from left to right.

For example, the following expressions are equivalent:

not tcp port 3128 and tcp port 23
(not tcp port 3128) and tcp port 23

Omitting the operators and parentheses can produce unexpected results. For example, to block all TCP traffic on port 80 or port 443, you might type the following expression:

tcp port 80 or tcp port 443

However, this expression does not do what you intend, because the order of operations interprets it as follows:

tcp and (port 80 or tcp) and (port 443)

Instead, you should use one of the following expressions:

tcp (port 80 or port 443)
(tcp port 80) or (tcp port 443)

Reference

See the following topics for more information about using FCAP expressions:

- “FCAP Expression Reference” on page 566
- “FCAP Expressions that Indicate Direction” on the facing page
- “Examples of FCAP Expressions” on page 574

FCAP Expressions that Indicate Direction

The direction expressions indicate whether a network, host, or port represents the source or the destination.
In an FCAP expression, the direction refers to the source or destination section of the packets that are evaluated. For information about the basic FCAP expressions, see “Available FCAP Expressions” on page 564 . Indicating direction The following expressions indicate direction: src — source dst — destination For example: src host 192.0.2.1 dst port 33 Default direction If you do not specify a direction, then both the source and the destination are evaluated. For example, the following expressions are equivalent: host 192.0.2.1 (src host 192.0.2.1) or (dst host 192.0.2.1) Reference See the following topics for more information about using FCAP expressions: n “FCAP Expression Reference” on page 566 n “Logical Operators for Compound FCAP Expressions” on page 571 n “Examples of FCAP Expressions” on the next page Proprietary and Confidential Information of Arbor Networks Inc. 573 APS User Guide, Version 6.0 Examples of FCAP Expressions To help further your understanding of FCAP expressions, this topic provides examples of expressions and shows how APS interprets them. In particular, observe how APS interprets expressions when you omit certain components. For example, you can omit the direction and the drop or pass action. You can also omit the logical operators, although doing so can produce unexpected results. Examples The following examples show how APS interprets FCAP expressions and how it makes assumptions about any information that is omitted from the typed expressions. Note APS interprets FCAP expressions that use IPv6 addresses in the same way that it interprets FCAP expressions that use IPv4 addresses. FCAP expressions and how they are interpreted 574 Expression Interpretation host 192.0.2.1 192.0.2.1 drop src host 192.0.2.1 or dst host 192.0.2.1 protocol tcp tcp drop proto 6 tflags saf/saf drop tflags FSA/FSA You do not have to type the flags in any particular order; the system orders them for you. 
Expression:      port 33
Interpretation:  drop src port 33 or dst port 33

Expression:      not port 33
Interpretation:  drop (src port 0..32 or src port 34..65535) and (dst port 0..32 or dst port 34..65535)

Expression:      dst host 192.0.2.1 and port 22
Interpretation:  drop dst host 192.0.2.1 and (src port 22 or dst port 22)

Expression:      src 1.2.3.4 src 1.2.3.9
Interpretation:  drop (src net 0.0.0.0/0)
                 The system assumes that the two addresses are joined by an AND operator. However, because no packet can ever have two sources, the expression is interpreted as “drop everything.”

Expression:      src 1.2.3.4 or src 1.2.3.9
Interpretation:  drop src host 1.2.3.4 or src host 1.2.3.9

Expression:      src 1.2.3.4 dst 5.6.7.8
Interpretation:  drop src host 1.2.3.4 and dst host 5.6.7.8

Reference
See the following topics for more information about using FCAP expressions:
- “Available FCAP Expressions” on page 564
- “FCAP Expression Reference” on page 566
- “Logical Operators for Compound FCAP Expressions” on page 571
- “FCAP Expressions that Indicate Direction” on page 573

Appendix E: Using Regular Expressions

A regular expression is a text string that describes a search pattern. APS can use regular expressions to match traffic.

In this section
This section contains the following topics:
  About Regular Expressions  578

About Regular Expressions

You can write regular expressions to match specific types of traffic. APS uses a POSIX regular expression syntax.

Syntax examples of regular expressions

The following examples show how you can use regular expressions in APS:

Examples of standard regular expressions

Example:      ^backbone
Description:  Matches an interface name that starts with the word backbone.
Example:      ^(peer|transit)-link[0-9]+
Description:  Matches an interface name that starts with either peer or transit, is followed by -link, and ends with one or more digits 0 through 9.

Example:      ([bB]oston|[cC]hicago)
Description:  Matches either Boston or Chicago, and ignores the case of the first character in the city name.

Example:      cust.*boundary
Description:  Matches a string that contains the word cust separated from the word boundary by zero or more characters.

References

For more information about regular expressions, you can access the following resources:
- Cisco Systems, Inc. — Cisco provides a valuable explanation of regular expressions. Go to the following web site and search for “regular expression reference”: http://www.cisco.com
- OpenBSD — Arbor uses a specific version of regular expressions, which is documented on the OpenBSD web site: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/re_format.7?query=re_format&sec=7 If this specific link is broken, go to http://www.openbsd.org/ and search for the re_format man page in OpenBSD 3.6.
- Wikipedia — This site provides background information about regular expressions and syntax examples: http://en.wikipedia.org/wiki/Regular_expression

Appendix F: Notification Formats

This section describes the formats of the notifications from APS and provides examples of each format.

In this section
This section contains the following topics:
  Email Notification Formats and Examples  580
  SNMP Notification Examples  584
  Syslog Notification Format and Examples  587

Email Notification Formats and Examples

APS can send notification messages to communicate certain events and alerts. You can configure APS to send notifications as email messages. An email notification message can contain one or more notifications. See “About Notifications” on page 128 and “Configuring Notifications” on page 131.
Format of email notifications

The following tables show the formats of the subject line and body text in email notifications:

Subject line formats

  Single notification:
    alert_type: alert_message
  Multiple notifications:
    number Notifications
  Single change log notification: the subject varies as follows:
    - Change Log: subsystem
    - Change Log: subsystem: setting type — when the change is associated with a protection group or server type
    - Change Log: subsystem: message — when the message is short enough that the entire subject length is no more than 80 characters

Body text formats

  Bandwidth, Cloud Signaling, Deployment Mode, Infrastructure, Protection Level:
    Type: alert_type
    URL: host URL
    Message: alert message
    alert_type = Bandwidth | Cloud Signaling | Deployment Mode | Infrastructure | Protection Level

  Blocked Host:
    Message: alert message
    Because of the volume of notifications that are generated for blocked hosts, the alert type and the URL are omitted from the email notifications. Only the alert message appears.

  Change Log:
    Type: Change Log
    Username: user
    Subsystem: subsystem that made the change
    Setting Type: protection group or server type that is affected, if any
    Message: alert message
    URL: host URL
    If the change is not associated with a protection group or server type, the Setting Type line does not appear. Similar information also appears on the Change Log page.

Example: single email notification

The following example shows an email notification that contains a single alert:

Subject
  Infrastructure: Interface Link 'int2' is down. You may want to use monitor mode.
Body
  Type: Infrastructure
  URL: https://my_host/summary/
  Message: Interface Link 'int2' is down. You may want to use monitor mode.
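As an added example (not Arbor code), the following Python normalizes APS notification text into one record shape, the kind of step a SIEM ingestion pipeline needs before it can alert on, say, Deployment Mode changes or repeated Cloud Signaling timeouts. It covers the three email body layouts tabulated above, with a line of dashes between notifications as in the multi-notification examples that follow, and the syslog line layout "date host_name aps: alert_type: alert_message,URL: host_URL" with its Change Log variant as documented later in this appendix. The sample body and lines are constructed to follow those formats (RFC 5737 addresses, the guide's my_host placeholder); inferring the type Blocked Host for an email body that has no Type line is a heuristic of the example, not documented behaviour.

```python
"""Normalise APS notification text into one record layout for a SIEM pipeline.
Added example, not Arbor code.  Covers the email body layouts tabulated in this
topic (Type/URL/Message; Message only for blocked hosts; Change Log with
Username, Subsystem and Setting Type), a line of dashes between notifications
in a multi-notification body, and syslog lines in the documented form
"date host_name aps: alert_type: alert_message,URL: host_URL" plus the Change
Log variant.  Sample input is constructed; inferring the type "Blocked Host"
for a body with no Type line is a heuristic of this example."""
import re

FIELDS = ("type", "message", "url", "username", "subsystem", "setting_type")

_EMAIL_FIELD_RE = re.compile(
    r"^(Type|URL|Message|Username|Subsystem|Setting Type):\s*(.*)$")
_SEPARATOR_RE = re.compile(r"^-{5,}$")
_URL_SUFFIX_RE = re.compile(r",\s*URL:\s*(\S+)\s*$")
_SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) aps: "
    r"(?P<type>[A-Za-z ]+): (?P<rest>.*)$")
_CHANGELOG_RE = re.compile(
    r"^Username: (?P<username>.*?), Subsystem: (?P<subsystem>.*?)"
    r"(?:, Setting Type: (?P<setting_type>.*?))?, Message: (?P<message>.*)$")


def _record(**values):
    rec = dict.fromkeys(FIELDS)
    rec.update(values)
    return rec


def _split_url(text):
    """Split a trailing ',URL: ...' off a message; returns (message, url)."""
    m = _URL_SUFFIX_RE.search(text)
    if not m:
        return text.strip(), None
    return text[:m.start()].strip(), m.group(1)


def _finish_email(fields):
    message, url = _split_url(fields.get("Message", ""))
    alert_type = fields.get("Type")
    if alert_type is None and message.startswith("Blocked host"):
        alert_type = "Blocked Host"          # heuristic: Type line is omitted
    return _record(type=alert_type, message=message,
                   url=fields.get("URL", url), username=fields.get("Username"),
                   subsystem=fields.get("Subsystem"),
                   setting_type=fields.get("Setting Type"))


def parse_email_body(body):
    """Return one record per notification in an email body."""
    records, fields, last_key = [], {}, None
    for line in body.strip().splitlines():
        line = line.strip()
        if _SEPARATOR_RE.match(line):
            if fields:
                records.append(_finish_email(fields))
            fields, last_key = {}, None
            continue
        m = _EMAIL_FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2)
        elif line and last_key:
            fields[last_key] += " " + line   # wrapped continuation line
    if fields:
        records.append(_finish_email(fields))
    return records


def parse_syslog_line(line):
    """Parse one syslog notification; None if the line is not one."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    message, url = _split_url(m.group("rest"))
    rec = _record(type=m.group("type"), message=message, url=url)
    rec["date"], rec["host"] = m.group("date"), m.group("host")
    if rec["type"] == "Change Log":
        cl = _CHANGELOG_RE.match(message)
        if cl:
            rec.update(cl.groupdict())
    return rec


# Constructed sample input following the documented layouts (not real alerts).
SAMPLE_EMAIL_BODY = """\
Type: Infrastructure
URL: https://my_host/summary/
Message: Interface Link 'int2' is down. You may want to use monitor mode.
------------------------
Message: Blocked host 203.0.113.5 at 20:07 by Invalid Packets using TCP/0 (Unknown) destination 192.0.2.10,URL: https://my_host/summary/
------------------------
Type: Change Log
Username: admin
Subsystem: Protection Group
Setting Type: New PG
Message: Changed Protection Level to Medium for protection group: New PG
URL: https://my_host/administration/changelog/
"""
SAMPLE_SYSLOG = [
    "Dec 20 13:42:21 my_host aps: Protection Level: Changed Protection Level from 1 to 2,URL: https://my_host/summary/",
    "Apr 22 20:08:09 my_host aps: Blocked Host: Blocked host 203.0.113.5 at 20:07 by Invalid Packets using TCP/0 (Unknown) destination 192.0.2.10",
    "Apr  8 15:51:04 my_host aps: Change Log: Username: admin, Subsystem: Protection Group, Setting Type: New PG, Message: Changed Protection Level to Low for protection group: New PG,URL: https://my_host/administration/changelog/",
]
```

The URL is split off the message with one helper in both paths because the blocked host email layout carries it as a ",URL:" suffix on the Message line rather than on its own URL line, and some blocked host syslog lines carry no URL at all, so the url field is None for those rather than a truncated message.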
Example: multiple email notifications

The following example shows an email notification that contains multiple alerts:

Subject
  4 Notifications
Body
  Type: Infrastructure
  URL: https://my_host/summary/
  Message: Interface Link 'ext2' is down.
  ------------------------
  Type: Infrastructure
  URL: https://my_host/summary/
  Message: Interface Link 'int2' is down. You may want to use monitor mode.
  ------------------------
  Type: Bandwidth
  URL: https://my_host/summary/
  Message: Total traffic for this system is approaching the license limit. Current traffic level is 2.79 Gbps.
  ------------------------
  Type: Bandwidth
  URL: https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T10%3A30Z&timezone=Default&mode_state=between&unit_select=bps&id=32&time_end=2012-08-21T10%3A45Z
  Message: Traffic for protection group 'test alerting' exceeds configured limit. Current traffic level is 234.62 Mbps.

Example: email notifications for blocked host alerts

The following example shows an email notification that contains blocked host alerts:

Subject
  4 Notifications
Body
  Message: Blocked host 81.205.65.83 at 20:07 by Blocked Countries using UDP/34959 (Unknown) destination 164.76.199.14 source port 62934,URL: https://my_host/summary/
  ------------------------
  Message: Blocked host 117.18.231.56 at 20:07 by Malformed HTTP Filtering using TCP/80 (HTTP) destination 141.211.244.25 source port 19062,URL: https://my_host/summary/
  ------------------------
  Message: Blocked host 5.178.86.77 at 20:07 by Botnet Prevention using TCP/80 (HTTP) destination 141.211.184.99 source port 15313,URL: https://my_host/summary/
  ------------------------
  Message: Blocked host 91.102.202.42 at 20:07 by Invalid Packets using TCP/0 (Unknown) destination 141.212.121.128,URL: https://my_host/summary/
  -------------------------

Example: email notifications for change log alerts

The following example shows an email
notification that contains change log alerts:

Subject
  3 Notifications
Body
  Type: Change Log
  Username: system
  Subsystem: Cloud Signaling
  Message: Cloud Signaling terminated.
  URL: https://my_host/administration/changelog/
  ------------------------
  Type: Change Log
  Username: admin
  Subsystem: Deployment
  Message: Updated inline deployment mode to Inactive
  URL: https://my_host/administration/changelog/
  ------------------------
  Type: Change Log
  Username: admin
  Subsystem: Protection Group
  Setting Type: New PG
  Message: Changed Protection Level to Medium for protection group: New PG
  URL: https://my_host/administration/changelog/

SNMP Notification Examples

APS can send notification messages to communicate certain events and alerts. You can configure APS to send notifications to a network management system as SNMP traps. See “About Notifications” on page 128 and “Configuring Notifications” on page 131.

The Arbor SMI MIB and the Pravail MIB define the SNMP notification format. The Manage Files page allows you to download these MIB files. See “Downloading files from APS” on page 452.

Important: The source IP address for SNMP traps that APS sends is the IP address of the mgt0 interface. The IP address of the mgt1 interface cannot be used as the source IP address for SNMP traps.
Example: SNMP notifications

The following example shows several SNMP notifications:

2012-01-16 15:41:27 my_host [10.10.10.100]:
  sysUpTime.0 = Timeticks: (1496898) 4:09:28.98
  snmpTrapOID.0 = OID: pravailProtectionLevelChange
  sysName.0 = my_host
  pravailTrapString = Protection Level Change
  pravailTrapDetail = Changed Protection Level from 1 to 2
  pravailPreviousProtectionLevel = 1
  pravailProtectionLevel = 2

2012-01-16 15:41:38 my_host [10.10.10.100]:
  sysUpTime.0 = Timeticks: (1498025) 4:09:40.25
  snmpTrapOID.0 = OID: pravailProtectionLevelChange
  sysName.0 = my_host
  pravailTrapString = Protection Level Change
  pravailTrapDetail = Changed Protection Level from 2 to 3
  pravailPreviousProtectionLevel = 2
  pravailProtectionLevel = 3

2012-01-16 15:42:15 my_host [10.8.10.193]:
  sysUpTime.0 = Timeticks: (1501691) 4:10:16.91
  snmpTrapOID.0 = OID: linkDown
  ifIndex = 11
  ifAdminStatus.11 = up(1)
  ifOperStatus.11 = down(2)

2012-01-16 15:48:13 my_host [10.10.10.100]:
  sysUpTime.0 = Timeticks: (1537491) 4:16:14.91
  snmpTrapOID.0 = OID: pravailCloudSignalTimeout
  sysName.0 = my_host
  pravailTrapString = Cloud signaling timeout
  pravailTrapDetail = Cloud Signaling heartbeats are not being received. Please contact your Cloud Signaling provider.
  pravailTrapComponentName = client

Example: SNMP notification for bandwidth alerts

The following example shows the notification that APS sends when traffic exceeds the system’s licensed throughput limit:

2012-08-20 15:23:30 my_host [10.8.10.193]:
  system.sysUpTime.0 = Timeticks: (1539) 0:00:15.39
  .iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.9694.1.6.3.0.54
  system.sysName.0 = my_host
  enterprises.9694.1.6.2.9 = "License Limit"
  enterprises.9694.1.6.2.10 = "Total traffic for this system is approaching the license limit. Current traffic level is 2.91 Gbps."
  enterprises.9694.1.6.2.31 = https://my_host/summary/

The following example shows the notifications that APS sends when a protection group’s traffic exceeds a configured threshold:

2012-08-21 10:36:34 my_host [10.8.10.193]:
  system.sysUpTime.0 = Timeticks: (6919987) 19:13:19.87
  .iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.9694.1.6.3.0.52
  system.sysName.0 = my_host
  enterprises.9694.1.6.2.9 = "Total Traffic over configured limit"
  enterprises.9694.1.6.2.10 = "Traffic for protection group 'test alerting' exceeds configured limit. Current traffic level is 234.62 Mbps."
  enterprises.9694.1.6.2.29 = Counter64: 234621045
  enterprises.9694.1.6.2.30 = 1
  enterprises.9694.1.6.5.2.3.1.5 = "test alerting"
  enterprises.9694.1.6.2.31 = "https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T10%3A30Z&timezone=Default&mode_state=between&unit_select=bps&id=32&time_end=2012-08-21T10%3A45Z"

2012-08-21 16:27:34 my_host [10.8.10.193]:
  system.sysUpTime.0 = Timeticks: (385899) 1:04:18.99
  .iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.9694.1.6.3.0.55
  system.sysName.0 = my_host
  enterprises.9694.1.6.2.9 = "Blocked Traffic over configured limit"
  enterprises.9694.1.6.2.10 = "Blocked traffic for protection group 'Default Protection Group' exceeds configured limit. Current blocked traffic level is 2.57 Gbps."
  enterprises.9694.1.6.2.29 = Counter64: 2570073505
  enterprises.9694.1.6.2.30 = 1
  enterprises.9694.1.6.5.2.3.1.5 = "Default Protection Group"
  enterprises.9694.1.6.2.31 = "https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T16%3A20Z&timezone=Default&mode_state=between&unit_select=bps&id=13&time_end=2012-08-21T16%3A35Z"

2012-08-21 16:50:32 my_host [10.8.22.36]:
  sysUpTime.0 = Timeticks: (1474339) 4:05:43.39
  snmpTrapOID.0 = OID: pravailTrapsEnumerate.53
  sysName.0 = my_host
  pravailTrapString = Botnet Attack over baseline
  pravailTrapDetail = Botnet traffic which was not blocked for protection group 'Default Protection Group' exceeds the baseline. Current traffic level is 641.03 kbps. Suggested protection level: High.
  pravailMgr.29 = Counter64: 641029
  pravailMgr.30 = 1
  pravailProtectionGroupName = Default Protection Group
  pravailMgr.31 = "https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T20%3A45Z&timezone=Default&mode_state=between&unit_select=bps&id=9&time_end=2012-08-21T21%3A00Z"

Example: SNMP notifications for blocked host alerts

The following example shows the format of SNMP blocked host notifications:

2014-04-22 16:07:16 my_host [UDP: [10.8.10.190]:27205->[10.8.2.190]:162]:
  iso.3.6.1.2.1.1.3.0 = Timeticks: (349459) 0:58:14.59
  iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9694.1.6.3.0.50
  iso.3.6.1.2.1.1.5.0 = STRING: "my_host"
  iso.3.6.1.4.1.9694.1.6.2.9 =
  STRING: "Host 195.81.160.151 was blocked"
  iso.3.6.1.4.1.9694.1.6.2.10 = STRING: "Blocked host 195.81.160.151 at 20:09 by Blocked Countries using TCP/45190 (Unknown) destination 141.212.121.193 source port 443"
  iso.3.6.1.4.1.9694.1.6.2.25 = IpAddress: 195.81.160.151
  iso.3.6.1.4.1.9694.1.6.2.27 = INTEGER: 6
  iso.3.6.1.4.1.9694.1.6.2.26 = IpAddress: 141.212.121.193
  iso.3.6.1.4.1.9694.1.6.2.35 = INTEGER: 443
  iso.3.6.1.4.1.9694.1.6.2.28 = INTEGER: 45190
  iso.3.6.1.4.1.9694.1.6.2.12 = STRING: "Blocked Countries"

Example: SNMP notifications for change log alerts

The following example shows several change log notifications:

2014-04-08 11:14:04 my_host [UDP: [10.8.10.190]:10457->[10.8.2.190]:162]:
  DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8601104) 23:53:31.04
  SNMPv2-MIB::snmpTrapOID.0 = OID: PRAVAIL-MIB::pravailDeploymentModeChange
  SNMPv2-MIB::sysName.0 = STRING: drill
  PRAVAIL-MIB::pravailTrapString = STRING: Deployment Mode Change
  PRAVAIL-MIB::pravailTrapDetail = STRING: Changed deployment mode to inactive
  PRAVAIL-MIB::pravailDeploymentMode = INTEGER: inactive(0)

2014-04-08 11:20:30 my_host [UDP: [10.8.10.190]:27716->[10.8.2.190]:162]:
  DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8639781) 23:59:57.81
  SNMPv2-MIB::snmpTrapOID.0 = OID: PRAVAIL-MIB::pravailTrapsEnumerate.61
  SNMPv2-MIB::sysName.0 = STRING: drill
  PRAVAIL-MIB::pravailTrapString = STRING: Change Log
  PRAVAIL-MIB::pravailTrapDetail = STRING: Updated Cloud Signaling Settings: Automatic Cloud Server Threshold: disabled, Proxy Server: disabled, Arbor Cloud: disabled
  PRAVAIL-MIB::pravailMgr.32 = STRING: "admin"
  PRAVAIL-MIB::pravailMgr.33 = STRING: "Cloud Signaling"
  PRAVAIL-MIB::pravailMgr.34 = ""

2014-04-08 11:20:51 my_host [UDP: [10.8.10.190]:27716->[10.8.2.190]:162]:
  DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8641790) 1 day, 0:00:17.90
  SNMPv2-MIB::snmpTrapOID.0 = OID: PRAVAIL-MIB::pravailTrapsEnumerate.61
  SNMPv2-MIB::sysName.0 = STRING: drill
  PRAVAIL-MIB::pravailTrapString = STRING: Change Log
  PRAVAIL-MIB::pravailTrapDetail = STRING: Cloud Signaling terminated.
  PRAVAIL-MIB::pravailMgr.32 = STRING: "system"
  PRAVAIL-MIB::pravailMgr.33 = STRING: "Cloud Signaling"
  PRAVAIL-MIB::pravailMgr.34 = ""

Syslog Notification Format and Examples

APS can send notification messages to communicate certain events and alerts. You can configure APS to send notifications to a security event management system as syslog messages. See “About Notifications” on page 128 and “Configuring Notifications” on page 131.

Format for syslog notifications

Syslog notifications are formatted as follows:
  date host_name aps: alert_type: alert_message, URL:host_URL

  date = mmm dd HH:MM:SS
  alert_type = Bandwidth | Blocked Host | Change Log | Cloud Signaling | Deployment Mode | Infrastructure | Protection Level

The syslog notifications for the change log alerts contain additional information and are formatted as follows:
  date host_name aps: Change Log: Username: user, Subsystem: subsystem_name, Setting Type: {protection group | server type}, Message: alert_message, URL: host_URL

  user = the user who made the change
  subsystem_name = the subsystem that made the change
  protection group | server type = the protection group or server type that is affected, if any

Example: syslog notifications

The following example shows the format of syslog notifications:

Dec 20 13:42:21 my_host aps: Protection Level: Changed Protection Level from 1 to 2,URL: https://my_host/summary/
Dec 20 13:43:26 my_host aps: Infrastructure: Interface Link 'int2' is down. You may want to use monitor mode.,URL: https://my_host/summary/
Dec 20 13:49:02 my_host aps: Cloud Signaling: Cloud Signaling heartbeats are not being received.
Please contact your Cloud Signaling provider.,URL: https://my_host/summary/
Dec 20 13:50:14 my_host aps: Cloud Signaling: The current traffic levels are above the specified threshold, and a mitigation has been requested from the Cloud Signaling server.,URL: https://my_host/summary/
Dec 20 13:55:07 my_host aps: Cloud Signaling: Cloud Signaling heartbeats are not being received. Please contact your Cloud Signaling provider.,URL: https://my_host/summary/
Dec 20 14:27:03 my_host aps: Protection Level: Changed Protection Level from 2 to 1,URL: https://my_host/summary/

Example: syslog notifications for bandwidth alerts

The following example shows the notification that APS sends when traffic exceeds the system’s licensed throughput limit:

Aug 13 09:59:30 my_host aps: Bandwidth: Total traffic for this system is approaching the license limit. Current traffic level is 2.70 Gbps.,URL: https://my_host/summary/

The following example shows the notifications that APS sends when a protection group’s traffic exceeds a configured threshold:

Aug 21 10:36:35 my_host aps: Bandwidth: Traffic for protection group 'test alerting' exceeds configured limit. Current traffic level is 341.07 kpps.,URL: https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T10%3A30Z&timezone=Default&mode_state=between&unit_select=pps&id=32&time_end=2012-08-21T10%3A45Z
Aug 21 16:38:19 my_host aps: Bandwidth: Blocked traffic for protection group 'Default Protection Group' exceeds baseline. Current blocked traffic level is 2.17 Gbps.,URL: https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T20%3A30Z&timezone=Default&mode_state=between&unit_select=bps&id=9&time_end=2012-08-21T20%3A45Z
Aug 21 17:09:19 my_host aps: Bandwidth: Botnet traffic which was not blocked for protection group 'test alerting' exceeds the configured limit.
Current traffic level is 158.38 kbps. Suggested protection level: High.,URL: https://my_host/groups/view/?time_interval=between&time_start=2012-08-21T21%3A00Z&timezone=Default&mode_state=between&unit_select=bps&id=28&time_end=2012-08-21T21%3A15Z

Example: syslog notifications for blocked host alerts

The following example shows the format of syslog blocked host notifications:

Apr 22 20:08:09 my_host aps: Blocked Host: Blocked host 81.205.65.83 at 20:07 by Blocked Countries using UDP/34959 (Unknown) destination 164.76.199.14 source port 62934,URL: https://my_host/summary/
Apr 22 20:08:09 my_host aps: Blocked Host: Blocked host 117.18.231.56 at 20:07 by Malformed HTTP Filtering using TCP/80 (HTTP) destination 141.211.244.25 source port 19062
Apr 22 20:08:09 my_host aps: Blocked Host: Blocked host 5.178.86.77 at 20:07 by Botnet Prevention using TCP/80 (HTTP) destination 141.211.184.99 source port 15313
Apr 22 20:08:09 my_host aps: Blocked Host: Blocked host 91.102.202.42 at 20:07 by Invalid Packets using TCP/0 (Unknown) destination 141.212.121.128

Example: syslog notifications for change log alerts

The following example shows several change log notifications:

Apr 8 15:16:11 my_host aps: Change Log: Username: admin, Subsystem: Deployment, Message: Updated inline deployment mode to Inactive,URL: https://my_host/administration/changelog/
Apr 8 15:16:11 my_host aps: Deployment Mode: Changed deployment mode to inactive,URL: https://my_host/summary/
Apr 8 15:22:38 my_host aps: Change Log: Username: admin, Subsystem: Cloud Signaling, Message: Updated Cloud Signaling Settings: Automatic Cloud Server Threshold: disabled, Proxy Server: disabled, Arbor Cloud: disabled,URL: https://my_host/administration/changelog/
Apr 8 15:51:04 my_host aps: Change Log: Username: admin, Subsystem: Protection Group, Setting Type: New PG, Message: Created protection group: Changed Protection Level to Low for protection group: New PG Added prefix: 10.0.0.0/24,URL: https://my_host/administration/changelog/

Glossary

A

AAA (Authentication, Authorization, & Accounting) — An acronym that describes the process of authorizing access to a system, authenticating the identity of users, and logging their behaviors.
ACL (Access Control List) — A list composed of rules and filters stored in a router to allow, deny, or otherwise regulate network traffic based on network parameters such as IP addresses, protocol types, and port numbers.
active mode — A state within the inline deployment modes, in which APS mitigates attacks in addition to monitoring traffic and detecting attacks.
address — A coded representation that uniquely identifies a particular network identity.
AIF (ATLAS Intelligence Feed) — A service that downloads real-time threat information from Arbor's Active Threat Level Analysis System (ATLAS). This information is used to detect and block emerging botnet attacks and application-layer attacks.
alert — A message informing the user that certain events, conditions, or errors in the system have occurred.
anomaly — An event or condition in the network that is identified as an abnormality when compared to a predefined illegal traffic pattern.
API (Application Programming Interface) — A well-defined set of function calls providing high-level controls for underlying services.
APS — A protection system that focuses on securing the internet data center edge from threats against availability by analyzing and blocking malicious traffic.
APS Console — A single user interface that allows for the central management of multiple APS devices, to more effectively monitor and respond to attacks across your network.
Arbor Cloud DDoS Protection — A cloud-based DDoS mitigation service that scrubs the high-bandwidth, volumetric attacks that are too large to mitigate at the data center’s premises.
Arbor Smart bar — An area of the product's user interface that contains icons for performing certain actions.
ArbOS — Arbor’s proprietary, embedded operating system.
ARP (Address Resolution Protocol) — A protocol for mapping an IP address to a physical machine address.
ASCII (American Standard Code for Information Interchange) — A coded representation for standard alphabetic, numeric, and punctuation characters, also referred to as “plain text”.
ATLAS (Active Threat Level Analysis System) — A globally scoped threat analysis network that analyzes data from darknets and the core backbone of the internet to provide information to participating customers about malware, exploits, phishing, and botnets.
authentication — An identity verification process.

B

black hole routing — A technique to route traffic to null interfaces that can never forward the traffic.
blacklist — A list of hosts whose traffic is blocked without further inspection. To add a host to the blacklist.
block — To prevent traffic from passing to the network, or to prevent a host from sending traffic.
In APS, blocking occurs for a specific length of time, after which the traffic is allowed to pass again.
bot — A program that runs automated tasks over the internet.
botnet — A set of compromised computers (bots) that respond to a controlling server to generate attack traffic against a victim server.
bps — Bits per second.
Bps — Bytes per second.

C

CA (Certificate Authority) — A third party that issues digital certificates for use by other parties. CAs are characteristic of many public key infrastructure (PKI) schemes.
CAR (Committed Access Rate) — A tool for managing bandwidth that provides the same control as an ACL, with the additional property that traffic can be regulated based on bandwidth usage rates in bits per second.
CDN (Content Delivery Network) — A collection of web servers that contain duplicated content and are distributed across multiple locations to deliver content to users based on proximity.
cflowd — A tool developed to collect and analyze the information available from NetFlow. It allows the user to store the information and enables several views of the data. It produces port matrices, AS matrices, network matrices, and pure flow structures.
CIDR (Classless Inter-Domain Routing) — A method for classifying and grouping internet addresses.
CLI (command line interface) — A user interface that uses a command line, such as a terminal or console (as opposed to a graphical user interface).
client — The component of client/server computing that uses a service offered by a server.
cloud — A metaphor for the internet.
Cloud Signaling — The process of requesting and receiving cloud-based mitigation of volumetric attacks in real time from an upstream service provider.
Cloud Signaling widget — A graphical element in the UI that allows the user to monitor the status of the Cloud Signaling connection and mitigations in real time.
It also allows the user to enable, activate, and deactivate Cloud Signaling.
CSV (comma-separated values) file — A file that stores spreadsheet or database information in plain text, with one record on each line, and each field within the record separated by a comma.
customer — An ISP, ASP, or enterprise user of APS.
customer edge — The location at the customer premises of the router that connects to the provider edge of one or more service provider networks.
customer edge router — A router within a customer's network that is connected to an ISP's customer peering edge.

D

Dark IP — Regions of the IP address space that are reserved or known to be unused.
data center — A centralized facility that houses computer systems and associated components, such as telecommunications and storage systems, and is used for processing or transmitting data.
DDoS (Distributed Denial of Service) — An interruption of network availability typically caused by many, distributed malicious sources.
deployment mode — Indicates how APS is installed in the network: inline bridged, inline routed (layer 3 traffic; vAPS only), or out-of-line through a span port or network tap (monitor).
DNS (Domain Name System) — A system that translates numeric IP addresses into meaningful, human-consumable names and vice versa.
DNS server — A server that uses the Domain Name System (DNS) to translate or resolve human-readable domain names and hostnames into machine-readable IP addresses.
DoS (Denial of Service) — An interruption of network availability typically caused by malicious sources.

E

edge — The outer perimeter of a network.
encryption — The process by which plain text is scrambled in such a way as to hide its content.
Ethernet — A series of technologies used for communication on local area networks.
exploit — Tools intended to take advantage of security holes or inherent flaws in the design of network applications, devices, or infrastructures.
F

fail closed — The hardware bypass mode in which APS disconnects the protection interfaces and does not allow traffic to pass after a system failure occurs. The hardware bypass mode is set from the CLI.
fail open — The hardware bypass mode in which APS allows unmonitored network traffic to bypass the protection interfaces after a system failure occurs. The hardware bypass mode is set from the CLI.
failover — A configuration of two devices so that if one device fails, the second device takes over the duties of the first, ensuring continued service.
FCAP — A fingerprint expression language that describes and matches traffic information.
Fibre Channel — Gigabit-speed network technology primarily used for storage networking.
fidelity period — The maximum amount of time for which APS saves data in the connection database.
fingerprint — A pattern or profile of traffic that suggests or represents an attack. Also known as a signature.
firewall — A security measure that monitors and controls the types of packets allowed in and out of a network, based on a set of configured rules and filters.
FQDN (Fully Qualified Domain Name) — A complete domain name, including both the registered domain name and any preceding node information.
FTP (File Transfer Protocol) — A TCP/IP protocol for transferring files across a network.

G

Gb — Gigabit.
GB — Gigabyte.
Gbps — Gigabits per second.
global protection level — Determines which protection settings are in use for an APS.
GMT (Greenwich Mean Time) — A world time standard that is deprecated and replaced by UTC.
GRE (Generic Routing Encapsulation) — A protocol that is used to transport packets from one network through another network.
GRE tunnel — A logical interface whose endpoints are the tunnel source address and tunnel destination address.

H

handshake — The process or action that establishes communication between two telecommunications devices.
header — The data that appears at the beginning of a packet to provide information about the file or the transmission.
heartbeat — A periodic signal generated by hardware or software to indicate that it is still running.
host — A networked computer (client or server); in contrast to a router or switch.
HTTP (HyperText Transfer Protocol) — A protocol used to transfer or convey information on the World Wide Web. Its original purpose was to provide a way to publish and retrieve HTML pages.
HTTPS (HyperText Transfer Protocol over SSL) — The combination of a normal HTTP interaction over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport mechanism.

I

ICMP (Internet Control Message Protocol) — An IP protocol that delivers error and control messages between TCP/IP enabled network devices, for example, ping packets.
IMAP (Internet Message Access Protocol) — An application layer internet protocol that allows a local client to access email on a remote server. (Also known as Internet Mail Access Protocol, Interactive Mail Access Protocol, and Interim Mail Access Protocol.)
inactive mode — A state within an inline deployment mode, in which APS analyzes traffic and detects attacks without performing mitigations.
inline mode — A deployment mode in which APS acts as a physical connection between two end points. All of the traffic that traverses the network flows through APS.
interface — An interconnection between routers, switches, or hosts.
IP (Internet Protocol) — A connectionless network layer protocol used for packet delivery between hosts and devices on a TCP/IP network.
IP address — A unique identifier for a host or device on a TCP/IP network.
IPS (Intrusion Prevention System) — A computer security device that exercises access control to protect computers from exploitation.
ISP (Internet Service Provider) — A business or organization that provides to consumers access to the internet and related services. L LAN (Local Area Network) — A typically small network that is confined to a small geographic space. K Kbps — Kilobits per second. M MAC (Media Access Control) Address — A unique hardware number associated with a networking device. malformed — Refers to requests or packets that do not conform to the RFC standards for internet protocol. Such requests or packets are often used in DoS attacks. Mbps — Megabits per second. MBps — Megabytes per second. Proprietary and Confidential Information of Arbor Networks Inc. 595 APS User Guide, Version 6.0 MIB (Management Information Base) — A database used by the SNMP protocol to manage devices in a network. Your SNMP polling device uses this to understand APS SNMP traps. mitigation — The process of using recommendations to apply policies to the network to reduce the effects of an attack. monitor mode — A deployment mode in which APS is deployed out-of-line through a span port or network tap. APS monitors traffic and detects attacks but does not mitigate the attacks. MPLS (Multiprotocol Label Switching) — A packet-switching protocol developed by the Internet Engineering Task Force (IETF) initially to improve switching speeds, but other benefits are now seen as being more important. MSSP (Managed Security Service Provider) — An internet service provider (ISP) that provides an organization with network security management, multicast — Protocols that address multiple IP addresses with a single packet (as opposed to unicast and broadcast protocols). N NetFlow — A technology that Cisco Systems, Inc. developed to allow routers and other network devices to periodically export information about current network conditions and traffic volumes. netmask — A dotted quad notation number that routers use to determine which part of the address is the network address and which part is the host address. 
network tap — A hardware device that sends a copy of network traffic to another attached device for passive monitoring. NIC (Network Interface Card) — A hardware component that maintains a network interface connection. notification — An email message, SNMP trap, or syslog message that is sent to specified destinations to communicate certain alerts. NTP (Network Time Protocol) — A protocol that synchronizes clock times in a network of computers. NXDomain — A response that results when DNS cannot resolve a domain name. O outbound threat filter — A group of protection settings that block malicious outbound traffic. out-of-band — Communication signals that occur outside of the channels that are normally used for data. P packet — A unit of data transmitted across the network that includes control information along with actual content. password — A secret code used to gain access to a computer system. payload — The data in a packet that follows the TCP and UDP header data. 596 Proprietary and Confidential Information of Arbor Networks Inc. Glossary PCAP (packet capture) file — A file that consists of data packets that have been sent over a network. ping — An ICMP request to determine if a host is responsive. policy — The set of rules that network operators determine to be acceptable or unacceptable for their network. POP (Post Office Protocol) — A TCP/IP email protocol for retrieving messages from a remote server. PoP (Point of Presence) — A physical connection between telecommunications networks. port — A field in TCP and UDP packet headers that corresponds to an application level service (for example TCP port 80 corresponds to HTTP). pps — Packets per second. prefix — The initial part of a network address, which is used in address delegation and routing. protection category — A group of related protection settings that detect a specific type of attack traffic. 
protection group — A collection of one or more protected hosts that are associated with a specific type of server. protection level — Defines the strength of protection against a network attack and the associated intrusiveness and risk of blocking clean traffic. The protection level can be set globally or for specific protection groups. protection mode — A state within an inline deployment mode, in which the mitigations are either active or inactive. protection settings — The criteria by which APS defines clean traffic and attack traffic. protocol — A well-defined language used by networking entities to communicate with one another. R RADIUS (Remote Authentication Dial In User Service) — A client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. rate limit — The number of requests, packets, bits, or other measurement of data that a host is allowed to send within a specified amount of time. RDN (Registered Domain Name) — A domain name as registered, without any preceding node information (for example, “arbor.net” instead of www.arbor.net). real time — When systems respond or data is supplied as events happen. redundancy — The duplication of devices, services, or connections so that, in the event of a failure, the duplicate item can perform the work of the item that failed. refinement — The process of continually gathering information about anomalous activity that is observed on a network. Proprietary and Confidential Information of Arbor Networks Inc. 597 APS User Guide, Version 6.0 regular expression — A standard set of rules for matching a specified pattern in text. Often abbreviated as regex or regexp. report — An informational page that presents data about a traffic type or event. route — A path that a packet takes through a network. router — A device that connects one network to another. 
Packets are forwarded from one router to another until they reach their ultimate destination. S secret key — A secret that is shared only between a sender and receiver of data. server type — A class of servers that APS protects and that is associated with one or more protection groups. shared secret — A word or phrase that APS Console uses to authenticate the internal communication between itself and APS devices. signature — A pattern or profile of traffic that suggests or represents an attack. Also known as a fingerprint. SIP (Standard Initiation Protocol) — An IP network protocol that is used for VoIP (Voice Over IP) telephony. SMTP (Simple Mail Transfer Protocol) — The de facto standard protocol for email transmissions across the internet. SNMP (Simple Network Management Protocol) — A standard protocol that allows routers and other network devices to export information about their routing tables and other state information. span port — A designated port on a network switch onto which traffic from other ports is mirrored. spoofing — A situation in which one person or program successfully masquerades as another by falsifying data (usually an IP address) and thereby gains an illegitimate advantage. SSH (Secure Shell) — A command line interface and protocol for securely accessing a remote computer. SSH is also known as Secure Socket Shell. SSL (Secure Sockets Layer) — A protocol for secure communications on the internet for such things as web browsing, email, instant messaging, and other data transfers. SSL certificate — A file that is installed on a secure web server to identify a web site and verify that the web site is secure and reliable. stacked graph — A graph in an Arbor Networks product that displays multiple types of data in a colorcoded stack. syslog — A file that records certain events or all of the events that occur in a particular system. Also, a service for logging data. 598 Proprietary and Confidential Information of Arbor Networks Inc. 
Glossary T TACACS+ (Terminal Access Controller Access Control System +) — An authentication protocol common to UNIX networks that allows a remote access server to forward a user’s login password to an authentication server to determine whether that user is allowed to access a given system. target — A victim host or network of a malicious denial of service (DoS) attack. TCP (Transmission Control Protocol) — A connection-based, transport protocol that provides reliable delivery of packets across the internet. TCP/IP — A suite of protocols that controls the delivery of messages across the internet. throughput — The data transfer rate of a network or device. TLS (Transport Layer Security) — An encryption protocol for the secure transmission of data over the internet. TLS is based on, and has succeeded, SSL. U UDP (User Datagram Protocol) — An unreliable, connectionless, communication protocol. unblock — To remove a source or destination from the temporarily blocked list without adding it to the whitelist. UNC (Universal Naming Convention) — A standard which originated from UNIX for identifying servers, printers, and other resources in a network. URI (Uniform Resource Identifier) — A protocol, login, host, port, path, etc. in a standard format used to reference a network resource, (for example http://arbor.net/). URL (Uniform Resource Locator) — Usually a synonym for URI. UTC (Universal Time Coordinated) — The time zone at zero degrees longitude, which replaces GMT as the world time standard. V vAPS — The virtual version of APS that is hardware-independent. vAPS contains all of the APS software packages and configurations but does not require a physical APS appliance. VLAN (Virtual Local Area Network) — Hosts connected in an infrastructure that simulates a local area network, when the hosts are remotely located, or to segment a physical local network into smaller, virtual pieces. 
VoIP (Voice over Internet Protocol) — Routing voice communications (such as phone calls) through an IP network. volumetric attack — A type of DDoS attack that is generally high bandwidth and that originates from a large number of geographically distributed bots. VPN (Virtual Private Network) — A private communications network that is often used within a company, or by several companies or organizations, to communicate confidentially over a public network using encrypted tunnels. Proprietary and Confidential Information of Arbor Networks Inc. 599 APS User Guide, Version 6.0 vulnerability — A security weakness that could potentially be exploited. W WAN (Wide Area Network) — A computer network that covers a broad area. (Also Wireless Area Network, meaning a wireless network.) UI (User Interface) — A web-based interface for using an Arbor Networks product. whitelist — A list of hosts whose traffic is passed without further inspection. To add a host to the whitelist. widget — A graphical element in a user interface that displays information about an application and allows the user to interact with the application. X XML (eXtensible Markup Language) — A metalanguage written in Standard Generalized Markup Language (SGML) that allows one to design a markup language for easy interchange of documents on the World Wide Web. 600 Proprietary and Confidential Information of Arbor Networks Inc. 
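The glossary entries for netmask, prefix, rate limit and whitelist describe two operations that most of the protection settings indexed below build on: matching a source address against an address prefix, and counting how many packets a source sends within a time window. The following Python block is an added example written for this page, not code from the APS User Guide or from APS itself. It implements a per-source sliding-window rate limit and a prefix whitelist with explicit netmask arithmetic, and runs both over constructed sample traffic. The addresses, the limit of 10 packets per 1000 ms window and the evaluation order (whitelist first, then rate limit) are illustrative assumptions; APS's own thresholds and evaluation order are documented elsewhere in the guide and are not reproduced here.

```python
# Added example for the glossary terms "netmask", "prefix", "rate limit" and
# "whitelist". Not code from the Arbor APS User Guide or from APS; the addresses,
# thresholds and evaluation order below are constructed for illustration.
from collections import defaultdict, deque
import ipaddress


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr lies inside prefix (e.g. '198.51.100.0/24').

    The netmask operation is spelled out (addr AND mask == network address)
    instead of relying on a library containment check, so the glossary's
    description of a netmask is visible in the code.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip.version != net.version:        # never compare IPv4 and IPv6 integers
        return False
    return (int(ip) & int(net.netmask)) == int(net.network_address)


class SlidingWindowLimiter:
    """Per-source rate limit: at most `limit` packets in any `window_ms` window."""

    def __init__(self, limit: int, window_ms: int):
        self.limit = limit
        self.window_ms = window_ms
        self._hits = defaultdict(deque)  # source -> timestamps (ms) still in window

    def allow(self, source: str, now_ms: int) -> bool:
        q = self._hits[source]
        # Evict timestamps that have aged out of the window.
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False                 # over the limit: drop this packet
        q.append(now_ms)
        return True


def evaluate(packets, whitelist_prefixes, limit, window_ms):
    """Return {source: {"passed": n, "dropped": n}} for a list of (ts_ms, src).

    Assumed order: a whitelisted source is passed without further inspection;
    every other source is subject to the per-source rate limit.
    """
    limiter = SlidingWindowLimiter(limit, window_ms)
    result = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for ts, src in packets:
        if any(in_prefix(src, p) for p in whitelist_prefixes):
            result[src]["passed"] += 1   # whitelisted: no further inspection
        elif limiter.allow(src, ts):
            result[src]["passed"] += 1
        else:
            result[src]["dropped"] += 1
    return dict(result)


# Constructed sample traffic (documentation address ranges, not real hosts):
# 12 packets in 550 ms from 203.0.113.5, one more at 1200 ms, and 12 packets
# from 198.51.100.77, which falls inside the whitelisted /24.
SAMPLE_PACKETS = (
    [(i * 50, "203.0.113.5") for i in range(12)]
    + [(i * 50, "198.51.100.77") for i in range(12)]
    + [(1200, "203.0.113.5")]
)
WHITELIST = ["198.51.100.0/24"]

if __name__ == "__main__":
    for src, counts in evaluate(SAMPLE_PACKETS, WHITELIST, 10, 1000).items():
        print(f"{src:16} passed={counts['passed']:3} dropped={counts['dropped']:3}")
```

Run the file directly to print the per-source verdicts. The whitelisted host passes all 12 packets without ever touching the limiter; 203.0.113.5 has its 11th and 12th packets within the first second dropped, and the packet at 1200 ms is passed again because five of the earlier timestamps have slid out of the window by then.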
Index

A

About page 32
access rules: adding to a VLAN subinterface 505
active implementation: recommendations 57; workflow 57
active protection mode: about 66; for a protection group 67, 189; for the outbound threat filter 67; system-wide 67
Active Threat Level Analysis System, see ATLAS 280
AIF (ATLAS Intelligence Feed): about 280; attack rules 280; botnet signatures 280; cloud-based licenses 39; components 280; configuring 119; geoip_countries 281; license for APS 31; license on vAPS 39; license, viewing on vAPS 47; location data 281; proxy 120; reputation feed 280; search engine list 281; settings 120; status 291, 314; threat policies 280, 283; traffic statistics 292, 314; updating 289; URL overrides 516; version information 518; web crawler whitelist 281
AIF level, configuring for vAPS 44
alerts: bandwidth 123; blocked host alert 128; change log alert 128; cloud alert 128; deleting 301; deployment alert 128; expired 301; license limit 27, 32, 301; protection alert 128; searching 300; types 128; viewing 300
amplification attack 554
Apache Killer attack 553
API: managing HSM keys with 155
appliance, APS 26
application attack: about 543; Apache Killer 553; DNS amplification 554; Hash DoS 553; methods and effects 553; related protections 553
Application Misbehavior settings 209
APS: about 20; build number 32; communications with APS Console 78; configuring for APS Console management 111; heartbeat 376; installing 524; installing in FIPS mode 524; license 32, 522; license information 27; log in from APS Console 79; managing from APS Console 78; model number 32; reinstalling 530; services, stopping and starting 459; upgrading 527
APS appliance: about 26; CLI 468; clock 510; command line interface 468; connecting to console 470; deployment guidelines 26; time zone 101
APS Console: communicating with APS 78; connection status 100; data synchronization with APS 80; managing APS devices 78
APS Console - APS synchronization: effect of restoring backups 461
Arbor Cloud DDoS Protection: about 402; access to Customer Portal 403; enabling 379, 404; redirection options 402; setup 404
Arbor Smart Bar 89
Arbor Technical Assistance Center, contacting 15
ATAC, contacting 15
ATLAS confidence index: about 285; confidence value 285
ATLAS Global DDoS Report: viewing 434
ATLAS Intelligence Feed (AIF): about 280; see also AIF 280; attack rules 280; botnet signatures 280; cloud-based licenses 39; components 280; configuring 119; geoip_countries 281; license for APS 31; license on vAPS 39; location data 281; proxy 120; reputation feed 280; search engine list 281; settings 120, 210; status 291, 314; threat policies 280, 283; traffic statistics 292, 314; updating 289; URL overrides 516; version information 518; web crawler whitelist 281
ATLAS threat categories: about 283; summary 316
Attack Categories view 329
attack detection: attack indicators 355; source identification 363
attack mitigation 352
attack rules, AIF 280
attack types: application 553; botnet 541; HTTP cache abuse 556; HTTP Flood 546; ICMP flood 545; IP fragmentation 550; malformed HTTP 557; slow HTTP 552; spoofed TCP SYN flood 549; state exhaustion 548; TCP protocol 551; TCP SYN flood 549; UDP flood 545; uncommon IP protocol 547; volumetric 544
audit trail, system events 448
authentication: custom SSL certificate 138; DNS 219; RADIUS 490; TACACS+ 490
authorization keys 484
authorization, HSM: about 150; authorizing 158
Auto MDI 141

B

backup: about 454; available backups 456; configuration data 454; configuring 135; copying backup files 463; downloading backup file 463; errors 135; full 455; incremental 455; list of backups 456; manual 457; restoring 458; scheduling 135; settings 135; strategy 135; traffic data 454; uploading backup file 463
backups: restoring 461
bandwidth alerts: about 123; baselines 124; blocked traffic 123; botnet 123; configuration 124; expiration 124; thresholds, about 124; thresholds, global 126; thresholds, protection group 189; total traffic 123; viewing 302
bandwidth flood attack: about 543-544; ICMP Ping Flood 545; UDP Traffic Flood 545
banner, pre-login 106
baseline calculation 124
benchmarks: hardware and software bypass 559; link state propagation 560
blacklist: about 258; by protection group 260; capacity 262; Configure Inbound Blacklists page 267; Configure Outbound Blacklists page 274; country 319, 344; creating, inbound 267; creating, outbound 274; domain 340, 423; global 260; IP address 422; settings, inbound 267; settings, outbound 274; URL 338, 423
blacklist, inbound: searching 264, 270; viewing 264, 270
Block Malformed DNS Traffic settings 214
Block Malformed SIP Traffic settings 215
block traffic: about 258; by protection level 359; by source 320; by URL 337; see also blacklist 258
blocked host: alert 128; in blocked hosts log 406; notifications 129; temporary 335
blocked hosts: total number 334
blocked hosts log: about 406; contents 413; details 416; page 406; searching 410; viewing 408
blocked traffic alert 123
botnet alert 123
botnet attack: about 541; preventing 216; related protection settings 541; voluntary botnet 541
Botnet Prevention settings 216
botnet signatures, AIF 280
build number, APS 32
bypass: performance benchmarks 559
bypass modes: during data restoration 459; hardware 498-499; setting 498-499; software 498-499

C

CA certificate, downloading 139, 452
cache abuse attack 556
capacity, blacklist and whitelist 262
capture packets 417
capture traffic data 173
categories, protection 201
category, threat: about 283; summary 316
CDN and Proxy Support settings 218
central management from APS Console: about 78; configuring 111; data synchronization 80
change control 448
change log: alert 128; exporting 448; notifications 130; saving 448; searching 449; viewing 448; viewing AIF updates 291
CIDR: adding to Cloud Signaling request 391; removing from Cloud Signaling request 392
CLI: about 468; command components 474; command types 475; compound commands 475; connection options 469; editing commands 478; entering commands 475; help 473; importing HSM keys 155; log in 471; log out 472; navigating command hierarchy 477; parsing text 475; removing HSM keys 155; saving configuration 476; syntax 474; viewing current configuration 480; viewing current directory status 480
CLI connection: direct 470; serial port 469; SSH 470; terminal emulation 469
clock, setting 510
cloud-based license server, configuring for vAPS 42
cloud-based licenses, vAPS: about 38; AIF 39, 47; configuring 42; expiration 39; refreshing local copies 44; releasing 45; status 40; throughput, viewing 46; viewing information about 46; viewing information about in CLI 49
cloud alert 128
cloud mitigation: global 371; group 371; targeted 371
Cloud Signaling: about 368, 371; activating manually 390-391, 393, 399; Arbor Cloud 402; communications 375; configuring 378; connection status 377; deactivating 399; deactivating manually 390-391, 393; enabling 378, 398; error 400; for protection groups 370; Global 384; GRE tunneling 372; group 371; handshake 375; heartbeat 377; how it works 368; manual mitigation process 387; prefix update 376; proxy 382; rate-based signaling 380-381; redundancy 369; server configuration 379; settings 379; stopping 399; targeted 371; Targeted Destination 384; threshold interval 381; threshold limit 381-382; threshold signaling, enabling 380-381; types 371; viewing global activity 396; viewing group activity 396; viewing targeted destination activity 394; widget 397
Cloud Signaling redundancy 73
Cloud Signaling request: adding IP addresses and CIDRs to 391; removing IP address or CIDR from 392
Cloud Signaling widget: about 397; protection group 325
comma-separated values file 91
command line interface 468: importing HSM keys 155
commands, hierarchy in CLI 477
comment in FCAP 566
communication ports 536
communications: Cloud Signaling 375
components of AIF 280
confidence index: about 285; confidence value 285
confidence value: about 285; configuring 212
configuration: backing up 454; viewing current 480
Configure Inbound Blacklists page 267
Configure Inbound Whitelists page 272
Configure Outbound Blacklists page 274
Configure Outbound Whitelists page 276
Configure Server Type page 169
connection limit, TCP 240
connection status: APS Console 100; ATLAS Intelligence Feed 291, 314; Cloud Signaling 377
connections to the CLI 469
connectivity model: inline mode 60; layer 3 mode 61
connectivity options, network 60
console, connecting 470
Content Delivery Networks (CDNs) 546
context menu icon: opening the Blocked Hosts Log 408; opening the Packet Capture page 419
conventions, typographic: in commands and expressions 14, 474, 564; in procedures 13
copy files 519
countries traffic: blacklisting 319, 344; summary 318; unblocking 319, 344; viewing by protection group 343
CPU utilization 306
crypto officer 150
crypto user 150
CSV file, creating from UI page 91
custom logo: locking 146; unlocking 146; uploading 146
custom protection groups 180
custom server type: about 163; adding 167; deleting 167; duplicating 168; maximum allowed 163; settings, configuring 169
customer support, contacting 15

D

dashboard 310
data recovery 458
data synchronization with APS Console 80
DDoS attacks: about 539; application 543, 553; botnet, voluntary 541; botnets 541; categories 543; how they work 539; state exhaustion 543, 548; types of damage 539; volumetric 543-544
debugging information 450
default: password 471; protection group 180; time zone 101; username 471
default logo 146
default route: using a VLAN subinterface 505
default route, GRE tunneling 145
denial of service attacks 539
deployment alert 128
deployment mode: about 63; inline 63; layer 3 63, 65, 513; monitor 61, 63; setting 511
deployment models: about 59; Cloud Signaling 72; Cloud Signaling with redundancy 73; failover 71; network connectivity 60; network placement 69; redundancy 71
details: attack categories 332; blocked hosts log 416; captured packet 421
diagnostics package 450
direct connection to CLI 470
directory, viewing 519
disabling a user account 117
distributed denial of service attacks 539
DNS amplification attack: about 554; related protections 554
DNS Authentication settings 219
DNS malformed 214
DNS NXDomain Rate Limiting settings 220
DNS Rate Limiting settings 221
DNS Regular Expression settings 222
DNS server, specifying IP addresses for 104
domains: blacklisting 340, 423; unblocking 340; viewing traffic for 339
download: backup file 463; file 452

E

email notifications: about 129; adding 132; examples 580; format 580; settings 132
enabling a user account 117
ephemeral ports in Services view 347
errors: Cloud Signaling 400; during backup 135; during restore 460; interface 307
Executive Summary Report: about 430; configuring and editing 438; configuring on-demand 435; deleting 440; exporting as PDF file 440; one-time 435; running multiple times 438; scheduled 438, 442; searching 440; viewing 440
expiration: cloud-based licenses 39; vAPS licenses 39
expired alerts 301
expired password, TACACS+ 495
export Web UI page: to CSV file 91; to PCAP file 420; to PDF file 91

F

fail closed bypass mode 498-499
fail open bypass mode 498-499
failover deployment 71
FCAP expressions: about 564; comment line 566; direction 573; examples 574; filter lists 251, 255; joining 571; master filter lists 253; operators 571; reference 566; specifying direction 573
features of APS 20
files: backup 463; copying 519; deleting from APS 452, 520; downloading from APS 452; packet capture 420; renaming 520; uploading to APS 452
filter lists: about 251; per server type 255
filter lists for server types, about 251
FIPS mode 524
firmware dump for protection interfaces 507
flood attack: bandwidth 544; HTTP flood 546; ICMP 228; ICMP flood 545; spoofed SYN flood 237-238; spoofed TCP SYN flood 549; SYN flood detection 243; TCP SYN flood 549; TCP SYN flood detection 243; UDP flood 545; UDP flood detection 249; uncommon IP protocol 547
forensics, traffic 310
Fragment Detection settings 223
fragmentation attack 223, 550
full backup 455

G

general settings 100
global blacklist 260
global Cloud Signaling 371: activating manually 390; automated 384; deactivating manually 390; rate-based 384; starting 390; stopping 390; viewing activity 396
global protection level: about 185; changing 361
global whitelist 260
graph data: about 93; changing timeframe 93; minigraph 93; stacked 93; unit of measure 93
GRE tunneling: about 372; configuring 141; default route 145; keepalives 142; routes 145; routing 374
group Cloud Signaling 371: activating manually 393; deactivating manually 393; starting 393; stopping 393; viewing activity 396; widget 325

H

handshake, Cloud Signaling 375
hardware bypass: performance benchmarks 559
Hardware Security Module: keys 155; PEM file 155
Hardware Security Module (HSM): about 75; authorizing 150, 158; changing passwords 158; configuration overview 150; configuring 152; downgrading firmware 159; importing keys 152; initializing 152; login failures 160; PEM file 150; resetting 158; status 160, 323; upgrading firmware 159; users 150; zeroizing 158
Hash DoS attack 553
heartbeat: from APS 376; from Cloud Signaling Server 377
Help 89
Help, CLI 473
histograms 175
hosts: total number blocked 334
HSM keys 155: managing keys 155; managing keys in CLI 155; PEM file 155
HSM (Hardware Security Module): about 75; authorizing 150, 158; changing passwords 158; configuration overview 150; configuring 152; downgrading the firmware 159; importing keys 152; initializing 152; login failures 160; PEM file 150; resetting 158; status 160, 323; upgrading firmware 159; users 150; zeroizing 158
HTTP attack: cache abuse 556; malformed 229, 557; slow 217, 552
HTTP Blocked Locations category 331
HTTP cache abuse attack 556
HTTP flood attack: about 546; and CDNs 546; related protections 546
HTTP Header Regular Expressions settings 224
HTTP malformed attack: about 557; protection settings 229
HTTP Rate Limiting settings 225
HTTP Reporting settings 227

I

ICMP flood attack: about 545; ICMP Ping Flood 545; related protections 545
ICMP Flood Detection settings 228
ICMP Ping Flood attack 545
idle TCP attack 241
idle timeout for inactive UI session 104, 107
implementation, APS: active for mitigation 57; monitor-only 54; trial 54
inactive protection mode: about 66; for a protection group 67, 189; for the outbound threat filter 67; system-wide 67
inbound blacklist: searching 264, 270; see blacklist 267; viewing 264, 270
incremental backup 455
initial setup: active implementation 57; monitor-only 54; trial implementation 54
inline mode: about 63; connectivity model 60; setting 511
inspected throughput: about 29; vAPS 38
installation instructions 524
installed hardware information 32
installed software information 32
intelligence feed data: see also ATLAS Intelligence Feed 289; updating 289
interfaces: activity 307; alerts 141; configuring 141; display error 307; link state propagation 141; speed setting 502; status 307; vAPS 36
interval, Cloud Signaling threshold 381
Invalid Packets category 331
IP address: adding to Cloud Signaling request 391; removing from Cloud Signaling request 392
IP address, blacklist 422
IP fragmentation attack 223: about 550; Jolt2 550; Nestea 550; related protections 550; Targa3 550; Teardrop 550
IP locations: location data updates 281; traffic summary 318; viewing traffic by protection group 343
IPv4 prefix matching in protection groups 183

J

Jolt2 attack 550

K

keepalives for GRE tunneling 142
key tasks 23
keys, for Hardware Security Module (HSM) 155

L

l3, see layer 3 mode 513
Land attack 549
language: changing 110; setting 101
layer 3 mode: about 63, 65; configuring routes 513; connectivity model 61; default route for outbound traffic 203; routes 145; setting 511
layer 3 traffic 61
Layer 4-7 attacks 548
license agreements 32
license information: APS 27; vAPS 46, 49
license key, APS: installing 522; rate limit options 29; upgrading 522
license key, ATLAS Intelligence Feed (AIF): about 31; installing 523; upgrading 523
license limit alert 27, 32, 301
license server, vAPS: configuring 42; viewing information 48
Licenses page 27, 46
licenses, releasing on vAPS 45, 51
link state propagation: about 141; benchmarks 560; disabling in monitor mode 63, 141; timeouts 143
List Protection Groups page 196
local files, deleting from APS 452
locking a user account 117
log in: authentication required before 103; CLI 471; from APS Console 79; UI 86
log out: CLI 472; UI 86
login attempts before account lockout 117
logo: adding to UI 146; default 146; locking 146; unlocking 146; uploading 146

M

malformed DNS 214
malformed HTTP attack: about 557; related protections 557
Malformed HTTP Filtering settings 229
malformed SIP 215
manual activation: global Cloud Signaling 390; group Cloud Signaling 393; targeted Cloud Signaling 391
manual backup 457
manual Cloud Signaling: activating 399; process 387
master filter lists: about 251; configuring 253
maximizing automatic protection 97
media settings for protection interfaces 502
memory utilization 306
menu bar 89
message, pre-login 103
message, pre-login banner 106
MIB file, downloading 452
minigraph 93
mitigation: about 352; by blocking source 363; cloud, see Cloud Signaling 368-369, 371; manual 359; manual Cloud Signaling 387; options 353; when to mitigate manually 352; workflow 359, 363
mitigation interfaces: configuring 513; media settings 502; speed 502
mode: deployment 63; protection, see protection mode 66
monitor-only implementation: recommendations 54; workflow 55
monitor mode: about 61, 63; disabling link state propagation 63, 141; setting 511
monitoring traffic 298
MTU, protection interfaces 502
Multicast Blocking settings 230

N

NAS identifier, configuring 493
navigation: controls 90; Web UI 89
Nestea attack 550
network connectivity options 60
network placement options 69, 72
Nkiller2 attack 551
notifications: about 128; blocked hosts 129; change log 130; configuring 131; deleting 131; email 129, 580; examples 580, 584, 587; SNMP 129, 584; syslog 129, 587; types 129
NTP server, specifying IP address for 102

O

on-demand Executive Summary report, configuring 435
online help 89
Open Systems Interconnect (OSI) 548
options, licenses 29
OSI network architecture 548
outbound blacklist 274
outbound threat filter: Attack Categories view 329; configuring 203, 205; default route in layer 3 mode 203; filter lists 255; page 349; protection level 361; protection mode 66-67; viewing 349
outbound threats, viewing 349
outbound whitelist 276
overview of APS 20
overview of vAPS 36
Overview tab, Summary page 304

P

packet capture: about 417; blacklisting domain 423; blacklisting IP address 422; blacklisting URL 423; capturing packets 418; clearing 420; contents 421; details 421; file, exporting 420; regular expressions 425; saving PCAP 420; uses 417; viewing 421
Packet Capture page 421
packets: evaluating and processing 252
page navigation 90
page, Web UI: creating PDF 91; emailing as PDF 91; exporting to CSV 91
parsing CLI text 475
password: changing 87; changing in Hardware Security Module (HSM) 158; choosing 113; criteria 113; default 471; expired, TACACS+ 495; requirements 113
pause parameter settings for protection interfaces 507
payload inspection, UDP 231
Payload Regular Expression settings: about 231; configuring from captured packets 425
PCAP export 420
PDF file: creating from UI page 91; emailing UI page 91; exporting Executive Summary Report as 440
PEM file 150, 155
performance benchmarks: bypass 559
permanent blacklist 258
permanent whitelist 258
permissions 484
ping exploitation 228
ping flood, ICMP 545
ports: ephemeral 347; for APS access 536
post-GRE route 374
pre-login message 103, 106
prefix matching: IPv4 183; IPv6 183
prefix matching in protection groups 183
prefix update, Cloud Signaling 376
Private Address Blocking settings 234
private IP address 234
process for rate-based Cloud Signaling 384
profiling traffic: about 171; best practice 171; capturing data 173; viewing data 175
protected host: about 181; prefix update 376
protection alert 128
protection categories: about 201; blocked traffic 329; configuring from traffic profiles 175; configuring settings 169; restoring default settings 178
protection group: about 180; adding 188; automating the protection level 193; blacklist 260; Cloud Signaling mitigation 370; custom 180; default 180; deleting 194; disabling protection level automation 193; domain traffic 339; editing 194; header 324; prefix matching 183; searching for 196; settings, configuring from traffic profiles 175; settings, restoring 178; summary 313; Temporarily Blocked Sources 335; top countries 343; top protection groups 313; top protocols 345; top services 347; top URLs 337; top web crawlers 341; traffic summary 327; viewing all 196; viewing traffic for 324; whitelist 260
protection group protection level: about 185; changing 361; changing from APS Console 361
protection group protection mode: changing 67; changing from APS Console 66; setting 189
protection interfaces: configuring 513; firmware dump 507; media settings 502; MTU setting 502; pause parameter settings 507; troubleshooting 507
protection level: about 185; automating for a protection group 193; changing 361; changing from APS Console 361; disabling automation for a protection group 193; for protection settings 185, 202; global 185; protection group level 185; recommendations 187; viewing 186
protection mode: about 66; active and inactive 66; changing by protection group 67, 189; changing from APS Console 66; changing, system-wide 67; setting by protection group 189
protection mode, outbound threat filter: about 66; changing 67
protection settings: about 201; categories 201; configuring 169; configuring from traffic profiles 175; protection level 185, 202; restoring defaults 178; when to change 202
protections for specific attacks: botnet 541; DNS amplification 554; HTTP cache abuse 556; HTTP flood 546; ICMP flood 545; IP fragmentation 550; malformed HTTP 557; slow HTTP 552; spoofed SYN flood 549; TCP SYN flood 549; UDP flood 545; uncommon IP protocol 547; volumetric 544
protocols, top 10 345
proxy server: ATLAS Intelligence Feed (AIF) 120; Cloud Signaling 382; vAPS license server 43
proxy support settings 218
Pyloris attack 552

R

RADIUS integration: authentication method 490; configuring 492; default user group 496; user group assignment 493
Rate-based Blocking settings 235
rate-based Cloud Signaling: enabling 380-381; process 384; threshold interval 381; threshold limit 381-382
rate limit: any source host 235; by license key 29
DNS 221 DNS NXDomain 220 HTTP 225 SIP 236 traffic shaping 247 redundancy deployment 71 regular expression about 578 configuring from captured packets 425 DNS 222 HTTP header 224 payload 231 reinstallation instructions 530 remote syslog server, creating secure tunnel to 140 rename files 520 reports ATLAS Global DDoS 434 custom date range 436 Executive Summary 430 reputation feed, AIF 280 restore from backup bypass mode 459 data 458 error handling 460 restoring backups affect on synchronization 461 route outbound threat filter 203 route, post-GRE 374 Proprietary and Confidential Information of Arbor Networks Inc. 611 Index: routes – Summary page routes configuring 145 configuring on vAPS 513 deleting 513 routine monitoring 298 rules for passwords 113 S scheduled backups 135 scheduled report configuring and editing 438 scheduled reports deleting 442 viewing 442 search engine list 281 web crawler support 288 searching 90 secure tunnel, using to transfer syslog data 140 serial cable connecting for CLI setup 470 type 470 serial connection to CLI 469 serial number, finding 32 server configuration, Cloud Signaling 379 server type about 162 adding 167 custom server types 167 deleting 167 duplicating 168 filter lists for 255 restoring default settings 178 settings, configuring 169 standard server types 162 server types filter lists for 251 services traffic 347 services, stopping and starting 459 setup tasks 54, 57 sign-on CLI 471 from APS Console 79 UI 86 SIP malformed 215 SIP Request Limiting settings 236 slow HTTP attack about 552 preventing 217 Pyloris 552 related protections 552 Slowloris 552 Slowloris attack 552 612 SMTP server, specifying IP address for 102 SNMP notifications about 129 adding 132 examples 584 format 584 settings 132 SNMP polling about 108 configuring 103 enabling 108 Sockstress attack 551 software bypass performance benchmarks 559 source of attack 363 speed, protection interfaces 502 Spoofed SYN Flood Prevention settings 237 automating 238 spoofed TCP 
SYN flood attack about 549 Land attack 549 SSH connection to CLI 470 SSL attack, prevention 245 SSL certificate, custom 138 SSL data including in traffic statistics 105 viewing 323 SSL inspection about 75 configuration overview 150 configuring 152 enabling 105 how it works 75 HSM status 160, 323 keys 155 stacked graph 93 standard server types 162 start Cloud Signaling 398 state exhaustion attack about 543, 548 Layer 4-7 548 related protections 548 status APS Console connection 100 ATLAS Intelligence Feed 291, 314 Cloud Signaling connection 377 HSM (Hardware Security Module) 323 interfaces 307 SSL inspection 323 vAPS licenses 40 stop Cloud Signaling 399 Summary page 310 AIF Highlights 314 ATLAS Threat Categories 316 Proprietary and Confidential Information of Arbor Networks Inc. Index: support, contacting – timeout blacklisting countries 319 Interfaces 307 Overview tab 304 SSL Inspection status 323 System Status tab 306 top inbound countries 318 top inbound destinations 322 top inbound sources 320 top protection groups 313 unblocking countries 319 web crawlers 317 support, contacting 15 SYN flood spoofed 237-238 TCP 243 syntax CLI commands 474 FCAP expressions 564 syslog notifications about 129 adding 134 examples 587 format 587 settings 134 syslog, secure remote server 140 system alerts, See alerts 300 overview 304 settings 100 status 306 traffic 310 System Alerts page 300 T TACACS+ integration authentication method 490 configuring 494 default user group 496 password expiration 495 user group assignment 495 Targa3 attack 550 targeted Cloud Signaling 371 activating manually 391 deactivating manually 391 starting 391 stopping 391 viewing activity 394 Targeted Destination Cloud Signaling automated 384 rate-based 384 TCP idle connections 241 payload inspection 231 TCP Connection Limiting settings 240 TCP Connection Reset settings 241 TCP protocol attack about 551 Nkiller2 551 Sockstress 551 TCP SYN flood attack about 549 related protections 549 spoofed 549 TCP SYN 
Flood Detection settings 243 Teardrop attack 550 temporarily blocked hosts in blocked hosts log 406 viewing 335 whitelisting 336 temporarily blocked sources in blocked hosts log 406 viewing 335 whitelisting 336 temporary ports in Services view 347 terminal emulation, connecting to CLI 469 text parsing in the CLI 475 threat categories, ATLAS about 283 summary 316 threat policies, AIF 280 threat policy, ATLAS about 283 categories 283 confidence index 285 confidence value 285 threshold Cloud Signaling enabling 380-381 See also Cloud Signaling 380-381 threshold, bandwidth alerts about 124 global thresholds 126 protection group thresholds 189 throughput about 29 enforcement on vAPS 38 limit, configuring for vAPS 43 viewing on vAPS 46 time zone setting for system 101 setting for user 88, 115 timeframe, display blocked hosts log 412 changing 93 View Protection Group page 324 timeout inactive UI session 104 link state propagation 143 Proprietary and Confidential Information of Arbor Networks Inc. 
613 Index: timeout for inactive UI session – username timeout for inactive UI session 107 TLS Attack Prevention settings 245 top domains per protection group 339 top inbound countries, traffic summary 318 top inbound destinations disabling summary tracking 104, 382 traffic summary 322 top inbound sources disabling summary tracking 104, 382 traffic summary 320 top IP locations per protection group 343 top protection groups 313 top protocols per protection group 345 top services per protection group 347 top URLs per protection group 337 top web crawlers per protection group 341 total traffic alert 123 traffic blocking, see block traffic 258 data backup 454 forensics 310 layer 3 61 monitoring 298 statistics, ATLAS Intelligence Feed 292, 314 viewing for protection group 324 traffic alert 123 traffic profile about 171 best practice 171 capturing 173 viewing 175 Traffic Shaping settings 247 traffic summary for protection group 327 transient ports in Services view 347 trial implementation recommendations 54 workflow 55 typographic conventions commands and expressions 14, 474, 564 procedures 13 U UDP flood attack about 545 related protections 545 UDP Traffic Flood 545 UDP Flood Detection settings 249 UDP payload inspection 231 UDP Traffic Flood attack 545 UI language 101 log in and out 86 UI session, idle timeout for 107 614 unblock country 319, 344 domain 340 URL 338 uncommon IP protocol flood attack 547 unit of measure, graphs 93 unlocking a user account 117 upgrade instructions 527 upload backup file 463 file 452 URL blacklisting 338, 423 unblocking 338 viewing traffic for 337 user account about 113 adding 114 configuring 114 crypto officer 150 crypto user 150 deleting 116 disabling 117 editing your account 87 enabling 117 Hardware Security Module (HSM) 150 locking manually 117 number of login attempts before lockout 117 password 113 settings 115 time zone 88, 115 unlocking 117 user group about 482 adding 483 assigning in RADIUS 493 assigning in TACACS+ 495 
authorization assignment 484 authorization keys 484 configuring 483 customizing 483 default for RADIUS or TACACS+ 496 permissions 484 predefined groups 482 username APS Console 79 default 471 entering 115 password 471 requirements 115 Proprietary and Confidential Information of Arbor Networks Inc. Index: vAPS – workflow V vAPS about 36 accessing 37 configuring AIF level 44 configuring license server 42 configuring routes 513 inspected throughput 38 layer 3 mode 513 reinitializing 45 releasing local licenses 51 supported interfaces 36 vAPS license server proxy server 43 viewing information 48 vAPS licenses about 38 AIF 39, 47 configuring 42 configuring throughput limit 43 expiration 39 overview 38 refresh manually 48 refreshing local licenses 44 releasing 45 status 40 throughput 38, 46 viewing information about 46, 49 Venafi importing HSM keys with 155 version number, APS 32 View Protection Group page 324 blacklisting countries 344 blacklisting domains 340 blacklisting URLs 338 unblocking countries 344 unblocking domains 340 unblocking URLs 338 whitelisting temporarily blocked sources 336 viewing top inbound countries 318 top inbound destinations 322 top inbound sources 320 viewing AIF updates 291 virtual machine (vAPS) about 36 Also see vAPS 36 VLAN sub-interfaces adding 504 VLAN subinterface adding access rules 505 configuring a default route to use 505 removing 505 VLAN subinterfaces configuring 504 VoIP attack, preventing 236 volumetric attack about 543-544 ICMP flood 545 related protections 544 UDP flood 545 voluntary DDoS botnets 541 W web crawler support about 288 web crawler list 281 web crawler traffic by protection group 341 summary 317 viewing 317, 341 web crawler whitelist, AIF 281 Web Traffic By Domain disabling 227 viewing 339 Web Traffic By URL disabling 227 viewing 337 web UI about 34 custom logo 146 language 110 navigating 89 whitelist about 258 by protection group 260 capacity 262 Configure Inbound Whitelists page 272 Configure Outbound Whitelists 
page 276 creating, inbound 272 creating, outbound 276 global 260 settings, inbound 272 settings, outbound 276 temporarily blocked sources 336 widget, Cloud Signaling about 397 protection group 325 workflow active implementation 57 manual mitigation 359 mitigation 363 monitor-only implementation 55 routine system monitoring 298 trial implementation 55 Proprietary and Confidential Information of Arbor Networks Inc. 615 Index: zeroize Hardware Security Module (HSM) – zeroize Hardware Security Module (HSM) Z zeroize Hardware Security Module (HSM) 158 616 Proprietary and Confidential Information of Arbor Networks Inc.