Arbor APS Console
User Guide
Version 6.3
Legal Notice
The information contained within this document is subject to change without notice. Arbor Networks, Inc. makes
no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable for errors contained
herein or for any direct or indirect, incidental, special, or consequential damages in connection with the
furnishings, performance, or use of this material.
© 2019 Arbor Networks, Inc. All rights reserved. Proprietary and Confidential Information of Arbor Networks, Inc.
Document Number: APSCON-UG-63-2019/08
19 August, 2019
Contents

Preface
  About the APS Console Documentation  8
  Command Syntax  9
  Contacting the Arbor Technical Assistance Center  10

Part I: APS Console Overview
  Section 1: Introduction to APS Console  13
    About Managing APS Devices from APS Console  14
    About the APS Console User Interfaces  16
  Section 2: Getting Started with APS Console  17
    Before You Begin to Use APS Console  18
    Logging in to and out of the APS Console UI  19
    Editing Your User Account  20
    Navigating the APS Console UI  22
    Using Navigation Controls  24
    About the Arbor Smart Bar  26
    Saving and Emailing Pages from the UI  27
    Viewing Graphs in the UI  28

Part II: APS Console Configuration
  Section 3: Configuring APS Console  31
    Configuring General Settings  32
    About SNMP Polling  34
    About User Accounts  36
    About User Groups  38
    Configuring User Accounts  39
    Configuring the Audit Trail Settings  41
    Configuring System Alerts  42
    Configuring Remote Backup Settings  44
    Using a Custom SSL Certificate for User Authentication  47
    Adding a Custom Logo to the UI  49
  Section 4: Managing the ATLAS Intelligence Feed  51
    About the ATLAS Intelligence Feed  52
    About the ATLAS Threat Policies  54
    About the ATLAS Confidence Index  56
    About Web Crawler Support  59
    Configuring the ATLAS Intelligence Feed  60
    Viewing the Status of ATLAS Intelligence Feed Updates  62
    Viewing the AIF Traffic Statistics for a Protection Group  63
  Section 5: Configuring Notifications  65
    About Notifications  66
    Configuring Notifications  68
    Viewing Notifications  72

Part III: APS Management
  Section 6: Introduction to APS Management  75
    Configuring APS for APS Console Management  76
    About the APS Console - APS Data Synchronization  78
    How Restoring Backups Affects the APS Console - APS Synchronization  82
    Setting the Protection Mode (Active or Inactive)  84
    About the Protection Levels  86
    Deleting Offline Devices  89
  Section 7: Managing Shared Server Types  91
    About the Server Types  92
    Viewing Server Types  96
    Adding and Deleting Custom Server Types  98
    Changing the Protection Settings for Server Types  100
    About Traffic Profiling for Protection Configuration  102
    Capturing Traffic Profiles from APS Console  104
    Using Traffic Profile Data to Configure Protection Settings  105
    Restoring the Default Protection Settings  108
  Section 8: Configuring the Protection Settings  109
    About the Protection Settings Configuration  111
    About the Outbound Threat Filter  113
    Configuring the Outbound Threat Filter  115
    Validating the Outbound Threat Filter Configuration  116
    Application Misbehavior Settings  119
    ATLAS Intelligence Feed Settings  120
    Block Malformed DNS Traffic Settings  124
    Block Malformed SIP Traffic Settings  125
    Botnet Prevention Settings  126
    CDN and Proxy Support Settings  128
    DNS Authentication Settings  129
    DNS NXDomain Rate Limiting Settings  130
    DNS Rate Limiting Settings  131
    DNS Regular Expression Settings  132
    Fragment Detection Settings  133
    HTTP Header Regular Expressions Settings  134
    HTTP Rate Limiting Settings  135
    HTTP Reporting Settings  136
    ICMP Flood Detection Settings  137
    Malformed HTTP Filtering Settings  138
    Multicast Blocking Settings  139
    Payload Regular Expression Settings  140
    Private Address Blocking Settings  143
    Rate-based Blocking Settings  144
    SIP Request Limiting Settings  145
    Spoofed SYN Flood Prevention Settings  146
    TCP Connection Limiting Settings  150
    TCP Connection Reset Settings  151
    TCP SYN Flood Detection Settings  153
    TLS Attack Prevention Settings  155
    Traffic Shaping Settings  157
    UDP Flood Detection Settings  158
  Section 9: Configuring Filter Lists to Drop and Pass Traffic  159
    About Filter Lists  160
    Configuring Master Filter Lists  162
    Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter  164
  Section 10: Managing the Blacklists and Whitelists  167
    About Blacklisting and Whitelisting Traffic  168
    About the Capacity of the Blacklists and Whitelists  172
    Blacklisting Inbound Traffic  174
    Viewing and Searching the Inbound Blacklist  177
    Blacklisting Outbound Traffic  180
    Viewing and Searching the Outbound Blacklist  182
    Whitelisting Inbound Traffic  184
    Viewing and Searching the Inbound Whitelist  186
    Whitelisting Outbound Traffic  188
    Viewing and Searching the Outbound Whitelist  190
  Section 11: Viewing APS Traffic  193
    Viewing the Traffic Activity for a Protection Group  194
    Viewing the Traffic Overview for a Protection Group  197
    Filtering the Traffic Data by APS  199
    Viewing the Attack Categories for a Protection Group  200
    Viewing the Top URLs for a Protection Group  206
    Viewing the Top Domains for a Protection Group  208
    Viewing the Top IP Locations for a Protection Group  210
    Viewing the Top Protocols for a Protection Group  212
    Viewing the Top Services for a Protection Group  214
  Section 12: Managing Protection Groups  217
    About Protection Groups  218
    About Bandwidth Alerts  223
    Viewing the Status of Protection Groups  225
    Adding, Editing, and Deleting Protection Groups  231
    Assigning APS Devices to Protection Groups  237
    Overriding a Protection Group’s Settings on a Managed APS  240
  Section 13: Mitigating Attacks  243
    About Attack Mitigation  244
    Workflow for Routine System Monitoring  246
    Indicators of Attacks and Mitigations  248
    Mitigating an Attack by Raising the Protection Level  251
    Changing the Protection Level  253
    Identifying and Blocking an Attack  255
  Section 14: Traffic Forensics  259
    About the Blocked Hosts Log  260
    Viewing the Blocked Hosts Log  262
    Information on the Blocked Hosts Log Page  266
    Viewing the ATLAS Threat Categories that Block Traffic  269
    About Capturing Packets  274
    Capturing Packet Information  275
  Section 15: Managing Centralized Reports  277
    About Centralized Reports  278
    About the Centralized Executive Summary Report  279
    Configuring On-Demand Centralized Reports  283
    Viewing and Deleting Centralized Reports  286

Part IV: Network Management
  Section 16: Viewing Network Activity on the Dashboard  291
    Viewing a Dashboard of Network Activity  292
    Viewing APS Traffic on the Dashboard  294
    Viewing Active Alerts on the Dashboard  297
  Section 17: Monitoring Alerts  301
    About Alerts  302
    Viewing a Summary of Alerts  304
    Filtering the Alerts on the Alerts page  306
  Section 18: Monitoring the Status of the Network and Devices  309
    Viewing a Summary of System Activity  310
    Viewing System Information on the Summary Page  311
    Viewing Audit Trail Information on the Summary Page  313
  Section 19: Monitoring System Changes in the Audit Trail  315
    About the Audit Trail  316
    Including Change Messages in the Audit Trail  318
    Viewing the Audit Trail Log  319

Part V: APS Console Maintenance and Management
  Section 20: Managing APS Console Files  323
    About the Files Page  324
    Managing the Files on APS Console and Managed APS Devices  326
    Managing Diagnostics Packages  328
  Section 21: Backing Up APS Console  329
    About APS Console Backups  330
    Running a Local Backup Manually  332

Appendixes
  Appendix A: Notification Formats  337
    Email Notification Examples  338
    Syslog Notification Examples  339
  Appendix B: Using FCAP Expressions  341
    Available FCAP Expressions  342
    FCAP Expression Reference  344
    Logical Operators for Compound FCAP Expressions  349
    FCAP Expressions that Indicate Direction  350
    Examples of FCAP Expressions  351

Glossary  353
Index  363
End User License Agreement  371
Preface
This guide describes how to configure and use the NETSCOUT® Arbor APS Console to
manage Arbor APS, to protect critical service availability.
Audience
This guide is intended for the network security system administrators (or network
operators) who are responsible for configuring and managing APS Console on their
networks. These administrators should have a fundamental knowledge of their network
security policies and network configuration.
In this section
This section contains the following topics:
About the APS Console Documentation  8
Command Syntax  9
Contacting the Arbor Technical Assistance Center  10
About the APS Console Documentation
The instructions assume that you have completed the installation steps in the appropriate Quick Start Card.
Related documentation
See the following guides for information about APS Console and its deployment:
Reference documentation
APS Console User Guide: Instructions and information for using the features in the APS Console user interface (UI).
APS Console Advanced Configuration Guide: Information about configuring advanced settings in APS Console, particularly those that can only be configured in the command line interface (CLI).
APS Console Quick Start Card: Instructions and requirements for the installation and initial configuration of APS Console.
APS Console Online Help: Online help topics from the APS Console User Guide and APS Console Advanced Configuration Guide. The Help is context-sensitive to the APS Console UI page from which it is accessed.
APS Console Online API Documentation: The APS Console API documentation is installed with APS Console. You can access it at the following link:
   https://IP_address/api/aps-console/docs/v2/endpoints.html
   IP_address = the IP address or hostname for your APS Console
APS User Guide: Instructions and information for using the APS user interface (UI). It also contains instructions and information for configuring advanced settings in APS, including those that can only be configured using the command line interface (CLI).
Command Syntax
This guide uses typographic conventions to make the information in procedures, commands, and expressions easier to recognize.
The following table shows the syntax of commands and expressions. Do not type the brackets, braces, or vertical bar in commands or expressions.
Conventions for commands and expressions
Monospaced bold: Information that you must type exactly as shown.
Monospaced italics: A variable for which you must supply a value.
{ } (braces): A set of choices for options or variables, one of which is required. For example: {option1 | option2}.
[ ] (square brackets): A set of choices for options or variables, any of which is optional. For example: [variable1 | variable2].
| (vertical bar): Separates the mutually exclusive options or variables.
Contacting the Arbor Technical Assistance Center
The Arbor Technical Assistance Center is your primary point of contact for all service and technical assistance issues that involve Arbor products.
Contact methods
You can contact the Arbor Technical Assistance Center as follows:
- Phone US toll free — +1 877 272 6721
- Phone worldwide — +1 781 362 4301
- Support portal — https://support.arbornetworks.com
Submitting documentation comments
If you have comments about the documentation, you can forward them to the Arbor Technical Assistance Center. Please include the following information:
- Title of the guide
- Document number (listed on the reverse side of the title page)
- Page number
Example
APSCON-UG-63-2019/08
APS Console User Guide
Page 9
Part I: APS Console Overview
Section 1: Introduction to APS Console
This section describes APS Console and how to use it to manage APS devices.
In this section
This section contains the following topics:
About Managing APS Devices from APS Console  14
About the APS Console User Interfaces  16
About Managing APS Devices from APS Console
Very large organizations may have multiple APS devices installed across data centers or geographic areas. APS Console provides security administrators with a single console for the central management of multiple APS devices.
APS Console features
APS Console can manage up to 50 APS devices, which allows you to monitor and respond to attacks across your network from a single user interface.
Note
APS Console can support multiple versions of APS software simultaneously. For more information about multi-version support, see the APS and APS Console Compatibility Guide.
The ability to manage multiple APS devices from a single user interface allows you to more effectively perform the following network management tasks:
- View the critical alerts and events in your network and outside your network that may put your business at risk.
- Manage the security policies that protect your network from potential threats and attacks.
- Centralize the server types, protection groups, outbound threat filter, blacklists, and whitelists to provide consistent protection across your network and a streamlined workflow.
- Quickly respond to attacks by adjusting the protections on multiple APS devices or an individual APS, all from APS Console.
APS management tasks
APS Console allows you to perform the following tasks for managing the configuration and daily operations on the APS devices that are under management:
- Centrally create, configure, and manage the server types, protection groups, outbound threat filter, blacklists, and whitelists in APS Console. APS Console propagates the configurations to each managed APS as appropriate.
- Share common protection groups and server types across multiple APS devices.
- View the traffic and statistics from each APS as well as an aggregate of the data from all of the APS devices. For example, you can view an aggregated blocked host log.
- View active bandwidth alerts and system alerts for all of the APS devices.
- View and respond to the threats that are identified by the ATLAS threat policies.
- Respond to availability attacks by changing the protection level, blacklisting hosts, or modifying the protection settings globally or per APS.
- Navigate to a specific APS to view more detailed information about its configuration or traffic.
When you first connect APS to APS Console, the applicable configurations on APS Console are copied to APS. Thereafter, any changes to the configurations on APS Console are periodically copied to each APS as appropriate.
See “About the APS Console - APS Data Synchronization” on page 78.
Communication between APS Console and APS
To manage APS from APS Console, you connect the APS to APS Console. You do so on the Configure General Settings page in APS. See “Configuring APS for APS Console Management” on page 76.
After you connect an APS to APS Console, the systems communicate with each other as follows:
- APS Console sends requests to APS for information such as alerts and traffic data.
- APS checks APS Console periodically for configuration changes and obtains the changes that apply to the APS.
See “About the APS Console - APS Data Synchronization” on page 78.
In APS Console, you can view the connection and synchronization status for a specific APS in the System Information section on the Summary page. See “Viewing the APS synchronization status” on page 78.
Single sign-on
You can navigate to an APS from several areas in the APS Console UI, which allows you to examine specific data more closely. For example, from the Blocked Hosts Log page in APS Console, you can navigate to the Blocked Hosts Log page in the APS that blocked a particular host.
If your APS user account has the same username as your APS Console user account, the APS opens without prompting you to log in. You can use a different password for each account.
Important
To use single sign-on with an APS, the APS must have a valid reverse DNS lookup. If the APS does not have a valid reverse DNS lookup, then APS Console links to the IP address of the APS instead of its hostname. If this happens, an SSL certificate error will occur.
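The reverse DNS precondition above can be verified before users run into the certificate error. The following Python script is an added example and is not part of this guide or of Arbor's software: it models the link decision the guide describes (link by hostname only when the APS address has a PTR record that resolves back to the same address, otherwise link by bare IP address) and then checks whether that link target is covered by the names in the APS certificate's subject alternative name list. The resolver tables and certificate names in it are constructed sample data, and the function names are this example's own; when no tables are supplied it falls back to the local resolver.

```python
"""Pre-check for APS Console single sign-on links (added example, not Arbor code).

APS Console links to a managed APS by hostname only when the APS address has a
valid reverse DNS (PTR) record. Without one it links by IP address, and the
browser then reports a certificate error because the APS certificate names
the host rather than the address. This script models that decision and checks
the resulting link target against the certificate's subject alternative names.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

PtrLookup = Callable[[str], Optional[str]]  # ip address -> hostname, or None
FwdLookup = Callable[[str], Iterable[str]]  # hostname -> ip addresses


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the local resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_fwd(hostname: str) -> List[str]:
    """Forward (A/AAAA) lookup through the local resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(hostname, None)]
    except socket.gaierror:
        return []


def sso_link_target(ip: str, ptr: PtrLookup = system_ptr,
                    fwd: FwdLookup = system_fwd) -> Dict[str, object]:
    """Decide what APS Console would link to for the APS at `ip`.

    A PTR record is treated as valid only if the name it returns resolves
    back to the same address (forward-confirmed reverse DNS). A PTR that
    points at a name resolving elsewhere is reported as a failure too, since
    a link to that name would not reach the intended APS.
    """
    ipaddress.ip_address(ip)  # reject malformed input early (ValueError)
    name = ptr(ip)
    if name is None:
        return {"target": ip, "by_hostname": False, "reason": "no PTR record"}
    name = name.rstrip(".").lower()
    if ip not in set(fwd(name)):
        return {"target": ip, "by_hostname": False,
                "reason": f"PTR name {name} does not resolve back to {ip}"}
    return {"target": name, "by_hostname": True,
            "reason": "forward-confirmed PTR record"}


def cert_matches_target(target: str, san_entries: Iterable[str]) -> bool:
    """True if a certificate with these SAN entries covers `target`.

    Entries are written 'DNS:name' or 'IP:address' as OpenSSL prints them.
    DNS names match case-insensitively; a wildcard is honoured only as the
    entire left-most label. A bare IP target never matches a DNS-only
    certificate, which is exactly the error the guide warns about.
    """
    t = target.rstrip(".").lower()
    try:
        ipaddress.ip_address(t)
        target_is_ip = True
    except ValueError:
        target_is_ip = False
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip().upper(), value.strip().rstrip(".").lower()
        if kind == "IP" and target_is_ip:
            if ipaddress.ip_address(value) == ipaddress.ip_address(t):
                return True
        elif kind == "DNS" and not target_is_ip:
            if value.startswith("*."):
                suffix = value[1:]                      # ".example.com"
                prefix = t[:-len(suffix)] if t.endswith(suffix) else None
                if prefix and "." not in prefix:        # wildcard spans one label
                    return True
            elif value == t:
                return True
    return False


def sso_precheck(ip: str, san_entries: Iterable[str], ptr: PtrLookup = system_ptr,
                 fwd: FwdLookup = system_fwd) -> Dict[str, object]:
    """Combine the link decision with the certificate-name check."""
    result = sso_link_target(ip, ptr, fwd)
    result["cert_ok"] = cert_matches_target(str(result["target"]), san_entries)
    return result


# Constructed sample data (RFC 5737 documentation addresses, not real devices).
SAMPLE_PTR = {"192.0.2.10": "aps-east.example.com.",   # good PTR
              "192.0.2.20": "aps-west.example.com."}   # PTR points elsewhere
SAMPLE_FWD = {"aps-east.example.com": ["192.0.2.10"],
              "aps-west.example.com": ["192.0.2.99"]}
SAMPLE_SAN = ["DNS:aps-east.example.com", "DNS:*.example.com"]  # no IP entry


def demo() -> Dict[str, Dict[str, object]]:
    """Run the pre-check over the sample tables; 192.0.2.30 has no PTR at all."""
    return {ip: sso_precheck(ip, SAMPLE_SAN,
                             ptr=lambda a: SAMPLE_PTR.get(a),
                             fwd=lambda h: SAMPLE_FWD.get(h, []))
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")}


if __name__ == "__main__":
    for ip, r in demo().items():
        status = "ok" if r["cert_ok"] else "certificate error expected"
        print(f"{ip}: link to {r['target']} ({r['reason']}) -> {status}")
```

Run it against your own APS addresses by calling sso_precheck with the default resolver arguments and the SAN entries read from the APS certificate; an address that comes back with by_hostname false is one where the PTR record needs fixing before single sign-on will open the APS without a certificate error.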
About the APS Console User Interfaces
You can view data and configure settings using the user interface (UI) and the command line interface (CLI).
About the UI
On APS Console, you use the UI to configure system settings and view and analyze network traffic on managed APS devices.
The APS Console UI uses the HTTPS protocol for secure sessions. The certificate is based on Arbor’s Certificate Authority (CA); however, you can use your own certificate. See “Using a Custom SSL Certificate for User Authentication” on page 47.
See “Logging in to and out of the APS Console UI” on page 19 and “Navigating the APS Console UI” on page 22.
About the CLI
The command line interface (CLI) allows you to enter commands and navigate through the directories on APS Console.
Typically, the CLI is used for installing and upgrading the software and completing the initial configuration. However, some advanced functions can be configured only by using the CLI.
See “Using the Command Line Interface (CLI)” in the APS Console User Guide.
Section 2: Getting Started with APS Console
This section describes how to log in to and navigate the APS Console user interface (UI). You use the UI to configure system settings, manage network security rules, and view and analyze network traffic.
In this section
This section contains the following topics:
Before You Begin to Use APS Console  18
Logging in to and out of the APS Console UI  19
Editing Your User Account  20
Navigating the APS Console UI  22
Using Navigation Controls  24
About the Arbor Smart Bar  26
Saving and Emailing Pages from the UI  27
Viewing Graphs in the UI  28
Before You Begin to Use APS Console
Before you can access the APS Console UI, you must perform the tasks described in this topic.
Initial requirements
You must complete all of the initial configuration procedures listed in the Quick Start Cards for your appliances. Verify that you have done the following:
- connected and configured your APS Console
- connected and configured your APS devices
Supported web browsers
See the Release Notes for a list of supported browsers.
Logging in as a new user
If you are a new user, verify that your administrator has created an account for you with a user name and initial password.
Important
Change this password for security purposes after you log in for the first time.
For information about changing your password, see “Editing Your User Account” on page 20.
Logging in to and out of the APS Console UI
You use the UI to configure system settings, manage network security rules, and view and analyze the network traffic.
Logging in as a new user
If you are a new user, verify that your administrator has created an account for you with a user name and initial password.
Important
Change this password for security purposes after you log in for the first time.
For information about changing your password, see “Editing Your User Account” on the next page.
Accepting the certificate
The APS Console UI uses the HTTPS protocol for secure sessions. The certificate is based on Arbor Networks’ Certificate Authority (CA); however, you can use your own certificate.
The first time you access APS Console, you must accept the SSL certificate to complete the secure connection. For more information, see your web browser’s instructions for accepting certificates.
Logging in to the APS Console UI
Important
You must use a secure connection to access APS Console.
To log in to the APS Console UI:
1. Open your web browser.
2. Enter https://console_IP_address
   console_IP_address = the IP address of your APS Console
3. If applicable, select the appropriate option for accepting the site’s certificate, and then click OK.
4. In the Welcome window, type your user name and password.
5. Click Log in.
Logging out of the APS Console UI
To log out of the APS Console UI:
- In the upper-right corner of any page in the UI, click Logout.
Troubleshooting
If you cannot access the UI, verify that you are logged in to your computer with a local administrator account. Then try to log in to APS Console again.
Editing Your User Account
You can edit the information in your APS Console user account. Typically, you edit your account to change your password.
If you are not an administrative user, you can only view and edit your own account. An administrative user can edit any account.
When you create or edit the accounts of other users, the entry screen is somewhat different. See “Configuring User Accounts” on page 39.
When to change your password
For security purposes, you should change your password in the following situations:
- after you log in to APS Console for the first time
- at intervals that your system administrator recommends
- whenever you think that someone else might have gained access to your password
Passwords must meet certain criteria. See “Criteria for secure and acceptable passwords” on page 36.
Editing your account
To edit your user account:
1. Select Administration > User Accounts.
2. If you are an administrator, click your user name link to display the Edit Existing Account window.
   If you are a non-administrative user, your own account appears on the Edit Existing Account page.
3. Edit your account settings. See “User account settings” below.
4. When you finish editing, click Save.
5. If the Audit Trail window appears, type a message for the audit trail or accept your default message, if any.
User account settings
Settings for editing user accounts
Username box: Displays the user name that was originally assigned. You cannot edit the user name.
Real Name box: Type your full name.
Email box: Type your email address as a fully qualified domain name. For example, user@example.com.
   If the administrator who created your user account entered your email address, APS Console created a notification for that email address. If you change or delete your email address, be sure to edit or delete any related notifications on the Configure Notifications page (Administration > Notifications). See “Configuring Notifications” on page 68.
Password box and Confirm box: Type a password, and then re-type it to confirm it.
Navigating the APS Console UI
You can navigate through the APS Console UI menus and pages using the following controls:
- UI menu bar
- Arbor Smart Bar — See “About the Arbor Smart Bar” on page 26.
About the UI menu bar
The UI menu bar indicates which menu is active and allows you to navigate to the UI menus and pages. The menus that are available depend on the user group to which you are assigned.
[Figure: Navigation menu bar in APS Console]
The menu bar is divided into the following menus:
Navigation menus
Dashboard: View an overview of the security status of your network.
Summary: View a summary of the status for APS Console.
Explore: Use the options on the menus as follows:
   - View the ATLAS threat categories that block inbound traffic and outbound traffic on all of the APS devices that APS Console manages.
   - View information about the traffic that is blocked by the managed APS devices.
   - View APS Console system alerts.
Protect: Assign APS devices to protection groups and add hosts to the inbound and outbound blacklists and whitelists.
Reports: Configure and manage centralized reports.
Administration: View and change the APS Console system settings.
About submenus
You can hover your mouse pointer over a menu item to view submenus for that item.
Using Help
When you click the Help button on any UI page, a window appears that contains information about the page that you are viewing.
In the Help window, you can do any of the following tasks:
- Read about the functions that are available on the current APS Console page.
- Scroll through the table of contents for the User Guide and Advanced Configuration Guide.
- Search for topics in the User Guide and Advanced Configuration Guide.
Finding licensing and copyright information
The APS Console About window displays information about the installed software and hardware, including the version number, build numbers, and the Arbor Software License Agreement.
To view licensing and copyright information:
1. In the lower-right corner of any page in the UI, click the copyright notice link.
2. In the About window, you can view the following license information:
   - Information about the installed software and hardware
   - Arbor License — Use the scrollbar to view the entire license.
   - Associated licenses — Click the copyright notice and the associated licensing link.
   - GPL-based software licenses — Click the support@arbornetworks.com link to email a request for copies of additional licenses that are based on the General Public License (GPL).
About the error page
The system displays an error page when unexpected errors or internal errors occur. This page includes a link that you can click to send a report to the Arbor Technical Assistance Center. If you click this link and you do not have an SMTP server configured, then the system displays an error message advising you to configure the SMTP server. Click the link that appears in the error message to navigate to the Configure General Settings page, where you can configure the server.
Using Navigation Controls
The APS Console navigation controls help you access traffic and policy data.
Navigating paged tables
Data is often displayed in tables that continue on multiple pages. In these cases, APS Console displays the page number of the current page, in relation to the number of pages that exist (for example, 1/3). It displays the current page number as a text box. You can type a different page number in the text box to navigate directly to that page.
Paging icons
The system also displays the following paging icons that allow you to move forward and backward through the pages:
Paging icons
>: Navigates to the next page.
>>: Navigates to the last page.
<: Navigates to the previous page.
<<: Navigates to the first page.
Refreshing pages
You can click the Refresh icon on the Arbor Smart Bar to manually update the page with the most current data.
To configure APS Console to automatically refresh pages throughout the UI:
1. Click Summary in the navigation menu.
2. Click Turn On Auto-Refresh on the Arbor Smart Bar.
For more information, see “About the Arbor Smart Bar” on page 26.
Selecting all
Some tables include check boxes that you can use to select specific rows. These tables also include a Select All check box next to the column header. When you select this check box and then click an action button, the system selects all of the rows on the current page of the table and acts upon them simultaneously.
Sorting information in tables
In some of the tables in the UI, you can sort by certain columns. If a column can be sorted, its column heading appears as a link. An up arrow or down arrow next to the column header indicates how the column is sorted.
The columns that contain alphabetical data are initially sorted in alphabetical order. Click an alphabetical column header to re-sort the table by that column in reverse order (Z-A).
The alphabetical sort is case-sensitive. For example, in an alphabetical sort, Atlas would appear before arbor.
The columns that contain numerical data are initially sorted in ascending order. Click a numerical column header to re-sort the table by that column in descending order.
Navigation icons
The following table shows the navigation icons and how you use them:
Navigation icons (icon images omitted)
- Expand table rows or choose reporting components.
- Collapse table rows or remove reporting components.
- Toggle timeframe entry format.
- Toggle search entry format.
- Refresh items.
- Perform an ascending sort. When this icon appears, the column is sorted in descending order. Click the icon to sort in ascending order.
- Perform a descending sort. When this icon appears, the column is sorted in ascending order. Click the icon to sort in descending order.
- Display a context menu (either of two icons), which provides options that are relevant to the context (or page) in which the menu appears. These options link to other pages in the UI.
About the Arbor Smart Bar
The Arbor Smart Bar is located in the upper-right corner of each page. It contains icons that allow you to perform common functions. For example, you can email the page as a PDF file.
If a function is not applicable to a page, its icon does not appear.
If the icons are available when a detail window is open, then their actions apply to the detail window only. For example, if a detail window is open and you save as a PDF file, the resulting file contains only the information in the detail window.
Functions
You can perform the following functions on the Arbor Smart Bar:
Functions on the Arbor Smart Bar
Create a PDF: Click to create a PDF of a page and save it to your local machine.
Email This Page: Click to email a page and an optional message to recipients.
Print This Page: Click to open your browser’s print window and print a page.
Refresh This Page: Click to refresh the data on a page.
Saving and Emailing Pages from the UI
The Arbor Smart Bar is located in the upper-right corner of each page in the UI. It contains
icons that allow you to save pages as PDF files and to email pages.
If the icons are available when a detail window is open, then their actions apply to the
contents of the detail window only. For example, if a detail window is open and you save
as a PDF file, only the contents of the detail window are included in the PDF file.
Note
Before you can send email from APS Console, you must configure an SMTP Server and a
Default URL Hostname . See “Configuring General Settings” on page 32.
Saving a page as a PDF file
To save a UI page as a PDF file:
1. Navigate to the page that you want to save.
2. In the Arbor Smart Bar, click (Create a PDF).
3. Open or save the file according to your browser options.
Emailing a page as a PDF file
When you send an email message that contains a PDF of a UI page, the subject line
contains “APS Console:” followed by the name of the page. The “from” address uses the
Default URL Hostname. For example, if the hostname is 123.example.com, then the
“from” address is root@123.example.com.
To email a UI page as a PDF file:
1. Navigate to the page that you want to email.
2. In the Arbor Smart Bar, click (Email this page).
3. In the Email Page window, type the following information:
Email to box: Type the recipient’s email address.
Comment box: Type a message to include in the body of the email.
4. Click Send Email.
Viewing Graphs in the UI
APS Console uses graphs to represent your organization’s traffic in real time.
By default, the graphs display traffic statistics for each minute of the last hour. This level of
visibility allows you to inspect the traffic on a much deeper scale. On some pages, you can
change the timeframe and unit of measure in which the graphs are displayed.
About stacked graphs
Stacked graphs allow you to see specific types of graph data more clearly. Each data type
in a stacked graph has its own color-coded segment. The height of the stack segment
represents that segment’s data as a percentage of the total data.
Examples of the pages that contain stacked graphs are the Dashboard page and the View
Protection Group page.
About minigraphs
Changing the display timeframe
On certain pages in the UI, you can change the timeframe for which the traffic data is
displayed. The timeframe can represent a specific time increment or a time range.
Examples of the pages that contain the timeframe display are the View Protection Group
page and the Dashboard page.
To change the display timeframe to a specific increment:
- In the time selector on the page, select one of the following options:
  - Past 5m — the last five minutes
  - Past Hour — the last hour
  - Past Day — the last 24 hours
  - Past Week — the last week
To change the display timeframe to a time range:
1. In the time selector on the page, select From.
2. In the Start box, select the starting date and time from the calendar or click Now to
select the current date and time.
3. In the End box, select the ending date and time from the calendar or click Now to
select the current date and time.
4. Click Done.
The display change might take a few seconds.
Changing the display unit of measure
On certain pages in the UI, you can display the traffic data in terms of bytes or packets.
To change the display unit of measure:
- To the far right of the time selector on the page, click Bytes or Packets.
Note
The bits per second (bps) values that APS displays for traffic statistics are based on the
layer 3 packet size.
Part II: APS Console Configuration
Section 3: Configuring APS Console
This section describes how to set up the basic components of APS Console.
In this section
This section contains the following topics:
Configuring General Settings (page 32)
About SNMP Polling (page 34)
About User Accounts (page 36)
About User Groups (page 38)
Configuring User Accounts (page 39)
Configuring the Audit Trail Settings (page 41)
Configuring System Alerts (page 42)
Configuring Remote Backup Settings (page 44)
Using a Custom SSL Certificate for User Authentication (page 47)
Adding a Custom Logo to the UI (page 49)
Configuring General Settings
The general settings define the servers that APS Console interacts with as well as other
system preferences, such as the system date format.
Configuring General Settings
To configure the general settings:
1. Select Administration > General.
2. On the Configure General Settings page, configure the settings. See “General Settings”
below.
3. Click Save.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
General Settings
Details about General Settings

DNS box: Type the IP addresses of your DNS servers, to map IP addresses to hostnames in APS Console. Type multiple servers as a comma-separated list of IP addresses.
APS Console tries to connect to the first IP address in the list as the primary name server. If that address fails, then APS Console tries the subsequent addresses in the list as backup name servers.

SMTP Server box: Type the IP address or domain name for the SMTP server that APS Console uses to send email notifications. You can specify one SMTP server.

SNMP Agent Community box: Type the community string (password) to authenticate the external sources that poll APS Console through SNMP.
The maximum length of this string is 32 characters. You can use any characters except the following:
- quotation mark (")
- apostrophe (')
- backslash (\)
- pipe (|)
- tab
See “About SNMP Polling” on page 34.

Default URL Hostname box: Type a hostname or a fully qualified domain name that appears as a link in the notifications and emails that originate from APS Console. For example, console.example.com. APS Console also uses this URL as the “from” address when you send an email message that contains a PDF of a UI page.

Date Format list: Select the format in which to display dates throughout the system:
- mm/dd/yy (month/day/year)
- dd/mm/yy (day/month/year)
- yy/mm/dd (year/month/day)
About SNMP Polling
APS Console supports polling by third-party SNMP monitoring systems, which allows you
to fit your APS Console workflow into existing network monitoring tools. These monitoring
tools can poll APS Console for management information such as the system status and
configurations.
The SNMP agent runs only when the APS Console services run. When you stop the
services, SNMP is not available.
Configuring APS Console for SNMP polling
APS Console supports SNMPv1 and SNMPv2c for remote SNMP polling. To enable SNMP
polling, configure the following settings:
Process for configuring SNMP

Step 1: Set a community string to authenticate the external sources that poll APS Console.
In the UI, on the Configure General Settings page, type a string in the SNMP Agent Community box. See “About the SNMP Agent Community string” on the facing page.

Step 2: Create an IP access rule to allow SNMP access to APS Console.
To create an IP access rule:
1. Log in to the CLI with your administrator user name and password.
2. To create an IP access rule to allow SNMP access, enter / ip access add snmp {mgt0 | mgt1 | all} CIDR
   {mgt0 | mgt1 | all} = the name of the management interface on which to apply a service exclusively, or to apply the rule to all of the interfaces
   CIDR = the address range from which you want to allow communications to a service
3. Type ip access commit, and then press ENTER.
4. To save the configuration, enter config write
About the SNMP traps that APS Console sends
APS Console can send notifications to a network management system as SNMP traps. See
“About Notifications” on page 66.
SNMP MIB files can help you decode the SNMP traps that APS Console sends for
notifications. The MIB files can also help you understand the OIDs (object identifiers) that
can be queried on APS Console. You can download and view the MIB files from the Files
page (Administration > Files). See “Managing the Files on APS Console and Managed
APS Devices” on page 326.
About the SNMP Agent Community string
External sources can poll APS Console through SNMP for the following system status and
configuration information:
- Disk Space Free/Used
- APS Console configuration
If you want to limit the external sources that can use SNMP to poll APS Console, configure
a unique SNMP Agent Community string. This string is used to authenticate external
sources. See “Configuring General Settings” on page 32.
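The community string rules from the General Settings table and the IP access rule from the SNMP configuration process, checked before you apply them on the appliance. This is an added example rather than Arbor code; the function names, the sample values, and the two extra hardening checks (rejecting well-known default community strings and an all-hosts CIDR) are this example's own choices, not rules from the guide.

```python
"""Pre-flight checks for the SNMP polling settings described above.

Added example, not part of the Arbor documentation: it validates a proposed
SNMP Agent Community string against the Configure General Settings rules
(at most 32 characters; no quotation mark, apostrophe, backslash, pipe or
tab) and checks the interface/CIDR arguments of the 'ip access add snmp'
CLI command before you type them in. Function names are assumptions.
"""
import ipaddress
from typing import List

MAX_COMMUNITY_LEN = 32
FORBIDDEN_COMMUNITY_CHARS = {'"', "'", "\\", "|", "\t"}
INTERFACES = ("mgt0", "mgt1", "all")
# Default strings that third-party pollers try first. Flagging them is this
# example's own recommendation; the guide only requires a "unique" string.
WEAK_COMMUNITIES = {"public", "private", "community"}


def check_community_string(community: str) -> List[str]:
    """Return the rules the string breaks; an empty list means it is acceptable."""
    problems = []
    if not community:
        problems.append("community string is empty")
    if len(community) > MAX_COMMUNITY_LEN:
        problems.append(f"longer than {MAX_COMMUNITY_LEN} characters")
    bad = sorted(ch for ch in set(community) if ch in FORBIDDEN_COMMUNITY_CHARS)
    if bad:
        problems.append("contains forbidden character(s): "
                        + " ".join(repr(c) for c in bad))
    if community.lower() in WEAK_COMMUNITIES:
        problems.append("is a well-known default and does not limit who can poll")
    return problems


def build_snmp_access_rule(interface: str, cidr: str) -> str:
    """Return the access-rule command (in the guide's '/ ip access add' form)
    for a validated management interface and source range."""
    if interface not in INTERFACES:
        raise ValueError(f"interface must be one of {INTERFACES}, got {interface!r}")
    # strict=True rejects ranges with host bits set, e.g. 10.0.0.5/24,
    # which the CLI would otherwise have to guess at.
    network = ipaddress.ip_network(cidr, strict=True)
    if network.prefixlen == 0:
        raise ValueError("a /0 range would allow SNMP polling from any source")
    return f"/ ip access add snmp {interface} {network.with_prefixlen}"


if __name__ == "__main__":
    # Constructed sample values for a monitoring host on the management LAN.
    print(check_community_string("ops-monitor-2019"))          # []
    print(check_community_string("public"))                    # flagged
    print(build_snmp_access_rule("mgt0", "10.0.0.0/24"))
```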
About User Accounts
Each person who uses APS Console requires a unique user account that contains their
login information and determines the levels of system access that they are allowed.
About configuring user accounts
You configure the user account settings on the Configure User Accounts page
(Administration > User Accounts). See “Configuring User Accounts” on page 39.
For information about editing your own user account, see “Editing Your User Account” on
page 20.
About access to user accounts
Administrators can view all of the user accounts, edit and delete accounts, and create new
accounts. Non-administrators can view and edit their own user accounts only. For
example, they can reset their passwords or update their email addresses.
For information about the different levels of system access, see “Editing Your User
Account” on page 20.
Criteria for secure and acceptable passwords
A user’s account contains a password, which allows the user to access APS Console.
Passwords must meet the following criteria:
- must be between 7 and 72 characters long
  Administrators can configure a different minimum length and maximum length for passwords.
- can include special characters, spaces, and quotation marks
- cannot be all digits
- cannot be all lowercase letters or all uppercase letters
- cannot be only letters followed by only digits (for example, abcd123)
- cannot be only digits followed by only letters (for example, 123abcd)
- cannot consist of alternating letter-digit combinations (for example, 1a3A4c1 or a2B4c1d)
See “Configuring the Password Length Requirements” in the APS Console Advanced
Configuration Guide.
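The criteria above, implemented as a check you can run over candidate passwords before creating accounts (for example, to pre-validate an onboarding list). This is an added example, not Arbor code: the function name and messages are this example's own, the length bounds default to the documented 7 to 72 characters and can be overridden to mirror a configured minimum and maximum, and "alternating" is read as the strict single-letter/single-digit alternation shown in the guide's examples.

```python
"""Checks a candidate password against the criteria listed above.

Added example, not part of the Arbor documentation or product. Length bounds
default to the documented 7 to 72 characters; pass other values to mirror a
minimum/maximum an administrator has configured. Names are assumptions.
"""
import re
from typing import List

DEFAULT_MIN_LEN = 7
DEFAULT_MAX_LEN = 72

LETTERS_THEN_DIGITS = re.compile(r"^[A-Za-z]+[0-9]+$")   # e.g. abcd123
DIGITS_THEN_LETTERS = re.compile(r"^[0-9]+[A-Za-z]+$")   # e.g. 123abcd
# Strict alternation of single letters and single digits, starting with
# either, e.g. 1a3A4c1 or a2B4c1d (the guide's own examples).
ALTERNATING = re.compile(
    r"^(?:[A-Za-z][0-9])*[A-Za-z]?$|^(?:[0-9][A-Za-z])*[0-9]?$"
)


def password_problems(password: str,
                      min_len: int = DEFAULT_MIN_LEN,
                      max_len: int = DEFAULT_MAX_LEN) -> List[str]:
    """Return the criteria the password fails; an empty list means it is acceptable."""
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"must be between {min_len} and {max_len} characters long")
    if password.isdigit():
        problems.append("cannot be all digits")
    # Only pure-letter strings count here: spaces, digits and punctuation are
    # allowed, so "all lowercase" means every character is a lowercase letter.
    if password.isalpha() and (password.islower() or password.isupper()):
        problems.append("cannot be all lowercase letters or all uppercase letters")
    if LETTERS_THEN_DIGITS.match(password):
        problems.append("cannot be only letters followed by only digits")
    if DIGITS_THEN_LETTERS.match(password):
        problems.append("cannot be only digits followed by only letters")
    if ALTERNATING.match(password):
        problems.append("cannot consist of alternating letter-digit combinations")
    return problems


if __name__ == "__main__":
    # Constructed samples: the guide's own rejected patterns plus one that passes.
    for candidate in ("abcd123", "123abcd", "1a3A4c1", "a2B4c1d", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate) or "acceptable")
```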
Information on the Configure User Accounts page
For administrative users, the Configure User Accounts page displays the following
information for each user:
User account details
Username: Displays the user name as a link to the Edit Existing Account window.
Real Name: Displays the user’s real name.
Group: Displays the user group to which the user belongs.
Email: Displays the user’s email address.
Location: Displays the IP address from which the user last connected to APS Console.
Time: Displays the last time the user logged in to APS Console.
Failures: Indicates the number of times that the user tried to log in but was unsuccessful. This number is cleared when the user successfully logs in to the system.
Selection check box: Allows you to select the user account for deletion.
About User Groups
User groups allow you to organize APS Console users by the different levels of system
access that they are allowed. When you create a user account, you assign it to a group. The
owner of that account inherits the access levels that are assigned to that group. APS
Console contains several predefined user groups and allows you to create additional
custom user groups.
You can assign users to user groups on the User Accounts page in the user interface (UI),
or in the command line interface (CLI). See “Adding Users to User Groups” in the APS
Console Advanced Configuration Guide.
About the predefined user groups
APS Console contains the following predefined user groups:
Predefined user groups
system_admin: The users in this group have full read and write access to all pages of the UI and can run all of the CLI commands.
system_user: The users in this group have read-only access to most of the UI pages and can edit and update their own user account settings. They can log in to the CLI and run limited CLI commands. For example, they can view the current system configuration.
system_none: The users in this group have no access to APS Console.
When your organization uses RADIUS or TACACS+ authentication, it is possible for all users who have an account on the authentication server to access APS Console. Use this group as the default to lock out the unwanted users, and then assign other groups to the users who need to access APS Console.
See “Changing the Default User Group for RADIUS and TACACS+” in the APS Console Advanced Configuration Guide.
About custom user groups
For additional flexibility in assigning user permissions, administrators can define custom
user groups in the CLI. These custom user groups appear as options on the User Accounts
page in the UI. See “Adding and Deleting User Groups” in the APS Console Advanced
Configuration Guide.
Configuring User Accounts
The user account settings identify the people who use APS Console. These settings define
the users’ login information and determine the levels of system access that the users are
allowed.
You add, edit, and delete the user accounts on the Configure User Accounts
(Administration > User Accounts) page.
See “About User Accounts” on page 36.
Adding and editing user accounts
Important
After you add new users, advise them to change their passwords to maintain security.
See “Criteria for secure and acceptable passwords” on page 36.
To add or edit user accounts:
1. Select Administration > User Accounts.
2. On the Configure User Accounts page, complete one of the following steps:
   - To add a new user, click Add Account.
   - To edit an existing user account, click the user’s name link.
   If you are a non-administrative user, your own account page appears by default.
3. In the Add New Account window or Edit Existing Account window, configure the
settings.
See “User account settings” below.
4. Click Save.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
User account settings
Settings for configuring user accounts

Username box: Type a unique name for this user.
The user name must meet the following criteria:
- must contain 1 to 32 characters
- can contain any combination of letters (A-Z, a-z), numbers, or both
- cannot begin with a hyphen or underscore but can include them
- cannot include a period (.)
You cannot edit the user name after the user account is created. If you make a mistake in the user name, delete the account and re-create it.

Real Name box: Type the user’s full name.

Group list: Select the user group to assign to this user. The user group determines the user’s level of system access.
This list does not appear for non-administrative users. You cannot change the group for the default “admin” user.
See “About User Groups” on page 38.

Email box: Type the user’s email address as a fully qualified domain name. For example, user@example.com.
When you enter an email address for a user account, APS Console creates a notification for that email address. If you change or delete a user’s email address, be sure to edit or delete any related notification on the Configure Notifications page (Administration > Notifications). See “Configuring Notifications” on page 68.

Password box, Confirm box: Type a password, and then re-type it to confirm it.
Deleting user accounts
You cannot delete your own user account. Your security level determines whether you can
delete the accounts of other users.
To delete a user account:
1. Select Administration > User Accounts.
2. On the Configure User Accounts page, complete one of the following steps:
   - To delete individual user accounts, select the check boxes that correspond to the user accounts that you want to delete.
   - To delete all of the user accounts on the current page, select the Select All check box in the table heading row.
3. Click Delete.
4. In the confirmation message that appears, click OK.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Configuring the Audit Trail Settings
When you make a change in the APS Console UI, the Audit Trail window appears and
prompts you to describe the change. By default, the Audit Trail window appears for all
changes and does not include a default change message. On the Audit Trail page, you can
specify a default change message and enable or disable the Audit Trail window for certain
changes or all changes.
The Audit Trail page also allows you to view the audit trail log. See “Viewing the Audit Trail
Log” on page 319.
For general information about the audit trail, see “About the Audit Trail” on page 316.
Changing the Audit Trail default settings
To change the default settings for the audit trail:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, select the Audit Settings tab.
3. (Optional) In the Change Message box, type a default change message that appears
in the Audit Trail window whenever a user makes a change.
When the Audit Trail window appears to users, they can accept this default message,
add to it, or override it by typing new text.
4. In the list of settings, choose one of the following options:
   - Enable or disable the Audit Trail window for all changes: For the Globally enable or disable the audit trail dialogs setting, select Enable or Disable.
   - Enable or disable the Audit Trail window for individual changes: For each setting, select Show or Don’t Show.
5. Click Save.
6. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Disabling the Audit Trail window
If you disable the Audit Trail window for a specific change, then the window does not
appear when users make that type of change. The system still logs the changes but it does
not include any change messages.
Additional audit trail configuration
In the command line interface (CLI), you can configure a syslog destination, to which you
can export audit trail entries.
See “Configuring the Syslog Destination for the Audit Trail” in the APS Console Advanced
Configuration Guide.
Configuring System Alerts
APS Console monitors certain system events and creates alerts when those events occur.
APS Console events are predefined and you cannot add or delete them. However, you can
enable or disable them, change their severity levels, and configure their notification
settings. You edit the alert settings for system events on the Configure System Alerts page
(Administration > System Alerts).
Note
The alert settings that you configure apply to future alerts only. They do not apply to
alerts that APS Console has already generated.
Types of system events
APS Console monitors the following system events:
Types of system events
APS Blacklist/Whitelist Table Full: A managed APS reaches the capacity of its blacklist or whitelist. See “About the Capacity of the Blacklists and Whitelists” on page 172.
APS Up/Down: An APS device changes state.
Misc. System: APS Console detects health-related system behaviors. These events may represent normal behaviors or abnormal behaviors; for example, an APS device synchronization or an SMTP failure on APS Console.
Before you configure alerting for system events
If you want to send notifications when these system events occur, then you first must
configure at least one notification. A notification defines the users and the systems to
notify when these system alerts occur.
For example, if you want to send notifications as syslog messages to an external system,
then configure a syslog notification. When you configure the alert settings, you select the
syslog notification as its destination.
See “Configuring Notifications” on page 68.
Configuring system alerts
To configure system alerts:
1. Select Administration > System Alerts from the menu.
2. On the Configure System Alerts page, select the event to configure in one of the
following ways:
   - Click the Edit button for the alert.
   - Click the name of the alert.
3. In the Configure window, configure the following settings:
Notification Enabled options: Select Yes to enable notifications for this alert. Select No to disable the notifications.
By default, notifications are disabled for all of the system alerts.
Note
The notifications for APS Up/Down events may be delayed by up to five minutes. This delay occurs because APS Console waits to make sure that an APS device is down and not experiencing a temporary connection issue.
If you do not enable notifications, you do not have to configure the remaining settings.

Severity level: Select the severity level to assign to this system alert, where 1 is the least severe and 10 is the most severe.
See “About alert severity levels” on page 302.

Notification Destinations list: This section displays all of the notification destinations that are defined in APS Console. To indicate which destinations should be notified when this alert occurs, select the check boxes for one or more of the destinations.
If there are no notification destinations, you need to define at least one notification. See “Configuring Notifications” on page 68.
4. Click Save.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Configuring Remote Backup Settings
You can manage remote backups for APS Console configuration settings and data on the
Backup Settings page.
Note
You also can run local backups. See “Running a Local Backup Manually” on page 332.
Types of backups
APS Console supports the following types of backups:
- remote backups that you run on a recurring backup schedule or that you run manually
- local backups that run automatically every night at midnight or that you run manually
For more information about these types of backups, see “About APS Console Backups”
on page 330 .
About restoring backup data
To restore APS Console from a backup, you must use the command line interface (CLI).
See “Restoring APS Console from a Backup” in the APS Console Advanced Configuration
Guide.
Specifying a remote backup schedule
To specify a remote backup schedule:
1. Select Administration > Backup.
2. On the left side of the Backup Settings page, select APS Console Configuration and
Data. The amount of disk space that the data requires appears in parentheses.
3. Configure the remote backup settings. See “Remote backup settings” on the facing
page.
4. Click one of the following buttons:
   - Test Connection — To test the connection settings for the copy method without saving the settings. See “Testing the connection to the backup server” on page 46.
   - Save and Run — To test the connection, save the settings, and then begin the backup.
   - Save — To save the connection settings without testing them or beginning the backup.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Running a remote backup manually
To run a remote backup manually:
1. Select Administration > Backup.
2. On the left side of the Backup Settings page, select APS Console Configuration and
Data. The amount of disk space that the data requires appears in parentheses.
3. Configure the appropriate remote backup settings. See “Remote backup settings” on
the facing page.
4. Click Save and Run.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Remote backup settings
You configure the settings for a remote backup as follows:
Settings for scheduling a recurring remote backup

Schedule remote backups to occur section: Select the backup frequency (Daily or Weekly), and then select the time of day at which the backup should begin.

Copy via options: Select the way in which the backup is copied: SCP (Secure Copy Protocol using SSH) or SMB (Server Message Block).

Host box: Type the hostname or IP address of the server on which to store the backups.

Port box: Type the port on the backup server to which APS Console connects. For SCP backups, the default port is 22. For SMB backups, the default port is 139.

Share box: For an SMB backup, type the file share for the file system share.

Directory box: Type the path to the target directory on the backup server. The following guidelines apply:
- Use an absolute path for SCP. The path must start with a forward slash (/) and may contain underscores (_) and alphabetic and numeric characters.
- Use a relative path for SMB.
- Use a forward slash (/) as a directory separator.

Username box: Type the user name with which to authenticate on the backup server.

Authentication list: For an SCP backup, select the authentication method: Password or DSA Key.

Password box, Confirm box: If you select Password authentication, type the password and then re-type the password to confirm it.

Generate Key button, Download Public Key button: If you select DSA Key authentication and a key has not been generated, click Generate Key to generate a DSA key. If a DSA key has been generated, click Download Public Key to download a copy of the key.
Testing the connection to the backup server
When you test the connection to the backup server, APS Console tries to copy a file to the
location that you configured on the backup server. Then APS Console tries to remove the
file from the backup server. When the test is finished, a message reports the results.
To test the connection to the backup server:
1. Select Administration > Backup.
2. On the Backup Settings page, click Test Connection.
Using a Custom SSL Certificate for User Authentication
APS Console uses a default SSL certificate when users log in to the UI. However, on the
Manage Files page (Administration > Files), you can upload a custom certificate, which
can prevent browser error messages and help you comply with company security policies.
You also can upload the CA certificate that is used to sign the custom SSL certificate.
See “About the Files Page” on page 324.
About certificate authority (CA) files
When you upload a custom SSL certificate, you must also upload a certificate authority
(CA) file. CA files legitimize your SSL certificates. A CA file can sign multiple certificates and is
necessary to validate a certificate.
Custom SSL certificate requirements
If you want to use a custom SSL certificate to connect to the UI, the certificate files must
meet the following requirements:
- The SSL file and CA file must be PEM-encoded (Privacy Enhanced Mail).
- The SSL file must contain the certificate and the key that was used to create the certificate.
- The SSL file and CA file cannot be password protected.
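A pre-upload check for the three requirements above, added here as an example and not Arbor code. It uses only the standard library and inspects PEM framing (BEGIN/END labels and the legacy OpenSSL encryption header), not the DER contents; the sample PEM text is constructed for the example and is not a real certificate or key, and the function names are this example's own.

```python
"""Checks an SSL file and CA file against the custom SSL certificate requirements.

Added example, not part of the Arbor documentation: it looks for the PEM
blocks the upload needs (a CERTIFICATE plus a private key in the SSL file,
a CERTIFICATE in the CA file) and reports a key that is password protected.
The sample PEM bodies below are constructed and decode to plain text, not
to real certificates or keys.
"""
import re
from typing import Dict, List

# A PEM block is '-----BEGIN <label>-----', a base64 body, '-----END <label>-----'.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# Unencrypted private-key labels in both PKCS#8 and legacy OpenSSL formats.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_blocks(text: str) -> Dict[str, List[str]]:
    """Map each PEM label found in the text to the list of its block bodies."""
    found: Dict[str, List[str]] = {}
    for match in PEM_BLOCK.finditer(text):
        found.setdefault(match.group("label"), []).append(match.group("body"))
    return found


def bundle_problems(ssl_pem: str, ca_pem: str) -> List[str]:
    """Return the requirements the two files fail; an empty list means uploadable."""
    problems = []
    ssl_blocks = pem_blocks(ssl_pem)
    ca_blocks = pem_blocks(ca_pem)
    if not ssl_blocks:
        problems.append("SSL file is not PEM-encoded")
    if not ca_blocks:
        problems.append("CA file is not PEM-encoded")
    if "CERTIFICATE" not in ssl_blocks:
        problems.append("SSL file does not contain a CERTIFICATE block")
    if "CERTIFICATE" not in ca_blocks:
        problems.append("CA file does not contain a CERTIFICATE block")
    # PKCS#8 marks an encrypted key with its own label ...
    if "ENCRYPTED PRIVATE KEY" in ssl_blocks:
        problems.append("SSL file key is password protected")
    elif not KEY_LABELS & set(ssl_blocks):
        problems.append("SSL file does not contain a private key block")
    # ... while the legacy OpenSSL format keeps the label and adds a header line.
    for label, bodies in ssl_blocks.items():
        if label in KEY_LABELS and any("Proc-Type: 4,ENCRYPTED" in b for b in bodies):
            problems.append("SSL file key is password protected")
    return problems


# Constructed samples: the body is base64 of "CONSTRUCTED SAMPLE ONLY".
SAMPLE_BODY = "Q09OU1RSVUNURUQgU0FNUExFIE9OTFk=\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_BODY + "-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\n" + SAMPLE_BODY + "-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    + SAMPLE_BODY + "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(bundle_problems(SAMPLE_CERT + SAMPLE_KEY, SAMPLE_CERT))            # []
    print(bundle_problems(SAMPLE_CERT + SAMPLE_ENCRYPTED_KEY, SAMPLE_CERT))  # protected
```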
Uploading a custom SSL certificate
To upload a custom SSL certificate:
1. Select Administration > Files.
2. On the Manage Files page, under SSL Certificate, click Upload SSL Cert.
3. In the Upload Certificate window, follow these steps:
a. Click Browse to locate a custom SSL certificate file.
b. Click Browse to locate the custom CA certificate file.
c. Click Upload.
4. In the confirmation window, click OK.
Note
Most browsers display an error message, which results from the change in the SSL
certificate mid-session.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
6. Log out of APS Console, close your browser, and then restart your browser.
Using the APS Console default SSL certificate
This option is available only if someone previously uploaded a custom SSL certificate.
To revert to the APS Console default SSL certificate:
1. Select Administration > Files.
2. On the Manage Files page, under SSL Certificate, click Use Default.
3. In the confirmation window, click OK.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
5. Log out of APS Console, close your browser, and then restart your browser.
Adding a Custom Logo to the UI
You can customize the appearance of the APS Console UI by replacing the default APS
Console logo with your custom logo. To do so, you upload the logo file on the Files page.
When you upload a custom logo, it appears in the UI.
The custom logo image must be a GIF file that is smaller than 500 kB.
Note
For information about the other uses for the Files page, see “About the Files Page” on
page 324.
Uploading a custom logo
To upload a custom logo:
1. Select Administration > Files.
2. On the Manage Files page, in the Logo section, click Use Custom.
3. In the Upload Logo window, click Browse to locate and select the logo file.
4. Click Upload.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
6. If the custom logo does not appear on the page, then refresh your browser.
To change to a different custom logo, you first must revert to the default logo, and then
perform these steps again.
Reverting to the default logo
This option is available only if someone previously uploaded a custom logo.
To revert to the default logo:
1. Select Administration > Files.
2. On the Manage Files page, in the Logo section, click Use Default.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
4. If the default logo does not appear on the page, refresh your browser.
Section 4: Managing the ATLAS Intelligence Feed
This section describes how to use the ATLAS Intelligence Feed (AIF) to detect and stop
emerging botnet and application-layer attacks.
In this section
This section contains the following topics:
About the ATLAS Intelligence Feed (page 52)
About the ATLAS Threat Policies (page 54)
About the ATLAS Confidence Index (page 56)
About Web Crawler Support (page 59)
Configuring the ATLAS Intelligence Feed (page 60)
Viewing the Status of ATLAS Intelligence Feed Updates (page 62)
Viewing the AIF Traffic Statistics for a Protection Group (page 63)
About the ATLAS Intelligence Feed
APS Console and APS can leverage our global threat intelligence to protect your network
against the latest threats by using the ATLAS Intelligence Feed (AIF).
The AIF is a global service of the Arbor Security Engineering and Response Team (ASERT).
The ASERT security researchers discover and analyze emerging threats and develop
targeted defenses, based on the data from Arbor’s Active Threat Level Analysis System
(ATLAS). For more information about ASERT and ATLAS, visit
https://www.netscout.com/global-threat-intelligence.
The AIF profiles emerging threats to facilitate the detection and mitigation of DDoS attacks,
malware, and other security hazards to help ensure service availability and data integrity.
About the AIF updates
Arbor frequently updates the feed to account for rapidly changing attacker behavior and
to provide more effective and accurate threat detection. The updates occur without
requiring any software upgrades, system downtime, or restarts.
When automatic AIF updates are enabled, APS Console uses HTTPS to download the latest
AIF information at regular intervals.
By default, the AIF updates run automatically every 24 hours. You can change the
frequency of the updates and you can force an update at any time.
See “Configuring the ATLAS Intelligence Feed” on page 60.
About the AIF components
The AIF consists of the following components, each of which APS downloads separately:
Components of the ATLAS Intelligence Feed

Component | Feed name | Description
Threat policies | reputation_feed | Collections of the rules and actions that define threats. The threat policies are organized into threat categories by type, such as malware, command and control botnets, location-based threats, and targeted attacks. In APS, you can enable threat blocking and view traffic statistics by threat category. See “About the ATLAS Threat Policies” on page 54.
AIF botnet signatures | attack_rules | HTTP header signatures that identify known botnets by their traffic patterns.
IP location data | geoip_countries | A list of country codes, IP addresses, and regions, which are used to map specific IP addresses to a country or region. APS uses this information to identify the geographic locations of the traffic sources. APS also allows you to block the traffic that originates from a specific location. When you use APS Console to manage multiple APS devices, APS Console uses the location data in the same ways. See “Viewing the Top IP Locations for a Protection Group” on page 210.
The current AIF components are:
- AIF Botnet Signatures
- Command and Control threat category
- DDoS Reputation threat category
- Email Threats threat category
- IP location data
- Location-based Threats threat category
- Malware threat category
- Mobile threat category
- Targeted Attacks threat category
Important
These components are subject to change as ASERT updates the feed.
Where to configure the AIF settings
Use the Configure AIF Settings page (Administration > ATLAS Intelligence Feed) to
configure the AIF settings. For example, you can configure a proxy server, change the
update interval, or disable the automatic updates. See “Configuring the ATLAS Intelligence
Feed” on page 60.
You configure the other AIF-related settings in the ATLAS Intelligence Feed section on the
following pages:
- Configure Server Type page (Protect > Inbound Protection > Server Type Configuration), for inbound traffic
- Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter), for outbound traffic
See “ATLAS Intelligence Feed Settings” on page 120.
About the ATLAS Threat Policies
One of the components of the ATLAS Intelligence Feed (AIF) is the threat information,
which consists of the policies that identify threats by their traffic patterns. APS uses this
information to protect your network against the latest threats by blocking any traffic that
matches the policies.
You enable the APS threat protection when you configure the server types or the
outbound threat filter (OTF). See “ATLAS Intelligence Feed Settings” on page 120.
For general information about AIF, see “About the ATLAS Intelligence Feed” on page 52.
About the ATLAS threat policies
A threat policy is a collection of the rules and actions that the Arbor Security Engineering
and Response Team (ASERT) develops to define a given threat. A rule can consist of one or
more IP addresses, HTTP regular expressions, or DNS names.
ASERT organizes related threat policies into threat categories. Each threat category is
further subdivided into threat subcategories, which are limited collections of related threat
policies. For example, the Malware threat category might contain subcategories such as
RAT (remote access Trojan), Fake Antivirus, and other malware threats. Each of these
subcategories consists of the policies that define the specific threats.
The AIF is updated frequently as the ASERT researchers identify new threats. Although the
threat categories remain relatively static, they are subject to change.
In APS, you can enable threat blocking and view traffic statistics by threat category. When
you do so, you can also configure custom confidence values for specific threat categories.
The confidence value is a relative value on the ATLAS confidence index, which represents
ASERT’s confidence that the rules in a threat policy will identify malicious traffic. APS uses
the confidence value to determine whether to apply the corresponding rule to block
traffic.
About matching domain policies
The ATLAS threat categories contain threat policies that define domains that host threats.
When APS matches a domain threat policy, it does not block all of the traffic to the DNS
server and it does not block the host.
For outbound traffic, APS blocks the DNS request for a fully qualified domain name that is
known to be bad. For inbound traffic, APS blocks the response from the DNS server for a
fully qualified domain name that is known to be bad.
For example, an infected internal asset sends a request to a DNS host (192.0.2.1) to resolve
the IP address of a fully qualified domain name that is known to be bad. If the AIF threat
categories are enabled for inbound traffic only and the request matches a domain threat
policy, APS blocks the response from the DNS host.
APS only sees the request to the DNS server, not the resolution of the IP address for the
fully qualified domain name. Consequently, APS reports the DNS server as a blocked host
on the Blocked Hosts Log page. For the example above, 192.0.2.1 appears in the
Destination column on the Blocked Hosts Log page.
If the AIF threat categories are enabled for the outbound threat filter and the DNS request
matches a domain threat policy, APS blocks the request.
Note
For APS to block outbound DNS requests, you must enable the outbound threat filter
and the AIF threat categories for the outbound threat filter. See “Configuring the
Outbound Threat Filter” on page 115.
You can use a packet capture to determine the hostname that is being requested and
blocked. See “Investigate why a DNS server appears to be blocked” on page 263.
A DNS server can be blocked for some other reason, for example, if it is blacklisted or it
matches a DNS regular expression. In such cases, APS blocks all of the traffic to the DNS
server.
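The domain-policy behaviour described above is easy to misread in the Blocked Hosts Log, because the entry names the DNS server rather than the bad domain. The following model, an added example that is not APS code (the packet record, configuration field names and sample addresses are assumptions), reproduces the guide's rules: a matched bad FQDN blocks the DNS response inbound, blocks the DNS request outbound only when the outbound threat filter and its AIF categories are enabled, records the DNS server as the blocked host in both cases, and blocks all traffic to a blacklisted DNS server.

```python
"""How a matched domain threat policy shows up in the Blocked Hosts Log.

Added example, not APS code; record layout and names are assumptions. From
the guide: a domain policy lists bad fully qualified domain names (FQDNs).
Inbound AIF categories block the DNS server's response for a bad FQDN;
outbound blocking of the request needs the outbound threat filter (OTF) and
its AIF categories enabled. APS sees only the exchange with the DNS server,
so the DNS server's address is what the Blocked Hosts Log records. A DNS
server that is itself blacklisted has all of its traffic blocked.
"""
from dataclasses import dataclass, field


@dataclass
class DnsPacket:
    direction: str     # "outbound" = client -> DNS server, "inbound" = DNS server -> client
    src: str
    dst: str
    qname: str         # FQDN in the question / answer section
    is_response: bool


@dataclass
class ApsConfig:
    bad_fqdns: set
    blacklist: set = field(default_factory=set)
    aif_inbound: bool = True      # AIF threat categories enabled for inbound traffic
    otf_enabled: bool = False     # outbound threat filter enabled
    aif_outbound: bool = False    # AIF threat categories enabled for the OTF


def normalise(name):
    """Compare FQDNs case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def inspect(pkt, cfg):
    """Return the action and the host the Blocked Hosts Log would show."""
    bad = {normalise(n) for n in cfg.bad_fqdns}
    # Blacklisted DNS server: every packet to or from it is blocked.
    for host in (pkt.dst, pkt.src):
        if host in cfg.blacklist:
            return {"action": "block", "reason": "blacklisted host", "blocked_host": host}
    if normalise(pkt.qname) not in bad:
        return {"action": "pass", "reason": None, "blocked_host": None}
    if pkt.direction == "outbound" and not pkt.is_response:
        if cfg.otf_enabled and cfg.aif_outbound:
            return {"action": "block", "reason": "domain policy: DNS request",
                    "blocked_host": pkt.dst}
        return {"action": "pass", "reason": "outbound AIF categories not enabled",
                "blocked_host": None}
    if pkt.direction == "inbound" and pkt.is_response and cfg.aif_inbound:
        # The resolver's address is logged (Destination column): APS never
        # sees the resolved address of the bad name, only the DNS server.
        return {"action": "block", "reason": "domain policy: DNS response",
                "blocked_host": pkt.src}
    return {"action": "pass", "reason": None, "blocked_host": None}


if __name__ == "__main__":
    # Constructed sample: an internal host asks 192.0.2.1 to resolve a bad name.
    cfg = ApsConfig(bad_fqdns={"bad.example"})
    print(inspect(DnsPacket("outbound", "10.1.1.5", "192.0.2.1", "bad.example", False), cfg))
    print(inspect(DnsPacket("inbound", "192.0.2.1", "10.1.1.5", "bad.example", True), cfg))
```

When the log shows a resolver as a blocked destination, the `reason` field is what a packet capture would establish in practice: the queried hostname, not the server, is what matched.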
About the ATLAS Confidence Index
The ATLAS confidence index is a numeric scale from 1 to 100, which represents our
confidence that the rules in a threat policy will identify malicious traffic. ATLAS assigns a
relative numeric value, or confidence value, to every rule in a threat policy for each
protection level. As APS inspects traffic, it applies the rules whose confidence values match
or exceed the confidence value for the active protection level.
Configuring confidence values
In the ATLAS Intelligence Feed protection settings, the ATLAS confidence values become
the default confidence values for the threat categories. You can accept the default
confidence values or configure custom confidence values. You configure these settings
when you configure the server types or the outbound threat filter. See “ATLAS Intelligence
Feed Settings” on page 120.
For general information about AIF and the threat policies, see “About the ATLAS
Intelligence Feed” on page 52 and “About the ATLAS Threat Policies” on page 54.
How the ATLAS confidence index affects traffic
In general, a high confidence value indicates that there is more evidence to support the
classification of the traffic that matches the rule as malicious. A lower confidence value can
indicate that there is less supporting evidence for classifying the traffic as malicious.
Alternatively, a lower confidence value can represent the aging and associated reduction
of a formerly high confidence value.
APS applies the threat rules based on the ATLAS confidence values, the configured
confidence values for the associated threat categories, and the active protection level, as
follows:
- When the ATLAS confidence value is less than the threat category’s confidence value for the active protection level, APS passes the traffic.
- When the ATLAS confidence value is greater than or equal to the threat category’s confidence value for the active protection level, APS blocks the traffic.
At the higher protection levels, APS blocks more traffic; however, the lower confidence
values might cause some clean traffic to be blocked.
See “Example: How APS applies the threat rules” on the facing page.
How the ATLAS confidence values can change over time
The confidence values for rules are relative values that change over time, based on several
factors. An example of a factor that affects the adjustment of the confidence value is
whether ATLAS continues to observe the threat behavior that a rule defines. For example,
when ATLAS observes a threat from a particular IP address, it creates a rule for that threat
and IP address, and assigns a confidence value of 100. If ATLAS continues to observe
traffic that matches the rule, the rule confidence value remains at 100. When ATLAS no
longer observes traffic that matches the rule, the rule confidence value decreases. The rule
confidence value continues to decrease as time passes without further attack traffic from
that IP address.
Example
The following figure shows how the ATLAS confidence values for a rule can change over
time, given the following scenario:
- On Day 1, Day 2, and Day 3, ATLAS observes a malware threat from 192.0.2.1. ATLAS creates a rule under the Malware threat category and assigns a confidence value of 100 to the new rule.
- Because no malware is observed from 192.0.2.1 after Day 3, the confidence value decreases over time.
- On Day 29 and Day 30, ATLAS again detects a malware threat from 192.0.2.1, and resets the confidence value to 100.
The confidence value changes do not adhere to a fixed timeframe. The date span in this
simplified example is for illustration purposes and does not necessarily represent an
actual timeframe for confidence value changes.
(Figure) Example: How the ATLAS confidence values can change over time
Example: How APS applies the threat rules
The following example shows how APS applies the threat rules based on the changing
confidence values. For this example, assume these conditions:
- During a certain month, the AIF updates contain a rule for malware from 192.0.2.1, and the rule confidence value changes over time as shown in the figure above.
- You receive traffic from 192.0.2.1 on the dates in the following table.
- In the ATLAS Intelligence Feed settings in APS, the confidence values for the Malware threat category are configured as shown in the following table.
Given those conditions, the following table shows how APS would apply the threat rules to
the traffic:
Example: How APS applies the threat rules

Date | ATLAS confidence value for the rule | APS confidence value Low = 75 | APS confidence value Medium = 50 | APS confidence value High = 25
Day 2 | 100 | block | block | block
Day 8 | 80 | block | block | block
Day 15 | 60 | pass | block | block
Day 22 | 45 | pass | pass | block
Day 29 | 100 | block | block | block
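The comparison rule and the decay scenario from the two examples above can be put into a small model. The following is an added example, not Arbor code: `decide()` and `decision_table()` implement the guide's "block when the ATLAS confidence value is greater than or equal to the category's configured value" rule and reproduce the table for the Malware category values Low = 75, Medium = 50, High = 25; `simulate_confidence()` uses a fixed decay per day that the guide does not specify (an assumption, chosen only to illustrate the reset-and-decay shape of the figure); and `first_pass_day()` shows why the higher protection levels keep blocking an aging rule for longer.

```python
"""How APS applies an ATLAS threat rule from its confidence value.

Added example, not Arbor code. The guide's rule: at the active protection
level, APS blocks traffic matching a rule when the rule's ATLAS confidence
value is greater than or equal to the threat category's configured
confidence value for that level, and passes it otherwise. The decay model in
simulate_confidence() is an assumption for illustration; the guide states
only that the value decreases while the threat is not observed and is reset
to 100 when it is observed again, with no fixed timeframe.
"""

LEVELS = ("low", "medium", "high")

# Malware category confidence values from the guide's example
# (Low = 75, Medium = 50, High = 25).
MALWARE_THRESHOLDS = {"low": 75, "medium": 50, "high": 25}

# ATLAS confidence values for the example rule on the dates the guide lists.
OBSERVED_RULE_VALUES = {"Day 2": 100, "Day 8": 80, "Day 15": 60,
                        "Day 22": 45, "Day 29": 100}


def decide(atlas_confidence, thresholds, active_level):
    """Return 'block' or 'pass' for one rule at the given protection level."""
    if active_level not in thresholds:
        raise ValueError(f"unknown protection level: {active_level!r}")
    return "block" if atlas_confidence >= thresholds[active_level] else "pass"


def decision_table(rule_values, thresholds):
    """Action per date and per protection level (reproduces the guide's table)."""
    return {day: {level: decide(conf, thresholds, level) for level in LEVELS}
            for day, conf in rule_values.items()}


def simulate_confidence(observed_days, days, decay_per_day=5):
    """Illustrative confidence history for a rule over `days` days.

    Assumption: without a new observation the value drops by a fixed amount
    per day (floored at 0); an observation (re)sets it to 100. Before the
    first observation the rule does not exist, recorded as None.
    """
    history, confidence = [], None
    for day in range(1, days + 1):
        if day in observed_days:
            confidence = 100
        elif confidence is not None:
            confidence = max(0, confidence - decay_per_day)
        history.append((day, confidence))
    return history


def first_pass_day(history, thresholds, level):
    """First day on which the decaying rule no longer blocks at `level`.

    Shows why higher protection levels block for longer: their lower
    configured confidence values keep an aging rule active.
    """
    for day, confidence in history:
        if confidence is not None and decide(confidence, thresholds, level) == "pass":
            return day
    return None


if __name__ == "__main__":
    for day, actions in decision_table(OBSERVED_RULE_VALUES, MALWARE_THRESHOLDS).items():
        print(day, actions)
    # Scenario from the figure: observed on days 1-3 and again on days 29-30.
    hist = simulate_confidence({1, 2, 3, 29, 30}, 30)
    for level in LEVELS:
        print(level, "first pass day:", first_pass_day(hist, MALWARE_THRESHOLDS, level))
```

The practical reading of `first_pass_day()` is the caveat the guide gives: raising the protection level (lowering the configured confidence values) keeps stale rules in force longer, which blocks more traffic and raises the chance that clean traffic from a formerly abusive address is still blocked.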
About Web Crawler Support
When protecting your HTTP servers from DDoS attacks, APS might prevent search engine
web crawlers from accessing your site. You can configure APS to pass traffic from certain
search engines with limited inspection, so that legitimate web crawlers can crawl your web
site more freely. As a result, you can maximize search engine page ranking while
maintaining protection from threats that are designed to imitate legitimate web crawlers.
How the web crawler support works
The web crawler support consists of the following features:
- In APS, the ATLAS Intelligence Feed (AIF) updates include a list of the IP address ranges that Arbor considers to be legitimate search engine web crawlers. Each IP address range is associated with the low, medium, or high protection level.
- Settings on the Configure AIF Settings page in APS allow you to enable the search engines that can crawl your web site.
- On the Configure Server Type page, the Web Crawler Support setting allows you to enable web crawler support by protection level. See “ATLAS Intelligence Feed Settings” on page 120.
- Sections on the Summary page and the View Protection Group page in APS display information about the web crawler traffic that APS detects and passes.
How APS passes web crawler traffic
APS passes search engine traffic in a manner that is similar to whitelisting, except that not
all search engine traffic is passed globally. The following criteria determine which search
engine traffic is passed:
- the search engines that are enabled on the Configure AIF Settings page (Administration > ATLAS Intelligence Feed) in APS
- the protection level that is associated with each search engine’s IP address range in the AIF updates
- the global protection level or protection group protection level
The protection levels determine which search engine traffic is inspected and which
protection categories are used, as follows:
Protection level | Effect on search engine traffic
Low | Traffic from all of the enabled search engines is passed without further inspection.
Medium | Traffic from a smaller set of enabled search engines is passed with limited inspection.
High | Traffic from an even smaller set of enabled search engines is inspected by a majority of protection categories.
Configuring the ATLAS Intelligence Feed
You can configure the automatic updates for the ATLAS Intelligence Feed (AIF) on the
Configure AIF Settings page (Administration > ATLAS Intelligence Feed). The
automatic threat feed updates are enabled by default. However, you must configure
additional settings if you want to connect to the AIF server through a proxy server.
For more information about the AIF, see “About the ATLAS Intelligence Feed” on page 52.
Note
You can also configure the AIF in the command line interface (CLI). See “Configuring the ATLAS Intelligence Feed (AIF) in the CLI” in the APS Console Advanced Configuration Guide.
About the Status section
The status section indicates the date and time of the most recent update. It also indicates
when the system last checked for an update.
Requirements
On APS Console, you must configure a valid DNS server that can contact the Arbor DNS
server for valid name resolution. You can configure this information on the Configure
General Settings page. See “Configuring General Settings” on page 32.
The AIF server uses your client certificate to authenticate an SSL session to allow you to
download the updated feed.
Enabling automatic AIF updates
To enable an automatic connection to AIF:
1. Select Administration > ATLAS Intelligence Feed.
2. On the Configure AIF Settings page, select the Enable Automatic Connection to
AIF check box.
3. Configure the remaining settings to define the update interval and, optionally, a proxy
server.
See “AIF settings” on the facing page.
4. Click Save to save the settings and poll the AIF server at the next interval.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
6. (Optional) Click Update Now to test the connection.
AIF settings
When you enable the automatic AIF updates, configure the following settings:
Settings for configuring AIF updates

Setting | Description
Check for AIF updates every box | Type the interval at which APS Console should check the AIF server for updates to the threat feed data. Type any number of hours from 1 to 168 (7 days); the default interval is one hour.
Update Now button | (Optional) Click this button to force an AIF update at any time. For example, when you first implement APS Console, you might want to force an AIF update to test the connection. If you made any configuration changes, they do not take effect until you click Save.
Use proxy to connect to AIF server check box | (Optional) Select this check box to allow APS Console to connect to the AIF server through a proxy server. If you do not select this check box, you can skip the remaining settings in the AIF Proxy Configuration section.
Host box | Type the IP address or the hostname for the proxy server.
Port box | Type the port number for the proxy server.
Username box | If necessary, type the user name that is required to access the proxy server.
Password box | If necessary, type the password that is required to access the proxy server.
Authentication mode list | Select the type of authentication to use when APS Console connects to the AIF server: basic, NTLM, or digest method.
Viewing the Status of ATLAS Intelligence Feed Updates
You can view the status of the ATLAS Intelligence Feed (AIF) updates on the Configure AIF
Settings page and the Audit Trail Log.
On any of these pages, you can refresh your browser window to update the status
information.
Checking the status of the AIF updates
To check the status of the last automatic update or update request (from the Update
Now button):
n Select Administration > ATLAS Intelligence Feed to display the Configure AIF
Settings page, and view the Last Check information.
Viewing AIF updates in the Audit Trail Log
All of the automatic AIF updates are recorded and displayed in the Audit Trail Log
(Administration > Audit Trail). The AIF log entries contain information about which files
are updated.
You can search for “ATLAS” to filter the display for AIF entries. See “Viewing the Audit Trail
Log” on page 319.
About the AIF traffic statistics
You can use the View Protection Group page to view information about the attack traffic
that the AIF signatures detected and blocked. See “Viewing the AIF Traffic Statistics for a
Protection Group” on the facing page.
Viewing the AIF Traffic Statistics for a Protection Group
You can use the View Protection Group page to view information about the attack traffic
that the AIF botnet signatures detected and blocked. This information is displayed at the
protection group level.
For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence
Feed” on page 52.
Viewing the AIF traffic statistics for a protection group
To view the AIF traffic statistics for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group whose
data you want to view.
3. On the View Protection Group page, under the Attack Categories section, scroll to the
Botnet Prevention line and click Details.
4. In the subsection that opens, scroll to the AIF Botnet Signatures line and click Details.
This line appears only if traffic matched the AIF signatures and was blocked.
This subsection might also display information, under Basic Botnet Prevention, about
the traffic that is blocked as a result of the Botnet Prevention settings. That traffic is not
associated with the AIF botnet signatures.
5. When you finish viewing the detailed information, click Details to hide it.
AIF Botnet Signatures information
The AIF Botnet Signatures line displays the following information:
- a minigraph of the total traffic that was blocked by the AIF botnet signatures
  You can hover your mouse pointer over the minigraph to view a larger version of the graph.
- the total amount of traffic that was blocked, in bytes, bits per second (bps), packets, and packets per second (pps)
AIF traffic details
When you click the Details button on the AIF Botnet Signatures line, the following
information appears for each protection level:
- a minigraph of the traffic that was detected or blocked by all of the AIF protection settings at that level
- the status of each protection level
  For example, if the protection level is set to medium, both the low level and medium level of AIF traffic are marked as Active. The AIF signatures at both levels are used to block traffic.
- the amount of traffic that was detected or blocked, in bytes, bits per second (bps), packets, and packets per second (pps)
- the average number of hosts that were blocked
This information reflects the global protection level or the protection group’s protection
level, for those groups that have their own protection level configured.
For the active protection level and for any lower protection levels, the traffic statistics
represent the attacks that were blocked. For any protection level that is higher than the
active level, the traffic statistics represent the attacks that would be blocked if that level
were active.
A large graph represents the traffic that was detected and blocked at all of the levels.
Section 5: Configuring Notifications
This section describes how to define destinations for sending alert notifications. You can
create notifications for any combination of email addresses, SNMP traps, and syslog
messages.
You can group similar recipients so that they all receive the same types of event
notifications. For example, you can create a notification that includes all of your network
security engineers.
User access
Users at all authorization levels can view the notification configurations. Only administrators can perform the configuration tasks that are described in this section.
In this section
This section contains the following topics:
- About Notifications (page 66)
- Configuring Notifications (page 68)
- Viewing Notifications (page 72)
About Notifications
When APS Console detects events, conditions, or errors in the system, it creates alerts to
inform users. You can configure APS Console to send notification messages to specified
destinations to communicate certain alerts. You do so by associating the alert with one or
more notifications.
A notification defines its destination and the means by which the notification is sent. You
can create notifications for different groups of users, mailing lists, and remote systems.
You also can create notifications when you add user accounts. When you enter an email
address for a user account, APS Console creates a notification for that email address. If
necessary, you can edit or delete these user-specific notifications on the Configure
Notifications page.
Viewing notifications
The Configure Notification page displays all of the notifications that are configured for APS
Console, and allows you to add, edit, and delete notifications. See “Viewing Notifications”
on page 72 and “Configuring Notifications” on page 68.
How APS Console uses the notifications
When you create a notification, it appears as a selection in the alert configuration for
system events. You can select one or more notifications for each alert configuration. When
an alert is triggered for the associated event, the notifications are sent to the destinations
that are defined in the alert’s notification.
Note
The notifications for APS Up/Down events may be delayed by up to five minutes. This
delay occurs because APS Console waits to make sure that an APS device is down and
not experiencing a temporary connection issue.
Notification contents
A typical notification contains the alert type and a description. It also includes the default
URL hostname, if one is configured on the Configure General Settings page
(Administration > General). The recipient can copy and paste the URL into a browser to
navigate directly to the event.
Depending on the alert type, the notification can contain additional information, such as
the associated rule, severity, client, server, service, and other messages.
See “Email Notification Examples” on page 338 or “Syslog Notification Examples” on page 339.
Notification types
The notification type defines how APS Console sends notifications. You can create
notifications for any combination of email addresses, SNMP traps, and syslog messages.
Types of notifications

Notification type | Description
email | APS Console sends email notifications to the destination addresses that you specify, and the notifications appear to come from the sender address that you specify. APS Console queues email messages for one minute, and then sends them in a batch. When an email notification contains multiple alerts, APS Console sends one summary email. The system sends the email notifications through the SMTP server that you configure on the Configure General Settings page.
SNMP | APS Console sends notifications to a network management system as SNMP traps. The Arbor SMI MIB and the APS Console MIB define the SNMP notification format. See “About SNMP Polling” on page 34. APS Console supports SNMP versions 1, 2, and 3 for notifications. You can send test SNMP notification messages to verify that the system is working properly before it generates an actual alert.
syslog | APS Console sends notifications to a security event management system as syslog messages.
Configuring Notifications
The Configure Notifications page allows you to configure notifications that APS Console
sends to specified destinations when certain system alerts and events occur.
See “About Notifications” on page 66.
Setting a default From address
You can set a default From address that is used in every new email notification that you
create, unless you specify otherwise.
To set a default From address:
1. Select Administration > Notifications.
2. At the bottom of the Configure Notifications page, in the Default ‘From’ Address
box, type a valid email address.
3. Click Save.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Configuring notifications
To add or edit a notification:
1. Select Administration > Notifications.
2. On the Configure Notifications page, complete one of the following steps:
  - To add a new notification, click Add Notification.
  - To edit an existing notification, click the notification name.
3. Configure the following settings:
Setting | Description
Name box | Type a unique name to identify the notification throughout the UI. Use a name that helps users recognize the destinations that it represents. You can use any combination of letters and numbers.
Comment box | (Optional) Provide descriptive information to further identify the notification. The comment appears in the list of notifications on the Configure Notifications page.
4. Configure the settings for one of the following destination types, and then click Save.
  - Email — See “Email notification settings” on the facing page.
  - SNMP — See “SNMP notification settings” on the facing page.
    Tip
    After you add an SNMP notification, you can click Test to send test SNMP notification messages. This test allows you to verify that the system is working properly before it generates an actual alert.
  - Syslog — See “Syslog notification settings” on page 70.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Email notification settings
When you create or edit an email notification, configure the following settings:
Email notification settings

Setting | Description
From box | Type the email address that should appear as the sender. You can use the APS Console name as the sender to easily identify any APS Console notifications. If you specified a default From address, it appears here. See “Setting a default From address” on the previous page.
To box | Type the recipient’s valid email address. Enter multiple email addresses as a comma-separated list.
SNMP notification settings
When you create or edit an SNMP notification, configure the following settings:
SNMP notification settings

Setting | Description
Destination IP box | Type the IP address for each SNMP trap receiver. You can add up to four IP addresses. Use commas to separate multiple IP addresses.
Version list | Select the SNMP version that you use.
Community box | (Versions 1 and 2 only) Type the community string (password) to use for authenticating the SNMP trap. Otherwise, the system defaults to the standard public setting.
Agent IP box | (Version 1 only) Type the IP address for the SNMP agent.
User Name box | (Version 3 only) Type an SNMP user name. This setting is required and must match one of the names that is configured on your trap receiver.
Security Engine ID box | (Version 3 only) Type an SNMP security engine ID. This setting is required and must be an even-length string of hex digits (0-9, A-F). It must match one of the security engine IDs that are configured on your trap receiver.
Passphrase box | (Version 3 only) Type the passphrase for the SNMP user name that you specified above if the Security Level setting is set to something other than No Authentication.
SNMP notification settings (continued)
Settings
Description
Authentication Protocol list
    (Version 3 only) Select an authentication protocol (MD5 or SHA).
    If the Security Level setting is set to something other than No Authentication, this value must match the value that is expected by your trap receiver.

Security Level list
    (Version 3 only) Select one of the following security levels:
    - No Authentication — No passphrase authentication is performed.
    - Authentication/No Privacy — Passphrase authentication is performed, but there is no encryption of the data in the trap messages.
    - Authentication w/ Privacy — Passphrase authentication is performed and the data in the trap messages is encrypted.

Context Name box
    (Version 3 only, optional) Type the SNMP application context.
    Because there is only one SNMP context on APS Console, this setting typically is not required. However, if your trap receiver expects a specific context name, then provide it.

Privacy Protocol list
    (Version 3 only) If you selected Authentication w/ Privacy from the Security Level list, then select the appropriate privacy protocol (DES or AES).
    Verify that this value matches the value that is expected by your trap receiver.

Privacy Passphrase box
    (Version 3 only) If you selected Authentication w/ Privacy from the Security Level list, then type the privacy passphrase that is expected by your trap receiver.
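The SNMPv3 settings above depend on one another: the passphrase only matters once Security Level is raised above No Authentication, the privacy protocol and privacy passphrase only matter under Authentication w/ Privacy, and every value has to agree with the trap receiver. The following Python is an added example, not part of APS Console or any Arbor software. It checks a proposed set of values against the rules in the table, warns about the weaker choices (no authentication, MD5, DES, no privacy), and renders the matching createUser/authUser lines for a net-snmp snmptrapd.conf so that the receiver side is configured consistently. The dictionary keys and the SAMPLE values are assumptions made for this example.

```python
"""Added example (not Arbor code): pre-flight check for the SNMPv3 notification
settings in the table above, plus the matching receiver-side lines for a
net-snmp snmptrapd.conf. The dictionary keys mirror the UI labels and are an
assumption; the createUser/authUser syntax is net-snmp's."""
from __future__ import annotations
import re

AUTH_PROTOCOLS = {"MD5", "SHA"}
PRIV_PROTOCOLS = {"DES", "AES"}
# UI security level -> net-snmp level keyword used by authUser.
LEVELS = {
    "No Authentication": "noauth",
    "Authentication/No Privacy": "auth",
    "Authentication w/ Privacy": "priv",
}


def check_snmpv3_settings(s: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors mean the receiver cannot accept the
    traps as configured; warnings flag choices that are valid but weak."""
    errors, warnings = [], []
    if not s.get("user_name"):
        errors.append("User Name is required")
    engine_id = s.get("security_engine_id", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", engine_id) or len(engine_id) % 2:
        errors.append("Security Engine ID must be a non-empty, even-length hex string")
    level = s.get("security_level")
    if level not in LEVELS:
        errors.append(f"unknown Security Level {level!r}")
        return errors, warnings
    if level == "No Authentication":
        warnings.append("traps are unauthenticated; anyone on the path can forge them")
    else:
        if s.get("authentication_protocol") not in AUTH_PROTOCOLS:
            errors.append("Authentication Protocol must be MD5 or SHA")
        elif s["authentication_protocol"] == "MD5":
            warnings.append("MD5 authentication is deprecated; prefer SHA")
        if not s.get("passphrase"):
            errors.append("Passphrase is required when authentication is enabled")
    if level == "Authentication w/ Privacy":
        if s.get("privacy_protocol") not in PRIV_PROTOCOLS:
            errors.append("Privacy Protocol must be DES or AES")
        elif s["privacy_protocol"] == "DES":
            warnings.append("DES is a 56-bit cipher; prefer AES")
        if not s.get("privacy_passphrase"):
            errors.append("Privacy Passphrase is required for Authentication w/ Privacy")
    elif level == "Authentication/No Privacy":
        warnings.append("trap contents travel in clear text; prefer Authentication w/ Privacy")
    return errors, warnings


def snmptrapd_conf_lines(s: dict) -> list[str]:
    """Render the net-snmp snmptrapd.conf lines that accept traps from these settings."""
    errors, _ = check_snmpv3_settings(s)
    if errors:
        raise ValueError("; ".join(errors))
    level = LEVELS[s["security_level"]]
    create = f'createUser -e 0x{s["security_engine_id"]} {s["user_name"]}'
    if level != "noauth":
        create += f' {s["authentication_protocol"]} "{s["passphrase"]}"'
    if level == "priv":
        create += f' {s["privacy_protocol"]} "{s["privacy_passphrase"]}"'
    return [create, f'authUser log {s["user_name"]} {level}']


# Constructed sample input for the example (placeholder values, not real credentials).
SAMPLE = {
    "user_name": "aps-console",
    "security_engine_id": "80001F8880E9BD0A9E3C5D7C5F000000",
    "security_level": "Authentication w/ Privacy",
    "authentication_protocol": "SHA",
    "passphrase": "example-auth-passphrase",
    "privacy_protocol": "AES",
    "privacy_passphrase": "example-priv-passphrase",
}

if __name__ == "__main__":
    print(check_snmpv3_settings(SAMPLE))
    print("\n".join(snmptrapd_conf_lines(SAMPLE)))
```

Run the check before saving the notification: an odd-length engine ID or a missing privacy passphrase is rejected outright, while a DES or MD5 choice is accepted with a warning so that you can decide whether the receiver can be moved to SHA and AES instead.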
Syslog notification settings
When you create or edit a syslog notification, configure the following settings:

Destination box
    Type the syslog host IP address.

Port box
    (Optional) The default setting is port 514. If you do not want to use the default port, then type a new port number.
    For more information about setting the default syslog port, see "Commands and Subcommands in the /services Menu" in the APS Console Advanced Configuration Guide.
Facility list
    Select a syslog facility value to indicate the source of the message as defined in the syslog protocol RFC 3164.
    The default facility is Daemon.

Severity list
    Select one of the following syslog severity values:
    - alert — action must be taken immediately
    - crit — critical condition
    - debug — debug-level message
    - emerg — emergency, system is unusable
    - err — error condition
    - info — informational message
    - notice — normal but significant condition
    - warning — warning condition
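The facility and severity you select are what the receiving syslog server sees in the PRI field at the start of each message, so filtering and routing rules on that server have to be written against the same values. The following Python is an added example, not part of APS Console or any Arbor software: it carries out the RFC 3164 PRI arithmetic (facility code times 8, plus severity code), parses a received line back into facility and severity, and shows the ordering a receiver uses when it filters "at or above" a severity. The sample line is constructed for this example; it is not an actual APS Console message, and the hostname and text in it are placeholders.

```python
"""Added example (not Arbor code): the RFC 3164 PRI arithmetic behind the
Facility and Severity settings above, and a parser for a received line. The
sample line is constructed for this example, not captured from APS Console."""
from __future__ import annotations
import re

# Facility codes 0-23 and severity codes 0-7 as numbered in RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, the number inside the angle brackets."""
    return FACILITIES.index(facility.lower()) * 8 + SEVERITIES.index(severity.lower())


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line: str) -> dict:
    """Split a BSD-syslog line into its PRI components and the remaining text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a well-formed <PRI>")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "rest": m.group(2)}


def is_at_least(severity: str, threshold: str) -> bool:
    """Lower severity codes are more urgent: 'alert' passes a 'crit' threshold."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


# Constructed sample: Daemon facility (the UI default) with the alert severity, PRI 25.
SAMPLE_LINE = "<25>Aug 19 10:15:00 apsconsole aps: constructed sample alert text"

if __name__ == "__main__":
    print(parse_syslog_line(SAMPLE_LINE))
```

With the default facility Daemon (code 3) and severity alert (code 1) the PRI is 25, so a receiver rule that matches daemon.alert, or anything at or above crit, will pick up the notification; a rule written for a different facility silently drops it.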
Deleting notifications
You cannot delete a notification that is referenced by a system alert.
To delete a notification:
1. Select Administration > Notifications.
2. On the Configure Notifications page, complete one of the following steps:
   - To delete individual notifications, select the check boxes to the right of the notifications.
   - To delete all of the notifications on the current page, select the Select All check box in the table heading row.
3. Click Delete.
4. In the confirmation message that appears, click OK.
5. If the Audit Trail window appears, type a message for the audit trail or accept your default message, if any.
Viewing Notifications
The Configure Notifications page displays all of the notifications in the system and allows
you to add, edit, and delete the notifications. See “Configuring Notifications” on page 68.
For general information about notifications, see "About Notifications" on page 66.
Viewing the notifications
To view the existing notifications:
1. Select Administration > Notifications.
2. (Optional) On the Configure Notifications page, to find specific notifications, type a string in the Search Notifications box, and then click Search.
Information on the Configure Notifications page
The Configure Notifications page displays the following information for each notification:

Name
    Displays the name of the notification as a link that opens the Edit Notification Settings page for that notification.

Email
    For email notifications, displays the email addresses that notifications are sent to, and the email address that the notifications appear to be sent from.

SNMP
    For SNMP notifications, displays the SNMP destination, community, and version for the notification.

Syslog
    For Syslog notifications, displays the destination, facility, and severity for the notification.

Comment
    Displays descriptive information that was entered when the notification was configured.

Log Message
    Displays the most recent message that was logged for the notification.

Creator
    Displays the name of the user who configured the notification.

Last Modified
    Indicates the last time that the notification was changed by a user or by the system.

Used By Alert Configurations
    Displays the system alerts that reference the notification as links to the corresponding alert Configuration window.

Selection check box
    Allows you to select the notification for deletion.
Part III: APS Management

Section 6: Introduction to APS Management
This section describes how to use APS Console as a system to manage multiple APS
devices.
User access
Users at all authorization levels can view the APS information. Only administrators and
analysts can perform the configuration tasks that are described in this section.
In this section
This section contains the following topics:
Configuring APS for APS Console Management  76
About the APS Console - APS Data Synchronization  78
How Restoring Backups Affects the APS Console - APS Synchronization  82
Setting the Protection Mode (Active or Inactive)  84
About the Protection Levels  86
Deleting Offline Devices  89
Configuring APS for APS Console Management
You can manage multiple APS devices from APS Console. To do so, you connect each APS
to APS Console, to allow the systems to communicate.
Before you begin
Before you connect APS to APS Console, verify that the following requirements are met:
- APS is installed and configured as described in the APS Quick Start Card and in this guide.
- Both APS Console and APS are running version 5.11 or later.
Connecting APS to APS Console
You configure the settings that allow APS Console to manage an APS on that APS itself, not on APS Console.
To connect APS to APS Console:
1. Log in to the UI of the APS that you want to manage.
2. Select Administration > General.
3. On the Configure General Settings page, configure the following settings:

   APS Console box
       Type the IP address or hostname for APS Console.

   Shared Secret box
       Type the shared secret to use to authenticate communication with APS Console.
       APS Console uses the shared secret to authenticate internal communication. You must configure the same secret on all of the APS devices that APS Console manages. Because every managed APS holds the same secret, a secret that is exposed on one device exposes the management channel of all of them; choose a long, random value and change it on all of the devices together.
       To delete an existing shared secret, click the Clear Password icon.

4. Click Save.
About the Connection Status box
If the settings for managing APS through APS Console are configured, and a connection
error occurs, the connection status box appears. The connection status box provides
information about the connection error and contains a Test Connection button. After
you edit the connection settings or take other steps to fix the error, you can use the Test
Connection button to verify the connection.
Disconnecting APS from APS Console
In certain situations, you might need to disconnect an APS device from APS Console. For
example, you might need to move the device or return it for repair.
Also, certain backup and restore procedures require that you disconnect APS.
To disconnect APS from APS Console:
1. Log in to the UI of the APS.
2. Select Administration > General.
3. On the Configure General Settings page, delete the text in the APS Console box and
the Shared Secret box.
4. Click Save.
About the APS Console - APS Data Synchronization
When you use APS Console as a central management console for APS, you can create and
manage the configurations for multiple APS devices. You can configure server types,
protection groups, the outbound threat filter, blacklists, and whitelists in APS Console and
propagate the configurations to each managed APS as appropriate.
See “About Managing APS Devices from APS Console” on page 14.
When you first connect APS to APS Console, the applicable configurations on APS Console
are copied to APS. Any existing configurations on APS are copied to APS Console.
Thereafter, each APS periodically checks APS Console for configuration changes and
obtains the changes that apply to the APS.
For information about connecting APS to APS Console, see “Configuring APS for APS
Console Management” on page 76.
Viewing the APS synchronization status
In APS Console, you can view the synchronization status for a specific APS in the System Information section on the Summary page. The possible statuses are as follows:
- Initial synchronization — A new APS is connected and the initial synchronization is in progress.
- Preparing configuration — The system is in the process of updating the current configurations.
- Good — The configurations on APS match the configurations on APS Console that apply to the APS.
- Out of sync — One or more of the configurations on APS Console changed, and the APS has not yet received those changes.
- APS version does not support synchronization — The APS version is earlier than 5.11.
Initial synchronization
When you first connect APS to APS Console, the following items are copied from APS Console to the APS:
- all of the standard server types
- the outbound threat filter
- the default protection group
- the global items in the inbound blacklist and inbound whitelist
- all of the items in the outbound blacklist and outbound whitelist
No custom configurations or protection group-specific items are copied because no custom protection groups have been assigned to the new APS yet.
If APS contains local configurations, they affect the synchronization as follows:
- If certain local configurations conflict with any of the configurations that are copied from APS Console, they are duplicated on APS. See "Initial synchronization of duplicate configurations" below.
- The local configurations are merged with the configurations on APS Console. See "Configuration merges during the initial synchronization" below.
Initial synchronization of duplicate configurations
During the initial synchronization of an APS that has local configurations, a server type or
protection group on APS might conflict with one on APS Console. These conflicts are
treated as follows:
- If APS and APS Console contain a server type (standard or custom) with the same name, a copy of that server type is created on APS. The copy of the server type has the same name as the original server type, with the name of the APS appended to it. The original server type on APS is updated with the configuration from APS Console. Any protection groups that were associated with the original server type are updated to be associated with the new server type.
- If APS and APS Console contain a protection group with the same name, a copy of that protection group is created on APS. The copy of the protection group has the same name as the original protection group, with the name of the APS appended to it. The original protection group on APS is updated with the configuration from APS Console.
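The practical consequence of these two rules is that, after the initial synchronization, the APS's local settings survive only under the renamed copies, while the original names carry the APS Console configuration, and the APS's protection groups are silently re-pointed to the copies. The following Python is an added example, not part of APS Console or any Arbor software, that applies the two rules to constructed sample data so that the resulting names and associations can be inspected. The separator used when the APS name is appended, the handling of server types before protection groups, and the copied protection group keeping the copied server type are assumptions; the page does not state them.

```python
"""Added example (not Arbor code): resolve same-name server type and protection
group conflicts the way the two rules above describe. The name format
"<name> <aps name>", the rule order, and which server type the copied
protection group refers to are assumptions made for this example."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ProtectionGroup:
    name: str
    server_type: str                       # name of the server type the group uses
    settings: dict = field(default_factory=dict)


def resolve_name_conflicts(aps_name: str,
                           aps_server_types: dict[str, dict],
                           aps_groups: list[ProtectionGroup],
                           console_server_types: dict[str, dict],
                           console_groups: list[ProtectionGroup]) -> list[str]:
    """Apply the duplicate-configuration rules to the APS-side data in place.
    Returns the names of the copies that were created on the APS."""
    copies: list[str] = []

    # Server types: keep the local configuration under a new name, take the APS
    # Console configuration under the original name, re-point groups to the copy.
    for name in list(aps_server_types):
        if name in console_server_types:
            copy_name = f"{name} {aps_name}"            # assumed separator
            aps_server_types[copy_name] = dict(aps_server_types[name])
            aps_server_types[name] = dict(console_server_types[name])
            for pg in aps_groups:
                if pg.server_type == name:
                    pg.server_type = copy_name
            copies.append(copy_name)

    # Protection groups: same treatment. The copy keeps the local settings and
    # the (possibly re-pointed) local server type; the original takes the APS
    # Console configuration.
    console_pg_by_name = {pg.name: pg for pg in console_groups}
    for pg in list(aps_groups):
        if pg.name in console_pg_by_name:
            copy_name = f"{pg.name} {aps_name}"
            aps_groups.append(ProtectionGroup(copy_name, pg.server_type, dict(pg.settings)))
            src = console_pg_by_name[pg.name]
            pg.server_type, pg.settings = src.server_type, dict(src.settings)
            copies.append(copy_name)
    return copies


if __name__ == "__main__":
    # Constructed sample: both sides define "Web Server" and "Shop" with different settings.
    aps_types = {"Web Server": {"http_rate": 50}}
    console_types = {"Web Server": {"http_rate": 100}}
    aps_groups = [ProtectionGroup("Shop", "Web Server", {"mode": "inactive"})]
    console_groups = [ProtectionGroup("Shop", "Web Server", {"mode": "active"})]
    print(resolve_name_conflicts("aps-nyc", aps_types, aps_groups, console_types, console_groups))
    print(aps_types, aps_groups)
```

Running it on the sample shows why the "Consolidating the new configurations" step below matters: the APS ends up with "Web Server aps-nyc" and "Shop aps-nyc" carrying the old local values, and those copies are then pushed up to APS Console during the merge described next.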
Consolidating the new configurations
After you connect each APS, you might review the APS for configurations that you can
consolidate.
For example, if an APS contains a protection group that is assigned to that APS only,
determine whether an existing protection group on APS Console would serve the same
purpose. If so, then in APS Console, unassign the APS from the local protection group and
assign it to the protection group on APS Console. Then delete the APS-specific protection
group.
Configuration merges during the initial synchronization
During the initial synchronization of an APS that has local configurations, the local items
are merged with the items on APS Console as described below.
Server type merges
All of the server types on APS are copied to APS Console.
These server types include any duplicate server types that APS might have created to
resolve conflicts with the server types that it received from APS Console. See “Initial
synchronization of duplicate configurations” above.
Protection group merges
- The default protection group on the APS is replaced with the one from APS Console, which overwrites any local configuration changes.
- All of the custom protection groups on APS are copied to APS Console and assigned to that APS.
  These protection groups include any duplicate protection groups that APS might have created to resolve conflicts with the protection groups that it received from APS Console. See "Initial synchronization of duplicate configurations" above.
Outbound threat filter merge
The outbound threat filter on the APS is replaced with the one from APS Console, which
overwrites any local configuration changes.
Blacklist merges and whitelist merges
- The global items and protection group-specific items on APS that do not match any items on APS Console are copied to APS Console.
- A global item on APS that matches a protection group-specific item on APS Console replaces the APS Console item.
- A protection group-specific item on APS that matches a global item on APS Console is deleted.
- If an item from APS causes APS Console to exceed its capacity, the item is added to APS Console but disabled. The disabled item appears on the blacklist page or whitelist page in the APS Console UI, but it is dimmed. Also, if you add a host entry on APS after synchronization and the APS table becomes full, the APS Console stops synchronizing hosts with the APS. To avoid these issues, we recommend that you do not add hosts to the blacklists and whitelists on an APS if it is managed by APS Console.
  See "About the Capacity of the Blacklists and Whitelists" on page 172.
- Any blacklisted CIDRs or whitelisted CIDRs on APS that overlap existing items on APS Console are copied to APS Console but are not merged.
  For example, assume that 192.0.2.0/16 is blacklisted in APS and 192.0.2.0/24 is blacklisted in APS Console. Although the blacklisted address on APS includes the subnet of the blacklisted address on APS Console, APS Console will contain both items.
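Because these rules can silently widen the scope of an entry (a protection group-specific item becomes global) or drop one (a group-specific item that duplicates a global one), it is worth being able to predict the outcome before connecting an APS that carries local lists. The following Python is an added example, not part of APS Console or any Arbor software, that applies the five rules above to constructed sample lists and reports which overlapping CIDRs were kept side by side. "Matching" is taken to mean the same CIDR string, the capacity figure is a placeholder, and the case of two protection group-specific items for different groups with the same CIDR is not described on the page, so the example keeps both; all three are assumptions.

```python
"""Added example (not Arbor code): the blacklist/whitelist merge rules above,
applied to constructed sample lists. Same CIDR string = "matching", capacity is
a placeholder, and two group-specific items for different groups are both kept;
these are assumptions made for the example."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

GLOBAL = "global"


@dataclass
class ListItem:
    cidr: str
    scope: str               # GLOBAL or the name of a protection group
    enabled: bool = True


def merge_lists(console: list[ListItem], aps: list[ListItem], capacity: int) -> list[ListItem]:
    """Return the APS Console list after the initial synchronization."""
    result = [ListItem(i.cidr, i.scope, i.enabled) for i in console]
    for item in aps:
        existing = next((c for c in result if c.cidr == item.cidr), None)
        if existing is None:
            # Rule 1: unmatched items are copied. Rule 4: over capacity, the item
            # is added but disabled. Rule 5 follows: an overlapping CIDR is a
            # different string, so it is copied as its own item, never merged.
            result.append(ListItem(item.cidr, item.scope, enabled=len(result) < capacity))
        elif existing.scope == item.scope:
            continue                                   # identical item, nothing to do
        elif item.scope == GLOBAL:
            existing.scope = GLOBAL                    # rule 2: global replaces group-specific
        elif existing.scope == GLOBAL:
            continue                                   # rule 3: group-specific item is deleted
        else:
            # Both group-specific for different groups: not covered by the page;
            # kept as a separate item here (assumption).
            result.append(ListItem(item.cidr, item.scope, enabled=len(result) < capacity))
    return result


def overlapping_pairs(items: list[ListItem]) -> list[tuple[str, str]]:
    """List CIDR pairs where one contains the other, i.e. entries rule 5 left unmerged."""
    nets = [(i.cidr, ip_network(i.cidr, strict=False)) for i in items]
    return [(a, b) for a, na in nets for b, nb in nets
            if a < b and na.version == nb.version and (na.subnet_of(nb) or nb.subnet_of(na))]


if __name__ == "__main__":
    # Constructed sample lists (documentation address ranges, no real hosts).
    console = [ListItem("192.0.2.0/24", GLOBAL),
               ListItem("198.51.100.7/32", "pg-web"),
               ListItem("203.0.113.0/24", GLOBAL)]
    aps = [ListItem("192.0.2.0/16", GLOBAL),          # overlaps 192.0.2.0/24 (rule 5)
           ListItem("198.51.100.7/32", GLOBAL),       # widens the pg-web item (rule 2)
           ListItem("203.0.113.0/24", "pg-web"),      # dropped, global already present (rule 3)
           ListItem("10.0.0.0/8", GLOBAL),            # copied (rule 1)
           ListItem("172.16.0.0/12", GLOBAL)]         # copied but disabled at capacity 5 (rule 4)
    merged = merge_lists(console, aps, capacity=5)
    for i in merged:
        print(i)
    print("overlaps kept side by side:", overlapping_pairs(merged))
```

The sample shows the two cases that change policy without an error: the /32 that was only blocked for pg-web becomes a global block, and the disabled /12 appears dimmed on the list page rather than taking effect, which is the situation the recommendation above is meant to avoid.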
Subsequent synchronizations
Periodically, any configuration changes (additions, modifications, and deletions) on APS
Console are propagated to each APS as applicable. As in the initial synchronization, each
APS obtains only the standard items, the global items, and the items that are specific to the
APS. No items are copied from APS to APS Console.
Caution
After the initial synchronization, the additions and changes to the configurations on APS
Console might overwrite the local configurations on APS. Generally, you should not make
local changes on a managed APS, although you might occasionally need to do so. For
example, you might lose the connection between APS Console and an APS during a high-volume DDoS attack. In that case, you can make local changes on the APS to mitigate the attack.
When you back up and restore APS Console and APS, you must follow certain guidelines
to maintain the synchronization. See “How Restoring Backups Affects the APS Console -
APS Synchronization” on page 82.
Synchronization after APS is disconnected from APS Console
If APS is disconnected from APS Console and then reconnected, the synchronization process depends on the state of the APS when you reconnect it, as follows:

An APS that contains configuration data is reconnected to the same APS Console.
    This situation typically occurs when the communication between APS and APS Console is interrupted, either because you disconnect APS or because of some other connection issue.
    The synchronization is the same as those that occur after the initial synchronization. See "Subsequent synchronizations" on page 80.

An APS that contains no configuration data is reconnected to the same APS Console.
    This situation might occur when you return the APS for a repair, during which the configuration data is erased.
    The synchronization is the same as when you connect a new APS. See "Initial synchronization" on page 78.

An APS with or without configuration data is reconnected to a different APS Console.
    This situation might occur when you move the APS to a different location in your network or replace the original APS Console.
    The synchronization is the same as when you connect a new APS. Any configurations that APS obtained from the original APS Console are merged with the data from the new APS Console. See "Initial synchronization" on page 78.
How Restoring Backups Affects the APS Console - APS Synchronization
When you use APS Console to manage APS devices, APS Console periodically copies its
configuration data for a managed APS to the managed APS itself. When you back up and
restore APS Console and APS, you must follow certain guidelines to maintain the data
synchronization.
Guidelines for restoring an APS Console backup
Important
Restore an APS Console backup only when all of the managed APS devices are
disconnected. If you restore APS Console while APS devices are connected, then during
the next synchronization, APS Console sends the old data to APS.
Before you restore an APS Console backup, follow these steps:
1. Disconnect each APS that is connected to APS Console as follows:
a. Log in to the UI of the APS.
b. Select Administration > General.
c. On the Configure General Settings page, clear the APS Console box and the
Shared Secret box, and then click Save.
2. Restore the APS Console backup. See “Restoring APS Console from a Backup” in the
APS Console Advanced Configuration Guide .
Now the data on APS Console is older than the data on APS.
3. Reconnect each APS. The data is synchronized as follows:
   - If APS Console was backed up before the APS was connected, the synchronization is the same as for a newly-connected APS. APS Console copies any configurations from APS that postdate the backup. See "Initial synchronization" on page 78.
   - If APS Console was backed up after the APS was connected, the synchronization is the same as for any periodic synchronization. The configurations are copied from APS Console to APS as appropriate. See "Subsequent synchronizations" on page 80.
Guidelines for restoring an APS backup
When you run an APS backup, the state of the connection between APS Console and APS
determines how you must restore that backup.
Guidelines for restoring APS backups

You back up APS while it is connected to APS Console.
    Restore the APS backup as usual. During the next synchronization, APS Console updates APS.

You back up APS before it is connected to APS Console. Later, after APS is connected to APS Console, you need to restore the APS backup.
    1. Restore the APS backup.
       Now APS is no longer connected to APS Console, because the backup does not include the connection configuration. However, APS Console still knows about the APS.
    2. Connect APS to APS Console.
       During the next synchronization, APS Console updates APS.

You back up APS while it is connected to APS Console. Later, you disconnect APS. For example, you might need to move the device or return it for repair.
    1. Restore the APS backup.
    2. Connect APS to APS Console.
       During the next synchronization, APS Console updates APS.
Additional information about backups and data synchronization
For additional information, see the following topics:
- Backing up and restoring APS Console — see "About APS Console Backups" on page 330. Also see "Restoring APS Console from a Backup" in the APS Console Advanced Configuration Guide.
- Connecting APS to APS Console — see "Configuring APS for APS Console Management" on page 76.
- The data synchronization — see "About the APS Console - APS Data Synchronization" on page 78.
Setting the Protection Mode (Active or Inactive)
When APS is installed in the inline deployment mode, you can run it in one of the following protection modes:
- active — In addition to monitoring traffic and detecting attacks, APS mitigates attacks.
- inactive — APS analyzes traffic and detects attacks without performing mitigations. You can use the resulting information to set your policies for attack detection and mitigation.
The inactive mode is most commonly used in trial implementations. See "Implementing APS for Trial or Monitoring Only" in the APS User Guide.
You can set the protection mode for an individual protection group or the outbound threat filter without affecting any other traffic. For example, you can set a new protection group to inactive mode for testing while keeping the APS in active mode. See "Adding, Editing, and Deleting Protection Groups" on page 231 and "Configuring the Outbound Threat Filter" on page 115.
About changing the protection mode for multiple APS devices
When you use APS Console to manage APS, you can set the protection mode for multiple APS devices, as follows:
- By default, every APS to which a protection group is assigned uses the protection mode that you configure for that protection group. However, for a specific APS, you can override the protection group's protection mode.
- For outbound traffic, all of the managed APS devices use the protection mode that is set for the APS Console outbound threat filter.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Viewing the current protection mode
You can view the current protection mode in the following places in the UI:

Protection group
    You can view the protection mode for a protection group on the following pages:
    - List Protection Groups (Protect > Inbound Protection > Protection Groups)
    - View Protection Group

Outbound threat filter
    You can view the protection mode for the outbound threat filter on the Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter).
Changing the protection mode for a protection group
APS mitigates traffic for an active protection group only when the system’s protection
mode is active.
To change the protection mode for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. In Protection Group Mode, select Active or Inactive.
5. Click Save.
Changing the protection mode for the outbound threat filter
To change the protection mode for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. For Protection Mode, select Active or Inactive.
3. Click Save.
About the Protection Levels
The protection level defines the strength of protection that APS provides and the
associated intrusiveness and risk of blocking clean traffic. The protection levels are low,
medium, and high.
The protection levels are associated with different protection settings. These settings
include those that are not user-defined, such as the invalid packets protection category.
When the protection level is set, the protection settings that are associated with that level
are enabled.
User access
Only administrators can change the protection level. Non-administrative users can view
the current protection level but cannot make changes.
About the different protection levels
The protection level determines which protection settings are in use at any given time. For
example, if the protection level is low, then the low protection settings are used to inspect
the current traffic. You can change the protection level as needed to mitigate attacks. See
“Changing the Protection Level” on page 253.
Initially, APS uses a global protection level, which applies to the entire APS. You can
continue to use the global protection level, but you also can configure individual
protection levels for specific protection groups and the outbound threat filter. These
individual protection levels take precedence over the global protection level.
About the protection levels for protection groups and the outbound threat
filter
The protection level determines which protection settings are in use for a specific
protection group or the outbound threat filter. You might change the protection level for a
protection group or the outbound threat filter in the following situations:
- To respond to attacks and traffic spikes against one protection group without affecting the traffic to the other protection groups.
- To respond to outbound threats without affecting the inbound traffic.
- To determine how different protection levels affect the traffic when you create a new protection group or change the settings for an existing protection group.
You also can automate the protection level for a protection group. See “About protection
level automation” on page 235.
About the protection levels for the protection settings
For each of the protection settings, you can specify different values for the low, medium,
and high protection levels. The current protection level determines which of the settings
are used at any given time. For example, you might set conservative thresholds for the low
protection level and more aggressive thresholds for the medium and high protection
levels.
You also can leave the protection settings empty or disable one or more of the protection
levels. For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.
You configure the protection settings for multiple APS devices on the following pages:
- Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, click a server type name), for inbound traffic
- Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter), for outbound traffic. See "Configuring the Outbound Threat Filter" on page 115.
Viewing the current protection level
Throughout the UI, an icon represents each of the protection levels: global, low, medium, and high. The current protection level is indicated by a check mark in the corresponding icon.
You also can automate a protection group's protection level. Separate icons represent the low automated protection level and the high automated protection level (there is no medium automated protection level).
You can view the current protection level on the following pages:

Protection group, List Protection Groups page
    To the far right of the protection group name, a single icon indicates the protection group's protection level. If the protection group uses the global protection level, no icon appears.

Protection group, View Protection Group page
    The header area contains text that indicates the protection group's protection level.
    When you edit a protection group, all of the protection level icons appear. The protection group's current protection level is checked, and you can click an icon to change the protection level.

Outbound threat filter, Outbound Threat Filter page
    The header area contains text that indicates the outbound threat filter's protection level.
    When you edit the outbound threat filter, all the protection level icons appear. The outbound threat filter's current protection level is checked, and you can click an icon to change the protection level.
Balancing protection and risk
The risk of blocking clean traffic increases with the level of protection. Generally, you
should set the protection level to low. Reserve the medium and high levels for use during
attack conditions.
The following table describes when to use the different protection levels and the levels of protection and risk that are associated with each one:

Low (use under normal conditions)
    This level is the safest but it offers the least protection.
    - Only low-risk traffic is blocked.
    - There is no tolerance for false positives.

Medium (use during a significant attack)
    The protection settings are stricter. Clean traffic that is unusual might be blocked.

High (use during a heavy attack)
    This level provides the most aggressive protection but it carries risks.
    Blocking some clean traffic is acceptable as long as most of the hosts are protected.
For protection groups, you can automate the protection level. When you automate the
protection level, APS uses a total traffic threshold to determine when to change the
protection level from low to high. See “About protection level automation” on page 235.
Recommended protection levels for protection settings
Your protection settings at the low level should protect your network against the majority
of attacks without blocking any clean traffic. If a large number of attacks are passed
through, then you might need to configure more aggressive thresholds at the low level.
Conversely, if too much clean traffic is blocked, then you might need to configure more
conservative thresholds at the low level. As you use APS and review the traffic information
that it provides, you can refine the settings to provide an acceptable balance between
protection and risk.
Deleting Offline Devices
If a managed device goes down, "Offline" appears in the Uptime column for that device on the Summary page. If the device remains down for several minutes, a Delete button appears at the far right of that device's row. The Delete button allows you to delete an offline device from APS Console.
When you delete a device, it is removed from APS Console and all of its alerts and
protection groups are deleted from APS Console. The deletion does not affect the device
itself or any of the alerts or protection groups on that device.
If you delete a device prematurely and it comes back online, it re-appears in APS Console
and in the System Information section on the Summary page.
For general information about the Summary page, see "Viewing a Summary of System Activity" on page 310.
Deleting an offline device
To delete a device:
1. Select the Summary menu.
2. On the Summary page, in the System Information section, click the Delete button
that appears next to the offline appliance.
3. In the confirmation message that appears, click OK .
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Section 7: Managing Shared Server Types
This section describes how to configure and manage the server types that determine
which protection settings are available for each protection group. On APS Console, you
can manage the server types for all of the APS devices that APS Console manages. You also
can add and delete server types on APS Console.
In this section
This section contains the following topics:
About the Server Types  92
Viewing Server Types  96
Adding and Deleting Custom Server Types  98
Changing the Protection Settings for Server Types  100
About Traffic Profiling for Protection Configuration  102
Capturing Traffic Profiles from APS Console  104
Using Traffic Profile Data to Configure Protection Settings  105
Restoring the Default Protection Settings  108
APS Console User Guide, Version 6.3
91
APS Console User Guide, Version 6.3
About the Server Types
A server type represents a class of hosts that a specific protection group protects. The
server type determines which protection settings are available for a protection group and
which application-specific data APS collects and displays for that group. Each protection
group is associated with a server type; multiple protection groups can be associated with
the same server type.
APS contains predefined, standard server types for IPv4 hosts and one standard server
type for IPv6 hosts. These standard server types offer protection settings that cover most
situations. To meet your organization’s more specific protection requirements, you can
create custom server types that are based on the standard server types.
You can add a maximum of 100 custom server types on an APS.
Navigating to the Server Types page
You add, edit, and delete the server types on the Server Types page (Protect > Inbound
Protection > Server Type Configuration).
About managing the server types from APS Console
If you manage APS with APS Console, then you can configure server types in APS Console
and propagate the configurations to each managed APS. For a server type to be copied to
an APS, that server type must be associated with a protection group that is assigned to the
APS.
When you first connect APS to APS Console, the server types on APS Console are merged
with any existing server types on APS. Thereafter, any changes to the server types on APS
Console are periodically copied to each APS as appropriate. See “About the APS Console
- APS Data Synchronization” on page 78.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Standard server types
The standard server types are as follows:
n Generic Server
The generic server type contains all of the protection settings and is associated with the
default protection group.
n Web Server
n DNS Server
n Mail Server
n VoIP Server
n VPN Server
n RLogin Server (remote login)
n File Server
n Generic IPv6 Server
About the custom server types
You can create custom server types on the Configure Server Type page. The custom server
types allow you to configure different protection settings for similar types of servers. For
example, you can add a custom server type to protect specific DNS servers with settings
that differ from the standard DNS Server settings.
You can associate a custom server type with any custom protection group. See “Adding,
Editing, and Deleting Protection Groups” on page 231.
Examples of custom server types
Examples of how you can use custom server types are as follows:
n Different content
Your organization might have one HTTP server that serves standard web pages,
another that serves video, and another with heavy AJAX interaction. Some of the
HTTP-related protection categories, such as HTTP Rate Limiting, might not apply to all
of those servers. You can create a custom server type with the appropriate protection
settings for each of these HTTP servers.
n Different traffic rates
An excessive amount of inbound traffic and connections for one server might be
normal for another server. In such cases, setting appropriate thresholds for the
rate-based protection categories can be difficult. You can create custom server types
that are configured for different traffic rates.
n Separate server ownership
In some organizations, different web servers can fall under completely separate
ownership structures, in which different people are responsible for the availability of
the web service. You can create custom server types with separate protection settings
for separately owned servers.
Available protection settings for IPv4 standard server types
Certain protection settings are available for all of the IPv4 standard server types. Other
settings include application-specific behavior and are available only for the server type that
is associated with the application. For example, the HTTP Rate Limiting settings are
available for a Web Server but not for a DNS Server.
The categories of protection settings that are available for the IPv4 standard server types
are as follows:
Available protection settings for the IPv4 standard server types
Settings category | Generic Server | DNS Server | File Server | Mail Server | RLogin Server | VoIP Server | VPN Server | Web Server
ATLAS Intelligence Feed | x x x x x x x x
Application Misbehavior | x x x x x x
Block Malformed DNS Traffic | x x
Block Malformed SIP Traffic | x x
Botnet Prevention | x x
CDN and Proxy Support | x
DNS Authentication | x x
DNS NXDomain Rate Limiting | x x
DNS Rate Limiting | x x
DNS Regular Expression | x x
Filter List | x x x x x x x x
Fragment Detection | x x x x x x x x
HTTP Header Regular Expressions | x x x x
HTTP Rate Limiting | x x x x
HTTP Reporting | x x x
ICMP Flood Detection | x
Malformed HTTP Filtering | x
Multicast Blocking | x x x x x x x x
Payload Regular Expression | x x x x x x x x
Private Address Blocking | x x x x x x x x
Rate-based Blocking | x x x x x x x x
SIP Request Limiting | x
Spoofed SYN Flood Prevention | x x x x x x x x
TCP Connection Limiting | x x x
TCP Connection Reset | x x x x x x x x
TCP SYN Flood Detection | x x x x x x x x
TLS Attack Prevention | x x x x x
Traffic Shaping | x x x x x x x x
UDP Flood Detection | x x x x x x x x
Available protection settings for the Generic IPv6 Server type
The categories of protection settings that are available for the Generic IPv6 Server type
are as follows:
n Block Malformed DNS Traffic
n DNS Authentication
n DNS NXDomain Rate Limiting
n DNS Rate Limiting
n DNS Regular Expression
n Filter List
n Payload Regular Expression
n Rate-based Blocking
n Spoofed SYN Flood Prevention
n TCP Connection Limiting
n TCP Connection Reset
n Traffic Shaping
Viewing Server Types
The Server Types page displays the server types that are shared by the APS devices that are
under APS Console management. Use the Server Types page to view information about
the server types, edit and manage existing server types, and create new custom server
types.
For general information about the server types, see “About the Server Types” on page 92.
For information about editing the server types, see “Adding and Deleting Custom
Server Types” on page 98 and “Changing the Protection Settings for Server Types” on
page 100.
Viewing the server types
To view the server types:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. (Optional) On the Server Types page, filter the list of servers. In the search box, type a
search string in any of the following ways, and then click Search.
l Type all or part of a server type name, base type name, or protection group name.
l Type multiple search strings in any combination, using commas to separate
multiple entries.
l Include a wildcard character: an underscore (_) matches any one character, and a
percent sign (%) matches any number of characters. For example, to find “DNS
Server”, you could type dns, _ns, or d%.
3. To view or edit the protection settings for a particular server type, click the server type’s
name link.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 109.
About the Server Types page
The Server Types page contains the following information for each server type:
Information on the Server Types page
Column | Description
Name | Displays the server type’s name as a link that allows you to open the
Configure Server Type page. There, you can view and edit the server type
information. See “Changing the Protection Settings for Server Types” on page 100.
(context menu) | Appears when you hover your mouse pointer over a source IP address.
Click to display the following options:
n Restore Defaults — Restores the selected server type’s protection settings to their
default values.
When you restore the protection settings for a server type, it affects all of the
protection groups that are associated with that server type. See “Restoring the Default
Protection Settings” on page 108.
n Duplicate — Creates a custom server type that inherits the protection settings from
the selected server type. See “Duplicating an existing server type” on page 99.
n Delete — (Custom server types only) Deletes the selected server type for all of the
APS devices with which it is associated.
Caution
When you delete a server type, all of the protection groups that are associated with
that server type are deleted. See “Deleting a custom server type” on page 99.
n Profile Capture — Allows you to perform a traffic profile on any of the APS devices
that are associated with the server type.
Base Type | Indicates the standard server type on which a custom server type is based.
The base server type name appears as a link to the Configure Server Type page, where
you can view and edit the base server type.
Last Modified | Indicates the last time the server type was edited, which allows you to
identify recent configuration changes.
In Use By | Displays the protection groups that use this server type.
If multiple protection groups are associated with the server type, this column displays
the number of groups. You can display a list of those protection groups by hovering
your mouse pointer over the displayed number.
You can click a protection group’s name link to display the View Protection Group page
for that protection group.
Adding and Deleting Custom Server Types
Custom server types allow you to configure different protection settings for similar types of
servers. For example, you can add a custom server type to protect specific DNS servers
with settings that differ from the standard DNS Server settings. When you create a new
server type, it inherits the protection settings from the existing server type on which it is
based. You can edit the settings as necessary for the new server type.
For general information about the server types, see “About the Server Types” on page 92.
Adding custom server types when you add a protection group
When you add a new protection group, you select a server type from the list of the
standard server types. When you save the protection group, APS creates a custom server
type that is based on the selected server type, with the same name as the protection
group.
APS adds this server type to the list of Custom Server Types on the Configure Server Type
page.
Adding a custom server type
Use this procedure to create a custom server type that inherits the protection settings from
one of the standard server types.
You can add a maximum of 100 custom server types on an APS.
To add a custom server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, under Add A New Server Type, define the server type as
follows:
Setting | Description
Server Type Name box | Type a name to identify the server type throughout the UI.
Base Server Type list | Select the server type on which to base the new server type.
3. Click Add Server Type.
4. (Optional) To edit the protection settings, follow these steps:
a. To go to the Configure Server Type page, click the Edit settings link in the
confirmation message that appears at the top of the page. You also can click the
name link for the new server type in the list on the Server Types page.
b. Edit the protection settings.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 109.
c. Click Save.
Duplicating an existing server type
Use this procedure to create a custom server type that inherits the protection settings from
any standard server type or custom server type.
To duplicate a server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, click (context menu) next to the server type to duplicate,
and then select Duplicate.
3. In the Server Type Name box, type a name to identify the server type throughout the
UI.
4. (Optional) To edit the protection settings, follow these steps:
a. To go to the Configure Server Type page, click the Edit settings link in the
confirmation message that appears at the top of the page. You also can click the
name link for the new server type in the list on the Server Types page.
b. Edit the protection settings.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 109.
c. Click Save.
Deleting a custom server type
You can delete custom server types. You cannot delete standard server types.
Caution
When you delete a server type, APS deletes all of the protection groups that are
associated with that server type. Any IPv4 prefixes that the deleted protection group
protected are assigned to the default protection group unless they are included in
another custom protection group.
To delete a custom server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, click (context menu) next to the server type to delete,
and then select Delete.
3. In the confirmation message that appears, select Delete.
Changing the Protection Settings for Server Types
The protection settings are the criteria by which APS defines clean traffic and attack traffic.
The default protection settings provide protection from the most common types of DDoS
attacks. These attacks include TCP stack attacks, host or pipe flooding, fragmentation
attacks, resource exhaustion, connection state attacks, botnet attacks, and vulnerability
exploits.
You can customize these settings to provide more directed protection for specific server
types, both standard and custom. If necessary, you can restore a particular server type’s
protection settings to their default values. See “Restoring the Default Protection Settings”
on page 108.
For information about the protection categories and suggestions for when to change the
protection settings, see “About the Protection Settings Configuration” on page 111. For
general information about the server types, see “About the Server Types” on page 92.
Using APS Console to manage protection settings
If you manage APS with APS Console, then you can configure server types in APS Console
and propagate the configurations to each managed APS.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Navigating to the protection settings
The Server Types page allows you to change the protection settings for each of the
protected server types.
To access the Server Types page, select Protect > Inbound Protection > Server Type
Configuration.
How changes affect the protection groups
When you add a protection group, you associate it with a server type. The protection
group inherits the protection settings for that server type. If you change the protection
settings for a server type, the change applies to all of the protection groups that have the
same server type. For example, if you change the Web Server settings, those settings apply
to all of the Web Server protection groups.
About capturing traffic profiles
APS can simplify the configuration of certain rate-based protection settings by learning
typical network behaviors and suggesting values that are appropriate for your network. To
determine these values, APS profiles your network by capturing statistical data about
certain types of traffic. You also can use the profile data to estimate how much traffic
would be passed at different thresholds and protection levels.
The profile data includes passed traffic and might include blocked traffic, depending on
why it was blocked. The data represents all of the protection groups that are associated
with the selected server type. Within each server type, the data applies to certain protection
settings only.
See “About Traffic Profiling for Protection Configuration” on the next page.
If you use APS Console to manage APS, you can manage the profile captures for multiple
APS devices from APS Console.
Configuring the protection settings
To configure the protection settings for a server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. (Optional) On the Server Types page, filter the list of servers. In the search box, type a
search string in any of the following ways, and then click Search.
l Type all or part of a server type name, base type name, or protection group name.
l Type multiple search strings in any combination, using commas to separate
multiple entries.
l Include a wildcard character: an underscore (_) matches any one character, and a
percent sign (%) matches any number of characters. For example, to find “DNS
Server”, you could type dns, _ns, or d%.
3. In the Server Types list, click the name link of the server type to edit.
4. Edit the protection settings.
For information about the specific protection settings, see “About the Protection
Settings Configuration” on page 111.
5. Click Save.
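The search-box filtering described in step 2 of this procedure (and in the identical step under “Viewing the server types”), as an added example that is not part of the Arbor documentation or the product: a small Python filter that applies the same rules, an underscore for one character, a percent sign for any run of characters, and commas to separate terms, to a constructed list of server types. Case-insensitive, substring matching is assumed, as the “dns” finds “DNS Server” example implies.

```python
import re

# Constructed sample data, not exported from a real APS Console.
SERVER_TYPES = [
    {"name": "DNS Server", "base_type": None, "protection_groups": ["dns-edge"]},
    {"name": "Web Server", "base_type": None, "protection_groups": ["www-main", "api"]},
    {"name": "Video HTTP", "base_type": "Web Server", "protection_groups": ["video-cdn"]},
    {"name": "Mail Server", "base_type": None, "protection_groups": []},
]


def wildcard_to_regex(term: str) -> re.Pattern:
    """Translate one search term into a compiled regular expression.

    An underscore matches exactly one character and a percent sign matches any
    number of characters (including none); every other character is taken
    literally, so a term such as "c++" cannot break the expression.
    """
    pieces = []
    for ch in term:
        if ch == "_":
            pieces.append(".")
        elif ch == "%":
            pieces.append(".*")
        else:
            pieces.append(re.escape(ch))
    # Substring match: "all or part of" a name is enough to hit (assumption:
    # the match is case-insensitive, as the dns -> "DNS Server" example implies).
    return re.compile("".join(pieces), re.IGNORECASE)


def parse_search_string(search: str) -> list:
    """Split a comma-separated search string into non-empty, trimmed terms."""
    return [term.strip() for term in search.split(",") if term.strip()]


def filter_server_types(server_types: list, search: str) -> list:
    """Return the entries whose name, base type or any protection group name
    matches at least one term; an empty search returns everything."""
    patterns = [wildcard_to_regex(t) for t in parse_search_string(search)]
    if not patterns:
        return list(server_types)
    matches = []
    for entry in server_types:
        fields = [entry["name"], entry.get("base_type") or ""]
        fields += entry.get("protection_groups", [])
        if any(p.search(f) for p in patterns for f in fields):
            matches.append(entry)
    return matches


def matching_names(server_types: list, search: str) -> list:
    """Convenience wrapper that returns only the matching server type names."""
    return [e["name"] for e in filter_server_types(server_types, search)]


if __name__ == "__main__":
    for query in ("dns", "_ns", "d%", "web, mail", ""):
        print(f"{query!r:12} -> {matching_names(SERVER_TYPES, query)}")
```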
About Traffic Profiling for Protection Configuration
APS can simplify the configuration of certain rate-based protection settings by learning
typical network behaviors and suggesting values that are appropriate for your network. To
determine these values, APS profiles your network by capturing statistical data about
certain types of traffic. You also can use the profile data to estimate how much traffic
would be passed at different thresholds and protection levels.
The profile data includes passed traffic and might include blocked traffic, depending on
why it was blocked. The data represents all of the protection groups that are associated
with the selected server type. Within each server type, the data applies to certain protection
settings only.
Traffic profiling on multiple APS devices
If you use APS Console to manage APS devices, you can select the APS devices on which to
start, stop, and check the status of a profile capture. The capture runs and the results
appear on each selected APS. You can use the profile data as a guide to configuring the
protection settings in APS Console.
Rate-based protection settings that APS uses for profiling
APS gathers profile data for the rate-based protection settings. When you start a profile
capture, APS applies the appropriate maximum values for these rate-based protection
settings to obtain accurate results.
However, the values that APS applies do not appear in the fields on the Configure Server
Type page. Any values that were set previously still appear in these fields.
Important
While the profiling is active, do not make any changes to these protection settings
because changes may cause inaccurate profile capture results.
Rate-based protection settings for profiling
Protection category | Setting
Rate-based Blocking | Bits per Second Threshold; Packets per Second Threshold. See
“Rate-based Blocking Settings” on page 144.
TCP Connection Reset | TCP Connection Initial Timeout. See “TCP Connection Reset
Settings” on page 151.
DNS Rate Limiting | DNS Query Rate Limit. See “DNS Rate Limiting Settings” on page 131.
DNS NXDomain Rate Limiting | DNS NXDomain Rate Limit. See “DNS NXDomain Rate
Limiting Settings” on page 130.
HTTP Rate Limiting | HTTP Request Limit; HTTP URL Limit. See “HTTP Rate Limiting
Settings” on page 135.
SIP Request Limiting | SIP Source Limit. See “SIP Request Limiting Settings” on page 145.
ICMP Flood Detection | Maximum bps; Maximum pps. See “ICMP Flood Detection
Settings” on page 137.
UDP Flood Detection | Maximum bps; Maximum pps. See “UDP Flood Detection Settings”
on page 158.
Fragment Detection | Maximum bps; Maximum pps. See “Fragment Detection Settings” on
page 133.
Capturing Traffic Profiles from APS Console
APS can profile your network by capturing statistical data about certain types of traffic. The
profile data can help you configure protection settings that are optimized for your server
types. See “About Traffic Profiling for Protection Configuration” on page 102.
If you use APS Console to manage APS devices, you can select the APS devices on which to
start, stop, and check the status of a profile capture. The capture runs and the results
appear on each selected APS. You can use the profile data as a guide to configuring the
protection settings in APS Console.
APS captures data by server type for the traffic that applies to certain protection settings
only. See “Rate-based protection settings that APS uses for profiling” on page 102.
Capturing traffic profiles
To start capturing traffic profiles from APS Console:
1. Select Protect > Inbound Protection > Server Type Configuration .
2. On the Server Types page, hover your mouse pointer over the name of a server type,
and then click (context menu).
3. In the context menu, select Profile Capture.
The Profile Capture option is available only if a server type is associated with a
protection group that has at least one APS assignment.
4. In the Profile Capture window, select the APS devices on which to perform a profile
capture.
5. To specify the duration of the capture, move the Length of capture slider.
If a capture is running already, the amount of time that remains is shown next to the
selected APS device names in the Stop Capture section.
6. Click Start.
7. To close the Profile Capture window, click Close.
The capture continues to run in the background.
Stopping traffic profile captures
You can stop a profile data capture at any time. To determine whether a capture is running
for a specific server type, you can view the capture status.
To stop a profile data capture from APS Console:
1. Select Protect > Inbound Protection > Server Type Configuration .
2. On the Server Types page, hover your mouse pointer over the name of a server type,
and then click (context menu).
3. In the context menu, select Profile Capture.
4. In the Profile Capture window, select the APS devices on which to stop the capture,
and then click Stop.
5. To close the Profile Capture window, click Close.
Using Traffic Profile Data to Configure Protection Settings
After you run a profile data capture in APS, you can view the profile data in a profile
window on the Configure Server Type page. For each of the settings that are profiled, you
can view the data from the most recent capture, or from the current capture if one is in
progress. You can use the profile data as a guide to help you configure the protection
settings that are appropriate for your network. You can also use the profile data to
estimate how much traffic would be passed at different thresholds and protection levels.
See “About Traffic Profiling for Protection Configuration” on page 102.
The data represents all the protection groups that are associated with the selected server
type. Within each server type, the data applies to certain protection settings only. See
“Rate-based protection settings that APS uses for profiling” on page 102.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Before you begin
Before you can view or use the profile data, you must run a profile data capture to collect
the data. See “Capturing Traffic Profiles from APS Console” on the previous page.
Viewing and using the traffic profile data
Profile data is visible in APS only.
To view the traffic profile data and use it to configure protection settings:
1. On APS Console, select Protect > Inbound Protection > Protection Groups.
2. To view the APS devices that are assigned to a protection group, click (expand) to
the left of a protection group name.
3. Click the name of an APS device.
4. Log into the APS.
5. Select Protect > Inbound Protection > Server Type Configuration.
6. On the Configure Server Type page, select Standard Server Types or Custom
Server Types, and then select a specific server type.
7. Click the (View profile) icon that appears next to the settings that you want to
configure.
Note
If a capture was not run, or if the most recent capture did not observe any traffic that
applied to this setting, then the icon does not appear.
8. Review the suggested protection settings that appear in the profile window so that
you can configure the corresponding settings in APS Console.
Do not change any settings in APS.
9. Go to APS Console and select Protect > Inbound Protection > Server Type
Configuration.
10. On the Server Types page, click the name link for the server type that you want to
configure.
11. On the Server Types page, edit the protection settings.
Information in the profile window
In APS, the profile window displays the following information for a specific protection
setting:
Information in the profile window
Information | Description
last capture information | Displays the dates and times at which the capture began and
ended.
histogram | Displays the observed traffic volumes that apply to the current protection
setting.
For example, the histogram for the Bits per Second Threshold setting displays the
number of hosts that sent certain volumes of traffic, measured in bits per second.
The gray area at the far right of the histogram represents values that are out of the
histogram’s displayed range.
Linear and Log buttons | Change the scale of the y axis in the histogram graph as
follows:
n Linear presents the number of hosts on a linear scale, in which the lines in the graph
are proportional to the number of hosts.
n Log presents the number of hosts on a logarithmic scale, in which each unit increase
represents an exponential increase in the number of hosts.
markers | Indicate the points in the histogram that correspond to the configured
threshold values for the protection levels: high (H), medium (M), and low (L). The
markers work as follows:
n When you open the profile window, the markers reflect the currently configured
threshold values.
n When you click Auto, the markers, the displayed values, and the protection setting
fields change to the threshold values that APS recommends based on the profile data.
n You can drag the markers to different points on the histogram. As you drag the
markers, the threshold values change in both the profile window and the protection
setting fields.
n If you type different threshold values in the protection setting fields, the markers and
the displayed values in the profile window change accordingly.
Caution
If you manage the server types in APS Console, do not edit them in APS.
Low, Med, and High values | Display the threshold values and the approximate amounts
of traffic that those thresholds would allow APS to pass at each protection level.
Maximum x (where x varies depending on the protection setting) | Displays the highest
value of the item that is measured.
For example, if you view the values for the Bits per Second Threshold setting, then this
value represents the Maximum bits per second.
Auto button | Changes the threshold values in the profile window and the protection
setting fields to the recommended values.
Caution
If you manage the server types in APS Console, do not edit them in APS.
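To make the profile window concrete, here is an added Python sketch that is not Arbor's code: it buckets constructed per-host bits-per-second observations into a histogram with an out-of-range bucket (the gray area), offers the Linear and Log y-axis views, picks high, medium and low thresholds, and reports how many hosts and how much traffic each threshold would pass. The percentile rule standing in for Auto is an assumption (the heuristic APS uses is not documented on this page), as are the assumptions that a higher protection level means a lower threshold and that a host at or below a threshold passes.

```python
import math

# Constructed sample: bits per second observed from each source host during
# one profile capture. Not data from a real APS device.
OBSERVED_BPS = [
    800, 1_200, 2_000, 3_400, 4_100, 5_100, 5_800, 7_000, 8_200, 9_500,
    12_000, 15_000, 18_000, 22_000, 30_000, 40_000, 65_000, 150_000,
    400_000, 2_500_000,
]

# Assumed stand-in for the Auto button: the share of observed hosts that each
# protection level should pass. High protection is the strictest, so it gets
# the lowest threshold. APS's real recommendation rule is not documented here.
AUTO_PERCENTILES = {"high": 75, "medium": 85, "low": 95}


def histogram(values, bucket_width, display_max):
    """Count hosts per bucket, as the profile histogram does.

    Returns (counts, out_of_range): counts[i] is the number of hosts whose rate
    falls in [i*bucket_width, (i+1)*bucket_width); out_of_range is the number
    of hosts above display_max, i.e. the gray area at the far right.
    """
    n_buckets = display_max // bucket_width
    counts = [0] * n_buckets
    out_of_range = 0
    for v in values:
        if v > display_max:
            out_of_range += 1
        else:
            # A value equal to display_max lands in the last displayed bucket.
            counts[min(v // bucket_width, n_buckets - 1)] += 1
    return counts, out_of_range


def bar_height(count, log_scale=False):
    """Y-axis value for a bucket: the raw host count on the Linear scale,
    log10(count + 1) on the Log scale so that empty buckets stay at zero."""
    return math.log10(count + 1) if log_scale else count


def percentile(values, pct):
    """Nearest-rank percentile using integer arithmetic (no float rounding)."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]


def suggest_thresholds(values):
    """Assumed Auto behaviour: one suggested threshold per protection level."""
    return {level: percentile(values, pct) for level, pct in AUTO_PERCENTILES.items()}


def passed_traffic(values, threshold):
    """Hosts at or below the threshold pass; return (hosts, bits per second)."""
    passing = [v for v in values if v <= threshold]
    return len(passing), sum(passing)


def estimate_at_levels(values, thresholds):
    """Per-level view matching the Low, Med and High values in the window."""
    total = sum(values)
    report = {}
    for level, threshold in thresholds.items():
        hosts, bps = passed_traffic(values, threshold)
        report[level] = {
            "threshold": threshold,
            "hosts_passed": hosts,
            "bps_passed": bps,
            "share_of_traffic": bps / total if total else 0.0,
        }
    return report


if __name__ == "__main__":
    counts, gray = histogram(OBSERVED_BPS, bucket_width=10_000, display_max=100_000)
    for i, c in enumerate(counts):
        print(f"{i * 10_000:>7} bps  {'#' * c:<12} (log height {bar_height(c, True):.2f})")
    print(f"out of displayed range: {gray} hosts")
    levels = estimate_at_levels(OBSERVED_BPS, suggest_thresholds(OBSERVED_BPS))
    for level, row in levels.items():
        print(f"{level:6} threshold {row['threshold']:>9} bps: {row['hosts_passed']} hosts, "
              f"{row['share_of_traffic']:.1%} of observed traffic passed")
```

Dragging a marker in the real window corresponds to calling passed_traffic with a different threshold and re-reading the hosts and traffic that would be allowed.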
Restoring the Default Protection Settings
You can change the protection settings for any standard server type or custom server type.
You also can restore a particular server type’s protection settings to its default values.
When you restore the protection settings for a server type, it affects each protection group
that is associated with that server type. If a protection group in APS Console is assigned to
one or more managed APS devices, the server type changes affect each assigned APS.
Restoring the protection settings affects the standard server types and custom server types
as follows:
n When you restore the protection settings for a standard server type, the settings of any
related custom server types are not affected.
n When you restore the protection settings for a custom server type, the settings are
returned to the default settings of the base server type. Any changes that might have
been made to the base server type’s settings are not applied to the custom server type.
For general information about the server types, see “About the Server Types” on page 92
and “Adding and Deleting Custom Server Types” on page 98.
Restoring the default protection settings
To restore the default protection settings:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. On the Server Types page, click (context menu) next to the server type for which
you want to restore settings, and then select Restore Defaults.
3. In the confirmation window, click OK.
4. To view the restored protection settings, click the server type’s name link to open the
Configure Server Type page.
Section 8: Configuring the Protection Settings
The protection settings are the criteria by which APS defines clean traffic and attack traffic.
You configure the protection settings to define how APS identifies and blocks malicious
traffic at each protection level.
In APS Console, you can configure the protection settings for multiple APS devices.
In this section
This section contains the following topics:
About the Protection Settings Configuration 111
About the Outbound Threat Filter 113
Configuring the Outbound Threat Filter 115
Validating the Outbound Threat Filter Configuration 116
Application Misbehavior Settings 119
ATLAS Intelligence Feed Settings 120
Block Malformed DNS Traffic Settings 124
Block Malformed SIP Traffic Settings 125
Botnet Prevention Settings 126
CDN and Proxy Support Settings 128
DNS Authentication Settings 129
DNS NXDomain Rate Limiting Settings 130
DNS Rate Limiting Settings 131
DNS Regular Expression Settings 132
Fragment Detection Settings 133
HTTP Header Regular Expressions Settings 134
HTTP Rate Limiting Settings 135
HTTP Reporting Settings 136
ICMP Flood Detection Settings 137
Malformed HTTP Filtering Settings 138
Multicast Blocking Settings 139
Payload Regular Expression Settings 140
Private Address Blocking Settings 143
Rate-based Blocking Settings 144
SIP Request Limiting Settings 145
Spoofed SYN Flood Prevention Settings 146
TCP Connection Limiting Settings 150
TCP Connection Reset Settings 151
TCP SYN Flood Detection Settings 153
TLS Attack Prevention Settings 155
Traffic Shaping Settings 157
UDP Flood Detection Settings 158
About the Protection Settings Configuration
The protection settings are the criteria by which APS defines clean traffic and attack traffic.
For example, if a setting specifies a threshold based on the number of requests per
second, then traffic that exceeds the threshold is considered to be an attack.
The default protection settings in APS provide protection from the most common types of
DDoS attacks. You can customize these settings to provide more directed protection for
specific types of servers and for your outbound traffic. In APS Console, you can customize
the protection settings for multiple APS devices.
For information about types of DDoS attacks, see “DDoS Attacks and APS Protections” in
the APS User Guide .
Navigating to the configuration pages
You configure the protection settings on the following pages in APS:
• Configure Server Type page, for inbound traffic
Allows you to change the protection settings for each of the protected server types. See
“Changing the Protection Settings for Server Types” on page 100.
• Outbound Threat Filter page, for outbound traffic
Allows you to configure the protection settings for the outbound threat filter. See
“Configuring the Outbound Threat Filter” on page 115.
About the protection categories
The protection settings are organized into categories, each of which detects a different
type of attack traffic.
For inbound traffic, each server type contains the categories of protection settings that are
most appropriate for that server type. Each protection group is associated with a server
type and one or more host servers of that type. For example, a Web Server protection
group contains the HTTP categories of settings, which detect HTTP-based attacks.
The outbound threat filter contains the categories of protection settings that are most
appropriate for outbound traffic.
About temporary blocking
Temporary blocking occurs dynamically as a result of the protection settings that are
configured for the protection groups. When APS encounters certain types of malicious
inbound traffic, it blocks the offending traffic.
Some of the protection categories temporarily block a host, which effectively blocks all of
the traffic from that host, including its clean traffic. The top 10 hosts that are blocked in this
way appear in the Temporarily Blocked Sources section on the View Protection Group
page. APS does not temporarily block the hosts for outbound traffic.
Other protection categories temporarily block a host’s offending traffic but not its clean
traffic or the host itself. Such hosts do not appear in the Temporarily Blocked Sources
section on the View Protection Group page, but they do appear in the blocked hosts log.
This blockout period typically lasts for several minutes. The protection category that
detects the malicious traffic determines the length of the blockout period, and this time
period cannot be changed.
About the protection levels for the protection settings
For each of the protection settings, you can specify different values for the low, medium,
and high protection levels. The current protection level determines which of the settings
are used at any given time. For example, you might set conservative thresholds for the low
protection level and more aggressive thresholds for the medium and high protection
levels.
You also can leave the protection settings empty or disable one or more of the protection
levels. For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.
See “About the Protection Levels” on page 86.
When to change the protection settings
Because you configure different settings for each protection level, you can vary the threat
detection criteria at any time by changing the protection level. You can change the
protection level globally or for one or more specific protection groups.
Typically, you use the default settings when you first install APS. As you use APS and
analyze its actions, you can customize as many settings as needed to secure your data
center from threats against availability. If you have historical traffic information and
statistics from an APS trial or monitor-only implementation, use that information as a
guide for refining the protection settings.
APS can simplify the configuration of certain rate-based protection settings by learning
typical network behaviors and suggesting protection settings that are appropriate for your
network. See “About Traffic Profiling for Protection Configuration” on page 102.
About the Outbound Threat Filter
The outbound threat filter prevents malicious traffic from leaving your network. Unlike the
protection groups, which protect specific hosts, the single outbound threat filter protects
all of the outbound IPv4 traffic that passes through APS.
When you install or upgrade APS Console, the outbound threat filter and all of its ATLAS
Intelligence Feed (AIF) threat categories are enabled by default on APS Console. You can
disable the outbound threat filter and the AIF threat categories on the Outbound Threat
Filter page (Protect > Outbound Protection > Outbound Threat Filter). See
“Configuring the Outbound Threat Filter” on page 115.
Important
For the outbound blacklist and outbound whitelist to work, you must leave the
outbound threat filter enabled. See "Blacklisting Outbound Traffic" on page 180 and
"Whitelisting Outbound Traffic" on page 188 .
About the protection settings
The outbound threat filter contains the categories of protection settings that are the most
appropriate for outbound traffic, to protect state-dependent devices such as load
balancers and next-generation firewalls. It also uses the ATLAS Intelligence Feed (AIF)
threat categories. These settings are the criteria by which APS defines clean traffic and
attack traffic.
You configure these protection settings on the Outbound Threat Filter page. You also can
configure the protection mode (active or inactive) and protection level (global, low,
medium, or high) for the outbound threat filter. See “Configuring the Outbound Threat
Filter” on page 115.
For information about the protection categories and suggestions for when to change the
protection settings, see “About the Protection Settings Configuration” on page 111 .
Note
If you turn on DNS Rate Limiting for a protection group, the outbound traffic may match
the protection group instead of the outbound threat filter. By default, DNS Rate Limiting is
turned on for the default IPv4 protection group and any protection groups that use a
DNS server. Custom protection groups also might have this protection turned on. See
“DNS Rate Limiting Settings” on page 131.
About the outbound threat filter’s protection mode and protection level
The outbound threat filter’s protection mode determines whether APS blocks malicious
outbound traffic. In the active mode, APS monitors traffic and mitigates attacks. In the
inactive mode, APS detects attacks but does not mitigate them. To test the outbound
threat filter, set the protection mode for the outbound threat filter to inactive.
The outbound threat filter’s protection level determines which protection settings are in
use for the outbound traffic. The outbound threat filter can use the global protection level
or a protection level that you configure for the outbound threat filter. The outbound threat
filter’s protection level takes precedence over the global protection level.
In APS Console, you can change the outbound threat filter’s protection mode or
protection level for all of the managed APS devices.
About managing the outbound threat filter from APS Console
When you use APS Console to manage APS, you can configure the outbound threat filter
in APS Console and propagate the configurations to each managed APS.
When you first connect APS to APS Console, the outbound threat filter on the APS is
replaced with the one from APS Console. Thereafter, any changes to the outbound threat
filter on APS Console are periodically copied to each APS. See “About the APS Console -
APS Data Synchronization” on page 78.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Configuring the Outbound Threat Filter
You configure the protection settings for the outbound threat filter, to prevent malicious
traffic from leaving your network.
You can enable and disable the outbound threat filter, but you cannot delete it.
For more details about the outbound threat filter, see “About the Outbound Threat Filter”
on page 113 .
Important
If you deploy APS in the monitor mode, the outbound traffic does not go through APS.
Therefore, the traffic is not analyzed.
Configuring the outbound threat filter
To configure the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. Select the Enable Outbound Threat Filter check box.
3. Configure the following settings:
Protection Mode options
Select Active or Inactive to configure the protection mode. For more information about the
protection mode, see “Setting the Protection Mode (Active or Inactive)” on page 84.
Protection Level icons
Select an icon to set the protection level (global, low, medium, or high) for the outbound
threats. The global protection level is the default. A check mark in the corresponding icon
shows which level is currently active. For information about the global protection level,
see “About the Protection Levels” on page 86. Also see “Changing the Protection Level” on
page 253.
4. For each protection level, configure the protection settings.
For information about the specific settings, see the following topics:
- “ATLAS Intelligence Feed Settings” on page 120
- “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on
page 164
- “Payload Regular Expression Settings” on page 140
- “DNS Rate Limiting Settings” on page 131
- “Malformed HTTP Filtering Settings” on page 138
5. Click Save.
After you configure the outbound threat filter, you can verify that you configured it
correctly. See “Validating the Outbound Threat Filter Configuration” on the next page.
Validating the Outbound Threat Filter Configuration
After you configure the outbound threat filter, we recommend that you validate its
configuration to ensure that the relevant traffic passes through APS.
There are several issues that may prevent the outbound threat filter from functioning as
expected, such as:
• misconfiguration of the APS
• an APS deployment that prevents traffic mitigation (for example, the APS is deployed in
an out-of-band deployment mode, or its protection mode is set to inactive)
• routing configurations that do not allow APS to see the relevant traffic
For more information, see “About the Outbound Threat Filter” on page 113 .
Testing guidelines
Required configuration settings
You must configure the following settings before testing the outbound threat filter:
• Enable the outbound threat filter.
• Set the protection mode to Active.
• Enable all of the AIF threat categories.
See “Configuring the Outbound Threat Filter” on the previous page.
IP address and domain name for testing
To test the outbound threat filter configuration, use the following IP address and domain
name, both of which are included in the AIF:
• 52.26.163.109
• arbor-aif-test.com
IP address testing
You can use the ping command on the operating system command line to test the
outbound threat filter configuration. This command is available for all of the standard
operating systems.
To use the ping command to test the outbound threat filter:
1. From a host inside a protection group, access the operating system’s command line.
2. On the command line, enter ping 52.26.163.109
Results of a successful ping test
If you configure the outbound threat filter correctly, the ping command is unsuccessful
and times out, as shown in the following image:
On the APS Summary page, you should see a spike in the blocked traffic, as shown in the
following image:
On the Outbound Blocked Threats graph, you should see an increase in the number of
source hosts that APS blocked, as shown in the following image:
Results of an unsuccessful ping test
If the host receives a response to the ping command, as shown in the following image,
you should review the outbound threat filter configuration settings.
DNS query testing
You can use the nslookup command on the operating system command line to test the
outbound threat filter configuration. This command attempts to perform a DNS query.
The nslookup command is available for all of the standard operating systems.
To use the nslookup command to test the outbound threat filter:
1. From a host in a protection group, open up the operating system command line.
2. On the command line, enter nslookup arbor-aif-test.com
Results of a successful nslookup test
If you configure the outbound threat filter correctly, the nslookup command is
unsuccessful and times out, as shown in the following image:
On the APS Summary Page , you should see a spike in the blocked traffic, as shown in the
following image:
On the Outbound Blocked Threats graph, you should see an increase in the number of
source hosts that APS blocked, as shown in the following image:
Results of an unsuccessful nslookup test
If the host receives a response to the nslookup command, as shown in the following
image, you should review the outbound threat filter configuration settings.
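The ping and nslookup checks above can be scripted so that the validation is repeatable from every protection group. The following is an added example, not code from this guide or from Arbor: it runs both commands against the AIF test destinations the guide lists and interprets the output, treating a 100% packet-loss summary and an unanswered nslookup as the expected blocked result. The Linux command-line flags, the timeouts and the sample command outputs used for self-testing are assumptions constructed here.

```python
"""Automates the ping/nslookup validation of the outbound threat filter (added example)."""
import re
import subprocess
from typing import Dict, Optional

AIF_TEST_IP = "52.26.163.109"           # from the guide
AIF_TEST_DOMAIN = "arbor-aif-test.com"  # from the guide

# Constructed sample outputs (iputils ping / BIND nslookup style) so the parsers
# can be exercised without network access.
BLOCKED_PING = (
    "PING 52.26.163.109 (52.26.163.109) 56(84) bytes of data.\n\n"
    "--- 52.26.163.109 ping statistics ---\n"
    "3 packets transmitted, 0 received, 100% packet loss, time 2041ms\n"
)
ANSWERED_PING = (
    "PING 52.26.163.109 (52.26.163.109) 56(84) bytes of data.\n"
    "64 bytes from 52.26.163.109: icmp_seq=1 ttl=52 time=80.1 ms\n\n"
    "--- 52.26.163.109 ping statistics ---\n"
    "3 packets transmitted, 3 received, 0% packet loss, time 2003ms\n"
)
BLOCKED_NSLOOKUP = ";; connection timed out; no servers could be reached\n"
ANSWERED_NSLOOKUP = (
    "Server:\t\t10.0.0.53\nAddress:\t10.0.0.53#53\n\n"
    "Non-authoritative answer:\nName:\tarbor-aif-test.com\nAddress: 52.26.163.109\n"
)


def ping_loss_percent(output: str) -> Optional[int]:
    """Packet-loss percentage from the ping summary line, or None if there is no summary."""
    match = re.search(r"(\d+)% packet loss", output)
    return int(match.group(1)) if match else None


def nslookup_resolved(output: str) -> bool:
    """True when nslookup printed an answer address.

    The first Server:/Address: pair describes the resolver, not the answer, so only
    Address lines that follow a Name: line count as a resolution.
    """
    saw_name = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            saw_name = True
        elif saw_name and line.strip().startswith("Address"):
            return True
    return False


def verdict(ping_output: str, nslookup_output: str) -> Dict[str, bool]:
    """Combine both checks; 'ok' means the filter blocked both test destinations."""
    ping_blocked = ping_loss_percent(ping_output) == 100
    dns_blocked = not nslookup_resolved(nslookup_output)
    return {"ping_blocked": ping_blocked, "dns_blocked": dns_blocked,
            "ok": ping_blocked and dns_blocked}


def run_checks() -> Dict[str, bool]:
    """Run the real commands from a host inside a protection group (Linux flags assumed)."""
    def run(cmd):
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
            return proc.stdout + proc.stderr
        except subprocess.TimeoutExpired:
            # No summary line at all: inconclusive, reported as "not blocked" so it gets reviewed.
            return ""
    ping_out = run(["ping", "-c", "3", "-W", "2", AIF_TEST_IP])
    ns_out = run(["nslookup", AIF_TEST_DOMAIN])
    return verdict(ping_out, ns_out)


if __name__ == "__main__":
    result = run_checks()
    print(result)
    if not result["ok"]:
        print("Review the outbound threat filter: enabled, protection mode Active, all AIF categories on.")
```

Run it on a host in each protection group after changing the filter; a host whose resolver sits outside the traffic path that APS sees will resolve the test name even when the filter is correct, which is the routing case the list above warns about.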
Application Misbehavior Settings
Use the Application Misbehavior settings to detect application misbehavior patterns that
might not be specific to any protocol.
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration , and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
These settings allow APS to detect request headers that are interrupted by a TCP FIN from
the client. APS counts a host’s interrupts until either of the following conditions is met:
• The number of interruptions exceeds the configured limit. In this case, APS temporarily
blocks the source host.
• The host completes a request without interruption.
In either case, the interrupt counter is reset to zero.
For example, some botnet attacks send multiple, small HTTP requests that cause a series
of bad request errors and overwhelm the victim server. The bot terminates each
connection before the request is complete.
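The counting rule above is easy to get wrong in one direction (blocking on the Nth interruption rather than the N+1th) or the other (never resetting on a clean request). The following is an added example, not Arbor's code: it models the per-host interrupt counter exactly as described, with the count reset to zero both when a request completes and when the host is blocked, and replays a constructed log through it. The log format and the absence of a block-expiry timer are assumptions of this simulation.

```python
"""Per-host TCP FIN interrupt counter for the Application Misbehavior rule (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


class InterruptCounter:
    def __init__(self, interrupt_count: Optional[int]) -> None:
        # An empty Interrupt Count box means the setting is disabled (None here).
        self.limit = interrupt_count
        self.counts: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def observe(self, src_ip: str, completed: bool) -> bool:
        """Record one request outcome; return True if src_ip is blocked afterwards."""
        if self.limit is None:
            return False
        if src_ip in self.blocked:
            return True
        if completed:
            self.counts[src_ip] = 0           # clean request: counter resets
            return False
        self.counts[src_ip] += 1
        if self.counts[src_ip] > self.limit:  # `limit` interruptions are allowed
            self.blocked.add(src_ip)
            self.counts[src_ip] = 0           # reset on block as well
            return True
        return False


# Constructed log: "<source ip> <interrupted|complete>", one request per line.
SAMPLE_LOG = """\
198.51.100.7 interrupted
203.0.113.5 interrupted
198.51.100.7 interrupted
203.0.113.5 interrupted
198.51.100.7 interrupted
203.0.113.5 complete
198.51.100.7 interrupted
203.0.113.5 interrupted
203.0.113.5 interrupted
"""


def parse_log(text: str) -> List[Tuple[str, bool]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, outcome = line.split()
        events.append((src, outcome == "complete"))
    return events


def replay(text: str, interrupt_count: Optional[int]) -> Set[str]:
    """Replay a log through the counter and return the set of blocked sources."""
    counter = InterruptCounter(interrupt_count)
    for src, completed in parse_log(text):
        counter.observe(src, completed)
    return counter.blocked


if __name__ == "__main__":
    print("Interrupt Count 3:", replay(SAMPLE_LOG, 3))     # only the bot is blocked
    print("Interrupt Count 1:", replay(SAMPLE_LOG, 1))     # the legitimate client is caught too
    print("Setting disabled:", replay(SAMPLE_LOG, None))   # nothing is blocked
```

With an Interrupt Count of 3 only 198.51.100.7 (four consecutive interruptions) is blocked; the client at 203.0.113.5 completes a request in between and never exceeds two. Lowering the count to 1 blocks both, which is the kind of false positive to look for before tightening this setting on a busy server type.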
Application Misbehavior settings
The Application Misbehavior category contains the following setting for each protection
level:
Interrupt Count box
Type the number of TCP FIN interruptions that are allowed from a single client before that
client is temporarily blocked. To disable this setting, leave this box empty.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
ATLAS Intelligence Feed Settings
The ATLAS Intelligence Feed (AIF) contains information about the latest advanced threats,
botnets, and web crawlers that our Active Threat Level Analysis System (ATLAS) has
identified. APS can use this information to detect threats, block attacks, and allow
legitimate search engine web crawlers to access your network.
When APS detects traffic that matches any of the HTTP header signatures or enabled
threat policies, it blocks the traffic. If the traffic is inbound, APS temporarily blocks the
source host.
For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence
Feed” on page 52.
Enabling AIF updates
Important
These protection settings depend on the presence of an AIF update file. Before you
enable any of the ATLAS Intelligence Feed settings, either verify that the automatic AIF
updates are enabled or request an update. Some of these settings, such as the default
confidence values, do not appear if an AIF update file is not present.
Where to configure the AIF settings
In APS Console, you configure these settings for multiple APS devices on the following
pages:
• For inbound traffic: Configure Server Type page (Protect > Inbound Protection >
Server Type Configuration, then click on a server type name). See “Changing the
Protection Settings for Server Types” on page 100.
• For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection >
Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 115.
About these settings
The ATLAS Intelligence Feed settings allow APS to use the information in the ATLAS
Intelligence Feed to block traffic as follows:
How APS uses the ATLAS Intelligence Feed settings
Block attack traffic
The AIF updates include the policies that identify categories of known threats by their
traffic patterns, which are defined by IP addresses, HTTP regular expressions, or DNS
names. When you enable the Threat Categories settings, APS blocks any inbound traffic or
outbound traffic that matches the threat policies. See “About the ATLAS Threat Policies”
on page 54.
Block botnet traffic (inbound traffic only)
Many botnets are known by their traffic patterns or profiles that suggest an attack. The AIF
updates include the policies (signatures) that identify known botnets. When you enable the
AIF Botnet Signatures settings, APS compares each policy to the HTTP headers and HTTP
requests. APS blocks any traffic that matches any of the policies and temporarily blocks
the source host.
Pass web crawler traffic (inbound traffic only)
In the process of protecting your servers from DDoS attacks, APS might prevent search
engine web crawlers from accessing your site. The AIF updates include a list of the IP
address ranges that Arbor considers to be legitimate search engine web crawlers. When
you enable the Web Crawler Support settings, APS passes the traffic from the search
engine IP addresses. For more information, see “About Web Crawler Support” on page 59.
ATLAS Intelligence Feed Settings
The ATLAS Intelligence Feed protection category contains the following settings for each
protection level:
Web Crawler Support buttons (inbound traffic only)
Click one of these buttons to enable or disable the inspection of traffic for legitimate web
crawler search engines. For APS to pass the traffic from specific web crawlers, those web
crawlers must be enabled on the Configure AIF Settings page (Administration > ATLAS
Intelligence Feed). Initially, all of the web crawlers are enabled by default, but you can
choose which web crawlers to enable or disable. This option is available for the following
server types only: Generic, DNS, and Web.
AIF Botnet Signatures buttons (inbound traffic only)
Click one of these buttons to enable or disable the inspection of traffic based on the traffic
patterns or profiles by which Arbor identifies known botnets. This option is available for
the following server types only: Generic, VoIP, and Web.
Threat Categories buttons
Click one of these buttons to enable or disable advanced threat detection based on the
ATLAS threat policies, which are grouped by threat category. See “About the ATLAS Threat
Policies” on page 54.
When you enable Threat Categories, the following ATLAS confidence index settings
become available. For more information about the ATLAS confidence index and the
confidence values, see “About the ATLAS Confidence Index” on page 56.
ATLAS Intelligence Feed settings (continued)
ATLAS Confidence Index options
The default confidence value is applied to all of the rules in all of the enabled threat
categories, except those for which you define a category-specific confidence value. To
specify the default confidence value, select one of the following options:
• Use Default — Use the confidence value that the Arbor Security Engineering and
Response Team (ASERT) recommends, which appears in parentheses after this option.
This option is selected by default.
• Custom — Configure a custom confidence value to use as the default. When you select
this option, type a number from 1 to 100 in the box to represent the confidence value.
When APS inspects traffic, it applies the threat policy rules whose confidence values match
or exceed the default confidence value.
Threat category check boxes and confidence value boxes
For each of the threat categories, you can configure the following settings:
• To enable or disable a threat category, select its check box. By default, all of the threat
categories are enabled.
• To configure a confidence value for an enabled threat category, click to the right of the
category’s check box to display the confidence value box. Type a number from 1 to 100
to represent the confidence value. The threat category confidence value overrides the
default confidence value for the specific category.
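The interaction between the default confidence value, a category-specific override and the category check boxes determines which rules actually fire. The following added example (not Arbor's code, and not the AIF rule format) implements that selection rule as stated above: a rule applies when its category is enabled and its confidence matches or exceeds the effective threshold, where the effective threshold is the category's own value if one is set, otherwise the default. The rules, category names and confidence values are constructed stand-ins.

```python
"""Which AIF threat-policy rules apply under a given confidence configuration (added example)."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-ins for AIF rules: (category, rule name, confidence 1..100).
RULES: List[Tuple[str, str, int]] = [
    ("botnet-cc", "cc-host-a", 95),
    ("botnet-cc", "cc-host-b", 60),
    ("scanner", "masscan-ua", 50),
    ("scanner", "zgrab-ua", 30),
    ("malware-dl", "dropper-url", 80),
]


def validate_confidence(value: int) -> int:
    """The confidence boxes accept 1..100; reject anything else before it reaches a policy."""
    if not isinstance(value, int) or not 1 <= value <= 100:
        raise ValueError(f"confidence value must be 1..100, got {value!r}")
    return value


def effective_threshold(category: str, default_conf: int,
                        per_category: Optional[Dict[str, int]] = None) -> int:
    """The category-specific value overrides the default; both are range-checked."""
    per_category = per_category or {}
    if category in per_category:
        return validate_confidence(per_category[category])
    return validate_confidence(default_conf)


def active_rules(rules: Iterable[Tuple[str, str, int]], enabled: Iterable[str],
                 default_conf: int, per_category: Optional[Dict[str, int]] = None) -> List[str]:
    """Names of the rules that would be applied: enabled category and confidence >= threshold."""
    enabled = set(enabled)
    return [name for category, name, conf in rules
            if category in enabled
            and conf >= effective_threshold(category, default_conf, per_category)]


if __name__ == "__main__":
    everything = ["botnet-cc", "scanner", "malware-dl"]
    # Default 75: only the high-confidence botnet and malware rules apply.
    print(active_rules(RULES, everything, 75))
    # Override the scanner category down to 40: the 50-confidence scanner rule joins.
    print(active_rules(RULES, everything, 75, {"scanner": 40}))
    # Disabling a category removes its rules regardless of confidence.
    print(active_rules(RULES, ["botnet-cc"], 75, {"scanner": 40}))
```

Lowering a single category's threshold is the precise tool; lowering the default pulls in low-confidence rules from every enabled category at once, so check what the default change adds before saving it for the high protection level.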
Block Malformed DNS Traffic Settings
Use the Block Malformed DNS Traffic protection settings to prevent attacks that send
invalid or blank DNS requests to a server. These attacks are intended to exhaust resources
or to exploit vulnerabilities.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration , and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
When a DNS request arrives at port 53 (source or destination), APS performs the following
tests:
• Verifies that the packet contains a payload that could be part of a valid DNS message. If
the payload is missing, APS blocks the packet.
• Evaluates valid DNS requests for compliance with RFC standards. APS blocks any
requests that do not conform to the standards.
APS does not block the source host.
Block Malformed DNS Traffic settings
The Block Malformed DNS Traffic category contains the following setting for each
protection level:
Enabled and Disabled buttons
Click one of these buttons to enable or disable this category.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
Block Malformed SIP Traffic Settings
Use the Block Malformed SIP Traffic settings to prevent attacks that disrupt VoIP service by
sending invalid or blank SIP requests.
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration , and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
When a UDP packet arrives at a SIP destination port (usually port 5060), APS performs the
following tests:
• Verifies that the packet contains a payload that could be part of a valid SIP request. If
the payload is missing, APS blocks the packet and temporarily blocks the source host.
• Evaluates valid SIP requests to verify that all of the headers that are specified in RFC
3261 section 8.1 are properly formatted and have reasonable values. APS blocks any
requests that do not conform to the standards and temporarily blocks the source host.
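RFC 3261 section 8.1.1 lists the six header fields every request must carry: To, From, CSeq, Call-ID, Max-Forwards and Via. The following added example (not Arbor's code and not a description of how APS parses SIP) applies the two tests described above to a UDP payload: reject a blank payload, then check the Request-Line and the mandatory headers and apply plausibility checks on their values (Max-Forwards 0..255, CSeq "<number> <method>" matching the request method, Via beginning with SIP/2.0/). The sample INVITE and its broken variants are constructed.

```python
"""SIP request checks against the RFC 3261 section 8.1.1 mandatory headers (added example)."""
from typing import Dict, List

MANDATORY = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")     # RFC 3261 8.1.1
CORE_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}  # RFC 3261 7.1
# Header names are case-insensitive, and four of the mandatory ones have compact forms.
CANONICAL = {h.lower(): h for h in MANDATORY}
CANONICAL.update({"t": "To", "f": "From", "i": "Call-ID", "v": "Via"})


def parse_headers(lines: List[str], problems: List[str]) -> Dict[str, List[str]]:
    headers: Dict[str, List[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"header line without a colon: {line!r}")
            continue
        key = name.strip().lower()
        headers.setdefault(CANONICAL.get(key, name.strip()), []).append(value.strip())
    return headers


def check_sip_request(payload: bytes) -> List[str]:
    """Return the problems found; an empty list means the request passes."""
    if not payload.strip():
        return ["empty payload"]
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return ["payload is not valid UTF-8"]
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    problems: List[str] = []
    parts = lines[0].split(" ")
    method = None
    if len(parts) != 3 or parts[2] != "SIP/2.0" or parts[0] not in CORE_METHODS:
        problems.append(f"bad request line: {lines[0]!r}")
    else:
        method = parts[0]
    headers = parse_headers(lines[1:], problems)
    for name in MANDATORY:
        if name not in headers:
            problems.append(f"missing {name}")
    if "Max-Forwards" in headers:
        value = headers["Max-Forwards"][0]
        if not value.isdigit() or int(value) > 255:
            problems.append("Max-Forwards must be an integer 0..255")
    if "CSeq" in headers:
        cseq = headers["CSeq"][0].split()
        if len(cseq) != 2 or not cseq[0].isdigit() or (method and cseq[1] != method):
            problems.append("CSeq must be '<number> <method>' for this request")
    if "Via" in headers and not all(v.startswith("SIP/2.0/") for v in headers["Via"]):
        problems.append("Via must start with SIP/2.0/<transport>")
    if "Call-ID" in headers and not headers["Call-ID"][0]:
        problems.append("empty Call-ID")
    return problems


# Constructed sample INVITE, shaped like the RFC 3261 examples.
GOOD_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NO_VIA = GOOD_INVITE.replace(b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n", b"")
BAD_CSEQ = GOOD_INVITE.replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE")

if __name__ == "__main__":
    for label, sample in (("good", GOOD_INVITE), ("blank", b"  "),
                          ("no Via", NO_VIA), ("bad CSeq", BAD_CSEQ)):
        print(label, "->", check_sip_request(sample) or "passes")
```

Compact header forms (v:, t:, f:, i:) are legal and must be accepted; a checker that keys on the long names only will drop legitimate phones that use them.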
Block Malformed SIP Traffic settings
The Block Malformed SIP Traffic category contains the following setting for each protection
level:
Enabled and Disabled buttons
Click one of these buttons to enable or disable this category.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
Botnet Prevention Settings
Use the Botnet Prevention settings to prevent botnet attacks, in which a large set of
compromised computers generate a high-volume traffic attack that targets a victim server.
The Botnet Prevention settings allow APS to detect and block botnet attacks based on
known botnet behaviors.
You also can prevent botnet attacks based on the traffic patterns or profiles by which
Arbor identifies known botnets. See “ATLAS Intelligence Feed Settings” on page 120.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration , and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About botnets
The following patterns of behavior are common to many botnets:
• Sending requests with incomplete header fields
• Sending slow request attacks, which usually contain artificially truncated request
segments
For example, some botnets send multiple, small HTTP requests, and then terminate each
connection before the request is complete. This attack causes a series of bad request
errors and overwhelms the victim server.
About these settings
To prevent botnet attacks, APS performs the following tests:
• Basic Botnet Prevention
Checks the packet headers for incomplete fields. APS blocks any packets whose headers
are incomplete and temporarily blocks the source host. The fields that are checked vary by
protection level, as follows:
Low: Analyzes the Host field in HTTP 1.1 requests
Medium: Analyzes the Host field in HTTP 1.1 requests
High: Analyzes the Host, User-Agent, and Connection fields in all requests
• Prevent Slow Request Attacks
Checks for HTTP requests that contain less than 500 bytes of data and do not end with
\n. Requests that match these criteria are likely to be part of a slow HTTP attack. APS
passes the first three packets that match these criteria and then drops the subsequent
packets and temporarily blocks the source host.
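The two tests above are concrete enough to model, which is useful for predicting what a given protection level will do to legitimate clients (HTTP/1.0 clients without a Host header, monitoring agents with no User-Agent). The following added example is not Arbor's code and not a description of the APS engine: it applies the stated rules, with the Low and Medium Host check limited to HTTP/1.1 requests, the High check applied to every request, and slow-request fragments (under 500 bytes, not ending in a newline) passed three times per source before the fourth is dropped and the source blocked. Running the header check before the slow-request check is this example's choice; the request samples are constructed.

```python
"""Basic Botnet Prevention and slow-request checks as described in the guide (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

REQUIRED_FIELDS = {
    "low": ("Host",),
    "medium": ("Host",),
    "high": ("Host", "User-Agent", "Connection"),
}
SLOW_REQUEST_MAX_BYTES = 500
SLOW_FRAGMENTS_PASSED = 3


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (HTTP version from the request line, lower-cased header map)."""
    head, _, _body = raw.decode("latin-1").partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    version = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return version, headers


def missing_fields(raw: bytes, level: str) -> List[str]:
    """Header fields the Basic Botnet Prevention check finds absent at this level."""
    version, headers = parse_request(raw)
    if level != "high" and version != "HTTP/1.1":
        return []   # Low and Medium analyze HTTP 1.1 requests only
    return [f for f in REQUIRED_FIELDS[level] if f.lower() not in headers]


def is_slow_fragment(raw: bytes) -> bool:
    return len(raw) < SLOW_REQUEST_MAX_BYTES and not raw.endswith(b"\n")


class BotnetPrevention:
    def __init__(self, level: str, basic: bool = True, slow: bool = True) -> None:
        self.level, self.basic, self.slow = level, basic, slow
        self.fragments: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def inspect(self, src_ip: str, raw: bytes) -> str:
        """Return 'pass', 'drop' (source already blocked) or 'drop+block'."""
        if src_ip in self.blocked:
            return "drop"
        if self.basic and missing_fields(raw, self.level):
            self.blocked.add(src_ip)
            return "drop+block"
        if self.slow and is_slow_fragment(raw):
            self.fragments[src_ip] += 1
            if self.fragments[src_ip] > SLOW_FRAGMENTS_PASSED:
                self.blocked.add(src_ip)
                return "drop+block"
        return "pass"


# Constructed samples.
NO_HOST_11 = b"GET / HTTP/1.1\r\nUser-Agent: curl/7.0\r\n\r\n"
NO_HOST_10 = b"GET / HTTP/1.0\r\nUser-Agent: curl/7.0\r\n\r\n"
HOST_ONLY = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FULL = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: curl/7.0\r\nConnection: close\r\n\r\n")
SLOW_FRAGMENT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: b"   # no trailing newline


def slow_attack_outcomes(level: str, count: int) -> List[str]:
    """Feed `count` slow fragments from one source and return the per-packet decisions."""
    engine = BotnetPrevention(level)
    return [engine.inspect("198.51.100.7", SLOW_FRAGMENT) for _ in range(count)]


if __name__ == "__main__":
    for level in ("low", "high"):
        engine = BotnetPrevention(level)
        samples = (NO_HOST_11, NO_HOST_10, HOST_ONLY, FULL)
        print(level, [engine.inspect(f"203.0.113.{i}", r) for i, r in enumerate(samples)])
    print("slow fragments:", slow_attack_outcomes("medium", 5))
```

Note the asymmetry the table states: a request that lacks Host is tolerated at Low and Medium if it is HTTP/1.0, but at High every request, whatever its version, must carry all three fields, so an inventory of clients that omit User-Agent or Connection is worth taking before raising a web server type to High.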
Botnet Prevention settings
Important
The Botnet Prevention settings work only if Malformed HTTP Filtering is enabled. If you
disable Malformed HTTP Filtering, the Botnet Prevention settings for the corresponding
protection levels are disabled also. If you enable one of the Botnet Prevention settings,
the Malformed HTTP Filtering is enabled for the corresponding protection levels. See
“Malformed HTTP Filtering Settings” on page 138.
The Botnet Prevention category contains the following settings for each protection level:
Enable Basic Botnet Prevention buttons
Click one of these buttons to enable or disable the inspection of traffic for missing HTTP
header fields, which are a common indicator of botnet attacks.
Prevent Slow Request Attacks buttons
Click one of these buttons to enable or disable the inspection of traffic for requests that
are characteristic of slow HTTP attacks.
CDN and Proxy Support Settings
Use the CDN and Proxy Support settings to prevent the global blocking of all traffic from a
content delivery network (CDN) or proxy.
The protection categories in APS block malicious traffic, temporarily block malicious hosts,
or both. When traffic is routed through a CDN or proxy, the source IP address is that of the
last CDN or proxy device. That source IP address is shared by all of the users whose traffic
passes that device. Therefore, the protection settings that block an attacker’s IP address
might block all traffic from the CDN or proxy. To prevent the blocking of all traffic from a
CDN or proxy, enable CDN and Proxy Support.
When CDN and Proxy Support is enabled, APS relies on the protection categories that
block malicious traffic but do not block the attacker’s IP address. The clean traffic from the
CDN or proxy is passed.
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration , and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
CDN and Proxy Support settings
The CDN and Proxy Support category contains the following setting for each protection
level:
Enabled and Disabled buttons
Click one of these buttons to enable or disable this category. By default, this category is
disabled.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
DNS Authentication Settings
Use the DNS Authentication category to protect against DNS attacks that originate from a
source that is not a valid host. These settings can protect any type of DNS server.
APS forces any clients that send DNS requests to change to TCP before the queries reach
the DNS server. This change validates that the original request came from a legitimate
client. APS blocks any requests that are not verified, but does not block the source hosts.
Important
If a cloud service provider forwards cleaned traffic through a GRE tunnel, then APS does not inspect that traffic for Spoofed SYN Flood Prevention or DNS Authentication. In this case, APS ignores these protection settings because it would have to send packets back through the GRE tunnel.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
Before you enable these settings for active mitigation, test them thoroughly in a lab environment. Because these settings require two-way communications, they must be tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active protection mode. See “Setting the Deployment Mode” in the APS User Guide and “Setting the Protection Mode (Active or Inactive)” on page 84.
DNS Authentication settings
The DNS Authentication category contains the following setting for each protection level:
Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.
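The TCP-switch check described above, shown as an added example that is not part of this guide and is not Arbor's implementation: a simulated authenticator answers a UDP query from a source that has not yet been validated with an empty reply whose TC (truncated) bit is set, which makes a genuine resolver retry the query over TCP; a TCP query then marks the source as validated, and unverified UDP requests are not forwarded, while the source host is never blocked. The packet builder, the DnsAuthenticator class and the addresses are constructed for this example; expiry of the validated state is left out.

```python
"""Simulated DNS authentication (added example; not Arbor code)."""
import struct

QR = 0x8000      # response flag
OPCODE = 0x7800  # opcode bits, copied from the query
TC = 0x0200      # truncated flag: tells a real resolver to retry over TCP
RD = 0x0100      # recursion desired, copied from the query


def build_query(txid, qname, qtype=1):
    """Construct a minimal DNS query (header + one question) as sample input."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def truncated_reply(query):
    """Build an empty answer with TC=1 that echoes the ID, opcode, RD bit and question."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    reply_flags = QR | TC | (flags & (OPCODE | RD))
    return struct.pack("!HHHHHH", txid, reply_flags, qdcount, 0, 0, 0) + query[12:]


def flags_of(packet):
    """Return the 16-bit flags word of a DNS message."""
    return struct.unpack("!H", packet[2:4])[0]


class DnsAuthenticator:
    """Decides, per source IP, whether a query may reach the protected DNS server."""

    def __init__(self):
        self.validated = set()   # sources that have completed a TCP query

    def handle(self, src_ip, transport, query):
        """Return (action, reply): action is 'pass', 'challenge' or 'drop'."""
        if len(query) < 12:
            return "drop", None          # not a DNS message; dropped, host not blocked
        if transport == "tcp":
            # A TCP query proves the three-way handshake completed from src_ip,
            # so the address cannot be spoofed; remember it as validated.
            self.validated.add(src_ip)
            return "pass", None
        if src_ip in self.validated:
            return "pass", None
        # Unvalidated UDP query: do not forward it; answer with TC=1 instead.
        return "challenge", truncated_reply(query)
```

A real resolver that receives the truncated reply retries over TCP on its own; a spoofed UDP source never does, so it never becomes validated and its queries never reach the server, which is why two-way communication (an inline deployment) is required.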
DNS NXDomain Rate Limiting Settings
Use the DNS NXDomain Rate Limiting category to monitor response packets for hosts that
send requests that might cause the generation of a non-existent domain (NXDomain)
response. These settings protect against DNS cache poisoning and dictionary attacks.
APS temporarily blocks any host that generates more consecutive failed DNS requests
than the configured limit.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
Requirement
If you plan to use these settings, your network must be configured so that APS can see the DNS response traffic from the DNS server.
DNS NXDomain Rate Limiting settings
The DNS NXDomain Rate Limiting category contains the following setting for each protection level. If the View profile icon appears next to a setting, you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
DNS NXDomain Rate Limit box: Type the number of failed queries to allow per second. To disable this setting, leave this box empty.
If you do not configure the DNS NXDomain Rate Limiting settings, the processing of outbound traffic is affected as follows:
- The following response-based protection categories do not block outbound traffic (these protection categories are configured in the server types):
  - Filter List. See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 164.
  - Multicast Blocking. See “Multicast Blocking Settings” on page 139.
  - Private Address Blocking. See “Private Address Blocking Settings” on page 143.
- The blacklist does not block outbound traffic.
- You cannot perform a packet capture on “int” interfaces.
To address these issues, you must enable the Outbound Threat Filter and add FCAP expressions to the filter list to block outbound traffic. See “Configuring the Outbound Threat Filter” on page 115.
DNS Rate Limiting Settings
Use the DNS Rate Limiting settings to prevent attacks from legitimate hosts who misuse
DNS requests to flood DNS servers.
APS inspects all of the DNS traffic that originates from a single source and records the
number of queries per second. It blocks any traffic that exceeds the configured rate limit. If
the traffic is inbound, APS temporarily blocks the source host.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
Navigating to the protection settings
In APS Console, you configure these settings for multiple APS devices on the following pages:
- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 115.
DNS Rate Limiting settings
The DNS Rate Limiting category contains the following setting for each protection level. If the View profile icon appears next to a setting, then you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
DNS Query Rate Limit box: Type the maximum number of DNS queries per second that a source can send before it is blocked. This rate limit represents what you consider to be a reasonable maximum amount of DNS traffic. To disable this setting, leave this box empty.
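Both DNS limits above, the DNS Query Rate Limit (counted on queries from a source) and the DNS NXDomain Rate Limit (counted on NXDOMAIN answers returned to a source, which is why the server's responses must be visible), share one per-second counter. The following added example, which is not Arbor code and not part of this guide, shows both applied to constructed DNS log records; the DnsRateLimiter class, the sample addresses and the timestamps are assumptions, and the temporary block has no expiry here.

```python
"""Per-source DNS query rate limiting and NXDomain rate limiting (added example; not Arbor code)."""
from collections import defaultdict


class DnsRateLimiter:
    """Two independent per-second counters keyed by source address:
    queries sent by a source (DNS Query Rate Limit) and NXDOMAIN answers
    returned to it (DNS NXDomain Rate Limit). A limit of None is disabled,
    matching an empty box in the UI."""

    NXDOMAIN = 3   # DNS RCODE for a non-existent domain

    def __init__(self, query_limit=None, nxdomain_limit=None):
        self.query_limit = query_limit
        self.nxdomain_limit = nxdomain_limit
        self.queries = defaultdict(int)    # (source, second) -> queries seen
        self.failures = defaultdict(int)   # (client, second) -> NXDOMAIN answers seen
        self.blocked = set()               # temporarily blocked hosts (expiry omitted)

    def on_query(self, ts, src, direction="inbound"):
        """Return 'pass' or 'block' for one query from src at time ts."""
        if src in self.blocked:
            return "block"
        key = (src, int(ts))
        self.queries[key] += 1
        if self.query_limit is not None and self.queries[key] > self.query_limit:
            if direction == "inbound":
                self.blocked.add(src)     # only inbound excess blocks the source host
            return "block"
        return "pass"

    def on_response(self, ts, client, rcode):
        """Count failed answers returned to client; this needs the server's
        response traffic to be visible (the Requirement above)."""
        if rcode != self.NXDOMAIN or self.nxdomain_limit is None:
            return
        key = (client, int(ts))
        self.failures[key] += 1
        if self.failures[key] > self.nxdomain_limit:
            self.blocked.add(client)


def run_sample():
    """Replay constructed records: one client bursting queries, one quiet client
    and one probing names that do not exist. Returns (verdicts by source, blocked)."""
    limiter = DnsRateLimiter(query_limit=5, nxdomain_limit=3)
    records = [("query", 10.1 + i * 0.1, "203.0.113.5", None) for i in range(6)]
    records += [("query", 10.2, "203.0.113.9", None), ("query", 11.0, "203.0.113.9", None)]
    records += [("response", 20.0 + i * 0.2, "203.0.113.7", 3) for i in range(4)]
    records += [("response", 20.5, "203.0.113.9", 0)]
    verdicts = defaultdict(list)
    for kind, ts, ip, rcode in records:
        if kind == "query":
            verdicts[ip].append(limiter.on_query(ts, ip))
        else:
            limiter.on_response(ts, ip, rcode)
    return dict(verdicts), limiter.blocked
```

The NXDomain counter never looks at the queries themselves, only at the RCODE of the answers, so a probing client that spreads its lookups across many names is still caught once the server starts answering NXDOMAIN faster than the limit.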
DNS Regular Expression Settings
The DNS Regular Expression settings allow you to target specific DNS traffic. APS inspects
all of the DNS traffic and applies each regular expression separately to each line of the
DNS requests. If traffic matches an expression, APS drops that traffic.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
DNS Regular Expression settings
The DNS Regular Expression category contains the following setting for each protection level:
DNS Regular Expressions lines: Type a regular expression to filter out DNS traffic with matching requests or headers. Use PCRE format. You can type multiple regular expressions. APS uses the OR operator for multiple regular expressions.
Fragment Detection Settings
Use the Fragment Detection settings to protect against attacks that send an excessive
number of IP packet fragments to a server to exhaust its resources.
About fragmentation attacks
A fragmentation attack is a flood of unwanted IP packet fragments. IP standards require a
receiving host to store packet fragments until the other fragments of that packet arrive and
the packet can be reassembled. If the other fragments never arrive, the original fragments
remain in the victim server’s buffers until a timeout marks them as too old. Such a large
number of fragments can fill the server buffer space and prevent the receipt of clean
traffic.
APS inspects the packet fragments that originate from a single source and records the bits
per second and packets per second. It blocks any traffic that exceeds the configured rate
limits. If the protection level is medium or high, it temporarily blocks the source host.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
Fragment Detection settings
The Fragment Detection category contains the following settings for each protection level. If the View profile icon appears next to a setting, then you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
Enable Fragment Detection buttons: Click one of these buttons to enable or disable this category.
Maximum bps box: Type the maximum amount of traffic (in bps) to allow from a single source.
Maximum pps box: Type the maximum amount of traffic (in pps) to allow from a single source.
HTTP Header Regular Expressions Settings
Use the HTTP Header Regular Expressions settings to target specific HTTP traffic.
APS inspects HTTP traffic and applies each regular expression to each line of the HTTP headers and HTTP requests. If any regular expression matches the first HTTP request or HTTP header in a connection, then APS blocks that request and temporarily blocks the source host. If no regular expression matches the first HTTP request or HTTP header in a connection, then APS whitelists all of the HTTP requests for that connection.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
HTTP Header Regular Expressions settings
The HTTP Header Regular Expressions category contains the following setting for each protection level:
Header Regular Expressions lines: Type a regular expression to match HTTP requests or headers. Use PCRE format. You can type multiple regular expressions. APS uses the OR operator for multiple regular expressions.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
HTTP Rate Limiting Settings
Use the HTTP Rate Limiting settings to limit the rates at which a source host can send HTTP
requests. These settings prevent a host from overwhelming the resources of a web server
by sending too many requests or by requesting too many unique HTTP objects. (An HTTP
object is a request for a specific resource.)
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
About these settings
APS monitors the HTTP requests from each host and performs the following tests:
- Compares the number of requests per second to the configured rate limit. If the request rate is too high, APS blocks the requests and temporarily blocks the source host.
- Compares the number of unique HTTP objects per second to the configured URL limit. If the object rate is too high, APS blocks the requests and temporarily blocks the source host.
The default limits are usually acceptable for typical users. Because a web server can be
heavily loaded by a small number of HTTP requests, do not raise the limits by large
amounts without careful consideration. If you need to make an exception for a content
mirror server, you can add it to a pass rule in the Filter List settings. See “Configuring Filter
Lists for Specific Server Types or the Outbound Threat Filter” on page 164.
HTTP Rate Limiting settings
The HTTP Rate Limiting category contains the following settings for each protection level. If the View profile icon appears next to a setting, then you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
HTTP Request Limit box: Type the number of HTTP requests to allow per second. An HTTP request is any type of request such as GET, POST, HEAD, or OPTIONS. To disable this setting, leave this box empty.
HTTP URL Limit box: Type the number of requests for a unique HTTP object (specific URL) to allow per second. For example, the medium level defaults are 500 for the HTTP Request Limit and 15 for the HTTP URL Limit. If 100 requests for the same URL are received in one second, they are blocked because they exceed the URL limit. To disable this setting, leave this box empty.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
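The two tests described in this section, worked through as an added example that is not Arbor code and not part of this guide: a per-host counter of all requests per second against the HTTP Request Limit, and a per-host, per-URL counter against the HTTP URL Limit, with the table's own medium-level values (500 and 15) as defaults and its 100-requests-for-one-URL case replayed. The HttpRateLimiter class, the request records and the addresses are constructed; how the URL limit is counted follows the table's example (requests for one specific URL in one second).

```python
"""HTTP request rate and URL rate limiting per source host (added example; not Arbor code)."""
from collections import defaultdict


class HttpRateLimiter:
    """Two per-second tests per source host, as the section above describes:
    total requests against HTTP Request Limit, and requests for one specific
    URL against HTTP URL Limit. Either test failing blocks the request and
    temporarily blocks the host. None disables a limit (empty box)."""

    def __init__(self, request_limit=500, url_limit=15):   # medium-level defaults from the table
        self.request_limit = request_limit
        self.url_limit = url_limit
        self.requests = defaultdict(int)   # (host, second) -> requests of any method
        self.urls = defaultdict(int)       # (host, second, url) -> requests for that object
        self.blocked = set()               # temporarily blocked hosts (expiry omitted)

    def check(self, ts, host, method, url):
        """Return 'pass', 'block:request-limit', 'block:url-limit' or 'blocked'."""
        if host in self.blocked:
            return "blocked"
        sec = int(ts)
        self.requests[(host, sec)] += 1          # GET, POST, HEAD, OPTIONS: every method counts
        self.urls[(host, sec, url)] += 1
        if self.request_limit is not None and self.requests[(host, sec)] > self.request_limit:
            self.blocked.add(host)
            return "block:request-limit"
        if self.url_limit is not None and self.urls[(host, sec, url)] > self.url_limit:
            self.blocked.add(host)
            return "block:url-limit"
        return "pass"


def replay(requests, **limits):
    """Run constructed (ts, host, method, url) records; return (verdicts, blocked)."""
    limiter = HttpRateLimiter(**limits)
    return [limiter.check(*r) for r in requests], limiter.blocked


def sample_same_url():
    """The table's example: 100 requests for one URL within a single second."""
    reqs = [(5.0 + i / 200, "198.51.100.20", "GET", "/index.html") for i in range(100)]
    return replay(reqs)


def sample_distinct_urls():
    """A client fetching 20 different objects in one second stays under both limits."""
    reqs = [(7.0 + i / 100, "198.51.100.21", "GET", f"/page/{i}") for i in range(20)]
    return replay(reqs)
```

In the same-URL sample the sixteenth request trips the URL limit long before the request limit is reached, which is the point of having both tests: a small number of repeated fetches of one expensive object can load a server more than many requests spread across cheap ones.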
HTTP Reporting Settings
Use the HTTP Reporting settings to enable or disable the display of the top URLs and top
domains on the View Protection Group page. This information appears in the Web Traffic
By URL section and the Web Traffic By Domain section, respectively.
HTTP Reporting is enabled by default. Disabling HTTP Reporting can improve the performance of APS.
See the following topics for more information about these displays:
- “Viewing the Top URLs for a Protection Group” on page 206
- “Viewing the Top Domains for a Protection Group” on page 208
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
HTTP Reporting settings
The following setting applies to all protection levels:
Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
ICMP Flood Detection Settings
Use the ICMP Flood Detection settings to detect ICMP flood attacks.
An ICMP flood exploits the ping utility, which allows a user to verify that a particular IP
address exists and can accept requests. The attacker sends a large number of ICMP echo
requests to the victim web server. The server tries to respond to all of the requests until it
exhausts its resources and cannot respond to clean traffic.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
About these settings
Typically, a legitimate client does not send a large number of ICMP echo requests to a single server. APS inspects the ICMP traffic that originates from a single source and records the number of ICMP packets per second and bits per second. If the protection level is low, then APS allows traffic up to the configured rate limit. If the protection level is medium or high, APS blocks the host's traffic and temporarily blocks the source host.
ICMP Flood Detection settings
The ICMP Flood Detection category contains the following settings for each protection level. If the View profile icon appears next to a setting, then you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
Enable ICMP Flood Detection buttons: Click one of these buttons to enable or disable this category.
Maximum Request Rate box: Type the maximum number of ICMP echo requests per second that a source can send before it is blocked. This rate limit represents what you consider to be a reasonable amount of ICMP traffic.
Maximum bps box: Type the maximum amount of traffic (in bps) to allow from a single source.
For a description of the protection levels, see “About the Protection Levels” on page 86 .
Malformed HTTP Filtering Settings
Use the Malformed HTTP Filtering settings to protect against attacks that exhaust
resources by sending invalid or blank HTTP requests to a server.
The bots in a botnet sometimes manufacture the HTTP requests that they use to flood
victim servers, and these requests can be malformed. For example, the request header
might not conform to RFC 2616.
Navigating to the protection settings
In APS Console, you configure these settings for multiple APS devices on the following pages:
- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 115.
About these settings
APS performs the following tests on HTTP requests:
- Verifies that the HTTP header conforms to RFC 2616 Section 2.2 "Basic Rules". Exceptions to the RFC constraints on the space character are allowed.
- Verifies that the entire request is in a legal and consistent format.
If any of these evaluations fails, APS blocks the request. If the traffic is inbound, APS temporarily blocks the source host or destination host.
Malformed HTTP Filtering settings
The Malformed HTTP Filtering category contains the following setting for each protection level:
Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.
Important
The Botnet Prevention settings work only if Malformed HTTP Filtering is enabled. If you disable Malformed HTTP Filtering, the Botnet Prevention settings for the corresponding protection levels are disabled also. If you enable one of the Botnet Prevention settings, the Malformed HTTP Filtering is enabled for the corresponding protection levels. See “Botnet Prevention Settings” on page 126.
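The two checks that this section and the HTTP Header Regular Expressions section describe, as an added example that is not Arbor code and not part of this guide: a validator that applies the token and CTL rules of RFC 2616 Section 2.2 to the request line and header fields (tolerating extra spaces in the request line, the relaxation the section mentions), and a filter that applies an OR'd regular expression list to each line of only the first request on a connection, blocking the source host on a match and whitelisting the connection otherwise. The function and class names, the sample requests and the addresses are constructed; the malformed cases it rejects are assumptions about which violations such a filter catches, not APS's own list.

```python
"""Malformed HTTP filtering and header regular expressions (added example; not Arbor code)."""
import re

CTL = {chr(c) for c in range(32)} | {chr(127)}            # RFC 2616 2.2: CTL
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')                  # RFC 2616 2.2: separators
VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")


def is_token(s):
    """token = 1*<any CHAR except CTLs or separators> (CHAR is US-ASCII)."""
    return bool(s) and all(ord(c) < 128 and c not in CTL and c not in SEPARATORS for c in s)


def validate_request(raw):
    """Return None when the request head is well-formed, otherwise a reason string."""
    if not raw.strip():
        return "blank request"
    head = raw.split("\r\n\r\n", 1)[0]
    if "\n" in head.replace("\r\n", ""):
        return "bare LF in header block"
    head = head.rstrip("\r\n")
    # The RFC requires single SP separators; like the filter above, extra
    # spaces are tolerated, so the request line is split on runs of whitespace.
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return "request line is not 'Method Request-URI HTTP-Version'"
    method, _uri, version = parts
    if not is_token(method):
        return "method is not a token"
    if not VERSION_RE.match(version):
        return "malformed HTTP version"
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            continue                      # LWS continuation of the previous field
        name, sep, value = line.partition(":")
        if not sep or not is_token(name):
            return "header name is not a token"
        if any(c in CTL and c != "\t" for c in value):
            return "control character in header value"
    return None


class HeaderRegexFilter:
    """OR'd patterns applied line by line to the first request of a connection only."""

    def __init__(self, patterns):
        self.patterns = [re.compile(p) for p in patterns]
        self.whitelisted = set()     # connections whose first request matched nothing
        self.blocked_hosts = set()   # sources temporarily blocked (expiry omitted)

    def check(self, conn_id, src_host, raw):
        """Return 'pass' or 'block' for one request on connection conn_id."""
        if src_host in self.blocked_hosts:
            return "block"
        if conn_id in self.whitelisted:
            return "pass"              # later requests on this connection are not inspected
        head = raw.split("\r\n\r\n", 1)[0]
        if any(p.search(line) for line in head.split("\r\n") for p in self.patterns):
            self.blocked_hosts.add(src_host)
            return "block"
        self.whitelisted.add(conn_id)
        return "pass"


# Constructed sample requests
GOOD = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
CTL_IN_VALUE = "GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Tag: abc\x01def\r\n\r\n"
BAD_NAME = "GET / HTTP/1.1\r\nBad Name: x\r\n\r\n"
BOT = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: ExampleBot/1.0\r\n\r\n"
```

The whitelist-per-connection behaviour matters operationally: once the first request on a connection passes, a later request on the same connection that would have matched is not inspected, so a pattern that only appears in later requests of a keep-alive session gives no protection.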
Multicast Blocking Settings
Use the Multicast Blocking settings to protect against attacks that misuse multicast routing
to overwhelm a server’s resources.
About multicasting
Many attackers use multicasting to reflect and amplify attack traffic. For example, one type
of attack sends echo requests to a multicast address, spoofing the request source with the
victim’s IP address. The amplified request can result in an excessive number of responses
that overwhelm the victim server and prevent it from accepting clean traffic.
To protect against this kind of attack, APS blocks any inbound traffic whose source or
destination is a designated multicast address. APS also blocks any outbound traffic whose
source or destination is a designated multicast address.
Important
If you do not enable the DNS NXDomain Rate Limiting protection settings, the Multicast
Blocking settings do not block outbound traffic. In this situation, you must enable the
Outbound Threat Filter and add FCAP expressions to the filter list to block outbound
traffic. See “Configuring the Outbound Threat Filter” on page 115.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
Multicast Blocking settings
The Multicast Blocking category contains the following setting for each protection level:
Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.
Payload Regular Expression Settings
Use the Payload Regular Expression settings to drop malicious TCP traffic and UDP traffic
or to temporarily blacklist the hosts that sent the malicious traffic. Payload regular
expressions help you to identify attacks by packets that contain unique data patterns in
their payloads. You also can configure these protection settings to inspect packet headers.
Many application layer DDoS attacks and packet repetition attacks can be identified by
their payloads. The payload of a TCP packet or UDP packet consists of the data that
appears after the header.
The Payload Regular Expression protection settings are available for all of the IPv4 server
types and for the Generic IPv6 Server type. See “About the Server Types” on page 92.
You can configure the settings for each protection level. See “About the Protection Levels”
on page 86.
Navigating to the Payload Regular Expression settings
In APS Console, you configure these settings for multiple APS devices on the following pages:
- For inbound traffic: Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
- For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat Filter). See “Configuring the Outbound Threat Filter” on page 115.
About these settings
APS inspects all TCP traffic and UDP traffic sent from or sent to the specified ports, and matches each regular expression against each packet's payload. If you enable the Apply Regular Expression to Packet Headers setting, APS also matches each regular expression against each packet's header.
You can select source or destination as the direction of the specified ports.
For inbound traffic, if the payload or header matches a regular expression, then APS drops the packet or temporarily blocks all traffic from the host. For outbound traffic, if the payload or header matches a regular expression, then APS drops the packet.
APS matches the regular expression against individual packets only. It does not detect matching content that spans multiple packets.
Note
If you enter a regular expression, but you do not specify any ports or port ranges, APS passes all TCP and UDP traffic.
Payload Regular Expression settings
The Payload Regular Expression category contains the following settings for each protection level:
Enable Payload Regular Expression buttons: Click one of these buttons to enable or disable this category for each protection level.
Port Direction buttons: To inspect traffic that is sent from TCP ports and UDP ports on source hosts, click Source. To inspect traffic that is sent to TCP ports and UDP ports on destination hosts, click Destination.
Payload Regular Expression TCP Ports box: Type the port numbers to define the TCP traffic to inspect. You can enter port numbers and port ranges (for example, 10-22). To inspect all TCP traffic, enter all. Use spaces or commas to separate multiple port numbers. If you set Port Direction to Source, APS matches the regular expressions against TCP packets that are sent from the specified ports. If you set Port Direction to Destination, APS matches the regular expressions against TCP packets that are sent to the specified ports. Note: If you specify a regular expression, but you do not specify any ports or port ranges, APS passes all TCP traffic.
Payload Regular Expression UDP Ports box: Type the port numbers to define the UDP traffic to inspect. You can enter single port numbers and port ranges (for example, 10-22). To inspect all UDP traffic, enter all. Use spaces or commas to separate multiple port numbers and port ranges. If you set Port Direction to Source, APS matches the regular expressions against UDP packets that are sent from the specified ports. If you set Port Direction to Destination, APS matches the regular expressions against UDP packets that are sent to the specified ports. Note: If you specify a regular expression, but you do not specify any ports or port ranges, APS passes all UDP traffic.
Payload Regular Expression box: Type the regular expressions to match against packets sent from or sent to the specified ports. Use PCRE format. If you add multiple regular expressions, then press ENTER after each one. APS uses the OR operator for multiple regular expressions. Note: If you enter a regular expression, but you do not specify any ports or port ranges, APS passes all TCP and UDP traffic. If you enable the Apply Regular Expression to Packet Headers option, then APS also matches these expressions against the packet headers.
Apply Regular Expression to Packet Headers buttons: Click Enabled to match the regular expressions against packet headers in addition to packet payloads. If you enable this option, then APS blocks attacks based on specific patterns in packet headers. To match the regular expressions against packet payloads only, click Disabled.
Action to Apply buttons: Click Drop Packets to drop the packets that match regular expressions. Click Block Hosts to temporarily block all traffic from the hosts of the packets that match the regular expressions. Note: This option only applies to inbound traffic. For outbound traffic, APS always drops the packets that match the regular expressions.
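The semantics of the settings above, put together in an added example that is not Arbor code and not part of this guide: a parser for the port boxes (single ports, ranges such as 10-22, space or comma separators, and all), the Port Direction choice, OR'd patterns matched against each packet's payload and optionally its header, the Drop Packets versus Block Hosts action for inbound traffic with outbound matches always dropped, and the two documented edge cases (no ports configured means nothing is inspected; content split across two packets is never matched). The Packet record, the PayloadRegexFilter class, the pattern and the sample packets are constructed, and payloads are kept as text for readability.

```python
"""Payload Regular Expression inspection over constructed packets (added example; not Arbor code)."""
import re
from collections import namedtuple

# Constructed packet record: header and payload are kept as text for the example
Packet = namedtuple("Packet", "direction proto src_ip sport dport header payload")


def parse_ports(spec):
    """Parse a port box: numbers and ranges separated by spaces or commas,
    or 'all'. Returns None for 'all' (every port) and an empty set when blank."""
    spec = spec.strip().lower()
    if spec == "all":
        return None
    ports = set()
    for item in re.split(r"[\s,]+", spec):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


class PayloadRegexFilter:
    def __init__(self, patterns, tcp_ports="", udp_ports="", direction="destination",
                 inspect_headers=False, action="drop"):
        self.patterns = [re.compile(p) for p in patterns]   # OR'd: any match counts
        self.ports = {"tcp": parse_ports(tcp_ports), "udp": parse_ports(udp_ports)}
        self.direction = direction          # which port of the packet is compared
        self.inspect_headers = inspect_headers
        self.action = action                # 'drop' or 'block' (inbound only)
        self.blocked_hosts = set()          # temporarily blocked sources (expiry omitted)

    def selected(self, pkt):
        """True when this packet's protocol and port are within the configured scope."""
        ports = self.ports[pkt.proto]
        port = pkt.sport if self.direction == "source" else pkt.dport
        # No ports configured for this protocol means nothing is inspected:
        # the traffic passes even when a regular expression is set.
        return ports is None or port in ports

    def check(self, pkt):
        """Return 'pass', 'drop' or 'block' for one packet; matching is per packet,
        so content split across two packets is never seen."""
        if pkt.src_ip in self.blocked_hosts:
            return "block"
        if not self.selected(pkt):
            return "pass"
        fields = [pkt.payload] + ([pkt.header] if self.inspect_headers else [])
        if not any(p.search(f) for p in self.patterns for f in fields):
            return "pass"
        if pkt.direction == "inbound" and self.action == "block":
            self.blocked_hosts.add(pkt.src_ip)
            return "block"
        return "drop"        # outbound matches are always dropped, never host-blocked
```

When writing a pattern for this category, remember the per-packet limit: a signature that only appears in full once several segments are reassembled will pass, so anchor patterns on content that fits in one packet.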
Private Address Blocking Settings
Use the Private Address Blocking settings to protect against attacks that spoof private IP
addresses.
You can configure the settings for each protection level. See “About the Protection Levels”
on page 86.
Specific blocks of IP addresses are reserved for use on private networks and their traffic is
not intended to be routed to the internet. Typically, traffic from outside your network
should not originate from a private address. Such traffic is likely to be an attack in which
the private address is spoofed.
To protect against this kind of attack, APS inspects the inbound traffic and blocks any
traffic whose source or destination is a designated private address. APS also blocks any
outbound traffic whose source or destination is a designated private address.
Important
If you do not enable the DNS NXDomain Rate Limiting protection settings, the Private
Address Blocking settings do not block outbound traffic. In this situation, you must
enable the Outbound Threat Filter and add FCAP expressions to the filter list to block
outbound traffic. See “Configuring the Outbound Threat Filter” on page 115.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
Private Address Blocking settings
The Private Address Blocking category contains the following setting for each protection level:
Enabled and Disabled buttons: Click one of these buttons to enable or disable this category.
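Private Address Blocking and Multicast Blocking (described on page 139) apply the same test, a packet is blocked when its source or its destination falls in a designated address block, in both directions. The following added example, which is not Arbor code and not part of this guide, shows that test for both categories over constructed flows. The address blocks are an assumption (the RFC 1918 ranges and the IPv6 unique-local range for "private", and the IPv4 and IPv6 multicast ranges); the guide does not publish APS's own designated lists, and the function names and sample addresses are constructed.

```python
"""Multicast and private address blocking (added example; not Arbor code)."""
import ipaddress

# Assumed designated blocks: RFC 1918 plus the IPv6 unique-local range for
# "private", and the IPv4/IPv6 multicast ranges. APS's own lists are not on this page.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
MULTICAST_BLOCKS = [ipaddress.ip_network(n) for n in ("224.0.0.0/4", "ff00::/8")]


def address_category(addr):
    """Return 'multicast', 'private' or None for a textual IPv4/IPv6 address.
    An address of one IP version is never contained in a network of the other."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in MULTICAST_BLOCKS):
        return "multicast"
    if any(ip in net for net in PRIVATE_BLOCKS):
        return "private"
    return None


def check_packet(src, dst, multicast_enabled=True, private_enabled=True):
    """Apply both categories to a packet in either direction. The source is tested
    first, then the destination; returns 'pass' or 'block:<category>:<src|dst>'."""
    enabled = {"multicast": multicast_enabled, "private": private_enabled}
    for which, addr in (("src", src), ("dst", dst)):
        category = address_category(addr)
        if category and enabled[category]:
            return f"block:{category}:{which}"
    return "pass"


# Constructed flows: a spoofed private source, an echo request aimed at a
# multicast group, an IPv6 link-scope multicast source and two normal flows
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.1"),
    ("198.51.100.1", "224.0.0.251"),
    ("ff02::1", "2001:db8::1"),
    ("192.0.2.7", "198.51.100.1"),
    ("2001:db8::5", "2001:db8::1"),
]


def classify(flows=SAMPLE_FLOWS, **enabled):
    """Return (src, dst, verdict) for each flow under the given category switches."""
    return [(src, dst, check_packet(src, dst, **enabled)) for src, dst in flows]
```

Testing the destination as well as the source is what stops the reflection case described under Multicast Blocking: an echo request addressed to a multicast group is dropped before the group can answer, regardless of what source it claims.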
Rate-based Blocking Settings
The Rate-based Blocking settings use configured threshold values to identify and block
hosts that send excessive amounts of traffic to protected hosts or networks.
These protection settings are available for all of the IPv4 server types and for the Generic
IPv6 Server type. See “About the Server Types” on page 92.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
About these settings
You can configure these settings to help prevent flood, TCP SYN, and protocol attacks, as well as connection table and request table exhaustion attacks. You also can configure settings to prevent some user-initiated actions such as bulk content downloads and peer-to-peer file hosting.
APS uses these settings to limit the rate at which any source host can send traffic. APS
constantly examines the bit rate and packet rate of traffic from each source host. If the
traffic exceeds either of the configured thresholds, APS temporarily blocks the source
host.
Typically, you should set the thresholds to rates that are higher than any legitimate host
would be expected to send on a sustained basis. These rates can vary depending on the
services that the hosts offer. For example, if the protected hosts are content servers and
the source hosts are clients that send only requests and acknowledgments, low traffic
rates are expected.
Note
APS uses a speed measurement algorithm that applies a smoothing function to reduce
the possibility that short-term, high-traffic spikes are treated as attacks.
Rate-based Blocking settings
The Rate-based Blocking category contains the following settings for each protection level. If the View profile icon appears next to a setting, then you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
Bits per Second Threshold box: Type the maximum rate of traffic in bits that a source can send before it is blocked.
Packets per Second Threshold box: Type the maximum rate of traffic in packets that a source can send before it is blocked.
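Rate-based Blocking, Fragment Detection (page 133) and ICMP Flood Detection (page 137) all compare one source's bits per second and packets per second with configured maxima; they differ only in which packets are counted. The following added example, which is not Arbor code and not part of this guide, shows that per-source test with a smoothing step so that a single high second does not trip the threshold on its own, as the Note above describes. The smoothing used here, an exponentially weighted moving average over one-second buckets, is an assumption, since the guide does not describe APS's own function; the SmoothedRateMonitor class, the selector hook and the traffic samples are constructed.

```python
"""Per-source bps/pps thresholds with a smoothed rate estimate (added example; not Arbor code)."""


class SmoothedRateMonitor:
    """Counts packets and bits per source in one-second buckets and compares a
    smoothed rate with the configured maxima. The smoothing is an exponentially
    weighted moving average (an assumption; the guide does not describe APS's
    own function), so one high second is diluted and only sustained traffic trips it."""

    def __init__(self, max_bps=None, max_pps=None, alpha=0.5, selector=lambda attrs: True):
        self.max_bps, self.max_pps, self.alpha = max_bps, max_pps, alpha
        self.selector = selector     # which packets count, e.g. only IP fragments or ICMP echo
        self.state = {}              # src -> [current_second, pkts, bits, smoothed_pps, smoothed_bps]
        self.blocked = set()         # temporarily blocked sources (expiry omitted)

    def _over(self, pps, bps):
        return ((self.max_pps is not None and pps > self.max_pps)
                or (self.max_bps is not None and bps > self.max_bps))

    def observe(self, src, ts, length, **attrs):
        """Feed one packet of `length` bytes seen at time `ts`; return 'pass' or 'block'."""
        if src in self.blocked:
            return "block"
        if not self.selector(attrs):
            return "pass"                       # not a packet this category counts
        sec = int(ts)
        st = self.state.setdefault(src, [sec, 0, 0, 0.0, 0.0])
        while st[0] < sec:                      # close every finished second; idle seconds count as zero
            st[3] = self.alpha * st[1] + (1 - self.alpha) * st[3]
            st[4] = self.alpha * st[2] + (1 - self.alpha) * st[4]
            st[0], st[1], st[2] = st[0] + 1, 0, 0
            if self._over(st[3], st[4]):
                self.blocked.add(src)
                return "block"
        st[1] += 1
        st[2] += length * 8
        return "pass"


def replay(monitor, src, packets_per_second, length=60, **attrs):
    """Send the given per-second packet counts (constructed traffic) and return the
    verdict of a probe packet sent at the start of the following second."""
    for sec, n in enumerate(packets_per_second):
        for i in range(n):
            monitor.observe(src, sec + i / (n + 1), length, **attrs)
    return monitor.observe(src, len(packets_per_second), length, **attrs)
```

With alpha at 0.5 a source must exceed roughly twice the threshold for one second, or stay above it for two, before it is blocked; the selector is where Fragment Detection (count only packets with the MF flag or a non-zero fragment offset) or ICMP Flood Detection (count only echo requests) would differ from plain Rate-based Blocking.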
SIP Request Limiting Settings
Use the SIP Request Limiting settings to limit the number of SIP requests that a host can
send per second. These settings prevent attacks that disrupt VoIP service by flooding the
VoIP network with too many SIP requests.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound Protection > Server Type Configuration, and then click on a server type name). See “Changing the Protection Settings for Server Types” on page 100.
About these settings
APS monitors the SIP requests from the source IP. It blocks any traffic that exceeds the configured rate limit, and temporarily blocks the source host.
Because SIP servers can send a large amount of data in a single request, communications between SIP servers may greatly exceed the rate limit. You can protect those servers by adding them to a pass rule in the Filter List settings or adding them to the whitelist.
See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on page 164 or “Whitelisting Inbound Traffic” on page 184.
SIP Request Limiting settings
The SIP Request Limiting category contains the following setting for each protection level. If the View profile icon appears next to a setting, then you can use profile data to help you configure the appropriate values for that setting. See “Using Traffic Profile Data to Configure Protection Settings” on page 105.
SIP Source Limit box: Type the maximum number of SIP requests to allow per second. To disable this setting, leave this box empty.
APS Console User Guide, Version 6.3
Spoofed SYN Flood Prevention Settings
Use the Spoofed SYN Flood Prevention settings to detect certain SYN flood attacks. A SYN
flood consists of a large number of uncompleted connection requests, which fill the
victim’s connection queues and consume its resources.
Important
If a cloud service provider forwards cleaned traffic through a GRE tunnel, then APS does
not inspect that traffic for Spoofed SYN Flood Prevention or DNS Authentication. In this
case, APS ignores these protection settings because it would have to send packets back
through the GRE tunnel.
The Spoofed SYN Flood Prevention protection settings are available for all of the IPv4 server
types and for the Generic IPv6 Server type. See “About the Server Types” on page 92.
About SYN flood attacks
A SYN flood attack exploits the TCP three-way handshake, which establishes a connection
between a client and a server. During a SYN flood attack, the attacker sends a large
number of SYN packets. However, because the SYN packets contain spoofed source IP
addresses, the handshake is never completed.
Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN
flood attacks. By forcing all TCP clients to authenticate that they are valid, Spoofed SYN
Flood Prevention can protect against highly distributed attacks.
If APS cannot authenticate a TCP connection, then it drops the traffic on that connection
but does not block the host.
Navigating to the Spoofed SYN Flood Prevention settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About TCP authentication
APS authenticates TCP traffic in one of the following ways:
- APS replies to the client’s initial SYN packet with an ACK that has a special sequence
  number. If the client responds with the correct ACK, then APS authenticates the client,
  resets the connection, and passes its traffic without additional authentication.
- If TCP Out of Sequence Authentication is enabled, then APS replies to the client’s
  initial SYN with an ACK that imitates an existing, half-open TCP connection. If the client
  sends a reset, then APS authenticates the client, and the client opens a new TCP
  connection to the protected host.
  This authentication method targets non-HTTP protocols, such as HTTPS and SMTP, that
  do not support session redirects or retries. This method allows clients to connect to
  protected hosts without having to manually refresh their web browsers.
About HTTP authentication
If you enable HTTP authentication, then APS ensures that the source host is a valid HTTP
client in one of the following ways:
- HTTP redirect — APS replies to the client’s initial request with a 302 redirect. If the client
  sends a redirected request, then APS authenticates the client and redirects it to the
  original URL.
  This authentication method causes the web browser to retry the request without a
  connection reset.
- HTTP soft reset — In this simplified version of the HTTP redirect authentication, APS
  replies to the client, asking it to resend its request. If the client resends the request, then
  APS authenticates the client.
- HTTP JavaScript — In response to a request, APS sends a small amount of JavaScript to
  the client. If the client responds with a redirect, then APS authenticates the client.
Automating Spoofed SYN Flood Prevention
You can automate Spoofed SYN Flood Prevention. To do this, you enable the Spoofed
SYN Flood Prevention Automation setting and then specify an automation threshold.
If the rate of SYN packets sent to any protected host in a protection group exceeds this
threshold, then APS performs TCP authentication or HTTP authentication as configured.
Otherwise, if all protected hosts in a protection group are receiving SYN packets at a rate
below the threshold, then APS does not perform the configured authentication.
Testing the settings
Before you enable these settings for active mitigation, test them thoroughly in a lab
environment. Because these settings require two-way communications, they must be
tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active
protection mode. See “Setting the Deployment Mode” in the APS User Guide and “Setting
the Protection Mode (Active or Inactive)” on page 84.
Spoofed SYN Flood Prevention settings
The Spoofed SYN Flood Prevention protection category contains the following settings for
each protection level.
Spoofed SYN Flood Prevention settings

Prevent Spoofed SYN Floods buttons
    Click one of the following buttons to select the authentication method that APS uses to
    detect spoofed SYN flood attacks:
    - Off — Disables spoofed SYN flood attack detection.
    - TCP — Enables TCP authentication. APS inspects TCP traffic to authenticate the
      connections.
    - TCP+HTTP — Enables HTTP authentication in addition to TCP authentication. APS
      authenticates TCP connections and ensures that the source host is a valid HTTP client.
    The option that you select determines which protection settings are available for this
    protection category.

Except on ports box
    For applications that have difficulty with spoofed SYN flood authentication, type the
    affected application ports. If the traffic’s destination ports match any of these ports, then
    APS skips the TCP authentication.

TCP Out of Sequence Authentication buttons
    Click one of these buttons to enable or disable this authentication method. If you enable
    this setting, then APS uses this method to authenticate a TCP connection instead of
    attempting to complete the TCP 3-way-handshake. See “About TCP authentication” on
    page 146.

Spoofed SYN Flood Prevention Automation buttons
    Click one of these buttons to enable or disable automating this protection category. If you
    automate this protection category, then you must specify an automation threshold.

Automation Threshold box
    Enter a value in pps. APS performs TCP authentication or HTTP authentication as
    configured only if the rate of SYN packets sent to any protected host in a protection group
    exceeds this threshold. If the rate of SYN packets falls below this threshold, then APS stops
    performing the configured authentication.

HTTP Authentication Method buttons
    Click one of the following buttons to select the method that APS uses to authenticate
    HTTP traffic on ports 80 and 8080:
    - Redirect — Sends a 302 redirect to the client.
    - Soft Reset — Asks the client to resend its request.
    - JavaScript — Sends a JavaScript response to the client.
    Note
    If you select the JavaScript option, then legitimate clients that do not have JavaScript
    enabled cannot connect to protected hosts.
TCP Connection Limiting Settings
Use the TCP Connection Limiting settings to limit the number of concurrent TCP
connections that can originate from a single host. These settings prevent attacks that
overwhelm the victim's connection resources with an excessive number of TCP
connections.
For example, some botnets open hundreds of active or inactive TCP connections. A
sufficiently large number of connections can consume all of the server's resources and
prevent the server from accepting clean traffic.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
APS monitors the TCP requests from the source IP and counts the number of SYN
messages that are followed by an ACK message. When the number of concurrent
connections from a single host exceeds a preconfigured rate limit, it blocks that traffic. It
does not block the source host.
TCP Connection Limiting settings
The TCP Connection Limiting category contains the following setting for each protection
level:
TCP Connection Limiting settings

Enabled and Disabled buttons
    Click one of these buttons to enable or disable this category for a protection level.
TCP Connection Reset Settings
Use the TCP Connection Reset settings to track established TCP connections and drop the
traffic when a connection remains idle for too long. This category can protect against the
following types of TCP state exhaustion attacks:
- TCP SYN flood
- slow HTTP post
- protocol
The TCP Connection Reset settings also can protect against the exhaustion of TCP
connection resources that occur when server connection tables are filled. These problems
can be caused by idle TCP connections or user-initiated actions such as bulk content
downloads and peer-to-peer file hosting.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.
About these settings
When APS monitors a TCP connection, it verifies that the source host sends the request
header within a certain amount of time. APS also verifies that the host maintains a
specified rate of transmission for the entire request.
If a TCP connection does not meet these requirements, APS resets the connection. Also, if
any source host exceeds the configured number of consecutive violations, APS
temporarily blocks the host.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About the protected ports
APS applies the TCP Connection Reset settings to the following ports:
- 80 — HTTP traffic (web traffic)
- 443 — HTTPS traffic (web traffic)
- 25 — SMTP traffic (email)
You cannot manually configure the ports for the TCP Connection Reset settings.
TCP Connection Reset settings
The TCP Connection Reset category contains the following settings for each protection
level.
TCP Connection Reset settings

Enable TCP Connection Reset buttons
    Click one of these buttons to enable or disable this category.

Minimum Request Bit Rate box
    Type the minimum rate of bits per second that a host must maintain when sending an
    individual request. APS checks several times per minute to verify that the transmitted data
    does not fall below this limit.
    If the data rate falls below this limit for a minimum of 60 seconds, APS resets the
    connection or blocks the host.

TCP Connection Idle Timeout box
    Type the number of seconds that must elapse before an idle connection is reset or
    blocked. For the medium and high protection levels, the default value is 120 seconds.
    There is no default value for the low protection level.

Track Connections After Initial State check box
    Click Enabled to track a connection after it leaves the initial state.

TCP Connection Initial Timeout box
    Type the number of seconds that a connection can be idle after it is first established
    before it is blocked.

Initial Timeout Required Data box
    Type the number of bytes that a host must send within the initial timeout period for the
    timeout to be canceled.
    For example, the default TCP Connection Initial Timeout is 10 seconds and the default
    Initial Timeout Required Data is 1 byte. In this case, the connection has 10 seconds in
    which to send 1 byte of data. If the specified amount of data is not sent within 10
    seconds, then the connection is reset.

Consecutive Violations before Blocking Source box
    Type the number of consecutive idle connections to allow before a host is blocked.
    You can enter a larger number for applications with multiple TCP control connections
    that might be idle simultaneously due to a single lack of user action.
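As an added example, not APS's implementation, the following Python models the initial-timeout, idle-timeout and consecutive-violation rules of this table with the page's defaults (10 seconds, 1 byte, 120 seconds). The Minimum Request Bit Rate check is left out, the allowed violation count of 3 and the timeline are constructed, and resetting a host's consecutive count when a connection satisfies the initial timeout is an assumption the page does not state.

```python
from dataclasses import dataclass


@dataclass
class ResetSettings:
    initial_timeout: float = 10.0        # TCP Connection Initial Timeout, seconds (page default)
    initial_required_data: int = 1       # Initial Timeout Required Data, bytes (page default)
    idle_timeout: float = 120.0          # TCP Connection Idle Timeout, seconds (medium/high default)
    track_after_initial: bool = True     # Track Connections After Initial State
    violations_before_block: int = 3     # Consecutive Violations before Blocking Source (constructed)


@dataclass
class Connection:
    host: str
    opened_at: float
    last_activity: float
    bytes_sent: int = 0


class ConnectionResetTracker:
    """Tracks connections per source host and applies the reset / block rules."""

    def __init__(self, settings: ResetSettings):
        self.s = settings
        self.conns = {}        # connection id -> Connection
        self.violations = {}   # host -> consecutive violations so far
        self.blocked = set()   # hosts that are temporarily blocked
        self.resets = []       # (connection id, reason), in the order they were reset

    def open(self, cid, host, now):
        if host not in self.blocked:             # a blocked host gets no new connections
            self.conns[cid] = Connection(host, now, now)

    def data(self, cid, nbytes, now):
        c = self.conns[cid]
        before = c.bytes_sent
        c.bytes_sent += nbytes
        c.last_activity = now
        if before < self.s.initial_required_data <= c.bytes_sent:
            # Assumption: satisfying the initial timeout ends the host's run of
            # consecutive violations; the page does not say when the count resets.
            self.violations[c.host] = 0

    def check(self, now):
        """Run the timers; call periodically (APS checks several times per minute)."""
        for cid, c in list(self.conns.items()):
            if c.bytes_sent < self.s.initial_required_data:
                if now - c.opened_at >= self.s.initial_timeout:
                    self._violation(cid, "initial timeout: required data not sent")
            elif self.s.track_after_initial and now - c.last_activity >= self.s.idle_timeout:
                self._violation(cid, "idle timeout")

    def _violation(self, cid, reason):
        c = self.conns.pop(cid)
        self.resets.append((cid, reason))          # the offending connection is reset
        n = self.violations.get(c.host, 0) + 1
        self.violations[c.host] = n
        if n > self.s.violations_before_block:     # allowed count exceeded: block the host
            self.blocked.add(c.host)
            for other, oc in list(self.conns.items()):
                if oc.host == c.host:
                    del self.conns[other]


def run_scenario():
    """Constructed timeline with the page's defaults; returns the tracker for inspection."""
    t = ConnectionResetTracker(ResetSettings())
    for i in range(1, 5):                  # 203.0.113.5 opens four connections, sends nothing
        t.open(f"c{i}", "203.0.113.5", 0.0)
    t.open("c5", "198.51.100.7", 0.0)      # 198.51.100.7 opens one and sends 100 bytes
    t.data("c5", 100, 2.0)
    t.check(10.0)    # c1..c4 hit the 10 s initial timeout; the fourth violation blocks the host
    t.check(200.0)   # c5 has been idle for 198 s, over the 120 s idle timeout: reset, no block
    return t


if __name__ == "__main__":
    tracker = run_scenario()
    print("resets:", tracker.resets)
    print("blocked:", tracker.blocked)
```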
TCP SYN Flood Detection Settings
Use the TCP SYN Flood Detection settings to detect TCP SYN flood attacks, which are also
known as SYN floods. A SYN flood consists of a large number of connection requests that
cannot be completed. These requests fill the victim’s connection queues and consume its
resources.
You can configure the settings for each protection level. See “About the Protection Levels”
on page 86.
About SYN flood attacks
The SYN flood attack exploits the TCP three-way handshake that establishes a connection
between a client and a server. During a SYN flood attack, the attacker sends a large
number of SYN packets. However, it does not return the final ACK responses and the
handshake is never completed.
The server waits for the ACK responses until it times out. A sufficiently large number of
half-open connections can consume all of the server’s resources and prevent the server
from accepting clean traffic.
Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN
flood attacks. However, while Spoofed SYN Flood Prevention can protect against highly
distributed attacks, TCP SYN Flood Detection uses rate thresholds to detect high rate,
undistributed SYN flood attacks.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
APS intercepts all TCP traffic that originates from a single source and then completes the
following tests:
- Compares the number of SYN packets per second to the configured SYN Rate.
- Subtracts the number of ACK packets from the number of SYN packets and compares
  the result to the configured SYN ACK Delta Rate.
APS blocks any traffic that exceeds either of these rate limits and temporarily blocks the
source host.
TCP SYN Flood Detection settings
The TCP SYN Flood Detection category contains the following settings for each protection
level:
TCP SYN Flood Detection settings

Enable SYN Flood Detection buttons
    Click one of these buttons to enable or disable this category.

SYN ACK Delta Rate box
    Type the allowable difference between the number of ACK packets and the number of
    SYN packets (SYN - ACK = delta). This rate should be lower than the SYN Rate.
    In clean traffic, the number of ACK packets from a specific source should exceed or be
    slightly less than the number of SYN packets from that source. This threshold represents
    the allowable difference between the two types of packets and allows APS to detect
    attackers that send only SYN packets.
    To disable this setting, leave this box empty.

SYN Rate box
    Type the number of packets per second that a source can send before it is blocked.
    In a data center environment, a client typically does not establish a large number of
    connections per second. This threshold allows APS to detect very blatant SYN floods
    based on the number of connection requests from a single source.
    To disable this setting, leave this box empty.
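The two tests described under “About these settings”, with the two thresholds from the table above, as an added Python example (not Arbor's code; how APS counts internally is not published on this page). The packet records are constructed, an empty box is modelled as None, and counting any ACK-bearing segment on the ACK side is an assumption of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed packet records: (time in seconds, source IP, TCP flags).
# Flags: "S" = SYN, "A" = ACK, "SA" = SYN+ACK. Addresses are RFC 5737 documentation ranges.
SAMPLE_PACKETS = (
    # 198.51.100.7: a normal client, five handshakes in the same second (5 SYN, 5 ACK)
    [(0.0 + i * 0.1, "198.51.100.7", "S") for i in range(5)]
    + [(0.05 + i * 0.1, "198.51.100.7", "A") for i in range(5)]
    # 203.0.113.9: 50 SYNs and no ACKs, below the SYN Rate but with a large SYN-ACK delta
    + [(0.0 + i * 0.01, "203.0.113.9", "S") for i in range(50)]
    # 203.0.113.44: 150 SYNs and no ACKs, over both limits
    + [(0.0 + i * 0.005, "203.0.113.44", "S") for i in range(150)]
)


@dataclass
class SynFloodSettings:
    """The two thresholds of the category; None stands for a box left empty (disabled)."""
    syn_rate: Optional[int]            # SYN packets per second from one source
    syn_ack_delta_rate: Optional[int]  # allowed (SYN - ACK) per second from one source


def per_second_counts(packets):
    """Count SYN and ACK packets per (source, whole second)."""
    counts = defaultdict(lambda: {"syn": 0, "ack": 0})
    for ts, src, flags in packets:
        bucket = counts[(src, int(ts))]
        if flags == "S":          # a pure SYN is a new connection request
            bucket["syn"] += 1
        elif "A" in flags:        # assumption: any ACK-bearing segment counts as an ACK
            bucket["ack"] += 1
    return counts


def evaluate(packets, settings):
    """Return sorted (source, second, test) tuples for every bucket that exceeds a limit."""
    violations = []
    for (src, sec), c in per_second_counts(packets).items():
        if settings.syn_rate is not None and c["syn"] > settings.syn_rate:
            violations.append((src, sec, "syn_rate"))
        delta = c["syn"] - c["ack"]   # SYN - ACK = delta, as the settings table defines it
        if settings.syn_ack_delta_rate is not None and delta > settings.syn_ack_delta_rate:
            violations.append((src, sec, "syn_ack_delta"))
    return sorted(violations)


def sources_to_block(packets, settings):
    """Sources that would be temporarily blocked: any source with at least one violation."""
    return sorted({src for src, _, _ in evaluate(packets, settings)})


if __name__ == "__main__":
    settings = SynFloodSettings(syn_rate=100, syn_ack_delta_rate=20)
    for violation in evaluate(SAMPLE_PACKETS, settings):
        print(violation)
    print("block:", sources_to_block(SAMPLE_PACKETS, settings))
```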
TLS Attack Prevention Settings
Use the TLS Attack Prevention settings to protect against attacks that exploit SSL or TLS on
application servers such as Web, Mail, or secure VPN servers.
The SSL (Secure Socket Layer) and TLS (Transport Layer Security) encryption protocols
underlie secure services on the internet. Because these protocols are resource intensive,
the services that rely on them are particularly vulnerable to resource exhaustion attacks.
During these attacks, clients send small requests that force the server to perform a
disproportionately large amount of work to set up a secure session.
The TLS Attack Prevention settings enforce correct protocol usage and block malformed
SSL and TLS requests. These settings also block clients that attempt to exploit the
protocols to exhaust server resources.
You can configure the settings for each protection level. See “About the Protection Levels”
on page 86.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
When an SSL or TLS request is received, APS performs the following tests:
- Validates the request according to the following criteria:
    - The negotiation messages are well-formed.
    - The protocol options are used properly.
    - The message length and fragmentation are reasonable.
    - The protocol version is acceptable.
- Verifies that acceptable SSL or TLS handshake behaviors occur as follows:
    - The messages are sent in the correct sequence.
    - Renegotiation requests do not occur outside of an established session.
- Verifies that the following items do not exceed the preconfigured limits:
    - The number of cipher suites that are advertised.
    - The number of extensions that are sent.
    - The number of compression algorithms that are advertised.
    - The number of connections that are closed before a handshake is completed.
If any of these evaluations fails, APS blocks the request and temporarily blocks the source
host.
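As an added example, not Arbor's code, the following Python applies three of the checks listed above to a single TLS ClientHello record: the length consistency of the messages, the acceptable protocol version, and the limits on advertised cipher suites, extensions and compression algorithms. The limits, the version policy and the sample hellos are constructed; the page does not publish the limits that APS actually uses.

```python
import struct

# Constructed limits for this example; APS's preconfigured limits are not on the page.
LIMITS = {"cipher_suites": 64, "extensions": 32, "compression_methods": 4}
# Constructed policy: TLS 1.0 to 1.3 (1.3 still sends legacy_version 0x0303); SSL 3.0 rejected.
ACCEPTABLE_VERSIONS = {0x0301, 0x0302, 0x0303}


class Malformed(Exception):
    pass


def build_client_hello(n_suites, n_exts, n_comp, version=0x0303):
    """Build a minimal, syntactically valid ClientHello record (constructed test input)."""
    suites = b"".join(struct.pack("!H", 0xC000 + i) for i in range(n_suites))
    comps = bytes(range(n_comp))
    exts = b"".join(struct.pack("!HH", i, 0) for i in range(n_exts))   # empty extensions
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"         # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(comps)]) + comps
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def parse_client_hello(record):
    """Return version and item counts, raising Malformed on any length inconsistency."""
    if len(record) < 5 or record[0] != 0x16:
        raise Malformed("not a handshake record")
    if struct.unpack("!H", record[3:5])[0] != len(record) - 5:
        raise Malformed("record length mismatch")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != 0x01:
        raise Malformed("not a ClientHello")
    body = hs[4:]
    if int.from_bytes(hs[1:4], "big") != len(body):
        raise Malformed("handshake length mismatch")
    pos = 0

    def take(n):                       # consume n bytes of the body or fail
        nonlocal pos
        if pos + n > len(body):
            raise Malformed("truncated field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                           # client random
    take(take(1)[0])                   # session id
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise Malformed("odd cipher suite list length")
    n_suites = len(take(suites_len)) // 2
    n_comp = len(take(take(1)[0]))
    ext_blob = take(struct.unpack("!H", take(2))[0])
    n_exts, epos = 0, 0
    while epos < len(ext_blob):        # walk the extension list: type(2) length(2) data
        if epos + 4 > len(ext_blob):
            raise Malformed("truncated extension header")
        epos += 4 + struct.unpack("!H", ext_blob[epos + 2:epos + 4])[0]
        if epos > len(ext_blob):
            raise Malformed("extension overruns list")
        n_exts += 1
    if pos != len(body):
        raise Malformed("trailing bytes after extensions")
    return {"version": version, "cipher_suites": n_suites,
            "extensions": n_exts, "compression_methods": n_comp}


def evaluate_client_hello(record, limits=LIMITS):
    """Return [] if the hello passes, otherwise the reasons it would be blocked."""
    try:
        info = parse_client_hello(record)
    except Malformed as exc:
        return [f"malformed: {exc}"]
    reasons = []
    if info["version"] not in ACCEPTABLE_VERSIONS:
        reasons.append("unacceptable protocol version")
    for key, limit in limits.items():
        if info[key] > limit:
            reasons.append(f"too many {key}: {info[key]} > {limit}")
    return reasons


if __name__ == "__main__":
    print(evaluate_client_hello(build_client_hello(20, 5, 1)))
    print(evaluate_client_hello(build_client_hello(200, 5, 1)))
```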
TLS Attack Prevention settings
The TLS Attack Prevention category contains the following setting for each protection level:
TLS Attack Prevention settings

Enabled and Disabled buttons
    Click one of these buttons to enable or disable this category.
Traffic Shaping Settings
Use the Traffic Shaping settings to limit the forwarding rate of the traffic that matches a
specific filter. These settings limit attack traffic to a level that allows protected hosts to
function and allows some clean traffic to reach those hosts.
The Traffic Shaping protection settings are available for all of the IPv4 server types and for
the Generic IPv6 Server type. See “About the Server Types” on page 92.
Note
Traffic shaping is also known as rate limiting.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
About these settings
APS inspects each packet to determine if it matches the filter that you define. If the packet
matches or if no filter is defined, APS compares the packet forwarding rate to the
maximum rate settings. If the packet would cause the forwarding rate to exceed either of
the maximum rates, APS blocks the packet. It does not block the source host.
Caution
Traffic shaping restricts clean traffic and attack traffic equally.
Use traffic shaping in the following situations only:
- when other settings fail to mitigate an attack and you cannot mitigate it in another way
- when other settings succeed only partially and the traffic levels remain high enough to
  be a continued threat
If you enable this category, you must set at least one of the maximum rate settings.
Traffic Shaping settings
The Traffic Shaping category contains the following settings for each protection level:
Traffic Shaping settings

Enable Traffic Shaping buttons
    Click one of these buttons to enable or disable this category.

Maximum bps box
    Type the maximum amount of traffic (in bps) to allow.

Maximum pps box
    Type the maximum amount of traffic (in pps) to allow.

Filter box
    (Optional) Type an FCAP expression that corresponds to the data that you want to match.
    For example, you can match IP addresses, CIDRs, and other traffic attributes.
    Type one expression per line. To include a comment, type a number sign (#) at the
    beginning of each comment line.
UDP Flood Detection Settings
Use the UDP Flood Detection settings to protect against attacks that send an excessive
number of UDP packets to a server to exhaust its resources.
You can configure the settings for each protection level. See “About the Protection Levels”
on page 86.
About UDP floods
A UDP flood occurs when an attacker sends a large number of UDP packets to random
ports on a server, often from a spoofed IP address. The server tries to determine the
applications that are listening on those ports. Because no applications are listening, the
server is forced to reply with many ICMP Destination Unreachable packets. If the number
of ICMP packets is great enough, the server becomes unavailable to other clients.
APS inspects the UDP traffic that originates from a single source and records the bits per
second and packets per second. It blocks any traffic that exceeds the configured rate
limits. If the protection level is medium or high, it temporarily blocks the source host.
Navigating to the protection settings
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration, and then click on a server type name). See
“Changing the Protection Settings for Server Types” on page 100.
UDP Flood Detection settings
The UDP Flood Detection category contains the following settings for each protection level.
If the View profile icon appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Using Traffic Profile Data to
Configure Protection Settings” on page 105.

UDP Flood Detection settings

Enable UDP Flood Detection buttons
    Click one of these buttons to enable or disable this category.

Maximum bps box
    Type the maximum amount of traffic (in bps) to allow from a single source.

Maximum pps box
    Type the maximum amount of traffic (in pps) to allow from a single source.
Section 9: Configuring Filter Lists to Drop and Pass Traffic
Filter lists allow you to configure fingerprint expression (FCAP) filters (rules) that drop and
pass traffic without further inspection. You can configure two types of filter lists.
Master filter lists compare the FCAP expressions to all protection group traffic across all
protection levels.
Filter lists compare FCAP expressions only to traffic for specific server types or the
outbound threat filter. These filter lists also allow you to configure different expressions
for each protection level.
In APS Console, you can configure both types of filter lists for multiple APS devices.
In this section
This section contains the following topics:
About Filter Lists (page 160)
Configuring Master Filter Lists (page 162)
Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter (page 164)
About Filter Lists
Filter lists allow you to configure flow capture (FCAP) fingerprint expression rules that drop
and pass traffic without further inspection. You can configure two types of filter lists:
- Master filter lists for all protection groups across all protection levels. See “Master filter
  lists” below.
- Filter lists for specific server types or the outbound threat filter. See “Filter lists for
  specific server types or the outbound threat filter” below.
If a drop FCAP expression matches inbound traffic, then APS drops the matching traffic for
active protection groups only. If a drop FCAP expression matches outbound traffic, then
APS drops the matching traffic only when the outbound threat filter is enabled. See
“Setting the Protection Mode (Active or Inactive)” on page 84.
Note
If you manage multiple APS devices with APS Console, you can configure filter lists on
APS Console for the managed APS devices.
Master filter lists
Master filter lists contain drop and pass FCAP expressions that APS compares to all
inbound traffic. If any FCAP expression matches inbound traffic for an active protection
group, APS drops or passes the matching traffic without further inspection. See “Setting
the Protection Mode (Active or Inactive)” on page 84.
Use master filter lists if you have a common list of FCAP expressions to apply to all
protection groups across all protection levels. When you use master filter lists, you do not
have to create filter lists for each server type at each protection level.
There are two master filter lists: a list for IPv4 protection groups and a list for IPv6
protection groups. Each time you edit a master filter list, APS applies the updated list to all
IPv4 protection groups or all IPv6 protection groups. APS also automatically applies the
master filter lists to new protection groups that you add.
See “Configuring Master Filter Lists” on page 162.
Filter lists for specific server types or the outbound threat filter
You can configure filter lists for specific server types. This type of filter list compares drop
and pass FCAP expressions to traffic for protection groups that are associated with a
specific server type. These filter lists let you configure different expressions for each
protection level. See “About the Protection Levels” on page 86.
You also can configure filter lists that compare FCAP expressions to outbound traffic. See
“Configuring the Outbound Threat Filter” on page 115.
Use these filter lists to mitigate threats based on specific situations. For example, if the
mitigation protects a server group that obtains content from other sources, then add the
connections to those other sources to a pass rule. Because you know that those
connections are legitimate, you can exempt them from further inspection.
See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on
page 164.
How APS evaluates and processes packets
APS uses master filter lists and filter lists to evaluate and process packets as follows:
- Immediately drops any packets that match a drop rule. APS does not evaluate any
  additional rules or apply further settings for those packets.
- Immediately passes any packets that match a pass rule. APS does not evaluate any
  additional rules or apply further settings for those packets.
- Passes the packets to the next protection category for further evaluation if they do not
  match a drop rule or a pass rule.
Alternate methods for passing and dropping traffic
If you prefer not to use FCAP expressions, you can add hosts to the blacklist and whitelist
to drop and pass traffic without further inspection. However, FCAP expressions are more
flexible and powerful in their ability to find specific traffic. See “About Blacklisting and
Whitelisting Traffic” on page 168.
Order of evaluation
APS evaluates the items to drop and pass on master filter lists, filter lists, and the blacklist
and whitelist in the following order:
- the host blacklist and the whitelist
- the master filter lists
- server-type filter lists
- the blacklists for countries, URLs, and domains
For example, consider the following rules:
- 192.0.2.0/24 in the whitelist
- drop 192.0.2.11 in the master filter list
APS applies the rules as follows:
- Passes all of the traffic from the addresses within the range 192.0.2.0/24.
- Passes the traffic from 192.0.2.11, because it falls within the 192.0.2.0/24 address range.
  Therefore, the traffic from this address cannot be dropped.
Configuring Master Filter Lists
Use a master filter list to configure drop and pass flow capture (FCAP) fingerprint
expression rules to compare to traffic for IPv4 protection groups and IPv6 protection
groups. APS applies the FCAP expressions in the master filter lists across all protection
levels.
Master filter lists drop and pass inbound traffic only.
Important
If a drop FCAP expression matches inbound traffic, APS drops the matching traffic for
active protection groups only. See “Setting the Protection Mode (Active or Inactive)” on
page 84.
You also can configure filter lists that apply to a specific server type only or to the
outbound threat filter. These filter lists drop and pass inbound traffic and outbound traffic.
See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on
page 164.
About managing the master filter lists from APS Console
If you manage your APS devices from APS Console, then you can configure master filter
lists in APS Console and propagate the configurations to each managed APS.
Caution
When you connect an APS device to APS Console, the master filter lists on APS Console
replace the master filter lists on APS. Thereafter, any changes to the master filter lists on
APS Console are periodically copied to each APS. See “About the APS Console - APS
Data Synchronization” on page 78.
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any local changes that you make on
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Configuring and editing master filter lists
To configure or edit a master filter list:
1. Select Protect > Inbound Protection > Master Filter Lists.
2. On the View Master Filter Lists page, click Edit.
3. In the IPv4 FCAP Expressions box and the IPv6 FCAP Expressions box, enter FCAP
expressions that correspond to the data to match. Enter expressions to match IP
addresses, CIDRs, and other traffic attributes.
Include a drop or pass keyword to specify the action to take on the matched data. If
you do not specify a keyword, then APS considers it a drop action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 344.
4. To edit the lists, enter new expressions or delete the existing expressions in the FCAP
Expressions boxes.
5. Click Save.
6. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Example: Master filter list settings
If you want to pass TCP/22 SSH traffic from a block of addresses and block all other
TCP/22 SSH traffic, then enter the following FCAP expressions:
pass port 22 and src 192.0.2.0/24
drop port 22
All the port 22 traffic from 192.0.2.0/24 passes automatically, and APS blocks the other port
22 traffic automatically.
Order of evaluation within the master filter lists
APS evaluates the FCAP expressions in the order in which they appear in the lists. For
example, consider the following rules:
pass src 192.0.2.11
drop proto udp
APS applies these rules as follows:
• Passes all of the traffic from 192.0.2.11, regardless of the protocol
• Drops all of the UDP traffic whose source is not 192.0.2.11
Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter
Use the filter list settings to configure a list of flow capture (FCAP) fingerprint expression
rules to drop and pass inbound traffic without further inspection. You configure a filter list
at the server-type level, so the filter list only applies to protection groups to which the
server type is assigned. This type of filter list lets you configure different expressions for
each protection level. See “About the Protection Levels” on page 86.
You also can use filter list settings to drop and pass outbound traffic. To compare FCAP
expressions in a filter list to outbound traffic, you configure the filter list settings for the
outbound threat filter. See “Configuring the Outbound Threat Filter” on page 115.
If a drop FCAP expression matches inbound traffic, then APS drops the matching traffic for
active protection groups only. If a drop FCAP expression matches outbound traffic, then
APS drops the matching traffic only when the outbound threat filter is enabled. See
“Setting the Protection Mode (Active or Inactive)” on page 84.
The Filter List protection settings are available for all of the IPv4 server types and for the
Generic IPv6 Server type. See “About the Server Types” on page 92.
Note
You can configure master filter lists that compare drop and pass FCAP expressions to
traffic for all protection groups. See “Configuring Master Filter Lists” on page 162.
Configuring and editing filter lists for server types
To configure or edit a filter list for a server type:
1. Select Protect > Inbound Protection > Server Type Configuration.
2. In the Server Types list, click the name link of the server type to edit.
3. In the left navigation menu, click Filtering.
4. In the Filter FCAP Expressions boxes in the Filter List section, enter the FCAP
expressions that correspond to the data to match. Enter expressions to match IP
addresses, CIDRs, and other traffic attributes. You can enter expressions for each
protection level.
Include a drop or pass keyword to specify the action to take on the matched data. If
you do not include a keyword, then APS considers it a drop action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 344.
Important
You can use IPv6 addresses in FCAP expressions only for the standard Generic IPv6
Server type and custom server types that are based on it.
5. To edit the filter list, enter new expressions or delete the existing expressions in the
Filter FCAP Expressions boxes.
6. Click Save.
7. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Configuring and editing filter lists for the outbound threat filter
To configure or edit a filter list for the outbound threat filter:
1. Select Protect > Inbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click Filtering.
3. Select the Enable Outbound Threat Filter check box.
4. In the Filter FCAP Expressions boxes, enter the FCAP expressions that correspond to
the data to match. Enter expressions to match IPv4 IP addresses, IPv4 CIDRs, and
other traffic attributes. You can enter expressions for each protection level.
Include a drop or pass keyword to specify the action to take on the matched data. If
you do not include a keyword, then APS considers it a drop action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 344.
5. To edit the filter list, enter new expressions or delete the existing expressions in the
Filter FCAP Expressions boxes.
6. Click Save.
7. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Example: Filter list settings
If you want to pass TCP/22 SSH traffic from a block of addresses and block all other
TCP/22 SSH traffic, then enter the following FCAP expressions:
pass port 22 and src 192.0.2.0/24
drop port 22
All the port 22 traffic from 192.0.2.0/24 passes automatically, and APS blocks the other port
22 traffic automatically.
Order of evaluation within filter lists
APS evaluates the FCAP expressions in the order in which they appear in the lists. For
example, consider the following rules:
pass src 192.0.2.11
drop proto udp
APS applies these rules as follows:
• Passes all of the traffic from 192.0.2.11, regardless of the protocol
• Drops all of the UDP traffic whose source is not 192.0.2.11
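The order-of-evaluation rule above (and the identical rule stated for the master filter lists) is easiest to see by running it. The following is an added example, not Arbor's FCAP parser: it models only the small subset of the expression syntax the page shows (an optional leading pass/drop keyword, where a missing keyword means drop; the terms port, src, dst and proto; and/or; # comments), evaluates the rules in list order, and lets the first match decide. Packets are plain dicts, and the "inspect" result for a packet that matches no rule is this example's name for "not decided by the list", not an APS term.

```python
"""Ordered first-match evaluation of pass/drop expressions.

Added example; this is not Arbor's FCAP parser. It models only the small
subset of the expression syntax that the page shows: an optional leading
pass/drop keyword (no keyword means drop), the terms `port N`, `src CIDR`,
`dst CIDR` and `proto NAME`, joined by `and` / `or` (`and` binds tighter),
and `#` comment lines. Packets are plain dicts with src, dst, proto, port.
"""
import ipaddress


def _term(kind, value):
    """Build a predicate for one `kind value` term of an expression."""
    if kind == "port":
        port = int(value)
        return lambda pkt: pkt.get("port") == port
    if kind in ("src", "dst"):
        net = ipaddress.ip_network(value, strict=False)
        # `in` is False when the address family differs, so an IPv6 source
        # never matches an IPv4 CIDR and vice versa.
        return lambda pkt: ipaddress.ip_address(pkt[kind]) in net
    if kind == "proto":
        return lambda pkt: pkt.get("proto") == value
    raise ValueError(f"unsupported term: {kind} {value}")


def parse_rule(line):
    """Return (action, predicate) for one expression line, or None for a
    blank or comment line. A line without pass/drop is treated as drop,
    which is what the page says APS does."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    action = "drop"
    if tokens[0] in ("pass", "drop"):
        action = tokens.pop(0)
    groups, current, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "or":
            groups.append(current)
            current = []
            i += 1
        elif tokens[i] == "and":
            i += 1
        else:
            if i + 1 >= len(tokens):
                raise ValueError(f"term without a value: {tokens[i]!r}")
            current.append(_term(tokens[i], tokens[i + 1]))
            i += 2
    groups.append(current)
    if not all(groups):
        raise ValueError(f"expression has no match terms: {line!r}")
    return action, lambda pkt: any(all(t(pkt) for t in g) for g in groups)


def load_list(text):
    """Parse a whole filter list (one expression per line), keeping order."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def evaluate(rules, pkt):
    """Apply rules in list order; the first match decides. With no match the
    packet is not decided by the list and goes on to normal inspection
    (returned here as "inspect"; that name is the example's, not APS's)."""
    for action, matches in rules:
        if matches(pkt):
            return action
    return "inspect"


# Constructed sample lists: the two examples the page gives.
SSH_LIST = """\
# allow SSH only from one block, drop all other SSH
pass port 22 and src 192.0.2.0/24
drop port 22
"""

ORDER_LIST = """\
pass src 192.0.2.11
drop proto udp
"""

if __name__ == "__main__":
    rules = load_list(ORDER_LIST)
    reversed_rules = load_list("drop proto udp\npass src 192.0.2.11")
    udp_from_host = {"src": "192.0.2.11", "dst": "198.51.100.1", "proto": "udp", "port": 53}
    print(evaluate(rules, udp_from_host))           # pass: the host rule is first
    print(evaluate(reversed_rules, udp_from_host))  # drop: the UDP rule is first
```

Swapping the two lines of ORDER_LIST turns the verdict for UDP from 192.0.2.11 from pass into drop, which is the point of the passage: a broad drop placed above a narrow pass silently cancels the exception.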
Section 10: Managing the Blacklists and Whitelists
APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting
to allow trusted traffic.
In this section
This section contains the following topics:
About Blacklisting and Whitelisting Traffic, page 168
About the Capacity of the Blacklists and Whitelists, page 172
Blacklisting Inbound Traffic, page 174
Viewing and Searching the Inbound Blacklist, page 177
Blacklisting Outbound Traffic, page 180
Viewing and Searching the Outbound Blacklist, page 182
Whitelisting Inbound Traffic, page 184
Viewing and Searching the Inbound Whitelist, page 186
Whitelisting Outbound Traffic, page 188
Viewing and Searching the Outbound Whitelist, page 190
About Blacklisting and Whitelisting Traffic
APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting
to allow trusted traffic. APS uses the blacklists and whitelists as filters to block or pass
traffic without further inspection, regardless of the current protection level.
About the blacklists and whitelists
Users configure the blacklists and whitelists; APS does not blacklist or whitelist hosts
automatically.
You can create and manage the following types of blacklists and whitelists:
Types of blacklists and whitelists
Inbound blacklist
  Purpose: Blocks the inbound traffic that originates from specific hosts or countries, or
  from the clients that access specific domains or URLs in your network.
  Items you can add: Hosts (both IPv4 and IPv6), countries, and domains
Inbound whitelist
  Purpose: Passes the inbound traffic that originates from specific hosts.
  Items you can add: Hosts (both IPv4 and IPv6), countries, and domains
Outbound blacklist
  Purpose: Blocks the traffic that is sent from specific internal hosts or to specific external
  hosts. Also blocks the traffic that originates from your network and is sent to specific
  countries.
  Items you can add: Hosts and countries (IPv4 only)
Outbound whitelist
  Purpose: Passes the traffic that originates from your network and is sent from specific
  hosts or to specific hosts.
  Items you can add: Hosts (IPv4 only)
Note
The Invalid Packets category takes precedence over the whitelist and blacklist. As a result,
APS blocks invalid packets from whitelisted hosts. Also, any traffic from hosts on the
blacklist or whitelist that matches invalid packets is attributed to invalid packets in the
Attack Categories graphs.
APS combines the blacklist items and the whitelist items and stores them in a blacklist-
whitelist table, based on protocol. If an APS is managed by APS Console, any blacklist
items and whitelist items that are added in APS Console also are stored in the blacklist-
whitelist table. See “About the Capacity of the Blacklists and Whitelists” on page 172.
About managing the blacklists and whitelists from APS Console
When you use APS Console to manage APS, you can configure blacklists and whitelists on
APS Console and propagate the configurations to each managed APS.
When you first connect an APS device to an APS Console, the blacklists and whitelists on
APS Console are copied to APS. Any blacklists or whitelists that were already on APS are
merged with the items from APS Console. Thereafter, any changes to the blacklists and
whitelists on APS Console are periodically copied to each managed APS device as
appropriate.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
See “About the APS Console - APS Data Synchronization” on page 78.
Blacklisting and whitelisting items
You can blacklist and whitelist items from the following areas in the UI.
Note
On the Outbound Blacklists page and the Outbound Whitelists page, you can blacklist
and whitelist IPv4 addresses only.
Locations for blacklisting and whitelisting items
Inbound Blacklists
  See “Blacklisting Inbound Traffic” on page 174.
Outbound Blacklists
  See “Blacklisting Outbound Traffic” on page 180.
Inbound Whitelists
  See “Whitelisting Inbound Traffic” on page 184.
Outbound Whitelists
  See “Whitelisting Outbound Traffic” on page 188.
View Protection Group
  See the following topics:
  • “Viewing the Top IP Locations for a Protection Group” on page 210
  • “Viewing the Top URLs for a Protection Group” on page 206
  • “Viewing the Top Domains for a Protection Group” on page 208
  Note: You can blacklist and whitelist IPv6 items globally, for all protection groups. You
  cannot blacklist and whitelist IPv6 items for individual protection groups.
Blocked Hosts Log
  See “Taking action on a blocked host” on page 262.
About blacklisting and whitelisting inbound traffic by protection group
You can blacklist and whitelist inbound traffic at the following levels.
Levels of blacklisting and whitelisting
Individual protection group
  Traffic that is affected: The IPv4 traffic that is destined for one or more specific
  protection groups on an APS. For example, on the Summary page, you can blacklist a
  country for a specific protection group.
  Note: You can blacklist and whitelist IPv6 items globally, for all protection groups. You
  cannot blacklist and whitelist IPv6 items for individual protection groups.
All protection groups
  Traffic that is affected: The traffic that is destined for all protection groups on an APS.
Typically, the options to blacklist or whitelist IPv4 items for a specific protection group are
available on the pages that contain protection-group-level information. For example, on
the View Protection Group page, when you click the Blacklist button, the following
options appear: All PGs and For this PG.
When the items from the blacklist or whitelist appear throughout the UI, the associated
protection group information is displayed.
Note
Outbound traffic is not associated with protection groups.
About removing items from the blacklist
Certain areas of the UI that display blocked traffic allow you to remove an item from the
blacklist, which is also referred to as unblocking. For example, in the Top Countries section
of the Summary page, you can unblock a blacklisted country.
Unblocking an item removes it from the blacklist but does not add it to the whitelist.
How quickly do blacklisting, whitelisting, and unblocking affect the traffic?
When you blacklist, whitelist, or unblock a host, country, domain, or URL, its traffic is
affected as follows:
• When you blacklist or whitelist an item, APS begins to block or pass its traffic
immediately.
• When you unblock an item, APS can take several minutes to remove it from the blacklist
and pass its traffic.
• When you whitelist a host or remove a host from the blacklist, and that host is
temporarily blocked, it is removed from the Temporarily Blocked Sources list
immediately. When you do the same for a CIDR or country that contains temporarily
blocked hosts, those hosts are removed from the Temporarily Blocked Sources list
within five minutes. You can unblock an individual IP address immediately by
whitelisting that IP address.
After you blacklist, whitelist, or unblock an item in APS Console, the change is applied to
APS during the next synchronization. See “About the APS Console - APS Data
Synchronization” on page 78.
About the Capacity of the Blacklists and Whitelists
APS combines the blacklist items and the whitelist items and stores them in a blacklist-
whitelist table, based on protocol. If an APS is managed by APS Console, any blacklist
items and whitelist items that are added in APS Console also are stored in the blacklist-
whitelist table. See “About managing the blacklists and whitelists from APS Console” on
page 169.
Capacity of the blacklists and whitelists
The maximum number of IP addresses and CIDRs that APS stores in the IPv4 blacklist-
whitelist table is as follows. This total includes the items on the blacklists and whitelists for
inbound traffic and outbound traffic.
IPv4 blacklist-whitelist table (APS model: supported number of items)
  2800: 16,000
  2600: 6,400
  2100: 6,400
  vAPS: 2,000
The maximum number of IP addresses and CIDRs that APS stores in the IPv6 blacklist-
whitelist table is as follows. This total includes the items on the blacklist and whitelist for
inbound traffic.
IPv6 blacklist-whitelist table (APS model: supported number of items)
  2800: 5,091
  2600: 2,036
  2100: 4,072
  vAPS: 1,272
For domains, URLs, and countries, you can blacklist a combined total of 5,000 items.
For general information about the blacklists and whitelists, see “About Blacklisting and
Whitelisting Traffic” on page 168.
What happens when the capacity is exceeded
If your blacklists and whitelists contain a large number of items, the addition of new items
can cause the blacklist-whitelist table to exceed the capacity. In APS, you cannot enter any
item that would exceed the capacity of the blacklists or whitelists. APS Console accepts the
excess items, whether they are entered in the UI or added during the initial
synchronization of APS.
When the addition of an item causes APS Console to exceed the capacity of its blacklist-
whitelist table, APS Console treats that item as follows:
• The excess item is added to the blacklist or whitelist on APS Console, but it is marked as
disabled and does not affect any traffic.
• The disabled item appears on the blacklist page or whitelist page in the APS Console UI,
but it is dimmed. You can delete the item as needed.
• When a non-disabled item is deleted from a blacklist or whitelist, space can become
available for the addition of a disabled item. APS Console finds the oldest disabled item
and enables it. A global inbound item is enabled for all of the protection groups; a
protection group-specific item is enabled for that protection group only.
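The difference between the two behaviours described above (APS refuses an item that would exceed the capacity; APS Console accepts it as a disabled item and later enables the oldest disabled item when an enabled item is deleted) matters when you plan list sizes, because a disabled item affects no traffic. The following is an added example that models those rules as a small in-memory table; it is not Arbor code. The capacity figures are the page's IPv4 values, the item addresses are constructed, and the per-protection-group distinction is left out.

```python
"""Capacity-bounded blacklist-whitelist table with disabled excess items.

Added example; not Arbor code. It models the two behaviours the page
describes: an APS refuses an item that would exceed the table's capacity,
whereas APS Console accepts the item but stores it disabled, and enables
the oldest disabled item whenever an enabled item is deleted.
"""
from collections import OrderedDict

# IPv4 blacklist-whitelist table capacity per model, from the page.
IPV4_CAPACITY = {"2800": 16000, "2600": 6400, "2100": 6400, "vAPS": 2000}


class BlacklistWhitelistTable:
    def __init__(self, capacity, device="console"):
        if device not in ("console", "aps"):
            raise ValueError("device must be 'console' or 'aps'")
        self.capacity = capacity
        self.device = device
        # Insertion order is kept so "oldest disabled item" is well defined.
        self._items = OrderedDict()   # item -> {"list": name, "enabled": bool}

    def enabled(self):
        """Items that currently affect traffic, oldest first."""
        return [i for i, e in self._items.items() if e["enabled"]]

    def disabled(self):
        """Items stored but dimmed in the UI (console only), oldest first."""
        return [i for i, e in self._items.items() if not e["enabled"]]

    def add(self, item, list_name):
        """Add `item` to the named list. Returns "enabled" or "disabled";
        on an APS an item that would exceed capacity raises instead."""
        if item in self._items:
            raise ValueError(f"{item} is already on the {self._items[item]['list']}")
        if len(self.enabled()) < self.capacity:
            self._items[item] = {"list": list_name, "enabled": True}
            return "enabled"
        if self.device == "aps":
            raise OverflowError(f"{item} would exceed the capacity of {self.capacity}")
        self._items[item] = {"list": list_name, "enabled": False}
        return "disabled"

    def delete(self, item):
        """Remove `item`. If it was enabled, the freed slot goes to the oldest
        disabled item, whose name is returned; otherwise return None."""
        entry = self._items.pop(item)
        if not entry["enabled"]:
            return None
        for name, e in self._items.items():
            if not e["enabled"]:
                e["enabled"] = True
                return name
        return None


if __name__ == "__main__":
    # Constructed walk-through with a tiny capacity so the overflow is visible.
    console = BlacklistWhitelistTable(capacity=3)
    for host in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        print(host, console.add(host, "inbound blacklist"))
    print("freed slot went to:", console.delete("192.0.2.2"))
    print("enabled:", console.enabled(), "disabled:", console.disabled())
```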
How synchronization between APS Console and APS affects the capacity
During the synchronization of the blacklists and whitelists between APS Console and APS,
either APS Console or APS can exceed the capacity of the IPv4 blacklist-whitelist table. For
example, a global item on APS Console can combine with the existing items on APS to
exceed the capacity on APS. When an item from APS Console causes APS to exceed the
capacity, the new item is not added to APS.
During the initial synchronization, if the addition of existing items from APS to APS Console
causes APS Console to exceed the capacity, the following events occur:
• The item is added to APS Console, but is disabled.
• On APS, the item that caused APS Console to exceed its capacity is deleted.
• Other APS devices do not obtain the disabled item during synchronization, even if they
have the capacity to accept the item.
For example, a disabled inbound item might apply to a specific protection group. Even
if the protection group is assigned to an APS that is below its capacity, that APS does not
obtain the disabled item.
• When APS Console enables an item that was disabled, the item is applied to all of the
appropriate APS devices.
See “About the APS Console - APS Data Synchronization” on page 78.
Blacklisting Inbound Traffic
Use inbound blacklisting to block the traffic to your network that originates from specific
hosts or countries, or from the clients that access specific domains in your network. APS
always blocks the traffic from the blacklisted hosts without further inspection, regardless
of the current protection level.
You can configure the blacklists in APS Console and propagate the configurations to each
managed APS as appropriate. You also can view the items that were added to the inbound
blacklist from APS Console and on all the APS devices that APS Console manages. See
“Viewing and Searching the Inbound Blacklist” on page 177.
For general information about blacklisting, see “About Blacklisting and Whitelisting
Traffic” on page 168.
Caution
Because the configurations from APS Console can overwrite the configurations on APS,
any local changes that you make on APS might be lost. Generally, you should not edit the
configurations locally on a managed APS.
About the blacklist settings
On the Inbound Blacklists page, you can blacklist the traffic’s source in the following ways:
• by the IP address or CIDR
• by the country
• by the domain or URL that is specified in the HTTP request header
If the blacklists or whitelists contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address
remains whitelisted.
If you whitelist a host or remove a host from the blacklist, and that host is temporarily
blocked, it is removed from the Temporarily Blocked Sources list immediately. When you
do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed
from the Temporarily Blocked Sources list within five minutes. You can unblock an
individual IP address immediately by whitelisting that IP address.
Adding items to the inbound blacklist
To add items to the inbound blacklist:
1. Select Protect > Inbound Protection > Blacklists.
2. On the Inbound Blacklists page, select one of the following tabs:
  ◦ Source IP Address tab, to blacklist an IP address or country
  ◦ Domains and URLs tab, to blacklist a domain or URL
3. In the Add box, type any combination of the following items separated by commas,
and then click Add:
Source IP Address tab
  • IPv4 or IPv6 address
  • CIDR
  • Country name. As you type the name, the system displays the countries that match
  your entry, and you can select a country from the list.
Domains and URLs tab
  • Domain, for example, domain.com
  • URL, for example, www.domain.com/doc1/?search=text
  When you blacklist a domain or URL, APS blocks the traffic by matching the domain or
  URL that is specified in the HTTP request header.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Inbound Blacklists page.
Deleting items from the inbound blacklist
Deleting an item from the blacklist does not add it to the whitelist. If you want to whitelist a
host from the Inbound Blacklists page, see “Whitelisting blacklisted hosts” below.
To delete an item from the inbound blacklist:
1. Select Protect > Inbound Protection > Blacklists.
2. On the Inbound Blacklists page, select the tab for the item that you want to delete.
3. Delete the item as follows:
  ◦ To delete the item for all the protection groups, click (Remove) to the far right of
  the item.
  ◦ To delete the item for a specific protection group, hover your mouse pointer over
  the protection group in the PGs Affected column. Click the (Remove) icon that
  appears.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Whitelisting blacklisted hosts
Because only IP addresses and CIDRs can be whitelisted, this option is available in the
Blacklisted Hosts section only.
When you whitelist a blacklisted host, it is removed from the blacklist and added to the
whitelist. If the host was blacklisted for specific protection groups only, then it is whitelisted
for those protection groups.
To whitelist a blacklisted host:
1. Select Protect > Inbound Protection > Whitelists.
2. On the Inbound Blacklists page, select the Source IP Address tab.
3. Click the Whitelist button to the far right of the IP address or CIDR.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Inbound Whitelists page.
Viewing and Searching the Inbound Blacklist
The Inbound Blacklists page in APS Console allows you to view the entire blacklist for all of
the APS devices managed by APS Console. You can search this blacklist for specific hosts,
CIDRs, countries, domains, or URLs. You can enter only one item per search but the search
can return multiple results.
You also can use the Inbound Blacklists page to blacklist inbound traffic for all of the
managed APS devices. See “Blacklisting Inbound Traffic” on page 174.
Viewing the inbound blacklist
To view the inbound blacklist:
1. Select Protect > Inbound Protection > Blacklists.
2. On the Inbound Blacklists page, select the Source IP Address tab or the Domains
and URLs tab.
3. (Optional) You can collapse or expand the sections on the page at any time by clicking
(collapse) or (expand), respectively.
By default, all of the sections appear.
If the blacklisted items continue on multiple pages, you can use the paging icons at
the upper-right of each section to view additional items for that section. See “Using
Navigation Controls” on page 24.
4. To filter the list to display items of interest, you can search for specific blacklisted
items. See “Searching the inbound blacklist” below.
Searching the inbound blacklist
When you view the inbound blacklist, you can filter the list to display items of interest by
searching for one or more blacklisted items.
A search for any of the items on the Source IP Address tab returns any blacklisted IP
addresses, CIDRs, or countries that are associated with that address.
To search the inbound blacklist:
1. Select Protect > Inbound Protection > Blacklists.
2. On the Inbound Blacklists page, select the Source IP Address tab or the Domains
and URLs tab.
3. In the Search box, type a search string as follows:
Source IP Address tab
  Type one of the following search strings:
  • An IPv4 or IPv6 address.
  • An IPv4 or IPv6 address range, with a hyphen to separate the beginning IP address
  and ending IP address. For example: 192.0.2.1-192.0.2.10
  • A CIDR.
  • A country name. As you type, the system displays the countries that match your
  entry. You can continue to type the country name or select a country from the list.
Domains and URLs tab
  Type one of the following search strings:
  • A full domain name or partial domain name.
  • A full URL or partial URL.
4. Click Search .
5. If an item that you searched for is not on the inbound blacklist, a message appears.
The following options might be available:
  ◦ You can click (add) in the message to add that item to the blacklist.
  ◦ (Source IP Address tab only) If the host is on the inbound whitelist, you can click
  the link in the message to open the Inbound Whitelists page and display that host.
Information on the Inbound Blacklists page
By default, the inbound blacklist is sorted by the Since column, beginning with the most
recent items. You also can sort the inbound blacklist by the Hostname, Country, Domain
Name, or URLs columns on their respective tabs. For more information about sorting, see
“Sorting information in tables” on page 24.
For each blacklisted item, the Inbound Blacklists page displays the following information:
Inbound Blacklists details
Hosts
  (Source IP Address tab only) Displays the blacklisted host’s IP address or CIDR. If the
  system can identify the host’s country, this column also includes a flag icon that
  represents the country.
  If the system can resolve the hostname, you can see the hostname by hovering your
  mouse pointer over the IP address or CIDR. For IPv4 hosts that are not private networks,
  you can see the country name by hovering your mouse pointer over the flag icon.
  Note: Country mappings do not exist for IPv6 addresses. If the source is an IPv6 address,
  then this column includes an IPv6 flag icon instead of a country flag icon. Also, for
  private networks, this column includes a 10 icon or a 192 icon.
Country
  (Source IP Address tab only) Displays the blacklisted country. If the system can identify
  the country’s flag, this column also displays a flag icon.
Domain Name
  (Domains and URLs tab only) Displays the blacklisted domain.
URLs
  (Domains and URLs tab only) Displays the blacklisted URL.
Since
  Indicates the amount of time that the item has been on the inbound blacklist.
(information)
  Displays the audit trail entry, if any, that was created when this item was added to the
  list. Click (information) next to the time period in the Since column.
PGs Affected
  Displays the protection groups for which the item is blacklisted. When multiple
  protection groups are listed, you can hover your mouse pointer over a protection group
  to display (Remove). Click (Remove) to remove the item from the blacklist for that
  protection group only.
Whitelist button
  Allows you to add the item to the inbound whitelist. Because you only can whitelist
  hosts, this option is available in the Blacklisted Hosts section only.
(Remove)
  Allows you to remove the item from the inbound blacklist for all of the protection
  groups without whitelisting it.
If you whitelist a host or remove a host from the blacklist, and that host is temporarily
blocked, it is removed from the Temporarily Blocked Sources list immediately. When you
do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed
from the Temporarily Blocked Sources list within five minutes. You can unblock an
individual IP address immediately by whitelisting that IP address.
Blacklisting Outbound Traffic
Use outbound blacklisting to block the IPv4 traffic that originates from your network and is
sent from specific internal hosts or to specific external hosts. APS always blocks the traffic
from the blacklisted hosts without further inspection, regardless of the current protection
level. For the outbound blacklist to take effect, you must enable the outbound threat filter.
See “Configuring the Outbound Threat Filter” on page 115.
Note
You cannot add IPv6 traffic to the outbound blacklist.
When you use APS Console to manage APS, you can configure the blacklists in APS
Console and propagate the configurations to each managed APS as appropriate. You also
can view the items that were added to the outbound blacklist from APS Console and on all
of the APS devices that APS Console manages. See “Viewing and Searching the Outbound
Blacklist” on page 182.
For general information about blacklisting, see “About Blacklisting and Whitelisting
Traffic” on page 168.
Caution
Because the configurations from APS Console can overwrite the configurations on APS,
any local changes that you make on APS might be lost. Generally, you should not edit the
configurations locally on a managed APS.
About the outbound blacklist settings
On the Outbound Blacklists page, you can blacklist the traffic’s source or destination by
specifying an IPv4 address or CIDR.
If the blacklists or whitelists contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address
remains whitelisted.
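The most-specific-address rule stated here (and in the same words for the inbound blacklist) is a longest-prefix match across both lists. The following is an added example that implements that rule with the standard ipaddress module; it is not Arbor code. It uses the page's 10.2.3.141 / 10.2.3.0/24 values plus a constructed second pair, and it returns "inspect" for an address that neither list covers, a name chosen here. The page does not say what happens when both lists hold an equally specific entry for the same address, so the example reports that as a conflict instead of guessing.

```python
"""Most-specific-match precedence between a blacklist and a whitelist.

Added example; not Arbor code. It models the rule stated on the page: when
an address is covered by entries on both lists, the entry with the longest
prefix (the most specific one) decides. Equal-length matches on both lists
are not described on the page, so this model reports them as a conflict.
"""
import ipaddress


def most_specific(address, entries):
    """Return the longest-prefix network in `entries` that contains
    `address`, or None when no entry covers it. A bare host entry such as
    "10.2.3.141" is a /32 (or /128 for IPv6)."""
    best = None
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        # Entries of the other address family can never cover the address.
        if net.version != address.version or address not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best = net
    return best


def resolve(address, blacklist, whitelist):
    """Return (verdict, matching entry). The verdict is "drop", "pass", or
    "inspect" when no entry on either list covers the address."""
    addr = ipaddress.ip_address(address)
    black = most_specific(addr, blacklist)
    white = most_specific(addr, whitelist)
    if black is None and white is None:
        return "inspect", None
    if white is None or (black is not None and black.prefixlen > white.prefixlen):
        return "drop", str(black)
    if black is None or white.prefixlen > black.prefixlen:
        return "pass", str(white)
    raise ValueError(f"{address} is covered by {black} on both lists")


# Constructed sample lists; the first pair is the page's own example.
BLACKLIST = ["10.2.3.0/24", "203.0.113.0/24"]
WHITELIST = ["10.2.3.141", "203.0.113.0/26"]

if __name__ == "__main__":
    for ip in ("10.2.3.141", "10.2.3.142", "203.0.113.9", "203.0.113.200", "198.51.100.1"):
        verdict, entry = resolve(ip, BLACKLIST, WHITELIST)
        print(f"{ip:15} {verdict:8} {entry}")
```

The same comparison works with the nesting reversed: a blacklisted /32 inside a whitelisted /24 is dropped, because the /32 is the more specific entry, not because blacklists outrank whitelists.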
If you whitelist a host or remove a host from the blacklist, and that host is temporarily
blocked, it is removed from the Temporarily Blocked Sources list immediately. When you
do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed
from the Temporarily Blocked Sources list within five minutes. You can unblock an
individual IP address immediately by whitelisting that IP address.
Adding items to the outbound blacklist
To add items to the outbound blacklist:
1. Select Protect > Outbound Protection > Blacklists.
2. In the Add box, type one or more IPv4 addresses or CIDRs separated by commas.
3. Click Add.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Outbound Blacklists page.
Deleting items from the outbound blacklist
Deleting an item from the outbound blacklist does not add it to the outbound whitelist. If
you want to move a host from the outbound blacklist to the outbound whitelist, see
“Whitelisting blacklisted hosts” below.
To delete an item from the outbound blacklist:
1. Select Protect > Outbound Protection > Blacklists.
2. On the Outbound Blacklists page, click (Remove) to the far right of the item.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Whitelisting blacklisted hosts
When you whitelist a blacklisted host, it is removed from the outbound blacklist and
added to the outbound whitelist.
To whitelist a blacklisted host:
1. Select Protect > Outbound Protection > Blacklists.
2. On the Outbound Blacklists page, click the Whitelist button to the far right of the
item.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Outbound Whitelists page.
Viewing and Searching the Outbound Blacklist
The Outbound Blacklists page in APS Console allows you to view the entire outbound
blacklist for all of the APS devices managed by APS Console. You can search this blacklist
for specific IPv4 addresses or CIDRs, or for IPv4 addresses and CIDRs that match a specific
country.
Note
The outbound blacklist does not include IPv6 addresses.
You also can use the Outbound Blacklists page to blacklist outbound IPv4 traffic on any
APS device that is managed by APS Console. See “Blacklisting Outbound Traffic” on
page 180.
Important
You must enable the outbound threat filter for the outbound blacklist to take effect. See
“Configuring the Outbound Threat Filter” on page 115.
Viewing the outbound blacklist
To view the outbound blacklist:
1. Select Protect > Outbound Protection > Blacklists.
2. If the blacklisted items continue on multiple pages, you can use the paging icons at
the upper-right of the page to view the additional items. See “Using Navigation
Controls” on page 24.
3. To filter the list to display items of interest, you can search for specific blacklisted
items. See “Searching the outbound blacklist” below.
Searching the outbound blacklist
When you view the outbound blacklist, you can filter the list to display items of interest by
searching for one or more blacklisted items.
To search the outbound blacklist:
1. Select Protect > Outbound Protection > Blacklists.
2. In the Search box on the Outbound Blacklists page, type one of the following search
strings:
• An IPv4 address.
• An IPv4 address range, with a hyphen to separate the beginning IP address and
  ending IP address. For example: 192.0.2.1-192.0.2.10
• A CIDR.
• A country name. As you type, the system displays the countries that match your
  entry. You can continue to type the country name or select a country from the list.
3. Click Search.
4. If you search for a host that is not on the outbound blacklist, a message appears. The
following options might be available:
• You can click the add icon in the message to add the host to the outbound blacklist.
• If the host is on the outbound whitelist, you can click the link in the message to
  open the Outbound Whitelists page and display that host.
Information on the Outbound Blacklists page
By default, the outbound blacklist is sorted by the Since column, beginning with the most
recent items. You also can sort the outbound blacklist by the Hosts column. For more
information about sorting, see “Sorting information in tables” on page 24.
For each blacklisted item, the Outbound Blacklists page displays the following information:
Outbound Blacklists details
Information    Description
Hosts
    Displays the blacklisted host’s IP address or CIDR. If the system can
    identify the host’s country, this column also includes a flag icon that
    represents the country.
    If the system can resolve the hostname, you can see the hostname
    by hovering your mouse pointer over the IP address or CIDR. For
    IPv4 hosts that are not private networks, you can see the country
    name by hovering your mouse pointer over the flag icon.
Since
    Indicates the amount of time that the item has been on the
    outbound blacklist.
(information) icon
    Displays the audit trail entry, if any, that was created when this item
    was added to the list. Click the information icon next to the time
    period in the Since column.
Whitelist button
    Allows you to add the item to the outbound whitelist.
(Remove) icon
    Allows you to remove the item from the outbound blacklist without
    adding it to the outbound whitelist.
If you whitelist a host or remove a host from the blacklist, and that host is temporarily
blocked, it is removed from the Temporarily Blocked Sources list immediately. When you
do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed
from the Temporarily Blocked Sources list within five minutes. You can unblock an
individual IP address immediately by whitelisting that IP address.
Whitelisting Inbound Traffic
Use inbound whitelisting to pass the inbound traffic that originates from specific external
hosts. APS always passes the traffic from the whitelisted hosts without further inspection,
regardless of the current protection level.
When you use APS Console to manage APS, you can configure the whitelists in APS
Console and propagate the configurations to each managed APS as appropriate.
For general information about whitelisting, see “About Blacklisting and Whitelisting
Traffic” on page 168.
Whitelisting exception
An exception to the whitelisting behavior is when APS detects invalid packets. Because the
Invalid Packets protection takes precedence over the whitelist, APS blocks invalid packets
even if the source host is whitelisted. See “Invalid Packets” on page 202.
About the whitelist settings
On the Inbound Whitelists page, you can whitelist the traffic’s source by specifying an IP
address, hostname, or CIDR.
If the blacklists or whitelists contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address
remains whitelisted.
When you whitelist a host that is temporarily blocked, it is removed from the Temporarily
Blocked Sources list immediately. When you do the same for a CIDR that contains
temporarily blocked hosts, those hosts are removed from the Temporarily Blocked
Sources list within five minutes. You can unblock an individual IP address immediately by
whitelisting that IP address.
Adding hosts to the inbound whitelist
To add hosts to the inbound whitelist:
1. Select Protect > Inbound Protection > Whitelists.
2. In the Add box, type one or more IPv4 or IPv6 addresses or CIDRs separated by
commas, and then click Add.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Inbound Whitelists page.
Deleting items from the inbound whitelist
Deleting an item from the whitelist does not add it to the blacklist. If you want to blacklist
an item from the Inbound Whitelists page, see “Blacklisting whitelisted hosts” on the
facing page.
To delete an item from the inbound whitelist:
1. Select Protect > Inbound Protection > Whitelists.
2. On the Inbound Whitelists page, delete the item as follows:
• To delete the item for all of the protection groups, click the Remove icon to the far
  right of the item.
• To delete the item for a specific protection group, hover your mouse pointer over
  the protection group in the PGs Affected column. Click the Remove icon that
  appears.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Blacklisting whitelisted hosts
When you blacklist a whitelisted host, it is removed from the whitelist and added to the
blacklist. If the host was whitelisted for specific protection groups only, then it is blacklisted
for those protection groups.
To blacklist a whitelisted host:
1. Select Protect > Inbound Protection > Whitelists.
2. On the Inbound Whitelists page, click the Blacklist button to the far right of the item.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Inbound Blacklists page.
Viewing and Searching the Inbound Whitelist
The Inbound Whitelists page in APS Console allows you to view the entire whitelist for all of
the APS devices managed by APS Console. You can search this whitelist for specific IP
addresses or CIDRs, or for IP addresses and CIDRs that match a specific country. You can
enter only one item per search but the search can return multiple results.
You also can use the Inbound Whitelists page to whitelist inbound traffic for all of the
managed APS devices. See “Whitelisting Inbound Traffic” on page 184.
Viewing the inbound whitelist
To view the inbound whitelist:
1. Select Protect > Inbound Protection > Whitelists.
2. If the whitelisted items continue on multiple pages, you can use the paging icons at
the upper-right of the section to view additional items. See “Using Navigation
Controls” on page 24.
3. To filter the list to display items of interest, you can search for specific whitelisted
items. See “Searching the inbound whitelist” below.
Searching the inbound whitelist
When you view the inbound whitelist, you can filter the list to display items of interest by
searching for one or more whitelisted items.
To search the inbound whitelist:
1. Select Protect > Inbound Protection > Whitelists.
2. On the Inbound Whitelists page, in the Search box, type one of the following search
strings:
• An IPv4 or IPv6 address.
• An IPv4 or IPv6 address range, with a hyphen to separate the beginning IP address
  and ending IP address. For example: 192.0.2.1-192.0.2.10
• A CIDR.
• A country name. As you type, the system displays the countries that match your
  entry. You can continue to type the country name or select a country from the list.
3. Click Search.
4. If you search for a host that is not on the inbound whitelist, a message appears. The
following options might be available:
• You can click the add icon in the message to add that host to the whitelist.
• If the host is on the inbound blacklist, you can click the link in the message to open
  the Inbound Blacklists page and display that host.
Information on the Inbound Whitelists page
By default, the inbound whitelist is sorted by the Since column, beginning with the most
recent items. You also can sort the inbound whitelist by the Hostname column. For more
information about sorting, see “Sorting information in tables” on page 24.
For each whitelisted item, the Inbound Whitelists page displays the following information:
Inbound Whitelists details
Information    Description
Hosts
    Displays the whitelisted host’s IP address or CIDR. If the system can
    identify the host’s country, this column also includes a flag icon that
    represents the country.
    If the system can resolve the hostname, you can see the hostname
    by hovering your mouse pointer over the IP address or CIDR. For
    IPv4 hosts that are not private networks, you can see the country
    name by hovering your mouse pointer over the flag icon.
    Note: Country mappings do not exist for IPv6 addresses. If the source is
    an IPv6 address, then this column includes an IPv6 flag icon
    instead of a country flag icon. Also, for private networks, this
    column includes a 10 icon or a 192 icon.
Since
    Indicates the amount of time that the item has been on the
    inbound whitelist.
(information) icon
    Displays the audit trail entry, if any, that was created when this item
    was added to the list. Click the information icon next to the time
    period in the Since column.
PGs Affected
    Displays the protection groups for which the item is whitelisted.
    When multiple protection groups are listed, you can hover your
    mouse pointer over a protection group to display the Remove icon.
    Click the Remove icon to remove the item from the whitelist for that
    protection group only.
Blacklist button
    Allows you to add the item to the inbound blacklist.
(Remove) icon
    Allows you to remove the item from the inbound whitelist for all
    the protection groups without blacklisting it.
Whitelisting Outbound Traffic
Use outbound whitelisting to pass the IPv4 traffic that originates from your network and is
sent from specific internal hosts or to specific external hosts. APS always passes the traffic
from or to the whitelisted hosts without further inspection, regardless of the current
protection level.
When you use APS Console to manage APS, you can configure the whitelists in APS
Console and propagate the configurations to each managed APS as appropriate.
Important
You must enable the outbound threat filter for the outbound whitelist to take effect. See
“Configuring the Outbound Threat Filter” on page 115.
For general information about whitelisting, see “About Blacklisting and Whitelisting
Traffic” on page 168.
Whitelisting exception
An exception to the whitelisting behavior is when APS detects invalid packets. Because the
Invalid Packets protection takes precedence over the whitelist, APS blocks invalid packets
even if the source host is whitelisted. See “Invalid Packets” on page 202.
About the outbound whitelist settings
On the Outbound Whitelists page, you can whitelist the traffic’s source by specifying an
IPv4 address or CIDR.
Note
You cannot add IPv6 traffic to the outbound whitelist.
If the blacklists or whitelists contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address
remains whitelisted.
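The precedence rule above (most specific entry wins when an address and a CIDR overlap, on either list), the Invalid Packets exception, and the "whitelist a blacklisted host" move from this section, modeled in Python. This is an added illustration, not Arbor code: the class and method names are my own, and the tie-break for identical prefixes present on both lists is an assumption (the UI avoids that state by moving an entry between lists).

```python
"""Model of APS blacklist/whitelist precedence (added illustration, not Arbor code).

Rules taken from this section of the guide:
  * when an address and a CIDR overlap, the most specific (longest-prefix)
    entry wins, whichever list each one is on;
  * Invalid Packets protection takes precedence over the whitelist;
  * whitelisting a blacklisted host moves it from one list to the other.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple


def to_network(entry: str):
    """Parse "10.2.3.141" or "10.2.3.0/24"; a bare address becomes a /32 or /128."""
    return ipaddress.ip_network(entry, strict=False)


class HostLists:
    def __init__(self, blacklist: Iterable[str] = (), whitelist: Iterable[str] = ()):
        # list name -> networks on that list; an entry lives on exactly one list
        self.lists: Dict[str, List] = {
            "blacklist": [to_network(e) for e in blacklist],
            "whitelist": [to_network(e) for e in whitelist],
        }

    def most_specific_match(self, address: str) -> Optional[Tuple[str, object]]:
        """Return (list name, network) of the longest-prefix entry covering address."""
        addr = ipaddress.ip_address(address)
        best = None
        for kind, nets in self.lists.items():
            for net in nets:
                if net.version != addr.version or addr not in net:
                    continue
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (kind, net)
                elif net.prefixlen == best[1].prefixlen and kind == "blacklist":
                    # Assumption (not stated in the guide): an identical prefix on
                    # both lists resolves to blocking, the conservative choice.
                    best = (kind, net)
        return best

    def decide(self, address: str, invalid_packet: bool = False) -> str:
        """Return "blocked", "passed", or "inspect" (hand off to the protection settings)."""
        if invalid_packet:
            return "blocked"          # Invalid Packets protection beats the whitelist
        hit = self.most_specific_match(address)
        if hit is None:
            return "inspect"          # on neither list: normal inspection applies
        return "blocked" if hit[0] == "blacklist" else "passed"

    def _move(self, entry: str, src: str, dst: str) -> bool:
        """Move an entry between lists; False if it is not on the source list."""
        net = to_network(entry)
        if net not in self.lists[src]:
            return False
        self.lists[src].remove(net)
        self.lists[dst].append(net)
        return True

    def whitelist_blacklisted_host(self, entry: str) -> bool:
        return self._move(entry, "blacklist", "whitelist")

    def blacklist_whitelisted_host(self, entry: str) -> bool:
        return self._move(entry, "whitelist", "blacklist")


def demo() -> Dict[str, str]:
    """Constructed sample using the guide's own example addresses plus documentation ranges."""
    lists = HostLists(blacklist=["10.2.3.0/24", "198.51.100.7"], whitelist=["10.2.3.141"])
    results = {
        "10.2.3.141": lists.decide("10.2.3.141"),      # passed: /32 whitelist beats /24 blacklist
        "10.2.3.5": lists.decide("10.2.3.5"),          # blocked: only the /24 covers it
        "203.0.113.9": lists.decide("203.0.113.9"),    # inspect: on neither list
        "invalid": lists.decide("10.2.3.141", invalid_packet=True),  # blocked despite whitelist
    }
    lists.whitelist_blacklisted_host("198.51.100.7")   # the "Whitelist" button from this section
    results["198.51.100.7"] = lists.decide("198.51.100.7")  # passed after the move
    return results


if __name__ == "__main__":
    for host, outcome in demo().items():
        print(f"{host:>14}: {outcome}")
```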
When you whitelist a host that is temporarily blocked, it is removed from the Temporarily
Blocked Sources list immediately. When you do the same for a CIDR that contains
temporarily blocked hosts, those hosts are removed from the Temporarily Blocked
Sources list within five minutes. You can unblock an individual IP address immediately by
whitelisting that IP address.
Important
When you deploy APS in monitor mode, the outbound traffic does not go through APS
and is not analyzed.
Adding hosts to the outbound whitelist
To add IPv4 hosts to the outbound whitelist:
1. Select Protect > Outbound Protection > Whitelists.
2. In the Add box, type one or more IPv4 addresses or CIDRs separated by commas.
3. Click Add.
4. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Outbound Whitelists page.
Deleting items from the outbound whitelist
Deleting an item from the outbound whitelist does not add it to the outbound blacklist. If
you want to move a host from the outbound whitelist to the outbound blacklist, see
“Blacklisting whitelisted hosts” below.
To delete an item from the outbound whitelist:
1. Select Protect > Outbound Protection > Whitelists.
2. On the Outbound Whitelists page, click the Remove icon to the far right of the item.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Blacklisting whitelisted hosts
When you blacklist a whitelisted host, it is removed from the outbound whitelist and
added to the outbound blacklist.
To blacklist a whitelisted host:
1. Select Protect > Outbound Protection > Whitelists.
2. On the Outbound Whitelists page, click the Blacklist button to the far right of the
item.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
This audit trail information will be visible from the Outbound Blacklists page.
Viewing and Searching the Outbound Whitelist
The Outbound Whitelists page in APS Console allows you to view the entire outbound
whitelist for all of the APS devices managed by APS Console. You can search this whitelist
for specific IPv4 addresses and CIDRs, or for IPv4 addresses and CIDRs that match a
specific country.
You also can use the Outbound Whitelists page to whitelist outbound IPv4 traffic on any
APS device that is managed by APS Console. See “Whitelisting Outbound Traffic” on
page 188.
You must enable the outbound threat filter for the outbound whitelist to take effect. See
“Configuring the Outbound Threat Filter” on page 115.
Note
The outbound whitelist does not include IPv6 addresses.
Viewing the outbound whitelist
To view the outbound whitelist:
1. Select Protect > Outbound Protection > Whitelists.
2. If the whitelisted items continue on multiple pages, you can use the paging icons at
the upper-right of the page to view additional items. See “Using Navigation Controls”
on page 24.
3. To filter the list to display items of interest, you can search for specific whitelisted
items. See “Searching the outbound whitelist” below.
Searching the outbound whitelist
When you view the outbound whitelist, you can filter the list to display items of interest by
searching for one or more whitelisted items.
To search the outbound whitelist:
1. Select Protect > Outbound Protection > Whitelists.
2. In the Search box on the Outbound Whitelists page, type one of the following search
strings:
• An IPv4 address.
• An IPv4 address range, with a hyphen to separate the beginning IP address and
  ending IP address. For example: 192.0.2.1-192.0.2.10
• A CIDR.
• A country name. As you type, the system displays the countries that match your
  entry. You can continue to type the country name or select a country from the list.
3. Click Search.
4. If a host that you searched for is not on the outbound whitelist, a message appears.
The following options might be available:
• You can click the add icon in the message to add the host to the outbound whitelist.
• If the host is on the outbound blacklist, you can click the link in the message to
  open the Outbound Blacklists page and display that host.
Information on the Outbound Whitelists page
By default, the outbound whitelist is sorted by the Since column, beginning with the most
recent items. You also can sort the outbound whitelist by the Hosts column. For
information about sorting, see “Sorting information in tables” on page 24.
For each whitelisted item, the Outbound Whitelists page displays the following
information:
Outbound Whitelists details
Information    Description
Hosts
    Displays the whitelisted host’s IP address or CIDR. If the system can
    identify the host’s country, this column also includes a flag icon that
    represents the country.
    If the system can resolve the hostname, you can see the hostname
    by hovering your mouse pointer over the IP address or CIDR. For
    IPv4 hosts that are not private networks, you can see the country
    name by hovering your mouse pointer over the flag icon.
Since
    Indicates the amount of time that the item has been on the
    outbound whitelist.
(information) icon
    Displays the audit trail entry, if any, that was created when this item
    was added to the list. Click the information icon next to the time
    period in the Since column.
Blacklist button
    Allows you to add the item to the outbound blacklist.
(Remove) icon
    Allows you to remove the item from the outbound whitelist
    without adding it to the outbound blacklist.
Section 11: Viewing APS Traffic
This section describes the many ways in which you can view the traffic that APS inspects.
In this section
This section contains the following topics:
Viewing the Traffic Activity for a Protection Group    194
Viewing the Traffic Overview for a Protection Group    197
Filtering the Traffic Data by APS    199
Viewing the Attack Categories for a Protection Group    200
Viewing the Top URLs for a Protection Group    206
Viewing the Top Domains for a Protection Group    208
Viewing the Top IP Locations for a Protection Group    210
Viewing the Top Protocols for a Protection Group    212
Viewing the Top Services for a Protection Group    214
Viewing the Traffic Activity for a Protection Group
The View Protection Group page allows you to view information in real time about the
traffic that is destined for the prefixes in a protection group. The traffic information that
appears on this page is for incoming traffic only. The information does not include server
response traffic.
Use the information on this page to monitor how effectively the managed APS devices
mitigate attacks and to decide whether you need to take action to block the traffic.
The View Protection Group page displays aggregated traffic data for all of the APS devices
that are assigned to the protection group. You can filter the data on the View Protection
Group page to view information for a single APS. See “Filtering the traffic data for a single
APS” on page 199.
The View Protection Group page also allows you to blacklist certain hosts or remove them
from the blacklist, which is also referred to as unblocking. See “About Blacklisting and
Whitelisting Traffic” on page 168.
Navigating to the View Protection Group page
To navigate to the View Protection Group page:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
Sections on the View Protection Group page
The View Protection Group page contains the following sections:
Sections on the View Protection Group page
Section    Description and reference
Time selector
    Allows you to filter the information that appears on the View
    Protection Group page by a specific increment or by a time range.
    See “Changing the display timeframe” on page 28.
Bytes and Packets buttons
    Click Bytes or Packets to change the display unit of measure on
    the View Protection Group page.
Protection Group Overview
    Displays summary data about all of the protection group’s traffic
    during the selected timeframe.
    See “Viewing the Traffic Overview for a Protection Group” on
    page 197.
Total Protection Group Traffic graph
    Shows a stacked graph that represents the total passed traffic in
    green and the total blocked traffic in red. Below the graph, you can
    click the Passed or Blocked icons to show and hide the different
    types of traffic.
Traffic Views
    Lists the different types of inbound traffic that are destined for the
    prefixes in the protection group. You can click a link in the list to
    view the data for that type of traffic.
    See “Viewing the inbound traffic by type” below.
    Select Display All to display the data for all of the traffic views, in
    the order in which they appear in the list. To include all of the
    traffic view data when you create a PDF of the View Protection
    Group page, select this option.
    See “About the Arbor Smart Bar” on page 26 for PDF instructions.
Attack Categories
    See “Viewing the Attack Categories for a Protection Group” on
    page 200.
Viewing the inbound traffic by type
In the Traffic Views section, you can view the data for the inbound traffic that is destined
for the protection group’s prefixes.
To select the type of traffic to view:
• Click the expand icon, and then click a link in the list of traffic views. The graph and
  table display the data for the selected type of traffic.
You can click the collapse icon to hide the list of traffic views. When the list is hidden, the
graph and table continue to display the data for the selected type of traffic.
The types of traffic that are available in the list depend on the server type for the protection
group. For example, when you display this page for a Web Server protection group, only
the sections that are relevant for Web servers appear.
The list of traffic views can include the following types of traffic:
Types of Traffic in the Traffic Views section
Type    Description and reference
Attack Categories
    Displays a graph of the attack categories that are responsible for
    blocking current traffic.
    See “Viewing the Attack Categories for a Protection Group” on
    page 200.
Web Traffic by URL
    Displays the 10 URLs that have the highest amounts of inbound
    IPv4 traffic.
    See “Viewing the Top URLs for a Protection Group” on page 206.
    Note: This traffic data is not available for IPv6 protection groups.
Web Traffic by Domain
    Displays the 10 domains that have the highest amounts of inbound
    IPv4 traffic.
    See “Viewing the Top URLs for a Protection Group” on page 206.
    Note: This traffic data is not available for IPv6 protection groups.
IP Location
    Displays the 10 identifiable countries that send the most IPv4
    traffic.
    See “Viewing the Top IP Locations for a Protection Group” on
    page 210.
    Note: This traffic data is not available for IPv6 protection groups.
Protocols
    Displays the 10 protocols that have the highest amounts of
    inbound traffic.
    See “Viewing the Top Protocols for a Protection Group” on
    page 212.
Services
    Displays the 10 services that have the highest amounts of inbound
    traffic.
    See “Viewing the Top Services for a Protection Group” on
    page 214.
Viewing the Traffic Overview for a Protection Group
On the View Protection Group page, the Protection Group Overview section displays
summary data about the protection group’s traffic during the selected timeframe.
Use the information in this section to quickly view the protection group’s activity, assess its
performance, and look for problems. For example, a significant increase or a large spike in
the passed traffic might indicate an attack.
To view information in real time about the traffic that is destined to a protection group, see
“Viewing the Traffic Activity for a Protection Group” on page 194.
Filtering traffic data
APS Console aggregates the traffic data for all of the APS devices that are assigned to the
protection group. To filter the page to view the traffic data for a single APS, click the All
APSes link under APS Assignments.
See “Filtering the Traffic Data by APS” on page 199.
Navigating to the View Protection Group page
To navigate to the View Protection Group page:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
Information in the Protection Group Overview section
The Protection Group Overview section contains the following information:
Information in the Protection Group Overview section
Section    Description
Total Traffic
    Displays a minigraph that represents the total traffic, and displays
    the following values:
    • Total summarizes the total amount of traffic during the specified
      timeframe.
    • Rate summarizes the average rate of this traffic during the
      specified timeframe.
Passed Traffic
    Displays a minigraph that represents the passed traffic, and
    displays the following values:
    • Total summarizes the total amount of passed traffic during the
      specified timeframe.
    • Rate summarizes the average rate of the passed traffic during
      the specified timeframe.
Blocked Traffic
    Displays a minigraph that represents the blocked traffic, and
    displays the following values:
    • Total summarizes the total amount of blocked traffic during the
      specified timeframe.
    • Rate summarizes the average rate of the blocked traffic during
      the specified timeframe.
Blocked Hosts
    Displays a minigraph that represents the blocked hosts. The
    Average value indicates the average number of blocked hosts
    during the specified timeframe.
Total Traffic graph
    Shows the percentage of the total traffic that is passed in green and
    the percentage that is blocked in red.
Filtering the Traffic Data by APS
The View Protection Group page displays aggregated traffic data for all of the APS devices
that are assigned to the protection group. You can filter the data on the View Protection
Group page to view only the traffic data for a single APS.
After you filter the page, the APS remains selected even if you navigate away from the View
Protection Group page. You must clear the selection manually to revert to viewing the
traffic data for all the APS assignments. See “Viewing the traffic data for all the APS
assignments” below.
About APS Assignments
In the Protection Group Details section, under APS Assignments, APS Console indicates
whether it displays the traffic for all APS assignments or for a single APS. The APS
Assignments section also displays the total number of APS assignments for the protection
group.
Filtering the traffic data for a single APS
To filter the traffic data on the View Protection Group page for a single APS:
1. Navigate to the View Protection Group page as follows:
a. Select Protect > Inbound > Protection Groups.
b. (Optional) On the List Protection Groups page, filter the list to find a specific
protection group. See “Searching for protection groups” on page 226.
c. Click the protection group name.
2. At the top of the View Protection Group page, click the All APSes link to open the Filter
by APS window.
The Filter by APS window displays the following information for each APS:
• a graph that shows the percentage of blocked traffic
• the number of active alerts, if any
3. (Optional) In the Filter by APS name box, type all or part of a name to locate a
specific APS. As you type, the list displays only the APS names that match the string.
4. If there is only one match, the APS name is selected automatically. If there are multiple
matches, select an APS.
APS Console updates the sections for Total Protection Group Traffic, Mode , Traffic
Overview , and Recent Alerts to display data for the selected APS.
5. Click Apply.
After you apply the filter, the name of the selected APS replaces the All APSes link on
the View Protection Group page.
Viewing the traffic data for all the APS assignments
You can clear the selected APS to display data for all of the APS assignments on the View
Protection Group page:
• Click the clear icon. The All APSes link appears when the View Protection Group page is
  no longer filtered for a specific APS.
Viewing the Attack Categories for a Protection Group
The Attack Categories section on the View Protection Group page displays the categories of
protections that are responsible for blocking current traffic.
The data display for the attack categories refreshes approximately every 60 seconds.
Use this information to determine why APS blocked the traffic. For example, if blocked
traffic is shown for the Invalid Packets category, you can display the details for that
category to view the reasons why that traffic was considered to be invalid.
For general information about the protection settings, see “About the Protection Settings
Configuration” on page 111.
Navigating to the Attack Categories section
To navigate to the Attack Categories section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
4. (Optional) In the Traffic Views section, click the expand icon.
5. In the list of traffic views, select Attack Categories.
6. (Optional) Filter the information that appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
• To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Attack Categories section
The Attack Categories section contains the following information:

Attack Categories graph: APS Console updates the data display once per minute.

Key: Shows the color that represents the source in the Attack Categories graph and allows
you to filter the graph display. Click the key for an attack category to hide or show that
category on the graph. APS Console retains your selections until you navigate away from
the View Protection Group page.

Graph: Represents the traffic that the category blocks. You can hover your mouse pointer
over the minigraph to view a larger version of the graph.
Section 11: Viewing APS Traffic
Category: Displays the attack category that is blocking the traffic. Several of the
categories do not correspond to specific protection settings. See “About the
non-configurable categories” below.

(context menu): Appears when you hover your mouse pointer over an attack category name.
You can click the context menu icon, and then select Blocked Hosts to display the Blocked
Hosts Log page for this protection group and attack category. See “About the Blocked Hosts
Log” on page 260.

Bytes blocked, Packets blocked: Shows the amount of blocked traffic for the attack
category in bytes and packets.

bps blocked, pps blocked: Shows the rate of blocked traffic for the attack category in
bits per second and packets per second.

Details button: Allows you to view additional information about the blocked traffic. The
information that APS displays varies for each attack category. Detailed information is not
available for all of the attack categories. You can hide the details by clicking Details
again.
About the non-configurable categories
The Attack Categories section might include the following categories. These attack
categories are not configurable on the Configure Server Type page or Outbound Threat
Filter page.
Non-configurable categories

Blacklisted Hosts: The Blacklisted Hosts category represents the hosts that are blocked
because they are on the blacklist. You can configure the blacklists on the Configure
Inbound Blacklists page and the Configure Outbound Blacklist page.
Note: The Invalid Packets category takes precedence over blacklists. As a result, any
traffic from blacklisted hosts that matches invalid packets is attributed to invalid
packets in the Attack Categories graphs.

HTTP Blocked Locations: The HTTP Blocked Locations category represents the following hosts
and domains:
• The domains that were blocked because they are on the inbound blacklist
• The blocked hosts that appear in the Web Traffic By URL section on the View Protection
Group page
• The blocked domains that appear in the Web Traffic By Domain section on the View
Protection Group page

Invalid Packets: The Invalid Packets category blocks invalid TCP/IP packets. Click Details
for this category to view the reasons that APS blocked the packets.
Note: The Invalid Packets category takes precedence over the whitelist and blacklist. As a
result, APS blocks invalid packets from whitelisted hosts. Also, any traffic from hosts on
the blacklist or whitelist that matches invalid packets is attributed to invalid packets
in the Attack Categories graphs.
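The precedence rule in the two notes above matters when you reconcile the Attack Categories counts with your blacklist: malformed packets from a blacklisted host are counted under Invalid Packets, not Blacklisted Hosts. The following is an added worked example, not APS or APS Console code. The record layout is constructed, and the position of the whitelist and the blacklist relative to the other protection categories is an assumption (the guide only states that Invalid Packets comes first).

```python
"""Attribute blocked traffic to Attack Categories using the documented
precedence: Invalid Packets wins over both the blacklist and the whitelist.
Added example, not APS or APS Console code. The record layout is constructed,
and the ordering of the whitelist and the blacklist relative to the other
protection categories is an assumption, not something the guide states."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class BlockRecord:
    """One observation of a blocked packet (constructed layout)."""
    src: str
    invalid: bool                              # failed TCP/IP validity checks
    on_blacklist: bool = False
    on_whitelist: bool = False
    protection_category: Optional[str] = None  # e.g. "TCP SYN Flood Detection"


def attribute(rec: BlockRecord) -> Optional[str]:
    """Return the Attack Category this block is counted under, or None if passed."""
    # Documented: Invalid Packets takes precedence over the whitelist and the
    # blacklist, so even a whitelisted host's malformed packets land here.
    if rec.invalid:
        return "Invalid Packets"
    # Assumption: valid traffic from a whitelisted host is passed untouched.
    if rec.on_whitelist:
        return None
    # Assumption: the blacklist is evaluated before the per-category protections.
    if rec.on_blacklist:
        return "Blacklisted Hosts"
    return rec.protection_category


def category_totals(records: Iterable[BlockRecord]) -> Counter:
    """Count blocks per Attack Category the way the graph would attribute them."""
    totals: Counter = Counter()
    for rec in records:
        cat = attribute(rec)
        if cat is not None:
            totals[cat] += 1
    return totals


# Constructed sample: a blacklisted host that also sends malformed packets, a
# whitelisted host sending one malformed packet, and an ordinary SYN flooder.
SAMPLE_RECORDS = [
    BlockRecord("203.0.113.10", invalid=True, on_blacklist=True),
    BlockRecord("203.0.113.10", invalid=True, on_blacklist=True),
    BlockRecord("203.0.113.10", invalid=True, on_blacklist=True),
    BlockRecord("203.0.113.10", invalid=False, on_blacklist=True),
    BlockRecord("203.0.113.10", invalid=False, on_blacklist=True),
    BlockRecord("198.51.100.7", invalid=True, on_whitelist=True),
    BlockRecord("198.51.100.7", invalid=False, on_whitelist=True),
    BlockRecord("192.0.2.44", invalid=False, protection_category="TCP SYN Flood Detection"),
    BlockRecord("192.0.2.44", invalid=False, protection_category="TCP SYN Flood Detection"),
]

if __name__ == "__main__":
    for cat, n in category_totals(SAMPLE_RECORDS).most_common():
        print(f"{cat}: {n}")
```

With the sample above, the blacklisted host contributes only two blocks to Blacklisted Hosts; its three malformed packets, together with the whitelisted host's one malformed packet, appear under Invalid Packets, which is exactly the discrepancy the notes warn about.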
Detailed information in the Attack Categories section for protection groups
Detailed information about blocked traffic is available for the protection group attack
categories.
ATLAS Threat Categories: Lists the ATLAS threat categories that blocked traffic, and shows
the amount of blocked traffic for each category. APS displays a traffic minigraph for each
category.

Application Misbehavior: Shows the average number of blocked hosts.

Block Malformed SIP Traffic: Shows statistics about the blocked hosts, including the total
number of hosts that were blocked. See “About the total hosts blocked” on page 205.

Botnet Prevention: Displays blocking information for the following subcategories:
• Basic Botnet Prevention: These details show a graph and summary statistics of the
botnet traffic that would have been blocked under a higher protection level. They also
show the average number of hosts that were blocked and the number of requests that were
examined.
• AIF Botnet Signatures: These details show the botnet traffic that was blocked or that
would be blocked by the AIF signatures that are associated with each protection level.
For example, if the active global protection level is medium, the blocking details for
the medium protection level and low protection level represent traffic that was blocked.
The blocking details for the high protection level represent traffic that would be
blocked if you change to the high protection level.
• Slow Request Attacks: These details show the average number of hosts that were blocked
and the number of requests that were examined.

DNS Authentication: Shows the number of hosts that were tested and the number of hosts
that were validated.

DNS NXDomain Rate Limiting: Shows the average number of hosts and the total number of
hosts that were blocked. See “About the total hosts blocked” on page 205.

DNS Rate Limiting: Shows statistics about the hosts that were blocked, including the total
number of hosts that were blocked. See “About the total hosts blocked” on page 205.

Fragment Detection: Shows the average number of hosts that were blocked.
HTTP Header Regular Expressions: Shows the average number of hosts that were blocked.

HTTP Rate Limiting: Shows statistics about the hosts that were blocked and whether they
were blocked for exceeding the request limit or the URL limit. This section also shows
the total number of hosts that were blocked. See “About the total hosts blocked” on
page 205.

ICMP Flood Detection: Shows the average number of hosts that were blocked.

Invalid Packets: Lists the reasons why traffic was considered to be invalid and shows the
amount of traffic that was blocked for each reason. A traffic minigraph is displayed for
each reason, and a stacked graph summarizes the blocked traffic with one row for each
reason.

Malformed HTTP Filtering: Shows the average number of hosts that were blocked and the
number of requests that were examined.

Rate-based Blocking: Shows the average number of hosts that were blocked.

SIP Request Limiting: Shows the average number of hosts and the total number of hosts
that were blocked. See “About the total hosts blocked” on page 205.

Spoofed SYN Flood Prevention: Shows statistics about the number of hosts that were
allowed to form connections, the total number of connections, and the total number of
HTTP requests on those connections.

TCP Connection Limiting: Lists the top 10 hosts whose concurrent TCP connections exceeded
the rate limit, and shows the amount of traffic that was blocked for each host. Connection
statistics are displayed for each host.
Important: This section includes traffic for all of the categories that affect each host,
not just the TCP Connection Limiting category.

TCP Connection Reset: Shows statistics for the connections and hosts that were blocked,
including the total number of hosts that were blocked. See “About the total hosts
blocked” on page 205.
TCP SYN Flood Detection: Shows the average number of hosts that were blocked.

TLS Attack Prevention: Lists the reasons why the SSL or TLS traffic was considered to be
invalid and shows statistics about the traffic that was blocked for each reason. You can
click Details next to each reason to view the average number of hosts that were blocked
for that reason.
Traffic Shaping: Shows statistics about the traffic that exceeded the configured
thresholds and the traffic that was passed.

UDP Flood Detection: Shows the average number of hosts that were blocked.
Detailed information in the Attack Categories section for the Outbound Threat Filter
Detailed information about blocked traffic is available for outbound threat filter attack
categories.

ATLAS Threat Categories: Lists the ATLAS threat categories that blocked traffic, and shows
the amount of blocked traffic for each category. APS displays a traffic minigraph for each
category.

DNS Rate Limiting: Shows statistics about the hosts that were blocked, including the total
number of hosts that were blocked. See “About the total hosts blocked” below.

Malformed HTTP Filtering: Shows the average number of hosts that were blocked and the
number of requests that were examined.
About the total hosts blocked
The detail information for several of the attack categories shows the total hosts blocked.
This number represents the total number of times that any and all hosts were blocked,
and might contain hosts that were blocked multiple times. For example, if one host is
blocked 15 times, then the total is 15.
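Because the total counts block events rather than distinct sources, it is easy to misread during an incident. The following added example (not APS Console code) shows how the total hosts blocked, the number of unique hosts, and the average number of hosts blocked per interval diverge on a constructed event list; the per-minute averaging window is an assumption about how the details form their average.

```python
"""Reconcile the "total hosts blocked" figure with unique hosts and the
"average number of hosts that were blocked" shown in the same details.
Added example, not APS Console code; the event list is constructed and the
per-minute averaging window is an assumption about how the average is formed."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

BlockEvent = Tuple[int, str]   # (seconds since start of timeframe, blocked host)


def block_stats(events: Iterable[BlockEvent], interval_seconds: int = 60) -> Dict[str, object]:
    """Summarise block events the way the Attack Categories details count them.

    total_hosts_blocked counts every block event, so one host blocked 15 times
    contributes 15 (as the guide states). unique_hosts counts distinct sources.
    avg_hosts_per_interval is the mean number of distinct hosts blocked per
    fixed interval across the whole timeframe, empty intervals included.
    """
    events = list(events)
    if not events:
        return {"total_hosts_blocked": 0, "unique_hosts": 0,
                "avg_hosts_per_interval": 0.0, "per_host": Counter()}
    per_host = Counter(host for _, host in events)
    first = min(ts for ts, _ in events)
    last = max(ts for ts, _ in events)
    n_intervals = (last - first) // interval_seconds + 1
    hosts_in_interval: Dict[int, Set[str]] = {}
    for ts, host in events:
        slot = (ts - first) // interval_seconds
        hosts_in_interval.setdefault(slot, set()).add(host)
    distinct_total = sum(len(s) for s in hosts_in_interval.values())
    return {
        "total_hosts_blocked": sum(per_host.values()),
        "unique_hosts": len(per_host),
        "avg_hosts_per_interval": distinct_total / n_intervals,
        "per_host": per_host,
    }


# Constructed sample: host A is blocked every 10 seconds (15 blocks), host B once.
SAMPLE_EVENTS: List[BlockEvent] = (
    [(t, "203.0.113.10") for t in range(0, 150, 10)] + [(70, "198.51.100.7")]
)

if __name__ == "__main__":
    stats = block_stats(SAMPLE_EVENTS)
    print(f"total hosts blocked: {stats['total_hosts_blocked']}")
    print(f"unique hosts: {stats['unique_hosts']}")
    print(f"average hosts per minute: {stats['avg_hosts_per_interval']:.2f}")
```

On this sample the total is 16 while only two distinct hosts were ever blocked; the average hosts per minute is about 1.33, so a large total with a small average usually means a few sources being blocked repeatedly rather than a wide attack.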
Viewing the Top URLs for a Protection Group
The Web Traffic By URL section of the View Protection Group page identifies the top URLs
for all of the APS devices that are assigned to the protection group. If you filter the page to
view the data for only one APS, the Web Traffic By URL section displays the top URLs for
that APS only. See “Filtering the Traffic Data by APS” on page 199.
Use this information to identify problems or determine the target of an attack. For
example, a URL whose traffic is significantly higher than normal might be under attack.
Also, a URL that has a high percentage of the total HTTP traffic is often an attack target.
Note
This traffic data is not available for IPv6 protection groups.
Navigating to the Web Traffic By URL section
To navigate to the Web Traffic By URL section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
4. (Optional) In the Traffic Views section, click (expand).
5. In the list of traffic views, select Web Traffic By URL.
6. (Optional) Filter the information that appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
• To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Web Traffic By URL section
The Web Traffic By URL section contains the following information:

Web Traffic By URL graph: Displays a stacked graph of the traffic for the top URLs in
requests per minute.

Key: Shows the color that represents the specific URL in the Web Traffic By URL graph and
allows you to filter the graph display. You can click the key for a URL to hide or show
that URL on the graph. Your selections are retained until you navigate away from the View
Protection Group page.

Graph: Represents the number of requests per minute that are sent to the URL. You can
hover your mouse pointer over a minigraph to view a larger version of the graph.
URL: Displays the URL for which the traffic is destined. If “Other” appears in this list,
it represents the aggregated traffic data for the URLs that are not listed here.
Note: If a URL is truncated because it does not fit in the column, you can view the entire
URL by hovering your mouse pointer over it. If you copy a truncated URL, the entire URL is
copied.

Requests: Displays the number of requests that are sent to the URL.

Percent: Displays the percentage of the total HTTP traffic that the traffic for that URL
represents, shown as a figure and as a proportion bar. The bar for the top URL is the full
column width and the remaining bars are in proportion to it.

Request bps: Shows the average rate of the requests that are sent to the URL.

Blacklist button: Allows you to add the URL to the inbound blacklist for this protection
group or for all IPv4 protection groups. When you blacklist a URL, APS blocks all of the
IPv4 traffic from the clients that access the blacklisted URL. See “About Blacklisting and
Whitelisting Traffic” on page 168.

Unblock button: Allows you to remove the URL from the inbound blacklist. This button
appears only when a URL has been blacklisted.
Viewing the Top Domains for a Protection Group
The Web Traffic By Domain section on the View Protection Group page identifies the top
domains for all of the APS devices that are assigned to the protection group. If you filter
the page to view the data for only one APS, the Web Traffic By Domain section displays the
top domains for that APS only. See “Filtering the Traffic Data by APS” on page 199.
Use this information to identify problems or determine the target of an attack. For
example, a domain whose traffic is significantly higher than normal might be under attack.
Also, a domain that has a high percentage of the total HTTP traffic is often an attack target.
The data display for the top domains refreshes approximately every five minutes. The
slower update rate is due to the way each APS collects and averages the domain data.
Note
This traffic data is not available for IPv6 protection groups.
Navigating to the Web Traffic By Domain section
To navigate to the Web Traffic By Domain section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
4. (Optional) In the Traffic Views section, click (expand).
5. In the list of traffic views, select Web Traffic By Domain.
6. (Optional) Filter the information that appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
• To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Web Traffic By Domain section
The Web Traffic By Domain section contains the following information:

Web Traffic By Domain graph: Displays a stacked graph of the traffic for the top domains
in requests per minute.

Key: Shows the color that represents the specific domain in the Web Traffic By Domain
graph and allows you to filter the graph display. You can click a domain’s key to hide or
show that domain on the graph. Your selections are retained until you navigate away from
the View Protection Group page.

Graph: Represents the number of requests per minute that are sent to the domain. You can
hover your mouse pointer over a minigraph to view a larger version of the graph.
Domain Name: Displays the domain for which the traffic is destined. If “Other” appears in
this list, it represents the aggregated traffic data for the domains that are not listed
here.

Requests: Shows the number of requests that are sent to the domain.

Percent: Displays the percentage of the total HTTP traffic that the domain’s traffic
represents, shown as a figure and as a proportion bar. The bar for the top domain is the
full column width and the remaining bars are in proportion to it.

Request bps: Shows the average rate of the requests that are sent to the domain.

Blacklist button: Allows you to add the domain to the inbound blacklist for this
protection group or for all IPv4 protection groups. When you blacklist a domain, APS
blocks all of the IPv4 traffic from the clients that access the blacklisted domain. See
“About Blacklisting and Whitelisting Traffic” on page 168.

Unblock button: Allows you to remove the domain from the inbound blacklist. This button
appears only when a domain has been blacklisted.
Viewing the Top IP Locations for a Protection Group
The IP Location section on the View Protection Group page identifies the top countries for
all of the APS devices that are assigned to the protection group. If you filter the page to
view the data for only one APS, the IP Location section displays the top countries for that
APS only. See “Filtering the Traffic Data by APS” on page 199.
Use this section to identify problems or to determine the source of an attack. For example,
traffic that is significantly higher than normal or a spike in the passed traffic might indicate
an attack.
The data display for the top IP locations refreshes approximately every 60 seconds.
Note
This traffic data is not available for IPv6 protection groups.
Navigating to the IP Location section
To navigate to the IP Location section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
4. (Optional) In the Traffic Views section, click (expand).
5. In the list of traffic views, select IP Location.
6. (Optional) Filter the information that appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
• To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the IP Location section
The IP Location section contains the following information:

IP Location graph: Displays a stacked graph of the total traffic from the top countries.
The graph displays the traffic in bytes per second or packets per second, depending on the
unit of measure that is selected.

Key: Shows the color that represents the country in the IP Location graph and allows you
to filter the graph display. You can click a country’s key to hide or show the data for
that country on the graph. Your selections are retained until you navigate away from the
View Protection Group page.

Country: Displays the name of the country from which the traffic was sent. The ATLAS
Intelligence Feed (AIF) supplies the information that identifies the country. See “About
the ATLAS Intelligence Feed” on page 52.
(context menu): Appears when you hover your mouse pointer over a country name if the data
on the page is for a single APS. You can select the Packet Capture option on this menu to
capture packets for the protection group and the country. When you select Packet Capture,
it opens the Packet Capture page on the selected APS. The protection group and the country
are selected as filter criteria on this page. You can start the packet capture or you can
specify additional filter criteria. See “About Capturing Packets” on page 274.

Graph: Represents the country’s passed traffic (green) and blocked traffic (red). You can
hover your mouse pointer over the minigraph to view a larger version of the graph.

Passed Traffic, Blocked Traffic: Shows the average rate of the passed and blocked traffic
for the country.

Percent Bytes: Displays the percentage of the total blocked traffic that the country’s
traffic represents, shown as a figure and as a proportion bar. The bar for the top country
is the full column width and the remaining bars are in proportion to it.

Blacklist button: Allows you to add the country to the inbound blacklist for this
protection group or for all protection groups. See “About Blacklisting and Whitelisting
Traffic” on page 168.

Unblock button: Allows you to remove the country from the inbound blacklist. This button
appears only when a country has been blacklisted.
Viewing the Top Protocols for a Protection Group
The Protocols section on the View Protection Group page identifies the top protocols for all
of the APS devices that are assigned to the protection group. If you filter the page to view
the data for only one APS, the Protocols section displays the top protocols for that APS
only. See “Filtering the Traffic Data by APS” on page 199.
This information is provided primarily for informational purposes. However, any traffic on
your network that is unexpected could represent an attack. For example, if you expect
only TCP traffic, but traffic is displayed for the UDP protocol, you should investigate this
traffic.
The data display for the top protocols refreshes approximately every 60 seconds.
Navigating to the Protocols section
To navigate to the Protocols section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
4. (Optional) In the Traffic Views section, click (expand).
5. In the list of traffic views, select Protocols.
6. (Optional) Filter the information that appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
• To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Protocols section
The Protocols section contains the following information:

Protocols graph: Displays a stacked graph of the total traffic for the top protocols. The
graph displays the traffic in bytes per second or packets per second, depending on the
unit of measure that is selected.

Key: Shows the color that represents the specific protocol in the Protocols graph and
allows you to filter the graph display. You can click a protocol’s key to hide or show
that protocol on the graph. Your selections are retained until you navigate away from the
View Protection Group page.

Graph: Represents the total traffic for a specific protocol. You can hover your mouse
pointer over a minigraph to view a larger version of the graph.
Protocol: Displays the destination port number of the specific protocol and the name of
the protocol, if it is known. APS Console sorts the list of protocols by bytes, in
descending order. If “Other” appears in this list, it represents the totals for all of the
other protocols that are not listed here.

Bytes, Packets: Shows the amount of traffic for the specific protocol in bytes and
packets.

bps, pps: Shows the rate of traffic for the specific protocol in bits per second and
packets per second.
Viewing the Top Services for a Protection Group
The Services section on the View Protection Group page identifies the top services for all of
the APS devices that are assigned to the protection group. If you filter the page to view the
data for only one APS, the Services section displays the top services for that APS only. See
“Filtering the Traffic Data by APS” on page 199.
The data display for the top services refreshes approximately every 60 seconds.
This information is provided primarily for informational purposes. However, any traffic on
your network that is unexpected could represent an attack. For example, if you expect
only web traffic, but traffic is displayed for SMTP, you should investigate the traffic further.
About service data for ephemeral ports
APS stores service data for individual ephemeral ports for one week, after which it
combines and stores the data in groups of 200 ephemeral ports.
An ephemeral port is a temporary port, numbered 1024 or greater, that the TCP/IP stack
allocates when a client does not specifically request a port number. When the
communication session terminates, the ephemeral port is available for reuse.
When the display timeframe on the View Protection Group page is more than one week,
the service data for ephemeral ports is displayed by port range. For example, when the
UDP service on port 5000 has a high amount of traffic and the display timeframe is one
hour, that traffic appears as UDP/5000. When the display timeframe is two weeks, that
traffic is included in the entry for UDP/5000-5199.
In the Services graph, the data for ephemeral ports is always displayed by port range,
regardless of the display timeframe.
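The two points above, checking the Services (and Protocols) table for traffic you do not expect, and reading ephemeral-port rows that change from a single port to a 200-port range once the timeframe exceeds one week, are illustrated by the following added example. It is not APS Console code: the observations are constructed, and the alignment of the ranges to multiples of 200 (which reproduces the guide's UDP/5000 to UDP/5000-5199 example) and the clamp of the first range at 1024 are assumptions about the grouping.

```python
"""Build Services table rows from per-port observations, applying the
ephemeral-port grouping rule, and flag services outside an expected set.
Added example, not APS Console code. Observations are constructed; the
alignment of the 200-port ranges to multiples of 200 (which reproduces the
guide's UDP/5000-5199 example) and the clamp at 1024 are assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

EPHEMERAL_MIN = 1024       # ephemeral ports are numbered 1024 or greater
EPHEMERAL_GROUP = 200      # after one week, data is kept in groups of 200 ports
ONE_WEEK_DAYS = 7

Observation = Tuple[str, int, int]   # (protocol, destination port, bytes)

# Constructed sample observations for one protection group, not an APS export.
SAMPLE_OBS: List[Observation] = [
    ("TCP", 80, 900_000),
    ("TCP", 443, 600_000),
    ("UDP", 53, 50_000),
    ("TCP", 25, 30_000),      # SMTP on a web-only group: worth a look
    ("UDP", 5000, 120_000),
    ("UDP", 5150, 80_000),
    ("UDP", 5201, 10_000),
]


def service_label(proto: str, port: int, timeframe_days: float, for_graph: bool = False) -> str:
    """Return the label the Services section would show for this port.

    Ephemeral ports are shown individually for timeframes of one week or
    less and by 200-port range once the timeframe exceeds one week; the
    Services graph always uses the range form.
    """
    if port >= EPHEMERAL_MIN and (for_graph or timeframe_days > ONE_WEEK_DAYS):
        base = (port // EPHEMERAL_GROUP) * EPHEMERAL_GROUP   # assumption: ranges aligned to 200
        lo = max(base, EPHEMERAL_MIN)                        # assumption: first range starts at 1024
        hi = base + EPHEMERAL_GROUP - 1
        return f"{proto}/{lo}-{hi}"
    return f"{proto}/{port}"


def services_table(obs: Iterable[Observation], timeframe_days: float) -> List[Tuple[str, int]]:
    """Aggregate bytes per displayed service, sorted by bytes descending."""
    totals: Dict[str, int] = defaultdict(int)
    for proto, port, nbytes in obs:
        totals[service_label(proto, port, timeframe_days)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def unexpected_services(rows: List[Tuple[str, int]], expected: Set[str]) -> List[Tuple[str, int, float]]:
    """Return (label, bytes, percent of total bytes) for rows not in `expected`."""
    total = sum(b for _, b in rows) or 1
    return [(label, b, 100.0 * b / total) for label, b in rows if label not in expected]


if __name__ == "__main__":
    expected = {"TCP/80", "TCP/443", "UDP/53"}
    for days in (1, 14):
        print(f"timeframe {days} day(s):")
        for label, nbytes, pct in unexpected_services(services_table(SAMPLE_OBS, days), expected):
            print(f"  {label:<16} {nbytes:>9} bytes  {pct:5.2f}%")
```

With a one-day timeframe the three UDP ports are listed separately; at two weeks UDP/5000 and UDP/5150 merge into UDP/5000-5199 while UDP/5201 falls into the next range, so a rule that keys on an exact port label will silently stop matching when the timeframe widens.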
Navigating to the Services section
To navigate to the Services section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
4. (Optional) In the Traffic Views section, click (expand).
5. In the list of traffic views, select Services.
6. (Optional) Filter the information that appears on the page as follows:
• To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
• To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Services section
The Services section contains the following information:
Services graph: Displays a stacked graph of the total traffic for the top services. The
graph displays the traffic in bytes per second or packets per second, depending on the
unit of measure that is selected. The keys below the graph show the colors that represent
the specific services in the graph. You can click a service’s key to hide or show that
service on the graph. If you hide a service, then APS Console also dims any rows in the
table that are associated with that service. Your selections are retained until you
navigate away from the View Protection Group page.

Graph: Represents the total traffic for a specific service. If the service is on an
ephemeral port, the data is always displayed by port range. See “About service data for
ephemeral ports” above. You can hover your mouse pointer over a minigraph to view a larger
version of the graph.

Service: Displays the name of the protocol and the port or the range of ports. APS Console
also displays the name of the service in parentheses, if known. If “Other” appears in this
list, it represents the totals for all of the other services that are not listed here.
APS Console sorts the list of services by bytes, in descending order.

(context menu): Appears when you hover your mouse pointer over a service if the data on
the page is for a single APS. You can select the Packet Capture option on this menu to
capture packets for the protection group and the service on the selected APS. When you
select Packet Capture, it opens the Packet Capture page on the selected APS. The
protection group and the country are selected as filter criteria on this page. You can
start the packet capture or you can specify additional filter criteria. See “About
Capturing Packets” on page 274.

bps, pps: Shows the rate of traffic for the specific service in bits per second and
packets per second.
Section 12: Managing Protection Groups
This section describes how to manage protection groups on APS Console. It also describes
how to add new protection groups and how to assign APS devices to the protection
groups.
User access
Users at all authorization levels can view the protection groups. Only administrators can
perform the configuration tasks that are described in this section. See “About User
Accounts” on page 36.
In this section
This section contains the following topics:
• About Protection Groups (page 218)
• About Bandwidth Alerts (page 223)
• Viewing the Status of Protection Groups (page 225)
• Adding, Editing, and Deleting Protection Groups (page 231)
• Assigning APS Devices to Protection Groups (page 237)
• Overriding a Protection Group’s Settings on a Managed APS (page 240)
About Protection Groups
APS monitors your network traffic and mitigates attacks by using the protection settings
that are defined for one or more protection groups.
A protection group represents either IPv4 hosts or IPv6 hosts that you need to protect.
Each protection group is associated with a server type and one or more host servers of
that type. For example, a protection group can represent a single web server or a specific
group of DNS servers.
Maximum number of protection groups
vAPS supports a maximum of 50 protection groups. Because the default protection group
counts toward this maximum, you can add 49 custom protection groups.
Important
If you use the minimum vAPS configuration, vAPS only supports a maximum of 10
protection groups. Because the default protection group counts toward this maximum,
you can add 9 custom protection groups.
See the “Minimum System Resources” information in the Virtual APS Installation Guide.
About the default protection group
The default protection group provides protection for all of the IPv4 hosts in your
enterprise as soon as you put APS into an active protection mode. The default protection
group is preconfigured to protect all IPv4 hosts and is associated with the generic server
type, which contains nearly all of the protection settings categories.
You can edit the default protection group, but only to configure its protection mode,
protection level, and bandwidth alert thresholds. You cannot delete the default protection
group.
Note
The default protection group only protects IPv4 hosts. It does not protect IPv6 hosts.
You can configure a custom IPv6 protection group to serve as the default IPv6 protection
group. For an example that illustrates how to create a default protection group for all of
the unprotected IPv6 hosts, see the “IPv6 prefix matching example” on page 221.
About custom protection groups
A custom protection group protects a specific host or group of hosts and allows you to
configure the most appropriate protection settings for those hosts. You can add
protection groups to protect either IPv4 hosts or IPv6 hosts.
Throughout APS and APS Console, you can monitor traffic and mitigate attacks by
protection group, so that you can focus your attention on your most critical hosts.
We recommend that you create a protection group for each of the services that you want
to protect. See “Adding, Editing, and Deleting Protection Groups” on page 231.
Section 12: Managing Protection Groups
Protection group concepts
A protection group is associated with the following items:

Protection protocol
    You can create protection groups to protect IPv4 hosts or IPv6 hosts.

Protected hosts
    Protection groups monitor and mitigate the traffic that is destined for one or more
    host servers. You define the protected hosts by their prefixes or a set of prefixes.
    A protection group can protect either IPv4 hosts or IPv6 hosts. You cannot add IPv4
    hosts and IPv6 hosts to a single protection group.
    See “Prefix matching in protection groups” on page 221.

Server type
    The server type represents a class of servers that APS protects. The server type
    determines which protection settings are available for a protection group and the
    application-specific data that APS collects and displays for the group.
    When you create an IPv4 protection group, you can select a standard IPv4 server type
    or a custom IPv4 server type, if any. When you create an IPv6 protection group, you
    can select the Generic IPv6 Server standard server type or a custom IPv6 server type,
    if any.
    See “About the Server Types” on page 92.

Protection settings
    The protection settings are the criteria by which APS defines clean traffic and
    attack traffic. For example, if a setting specifies a threshold based on the number
    of requests per second, then traffic that exceeds the threshold is considered to be
    an attack.

Protection categories
    The protection settings are organized into categories, each of which detects a
    different type of attack traffic. A protection group contains the categories of
    settings that are most appropriate for its server type. For example, a Web Server
    protection group contains the HTTP categories of settings, which detect HTTP-based
    attacks.

Protection levels
    For each of the protection settings, you can specify different values for the low,
    medium, and high protection levels. The current protection level determines which
    protection settings are in use at any given time.
    By default, all of the protection groups use a global protection level. You can
    continue to use the global protection level or you can configure individual
    protection levels for specific protection groups. These individual protection levels
    take precedence over the global protection level.
    You also can use the total traffic threshold or the global total traffic threshold
    to automate the protection level for a protection group. See “About protection level
    automation” on page 235.

Protection mode
    The protection mode determines whether APS mitigates traffic. In active mode, APS
    mitigates attacks in addition to monitoring traffic. In inactive mode, APS detects
    attacks but does not mitigate them.
    You can set the protection mode for an individual protection group without affecting
    any other traffic. For example, you can set a protection group to inactive mode for
    testing while keeping the rest of the system in active mode. See “Setting the
    Protection Mode (Active or Inactive)” on page 84.
About managing the protection groups from APS Console
When you use APS Console to manage APS devices, you can add the protection groups in
APS Console and then assign APS devices to those protection groups. See “Adding,
Editing, and Deleting Protection Groups” on page 231.
APS Console can determine how many protection groups an APS is assigned to. So if an
APS is assigned to the maximum number of protection groups, APS Console does not
allow you to assign that APS to another protection group.
Before APS Console allows you to assign the APS to another protection group, you must
unassign the APS from at least one protection group.
See “Maximum number of protection groups” on page 218.
When you first connect APS to APS Console, the protection groups on APS Console are
merged with any existing protection groups on the assigned APS devices. Thereafter, any
changes to the protection groups on APS Console are periodically copied to each APS that
is assigned to the protection group. See “About the APS Console - APS Data
Synchronization” on page 78.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Prefix matching in protection groups
When different length prefixes of the same network are protected by one protection
group or separate protection groups, APS matches traffic to the most specific (longest)
prefix.
IPv4 prefix matching examples
In the first IPv4 prefix matching example, the protection groups protect the following IPv4
hosts:
- Protection Group 1 — 198.51.100.0/24
- Protection Group 2 — 198.51.100.5/32
When traffic is destined to the IP address 198.51.100.5, APS matches it to Protection Group
2, which is the most specific match.
In the second IPv4 prefix matching example, the protection groups protect the following
IPv4 hosts:

IPv4 prefix matching

Protection Group 3
    Protected Hosts setting: 192.0.2.2/32
    Matched traffic: All the traffic that is destined to 192.0.2.2

Protection Group 4
    Protected Hosts setting: 192.0.2.0/24
    Matched traffic: All the traffic that is destined to 192.0.2.0/24, except for the
    traffic that is destined to 192.0.2.2

IPv4 default protection group
    Protected Hosts setting: 0.0.0.0/0
    Matched traffic: All IPv4 traffic, except for the traffic that is destined to
    192.0.2.0/24
IPv6 prefix matching example
In the following IPv6 prefix matching example, the protection groups protect the following
IPv6 hosts:

IPv6 prefix matching

Protection Group 5
    Protected Hosts setting: fe80:22:ab00::3bf:159a:1/128
    Matched traffic: All the traffic that is destined to fe80:22:ab00::3bf:159a:1

Protection Group 6
    Protected Hosts setting: fe80:22:ab00::/40
    Matched traffic: All the traffic that is destined to fe80:22:ab00::/40 except for
    the traffic that is destined to fe80:22:ab00::3bf:159a:1

Protection Group 7 (serves as a default protection group for IPv6 hosts)
    Protected Hosts setting: ::/0
    Matched traffic: All IPv6 traffic, except for the traffic that is destined to
    fe80:22:ab00::/40
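The following added example, which is not code from APS Console or from this guide, reproduces the longest-prefix rule over the group definitions from the IPv4 and IPv6 tables above, so that you can check which protection group a given destination address would fall into before you commit a change. It also checks the two Protected Hosts constraints that are described under “Protection group settings” later in this section: a group holds either IPv4 or IPv6 prefixes, never both, and an APS cannot be assigned to two protection groups that contain the same prefix (two identical prefixes would tie on length, so matching would be ambiguous). The function names and the use of Python's ipaddress module are ours.

```python
"""Longest-prefix matching of destination addresses to protection groups.

Added worked example; not code from APS or APS Console. The group
definitions are the ones from the IPv4 and IPv6 prefix matching tables in
this section of the guide. Function names are ours.
"""
import ipaddress
from typing import Dict, List, Optional

# Protected Hosts settings copied from the prefix matching tables.
PROTECTION_GROUPS: Dict[str, List[str]] = {
    "Protection Group 1": ["198.51.100.0/24"],
    "Protection Group 2": ["198.51.100.5/32"],
    "Protection Group 3": ["192.0.2.2/32"],
    "Protection Group 4": ["192.0.2.0/24"],
    "IPv4 default protection group": ["0.0.0.0/0"],
    "Protection Group 5": ["fe80:22:ab00::3bf:159a:1/128"],
    "Protection Group 6": ["fe80:22:ab00::/40"],
    "Protection Group 7": ["::/0"],          # acts as the IPv6 default group
}


def validate_group(prefixes: List[str]) -> int:
    """Return the address family (4 or 6) of a group's prefixes.

    Raises ValueError if the group mixes IPv4 and IPv6 prefixes or is
    empty, which APS does not allow for a single protection group.
    """
    versions = {ipaddress.ip_network(p, strict=False).version for p in prefixes}
    if len(versions) != 1:
        raise ValueError("a protection group must be IPv4-only or IPv6-only")
    return versions.pop()


def match_protection_group(dest: str,
                           groups: Dict[str, List[str]] = PROTECTION_GROUPS
                           ) -> Optional[str]:
    """Return the group whose most specific (longest) prefix contains
    `dest`, or None when no configured prefix contains it."""
    addr = ipaddress.ip_address(dest)
    best_name, best_len = None, -1
    for name, prefixes in groups.items():
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            # A prefix of the other address family can never contain `dest`.
            if net.version != addr.version or addr not in net:
                continue
            if net.prefixlen > best_len:        # longer prefix wins
                best_name, best_len = name, net.prefixlen
    return best_name


def assignment_conflicts(assigned: List[str],
                         groups: Dict[str, List[str]] = PROTECTION_GROUPS
                         ) -> List[str]:
    """Prefixes that appear in more than one of the groups assigned to the
    same APS. APS Console rejects such an assignment: identical prefixes
    would leave longest-prefix matching with a tie."""
    seen = {}          # normalized network -> first group that holds it
    conflicts = []
    for name in assigned:
        for p in groups[name]:
            net = ipaddress.ip_network(p, strict=False)
            if net in seen and seen[net] != name:
                conflicts.append(str(net))
            seen.setdefault(net, name)
    return conflicts
```

Calling match_protection_group("198.51.100.5") returns "Protection Group 2" even though Protection Group 1 and the default group also contain the address, and an IPv6 destination never matches an IPv4-only group, which is why a /0 IPv6 group such as Protection Group 7 is needed to cover unprotected IPv6 hosts.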
About Bandwidth Alerts
APS uses bandwidth alerts to inform you about attacks and other traffic anomalies that
require your attention. To implement bandwidth alerts, you define traffic thresholds based
on traffic baselines and specific traffic rate limits for specific types of traffic. When the traffic
for a protection group exceeds a threshold, APS creates a bandwidth alert. The alert
includes the protection group name and the level of traffic that triggered the alert.
You can configure bandwidth alert thresholds globally or for individual protection groups.
The global thresholds are enabled by default. APS uses the global thresholds for any
protection group that does not have its own thresholds configured. The threshold settings
for a specific protection group override the global threshold settings.
You can view bandwidth alerts in several areas of the APS Console UI. See “Viewing a
Summary of Alerts” on page 304.
About the types of bandwidth alerts
You can configure baseline thresholds and specify rate limits to generate bandwidth alerts
for the following types of traffic:
Types of bandwidth alerts

Total traffic alert
    Occurs when a protection group’s total traffic exceeds the threshold.
    Total traffic alerts inform you of spikes in the traffic to protected services so
    that you can investigate the cause and take action if necessary.

Blocked traffic alert
    Occurs when a protection group’s blocked traffic exceeds the threshold. A spike in
    blocked traffic typically indicates that an attack is underway and is blocked.
    Blocked traffic alerts inform you of the system’s response to an attack so that you
    can respond with further actions. For example, if you determine that the traffic is
    legitimate, you can whitelist the source.

Botnet alert
    Occurs when a protection group’s unblocked botnet traffic exceeds the threshold.
    Botnet alerts indicate that a botnet attack might be underway and suggest the
    protection level that would block the botnet traffic.

License limit alert
    Occurs when your system’s traffic exceeds 90 percent of its licensed throughput
    limit. Your licensed throughput limit is the threshold for the license limit alerts;
    this threshold is not user-configurable.
About traffic baselines
APS generates bandwidth alerts when a protection group’s total traffic, blocked traffic, or
botnet traffic exceeds a specified baseline threshold for the corresponding traffic type.
Before APS can evaluate traffic against the baseline thresholds, it must calculate the
baselines based on a protection group’s traffic for the past week. Therefore, the alerts may
not begin to appear until a week after you create a protection group.
After the APS calculates the initial baselines, it recalculates them every hour.
Configuring global bandwidth alerts
You configure the global bandwidth alert thresholds on the System Alerts page in APS. The
global thresholds are enabled by default, but you can change the default settings or turn
off some or all of the global bandwidth alerts.
A global bandwidth alert threshold consists of a baseline threshold, and, optionally, a
minimum threshold. The baseline threshold is a percentage of the traffic above the
baseline for the corresponding traffic type. The minimum threshold is a traffic rate that
you specify in bps or pps.
If you specify a minimum threshold, then a protection group’s traffic must exceed both the
baseline threshold and the minimum threshold before APS generates an alert. For
example, a specific protection group’s baseline might be a low level of traffic. If that
group’s traffic suddenly increases by the global percentage, no alerts are created if the
traffic level is still below the minimum threshold.
For more information, see “Configuring Global Thresholds for Bandwidth Alerts” in the
APS User Guide.
Configuring bandwidth alerts for individual protection groups
You configure protection group alert thresholds when you create a protection group in
APS Console. You can use the global thresholds that are configured on APS or specify
traffic thresholds for the protection group in bps or pps. You also can disable one or more
bandwidth alert types for a protection group.
See “Adding, Editing, and Deleting Protection Groups” on page 231.
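The following added example (not code from APS or APS Console) works through the alert rules above: a global threshold fires only when traffic exceeds the baseline by the configured percentage and, when a minimum is set, the minimum rate too; a protection group can keep the global thresholds, set its own fixed bps or pps thresholds, or disable an alert type; and the license limit alert is fixed at 90 percent of licensed throughput. The class and function names and the sample rates are constructed for illustration. One point the guide does not state and the example assumes: when a group configures both a bps and a pps threshold, exceeding either one fires the alert.

```python
"""Bandwidth alert evaluation for one protection group.

Added worked example of the alerting rules described in the guide, not
code from APS or APS Console. Class and function names and the sample
figures are constructed. Assumption (not in the guide): when a group sets
both a bps and a pps threshold, exceeding either one fires the alert.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALERT_TYPES = ("total", "blocked", "botnet")


@dataclass(frozen=True)
class GlobalThreshold:
    """Global threshold for one alert type (APS System Alerts page)."""
    enabled: bool = True
    pct_above_baseline: float = 0.0   # baseline threshold, in percent
    minimum: Optional[int] = None     # optional minimum rate, in `unit`
    unit: str = "bps"                 # "bps" or "pps"


@dataclass(frozen=True)
class GroupThreshold:
    """Per-group setting for one alert type.

    mode "global": use the global threshold; "rate": alert when traffic
    exceeds the fixed bps/pps values below; "off": alert type disabled.
    """
    mode: str = "global"
    bps: Optional[int] = None
    pps: Optional[int] = None


def exceeds_global(current: int, baseline: Optional[int],
                   thr: GlobalThreshold) -> bool:
    """Baseline rule: traffic must exceed the baseline by the configured
    percentage AND, when a minimum is set, exceed the minimum rate too."""
    if not thr.enabled or baseline is None:
        # Disabled, or the weekly baseline has not been calculated yet.
        return False
    above_baseline = current > baseline * (1 + thr.pct_above_baseline / 100.0)
    above_minimum = thr.minimum is None or current > thr.minimum
    return above_baseline and above_minimum


def exceeds_group_rate(rates: Dict[str, int], thr: GroupThreshold) -> bool:
    """Fixed-rate rule. Assumption: with both bps and pps configured,
    exceeding either one is enough."""
    hit = []
    if thr.bps is not None:
        hit.append(rates["bps"] > thr.bps)
    if thr.pps is not None:
        hit.append(rates["pps"] > thr.pps)
    return any(hit)


def active_alerts(rates: Dict[str, Dict[str, int]],
                  baselines: Dict[str, Dict[str, int]],
                  global_thr: Dict[str, GlobalThreshold],
                  group_thr: Dict[str, GroupThreshold]) -> List[str]:
    """Return the alert types that fire for one protection group.

    rates and baselines map alert type -> {"bps": int, "pps": int}; an
    alert type missing from baselines has no baseline yet.
    """
    fired = []
    for alert_type in ALERT_TYPES:
        g = group_thr.get(alert_type, GroupThreshold())   # default: global
        if g.mode == "off":
            continue
        if g.mode == "rate":
            if exceeds_group_rate(rates[alert_type], g):
                fired.append(alert_type)
            continue
        glob = global_thr[alert_type]
        base = baselines.get(alert_type)
        cur = rates[alert_type][glob.unit]
        if exceeds_global(cur, None if base is None else base[glob.unit], glob):
            fired.append(alert_type)
    return fired


def license_limit_alert(system_bps: int, licensed_bps: int) -> bool:
    """License limit alert: fixed at 90 percent of licensed throughput."""
    return system_bps > 0.9 * licensed_bps


# Constructed sample: +50 % over baseline with a 100 Mbps floor for total
# traffic; +100 % for blocked (bps) and botnet (pps) traffic.
GLOBAL = {
    "total":   GlobalThreshold(True, 50.0, 100_000_000, "bps"),
    "blocked": GlobalThreshold(True, 100.0, None, "bps"),
    "botnet":  GlobalThreshold(True, 100.0, None, "pps"),
}
# A quiet service whose total traffic doubled (10 to 20 Mbps) but stays far
# below the 100 Mbps minimum, so the global rule raises no total alert.
QUIET_RATES = {"total": {"bps": 20_000_000, "pps": 4_000},
               "blocked": {"bps": 500_000, "pps": 100},
               "botnet": {"bps": 0, "pps": 0}}
QUIET_BASELINES = {"total": {"bps": 10_000_000, "pps": 2_000},
                   "blocked": {"bps": 400_000, "pps": 80},
                   "botnet": {"bps": 0, "pps": 0}}
```

With the constructed QUIET_* data, active_alerts(QUIET_RATES, QUIET_BASELINES, GLOBAL, {}) returns an empty list because the minimum threshold suppresses the alert; giving that group its own 15 Mbps total traffic threshold (GroupThreshold("rate", bps=15_000_000)) makes the same traffic raise a total traffic alert, which is the override behaviour described above.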
Bandwidth alert expiration
Initially, a bandwidth alert remains active for one hour after it is created. The longer that a
bandwidth alert condition continues, the more the alert’s expiration time is extended. The
expiration time is never more than 24 hours after the alert condition disappears.
In addition, an alert expires instantly in the following situations:
- when you disable that type of alert in the configuration
- when you change the type of threshold (global threshold or specified traffic threshold)
  for a protection group
- when you configure a protection group’s alert threshold to a level that is higher than
  the level that triggered the alert
- (botnet alerts only) when the protection level is changed to be greater than or equal
  to the level that triggered the alert
Configuring notifications for bandwidth alerts
In APS, you can configure notifications that send messages when a bandwidth alert
occurs. See “Configuring Notifications” in the APS User Guide.
Viewing the Status of Protection Groups
The List Protection Groups page displays the protection groups that are configured for the
APS devices that APS Console manages. This page allows you to view which protection
groups and which of the managed APS devices have active threshold alerts.
You can also add, edit, and delete protection groups on this page. See “Adding, Editing,
and Deleting Protection Groups” on page 231.
Viewing information for each protection group and its assigned APS devices
You can view the following information about each protection group in the list:
- the APS devices that are assigned to that protection group
- the server type and a list of the protected hosts
- the protection level and whether the protection level automation is enabled
- the protection mode
- the traffic that was passed and blocked during the past hour
- the configuration status for the bandwidth threshold alerts
- a description of the protection group, and information about when the protection
  group was last modified
If you expand a protection group, you can view the following information about each APS
device that is assigned to the protection group:
- the protection level and whether the protection level automation is enabled
- the protection mode
- the traffic that was passed and blocked for the protection group on the APS during the
  past hour
- the configuration status for the bandwidth threshold alerts
Viewing the Protection Groups list
To view the list of protection groups:
1. Select Protect > Inbound Protection > Protection Groups.
By default, all of the protection groups appear on the List Protection Groups page. The
number to the right of the Protection Group Configuration subheading at the top of
the page indicates the total number of protection groups in the list.
If the list contains more than 10 protection groups, use the paging controls at the
upper right of the page to view the additional protection groups. See “Using
Navigation Controls” on page 24.
2. (Optional) To filter the list, search for specific protection groups. See “Searching for
protection groups” on the next page.
3. View additional information about the protection groups in the following ways:
   - To view traffic activity for a single protection group, click the protection group
     name link. See “Viewing the Traffic Activity for a Protection Group” on page 194.
   - To view all of the APS devices that are assigned to all of the protection groups, if
     any, click Expand All. To hide all of the APS assignments, click Collapse All.
   - To view the APS devices that are assigned to a single protection group, click the
     expand icon next to a protection group name. To hide the APS assignments for a
     protection group, click the collapse icon.
Searching for protection groups
By default, all of the protection groups appear on the List Protection Groups page, which
can span multiple pages. The number to the right of the Protection Group Configuration
section heading indicates the total number of protection groups in the list.
You can filter the list to view only specific protection groups.
To search for specific protection groups:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, in the Search box, type a search string in any of
   the following ways:
   - As the partial name or full name of a protection group, APS, or server type.
   - As any portion of a protection group’s description.
   - As a partial prefix or full prefix. The search returns only the protection groups
     whose Protected Hosts setting contains an exact text match for the partial prefix
     or full prefix. It does not return protection groups whose prefixes merely contain
     the address or prefix that you typed; for example, searching for a single host
     address does not find the group that protects that host through a wider subnet.
3. Click Search.
4. To clear the results of a search and view the entire list of protection groups, click the x
in the Search box.
Information on the List Protection Groups page
By default, the protection groups are sorted by the Protection Group Name column in
ascending order. You also can sort the list by the following columns:
- Server Type
- Protection Mode
- Protection Level
- Alerts
- Last Modified
For more information about sorting, see “Sorting information in tables” on page 24.
The List Protection Groups page contains the following information:

Information on the List Protection Groups page

Search box
    Allows you to filter the list of protection groups that appear on the List
    Protection Groups page.

Add IPv4 Protection Group, Add IPv6 Protection Group buttons
    Allow you to add an IPv4 protection group or an IPv6 protection group.
    See “Adding, Editing, and Deleting Protection Groups” on page 231.
Expand All, Collapse All buttons
    Allow you to view or hide the APS devices that are assigned to the protection groups,
    if any.

Protection Group Name column
    Displays the protection group name in the form of a link. You can click the link to
    view the traffic activity for the protection group. See “Viewing the Traffic Activity
    for a Protection Group” on page 194.
    This section also displays a list of the protected hosts. If the list contains more
    than a few hosts, you can click [more] to view the entire list. Click [less] to
    collapse the list.

(protection group context menu) icon
    Appears when you hover your mouse pointer over a protection group name.
    You can use the options on the protection group context menu to perform the
    following actions:
    - Edit or delete the protection group. See “Adding, Editing, and Deleting Protection
      Groups” on page 231.
    - Manage the APS devices that are assigned to the protection group. See “Assigning
      APS Devices to Protection Groups” on page 237.
    - Delete the protection group.
    - View the blocked hosts that are related to the protection group on the Blocked
      Hosts Log page. See “Viewing the Blocked Hosts Log” on page 262.

(APS context menu) icon
    Appears when you hover your mouse pointer over the name of an APS.
    You can use the options on the APS context menu to perform the following actions:
    - Change the protection group settings for protection level, protection mode, and
      threshold alerts for the APS. See “Overriding a Protection Group’s Settings on a
      Managed APS” on page 240.
    - View the blocked hosts that are related to the protection group on the APS. See
      “Viewing the Blocked Hosts Log” on page 262.
    - Remove the APS from the protection group. See “Assigning APS Devices to Protection
      Groups” on page 237.
    - Capture information about packets destined for a protection group’s prefixes on
      the APS. See “About Capturing Packets” on page 274.
bps and pps columns
    Display minigraphs that represent the traffic flow during the last hour for the
    protection group or the APS, in bits per second and packets per second. Passed and
    Blocked show the average rate of traffic that was passed and blocked by the
    protection group or the APS during that time.
    The y-axis scale for protection group minigraphs can vary. However, for analysis
    purposes, the APS minigraphs for a protection group use the same y-axis scale as the
    protection group.
    Every 60 seconds APS Console refreshes the data display for the minigraphs and the
    Passed and Blocked statistics.

(cannot retrieve data) icon
    Indicates that APS Console cannot retrieve the data for a protection group minigraph
    from at least one APS.
    To identify the problem, expand the protection group and locate each APS that shows
    this icon and a No Data message instead of a minigraph.
    You can hover your mouse over the icon to view a warning message.

Server Type column
    Lists the type of server that the protection group protects, in the form of a link.
    You can click the link to view or edit the protection settings.
    See “Changing the Protection Settings for Server Types” on page 100.

(protection group setting override) icon
    Indicates an override of the original protection group setting for an APS. See
    “Overriding a Protection Group’s Settings on a Managed APS” on page 240.
    The icon next to a setting in a protection group row indicates an override for at
    least one APS. The icon next to a setting in an APS row indicates an override for
    that APS.

Protection Mode column
    Indicates whether the protection mode for the protection group or the APS is Active
    or Inactive.
    See “Setting the Protection Mode (Active or Inactive)” on page 84.
Protection Level column
    Displays the protection level that is set for the protection group or the APS. The
    protection level determines which protection settings the protection group uses.
    The protection level icons are defined as follows:
    - Global, which indicates that the protection group inherits the protection level
      of each APS to which it is assigned.
    - Low
    - Medium
    - High
    - low automated
    - high automated
    To view the protection level for the APS devices that are assigned to a protection
    group, click the expand icon next to the protection group name.
    See “About the Protection Levels” on page 86. For information about protection level
    automation, see “About protection level automation” on page 235.

(alerts configured) icon
    Indicates that one or more of the bandwidth threshold alerts are configured for the
    protection group or for an assigned APS.
    You can click this icon to view the threshold alert settings in the Alerts window.
    See “About Bandwidth Alerts” on page 223.

(alerts not configured) icon
    Indicates that bandwidth threshold alerts are not configured for the protection
    group or that the alerts are disabled for an APS assignment.

(active alerts) icon
    Displays the total number of active bandwidth threshold alerts for the protection
    group in the red circle (5 in this example). You can click this icon to open the
    Alerts window to view additional information about the active threshold alerts.
    See “About the active threshold alerts” below.

Last Modified column
    Indicates the last time that the protection group or the APS was changed by a user
    or by the system.

(information) icon
    Appears in the Last Modified column if there is an audit trail entry for the last
    change to the protection group or the APS. You can click this icon to view the audit
    trail entry.
    To close the information window, click the x.
About the active threshold alerts
You can click the (active alerts) icon to open the Alerts window.
When you click the icon for a protection group, APS Console displays the following
information in the Alerts window:
- the total number of active alerts by type for the protection group
- the threshold alert settings for the protection group
When you click the icon for an APS, APS Console displays the following information in the
Alerts window:
- the number of active alerts by type for the protection group on that APS
- the protection group’s threshold alert settings and any settings that have been
  overridden on that APS
To close the Alerts window, click the x.
You also can click the View Alerts link in the Alerts window, which opens the Alerts page.
If you click the (active alerts) icon for a protection group, APS Console filters the Alerts
page to display the active alerts for that protection group. If you click the (active
alerts) icon for an APS, APS Console filters the Alerts page to display the active alerts
for the protection group on that APS.
See “Viewing a Summary of Alerts” on page 304.
Adding, Editing, and Deleting Protection Groups
In APS Console, you can create protection groups to protect hosts on one or more APS
devices, with the most appropriate protection settings for those hosts. We recommend
that you create a custom protection group for each of the services that you want to
protect.
See “About Protection Groups” on page 218.
After you add a protection group in APS Console, you can assign one or more APS devices
to it. See “Assigning APS Devices to Protection Groups” on page 237.
Adding a protection group
To add a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click Add IPv4 Protection Group or Add IPv6
Protection Group.
Tip
If you add both IPv4 protection groups and IPv6 protection groups, we recommend
that you prepend “IPv4” or “IPv6” to the protection group name. This prefix helps you
to quickly identify the protection group’s protocol when you see the name.
3. In the Add Protection Group window, configure the protection group settings.
See “Protection group settings” on page 233.
4. Click Save.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
6. On the List Protection Groups page, you can assign one or more APS devices to the
   protection group in the following ways:
   - In the status message at the top of the List Protection Groups page, click Assign it
     to an APS.
   - In the protection groups list, click the context menu icon to the right of the
     protection group name, and then select Manage APS Assignments.
   You can assign an APS to a maximum of 50 protection groups. See “Assigning APS
   Devices to Protection Groups” on page 237.
About editing a protection group
You can make the following changes to protection groups in APS Console:
- When you first create and test a new protection group, you can set its protection mode
  to inactive so that it does not affect traffic. After you assign APS devices to the
  protection group and test the protection group on those APS devices, you can change
  the protection mode to active.
- You can change a protection group’s protection level to mitigate attacks against the
  protected hosts on the APS devices that are assigned to the protection group.
- You can change the bandwidth thresholds that determine the amount of traffic that
  automates the protection level or triggers an alert for a protection group.
- You can add or remove protected hosts. The default protection group protects any IPv4
  hosts that are not assigned to a custom protection group.
- You can rename a protection group, and change its description.
Note
You can override a protection group’s settings for protection mode, protection level,
threshold alerts, and protection level automation on an individual APS. See “Overriding a
Protection Group’s Settings on a Managed APS” on page 240.
Editing a protection group
To edit a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Hover your mouse pointer over the protection group name, and then click the context
   menu icon.
4. In the context menu, select Edit.
5. In the Edit Protection Group window, change the protection group settings.
See “Protection group settings” on the facing page.
6. Click Save.
7. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
About deleting a protection group
You can delete protection groups on the List Protection Groups page in APS Console.
However, you cannot delete the default protection group.
When you delete a protection group, APS Console makes the following changes on all of
the APS devices that are assigned to the protection group:
- removes the protection group, and the default protection group protects any of the
  IPv4 prefixes that are not assigned to another protection group
  Note
  The default protection group does not protect IPv6 prefixes.
- removes the items that were blacklisted or whitelisted for that protection group
- removes the protection group from any scheduled reports in which the protection
  group is included
  Note
  APS never removes data from existing reports.
Deleting a protection group
To delete a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Hover your mouse pointer over the protection group name, and then click the context
   menu icon.
4. In the context menu, select Delete.
5. In the confirmation message window, click Delete.
6. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Protection group settings
The following table describes the protection group settings in the Add Protection Group
window and Edit Protection Group window.
Protection group settings

Name box
    Type a name to identify the protection group throughout the UI.

Protected Hosts box
    You can specify IPv4 hosts and IPv6 hosts in any of the following forms:
    - A host IP address, such as 192.0.2.1 or 2001:DB8::2.
    - A valid hostname, such as myserver.mycompany.net. The hostname resolves to its
      corresponding IP address and prefix.
    - An IP address and routing prefix in CIDR form, such as 192.0.2.0/24 or
      2001:DB8::/32.
    To protect a large number of hosts — for example, thousands of hosts — we recommend
    that you use a CIDR prefix instead of specifying individual prefixes.
    Note
    You can add the same prefix to multiple protection groups. However, you cannot
    assign an APS device to multiple protection groups that contain the same prefix.

Server Type list
    Select the type of server that the protection group protects. The server type
    determines the protection settings that are available for the protection group.
    When you create an IPv4 protection group, you can select a standard IPv4 server type.
    When you create an IPv6 protection group, the Generic IPv6 Server server type is
    selected by default. This server type is the only standard server type that is
    available for IPv6 protection groups.

Protection Mode options
    Select Active or Inactive to configure the protection mode.
    APS mitigates traffic for a protection group only when the protection mode is active
    for both the protection group and the APS.
    To change the protection mode for all of the APS devices that are assigned to the
    protection group, see “About editing a protection group” on page 231. To change the
    protection mode for a specific APS, see “Overriding a Protection Group’s Settings on
    a Managed APS” on page 240.
    See “Setting the Protection Mode (Active or Inactive)” on page 84.
Protection Level options
Select an icon to set the protection level for the protection group (global, low, medium, or high). A check mark in the icon indicates which level is selected.
The protection level icons correspond to the following levels:
- Global
- Low
- Medium
- High
If you select the global icon, the protection group uses the APS protection level. For information about the global protection level, see “About the Protection Levels” on page 86. Also, see “Changing the Protection Level” on page 253.
Note
To change the protection level for a protection group on a specific APS, see “Overriding a Protection Group’s Settings on a Managed APS” on page 240.
Description box
Type a description that can help to identify the protection group.
Detection and Automation Policy section
Use the settings in this section to configure alerting that is based on a user-specified traffic threshold or a global traffic threshold. You also can automate the protection level for a protection group, based on the total traffic threshold. See “About protection level automation” on page 235.
Total Traffic options
Select an option to configure the level of total traffic that causes the APS to automate the protection level or trigger total traffic alerts for the protection group:
- Automatically change the protection level using the global total traffic threshold setting on APS: APS uses the global total traffic threshold setting to determine when to automate the protection level and trigger this type of alert.
- Automatically change the protection level when traffic exceeds: Specify a total traffic threshold in bps, pps, or both bps and pps.
- Alert using global total traffic threshold setting on APS: APS uses the global total traffic threshold setting to determine when to trigger this type of alert.
- Alert when traffic exceeds: Specify a traffic threshold in bps, pps, or both bps and pps.
- Do not alert based on the total traffic threshold: Disables the protection level automation and total traffic alerts for the protection group.
Blocked Traffic options
Select an option to configure the level of blocked traffic that causes the APS to trigger blocked traffic alerts for the protection group:
- Alert using global blocked traffic threshold setting on APS: APS uses the global blocked traffic threshold setting to determine when to trigger this type of alert.
- Alert when traffic exceeds: Specify a traffic threshold in bps, pps, or both bps and pps.
- Do not alert based on the blocked traffic threshold: Disables the blocked traffic alerts for the protection group.
Botnet Traffic options
(IPv4 protection groups only) Select an option to configure the level of botnet traffic that causes APS to trigger botnet traffic alerts for the protection group:
- Alert using global botnet traffic threshold setting on APS: APS uses the global botnet traffic threshold setting to determine when to trigger this type of alert.
- Alert when traffic exceeds: Specify a traffic threshold in bps, pps, or both bps and pps.
- Do not alert based on botnet traffic threshold: Disables the botnet traffic alerts for the protection group.
About protection level automation
To automate the protection level for a protection group, you select a Detection and
Automation Policy for total traffic to change the protection level automatically. After you
select a policy that changes the protection level, APS sets the protection group’s protection
level to low. If traffic to the protection group exceeds the total traffic threshold, then, within
one minute, APS changes the protection level to high and triggers an alert.
The protection level remains high for at least five minutes. At any time after that, if the
traffic level falls below the threshold, the protection level returns to low.
After APS Console synchronizes with the managed APS devices, the protection group's
protection level is set to low on each APS that is assigned to the protection group.
However, after the synchronization, APS Console no longer controls the protection group’s
protection level on the APS devices.
Instead, on the List Protection Groups page, the Protection Level column for each APS
displays the current state of the protection level on that APS.
See “Viewing the Status of Protection Groups” on page 225.
If you change a protection group’s protection level when automation is enabled, then APS
Console disables automation and changes the protection level on the assigned APS
devices.
You also can disable the automation by changing the total traffic setting to an alerting
option or by turning off the automation and alerting. In this case, the protection level is set
to low on all of the APS devices, even APS devices that are at the high protection level.
To disable the protection level automation on a single APS, see “Overriding a Protection
Group’s Settings on a Managed APS” on page 240.
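The following Python model is an added example, not code from the Arbor APS product or this guide. It plays back constructed one-minute traffic samples against a total traffic threshold and shows how the Total Traffic options in the settings table and the automation rules in this section fit together: the group starts at low, a sample over the threshold raises it to high and records an alert, the high level holds for at least five minutes, and the level returns to low once traffic is below the threshold. The option names used by effective_threshold ('global', 'explicit', 'none') and the sample values are this example's own; only a bps threshold is modelled, and the pps variant would work the same way.

```python
"""Constructed example: model APS protection level automation for one protection group.

Added illustration code, not part of the Arbor APS product or its documentation.
Samples arrive once a minute, so reacting on the next sample models "within one minute".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_HIGH_SECONDS = 5 * 60       # the level remains high for at least five minutes
SAMPLE_INTERVAL_SECONDS = 60    # one traffic sample per minute (constructed cadence)


def effective_threshold(option: str, group_value: Optional[int],
                        aps_global: int) -> Optional[int]:
    """Resolve a Total Traffic option to the threshold the APS applies.

    'global'   - use the APS global total traffic threshold setting
    'explicit' - use the value typed for this protection group
    'none'     - automation and total traffic alerts are disabled
    These option names belong to this example, not to the UI.
    """
    if option == "global":
        return aps_global
    if option == "explicit":
        if group_value is None:
            raise ValueError("an explicit threshold needs a value")
        return group_value
    if option == "none":
        return None
    raise ValueError(f"unknown option {option!r}")


@dataclass
class AutomationState:
    threshold_bps: int
    level: str = "low"                  # APS sets the level to low when the policy is selected
    raised_at: Optional[int] = None     # time in seconds when the level was last raised to high
    alerts: List[int] = field(default_factory=list)

    def observe(self, t: int, bps: int) -> str:
        """Apply one traffic sample and return the resulting protection level."""
        if self.level == "low":
            if bps > self.threshold_bps:
                self.level = "high"
                self.raised_at = t
                self.alerts.append(t)   # raising the level also triggers an alert
        else:
            held_long_enough = t - self.raised_at >= MIN_HIGH_SECONDS
            if held_long_enough and bps < self.threshold_bps:
                self.level = "low"
                self.raised_at = None
        return self.level


def automation_timeline(threshold_bps: Optional[int],
                        samples: List[Tuple[int, int]]) -> List[Tuple[int, str, bool]]:
    """Return (time, level, alerted) per sample; a None threshold means automation is off."""
    if threshold_bps is None:
        # Disabling automation sets the protection level to low on every APS.
        return [(t, "low", False) for t, _ in samples]
    state = AutomationState(threshold_bps)
    out: List[Tuple[int, str, bool]] = []
    for t, bps in samples:
        before = len(state.alerts)
        level = state.observe(t, bps)
        out.append((t, level, len(state.alerts) > before))
    return out


# Constructed per-minute samples in bps: quiet, a 2.5 Gbps spike for two minutes, then quiet.
SAMPLES: List[Tuple[int, int]] = [
    (0, 400_000_000), (60, 450_000_000), (120, 2_500_000_000), (180, 2_400_000_000),
    (240, 300_000_000), (300, 300_000_000), (360, 300_000_000), (420, 300_000_000),
]

if __name__ == "__main__":
    threshold = effective_threshold("explicit", 1_000_000_000, aps_global=2_000_000_000)
    for t, level, alerted in automation_timeline(threshold, SAMPLES):
        print(f"t={t:4d}s level={level:4s}{'  ALERT' if alerted else ''}")
```

Run as a script, the timeline shows the level rising at t=120 with an alert, staying high through t=360 although traffic has already dropped, and returning to low at t=420, five minutes after it was raised.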
Propagating protection group settings to APS devices
APS Console propagates the settings you configure for the protection groups to the APS
devices that are assigned to the protection groups.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Assigning APS Devices to Protection Groups
After you add a protection group in APS Console, you can assign one or more APS devices
to the protection group. After you assign an APS to a protection group, the next time APS
Console synchronizes with the APS devices it manages, it copies the protection group to
that APS.
The maximum number of custom protection groups to which you can assign APS
depends on the APS device, as shown in the following table.
Maximum number of APS assignments to custom protection groups
APS device                           Maximum number of assignments
2800                                 99
2600                                 99
2100                                 49
2000                                 49
vAPS                                 49
vAPS with a minimum configuration    9
Note
For information about the vAPS minimum configuration, see the Virtual APS Installation Guide.
All of the APS devices that APS Console manages are assigned automatically to the default
protection group. However, the default protection group only protects IPv4 prefixes. The
default protection group does not protect IPv6 prefixes.
After you assign at least one APS device to a protection group, you can view the protection
group traffic on the View Protection Group page. See “Viewing the Traffic Activity for a
Protection Group” on page 194.
You can override the protection group settings for protection level, protection mode, and
threshold alerts on any managed APS. See “Overriding a Protection Group’s Settings on a
Managed APS” on page 240.
User access
Only administrators can assign APS devices to, or remove APS devices from, protection
groups. See “About User Groups” on page 38.
Assigning APS devices to a protection group
To assign APS devices to a protection group:
1. Navigate to the Manage APS Assignments window in one of the following ways:
   - From the status message that appears at the top of the List Protection Groups page after adding a protection group: click the Assign it to an APS link.
   - From the menu:
     a. Select Protect > Inbound Protection > Protection Groups.
     b. (Optional) On the List Protection Groups page, filter the list to find a specific protection group. See “Searching for protection groups” on page 226.
     c. Hover your mouse pointer over the name of a specific protection group, and then click (context menu).
     d. In the context menu, select Manage APS Assignments.
2. (Optional) In the Manage APS Assignments window, type a string in the Filter List
box to filter the APS names in the Available list.
The Available and Assigned lists display up to 25 characters of an APS name. If an APS
name exceeds 25 characters, hover your mouse pointer over it to view the entire
name.
3. Assign APS devices to the protection group in one of the following ways:
   - To assign all of the available APS devices: click Assign All.
   - To assign individual APS devices:
     a. Select the APS names in the Available list.
     b. Click Assign.
   - To assign a single APS device: double-click the name in the Available list.
4. Click Save.
If a prefix in the protection group is included in a protection group that is already
assigned to a selected APS, you cannot save the assignments. You also cannot save
the assignments if a selected APS is assigned to its maximum number of protection
groups. To proceed, unassign any APS devices that cannot be assigned or click
Cancel.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
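To make the two save-time rules in step 4 concrete, the following Python example checks a proposed assignment offline. It is added here and is not part of the Arbor APS product or this guide. It normalises Protected Hosts entries in the forms the settings table accepts (address, CIDR prefix, hostname), treats a conflict as two groups on the same APS containing the same prefix, as the note on the settings table states, and applies the per-model maximums from the assignment table above. The hostname table, the device model keys, and the group names are constructed for the example.

```python
"""Constructed example: the two checks that stop an APS assignment from being saved.

Added illustration code, not part of the Arbor APS product or its documentation.
  * an APS cannot be assigned to two protection groups that contain the same prefix
  * an APS cannot exceed its model's maximum number of custom protection group assignments
Hostnames are resolved through a constructed table rather than DNS so the example runs offline.
"""
import ipaddress
from typing import Dict, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Maximum assignments per device model, from the table in this section (keys are this example's own).
MAX_ASSIGNMENTS: Dict[str, int] = {
    "2800": 99, "2600": 99, "2100": 49, "2000": 49,
    "vAPS": 49,
    "vAPS-minimum": 9,      # vAPS with a minimum configuration
}

# Constructed stand-in for DNS (documentation addresses from RFC 5737 and RFC 3849).
HOSTNAME_TABLE: Dict[str, str] = {
    "myserver.mycompany.net": "192.0.2.1",
    "www6.example.net": "2001:db8::2",
}


def normalize_host_entry(entry: str) -> Network:
    """Turn one Protected Hosts entry into a network object.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network, a CIDR string keeps
    its prefix, and a hostname is looked up in HOSTNAME_TABLE.
    """
    entry = entry.strip()
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    if entry in HOSTNAME_TABLE:
        return ipaddress.ip_network(HOSTNAME_TABLE[entry])
    raise ValueError(f"not an IP address, CIDR prefix, or known hostname: {entry!r}")


class ProtectionGroup:
    def __init__(self, name: str, hosts: List[str]) -> None:
        self.name = name
        self.prefixes: Set[Network] = {normalize_host_entry(h) for h in hosts}


def check_assignment(group: ProtectionGroup, aps_model: str,
                     assigned: List[ProtectionGroup]) -> List[str]:
    """Return the reasons assigning `group` to an APS would be refused (empty = can save).

    `assigned` holds the custom protection groups already assigned to that APS.
    """
    problems: List[str] = []
    limit = MAX_ASSIGNMENTS[aps_model]
    if len(assigned) >= limit:
        problems.append(f"APS model {aps_model} is already at its maximum of {limit} assignments")
    for other in assigned:
        # key=str keeps sorted() from comparing IPv4 and IPv6 networks with each other
        for prefix in sorted(group.prefixes & other.prefixes, key=str):
            problems.append(f"prefix {prefix} is already in group {other.name!r} on this APS")
    return problems


if __name__ == "__main__":
    web = ProtectionGroup("web", ["192.0.2.0/24", "2001:DB8::/32"])
    dup = ProtectionGroup("dup", ["myserver.mycompany.net", "192.0.2.0/24"])
    for line in check_assignment(dup, "2100", [web]):
        print("cannot save:", line)
```

The host address 192.0.2.1 and the /24 that contains it count as different prefixes here, matching the wording of the note; only an identical prefix in two groups on the same APS is reported.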
Removing APS assignments from a protection group
To unassign APS devices that are assigned to a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection group. See “Searching for protection groups” on page 226.
3. Hover your mouse pointer over the protection group name, and then click (context menu).
4. In the context menu, select Manage APS Assignments.
5. (Optional) In the Manage APS Assignments window, type a string in the Filter List
box to filter the names in the Assigned list.
The Available and Assigned lists display up to 25 characters of an APS name. If an APS
name exceeds 25 characters, hover your mouse pointer over it to view the entire
name.
6. Remove an APS from the protection group in one of the following ways:
   - To unassign a single APS device: double-click the APS name in the Assigned list.
   - To unassign individual APS devices:
     a. Select the APS names in the Assigned list.
     b. Click Unassign.
   - To unassign all of the APS devices: click Unassign All.
7. Click Save.
8. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Removing a single APS assignment from a protection group
To unassign a single APS:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. To view the APS devices that are assigned to a protection group, click (expand) to the left of a protection group name.
4. Hover your mouse pointer over the name of a specific APS, and then click (context menu).
5. In the context menu, select Unassign from Protection Group.
6. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Overriding a Protection Group’s Settings on a Managed APS
By default, every APS device that is assigned to a protection group uses the settings that
you configure for that protection group. However, for a specific APS device, you can
override the protection group’s settings for protection level, protection mode, and
bandwidth alerts.
Indicator of an override
To indicate the override of a protection group setting, APS Console displays the (protection group override) icon next to the setting on the List Protection Groups page.
The icon in a protection group row indicates that there is an override for the setting on at least one APS device. The icon in the row for an APS device indicates that there is an override for the setting on that APS.
Overriding a protection group’s settings for an APS
To override a protection group’s settings for a specific APS:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click (expand) next to the name of a protection group to view its APS assignments.
4. Next to the name of an APS, click (context menu), and then select Edit.
5. In the Configure Protection Group on APS window, for each setting that you want to
change, click Configure the Protection Group Setting for this APS. You can
change the following settings:
   - Protection level. You also can choose to automate the protection level by using a total traffic threshold. See “About protection level automation” on page 235.
   - Protection mode
   - Threshold alerts for total traffic, blocked traffic, and botnet traffic
6. Configure the protection group settings that you selected to override on this APS. See
“Protection group settings” on page 233 for the descriptions of these settings.
7. Click Save.
8. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Reverting to the original protection group settings
To revert to the original protection group settings for a specific APS:
1. Select Protect > Inbound Protection > Protection Groups.
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Next to the name of a protection group, click (expand) to view its APS assignments.
4. Next to the name of an APS, click (context menu), and then select Edit.
5. In the Configure Protection Group on APS window, click Use the Protection Group setting for each setting that you want to revert.
6. Click Save.
7. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Section 13: Mitigating Attacks
APS blocks attacks automatically based on the protection settings that define malicious
traffic. However, certain attacks may require that you take action to block them. This
section describes how to respond to attacks that are not blocked automatically.
In this section
This section contains the following topics:
About Attack Mitigation (page 244)
Workflow for Routine System Monitoring (page 246)
Indicators of Attacks and Mitigations (page 248)
Mitigating an Attack by Raising the Protection Level (page 251)
Changing the Protection Level (page 253)
Identifying and Blocking an Attack (page 255)
About Attack Mitigation
The focus of APS is on the automatic detection and mitigation of attacks. When APS is in
active mode, it continually blocks any malicious traffic that it detects. However, additional
solutions are available to help you to monitor the system and block the attacks that are
not mitigated automatically.
When to actively mitigate an attack
You might need to take steps to block an attack under the following conditions:
- The protection settings and thresholds for the active protection level do not block the attack. For example, if the ICMP Flood Detection settings are disabled for the low protection level, then APS does not detect ICMP floods at that protection level.
- The threshold for automatic Cloud Signaling is disabled or no threshold is configured.
- APS cannot mitigate the attack for reasons beyond its control. For example, if an attack overloads routers that are deployed upstream of APS, then APS cannot detect or mitigate that attack.
About attack mitigation from APS Console
When you use APS Console to manage APS devices, you should perform any mitigation
tasks in APS Console.
Caution
Because the configurations from APS Console can overwrite the ones on APS, any local changes that you make on APS might be lost. Generally, you should not make local changes on a managed APS, although you might occasionally need to do so. For example, you might lose the connection between APS Console and an APS during a high-volume DDoS attack. In that case, you can make local changes on the APS to mitigate the attack.
Options for mitigating inbound attacks
The following table describes your options for blocking an attack that is not mitigated
automatically. The options that you use depend on the type of attack, your knowledge of
network security, and your organization's policies.
Options for mitigating inbound attacks
Follow your organization’s standard procedures.
If your organization has an attack policy, or playbook, follow the procedures that are provided there. If your organization does not have an attack playbook, then continue with the following steps.
Raise the protection level.
You can try to mitigate an attack by raising the global protection level or the protection group protection level. Use this option when you have little time or knowledge of network security and you need to stop an attack as quickly as possible. Alternatively, you might raise the protection level only after other attempts to mitigate an attack are unsuccessful. See “Mitigating an Attack by Raising the Protection Level” on page 251.
Remember that the risk of blocking clean traffic increases with the level of protection. For information about the protection levels and the protection and risk that are associated with each one, see “About the Protection Levels” on page 86.
Identify and block specific attack traffic.
If you can identify the source of an attack, you can block its traffic in the following ways:
- Blacklist the traffic source.
- Create a regular expression to match the traffic and enter it in the appropriate protection setting.
- Create an FCAP expression to match the traffic and enter it in the appropriate protection setting.
See “Identifying and Blocking an Attack” on page 255.
Edit the protection settings.
If you can identify the type of attack, you can try to block it by changing the protection settings that typically block that type of attack. See “Changing the Protection Settings for Server Types” on page 100.
For example, your network experiences an ICMP flood but APS does not detect it. If you can block the attack by changing the Maximum Request Rate for the target protection group, you can avoid changing the protection level.
Workflow for Routine System Monitoring
Because APS can detect and mitigate most attacks automatically, the majority of your
interaction with the system should be to monitor its operations. By developing a routine
system monitoring workflow, you can ensure that APS always provides optimum
protection from attacks.
Regular monitoring can help you to learn about your network’s normal traffic levels so that
you can more easily recognize anomalies. Regular monitoring can also help you to detect
the attacks that are not mitigated automatically. As you learn more about those types of
attacks, you can refine the protection settings so that APS can detect and mitigate them
according to your preferences.
When you use APS Console to manage APS, you can perform these tasks for multiple APS
devices or multiple protection groups.
Workflow
Your APS monitoring workflow should allow you to answer the following questions:
Workflow for routine system monitoring
Question: Do any system problems need attention?
Task: On the Dashboard page, view the Active Alerts section. See “Viewing Active Alerts on the Dashboard” on page 297.
Question: If you use APS Console to manage APS, is the APS connected and synchronized?
Task: In APS Console, view the connection status and synchronization status for each managed APS in the System Information section on the Summary page.
Question: Is the ATLAS Intelligence Feed (AIF) update working?
Task: On the Configure AIF Settings page, view the status of the AIF update. On the Change Log page, view the update information. See “Viewing the Status of ATLAS Intelligence Feed Updates” on page 62.
Question: Is the network under an attack that APS is not blocking?
Task: APS can proactively inform you of attacks and other traffic anomalies that require your attention. If you have enabled thresholds for total traffic alerts or botnet alerts, an alert occurs when a protection group’s traffic exceeds one of the thresholds. These alerts appear on the System Alerts page as well as on other pages in the UI.
In the absence of alerts, you can view specific pages in the UI for information that can help you to detect an attack. See “Indicators of Attacks and Mitigations” on page 248.
Question: Is APS blocking the appropriate traffic?
Task:
- Display and review the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 262.
- For each protection group, display and review the View Protection Group page. See “Viewing the Traffic Activity for a Protection Group” on page 194.
Question: What hosts are currently blocked, and should they be unblocked or whitelisted?
Task: Display and review the Blocked Hosts Log page. See “Viewing the Blocked Hosts Log” on page 262.
Indicators of Attacks and Mitigations
APS provides several ways for you to determine whether your network is under attack and
whether APS is blocking the attack traffic.
If you have enabled alert thresholds, an alert can be the first sign that you are under
attack, in addition to any external indications. See “Alerts that indicate attacks” below and
“External attack symptoms” on page 250.
Whether or not you receive an alert, you can view the extensive traffic statistics that appear
in APS Console. In particular, you can view the traffic graphs that provide a quick visual
indication of the state of your network traffic. Additional statistics provide more details
about the data that is provided in the graphs. See “Graphic indicators of an attack” on
page 249.
For general information about mitigation, see “About Attack Mitigation” on page 244.
How to verify that a mitigation is working
After you take steps to block an attack, confirm that the attack is blocked.
- View the protected service from a customer’s perspective. For example, open a web browser and try to open the web site that was reported as unavailable.
- If you received a bandwidth alert, use the information in the alert to find where to view the behavior that triggered the alert. You might also note whether the alert expired.
- View the graphs and statistics that indicated the attack.
Alerts that indicate attacks
If you have enabled thresholds for total traffic alerts or botnet alerts, an alert occurs when a protection group’s traffic exceeds one of the thresholds. These alerts are collectively called bandwidth alerts.
- Total traffic alerts inform you of spikes in the traffic to protected services so that you can investigate the cause and take action if necessary.
- Botnet alerts indicate that a botnet attack might be underway and suggest the protection level that would block the botnet traffic.
- Blocked host alerts inform you of spikes in the amount of blocked traffic, which might indicate that an attack is underway. You might want to determine if blocking the traffic restored a sufficient level of service or if you need to take action to block additional traffic.
Each alert includes information that can help you to investigate the alerting behavior
further. The information varies by the type of alert. For example, an alert might include the
protection group name, the blocked host IP address, or a URL to the page where you can
view further information.
When you use APS Console to manage APS, you can view the alerts for multiple APS
devices. To do so, view the Dashboard page or the Alerts page (Explore > Alerts) in APS
Console.
Graphic indicators of an attack
In the absence of alerts, you can view specific pages in the UI for information that can help
you to detect an attack. In particular, look for a significant increase in traffic or an
unexpected traffic spike in any of the following graphs.
In APS Console, these graphs typically represent an aggregate of the inbound traffic for
multiple protection groups or multiple APS devices.
Total traffic graphs
This type of graph can represent the amount of traffic flow, the traffic rate, or the request
rate.
Depending on where the graph appears, the traffic might appear in a color other than
blue, and the graph might display stacked data.
Attack and mitigation indicators in the total traffic graphs
- Unblocked attack — A significant increase in the level of total traffic usually indicates an attack that is not sufficiently blocked.
- Partially blocked attack — The graph shows only a minor drop in the level of traffic. Additional mitigation steps might be necessary.
- Blocked attack — The graph shows a significant drop in the level of traffic. The level of traffic appears to be normal.
Blocked-passed traffic graph
This type of graph shows the level of passed traffic in green and the level of blocked traffic
in red, and appears in the following locations:
- On the Dashboard page, in the Total Inbound APS Traffic graph
- On the List Protection Groups page, in the minigraphs for the protection groups and appliances
- On the View Protection Group page, in the following sections: Total Protection Group Traffic and IP Location
Attack and mitigation indicators in the blocked-passed traffic graphs
- Unblocked attack — A significant increase in the level of passed traffic (green) and a low level of blocked traffic (red) usually indicates an attack that is not sufficiently blocked.
- Partially blocked attack — The graph shows only a minor drop in the level of passed traffic (green). Additional mitigation steps might be necessary.
- Blocked attack — The graph shows a significant drop in the level of passed traffic (green). The level of passed traffic appears to be normal.
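As an added example (not code from the Arbor APS product or this guide), the following Python classifier applies the readings in the two indicator tables above to a constructed series of per-minute (passed, blocked) samples: a spike in total traffic with passed traffic still at its peak reads as an unblocked attack, a minor drop in passed traffic as partially blocked, and passed traffic back near the pre-attack baseline as blocked. The numeric factors SPIKE_FACTOR, NORMAL_FACTOR and DROP_FRACTION are assumptions made for the example; the guide describes the graph shapes only qualitatively.

```python
"""Constructed example: read a blocked-passed traffic series the way the indicator tables read the graphs.

Added illustration code, not part of the Arbor APS product or its documentation.
Each sample is (minute, passed_bps, blocked_bps). The first `window` samples form the
pre-attack baseline. The factors below are constructed for the example.
"""
from statistics import mean
from typing import List, Tuple

Sample = Tuple[int, int, int]   # (minute, passed traffic in bps, blocked traffic in bps)

SPIKE_FACTOR = 3.0     # total traffic at least this many times the baseline counts as an attack
NORMAL_FACTOR = 1.5    # passed traffic within this factor of the baseline reads as "normal"
DROP_FRACTION = 0.10   # passed traffic must fall at least this far from its peak to count as a drop


def passed_baseline(samples: List[Sample], window: int) -> float:
    """Mean passed traffic over the baseline window at the start of the series."""
    if len(samples) <= window:
        raise ValueError("need samples beyond the baseline window")
    return mean(passed for _, passed, _ in samples[:window])


def classify(samples: List[Sample], window: int = 5) -> str:
    """Classify the latest sample against the baseline and the peak seen since it."""
    base = passed_baseline(samples, window)
    attack = samples[window:]
    peak_total = max(p + b for _, p, b in attack)
    peak_passed = max(p for _, p, _ in attack)
    _, passed, blocked = samples[-1]

    if peak_total < SPIKE_FACTOR * base:
        return "no attack"                 # no significant increase over the baseline
    if passed <= NORMAL_FACTOR * base:
        return "blocked attack"            # significant drop; passed traffic looks normal again
    if passed <= (1 - DROP_FRACTION) * peak_passed:
        return "partially blocked attack"  # only a minor drop; more mitigation may be needed
    return "unblocked attack"              # passed traffic still at its peak


def mitigation_timeline(samples: List[Sample], window: int = 5) -> List[Tuple[int, str]]:
    """Classification for every sample after the baseline window, as the graph would be read minute by minute."""
    return [(samples[i - 1][0], classify(samples[:i], window)) for i in range(window + 1, len(samples) + 1)]


# Constructed per-minute series: quiet baseline, an unblocked spike, mitigation starting
# to bite, and finally the attack blocked with passed traffic back to normal.
SERIES: List[Sample] = (
    [(m, 100_000_000, 2_000_000) for m in range(5)]
    + [(m, 900_000_000, 20_000_000) for m in range(5, 9)]
    + [(m, 700_000_000, 250_000_000) for m in range(9, 11)]
    + [(m, 120_000_000, 800_000_000) for m in range(11, 13)]
)

if __name__ == "__main__":
    for minute, label in mitigation_timeline(SERIES):
        print(f"minute {minute:2d}: {label}")
```

Run as a script, the series is read as unblocked from minute 5, partially blocked from minute 9 and blocked from minute 11; feeding the classifier a live per-minute export instead of SERIES gives the same reading the operator makes from the graphs.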
External attack symptoms
The initial signs of an attack might occur external to the APS Console UI. The United States
Computer Emergency Readiness Team (US-CERT) states that the following symptoms
could indicate a DoS attack or DDoS attack:
- unusually slow network performance (opening files or accessing web sites)
- unavailability of a particular web site
- inability to access any web site
- dramatic increase in the amount of spam you receive in your account
If you experience any of these symptoms, use the APS Console UI to investigate.
Mitigating an Attack by Raising the Protection Level
Typically, APS can block most attacks automatically. However, when an attack is not
blocked automatically, you must take some action to block the attack traffic.
You can try to mitigate an attack by raising the global protection level or the protection
group protection level. Use this option when you have little time or knowledge of network
security and you need to stop an attack as quickly as possible. Alternatively, you might
raise the protection level only after other attempts to mitigate an attack are unsuccessful.
For additional mitigation options, see “About Attack Mitigation” on page 244.
The more finely tuned your protection settings are, the more successful this method of
blocking traffic will be.
On APS Console, you can change the protection level for a protection group. The new
protection level setting is then synchronized on all of the APS devices assigned to that
protection group.
Testing protection levels
Protection level icons
Throughout the UI, the following icons represent the protection levels: global, low,
medium, and high. The current protection level is indicated by a check mark in the
corresponding icon.
To change the protection level, you click the appropriate icon.
Mitigating an attack by raising the protection level
This workflow assumes that you are already aware of an attack on your network. It also
assumes that you can identify the protection group that is under attack. See “Indicators of
Attacks and Mitigations” on page 248 for information about how to recognize an attack.
Workflow for mitigating an attack by raising the protection level
Step 1: Does the attack affect all of the APS devices that are assigned to the protection group?
- Yes — In the following steps, change the protection level for the protection group. This setting is synchronized on all of the APS devices that are assigned to the protection group. See “About the APS Console - APS Data Synchronization” on page 78.
- No — If the protection group is under attack on a specific APS, then in the following steps, change the protection level for that APS.
Step 2: Change the protection level to Medium in one of the following ways:
- For a protection group — On the View Protection Group page, edit the protection group and select Medium. This setting is synchronized on all of the APS devices that are assigned to the protection group. See “About the APS Console - APS Data Synchronization” on page 78.
- For an APS — On the List Protection Groups page, view the protection group’s APS assignments and edit the affected APS to change its level to Medium.
If the attack is not blocked sufficiently, then change the protection level to High.
Step 3: At the higher protection levels, APS might block valid hosts and services, such as email servers, DNS servers, database servers, or VPNs.
When you raise the protection level, view the Blocked Hosts Log page. If you identify a valid host, whitelist it by clicking its Details button, and then clicking Whitelist in the Blocked Host Detail window. See “Viewing the Blocked Hosts Log” on page 262.
Step 4: Is the attack blocked now?
- Yes — Go to Step 6.
- No — Go to Step 5.
Step 5: Follow your organization’s procedure for escalating the attack mitigation. This procedure might include requesting cloud mitigation.
Step 6: When the level of traffic returns to normal, it indicates that the attack stopped, and you can reset the protection level to Low.
To remain protected in case the attack recurs, you might wait a few hours before you reset the protection level.
Changing the Protection Level
The protection level determines which protection settings are in use at any given time. For
example, if the protection level is low, then the low protection settings are used to inspect
the current traffic. You can change the protection level as needed to mitigate attacks.
Generally, you should set the protection level to low, which offers the least protection but
reduces the risk of blocking clean traffic. Reserve the medium and high levels for
mitigating attacks. See “Balancing protection and risk” on page 88.
About the different protection levels
The global protection level in APS affects all of the protection groups except those that
have their own protection level configured. The protection group protection level
determines which protection settings are in use for a specific protection group. The
outbound threat filter can use the global protection level or it can have its own protection
level. The protection group protection levels and the outbound threat filter’s protection
level override the global protection level.
See “About the Protection Levels” on page 86.
Changing the protection level for multiple APS devices
When you use APS Console to manage APS, you can change the protection level for
multiple APS devices, as follows:
- By default, every APS to which a protection group is assigned uses the protection level
that you configure for that protection group. However, for a specific APS, you can
override the protection group’s protection level.
- All of the managed APS devices use the protection level that is set in the APS Console
outbound threat filter for outbound traffic.
For example, when an attack targets the servers that are protected by several protection
groups, you can raise the protection level for all of those protection groups.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Protection level icons
Throughout the UI, the following icons represent the protection levels: global, low,
medium, and high. The current protection level is indicated by a check mark in the
corresponding icon.
APS Console User Guide, Version 6.3
Changing the protection level for a protection group
To change the protection level for a specific protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, hover your mouse pointer over the protection
group name, and then click (context menu).
3. In the context menu, select Edit.
4. In the Edit Protection Group window, under Protection Level, select Global, Low,
Medium, or High.
5. Click Save.
Changing the protection level for the outbound threat filter
To change the protection level for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click (configure).
3. Under Protection Level, select Global, Low, Medium, or High.
4. Click Save.
Identifying and Blocking an Attack
Typically, APS can block most attacks automatically. However, when an attack is not
blocked automatically, you must take some action to block the attack traffic.
This process assumes that you are already aware of an attack on your network and that
APS is not blocking the attack. See “Indicators of Attacks and Mitigations” on page 248 for
information about how to recognize an attack.
If you do not want to spend time investigating, you can try to mitigate the attack by raising
the protection level or by some other method. For additional mitigation options, see
“About Attack Mitigation” on page 244.
Identifying and blocking the source of an attack
We recommend the following process for identifying and blocking the source of an attack.
However, you can perform any of the steps in any order.
- Did you see a total traffic alert or a botnet alert, or did you receive a notification that
contained one of these alerts? Follow the link in the alert to view the View Protection
Group page.
If APS is not blocking the traffic that caused the alert, follow the next steps to investigate.
- View the Dashboard page and look for critical traffic alerts or traffic behavior that is
unusual or unexpected. See “Using the Dashboard page to identify an attack” below.
- Look for the ATLAS threat categories that are blocking attack traffic.
- If you can identify the protection group that is under attack, use the View Protection
Group page to try to determine the source of the attack. See “Identifying an attack against
a protection group” on the next page.
- Run and review a packet capture and try to determine the nature of the attack. See
“Identifying an attack by examining captured packets” on page 257.
After any attempt to block the attack traffic, check the attack indicators to determine
whether your actions mitigated the attack. See “Indicators of Attacks and Mitigations” on
page 248.
Using the Dashboard page to identify an attack
View the active alerts, graphs, and data on the Dashboard page and look for traffic
behavior that is unusual or unexpected. In particular, look for unexplained traffic spikes or
a sudden, significant increase in the traffic level or traffic rate, or blocked threats.
If you see any suspicious traffic, you can take steps to investigate further.
Options for investigation or mitigation on the Dashboard page
Section: Active Alerts
- Go to the View Protection Group page for the alerting protection group.
- Go to the Alerts page to view additional details about an alert or find additional
DDoS alerts. From there, you can go to the View Protection Group page.
Section: ATLAS Threat Categories
- Go to the Blocked Hosts Log page for a category and view the associated blocked
hosts.
- Go to the Explore ATLAS Threat Categories page to examine the threats that are
blocked from your network as a result of the ATLAS Intelligence Feed settings.
Identifying an attack against a protection group
If you can identify the protection group that is under attack, use the View Protection Group
page to try to determine the source of the attack. You can view and take action on the
protection group information for an individual APS or for all of the managed APS devices.
Look for traffic behavior that is unusual or unexpected. In particular, look for unexplained
traffic spikes, a sudden, significant increase in the traffic level or traffic rate, or traffic from
an unknown or unexpected source. Also, a URL or domain that has a very high percentage
of the total traffic is often an attack target.
Options for investigation or mitigation on the View Protection Group page
Section: Attack Categories
Is one category blocking much more traffic than the others? If so, it is possible that
even more of that type of traffic is not blocked. If the category is one that can be
edited, edit its protection settings so that more traffic is blocked at the lower
protection levels.
Section: Web Traffic By URL and Web Traffic By Domain
Blacklist the URL or domain.
Section: IP Location
- Capture the packets for a country.
- Blacklist the country for the protection group or all protection groups.
Section: Protocols
Create an FCAP expression to match a protocol and enter it in the Filter List settings
for the appropriate server type.
Section: Services
- Capture the packets for a service.
- Create an FCAP expression to match a service and enter it in the Filter List settings
for the appropriate server type.
Identifying an attack by examining captured packets
On the Packet Capture page, run and review a packet capture for a specific APS. By
examining the packet payloads, you might be able to determine the nature of the attack.
For example, you might see HTTP packets that are destined for a web page that does not
exist.
When you identify a pattern in the attack traffic, you can create a payload regular
expression to block that type of traffic. See “Configuring Regular Expression Settings from
Captured Packets” in the APS User Guide.
Investigating and blocking an attack from the Blocked Hosts Log page
After you identify the host IP address that is responsible for the attack, view information
about that host on the Blocked Hosts Log page. From there, you can add the host to the
blacklist to prevent future attacks from that host.
If you determine that the host is no longer a threat, you can remove that host from the
blacklist.
If you determine that a legitimate host is blocked, you can whitelist that host.
Section 14: Traffic Forensics
APS provides reporting and packet capture features that enable you to gather forensic
information about traffic and attacks. In APS Console, you can view traffic information and
run packet captures for all of the instances of APS that are under management.
In this section
This section contains the following topics:
About the Blocked Hosts Log 260
Viewing the Blocked Hosts Log 262
Information on the Blocked Hosts Log Page 266
Viewing the ATLAS Threat Categories that Block Traffic 269
About Capturing Packets 274
Capturing Packet Information 275
About the Blocked Hosts Log
The Blocked Hosts Log page (Explore > Blocked Hosts) provides a single view of all the
DDoS attacks and threats that were blocked from your network. The Blocked Hosts Log
page displays the hosts that were blocked by all of the APS devices that are under APS
Console management. The blocked hosts data in APS Console is an aggregation of the
data from all of the APS devices.
You can specify search criteria to limit the scope of the list and you can export the resulting
list. For information about searching and viewing the Blocked Hosts Log page, see “Viewing
the Blocked Hosts Log” on page 262.
The Blocked Hosts Log page allows you to navigate to other areas of the UI, where you can
take action on specific blocked hosts. See “Taking action on a blocked host” on
page 262.
Why a host appears in the blocked hosts log
A source host can appear in the blocked hosts log for any of the following reasons:
- It is on the inbound blacklist and all of its traffic is blocked.
- A protection category blocked its traffic and temporarily blocked the host.
- A protection category blocked some of its traffic but did not block the host.
For example, the TCP Connection Limiting category blocks the traffic that exceeds a
certain threshold but it does not block the host. In such cases, the host appears in the
blocked hosts log but not in the Temporarily Blocked Sources list.
The traffic that is blocked by the Traffic Shaping settings is an exception. Its source does
not appear in the blocked hosts log.
Because the outbound blacklist in APS and certain protection categories can block
outbound traffic, the blocked hosts log can contain hosts whose outbound traffic was
blocked.
In APS, you can configure notifications that send messages when a host is blocked.
How you can use the blocked hosts log
The following scenarios are examples of how you can use the blocked hosts log:
Global viewing of all blocked traffic
When the APS Traffic section on the Dashboard page shows a large amount of blocked
traffic, you can view the Blocked Hosts Log page to investigate. On the Blocked Hosts Log
page, you can view an aggregate of the traffic that is blocked for each host across all of the
APS devices. If you need to examine a specific host further, you can navigate to the
Blocked Hosts Log page in the APS that blocked the host.
Forensic reporting
After an attack on a specific server, you can search the blocked hosts log for that server’s
destination IP address. The resulting list shows the hosts that were involved in the attack.
You can export the list to a file and include it in a report on the attack.
Protection settings verification
After you configure a new protection group or change protection settings, you can search
the blocked hosts log for that group or attack category. Inspect the log to determine the
level of traffic that the protection group or attack category blocks, and use that information
to further refine the settings.
Debugging
When a customer reports that a legitimate host cannot access the server, you can search
the blocked hosts log for that source host. After you determine why the host was blocked,
you can edit your protection settings, whitelist that host, or relay the information to the
customer for corrective action.
Threat investigation
During or after an attack or another event, the traffic graphs and statistics might indicate
that certain traffic is blocked. The traffic may be blocked by an ATLAS threat category or by
the STIX IOCs in a TAXII collection. View the blocked hosts log to identify the specific threat
and the IP address (external or internal) from which the threat originated.
You can blacklist the IP address to block its traffic in the future. If the attack traffic
originated from within your network, you can notify your security operations center of the
possible threats that are in the network.
Viewing the Blocked Hosts Log
The Blocked Hosts Log page displays the hosts that are blocked now or that were blocked
in the past. You can specify search criteria to limit the scope of the list and you can export
the resulting list.
For general information about the Blocked Hosts Log page and how you can use it, see
“About the Blocked Hosts Log” on page 260. For details about the information on the
Blocked Hosts Log page, see “Information on the Blocked Hosts Log Page” on page 266.
Viewing blocked hosts
To view blocked hosts:
1. Select Explore > Blocked Hosts.
2. On the Blocked Hosts Log page, in the Filter section, specify the search criteria.
See “Blocked hosts search criteria” on page 264.
3. Click Search.
4. If you do not see the results you expect, adjust the search criteria and click Search
again.
From the Blocked Hosts Log page, you can navigate to other areas of the UI, where you can
take action on a specific blocked host. See “Taking action on a blocked host” below.
Opening the Blocked Hosts Log page from other UI pages
For your convenience, certain pages in the UI allow you to open the Blocked Hosts Log
page and focus on a specific item. The item that you are viewing, such as a protection
group or a source IP address, becomes the filter criteria for the page. You can search the
Blocked Hosts Log page with that filter or specify additional filter criteria. Typically, the
option to open the Blocked Hosts Log page is available from a context menu.
Taking action on a blocked host
As you review the information on the Blocked Hosts Log page, you can take action on a
specific blocked host. For example, after an attack, you can review the blocked hosts log to
determine the hosts that were involved in the attack.
You can export the blocked hosts information to a file for forensic reporting, and then
decide which of those hosts to blacklist to prevent future attacks.
The following actions are available from the Blocked Hosts Log page:
Blacklist or whitelist a blocked host
After you analyze a blocked host’s traffic, you can add the host to the blacklist or whitelist,
unblock the host, or remove the host from the whitelist. Unblocking a host removes it
from the blacklist.
In the Blocked Host Detail window, click one of the following buttons:
- Blacklist
- Whitelist
- Unblock
- Remove from Whitelist
The host’s current status determines which options are available. The direction of the
blocked traffic (inbound or outbound) determines whether the action affects the blacklist
or whitelist for inbound traffic or outbound traffic. If the host’s inbound traffic was
blocked, then these actions apply to all of the protection groups. (Outbound traffic is not
associated with the protection groups.)
See “About Blacklisting and Whitelisting Traffic” on page 168.
Capture packets for a blocked host
You can navigate to the Packet Capture page and view the packet-level information about
the traffic on a specific blocked host.
Hover your mouse pointer over a source IP address, click (context menu), and then
select Packet Capture. When the Packet Capture page opens, the host’s IP address is
entered in the Filter section. You can start the packet capture or specify additional filter
criteria. See “Capturing Packet Information” on page 275.
View the blocking protection group
(Inbound traffic only) You can view information about the protection group that blocked a
host’s traffic by opening the View Protection Group page for that protection group.
On the Blocked Hosts Log page or in the Blocked Host Detail window, click the protection
group name link. See “Viewing the Traffic Activity for a Protection Group” on page 194.
Export the blocked hosts information
To save a record of the current blocked hosts view, you can export the blocked hosts
information in the following ways:
- Save as a PDF file by clicking (Create a PDF) on the Arbor Smart Bar. The PDF file
contains the hosts that appear on the current page.
Investigate why a DNS server appears to be blocked
The ATLAS threat categories contain threat policies that define domains that host threats.
When APS matches a domain threat policy, it does not block all of the traffic to the DNS
server and it does not block the host. APS only blocks the DNS request for a known bad
host. See “About matching domain policies” on page 54.
APS sees only the request to the DNS server, not the resolution of the IP address for the
bad host. However, the DNS server appears as a blocked destination IP address on the
Blocked Hosts Log page.
When a host is blocked by an ATLAS threat policy that contains domain-related rules, an
icon appears next to the destination IP address on the Blocked Hosts Log page. Click the
icon to display an explanatory message.
To determine the hostname that APS is blocking:
1. Click the icon next to the destination address. Click the link in the message to open the
Packet Capture page with the host information entered in the Filter section.
2. On the Packet Capture page, run a packet capture and display the dropped packets.
See “Capturing Packet Information” on page 275.
If the DNS requests are intermittent, you might have to wait until the next occurrence.
3. Select a packet and view the packet details.
4. View the packet payload to see the hostname that is being requested and blocked.
If you think that the blocked traffic is legitimate, contact the Arbor Technical Assistance
Center (ATAC) at https://support.arbornetworks.com/. Your feedback helps us to
continually improve the AIF content.
Blocked hosts search criteria
The search criteria that you specify determine the blocked hosts that appear on the
Blocked Hosts Log page. For more information, see “Information on the Blocked Hosts
Log Page” on page 266.
You can search for blocked hosts by completing any of the following options:
Blocked hosts search criteria
Option: Traffic Direction options
Select one of the following options:
- Inbound — Displays the source hosts that are responsible for the inbound blocked
traffic. The Blocked Hosts Log page initially defaults to the inbound blocked traffic.
- Outbound — Displays the source hosts or destination hosts that are responsible for
the outbound blocked traffic.
Option: Time selector
Select one of the time increments or click From to change the timeframe for which
the data is displayed. Only the hosts that were blocked within this timeframe appear
in the search results. See “Changing the display timeframe” on page 28.
Option: Filter box
To find the hosts that were blocked for specific devices or protection groups, click
the Filter box and then select a device from the list. If you are searching for inbound
blocked hosts, you also can select from a list of protection groups. If you are
searching for outbound blocked hosts, then the Outbound Threat Filter option
appears instead of the protection groups. You can select additional devices and
protection groups in any combination.
Option: Attack Categories check boxes
To find the hosts that were blocked by one or more specific attack categories, select
the appropriate check boxes. You can select individual categories or groups of
categories:
- To search all of the AIF threat categories, select the ATLAS Threat Categories check
box.
- To search all of the TAXII collections, select the STIX Threats check box.
- To search all of the categories in the list, select the Attack Categories check box.
Note
Blacklisted Hosts is considered a category. This category displays the blocked traffic
for blacklisted hosts.
Option: Threats list
If you select one or more threat categories under ATLAS Threat Categories, you can
select a specific threat within the selected categories. Select a threat from the list or
type all or part of a threat name. As you type, the system displays a list of matching
threats from which to select.
Option: Source Hosts box
Type one or more hostnames, IP addresses, or CIDR blocks to specify the source
hosts to find.
Type commas or press ENTER to separate multiple hosts.
See “Searching for hosts on the Blocked Hosts Log page” below.
Searching for hosts on the Blocked Hosts Log page
You can search for IPv4 hosts and IPv6 hosts that are on the Blocked Hosts Log page. If you
search for IPv6 hosts, you can specify IPv6 addresses that are compressed or expanded.
For example, APS searches for the same host whether you specify 2001:DB8:0:0:0:0:0:0/32
or 2001:DB8::/32.
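The Source Hosts box accepts hostnames, IP addresses, or CIDR blocks separated by commas or ENTER, and treats the compressed and expanded spellings of an IPv6 block as the same host. The following Python is an added illustration of that search matching and is not APS code; the sample rows, the hostname lookup table, and the way hostnames are resolved are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample rows in the shape of the Blocked Hosts Log page
# (source host, destination, blocking APS). Not real data.
BLOCKED_HOSTS = [
    {"source": "203.0.113.7", "destination": "198.51.100.10", "device": "aps-east"},
    {"source": "2001:db8::1", "destination": "198.51.100.10", "device": "aps-east"},
    {"source": "2001:db8:ffff::9", "destination": "198.51.100.20", "device": "aps-west"},
    {"source": "192.0.2.44", "destination": "198.51.100.20", "device": "aps-west"},
]

# Constructed stand-in for hostname resolution. The guide does not say how APS
# resolves a hostname typed into the Source Hosts box, so this is an assumption.
HOSTNAME_TABLE = {"bot.example.net": "192.0.2.44"}


def parse_source_hosts(text):
    """Parse the Source Hosts box: entries are separated by commas or ENTER.

    Each entry becomes either an ip_network (a bare address is a /32 or /128
    network; an IPv6 entry is normalized so the compressed and expanded
    spellings compare equal) or a lowercase hostname string.
    """
    criteria = []
    for token in re.split(r"[,\n]", text):
        token = token.strip()
        if not token:
            continue
        try:
            # 2001:DB8:0:0:0:0:0:0/32 and 2001:DB8::/32 both normalize to
            # the same IPv6Network object, 2001:db8::/32.
            criteria.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            # Not an address or CIDR block: treat it as a hostname.
            criteria.append(token.lower())
    return criteria


def host_matches(source, criteria):
    """True if a blocked host's source address matches any search criterion."""
    address = ipaddress.ip_address(source)
    for criterion in criteria:
        if isinstance(criterion, str):
            resolved = HOSTNAME_TABLE.get(criterion)
            if resolved is not None and ipaddress.ip_address(resolved) == address:
                return True
        elif address.version == criterion.version and address in criterion:
            return True
    return False


def search_blocked_hosts(source_hosts_text, rows=BLOCKED_HOSTS):
    """Return the rows whose source host matches the Source Hosts box contents."""
    criteria = parse_source_hosts(source_hosts_text)
    return [row for row in rows if host_matches(row["source"], criteria)]


if __name__ == "__main__":
    for query in ("2001:DB8:0:0:0:0:0:0/32", "2001:DB8::/32",
                  "203.0.113.7, bot.example.net"):
        hits = search_blocked_hosts(query)
        print(f"{query!r}: {[row['source'] for row in hits]}")
```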
Information on the Blocked Hosts Log Page
The Blocked Hosts Log page contains several options that allow you to take action on a
specific blocked host. See “Taking action on a blocked host” on page 262.
For information about viewing and using the blocked hosts log, see “Viewing the Blocked
Hosts Log” on page 262.
For general information about the Blocked Hosts Log page and how you can use it, see
“About the Blocked Hosts Log” on page 260.
About the Blocked Hosts Log page search
The search criteria that you specify determine the blocked hosts that appear on the
Blocked Hosts Log page. The display includes all of the available information about each
host as follows:
- If you search for a specific attack category, then the display includes all of the categories
or the TAXII collections that blocked each host within the selected timeframe.
The information about the hosts that are blocked by multiple instances of APS Console
can represent a large amount of data. For efficiency’s sake, when you open the Blocked
Hosts Log page, no data appears until you specify the search criteria. For more information
about searching on the Blocked Hosts Log page, see “Blocked hosts search criteria” on
page 264.
When the search is complete, the resulting information remains on the Blocked Hosts Log
page for an hour, or until you perform another search or cancel a search. After an hour,
the system deletes the search results and resets the Blocked Hosts Log page to an empty
state.
Information on the Blocked Hosts Log page
After you complete the search, a summary of the search appears at the top of the Results
section. The Results section contains the following information:
Information on the Blocked Hosts Log page
Column
Description
Source
Displays the IP address of the source host.
For inbound traffic, this column represents the host that was
blocked. However, if outbound traffic was blocked because the
destination host is on the outbound blacklist, then this column
does not represent the blocked host. (A host that is on the
outbound blacklist is blocked when it is either the source or the
destination of traffic that originates from your network.)
Devices
Displays the name of the APS that blocked the host and the
protection group for which the host is blocked.
If multiple APS devices blocked the host, or if multiple protection
groups are associated with the blocked host, this column displays
the number of devices or protection groups. You can view a list of
those devices and protection groups by hovering your mouse
pointer over the device name.
You can click the device name or protection group name to
navigate to the Blocked Hosts Log page in the APS that blocked the
host. The Blocked Hosts Log page displays the protection groups for
which the host is blocked.
Destination
Lists the range of destination IP addresses that the blocked host
targeted. However, if outbound traffic was blocked because the
destination host is on the outbound blacklist, then this column
represents the blocked host. (A host that is on the outbound
blacklist is blocked when it is either the source or the destination of
traffic that originates from your network.)
When a host is blocked by an ATLAS threat policy that contains
domain-related rules, an icon appears next to the destination IP address
on the Blocked Hosts Log page. The DNS server appears as the
blocked destination IP address. However, APS does not block all of
the traffic to the DNS server; it only blocks the DNS request for a
known bad host. See “About matching domain policies” on
page 54 and “Investigate why a DNS server appears to be
blocked” on page 263.
Port
Displays the destination port or destination port range on which
the traffic was blocked.
Attack Category
Displays the protection categories that blocked the traffic. If
multiple protection categories are associated with the blocked host,
this column displays the number of categories. You can hover your
mouse pointer over the number of protection categories to view a
list of the specific categories.
If the list includes the ATLAS Threat Categories, then the specific
threat categories are listed.
Note
Blacklisted Hosts is considered a category. This category
displays the blocked traffic for blacklisted hosts.
Threats
Displays any threats that were blocked by the ATLAS threat
categories. Click the icon next to a threat to view a description of that
threat.
Last Activity
Displays the amount of time since the last time that the host’s traffic
was blocked. If multiple devices blocked the host, you can view a list
of those devices by hovering your mouse pointer over the Last
Activity entry. You can click a device name to navigate to the Blocked
Hosts Log page in the APS that blocked the host. The Blocked Hosts
Log page is filtered for that particular host.
Total Traffic
Displays the amount of the host’s traffic that was blocked during
the specified time period. The traffic is displayed in bytes and
packets.
Traffic Rate
Displays the rate of the host’s traffic that was blocked during the
specified time period. The traffic rate is displayed in bits per second
or packets per second.
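The Devices, Attack Category, Last Activity, Total Traffic, and Traffic Rate columns are built by aggregating the block data that every managed APS reports. The following Python is an added illustration of that aggregation for one display timeframe and is not APS Console code; the record shape, device and protection group names, category names, and traffic numbers are constructed assumptions.

```python
# Constructed display timeframe in seconds (a 1-hour view) over which the
# Traffic Rate column is computed.
PERIOD_SECONDS = 3600

# Constructed per-APS block records, as APS Console might collect them from
# each managed APS: device, protection group, source host, blocking category,
# seconds since the last block, and the blocked bytes and packets. Not real data.
RECORDS = [
    {"device": "aps-east", "group": "Web Servers", "source": "203.0.113.7",
     "category": "TCP Connection Limiting", "seconds_ago": 120,
     "bytes": 6_000_000, "packets": 60_000},
    {"device": "aps-east", "group": "Web Servers", "source": "203.0.113.7",
     "category": "Blacklisted Hosts", "seconds_ago": 30,
     "bytes": 1_500_000, "packets": 15_000},
    {"device": "aps-west", "group": "DNS Servers", "source": "203.0.113.7",
     "category": "TCP Connection Limiting", "seconds_ago": 600,
     "bytes": 1_500_000, "packets": 15_000},
    {"device": "aps-west", "group": "DNS Servers", "source": "198.51.100.9",
     "category": "Blacklisted Hosts", "seconds_ago": 900,
     "bytes": 360_000, "packets": 3_600},
]


def _label(names, noun):
    """Devices and Attack Category columns show the single name when there is
    one entry, otherwise a count (the UI shows the full list on hover)."""
    names = sorted(names)
    return names[0] if len(names) == 1 else f"{len(names)} {noun}"


def aggregate_blocked_hosts(records, period_seconds):
    """Aggregate per-APS block records into one Blocked Hosts Log row per source."""
    by_source = {}
    for rec in records:
        row = by_source.setdefault(rec["source"], {
            "devices": set(), "groups": set(), "categories": set(),
            "last_activity_seconds": None, "total_bytes": 0, "total_packets": 0,
        })
        row["devices"].add(rec["device"])
        row["groups"].add(rec["group"])
        row["categories"].add(rec["category"])
        row["total_bytes"] += rec["bytes"]
        row["total_packets"] += rec["packets"]
        # Last Activity is the most recent block across all devices.
        last = row["last_activity_seconds"]
        if last is None or rec["seconds_ago"] < last:
            row["last_activity_seconds"] = rec["seconds_ago"]

    results = []
    for source, row in by_source.items():
        results.append({
            "source": source,
            "devices": _label(row["devices"], "devices"),
            "device_names": sorted(row["devices"]),
            "protection_groups": sorted(row["groups"]),
            "attack_category": _label(row["categories"], "categories"),
            "last_activity_seconds": row["last_activity_seconds"],
            "total_bytes": row["total_bytes"],
            "total_packets": row["total_packets"],
            # Traffic Rate: bits per second and packets per second over the timeframe.
            "bits_per_second": row["total_bytes"] * 8 / period_seconds,
            "packets_per_second": row["total_packets"] / period_seconds,
        })
    # Heaviest blocked host first.
    return sorted(results, key=lambda r: r["total_bytes"], reverse=True)


if __name__ == "__main__":
    for row in aggregate_blocked_hosts(RECORDS, PERIOD_SECONDS):
        print(row["source"], row["devices"], row["attack_category"],
              f"{row['last_activity_seconds']}s ago",
              f"{row['total_bytes']} B / {row['total_packets']} pkts",
              f"{row['bits_per_second']:.0f} bps / {row['packets_per_second']:.0f} pps")
```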
Viewing the ATLAS Threat Categories that Block Traffic
The Explore ATLAS Threat Categories page displays the ATLAS threat categories that block
inbound traffic and outbound traffic on all of the APS that APS Console manages. Use this
information to examine the threats that are blocked from your network as a result of the
ATLAS Intelligence Feed settings.
From this page, you can display the Threat Category Details page to view the specific
threats that each threat category blocked.
For general information about the threat categories, see “About the ATLAS Threat
Policies” on page 54.
Viewing the blocking ATLAS threat categories
To view the blocking ATLAS threat categories:
1. Select Explore > ATLAS Threat Categories.
2. (Optional) On the Explore ATLAS Threat Categories page, filter the information that
appears on the page as follows:
- To change the timeframe for which the data is displayed, click one of the time
increments or click From, select a time range, and then click Update.
- To limit the display to specific APS devices, click the Showing All APSes link that
appears to the right of the time selector. In the Select APS Devices window, select
each APS whose traffic and threat categories you want to view, and then click
Apply.
- To select the unit of measure for displaying traffic, click Bytes or Packets in the
upper-right corner of the page.
3. Select one of the following tabs:
- Inbound — To display the threat categories that are blocking inbound traffic.
- Outbound — To display the threat categories that are blocking outbound traffic.
4. On the Explore ATLAS Threat Categories page, you can view additional information
about the threat categories as follows:
- To hide or show the graph data for one or more threat categories, click the
category’s Key column.
- To view information about the threats that were blocked at a given time, hover your
mouse pointer over a section of a graph until a popup window appears.
5. To view the top 10 threats that a threat category blocked, click the category’s name link
or click in the area of the graph that represents the category.
When the Threat Category Details page appears, it is filtered by the same criteria as
the Explore ATLAS Threat Categories page. You can change the filter criteria as needed.
6. On the Threat Category Details page, you can view additional information about the
threats as follows:
- To hide or show the graph data for one or more threats, click the threat’s Key
column.
- To view information about the threats that were blocked at a given time, hover your
mouse pointer over a section of a graph until a popup window appears.
Information on the Explore ATLAS Threat Categories page
The Explore ATLAS Threat Categories page displays the following information for the threat
categories that blocked traffic within the display timeframe. The selected tab (Inbound or
Outbound) determines which columns appear.
Information on the Explore ATLAS Threat Categories page
Information
Description
Inbound Blocked Threats graph
(Inbound tab only) Represents the average rate of the inbound
traffic that was blocked for all of the blocking threat categories.
You can hover your mouse pointer over a section of the graph
until a popup window appears. The popup window displays the
threat category name, amount of blocked traffic, and time that
are associated with the nearest data point on the graph. The
pointer on the popup window indicates the data point.
Outbound Blocked Threats graphs
(Outbound tab only) Displays the blocked outbound traffic for
all of the blocking threat categories on the following graphs:
- The stacked graph represents the average rate of the
outbound traffic that was blocked, in bytes per second or
packets per second.
- The line graph represents the number of source hosts that
were blocked per minute.
You can hover your mouse pointer over a section of either graph
until a popup window appears. The popup window displays the
threat category name, amount of blocked traffic or blocked
hosts, and time that are associated with the nearest data point
on the graph. The pointer on the popup window indicates the
data point.
Key
Shows the color that represents the specific threat category in
the blocked threat graphs and allows you to filter the graph
displays.
You can click a threat category’s key to hide or show that
category on the graph, so that you can focus on the traffic for
specific categories.
Category
Displays the name of the threat category that blocked the traffic.
You can click the threat category’s name link to open the Threat
Category Details page for that category. See “Information on the
Threat Category Details page” on page 272.
Information on the Explore ATLAS Threat Categories page (continued)
(context menu): Appears when you hover your mouse pointer over a threat
category. Click (context menu), and then select one of the following options:
• Blocked Hosts — Displays the Blocked Hosts Log page with
the search criteria selected. You can start the search or specify
additional search criteria. See “Viewing the Blocked Hosts
Log” on page 262.
• (Learn more) — Displays a description of the threat
category.
Source Hosts Blocked: (Outbound tab only) Shows the aggregate sum of the hosts that
the threat category blocked for each minute of the display
timeframe. For example, if the timeframe is 1 hour, then this
column represents the sum of the hosts that were blocked for
each of the last 60 minutes.
Source Hosts Blocked Rate: (Outbound tab only) Shows the average number of source
hosts per minute (pm) that the threat category blocked.
Total Bytes Blocked, Bytes Blocked Rate or Total Packets Blocked, Packets Blocked Rate:
Shows the amount of traffic and the average rate of traffic that
the threat category blocked.
The traffic is displayed in bytes or packets, depending on the unit
of measure that is selected for this page.
Information on the Threat Category Details page
The Threat Category Details page displays the following information for the top 10 threats
that the selected threat category blocked. The selected tab (Inbound or Outbound)
determines which columns appear.
Information on the Threat Category Details page
Inbound Blocked Threats graph: (Inbound tab only) Represents the average rate of the inbound
traffic that was blocked for the top 10 threats.
You can hover your mouse pointer over a section of the graph
until a popup window appears. The popup window displays the
threat name, amount of blocked traffic, and time that are
associated with the nearest data point on the graph. The pointer
on the popup window indicates the data point.
Outbound Blocked Threats graphs: (Outbound tab only) Displays the blocked outbound traffic for
the top 10 threats on the following graphs:
• The stacked graph represents the average rate of outbound
traffic that was blocked, in bytes per second or packets per
second.
• The line graph represents the number of source hosts that
were blocked per minute.
You can hover your mouse pointer over a section of either graph
until a popup window appears. The popup window displays the
threat name, amount of blocked traffic or blocked hosts, and
time that are associated with the nearest data point on the
graph. The pointer on the popup window indicates the data
point.
Key: Shows the color that represents the specific threat in the blocked
threat graphs and allows you to filter the graph displays.
You can click a threat’s key to hide or show that threat on the
graphs, so that you can focus on the traffic for specific threats.
Threat: Displays the name of the threat that the selected category
blocked.
(context menu): Appears when you hover your mouse pointer over a threat. Click
(context menu), and then select one of the following options:
• Blocked Hosts — Displays the Blocked Hosts Log page with
the search criteria selected. You can start the search or specify
additional search criteria. See “Viewing the Blocked Hosts
Log” on page 262.
• (Learn more) — Displays a description of the threat.
Severity: Indicates the severity level that ASERT assigned to this threat.
Source Hosts Blocked: (Outbound tab only) Shows the aggregate sum of the hosts that
were blocked for this threat for each minute of the display
timeframe. For example, if the timeframe is 1 hour, then this
column represents the sum of the hosts that were blocked for
each of the last 60 minutes.
Source Hosts Blocked Rate: (Outbound tab only) Shows the average number of source
hosts per minute (pm) that were blocked for this threat.
Total Bytes Blocked, Bytes Blocked Rate or Total Packets Blocked, Packets Blocked Rate:
Shows the amount of traffic and the average rate of traffic that
was blocked for this threat.
The traffic is displayed in bytes or packets, depending on the unit
of measure that is selected for this page.
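The Source Hosts Blocked, Source Hosts Blocked Rate, Total Bytes Blocked and Bytes Blocked Rate columns described for both the Explore ATLAS Threat Categories page and the Threat Category Details page are aggregates over the per-minute data points of the display timeframe. The following Python is an added example, not APS Console code, that shows how such columns are derived from per-minute samples and how the details page's top-10 cut is taken. The Sample record, the SAMPLES data and the choice of bytes per second for the rate column are assumptions made for the illustration.

```python
"""Aggregate per-minute blocked-traffic samples into the per-category (or per-threat)
columns described on the two pages above.  Added example, not APS Console code.
Assumed formulas, taken from the column descriptions: Source Hosts Blocked is the sum of
hosts blocked in each minute, Source Hosts Blocked Rate is the average per minute,
Total Bytes Blocked is the sum of bytes, Bytes Blocked Rate is bytes per second."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    minute: int          # minute offset within the display timeframe
    category: str        # threat category (or threat name on the details page)
    blocked_bytes: int   # bytes blocked during that minute
    blocked_hosts: int   # distinct source hosts blocked during that minute (outbound only)


# Constructed sample: a 3-minute timeframe with two categories.
SAMPLES = [
    Sample(0, "Botnets", 120_000, 5),
    Sample(1, "Botnets", 60_000, 3),
    Sample(2, "Botnets", 0, 0),
    Sample(0, "Malware", 30_000, 2),
    Sample(2, "Malware", 90_000, 4),
]


def aggregate(samples, timeframe_minutes):
    """Return {category: {total_bytes, bytes_rate_bps, hosts_blocked, hosts_rate_pm}}
    for the samples that fall inside the display timeframe."""
    totals = defaultdict(lambda: {"total_bytes": 0, "hosts_blocked": 0})
    for s in samples:
        if not 0 <= s.minute < timeframe_minutes:
            continue  # data point outside the display timeframe
        totals[s.category]["total_bytes"] += s.blocked_bytes
        totals[s.category]["hosts_blocked"] += s.blocked_hosts
    seconds = timeframe_minutes * 60
    result = {}
    for cat, t in totals.items():
        result[cat] = {
            "total_bytes": t["total_bytes"],
            "bytes_rate_bps": t["total_bytes"] / seconds,      # average over the timeframe
            "hosts_blocked": t["hosts_blocked"],               # sum of per-minute host counts
            "hosts_rate_pm": t["hosts_blocked"] / timeframe_minutes,
        }
    return result


def top_n(stats, n=10, key="total_bytes"):
    """The Threat Category Details page shows only the top 10 threats; rank by one column."""
    return sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


if __name__ == "__main__":
    for name, row in top_n(aggregate(SAMPLES, 3)):
        print(name, row)
```

With a 60-minute timeframe the same function reproduces the page's example: the host column is the sum over the last 60 minutes, and the rate column is that sum divided by 60.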
About Capturing Packets
The Packet Capture page in APS allows you to sample the packets that APS inspects, and
capture information about the packets in real time. You can save the packet information
and you can use it to update protection settings to provide more targeted protection.
The packet capture provides a sample of the traffic data. It is not intended to capture
complete information about any given stream or application session.
How you can use captured packets
The following scenarios are examples of how you can use the captured packet
information:
How you can use captured packets
Create protection settings for unique attacks: Your network is under an attack that is
outside the scope of the current protection settings; for example, a custom URL attack. You
identify the target protection group and service, but you cannot
determine the target URL. You can capture and inspect the packets
that target the protection group and service. When you identify the
target URL, you can blacklist it from within the Packet Capture page
on APS to block all future traffic to that URL.
Forensic reporting: During an attack on a specific service, you capture a sample of the
packets that contain headers for that service. After inspecting the
packets, you save the packet information to a packet capture
(PCAP) file. You can use the PCAP file in a packet analysis program,
save it for reporting purposes, or send it to Arbor for technical
assistance.
Investigate false positives: Clean traffic is blocked and you need to determine the cause so
that you can change your protection settings or whitelist the host.
You can investigate false positives by capturing the packet or
packets that caused a specific host’s traffic to be blocked.
Capturing Packet Information
The Packet Capture page in APS allows you to sample the packets that APS inspects, and
capture information about the packets in real time.
Important
If multiple users on APS capture packets simultaneously, APS returns different packets
for each user. No two users receive the same packet.
You also can perform the following tasks on the Packet Capture page:
• Inspect the packet information. See “Information on the Packet Capture Page” in the
APS User Guide.
• Save the packet information to a packet capture (PCAP) file.
• Blacklist a packet’s source address, target domain, or target URL.
• Use the information from a captured packet to update the settings in the Payload
Regular Expression protection category. See “Configuring Regular Expression Settings
from Captured Packets” in the APS User Guide.
Capturing packet information
To capture packet information:
1. Navigate to the Packet Capture page on a managed APS in one of the following ways:
From the Protection Groups page:
a. Select Protect > Inbound Protection > Protection Groups.
b. On the List Protection Groups page, click (expand) next to a protection group name
to view the APS assignments for that protection group.
c. Hover your mouse pointer over an APS name, and then click (context menu).
d. On the context menu, select Packet Capture.
From the Blocked Hosts Log page:
a. Select Explore > Blocked Hosts.
b. On the Blocked Hosts Log page, hover your mouse pointer over a source IP address,
and then click (context menu).
c. On the context menu, select Packet Capture.
2. On the Packet Capture page, in the Filter section, specify the criteria for filtering the
packet capture. See “Packet filter criteria” in the APS User Guide .
If you do not want to filter the packets, do not specify any filter criteria.
3. In the Capture section, click Start.
Note
If you specify filter criteria but do not click (add), that filter criteria is added for you
when you click Start.
4. To limit the display of the capture results, either during the capture or after the
capture, click Passed, Dropped, or All.
APS always captures all of the packets that match the criteria in the Filter section,
regardless of how you choose to display them.
5. When you want to stop the packet capture, click Pause.
If you do not stop the packet capture, it will stop automatically at 5,000 packets.
6. To view detailed information about a packet, click the packet, and then scroll down to
the Packet Details section.
7. (Optional) As you inspect the packet details, you can take action to block future traffic
from the source of the packet, as follows:
- To blacklist the source address, domain, or URL, click the associated Blacklist
button.
Note
The item is blacklisted for all IPv4 protection groups or all IPv6 protection groups.
- To add packet information to the Payload Regular Expression protection category,
click the Add to Payload Regex button. See “Configuring Regular Expression
Settings from Captured Packets” in the APS User Guide.
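Two behaviours of the procedure above are worth keeping in mind when the saved capture is used for forensic reporting: the capture stops on its own at 5,000 packets, and Passed, Dropped, or All change only what is displayed, never what was captured. The following Python is an added example, not APS or Arbor code, that models a capture buffer with those two rules and writes the displayed subset as a classic libpcap file that a packet analysis program can open. The Capture class, the pass/drop verdicts, the constructed frame bytes and the minimal reader used to check the file are all assumptions made for the illustration.

```python
"""Model a packet capture with the 5,000-packet stop, a Passed/Dropped/All display
filter, and a save-to-PCAP step.  Added example, not APS or Arbor code; the frame
bytes, verdicts and timestamps are constructed."""
import os
import struct
import tempfile
import time

MAX_PACKETS = 5000        # the capture stops automatically at this count (from the guide)
LINKTYPE_ETHERNET = 1     # DLT_EN10MB in the libpcap global header


class Capture:
    def __init__(self, limit=MAX_PACKETS):
        self.limit = limit
        self.packets = []  # (timestamp, verdict, raw bytes)

    def add(self, raw, verdict, ts=None):
        """Record one packet; returns False once the limit is reached (capture stopped)."""
        if len(self.packets) >= self.limit:
            return False
        if verdict not in ("passed", "dropped"):
            raise ValueError("verdict must be 'passed' or 'dropped'")
        self.packets.append((ts if ts is not None else time.time(), verdict, bytes(raw)))
        return True

    def display(self, mode="all"):
        """Passed / Dropped / All limit the display only; the capture keeps everything."""
        if mode == "all":
            return list(self.packets)
        return [p for p in self.packets if p[1] == mode]

    def to_pcap(self, path, mode="all"):
        """Write the (optionally display-filtered) packets as a little-endian pcap file."""
        with open(path, "wb") as f:
            # Global header: magic, major 2, minor 4, tz offset, sigfigs, snaplen, link type
            f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
            for ts, _verdict, raw in self.display(mode):
                sec = int(ts)
                usec = int((ts - sec) * 1_000_000)
                # Record header: ts_sec, ts_usec, captured length, original length
                f.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
                f.write(raw)
        return path


def read_pcap(path):
    """Minimal reader used to verify the file; returns the list of packet payloads."""
    with open(path, "rb") as f:
        data = f.read()
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    out, off = [], 24
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        out.append(data[off:off + incl])
        off += incl
    return out


def demo(limit=MAX_PACKETS):
    """Fill a capture past its limit with constructed frames, save only the dropped
    packets, and return (captured, displayed as dropped, records read back)."""
    cap = Capture(limit)
    # Constructed partial Ethernet/IPv4 frame: broadcast dst, dummy src, EtherType 0x0800.
    frame = bytes.fromhex("ffffffffffff00112233445508004500")
    for i in range(limit + 10):  # offer more packets than the limit allows
        cap.add(frame + bytes([i % 256]), "dropped" if i % 2 else "passed", ts=1_500_000_000 + i)
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        cap.to_pcap(path, "dropped")
        return len(cap.packets), len(cap.display("dropped")), len(read_pcap(path))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The file written by `to_pcap` is the classic 24-byte-header pcap format, so any pcap-aware tool can open it; saving only the dropped packets is the usual choice for a false-positive investigation, while a forensic report would normally be saved with `mode="all"`.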
Section 15: Managing Centralized Reports
This section provides information about how to configure and manage centralized reports
on the APS Console. A centralized report aggregates the data for multiple APS devices that
the APS Console manages.
In this section
This section contains the following topics:
About Centralized Reports (page 278)
About the Centralized Executive Summary Report (page 279)
Configuring On-Demand Centralized Reports (page 283)
Viewing and Deleting Centralized Reports (page 286)
About Centralized Reports
From the Centralized Reports page on the APS Console, you can create and manage
centralized reports. A centralized report aggregates the data for multiple APS devices that
the APS Console manages.
The report provides information about the attacks that one or more APS devices detected
and blocked on your network over time. The report also provides information about
high-level traffic trends on your network over time.
For details about how to configure a centralized report, see “Configuring On-Demand
Centralized Reports” on page 283.
Selecting the APS devices to include in a centralized report
When you configure a centralized report, you can select the APS devices to include in the
report. You refine the report further by selecting the protection groups on those APS
devices whose data you want to include in the report.
Selecting the date range for a centralized report
When you configure a report, you select a timeframe for that report. You can select a
predefined timeframe for days, weeks, or months. You also can specify a custom
timeframe, to include data from a specific time period.
Generating a centralized report
After you configure and submit a centralized report, the APS Console generates the report.
The report runs on each of the selected APS devices and then APS Console aggregates the
data in the centralized report.
About the report data
A centralized report may include the following types of data if the data is available for the
selected protection groups:
• inbound traffic statistics
• top inbound sources
• top inbound destinations
• top inbound countries
• outbound traffic statistics
• top blocked threat categories
For more details about the information included in a centralized report, see “About the
Centralized Executive Summary Report” on the facing page.
About the Centralized Executive Summary Report
The centralized Executive Summary report provides information about the attacks that
one or more APS devices detected and blocked on your network over time. This report
also provides information about high-level traffic trends on your network over time.
You configure these reports on the Reports page. See “Configuring On-Demand
Centralized Reports” on page 283.
About the top hosts data
To include data about the top hosts in a report, you first must enable Top Sources and
Destinations tracking on the APS devices. See “Configuring General Settings” in the APS
User’s Guide.
Important
Some of the data in the Executive Summary report is based on the traffic for the selected
protection groups. However, the data for the top hosts is based on all of the traffic for all
of the selected APS devices.
About the outbound traffic data
To include data about the outbound traffic in a report, you must enable the outbound
threat filter on the APS devices. See “Viewing the Outbound Threat Activity” in the APS
User’s Guide.
The outbound information includes IPv4 traffic data only.
Information in the Executive Summary report
Report header and footer
The report header contains descriptive information about the report. Some of this
information is configurable when you create the report.
Information in the report header
Report name: The user-configurable name of the report, which appears at the
top left of the page.
APS Console name: The hostname of the APS Console on which the report is run,
which appears below the report name.
Description: The optional user-configurable description for the report, which
appears below the APS Console name.
Summary: A summary of the number of protection groups and APS devices
whose data is aggregated in the report. This information appears
below the description.
Logo: The Arbor Networks logo.
Date range: The user-selected date range for the data in the report, which
appears below the logo.
The report footer contains the following information:
• The user name of the person who requested the report
• The date and time on the APS Console when the report was generated
• Explanations about the data that was not included in the report, if applicable
Cloud Signaling
Important
Some of the data in the Executive Summary report is based on the traffic for the selected
protection groups. However, the data for Cloud Signaling is based on all of the traffic for
all of the selected APS devices.
If cloud-based mitigation occurred during the specified date range, the report includes
Cloud Signaling data. Events Mitigated shows the number of unique DDoS attacks that
were mitigated. Targeted IPs Protected shows the number of hosts in your network that
the selected APS devices protected from DDoS attacks by using cloud-based mitigation.
See “About Cloud Signaling for DDoS Protection” in the APS User Guide.
DDoS Protection
If data about the inbound traffic is available, the report includes the following information
for the selected protection groups:
• The amount of blocked inbound traffic, in bytes
• The percentage of inbound traffic that was blocked versus the total amount of inbound
traffic
• The number of unique hosts that were blocked
Note
If the number of blocked hosts exceeds 100,000, the report displays 100000+ as the
blocked hosts statistic.
• A stacked graph that displays the amount of blocked inbound traffic versus the amount
of passed inbound traffic
• The average daily amount, in bytes, of the total inbound traffic, blocked inbound traffic,
and passed inbound traffic during the specified date range
To calculate the average daily inbound traffic, the total amount of inbound traffic for
the selected APS devices is divided by the number of days in the specified date range.
• The average rate, in bps, for the total inbound traffic, the blocked inbound traffic, and
the passed inbound traffic during the specified date range
If data about the outbound traffic is available, the report includes the following
information for the selected protection groups:
• The amount of blocked outbound traffic, in bytes
• The percentage of outbound traffic that was blocked versus the total amount of
outbound traffic
• The number of unique hosts that were blocked
• A stacked graph that displays the amount of blocked outbound traffic versus the
amount of passed outbound traffic
• The average daily amount, in bytes, of the total outbound traffic, blocked outbound
traffic, and passed outbound traffic during the specified date range
To calculate the average daily outbound traffic, the total amount of outbound traffic for
the selected APS devices is divided by the number of days in the specified date range.
• The average rate, in bps, for the total outbound traffic, blocked outbound traffic, and
passed outbound traffic during the specified date range
If no outbound traffic is available during the specified date range, the report omits the
outbound traffic section.
The outbound information includes IPv4 traffic data only.
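The DDoS Protection figures above are simple aggregates, but two of them have details that are easy to get wrong when reproducing the report from raw counters: the blocked-host count is deduplicated and displayed as 100000+ past 100,000, and the daily averages divide by the number of days in the date range rather than by the number of days with data. The following Python is an added example, not APS Console code, that computes the inbound (or outbound) section of the Executive Summary from constructed per-device daily counters for one direction. The DailyCounter record, the sample values and the assumption that unique hosts are deduplicated across all selected devices are mine, not the page's.

```python
"""Compute the DDoS Protection figures of the Executive Summary from per-device daily
counters for one traffic direction.  Added example, not APS Console code.  Formulas follow
the page: percentage blocked vs. total, unique blocked hosts (display capped at 100,000),
average daily amount = total / days in the range, average rate in bits per second."""
from dataclasses import dataclass

HOST_DISPLAY_CAP = 100_000   # above this the report shows "100000+" (from the guide)
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class DailyCounter:
    device: str
    day: str                  # ISO date, constructed
    total_bytes: int          # all traffic in this direction for the selected protection groups
    blocked_bytes: int
    blocked_hosts: frozenset  # hosts blocked that day (constructed documentation addresses)


# Constructed counters: two devices over a two-day date range.
SAMPLE_COUNTERS = [
    DailyCounter("aps-1", "2019-08-12", 1_000_000, 250_000, frozenset({"198.51.100.7", "203.0.113.9"})),
    DailyCounter("aps-1", "2019-08-13", 500_000, 50_000, frozenset({"203.0.113.9", "192.0.2.5"})),
    DailyCounter("aps-2", "2019-08-12", 500_000, 100_000, frozenset({"192.0.2.5", "198.51.100.20"})),
]
DAYS_IN_RANGE = 2


def hosts_display(unique_hosts):
    """Render the blocked-hosts statistic the way the report does."""
    return f"{HOST_DISPLAY_CAP}+" if unique_hosts > HOST_DISPLAY_CAP else str(unique_hosts)


def summarize(counters, days_in_range):
    """Return the figures of one DDoS Protection section (inbound or outbound)."""
    if days_in_range < 1:
        raise ValueError("date range must cover at least one day")
    total = sum(c.total_bytes for c in counters)
    blocked = sum(c.blocked_bytes for c in counters)
    passed = total - blocked
    # Assumption: a host blocked on several days or devices counts once.
    hosts = set().union(*(c.blocked_hosts for c in counters))
    seconds = days_in_range * SECONDS_PER_DAY
    return {
        "blocked_bytes": blocked,
        "blocked_pct": (100.0 * blocked / total) if total else 0.0,
        "unique_blocked_hosts": len(hosts),
        "blocked_hosts_display": hosts_display(len(hosts)),
        # Divide by the days in the range, not by the days that have data.
        "avg_daily": {
            "total": total / days_in_range,
            "blocked": blocked / days_in_range,
            "passed": passed / days_in_range,
        },
        "avg_rate_bps": {
            "total": total * 8 / seconds,
            "blocked": blocked * 8 / seconds,
            "passed": passed * 8 / seconds,
        },
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_COUNTERS, DAYS_IN_RANGE))
```

Note that the page states the DDoS Protection section is based on the selected protection groups, whereas the top-host and Cloud Signaling sections use all traffic of the selected devices; the counters fed to `summarize` should therefore already be restricted to the chosen protection groups.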
Top Inbound Countries
If the data is available, the report includes the following information about the five
countries that sent the most traffic:
• A flag icon that represents the country
Note
In APS, country mappings do not exist for IPv6 addresses. As a result, the report
displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• A stacked graph that represents each country’s total passed traffic in green and its total
blocked traffic in red
• The amount of traffic from each country that was passed and blocked, in bps and pps
• The percentage of the total traffic that each country’s traffic represents, shown as a
number and as a proportion bar. The bar for the top country is the full column width
and the remaining bars are in proportion to it.
In this case, total traffic refers to the total traffic for the countries that are included in this
report.
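The Top Inbound Countries section has two details that matter when reading or reproducing it: the percentage is relative to the total of the five countries shown, not to all inbound traffic, and IPv6 sources are grouped under an IPv6 flag because APS has no country mapping for them. The following Python is an added example, not APS Console code, that ranks constructed per-source records into that five-row table. The record layout, the use of byte counts instead of the bps/pps figures the report prints, and the "unknown" label for an unmapped IPv4 source are assumptions made for the illustration.

```python
"""Rank source countries for the Top Inbound Countries section.  Added example, not APS
Console code.  Rules from the page: top five countries by traffic, IPv6 sources shown with
an IPv6 flag, percentage relative to the total of the countries shown, and a proportion bar
relative to the top country's total."""
import ipaddress
from collections import defaultdict

# Constructed records: (source address, country code or None if unmapped, passed, blocked).
# Documentation address ranges are used; amounts are byte counts for the example.
RECORDS = [
    ("198.51.100.7", "US", 600, 400),
    ("203.0.113.9", "DE", 300, 100),
    ("192.0.2.5", "US", 200, 300),
    ("2001:db8::1", None, 250, 250),
    ("198.51.100.8", "FR", 100, 0),
    ("192.0.2.200", "BR", 50, 50),
    ("203.0.113.77", "JP", 10, 10),
]


def flag_for(address, country):
    """IPv6 sources get an IPv6 flag instead of a country flag (no country mapping in APS)."""
    if ipaddress.ip_address(address).version == 6:
        return "IPv6"
    return country or "unknown"  # assumed label for an IPv4 source without a mapping


def top_countries(records, n=5):
    """Return up to n rows: flag, passed, blocked, pct_of_total, bar_fraction."""
    totals = defaultdict(lambda: {"passed": 0, "blocked": 0})
    for addr, country, passed, blocked in records:
        key = flag_for(addr, country)
        totals[key]["passed"] += passed
        totals[key]["blocked"] += blocked
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["passed"] + kv[1]["blocked"],
                    reverse=True)[:n]
    if not ranked:
        return []
    # "Total traffic" here is the total for the countries that made the table.
    grand = sum(v["passed"] + v["blocked"] for _, v in ranked)
    top_total = ranked[0][1]["passed"] + ranked[0][1]["blocked"]
    rows = []
    for flag, v in ranked:
        t = v["passed"] + v["blocked"]
        rows.append({
            "flag": flag,
            "passed": v["passed"],
            "blocked": v["blocked"],
            "pct_of_total": 100.0 * t / grand,   # number shown next to the bar
            "bar_fraction": t / top_total,       # 1.0 = full column width
        })
    return rows


if __name__ == "__main__":
    for row in top_countries(RECORDS):
        print(row)
```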
Top Blocked Threat Categories
If the data is available, the report includes the following information about the five threat
categories in the ATLAS Intelligence Feed that blocked the most traffic:
• A stacked graph that represents the amount of inbound traffic that was blocked
• A stacked graph that represents the amount of outbound traffic that was blocked
• A key for each graph that shows the color that represents a specific threat category in
the graph
• The name of the threat category that blocked the traffic
• The amount of inbound traffic and the amount of outbound traffic that was blocked
The outbound information includes IPv4 traffic data only.
Top Inbound Sources
Important
Some of the data in the Executive Summary report is based on the traffic for the selected
protection groups. However, the data for Top Inbound Sources is based on all of the
traffic for the selected APS devices.
If the data is available, the report includes the following information about the five external
IP addresses that sent the most traffic:
• The IP address for the source host. If APS can identify the host’s country, this column
also includes a flag icon that represents the country.
Note
In APS, country mappings do not exist for IPv6 addresses. As a result, the report
displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
• A graph that represents the total traffic from the source
• The total amount of traffic from the source, in bytes and packets
• The average rate of traffic from the source, in bps and pps
Top Inbound Destinations
Important
Some of the data in the Executive Summary report is based on the traffic for the selected
protection groups. However, the data for Top Inbound Destinations is based on all of the
traffic for the selected APS devices.
If the data is available, the report includes information about the five internal IP addresses
that received the most traffic:
• The IP address to which the traffic is destined
• A graph that represents the total traffic to the destination
• The total amount of traffic to the destination, in bytes and packets
• The average rate of traffic to the destination, in bps and pps
APS Devices
This section lists the APS devices whose data is included in the report. You select the APS
devices when you configure the report. See “Configuring On-Demand Centralized
Reports” on the facing page.
Protection Groups
This section lists the protection groups whose data is included in the report. You select the
protection groups when you configure the report. See “Configuring On-Demand
Centralized Reports” on the facing page.
Configuring On-Demand Centralized Reports
You can configure centralized reports on the APS Console. Centralized reports aggregate
the data for multiple APS devices that the APS Console manages. The APS Console runs
the report once, immediately after you create the report.
Note
The time zone that appears on the report results is the time zone for the APS Console.
For an overview of centralized reports, see “About Centralized Reports” on page 278. For
a description of the information that the APS Console includes in the report, see “About
the Centralized Executive Summary Report” on page 279.
Configuring an on-demand centralized report
To configure an on-demand centralized report:
1. Select the Reports menu.
2. On the Centralized Reports page, click Configure New Report.
3. On the Step 1 page, select a date range for the data to include in the report in one of
the following ways:
- To select a predefined timeframe, select Quick Date Range, type a number in the
Last box, and select Days, Weeks, or Months.
Note
The report includes data for complete days, weeks, or months only. (A complete
week is Sunday through Saturday.) For example, if you specify a 2-month
timeframe and the APS Console generates the report on April 10, the report
includes the data for February and March only.
- To specify a custom timeframe, select Custom Date Range. Select a start date in
the From calendar and select an end date in the To calendar.
For guidelines on how to specify a custom date range, see “Setting a custom date
range” on page 285.
4. Click Next.
5. On the Step 2 page, all of the APS devices that the APS Console manages are selected
by default. If you do not want to include all of the APS devices in the report, complete
one of the following steps:
- To deselect all of the APS devices, select the check box next to the APS column
header. Then select the check box next to each APS device to include.
- To exclude an APS device, clear the check box next to the APS device in the Name
column.
You must select at least one APS device before you can continue to the next step.
Tip
To filter a large list of APS devices, search by an APS device name or an IP address in
the Search box. To search by name, enter the full name or a partial name of one or
more APS devices. To search by IP address, enter the full IP address or a partial IP
address.
6. Click Next.
7. On the Step 3 page, all of the protection groups are selected by default. The list
includes all of the protection groups to which the selected APS devices are assigned. If
you do not want to include all of the protection groups in the report, complete one of
the following steps:
- To deselect all of the protection groups, select the check box next to the Protection
Groups column header. Then select the check box next to each protection group to
include.
- To exclude a protection group, clear the check box next to the protection group
name.
You must select at least one protection group before you can continue to the next
step.
Tip
To filter a large list of protection groups, enter the name of a protection group or a
server type in the Search box. You can enter the full name or the partial name of
one or more protection groups or server types.
8. Click Next.
9. On the Step 4 page, in the Reporting on section, review the settings that you selected
on the previous pages. To change any of these settings, click Previous to return to the
appropriate page.
10. In the Name box, type a name for the report. The name may contain up to 56
characters.
11. (Optional) In the Description box, type a description for the report. The description
may contain up to 132 characters.
12. (Optional) In the Audit Trail Change Message box, type a message that describes
the change. This message will appear in the audit trail. See “Viewing the Audit Trail
Log” on page 319.
13. (Optional) To deliver the report results as a PDF file to specific destinations, type one
or more email addresses in the Email Addresses box. Enter multiple emails as a
comma-separated list.
Important
To send emails from APS Console, you must configure an SMTP server on the
Configure General Settings page (Administration > General). See “Configuring
General Settings” on page 32.
14. Click Submit.
After you submit the report, the report is added to the list on the Centralized Reports page.
The location of the report in the list is based on the selected sort order. However, if you
sort the reports by Run Date (ascending or descending), any requested reports or running
reports appear at the top of the list. After APS Console generates the report, the report is
added to the list in the selected Run Date order.
For information about sort order, see “Sorting the list of reports” on page 288. For
information about how to view the report results, see “Viewing the results for a
centralized report” on page 286.
Setting a custom date range
When you specify a custom date range on the Step 1 page of the Configure New
Centralized Report wizard, the following guidelines apply:
• To change the month that appears in a calendar, click (previous) or (next).
• After you select a start date in the From calendar, you cannot select any dates prior to
that date in the To calendar.
• If you select start and end dates that are in the same month, you cannot select a new
start date in any month that follows the selected month. You have to pick a new date in
the To calendar first.
• In the To calendar, you cannot select an end date that falls after the current date.
• The timeframe for the report starts at 12:00 A.M. on the selected start date and ends at
11:59:59 P.M. on the selected end date.
Note
If you select the current day as the end date in the To calendar, the end time for the
report is the time at which you submit the report.
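The Quick Date Range note in the Step 1 procedure and the custom date range guidelines above together define what data window a report actually covers, and the answer is not the obvious "today minus N". The following Python is an added example, not APS Console code, that resolves both choices into concrete start and end boundaries. It takes the rules the page states (complete days, weeks, or months only; a week is Sunday through Saturday; 2 months requested on April 10 yields February and March; a custom range runs from 12:00 A.M. on the start date to 11:59:59 P.M. on the end date, or to the submit time when the end date is today). Treating "complete days" as ending yesterday and "complete weeks" as the most recent Sunday-to-Saturday weeks before the current one is my reading of the rule, not something the page spells out.

```python
"""Resolve the Step 1 date-range choices into a concrete report window.  Added example,
not APS Console code.  Dates are passed and returned as ISO strings so the functions can be
called with form values directly.  Assumption: 'complete days' end yesterday and 'complete
weeks' are the most recent Sunday-to-Saturday weeks before the current week."""
from datetime import date, datetime, time, timedelta


def _first_of_month_before(d, months):
    """First day of the month that lies `months` months before d's month."""
    y, m = d.year, d.month - months
    while m <= 0:
        y -= 1
        m += 12
    return date(y, m, 1)


def quick_range(last, unit, today_iso):
    """Return (start, end) ISO dates for 'Last <last> Days|Weeks|Months' as of today_iso."""
    if last < 1:
        raise ValueError("Last must be at least 1")
    today = date.fromisoformat(today_iso)
    if unit == "Days":
        end = today - timedelta(days=1)                       # today is never complete
        start = end - timedelta(days=last - 1)
    elif unit == "Weeks":
        # date.weekday(): Monday=0 .. Sunday=6, so this is the Sunday starting the current week.
        this_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
        end = this_sunday - timedelta(days=1)                 # the most recent Saturday
        start = end - timedelta(days=7 * last - 1)
    elif unit == "Months":
        start = _first_of_month_before(today, last)
        end = date(today.year, today.month, 1) - timedelta(days=1)  # last day of previous month
    else:
        raise ValueError("unit must be Days, Weeks, or Months")
    return start.isoformat(), end.isoformat()


def custom_range(start_iso, end_iso, submitted_iso):
    """Return (start, end) ISO datetimes for a custom range, enforcing the calendar rules."""
    start_date = date.fromisoformat(start_iso)
    end_date = date.fromisoformat(end_iso)
    submitted = datetime.fromisoformat(submitted_iso)
    today = submitted.date()
    if end_date < start_date:
        raise ValueError("the end date cannot precede the start date")
    if end_date > today:
        raise ValueError("the end date cannot be after the current date")
    start = datetime.combine(start_date, time.min)            # 12:00 A.M. on the start date
    if end_date == today:
        end = submitted                                       # ends at the submit time
    else:
        end = datetime.combine(end_date, time(23, 59, 59))    # 11:59:59 P.M. on the end date
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    print(quick_range(2, "Months", "2019-04-10"))   # the page's example: February and March
    print(custom_range("2019-04-01", "2019-04-10", "2019-04-10T14:30:00"))
```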
Viewing the results
After the APS Console generates a centralized report, you can view the results online with
your default browser. You also can export the results as a PDF file. See “Viewing and
Deleting Centralized Reports” on the next page.
Viewing and Deleting Centralized Reports
On the Centralized Reports page, you can view the centralized reports that you configure
and run on the APS Console. Centralized reports aggregate the data from multiple APS
devices that the APS Console manages.
You also can delete centralized reports on this page. See “Deleting centralized reports” on
page 288.
For instructions on how to configure centralized reports, see “Configuring On-Demand
Centralized Reports” on page 283.
For a description of the information that the APS Console includes in these reports, see
“About the Centralized Executive Summary Report” on page 279.
Viewing the results for a centralized report
To view the report results:
1. Select the Reports menu.
2. (Optional) On the Centralized Reports page, change the sort order of the reports in
the list. See “Sorting the list of reports” on page 288.
3. (Optional) To limit the number of reports in the list, filter the list. See “Filtering the list
of reports” on the facing page.
4. Complete one of the following steps:
- Click the report name link to view the report in your default browser.
- Click (context menu) to the right of the report name and select Export as PDF to
generate a PDF file of the report.
Information on the Centralized Reports page
The Centralized Reports page provides the following information:
Centralized Reports information
Search box: Allows you to filter the list of reports by the information in the
following columns:
• Name
• Requested by
Configure New Report button: Allows you to configure an on-demand report that aggregates
data from multiple APS devices that the APS Console manages.
See “Configuring On-Demand Centralized Reports” on page 283.
Selection check boxes: Allow you to select one or more of the reports to delete.
You cannot delete reports with a status of Requested or Running.
Name column: Displays the name of the report. After the APS Console generates
the report, the report name appears in the form of a link. Click the
link to open the report in your default browser.
Note
If the report fails, the report name appears, but the name is not
linked to report results. Instead, the Report Status column
indicates that the report failed.
(context menu): Appears in the Name column. Click the icon and select Export as
PDF to generate a PDF file of the report.
Run Date column: Indicates the date and time on which the APS Console generated
the report. The run date is based on the time zone for the APS
Console.
Report Status column: Indicates the state of the report. The possible states are as follows:
• Requested — Appears after the report has been configured,
but before APS Console starts generating the report
• Running — Appears while APS Console is generating the report
• Completed — Appears after the report is complete, and you
can view the results
• Failed — Appears if the APS Console cannot complete the
report. If the report fails, click (error) to view the reason for
the failure.
Date Range column: Indicates the start date and the end date for the data in the report.
Requested by column: Indicates the name of the person who configured the report.
Delete button: Deletes the selected reports.
Filtering the list of reports
To filter the list of reports on the Centralized Reports page, you can search for one or more
reports. You can search by report name or by the name of the person who requested the
report.
To filter the reports:
1. Select the Reports menu.
2. On the Centralized Reports page, in the Search box at the top of the page, enter any
of the following text strings:
- the full name or partial name of one or more reports
- the full name or partial name of a person who requested a report
The APS Console filters the list of reports as you type.
Note
If you enter the name of a report or the name of a requester that is not in the list, the
APS Console hides all of the reports.
3. To clear the filtered list and view all of the reports, click (clear).
Sorting the list of reports
On the Centralized Reports page, you can sort the reports by the information in the
following columns, in ascending or descending order:
• Name
• Run Date
• Report Status
• Requested By
The selected sort applies to all of the reports in the list, including reports that APS Console
is generating or reports that have the Requested status. However, if you sort the reports by
Run Date (ascending or descending), any requested reports or running reports always
appear at the top of the list. After the reports are complete, the APS Console adds them to
the list in the selected Run Date order.
To change the sort order of the reports on the Centralized Reports page:
1. Select the Reports menu.
2. On the Centralized Reports page, change the order of the reports in one of the
following ways:
- To change the direction of the sort in the currently selected column, click (ascending) or (descending) to the right of the column name.
- To change the column to sort the reports by, click (ascending) or (descending) to the right of a different column name.
Deleting centralized reports
Caution
You cannot undo the deletion of reports.
To delete one or more of the centralized reports:
1. Select the Reports menu.
2. On the Centralized Reports page, complete one of the following steps:
- Select the check box for each report to delete, and then click Delete.
- Select the check box to the left of the Name column header to select all of the reports, and then click Delete.
3. (Optional) In the Confirmation Needed window, type a message in the Audit Trail Change Message box that describes the change. This message will appear in the audit trail. See “Viewing the Audit Trail Log” on page 319.
4. Click Delete.
Part IV: Network Management
Section 16: Viewing Network Activity on the Dashboard
This section describes how to use the Dashboard page to view the security status of your
network.
In this section
This section contains the following topics:
Viewing a Dashboard of Network Activity ... 292
Viewing APS Traffic on the Dashboard ... 294
Viewing Active Alerts on the Dashboard ... 297
Viewing a Dashboard of Network Activity
The Dashboard page provides an overview of the security status of your network. On the
Dashboard page, you can view an aggregation of the critical events, traffic, and threats that
are identified, blocked, and monitored by APS Console and APS.
The Dashboard page appears by default when you log in to APS Console.
Note
The filters for the timeframe and the unit of measure do not affect the Active Alerts
section.
Viewing the Dashboard page
To view the Dashboard page:
1. Select the Dashboard menu.
2. (Optional) On the Dashboard page, filter the information that appears on the page as
follows:
- To change the timeframe for which the data is displayed, click one of the time increments or click From, select a time range, and then click Update.
- To limit the display to specific APS devices, click the Showing All APSes link that appears to the right of the time selector. In the Select APS Devices window, select each APS whose traffic and threat categories you want to view, and then click Apply.
- To select the unit of measure for displaying traffic, click Bytes or Packets in the upper-right corner of the page.
Information on the Dashboard page
The Dashboard page contains the following sections:
Sections on the Dashboard page
Section
Description
Active Alerts
Displays the five most critical alerts of any type in APS Console and
any APS devices that it manages. Use this information to determine
which alerts require immediate attention.
See “Viewing Active Alerts on the Dashboard” on page 297.
APS Traffic
Displays the following information about APS traffic:
• Total APS Traffic section — Displays a real-time aggregate of the traffic that is blocked and passed by all of the APS devices across the network over time. Use this information to gain visibility into the combined performance of the managed APS devices.
• ATLAS Threat Categories section — Displays the five threat categories that were responsible for blocking the most inbound traffic and outbound traffic across all the managed APS devices. Use this information to determine the amount of traffic that was blocked across all of the managed APS devices as a result of the ATLAS Intelligence Feed settings.
See “Viewing APS Traffic on the Dashboard” on the next page.
Viewing APS Traffic on the Dashboard
On the Dashboard page, the APS Traffic section displays information about the traffic for
all the managed APS devices.
If no APS devices are under APS Console management, then a “No Data” message
appears.
For general information about the Dashboard page, see “Viewing a Dashboard of Network Activity” on page 292.
Viewing the Dashboard page
To view the Dashboard page:
1. Select the Dashboard menu.
2. (Optional) On the Dashboard page, filter the information that appears on the page as
follows:
- To change the timeframe for which the data is displayed, click one of the time increments or click From, select a time range, and then click Update.
- To limit the display to specific APS devices, click the Showing All APSes link that appears to the right of the time selector. In the Select APS Devices window, select each APS whose traffic and threat categories you want to view, and then click Apply.
- To select the unit of measure for displaying traffic, click Bytes or Packets in the upper-right corner of the page.
Information in the Total APS Traffic section
This section displays a real-time aggregate of the traffic that is blocked and passed across
all of the managed APS devices over time.
Total APS Traffic details
Information
Description
Traffic graph
Displays a stacked graph that represents the total passed traffic
in green and the total blocked traffic in red.
Below the traffic graph, you can click (Passed) or (Blocked) to show and hide the different types of traffic. Your selections are retained until you navigate away from the Dashboard page.
APS devices reporting message
Displays the number of APS devices that are reporting traffic
compared to the total number of APS devices that are under
management. This information can indicate any
communication errors that might affect the data in the graph.
Information in the ATLAS Threat Categories section
This section shows how the ATLAS Intelligence Feed (AIF) helps APS to block threats
automatically. This section displays the five ATLAS threat categories that blocked the most
inbound traffic and outbound traffic on all of the managed APS devices. Use this information to examine the threats that are blocked from your network as a result of the ATLAS Intelligence Feed settings.
This section contains two graphs and their accompanying data tables: one for inbound traffic and one for outbound traffic.
ATLAS Threat Categories details
Information
Description
Inbound Blocked Threats graph
Represents the average rate of the inbound traffic that was
blocked for the top five threat categories.
You can hover your mouse pointer over a section of the graph
until a popup window appears. The popup window displays the
threat category name, amount of blocked traffic, and time that are
associated with the nearest data point on the graph. The pointer
on the popup window indicates the data point.
Outbound Blocked Threats graph
For outbound traffic, represents the number of source hosts that
were blocked per minute for the top five threat categories.
You can hover your mouse pointer over a section of the graph
until a popup window appears. The popup window displays the
threat category name, number of blocked hosts, and time that are
associated with the nearest data point on the graph. The pointer
on the popup window indicates the data point.
Key
Shows the color that represents the specific threat category in the
blocked threat graphs and allows you to filter the graph displays.
You can click a category’s key to hide or show that threat category
on the graphs, so that you can focus on the traffic for specific
categories.
Category
Displays the category’s name as a link that allows you to open the
Threat Category Details page for the category. See “Information
on the Threat Category Details page” on page 272.
(context menu)
Appears when you hover your mouse pointer over a threat category. Click the icon, and then select one of the following options:
• Blocked Hosts — Displays the Blocked Hosts Log page with the search criteria selected. You can start the search or specify additional search criteria. See “Viewing the Blocked Hosts Log” on page 262.
• (Learn more) — Displays a description of the threat category.
Bytes Blocked or Packets Blocked
(Inbound only) Shows the amount of inbound traffic that the threat category blocked. The traffic is displayed in bytes or packets, depending on the unit of measure that is selected for this page.
Source Hosts Blocked
(Outbound only) Shows the aggregate sum of the hosts that the
threat category blocked for each minute of the display timeframe.
For example, if the timeframe is 1 hour, then this column
represents the sum of the hosts that were blocked for each of the
last 60 minutes.
Explore ATLAS Threat Categories link
Displays the Explore ATLAS Threat Categories page, on which you
can view the threat categories that are blocking traffic on all of the
managed APS devices. See “Viewing the ATLAS Threat Categories
that Block Traffic” on page 269.
Viewing Active Alerts on the Dashboard
On the Dashboard page, the Active Alerts section displays the five most critical alerts in APS
Console and on any APS devices that it manages. This section can include all types of
alerts. Use the Active Alerts section to determine which alerts require immediate attention.
For general information about the Dashboard page, see “Viewing a Dashboard of Network Activity” on page 292.
For general information about alerts, see “About Alerts” on page 302.
Viewing the Dashboard page
The Dashboard page appears by default when you log in to APS Console.
To navigate to the Dashboard page from another page in the UI:
• Select the Dashboard menu.
Information in the Active Alerts section
The alerts are sorted by severity in descending order, and then by start time in ascending
order. This sorting results in a view of the most critical alerts that have been active for the
longest time.
Active Alerts details
Information
Description
Total, DDoS, System
Display the total number of active alerts and the number of DDoS
alerts and system alerts.
You can click a number to open the Alerts page. The Alerts page is
filtered according to the number that you click. For example, if you
click the number of DDoS alerts, the Alerts page displays all of the
active DDoS alerts.
Alert description
Displays a description of the alert and the hostname of the
appliance or other device that generated the alert.
You can click an alert to open a window that contains additional
information about that alert, including the appliance, severity, date,
duration, and category. The window can contain links to other
pages, where you can explore specific aspects of the alert. The type
of alert that you select determines the information and links that
appear. See “Links to additional alert information” on the next
page.
Date and time
Indicates when the alert started.
Severity indicator box
Indicates the severity of the alert as follows:
• Low (1-3)
• Medium (4-7)
• High (8-10)
You can hover your mouse pointer over the severity box to view
the numerical severity value.
See “About alert severity levels” on page 302.
View All Alerts link
Displays the Alerts page, where you can view all of the alerts that
were generated by APS Console and the managed APS devices.
See “Viewing a Summary of Alerts” on page 304.
Links to additional alert information
When you click an alert, the information window that appears may contain links to other
pages, where you can explore specific aspects of the alert. The type of alert that you select
determines the links that appear. You also can ignore alerts from the information window.
Note
Some of the links in the information window open APS. If your APS user account has the
same username as your APS Console user account, the APS opens without prompting
you to log in.
Links in the information window
Link | Type of alert | Description
Appliance | APS alerts | Opens the Summary page in the APS that generated the alert, where you can view information about the system condition or traffic that caused the alert. See “Viewing the Traffic Summary” in the APS User Guide.
Protection Group | APS alerts that are associated with a protection group | Opens the View Protection Group page in the APS that generated the alert, where you can view detailed information in real time about the protection group’s traffic. See “Viewing the Traffic Activity for a Protection Group” on page 194.
Ignore button | All alerts | Allows you to prevent a specific alert from appearing on the Dashboard page.
Removing alerts from the Dashboard page
As you review the alerts, you might decide that a certain alert is not critical and does not
need to appear on the Dashboard page. You can prevent a specific alert from appearing
on the Dashboard page by setting it to be ignored.
When you ignore an alert, it is removed from the Dashboard page, but it is not removed
from the system. The alert still appears on the Alerts page, where its status is marked as
Active (Ignored). The alert remains ignored until it expires. If the associated event recurs
after the initial alert expires, a new alert is created.
You can remove an alert from the Dashboard page in the following ways:
• On the Dashboard page:
a. In the Active Alerts section, click the alert.
b. In the information window, click Ignore.
• On the Alerts page (Explore > Alerts):
- To ignore a single alert, click (context menu) for the alert, and then select Ignore.
- To ignore multiple alerts, select the check boxes that correspond to the alerts that you want to ignore, and then click Ignore Alerts.
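The Active Alerts sort rule (severity descending, then start time ascending, five shown) and the ignore behaviour described above, as added example code that is not APS Console's own: the Alert record, hostnames and descriptions are constructed, and keeping ignored alerts in the Total/DDoS/System counts is an assumption.

```python
"""Dashboard Active Alerts ranking and ignore/expire behaviour, modelled on the
rules this guide states. Added illustration, not APS Console code: the Alert
record and the sample alerts are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Category -> type, from "About the alert categories".
CATEGORY_TYPES = {"DDoS": "Security", "Internal Resource": "System",
                  "Infrastructure": "System", "License": "System"}


@dataclass
class Alert:
    description: str
    appliance: str                # hostname of the device that generated it
    category: str
    severity: int                 # 1-10
    start: datetime
    expired_at: Optional[datetime] = None  # set when the triggering behaviour stops
    ignored: bool = False

    @property
    def active(self) -> bool:
        return self.expired_at is None

    @property
    def status(self) -> str:
        """Status column on the Alerts page."""
        if not self.active:
            return "Expired"
        return "Active (Ignored)" if self.ignored else "Active"


def severity_bucket(severity: int) -> str:
    """Low (1-3), Medium (4-7), High (8-10)."""
    if not 1 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    return "Low" if severity <= 3 else "Medium" if severity <= 7 else "High"


def dashboard_active_alerts(alerts: List[Alert], limit: int = 5) -> List[str]:
    """Active Alerts section: severity descending, then start time ascending,
    so the most critical alerts that have been active longest come first.
    Ignored alerts leave the Dashboard; expired alerts leave every view
    except the Alerts page."""
    shown = [a for a in alerts if a.active and not a.ignored]
    shown.sort(key=lambda a: (-a.severity, a.start))
    return [a.description for a in shown[:limit]]


def alert_counts(alerts: List[Alert]) -> Dict[str, int]:
    """Total, DDoS and System counters. An ignored alert is still active, so
    it stays in the counts (assumption; the guide does not say otherwise)."""
    active = [a for a in alerts if a.active]
    return {
        "Total": len(active),
        "DDoS": sum(1 for a in active if a.category == "DDoS"),
        "System": sum(1 for a in active if CATEGORY_TYPES[a.category] == "System"),
    }


def alerts_page(alerts: List[Alert]) -> List[tuple]:
    """Alerts page default order: start time descending; expired and ignored
    alerts stay listed, each with its Status column value."""
    return [(a.description, a.status)
            for a in sorted(alerts, key=lambda a: a.start, reverse=True)]


def ignore(alert: Alert) -> None:
    alert.ignored = True     # removed from the Dashboard, not from the system


def unignore(alert: Alert) -> None:
    alert.ignored = False    # may reappear if it is among the most critical


def sample_alerts() -> List[Alert]:
    """Constructed sample data; hostnames and descriptions are invented."""
    t0 = datetime(2019, 8, 19, 9, 0)

    def minute(n: int) -> datetime:
        return t0 + timedelta(minutes=n)
    return [
        Alert("Blocked traffic exceeds threshold", "aps-nyc-01", "DDoS", 9, minute(10)),
        Alert("Interface eth2 is down", "aps-nyc-02", "Internal Resource", 9, minute(0)),
        Alert("GRE tunnel is down", "aps-lon-01", "Infrastructure", 6, minute(5)),
        Alert("Disk space is low", "aps-nyc-01", "Internal Resource", 2, minute(1)),
        Alert("License expires in 14 days", "console-01", "License", 5, minute(2)),
        Alert("Remote backup failed", "console-01", "Infrastructure", 7, minute(3)),
        Alert("Botnet traffic exceeds threshold", "aps-nyc-02", "DDoS", 8, minute(4),
              expired_at=minute(20)),
    ]


if __name__ == "__main__":
    demo = sample_alerts()
    print("Dashboard:", dashboard_active_alerts(demo))
    ignore(demo[0])
    print("After ignore:", dashboard_active_alerts(demo), alert_counts(demo))
```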
Section 17: Monitoring Alerts
This section describes how to view all of the alerts in APS Console and any managed APS
devices to determine which alerts are the most critical.
In this section
This section contains the following topics:
About Alerts ... 302
Viewing a Summary of Alerts ... 304
Filtering the Alerts on the Alerts page ... 306
About Alerts
Alerts are indicators of certain system events and security events that occur in APS Console
or in managed APS devices. To organize and provide additional information about the
alerts, APS Console groups the alerts into categories. For example, you can filter the
display of the Alerts page by category, and the Dashboard page displays security alerts by
category.
About the alert categories
The alert categories are as follows:
Alert categories
Category and type
Example
DDoS (security)
The traffic on an APS device exceeds a configured threshold. You
can set thresholds for blocked traffic, botnet traffic, and total
traffic.
Internal Resource (system)
Issues with a resource that is internal to the device. For example: An interface is down, disk space is low, or a power supply fails.
Infrastructure (system)
Issues with a resource that is external to the device. For example: A GRE tunnel is down, Cloud Signaling fails, or a backup fails.
License (system)
The APS Console license is about to expire or the traffic on an
APS device exceeds a certain percentage of its licensed
throughput limit.
About alert severity levels
The severity of an alert determines the level of attention that it should receive. APS Console
uses the severity level to rank alerts. The severity level also determines which alerts appear
on the Dashboard page.
You can use the severity level to search for alerts and to filter the display on the Alerts page.
The alert severity levels are expressed as either numbers or icons. Typically, when the
icons are displayed, you can hover your mouse over an icon to view the numerical value.
Alert severity levels
Icon
Severity level
Description
Low (1-3)
Traffic is being monitored but does not yet require
investigation.
For example, a hardware device failure might mean that
a secondary power source is down, which does not
require immediate attention.
Medium (4-7)
The problem is not severe but warrants investigation.
High (8-10)
The situation requires immediate attention.
For example, if a physical interface is down, then traffic
is not being forwarded.
The default severity level for all types of alerts is predefined. You can change the default
severity level for system event alerts. See “Configuring System Alerts” on page 42.
Where you can view alerts
You can view alerts on the following pages in APS Console:
Where to view alerts
Location
Description
Dashboard page
Displays the five most critical alerts of any type. See “Viewing Active
Alerts on the Dashboard” on page 297.
Alerts page (Explore > Alerts)
Provides a single view of all the security alerts and system alerts
that are generated by APS Console and any APS devices that it
manages. See “Viewing a Summary of Alerts” on the next page.
About alert expiration
When an alert expires, it no longer appears in the UI, except for the Alerts page.
System alerts and APS alerts expire automatically when the behavior that triggered the
alert stops. For example, a device that was down is restarted, or the APS traffic drops
below a configured threshold.
About ignoring alerts
When you review the alerts in the system, you need to address the issues that the alerts
describe. For example, you might need to fix a hardware problem or adjust a configured
traffic threshold. Sometimes, you might decide that a certain alert is not critical and does
not need to appear on the Dashboard page.
You can prevent a specific alert from appearing on the Dashboard page by setting it to be
ignored. The options to ignore alerts appear on both the Dashboard page and the Alerts
page. Ignoring an alert does not delete it from the system. See “Removing alerts from the
Dashboard page” on page 299.
Viewing a Summary of Alerts
The Alerts page (Explore > Alerts) displays the alerts that are triggered by APS Console
and the APS devices that are under APS Console management. The list of alerts includes
system alerts and security alerts, and shows both active alerts and expired alerts. Use the
Alerts page to identify the most critical alerts.
The Alerts page includes active alerts and expired alerts. An alert continues to appear on
the Alerts page until you clear it or delete it. This page also serves as a starting point to
explore additional details about specific alerts on managed APS devices.
For general information about alerts, see “About Alerts” on page 302.
Viewing a summary of all alerts
To view a summary of alerts, navigate to the Alerts page in one of the following ways:
• From the menu — Click the Explore > Alerts link.
• From the Dashboard page — Click the View All Alerts link in the Active Alerts section.
If a protection group has any active alerts, you also can access the Alerts page from the Protection Group page and the View Protection Group page. See “Viewing the Status of Protection Groups” on page 225 and “Viewing the Traffic Activity for a Protection Group” on page 194.
For each alert, the Alerts page displays the following information. By default, the alerts are
sorted by start time in descending order (the most recent alerts first). You can sort by any
of the columns on the Alerts page.
Alert details
Information
Description
Selection check box
Allows you to select the alert to be ignored. See “Removing alerts from the Dashboard page” on page 299.
The check box does not appear for the alerts that cannot be ignored.
Severity
Indicates the severity of the alert as follows:
• Low (1-3)
• Medium (4-7)
• High (8-10)
To view the numerical severity value, hover your mouse pointer over the severity box.
See “About alert severity levels” on page 302.
Description
Displays information about the nature of the alert.
Category
Displays the threat category to which the alert belongs.
Appliance
Displays the hostname of the appliance that generated the alert.
Status
Indicates whether the alert is Active, Expired, or Active (Ignored).
A status of Active (Ignored) means that the alert has been ignored, or removed from the Dashboard page, but it has not expired. See “Removing alerts from the Dashboard page” on page 299.
Time
Indicates when the alert began and displays the alert’s duration.
(context menu)
Appears when you hover your mouse pointer over an active alert’s name. The options that appear on the context menu allow you to view additional information about the alert. The options that are available depend on the type of alert.
The context menu is available for certain types of active alerts only.
Filtering the alerts
You can filter the display of alerts on the Alerts page, to view a subset of the alerts. For
example, you can view all of the active security alerts that have a high severity level. The list
of alerts on the Alerts page changes as you select the filter criteria. See “Filtering the Alerts
on the Alerts page” on the next page.
Alerts associated with protection groups
If a protection group is deleted from an APS device, then any active alerts that are
associated with that protection group are expired. Those alerts continue to appear on the
Alerts page, but their context menus are disabled.
Note
APS alerts appear on the Alerts page even if the associated protection group is inactive.
About ignoring alerts
As you review the alerts, you might decide that a certain alert is not critical and does not
need to appear on the Dashboard page. You can prevent a specific alert from appearing
on the Dashboard page by setting it to be ignored.
Options to ignore alerts appear on the Dashboard page and the Alerts page. See
“Removing alerts from the Dashboard page” on page 299.
Filtering the Alerts on the Alerts page
You can filter the display of alerts on the Alerts page, to view a subset of the alerts. For
example, you can view all of the active security alerts that have a high severity level. The list
of alerts on the Alerts page changes as you select the filter criteria.
Note
To sort the alerts by a specific column, click the column’s heading.
Options on the Alerts context menu
The options on the context menu allow you to view additional information about the alert
and edit the alert’s configuration. To access the context menu, if available, hover your
mouse pointer over the name of an alert.
For certain types of active alerts, the context menu also provides links to other pages,
some of which may be on an APS. The type of alert that you select determines the options
that appear on the context menu.
Filtering alerts
To filter alerts:
• On the Alerts page, specify one or more criteria to filter the alerts display. See “Filter criteria for alerts” below.
Note
The Alerts page is already filtered when you access the page from the List Protection
Groups page or the View Protection Group page.
Filter criteria for alerts
You can filter the alerts on the Alerts page using the following criteria:
Filter criteria for alerts
Option
Description
Status buttons
Select All, Active, or Expired.
Type buttons
Select one of the following options:
• All
• Security — Alerts that provide information about advanced network threats. The security alerts also provide information about the availability threats that APS identified, blocked, and monitored. These alerts occur when the traffic that flows into APS exceeds a configured threshold.
• System — Alerts that provide information about the equipment that APS Console manages.
Start box, End box
Define the timeframe for which to display the alerts, based on when the alerts were active. In the calendar that appears, select the date and time or click Now to select the current date and time. Click Done to close the calendar window.
Severity buttons
Select any combination of the following options to display only the
alerts that have specific severity levels. For example, you can view
only the alerts with a high severity level or all of the alerts with a
medium severity level or high severity level.
• Low (1-3)
• Medium (4-7)
• High (8-10)
To view all of the alerts, select all of the severity level options, which is the default setting.
See “About alert severity levels” on page 302.
Filter box
Type all or part of a category name, appliance name,
protection group name, or a custom term by which to filter the
alerts list. As you type, the Filter box displays a list of the matching
categories, appliances, and protection groups. Your options are as
follows:
• Select a name in the list of Categories, Appliances, or Protection Groups to filter by that selection.
• Type a custom term, and then press ENTER. Use the custom term to filter by the alert descriptions, hostnames, categories, appliances, and protection groups that match the string.
You can select multiple categories, appliances, protection groups, and custom terms in any combination. See “How APS Console combines multiple filter criteria” below.
How APS Console combines multiple filter criteria
When you specify multiple items in the Filter box, APS Console combines the items as
follows:
• The same types of items (category, appliance, protection group, or custom term) are joined with ORs.
• The different types of items are joined with ANDs.
For example, if you enter category1, category2, appliance5, and appliance6, the system
filters the display as follows:
(category1 OR category2) AND (appliance5 OR appliance6)
Tip
You can use custom terms to filter different items with ORs. For example, to display the
alerts that belong to either category1 or appliance5, type each item as a separate custom
term.
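The Filter box combination rules above, together with the Status, Type, Severity and Start/End criteria from the table, as added example code that is not APS Console's own: the alert field names, the sample alerts and the exact-match rule for names picked from the Filter box list are assumptions.

```python
"""Alerts page filtering, modelled on the rules this guide describes: Status,
Type, Severity, Start/End and Filter box criteria, with same-kind Filter box
items ORed and different kinds ANDed. Added illustration, not APS Console code:
field names, sample alerts and the exact-match rule for list selections are
assumptions."""
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Alert = Dict[str, object]
FilterItem = Tuple[str, str]  # (kind, value); kind is "category", "appliance",
                              # "protection_group" or "custom"

# Fields a typed custom term is matched against. The appliance field holds the
# appliance hostname, so the guide's "hostnames" are covered by it.
CUSTOM_TERM_FIELDS = ("description", "category", "appliance", "protection_group")

# Severity buttons -> numeric ranges from "About alert severity levels".
SEVERITY_RANGES = {"Low": range(1, 4), "Medium": range(4, 8), "High": range(8, 11)}


def severity_bucket(severity: int) -> str:
    for name, rng in SEVERITY_RANGES.items():
        if severity in rng:
            return name
    raise ValueError(f"severity out of range: {severity}")


def item_matches(alert: Alert, kind: str, value: str) -> bool:
    """One Filter box item against one alert."""
    if kind == "custom":
        # A custom term is a case-insensitive substring match on each field.
        needle = value.lower()
        return any(needle in str(alert.get(f, "")).lower() for f in CUSTOM_TERM_FIELDS)
    # A name picked from the Categories/Appliances/Protection Groups list is
    # treated as an exact match on that field (assumption).
    return alert.get(kind) == value


def filter_box_matches(alert: Alert, items: Iterable[FilterItem]) -> bool:
    """Same kinds are joined with OR, different kinds with AND, e.g.
    (category1 OR category2) AND (appliance5 OR appliance6). Custom terms are
    one kind, so several of them OR across fields, as the guide's Tip says."""
    by_kind: Dict[str, List[str]] = {}
    for kind, value in items:
        by_kind.setdefault(kind, []).append(value)
    return all(any(item_matches(alert, kind, v) for v in values)
               for kind, values in by_kind.items())


def active_in_window(alert: Alert, start: Optional[str], end: Optional[str]) -> bool:
    """Start/End boxes: keep alerts that were active at some point in the window.
    Timestamps are ISO 8601 UTC strings, which order correctly as text."""
    began, ended = alert["start"], alert.get("end")  # end None = still active
    if end is not None and began > end:
        return False
    if start is not None and ended is not None and ended < start:
        return False
    return True


def filter_alerts(alerts: Sequence[Alert], status: str = "All", alert_type: str = "All",
                  severities: Sequence[str] = ("Low", "Medium", "High"),
                  items: Sequence[FilterItem] = (), start: Optional[str] = None,
                  end: Optional[str] = None) -> List[Alert]:
    """Apply every selected criterion; an alert must pass all of them."""
    kept = []
    for a in alerts:
        # Status "Active" also covers Active (Ignored), which has not expired.
        if status != "All" and not str(a["status"]).startswith(status):
            continue
        if alert_type != "All" and a["type"] != alert_type:
            continue
        if severity_bucket(a["severity"]) not in severities:
            continue
        if not active_in_window(a, start, end) or not filter_box_matches(a, items):
            continue
        kept.append(a)
    return kept


def descriptions(alerts: Iterable[Alert]) -> List[str]:
    return sorted(str(a["description"]) for a in alerts)


def sample_alerts() -> List[Alert]:
    """Constructed sample rows; hostnames and protection group names are invented."""
    def row(desc, cat, typ, appl, pg, sev, status, start, end=None):
        return {"description": desc, "category": cat, "type": typ, "appliance": appl,
                "protection_group": pg, "severity": sev, "status": status,
                "start": start, "end": end}
    return [
        row("Blocked traffic exceeds threshold", "DDoS", "Security", "aps-nyc-01",
            "web-servers", 9, "Active", "2019-08-19T09:10Z"),
        row("Interface eth2 is down", "Internal Resource", "System", "aps-nyc-01",
            "", 8, "Active", "2019-08-19T09:05Z"),
        row("GRE tunnel is down", "Infrastructure", "System", "aps-lon-02",
            "", 6, "Active", "2019-08-19T09:20Z"),
        row("Botnet traffic exceeds threshold", "DDoS", "Security", "aps-lon-02",
            "dns-servers", 5, "Expired", "2019-08-19T08:00Z", "2019-08-19T08:30Z"),
        row("License expires in 14 days", "License", "System", "console-01",
            "", 4, "Active", "2019-08-19T08:50Z"),
        row("Total traffic exceeds threshold", "DDoS", "Security", "aps-nyc-01",
            "dns-servers", 3, "Active (Ignored)", "2019-08-19T09:15Z"),
    ]
```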
• To ignore all of the active alerts on the current page, select the check box in the table heading row, and then click Ignore Alerts.
You also can ignore alerts from the Dashboard page. See “Viewing Active Alerts on the
Dashboard” on page 297.
If necessary, you can unignore an ignored alert, which allows it to reappear on the
Dashboard page if it is among the most critical alerts.
To unignore an alert:
1. On the Alerts page, click (context menu) for the alert.
2. Select Unignore.
Section 18: Monitoring the Status of the Network and Devices
The Summary page provides an overview of the current state of your APS Console
deployment, including the historical traffic across your configured devices.
User access
System analysts and system users can search and view the summary information, but they
cannot access all the pages that are described in this section. Only administrators can
access all the pages and perform all the tasks that are available from the Summary page.
In this section
This section contains the following topics:
Viewing a Summary of System Activity ... 310
Viewing System Information on the Summary Page ... 311
Viewing Audit Trail Information on the Summary Page ... 313
Viewing a Summary of System Activity
The Summary page provides a snapshot of your system and includes links to additional
information. The system displays important status messages at the top of the page to alert
you to any problems that require immediate attention.
For more details, see “Viewing System Information on the Summary Page” on the facing
page.
Viewing the Summary page
To access the Summary page, select Summary from the menu.
Sections on the Summary page
The Summary page shows different aspects of the system status in the following sections:
Sections on the Summary page
Section
Description
System response area
This section is located directly below the menu bar. It displays any
critical messages.
System Status
Displays the statistics for your APS Console. This section also lists
the total number of devices that are under APS Console
management.
System Information
Displays detailed information about your APS Console and the
devices that are under APS Console management.
Audit Trail
Displays the most recent Audit Trail entries. See “Viewing Audit
Trail Information on the Summary Page” on page 313.
Auto-refresh option on the Summary page
The data that appears on the Summary page refreshes automatically every 120 seconds.
To stop the automatic refresh of the page (for example, to preserve interesting data):
• Click (Auto-Refresh) on the Arbor Smart Bar.
If you hover your mouse over the icon, it displays a message that indicates whether clicking the icon will turn on or turn off the auto-refresh option.
Viewing System Information on the Summary Page
On the Summary page, the System Information section displays detailed information
about APS Console and the devices that it manages. Use the information in this section to
determine how the device is performing.
If a device experiences connectivity problems, then APS Console displays that device’s
status at the top of the Summary page to alert you immediately.
For general information about the Summary page, see “Viewing a Summary of System
Activity” on the previous page.
Viewing the Summary page
To access the Summary page, select Summary from the menu.
Information in the System Status section
This section displays the following status information about APS Console:
Information in the System Status section
Information
Description
Last AIF Update Check
Indicates the last time that APS Console polled the AIF server for new information. You can update the AIF interval time and poll the server on the Configure AIF Settings page.
If you do not enable automatic AIF updates, this area displays Autoupdate Disabled instead of Last AIF Update Check.
See “Configuring the ATLAS Intelligence Feed” on page 60.
Last Backup
Indicates the time at which the system backed up APS Console
data. The APS Console data is backed up automatically every 24
hours. You can download a copy of the last backup file or upload
an older saved version.
For a description and instructions, see “Configuring Remote
Backup Settings” on page 44.
Total Devices
Displays the number of APS devices and AED devices under APS
Console management.
Information in the System Information section
This section displays the following information for each device:
Severity: The relative severity of the alerts that are on the device. See “About alert severity levels” on page 302.
Device Type: Indicates whether the device is an APS Console, an APS, or an AED.
Hostname: Displays the user-assigned hostname for the device.
Serial Number: Displays the serial number for the device.
Uptime: Displays the time that has elapsed since the device was last restarted, in days, hours, and minutes. If the device is down, “Offline” appears in this column. If the device remains down, then you can delete it. See “Deleting Offline Devices” on page 89.
Last Seen: Indicates the last time that the device reported to APS Console.
Status: Describes the overall status of a device. The status can be one of the following messages:
• High memory usage: <usage percentage>
• High disk usage: <amount of MB remaining>
• Communication error, last heartbeat received: <time last received>
• Synchronize times: skew is <amount of time>
• Device is down: last seen <time last seen>
• Multiple Problems: <the list of problems>
• Good
• RAID error: <error message>
• Preparing configuration
• Initial synchronization
• Out of sync
• Unsupported device version. The configurations cannot be synchronized.
Version: Displays the current software version that the appliance is running.
Viewing Audit Trail Information on the Summary Page
On the Summary page, the Audit Trail section displays the 10 most recent Audit Trail
entries. The Audit Trail section contains the same columns as the table on the Audit Trail
page (Administration > Audit Trail).
For more information about the Audit Trail, see “Information in the audit trail” on page 319 and “Including Change Messages in the Audit Trail” on page 318.
For general information about the Summary page, see “Viewing a Summary of System Activity” on page 310.
Viewing a complete Audit Trail entry
To view a detailed audit trail entry, including the long description, in the Audit Trail Entry
Viewer:
1. Select the Summary menu.
2. On the Summary page, in the Audit Trail section, click a More link that appears in the
Description column.
3. When you finish viewing the audit trail information, click Done.
Viewing all Audit Trail entries
To view all Audit Trail entries on the Audit Trail page:
• On the Summary page, in the lower right corner of the Audit Trail section, click the View Full Audit Trail link.
Section 19: Monitoring System Changes in the Audit Trail
This section describes how to use the audit trail, which records all of the changes that are
made in APS Console.
User access
Users at all authorization levels can include change messages in the audit trail. Only
administrators can view the audit trail and configure the audit trail settings.
In this section
This section contains the following topics:
• About the Audit Trail (page 316)
• Including Change Messages in the Audit Trail (page 318)
• Viewing the Audit Trail Log (page 319)
About the Audit Trail
The audit trail records all of the changes that are made in APS Console, which allows you
to view and track the changes. You can view the audit trail entries on the Audit Trail page.
See “Viewing the Audit Trail Log” on page 319.
On the Audit Trail page, you can specify a default change message and configure the kinds
of changes that trigger the appearance of the Audit Trail window. See “Configuring the
Audit Trail Settings” on page 41.
About the Audit Trail window
By default, when a user makes a change in the APS Console UI, the Audit Trail window
appears and prompts the user to describe the change. See “Including Change Messages in the Audit Trail” on page 318.
If you disable the Audit Trail window for certain changes, the window does not appear
when users make those types of changes. APS Console logs the changes, but does not
include any messages.
When APS Console adds audit trail entries
APS Console adds audit trail entries in the following situations:
• System changes occur, such as an ATLAS update.
• Users make changes in the APS Console UI.
• Users export data from the system by sending email, creating PDF files, or exporting CSV files.
• Users enter commands in the command line interface (CLI).
How CLI commands are logged in the audit trail
APS Console transfers entries from the command log to the audit trail at one-minute intervals. The command information that is included in the audit trail depends on the type of CLI command, as follows:
All commands: The following information is included in the audit trail for all types of CLI commands:
• the time and date on which the change occurred
• the user who entered the command
• the component that was changed
• the command that was typed
Commands that include a password or secret: The sensitive data is replaced with “*****”.
Commands that include abbreviations: The absolute path is included and any abbreviations are expanded to full words. For example, the command / serv aps-console inter is logged as / services aps-console interface.
Command help: These commands are not included in the audit trail.
Directory help: These commands are included in the audit trail.
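The two normalization rules above (abbreviation expansion to the absolute path, and redaction of secrets) as an added example that is not Arbor code; the command tree, the secret keywords, and the assumption that the sensitive value is the word after the keyword are all illustrative.

```python
"""Normalize a CLI command the way the audit trail records it.

Added example, not Arbor code. It expands abbreviated command words to the
full words of a hypothetical command tree, keeps the absolute "/" path, and
replaces the value that follows a password or secret keyword with "*****".
The command tree and the secret keywords are assumptions for illustration.
"""
from datetime import datetime, timezone

# Hypothetical command tree: each key is a full command word and each value
# the words that may follow it. An empty dict marks the end of the command
# path; anything typed after that point is an argument.
COMMAND_TREE = {
    "services": {
        "aps-console": {"interface": {}, "backup": {"password": {}}},
    },
    "system": {"password": {}},
}

# Assumed keywords whose following argument is sensitive.
SECRET_KEYWORDS = ("password", "secret")
REDACTED = "*****"


def expand_command(typed, tree=COMMAND_TREE):
    """Return the command with every unique abbreviation expanded.

    '/ serv aps-console inter' -> '/ services aps-console interface'
    Raises ValueError when an abbreviation matches more than one word, so
    that a misleading entry is never written to the trail.
    """
    words = typed.split()
    if words and words[0] == "/":          # absolute path marker used on the page
        words = words[1:]
    node, out = tree, ["/"]
    for word in words:
        if not node:                       # past the command path: arguments as typed
            out.append(word)
            continue
        if word in node:                   # exact word: no ambiguity possible
            matches = [word]
        else:
            matches = [name for name in node if name.startswith(word)]
        if len(matches) > 1:
            raise ValueError(f"ambiguous abbreviation {word!r}: {sorted(matches)}")
        if matches:
            out.append(matches[0])
            node = node[matches[0]]
        else:                              # not a command word, so an argument
            out.append(word)
            node = {}
    return " ".join(out)


def redact_secrets(words):
    """Replace the token that follows a password/secret keyword with *****."""
    out, hide_next = [], False
    for word in words:
        if hide_next:
            out.append(REDACTED)
            hide_next = False
        else:
            out.append(word)
            hide_next = word.lower() in SECRET_KEYWORDS
    return out


def audit_entry(user, component, typed, when=None):
    """Build the audit trail fields the page lists for every CLI command."""
    expanded = expand_command(typed)
    return {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "component": component,
        "command": " ".join(redact_secrets(expanded.split())),
    }
```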
About exporting the audit trail
You can export the audit trail in the following ways:
• As a comma-separated values (CSV) file. See “Exporting the audit trail as a CSV file” on page 320.
• To a syslog destination that you configure in the CLI. See “Configuring the Syslog Destination for the Audit Trail” in the APS Console Advanced Configuration Guide.
Including Change Messages in the Audit Trail
When you make a change in the APS Console UI, the system records the change in the
audit trail.
By default, when you make a change, the Audit Trail window appears and prompts you to
enter a change message. The best practice is to add a message that provides some insight
into what you did and why you made the change. However, you also have the following
options:
• Do not enter a change message.
• Enter a default message for all of the future changes that you make.
• Disable the Audit Trail window for all of the future changes of that type that you make.
Settings on the Audit Trail page determine the default change message (if any) and the
kinds of changes that trigger the appearance of the Audit Trail window. See “Configuring
the Audit Trail Settings” on page 41.
Administrators can view the audit trail log in the Audit Trail page (Administration >
Audit Trail). See “Viewing the Audit Trail Log” on the facing page.
For general information about the audit trail, see “About the Audit Trail” on page 316.
Entering a change message in the Audit Trail window
To enter a change message in the Audit Trail window:
1. In the Audit Trail window, type a description of the change in the change message
box.
You can enter a maximum of 1024 characters.
2. (Optional) Select Set as my default audit trail message to use this change
message for all of the future changes that you make.
3. (Optional) Select Do not show this dialog again... to disable the Audit Trail window
for all of the future changes of this type that you make.
APS Console logs the changes even if the Audit Trail window is disabled.
4. Click Save.
Viewing the Audit Trail Log
The audit trail records all of the changes that are made in APS Console, which allows you
to view and track the changes. See “About the Audit Trail” on page 316.
For information about recording changes to APS Console, see “Including Change Messages in the Audit Trail” on the previous page.
For information about editing the default settings for audit trail changes, see “Configuring
the Audit Trail Settings” on page 41.
Viewing the audit trail
To view the audit trail:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, select the Audit Trail Log tab.
3. (Optional) To find specific entries, use the Search All Audit Trail Entries box.
4. (Optional) To view additional information about an entry, click the More link to the
right of the entry’s description.
Information in the audit trail
The Audit Trail page displays the following information for each entry:
Audit trail details
Time: Displays the time and date on which the change occurred.
User: Displays the user who made the change, or “system” if it is a system-generated change.
Appliance: Displays the APS Console name.
Action: Indicates the type of change, such as Add, Edit, Delete, Update, and so on.
Component: Indicates the type of object that was changed.
Name: Displays the name of the changed object, if it has one.
Message: Displays the text from the change message that a user typed, or a system message for system-generated entries.
Description: Describes the change.
More link: Allows you to view additional information about an entry by opening the Audit Trail Entry Viewer window.
Note
You also can view the entries in the audit trail on the Summary page. See “Viewing Audit Trail Information on the Summary Page” on page 313.
Exporting the audit trail as a CSV file
You can save a copy of the audit trail by exporting it to a comma-separated values (CSV)
file.
To export the audit trail as a CSV file:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, display the entries that you want to export, as described in
“Viewing the audit trail” on the previous page.
3. Select one of the following options:
   • Export: Exports only the entries that appear on the current page. If you use a search to filter the audit trail list, the exported file contains the search results only.
   • Export All: Exports all of the audit trail entries.
4. Open or save the file according to your browser options.
Part V: APS Console Maintenance and Management
Section 20: Managing APS Console Files
This section describes how to use the Manage Files page (Administration > Files) to
manage the files that are on APS Console. You can also manage files that are on the APS
devices that APS Console manages.
User access
Only administrators can perform the tasks that are described in this section. System users
cannot view the Files page.
In this section
This section contains the following topics:
• About the Files Page (page 324)
• Managing the Files on APS Console and Managed APS Devices (page 326)
• Managing Diagnostics Packages (page 328)
About the Files Page
The Manage Files page (Administration > Files) is the central location from which you
can manage the files that are on APS Console. You also can use this page to manage the
files on the APS devices that APS Console manages.
The Files page is divided into sections that allow you to perform the following file management tasks:
• Upload, download, and delete the files on APS Console and managed APS devices.
• View the amount of free space on the selected device.
See “Managing the Files on APS Console and Managed APS Devices” on page 326.
About the Files section
The Files section of the Manage Files page contains the following information:
• A Show files on list, from which you can select the device whose files you want to view.
• A disk space pie chart that displays the amount of used disk space and free disk space on the selected device.
• A table that includes detailed information about the files on the selected device.
The table displays the following information for each file that is on the selected device:
File listing details
Name: The name of the file.
Size: The size of the file.
Date: The time and date when the file was uploaded.
Type: The type of file. A file can be one of the following types:
• Text file
• Directory
• Gzip compressed
• Signed package
• SSH host keys
• Unknown
Status: Indicates whether the file has been installed on the selected device. This status applies to installation packages only.
Selection check box: Allows you to select the file for deletion.
About the Diagnostics Packages section
Diagnostics packages are helpful if you need the Arbor Technical Assistance Center (ATAC)
to troubleshoot APS Console system problems. For information about creating the
diagnostics packages, see “Managing Diagnostics Packages” on page 328.
The table in the Diagnostics Packages section contains the following information for each
package:
Diagnostics package details
Name: The name of the diagnostics package. You can download the package by clicking the name link.
Size: The size of the diagnostics package.
Date: The time and date on which a diagnostics package was created.
Email button: Allows you to email the diagnostics package.
Create Diagnostics Package button: Allows you to create a new diagnostics package.
About the SSL Certificate section
You can upload a custom SSL certificate to authenticate users in the APS Console UI. See
“Using a Custom SSL Certificate for User Authentication” on page 47.
About the Logo section
You can upload a custom logo to replace the default APS Console logo. See “Adding a
Custom Logo to the UI” on page 49.
About the System Files section
The System Files section allows you to download the MIB files from APS Console. The MIB
files can help you decode the SNMP traps that APS Console sends for notifications. The
MIB files can also help you understand the OIDs (object identifiers) that can be queried on
APS Console.
See “About SNMP Polling” on page 34.
For information about downloading the files, see “Managing the Files on APS Console and
Managed APS Devices” on the next page.
Managing the Files on APS Console and Managed APS Devices
You can use the Manage Files page (Administration > Files) to manage the various files
that are on APS Console and managed APS devices.
When you manage files on the Manage Files page, the changes apply only to the device
that is selected in the Show files on list.
Viewing the files on a managed APS
By default, the Manage Files page lists the files that are on APS Console. You also can view
the files that are on APS devices that APS Console manages.
To view the files on a managed APS:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the device whose files you
want to view.
Uploading files to APS Console
To upload a file to APS Console using SCP or HTTP:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the APS Console.
3. Click Upload.
4. In the Upload File window, click Browse to locate the file.
5. In the File Upload window, select the file, and then click Open.
6. In the Upload File window, click Upload.
7. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Deleting files from a managed APS
Caution
You cannot undo the deletion of files.
To delete a file from a managed APS:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the APS on which you want
to delete a file.
3. In the list of files, complete one of the following tasks:
   • Select the check box for each file that you want to delete.
   • Select the Select All check box to delete all of the files.
4. Click Delete.
5. In the confirmation message that appears, click OK.
6. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
Downloading files from APS Console
You can download diagnostics packages and MIB files from the Manage Files page on APS
Console.
To download a file from APS Console:
1. Select Administration > Files.
2. On the Manage Files page, in the Show files on list, select the APS Console.
3. Select the file to download in any of the following ways:
   • In the System Files section, click the APS Console MIB link or the SMI MIB link.
   • In the Diagnostics Packages section, click the file name link.
4. Save the file according to your browser options.
Managing Diagnostics Packages
A diagnostics package contains debugging information for APS Console. The diagnostics
package helps the Arbor Technical Assistance Center (ATAC) to diagnose and correct any
potential issues that are related to your system.
You can create new diagnostics packages and download, email, and delete the packages.
Viewing diagnostics packages
The Files page displays the existing diagnostics packages and their creation dates, file
names, and file sizes.
For general information about the Files page, see “About the Files Page” on page 324 .
Creating a diagnostics package
To create a diagnostics package:
1. Select Administration > Files.
2. In the Diagnostics Packages section, click Create Diagnostics Package.
3. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
The package creation might take several minutes. A message at the top of the page
indicates that the package creation is in progress.
Tip
If the diagnostics package does not appear within a few minutes, click the Refresh This Page icon on the Arbor Smart Bar.
Emailing a diagnostics package to the Arbor Technical Assistance Center
To email a diagnostics package to the Arbor Technical Assistance Center (ATAC):
1. Select Administration > Files.
2. In the Diagnostics Packages section, to the right of the package that you want to send,
click Email.
3. In the Email Diagnostics window, type the following information:
   From box: Type your email address.
   Subject box: Type a subject for the email message.
   Message box: Type a message that explains how you want Arbor to process the diagnostics package.
4. Click Email.
Downloading a diagnostics package
If you cannot email from APS Console, you can download the diagnostics package. See
“Downloading files from APS Console” on the previous page.
Section 21: Backing Up APS Console
This section describes how to back up APS Console data.
User access
Users at all authorization levels can view the backup configurations. Only administrators
can perform the backup tasks that are described in this section.
In this section
This section contains the following topics:
• About APS Console Backups (page 330)
• Running a Local Backup Manually (page 332)
About APS Console Backups
APS Console supports remote backups and local backups. Both remote backups and local
backups copy the same APS Console configuration settings and data.
About remote backups
For remote backups, you configure a recurring backup schedule.
Typical use: To recover data after a hardware failure or other outage.
How they are created: APS Console runs remote backups automatically, based on a user-defined schedule. You also can run a remote backup manually at any time. See “Configuring Remote Backup Settings” on page 44.
Where they are stored: On a remote backup server.
How many are stored: 1
About local backups
Local backups run automatically every night at midnight, and you can also run them manually.
Typical use: To restore a known configuration state. For example, you might want to restore APS Console to a known configuration state after you perform benchmark tests or try new configurations.
How they are created: APS Console runs local backups automatically, every night at midnight. You also can run a local backup manually at any time. See “Running a Local Backup Manually” on page 332.
Where they are stored: On APS Console.
How many are stored: 5
About backing up and restoring in a central management environment
APS Console synchronizes configuration data with the APS devices that it manages by
copying the data that is specific to a managed APS to that APS. When you back up and
restore APS Console and APS, you must follow certain guidelines to maintain the data
synchronization. See “How Restoring Backups Affects the APS Console - APS
Synchronization” on page 82.
About restoring backup data
To restore APS Console from a backup, you must use the command line interface (CLI).
See “Restoring APS Console from a Backup” in the APS Console Advanced Configuration Guide.
Running a Local Backup Manually
APS Console generates a local backup automatically every night at midnight. The Backup
Settings page also allows you to run local backups manually.
You might back up APS Console locally in the following situations:
• To save the initial system configuration after you finish configuring settings.
• To save a known configuration state before you perform benchmark tests or try new configurations. When you finish your tests, use the backup to restore APS Console to the last known configuration.
• To save any configuration changes immediately instead of waiting for the next scheduled backup.
For general information about backups, see “About APS Console Backups” on page 330.
For information on configuring remote backups, see “Configuring Remote Backup Settings” on page 44.
Running a local backup manually
To run a local backup manually:
1. Select Administration > Backup.
2. On the Backup Settings page, in the Local Backups of APS Console Configuration and
Data section, click Run Backup Now.
About the Backups list
A list of the last five local backups appears in the Local Backups of APS Console
Configuration and Data section on the Backup Settings page. The list includes the
following information for each backup:
Backup details
Date: The date and time on which the backup was created.
Age: The length of time since the backup was run.
Size: The size of the backup file.
Username: Displays APS Console for an automatic backup. For a manual backup, this column displays the user name of the person who requested the backup.
Download: Downloads the backup file to a user-specified location. See “Downloading a local backup file” on the facing page.
Downloading a local backup file
You can download a local backup file at any time.
To download a local backup file:
1. Select Administration > Backup.
2. On the Backup Settings page, in the Local Backups of APS Console Configuration and
Data section, click the Download button for the file to download.
3. Save the file according to your browser options.
Appendixes
Appendix A: Notification Formats
This section provides examples of the notifications that APS Console sends to the
configured destinations when it detects system alerts.
In this section
This section contains the following topics:
• Email Notification Examples (page 338)
• Syslog Notification Examples (page 339)
Email Notification Examples
The following examples show the different types of email notifications that APS Console
sends when it detects system alerts.
APS down alert
The following example shows an APS down alert:
APS Down: system.arbor.net
Type: APS Down
URL: https://aps.example.com/summary/
APS: system.APS Console.net
Last seen: 20:07 09/03/16
APS up alert
The following example shows an APS up alert:
APS Up: system.arbor.net
Type: APS Up
URL: https://aps.example.com/summary/
APS: system.APS Console.net
Down since: 20:02 09/03/16
Downtime: 0h05m
Infrastructure alert
The following example shows an infrastructure alert:
Infrastructure: Your cert will expire in 1 day
Type: Infrastructure
URL: https://aps.example.com/summary/
Message: Your cert will expire in 1 day
Syslog Notification Examples
The following examples show the different types of syslog notifications that APS Console
sends when it detects system alerts.
APS down alert
The following example shows an APS down alert:
APS Down: system.arbor.net,URL: https://aps.example.com/summary/,Last seen: 20:23 09/03/16
APS up alert
The following example shows an APS up alert:
APS Up: system.arbor.net,URL: https://aps.example.com/summary/,Last seen: 20:18 09/03/16,Downtime: 0h05m
Infrastructure alert
The following example shows an infrastructure alert:
Infrastructure: Your cert will expire in 1 day,URL: https://aps.example.com/summary/
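A parser for the syslog notification lines shown above, as an added example that is not part of the original guide: it splits a line at the ",Key: " boundaries the examples use, converts the Downtime value to minutes, and replays a sequence of notifications to list the devices that are still down. The field-boundary rule, the downtime format, and the sample lines are assumptions based on the examples.

```python
"""Parse APS Console syslog notification lines into structured events.

Added example, not Arbor code. The line format is taken from the examples
in this appendix; the sample lines below are constructed, not captured.
"""
import re

# A new field starts at a comma followed by a capitalised key and ": ", so a
# comma inside a value (for example in a message) does not split the field.
FIELD_BOUNDARY = re.compile(r",(?=[A-Z][A-Za-z ]*: )")
DOWNTIME = re.compile(r"^(\d+)h(\d+)m$")


def parse_notification(line):
    """Return {'type': ..., 'subject': ..., <Key>: <value>, ...} for one line.

    The first field names the alert type (APS Down, APS Up, Infrastructure)
    and its value is the subject: the APS hostname or the message text.
    """
    fields = FIELD_BOUNDARY.split(line.strip())
    alert_type, _, subject = fields[0].partition(": ")
    event = {"type": alert_type, "subject": subject}
    for field in fields[1:]:
        key, _, value = field.partition(": ")
        event[key] = value
    return event


def downtime_minutes(text):
    """'0h05m' -> 5; raises ValueError for any other shape."""
    match = DOWNTIME.match(text)
    if not match:
        raise ValueError(f"unexpected downtime format: {text!r}")
    return int(match.group(1)) * 60 + int(match.group(2))


def devices_still_down(lines):
    """Replay notifications in order; return the APS hostnames with a Down
    alert that has not been followed by an Up alert."""
    down = set()
    for line in lines:
        event = parse_notification(line)
        if event["type"] == "APS Down":
            down.add(event["subject"])
        elif event["type"] == "APS Up":
            down.discard(event["subject"])
    return down


# Constructed sample lines in the format of this appendix.
SAMPLE_LINES = [
    "APS Down: system.arbor.net,URL: https://aps.example.com/summary/,Last seen: 20:23 09/03/16",
    "APS Down: aps2.example.net,URL: https://aps.example.com/summary/,Last seen: 20:24 09/03/16",
    "APS Up: system.arbor.net,URL: https://aps.example.com/summary/,Last seen: 20:18 09/03/16,Downtime: 0h05m",
    "Infrastructure: Your cert will expire in 1 day,URL: https://aps.example.com/summary/",
]
```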
Appendix B: Using FCAP Expressions
This section describes the FCAP (Flow Capture) fingerprint expression language that you
can use to match layer 3 traffic information. This expression language is an extended
version of the standard fingerprint expression language that is used by programs such as
tcpdump.
In this section
This section contains the following topics:
• Available FCAP Expressions (page 342)
• FCAP Expression Reference (page 344)
• Logical Operators for Compound FCAP Expressions (page 349)
• FCAP Expressions that Indicate Direction (page 350)
• Examples of FCAP Expressions (page 351)
Available FCAP Expressions
This topic discusses the basic FCAP expressions that APS supports, as well as the syntax conventions that the documentation uses for these expressions.
Conventions for commands and expressions
The following table shows the syntax of commands and expressions. Do not type the
brackets, braces, or vertical bar in commands or expressions.
Conventions for commands and expressions
Monospaced bold: Information that you must type exactly as shown.
Monospaced italics: A variable for which you must supply a value.
{ } (braces): A set of choices for options or variables, one of which is required. For example: {option1 | option2}.
[ ] (square brackets): A set of choices for options or variables, any of which is optional. For example: [variable1 | variable2].
| (vertical bar): Separates the mutually exclusive options or variables.
Basic FCAP expressions
These expressions are case insensitive. For example, both src and SRC are valid.
Available FCAP expressions
• [src | dst] [net | host] addr: “Matching networks and hosts” on page 344
• [protocol | proto] protocol-name, or {protocol | proto} number: “Matching protocols” on page 345
• {tflags | tcpflags} flags/flag-mask: “Matching TCP flags” on page 345
• [src | dst] port {port-name | number} [ .. {port-name | number} ]: “Matching ports” on page 346
• bytes number [ .. number]: “Matching IP length” on page 346
• icmptype {icmptype | number}, or icmpcode code: “Matching ICMP messages” on page 347
• tos number: “Matching the Type of Service” on page 348. Note: This expression is for IPv4 traffic only.
• ttl number: “Matching the Time to Live” on page 348. Note: This expression is for IPv4 traffic only.
• frag: “Matching fragments” on page 348. Note: This expression is for IPv4 traffic only.
FCAP Expression Reference
This topic describes how to use the FCAP expressions. For additional information, see the
following topics.
• basic expressions: See “Basic FCAP expressions” on page 342.
• the operators AND, OR, NOT, and (): See “Logical Operators for Compound FCAP Expressions” on page 349.
• expressions that indicate direction: See “FCAP Expressions that Indicate Direction” on page 350.
• examples: See “Examples of FCAP Expressions” on page 351.
Note
Unless otherwise noted, FCAP expressions are supported for IPv4 traffic and IPv6 traffic.
Comments in FCAP expressions
To add a comment to an FCAP expression, type the number sign (#) at the beginning of
the line of text.
Any line that begins with # is considered a comment and is not evaluated as part of the
FCAP expression.
Numbers in FCAP expressions
In expressions that contain a number, you can type the number in decimal notation or
hexadecimal notation. For example, the following expressions are equivalent:
tos 255
tos 0XFF
Action expressions that drop or pass traffic
Use the FCAP action expressions to either drop traffic or pass traffic without further
inspection. To specify which action to perform, precede the FCAP expressions with one of
the following expressions:
pass
drop
The action expression is optional. If you do not specify one, APS uses a drop action.
Matching networks and hosts
Use the following expression to match a network or a host:
[src | dst] [net | host] addr
To match a network or host, specify its IP address. You can use CIDR notation
(IP/number) to specify a network. For example:
net 192.0.2.0/24
host 192.0.2.1
If you specify an address without a netmask or without the expression net or host, the
address is assumed to be a host.
If you do not specify a direction, then both the source and the destination are evaluated.
See “FCAP Expressions that Indicate Direction” on page 350.
Additional examples of expressions for matching hosts or networks
Item to match: any source or destination that is part of the network 198.51.100.0/24
Expression: either of the following expressions:
  net 198.51.100.0/24
  src net 198.51.100.0/24 or dst net 198.51.100.0/24
Item to match: any source that is part of the network 198.51.100.0/24
Expression: src net 198.51.100.0/24
Item to match: any source that is part of the network 192.0.2.0/24 or any destination that is part of the network 203.113.0/24
Expression: src net 192.0.2.0/24 or dst net 203.113.0/24
Matching protocols
Use the following expressions to match a protocol:
[protocol | proto] protocol-name
{protocol | proto} number
To match a protocol, specify its name or number. If you specify the protocol by name, you
can omit the expression protocol. For example:
protocol tcp
tcp
proto 6
Matching TCP flags
Use the following expression to match a packet’s TCP flags:
{tflags | tcpflags} flags/flag-mask
flags = the flag or flags that must be set for the expression to match
flag-mask = the flag or flags to examine
For example, tflags FSA/FSA matches all of the traffic whose SYN, ACK, and FIN flags
are set.
For the flag fields, you can specify any combination of the following TCP flags:
• F — FIN
• S — SYN
• R — RST (reset)
• P — PSH (push)
• A — ACK
• U — URG (urgent)
• E — ECE (ECN-Echo)
• W — CWR (Congestion Window Reduced)
Do not separate multiple flags with any characters, including spaces or commas.
Additional examples of expressions for matching TCP flags
  Item to match: packets that contain the SYN flag
  Expression: either of the following expressions:
    tflags S/S
    proto tcp and (tflags S/S)

  Item to match: all of the TCP SYN traffic that is not SYNACK
  Expression: either of the following expressions:
    proto tcp and (tflags S/SA)
    proto tcp and (tflags S/S) and !(tflags SA/SA)

  Item to match: all of the traffic for which the A bit is set, but the F bit is not set
  Expression: tflags A/FA
Matching ports
Use the following expression to match ports:
[src | dst] port {port-name | number} [ .. {port-name | number} ]
To match a port, specify its name or number. For example:
port http
port 22
To match a range of port numbers, separate the first number and the last number with
two periods. For example:
port 0..1024
If you do not specify the source or the destination, then both the source and the
destination are evaluated. See “FCAP Expressions that Indicate Direction” on page 350.
Additional examples of expressions for matching ports
  Item to match: IP address 192.0.2.1, port 22
  Expression: host 192.0.2.1 port 22

  Item to match: any traffic with a destination IP address of 192.0.2.1 and a destination port of either 22 or 80
  Expression: dst host 192.0.2.1 and (dst port 22 or dst port http)
Matching IP length
Use the following expression to match a packet’s IP length:
bytes number [..number]
Specify the IP length as a number of bytes. For example:
bytes 100
To match a range of bytes, separate the first number and the last number with two
periods. For example:
bytes 100..102
Matching ICMP messages
Use the following expressions to match an ICMP message by specifying its type:
icmptype {name | number}
icmpcode code
For example, to match ICMPv4 echo request traffic by type, you can use either of the
following expressions:
icmptype icmp-echo
icmptype 8
Note
APS supports both ICMPv4 and ICMPv6 message types. However, for ICMPv6, you can
specify message type numbers only. You cannot use message type names for ICMPv6.
The ICMP code is a subtype of a given type. For example, the following expressions match
the ICMP control message type “Destination Unreachable”, and the subtype of “Host
Unreachable” (ICMPv4) or “address unreachable” (ICMPv6):
• ICMPv4
  icmptype icmp-unreach and icmpcode 1
• ICMPv6
  icmptype 1 and icmpcode 3
The table below lists some common ICMPv4 message types.
ICMPv4 message types
  ICMP type number   ICMP type name       Description
  0                  icmp-echoreply       Echo Reply
  3                  icmp-unreach         Destination Unreachable
  4                  icmp-sourcequench    Source Quench
  5                  icmp-redirect        Redirect
  8                  icmp-echo            Echo Request
  9                  icmp-routeradvert    Router Advertisement
  10                 icmp-routersolicit   Router Selection
  11                 icmp-timxceed        Time Exceeded
  12                 icmp-paramprob       Parameter Problem
  13                 icmp-tstamp          Timestamp
  14                 icmp-tstampreply     Timestamp Reply
  15                 icmp-ireq            Information Request
  16                 icmp-ireqreply       Information Reply
  17                 icmp-maskreq         Address Mask Request
  18                 icmp-maskreply       Address Mask Reply
For a complete list of the ICMPv4 message types and codes, refer to an IPv4 reference or
go to the following URL: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
For a complete list of the ICMPv6 message types and codes, refer to an IPv6 reference or
go to the following URL: http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
Matching the Type of Service
Note
This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Traffic
Class.
Use the following expression to match the Type of Service (TOS):
tos number
Specify the eight-bit TOS field as a number from 0 to 255. For example:
tos 255
tos 0XFF
Matching the Time to Live
Note
This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Hop Limit.
Use the following expression to match the Time to Live (TTL) value:
ttl number
Specify the eight-bit TTL field as a number from 0 to 255. For example:
ttl 6
Matching fragments
This expression is for IPv4 traffic only.
The following expression allows you to match IP fragments:
frag
Logical Operators for Compound FCAP Expressions
You can create compound FCAP expressions by using logical operators to join
expressions.
For more information about using FCAP expressions, see the following topics:
• “FCAP Expression Reference” on page 344
• “FCAP Expressions that Indicate Direction” on the next page
• “Available FCAP Expressions” on page 342
• “Examples of FCAP Expressions” on page 351
Operators for joining expressions
To join FCAP expressions, use the following operators:
• parentheses ( ) — establishes precedence for complex expressions
• NOT — negates an expression (negation)
  For example, not port 33 matches all of the ports except port 33.
  You can also use an exclamation mark (!) instead of not.
• OR — joins expressions where any can be true (alternation)
  For example, dst port 22 or dst port 25 or dst port 80 matches all of the traffic that is destined for any one of these three ports.
• AND — joins expressions where both are true (concatenation)
  For example, dst host 192.0.2.1 and dst port 22 matches all of the traffic that is destined for port 22 on the host 192.0.2.1.
How APS evaluates compound expressions
APS evaluates expressions in the following order:
1. Expressions in parentheses. If you use a combination of adjacent objects with AND
and OR operators, use parentheses so that APS knows the explicit order.
2. NOT expressions.
3. OR and AND expressions, which have equal precedence and are evaluated from left to
right.
For example, the following expressions are equivalent:
not tcp port 3128 and tcp port 23
(not tcp port 3128) and tcp port 23
Omitting the operators and parentheses can produce unexpected results. For example, to
block all TCP traffic on port 80 or port 443, you might type the following expression:
tcp port 80 or tcp port 443
However, this expression does not do what you intend because the order of operations
interprets it as follows:
tcp and (port 80 or tcp) and (port 443)
Instead, you should use one of the following expressions:
tcp (port 80 or port 443)
(tcp port 80) or (tcp port 443)
FCAP Expressions that Indicate Direction
The direction expressions indicate whether a network, host, or port represents the source
or the destination.
In an FCAP expression, the direction refers to the source or destination section of the
packets that are evaluated.
For information about how to use FCAP expressions, see “FCAP Expression Reference” on page 344.
Indicating direction
The following expressions indicate direction:
src — source
dst — destination
For example:
src host 192.0.2.1
dst port 33
Default direction
If you do not specify a direction, then both the source and the destination are evaluated.
For example, the following expressions are equivalent:
host 192.0.2.1
(src host 192.0.2.1) or (dst host 192.0.2.1)
Examples of FCAP Expressions
To help further your understanding of FCAP expressions, this topic provides examples of
expressions and shows how APS interprets them.
In particular, observe how APS interprets expressions when you omit certain components.
For example, you can omit the direction and the drop or pass action. You can also omit
the logical operators, although doing so can produce unexpected results.
For more information about FCAP expressions, see “FCAP Expression Reference” on page 344.
Examples
The following examples show how APS interprets FCAP expressions and how it makes
assumptions about any information that is omitted from the typed expressions.
Note
APS interprets FCAP expressions that use IPv6 addresses in the same way that it
interprets FCAP expressions that use IPv4 addresses.
FCAP expressions and how they are interpreted
  Expression: host 192.0.2.1 203.0.113.1
  Interpretation: drop src host 192.0.2.1 or dst host 203.0.113.1

  Expression: protocol tcp
              tcp
  Interpretation: drop proto 6

  Expression: tflags saf/saf
  Interpretation: drop tflags FSA/FSA
    You do not have to type the flags in any particular order; the system orders them for you.

  Expression: port 33
  Interpretation: drop src port 33 or dst port 33

  Expression: not port 33
  Interpretation: drop (src port 0..32 or src port 34..65535) and (dst port 0..32 or dst port 34..65535)

  Expression: dst host 192.0.2.1 and port 22
  Interpretation: drop dst host 192.0.2.1 and (src port 22 or dst port 22)

  Expression: src 192.0.2.1 src 192.0.2.9
  Interpretation: drop (src net 0.0.0.0/0)
    The system assumes that the two addresses are joined by an AND operator. However, because no packet can ever have two sources, the expression is interpreted as “drop everything.”

  Expression: src 192.0.2.4 or src 192.0.2.9
  Interpretation: drop src host 192.0.2.4 or src host 192.0.2.9

  Expression: src 192.0.2.1 dst 203.0.113.1
  Interpretation: drop src host 192.0.2.1 and dst host 203.0.113.1
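The evaluation-order pitfall from the previous topic and the interpretations tabled above, worked through in code. This is an added illustration written for this page, not Arbor code: the protocol and port name tables and the packet records are constructed, and the evaluator applies conventional precedence to explicitly written forms rather than reproducing how APS itself parses an unparenthesized expression.

```python
"""Toy FCAP evaluator for the forms in this appendix (added illustration, not Arbor code).
Precedence: parentheses, then not/!, then and (adjacent terms are an implicit and), then or.
APS itself gives and/or equal left-to-right precedence, so parenthesize real filters."""
import ipaddress
import re

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}         # assumed name tables
PORT_NAMES = {"ssh": 22, "http": 80, "https": 443}
FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32, "E": 64, "W": 128}
TOKEN_RE = re.compile(r"\(|\)|!|[^\s()!]+")

def _flag_bits(letters):          # 'saf' -> bitmask; letter order does not matter
    return sum(FLAG_BITS[c] for c in letters.upper())

def _port(text):                  # port name or number
    return int(text) if text.isdigit() else PORT_NAMES[text]

def _port_range(spec):            # '22', 'http' or '0..1024' -> predicate on a port number
    lo, hi = _port(spec.split("..")[0]), _port(spec.split("..")[-1])
    return lambda v: lo <= v <= hi

def _directional(dirn, src_key, dst_key, test):
    """Default direction: without src/dst, both ends of the packet are evaluated."""
    keys = {"src": (src_key,), "dst": (dst_key,), None: (src_key, dst_key)}[dirn]
    return lambda p: any(test(p[k]) for k in keys)

class FcapParser:
    def __init__(self, expr):
        # A line that begins with '#' is a comment and is not evaluated.
        body = " ".join(ln for ln in expr.splitlines() if not ln.lstrip().startswith("#"))
        self.toks, self.pos = TOKEN_RE.findall(body), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() not in (None, ")", "or"):      # adjacency = implicit AND
            if self.peek() == "and":
                self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        dirn = None
        if tok in ("src", "dst"):
            dirn, tok = tok, self.take()
        if tok in ("proto", "protocol") or tok in PROTO_NUMBERS:
            name = self.take() if tok in ("proto", "protocol") else tok
            num = int(name) if name.isdigit() else PROTO_NUMBERS[name]
            return lambda p: p["proto"] == num
        if tok == "port":
            return _directional(dirn, "sport", "dport", _port_range(self.take()))
        if tok in ("tflags", "tcpflags"):                # flags/mask, e.g. S/SA = pure SYN
            flags, mask = (_flag_bits(x) for x in self.take().split("/"))
            return lambda p: _flag_bits(p["flags"]) & mask == flags
        if tok in ("host", "net"):                       # a bare address is taken as a host
            tok = self.take()
        net = ipaddress.ip_network(tok, strict=False)
        return _directional(dirn, "src", "dst", lambda a: ipaddress.ip_address(a) in net)

def _pkt(name, proto, src, dst, dport, flags):           # constructed sample record
    return dict(name=name, proto=proto, src=src, dst=dst, sport=51000, dport=dport, flags=flags)

PACKETS = [_pkt("tcp-80", 6, "203.0.113.5", "192.0.2.1", 80, "S"),
           _pkt("tcp-443", 6, "203.0.113.6", "192.0.2.1", 443, "SA"),
           _pkt("tcp-22", 6, "198.51.100.9", "192.0.2.1", 22, "A"),
           _pkt("udp-443", 17, "203.0.113.7", "192.0.2.1", 443, "")]

def matches(expr, packets=PACKETS):                       # names of the packets the expression selects
    pred = FcapParser(expr).parse()
    return [p["name"] for p in packets if pred(p)]

if __name__ == "__main__":   # the intended filter, then the misreading the page warns about
    for expr in ("tcp (port 80 or port 443)", "tcp and (port 80 or tcp) and (port 443)"):
        print(expr, "->", matches(expr))
```

Run as written, the intended form selects both the port 80 and the port 443 TCP packets, while the misread form the page describes selects only the port 443 packet, which is what an operator would see as port 80 traffic passing a filter meant to block it.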
Glossary
A
AAA (Authentication, Authorization, & Accounting) — An acronym that describes the process of
authorizing access to a system, authenticating the identity of users, and logging their behaviors.
ACL (Access Control List) — A list composed of rules and filters stored in a router to allow, deny, or
otherwise regulate network traffic based on network parameters such as IP addresses, protocol
types, and port numbers.
active mode — A state within the inline deployment modes, in which APS mitigates attacks in addition to
monitoring traffic and detecting attacks.
address — A coded representation that uniquely identifies a particular network identity.
AIF (ATLAS Intelligence Feed) — A service that downloads real-time threat information from our Active
Threat Level Analysis System (ATLAS). This information is used to detect and block emerging
botnet attacks and application-layer attacks.
alert — A message informing the user that certain events, conditions, or errors in the system have
occurred.
anomaly — An event or condition in the network that is identified as an abnormality when compared to a
predefined illegal traffic pattern.
API (Application Programming Interface) — A well-defined set of function calls providing high-level
controls for underlying services.
APS — A protection system that focuses on securing the internet data center edge from threats against
availability by analyzing and blocking malicious traffic.
APS Console — A single user interface that allows for the central management of multiple APS devices, to
more effectively monitor and respond to attacks across your network.
Arbor Cloud DDoS Protection — A cloud-based DDoS mitigation service that scrubs the high-bandwidth, volumetric attacks that are too large to mitigate at the data center’s premises.
Arbor Smart bar — An area of the product's user interface that contains icons for performing certain
actions.
ArbOS — Arbor’s proprietary, embedded operating system.
ARP (Address Resolution Protocol) — A protocol for mapping an IP address to a physical machine
address.
ASCII (American Standard Code for Information Interchange) — A coded representation for
standard alphabetic, numeric, and punctuation characters, also referred to as “plain text”.
ATLAS (Active Threat Level Analysis System) — A globally scoped threat analysis network that
analyzes data from darknets and the core backbone of the internet to provide information to
participating customers about malware, exploits, phishing, and botnets.
authentication — An identity verification process.
B
black hole routing — A technique to route traffic to null interfaces that can never forward the traffic.
blacklist — A list of hosts whose traffic is blocked without further inspection. To add a host to the blacklist.
block — To prevent traffic from passing to the network, or to prevent a host from sending traffic. In APS,
blocking occurs for a specific length of time, after which the traffic is allowed to pass again.
bot — A program that runs automated tasks over the internet.
botnet — A set of compromised computers (bots) that respond to a controlling server to generate attack
traffic against a victim server.
bps — Bits per second.
Bps — Bytes per second.
C
CA (Certificate Authority) — A third party that issues digital certificates for use by other parties. CAs are
characteristic of many public key infrastructure (PKI) schemes.
CAR (Committed Access Rate) — A tool for managing bandwidth that provides the same control as ACL
with the additional property that traffic can be regulated based on bandwidth usage rates in bits
per second.
CDN (Content Delivery Network) — A collection of web servers that contain duplicated content and
are distributed across multiple locations to deliver content to users based on proximity.
cflowd — Developed to collect and analyze the information available from NetFlow. It allows the user to
store the information and enables several views of the data. It produces port matrices, AS matrices,
network matrices, and pure flow structures.
CIDR (Classless Inter-Domain Routing) — Method for classifying and grouping internet addresses.
CLI (command line interface) — A user interface that uses a command line, such as a terminal or
console (as opposed to a graphical user interface).
client — The component of client/server computing that uses a service offered by a server.
cloud — A metaphor for the internet.
Cloud Signaling — Cloud Signaling is the process of requesting and receiving cloud-based mitigation of
volumetric attacks in real time from an upstream service provider.
Cloud Signaling widget — A graphical element in the UI that allows the user to monitor the status of the
Cloud Signaling connection and mitigations in real time. It also allows the user to enable, activate,
and deactivate Cloud Signaling.
Common Event Format (CEF) — An open log management standard, which Arbor APS can use to
format syslog notifications.
CSV (comma-separated values) file — A file that stores spreadsheet or database information in plain
text, with one record on each line, and each field within the record separated by a comma.
customer — An ISP, ASP, or enterprise user of APS.
customer edge — The location at the customer premises of the router that connects to the provider edge
of one or more service provider networks.
customer edge router — A router within a customer's network that is connected to an ISP's customer
peering edge.
D
Dark IP — Regions of the IP address space that are reserved or known to be unused.
data center — A centralized facility that houses computer systems and associated components, such as
telecommunications and storage systems, and is used for processing or transmitting data.
DDoS (Distributed Denial of Service) — An interruption of network availability typically caused by
many, distributed malicious sources.
deployment mode — Indicates how APS is installed in the network: inline bridged, inline routed (layer 3
traffic; vAPS only), or out-of-line through a span port or network tap (monitor).
DNS (Domain Name System) — A system that translates numeric IP addresses into meaningful,
human-consumable names and vice-versa.
DNS server — A server that uses the Domain Name System (DNS) to translate or resolve human-readable
domain names and hostnames into the machine-readable IP addresses.
DoS (Denial of Service) — An interruption of network availability typically caused by malicious sources.
E
edge — The outer perimeter of a network.
encryption — The process by which plain text is scrambled in such a way as to hide its content.
Ethernet — A series of technologies used for communication on local area networks.
exploit — Tools intended to take advantage of security holes or inherent flaws in the design of network
applications, devices, or infrastructures.
F
fail closed — The hardware bypass mode in which APS disconnects the protection interfaces and does
not allow traffic to pass after a system failure occurs. The hardware bypass mode is set from the
CLI.
fail open — The hardware bypass mode in which APS allows unmonitored network traffic to bypass the
protection interfaces after a system failure occurs. The hardware bypass mode is set from CLI.
failover — A configuration of two devices so that if one device fails, the second device takes over the
duties of the first, ensuring continued service.
FCAP — A fingerprint expression language that describes and matches traffic information.
Fibre Channel — Gigabit-speed network technology primarily used for storage networking.
fidelity period — The maximum amount of time for which APS saves data in the connection database.
fingerprint — A pattern or profile of traffic that suggests or represents an attack. Also known as a
signature.
firewall — A security measure that monitors and controls the types of packets allowed in and out of a
network, based on a set of configured rules and filters.
FQDN (Fully Qualified Domain Name) — A complete domain name, including both the registered
domain name and any preceding node information.
FTP (File Transfer Protocol) — A TCP/IP protocol for transferring files across a network.
G
Gb — Gigabit.
GB — Gigabyte.
Gbps — Gigabits per second.
global protection level — Determines which protection settings are in use for an APS.
GMT (Greenwich Mean Time) — A world time standard that is deprecated and replaced by UTC.
GRE (Generic Routing Encapsulation) — A protocol that is used to transport packets from one
network through another network.
GRE tunnel — A logical interface whose endpoints are the tunnel source address and tunnel destination
address.
H
handshake — The process or action that establishes communication between two telecommunications
devices.
header — The data that appears at the beginning of a packet to provide information about the file or the
transmission.
heartbeat — A periodic signal generated by hardware or software to indicate that it is still running.
host — A networked computer (client or server); in contrast to a router or switch.
HTTP (HyperText Transfer Protocol) — A protocol used to transfer or convey information on the
World Wide Web. Its original purpose was to provide a way to publish and retrieve HTML pages.
HTTPS (HyperText Transfer Protocol over SSL) — The combination of a normal HTTP interaction
over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport
mechanism.
I
ICMP (Internet Control Message Protocol) — An IP protocol that delivers error and control messages
between TCP/IP enabled network devices, for example, ping packets.
IMAP (Internet Message Access Protocol) — An application layer internet protocol that allows a local
client to access email on a remote server. (Also known as Internet Mail Access Protocol, Interactive
Mail Access Protocol, and Interim Mail Access Protocol.)
inactive mode — A state within an inline deployment mode, in which APS analyzes traffic and detects
attacks without performing mitigations.
inline mode — A deployment mode in which APS acts as a physical connection between two end points.
All of the traffic that traverses the network flows through APS.
interface — An interconnection between routers, switches, or hosts.
IP (Internet Protocol) — A connectionless network layer protocol used for packet delivery between
hosts and devices on a TCP/IP network.
IP address — A unique identifier for a host or device on a TCP/IP network.
IPS (Intrusion Prevention System) — A computer security device that exercises access control to
protect computers from exploitation.
ISP (Internet Service Provider) — A business or organization that provides to consumers access to the
internet and related services.
K
Kbps — Kilobits per second.
L
LAN (Local Area Network) — A typically small network that is confined to a small geographic space.
Log Event Extended Format (LEEF) — An event format that Arbor APS can use to format syslog
notifications.
M
MAC (Media Access Control) Address — A unique hardware number associated with a networking
device.
malformed — Refers to requests or packets that do not conform to the RFC standards for internet
protocol. Such requests or packets are often used in DoS attacks.
Mbps — Megabits per second.
MBps — Megabytes per second.
MIB (Management Information Base) — A database used by the SNMP protocol to manage devices
in a network. Your SNMP polling device uses this database to understand APS SNMP traps.
mitigation — The process of using recommendations to apply policies to the network to reduce the
effects of an attack.
monitor mode — A deployment mode in which APS is deployed out-of-line through a span port or
network tap. APS monitors traffic and detects attacks but does not mitigate the attacks.
MPLS (Multiprotocol Label Switching) — A packet-switching protocol developed by the Internet
Engineering Task Force (IETF) initially to improve switching speeds, but other benefits are now
seen as being more important.
MSSP (Managed Security Service Provider) — An internet service provider (ISP) that provides an
organization with network security management,
multicast — Protocols that address multiple IP addresses with a single packet (as opposed to unicast and
broadcast protocols).
N
NetFlow — A technology that Cisco Systems, Inc. developed to allow routers and other network devices to
periodically export information about current network conditions and traffic volumes.
netmask — A dotted quad notation number that routers use to determine which part of the address is
the network address and which part is the host address.
network tap — A hardware device that sends a copy of network traffic to another attached device for
passive monitoring.
NIC (Network Interface Card) — A hardware component that maintains a network interface
connection.
notification — An email message, SNMP trap, or syslog message that is sent to specified destinations to
communicate certain alerts.
NTP (Network Time Protocol) — A protocol that synchronizes clock times in a network of computers.
NXDomain — A response that results when DNS cannot resolve a domain name.
O
outbound threat filter — A group of protection settings that block malicious outbound traffic.
out-of-band — Communication signals that occur outside of the channels that are normally used for data.
P
packet — A unit of data transmitted across the network that includes control information along with
actual content.
password — A secret code used to gain access to a computer system.
payload — The data in a packet that follows the TCP and UDP header data.
PCAP (packet capture) file — A file that consists of data packets that have been sent over a network.
ping — An ICMP request to determine if a host is responsive.
policy — The set of rules that network operators determine to be acceptable or unacceptable for their
network.
POP (Post Office Protocol) — A TCP/IP email protocol for retrieving messages from a remote server.
PoP (Point of Presence) — A physical connection between telecommunications networks.
port — A field in TCP and UDP packet headers that corresponds to an application level service (for
example TCP port 80 corresponds to HTTP).
pps — Packets per second.
prefix — The initial part of a network address, which is used in address delegation and routing.
protection category — A group of related protection settings that detect a specific type of attack traffic.
protection group — A collection of one or more protected hosts that are associated with a specific type
of server.
protection level — Defines the strength of protection against a network attack and the associated
intrusiveness and risk of blocking clean traffic. The protection level can be set globally or for
specific protection groups.
protection mode — A state within an inline deployment mode, in which the mitigations are either active
or inactive.
protection settings — The criteria by which APS defines clean traffic and attack traffic.
protocol — A well-defined language used by networking entities to communicate with one another.
R
RADIUS (Remote Authentication Dial In User Service) — A client/server protocol that enables
remote access servers to communicate with a central server to authenticate dial-in users and
authorize their access to the requested system or service.
rate limit — The number of requests, packets, bits, or other measurement of data that a host is allowed
to send within a specified amount of time.
RDN (Registered Domain Name) — A domain name as registered, without any preceding node
information (for example, “example.net” instead of www.example.net).
real time — When systems respond or data is supplied as events happen.
redundancy — The duplication of devices, services, or connections so that, in the event of a failure, the
duplicate item can perform the work of the item that failed.
refinement — The process of continually gathering information about anomalous activity that is
observed on a network.
regular expression — A standard set of rules for matching a specified pattern in text. Often abbreviated
as regex or regexp.
report — An informational page that presents data about a traffic type or event.
route — A path that a packet takes through a network.
router — A device that connects one network to another. Packets are forwarded from one router to
another until they reach their ultimate destination.
S
secret key — A secret that is shared only between a sender and receiver of data.
server type — A class of servers that APS protects and that is associated with one or more protection
groups.
shared secret — A word or phrase that APS Console uses to authenticate the internal communication
between itself and APS devices.
signature — A pattern or profile of traffic that suggests or represents an attack. Also known as a
fingerprint.
SIP (Standard Initiation Protocol) — An IP network protocol that is used for VoIP (Voice Over IP)
telephony.
SMTP (Simple Mail Transfer Protocol) — The de facto standard protocol for email transmissions
across the internet.
SNMP (Simple Network Management Protocol) — A standard protocol that allows routers and other
network devices to export information about their routing tables and other state information.
span port — A designated port on a network switch onto which traffic from other ports is mirrored.
spoofing — A situation in which one person or program successfully masquerades as another by
falsifying data (usually an IP address) and thereby gains an illegitimate advantage.
SSH (Secure Shell) — A command line interface and protocol for securely accessing a remote computer.
SSH is also known as Secure Socket Shell.
SSL (Secure Sockets Layer) — A protocol for secure communications on the internet for such things as
web browsing, email, instant messaging, and other data transfers.
SSL certificate — A file that is installed on a secure web server to identify a web site and verify that the
web site is secure and reliable.
stacked graph — A graph in an Arbor Networks product that displays multiple types of data in a color-coded stack.
STIX™ (Structured Threat Information eXpression) — A language that describes cyber threat
information in a standardized and structured manner.
syslog — A file that records certain events or all of the events that occur in a particular system. Also, a
service for logging data.
T
TACACS+ (Terminal Access Controller Access Control System +) — An authentication protocol
common to UNIX networks that allows a remote access server to forward a user’s login password
to an authentication server to determine whether that user is allowed to access a given system.
target — A victim host or network of a malicious denial of service (DoS) attack.
TAXII™ (Trusted Automated Exchange of Intelligence Information) — An application layer
protocol for the communication of cyber threat information in a simple and scalable manner.
TCP (Transmission Control Protocol) — A connection-based, transport protocol that provides reliable
delivery of packets across the internet.
TCP/IP — A suite of protocols that controls the delivery of messages across the internet.
throughput — The data transfer rate of a network or device.
TLS (Transport Layer Security) — An encryption protocol for the secure transmission of data over the
internet. TLS is based on, and has succeeded, SSL.
U
UDP (User Datagram Protocol) — An unreliable, connectionless, communication protocol.
unblock — To remove a source or destination from the temporarily blocked list without adding it to the
whitelist.
UNC (Universal Naming Convention) — A standard which originated from UNIX for identifying
servers, printers, and other resources in a network.
URI (Uniform Resource Identifier) — A protocol, login, host, port, path, etc. in a standard format used
to reference a network resource, (for example http://example.net/).
URL (Uniform Resource Locator) — Usually a synonym for URI.
UTC (Universal Time Coordinated) — The time zone at zero degrees longitude, which replaces GMT as
the world time standard.
V
vAPS — The virtual version of APS that is hardware-independent. vAPS contains all of the APS software
packages and configurations but does not require a physical APS appliance.
VLAN (Virtual Local Area Network) — Hosts connected in an infrastructure that simulates a local area
network, when the hosts are remotely located, or to segment a physical local network into smaller,
virtual pieces.
VoIP (Voice over Internet Protocol) — Routing voice communications (such as phone calls) through
an IP network.
volumetric attack — A type of DDoS attack that is generally high bandwidth and that originates from a
large number of geographically distributed bots.
VPN (Virtual Private Network) — A private communications network that is often used within a
company, or by several companies or organizations, to communicate confidentially over a public
network using encrypted tunnels.
vulnerability — A security weakness that could potentially be exploited.
W
WAN (Wide Area Network) — A computer network that covers a broad area. (Also Wireless Area
Network, meaning a wireless network.)
UI (User Interface) — A web-based interface for using an Arbor Networks product.
whitelist — A list of hosts whose traffic is passed without further inspection. Also, to add a host to the whitelist.
widget — A graphical element in a user interface that displays information about an application and
allows the user to interact with the application.
X
XML (eXtensible Markup Language) — A metalanguage written in Standard Generalized Markup
Language (SGML) that allows one to design a markup language for easy interchange of documents
on the World Wide Web.
Index
A
About page 23
active protection mode
about 84
for a protection group 85
for the outbound threat filter 85
Active Threat Level Analysis System
See ATLAS 52
AIF
enabling updates 60
proxy server configuration 61
AIF (ATLAS Intelligence Feed)
about 52
attack rules 52
botnet signatures 52
components 52
geoip_countries 53
location data 53
reputation feed 52
status 62
threat policies 52, 54
traffic statistics 63
AIF updates
configuring 60
proxy server configuration 61
alert notifications
about 66
configuring 68
email 67
SNMP 67
syslog 67
alerts
about 302
bandwidth 223
category 302
for system events 42
ignoring 299, 303
removing from the Dashboard 299
summary 304
viewing all 304
viewing on the Dashboard 297
Alerts page
contents 306
viewing 304
appliance
deleting offline appliances 89
Application Misbehavior settings 119
APS
aggregated data 283
assigning to a protection group 238
communications with APS Console 15
configuring for APS Console management 76
log in from APS Console 15
managing from APS Console 14
total traffic 294
traffic status 294
unassigning protection group from 239
viewing traffic activity for 199
APS Console
build number 23
communicating with APS 14
data synchronization with APS 78
initial requirements 18
license 23
managing APS devices 14
APS Console - APS synchronization
effect of restoring backups 82
APSlocal protection group settings 240
Arbor Smart Bar 26
Arbor Technical Assistance Center, contacting 10
Arbor Threat Feed
See ATLAS Intelligence Feed 60
See ATLAS Intelligence Feed 52
ATAC, contacting 10
ATF
See ATLAS Intelligence Feed 52
ATLAS confidence index
about 56
confidence value 56
ATLAS Intelligence Feed
threat categories 269
ATLAS Intelligence Feed (AIF)
about 52
Also see AIF 52
attack rules 52
botnet signatures 52
components 52
geoip_countries 53
location data 53
reputation feed 52
settings 120
status 62
threat policies 52, 54
traffic statistics 63
ATLAS threat categories
about 54
ATLAS threat category
viewing 269
Attack Categories view 200
attack detection
attack indicators 248
source identification 255
attack mitigation 244
attack rules, AIF 52
audit trail
about 316
configuring settings 41
default change message 41
enabling change messages 41
entering change messages 318
exporting to CSV 320
log 319
recent entries 313
summary 313
viewing 319
audit trail log
viewing AIF updates 62
authentication
custom SSL certificate 47
DNS 129
B
backup
about 330
configuration data 332
configuring 44
manual 332
policy data 332
recurring remote 44, 330
scheduling 44
settings 44
backups
restoring 82
bandwidth alerts
about 223
baselines 223-224
blocked traffic 223
botnet 223
configuration 223-224
expiration 224
thresholds, about 223-224
total traffic 223
baseline calculation 223-224
blacklist
about 168
by protection group 170
capacity 172
country 211
domain 209
global 170
URL 207
blacklist, inbound
creating 174, 180
searching 177
settings 174
viewing 177
blacklist, outbound
searching 182
settings 180
viewing 182
Block Malformed DNS Traffic settings 124
Block Malformed SIP Traffic settings 125
block traffic
about 168
by protection level 251
by URL 206
See also blacklist 168
blocked host
in blocked hosts log 260
blocked hosts
total number 205
blocked hosts log
about 260
contents 266
page 260
searching 264
viewing 262
blocked traffic
attack categories 200
blocked traffic alert 223
botnet alert 223
botnet attack
preventing 126
Botnet Prevention settings 126
botnet signatures, AIF 52
build number, APS Console 23
C
capacity, blacklist and whitelist 172
capture packets 274
capture traffic data 104
categories, protection 111
category, alerts 302
category, threat
about 54
CDN and Proxy Support settings 128
central management from APS Console
about 14
configuring 76
data synchronization 78
centralized report
description of 279
centralized reports
about 278
configuring 283
deleting 288
filtering the list of 287
managing 286
sorting the list of 288
viewing results for 286
change messages in audit trail 318
command syntax 9, 342
comment in FCAP 344
components of AIF 52
confidence index
about 56
confidence value 56
confidence value
about 56
configuring 122
configuration and policy backup
about 330
creating 332
Configure Notifications page 72
connection limit, TCP 150
connection status
ATLAS Intelligence Feed 62
context menu
on Alerts page 306
context menu icon
opening the Blocked Hosts Log 262
conventions, typographic
commands 9, 342
countries traffic
blacklisting 211
unblocking 211
viewing by protection group 210
custom logo 49
custom protection groups 218
custom server type
about 93
adding 98
deleting 98
duplicating 99
maximum allowed 92, 98
settings, configuring 100
customer support, contacting 10
D
dashboard
active alerts 297
APS traffic 294
ignoring alerts 299
viewing network activity on 292
data synchronization with APS Console 78
debugging information 328
default
protection group 218
default logo 49
details
attack categories 203, 205
diagnostics package 328
DNS Authentication settings 129
DNS malformed 124
DNS NXDomain Rate Limiting settings 130
DNS Rate Limiting settings 131
DNS Regular Expression settings 132
documentation 8
domains
blacklisting 209
unblocking 209
viewing traffic for 208
download file 327
E
email notifications
about 67
configuring 69
examples 338
ephemeral ports in Services view 214
error page 23
examples
email notifications 338
syslog notifications 339
export
to PDF file 27
F
FCAP expressions
about 342
comment line 344
direction 350
examples 351
filter lists 160, 164
joining 349
master filter lists 162
operators 349
reference 344
specifying direction 350
files
deleting from an appliance 326
downloading from an appliance 327
Files page 324
uploading to an appliance 326
viewing 326
filter lists
about 160
per server type 164
filter lists for server types, about 160
flood attack
ICMP 137
spoofed SYN flood 146-147
SYN flood detection 153
TCP SYN flood detection 153
UDP flood detection 158
Fragment Detection settings 133
fragmentation attack 133
G
general settings
configuring 32
global blacklist 170
global protection level
about 86
changing 253
global whitelist 170
graph data
about 28
changing timeframe 28
minigraph 28
stacked 28
unit of measure 28
H
help
using 22
histograms 105
hosts
total number blocked 205
HTTP attack
malformed 138
slow 127
HTTP Blocked Locations category 202
HTTP Header Regular Expressions settings 134
HTTP malformed attack
protection settings 138
HTTP Rate Limiting settings 135
HTTP Reporting settings 136
I
ICMP Flood Detection settings 137
idle TCP attack 151
ignore alerts
about 303
inactive protection mode
about 84
for a protection group 85
for the outbound threat filter 85
inbound blacklist
creating 174
searching 177, 182
settings 174
viewing 177
Inbound Blacklist page 174
inbound traffic
viewing by type 195
inbound whitelist
creating 184
searching 186
settings 184
viewing 186
Inbound Whitelist page 184
installed hardware information 23
installed software information 23
Invalid Packets category 202
IP fragmentation attack 133
IP locations
location data updates 53
viewing traffic by protection group 210
IPv4 prefix matching in protection groups 221
L
license agreements 23
limits
custom protection groups 218
custom server types 92
List Protection Groups page
viewing 226
log
audit trail 319
log in
from APS Console 15
UI 19
log out
UI 19
logo
default 49
logo, adding to UI 49
M
malformed DNS 124
Malformed HTTP Filtering settings 138
malformed SIP 125
manual backup
about 330
creating 332
master filter lists
about 160
configuring 162
menu bar 22
minigraph 28
mitigation
about 244
by blocking source 255
manual 251
options 245
when to mitigate manually 244
workflow 251, 255
mode
protection, see protection mode 84
monitoring traffic 246
Multicast Blocking settings 139
N
navigation
controls 24
UI 22
network activity
viewing on dashboard 292
notification
SNMP 67
syslog 67
notifications
about 66
adding and editing 68
email 67, 69
email examples 338
SNMP 69
syslog 70
syslog examples 339
viewing 72
O
offline appliance 89
outbound blacklist
creating 180
settings 180
viewing 182
Outbound Blacklist page 180
outbound threat filter
configuring 113, 115
filter lists 164
protection level 253
protection mode 84-85
outbound whitelist
creating 188
searching 190
settings 188
viewing 190
Outbound Whitelist page 188
P
packet capture
about 274
capturing packets 275
uses 274
packets
evaluating and processing 161
page, UI
creating PDF 27
emailing as PDF 27
password
changing 20
choosing 36
criteria 36
requirements 36
payload inspection, UDP 140
Payload Regular Expression settings
about 140
PDF file
creating from UI page 27
emailing UI page 27
exporting centralized report as 286
permanent blacklist 168
permanent whitelist 168
ping exploitation 137
policy and configuration backup 332
ports
ephemeral 214
prefix matching
IPv4 221
IPv6 221
prefix matching in protection groups 221
Private Address Blocking settings 143
private IP address 143
profiling
changes made to protection categories 102
profiling traffic
about 102
viewing data 105
protected host
about 219
protection categories
about 111
blocked traffic 200
configuring from traffic profiles 105
configuring settings 100
restoring default settings 108
protection group
about 218
adding 231
assigning APS to 238
blacklist 170
custom 218
default 218
deleting 232
domain traffic 208
editing 231
prefix matching 221
removing from APS 239
searching for 226
settings 233
settings, configuring from traffic profiles 105
settings, restoring 108
top countries 210
top protocols 212
top services 214
top URLs 206
traffic summary 197
viewing 225
viewing traffic for 194
whitelist 170
protection group protection level
about 86
changing 253
changing from APS Console 253
protection group protection mode
changing 85
changing from APS Console 84
protection group settings
original 240
overriding 240
revert to original 240
protection groups
limits 218
protection level
about 86
changing 253
changing from APS Console 253
for protection settings 86, 112
global 86
protection group level 86
recommendations 88
viewing 87
protection mode
about 84
active and inactive 84
changing by protection group 85
changing from APS Console 84
protection mode, outbound threat filter
about 84
changing 85
protection settings
about 111
categories 111
configuring 100
configuring from traffic profiles 105
protection level 86, 112
restoring defaults 108
when to change 112
protocols, top 10 212
proxy server
for AIF 61
proxy support settings 128
publications 8
R
Rate-based Blocking settings 144
rate-based protection categories
changes for profiling 102
rate limit
any source host 144
DNS 131
DNS NXDomain 130
HTTP 135
SIP 145
traffic shaping 157
recurring remote backups
about 330
creating 44
regular expression
DNS 132
HTTP header 134
payload 140
reports
aggregated 286
aggregated APS data 283
custom date range 285
reports, centralized
about 278
configuring 283
deleting 288
description of 279
exporting as PDF file 286
filtering the list of 287
managing 286
sorting the list of 288
viewing results for 286
reputation feed, AIF 52
requirements
APS Console 18
restoring backups
effect on synchronization 82
routine monitoring 246
S
scheduled backups
about 330
configuring 44
search engine
web crawler support 59
server types
about 92
adding 98
custom server types 98
deleting 98
duplicating 99
filter lists for 160, 164
limits 92
restoring default settings 108
settings, configuring 100
standard server types 92
viewing 96
Server Types page 100
services traffic 214
sign-on
from APS Console 15
SIP malformed 125
SIP Request Limiting settings 145
slow HTTP attack
preventing 127
SNMP notifications
about 67
configuring 69
SNMP polling
about 34
agent community 32, 35
enabling 34
source of attack 255
Spoofed SYN Flood Prevention settings 146
automating 147
SSL
attack, prevention 155
certificate, custom 47
stacked graph 28
standard server types 92
status
ATLAS Intelligence Feed 62
Summary page
audit trail information 313
System Information 311
viewing 310
support, contacting 10
SYN flood
spoofed 146-147
TCP 153
syntax
FCAP expressions 342
syntax, commands 9, 342
syslog notifications
about 67
configuring 70
examples 339
system alerts
configuring 42
System Information summary 311
T
tables
sorting by column 24
TCP
idle connections 151
payload inspection 140
TCP Connection Limiting settings 150
TCP Connection Reset settings 151
TCP SYN Flood Detection settings 153
temporarily blocked hosts
in blocked hosts log 260
temporarily blocked sources
in blocked hosts log 260
temporary ports in Services view 214
threat
blocked 269
threat categories, ATLAS
about 54
threat category
viewing 269
threat policies, AIF 52
threat policy, ATLAS
about 54
categories 54
confidence index 56
confidence value 56
threshold, bandwidth alerts
about 223-224
timeframe, display
blocked hosts log 264
changing 28
View Protection Group page 194
TLS Attack Prevention settings 155
top domains per protection group 208
top IP locations per protection group 210
top protocols per protection group 212
top services per protection group 214
top URLs per protection group 206
total traffic alert 223
traffic
blocking, see block traffic 168
monitoring 246
statistics, ATLAS Intelligence Feed 63
viewing for protection group 194
traffic alert 223
traffic data
filtering by APS 199
traffic profile
about 102
capturing 104
stopping 104
viewing 105
traffic profile capture
changes for 102
Traffic Shaping settings 157
traffic status, viewing 294
traffic summary for protection group 197
transient ports in Services view 214
typographic conventions
commands 9, 342
U
UDP Flood Detection settings 158
UDP payload inspection 140
UI
about 16
log into and out of 19
navigating 22
unblock
country 211
domain 209
URL 207
unit of measure, graphs 28
upload file 326
URL
blacklisting 207
unblocking 207
viewing traffic for 206
user account
about 36
adding 39
configuring 39
deleting 40
editing your account 20
password 36
user group, about 38
username
APS Console 15
entering 39
requirements 39
V
version number, APS Console 23
View Protection Group page 194
blacklisting countries 211
blacklisting domains 209
blacklisting URLs 207
unblocking countries 211
unblocking domains 209
unblocking URLs 207
viewing AIF updates 62
VoIP attack, preventing 145
W
web crawler support
about 59
Web Traffic By Domain
disabling 136
viewing 208
Web Traffic By URL
disabling 136
viewing 206
web UI
custom logo 49
whitelist
about 168
by protection group 170
capacity 172
global 170
whitelist, inbound
creating 184
searching 186
settings 184
viewing 186
whitelist, outbound
creating 188
searching 190
settings 188
viewing 190
workflow
manual mitigation 251
mitigation 255
routine system monitoring 246
End User License Agreement
The end user license agreement (EULA) contains updated terms and conditions with respect to
your license of Arbor product and services and is deemed to replace any previous license terms
provided with respect thereto; provided, however, if you and Arbor have executed a direct
agreement, such direct agreement shall govern your license of Arbor product and services.
To read the complete end user license agreement online, click one of the following links:
Links to the EULA
Products and their EULA links:
Arbor APS, Arbor Sightline, and Arbor Threat Mitigation System: https://www.netscout.com/cloud-and-managed-services-eula
Arbor Edge Defense and Edge Defense Manager: https://www.netscout.com/sites/default/files/2018-06/NetScoutSystems-End-User-Product-License-Agreement.pdf