
Defending Against DDoS Attacks using Arbor APS

Unit 2: Deploying and Configuring Arbor APS


Objectives

By the end of this unit you will be able to:

• Understand the management connections to, and the traffic flow through, the Arbor APS
• Discuss the deployment options available for the APS platform: Monitor vs. In-Line
• Navigate the Arbor APS user interface
• Define Protection Groups and adjust mitigation strategies ahead of responding to network attacks
• Understand the data reported within the Summary and Protection Group landing pages

©2018 ARBOR® CONFIDENTIAL & PROPRIETARY 2


APS Management Interfaces

• Management interfaces:
– Access the Command Line Interface (CLI):
• By direct connection using serial console or VGA/USB
• Via SSH over mgt0 or mgt1 ports
– Web User Interface (via HTTPS)
– Other management via SOAP APIs and a Web Services API



APS Protection Interfaces

(Figure: a protection interface pair, EXT and INT ports, carrying inbound and outbound traffic)

Protection interfaces are configured as predefined port pairs

• An external (ext) interface is specifically paired with an internal (int) interface
– External interfaces connect to routers/switches that are outside your network
– Internal interfaces connect to routers/switches that are inside your network
• Forwards traffic in both directions
– Layer 2 "bump in the wire"
– Bypass supported on all protection interfaces
– Inbound and outbound protections applied
– No MAC address change, no IP interaction
– Pass-through for non-IP frames, such as STP or LACP
– Supports 802.1q VLANs transparently
– No support for packets with MPLS labels

Interface Pairing

(Figure: protection interfaces are paired by number, EXT to INT)
ext0 – int0
ext1 – int1
…
ext5 – int5


Protection Interfaces: Bypass

• Hardware bypass settings:
– Fail open (bypass) is the default
– Fail closed (disconnect)
• To view the configuration and status of hardware bypass and software bypass on the APS:
admin@demo:/# services aps bypass show
Hardware Bypass:
Configured: Fail Open (will bypass on failure)
Current: Fail Open (will bypass on failure)
Software Bypass: Enabled, Not bypassing

Bypass Subcommands

• Viewing bypass configuration and status:

admin@demo:/# services aps bypass ?
Subcommands:
disable   Disable all interface bypass failure features
fail      Configure hardware bypass failure mode
          - open: Bypass the protection interfaces
          - closed: Disconnect the APS from connected equipment if a system failure occurs; traffic is dropped.
force     Force hardware bypass to fail open or closed
          - [open | closed]
show      Show the state of the bypass features
software  Enable or disable software bypass
          - [enable | disable]
• Note: When services are stopped, the appliance goes into Software Bypass.


Monitor Deployment Mode – Detection Only

• Typically used during Proof of Concept trials and evaluation tests
• Monitor mode:
– APS does not mitigate traffic
– Detect and report on attack and botnet traffic
– Set policies for attack detection and mitigation
• Potentially, this mode can be used in a production environment in conjunction with Cloud Signaling


Inline Deployment Mode – Detection and Mitigation

• Fits numerous data center on-site deployment scenarios
• Inline deployment mode with hardware bypass
• Inline Inactive sub-mode
– Analyzes traffic and detects attacks without performing mitigations
– Set policies for detection and mitigation
• Preferred northbound of other security/application devices to protect:
– FW
– WAF
– IPS/IDS
– Load balancers


User Interface (UI) Access

• Use HTTPS for access
• Access from either IPv4 or IPv6 hosts


Welcome to APS's UI

The ultimate test of whether the initial CLI configuration is good!


Demo: Web User Interface
Instructor Demo – Walkthrough of the UI

• Log in to the UI
• View the Summary page and walk through the UI
• Basic configuration tasks
– Configure DNS – DNS is used to find AIF
– Check licensing status
– Check that AIF is working and force an update
– Set NTP – optional, unless Cloud Signaling is configured
– Configure SMTP server
– Create notifications
– Create Protection Groups


Menu Tabs

(Screenshot callouts for the menu tabs:)
• Fixed page, no submenus
• Protection monitoring and configuration
• Advanced tools for analysis of filtered hosts and captured packets
• System configuration and maintenance


Status Bar – Deployment Mode

Shows deployment mode

• Monitor mode never forwards traffic
– Traffic blocking is reported the same as in Inline mode


Summary Page

• Alerts → DNS and SMTP are not configured yet


Administration > General



General System Settings

Configure:
• Time Zone
• DNS
• NTP Servers



AIF Alert

A system alert is also generated when an AIF update fails

Administration > ATLAS Intelligence Feed


Configuring AIF

• AIF cannot sync until DNS is configured


AIF Connection Test

• It's good practice to test AIF with a manual update before relying on automatic updates

(Screenshot callouts: "Update button was clicked"; "AIF update in progress")


AIF Configuration

(Screenshot callouts: status of most recent update; HTTPS proxy service; proxy user and password optional)

• AIF server is preconfigured
– Uses the domain name at Arbor: aif.arbor.net
– Cannot be changed


AIF Update Interval – Automatic Updates

(Screenshot callouts: manual AIF updates; automatic AIF updates; adjustable update interval)

• AIF update can be manual, automatic or both
– Interval for automatic updates defaults to 24 hours from the previous update

Summary Page

• Default login page
• Dashboard view displays:
– Real-time traffic forensics
– Whether active alerts exist
– Top Protection Group traffic
– Groups with AIF-detected traffic
– Top sources, destinations, and countries
– Protection interface traffic
– Current health of APS
– Identification of web crawler traffic
• Traffic data shown is for the last hour


Top Protection Groups

• Shows traffic per Protection Group (color coded)
• Out of the box, APS starts with the Default Protection Group tracking all traffic


Overview

Showing blocked traffic: it seems APS can mitigate the attack!


Top Countries

• Shows geographical distribution of incoming traffic



Top Sources & Destinations

• Provides visibility into which hosts are generating and receiving most of the traffic in the last hour


AIF Highlights

• Shows AIF update status and how AIF Prevention is seeing the traffic for each Protection Group and Level


Web Crawlers

• Shows traffic rates for different web crawlers
– Web crawler traffic identification is an AIF service


Viewing Protection Interfaces

• Traffic rates for protection interfaces
– Based on hardware interface counters


IMPROVING VISIBILITY WITH PROTECTION GROUPS



Protection Groups (PGs)

• Protection Groups (PGs) protect and provide extensive traffic analysis for a defined group of hosts
• A PG represents either IPv4 hosts or IPv6 hosts that you need to protect
• Protection Groups are defined by a combination of:
1. A list of protected internal hosts
• Host IP, subnet, or domain name
2. A Server Type
• A global object that provides prevention settings to this protection group


Default Protection Group

"Default Protection Group" is configured out of the box

• Catch-all → reports on all traffic seen to any IPv4 host (match = 0.0.0.0/0)
– Traffic not associated with other PGs is reported in the Default PG
• Uses protection settings defined by Arbor to detect and mitigate basic DDoS attacks
• You cannot delete the Default Protection Group


Supported Protection Group Limits

• Only APS 2600 and APS 2800 appliances support a maximum of 100 PGs
– The Default PG (IPv4 only) counts toward this maximum
– Allows up to 99 custom PGs + 1 Default PG
• vAPS and the APS 2000 and 2100 appliances support a maximum of 50 PGs
– Allows up to 49 custom PGs + 1 Default PG
• A minimally configured vAPS supports a maximum of 10 PGs
– Minimally configured = 2 cores, 100 GB disk space, and 6 GB RAM
– Allows up to 9 custom PGs + 1 Default PG


Adding an IPv4 Protection Group (1 of 2)

Protection Groups are added in the Protection Group List page

Define Name, Hosts, and Server Type


Adding an IPv6 Protection Group

• Resolve IPv6 hostnames in "Protected Hosts" when creating an IPv6 protection group

(Screenshot callouts: DNS hostname; resolved IPv6 address; "domain resolved" message)
Note: IPv4 addresses will not be protected by this IPv6 PG


New Protection Group is Immediately Available

Click Edit to change PG settings



Protection Group Settings and Setting Alerts



IPv4 Prefix Matching

Protection Group Name           Protected Hosts Setting   Matched Traffic
Protection Group 3              192.0.2.2/32              All traffic that is destined to 192.0.2.2
Protection Group 4              192.0.2.0/24              All traffic that is destined to 192.0.2.0/24, except for the traffic that is destined to 192.0.2.2
IPv4 Default Protection Group   0.0.0.0/0                 All IPv4 traffic, except for the traffic that is destined to 192.0.2.0/24

When different-length prefixes of the same network are protected by more than one PG, APS matches traffic to the most specific (longest) prefix


IPv6 Prefix Matching

Protection Group Name                 Protected Hosts Setting         Matched Traffic
Protection Group 5                    fe80:22:ab00::3bf:159a:1/128    All traffic that is destined to fe80:22:ab00::3bf:159a:1
Protection Group 6                    fe80:22:ab00::/40               All the traffic that is destined to fe80:22:ab00::/40, except for the traffic that is destined to fe80:22:ab00::3bf:159a:1
Protection Group 7 (serving as a      ::/0                            All IPv6 traffic, except for the traffic that is destined to fe80:22:ab00::/40
default Protection Group for IPv6
hosts)
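The longest-prefix rule behind the IPv4 and IPv6 tables above, as an added example that is not part of the course material: a small Python model that loads the two Protection Group tables from the slides and resolves a destination address to the PG that reports its traffic. The PG names and prefixes are the slides' own; the matching routine is an illustration of the rule, not the APS implementation, and it also shows that an IPv4 destination is never matched by an IPv6 PG.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Protection Group tables copied from the unit's IPv4 and IPv6 prefix-matching
# slides: PG name -> "Protected Hosts" setting.
IPV4_PGS: Dict[str, str] = {
    "Protection Group 3": "192.0.2.2/32",
    "Protection Group 4": "192.0.2.0/24",
    "IPv4 Default Protection Group": "0.0.0.0/0",
}
IPV6_PGS: Dict[str, str] = {
    "Protection Group 5": "fe80:22:ab00::3bf:159a:1/128",
    "Protection Group 6": "fe80:22:ab00::/40",
    "Protection Group 7": "::/0",
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Table = List[Tuple[str, Network]]


def build_table(pgs: Dict[str, str]) -> Table:
    """Parse each Protected Hosts setting and order the PGs longest prefix first,
    so that the first hit during a scan is the most specific (longest) match."""
    table = [(name, ipaddress.ip_network(prefix, strict=False))
             for name, prefix in pgs.items()]
    table.sort(key=lambda entry: entry[1].prefixlen, reverse=True)
    return table


def match_protection_group(destination: str, pgs: Dict[str, str]) -> Optional[str]:
    """Return the PG whose prefix is the most specific match for traffic destined
    to `destination`, or None when no PG of that address family covers it."""
    addr = ipaddress.ip_address(destination)
    for name, network in build_table(pgs):
        if addr.version == network.version and addr in network:
            return name
    return None


def classify(destinations: List[str], pgs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each destination address to the PG that would report its traffic."""
    return {dst: match_protection_group(dst, pgs) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: one per row of each slide table, plus an
    # IPv4 host checked against the IPv6 table (no match, per the IPv6 PG note).
    v4 = classify(["192.0.2.2", "192.0.2.50", "198.51.100.9"], IPV4_PGS)
    v6 = classify(["fe80:22:ab00::3bf:159a:1", "fe80:22:ab00::1", "2001:db8::1"], IPV6_PGS)
    for dst, pg in {**v4, **v6, "192.0.2.2 (vs IPv6 PGs)": match_protection_group("192.0.2.2", IPV6_PGS)}.items():
        print(f"{dst:>32} -> {pg}")
```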


Active / Inactive Protection Group Mode

• Protection Groups have individual selection of Active or Inactive protection mode


Protection Level Setting

• Protection Groups have individual selection of Protection Level
– By default, a PG tracks the Global Protection Level


Server Types

• Every Protection Group is associated with a Server Type
• The APS has two classes of Server Types
– Standard Server Types
– Custom Server Types
• Custom Server Types are derived from Standard Server Types


Protection Group Server Type

• Clicking on the Server Type link brings you to its Settings configuration page

(Screenshot callouts: click to change settings of the Server Type; amount of time that the Protection Group has been configured)


Server Types and Attack Protections

• Attack Protection settings are defined for each Server Type's configuration
• Each Server Type has a set of pre-defined Protections, for example:
– Web Server does not have any DNS protections
– DNS Server does not have any HTTP protections
• This allows for optimal inspection and increased performance
– Why test Web Server traffic for DNS attacks, or vice versa?


Protections per Standard Server Type

Columns: Settings category, then one column per server type: Generic Server, DNS Server, File Server, Mail Server, RLogin Server, VoIP Server, VPN Server, Web Server, IPv6 (an x marks a protection available for that server type)
ATLAS Threat Categories x x x x x x x x
Application Misbehavior x x x x x x
Block Malformed DNS Traffic x x x
Block Malformed SIP Traffic x x
Botnet Prevention x x x
CDN and Proxy Support x x
DNS Authentication x x x
DNS NXDomain Rate Limiting x x x
DNS Rate Limiting x x x
DNS Regular Expression x x x
Filter List x x x x x x x x x
Fragment Detection x x x x x x x x
HTTP Header Regular Expressions x x x x
HTTP Rate Limiting x x x x
HTTP Reporting x x x
ICMP Flood Detection x x x x x x x x
Malformed HTTP Filtering x x x
Multicast Blocking x x x x x x x x
Payload Regular Expression x x x x x x x x x
Private Address Blocking x x x x x x x x
Rate-based Blocking x x x x x x x x x
SIP Request Limiting x x
Spoofed SYN Flood Prevention x x x x x x x x x
TCP Connection Limiting x x x x x
TCP Connection Reset x x x x x x x x x
TCP SYN Flood Detection x x x x x x x x
TLS Attack Prevention x x x x x
Traffic Shaping x x x x x x x x x
UDP Flood Detection x x x x x x x x



Inbound Protection Processing Sequence

(Figure: diagram of the inbound protection processing sequence, ending in PASS)


Server Type Configuration

• Configuration of attack protections for the selected Server Type

(Screenshot callouts: change the server type being configured; another way to create a custom server type)

Best Practice – Custom Server Types

(Screenshot callouts: click to add a new custom server type; select to edit existing custom server types)

• Custom server types are copies of standard server types
– Same available preventions as the standard type
• A copy from Generic Server makes all protections available
– Intended so that protection settings may be set differently than the standard server type
– Existing Custom Server Types may also be duplicated


Adding a Custom Server Type

(Screenshot callouts: specify name of new server type; select existing server type to duplicate)

• Custom server types may also be added from the Duplicate button of existing server types
– Name and base type are auto-filled


Restoring Protection Settings

Restore Server Type protection settings to their default values by selecting Restore Defaults under the Options button


Protection Level Automation for Protection Groups

• Reduces time to mitigation
• Configurable from APS or APS Console
• Support for both IPv4 and IPv6 PGs
• Operates separately from global Protection Level settings


About Protection Level Automation

• APS initially sets that PG's Protection Level to Low
• If traffic exceeds the Total Traffic Threshold:
– APS continues to evaluate average traffic every 5 seconds
– If average traffic remains above the Total Traffic Threshold, automation activates within one minute of the traffic increase
– APS automatically moves that PG's Protection Level from Low → High
• It does not change the Global Protection Level
• APS generates an alert when activated (automated)
• Remains at High Protection Level for at least five minutes
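The automation rules above, replayed over constructed 5-second traffic samples, as an added example that is not part of the course material or the APS code. It models one PG with the slide's timings (5-second evaluation, activation after one minute of sustained excess, at least five minutes at High); the exact 60-second activation point and the return to Low after the hold once traffic is back under the threshold are assumptions, since the slide only says "within one minute" and "at least five minutes".

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Timings stated on the slide.
EVAL_INTERVAL_S = 5        # APS re-evaluates average traffic every 5 seconds
ACTIVATION_DELAY_S = 60    # automation activates within one minute of the increase (assumed: exactly 60 s)
MIN_HIGH_HOLD_S = 300      # the PG remains at High for at least five minutes


@dataclass
class PgLevelAutomation:
    """Illustrative model of Protection Level automation for one Protection Group."""
    name: str
    total_traffic_threshold_bps: float
    level: str = "Low"                      # APS initially sets the PG to Low
    exceed_since_s: Optional[float] = None  # when average traffic first exceeded the threshold
    high_since_s: Optional[float] = None    # when automation raised the PG to High
    alerts: List[str] = field(default_factory=list)

    def evaluate(self, now_s: float, avg_bps: float) -> str:
        """One evaluation of the PG's average traffic; returns the resulting level."""
        above = avg_bps > self.total_traffic_threshold_bps
        if self.level == "Low":
            if not above:
                self.exceed_since_s = None      # excursion ended before one minute: no change
            else:
                if self.exceed_since_s is None:
                    self.exceed_since_s = now_s
                if now_s - self.exceed_since_s >= ACTIVATION_DELAY_S:
                    self.level = "High"         # Low -> High; the Global Protection Level is untouched
                    self.high_since_s = now_s
                    self.alerts.append(
                        f"t={now_s:.0f}s {self.name}: Protection Level automated to High "
                        f"(avg {avg_bps:.0f} bps > {self.total_traffic_threshold_bps:.0f} bps)")
        else:
            # Assumption (not stated on the slide): after the five-minute hold the PG
            # returns to Low once average traffic is back under the threshold.
            if now_s - self.high_since_s >= MIN_HIGH_HOLD_S and not above:
                self.level = "Low"
                self.exceed_since_s = None
                self.high_since_s = None
        return self.level


def replay(pg: PgLevelAutomation, samples: List[Tuple[float, float]]) -> List[Tuple[float, str]]:
    """Feed (time_s, avg_bps) samples taken every EVAL_INTERVAL_S; return the (time, level) history."""
    return [(t, pg.evaluate(t, bps)) for t, bps in samples]


def sustained_flood(threshold_bps: float) -> List[Tuple[float, float]]:
    """Constructed series: 3x the threshold for the first 60 s, then 20% of it for six minutes."""
    return [(t, threshold_bps * 3 if t <= 60 else threshold_bps * 0.2)
            for t in range(0, 425, EVAL_INTERVAL_S)]


def short_spike(threshold_bps: float) -> List[Tuple[float, float]]:
    """Constructed series: a 30-second burst that ends before automation can activate."""
    return [(t, threshold_bps * 3 if t <= 30 else threshold_bps * 0.2)
            for t in range(0, 125, EVAL_INTERVAL_S)]


if __name__ == "__main__":
    web = PgLevelAutomation("Web PG", total_traffic_threshold_bps=1_000_000_000)
    for t, level in replay(web, sustained_flood(web.total_traffic_threshold_bps)):
        if t in (55, 60, 355, 360):
            print(f"t={t:>3}s level={level}")
    print("\n".join(web.alerts))
```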


Setting the Detection and Automation Policy

• Automate and alert using the Global Traffic Threshold
– Uses the global total traffic threshold
– Administration > System Alerts > Settings (tab)


Global Total Traffic Threshold Disabled?

If Protection Level Automation is enabled but you do not enable the Global Total Traffic Threshold, the APS does not automate the protection level or trigger this type of alert


Manually Define the Detection and Automation Policy

• Automate the protection level and alert "when traffic exceeds"
• Manually define the total bps and/or pps traffic that automatically changes the Protection Level


Current Traffic Threshold Configuration

Use the threshold graphs to view traffic in comparison to either the Global or Manual Total Traffic Thresholds as compared to


View Protection Group Protection Level Status



Lab Introduction – Lab Topology

(Figure: lab topology showing attack traffic and good traffic, a firewall, and the DATA CENTER servers:)
Web   172.17.##.20/30
DNS   172.17.##.21/32
File  172.17.##.22/32

Where ## = APS Pod Number


Lab Exercise

• Lab 1 – UI Workflow and Protection Settings
– Estimated completion time is 60 minutes
– Navigate the Web UI
– Update user and system settings
– Update the Deployment Mode and Protection Levels
– Display the status of your APS deployment, including AIF license and throughput
– Create protection groups and protection settings for your lab servers
– Initiate the tuning of rate-based protections
• Lab Review


UNDERSTANDING THE PROTECTION GROUP PAGE



Protection Group Page

• Extensive traffic details:


– Group details
– Group Cloud Signaling Status
– Overview
– Traffic Details
– Attack Categories
– Top Temporary Blocked Sources
– Web Traffic by URL
– Web Traffic by Domain
– Web Crawlers
– IP Location
– Top Protocols
– Top Services



Protection Group Page Details



Reporting Options

• Time Period
• bps x pps

(Screenshot callouts: buttons to choose the time period for all data, default is 1 hour; buttons to display bytes or packets; custom report period; apply custom report period)


Protection Group Overview

• Single-glance overview of protection group performance


Traffic Details

• Clearly shows relative amounts of traffic being passed and blocked for this protection group


Blocked Sources – Who to Blame

Click buttons to whitelist sources



Attack Categories

• Shows which Protections have been triggered

Click for more info



Attack Categories – Detail Data

• Amount of detailed information varies for different protection types

Click again to hide details


Protection Detail Breakdowns

• Some protections include detailed breakdowns



Protection Details – AIF Data Breakdown

• AIF Botnet Signatures offer the same breakdown format as Basic Botnet Prevention
• Details include stats for low / medium / high matching
– AIF is always matching all rules at all protection levels
– This is the only way to know how the protection level affects AIF matching
– AIF differs by having cumulative level enabling
• All rules at the set level and below are active


Attack Categories – Blocked Hosts

• Using the mouse-over popup menu you can see the hosts blocked by a specific prevention

Hover mouse cursor


URL and Domain

• Breakdowns by embedded URL and by the domain part of the URL
– Hover the cursor over "…" for the full URL as alt-text
– Copying "…" to the clipboard will actually copy the hidden part of the URL
• Blacklist buttons are available for these URLs


IP Location – Where the Attack is Coming From

Click buttons to block country sources



Protocols – How the Attack is Hitting

• Breakdown of the top protocols
• If a protocol needs to be blocked, enter it in the filter list for the protected service


Services – What the Attack is Hitting

• Breakdown of the top services (protocol/port)
• If a service needs to be blocked, enter it in the filter list for the protected service

FROM MONITORING TO MITIGATION
Changing the Deployment Mode


Monitor Deployment Mode is Safe to Start



Changing the Deployment Mode

Tasks to complete:
• In the CLI, change Deployment Mode to Inline (Inactive)
• Change cabling so that traffic now flows through the APS
– Connect router to ext0
– Connect firewall to int0
• Let the APS operate in Inactive Protection Mode and validate that its introduction does not cause any new issues
– Sometimes there are problems in the physical Ethernet connections
• Check for possible false positives while in Inactive Protection Mode
• Move to Active Protection Mode to mitigate attacks
• Check for possible false positives or unwanted side effects


Set Deployment Mode to Inline

Must be done from the CLI:

admin@demo:/# services aps mode ?
set
show
admin@demo:/# services aps mode show
Deployment mode: monitor
admin@demo:/# services aps mode set ?
inline
l3
monitor
admin@demo:/# services aps mode set inline
admin@demo:/# services aps mode show
Deployment mode: inline (inactive)
admin@demo:/#

Note: L3 Deployment Mode is used only for vAPS

About Layer 3 Mode

• Supported only on virtual APS (vAPS)
– Not supported on hardware-based APS appliances such as the APS 2000, APS 2100, APS 2600 and APS 2800
• Requires Arbor APS version 5.10.0 or later
• Viewing the status in the UI:
– Deployment Mode: Inline Routed
• Must specify static routes for the protection interfaces
• Uses static routes for the protection interfaces
– Distinct from the traffic and routes for management interfaces
– Configure IP addresses on protection interfaces
– Static routes define how vAPS handles routing traffic on its protection port pair interfaces such as ext0 and int0
– vAPS forwards all of the traffic that meets the mitigation rules if a valid route is configured to the destination network


Layer 3 Mode Example Configuration

• First change the Deployment Mode to l3 (Inline Routed)

admin@arbos:/# services aps mode set l3 active

• Configure an IP address for the protection interface pair

admin@arbos:/# services aps mitigation interface ext0 192.168.1.1/32
admin@arbos:/# services aps mitigation interface int0 192.168.1.2/32
admin@arbos:/# services aps mitigation interface show
ext0 192.168.1.1/32
int0 192.168.1.2/32

• Add a static route:

admin@arbos:/# / services aps mitigation route add 10.192.10.0/24 192.168.1.1
admin@arbos:/# / services aps mitigation route add 10.192.12.0/24 192.168.1.2
admin@arbos:/# / services aps mitigation route show

Flags  Destination     Interface  Nexthop
S      10.192.10.0/24  ext0       192.168.1.1
S      10.192.12.0/24  int0       192.168.1.2


Inline Deployment Mode

• Change mode via CLI only: services aps mode set ?
• Without or with mitigations enabled (Protection Mode):
– Active: blocks malicious traffic according to protection group and protection level settings
– Inactive: forwards all traffic and reports the traffic that it would block if in Active protection mode

Inline Allows Mitigation

• Monitor and Inline Inactive modes are similar
– Except Monitor mode does no forwarding
• The APS is now Inline but Inactive

Note: Inline deployment mode appears as Inline Bridged and the layer 3 deployment mode appears as Inline Routed.


System-wide Protection Mode

• The system-wide Protection Mode can be selected via the UI at any time
– When setting Inline mode, it defaults to Inactive mode

(Screenshot callout: click to change the inline deployment protection mode)


TUNING PROTECTION SETTINGS USING TRAFFIC PROFILES



Traffic Profile Learning

• Simplifies the configuration of certain rate-based protection settings
• Learns typical network behaviors and suggests protection settings that are appropriate for your network
– Profiles your network by capturing statistical data about certain types of traffic
– Use the profile data as a guide to configuring the protection settings in APS Console

1. Capture Profile Data
2. Analyze Profile Data
3. Fine-Tune Protection Settings


Profile – Protections Supported

• Network traffic data is captured for the following Protections:

Protection                   Values Captured
Rate-Based Blocking          bps threshold, pps threshold
Fragment Detection           Max bps and Max pps
ICMP Flood Detection         Max bps and Max pps
UDP Flood Detection          Max bps and Max pps
DNS NXDomain Rate Limiting   DNS NXDomain Rate Limit
DNS Rate Limiting            DNS Query Rate Limit
HTTP Rate Limiting           HTTP Request Limit, HTTP URL Limit
SIP Request Limiting         SIP Source Limit


Step 1 – Profile Capture: Select a Server Type

• To capture a traffic profile, on the "Configure Server Type" page, select the "Server Type"

(Screenshot callouts: Step 1 – select a Server Type; Profile Capture)

Note:
Capture is independent for each Server Type and can also happen in Inactive or Monitor modes


Step 2 – Profile Capture: Configure Protection Settings

• Ensure that the desired Protection Setting is enabled in order for Network Profile to populate the profile window
• For the profile data to be accurate:
– At a minimum, the values must be set for the current protection level
• In the example we are using the Low protection level
– Configured values for certain protection settings should be higher than the traffic rates that you expect the capture to observe
• The example shows setting the Low value to 999999999 (bps and pps) to populate the profile window while not stopping any rate-based traffic
Note: There is no View Profile icon next to the Protection at this point

(Screenshot callout: Step 2 – ensure Protection Setting is enabled)


Step 3 – Profile Capture: Enabling Profile Capture

(Screenshot callout: Step 4 – select Profile Capture)


Steps 4 and 5 – Profile Capture: Starting the Capture

• Start / Stop Profile Capture and Length of Capture

(Screenshot callouts: Step 6 – click Start / Stop; Step 5 – move the length-of-capture slider to specify the duration of data capture, up to 14 days)


Profile Capture Status

• Profile Capture Status icon: click on the Profile Capture Status icon to display the status window


Profile Histograms

• Once the capture is completed, histograms in the profile window display the observed traffic volumes for a Protection
• In alignment with the Protection traffic data captured, there are different types of histograms: packets per second, bits per second, requests per second


Profile Histogram View

• The View Profile Histogram icon appears next to the settings for which profile data is available

(Screenshot callout: choose icon to view histogram)

Profile Histogram Actions

• The following tasks can be performed in the Profile window:
– Set the thresholds for this Protection setting to the values that APS recommends
– Drag the markers to different points on the histogram to change the threshold values and view how they might affect the amount of passed traffic
– Change setting values in the Protection setting field and view information in the Profile window to discover how those values would affect traffic


Auto – Action Details

• The AUTO button sets the thresholds for the Protection setting to values that should work well for most circumstances
– They are calculated according to the following rules:
• Low: Maximum seen * 2
• Medium: 99.9 percentile
• High: 99.0 percentile


Profile Histogram Scales

• Change the scale of the y-axis in the histogram graph as follows:
– Linear presents the number of hosts on a linear scale, in which the lines in the graph are proportional to the number of hosts
– Log presents the number of hosts on a logarithmic scale, in which each unit increase represents an exponential increase in the number of hosts

(Screenshot callout: Y-axis Scale)


Profile Histogram Scales – Use Cases

• Log histograms are useful for seeing values observed in traffic from any number of hosts
– Useful for choosing settings for Low protection levels
– Helps choose settings that include all legitimate observed hosts, even those with extreme usage
• Even a single extreme legitimate client is easily seen
– Typical behavior of the majority is not obvious
• Linear histograms are useful for seeing values observed in majority traffic
– Useful for choosing settings for High protection levels
– Helps choose settings that include all typical users
– Hosts with extreme usage are not obvious


Profile Capture – Recommendations

• A Protection must be enabled in order to populate the network profile data for that Protection
– The "Enable" button must be selected if it exists
• A rate setting must be configured with a numeric value
– Best practice for capturing accurate profiles – configure temporary values as follows:
• Set the bit rates to 10000000000 (10 zeroes)
• Set the packet rates to 100000000 (8 zeroes)
• Set the other values to 1000000 (6 zeroes)
– A Protection that has rate settings configured should not block or blacklist any traffic during the profile capture
• Blocked traffic will cause inaccurate network profile calculation
• This is valid even in Inactive or Monitor modes


Profile Capture Notes

APS captures profile data for the following protections:

• If the protection category is enabled:
– Fragmentation Detection
– ICMP Flood Detection
– UDP Flood Detection
• If values are configured for the protection level that is current during the capture:
– DNS NXDomain Rate Limit
– DNS Rate Limit
– HTTP Rate Limit
– Rate Based Blocking
– SIP Request Limit

• Changing the Protection Level during a capture
– Applies only to Protection settings that temporarily block hosts if settings change between levels


Inaccurate Profiled Data May Result

• Enabling or disabling the following Protections during a profile capture – data will be accurate only for the time when the protection category was enabled:
– Fragmentation Detection
– ICMP Flood Detection
– UDP Flood Detection

• Changing the values of the following Protection settings during a profile data capture:
– DNS NXDomain Rate Limit
– DNS Rate Limit
– HTTP Rate Limit
– Rate Based Blocking
– SIP Request Limit

• Changing the Protection Level during a capture
– If the protection settings have different values for the different protection levels
– Applies only to Protection settings that temporarily block hosts if settings change between levels


Summary

In this unit you have learned about:

• Using Arbor APS management connections and identifying traffic flow through the protection interfaces of the Arbor APS.
• Using either the Monitor or In-Line deployment modes for reporting on, or protection from, DDoS threats.
• Navigating the Arbor APS web User Interface menu dropdowns, smart bar, and Help pages.
• How Protection Groups are used to protect resources in your network, and adjusting mitigation strategies ahead of responding to network attacks.
• Viewing and monitoring the data reported within the Summary and Protection Group landing pages.

