Netscout University - Lab - Zombie Detection Countermeasure

25/01/2023 12:09 Netscout University - Lab "Volumetric Attacks"

Finished
Volumetric Attacks

Lab Description
Examine the details of a zombie attack and use the Zombie Detection countermeasure to mitigate the misuse traffic
for the customer managed object.

Duration:
25 minutes
Platform:
https://sightline186.ne.netscout.com
Username:
NE186
Password:
Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Zombie Attack

1 Log in to the Sightline Deployment

Username: NE186
Password: Vafaseyu2!

1. Connect to this URL, if this page is not already open: https://sightline186.ne.netscout.com


2. If prompted, you must first authenticate with the lab proxy; after that you will be redirected to the Sightline
login page.
3. At the Sightline login page, use the credentials again to login.
4. Notify the proctor if you are unable to connect to your Sightline.

2 Monitor the deployment for new DoS alerts: go to Alerts > Ongoing. Answer the following questions by
reviewing the most recent alert listed.

For which managed object is an alert reported?

What is the alert type of this alert?

Which misuse types are reported for this alert?

Is the alert a fast flood alert? Yes / No

What is the importance of the alert?

3 Select the alert and use the Summary and Traffic Details tabs to identify the following information:
What protocol(s) are reported?

What destination port(s) are reported?

4 Click on the Mitigate Alert button and select Threat Management to begin mitigating this alert.

5 Keep the provisioned mitigation configuration and select Save and Start for this mitigation.

https://cx.netscout.com/lab/468/EN 1/5
6 To counter this volumetric attack, we want to differentiate legitimate users from attackers. To do so, we will use
the Zombie Detection countermeasure. The goal is to count the bps and pps sent by each source host
independently and compare them against a threshold. If a source is above the threshold, its IP address is considered a violating host.

7 From a previous peace-time study, the system administrator found that legitimate users were usually not
sending more than 25 pps. (How this is done is covered in the Sightline DDoS Detection and Mitigation
Administrator class.)

With this information, find an appropriate threshold. Select Enable Zombie Detection and configure the All
Host pps threshold.
Answer the following questions:
What Zombie Detection - Threshold (pps) did you set?

What was your reasoning for this value?

Don’t forget to click on Save.

Need Help

It may be appropriate to treat the available reference values more liberally, which means adding a
proportionate offset to them, thus ensuring that at least this configuration does not cause over-dropping.
The threshold value used can then be adjusted and reduced at any time, should this become
necessary.

8 After waiting a minute, do you notice traffic being dropped (1 Min Avg)?

How much traffic are you passing?

How much traffic are you blocking?

9 Is the Zombie Detection countermeasure dropping only packets above the configured threshold, or blocking
offending hosts entirely?

Check Solution

Source hosts violating any of the configured Zombie Detection thresholds (All Hosts or Flexible 1 to 5)
will be blocked. This means they are added to the dynamic deny list and all of their traffic will be discarded for
as long as the source host stays on this deny list.

10 How many Blocked Hosts are being reported by the countermeasure?

Need Help

You will find a counter at the bottom of the Zombie Detection countermeasure, below the graph.

11 Reviewing the packets using the Sample Packets, can you find a common attribute shared by most/all dropped
packets?


Need Help

Blocked Packets: Sizes between 400 and 500 bytes

Pass packets: Diverse, size between 50 and 500 bytes

Check Solution

The packets dropped are on average larger (all are larger than 400 bytes) than the packets that are
passing.

12 Remove the threshold configuration for All Hosts and build a Flexible Zombie to match on packets larger than
400 bytes.
Filter: bpp 400..1500
Set the Threshold to 20 pps.
Don’t forget to click on Save.

13 Are you still dropping the same amount of traffic?


What is the benefit of using a more precise Flexible Zombie versus using All Hosts?

Check Solution

Since the proportion of large packets in legitimate user traffic is small, the chance of dropping traffic from a
legitimate source as a false positive is reduced.
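The following is an added example, not Netscout's code, that models the Zombie Detection logic from steps 6, 9 and 12 on a constructed second of traffic: per-source pps are counted, a source above the threshold goes on a deny list and loses all of its packets, and the Flexible Zombie applies the same rule only to packets matched by the lab's bpp 400..1500 filter. The sample addresses, packet sizes and the 25 pps All Hosts threshold are assumptions made for the illustration.

```python
# Added example (not Netscout's code): simplified model of the Zombie Detection
# countermeasure. Per-source packets per second are compared against a threshold;
# a violating source is added to a dynamic deny list and all of its traffic is
# discarded, not only the packets above the threshold. The Flexible Zombie counts
# only packets matched by a filter, here "bpp 400..1500" (bytes per packet).
from collections import Counter

# Constructed sample second of traffic: (src_ip, packet_size_bytes, packet_count).
SAMPLE_SECOND = [
    ("10.0.0.5", 64, 15), ("10.0.0.5", 480, 3),    # legitimate, mixed sizes, 18 pps
    ("10.0.0.6", 120, 30), ("10.0.0.6", 60, 10),   # busy but small packets, 40 pps
    ("203.0.113.9", 450, 120),                      # zombie, 120 large packets
    ("203.0.113.10", 420, 35),                      # zombie, 35 large packets
]

def expand(sample):
    """Flatten (src, size, count) tuples into individual (src, size) packets."""
    return [(src, size) for src, size, n in sample for _ in range(n)]

def bpp_filter(lo, hi):
    """Predicate for the Flexible Zombie 'bpp lo..hi' filter (bytes per packet)."""
    return lambda size: lo <= size <= hi

def violating_hosts(packets, threshold_pps, match=lambda size: True):
    """Sources whose matched packets in this one-second window exceed threshold_pps."""
    pps = Counter(src for src, size in packets if match(size))
    return {src for src, n in pps.items() if n > threshold_pps}

def apply_mitigation(packets, threshold_pps, match=lambda size: True):
    """Return (deny_list, passed_packets, dropped_packets) for one window.
    A denied host loses every packet, matching the lab's 'blocked hosts' behaviour."""
    deny = violating_hosts(packets, threshold_pps, match)
    passed = [p for p in packets if p[0] not in deny]
    dropped = [p for p in packets if p[0] in deny]
    return deny, passed, dropped

if __name__ == "__main__":
    pkts = expand(SAMPLE_SECOND)
    # All Hosts threshold (assumed 25 pps): blocks both zombies but also 10.0.0.6.
    deny_all, passed_all, dropped_all = apply_mitigation(pkts, 25)
    print("All Hosts 25 pps -> blocked:", sorted(deny_all), "dropped:", len(dropped_all))
    # Flexible Zombie from step 12: filter bpp 400..1500, threshold 20 pps.
    deny_flex, passed_flex, dropped_flex = apply_mitigation(pkts, 20, bpp_filter(400, 1500))
    print("Flexible 20 pps  -> blocked:", sorted(deny_flex), "dropped:", len(dropped_flex))
```

Running it shows the All Hosts rule blocking the busy small-packet source 10.0.0.6 as a false positive, while the Flexible Zombie blocks only the two large-packet sources.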

14 Click on the Download Blocked Hosts button and view the downloaded file.

15 Click on the Download Top Blocked Hosts button and view the downloaded file.
What is the difference between the Blocked Hosts and Top Blocked Hosts files?

Check Solution

Top Blocked Hosts includes the blocked sources for which the most traffic was dropped since the
beginning of the mitigation.
Blocked Hosts only lists the source IP addresses currently on the dynamic deny list.

16 Stop your mitigation.

17 Well Done, you have just successfully completed this exercise.


© Copyright 2022 NETSCOUT, Inc. All rights reserved
