
NE - 13 - Using Cloud Signaling

This document provides instructions on how to configure and use cloud signaling on an Arbor Edge Defense (AED) appliance to mitigate a volumetric DDoS attack. The lab steps guide configuring cloud signaling settings on the AED, testing an attack, and observing how cloud signaling helps drop malicious traffic at the source before it reaches the AED.


15/9/22, 15:56 NE | 13 - Using Cloud Signaling

AED Training
Using Cloud Signaling
Overview
Description

In this lab you will configure NETSCOUT AED cloud signaling and use it to protect against a large
volumetric attack.

Objectives

After completing this lab exercise, you will be able to:


Configure cloud signaling for your AED.

Test and monitor cloud signaling status for your AED.


Mitigate and monitor volumetric attacks with cloud signaling support.

Estimated Completion Time

The estimated completion time for this lab is 60 minutes.

Lab Topology

Please ensure you read each step carefully before performing the required task in the order described.

If you are asked for your [POD] number in this lab, use the number that is part of your NE
username.

Example: Username NE312 <=> [POD] = 312

Mitigating a Volumetric Attack in the Cloud


1. Skip to Step 3 if a tab to the AED web UI is open. If not, then from your NETSCOUT Experience user
dashboard click on the AED link to open a new tab to the web UI.

2. Login to your AED web UI with your NETSCOUT Experience user credentials.

Username: NE102
Password: Kinemumo4^

or

Username: admin
Password: Welcome123

3. From your NETSCOUT Experience dashboard, click on the Victim Open Link icon to open the ArborTrade
web page in a new window. You may want to monitor the status of this server during targeted attacks.

4. Check the status of the Cloud Signaling widget on the Summary page, what does the current status
display?

Solution

The current status of the Cloud Signaling widget should show that cloud signaling is not
enabled.

The Cloud Signaling widget is located on both the Summary page and the Configure Cloud
Signaling Settings page.

The widget allows you to monitor the status of the Cloud Signaling connection,
communications, and mitigations on a specific AED.

5. Ensure that the Deployment Mode on your AED is set to Active and the Protection Level is set
to Low (globally and for every PG).

6. Ask the instructor to start the attack towards your network.

7. On the Summary page view the Top Protection Group listing.

What is the total traffic volume that you see for your Top Protection Groups?

How many or which Protection Groups are experiencing the attack traffic?

Solution

Look for the Protection Group called dns servers.

8. For each Protection Group attacked look into the View Protection Group page.

How much Total Traffic is received?

Are any Attack Categories identified? If so, which categories?

How much Blocked Traffic is there?


How much Passed Traffic is there?

Are there any traffic alerts generated?

9. Change the Protection Level to High and monitor the status of traffic into your AED for any changes.

Has the volume of traffic into your AED changed?

With the Protection Level set to High, is your AED dropping any additional traffic than previously?

Are any new Attack Categories identified?

Is your AED passing any more traffic than previously identified?


How would you rate the current situation, knowing that this AED is defending a 10Mbps internet
access?

Solution

Though you may notice that a lot of the incoming traffic is being dropped by your AED, the overall
volume of traffic received by your AED is still near or at the full bandwidth of the 10Mbps connection
for this site.
To ensure that you can receive legitimate client traffic again, you need filtering that happens
upstream, that is, in front of your AED.

10. AED Cloud Signaling Configuration

Important: When you enable Cloud Signaling you should configure an NTP server to avoid clock-
related problems that might interfere with communications to the Cloud Signaling Servers. Your lab
AED system is already configured with the correct NTP settings.

11. To configure Cloud Signaling, go to menu item Administration > Cloud Signaling.

For the next steps the Cloud Signaling Server, APS ID, password, and Management Portal details are
typically provided to you by your cloud mitigation service operator.

On the Configure Cloud Signaling Settings page:

Select the checkbox to Enable Cloud Signaling.

Set the Cloud Signaling Server address as 10.2.32.110.

For the APS ID enter AED102.

Important: The APS ID should be in the form of “AED[POD]”

Set the Password as Arbor123!

Set the Verify as Arbor123!


Click Save to update the Cloud Signaling settings.

Note: Normally Cloud Signaling would be provisioned before you experience an attack. When
configuring under attack condition the establishment of the TCP connection to the cloud mitigation
service operator could fail because there is not enough bandwidth available to negotiate all
information.

12. Set up GRE termination on the AED. This requires assigning an IP address to the AED's mitigation interface,
so go to Administration > Interfaces.

For the ext0 / int0 interface, click inside the Edit button to edit the GRE details for this interface.
Important: do not select the ext1/int1 interface, ext1/int1 is not connected and is not in use.

For GRE Remote IP, enter: 192.168.254.2

For GRE Local IP, enter: 172.17.102.2

For GRE Local IP Subnet Mask Length, enter: 21

Click Save to commit changes

13. Using Global Cloud Signaling

The AED's Protection Level should still be set to High, and viewing the Top Protection Groups on
the Summary page again the attack traffic is blocked by the AED, but there is no change to the total
traffic received.

The total traffic continues to be very high and continues to flood or congest the link, making it difficult
for good, legitimate traffic to pass through to the servers.

14. Click the Activate button in the Cloud Signaling widget on the Summary page.

You should quickly get a “Manual Cloud Signaling Requested” message, and the button changes
to say Deactivate.

Wait for two-to-three minutes for the Cloud Signal heartbeat to be received by the Cloud Signaling
Server. (You may need to refresh the Summary page)

Once the heartbeat is received an alert is generated on the Cloud Signaling Server that a “Cloud
Signaling Mitigation Request” has been received from your AED AED102.


An auto-mitigation begins at the Cloud Signaling Server and a BGP diversion path is advertised
redirecting the traffic to the Cloud Signaling Server.

You may notice a new Cloud Signal alert indicating “A global Cloud Signaling mitigation was
started manually.”

After another minute you should see two things occur on the Summary page:

1. The total traffic for the Top Protection Groups section should drop significantly because the
attack traffic is successfully blocked by the Cloudserver.

2. A graph will appear in the Cloud Signaling widget showing how much traffic is being dropped by
that Cloud Signaling Server.

From the Summary page can you determine which IP prefixes have requested mitigation?

Solution

This is called a Global Cloud mitigation request and the AED requested the cloud mitigation provider
to protect all IP addresses that were provisioned on their side and match addresses in the different
protection groups.

15. Go to the Active Cloud Signaling Requests page by selecting the menu item Protect > Active Cloud
Signaling.

The Active Cloud Signaling Requests page displays a list of all of the prefixes that are included in a
"targeted" Cloud Signaling request or will be included in a request.

You will notice there are no addresses specified but you may notice the alert at the top of the page that
indicates:

“A global Cloud Signaling request is active. All of the prefixes protected by this AED are included in the
request.”

Note the second sentence that all prefixes protected by the AED are included, this can be verified by
looking at the mitigation on the Cloud Signaling Server.

16. View the status of your cloud-based mitigation from your NETSCOUT Experience dashboard,
click Cloudserver Open Link icon to connect to the cloud signaling server.

17. Login to the Cloudserver with your student credentials of username NE102 and password Kinemumo4^.

If you see a Popup about new Features in Sightline, close the window by using the [x] in the
upper right hand corner

Go to Mitigation > Ongoing

What IP prefixes are specified in the Protection Prefixes column in the Mitigations
Ongoing dashboard?

Solution

18. When you are ready to stop the cloud-based mitigation, go back to your AED UI.

Click the Deactivate button in the Cloud Signaling widget on the Summary page.

You should receive a confirmation message indicating “Manual mitigation request was stopped.”

Wait two minutes for the Cloud Signaling to update. When the heartbeat with the deactivate
request is received, the cloud-based mitigation will be withdrawn and all traffic will take the
native IP path back to your servers.

Once the Manual Cloud Signaling Activated message and the Cloud Signal alert have cleared, the AED
has returned to its normal operating state, though it is still under attack.


Additionally, viewing the Cloudserver you should notice the mitigation for all your Protection Prefixes
has ended too, it is no longer present in the menu Mitigation > Ongoing (press Search Button to
refresh).

Instead it can be seen in Mitigation > Recent and should indicate in the Duration column the status
Ended.

19. Using Group Cloud Signaling

Before proceeding, ensure that the mitigation on the Cloudserver has ended.

If you are not familiar with how to do this on the Sightline UI, here are some helpful steps, or ask your
instructor.

Go to menu item Alerts > Ongoing and then search for AED102. If there is an ongoing Alert for
your pod, wait for 2-3 minutes until it ends [make sure all AED mitigation requests are
deactivated - this is what generates the alert in Sightline].

Go to menu item Mitigation > Ongoing, there should be no mitigations listed for your IP
prefixes.

Once you are certain the alert and mitigation have ended, proceed with the next steps.

20. On the AED UI, go to menu item Protect > Inbound Protection > Protection Groups, then click on
the protection group that is under attack.

Solution

Look for the Protection Group called dns servers.

21. On the View Protection Group page, click on the Activate button for the Cloud Signaling widget.

The message “Manual Cloud Signaling Requested” should appear within the Cloud Signaling
widget.

Eventually a message should pop up confirming that a “Manual Cloud Signaling Activated.” The
traffic for your Protection Group will be redirected to the Cloudserver for mitigation.

Wait two minutes for the cloud mitigation to begin.

Cloud Mitigation in progress:

What further changes have occurred on the View Protection Group page to indicate a mitigation
is running?
Can you determine which IP prefixes have requested this mitigation?

Solution

You should notice that the traffic level in this protection group dropped noticeably.

The cloud mitigation should include all IP addresses from this protection group as you
triggered the signaling based on this protection group widget.

22. View the status of the cloud-based mitigation.

If you need to reconnect to the cloud signaling server, from your student dashboard click
the Cloudserver link to connect to the cloud signaling server.

Login with your student credentials of username NE102 and password Kinemumo4^.

Go to Mitigation > Ongoing

Cloud Mitigation:

What IP prefixes are specified in the Protection Prefixes column in the
Mitigations Ongoing dashboard?

From the AED Summary page is there any indicator of a Cloud Signaling mitigation? Are there
any active Cloud Signaling alerts present on this page?

What is the status of the Cloud Signaling widget on the Summary page?

From the AED's List Protection Groups page (Protect > Inbound Protection > Protection Groups)
are there any indicators of a Cloud Signaling mitigation?

From the AED's Active Cloud Signaling Requests page (Protect > Active Cloud Signaling) are there
any indicators of a Cloud Signaling mitigation?

Solution

Protect > Inbound Protection > Protection Groups should show a lightning bolt icon on the
protection group that you used to start the cloud mitigation.

Protect > Active Cloud Signaling does not show any indicator of this cloud mitigation.

23. Go to menu item Administration > Cloud Signaling to view its status.

Is there a message indicating that cloud signaling is active?

Solution

There is no indicator here because the cloud mitigation that was started was not a global one but a per
Protection Group cloud signaling request.

24. Return to the View Protection Group page for the protection group under attack, Protect > Inbound
Protection > Protection Groups > select the protection group.

25. Click the Deactivate button in the Cloud Signaling widget to stop the cloud signaling request for the
group.

Wait for the heartbeat to be updated and the cloud-based mitigation to be withdrawn.

Proceed to the next step once the AED cloud signaling mitigation stops.

26. Using (Manual) Targeted Cloud Signaling

Once you are certain the alert and mitigation have ended on the CloudServer, proceed with the next
steps.

27. Go to Protect > Active Cloud Signaling.

In the IP Address, CIDR Block, Hostname box add the IP address for your dns
server, 172.17.102.21. Use a /32 mask when adding the IP address.

Click the Add button to add the entry into the table, you should receive a message that “The
specified prefix was added.”

28. View the new entry on the Targeted Destination Cloud Signaling page and monitor its status for a
minute, possibly two minutes.

Initially the Duration shows “Not Yet Mitigating”, this should change to a timer once the updated
heartbeat is received by the Cloud Signaling Server.

29. View the Summary page and make a note of the Cloud Signaling widget.

If you viewed the page quickly enough, you would see the widget display the message “Targeted Cloud
Signaling Requested”. Eventually this should change to “Targeted Cloud Signaling Activated” when the
Cloud Signal Server starts mitigating.

Are there any Cloud Signaling Alerts?

30. Go to Protect > Inbound Protection > Protection Groups and check for any updates to the page.

Solution

You should see a lightning bolt icon indicating that protection group has cloud signaling activated.

31. Click on the protection group under attack and identify any changes that have occurred on the View
Protection Group page.

32. Go to Administration > Cloud Signaling and identify any differences.

33. View the status of the cloud-based mitigation.

If you need to reconnect to the cloud signaling server, from your student dashboard click
the Cloudserver link to connect to the cloud signaling server.

Login with your student credentials of username NE102 and password Kinemumo4^.

Go to Mitigation > Ongoing

Cloud Mitigation

What IP prefixes are specified in the Protection Prefixes column on the Mitigations
Ongoing dashboard?

34. To stop cloud signaling, go back to Protect > Active Cloud Signaling to view the Active Cloud
Signaling Requests page.

35. Click on the red remove icon at the end of the row of the IP address, this withdraws the cloud
signaling request to the Cloud Signaling Server.

Important: Verify that the cloud signaling deactivates prior to continuing to the next step.

36. Using Automatic Cloud Signaling

Go to menu item Administration > Cloud Signaling to update the Cloud Signaling settings.

37. Select the checkbox to Enable Automatic Cloud Signaling.

Note: In the following steps the configuration settings used are to demonstrate cloud signaling
behavior only for this lab exercise. Do not use these settings for your network without first reviewing
your network’s requirements.

38. Set the Global Cloud Signaling Threshold to 10 MBPS and 5 KPPS.

You may want to view the Summary page and the View Protection Group pages to confirm that
these traffic thresholds will work. Setting a threshold too high may yield “no action”, no automatic
cloud signaling.

You may need to consult with your instructor to determine the best threshold value to use for your lab.

39. In order to see the automatic cloud signaling occur more quickly, set the Interval by moving the slider
to 1 minute.

This Interval specifies the amount of time over which to average the inbound traffic.

When the average inbound traffic exceeds the configured threshold, and remains above the
threshold for this time ‘interval’, a cloud signaling request will be automated.

The interval can be specified from 1 minute to 10 minutes. For example, you might configure an
interval of 2 minutes and thresholds of 1 Mbps and 1 Mpps.

If at any time the 2-minute moving average rate of traffic exceeds either of the thresholds, then
the AED sends a mitigation request to the cloud signaling server.

All the mitigation requests are included in the Cloud Signaling heartbeat messages, which occur
every minute. If the threshold interval is less than one minute, AED sends any associated
mitigation request during the next heartbeat.
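
The averaging and heartbeat behaviour described in step 39, as an added Python sketch that is not part of the NETSCOUT lab guide or the AED software. The 10-second sample period, the requirement for a full window before evaluating, the heartbeat offset parameter, and all traffic samples are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

HEARTBEAT_S = 60  # per the lab guide: heartbeat messages occur every minute


@dataclass(frozen=True)
class AutoSignalConfig:
    interval_min: int    # averaging interval; the guide allows 1 to 10 minutes
    threshold_bps: int   # bits per second
    threshold_pps: int   # packets per second

    def __post_init__(self) -> None:
        if not 1 <= self.interval_min <= 10:
            raise ValueError("interval must be between 1 and 10 minutes")


def next_heartbeat(t: int, offset_s: int = 0) -> int:
    """First heartbeat at or after time t; heartbeats fire at offset_s + k*60."""
    k = max(0, -(-(t - offset_s) // HEARTBEAT_S))  # ceiling division
    return offset_s + k * HEARTBEAT_S


def first_signal_time(cfg: AutoSignalConfig,
                      samples: Iterable[Tuple[int, int]],
                      sample_period_s: int = 10,
                      heartbeat_offset_s: int = 0) -> Optional[int]:
    """Seconds until the heartbeat that would carry the mitigation request.

    samples are (bps, pps) readings taken every sample_period_s seconds
    (assumed sampling model). Returns None if no threshold is exceeded.
    """
    window_len = cfg.interval_min * 60 // sample_period_s
    window = deque(maxlen=window_len)
    for i, sample in enumerate(samples, start=1):
        window.append(sample)
        if len(window) < window_len:
            continue  # assumption: wait for a full interval of data
        avg_bps = sum(s[0] for s in window) / window_len
        avg_pps = sum(s[1] for s in window) / window_len
        # Exceeding EITHER threshold triggers a request, which is then
        # carried by the next heartbeat message.
        if avg_bps > cfg.threshold_bps or avg_pps > cfg.threshold_pps:
            return next_heartbeat(i * sample_period_s, heartbeat_offset_s)
    return None


# Constructed traffic: a sustained flood that nearly fills a 10 Mbps link,
# and a 20-second burst surrounded by quiet traffic.
FLOOD = [(9_500_000, 12_000)] * 30
QUIET = (100_000, 50)
BURST = [QUIET] * 12 + [(5_000_000, 2_000)] * 2 + [QUIET] * 12

LAB = AutoSignalConfig(1, 10_000_000, 5_000)              # step 38 and 39 values
GUIDE_EXAMPLE = AutoSignalConfig(2, 1_000_000, 1_000_000)  # 2 min, 1 Mbps, 1 Mpps
TOO_HIGH = AutoSignalConfig(1, 100_000_000, 100_000)       # yields "no action"

if __name__ == "__main__":
    # The flood stays under 10 Mbps, so the packet-rate threshold fires.
    print("lab settings, flood:     ", first_signal_time(LAB, FLOOD))
    print("heartbeat 30 s out of phase:",
          first_signal_time(LAB, FLOOD, heartbeat_offset_s=30))
    print("2-minute average, burst: ", first_signal_time(GUIDE_EXAMPLE, BURST))
    print("threshold too high:      ", first_signal_time(TOO_HIGH, FLOOD))
```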

40. Click Save to update the Cloud Signaling configuration.



Recall that the AED still sees active attack traffic, so after about 1 minute and 30 seconds, a cloud
signaling request should be sent to the Cloud Signaling Server.

41. Continue to monitor the Configure Cloud Signaling Settings page, this may take about two minutes,
are there any changes that occur that indicate cloud signaling has been initiated?

You should see the Cloud Signaling widget update a couple of times, once when the request is
made, and a second time when cloud signaling has been activated.

42. Go to the Summary page and view the changes.

Are there Cloud Signal alerts?

What does the Cloud Signaling widget display?

What status is indicated in the Cloud Signaling widget?

The Cloud Signaling widget should indicate that cloud signaling was activated based on a
threshold.

Is there any change to the traffic in the Top Protection Groups section?

43. Go to Protect > Inbound Protection > Protection Groups and check for any changes that may have
occurred from the automatic signaling.

Solution

You will not notice any specific activity on this page.

44. Click on the protection group name that is under attack.

Are there any details on this page that indicate cloud signaling is active?

Solution

The Group Cloud Signaling should state that a Global Threshold based cloud signaling was activated.

45. Go to Protect > Active Cloud Signaling, are there any details here that a cloud-based mitigation is
active?

Solution

You should see a message that says “A global Cloud Signaling request is active. All of the prefixes
protected by this AED are included in the request.”

46. View the status of the cloud-based mitigation.

If you need to reconnect to the cloud signaling server, from your student dashboard click
the Cloudserver link to connect to the cloud signaling server.

Login with your student credentials of username NE102 and password Kinemumo4^.

Go to Mitigation > Ongoing

What IP prefixes are specified in the Protection Prefixes column on the Mitigations Ongoing
dashboard?


47. On the AED UI go to Administration > Cloud Signaling and click the deactivate button to stop
the current cloud signaling request.

This lab has demonstrated several capabilities of the AED's Cloud Signaling feature:

1. Using Global Cloud Signaling

2. Using Group Cloud Signaling

3. Using Manual Targeted Cloud Signaling

4. Using Automatic Cloud Signaling

48. Ask your instructor to stop your attack.

49. Go to Administration > Cloud Signaling and deselect Enable Cloud Signaling.

Click Save to update the configuration.

50. Once the attack has cleared and the network has returned to normal operations, the Protection Level
should be set to Low.

51. Congratulations!

You have successfully configured, launched, and monitored cloud signaled mitigations on your AED.

52. Please notify the instructor that you have completed this lab exercise.

If you would like a copy of this lab select either the Print or the Save Page As (Control-S) menu
options from your browser’s dropdown menu.

Depending on which browser you are using, to access these menu options select either:

Select "File" from your browser's menu, then choose either:

1.) Print > Print to PDF


2.) Save Page As > Web Page Complete.

Or select the three dot vertical ellipsis, then choose either:

1.) Print > Print to PDF


2.) Save Page As > Web Page Complete.

Or select the three line hamburger menu button, then choose either:

1.) Print > Print to PDF


2.) Save Page As > Web Page Complete.

Select whichever method that works best with your browser.

This completes the lab exercise for the quick installation script for your AED. For more information about the
configuration settings for your AED's installation, refer to the AED Quick Start Card / Installation
Guide and/or the Arbor Edge Defense User Guide.

© Copyright 2022 NETSCOUT, Inc. All rights reserved
