Arbor Networks SP/TMS Operator Course

This course focuses on using Arbor Networks SP and TMS to monitor network traffic, identify and react to alerts, and create an appropriate remediation plan to quell an attack. Participants will learn about the different types of DDoS attacks and how to use Arbor Networks SP to monitor and analyze DoS alerts. Through a series of hands-on simulations, participants will experience different types of DDoS attacks and learn the skills to create an appropriate mitigation strategy. Participants will then configure the necessary TMS countermeasures to drop or block the misuse traffic.

Target Audience:

Security Operations Center (SOC) Operators, Network Operations Center (NOC) Operators with a security focus, and any staff responsible for monitoring a network for security-related events and taking action to minimize the impact of offending traffic against the network.

Duration:

16 Course Hours (1.6 CEUs)

Course Objectives:

  • Check the status of the Arbor Networks deployment
  • Monitor and analyze network and customer traffic
  • Identify and analyze security events
  • Mitigate DDoS threats in the network

Upon completion, participants should be able to:

  • Access and navigate the Arbor Networks SP Web User Interface (UI)
  • Use system status and monitoring to analyze SP and TMS deployment health
  • Use network status and related reports to verify network operation
  • Differentiate anomalies that are DDoS attacks from non-attack, false-positive occurrences
  • Mitigate DDoS attacks using multiple TMS-based countermeasures, including filters, rate-based countermeasures, event-driven countermeasures, and regular expressions

Unit Objectives:

Unit 1. Getting to Know Your Arbor Networks SP Deployment

  1. Identify the different Arbor Networks SP and TMS appliances and know the roles of each in a deployment
  2. Access and navigate the Arbor Networks web User Interface (UI) and identify key elements of the UI
  3. Check the status of the Arbor Networks deployment, appliances, and routers
  4. Recognize signs of operational issues that impact the operation of the Arbor Networks deployment
  5. Check and analyze alert and security status

Unit 2. Investigating Traffic

  1. Use dashboards to quickly view the most commonly needed data about your network
  2. Use network, router, and customer reports to analyze the network, monitored routers, and customer traffic
  3. View and understand network events using Explore pages and queries

Unit 3. Analyzing DDoS Alerts

  1. Access a DoS alert and view summary details to identify the characteristics that triggered the alert
  2. View further alert details and trace back the origin of the traffic
  3. Add traffic data to an Alert Scratchpad for later use
  4. Modify alert classification and add further annotations
  5. Use various reports to determine whether the alert is a possible attack or a false positive
  6. Investigate the raw flows database to further analyze major traffic events

Unit 4. Identifying and Mitigating Volumetric DDoS Attacks

  1. Describe the characteristics and impact of a volumetric attack
  2. Identify the techniques available to Arbor Networks SP to drop or block malicious traffic
  3. Use the TMS to launch and monitor a mitigation
  4. Use Filter Lists and TMS countermeasures to mitigate a volumetric attack
  5. Identify deployment issues with a running mitigation
  6. Identify when to blackhole an attack and create an SP-triggered blackhole mitigation
  7. Create and use an SP-triggered Flow Specification mitigation

Unit 5. Protecting Against TCP State Exhaustion DDoS Attacks

  1. Describe the characteristics and impact of a TCP state-exhaustion attack
  2. Use the TMS to launch and monitor a mitigation
  3. Identify and use countermeasures to best protect against a TCP state-exhaustion attack

Unit 6. Stop an Application-layer DDoS Attack

  1. Describe the characteristics and impact of application-layer attacks including DNS, HTTP, SIP, and SSL
  2. Analyze the DoS alert then use the TMS to launch and monitor a mitigation
  3. Identify the TMS countermeasures to use to protect against a specific type of application-layer attack

Course Outline:

Unit 1: Getting to Know Your Arbor Networks SP Deployment

  1. The Arbor Networks SP and TMS deployment
  2. Accessing the web User Interface (UI)
  3. View deployment and appliance status pages
  4. Check security status
  • Lab 1: Viewing Deployment and Appliance Status – monitor general deployment and system health, upgrade status, and status of monitored routers.

Unit 2: Investigating Traffic

  1. What is a Managed Object (MO)
  2. Traffic reporting concepts
  3. Traffic counting and boundary concepts
  4. Access and view customer and network reports
  5. "Explore" traffic
  • Lab 2: Investigating Traffic – view needed data about your network and customers.

Unit 3: Analyzing DDoS Alerts

  1. Analyze DoS Host alerts
  2. About alert triggers
  3. View alert traffic details and traceback
  4. Alert classification and additional annotations
  5. Use system reports to verify alert details and traffic characteristics
  6. Access the raw flows database
  • Lab 3: Examining DDoS Alerts – how to search for and examine the information within DoS Host alerts.

Unit 4: Identifying and Mitigating Volumetric DDoS Attacks

  1. Characteristics of a volumetric attack
  2. SP-based mitigation techniques
    1. Use Arbor Networks TMS to mitigate traffic
    2. Use SP-triggered blackholes to block volumetric floods
    3. Use BGP Flow Specification (Flowspec) to block traffic
  3. What is the TMS
    1. Create a TMS mitigation
    2. TMS countermeasures to use against volumetric attacks
      1. Filter Lists and using FCAP expressions
      2. Zombie Detection
      3. Amplification countermeasure
      4. Shaping / IP Location Policing
      5. Payload Regex
  • Lab 4: Mitigating a Volumetric Attack – examine the details of an alert and launch a mitigation.

Unit 5: Protecting Against State-Exhaustion DDoS Attacks

  1. Characteristics of state-exhaustion attacks
  2. TMS countermeasures to use against state-exhaustion attacks
    1. Filter Lists
    2. Flexible Zombie
    3. TCP SYN Authentication
    4. TCP Connection Limiting
    5. TCP Connection Reset
  • Lab 5: Mitigate state-exhaustion DDoS attacks – launch and monitor a mitigation and use countermeasures effective against state-exhaustion attacks.

Unit 6: Stop an Application-layer DDoS Attack

  1. Characteristics of application-layer attacks
  2. TMS countermeasures to use against application-layer attacks
    1. DNS
    2. HTTP
    3. SIP
    4. SSL
  3. Working with Regular Expressions
  • Lab 6: Mitigate application-layer attacks – mitigate a complex application-layer attack using rate-based countermeasures and regular expressions.
  • Fire Drill – end-of-class exercise in which the group uses the newly learned skills to mitigate an unknown attack type against a customer’s infrastructure.