TMS Mitigation Status DoS Alert 65153 IPv4



NETSCOUT | Arbor Sightline : TMS Mitigation Status "DoS Alert 65153" (IPv4) Sat 18 Jul 2020 23:10:00 UTC

Summary

Status: Jul 18 23:02 - Jul 18 23:09

Mode: Active
Alert: 65153
Template: DNS Amplification and UDP Frag
Managed Object: INT_61922
Learning Dataset: None
TMS Group: ALL_Metrotel
Protection Prefixes: 190.104.216.75/32

Traffic in bits per second:
                    1 Min Avg     5 Min Avg     Summary Avg
Dropped:            57.0 Kbps     616.0 Mbps    673.3 Mbps
Passed:             2.1 Mbps      33.0 Mbps     35.7 Mbps
Total:              2.1 Mbps      649.0 Mbps    709.1 Mbps
Percent Dropped:    2.70%         94.92%        94.96%
Blocked Hosts:      0 hosts       0 hosts       0 hosts

Traffic in packets per second:
                    1 Min Avg     5 Min Avg     Summary Avg
Dropped:            139.3 pps     58.8 Kpps     64.3 Kpps
Passed:             574.9 pps     4.2 Kpps      4.5 Kpps
Total:              714.1 pps     63.0 Kpps     68.8 Kpps
Percent Dropped:    19.50%        93.34%        93.47%
Blocked Hosts:      0 hosts       0 hosts       0 hosts

Dropped traffic per TMS appliance:
                    1 Min Avg     5 Min Avg     Summary Avg
ATENTO-TMS-01       57.01 Kbps    616.02 Mbps   673.35 Mbps
ATENTO-TMS-01       139.29 pps    58.83 Kpps    64.33 Kpps

[Chart: dropped traffic per countermeasure, bps and pps; legend: Black/White Lists, Invalid Packets, TCP SYN Authentication, DNS Authentication]

Countermeasures

Timeframe: 5 minutes

Invalid Packets
Dropped: 20.4 Mbps 1.8 Kpps

Malformed IP Header: 0 bps 0 pps
Incomplete Fragment: 19.4 Mbps 1.7 Kpps
Bad IP Checksum: 0 bps 0 pps
Duplicate Fragment: 4.3 Kbps 0 pps
Fragment Too Long: 0 bps 0 pps
Short Packet: 0 bps 0 pps
Short TCP Packet: 0 bps 0 pps
Short UDP Packet: 0 bps 0 pps
Short ICMP Packet: 0 bps 0 pps
Bad TCP / UDP Checksum: 1.3 Mbps 122.3 pps
Invalid TCP Flags: 0 bps 0 pps
Invalid ACK Number: 0 bps 0 pps

Black/White Lists
Dropped: 595.5 Mbps 56.8 Kpps

Inline Filters: drop udp frag
(UI placeholder example shown in the field: "pass port 80 and src 192.168.6.0/24" / "drop src 192.168.5.0/24 and proto tcp and tflags S/SA")

Black/White Lists are applied in the order shown below.

IPv4 Black/White Filter Lists

Fingerprints are applied in the order shown below.

Blacklist Fingerprints

Blacklist Sources: Disabled
Blacklists every source that has any traffic dropped because of the Black/White Lists. All traffic from these sources is then dropped, including traffic that matches a pass rule in the Black/White Lists.

Filter List: Total
Inline Filters: 605.5 M dropped bps, 0 passed bps

Dropped: 0 bps 0 pps

Enable UDP Reflection/Amplification Protection: Enabled

Action to Apply: Blacklist Hosts
Automate Non-DNS Filters based on Host Detection: Disabled
Automate DNS Filter based on Host Detection: Disabled
chargen: Disabled

chargen Match Expression: proto udp and src port 19

Additional Match Criteria:

CLDAP: Disabled

CLDAP Match Expression: proto udp and src port 389

Additional Match Criteria:

L2TP: Disabled

L2TP Match Expression: proto udp and src port 1701 and bytes 500..65535

Additional Match Criteria:

mDNS: Disabled

mDNS Match Expression: proto udp and src port 5353

Additional Match Criteria:

memcached: Disabled

memcached Match Expression: proto udp and src port 11211

Additional Match Criteria:

MS SQL RS: Disabled

MS SQL RS Match Expression: proto udp and src port 1434

Additional Match Criteria:

NetBIOS: Disabled

NetBIOS Match Expression: proto udp and (src port 137 or src port 138)

Additional Match Criteria:

NTP: Disabled

NTP Match Expression: proto udp and src port 123 and not bytes 76

Additional Match Criteria:

RIPv1: Disabled

RIPv1 Match Expression: proto udp and src port 520

Additional Match Criteria:

rpcbind: Disabled

rpcbind Match Expression: proto udp and src port 111

Additional Match Criteria:

SNMP: Disabled

SNMP Match Expression: proto udp and (src port 161 or src port 162)

Additional Match Criteria:

SSDP: Disabled

SSDP Match Expression: proto udp and src port 1900

Additional Match Criteria:

Custom 1: Disabled

Match Expression:

Custom 2: Disabled

Match Expression:

DNS: Enabled

DNS Match Expression: proto udp and src port 53

Additional Match Criteria: bytes 2049..65535

Active Blocked Hosts: 0 hosts


chargen: 0 bps 0 pps
CLDAP: 0 bps 0 pps
L2TP: 0 bps 0 pps
mDNS: 0 bps 0 pps
memcached: 0 bps 0 pps
MS SQL RS: 0 bps 0 pps
NetBIOS: 0 bps 0 pps

NTP: 0 bps 0 pps
RIPv1: 0 bps 0 pps
rpcbind: 0 bps 0 pps
SNMP: 0 bps 0 pps
SSDP: 0 bps 0 pps
Custom 1: 0 bps 0 pps
Custom 2: 0 bps 0 pps
DNS: 0 bps 0 pps

Dropped: 161.1 Kbps 146.5 pps

Automate TCP SYN Authentication based on Host Detection: Disabled

Enable TCP SYN Authentication: Enabled

Ignore Source Ports: (no value shown; UI placeholder example '22,25')

Ignore Destination Ports: (no value shown; UI placeholder example '22,25')

TCP SYN Authentication Idle Timeout: 60 seconds (UI placeholder example '90'; default '60')

Enable Out-of-sequence Authentication: Disabled

Enable Outbound Out-of-sequence Authentication: Disabled

Automate Spoofed Flood Protection based on Host Detection: Disabled

Enable Spoofed Flood Protection: Disabled

Enable Application Reset: Disabled

Enable HTTP Authentication: Disabled

Require JavaScript for HTTP Authentication: Disabled (requires the browser of the source host to be able to run JavaScript before a TCP connection can be authenticated)

HTTP Ports: (no value shown; UI placeholder example '80'; default '80, 8080')

Authenticated due to SYN Authentication: 0 hosts per second


Authenticated due to HTTP Redirect: 0 hosts per second
Authenticated due to proper retransmit behaviour: 3.3 hosts per second
Total Authenticated: 3.3 hosts per second
Average Authenticated Hosts: 551.6 hosts
Connections Tested: 14.9 connections per second

Dropped: 0 bps 0 pps

Enable DNS Authentication: Enabled

Protection Mode: Passive

DNS Authentication Timeout: 60 seconds (UI placeholder example '90'; default '60')

Hosts Tested: 0 hosts per second


Hosts Validated: 0 hosts per second

Dropped: 0 bps 0 pps

Enable TCP Connection Reset: Enabled

TCP Connection Idle Timeout: 90 seconds

TCP Connection Initial Timeout: (no value shown) seconds

Initial Timeout Required Data: (no value shown) bytes

Track Connections After Initial State: Enabled

Consecutive Idles Before Blacklisting Host: (no value shown)

Enable Application Slow Request Attack Prevention: Disabled (note: enabling this check will blacklist hosts which send extremely slow requests)

Application Slow Request Advanced Settings

Most users should not need to edit the advanced settings. Application Slow Request Attack Prevention is designed to operate automatically using the preset configuration settings.

Minimum Request Bit Rate: 200 bps

Time Period for Computing the Minimum Rate: 60 seconds

Minimum Time to Allow for Header Transmission: 60 seconds

Connections Reset: 0 connections per second


Total Connections: 0 connections per second
Average Blocked Hosts: 0 hosts

Dropped: 0 bps 0 pps

Enable Malformed DNS Filtering: Enabled

Dropped: 0 bps 0 pps

The prevention level blacklists hosts that violate configured levels of malformed HTTP traffic checks. When you raise the enforcement level to Medium or High, the countermeasure matches and drops more types of HTTP traffic with a higher risk of dropping good traffic.

Enable Malformed HTTP Filtering: Enabled, prevention level Low

Hosts Blocked: 0 hosts per second


Average Blocked Hosts: 0 hosts

Dropped: 0 bps 0 pps

Enable HTTP Object Limiting: Enabled

HTTP Object Limit: 10 requests per second per object (UI placeholder example '20'; default '10')

Enable HTTP Request Limiting: Enabled

HTTP Request Limit: 100 requests per second (UI placeholder example '200'; default '100')

Requests Blocked due to Object Limiting: 0 requests per second


Requests Blocked due to Request Limiting: 0 requests per second
Unique Connections Observed: 0 connections per second
Total Objects Seen: 0 objects per second
Active Blocked Hosts: 0 hosts

Dropped: 0 bps 0 pps

Enable Malformed SIP Filtering: Enabled

Hosts Blocked: 0 hosts per second


Average Blocked Hosts: 0 hosts

Dropped: 0 bps 0 pps

Enable SIP Source Limiting: Enabled

SIP Source Limit: 100 messages per second (UI placeholder example '200'; default '100')

Unique connections seen: 0 connections per second


Hosts Blocked due to Rate Limiting: 0 hosts per second
Average Blocked Hosts: 0 hosts

Annotations

Mitigation stopped.

rallazetta on Sat Jul 18 23:09:55

Alert ID set to "65153".


Template set to "DNS Amplification and UDP Frag".
Managed object set to "INT_61922".
TMS group set to "ALL_Metrotel".
Black/White filters set to "drop udp frag".
HTTP Regex and Filter List Blacklist Blocked enabled.
TCP idle countermeasure enabled.
TCP idle timeout set to "90".
Track Connections After Initial State enabled.
Minimum Request Bit Rate set to "200".
Time Period for Computing the Minimum Rate set to "60".
Minimum Time to Allow for Header Transmission set to "60".
SYN authentication countermeasure enabled.
SYN authentication timeout set to "60".
DNS authentication countermeasure enabled.
DNS authentication timeout set to "60".
DNS malformed countermeasure enabled.
HTTP request countermeasure enabled.
HTTP request limit set to "100".
HTTP object countermeasure enabled.
HTTP object limit set to "10".
Payload regular expression host blacklisting disabled.
HTTP malformed countermeasure enabled.
SIP malformed countermeasure enabled.
SIP request limiting countermeasure enabled.
SIP request limiting limit set to "100".
AIF Malware Family Blocking level set to "low".
HTTP malformed prevention level set to "low".
UDP reflection/amplification protection enabled.
UDP reflection/amplification host blacklisting enabled.
DNS UDP reflection/amplification protection enabled.
DNS UDP reflection/amplification additional match criteria set to "bytes 2049..65535".
Protection Prefixes set to "190.104.216.75/32".
Diversion Prefixes set to Protection Prefixes.

rallazetta on Sat Jul 18 23:02:48

Mitigation started.

rallazetta on Sat Jul 18 23:02:47


For assistance with this product, please contact soportecorporativo@metrotel.com.ar.
