Netscout University - Lab - DoS Host Alerts p2
Finished
Host Anomaly Detection
Lab Description
Review the key elements to differentiate a real attack from a false positive
Review the detection and classification process
Duration: 30 minutes
Platform: https://slvis1.ne.netscout.com/
Username: NE186
Password: Vafaseyu2!
⚠ Please ensure you read each step carefully before performing the required task in the order described.
1. Examining DoS Host alerts
Username: NE186
Password: Vafaseyu2!
2 In the menu, browse to the Alerts > DoS page and, using the search box or wizard if needed, search for alerts with the following characteristics:
Severity: High
Managed Object: SFPOP, Middlestate, Scouts, University
Alert Type: DoS Host
Need Help
You can find the complete search keyword list in the help, section: Acceptable search keywords and values for alerts. To search for a managed object, use the syntax mo:object-name.
Search String Suggestion: at:"DoS Host" sev:high mo:SFPOP,Middlestate,Scouts,University
3 By default, alerts are sorted by Start Time, the most recent listed first. You will study the most recent high alert. Find the following details for the most recent high alert listed:
ID
Duration
Importance
Target IP
Size in bps
Size in pps
https://cx.netscout.com/lab/464/EN 1/6
25/01/2023 12:13 Netscout University - Lab "DoS Host Anomaly Detection"
4 Click on the alert ID or Mini Graph of the alert you studied to open the alert details.
5 Answer the following questions if multiple misuse type thresholds were exceeded:
Need Help
Both the graph and the annotations (last tab) can help you get an idea of the alert timeline (misuse type triggering order).
6 At a glance, using the Alert Characterization table and Traffic Details tab, find the information relating to the alert IP sources:
Top 1 Country:
Top 2 Country:
7 Can you reliably use all of the previously collected top information to characterize your alert?
When looking at all the TOP X statistics, look at how much traffic each characteristic represents.
Example:
ASN 8075 (MICROSOFT-CORP) 9.62 Kpps / 29.42% = Significant
IP - 13.93.68.35/32 59.00 pps / 0.18% = Not Significant
8 At a glance, using the Alert Characterization table and Traffic Details tab, find the information relating to the alert IP sources:
9 Packet size distribution is a great tool to help you differentiate real attacks from false positives. If we assume the attack target IP is a DNS server, would the packet size distribution displayed in the alert (Summary tab) match a DNS query/response pattern?
10 Looking at the Routers tab, can you find through which interface most of the alert traffic was seen coming IN to your network?
Need Help
The Direction is shown on the Summary tab and can only be Incoming or Outgoing.
12 In your opinion, was this alert a real attack or a false positive? Write in a few words the key elements that helped you to conclude.
In a virtual training, send this and the alert ID chosen to your instructor via the WebEx chat function.
1 We assume that the following configuration is in place, globally and for a managed object called MSU.
3 If a host belonging to the MSU managed object is receiving 25,000 pps of ICMP traffic for 5 minutes, answer the following questions:
Will an alert be triggered? Yes No
Importance in %?
Make sure you also look at the configured start latency.
4 If a host belonging to the MSU managed object is receiving 65,000 pps of DNS traffic for 95 seconds, answer the following questions:
Will an alert be triggered? Yes No
Importance in %?
Make sure you also look at the configured start latency.
5 For the attack traffic from the previous question, if fast flood was enabled, would an alert have been triggered?
Attack size * Attack length = Attack volume
Attack: 65 000 pps * 95 seconds = 6.17M packets
Threshold: High Sev. Alert Threshold * 60 seconds = X packets
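As an added worked model (not Netscout code and not part of the lab), the two judgements this worksheet exercises: the Top-N significance check of step 7 and the threshold, start-latency and fast-flood reasoning of questions 3 to 5. The 10% significance cut-off, the threshold values and the trigger rules are constructed assumptions; only the 60-second window and the attack-volume comparison are taken from the worksheet.

```python
"""Worked model of the two judgements this lab exercises. Added example,
not Netscout code: the 10 % significance cut-off, the threshold values and
the trigger rules are constructed assumptions; the 60-second window and the
attack-volume comparison are the ones the worksheet writes out."""
from dataclasses import dataclass

SIGNIFICANT_SHARE_PCT = 10.0  # assumption: below this share a Top-N entry is noise


def contributor_share(contributor_pps: float, alert_pps: float) -> float:
    """Percent of the whole alert's traffic carried by one Top-N contributor."""
    return round(100.0 * contributor_pps / alert_pps, 2)


def is_significant(contributor_pps: float, alert_pps: float) -> bool:
    """Step 7: only contributors carrying a large share characterize the alert."""
    return contributor_share(contributor_pps, alert_pps) >= SIGNIFICANT_SHARE_PCT


@dataclass
class HostThreshold:
    """Constructed stand-in for a DoS Host misuse-type configuration."""
    pps: int                    # high-severity rate threshold (packets/s)
    start_latency_s: int        # seconds the rate must stay above pps
    fast_flood: bool = False
    fast_flood_window_s: int = 60  # window the worksheet multiplies by


def importance_pct(rate_pps: float, th: HostThreshold) -> float:
    """Assumption: importance = observed rate as a percentage of the threshold."""
    return round(100.0 * rate_pps / th.pps, 1)


def alert_triggers(rate_pps: float, duration_s: float, th: HostThreshold) -> bool:
    """Questions 3-5: does a host rate sustained for duration_s raise an alert?"""
    if rate_pps <= th.pps:
        return False                      # never above threshold: no alert
    if duration_s >= th.start_latency_s:
        return True                       # outlasted the start latency
    if th.fast_flood:
        # worksheet comparison: attack volume versus threshold * 60 s
        attack_volume = rate_pps * duration_s
        threshold_volume = th.pps * th.fast_flood_window_s
        return attack_volume >= threshold_volume
    return False                          # too short, fast flood off


def evaluate(rate_pps: float, duration_s: float, th: HostThreshold) -> dict:
    """One row of the worksheet: trigger decision plus importance."""
    return {"alert": alert_triggers(rate_pps, duration_s, th),
            "importance_pct": importance_pct(rate_pps, th)}
```

With a constructed alert total of 32,700 pps, the two step-7 figures on the page (29.42% and 0.18%) come out of contributor_share as shown.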
Well Done
You can click on the button below to report back to the trainer.
Tell us what you think of this lab and how it could be improved.
If you would like a copy of this lab, select either the Print or the Save Page As (Control-S) menu option from your browser's dropdown menu.