The Pocket Guide
 Arbor Security Products
       June 2023
Glossary                                                                 3
Hardware Appliance Overview
    Sightline
        ➔  Front Panel SP6000/7000/7500                                  5
        ➔  SP-6000                                                       5
        ➔  SP-7000                                                       5
        ➔  SP-7500                                                       6
        ➔  K-09A0X - Insight                                             6
    TMS
        ➔  TMS-2300                                                      6
        ➔  TMS-2600 & 2800                                               7
        ➔  TMS-5000                                                      7
        ➔  TMS-8100                                                      7
        ➔  HD-1000                                                       8
    APS/AED
        ➔  APS-2600 & 2800, APS Console 7000, AED-2600 & 2800           11
        ➔  AED-8100                                                     12
        ➔  AED-HD1000                                                   14
        ➔  NETSCOUT 3296 Inline Bypass Switch                           15
CLI Command Reference
        APS & AED                                                       16
        Sightline & TMS                                                 19
Mitigation
        TMS & APS/AED - FCAP Traffic Filtering                          24
        TMS & APS/AED - Regular Expression                              28
        TMS - Packet Header Filtering                                   30
        Other Types - BGP Flow Specification                            32
Appendix
        AED Countermeasure Sequence                                     33
        Sightline & ArbOS - REST API Matrix                             35
        Sightline & TMS - BGP Signaling Capabilities                    35
        Sightline Alert Search Keywords                                 36
        Personal Notes                                                  37
        Arbor Cloud Details                                             39
Page 2                                             CONFIDENTIAL & PROPRIETARY
                                                        Glossary
AED                     NETSCOUT® Arbor Edge Defense
AIF®                    NETSCOUT® ATLAS Intelligence Feed
AMS                     24/7 Arbor Managed Services
API                     Application Programming Interface
APM-E                   High Performance Packet Processing Card - NETSCOUT® Arbor TMS-5000 Series
APS                     NETSCOUT® Arbor Availability Protection System
ArbOS                   NETSCOUT® Arbor Operating System
AS | ASN                Autonomous System | Autonomous System Number (BGP)
ASERT                   NETSCOUT® Arbor Security Engineering & Research Team
ATAC                    NETSCOUT® Arbor Technical Assistance Center
BGP                     Border Gateway Protocol - inter-domain routing protocol
BLO                     Blacklist Offloading via BGP FlowSpec or OpenFlow from Arbor TMS
bpp                     Bytes per packet
Bypass                  In Bypass mode, all packets received on one port are forwarded unchanged to the adjacent port; traffic is not inspected
CAM                     Cryptographic Acceleration Module for AED-2600/2800 or APS-2600/2800
CLDAP                   Connectionless Lightweight Directory Access Protocol (LDAP over UDP)
CLI                     NETSCOUT® Arbor Command Line Interface, available via Console or SSH connection
Cloud Signaling | CLD   Dynamic signaling between an on-premise APS or AED and a cloud-based DDoS mitigation service
Community               BGP communities - Capability for tagging routes and for modifying BGP routing policy
DDoS                    Distributed Denial of Service
DNS                     Domain Name System - resolves names into IP addresses
DS                      NETSCOUT® Arbor Sightline - Data Storage Appliance
DSCP                    Differentiated Services Code Point - Quality of Service (QoS) marking in the IP header
EOM                     NETSCOUT Software Status: End of Maintenance
EOS                     NETSCOUT Software Status: End of Support
FCAP                    (Flow Capture) fingerprint expression language
Flow                    Record of a traffic conversation: client and server IP addresses, protocol, ports, and so on
FlowSpec                BGP Flow Specification - signals IP traffic match parameters together with an action to be performed, between two devices
Fragment                Breaking an IP packet into smaller pieces (fragments)
GA                      NETSCOUT Software Status: General Availability
GLBP                    Gateway Load Balancing Protocol
HSM                     Hardware Security Module
HSRP                    Hot Standby Router Protocol - automatic default gateway redundancy
HTTP                    Hypertext Transfer Protocol
ICMP                    Internet Control Message Protocol - carries error messages and operational information within a network
IOC                     Indicator of Compromise - an artifact (such as an IP address, domain or file hash) that identifies a threat
IPMI                    Intelligent Platform Management Interface - out-of-band management interface that operates independently of the host OS
IPSEC                   IP Security - group of protocols to authenticate and encrypt communication between two devices
ISAKMP                  Internet Security Association and Key Management Protocol
L2TP                    Layer Two Tunneling Protocol
Leader                  NETSCOUT Sightline - Central management function within a Deployment
LR                      Long Range transceiver optics - mostly single-mode fibre connections
MCM-C                   Management Card - NETSCOUT® Arbor TMS-4000 and TMS-5000 Series
mDNS                    Multicast DNS
MemCache                General-purpose distributed memory-caching system
MGT                     Management interfaces on a NETSCOUT® Arbor TMS appliance or APS appliance
MM                      Management Card - NETSCOUT® Arbor HD-1000
mode active             APS/AED inspects traffic and enforces its decisions on the traffic (blocks)
mode inactive           APS/AED inspects traffic and only simulates its decisions (reports what would be blocked, without blocking)
MPO                     Multi-fiber Push On - type of optical connector
NetBIOS                 Network Basic Input/Output System - enables applications on different computers to communicate
NTP                     Network Time Protocol
NXDOMAIN                DNS response code: non-existent domain name
PG | Protection Group   Group of IP addresses that will be protected in the same way
PPM                     High Performance Packet Processing Card - NETSCOUT® Arbor HD-1000
Profile Capture         Learning mode of rate-based protections
Protection              Available check on traffic, or on a source IP sending traffic, through the APS/AED
PSM                     Switch and Control Blade - NETSCOUT® Arbor TMS-4000 and TMS-5000 Series
QinQ                    IEEE 802.1ad - allows multiple VLAN tags to be stacked in a single frame
QSFP+                   Quad (4-channel) Small Form-factor Pluggable optics transceiver - 4 x 10 Gbit/s
QSFP28                  Quad Small Form-factor Pluggable 28 - 4-channel transceiver designed for 100G applications
RADIUS                  Remote Authentication Dial-In User Service - provides Authentication, Authorization & Accounting
Regex                   Regular expression
RFC                     Request for Comments - IETF
RIPv1                   Routing Information Protocol Version 1
rpcbind                 Remote Procedure Call port-mapping service
RT                      BGP Extended Community - Route Target
SFP | SFP+              Small Form-factor Pluggable - pluggable network interface module (SFP+ for 10 GbE)
Sightline               NETSCOUT® Arbor Sightline
SIP                     Session Initiation Protocol - signaling for voice, video and messaging sessions
SM0, SM1                Switch Module + Shelf Manager + Line Card - NETSCOUT® Arbor HD-1000
SMB                     Server Message Block - file server protocol
SMTP                    Simple Mail Transfer Protocol
SNMP                    Simple Network Management Protocol
SOAP                    Simple Object Access Protocol - messaging protocol specification for exchanging structured information
SQL                     Structured Query Language - used to access and manage databases
SR                      Short Range transceiver optics - mostly multi-mode fibre connections
SSDP                    Simple Service Discovery Protocol
SSH                     Secure Shell
SSL                     Secure Sockets Layer - deprecated predecessor of TLS for encrypted connections
ST | Server Type        Group of protection settings that are applied to certain IP addresses
STIX                    Structured Threat Information eXpression - standardized language for describing cyber threat information
TACACS                  Terminal Access Controller Access-Control System - authentication protocol
TAXII                   Trusted Automated eXchange of Indicator Information - transport for sharing cyber threat information (STIX)
TCP                     Transmission Control Protocol - connection-oriented transport; defines how to establish and maintain a network conversation
Telnet                  Bidirectional interactive text-oriented communication protocol (unencrypted)
TFTP                    Trivial File Transfer Protocol
TLS                     Transport Layer Security - successor of the deprecated SSL; standard for encrypted connections
TMS                     NETSCOUT® Arbor TMS - Threat Mitigation System
TRA                     NETSCOUT® Arbor Sightline - Traffic & Routing Analysis Appliance
UDP                     User Datagram Protocol - connectionless transport protocol, primarily used for low-latency applications
UI                      NETSCOUT® Arbor Sightline - User Interface Appliance
USB                     Universal Serial Bus; attached storage must be FAT formatted
VGA                     Video Graphics Array – monitor or display interface
VRF                     Virtual Routing and Forwarding – Logical routing instance
WS-Discovery            Web Services Dynamic Discovery
ZTP                     Zero Touch Provisioning
                                  Hardware Appliances Overview
Front Panel SP6000/7000/7500
         1   Power button
         2   System reset button
         3   Chassis information LED
         4   Fan status LED
         5   Critical alarm LED
         6   Major alarm LED
         7   NMI (non-maskable interrupt) button
         8   Chassis ID button
         9   NIC1/NIC2 activity LED
        10   Hard drive activity LED
        11   Power alarm LED
        12   Minor alarm LED
        13   RJ45 serial console port
        An alarm LED that is blinking green, solid amber, or solid red indicates an error condition.
SP-6000
        1   DB-9 serial console port: 9600/8-N-1                    5    Ethernet ports (eth1-eth3, top to bottom)
        2   VGA connector                                           6    Ethernet ports (eth4-eth11)
        3   Ethernet port (eth0)                                    7    AC power supply
        4   4x USB ports (USB2.0)
SP-7000
         1   VGA connector
         2   2x USB ports (USB2.0)
         3   Not supported
         4   2x USB ports (USB3.0)
         5   Ethernet ports (eth0, left and eth1, right)
         6   2x 10GbE fiber Ethernet ports (eth6 and eth7)
         7   4x 1GbE copper Ethernet ports (eth2-eth5)
         8   2x ground studs for DC input
         9   Power supply 2 (DC shown). Pin 1 (bottom) ground, pin 2 (middle) -48Vdc terminal and pin 3 (top) return terminal
        10   Power supply 1 (AC shown). Either two AC or two DC power supplies
         !   Front RJ-45 serial console: 9600/8-N-1
SP-7500
         1   VGA connector
         2   USB1 (top), USB2 (bottom) (USB3.0)
         3   Not supported
         4   USB3 (top), USB4 (bottom) (USB3.0)
         5   eth0: 10GBASE-T Ethernet (1G or 10G)
         6   eth1: 10GBASE-T Ethernet (1G or 10G)
         7   4x 10GbE SFP+ copper/fiber (eth2-eth5)
         8   2x ground studs for DC input
         9   Power supply 2 (DC shown). Pin 1 (bottom) ground, pin 2 (middle) -48Vdc terminal and pin 3 (top) return terminal
        10   Power supply 1 (AC shown). Either two AC or two DC power supplies
         !   Front RJ-45 serial console: 115200/8-N-1
K-09A0X - Insight
         1       Power supply (AC model)                              5     Public-1 Interface
         2       IPMI - Remote Mgmt Port                              6     Private-1 Interface
         3       4x USB ports                                         7     Private-0 Interface
         4       VGA Port                                             8     Public-0 Interface
TMS-2300
             1    DB-9 serial console port: 9600/8-N-1      5   Management Ethernet ports (mgt1-mgt3, top to bottom)
             2    VGA connector                             6   Ethernet ports (tmsx0 and tmsx1) - Mitigation only
             3    Management Ethernet port (mgt0)           7   Ethernet ports (tmsx2 - tmsx5) - Mitigation only
             4    4x USB ports (USB2.0)                     8   AC power supply
TMS-2600 & 2800
         1   VGA connector
         2   2x USB ports (USB2.0)
         3   Not supported
         4   2x USB ports (USB3.0)
         5   Management Ethernet port (mgt0)
         6   Management Ethernet port (mgt1)
         7   8x 10GbE Ethernet ports (tms0..7) and 4x 1GbE copper Ethernet ports (tms8..11)
         8   2x ground studs for DC input
         9   Power supply 2 (DC shown). Pin 1 (bottom) ground, pin 2 (middle) -48Vdc terminal and pin 3 (top) return terminal
        10   Power supply 1 (AC shown). Either two AC or two DC power supplies
         !   Front RJ-45 serial console: 9600/8-N-1
TMS-5000
TMS-8100
         1   VGA connector
         2   USB1 (top), USB2 (bottom) (USB3.0)
         3   Not supported
         4   USB3 (top), USB4 (bottom) (USB3.0)
         5   mgt0: 10GBASE-T Ethernet (1G or 10G)
         6   mgt1: 10GBASE-T Ethernet (1G or 10G)
         7   8x 10GbE SFP+ (tms0..7), 8x 1GbE SFP (tms8..15)
         8   2x ground studs for DC input
         9   Power supply 2 (DC shown). Pin 1 (bottom) ground, pin 2 (middle) -48Vdc terminal and pin 3 (top) return terminal
        10   Power supply 1 (AC shown). Either two AC or two DC power supplies
         !   Front RJ-45 serial console: 115200/8-N-1
HD-1000
     Front panel with SM0/SM1 modules
         1   RJ-45 serial console port SM0: 9600/8-N-1
         2   4x 10GbE ports (tms0.0-tms0.3) SFP+ SR/LR
         3   4x 10GbE ports (tms0.4.0-tms0.4.3) QSFP+ SR/LR with breakout cable
         4   1x 1GbE Management Ethernet port (mgt0)
         5   RJ-45 serial console port SM1: 9600/8-N-1
         6   4x 10GbE ports (tms1.0-tms1.3) SFP+ SR/LR
         7   4x 10GbE ports (tms1.4.0-tms1.4.3) QSFP+ SR/LR with breakout cable
         8   1x 1GbE Management Ethernet port (mgt1)
     Front panel with SM-320G-0/SM-320G-1 modules
         1   RJ-45 serial console port SM-320G-0: 9600/8-N-1
         2   1x 100GbE port (tms0.0) QSFP28 (SR4 or LR4)
         3   4x 10GbE ports (tms0.1.0-tms0.1.3) QSFP+ SR4/LR4 with breakout cable
         4   1x 100GbE port (tms0.2) QSFP28 (SR4 or LR4)
         5   1x 1GbE Management Ethernet port (mgt0)
         6   RJ-45 serial console port SM-320G-1: 9600/8-N-1
         7   1x 100GbE port (tms1.0) QSFP28 (SR4 or LR4)
         8   4x 10GbE ports (tms1.1.0-tms1.1.3) QSFP+ SR4/LR4 with breakout cable
         9   1x 100GbE port (tms1.2) QSFP28 (SR4 or LR4)
        10   1x 1GbE Management Ethernet port (mgt1)
     DC Power Connection
         Obtain four DC power cables and four crimp terminals (two of each per DC PSU). #8 AWG THHN 90 °C rated cable and
         Panduit LCBX8-10F-L crimp terminals are recommended. DC cables and crimp terminals are not available from NETSCOUT.
Chassis containing PPM-20G (max. 160G throughput)
Chassis containing PPM-50G (max. 400G throughput)
        Mixing PPM-20G and PPM-50G within the same chassis requires the
                 1500W power supplies and Sightline Release 9.0
Comparison between PPM-20G and PPM-50G
HD-1000 - Manual Start-up and Shutdown
This insert describes how to manually start up and shut down the TMS HD1000 appliance using the chassis power button. It also
tells you how the LEDs on the front and rear panels appear during a manual start-up and shutdown.

The LEDs are on the chassis faceplate and on the faceplate of each module in the chassis. The modules include SM0, SM1, MM,
and all PPMs. To locate these modules, see the front panel and rear panel illustrations in this Quick Start Card.

If you have difficulty with manual start-up or shutdown, contact the Arbor Technical Assistance Center
(https://support.arbor.net).

Initial Start-Up
When you connect facility power to the TMS HD1000, the appliance starts up automatically. You do not have to press the chassis
power button to start it up manually.

Clean Manual Shutdown
To perform a clean manual shutdown, press and quickly release the chassis power button. A clean shutdown takes up to five
minutes to complete. The LEDs appear as follows before, during, and after the clean shutdown (LED state table not captured in
this text):

Fast Manual Shutdown
IMPORTANT: Before you do a fast manual shutdown, first try a clean manual shutdown. A clean shutdown helps preserve data
integrity.
To perform a fast manual shutdown, press and hold the chassis power button for four seconds. All components shut down
immediately. The LEDs appear as follows before and after the fast shutdown (LED state table not captured in this text):
Note: After a fast shutdown, the red CRT (critical alarm) LED on the chassis turns on.

Start-up after Shutdown
If power is connected to the TMS HD1000 but the green power LEDs are off, the appliance is off. To restart the appliance
manually, press and quickly release the chassis power button. The LEDs appear as follows during manual start-up (LED state
table not captured in this text):

Note: The LED sequences in the tables are based on the PPM-20G; the order of the LEDs on the PPM-50G is reversed.
APS-2600 & 2800, APS Console 7000, AED-2600 & 2800
    Front Panel
         1   Power button
         2   System reset button
         3   Chassis information LED
         4   Fan status LED
         5   Critical alarm LED
         6   Major alarm LED
         7   NMI button
         8   Chassis ID button
         9   NIC1/NIC2 activity LED
        10   HDD activity LED
        11   Power alarm LED
        12   Minor alarm LED
        13   RJ-45 serial console: 9600/8-N-1
    Generic Chassis Overview
         1   VGA connector
         2   USB0 (bottom) and USB1 (top)
         3   Remote Management NIC - NOT SUPPORTED
         4   USB2 (bottom) and USB3 (top)
         5   Management Ethernet port (mgt0)
         6   Management Ethernet port (mgt1)
         7   1GbE (fiber or copper) or 10GbE fiber ports
         8   4x 1GbE ports, copper (or fiber)
         9   2x ground studs for DC input
        10   Power supply 2 (DC module shown). The -48V terminals are on the top and the return terminals (+) are on the bottom.
        11   Power supply 1 (AC model shown). Either two AC or two DC power supplies
         !   Front RJ-45 serial console: 9600/8-N-1
    Supported NIC Configuration for AED-2800
     !   Please note the slot distribution shown below; it must be strictly followed.

     Configuration                        Slot 1     Slot 2     Slot 6     Slot 7
     One or two 10 GbE                    10 GbE     Not used   10 GbE     Not used
     Two 10 GbE + one 1 GbE               10 GbE     Not used   10 GbE     1 GbE
     One or two 40 GbE                    40 GbE     Not used   40 GbE     Not used
     One 40 GbE + one or two 10 GbE       40 GbE     10 GbE     10 GbE     Not used
AED-8100
     Front Panel
         1   Power button
         2   System reset button
         3   Chassis information LED
         4   Fan status LED
         5   Critical alarm LED
         6   Major alarm LED
         7   NMI button
         8   Chassis ID button
         9   NIC1/NIC2 activity LED
        10   HDD activity LED
        11   Power alarm LED
        12   Minor alarm LED
        13   RJ-45 serial console: 115200/8-N-1
     Generic Chassis Overview
         1   VGA connector
         2   USB0 (bottom) and USB1 (top)
         3   Remote Management NIC - NOT SUPPORTED
         4   USB2 (bottom) and USB3 (top)
         5   10GBASE-T Management Ethernet port (mgt0)
         6   10GBASE-T Management Ethernet port (mgt1)
         7   Protection ports (see supported NIC configuration)
         8   2x ground studs for DC input
         9   Power supply 2 (DC module shown). The -48V terminals are on the top and the return terminals (+) are on the bottom.
        10   Power supply 1 (AC model shown). Either two AC or two DC power supplies
         !   Front RJ-45 serial console: 9600/8-N-1
    Supported NIC Configuration for AED-8100
     !   Please note the slot distribution shown below; it must be strictly followed.

     Configuration                        Slot 1              Slot 2              Slot 6     Slot 7
     One, two or three 1 GbE              1 GbE               Not used            1 GbE      1 GbE
     One or two 10 GbE                    10 GbE (optional)   Empty               10 GbE     Not used
     One 10 GbE + one or two 1 GbE        1 GbE               1 GbE (optional)    10 GbE     Not used
     Two 10 GbE + one 1 GbE               10 GbE              Not used            10 GbE     1 GbE
     One or two 40 GbE                    40 GbE (optional)   Not used            40 GbE     Not used
     One 40 GbE + one or two 10 GbE       10 GbE              10 GbE (optional)   40 GbE     Not used
AED-HD1000
         1   RJ-45 serial console port SM-320G-0: 9600/8-N-1
         2   1x 100GbE port (ext0) QSFP28
         3   4x 10GbE ports (ext2/int2, ext3/int3) QSFP+ with breakout cable
         4   1x 100GbE port (int0) QSFP28
         5   1x 1GbE Management Ethernet port (mgt0)
         6   RJ-45 serial console port SM-320G-1: 9600/8-N-1
         7   1x 100GbE port (ext1) QSFP28
         8   4x 10GbE ports (ext4/int4, ext5/int5) QSFP+ with breakout cable
         9   1x 100GbE port (int1) QSFP28
        10   1x 1GbE Management Ethernet port (mgt1)
     AED-HD1000 Port Numbering
     AED-HD1000 Slot Numbering
NETSCOUT 3296 Inline Bypass Switch
         1   Module bays no. 1 (left), no. 2 (right)
         2   Segment bypass status LED (on = inline, off = bypass)
         3   USB port for power and bypass heartbeat link
         4   Power LED (green = ok)
         5   Module bays no. 3 (left), no. 4 (right)
         6   Bypass module: 3296-SG-MMPO-2B
         7   Bypass module: 3296-SG-MM-2B
         8   Bypass module: 3296-SG-SM-2B (100 GbE)
         9   Bypass module: 3296-SG-SM-2B (10 GbE) - same module with 10 GbE instead of 100 GbE
    NETSCOUT 3296 Modules - cables per bypass module
    3296-SG-MMPO-2B
         • Two Ethernet patch cables
         • Two 100 GbE multi-mode fiber optic cables, SR4 with MPO connectors
    3296-SG-MM-2B
         • Four Ethernet patch cables
         • One 4 x 10 GbE multi-mode MPO fiber optic cable, SR4 with LC breakout connectors
    3296-SG-SM-2B (100 GbE bypass module)
         • Two or four Ethernet patch cables
         • Two or four 100 GbE single-mode fiber optic cables, LR4 with LC connectors
    3296-SG-SM-2B (10 GbE bypass module)
         • Four Ethernet patch cables
         • One 4 x 10 GbE single-mode MPO fiber optic cable, PLR4 with LC breakout connectors
Command Reference - APS & AED

   Global System
 / help global or help or ?                                    see available command sub-options
 / users                                                       list all CLI users connected to the appliance
 / clock or clock set YYYY-mm-dd HH:MM:SS                      show or set the system clock
 / config show                                                 show only the running ArbOS configuration
 / config write                                                save the current configuration

   Remote Access
 / ip access show                                              show active and inactive IP access rules
 / ip access add proto int source-ip                           add an IP access rule for remote access by protocol, ingress
                                                               interface and source IP address or range;
                                                               proto: bgp, cloudsignaling, https, ping, snmp, ssh
 / ip access delete proto int source-ip                        delete an IP access rule
 / ip access commit                                            commit inactive IP access rules (issue config write if the
                                                               changes should persist after a reboot)

   IP + Interface - Configuration and Verification
 / ip arp show                                                 show ARP entries (management interfaces only)
 / ip route show                                               show IP routing configuration
 / ip route add default next-hop-ip                            add the default gateway
 / ip route add network/mask next-hop-ip                       add a static route
 / ip interface show [brief|name]                              show network interface configuration; the option brief gives a
                                                               table-formatted output, or specify an interface name
 / ip interface identify int [sec]                             identify the appliance by activating the identification LED on a
                                                               MGT port
 / ip interface ifconfig name up|down                          administratively enable or disable an interface
 / ip interface ifconfig name ip/mask                          configure the IP address on a management interface
 / ip interface ifconfig name ip/mask alias                    configure an alias/secondary IP address on a management interface
 / ip interface vlan int vlan-id                               add a VLAN subinterface on a management interface (mgt0, mgt1)
 / ip interface media name                                     check physical interface settings of management or mitigation
                                                               interfaces
 / ip interface media name speed 10|100|1000 duplex full|half
                                                               configure physical interface settings of management and also
                                                               mitigation interfaces (≤ 5.9)
 / ip interface media name mtu value                           set the interface MTU, supported values 1500..9216 bytes (≤ 5.9)
 / services aed mitigation vlan-qinq show|enable|disable       show, enable or disable VLAN Q-in-Q tag support (≥ 6.2)
 / services aed mitigation vlan-qinq ethertype type            set the ethertype used when the AED generates its own packets (≥ 6.2)
 / services aps|aed mitigation interface media name speed 10|100|1000 duplex full|half
                                                               configure interface settings of mitigation interfaces (≥ 5.10)
 / services aps|aed mitigation interface media name mtu value
                                                               set the interface MTU, supported values 1500..9216 bytes (≥ 5.10)
 / services aps|aed mitigation interface media int auto        remove all interface-specific settings, e.g. after hardware changes (≥ 6.5)
 / services aps|aed mitigation interface int ip/mask           set the IP address on a mitigation interface, only available in L3 mode
 / services aps|aed mitigation route add net nexthop           add a static route for a protection interface, only available in L3 mode
 / system hardware interface name                              show protection interface settings (≥ 6.0)
 / system hardware interface name pause-frame                  show protection interface pause parameters (≥ 6.0)
 / system hardware interface name dump-regs                    show protection interface register information (≥ 6.0)
 / ip interface counter [name]                                 show interface counters
 / ip interface counter [name] clear                           clear interface counters

   System Initialization
 / services aps|aed database initialize                        initialize the APS. Warning: all data will be lost!
 / services aps-console data initialize                        initialize the APS Console. Warning: all data will be lost!
   License Management and AIF
 / system license set Pravail, AED or APS-CONSOLE …           configure the appliance license with its type
 / system license set ASERT …                                  configure the AIF license
 / system license show                                         show installed licenses (incl. types and validity period)
 / services aps|aed aif version show                           show installed AIF packages and their versions
 / services aps|aed aif url set|show|clear                     configure the AIF update source

   Service and System Verification
 / services aps|aed show|start|stop                            show status, start or stop the software on the APS appliance
 / services aps-console show|start|stop                        show status, start or stop the software on the APS Console appliance
 / services ssh show                                           show SSH configuration and status
 / services ntp show                                           show NTP configuration and status
 / services dns show                                           show DNS service details
 / system show                                                 show general system information
 / system file show                                            show installed software packages
 / system file check                                           check installed package integrity
 / system file directory disk:                                 list contents of the local file system
 / system file copy disk:filename …                            copy a file to or from the device via ftp, http, https or scp

   CLI System Configuration Commands
 / system banner set                                           configure a specific banner for console and SSH connections
 / system timezone set zone                                    set the time zone of the device (also available in the UI)
 / system name set name                                        configure the device name
 / system idle set minutes                                     configure the idle timeout for console and SSH connections
 / services aed manager bind/unbind/test/show secret key       attach the AED to Arbor Enterprise Manager (AEM) (≥ 7.0.0)
 / services aps|aed cloud mode set normal/redundant            behaviour when two or more AEDs signal to the same cloud provider:
                                                               normal: the CS mitigation ends when traffic falls below the threshold
                                                               redundant: the CS mitigation must be deactivated manually
 / services aps|aed mode set inline|monitor                    switch between the Arbor Networks APS deployment modes
 / services aps|aed bypass show                                show bypass configuration
 / services aps|aed bypass disable                             disable hardware bypass
 / services aps|aed bypass fail closed|open                    configure the hardware bypass failure mode
 / services aps|aed bypass software enabled|disabled           enable or disable software bypass
 / services aps|aed bypass force closed|open                   force the hardware bypass to fail open or closed
 / services aps|aed protection show                            show protection configuration
 / services aps|aed protection reset option ST level           reset a protection configuration value to its factory default
 / services aps|aed protection set option ST level value       modify the protection configuration:
                                                                 option: connlimit.blacklist_enabled, connlimit.max_conn,
                                                                         idle.header_time, idle.rate_interval,
                                                                         tls.clients_can_alert, tls.early_whitelist,
                                                                         tls.max_cipher_suites, tls.max_extensions, …
                                                                     ST: server type name
                                                                  level: low, medium or high
                                                                  value: value to apply
                                                               Please consult Arbor if you are unsure about the effects of
                                                               changing any of the above advanced parameters.

   Sharing temporary blocked sources (AED 8100 only)
 / services aed standby enable|disable|clear                   enable, disable or clear sharing of temporarily blocked sources
 / services aed standby set host apiToken                      specify the hostname or IP of the standby AED and the API token

   Device Authentication and API access
 / services aaa show                                           show AAA configuration, status and local accounts
 / services aaa radius …                                       configure a RADIUS server for user authentication
 / services aaa tacacs …                                       configure a TACACS server for user authentication
 / services aaa method set local radius tacacs                 configure the authentication sequence
 / services aaa method exclusive enable/disable                with exclusive authentication enabled, if the TACACS+ server is
                                                               operational but the user does not have a TACACS+ account, that
                                                               user cannot log in at all; the APS only tries the next method
                                                               listed if the TACACS+ server is not operational or is
                                                               unreachable on the network
 / services aaa local password admin interactive               change the password of the admin account by typing it twice into
                                                               the CLI
 / services aaa local apitoken show                            show manually generated tokens for REST API usage
 / services aaa local apitoken generate user description       generate a new REST API token
 / services aaa local apitoken remove token                    remove a REST API token from the system
 / services aaa local apitoken clear                           remove all REST API tokens from the system
   https://aps-hostname/api/aps/doc/v1/endpoints.html          online documentation of the REST API on the APS appliance
   https://aps-hostname/api/aps/doc/v2/endpoints.html          online documentation of the REST API on the APS appliance (≥ 5.12)
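The exclusive fall-through rule described above, as an added example that is not from the guide and not Arbor's code: a small Python model of the authentication sequence in which method names, accounts and server reachability are constructed, and the assumption that a rejection falls through to the next method when exclusive mode is off is the model's, not the guide's.

```python
# Added example (not from the Pocket Guide, not Arbor's code): models the
# login decision behind "services aaa method set ..." together with
# "services aaa method exclusive enable|disable". All accounts, method
# names and reachability flags below are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"            # server reachable and credentials valid
    REJECT = "reject"            # server reachable, unknown user or wrong password
    UNREACHABLE = "unreachable"  # server not operational or not reachable on the network


@dataclass
class AuthMethod:
    """One entry of the configured authentication sequence (local, radius, tacacs)."""
    name: str
    reachable: bool = True
    accounts: dict = field(default_factory=dict)  # user -> password (constructed)

    def check(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.UNREACHABLE
        if self.accounts.get(user) == password:
            return Outcome.ACCEPT
        return Outcome.REJECT


def login(sequence: list, user: str, password: str, exclusive: bool):
    """Walk the method sequence in configured order.

    Returns (granted, deciding_method, trail). With exclusive mode a reachable
    server's rejection is final and only an unreachable server lets the next
    method be tried, as the guide states for TACACS+. Without exclusive mode
    this model assumes a rejection falls through to the next method.
    """
    trail = []
    for method in sequence:
        outcome = method.check(user, password)
        trail.append((method.name, outcome.value))
        if outcome is Outcome.ACCEPT:
            return True, method.name, trail
        if outcome is Outcome.REJECT and exclusive:
            return False, method.name, trail
        # UNREACHABLE (both modes) or REJECT without exclusive: try the next method
    return False, None, trail


def scenarios():
    """Constructed deployment: sequence 'tacacs local'; alice exists on TACACS+ only,
    bob and admin exist locally only."""
    def fresh(tacacs_up: bool):
        return [
            AuthMethod("tacacs", reachable=tacacs_up, accounts={"alice": "a-pass"}),
            AuthMethod("local", accounts={"admin": "admin-pass", "bob": "b-pass"}),
        ]

    return {
        # bob has no TACACS+ account: exclusive denies, non-exclusive falls back to local
        "bob_exclusive_tacacs_up": login(fresh(True), "bob", "b-pass", exclusive=True),
        "bob_fallthrough_tacacs_up": login(fresh(True), "bob", "b-pass", exclusive=False),
        # TACACS+ unreachable: both modes continue with the next method
        "bob_exclusive_tacacs_down": login(fresh(False), "bob", "b-pass", exclusive=True),
        # alice authenticates on TACACS+ in either mode
        "alice_exclusive_tacacs_up": login(fresh(True), "alice", "a-pass", exclusive=True),
        # a wrong password for a known TACACS+ user is also final in exclusive mode
        "alice_wrong_pw_exclusive": login(fresh(True), "alice", "nope", exclusive=True),
    }


if __name__ == "__main__":
    for name, (granted, by, trail) in scenarios().items():
        print(f"{name:28} granted={granted!s:5} by={by} trail={trail}")
```

The point for the operator: with exclusive mode on, a local account is no reserve for a user that the reachable TACACS+ server does not know, so a break-glass login must rely on the server becoming unreachable, not on falling back.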
   Crypto Support
 / system hsm key show|import|remove                           show, import or remove a key from the HSM module
 / system hsm init officer-name user-name fips|non-fips persist|nopersist
                                                               initialize the HSM: set the Crypto Officer and Crypto User usernames,
                                                               select FIPS mode and select whether the credentials are persistent
 / system hsm services authorize|deauthorize                   authorize or deauthorize the HSM module
 / system hsm stats                                            show statistics on HSM module operation
 / system hsm zeroize                                          zeroize/remove all information from the HSM module
 / system crypto keys local initialize                         initialize the CAM module (≥ 6.2.1)
 / system crypto keys local import label disk:|usb:filename    import crypto keys into the CAM module (≥ 6.2.1)
 / system crypto keys local remove label                       remove a crypto key by label from the CAM module (≥ 6.2.1)
 / system crypto keys local zeroize                            zeroize/remove all information from the CAM module (≥ 6.2.1)
 / system crypto hardware                                      show hardware and software details of the CAM module (≥ 6.2.1)
 / system crypto stats                                         show statistics on CAM module operation (≥ 6.2.1)
 / service aed crypto authorize                                authorize the CAM module (≥ 6.2.1)
 / service aed crypto show                                     show the operational status of the CAM module (≥ 6.2.1) and the TLS proxy
 / service aed crypto pg associate [keyName] [pgName] host     associate a key with a PG (≥ 6.4.0):
                                                               keyName: name of the key
                                                               pgName: name of a PG
                                                               host: fully qualified domain name (FQDN) of the SNI host; must
                                                               match the common name in the certificate
 / service aed crypto pg list                                  list the keys and their associations (≥ 6.4.0)
 / service aed crypto pg disassociate [keyName] [pgName]       disassociate a key from a single PG or from all PGs (≥ 6.4.0)
 / services crypto cert_stats show [startTime endTime] [certs]
                                                               statistics of passed traffic for each SSL certificate;
                                                               [startTime endTime]: statistics covering a UTC time period
                                                               (format: YYYY-MM-DDTHH:MM:SS, default last 24h)
                                                               [certs]: the number of certificates to return (default 10)

   Troubleshooting
 / traceroute, traceroute6                                     trace the route to a host for IPv4 or IPv6 (non-mitigation interfaces)
 / ping, ping6                                                 ping a network host for IPv4 or IPv6 (non-mitigation interfaces)
 / ip interface snoop interface filter                         watch traffic on a MGT interface (filter = PCAP expression)
 / system diagnostics                                          create a diagnostics package; please provide it in case of a support
                                                               ticket with ATAC
 / services logging show                                       show available log files
 / services logging view syslog options                        view system-internal syslog messages
 / system hardware                                             show hardware details: CPU, memory, SN, …
 / system disk show                                            show system disk configuration
Command Reference - Sightline & TMS
   The four marks at the right of each command show the appliance types on which it is available, in the
   order UI, Leader, TRA/DS, TMS (✓ = available, - = not available).

   Global System
 / help global or help or ?                              see available command sub-options                            -  ✓  ✓  ✓
 / users                                                 list all CLI users connected to the appliance                 -  ✓  ✓  ✓
 / clock                                                 show or set the system clock                                  -  ✓  ✓  ✓
 / config show                                           show the running configuration                                -  ✓  ✓  ✓
 / config write or revert                                save or revert the current configuration                      -  ✓  ✓  ✓
 / config clear                                          clear the config on a TMS to restart the ZTP process (≥ 8.2)  -  -  -  ✓
 / config rcs diff|history|show                          show configuration commit history (≤ 9.2)                     ✓  -  -  -

   Remote Access
 / ip access show                                        show active and inactive IP access rules                      -  ✓  ✓  ✓
 / ip access add proto int source-ip                     add an IP access rule for remote access by protocol, ingress  -  ✓  ✓  ✓
                                                         interface and source IP address or range;
                                                         proto: bgp, cloudsignaling, https, ping, snmp, ssh, ...
 / ip access delete proto int source-ip                  delete an IP access rule                                      -  ✓  ✓  ✓
 / ip access commit                                      commit inactive IP access rules (plus config write to         -  ✓  ✓  ✓
                                                         persist across a reboot)

   System Initialization
 / services sp bootstrap leader ip secret role           configure the device as a leader                              ✓  -  -  -
                                                         ip: own management IPv4 address
                                                         secret: shared zone secret
                                                         role: PI, CP
 / services sp bootstrap non-leader ip secret role       configure the device as a non-leader (≤ 9.0.2)                -  ✓  ✓  -
                                                         ip: IPv4 address of the leader
                                                         secret: shared zone secret
                                                         role: PI, BI or CP
 / services sp bootstrap non-leader ip own-ip secret role
                                                         configure the device as a non-leader (≥ 9.0.2)                -  ✓  ✓  -
                                                         ip: IPv4 address of the leader
                                                         own-ip: IPv4 address of this device
                                                         secret: shared zone secret
                                                         role: PI, BI, CP or AC (AC: ≥ 9.4.0.0)
 / services tms bootstrap ip secret                      configure a TMS                                               -  -  -  ✓
                                                         ip: IPv4 address of the leader
                                                         secret: shared zone secret

   IP + Interface Configuration and Verification
 / ip arp show                                           show ARP entries (management interfaces only)                 -  ✓  ✓  ✓
 / ip route show                                         show IP routing configuration                                 -  ✓  ✓  ✓
 / ip interface show [brief]                             show network interface configuration                          -  ✓  ✓  ✓
 / ip interface counter int [clear]                      show or clear interface counters                              -  -  -  ✓
 / ip interfaces ring_rx_buf_size intf rx-buf-size       set the interface rx buffer size (≥ 9.0)                      -  ✓  ✓  -
 / ip interfaces ifconfig int ip/M state                 set interface IP address/mask and interface state (≥ 9.2)     -  ✓  ✓  ✓
 / ip interfaces ifconfig int dhcp enable|disable        enable or disable DHCP on a management interface              -  ✓  ✓  ✓
 / ip interface show sfp                                 show SFP details (≥ 9.4.0.0)                                  -  ✓  ✓  ✓
 / system hardware sfp                                   show SFP details (< 9.4.0.0)                                  -  -  -  ✓
 / system hardware interface name pluggable-module-info  show SFP/SFP+ details (≥ 9.1 and < 9.4.0.0)                  -  -  -  ✓
 / system hardware interface name pause-frames           show interface pause frame settings (≥ 9.1)                   -  -  -  ✓
 / system hardware interface name dump-regs              dump registers from the interface hardware (≥ 9.1)            -  -  -  ✓
 / system hardware 10g-mgmt show/enable/disable          flip 10G interfaces from mitigation to management (≥ 9.3)     -  -  -  ✓

   CLI System Configuration Commands
 / system banner set                                     set the banner on console and SSH connections                 -  ✓  ✓  ✓
 / system name set hostname                              set the device name                                           -  ✓  ✓  ✓
 / system idle set seconds                               set the idle timeout for console and SSH connections          -  ✓  ✓  ✓
 / services aaa local advanced harden_password           enable hardened password usage on local accounts              -  ✓  ✓  ✓
 / services aaa max-login_failures set number            set the maximum login failures protection                     -  ✓  ✓  ✓
 / services aaa password_length min number               set the minimum length of account passwords                   -  ✓  ✓  ✓
 / services aaa password_length max number               set the maximum length of account passwords                   -  ✓  ✓  ✓
 / services aaa local accounting set level lvl           enable command accounting by setting lvl = commands           ✓  -  -  -
 / services aaa local advanced hide_none_local_history enable
                                                         hide non-local user data from the User Account Login Records  ✓  -  -  -
                                                         page
 / services aaa logging remote set host udp/tcp port     send AAA log messages to a remote syslog host                 ✓  -  -  -
 / services sp model address_space auto                  auto-discover and append your local IPv4 address space        ✓  -  -  -
 / services sp model subscribers enable                  enable subscriber monitoring + AIF Threat Indicators (≥ 9.3)  ✓  -  -  -
 / services sp preferences login_timeout set sec         set the idle timeout period for the UI                        ✓  -  -  -
 / services sp device edit name asidnsflow set prefix    comma-separated IP address list of devices sending DNS        ✓  -  -  -
                                                         flow to the ASI collector
 / services sp device edit name cloud_signalling_only set enable|disable
                                                         configure the UI appliance as cloud signaling only            ✓  -  -  -
                                                         (disables the API and the graphical interface)
 / services sp device edit name deployment mgmt_ports_10g enable|disable
                                                         configure the 10G management ports on an HD-1000              ✓  -  -  -
                                                         appliance (≥ 9.3)

   Service and System Verification
 / services aaa show                                     show AAA configuration, status and local accounts             -  ✓  ✓  ✓
 / services dns show                                     show DNS servers and their state                              -  ✓  ✓  ✓
 / services dns server add ip                            add a DNS server                                              -  ✓  ✓  ✓
 / services ssh show                                     show SSH server state                                         -  ✓  ✓  ✓
 / services ntp show                                     show NTP servers and their state                              -  ✓  ✓  -
 / services ntp server add ip                            add an NTP server                                             -  ✓  ✓  -
 / services sp show|start|stop                           show status, start or stop the software on a Sightline        -  ✓  ✓  -
                                                         appliance
 / services sp backup options                            system backup management                                      -  ✓  ✓  -
                                                         options: show, create, stop, export, import …
 / services sp device leader show                        show the name of the deployment leader                        -  ✓  ✓  -
 / services backup options                               system backup management on a TMS (≥ 8.4)                     -  -  -  ✓
                                                         options: show, create, stop, export, import …
 / services tms show|start|stop                          show status, start or stop the software on a TMS appliance    -  -  -  ✓
 / services tms show alert                               show local active alerts                                      -  -  -  ✓
 / services tms show arp                                 show ARP entries (mitigation interfaces only)                 -  -  -  ✓
 / services tms show blacklist                           show the number of IP addresses currently on the dynamic      -  -  -  ✓
                                                         blacklist
 / services tms show interface rate                      show mitigation interface processing rates                    -  -  -  ✓
 / services tms show interface status                    show mitigation interface status                              -  -  -  ✓
 / services tms show mitigation                          show running mitigations and their traffic rates              -  -  -  ✓
 / system file show                                      show installed software packages                              -  ✓  ✓  ✓
 / system file directory disk:                           list contents of the local file system                        -  ✓  ✓  ✓
 / system file copy disk:filename …                      copy a file to or from the device via ftp, http, https or scp -  ✓  ✓  ✓
 / system hardware                                       show hardware details: CPU, memory, SN, …                     -  ✓  ✓  ✓

   Network and Data Configuration and Verification
 / services tms deployment bgp show neighbors            show BGP neighbor status                                      -  -  -  ✓
 / services tms deployment bgp show routes               show BGP route advertisement status                           -  -  -  ✓
 / services tms show gre                                 show reinjection GRE tunnel status                            -  -  -  ✓
 / services sp data bgp show                             show BGP neighbor status                                      -  -  ✓  -
 / services sp router edit name bgp update_source set ip
                                                         configure an explicit TRA source BGP IP address for a router  ✓  -  -  -
 / services sp router edit name bgp default_mitigations type enable|disable
                                                         preselect the router in the UI (blackhole or flowspec         ✓  -  -  -
                                                         mitigation)
/ services sp device edit name bgp shared_memory_size options
    BGP shared memory size details. Options: show (show current shared memory size),
    set size (set shared memory size in MB), clear (return to default value)   ✓ - - -
/ services sp router edit name snmp local_ip_address set ip
    configure explicit TRA source SNMP IP address for a router   ✓ - - -
/ services sp router edit name snmp priv_protocol AES/DES
    configure data encryption for SNMPv3, default: DES, or AES-128 (≥ 8.3)   ✓ - - -
/ services sp router edit name advanced poll_alcatel_ifmib
    poll virtual and IfMib from an Alcatel router   ✓ - - -
/ services sp router edit name flow use_src_port_for_v9 enable|disable
    enable missing flow tracking per source UDP port   ✓ - - -
/ services sp router edit name flow is_proxy
    use IPFIX exporterIPv4Address from FlowProxy for router identification   ✓ - - -
  License Management
/ services sp license flexible capability
    show licensed deployment limits   ✓ ✓ - -
/ services sp license flexible import disk:file
    import new local license file (also required on the backup leader)   ✓ ✓ - -
/ services sp license flexible server cloud_licensing enable|disable
    enable or disable the cloud based licensing   ✓ ✓ - -
/ services sp license flexible server option
    configure cloud based server details. Options: port, url, …   ✓ ✓ - -
/ services sp license flexible refresh
    manually refresh a cloud-based flexible license file   ✓ ✓ - -
/ services sp license flexible clear_all_ts|clear_llsd|clear_dmvd
    clear licensing (hidden command) (≥ 9.1)   ✓ - - -
  Arbor Sightline – Insight
/ services sp device insight limit_ingestion_mos enable|disable
    enable/disable restriction of flow ingestion based on managed objects   ✓ ✓ - -
/ services sp device insight limit_mo_set add|delete name
    add/remove a managed object from the set of restricted managed objects   ✓ ✓ - -
/ services sp device insight limit_mo_set clear
    clear all restricted managed objects   ✓ ✓ - -
/ services sp device insight limit_mo_set show
    show the current set of restricted managed objects   ✓ ✓ - -
/ services sp device insight limit_ingestion_routers enable|disable
    enable/disable restriction of flow ingestion based on routers   ✓ ✓ - -
/ services sp device insight limit_router_set add|delete name
    add/remove a router from the set of restricted routers   ✓ ✓ - -
/ services sp device insight limit_router_set show|clear
    show/clear all restricted routers   ✓ ✓ - -
/ services sp managed_objects edit name scrub_insight_mo_match enable|disable
    scrub any of the nested managed objects on ingestion   ✓ ✓ - -
  Unique CLI Configuration Commands
/ services sp managed_objects edit name treat_external_as_internal
    prevent double-counting traffic for external customer managed objects   ✓ - - -
/ services sp managed_objects edit name dynamic_match regex_uris
    use DNS information from ISNG to match regular expressions of managed objects (≥ 9.2)   ✓ - - -
/ services sp mitigation tms prefix_check enable
    check on Sightline for manual mitigations: if a CIDR is already being mitigated,
    instead of using the TMS to check & suspend   ✓ - - -
/ services sp mitigation blackhole edit mitigation_name filter_list set name
    assign an IP filter list that will be used during a started blackhole mitigation
    (supports a large number of prefixes)   ✓ - - -
/ services sp mitigation auto-mitigation prefix_check disable
    disable check on Sightline for auto-mitigations; if a CIDR is already being mitigated,
    rely on TMS to check & suspend   ✓ - - -
/ services sp mitigation sample_packets max_packets set val
    set sample packets max. packets   ✓ - - -
/ services sp mitigation sample_packets max_second set val
    set sample packets max. time   ✓ - - -
/ services sp mitigation nexthop custom IPver add name ip ip
    set IPv4/IPv6 nexthop for blackhole mitigations   ✓ - - -
/ services sp mitigation nexthop custom IPver delete name
    delete IPv4/IPv6 nexthop for blackhole   ✓ - - -
/ services sp mitigation tms edit_locked enable|disable
    lock mitigation settings for non-scoped Sightline users on the mitigation
    configuration page, enabled by default   ✓ - - -
/ services sp mitigation tms flowspec log_all_changes enable|disable
    log all changes to flowspec filter announcements to local syslog for auditing reasons (≥ 9.3.5)   ✓ - - -
/ services sp mitigation auto-mitigation exclude_prefix v4|v6 set prefix-list
    comma-separated list of IP prefixes that should never be auto-mitigated (≥ 9.5.0.0)   ✓ - - -
/ services sp mitigation auto-mitigation flowspec global_limit set value
    Sightline will not start flowspec auto-mitigations once the limit is reached. Default = 2000 (≥ 9.6.0.0)   ✓ - - -
/ services sp auto-config irr ip_address set ip
    change Internet Routing Registry server IP   ✓ - - -
/ services sp data mft alert_dbsize set value
    limit MFT alert data collection based on alert length in Mbytes   ✓ - - -
/ services sp data mft alert_age set value
    limit MFT alert data collection based on alert length in days   ✓ - - -
/ services sp preferences whois add ip
    add a Whois resolution server   ✓ - - -
/ services sp preferences hide_sensitive_information mitigation enable|disable
    hide sensitive information from managed service users on the TMS Mitigation Status page;
    this includes template name, Managed Object name, TMS group, annotations, … (≥ 9.3.5)   ✓ - - -
/ services sp preferences hide_sensitive_information mitigation prompt_for_redaction enable|disable
    enable the redaction prompt displayed for non-managed services users when they share
    the TMS Mitigation Status page as a PDF or email (≥ 9.3.5)   ✓ - - -
/ services sp preferences flowspec_required_fields dst_prefix|src_prefix enable|disable
    require (or not) a source or destination prefix to be entered when starting a flowspec
    mitigation; when disabled, the system uses 0.0.0.0/0 or ::/0 as the source (≥ 9.5.0.0)   ✓ - - -
/ services sp remote_services atf import disk:filename
    import AIF signatures manually   ✓ - - -
/ services sp remote_services aif server set ip
    configure the AIF server IP address   ✓ - - -
/ services sp alerts system_errors type notifications enable
    enable event forwarding for system errors. Type: cpu_load, disk_space, …   ✓ - - -
/ services sp notification smtp port set port
    configure the port for SMTP communication   ✓ - - -
/ services sp notification webhooks option
    configure Webhook. Options: retry_count_limit, retry_count_max, retry_seconds_limit, retry_seconds_max   ✓ - - -
/ services aaa groups default set account-group
    change the default TACACS+/RADIUS user group when none is provided   ✓ - - -
/ services sp device edit name metrics type set value
    configure metrics for appliance health monitoring. Type: bgp_routes, managed_objects_matched_per_flow, …   ✓ - - -
/ services sp tms mitigation_return_retry_interval set minutes
    mitigation orchestration return time (≥ 9.0)   ✓ - - -
/ services tms registry main|mitigation pending
    show pending configuration updates   - - - ✓
/ services tms registry main set logger default_local_logging_enable = 1
    log blocked hosts to the file blocked_hosts.log   - - - ✓
/ services tms registry main set interface GID lacp_fast_timer = 1
    enable LACP fast timers for an interface   - - - ✓
/ services tms registry main set patch_panel GID promiscuous = 1
    enable promiscuous mode on a physical mitigation interface   - - - ✓
/ services tms registry main set interface GID static_arp a.b.c.d = 00:07:07:07:07:07
    configure a static ARP entry for the mitigation interfaces   - - - ✓
/ services tms registry main set status suppress_alerts nexthop = "interface:a.b.c.d"
    suppress next-hop unreachable alerts for a specific interface and next-hop IP   - - - ✓
/ services tms deployment fec enable int
    enable FEC (Forward Error Correction) on HD1000 interfaces (100GE) (≤ 9.1)   - - - ✓
/ system hardware fec enable int
    enable FEC (Forward Error Correction) on HD1000 interfaces (100GE) (≥ 9.2)   - - - ✓
 AED Cloud Signaling
/ services sp mitigation filter delete filtername
    delete a filter list synchronized via Cloud Signaling after the APS or AED has been removed   ✓ - - -
  Managing Wizard Reports
/ services sp reports custom find_old
    find orphaned Wizard reports on a non-leader (≥ 8.2)   - ✓ - -
/ services sp reports custom find_old copy all|id
    copy orphaned Wizard reports to the leader (≥ 8.2)   - ✓ - -
/ services sp reports custom check
    check for reports with missing definitions (≥ 8.2)   ✓ - - -
 REST API Details
https://sp-hostname/api/sp/vx/
    URL of the REST API endpoint (see REST Version Matrix for details)   ✓ - - -
https://sp-hostname/api/sp/doc/index.html
    online REST API documentation   ✓ - - -
   Troubleshooting
/ traceroute, traceroute6
    traceroute to an IPv4/IPv6 host through the MGT interfaces   - ✓ ✓ ✓
/ ping, ping6
    ping an IPv4/IPv6 host through the MGT interfaces   - ✓ ✓ ✓
/ ip interface snoop interface filter
    watch traffic on a local interface. filter: PCAP expression   - ✓ ✓ ✓
/ system diagnostics
    create a diagnostics package. Please provide it in case of a support ticket with ATAC.   - ✓ ✓ ✓
/ system disk show
    see the disk utilization and the RAID status   - ✓ ✓ ✓
/ system disk expand
    expand disk size, only supported for sda4 file systems   - ✓ ✓ -
/ services logging view syslog options
    view system internal syslog messages   - ✓ ✓ ✓
/ services logging export syslog dst
    copy the syslog logging file to local disk or an scp destination (≥ 9.2)   - ✓ ✓ -
/ services logging remote set host prot port
    send syslog messages to a remote host via tcp|udp (≥ 9.2)   - ✓ ✓ ✓
/ services sp iprep classification show
    show AIF Threat Indicator details (≥ 9.3)   ✓ - - -
/ services sp data database resync
    resync the global database between UI devices; the Sightline service must be stopped (≥ 8.2)   - ✓ - -
/ services sp analyze pcap disk:file
    generate a RegEx expression from an uploaded pcap file (≥ 9.2)   ✓ - - -
/ services sp deployment [disk:filename]
    gather a deployment overview; the output can also be written to a file on the internal flash disk   ✓ - - -
/ services sp data flow view int ip records
    view flow information received through an interface.
    ip: all or the IP address of one router; records: all records or first record only   ✓ - - -
/ services sp data snmp view ip comm oid
    test an SNMPv2 query towards a router.
    ip: address of the router; comm: SNMP community; oid: specific OID, else use 'system'   ✓ - - -
/ services sp alerts system_errors show
    show the configured handling of detected system errors   ✓ - - -
/ services sp notification test type destination
    generate a test notification.
    type: email, email_xml, snmp, syslog, webhook (≥ 9.2); destination: default or an explicit group   ✓ - - -
/ services sp backup failover activate
    switch manually to a backup leader   - ✓ - -
/ services sp portal soap age set days
    threshold after which SOAP log entries will be auto-deleted   ✓ - - -
/ services sp portal login_page clear
    set a custom login page back to the default   ✓ ✓ - -
/ services sp device edit name arf set on|off
    enable or disable ARF (fcap matching) binning   ✓ - - -
/ services sp device zone_secret show commands
    see the configured zone secret in clear text (hidden command)   ✓ ✓ ✓ -
/ services sp mitigation tms learning end_all
    stop all running learning mitigations   ✓ - - -
/ services sp mitigation tms stop name
    stop a running mitigation by its name   ✓ - - -
/ services sp certificate show
    check the validity period of the installed certificate   ✓ - - -
/ reload
    reboot the appliance   ✓ ✓ ✓ ✓
/ reload [hard]
    reboot the TMS appliance, [hard] = with full power cycle   - - - ✓
/ services tms firmware upgrade
    start firmware upgrade (≤ 9.1)   - - - ✓
/ system hardware firmware
    start firmware upgrade (≥ 9.2)   - - - ✓
/ services tms tms-ping ipv4|ipv6 addr intf
    ping from a mitigation interface with src interface   - - - ✓
/ services tms tms-traceroute ipv4|ipv6 addr intf
    traceroute from a mitigation interface with src interface   - - - ✓
Mitigation: TMS & APS/AED - FCAP Traffic Filtering
 Actions
 drop <expression>                drop traffic matching condition, default behavior if not specified
 pass <expression>                allow (aka trusting), exempt traffic from all other countermeasures
            Traffic not matching any of the above FCAP actions will be sent to the next enabled countermeasure.
 Filter Elements
 [src|dst] (host|net) <address>                 matches a host as IP source, destination or either address
 [src|dst] <address>/<mask>                     matches an address or prefix as IP source, destination or either address
 (proto|protocol) <name>                        matches IP protocol by name
 (proto|protocol) <number>                      matches IP protocol by number
 (proto|protocol) <number>..<number>            matches IP protocol by a range of numbers
 [src|dst] port <name>                          matches TCP or UDP packets sent to/from or either by name
 [src|dst] port <number>                        matches TCP or UDP packets sent to/from or either by number
 [src|dst] port <number>..<number>              matches TCP or UDP packets sent to/from or either by range
 (tflags|tcpflags) <tcp-flags>                  matches TCP packets on the included TCP flags
 (bytes|bpp) <size>                             matches packets equal to length
 (bytes|bpp) <size>..<size>                     matches packets within a range of length
 icmptype <icmptype>                            matches ICMP packets based on message type
 icmpcode <number>                              matches ICMP packets based on message code
 tos <value>                                    matches IP packets based on the Type of Service setting
 ttl <value>                                    matches IP packets based on their included TTL value
 frag                                           matches IP packets that are fragments
 (not|!) (proto|port|bpp|icmp…)                 negates the adjacent element. Not supported for IP addresses
 [and|or]                                       often used with brackets to nest individual expressions
 ICMP Type/Code
 icmp-echoreply          0/0       icmp-echo               8/0
 icmp-redirect           5/0-3     icmp-unreach            3/0-15
 icmp-tstamp             13/0      icmp-tstampreply        14/0
 icmp-timxceed           15/0      icmp-ireqreply          16/0
 icmp-routeradvert       11/0      icmp-reastimxceed       11/1
 icmp-sourcequench       9/0       icmp-fragneed           3/4
 icmp-paramprob          4/0       or any type/code combination
 TCP Flags
 S        SYN       Synchronize
 A        ACK       Acknowledgement
 F        FIN       Final
 R        RST       Reset
 P        PUSH      Push
 U        URG       Urgent
 W        CWR       Congestion Window Reduced
 E        ECE       ECN-Echo (Explicit Congestion Notification - Echo)
 Traffic Filtering Concept
                         All examples provided should first be tested in inactive mode, even though they are
                         normally usable without further constraints: your legitimate traffic may require
                         adjustments to the filters to prevent over-blocking.
Example: FCAP Filter Statements
drop 0.0.0.0/0
    discard all traffic
drop proto udp and not dst port 53
    discard all UDP except for dst port 53
drop src host 10.1.1.1 and dst 192.168.2.1/32
    discard traffic from host 10.1.1.1 toward host 192.168.2.1
drop not (proto icmp or proto tcp)
    discard all IP protocols except ICMP and TCP
drop proto icmp and bytes 200..2000
    discard all ICMP packets with a size between 200 and 2000 bytes
drop proto tcp and not (src port 1024..65535 and (dst port 80 or dst port 443))
    discard all TCP except when the source port is within 1024 to 65535 and the destination port is either 80 or 443
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
    discard ICMP except for "fragmentation needed and DF set" used by Path MTU Discovery and "Fragment Reassembly Time Exceeded"
drop proto udp and port 123 and not bpp 76
    discard NTP packets that are not 76 bytes (NTP Response)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst port 1024..65535))
    discard TCP except when the source port is within 1024 to 65535 and the destination is 25, or when the source port is 25
    and the destination is within 1024 to 65535, therefore allowing inbound and outbound SMTP connections
drop proto tcp and dst port 80 and tflags S/S
    discard TCP packets when the SYN flag is present
drop proto tcp and dst port 80 and tflags /S
    discard TCP packets when the SYN flag is not present
drop proto tcp and dst port 80 and tflags S/SAFRPUEW
    discard TCP packets when the SYN flag is the only flag set
Example: Web Server (HTTP and HTTPS)
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 80) or (src port 1024..65535 and dst port 443))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Authoritative DNS server
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Recursive DNS server
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: SMTP MTA
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst port 1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
 Example: Protecting a Black Box (Update where appropriate!)
# explicit approve critical infrastructure communication
pass src host x.x.x.x and proto tcp and port 179
# drop non-legitimate source addresses
drop src net 0.0.0.0/8
drop src net 10.0.0.0/8
drop src net 127.0.0.0/8
drop src net 172.16.0.0/12
drop src net 192.168.0.0/16
drop src net 240.0.0.0/4
drop src net 224.0.0.0/4
# drop your own prefixes if these are not expected to be seen coming via the internet
drop src net [your own prefix(es)]
# drop traffic from protocols normally not needed
drop not (proto udp or proto tcp or proto esp or proto icmp or proto gre or proto ipv6)
# drop traffic often used in DDoS volumetric attacks
drop proto icmp and bytes 200..2000
drop proto udp and port 19
drop proto udp and port 69
drop proto udp and port 111
drop proto udp and (src port 123 or dst port 123) and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)
drop proto udp and (port 137 or port 138)
drop proto udp and (port 161 or port 162)
drop proto udp and port 389
drop proto udp and port 520
drop proto udp and port 1434
drop proto udp and port 1701
drop proto udp and port 1900
drop proto udp and port 3283
drop proto udp and port 3702
drop proto udp and port 5353
drop proto udp and port 11211 and bpp 1420
# drop traffic normally not used via the internet, stop scanning…
drop proto tcp and dst port 23
drop proto tcp and dst port 445
# drop DNS queries, if there is no DNS service running on the protected host!
drop proto udp and dst port 53
# drop DNS replies, if there is no external DNS resolution done by the protected host!
drop proto udp and src port 53
Mitigate Fragmented Attack Traffic – Fragments reported as src and dst port 0
The TMS reassembles fragmented packets if they form complete sets before evaluating them against
active countermeasures. However, UDP amplification attacks causing congestion are likely to result
in complete sets. After reassembling a packet from a complete set of fragments, the TMS identifies
the source and destination ports and displays them in the sample packets window.
The Sample Packets Shown section actually shows a UDP packet with a size of 15000 bytes, which was
initially broken into 10 fragments (assuming an MTU of 1500 bytes). It also highlights that the packet
was actually forwarded.
The frag keyword matches fragmented packets that are to be reassembled, and it can be used in an FCAP
expression like the one below, entered into the Black/White (Deny/Allow) Lists countermeasure.
Once the mentioned FCAP filter is applied, we can see that the previously forwarded traffic is now
dropped by the TMS.
Mitigation: TMS & APS/AED – Regular Expression

Notation: each row shows the regular expression first, followed by the text it matches and the text it does not match.

Anchors
^         start of string or (line-based) start of any line    ^arbor        matches arbor123 but not 123arbor
$         end of string or (line-based) end of any line        arbor$        matches 123arbor but not arbor123
\b        word boundary                                        \barbor\b     matches arbor but not arbor123
\B        not word boundary                                    \barbor\B     matches arbor123 but not arbor or 12arbor12
                                                               \Barbor\B     matches 123arbor123 but not 123arbor

Character Classes
\c        control character (Ctrl+x)                           \cC           matches CTRL-C
\s        white space (" ")                                    arbor\s123    matches arbor 123 but not arbor123
\S        not white space, not (" ")                           arbor\S123    matches arbors123 but not arbor 123
\d        digit [0-9]                                          arbor\d       matches arbor1, arbor2 but not 1arbor
\D        not digit, not [0-9]                                 \Darbor       matches aarbor but not 1arbor
\w        word [A-Za-z0-9_]                                    \warbor       matches 1arbor, aarbor, 12345arbor but not arbor or @arbor
\W        not word, not [A-Za-z0-9_]                           \Warbor       matches @arbor but not 1arbor or aarbor
\xhh      hexadecimal character hh                             \x00\xFF      matches hex char 00FF

Metacharacters (must be escaped with "\"): ^ $ [ ] { } ( ) \ . * + ? < >

Logical OR
|         logical or                                           (.*\.com|.*\.net)   matches arbor.com or arbor.net

Quantifiers
*         0 or more                                            arbo*         matches arbor, arboooor, arbr, arb but not rbo
*?        0 or more, ungreedy                                  arbo*?        matches arbor, arboooor, arbr, arb but not rbo
+         1 or more                                            arbo+         matches arbor, arboooor but not arbr
+?        1 or more, ungreedy                                  arbo+?        matches arbor, arboooor but not arbr
?         0 or 1                                               arbo?         matches arbor, arbooor, arbr but not rbor or aror
??        0 or 1, ungreedy                                     arbo??        matches arbor, arbooor, arbr but not rbor or aror
{3}       exactly 3                                            a{3}          matches aaarbor but not aaaarbor
{3,}      3 or more                                            a{3,}         matches aaarbor, aaaaaaaaarbor but not aarbor
{3,5}     3, 4 or 5                                            a{3,5}        matches aaarbor, aaaarbor, aaaaarbor, aaarboraaa but not aarbor
{3,5}?    3, 4 or 5, ungreedy                                  a{3,5}?       matches aaarbor, aaaarbor, aaaaarbor but not aarbor

Special Characters (hex)
\         escape character
\n        new line (0A)
\r        carriage return (0D)
\t        tab (09)
\f        form feed (0C)
\a        alarm BEL char (07)
[\b]      backspace
\e        escape

Ranges
.         any char except \n (hex \x0a)                        a.            matches arbor and azbor but not a
(a|b)     a or b                                               (a|z)         matches arbor, arboz but not brbor
(…)       group of chars                                       (arb)         matches arbor, arborarb but not aror
[abc]     range, a or b or c                                   [abc]         matches arbor, aabbcc but not dddd
[^abc]    range, not a or b or c                               [^abc]        matches dddd, arbor but not abc
[a-z]     lowercase letter between a and z                     [a-z]         matches arbor but not ARBOR
[^a-z]    not lowercase letter between a and z                 [^a-z]        matches ARBOR, 1234 but not arbor
[A-Z]     uppercase letter between A and Z                     [A-Z]         matches ARBOR but not arbor
[^A-Z]    not uppercase letter between A and Z                 [^A-Z]        matches arbor, 1234 but not ARBOR
[0-9]     digit between 0 and 9                                [0-9]         matches 1234 but not arbor
[^0-9]    not digit between 0 and 9                            [^0-9]        matches ARBOR, arbor but not 1234

Literal Text Span
\Q        begin literal string
\E        end literal string
Metacharacters between \Q and \E are escaped, so \QGET /cgi/page.cgi?id=1\E is equivalent to GET \/cgi\/page\.cgi\?id=1

Pattern Modifiers
(?mod)                  turns on modifier for rest of expression
(?-mod)                 turns off modifier for rest of expression
(?mod:<expression>)     turns on modifier for expression in <...>
(?-mod:<expression>)    turns off modifier for expression in <...>
(?i)                    case insensitive
(?-i)                   case sensitive
(?# comment)            adds comment
(?m)                    multiline match
(?s)                    single line match

Important Notes
• HTTP and payload regex are case sensitive (TMS ≥ 8.0)
• DNS regex is case insensitive (TMS ≥ 8.0)
• Back references not supported
• Assertions not supported
• \p{xx}, \P{xx}, \C, \R, \K not supported
• Logical AND is not supported
Payload Regular Expression
Payload regular expressions treat the payload as a single input string. A payload regular expression can match on hex characters (\x77\x77\x77),
ASCII characters (www) or a combination of the two (\x77w\x77).
The multiline and single line pattern modifiers can be used in payload regular expressions. (?m) changes the behaviour of ^ and $ to match
next to newlines within the input string: ^ matches after any newline and $ matches before any newline. (?s) changes the behaviour of . (dot)
to match all characters, including newlines, within the input string.
Hex bytes                                       ASCII               Regular expression
41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a          Accept: */*\r\n     ^\x41.*\x2f\x2a\x0d$ fails; (?m)^\x41.*\x2f\x2a\x0d$ succeeds
48 6f 73 74 3a 20 31 2e 31 2e 31 2e 31 0d 0a    Host: 1.1.1.1\r\n   \x41\x63.*\x48\x6f fails; (?s)\x41\x63.*\x48\x6f succeeds
In DNS queries, the byte right before each label indicates the length of the label: \x03 indicates that the next label is 3 bytes long.
A domain query for www.arbornetworks.com would be \x03www\x0darbornetworks\x03com. 10-byte labels are preceded by \x0a and 13-byte
labels are preceded by \x0d. Be aware that in plain text \x0a and \x0d are \n (newline) and \r (carriage return) respectively, and these two
characters are treated differently in regular expressions. Be sure to use the proper hex values for the label length fields, or use the (?s) single
line pattern modifier to allow "." to match a newline: (?s)www.arbornetworks.com
DNS attack to mail.arbornetworks.com => \x04mail\x0darbornetworks\x03com or (?s)mail.arbornetworks.com
HTTP attack to www.arbornetworks.com => www\x2earbornetworks\x2ecom or \x77\x77\x77\x2earbornetworks\x2e\x63\x6f\x6d
DNS reflection attacks typically use Type=ANY, where the type field is "00ff" for ANY. Mitigate with domain\x03com\x00\x00\xff
Common DNS Type fields: A \x01, AAAA \x1c, PTR \x0c, MX \x0f, SOA \x06, NS \x02, TXT \x10
HTTP Header Regular Expression
HTTP header regular expressions treat each line of the HTTP header as a unique string. Each regular expression in the HTTP header regex is
applied to each HTTP header. If any of the regular expressions match any of the headers, then the packet matches and the appropriate
action is taken. HTTP headers are divided along the boundary of \r\n and exclude \r\n in the header string.
A regular expression spanning multiple headers across the \r\n boundary will not match.
HTTP headers should follow the case sensitive canonical format Camel-Back: value
Deviations may indicate malware, for example:
  Camel-Back:value
  Camel-Back: value
  Camel-back: value
  CAMEL-BACK: value
  Camel -Back: value
Common HTTP headers and approximate percent of legitimate requests containing each case sensitive header:
Host:               99,9%    Accept-Language:    87,5%    Via:                  16,2%
User-Agent:         97,9%    Referer:            78,2%    UA-CPU:               14,8%
Connection:         97,7%    Cookie:             42,3%    If-Modified-Since:    13,4%
Accept:             93,8%    Accept-Charset:     35,3%    X-IMForwards:         12,9%
Accept-Encoding:    90,4%    Keep-Alive:         25,1%    Cache-Control:        10,5%
If-None-Match:       6,9%    X-NovINet:           1,9%    DNT:                   0,6%
Content-Length:      5,0%    Range:               1,3%    From:                  0,4%
x-flash-version:     4,9%    CUDA_CLIIP:          1,1%    All others less than   0,5%
Content-Type:        4,5%    X-Forwarded-For:     0,9%
Pragma:              2,3%    X-Dropbox-Locale:    0,7%
Examples:
1) GET flood to /page.cgi?id=dosme HTTP/1.1        ^\/page\.cgi\?id\=dosme HTTP\/1\.1$
2) GET flood to Host: www.domain.com                ^Host: www\.domain\.com$ or ^\QHost: www.domain.com\E$
3) Incorrect capitalization of User-Agent:          (?-i)^User-agent or (?-i)^User-Agent
DNS Regular Expression
DNS regular expressions treat the Name field of the DNS packet as a unique string. Each DNS regular expression is applied to the Name field
for each DNS packet. If any of the regular expressions match the Name field in a DNS packet, it is a match, and the appropriate action is
taken.
Examples:
1) Query flood to www.arbornetworks.com                www\.arbornetworks\.com or w{3}\.arbornetworks\.com
2) Random 8-character dictionary attack to domain.com  [A-Za-z0-9_]{8}\.domain\.com
3) Attack to mail and smtp.domain.com                  (mail|smtp)\.domain\.com
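The three matching modes described above (payload as one string, HTTP header per \r\n-delimited line, DNS Name field as length-prefixed labels) can be exercised offline with Python's re module, whose ^, $, ., (?m) and (?s) semantics agree with the reference table for these cases. This is an added example, not Arbor code; the payload, the request and the DNS question bytes are constructed here, the DNS encoder is an assumed helper, TMS's DNS case-insensitivity is emulated with re.IGNORECASE, and because Python lacks \Q...\E the escaped forms are used.

```python
import re

# Constructed sample data (not captured traffic): the two-line payload from the
# table above and a minimal GET request with a mis-capitalised User-Agent header.
PAYLOAD = b"Accept: */*\r\nHost: 1.1.1.1\r\n"
REQUEST = (b"GET /page.cgi?id=dosme HTTP/1.1\r\n"
           b"Host: www.domain.com\r\n"
           b"User-agent: Mozilla/5.0\r\n\r\n")


def payload_matches(pattern: str, payload: bytes) -> bool:
    """Payload regex: the whole payload is one input string.  latin-1 maps every
    byte to the code point of the same value, so \\xhh escapes match bytes 1:1."""
    return re.search(pattern, payload.decode("latin-1")) is not None


def http_header_matches(patterns, raw_request: bytes, case_sensitive=True) -> bool:
    """HTTP header regex: split on \\r\\n (which is not part of any line) and
    match if ANY pattern matches ANY header line; a pattern cannot span lines."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    flags = 0 if case_sensitive else re.IGNORECASE
    return any(re.search(p, line, flags) is not None
               for p in patterns for line in head.split("\r\n"))


def dns_wire_name(domain: str) -> bytes:
    """Assumed helper: encode a domain as DNS labels (length byte, label, ...,
    \\x00 root), e.g. www.arbornetworks.com -> \\x03www\\x0darbornetworks\\x03com\\x00."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dns_question(domain: str, qtype: int) -> bytes:
    """Name field followed by QTYPE and QCLASS=IN; QTYPE 0x00ff is ANY."""
    return dns_wire_name(domain) + qtype.to_bytes(2, "big") + b"\x00\x01"


def dns_name_matches(pattern: str, question: bytes) -> bool:
    """DNS regex: applied to the wire-format Name (plus the bytes that follow it,
    so \\x03com\\x00\\x00\\xff can see the QTYPE).  TMS DNS regex is case
    insensitive, which re.IGNORECASE emulates here."""
    return re.search(pattern, question.decode("latin-1"), re.IGNORECASE) is not None


if __name__ == "__main__":
    # (?m) lets $ match before the embedded \n; (?s) lets .* cross it
    print(payload_matches(r"^\x41.*\x2f\x2a\x0d$", PAYLOAD),      # False
          payload_matches(r"(?m)^\x41.*\x2f\x2a\x0d$", PAYLOAD))  # True
    print(payload_matches(r"\x41\x63.*\x48\x6f", PAYLOAD),        # False
          payload_matches(r"(?s)\x41\x63.*\x48\x6f", PAYLOAD))    # True
    # Case matters for HTTP header regex: only the malformed header is matched
    print(http_header_matches([r"^User-agent"], REQUEST),         # True
          http_header_matches([r"^User-Agent"], REQUEST))         # False
    # A 10-byte label is prefixed by \x0a (= \n), which "." does not match
    q = dns_question("www.tenletters.com", 1)
    print(dns_name_matches(r"www.tenletters.com", q),             # False
          dns_name_matches(r"(?s)www.tenletters.com", q))         # True
    # Type=ANY query for example.com is caught by the ...\x03com\x00\x00\xff form
    print(dns_name_matches(r"\x03com\x00\x00\xff", dns_question("example.com", 0xff)))  # True
```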
Mitigation: TMS – Packet Header Filtering
Basic Rules
• max 1024 characters long (including spaces)
• all text must be lower case
• leading and trailing spaces are optional, but they are required for operators that use text characters such as 'gt'
• ip.frag_offset and ip.flags.mf are not supported because packet fragments are reassembled before countermeasures are invoked

Operators
Type          Operator                    Allowed formats
Boolean       AND                         and            &&
Boolean       OR                          or             ||
Boolean       NOT                         not            !
Comparison    equal to                    eq             ==
Comparison    not equal to                ne             !=
Comparison    greater than                gt             >
Comparison    less than                   lt             <
Comparison    greater than or equal to    ge             >=
Comparison    less than or equal to       le             <=
Bitwise       bitwise and                 bitwise_and    &

Filter Elements
IP Filters:    ip, ip.hdr_len, ip.len, ip.version, ip.addr + (IP or CIDR), ip.dsfield, ip.dsfield.{dscp|ecn}, ip.dst + (IP or CIDR),
               ip.flags, ip.flags.{df|rb}, ip.proto, ip.src + (IP or CIDR), ip.ttl
ICMP Filters:  icmp, icmp.checksum, icmp.code, icmp.type
TCP Filters:   tcp, tcp.option_kind, tcp.checksum, tcp.dstport, tcp.flags, tcp.flags.{ack|push|reset|syn|fin|cwr|ecn|ns|urg}, tcp.hdr_len,
               tcp.options.{sack_perm|mss_val}, tcp.port, tcp.srcport, tcp.window_size_value
UDP Filters:   udp, udp.checksum, udp.dstport, udp.length, udp.port, udp.srcport

Example
tcp.window_size_value > 10000 and tcp.options.sack_perm && tcp.options.mss_val ge 1450 and not tcp.port & 1
TCP window size is greater than 10000 and TCP selective acknowledgement is enabled and TCP MSS value is greater than or equal to
1450 bytes and the TCP port, checked bitwise, does not have its lowest bit set, i.e. is not an uneven (odd) port number.

Release ≥ 9.5.0.0
The syntax in the Packet Header Filtering countermeasure for the ip.flags field has changed. The new
syntax matches the syntax that Wireshark uses. Although the ip.flags field is a 3-bit field, Wireshark treats
it as a full byte. The Packet Header Filtering countermeasure previously treated ip.flags as a 3-bit field, but
now also treats it as a full byte.
Match                   previous syntax    new syntax
Don't Fragment (DF)     ip.flags & 2       ip.flags & 0x40
                        ip.flags == 2      ip.flags == 0x40
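Worked example of the ip.flags syntax change (added here, not Arbor code): it reads the flags word of a constructed IPv4 header and evaluates the DF test in both the previous 3-bit form and the new full-byte form, showing why an old literal carried over unchanged no longer tests the DF bit. Masking the byte view to 0xE0 (the three flag bits) is an assumption about how the full-byte value is compared; the 3-bit and full-byte bit values themselves follow from the IPv4 header layout.

```python
import struct

# Bit values of the IPv4 flags in the two representations the countermeasure has
# used: a 3-bit field (releases before 9.5) and, like Wireshark, the whole first
# byte of the flags/fragment-offset word (release 9.5 and later).
THREE_BIT = {"rb": 0x4, "df": 0x2, "mf": 0x1}
FULL_BYTE = {"rb": 0x80, "df": 0x40, "mf": 0x20}


def ipv4_header(df=False, mf=False, frag_offset=0, proto=17) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left 0, documentation
    addresses) used only to exercise the two syntaxes below."""
    flags = (THREE_BIT["df"] if df else 0) | (THREE_BIT["mf"] if mf else 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234,
                       (flags << 13) | (frag_offset & 0x1FFF), 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


def ip_flags(header: bytes) -> dict:
    """Return ip.flags as each syntax sees it.  The 3-bit value is the top three
    bits of byte 6; the full-byte value is byte 6 with the five fragment-offset
    bits masked off (assumed to match Wireshark's display, e.g. 0x40 = DF)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_and_offset = struct.unpack("!H", header[6:8])[0]
    return {"three_bit": flags_and_offset >> 13,
            "full_byte": header[6] & 0xE0,
            "frag_offset": flags_and_offset & 0x1FFF}


def match_previous_syntax(header: bytes, literal: int, equal=False) -> bool:
    """ip.flags & literal (or ip.flags == literal) under the pre-9.5, 3-bit rules."""
    value = ip_flags(header)["three_bit"]
    return value == literal if equal else bool(value & literal)


def match_new_syntax(header: bytes, literal: int, equal=False) -> bool:
    """ip.flags & literal (or ip.flags == literal) under the 9.5+, full-byte rules."""
    value = ip_flags(header)["full_byte"]
    return value == literal if equal else bool(value & literal)


def translate_literal(old_literal: int) -> int:
    """Convert a 3-bit ip.flags literal from an old filter into the full-byte
    literal the new syntax expects (2 -> 0x40, 1 -> 0x20, 4 -> 0x80)."""
    if not 0 <= old_literal <= 7:
        raise ValueError("3-bit ip.flags literal must be 0..7")
    return old_literal << 5


if __name__ == "__main__":
    df_pkt = ipv4_header(df=True)
    print(match_previous_syntax(df_pkt, 2), match_new_syntax(df_pkt, 0x40))  # True True
    # The old literal kept unchanged under the new rules no longer tests DF:
    print(match_new_syntax(df_pkt, 2))                                      # False
    print(hex(translate_literal(2)))                                        # 0x40
```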
Filter Element Examples (header field diagrams): IPv4 Header, TCP Header, UDP Header, ICMP Header
Mitigation: Other Types – BGP Flow Specification
Extended Communities
Extended Community    Action                    Type      Encoding                                                               Notes
traffic-rate          drop or police            0x8006    2-byte AS + 4-byte rate-shaper                                         TMS: Deny List offload only
traffic-VRF           redirect by RT (ASN)      0x8008    2-byte AS, 4-byte value                                                1234:5678
redirect IPv4         redirect by RT (IPv4)     0x8108    4-byte IPv4 address, 2-byte value                                      1.2.3.4:5678
redirect AS           redirect by RT (ASN)      0x8208    4-byte AS, 2-byte value                                                1.2.3.4L:5678
redirect-IP           redirect to IP nexthop    0x0800    6 bytes (all bits 0, last bit = C [copy bit])                          Simpson draft, used by Cisco
traffic-marking       set DSCP                  0x8009    5 zero bytes, DSCP encoded in the 6 least significant bits of the 6th byte
Sightline Mitigation
• To filter using the destination prefix, type the destination CIDR block to match. Only one CIDR block is allowed in this field.
• To filter using protocol numbers, type the protocol numbers or ranges to match. Example: 6 or 10-20
• To filter using the source prefix, type the source CIDR block to match. Only one CIDR block is allowed in this field.
• To filter using the source port, type the source port number or range to match. Example: 32768-49151,49159-65535
• To filter using the destination port, type the destination port number or range to match. Example: 80
• To filter using the ICMP type or code, type the ICMP type or code values or ranges in the appropriate fields. Example: 3,16-255
• To filter using TCP flags, type the TCP flag numbers to match. The common flag numbers are 1=fin, 2=syn, 4=rst, 8=psh, 16=ack,
  32=urg, 64=ece, and 128=cwr. Example: 18 (SYN/ACK)
• To filter on packet lengths, type the packet lengths or ranges to match. Example: 1501-65535
• To filter on packet DSCP (0-63), type the DSCP number or range.
• To filter using a fragmentation bitmask, type an integer that indicates the fragmentation bitmask value:
  1 = Don't fragment, 2 = Is a fragment, 4 = First fragment, 8 = Last fragment
Mitigation action:
• Drop              default           BGP Type 0x8006 [ASN, Rate:0]
• Rate Limit        bits per second   BGP Type 0x8006 [ASN, Rate:>0]
• Traffic Marking   DSCP value        BGP Type 0x9006
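Encoder and decoder for the extended communities in the table above, covering the Drop (rate 0), Rate Limit (rate > 0), redirect and traffic-marking actions that the Sightline mitigation settings map onto. This is an added example, not Arbor or Sightline code; it follows the field layouts given in the table (type 0x8009 for traffic-marking), the sample AS numbers and route targets are constructed, and the "L" suffix used to print a 4-byte AS route target is this example's own convention.

```python
import struct
import ipaddress

# Extended community type codes from the table above
TRAFFIC_RATE, TRAFFIC_MARKING = 0x8006, 0x8009
REDIRECT_AS2, REDIRECT_IPV4, REDIRECT_AS4 = 0x8008, 0x8108, 0x8208


def traffic_rate(asn: int, rate: float) -> bytes:
    """0x8006: 2-byte AS, then the rate-shaper as a 4-byte IEEE-754 float.
    Rate 0 is the Drop action, rate > 0 the Rate Limit action."""
    if rate < 0:
        raise ValueError("rate must be >= 0")
    return struct.pack("!HHf", TRAFFIC_RATE, asn, rate)


def redirect_as2(asn: int, value: int) -> bytes:
    """0x8008: 2-byte AS, 4-byte value (route target such as 1234:5678)."""
    return struct.pack("!HHI", REDIRECT_AS2, asn, value)


def redirect_ipv4(address: str, value: int) -> bytes:
    """0x8108: 4-byte IPv4 address, 2-byte value (route target such as 1.2.3.4:5678)."""
    return struct.pack("!H4sH", REDIRECT_IPV4, ipaddress.IPv4Address(address).packed, value)


def redirect_as4(asn: int, value: int) -> bytes:
    """0x8208: 4-byte AS, 2-byte value."""
    return struct.pack("!HIH", REDIRECT_AS4, asn, value)


def traffic_marking(dscp: int) -> bytes:
    """0x8009: five zero bytes, DSCP in the six least significant bits of the sixth."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp)


def decode(ec: bytes) -> dict:
    """Parse one 8-byte extended community into the action it requests, which is
    what matters when reviewing a FlowSpec route Sightline sent or received."""
    if len(ec) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    etype = struct.unpack("!H", ec[:2])[0]
    if etype == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ec[2:])
        return {"type": etype, "action": "drop" if rate == 0 else "rate-limit",
                "asn": asn, "rate": rate}
    if etype == REDIRECT_AS2:
        asn, value = struct.unpack("!HI", ec[2:])
        return {"type": etype, "action": "redirect", "rt": f"{asn}:{value}"}
    if etype == REDIRECT_IPV4:
        addr, value = struct.unpack("!4sH", ec[2:])
        return {"type": etype, "action": "redirect",
                "rt": f"{ipaddress.IPv4Address(addr)}:{value}"}
    if etype == REDIRECT_AS4:
        asn, value = struct.unpack("!IH", ec[2:])
        return {"type": etype, "action": "redirect", "rt": f"{asn}L:{value}"}
    if etype == TRAFFIC_MARKING:
        return {"type": etype, "action": "set-dscp", "dscp": ec[7] & 0x3F}
    raise ValueError(f"unsupported extended community type 0x{etype:04x}")


if __name__ == "__main__":
    # Constructed values: AS 64496 is from the documentation AS range
    for ec in (traffic_rate(64496, 0.0), traffic_rate(64496, 1_000_000.0),
               redirect_as2(1234, 5678), redirect_ipv4("1.2.3.4", 5678),
               redirect_as4(65536, 5678), traffic_marking(46)):
        print(ec.hex(), decode(ec))
```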
AED Countermeasure Sequence
  Per Packet Sequence (diagram)
  Event Driven Sequence (diagram)
Sightline - REST API Matrix
  The Arbor Sightline REST API is updated on a regular basis, which results in version changes and
  deprecation of existing API functionality.
  Release & Status   REST API Version
                     1    2    3    4    5    6    7    8    9    10
  9.0.0 EOS          ✓    ✓    ✓    ✓    ✓    X    X    X    X    X
  9.1.0 EOS          ✓    ✓    ✓    ✓    ✓    ✓    X    X    X    X
  9.2.0 EOS          ✓    ✓    ✓    ✓    ✓    ✓    ✓    X    X    X
  9.3.0 EOM          ✓    ✓    ✓    ✓    ✓    ✓    ✓    X    X    X
  9.3.5 EOM          X    X    X    ✓    ✓    ✓    ✓    ✓    X    X
  9.4.0.0 EOM        X    X    X    ✓    ✓    ✓    ✓    ✓    ✓    X
  9.5.0.0 GA         X    X    X    X    ✓    ✓    ✓    ✓    ✓    X
  9.6.0.0 GA         X    X    X    X    X    ✓    ✓    ✓    ✓    ✓
  9.7.0.0 GA         X    X    X    X    X    X    ✓    ✓    ✓    ✓
  The Sightline REST API output is in the JSON API format. The responses use return links to refer to
  other resources and support pagination. When you make a request to the REST API, you can
  specify which API version to use. For example, to use the version 3 alerts endpoint:
  https://sightline.example.com/api/sp/v3/alerts/
  If a request contains no version information, it defaults to the latest version. In most cases, the
  Sightline REST API keeps the full functionality of still-supported previous versions. However, there
  could be a situation where an older endpoint provides only partial functionality or is removed
  entirely. More information can be found in the Arbor Sightline and TMS API Guide for the software
  release in use.
ArbOS - REST API Matrix
  The ArbOS REST API allows an authorized user to perform administrative tasks such as rebooting
  the device, stopping services, and installing software packages. The ArbOS REST API is updated on
  a regular basis, which results in version changes and deprecation of existing API functionality.
  REST API Version   9.3.5 GA   9.4.0.0 GA   9.5.0.0 GA   9.6.0.0 GA   9.7.0.0 GA
  1                  ✓          ✓            ✓            ✓            ✓
  2                  X          ✓            ✓            ✓            ✓
Sightline & TMS - BGP Signaling Capabilities
  Device   Route Analytics       Announce Mitigation Route   FlowSpec Filter (SAFI 133)   FlowSpec Diversion (SAFI 133)   FlowSpec Diversion (SAFI 134)   FlowSpec BLO
           IPv4   IPv6   VPNv4   IPv4   IPv6                 IPv4   IPv6                  IPv4   IPv6                    VPNv4   VPNv6                   IPv4   IPv6
  TRA      ✓      ✓      ✓       ✓      ✓                    ✓      ✓*                    ✓      ✓                       ✓       ✓                       X      X
  TMS      X      X      X       ✓      ✓                    X      X                     X      X                       X       X                       ✓      ✓
Sightline Alert Search Keywords
resource (a service, fingerprint, or managed object)
  • resource:managed-object, fingerprint, and/or service name
  • mo:managed-object-name
  • fingerprint:fingerprint-name
  • service:service-name
  The resource keyword searches for alerts that involve services, fingerprints, and managed objects. This search is
  case-insensitive, and Sightline matches on partial resources.
  ➢ resource:object3,service123   ➢ mo:object1   ➢ service:new_serv1
router name
  • ro:router-name
  • router:router-name
  ➢ router:789xyz   ➢ ro:router123   ➢ router:routerabc
device name
  • appliance:appliance-name
  • collector:appliance-name
  • device:appliance-name
  Each keyword returns the same search results. Collector returns all devices with the entered appliance name, even if
  they are not collectors.
  ➢ appliance:app123   ➢ collector:my_appliance   ➢ device:example_device
alert ID
  • ID
  • alert_id:ID
  ➢ 12345   ➢ alert_id:23456
alert class
  • ac:alert-class
  • alert_class:alert-class
  Alert classes: BGP, Cloud Signaling, Data, DOS, System Error, System Event, TMS and Traffic
  ➢ ac:TMS   ➢ alert_class:TMS
severity level
  • severity
  • sev:severity
  • severity:severity
  ➢ low   ➢ sev:low   ➢ severity:high,low
alert type
  • alert type
  • at:alert-type
  • alert_type:alert-type
  Alert types: BGP Down, BGP Instability, Cloud Signaling Fault, Cloud Signaling Mitigation Request, DOS, Flow Down,
  GRE Down, Hardware Failure, Interface Usage, License Alert, Managed Object Threshold, SNMP Down, TMS Fault, …
  ➢ "BGP Trap"   ➢ at:"BGP Trap"   ➢ alert_type:"BGP Trap"
alert status
  • alert-status
  • sts:alert-status
  • status:alert-status
  Status: all, ongoing, recent, ended, stopped, done or completed
  ➢ ongoing   ➢ sts:recent   ➢ status:all
classification
  • classification:classification
  • ax:classification
  Classifications: False Positive, Flash Crowd, Network Failure, Possible Attack, Trivial, Verified Attack
  ➢ classification:"No Attack"   ➢ ax:"network failure"
annotation
  • annotation
  • ann:annotation
  • alert_annotation:annotation
  • comment:annotation
  ➢ Critical   ➢ ann:Critical   ➢ alert_annotation:Critical   ➢ comment:"this is critical"
prefix
  • prefix:CIDR block
  ➢ prefix:10.0.0.0/8   ➢ prefix:0.0.0.0/0 (all IPv4 alerts)   ➢ prefix:0::0/0 (all IPv6 alerts)
Arbor Cloud Details
  Type                1 Mitigation        6 Mitigations    Unlimited Mitigations   Always On            Flow Monitoring
  Enterprise          CLD-ENT-CONNECT-*   not available    CLD-ENT-ESS+-*          CLD-EN-ALWAYS-ON-*   CLD-EN-FLOWDETECT-*
  Service Providers   not available       CLD-SP-DDOS      CLD-SP-CT*G-OP*         not available        not available

Arbor Cloud Options
  Option                           Enterprise                    Service Provider
  Additional/Redu. GRE Location    CLD-DDOS-BGP-LOCATION*        CLD-DDOS-BGP-LOCATION*
  Additional Mitigations           CLD-EN-CONNECT-*-MIT          CLD-SP-DDOS-ADDITIONAL-MIT*
  Sightline Signaling              SVC-IMP-SPCS                  SVC-IMP-SPCS
  Additional Hosts                 CLD-EN-DDOS-DNS-HOSTS*        not applicable
  SSL Inspection                   CLD-DDOS-DNS-SSL              not applicable
  Additional Clean Traffic         CLD-ENT-ESS+-ADDL-1G          CLD-1G-ADDL
  Physical Direct Connect          CLD-ECX-DIRECT-CNCT-SETUP     CLD-ECX-DIRECT-CNCT-SETUP
                                   CLD-ECX-DIRECT-CNCT-10G       CLDECX-DIRECT-CNCT-10G
  Direct Connect via ECX           CLD-ECX-L2CONN-*              CLD-ECX-L2CONN-*
  Managed APS/AED                  SVC-APS-DDOS-MANAGED-1        not applicable
  Managed Sightline/TMS            Contact your Account Team     Contact your Account Team

Arbor Cloud Configuration Options (all available for free)
  APS/AED Cloud Signaling       To be noted in provisioning worksheet.
  Automitigation*               Ability to automatically start mitigations upon APS/AED Cloud Signaling, Sightline
                                Signaling or other mechanisms.
  Route Triggered Mitigation*   Ability to use BGP to trigger traffic diversion.
                                Cannot be used in conjunction with Route Suppression.
  Route Suppression*            Ability to receive the protected prefix via BGP to automatically withdraw it.
                                Cannot be used in conjunction with Route Triggered Mitigation.
  BGP Traffic Engineering*      Ability to use BGP to dynamically advertise current location of protected prefixes.
  * Must be raised to Account Team & SOC at pre-sale time
Contacts
CORPORATE HEADQUARTERS
    NETSCOUT
    310 Littleton Road
    Westford, MA 01886-4105, USA
    +1 978-614-4000
    +1 888-357-7667 (Toll-free)
    support@NETSCOUT.com
    www.NETSCOUT.com/arbor-ddos
Arbor Cloud
    +1 844-END-DDoS | +1 734-794-5099
    Portal: https://config.arborcloud.netscout.com/auth/login
    mail: cloud@arbor.net
Arbor Technical Assistance Center
    +1 781-362-4301 | +1 877-272-6721
    Customers: https://my.netscout.com/
    Partners: https://partnercenter.arbornetworks.com/
Copyright © 2023 NETSCOUT Systems, Inc. All Rights Reserved.
3.2306.01