Network Visibility and DDoS Attack Analysis Are Essential in Identifying and Mitigating Adversarial Attacks


All methods of distributed denial-of-service (DDoS) attack analysis—whether proactive, or in preparation for a DDoS attack; reactive, or during a DDoS attack; or even in post-attack—can prove valuable to strengthen current mitigations or to establish future protection strategies. These objectives require network operators or security personnel to follow a stepped methodology such as the one outlined in this NETSCOUT blog for managing DDoS incidents.

Boxes going right to left depicting lifecycle

Meeting the goals of a stepped methodology requires data gathered from the network protection infrastructure during the lifecycle of a DDoS attack. Additionally, there needs to be a reporting mechanism that not only analyzes the gathered data but also presents it in a manner that assists network and security staff to prepare and mitigate future attacks efficiently.

The NETSCOUT Solution

NETSCOUT’s Arbor Edge Defense (AED) is a stateless packet-processing solution that not only sees and understands inbound threats including DDoS, malicious scanning activity, brute force password attacks, and other indicators of compromise (IoCs) but also comprehends outbound communications to known bad IPs, URLs, and domains. NETSCOUT’s Arbor Enterprise Manager (AEM) offers a variety of workflows for the analysis of the data AED provides and employs adaptive DDoS protection to automate mitigations.

  • Security alerts: The AEM security alerts area provides an easy top-down workflow for users to have an overview of the DDoS alerts across the network and investigate each alert with its full context. Specifically, users will have visibility into what alerts happened within the selected time frame, what AED devices generated the most alerts, and which services are being targeted.
  • Threat analysis: The threat analysis workflow section is available for users to gain visibility into all the threats, DDoS and non-DDoS, that AED has detected and mitigated across your network, with specific context for each threat so users can understand not only what threats are blocked, but also why they are blocked and what services they were targeting. Users can start an investigation by looking at threat activities based on user-selected filters such as Attack Categories, Classifications, Countries, and Devices. You also gain analysis categorization based on the MITRE ATT&CK knowledge base of adversary tactics and techniques based on real-world observations. For each threat, users will be able to have visibility into the context of that specific threat, including but not limited to the time of the attack, country of origin, severity, confidence of identification, and what service or protocol is impacted.
  • Attack analysis: The attack analysis workflow in AEM allows users to have visibility into and manage the alerts and protection recommendations from the AED adaptive DDoS protection solution in order to effectively block any attacks that may have evaded existing countermeasures and protections.
  • Real-time mitigation visibility: Real-time mitigation visibility enables users to make protection configuration changes while monitoring the impact of those changes on traffic within seconds. This intelligent workflow takes away any guesswork from users when making configuration changes and enhances the effectiveness of protection.
  • Central management and policy control: AEM provides the one-stop shop for managing all the AEDs in the network, from provisioning to tuning and ongoing operations.

AED coupled with AEM can provide the information to ensure your DDoS and cyberthreat protection strategy is prepared and efficient.

Learn more about Arbor Edge Defense.