
The Pocket Guide

September 2018

Glossary ... 3
Appliance Overview
  Arbor SP/TMS
    Arbor SP-6000 ... 4
    Arbor SP-7000 ... 4
    Arbor SP-Insight P8000 & S8000 ... 4
    Arbor TMS-2300 ... 5
    Arbor TMS-2600 / TMS-2800 ... 5
    Arbor TMS-4000 ... 6
    Arbor TMS-5000 ... 6
    Arbor HD-1000 ... 7
    Arbor HD-1000: Manual Start-up and Shutdown ... 9
  Arbor APS
    Arbor APS-2100 ... 10
    Arbor APS-2600 / APS-2800 / APS Console 7000, Netscout AED-2600 / AED-2800 ... 10
  Arbor Spectrum
    Arbor Spectrum 2200 ... 11
    Arbor Spectrum 2300 ... 11
CLI Command Reference
  Arbor APS & Netscout AED ... 12
  Arbor SP/TMS ... 14
  Spectrum ... 18
Mitigation
  Arbor TMS & APS - FCAP Traffic Filtering ... 20
  Arbor TMS & APS - Regular Expression ... 22
  Arbor TMS - Packet Header Filtering ... 24
  Other Types - BGP Flow Specification ... 25
Appendix
  Arbor SP - REST API Matrix ... 26
  Arbor SP/TMS - BGP Signaling Capabilities ... 26
  Arbor SP Alert Search Keywords ... 27
  Personal Notes ... 28

Page 2 CONFIDENTIAL & PROPRIETARY



Glossary
AED Netscout® Arbor Edge Defense
AIF® Arbor Networks® ATLAS Intelligence Feed
API Application Programming Interface
APM-E High Performance Packet Processing Card - Arbor Networks® TMS-4000 Series
APS Arbor Networks® Availability Protection System
ArbOS Arbor Networks® Operating System
ASERT Arbor Networks® Security Engineering & Research Team
ASN Autonomous System Number (BGP)
ATAC Arbor Networks® Technical Assistance Center
ATF® Arbor Networks® Active Threat Feed
ATLAS® Arbor Networks® Active Threat Level Analysis System
BGP Border Gateway Routing Protocol
BLO Blacklist Offloading via BGP FlowSpec or OpenFlow
CLI Arbor Networks® APS Command Line Interface, available via Console or SSH connection
Cloud Signaling Dynamic signaling between Arbor Networks® APS on premise and a cloud-based DDoS solution
DDoS Distributed Denial of Service
DS Arbor Networks® SP – Data Storage Appliance (formerly called BI)
Flow Flow data include information about client and server as well as which ports and protocol were used, together with the number of bytes and packets exchanged.
FlowSpec BGP Flow Spec signals IP traffic parameters and an action to perform between two devices
MCM-2 Management Card - Arbor Networks® TMS-4000 Series
MCM-C Management Card - Arbor Networks® TMS-4000 and TMS-5000 Series
MGT Management Interfaces on an Arbor Networks® TMS Appliance or APS Appliances
MM Management Card - Arbor Networks® HD-1000
MO Managed Object
NTP Network Time Protocol
PPM High Performance Packet Processing Card - Arbor Networks® HD-1000
PSM-400 Switch and Control Blade - Arbor Networks® TMS-5000 Series
Regex Regular-Expression
RFC Request for Comments - IETF
RT BGP Extended Community – Route Target
SM0, SM1 Switch Module + Shelf Manager + Line Card - Arbor Networks® HD-1000
SNMP Simple Network Management Protocol
SSH Secure Shell
TMS Arbor Networks® TMS - Threat Management System
TRA Arbor Networks® SP - Traffic and Routing Analysis Appliance (formerly called CP)
UI Arbor Networks® SP - User Interface Appliance (formerly called PI)
VGA Video Graphics Array
ZTP Zero Touch Provisioning


Hardware Appliances Overview


Arbor SP-6000

1 DB-9 serial console port (9600/8-N-1)
2 VGA connector
3 Ethernet port (eth0)
4 4x USB ports (USB2.0)
5 Ethernet ports (eth1-eth3, top to bottom)
6 Ethernet ports (eth4-eth11)
7 AC power supply

Arbor SP-7000

1 VGA connector
2 2x USB ports (USB2.0)
3 Not supported
4 2x USB ports (USB3.0)
5 Ethernet ports (eth0, left and eth1, right)
6 2x 10GbE fiber Ethernet ports (eth6 and eth7)
7 4x 1GbE copper Ethernet ports (eth2-eth5)
8 2x ground studs for DC input
9 Power supply 2 (DC module shown). Pin 1 (bottom) ground, pin 2 (middle) -48Vdc terminal and pin 3 (top) return terminal
10 Power supply 1 (AC model shown)

Note: Each appliance has either two AC power supplies or two DC power supplies.
RJ-45 serial console (9600/8-N-1) on front side

Arbor SP-Insight P8000 & S8000

1 Power supply 1 (AC model)
2 Power supply 2 (AC model)
3 DB-9 serial console (115200/8-N-1)
4 VGA connector
5 Not supported
6 2x USB ports (USB3.0)
7 2x 1GbE copper Ethernet ports (eth0 and eth1). Can be used for management or data.
8 4x 10GbE copper Ethernet ports (eth2-eth5). Can be used for management or data.

SP Insight 8000 Appliance - Front Panel
1 Power button and LED
2 Unit ID button and LED*
3 eth0 activity LED
4 eth1 activity LED
5 Remote management LED*
6 Major alarm LED*
7 Reset button and LED

*not supported.

Arbor TMS-2300

1 DB-9 serial console port (9600/8-N-1)
2 VGA connector
3 Management Ethernet port (mgt0)
4 4x USB ports (USB2.0)
5 Management Ethernet ports (mgt1-mgt3, top to bottom)
6 Ethernet ports (tmsx0 and tmsx1) - Mitigation only
7 Ethernet ports (tmsx2 - tmsx5) - Mitigation only
8 AC power supply

Arbor TMS-2600 / TMS-2800

1 VGA connector
2 2x USB ports (USB2.0)
3 Not supported
4 2x USB ports (USB3.0)
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 8x 10GbE Ethernet ports (tms0-tms7)
8 2x ground studs for DC input
9 Power supply 2 (DC module shown). The -48V terminals are on the top and the return terminals (+) are on the bottom.
10 Power supply 1 (AC model shown)

Note: Each appliance has either two AC power supplies or two DC power supplies.
RJ-45 serial console (9600/8-N-1) on front side


Arbor TMS-4000

Arbor TMS-5000


Arbor HD-1000

1 RJ-45 serial console port (SM0) (9600/8-N-1)
2 4x 10GbE ports (tms0.0-tms0.3) SFP+ SR/LR
3 4x 10GbE ports (tms0.4.0-tms0.4.3) QSFP+ SR/LR with breakout cable
4 1x 1GbE Management Ethernet port (mgt0)
5 RJ-45 serial console port (SM1) (9600/8-N-1)
6 4x 10GbE ports (tms1.0-tms1.3) SFP+ SR/LR
7 4x 10GbE ports (tms1.4.0-tms1.4.3) QSFP+ SR/LR with breakout cable
8 1x 1GbE Management Ethernet port (mgt1)

1 RJ-45 serial console port SM-320G-0 (9600/8-N-1)
2 1x 100GbE port (tms0.0) QSFP28 (LR)
3 4x 10GbE ports (tms0.1.0-tms0.1.3) QSFP+ SR/LR with breakout cable
4 1x 100GbE port (tms0.2) QSFP28 (LR)
5 1x 1GbE Management Ethernet port (mgt0)
6 RJ-45 serial console port SM-320G-1 (9600/8-N-1)
7 1x 100GbE port (tms1.0) QSFP28 (LR)
8 4x 10GbE ports (tms1.1.0-tms1.1.3) QSFP+ SR/LR with breakout cable
9 1x 100GbE port (tms1.2) QSFP28 (LR)
10 1x 1GbE Management Ethernet port (mgt1)


Chassis containing PPM-20G (max. 160G throughput)

Chassis containing PPM-50G (max. 400G throughput)

Never mix PPM-20G and PPM-50G within the same chassis.


Arbor HD-1000: Manual Start-up and Shutdown


This insert describes how to manually start up and shut down the TMS HD1000 appliance using the chassis power button. It also tells you how the LEDs on the front and rear panels appear during a manual start-up and shutdown.

The LEDs are on the chassis faceplate and on the faceplate of each module in the chassis. The modules include SM0, SM1, MM, and all PPMs. To locate these modules, see the front panel and rear panel illustrations in this Quick Start Card.

If you have difficulty with manual start-up or shutdown, contact the Arbor Technical Assistance Center (https://support.arbor.net).

Initial Start-Up

When you connect facility power to the TMS HD1000, the appliance starts up automatically. You do not have to press the chassis power button to start up manually.

Clean Manual Shutdown

To perform a clean manual shutdown, press and quickly release the chassis power button. A clean shutdown takes up to five minutes to complete. The LEDs appear as follows before, during, and after the clean shutdown:

Fast Manual Shutdown

IMPORTANT: Before you do a fast manual shutdown, first try a clean manual shutdown. A clean shutdown helps preserve data integrity.

To perform a fast manual shutdown, press and hold the chassis power button for four seconds. All components will shut down immediately. The LEDs appear as follows before and after the fast shutdown:

Note: After a fast shutdown, the red CRT (critical alarm) LED on the chassis turns on.

Start-up after Shutdown

If power is connected to the TMS HD1000, but the green power LEDs are off, the appliance is off. To restart the appliance manually, press and quickly release the chassis power button. The LEDs appear as follows during manual startup:


Arbor APS-2100

1 RJ-45 serial console port (9600/8-N-1)
2 VGA connector
3 USB0 (bottom) and USB1 (top)
4 USB2 (bottom) and USB3 (top)
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 4x 1GbE ports, copper
8 4x 1GbE ports, SX fiber
9 4x 1GbE ports, LX fiber
10 2x ground studs for DC input
11 Power supply 2 (DC module shown). The -48V terminals are on the top and the return terminals (+) are on the bottom.
12 Power supply 1 (AC model shown)

Note: Each appliance has either two AC power supplies or two DC power supplies.

Arbor APS-2600 / APS-2800 / APS Console 7000, Netscout AED-2600 / AED-2800

1 VGA connector
2 USB0 (bottom) and USB1 (top)
3 Remote Management NIC – NOT SUPPORTED
4 USB2 (bottom) and USB3 (top)
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 1GbE (fiber or copper) or 10GbE fiber ports
8 4x 1GbE ports, copper (but can also be fiber)
9 2x ground studs for DC input
10 Power supply 2 (DC module shown). The -48V terminals are on the top and the return terminals (+) are on the bottom.
11 Power supply 1 (AC model shown)

Note: Each appliance has either two AC power supplies or two DC power supplies.
RJ-45 serial console (9600/8-N-1) on front side


Arbor Spectrum 2200

1 Power supply modules (AC version shown)
2 DB-9 serial console port (9600/8-N-1)
3 IPMI over LAN port
4 USB ports
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 VGA connector
8 2x 10GbE SFP+ ports (Flow Collector: interface flow4 and flow5)
9 4x 1GbE SFP ports (Flow Collector: interface flow0 through flow3)

Arbor Spectrum 2300

1 Power supply modules (AC version shown)
2 DB-9 serial console port (9600/8-N-1)
3 IPMI over LAN port
4 USB ports
5 Management Ethernet port (mgt0)
6 Management Ethernet port (mgt1)
7 VGA connector
8 2x 10GbE SFP+ ports (Flow Collector: interface flow4 and flow5)
9 4x 1GbE SFP ports (Flow Collector: interface flow0 through flow3)


Command Reference - Arbor APS & Netscout AED

Global System
/ help global or help or ? : see available command sub options
/ users : list all CLI connected users on appliance
/ clock : show or set the system clock
/ config show : show only the running ArbOS configuration
/ config write : save current configuration

Remote Access
/ ip access show : show active and inactive IP access rules
/ ip access add proto int source-ip : add IP access rule for remote access by protocol, ingress interface and source IP address or range. proto: bgp, cloudsignaling, https, ping, snmp, ssh
/ ip access delete proto int source-ip : delete an IP access rule
/ ip access commit : commit inactive IP access rules (issue config write if changes should persist after reboot)

IP + Interface - Configuration and Verification
/ ip arp show : show ARP entries (management interfaces only)
/ ip route show : show IP routing configuration
/ ip route add default next-hop-ip : add default gateway configuration
/ ip route add network/mask next-hop-ip : add static route configuration
/ ip interface show [brief|name] : show network interface configuration. The option brief provides a table formatted output, or specify an interface name.
/ ip interface identify int [sec] : identify appliance by activating the identification LED on a MGT port
/ ip interface ifconfig name up|down : administratively enable or disable interface
/ ip interface ifconfig name ip/mask : configure IP address on management interface
/ ip interface ifconfig name ip/mask alias : configure alias/secondary IP address on management interface
/ ip interface vlan int vlan-id : add VLAN subinterface on management interface (mgt0, mgt1)
/ ip interface media name : check physical interface settings for management or mitigation interfaces
/ ip interface media name speed 10|100|1000 duplex full|half : configure physical interface settings for management and also mitigation interfaces (≤ 5.9)
/ ip interface media name mtu value : set the interface MTU, values supported 1500..9216 byte (≤ 5.9)
/ services [aps|aed] mitigation interface media name speed 10|100|1000 duplex full|half : configure interface settings for mitigation interfaces (≥ 5.10)
/ services [aps|aed] mitigation interface media name mtu value : set the interface MTU, values supported 1500..9216 byte (≥ 5.10)
/ services [aps|aed] mitigation interface int ip/mask : set IP address on mitigation interface, only available in L3 mode
/ services [aps|aed] mitigation route add net nexthop : add static route for protection interface, only available in L3 mode
/ system hardware interface name : show protection interface settings (≥ 6.0)
/ system hardware interface name pause-frame : show protection interface pause parameters (≥ 6.0)
/ system hardware interface name dump-regs : show protection interface register information (≥ 6.0)
/ ip interface counter [name] : show interface counters
/ ip interface counter [name] clear : clear interface counters

System Initialization
/ services [aps|aed] database initialize : initialize the APS. Warning: all data will be lost!
/ services aps-console data initialize : initialize the APS-Console. Warning: all data will be lost!

License Management and AIF
/ system license set Pravail, AED or APS-CONSOLE … : configure appliance license with type
/ system license set ASERT … : configure AIF license
/ system license show : show installed licenses (incl. types and valid period)
/ services [aps|aed] aif version show : show installed AIF packages and their version
/ services [aps|aed] aif url set|show|clear : configure AIF update source

Service and System Verification
/ services [aps|aed] show|start|stop : show status, start or stop software on the APS appliance
/ services aps-console show|start|stop : show status, start or stop software on the APS-Console appliance
/ services ssh show : show SSH configuration and status
/ services ntp show : show NTP configuration and status
/ services dns show : show DNS service details
/ system show : show general system information
/ system file show : show installed software packages
/ system file check : check installed package integrity
/ system file directory disk: : list contents of local flash disk:
/ system file copy disk:filename … : copy file to or from device via ftp, http, https or scp

CLI System Configuration Commands
/ system banner set : configure a specific banner for console and SSH connections
/ system timezone set zone : set time zone of the device, also available in the UI
/ system name set name : configure device name
/ system idle set minutes : configure idle timeout for console and SSH connections
/ services [aps|aed] mode set inline|monitor : switch between Arbor Networks APS deployment modes
/ services [aps|aed] bypass show : show bypass configuration
/ services [aps|aed] bypass disable : disable hardware bypass
/ services [aps|aed] bypass fail closed|open : configure hardware bypass failure mode
/ services [aps|aed] bypass software enabled|disabled : enable or disable software bypass
/ services [aps|aed] bypass force closed|open : force hardware bypass to fail open or closed

CLI Protection Configuration Commands
/ services [aps|aed] protection show : show protection configuration
/ services [aps|aed] protection reset option ST level : reset protection configuration value to factory default
/ services [aps|aed] protection set option ST level value : modify protection configuration.
    option: connlimit.blacklist_enabled, connlimit.max_conn, idle.header_time, idle.rate_interval, tls.clients_can_alert, tls.early_whitelist, tls.max_cipher_suites, tls.max_extensions, …
    ST: Server Type name
    level: low, medium or high
    value: value to apply
    Please consult Arbor if you are unsure about the effects of changing any of the above advanced parameters.

Device Authentication and API access
/ services aaa show : show AAA configuration, status and local accounts
/ services aaa radius … : configure RADIUS server for user authentication
/ services aaa tacacs … : configure TACACS server for user authentication
/ services aaa method set local radius tacacs : configure authentication sequence
/ services aaa method exclusive enable/disable : with exclusive authentication and an operational TACACS+ server, a user without a TACACS+ account cannot log in at all. APS only tries to authenticate with the next method listed if the TACACS+ server is not operational or is unreachable on the network.
/ services aaa local password admin interactive : change the password of the admin account by typing it twice into the CLI
/ services aaa local apitoken show : show manually generated tokens for REST API usage
/ services aaa local apitoken generate user description : generate new token for REST API
/ services aaa local apitoken remove token : remove REST API token from the system
/ services aaa local apitoken clear : show local active alerts
https://aps-hostname/api/aps/doc/v1/endpoints.html : online documentation about REST API on APS appliance
https://aps-hostname/api/aps/doc/v2/endpoints.html : online documentation about REST API on APS appliance (≥ 5.12)

Troubleshooting
/ traceroute, traceroute6 : trace route to host for IPv4 or IPv6 (non-mitigation interfaces)
/ ping, ping6 : ping a network host for IPv4 or IPv6 (non-mitigation interfaces)
/ ip interface snoop interface filter : watch traffic on MGT interface. filter: PCAP expression
/ system diagnostics : create diagnostics package. Please provide in case of a support ticket with ATAC.
/ services logging show : show available log files
/ services logging view syslog options : view system internal syslog messages
/ system hardware : show hardware details: CPU, Memory, SN, …
/ system disk show : show system disk configuration

Command Reference - Arbor SP/TMS

The marks in brackets at the end of each row show on which appliance role the command is available, in the column order Leader, UI, DS, TRA, TMS (✓ = available, - = not available). Rows that carry only four marks cover UI, DS, TRA and TMS.

Global System
/ help global or help or ? : see available command sub options [✓ ✓ ✓ ✓]
/ users : list all CLI connected users on appliance [✓ ✓ ✓ ✓]
/ clock : show or set the system clock [✓ ✓ ✓ ✓]
/ config show : show the running configuration [✓ ✓ ✓ ✓]
/ config write or revert : save or revert current configuration [✓ ✓ ✓ ✓]
/ config clear : clear config on TMS to restart ZTP process (≥ 8.2) [- - - ✓]

Remote Access
/ ip access show : show active and inactive IP access rules [✓ ✓ ✓ ✓]
/ ip access add proto int source-ip : add IP access rule for remote access by protocol, ingress interface and source IP address or range. proto: cloudsignaling, bgp, https, ssh, ping, snmp, ... [✓ ✓ ✓ ✓]
/ ip access delete proto int source-ip : delete an IP access rule [✓ ✓ ✓ ✓]
/ ip access commit : commit inactive IP access rules (issue config write if changes should persist after reboot) [✓ ✓ ✓ ✓]

IP Configuration and Verification
/ ip arp show : show ARP entries (management interfaces only) [✓ ✓ ✓ ✓]
/ ip route show : show IP routing configuration [✓ ✓ ✓ ✓]
/ ip interface show [brief] : show network interface configuration [✓ ✓ ✓ ✓]
/ ip interface counter int [clear] : show or clear interface counters [- - - ✓]

System Initialization
/ services sp bootstrap leader ip secret role : configure device as a leader. ip: own management IPv4; secret: shared zone secret; role: PI, CP [✓ - - - -]
/ services sp bootstrap non-leader ip secret role : configure device as a non-leader. ip: the IPv4 address of the leader; secret: shared zone secret; role: PI, BI, CP or FS [✓ ✓ ✓ -]
/ services tms bootstrap ip secret : configure TMS. ip: the IPv4 address of the leader; secret: shared zone secret [- - - ✓]

Network and Data Collection
/ services sp data bgp show : show BGP neighbor status [- - ✓ -]
/ services tms deployment bgp show neighbors : show BGP neighbor status [- - - ✓]
/ services tms deployment bgp show routes : show BGP route advertisement status [- - - ✓]
/ services tms show gre : show reinjection GRE tunnel status [- - - ✓]

Service and System Verification
/ services sp device leader show : show name of the deployment leader [✓ ✓ ✓ -]
/ services aaa show : show AAA configuration, status and local accounts [✓ ✓ ✓ ✓]
/ services dns show : show DNS servers and their state [✓ ✓ ✓ ✓]
/ services dns server add ip : add a DNS server [✓ ✓ ✓ ✓]
/ services ssh show : show SSH server state [✓ ✓ ✓ ✓]
/ services ntp show : show NTP servers and their state [✓ ✓ ✓ -]
/ services ntp server add ip : add an NTP server [✓ ✓ ✓ -]
/ services sp backup options : system backup management. options: show, create, stop, export, import, failover, … [✓ ✓ ✓ -]
/ services sp show|start|stop : show status, start or stop software on the SP appliance [✓ ✓ ✓ -]
/ services tms show|start|stop : show status, start or stop software on the TMS appliance [- - - ✓]
/ services tms show alert : show local active alerts [- - - ✓]
/ services tms show arp : show ARP entries (mitigation interfaces only) [- - - ✓]
/ services tms show blacklist : show IP address count currently on dynamic blacklist [- - - ✓]
/ services tms show interface rate : show mitigation interface processing rates [- - - ✓]
/ services tms show interface status : show mitigation interface status [- - - ✓]
/ services tms show mitigation : show running mitigations and their traffic rates [- - - ✓]
/ system file show : show installed software packages [✓ ✓ ✓ ✓]
/ system file directory disk: : list contents of local flash disk: [✓ ✓ ✓ ✓]
/ system file copy disk:filename … : copy file to or from device via ftp, http, https or scp [✓ ✓ ✓ ✓]
/ system hardware : show hardware details: CPU, Memory, SN, … [✓ ✓ ✓ ✓]
/ system hardware sfp : show SFP details (works on most TMS Series) [- - - ✓]

Flex License Management
/ services sp license flexible show : show licensed elements [✓ ✓ - - -]
/ services sp license flexible capability : show licensed deployment limits [✓ ✓ - - -]
/ services sp license flexible import disk:file : import new local license file, also required on the backup leader [✓ ✓ - - -]
/ services sp license flexible server cloud_licensing enable|disable : enable or disable the cloud based licensing [✓ ✓ - - -]
/ services sp license flexible server option : configure cloud based server details. options: port, url, … [✓ ✓ - - -]
/ services sp license flexible refresh : manually refresh a cloud-based flexible license file [✓ ✓ - - -]

CLI System Configuration Commands
/ system banner set : configure a banner for console and SSH connections [✓ ✓ ✓ ✓]
/ system name set hostname : configure device name [✓ ✓ ✓ ✓]
/ system idle set seconds : configure idle timeout for console and SSH connections [✓ ✓ ✓ ✓]
/ services aaa local advanced harden_password : configure hardened password usage for local accounts [✓ ✓ ✓ ✓]
/ services aaa max-login_failures set number : enable max login failures protection [✓ ✓ ✓ ✓]
/ services aaa password_length min number : increase the minimum length of the account passwords [✓ ✓ ✓ ✓]
/ services aaa password_length max number : increase the maximum length of the account passwords [✓ ✓ ✓ ✓]
/ services aaa local accounting set level lvl : enable command accounting by setting lvl = commands [✓ - - - -]
/ services aaa local advanced hide_none_local_history enable : hide non-local user data from the User Account Login Records page [✓ - - - -]
/ services sp preferences login_timeout set sec : set idle timeout period for the UI [✓ - - - -]

Arbor SP Insight
/ services sp device insight limit_ingestion_mos enable|disable : enable or disable the restriction of flow based on managed object [✓ - - - -]
/ services sp device insight limit_mo_set add|delete name : add or remove a managed object from the set of restricted managed objects [✓ - - - -]
/ services sp device insight limit_mo_set clear : clear all restricted managed objects [✓ - - - -]
/ services sp device insight limit_mo_set show : show the current set of restricted managed objects [✓ - - - -]
/ services sp device insight limit_ingestion_routers enable|disable : enable or disable the restriction to a set of routers [✓ - - - -]
/ services sp device insight limit_router_set add|delete name : add or remove a router from the set of restricted routers [✓ - - - -]
/ services sp device insight limit_router_set clear : clear all restricted routers [✓ - - - -]
/ services sp device insight limit_router_set show : show the current set of restricted router objects [✓ - - - -]

Unique CLI Configuration Commands
/ services sp mitigation nexthop custom ver add name ip ip : configure IPv4/IPv6 nexthop for blackhole [✓ - - - -]
/ services sp mitigation nexthop custom ver delete name : delete IPv4/IPv6 nexthop for blackhole [✓ - - - -]
/ services sp model address_space auto : auto-discover and append your local IPv4 address space [✓ - - - -]
/ services sp auto-config irr ip_address set ip : change the Internet Routing Registry server [✓ - - - -]
/ services sp preferences whois add ip : add a Whois resolution server [✓ - - - -]
/ services sp remote_services aif server set ip : configure the AIF server IP address [✓ - - - -]
/ services sp remote_services atf import disk:filename : import AIF signatures manually [✓ - - - -]
/ services sp notifications smtp port set port : explicitly configure the destination port used to contact the defined SMTP server [✓ - - - -]
/ services sp router edit name bgp update_source set ip : configure an explicit source IP address for the BGP peering with this router [✓ - - - -]
/ services sp router edit name bgp default_mitigation type enable|disable : configure router as default selected BGP peer in the UI for BGP Blackhole or BGP Flow Specification mitigations [✓ - - - -]
/ services sp router edit name snmp local_ip_address set ip : configure an explicit source IP address for the SNMP polling of this router [✓ - - - -]
/ services sp router edit name snmp priv_protocol AES/DES : configure the supported data encryption type when using SNMPv3 (default is DES, AES 128-bit key length) (≥ 8.3) [✓ - - - -]
/ services sp router edit name flow use_src_port_for_v9 enable|disable : enable missing flow tracking per source UDP port [✓ - - - -]
/ services sp router edit name bgp default_mitigations type enable|disable : configure router to be preselected in UI for blackhole or flowspec mitigations [✓ - - - -]
/ services sp device edit appliance_name bgp shared_memory_size show : display the current BGP shared memory size [✓ - - - -]
/ services sp device edit appliance_name bgp shared_memory_size set size MB : set the current BGP shared memory size in MB [✓ - - - -]
/ services sp device edit appliance_name bgp shared_memory_size clear : reset the current BGP shared memory size to default [✓ - - - -]
/ services sp alerts system_errors type notifications enable : enable event forwarding for system errors. type: cpu_load, disk_space, mem-usage, … [✓ - - - -]
/ services sp mitigation tms edit_locked enable|disable : lock mitigation settings for non-scoped SP users on the mitigation configuration page, enabled by default [✓ - - - -]
/ services aaa groups default set account-group : change the default TACACS+/RADIUS user group, used when none is provided [✓ - - - -]
/ services tms registry main set logger default_local_logging_enable = 1 : log blocked hosts to file blocked_hosts.log [- - - ✓]
/ services tms registry main set patch_panel GID promiscuous = 1 : enable promiscuous mode on physical interface of a TMS appliance [- - - ✓]
/ services tms registry main set interface GID static_arp a.b.c.d = 00:07:07:07:07:07 : configure a static ARP entry for the mitigation interfaces [- - - ✓]
/ services tms registry main set status suppress_alerts nexthop = "interface:a.b.c.d" : suppress next-hop unreachable alerts for a specific interface and next-hop IP [- - - ✓]
/ services tms deployment fec enable int : enable Forward Error Correction on HD1000 interface (100GE) [- - - ✓]

APS Cloud Signaling
/ services sp mitigation filter delete filtername : delete a filter list synchronized via Cloud Signaling after the Arbor APS has been removed [✓ - - - -]

Rest API
https://sp-hostname/api/sp/vx/ : REST API end point URL (see REST version matrix for details) [✓ - - - -]
https://sp-hostname/api/sp/doc/index.html : online REST API documentation [✓ - - - -]

Managing Reports
/ services sp reports custom find_old : find orphaned Wizard reports on a non-leader (≥ 8.2) [✓ - - - -]
/ services sp reports custom find_old copy all|id : copy orphaned Wizard report to leader (≥ 8.2) [✓ - - - -]
/ services sp reports custom check : check for reports with missing definitions (≥ 8.2) [✓ - - - -]

Add TMS model to supported appliance list
/ system files copy scp://user@x.x.x.x/path/tms.conf.tgz disk: : step 1: upload tms.conf.tgz (≥ 8.2) [✓ - - - -]
/ services sp tms update_tms_appliances : step 2: update appliance list (≥ 8.2) [✓ - - - -]

Troubleshooting
/ traceroute, traceroute6 : trace route to IPv4 / IPv6 host through MGT interfaces [✓ ✓ ✓ ✓]
/ ping, ping6 : ping an IPv4 / IPv6 host through MGT interfaces [✓ ✓ ✓ ✓]
/ ip interface snoop interface filter : watch traffic on local interface. filter: PCAP expression [✓ ✓ ✓ ✓]
/ system diagnostics : create diagnostics package. Please provide in case of a support ticket with ATAC. [✓ ✓ ✓ ✓]
/ system disk show : see the disk utilization and the RAID status [✓ ✓ ✓ ✓]
/ services logging view syslog options : view system internal syslog messages [✓ ✓ ✓ ✓]
/ services sp data database resync : resync the global database between UI devices, the SP service must be stopped (≥ 8.2) [✓ - - -]
/ services sp deployment [disk:filename] : gather deployment overview, output can also be written to a file on the internal flash disk [✓ - - - -]
/ services sp data flow view int ip records : view flow information received through an interface. ip: all or IP address of one router; records: all records or first record only [- - ✓ -]
/ services sp data snmp view ip comm oid : test SNMPv2 query towards router. ip: address of the router; comm: SNMP community; oid: specific OID, else use 'system' [- - ✓ -]
/ services sp alerts system_errors show : show configured handling of detected system errors [✓ ✓ - - -]
/ services sp notification test type destination : generate a test notification. type: email, email_xml, snmp, syslog; destination: default or an explicit group [✓ ✓ - - -]
/ services sp backup failover activate : switch manually to a backup leader [- ✓ - - -]
/ services sp portal login_page clear : set a custom login page back to default [✓ ✓ - - -]
/ services sp device edit name arf set on|off : enable or disable ARF (fcap matching) binning [✓ - - - -]
/ services sp device zone_secret show : see the configured zone secret in clear text (hidden command) [✓ ✓ ✓ ✓ -]
/ services sp mitigation tms learning end_all : stop all running learning mitigations [✓ - - - -]
/ services sp mitigation tms stop mitigation-name : stop a running mitigation by its name [✓ - - - -]
/ services sp certificate show : check validity period of installed certificate [✓ ✓ ✓ ✓ -]
/ reload : reboot the appliance [✓ ✓ ✓ ✓ ✓]
/ reload [hard] : reboot the TMS appliance, [hard] = with full power cycle [- - - ✓]
/ services tms tms-ping ipv4|ipv6 addr intf : ping from a mitigation interface with source interface [- - - ✓]
/ services tms tms-traceroute ipv4|ipv6 addr intf : traceroute from a mitigation interface with source interface [- - - ✓]


Command Reference - Arbor Spectrum


Global System
/ help global or help or ? see available command sub options
/ users list all CLI connected users on appliance
/ clock show or set the system clock
/ config show show only the running Arbos configuration
/ config write save current configuration
Remote Access
/ ip access show show active and inactive IP access rules
/ ip access add proto int source-ip add IP access rule for remote access by protocol, ingress interface and source IP address or range.
proto: https, ping, snmp, ssh
/ ip access delete proto int source-ip delete an IP access rule
/ ip access commit commit inactive IP access rules. (Issue config write if changes should persist after reboot)
IP Configuration and Verification
/ ip arp show show ARP entries (management interfaces only)
/ ip route show show IP routing configuration
/ ip route add default next-hop-ip add default gateway configuration
/ ip route add network/mask next-hop-ip add static route configuration
/ ip interface show [name/brief] show network interface configuration. The option brief provides a table formatted output, or specify an interface name.
/ ip interface ifconfig name up|down administratively enable or disable interface
/ ip interface ifconfig name ip/mask configure IP address on management interface
/ ip interface ifconfig name ip/mask alias configure alias/secondary IP address on management interface
/ ip interface media name check physical interface settings for management interfaces
/ ip interface media name speed 10|100|1000 duplex full|half configure physical interface settings for management interfaces
/ ip interface counter [name] show interface counters
/ ip interface counter [name] clear clear interface counters
System Initialization
/ services spectrum database initialize initialize the database. Warning: all data will be lost!
Service and System Verification
/ services spectrum show|start|stop show status, start or stop software on the Spectrum Appliance
/ services spectrum status show detailed information about System Status
/ services spectrum flowsources show show routers and probes allowed to send flows to this collector (Flow Collector only)
/ services spectrum flowsources status display status of all routers and probes which sent flow to this collector (Flow Collector only)
/ services spectrum settings ad show display current Active Directory settings
/ services ssh show show SSH configuration and status
/ services ntp show show NTP configuration and status
/ services dns show show DNS service details
/ system show show General system information
/ system file show show installed software packages
/ system file directory disk: list contents of local flash disk:
/ system file copy disk:filename … copy file to or from device via ftp, http, https or scp
CLI System Configuration Commands
/ system banner set configure a specific banner for console and ssh connections
/ system name set name configure device name
/ system idle set minutes configure idle timeout for console and ssh connections

/ services spectrum device_type show displays actual Device Type setting (Console / Flow Collector / Packet Collector)
/ services spectrum device_type set type set device type. Warning: all data will be lost!
type: console, packet_collector, flow_collector
/ services spectrum settings proxy configure Proxy (Console only, Spectrum services must be stopped)
/ services spectrum settings snmp show display SNMP export settings
/ services spectrum settings smtp_host_and_port configure SMTP server (required for setting up user accounts)
/ services spectrum settings smtp_username_and_pw configure SMTP server authentication
/ services spectrum settings snmp add version ip indicator configure SNMP export for specific indicator types to SNMP trap receiver
version: 2c or 3
ip: SNMP trap receiver
indicator: indicator type
/ services spectrum settings snmp remove ID remove SNMP export setting
/ services spectrum settings show displays device settings
/ services spectrum settings console set connect Spectrum Collector to the Console (requires admin password for authentication)
Device Authentication
/ services aaa local password admin interactive change password for the admin account, type in new password twice when prompted
Troubleshooting
/ traceroute, traceroute6 trace route to a network host for IPv4 or IPv6 (non-mitigation interfaces only)
/ ping, ping6 ping a network host for IPv4 or IPv6 (non-mitigation interfaces only)
/ ip interface snoop interface filter watch traffic on MGT interface. Filter: PCAP expression
/ system diagnostics create diagnostics package. Please provide in case of a support ticket with ATAC.
/ services logging show show available log files
/ services logging view syslog options view system internal syslog messages
/ system hardware show hardware details: CPU, Memory, SN, …
/ system disk show show system disk configuration


Mitigation: Arbor TMS & APS - FCAP Traffic Filtering


Actions
drop <expression> drop traffic matching condition, default behavior if not specified
pass <expression> white-listing (aka trusting), exempt traffic from all other countermeasures
Traffic not matching any of the above FCAP actions will be sent to the next enabled countermeasure.

Filter Elements
[src|dst] (host|net) <address> matches a host as IP source, destination or either address
[src|dst] <address>/<mask> matches a host as IP source, destination or either address
(proto|protocol) <name> matches IP protocol by name
(proto|protocol) <number> matches IP protocol by number
(proto|protocol) <number>..<number> matches IP protocol by a range of numbers
[src|dst] port <name> matches TCP or UDP packets sent to/from or either by name
[src|dst] port <number> matches TCP or UDP packets sent to/from or either by number
[src|dst] port <number>..<number> matches TCP or UDP packets sent to/from or either by range
(tflags|tcpflags) <tcp-flags> matches TCP packet on included TCP Flags
(bytes|bpp) <size> matches packet equal to length
(bytes|bpp) <size>..<size> matches packet within range of length
icmptype <icmptype> matches ICMP packets based on message type
icmpcode <number> matches ICMP packets based on message code
tos <value> matches IP packets based on Type of Service setting
(not|!) (proto|port|bpp|icmp…) negate adjacent element. Not supported for IP addresses
ttl <value> matches IP packets based on their included TTL value
[and|or] often used with brackets to nest individual expressions

ICMP Type/Code
icmp-echoreply 0/0 | icmp-echo 8/0
icmp-redirect 5/0-3 | icmp-unreach 3/0-15
icmp-tstamp 13/0 | icmp-tstampreply 14/0
icmp-timxceed 15/0 | icmp-ireqreply 16/0
icmp-routeradvert 11/0 | icmp-reastimxceed 11/1
icmp-sourcequench 9/0 | icmp-fragneed 3/4
icmp-paramprob 4/0 | or any type/code combination

TCP Flags
S | SYN | Synchronize
A | ACK | Acknowledgement
F | FIN | Final
R | RST | Reset
P | PUSH | Push
U | URG | Urgent
W | CWR | Congestion Window Reduced
E | ECE | ECN-Echo (Explicit Congestion Notification - Echo)

Filter Examples
drop 0.0.0.0/0 drop everything
drop proto udp and not dst port 53 drop all UDP except for dst port 53
drop src host 10.1.1.1 and dst 192.168.2.1/32 drop traffic from host 10.1.1.1 to host 192.168.2.1
drop not (proto icmp or proto tcp) drop all IP protocols except TCP and ICMP
drop proto icmp and bytes 200..2000 drop all ICMP packets with a size of 200 up to 2000 bytes
drop proto tcp and not (src port 1024..65535 and (dst port 80 or dst port 443)) drop all TCP except when the source port is within 1024 to 65535 and the destination port is either 80 or 443
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1)) drop ICMP except for “fragmentation needed and DF set” used by Path MTU Discovery and “Fragment Reassembly Time Exceeded”
drop proto udp and port 123 and not bpp 76 drop NTP packets that are not 76 bytes (NTP Response)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst port 1024..65535)) drop TCP except when the source port is within 1024 to 65535 and the destination is 25, or when the source port is 25 and the destination is within 1024 to 65535, therefore allowing inbound and outbound SMTP connections.
drop proto tcp and dst port 80 and tflags S/S drop TCP packet when the SYN Flag is present
drop proto tcp and dst port 80 and tflags /S drop TCP packet when the SYN Flag is not present
drop proto tcp and dst port 80 and tflags S/SAFRPUEW drop TCP packet when the SYN Flag is the only Flag set
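The three tflags rows above use a flags/mask notation. The following added Python example (not from the guide and not Arbor code) implements the mask semantics those rows imply, (packet flags AND mask) == flags, and evaluates the three rules against a few constructed packet flag sets; reading the argument as flags/mask is an assumption derived from those examples.

```python
# TCP flag letters as listed in the guide's TCP Flags table, mapped to the
# bit each one occupies in the TCP header flags byte (RFC 793 / RFC 3168).
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PUSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_to_bits(letters: str) -> int:
    """Convert a string of flag letters such as 'SA' into a bit mask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_tflags(spec: str) -> tuple[int, int]:
    """Split a 'flags/mask' tflags argument into (flags, mask) bit masks.

    Only the flags/mask form used by the guide's examples is accepted
    (assumption: 'S/S' = SYN set, '/S' = SYN clear, 'S/SAFRPUEW' = only SYN).
    """
    if "/" not in spec:
        raise ValueError("tflags argument must be written as flags/mask")
    flags, mask = spec.split("/", 1)
    fbits, mbits = flags_to_bits(flags), flags_to_bits(mask)
    if fbits & ~mbits:
        raise ValueError("flags before '/' must all be included in the mask")
    return fbits, mbits


def tflags_match(spec: str, packet_flags: str) -> bool:
    """True if a packet carrying packet_flags matches the tflags argument:
    the mask selects the bits to look at, the flags give their required value."""
    fbits, mbits = parse_tflags(spec)
    return (flags_to_bits(packet_flags) & mbits) == fbits


def demo() -> dict:
    """Evaluate the guide's three tflags examples against constructed packets:
    a bare SYN, a SYN-ACK, an ACK-only segment and a SYN with ECN bits set."""
    packets = {"syn": "S", "synack": "SA", "ack": "A", "syn_ecn": "SEW"}
    rules = ["S/S", "/S", "S/SAFRPUEW"]
    return {rule: {name: tflags_match(rule, f) for name, f in packets.items()}
            for rule in rules}


if __name__ == "__main__":
    for rule, results in demo().items():
        print(f"tflags {rule:<11} ->", results)
```

Note that S/S also matches the SYN-ACK and the ECN-marked SYN, which is why the "only SYN" form needs the full mask.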

Example: Web Server (HTTP and HTTPS)
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 80) or (src port 1024..65535 and dst port 443))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Authoritative DNS server
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto udp and not ((src port 53 or src port 1024..65535) and dst port 53)
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Recursive DNS server
drop not (proto icmp or proto udp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
drop proto udp and not ((src port 1024..65535 and dst port 53) or (src port 53 and dst port 1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: SMTP MTA
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst port 1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: SMTP MTA (with SMTPS and eMail message submission) [check if really used]
drop not (proto icmp or proto tcp)
drop proto tcp and not ((src port 1024..65535 and dst port 25) or (src port 25 and dst port 1024..65535) or (src port 1024..65535
and dst port 465) or (src port 465 and dst port 1024..65535) or (src port 1024..65535 and dst port 587) or (src port 587 and dst port
1024..65535))
drop proto icmp and not ((icmptype 3 and icmpcode 4) or (icmptype 11 and icmpcode 1))
Example: Protecting a black box
#White List critical infrastructure communication, like for routing protocols
pass src host x.x.x.x and proto tcp and port 179

drop src net [your own prefix(es)]


drop net 0.0.0.0/8
drop net 10.0.0.0/8
drop net 127.0.0.0/8
drop net 172.16.0.0/12
drop net 192.168.0.0/16
drop net 240.0.0.0/4
drop net 224.0.0.0/4
drop not (proto udp or proto tcp or proto esp or proto icmp or proto gre)
drop proto icmp and bytes 200..2000
drop proto udp and port 19
drop proto udp and port 69
drop proto udp and (src port 123 or dst port 123) and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)
drop proto udp and port 161
drop proto udp and port 162
drop proto udp and port 1434
drop proto udp and port 1900
drop proto udp and port 11211 and bpp 1420

# DNS not as a service available?


drop proto udp and dst port 53
# DNS replies not to be expected?
drop proto udp and src port 53


Mitigation: Arbor TMS & APS – Regular Expression


Notations: regular expression (italic in the original), matching text, alternative matching text

Anchors
^ start of line: ^arbor matches arbor123 but not 123arbor
$ end of line: arbor$ matches 123arbor but not arbor123
\b word boundary: \barbor\b matches arbor but not arbor123
\B not word boundary: \barbor\B matches arbor123 but not arbor or 123arbor123; \Barbor\B matches 123arbor123 but not 123arbor

Character Classes
\c control character (Ctrl+x): \cC matches CTRL-C
\s white space (“ “): arbor\s123 matches arbor 123 but not arbor123
\S not white space, not (“ “): arbor\S123 matches arbors123 but not arbor 123
\d digit [0-9]: arbor\d matches arbor1, arbor2 but not 1arbor
\D not digit, not [0-9]: \Darbor matches aarbor but not 1arbor
\w word [A-Za-z0-9_]: \warbor matches 1arbor, aarbor, 12345arbor but not arbor or @arbor
\W not word, not [A-Za-z0-9_]: \Warbor matches @arbor but not 1arbor or aarbor
\xhh hexadecimal character hh: \x00\xFF matches hex char 00FF

Metacharacters must be escaped with “\”: ^ $ [ ] { } ( ) \ . * + ? < >

Quantifiers
* 0 or more: arbo* matches arbor, arboooor, arbr, arb but not rbo
*? 0 or more, ungreedy: arbo*? matches arbor, arboooor, arbr, arb but not rbo
+ 1 or more: arbo+ matches arbor, arboooor but not arbr
+? 1 or more, ungreedy: arbo+? matches arbor, arboooor but not arbr
? 0 or 1: arbo? matches arbor, arbooor, arbr but not rbor or aror
?? 0 or 1, ungreedy: arbo?? matches arbor, arbooor, arbr but not rbor or aror
{3} exactly 3: a{3} matches aaarbor but not aaaarbor
{3,} 3 or more: a{3,} matches aaarbor, aaaaaaaaarbor but not aarbor
{3,5} 3, 4 or 5: a{3,5} matches aaarbor, aaaarbor, aaaaarbor, aaarboraaa but not aarbor
{3,5}? 3, 4 or 5, ungreedy: a{3,5}? matches aaarbor, aaaarbor, aaaaarbor but not aarbor

Special Characters (hex)
\ escape character
\n new line (0A)
\r carriage return (0D)
\t tab (09)
\f form feed (0C)
\a alarm BEL char (07)
[\b] backspace
\e escape

Ranges
. any char except \n (hex \x0a): a. matches arbor and azbor but not a
(a|b) a or b: (a|z) matches arbor, arboz but not brbor
(…) group of chars: (arb) matches arbor, arborarb but not aror
[abc] range, a or b or c: [abc] matches arbor, aabbcc but not dddd
[^abc] range, not a or b or c: [^abc] matches dddd, arbor but not abc
[a-z] lowercase letter between a and z: [a-z] matches arbor but not ARBOR
[^a-z] not lowercase letter between a and z: [^a-z] matches ARBOR, 1234 but not arbor
[A-Z] uppercase letter between A and Z: [A-Z] matches ARBOR but not arbor
[^A-Z] not uppercase letter between A and Z: [^A-Z] matches arbor, 1234 but not ARBOR
[0-9] digit between 0 and 9: [0-9] matches 1234 but not arbor
[^0-9] not digit between 0 and 9: [^0-9] matches ARBOR, arbor but not 1234

Literal Text Span
\Q begin literal string
\E end literal string
Escapes metacharacters between \Q and \E. Example: \QGET /cgi/page.cgi?id=1\E is the same as GET \/cgi\/page\.cgi\?id=1

Pattern Modifiers
(?mod) turns on modifier for rest of expression
(?-mod) turns off modifier for rest of expression
(?mod:<expression>) turns on modifier for expression in <...>
(?-mod:<expression>) turns off modifier for expression in <...>
(?i) case insensitive
(?-i) case sensitive
(?# comment) adds comment
(?m) multiline match
(?s) single line match

Logical OR
| logical OR: (.*\.com|.*\.net) matches arbor.com OR arbor.net

Important Notes
HTTP and payload regex are case sensitive (since SP 8.0)
DNS regex is case insensitive (since SP 8.0)
Back references not supported
Assertions not supported
\p{xx}, \P{xx}, \C, \R, \K not supported
Logical AND is not supported

Payload Regular Expression
Payload regular expressions treat the payload as a single input string. A payload regular expression can match on hex (\x77\x77\x77) characters, ASCII (www) characters or a combination of the two (\x77w\x77).
Multiline and single line pattern modifiers can be used in payload regular expressions. (?m) changes the behaviour of ^ and $ to match next to newlines within the input string: ^ matches after any newline, $ matches before any newline. (?s) changes the behaviour of . (dot) to match all characters, including newlines, within the input string.
Example payload (hex and ASCII) and the effect of the modifiers:
41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a = Accept: */*\r\n
48 6f 73 74 3a 20 31 2e 31 2e 31 2e 31 0d 0a = Host: 1.1.1.1\r\n
^\x41.*\x2f\x2a\x0d$ fails; (?m)^\x41.*\x2f\x2a\x0d$ succeeds
\x41\x63.*\x48\x6f fails; (?s)\x41\x63.*\x48\x6f succeeds
In DNS queries, the byte right before each label indicates the length of the label: \x03 indicates that the next label is 3 bytes long. A domain query for www.arbornetworks.com would be \x03www\x0darbornetworks\x03com. 10-byte labels are preceded by \x0a and 13-byte labels are preceded by \x0d. Be aware that in plain text \x0a and \x0d are \n (newline) and \r (carriage return) respectively. These two characters are treated differently in regular expressions. Be sure to use the proper hex values for the label length fields or use the (?s) single line pattern modifier to allow “.” to match a newline: (?s)www.arbornetworks.com
DNS attack to mail.arbornetworks.com => \x04mail\x0darbornetworks\x03com or (?s)mail.arbornetworks.com
HTTP attack to www.arbornetworks.com => www\x2earbornetworks\x2ecom or \x77\x77\x77\x2earbornetworks\x2e\x63\x6f\x6d
DNS reflection attacks typically use Type=ANY, where the type field is “00ff” for ANY. Mitigate with domain\x03com\x00\x00\xff
Common DNS Type fields: A \x01, AAAA \x1c, PTR \x0c, MX \x0f, SOA \x06, NS \x02, TXT \x10
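Added Python example (not part of the guide and not Arbor's engine): Python's re module stands in for the TMS/APS payload regex engine to reproduce the (?m)/(?s) cases from the hex-dump rows above, to show why a 10-byte DNS label (length byte \x0a) breaks a “.” without (?s), and to check the Type=ANY pattern against a constructed question section. The name www.tenletters.com and the query builder are constructed for the illustration.

```python
import re

# Constructed payload taken from the guide's hex-dump rows: two HTTP header
# lines, each terminated by \r\n, seen by the engine as ONE input string.
HTTP_PAYLOAD = b"Accept: */*\r\nHost: 1.1.1.1\r\n"


def payload_matches(pattern: bytes, payload: bytes) -> bool:
    """True if the byte regex matches anywhere in the payload (Python's re
    stands in for the TMS/APS engine; (?m) and (?s) behave alike here)."""
    return re.search(pattern, payload) is not None


def dns_wire_name(domain: str) -> bytes:
    """Encode a name as it appears in a DNS query: each label is preceded by
    its length byte and the name is closed by a zero byte (root label)."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dns_question(domain: str, qtype: int) -> bytes:
    """Constructed question section: QNAME, 2-byte QTYPE, 2-byte QCLASS (IN).
    The DNS header is omitted because the payload patterns do not touch it."""
    return dns_wire_name(domain) + qtype.to_bytes(2, "big") + b"\x00\x01"


def demo() -> dict:
    """Run the guide's payload regex cases and the DNS length-byte pitfall."""
    r = {}
    # ^ and $ anchor only at the string ends unless (?m) is switched on
    r["dollar_no_m"] = payload_matches(rb"^\x41.*\x2f\x2a\x0d$", HTTP_PAYLOAD)
    r["dollar_m"] = payload_matches(rb"(?m)^\x41.*\x2f\x2a\x0d$", HTTP_PAYLOAD)
    # . does not cross \n (\x0a) unless (?s) is switched on
    r["dot_no_s"] = payload_matches(rb"\x41\x63.*\x48\x6f", HTTP_PAYLOAD)
    r["dot_s"] = payload_matches(rb"(?s)\x41\x63.*\x48\x6f", HTTP_PAYLOAD)
    # "tenletters" is 10 bytes, so its length byte is \x0a, i.e. a newline:
    # a "." written for the dot in the domain name silently fails on it
    name = dns_wire_name("www.tenletters.com")
    r["dns_dot_no_s"] = payload_matches(rb"www.tenletters.com", name)
    r["dns_dot_s"] = payload_matches(rb"(?s)www.tenletters.com", name)
    r["dns_exact"] = payload_matches(rb"\x03www\x0atenletters\x03com", name)
    # Type=ANY query: name terminator \x00 followed by QTYPE \x00\xff
    any_query = dns_question("tenletters.com", 0x00FF)
    a_query = dns_question("tenletters.com", 0x0001)
    any_pattern = rb"tenletters\x03com\x00\x00\xff"
    r["any_matches_any"] = payload_matches(any_pattern, any_query)
    r["any_matches_a"] = payload_matches(any_pattern, a_query)
    return r


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:<16} {'match' if hit else 'no match'}")
```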

HTTP Header Regular Expression


HTTP header regular expressions treat each line of the HTTP header as a unique string. Each regular expression in the HTTP header regex is
applied to each HTTP header. If any of the regular expressions match any of the headers, then the packet matches and the appropriate
action is taken. HTTP headers are divided along the boundary of \r\n and exclude \r\n in the header string.
Regular expression spanning multiple headers across the \r\n boundary will not match.
HTTP headers should follow case sensitive canonical format of: Camel-Back: value
Deviations may indicate malware: Camel-Back:value or
Camel-Back: value or
Camel-back: value or
CAMEL-BACK: value or
Camel -Back: value
Common HTTP headers and approximate percent of legitimate requests containing each case sensitive header:
Host: 99,9% | User-Agent: 97,9% | Connection: 97,7% | Accept: 93,8% | Accept-Encoding: 90,4%
Accept-Language: 87,5% | Referer: 78,2% | Cookie: 42,3% | Accept-Charset: 35,3% | Keep-Alive: 25,1%
Via: 16,2% | UA-CPU: 14,8% | If-Modified-Since: 13,4% | X-IMForwards: 12,9% | Cache-Control: 10,5%
If-None-Match: 6,9% | Content-Length: 5,0% | x-flash-version: 4,9% | Content-Type: 4,5% | Pragma: 2,3%
X-NovINet: 1,9% | Range: 1,3% | CUDA_CLIIP: 1,1% | X-Forwarded-For: 0,9% | X-Dropbox-Locale: 0,7%
DNT: 0,6% | From: 0,4% | All others less than 0,5%
Examples:
1) GET flood to /page.cgi?id=dosme HTTP/1.1 => ^\/page\.cgi\?id\=dosme HTTP\/1\.1$
2) GET flood to Host: www.domain.com => ^Host: www\.domain\.com$ or ^\QHost: www.domain.com\E$
3) Incorrect capitalization of User-Agent: => (?-i)^User-agent or (?-i)^User-Agent

DNS Regular Expression


DNS regular expressions treat the Name field of the DNS packet as a unique string. Each DNS regular expression is applied to the Name field
for each DNS packet. If any of the regular expressions match the Name field in a DNS packet, it is a match, and the appropriate action is
taken.
Examples:
1) Query flood to www.arbornetworks.com => www\.arbornetworks\.com or w{3}\.arbornetworks\.com
2) Random 8-character dictionary attack to domain.com => [A-Za-z0-9_]{8}\.domain\.com
3) Attack to mail and smtp.domain.com => (mail|smtp)\.domain\.com


Mitigation: Arbor TMS – Packet Header Filtering


Basic Rules
• max 1024 characters long (including spaces)
• all text must be lower case
• leading and trailing spaces are optional, but they are required for operators that use text characters such as ‘gt’

Filter Elements
tcp.srcport TCP source port
tcp.dstport TCP destination port
tcp.port TCP port
tcp.flags.ack TCP Flag - Acknowledgement
tcp.flags.push TCP Flag - Push
tcp.flags.reset TCP Flag - Reset
tcp.flags.syn TCP Flag - Synchronize
tcp.flags.fin TCP Flag - Final
tcp.flags.cwr TCP Flag - Congestion Window Reduced [RFC 3168]
tcp.flags.ecn TCP Flag - ECN-Echo (Explicit Congestion Notification - Echo) [RFC 3168]
tcp.flags.ns TCP Flag - Nonce Sum [RFC 3540]
tcp.flags.urg TCP Flag - Urgent
tcp.options.sack_perm TCP Option - Selective Acknowledgements
tcp.options.mss_val TCP Option - MSS Option Value
tcp.window_size_value TCP Window Size value
Type | Operator | Allowed Formats
Boolean | AND | and, &&
Boolean | OR | or, ||
Boolean | NOT | not, !
Comparison | equal to | eq, ==
Comparison | not equal to | ne, !=
Comparison | greater than | gt, >
Comparison | less than | lt, <
Comparison | greater than or equal to | ge, >=
Comparison | less than or equal to | le, <=
Bitwise | bitwise and | bitwise_and, &

Example
tcp.window_size_value > 10000 and tcp.options.sack_perm && tcp.options.mss_val ge 1450 and not tcp.port & 1
TCP window size is greater than 10000 and TCP selective acknowledgement is enabled and TCP MSS value is greater than or equal to 1450 bytes and the TCP port, bitwise ANDed with 1, is not 1

TCP Header Overview


Mitigation: Other Types – BGP Flow Specification


Extended Community Usage
Action | Type | Encoding | Extended Community Notes | SP/TMS
traffic-rate | drop or Police | 0x8006 | 2-byte AS + 4-byte rate-shaper | TMS: Blacklist offload only (8.1)
traffic-VRF redirect | Redirect by RT, coded as ASN | 0x8008 | route-target: 2-byte AS, 4-byte Value, 1234:5678 |
redirect IPv4 | Redirect by RT, coded in IPv4 | 0x8108 | 4-byte IPv4 Address, 2-byte Value, 1.2.3.4:5678 | 8.1
redirect AS | Redirect by RT, coded in ASN | 0x8208 | 4-byte AS, 2-byte Value, 1.2.3.4L:5678 | 8.1
redirect-IP | Redirect to an IP nexthop | 0x0800 | 6 bytes (all bits 0, last bit = C [copy bit]); Simpson draft, used by Cisco | 8.1

Arbor SP Mitigation Usage


Arbor SP - REST API Matrix


The Arbor Networks SP REST API is updated on a regular basis, which results in version changes and
deprecation of existing API functionality.

SP REST API Version


Release | 0.6* | 1 | 2 | 3 | 4
8.0 | ✓ | | | |
8.1 | X | ✓ | | |
8.2 | X | ✓ | ✓ | |
8.3 | X | ✓ | ✓ | ✓ |
8.4 | X | ✓ | ✓ | ✓ | ✓
*Beta Version

The SP REST API output is in the JSON API format. The responses use return links to refer to other
resources and support pagination. When you make a request to the REST API, you can specify which
API version to use; for example, to use the version 3 alerts endpoint: https://sp.example.com/api/sp/v3/alerts/

If a request contains no version information, it defaults to the latest version. In most cases, the SP
REST API keeps the full functionality of still-supported previous versions. However, there could be a
situation where an older endpoint provides only partial functionality or is removed entirely.

More information can be found in the Arbor Networks SP and TMS API Guide for the software release in use.

Arbor SP/TMS - BGP Signaling Capabilities


Capability by Device | BGP analytics: IPv4, IPv6, VPNv4 | Route advertisement: IPv4, IPv6 | FlowSpec Filter: IPv4, IPv6 | FlowSpec Diversion: IPv4, IPv6 | FlowSpec BLO: IPv4, IPv6
TRA | ✓, ✓, ✓ | ✓, ✓ | ✓, X | ✓, ✓** | X, X
TMS | X, X, X | ✓, ✓ | X, X | X, X | ✓, ✓*
min. releases: *8.2, **8.3


Arbor SP Alert Search Keywords


Attribute | Supported keywords and values | Examples

resource (a service, fingerprint, or managed object)
• resource:managed-object, fingerprint, and/or service name ➢ resource:object3,service123
• mo:managed-object-name ➢ mo:object1
• fingerprint:fingerprint-name
• service:service-name ➢ service:new_serv1
The resource keyword searches for alerts that involve services, fingerprints, and managed objects. This search is case-insensitive, and SP matches on partial resources.

router name
• ro:router-name ➢ ro:router123
• router:router-name ➢ router:789xyz, router:routerabc

device name
• appliance:appliance-name ➢ appliance:app123
• collector:appliance-name ➢ collector:my_appliance
• device:appliance-name ➢ device:example_device
Each keyword returns the same search results. Collector returns all devices with the entered appliance name, even if they are not collectors.

alert ID
• ID ➢ 12345
• alert_id:ID ➢ alert_id:23456

alert class
• ac:alert-class ➢ ac:TMS
• alert_class:alert-class ➢ alert_class:TMS
Alert classes: BGP, Cloud Signaling, Data, DOS, System Error, System Event, TMS and Traffic

severity level
• severity ➢ low
• sev:severity ➢ sev:low
• severity:severity ➢ severity:high,low

alert type
• alert type ➢ “BGP Trap”
• at:alert-type ➢ at:“BGP Trap”
• alert_type:alert-type ➢ alert_type:“BGP Trap”
This search is case-insensitive, and SP matches on partial alert types.
Alert types: BGP Down, BGP Instability, Cloud Signaling Fault, Cloud Signaling Mitigation Request, DOS, Flow Down, GRE Down, Hardware Failure, Interface Usage, License Alert, Managed Object Threshold, SNMP Down, TMS Fault, …

alert status
• alert-status ➢ ongoing
• sts:alert-status ➢ sts:recent
• status:alert-status ➢ status:all
Status: all, ongoing, recent, ended, stopped, done or completed

classification
• classification:classification ➢ classification:“Possible Attack”
• ax:classification ➢ ax:“network failure”
Classifications: False Positive, Flash Crowd, Network Failure, Possible Attack, Trivial, Verified Attack

annotation
• annotation ➢ Critical
• ann:annotation ➢ ann:Critical
• alert_annotation:annotation ➢ alert_annotation:Critical
• comment:annotation ➢ comment:“this is critical”

prefix
• prefix:CIDR block ➢ prefix:10.0.0.0/8
On very short-lived alerts, you might not be able to find them by using the prefix keyword.


Personal Notes:


Contacts
CORPORATE HEADQUARTERS
76 Blanchard Road
Burlington, MA 01803 USA
+1 781 362 4300
Toll-free +1 855 773 9200
contact@arbor.net

Asia Pacific (APAC) +65 6664 3140
Europe, Middle East and Africa (EMEA) +44 207 127 8147
Latin and Central America (LATAM) +52 55 4624 4842

www.netscout.com/arbor

Arbor Technical Assistance Center

+1 781 362 4301 | +1 877 272 6721


Customers: https://arbor.custhelp.com/

Partners: https://partnercenter.arbornetworks.com/

Stay up-to-date and use our Knowledge Base.

Copyright © 2018 Arbor Networks, Inc. All rights reserved.


Arbor Networks, the Arbor Networks logo, ArbOS, and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the
trademarks of their respective owners. Proprietary and Confidential Information of Arbor Networks, Inc.

3.0918.01
