Professional Documents
Culture Documents
Arbor Networks Sightline 9.1.1 9.1 Release-Notes 2020-07-16
Arbor Networks Sightline 9.1.1 9.1 Release-Notes 2020-07-16
Arbor Networks Sightline 9.1.1 9.1 Release-Notes 2020-07-16
Release Notes
Version 9.1.1
Version 9.1
Sightline Release Notes
Legal Notice
The information contained within this document is subject to change without notice. Arbor Networks, Inc.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable
for errors contained herein or for any direct or indirect, incidental, special, or consequential damages in
connection with the furnishings, performance, or use of this material.
© 2019-2020 Arbor Networks, Inc. All rights reserved. Proprietary and Confidential Information of Arbor
Networks, Inc.
Contents
Insight: Support for excluding certain managed objects from Insight data .................................... 19
Changes in Behavior ............................................................................................................................ 20
Unsupported TMS devices removed from TMS and Sightline ....................................................... 20
Flood detection for TCP ACK and SYN/ACK now includes the TCP PUSH and URG flags ......... 20
New default port numbers used for RADIUS connections ............................................................. 21
New default action for flow specification mitigations ...................................................................... 21
New version of ArbOS required when running Sightline ................................................................ 21
Mitigation drop–down on alerts page no longer includes mitigation information ........................... 21
Trigger Rate selector removed from Alerts Traffic graph ............................................................... 21
Dropped Traffic graph replaces Dropped Traffic selector .............................................................. 21
Profiled Network graphs no longer show pre-alert traffic ............................................................... 21
TMS HD1000 Chassis–based Licenses ........................................................................................ 22
Updated MIB .................................................................................................................................. 22
Insight: “SP Matched Applications” facet was renamed ................................................................ 22
Insight: New default MTU setting in ArbOS ................................................................................... 22
Information about the REST API in Sightline ....................................................................................... 23
REST API enhancements .............................................................................................................. 23
REST API support added for all Sightline devices with the user interface role ............................. 23
Updated endpoints in the REST API .............................................................................................. 23
Upgrade Information for Insight ............................................................................................................ 26
New default MTU setting in ArbOS for Insight ............................................................................... 26
Using Insight in a Sightline deployment ......................................................................................... 26
Upgrade Information for Sightline ......................................................................................................... 26
Supported upgrade paths .............................................................................................................. 26
Multi-version compatibility .............................................................................................................. 26
Deployments that use flexible licensing require a new license file ................................................ 26
TMS HD1000 (4x100G + 8x10G) automatic configuration replaces user configuration ................ 27
TMS services must be stopped and started again if using GRE tunnels ....................................... 27
Upgrade process ............................................................................................................................ 28
Upgrading requires a current maintenance and support contract ................................................. 28
Device certificates .......................................................................................................................... 28
Support for DSA keys was deprecated .......................................................................................... 28
Support for TLS v1.1 was deprecated ........................................................................................... 28
Pre-upgrade raw flows are not viewable after upgrading to Sightline 9.1 ..................................... 28
System Requirements for Sightline ...................................................................................................... 29
Supported devices ......................................................................................................................... 29
Supported web browsers ............................................................................................................... 29
Router requirements ...................................................................................................................... 29
Communication ports ..................................................................................................................... 29
Revision History
The following table lists the dates when these release notes were updated and a description of the
changes that were made:
Date Description of Changes
2020-07-21 • Added Sightline 9.1.1 release notes.
• Added “Sightline ignores abnormally large and small packets for alerting purposes” on page 18.
• Added “Updated MIB” on page 22.
• Added fixed issues for Sightline 9.1.1.
• Added Appendix A: Changes to notifications in Sightline 9.1 on page 41.
2019-11-15 • Added known issue 89099 and updated “Automatically download managed objects that match
OTT traffic in ATLAS” section with workaround.
• Added fixed issue 87185.
2019-08-13 • Updated the information about “Improved accuracy and performance for flow matching in alert
traffic” on page 15.
• Added fixed issue 83412.
2019-08-02 Updated the new feature description “IPv6 support for flowspec mitigations” on page 9 to include
information about IPv6 flowspec auto-mitigations.
2019-07-12 Initial release.
Introduction
This document includes release information about Sightline 9.1.x. For release information about Threat
Mitigation System (TMS) 9.1.x, see the separate Threat Mitigation System Release Notes.
Sightline 9.1 is scheduled for General Availability on July 16, 2019, and will reach End of Maintenance on
July 16, 2021.
Note: Beginning with 9.0, the SP product has been renamed “Sightline”.
New Features
New dropped traffic graphs and more flowspec impact details for DoS alerts
If your deployment has the Smart Mitigation licensed capability, the alert pages for DoS alerts affected by
flowspec or blackhole mitigations include the following new information:
• On the Summary tab, Dropped Traffic graphs show the alert traffic dropped by the mitigations that
affected the DoS alert. The Dropped Traffic graphs only appear when mitigations influence an alert's
traffic. If the alert has flowspec mitigations impacting its traffic, you can use tabs on the Dropped
Traffic graph to select the following views:
▪ All Mitigation Types displays the alert traffic along with the traffic dropped by the mitigations
affecting the alert. The graph includes alert traffic not dropped, the alert traffic dropped by each
type of mitigation affecting the alert, and the total alert traffic.
Note: On the All Mitigation Types graph, the amount of dropped Flowspec traffic shown can
exceed the All Alert Traffic line. This is because Sightline assumes any dropped flowspec traffic
is dropped at the network boundary by Sightline flowspec mitigations. However, Sightline can
also see traffic being dropped by flowspecs running on routers outside the network boundary.
When this happens, Sightline might report more dropped Flowspec traffic than amount of traffic
that matches the alert.
▪ Flowspecs displays a graph of the alert traffic dropped by each flowspec mitigation impacting the
alert.
• On the Traffic Details tab, the Flowspec Mitigations section appears if you select the Router view
and flowspec mitigations are impacting the alert.
• The new Flowspec Details tab gives you several options for viewing information about traffic
dropped by flowspec mitigations affecting the alert. For example, you can:
▪ Change the timeframe and units for all dropped traffic graphs and statistics on the tab.
▪ Display the dropped traffic graph for individual flowspec mitigation filters by clicking the statistics
table for that filter, or by clicking View Graph below the table.
▪ Download all source IP addresses in traffic dropped by flowspec mitigations affecting the alert.
• The new Flowspec Routers tab displays a graph of traffic dropped by flowspec mitigations impacting
an alert for selected routers. You can display the dropped traffic for up to 10 routers. The table below
the graph lists the routers and their interfaces that are associated with the dropped traffic.
Multiple notification groups can use the same webhook URI. Each alert or event notification generates a
unique POST for every configured notification group. The data sent in a webhook POST for an alert
notification is the same as the data you receive from the REST API when you GET that alert ID from the
/alerts/ endpoint.
If you want to send a test webhook notification to the HTTP server URI configured in the default
notification group default, or in a specific notification group group_name, use the following CLI
command: / services sp notification test webhooks {default | group_name}
If a webhook notification fails, Sightline continues to retry the POST indefinitely every 24 hours (86400
seconds) by default. You can change the maximum number of retries and the retry timeout as follows:
• If you want to change the maximum number of retries for webhooks, max_retries, enter the
following CLI commands:
/ services sp notification webhooks retry_count_limit enable
/ services sp notification webhooks retry_count_max max_retries
For unlimited retries, enter:
/ services sp notification webhooks retry_count_max set default
• If you want to change the maximum amount of time (in seconds) that Sightline continues to retry
POSTing a failed webhook notification, max_seconds, enter the following CLI commands:
/ services sp notification webhooks retry_seconds_limit enable
/ services sp notification webhooks retry_seconds_max max_seconds
For more information, see “Configuring Notification Groups” in the Sightline and Threat Mitigation System
User Guide.
Note: You can also configure webhooks in the /notification_groups/ endpoint for the Sightline V.6
REST API. For more information, see “/notification_groups/” on page 25.
More accurate traffic reports for customer managed objects outside the network boundary
Previously, Sightline would report double the amount of traffic to customer managed objects if their
managed object boundary was outside the network boundary. This is because traffic to the customer
managed object had to enter and exit the network boundary before entering the external managed object
boundary. This is normal for peer managed objects which are, by definition, outside the network
boundary. However, customer managed objects are typically inside the network boundary.
To prevent the double-counting traffic for external customer managed objects, Sightline 9.1 includes the
new CLI command: / services sp managed_objects edit managed_object_name
treat_external_as_internal
When you run this command for an external customer managed object, managed_object_name,
Sightline 9.1 treats the network boundary and the boundary for the external customer as if they were the
same for traffic counting and reporting. However, for alerting, Sightline 9.1 continues to treat these two
boundaries separately.
Sightline 9.1 includes a new ATLAS Intelligence Feed (AIF): the “AIF managed object feed”. This feed
automatically downloads preconfigured profile managed objects called “AIF managed objects”. The match
settings in AIF managed objects are the CIDR blocks used by providers of high-volume over-the-top
(OTT) services such as video streaming, gaming, and VOIP.
ASERT configures the match settings for AIF managed objects based on ATLAS traffic data for OTT
services. When ASERT changes the match settings or makes new AIF managed objects available, your
deployment automatically receives the latest AIF managed object configurations at the next update.
If your deployment has the new AIF for Sightline flexible-licensed capability, Sightline automatically
checks the AIF server every day for changes to the AIF managed object feed. If the feed content
changed, Sightline downloads all AIF managed objects in the feed.
For more information, see “About ATLAS Services” and “About the AIF Managed Object Feed for
Sightline” in the Sightline and Threat Mitigation System User Guide.
peer ASN associated with the destination of the flow record. For traffic exiting the View boundary, the
remote peer ASN is the peer ASN associated with the source of the flow record.
Enhancements
Precise protection prefixes can be updated and applied to a running TMS auto-mitigation
The prefixes identified as precise protection prefixes can now change over time as traffic changes. If the
prefixes that Sightline has identified change significantly over time, Sightline can now reuse existing TMS
auto-mitigations by updating the prefixes that are protected. Note that although this capability involves the
reuse of auto-mitigations for profiled router alerts, it does not require that the Reuse TMS Auto-
Mitigations for Multiple Alerts setting be enabled.
You can configure precise protection prefixes on the Mitigation tab when editing a customer-type
managed object displayed on the Configure Managed Objects page (Administration > Monitoring >
Managed Objects).
Note: The precise protection prefixes identifies only prefixes that are the destination of inbound traffic that
crosses the managed object’s boundary. Although it relies on profiled router detection, it will not identify
prefixes when traffic crosses the router boundary only.
For more information, see “Configuring Mitigation Settings for Customer Managed Objects” in the
Sightline and Threat Mitigation System User Guide.
New “Apply to Graph” option on the Host Automatic Rate Calculation page
When displaying results on the Host Automatic Rate Calculation page (Administration > Detection >
Host Automatic Rate Calculation), you can now view the Current Thresholds and Suggested
Thresholds easily by clicking Apply to Graph under the desired set of thresholds.
For more information, see “About Host Automatic Rate Calculation” in the Sightline and Threat Mitigation
System User Guide.
Wizard reports with the Security Summary content type can be scoped
When configuring the Security Summary content of a wizard report, you can now select which managed
objects are included in the report. If you specify no managed objects, the report contains information for
the entire deployment.
You can configure the Security Summary content when editing a wizard report displayed on the Configure
Reports page (Administration > Reports).
For more information, see “Configuring Wizard Reports” in the Sightline and Threat Mitigation System
User Guide.
For additional information, see “Configuring Advanced Settings for a TMS Model” in the Sightline and
Threat Mitigation System User Guide.
Increased maximum number of entries in IPv4 and IPv6 address filter lists
The maximum number of entries that can be in an IPv4 or IPv6 address filter list has been increased. The
limit is now enforced per TMS device rather than per TMS mitigation.
All TMS devices now support the following:
• a maximum of 2,000,000 IPv4 filter list entries
• a maximum of 1,272,800 IPv6 filter list entries
See the following for additional information:
• Sightline and Threat Mitigation System Deployment and Appliance Limits
• “About Filter Lists for TMS Mitigations and Templates” in the Sightline and Threat Mitigation System
User Guide
• “About IPv4 and IPv6 Address Filter List Sizes” in the Sightline and Threat Mitigation System User
Guide
Destination MAC Address and VLAN ID details added to the Alerts details page
When displaying the details of a host alert, Sightline can now display the MAC address of the destination
host and the corresponding VLAN ID. Sightline can display this information only if the router sends the
information to Sightline.
Sightline ignores abnormally large and small packets for alerting purposes
To prevent alerts from being generated for traffic with bad flow records, Sightline ignores traffic with
packets that are abnormally large (more than 100,000 bpp) and small (less than 1 bpp) for the purposes
of alerting.
Insight: Support for excluding certain managed objects from Insight data
You can specify certain managed objects to not be included in Insight data. This prevents the specified
managed objects from being subject to or appearing in Insight queries. This enhancement is available
only by using the REST API. See the information about the managed_objects endpoint on page 24.
Note: This feature does not affect data already stored in your Insight cluster; it only affects flow ingested
by Insight after the feature is enabled. Any flow stored by Insight before using this feature will continue to
be associated with the managed object in Insight.
Changes in Behavior
Flood detection for TCP ACK and SYN/ACK now includes the TCP PUSH and URG flags
The host detection misuse types TCP ACK and TCP SYN/ACK Amplification now match flows in attack
traffic that contain the TCP flags PUSH and URG (urgent pointer). This allows Sightline 9.1 to alert on
new, increasingly frequent variants of ACK and SYN/ACK flood attacks that include the PUSH and URG
flags.
The table below shows the TCP flags matched:
TCP Flags matched in TCP flood traffic flows
Host Detection Misuse Type Sightline 9.0.1 and lower Sightline 9.1
TCP ACK • ACK • ACK
• ACK + PUSH • ACK + PUSH
• ACK + URG
• ACK + PUSH + URG
TCP SYN/ACK Amplification • SYN + ACK • SYN + ACK
• SYN + ACK + PUSH
• SYN + ACK + URG
• SYN + ACK + PUSH + URG
Updated MIB
SNMP traps now report correct information when the maximum impact of the alert traffic is 4.3 Gbps or
more. To implement this change, download the updated Sightline MIB. For details about the updated MIB,
see Appendix A: Changes to notifications in Sightline 9.1 on page 41.
You can download the updated MIB on the SNMP tab of the Configure Network Services page
(Administration > System Maintenance > Network Services).
This change was made in response to bug 86101.
REST API support added for all Sightline devices with the user interface role
Previously, the REST API was only supported for Sightline leaders. Arbor now supports REST API
requests to any Sightline device with the user interface role.
/alerts/
• The REST API can now return the MAC address of the destination host and the corresponding VLAN
ID of DoS host alert traffic. This information is returned as values for the destination_mac_address
and the dot1q_vlan_id attributes of an alert. These are the REST API equivalents of the new Dest
MAC Address and VLAN ID details that appear on the alert details page. See "Destination MAC
Address and VLAN ID details added to the Alerts details page 18.
• You can now use the alerts endpoint to view traffic dropped by flowspec and blackhole mitigations.
Set the query_view attribute to flowspec or blackhole to return traffic dropped by flowspec of
blackhole mitigations, respectively. This is the REST API equivalent of the capabilities added to the
DoS Alert details page in the Sightline web UI. See "View multiple mitigation impacts from a single
DoS Alert page" on page 7.
/devices/
The cloud_signaling_only attribute was added. When this attribute is set to true, the corresponding
user interface device can only receive and forward Cloud Signaling mitigation requests from AED or APS
devices. No other UI appliance functions are available. This is the REST API equivalent of the new Cloud
Signaling Only setting available for non-leader user interface appliances on the Add/Edit Appliance page
(Administration > Appliances > Add/Edit Appliance). See “Configure user interface appliances for
Cloud Signaling only” on page 11.
/insight/
• The following facets were added: Customer_Tag, Peer_Tag, Profile_Tag, IPv4_Address,
IPv6_Address, Remote_AS, Remote_Community, Remote_IPv4_BGP_Nexthop, Remote_Origin_ASN,
Remote_Peer_ASN. These are the REST API equivalents of the new facets added to the Insight page
(Explore > Traffic) in the Sightline web UI. See Insight: New facets added on page 12.
• The following views were added: Customer_Tag, Peer_Tag, Profile_Tag. These are the REST API
equivalents of the new views added to the Insight page (Explore > Traffic) in the Sightline web UI.
See Insight: New views added on page 12.
• The name of the SP_Matched_Applications facet was changed to Applications. This is the REST
API equivalent of the change that was made to the Insight page (Explore > Traffic) in the Sightline
web UI. See Insight: “SP Matched Applications” facet was renamed on page 22.
• Existing crumbs that use the SP Matched Applications facet no longer work. You can use the
/insight/crumbs endpoint to PATCH these crumbs and replace SP_Matched_Applications with
Applications.
/managed_objects/
• The atlas_feed_id attribute was added.
• The scrub_insight_mo_match attribute was added. It allows you to specify certain managed objects
to not be included in Insight data. This prevents the specified managed objects from being subject to
or appearing in Insight queries.
Note: This feature does not affect data already stored in your Insight cluster; it only affects flow
ingested by Insight after the feature is enabled. Any flow stored by Insight before using this feature
will continue to be associated with the managed object in Insight.
• The match_enabled attribute was added. When this attribute is set to true, Sightline will record flow
for the corresponding managed object. Sightline will not record flow for the managed object if you set
this attribute to false. This is the REST API equivalent of the new Traffic Collection setting added
to the Edit Managed Object page in the Sightline web UI. See “Traffic collection can be disabled for a
managed object” on page 15.
/mitigations/
• The ip_version attribute is now available for flowspec mitigations.
• The type sub-attribute of the action attribute now accepts traffic-marking as its value. When you
set type to traffic-marking, you must also specify a value for the dscp sub-attribute. These
changes allow you to use a flowspec mitigation to mark traffic that matches the mitigation’s filter with
a DCSP value. This is the REST API equivalent of the new traffic marking action available when
editing a flowspec mitigation listed on the Flow Specifications page (Mitigation > Flow
Specification). See New “traffic marking” action added to manual flowspec mitigations on page 18.
• The diversion_prefix_enabled attribute was removed and replaced with the
diversion_prefix_mode attribute. The diversion_prefix_mode attribute can be set to one of the
following values:
▪ custom: Allows you to use the diversion_prefixes attribute to specify the address ranges to
be diverted to the TMS.
▪ default: Allows you to divert the same prefixes to the TMS as the prefixes that the mitigation
protects.
▪ mask_length: Allows you to use the diversion_prefix_max_mask_len attribute to specify the
length of the less specific mask to be used for routing announcements.
This is the REST API equivalent of the new custom diversion prefixes feature. See “Custom diversion
prefixes for mitigations and mitigation templates” on page 14.
/mitigation_templates/
The dns_scoping and http_scoping attributes were added for TMS mitigation templates. Previously,
these attributes were available only for individual TMS mitigations. This is the REST API equivalent of the
new DNS scoping and HTTP scoping settings added to the Edit Mitigation Template page in the
Sightline web UI. See “DNS scoping and HTTP scoping are available for TMS mitigation templates” on
page 15.
This enhancement was made in response to bug 53146.
/notification_groups/
• The snmp_message_type attribute was added. This attribute is available when snmp_version is 2 or
3. The available values are trap and inform. This is the REST API equivalent of the new Message
Type option on the Notification Group page (Administration > Notification > Groups). See “Inform-
type messages now available for SNMP notifications” on page 17.
• The new webhooks_uri attribute to specifies the HTTP server URI for a notification group. The
notification group posts webhoosk notifications to the HTTP server at webhooks_uri. If the HTTP
server requires authentication for POST requests, use the webhooks_authtype attribute to specify
the authentication method, basic or digest. Then, use the attributes webhooks_username and
webhooks_password to specify the login credentials.
These REST API attributes correspond to the new Webhook notification settings on the Notification
Group page (Administration > Notification > Groups). See “Webhook notifications for alerts and
events” on page 9.
/routers/
• The key is_proxy was added. This key allows Sightline to treat the corresponding router as a proxy
for other routers, in which case Sightline associates flow with routers that are behind the proxy
according to the IPv4 address found in the ExporterIPv4Address field of the flow received from the
proxy.
• The key poll_alcatel_ifmib was added.
/tms_groups/
• In Sightline 9.1, you cannot configure TMS clusters or mitigate traffic with TMS clusters. Likewise, you
cannot add TMS clusters to TMS groups. As a result, the members_cluster attribute always returns
an empty string.
• The dns_auth_active_secondary_servers attribute was changed and now accepts and returns an
array of strings. In previous versions of the REST API, it accepted and returned a boolean.
When using Arbor hardware to run Insight, we now recommend that the network used for intra-
cluster communication supports an MTU (maximum transmission unit) of 9000. As a result of
this recommendation, the default MTU setting for 10 GbE interfaces (eth2 to eth5, which are
typically used for intra-cluster communication) was changed to 9000 beginning with the version
of ArbOS that was released with Insight 7.
Discrepancies between the MTU setting used by ArbOS for Insight and your network’s MTU can
cause errors during Insight installation and will cause issues with communication between
Insight nodes.
Multi-version compatibility
Sightline 9.1 is compatible with previous versions of SP and TMS. This allows you to upgrade the devices
in your deployment in stages. For details about multi-version compatibility, refer to the
Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).
3. Proceed with the upgrade procedure and install the new version of Sightline on the leader. For more
information, see “Upgrading the Software and Installing Maintenance Releases on a Sightline
Appliance” in the Sightline and Threat Mitigation System Advanced Configuration Guide at
https://support.arbornetworks.com/
The new TMS HD1000 (4x100G + 8x10G) automatic configuration replaces your previous
configuration with the PPM configuration sent from the appliance. See “TMS HD1000 (4x100G +
8x10G) automatic configuration” in the Threat Mitigation System Release Notes for more
information.
TMS services must be stopped and started again if using GRE tunnels
To maintain proper functionality, follow the procedure below if you have TMSes in your deployment that
use GRE tunnels.
1. Upgrade the Sightline leader to Sightline 9.1.
2. Confirm that the Appliance Status page in the Sightline leader’s web UI (System > Status >
Appliance Status) lists each TMS status as “RUNNING”.
3. Log in to the CLI of the TMS and run the following commands:
▪ / services tms stop
▪ / services tms start
4. Repeat the previous step for each TMS in the deployment.
Upgrade process
When upgrading your Sightline deployment, you must upgrade your Sightline devices in a specific order.
For more information, see “Multi-Version Deployment Upgrade Process” in the Sightline and Threat
Mitigation System Compatibility Guide. Be aware of the following when upgrading:
• You must upgrade the leader device before upgrading any other user interface devices in your
deployment.
• The upgraded leader must be running when you upgrade the other user interface devices. If the
leader is not upgraded or not running, you will need to manually resync the database when it is.
• When upgrading from SP 8.2 or higher, a database sync for non-leader user interface devices may
be needed if the devices have been down for an extended time period, usually on the order of hours.
Syncing the database should take less than 10 minutes; however, large databases on slow
connections could take longer.
Device certificates
Contact the Arbor Technical Assistance Center (https://support.arbornetworks.com) and obtain a
certificate for your device if you plan to use the device for one of the following:
• Remote services
• Web UI secure login
Pre-upgrade raw flows are not viewable after upgrading to Sightline 9.1
Previously logged raw flows are lost when upgrading to Sightline 9.1. Sightline will begin collecting raw
flows again after the upgrade.
Supported devices
For information about Sightline appliances and TMS devices that are supported by Sightline, see the
Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).
For more information about running Sightline in a virtual machine, see the Sightline Virtual Machine
Installation Guide, available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com/).
Router requirements
Sightline is compatible with any router that exports RFC-compliant netflow and includes all the RFC-
required fields. Sightline supports netflow v5, v9, IPFIX, and sFlow.
Communication ports
Required ports
The following table lists the ports that Sightline uses and that are required for a deployment to operate
correctly. When the following terms appear in this table, they refer to appliance roles with flexible
licensing and to appliance types with appliance‑based licensing:
• data storage
• traffic and routing analysis
• user interface
References in this table to the FS appliance (Flow Sensor) only apply to appliance-based licensing.
Service Ports Required Protocol Direction
ArborFlow 31373 UDP • FS appliance to traffic and routing analysis
• FS appliance to data storage traffic and routing
analysis to data storage
• traffic and routing analysis to data storage
ArborFlow (if ArborFlow 5000 (default) UDP TMS appliance to traffic and routing analysis
from TMS is enabled)
BGP 179 TCP • traffic and routing analysis to router
• FS appliance to router
• Router to traffic and routing analysis
• Router to FS appliance
• Router to TMS appliance
Optional ports
The following ports are optional and only need to be enabled if you are using the corresponding service:
Service Ports Protocol Direction
Cloud-based 443 TCP • Leader to cloud license server
licensing • Cloud license server response to leader
Cloud signaling 443 TCP • APS to leader appliance
handshake • Leader appliance response to APS
(HTTPS)
Cloud signaling 7550 UDP • APS to leader appliance
heartbeat • Leader appliance response to APS
FTP 20-21 TCP • Sightline appliance query to FTP server
• FTP server response to Sightline appliance
HTTP 80 TCP • Sightline appliance to HTTP server
• HTTP server response to Sightline appliance
NTP 123 UDP • Sightline appliance request to NTP server
• NTP server response to Sightline appliance
ping echorequest, ICMP • Sightline appliance request to remote device
echoreply • Remote device response to Sightline appliance
RADIUS 1812 UDP • Sightline appliance query to RADIUS server
Authentication • RADIUS server response to Sightline appliance
Untracked interfaces
In addition to the data gathered on a per-interface basis, there can be untracked interfaces, which have
the following properties:
• They are on a router that was configured with the “Enable Dynamic Subscriber Interface Handling”
option.
• Their SNMP interface names/descriptions do not match a configured Interface Classification rule OR
the interfaces are not represented in the SNMP data obtained from the involved router.
Note: Only 400,000 interfaces with SNMP information can be processed, even if they are untracked
interfaces. The 700,000-interface limit can only be reached if a very large number of the interfaces
have no SNMP presence whatsoever.
• They do not appear in any interface page or report in the product.
• They do not impact any interface scaling limitation on the deployment. Therefore, there can be an
unlimited number of these kinds of interfaces on a particular collector or on the deployment in
general.
• They can have flow sent for them by the router and it will be tracked on a per-router basis in a single
aggregate interface. This appears in normal interface pages and reports.
• The flow sent for these interfaces is constrained by the normal stated flow processing limits on a per-
appliance basis, as well as the normal licensed limits on a per-deployment basis for flex licensing
deployments.
Additional Information
Documentation
User documentation is available from the Arbor Technical Assistance Center at
https://support.arbornetworks.com using the Software Downloads link.
The user documentation for Sightline includes the following documents:
Document Description
Sightline and Threat Mitigation Information about how to install, connect, and configure Sightline
System Quick Start Cards appliances.
Online Help Information about the feature on the current page is displayed, with links to
supporting information and a table of contents to the complete Sightline
and Threat Mitigation System User Guide and Sightline and Threat
Mitigation System Advanced Configuration Guide.
Sightline and Threat Mitigation Information about how to use Sightline.
System User Guide
Sightline and Threat Mitigation Information about configuring advanced settings in Sightline, including
System Advanced Configuration those that can only be configured using the command line interface (CLI).
Guide
Sightline and Threat Mitigation Information about cloud-based and locally-managed flexible licensing,
System Licensing Guide appliance-based licensing, and volumetric licensing for TMS appliances.
Managed Services Customer Guide Information about deploying and using Sightline managed services.
Sightline Virtual Machine Installation Information about running Sightline in a virtual machine.
Guide
Software Threat Mitigation System Information about running Software TMS in a virtual machine.
Virtual Machine Installation Guide
Software Threat Mitigation System Information about installing Software TMS on hardware.
Installation on Hardware
Sightline and Threat Mitigation Information about the enforced and guideline limits for an Arbor Networks
System Deployment and Appliance deployment and for Arbor Networks appliances.
Limits
REST API Documentation Online information about the REST API endpoints.
Sightline API Guide Instructions for remotely accessing Sightline using the REST, SOAP, and
Arbor Web Services APIs.
Hardware tested
• Arista 7280CR2A-60
• 60 QSFP100 ports, 2U, 1760W
• 12 Tbps, 5.02 Bpps, L2/3 throughput
• Hardware version 21.01
• Software image version 4.22.0F (internal build version 4.22.0F-12170486.4220F)
Baseline
In the baseline test case, there were no existing flowspec mitigations on the Arista switch. The results
show that after Sightline announces the flowspec, the traffic is affected very quickly, and within 10
seconds the 5-second input rate on the TMS reflects the stopped/running state.
20,000,000,000
0,000,000,000
0,000,000,000
10,000,000,000
0
0
5s
10s
15s
20s
25s
0s
5s
0s
5s
50s
55s
1m
1m s
1m 11s
1m 1 s
1m 21s
1m 2 s
1m 1s
1m s
1m 1s
1m s
1m 51s
1m 5 s
2m 1s
2m s
2m 11s
2m 1 s
2m 21s
43
Sightline Release Notes
0,000,000,000 10 97
bits second (ingress interface of TMS connected to Arista switch)
0,000,000,000
20,000,000,000
10 95
10,000,000,000
bits sec
Number of Flowspecs
0 10 9
0
5s
1m
2m
m
10s
15s
20s
25s
0s
5s
0s
5s
50s
55s
1m 5s
2m 5s
m 5s
1m 10s
1m 15s
1m 20s
1m 25s
1m 0s
1m 5s
1m 0s
1m 5s
1m 50s
1m 55s
2m 10s
2m 15s
2m 20s
2m 25s
2m 0s
2m 5s
2m 0s
2m 5s
2m 50s
2m 55s
m 10s
m 15s
m 20s
m 25s
Test 2: How accurate is the sFlow received from the Arista switch?
The purpose of this test was to see if a large number of flowspec announcements from Sightline affected
the accuracy of sFlow from the Arista switch.
In these tests, memcached attack traffic (again, using the Tolly distribution) was generated from the Ixia
targeting a /29 of an MO with a protected /24. 40 Gbps of attack traffic was started, and 8 DoS host alerts
were detected by Sightline corresponding to the /29 being targeted, which then triggered eight auto
flowspec mitigations. The attack was left running for one hour, and then the flow data from each of the 8
alerts was retrieved from the dos_alerts/refine_data SQLite database.
The results show the accuracy of the sampled flow over the one-hour attack. The “Ideal” line represents
perfect sampling.
Baseline
In this test, there were no existing flowspec announcements on the Arista switch, so when Sightline
detected the attack, it announced 8 flowspecs, bringing the total to 8.
7 ,500,000
Frames per minute per alert
Ideal
7 ,000,000
7 ,500,000
7 ,000,000
0
58
10
12
18
20
22
28
50
52
0
1
Minute
7 ,500,000
Frames per minute per alert
Ideal
7 ,000,000
7 ,500,000
7 ,000,000
0
58
10
12
18
20
22
28
50
52
0
1
5
Minute
7,500,000
1
Frames per minute per alert
Ideal
7,000,000
,500,000
,000,000
0
58
10
12
18
20
22
28
50
52
0
1
5
Minute
For reference, running show int e60/1 (the ingress interface from the Ixia) during the above test
showed the following:
5 minutes input rate 95.9 Gbps (99.9% with framing overhead), 24666350 packets/sec
Running show int e3/1 (the egress interface to the TMS) showed the following:
5 minutes output rate 76.7 Gbps (79.9% with framing overhead), 19727385 packets/sec
Running tmsdump on the TMS confirmed that there was no memcached traffic reaching the TMS.
Test 3: How fast are flowspec announcements ingested by the Arista switch?
Overall, the Arista accepted flowspec announcements as fast as Sightline could announce them.
Every 15 seconds, we counted the number of flowspec rules that were on the Arista switch by running the
following (there are 5 header lines in the output, so the command subtracts 5 to indicate the number of
rules):
while true; do (sleep 15&; echo -n "`date`: "; echo $((`ssh hostname show bgp flow-
spec ipv4 | wc -l` - 5)); wait); done
Timing examples of going from 0 Flowspec rules to 8,192 rules as announced by Sightline:
Example 1
13:17:05 GMT 2019: 0
13:17:20 GMT 2019: 51
13:17:35 GMT 2019: 51
13:17:50 GMT 2019: 51
13:18:05 GMT 2019: 51
13:18:20 GMT 2019: 2352
13:18:35 GMT 2019: 2352
13:18:50 GMT 2019: 2352
13:19:05 GMT 2019: 2352
13:19:20 GMT 2019: 4598
13:19:35 GMT 2019: 4598
13:19:50 GMT 2019: 4598
13:20:05 GMT 2019: 4598
13:20:20 GMT 2019: 6790
13:20:35 GMT 2019: 6790
13:20:50 GMT 2019: 6790
13:21:05 GMT 2019: 6790
13:21:20 GMT 2019: 8192
Example 2
19:09:12 GMT 2019: 0
19:09:27 GMT 2019: 1299
19:09:42 GMT 2019: 1299
19:09:57 GMT 2019: 1299
19:10:12 GMT 2019: 1299
19:10:27 GMT 2019: 3348
19:10:42 GMT 2019: 3348
19:10:57 GMT 2019: 3348
19:11:12 GMT 2019: 3348
19:11:27 GMT 2019: 5358
19:11:42 GMT 2019: 5358
19:11:57 GMT 2019: 5358
19:12:12 GMT 2019: 5358
19:12:27 GMT 2019: 7338
19:12:42 GMT 2019: 7338
19:12:57 GMT 2019: 7338
19:13:12 GMT 2019: 7338
19:13:27 GMT 2019: 8192