
HUAWEI Secospace Anti-DDoS Solution V100R001

Solution Description

Issue 04

Date 2013-04-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 04 (2013-04-30) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.


About This Document

Related Versions

The related product version of the document is as follows:

Product Name            Product Version
AntiDDoS8000            V100R001
AntiDDoS1000            V100R001
ATIC Management Center  V200R001

Intended Audience

This document presents a solution consisting of the Anti-DDoS device and the Abnormal Traffic Inspection and Control (ATIC) management center and describes the working principle, system planning, installation, configuration, and maintenance of the ATIC solution.

This document is intended for:

• Technical support engineers

• Maintenance engineers

• Network engineers

• Network administrators

• Network maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the main text.

HUAWEI Secospace Anti-DDoS Solution, Solution Description: About This Document

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>            The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention  Description
Boldface    Buttons, menus, parameters, tabs, windows, and dialog titles are in boldface. For example, click OK.
>           Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.


Contents

About This Document ........ ii
1 Solution Positioning and Features ........ 1
1.1 Solution Positioning and Components ........ 2
1.2 Features ........ 4
2 Application Example ........ 7
2.1 MAN Defense Solution ........ 8
2.2 IDC Defense Solution ........ 9
2.3 Defense Solution for Enterprise Networks ........ 10
2.4 Defense Solution for Financial Organizations ........ 12
2.5 DNS Defense Solution ........ 13
3 Products in the Solution ........ 16
3.1 AntiDDoS1000 ........ 17
3.1.1 Appearance of the AntiDDoS1000 ........ 17
3.1.2 Device Parameters ........ 18
3.1.3 Fixed Interface and Interface Cards ........ 19
3.2 AntiDDoS8000 ........ 20
3.2.1 Product Appearance ........ 20
3.2.2 Device Parameters ........ 29
3.2.3 Board ........ 33
3.3 ATIC Management center ........ 34
3.3.1 Basic Components ........ 34
3.3.2 Software and Hardware Planning in Centralized Mode ........ 36
3.3.3 Software and Hardware Planning in Distributed Mode ........ 38
4 Functions and Features ........ 42
4.1 Zone ........ 43
4.2 Traffic Diversion ........ 44
4.3 Zone Protection ........ 47
4.3.1 Defense Mode ........ 47
4.3.2 Traffic Model Learning ........ 47
4.3.3 Defense Policy ........ 49
4.4 Packet Capture, Analysis and Report ........ 51
5 Technical Specifications ........ 55
5.1 AntiDDoS1000 ........ 56
5.1.1 Functions and Features ........ 56
5.1.2 Performance Specifications ........ 58
5.1.3 Environment Requirements ........ 59
5.1.4 Standard and Protocol Compliance ........ 60
5.2 AntiDDoS8000 ........ 63
5.2.1 Functions and Features ........ 63
5.2.2 Performance Specifications ........ 66
5.2.3 Environment Requirements ........ 67
5.2.4 Compliant Standards and Protocols ........ 68
5.3 ATIC Management Center ........ 71


1 Solution Positioning and Features

About This Chapter

1.1 Solution Positioning and Components

1.2 Features


1.1 Solution Positioning and Components

The abnormal traffic cleaning solution is an industry-leading dedicated anti-DDoS solution launched by Huawei for carrier and non-carrier markets to defend against DDoS attacks. This improves online services to the greatest extent and ensures service continuity.

System Components

The abnormal traffic cleaning solution comprises the Huawei-proprietary Anti-DDoS device (including the detecting center and the cleaning center) and the ATIC management center.

• Detecting center

  – Consists of one or multiple detecting devices. It detects network traffic.

  – Collects statistics on and analyzes all traffic, and reports traffic logs to the ATIC management center.

  – Compares the detected traffic volume with the pre-configured defense policy. Once the traffic volume hits the threshold, the detecting center immediately notifies the ATIC management center, which delivers a traffic-diversion task to the cleaning center.

  – Supports ACL-based packet capture and abnormal event-based packet capture, providing essential evidence to analyze unknown traffic. For details on packet capture, see 4.4 Packet Capture, Analysis and Report.

• Cleaning center

  – Consists of one or multiple cleaning devices. It cleans abnormal traffic and also delivers detecting functions, such as traffic statistics and analysis.

  – Provides multiple defense policies to clean and discard abnormal traffic and forward legitimate traffic. Meanwhile, it logs attack behaviors and reports them to the ATIC management center. For details on defense policies, see 4.3.3 Defense Policy.

  – Supports traffic diversion and injection. When an anomaly occurs, the cleaning center receives the traffic-diversion policy delivered by the ATIC management center and advertises a route to divert the traffic for cleaning. After that, the cleaning center injects legitimate traffic back into the original link. For details on traffic diversion and injection, see 4.2 Traffic Diversion.

  – Supports ACL-based packet capture, global packet capture, and Zone-based packet capture of attacks and anomalies, providing essential evidence for analyzing unknown traffic. For details on packet capture, see 4.4 Packet Capture, Analysis and Report.

• ATIC management center

  – Serves as the backbone of the solution and consists of the VSM system. Performs unified management over the cleaning center and detecting center.

  – Configures and manages the detecting center and cleaning center in an interworking manner, and supports decentralized and region-based management. With the ATIC management center, the administrator delivers defense policies and tasks to the cleaning center and detecting center.

  – Learns traffic models based on the traffic statistics reported by the detecting center during the customized learning period to dynamically create an abnormal traffic baseline. For details on traffic models, see 4.3.2 Traffic Model Learning.


  – Provides report display, attack source tracing, packet parsing, and fingerprint extraction.

The abnormal traffic cleaning solution supports extensive deployments. The off-line deployment is used as an example to describe how abnormal traffic is processed.

As shown in Figure 1-1, to protect downstream users, the ATIC system defends against traffic from the Internet in the following steps:

1. The administrator configures a defense policy in the ATIC management center and delivers the policy to the detecting center and cleaning center.

2. Traffic from the Internet is mirrored or split to the detecting center. The detecting center then collects statistics on traffic, compares the traffic with the policy, and reports exception logs to the ATIC management center in the case of anomalies.

3. After receiving exception logs, the ATIC management center delivers a traffic-diversion policy to the cleaning center. With the traffic-diversion route advertised, abnormal traffic is diverted from Router1 to the cleaning center.

4. The cleaning center cleans traffic based on the policy. After cleaning is complete, the cleaning center discards abnormal traffic and injects legitimate traffic back into the original link.

5. The ATIC management center delivers the task of canceling traffic diversion to the cleaning device after the attack terminates. Traffic is then forwarded directly by Router1.

Figure 1-1 Abnormal traffic cleaning solution (diagram not reproduced in this transcript; elements shown: Detecting center, Cleaning center, Management center (together the ATIC system), Optical splitter, Router1, Router2, Intranet; flows labeled: mirrored/optically split traffic, pre-cleaning traffic, post-cleaning traffic, log and packet-capture traffic, management traffic)
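The five-step cycle above, together with the threshold comparison in the detecting center and the traffic-model learning in the ATIC management center described in 1.1, can be walked through as a small simulation. The Python block below is an added example and is not code from Huawei or the ATIC product. Its baseline formula (mean plus three population standard deviations, floored at twice the mean), the withdrawal rule (three consecutive intervals under the threshold), the per-interval pps figures and the names learn_model, AticController and run_simulation are all assumptions of the example, not features documented on this page.

```python
"""Simulation of the detect / divert / clean / inject / withdraw cycle.

Added illustration; not code from Huawei or the ATIC product. Assumptions:
  - the traffic model is the mean and population standard deviation of
    per-interval packets-per-second (pps) samples from a learning period;
  - the detection threshold is max(mean + 3*stdev, 2*mean);
  - diversion is cancelled once the traffic has stayed under the threshold
    for three consecutive intervals.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class TrafficModel:
    baseline_pps: float
    threshold_pps: float


def learn_model(samples: list[float], k: float = 3.0) -> TrafficModel:
    """Traffic-model learning: derive a baseline and a threshold from samples."""
    base = mean(samples)
    threshold = max(base + k * pstdev(samples), 2.0 * base)
    return TrafficModel(base, threshold)


@dataclass
class AticController:
    """Plays the management center: turns exception logs into diversion tasks."""
    model: TrafficModel
    calm_intervals: int = 3          # intervals under threshold before withdrawal
    diverted: bool = False
    calm_count: int = 0
    events: list[str] = field(default_factory=list)

    def step(self, t: int, total_pps: float, legit_pps: float) -> tuple[float, bool]:
        """One interval. Returns (pps reaching the protected zone, diverted?)."""
        # Detecting center: compare the traffic with the threshold, log exceptions.
        anomalous = total_pps > self.model.threshold_pps
        if anomalous:
            self.events.append(
                f"t={t} exception {total_pps:.0f} pps > {self.model.threshold_pps:.0f} pps")

        if anomalous and not self.diverted:
            # Management center delivers the diversion policy; the cleaning
            # center advertises the route and pulls the traffic off Router1.
            self.diverted = True
            self.calm_count = 0
            self.events.append(f"t={t} divert")

        if not self.diverted:
            return total_pps, False      # Router1 forwards directly

        # Cleaning center: discard the abnormal share, inject the rest back.
        self.events.append(
            f"t={t} clean drop={total_pps - legit_pps:.0f} inject={legit_pps:.0f}")
        if anomalous:
            self.calm_count = 0
        else:
            self.calm_count += 1
            if self.calm_count >= self.calm_intervals:
                self.diverted = False    # attack terminated: cancel diversion
                self.events.append(f"t={t} withdraw")
        return legit_pps, self.diverted


# Constructed learning-period samples (pps per interval).
LEARNING_SAMPLES = [1000, 1100, 950, 1050, 1000, 1200, 900, 1000]
# Constructed live traffic: (total pps, legitimate pps). The legitimate
# share is known only to the simulator so the cleaning step has something
# to keep and something to drop.
LIVE_TRAFFIC = [
    (1000, 1000), (1100, 1100), (6000, 1050), (8000, 1000),
    (1500, 1000), (1000, 1000), (1050, 1050), (1000, 1000),
]


def run_simulation(learning=LEARNING_SAMPLES, live=LIVE_TRAFFIC):
    """Returns (controller, pps forwarded per interval, diverted flag per interval)."""
    ctl = AticController(learn_model(learning))
    forwarded, states = [], []
    for t, (total, legit) in enumerate(live):
        pps, diverted = ctl.step(t, total, legit)
        forwarded.append(pps)
        states.append(diverted)
    return ctl, forwarded, states


if __name__ == "__main__":
    ctl, forwarded, states = run_simulation()
    print(f"threshold = {ctl.model.threshold_pps:.0f} pps")
    for event in ctl.events:
        print(event)
```

With the constructed samples the learned threshold is 2050 pps; the burst at interval 2 produces an exception log and the diversion task, the cleaning center keeps injecting the legitimate share while it holds the route, and the diversion is withdrawn at interval 6 after three calm intervals. Floor the threshold at a multiple of the baseline as the example does: a very stable learning period otherwise gives a standard deviation so small that ordinary daily variation would trigger diversion.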

The Anti-DDoS device is categorized by performance into the high-end AntiDDoS8000 series and the mid-range AntiDDoS1000 series.


AntiDDoS8000 Series

The AntiDDoS8000 series is classified into the following models:

• AntiDDoS8030

• AntiDDoS8080

• AntiDDoS8160

The AntiDDoS8000 series has a plug-in design. Both an anti-DDoS detecting SPU and an anti-DDoS cleaning SPU are available:

• The AntiDDoS8000 works as a detecting device when it holds only the detecting SPU.

• The AntiDDoS8000 works as a cleaning device when it holds only the cleaning SPU.

• The AntiDDoS8000 works as an intermixed device when it holds both the cleaning SPU and the detecting SPU.

For the appearance of the AntiDDoS8000 series, see 3.2.1 Product Appearance.

AntiDDoS1000 Series

The AntiDDoS1000 series is classified into the following models:

• AntiDDoS1520

• AntiDDoS1550

• AntiDDoS1500-D

The AntiDDoS1000 series has a centralized design. The AntiDDoS1520 and AntiDDoS1550 act as cleaning devices, and the AntiDDoS1500-D acts as the detecting device.

For the appearance of the AntiDDoS1000 series, see 3.1.1 Appearance of the AntiDDoS1000.

ATIC Management Center Components

The ATIC management center uses the easy-to-deploy browser/server (B/S) architecture. Therefore, services can be managed and monitored without installing client software. Additionally, the ATIC management center applies to the scenario where multiple detecting and cleaning devices are deployed in dispersed locations but require centralized management.

The ATIC management center consists of the following components:

• ATIC server
  Manages and configures the Anti-DDoS device in a centralized way, and displays service reports.

• Anti-DDoS collector
  Collects, parses, summarizes, and stores the traffic logs, exception logs, and attack logs reported by the Anti-DDoS device, and stores captured packets. You are advised to deploy one anti-DDoS collector for each Anti-DDoS device.

For details on the ATIC management center, see 3.3.1 Basic Components.

1.2 Features


The Anti-DDoS device adds the following features in traffic cleaning and operation, besides its leading operating performance, high availability, and scalability.

• High identification rate

  – Seven-layer filtering: The Anti-DDoS device analyzes packets byte by byte and builds a seven-layer filtering architecture consisting of malformed packet filtering, feature-based filtering, forged source-based defense, real source-based behavior detection, session-based defense, behavior analysis, and traffic shaping (see Figure 1-2). The seven-layer filtering architecture can accurately detect attacks, including flood attacks, application-layer attacks, scanning and sniffing attacks, and malformed packet attacks.

Figure 1-2 Seven-layer filtering (diagram not reproduced in this transcript; filtering stages in order: malformed packet filtering, feature-based filtering, forged source-based defense, real source-based behavior detection, session-based defense, behavior analysis, traffic shaping; threat classes labeled: protocol stack threats, DoS/DDoS attacks, transport-layer threats, application-layer threats, low-rate attacks, abrupt traffic, abnormal connections; output labeled: legitimate traffic)

  – IPv6 security: The defense against IPv4 attacks also applies to IPv6 packets, resolving the security problems of the transition from IPv4 to IPv6.

• Fast response

  – Second-level detection: Detection based on Netflow requires massive log inspection and analysis, and features long duration and high latency. The Huawei anti-DDoS solution captures attack features in real time, implementing second-level detection.

  – Second-level response: Sound session synchronization between the detecting center and the cleaning center leads to optimal cleaning effects as well as fast attack response. The fast response ensures service continuity and optimizes user experience.

• Operability

  – Differentiated defense: The anti-DDoS solution offers differentiated defense. The defense policy can be customized based on global traffic volume, Zone requirements, and service types. The solution supports attack event-based evidence collection and source tracing, which helps carriers secure their operation.

  – Self-service policy: The solution supports diverse service policies such as defense mode, traffic-diversion mode, defense policy template customization, CAR policy customization, and Zone blacklist/whitelist management.

  – Report query: The solution supports report query. Users can query tens of reports through remote login to track network traffic and trace attack evidence. The reports can be customized and sent to users by email periodically in .xls or .pdf format.

• Easy management


  – Graphical User Interface (GUI) management: The solution supports GUI-based configuration featuring flexibility, easy configuration, and low maintenance cost.

  – Flexible evidence collection: The solution supports convenient ACL-based packet capture. With one-click automatic packet capture on attack events, users can collect evidence of attack traffic for audit purposes.

  – Easy management: The solution adopts foreground distributed deployment and background centralized management. In this way, the initial investment and the maintenance cost are greatly reduced.
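The seven-layer architecture listed under "High identification rate" above can be illustrated as a chain of stages, each of which either passes a packet or drops it with the stage name as the verdict. The Python block below is an added example, not Huawei code, and its per-stage checks are assumptions standing in for the vendor's undocumented logic: impossible TCP flag combinations for malformed packet filtering, a constructed byte signature for feature-based filtering, the first-SYN-drop technique for forged source-based defense, a per-source packet budget for real source-based behavior detection, a session table for session-based defense, and a token bucket for traffic shaping; the behavior-analysis stage is omitted. The names Packet, FilterChain, SIGNATURE and sample_tick, the budget values, and all of the traffic in sample_tick() are constructed for the example.

```python
"""Layered filter chain in the order of the seven-layer architecture.

Added illustration; not Huawei code. Every check below is an assumption of
this example, not a description of the product's internals.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                               # "tcp" or "udp"
    flags: frozenset[str] = frozenset()      # TCP flags present
    payload: bytes = b""


# Constructed byte pattern standing in for a feature-based filtering signature.
SIGNATURE = b"\x00\x00\x00\x00FLOOD"


@dataclass
class FilterChain:
    per_source_budget: int = 20          # stage 4: packets per source per tick
    bucket_capacity: int = 50            # stage 7: packets admitted per tick
    seen_syn: set[str] = field(default_factory=set)      # stage 3 state
    sessions: set[str] = field(default_factory=set)      # stage 5 state
    per_source: dict[str, int] = field(default_factory=lambda: defaultdict(int))
    tokens: int = 50
    verdicts: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def new_tick(self) -> None:
        """Reset the per-tick state (per-source budgets and the token bucket)."""
        self.per_source.clear()
        self.tokens = self.bucket_capacity

    def check(self, p: Packet) -> str:
        """Return 'pass' or the name of the stage that dropped the packet."""
        # 1 Malformed packet filtering: SYN together with FIN or RST never
        #   comes from a legitimate TCP stack.
        if p.proto == "tcp" and ({"SYN", "FIN"} <= p.flags or {"SYN", "RST"} <= p.flags):
            return "malformed"
        # 2 Feature-based filtering: payload carries a known signature.
        if SIGNATURE in p.payload:
            return "feature"
        # 3 Forged source-based defense: drop the first SYN from a source and
        #   remember it; a real stack retransmits, a spoofed source never does.
        if p.proto == "tcp" and p.flags == {"SYN"}:
            if p.src not in self.seen_syn:
                self.seen_syn.add(p.src)
                return "forged-source"
            self.sessions.add(p.src)         # retransmitted SYN: source verified
        # 4 Real source-based behavior detection: per-source packet budget.
        self.per_source[p.src] += 1
        if self.per_source[p.src] > self.per_source_budget:
            return "behavior"
        # 5 Session-based defense: non-SYN TCP needs a verified source.
        if p.proto == "tcp" and "SYN" not in p.flags and p.src not in self.sessions:
            return "session"
        # 7 Traffic shaping: token bucket on what is forwarded this tick.
        if self.tokens == 0:
            return "shaping"
        self.tokens -= 1
        return "pass"

    def run(self, packets: list[Packet]) -> dict[str, int]:
        """Push one tick of packets through the chain and count the verdicts."""
        self.new_tick()
        for p in packets:
            self.verdicts[self.check(p)] += 1
        return dict(self.verdicts)


def sample_tick() -> list[Packet]:
    """One tick of constructed traffic mixing legitimate clients and floods."""
    syn = frozenset({"SYN"})
    pkts = [
        Packet("10.0.0.1", "tcp", frozenset({"SYN", "FIN"})),        # malformed
        Packet("10.0.0.2", "udp", payload=b"xx" + SIGNATURE),        # signature hit
    ]
    pkts += [Packet(f"192.0.2.{i}", "tcp", syn) for i in range(30)]  # spoofed SYNs, one each
    pkts += [Packet("198.51.100.7", "tcp", syn),                     # real client: SYN,
             Packet("198.51.100.7", "tcp", syn),                     # retransmitted SYN,
             Packet("198.51.100.7", "tcp", frozenset({"ACK", "PSH"}), b"GET / HTTP/1.1")]
    pkts += [Packet("203.0.113.9", "tcp", frozenset({"ACK"})) for _ in range(5)]    # ACKs, no session
    pkts += [Packet("203.0.113.50", "tcp", syn), Packet("203.0.113.50", "tcp", syn)]
    pkts += [Packet("203.0.113.50", "tcp", frozenset({"ACK"})) for _ in range(30)]  # verified but abusive
    pkts += [Packet("10.9.9.9", "udp", payload=b"a") for _ in range(40)]            # UDP flood, one source
    pkts += [Packet(f"10.1.0.{i}", "udp", payload=b"q") for i in range(15)]         # many small clients
    return pkts


def run_sample() -> dict[str, int]:
    """Verdict counts for the constructed tick."""
    return FilterChain().run(sample_tick())


if __name__ == "__main__":
    for stage, count in sorted(run_sample().items()):
        print(f"{stage:14s} {count}")
```

The order of the stages is what gives the architecture its accuracy: cheap checks on packet shape run first, source verification comes before any per-source accounting so spoofed addresses never consume budget, and shaping is applied last so it only ever throttles traffic that has already passed every other stage. On the constructed tick, 50 of 127 packets are forwarded; the spoofed SYNs and the unsolicited ACKs are dropped without reaching the rate limiter, while the 15 small clients that arrive after the bucket is drained are the only legitimate traffic shaped.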


2 Application Example

About This Chapter

2.1 MAN Defense Solution

2.2 IDC Defense Solution

2.3 Defense Solution for Enterprise Networks

2.4 Defense Solution for Financial Organizations

2.5 DNS Defense Solution


2.1 MAN Defense Solution

Heavy traffic floods the MAN and travels along different channels, which poses challenges for carrier operation. Massive attack traffic flows from the backbone network into the MAN, resulting in bandwidth congestion and poor user experience despite huge investments in bandwidth expansion. Application-layer attack traffic flows into the target server, leading to DoS attacks.

To meet these requirements, Huawei rolls out the "Netflow device + cleaning device" solution. In this solution, the cleaning device delivers 200G performance, defends against hundreds of attacks, and supports 2000 Zones for differentiated defense, management, and reports. Moreover, the solution provides complete IPv6 traffic analysis to meet IPv6 deployment requirements.

Figure 2-1 Interworking between the Netflow device and the cleaning device for MAN defense (diagram not reproduced in this transcript; elements shown: Cleaning device, Netflow, Regional Network (two), Backbone Network, Attacked target, Botnet, ATIC management center, Legitimate PC (two); flows labeled: attack traffic, legitimate traffic, Netflow traffic, management traffic)


As shown in Figure 2-1, the Netflow device is deployed at the network node to collect incoming and outgoing data. The cleaning device is connected to the core router in off-line mode. Static traffic diversion is used for key customers, whereas dynamic traffic diversion is used for common customers. The Netflow device collects, analyzes, and detects traffic. Upon detecting anomalies, the Netflow device interworks with the cleaning device in off-line mode to divert and mitigate traffic.

2.2 IDC Defense Solution

Enterprise services are becoming centralized. As the representative of the centralized mode, the Internet Data Center (IDC) promotes enterprise development but also poses demanding requirements on security. Enterprises suffer great economic losses once the IDC is under attack.

The IDC is prone to flood attacks and application-layer attacks due to heavy bandwidth traffic and extensive service types. However, traditional Gigabit defense solutions deliver simple defense means and unsatisfactory reliability design. Therefore, they cannot meet requirements for 10-Gigabit defense.

To meet these requirements, Huawei launches a 10-Gigabit, comprehensive IDC defense solution. This solution filters out DDoS attacks, zombies, Trojan horses, and worms to improve IDC defense capabilities. Moreover, it provides refined defense to protect intranet Web servers against web page tampering and Trojan horse-embedded websites.


Figure 2-2 Cleaning device in static traffic diversion for IDC defense (diagram not reproduced in this transcript; elements shown: Switch (two), Firewall, Botnet, Cleaning device, Legitimate network (two), Service area A, Service area B, ATIC management center, Entrusted server, Attacked target; flows labeled: attack traffic, legitimate traffic, management traffic)

As shown in Figure 2-2, the cleaning device is deployed at the IDC egress in off-line mode and statically diverts incoming traffic. When attacks occur, the cleaning device cleans traffic in real time. Building on the defense delivered by the cleaning device, carriers can provide extensive defense capabilities, including DNS authoritative service defense, dedicated Web defense, online gaming defense, and cloud service defense, to secure network environments.

2.3 Defense Solution for Enterprise Networks

With the popularity of network technologies, enterprise networks are widely deployed and are prone to extensive attacks. In addition to defending against hacker attacks, viruses, DDoS attacks, Trojan horses, and malicious programs, enterprise networks require smooth service operation and intranet terminal security.

To meet these requirements, Huawei rolls out an all-around defense solution for enterprise networks. The solution provides refined defense against hundreds of attacks. Moreover, the solution defends against Trojan horses and worms using its built-in feature scanning engine.

Figure 2-3 Enterprise network defense with the cleaning device (housing the built-in bypass card) in in-line mode (diagram not reproduced in this transcript; elements shown: Switch (two), Firewall, Botnet, Cleaning device, Legitimate network (two), Enterprise A, Enterprise B, ATIC management center, Attacked target; flows labeled: attack traffic, legitimate traffic, management traffic)

As shown in Figure 2-3, the cleaning device is deployed at the ingress of the enterprise network in in-line mode to protect incoming and outgoing traffic. When anomalies occur, the cleaning device housing the built-in bypass card promptly enables attack defense.


2.4 Defense Solution for Financial Organizations

E-banking and credit card centers are exposed to the Internet and are prone to UDP/ICMP composite flood attacks and application-layer attacks (including HTTP flood attacks and HTTPS flood attacks). Severe DDoS attacks may bring huge economic loss. Therefore, financial organizations pose demanding requirements on security and reliability.

Catering to such requirements, Huawei unveils the interworking cleaning solution (the detecting device working together with the cleaning device) to secure financial organization networks. In this solution, the cleaning device provides defense against all kinds of flood and application-layer attacks to mitigate link congestion and ensure refined service protection.


Figure 2-4 Interworking defense for financial organizations (diagram not reproduced in this transcript; elements shown: Switch (two), Firewall, Botnet, Cleaning device, Detecting device, Legitimate network (two), E-banking center, Credit card center, ATIC management center, Attacked target; flows labeled: attack traffic, legitimate traffic, split traffic, management traffic)

As shown in Figure 2-4, the cleaning device and detecting device are deployed at network nodes in off-line mode. The detecting device detects mirrored or split traffic. When any anomalies are identified, the cleaning device dynamically diverts traffic, filters out abnormal traffic, and forwards legitimate traffic.

2.5 DNS Defense Solution

The DNS server is a core component of network infrastructure and must be protected against DDoS attacks. Any DDoS attack on the DNS server may adversely affect regional or nationwide networks.


To protect the DNS cache server, Huawei launches the "cleaning device in in-line mode" solution. This solution provides dedicated defense (against DNS cache poisoning, DNS query flood, and DNS response flood attacks) and a powerful DNS cache to mitigate the load on the DNS cache server. To enable carriers to learn about the status of the DNS cache server in real time, this solution delivers comprehensive DNS traffic statistics displaying DNS domain name and resource distribution.

Figure 2-5 Cleaning device in in-line mode for DNS cache server defense

[Figure elements: DNS server, Switch, Firewall, Botnet, Attack traffic / Legitimate traffic, Cleaning device, Legitimate network, ATIC management center, Attacked target, Management traffic]

As shown in Figure 2-5, the cleaning device in in-line mode detects bidirectional traffic in real time, generates the DNS statistical report based on DNS status, and rapidly cleans abrupt DNS traffic. Two in-line deployments are available for the cleaning device:

- Physical in-line mode (the AntiDDoS1000 with the built-in bypass card)


- Logical in-line mode (the AntiDDoS8000 in off-line mode for bidirectional traffic diversion)


3 Products in the Solution

About This Chapter

3.1 AntiDDoS1000

3.2 AntiDDoS8000

3.3 ATIC Management center


3.1 AntiDDoS1000

3.1.1 Appearance of the AntiDDoS1000

The 1 U AntiDDoS1000 supports FICs.

Chassis Dimensions

The AntiDDoS1000 consists of the integrated chassis and expansion interface cards. The height of the integrated chassis is approximately 1 U, and the dimensions (H x W x D) of the chassis are 43.6 mm x 442 mm x 560 mm. The chassis can be installed in a 19-inch standard cabinet.

NOTE

1 U = 44.45 mm

Front Panel

Figure 3-1 shows the front panel of the AntiDDoS1000.

Figure 3-1 Front panel of the AntiDDoS1000

[Figure: front panel; panel labels SYS, PWR, TF CARD]

1. ESD wrist strap socket
2. System reset button
3. Indicator area
4. microSD card slot
5. FIC2
6. FIC
7. GE Combo interfaces
8. 10/100/1000M adaptive electrical Ethernet interfaces
9. Management interface
10. Console port
11. USB 2.0 interfaces

NOTE

The AntiDDoS1000 does not support the microSD card slot numbered 4 in Figure 3-1.

Rear Panel

Figure 3-2 and Figure 3-3 show the rear panels of the AntiDDoS1000.

Figure 3-2 Rear panel of the AntiDDoS1000 DC


Figure 3-3 Rear panel of the AntiDDoS1000 AC

1. Grounding terminal
2. Power indicator
3. Power switch
4. AC power cable clip jack
5. Power socket
6. Fan frame

Components

The AntiDDoS1000 is designed as an integrated chassis. Table 3-1 shows the main components.

Table 3-1 Overview of the main components of the AntiDDoS1000

Component | Overview
Power supply | The AntiDDoS1000 comes in two models, AC and DC hosts, which cannot be used together on the same device. Two power modules are configured for each chassis to provide 1+1 backup. They support hot swap.
Fan | Fans adopt the N+1 redundancy design. A total of six system fans with independent fan frames are available. They support hot swap.
Cable | The cables of the AntiDDoS1000 include power cables, signal cables, and protective grounding cables.

3.1.2 Device Parameters

This section describes the system and device parameters of the AntiDDoS1000.

Table 3-2 shows the system and device parameters of the AntiDDoS1000.

Table 3-2 System and device parameters of the AntiDDoS1000

Parameter | Description
Expansion slot | Two FIC slots


Built-in interface | Two USB 2.0 interfaces; one microSD card slot; one management interface; one console port; four 10/100/1000M adaptive electrical Ethernet interfaces; four GE Combo interfaces
Dimensions (H x W x D) | 43.6 mm x 442 mm x 560 mm
Weight | 8.2 kg (net weight), 8.9 kg (in full configuration)
CPU | Multi-core MIPS; dominant frequency 950 MHz; a total of eight cores, each with four threads
NVRAM | 512 KB
Memory | DDR2 2 x 2 GB
Flash memory | 64 MB
CF card | 2 GB
Rated input voltage | AC: 100 V to 240 V, 50 Hz or 60 Hz; DC: -48 V to -60 V
Maximum input voltage | AC: 90 V to 264 V, 47 Hz to 63 Hz; DC: -36 V to -72 V
Maximum output power | 150 W
Running ambient temperature | Long term: 0°C to 45°C; short term: -5°C to +55°C
Storage ambient temperature | -40°C to +70°C
Ambient relative humidity | Long term: 10% RH to 90% RH (non-condensing); short term: 5% RH to 95% RH (non-condensing)

3.1.3 Fixed Interface and Interface Cards

Fixed Interface

The built-in LPU includes:

- Two USB 2.0 interfaces
- One microSD card slot (currently unavailable)


- One management interface. The management interface is a 10/100/1000M adaptive electrical Ethernet interface. Users can log in to the device through the management interface to configure, manage, or maintain the device out-of-band. The management interface cannot be used for data forwarding.
- One console port
- Four 10/100/1000M adaptive electrical Ethernet interfaces
- Four GE Combo interfaces. An optical/electrical (mutually exclusive) interface consists of one optical interface and one electrical interface with the same number. Only one of the two is available at a time. If both are connected, by default only the electrical interface works, but you can enable the optical interface by command. For the optical/electrical (mutually exclusive) interface, the optical Ethernet interface supports 100M and 1000M optical modules, whose rates are 100M and 1000M respectively, and the electrical interface is 10/100/1000M adaptive.

Interface Cards

The device provides two FIC slots, which can host various FICs.

- 2 x 10GE Optical Interface Card: Each 2 x 10GE optical interface card provides two 10-Gigabit optical interfaces.
- 8 x GE Electrical Interface Card: Each 8 x GE electrical interface card provides eight 10/100/1000M adaptive electrical Ethernet interfaces.
- 8 x GE Electrical + 2 x 10GE Optical Interface Card: Each 8 x GE electrical + 2 x 10GE optical interface card provides eight 10/100/1000M adaptive electrical Ethernet interfaces and two 10-Gigabit optical Ethernet interfaces.
- 4 x GE Electrical Bypass Interface Card: Each 4 x GE electrical bypass interface card provides four 10/100/1000M adaptive electrical Ethernet interfaces. When the AntiDDoS1000 is powered off or faulty, traffic passes directly between the devices on both sides, so that service continuity is ensured.
- Optical Bypass Interface Card: Each optical bypass interface card supports two single-link bypass subcards, BYPS (BYPM). When the bypass interface card is on the working path, the upstream and downstream traffic is transferred to the AntiDDoS1000 for processing. When the bypass interface card is on the protection path, the devices on both sides of the AntiDDoS1000 interconnect directly. This ensures service continuity.
- 8 x GE Optical Interface Card: Each 8 x GE optical interface card provides eight Gigabit optical interfaces.

3.2 AntiDDoS8000

3.2.1 Product Appearance


The Anti-DDoS device uses an integrated chassis. The chassis can be installed in an N68E-22 cabinet or a standard International Electrotechnical Commission (IEC) 19-inch cabinet with a depth of no less than 800 mm.

AntiDDoS8030 Chassis Overview

The AntiDDoS8030 chassis has both AC and DC models. Figure 3-4 shows a DC chassis, and Figure 3-5 shows an AC chassis.

Figure 3-4 Appearance of a DC chassis


Figure 3-5 Appearance of an AC chassis

Figure 3-6 shows the slots of the AntiDDoS8030.

Figure 3-6 Diagram of the board slot area

[Figure residue: slots 1 to 3 labelled LPU, slots 4 and 5 labelled MPU, ESD jack; see Table 3-3 for slot assignments]

Table 3-3 Slot location of the AntiDDoS8030

Slot Number | Quantity | Slot Width | Remarks
1 to 3 | 3 | 41 mm (1.6 inches) | Slots for Line Processing Units (LPUs) and Service Processing Units (SPUs). LPUs and SPUs can co-exist to suit individual requirements, but at least one LPU and one SPU are needed.
4 to 5 | 2 | 41 mm (1.6 inches) | Slots dedicated to the Main Processing Unit (MPU). The slots can house two MPUs to form 1:1 backup.


AntiDDoS8080 Chassis Overview

Figure 3-7 shows the chassis of the AntiDDoS8080.

Figure 3-7 Appearance of the chassis of the AntiDDoS8080

Figure 3-8 shows the slots of the AntiDDoS8080.


Figure 3-8 Diagram of the board slot area

[Figure residue: slot numbers 1 to 11; board labels LPU, MPU, SFU; ESD jack; see Table 3-4 for slot assignments]

Table 3-4 Slot location of the AntiDDoS8080

Slot Number | Quantity | Slot Width | Remarks
1 to 8 | 8 | 41 mm (1.6 inches) | Slots for LPUs and Service Processing Unit As (SPUAs). LPUs and SPUAs can be inserted at the same time; select them as required, but at least one LPU and one SPUA are needed.
9 to 10 | 2 | 36 mm (1.4 inches) | Two slots dedicated to Switch Router Units (SRUs). The slots can house two MPUs to form 1:1 backup.
11 | 1 | 36 mm (1.4 inches) | Slot for the Switch Fabric Unit (SFU). The SFU interworks with the SFU integrated on the SRU to form 2+1 backup for load balancing.

AntiDDoS8160 Chassis Overview

Figure 3-9 shows the chassis of the AntiDDoS8160.


Figure 3-9 Appearance of the chassis

Figure 3-10 shows the slots of the AntiDDoS8160.


Figure 3-10 Diagram of the board slot area

[Figure residue: slot numbers 1 to 22; board labels LPU, MPU, SFU; ESD jacks; see Table 3-5 for slot assignments]

Table 3-5 Slot location of the AntiDDoS8160

Slot Number | Quantity | Slot Width | Remarks
1 to 16 | 16 | 41 mm (1.6 inches) | Slots for LPUs and SPUAs. LPUs and SPUAs can be inserted at the same time; select them as required, but at least one LPU and one SPUA are needed.
17 to 18 | 2 | 41 mm (1.6 inches) | Slots dedicated to MPUs. The slots can house two MPUs to form 1:1 backup.
19 to 22 | 4 | 41 mm (1.6 inches) | Slots for SFUs. The slots can house four SFUs to form 3+1 backup for load balancing.


Power and Heat Dissipation Systems of the Anti-DDoS device

Table 3-6 gives an overview of the power and heat dissipation systems of the different Anti-DDoS device models.

Table 3-6 Overview of the power and heat dissipation systems of the different Anti-DDoS device models

Power supply system (supports AC or DC power supplies):

- AntiDDoS8030: The power supply system consists of 1+1 redundant AC or DC power supply frames. Both the AC and DC power supply frames support power alarming.
- AntiDDoS8080:
  - In DC mode, four Power Entry Modules (PEMs) reside on the back panel to provide 2+2 backup.
  - In AC mode, an AC power supply frame resides externally and connects to the power input ports of the PEMs through a rectifier that suits the total power of the integrated chassis.
- AntiDDoS8160:
  - In DC mode, eight PEMs reside on the back panel to provide 4+4 backup.
  - In AC mode, two AC power supply frames reside externally and connect to the power input ports of the PEMs through a rectifier that suits the total power of the integrated chassis.


Heat dissipation system:

- AntiDDoS8030:
  - Air enters the chassis from the left and exits from the back.
  - The air intake vent is on the left of the chassis, and the air exhaust vent is on the back of the chassis.
  - The fans reside on the air exhaust vent. The two fan frames back against each other, each having two fans. The fan frame extracts air from the system for dissipation.
- AntiDDoS8080:
  - Air enters the chassis from the front and exits from the back.
  - The air intake vent is above the front board slot area, and the air exhaust vent is above the rear board slot area.
  - The fans reside on the air exhaust vent. The two fan frames back against each other. Each fan frame has one fan. The fan frame extracts air from the system for dissipation.
- AntiDDoS8160:
  - The two fan frames reside respectively on the upper and lower parts of the chassis. Air enters the chassis from the front and exits from the back.
  - For the upper fan frame, the air intake vent resides above the front board slot area, and the air exhaust vent resides above the rear board slot area. For the lower fan frame, the air intake vent resides above the rear board slot area, and the air exhaust vent resides above the front board slot area. The upper and lower fan frames function independently.
  - The board slot area for the SFUs resides in the middle part of the device. The air intake vent for this slot area is on the left of the chassis. To dissipate heat from the SFUs in the two upper slots, the air enters from the left and goes up on the right to converge with the air from the upper fan frame. To dissipate heat from the SFUs in the two lower slots, the air enters from the left and goes down on the right to converge with the air from the lower fan frame.


3.2.2 Device Parameters

AntiDDoS8030

Table 3-7 lists the physical parameters of the AntiDDoS8030.

Table 3-7 Physical parameters of the AntiDDoS8030

Item | Description
Dimensions (width x depth x height) (a) | DC chassis: 442 mm x 650 mm x 175 mm (4 U); AC chassis: 442 mm x 650 mm x 220 mm (5 U). The depth is 750 mm including the dust filter and cabling rack.
Installation position | N68E cabinet or a standard 19-inch cabinet
Typical power consumption | With one LPUF-40-A (40G) and two SPUAs (20G) configured: DC chassis 1330 W; AC chassis 1360 W
Heat dissipation | DC chassis: 4311 BTU/hour; AC chassis: 4408 BTU/hour
Weight, empty chassis | DC chassis: 15 kg; AC chassis: 25 kg
Weight, full configuration | With one LPUF-40-A (40G) and two SPUAs (20G) configured: DC chassis 34 kg; AC chassis 42 kg
DC input voltage, rated | -48 V
DC input voltage, maximum range | -72 V to -38 V
AC input voltage, rated | 200 V AC to 240 V AC; 50/60 Hz
AC input voltage, maximum range | 180 V AC to 264 V AC; 50/60 Hz
System reliability, MTBF (year) | 25
System reliability, MTTR (hour) | 0.5
Ambient temperature (b), long-term (c) | 0°C to 45°C
Ambient temperature (b), short-term | -5°C to 55°C
Storage temperature | -40°C to 70°C


Ambient relative humidity, long-term | 5% RH to 85% RH, non-condensing
Ambient relative humidity, short-term | 5% RH to 95% RH, non-condensing
Storage relative humidity | 0% RH to 95% RH
Long-term altitude | Lower than 3000 m
Storage altitude | Lower than 5000 m

NOTE

a. The width does not include the width of the attached mounting ears.

b. The temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the cabinet, without the front and back doors.

c. Short-term operation means that the continuous operating time does not exceed 48 hours and the accumulated operating time per year does not exceed 15 days. If an operation exceeds either of these conditions, it is called long-term operation.

AntiDDoS8080

Table 3-8 lists the physical parameters of the AntiDDoS8080.

Table 3-8 Physical parameters of the AntiDDoS8080

Item | Description
Dimensions (width x depth x height) (a) | 442 mm x 650 mm x 620 mm (14 U). The depth is 770 mm including the dust filter and cabling rack.
Installation position | N68E cabinet or a standard 19-inch cabinet
Weight, empty chassis | 43.2 kg
Weight, full configuration | With three LPUF-40-As (40G) and five SPUAs (20G) configured: 96.7 kg
Typical power consumption | With three LPUF-40-As (40G) and five SPUAs (20G) configured: 3110 W
Heat dissipation | 10081 BTU/hour
DC input voltage, rated | -48 V
DC input voltage, maximum range | -72 V to -38 V


AC input voltage, rated | 200 V AC to 240 V AC; 50/60 Hz
AC input voltage, maximum range | 180 V AC to 264 V AC; 50/60 Hz
System reliability, MTBF (year) | 25
System reliability, MTTR (hour) | 0.5
Ambient temperature (b), long-term (c) | 0°C to 45°C
Ambient temperature (b), short-term | -5°C to 55°C
Ambient temperature (b), remarks | Limit of the temperature change rate: 30°C/hour
Storage temperature | -40°C to 70°C
Ambient relative humidity, long-term | 5% RH to 85% RH, non-condensing
Ambient relative humidity, short-term | 5% RH to 95% RH, non-condensing
Storage relative humidity | 0% RH to 95% RH
Long-term altitude | Lower than 3000 m
Storage altitude | Lower than 5000 m

NOTE

a. The width does not include the width of the attached mounting ears.

b. The temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the cabinet, without the front and back doors.

c. Short-term operation means that the continuous operating time does not exceed 48 hours and the accumulated operating time per year does not exceed 15 days. If an operation exceeds either of these conditions, it is called long-term operation.

AntiDDoS8160

Table 3-9 lists the physical parameters of the AntiDDoS8160.

Table 3-9 Physical parameters of the AntiDDoS8160

Item | Description
Dimensions (width x depth x height) (a) | 442 mm x 650 mm x 1420 mm (32 U). The depth is 770 mm including the dust filter and cabling rack.
Installation position | N68E cabinet or a standard 19-inch cabinet


Weight, empty chassis | 94.4 kg
Weight, full configuration | With six LPUF-40-As (40G) and ten SPUAs (20G) configured: 196.4 kg
Typical power consumption | With six LPUF-40-As (40G) and ten SPUAs (20G) configured: 5970 W
Heat dissipation | 19350 BTU/hour
DC input voltage, rated | -48 V
DC input voltage, maximum range | -72 V to -38 V
AC input voltage, rated | 200 V AC to 240 V AC; 50/60 Hz
AC input voltage, maximum range | 180 V AC to 264 V AC; 50/60 Hz
System reliability, MTBF (year) | 25
System reliability, MTTR (hour) | 0.5
Ambient temperature (b), long-term (c) | 0°C to 45°C
Ambient temperature (b), short-term | -5°C to 55°C
Ambient temperature (b), remarks | Limit of the temperature change rate: 30°C/hour
Storage temperature | -40°C to 70°C
Ambient relative humidity, long-term | 5% RH to 85% RH, non-condensing
Ambient relative humidity, short-term | 5% RH to 95% RH, non-condensing
Storage relative humidity | 0% RH to 95% RH
Long-term altitude | Lower than 3000 m
Storage altitude | Lower than 5000 m


NOTE

a. The width does not include the width of the attached mounting ears.

b. The temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the cabinet, without the front and back doors.

c. Short-term operation means that the continuous operating time does not exceed 48 hours and the accumulated operating time per year does not exceed 15 days. Otherwise, it is called long-term operation.

3.2.3 Board

MPU

The MPU on the Anti-DDoS device performs system control and learns route information.

The Anti-DDoS device MPU uses the 1:1 backup mechanism. When the active MPU is faulty, the standby MPU immediately takes over. The backup mechanism ensures the normal running of the system.

SFU

The SFU in the Anti-DDoS device is in charge of data exchange among boards.

- The AntiDDoS8080 is equipped with three switch network units, two of which, together with the two main control units, are integrated on the two MPUs respectively. The third one is placed on an independent SFU.
  - Enables 2+1 load balancing backup in the switching network
  - Provides an overall line switch of 7.08 Tbit/s
  - The SFUs work simultaneously to share the service data. When one of them is faulty, the service data is automatically balanced to the other two with no service interruption.
- The AntiDDoS8160 is equipped with four switch network units.
  - Enables 3+1 load balancing backup in the switching network
  - Provides an overall line switch of 12.58 Tbit/s
  - The four SFUs work simultaneously to share the service data. When any SFU is faulty, the service data is automatically balanced to the other three with no service interruption.

SPU

The SPU in the Anti-DDoS device is the core component in charge of processing every security service.

The SPU in the Anti-DDoS device comes with high-performance multi-core central processing units (CPUs). A service processing card (SPC) with 20 Gbit/s processing capability can be installed on each SPU.

The Anti-DDoS device comes with multiple SPUs. System performance in terms of throughput and the number of new connections per second increases linearly with the number of SPUs, and multiple SPUs back each other up. When one SPU is faulty, all its traffic is immediately balanced to the other SPUs with no service interruption.


LPU

The Anti-DDoS device supports the LPUF-21 and the LPUF-40, both of which take FPICs for expansion.

The LPUF-21 has two slots, each applicable to one FPIC. The entire LPUF-21 provides a maximum bandwidth of 20 Gbit/s.

The LPUF-21 supports the following cards:

- 1-port 10GBase LAN/WAN-XFP optical interface FPIC (one slot)
- 4-port 10GBase LAN/WAN-XFP optical interface FPIC (two slots, convergence)
- 12-port 100Base-FX/1000Base-X-SFP optical interface FPIC (one slot)
- 12-port 10Base-T/100Base-TX/1000Base-T electrical interface FPIC (one slot)
- 1-port OC-192c/STM-64c POS-XFP optical interface FPIC (one slot)

The LPUF-40 has two slots, each applicable to one FPIC. The entire LPUF-40 provides a maximum bandwidth of 40 Gbit/s.

The LPUF-40 supports the following cards:

- 2-port 10GBase LAN/WAN-XFP optical interface FPIC (one slot)
- 4-port 10GBase LAN/WAN-XFP optical interface FPIC (one slot, convergence)
- 20-port 100Base-FX/1000Base-X-SFP optical interface FPIC (one slot)

3.3 ATIC Management center

3.3.1 Basic Components

The ATIC Management center uses the easy-to-deploy B/S (browser/server) architecture, so services can be managed and monitored without installing client software. The ATIC Management center also suits the scenario where multiple detecting and cleaning devices are deployed in dispersed locations but require centralized management.

In the ATIC system, the ATIC Management center consists of the following components:

- ATIC server: Manages and configures anti-DDoS devices in a centralized way, and displays service reports.
- Anti-DDoS collector: Collects, resolves, summarizes, and stores the traffic, exception, and attack logs reported by the anti-DDoS device, and stores captured packets. One anti-DDoS device needs to correspond to one anti-DDoS collector.

In the abnormal-traffic mitigation solution, the ATIC Management center server and anti-DDoS collector support both centralized and distributed deployments.

- In centralized deployment, the ATIC Management center server and the anti-DDoS collector are installed in the same task and on the same physical server. Figure 3-11 shows the networking of the ATIC Management center server and anti-DDoS collector deployed in centralized mode.


Figure 3-11 ATIC Management center server and anti-DDoS collector deployed in centralized mode

[Figure elements: three anti-DDoS devices; ATIC server + ATIC collector on one host; monitored traffic; traffic log, cleaning log and captured packets; management traffic]

Consider the following factors in this networking mode:

  - Anti-DDoS device networking: The Anti-DDoS devices must be deployed on the same LAN. If the Anti-DDoS devices are deployed across a WAN, the large volume of log information occupies WAN bandwidth, which affects the normal running of services. In addition, the instability of the WAN may result in data loss.
  - Deployment scenarios of the Anti-DDoS device:
    - In in-line deployment, all traffic is checked and cleaned by the Anti-DDoS device. An anti-DDoS collector can collect anti-DDoS logs from about 10,000 IP addresses. If the number of IP addresses of protected objects exceeds 10,000, it is recommended that you configure an independent anti-DDoS collector.
    - In off-line deployment, only abnormal traffic is directed to the Anti-DDoS device for checking and cleaning. Abnormal traffic accounts for 10% of the total traffic, so fewer anti-DDoS collectors are needed; for example, one anti-DDoS collector is configured for 100,000 IP addresses of protected objects. In off-line deployment, if the Anti-DDoS devices are scattered, it is recommended that you configure multiple anti-DDoS collectors.

- In distributed deployment, the ATIC Management center server and the anti-DDoS collector are installed in different tasks and generally on different physical servers. Figure 3-12 shows the networking of the ATIC Management center server and anti-DDoS collectors deployed in distributed mode.


Figure 3-12 ATIC Management center server and anti-DDoS collectors deployed in distributed mode

[Figure elements: management center server; three anti-DDoS collectors; three anti-DDoS devices; monitored traffic; log and packet-capture traffic; management traffic]

Consider the following factors in this networking mode:

  - Anti-DDoS device networking: The Anti-DDoS devices are distributed in multiple areas that are connected through a WAN. An anti-DDoS collector is deployed in each area to prevent the large volume of log information from occupying WAN bandwidth and to reduce the bandwidth cost. In addition, the instability of the WAN may result in data loss.
  - Deployment scenarios of the Anti-DDoS device:
    - In in-line deployment, all traffic is checked and cleaned by the Anti-DDoS device. An anti-DDoS collector can collect anti-DDoS logs from about 10,000 IP addresses. If the number of IP addresses of protected objects exceeds 10,000, it is recommended that you configure an independent anti-DDoS collector.
    - In off-line deployment, only abnormal traffic is directed to the Anti-DDoS device for checking and cleaning. Abnormal traffic accounts for 10% of the total traffic, so fewer anti-DDoS collectors are needed; for example, one anti-DDoS collector is configured for 100,000 IP addresses of protected objects. In off-line deployment, if the Anti-DDoS devices are scattered, it is recommended that you configure multiple anti-DDoS collectors.
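The collector sizing rules above (about 10,000 protected IP addresses per collector for in-line devices, about 100,000 for off-line devices, one device reporting to one collector, and a collector in each WAN-separated area) can be turned into a small planning check. The following Python is an added example, not Huawei's code or the ATIC product's own logic; the device names, areas and IP counts are constructed, and the first-fit packing of devices onto collectors is this example's own assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Collector sizing figures stated in section 3.3.1: roughly 10,000 protected
# IP addresses per collector for in-line devices, and roughly 100,000 for
# off-line devices, where only about 10% of the traffic reaches the device.
IPS_PER_COLLECTOR = {"in-line": 10_000, "off-line": 100_000}


@dataclass
class Device:
    """One anti-DDoS device and the protected objects it reports logs for."""
    name: str
    area: str            # site / LAN segment the device sits in (constructed label)
    mode: str            # "in-line" or "off-line" deployment
    protected_ips: int   # number of protected-object IP addresses


@dataclass
class Collector:
    """One anti-DDoS collector and the devices assigned to it."""
    area: str
    devices: List[str] = field(default_factory=list)
    load: float = 0.0    # fraction of the collector's IP capacity in use


def capacity_fraction(dev: Device) -> float:
    """Share of one collector's capacity that a device consumes."""
    if dev.mode not in IPS_PER_COLLECTOR:
        raise ValueError(f"{dev.name}: unknown deployment mode {dev.mode!r}")
    return dev.protected_ips / IPS_PER_COLLECTOR[dev.mode]


def plan_collectors(devices: List[Device]) -> Tuple[str, Dict[str, List[Collector]], List[str]]:
    """Assign every device to exactly one collector located in its own area.

    Returns the deployment mode ("centralized" when all devices share one LAN
    area, otherwise "distributed"), the collectors grouped by area, and a
    warning for every device that by itself exceeds one collector's capacity.
    Packing devices first-fit in decreasing size is this example's choice, not
    a documented ATIC rule.
    """
    by_area: Dict[str, List[Collector]] = {}
    warnings: List[str] = []
    for dev in sorted(devices, key=capacity_fraction, reverse=True):
        need = capacity_fraction(dev)
        area_collectors = by_area.setdefault(dev.area, [])
        # Reuse the first collector in this area with enough headroom.
        target = next((c for c in area_collectors if c.load + need <= 1.0), None)
        if target is None:
            target = Collector(area=dev.area)
            area_collectors.append(target)
        target.devices.append(dev.name)
        target.load += need
        if need > 1.0:
            # The page's advice for oversized protected objects is an
            # independent collector; flag it so the planner can review.
            warnings.append(
                f"{dev.name}: {dev.protected_ips} protected IPs exceed the "
                f"~{IPS_PER_COLLECTOR[dev.mode]:,} per-collector figure for "
                f"{dev.mode} devices; assigned a dedicated collector"
            )
    deployment = "centralized" if len(by_area) <= 1 else "distributed"
    return deployment, by_area, warnings


# Constructed inventory for the demonstration (not from the document).
SAMPLE_DEVICES = [
    Device("ebank-clean-1", "datacenter-A", "in-line", 6_000),
    Device("ebank-clean-2", "datacenter-A", "in-line", 5_000),
    Device("card-clean-1", "datacenter-A", "off-line", 80_000),
    Device("dns-clean-1", "pop-B", "in-line", 9_000),
    Device("dns-detect-1", "pop-B", "off-line", 150_000),
]

if __name__ == "__main__":
    mode, plan, warns = plan_collectors(SAMPLE_DEVICES)
    print(f"deployment mode: {mode}")
    for area, collectors in plan.items():
        for i, c in enumerate(collectors, 1):
            print(f"  {area} collector {i}: {c.devices} load={c.load:.2f}")
    for w in warns:
        print("  WARNING:", w)
```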

3.3.2 Software and Hardware Planning in Centralized Mode


Software Planning for the Server

When the ATIC Management center is installed, the system automatically installs the MySQL database. For the operating system and Web browser planning, see Table 3-10.

Table 3-10 Software planning for the server

Hardware Platform | Software Type | Software Version
x86 (64-bit Windows) | Operating system | Windows Server 2008 R2 Standard with SP1
x86 (64-bit Windows) | Web browsers that can access the server | Internet Explorer 6.0/7.0/8.0; Mozilla Firefox 3.6.X to 4.X
x86 (32-bit Windows) | Operating system | Windows Server 2003 R2 Standard with SP2
x86 (32-bit Windows) | Web browsers that can access the server | Internet Explorer 6.0/7.0/8.0; Mozilla Firefox 3.6.X to 4.X

Hardware Planning for the Server

NOTE

- It is recommended that the anti-DDoS service be deployed on an independent server. If the anti-DDoS service shares a server with other services, the processing performance of the anti-DDoS service may decrease.
- To ensure the normal startup of the ATIC Management center, the server must have a minimum of 2.5 GB of free memory.

Hardware planning information covers the minimum and recommended configuration. For details, see Table 3-11.


Table 3-11 Hardware planning for the server

Recommended configuration:

- IBM X3650M4 server
- CPU: Xeon quad-core E5506 2.13 GHz or higher
- Memory: 8 GB
- Hard disk: 2 x 300 GB RAID1
- Recommended RAID card model: ServeRAID card (M5015). RAID 5 is recommended when the number of hard disks is 3 or greater.
- NOTE: Configuration for connecting an external disk cabinet: the Huawei OceanStor S2600F, which supports FC ports, is recommended. HBAs and optical jumpers need to be configured independently.
- To improve system reliability and security, you are advised to partition the disk into at least two logical drives. One drive of 40 GB is used only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

Minimum configuration:

- CPU: dual-core x86 processor
- Memory: 4 GB
- Hard disk: 100 GB
- To improve system reliability and security, you are advised to partition the disk into at least two logical drives. One drive of 30 GB is used only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

3.3.3 Software and Hardware Planning in Distributed Mode

Software Planning for the Server

When the ATIC Management center is installed, the system automatically installs the MySQL database. For the operating system and Web browser planning, see Table 3-12.

Table 3-12 Software planning for the server

Hardware platform    | Software type                           | Software version
x86 (64-bit Windows) | Operating system                        | Windows Server 2008 R2 Standard with SP1
                     | Web browsers that can access the server | Internet Explorer 6.0/7.0/8.0; Mozilla Firefox 3.6.X to 4.X
x86 (32-bit Windows) | Operating system                        | Windows Server 2003 R2 Standard with SP2
                     | Web browsers that can access the server | Internet Explorer 6.0/7.0/8.0; Mozilla Firefox 3.6.X to 4.X

Hardware Planning for the Server

NOTE
- It is recommended that the anti-DDoS service be deployed on an independent server. If the anti-DDoS service shares a server with other services, the processing performance of the anti-DDoS service may decrease.
- To ensure the normal startup of the ATIC Management center, the server must have a minimum of 1.5 GB free memory space.

Hardware planning information covers the minimum and recommended configuration. For details, see Table 3-13.

Table 3-13 Hardware planning for the server

Item: Recommended configuration
Requirements:
  IBM X3650M4 server
  - CPU: Xeon quad-core E5506 2.13 GHz or higher
  - Memory: 8 GB
  - Hard disk: 2 x 300 GB RAID1
  Recommended RAID card model: ServeRAID card (M5015). RAID 5 is recommended when the number of hard disks is 3 or greater.
  NOTE
  Configuration for connecting an external disk cabinet: Huawei OceanStor S2600F that supports FC port is recommended. HBAs and optical jumpers need to be configured independently.
  To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of one drive is 40 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

Item: Minimum configuration
Requirements:
  - CPU: dual-core x86 processor
  - Memory: 4 GB
  - Hard disk: 100 GB
  To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of one drive is 30 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

Software Planning for Anti-DDoS Collectors

When the anti-DDoS collector is installed, the system automatically installs the MySQL database. For the operating system planning, see Table 3-14.

Table 3-14 Software planning for an anti-DDoS collector

Hardware platform    | Software type    | Software version
x86 (64-bit Windows) | Operating system | Windows Server 2008 R2 Standard with SP1
x86 (32-bit Windows) | Operating system | Windows Server 2003 R2 Standard with SP2

Hardware Planning of an Anti-DDoS Collector

NOTE
To ensure the normal startup of the anti-DDoS collector, the anti-DDoS collector must have a minimum of 1.5 GB free memory space.

Hardware planning information covers the minimum and recommended configuration. For details, see Table 3-15.


Table 3-15 Hardware planning of an anti-DDoS collector

Item: Recommended configuration
Requirements:
  IBM X3650M4 server
  - CPU: Xeon quad-core E5506 2.13 GHz or higher
  - Memory: 8 GB
  - Hard disk: 2 x 300 GB RAID1
  Recommended RAID card model: ServeRAID card (M5015). RAID 5 is recommended when the number of hard disks is 3 or greater.
  NOTE
  Configuration for connecting an external disk cabinet: Huawei OceanStor S2600F that supports FC port is recommended. HBAs and optical jumpers need to be configured independently.
  To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of one drive is 40 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the anti-DDoS collector as well as the storage of database files.

Item: Minimum configuration
Requirements:
  - CPU: dual-core x86 processor
  - Memory: 4 GB
  - Hard disk: 100 GB
  To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of one drive is 30 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the anti-DDoS collector as well as the storage of database files.


4 Functions and Features

About This Chapter

4.1 Zone
The ATIC system defends against DDoS attacks based on the Zone. To protect certain targets, add them to the Zone.

4.2 Traffic Diversion
When the anti-DDoS device is in off-line mode, traffic needs to be diverted to the anti-DDoS device for detecting and cleaning.

4.3 Zone Protection
The ATIC system provides Zone-based defense modes and refined defense policies.

4.4 Packet Capture, Analysis and Report
The ATIC management center delivers packet capture, analysis, and report for subsequent maintenance. Packet capture is used to capture network traffic and locate network faults; analysis is used to analyze network traffic and attack logs; a report is used to periodically summarize Zone traffic and attack logs if desired.


4.1 Zone

The ATIC system defends against DDoS attacks based on the Zone. To protect certain targets, add them to the Zone.

A Zone is the object protected by the ATIC system. As shown in Figure 4-1, a Zone can be a server, a network, an Internet user, an enterprise, or an Internet service provider.

A Zone in the ATIC system is a collection of IP addresses or IP address segments. A Zone corresponds to either one or multiple IP addresses, which are the addresses of the protected objects. The ATIC system performs refined defense for these IP addresses.

Figure 4-1 Zone (diagram: Router1, Router2, anti-DDoS device, Zone; pre-cleaning and post-cleaning traffic directions)

In the ATIC system, a Zone is classified into three types:

- User-Defined Zones
  To protect specific IP addresses/address segments, the administrator can manually create user-defined Zones and add the IP addresses/address segments to the user-defined Zones. The anti-DDoS device uses defense policies to provide refined defense for traffic of these IP addresses/address segments. The type of such Zones is User-Defined.

- Default Zones
  One default Zone is automatically added when you add an anti-DDoS device. Each anti-DDoS device can be associated with only one default Zone, which does not have any given IP address. Refined defense can be implemented by the anti-DDoS device on the destination IP addresses except those in User-Defined Zones. The type of such Zones is Default.

- Zones Synchronized from the SIG
  After the SIG is added, the system automatically synchronizes Zones from the SIG system to protect them. The administrator cannot change the basic information and IP addresses of Zones of this type, but can select cleaning devices for Zones of this type, and apply the policies configured for the Zones to the traffic destined for the corresponding IP addresses/address segments for refined defense. The type of such Zones is SIG Zone.

Generally, add the destination IP addresses to be protected to a user-defined Zone and unfixed IP addresses to the default Zone. Then apply the various defense policies to the traffic destined for the Zones to protect those destination IP addresses.

In addition, default Zones are applied to MANs with heavy traffic. With default Zones, traffic with uncertain destination IP addresses is also defended against.

The ATIC system can defend multiple Zones simultaneously. You can add a maximum of 2000 Zones, and 10,000 IP addresses or address segments, to each device. Meanwhile, the system can perform refined protection for 10,000 destination IP addresses in total. IP addresses that do not belong to a user-defined Zone but are within the threshold (that is, 10,000 destination IP addresses) are protected through the policy configured for the default Zone, provided that default Zone functions are enabled.

For example, the administrator creates user-defined Zones, adds 6000 IP addresses to different user-defined Zones, and configures different defense policies for them. The ATIC system then protects those 6000 IP addresses using the defense policies configured for these user-defined Zones. The administrator also creates default Zones and configures defense policies for them, so the ATIC system protects the other 4000 IP addresses using the defense policies configured for the default Zones. The IP addresses of default Zones are unfixed and are protected in access order; IP addresses or IP address segments beyond the specified specifications are protected by the global defense policies.
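The capacity rules above, as an added example that is not part of the original document: a Python lookup that assigns a destination IP address to a user-defined Zone, to the default Zone (filled in access order until the refined-protection limit is reached), or to the global defense policies. The class name, the Zone data, longest-prefix matching between overlapping user-defined segments, and counting every address of a segment toward the limit are assumptions.

```python
import ipaddress

REFINED_LIMIT = 10_000  # refined-protection limit per device, from the text


class ZoneTable:
    """Constructed model of the per-device Zone lookup (not Huawei code)."""

    def __init__(self, user_zones, default_zone_enabled=True, limit=REFINED_LIMIT):
        # user_zones: {zone_name: [IP address or segment strings]} (constructed input)
        self.networks = []
        refined = 0
        for zone, entries in user_zones.items():
            for entry in entries:
                net = ipaddress.ip_network(entry, strict=False)
                self.networks.append((net, zone))
                refined += net.num_addresses  # assumption: every address of a segment counts
        if refined > limit:
            raise ValueError(f"user-defined Zones cover {refined} addresses, limit is {limit}")
        # Assumption: when user-defined segments overlap, the most specific one wins.
        self.networks.sort(key=lambda item: item[0].prefixlen, reverse=True)
        self.default_enabled = default_zone_enabled
        self.default_slots = limit - refined   # what is left for unfixed default-Zone addresses
        self.default_members = []              # admitted in access order, as the text describes

    def classify(self, dst_ip):
        """Return ("user-defined", zone), ("default", None) or ("global", None)."""
        ip = ipaddress.ip_address(dst_ip)
        for net, zone in self.networks:
            if ip in net:
                return ("user-defined", zone)
        if self.default_enabled:
            if ip in self.default_members:
                return ("default", None)
            if len(self.default_members) < self.default_slots:
                self.default_members.append(ip)   # first access claims a slot
                return ("default", None)
        # Beyond the specification: only the global defense policies apply.
        return ("global", None)


def demo():
    """Constructed walk-through: 258 addresses in user-defined Zones against a
    limit of 260 leaves two default-Zone slots; a third unfixed address falls
    through to the global policies."""
    table = ZoneTable(
        {"web": ["203.0.113.0/24"], "dns": ["198.51.100.10", "198.51.100.11"]},
        limit=260,
    )
    return [table.classify(ip) for ip in
            ("203.0.113.7", "198.51.100.11", "192.0.2.1", "192.0.2.2", "192.0.2.1", "192.0.2.3")]


if __name__ == "__main__":
    for result in demo():
        print(result)
```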

4.2 Traffic Diversion

When the anti-DDoS device is in off-line mode, traffic needs to be diverted to the anti-DDoS device for detecting and cleaning.

In normal cases, the traffic destined for the Zone is forwarded by the router on the backbone link to the destination Zone, not to the anti-DDoS device in off-line mode. To apply the anti-DDoS function provided by the anti-DDoS device to Zone traffic, change the original link of Zone traffic so that the traffic is diverted to the anti-DDoS device for defense.

Traffic diversion covers two scenarios: traffic is copied to the detecting device in mirroring or optical splitting mode, and the cleaning device diverts abnormal traffic and injects normal traffic back into the original link.

Mirroring and Optical Splitting

When the detecting device is deployed independently and in off-line mode, all traffic on the network needs to be copied to the detecting device for detection.


Traffic destined for the detecting device is copied traffic. After detection is complete, the traffic is directly discarded.

Traffic can be copied to the detecting device in two modes:

- Optical splitting
  An optical splitter is deployed on the network to optically split traffic on the link to the detecting device.

- Mirroring
  The mirroring function is configured on the router to copy traffic on the router to the detecting device.

For details on optical splitting and mirroring, see Configuring Optical Splitting and Mirroring.

Traffic Diversion and Injection

When the cleaning device is in off-line mode, all traffic destined for the Zone needs to be diverted to the cleaning device for cleaning. After that, cleaned traffic is injected into the original link and forwarded on to the Zone.

As shown in Figure 4-2, traffic destined for the Zone is normally forwarded to the Zone directly through Router1 and Router2. After a cleaning device is deployed in off-line mode, the original forwarding path changes: traffic is sent from Router1 to the cleaning device and, after being cleaned, is injected into the original link for forwarding. Traffic diversion and injection are therefore required.

Figure 4-2 Traffic direction when the cleaning device is in off-line mode (diagram: Router1, Router2, anti-DDoS device, Zone; steps 1 to 5; pre-cleaning and post-cleaning traffic directions)


- Traffic diversion
  In traffic diversion, traffic is diverted to the cleaning device in off-line mode by changing the original path of Zone traffic on the network. As shown in Figure 4-2, the cleaning device advertises a traffic-diversion route through Router1 to change the traffic transmission path. In this manner, traffic is sent from Router1 to the cleaning device. Traffic diversion supports the following two modes:
  – Policy-based route diversion
  – BGP traffic diversion

- Traffic injection
  In traffic injection, cleaned traffic is injected into the original link and then forwarded to the Zone. As shown in Figure 4-2, the cleaning device injects cleaned traffic to Router1, which in turn forwards the traffic to the Zone. Traffic injection provides the following modes; apply the traffic-injection mode that matches the routing protocols running on the network:
  – Layer 2 injection
  – Static route injection
  – Policy-based route injection
  – GRE injection
  – MPLS LSP injection
  – MPLS VPN injection

In traffic diversion and injection mechanisms, two types of routers are involved:

- Traffic-diversion router
  The router through which traffic is diverted to the cleaning device. As shown in Figure 4-2, the traffic-diversion router is Router1.

- Traffic-injection router
  The router to which normal traffic is injected. As shown in Figure 4-2, the traffic-injection router is also Router1.

Traffic-diversion and traffic-injection routers can be the same router or different ones. Plan them as required.

Traffic-Diversion Mode

In the ATIC system, traffic diversion falls into three modes:

- Automatic traffic diversion
  Upon detecting anomalies, the detecting device reports them to the Management center. The Management center then automatically generates a traffic-diversion task and delivers the task to the cleaning device. After the Zone state returns to normal, the Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion. The default mode is automatic traffic diversion.

- Manual traffic diversion
  Upon detecting anomalies, the detecting device reports them to the Management center. The Management center generates a traffic-diversion task automatically but does not deliver the task to the cleaning device until the administrator confirms the delivery. After the Zone state returns to normal, the Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion.

- Static traffic diversion
  In addition to manual and automatic traffic diversion, you can configure a static traffic-diversion task to divert traffic to the cleaning device regardless of whether the traffic is normal or not. Static traffic diversion is mainly applicable to scenarios where Zones are fixed and a relatively short delay is required, such as Internet cafe users and video chatting.
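The three modes above, as an added example that is not part of the original document: a Python model of the traffic-diversion task lifecycle the Management center runs for one Zone. The class, state and event names are assumptions; which mode delivers at once, waits for confirmation, or never cancels follows the text.

```python
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"   # default mode, per the text
    MANUAL = "manual"
    STATIC = "static"


class DiversionTask:
    """Constructed model (not Huawei code) of one Zone's traffic-diversion task."""

    def __init__(self, zone, mode=Mode.AUTOMATIC):
        self.zone = zone
        self.mode = mode
        self.delivered = []                # tasks actually sent to the cleaning device
        self.pending_confirmation = False  # manual mode: generated but not yet delivered
        # A static task diverts traffic whether it is normal or not, so it is
        # delivered as soon as it is configured.
        self.diverting = mode is Mode.STATIC
        if self.diverting:
            self.delivered.append(("divert", zone))

    def on_anomaly(self):
        """The detecting device reported an anomaly for the Zone; returns whether
        traffic is now being diverted."""
        if self.mode is Mode.STATIC or self.diverting:
            return self.diverting          # already diverted, nothing to deliver
        if self.mode is Mode.AUTOMATIC:
            self.delivered.append(("divert", self.zone))
            self.diverting = True
        else:                              # manual: wait for the administrator
            self.pending_confirmation = True
        return self.diverting

    def on_admin_confirm(self):
        """The administrator confirmed delivery of a pending manual task."""
        if self.mode is Mode.MANUAL and self.pending_confirmation:
            self.delivered.append(("divert", self.zone))
            self.pending_confirmation = False
            self.diverting = True
        return self.diverting

    def on_normal(self):
        """The Zone state returned to normal."""
        if self.mode is Mode.STATIC:
            return self.diverting          # static diversion is never cancelled automatically
        # Assumption: a manual task still awaiting confirmation is simply dropped.
        self.pending_confirmation = False
        if self.diverting:
            self.delivered.append(("cancel", self.zone))
            self.diverting = False
        return self.diverting


if __name__ == "__main__":
    task = DiversionTask("zone-a", Mode.MANUAL)
    task.on_anomaly()
    task.on_admin_confirm()
    task.on_normal()
    print(task.delivered)
```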

4.3 Zone Protection

The ATIC system provides Zone-based defense modes and refined defense policies.

4.3.1 Defense Mode

The ATIC system provides three defense modes, namely, automatic defense, manual defense, and detecting only.

- Automatic
  When the defense mode is set to Automatic and abnormal traffic is identified, the system automatically enables attack defense to clean the abnormal traffic, and reports anomalies and attack events to the Management center. The default mode is automatic defense.

- Manual
  When the defense mode is set to Manual and the system identifies abnormal traffic, the administrator determines whether to enable attack defense; the system reports anomalies and attack events to the Management center.

- Detecting only
  When the defense mode is set to Detecting only, the system only reports anomalies to the Management center after detecting abnormal traffic.

4.3.2 Traffic Model Learning

Traffic model learning falls into two types, service learning and dynamic baseline learning. In service learning, the system learns the service model of the Zone (the protocol types and port numbers of the traffic destined for the Zone) so that a proper attack defense policy can be enabled. Dynamic baseline learning provides references for configuring the defense threshold.

A defense policy sets a proper threshold for the traffic volume of a protocol. When the traffic on the live network exceeds the threshold, the system identifies that an anomaly occurs and triggers the corresponding attack defense.

Before configuring the defense policy, two questions need to be answered:

1. What types of attack defense need to be enabled?
2. How is a proper threshold set?

The ATIC system supports diversified types of attack defense. Enable the corresponding attack defense as required, rather than all defense functions. When the services on the network are unknown, you can learn about them by using service learning, and then determine which attack defense to enable.


During defense policy configuration, the system prompts you to set defense thresholds for policies. When the number of packets of a type destined for the Zone hits the threshold, the system enables defense against such packets. Because improper thresholds may affect normal services, you are advised to learn the dynamic baseline and set a proper defense threshold according to the learning result.

Service Learning

The anti-DDoS device provides Zones with differentiated defense policies based on the service and default policy template:

- Service-based defense protects services defined by the Zone, that is, it performs refined defense for a certain port of the specified IP address. This effectively protects the traffic of main services, ensuring service continuity.

- Default policy template-based defense protects the traffic of non-services in the Zone. This avoids network congestion.

When multiple ports are enabled for the Zone and refined defense is required for a certain port, adopt service-based defense: learn the traffic model to identify Zone services, and then provide defense policies for the given services in the Zone.

With service learning, the anti-DDoS device identifies the services of the Zone and picks out the TCP and UDP services whose traffic hits the threshold, including the protocol type, port, IP address, and specific traffic value. In this way, the device obtains the service list of the Zone.

In service learning, the anti-DDoS device learns statistics on inbound traffic, whether normal or abnormal. Therefore, service learning must be enabled only when Zone traffic is normal. If the Zone becomes abnormal or comes under attack during learning, terminate the current service learning task and restart it once Zone traffic returns to normal.

For details on how to configure service learning, see Configuring a Service and a Defense Policy (by Service Learning).

Dynamic Baseline Learning

In attack detection, the detecting device collects statistics on traffic and compares the traffic with the pre-defined threshold. If the traffic hits the threshold, the device considers that an anomaly occurs and reports the anomaly to the Management center. Attack judgment is therefore subject to the specified threshold; however, different networks run diversified applications, each with its own actual bandwidth.

- If the threshold is set too low, the system enables attack defense even if no attack occurs.

- If the threshold is set too high, the system cannot enable attack defense in a timely manner.

Therefore, before you configure the threshold, learn about the basic traffic model first.

In dynamic baseline learning, the system learns peak traffic at an interval in the normal network environment and presents the data as a curve to the administrator through the Management center.

After dynamic baseline learning is complete, you are advised to deliver the learning result as the defense threshold. The threshold must be set to a value higher than normal peak traffic.

The dynamic baseline can be learned repeatedly to cope with changes in network traffic models.


For details on how to configure the dynamic baseline, see Adjusting a Threshold (by Baseline Learning).
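Service learning and dynamic baseline learning above, as an added example that is not part of the original document: Python that runs both over constructed per-interval traffic records from a normal Zone and then applies the learned threshold in detection. The record format, the service learning threshold, the 20 percent margin above the learned peak and the function names are assumptions; what each learning type produces follows the text.

```python
from collections import defaultdict

# Constructed records: (interval, destination IP, protocol, destination port, packets/s),
# collected while the Zone is known to be normal (service learning must run then).
NORMAL_SAMPLES = [
    (1, "203.0.113.10", "tcp", 80, 900),
    (1, "203.0.113.10", "tcp", 443, 600),
    (1, "203.0.113.20", "udp", 53, 300),
    (1, "203.0.113.10", "tcp", 22, 3),       # too little traffic to count as a service
    (2, "203.0.113.10", "tcp", 80, 1200),
    (2, "203.0.113.10", "tcp", 443, 550),
    (2, "203.0.113.20", "udp", 53, 420),
    (3, "203.0.113.10", "tcp", 80, 1000),
    (3, "203.0.113.10", "tcp", 443, 700),
    (3, "203.0.113.20", "udp", 53, 380),
    (3, "203.0.113.10", "icmp", 0, 50),      # not TCP/UDP: ignored by service learning
]


def learn_services(samples, learn_threshold=10):
    """Service learning: the Zone's TCP and UDP services, identified by
    (destination IP, protocol, port), whose traffic hits the learning threshold,
    with the highest traffic value seen for each. The threshold is an assumption."""
    peaks = {}
    for _, ip, proto, port, pps in samples:
        if proto not in ("tcp", "udp"):
            continue
        key = (ip, proto, port)
        peaks[key] = max(peaks.get(key, 0), pps)
    return {key: pps for key, pps in peaks.items() if pps >= learn_threshold}


def learn_baseline(samples):
    """Dynamic baseline learning: traffic volume of each protocol per interval,
    i.e. the curve the Management center presents to the administrator."""
    curve = defaultdict(lambda: defaultdict(int))
    for interval, _, proto, _, pps in samples:
        curve[proto][interval] += pps
    return {proto: dict(points) for proto, points in curve.items()}


def suggest_thresholds(curve, margin_percent=20):
    """Deliver the learning result as the defense threshold: a value above the
    normal peak of each protocol. The margin is an assumption, not a product setting."""
    return {proto: max(points.values()) * (100 + margin_percent) // 100
            for proto, points in curve.items()}


def detect(live_rates, thresholds):
    """Detection: protocols whose live traffic hits the configured threshold are
    reported as anomalies."""
    return sorted(proto for proto, pps in live_rates.items()
                  if proto in thresholds and pps >= thresholds[proto])


if __name__ == "__main__":
    print(learn_services(NORMAL_SAMPLES))
    thresholds = suggest_thresholds(learn_baseline(NORMAL_SAMPLES))
    print(thresholds)
    print(detect({"tcp": 2500, "udp": 400, "icmp": 10}, thresholds))
```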

4.3.3 Defense Policy

The ATIC system delivers the layer-to-layer filtering mechanism and refined defense policies for abnormal traffic.

Figure 4-3 shows defense policies for abnormal traffic.

Figure 4-3 Defense policy (diagram: incoming traffic passes the interface-based defense policy, then the global defense policy (global filter, first-packet check, basic attack defense, malware check, DNS cache), then the Zone-based defense policy (network segment-based defense, service-based defense policy, default defense policy) before reaching the Zone)

Before configuring defense policies, you are advised to learn the traffic model first. With the traffic model, you can learn about the service types on the protected network and the curve values of the traffic of all types. For details on how to learn the traffic model, see 4.3.2 Traffic Model Learning.

The defense procedure is as follows:

1. Interface-based defense
   The administrator must configure interface-based defense policies first to cope with heavy traffic attacks. Upon receiving packets, the anti-DDoS device performs a validity check on the LPU, and illegitimate packets are directly discarded. In this defense mode, attack packets are processed immediately on the LPU, which enhances the processing performance of the anti-DDoS device.
   The anti-DDoS device can defend against the following attacks based on the interface:
   - SYN Flood
   - SYN-ACK Flood
   - ACK Flood
   - RST Flood
   - TCP-abnormal Flood
   - TCP Fragment Flood
   - UDP Flood
   - UDP Fragment Flood
   - ICMP Flood
   - DNS Request Flood
   - DNS Reply Flood
   - HTTP Flood
   - SIP Flood
   For details on how to configure interface-based defense, see Configuring an Interface-based Defense Policy.

2. Global defense
   After global defense is configured, the device detects and cleans all available traffic regardless of Zones. The following global defense policies are available:
   - Global filter
     The anti-DDoS device supports TCP, UDP, IP, ICMP, DNS, HTTP, and SIP filters. The filter matches the packets destined for the anti-DDoS device based on configured packet features and performs any of the following actions for fine-grained filtering:
     – Discard
     – Discard+Blacklist
     – Pass
     – Pass+Whitelist
     – Rate limiting
     – Source authentication (applying only to the HTTP filter)
   - First-packet check
     The anti-DDoS device supports the check on first SYN, TCP, UDP, ICMP, and DNS packets.
   - Basic attack defense
     Basic attacks are traditional single-packet Denial of Service (DoS) attacks, including scanning and sniffing attacks, malformed packet attacks, and special packet attacks.
   - Malware check
     The cleaning device employs user-defined malware rules or loads the predefined signature database to check for malware attacks.
   - DNS cache
     The cleaning device stores the IP address and domain name of the DNS cache server by loading a file. Under attack, the DNS cache-enabled cleaning device, instead of the DNS authoritative server, responds to the DNS cache server with cached information. This avoids a performance bottleneck at the DNS authoritative server.
   For details on how to configure global defense policies, see Configuring a Global Filter, Configuring the First-Packet Check, Configuring Basic Attack Defense, Configuring the Malware Detection Function, and Configuring the DNS Smart Cache Function.

3. Zone-based defense
   - Network segment-based defense
     In network segment-based defense, the defense threshold is specified for all Zones. Statistics on traffic destined for all Zones are collected and the defense function is triggered once traffic hits the threshold. The anti-DDoS device can defend against the following attacks based on the network segment:
     – SYN Flood
     – ACK Flood
     – DNS Request Flood
     – DNS Reply Flood
     – TCP Ratio
     – TCP Connection Flood
     – HTTP Flood
     For details on how to configure network segment-based defense, see Configuring Network Segment-based Defense Policies.
   - Service-based defense
     Before you enable service-based defense, verify the main services on the defended network. The service learning function helps you learn about service types on the network. For details, see Configuring a Service and a Defense Policy (by Service Learning).
     The cleaning device defines traffic destined for the Zone as services of different types by destination IP address, protocol type, and destination port. Different defense policies are configured for such services to provide refined and differentiated defense. Service-based defense distinguishes service traffic from non-service traffic and provides diversified defense measures for different traffic. The following defense measures are provided:
     – Block: denies the packets of protocols that are not in the Zone.
     – Defense: checks the traffic features and validity of various services to allow legitimate packets through and deny illegitimate ones.
     – Traffic limiting: limits the traffic volume of a protocol in the Zone to within the threshold. Excess traffic is denied.
   - Default policy Zone-based defense
     Default policy defense targets non-service traffic destined for the Zone. Such non-service traffic can be traffic generated by user operations (such as Telnet and ping), redundant traffic, or attack traffic. You can configure different defense measures for the traffic of different types. The traffic generated by user operations is slight, so defend against or limit such traffic. Block redundant or attack traffic.
   For details on how to configure Zone-based defense, see Configuring the Zone-based Defense Policy.

4. Source IP address-based defense
   In source IP address-based defense, when the packets from a source IP address hit the threshold, source validity check is triggered. Source IP addresses that fail authentication are rate-limited or blacklisted. This function mainly targets TCP packets.

After the layer-to-layer filtering mechanism completes, Zone traffic complies with the threshold specifications.
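The Zone-based step above (service-based defense with its three measures, then the default policy for non-service traffic), as an added example that is not part of the original document: a Python evaluator applied to constructed packets. The service list, the default-policy classes, the rate limits, the packet format and the validity flag that stands in for the device's validity check are assumptions; the measures and the service/non-service split follow the text.

```python
from collections import defaultdict

# Constructed Zone service list, keyed by (destination IP, protocol, destination port),
# each with its configured measure: "block", "defense" or ("limit", packets per window).
ZONE_SERVICES = {
    ("203.0.113.10", "tcp", 80): ("defense", None),   # HTTP: validity check
    ("203.0.113.10", "tcp", 443): ("defense", None),
    ("203.0.113.20", "udp", 53): ("limit", 2),        # DNS: 2 packets per window (constructed)
    ("203.0.113.30", "tcp", 25): ("block", None),     # a protocol the Zone does not offer
}

# Constructed default policy for non-service traffic destined for the Zone.
DEFAULT_POLICY = {
    "user-operation": ("limit", 1),   # Telnet, ping: slight traffic, so limit rather than block
    "redundant": ("block", None),
    "attack": ("block", None),
}
USER_OPERATION_PORTS = {("tcp", 23), ("icmp", 0)}   # constructed classification of user operations


class ZonePolicy:
    """Constructed model of the Zone-based defense step (not Huawei code)."""

    def __init__(self, services, default_policy):
        self.services = services
        self.default_policy = default_policy
        self.counters = defaultdict(int)   # packets seen per limited rule in the current window

    def classify_non_service(self, pkt):
        """Assumption: user operations are recognised by port, malformed packets
        count as attack traffic, and anything else is redundant traffic."""
        if (pkt["proto"], pkt["dport"]) in USER_OPERATION_PORTS:
            return "user-operation"
        return "attack" if pkt.get("malformed") else "redundant"

    def apply(self, pkt):
        """Return "pass" or "deny" for one packet destined for the Zone."""
        key = (pkt["dst"], pkt["proto"], pkt["dport"])
        if key in self.services:                     # service traffic
            measure, limit = self.services[key]
            rule = ("service", key)
        else:                                        # non-service traffic: default policy
            cls = self.classify_non_service(pkt)
            measure, limit = self.default_policy[cls]
            rule = ("default", cls)
        if measure == "block":
            return "deny"
        if measure == "defense":
            # Stand-in for the device's validity check on the packet's features.
            return "pass" if pkt.get("valid", True) else "deny"
        # Traffic limiting: packets beyond the threshold are denied.
        self.counters[rule] += 1
        return "pass" if self.counters[rule] <= limit else "deny"


def demo():
    """Constructed packet sequence run through the policy."""
    policy = ZonePolicy(ZONE_SERVICES, DEFAULT_POLICY)
    packets = [
        {"dst": "203.0.113.10", "proto": "tcp", "dport": 80},                  # valid HTTP
        {"dst": "203.0.113.10", "proto": "tcp", "dport": 80, "valid": False},  # fails validity check
        {"dst": "203.0.113.20", "proto": "udp", "dport": 53},
        {"dst": "203.0.113.20", "proto": "udp", "dport": 53},
        {"dst": "203.0.113.20", "proto": "udp", "dport": 53},                  # third DNS packet: over limit
        {"dst": "203.0.113.30", "proto": "tcp", "dport": 25},                  # blocked service
        {"dst": "203.0.113.10", "proto": "tcp", "dport": 23},                  # Telnet: user operation
        {"dst": "203.0.113.10", "proto": "tcp", "dport": 23},                  # second Telnet packet: over limit
        {"dst": "203.0.113.10", "proto": "udp", "dport": 9999},                # redundant traffic
        {"dst": "203.0.113.10", "proto": "tcp", "dport": 8080, "malformed": True},  # attack traffic
    ]
    return [policy.apply(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```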

4.4 Packet Capture, Analysis and Report

The ATIC management center delivers packet capture, analysis, and report for subsequent maintenance. Packet capture is used to capture network traffic and locate network faults; analysis is used to analyze network traffic and attack logs; a report is used to periodically summarize Zone traffic and attack logs if desired.

Packet Capture

In packet capture, the anti-DDoS device captures packets according to the packet capture taskdelivered by the management center. Then the device encapsulates captured packets in a fixedformat and sends them to the anti-DDoS collector for resolution.

In actual applications, packet capture is mainly used to analyze and locate network problems.Different packet capture types are applicable to diversified application scenarios:

l ACL-based packet capture

When the anti-DDoS device does not detect attacks, and packet loss occurs on the protectednetwork or access fails, you can adopt ACL-based packet capture to identify packet typesand thereby analyze defense failure.

l Global packet capture

A global packet capture task captures all discarded packets, including those discarded dueto non-anti-DDoS policies such as malformed packet check and packet filtering. In sodoing, causes for service interruption are exploited.

l Zone attack matched packet capture

The anti-DDoS device captures the packets discarded by attacks upon the Zone. This assistsin analyzing attack events.

l Zone anomaly matched packet capture

The anti-DDoS device captures the abnormal packets of different types. This assists inanalyzing abnormal events.

After the packet-capture task is complete, the captured packets are saved in the packet-capture file. With the packet-capture file, you can view attack events, trace attack sources, parse attack packets, and extract fingerprints, thereby locating attacks and obtaining the features and details of attackers so that proper defense policies can be configured. The packet-capture file can also be downloaded to the local host for other operations.

- Viewing attack events

  By viewing the abnormal or attack events associated with the packet-capture file, you can analyze their details.

- Attack source tracing

  Attack source tracing gives you information about the attack sources. Additionally, the system adds suspicious source IP addresses to the static blacklist to defend against the attack effectively.

- Packet parsing

  Packet parsing gives you the details of each packet.

- Fingerprint extracting

  With fingerprint extracting, the system extracts the features of abnormal or attack packets. Additionally, the system adds the extracted fingerprints to the Zone fingerprint list as a reference for traffic cleaning.

- Packet-capture file download

  The packet-capture file can be downloaded to the local host for later operations.
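The post-processing workflow just described (viewing events, tracing sources into a static blacklist, extracting a fingerprint for the Zone fingerprint list, and applying both during cleaning), as an added Python example that is not Huawei's code: the capture record layout, the field names, and every address and payload below are constructed assumptions, and "fingerprint" is taken here to mean the longest byte string common to every captured attack payload.

```python
"""Post-processing of an anti-DDoS packet-capture file (added illustration, not
Huawei's code). The record layout, field names, addresses and payloads are all
constructed for this example; the real collector's fixed format is not documented here."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Captured:
    """One record of the (assumed) capture file: a packet the Zone defense discarded."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


MARKER = b"BOTMARK-7f3a"      # constructed payload pattern shared by the flood tool
ZONE_IP = "203.0.113.10"      # constructed protected address (documentation range)

# Constructed "Zone attack matched" capture: eight UDP packets from three sources, each
# carrying MARKER surrounded by bytes that differ per packet, so only the common
# substring (not the whole payload) is a usable fingerprint.
ATTACK_CAPTURE: List[Captured] = [
    Captured(src, ZONE_IP, "UDP", 53,
             bytes([i, 0xFF - i]) + MARKER + bytes([(i * 7) % 256]))
    for i, src in enumerate(["198.51.100.7"] * 4 + ["198.51.100.8"] * 3 + ["198.51.100.9"])
]


def view_events(capture: Iterable[Captured]) -> Counter:
    """'Viewing attack events': count discarded packets per (dst, proto, dport)."""
    return Counter((p.dst, p.proto, p.dport) for p in capture)


def trace_sources(capture: Iterable[Captured], min_packets: int) -> Set[str]:
    """'Attack source tracing': sources with at least min_packets discarded packets
    become candidates for the static blacklist."""
    counts = Counter(p.src for p in capture)
    return {src for src, n in counts.items() if n >= min_packets}


def extract_fingerprint(payloads: List[bytes], min_len: int = 8) -> Optional[bytes]:
    """'Fingerprint extracting': the longest byte string present in every captured
    payload, provided it is at least min_len bytes (shorter strings would also match
    benign traffic, so they are rejected and None is returned)."""
    if not payloads:
        return None
    shortest = min(payloads, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(0, len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in payloads):
                return candidate
    return None


def clean(traffic: Iterable[Captured], blacklist: Set[str],
          fingerprints: List[bytes]) -> Tuple[List[Captured], List[Tuple[Captured, str]]]:
    """Traffic cleaning with the analysis results: drop by static blacklist first,
    then by the Zone fingerprint list; everything else is forwarded."""
    passed, dropped = [], []
    for p in traffic:
        if p.src in blacklist:
            dropped.append((p, "blacklist"))
        elif any(fp in p.payload for fp in fingerprints):
            dropped.append((p, "fingerprint"))
        else:
            passed.append(p)
    return passed, dropped


# Constructed post-cleaning traffic: a blacklisted source, a new source using the
# same tool, and a legitimate DNS query for example.com that must be forwarded.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
LIVE_TRAFFIC: List[Captured] = [
    Captured("198.51.100.7", ZONE_IP, "UDP", 53, b"\x09\xf6" + MARKER + b"\x3f"),
    Captured("198.51.100.42", ZONE_IP, "UDP", 53, b"\x0a\xf5" + MARKER + b"\x46"),
    Captured("192.0.2.5", ZONE_IP, "UDP", 53, DNS_QUERY),
]


def run_analysis() -> dict:
    """Run the whole workflow on the constructed capture and return each step's result."""
    blacklist = trace_sources(ATTACK_CAPTURE, min_packets=2)
    fp = extract_fingerprint([p.payload for p in ATTACK_CAPTURE])
    passed, dropped = clean(LIVE_TRAFFIC, blacklist, [fp] if fp else [])
    return {
        "events": view_events(ATTACK_CAPTURE),
        "blacklist": blacklist,
        "fingerprint": fp,
        "passed": [p.src for p in passed],
        "dropped": [(p.src, why) for p, why in dropped],
    }


if __name__ == "__main__":
    for key, value in run_analysis().items():
        print(f"{key}: {value!r}")
```

The min_len floor matters in practice: a fingerprint that is too short will be found in legitimate packets and turn the cleaning step into a self-inflicted outage.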


Analysis

The ATIC management center provides several types of analysis: traffic analysis, anomaly/attack analysis, DNS analysis, HTTP analysis, SIP analysis, and botnet/Trojan horse/worm analysis. With these, the administrator can learn about network data comprehensively and in a timely manner, and export the analysis results.

Figure 4-4 shows the analysis diagram.

Figure 4-4 Analysis diagram (labelled areas: query condition setting area; analysis types display area)

Report

The ATIC management center provides both system reports and Zone reports, and supports diverse report types. Scheduled generation and download of comprehensive reports minimize labor and facilitate periodic monitoring of network status and later queries.

Figure 4-5 shows the comprehensive report.


Figure 4-5 Diagram of a report (labelled areas: report types displayed in the comprehensive report; report query condition setting area)


5 Technical Specifications

About This Chapter

5.1 AntiDDoS1000

5.2 AntiDDoS8000

5.3 ATIC Management Center


5.1 AntiDDoS1000

5.1.1 Functions and Features

Table 5-1 shows the functions and features supported by the Anti-DDoS device.

Table 5-1 Functions and features (Feature / Sub-Feature: Description)

Zone: Zones fall into the following types:
- User-defined Zone
- Default Zone

Traffic guide: Optical splitting and mirroring

Traffic diversion: Traffic diversion falls into the following modes:
- Policy-based route diversion
- BGP diversion

Traffic injection: Traffic injection falls into the following modes:
- Layer 2 injection
- Static route injection
- Policy-based route injection
- GRE injection
- MPLS LSP injection
- MPLS VPN injection

Defense mode: Defense modes fall into the following types:
- Automatic
- Manual
- Detecting Only

Blacklist: Blacklists fall into the following types:
- Global blacklist
- LPU blacklist
- Zone blacklist

Whitelist: Whitelists fall into the following types:
- Global whitelist
- Zone whitelist

Interface-based defense: Interface-based defense falls into the following types:
- SYN flood attack defense
- SYN-ACK flood attack defense
- ACK flood attack defense
- RST flood attack defense
- TCP anomaly flood attack defense
- TCP fragment flood attack defense
- UDP flood attack defense
- UDP fragment flood attack defense
- ICMP flood attack defense
- DNS request flood attack defense
- DNS reply flood attack defense
- HTTP flood attack defense
- SIP flood attack defense

Global defense policy
  Basic attack defense: Defense against malformed packet attacks, including IP spoofing, Land, Fraggle, WinNuke, Ping of Death, Tear Drop, IP option, illegitimate IP fragment, illegitimate TCP flag, large ICMP, and Smurf attacks. Defense against scanning and sniffing attacks, including address scanning, port scanning, Tracert, IP timestamp option, IP source routing options, IP route record options, ICMP redirection, and ICMP unreachable attacks.
  Malware check: Zombie, Trojan horse, and worm check
  DNS cache: DNS domain name blocking

Zone-based defense
  Network segment-based defense: Network segment-based defense falls into the following types:
  - SYN flood attack defense
  - ACK flood attack defense
  - DNS request flood attack defense
  - DNS reply flood attack defense
  - TCP ratio attack defense
  - TCP connection flood attack defense
  - HTTP flood attack defense
  Service-based defense: Service-based defense falls into the following types:
  - TCP defense
    – SYN flood attack defense
    – SYN-ACK flood attack defense
    – ACK flood attack defense
    – RST/FIN flood attack defense
    – TCP fragment flood attack defense
    – TCP connection flood attack defense
  - UDP defense
    – UDP flood attack defense
    – UDP fragment flood attack defense
  - ICMP flood attack defense
  - DNS packet attack defense
    – DNS request flood attack defense
    – DNS reply flood attack defense
    – DNS cache poisoning attack defense
    – DNS hijacking attack defense
    – DNS reflection attack defense
    – DNS unknown domain name request defense
    – DNS packet validity check
    – Rate limiting on DNS packets based on the domain name and source IP address
    – DNS cache
    – DNS top N statistics
    – DNS detailed statistics
  - HTTP flood attack defense
    – HTTP source authentication
    – URI behavior monitoring
    – Host filtering
  - HTTPS flood attack defense
  - SIP flood attack defense

Default defense
  Source IP address-based defense: TCP packet attack defense

Packet capture: Packet capture falls into the following types:
- ACL-based packet capture
- Global packet capture
- Zone-based packet capture of anomalies
- Zone-based packet capture of attacks

5.1.2 Performance Specifications


Table 5-2 Overall system specifications (AntiDDoS1000)

Dimensions (H x W x D): 43.6 mm x 442 mm x 560 mm
Weight: base chassis 8.24 kg; fully configured chassis 8.9 kg
CPU: multi-core MIPS processor; frequency 950 MHz
Memory: 4 GB
NVRAM: 512 KB
Flash memory: 64 MB
CF card: 2 GB
microSD card: not supported
Rated input voltage: AC 100 V to 240 V (50 Hz/60 Hz); DC -48 V to -60 V
Maximum power: 150 W

5.1.3 Environment Requirements

Table 5-3 Environment requirements

Altitude: ≤ 2000 m (long-term operating temperature: 0°C to 45°C)
Atmospheric pressure: 70 kPa to 106 kPa
Operating temperature: long term 0°C to 45°C; short term –5°C to +55°C
Storage temperature: –40°C to +70°C
Relative humidity (operating and storage): long term 10% RH to 90% RH, non-condensing; short term 5% RH to 95% RH, non-condensing


5.1.4 Standard and Protocol Compliance

Table 5-4 Compliant standards (Standard: Content)

ETS 300 386: Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; Electromagnetic Compatibility (EMC) requirements
IEC 62151: Safety of equipment electrically connected to a telecommunication network
IEEE 802.1d: MAC bridges
IEEE 802.1p: Traffic Class Expediting and Dynamic Multicast Filtering
IEEE 802.1q: Virtual Bridged Local Area Networks
IEEE 802.3u: Definition of Fast Ethernet (100BTX, 100BT4, 100BFX)
IEEE 802.3z: Definition of Gigabit Ethernet (over Fibre)
ITU-T G.652: Characteristics of a single-mode optical fibre and cable
RFC0768: User datagram protocol (UDP)
RFC0791: Internet protocol (IP)
RFC0792: Internet Control Message Protocol (ICMP)
RFC0793: Transport Control Protocol (TCP)
RFC0854: Telnet
RFC0894: Technical specification for network access server
RFC1157: Simple Network Management Protocol (SNMP)
RFC1213: Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1229: Extensions to the generic-interface MIB
RFC1661: Point-to-point links (PPP)
RFC1757: Remote network monitoring management information base
RFC2865: Remote authentication dial in user service (RADIUS)
RFC2869: RADIUS extensions
RFC2903: Generic AAA architecture
RFC2904: AAA authorization framework
RFC2906: AAA authorization requirements
RFC1492: An access control protocol, sometimes called TACACS
RFC2401: Security architecture for the Internet protocol
RFC2405: The ESP DES-CBC cipher algorithm with explicit IV
RFC2407: The Internet IP security domain of interpretation for ISAKMP
RFC2408: Internet security association and key management protocol (ISAKMP)
RFC2578: Structure of management information version 2 (SMIv2)
RFC2579: Textual conventions for SMIv2
RFC2580: Conformance statements for SMIv2
RFC1157: SNMP
RFC1155: Structure and identification of management information for TCP/IP-based Internets
RFC1213: Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1212: Concise MIB definitions
RFC1901: Introduction to community-based SNMPv2
RFC1035: NTPv3 specification
RFC854: Telnet protocol specification
RFC857: Telnet echo option
RFC858: Telnet "Suppress Go Ahead" option
RFC1091: Telnet terminal type option
RFC4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC4251: The Secure Shell (SSH) Protocol Architecture
RFC4252: The Secure Shell (SSH) Authentication Protocol
RFC4253: The Secure Shell (SSH) Transport Layer Protocol
RFC4254: The Secure Shell (SSH) Connection Protocol
RFC4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
RFC4256: Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
RFC4335: The Secure Shell (SSH) Session Channel Break Extension
RFC4344: The Secure Shell (SSH) Transport Layer Encryption Modes
RFC4419: Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
RFC4462: Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC1350: TFTPv2
RFC959: FTP
RFC1945: Hypertext Transfer Protocol -- HTTP/1.0
RFC2145: Use and Interpretation of HTTP Version Numbers
RFC2616: Hypertext Transfer Protocol -- HTTP/1.1
RFC2617: HTTP Authentication: Basic and Digest Access Authentication
RFC2774: An HTTP Extension Framework
RFC2965: HTTP State Management Mechanism
RFC2792: DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System
RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
RFC1034: Domain names - concepts and facilities
RFC1035: Domain names - implementation and specification
RFC2543: SIP: Session Initiation Protocol
RFC2818: HTTP Over TLS

5.2 AntiDDoS8000

5.2.1 Functions and Features

Table 5-5 shows the functions and features supported by the Anti-DDoS device.


Table 5-5 Functions and features (Feature / Sub-Feature: Description)

Zone: Zones fall into the following types:
- User-defined Zone
- Default Zone

Traffic guide: Optical splitting and mirroring

Traffic diversion: Traffic diversion falls into the following modes:
- Policy-based route diversion
- BGP diversion

Traffic injection: Traffic injection falls into the following modes:
- Layer 2 injection
- Static route injection
- Policy-based route injection
- GRE injection
- MPLS LSP injection
- MPLS VPN injection

Defense mode: Defense modes fall into the following types:
- Automatic
- Manual
- Detecting Only

Blacklist: Blacklists fall into the following types:
- Global blacklist
- LPU blacklist
- Zone blacklist

Whitelist: Whitelists fall into the following types:
- Global whitelist
- Zone whitelist

Interface-based defense: Interface-based defense falls into the following types:
- SYN flood attack defense
- SYN-ACK flood attack defense
- ACK flood attack defense
- RST flood attack defense
- TCP anomaly flood attack defense
- TCP fragment flood attack defense
- UDP flood attack defense
- UDP fragment flood attack defense
- ICMP flood attack defense
- DNS request flood attack defense
- DNS reply flood attack defense
- HTTP flood attack defense
- SIP flood attack defense

Global defense policy
  Basic attack defense: Defense against malformed packet attacks, including IP spoofing, Land, Fraggle, WinNuke, Ping of Death, Tear Drop, IP option, illegitimate IP fragment, illegitimate TCP flag, large ICMP, and Smurf attacks. Defense against scanning and sniffing attacks, including address scanning, port scanning, Tracert, IP timestamp option, IP source routing options, IP route record options, ICMP redirection, and ICMP unreachable attacks.
  Malware check: Zombie, Trojan horse, and worm check
  DNS cache: DNS domain name blocking

Zone-based defense
  Network segment-based defense: Network segment-based defense falls into the following types:
  - SYN flood attack defense
  - ACK flood attack defense
  - DNS request flood attack defense
  - DNS reply flood attack defense
  - TCP ratio attack defense
  - TCP connection flood attack defense
  - HTTP flood attack defense
  Service-based defense: Service-based defense falls into the following types:
  - TCP defense
    – SYN flood attack defense
    – SYN-ACK flood attack defense
    – ACK flood attack defense
    – RST/FIN flood attack defense
    – TCP fragment flood attack defense
    – TCP connection flood attack defense
  - UDP defense
    – UDP flood attack defense
    – UDP fragment flood attack defense
  - ICMP flood attack defense
  - DNS packet attack defense
    – DNS request flood attack defense
    – DNS reply flood attack defense
    – DNS cache poisoning attack defense
    – DNS hijacking attack defense
    – DNS reflection attack defense
    – DNS unknown domain name request defense
    – DNS packet validity check
    – Rate limiting on DNS packets based on the domain name and source IP address
    – DNS cache
    – DNS top N statistics
    – DNS detailed statistics
  - HTTP flood attack defense
    – HTTP source authentication
    – URI behavior monitoring
    – Host filtering
  - HTTPS flood attack defense
  - SIP flood attack defense

Default defense
  Source IP address-based defense: TCP packet attack defense

Packet capture: Packet capture falls into the following types:
- ACL-based packet capture
- Global packet capture
- Zone-based packet capture of anomalies
- Zone-based packet capture of attacks

5.2.2 Performance Specifications

If the Anti-DDoS device houses only SPUs and no other type of board, the performance specifications of the integrated device are as follows:


Table 5-6 Performance specifications of the Anti-DDoS device of each model

Item: AntiDDoS8030 / AntiDDoS8080 / AntiDDoS8160
Maximum throughput of each SPU: 20 Gbit/s (all models)
Maximum throughput of each LPU: 40 Gbit/s (all models)
Maximum-throughput configuration of the integrated device: 1 x LPU + 2 x SPU / 3 x LPU + 5 x SPU / 6 x LPU + 10 x SPU
Maximum throughput of the integrated device: 40 Gbit/s / 100 Gbit/s / 200 Gbit/s
Number of concurrent connections: 16,000,000 (8,000,000 x 2) / 40,000,000 (8,000,000 x 5) / 80,000,000 (8,000,000 x 10)
Number of new connections per second: 1,000,000 (500,000 x 2) / 2,500,000 (500,000 x 5) / 5,000,000 (500,000 x 10)
Maximum number of ACL rules: 128,000 (all models)
Mean time between failures: 25 years (all models)

5.2.3 Environment Requirements

Table 5-7 Environment requirements

Altitude: ≤ 2000 m (long-term operating temperature: 0°C to 45°C)
Atmospheric pressure: 70 kPa to 106 kPa
Operating temperature: long term 0°C to 45°C; short term –5°C to +55°C
Storage temperature: –40°C to +70°C
Relative humidity (operating and storage): long term 10% RH to 90% RH, non-condensing; short term 5% RH to 95% RH, non-condensing

5.2.4 Compliant Standards and Protocols

Table 5-8 Compliant standards (Standard: Content)

ETS 300 386: Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; Electromagnetic Compatibility (EMC) requirements
IEC 62151: Safety of equipment electrically connected to a telecommunication network
IEEE 802.1d: MAC bridges
IEEE 802.1p: Traffic Class Expediting and Dynamic Multicast Filtering
IEEE 802.1q: Virtual Bridged Local Area Networks
IEEE 802.3u: Definition of Fast Ethernet (100BTX, 100BT4, 100BFX)
IEEE 802.3z: Definition of Gigabit Ethernet (over Fibre)
ITU-T G.652: Characteristics of a single-mode optical fibre and cable
RFC0768: User datagram protocol (UDP)
RFC0791: Internet protocol (IP)
RFC0792: Internet Control Message Protocol (ICMP)
RFC0793: Transport Control Protocol (TCP)
RFC0854: Telnet
RFC0894: Technical specification for network access server
RFC1157: Simple Network Management Protocol (SNMP)
RFC1213: Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1229: Extensions to the generic-interface MIB
RFC1661: Point-to-point links (PPP)
RFC1757: Remote network monitoring management information base
RFC2865: Remote authentication dial in user service (RADIUS)
RFC2869: RADIUS extensions
RFC2903: Generic AAA architecture
RFC2904: AAA authorization framework
RFC2906: AAA authorization requirements
RFC1492: An access control protocol, sometimes called TACACS
RFC2401: Security architecture for the Internet protocol
RFC2405: The ESP DES-CBC cipher algorithm with explicit IV
RFC2407: The Internet IP security domain of interpretation for ISAKMP
RFC2408: Internet security association and key management protocol (ISAKMP)
RFC2578: Structure of management information version 2 (SMIv2)
RFC2579: Textual conventions for SMIv2
RFC2580: Conformance statements for SMIv2
RFC1157: SNMP
RFC1155: Structure and identification of management information for TCP/IP-based Internets
RFC1213: Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1212: Concise MIB definitions
RFC1901: Introduction to community-based SNMPv2
RFC1035: NTPv3 specification
RFC854: Telnet protocol specification
RFC857: Telnet echo option
RFC858: Telnet "Suppress Go Ahead" option
RFC1091: Telnet terminal type option
RFC4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC4251: The Secure Shell (SSH) Protocol Architecture
RFC4252: The Secure Shell (SSH) Authentication Protocol
RFC4253: The Secure Shell (SSH) Transport Layer Protocol
RFC4254: The Secure Shell (SSH) Connection Protocol
RFC4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
RFC4256: Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
RFC4335: The Secure Shell (SSH) Session Channel Break Extension
RFC4344: The Secure Shell (SSH) Transport Layer Encryption Modes
RFC4419: Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
RFC4462: Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC1350: TFTPv2
RFC959: FTP
RFC1945: Hypertext Transfer Protocol -- HTTP/1.0
RFC2145: Use and Interpretation of HTTP Version Numbers
RFC2616: Hypertext Transfer Protocol -- HTTP/1.1
RFC2617: HTTP Authentication: Basic and Digest Access Authentication
RFC2774: An HTTP Extension Framework
RFC2965: HTTP State Management Mechanism
RFC2792: DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System
RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
RFC1034: Domain names - concepts and facilities
RFC1035: Domain names - implementation and specification
RFC2543: SIP: Session Initiation Protocol
RFC2818: HTTP Over TLS

5.3 ATIC Management Center

Table 5-9 lists the functions and features of the ATIC management center, and Table 5-10 lists those of anti-DDoS services.


Table 5-9 Functions and features of the ATIC management center (Feature: Description)

NE Management
- Automatically discovers NEs and synchronizes NE data in batches.
- Manages NEs using SNMP, Telnet, or STelnet.
- Configures firewalls through the embedded Web UI.

Performance Management
- Supports batch configuration of the performance specifications on NEs, boards, and interfaces according to the granularity of the collecting rules. It can also specify the collection cycle for each performance specification.
- Generates alarms according to the threshold configured for each performance specification and sends them to the integrated alarm management system, where users can handle them.
- Customizes performance specifications.
- Generates performance reports for NEs, boards, interfaces, and multi-CPU devices.

Alarm Management
- Provides a monitoring page for users to monitor alarms round the clock. Supports alarm notification by sound, text message, and email.
- Generates NE alarms, performance threshold alarms, and DDoS alarms.
- Supports alarm operations such as alarm confirmation, cancellation of alarm confirmation, manual deletion, and automatic deletion.
- Masks alarms that need no handling, according to learned experience.
- Merges repeatedly reported alarms.
- Queries historical alarms.

System Management
- Supports user rights management, permission/domain-specific management, and forcible logout of users.
- Supports monitoring of system services.
- Queries and exports operating logs of the system.
- Dumps alarms and operating logs to improve the performance of the managed NEs.
- Maintains anti-DDoS data.


Table 5-10 Functions and features of anti-DDoS services (Feature: Description)

Zone: Zones include the following types:
- User-Defined Zones
- Default Zones
- Zones Synchronized from the SIG

Traffic diversion: Traffic diversion falls into three modes:
- Automatic traffic diversion
- Manual traffic diversion
- Static traffic diversion

Defense mode: Defense modes include the following types:
- Automatic
- Manual

Blacklist: The blacklist is classified into two types:
- Static blacklist
- Dynamic blacklist

Whitelist: The whitelist is classified into two types:
- Static whitelist
- Dynamic whitelist

Basic attack defense: Defense against malformed packet attacks and scanning and sniffing attacks, including Fraggle, ICMP redirection packet, ICMP unreachable packet, WinNuke, Land, Ping of Death, IP route record option, Smurf, IP source route option, TCP flag bit, Tear Drop, large ICMP packet, IP timestamp option, tracert, and large UDP packet.

Zone-based defense
  Network segment-based defense: Network segment-based defense falls into the following types:
  - SYN flood attack defense
  - ACK flood attack defense
  - DNS request flood attack defense
  - DNS reply flood attack defense
  - TCP ratio attack defense
  Service-based defense: Service-based defense falls into the following types:
  - TCP defense
    – SYN flood attack defense
    – SYN-ACK flood attack defense
    – ACK flood attack defense
    – FIN/RST flood attack defense
    – TCP fragment attack defense
    – TCP connection flood attack defense
  - UDP defense
    – UDP flood attack defense
    – UDP fragment attack defense
  - ICMP defense
  - DNS defense
    – DNS request flood attack defense
    – DNS reply flood attack defense
    – DNS cache poisoning attack defense
    – Reflection attack defense
    – Detection of requests for unknown domains
    – Packet format check
    – Rate limiting on DNS packets based on the domain name and source IP address
    – DNS cache
    – DNS top N statistics
    – DNS detailed statistics
  - HTTP flood
    – HTTP source authentication defense
    – Destination IP-based URI behavior monitoring
    – Host filtering
  - HTTPS flood
  - SIP flood

Default Policy: Zone-based defense

Packet Capture: Packet capture falls into the following types:
- ACL-based packet capture
- Global defense packet capture
- Zone anomaly-based packet capture
- Zone attacked packet capture
Captured files are processed as follows:
- View Event
- Trace Source
- Parse Packet
- Extract Fingerprint

Report
  Traffic Analysis:
  - Data Overview
  - Traffic Comparison
  - Top N Zones by Traffic
  - Protocol Traffic Distribution
  - Number of TCP Connections
  - Board Traffic
  Anomaly/Attack Analysis:
  - Data Overview
  - Top N Zones by Anomaly/Attack
  - Top N Attacks
  - Anomaly/Attack Type Distribution
  - Packet Discarding Trend
  - Anomaly/Attack Details
  DNS Analysis:
  - Data Overview
  - Request Top N Trend
  - Cache Request Trend
  - Request Category Trend
  - Successful Resolution Ratio
  - Anomaly Packet Analysis
  - Malicious Domains Log
  - Malicious Domains Top N by Access Counts
  Botnets/Trojan Horses/Worms Analysis:
  - Botnets/Trojan Horses/Worms Log
  - Botnets/Trojan Horses/Worms Top N
  System Report: Various reports generated for the NE.
  Zone Report: Various reports generated for a Zone.
  Scheduled Task: The system periodically generates reports and sends them to the specified email box.
  Report Download: You can view and download reports generated by scheduled tasks.
