Huawei AntiDDoS8000 DDoS Protection System

Terabit-level Capacity, Second-level Response, Precise Protection, Value-added Operation

As the Internet and IoT thrive, DDoS attacks are developing new characteristics:

• Attacks are increasing in both frequency and traffic volume, with peak attack traffic up to 1.7 Tbit/s in 2018.
• Reflection amplification attacks spread across the world, congesting links.
• Low-rate application-layer attacks precisely target service systems like e-finance or gaming.

Reflection amplification and low-rate application-layer attacks are gaining momentum, and layered defense has become the first choice in anti-DDoS. Huawei AntiDDoS8000 employs big data analysis to conduct modeling for 60+ types of traffic, offering Terabit-level protection, second-level response, and comprehensive defense against 100+ types of attacks. It works with the Huawei cloud cleaning center to deliver layered cleaning, providing full-fledged protection that covers network link bandwidths and online services.

Product Appearances

AntiDDoS8030, AntiDDoS8080, AntiDDoS8160

Solution Function

Defense against high-volume DDoS attacks

• Multi-core distributed architecture and big data-based intelligent protection engine to offer Terabit-level protection performance.
• Second-level attack response to rapidly block attack traffic.

Defense against application-layer DDoS attacks

• Collection of all traffic, Layer 3~7 per-packet analysis, and modeling for 60+ types of network traffic to provide the most precise and comprehensive attack detection.
• All-round reputation system of local session behavior reputation, location reputation, and Botnet IP reputation to precisely defend against application-layer DDoS attacks launched from Botnets, reducing false positives and improving user experience.
• Comprehensive defense against 100+ types of attacks to protect key service systems, such as Web, DNS, DHCP, and VoIP.

Anti-DDoS operation

• Tenant-specific automatic and manual defense policies for comprehensive protection.
• Tenant-specific report statistics and report sending via email to simplify management.
• Differentiated operation for 100,000 tenants.

Dual-stack (IPv4/IPv6) DDoS attack defense

• Defense against dual-stack (IPv4/IPv6) DDoS attacks.

On-premise + Cloud layered anti-DDoS

• The on-premise device is online in real time to protect user services.
• When a link is congested, the on-premise device can automatically send cloud signals to start cloud cleaning and protect user links.
• 2 Tbps+ cloud mitigation capacity. 10+ cloud scrubbing centers with global scheduling. Minute-level defense response.

Typical Scenarios

Scenario 1: MAN Attack Defense

A metropolitan area network (MAN) provides a platform on which comprehensive services of a city are transmitted. MANs often apply to large and medium-sized cities. The MANs provide common and public network architecture and allow data, voice, images, and videos to be effectively transmitted at high speeds, meeting changeable Internet application requirements.

[Figure: network diagram for Scenario 1. Labels: Botnet, Legitimate PC, Backbone Network, Regional Network, Router1, Router2, Switch, Netflow, Cleaning device, ATIC Management center, Attacked target. Legend: legitimate traffic, attack traffic, Netflow traffic, management traffic.]

On the network shown in the above figure, a netflow detection device collects the logs from routers in real time to determine whether the traffic in the network is abnormal. When traffic is abnormal, the cleaning device is notified to start the cleaning. The cleaning device is attached to the core router Router1 to clean traffic destined for the Zone. After cleaning traffic, the cleaning device injects normal traffic back to the original link in MPLS LSP injection mode. Router2 then forwards the traffic to the Zone.

The cleaning device is directly connected to Router1 through only one interface. Traffic is diverted to the cleaning device through the main interface and injected back through a sub-interface. The traffic can also be injected back through another interface if there are enough interfaces.

Scenario 2: Data Center Protection and Managed Security Service

An Internet Data Center (IDC) is a part of basic network resources. It provides large-scale, high-quality, secure, and reliable data transmission services and high-speed access services for Internet content providers, enterprises, media, and all types of websites. The IDC provides DNS servers, Web servers, game servers, and other services.

In recent years, more and more Internet-initiated DDoS attacks target IDCs. As a result, important servers are attacked; data center link bandwidth is occupied; videos and games are compromised by application-layer attacks.

[Figure: network diagram for Scenario 2. Labels: Botnet, Normal network, Optical splitter, Detecting device, Cleaning device, ATIC management center, DC Internet access area, Switch, Router1, Router2, Firewall, Core switch, gameZone, dnsZone, webZone, Game server, Web server, DNS server, Attack Target. Legend: normal traffic, attack traffic, split traffic, management traffic.]

On the network shown in the above figure, a cleaning device is attached to the core routers Router1 and Router2 to detect and clean the traffic destined for the Zone. The traffic must be diverted to the cleaning device using BGP in real time. After traffic is cleaned, normal traffic is injected back to the original link through PBR and finally forwarded to the Zone.

The ATIC management center supports managed security service. It can be configured with customized defense policies based on the tenant's service features. When an attack happens, the ATIC management center can initiate automatic protection and send alarm information by email or other methods. Data center operators can design business models based on tenants and expand business revenue.

Specifications

DDoS Defense Specifications

Defense against the following protocol anomaly attacks:
• Land, Fraggle, Smurf, WinNuke, Ping of Death, Teardrop, and TCP error flag attacks

DNS application protection against the following attacks:
• DNS query flood, DNS reply flood, and DNS spoofing
• Source rate limiting and domain name rate limiting

Defense against the following network attacks:
• SYN flood, ACK flood, FIN flood, RST flood, TCP fragment flood, UDP flood, UDP fragment flood, IP flood, ICMP flood, TCP connection flood, sockstress, TCP retransmission, and TCP empty connection attacks

SIP application protection against the following attacks:
• SIP flood and SIP method flood attacks, including register flood, deregistration flood, authentication flood, and call flood attacks
• Source rate limiting

Defense against the following UDP-based reflection and amplification attacks:
• NTP, DNS, SSDP, Chargen, TFTP, SNMP, NetBIOS, QOTD, Quake Network Protocol, Portmapper, Microsoft SQL Resolution Service, RIPv1, and Steam Protocol reflection and amplification attacks

Filters:
• IP, TCP, UDP, ICMP, DNS, SIP, and HTTP packet filters

Location-based filtering:
• Traffic is blocked or limited based on the location of the source IP address.

Attack signature databases:
• RUDY, slowhttptest, slowloris, LOIC, AnonCannon, RefRef, ApacheKill, and ApacheBench attack signature databases, which are updated automatically each week

Web application protection against the following attacks:
• HTTP Get flood, HTTP Post flood, HTTP slow header, HTTP slow post, HTTPS flood, SSL (renegotiation) DoS/DDoS, WordPress amplification, RUDY, and LOIC attacks
• Packet validity check

IP reputation:
• Most active zombies are tracked, and the IP reputation database is updated automatically on a daily basis to block attacks fast.
• Local reputation records are automatically learned.
• The learning of local access IP reputations creates dynamic IP reputation records based on local service sessions, helping to forward service access traffic quickly and enhance user experience.

Management and Report

Management functions:
• Account management and permission allocation
• Defense policy configuration and reports based on Zones (tenants), at a scale of up to 100,000 Zones
• Device performance monitoring
• Source tracing and fingerprint extraction by capturing packets
• Email, short message, and audio alarms
• Log dumping
• Dynamic baseline learning
• Policy interworking and log interworking APIs

Report functions:
• Traffic comparison before and after cleaning
• Top N traffic statistics
• Application-layer traffic comparison and distribution
• Protocol distribution
• Traffic statistics based on the source location
• Attack event details
• Top N attack events (by duration or number of packets)
• Distribution of attacks by category
• Attack traffic trends
• DNS resolution success ratio
• Top N traffic statistics for the application layer (by source IP address, HTTP URI, HTTP HOST, and domain name)
• Downloading of reports in HTML, PDF, or Excel format
• Report pushing via email

• Generation of daily, weekly, monthly, and yearly reports
• Self-service portal for tenants
• Creation, deletion, updating, and viewing of Zones, and addition and deletion of protected IP addresses
• Creation and deletion of traffic diversion policies
• Creation and deletion of blackhole routes
• Traffic and attack logs for each IP address
• Sending of logs in syslog format

Traffic Diversion and Injection

Traffic diversion:
• Manual traffic diversion and automatic PBR- or BGP-based traffic diversion

Traffic injection:
• Static route, MPLS VPN, MPLS LSP, GRE tunnel, Layer 2, and PBR-based injection

Hardware Specifications

Interfaces and performance

| Model | AntiDDoS8030 | AntiDDoS8080 | AntiDDoS8160 |
| --- | --- | --- | --- |
| Throughput | Up to 120 Gbps | Up to 960 Gbps | Up to 1920 Gbps |
| Throughput/slot | Up to 120 Gbps | Up to 240 Gbps | Up to 240 Gbps |
| Mitigation rate/slot | Up to 60 Mpps | Up to 60 Mpps | Up to 60 Mpps |
| Latency | 80 μs | 80 μs | 80 μs |
| Expansion slot | 3 | 8 | 16 |
| Expansion interface board | FW-LPUF-120, with two sub-slots | FW-LPUF-120, with two sub-slots; FW-LPUF-240, with two sub-slots | FW-LPUF-120, with two sub-slots; FW-LPUF-240, with two sub-slots |

Expansion card:
• 24 × GE (SFP)
• 5 × 10GE (SFP+)
• 6 × 10GE (SFP+)
• 12 × 10GE (SFP+)
• 1 × 40GE (CFP)
• 1 × 100GE (CFP)
• 3 × 40GE (QSFP+)

Dimensions

| Model | AntiDDoS8030 | AntiDDoS8080 | AntiDDoS8160 |
| --- | --- | --- | --- |
| Dimensions (W × D × H) | DC: 442 mm × 650 mm × 175 mm (4U); AC: 442 mm × 650 mm × 220 mm (5U) | 442 mm × 650 mm × 620 mm (14U) | 442 mm × 650 mm × 1420 mm (32U) |

| Model | AntiDDoS8030 | AntiDDoS8080 | AntiDDoS8160 |
| --- | --- | --- | --- |
| Weight | DC: 15 kg (empty) or 30.7 kg (fully configured); AC: 25 kg (empty) or 40.7 kg (fully configured) | 43.2 kg (empty) or 112.9 kg (fully configured) | 94.4 kg (empty) or 233.9 kg (fully configured) |

Power and Environment

| Model | AntiDDoS8030 | AntiDDoS8080 | AntiDDoS8160 |
| --- | --- | --- | --- |
| Power supply: rated input voltage | DC: -48 V; AC: 175 V to 264 V; 50/60 Hz | DC: -48 V; AC: 175 V to 264 V; 50/60 Hz | DC: -48 V; AC: 175 V to 264 V; 50/60 Hz |
| Power supply: maximum input voltage range | DC: -72 V to -38 V; AC: 90 V to 264 V; 50/60 Hz | DC: -72 V to -38 V; AC: 90 V to 264 V; 50/60 Hz | DC: -72 V to -38 V; AC: 90 V to 264 V; 50/60 Hz |
| Power consumption: configuration | 1 × FW-LPUF-120 + 2 × ADS-SPUC-B + 2 × ADS-SPC-80-01 | 3 × FW-LPUF-240 + 5 × ADS-SPUD-B + 10 × ADS-SPC-80-01 | 6 × FW-LPUF-240 + 9 × ADS-SPUD-B + 18 × ADS-SPC-80-01 |
| Power consumption: DC | 1066 W (avg), 1272 W (max) | 4025 W (avg), 4823 W (max) | 7387 W (avg), 8930 W (max) |
| Power consumption: AC | 1185 W (avg), 1414 W (max) | 4282 W (avg), 5132 W (max) | 7858 W (avg), 9500 W (max) |
| Power redundancy | DC: Double hot-swappable power modules; AC: Double hot-swappable power modules | DC: 4 hot-swappable PEM modules; AC: 4 PEM modules + 1 external AC power chassis | DC: 8 hot-swappable PEM modules; AC: 8 PEM modules + 2 external AC power chassis |

Operating temperature: 0°C to 45°C (long-term), -5°C to 50°C (short-term)
Storage temperature: -40°C to 70°C
Operating humidity: 5% RH to 85% RH, non-condensing (long-term), 5% RH to 95% RH, non-condensing (short-term)
Storage humidity: 0% RH to 95% RH

Certifications

Security certifications / Electromagnetic compatibility (EMC): CB, RoHS, FCC, MET, C-Tick, and VCCI

Order Information

| Category | Model | Description |
| --- | --- | --- |
| Main Equipment | ADS8030-BASE-DC-01 | AntiDDoS8030 DC Basic Configuration (include X3 DC Chassis, 2*MPU) |
| Main Equipment | ADS8030-BASE-AC-01 | AntiDDoS8030 AC Basic Configuration (include X3 AC Chassis, 2*MPU) |
| Main Equipment | ADS8080-BASE-DC-01 | AntiDDoS8080 200G DC Basic Configuration (include X8 DC Chassis, 2*SRU200A, 1*SFU200C) |
| Main Equipment | ADS8160-BASE-DC-01 | AntiDDoS8160 200G DC Basic Configuration (include X16 DC Chassis, 2*MPU, 4*SFU200B) |
| Service Processing Card Module | ADS-SPUC-B | AntiDDoS8030 Service Processing Unit (Base Board) |
| Service Processing Card Module | ADS-SPUD-B | AntiDDoS8080 & AntiDDoS8160 Service Processing Unit (Base Board) |
| Service Processing Card Module | ADS-SPC-40-00 | DDoS Protection Service Card (with 1 CPU) |
| Service Processing Card Module | ADS-SPC-80-00 | DDoS Protection Service Card (with 2 CPUs) |
| Service Processing Card Module | ADS-SPC-60-00 | DDoS Protection Service Card IV (with 1 CPU) |
| Service Processing Card Module | ADS-SPC-120-00 | DDoS Protection Service Card V (with 2 CPU) |
| Line Processing Card Module | FW-LPUF-120 | 120G Line Processing Unit |
| Line Processing Card Module | FW-LPUF-240 | 240G Line Processing Unit |
| Line Processing Card Module | FW-6X10G-SFP+ | 6*10GE SFP+ Daughter Card |
| Line Processing Card Module | FW-1X100G-CFP | 1*100GE CFP Daughter Card |
| Line Processing Card Module | FW-12X10G-SFP+ | 12*10GE SFP+ Daughter Card |
| Line Processing Card Module | FW-3X40G-QSFP+ | 3-Port 40GBase-QSFP+ Flexible Card |
| Line Processing Card Module | E8KE-X-101-5X10GE-SFP+ | 5-Port 10GBase LAN/WAN-SFP+ Flexible Card A (P101, 1/2 wide, Occupy two sub-slots) |
| Line Processing Card Module | E8KE-X-101-24XGE-SFP | 24-Port 100/1000Base-X-SFP Flexible Card (P101, 1/2 wide, Occupy two sub-slots) |
| Line Processing Card Module | E8KE-X-101-1X40GE-CFP | 1-Port 40GBase LAN CFP Flexible Card (P101, 1/2 wide, Occupy two sub-slots) |
| Management Software | LIC-ADS-NOFA00 | ATIC Basic Feature Summary |

About This Publication

This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.

Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved.