
HUAWEI Secospace Anti-DDoS Solution V100R001

Solution Description
Issue: 04    Date: 2013-04-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
[Huawei logo] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 04 (2013-04-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.


About This Document


Related Versions
The related product versions of this document are as follows:

Product Name             Product Version
AntiDDoS8000             V100R001
AntiDDoS1000             V100R001
ATIC Management Center   V200R001

Intended Audience
This document presents a solution consisting of the Anti-DDoS device and the Abnormal Traffic Inspection and Control (ATIC) management center, and describes the working principle, system planning, installation, configuration, and maintenance of the ATIC solution. This document is intended for:
- Technical support engineers
- Maintenance engineers
- Network engineers
- Network administrators
- Network maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the main text.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention         Description
Boldface           The keywords of a command line are in boldface.
Italic             Command arguments are in italics.
[ ]                Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>             The parameter before the & sign can be repeated 1 to n times.
#                  A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.

Convention   Description
Boldface     Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>            Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.


Contents
About This Document
1 Solution Positioning and Features
1.1 Solution Positioning and Components
1.2 Features
2 Application Example
2.1 MAN Defense Solution
2.2 IDC Defense Solution
2.3 Defense Solution for Enterprise Networks
2.4 Defense Solution for Financial Organizations
2.5 DNS Defense Solution
3 Products in the Solution
3.1 AntiDDoS1000
3.1.1 Appearance of the AntiDDoS1000
3.1.2 Device Parameters
3.1.3 Fixed Interface and Interface Cards
3.2 AntiDDoS8000
3.2.1 Product Appearance
3.2.2 Device Parameters
3.2.3 Board
3.3 ATIC Management Center
3.3.1 Basic Components
3.3.2 Software and Hardware Planning in Centralized Mode
3.3.3 Software and Hardware Planning in Distributed Mode
4 Functions and Features
4.1 Zone
4.2 Traffic Diversion
4.3 Zone Protection
4.3.1 Defense Mode
4.3.2 Traffic Model Learning
4.3.3 Defense Policy
4.4 Packet Capture, Analysis and Report
5 Technical Specifications
5.1 AntiDDoS1000
5.1.1 Functions and Features
5.1.2 Performance Specifications
5.1.3 Environment Requirements
5.1.4 Standard and Protocol Compliance
5.2 AntiDDoS8000
5.2.1 Functions and Features
5.2.2 Performance Specifications
5.2.3 Environment Requirements
5.2.4 Compliant Standards and Protocols
5.3 ATIC Management Center

1 Solution Positioning and Features

About This Chapter

1.1 Solution Positioning and Components
1.2 Features

1.1 Solution Positioning and Components


The abnormal traffic cleaning solution is an industry-leading dedicated anti-DDoS solution launched by Huawei for carrier and non-carrier markets to defend against DDoS attacks. It keeps online services available to the greatest extent possible and ensures service continuity.

System Components
The abnormal traffic cleaning solution comprises the Huawei-proprietary Anti-DDoS device (including the detecting center and the cleaning center) and the ATIC management center.

- Detecting center
  Consists of one or multiple detecting devices. It detects network traffic.
  - Collects statistics on and analyzes all traffic, and reports traffic logs to the ATIC management center.
  - Compares the detected traffic volume with the pre-configured defense policy. Once the traffic volume hits the threshold, the detecting center immediately notifies the ATIC management center, which delivers a traffic-diversion task to the cleaning center.
  - Supports ACL-based packet capture and abnormal event-based packet capture, providing essential evidence for analyzing unknown traffic. For details on packet capture, see 4.4 Packet Capture, Analysis and Report.
- Cleaning center
  Consists of one or multiple cleaning devices. It cleans abnormal traffic and also provides detecting functions, such as traffic statistics and analysis.
  - Provides multiple defense policies to clean and discard abnormal traffic and forward legitimate traffic. Meanwhile, it logs attack behaviors and reports them to the ATIC management center. For details on defense policies, see 4.3.3 Defense Policy.
  - Supports traffic diversion and injection. When an anomaly occurs, the cleaning center receives the traffic-diversion policy delivered by the ATIC management center and advertises a route to divert the traffic for cleaning. After that, the cleaning center injects legitimate traffic back into the original link. For details on traffic diversion and injection, see 4.2 Traffic Diversion.
  - Supports ACL-based packet capture, global packet capture, and Zone-based packet capture of attacks and anomalies, providing essential evidence for analyzing unknown traffic. For details on packet capture, see 4.4 Packet Capture, Analysis and Report.
- ATIC management center
  Serves as the backbone of the solution and consists of the VSM system.
  - Performs unified management over the cleaning center and detecting center. Configures and manages the detecting center and cleaning center in an interworking manner, and supports decentralized and region-based management. Through the ATIC management center, the administrator delivers defense policies and tasks to the cleaning center and detecting center.
  - Learns traffic models based on the traffic statistics reported by the detecting center during the customized learning period, to dynamically create an abnormal traffic baseline. For details on traffic models, see 4.3.2 Traffic Model Learning.
  - Provides report display, attack source tracing, packet parsing, and fingerprint extraction.

The abnormal traffic cleaning solution supports extensive deployments. The off-line deployment is used as an example to describe how abnormal traffic is processed. As shown in Figure 1-1, to protect downstream users, the ATIC system defends against traffic from the Internet in the following steps:
1. The administrator configures a defense policy in the ATIC management center and delivers the policy to the detecting center and cleaning center.
2. Traffic from the Internet is mirrored or split to the detecting center. The detecting center collects statistics on the traffic, compares it against the policy, and reports exception logs to the ATIC management center when anomalies occur.
3. After receiving exception logs, the ATIC management center delivers a traffic-diversion policy to the cleaning center. With the traffic-diversion route advertised, abnormal traffic is diverted from Router1 to the cleaning center.
4. The cleaning center cleans traffic based on the policy. After cleaning is complete, the cleaning center discards abnormal traffic and injects legitimate traffic back into the original link.
5. After the attack terminates, the ATIC management center delivers the task of canceling traffic diversion to the cleaning device. Traffic is then forwarded directly by Router1 again.
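The five steps above, as an added simulation that is not part of Huawei's documentation or software: a detecting center raises an exception log when a Zone's traffic exceeds the policy threshold, the ATIC management center delivers divert and cancel-diversion tasks, and the cleaning center advertises the diversion route, rate-limits the diverted traffic and logs the dropped share. The Zone prefix, the threshold values, the "forward up to the threshold, drop the excess" cleaning rule and the hold-down of two normal intervals before cancellation are assumptions.

```python
# Added example, not Huawei's code: simulates the off-line detect -> divert ->
# clean -> inject -> cancel workflow described above. The Zone prefix, the
# thresholds, the hold-down counter and the "forward up to the threshold, drop
# the excess" cleaning rule are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DefensePolicy:
    zone: str            # protected Zone (assumed: a destination prefix)
    threshold_pps: int   # packets/s above which traffic is reported as abnormal
    hold_intervals: int  # normal intervals required before diversion is cancelled


@dataclass
class Sample:
    t: int      # sampling interval index
    zone: str
    pps: int    # observed packets/s towards the Zone


class CleaningCenter:
    """Receives diversion tasks, advertises or withdraws the diversion route,
    and cleans the traffic that the route pulls in."""
    def __init__(self, policies: Dict[str, DefensePolicy]):
        self.policies = policies
        self.advertised_routes: set = set()
        self.attack_log: List[dict] = []
    def divert(self, zone: str) -> None:
        self.advertised_routes.add(zone)      # Router1 now sends Zone traffic here
    def cancel_diversion(self, zone: str) -> None:
        self.advertised_routes.discard(zone)  # Router1 forwards directly again
    def clean(self, s: Sample) -> Tuple[int, int]:
        """Return (injected_pps, dropped_pps) for one interval of diverted traffic."""
        limit = self.policies[s.zone].threshold_pps
        injected = min(s.pps, limit)          # legitimate share injected to the link
        dropped = s.pps - injected            # abnormal share discarded and logged
        if dropped:
            self.attack_log.append({"t": s.t, "zone": s.zone, "dropped_pps": dropped})
        return injected, dropped


class DetectingCenter:
    """Inspects mirrored/split traffic and compares it with the policy threshold."""
    def __init__(self, policies: Dict[str, DefensePolicy]):
        self.policies = policies
    def inspect(self, s: Sample) -> Optional[dict]:
        threshold = self.policies[s.zone].threshold_pps
        if s.pps > threshold:                 # exception log sent to the ATIC center
            return {"t": s.t, "zone": s.zone, "pps": s.pps, "threshold": threshold}
        return None


class ATICManagementCenter:
    """Turns exception logs into diversion tasks and cancels diversion only after
    the Zone has stayed normal for hold_intervals samples (no route flapping)."""
    def __init__(self, policies: Dict[str, DefensePolicy], cleaning: CleaningCenter):
        self.policies = policies
        self.cleaning = cleaning
        self.normal_streak: Dict[str, int] = {}
        self.tasks: List[str] = []
    def handle(self, s: Sample, exception_log: Optional[dict]) -> None:
        zone = s.zone
        if exception_log is not None:
            self.normal_streak[zone] = 0
            if zone not in self.cleaning.advertised_routes:
                self.cleaning.divert(zone)
                self.tasks.append(f"t={s.t} divert {zone}")
        elif zone in self.cleaning.advertised_routes:
            self.normal_streak[zone] = self.normal_streak.get(zone, 0) + 1
            if self.normal_streak[zone] >= self.policies[zone].hold_intervals:
                self.cleaning.cancel_diversion(zone)
                self.tasks.append(f"t={s.t} cancel-diversion {zone}")


def run(samples: List[Sample], policies: Dict[str, DefensePolicy]) -> dict:
    cleaning = CleaningCenter(policies)
    detecting = DetectingCenter(policies)
    atic = ATICManagementCenter(policies, cleaning)
    delivered: List[Tuple[int, str, int]] = []   # (t, path, pps reaching the Zone)
    for s in samples:
        log = detecting.inspect(s)                # step 2: statistics and comparison
        atic.handle(s, log)                       # steps 3 and 5: divert / cancel tasks
        if s.zone in cleaning.advertised_routes:
            injected, _ = cleaning.clean(s)       # step 4: clean, then inject
            delivered.append((s.t, "cleaning-center", injected))
        else:
            delivered.append((s.t, "router1-direct", s.pps))   # no diversion active
    return {"tasks": atic.tasks, "delivered": delivered, "attack_log": cleaning.attack_log}


# Constructed input: a flood towards one Zone during intervals 3 and 4.
ZONE = "198.51.100.0/24"
POLICIES = {ZONE: DefensePolicy(ZONE, threshold_pps=1000, hold_intervals=2)}
SAMPLES = [Sample(t, ZONE, pps)
           for t, pps in enumerate([100, 120, 5000, 8000, 200, 150, 130], start=1)]
RESULT = run(SAMPLES, POLICIES)   # RESULT["tasks"] lists the divert/cancel tasks
```

The hold-down in ATICManagementCenter matters in practice: cancelling the diversion route on the first quiet interval would make the route flap on a bursty attack.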

Figure 1-1 Abnormal traffic cleaning solution (figure: ATIC system consisting of the detecting center, cleaning center, and management center; optical splitter; Router1 and Router2; intranet. Legend: mirrored/optically split traffic, pre-cleaning traffic, post-cleaning traffic, log and packet-capture traffic, management traffic)

By performance, the Anti-DDoS device is categorized into the high-end AntiDDoS8000 series and the mid-range AntiDDoS1000 series.


AntiDDoS8000 Series
The AntiDDoS8000 series is classified into the following models:
- AntiDDoS8030
- AntiDDoS8080
- AntiDDoS8160

The AntiDDoS8000 series has a plug-in design. Both an anti-DDoS detecting SPU and an anti-DDoS cleaning SPU are available:
- The AntiDDoS8000 works as a detecting device when it holds only the detecting SPU.
- The AntiDDoS8000 works as a cleaning device when it holds only the cleaning SPU.
- The AntiDDoS8000 works as an intermixed device when it holds both the cleaning SPU and the detecting SPU.

For the appearance of the AntiDDoS8000 series, see 3.2.1 Product Appearance.

AntiDDoS1000 Series
The AntiDDoS1000 series is classified into the following models:
- AntiDDoS1520
- AntiDDoS1550
- AntiDDoS1500-D

The AntiDDoS1000 series has a centralized design. The AntiDDoS1520 and AntiDDoS1550 act as cleaning devices, and the AntiDDoS1500-D acts as the detecting device. For the appearance of the AntiDDoS1000 series, see 3.1.1 Appearance of the AntiDDoS1000.

ATIC Management Center Components


The ATIC management center uses the easy-to-deploy browser/server (B/S) architecture, so services can be managed and monitored without installing client software. Additionally, the ATIC management center applies to scenarios where multiple detecting and cleaning devices are deployed in dispersed locations but require centralized management. The ATIC management center consists of the following components:
- ATIC server: Manages and configures the Anti-DDoS device in a centralized way, and displays service reports.
- Anti-DDoS collector: Collects, parses, summarizes, and stores the traffic logs, exception logs, and attack logs reported by the Anti-DDoS device, and stores captured packets. You are advised to deploy one anti-DDoS collector for each Anti-DDoS device.

For details on the ATIC management center, see 3.3.1 Basic Components.

1.2 Features

The Anti-DDoS device adds the following features in traffic cleaning and operation, besides its leading operating performance, high availability, and scalability.

- High identification rate
  Seven-layer filtering: The Anti-DDoS device analyzes packets byte by byte and builds a seven-layer filtering architecture consisting of malformed packet filtering, feature-based filtering, forged source-based defense, real source-based behavior detection, session-based defense, behavior analysis, and traffic shaping. This architecture accurately detects attacks, including flood attacks, application-layer attacks, scanning and sniffing attacks, and malformed packet attacks.
  Figure 1-2 Seven-layer filtering (figure: the seven filtering stages in order: malformed packet filtering, feature-based filtering, forged source-based defense, real source-based behavior detection, session-based defense, behavior analysis, traffic shaping; threats handled along the way: protocol stack threats, DoS/DDoS attacks, transport-layer threats, application-layer threats, abnormal connections, low-rate attacks, abrupt traffic; output: legitimate traffic)
  IPv6 security: The defense against IPv4 attacks also applies to IPv6 packets, resolving the security problems of the transition from IPv4 to IPv6.
- Fast response
  Second-level detection: Netflow-based detection requires massive log inspection and analysis, and features long duration and high latency. The Huawei anti-DDoS solution captures attack features in real time, implementing second-level detection.
  Second-level response: Sound session synchronization between the detecting center and the cleaning center leads to optimal cleaning effects as well as fast attack response. The fast response ensures service continuity and optimizes user experience.
- Operability
  Differentiated defense: The anti-DDoS solution offers differentiated defense. The defense policy can be customized based on global traffic volume, Zone requirements, and service types. The solution supports attack event-based evidence collection and source tracing, which helps carriers secure their operation.
  Self-service policy: The solution supports diverse service policies such as defense mode, traffic-diversion mode, defense policy template customization, CAR policy customization, and Zone blacklist/whitelist management.
  Report query: The solution supports report query. Users can query dozens of reports through remote login to track network traffic and trace attack evidence. The reports can be customized and sent to users by email periodically in .xls or .pdf format.
- Easy management
  Graphical User Interface (GUI) management: The solution supports GUI-based configuration, featuring flexibility, easy configuration, and low maintenance cost.
  Flexible evidence collection: The solution supports convenient ACL-based packet capture. With one-click automatic packet capture on attack events, users can collect evidence of attack traffic for audit purposes.
  Easy management: The solution adopts distributed deployment in the foreground and centralized management in the background, which greatly reduces the initial investment and the maintenance cost.

2 Application Example

About This Chapter

2.1 MAN Defense Solution
2.2 IDC Defense Solution
2.3 Defense Solution for Enterprise Networks
2.4 Defense Solution for Financial Organizations
2.5 DNS Defense Solution

2.1 MAN Defense Solution


Heavy traffic floods the MAN and travels along different channels, which poses challenges for carrier operation. Massive attack traffic flows from the backbone network into the MAN, causing bandwidth congestion and poor user experience despite huge investment in bandwidth expansion. Application-layer attack traffic flows into the target server, leading to DoS attacks. To address these problems, Huawei rolls out the "Netflow device + cleaning device" solution. In this solution, the cleaning device delivers 200G performance, defends against hundreds of attacks, and supports 2000 Zones for differentiated defense, management, and reports. Moreover, the solution provides complete IPv6 traffic analysis to meet IPv6 deployment requirements.

Figure 2-1 Interworking between the Netflow device and the cleaning device for MAN defense (figure: legitimate PCs and a botnet on regional networks; backbone network with the Netflow device and the cleaning device; ATIC management center; attacked target. Legend: legitimate traffic, attack traffic, Netflow traffic, management traffic)

As shown in Figure 2-1, the Netflow device is deployed at the network node to collect incoming and outgoing data. The cleaning device is connected to the core router in off-line mode. Static traffic diversion is used for key customers, whereas dynamic traffic diversion is used for common customers. The Netflow device collects, analyzes, and detects traffic. Upon detecting anomalies, the Netflow device interworks with the cleaning device in off-line mode to divert and mitigate traffic.

2.2 IDC Defense Solution


Enterprise services are becoming centralized. As the representative of the centralized mode, the Internet Data Center (IDC) promotes enterprise development but also poses demanding requirements on security. Enterprises suffer great economic losses once the IDC is under attack. The IDC is prone to flood attacks and application-layer attacks because of its heavy bandwidth traffic and extensive service types. However, traditional Gigabit defense solutions deliver simple defense means and unsatisfactory reliability design, so they cannot meet the requirements of 10-Gigabit defense. To meet these requirements, Huawei launches a 10-Gigabit, comprehensive IDC defense solution. This solution filters out DDoS attacks, zombies, Trojan horses, and worms to improve IDC defense capabilities. Moreover, it provides refined defense to protect intranet Web servers against web page tampering and Trojan horse-embedded websites.


Figure 2-2 Cleaning device in static traffic diversion for IDC defense (figure: legitimate networks and a botnet; cleaning device, firewall, ATIC management center; switches for service area A and service area B; entrusted server; attacked target. Legend: legitimate traffic, attack traffic, management traffic)

As shown in Figure 2-2, the cleaning device is deployed at the IDC egress in off-line mode and statically diverts incoming traffic. When attacks occur, the cleaning device cleans traffic in real time. Because of excellent defense delivered by the cleaning device, carriers provide extensive defense capabilities, including DNS authoritative service defense, dedicated Web defense, online gaming defense, and cloud service defense, to secure network environments.

2.3 Defense Solution for Enterprise Networks


With the popularity of network technologies, enterprise networks are widely deployed and are prone to extensive attacks. In addition to defending against hacker attacks, viruses, DDoS attacks, Trojan horses, and malicious programs, enterprise networks require smooth service operation and intranet terminal security. To meet these requirements, Huawei rolls out an all-around defense solution for enterprise networks. The solution provides refined defense against hundreds of attacks. Moreover, it uses its built-in feature scanning engine to defend against Trojan horses and worms.

Figure 2-3 Enterprise network defense with the cleaning device (housing the built-in bypass card) in in-line mode (figure: legitimate networks and a botnet; cleaning device, ATIC management center, firewall; switches for enterprise A and enterprise B; attacked target. Legend: legitimate traffic, attack traffic, management traffic)

As shown in Figure 2-3, the cleaning device is deployed at the ingress of the enterprise network in in-line mode to protect incoming and outgoing traffic. When anomalies occur, the cleaning device housing the built-in bypass card promptly enables attack defense.


2.4 Defense Solution for Financial Organizations


E-banking and credit card centers are exposed to the Internet and are prone to UDP/ICMP composite flood attacks and application-layer attacks (including HTTP flood and HTTPS flood attacks). Severe DDoS attacks may cause huge economic loss. Therefore, financial organizations pose demanding requirements on security and reliability. Catering for such requirements, Huawei unveils the interworking cleaning solution (interworking between the detecting device and the cleaning device) to secure financial organization networks. In this solution, the cleaning device provides defense against various kinds of flood and application-layer attacks to mitigate link congestion and ensure refined service protection.

Figure 2-4 Interworking defense for financial organizations (figure: legitimate networks and a botnet; detecting device, cleaning device, ATIC management center, firewall; switches for the e-banking center and the credit card center; attacked target. Legend: legitimate traffic, attack traffic, split traffic, management traffic)

As shown in Figure 2-4, the cleaning device and detecting device are deployed at network nodes in off-line mode. The detecting device detects mirrored or split traffic. When any anomalies are identified, the cleaning device dynamically diverts traffic, filters out abnormal traffic, and forwards legitimate traffic.

2.5 DNS Defense Solution


The DNS server is a core component of network infrastructure and must be protected against DDoS attacks. Any DDoS attacks on the DNS server may adversely affect regional or nationwide networks.

To protect the DNS cache server, Huawei launches the "cleaning device in in-line mode" solution. This solution provides dedicated defense (against DNS cache poisoning, DNS query flood, and DNS response flood attacks) and a powerful DNS cache to reduce the load on the DNS cache server. To let carriers learn about the status of the DNS cache server in real time, the solution delivers detailed DNS traffic statistics showing the DNS domain name and resource distribution.

Figure 2-5 Cleaning device in in-line mode for DNS cache server defense (figure: legitimate networks and a botnet; cleaning device, ATIC management center, firewall; two switches; DNS server as the attacked target. Legend: legitimate traffic, attack traffic, management traffic)

As shown in Figure 2-5, the cleaning device in in-line mode detects bidirectional traffic in real time, generates the DNS statistical report based on DNS status, and rapidly cleans abrupt DNS traffic. Two in-line deployments are available for the cleaning device:
- Physical in-line mode (the AntiDDoS1000 with the built-in bypass card)
- Logical in-line mode (the AntiDDoS8000 in off-line mode with bidirectional traffic diversion)

3 Products in the Solution

About This Chapter

3.1 AntiDDoS1000
3.2 AntiDDoS8000
3.3 ATIC Management Center

3.1 AntiDDoS1000
3.1.1 Appearance of the AntiDDoS1000
The 1 U AntiDDoS1000 supports FICs.

Chassis Dimensions
The AntiDDoS1000 consists of the integrated chassis and expansion interface cards. The height of the integrated chassis approximates to 1 U and the dimensions (H x W x D) of such chassis are 43.6 mm x 442 mm x 560 mm. The chassis can be installed in a 19-inch standard cabinet.
NOTE: 1 U = 44.45 mm

Front Panel
Figure 3-1 shows the front panel of the AntiDDoS1000.

Figure 3-1 Front panel of the AntiDDoS1000
[Front-panel view; the indicator area carries the SYS, PWR, and TF CARD indicators.]
1. ESD wrist strap socket
2. System reset button
3. Indicator area
4. microSD card slot
5. FIC2
6. FIC
7. GE Combo interfaces
8. 10/100/1000M adaptive electrical Ethernet interfaces
9. Management interface
10. Console port
11. USB 2.0 interfaces

NOTE: The AntiDDoS1000 does not support the microSD card slot numbered 4 in Figure 3-1.

Rear Panel
Figure 3-2 and Figure 3-3 show the rear panels of the AntiDDoS1000.

Figure 3-2 Rear panel of the AntiDDoS1000 DC
[Rear-panel view of the DC model.]

Figure 3-3 Rear panel of the AntiDDoS1000 AC
[Rear-panel view of the AC model.]
1. Grounding terminal
2. Power indicator
3. Power switch
4. AC power cable clip jack
5. Power socket
6. Fan frame

Components
The AntiDDoS1000 is designed as an integrated chassis. Table 3-1 shows the main components.

Table 3-1 Overview of the main components of the AntiDDoS1000
Power supply: The AntiDDoS1000 is available in two models, AC and DC hosts, which cannot be mixed on the same device. Two power modules are configured for each chassis to provide 1+1 backup. They support hot swap.
Fan: Fans adopt the N+1 redundancy design. A total of six system fans with independent fan frames are available. They support hot swap.
Cable: The cables of the AntiDDoS1000 include power cables, signal cables, and protection grounding cables.

3.1.2 Device Parameters

This section describes the system and device parameters of the AntiDDoS1000. Table 3-2 shows the system and device parameters of the AntiDDoS1000.

Table 3-2 System and device parameters of the AntiDDoS1000
Expansion slot: two FIC slots
Built-in interface: The built-in interfaces of the AntiDDoS1000 include:
  - Two USB 2.0 interfaces
  - One microSD card slot
  - One management interface
  - One console port
  - Four 10/100/1000M adaptive electrical Ethernet interfaces
  - Four GE Combo interfaces
Dimensions (H x W x D): 43.6 mm x 442 mm x 560 mm
Weight: 8.2 kg (net weight), 8.9 kg (in full configuration)
CPU: Multi-core MIPS; dominant frequency 950 MHz; a total of eight cores, each of which runs four threads
NVRAM: 512 KB
Memory: DDR2 2 x 2 GB
Flash memory: 64 MB
CF card: 2 GB
Rated input voltage: AC: 100 V to 240 V, 50 Hz or 60 Hz; DC: -48 V to -60 V
Maximum input voltage: AC: 90 V to 264 V, 47 Hz to 63 Hz; DC: -36 V to -72 V
Maximum output power: 150 W
Running ambient temperature: Long term: 0°C to 45°C; Short term: -5°C to +55°C
Storage ambient temperature: -40°C to +70°C
Ambient relative humidity: Long term: 10% RH to 90% RH (non-condensing); Short term: 5% RH to 95% RH (non-condensing)

3.1.3 Fixed Interface and Interface Cards

Fixed Interface
The built-in LPU includes:
- Two USB 2.0 interfaces
- One microSD card slot (currently unavailable)
- One management interface
  The management interface is a 10/100/1000M adaptive electrical Ethernet interface. Users can log in to the device through the management interface to configure, manage, or maintain the device out-of-band. The management interface cannot be used for data forwarding.
- One console port
- Four 10/100/1000M adaptive electrical Ethernet interfaces
- Four GE Combo interfaces
  An optical/electrical (mutually exclusive) interface consists of one optical interface and one electrical interface that share the same number. Only one of the two is available at a time. If both are connected, the electrical interface works by default, but you can configure the optical interface to work instead by using a command. For the optical/electrical (mutually exclusive) interface, the optical Ethernet interface supports 100M and 1000M optical modules, whose rates are 100M and 1000M respectively, and the electrical interface is 10/100/1000M adaptive.

Interface Cards
The device provides FIC slots, which can host a variety of FICs:
- 2 x 10GE Optical Interface Card: Each 2 x 10GE optical interface card provides two 10-Gigabit optical interfaces.
- 8 x GE Electrical Interface Card: Each 8 x GE electrical interface card provides eight 10/100/1000M adaptive electrical Ethernet interfaces.
- 8 x GE Electrical+2 x 10GE Optical Interface Card: Each 8 x GE electrical+2 x 10GE optical interface card provides eight 10/100/1000M adaptive electrical Ethernet interfaces and two 10-Gigabit optical Ethernet interfaces.
- 4 x GE Electrical Bypass Interface Card: Each 4 x GE electrical bypass interface card provides four 10/100/1000M adaptive electrical Ethernet interfaces. When the AntiDDoS1000 is powered off or faulty, traffic passes directly between the devices on both sides, so that service continuity is maintained.
- Optical Bypass Interface Card: Each optical bypass interface card supports two single-link bypass subcards BYPS (BYPM). When the bypass interface card is on the working path, the upstream and downstream traffic is transferred to the AntiDDoS1000 for processing. When the bypass interface card is on the protection path, the devices on both sides of the AntiDDoS1000 interconnect directly. This ensures service continuity. Note that traffic crossing the protection path is not inspected: the bypass card keeps the link up at the cost of filtering while the device is down.
- 8 x GE Optical Interface Card: Each 8 x GE optical interface card provides eight Gigabit optical interfaces.

3.2 AntiDDoS8000
3.2.1 Product Appearance
The Anti-DDoS device uses an integrated chassis. The chassis can be installed in an N68E-22 cabinet or a standard International Electrotechnical Commission (IEC) 19-inch cabinet with a depth no less than 800 mm.

AntiDDoS8030 Chassis Overview

The AntiDDoS8030 chassis is available in AC and DC models. Figure 3-4 shows a DC chassis, and Figure 3-5 shows an AC chassis.

Figure 3-4 Appearance of a DC chassis
[Appearance of the DC chassis.]

Figure 3-5 Appearance of an AC chassis
[Appearance of the AC chassis.]

Figure 3-6 shows the slots of the AntiDDoS8030.

Figure 3-6 Diagram of the board slot area
[Slot layout: LPU slots 1 to 3 and MPU slots 4 and 5, with an ESD socket.]

Table 3-3 Slot location of the AntiDDoS8030
Slot Number | Quantity | Slot Width | Remarks
1 to 3 | 3 | 41 mm (1.6 inches) | Slots for Line Processing Units (LPUs) and Service Processing Units (SPUs). LPUs and SPUs can co-exist to suit your requirements, but at least one LPU and one SPU are needed.
4 to 5 | 2 | 41 mm (1.6 inches) | Slots dedicated for the Main Processing Unit (MPU). The slots can house two MPUs to form 1:1 backup.

AntiDDoS8080 Chassis Overview

Figure 3-7 shows the chassis of the AntiDDoS8080.

Figure 3-7 Appearance of the chassis of the AntiDDoS8080
[Appearance of the chassis.]

Figure 3-8 shows the slots of the AntiDDoS8080.

Figure 3-8 Diagram of the board slot area
[Slot layout: LPU slots 1 to 8, MPU slots 9 and 10, and SFU slot 11, with an ESD socket.]

Table 3-4 Diagram of slot location
Slot Number | Quantity | Slot Width | Remarks
1 to 8 | 8 | 41 mm (1.6 inches) | Slots for LPUs and Service Processing Unit As (SPUAs). LPUs and SPUAs can be inserted at the same time; select them as required, but at least one LPU and one SPUA are needed.
9 to 10 | 2 | 36 mm (1.4 inches) | Two slots dedicated for Switch Router Units (SRUs). The slots can house two MPUs to form 1:1 backup.
11 | 1 | 36 mm (1.4 inches) | Slot for the Switch Fabric Unit (SFU). The SFU interworks with the SFU integrated on the SRU to form 2+1 backup for load balancing.
AntiDDoS8160 Chassis Overview

Figure 3-9 shows the chassis of the AntiDDoS8160.

Figure 3-9 Appearance of the chassis
[Appearance of the chassis.]

Figure 3-10 shows the slots of the AntiDDoS8160.

Figure 3-10 Diagram of the board slot area
[Slot layout: LPU slots 1 to 16, MPU slots 17 and 18, and SFU slots 19 to 22, with ESD sockets.]

Table 3-5 Diagram of slot location
Slot Number | Quantity | Slot Width | Remarks
1 to 16 | 16 | 41 mm (1.6 inches) | Slots for LPUs and SPUAs. LPUs and SPUAs can be inserted at the same time; select them as required, but at least one LPU and one SPUA are needed.
17 to 18 | 2 | 41 mm (1.6 inches) | Slots dedicated for MPUs. The slots can house two MPUs to form 1:1 backup.
19 to 22 | 4 | 41 mm (1.6 inches) | Slots for SFUs. The slots can house four SFUs to form 3+1 backup for load balancing.

Power and Heat Dissipation Systems of the Anti-DDoS device

Table 3-6 shows an overview of the power and heat dissipation systems of the Anti-DDoS device models.

Table 3-6 Overview of the power and heat dissipation systems of the Anti-DDoS device of different models
Power supply system:
- AntiDDoS8030: Supports AC or DC power supplies. The power supply system consists of 1+1 redundant AC or DC power supply frames. Both the AC and DC power supply frames support power alarming.
- AntiDDoS8080: In DC mode, four Power Entry Modules (PEMs) reside on the back panel to provide 2+2 backup. In AC mode, an AC power supply frame resides externally and connects to the power input ports of the PEMs through a rectifier that suits the total power of the integrated chassis.
- AntiDDoS8160: In DC mode, eight PEMs reside on the back panel to provide 4+4 backup. In AC mode, two AC power supply frames reside externally and connect to the power input ports of the PEMs through a rectifier that suits the total power of the integrated chassis.
Heat dissipation system:
- AntiDDoS8030: Air enters the chassis from the left and exits from the back. The air intake vent is on the left of the chassis, and the air exhaust vent is on the back of the chassis. The fans reside on the air exhaust vent. The two fan frames back against each other, each having two fans. The fan frames extract air from the system for dissipation.
- AntiDDoS8080: Air enters the chassis from the front and exits from the back. The air intake vent is above the front board slot area, and the air exhaust vent is above the rear board slot area. The fans reside on the air exhaust vent. The two fan frames back against each other, each having one fan. The fan frames extract air from the system for dissipation.
- AntiDDoS8160: The two fan frames reside on the upper and lower parts of the chassis respectively. Air enters the chassis from the front and exits from the back. For the upper fan frame, the air intake vent is above the front board slot area and the air exhaust vent is above the rear board slot area. For the lower fan frame, the air intake vent is above the rear board slot area and the air exhaust vent is above the front board slot area. The upper and lower fan frames function independently. The board slot area for the SFUs is in the middle of the device, and the air intake vent for this slot area is on the left of the chassis. To cool the SFUs in the two upper slots, air enters from the left and goes up on the right to converge with the air from the upper fan frame. To cool the SFUs in the two lower slots, air enters from the left and goes down on the right to converge with the air from the lower fan frame.

3.2.2 Device Parameters

AntiDDoS8030
Table 3-7 lists the physical parameters of the AntiDDoS8030.

Table 3-7 Physical parameters of the AntiDDoS8030
Dimensions (width x depth x height) [a]: DC chassis: 442 mm x 650 mm x 175 mm (4 U); AC chassis: 442 mm x 650 mm x 220 mm (5 U). The depth is 750 mm including the dust filter and cabling rack.
Installation position: N68E cabinet or a standard 19-inch cabinet
Typical power consumption: If one LPUF-40-A (40G) and two SPUAs (20G) are configured: DC chassis: 1330 W; AC chassis: 1360 W
Heat dissipation: DC chassis: 4311 BTU/hour; AC chassis: 4408 BTU/hour
Weight, empty chassis: DC chassis: 15 kg; AC chassis: 25 kg
Weight, full configuration: If one LPUF-40-A (40G) and two SPUAs (20G) are configured: DC chassis: 34 kg; AC chassis: 42 kg
DC input voltage: Rated voltage: -48 V; Maximum voltage range: -72 V to -38 V
AC input voltage: Rated voltage: 200 V AC to 240 V AC, 50/60 Hz; Maximum voltage range: 180 V AC to 264 V AC, 50/60 Hz
System reliability: MTBF: 25 years; MTTR: 0.5 hour
Ambient temperature [b]: Long-term [c]: 0°C to 45°C; Short-term: -5°C to 55°C
Storage temperature: -40°C to 70°C
Ambient relative humidity: Long-term: 5% RH to 85% RH, non-condensing; Short-term: 5% RH to 95% RH, non-condensing
Storage relative humidity: 0% RH to 95% RH
Long-term altitude: Lower than 3000 m
Storage altitude: Lower than 5000 m

NOTE
a. The width does not include the width of the attached mounting ears.
b. The measurement point of the temperature and humidity is 1.5 m above the floor and 0.4 m in front of the cabinet, without the front and back doors.
c. Short-term operation means that the continuous operating time does not exceed 48 hours and the accumulated operating time per year does not exceed 15 days. If an operation exceeds either of these conditions, it is called a long-term operation.
AntiDDoS8080
Table 3-8 lists the physical parameters of the AntiDDoS8080.

Table 3-8 Physical parameters of the AntiDDoS8080
Dimensions (width x depth x height) [a]: 442 mm x 650 mm x 620 mm (14 U). The depth is 770 mm including the dust filter and cabling rack.
Installation position: N68E cabinet or a standard 19-inch cabinet
Weight, empty chassis: 43.2 kg
Weight, full configuration: If three LPUF-40-As (40G) and five SPUAs (20G) are configured: 96.7 kg
Typical power consumption: If three LPUF-40-As (40G) and five SPUAs (20G) are configured: 3110 W
Heat dissipation: 10081 BTU/hour
DC input voltage: Rated voltage: -48 V; Maximum voltage range: -72 V to -38 V
AC input voltage: Rated voltage: 200 V AC to 240 V AC, 50/60 Hz; Maximum voltage range: 180 V AC to 264 V AC, 50/60 Hz
System reliability: MTBF: 25 years; MTTR: 0.5 hour
Ambient temperature [b]: Long-term [c]: 0°C to 45°C; Short-term: -5°C to 55°C; Remarks: limit of the temperature change rate: 30°C/hour
Storage temperature: -40°C to 70°C
Ambient relative humidity: Long-term: 5% RH to 85% RH, non-condensing; Short-term: 5% RH to 95% RH, non-condensing
Storage relative humidity: 0% RH to 95% RH
Long-term altitude: Lower than 3000 m
Storage altitude: Lower than 5000 m

NOTE
a. The width does not include the width of the attached mounting ears.
b. The measurement point of the temperature and humidity is 1.5 m above the floor and 0.4 m in front of the cabinet, without the front and back doors.
c. Short-term operation means that the continuous operating time does not exceed 48 hours and the accumulated operating time per year does not exceed 15 days. If an operation exceeds either of these conditions, it is called a long-term operation.
AntiDDoS8160
Table 3-9 lists the physical parameters of the AntiDDoS8160.

Table 3-9 Physical parameters of the AntiDDoS8160
Dimensions (width x depth x height) [a]: 442 mm x 650 mm x 1420 mm (32 U). The depth is 770 mm including the dust filter and cabling rack.
Installation position: N68E cabinet or a standard 19-inch cabinet
Weight, empty chassis: 94.4 kg
Weight, full configuration: If six LPUF-40-As (40G) and ten SPUAs (20G) are configured: 196.4 kg
Typical power consumption: If six LPUF-40-As (40G) and ten SPUAs (20G) are configured: 5970 W
Heat dissipation: 19350 BTU/hour
DC input voltage: Rated voltage: -48 V; Maximum voltage range: -72 V to -38 V
AC input voltage: Rated voltage: 200 V AC to 240 V AC, 50/60 Hz; Maximum voltage range: 180 V AC to 264 V AC, 50/60 Hz
System reliability: MTBF: 25 years; MTTR: 0.5 hour
Ambient temperature [b]: Long-term [c]: 0°C to 45°C; Short-term: -5°C to 55°C; Remarks: limit of the temperature change rate: 30°C/hour
Storage temperature: -40°C to 70°C
Ambient relative humidity: Long-term: 5% RH to 85% RH, non-condensing; Short-term: 5% RH to 95% RH, non-condensing
Storage relative humidity: 0% RH to 95% RH
Long-term altitude: Lower than 3000 m
Storage altitude: Lower than 5000 m

NOTE
a. The width does not include the width of the attached mounting ears.
b. The measurement point of the temperature and humidity is 1.5 m above the floor and 0.4 m in front of the cabinet, without the front and back doors.
c. Short-term operation means that the continuous operation time does not exceed 48 hours and the accumulated operation time per year does not exceed 15 days. Otherwise, it is called long-term operation.
3.2.3 Board
MPU
The MPU on the Anti-DDoS device performs system control and the learning of route information. The Anti-DDoS device MPU uses the 1:1 backup mechanism. When the active MPU is faulty, the standby immediately takes over the work. The backup mechanism ensures the normal running of the system.

SFU
The SFU in the Anti-DDoS device is in charge of data exchange among boards.
- The AntiDDoS8080 is equipped with three switch network units. Two of them are integrated, together with the two main control units, on the two MPUs; the third resides on an independent SFU. This arrangement:
  - Enables 2+1 load-balancing backup in the switching network
  - Provides an overall switching capacity of 7.08 Tbit/s
  - Four SFUs work simultaneously to share the service data. When one of them is faulty, the service data is automatically balanced to the other two with no service interruption.
- The AntiDDoS8160 is equipped with four switch network units. This arrangement:
  - Enables 3+1 load-balancing backup in the switching network
  - Provides an overall switching capacity of 12.58 Tbit/s
  - Four SFUs work simultaneously to share the service data. When any SFU is faulty, the service data is automatically balanced to the other three with no service interruption.

SPU
The SPU in the Anti-DDoS device is the core component that processes every security service. The SPU comes with high-performance multi-core central processing units (CPUs). A service processing card (SPC) with 20 Gbit/s processing capability can be installed on each SPU. The Anti-DDoS device comes with multiple SPUs: system performance in terms of throughput and number of new connections per second increases linearly with the number of SPUs, and the SPUs back each other up. When one SPU is faulty, all its traffic is immediately balanced to the other SPUs with no service interruption.

LPU
The Anti-DDoS device supports the LPUF-21 with FPICs for expansion and the LPUF-40 with FPICs for expansion.

The LPUF-21 has two slots, each applicable to one FPIC. The entire LPUF-21 provides a maximum bandwidth of 20 Gbit/s. The LPUF-21 supports the following cards:
- 1-port 10GBase LAN/WAN-XFP optical interface FPIC (one slot)
- 4-port 10GBase LAN/WAN-XFP optical interface FPIC (two slots, convergence)
- 12-port 100Base-FX/1000Base-X-SFP optical interface FPIC (one slot)
- 12-port 10Base-T/100Base-TX/1000Base-T electrical interface FPIC (one slot)
- 1-port OC-192c/STM-64c POS-XFP optical interface FPIC (one slot)

The LPUF-40 has two slots, each applicable to one FPIC. The entire LPUF-40 provides a maximum bandwidth of 40 Gbit/s. The LPUF-40 supports the following cards:
- 2-port 10GBase LAN/WAN-XFP optical interface FPIC (one slot)
- 4-port 10GBase LAN/WAN-XFP optical interface FPIC (one slot, convergence)
- 20-port 100Base-FX/1000Base-X-SFP optical interface FPIC (one slot)

3.3 ATIC Management center


3.3.1 Basic Components
The ATIC Management center uses the easy-to-deploy B/S (browser/server) architecture, so services can be managed and monitored without installing client software. The ATIC Management center also suits the scenario where multiple detecting and cleaning devices are deployed in different places but require centralized management.

In the ATIC system, the ATIC Management center consists of the following components:
- ATIC server: Manages and configures anti-DDoS devices in a centralized way, and displays service reports.
- Anti-DDoS collector: Collects, parses, summarizes, and stores the traffic, exception, and attack logs reported by the anti-DDoS device, and stores captured packets. Each anti-DDoS device corresponds to one anti-DDoS collector.

In the abnormal-traffic mitigation solution, the ATIC Management center server and the anti-DDoS collector support both centralized and distributed deployment.

- In centralized deployment, the ATIC Management center server and the anti-DDoS collector are installed in the same task and on the same physical server. Figure 3-11 shows the networking of the ATIC Management center server and anti-DDoS collector deployed in centralized mode.

Figure 3-11 ATIC Management center server and anti-DDoS collector deployed in centralized mode
[One server hosting the ATIC server and ATIC collector together, connected to several Anti-DDoS devices; legend: monitored traffic, traffic log/cleaning log/captured packet, management traffic.]

Consider the following factors in this networking mode:
- Anti-DDoS device networking: The Anti-DDoS devices must be deployed on the same LAN. If they are deployed across a WAN, the large volume of log information occupies WAN bandwidth and affects the normal running of services; in addition, WAN instability may result in data loss.
- Deployment scenarios of the Anti-DDoS device:
  - In in-line deployment, all traffic is checked and cleaned by the Anti-DDoS device. An anti-DDoS collector can collect anti-DDoS logs from about 10,000 IP addresses. If the number of IP addresses of protected objects exceeds 10,000, it is recommended that you configure an independent anti-DDoS collector.
  - In off-line deployment, only abnormal traffic is directed to the Anti-DDoS device for checking and cleaning. Abnormal traffic accounts for 10% of the total traffic, so fewer anti-DDoS collectors are needed; for example, one anti-DDoS collector is configured for 100,000 IP addresses of protected objects. In off-line deployment, if the Anti-DDoS devices are scattered, it is recommended that you configure multiple anti-DDoS collectors.

- In distributed deployment, the ATIC Management center server and the anti-DDoS collector are installed in different tasks and, generally, on different physical servers. Figure 3-12 shows the networking of the ATIC Management center server and anti-DDoS collectors deployed in distributed mode.

Figure 3-12 ATIC Management center server and anti-DDoS collectors deployed in distributed mode
[The Management center server connects to several anti-DDoS collectors, each collecting from its own Anti-DDoS devices; legend: monitored traffic, log and packet-capture traffic, management traffic.]

Consider the following factors in this networking mode:
- Anti-DDoS device networking: The Anti-DDoS devices are distributed in multiple areas that are connected through a WAN. An anti-DDoS collector is deployed in each area to keep the large volume of log information from occupying WAN bandwidth, to reduce the bandwidth cost, and to avoid the data loss that WAN instability may cause.
- Deployment scenarios of the Anti-DDoS device:
  - In in-line deployment, all traffic is checked and cleaned by the Anti-DDoS device. An anti-DDoS collector can collect anti-DDoS logs from about 10,000 IP addresses. If the number of IP addresses of protected objects exceeds 10,000, it is recommended that you configure an independent anti-DDoS collector.
  - In off-line deployment, only abnormal traffic is directed to the Anti-DDoS device for checking and cleaning. Abnormal traffic accounts for 10% of the total traffic, so fewer anti-DDoS collectors are needed; for example, one anti-DDoS collector is configured for 100,000 IP addresses of protected objects. In off-line deployment, if the Anti-DDoS devices are scattered, it is recommended that you configure multiple anti-DDoS collectors.
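The collector sizing rules given for the centralized and distributed modes above (about 10,000 protected IP addresses per collector for an in-line device, 100,000 for an off-line device, a collector in each WAN-separated area, and a separate collector for any device that exceeds the figure) can be turned into a planning check. The following Python is an added example written for this description, not part of the ATIC Management center; the device inventory is constructed, and the first-fit-decreasing packing of devices onto collectors is an assumption rather than a rule the document states.

```python
"""Added example: anti-DDoS collector planning from the sizing figures in the text.
Not Huawei code; the inventory and the packing rule are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Capacities the description gives: about 10,000 protected IP addresses per collector for
# an in-line device (all traffic is logged) and 100,000 for an off-line device (only the
# diverted abnormal traffic, 10% of the total, reaches the device).
IPS_PER_COLLECTOR = {"in-line": 10_000, "off-line": 100_000}


@dataclass
class Device:
    name: str
    area: str           # site/LAN; different areas are assumed to be WAN-separated
    mode: str           # "in-line" or "off-line"
    protected_ips: int  # number of protected-object IP addresses behind this device


def collector_load(dev: Device) -> float:
    """Share of one collector's capacity that a device consumes (may exceed 1.0)."""
    return dev.protected_ips / IPS_PER_COLLECTOR[dev.mode]


def pack_area(devices: List[Device]) -> List[List[str]]:
    """First-fit-decreasing assignment of devices to collectors within one area.
    A device corresponds to exactly one collector, so its load is never split; a device
    that exceeds one collector's capacity ends up with a collector of its own, which is
    the independent collector the text recommends."""
    bins: List[List[str]] = []
    loads: List[float] = []
    for dev in sorted(devices, key=collector_load, reverse=True):
        load = collector_load(dev)
        for i, used in enumerate(loads):
            if used + load <= 1.0 + 1e-9:
                bins[i].append(dev.name)
                loads[i] += load
                break
        else:
            bins.append([dev.name])
            loads.append(load)
    return bins


def plan_collectors(devices: List[Device]) -> Dict[str, object]:
    """Centralized mode when every device shares one LAN (one area); otherwise
    distributed mode with at least one collector per area so logs stay off the WAN."""
    by_area: Dict[str, List[Device]] = defaultdict(list)
    for dev in devices:
        by_area[dev.area].append(dev)
    assignment = {area: pack_area(devs) for area, devs in by_area.items()}
    return {
        "deployment": "centralized" if len(by_area) == 1 else "distributed",
        "collectors_per_area": {area: len(bins) for area, bins in assignment.items()},
        "assignment": assignment,
    }


# Constructed inventory (assumption, not a real network).
SAMPLE_DEVICES = [
    Device("hq-inline-1", "HQ", "in-line", 6_000),
    Device("hq-inline-2", "HQ", "in-line", 5_000),
    Device("hq-offline-1", "HQ", "off-line", 40_000),
    Device("branch-offline-1", "Branch", "off-line", 80_000),
    Device("branch-inline-1", "Branch", "in-line", 3_000),
]

if __name__ == "__main__":
    print(plan_collectors(SAMPLE_DEVICES))
```

With the sample inventory the plan comes out distributed, with two collectors in each area: the two HQ in-line devices cannot share one collector (6,000 + 5,000 exceeds 10,000), while the off-line device fits beside the larger of them. Changing a device's mode from in-line to off-line shrinks its load tenfold, which is the effect the text describes when it says off-line deployment reduces the number of collectors.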

3.3.2 Software and Hardware Planning in Centralized Mode

Software Planning for the Server

When the ATIC Management center is installed, the system automatically installs the MySQL database. For the operating system and Web browser planning, see Table 3-10.

Table 3-10 Software planning for the server
Hardware Platform | Software Type | Software Version
x86 (64-bit Windows) | Operating system | Windows Server 2008 R2 Standard with SP1
x86 (64-bit Windows) | Web browsers that can access the server | Internet Explorer 6.0/7.0/8.0; Mozilla Firefox 3.6.X to 4.X
x86 (32-bit Windows) | Operating system | Windows Server 2003 R2 Standard with SP2
x86 (32-bit Windows) | Web browsers that can access the server | Internet Explorer 6.0/7.0/8.0; Mozilla Firefox 3.6.X to 4.X

Hardware Planning for the Server

NOTE
- It is recommended that the anti-DDoS service be deployed on an independent server. If the anti-DDoS service shares a server with other services, the processing performance of the anti-DDoS service may decrease.
- To ensure the normal startup of the ATIC Management center, the server must have a minimum of 2.5 GB free memory space.

Hardware planning information covers the minimum and recommended configuration. For details, see Table 3-11.

Table 3-11 Hardware planning for the server
Recommended configuration: IBM X3650M4 server
  - CPU: Xeon quad-core E5506 2.13 GHz or higher
  - Memory: 8 GB
  - Hard disk: 2 x 300 GB RAID1. Recommended RAID card model: ServeRAID card (M5015). RAID 5 is recommended when the number of hard disks is 3 or greater.
  NOTE: Configuration for connecting an external disk cabinet: Huawei OceanStor S2600F with FC port support is recommended. HBAs and optical jumpers need to be configured independently.
  To improve system reliability and security, you are advised to partition the disk into at least two logical drives. One drive of 40 GB is reserved for the installation of the operating system only. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.
Minimum configuration:
  - CPU: dual-core X86 processor
  - Memory: 4 GB
  - Hard disk: 100 GB
  To improve system reliability and security, you are advised to partition the disk into at least two logical drives. One drive of 30 GB is reserved for the installation of the operating system only. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

3.3.3 Software and Hardware Planning in Distributed Mode


Software Planning for the Server
When the ATIC Management center is installed, the system automatically installs the MySQL database. For the operating system and Web browser planning, see Table 3-12. Table 3-12 Software planning for the server Hardware Platform x86 (64-bit Windows) Software Type Operating system Software Version Windows Server 2008 R2 Standard with SP1

Issue 04 (2013-04-30)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

38

HUAWEI Secospace Anti-DDoS Solution Solution Description

3 Products in the Solution

Hardware Platform

Software Type Web browsers that can access the server

Software Version Internet Explorer 6.0/7.0/8.0 Mozilla Firefox 3.6.X to 4.X Windows Server 2003 R2 Standard with SP2 Internet Explorer 6.0/7.0/8.0 Mozilla Firefox 3.6.X to 4.X

x86 (32-bit Windows)

Operating system Web browsers that can access the server

Hardware Planning for the Server


NOTE

l It is recommended that the anti-DDoS service be deployed on an independent server. If the anti-DDoS service shares a server with other services, the processing performance of the anti-DDoS service may decrease. l To ensure the normal startup of the ATIC Management center, the server must have a minimum of 1.5 GB free memory space.

Hardware planning information covers the minimum and recommended configuration. For details, see Table 3-13.

Table 3-13 Hardware planning for the server

Recommended configuration: IBM X3650M4 server
- CPU: Xeon quad-core E5506 2.13 GHz or higher
- Memory: 8 GB
- Hard disk: 2 x 300 GB RAID1. Recommended RAID card model: ServeRAID card (M5015). RAID 5 is recommended when the number of hard disks is 3 or greater.
NOTE: Configuration for connecting an external disk cabinet: Huawei OceanStor S2600F that supports FC port is recommended. HBAs and optical jumpers need to be configured independently.
To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of a drive is 40 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

Minimum configuration
- CPU: dual-core X86 processor
- Memory: 4 GB
- Hard disk: 100 GB
To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of a drive is 30 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the ATIC Management center as well as the storage of database files.

Software Planning for Anti-DDoS Collectors


When the anti-DDoS collector is installed, the system automatically installs the MySQL database. For the operating system planning, see Table 3-14.

Table 3-14 Software planning for an anti-DDoS collector

x86 (64-bit Windows)
  Operating system: Windows Server 2008 R2 Standard with SP1

x86 (32-bit Windows)
  Operating system: Windows Server 2003 R2 Standard with SP2

Hardware Planning of an Anti-DDoS Collector


NOTE

To ensure the normal startup of the anti-DDoS collector, the anti-DDoS collector must have a minimum of 1.5 GB free memory space.

Hardware planning information covers the minimum and recommended configuration. For details, see Table 3-15.

Table 3-15 Hardware planning of an anti-DDoS collector

Recommended configuration: IBM X3650M4 server
- CPU: Xeon quad-core E5506 2.13 GHz or higher
- Memory: 8 GB
- Hard disk: 2 x 300 GB RAID1. Recommended RAID card model: ServeRAID card (M5015). RAID 5 is recommended when the number of hard disks is 3 or greater.
NOTE: Configuration for connecting an external disk cabinet: Huawei OceanStor S2600F that supports FC port is recommended. HBAs and optical jumpers need to be configured independently.
To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of a drive is 40 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the anti-DDoS collector as well as the storage of database files.

Minimum configuration
- CPU: dual-core X86 processor
- Memory: 4 GB
- Hard disk: 100 GB
To improve system reliability and security, you are advised to partition the disk into at least two logical drives. The storage capacity of a drive is 30 GB and is only for the installation of the operating system. The remaining space is allocated to the other drive for the installation of the database software and the anti-DDoS collector as well as the storage of database files.


4 Functions and Features

About This Chapter

4.1 Zone
The ATIC system defends against DDoS attacks based on the Zone. To protect certain targets, add them to the Zone.

4.2 Traffic Diversion
When the anti-DDoS device is in off-line mode, traffic needs to be diverted to the anti-DDoS device for detecting and cleaning.

4.3 Zone Protection
The ATIC system provides Zone-based defense modes and refined defense policies.

4.4 Packet Capture, Analysis and Report
The ATIC management center delivers packet capture, analysis, and report for subsequent maintenance. Packet capture is used to capture network traffic and locate network faults; analysis is used to analyze network traffic and attack logs; a report is used to periodically summarize Zone traffic and attack logs if desired.


4.1 Zone
The ATIC system defends against DDoS attacks based on the Zone. To protect certain targets, add them to the Zone.

A Zone is the object protected by the ATIC system. As shown in Figure 4-1, a Zone can be a server, a network, an Internet user, an enterprise, or an Internet service provider. A Zone in the ATIC system is a collection of IP addresses or IP address segments; it corresponds to one or multiple IP addresses, which are those of the protected objects. The ATIC system performs refined defense for these IP addresses.

Figure 4-1 Zone (diagram: Router1, anti-DDoS device, Router2, and the Zone, with the pre-cleaning and post-cleaning traffic directions marked)

In the ATIC system, Zones are classified into three types:
- User-Defined Zones
To protect specific IP addresses/address segments, the administrator can manually create user-defined Zones and add the IP addresses/address segments to the user-defined Zones. The anti-DDoS device uses defense policies to provide refined defense for traffic of these IP addresses/address segments. The type of such Zones is User-Defined.
- Default Zones
One default Zone is automatically added when you add an anti-DDoS device. Each anti-DDoS device can be associated with only one default Zone, which does not have any given IP address. Refined defense can be implemented by the anti-DDoS device on the destination IP addresses except those in User-Defined Zones. The type of such Zones is Default.
- Zones Synchronized from the SIG
After the SIG is added, the system automatically synchronizes Zones from the SIG system to protect them. The administrator cannot change the basic information and IP addresses of Zones of this type, but can select cleaning devices for them and apply the policies configured for the Zones to the traffic destined for the corresponding IP addresses/address segments for refined defense. The type of such Zones is SIG Zone.

Generally, add the destination IP addresses to be protected to the user-defined Zone and unfixed IP addresses to the default Zone. Then apply various defense policies to the traffic destined for the Zones to protect the destination IP addresses. Default Zones are also applied to MANs with heavy traffic; with default Zones, the traffic with uncertain destination IP addresses is defended against.

The ATIC system can defend multiple Zones simultaneously. You can add a maximum of 2000 Zones, and 10,000 IP addresses or address segments to each device. Meanwhile, the system can perform refined protection for 10,000 destination IP addresses in total. The IP addresses that do not belong to the user-defined Zone but are within the threshold (that is, 10,000 destination IP addresses) are protected through the policy configured for the default Zone, if default Zone functions are enabled. For example, the administrator creates user-defined Zones, adds 6000 IP addresses to different user-defined Zones, and configures different defense policies for the user-defined Zones. Then the ATIC system provides protection for the 6000 IP addresses using the defense policies configured for these user-defined Zones. The administrator also creates default Zones and configures defense policies for the default Zones. The ATIC system then provides protection for the other 4000 IP addresses using the defense policies configured for the default Zones. The IP addresses of default Zones are unfixed and are protected in access order, and the IP addresses or IP address segments beyond the specified specifications are protected by using global defense policies.
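As an added example (not ATIC code), the following Python sketch implements the lookup this section describes: user-defined Zones are matched first, the default Zone takes the remaining destination addresses in access order up to the device limit, and the global policy covers everything beyond it. The ZoneTable class, the policy labels and the small address budget in demo() are assumptions; counting every address of a configured segment against the 10,000-address limit is also an assumption.

```python
"""Zone lookup for destination IP addresses, in the style of section 4.1.

Added example, not ATIC code. A destination address is matched against the
user-defined Zones first; an address that matches none is taken into the
device's default Zone in access order, as long as the device-wide limit of
refined-defense destination addresses (10,000 in the text) is not exhausted;
beyond that limit it is protected by the global defense policy only. The
per-device limits come from the text; counting every address of a configured
segment against the limit, and the ZoneTable class itself, are assumptions.
"""
import ipaddress

MAX_ZONES_PER_DEVICE = 2000       # from the text: Zones per device
MAX_REFINED_ADDRESSES = 10_000    # from the text: destination addresses per device


class ZoneTable:
    def __init__(self, default_policy, default_zone_enabled=True,
                 max_addresses=MAX_REFINED_ADDRESSES):
        self.user_zones = {}              # zone name -> list of ip_network
        self.policies = {"default": default_policy}
        self.default_zone_enabled = default_zone_enabled
        self.max_addresses = max_addresses
        self.default_members = {}         # address -> None; dict keeps access order

    def add_user_zone(self, name, segments, policy):
        """Create a user-defined Zone from IP addresses/address segments."""
        if len(self.user_zones) >= MAX_ZONES_PER_DEVICE:
            raise ValueError("Zone limit per device reached")
        self.user_zones[name] = [ipaddress.ip_network(s, strict=False) for s in segments]
        self.policies[name] = policy

    def addresses_in_use(self):
        """Addresses already counted against the refined-defense limit
        (configured user-defined addresses plus default Zone members)."""
        configured = sum(n.num_addresses for nets in self.user_zones.values() for n in nets)
        return configured + len(self.default_members)

    def lookup(self, dst):
        """Return (zone type, zone name, policy) protecting traffic to dst."""
        addr = ipaddress.ip_address(dst)
        for name, nets in self.user_zones.items():
            if any(addr in n for n in nets):
                return "User-Defined", name, self.policies[name]
        if not self.default_zone_enabled:
            return "Global", None, "global"
        if addr in self.default_members or self.addresses_in_use() < self.max_addresses:
            self.default_members.setdefault(addr, None)   # protected in access order
            return "Default", "default", self.policies["default"]
        return "Global", None, "global"


def demo():
    """Walk through the text's split of an address budget, scaled down to a
    constructed budget of 6 addresses: 4 in a user-defined Zone, 2 left for
    the default Zone, the rest handled by the global policy."""
    table = ZoneTable(default_policy="default-zone-policy", max_addresses=6)
    table.add_user_zone("web-servers", ["10.1.1.0/30"], policy="web-policy")  # 4 addresses
    return [table.lookup(ip) for ip in
            ("10.1.1.2", "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.10")]
```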

4.2 Traffic Diversion


When the anti-DDoS device is in off-line mode, traffic needs to be diverted to the anti-DDoS device for detecting and cleaning. In normal cases, the traffic destined for the Zone is forwarded by the router on the backbone link to the destination Zone, but not to the anti-DDoS device in off-line mode. To apply the anti-DDoS function provided by the anti-DDoS device to Zone traffic, change the original link of Zone traffic to divert the traffic to the anti-DDoS device for defense. Traffic diversion covers two scenarios: traffic is copied to the detecting device in mirroring or optical splitting mode, and the cleaning device diverts abnormal traffic and injects normal traffic back to the original link.

Mirroring and Optical Splitting


When the detecting device is deployed independently and in off-line mode, all traffic on the network needs to be copied to the detecting device for detecting. Traffic destined for the detecting device is copied traffic. After the detecting is complete, the traffic is directly discarded. Traffic can be copied to the detecting device in two modes:
- Optical splitting
An optical splitter is deployed on the network to optically split traffic on the link to the detecting device.
- Mirroring
The mirroring function is configured on the router to copy traffic on the router to the detecting device.
For details on optical splitting and mirroring, see Configuring Optical Splitting and Mirroring.

Traffic Diversion and Injection


When the cleaning device is in off-line mode, all traffic destined for the Zone needs to be diverted to the cleaning device for cleaning. After that, cleaned traffic is injected to the original link and subsequently is forwarded to the Zone. As shown in Figure 4-2, traffic destined for the Zone is directly forwarded to the Zone through Router1 and Router2. After a cleaning device is deployed in off-line mode, the original traffic forwarding path changes. In this case, traffic is issued from Router1 to the cleaning device and is injected to the original link for forwarding after being cleaned. Thereby, traffic diversion and injection are required.

Figure 4-2 Traffic direction when the cleaning device is in off-line mode (diagram: Router1, anti-DDoS device, Router2, and the Zone; steps 1 to 5 mark the pre-cleaning and post-cleaning traffic directions)


Traffic diversion
In traffic diversion, traffic is diverted to the cleaning device in off-line mode by changing the original path of Zone traffic on the network. As shown in Figure 4-2, the cleaning device advertises a traffic-diversion route through Router1 to change the traffic transmission path. In this manner, traffic is issued from Router1 to the cleaning device. Traffic diversion supports the following two modes:
- Policy-based route diversion
- BGP traffic diversion

Traffic injection
In traffic injection, cleaned traffic is injected to the original link and then forwarded to the Zone. As shown in Figure 4-2, the cleaning device injects cleaned traffic to Router1, which in turn forwards traffic to the Zone. Traffic injection provides the following modes. You can apply traffic-injection modes based on the routing protocols running on the network:
- Layer 2 injection
- Static route injection
- Policy-based route injection
- GRE injection
- MPLS LSP injection
- MPLS VPN injection

In traffic diversion and injection mechanisms, two types of routers are involved:
- Traffic-diversion router
Indicates the router through which traffic is diverted to the cleaning device. As shown in Figure 4-2, the traffic-diversion router is Router1.
- Traffic-injection router
Indicates the router to which normal traffic is injected. As shown in Figure 4-2, the traffic-injection router is also Router1.
Traffic-diversion and traffic-injection routers can be the same router or different ones. You can plan them as needed.

Traffic-Diversion Mode
In the ATIC system, traffic diversion falls into three modes:
- Automatic traffic diversion
Upon detecting anomalies, the detecting device reports them to the Management center. Then the Management center automatically generates a traffic-diversion task and delivers the task to the cleaning device. After the Zone state turns to normal, the Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion. The default mode is automatic traffic diversion.
- Manual traffic diversion
Upon detecting anomalies, the detecting device reports them to the Management center. Then the Management center generates a traffic-diversion task automatically but does not deliver the task to the cleaning device until the administrator confirms the delivery. After the Zone state turns to normal, the Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion.
- Static traffic diversion
In addition to manual and automatic traffic diversion, you can configure a static traffic-diversion task to divert traffic to the cleaning device regardless of whether the traffic is normal. Static traffic diversion is mainly applicable to scenarios where Zones are fixed and low latency is required, such as Internet cafe users and video chatting.

4.3 Zone Protection


The ATIC system provides Zone-based defense modes and refined defense policies.

4.3.1 Defense Mode


The ATIC system provides three defense modes, namely, automatic defense, manual defense, and detecting only.
- Automatic
When the defense mode is set to Automatic and abnormal traffic is identified, the system automatically enables attack defense to clean abnormal traffic, and reports anomalies and attack events to the Management center. The default mode is automatic defense.
- Manual
When the defense mode is set to Manual and the system identifies abnormal traffic, the administrator determines whether to enable attack defense, and the system reports anomalies and attack events to the Management center.
- Detecting only
When the defense mode is set to Detecting only, the system only reports anomalies to the Management center after detecting abnormal traffic.

4.3.2 Traffic Model Learning


Traffic model learning falls into two types: service learning and dynamic baseline learning. In service learning, the system learns the service model (protocol type and port number of the traffic destined for the Zone) of the Zone to enable a proper attack defense policy. Dynamic baseline learning provides references for configuring the defense threshold. The defense policy refers to setting a proper threshold for the traffic volume of a protocol. When the traffic on the live network exceeds the threshold, the system identifies that an anomaly occurs and triggers the corresponding attack defense. Before configuring the defense policy, two questions need to be answered:
1. What types of attack defense need to be enabled?
2. How to set a proper threshold?

The ATIC system supports diversified types of attack defense. You can enable corresponding attack defense if desired, but not all defense functions. When services on the network are unknown, you can learn about services on the network by using service learning, and then determine whether to enable attack defense.

During defense policy configurations, the system prompts you to set defense thresholds for policies. When the number of the packets of a type destined for the Zone hits the threshold, the system enables defense against such packets. Because improper configurations may affect normal services, you are advised to learn the dynamic baseline and set a proper defense threshold according to the learning result.

Service Learning
The anti-DDoS device provides Zones with differentiated defense policies based on the service and the default policy template:
- Service-based defense protects services defined by the Zone, that is, it performs refined defense for a certain port of the specified IP address. This effectively protects the traffic of main services, ensuring service continuity.
- Default policy template-based defense protects the traffic of non-services in the Zone. This avoids network congestion.

When multiple ports are enabled for the Zone and refined defense is required for a certain port, you need to adopt service-based defense to learn about the traffic model and identify Zone services, thereby providing defense policies for given services in the Zone. With service learning, the anti-DDoS device can identify the services of the Zone and figure out the TCP and UDP services whose traffic hits the threshold, including the protocol type, port, IP address, and specific traffic value. In this way, the device obtains the service list of the Zone. In service learning, the anti-DDoS device learns statistics on inbound traffic, regardless of whether the traffic is normal or abnormal. Therefore, service learning needs to be enabled when Zone traffic is normal. During the learning, if the Zone is abnormal or under attack, you need to terminate the current service learning task and restart it after Zone traffic returns to normal. For details on how to configure service learning, see Configuring a Service and a Defense Policy (by Service Learning).

Dynamic Baseline Learning


In attack detection, the detecting device collects statistics on traffic and then compares the traffic with the pre-defined threshold. If the traffic hits the threshold, the device considers that an anomaly occurs and reports the anomaly to the Management center. Therefore, attack judgment is subject to the specified threshold; however, different networks have diversified applications, each of which has its own actual bandwidth.
- If the threshold is set to a smaller value, the system enables attack defense even if no attack occurs.
- If the threshold is set to a larger value, the system cannot enable attack defense in a timely manner.

Therefore, before you configure the threshold, learn about the basic traffic model first. In dynamic baseline learning, the system learns peak traffic at an interval in the normal network environment and presents the data to the administrator as a curve in the Management center. You are advised to deliver the learning result as the defense threshold after dynamic baseline learning is complete. The threshold must be set to a value higher than normal peak traffic. The dynamic baseline can be learned repeatedly to cope with changes in network traffic models.

For details on how to configure the dynamic baseline, see Adjusting a Threshold (by Baseline Learning).
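The two learning tasks of this section, as an added example rather than ATIC code: service learning builds the Zone's service list from the (destination IP, protocol, port) tuples whose traffic reaches a threshold, and dynamic baseline learning records the per-interval peak of each protocol so that a defense threshold above the normal peak can be recommended and then applied to live statistics. The sample records, the 100 pps service threshold and the 20% margin are assumptions.

```python
"""Service learning and dynamic baseline learning (added example, not ATIC code).

Service learning lists the TCP/UDP services of a Zone whose traffic reaches a
threshold; dynamic baseline learning records the per-interval peak traffic of
each protocol in a normal period so that the defense threshold can be set
above the normal peak. Record layout, service threshold and margin are
assumptions made for this example.
"""
from collections import defaultdict

# Constructed per-interval traffic statistics destined for one Zone (not real
# data). Record: (interval index, destination IP, protocol, destination port, pps)
SAMPLES = [
    (0, "10.1.1.2", "tcp", 80, 1200), (0, "10.1.1.2", "tcp", 443, 800),
    (0, "10.1.1.3", "udp", 53, 300), (0, "10.1.1.2", "tcp", 22, 4),
    (1, "10.1.1.2", "tcp", 80, 1500), (1, "10.1.1.2", "tcp", 443, 700),
    (1, "10.1.1.3", "udp", 53, 350), (1, "10.1.1.2", "tcp", 22, 2),
    (2, "10.1.1.2", "tcp", 80, 1350), (2, "10.1.1.2", "tcp", 443, 900),
    (2, "10.1.1.3", "udp", 53, 280), (2, "10.1.1.2", "tcp", 22, 5),
]

# Constructed statistics from a later interval, standing in for the live network.
LIVE = [
    (9, "10.1.1.2", "tcp", 80, 2500), (9, "10.1.1.2", "tcp", 443, 600),
    (9, "10.1.1.3", "udp", 53, 300),
]

SERVICE_PPS_THRESHOLD = 100   # assumed: a port below this is not a Zone service


def learn_services(samples, threshold=SERVICE_PPS_THRESHOLD):
    """Service learning: (dst IP, protocol, port) tuples of TCP/UDP traffic
    whose peak pps reaches the threshold, with that peak, form the service list.
    Run it while Zone traffic is normal: it learns all inbound traffic."""
    peak = {}
    for _, dst, proto, port, pps in samples:
        if proto not in ("tcp", "udp"):
            continue
        key = (dst, proto, port)
        peak[key] = max(peak.get(key, 0), pps)
    return {k: v for k, v in sorted(peak.items()) if v >= threshold}


def learn_baseline(samples):
    """Dynamic baseline learning: total pps of each protocol destined for the
    Zone in each interval, i.e. the curve presented to the administrator."""
    totals = defaultdict(dict)   # proto -> {interval: pps}
    for interval, _, proto, _, pps in samples:
        totals[proto][interval] = totals[proto].get(interval, 0) + pps
    return {proto: [pts[i] for i in sorted(pts)] for proto, pts in totals.items()}


def recommend_thresholds(curve, margin_percent=20):
    """Defense threshold per protocol: the learned normal peak plus a margin,
    so that it is strictly higher than normal peak traffic (margin assumed)."""
    return {proto: max(points) * (100 + margin_percent) // 100
            for proto, points in curve.items()}


def detect_anomalies(live, thresholds):
    """Detection: a protocol whose live traffic hits its threshold is the
    anomaly the detecting device reports to the Management center."""
    totals = defaultdict(int)
    for _, _, proto, _, pps in live:
        totals[proto] += pps
    return sorted(p for p, v in totals.items() if p in thresholds and v >= thresholds[p])
```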

4.3.3 Defense Policy


The ATIC system delivers the layer-to-layer filtering mechanism and refined defense policies for abnormal traffic. Figure 4-3 shows defense policies for abnormal traffic.

Figure 4-3 Defense policy (diagram: incoming traffic passes through the interface-based defense policy, then the global defense policy (global filter, first-packet check, basic attack defense, malware check, DNS cache), then the Zone-based defense policy (network segment-based defense, service-based defense policy, default defense policy), and finally reaches the Zone as traffic destined for the Zone)

Before configuring defense policies, you are advised to learn the traffic model first. With the traffic model, you can learn about service types on the protected network and the curve values of the traffic of all types. For details on how to learn the traffic model, see 4.3.2 Traffic Model Learning.

The defense procedure is as follows:

1. Interface-based defense
The administrator must configure interface-based defense policies first to cope with heavy traffic attacks. Upon receiving packets, the anti-DDoS device performs the validity check on the LPU and directly discards illegitimate packets. Because attack packets are processed immediately on the LPU, the processing performance of the anti-DDoS device is enhanced. The anti-DDoS device can defend against the following attacks based on the interface:
- SYN Flood
- SYN-ACK Flood
- ACK Flood
- RST Flood
- TCP-abnormal Flood
- TCP Fragment Flood
- UDP Flood
- UDP Fragment Flood
- ICMP Flood
- DNS Request Flood
- DNS Reply Flood
- HTTP Flood
- SIP Flood
For details on how to configure interface-based defense, see Configuring an Interface-based Defense Policy.

2. Global defense
After global defense is configured, the device detects and cleans all available traffic regardless of Zones. The following global defense policies are available:
- Global filter
The anti-DDoS device supports TCP, UDP, IP, ICMP, DNS, HTTP, and SIP filters. The filter matches the packets destined for the anti-DDoS device based on configured packet features and performs any of the following actions for fine-grained filtering: Discard; Discard+Blacklist; Pass; Pass+Whitelist; Rate limiting; Source authentication (applying only to the HTTP filter).
- First-packet check
The anti-DDoS device supports the check on first SYN, TCP, UDP, ICMP, and DNS packets.
- Basic attack defense
Basic attacks are traditional single-packet Denial of Service (DoS) attacks, including scanning and sniffing attacks, malformed packet attacks, and special packet attacks.
- Malware check
The cleaning device employs the user-defined malware rule or loads the predefined signature database to check malware attacks.
- DNS cache
The cleaning device stores the IP address and domain name of the DNS cache server by loading a file. Upon attacks, the DNS cache-enabled cleaning device, instead of the DNS authoritative server, responds to the DNS cache server with cache information. This avoids the performance bottleneck of the DNS authoritative server.
For details on how to configure global defense policies, see Configuring a Global Filter, Configuring the First-Packet Check, Configuring Basic Attack Defense, Configuring the Malware Detection Function, and Configuring the DNS Smart Cache Function.

3. Zone-based defense
- Network segment-based defense
In network segment-based defense, the defense threshold is specified for all Zones. Statistics on traffic destined for all Zones are collected and the defense function is triggered once traffic hits the threshold. The anti-DDoS device can defend against the following attacks based on the network segment: SYN Flood; ACK Flood; DNS Request Flood; DNS Reply Flood; TCP Ratio; TCP Connection Flood; HTTP Flood. For details on how to configure network segment-based defense, see Configuring Network Segment-based Defense Policies.
- Service-based defense
Before you enable service-based defense, verify the main services on the protected network. The service learning function helps you learn about service types on the network. For details, see Configuring a Service and a Defense Policy (by Service Learning). The cleaning device classifies traffic destined for the Zone into services of different types by destination IP address, protocol type, and destination port. Different defense policies are configured for such services to provide refined and differentiated defense. Service-based defense distinguishes service traffic from non-service traffic and provides diversified defense measures for different traffic. The following defense measures are provided:
  Block: denies the packets of protocols that are not in the Zone.
  Defense: checks the traffic features and validity of various services to allow legitimate packets through and deny illegitimate ones.
  Traffic limiting: limits the traffic volume of a protocol in the Zone to within the threshold. Excess traffic is denied.
- Default policy Zone-based defense
Default policy defense targets non-service traffic destined for the Zone. Such non-service traffic can be traffic generated by user operations (such as Telnet and ping), redundant traffic, or attack traffic. You can configure different defense measures for the traffic of different types. The traffic generated by user operations is slight; therefore, defend against or limit such traffic. Block redundant or attack traffic.
For details on how to configure Zone-based defense, see Configuring the Zone-based Defense Policy.

4. Source IP address-based defense
In source IP address-based defense, when the packets from a source IP address hit the threshold, source validity check is triggered. Source IP addresses that are not authenticated are rate limited or blacklisted. This function mainly targets TCP packets.

After the layer-to-layer filtering mechanism is complete, Zone traffic complies with threshold specifications.
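The Zone-based stage of the procedure above, as an added example that is not ATIC code: traffic destined for the Zone is matched to the learned service list and handled by Block, Defense or Traffic limiting, while non-service traffic falls to the default policy. The service list, the packet records, the per-window counters and the single validity check standing in for the Defense measure are assumptions.

```python
"""Zone-based defense stage of the layer-to-layer filtering in section 4.3.3.

Added example, not ATIC code. Traffic destined for the Zone is matched to the
Zone's services by (destination IP, protocol, destination port). A service
carries one of the measures the text names: Block, Defense or Traffic limiting;
non-service traffic is handled by the default policy for its protocol. The
packet records, the per-window counters and the single validity check used to
stand in for the Defense measure (an illegal SYN+FIN flag combination) are
assumptions made for this example.
"""
from collections import defaultdict

# Service list of the Zone as service learning would produce it (constructed).
# measure: ("block", None) | ("defense", None) | ("limit", packets per window)
SERVICES = {
    ("10.1.1.2", "tcp", 80): ("limit", 3),
    ("10.1.1.2", "tcp", 443): ("defense", None),
    ("10.1.1.3", "udp", 53): ("limit", 2),
}

# Default policy for non-service traffic, by protocol (constructed): the text
# advises defending or limiting light operator traffic and blocking the rest.
DEFAULT_POLICY = {
    "icmp": ("limit", 2),
    "tcp": ("defense", None),
    "udp": ("block", None),
}

# Constructed packets destined for the Zone, in arrival order within one window.
SAMPLE_PACKETS = [
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 80, "flags": ("SYN",)},
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 80, "flags": ("ACK",)},
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 80, "flags": ("ACK",)},
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 80, "flags": ("ACK",)},       # over limit
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 443, "flags": ("SYN",)},
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 443, "flags": ("SYN", "FIN")},  # illegal flags
    {"dst": "10.1.1.3", "proto": "udp", "dport": 53},
    {"dst": "10.1.1.3", "proto": "udp", "dport": 53},
    {"dst": "10.1.1.3", "proto": "udp", "dport": 53},                            # over limit
    {"dst": "10.1.1.2", "proto": "icmp"},
    {"dst": "10.1.1.2", "proto": "icmp"},
    {"dst": "10.1.1.2", "proto": "icmp"},                                         # over limit
    {"dst": "10.1.1.2", "proto": "udp", "dport": 161},                            # non-service UDP: blocked
    {"dst": "10.1.1.2", "proto": "tcp", "dport": 22, "flags": ("SYN",)},         # non-service TCP: defense
]


class ZoneDefense:
    def __init__(self, services, default_policy):
        self.services = services
        self.default_policy = default_policy
        self.counters = defaultdict(int)   # scope -> packets seen so far in the window

    def new_window(self):
        """Traffic limiting is evaluated per window; reset the counters."""
        self.counters.clear()

    def select(self, pkt):
        """Service-based policy if the tuple is a Zone service, else the default policy."""
        key = (pkt["dst"], pkt["proto"], pkt.get("dport"))
        if key in self.services:
            return ("service", key), self.services[key]
        return ("default", pkt["proto"]), self.default_policy.get(pkt["proto"], ("block", None))

    def verdict(self, pkt):
        scope, (measure, arg) = self.select(pkt)
        if measure == "block":            # Block: protocol not allowed into the Zone
            return "drop"
        if measure == "limit":            # Traffic limiting: excess packets are denied
            self.counters[scope] += 1
            return "pass" if self.counters[scope] <= arg else "drop"
        # Defense: validity check; the assumed check is an illegal TCP flag combination
        flags = set(pkt.get("flags", ()))
        if pkt["proto"] == "tcp" and {"SYN", "FIN"} <= flags:
            return "drop"
        return "pass"


def run_window(packets, services=SERVICES, default_policy=DEFAULT_POLICY):
    """Verdicts, in order, for one window of packets destined for the Zone."""
    engine = ZoneDefense(services, default_policy)
    engine.new_window()
    return [engine.verdict(p) for p in packets]
```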

4.4 Packet Capture, Analysis and Report


The ATIC management center delivers packet capture, analysis, and report for subsequent maintenance. Packet capture is used to capture network traffic and locate network faults; analysis is used to analyze network traffic and attack logs; a report is used to periodically summarize Zone traffic and attack logs if desired.

Packet Capture
In packet capture, the anti-DDoS device captures packets according to the packet capture task delivered by the management center. Then the device encapsulates captured packets in a fixed format and sends them to the anti-DDoS collector for parsing. In actual applications, packet capture is mainly used to analyze and locate network problems. Different packet capture types are applicable to diversified application scenarios:
- ACL-based packet capture
When the anti-DDoS device does not detect attacks, but packet loss occurs on the protected network or access fails, you can adopt ACL-based packet capture to identify packet types and thereby analyze the defense failure.
- Global packet capture
A global packet capture task captures all discarded packets, including those discarded due to non-anti-DDoS policies such as malformed packet check and packet filtering. In so doing, the causes of service interruption are identified.
- Zone attack matched packet capture
The anti-DDoS device captures the packets discarded by attacks upon the Zone. This assists in analyzing attack events.
- Zone anomaly matched packet capture
The anti-DDoS device captures the abnormal packets of different types. This assists in analyzing abnormal events.

After the packet-capture task is complete, the captured packets are saved in the packet-capture file. With the packet-capture file, you can view attack events, trace attack sources, parse attack packets, and extract fingerprints for locating attacks and obtaining features and details on attackers, so that proper defense policies can be configured. The packet-capture file can also be downloaded to the local host for other operations.
- Viewing attack events
By viewing abnormal or attack events associated with the packet-capture file, you can analyze their details.
- Attack source tracing
You can obtain information about attack sources by using attack source tracing. Additionally, the system adds suspicious source IP addresses to the static blacklist to effectively defend against attacks.
- Packet parsing
You can obtain details on each packet by using packet parsing.
- Fingerprint extracting
With fingerprint extracting, the system extracts the features of abnormal or attack packets. Additionally, the system adds extracted fingerprints to the Zone fingerprint list as the reference for traffic cleaning.
- Packet-capture file download
The packet-capture file can be downloaded to the local host for future operations.

Analysis
The ATIC management center provides several types of analysis: traffic analysis, anomaly/attack analysis, DNS analysis, HTTP analysis, SIP analysis, and Botnets/Trojan horses/Worms analysis. Thereby, the administrator can comprehensively learn about network data in a timely manner and export the analysis result. Figure 4-4 shows the analysis diagram.

Figure 4-4 Analysis diagram (screenshot: analysis types, query condition setting area, display area)

Report
The ATIC management center comes with both the system report and the Zone report, and supports diversified reports. The system provides scheduled report generating and downloading functions for comprehensive reports. This minimizes labor investment and facilitates periodical network status monitoring and further query. Figure 4-5 shows the comprehensive report.

Figure 4-5 Diagram of a report (screenshot: report query condition setting area; report types displayed in the comprehensive report)


5 Technical Specifications

About This Chapter

5.1 AntiDDoS1000
5.2 AntiDDoS8000
5.3 ATIC Management Center


5.1 AntiDDoS1000
5.1.1 Functions and Features
Table 5-1 shows the functions and features supported by the Anti-DDoS device.

Table 5-1 Functions and features

Feature: Zone
  Description: Zones fall into the following types:
    - User-defined Zone
    - Default Zone

Feature: Traffic guide
  Sub-feature: Optical splitting and mirroring
  Sub-feature: Traffic diversion
    Description: Traffic diversion falls into the following modes:
    - Policy-based route diversion
    - BGP diversion
  Sub-feature: Traffic injection
    Description: Traffic injection falls into the following modes:
    - Layer 2 injection
    - Static route injection
    - Policy-based route injection
    - GRE injection
    - MPLS LSP injection
    - MPLS VPN injection

Feature: Defense mode
  Description: Defense modes fall into the following types:
    - Automatic
    - Manual
    - Detecting Only

Feature: Blacklist
  Description: Blacklists fall into the following types:
    - Global blacklist
    - LPU blacklist
    - Zone blacklist

Feature: Whitelist
  Description: Whitelists fall into the following types:
    - Global whitelist
    - Zone whitelist

Feature: Global defense policy
  Sub-feature: Interface-based defense
    Description: Interface-based defense falls into the following types:
    - SYN flood attack defense
    - SYN-ACK flood attack defense
    - ACK flood attack defense
    - RST flood attack defense
    - TCP anomaly flood attack defense
    - TCP fragment flood attack defense
    - UDP flood attack defense
    - UDP fragment flood attack defense
    - ICMP flood attack defense
    - DNS request flood attack defense
    - DNS reply flood attack defense
    - HTTP flood attack defense
    - SIP flood attack defense
  Sub-feature: Basic attack defense
    Description:
    - Defense against malformed packet attacks, including IP spoofing, Land, Fraggle, WinNuke, Ping of Death, Tear Drop, IP option, illegitimate IP fragment, illegitimate TCP flag, large ICMP, and Smurf attacks.
    - Defense against scanning and sniffing attacks, including address scanning, port scanning, Tracert, IP timestamp option, IP source routing options, IP route record options, ICMP redirection, and ICMP unreachable attacks.
  Sub-feature: Malware check
    Description: Zombie, Trojan horse, and worm check
  Sub-feature: DNS cache
  Sub-feature: DNS domain name blocking

Feature: Zone-based defense
  Sub-feature: Network segment-based defense
    Description: Network segment-based defense falls into the following types:
    - SYN flood attack defense
    - ACK flood attack defense
    - DNS request flood attack defense
    - DNS reply flood attack defense
    - TCP ratio attack defense
    - TCP connection flood attack defense
    - HTTP flood attack defense
  Sub-feature: Service-based defense
    Description: Service-based defense falls into the following types:
    - TCP defense
      - SYN flood attack defense
      - SYN-ACK flood attack defense
      - ACK flood attack defense
      - RST/FIN flood attack defense
      - TCP fragment flood attack defense
      - TCP connection flood attack defense
    - UDP defense
      - UDP flood attack defense
      - UDP fragment flood attack defense
    - ICMP flood attack defense
    - DNS packet attack defense
      - DNS request flood attack defense
      - DNS reply flood attack defense
      - DNS cache poisoning attack defense
      - DNS hijacking attack defense
      - DNS reflection attack defense
      - DNS unknown domain name request defense
      - DNS packet validity check
      - Rate limiting on DNS packets based on the domain name and source IP address
      - DNS cache
      - DNS top N statistics
      - DNS detailed statistics
    - HTTP flood attack defense
      - HTTP source authentication
      - URI behavior monitoring
      - Host filtering
    - HTTPS flood attack defense
    - SIP flood attack defense

Feature: Default defense
  Sub-feature: Source IP address-based defense
  Sub-feature: TCP packet attack defense

Feature: Packet capture
  Description: Packet capture falls into the following types:
    - ACL-based packet capture
    - Global packet capture
    - Zone-based packet capture of anomalies
    - Zone-based packet capture of attacks

5.1.2 Performance Specifications

Table 5-2 Overall system specifications

Item                     AntiDDoS1000
Dimensions (H x W x D)   43.6 mm x 442 mm x 560 mm
Weight                   Base chassis: 8.24 kg; fully configured chassis: 8.9 kg
CPU                      Multi-core MIPS processor; frequency: 950 MHz
Memory                   4 GB
NVRAM                    512 KB
Flash memory             64 MB
CF card                  2 GB
microSD card             Not supported
Rated input voltage      AC: 100 V to 240 V (50 Hz/60 Hz); DC: -48 V to -60 V
Maximum power            150 W

5.1.3 Environment Requirements


Table 5-3 Environment requirements

Item                                        Description
Altitude                                    2000 m (long-term operating temperature: 0°C to 45°C)
Atmospheric pressure                        70 kPa to 106 kPa
Operating temperature                       Long term: 0°C to 45°C; short term: -5°C to +55°C
Storage temperature                         -40°C to +70°C
Relative humidity (operating and storage)   Long term: 10% RH to 90% RH, non-condensing; short term: 5% RH to 95% RH, non-condensing

5.1.4 Standard and Protocol Compliance


Table 5-4 Compliant standards

Standard       Content
ETS 300 386    Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; Electromagnetic Compatibility (EMC) requirements
IEC 62151      Safety of equipment electrically connected to a telecommunication network
IEEE 802.1d    MAC bridges
IEEE 802.1p    Traffic Class Expediting and Dynamic Multicast Filtering
IEEE 802.1q    Virtual Bridged Local Area Networks
IEEE 802.3u    Definition of Fast Ethernet (100BTX, 100BT4, 100BFX)
IEEE 802.3z    Definition of Gigabit Ethernet (over Fibre)
ITU-T G.652    Characteristics of a single-mode optical fibre and cable
RFC0768        User datagram protocol (UDP)
RFC0791        Internet protocol (IP)
RFC0792        Internet Control Message Protocol (ICMP)
RFC0793        Transmission Control Protocol (TCP)
RFC0854        Telnet
RFC0894        Technical specification for network access server
RFC1157        Simple Network Management Protocol (SNMP)
RFC1213        Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1229        Extensions to the generic-interface MIB
RFC1661        Point-to-point links (PPP)
RFC1757        Remote network monitoring management information base
RFC2865        Remote authentication dial in user service (RADIUS)
RFC2869        RADIUS extensions
RFC2903        Generic AAA architecture
RFC2904        AAA authorization framework
RFC2906        AAA authorization requirements
RFC1492        An access control protocol, sometimes called TACACS
RFC2401        Security architecture for the Internet protocol
RFC2405        The ESP DES-CBC cipher algorithm with explicit IV
RFC2407        The Internet IP security domain of interpretation for ISAKMP
RFC2408        Internet security association and key management protocol (ISAKMP)
RFC2578        Structure of management information version 2 (SMIv2)
RFC2579        Textual conventions for SMIv2
RFC2580        Conformance statements for SMIv2
RFC1157        SNMP
RFC1155        Structure and identification of management information for TCP/IP-based Internets
RFC1213        Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1212        Concise MIB definitions
RFC1901        Introduction to community-based SNMPv2
RFC1035        NTPv3 specification
RFC854         Telnet protocol specification
RFC857         Telnet echo option
RFC858         Telnet "Suppress Go Ahead" option
RFC1091        Telnet terminal type option
RFC4250        The Secure Shell (SSH) Protocol Assigned Numbers
RFC4251        The Secure Shell (SSH) Protocol Architecture
RFC4252        The Secure Shell (SSH) Authentication Protocol
RFC4253        The Secure Shell (SSH) Transport Layer Protocol
RFC4254        The Secure Shell (SSH) Connection Protocol
RFC4255        Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
RFC4256        Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
RFC4335        The Secure Shell (SSH) Session Channel Break Extension
RFC4344        The Secure Shell (SSH) Transport Layer Encryption Modes
RFC4419        Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
RFC4462        Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC1350        TFTPv2
RFC959         FTP
RFC1945        Hypertext Transfer Protocol -- HTTP/1.0
RFC2145        Use and Interpretation of HTTP Version Numbers
RFC2616        Hypertext Transfer Protocol -- HTTP/1.1
RFC2617        HTTP Authentication: Basic and Digest Access Authentication
RFC2774        An HTTP Extension Framework
RFC2965        HTTP State Management Mechanism
RFC2792        DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System
RFC3447        Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
RFC1034        Domain names - concepts and facilities
RFC1035        Domain names - implementation and specification
RFC2543        SIP: Session Initiation Protocol
RFC2818        HTTP Over TLS

5.2 AntiDDoS8000
5.2.1 Functions and Features
Table 5-5 shows the functions and features supported by the Anti-DDoS device.

Table 5-5 Functions and features

Feature: Zone
  Description: Zones fall into the following types:
    - User-defined Zone
    - Default Zone

Feature: Traffic guide
  Sub-feature: Optical splitting and mirroring
  Sub-feature: Traffic diversion
    Description: Traffic diversion falls into the following modes:
    - Policy-based route diversion
    - BGP diversion
  Sub-feature: Traffic injection
    Description: Traffic injection falls into the following modes:
    - Layer 2 injection
    - Static route injection
    - Policy-based route injection
    - GRE injection
    - MPLS LSP injection
    - MPLS VPN injection

Feature: Defense mode
  Description: Defense modes fall into the following types:
    - Automatic
    - Manual
    - Detecting Only

Feature: Blacklist
  Description: Blacklists fall into the following types:
    - Global blacklist
    - LPU blacklist
    - Zone blacklist

Feature: Whitelist
  Description: Whitelists fall into the following types:
    - Global whitelist
    - Zone whitelist

Feature: Global defense policy
  Sub-feature: Interface-based defense
    Description: Interface-based defense falls into the following types:
    - SYN flood attack defense
    - SYN-ACK flood attack defense
    - ACK flood attack defense
    - RST flood attack defense
    - TCP anomaly flood attack defense
    - TCP fragment flood attack defense
    - UDP flood attack defense
    - UDP fragment flood attack defense
    - ICMP flood attack defense
    - DNS request flood attack defense
    - DNS reply flood attack defense
    - HTTP flood attack defense
    - SIP flood attack defense
  Sub-feature: Basic attack defense
    Description:
    - Defense against malformed packet attacks, including IP spoofing, Land, Fraggle, WinNuke, Ping of Death, Tear Drop, IP option, illegitimate IP fragment, illegitimate TCP flag, large ICMP, and Smurf attacks.
    - Defense against scanning and sniffing attacks, including address scanning, port scanning, Tracert, IP timestamp option, IP source routing options, IP route record options, ICMP redirection, and ICMP unreachable attacks.
  Sub-feature: Malware check
    Description: Zombie, Trojan horse, and worm check
  Sub-feature: DNS cache
  Sub-feature: DNS domain name blocking

Feature: Zone-based defense
  Sub-feature: Network segment-based defense
    Description: Network segment-based defense falls into the following types:
    - SYN flood attack defense
    - ACK flood attack defense
    - DNS request flood attack defense
    - DNS reply flood attack defense
    - TCP ratio attack defense
    - TCP connection flood attack defense
    - HTTP flood attack defense
  Sub-feature: Service-based defense
    Description: Service-based defense falls into the following types:
    - TCP defense
      - SYN flood attack defense
      - SYN-ACK flood attack defense
      - ACK flood attack defense
      - RST/FIN flood attack defense
      - TCP fragment flood attack defense
      - TCP connection flood attack defense
    - UDP defense
      - UDP flood attack defense
      - UDP fragment flood attack defense
    - ICMP flood attack defense
    - DNS packet attack defense
      - DNS request flood attack defense
      - DNS reply flood attack defense
      - DNS cache poisoning attack defense
      - DNS hijacking attack defense
      - DNS reflection attack defense
      - DNS unknown domain name request defense
      - DNS packet validity check
      - Rate limiting on DNS packets based on the domain name and source IP address
      - DNS cache
      - DNS top N statistics
      - DNS detailed statistics
    - HTTP flood attack defense
      - HTTP source authentication
      - URI behavior monitoring
      - Host filtering
    - HTTPS flood attack defense
    - SIP flood attack defense

Feature: Default defense
  Sub-feature: Source IP address-based defense
  Sub-feature: TCP packet attack defense

Feature: Packet capture
  Description: Packet capture falls into the following types:
    - ACL-based packet capture
    - Global packet capture
    - Zone-based packet capture of anomalies
    - Zone-based packet capture of attacks

5.2.2 Performance Specifications


If the Anti-DDoS device houses only SPUs and no other type of board, the performance specifications of the integrated device are as follows:

Table 5-6 Performance specifications of the Anti-DDoS device of each model

Item                                                   AntiDDoS8030                 AntiDDoS8080                 AntiDDoS8160
Maximum throughput of each SPU                         20 Gbit/s (all models)
Maximum throughput of each LPU                         40 Gbit/s (all models)
Maximum-throughput configurations of the integrated device   1 x LPU + 2 x SPU      3 x LPU + 5 x SPU            6 x LPU + 10 x SPU
Maximum throughput of the integrated device            40 Gbit/s                    100 Gbit/s                   200 Gbit/s
Number of concurrent connections                       16,000,000 (8,000,000 x 2)   40,000,000 (8,000,000 x 5)   80,000,000 (8,000,000 x 10)
Number of new connections per second                   1,000,000 (500,000 x 2)      2,500,000 (500,000 x 5)      5,000,000 (500,000 x 10)
Maximum number of ACL rules                            128,000 (all models)
Mean time between failures                             25 years (all models)

5.2.3 Environment Requirements


Table 5-7 Environment requirements

Item                                        Description
Altitude                                    2000 m (long-term operating temperature: 0°C to 45°C)
Atmospheric pressure                        70 kPa to 106 kPa
Operating temperature                       Long term: 0°C to 45°C; short term: -5°C to +55°C
Storage temperature                         -40°C to +70°C
Relative humidity (operating and storage)   Long term: 10% RH to 90% RH, non-condensing; short term: 5% RH to 95% RH, non-condensing

5.2.4 Compliant Standards and Protocols


Table 5-8 Compliant standards

Standard       Content
ETS 300 386    Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; Electromagnetic Compatibility (EMC) requirements
IEC 62151      Safety of equipment electrically connected to a telecommunication network
IEEE 802.1d    MAC bridges
IEEE 802.1p    Traffic Class Expediting and Dynamic Multicast Filtering
IEEE 802.1q    Virtual Bridged Local Area Networks
IEEE 802.3u    Definition of Fast Ethernet (100BTX, 100BT4, 100BFX)
IEEE 802.3z    Definition of Gigabit Ethernet (over Fibre)
ITU-T G.652    Characteristics of a single-mode optical fibre and cable
RFC0768        User datagram protocol (UDP)
RFC0791        Internet protocol (IP)
RFC0792        Internet Control Message Protocol (ICMP)
RFC0793        Transmission Control Protocol (TCP)
RFC0854        Telnet
RFC0894        Technical specification for network access server
RFC1157        Simple Network Management Protocol (SNMP)
RFC1213        Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1229        Extensions to the generic-interface MIB
RFC1661        Point-to-point links (PPP)
RFC1757        Remote network monitoring management information base
RFC2865        Remote authentication dial in user service (RADIUS)
RFC2869        RADIUS extensions
RFC2903        Generic AAA architecture
RFC2904        AAA authorization framework
RFC2906        AAA authorization requirements
RFC1492        An access control protocol, sometimes called TACACS
RFC2401        Security architecture for the Internet protocol
RFC2405        The ESP DES-CBC cipher algorithm with explicit IV
RFC2407        The Internet IP security domain of interpretation for ISAKMP
RFC2408        Internet security association and key management protocol (ISAKMP)
RFC2578        Structure of management information version 2 (SMIv2)
RFC2579        Textual conventions for SMIv2
RFC2580        Conformance statements for SMIv2
RFC1157        SNMP
RFC1155        Structure and identification of management information for TCP/IP-based Internets
RFC1213        Management information base for network management of TCP/IP-based Internets: MIB-II
RFC1212        Concise MIB definitions
RFC1901        Introduction to community-based SNMPv2
RFC1035        NTPv3 specification
RFC854         Telnet protocol specification
RFC857         Telnet echo option
RFC858         Telnet "Suppress Go Ahead" option
RFC1091        Telnet terminal type option
RFC4250        The Secure Shell (SSH) Protocol Assigned Numbers
RFC4251        The Secure Shell (SSH) Protocol Architecture
RFC4252        The Secure Shell (SSH) Authentication Protocol
RFC4253        The Secure Shell (SSH) Transport Layer Protocol
RFC4254        The Secure Shell (SSH) Connection Protocol
RFC4255        Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
RFC4256        Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
RFC4335        The Secure Shell (SSH) Session Channel Break Extension
RFC4344        The Secure Shell (SSH) Transport Layer Encryption Modes
RFC4419        Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
RFC4462        Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
RFC1350        TFTPv2
RFC959         FTP
RFC1945        Hypertext Transfer Protocol -- HTTP/1.0
RFC2145        Use and Interpretation of HTTP Version Numbers
RFC2616        Hypertext Transfer Protocol -- HTTP/1.1
RFC2617        HTTP Authentication: Basic and Digest Access Authentication
RFC2774        An HTTP Extension Framework
RFC2965        HTTP State Management Mechanism
RFC2792        DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System
RFC3447        Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
RFC1034        Domain names - concepts and facilities
RFC1035        Domain names - implementation and specification
RFC2543        SIP: Session Initiation Protocol
RFC2818        HTTP Over TLS

5.3 ATIC Management Center


Table 5-9 lists the functions and features of the ATIC management center, and Table 5-10 lists those of anti-DDoS services.

Table 5-9 Functions and features of the ATIC management center

Feature: NE Management
  - Automatically discovers NEs and synchronizes NE data in batches.
  - Manages NEs using SNMP, Telnet, or STelnet.
  - Configures firewalls through the embedded Web UI.

Feature: Performance Management
  - Supports the batch configuration of performance specifications on NEs, boards, and interfaces according to the granularity of the collecting rules. It can also specify the collection cycle for each performance specification.
  - Generates alarms according to the threshold configured for each performance specification, and sends the alarms to the integrated alarm management system. Users can then handle the alarms accordingly.
  - Customizes performance specifications.
  - Generates performance reports for NEs, boards, interfaces, and multi-CPU devices.

Feature: Alarm Management
  - Provides the monitoring page for users to monitor alarms round the clock. Supports alarm notifications by sound, text message, and email.
  - Generates NE alarms, performance threshold alarms, and DDoS alarms.
  - Supports various alarm operations such as alarm confirmation, alarm confirmation cancellation, manual deletion, and automatic deletion.
  - Masks alarms that do not need to be handled, according to learned experience.
  - Merges repeatedly reported alarms.
  - Queries historical alarms.

Feature: System Management
  - Supports user rights management, permission/domain-specific management, and the forcible logout of users.
  - Supports the monitoring of system services.
  - Queries and exports operating logs of the system.
  - Dumps alarms and operating logs to improve the performance of the managed NEs.
  - Maintains anti-DDoS data.

Table 5-10 Functions and features of anti-DDoS services

Feature: Zone
  Description: Zones include the following types:
    - User-Defined Zones
    - Default Zones
    - Zones Synchronized from the SIG

Feature: Traffic diversion
  Description: Traffic diversion falls into three modes:
    - Automatic traffic diversion
    - Manual traffic diversion
    - Static traffic diversion

Feature: Defense mode
  Description: Defense modes include the following types:
    - Automatic
    - Manual

Feature: Blacklist
  Description: The blacklist is classified into two types:
    - Static blacklist
    - Dynamic blacklist

Feature: Whitelist
  Description: The whitelist is classified into two types:
    - Static whitelist
    - Dynamic whitelist

Feature: Basic attack defense
  Description: Defense against malformed packet attacks and scanning and sniffing attacks, including Fraggle, ICMP redirection packet, ICMP unreachable packet, WinNuke, Land, Ping of Death, IP route record option, Smurf, IP source route option, TCP flag bit, Tear Drop, large ICMP packet, IP timestamp option, tracert, and large UDP packet.

Feature: Zone-based defense
  Sub-feature: Network segment-based defense
    Description: Network segment-based defense falls into the following types:
    - SYN flood attack defense
    - ACK flood attack defense
    - DNS request flood attack defense
    - DNS reply flood attack defense
    - TCP ratio attack defense
  Sub-feature: Service-based defense
    Description: Service-based defense falls into the following types:
    - TCP defense
      - SYN flood attack defense
      - SYN-ACK flood attack defense
      - ACK flood attack defense
      - FIN/RST flood attack defense
      - TCP fragment attack defense
      - TCP connection flood attack defense
    - UDP Defense
      - UDP flood attack defense
      - UDP fragment attack defense
    - ICMP defense
    - DNS defense
      - DNS request flood attack defense
      - DNS reply flood attack defense
      - DNS cache poisoning attack defense
      - Reflection attack defense
      - Detection of the requests for unknown domains
      - Packet format check
      - Rate limiting on DNS packets based on the domain name and source IP address
      - DNS cache
      - DNS top N statistics
      - DNS detailed statistics
    - HTTP Flood
      - HTTP source authentication defense
      - Destination IP-based URI behavior monitoring
      - Host filtering
    - HTTPS Flood
    - SIP Flood

Feature: Default Policy
  Sub-feature: Zone-based Defense

Feature: Packet Capture
  Description: Packet capture falls into the following types:
    - ACL-based packet capture
    - Global defense packet capture
    - Zone anomaly-based packet capture
    - Zone attacked packet capture
  Captured files are processed as follows:
    - View Event
    - Trace Source
    - Parse Packet
    - Extract Fingerprint

Feature: Report
  Sub-feature: Traffic Analysis
    - Data Overview
    - Traffic Comparison
    - Top N Zones by Traffic
    - Protocol Traffic Distribution
    - Number of TCP Connections
    - Board Traffic
  Sub-feature: Anomaly/Attack Analysis
    - Data Overview
    - Top N Zones by Anomaly/Attack
    - Top N Attacks
    - Anomaly/Attack Type Distribution
    - Packet Discarding Trend
    - Anomaly/Attack Details
  Sub-feature: DNS Analysis
    - Data Overview
    - Request Top N Trend
    - Cache Request Trend
    - Request Category Trend
    - Successful Resolution Ratio
    - Anomaly Packet Analysis
    - Malicious Domains Log
    - Malicious Domains Top N by Access Counts
  Sub-feature: Botnets/Trojan Horses/Worms Analysis
    - Botnets/Trojan Horses/Worms Log
    - Botnets/Trojan Horses/Worms Top N
  Sub-feature: System Report
    Description: Various reports generated for the NE.
  Sub-feature: Zone Report
    Description: Various reports generated for a Zone.
  Sub-feature: Scheduled Task
    Description: The system periodically generates reports and sends them to the specified email box.
  Sub-feature: Report Download
    Description: You can view and download reports generated by scheduled tasks.