Y S. Shashidar
Managing Director
Frost & Sullivan
Middle East, North Africa and South Asia
2 Solution Highlights
2.1 Overview
Designed for carriers, enterprises, data centers, and ICP service providers (including providers for Web portals, online games,
online videos, and DNS services), Huawei anti-DDoS solution incorporates extensive experience in network security and full
understanding of customer demands.
Huawei anti-DDoS solution enhances defense against application-layer attacks, IPv4-IPv6 attack defense, and defense against
zombies, Trojan horses, and worms. This fully ensures network security and service continuity.
Huawei anti-DDoS solution uses a leaser-specific service design for management and configuration, which implements a series
of functions, including leaser service model learning, leaser configuration, and report self-service. Moreover, IDC operators can
provide the anti-DDoS solution to their leasers as a SaaS service to increase leaser stickiness, improve IDC competitiveness,
and add to IDC operating profits.
2.2 Functions
Service-based defense policy
Huawei anti-DDoS solution supports continuous, periodic learning and analysis of the Zone's service traffic, builds a
profile of normal service traffic, and enables differentiated defense types and policies for different services, or for one service in
different time ranges, thereby implementing refined defense.
Accurate abnormal traffic cleaning
Huawei anti-DDoS solution uses the per-packet detect technology. Defense is triggered immediately by an attack. This solution
applies multiple technologies, including seven-layer filtering, behavior analysis, and session monitoring, to accurately defend
against various flood attacks, Web application attacks, DNS attacks, SSL DoS/DDoS attacks, and protocol stack vulnerability
attacks. In this way, application servers are protected.
Intelligently caching DNS traffic
Besides accurately defending against various attacks on the DNS server, Huawei anti-DDoS solution supports DNS cache for
improved performance under heavy DNS server traffic.
Defense against prevailing zombies/Trojan horses/worms
By spreading Trojan horses and worms to large numbers of hosts, hackers control the hosts hierarchically and form the botnet
to launch attacks. Therefore, botnets breed DDoS attacks. Huawei anti-DDoS solution identifies and blocks over 200 common
zombies/Trojan horses/worms worldwide, therefore smashing botnets.
Perfect IPv4-IPv6 defense
In February 2011, IANA declared that IPv4 addresses were exhausted. Enterprises have no new IPv4 addresses and have begun
to put IPv6 network construction on the agenda. The solution's own IPv4-IPv6 technology supports
concurrent defense against DDoS attacks on both IPv4 and IPv6 networks. The solution addresses DDoS attack defense
requirements in dual-stack networks and helps users transition to the next-generation network.
Flexible networking
The anti-DDoS solution must be adaptive to various network environments and address different grades of service requirements.
On this basis, Huawei anti-DDoS solution provides multiple in-line and off-line deployments, which enable customers to select
flexibly by their services and networks.
In-line deployment: serially connects the detecting and cleaning modules to the network to be protected for direct traffic
detecting and cleaning. The high-performance and multi-core hardware platform in use not only ensures the detecting and
cleaning accuracy, but also minimizes the processing delay. Moreover, Huawei anti-DDoS solution provides the bypass module.
When an anomaly occurs, traffic is sent to the cleaning module, which avoids introducing new failures.
Off-line traffic-diversion deployment: deploys the cleaning module on the network in off-line mode. Once detecting DDoS
attack traffic, the detecting and cleaning centers perform actions based on the policies configured in the management center.
2.3 Highlights
Highlights of Huawei anti-DDoS solution:
Efficient and speedy: 200 Gbit/s defense performance and response within seconds
High-performance and multi-core CPU, providing anti-DDoS products covering 2 Gbit/s to 200 Gbit/s performance to
defend against all types of DDoS attack.
Self-learning of the service model and per-packet detect technology. Once a traffic or packet anomaly is found, the defense
policy is automatically triggered. The defense latency is within two seconds.
Accurate and comprehensive: "V-ISA" reputation technical system, can defend against hundreds of attacks
"V-ISA" reputation technical system that can defend against hundreds of DDoS attacks, with industry-leading
defense types.
[Figure: layered filtering. Traffic labels: protocol stack threat, featured DoS/DDoS attack, transport-layer threat, application-layer threat, abnormal connection threat, low-rate attack, burst traffic, normal traffic. Filtering stages: abnormal traffic filtering, feature filtering, forged source authentication, application-layer authentication, session analysis, behavior analysis, intelligent rate limiting.]
Defense against over 200 zombies, Trojan horses, and worms, protecting users from hackers.
IPv4/IPv6 defense: the first to support IPv6 attack defense and concurrent IPv4 and IPv6 attack defense.
Particular terminal identification technology to accurately identify client types, such as smart terminals, set-top boxes, and
common clients, as well as client-specific defense technologies to ensure zero false positives.
Value-added operation: protection for tens of thousands of leasers and diverse self-services
Leaser-based service design to protect 100,000 leasers concurrently.
Self-configuration of defense policies and the generation of independent security reports, providing visibility into defense effects.
Capture of attack packets, extraction of attack features, and user-defined attack feature filtering to effectively defend
against DDoS attacks and zero-day attacks.
[Figure: solution components. Labels: management center, detecting center, cleaning center, policy interworking, control interworking, device management, policy management, report display.]
Detecting center: As the "antenna" of the entire solution, the detecting center receives detecting policies delivered by the ATIC
management center, identifies and detects DDoS traffic, and reports detecting results back to the ATIC management center.
Cleaning center: As the "executor" of the entire solution, the cleaning center cleans DDoS traffic on the network based on
the control signals delivered by the ATIC management center.
ATIC management center: As the "brain" of the solution, the ATIC management center allows the user to customize
detecting and cleaning policies and delivers the policies to the detecting center and cleaning center to control the detecting
and cleaning process. The user can also generate and view attack reports and cleaning records in the ATIC
management center.
Note 1: In practice, the detecting center can be a Per-packet detect technology-enabled detecting device or Netflow sampling
detecting device.
Note 2: The cleaning center can be serially connected to the user network, without a detecting center, for bidirectional defense. The
networking depends on actual requirements.
[Figure: IDC egress deployment. Labels: Internet, anti-DDoS cleaning center, Leaser A.]
Huawei anti-DDoS solution deployed at the IDC egress delivers the following functions:
1. Defends against attacks on the DNS server, for example, DNS protocol stack vulnerability attacks, DNS reflection attacks,
DNS flood attacks, and DNS CacheMiss attacks, and supports DNS cache for improved DNS server performance under
heavy traffic.
2. Defends against attacks on Web servers, for example, SYN flood attacks, HTTP flood attacks, CC attacks, and low-rate
connection attacks.
3. Defends against attacks on online games, for example, UDP flood attacks, SYN flood attacks, and TCP attacks.
4. Defends against SSL DoS/DDoS attacks on HTTPS servers.
5. Provides customers with self-service policy configuration and reports by operating anti-DDoS as a security service.
4 Success Stories
4.1 Tencent IDC Service Protection
Customer Challenges
Tencent IDC processes a huge volume of services and suffers various DDoS attacks from the Internet every day, especially
attacks on online games and DNS servers. Defending devices, such as traditional firewalls and IPS devices, are not effective at
DDoS attack defense. When DDoS attacks are launched, these devices may exhaust connections and resources. Enabling
attack defense may interrupt normal services. Therefore, Tencent faces major security challenges.
Solution
Deploy an anti-DDoS cleaning device at the Tencent IDC egress in off-line mode to defend against DDoS attacks on the IDC service system.
[Figure: Tencent IDC deployment. Labels: management center, cleaning center, detecting center, Internet, data center A, data center B.]
This deployment requires high performance, reliability, and scalability of the anti-DDoS device. The device must also be able
to restore services rapidly after an incident occurs, and all the deployed anti-DDoS devices can be managed globally.
Huawei anti-DDoS solution, applied to multiple Tencent IDCs, features high performance, sound reliability, and fine defense
effects, and has been favorably received at Tencent.
Customer Benefits
"Huawei device displays normal status during IDC attack defense and successfully defends against continuous DNS flood attacks.
The protected services operate stably, and no user complaint is received. Therefore, Huawei device is highly regarded by the
personnel in the service line."
----Tencent Aegis team
AntiDDoS1000 series
AntiDDoS8000 series
6 Specifications
| Model | AntiDDoS1520 | AntiDDoS1550 | AntiDDoS1500-D | AntiDDoS8030 | AntiDDoS8080 | AntiDDoS8160 |
| --- | --- | --- | --- | --- | --- | --- |
| Series | AntiDDoS1000 | AntiDDoS1000 | AntiDDoS1000 | AntiDDoS8000 | AntiDDoS8000 | AntiDDoS8000 |
| Flood defense performance | 3 Mpps | 3 Mpps | 3 Mpps | 30 Mpps (15 Mpps/SPU) | 75 Mpps (15 Mpps/SPU) | 150 Mpps (15 Mpps/SPU) |
| Detecting/Cleaning performance | 2 Gbit/s | 5 Gbit/s | 5 Gbit/s (detecting) | 40 Gbit/s (20 Gbit/s per SPU) | | |
| Defense start latency | 2 seconds | 2 seconds | 2 seconds | 2 seconds | 2 seconds | 2 seconds |
| Dimensions (H × W × D) | 43.6 × 442 × 560 | 43.6 × 442 × 560 | 43.6 × 442 × 560 | 175 × 442 × 650 (DC), 220 × 442 × 650 (AC) | 620 × 442 × 650 (DC), 709 × 442 × 650 (AC) | 1420 × 442 × 650 (DC), 1598 × 442 × 650 (AC) |
| Maximum power consumption | 150 W | 150 W | 150 W | 1330 W (DC), 1368 W (AC) | 3038 W (DC), 3231 W (AC) | 5824 W (DC), 6195 W (AC) |

Fixed interface: 4 × GE (RJ45) + 4 × GE (combo)
Expansion slot: 2 FIC; 16
Expansion interface card: 2 × 10GE (SFP+); 2 × 10GE (SFP+) + 8 × GE (RJ45); 8 × 1GE (SFP); 8 × 1GE (RJ45); 1 × 10GE (XFP); 2 × 10GE (XFP); 1 × 10G POS (XFP); 12 × 1GE (SFP); 20 × 1GE (SFP)
Bypass card: 4 × 1 GE (RJ45); dual-link LC/UPC multi-mode optical interface; dual-link LC/UPC single-mode optical interface; None
Blacklist, HTTP field-based filtering, and TCP/UDP/Other protocol load feature-based filtering
Protocol vulnerability defense: Defense against IP spoofing, LAND, Fraggle, Smurf, WinNuke, Ping of Death, Tear Drop, IP Option, IP fragment control packet, TCP label validity check, large ICMP control packet, ICMP redirect control packet, and ICMP unreachable control packet attacks
Transport-layer attack defense: Defense against SYN flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP fragment flood, UDP flood, UDP fragment flood, and ICMP flood attacks
Scanning and sniffing attack defense: Defense against port scanning, address scanning, Tracert control packet, IP Option, IP timestamp, and IP routing record attacks
DNS attack defense: Defense against forged source DNS query flood attacks, real source DNS query flood attacks, DNS reply flood attacks, DNS cache poisoning attacks, DNS protocol vulnerability attacks, and fast flux botnet
Web attack defense: Defense against HTTP get/post flood attacks, CC attacks, HTTP slow header/post attacks, HTTPS flood attacks, SSL DoS/DDoS attacks, TCP connection attacks, Sockstress attacks, TCP retransmission attacks, and TCP null connection attacks
VoIP attack defense
Zombie/Trojan horse/Worm attack defense: Defense against over 200 zombies, Trojan horses, and worms, such as LOIC, HOIC, Slowloris, Pyloris, HttpDosTool, Slowhttptest, and Thc-ssl-dos
IPv6 defense types: Defense against ICMP fragment attacks, blacklist, HTTP field-based filtering, TCP/UDP/Other protocol load feature-based filtering, SYN flood attacks, ACK flood attacks, SYN-ACK flood attacks, FIN/RST flood attacks, TCP fragment flood attacks, UDP flood attacks, UDP fragment flood attacks, ICMP flood attacks, forged source DNS query flood attacks, real source DNS query flood attacks, DNS reply flood attacks, DNS cache poisoning attacks, DNS protocol vulnerability attacks, fast flux botnet, HTTP get/post flood attacks, CC attacks, HTTP slow header/post flood attacks, HTTPS flood attacks, SSL DoS/DDoS attacks, TCP connection attacks, Sockstress attacks, TCP retransmission attacks, TCP null connection attacks, and SIP flood attacks
Supported
7 Ordering Information
7.1 Ordering Information of AntiDDoS1000
Basic configurations of the AntiDDoS1500-D
AntiDDoS1500D-AC
AntiDDoS1500D-DC
Alternative
AntiDDoS1520-DC
Alternative
AntiDDoS1550-DC
Alternative
2 x 10GE optical interface card+8 GE electrical interface card, with HS General Security
Platform Software
Optional
FIC-8GE
Optional
FIC-2SFP+
Optional
FIC-8SFP
Optional
FIC-8SFP
Optional
FIC-2LINE-MBYPASS
2 Link LC/UPC Multimode Optical Interface Bypass Protect Card, with HS General Security
Platform Software
Optional
FIC-2LINE-S-BYPASS
2 Link LC/UPC Singlemode Optical Interface Bypass Protect Card, with HS General Security
Platform Software
Optional
ADSCT001WIN01
Windows Chinese Platform (AC PC Server, Hard Disk, Microsoft Windows Server and
Patches, Chinese), Including OS License
Optional
ADSCT001WIN03
Windows Chinese Platform (DC PC Server, Hard Disk, Microsoft Windows Server and
Patches, Chinese), Including OS License
Optional
Anti-DDoS components
Optional
Alternative
Optional
AntiDDoS8030BASE-AC
Alternative
AntiDDoS8080
AntiDDoS8080BASE-DC
Mandatory
CR52-PWRA-AC-DF
AC Distribution Frame for Cabinet, 2 or 6 Input, 6 (2*3) Output, 6 Group of 2 Poles 20A
Air Switch
AC
mandatory
USG9500-PWR-AC
AC
mandatory
AntiDDoS8160BASE-DC
Mandatory
CR52-PWRA-AC-DF
AC Distribution Frame for Cabinet, 2 or 6 Input, 6 (2*3) Output, 6 Group of 2 Poles 20A
Air Switch
AC
mandatory
USG9500-PWR-AC
AC
mandatory
AntiDDoS8160
AntiDDoS8000 Series
ADS-SPUA01
Service Processing Unit, Double CPUs, with HS General Security Platform Software
LIC-ADS-10GDDD00
Capability for Detector (a multiple of 10G), with HS General Security Platform Software
LIC-ADS-10GDDC00
Capability for Cleaning (a multiple of 10G), with HS General Security Platform Software
ADS-SPUA02
Service Processing Unit, Four CPUs, with HS General Security Platform Software
LIC-ADS20GDDD00
Capability for Detector (a multiple of 20G), with HS General Security Platform Software
LIC-ADS-20GDDC00
Capability for Cleaning (a multiple of 20G), with HS General Security Platform Software
Optional (the
SPU must be
used with a
license)
Optional (the
SPU must be
used with a
license)
Flexible Card Line Processing Unit (LPUF-40, 2 sub-slots) A, with HS General Security
Platform Software
Optional
FWCD00L2XX01
Optional
FWCD00EFGF01
Optional
FWCD0LPUKD01
Flexible Card Line Processing Unit (LPUF-21, 2 Sub-Slots) B, With HS General Security
Platform Software
Optional
FWCD00L1XX01
1-Port 10GBase WAN/LAN XFP Flexible Interface Daughter Card, With HS General
Security Platform Software
Optional
FWCD00EBGF01
12-Port 100/1000Base-X SFP Flexible Interface Daughter Card, With HS General Security
Platform Software
Optional
FWCD00EBGE01
Optional
FWCD0P1XBZ01
Optional
LPUF21
Anti-DDoS components
ADSCT001WIN01
Windows Chinese Platform (AC PC Server, Hard Disk, Microsoft Windows Server and
Patches, Chinese), Including OS License
Optional
ADSCT001WIN03
Windows Chinese Platform (DC PC Server, Hard Disk, Microsoft Windows Server and
Patches, Chinese), Including OS License
Optional
NS19MKM00
Optional
AntiDDoS8000 Series
Anti-DDoS management center
LIC-ADS-NOFA00
LIC-ADS-DOFA00
ATIC Operation Feature Summary, with HS General Security Platform Software (including
professional DNS defense)
Alternative
Optional
Optional
LIC-ADS-WEB00
Optional
LIC-ADS-DOM50
Number of DDoS Zone (a multiple of 10G), with HS General Security Platform Software
Optional
LIC-ADS-10GDDD00
Capability for Detector (a multiple of 10G), with HS General Security Platform Software
Optional
LIC-ADS-10GDDC00
Capability for Cleaning (a multiple of 10G), with HS General Security Platform Software
Optional
LIC-ADS20GDDD00
Capability for Detector (a multiple of 20G), with HS General Security Platform Software
Optional
LIC-ADS-20GDDC00
Capability for Cleaning (a multiple of 20G), with HS General Security Platform Software
Optional
OOS314S00
Optical Splitter, Single Mode, Support Three Optical Links (1*4 each), 1310/1550nm,
+/-40nm, 70:10:10:10, LC/UPC, 0.25mm, SMF-28e, 180.3*144.45*18.1
Optional
OOS412S00
Optical Splitter, Single Mode, Support Four Optical Links (1*2 each), 1310/1550nm,
+/-40nm, 80:20, LC/UPC, 0.25mm, SMF-28e, 0.2dB, 180.3*144.45*18.1
Optional
OOS413S00
Optical Splitter, Single Mode, Support Four Optical Links (1*3 each), 1310/1550nm,
+/-40nm, 70:15:15, LC/UPC, 0.25mm, SMF-28e, 180.3*144.45*18.1
Optional
OOS412M00
Optical Splitter, Multi-mode, Support Four Optical Links (1*2 each), 850nm, +/-40nm,
50:50, LC/UPC, 0.25mm, 62.5/125ume, 250um loose tube, 0.2dB, 180.3*144.45*18.1
Optional
OOSSMRC00
Optional
OOS412S01
Optical Splitter, Single Mode, Support Four Optical Links (1*2 each), 1310/1550nm,
+/-40nm, 50:50, LC/UPC, 0.25mm, SMF-28e, 0.2dB, 180.3*144.45*18.1mm
Optional
www.huawei.com