Anti-DDoS1000 DDoS Protection Systems

Responds within seconds to defend your critical online services against more than 100 types of DDoS attacks. Financial enterprises, government sectors, ICPs, and data centers all depend on Huawei’s DDoS protection system.

Accurate, comprehensive solution ensures service continuity. The system can “learn” more than 60 types of traffic patterns, so you can generate automatic security policies.

Shield your services against organized hackers with Huawei’s AntiDDoS1000 Series DDoS Protection System.

Product Highlight

Overview

Designed for carriers, enterprises, data centers, and ICP service providers (including providers of Web portals, online games, online videos, and DNS services), the Huawei anti-DDoS solution incorporates extensive experience in network security and a full understanding of customer demands.

The Huawei anti-DDoS solution strengthens defense against application-layer attacks, against attacks on IPv4 and IPv6 networks, and against zombies, Trojan horses, and worms. This fully ensures network security and service continuity.

The Huawei anti-DDoS solution uses a tenant-specific service design for management and configuration, which implements a series of functions, including tenant service model learning, tenant configuration, and self-service reports. Moreover, IDC operators can offer the anti-DDoS solution to their tenants as a SaaS service to increase tenant loyalty, improve IDC competitiveness, and add to IDC operating profits.

Functions

Service-based defense policy

The Huawei anti-DDoS solution continuously and periodically learns and analyzes the service traffic of the Zone, builds a profile of normal service traffic, and enables differentiated defense types and policies for different services, or for one service in different time ranges, thereby implementing refined defense.

Accurate abnormal traffic cleaning

The Huawei anti-DDoS solution uses per-packet detection technology, so defense is triggered immediately by an attack. The solution applies multiple technologies, including seven-layer filtering, behavior analysis, and session monitoring, to accurately defend against various flood attacks, Web application attacks, DNS attacks, SSL DoS/DDoS attacks, and protocol stack vulnerability attacks. In this way, application servers are protected.

Intelligently caching DNS traffic

Besides accurately defending against various attacks on the DNS server, Huawei anti-DDoS solution supports DNS cache for improved performance under heavy DNS server traffic.

Defense against prevailing zombies/Trojan horses/worms

By spreading Trojan horses and worms to large numbers of hosts, hackers control the hosts hierarchically and form botnets to launch attacks. Botnets are therefore the breeding ground of DDoS attacks. The Huawei anti-DDoS solution identifies and blocks over 200 common zombies/Trojan horses/worms worldwide, thereby breaking up botnets.

Perfect IPv4-IPv6 defense

In February 2011, IANA declared that IPv4 addresses were exhausted. Enterprises can no longer obtain new IPv4 addresses and have begun to put IPv6 network construction on the agenda. The IPv4-IPv6 technology of the Huawei anti-DDoS solution supports concurrent defense against DDoS attacks on both IPv4 and IPv6 networks. The solution addresses DDoS attack defense requirements in dual-stack environments and helps users transition to the next-generation network.

Flexible networking

An anti-DDoS solution must adapt to various network environments and meet different grades of service requirements. On this basis, the Huawei anti-DDoS solution provides multiple in-line and off-line deployments, from which customers can select flexibly according to their services and networks.

In-line deployment: connects the detecting and cleaning modules in series with the network to be protected for direct traffic detecting and cleaning. The high-performance, multi-core hardware platform in use not only ensures detecting and cleaning accuracy, but also minimizes processing delay. Moreover, the Huawei anti-DDoS solution provides the bypass module. When an anomaly occurs, traffic is sent to the cleaning module, which avoids introducing new failures.

Off-line traffic-diversion deployment: deploys the cleaning module on the network in off-line mode. Once DDoS attack traffic is detected, the detecting and cleaning centers perform actions based on the policies configured in the management center.

Specification

| Model | AntiDDoS1520 | AntiDDoS1550 | AntiDDoS1500-D |
|---|---|---|---|
| Flood defense performance | 3 Mpps | 3 Mpps | 3 Mpps |
| Detecting/Cleaning performance | 2 Gbit/s | 5 Gbit/s | 5 Gbit/s (detecting) |
| Defense start latency | ≤ 2 seconds | ≤ 2 seconds | ≤ 2 seconds |
| Dimensions (H × W × D) | 43.6 × 442 × 560 | 43.6 × 442 × 560 | 43.6 × 442 × 560 |
| Maximum power consumption | 150 W | 150 W | 150 W |

Fixed interface: 4 × GE (RJ45) + 4 × GE (combo)

Expansion slot: 2 × FIC

Expansion interface card: 2 × 10GE (SFP+); 2 × 10GE (SFP+) + 8 × GE (RJ45); 8 × 1GE (SFP); 8 × 1GE (RJ45)

Bypass card: 4 × 1 GE (RJ45); Dual-link LC/UPC multi-mode optical interface; Dual-link LC/UPC single-mode optical interface

IPv4 defense types

Anomaly filtering: Blacklist, HTTP field-based filtering, and TCP/UDP/Other protocol load feature-based filtering

Protocol vulnerability defense: Defense against IP spoofing, LAND, Fraggle, Smurf, WinNuke, Ping of Death, Tear Drop, IP Option, IP fragment control packet, TCP label validity check, large ICMP control packet, ICMP redirect control packet, and ICMP unreachable control packet attacks

Transport-layer attack defense: Defense against SYN flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP fragment flood, UDP flood, UDP fragment flood, and ICMP flood attacks

Scanning and sniffing attack defense: Defense against port scanning, address scanning, Tracert control packet, IP Option, IP timestamp, and IP routing record attacks

DNS attack defense: Defense against forged source DNS query flood attacks, real source DNS query flood attacks, DNS reply flood attacks, DNS cache poisoning attacks, and DNS protocol vulnerability attacks

Web attack defense: Defense against HTTP get/post flood attacks, CC attacks, HTTP slow header/post attacks, HTTPS flood attacks, SSL DoS/DDoS attacks, TCP connection attacks, Sockstress attacks, TCP retransmission attacks, and TCP null connection attacks

VoIP attack defense: Defense against SIP flood attacks

Zombie/Trojan horse/Worm attack defense: Defense against over 200 zombies, Trojan horses, and worms, such as LOIC, HOIC, Slowloris, Pyloris, HttpDosTool, Slowhttptest, and Thc-ssl-dos

IPv6 defense types

IPv6 defense types: Defense against ICMP fragment attacks, blacklist, HTTP field-based filtering, TCP/UDP/Other protocol load feature-based filtering, SYN flood attacks, ACK flood attacks, SYN-ACK flood attacks, FIN/RST flood attacks, TCP fragment flood attacks, UDP flood attacks, UDP fragment flood attacks, ICMP flood attacks, forged source DNS query flood attacks, real source DNS query flood attacks, DNS reply flood attacks, DNS cache poisoning attacks, DNS protocol vulnerability attacks, fast flux botnet, HTTP get/post flood attacks, CC attacks, HTTP slow header/post flood attacks, HTTPS flood attacks, SSL DoS/DDoS attacks, TCP connection attacks, Sockstress attacks, TCP retransmission attacks, TCP null connection attacks, and SIP flood attacks

IPv4/IPv6 dual-stack attack defense: Supported

Ordering Information

Ordering Information of AntiDDoS1000

| Item | Description | Remarks |
|---|---|---|
| Basic configurations of the AntiDDoS1500-D | | |
| AntiDDoS1500D-AC | AntiDDoS1500 D-SUBZ31UAH-AMS1500-D AC Host, with HW General Security Platform Software | Alternative |
| AntiDDoS1500D-DC | AntiDDoS1500 D-SUBZ31UDH-AMS1500-D DC Host, with HW General Security Platform Software | |
| Basic configurations of the AntiDDoS1520 | | |
| AntiDDoS1520-AC | AntiDDoS1520-SUBZ11UAH-AMS1520 AC Host, with HW General Security Platform Software | Alternative |
| AntiDDoS1520-DC | AntiDDoS1520-SUBZ11UDH-AMS1520 DC Host, with HW General Security Platform Software | |
| Basic configurations of the AntiDDoS1550 | | |
| AntiDDoS1550-AC | AntiDDoS1550-SUBZ21UAH-AMS1550 AC Host, with HW General Security Platform Software | Alternative |
| AntiDDoS1550-DC | AntiDDoS1550-SUBZ21UDH-AMS1550 DC Host, with HW General Security Platform Software | |
| Interface modules of the AntiDDoS series | | |
| FIC-2SFP+&8GE | 2 x 10GE optical interface card+8 GE electrical interface card, with HW General Security Platform Software | Optional |
| FIC-8GE | 8 GE electrical interface card, with HW General Security Platform Software | Optional |
| FIC-2SFP+ | 2 x 10GE optical FIC, with HW General Security Platform Software | Optional |
| FIC-8SFP | 8 GE optical FIC, with HW General Security Platform Software | Optional |
| FIC-2LINE-M-BYPASS | 2 Link LC/UPC Multimode Optical Interface Bypass Protect Card, with HW General Security Platform Software | Optional |
| FIC-2LINE-S-BYPASS | 2 Link LC/UPC Singlemode Optical Interface Bypass Protect Card, with HW General Security Platform Software | Optional |
| Anti-DDoS components | | |
| ADSERVER-OS-EN | Windows English Platform (AC PC Server, Hard Disk, Microsoft Windows Server, English), Including OS License | Optional |
| G0MYSQL02 | System Application Software, Light Application Data Management Software Package (5.5 S), 1 Year Standard Product Services | Optional |
| NS19MKM00 | USB KB&Mouse, Monitor 19-Inch TFT LCD, Max. Pels 1280*1024/75Hz, 100~240VAC Power, No Doc., Black | Optional |
| Anti-DDoS management center | | |
| LIC-ADS-NOFA00 | ATIC Basic Feature Summary, with HW General Security Platform Software | Alternative |

 

DDoS Protection/Defence

As IT and the Internet have evolved, the Distributed Denial of Service (DDoS) attack has moved beyond its origins as individual hacker behavior. Instead, it now forms a complete underground industry chain capable of overwhelming damage. At present, a single DDoS attack consumes more than 100 Gbit/s of bandwidth, ten times that in 2007. DDoS attacks have increased by 20 times, and over 30,000,000 zombie hosts flood the network. Moreover, attack tools have become intelligent, and attack behaviors have become concealed and emulate normal behavior. Attacks on DC applications are especially rampant, defeating customers' current defense measures.

Competitive products from other vendors include Arbor Networks TMS 2300, 2800, 500, SP2000, 2100, 2200, 2600, 2800 and A10 Networks Thunder 3030S, 4435(S), 5435(S), 6435(S), 6635(S) TPS.