Anti-DDoS8000 DDoS Protection Systems

Carriers, large enterprises, data centers, and large ICPs can now protect their online services with the world’s first Terabit DDoS defense. Huawei’s AntiDDoS8000 Series responds within 2 seconds to more than 100 types of DDoS attacks.

Big Data analytics technologies “teach” systems to learn more than 60 traffic patterns and build a Huawei-proprietary reputation mechanism to guard against application-layer botnet attacks. A mobile botnet database defends mobile gateways. Customer-oriented management and reports improve security.

AntiDDoS8000 Highlight

Overview

Designed for carriers, enterprises, data centers, and ICP service providers (including providers for Web portals, online games, online videos, and DNS services), Huawei anti-DDoS solution incorporates extensive experience in network security and full understanding of customer demands.

Huawei anti-DDoS solution enhances defense against application-layer attacks, IPv4-IPv6 attack defense, and defense against zombies, Trojan horses, and worms. This fully ensures network security and service continuity.

Huawei anti-DDoS solution uses a leaser-specific service design for management configuration, which implements a series of functions, including leaser service model learning, leaser configuration, and report self-service. Moreover, IDC operators can provide the anti-DDoS solution to their leasers as a SaaS service to increase leaser stickiness, improve IDC competitiveness, and add to IDC operation profits.

Functions

Service-based defense policy

Huawei anti-DDoS solution supports continuous periodic learning and analysis of the service traffic of the Zone, draws the outline of normal service traffic, and enables differentiated defense types and policies for various services or for one service in different time ranges, thereby implementing refined defense.

Accurate abnormal traffic cleaning

Huawei anti-DDoS solution uses the per-packet detect technology. Defense is triggered immediately by an attack. This solution applies multiple technologies, including seven-layer filtering, behavior analysis, and session monitoring, to accurately defend against various flood attacks, Web application attacks, DNS attacks, SSL DoS/DDoS attacks, and protocol stack vulnerability attacks. In this way, application servers are protected.

Intelligently caching DNS traffic

Besides accurately defending against various attacks on the DNS server, Huawei anti-DDoS solution supports DNS cache for improved performance under heavy DNS server traffic.

Defense against prevailing zombies/Trojan horses/worms

By spreading Trojan horses and worms to large numbers of hosts, hackers control the hosts hierarchically and form the botnet to launch attacks. Therefore, botnets breed DDoS attacks. Huawei anti-DDoS solution identifies and blocks over 200 common zombies/Trojan horses/worms worldwide, therefore smashing botnets.

Perfect IPv4-IPv6 defense

In February 2011, IANA declared that IPv4 addresses were exhausted. Enterprises have no new IPv4 addresses and have begun to put IPv6 network construction on the agenda. The particular IPv4-IPv6 technology of Huawei anti-DDoS solution supports concurrent defense against DDoS attacks on both IPv4 and IPv6 networks. The solution addresses the DDoS attack defense requirements in dual stack and helps users transition to the next generation network.

Flexible networking

The anti-DDoS solution must be adaptive to various network environments and address different grades of service requirements. On this basis, Huawei anti-DDoS solution provides multiple in-line and off-line deployments, which enable customers to select flexibly by their services and networks.
• In-line deployment: serially connects the detecting and cleaning modules to the network to be protected for direct traffic detecting and cleaning. The high-performance and multi-core hardware platform in use not only ensures the detecting and cleaning accuracy, but also minimizes the processing delay. Moreover, Huawei anti-DDoS solution provides the bypass module. When an anomaly occurs, traffic is sent to the cleaning module, which avoids introducing new failures.
• Off-line traffic-diversion deployment: deploys the cleaning module on the network in off-line mode. Once detecting DDoS attack traffic, the detecting and cleaning centers perform actions based on the policies configured in the management center.

Highlights

Highlights of Huawei anti-DDoS solution:
Efficient and speedy: 200 Gbit/s defense performance and response within seconds
• High-performance and multi-core CPU, providing anti-DDoS products covering 2 Gbit/s to 200 Gbit/s performance to defend against all types of DDoS attack.
• Self-learning of the service model and per-packet detect technology. Once a traffic or packet anomaly is found, the defense policy is automatically triggered. The defense latency is within two seconds.

Accurate and comprehensive: "V-ISA" reputation technical system, can defend against hundreds of attacks
• "V-ISA" reputation technical system, can defend against hundreds of DDoS attacks, with the industry-leading defense types.

antiDDoS layered scanning methodology

• Defense against over 200 zombies, Trojan horses, and worms, protecting users from hackers.
• IPv4/IPv6, as the first to support IPv6 attack defense and concurrent IPv4 and IPv6 attack defense.
• Particular terminal identification technology to accurately identify client types, such as smart terminals, set-top boxes, and common clients, as well as client-specific defense technologies to ensure zero false positives.

Value-added operation: protection for tens of thousands of leasers and diverse self-services
• Leaser-based service design to protect 100,000 leasers concurrently.
• Self-configuration of defense policies and the generation of independent security reports, providing visibility into defense effects.
• Capture of attack packets, extraction of attack features, and user-defined attack feature filtering to effectively defend against DDoS attacks and zero-day attacks.

Specification

Attack defense functions (IPv4/IPv6 Supported)

Protocol abuse attack defense

Defense against IP spoofing, LAND, Fraggle, Smurf, Winnuke, Ping of Death, Tear Drop, IP Option, IP Fragment Control Packet, TCP Label Validity Check, Large ICMP Control Packet, ICMP Redirect Control Packet, and ICMP Unreachable Control Packet attacks

Web attack defense

Defense against HTTP Get Flood, HTTP Post Flood, HTTP Head Flood, HTTP slow header flood, HTTP Slow Post Flood, HTTPS Flood, and SSL DoS/DDoS attacks

Scanning and sniffing attack defense

Defense against Port Scanning, IP Scanning, Tracert Control Packet, IP Option, IP Timestamp, and IP Routing Record attacks

DNS attack defense

Defense against DNS Query Flood attacks from real or spoofed source IP addresses, DNS Reply Flood attacks, DNS Cache Poisoning attacks, DNS Protocol Vulnerability Exploits, and DNS Reflection attacks

Network-layer attack defense

Defense against SYN Flood, ACK Flood, SYN-ACK Flood, FIN/RST Flood, TCP Fragment Flood, UDP Flood, UDP Fragment Flood, NTP Flood, ICMP Flood, TCP Connection Flood, Sockstress, TCP Retransmission, and TCP Null Connection attacks

SIP attack defense

Defense against SIP methods Flood attacks

DHCP attack defense

Defense against DHCP Flood attacks

Mobile attack defense

Defense against DDoS attacks launched by mobile botnets, for example, AnDOSid/WebLOIC/Android.DDoS.1.origin

Zombie, Trojan horse, worm and tools traffic blocking

Blocking of controlling traffic of active zombies, Trojan horses, worms, and tools, such as LOIC, HOIC, Slowloris, Pyloris, HttpDosTool, Slowhttptest, Thc-ssl-dos, YoyoDDOS, IMDDOS, Puppet, Storm, fengyun, AladinDDoS, and so on; C&C DNS request traffic blocking

Feature-based filtering

Blacklist, HTTP/DNS/SIP/DHCP field-based filtering, and IP/TCP/UDP/ICMP/Other Protocol field-based and load feature-based filtering

IP reputation database

12 data centers across the globe process 12 billion query analysis requests on a daily basis and track the 5 million most active zombie hosts worldwide, with a daily update.

Management and reports

Supports account management and rights allocation; supports 10,000 defense objects; supports import of defense policies in batches; supports device performance monitoring; supports source tracking through packet capture and fingerprint extraction; supports SMS/Voice/Email alarming; supports log dumping; supports network traffic model learning; supports multidimensional reports including attack traffic analysis, attack event analysis, and attack trend analysis; supports download of reports in multiple formats such as HTML, PDF, Excel, and CSV; supports report push through emails; and supports Portal-based operations.

Networking and traffic diversion policies

Deployment modes:

Supports inline and bypass deployment.

Traffic diversion policies:

Supports manual traffic diversion and multiple automatic traffic diversion modes such as policy-based routing and BGP routing.

Interface and hardware parameters

| | AntiDDoS8030 (4 U Height) | AntiDDoS8080 (14 U Height) | AntiDDoS8160 (32 U Height) |
| --- | --- | --- | --- |
| Max. Performance | 120 Gbit/s | 720 Gbit/s | 1.44 Tbit/s |
| Max. Performance/Slot | 20 Gbit/s | 20 Gbit/s | 20 Gbit/s |
| | 80 Gbit/s, 2 slots | 160 Gbit/s, 3 slots | 160 Gbit/s, 3 slots |
| Expansion slots | 3 | 8 | 16 |

Interface Card Types:
• LPUF-21 interface card: 12 x 1 GE (RJ45)/12 x 1 GE (SFP)/1 x 10 GE (XFP)/4 x 10 GE (XFP)/1 x 10 GE POS (XFP)
• LPUF-40 interface card: 20 x 1 GE (SFP)/2 x 10 GE (XFP)/4 x 10 GE (XFP)
• LPUF-101 interface card: 24 x GE (SFP)/4 x 10 GE (SFP+)/5 x 10 GE (SFP+)/1 x 40 GE (CFP)/1 x 100 GE (CFP)

Reliability: Supports dual MPUs and achieves a five-nine carrier-grade reliability (99.999%).

Power Supply Types: Supports both DC and AC power supply.

Ordering Information

Part number | Description | Remarks

AntiDDoS8000 Series
AntiDDoS8030
AntiDDoS8030-BASE-DC | AntiDDoS8030 DC Basic Configuration (includes X3 DC Chassis, 2 x MPU), with HW General Security Platform Software | Alternative
AntiDDoS8030-BASE-AC | AntiDDoS8030 DC Basic Configuration (includes X3 DC Chassis, 2 x MPU), with HW General Security Platform Software |
AntiDDoS8080
AntiDDoS8080-BASE-DC | AntiDDoS8080 DC Basic Configuration (includes X8 DC Chassis, 2 x SRU, 1 x SFU), with HW General Security Platform Software | Mandatory
CR52-PWRA-AC-DF | AC Distribution Frame for Cabinet, 2 or 6 Inputs, 6(2 x 3) Outputs, 6 Groups of 2 Poles 20A Air Switch | AC mandatory
USG9500-PWR-AC | AC Power Supply Module | AC mandatory
AntiDDoS8160
AntiDDoS8160-BASE-DC | AntiDDoS8160 DC Basic Configuration (includes X16 DC Chassis, 2 x MPU, 4 x SFU), with HW General Security Platform Software | Mandatory
CR52-PWRA-AC-DF | AC Distribution Frame for Cabinet, 2 or 6 Inputs, 6(2 x 3) Outputs, 6 Group of 2 Poles 20A Air Switch | AC mandatory
USG9500-PWR-AC | AC Power Supply Module | AC mandatory

SPU of the AntiDDoS 8000 series
ADS-SPUA01 | Service Processing Unit, Double CPUs, with HW General Security Platform Software | Optional (the SPU must be used with a license)
LIC-ADS-10GDDD00 | Capability for Detector (a multiple of 10G), with HW General Security Platform Software |
LIC-ADS-10GDDC00 | Capability for Cleaning (a multiple of 10G), with HW General Security Platform Software |
ADS-SPUA02 | Service Processing Unit, Four CPUs, with HW General Security Platform Software | Optional (the SPU must be used with a license)
LIC-ADS-20GDDD00 | Capability for Detector (a multiple of 20G), with HW General Security Platform Software |
LIC-ADS-20GDDC00 | Capability for Cleaning (a multiple of 20G), with HW General Security Platform Software |

LPU of the AntiDDoS 8000 series
LPUF40
FWCD0LPUF40A01 | Flexible Card Line Processing Unit (LPUF-40, 2 sub-slots) A, with HW General Security Platform Software | Optional
FWCD00L2XX01 | 2-Port 10G Base LAN/WAN-XFP Flexible Card (P40) | Optional
FWCD00EFGF01 | 20-Port 100/1,000 Base-X-SFP Flexible Card (P40) | Optional
LPUF21
FWCD0LPUKD01 | Flexible Card Line Processing Unit (LPUF-21, 2 Sub-Slots) B, with HW General Security Platform Software | Optional
FWCD00L1XX01 | 1-Port 10G Base WAN/LAN XFP Flexible Interface Daughter Card, with HW General Security Platform Software | Optional
FWCD00EBGF01 | 12-Port 100/1,000 Base-X SFP Flexible Interface Daughter Card, with HW General Security Platform Software | Optional
FWCD00EBGE01 | 12-Port 10/100/1,000 Base-TX RJ45 Flexible Interface Daughter Card, with HW General Security Platform Software | Optional
FWCD0P1XBZ01 | 1 Port OC-192c/STM-64c POS-XFP Flexible Card, with HW General Security Platform Software | Optional

Anti-DDoS components
ADSERVER-OS-EN | Windows English Platform (AC PC Server, Hard Disk, Microsoft Windows Server, English), including OS License | Optional
G0MYSQL02 | System Application Software, Light Application Data Management Software Package (5.5 S), 1 Year Standard Product Services | Optional
NS19MKM00 | USB KB&Mouse, Monitor 19-Inch TFT LCD, Max. Pels 1,280 x 1,024/75 Hz, 100V to 240V AC Power, No Documentation, Black | Optional

Anti-DDoS management center
LIC-ADS-NOFA00 | ATIC Basic Feature Summary, with HW General Security Platform Software | Alternative
LIC-ADS-DOFA00 | ATIC Operation Feature Summary, with HW General Security Platform Software (including professional DNS defense) |

Subrack optical splitter
OOS314S00 | Optical Splitter, Single Mode, Supports Three Optical Links (1 x 4 each), 1,310/1,550 nm, +/-40 nm, 70:10:10:10, LC/UPC, 0.25 mm, SMF-28e, 180.3 mm x 144.45 mm x 18.1 mm | Optional
OOS412S00 | Optical Splitter, Single Mode, Supports Four Optical Links (1 x 2 each), 1,310/1,550 nm, +/-40 nm, 80:20, LC/UPC, 0.25 mm, SMF-28e, 0.2 dB, 180.3 mm x 144.45 mm x 18.1 mm | Optional
OOS413S00 | Optical Splitter, Single Mode, Supports Four Optical Links (1 x 3 each), 1,310/1,550 nm, +/-40 nm, 70:15:15, LC/UPC, 0.25 mm, SMF-28e, 180.3 mm x 144.45 mm x 18.1 mm | Optional
OOS412M00 | Optical Splitter, Multi-mode, Supports Four Optical Links (1 x 2 each), 850 nm, +/-40 nm, 50:50, LC/UPC, 0.25 mm, 62.5/125ume, 250um loose tube, 0.2 dB, 180.3 mm x 144.45 mm x 18.1 mm | Optional
OOSSMRC00 | Optical Splitter, Single Mode/Multi-mode, Rack-mounted Optical Splitter Chassis (Used with Optical Splitter Cards), 850/1,310/1550 nm, 482.6 mm x 209 mm x 43.6 mm | Optional
OOS412S01 | Optical Splitter, Single Mode, Supports Four Optical Links (1 x 2 each), 1,310/1,550 nm, +/-40 nm, 50:50, LC/UPC, 0.25 mm, SMF-28e, 0.2 dB, 180.3 mm x 144.45 mm x 18.1 mm | Optional

 

DDoS Protection/Defence

With the evolution of IT and the Internet, the Distributed Denial of Service (DDoS) attack has moved beyond its origins as hacker behavior. Instead, it forms a complete underground industry chain that causes overwhelming damage. At present, a single DDoS attack consumes more than 100 Gbit/s of bandwidth, ten times that in 2007. DDoS attacks have increased by 20 times, and over 30,000,000 zombie hosts flood the network. Moreover, attack tools have become intelligent, and attack behaviors have become concealed and imitative. Attacks on DC applications are especially rampant, disabling customers' current defense measures.

Competitive products from other vendors include Arbor Networks TMS 2300, 2800, 500, SP2000, 2100, 2200, 2600, 2800 and A10 Networks Thunder 3030S, 4435(S), 5435(S), 6435(S), 6635(S) TPS.