Huawei Traffic Cleaning Solution

Transcription

1 Huawei Traffic Cleaning Solution Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

2 1 1.1 Introduction T h e m o d e r n w o r l d i s w i t n e s s i n g exponential growth of attacks. For example, in 2010 alone the rate of distributed denial-of-service (DDoS) traffic attacks on bandwidth was 100 Gbit/s, a 1000% increase compared with that in These emerging attacks target specific application-layer protocols, such as HTTP, HTTPS, SIP, and DNS. These new technologies and deep understanding on customer requirements, Huawei has devised a traffic cleaning solution able to secure customers' s while simplifying their management needs. The solution is specifically tailored for: Large and medium-sized enterprises Internet data centers (IDCs) Internet service providers (ISPs, including web portals, game service providers, and DNS service providers) Detecting center Acting like the "eyes" of the solution, the detecting center monitors traffic based on certain detection policies and reports abnormalities to the management center. Cleaning center Acting like the "heart" of the solution, the cleaning center receives instructions from the management center and cleans abnormal traffic based on traffic diversion policies. Management center Acting like the "brain" of the solution, the management center formulates detecting and cleaning policies, controls detecting and cleaning devices, and generates attack reports and cleaning logs. 1.3 Hardware The following figure shows detecting and 2 malicious attacks render conventional cleaning devices involved in the solution. flow devices ineffective. Consequently, customers are faced with the following problems: 1.2 Solution 160G How to withstand massive flooding and The Huawei traffic cleaning solution can application-layer attacks while securing the be divided into three centers, as shown in the following figure. 20G detecting board 20G cleaning board How to maximize investments on DDoS defense while reducing maintenance costs 10G detecting board 10G cleaning board E8080E E8016E Based on long-accumulated security 6G 6G detecting board 6G cleaning board E1000E-I (detecting device) E1000E-D (cleaning device) E1000E-I (detecting device) E1000E-D (cleaning device) Internet Management Security protection for small- and medium-sized enterprises. Security protection for IDCs/ large- and medium-sized enterprises The E1000E provides a gigabit-level cleaning capacity to secure services for small- and medium-sized Traffic Cleaning Solution Traffic Cleaning Solution enterprises (SMEs). The following table lists two models of the E1000E. Intranet Detecting Cleaning E1000E-I Detecting device E1000E-D Cleaning device

3 3 6G/10G An E8000E service board, coupled with a distributed E8000E series chassis, provides a cleaning capacity of 160 Gbit/s. The following table lists two models of the E8000E. 1.4 Features I n d u s t r y s H i g h e s t Performance to Secure the Network High Performance Attack traffic Legitimate traffic With an industry-leading processing capacity of 160 Gbit/s per chassis, the solution can withstand large-scale attacks. Advanced architecture Built on the processor (NP), multicore CPU, and distributed architecture, the detecting and cleaning centers provide linear capacity expansion capability to overcome bottlenecks in processing performance. High capacity The solution provides fine-grained Static filtering Whitelist Blacklist UDP Flood ICMP Flood DNS Flood Malformed packet filtering Transport layer source validity authentication LAND attack SYN Flood Fraggle attack ACK Flood Winnuke SYN-ACK Flood Ping of Death TCP Fragment Flood Tear Drop Invalid TCP flag attack Super large ICMP attack 20G protection for 2000 VIP customers and 10,000 IP addresses and provides coarse-grained protection for 1 million IP addresses. Highest Detection Rate With DPI technology and a solid 7-layer defense structure, the solution can efficiently prevent various attacks from occurring. Deep Packet Inspection (DPI) Unlike conventional Netflow-based devices, Huawei s detecting devices use DPI technology to analyze every byte inside packets, and use the 7-layer defense structure to effectively identify attack types, including traffic, application-layer, scanning and snooping, and malformed packet attacks. Dynamic analysis Source validity authentication HTTP Flood HTTPS Flood DNS Query Flood DNS Reply Flood SIP Flood Sessionbased cleaning Behavior analysis Connection exhaustion CC attack attack UDP Flood DNS cache poisoning DNS reflection attack Slow connection attack Retransmission attack Slow start attack Traffic shaping Forwarding Avoid congestion to the target IPv6 attack defense The solution supports IPv6/IPv4 dual stack to defend against IPv4 and IPv6 attacks simultaneously, secure the IPv4-to-IPv6 transition, and reduce transition costs. Quick Attack Response The solution detects and cleans abnormal traffic within seconds to ensure service continuity. Fast detection Conventional flow-based detecting devices analyze -wide router logs, which takes long time to detect attacks. Huawei s detecting devices use the DPI technology to capture attack characteristics in real time and detect attacks within seconds. Quick response The synchronization of sessions and detection results between detecting and cleaning centers enables the solution to respond to attacks within seconds (less than 10 seconds). High Reliability Reliable platform Hardware platform: 1+1 main processing engines 3+1 switching boards Key component (power module and fan) redundancy Core router-class service stability Versatile Routing Platform (VRP): Independent modules with little impact on each other 4 million devices on live s Reliable system The solution ensures 500,000 hours of mean time between failures (MTBF) and % reliability through: Inter-board load balancing Cross-board interface binding Two-node cluster hot backup Industry s Easiest Solution to Simplify the Management Easy Management and Low OPEX Graphical management T h e s o l u t i o n p r o v i d e s a f l e x i b l e graphical user interface which simplifies configuration and maintenance and reduces operating expenses (OPEX). Flexible evidence collection methods For security audit, the solution collects evidences in either of the following ways: Packet capture based on access control lists (ACLs) Automatic packet capture based on the types of attack events Centralized management The solution manages distributed peripheral devices in a centralized and simplified mode, which decreases management servers and significantly reduces maintenance costs. Easy Expansion and Low Expansion Cost Software license upgrade The E1000E supports software license upgrades to expand the cleaning capacity without adding hardware, which thereby greatly reduces costs. Smooth upgrade The E1000E supports smooth capacity expansion. Linear expansion The E1000E supports a maximum of eight service boards per chassis. Users can add service boards to expand the capacity. The expansion mode improves investment efficiency and reduces capacity expansion 4

4 5 costs. Cost-saving Traffic detecting and cleaning devices share the same chassis, which effectively saves on customers' investment. 1.5 Application Scenarios IDC Security The service-rich IDC with egress bandwidth is vulnerable to flooding attacks and application-layer attacks. Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds). Withstands over 30 types of DDoS attacks, including e.g. : UDP Flood attacks CC attacks HTTP Flood attacks HTTPS Flood attacks DNS attacks Slow attacks attacks, including e.g. : UDP Flood attacks CC attacks HTTP Flood attacks Slow link attacks TCP retransmission attacks The following figure shows the anti-ddos of a web portal or game website. 6 Carrier 2 Carrier 1 Internet DDoS cleaning center Game server zone Web server zone Web Portal or Game Server Security Web portals or game servers with egress bandwidth are vulnerable to flooding DDoS cleaning center Service area 3 Hosted server Hosted server Hosted server Service area 1 Service area 2 attacks and application-layer attacks. Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds). Withstands over 30 types of DDoS Enterprise Network Egress Security Large and medium-sized enterprises build s or rent links (about 10 GB) to enable office automation (OA) and internal communication, which is vulnerable to DDoS attacks. Withstands over 30 types of DDoS attacks, particularly those attacks aimed at OA Mail server zone s, including: UDP Flood attacks HTTP Flood attacks TCP Flood attacks The following figure shows the anti-ddos of an enterprise.

5 7 Carrier 1 Carrier 2 Detecting firewall Trust zone DDoS defense firewall DMZ 8 Cleaning Office area Living area DNS Security attacks, particularly those attacks aimed at DNS services, including: Online Service Security Online services are vulnerable to DDoS attacks. These attacks severely compromise a service provider s customer base, financial security, and reputation. Withstands over 30 types of DDoS attacks, particularly those attacks aimed at online transaction systems, including: HTTP Flood attacks HTTPS Flood attacks CC attacks Slow link attacks DNS servers, a vital part of the Internet infrastructure, are often subject to DDoS attacks, which brings serious consequences onto its customers whom have shown vested interests in securing their DNS services. Withstands over 30 types of DDoS DNS attacks (DNS Query and Reply Flood) DNS cache poisoning UDP Flood attacks Provides the Top N DNS cache function to alleviate the DNS server's pressure in coping with attacks. The following figure shows the anti-ddos of a DNS sever. DNS attacks (DNS Query and Reply Flood) The following figure shows the anti-ddos of online services. Internet DDoS Cleaning DNS Server Management

6 9 1.6 Product Specifications Model E1000E-I/D Number of slots For a 1 U device: 4 pairs of GE optical/electrical (mutually exclusive) interfaces 2 USB 2.0 interfaces Detecting and cleaning capacity 4G Model Eudemon8080E Eudemon8160E Number of slots 8 slots, a maximum of 4 detecting/ cleaning boards and 4 interface boards 16 slots, a maximum of 8 detecting/ cleaning boards and 8 interface boards Detecting and cleaning capacity 80G 160G Protected IP addresses Protected targets: 2000 IP addresses (fine-grained protection): 10,000 IP addresses (coarse-grained protection): 1 million 10 Protected destination IP addresses Protected targets: 400 Preventable DDoS attacks (Applicable to IPv4, IPv6, and IPv4- IPv6 s) IP addresses (fine-grained protection): 2048 Traffic-type attacks SYN Flood ACK Flood SYN-ACK Flood FIN/RST Flood IP Fragment Flood UDP Flood ICMP Flood Smurf attack Application-layer attacks Connection Flood DNS Query Flood DNS Reply Flood DNS cache poisoning HTTP Get /Post Flood CC attack SIP Flood HTTPS Flood Scanning and snooping attacks Port scanning Address scanning Tracert packet IP source routing option attack IP timestamp option attack IP routing record option attack Malformed packet attacks IP Spoofing LAND attack Fraggle attack Winnuke Ping of Death Tear Drop IP Option control IP fragment control packet Invalid TCP flag attack Super large ICMP control packet ICMP redirect packet ICMP unreachable packet Preventable DDoS attacks (Applicable to IPv4, IPv6, and IPv4-IPv6 s) Reliability Traffic-type attacks Scanning and snooping attacks SYN Flood Port scanning ACK Flood Address scanning SYN-ACK Flood Tracert packet FIN/RST Flood IP source routing option attack IP Fragment Flood IP timestamp option attack UDP Flood IP routing record option attack ICMP Flood Smurf attack Application-layer attacks Connection Flood DNS Query Flood DNS Reply Flood HTTP Get /Post Flood Malformed packet attacks IP Spoofing LAND attack Fraggle attack Winnuke Ping of Death Tear Drop CC attack IP Option control SIP Flood IP fragment control packet HTTPS Flood Invalid TCP flag attack Super large ICMP control packet ICMP redirect packet ICMP unreachable packet Module/Component hot swap, two-node cluster hot backup, link aggregation, and 1+1 main processing engines Reliability Interface board type Dimensions (W x D x H) Weight Power Mean time between failures (MTBF) Dual power modules and fans 2 expansion slots that support 4*FE RJ45 connectors and 2*GE Combo connectors 436 x 560 x 44.2 mm 10 kg 100 W years Interface board type Ethernet interface 1 x 10GE, 12 x 1G (optical/electrical) card P O S i n t e r f a c e 1 x 10G card Maximum interfaces Ethernet interface 8 x 12 x 1GE, 8 x 16 x 12 x 1GE, 16 x 10GE 10GE POS interface 8 x 10G 16 x 10G

7 11 Model Eudemon8080E Eudemon8160E Dimensions (W x D x H) 442 x 669 x 886 mm 442 x 669 x 1600 mm Weight 100 kg 150 kg Power 700 W 900 W MTBF 57 years 57 years Traffic statistics and limit Global packet capture attack event packet capture Abnormal event packet capture Static fingerprint Global feature filtering 12 Attack logs Model Traffic cleaning service board Abnormal logs Detecting capacity (max.) Cleaning capacity (max.) 20 Gbit/s 20 Gbit/s 1.7 Order Information Response delay DDoS Attack Defense Defense against attacks based on protection targets SYN Flood defense 10 seconds Model E1000E-I/D SU4Z1ADGD Description E1000E anti-ddos cleaning host, AC, 2G license SYN-ACK Flood defense ACK Flood defense SU4Z2ADGD E1000E anti-ddos cleaning host, DC, 2G license HTTP Flood defense SU4Z1ADGI E1000E anti-ddos detecting host, AC HTTPS Flood defense DNS Request Flood defense SU4Z2ADGI E1000E anti-ddos detecting host, DC DNS Reply Flood defense FWEM0004FE02 4-port 100 M Ethernet electrical interface module (RJ45) SIP Flood defense FWBM12GE 2-port 1000 M Ethernet electrical interface module (RJ45 and SFP) RST Flood/FIN Flood defense UDP Flood defense IP Fragment Flood defense Non-TCP/UDP/ICMP protocol packet flood defense CC attack defense LSU4ADGD01 ATIC3-WINDOWS E8000E Anti-DDoS E8080E-BUNDLE-AC License used to expand the anti-ddos cleaning capacity of the E1000E to 4G Software suite, ATIC management system installation package, DVD Eudemon8080E AC: 1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards Connection flood defense E8080E-BUNDLE-DC Eudemon8080E DC: 1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards

8 13 Model FWCD10GDDD01 FWCD10GDDC01 FWCD20GDDD01 Description Service processing unit, 10G detecting capacity Service processing unit, 10G cleaning capacity Service processing unit, 20G detecting capacity 14 FWCD20GDDC01 Service processing unit, 20G cleaning capacity FWCD10GDDU01 Plug-in board used to expand the anti-ddos detecting capacity from 10G to 20G FWCD10GDCU01 Plug-in board used to expand the anti-ddos cleaning capacity from 10G to 20G FWC2LPUKD1 Flexible card line processing unit (LPUF-21, two sub-slots) FWC2L1XX01 1-port 10GBase WAN/LAN-XFP flexible sub-card FWC2EBGF01 12-port 100/1000Base-X-SFP flexible sub-card FWC2EBGE01 12-port 10/100/1000Base-TX-RJ45 flexible sub-card FWC2P1XXBZ0 1-port OC-192c/STM-64c POS-XFP flexible sub-card FWCS00NOFA00 DDoS management center, a collection of functions for non-carrier customers FWCS00DOFA00 DDoS management center, a collection of functions for carriers FWCS00LCOP00 Data collector FWCS00BMOD00 DDoS management center-basic modules FWCS00STAT00 DDoS management center-statistical report management FWCS00ALAM00 DDoS management center-alarm management FWCS00PCAM00 DDoS management center-packet capture analysis management FWCS00SLHQ00 DDoS management center-self-service query FWCS05DMCL00 DDoS management center license (to add 5 control devices) FWCS10DMCL00 DDoS management center license (to add 10 control devices) FWCS25DMCL00 DDoS management center license (to add 25 control devices) FWCS50DMCL00 DDoS management center license (to add 50 control devices)