Eudemon8000E Anti-DDoS SPU




Network attacks are growing exponentially in both variety and intensity. Distributed Denial of Service (DDoS) attacks in 2010 consumed 100G of bandwidth, a 1000% increase over 2005. Diversified attacks based on application-layer protocols such as HTTP, HTTPS, SIP, and DNS have nearly gone beyond the reach of flow-based attack detection. To handle these attacks, carriers must provide immediate and effective solutions to two challenges:

How to ensure a reliable network against mass attacks and application-layer attacks?
How to minimize maintenance expenditure and improve the return on investment (ROI) of anti-DDoS measures?

Based on years of technical accumulation in the security field and a deep understanding of carriers' services, Huawei Symantec has launched its anti-DDoS Service Processing Unit (SPU). The anti-DDoS SPU uses a multi-core, multi-threaded hardware architecture. Each board delivers both 10G and 20G processing capabilities, which enables flexible expansion and smooth upgrade through the subcard. Together with the distributed chassis of the Eudemon8000E series, the anti-DDoS SPU offers 10G to 160G detecting and cleaning performance.

[Figure: 10G SPU and 20G SPU]

SPU Features

Industry's Highest Processing Performance

High Performance
160G Anti-DDoS Capability

Cutting-edge architecture: The detecting center and cleaning center use an innovative network processor + multi-core + distributed architecture to break through performance bottlenecks and allow linear expansion.
Powerful processing capability: Huawei anti-DDoS solution offers a processing capability of up to 160G to protect carriers against network attacks.
Large capacity: Huawei anti-DDoS solution can present 2000 Zones, with refined protection for 10,000 IP addresses and common protection for 1 million IP addresses.
High Detection Ratio
DPI for Defeating DDoS

Deep packet inspection (DPI): To accurately detect and identify DDoS traffic, Huawei anti-DDoS solution introduces a "seven-layer purification" framework, which identifies and protects against a comprehensive spectrum of modern security threats, including scanning and sniffing, malformed packet attacks, and attacks at the traffic and application-layer levels.
Wide-ranging IPv6 defense: Huawei anti-DDoS solution provides all of its IPv4 defenses for IPv6, and supports IPv4 and IPv6 together to enable a secure and low-cost transition from IPv4 to IPv6.

HUAWEI TECHNOLOGIES CO., LTD.

[Figure: seven-layer purification framework. Stages shown: static filtering, malformed packet filtering, special packet control, source validity authentication, session-based cleaning, feature identification filtering, traffic shaping. Other labels: bypass, dynamic statistical analysis, attack traffic, normal traffic, discard. Items listed under the stages, in the order they appear: whitelist, blacklist, LAND, Fraggle, WinNuke, Ping of death, Teardrop, TCP flag, oversized ICMP packets, IP option, ICMP redirection, ICMP unreachable packet, Tracert, IP source routing option, IP timestamp option, IP route record option, TCP fragment flood, SYN flood, SYN-ACK flood, HTTP get flood, HTTP post flood, HTTPS flood, DNS query flood, DNS reply flood, SIP flood, TCP flood, UDP flood, ICMP flood, connection flood, UDP flood, UDP fragment flood, ICMP flood, CC, HTTP get flood, HTTP post flood, traffic shaping, congestion prevention.]

Rapid Response
Second Latency

Second-level detection: Flow-based detection has a long latency because it needs to analyze large amounts of logs. By comparison, Huawei anti-DDoS solution employs DPI technology to capture attack features in real time, detecting attack traffic within seconds.
Second latency: The detecting center and cleaning center synchronize session status with results. The synchronization maintains service continuity while ensuring a rapid response (within 10 seconds) to attacks.

Robust Reliability: 99.9999%

Reliable platform: Huawei anti-DDoS solution is equipped with redundant power supplies and fans, as well as 1+1 MPUs and 3+1 SFUs. The parts redundancy ensures core-router-level reliability. In addition, the industry-leading VRP of this solution has 4 million live-network success cases, further improving platform reliability.
System reliability: Huawei anti-DDoS solution delivers a mean time between failures (MTBF) of 500 thousand hours and a system reliability of 99.9999% by leveraging load-balanced SPUs and links as well as dual-system hot backup networking.

Flexible Expansion
Smooth Upgrade and Linear Expansion for Maximized ROI

Smooth upgrade: The anti-DDoS SPU provides smooth upgrade. The 10G SPU and service subcard are scalable up to the 20G SPU.
Linear expansion: The Eudemon8000E comes with a maximum of eight SPUs, with performance smoothly upgradeable from 10G to 160G. With linear performance, users can select service modules as desired at the initial phase of the project. For further capacity expansion, they only need to add the required SPUs, effectively maximizing ROI.
Minimum investment: The anti-DDoS detecting and cleaning SPUs can be inserted in the same chassis.

Application Scenarios

Security Defense at the MAN Egress

Customer challenges
Mass attack traffic swarms from the backbone network into the metropolitan area network (MAN), causing link congestion on the MAN. Consequently, carriers have to invest heavily in bandwidth expansion, and user experience may deteriorate.
Application-layer attack traffic causes target servers to deny services. As a result, users complain, some may cancel their subscriptions, and carriers suffer huge economic loss.

Solution strengths
Resides at the MAN egress, with 160G cleaning performance to prevent link congestion.
Defends against more than 30 types of attacks, including Denial of Service (DoS) attacks.
Enables secure transition from IPv4 to IPv6 with powerful IPv6 defense.

[Figure: traffic diversion and cleaning at the MAN egress. Labels: backbone network, monitoring center, 10G, cleaning center, ATIC management center, CSR, BGP, MAN, congestion, E8000E, protected zones. Numbered steps in the figure:]
1. Attack traffic flows from the backbone network to targets, causing target breakdown and MAN congestion.
2. Split and monitor traffic.
3. Identify attack targets and report the detection result.
4. Notify the cleaning center of attack targets.
5. Use BGP to advertise route to the host, diverting attack traffic to the cleaning center.
6. Inject cleaned traffic back to the original link using policy-based routing and MPLS VPN.
7. Send traffic and attack logs.

Secure Operation at the MAN Egress

Customer challenges
Mass attack traffic swarms from the backbone network into the MAN, causing link congestion on the MAN. Consequently, carriers have to invest heavily in bandwidth expansion, and user experience may deteriorate.
Application-layer attack traffic causes target servers to deny services. As a result, users complain, some may cancel their subscriptions, and carriers suffer huge economic loss.
How to present Zones with differentiated defense services and ensure carriers' secure operation?

Solution strengths
Resides at the MAN egress, with 160G cleaning performance to prevent link congestion.
Defends against more than 30 types of attacks, including DoS attacks.
Enables secure transition from IPv4 to IPv6 with powerful IPv6 defense.
Supports defense policies for up to 2000 virtual groups and offers defense, management, and reporting services.

[Figure: secure operation at the MAN egress. Labels: pre-cleaning, after-cleaning, logging, management, mirroring, detecting device, upper-layer network, ATIC management center, cleaning device, report, administrator, traffic cleaning center, servers, Zone A, Zone B, Zone C.]

IDC Security Defense

Customer challenges
The IDC has heavy egress traffic and processes various services. It is vulnerable to mass attacks and application-layer attacks.

Solution strengths
Delivers a 160G processing capability and rapid response within seconds.
Defends against more than 30 types of attacks, including attacks specifically aimed at IDCs such as UDP flood, CC attacks, HTTP flood, HTTPS flood, DNS attacks, and low-rate attacks.

[Figure: IDC security defense. Labels: botnet, normal network, Internet, normal traffic, DDoS attack traffic, anti-DDoS cleaning center, service zones 1 to 3, entrusted servers.]

SPU Specifications

Model: Anti-DDoS SPU
Maximum detecting performance: 20G
Maximum cleaning performance: 20G
Response delay: <= 10s

Anti-DDoS:
Zone-based attack defense
SYN flood attack defense
SYN-ACK flood attack defense
ACK flood attack defense
HTTP flood attack defense
HTTPS flood attack defense
DNS request flood attack defense
DNS reply flood attack defense
SIP flood attack defense
RST/FIN flood attack defense
UDP flood attack defense
IP fragment flood attack defense
Non-TCP/UDP/ICMP flood attack defense
CC attack defense
Connection flood attack defense
Traffic statistics and limit rate
Global packet capture
Attack event-based packet capture
Abnormal event-based packet capture
Static fingerprint
Global feature filtering
Attack log
Exception log

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0
www.huawei.com