AntiDDoS8000 DDoS Protection Systems

Background and Challenges

With the evolution of IT and networks, the Distributed Denial of Service (DDoS) attack has moved beyond its origins as individual hacker behavior. It now forms an integrated dark industry chain that causes overwhelming damage.

Severe DDoS attacks

At present, a single DDoS attack consumes more than 500 Gbit/s of bandwidth. The number of DDoS attacks is 20 times that of 2007, and over 30,000,000 zombie hosts flood the network. Moreover, attack tools are easily available, and the large number of botnets removes the technical barrier to launching a DDoS attack. An attack takes only three steps: downloading the attack tool, purchasing zombie hosts, and initiating the attack.

Traffic DDoS attacks evolve into application attacks

In the past, flood attacks against the carrier network and infrastructure prevailed. Current DDoS attacks instead target specific applications and services, such as enterprise portal applications, online shopping, online video, online games, the Domain Name Service (DNS), and email. The range of targets is wider, a single attack consumes less traffic and costs less, and the attack behavior is more complex and harder to distinguish from normal traffic. This makes DDoS attacks more difficult to detect and defend against.

Service interruption adversely affects enterprise operation

DDoS attacks frequently intrude into enterprise service systems and severely interrupt normal service operation. On the one hand, service interruption damages an enterprise's brand image, drives away its customers, and reduces its profits, especially for small Internet enterprises in e-business, online games, and portals. On the other hand, constructing an anti-DDoS system imposes heavy investment and maintenance costs on these enterprises and burdens their normal service operation.

DDoS attacks cause IDC customer loss

If a service system suffers a DDoS attack, the attack traffic occupies the entire Internet Data Center (IDC) bandwidth and affects the service systems of other leasers. As a result, IDC leasers leave, competitiveness drops, and operating costs rise. These side effects severely deteriorate service operation and profits.

Solution Highlights

Overview

Designed for carriers, enterprises, data centers, and ICP service providers (including providers of web portals, online games, online video, and DNS services), the Huawei AntiDDoS8000 series incorporates Huawei's extensive experience in network security and its understanding of customer demands. The series enhances defense against application-layer attacks, IPv4 and IPv6 attacks, and zombies, Trojan horses, and worms, ensuring network security and service continuity.

The AntiDDoS8000 series uses a leaser-specific service design for management and configuration, which implements leaser service model learning, leaser configuration, and self-service reports. IDC operators can therefore offer the anti-DDoS solution to their leasers as a SaaS service to increase leaser stickiness, improve IDC competitiveness, and add IDC operating profit.

Functions

Service-based defense policy: The AntiDDoS8000 series continuously and periodically learns and analyzes the service traffic of a Zone, draws the profile of normal service traffic, and enables differentiated defense types and policies for different services, or for one service in different time ranges, implementing fine-grained defense.

Accurate abnormal traffic cleaning: The AntiDDoS8000 series uses Big Data analytics to detect and defend against DDoS attacks, learning traffic models from over 60 dimensions. Once abnormal traffic occurs in a dimension, the corresponding defense policy is triggered immediately. The solution applies multiple technologies, including seven-layer filtering, behavior analysis, and session monitoring, to accurately defend against various flood attacks, web application attacks, DNS attacks, SSL DoS/DDoS attacks, and protocol stack vulnerability attacks, thereby protecting application servers.

Intelligent DNS traffic caching: Besides accurately defending against attacks on the DNS server, the Huawei Anti-DDoS Solution supports DNS caching for improved performance under heavy DNS server traffic.

Defense against prevailing zombies, Trojan horses, and worms: By spreading Trojan horses and worms to large numbers of hosts, attackers control the hosts hierarchically and form botnets that launch attacks; botnets thus breed DDoS attacks. The Huawei Anti-DDoS Solution identifies and blocks over 200 common zombies, Trojan horses, and worms worldwide, breaking up botnets.

Complete IPv4 and IPv6 defense: In February 2011, the Internet Assigned Numbers Authority (IANA) declared that IPv4 addresses were exhausted. Enterprises can obtain no new IPv4 addresses and are putting IPv6 network construction on the agenda. The IPv4-IPv6 technology of the Huawei Anti-DDoS Solution supports concurrent defense against DDoS attacks on both IPv4 and IPv6 networks, addresses DDoS defense requirements in dual-stack deployments, and helps users transition to the next-generation network.

Flexible networking: An anti-DDoS solution must adapt to various network environments and address different grades of service requirements. The AntiDDoS8000 series therefore provides multiple in-line and off-line deployments, which let customers choose according to their services and networks.

In-line deployment: serially connects the detecting and cleaning modules to the network to be protected for direct traffic detection and cleaning. The high-performance, multi-core hardware platform not only ensures detection and cleaning accuracy but also minimizes processing delay.

Off-line traffic-diversion deployment: deploys the cleaning module on the network in off-line mode. Once DDoS attack traffic is detected, the detecting and cleaning centers act according to the policies configured in the management center.

Highlights

Highlights of the Huawei AntiDDoS8000 series:

Anti-Large-DDoS, heavy traffic DDoS attack defense: The multi-core, distributed hardware architecture and the Big Data-based Intelligent Defense Engine provide T-bit defense performance. Attack response within seconds protects link availability.

Anti-App-DDoS, application DDoS attack defense: Performs full traffic collection and layer 3/4/7 packet-by-packet analysis, creates traffic models from over 60 dimensions, and provides the most precise and comprehensive attack detection. A fine-grained reputation system consisting of local session behavior-based reputation, service access behavior-based reputation, geographical location-based reputation, and botnet cloud-based reputation precisely guards against lightweight, slow application-layer DDoS attacks launched by botnets. Full-scale defense against over 100 attacks guarantees continuous operation of key service systems, including enterprise web applications and DNS, DHCP, and VoIP services.

Anti-Mobile-DDoS, mobile DDoS attack defense: Dynamic real-time updates of 20,000 fingerprints and filtering of mobile terminal botnet tool features effectively defend against DDoS attacks launched by botnets and mobile terminals and guarantee authorized access to mobile gateways. Protects the availability of mobile data service systems such as mobile payment, mobile stores, mobile social networking, and mobile games.

Anti-Outbound-DDoS, inbound-to-outbound DDoS attack defense: Blocks the controlling traffic of the world's most active zombies, Trojan horses, and worms, and blocks C&C DNS request traffic, preventing DDoS attacks at the source.

Managed-Anti-DDoS, DDoS attack defense operations: Provides tenant/service-based automatic and manual defense policies and complete defense methods. Tenant/service-based independent statistics reports and email delivery simplify defense management. Portal-based self-service functions for tenants increase their service stickiness. Supports large-scale operations, for example 100,000 tenants/services, and protects 200,000 IP addresses per tenant/service simultaneously.

Solution Components

As shown in the following figure, the Huawei Anti-DDoS Solution comprises the detecting center, the cleaning center, and the ATIC management center. Through policy interworking and control interworking, the three centers provide a professional anti-DDoS solution with easy management and flexible deployment.

[Figure: the management center (device management, policy management, report display) is linked to the detecting center by policy interworking and to the cleaning center by control interworking; the detecting and cleaning centers exchange traffic features with each other.]

Detecting center: As the "antenna" of the solution, the detecting center receives detecting policies delivered by the ATIC management center, identifies and detects DDoS traffic, and returns detection results to the ATIC management center.

Cleaning center: As the "executor" of the solution, the cleaning center cleans DDoS traffic on the network based on the control signals delivered by the ATIC management center.

ATIC management center: As the "brain" of the solution, the ATIC management center allows the user to customize detecting and cleaning policies and delivers them to the detecting center and cleaning center to control the detecting and cleaning process. The user can also generate and view attack reports and cleaning records in the ATIC management center.

Typical Application Scenarios

IDC Secure and Profitable Operation

The Huawei AntiDDoS8000 series deployed at the IDC egress delivers the following functions:

Defends against attacks on the DNS server, for example DNS protocol stack vulnerability attacks, DNS reflection attacks, DNS flood attacks, and DNS CacheMiss attacks, and supports DNS caching for improved DNS server performance under heavy traffic.

Defends against attacks on web servers, for example SYN flood attacks, HTTP flood attacks, CC attacks, and low-rate connection attacks.

Defends against attacks on online games, for example UDP flood attacks, SYN flood attacks, and TCP attacks.

Defends against SSL DoS/DDoS attacks on HTTPS servers.

Provides customers with self-service policy configuration and reports by operating anti-DDoS as a security service.
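The learn-then-trigger loop described under Functions (per-dimension traffic models) and the detect / manage / clean split described under Solution Components, reduced to a runnable toy. This is an added example written for this page, not Huawei's ATIC code; the class and function names, the four dimensions, the threshold rule and the sample counters are all assumptions.

```python
"""Toy model of the detect / manage / clean loop from the datasheet.

Constructed example: per-zone, per-dimension baselines are learned from
sample traffic counters; a detecting step flags dimensions that exceed the
learned profile; a management step maps them to a cleaning policy.
Nothing here is Huawei's implementation; names and values are assumed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Dimensions the toy detector tracks (packets per second per traffic type).
DIMENSIONS = ("syn_pps", "dns_query_pps", "http_get_pps", "udp_pps")

# Which cleaning policy the management step selects per anomalous dimension.
POLICY_FOR_DIMENSION = {
    "syn_pps": "syn-flood-defense",
    "dns_query_pps": "dns-query-flood-defense",
    "http_get_pps": "http-get-flood-defense",
    "udp_pps": "udp-flood-defense",
}


@dataclass
class Baseline:
    mean: float
    stdev: float

    def threshold(self, k: float = 3.0) -> float:
        # Trigger when a sample exceeds mean + k*stdev, with a floor of 20 %
        # of the mean so a flat learning period cannot produce a zero-width
        # threshold that fires on normal jitter.
        return self.mean + max(k * self.stdev, 0.2 * self.mean)


def learn_baselines(samples: list[dict[str, float]]) -> dict[str, Baseline]:
    """Learning phase: summarise normal traffic per dimension for one zone."""
    baselines = {}
    for dim in DIMENSIONS:
        values = [s[dim] for s in samples]
        baselines[dim] = Baseline(mean(values), pstdev(values))
    return baselines


def detect(sample: dict[str, float], baselines: dict[str, Baseline]) -> list[str]:
    """Detecting step: dimensions whose current value breaks the profile."""
    return [d for d in DIMENSIONS if sample[d] > baselines[d].threshold()]


def select_policies(anomalous: list[str]) -> list[str]:
    """Management step: map anomalous dimensions to the policies to deliver."""
    return [POLICY_FOR_DIMENSION[d] for d in anomalous]


# Constructed learning samples for one zone (normal business-hour traffic).
LEARNING_SAMPLES = [
    {"syn_pps": 1000, "dns_query_pps": 500, "http_get_pps": 2000, "udp_pps": 300},
    {"syn_pps": 1100, "dns_query_pps": 480, "http_get_pps": 2100, "udp_pps": 320},
    {"syn_pps": 950,  "dns_query_pps": 520, "http_get_pps": 1950, "udp_pps": 290},
    {"syn_pps": 1050, "dns_query_pps": 510, "http_get_pps": 2050, "udp_pps": 310},
]
# Constructed live sample: DNS query volume far above the learned profile,
# everything else within its normal band.
LIVE_SAMPLE = {"syn_pps": 1080, "dns_query_pps": 9000, "http_get_pps": 2020, "udp_pps": 305}


def run() -> list[str]:
    """Full loop: learn, detect on the live sample, choose cleaning policies."""
    baselines = learn_baselines(LEARNING_SAMPLES)
    return select_policies(detect(LIVE_SAMPLE, baselines))


if __name__ == "__main__":
    print(run())  # ['dns-query-flood-defense']
```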

[Figure: Internet, anti-DDoS cleaning center, and anti-DDoS management center at the IDC, protecting Leaser A and Leaser B.]

Success Stories

Customer Challenges

Tencent IDC handles huge service volumes and suffers various DDoS attacks from the Internet every day, especially attacks on online games and DNS servers. Traditional defense devices such as firewalls and IPS devices are not effective against DDoS attacks: when DDoS attacks are launched, these devices may exhaust their connections and resources, and enabling attack defense may interrupt normal services. Tencent was therefore confronted with major security challenges.

Solution

Deploy AntiDDoS8000 series devices as cleaning devices at the Tencent IDC egress in off-line mode to defend against DDoS attacks on the IDC service system.

[Figure: one management center controlling a detecting center and a cleaning center in each of Data center A and Data center B.]

This deployment requires high performance, reliability, and scalability from the anti-DDoS device; the device must restore services rapidly after an incident; and all deployed AntiDDoS8000 series devices must be manageable globally. The Huawei Anti-DDoS Solution, applied across multiple Tencent IDCs, features high performance, sound reliability, and good defense effects, and has been well received by Tencent.

Customer Benefits

The Huawei device displayed normal status during IDC attack defense and successfully defended against continuous DNS flood attacks. The protected services operated stably and no user complaints were received; the Huawei device is therefore highly regarded by the personnel in the service line.

Specifications

Attack Defense Functions (IPv4/IPv6 Supported)

Protocol Abuse Attack Defense: Defense against IP spoofing, LAND, Fraggle, Smurf, WinNuke, Ping of Death, Teardrop, IP Option, IP Fragment Control Packet, TCP Label Validity Check, Large ICMP Control Packet, ICMP Redirect Control Packet, and ICMP Unreachable Control Packet attacks, etc.

Scanning and Sniffing Attack Defense: Defense against Port Scanning, IP Scanning, Tracert Control Packet, IP Option, IP Timestamp, and IP Routing Record attacks, etc.

Network-layer Attack Defense: SYN Flood, ACK Flood, FIN/RST Flood, TCP Fragment Flood, ICMP Flood, TCP Connection Flood, Sockstress, TCP Retransmission, TCP Null Connection, and IPv6 attacks, etc.

Web Application Defense: Web application attack defense: HTTP GET Flood, HTTP POST Flood, HTTP HEAD Flood, HTTP Slow Header, HTTP Slow POST, HTTPS Flood, and SSL DoS/DDoS attacks, etc. Web application intrusion filtering: SQL injection attack filtering, XSS cross-site attacks, etc.

DNS Server Defense: Defense against DNS Query Flood attacks from real or spoofed source IP addresses, DNS Reply Flood attacks, DNS Cache Poisoning attacks, DNS Protocol Vulnerability Exploits, and DNS Reflection attacks.

SIP Application Defense: SIP Methods Flood, Register Flood, Deregistration Flood, Authentication Flood, Call Flooding, etc.

UDP Application Defense: UDP Flood attacks, UDP Fragment Flood attacks, etc.

Reflection and Amplification Attack Defense: NTP, SNMP, TFTP, NetBIOS, SSDP, QOTD, Quake, and Steam reflection and amplification attacks, etc.

Zombie, Trojan Horse, Worm, and Tool Traffic Blocking: Blocking of the controlling traffic of active zombies, Trojan horses, worms, and tools such as LOIC, HOIC, Slowloris, Pyloris, HttpDosTool, Slowhttptest, Thc-ssl-dos, YoyoDDOS, IMDDOS, Puppet, Storm, fengyun, AladinDDoS, and so on; C&C DNS request traffic blocking.

DHCP Application Defense: DHCP Flood.

Mobile Attack Defense: Defense against DDoS attacks launched by mobile botnets, for example AnDOSid, WebLOIC, and Android.DDoS.1.origin.

Feature-based Filtering: Blacklist, HTTP/DNS/SIP/DHCP field-based filtering, and IP/TCP/UDP/ICMP/other protocol field-based and payload feature-based filtering.

IP Reputation Database: 12 data centers across the globe process 12 billion query analysis requests daily and track the world's 5 million most active zombie hosts, with daily updates.

Management and Reports: Supports account management and rights allocation; supports 10,000 defense objects; supports batch import of defense policies; supports device performance monitoring; supports source tracking through packet capture and fingerprint extraction; supports SMS/voice/email alarming; supports log dumping; supports network traffic model learning; supports multidimensional reports including attack traffic analysis, attack event analysis, and attack trend analysis; supports downloading reports in multiple formats such as HTML, PDF, Excel, and CSV; supports report push through email; and supports Portal-based operations.

Networking and Traffic Diversion Policies

Deployment Modes: Supports inline and bypass deployment.

Traffic Diversion and Reinjection Policies:

Diversion functions: Supports manual traffic diversion, policy routing diversion, and BGP routing diversion.

Reinjection functions (returning cleaned traffic to the network): Supports MPLS reinjection, MPLS LSP reinjection, GRE tunnel reinjection, Layer-2 reinjection, and policy routing reinjection, etc.

Interface and Hardware Parameters

AntiDDoS8000 series        AntiDDoS8030 (4 U height)   AntiDDoS8080 (14 U height)   AntiDDoS8160 (32 U height)
Max performance            120 Gbps                    720 Gbps                     1.44 Tbps
Max performance per slot   120 Gbps                    160 Gbps                     160 Gbps
Slots                      3                           8                            16
Interface card type        LPUF-40                     LPUF-120                     LPUF-240
Interface card ports       20 x 1GE / 2 x 10GE         12 x 10GE / 6 x 10GE / 5 x 10GE / 24 x 1GE / 1 x 100GE / 1 x 40GE   12 x 10GE / 6 x 10GE / 5 x 10GE / 24 x 1GE / 1 x 100GE / 1 x 40GE
Reliability                Supports dual MPUs and achieves five-nines carrier-grade reliability (99.999%) on all models.
Power supply type          Supports both DC and AC power supply on all models.