Download Perfect IPv4-IPv6 Defense

AntiDDoS8000 Series DDoS Defend System
<<<<<<< Linkbar star>>>>>>>
Brochure
Support
Software
Partner Materials
<<<<<<< Linkbar end>>>>>>>
tabRegion_start
<<<<<<<tab title starting>>>>>>
Product Overview
Features and Benefits
Specifications
Application Scenarios
Ordering
<<<<<<<tab title ending>>>>>>>
<<<<<<< 产品特点_start>>>>>>>
Background
With the IT and network evolution, the Distributed Denial of Service (DDoS) attack has already broken away from
original hacker behaviors. Instead, it forms an integral dark industry chain with overwhelming damages.
Severe DDoS attacks
At present, a single DDoS attack consumes more than 100 Gbit/s bandwidth. The number of DDoS attacks is 20
times of that in 2007, and over 30,000,000 zombie hosts flood the network. Moreover, attack tools become easily
available. Large numbers of botnets break off the technical threshold for DDoS attacks. A DDoS attack is launched
by only three steps, namely, downloading the attack tool, purchasing zombie hosts, and initiating the attack.
Traffic DDoS attacks evolve to application attacks
In the past, flood attacks were prevailing on the carrier network and infrastructure. In comparison, current DDoS
attacks are specific to applications and services, such as enterprise portal applications, e-shopping, online videos,
online games, DNS, and email. The targets of attacks become more extensive. A single attack consumes less traffic
and fewer costs. The attack behavior becomes more complex and difficult to distinguish. This brings difficulty in
detecting and defending against DDoS attacks.
Service interruption adversely affects enterprise operation
DDoS attacks frequently intrude into the service systems of enterprises, and severely interrupt the normal service
operation. On the one hand, service interruption damages enterprises' brand images, takes away their customers,
and reduces their profits, especially for small Internet enterprises on e-business, online games, and portals. On the
other hand, constructing an anti-DDoS system brings intensive investment and maintenance pressure on these
enterprises and deteriorates their normal service operation.
DDoS attacks cause IDC customer loss
If a service system suffers from DDoS attacks, the attack traffic occupies the entire IDC bandwidth, affecting the
service systems of other leasers. As a result, IDC leasers quit, competitiveness lowers, and operation costs rise.
These side impacts severely deteriorate the service operation and profits.
Solution Overview
Designed for carriers, enterprises, data centers, and ICP service providers (including providers for Web portals,
online games, online videos, and DNS services) , HUAWEI Anti-DDoS solution incorporates extensive experience
in network security and full understanding of customer demsands.
HUAWEI Anti-DDoS solution enhances defense against application-layer attacks, IPv4-IPv6 attack defense, and
defense against zombies, Trojan horses, and worms. This fully ensures network security and service continuity.
HUAWEI Anti-DDoS solution uses the leaser-specific service design for management configuration, which
implements a series of functions, including leaser service model learning, leaser configuration, and report
self-service. Moreover, IDC operators can provide the Anti-DDoS solution for their leasers as an SAAS service to
increase the leaser viscosity, improve IDC competitiveness, and add IDC operation profits.
Related Products
<<<<<<<table starting>>>>>>>
Table
Picture
Models
AntiDDoS8030 has three expansion slots
AntiDDoS8080 has eight expansion slots
AntiDDoS8160 has 16 expansion slots
table
<<<<<<<table ending>>>>>>>
<<<<<<<产品特点_end>>>>>>>
<<<<<<<产品规格_star>>>>>>>
Service-Based Defense Policy
Huawei anti-DDoS solution supports continuously periodic learning and analysis on the service traffic of the Zone,
draws the outline of normal service traffic, and enables differentiated defense types and policies for various
services or one service in different time ranges, therefore implementing refined defense.
Accurate Abnormal Traffic Cleaning
Huawei anti-DDoS solution uses the per-packet detect technology. Defense is triggered immediately by an attack.
This solution applies multiple technologies, including seven-layer filtering, behavior analysis, and session
monitoring, to accurately defend against various flood attacks, Web application attacks, DNS attacks, SSL
DoS/DDoS attacks, and protocol stack vulnerability attacks. In this way, application servers are protected.
Intelligently Caching DNS Traffic
Besides accurately defending against various attacks on the DNS server, Huawei anti-DDoS solution supports
DNS cache for improved performance under heavy DNS server traffic.
Defense Against Prevailing Zombies/Trojan Horses/Worms
By spreading Trojan horses and worms to large numbers of hosts, hackers control the hosts hierarchically and form
the botnet to launch attacks. Therefore, botnets breed DDoS attacks. Huawei anti-DDoS solution identifies and
blocks over 200 common zombies/Trojan horses/worms worldwide, therefore smashing botnets.
Perfect IPv4-IPv6 Defense
In February 2011, IANA declared that IPv4 addresses were exhausted. Enterprises have no new IPv4 addresses
and begin to put IPv6 network construction into agenda. The particular IPv4-IPv6 technology of Huawei
anti-DDoS solution supports concurrent defense against DDoS attacks on both IPv4 and IPv6 networks. The
solution addresses the DDoS attack defense requirements in dual stack and helps users transit to the next
generation network.
Flexible Networking
The anti-DDoS solution must be adaptive to various network environments and address different grades of service
requirements.
On this basis, Huawei anti-DDoS solution provides multiple in-line and off-line deployments, which enable
customers to select flexibly by their services and networks.
In-line deployment: serially connects the detecting and cleaning modules to the network to be protected for direct
traffic detecting and cleaning. The high-performance and multi-core hardware platform in use not only ensures the
detecting and cleaning accuracy, but also minimizes the processing delay. Moreover, Huawei anti-DDoS solution
provides the bypass module. When an anomaly occurs, traffic is sent to the cleaning module, which avoids
introducing new failures.
Off-line traffic-diversion deployment: deploys the cleaning module on the network in off-line mode. Once
detecting DDoS attack traffic, the detecting and cleaning centers perform actions based on the policies configured
in the management center.
Highlights
High performance and rapid response: 200 Gbit/s defense performance
and response within seconds
High-performance and multi-core CPU, providing Anti-DDoS products covering 2 Gbit/s to 200 Gbit/s
performance to defend against all types of DDoS attack.
Self-learning of the service model and per-packet detect technology. Once a traffic or packet anomaly is found, the
defense policy is automatically triggered. The defense latency is within two seconds.
Accurate and all-rounded: defense against hundreds of attacks and IPv6
defense
Multiple technologies, including seven-layer filtering, behavior analysis, and session monitoring, to defend against
over 100 DDoS attacks, with the industry-leading defense types.
Defense against over 200 zombies, Trojan horses, and worms, protecting users from hackers.
IPv4/IPv6, as the first to support IPv6 attack defense and concurrent IPv4 and IPv6 attack defense.
Particular terminal identification technology to accurately identify client types, such as smart terminals, set-boxes,
and common clients, as well as client-specific defense technologies to ensure zero false positive.
Value-added operation: protection for tens of thousands of leasers and
diverse self-services
Leaser-based service design to protect 100,000 leasers concurrently.
Self-configuration of defense policies and the generation of independent security reports, providing visibility into
defense effects.
Capture of attack packets, extraction of attack features, and user-defined attack feature filtering to effectively
defend against DDoS attacks and zero-day attacks.
<<<<<<<产品规格_end>>>>>>>
<<<<<<<Datasheet_star>>>>>>>
<<<<<<<table starting>>>>>>>
Table
AntiDDoS8000 series
Model
AntiDDoS8030
AntiDDoS8080
AntiDDoS8160
150 Mpps
Flood defense
30 Mpps (15 Mpps/SPU)
75 Mpps (15 Mpps/SPU)
performance
(15 Mpps/SPU)
Detecting/Cleaning 40 Gbit/s (20 Gbit/s per
100 Gbit/s (20 Gbit/s per
200 Gbit/s (20 Gbit/s per
performance
SPU)
SPU)
SPU)
Defense start
≤ 2 seconds
≤ 2 seconds
≤ 2 seconds
3
8
16
latency
Expansion slot
Expansion interface 1 × 10GE (XFP)
card
2 × 10GE (XFP)
1 × 10G POS (XFP)
12 × 1GE (SFP)
20 × 1GE (SFP)
Dimensions (H ×
175 × 442 × 650 (DC)
620 × 442× 650 (DC)
1420 × 442 × 650 (DC)
W × D)
220 × 442 × 650 (AC)
709 × 442 × 650 (AC)
1598 × 442 × 650 (AC)
Maximum power
1330 W (DC)
3038 W (DC)
5824 W (DC)
consumption
1368 W (AC)
3231 W (AC)
6195 W (AC)
IPv4 defense types
Anomaly filtering
Blacklist, HTTP field-based filtering, and TCP/UDP/Other protocol load
feature-based filtering
Protocol
Defense against IP spoofing, LAND, Fraggle, Smurf, WinNuke, Ping of Death, Tear
vulnerability
Drop, IP Option, IP fragment control packet, TCP label validity check, large ICMP
defense
control packet, ICMP redirect control packet, and ICMP unreachable control packet
attacks
Transport-layer
Defense against SYN flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP
attack defense
fragment flood, UDP flood, UDP fragment flood, and ICMP flood attacks
Scanning and
Defense against port scanning, address scanning, Tracert control packet, IP Option, IP
sniffing attack
timestamp, and IP routing record attacks
defense
DNS attack defense Defense against forged source DNS query flood attacks, real source DNS query flood
attacks, DNS reply flood attacks, DNS cache poisoning attacks, DNS protocol
vulnerability attacks, and fast flux botnet
Web attack defense Defense against HTTP get/post flood attacks, CC attacks, HTTP slow header/post
attacks, HTTPS flood attacks, SSL DoS/DDoS attacks, TCP connection attacks,
Sockstress attacks, TCP retransmission attacks, and TCP null connection attacks
VoIP attack
Defense against SIP flood attacks
defense
Zombie/Trojan
Defense against over 200 zombies, Trojan horses, and worms, such as LOIC, HOIC,
horse/Worm attack Slowloris, Pyloris, HttpDosTool, Slowhttptest, and Thc-ssl-dos
defense
IPv6 defense types
IPv6 defense types Defense against ICMP fragment attacks, blacklist, HTTP field-based filtering,
TCP/UDP/Other protocol load feature-based filtering, SYN flood attacks, ACK flood
attacks, SYN-ACK flood attacks, FIN/RST flood attacks, TCP fragment flood attacks,
UDP flood attacks, UDP fragment flood attacks, ICMP flood attacks, Forged source
DNS query flood attacks, real source DNS query flood attacks, DNS reply flood
attacks, DNS cache poisoning attacks, DNS protocol vulnerability attacks, fast flux
botnet, HTTP get/post flood attacks, CC attacks, HTTP slow header/post flood
attacks, HTTPS flood attacks, SSL DoS/DDoS attacks, TCP connection attacks,
Sockstress attacks, TCP retransmission attacks, TCP null connection attacks, and SIP
flood attacks
IPv4/IPv6
dual-stack attack
defense
Supported
table
<<<<<<<table ending>>>>>>>
<<<<<<< Datasheet _end>>>>>>>
<<<<<<< 产品特点_start>>>>>>>
IDC Secure and Profitable Operation
HUAWEI Anti-DDoS solution deployed at the IDC egress delivers the following functions:
1. Defends against attacks on the DNS server, for example, DNS protocol stack vulnerability attacks, DNS
reflection attacks, DNS flood attacks, and DNS Cache-Miss attacks, and supports DNS cache for improved DNS
server performance under heavy traffic.
2. Defends against attacks on Web servers, for example, SYN flood attacks, HTTP flood attacks, CC attacks, and
low-rate connection attacks.
3. Defends against attacks on online games, for example, UDP flood attacks, SYN flood attacks, and TCP attacks.
4. Defends against SSL DoS/DDoS attacks on HTTPS servers.
5. Provides customers with self-service policy configuration and report by operating Anti-DDoS as a security
service.
<<<<<<<产品特点_end>>>>>>>
<<<<<<<Datasheet_star>>>>>>>
<<<<<<<table starting>>>>>>>
Table
AntiDDoS8030
AntiDDoS8030 DC Basic Configuration(include X3 DC
AntiDDoS8030-BAS
Chassis,2*MPU),with HS General Security Platform
E-DC
Software
Alternative
AntiDDoS8030 DC Basic Configuration(include X3 DC
AntiDDoS8030-BAS
Chassis,2*MPU),with HS General Security Platform
E-AC
Software
AntiDDoS8080
AntiDDoS8080 DC Basic Configuration(include X8 DC
AntiDDoS8080-BAS
Chassis,2*SRU,1*SFU),with HS General Security
E-DC
Platform Software
Mandatory
CR52-PWRA-AC-D
AC Distribution Frame for Cabinet,2 or 6 Input,6(2*3)
F
Output,6 Group of 2 Poles 20A Air Switch
USG9500-PWR-AC
AC Power Supply Module
AC mandatory
AC mandatory
AntiDDoS8160
AntiDDoS8160 DC Basic Configuration(include X16 DC
AntiDDoS8160-BAS
Chassis,2*MPU,4*SFU),with HS General Security
Mandatory
E-DC
Platform Software
CR52-PWRA-AC-D
AC Distribution Frame for Cabinet,2 or 6 Input,6(2*3)
F
Output,6 Group of 2 Poles 20A Air Switch
USG9500-PWR-AC
AC Power Supply Module
AC mandatory
AC mandatory
SPU of the AntiDDoS 8000 series
Service Processing Unit, Double CPUs, with HS General
ADS-SPUA01
Security Platform Software
Optional (the
LIC-ADS-10GDDD0
Capability for Detector(a multiple of 10G),with HS
SPU must be
0
General Security Platform Software
used with a
license)
LIC-ADS-10GDDC0
Capability for Cleaning (a multiple of 10G),with HS
0
General Security Platform Software
Service Processing Unit, Four CPUs, with HS General
ADS-SPUA02
Security Platform Software
LIC-ADS-20GDDD0
Capability for Detector(a multiple of 20G),with HS
0
General Security Platform Software
Optional (the
SPU must be
used with a
license)
LIC-ADS-20GDDC0
Capability for Cleaning (a multiple of 20G),with HS
0
General Security Platform Software
LPU of the AntiDDoS 8000 series
LPUF40
Flexible Card Line Processing Unit(LPUF-40,2 sub-slots)
FWCD0LPUF40A01
Optional
A, with HS General Security Platform Software
FWCD00L2XX01
2-Port 10GBase LAN/WAN-XFP Flexible Card(P40)
Optional
FWCD00EFGF01
20-Port 100/1000Base-X-SFP Flexible Card(P40)
Optional
LPUF21
Flexible Card Line Processing Unit(LPUF-21,2 Sub-Slots)
FWCD0LPUKD01
Optional
B, with HS General Security Platform Software
1-Port 10GBase WAN/LAN XFP Flexible Interface
FWCD00L1XX01
Daughter Card, with HS General Security Platform
Optional
Software
12-Port 100/1000Base-X SFP Flexible Interface Daughter
FWCD00EBGF01
Optional
Card, with HS General Security Platform Software
12-Port 10/100/1000Base-TX RJ45 Flexible Interface
FWCD00EBGE01
Daughter Card, with HS General Security Platform
Optional
Software
1 Port OC-192c/STM-64c POS-XFP Flexible Card, with
FWCD0P1XBZ01
Optional
HS General Security Platform Software
Anti-DDoS components
Windows Chinese Platform(AC PC Server, Hard Disk,
ADSCT001WIN01
Microsoft Windows Server and Patches, Chinese),
Optional
Including OS License
Windows Chinese Platform(DC PC Server, Hard Disk,
ADSCT001WIN03
Microsoft Windows Server and Patches, Chinese),
Optional
including OS License
NS19MKM00
KB&Mouse, Monitor 19-Inch TFT LCD
Optional
Anti-DDoS management center
ATIC Basic Feature Summary ,with HS General Security
LIC-ADS-NOFA00
Platform Software
ATIC Operation Feature Summary ,with HS General
LIC-ADS-DOFA00
Alternative
Security Platform Software (including professional DNS
defense)
Product
customization and
development expense
Extra Product Function Requirement Customized
E8KE-EXTRAD01
Development Fee-with HS General Security Platform
Software
Professional Anti-DDoS defense
Optional
DNS Professional Protection Function ,with HS General
LIC-ADS-DNS00
Optional
Security Platform Software
Web Professional Protection Function ,with HS General
LIC-ADS-WEB00
Optional
Security Platform Software
Number of DDoS Zone(a multiple of 10),with HS General
LIC-ADS-DOM50
Optional
Security Platform Software
LIC-ADS-10GDDD0
Capability for Detector(a multiple of 10G),with HS
0
General Security Platform Software
LIC-ADS-10GDDC0
Capability for Cleanning (a multiple of 10G),with HS
0
General Security Platform Software
LIC-ADS-20GDDD0
Capability for Detector(a multiple of 20G),with HS
0
General Security Platform Software
LIC-ADS-20GDDC0
Capability for Cleaning (a multiple of 20G),with HS
0
General Security Platform Software
Optional
Optional
Optional
Optional
Subrack optical splitter
Optical Splitter ,Single Mode ,Support Three Optical
Links(1*4
OOS314S00
Optional
each),1310/1550nm,+/-40nm,70:10:10:10,LC/UPC,0.25m
m,SMF-28e,180.3*144.45*18.1
Optical Splitter ,Single Mode ,Support Four Optical
OOS412S00
Links(1*2
each),1310/1550nm,+/-40nm,80:20,LC/UPC,0.25mm,SM
Optional
F-28e,0.2dB,180.3*144.45*18.1
Optical Splitter ,Single Mode ,Support Four Optical
Links(1*3
OOS413S00
Optional
each),1310/1550nm,+/-40nm,70:15:15,LC/UPC,0.25mm,S
MF-28e,180.3*144.45*18.1
Optical Splitter ,Multi-mode ,Support Four Optical
Links(1*2
OOS412M00
Optional
each),850nm,+/-40nm,50:50,LC/UPC,0.25mm,62.5/125u
me, 250um loose tube,0.2dB,180.3*144.45*18.1
Optical Splitter ,Single Mode /Multi-mode ,Rack-mounted
OOSSMRC00
Optical Splitter Chassis(Used with Optical Splitter
Optional
Cards),850/1310/1550nm,482.6*209*43.6mm
Optical Splitter ,Single Mode , Support Four Optical
Links(1*2
OOS412S01
Optional
each),1310/1550nm,+/-40nm,50:50,LC/UPC,0.25mm,SM
F-28e,0.2dB,180.3*144.45*18.1mm
table
<<<<<<<table ending>>>>>>>
<<<<<<< Datasheet _end>>>>>>>
<<<<<<<tabRegion_end>>>>>>>