Documente Academic
Documente Profesional
Documente Cultură
System
Terabit-level Capacity, Second-level Response, Precise Protection,
Value-added Operation
As the Internet and IoT thrive, DDoS attacks are developing new characteristics:
• Attacks are increasing both in terms of frequency and traffic volume, with peak attack traffic up to 1.7
Tbit/s in 2018.
• Reflection amplification attacks spread across the world, congesting links.
• Low-rate application-layer attacks target precisely at service systems like e-finance or gaming.
Reflection amplification and low-rate application-layer attacks are gaining momentum, and layered defense
becomes the first choice in anti-DDoS. Huawei AntiDDoS8000 employs big data analysis to conduct
modeling for 60+ types of traffic, offering Terabit-level protection, second-level response, and comprehensive
defense against 100+ types of attacks. It works with Huawei cloud cleaning center to deliver layered
cleaning, providing full-fledged protection that covers network link bandwidths and online services.
Product Appearances
Anti-DDoS operation
• Tenant-specific automatic and manual defense policies for comprehensive protection.
• Tenant-specific report statistics and report sending via email to simplify management.
• Differentiated operation for 100,000 tenants.
Legitimate PC Legitimate PC
Botnet
Legitimate traffic
Attack traffic
Netflow traffic
Management traffic
Switch ATIC
Netflow Management center
Router2
On the network shown in above figure, a netflow detection device collects the logs from routers in real
time to determine whether the traffic in the network is abnormal. When traffic is abnormal, cleaning device
is notified to start the cleaning. The cleaning device is attached to the core router Router1 to clean traffic
destined for the Zone. After cleaning traffic, the cleaning device injects normal traffic back to the original link
in MPLS LSP injection mode. Router2 then forwards the traffic to the Zone.
The cleaning device is directly connected to Router1 only through one interface. Traffic is diverted to the
cleaning device through the main interface, while injected back through a sub-interface. The traffic can also
be injected back through another interface if there are enough interfaces.
Detecting device
Optical
spliter
Router2
Router1 Switch ATIC management
center
Cleaning
device
DC
Firewall Internet
access area
Core switch
gameZone dnsZone
Normal traffic
Attack Target
webZone Attack traffic
Split traffic
Game server Web server DNS server Management traffic
On the network shown in above figure, a cleaning device is attached to the core router1 and router2 to
detect and clean the traffic destined for the Zone. The traffic must be diverted to the cleaning device using
BGP in real time. After traffic is cleaned, normal traffic is injected back to the original link through PBR and
finally forwarded to the Zone.
ATIC management center supports managed security service. ATIC management center can be configured
with customized defense policies based on the tenant's service features. When attack happened, ATIC
management center can initiate automatic protection and send alarm information by email or other
methods. Data center operators can design business models based on tenants and expand business revenue.
Specifications
DDoS Defense Specifications
Defense against the following protocol anomaly attacks: DNS application protection against the following attacks:
Land, Fraggle, Smurf, WinNuke, Ping of Death, Teardrop, • DNS query flood, DNS reply flood, and DNS spoofing
and TCP error flag attacks • Source rate limiting and domain name rate limiting
Defense against the following network attacks: SIP application protection against the following attacks:
SYN flood, ACK flood, FIN flood, RST flood, TCP SIP flood and SIP method flood attacks, including
fragment flood, UDP flood, UDP fragment flood, IP register flood, deregistration flood, authentication flood,
flood, ICMP flood, TCP connection flood, sockstress, and call flood attacks
TCP retransmission, and TCP empty connection attacks Source rate limiting
Defense against the following UDP-based reflection Filters:
and amplification attacks: IP, TCP, UDP, ICMP, DNS, SIP, and HTTP packet filters
NTP, DNS, SSDP, Chargen, TFTP, SNMP, NetBIOS,
QOTD, Quake Network Protocol, Portmapper,
Microsoft SQL Resolution Service, RIPv1, and Steam
Protocol reflection and amplification attacks
Hardware Specifications
Latency 80 μs 80 μs 80 μs
Expansion slot 3 8 16
• 24 × GE (SFP)
• 5 × 10 GE (SFP+)
• 6 × 10 GE (SFP+)
Expansion card • 12 × 10 GE (SFP+)
• 1 × 40 GE (CFP)
• 1 × 100 GE (CFP)
• 3 × 40 GE (QSPF+)
Dimensions
DC: 15 kg (empty) or
30.7 kg (fully configured) 43.2 kg (empty) or 112.9 94.4 kg (empty) or 233.9
Weight
AC: 25 kg (empty) or kg (fully configured) kg (fully configured)
40.7 kg (fully configured)
Certifications
Model Description
Main Equipment
E8KE-X-101-1X40GE-CFP 1-Port 40GBase LAN CFP Flexible Card(P101, 1/2wide, Occupy two sub-slots)
Management Software