Huawei AntiDDoS8000 DDoS Protection System

Huawei AntiDDoS8000 DDoS Protection SystemTerabit-level Capacity, Second-level Response, Precise

Protection, Value-added Operation

HUAWEI TECHNOLOGIES CO., LTD.

Huawei AntiDDoS8000 DDoS Protection SystemTerabit-level Capacity, Second-level Response, Precise Protection, Value-added Operation

Product Appearances

As the Internet and IoT thrive, DDoS attacks are developing new characteristics:

• Attacksincreaseinfrequencyandtrafficvolume,andthepeakattacktrafficisupto600Gbpsin2015.

• Reflectionamplificationattacksspreadacrosstheworld,congestinglinks.

• Low-rateapplication-layerattackstargetpreciselyatservicesystemslikee-financeorgaming.

Reflectionamplificationand low-rateapplication-layerattacksaregainingmomentum,and layered

defensebecomesthefirstchoice inanti-DDoS.HuaweiAntiDDoS8000employsbigdataanalysis to

conductmodelingfor60+typesoftraffic,offeringTerabit-levelprotection,second-levelresponse,and

comprehensivedefenseagainst100+typesofattacks. ItworkswithHuaweicloudcleaningcenterto

deliver layered cleaning, providing full-fledged protection that covers network link bandwidths and

onlineservices.

AntiDDoS8030 AntiDDoS8080 AntiDDoS8160

Solution Function

Defense against high-volume DDoS attacks

• Multi-core distributed architecture and big data-based intelligent protection engine to offer Terabit-level

protectionperformance.

• Second-levelattackresponsetorapidlyblockattacktraffic.

Defense against application-layer DDoS attacks

• Collectionofalltraffic,Layer3~7per-packetanalysis,andmodelingfor60+typesofnetworktrafficto

providethemostpreciseandcomprehensiveattackdetection.

• All-roundreputationsystemof localsessionbehavior reputation, locationreputation,andBotnet IP

reputationtopreciselydefendagainstapplication-layerDDoSattacks launchedfromBotnets,reducing

falsepositivesandimprovinguserexperience.

• Comprehensivedefenseagainst100+typesofattackstoprotectkeyservicesystems,suchasWeb,DNS,

DHCP,andVoIP.

Anti-DDoS operation

• Tenant-specificautomaticandmanualdefensepoliciesforcomprehensiveprotection.

• Tenant-specificreportstatisticsandreportsendingviaemailtosimplifymanagement.

• Self-serviceportalfortenantstoincreasetheirloyalty.

• Differentiatedoperationfor100,000tenants.

Dual-stack (IPv4/IPv6) DDoS attack defense

• Defenseagainstdual-stack(IPv4/IPv6)DDoSattacks.

On-premise + Cloud layered anti-DDoS

• Theon-premisedeviceisonlineinrealtimetoprotectuserservices.

• Whena link iscongested, theon-premisedevicecanautomaticallysendcloudsignals tostartcloud

cleaningandprotectuserlinks.

• 2Tbps+cloudmitigationcapacity.10+cloudscrubbingcenterwithglobal scheduling.Minute-level

defenseresponse.

Typical Scenarios

Scenario 1: MAN Attack Defense

Ametropolitanareanetwork (MAN)providesaplatformonwhichcomprehensiveservicesofacityare

transmitted.MANsoftenapplyto largeandmedium-sizedcities.TheMANsprovidecommonandpublic

networkarchitectureandallowdata,voice,images,andvideostobeeffectivelytransmittedathighspeeds,

meetingchangeableInternetapplicationrequirements.

Onthenetworkshown inabovefigure,anetflowdetectiondevicecollects the logsfromrouters inreal

timetodeterminewhetherthetrafficinthenetworkisabnormal.Whentrafficisabnormal,cleaningdevice

isnotifiedtostartthecleaning.Thecleaningdevice isattachedtothecorerouterRouter1tocleantraffic

destinedfortheZone.Aftercleaningtraffic,thecleaningdeviceinjectsnormaltrafficbacktotheoriginallink

inMPLSLSPinjectionmode.Router2thenforwardsthetraffictotheZone.

Thecleaningdevice isdirectlyconnectedtoRouter1onlythroughone interface.Traffic isdivertedtothe

cleaningdevicethroughthemaininterface,whileinjectedbackthroughasub-interface.Thetrafficcanalso

beinjectedbackthroughanotherinterfaceifthereareenoughinterfaces.

Scenario 2: Data Center Protection and Managed Security Service

AnInternetDataCenter(IDC)isapartofbasicnetworkresources.Itprovideslarge-scale,high-quality,secure,

andreliabledatatransmissionservicesandhigh-speedaccessservicesforInternetcontentproviders,enterprises,

media,andeachtypesofwebsites.TheIDCprovidesDNSservers,Webservers,gameservers,andotherservices.

Inrecentyears,moreandmoreInternet-initiatedDDoSattackstargetIDCs.Asaresult, importantserversare

attacked;datacenterlinkbandwidthisoccupied;videosandgamesarecompromisedbyapplication-layerattacks.

Cleaning device

Switch

Netflow

Legitimate PC Legitimate PC

Botnet

ATICManagement center

RegionalNetwork

RegionalNetwork

BackboneNetwork

Router2

Router1

Attackedtarget

Legitimate traffic

Attack traffic

Netflow traffic

Management traffic

Onthenetworkshowninabovefigure,acleaningdevice isattachedtothecorerouter1androuter2to

detectandcleanthetrafficdestinedfortheZone.Thetrafficmustbedivertedtothecleaningdeviceusing

BGPinrealtime.Aftertrafficiscleaned,normaltrafficisinjectedbacktotheoriginallinkthroughPBRand

finallyforwardedtotheZone.

ATICmanagementcentersupportsmanagedsecurityservice.ATICmanagementcentercanbeconfigured

withcustomizeddefensepoliciesbasedon the tenant's service features.Whenattackhappened,ATIC

managementcenter can initiateautomaticprotectionand sendalarm informationbyemailorother

methods.Tenantscanqueryattackandprotection informationbyvisitingself-serviceportal.Datacenter

operatorscandesignbusinessmodelsbasedontenantsandexpandbusinessrevenue.

Defense against protocol abuse attacks

DefenseagainstLand,Fraggle,Smurf,WinNuke,

PingofDeath,Teardrop,andTCPerrorflagattacks

Webapplicationprotection

DefenseagainstHTTPGETflood,HTTPPOSTflood,

HTTPslowheader,HTTPslowpost,HTTPS flood,

SSLDoS/DDoS,WordPressreflectionamplification,

RUDY, and LOIC attacks; packet validity check

Specifications

DDoS Defense Specifications

Attack TargetNormal traffic

Attack traffic

Split traffic

Management traffic

Normalnetwork

Opticalspliter

Detecting device

Cleaningdevice

ATIC managementcenter

DCInternet

access area

SwitchRouter1

Router2

Firewall

Core switch

gameZone dnsZone

webZone

Game server Web server DNS server

Botner

Managementfunctions

Accountmanagementandpermissionallocation;

defense policy configuration and report display

basedonZones (up to100,000Zones,namely

tenants);deviceperformancemonitoring; source

tracingandfingerprintextractionthroughpacket

capture;email,shortmessage,andaudioalarms;

logdumping;dynamicbaselinelearning

Report functions

Comparisonof trafficbeforeandaftercleaning;

topN traffic statistics; application-layer traffic

comparisonanddistribution;protocoldistribution;

trafficstatisticsbasedonthesourcelocation;attack

eventdetails; topNattackevents (byduration

or numberof packets); distributionof attacks

bycategory;attack traffic trend;DNS resolution

successratio;application-layertopNtrafficstatistics

(bysource IPaddress,HTTPURI,HTTPHOST,and

domainname); downloadof reports inHTML/

PDF/Excelformat;reportpushviaemail;periodical

generationofdaily,weekly,monthly,andyearly

reports; self-service portal for tenants

Management and Report

Defenseagainstscanningandsniffingattacks

Defense against address and port scanning attacks,

and attacks using Tracert packets and IP options,

suchasIPsourceroute,timestamp,andrecordroute

DNSapplicationprotection

DefenseagainstDNSqueryflood,DNSreplyflood,

andDNScachepoisoningattacks;sourcelimit

Defense against network-type attacks

DefenseagainstSYNflood,SYN-ACKfloodACK

flood,FIN flood,RST flood,TCP fragment flood,

UDP flood,UDP fragment flood, IP flood, ICMP

flood, TCP connection flood, sockstress, TCP

retransmission,andTCPemptyconnectionattacks

SIP application protection

Defense against SIP flood/SIPmethods flood

attacks, including Register, Deregistration,

Authentication,andCallfloodattacks;sourcelimit

DefenseagainstUDP-basedreflectionamplification

attacks

DefenseagainstNTP,DNS,SSDP,Chargen,TFTP,

SNMP,NetBIOS,QOTD,QuakeNetworkProtocol,

Portmapper,Microsoft SQLResolution Service,

RIPv1,andSteam

Protocolreflectionamplificationattacks

Filter

IP,TCP,UDP,ICMP,DNS,SIP,andHTTPpacketfilters

Location-basedfiltering

TrafficblockorlimitbasedonthesourceIPaddress

location

Attack signature database

RUDY, slowhttptest, slowloris, LOIC, AnonCannon,

RefRef, ApacheKill, andApacheBench attack

signaturedatabases;automaticweeklyupdateof

these signature databases

IP reputation

Trackingofmost active5million zombies and

automatic daily update of the IP reputation

database to rapidly block attacks; local access IP

reputationlearningtocreatedynamicIPreputation

based on local service sessions, rapidly forward

serviceaccesstraffic,andenhanceuserexperience

Deploymentmode

In-lineorout-of-pathdeployment

Trafficdiversionandinjection

Trafficdiversion:supportsmanual,andPBRorBGP

basedautomatictrafficdiversion.

Traffic injection: supports static route injection,

MPLSVPNinjection,MPLSLSPinjection,GREtunnel

injection,Layer2injection,PBRbasedinjection,etc

Deployment

Model AntiDDoS8030 AntiDDoS8080 AntiDDoS8160

Interfacesandperformance

Throughput Upto120Gbps Upto720Gbps Upto1440Gbps

Throughput/slot Upto80Gbps Upto160Gbps Upto160Gbps

Mitigation rate/slot Upto60Mpps Upto60Mpps Upto60Mpps

Latency 80μs 80μs 80μs

Expansionslot 3 8 16

ExpansionLPUFW-LPUF-120,2sub-

slots

FW-LPUF-120,2sub-slots

FW-LPUF-240,2sub-slots

FW-LPUF-120,2sub-slots

FW-LPUF-240,2sub-slots

Expansioninterfaces24×GE(SFP);5×10GE(SFP+);6×10GE(SFP+);12×10GE(SFP+);1×40GE(CFP);

1×100GE(CFP)

Dimensions

Height×Width×Depth

DC:175mm×442mm

×650mm(4U)

AC:220mm×442mm

×650mm(5U)

620mm×442mm×

650mm(14U)

1420mm×442mm×

650mm(32U)

Weight

DCchassis:15kg(empty),

30.7kg(full)

ACchassis:25kg(empty),

40.7kg(full)

43.2kg(empty),

112.9kg(full)

94.4kg(empty),

233.9kg(full)

PowerandEnvironment

Power supply

Rated input voltage:

DC:-48V

AC:175Vto264V;

50/60Hz

Maximuminputvoltage

range:

DC:-72Vto-38V

AC:90Vto264V;

50/60Hz

Rated input voltage:

DC:-48V

AC:175Vto264V;

50/60Hz

Maximuminputvoltage

range:

DC:-72Vto-38V

AC:90Vto264V;

50/60Hz

Rated input voltage:

DC:-48V

AC:175Vto264V;

50/60Hz

Maximuminputvoltage

range:

DC:-72Vto-38V

AC:90Vto264V;

50/60Hz

Hardware Specifications

Model Description

MainEquipment

ADS8030-BASE-DC-01 AntiDDoS8030DCBasicConfiguration(includeX3DCChassis,2*MPU)

ADS8030-BASE-AC-01 AntiDDoS8030ACBasicConfiguration(includeX3ACChassis,2*MPU)

ADS8080-BASE-DC-01AntiDDoS8080200GDCBasicConfiguration(includeX8DCChassis,

2*SRU200A,1*SFU200C)

ADS8160-BASE-DC-01AntiDDoS8160200GDCBasicConfiguration(includeX16DCChassis,

2*MPU,4*SFU200B)

Service Processing Card Module

ADS-SPUC-B AntiDDoS8030ServiceProcessingUnit(BaseBoard)

ADS-SPUD-B AntiDDoS8080&AntiDDoS8160ServiceProcessingUnit(BaseBoard)

ADS-SPC-40-01 DDoSProtectionServiceCard(with1CPU)

Order Information

Model AntiDDoS8030 AntiDDoS8080 AntiDDoS8160

Powerconsumption

1×FW-LPUF-120+2×

ADS-SPUC-B+2× ADS-

SPC-80-01:

DC:1066W(avg),

1272W(max)

AC:1185W(avg),

1414W(max)

3×FW-LPUF-240+5

×ADS-SPUD-B+10×

ADS-SPC-80-01:

DC:4025W(avg),

4823W(max)

AC:4282W(avg),

5132W(max)

6×FW-LPUF-240+9

×ADS-SPUD-B+18×

ADS-SPC-80-01:

DC:7387W(avg),

8930W(max)

AC:7858W(avg),

9500W(max)

Power redundancy

DC: Double hot-

swappable power

modules

AC: Double hot-

swappable power

modules

DC: 4 hot-swappable

PEMmodules

AC:4PEMmodules+1

externalACpower

chassis

DC:8hot-swappable

PEMmodules

AC:8PEMmodules+2

externalACpower

chassises

Operatingtemperature 0°Cto45°C(long-term),-5°Cto50°C(short-term)

Storagetemperature -40°Cto70°C

Operatinghumidity5%RHto85%RH,non-condensing(long-term),5%RHto95%RH,non-

condensing(short-term)

Storagehumidity 0%RHto95%RH

Certifications

SafetyCertificationsElectroMagneticCompatibility(EMC)certification

CB,Rohs,FCC,MET,C-tick,andVCCIcertification

Model Description

ADS-SPC-80-01 DDoSProtectionServiceCard(with2CPUs)

Line Processing Card Module

FW-LPUF-120 120GLineProcessingUnit

FW-LPUF-240 240GLineProcessingUnit

FW-6X10G-SFP+ 6*10GESFP+DaughterCard

FW-1X100G-CFP 1*100GECFPDaughterCard

FW-12X10G-SFP+ 12*10GESFP+DaughterCard

E8KE-X-101-5X10GE-SFP+5-Port10GBaseLAN/WAN-SFP+FlexibleCardA(P101,1/2wide,Occupy

twosub-slots)

E8KE-X-101-24XGE-SFP24-Port100/1000Base-X-SFPFlexibleCard(P101,1/2wide,Occupytwo

sub-slots)

E8KE-X-101-1X40GE-CFP1-Port40GBaseLANCFPFlexibleCard(P101,1/2wide,Occupytwosub-

slots)

ManagementSoftware

LIC-ADS-NOFA00 ATICBasicFeatureSummary

Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.

NopartofthisdocumentmaybereproducedortransmittedinanyformorbyanymeanswithoutpriorwrittenconsentofHuaweiTechnologiesCo.,Ltd.

Trademark Notice

, HUAWEI,andaretrademarksorregisteredtrademarksofHuaweiTechnologiesCo.,Ltd.

Othertrademarks,product,serviceandcompanynamesmentionedarethepropertyoftheirrespectiveowners.

General Disclaimer

Theinformationinthisdocumentmaycontainpredictivestatementsincluding,

withoutlimitation,statementsregardingthefuturefinancialandoperatingresults,

futureproductportfolio,newtechnology,etc.Thereareanumberoffactors

thatcouldcauseactualresultsanddevelopmentstodiffermateriallyfromthose

expressedorimpliedinthepredictivestatements.Therefore,suchinformation

is provided for reference purpose only and constitutes neither an offer nor an

acceptance.Huaweimaychangetheinformationatanytimewithoutnotice.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Industrial Base

Bantian Longgang

Shenzhen 518129, P.R. China

Tel: +86-755-28780808

Version No.: M3-032102-20161220-C-1.0

www.huawei.com