Huawei AntiDDoS8000 DDoS Protection System Terabit-level Capacity, Second-level Response, Precise Protection, Value-added Operation HUAWEI TECHNOLOGIES CO., LTD.
Huawei AntiDDoS8000 DDoS Protection SystemTerabit-level Capacity, Second-level Response, Precise
Protection, Value-added Operation
HUAWEI TECHNOLOGIES CO., LTD.
Huawei AntiDDoS8000 DDoS Protection SystemTerabit-level Capacity, Second-level Response, Precise Protection, Value-added Operation
Product Appearances
As the Internet and IoT thrive, DDoS attacks are developing new characteristics:
• Attacksincreaseinfrequencyandtrafficvolume,andthepeakattacktrafficisupto600Gbpsin2015.
• Reflectionamplificationattacksspreadacrosstheworld,congestinglinks.
• Low-rateapplication-layerattackstargetpreciselyatservicesystemslikee-financeorgaming.
Reflectionamplificationand low-rateapplication-layerattacksaregainingmomentum,and layered
defensebecomesthefirstchoice inanti-DDoS.HuaweiAntiDDoS8000employsbigdataanalysis to
conductmodelingfor60+typesoftraffic,offeringTerabit-levelprotection,second-levelresponse,and
comprehensivedefenseagainst100+typesofattacks. ItworkswithHuaweicloudcleaningcenterto
deliver layered cleaning, providing full-fledged protection that covers network link bandwidths and
onlineservices.
AntiDDoS8030 AntiDDoS8080 AntiDDoS8160
Solution Function
Defense against high-volume DDoS attacks
• Multi-core distributed architecture and big data-based intelligent protection engine to offer Terabit-level
protectionperformance.
• Second-levelattackresponsetorapidlyblockattacktraffic.
Defense against application-layer DDoS attacks
• Collectionofalltraffic,Layer3~7per-packetanalysis,andmodelingfor60+typesofnetworktrafficto
providethemostpreciseandcomprehensiveattackdetection.
• All-roundreputationsystemof localsessionbehavior reputation, locationreputation,andBotnet IP
reputationtopreciselydefendagainstapplication-layerDDoSattacks launchedfromBotnets,reducing
falsepositivesandimprovinguserexperience.
• Comprehensivedefenseagainst100+typesofattackstoprotectkeyservicesystems,suchasWeb,DNS,
DHCP,andVoIP.
Anti-DDoS operation
• Tenant-specificautomaticandmanualdefensepoliciesforcomprehensiveprotection.
• Tenant-specificreportstatisticsandreportsendingviaemailtosimplifymanagement.
• Self-serviceportalfortenantstoincreasetheirloyalty.
• Differentiatedoperationfor100,000tenants.
Dual-stack (IPv4/IPv6) DDoS attack defense
• Defenseagainstdual-stack(IPv4/IPv6)DDoSattacks.
On-premise + Cloud layered anti-DDoS
• Theon-premisedeviceisonlineinrealtimetoprotectuserservices.
• Whena link iscongested, theon-premisedevicecanautomaticallysendcloudsignals tostartcloud
cleaningandprotectuserlinks.
• 2Tbps+cloudmitigationcapacity.10+cloudscrubbingcenterwithglobal scheduling.Minute-level
defenseresponse.
Typical Scenarios
Scenario 1: MAN Attack Defense
Ametropolitanareanetwork (MAN)providesaplatformonwhichcomprehensiveservicesofacityare
transmitted.MANsoftenapplyto largeandmedium-sizedcities.TheMANsprovidecommonandpublic
networkarchitectureandallowdata,voice,images,andvideostobeeffectivelytransmittedathighspeeds,
meetingchangeableInternetapplicationrequirements.
Onthenetworkshown inabovefigure,anetflowdetectiondevicecollects the logsfromrouters inreal
timetodeterminewhetherthetrafficinthenetworkisabnormal.Whentrafficisabnormal,cleaningdevice
isnotifiedtostartthecleaning.Thecleaningdevice isattachedtothecorerouterRouter1tocleantraffic
destinedfortheZone.Aftercleaningtraffic,thecleaningdeviceinjectsnormaltrafficbacktotheoriginallink
inMPLSLSPinjectionmode.Router2thenforwardsthetraffictotheZone.
Thecleaningdevice isdirectlyconnectedtoRouter1onlythroughone interface.Traffic isdivertedtothe
cleaningdevicethroughthemaininterface,whileinjectedbackthroughasub-interface.Thetrafficcanalso
beinjectedbackthroughanotherinterfaceifthereareenoughinterfaces.
Scenario 2: Data Center Protection and Managed Security Service
AnInternetDataCenter(IDC)isapartofbasicnetworkresources.Itprovideslarge-scale,high-quality,secure,
andreliabledatatransmissionservicesandhigh-speedaccessservicesforInternetcontentproviders,enterprises,
media,andeachtypesofwebsites.TheIDCprovidesDNSservers,Webservers,gameservers,andotherservices.
Inrecentyears,moreandmoreInternet-initiatedDDoSattackstargetIDCs.Asaresult, importantserversare
attacked;datacenterlinkbandwidthisoccupied;videosandgamesarecompromisedbyapplication-layerattacks.
Cleaning device
Switch
Netflow
Legitimate PC Legitimate PC
Botnet
ATICManagement center
RegionalNetwork
RegionalNetwork
BackboneNetwork
Router2
Router1
Attackedtarget
Legitimate traffic
Attack traffic
Netflow traffic
Management traffic
Onthenetworkshowninabovefigure,acleaningdevice isattachedtothecorerouter1androuter2to
detectandcleanthetrafficdestinedfortheZone.Thetrafficmustbedivertedtothecleaningdeviceusing
BGPinrealtime.Aftertrafficiscleaned,normaltrafficisinjectedbacktotheoriginallinkthroughPBRand
finallyforwardedtotheZone.
ATICmanagementcentersupportsmanagedsecurityservice.ATICmanagementcentercanbeconfigured
withcustomizeddefensepoliciesbasedon the tenant's service features.Whenattackhappened,ATIC
managementcenter can initiateautomaticprotectionand sendalarm informationbyemailorother
methods.Tenantscanqueryattackandprotection informationbyvisitingself-serviceportal.Datacenter
operatorscandesignbusinessmodelsbasedontenantsandexpandbusinessrevenue.
Defense against protocol abuse attacks
DefenseagainstLand,Fraggle,Smurf,WinNuke,
PingofDeath,Teardrop,andTCPerrorflagattacks
Webapplicationprotection
DefenseagainstHTTPGETflood,HTTPPOSTflood,
HTTPslowheader,HTTPslowpost,HTTPS flood,
SSLDoS/DDoS,WordPressreflectionamplification,
RUDY, and LOIC attacks; packet validity check
Specifications
DDoS Defense Specifications
Attack TargetNormal traffic
Attack traffic
Split traffic
Management traffic
Normalnetwork
Opticalspliter
Detecting device
Cleaningdevice
ATIC managementcenter
DCInternet
access area
SwitchRouter1
Router2
Firewall
Core switch
gameZone dnsZone
webZone
Game server Web server DNS server
Botner
Managementfunctions
Accountmanagementandpermissionallocation;
defense policy configuration and report display
basedonZones (up to100,000Zones,namely
tenants);deviceperformancemonitoring; source
tracingandfingerprintextractionthroughpacket
capture;email,shortmessage,andaudioalarms;
logdumping;dynamicbaselinelearning
Report functions
Comparisonof trafficbeforeandaftercleaning;
topN traffic statistics; application-layer traffic
comparisonanddistribution;protocoldistribution;
trafficstatisticsbasedonthesourcelocation;attack
eventdetails; topNattackevents (byduration
or numberof packets); distributionof attacks
bycategory;attack traffic trend;DNS resolution
successratio;application-layertopNtrafficstatistics
(bysource IPaddress,HTTPURI,HTTPHOST,and
domainname); downloadof reports inHTML/
PDF/Excelformat;reportpushviaemail;periodical
generationofdaily,weekly,monthly,andyearly
reports; self-service portal for tenants
Management and Report
Defenseagainstscanningandsniffingattacks
Defense against address and port scanning attacks,
and attacks using Tracert packets and IP options,
suchasIPsourceroute,timestamp,andrecordroute
DNSapplicationprotection
DefenseagainstDNSqueryflood,DNSreplyflood,
andDNScachepoisoningattacks;sourcelimit
Defense against network-type attacks
DefenseagainstSYNflood,SYN-ACKfloodACK
flood,FIN flood,RST flood,TCP fragment flood,
UDP flood,UDP fragment flood, IP flood, ICMP
flood, TCP connection flood, sockstress, TCP
retransmission,andTCPemptyconnectionattacks
SIP application protection
Defense against SIP flood/SIPmethods flood
attacks, including Register, Deregistration,
Authentication,andCallfloodattacks;sourcelimit
DefenseagainstUDP-basedreflectionamplification
attacks
DefenseagainstNTP,DNS,SSDP,Chargen,TFTP,
SNMP,NetBIOS,QOTD,QuakeNetworkProtocol,
Portmapper,Microsoft SQLResolution Service,
RIPv1,andSteam
Protocolreflectionamplificationattacks
Filter
IP,TCP,UDP,ICMP,DNS,SIP,andHTTPpacketfilters
Location-basedfiltering
TrafficblockorlimitbasedonthesourceIPaddress
location
Attack signature database
RUDY, slowhttptest, slowloris, LOIC, AnonCannon,
RefRef, ApacheKill, andApacheBench attack
signaturedatabases;automaticweeklyupdateof
these signature databases
IP reputation
Trackingofmost active5million zombies and
automatic daily update of the IP reputation
database to rapidly block attacks; local access IP
reputationlearningtocreatedynamicIPreputation
based on local service sessions, rapidly forward
serviceaccesstraffic,andenhanceuserexperience
Deploymentmode
In-lineorout-of-pathdeployment
Trafficdiversionandinjection
Trafficdiversion:supportsmanual,andPBRorBGP
basedautomatictrafficdiversion.
Traffic injection: supports static route injection,
MPLSVPNinjection,MPLSLSPinjection,GREtunnel
injection,Layer2injection,PBRbasedinjection,etc
Deployment
Model AntiDDoS8030 AntiDDoS8080 AntiDDoS8160
Interfacesandperformance
Throughput Upto120Gbps Upto720Gbps Upto1440Gbps
Throughput/slot Upto80Gbps Upto160Gbps Upto160Gbps
Mitigation rate/slot Upto60Mpps Upto60Mpps Upto60Mpps
Latency 80μs 80μs 80μs
Expansionslot 3 8 16
ExpansionLPUFW-LPUF-120,2sub-
slots
FW-LPUF-120,2sub-slots
FW-LPUF-240,2sub-slots
FW-LPUF-120,2sub-slots
FW-LPUF-240,2sub-slots
Expansioninterfaces24×GE(SFP);5×10GE(SFP+);6×10GE(SFP+);12×10GE(SFP+);1×40GE(CFP);
1×100GE(CFP)
Dimensions
Height×Width×Depth
DC:175mm×442mm
×650mm(4U)
AC:220mm×442mm
×650mm(5U)
620mm×442mm×
650mm(14U)
1420mm×442mm×
650mm(32U)
Weight
DCchassis:15kg(empty),
30.7kg(full)
ACchassis:25kg(empty),
40.7kg(full)
43.2kg(empty),
112.9kg(full)
94.4kg(empty),
233.9kg(full)
PowerandEnvironment
Power supply
Rated input voltage:
DC:-48V
AC:175Vto264V;
50/60Hz
Maximuminputvoltage
range:
DC:-72Vto-38V
AC:90Vto264V;
50/60Hz
Rated input voltage:
DC:-48V
AC:175Vto264V;
50/60Hz
Maximuminputvoltage
range:
DC:-72Vto-38V
AC:90Vto264V;
50/60Hz
Rated input voltage:
DC:-48V
AC:175Vto264V;
50/60Hz
Maximuminputvoltage
range:
DC:-72Vto-38V
AC:90Vto264V;
50/60Hz
Hardware Specifications
Model Description
MainEquipment
ADS8030-BASE-DC-01 AntiDDoS8030DCBasicConfiguration(includeX3DCChassis,2*MPU)
ADS8030-BASE-AC-01 AntiDDoS8030ACBasicConfiguration(includeX3ACChassis,2*MPU)
ADS8080-BASE-DC-01AntiDDoS8080200GDCBasicConfiguration(includeX8DCChassis,
2*SRU200A,1*SFU200C)
ADS8160-BASE-DC-01AntiDDoS8160200GDCBasicConfiguration(includeX16DCChassis,
2*MPU,4*SFU200B)
Service Processing Card Module
ADS-SPUC-B AntiDDoS8030ServiceProcessingUnit(BaseBoard)
ADS-SPUD-B AntiDDoS8080&AntiDDoS8160ServiceProcessingUnit(BaseBoard)
ADS-SPC-40-01 DDoSProtectionServiceCard(with1CPU)
Order Information
Model AntiDDoS8030 AntiDDoS8080 AntiDDoS8160
Powerconsumption
1×FW-LPUF-120+2×
ADS-SPUC-B+2× ADS-
SPC-80-01:
DC:1066W(avg),
1272W(max)
AC:1185W(avg),
1414W(max)
3×FW-LPUF-240+5
×ADS-SPUD-B+10×
ADS-SPC-80-01:
DC:4025W(avg),
4823W(max)
AC:4282W(avg),
5132W(max)
6×FW-LPUF-240+9
×ADS-SPUD-B+18×
ADS-SPC-80-01:
DC:7387W(avg),
8930W(max)
AC:7858W(avg),
9500W(max)
Power redundancy
DC: Double hot-
swappable power
modules
AC: Double hot-
swappable power
modules
DC: 4 hot-swappable
PEMmodules
AC:4PEMmodules+1
externalACpower
chassis
DC:8hot-swappable
PEMmodules
AC:8PEMmodules+2
externalACpower
chassises
Operatingtemperature 0°Cto45°C(long-term),-5°Cto50°C(short-term)
Storagetemperature -40°Cto70°C
Operatinghumidity5%RHto85%RH,non-condensing(long-term),5%RHto95%RH,non-
condensing(short-term)
Storagehumidity 0%RHto95%RH
Certifications
SafetyCertificationsElectroMagneticCompatibility(EMC)certification
CB,Rohs,FCC,MET,C-tick,andVCCIcertification
Model Description
ADS-SPC-80-01 DDoSProtectionServiceCard(with2CPUs)
Line Processing Card Module
FW-LPUF-120 120GLineProcessingUnit
FW-LPUF-240 240GLineProcessingUnit
FW-6X10G-SFP+ 6*10GESFP+DaughterCard
FW-1X100G-CFP 1*100GECFPDaughterCard
FW-12X10G-SFP+ 12*10GESFP+DaughterCard
E8KE-X-101-5X10GE-SFP+5-Port10GBaseLAN/WAN-SFP+FlexibleCardA(P101,1/2wide,Occupy
twosub-slots)
E8KE-X-101-24XGE-SFP24-Port100/1000Base-X-SFPFlexibleCard(P101,1/2wide,Occupytwo
sub-slots)
E8KE-X-101-1X40GE-CFP1-Port40GBaseLANCFPFlexibleCard(P101,1/2wide,Occupytwosub-
slots)
ManagementSoftware
LIC-ADS-NOFA00 ATICBasicFeatureSummary
Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
NopartofthisdocumentmaybereproducedortransmittedinanyformorbyanymeanswithoutpriorwrittenconsentofHuaweiTechnologiesCo.,Ltd.
Trademark Notice
, HUAWEI,andaretrademarksorregisteredtrademarksofHuaweiTechnologiesCo.,Ltd.
Othertrademarks,product,serviceandcompanynamesmentionedarethepropertyoftheirrespectiveowners.
General Disclaimer
Theinformationinthisdocumentmaycontainpredictivestatementsincluding,
withoutlimitation,statementsregardingthefuturefinancialandoperatingresults,
futureproductportfolio,newtechnology,etc.Thereareanumberoffactors
thatcouldcauseactualresultsanddevelopmentstodiffermateriallyfromthose
expressedorimpliedinthepredictivestatements.Therefore,suchinformation
is provided for reference purpose only and constitutes neither an offer nor an
acceptance.Huaweimaychangetheinformationatanytimewithoutnotice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20161220-C-1.0
www.huawei.com