Huawei Traffic Cleaning Solution

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademark Notice

, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.


1.1 Introduction

The modern world is witnessing exponential growth of network attacks. For example, in 2010 alone the rate of distributed denial-of-service (DDoS) traffic attacks on bandwidth was 100 Gbit/s, a 1000% increase compared with that in 2005. These emerging attacks target specific application-layer protocols, such as HTTP, HTTPS, SIP, and DNS. These new malicious attacks render conventional flow devices ineffective. Consequently, customers are faced with the following problems:

• How to withstand massive flooding and application-layer attacks while securing the network
• How to maximize investments on DDoS defense while reducing maintenance costs

Based on long-accumulated security technologies and a deep understanding of customer requirements, Huawei has devised a traffic cleaning solution able to secure customers' networks while simplifying their management needs. The solution is specifically tailored for:

• Large and medium-sized enterprises
• Internet data centers (IDCs)
• Internet service providers (ISPs, including web portals, game service providers, and DNS service providers)

1.2 Solution

The Huawei traffic cleaning solution can be divided into three centers, as shown in the following figure.

[Figure: Traffic Cleaning Solution. Labels: Management Center, Cleaning Center, Detecting Center, Internet, Intranet, Botnet]

• Detecting center
  Acting like the "eyes" of the solution, the detecting center monitors traffic based on certain detection policies and reports abnormalities to the management center.
• Cleaning center
  Acting like the "heart" of the solution, the cleaning center receives instructions from the management center and cleans abnormal traffic based on traffic diversion policies.
• Management center
  Acting like the "brain" of the solution, the management center formulates detecting and cleaning policies, controls detecting and cleaning devices, and generates attack reports and cleaning logs.

1.3 Hardware

The following figure shows detecting and cleaning devices involved in the solution.

[Figure: detecting and cleaning devices. Labels: E1000E-I (detecting device), E1000E-D (cleaning device), security protection for small- and medium-sized enterprises; E8080E, E8016E, security protection for IDCs/large- and medium-sized enterprises; 6G, 10G, and 20G detecting boards; 6G, 10G, and 20G cleaning boards; 6G; 160G]

The E1000E provides a gigabit-level cleaning capacity to secure services for small- and medium-sized enterprises (SMEs).

The following table lists two models of the E1000E.

E1000E-I: Detecting device
E1000E-D: Cleaning device

1.4 Features

1.4.1 Industry’s Highest Performance to Secure the Network

• High Performance
  With an industry-leading processing capacity of 160 Gbit/s per chassis, the solution can withstand large-scale attacks.
  • Advanced architecture
    Built on the network processor (NP), multi-core CPU, and distributed architecture, the detecting and cleaning centers provide linear capacity expansion capability to overcome bottlenecks in processing performance.
  • High capacity
    The solution provides fine-grained protection for 2000 VIP customers and 10,000 IP addresses and provides coarse-grained protection for 1 million IP addresses.
• Highest Detection Rate
  With DPI technology and a solid 7-layer defense structure, the solution can efficiently prevent various attacks from occurring.
  • Deep Packet Inspection (DPI)
    Unlike conventional Netflow-based devices, Huawei’s detecting devices use DPI technology to analyze every byte inside packets, and use the 7-layer defense structure to effectively identify attack types, including traffic, application-layer, scanning and snooping, and malformed packet attacks.

An E8000E service board, coupled with a distributed E8000E series chassis, provides a cleaning capacity of 160 Gbit/s.

The following table lists two models of the E8000E.

[Figure: 7-layer defense structure separating attack traffic from legitimate traffic. Stage labels: static filtering, whitelist, blacklist, malformed packet filtering, transport layer source validity authentication, source validity authentication, session-based cleaning, behavior analysis, dynamic analysis, traffic shaping (avoid congestion to the target), forwarding. Attack labels: SYN Flood, ACK Flood, SYN-ACK Flood, TCP Fragment Flood, UDP Flood, ICMP Flood, DNS Flood, HTTP Flood, HTTPS Flood, DNS Query Flood, DNS Reply Flood, SIP Flood, CC attack, connection exhaustion attack, DNS cache poisoning, DNS reflection attack, slow connection attack, retransmission attack, slow start attack, LAND attack, Fraggle attack, Winnuke, Ping of Death, Tear Drop, invalid TCP flag attack, super large ICMP attack]

  • IPv6 attack defense
    The solution supports IPv6/IPv4 dual stack to defend against IPv4 and IPv6 attacks simultaneously, secure the IPv4-to-IPv6 transition, and reduce transition costs.
• Quick Attack Response
  The solution detects and cleans abnormal traffic within seconds to ensure service continuity.
  • Fast detection
    Conventional flow-based detecting devices analyze network-wide router logs, which takes a long time to detect attacks. Huawei’s detecting devices use the DPI technology to capture attack characteristics in real time and detect attacks within seconds.
  • Quick response
    The synchronization of sessions and detection results between detecting and cleaning centers enables the solution to respond to attacks within seconds (less than 10 seconds).
• High Reliability
  • Reliable platform
    – Hardware platform:
      √ 1+1 main processing engines
      √ 3+1 switching boards
      √ Key component (power module and fan) redundancy
      √ Core router-class service stability
    – Versatile Routing Platform (VRP):
      √ Independent modules with little impact on each other
      √ 4 million devices on live networks
  • Reliable system
    The solution ensures 500,000 hours of mean time between failures (MTBF) and 99.9999% reliability through:
    – Inter-board load balancing
    – Cross-board interface binding
    – Two-node cluster hot backup

1.4.2 Industry’s Easiest Solution to Simplify the Management

• Easy Management and Low OPEX
  • Graphical management
    The solution provides a flexible graphical user interface which simplifies configuration and maintenance and reduces operating expenses (OPEX).
  • Flexible evidence collection methods
    For security audit, the solution collects evidence in either of the following ways:
    – Packet capture based on access control lists (ACLs)
    – Automatic packet capture based on the types of attack events
  • Centralized management
    The solution manages distributed peripheral devices in a centralized and simplified mode, which decreases management servers and significantly reduces maintenance costs.
• Easy Expansion and Low Expansion Cost
  • Software license upgrade
    The E1000E supports software license upgrades to expand the cleaning capacity without adding hardware, which greatly reduces costs.
  • Smooth upgrade
    The E1000E supports smooth capacity expansion.
  • Linear expansion
    The E1000E supports a maximum of eight service boards per chassis. Users can add service boards to expand the capacity. The expansion mode improves investment efficiency and reduces capacity expansion costs.
  • Cost-saving
    Traffic detecting and cleaning devices share the same chassis, which effectively saves on customers' investment.

1.5 Application Scenarios

1.5.1 IDC Security

• Customer Challenges
  The service-rich IDC with egress bandwidth is vulnerable to flooding attacks and application-layer attacks.
• Solution Benefits
  – Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds).
  – Withstands over 30 types of DDoS attacks, including:
    √ UDP Flood attacks
    √ CC attacks
    √ HTTP Flood attacks
    √ HTTPS Flood attacks
    √ DNS attacks
    √ Slow attacks

[Figure: anti-DDoS network with hosted servers. Labels: botnet, Internet, normal traffic, DDoS traffic, normal network, DDoS cleaning center, hosted servers in service areas 1 to 3]

1.5.2 Web Portal or Game Server Security

• Customer Challenges
  Web portals or game servers with egress bandwidth are vulnerable to flooding attacks and application-layer attacks.
• Solution Benefits
  – Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds).
  – Withstands over 30 types of DDoS attacks, including:
    √ UDP Flood attacks
    √ CC attacks
    √ HTTP Flood attacks
    √ Slow link attacks
    √ TCP retransmission attacks

The following figure shows the anti-DDoS network of a web portal or game website.

[Figure: anti-DDoS network of a web portal or game website. Labels: botnet, normal traffic, DDoS traffic, normal network, DDoS cleaning center, Carrier 1, Carrier 2, mail server zone, game server zone, web server zone]

1.5.3 Enterprise Network Egress Security

• Customer Challenges
  Large and medium-sized enterprises build networks or rent links (about 10 GB) to enable office automation (OA) and internal communication, which are vulnerable to DDoS attacks.
• Solution Benefits
  Withstands over 30 types of DDoS attacks, particularly those attacks aimed at OA networks, including:
  – UDP Flood attacks
  – HTTP Flood attacks
  – TCP Flood attacks

The following figure shows the anti-DDoS network of an enterprise.

[Figure: anti-DDoS network of an enterprise. Labels: Carrier 1, Carrier 2, detecting center, cleaning center, firewall, office area, living area]

1.5.4 Online Service Security

• Customer Challenges
  Online services are vulnerable to DDoS attacks. These attacks severely compromise a service provider’s customer base, financial security, and reputation.
• Solution Benefits
  Withstands over 30 types of DDoS attacks, particularly those attacks aimed at online transaction systems, including:
  – HTTP Flood attacks
  – HTTPS Flood attacks
  – CC attacks
  – Slow link attacks
  – DNS attacks (DNS Query and Reply Flood)

The following figure shows the anti-DDoS network of online services.

[Figure: anti-DDoS network of online services. Labels: botnet, normal traffic, DDoS traffic, normal network, DDoS defense, firewall, trust zone, DMZ]

1.5.5 DNS Security

• Customer Challenges
  DNS servers, a vital part of the Internet infrastructure, are often subject to DDoS attacks, which bring serious consequences for their customers, who have a vested interest in securing their DNS services.
• Solution Benefits
  – Withstands over 30 types of DDoS attacks, particularly those attacks aimed at DNS services, including:
    √ DNS attacks (DNS Query and Reply Flood)
    √ DNS cache poisoning
    √ UDP Flood attacks
  – Provides the Top N DNS cache function to alleviate the DNS server's pressure in coping with attacks.

The following figure shows the anti-DDoS network of a DNS server.

[Figure: anti-DDoS network of a DNS server. Labels: botnet, Internet, normal traffic, DDoS traffic, normal network, DDoS cleaning center, management center, DNS server]

1.6 Product Specifications

Model: E1000E-I/D

Number of slots: For a 1 U device:
  √ 4 pairs of GE optical/electrical (mutually exclusive) interfaces
  √ 2 USB 2.0 interfaces
Detecting and cleaning capacity: 4G
Protected destination IP addresses:
  √ Protected targets: 400
  √ IP addresses (fine-grained protection): 2048
Preventable DDoS attacks (applicable to IPv4, IPv6, and IPv4-IPv6 networks):
  Traffic-type attacks: SYN Flood, ACK Flood, SYN-ACK Flood, FIN/RST Flood, IP Fragment Flood, UDP Flood, ICMP Flood, Smurf attack
  Application-layer attacks: Connection Flood, DNS Query Flood, DNS Reply Flood, DNS cache poisoning, HTTP Get/Post Flood, CC attack, SIP Flood, HTTPS Flood
  Scanning and snooping attacks: Port scanning, Address scanning, Tracert packet, IP source routing option attack, IP timestamp option attack, IP routing record option attack
  Malformed packet attacks: IP Spoofing, LAND attack, Fraggle attack, Winnuke, Ping of Death, Tear Drop, IP Option control, IP fragment control packet, Invalid TCP flag attack, Super large ICMP control packet, ICMP redirect packet, ICMP unreachable packet
Reliability: Dual power modules and fans
Interface board type: 2 expansion slots that support 4*FE RJ45 connectors and 2*GE Combo connectors
Dimensions (W x D x H): 436 x 560 x 44.2 mm
Weight: 10 kg
Power: 100 W
Mean time between failures (MTBF): 37.54 years

Model: Eudemon8080E, Eudemon8160E

Number of slots:
  Eudemon8080E: 8 slots, a maximum of 4 detecting/cleaning boards and 4 interface boards
  Eudemon8160E: 16 slots, a maximum of 8 detecting/cleaning boards and 8 interface boards
Detecting and cleaning capacity:
  Eudemon8080E: 80G
  Eudemon8160E: 160G
Protected IP addresses:
  Protected targets: 2000
  IP addresses (fine-grained protection): 10,000
  IP addresses (coarse-grained protection): 1 million
Preventable DDoS attacks (applicable to IPv4, IPv6, and IPv4-IPv6 networks):
  Traffic-type attacks: SYN Flood, ACK Flood, SYN-ACK Flood, FIN/RST Flood, IP Fragment Flood, UDP Flood, ICMP Flood, Smurf attack
  Application-layer attacks: Connection Flood, DNS Query Flood, DNS Reply Flood, HTTP Get/Post Flood, CC attack, SIP Flood, HTTPS Flood
  Scanning and snooping attacks: Port scanning, Address scanning, Tracert packet, IP source routing option attack, IP timestamp option attack, IP routing record option attack
  Malformed packet attacks: IP Spoofing, LAND attack, Fraggle attack, Winnuke, Ping of Death, Tear Drop, IP Option control, IP fragment control packet, Invalid TCP flag attack, Super large ICMP control packet, ICMP redirect packet, ICMP unreachable packet
Reliability: Module/Component hot swap, two-node cluster hot backup, link aggregation, and 1+1 main processing engines
Interface board type:
  Ethernet interface card: 1 x 10GE, 12 x 1G (optical/electrical)
  POS interface card: 1 x 10G
Maximum interfaces:
  Ethernet interface:
    Eudemon8080E: 8 x 12 x 1GE, 8 x 10GE
    Eudemon8160E: 16 x 12 x 1GE, 16 x 10GE
  POS interface:
    Eudemon8080E: 8 x 10G
    Eudemon8160E: 16 x 10G
Dimensions (W x D x H):
  Eudemon8080E: 442 x 669 x 886 mm
  Eudemon8160E: 442 x 669 x 1600 mm
Weight:
  Eudemon8080E: 100 kg
  Eudemon8160E: 150 kg
Power:
  Eudemon8080E: 700 W
  Eudemon8160E: 900 W
MTBF:
  Eudemon8080E: 57 years
  Eudemon8160E: 57 years

Model: Traffic cleaning service board

Detecting capacity (max.): 20 Gbit/s
Cleaning capacity (max.): 20 Gbit/s
Response delay: ≤ 10 seconds

DDoS Attack Defense

Defense against attacks based on protection targets: Supported
SYN Flood defense: Supported
SYN-ACK Flood defense: Supported
ACK Flood defense: Supported
HTTP Flood defense: Supported
HTTPS Flood defense: Supported
DNS Request Flood defense: Supported
DNS Reply Flood defense: Supported
SIP Flood defense: Supported
RST Flood/FIN Flood defense: Supported
UDP Flood defense: Supported
IP Fragment Flood defense: Supported
Non-TCP/UDP/ICMP protocol packet flood defense: Supported
CC attack defense: Supported
Connection flood defense: Supported
Traffic statistics and limit: Supported
Global packet capture: Supported
Attack event packet capture: Supported
Abnormal event packet capture: Supported
Static fingerprint: Supported
Global feature filtering: Supported
Attack logs: Supported
Abnormal logs: Supported

1.7 Order Information

Model             Description

E1000E-I/D

SU4Z1ADGD         E1000E anti-DDoS cleaning host, AC, 2G license
                  HS universal security platform software
SU4Z2ADGD         E1000E anti-DDoS cleaning host, DC, 2G license
                  HS universal security platform software
SU4Z1ADGI         E1000E anti-DDoS detecting host, AC
                  HS universal security platform software
SU4Z2ADGI         E1000E anti-DDoS detecting host, DC
                  HS universal security platform software
FWEM0004FE02      4-port 100 M Ethernet electrical interface module (RJ45)
FWBM12GE          2-port 1000 M Ethernet electrical interface module (RJ45 and SFP)
LSU4ADGD01        License used to expand the anti-DDoS cleaning capacity of the E1000E to 4G
                  HS universal security platform software
ATIC3-WINDOWS     Software suite, ATIC management system installation package, DVD

E8000E Anti-DDoS

E8080E-BUNDLE-AC  Eudemon8080E AC:
                  1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards
E8080E-BUNDLE-DC  Eudemon8080E DC:
                  1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards
FWCD10GDDD01      Service processing unit, 10G detecting capacity
                  HS universal security platform software
FWCD10GDDC01      Service processing unit, 10G cleaning capacity
                  HS universal security platform software
FWCD20GDDD01      Service processing unit, 20G detecting capacity
                  HS universal security platform software
FWCD20GDDC01      Service processing unit, 20G cleaning capacity
                  HS universal security platform software
FWCD10GDDU01      Plug-in board used to expand the anti-DDoS detecting capacity from 10G to 20G
FWCD10GDCU01      Plug-in board used to expand the anti-DDoS cleaning capacity from 10G to 20G
FWC2LPUKD1        Flexible card line processing unit (LPUF-21, two sub-slots)
FWC2L1XX01        1-port 10GBase WAN/LAN-XFP flexible sub-card
FWC2EBGF01        12-port 100/1000Base-X-SFP flexible sub-card
FWC2EBGE01        12-port 10/100/1000Base-TX-RJ45 flexible sub-card
FWC2P1XXBZ0       1-port OC-192c/STM-64c POS-XFP flexible sub-card
FWCS00NOFA00      DDoS management center, a collection of functions for non-carrier customers
FWCS00DOFA00      DDoS management center, a collection of functions for carriers
FWCS00LCOP00      Data collector
FWCS00BMOD00      DDoS management center-basic modules
FWCS00STAT00      DDoS management center-statistical report management
FWCS00ALAM00      DDoS management center-alarm management
FWCS00PCAM00      DDoS management center-packet capture analysis management
FWCS00SLHQ00      DDoS management center-self-service query
FWCS05DMCL00      DDoS management center license (to add 5 control devices)
FWCS10DMCL00      DDoS management center license (to add 10 control devices)
FWCS25DMCL00      DDoS management center license (to add 25 control devices)
FWCS50DMCL00      DDoS management center license (to add 50 control devices)