Huawei Traffic Cleaning Solution
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
Trademark Notice
HUAWEI and the Huawei logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
1.1 Introduction
The modern world is witnessing exponential growth of network attacks. In 2010 alone, the largest distributed denial-of-service (DDoS) bandwidth attacks reached 100 Gbit/s, a 1000% increase compared with 2005. These emerging attacks target specific application-layer protocols such as HTTP, HTTPS, SIP, and DNS, and they render conventional flow-based devices ineffective. Consequently, customers face the following problems:
• How to withstand massive flooding and application-layer attacks while securing the network
• How to maximize investments in DDoS defense while reducing maintenance costs

Based on long-accumulated security technologies and a deep understanding of customer requirements, Huawei has devised a traffic cleaning solution that secures customers' networks while simplifying their management needs. The solution is specifically tailored for:
• Large and medium-sized enterprises
• Internet data centers (IDCs)
• Internet service providers (ISPs), including web portals, game service providers, and DNS service providers
1.2 Solution
The Huawei traffic cleaning solution can be divided into three centers, as shown in the following figure.
[Figure: Traffic Cleaning Solution. The Management Center, Detecting Center, and Cleaning Center sit between the Internet (from which a botnet sends attack traffic) and the intranet.]
• Detecting center
  Acting like the "eyes" of the solution, the detecting center monitors traffic based on configured detection policies and reports abnormalities to the management center.
• Cleaning center
  Acting like the "heart" of the solution, the cleaning center receives instructions from the management center and cleans abnormal traffic based on traffic diversion policies.
• Management center
  Acting like the "brain" of the solution, the management center formulates detecting and cleaning policies, controls the detecting and cleaning devices, and generates attack reports and cleaning logs.
1.3 Hardware
The following figure shows the detecting and cleaning devices involved in the solution.
[Figure: E1000E-I (detecting device) and E1000E-D (cleaning device), 6G; E8080E and E8160E chassis fitted with 10G/20G detecting boards and 10G/20G cleaning boards, up to 160G.]

The E1000E provides a gigabit-level cleaning capacity to secure services for small- and medium-sized enterprises (SMEs). The following table lists the two models of the E1000E.

Model: E1000E-I
  Role: Detecting device
  Capacity: 6G
  Service board: 6G detecting board
  Typical use: Security protection for small- and medium-sized enterprises
Model: E1000E-D
  Role: Cleaning device
  Capacity: 6G
  Service board: 6G cleaning board
  Typical use: Security protection for small- and medium-sized enterprises

The E8000E series (E8080E and E8160E) provides a detecting and cleaning capacity of up to 160G per chassis, using 10G or 20G detecting boards and 10G or 20G cleaning boards, for security protection of IDCs and large- and medium-sized enterprises.
1.4 Features
1.4.1 Industry's Highest Performance to Secure the Network
• High Performance
  With an industry-leading processing capacity of 160 Gbit/s per chassis, the solution can withstand large-scale attacks.
  • Advanced architecture
    Built on a network processor (NP), multi-core CPUs, and a distributed architecture, the detecting and cleaning centers expand capacity linearly, so that processing performance does not become a bottleneck.
  • High capacity
    The solution provides fine-grained protection for 2000 VIP customers and 10,000 IP addresses, and coarse-grained protection for 1 million IP addresses.
• Highest Detection Rate
  With DPI technology and a solid 7-layer defense structure, the solution efficiently detects and blocks a wide range of attacks.
  • Deep Packet Inspection (DPI)
    Unlike conventional NetFlow-based devices, Huawei's detecting devices use DPI technology to analyze every byte inside each packet, and use the 7-layer defense structure to identify attack types, including traffic, application-layer, scanning and snooping, and malformed packet attacks.
An E8000E service board, coupled with a distributed E8000E series chassis, provides a cleaning capacity of 160 Gbit/s. The E8000E has two models, the E8080E and the E8160E (see 1.3 Hardware and 1.6 Product Specifications).

[Figure: 7-layer defense structure. Mixed attack traffic and legitimate traffic enter at the top; each layer removes one class of attack and passes the remainder down, and only legitimate traffic is forwarded:
1. Static filtering: whitelist, blacklist
2. Malformed packet filtering: LAND attack, Fraggle attack, Winnuke, Ping of Death, Tear Drop, invalid TCP flag attack, super large ICMP attack
3. Transport-layer source validity authentication: SYN Flood, ACK Flood, SYN-ACK Flood, TCP Fragment Flood
4. Application-layer source validity authentication: HTTP Flood, HTTPS Flood, DNS Query Flood, DNS Reply Flood, SIP Flood, CC attack
5. Session-based cleaning: connection exhaustion attack, DNS cache poisoning, DNS reflection attack, slow connection attack, retransmission attack, slow start attack
6. Behavior analysis (dynamic analysis): UDP Flood, ICMP Flood, DNS Flood
7. Traffic shaping: avoid congestion to the target
Forwarding: legitimate traffic]
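The layered structure above is easier to reason about when the decisions are spelled out as code. The following is an added illustration written for this page, not Huawei code and not a description of how the E1000E/E8000E implement any layer: it models static filtering, malformed-packet checks, a stateless SYN-cookie source validity check, and a per-target rate baseline as behavior analysis. The packet record, the cookie key, the rate threshold (50 packets per interval) and all sample traffic are constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Pkt:
    """Minimal packet record (assumption: only the fields the layers inspect)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})
    ack: int = 0                     # TCP acknowledgement number
    length: int = 64                 # IP length after reassembly


@dataclass
class Cleaner:
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    secret: bytes = b"example-cookie-key"   # assumption: per-device key for cookies
    udp_limit: int = 50                     # assumption: UDP packets per interval per target
    verified: set = field(default_factory=set)      # sources that answered a cookie
    udp_count: Counter = field(default_factory=Counter)
    stats: Counter = field(default_factory=Counter)

    def cookie(self, p: Pkt) -> int:
        """Stateless SYN cookie bound to the source/destination pair."""
        digest = hashlib.sha256(self.secret + f"{p.src}>{p.dst}".encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def _done(self, action: str) -> str:
        self.stats[action] += 1
        return action

    def handle(self, p: Pkt) -> str:
        # Layer 1: static filtering
        if p.src in self.blacklist:
            return self._done("drop:blacklist")
        if p.src in self.whitelist:
            return self._done("forward")
        # Layer 2: malformed packet filtering
        if p.src == p.dst:                                   # LAND attack
            return self._done("drop:malformed")
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:   # invalid TCP flag combination
            return self._done("drop:malformed")
        if p.proto == "icmp" and p.length > 65535:           # Ping of Death / super large ICMP
            return self._done("drop:malformed")
        # Layer 3: transport-layer source validity authentication
        if p.proto == "tcp" and p.src not in self.verified:
            if "SYN" in p.flags and "ACK" not in p.flags:
                # Reply with a SYN-ACK carrying the cookie instead of forwarding the SYN.
                # A spoofed source never receives the reply, so it never completes the check.
                return self._done("challenge")
            if p.flags == frozenset({"ACK"}) and p.ack == self.cookie(p) + 1:
                # Correct ACK of the cookie: a real TCP stack sits behind this source.
                # (A real device would reset this attempt and let the client reconnect.)
                self.verified.add(p.src)
                return self._done("verified")
            return self._done("drop:unverified")             # ACK / SYN-ACK floods end here
        # Layer 6: behavior analysis, a rate baseline for stateless protocols
        if p.proto == "udp":
            self.udp_count[p.dst] += 1
            if self.udp_count[p.dst] > self.udp_limit:
                return self._done("drop:rate")
        # Layer 7 (traffic shaping) is omitted here; remaining traffic is forwarded.
        return self._done("forward")


def run_demo() -> Counter:
    """Push constructed sample traffic through the cleaner and return its counters."""
    vip = "203.0.113.10"
    c = Cleaner(blacklist={"198.51.100.9"})
    syn = frozenset({"SYN"})
    # Spoofed SYN flood: 200 sources, none of which can answer the cookie.
    for i in range(200):
        c.handle(Pkt(f"10.0.{i // 256}.{i % 256}", vip, "tcp", syn))
    # Legitimate client: SYN, then the ACK a real stack sends for the cookie, then reconnect.
    client = "192.0.2.7"
    first = Pkt(client, vip, "tcp", syn)
    c.handle(first)
    c.handle(Pkt(client, vip, "tcp", frozenset({"ACK"}), ack=c.cookie(first) + 1))
    c.handle(Pkt(client, vip, "tcp", syn))                 # now forwarded
    c.handle(Pkt(vip, vip, "tcp", syn))                    # LAND: src == dst
    c.handle(Pkt("198.51.100.9", vip, "udp"))              # blacklisted source
    # UDP flood to the VIP: only the first udp_limit packets per interval pass.
    for i in range(120):
        c.handle(Pkt(f"172.16.0.{i % 250}", vip, "udp"))
    return c.stats
```

The point the code makes is that each layer only has to answer one question, and the cheap checks run first: spoofed SYNs never cost a connection table entry because the cookie carries the state, while a rate baseline is the right tool for UDP, where no handshake can be demanded of the source.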
  • IPv6 attack defense
    The solution supports IPv4/IPv6 dual stack to defend against IPv4 and IPv6 attacks simultaneously, securing the IPv4-to-IPv6 transition and reducing transition costs.
• Quick Attack Response
  The solution detects and cleans abnormal traffic within seconds to ensure service continuity.
  • Fast detection
    Conventional flow-based detecting devices analyze NetFlow records exported by routers across the network, which takes a long time to detect an attack. Huawei's detecting devices use DPI technology to capture attack characteristics in real time and detect attacks within seconds.
  • Quick response
    Synchronization of sessions and detection results between the detecting and cleaning centers enables the solution to respond to attacks within seconds (less than 10 seconds).
• High Reliability
  • Reliable platform
    – Hardware platform:
      √ 1+1 main processing engines
      √ 3+1 switching boards
      √ Key component (power module and fan) redundancy
      √ Core router-class service stability
    – Versatile Routing Platform (VRP):
      √ Independent modules with little impact on each other
      √ 4 million devices on live networks
  • Reliable system
    The solution achieves 500,000 hours of mean time between failures (MTBF) and 99.9999% availability through:
    – Inter-board load balancing
    – Cross-board interface binding
    – Two-node cluster hot backup
1.4.2 Industry's Easiest Solution to Simplify the Management
• Easy Management and Low OPEX
  • Graphical management
    The solution provides a flexible graphical user interface that simplifies configuration and maintenance and reduces operating expenses (OPEX).
  • Flexible evidence collection methods
    For security audit, the solution collects evidence in either of the following ways:
    – Packet capture based on access control lists (ACLs)
    – Automatic packet capture triggered by the type of attack event
  • Centralized management
    The solution manages distributed peripheral devices in a centralized and simplified mode, which reduces the number of management servers and significantly reduces maintenance costs.
• Easy Expansion and Low Expansion Cost
  • Software license upgrade
    The E1000E supports software license upgrades that expand the cleaning capacity without adding hardware, which greatly reduces costs.
  • Smooth upgrade
    The E1000E supports smooth capacity expansion.
  • Linear expansion
    The E8000E series supports a maximum of eight service boards per chassis (on the E8160E). Users add service boards to expand capacity, which improves investment efficiency and reduces capacity expansion costs.
  • Cost-saving
    Traffic detecting and cleaning devices share the same chassis, which effectively saves on customers' investment.
1.5 Application Scenarios
1.5.1 IDC Security
• Customer Challenges
  A service-rich IDC with large egress bandwidth is vulnerable to flooding attacks and application-layer attacks.
• Solution Benefits
  – Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds).
  – Withstands over 30 types of DDoS attacks, including:
    √ UDP Flood attacks
    √ CC attacks
    √ HTTP Flood attacks
    √ HTTPS Flood attacks
    √ DNS attacks
    √ Slow attacks
[Figure: IDC anti-DDoS network. A DDoS cleaning center sits between the Internet and the hosted servers in service areas 1, 2 and 3; normal traffic and DDoS traffic from a botnet both arrive, and only normal traffic reaches the hosted servers.]

1.5.2 Web Portal or Game Server Security
• Customer Challenges
  Web portals or game servers with large egress bandwidth are vulnerable to flooding attacks and application-layer attacks.
• Solution Benefits
  – Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds).
  – Withstands over 30 types of DDoS attacks, including:
    √ UDP Flood attacks
    √ CC attacks
    √ HTTP Flood attacks
    √ Slow link attacks
    √ TCP retransmission attacks
  The following figure shows the anti-DDoS network of a web portal or game website.
[Figure: web portal / game site anti-DDoS network. Links from Carrier 1 and Carrier 2 pass through a DDoS cleaning center in front of the mail server zone, game server zone and web server zone; normal traffic and botnet DDoS traffic arrive, and only normal traffic is delivered.]

1.5.3 Enterprise Network Egress Security
• Customer Challenges
  Large and medium-sized enterprises build networks or rent links (about 10G) for office automation (OA) and internal communication, and these links are vulnerable to DDoS attacks.
• Solution Benefits
  Withstands over 30 types of DDoS attacks, particularly those aimed at OA networks, including:
  – UDP Flood attacks
  – HTTP Flood attacks
  – TCP Flood attacks
  The following figure shows the anti-DDoS network of an enterprise.
[Figure: enterprise egress anti-DDoS network. Links from Carrier 1 and Carrier 2 pass through a detecting center and a cleaning center, then a firewall, before reaching the office area and the living area.]

1.5.4 Online Service Security
• Customer Challenges
  Online services are vulnerable to DDoS attacks. These attacks severely compromise a service provider's customer base, financial security, and reputation.
• Solution Benefits
  Withstands over 30 types of DDoS attacks, particularly those aimed at online transaction systems, including:
  – HTTP Flood attacks
  – HTTPS Flood attacks
  – CC attacks
  – Slow link attacks
  – DNS attacks (DNS Query and Reply Flood)
  The following figure shows the anti-DDoS network of online services.
[Figure: online service anti-DDoS network. Normal traffic and botnet DDoS traffic arrive from the Internet; the DDoS defense removes the DDoS traffic, and a firewall separates the DMZ from the trust zone.]

1.5.5 DNS Security
• Customer Challenges
  DNS servers, a vital part of the Internet infrastructure, are often subject to DDoS attacks, with serious consequences for their customers, who have a vested interest in securing their DNS services.
• Solution Benefits
  – Withstands over 30 types of DDoS attacks, particularly those aimed at DNS services, including:
    √ DNS attacks (DNS Query and Reply Flood)
    √ DNS cache poisoning
    √ UDP Flood attacks
  – Provides the Top N DNS cache function, which answers the most-queried names on behalf of the DNS server to relieve its load during an attack.
  The following figure shows the anti-DDoS network of a DNS server.
[Figure: DNS server anti-DDoS network. A DDoS cleaning center, controlled by the management center, sits between the Internet (normal traffic plus botnet DDoS traffic) and the DNS server; only normal traffic reaches the DNS server.]
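The Top N DNS cache benefit listed above is worth a concrete model, because it also shows what such a cache does not cover. The following is an added example written for this page, not Huawei code and not a description of the device's cache implementation: the cache learns query popularity and answers in normal operation, then during an attack answers only the N most popular names itself and passes everything else to the server. The learn/serve split, the plain-string answer records and all query traffic are constructed assumptions.

```python
from collections import Counter


class TopNDnsCache:
    """Model of a Top N DNS cache placed in front of a DNS server (example only)."""

    def __init__(self, top_n: int):
        self.top_n = top_n
        self.popularity = Counter()   # query counts observed in normal operation
        self.answers = {}             # qname -> last answer seen from the server
        self.hot = set()              # names answered locally during an attack
        self.served_locally = 0
        self.forwarded = 0

    def learn(self, qname: str, answer: str) -> None:
        """Normal operation: record the query and the server's answer for it."""
        self.popularity[qname] += 1
        self.answers[qname] = answer

    def enter_attack_mode(self) -> set:
        """Freeze the N most-queried names that have a known answer."""
        self.hot = {name for name, _ in self.popularity.most_common(self.top_n)
                    if name in self.answers}
        return set(self.hot)

    def resolve_under_attack(self, qname: str) -> tuple:
        """Answer hot names from cache; everything else still reaches the server."""
        if qname in self.hot:
            self.served_locally += 1
            return ("cache", self.answers[qname])
        self.forwarded += 1
        return ("server", None)


def run_demo() -> dict:
    """Drive the cache with constructed traffic and report where queries went."""
    cache = TopNDnsCache(top_n=3)
    # Constructed baseline: popularity is skewed towards a few names.
    baseline = [("www.example.com", 500), ("mail.example.com", 300),
                ("api.example.com", 200), ("old.example.com", 5)]
    for name, count in baseline:
        for _ in range(count):
            cache.learn(name, f"{name} A 203.0.113.{len(name) % 250}")
    hot = cache.enter_attack_mode()

    # Flood 1: a query flood against the popular names never reaches the server.
    popular = [name for name, _ in baseline[:3]]
    for i in range(1000):
        cache.resolve_under_attack(popular[i % 3])
    forwarded_after_popular_flood = cache.forwarded

    # Flood 2: random-subdomain queries miss the cache, so the server still sees
    # every one of them; the cache alone is no defense against this pattern.
    for i in range(1000):
        cache.resolve_under_attack(f"rnd{i}.example.com")

    return {"hot": hot,
            "served_locally": cache.served_locally,
            "forwarded_after_popular_flood": forwarded_after_popular_flood,
            "forwarded_total": cache.forwarded}
```

The second flood is the caveat a practitioner should keep in mind: a cache of popular answers absorbs a query flood aimed at the names clients actually use, but a flood of random, never-seen subdomains passes straight through, which is why the page lists the cache alongside, not instead of, DNS Query Flood defense.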
1.6 Product Specifications

E1000E-I/D
Model: E1000E-I/D
Number of slots (1 U device):
  √ 4 pairs of GE optical/electrical (mutually exclusive) interfaces
  √ 2 USB 2.0 interfaces
Detecting and cleaning capacity: 4G
Protected destination IP addresses:
  √ Protected targets: 400
  √ IP addresses (fine-grained protection): 2048
Preventable DDoS attacks (applicable to IPv4, IPv6, and IPv4-IPv6 networks):
  Traffic-type attacks
    √ SYN Flood
    √ ACK Flood
    √ SYN-ACK Flood
    √ FIN/RST Flood
    √ IP Fragment Flood
    √ UDP Flood
    √ ICMP Flood
    √ Smurf attack
  Application-layer attacks
    √ Connection Flood
    √ DNS Query Flood
    √ DNS Reply Flood
    √ DNS cache poisoning
    √ HTTP Get/Post Flood
    √ CC attack
    √ SIP Flood
    √ HTTPS Flood
  Scanning and snooping attacks
    √ Port scanning
    √ Address scanning
    √ Tracert packet
    √ IP source routing option attack
    √ IP timestamp option attack
    √ IP routing record option attack
  Malformed packet attacks
    √ IP Spoofing
    √ LAND attack
    √ Fraggle attack
    √ Winnuke
    √ Ping of Death
    √ Tear Drop
    √ IP Option control
    √ IP fragment control packet
    √ Invalid TCP flag attack
    √ Super large ICMP control packet
    √ ICMP redirect packet
    √ ICMP unreachable packet
Reliability: Dual power modules and fans
Interface board type: 2 expansion slots that support 4 x FE RJ45 connectors and 2 x GE Combo connectors
Dimensions (W x D x H): 436 x 560 x 44.2 mm
Weight: 10 kg
Power: 100 W
Mean time between failures (MTBF): 37.54 years
Eudemon8080E / Eudemon8160E
Model: Eudemon8080E | Eudemon8160E
Number of slots: 8 slots, a maximum of 4 detecting/cleaning boards and 4 interface boards | 16 slots, a maximum of 8 detecting/cleaning boards and 8 interface boards
Detecting and cleaning capacity: 80G | 160G
Protected IP addresses (both models):
  Protected targets: 2000
  IP addresses (fine-grained protection): 10,000
  IP addresses (coarse-grained protection): 1 million
Preventable DDoS attacks (applicable to IPv4, IPv6, and IPv4-IPv6 networks; both models):
  Traffic-type attacks
    √ SYN Flood
    √ ACK Flood
    √ SYN-ACK Flood
    √ FIN/RST Flood
    √ IP Fragment Flood
    √ UDP Flood
    √ ICMP Flood
    √ Smurf attack
  Application-layer attacks
    √ Connection Flood
    √ DNS Query Flood
    √ DNS Reply Flood
    √ HTTP Get/Post Flood
    √ CC attack
    √ SIP Flood
    √ HTTPS Flood
  Scanning and snooping attacks
    √ Port scanning
    √ Address scanning
    √ Tracert packet
    √ IP source routing option attack
    √ IP timestamp option attack
    √ IP routing record option attack
  Malformed packet attacks
    √ IP Spoofing
    √ LAND attack
    √ Fraggle attack
    √ Winnuke
    √ Ping of Death
    √ Tear Drop
    √ IP Option control
    √ IP fragment control packet
    √ Invalid TCP flag attack
    √ Super large ICMP control packet
    √ ICMP redirect packet
    √ ICMP unreachable packet
Reliability: Module/component hot swap, two-node cluster hot backup, link aggregation, and 1+1 main processing engines
Interface board types (both models):
  Ethernet interface card: 1 x 10GE, 12 x 1G (optical/electrical)
  POS interface card: 1 x 10G
Maximum interfaces:
  Ethernet: 8 x 12 x 1GE and 8 x 10GE | 16 x 12 x 1GE and 16 x 10GE
  POS: 8 x 10G | 16 x 10G
Traffic cleaning service board
Model: Traffic cleaning service board
Detecting capacity (max.): 20 Gbit/s
Cleaning capacity (max.): 20 Gbit/s
Response delay: ≤ 10 seconds
DDoS Attack Defense:
  Defense against attacks based on protection targets: Supported
  SYN Flood defense: Supported
  SYN-ACK Flood defense: Supported
  ACK Flood defense: Supported
  HTTP Flood defense: Supported
  HTTPS Flood defense: Supported
  DNS Request Flood defense: Supported
  DNS Reply Flood defense: Supported
  SIP Flood defense: Supported
  RST Flood/FIN Flood defense: Supported
  UDP Flood defense: Supported
  IP Fragment Flood defense: Supported
  Non-TCP/UDP/ICMP protocol packet flood defense: Supported
  CC attack defense: Supported
  Connection flood defense: Supported
  Traffic statistics and limit: Supported
  Global packet capture: Supported
  Attack event packet capture: Supported
  Abnormal event packet capture: Supported
  Static fingerprint: Supported
  Global feature filtering: Supported
  Attack logs: Supported
  Abnormal logs: Supported

Chassis
Model: Eudemon8080E | Eudemon8160E
Dimensions (W x D x H): 442 x 669 x 886 mm | 442 x 669 x 1600 mm
Weight: 100 kg | 150 kg
Power: 700 W | 900 W
MTBF: 57 years | 57 years

1.7 Order Information
Model: Description
E1000E-I/D
SU4Z1ADGD: E1000E anti-DDoS cleaning host, AC, 2G license, HS universal security platform software
SU4Z2ADGD: E1000E anti-DDoS cleaning host, DC, 2G license, HS universal security platform software
SU4Z1ADGI: E1000E anti-DDoS detecting host, AC, HS universal security platform software
SU4Z2ADGI: E1000E anti-DDoS detecting host, DC, HS universal security platform software
FWEM0004FE02: 4-port 100 M Ethernet electrical interface module (RJ45)
FWBM12GE: 2-port 1000 M Ethernet electrical interface module (RJ45 and SFP)
LSU4ADGD01: License used to expand the anti-DDoS cleaning capacity of the E1000E to 4G, HS universal security platform software
ATIC3-WINDOWS: Software suite, ATIC management system installation package, DVD
E8000E Anti-DDoS
E8080E-BUNDLE-AC: Eudemon8080E AC: 1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards
E8080E-BUNDLE-DC: Eudemon8080E DC: 1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards
Model: Description
FWCD10GDDD01: Service processing unit, 10G detecting capacity, HS universal security platform software
FWCD10GDDC01: Service processing unit, 10G cleaning capacity, HS universal security platform software
FWCD20GDDD01: Service processing unit, 20G detecting capacity, HS universal security platform software
FWCD20GDDC01: Service processing unit, 20G cleaning capacity, HS universal security platform software
FWCD10GDDU01: Plug-in board used to expand the anti-DDoS detecting capacity from 10G to 20G
FWCD10GDCU01: Plug-in board used to expand the anti-DDoS cleaning capacity from 10G to 20G
FWC2LPUKD1: Flexible card line processing unit (LPUF-21, two sub-slots)
FWC2L1XX01: 1-port 10GBase WAN/LAN-XFP flexible sub-card
FWC2EBGF01: 12-port 100/1000Base-X-SFP flexible sub-card
FWC2EBGE01: 12-port 10/100/1000Base-TX-RJ45 flexible sub-card
FWC2P1XXBZ0: 1-port OC-192c/STM-64c POS-XFP flexible sub-card
FWCS00NOFA00: DDoS management center, a collection of functions for non-carrier customers
FWCS00DOFA00: DDoS management center, a collection of functions for carriers
FWCS00LCOP00: Data collector
FWCS00BMOD00: DDoS management center, basic modules
FWCS00STAT00: DDoS management center, statistical report management
FWCS00ALAM00: DDoS management center, alarm management
FWCS00PCAM00: DDoS management center, packet capture analysis management
FWCS00SLHQ00: DDoS management center, self-service query
FWCS05DMCL00: DDoS management center license (to add 5 controlled devices)
FWCS10DMCL00: DDoS management center license (to add 10 controlled devices)
FWCS25DMCL00: DDoS management center license (to add 25 controlled devices)
FWCS50DMCL00: DDoS management center license (to add 50 controlled devices)