Eudemon8000E Anti-DDoS SPU
HUAWEI TECHNOLOGIES CO., LTD.
Today's network attacks grow exponentially in both variety and intensity. Distributed Denial of Service (DDoS) attacks in 2010 consumed 100G of bandwidth, a 1000% increase over 2005. Diversified attacks built on application-layer protocols such as HTTP, HTTPS, SIP, and DNS have nearly outgrown the reach of flow-based attack detection. To handle these attacks, carriers need immediate and effective answers to two challenges:
• How to ensure a reliable network against mass attacks and application-layer attacks?
• How to minimize maintenance expenditure and improve the return on investment (ROI) of anti-DDoS measures?
Based on years of technical accumulation in the security field and a deep understanding of carriers' services, Huawei Symantec launches its DDoS Service Processing Unit (SPU). The anti-DDoS SPU is built on a multi-core, multi-threaded hardware architecture. Boards are available with 10G and 20G processing capability, and the subcard enables flexible expansion and smooth upgrade. Together with the distributed chassis of the Eudemon8000E series, the anti-DDoS SPU offers 10G to 160G detecting and cleaning performance.
Figure: 10G SPU and 20G SPU boards
SPU Features
Industry's Highest Processing Performance
■ High Performance — 160G Anti-DDoS Capability
• Cutting-edge architecture: The detecting center and cleaning center use an innovative network processor + multi-core + distributed architecture to break through performance bottlenecks and allow linear expansion.
• Powerful processing capability: Huawei anti-DDoS solution offers a processing capability of up to 160G to protect carriers against network attacks.
• Large capacity: Huawei anti-DDoS solution can provide 2000 zones, with refined protection for 10,000 IP addresses and common protection for 1 million IP addresses.
■ High Detection Ratio — DPI for Defeating DDoS
• Deep packet inspection (DPI): To accurately detect and identify DDoS traffic, Huawei anti-DDoS solution introduces a "seven-layer purification" framework that identifies and protects against a comprehensive spectrum of modern security threats, including scanning and sniffing, malformed packet attacks, and attacks at the traffic and application layers.
• Wide-ranging IPv6 defense: Huawei anti-DDoS solution provides all of its IPv4 defenses for IPv6 as well, and supports IPv4 and IPv6 together to enable a secure and low-cost transition from IPv4 to IPv6.
Figure: "seven-layer purification" cleaning pipeline. Attack traffic enters and, guided by dynamic statistical analysis, passes in order through a bypass path, static filtering, malformed packet filtering, special packet control, source validity authentication, session-based cleaning, feature identification filtering, and traffic shaping (congestion prevention); traffic failing a stage is discarded and the remainder leaves as normal traffic. Attack and packet types shown in the figure: whitelist and blacklist (static filtering); LAND, Fraggle, WinNuke, Ping of death, Teardrop, TCP flag, oversized ICMP packets, IP option, ICMP redirection, ICMP unreachable packet, Tracert, IP source routing option, IP timestamp option, IP route record option; TCP fragment flood, SYN flood, SYN-ACK flood, HTTP get flood, HTTP post flood, HTTPS flood, DNS query flood, DNS reply flood, SIP flood, UDP flood, UDP fragment flood, ICMP flood, CC; TCP flood, UDP flood, ICMP flood, connection flood (traffic shaping).
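As an added illustration (example code, not Huawei's implementation of the SPU), the following Python model runs constructed packets through a few stages in the order the figure shows: static whitelist/blacklist filtering, malformed packet checks (LAND, Ping of death), source validity authentication for SYN floods, and per-destination traffic shaping. The packet fields, the address lists, and the retransmission-based source check are assumptions of this example.

```python
from collections import Counter

WHITELIST, BLACKLIST = {"198.51.100.1"}, {"203.0.113.9"}   # constructed sample lists

def static_filter(pkt):
    """Stage 1: whitelisted sources bypass the pipeline, blacklisted ones are dropped."""
    if pkt["src"] in WHITELIST:
        return "pass"
    return "drop:blacklist" if pkt["src"] in BLACKLIST else None

def malformed_filter(pkt):
    """Stage 2: stateless checks for classic malformed packets (LAND, Ping of death)."""
    if pkt["src"] == pkt["dst"]:
        return "drop:LAND"
    if pkt["proto"] == "icmp" and pkt.get("frag_off", 0) * 8 + pkt["len"] > 65535:
        return "drop:ping-of-death"          # reassembled datagram would exceed 65535 bytes
    return None

class SourceAuth:
    """Stage 3: drop each source's first SYN; real stacks retransmit it, spoofed flood sources do not."""
    def __init__(self):
        self.syns = Counter()                # assumed simplification: no timeouts or ageing
    def check(self, pkt):
        if pkt["proto"] != "tcp" or pkt["flags"] != {"SYN"}:
            return None
        self.syns[pkt["src"]] += 1
        return "drop:unverified-source" if self.syns[pkt["src"]] == 1 else None

class Shaper:
    """Last stage: per-destination packet budget for traffic that passed every filter."""
    def __init__(self, limit):
        self.limit, self.count = limit, Counter()
    def check(self, pkt):
        self.count[pkt["dst"]] += 1
        return "drop:shaped" if self.count[pkt["dst"]] > self.limit else None

def clean(packets, limit=1):
    """Run packets through the stages in order; the first stage with a verdict wins."""
    auth, shaper = SourceAuth(), Shaper(limit)
    return [static_filter(p) or malformed_filter(p) or auth.check(p) or shaper.check(p) or "pass"
            for p in packets]

SAMPLE = [   # constructed traffic toward one protected host; limit=1 keeps the sample short
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "udp", "len": 60},
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "len": 40, "flags": {"SYN"}},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "icmp", "len": 1480, "frag_off": 8100},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "len": 40, "flags": {"SYN"}},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "len": 40, "flags": {"SYN"}},
    {"src": "203.0.113.8", "dst": "192.0.2.10", "proto": "udp", "len": 60},
]
```

`clean(SAMPLE)` drops the blacklisted, LAND and Ping of death packets and the first SYN, passes the retransmitted SYN, and shapes the UDP packet once the per-host budget is exhausted.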
■ Rapid Response — Second Latency
• Second-level detection: Flow-based detection suffers from long latency because it must analyze large amounts of logs. By contrast, Huawei anti-DDoS solution employs DPI technology to capture attack features in real time, detecting attack traffic within seconds.
• Second latency: The detecting center and cleaning center synchronize session status together with detection results. The synchronization maintains service continuity while ensuring a rapid response to attacks (within 10 seconds).
■ Robust Reliability: 99.9999%
• Reliable platform: Huawei anti-DDoS solution is equipped with redundant power supplies and fans, as well as 1+1 MPUs and 3+1 SFUs. This component redundancy ensures core-router-level reliability. In addition, the industry-leading VRP used by this solution has 4 million live-network success cases, further improving platform reliability.
• System reliability: Huawei anti-DDoS solution delivers a mean time between failures (MTBF) of 500 thousand hours and a system reliability of 99.9999% by leveraging load-balanced SPUs and links as well as dual-system hot backup networking.
■ Flexible Expansion — Smooth Upgrade and Linear Expansion for Maximized ROI
• Smooth upgrade: The anti-DDoS SPU provides smooth upgrade. The 10G SPU and service subcard are scalable up to the 20G SPU.
• Linear expansion: The Eudemon8000E comes with a maximum of eight SPUs, with performance smoothly upgradeable from 10G to 160G. With linear performance, users can select service modules as needed in the initial phase of a project. For further capacity expansion, they only need to add the required SPUs, effectively maximizing ROI.
• Minimum investment: The anti-DDoS detecting and cleaning
Application Scenarios
Security Defense at the MAN Egress
■ Customer challenges
• Mass attack traffic swarms from the backbone network into the metropolitan area network (MAN), causing link congestion on the MAN. Consequently, carriers have to invest heavily in bandwidth expansion, and user experience may deteriorate.
• Application-layer attack traffic causes target servers to deny service. As a result, users complain and some may cancel their subscriptions, and carriers suffer large economic losses.
■ Solution strengths
• Resides at the MAN egress, with 160G cleaning performance to prevent link congestion.
• Defends against more than 30 types of attacks, including Denial of Service (DoS) attacks.
• Enables secure transition from IPv4 to IPv6 with powerful IPv6 defense.
Secure Operation at the MAN Egress
■ Customer challenges
• Mass attack traffic swarms from the backbone network into the MAN, causing link congestion on the MAN. Consequently, carriers have to invest heavily in bandwidth expansion, and user experience may deteriorate.
• Application-layer attack traffic causes target servers to deny service. As a result, users complain and some may cancel their subscriptions, and carriers suffer large economic losses.
• How to provide zones with differentiated defense services and ensure carriers' secure operation?
■ Solution strengths
• Resides at the MAN egress, with 160G cleaning performance to prevent link congestion.
• Defends against more than 30 types of attacks, including DoS attacks.
• Enables secure transition from IPv4 to IPv6 with powerful IPv6 defense.
• Supports defense policies for up to 2000 virtual groups and offers defense, management, and reporting services.
Figure: detection and cleaning flow at the MAN egress. Labels shown: backbone network, CSR, 10G, E8000E, monitoring center, cleaning center, ATIC management center, MAN, protected zones, congestion, BGP. Steps:
1. Attack traffic flows from the backbone network to targets, causing target breakdown and MAN congestion.
2. Split and monitor traffic.
3. Identify attack targets and report the detection result.
4. Notify the cleaning center of attack targets.
5. Use BGP to advertise a route to the host, diverting attack traffic to the cleaning center.
6. Inject cleaned traffic back into the original link using policy-based routing and MPLS VPN.
7. Send traffic and attack logs.
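To show what steps 5 and 6 rely on, here is an added Python model (example code, not Huawei's implementation) of a longest-prefix-match forwarding table: the cleaning center advertises a /32 host route for the attacked host so that only that host's traffic is diverted, and re-injection uses a policy route consulted before the normal table because, with the /32 still present, cleaned traffic following normal routing would be pulled back to the cleaning center. That loop-avoidance rationale and the route withdrawal after the attack are this example's own explanation, not stated on the page; the router, prefixes and next-hop names are constructed.

```python
import ipaddress

class Router:
    """Longest-prefix-match forwarding table (constructed model of the MAN egress router)."""
    def __init__(self):
        self.routes = {}                       # prefix -> next hop

    def advertise(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if ip in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

def divert(router, target):
    """Step 5: the cleaning center announces a /32 host route for the attacked host over BGP;
    longest-prefix match then pulls only that host's traffic through the cleaning center."""
    router.advertise(f"{target}/32", "cleaning-center")

def reinject(router, dst, policy_routes):
    """Step 6: cleaned traffic follows a policy route (PBR / MPLS VPN) consulted before the
    normal table; without it the /32 would send the traffic back to the cleaner (a loop)."""
    return policy_routes.get(dst) or router.lookup(dst)

def simulate(target="192.0.2.10", neighbour="192.0.2.20"):
    """Walk the flow for constructed addresses and return the next hop seen at each step."""
    r = Router()
    r.advertise("192.0.2.0/24", "man-pe")      # normal path from the egress into the MAN
    before = (r.lookup(target), r.lookup(neighbour))
    divert(r, target)
    after = (r.lookup(target), r.lookup(neighbour))   # only the target is diverted
    loop = reinject(r, target, {})             # normal routing after cleaning: re-diverted
    fixed = reinject(r, target, {target: "man-pe"})   # policy route delivers it to the MAN
    r.withdraw(f"{target}/32")                 # attack over: withdraw the host route
    restored = r.lookup(target)
    return before, after, loop, fixed, restored
```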
IDC Security Defense
■ Customer challenges
• The IDC has heavy egress traffic and processes various services. It is vulnerable to mass attacks and application-layer attacks.
■ Solution strengths
• Delivers a 160G processing capability and rapid response within seconds.
• Defends against more than 30 types of attacks, including those specifically aimed at IDCs such as UDP flood, CC attacks, HTTP flood, HTTPS flood, DNS attacks, and low-rate attacks.
Figure: IDC anti-DDoS cleaning center deployment. Labels shown: Internet / upper-layer network, normal network, botnet, normal traffic, DDoS attack traffic; traffic cleaning center with detecting device (mirroring), cleaning device, and ATIC management center (report, logging, management, administrator); pre-cleaning and after-cleaning reports; servers in service zones 1 to 3 (Zone A, Zone B, Zone C) with entrusted servers.
SPU Specifications
Model: Anti-DDoS SPU
Maximum detecting performance: 20G
Maximum cleaning performance: 20G
Response delay: <= 10s
Anti-DDoS functions (Y = supported):
Zone-based attack defense: Y
SYN flood attack defense: Y
SYN-ACK flood attack defense: Y
ACK flood attack defense: Y
HTTP flood attack defense: Y
HTTPS flood attack defense: Y
DNS request flood attack defense: Y
DNS reply flood attack defense: Y
SIP flood attack defense: Y
RST/FIN flood attack defense: Y
UDP flood attack defense: Y
IP fragment flood attack defense: Y
Non-TCP/UDP/ICMP flood attack defense: Y
CC attack defense: Y
Connection flood attack defense: Y
Traffic statistics and rate limiting: Y
Global packet capture: Y
Attack event-based packet capture: Y
Abnormal event-based packet capture: Y
Static fingerprint: Y
Global feature filtering: Y
Attack log: Y
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0
www.huawei.com