Configuring a Defense Mode

A defense mode covers the traffic diversion mode, defense mode, dynamic blacklist mode, cleaning bandwidth, filter discard threshold, traffic limiting for a single IP address, IP reputation, and so on.

Prerequisites

A Zone has been created. For details, see Configuring the Zone.

Procedure

  1. Choose Defense > Policy Settings > Zone.
  2. Click of the Zone. The following page is displayed.
  3. Configure basic policies. Table 1 lists the basic policy parameters.

    Table 1 Parameters of defense modes
    (Columns: Parameter, Description, Value)

    Maximum Bandwidth

    Indicates the total bandwidth of all IP addresses in the Zone.

    You can enable the function of limiting the incoming traffic rate if it exceeds the configured maximum bandwidth.

    Traffic Diversion Mode

    Indicates the mode in which the detecting device diverts anomaly traffic of the Zone to the cleaning device.

    • Automatic Perform: The detecting device reports the anomaly to the ATIC Management center. The ATIC Management center then automatically generates a traffic diversion task and delivers it to the cleaning device.

    • Manual Perform: The detecting device reports the detected traffic anomaly to the ATIC Management center. The ATIC Management center generates a traffic diversion task automatically and does not deliver the task to the cleaning device until manual confirmation by the administrator.

    After the Zone state turns to normal, the ATIC Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion.

    NOTE:

    In addition to manual and automatic traffic diversion, you can configure a static traffic diversion task to divert traffic to the cleaning device no matter whether the traffic is normal or not. For details, see Configuring BGP Traffic Diversion (ATIC).

    Defense Mode

    Indicates the defense mode of the cleaning device after abnormal traffic is detected.

    • Automatic Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event and automatically enables the defense mechanism.

    • Manual Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event. The administrator needs to determine whether to enable the defense mechanism. For details, see Viewing the Status of a Zone and Anti-DDoS Alarms.

      Currently, the following types of attacks support Manual Perform defense: SYN flood, SYN-ACK flood, ACK flood, TCP connection flood, TCP abnormal flood, TCP frag flood, UDP flood, UDP frag flood, RST flood, DNS reply flood, DNS request flood, domain name hijacking, HTTP flood, HTTPS flood, SIP flood, Other flood, and URI behavior monitoring.

    When Traffic Diversion Mode is set to Manual Perform, select only Automatic Perform for Defense Mode.

    Dynamic Blacklist Mode

    During the defense, detected illegitimate source IP addresses are dynamically blacklisted.

    • Automatic: The dynamic blacklist entry takes effect automatically after it is generated.
    • Close: No dynamic blacklist entry is generated during the defense.

    Filter Discard Threshold

    After the filter function applies to a Zone, if the traffic matching the filter exceeds the alarm threshold, the AntiDDoS discards excess packets.

    The value ranges from 1 to 80000000.

    Traffic Limiting for Single IP Address

    Limits traffic of a single IP address of the Zone below the threshold. Excess packets are directly discarded.

    When network bandwidths are limited, you are advised to enable this function to avoid network congestion.

    Statistics on the traffic are collected starting from Layer-2 packet headers, which excludes the packet length at the physical layer. Therefore, the actual traffic volume is slightly greater than the specified value.

    Anti-Malware

    If an IPSec policy is applied, packet filtering is triggered.

    Value: -

    IP-Reputation

    The current IP reputation database is a set of zombie hosts' IP addresses, and the AntiDDoS filters out the packets sent by these zombie hosts.

    After the IP reputation function is enabled and the traffic reaches the threshold, the AntiDDoS matches the source IP address of a packet against the IP reputation database. If a match is found, the AntiDDoS discards the packet.

  4. Click OK.
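The following Python model is an added illustration of the parameter semantics in Table 1 and of the constraint between Traffic Diversion Mode and Defense Mode; it is constructed for this page and is not Huawei ATIC or AntiDDoS code, and it makes no claim about the device's internal processing order. All names (ZonePolicy, validate_policy, evaluate, Packet, Verdict) and the sample packets and reputation entries (RFC 5737 documentation addresses) are constructed assumptions; the order in which checks are applied is likewise an assumption chosen for readability.

```python
"""Constructed model of the Zone defense-mode parameters in Table 1.

Added example, not Huawei code. It models only what the page documents:
the mode constraint, the Filter Discard Threshold range, per-IP traffic
limiting, IP reputation matching and the dynamic blacklist modes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Documented value range for Filter Discard Threshold.
FILTER_THRESHOLD_MIN, FILTER_THRESHOLD_MAX = 1, 80_000_000


@dataclass
class ZonePolicy:                         # hypothetical container for the Table 1 fields
    traffic_diversion_mode: str           # "Automatic Perform" | "Manual Perform"
    defense_mode: str                     # "Automatic Perform" | "Manual Perform"
    dynamic_blacklist_mode: str           # "Automatic" | "Close"
    filter_discard_threshold: int         # packets matching the filter, 1..80000000
    single_ip_limit_bytes: int            # bytes allowed per source IP in the sample window
    ip_reputation_enabled: bool = True
    ip_reputation_db: Set[str] = field(default_factory=set)  # constructed zombie-host list


def validate_policy(p: ZonePolicy) -> List[str]:
    """Return the documented configuration rules that the policy violates."""
    errors = []
    if p.traffic_diversion_mode == "Manual Perform" and p.defense_mode != "Automatic Perform":
        errors.append("Defense Mode must be Automatic Perform when Traffic Diversion Mode is Manual Perform")
    if not FILTER_THRESHOLD_MIN <= p.filter_discard_threshold <= FILTER_THRESHOLD_MAX:
        errors.append("Filter Discard Threshold out of range 1..80000000")
    return errors


@dataclass
class Packet:
    src: str
    length: int               # bytes counted from the Layer-2 header, as the page states
    matches_filter: bool = False


@dataclass
class Verdict:
    dropped: List[Packet] = field(default_factory=list)
    forwarded: List[Packet] = field(default_factory=list)
    blacklist: Set[str] = field(default_factory=set)


def evaluate(p: ZonePolicy, packets: List[Packet]) -> Verdict:
    """Apply the documented actions in an assumed order:
    reputation -> dynamic blacklist -> filter threshold -> single-IP limit."""
    v = Verdict()
    bytes_per_src: Dict[str, int] = {}
    filter_hits = 0
    for pkt in packets:
        # IP reputation: a source listed as a zombie host is discarded.
        if p.ip_reputation_enabled and pkt.src in p.ip_reputation_db:
            v.dropped.append(pkt)
            if p.dynamic_blacklist_mode == "Automatic":
                v.blacklist.add(pkt.src)   # illegitimate source is blacklisted
            continue
        # Dynamic blacklist: a source already blacklisted during this defense is discarded.
        if pkt.src in v.blacklist:
            v.dropped.append(pkt)
            continue
        # Filter Discard Threshold: filter matches beyond the threshold are discarded.
        if pkt.matches_filter:
            filter_hits += 1
            if filter_hits > p.filter_discard_threshold:
                v.dropped.append(pkt)
                continue
        # Traffic Limiting for Single IP Address: excess bytes are discarded; the
        # offending source is treated as illegitimate (an assumption of this model).
        used = bytes_per_src.get(pkt.src, 0)
        if used + pkt.length > p.single_ip_limit_bytes:
            v.dropped.append(pkt)
            if p.dynamic_blacklist_mode == "Automatic":
                v.blacklist.add(pkt.src)
            continue
        bytes_per_src[pkt.src] = used + pkt.length
        v.forwarded.append(pkt)
    return v


def demo(blacklist_mode: str = "Automatic") -> Verdict:
    """Run a constructed packet sample through a constructed policy."""
    policy = ZonePolicy("Automatic Perform", "Automatic Perform", blacklist_mode,
                        filter_discard_threshold=2, single_ip_limit_bytes=3000,
                        ip_reputation_db={"203.0.113.9"})
    packets = [
        Packet("203.0.113.9", 1500),            # reputation hit -> dropped (and blacklisted)
        Packet("198.51.100.7", 1500, True),     # filter hit 1 -> forwarded
        Packet("198.51.100.7", 1500, True),     # filter hit 2 -> forwarded, 3000 bytes used
        Packet("198.51.100.7", 100, True),      # filter hit 3 > threshold 2 -> dropped
        Packet("198.51.100.7", 100),            # per-IP limit exceeded -> dropped
        Packet("198.51.100.7", 64),             # blacklisted (or over limit) -> dropped
        Packet("192.0.2.1", 500),               # clean -> forwarded
    ]
    return evaluate(policy, packets)
```

Running `demo()` forwards three packets and drops four, with both offending sources blacklisted; `demo("Close")` drops the same packets but leaves the blacklist empty, which is the documented difference between the two Dynamic Blacklist Mode values.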

Follow-up Procedure

Basic policies configured for the Zone take effect only after deployed on associated devices. For details, see Deploying the Defense Policy.


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.