Configuring a Defense Mode

A defense mode covers the traffic diversion mode, defense mode, dynamic blacklist mode, filter discard threshold, traffic limiting by destination IP address, IP reputation, and so on.

Prerequisites

A Zone has been created. For details, see Configuring the Zone.

Procedure

  1. Choose Defense > Policy Settings > Zone.
  2. Click of the Zone. The following page is displayed.
  3. Configure basic policies. Table 1 lists the basic policy parameters.

    Table 1 Parameters of defense modes
    Parameter Description Value

    Max. bandwidth

    Indicates the total bandwidth of all IP addresses in the Zone.

    • You can enable rate limiting so that incoming traffic exceeding the configured maximum bandwidth is limited.
    • Used as the calculation base of incoming traffic for the alarm policies of user-defined Zones (Inbound traffic = Protected bandwidth x Percentage).

    Filter discard threshold

    After the filter function applies to a Zone, if the traffic matching the filter exceeds the alarm threshold, the AntiDDoS discards excess packets.

    The value ranges from 1 to 80000000.

    Traffic diversion mode

    Indicates the mode in which the traffic diversion task diverts traffic to the cleaning device after the detecting device detects a traffic anomaly for the Zone.

    • Automatic: The detecting device reports the anomaly to the ATIC Management center. The ATIC Management center then automatically generates a traffic diversion task and delivers the task to the cleaning device.

    • Manual confirmation: The detecting device reports the detected traffic anomaly to the ATIC Management center. The ATIC Management center generates a traffic diversion task automatically but does not deliver the task to the cleaning device until the administrator confirms it manually.

    After the Zone state turns to normal, the ATIC Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion.

    NOTE:

    In addition to manual and automatic traffic diversion, you can configure a static traffic diversion task to divert traffic to the cleaning device no matter whether the traffic is normal or not. For details, see Configuring BGP Traffic Diversion (ATIC).

    Defense mode

    Indicates the defense mode of the cleaning device after abnormal traffic is detected.

    • Automatic: After abnormal traffic is detected, the cleaning device generates an anomaly event and automatically enables the defense mechanism.

    • Manual confirmation: After abnormal traffic is detected, the cleaning device generates an anomaly event. The administrator needs to determine whether to enable the defense mechanism. For details, see Viewing the Status of a Zone and Anti-DDoS Alarms.

      Currently, the following types of attacks support Manual confirmation defense: SYN flood, SYN-ACK flood, ACK flood, TCP connection flood, TCP Malformed Flood, TCP frag flood, UDP flood, UDP frag flood, RST flood, DNS reply flood, DNS request flood, domain name hijacking, HTTP flood, HTTPS flood, SIP flood, Other flood, and URI behavior monitoring.

    When Traffic diversion mode is set to Manual confirmation, you can select only Automatic for Defense mode.

    Blackhole mode

    During the defense process, if the inbound traffic exceeds the blackhole threshold, a blackhole task is automatically generated, and a blackhole route is delivered to the cleaning device.

    • Automatic Perform: After the cleaning device detects abnormal traffic, an anomaly event is generated and the defense is initiated automatically.

    • Manual Confirm: After the cleaning device detects abnormal traffic, an anomaly event is generated. The administrator needs to decide whether to initiate the defense.

    Blackhole event reporting (RESTful)

    After detecting a traffic anomaly, the cleaning device reports the anomaly to the RESTful interface and notifies the RESTful server of the anomaly.

    • Enable: After detecting abnormal traffic, the cleaning device generates a blackhole and reports the blackhole IP address using RESTful.

    • Disable: After detecting abnormal traffic, the cleaning device generates a blackhole but does not report the blackhole IP address.

    Dynamic blacklist mode

    During the defense, detected illegitimate source IP addresses are dynamically blacklisted.

    • Automatic: The dynamic blacklist entry automatically takes effect after it is generated.
    • Close: No dynamic blacklist entry is generated during the defense.

    Traffic limiting by destination IP address

    Limits traffic of a single IP address of the Zone below the threshold. Excess packets are directly discarded.

    When network bandwidths are limited, you are advised to enable this function to avoid network congestion.

    Statistics on the traffic are collected starting from Layer-2 packet headers, which excludes the packet length at the physical layer. Therefore, the actual traffic volume is slightly greater than the specified value.

    IP reputation

    The current IP reputation database is a set of zombie hosts' IP addresses, and the AntiDDoS filters out the packets sent by these zombie hosts.

    After the IP reputation function is enabled and the traffic reaches the threshold, the AntiDDoS matches the source IP address of a packet against the IP reputation database. If a match is found, the AntiDDoS discards the packet.

    New session limiting

    Limits the number of new sessions per second to a destination IP address below the specified threshold.

    The threshold ranges from 1 to 400000.

    Second-level Blackhole

    After you enable the second-level blackhole function, the device collects incoming traffic statistics every second. Once the incoming traffic exceeds the blackhole threshold, the device acts according to the blackhole mode in the global configuration.

    • Blackhole threshold: ranges from 1 to 10000000.
    • Blackhole type: Routing blackhole or LPU blackhole.

    Anti-malware

    After the corresponding security policy is enabled, packet filtering is triggered.

    -

    Domain audit

    After domain name audit is enabled and deployed, this function takes effect to prevent access to unauthorized domain names.

    Before configuring this option, configure the domain name whitelist in the global configuration. For details, see Domain Name Audit.

  4. Click OK.
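The following added example (not ATIC or AntiDDoS code; all field and function names are assumptions) models the decisions the table above describes: it validates a Zone policy, including the rule that Manual confirmation diversion requires Automatic defense, and replays constructed per-second inbound samples to show which actions each mode produces. Threshold and bandwidth values are assumed to share one unit.

```python
"""Model of the Zone defense-mode decisions from Table 1 (constructed example)."""
from dataclasses import dataclass


@dataclass
class ZonePolicy:
    max_bandwidth: int            # total bandwidth of all IPs in the Zone
    alarm_percentage: int         # alarm base = max_bandwidth x percentage
    diversion_mode: str           # "Automatic" or "Manual confirmation"
    defense_mode: str             # "Automatic" or "Manual confirmation"
    blackhole_mode: str           # "Automatic Perform" or "Manual Confirm"
    blackhole_threshold: int      # second-level blackhole, 1..10000000


def validate(p: ZonePolicy) -> list:
    """Return the policy errors a configuration check should report."""
    errors = []
    if p.diversion_mode == "Manual confirmation" and p.defense_mode != "Automatic":
        errors.append("Manual confirmation diversion requires Automatic defense mode")
    if not 1 <= p.blackhole_threshold <= 10000000:
        errors.append("Blackhole threshold must be in 1..10000000")
    if not 1 <= p.alarm_percentage <= 100:
        errors.append("Alarm percentage must be in 1..100")
    return errors


def decide(p: ZonePolicy, inbound: int) -> list:
    """Actions for one one-second inbound sample, in the order they occur."""
    alarm_base = p.max_bandwidth * p.alarm_percentage // 100
    if inbound <= alarm_base:
        return ["normal"]
    actions = []
    # Anomaly: the diversion task is generated in both modes; only delivery differs.
    actions.append("divert:delivered" if p.diversion_mode == "Automatic"
                   else "divert:pending-confirmation")
    actions.append("defense:enabled" if p.defense_mode == "Automatic"
                   else "defense:pending-confirmation")
    # Second-level blackhole: checked on every one-second sample.
    if inbound > p.blackhole_threshold:
        actions.append("blackhole:route-delivered" if p.blackhole_mode == "Automatic Perform"
                       else "blackhole:pending-confirmation")
    return actions


def replay(p: ZonePolicy, samples: list) -> dict:
    """Map each second (index) of constructed samples to its actions."""
    return {sec: decide(p, inbound) for sec, inbound in enumerate(samples)}


if __name__ == "__main__":
    policy = ZonePolicy(1000, 50, "Automatic", "Automatic", "Automatic Perform", 800)
    print(validate(policy) or "policy ok")
    print(replay(policy, [400, 600, 900, 300]))   # constructed samples
```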

Follow-up Procedure

Basic policies configured for the Zone take effect only after they are deployed on the associated devices. For details, see Deploying the Defense Policy.


Copyright © Huawei Technologies Co., Ltd.