Traffic diversion tasks can be divided into static traffic diversion tasks, manual traffic diversion tasks, and automatic traffic diversion tasks. The static traffic diversion task needs to be created by the administrator, and the manual and automatic traffic diversion tasks are dynamically generated by the system.
Traffic Diversion Tasks Overview
The categories of traffic diversion tasks are as follows:
Static traffic diversion task
No matter whether the detecting device detects any anomalies or not, the ATIC Management center generates a static traffic diversion task for the IP address/IP address segment of the Zone and delivers the task to the cleaning device.
The static traffic diversion task needs to be created by the administrator. For details, see Creating a Static Traffic Diversion Task (Inbound).
Manual traffic diversion task
When the detecting device detects an anomaly, the ATIC Management center generates a manual traffic diversion task. The task is not delivered to the cleaning device until it is manually enabled by the administrator. After the anomaly or attack ends, the system cancels traffic diversion automatically.
Manual traffic diversion task is dynamically generated by the system, and is one kind of the dynamic traffic diversion task. If Traffic Diversion Mode is set to Manual during the defense policy configuration, the system dynamically generates manual traffic diversion tasks. For details on how to configure the traffic diversion mode, see Configuring a Defense Mode.
Automatic traffic diversion task
When the detecting device detects an anomaly, the ATIC Management center generates an automatic traffic diversion task and directly delivers the task to the cleaning device. After the anomaly or attack ends, the system cancels traffic diversion automatically. No administrator intervention is required.
Automatic traffic diversion task is dynamically generated by the system, and is the other kind of the dynamic traffic diversion task. If Traffic Diversion Mode is set to Automatic during the defense policy configuration, the system dynamically generates automatic traffic diversion tasks. For details on how to configure the traffic diversion mode, see Configuring a Defense Mode.
After the traffic diversion task is delivered to the cleaning device, the firewall ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip ip-address [ mask | mask-length ] command is generated on the cleaning device. This command works with other commands to realize BGP traffic diversion.
After the anomaly or attack ends, the diversion persists for a while before it is automatically canceled to ensure that the anomaly or attack traffic is thoroughly cleaned. For how to set the persistence time for traffic diversion, see Service Data Maintenance.
NOTE: The ATIC can concurrently process a maximum of 10,000 new traffic diversion tasks. Excess traffic diversion tasks are directly discarded. The ATIC processes one traffic diversion task each second.
Do not configure a low defense threshold. Otherwise, a great number of anomalies will be reported to the ATIC, and the number of traffic diversion tasks will increase. Once such a condition occurs, you are advised to increase the defense threshold and apply the threshold to the Zone. After the Zone status restores normal, restart the ATIC service and manually delete the traffic diversion tasks that are created because of incorrect configuration.
The static traffic diversion task is prior to the dynamic traffic diversion. If a static traffic diversion task has been created for a destination IP address, the ATIC does not automatically create, enable, disable, or delete any dynamic traffic diversion task for the address.
In the configuration of automatic traffic diversion tasks, if the device already has manual traffic diversion tasks generated, delete these tasks first.
Management Operation
Choose , manage traffic diversion tasks.
| Create | Click  to create a static traffic diversion task in the ATIC Management center. For details, see Creating a Static Traffic Diversion Task (Inbound). |
| Delete | Select the check box of the traffic diversion task to be deleted and click |
| Enable | The traffic diversion task in the enabled state is delivered to the cleaning device. Only the traffic diversion task delivered to the cleaning device takes effect. Perform the following operations: Select the check box of the traffic
diversion task to be enabled and click |
| Disable | The traffic diversion task in the disabled state does not take effect. Perform the following operations: Select the check box of the traffic diversion task to be disabled and click |
| Search |
|
NOTE: You can Choose and click the corresponding diversion status of the Zone in the Diversion Status column to manage the diversion tasks of the Zone on the Traffic Diversion Task List tab page
Creating a Static Traffic Diversion Task (Inbound)
- Choose .
- On the Inbound Traffic Diversion Task page, click .
- In Cleaning device, select an device to perform traffic cleaning.
- Click
corresponding to Zone. On the Select Zone page, select the option button of the account of a Zone and click OK. - Configure the IP address for traffic diversion. After a static traffic diversion task is delivered, all traffic destined for the IP address is diverted to the cleaning device for cleaning.
If the IP address for traffic diversion is in a user-defined Zone but you do not know the actual IP address or IP address segment, select Select IP address in Input mode. Then select the IPv4 address or IPv6 address for traffic diversion.
If you need to specify certain IP addresses or IP address segments for traffic diversion in a protected IP address segment, you can split the IP address segment and select the subnet after splitting.
- Click
of the IP address to be split. Enter the mask splitting length on the Splitting Setting page and click Split.
The mask splitting length of an IP address segment ranges from 1+number of mask bits to 8+number of mask bits. For example, the mask of a protected IP address segment is 255.255.0.0. That is, the number of mask bits is 16. In this case, the mask splitting length ranges from 17 to 24.
Selects subnet IP addresses after splitting.
Click OK.
On the Create Intbound Traffic Diversion Task page, select subnet IP addresses after splitting.
- Click
If the IP address for traffic diversion is in a default Zone or you know the actual IP address or IP address segment in a user-defined Zone, select Enter IP address in Input mode. Then enter the actual IP address and subnet mask.
If you need to specify certain IP addresses or IP address segments for traffic diversion in a protected IP address segment, you can split the IP address segment and select the subnet after splitting.
- Select Split IP address segment.
Enter the mask splitting length in Mask Splitting Length and click Split.
The mask splitting length of an IP address segment ranges from 1+number of mask bits to 8+number of mask bits. For example, the mask of a protected IP address segment is 255.255.0.0. That is, the number of mask bits is 16. In this case, the mask splitting length ranges from 17 to 24.
Selects subnet IP addresses after splitting.
- Optional: Select Enable automatically. The static traffic diversion task is automatically enabled after it is created.
- On the Create Intbound Traffic Diversion Task page, click OK.
After a traffic diversion task is successfully created, the task is displayed on the Inbound Traffic Diversion Task page.
Creating a Static Traffic Diversion Task (Outbound)
- Choose .
- On the Outbound Traffic Diversion Task page, click .
- In Drainage device, select an device.
- Select ALL, TCP, UDP or ICMP in Protocol.
- Set the Source IP. After a static traffic diversion task is delivered, all traffic from this source IP address is diverted.
- Optional: Set the Source Port, Destination IP or Destination Port.
- Set action to Block, Traffic Limiting, or Redirect.
- On the Create Outbound Traffic Diversion Task page, click OK.
After a traffic diversion task is successfully created, the task is displayed on the Outbound Traffic Diversion Task page.