Cloud cleaning ensures the availability of the entire network by connecting to the cloud cleaning service provider for upstream traffic cleaning based on alarm policy settings in case of network faults caused by massive attack traffic.
Before you configure cloud cleaning, ensure that you have contracted the service from the cloud cleaning service provider.
In cloud mitigation scenarios, traffic diversion policies can only be manually canceled; traffic diversion policies dynamically generated can only be canceled automatically, regardless of the automatic or manual mode.
In cloud mitigation scenarios, to prevent route jitter, the system takes a comparatively long time to cancel a traffic diversion policy. If you see on the cloud mitigation portal that traffic diversion for cloud mitigation is not completed one hour after the attack stops (a hold-off period is set for canceling traffic diversion for cloud mitigation by default), contact Huawei technical support.
Configuring Cloud Cleaning Policies
- Choose
Click
and
specify a cloud cleaning service provider in Configure.Operation Parameter Description Cloud Clean Configure Service provider - Cloud Mitigation Alliance
- None
Cleaning mode - Auto: When traffic exceeds the threshold, a cloud cleaning policy is automatically generated and implemented.
- Manual: When traffic exceeds the threshold, a cloud cleaning policy is generated but not automatically implemented. You need to manually implement the cloud cleaning policy.
IP state Top N traffic statistics are collected based on the status of IP addresses.
- Abnormal/Attack: Top N traffic statistics are collected based on abnormal/attack IP addresses.
- All: Top N traffic statistics are collected based on all IP addresses.
Single IP incoming traffic threshold Top N traffic statistics are collected if the incoming traffic to the destination IP address reaches the threshold. Incoming traffic TOPN Set the top N value. IP white list Cloud cleaning is not implemented for whitelisted IP addresses. Single Device Threshold Device The cloud cleaning service is triggered when the incoming traffic reaches the configured threshold. Threshold Parameter Settings Defense action Supported only by Cloud Mitigation Alliance
- Clean
- Block
Cancel delay duration Interval between the time at which canceling the cloud mitigation task is confirmed and the time at which canceling the task is actually started. URL Set the cloud service address provided by the ISP. Auth Account Set the user name that the cloud service provider provides for users.
Auth key Set the cloud service password. The passwords including letters, digits (0 to 9), and special characters (such as !, #, $, and %). You must change the passwords periodically.
- Click OK.
After the configuration is complete, if the incoming traffic exceeds the threshold, the cloud cleaning policy is automatically triggered.
You can also manually implement the cloud cleaning policy by selecting the check box of the cloud cleaning policy in Cloud Clean Policy List and clicking
above the list.
Adding Static Cloud Cleaning Policies
You can click
in Cloud Clean Policy List to manually add static cloud cleaning
policies. Parameter Description Service provider Cloud Mitigation Alliance
IP/Mask Set the destination IP address and subnet mask to which the cloud cleaning policy is applied.
- If Defense action is set to Clean, you can enter an IP address segment with a 24-bit mask.
- If Defense action is set to Block, you must enter a single IP address with a 32-bit mask.
Defense action - Clean
- Block
Manually added cloud cleaning policies cannot be automatically cleared. You need to manually delete them from the Cloud Clean Policy List.
- Click OK.
Set Protected IP Address
You can click
in Set Protected IP Addres.Parameter Description IP/Mask IP address protected by the Cloud Mitigation Alliance. When the Cloud Mitigation Alliance service, the Mask range of 16-24.
Traffic Injection Device You can select more than one traffic injection device.
- Click OK.