Configuring Defense Acceleration

Defense acceleration improves defense performance when the usage of a single CPU on an SPU reaches the alarm threshold.

Context

To protect defense performance when the device is attacked and its CPU usage reaches the alarm threshold, enable defense acceleration.

The accelerated defense policy includes two phases:

  1. Accelerated defense policy

    Triggering condition: Defense acceleration is enabled and the CPU usage continues to reach the alarm threshold.

    Table 1 lists the defense types supported by defense acceleration.

  2. LPU rate limit

    Triggering condition: Defense acceleration and LPU rate limit are both enabled, defense acceleration has already started, and the CPU usage still reaches the alarm threshold.

    For the LPU rate limit configuration, see "Configuring the LPU Rate Limit Function (Supported Only by the AntiDDoS8000)".

NOTE:
In BGP traffic diversion scenarios, if you enable the automatic switching from Zone defense to interface defense, add the IP address of the router interface corresponding to the diverting interface on the AntiDDoS device to the whitelist.

Table 1 Defense types supported by defense acceleration

| Attack Type | Defense Policy Supporting Defense Acceleration | Defense Policy Used After Defense Acceleration |
|---|---|---|
| SYN flood | SYN flood source authentication in a Zone supports the following switching modes: Basic; Advanced; First SYN packet check | SYN flood advanced source authentication mode; First SYN packet check |
| ACK flood | ACK flood session check in a Zone supports the following switching modes: Basic; Strict; First TCP packet check | Strict mode of ACK flood defense; First TCP packet check |
| FIN/RST flood | FIN/RST flood defense in a Zone | FIN/RST flood defense |
| TCP abnormal flood | TCP abnormal flood defense in a Zone | TCP abnormal flood defense |
| TCP fragment flood | TCP fragment flood defense in a Zone | TCP fragment flood defense |
| HTTP flood | HTTP flood source authentication in a Zone supports the following switching modes: Basic; Advanced; 302 redirection; HTTP first-packet check | 302 redirection mode for HTTP flood; HTTP first-packet check |
| HTTPS flood | HTTPS flood defense in a Zone | HTTPS flood defense |
| UDP flood | UDP flood rate limit in a Zone; UDP block | UDP flood rate limit; UDP block |
| UDP fragment flood | UDP fragment flood rate limit in a Zone | UDP fragment flood rate limit |
| DNS request flood | DNS request flood source authentication in a Zone supports the following switching modes: Basic; Authorization server; Passive defense | Passive defense mode for DNS request flood |
| DNS reply flood | DNS reply flood defense in a Zone | DNS reply flood defense |
| SIP flood | SIP flood defense in a Zone | SIP flood defense |
| ICMP flood | ICMP flood rate limit in a Zone | ICMP flood rate limit |
| Other flood | Other flood rate limit in a Zone | Other flood rate limit |

Configuration Procedure

  1. Choose Defense > Policy Settings > Global Policy.
  2. Click in the Operation column.
  3. Set Defense Acceleration to Enable to enable defense acceleration.

    By default, Defense Acceleration is enabled.


Copyright © Huawei Technologies Co., Ltd.