Creating an AntiDDoS

After the communication between the ATIC and the AntiDDoS is established through SNMP, you can add the AntiDDoS.

Prerequisites

  • The IP address segments of the AntiDDoS devices are known.
  • The ATIC can communicate with the AntiDDoS devices. The AntiDDoS devices can be accessed by the administrator over the network and can be pinged from the ATIC.

    If the device cannot be pinged, the "Network is unreachable" message is displayed during device creation.

The ATIC cannot manage the AntiDDoS running V100R001 and the AntiDDoS running V500R001 at the same time.

Procedure

  1. Choose Defense > Network Settings > Devices.
  2. Click .

  3. In the Basic Information group box, set the name and IP address of an AntiDDoS device and set Device Type to AntiDDoS.

    • IP address indicates the management interface IP address for the ATIC to manage the AntiDDoS device. You can no longer change the address after setting it.
    • Log Source IP indicates the interface for the AntiDDoS device to send logs to the ATIC. You can change the log source IP address after setting it.
    • Log Password indicates the encryption key of reported logs. After a device is successfully created, the ATIC delivers the key to the AntiDDoS device.

      The password must meet the minimum complexity requirements and must contain letters, digits (0-9), and special characters (such as ! # $ %). The password must be changed periodically.

      For versions earlier than AntiDDoS V500R001C60, only packet capture logs are encrypted. For AntiDDoS V500R001C60, all logs are encrypted.

      When the service CPU of the AntiDDoS device is overloaded, the AntiDDoS device may fail to send service traffic logs, affecting traffic statistics collection.

  4. Set Telnet parameters.

    • When you select STelnet, the ATIC uses port 22 for accessing AntiDDoS devices through STelnet by default. In this case, enter the name and password of an STelnet user for authentication. Public Key indicates the public key for device authentication.

      The STelnet and SFTP server will authenticate the public key if you provide public key information.

      For data transmission security, you are advised to use the public key.

    • When you select Telnet, the ATIC uses port 23 for accessing AntiDDoS devices through Telnet by default. In this case, enter the name and password of a Telnet user for authentication.

    Telnet is an insecure protocol. To ensure data transmission security, you are advised to select STelnet.

  5. Set RESTful parameters. For detailed parameter description, see Table 1.

    Table 1 RESTful parameters

    Restful Enabled
      Description: You can set RESTful parameters only after you select Enabled.
      Recommended value: -

    Type
      Description: Two types are available: HTTPS and HTTP.
      Recommended value: HTTP is an insecure protocol. To ensure data transmission security, you are advised to select HTTPS.

    Port
      Description: The default HTTPS port number is 8447 and the default HTTP port number is 8448.
      Recommended value: Manual configuration is supported. The value is an integer ranging from 1 to 65535.

    Username
      Description: AntiDDoS user used for accessing the AntiDDoS.
      Recommended value: -

    Password
      Description: AntiDDoS password used for accessing the AntiDDoS.
      Recommended value: The password must meet the minimum complexity requirements and must contain letters, digits (0-9), and special characters (such as ! # $ %). The password must be changed periodically.

    IP Address
      Description: IP address of the service interface on the ATIC server.
      Recommended value: -

    Select certificate
      Description: Certificate used to authenticate the RESTful interface of a third-party device. Select a certificate from the drop-down list box.
      NOTE: Before configuring this item, you need to create a RESTful certificate for the third-party device on the Certificate Management tab page.
        1. Obtain the device certificate.
           You can obtain the AntiDDoS8000 certificate local.cer from the cfcard:/pki/public directory.
           You can obtain the AntiDDoS1800 certificate local.cer from the hda1:/pki/public directory.
        2. On the Certificate Management tab page, create a RESTful certificate. For details, see the procedure for creating a certificate on the ATIC in Certificate Management.
      Recommended value: -

  6. Set SNMP parameters.

    • When you select SNMPv2c, set read and write community names.

      Read community indicates the name of a read-only community. Write community indicates the name of a write-only community.

      The community name cannot be empty and must contain at least six characters that must include letters, digits, and special characters.

    • When you select SNMPv3, see parameter settings as shown in Table 2.
      • Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended.
      • When you select SNMPv3, do not configure several security levels for the same SNMPv3 user group to prevent authentication bypass vulnerability.
      • The Username, Environment name, Environment engine ID, Data encryption protocol, Data encryption password, Authentication protocol, Authentication password parameters are available only when the type is SNMPv3.

      Table 2 SNMPv3 template parameters

      Username
        Description: User name used for accessing the AntiDDoS device.
        Recommended value: -

      Environment name
        Description: Name of the environment engine (the SNMPv3 context name).
        Recommended value: This parameter value is the same as the environment name on the AntiDDoS device or blank.

      Environment engine ID
        Description: Unique identifier of an SNMP engine. This ID is used together with the environment name to determine an environment that uniquely identifies an SNMP entity. An SNMP message is processed only when the environments of the sender and the recipient are the same; otherwise, the message is discarded.
        Recommended value: Same as the environment engine ID on the AntiDDoS device.

      Authentication protocol
        Description: Protocol used for verifying messages. The parameter value can be the HMACMD5 or HMACSHA protocol or no protocol. If the HMACMD5 or HMACSHA protocol is selected, you need to set the authentication password. The password shall meet the minimum complexity requirement: it must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.
        Recommended value: You can select the authentication protocol as required.
          • HMACMD5 hashes a message of arbitrary length with the MD5 algorithm and produces a 128-bit message digest.
          • HMACSHA is more secure than HMACMD5. It produces a 160-bit message digest for messages whose length does not exceed 2^64 bits.
          NOTE: Using HMAC-MD5 or no authentication protocol brings security risks. HMAC-SHA is more secure and therefore recommended.

      Authentication password
        Description: If the authentication protocol is used when verifying messages, you need to set the authentication password.
        Recommended value: The password shall meet the minimum complexity requirement: it must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.

      Data encryption protocol
        Description: Encryption protocol used when encapsulating data. The parameter value can be the DES, AES128 or AES256 encryption protocol or no encryption. If the DES, AES128 or AES256 encryption protocol is selected, you need to set the encryption password. The password shall meet the minimum complexity requirement: it must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.
        Recommended value: You can select the encryption protocol as required.
          • DES: Data Encryption Standard (DES), an international encryption algorithm with a 56-bit key.
          • AES256: Advanced Encryption Standard (AES) with a 256-bit key. AES defines three key lengths; AES128 and AES256 are the two offered here.
          • AES128: Advanced Encryption Standard (AES) with a 128-bit key.
          NOTE: Using DES or no encryption protocol brings security risks. The more secure AES256 data encryption protocol is recommended for the AntiDDoS1880. Ensure that the ATIC management center and AntiDDoS have the same encryption protocol.

      Data encryption password
        Description: If the encryption algorithm is used when encapsulating data, you need to set the data encryption password.
        Recommended value: The password shall meet the minimum complexity requirement: it must contain letters, digits (0 to 9), and special characters (such as ! # $ %). In addition, you shall periodically change the password.

  7. Click OK to add an AntiDDoS device. After it is successfully added, the AntiDDoS device is displayed on the Devices page.
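The following Python is an added example, not code from this document or from the ATIC: it walks through the standard USM password-to-key derivation (RFC 3414) that an SNMPv3 manager applies to the Authentication password and Environment engine ID from step 6, assuming the ATIC implements standard USM and that its HMACMD5/HMACSHA choices correspond to HMAC-MD5-96/HMAC-SHA-96. It uses the RFC's own test vector as input, and shows why a mismatched engine ID yields a different localized key, so authentication can never succeed.

```python
"""RFC 3414 USM key localization: why the SNMPv3 engine ID must match."""
import hashlib
import hmac

EXPANSION_LEN = 1_048_576  # RFC 3414 A.2: hash 1 MiB of the repeated password


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1: derive the user key Ku from the password (algo: 'md5' or 'sha1')."""
    reps = EXPANSION_LEN // len(password) + 1
    expanded = (password * reps)[:EXPANSION_LEN]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku); the key is unique per engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Full derivation from the configured password and engine ID."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def auth_tag(kul: bytes, message: bytes, algo: str) -> bytes:
    """USM msgAuthenticationParameters: HMAC over the message, truncated to
    12 bytes (HMAC-MD5-96 / HMAC-SHA-96, RFC 3414 sections 6 and 7)."""
    return hmac.new(kul, message, algo).digest()[:12]


# RFC 3414 Appendix A.3 test vector: password "maplesyrup",
# engine ID = 00 00 00 00 00 00 00 00 00 00 00 02 (12 octets).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"
OTHER_ENGINE_ID = bytes(11) + b"\x03"  # constructed: a different device

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        kul = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo)
        other = localized_key(RFC_PASSWORD, OTHER_ENGINE_ID, algo)
        print(f"{algo}: Kul={kul.hex()} differs for other engine: {kul != other}")
        # The same password gives a different tag per engine, so a mismatched
        # engine ID on the ATIC makes every authenticated message fail.
        print("  tag:", auth_tag(kul, b"constructed SNMPv3 message", algo).hex())
```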

Result

Each AntiDDoS device is automatically synchronized once it is added. If synchronization fails, rectify the fault as prompted and synchronize AntiDDoS devices manually with the ATIC.

Follow-up Procedure

If only one collector is available, the new AntiDDoS devices are automatically associated with the collector. If multiple collectors are available, associate AntiDDoS devices with the given collector. For details, see Associating the Collector with Devices.


Copyright © Huawei Technologies Co., Ltd.