Configuring a Defense Mode

A defense mode covers the traffic diversion mode, defense mode, dynamic blacklist mode, filter discard threshold, traffic limiting by destination IP address, IP reputation, and related settings. Defense modes apply to inbound traffic only; outbound traffic is not supported.

Prerequisites

A Zone has been created. For details, see Configuring the Zone.

Procedure

  1. Choose Defense > Policy Settings > Zone.
  2. Click of the Zone. The following page is displayed.
  3. Configure basic policies. Table 1 lists the basic policy parameters.

    Table 1 Parameters of defense modes (columns: Parameter, Description, Value)

    Maximum bandwidth

    Indicates the total bandwidth of all IP addresses in the Zone.

    • You can enable rate limiting so that incoming traffic exceeding the configured maximum bandwidth is limited.
    • It also serves as the calculation base for the incoming traffic of alarm policies for user-defined Zones (inbound traffic = protected bandwidth x percentage).

    Filter discard threshold

    After the filter function applies to a Zone, if the traffic matching the filter exceeds the alarm threshold, the AntiDDoS or AntiDDoS1820-N discards excess packets.

    The value ranges from 1 to 80000000.

    Traffic diversion mode

    Indicates the mode in which the traffic diversion task diverts traffic to the cleaning device after the detecting device detects traffic anomaly for the Zone.

    • Automatic: The detecting device reports the anomaly to the ATIC Management center. The ATIC Management center then automatically generates a traffic diversion task and delivers it to the cleaning device.

    • Manual confirmation: The detecting device reports the detected traffic anomaly to the ATIC Management center. The ATIC Management center automatically generates a traffic diversion task but does not deliver it to the cleaning device until the administrator confirms it.

    After the Zone state turns to normal, the ATIC Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion.

    NOTE:

    In addition to manual and automatic traffic diversion, you can configure a static traffic diversion task to divert traffic to the cleaning device no matter whether the traffic is normal or not. For details, see Managing Traffic Diversion Tasks (ATIC).

    Defense mode

    Indicates the defense mode of the cleaning device after abnormal traffic is detected.

    • Automatic Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event and automatically enables the defense mechanism.

    • Manual Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event. The administrator needs to determine whether to enable the defense mechanism. For details, see Viewing the Status of a Zone and Anti-DDoS Alarms.

      Currently, the following types of attacks support Manual Perform defense: SYN flood, SYN-ACK flood, ACK flood, TCP connection flood, TCP Malformed flood, TCP frag flood, UDP flood, UDP frag flood, RST flood, DNS reply flood, DNS Query Flood, domain name hijacking, HTTP flood, HTTPS flood, SIP flood, Other flood, and URI behavior monitoring.

    When Traffic diversion mode is set to Manual confirmation, select only Automatic Perform for Defense mode.

    Black hole mode

    During the defense process, if the inbound traffic exceeds the blackhole threshold, a blackhole task is automatically generated, and a blackhole route is delivered to the cleaning device.

    • Automatic: After abnormal traffic is detected, the cleaning device generates a blackhole task and enables the blackhole function.

    • Manual confirmation: After abnormal traffic is detected, the cleaning device generates a blackhole task. The administrator needs to determine whether to enable the blackhole function.

    Black Hole Reporting (RESTful)

    After detecting a traffic anomaly, the cleaning device reports the anomaly to the RESTful server through the RESTful interface.

    • Enabled: After detecting abnormal traffic, the cleaning device generates a blackhole and reports the black hole IP address using RESTful.

    • Close: After detecting abnormal traffic, the cleaning device generates a black hole but does not report the black hole IP address.

    Dynamic blacklist mode

    During the defense, detected illegitimate source IP addresses are dynamically blacklisted.

    • Automatic: A dynamic blacklist entry takes effect automatically as soon as it is generated.
    • Close: No dynamic blacklist entry is generated during the defense.

    Traffic limiting by destination IP address

    Limits the traffic destined for a single IP address in the Zone to the threshold. Excess packets are discarded directly.

    When network bandwidths are limited, you are advised to enable this function to avoid network congestion.

    Traffic statistics are collected starting from the Layer-2 packet header and therefore exclude the physical-layer overhead of each packet. As a result, the actual traffic volume on the link is slightly greater than the configured value.

    IP reputation

    The current IP reputation database is a set of zombie hosts' IP addresses, and the AntiDDoS filters out the packets sent by these zombie hosts.

    After the IP reputation function is enabled and the traffic reaches the threshold, the AntiDDoS matches the source IP address of a packet against the IP reputation database based on the reputation level and service type. If a match is found, the AntiDDoS discards the packet.

    Set Gray-Reputation Service Type based on the actual service. Currently, the following service types are supported: Website, Mobile APP, Application of PC, Application of IoT, and API Services.

    NOTE:

    The AntiDDoS1820-N does not support IP reputation.

    IP reputation takes effect only after global IP reputation is enabled.

    New session limiting

    Limits the number of new sessions per second to a destination IP address to the specified threshold.

    Threshold ranges from 1 to 400000.

    Second-Level Blackhole

    After you enable the second-level blackhole function, the device collects incoming traffic statistics every second. Once the incoming traffic exceeds the blackhole threshold, the device acts according to the blackhole mode in the global configuration.

    • The blackhole threshold ranges from 1 to 10000000.
    • The blackhole type can be Routing Blackhole, LPU blackhole, or Blackhole API.

    Domain audit

    After domain name audit is enabled and deployed, this function takes effect to prevent access to unauthorized domain names.

    Before configuring this option, configure the domain name whitelist in the global configuration. For details, see Domain Name Audit.

  4. Click OK.
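The following added example (not Huawei's code) models how the per-second thresholds in Table 1 interact for one second of inbound traffic: traffic limiting by destination IP address, new session limiting, and the second-level blackhole acting according to the configured black hole mode. The packet samples are constructed, the per-frame physical-layer overhead of 20 bytes (Ethernet preamble, SFD and inter-frame gap) is an assumption used to illustrate why the real link volume exceeds the Layer-2-based figure, and the field names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ethernet preamble + SFD (8 bytes) and inter-frame gap (12 bytes): physical-layer
# overhead that Layer-2-based statistics do not count (assumed value, not from the page).
PHY_OVERHEAD_BYTES = 20


@dataclass
class ZonePolicy:
    dest_ip_limit_bps: int        # Traffic limiting by destination IP address
    new_session_limit: int        # New session limiting, per destination IP per second
    blackhole_threshold_bps: int  # Second-level blackhole threshold
    blackhole_mode: str = "Automatic"  # or "Manual confirmation"


@dataclass
class Packet:
    dst: str
    length: int               # bytes counted from the Layer-2 header
    new_session: bool = False


def evaluate_second(policy, packets):
    """Apply the Zone policy to one second of inbound packets (constructed input).
    Returns (forwarded, dropped, blackhole_action); action is None below the threshold."""
    bits_per_dst = defaultdict(int)
    sessions_per_dst = defaultdict(int)
    forwarded, dropped, total_bits = [], [], 0
    for p in packets:
        bits = p.length * 8
        total_bits += bits  # blackhole statistics cover all inbound traffic for the Zone
        if bits_per_dst[p.dst] + bits > policy.dest_ip_limit_bps:
            dropped.append(p)  # excess traffic to a single IP is discarded
            continue
        if p.new_session and sessions_per_dst[p.dst] >= policy.new_session_limit:
            dropped.append(p)  # new-session rate for this destination IP is reached
            continue
        bits_per_dst[p.dst] += bits
        sessions_per_dst[p.dst] += int(p.new_session)
        forwarded.append(p)
    action = None
    if total_bits > policy.blackhole_threshold_bps:
        action = ("blackhole route delivered" if policy.blackhole_mode == "Automatic"
                  else "blackhole task awaiting administrator confirmation")
    return forwarded, dropped, action


def wire_bits(packets):
    """Physical-layer volume the link actually carries, above the Layer-2-based count."""
    return sum((p.length + PHY_OVERHEAD_BYTES) * 8 for p in packets)
```

Comparing wire_bits() with the Layer-2 total shows the gap the table warns about when sizing the destination-IP limit on a congested link.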

Follow-up Procedure

Basic policies configured for the Zone take effect only after they are deployed on the associated devices. For details, see Deploying the Defense Policy.


Copyright © Huawei Technologies Co., Ltd.