Configuring a Zone Defense Policy (AntiDDoS1820-N/Netflow Detection)

After the basic policy is configured, a basic defense policy is automatically generated on each associated device of the Zone to detect inbound traffic.

Context

The AntiDDoS1820-N outbound defense policy is used to detect the following types of attack traffic. When the rate or bandwidth of the attack traffic exceeds the preset threshold, the AntiDDoS1820-N reports an anomaly event to the ATIC.

  • TCP SYN Flood attack

    Attackers send SYN packets with forged source addresses to hosts. The hosts reply with SYN-ACK packets to the source addresses, but will not receive any ACK packets. As a result, the hosts keep many half-open connections until the connections time out. These half-open connections can exhaust host resources so that the hosts cannot establish normal TCP connections.

  • TCP Fragment Flood attack

    TCP fragments seldom occur in normal network traffic. If the number of TCP fragments increases on the network, DDoS attacks may occur. Attackers send large numbers of TCP fragments to the targets, which brings the following adverse impacts:

    • The large numbers of TCP fragments consume bandwidth resources. As a result, the targets respond slowly or even fail to respond.
    • After receiving large numbers of TCP fragments, network devices or servers reassemble the fragments. As a result, the performance of network devices or servers deteriorates, and even they fail to work properly.
  • UDP Flood attack

    Attackers use botnets to send a large number of oversized UDP packets at a high rate to target servers, which brings the following adverse impacts:

    • The UDP flood attacks exhaust network bandwidth resources or even congest links.
    • The large numbers of UDP attack packets with changing source IP addresses or ports compromise the performance of session-based forwarding devices or even crash the network to cause denial of service.
    • If the UDP service port of the target server receives attack packets, the server consumes computing resources to verify the attack packets, affecting the processing of legitimate services.
  • UDP Fragment Flood attack

    Attackers send large numbers of UDP fragments to the targets, which brings the following adverse impacts:

    • The UDP fragment flood attacks exhaust network bandwidth resources or even congest links.
    • The performance of network devices capable of packet reassembly severely deteriorates.
    • The large numbers of UDP fragments with changing source IP addresses or ports compromise the performance of session-based forwarding devices or even crash the network to cause denial of service.
    • If the UDP service port of the target server receives attack packets, the server consumes computing resources to verify the attack packets, causing the server to respond slowly or fail to respond to legitimate services.
  • ICMP Flood attack

    Attackers send large numbers of ICMP packets to the target in a short period of time, exhausting session resources on network devices. If the attackers send oversized packets over a network link, the link may become congested.

Procedure

  1. Choose Defense > Policy Settings > Zone.
  2. Click of the Zone.
  3. On the Outbound Defense Policy tab, click in the Operation column corresponding to the default defense policies starting with basic.
  4. Configure an outbound traffic detection policy for each protocol type.

    Table 1 Outbound traffic detection policy

    Columns: Parameter / Description / Recommended Value

    Tcp Syn Flood Detect
      PacketRate Threshold, Bandwidth Threshold
        Description: When the rate or bandwidth of SYN packets exceeds the preset threshold, an anomaly event is reported to the ATIC.
        Recommended Value: You are advised to set these thresholds based on baseline learning. For details, see Configuring a Baseline Learning Task.

    Tcp Fragment Flood Detect
      PacketRate Threshold, Bandwidth Threshold
        Description: When the rate or bandwidth of TCP fragments exceeds the preset threshold, an anomaly event is reported to the ATIC.
        Recommended Value: You are advised to set these thresholds based on baseline learning. For details, see Configuring a Baseline Learning Task.

    UDP Flood Detect
      PacketRate Threshold, Bandwidth Threshold
        Description: When the rate or bandwidth of UDP packets exceeds the preset threshold, an anomaly event is reported to the ATIC.
        Recommended Value: You are advised to set these thresholds based on baseline learning. For details, see Configuring a Baseline Learning Task.

    UDP Fragment Flood Detect
      PacketRate Threshold, Bandwidth Threshold
        Description: When the rate or bandwidth of UDP fragments exceeds the preset threshold, an anomaly event is reported to the ATIC.
        Recommended Value: You are advised to set these thresholds based on baseline learning. For details, see Configuring a Baseline Learning Task.

    ICMP Flood Detect
      PacketRate Threshold, Bandwidth Threshold
        Description: When the rate or bandwidth of ICMP packets exceeds the preset threshold, an anomaly event is reported to the ATIC.
        Recommended Value: You are advised to set these thresholds based on baseline learning. For details, see Configuring a Baseline Learning Task.
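    The following is an added illustration, not Huawei's code or the AntiDDoS1820-N's actual detection engine: it classifies constructed Netflow-style flow records into the five detect types of Table 1, sums packets and bytes per type over a window, and reports an anomaly whenever the packet rate (pps) or bandwidth (bps) exceeds its threshold. The record fields, the threshold values and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict

# Added example, not Huawei code. Threshold values are assumed for illustration;
# the page recommends deriving them from baseline learning.
THRESHOLDS = {
    "tcp_syn_flood":      {"pps": 5000,  "bps": 4_000_000},
    "tcp_fragment_flood": {"pps": 1000,  "bps": 8_000_000},
    "udp_flood":          {"pps": 20000, "bps": 100_000_000},
    "udp_fragment_flood": {"pps": 2000,  "bps": 16_000_000},
    "icmp_flood":         {"pps": 1000,  "bps": 1_000_000},
}
SYN, ACK = 0x02, 0x10  # TCP flag bits as carried in Netflow records

def classify(rec):
    """Map one flow record to a detect type from Table 1, or None."""
    if rec["proto"] == 6:  # TCP: fragments first, then SYN without ACK
        if rec["fragment"]:
            return "tcp_fragment_flood"
        return "tcp_syn_flood" if rec["tcp_flags"] & SYN and not rec["tcp_flags"] & ACK else None
    if rec["proto"] == 17:  # UDP
        return "udp_fragment_flood" if rec["fragment"] else "udp_flood"
    return "icmp_flood" if rec["proto"] == 1 else None

def detect(records, window_seconds, thresholds=THRESHOLDS):
    """Sum packets/bytes per detect type over the window; return the anomaly
    events (type, metric, observed rate) whose rate exceeds its threshold."""
    packets, octets = defaultdict(int), defaultdict(int)
    for rec in records:
        kind = classify(rec)
        if kind:
            packets[kind] += rec["packets"]
            octets[kind] += rec["bytes"]
    events = []
    for kind, limits in thresholds.items():
        pps = packets[kind] / window_seconds
        bps = octets[kind] * 8 / window_seconds   # bandwidth in bits per second
        if pps > limits["pps"]:
            events.append((kind, "pps", pps))
        if bps > limits["bps"]:
            events.append((kind, "bps", bps))
    return events

# Constructed 10-second sample: one host emitting SYN-only packets at 6000 pps,
# plus ordinary SYN-ACK, UDP and ICMP traffic that stays under threshold.
SAMPLE = [
    {"proto": 6, "tcp_flags": SYN, "fragment": False, "packets": 60000, "bytes": 3_600_000},
    {"proto": 6, "tcp_flags": SYN | ACK, "fragment": False, "packets": 800, "bytes": 48_000},
    {"proto": 17, "tcp_flags": 0, "fragment": False, "packets": 5000, "bytes": 2_500_000},
    {"proto": 1, "tcp_flags": 0, "fragment": False, "packets": 200, "bytes": 16_000},
]
```

    Running detect(SAMPLE, 10) reports only the SYN packet-rate anomaly; the same traffic spread over a 100-second window stays below every threshold, which is why the window length matters as much as the threshold values themselves.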


Copyright © Huawei Technologies Co., Ltd.