Executing a Blackhole Policy on the Non-DamDDoS System

Context

The blackhole policies executed on the non-DamDDoS system can be divided into the dynamic blackhole policy and static blackhole policy based on the task generation mode.

When a third-party non-DamDDoS system executes the blackhole policy, you are advised to also configure an LPU blackhole locally. After the configuration, the ATIC sends a RESTful API notification to the third-party system, which executes the blackhole policy on the upstream network, while the LPU blackhole enabled locally forms the second level of a two-level blackhole defense deployment. If the upstream blackhole policy does not take effect, the device can then quickly block the attack traffic that leaks through.

Procedure

  1. Configure a RESTful server.
    1. Choose System > Notification Server > RESTful Server.
    2. In the RESTful Server area, click .
    3. Set Receiving Black Hole Message URL Configure. Table 1 lists related parameters.
      Table 1 Parameters for configuring the URL for receiving blackhole messages

      Parameter                                | Description
      -----------------------------------------|-----------------------------------------------------------
      Message Type                             | Black hole
      Receiving Black Hole Trigger Message URL | URL used to receive blackhole triggering messages reported by the ATIC.
      Receiving Black Hole Cancel Message URL  | URL used to receive blackhole removal messages reported by the ATIC. This parameter is optional; it is mandatory if the ATIC is to decapsulate (unblock) the blackhole policy. See the note below.
      Black Hole Certificate                   | Certificate used to authenticate received blackhole messages. Select a certificate from the drop-down list box. Before configuring this item, create a blackhole certificate on the Certificate Management tab page. For details, see Certificate Management.

      NOTE (Receiving Black Hole Cancel Message URL):

      When two-level blackhole policies are used, ensure that the blocking durations of both policies are consistent. Otherwise, services remain affected after one blackhole policy is decapsulated, because the other policy still blocks the traffic. To keep the blocking durations of the two levels consistent so that services are not affected after policy decapsulation, use either of the following methods:

      1. The ATIC decapsulates both blackhole policies in a unified manner.
      2. The blocking duration of the blackhole policy on the upstream network is set to be consistent with Scheduled unblocking time on the ATIC.

    4. Set Login Configuration. (This parameter is optional. This parameter is mandatory only when login authentication is required.) Table 2 lists related parameters.
      Table 2 Description of login configuration parameters

      Parameter                | Description
      -------------------------|-----------------------------------------------------------
      loginURL                 | URL for login authentication.
      user                     | Authentication user name for receiving the blackhole information reported by the ATIC device.
      password                 | Authentication password for receiving the blackhole information reported by the ATIC device. The password must meet the minimum complexity requirements, contain letters, digits (0-9), and special characters (such as !, #, $, and %), and be changed periodically.
      domain                   | Authentication parameter specific to HUAWEI CLOUD. Leave this parameter empty if it is not involved.
      project                  | Authentication parameter specific to HUAWEI CLOUD. Leave this parameter empty if it is not involved.
      HUAWEI CLOUD certificate | Select huaweicloud_iam.

    5. Click OK.
  2. Configure the notification mode of second-level blackhole event.
    1. Choose Defense > Policy Settings > Global Policy.
    2. Click .
    3. In the Attack Defense Configuration dialog box, select Sending Alert To ATIC for Notification Mode Of Second-Level Blackhole Event.
    4. Click OK.
    5. Click .
  3. Enable the RESTful API.
    1. Choose Defense > Policy Settings > Zone.
    2. Click of the Zone.
    3. In the Defense Policy dialog box, configure a blackhole policy. Table 3 lists related parameters.
      Table 3 Blackhole parameter configuration

      Parameter                     | Description
      ------------------------------|-----------------
      Black Hole Reporting(RESTful) | Select Enabled.

    4. Click OK.
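The two-level blocking rule from the note in Table 1, modelled as an added Python example that is not part of the ATIC product or this document: a hypothetical receiver-side state machine for the third-party system, assuming messages carry only a victim_ip, that both levels start blocking at the trigger time, and that durations are whole seconds.

```python
"""Model of the two-level blackhole (upstream network + local LPU) described above.

Assumptions, not the ATIC's real API: a message is a dict holding only
'victim_ip'; times and blocking durations are whole seconds.
"""
from dataclasses import dataclass, field


@dataclass
class TwoLevelBlackhole:
    """Hypothetical receiver-side state of the third-party (upstream) system."""
    upstream_block_seconds: int   # blocking duration applied by the upstream network
    atic_unblock_seconds: int     # 'Scheduled unblocking time' of the local LPU blackhole
    cancel_url_configured: bool   # is Receiving Black Hole Cancel Message URL set?
    upstream: dict = field(default_factory=dict)  # victim_ip -> upstream expiry time
    local: dict = field(default_factory=dict)     # victim_ip -> local LPU expiry time

    def on_trigger(self, msg, now):
        """Message on the trigger URL: both levels start blocking the victim."""
        ip = msg["victim_ip"]
        self.upstream[ip] = now + self.upstream_block_seconds
        self.local[ip] = now + self.atic_unblock_seconds
        return ip

    def on_cancel(self, msg, now):
        """Message on the cancel URL (method 1): the ATIC lifts both levels together."""
        ip = msg["victim_ip"]
        return (self.upstream.pop(ip, None), self.local.pop(ip, None)) != (None, None)

    def tick(self, now):
        """Apply scheduled expiry; return victims still blocked by exactly one level."""
        for table in (self.upstream, self.local):
            for ip in [ip for ip, until in table.items() if until <= now]:
                del table[ip]
        return sorted(set(self.upstream) ^ set(self.local))

    def is_consistent(self):
        """True if either method from the Table 1 note is satisfied."""
        return self.cancel_url_configured or (
            self.upstream_block_seconds == self.atic_unblock_seconds)

    def service_affected_after_first_unblock(self):
        """Seconds the victim stays unreachable after one level lifts without method 1."""
        return abs(self.upstream_block_seconds - self.atic_unblock_seconds)
```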

Copyright © Huawei Technologies Co., Ltd.