Example for Configuring Collaborative Defense Between the Local Cleaning Center and HUAWEI CLOUD Advanced Anti-DDoS (Through the NAT Server)

When there is heavy traffic on the network and DDoS attacks are beyond the local cleaning capability, you can configure collaborative defense between the local cleaning center and HUAWEI CLOUD Advanced Anti-DDoS to schedule heavy attack traffic to the HUAWEI CLOUD Advanced Anti-DDoS cleaning center for service protection.

HUAWEI CLOUD Advanced Anti-DDoS Specifications

Line
    China Telecom, China Unicom, or China Mobile.
    NOTE: China Mobile and China Unicom do not support users outside China. Currently, only China Telecom supports users outside China.

Latency
    Intelligent DNS scheduling is performed based on areas and equipment rooms. After the scheduling, the service access latency increases by less than 50 ms.

A single anti-DDoS device
    • Each anti-DDoS device can monitor a maximum of five IP addresses protected by advanced anti-DDoS defense.
    • Each HUAWEI CLOUD account can have one concurrent IP address used for advanced anti-DDoS scheduling and cleaning services.
      NOTE: The first attacked IP address is scheduled first. If IP traffic reaches the scheduling threshold, extra IP traffic cannot be scheduled.
    • A maximum of 50 scheduling operations are allowed in a year. The domain names of the protected servers must be filed in the ICP of the Ministry of Industry and Information Technology.
    • An IP address can provide a maximum of 20 service ports.

Service types supported by advanced anti-DDoS
    1. Canonical name (CNAME) scheduling for mail servers and portal websites accessed through NAT Server.
    2. Portal websites, email servers, and enterprise applications that provide services based on domain names.

Advanced anti-DDoS service restriction
    Scheduling protection for the NAT gateway IP address, the DNS server IP address, and CDN IP addresses is not supported.

Networking Requirements

  1. If the amount of attack traffic does not reach the switchover threshold (within the capability of the local cleaning center), the traffic is sent to the local cleaning center for attack defense. After the cleaning is complete, the local cleaning center returns the normal service traffic to the primary IP address of the protected server.

  2. If the amount of attack traffic reaches the switchover threshold (beyond the capability of the local cleaning center), the traffic is scheduled to HUAWEI CLOUD Advanced Anti-DDoS cleaning center for attack defense.

  3. After the cleaning is complete, HUAWEI CLOUD Advanced Anti-DDoS cleaning center returns the normal service traffic to the secondary IP address of the protected server, implementing collaborative defense against DDoS attacks across the on-premises and cloud environments.

Prerequisites

You have purchased the HUAWEI CLOUD Advanced Anti-DDoS function and obtained the corresponding license.

Service Planning

Procedure

  1. Load the license.
    <sysname> system-view
    [sysname] license active License.dat
  2. Register a HUAWEI CLOUD account.
    1. Log in to the HUAWEI CLOUD website at https://www.huaweicloud.com/.
    2. Click Register. On the HUAWEI CLOUD Account Registration page, set parameters as prompted.
    3. Click Register.
  3. Log in to the ATIC management center and create a Zone. For details, see Adding a Zone.
    1. On the IP Address tab page in the Create Zone dialog box, set IP addresses.

    2. On the Devices tab page, add an AntiDDoS device.

    3. Click Deployed. The deployment status changes to Deployment and the Zone is created.

  4. (Optional) Adjust the threshold for the incoming traffic of the Zone based on the alarm severity. The value of Threshold (Mbit/s) must be greater than the value of Incoming traffic (Mbit/s) for the critical alarm severity.
  5. Configure identity authentication for HUAWEI CLOUD Advanced Anti-DDoS.
    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.
    2. On the Huawei Cloud Advanced Anti-DDoS page, click Identity Authentication for Advanced Anti-DDoS.
    3. In the Huawei Cloud Advanced Anti-DDoS Defense Authentication dialog box, configure authentication information.

      Login URL
        The default value is https://iam.cn-north-1.myhuaweicloud.com/v3/auth/tokens.
        For HUAWEI CLOUD users registered before 00:00:00 on September 6, 2019, enter https://iam.cn-north-1.myhuaweicloud.com/v3/auth/tokens.
        For HUAWEI CLOUD users registered after 00:00:00 on September 6, 2019, enter https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens.

      User
        Registered HUAWEI CLOUD account.
        NOTICE: If you change the user name in the Huawei Cloud Advanced Anti-DDoS dialog box, the existing advanced anti-DDoS configuration becomes invalid. Therefore, if you want to switch to another account, manually delete the existing advanced anti-DDoS configuration and reconfigure the advanced anti-DDoS policy for the new account.

      Password
        Password of the registered HUAWEI CLOUD account.

      Domain name
        Registered HUAWEI CLOUD account.

      Project Name
        For HUAWEI CLOUD users registered before 00:00:00 on September 6, 2019, enter cn-north-1.
        For HUAWEI CLOUD users registered after 00:00:00 on September 6, 2019, enter cn-north-4.

      Advanced Anti-DDoS URL
        https://aad.myhuaweicloud.com/

      HUAWEI CLOUD Certificate
        Select a certificate from the drop-down list box.
        NOTE: Before setting this parameter, manually download and create a HUAWEI CLOUD certificate. For details, see Certificate Management.
        When Login URL is set to https://iam.cn-north-1.myhuaweicloud.com/v3/auth/tokens, download the HUAWEI CLOUD certificate at https://iam.cn-north-1.myhuaweicloud.com/.
        When Login URL is set to https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens, download the HUAWEI CLOUD certificate at https://iam.cn-north-4.myhuaweicloud.com/.

      Advanced Anti-DDoS Certificate
        Select a certificate from the drop-down list box.
        NOTE: Before setting this parameter, manually download and create an Advanced Anti-DDoS certificate. For details, see Certificate Management.
        To download an Advanced Anti-DDoS certificate, visit https://aad.myhuaweicloud.com/.

    4. Click OK.

  6. Configure advanced anti-DDoS.

    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

    2. Click Create. In the Add Advanced Anti-DDoS Configuration dialog box, configure basic information.

      Defense IP
        Enter the destination IP address. Only IPv4 addresses are supported.

      Name
        Enter a company name.

      Domain
        Enter the protected domain.

      Region
        Select a region from the drop-down list.

      Defense IP Line
        Select a line from the drop-down list. Currently, the following lines are supported: china_unicom, china_mobile, china_telecom, and BGP.

      TCP Port
        Enter a port number. If you enter multiple port numbers, separate them using commas (,). A maximum of 20 port numbers are supported. The port number ranges from 1 to 65535.

      UDP Port
        Enter a port number. If you enter multiple port numbers, separate them using commas (,). A maximum of 20 port numbers are supported. The port number ranges from 1 to 65535.

      Backup IP
        Enter the destination IP address in IPv4 format.

      Switching Threshold
        When the incoming traffic of the device reaches the configured threshold, the system switches to HUAWEI CLOUD Advanced Anti-DDoS. The default value is 1000 Mbit/s. The value ranges from 1 to 200,000.

      Switch to Advanced Anti-DDoS
        • Manual: The administrator manually switches from ATIC-based defense to HUAWEI CLOUD Advanced Anti-DDoS.
        • Automatic: When the traffic reaches the threshold, the system automatically switches to HUAWEI CLOUD Advanced Anti-DDoS.

      Switch back to ATIC-based defense
        • Manual: The administrator manually switches from HUAWEI CLOUD Advanced Anti-DDoS back to ATIC-based defense.
          NOTE: After the attack stops, you are advised to switch back to ATIC-based defense.
        • Automatic: When the attack traffic stays below the threshold for 24 hours, the system automatically switches back to ATIC-based defense.

      DNS Quick Refresh
        This item is displayed when Identity Authentication for Advanced Anti-DDoS is configured for the purchased HUAWEI CLOUD Advanced Anti-DDoS device.
        • Manual: After the defense mode is switched to HUAWEI CLOUD Advanced Anti-DDoS, click DNS Quick Refresh to update the DNS record manually.
        • Automatic: After the defense mode is switched to HUAWEI CLOUD Advanced Anti-DDoS, the fast DNS update is performed automatically.

      Device Name
        Select a device from the drop-down list.

      Expiration Date
        This item is displayed after you select the device on which the HUAWEI CLOUD Advanced Anti-DDoS service is enabled. The value is automatically set to the expiration date of the HUAWEI CLOUD Advanced Anti-DDoS service license.

    3. Click OK.

  7. Obtain the advanced anti-DDoS CNAME and change the A record to the CNAME on the DNS server.

    If the CNAME conflicts with an existing A record on the DNS server, delete the record and add the CNAME again.

    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

    2. Copy the CNAME.

    3. Contact the DNS provider and add a record set. Change the DNS A record in the domain name to a CNAME.
  8. (Optional) Configure DamDDoS to implement the second-level blackhole function.

    1. DamDDoS is provided by a third party. To configure the second-level blackhole function, you need to purchase DamDDoS from China Telecom.

    2. If this operation is not performed and the attack does not stop, the attack traffic is forwarded to the defense IP address and congests the ingress bandwidth of the local network.
  9. View the report.

    1. Choose Report > Report > Traffic Analysis.

    2. Click the Huawei Advanced Anti-DDoS Traffic tab, and set parameters.

      Table 2 Setting parameters

      Defense IP
        IP address to be protected, for example, 10.2.2.2.

      Time
        Start time and end time of the query.

    3. Click Search. Figure 1 shows the traffic report.

      Figure 1 Incoming traffic and attack traffic of the specific defense IP address

Switching to HUAWEI CLOUD Advanced Anti-DDoS

  1. Manual switching

    You can manually switch traffic from the local cleaning center to HUAWEI CLOUD Advanced Anti-DDoS no matter whether Switch to Advanced Anti-DDoS is set to Automatic or Manual.

    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

    2. Select the check box on the left of Defense IP and click Enable Advanced Anti-DDoS. In the dialog box that is displayed, click OK. The local cleaning center is manually switched to HUAWEI CLOUD Advanced Anti-DDoS.

  2. Automatic switching

    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

    2. Click in the Operation column on the right. In the Edit Advanced Anti-DDoS Config dialog box, set Switch to Advanced Anti-DDoS to Automatic.

    3. Click OK. When the attack traffic reaches the value of Switching Threshold, the local cleaning center automatically switches to HUAWEI CLOUD Advanced Anti-DDoS cleaning center.

Switching Back to ATIC-based Defense

  1. Manual switching

    No matter whether Switch back to ATIC-based defense is set to Automatic or Manual, you can manually switch traffic back from HUAWEI CLOUD Advanced Anti-DDoS cleaning center to the local cleaning center once the ATIC report shows that the attack has stopped.

    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

    2. Select the target IP address and click Disable Advanced Anti-DDoS. In the dialog box that is displayed, click OK. Advanced anti-DDoS is manually switched back to ATIC-based defense.

  2. Automatic switching
    1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

    2. Click in the Operation column on the right. In the Edit Advanced Anti-DDoS Config dialog box, set Switch back to ATIC-based defense to Automatic.

    3. Click OK. When the attack traffic falls below the value of Switching Threshold for 24 hours, the traffic is automatically switched back to the local cleaning center.
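The automatic switchover rules of the two sections above (switch to HUAWEI CLOUD Advanced Anti-DDoS when incoming traffic reaches Switching Threshold, switch back once traffic has stayed below it for 24 hours, and a manual override that works in either setting), modeled as an added Python example. This is not ATIC code; the hourly sampling interval, the constructed traffic samples and all function names are assumptions.

```python
from dataclasses import dataclass, field

ATIC = "atic"    # traffic is cleaned by the local cleaning center
CLOUD = "cloud"  # traffic is scheduled to HUAWEI CLOUD Advanced Anti-DDoS
SWITCH_BACK_HOLD_HOURS = 24  # page: switch back after 24 hours below the threshold

@dataclass
class DefenseConfig:
    switching_threshold_mbps: int = 1000     # page default; valid range 1..200000
    switch_to_cloud: str = "manual"          # "manual" or "automatic"
    switch_back: str = "manual"              # "manual" or "automatic"

    def __post_init__(self):
        if not 1 <= self.switching_threshold_mbps <= 200_000:
            raise ValueError("Switching Threshold must be 1..200000 Mbit/s")
        if {self.switch_to_cloud, self.switch_back} - {"manual", "automatic"}:
            raise ValueError("switch modes must be 'manual' or 'automatic'")

@dataclass
class DefenseState:
    mode: str = ATIC
    hours_below: int = 0                         # consecutive hours under the threshold
    events: list = field(default_factory=list)   # audit trail of mode changes

def manual_switch(state: DefenseState, target: str) -> None:
    """Operator action (Enable/Disable Advanced Anti-DDoS); allowed in either setting."""
    state.mode, state.hours_below = target, 0
    state.events.append(f"manual -> {target}")

def observe_hourly(cfg: DefenseConfig, state: DefenseState, hour: int, mbps: int) -> str:
    """Apply the automatic rules to one hourly traffic sample (assumed sampling interval)."""
    if state.mode == ATIC:
        if cfg.switch_to_cloud == "automatic" and mbps >= cfg.switching_threshold_mbps:
            state.mode, state.hours_below = CLOUD, 0
            state.events.append(f"h{hour}: auto -> cloud at {mbps} Mbit/s")
        return state.mode
    # CLOUD mode: traffic must stay below the threshold for 24 consecutive samples
    state.hours_below = state.hours_below + 1 if mbps < cfg.switching_threshold_mbps else 0
    if cfg.switch_back == "automatic" and state.hours_below >= SWITCH_BACK_HOLD_HOURS:
        state.mode, state.hours_below = ATIC, 0
        state.events.append(f"h{hour}: auto -> atic after {SWITCH_BACK_HOLD_HOURS}h below threshold")
    return state.mode

def simulate(cfg: DefenseConfig, samples: list, start: str = ATIC) -> tuple:
    """Run hourly samples from a given mode; return (final_mode, events)."""
    state = DefenseState(mode=start)
    for hour, mbps in enumerate(samples):
        observe_hourly(cfg, state, hour, mbps)
    return state.mode, state.events
```

With both settings on Automatic, the constructed run simulate(cfg, [100, 200, 1500, 1500] + [200] * 24) switches to the cloud at hour 2 and back to ATIC at hour 27, after 24 consecutive quiet samples.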

Restoring the Advanced Anti-DDoS Configuration

When the HUAWEI CLOUD Advanced Anti-DDoS service license is restored and becomes available again, if you want to use the previous protection group configuration, you can use the Restore Advanced Anti-DDoS Configuration function to ask the HUAWEI CLOUD Advanced Anti-DDoS service to restore the advanced anti-DDoS defense of this protection group.

  1. Choose Defense > Policy Settings > Cloud Clean > Huawei Cloud Advanced Anti-DDoS.

  2. Select the protection group for service restoration, and click Restore Advanced Anti-DDoS Configuration. In the dialog box that is displayed, click OK.

Verifying the Configuration

After the configuration is complete, perform the following steps to verify the configuration:

If the current defense mode is ATIC-based defense:
  1. Log in to the defense domain name http://www.addtest.com/ for a test. The login is successful.

  2. Manually switch the defense mode to HUAWEI CLOUD Advanced Anti-DDoS.

  3. After the switchover, log in to http://www.addtest.com/ for a test. The login is successful.

If the current defense mode is HUAWEI CLOUD Advanced Anti-DDoS:
  1. Log in to the defense domain name http://www.addtest.com/ for a test. The login is successful.

  2. Manually switch the defense mode back to ATIC-based defense.

  3. After the switchover, log in to http://www.addtest.com/ for a test. The login is successful.


Copyright © Huawei Technologies Co., Ltd.