HUAWEI Anti-DDoS V500R001 Configuration Examples 01 PDF

HUAWEI Anti-DDoS
V500R001
Configuration Examples
Issue
01
Date
2015-07-20
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 01 (2015-07-20)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.
HUAWEI Anti-DDoS
Contents
Contents
1 Configuration Examples for System Deployment..................................................................1
1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-of-Path Deployment of an
Intermixed Device)...............................................................................................................................................................2
1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path Deployment of Active and
Standby Devices)..................................................................................................................................................................8
2 Configuration Examples for Traffic Diversion and Injection............................................17

2.1 Example for PBR Diversion and Static Route Injection..............................................................................................18
2.2 Example for PBR Diversion and PBR Injection..........................................................................................................20
2.3 Example for BGP Diversion and Layer-2 Injection.....................................................................................................23
2.4 Example for BGP Diversion and UNR Route Injection...............................................................................................27
2.5 Example for BGP Diversion and PBR Injection..........................................................................................................30
2.6 Example for BGP Diversion and GRE Injection..........................................................................................................34
2.7 Example for BGP Diversion and MPLS VPN Injection..............................................................................................38
2.8 Example for BGP Diversion and MPLS LSP Injection...............................................................................................44
2.9 Example for Cleaning Blackhole Routes (Configuring the Router to Discard Packets)..............................................49
3 Configuration Examples for Comprehensive Scenarios......................................................53

3.1 Scenario 1: MAN Attack Defense................................................................................................................................54
3.1.1 Scenario Description..................................................................................................................................................54
3.1.2 Typical Networking...................................................................................................................................................55
3.1.3 Data Planning............................................................................................................................................................56
3.1.4 Configuration Procedure............................................................................................................................................61
3.1.5 Configuration Scripts.................................................................................................................................................70
3.1.6 Commissioning..........................................................................................................................................................72
3.2 Scenario 2: Data Center Security Protection................................................................................................................73
3.2.1 Scenario Description..................................................................................................................................................73
3.2.2 Typical Networking...................................................................................................................................................75
3.2.3 Data Planning............................................................................................................................................................76
3.2.4 Configuration Procedure............................................................................................................................................80
3.2.5 Configuration Scripts.................................................................................................................................................95
3.2.6 Commissioning..........................................................................................................................................................98
Issue 01 (2015-07-20)

ii
HUAWEI Anti-DDoS
1 Configuration Examples for System Deployment
Configuration Examples for System

Deployment
About This Chapter

This section provides an example for configuring system deployment.
1.1 Example for Configuring Interconnection Between the AntiDDoS8000 and ATIC (Out-ofPath Deployment of an Intermixed Device)
1.2 Example for Configuring Interconnection Between the AntiDDoS8000s and ATIC (In-Path
Deployment of Active and Standby Devices)
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
1.1 Example for Configuring Interconnection Between the

AntiDDoS8000 and ATIC (Out-of-Path Deployment of an
Intermixed Device)
Networking Requirements
As shown in Figure 1-1, the intermixed device is deployed at the network node in off-line mode
to detect and clean downstream traffic destined for the Zone. It copies traffic on the link to the
detecting interface in optical splitting mode to detect traffic in real time, and notifies the ATIC
management center upon anomalies. The ATIC management center delivers a traffic-diversion
task to the cleaning SPU, so that traffic is diverted to the cleaning interface. After cleaned, normal
traffic is injected to the original link for further forwarding through the traffic-injection interface.
GigabitEthernet 2/0/1 on the cleaning device is used for receiving optically split traffic. Traffic
passing through the interface is sent to the detecting SPU for analysis. GigabitEthernet 1/0/1 is
used for receiving diverted traffic. The cleaning SPU cleans the traffic received by
GigabitEthernet 1/0/1. After cleaned, traffic is injected to the router for forwarding through
subinterface GigabitEthernet 1/0/1.100.
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
Figure 1-1 Networking diagram of the intermixed device in off-line mode
Optical
splitter
GE2/0/1
Router
GE1/0/1
GE3/0/0
10.1.5.1/24
GE1/0/1.100
Intermixed
device
ATIC management
center
10.1.5.2/24
Optically split traffic

Pre-cleaning traffic
Post-cleaning traffic
Zone
Zone
This example mainly describes how to configure the intermixed device and ATIC management
center deployed on the network. Details on how to configure traffic diversion and injection, and
defense policies are omitted.
For details on the example for configuring traffic diversion and injection, see Traffic Diversion
and Injection Configuration Examples.
Service Planning
l
The intermixed device is named AntiDDoS.
The ATIC management center is deployed in centralized mode. That is, both the anti-DDoS
collector and the ATIC server are deployed on the same server.
Table 1-1 shows the IP addresses of the intermixed device and ATIC management center.
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
Table 1-1 IP addresses

Device Name
Interface
IP Address
Description
Intermixed device
GigabitEthernet
2/0/1
Indicates a
detecting interface.
It is used for
receiving optically
split traffic on the
link and the IP
address is not
required.
GigabitEthernet
1/0/1
10.1.2.1/24
Indicates a cleaning
interface.
It is an inbound
interface for
diverted traffic. The
intermixed device
applies diversified
defense policies to
the incoming traffic
of the interface, and
analyzes and cleans
the traffic.
GigabitEthernet
1/0/1.100
10.1.3.1/24
Indicates a trafficinjection interface.

Cleaned traffic is
injected to the
original link
through the
interface.
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
Device Name
Interface
IP Address
Description
GigabitEthernet
3/0/0
10.1.5.1/24
Indicates an
interface through
which the cleaning
device
communicates with
the ATIC
management
center.
The intermixed
device sends logs or
captured packets to
the anti-DDoS
collector in the
ATIC management
center for further
analysis and
processing.
The IP address of
the interface and
that of the ATIC
management center
must be reachable.
In this example,
they reside on the
same network
segment.
ATIC management
center
10.1.5.2/24
Indicates the IP
address of the ATIC
management
center.
Configuration Roadmap
Perform the following on the intermixed device:
1.
Log in to the intermixed device by using the console port for the first time to upgrade the
software version.
2.
Load the license.
3.
Set IP addresses for interfaces, add the interfaces to security zones, and configure interzone
packet filtering.
4.
Change the default user name and password, and configure Telnet.
5.
Configure SNMP, so that the ATIC management center can obtain the status of the
intermixed device.
6.
Configure detecting and cleaning interfaces and enable traffic statistical collection on them.
7.
Specify detecting and cleaning SPUs and restart the SPUs.
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
8.
Save the configuration.
Perform the following in the ATIC management center:

1.
Log in to the ATIC management center for the first time.
2.
Creating an Anti-DDoS device.
3.
4.
Configure proper defense policies.
Configuring the Intermixed Device

Step 1 Log in to the intermixed device by using the console port for the first time. The default user
name and password are admin and Admin@123.
You can view version information by running the display version command. Upgrade the
software version to the latest. For details, refer to the Upgrade Instructions.
Step 2 Load the license.
<AntiDDoS> system-view
[AntiDDoS] license active lic_antiddos8000_20150430.dat
Step 3 Specify detecting and cleaning SPU subcards.

[AntiDDoS] firewall ddos clean-spu slot 3 card 0
[AntiDDoS] firewall ddos detect-spu slot 3 card 1
Step 4 Change the default user name and password, and configure Telnet.
Set the authentication mode of the VTY administrator page to AAA and disconnection period
for idle administrators to 5 minutes (10 minutes by default).
NOTE
Compared with STelnet, Telnet is insecure. Therefore, STelnet is recommended. This example uses Telnet
to describe the configuration procedure.
[AntiDDoS] telnet server enable
[AntiDDoS] user-interface vty 0 4
[AntiDDoS-ui-vty0-4] authentication-mode aaa
[AntiDDoS-ui-vty0-4] user privilege level 3
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS-ui-vty0-4] quit
[AntiDDoS] aaa
[AntiDDoS-aaa] manager-user atic
[AntiDDoS-aaa-manager-user-atic] password
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type telnet
[AntiDDoS-aaa-manager-user-atic] quit
[AntiDDoS-aaa] bind manager-user vtyadmin role system-admin
Step 5 Optional: Configure automatic lockout upon administrator login failures.

By default, if an administrator fails to log in for consecutive 3 times, the administrator account
will be locked for 30 minutes. In this example, the administrator account will be locked for 10
minutes upon 2 login failures.
[AntiDDoS-aaa] lock-authentication enable
[AntiDDoS-aaa] lock-authentication failed-count 2
[AntiDDoS-aaa] lock-authentication timeout 10
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
Step 6 Set the IP addresses of interfaces and add the interfaces to security zones (omitted).
Step 7 Enable default interzone packet filtering.
[AntiDDoS] security-policy
[AntiDDoS-policy-security] rule name ddos1
[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit
[AntiDDoS-policy-security] quit
Step 8 Configure SNMP.

NOTE
Compared with SNMPv3, SNMPv2c is insecure. Therefore, SNMPv3 is recommended. This example uses
SNMPv2c to describe the configuration procedure.
[AntiDDoS] snmp-agent sys-info version v2c
[AntiDDoS] snmp-agent community read public@123
[AntiDDoS] snmp-agent community write private@123
Step 9 Configure the detecting interface.

[AntiDDoS] interface GigabitEthernet 2/0/1
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos detect enable
[AntiDDoS-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[AntiDDoS-GigabitEthernet2/0/1] quit
Step 10 Configure the cleaning interface.

[AntiDDoS-GigabitEthernet1/0/1] anti-ddos clean enable
Step 11 Save the configuration.

<AntiDDoS> save
----End
Configuring the ATIC Management Center

Step 1 Log in to the ATIC management center for the first time.
1.
Enter https://10.1.5.2 in the address bar of the Internet Explorer and press Enter to access
the ATIC management center.
2.
Enter the user name, password, and verification code on the login page. The user name is
atic, and the password is Admin@123. Click Log In.
3.
Change the initial password upon the first login.
Step 2 Create an anti-DDoS device.

1.
Choose Defense > Network Settings > Devices.
2.
Click
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
Figure 1-2 Create an anti-DDoS device.
3.
Click OK. The anti-DDoS device is added to the NE list.

1.
Choose Defense > Policy Settings > Global Policy.
2.
Select the check box of the cleaning device and click
Step 4 Configure a defense policy (omitted).

----End
1.2 Example for Configuring Interconnection Between the

AntiDDoS8000s and ATIC (In-Path Deployment of Active
and Standby Devices)
As shown in Figure 1-3, two cleaning devices are deployed in in-path mode and work in active/
standby mode to detect and clean the traffic destined for the Zone. Both upstream and
downstream service interfaces on the cleaning devices connect to switches. Based on the defense
policy delivered by the ATIC management center, the cleaning devices detect and clean network
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
traffic, and report traffic and attack logs to the ATIC management center. In so doing, various
reports are generated for query.
Figure 1-3 Networking diagram of the cleaning devices in in-path mode
ATIC management center

VRRP group 1
GE1/0/1
1.1.1.1/24
VRRP group 3
GE3/0/0
AntiDDoS_A
GE1/0/3
2.2.2.1/24
GE3/0/0
GE3/0/3
5.1.1.3/24
GE3/0/3
5.1.1.4/24
VRRP group 2
GE1/0/1
1.1.1.2/24
AntiDDoS_B
GE1/0/3
2.2.2.2/24
Traffic before cleaning

Traffic after cleaning
Zone
Service link
Backup link
This example mainly describes how to configure the cleaning devices and ATIC management
center deployed on the network. Details on how to configure defense policies are omitted.
Issue 01 (2015-07-20)

HUAWEI Anti-DDoS
Service Planning
l
The cleaning device names are AntiDDoS_A and AntiDDoS_B.
The ATIC management center is deployed in centralized mode. That is, the anti-DDoS
collector and management server are deployed on one physical server.
The service interfaces on the cleaning devices work at Layer 3. Enable VRRP on upstream
and downstream switches. Use GigabitEthernet 3/0/0s to communicate with the ATIC
management center.
Table 1-2 lists the IP addresses of the cleaning devices and ATIC management center.
Table 1-2 Planning for the IP addresses of interfaces on devices
Device
Interface
IP Address
Description
Cleaning
device A
GigabitEthernet
1/0/1
1.1.1.1/24
Indicates a service
interface.
It serves as an outbound
interface for downstream
traffic and connects to the
Zone network.
GigabitEthernet
1/0/3
2.2.2.1/24
Indicates a service
interface, also named
cleaning interface.
It serves as an inbound
Internet.
GigabitEthernet
3/0/0
10.1.5.3/24
Indicates an interface
through which a cleaning
device communicates with
the ATIC management
center.
The cleaning device sends
logs or captured packets to
the anti-DDoS collector in
the ATIC management
center for further analysis
and processing.
The IP address of this
interface and the IP address
of the ATIC management
center must be reachable. In
this example, the two IP
addresses are in the same
network segment.
GigabitEthernet
3/0/3
Issue 01 (2015-07-20)
5.1.1.2/24

Indicates a heartbeat
interface.
10
HUAWEI Anti-DDoS
Device
Interface
IP Address
Description
Cleaning
device B
GigabitEthernet
1/0/1
1.1.1.2/24
Indicates a service
interface.
It serves as an outbound
Zone network.
GigabitEthernet
1/0/3
2.2.2.2/24
Indicates a service
interface, also named
cleaning interface.
It serves as an inbound
Internet.
GigabitEthernet
3/0/0
10.1.5.4/24
Indicates an interface
through which a cleaning
device communicates with
the ATIC management
center.
The cleaning device sends
logs or captured packets to
the anti-DDoS collector in
the ATIC management
center for further analysis
and processing.
interface and the IP address
of the ATIC management
center must be reachable. In
this example, the two IP
addresses are in the same
network segment.
GigabitEthernet
3/0/3
5.1.1.3/24
Indicates a heartbeat
interface.
Management
center
10.1.5.2/24
Indicates the IP address of

the ATIC management
center.
Zone
2.2.2.0/24
Indicates the IP address

segment of the Zone.
Table 1-3 lists the VRRP virtual IP addresses planned for the cleaning devices.
NOTE
The anti-DDoS solution supports only active/standby hot standby, not load balancing hot standby. In
addition, only the active/standby backup using VRRP is supported.
Issue 01 (2015-07-20)

11
HUAWEI Anti-DDoS
Table 1-3 Planning for VRRP virtual IP addresses

VRRP Group
Member
Interface
Virtual IP
Address
Description
VRRP group 1
Cleaning device
A:
GigabitEthernet
1/0/1
1.1.1.10/24
These service interfaces

connect to an upstream
switch.
2.2.2.10/24
These service interfaces

connect to a downstream
switch.
10.1.5.1/24
These interfaces connect to

the ATIC management
center.
Cleaning device
B:
GigabitEthernet
1/0/1
VRRP group 2
Cleaning device
A:
GigabitEthernet
1/0/3
Cleaning device
B:
GigabitEthernet
1/0/3
VRRP group 3
Cleaning device
A:
GigabitEthernet
3/0/0
Cleaning device
B:
GigabitEthernet
3/0/0
Do as follows on the two cleaning devices:
1.
Log in to each cleaning device through the console port for the first time and upgrade the
software version.
2.
Load the license.
3.
Configure STelnet.
4.
Configure interfaces, add them to security zones, and enable default packet filtering.
5.
Configure SNMP, so that the ATIC management center can obtain the status of each
cleaning device.
6.
Configure cleaning interfaces and enable traffic statistics on the interfaces.
7.
Specify the cleaning SPU subcard.
8.
Configure hot standby.
9.
Do as follows on the ATIC management center:

Issue 01 (2015-07-20)

12
HUAWEI Anti-DDoS
1.
2.
Create anti-DDoS devices.
3.
4.
Configure a defense policy.
Configuring Cleaning Device A

Step 1 Log in to the cleaning device through the console port for the first time. The default user name
and password are admin and Admin@123.
You can view version information by running the display version command. Upgrade the
software version to the latest. For details, see Upgrade Guide.
Step 3 Specify the cleaning SPU subcard.

Step 4 Create a user name, set a password, and configure Telnet.

[AntiDDoS-ui-vty0-4] protocol inbound ssh
[AntiDDoS] aaa
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type ssh
[AntiDDoS-aaa-manager-user-atic] level 15
[AntiDDoS-aaa] quit
[AntiDDoS] rsa local-key-pair create
The key name will be: AntiDDoS_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
[AntiDDoS] stelnet server enable
[AntiDDoS] ssh user atic
[AntiDDoS] ssh user atic authentication-type password
[AntiDDoS] ssh user atic service-type stelnet
Step 5 Set interface IP addresses and add the interfaces to security zones (omitted).
NOTE
Issue 01 (2015-07-20)

13
HUAWEI Anti-DDoS
[AntiDDoS_A] snmp-agent sys-info version v2c

[AntiDDoS_A] snmp-agent community read public@123
[AntiDDoS_A] snmp-agent community write private@123
Step 7 Specify GigabitEthernet 1/0/1 as a cleaning interface and enable traffic statistics on the interface.
[AntiDDoS_A] interface GigabitEthernet 1/0/1
[AntiDDoS_A-GigabitEthernet1/0/1] anti-ddos clean enable
[AntiDDoS_A-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
[AntiDDoS_A-GigabitEthernet1/0/1] quit
Step 8 Configure a VRRP group.

# Configure VRRP group 1 on the upstream service interface GigabitEthernet 1/0/1 and set its
state to Active. Note that if the IP address of this interface and the VRRP virtual IP address are
in different network segments, you must specify a mask for the VRRP virtual IP address.
[AntiDDoS_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.10 24 active
# Configure VRRP group 2 on the downstream service interface GigabitEthernet 1/0/3 and set
its state to Active.
[AntiDDoS_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 2.2.2.10 active
# Configure VRRP group 3 on the interface connecting to the ATIC management center and set
its state to Active.
NOTE
You must add the interfaces connecting the anti-DDoS devices to the ATIC management center to a VRRP
group and set a virtual IP address for the VRRP group, so that the interfaces use this virtual IP address to
communicate with the ATIC management center.
[AntiDDoS_A-GigabitEthernet3/0/0] vrrp vrid 3 virtual-ip 10.1.5.1 active
Step 9 Configure the source IP address for sending logs.

[AntiDDoS_A] info-center loghost source 10.1.5.1
NOTE
In hot standby networking, you must set the source IP address for the anti-DDoS devices to send logs to
the VRRP virtual IP address, so that the ATIC management center can parse the operation logs of the antiDDoS devices.
Step 10 Specify a heartbeat interface and enable hot standby.

[AntiDDoS_A] hrp interface GigabitEthernet 3/0/3 remote 5.1.1.2
[AntiDDoS_A] hrp enable
Step 11 Enable default interzone packet filtering.

Create a security policy on AntiDDoS_A. After hot standby starts to work properly, the security
policy configured on AntiDDoS_A will be automatically backed up to AntiDDoS_B.
HRP_M[AntiDDoS_A] security-policy
HRP_M[AntiDDoS_A-policy-security] rule name ddos1
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] source-zone any
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] destination-zone any
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] action permit
HRP_M[AntiDDoS_A-policy-security-rule-ddos1] quit
HRP_M[AntiDDoS_A-policy-security] quit

Issue 01 (2015-07-20)

14
HUAWEI Anti-DDoS
HRP_M<AntiDDoS_A> save
----End
Configuring Cleaning Device B

Step 1 Configure hot standby on AntiDDoS_B.
# The configuration on AntiDDoS_B is similar to that on AntiDDoS_A except that:
1.
The IP addresses of interfaces on AntiDDoS_B are different from those of interfaces on

AntiDDoS_A.
2.
The state of the VRRP groups of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 on
AntiDDoS_B must be set to Standby.
----End

1.
2.
admin, and the password is Admin@123. Click Log In.
3.
Step 2 Create anti-DDoS devices.

1.
2.
Click
Issue 01 (2015-07-20)

15
HUAWEI Anti-DDoS
Figure 1-4 Create anti-DDoS devices.
3.
Click OK. The anti-DDoS devices are added to the NE list.

1.
Choose Defense > Policy Settings > Global Policy.
2.
Select the check box of the active cleaning device and click
.
Step 4 Configure a defense policy (omitted).

----End
Issue 01 (2015-07-20)

16
HUAWEI Anti-DDoS
2 Configuration Examples for Traffic Diversion and Injection
Configuration Examples for Traffic

Diversion and Injection
About This Chapter

This section provides an example for configuring traffic diversion and injection.
2.1 Example for PBR Diversion and Static Route Injection
2.2 Example for PBR Diversion and PBR Injection
2.3 Example for BGP Diversion and Layer-2 Injection
2.4 Example for BGP Diversion and UNR Route Injection
2.5 Example for BGP Diversion and PBR Injection
2.6 Example for BGP Diversion and GRE Injection
2.7 Example for BGP Diversion and MPLS VPN Injection
2.8 Example for BGP Diversion and MPLS LSP Injection
2.9 Example for Cleaning Blackhole Routes (Configuring the Router to Discard Packets)
Issue 01 (2015-07-20)

17
HUAWEI Anti-DDoS
2.1 Example for PBR Diversion and Static Route Injection

As shown in Figure 2-1, the cleaning device connects to core router Router1 in off-line mode
to detect and clean the traffic destined for the Zone. In off-line mode, downstream traffic destined
for the Zone is diverted to the cleaning device for detecting and cleaning through PBR in real
time. After cleaned, normal traffic is injected to Router1 through the static route. After that,
Router1 forwards the normal traffic to Router2 and finally to the Zone.
Figure 2-1 Networking diagram of PBR diversion and static route injection
GE1/0/0
10.1.1.1/24
GE1/0/1
10.1.2.1/24
GE2/0/1
10.1.2.2/24
GE1/0/2
10.1.3.1/24
GE2/0/2
10.1.3.2/24
Router1
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
Cleaning
device
ATIC
Management center
Router2
Diverted traffic
Injected traffic
Zone
1.1.1.1/32
Service Planning
To meet networking requirements, plan related services as follows:
l
In BGP traffic diversion mode, the cleaning device diverts traffic destined for Zone
1.1.1.1/32 in real time, regardless of attacks.
A traffic-diversion channel is established between Router1 GE1/0/1 and GE2/0/1 on the

cleaning device, and a traffic-injection channel is established between Router1 GE1/0/2
and GE2/0/2 on the cleaning device. The cleaning device diverts the specified traffic by
using GE1/0/1 and injects cleaned traffic to the original link by using GE2/0/1. Table
2-1 shows the IP addresses of the interfaces.
Issue 01 (2015-07-20)

18
HUAWEI Anti-DDoS

Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/2
10.1.3.2/24
GE1/0/0
10.1.1.1/24
GE1/0/1
10.1.2.1/24
GE1/0/2
10.1.3.1/24
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
Router1
Router2
1.
Configure a PBR on Router1 GE1/0/0 to divert Zone traffic by using GE1/0/1,

implementing traffic diversion.
2.
Enable traffic statistical collection on the cleaning interface of the cleaning device.
3.
Configure a static route on the cleaning device to point the next hop of the packet with
destination IP address 1.1.1.1/32 to 10.1.3.1/32. Then configure a PBR on Router1 GE1/0/2
to issue injected traffic to Router2, implementing traffic injection.
4.
Configure a default route on the cleaning device. The outbound interface points to cleaning
interface GE2/0/1 for searching for the reverse route.
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure the PBR on
Router1.
Step 1 Set IP addresses for interfaces on Router1. (Omitted)
Step 2 Configure a PBR on Router1 GE1/0/0 for traffic diversion.
# Define a traffic classifier.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip destination 1.1.1.1 0
[Router1-acl-adv-3001] quit
[Router1] traffic classifier class1
[Router1-classifier-class1] if-match acl 3001
[Router1-classifier-class1] quit
# Configure a traffic behavior and an action for forwarding packets.

[Router1] traffic behavior behavior1
[Router1-behavior-behavior1] redirect ip-nexthop 10.1.2.2 interface
GigabitEthernet 1/0/1
[Router1-behavior-behavior1] quit
# Define a traffic policy and specify an action for the classifier in the policy.
Issue 01 (2015-07-20)

19
HUAWEI Anti-DDoS
[Router1] traffic policy policy1

[Router1-trafficpolicy-policy1] classifier class1 behavior behavior1
[Router1-trafficpolicy-policy1] quit
# Apply the PBR to the interface.

[Router1] interface GigabitEthernet 1/0/0
[Router1-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[Router1-GigabitEthernet1/0/0] quit
Step 3 Configure a PBR on Router1 GE1/0/2 for traffic injection.


----End
Configuring the Cleaning Device

Step 1 Set IP addresses for interfaces on the cleaning device, add the interfaces to security zones, and
configure interzone packet filtering. (Omitted)
Step 2 Enable traffic statistical collection on the cleaning interface of the cleaning device.
[sysname] interface GigabitEthernet 2/0/1
[sysname-GigabitEthernet2/0/1] anti-ddos flow-statistic enable
[sysname-GigabitEthernet2/0/1] quit
Step 3 Configure a static route on the cleaning device for traffic injection.
[sysname] ip route-static 1.1.1.1 32 10.1.3.1
Step 4 Configure a default route for searching for the reverse route.
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
2.2 Example for PBR Diversion and PBR Injection

for the Zone is diverted to the cleaning device for detecting and cleaning through PBR in real
time. After cleaned, normal traffic is injected to Router1 through PBR. After that, Router1
forwards the normal traffic to Router2 and finally to the Zone.
Issue 01 (2015-07-20)

20
HUAWEI Anti-DDoS
Figure 2-2 Networking diagram of PBR diversion and PBR injection
GE1/0/0
10.1.1.1/24
GE1/0/1
10.1.2.1/24
GE2/0/1
10.1.2.2/24
GE1/0/2
10.1.3.1/24
GE2/0/2
10.1.3.2/24
Router1
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
Cleaning
device
ATIC
Management center
Router2
Diverted traffic
Injected traffic
Zone
1.1.1.1/32
Service Planning
l

Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/2
10.1.3.2/24
GE1/0/0
10.1.1.1/24
GE1/0/1
10.1.2.1/24
GE1/0/2
10.1.3.1/24
Router1
Issue 01 (2015-07-20)

21
HUAWEI Anti-DDoS
Device Name
Router2
Interface
IP Address
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
1.
Configure a PBR on Router1 GE1/0/0 to divert Zone traffic by using GE1/0/1,

implementing traffic diversion.
2.
3.
Configure a PBR on GE2/0/1 of the cleaning device to inject incoming traffic to Router1
by using GE2/0/2, implementing traffic injection.
4.
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure the PBR on
Router1.
Step 2 Configure a PBR on Router1 GE1/0/0 for traffic diversion.
[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip destination 1.1.1.1 0


----End
Issue 01 (2015-07-20)

22
HUAWEI Anti-DDoS

Step 3 Configure the PBR on GE2/0/1 of the cleaning device for traffic injection.
[sysname] policy-based-route
[sysname-policy-pbr] rule name huizhu
[sysname-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2
next-hop 10.1.3.1
[sysname-policy-pbr-rule-huizhu] quit
[sysname-policy-pbr] quit
----End
2.3 Example for BGP Diversion and Layer-2 Injection

As shown in Figure 2-3, the cleaning device connects to Layer-3 switch Switch1 in off-line
mode to detect and clean the traffic destined for the Zone. GE2/0/1 on the cleaning device is
directly connected to Switch1 GE1/0/1. Interfaces work at Layer 3 and subinterfaces serve for
traffic diversion and injection. In off-line mode, downstream traffic destined for the Zone is
diverted to the cleaning device for detecting and cleaning through BGP diversion in real time.
After cleaning is complete, the cleaning device requests the MAC address of the Zone by sending
an ARP request packet. Then the Zone replies with an ARP reply packet. Subsequently, the
cleaning device injects traffic to the Zone by using the Layer-2 switch based on the MAC address.
Issue 01 (2015-07-20)

23
HUAWEI Anti-DDoS
Figure 2-3 Networking diagram of BGP diversion and Layer-2 injection
Switch1
GE1/0/1
VLAN10
GE2/0/1.10
10.1.2.2/24
VLAN20
GE2/0/1.20
10.1.3.2/24
GE1/0/2
VLAN20
Cleaning
device
ATIC
Management center
Switch2
Switch1
VLANIF 10: 10.1.2.1/24

VLANIF 20: 10.1.3.1/24
Diverted traffic
Injected traffic
Zone
10.1.3.10/24
Service Planning
l
The Zone is 10.1.3.10/24.
Subinterfaces GE2/0/1.10 and GE2/0/1.20 on the cleaning device serve for traffic diversion
and injection respectively.
Create VLAN10 and VLAN20 on Switch1. Configure Switch1 GE1/0/1 as a Trunk

interface to allow packets over VLAN10 and VLAN20 through, and Switch1 GE1/0/2 as
a Trunk interface to allow packets over VLAN20 through. Table 2-3 shows the IP addresses
of the interfaces.
Device Name
Interface
IP Address
Cleaning device
GE2/0/1.10
10.1.2.2/24
GE2/0/1.20
10.1.3.2/24
VLANIF 10
10.1.2.1/24
VLANIF 20
10.1.3.1/24
Switch1
Issue 01 (2015-07-20)

24
HUAWEI Anti-DDoS
1.
2.
Create VLAN10 and VLAN20 on Switch1, configure interface attributes, and associate
them with VLANs. Then set the IP address of the Vlanif interface.
3.
Associate subinterface GE2/0/1.10 on the cleaning device with VLNA10 and subinterface
GE2/0/1.20 with VLAN20.
4.
Establish a BGP peer between VLANIF10 interface on Switch1 and GE2/0/1.10 on the
cleaning device. Configure BGP on both Switch1 and the cleaning device, import the UNR
route to the cleaning device into BGP, and advertise the route to Switch1.
5.
To perform Layer-2 injection, enable FIB filtering over the 32-bit UNR route to the cleaning
device to prevent the UNR route from being delivered to the FIB. In this way, normal traffic
injection is safeguarded.
6.
Configure a community attribute on the cleaning device. In this way, Switch1 does not
notify other peers of the BGP route advertised by the cleaning device to avoid loops.
7.
Enable traffic statistical collection on cleaning interface GE2/0/1.10.
8.
interface GE2/0/1.10 for searching for the reverse route.
9.
After traffic diversion and injection are configured, enable the loop check function to check
the route.

Step 2 Configure subinterfaces on the cleaning device and associate them with VLAN IDs.
# Set the IP address of subinterface GE2/0/1.10 on the cleaning device and associate GE2/0/1.10
with VLAN10.
<sysname> system-view
[sysname] interface GigabitEthernet 2/0/1.10
[sysname-GigabitEthernet2/0/1.10] vlan-type dot1q 10
[sysname-GigabitEthernet2/0/1.10] ip address 10.1.2.2 24
[sysname-GigabitEthernet2/0/1.10] quit
# Set the IP address of subinterface GE2/0/1.20 on the cleaning device and associate GE2/0/1.20
with VLAN20.
[sysname-GigabitEthernet2/0/1.20] vlan-type dot1q 20
[sysname-GigabitEthernet2/0/1.20] ip address 10.1.3.2 24
Step 3 On the cleaning device, set the next-hop address for dynamically generating a route.
[sysname] firewall ddos bgp-next-hop 10.1.2.1
Step 4 Filter over the 32-bit UNR route according to the FIB.
[sysname] firewall ddos bgp-next-hop fib-filter
Issue 01 (2015-07-20)

25
HUAWEI Anti-DDoS
Step 5 In the ATIC management center, Choose Defense > Policy Settings > Traffic Diversion, create
a traffic-diversion task, and set the IP address to be protected to 10.1.3.10 and subnet mask to
255.255.255.255. Then click OK.
After previous configurations are complete, the cleaning device generates a 32-bit UNR route
with next hop 10.1.3.1 to 10.1.3.10.
Step 6 Configure BGP and the community attribute on the cleaning device.
[sysname] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[sysname] route-policy 1 permit node 1
[sysname-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 10.1.2.1 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit
After previous configurations are complete, the UNR route generated on the cleaning device is
imported to BGP and is advertised to Switch1 through BGP. In this manner, after receiving the
traffic destined for 10.1.3.10/24, Switch1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match.
[sysname-GigabitEthernet2/0/1.10] anti-ddos flow-statistic enable
[sysname] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1.10 10.1.2.1
----End
Configuring Switch1
The following uses Huawei S9300 as an example to describe how to configure Switch1.
Step 1 Create VLANs.
<switch1> system-view
[switch1] vlan 10
[switch1-vlan10] quit
[switch1] vlan 20
[switch1-vlan20] quit
Step 2 Configure interface attributes and associate them with VLANs.

<switch1> system-view
[switch1] interface gigabitethernet
[switch1-GigabitEthernet1/0/1] port
[switch1-GigabitEthernet1/0/1] quit
[switch1] interface gigabitethernet
[switch1-GigabitEthernet1/0/2] quit
1/0/1
link-type trunk
trunk allow-pass vlan 10 20
1/0/2
link-type trunk
trunk allow-pass vlan 20
Step 3 Set IP addresses for Vlanif interfaces.

[switch1] interface vlanif 10
[switch1-Vlanif10] ip address 10.1.2.1 24
Issue 01 (2015-07-20)

26
HUAWEI Anti-DDoS
[switch1-Vlanif10] quit
[switch1] interface vlanif 20
[switch1-Vlanif20] ip address 10.1.3.1 24
[switch1-Vlanif20] quit
Step 4 Configure BGP.

[switch1] bgp 100
[switch1-bgp] peer 10.1.2.2 as-number 100
[switch1-bgp] quit
----End
2.4 Example for BGP Diversion and UNR Route Injection

for the Zone is diverted to the cleaning device for detecting and cleaning through BGP diversion
in real time. After cleaned, normal traffic is injected to Router1 through the UNR route. After
that, Router1 forwards the normal traffic to Router2 and finally to the Zone.
Figure 2-4 Networking diagram of BGP diversion and UNR route injection
GE1/0/1
10.1.2.1/24
GE2/0/1
10.1.2.2/24
GE1/0/2
10.1.3.1/24
GE2/0/2
10.1.3.2/24
Router1
GE1/0/3
10.1.5.1/24
Cleaning
device
GE1/0/1
10.1.5.2/24
ATIC Management
center
Router2
Diverted traffic
Zone
1.1.1.1/32
Injected traffic
Service Planning
Issue 01 (2015-07-20)

27
HUAWEI Anti-DDoS

Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/2
10.1.3.2/24
GE1/0/1
10.1.2.1/24
GE1/0/2
10.1.3.1/24
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
Router1
Router2
1.
In the ATIC management center, set the IP address of the Zone whose traffic is to be
diverted.
2.
3.
Establish a BGP peer between Router1 GE1/0/1 and GE2/0/1 on the cleaning device.
Configure BGP on both Router1 and the cleaning device, import the UNR route to the
cleaning device into BGP, and advertise the route to Router1.
4.
Configure a community attribute on the cleaning device. In this way, Router1 does not
5.
Configure the PBR on Router1 GE1/0/2 to send injected traffic to downstream device
Router2. Subsequently, Router2 takes over the task to forward the traffic to the Zone.
6.
7.
the route.

Issue 01 (2015-07-20)

28
HUAWEI Anti-DDoS
255.255.255.255. Then click OK.
with next hop 10.1.3.1 to 1.1.1.1 and delivers the route to the FIB. You can run the display ip
routing-table command to display the following output:
[sysname] display ip routing-table
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 8
Routes : 8
Destination/Mask
1.1.1.1/32
---- More ----
Proto
Direct
Pre
0
Cost
0
Flags NextHop
D
10.1.3.1
Interface
GigabitEthernet2/0/2
[sysname] bgp 100
[sysname-bgp] quit
imported to BGP and is advertised to Router1 through BGP. In this manner, after receiving the
traffic destined for 1.1.1.1/32, Router1 searches the routing table to preferentially forward the
traffic to the cleaning device by using GE1/0/1 according to the longest mask match. After
cleaning is complete, the cleaning device injects the cleaned traffic to Router1 through GE2/0/2
along the UNR route.
The UNR route generated in step 3 is used for traffic diversion on Router1 as well as traffic
injection on the cleaning device. Therefore, traffic injection does not require configuration on
the cleaning device.
[sysname] ip route-UNR 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and PBR
on Router1.
Issue 01 (2015-07-20)

29
HUAWEI Anti-DDoS
Step 2 Configure BGP for Router1.

[Router1] bgp 100
[Router1-bgp] peer 10.1.2.2 as-number 100
[Router1-bgp] quit
Step 3 Configure a PBR on Router1 GE1/0/2.

[Router1] acl 3001
[Router1-acl-adv-3001] rule permit ip


----End
2.5 Example for BGP Diversion and PBR Injection

in real time. After cleaned, normal traffic is injected to Router1 through PBR. After that, Router1
forwards the normal traffic to Router2 and finally to the Zone.
Issue 01 (2015-07-20)

30
HUAWEI Anti-DDoS
Figure 2-5 Networking diagram of BGP diversion and PBR injection
GE1/0/1
10.1.2.1/24
GE2/0/1
10.1.2.2/24
GE1/0/2
10.1.3.1/24
GE2/0/2
10.1.3.2/24
Router1
GE1/0/3
10.1.5.1/24
Cleaning
device
GE1/0/1
10.1.5.2/24
ATIC Management
center
Router2
Diverted traffic
Injected traffic
Zone
1.1.1.1/32
Service Planning
l

Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/2
10.1.3.2/24
GE1/0/1
10.1.2.1/24
GE1/0/2
10.1.3.1/24
GE1/0/3
10.1.5.1/24
Router1
Issue 01 (2015-07-20)

31
HUAWEI Anti-DDoS
Device Name
Interface
IP Address
Router2
GE1/0/1
10.1.5.2/24
1.
diverted.
2.
3.
4.
To perform PBR injection, enable FIB filtering over the 32-bit UNR route to the cleaning
5.
6.
Configure the PBR on Router1 GE1/0/2 to send injected traffic to downstream device
Router2. Subsequently, Router2 takes over the task to forward the traffic to the Zone.
7.
8.
the route.

255.255.255.255. Then click OK.
with next hop 10.1.3.1 to 1.1.1.1.
[sysname] bgp 100
Issue 01 (2015-07-20)

32
HUAWEI Anti-DDoS

[sysname-bgp] quit
Step 7 Configure the PBR on GE2/0/1 of the cleaning device for traffic injection.
[sysname-policy-pbr] rule name huizhu
[sysname-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[sysname-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet 2/0/2
10.1.3.1
[sysname-policy-pbr-rule-huizhu] quit
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and PBR
on Router1.
[Router1] bgp 100
[Router1-bgp] quit
Step 3 Configure a PBR on Router1 GE1/0/2.

[Router1] acl 3001

Issue 01 (2015-07-20)

33
HUAWEI Anti-DDoS


----End
2.6 Example for BGP Diversion and GRE Injection

in real time. After cleaned, normal traffic is injected to Router2 through GRE. After that, Router2
forwards the normal traffic to the Zone.
Figure 2-6 Networking diagram of BGP diversion and GRE injection
GE1/0/1
10.1.2.1/24
loopback
GE2/0/1 2.2.2.2/32
10.1.2.2/24
GE1/0/2
10.1.3.1/24
GE2/0/2
10.1.3.2/24
Router1
GE1/0/3
10.1.5.1/24
ne
GE1/0/1
10.1.5.2/24
un
ET
ATIC
Cleaning
Management
center
device
GR
Router2
loopback
3.3.3.3/32
Diverted traffic
Injected traffic
Zone
1.1.1.1/32
Service Planning
Issue 01 (2015-07-20)

34
HUAWEI Anti-DDoS

cleaning device, and a GRE injection channel is established between the cleaning device
and Router2. Their loopback addresses act as source and destination addresses respectively.
The cleaning device diverts the specified traffic by using GE1/0/1 and injects cleaned traffic
over the GRE tunnel. Table 2-6 shows the IP addresses of the interfaces.
Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/2
10.1.3.2/24
Tunnel interface
10.1.1.1/24
Loopback interface
2.2.2.2/32
GE1/0/1
10.1.2.1/24
GE1/0/2
10.1.3.1/24
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
Tunnel interface
10.1.1.2/24
Loopback interface
3.3.3.3/32
Router1
Router2
1.
1.1.1.1/32 in real time.
2.
3.
4.
To perform GRE injection, enable FIB filtering over the 32-bit UNR route to the cleaning
5.
6.
Set loopback addresses for the cleaning device and Router2.
7.
Create GRE tunnels on both the cleaning device and Router2, and set source and destination
addresses for the GRE tunnel. The loopback addresses of the cleaning device and Router2
act as the source and destination addresses of the tunnel respectively. Ensure that the
cleaning device and Router2 are routable.
Issue 01 (2015-07-20)

35
HUAWEI Anti-DDoS
8.
9.
the route.
NOTE
When you configure GRE injection, do not configure the keepalive command at both ends of the tunnel.

Step 2 Configure GRE on the cleaning device.
# Create a tunnel interface, and set both source and destination IP addresses for it.
[sysname] interface Tunnel 1
[sysname-Tunnel1] tunnel-protocol gre
[sysname-Tunnel1] ip address 10.1.1.1 255.255.255.0
[sysname-Tunnel1] source 2.2.2.2
[sysname-Tunnel1] destination 3.3.3.3
[sysname-Tunnel1] quit
# Add the tunnel interface to the security zone. Ensure that the security zone where the tunnel
interface resides is the same as that where source interface GE2/0/2 resides.
[sysname] firewall zone trust
[sysname-zone-trust] add interface Tunnel 1
[sysname-zone-trust] quit
# Configure a pbr route to divert traffic to the tunnel interface.

[sysname-policy-pbr] rule name
[sysname-policy-pbr-rule-gre1]
gre1
ingress-interface GigabitEthernet 2/0/1
destination-address 1.1.1.1 32
action pbr egress-interface Tunnel 1
quit
255.255.255.255. Then click OK.
with next hop 10.1.3.1 to 1.1.1.1.
[sysname] ip ip-prefix
[sysname] route-policy
[sysname-route-policy]
Issue 01 (2015-07-20)
EXPORT-TO-DDoS index 10 permit 0.0.0.0 32

1 permit node 1
if-match ip-prefix EXPORT-TO-DDoS
apply community no-advertise
quit

36
HUAWEI Anti-DDoS
[sysname] bgp 100

[sysname-bgp] quit
Step 8 Set a loopback address for the cleaning device.

[sysname] interface loopback 1
[sysname-LoopBack1] ip address 2.2.2.2 32
[sysname-LoopBack1] quit
Step 9 Configure OSPF to notify the network segment connected to each interface.
[sysname] ospf 1
[sysname-ospf-1] area 0
[sysname-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[sysname-ospf-1-area-0.0.0.0] quit
[sysname-ospf-1] quit
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP on Router1.
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

[Router1] bgp 100
[Router1-bgp] quit
----End
Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure GRE on Router2.
Issue 01 (2015-07-20)

37
HUAWEI Anti-DDoS
Step 1 Set the interface IP address of Router2. (Omitted)

Step 2 Set a loopback address for Router2.
<Router2> set board-type slot 1 tunnel
<Router2> system-view
[Router2] interface loopback 1
[Router2-LoopBack1] ip address 3.3.3.3 32
[Router2-LoopBack1] target-board 1
[Router2-LoopBack1] binding tunnel gre
[Router2-LoopBack1] quit
Step 3 # Create a tunnel interface, and set both source and destination IP addresses for it.
# Create a tunnel interface, and set both source and destination IP addresses for it.
[Router2] interface Tunnel 1
[Router2-Tunnel1] tunnel-protocol gre
[Router2-Tunnel1] ip address 10.1.1.2 255.255.255.0
[Router2-Tunnel1] source 3.3.3.3
[Router2-Tunnel1] destination 2.2.2.2
[Router2-Tunnel1] quit
[Router2] ospf 1
[Router2-ospf-1-area-0.0.0.0]
network 10.1.5.0 0.0.0.255

network 1.1.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
quit
----End
2.7 Example for BGP Diversion and MPLS VPN Injection

in real time. After cleaned, normal traffic is injected to Router2 through MPLS VPN. After that,
Router2 forwards the normal traffic to the Zone. Only one interface on the cleaning device is
directly connected to the router. The interface serves traffic diversion and the subinterface serves
traffic injection.
Issue 01 (2015-07-20)

38
HUAWEI Anti-DDoS
Figure 2-7 Networking diagram of BGP diversion and MPLS VPN injection
loopback
5.5.5.5/32
GE1/0/1
10.1.2.1/24
loopback
2.2.2.2/32
GE2/0/1
10.1.2.2/24
Router1
GE1/0/3
10.1.5.1/24
GE1/0/1.100 GE2/0/1.100
10.1.3.1/24 10.1.3.2/24 Cleaning
device
ATIC
Management center
GE1/0/1
10.1.5.2/24
Router2
loopback
3.3.3.3/32
GE1/0/2
1.1.1.2/24
Diverted traffic
Injected traffic
Zone
1.1.1.1/32
Service Planning
l
Router1 GE1/0/1 is directly connected to GE2/0/1 on the cleaning device. An MPLS VPN
traffic-injection tunnel is established between the cleaning device and Router2, and their
loopback addresses act as LSR IDs. The cleaning device diverts the specified traffic by
using GE1/0/1 and injects cleaned traffic over the MPLS VPN tunnel. Table 2-7 shows the
IP addresses of the interfaces.
Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/1.100
10.1.3.2/24
Loopback interface
2.2.2.2/32
GE1/0/1
10.1.2.1/24
GE1/0/1.100
10.1.3.1/24
Router1
Issue 01 (2015-07-20)

39
HUAWEI Anti-DDoS
Device Name
Router2
Interface
IP Address
GE1/0/3
10.1.5.1/24
Loopback interface
5.5.5.5/32
GE1/0/1
10.1.5.2/24
GE1/0/2
1.1.1.2/24
Loopback interface
3.3.3.3/32
1.
diverted.
2.
3.
4.
To perform MPLS VPN injection, enable FIB filtering over the 32-bit UNR route to the
cleaning device to prevent the UNR route from being delivered to the FIB. In this way,
normal traffic injection is safeguarded.
5.
6.
Set loopback addresses for the cleaning device, Router1, and Router2.
7.
Configure MPLS respectively on the cleaning device, Router1, and Router2, and configure
VPN instances on the cleaning device and Router2 to enable injected traffic to be forwarded
to Router2 through MPLS VPN.
8.
9.
the route.

Step 4 Create a VPN instance and configure BGP and the community attribute on the cleaning device.
[sysname] ip vpn-instance ddos
[sysname-vpn-instance-ddos] ipv4-family
[sysname-vpn-instance-ddos-af-ipv4] route-distinguisher 1:1
[sysname-vpn-instance-ddos-af-ipv4] vpn-target 1:1 import-extcommunity
Issue 01 (2015-07-20)

40
HUAWEI Anti-DDoS
[sysname-vpn-instance-ddos-af-ipv4] quit
[sysname-vpn-instance-ddos] quit
[sysname] ip ip-prefix ipx index 10 permit 3.3.3.3 32
[sysname] route-policy 1 deny node 1
[sysname-route-policy] if-match ip next-hop ip-prefix ipx
[sysname] bgp 200
[sysname-bgp] ipv4-family vpn-instance ddos
[sysname-bgp-ddos] import-route unr
[sysname-bgp-ddos] peer 10.1.2.1 as-number 100
[sysname-bgp-ddos] peer 10.1.2.1 route-policy 1 export
[sysname-bgp-ddos] peer 10.1.2.1 advertise-community
[sysname-bgp-ddos] quit
[sysname-bgp] quit
255.255.255.255. Then click OK.
NOTE
In this scenario, after creating a Zone and adding devices, you must bind the Zone to the VPN instance of the
cleaning device.
with next hop 10.1.3.1 to 1.1.1.1.
The UNR route generated on the cleaning device is imported to BGP and is advertised to Router1
through BGP. In this manner, after receiving the traffic destined for 1.1.1.1/32, Router1 searches
the routing table to preferentially forward the traffic to the cleaning device by using GE1/0/1
according to the longest mask match.

Step 8 Configure MPLS on the cleaning device for traffic injection.

# Configure basic MPLS functions.
[sysname] mpls lsr-id 2.2.2.2
[sysname] mpls
[sysname-mpls] quit
[sysname] mpls ldp
[sysname-ldp] quit
[sysname-GigabitEthernet2/0/1.100] mpls
[sysname-GigabitEthernet2/0/1.100] mpls ldp
# Bind it to the interface.

[sysname-GigabitEthernet2/0/1] ip binding vpn-instance ddos
Issue 01 (2015-07-20)

41
HUAWEI Anti-DDoS
[sysname-GigabitEthernet2/0/1] ip address 10.1.2.2 255.255.255.0

# Add the interface GigabitEthernet 2/0/1 to security zones.

[sysname] firewall zone trust
[sysname-zone-trust] add interface GigabitEthernet 2/0/1
[sysname-zone-trust] quit
# Configure MP-IBGP between the cleaning device and Router 2 to broadcast the VPNv4 route
between devices.
[sysname] bgp 200
[sysname-bgp] peer 3.3.3.3 connect-interface LoopBack 1
[sysname-bgp] ipv4-family vpnv4
[sysname-bgp-af-vpnv4] peer 3.3.3.3 enable
[sysname-bgp-af-vpnv4] quit
[sysname-bgp] quit
# Configure a policy for establishing an LSP.

[sysname] mpls
[sysname-mpls] lsp-trigger all
[sysname-mpls] quit
Step 9 Configure OSPF to notify the network segment connected to each interface and the host route
of the LSR ID.
[sysname] ospf 1
[sysname] ip route-static vpn-instance ddos 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
----End
Configuring Router1
The following uses Huawei NE80E as an example to describe how to configure BGP and MPLS
on Router1.
[Router1] bgp 100
[Router1-bgp] quit

Step 4 Configure MPLS.

[Router1] mpls lsr-id 5.5.5.5
[Router1] mpls
Issue 01 (2015-07-20)

42
HUAWEI Anti-DDoS
[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
[Router1] interface GigabitEthernet 1/0/1.100
[Router1-GigabitEthernet1/0/1.100] mpls
[Router1-GigabitEthernet1/0/1.100] mpls ldp
[Router1-GigabitEthernet1/0/1.100] quit
[Router1-GigabitEthernet1/0/3] mpls
[Router1-GigabitEthernet1/0/3] mpls ldp
of the LSR ID.
[Router1] ospf 1
network 10.1.3.0 0.0.0.255

network 10.1.5.0 0.0.0.255
network 5.5.5.5 0.0.0.0
quit
----End
Configuring Router2
on Router2.

[Router2] mpls
[Router2-mpls] quit
[Router2] mpls ldp
[Router2-ldp] quit
# Create a VPN instance and bind it to the interface.

[Router2] ip vpn-instance ddos
[Router2-vpn-instance-ddos] route-distinguisher 1:1
[Router2-vpn-instance-ddos] vpn-target 1:1 export-extcommunity
[Router2-vpn-instance-ddos] vpn-target 1:1 import-extcommunity
[Router2-vpn-instance-ddos] quit
[Router2-GigabitEthernet1/0/2] ip binding vpn-instance ddos
[Router2-GigabitEthernet1/0/2] ip address 1.1.1.2 255.255.255.0
# Configure MP-IBGP between the cleaning device and Router 2 to broadcast the VPNv4 route
between devices.
Issue 01 (2015-07-20)

43
HUAWEI Anti-DDoS
[Router2] bgp 200

[Router2-bgp] peer 2.2.2.2 connect-interface LoopBack 1
[Router2-bgp] ipv4-family vpnv4
[Router2-bgp-af-vpnv4] peer 2.2.2.2 enable
[Router2-bgp-af-vpnv4] quit
[Router2-bgp] quit
# Advertise the Zone IP by BGP.

[Router2] bgp 200
[Router2-bgp] ipv4-family vpn-instance ddos
[Router2-bgp-ddos] network 1.1.1.0 255.255.255.0
[Router2-bgp-ddos] quit
[Router2-bgp] quit
# Configure a static route.

[Router2] ip route-static vpn-instance ddos 0.0.0.0 0.0.0.0 10.1.5.1 public

[Router2] mpls
[Router2-mpls] lsp-trigger all
[Router2-mpls] quit
of the LSR ID.
[Router2] ospf 1
----End
2.8 Example for BGP Diversion and MPLS LSP Injection

in real time. After cleaned, normal traffic is injected to Router2 through MPLS LSP. After that,
Router2 forwards the normal traffic to the Zone. Only one interface on the cleaning device is
directly connected to the router. The interface serves traffic diversion and the subinterface serves
traffic injection.
Issue 01 (2015-07-20)

44
HUAWEI Anti-DDoS
Figure 2-8 Networking diagram of BGP diversion and MPLS LSP injection
loopback
5.5.5.5/32
GE1/0/1
10.1.2.1/24
loopback
2.2.2.2/32
GE2/0/1
10.1.2.2/24
Router1
GE1/0/3
10.1.5.1/24
GE1/0/1.100 GE2/0/1.100
10.1.3.1/24 10.1.3.2/24 Cleaning
ATIC
device Management center
GE1/0/1
10.1.5.2/24
Router2
loopback
3.3.3.3/32
Diverted traffic
Injected traffic
Zone
1.1.1.1/32
Service Planning
l
Router1 GE1/0/1 is directly connected to GE2/0/1 on the cleaning device. An MPLS trafficinjection tunnel is established between the cleaning device and Router2, and their loopback
addresses act as LSR IDs. The cleaning device diverts the specified traffic by using GE1/0/1
and injects cleaned traffic over the MPLS tunnel. Table 2-8 shows the IP addresses of the
interfaces.
Device Name
Interface
IP Address
Cleaning device
GE2/0/1
10.1.2.2/24
GE2/0/1.100
10.1.3.2/24
Loopback interface
2.2.2.2/32
GE1/0/1
10.1.2.1/24
GE1/0/1.100
10.1.3.1/24
Router1
Issue 01 (2015-07-20)

45
HUAWEI Anti-DDoS
Device Name
Router2
Interface
IP Address
GE1/0/3
10.1.5.1/24
Loopback interface
5.5.5.5/32
GE1/0/1
10.1.5.2/24
Loopback interface
3.3.3.3/32
1.
diverted.
2.
3.
4.
To perform MPLS LSP injection, enable FIB filtering over the 32-bit UNR route to the
cleaning device to prevent the UNR route from being delivered to the FIB. In this way,
normal traffic injection is safeguarded.
5.
6.
Set loopback addresses for the cleaning device, Router1, and Router2.
7.
Configure MPLS respectively on the cleaning device, Router1, and Router2 to enable
injected traffic to be forwarded to Router2 through MPLS. Ensure that the cleaning device
and Router2 are routable.
8.
9.
the route.

255.255.255.255. Then click OK.
with next hop 10.1.3.1 to 1.1.1.1.
Issue 01 (2015-07-20)

46
HUAWEI Anti-DDoS
[sysname] bgp 100
[sysname-bgp] quit


[sysname] mpls lsr-id 2.2.2.2
[sysname] mpls
[sysname-mpls] quit
[sysname] mpls ldp
[sysname-ldp] quit
[sysname-GigabitEthernet2/0/1.100] mpls
[sysname-GigabitEthernet2/0/1.100] mpls ldp

[sysname] mpls
[sysname-mpls] lsp-trigger all
[sysname-mpls] quit
of the LSR ID.
[sysname] ospf 1
----End
Issue 01 (2015-07-20)

47
HUAWEI Anti-DDoS
Configuring Router1
on Router1.
[Router1] bgp 100
[Router1-bgp] quit


[Router1] mpls
[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
of the LSR ID.
[Router1] ospf 1
network 10.1.3.0 0.0.0.255

network 10.1.5.0 0.0.0.255
network 5.5.5.5 0.0.0.0
quit
----End
Configuring Router2
The following uses Huawei NE80E as an example to describe how to configure MPLS on
Router2.

Issue 01 (2015-07-20)

48
HUAWEI Anti-DDoS

[Router2] mpls
[Router2-mpls] quit
[Router2] mpls ldp
[Router2-ldp] quit

[Router2] mpls
[Router2-mpls] quit
of the LSR ID.
[Router2] ospf 1
network 10.1.5.0 0.0.0.255

network 1.1.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
quit
----End
2.9 Example for Cleaning Blackhole Routes (Configuring

the Router to Discard Packets)
As shown in Figure 2-9, the detecting device detects that IP address 2.2.2.2/24 is under heavytraffic attack, which severely congests the inbound bandwidths of the cleaning device. To protect
other Zones against attacks, the blackhole router discards all traffic destined for IP address
2.2.2.2/24.
Issue 01 (2015-07-20)

49
HUAWEI Anti-DDoS
Figure 2-9 Configuring blackhole traffic diversion
Detecting device
Optical splitter
GE1/0/1
7.7.1.3/24
Blackhole
router
GE2/0/1
7.7.1.1/24
Traffic-diversion
router

Cleaning device
Detecting traffic
Discarded traffic due to blackhole
traffic diversion
Pre-cleaning traffic
Zone
2.2.2.0/24
Post-cleaning traffic
Implementation Mechanism
Routers are logically categorized as the traffic-diversion router and blackhole router. The trafficdiversion router diverts traffic to the cleaning device whereas the blackhole router discards all
traffic destined for an IP address. The blackhole router and traffic-diversion router can be the
same router or different routers.
1.
Set IP address 2.2.2.2/24 for blackhole traffic diversion in the ATIC management center.
A static route destined for 2.2.2.2/24 and with the NULL0 egress is generated on the
cleaning device.
2.
Configure a routing policy on the cleaning device to enable the route with the NULL0
egress to point to 3.3.3.3. Then import this route into BGP and advertise the BGP route to
the blackhole router.
3.3.3.3 indicates the destination IP address of the blackhole route. Both the route advertised
by the cleaning device and the blackhole route on the blackhole router are merged for
blackhole traffic diversion. The destination IP address can be any unreachable IP address.
3.
Configure blackhole route ip route-static 3.3.3.3 255.255.255.255 NULL0 on the

blackhole router. Then stack up another BGP route destined for 2.2.2.2/24 and with next
hop 3.3.3.3/24 to generate a route to 2.2.2.2/24 and with next-hop egress NULL0 for
blackhole traffic diversion.

Step 1 Choose Defense > Policy Settings > Black Hole Traffic Diversion.
Issue 01 (2015-07-20)

50
HUAWEI Anti-DDoS
Step 2 On the Black Hole Traffic Diversion Management page, click
Step 3 Select a cleaning NE and enter its IP address.

The traffic destined for the IP address is discarded.
Blackhole traffic diversion applies to traffic diversion by IPv4 or IPv6 address, not by network
segment.
Step 4 Optional: If you select Automatic Enabling, blackhole traffic diversion is automatically
delivered to the cleaning device once being created.
If you deselect Automatic Enabling, blackhole traffic diversion is delivered to the cleaning
device only after you enable the function.
Step 5 Click OK.
After blackhole traffic diversion is enabled, a static route with the NULL0 egress to 2.2.2.2 is
generated on the cleaning device.
----End
Configuring the Blackhole Router

The following uses Huawei NE80E as an example for configuring a router.
Step 1 Run the system-view command to access the system view.
Step 2 Configure a BGP community attribute.
[sysname] bgp 200
[sysname-bgp] quit
Step 3 Configure a blackhole route.

[sysname] ip route-static 3.3.3.3 255.255.255.255 NULL0
3.3.3.3 indicates the destination IP address of the blackhole route. Both the route advertised by
the cleaning device and the blackhole route on the blackhole router are merged for blackhole
traffic diversion. The destination IP address can be any IP address.
----End
Issue 01 (2015-07-20)

51
HUAWEI Anti-DDoS

Step 1 In the user view, run the system-view command to access the system view.
Step 2 Configure routing policy blackhole.
[sysname] route-policy
blackhole permit node 1

if-match interface NULL0
apply ip-address next-hop 3.3.3.3
quit
3.3.3.3 indicates the destination IP address of the blackhole route. A blackhole route is generated
after the route matching the routing policy is advertised to the blackhole router.
After blackhole traffic diversion is enabled on the ATIC management center, a static route with
the NULL0 egress to 2.2.2.2 is generated on the cleaning device. After routing policy
blackhole is matched, a new static route to 2.2.2.2 and with next hop 3.3.3.3 is generated.
NOTE
When you configure a blackhole route, set the node to a smaller value than those of other traffic diversion policies
for it to be preferentially matched.
Step 3 Configure the BGP community attribute and advertise the dynamically generated route.
[sysname] bgp
[sysname-bgp]
[sysname-bgp]
[sysname-bgp]
[sysname-bgp]
200
peer 7.7.1.3 as-number 200
peer 7.7.1.3 route-policy blackhole export
import-route static
quit
A static route to 2.2.2.2 and with next hop 3.3.3.3 is advertised to the blackhole router through
BGP and is stacked up with blackhole route ip route-static 3.3.3.3 255.255.255.255 NULL0.
In this manner, a route with the NULL0 egress as the next-hop interface to 2.2.2.2 is generated
for blackhole traffic diversion.
----End
Issue 01 (2015-07-20)

52
HUAWEI Anti-DDoS
3 Configuration Examples for Comprehensive Scenarios
Configuration Examples for Comprehensive

Scenarios
About This Chapter

3.1 Scenario 1: MAN Attack Defense
3.2 Scenario 2: Data Center Security Protection
Issue 01 (2015-07-20)

53
HUAWEI Anti-DDoS
3.1 Scenario 1: MAN Attack Defense

3.1.1 Scenario Description
A metropolitan area network (MAN) provides a platform on which comprehensive services of
a city are transmitted. MANs often apply to large and medium-sized cities. The MANs provide
common and public network architecture and allow data, voice, images, and videos to be
effectively transmitted at high speeds, meeting changeable Internet application requirements.
Normal
hosts
Normal
networks
Backbone
network
MAN
MAN
MAN
A MAN carries heavy traffic of various types and is vulnerable to attacks. The following aspects
must be considered for attack defense planning based on MAN traffic characteristics.
Planning Roadmap
1.
Deployment mode
An anti-DDoS device is often associated with a Netflow device in off-line mode. The antiDDoS device cleans traffic, while the Netflow device detects traffic. Only the Netflow
device produced by Genienrm is supported.
As Netflow devices have been deployed in most MANs, associating a cleaning device with
an existing Netflow device reduces expenditure. In addition, Netflow devices are sample
Issue 01 (2015-07-20)

54
HUAWEI Anti-DDoS
detection devices coping with heavy traffic attacks on MANs, and there is no high
performance requirement for such devices.
Anti-DDoS devices can also serve as detecting devices. Compared with Netflow devices,
anti-DDoS devices that check each packet provide more refined detection and also require
more expenditure.
2.
Performance choice
Plan the interface specifications based on the customer link bandwidth. The highest subcard
processing performance of an SPU is 80 Gbit/s. As DDoS attack defense is performanceconsuming, you must reserve enough cleaning and detection resources.
3.
Defense policy
Policies are configured on MANs to guarantee bandwidth and prevent link congestion.
When configuring defense policies, you must first identify the destination IP addresses to
which traffic is preferentially protected, add such destination IP addresses to user-defined
Zones, and configure defense policies based on the user-defined Zones. The default Zone
defense policies apply to unidentified destination IP addresses. Defense policies vary with
Zones.
Tenants of a carrier can be added to user-defined Zones, for which differentiated defense
policies are configured.
4.
Traffic diversion mode

The injection mode mainly relies on the customer live network environment. The MPLS
LSP injection mode is used in most cases. As a carrier usually has many downlinks, next
hops must be separately specified for destination IP addresses in a policy. If the destination
IP addresses are discontinuous, the configuration is complicated. In this case, the MPLS
LSP injection mode is efficient. You only need to enable MPLS LSP tunnels on directly
connected interfaces.
5.

The ATIC consists of the management center server and collector, which can be deployed
in either of the following modes:
l Centralized deployment: The ATIC management center server and collector are
deployed on the same physical server.
l Distributed deployment: The ATIC management center server and collector are
deployed in different physical servers. Multiple collectors can share one ATIC
management center server. One server can manage a maximum of 20 collectors.
An anti-DDoS collector can process the anti-DDoS service logs of about 50,000 IP
addresses. You can select the ATIC deployment mode based on the number of IP addresses
added to Zones.
3.1.2 Typical Networking

On the network shown in Figure 3-1, a cleaning device is attached to the core router Router1
to clean traffic destined for the Zone. After cleaning traffic, the cleaning device injects normal
traffic back to the original link in MPLS LSP injection mode. Router2 then forwards the traffic
to the Zone.
The cleaning device is directly connected to Router1 only through one interface. Traffic is
diverted to the cleaning device through the main interface, while injected back through a
subinterface. The traffic can also be injected back through another interface if there are enough
interfaces.
Issue 01 (2015-07-20)

55
HUAWEI Anti-DDoS
Figure 3-1 Typical networking on a MAN

Legitimate PC
Legitimate PC
Botnet
Router1
Cleaning device
Backbone
Network
Netflow
ATIC
Management
center
Router2
Regional
Network
Regional
Network
Attacked target
Legitimate traffic
Attack traffic
Netflow traffic
Management traffic
3.1.3 Data Planning

Table 3-1 and Figure 3-2 show the IP addresses planned for the cleaning device and ATIC
management center.
Issue 01 (2015-07-20)

56
HUAWEI Anti-DDoS
Table 3-1 IP address planning

Device Name
Interface
IP Address
Description
Cleaning device
GE2/0/1
10.1.2.2/24
Cleaning interface.
Interface through
which traffic enters
The cleaning device
applies defense
policies to, analyzes,
and cleans the
incoming traffic.
GE2/0/1.100
10.1.3.2/24
Injection interface.
Interface through
which normal traffic
goes back to the
original link after
traffic cleaning.
GE3/0/0
10.1.6.1/24
Interface through
which the cleaning
device
communicates with
the ATIC
management center.
The cleaning device
sends logs or
captured packets to
the anti-DDoS
collector in the ATIC
management center
for further analysis
and processing.
interface and the IP
address of the ATIC
management center
must be reachable. In
this example, the two
IP addresses are in
the same network
segment.
NOTE
The interface must be
on an LPU.
Loopback interface
Issue 01 (2015-07-20)
2.2.2.2/32

Interface used for

MPLS LSP injection.
57
HUAWEI Anti-DDoS
Device Name
Interface
IP Address
Description
Management center
10.1.6.2/24
The management
center must be
reachable to the
cleaning device.
Router1
GE1/0/1
10.1.2.1/24
Interface through
traffic is diverted to
GE1/0/1.100
10.1.3.1/24
Interface through
which traffic is
injected back to the
original link.
GE1/0/3
10.1.5.1/24
Interface through
which Router1 is
directly connected to
Router2.
Loopback interface
5.5.5.5/32
Interface used for

MPLS LSP injection.
Loopback interface
3.3.3.3/32
Interface used for

MPLS LSP injection.
GE1/0/1
10.1.5.2/24
Interface through
which Router2 is
Router1.
GE1/0/3
10.1.7.2/24
Interface which is
reachable to the
Netflow device.
Router2
Issue 01 (2015-07-20)

58
HUAWEI Anti-DDoS
Figure 3-2 IP address planning
Loopback
5.5.5.5/32
GE1/0/1
10.1.2.1/24
Router1
GE1/0/3
10.1.5.1/24
GE1/0/1
10.1.5.2/24
Loopback
2.2.2.2/32
GE2/0/1
GE3/0/0
10.1.2.2/24
10.1.6.1/24
GE1/0/1.100 GE2/0/1.100
10.1.3.1/24
10.1.3.2/24 Cleaning
device
GE1/0/3
10.1.7.2/24
Eth0
10.1.7.1/24
Router2
Loopback
3.3.3.3/32
GE1/0/2
1.1.1.2/24
NetFlow
Diverted traffic
Zone
1.1.1.1/32
Injected traffic
Netflow traffic
Management traffic
The Netflow device must be produced by Genienrm and running a version released later
than January 1, 2014.
Traffic is diverted from Router1's GE1/0/1 to the cleaning device's GE2/0/1.
Traffic is injected back from the cleaning device's GE2/0/1.100 to Router1's GE1/0/1.100.
The cleaning device is an AntiDDoS.
Do as follows on the cleaning device:
1.
Load the license.
2.
Specify the service subcard type.
3.
Assign IP addresses to interfaces, add the interfaces to security zones, and enable interzone
default packet filtering.
4.
Create a user name, set a password, and configure Telnet.
5.
Configure SNMP, so that the ATIC management center can obtain the status of the cleaning
device.
6.
Configure the cleaning interface and enable traffic statistics on the interface.
7.
Configure traffic diversion and injection.
Issue 01 (2015-07-20)

59
HUAWEI Anti-DDoS
8.

1.
2.
Create an anti-DDoS device.
3.
Configure defense policies.
4.
In addition, configure the routers. This example provides router configurations for reference,
and the configurations may need to be adjusted according to the actual router model in a live
network.
Defense Supported by the Genienrm Netflow Device

As the Genienrm Netflow device is a third-party device, the attack types listed in Table 3-2 are
only for your reference. For actual use, refer to the features supported by the latest Genienrm
Netflow version.
Table 3-2 Attacks that the Genienrm Netflow device can defend against
Issue 01 (2015-07-20)
Attack Type
Description
Host Total Traffic
The amount of traffic arriving at a host

exceeds a preset threshold.
UDP Flood
The number of sent UDP packets exceeds a

preset threshold.
TCP RST Flood
The number of sent TCP RST packets

Land Attack
Spoofed TCP SYN packets (connection

initiation) with the target host's IP address are
sent to an open port as both source and
destination.
ICMP Misuse
The number of sent ICMP packets exceeds a

preset threshold.
UDP Fragment
Too many UDP fragments are sent.
TCP Fragment
Too many TCP fragments are sent.
TCP Flag Null or Misuse
The TCP flags of packets are Null or Misuse.
IP Protocol Null
IP packets with an empty protocol field are

sent to a target host.
TCP SYN Flood
The number of sent SYN Flood packets

User-Defined Attack
The Genienrm Netflow device supports userdefined attack types with specified protocol
types and port numbers.

60
HUAWEI Anti-DDoS
3.1.4 Configuration Procedure


Step 3 Configure Telnet.

Set the authentication mode of the VTY administrator page to AAA and disconnection period
for idle administrators to 5 minutes (10 minutes by default).
NOTE
This example uses Telnet as an example to describe the configuration procedure. Compared with STelnet,
Telnet is insecure. Therefore, STelnet is recommended.
[AntiDDoS] telnet server enable
[AntiDDoS-ui-vty0-4] idle-timeout 5
[AntiDDoS] aaa
Enter Password:
Confirm Password:
[AntiDDoS-aaa-manager-user-atic] service-type telnet
Step 4 Set the IP addresses of interfaces and add the interfaces to security zones.
# Assign IP addresses to interfaces.
[AntiDDoS-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[AntiDDoS] interface GigabitEthernet 2/0/1.100
[AntiDDoS-GigabitEthernet2/0/1.100] ip address 10.1.3.2 24
[AntiDDoS-GigabitEthernet2/0/1.100] vlan-type dot1q 100
[AntiDDoS-GigabitEthernet2/0/1.100] quit
# Add the interfaces to security zones.

[AntiDDoS] firewall zone trust
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/1
[AntiDDoS-zone-trust] add interface GigabitEthernet 2/0/1.100
[AntiDDoS-zone-trust] quit
Step 5 Enable interzone default packet filtering.

Issue 01 (2015-07-20)

61
HUAWEI Anti-DDoS
[AntiDDoS-policy-security-rule-ddos1]
source-zone any
destination-zone any
action permit
quit

NOTE
SNMPv2c as an example to describe the configuration procedure.

Step 8 On the cleaning device, configure the next-hop address used for a dynamically generated route.
[AntiDDoS] firewall ddos bgp-next-hop 10.1.3.1
Step 9 Configure FIB filtering for the generated 32-bit UNR.

[AntiDDoS] firewall ddos bgp-next-hop fib-filter
Step 10 Configure the BGP function and community attribute on the cleaning device.
[AntiDDoS] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[AntiDDoS] route-policy 1 permit node 1
[AntiDDoS-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[AntiDDoS-route-policy] apply community no-advertise
[AntiDDoS-route-policy] quit
[AntiDDoS] bgp 100
[AntiDDoS-bgp] peer 10.1.2.1 as-number 100
[AntiDDoS-bgp] import-route unr
[AntiDDoS-bgp] ipv4-family unicast
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[AntiDDoS-bgp-af-ipv4] quit
[AntiDDoS-bgp] quit
After the configuration is complete, the UNR generated on the cleaning device will be imported
to BGP and then advertised to Router1 through BGP. In this manner, when Router1 receives
traffic defined for 1.1.1.1/32, it searches the routing table, matches the route according to the
longest mask, and forwards the traffic to the cleaning device through GE1/0/1.
Step 11 Enable traffic statistics on the cleaning interface of the cleaning device.
Step 12 Set the loopback address for the cleaning device.

[AntiDDoS] interface loopback 1
[AntiDDoS-LoopBack1] ip address 2.2.2.2 32
[AntiDDoS-LoopBack1] quit

[AntiDDoS] mpls lsr-id 2.2.2.2
[AntiDDoS] mpls
Issue 01 (2015-07-20)

62
HUAWEI Anti-DDoS
[AntiDDoS-mpls] quit
[AntiDDoS] mpls ldp
[AntiDDoS-ldp] quit
[AntiDDoS] interface GigabitEthernet 2/0/1.100
[AntiDDoS-GigabitEthernet2/0/1.100] mpls
[AntiDDoS-GigabitEthernet2/0/1.100] mpls ldp
[AntiDDoS-GigabitEthernet2/0/1.100] quit
# Configure an LSP triggering policy.

NOTE
The lsp-trigger configuration must be subject to the IP address for which an LSP will be established.
[AntiDDoS] mpls
[AntiDDoS-mpls] lsp-trigger all
[AntiDDoS-mpls] quit
Step 14 Configure OSPF to advertise the interface-connected network segment and LSR ID host route.
[AntiDDoS] ospf 1
[AntiDDoS-ospf-1] area 0
[AntiDDoS-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[AntiDDoS-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[AntiDDoS-ospf-1-area-0.0.0.0] quit
[AntiDDoS-ospf-1] quit
Step 15 Configure a default route for reverse route searching.

[AntiDDoS] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1
Step 16 Configure interconnection with the ATIC management center.

[AntiDDoS] firewall ddos log-local-ip 10.1.6.1
[AntiDDoS] firewall ddos log-server-ip 10.1.6.2

<AntiDDoS> save
----End

1.
2.
3.

1.
2.
Click
Issue 01 (2015-07-20)

63
HUAWEI Anti-DDoS
3.
Click OK. The anti-DDoS device is added to the NE list.
Step 3 Create a Netflow device.

1.
2.
Click
Issue 01 (2015-07-20)

64
HUAWEI Anti-DDoS
Figure 3-4 Creating a Netflow device
3.
Click OK. The Netflow device is added to the NE list.
Step 4 Configure defense policies.

When configuring defense policies, you must first identify the destination IP addresses to which
traffic is preferentially protected, add such destination IP addresses to user-defined Zones, and
configure defense policies based on the user-defined Zones. The default Zone defense policies
apply to unidentified destination IP addresses. The following part uses default Zone defense
policies as an example to describe the configuration procedure.
corresponding to the default Zone.
1.
Choose Defense > Policy Settings > Zone. Click
2.
in the Operation column corresponding to the default

On the Defense Policy tab, click
defense policies starting with basic.
3.
Configure a default TCP defense policy.
Issue 01 (2015-07-20)

65
HUAWEI Anti-DDoS
4.
Configure a default UDP defense policy.
5.
Configure a default ICMP defense policy.
Issue 01 (2015-07-20)

66
HUAWEI Anti-DDoS
6.
Configure a default DNS defense policy.
7.
Configure a default HTTP defense policy.
Issue 01 (2015-07-20)

67
HUAWEI Anti-DDoS
Step 5 Deploy the defense policies and save the configuration.

1.
Choose Defense > Policy Settings > Zone, select the check box of a Zone, and click
.
2.
Click OK. The deployment progress is displayed, and the progress bar is automatically
closed after the deployment is complete.
3.
Choose Defense > Policy Settings > Global Policy, select the check box of the
AntiDDoS, and click
4.
Click OK. The saving progress is displayed, and the progress bar is automatically closed
after the configuration is saved.
----End
Configuring Router1
This part uses Huawei NE80E as an example to describe BGP and MPLS configurations on the
router. The router configuration varies with software versions. The following configuration is
only an example for reference.
Step 1 Assign IP addresses to interfaces on Router1 (omitted).
Step 2 Configure the BGP function.
[Router1] bgp 100
[Router1-bgp] quit
Step 3 Configure the loopback address for Router1.

Issue 01 (2015-07-20)

68
HUAWEI Anti-DDoS

[Router1] mpls
[Router1-mpls] quit
[Router1] mpls ldp
[Router1-ldp] quit
[Router1] ospf 1
network 10.1.3.0 0.0.0.255

network 10.1.5.0 0.0.0.255
network 5.5.5.5 0.0.0.0
quit
----End
Configuring Router2
This part uses Huawei NE80E as an example to describe the MPLS configuration on the router.
Step 2 Configure the loopback address for Router2.

[Router2] mpls
[Router2-mpls] quit
[Router2] mpls ldp
[Router2-ldp] quit
# Configure an LSP triggering policy.

[Router2] mpls
[Router2-mpls] quit
[Router2] ospf 1
Issue 01 (2015-07-20)

69
HUAWEI Anti-DDoS

Step 5 Router2 sends Netflow logs to the Genienrm Netflow device. Configure Netflow on Router2.
# Configure a sampling ratio. The value must be the same as that configured on the Genienrm
Netflow device.
[Router2] ip netstream sampler fix-packets 1000 inbound
# Set a source address for NetStream output packets.

[Router2] ip netstream export source 10.1.7.2
# Set the destination address and port number for NetStream output packets, that is, the address
of the Genienrm Netflow device.
[Router2] ip netstream export host 10.1.7.1 9900
# Configure the TCP-flag statistics function for the original flow.

[Router2] ip netstream tcp-flag enable
# Set an aging time for the NetStream original flow.

[Router2] ip netstream timeout active 1
# Specify an LPU as the NetStream board. For an NE40E, every interface supports NetStream,
and therefore no dedicated service board is required.
[Router2] slot 1
[Router2-slot-1] ip netstream sampler to slot self
# Enable NetStream for incoming traffic on the LPU.

[Router2] interface GigabitEthernet1/0/3
[Router2-GigabitEthernet1/0/1] ip netstream inbound
----End
3.1.5 Configuration Scripts

Configuration script of the cleaning device:
#
sysname AntiDDoS
#
securitypolicy
rule name
ddos1
action
permit
#
snmp-agent
snmp-agent community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7
snmp-agent community write cipher %^%#}Kf,W'WU`8O%L+Gd.MsF8yat7-Gh|EF,U^2LmL&6x&
{8W$S7oBXQUY.$voYBfPWX1qvD,"'pB[W\LG7O%^%#
snmp-agent sys-info version
v2c
Issue 01 (2015-07-20)

70
HUAWEI Anti-DDoS
snmp-agent trap enable

#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 5
#
manager-user
atic
password cipher @%@%lejNT_n+a+xqBl2)^M!6#qAGJCchPP']P$Q*Q9#d_AgEqAJ#@%@
%
service-type terminal
telnet
level 15
#
firewall ddos clean-spu slot 3 card 0
#
mpls lsr-id 2.2.2.2
mpls ldp
mpls
lsp-trigger all
#
interface GigabitEthernet2/0/1
undo shutdown
ip address 10.1.2.2 255.255.255.0
anti-ddos clean enable
anti-ddos flow-statistic enable
#
interface GigabitEthernet2/0/1.100
vlan-type dot1q 100
ip address 10.1.3.2 24
mpls
mpls ldp
#
ip address 10.1.6.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet2/0/1
add interface GigabitEthernet2/0/1.100
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
route-policy 1 permit node 1
#
bgp
100
Issue 01 (2015-07-20)

71
HUAWEI Anti-DDoS
peer 10.1.2.1 as-number

100
#
ipv4-family
unicast
undo
synchronization
import-route
unr
peer 10.1.2.1
enable
peer 10.1.2.1 route-policy 1
export
peer 10.1.2.1 advertisecommunity
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ip route-static 0.0.0.0 GigabitEthernet2/0/1 10.1.2.1
#
firewall ddos bgp-next-hop fib-filter
firewall ddos bgp-next-hop 10.1.3.1
#
firewall ddos log-local-ip 10.1.6.1
firewall ddos log-server-ip 10.1.6.2
#
DDoS attack defense policies are delivered by the ATIC management center. For details about
enabled defense policies, see the ATIC management center configuration.
3.1.6 Commissioning
After the configuration is complete, you can do as follows to commission the result:
1.
Perform ping tests using test IP addresses. The ping tests succeed.
2.
Create a static traffic diversion task.
3.
Initiate ping tests to destination IP addresses.

l If the ping tests succeed, run the display firewall session table command to view
session entries. If the ping session table exists, traffic injection succeeds.
l If the ping tests fail:
Issue 01 (2015-07-20)
a.
Initiate a tracert test on the client to identify the packet discard point.
b.
If the router discards packets, check the route through which the injected traffic is
forwarded.

72
HUAWEI Anti-DDoS
c.
If the cleaning device discards packets, run the display firewall statistic system
discarded command to view the number of discarded packets and packet
discarding causes, and contact R&D engineers for support.
4.
Construct attack traffic (SYN flood traffic is used as an example) and configure a
corresponding defense policy.
5.
Choose Report > Report > Traffic Analysis and view the ATIC traffic comparison report.
l If the traffic curve is normal, logs are properly transmitted between the ATIC
management center and the device, and reports can be correctly exported.
l If the query result is empty, perform troubleshooting according to HUAWEI AntiDDoS
Maintenance Guide.
3.2 Scenario 2: Data Center Security Protection

3.2.1 Scenario Description
An Internet Data Center (IDC) is a part of basic network resources. It provides large-scale, highquality, secure, and reliable data transmission services and high-speed access services for
Internet content providers, enterprises, media, and each types of websites. The IDC provides
DNS servers, web servers, game servers, and other services. In recent years, more and more
Internet-initiated DDoS attacks target IDCs. As a result, important servers are attacked; data
center link bandwidth is occupied; videos and games are compromised by application-layer
attacks.
Issue 01 (2015-07-20)

73
HUAWEI Anti-DDoS
The following aspects must be considered for attack defense planning based on IDC traffic
characteristics.
Planning Roadmap
1.
Deployment mode
The detecting and cleaning devices are associated and deployed in off-line mode, and traffic
is dynamically diverted.
If traffic is statically diverted, the attack on one customer's service may affect other
customers' services. As traffic cleaning is performance-consuming, if the cleaning device
receives other customers' services when cleaning the service traffic of an attacked customer,
the normal services of other customers are affected once the cleaning device is overloaded.
If traffic is dynamically diverted, only attack traffic is diverted to the cleaning device. In
this manner, normal services are not affected even if the cleaning device is overloaded.
2.
Performance choice
Plan the interface specifications based on the customer link bandwidth. The highest subcard
processing performance of an SPU is 80 Gbit/s. As DDoS attack defense is performanceconsuming, you must reserve enough cleaning and detection resources.
3.
Issue 01 (2015-07-20)
Defense policy
74
HUAWEI Anti-DDoS
First, you must identify defense objects, create Zones accordingly, and configure defense
policies for the Zones. Use default Zone defense policies to protect unidentified objects.
For example, an IDC network has three web servers, two DNS servers, and five game
servers. You can create a Zone for each server. That is, 10 Zones are created. Configure a
specific defense policy for each type of server. For example, configure an HTTP defense
policy for web servers, DNS defense policy for DNS servers, and UDP/TCP defense policy
for game servers.
However, the configuration of 10 servers is complicated. If services are almost the same
on a type of server, you can configure only three Zones for the three types of servers, add
the IP addresses to the corresponding Zones (multiple IP addresses or network segments
can be added to each Zone), and configure a defense policy for each Zone. In this manner,
you need to configure only three defense policies.
After the configuration is complete, key objects are protected. For other network resources
in the IDC, apply the default Zone defense policies.
4.
Traffic diversion mode

The cleaning device is attached to the router. BGP-based traffic diversion and PBR-based
traffic injection are used.
5.

The ATIC consists of the management center server and collector, which can be deployed
in either of the following modes:
l Centralized deployment: The ATIC management center server and collector are
deployed on the same physical server.
l Distributed deployment: The ATIC management center server and collector are
deployed in different physical servers. Multiple collectors can share one ATIC
management center server. One server can manage a maximum of 20 collectors.
An anti-DDoS collector can process the anti-DDoS service logs of about 50,000 IP
addresses. You can select the ATIC deployment mode based on the number of IP addresses
added to Zones.
3.2.2 Typical Networking

On the network shown in Figure 3-5, a cleaning device is attached to the core router to detect
and clean the traffic destined for the Zone. The traffic must be diverted to the cleaning device
using BGP in real time. After traffic is cleaned, normal traffic is injected back to the original
link through PBR and finally forwarded to the Zone.
Issue 01 (2015-07-20)

75
HUAWEI Anti-DDoS
Figure 3-5 Typical networking for an IDC

Legitimate network
Legitimate network
Botnet
Detecting device
Cleaning device ATIC management

center
Firewall
Switch
Switch
E-banking
center
Credit card
center
Legitimate traffic
Attacked target
Attack traffic
Split traffic
Management traffic
3.2.3 Data Planning

Table 3-3 and Figure 3-6 show the IP addresses planned for the detecting device, cleaning
device, and ATIC management center.
Table 3-3 IP address planning
Issue 01 (2015-07-20)
Device Name
Interface
IP Address
Description
Detecting device
GE2/0/1
Detecting interface.

76
HUAWEI Anti-DDoS
Device Name
Interface
IP Address
Description
GE3/0/0
10.1.6.3/24
Interface through
which the cleaning
device
communicates with
the ATIC
management center.
The detecting device
sends logs or
captured packets to
the anti-DDoS
management center
and processing.
address of the ATIC
management center
IP addresses are in
the same network
segment.
NOTE
on an LPU.
Cleaning device
GE2/0/1
10.1.2.2/24
Cleaning interface.
Interface through
which traffic enters
The cleaning device
applies defense
policies to, analyzes,
and cleans the
incoming traffic.
GE2/0/2
10.1.3.2/24
Injection interface.
Interface through
which normal traffic
goes back to the
original link after
traffic cleaning.
Issue 01 (2015-07-20)

77
HUAWEI Anti-DDoS
Device Name
Interface
IP Address
Description
GE3/0/0
10.1.6.1/24
Interface through
which the cleaning
device
communicates with
the ATIC
management center.
The cleaning device
sends logs or
captured packets to
the anti-DDoS
management center
and processing.
address of the ATIC
management center
IP addresses are in
the same network
segment.
NOTE
on an LPU.
Management center
10.1.6.2/24
The management
center must be
reachable to the
cleaning device.
Router1
GE1/0/1
10.1.2.1/24
Interface through
traffic is diverted to
GE1/0/2
10.1.3.1/24
Interface through
which traffic is
injected back to the
original link.
GE1/0/3
10.1.5.1/24
Interface through
which Router1 is
Router2.
GE1/0/1
10.1.5.2/24
Interface through
which Router2 is
Router1.
Router2
Issue 01 (2015-07-20)

78
HUAWEI Anti-DDoS
Figure 3-6 IP address planning
Detecting
device GE3/0/0
10.1.6.3/24
GE2/0/1
GE1/0/1
10.1.2.1/24 10.1.2.2/24
Router1
GE3/0/0
GE2/0/2
GE1/0/2
10.1.6.1/24
10.1.3.2/24
Cleaning
10.1.3.1/24
device
Normal traffic
Router2
Attack traffic
Split traffic
Management traffic
Zone
Traffic is diverted from Router1's GE1/0/1 to the cleaning device's GE2/0/1.
Traffic is injected back from the cleaning device's GE2/0/2 to Router1's GE1/0/2.
The cleaning device is an AntiDDoS.
Do as follows on the detecting device:
1.
Load the license.
2.
3.
default packet filtering. The detecting interface does not need IP addresses.
4.
Configure the management interface.
5.
Configure STelnet.
6.
Configure SNMP, so that the ATIC management center can obtain the status of the detecting
device.
7.
Configure the detecting interface and enable traffic statistics on the interface.
Issue 01 (2015-07-20)

79
HUAWEI Anti-DDoS
8.
Do as follows on the cleaning device:

1.
Load the license.
2.
3.
default packet filtering.
4.
Configure STelnet.
5.
Configure SNMP, so that the ATIC management center can obtain the status of the cleaning
device.
6.
Configure the cleaning interface and enable traffic statistics on the interface.
7.
Configure traffic diversion and injection.
8.

1.
2.
Create an anti-DDoS device.
3.
Configure defense policies.
4.
5.
Configure traffic baseline learning and adjust defense thresholds.
In addition, configure the router. This example provides router configurations for reference, and
the configurations may need to be adjusted according to the actual router model in a live network.
3.2.4 Configuration Procedure

Configuring the Detecting Device
[AntiDDoS] license active lic_detect_20150430.dat
Step 2 Specify the detecting SPU subcard.

Step 3 Configure STelnet.

[AntiDDoS] aaa
Enter Password:
Confirm Password:
[AntiDDoS-aaa] quit
Issue 01 (2015-07-20)

80
HUAWEI Anti-DDoS

Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
[AntiDDoS-GigabitEthernet3/0/0] anti-ddos detect-device manage-port enable


[AntiDDoS-policy-security-rule-ddos1] source-zone any
[AntiDDoS-policy-security-rule-ddos1] destination-zone any
[AntiDDoS-policy-security-rule-ddos1] action permit
[AntiDDoS-policy-security-rule-ddos1] quit

NOTE
Step 7 Configure the detecting interface.

[AntiDDoS-GigabitEthernet2/0/1] anti-ddos detect enable


<AntiDDoS> save
----End
Issue 01 (2015-07-20)

81
HUAWEI Anti-DDoS

[AntiDDoS] license active lic_clean_20150430.dat

Step 3 Configure STelnet.

[AntiDDoS] aaa
Enter Password:
Confirm Password:
[AntiDDoS-aaa] quit
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++


Issue 01 (2015-07-20)

82
HUAWEI Anti-DDoS
source-zone any
destination-zone any
action permit
quit

NOTE

Step 8 On the cleaning device, configure the next-hop address used for a dynamically generated route.
[AntiDDoS] firewall ddos bgp-next-hop 10.1.3.1
Step 9 Configure FIB filtering for the generated 32-bit UNR.

[AntiDDoS] firewall ddos bgp-next-hop fib-filter
Step 10 Configure the BGP function and community attribute on the cleaning device.
[AntiDDoS] ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
[AntiDDoS] route-policy 1 permit node 1
[AntiDDoS-route-policy] if-match ip-prefix EXPORT-TO-DDoS
[AntiDDoS-route-policy] apply community no-advertise
[AntiDDoS-route-policy] quit
[AntiDDoS] bgp 100
[AntiDDoS-bgp] peer 10.1.2.1 as-number 100
[AntiDDoS-bgp] import-route unr
[AntiDDoS-bgp] ipv4-family unicast
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 route-policy 1 export
[AntiDDoS-bgp-af-ipv4] peer 10.1.2.1 advertise-community
[AntiDDoS-bgp-af-ipv4] quit
[AntiDDoS-bgp] quit
After the configuration is complete, the UNR generated on the cleaning device will be imported
to BGP and then advertised to Router1 through BGP. In this manner, when Router1 receives
traffic defined for 1.1.1.1/32, it searches the routing table, matches the route according to the
longest mask, and forwards the traffic to the cleaning device through GE1/0/1.
Step 11 Enable traffic statistics on the cleaning interface of the cleaning device.
Step 12 Configure PBR on GE2/0/1 of the cleaning device for traffic injection.
[AntiDDoS] policy-based-route
[AntiDDoS-policy-pbr] rule name huizhu
[AntiDDoS-policy-pbr-rule-huizhu] ingress-interface GigabitEthernet 2/0/1
[AntiDDoS-policy-pbr-rule-huizhu] action pbr egress-interface GigabitEthernet
2/0/2 10.1.3.1
[AntiDDoS-policy-pbr-rule-huizhu] quit
[AntiDDoS-policy-pbr] quit
Step 13 Configure a default route for reverse route searching.

Issue 01 (2015-07-20)

83
HUAWEI Anti-DDoS
[AntiDDoS] ip route-static 0.0.0.0 0 GigabitEthernet 2/0/1 10.1.2.1


<AntiDDoS> save
----End

1.
2.
3.

1.
2.
Click
Create a detecting device and a cleaning device and add the devices to the NE list.
Issue 01 (2015-07-20)

84
HUAWEI Anti-DDoS
Issue 01 (2015-07-20)

85
HUAWEI Anti-DDoS
3.
Click OK. The detecting device and cleaning device are added to the NE list.
Step 3 Choose Defense > Policy Settings > Zone, create user-defined Zones, and configure basic
information about the Zones.
When adding NEs, select both the detecting device and cleaning device.
The Zone IP address is the IP address of the server to be protected. A Zone is created for each
type of server. For example, create gameZone for game servers, webZone for web servers, and
dnsZone for DNS servers.
Step 4 Configure a defense policy for game servers.
corresponding to gameZone.
1.
2.

defense policy starting with basic.
3.
Configure the defense policy.
Issue 01 (2015-07-20)

86
HUAWEI Anti-DDoS
Issue 01 (2015-07-20)

87
HUAWEI Anti-DDoS
Issue 01 (2015-07-20)

88
HUAWEI Anti-DDoS
Step 5 Configure a defense policy for web servers.

1.
corresponding to webZone.
2.

3.

As web servers have a little UDP traffic, you can directly limit the UDP traffic rate.
Issue 01 (2015-07-20)

89
HUAWEI Anti-DDoS
Issue 01 (2015-07-20)

90
HUAWEI Anti-DDoS
Step 6 Configure a defense policy for DNS servers.

1.
corresponding to dnsZone.
2.

3.

To protect DNS servers, you must determine the DNS server type. DNS authorization
servers are deployed in most cases, and you can enable the active defense mode. If the
server type is unidentified, enable the passive defense mode.
Issue 01 (2015-07-20)

91
HUAWEI Anti-DDoS
Issue 01 (2015-07-20)

92
HUAWEI Anti-DDoS
Step 7 Deploy the defense policies and save the configuration.

1.
Choose Defense > Policy Settings > Zone, select the check box of a Zone, and click
.
2.
Click OK. The deployment progress is displayed, and the progress bar is automatically
closed after the deployment is complete.
3.
Choose Defense > Policy Settings > Global Policy, select the check box of the
AntiDDoS, and click
4.
Click OK. The saving progress is displayed, and the progress bar is automatically closed
after the configuration is saved.
Step 8 Choose Defense > Policy Settings > Zone. Click a specific state in the Baseline Learning
column to enable the baseline learning function.
Baseline learning takes effect as long as traffic passes through the device, and no additional
policy is required.
Issue 01 (2015-07-20)

93
HUAWEI Anti-DDoS
Step 9 Adjust thresholds.

If many alarms are generated after baseline learning data is applied, you need to adjust thresholds
or other related parameter values:
l Change the sampling ratio to 0. That is, the device counts every packet. If a large sample
ratio is set, when a little traffic passes through the device, the statistical value is probably
inaccurate. Generally, if the total traffic rate is less than 1 Gbit/s, the sampling ratio can be
set to 0.
l View top N traffic of a Zone (without attacks), identify the IP address with the heaviest traffic,
and query protocol-based traffic comparison based on this IP address (set the statistical mode
to peak value and the time range to one week). Set the defense threshold to twice of the peak
value of each traffic type. If a traffic peak value is small (for example, 50 pps), using the
default threshold is recommended.
----End
Configuring Router1
This part uses Huawei NE80E as an example to describe BGP and PBR configurations on the
router. The router configuration varies with software versions. The following configuration is
only an example for reference.
Step 2 Configure the BGP function.
[Router1] bgp 100
[Router1-bgp] quit
Step 3 Configure PBR on GE1/0/2.

[Router1] acl 3001
Issue 01 (2015-07-20)

94
HUAWEI Anti-DDoS

# Configure a traffic behavior and set a packet forwarding action.

# Define a traffic policy and specify the traffic behavior for the traffic classifier in the policy.
# Apply the policy to the interface.

----End
3.2.5 Configuration Scripts

Configuration script of the detecting device:
#
sysname AntiDDoS
#
securitypolicy
rule name
ddos1
action
permit
#
snmp-agent
snmp-agent community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7
v2c
#
protocol inbound ssh
#
manager-user
atic
%
service-type
ssh
level 15
#
Issue 01 (2015-07-20)

95
HUAWEI Anti-DDoS
rsa local-key-pair create

stelnet server enable
ssh user atic
ssh user atic authentication-type password
ssh user atic service-type stelnet
#
firewall ddos detect-spu slot 3 card 0
firewall ddos detect-spu slot 3 card 1
#
anti-ddos detect enable
#
ip address 10.1.6.3 255.255.255.0
anti-ddos detect-device manage-port enable
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
#
Configuration script of the cleaning device:

#
sysname AntiDDoS
#
securitypolicy
rule name
ddos1
action
permit
#
snmp-agent
snmp-agent community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7snmp-agent
community read cipher %^%#{nd*BS2cw*LrJZYehT4Wlck;/!`T}";7
all
#
protocol inbound ssh
#
manager-user
atic
Issue 01 (2015-07-20)

96
HUAWEI Anti-DDoS

%
service-type
ssh
level 15
#
rsa local-key-pair create
stelnet server enable
ssh user atic
ssh user atic authentication-type password
ssh user atic service-type stelnet
#
#
undo shutdown
ip address 10.1.2.2 255.255.255.0
anti-ddos clean enable
#
vlan-type dot1q 100
ip address 10.1.3.2 24
mpls
mpls ldp
#
ip address 10.1.6.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
ip ip-prefix EXPORT-TO-DDoS index 10 permit 0.0.0.0 32
route-policy 1 permit node 1
#
bgp
100
peer 10.1.2.1 as-number
100
#
ipv4-family
unicast
Issue 01 (2015-07-20)

97
HUAWEI Anti-DDoS
undo
synchronization
import-route
unr
peer 10.1.2.1
enable
peer 10.1.2.1 route-policy 1
export
peer 10.1.2.1 advertisecommunity
#
policy-basedroute
rule name
huizhu
ingress-interface
GigabitEthernet2/0/1
action pbr egress-interface GigabitEthernet2/0/2 10.1.3.1
#
ip route-static 0.0.0.0 GigabitEthernet2/0/1 10.1.2.1
#
firewall ddos bgp-next-hop fib-filter
firewall ddos bgp-next-hop 10.1.3.1
#
#
DDoS attack defense policies are delivered by the ATIC management center. For details about
enabled defense policies, see the ATIC management center configuration.
3.2.6 Commissioning
After the configuration is complete, you can do as follows to commission the result:
1.
Perform ping tests using test IP addresses. The ping tests succeed.
2.
Create a static traffic diversion task.
3.
Initiate ping tests to destination IP addresses.

l If the ping tests succeed, run the display firewall session table command to view
session entries. If the ping session table exists, traffic injection succeeds.
l If the ping tests fail:
4.
Issue 01 (2015-07-20)
a.
Initiate a tracert test on the client to identify the packet discard point.
b.
If the router discards packets, check the route through which the injected traffic is
forwarded.
c.
If the cleaning device discards packets, run the display firewall statistic system
discarded command to view the number of discarded packets and packet
discarding causes, and contact R&D engineers for support.
Construct attack traffic (SYN flood traffic is used as an example) and configure a
corresponding defense policy.
98
HUAWEI Anti-DDoS
5.
Choose Report > Report > Traffic Analysis and view the ATIC traffic comparison report.
l If the traffic curve is normal, logs are properly transmitted between the ATIC
management center and the device, and reports can be correctly exported.
l If the query result is empty, perform troubleshooting according to HUAWEI AntiDDoS
Maintenance Guide.
Issue 01 (2015-07-20)

99

HUAWEI Anti-DDoS V500R001 Configuration Examples 01 PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

HUAWEI Anti-DDoS V500R001 Configuration Examples 01 PDF

Transféré par

Droits d'auteur :

Formats disponibles

HUAWEI Anti-DDoS

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential

2 Configuration Examples for Traffic Diversion and Injection............................................17

3 Configuration Examples for Comprehensive Scenarios......................................................53

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Configuration Examples for System

About This Chapter

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

1.1 Example for Configuring Interconnection Between the

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Figure 1-1 Networking diagram of the intermixed device in off-line mode

Optically split traffic

The intermixed device is named AntiDDoS.

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Table 1-1 IP addresses

Indicates a trafficinjection interface.

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Load the license.

Specify detecting and cleaning SPUs and restart the SPUs.

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Save the configuration.

Perform the following in the ATIC management center:

Log in to the ATIC management center for the first time.

Creating an Anti-DDoS device.

Save the configuration.

Configure proper defense policies.

Configuring the Intermixed Device

Step 3 Specify detecting and cleaning SPU subcards.

Step 5 Optional: Configure automatic lockout upon administrator login failures.

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Step 8 Configure SNMP.

Step 9 Configure the detecting interface.

Step 10 Configure the cleaning interface.

Step 11 Save the configuration.

Configuring the ATIC Management Center

Change the initial password upon the first login.

Step 2 Create an anti-DDoS device.

Choose Defense > Network Settings > Devices.

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

Figure 1-2 Create an anti-DDoS device.

Click OK. The anti-DDoS device is added to the NE list.

Step 3 Save the configuration.

Choose Defense > Policy Settings > Global Policy.

Select the check box of the cleaning device and click

Step 4 Configure a defense policy (omitted).

1.2 Example for Configuring Interconnection Between the

Huawei Proprietary and Confidential

1 Configuration Examples for System Deployment

ATIC management center

Traffic before cleaning