Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.


Issue 11 Date 2018-05-28 HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://e.huawei.com

Contents

1 Concepts
1.1 What Is Anti-DDoS?
1.2 What Are a SYN Flood Attack and an ACK Flood Attack?
1.3 What Is a CC Attack?
1.4 What Is a Slow HTTP Attack?
1.5 What Are a UDP Attack and a TCP Attack?
1.6 What Is a Black Hole?
1.7 What Is the Million-level IP Address Blacklist Database?

2.1 What Restrictions Does Anti-DDoS Have?
2.2 What Services Can I Use Anti-DDoS In?
2.3 How Do I Use Anti-DDoS?
2.4 What Kinds of Attacks Does Anti-DDoS Defend Against?
2.5 Will I Be Promptly Notified When an Attack Is Detected?
2.6 What Service Can I Use When My Service Traffic Is Larger Than the Defense Limit?
2.7 What Should I Do If My Service Is Frequently Attacked?
2.8 What Is the Difference Between ELB Defense and EIP Defense?
2.9 What Is the Maximum Protection Bandwidth for Regions in China?
2.10 Why Is the Number of Times of Cleaning Different from the Number of Attacks for the Same Instance IP Address?
2.11 Is Anti-DDoS Enabled by Default?
2.12 Is the Free Protection Capability of 5 Gbit/s for a Region or a Single IP Address?
2.13 Will a Black Hole Be Triggered for My Business According to the Displayed Black Hole Threshold?
2.14 How Do I Temporarily Disable Anti-DDoS?
2.15 Do I Need to Clear the Resources of Anti-DDoS When I Deregister an Account?

1 Concepts

1.1 What Is Anti-DDoS?

The Anti-DDoS traffic cleaning service (Anti-DDoS for short) defends resources (Elastic Cloud Servers (ECSs), Elastic Load Balance (ELB) instances, and Bare Metal Servers (BMSs)) on HUAWEI CLOUD against network- and application-layer distributed denial of service (DDoS) attacks and sends alarms immediately when detecting an attack. In addition, Anti-DDoS improves the utilization of bandwidth and ensures the stable running of users' services.

Anti-DDoS monitors the service traffic from the Internet to ECSs, ELB instances, and BMSs to detect attack traffic in real time. It then cleans abnormal traffic according to user-configured defense policies without affecting service running. In addition, monitoring reports are generated, presenting users with clear network security evaluations.

1.2 What Are a SYN Flood Attack and an ACK Flood Attack?

A SYN flood attack is a typical denial of service (DoS) attack. Exploiting a loophole in the Transmission Control Protocol (TCP), the attacker sends a huge number of forged TCP connection requests to the target to exhaust its resources (fully loaded CPU or insufficient memory). Consequently, the target fails to respond to normal connection requests.

An ACK flood attack works by a mechanism similar to that of a SYN flood attack.

1.3 What Is a CC Attack?

In a challenge collapsar (CC) attack, the attacker uses a proxy server to generate and send disguised requests to the target host. In addition, the attacker controls other hosts on the Internet and makes them send large numbers of data packets to the target server to exhaust its resources. In the end, the target server stops responding to requests.

When many users access a web page at the same time, the page opens slowly. In a CC attack, the attacker simulates a scenario where a large number of users (a thread represents a user) are accessing pages all the time. Because the accessed pages all require a lot of data operations (consuming many CPU resources), the CPU usage is kept at the 100% level for a long time until normal access requests are blocked.

You can use the CC defense function to control the HTTP request rate.

1.4 What Is a Slow HTTP Attack?

Slow HTTP attacks are a variation of CC attacks. Here is how slow HTTP attacks work: The attacker establishes a connection to the target server which allows HTTP access. Then the attacker specifies a large content length and sends packets at an extremely low rate, such as one byte per one to ten seconds. The connection is maintained this way. If the attacker keeps establishing such connections, available connections on the target server are slowly consumed and the server will stop responding to valid requests.

1.5 What Are a UDP Attack and a TCP Attack?

Exploiting the interaction characteristics of UDP and TCP, attackers use botnets to send large numbers of various TCP connection packets or UDP packets to exhaust the bandwidth resources of target servers. As a result, the servers become low in processing capability and fail to work properly.

1.6 What Is a Black Hole?

A black hole refers to a period of time when external communication to an attacked server is limited.

When your server is under a massive-traffic attack, Anti-DDoS will trigger a carrier's black hole, that is, traffic is discarded on the carrier side and external access requests to the server are blocked, to relieve the traffic pressure on the equipment room. When the system detects that the attack has stopped, the black hole is removed automatically. Because carriers have strict limits on the removal time and frequency of black holes, black holes cannot be manually removed and you have to wait for the system to remove them automatically.

1.7 What Is the Million-level IP Address Blacklist Database?

The million-level IP address blacklist database refers to the database of millions of malicious IP addresses collected by experts in the past years. When users' services are attacked by these IP addresses, Anti-DDoS responds to those attacks first to defend your servers in a timely manner.
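The slow HTTP behaviour described in section 1.4 (a large declared content length, a body that arrives at about one byte every few seconds, many such connections held open) can be recognised on the server side from per-connection counters. The following is an added example, not part of the Huawei FAQ and not how Anti-DDoS is implemented; the `Conn` record, the thresholds and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for this sketch (not Huawei defaults).
MIN_BODY_RATE = 100.0      # bytes/second a legitimate client should sustain
GRACE_SECONDS = 5.0        # do not judge a connection younger than this
MAX_SLOW_PER_SOURCE = 3    # slow connections tolerated per source address


@dataclass
class Conn:
    src: str               # client address
    content_length: int    # declared Content-Length of the request
    body_bytes: int        # body bytes received so far
    age: float             # seconds since the request headers completed


def is_slow(c: Conn) -> bool:
    """True when the body is incomplete and arriving below MIN_BODY_RATE."""
    if c.body_bytes >= c.content_length:
        return False       # body complete, the connection is not being held
    if c.age < GRACE_SECONDS:
        return False       # too young to judge
    return c.body_bytes / c.age < MIN_BODY_RATE


def seconds_to_finish(c: Conn) -> float:
    """How long the connection would stay open at its observed rate."""
    remaining = c.content_length - c.body_bytes
    if remaining <= 0:
        return 0.0
    rate = c.body_bytes / c.age if c.age > 0 else 0.0
    return float("inf") if rate == 0 else remaining / rate


def sources_to_limit(conns):
    """Sources holding more than MAX_SLOW_PER_SOURCE slow connections."""
    counts = {}
    for c in conns:
        if is_slow(c):
            counts[c.src] = counts.get(c.src, 0) + 1
    return sorted(s for s, n in counts.items() if n > MAX_SLOW_PER_SOURCE)


# Constructed sample: 198.51.100.7 holds five connections at about one byte
# per five seconds; 203.0.113.20 is uploading normally; 203.0.113.31 is a
# single client on a poor link, which is slow but stays under the limit.
SAMPLE = (
    [Conn("198.51.100.7", 1_000_000, 12, 60.0) for _ in range(5)]
    + [Conn("203.0.113.20", 500_000, 480_000, 4.0),
       Conn("203.0.113.20", 2_000_000, 1_500_000, 12.0),
       Conn("203.0.113.31", 80_000, 400, 30.0)]
)

if __name__ == "__main__":
    print(sources_to_limit(SAMPLE))
    print(seconds_to_finish(SAMPLE[0]))
```

Counting slow connections per source, rather than acting on a single slow one, keeps one client on a poor link from being limited.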

2.1 What Restrictions Does Anti-DDoS Have?

Anti-DDoS cleans up to 5 Gbit/s traffic. Anti-DDoS automatically limits traffic exceeding 5 Gbit/s. Therefore, loss of normal access traffic can occur. For an application with normal service traffic larger than 5 Gbit/s, you are advised to purchase the Advanced Anti-DDoS service on HUAWEI CLOUD to improve the defense capacity.

2.2 What Services Can I Use Anti-DDoS In?

Anti-DDoS supports traffic cleaning only for ECSs, ELB instances, and BMSs on HUAWEI CLOUD.

2.3 How Do I Use Anti-DDoS?

Anti-DDoS works automatically after you enable defense for IP addresses.

Step 1 Log in to the management console.
Step 2 Click in the upper left corner of the management console and select the region and project.
Step 3 Choose Security > Anti-DDoS. The service management page is displayed.
Step 4 On the Instance List page, enable Anti-DDoS for the desired instance IP address.
- Enabling Anti-DDoS for multiple IP addresses: Click the Enable for All Instances button for all instance IP addresses that are not protected.
- Enabling Anti-DDoS for one IP address:
  a. In the row containing the desired IP address, click Enable.
  b. Click OK in the displayed dialog box.
----End

2.4 What Kinds of Attacks Does Anti-DDoS Defend Against?

Anti-DDoS helps users cope with traffic attacks with ease. It can precisely identify connection exhaustion and slow-connection attacks and can help users defend against the following attacks:

- Web server attacks, such as SYN flood, HTTP flood, Challenge Collapsar (CC), and slow-connection attacks
- Game attacks, such as User Datagram Protocol (UDP) flood, SYN flood, Transmission Control Protocol (TCP), and fragment attacks
- HTTPS server attacks, such as SSL DoS and DDoS attacks
- DNS server attacks, such as attacks targeted at vulnerabilities in the Domain Name Server (DNS) protocol stack, DNS reflection attacks, DNS flood attacks, and DNS cache-miss attacks

2.5 Will I Be Promptly Notified When an Attack Is Detected?

Yes, if you enable alarm notification. On the console, click the Alarm Notification tab to enable the alarm notification function, which enables you to receive alarms (by SMS or email) if a DDoS attack is detected.

2.6 What Service Can I Use When My Service Traffic Is Larger Than the Defense Limit?

For traffic exceeding 5 Gbit/s, use Advanced Anti-DDoS on HUAWEI CLOUD, which provides larger protection bandwidth and higher reliability than Anti-DDoS. Advanced Anti-DDoS can defend against various large-traffic attacks, so that your services can run stably against DDoS threats from the black market, malicious competitors, and hackers.

2.7 What Should I Do If My Service Is Frequently Attacked?

In addition to using Anti-DDoS, you can perform the following actions to improve network security:

- Install system patches in a timely manner.
- Regularly back up important system information (such as system configuration).
- Set complicated passwords for accounts that have high privileges (such as administrator accounts) to reduce risks of being attacked.
- Regularly check the physical environment of your system and disable unnecessary network services.
- Make and improve border protection policies to defend against threats from outside your network.
- Regularly check your system configuration and check daily security logs to discover and handle security risks promptly.
- Use security devices (such as firewalls) to enhance your network security. Configure security rules on those devices to filter fake data packets.
- Require your network service provider to control routing access and limit the overall bandwidth.

2.8 What Is the Difference Between ELB Defense and EIP Defense?

EIP defense indicates defense for EIPs bound to ECSs or BMSs. ELB defense indicates defense for EIPs bound to ELB instances. To Anti-DDoS, they are both defense for EIPs against DDoS attacks.

2.9 What Is the Maximum Protection Bandwidth for Regions in China?

The maximum defense capability for one instance IP address (EIP) is 5 Gbit/s. The maximum defense capability is 5 Gbit/s for all regions in China.

2.10 Why Is the Number of Times of Cleaning Different from the Number of Attacks for the Same Instance IP Address?

Cleaning is triggered automatically when an attack is detected on an IP address. The cleaning lasts for a while. (Only attack traffic is cleaned, and users' services will not be affected.) If, during the cleaning, another attack is detected on the same IP address, the attack will be cleaned together with the previous attack. Consequently, the number of attacks increases by one while the number of times of cleaning does not.
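The counting rule in section 2.10, worked through as an added example (not Huawei's code) that can be used to reconcile the two counters against your own attack logs. The cleaning duration and whether a new attack prolongs a running cleaning are assumptions, since the FAQ only says the cleaning "lasts for a while"; the event list is constructed.

```python
CLEAN_SECONDS = 600  # assumed cleaning duration; the FAQ gives no value


def count_attacks_and_cleanings(events, clean_seconds=CLEAN_SECONDS,
                                extend_on_new_attack=False):
    """Return {ip: (attacks, cleanings)} for (ip, detect_time) events.

    Every detection counts as one attack. A detection starts a new cleaning
    only if no cleaning is running on that IP address; otherwise it is
    cleaned together with the attack already being handled.
    extend_on_new_attack models the assumption that a merged attack
    restarts the cleaning timer.
    """
    cleaning_until = {}   # ip -> time at which the running cleaning ends
    totals = {}           # ip -> (attacks, cleanings)
    for ip, t in sorted(events, key=lambda e: e[1]):
        attacks, cleanings = totals.get(ip, (0, 0))
        attacks += 1
        if t >= cleaning_until.get(ip, float("-inf")):
            cleanings += 1                       # nothing running: new cleaning
            cleaning_until[ip] = t + clean_seconds
        elif extend_on_new_attack:
            cleaning_until[ip] = t + clean_seconds   # merged, timer restarted
        totals[ip] = (attacks, cleanings)
    return totals


# Constructed detections, in seconds from the start of the observation.
EVENTS = [
    ("192.0.2.10", 0), ("192.0.2.10", 200), ("192.0.2.10", 500),
    ("192.0.2.10", 900), ("192.0.2.10", 2000),
    ("192.0.2.20", 100),
]

if __name__ == "__main__":
    print(count_attacks_and_cleanings(EVENTS))
    print(count_attacks_and_cleanings(EVENTS, extend_on_new_attack=True))
```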

2.11 Is Anti-DDoS Enabled by Default?

Yes. The default protection policy is used. To modify this setting, see Configuring an Anti-DDoS Protection Policy.

NOTE
Once enabled, Anti-DDoS cannot be disabled. If it is not needed temporarily, follow How Do I Temporarily Disable Anti-DDoS?.

2.12 Is the Free Protection Capability of 5 Gbit/s for a Region or a Single IP Address?

A single IP address.

2.13 Will a Black Hole Be Triggered for My Business According to the Displayed Black Hole Threshold?

Currently, the black hole threshold, duration, and security reputation score displayed are only for demonstration purposes. Your business will not be dragged into a black hole based on the displayed threshold, which means you still get a free protection bandwidth of 5 Gbit/s.

2.14 How Do I Temporarily Disable Anti-DDoS?

Procedure

You can set the traffic cleaning threshold to 1000 Mbit/s, a value so large that your IP address instances get almost no protection from Anti-DDoS.

NOTE
This value is suitable for temporary disabling of protection for commissioning or other special purposes. You are advised not to use it for a long time.

Step 1 Log in to the management console.
Step 2 Click in the upper left corner of the management console and select the region and project.
Step 3 Choose Security > Anti-DDoS. The service management page is displayed.
Step 4 In the instance list, locate the desired instance and click Settings in the Operation column.
Step 5 In the dialog box that is displayed, set Protection Settings to Manual and Traffic Cleaning Threshold to 1,000 Mbps.
Step 6 Click OK.
----End

2.15 Do I Need to Clear the Resources of Anti-DDoS When I Deregister an Account?

No. Anti-DDoS does not consume your resources. This service is enabled by default at no additional charge. Therefore, you do not need to clear the resources upon deregistration.