Overview
Since the Internet is increasingly being used to conduct business and even to provide many critical services, the losses from a DDoS attack may be disastrous. Many users, including ISPs, enterprises, and government institutions, are threatened by DDoS attacks. What’s worse, numerous and destructive DDoS attacks might occur in the future as a result of the development of more powerful attack tools.
The ZTE Anti-DDoS solution provides complete protection against all types of DDoS attacks, even those that have never been seen before. Featuring active mitigation capabilities that rapidly detect attacks and separate malicious traffic from legitimate traffic, the ZTE solution delivers a rapid DDoS response that is measured in seconds, not hours. Easily deployed adjacent to critical routers and switches, the ZTE solution offers a scalable option that eliminates any single point of failure and does not impact the performance or reliability of the existing network components.
ZTE Anti-DDoS Solution
Based on its deep understanding of network attack and protection, built up over many years, ZTE has made great efforts to develop the ZTE Anti-DDoS solution, which contains three modules: abnormal traffic analysis (ZXSEC US Detector, or Detector), abnormal traffic cleaning (ZXSEC US Protector, or Protector), and an integrated management center (ZXSEC iManager). Detector performs real-time correlation analysis on the traffic of different network nodes and, when it locates the source of abnormal traffic, notifies Protector to divert and filter that traffic. Through the coordinated work of Detector and Protector, the system carries out traffic analysis, abnormal traffic diversion, DDoS attack filtering, P2P identification and control, abnormal traffic bandwidth limiting, and so on, for the whole network. It helps users follow network operation in real time, detects network problems promptly, and responds to abnormal behavior automatically so that the damage caused by abnormal traffic is eliminated rapidly. ZXSEC iManager provides equipment monitoring, log analysis and audit, reporting, and other functions.

Figure 1: Cleaning principle
The ZTE Anti-DDoS solution supports two deployment modes: transparent mode and bypass mode (bypass dual arm and bypass single arm), as shown in the figures below:

Figure 2: Transparent mode

Figure 3: Bypass mode
Transparent mode
In transparent mode, Protector is connected in line on the backbone network. Abnormal traffic is detected and discarded by Protector as it passes through. Alternatively, Protector works together with Detector (the traffic detection device): Detector detects the attack traffic and reports the results to Protector on the backbone network link, and Protector cleans the attack traffic.
Bypass Dual Arm mode
Protector is connected to two neighboring backbone network routers: one router diverts abnormal traffic to Protector, and the cleaned traffic is re-injected over the other link to the other router. This deployment requires cooperation with Detector. After discovering attack traffic against the target through sampling and analysis, Detector, deployed on the backbone network, sends the results to Protector. Protector then sends a divert route to the router at the upper end, which sends the abnormal traffic to Protector for filtering; Protector re-injects the cleaned traffic to the router at the lower end.
In single arm mode, Protector is connected to a backbone network router, and that router is responsible for diverting abnormal traffic. The cleaned traffic is re-injected into the router through the same interface. This mode also requires cooperation with Detector, which is deployed on the backbone network to detect attack traffic against the target through sampling and analysis and to report the results to Protector. Protector sends a divert route to the router, which diverts the abnormal traffic to Protector for filtering, and Protector then re-injects the cleaned traffic to the router.
Features
Accurate Detection and Recognition
ZTE Anti-DDoS uses purpose-built algorithms that recognize different DDoS attacks based on probability statistics and a set of filtering modules, including Anti-spoofing, Protocol Behavior Pattern Analysis, Customized Application Prevention, User Behavior Analysis, Dynamic Fingerprint Recognition, and Rate Limiting, so that malicious DDoS traffic is accurately separated from normal traffic.
Powerful Prevention Capability
Supported by unique algorithms developed by ZTE, the Anti-DDoS system delivers high performance in preventing various attacks, such as SYN Flood, UDP Flood, UDP DNS Query Flood, Stream Flood, and ACK Flood DDoS. The system also has good prevention capability against more dangerous application-layer DDoS attacks such as HTTP Get Flood, online game attacks, and attacks on video and audio services.
Powerful Cleaning Capability
It is the only equipment that can clean 20G DDoS attacks with a single device. Using cluster deployment and creative 2-level load-sharing technology, it can be expanded to 640G or even higher processing power, enough to meet future requirements.
Flexible Deployment
Because customer network environments and scales differ, the ZTE Anti-DDoS solution comes in a variety of product forms and deployment options, including tandem, tandem cluster, bypass, and bypass cluster. Support for different types of network deployment and protocols allows the system to adapt to a variety of complex network environments.
Rich Report
The management center provides centralized management of equipment and services, and gives users specific reports on services, attacks, cleaning, and other security incidents, helping them understand current and historical service status intuitively and in real time.
