
HUAWEI ATIC Management Center

V500R001

Configuration Guide

Issue: 01

Date: 2015-07-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

[Huawei logo] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: support@huawei.com

Issue 01 (2015-07-20)   Huawei Proprietary and Confidential   Copyright © Huawei Technologies Co., Ltd.

Contents
1 Conventions ................................................................................................................................... 7
2 Safety Information ...................................................................................................................... 11
3 Alarm ............................................................................................................................................. 13
3.1 Managing Alarms........................................................................................................................................................ 13
3.1.1 Managing Current Alarms ....................................................................................................................................... 13
3.1.2 Managing Past Alarms ............................................................................................................................................. 15
3.1.3 Alarm Severity Rule ................................................................................................................................................ 17
3.2 Alarm Notification ...................................................................................................................................................... 17
3.2.1 Managing Remote Notification................................................................................................................................ 18
3.2.1.1 Creating the Remote Notification Rule ................................................................................................................. 18
3.2.1.2 Modifying the Remote Notification Rule ............................................................................................................. 20
3.2.2 Configuring the Sound Notification......................................................................................................................... 21

4 Initial Configuration of the Management Center................................................................. 23


4.1 Logging In to the ATIC Management Center .............................................................................................................. 23
4.2 Customizing a Homepage ........................................................................................................................................... 24
4.3 Adding Devices ........................................................................................................................................................... 25
4.3.1 Creating an AntiDDoS ............................................................................................................................................. 25
4.3.2 Creating an SAS ...................................................................................................................................................... 28
4.3.3 Creating a Syslog-linkage Device ............................................................................................................................ 31
4.4 Configuring a Collector .............................................................................................................................................. 32
4.4.1 Adding a Collector ................................................................................................................................................... 33
4.4.2 Associating the Collector with the Devices ............................................................................................................. 35
4.5 Configuring the Defense Group .................................................................................................................................. 35

5 Configuring Defense Policies ................................................................................................... 39


5.1 Configuring the Zone .................................................................................................................................................. 39
5.1.1 Adding a Zone.......................................................................................................................................................... 40
5.1.2 Importing Zones in a Batch ..................................................................................................................................... 44
5.2 Configuring the Zone-based Defense Policy .............................................................................................................. 45
5.2.1 Configuring a Defense Mode ................................................................................................................................... 47
5.2.2 Configuring a Filter ................................................................................................................................................. 49
5.2.2.1 Creating a Filter .................................................................................................................................................... 51

5.2.2.2 Associating a Zone with a Filter ........................................................................................................................... 54


5.2.3 Configuring a Location Blocking Policy ................................................................................................................. 55
5.2.4 Creating a Service and a Defense Policy ................................................................................................................. 56
5.2.4.1 Overview .............................................................................................................................................................. 58
5.2.4.2 Configuring a Service Learning Task ................................................................................................................... 59
5.2.4.3 Applying Service Learning Results....................................................................................................................... 60
5.2.5 Adjusting a Threshold (by Baseline Learning) ........................................................................................................ 61
5.2.5.1 Description............................................................................................................................................................ 61
5.2.5.2 Configuring a Baseline Learning Task .................................................................................................................. 62
5.2.5.3 Applying Baseline Learning Results ..................................................................................................................... 65
5.2.6 Configuring the Zone-based Defense Policy ........................................................................................................... 65
5.2.6.1 TCP Defense Policy .............................................................................................................................................. 66
5.2.6.2 UDP Defense Policy ............................................................................................................................................. 69
5.2.6.3 ICMP Defense Policy ........................................................................................................................................... 70
5.2.6.4 Other Defense Policy ............................................................................................................................................ 70
5.2.6.5 DNS Defense Policy ............................................................................................................................................. 70
5.2.6.6 SIP Defense Policy ............................................................................................................................................... 73
5.2.6.7 HTTP Defense Policy ........................................................................................................................................... 73
5.2.6.8 HTTPS Defense Policy ......................................................................................................................................... 76
5.2.6.9 Top N Study .......................................................................................................................................................... 77
5.2.6.10 Global Defense Policy for Non-Zone ................................................................................................................. 79
5.2.6.11 First-Packet Discarding ....................................................................................................................................... 80
5.2.7 Configuring Global Defense Policies (ATIC) .......................................................................................................... 80
5.2.7.1 Configuring Basic Attack Defense ........................................................................................................................ 80
5.2.7.2 Blacklist and Whitelist .......................................................................................................................................... 83
5.2.8 Creating User-defined IP Locations ......................................................................................................................... 83
5.2.9 Library Files............................................................................................................................................................. 84
5.2.10 Configuring Policy Templates ............................................................................................................................... 85
5.2.11 Cloud Cleaning ...................................................................................................................................................... 87
5.2.12 Deploying the Defense Policy ............................................................................................................................... 89
5.2.13 Saving Configurations ........................................................................................................................................... 90

6 Configuring Traffic Diversion ................................................................................................. 91


6.1 Configuring Mirroring ................................................................................................................................................ 91
6.2 Configuring Traffic Diversion .................................................................................................................................... 93
6.2.1 Configuring Policy-based Route Diversion ............................................................................................................. 93
6.2.2 Configuring BGP Traffic Diversion (CLI) ............................................................................................................... 95
6.2.3 Configuring BGP Traffic Diversion (ATIC) .......................................................................................................... 100
6.3 Configuring Traffic Injection .................................................................................................................................... 103
6.3.1 Layer-2 Injection.................................................................................................................................................... 103
6.3.2 Configuring Static Route Injection ........................................................................................................................ 105
6.3.3 Configuring UNR Route Injection ......................................................................................................................... 107

6.3.4 Configuring Policy-Based Route Injection ............................................................................................................ 110


6.3.5 Configuring GRE Traffic Injection ........................................................................................................................ 114
6.3.6 Configuring MPLS LPS Traffic Injection .............................................................................................................. 117
6.3.7 Configuring MPLS VPN Traffic Injection ............................................................................................................. 120
6.4 Configuring the Loop Check Function ..................................................................................................................... 125
6.5 Configuring Blackhole Traffic Diversion ................................................................................................................. 126

7 Attack Response and Source Tracing .................................................................................... 128


7.1 Viewing the Status of a Zone and Anti-DDoS Alarms .............................................................................................. 128
7.2 Handling Abnormal Events ....................................................................................................................................... 129
7.3 Packet Capture .......................................................................................................................................................... 129
7.3.1 Packet Capture, Analysis and Report ..................................................................................................................... 129
7.3.2 Configuring Packet Capture Length ...................................................................................................................... 132
7.3.3 Managing Packet Capture Task.............................................................................................................................. 133
7.3.3.1 Creating an ACL Matched Packet Capture Task ................................................................................................. 134
7.3.3.2 Creating a Global Defense Packet Capture Task ................................................................................................ 137
7.3.3.3 Creating a Zone Attacked Packet Capture Task .................................................................................................. 140
7.3.3.4 Creating an Anomaly-based Packet Capture Task .............................................................................................. 142
7.3.4 Managing Packet Capture File ............................................................................................................................... 145
7.3.4.1 Viewing Anomaly or Attack Events .................................................................................................................... 146
7.3.4.2 Tracing Attack Sources Through a Packet Capture File ..................................................................................... 147
7.3.4.3 Parsing Packets in a Packet Capture File ............................................................................................................ 149
7.3.4.4 Extracting Fingerprints from a Packet Capture File ........................................................................................... 149
7.3.4.5 Downloading a Packet Capture File ................................................................................................................... 151

8 Report .......................................................................................................................................... 152


8.1 Overview .................................................................................................................................................................. 152
8.2 Traffic Analysis ......................................................................................................................................................... 153
8.2.1 Data Overview ....................................................................................................................................................... 153
8.2.2 Traffic Comparison ................................................................................................................................................ 155
8.2.3 Traffic Top N ......................................................................................................................................................... 157
8.2.4 Application Traffic ................................................................................................................................................. 162
8.2.5 Protocol Traffic Distribution .................................................................................................................................. 164
8.2.6 Number of TCP Connections ................................................................................................................................. 166
8.2.7 Board Traffic .......................................................................................................................................................... 169
8.2.8 IP Location Top N .................................................................................................................................................. 171
8.2.9 IP Location Traffic ................................................................................................................................................. 173
8.3 Anomaly/Attack Analysis ......................................................................................................................................... 175
8.3.1 Anomaly/Attack Details ......................................................................................................................................... 175
8.3.2 Anomaly/Attack Top N .......................................................................................................................................... 177
8.3.3 Attack Top N .......................................................................................................................................................... 180
8.3.4 Distribution of Anomaly/Attack Types .................................................................................................................. 182
8.3.5 Packet Discarding Trend ........................................................................................................................................ 184

8.4 DNS Analysis ........................................................................................................................................................... 186


8.4.1 Top N Request Trend ............................................................................................................................................. 186
8.4.2 Top N Response Trend ........................................................................................................................................... 188
8.4.3 Cache Request Trend ............................................................................................................................................. 190
8.4.4 Request Category Trend......................................................................................................................................... 192
8.4.5 Resolution Success Ratio ....................................................................................................................................... 195
8.4.6 Abnormal Packet Analysis ..................................................................................................................................... 197
8.5 HTTP(S) Analysis ..................................................................................................................................................... 199
8.5.1 Top N HTTP Request Sources by Traffic .............................................................................................................. 199
8.5.2 Top N HTTPS Request Sources by Traffic ............................................................................................................ 202
8.5.3 Top N Requested URL ............................................................................................................................................ 204
8.5.4 Top N Requested Host ........................................................................................................................................... 206
8.6 Comprehensive Report ............................................................................................................................................. 208
8.6.1 Querying Comprehensive Reports ......................................................................................................................... 208
8.6.2 Managing Scheduled Task ..................................................................................................................................... 211
8.6.2.1 Creating a Scheduled Task .................................................................................................................................. 212
8.6.3 Downloading Report .............................................................................................................................................. 214
8.7 Report Customization ............................................................................................................................................... 215
8.7.1 Customizing Report-Related Information .............................................................................................................. 215
8.7.2 Configuring IP Description .................................................................................................................................... 215

9 System Management ................................................................................................................ 218


9.1 Configuring the System Administrators .................................................................................................................... 218
9.1.1 Introduction to System Administrators .................................................................................................................. 218
9.1.2 Managing Administrators ...................................................................................................................................... 219
9.1.2.1 Creating an Administrator ................................................................................................................................... 220
9.1.2.2 Modifying an Administrator Group .................................................................................................................... 223
9.1.3 Managing Administrator Groups ........................................................................................................................... 224
9.1.3.1 Creating an Administrator Group........................................................................................................................ 224
9.1.3.2 Modifying an Administrator Group .................................................................................................................... 225
9.1.4 Managing Online Administrators ........................................................................................................................... 225
9.1.5 Configuring the System Security Policy ................................................................................................................ 226
9.1.6 Configuring the Authentication Server .................................................................................................................. 229
9.2 System Maintenance ................................................................................................................................................. 231
9.2.1 Performance Monitoring ........................................................................................................................................ 231
9.2.2 Dumping the Operation Logs ................................................................................................................................ 232
9.2.3 Dumping the Alarms .............................................................................................................................................. 234
9.2.4 Maintaining Anti-DDoS Data ................................................................................................................................ 236
9.2.5 Backing Up and Restoring Configuration Files ..................................................................................................... 238
9.2.5.1 Backing Up a Configuration File ........................................................................................................................ 238
9.2.5.2 Restoring a Configuration File............................................................................................................................ 239
9.3 Log Management ...................................................................................................................................................... 241

9.3.1 Introduction to Log Management .......................................................................................................................... 241


9.3.2 Searching for an Operation Log ............................................................................................................................. 242
9.3.3 Querying Device Operation Logs .......................................................................................................................... 244
9.3.4 Querying Syslog Interworking Logs ...................................................................................................................... 245
9.4 Notification Server .................................................................................................................................................... 245
9.4.1 Mail Server ............................................................................................................................................................ 245
9.4.2 SMS Server ............................................................................................................................................................ 247
9.4.3 Syslog Server ......................................................................................................................................................... 248

1 Conventions

This chapter describes the conventions used in this document for symbols, formatting, and forms of expression.

Content Conventions
The purchased products, services and features are stipulated by the contract made between
Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and
features described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and recommendations
in this document are provided "AS IS" without warranties, guarantees or representations of
any kind, either express or implied.

Feature Conventions
The following operations may involve the collection of user communication information.
Huawei does not collect or store user communication information on its own. You are advised
to enable these functions only for permitted purposes and within the scope defined by local laws
and regulations. When using them, you are obligated to take adequate measures to ensure that user
communication information is fully protected while it is being used and stored.

Traffic mirrored by port-mirroring-capable routers is the basis for traffic statistics and
analysis on a detection device, but it may involve the collection of user communication
information. You can configure a detection device to discard mirrored traffic
after the traffic statistics have been collected.

Packet capturing is vital to attack source tracing and attack feature analysis, but it may
involve the collection of user communication information. The product provides
permission control over such functions. You are advised to clear packet capture records
after attack source tracing and traffic analysis are complete.

The anti-DDoS collector collects only traffic logs, not user communication information.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol      Description
[symbol]    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
[symbol]    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
[symbol]    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
[symbol]    Indicates a tip that may help you solve a problem or save time.
[symbol]    Provides additional information to emphasize or supplement important points of the main text.

General Conventions
The general conventions that may be found in this document are defined as follows.
- Times New Roman: Normal paragraphs are in Times New Roman.
- Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
- Italic: Book titles are in italics.
- Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions
The command conventions that may be found in this document are defined as follows.
- Boldface: The keywords of a command line are in boldface.
- Italic: Command arguments are in italics.
- [ ]: Items (keywords or arguments) in brackets [ ] are optional.
- { x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
- [ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
- { x | y | ... } *: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
- [ x | y | ... ] *: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
- &<1-n>: The parameter before the & sign can be repeated 1 to n times.
- #: A line starting with the # sign is a comment.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
- Boldface: Buttons, menus, parameters, tabs, window titles, and dialog titles are in boldface. For example, click OK.
- >: Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.

Keyboard Operations
The keyboard operations that may be found in this document are defined as follows.
- Key: Press the key. For example, press Enter and press Tab.
- Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
- Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations
The mouse operations that may be found in this document are defined as follows.
- Click: Select and release the primary mouse button without moving the pointer.
- Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
- Drag: Press and hold the primary mouse button and move the pointer to a certain position.

2 Safety Information

Observe the safety information to ensure the normal operation of the ATIC.

Hardware Operations

- It is recommended to configure an independent uninterruptible power supply (UPS) for the ATIC server to protect the hardware, system, and data from unexpected power failure. If the ATIC server is not configured with a UPS, the administrator must properly shut down the ATIC process, the database, and the power, one by one, after receiving notice of an upcoming power cut and before the power cut occurs.
- To shut down the ATIC server, you must follow the proper shutdown method in all situations. It is forbidden to switch off the hardware power directly to shut down the ATIC server; otherwise, the system may fail to recover.
- It is recommended to check the network communication every day according to the daily maintenance items to protect the network communication from disruption.
- It is forbidden to remove the network cable from the server at will when the ATIC is running. If you really need to remove the network cable, stop the ATIC service first.

Software Operations

- Do not install unnecessary software on the ATIC server.
- Do not use the ATIC server to browse Web pages. Do not set up unnecessary shared directories. Ensure that the permissions on any shared directory are explicitly specified.
- Do not connect other computers to the network where the ATIC server resides, to avoid IP address conflicts and virus infection.
- Set the properties of the OS, database, and ATIC passwords by level, and assign the passwords to the maintenance owner only. Only the maintenance owner has the administrator password. Passwords should be strictly managed with clearly defined properties.
- Check and test the ATIC periodically according to the maintenance item list and keep a record of each check. After you discover a problem, handle it in time. For problems that cannot be solved, contact the local office or customer service center in time.

ATIC Operations

- It is forbidden to change the system time when the ATIC is running. Set the system time before you install the ATIC. Shut down the ATIC server before you change the system time, and restart the ATIC server after the system time is changed. Do not set the system clock of the server ahead; otherwise, data will become inconsistent.
- To log in to Windows, you must use the user name that was used to install the ATIC. Do not change the user name for logging in to Windows.
- During the use of the ATIC, ensure that data on the NE and data on the ATIC are consistent.
- Back up the database periodically to minimize the loss when errors occur.
- It is recommended to synchronize NE data to the ATIC and query the latest NE data before you set parameters.
- The ATIC displays a message for dangerous operations. Pay attention to such warnings.
- Do not set the NE to a language other than Chinese or English; otherwise, search results will be displayed as garbled characters on the ATIC interface.

3 Alarm

About This Chapter

3.1 Managing Alarms
You can use the alarm confirmation mechanism to verify that the current alarm is handled in time. In addition, you can add alarm maintenance experiences to each alarm, facilitating system maintenance and sharing experiences.
3.2 Alarm Notification
This section describes the settings of remote and voice notifications.

3.1 Managing Alarms


You can use the alarm confirmation mechanism to verify that the current alarm is handled in
time. In addition, you can add alarm maintenance experiences to each alarm, facilitating
system maintenance and sharing experiences.

3.1.1 Managing Current Alarms


The current alarms include all uncleared alarms. You can use the alarm confirmation mechanism to verify that the current alarm is handled in time. You can also export the alarms from the alarm database as files.

Procedure
Step 1 Choose Alarms > Alarm Management > Current Alarms.
Step 2 Managing current alarms includes the following operations:

Confirm
The confirmed state indicates that the alarm is handled. According to the alarm confirmation status, you can distinguish unhandled alarms from handled alarms, and handle the unhandled alarms in time.
a. Select one or more alarms whose Confirmed status is Unconfirmed.
b. Click the confirm button. The confirmation dialog box is displayed.
c. Click OK.
The ATIC Management center changes the status of the specified alarm to Confirmed after receiving the instruction for confirming the alarm. Meanwhile, the ATIC Management center records the confirmation person and time, refreshes all the alarm display windows on the client, and updates the data in the alarm database.

Cancel confirmation
Cancel the confirmation of a confirmed alarm.
a. Select one or more alarms whose Confirmed status is Confirmed.
b. Click the cancel confirmation button. The confirmation dialog box is displayed.
c. Click OK. The status of the selected alarms is changed to Unconfirmed.

Clear
In some special situations, for example, when the communication between the ATIC Management center and a device is disrupted, the clearance alarms reported by the device may be lost. When this happens, these alarms will not be cleared automatically if the device does not support the alarm verification function. To solve this problem, the ATIC Management center supports manually clearing the alarms, that is, manually changing the state of the alarms from uncleared to cleared.
a. Select one or more alarms whose Confirmed status is Confirmed.
b. Click the clear button. The confirmation dialog box is displayed.
c. Click OK.
All the selected alarms are moved from the current alarm list to the past alarm list. The ATIC Management center records the clearance person and time, refreshes all the alarm display windows on the client, and updates the data in the alarm database.

Export
Export some important alarms to a file, helping the administrator locate and analyze problems.
a. Select one or more alarms.
b. Click the export button. The File Download dialog box is displayed.
c. Click Save. The Save As dialog box is displayed.
d. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save. The selected alarms are exported to the specified local path.

Export all
Export all the current alarms to a file, helping the administrator locate and analyze problems.
a. Click the export all button. The File Download dialog box is displayed.
b. Click Save. The Save As dialog box is displayed.
c. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save. All the current alarms are exported to the specified local path.

Refresh
The refresh policy can be Refresh every 15 seconds, Refresh every 30 seconds, Refresh every 60 seconds, or Stop Refresh.
Refresh every 30 seconds is selected by default. This means that the ATIC Management center server polls every 30 seconds. Once a new alarm occurs, the ATIC Management center refreshes it into the current alarm list.

Search
Set the conditions to search for the desired alarms. The search method can be the basic search or the advanced search.
- When you select Search, you can search for alarms by alarm severity.
- When you select Advanced Search, you can search for alarms by alarm severity, alarm type, confirmation status, alarm source, and alarm occurrence time.
- You can click Reset to clear all the specified parameter values.

View
You can click the name of an alarm to view its details.
i. Click the name of an alarm. The page showing the details about the alarm is displayed.
ii. View the basic information and modification suggestions of the alarm.
You can click the times of an alarm to view the occurrence time, confirmation status and time, clearance status and time, and notification type of the alarm. According to the alarm notification type, you can know whether the alarm is a new alarm, a manual clear, or an automatic clear.

----End
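The alarm lifecycle described in the procedure above (confirm, cancel confirmation, manual clear with its confirmed-first precondition, and the person/time audit fields), written out as an added example. This is not ATIC code: the in-memory store, the operator strings, the caller-supplied timestamps and the CSV export format are all assumptions made for the illustration.

```python
"""Added example (not ATIC code): a model of the current-alarm lifecycle
described above, covering confirm, cancel confirmation and clear, together with
the audit fields (person and time) that the management center records.
Assumptions: in-memory records, operators as plain strings, caller-supplied
timestamps, CSV as the export format.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Alarm:
    name: str
    severity: str
    source: str
    occurred_at: datetime
    confirmed: bool = False
    confirmed_by: Optional[str] = None
    confirmed_at: Optional[datetime] = None
    cleared: bool = False
    cleared_by: Optional[str] = None
    cleared_at: Optional[datetime] = None
    # Notification type shown on the alarm details page:
    # "new", "manual clear" or "automatic clear".
    notification_type: str = "new"


class AlarmStore:
    """Current alarms are the uncleared ones; clearing moves an alarm to the past list."""

    def __init__(self) -> None:
        self.current: List[Alarm] = []
        self.past: List[Alarm] = []

    def raise_alarm(self, alarm: Alarm) -> None:
        self.current.append(alarm)

    def confirm(self, alarm: Alarm, operator: str, now: datetime) -> None:
        # Only alarms whose Confirmed status is Unconfirmed can be confirmed.
        if alarm.confirmed:
            raise ValueError("alarm is already confirmed")
        alarm.confirmed, alarm.confirmed_by, alarm.confirmed_at = True, operator, now

    def cancel_confirmation(self, alarm: Alarm) -> None:
        if not alarm.confirmed:
            raise ValueError("alarm is not confirmed")
        alarm.confirmed, alarm.confirmed_by, alarm.confirmed_at = False, None, None

    def clear_manually(self, alarm: Alarm, operator: str, now: datetime) -> None:
        # Manual clear is offered for confirmed current alarms only (step a under Clear).
        if alarm not in self.current:
            raise ValueError("alarm is not a current alarm")
        if not alarm.confirmed:
            raise ValueError("confirm the alarm before clearing it manually")
        self._clear(alarm, operator, now, "manual clear")

    def clear_automatically(self, alarm: Alarm, now: datetime) -> None:
        # Clearance reported by the device itself needs no operator or confirmation.
        if alarm not in self.current:
            raise ValueError("alarm is not a current alarm")
        self._clear(alarm, "device", now, "automatic clear")

    def _clear(self, alarm: Alarm, operator: str, now: datetime, how: str) -> None:
        alarm.cleared, alarm.cleared_by, alarm.cleared_at = True, operator, now
        alarm.notification_type = how
        self.current.remove(alarm)
        self.past.append(alarm)

    @staticmethod
    def export(alarms: List[Alarm]) -> str:
        """Export the selected alarms as CSV text."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["name", "severity", "source", "occurred_at", "confirmed",
                         "confirmed_by", "cleared", "cleared_by", "notification_type"])
        for a in alarms:
            writer.writerow([a.name, a.severity, a.source, a.occurred_at.isoformat(),
                             a.confirmed, a.confirmed_by or "", a.cleared,
                             a.cleared_by or "", a.notification_type])
        return buf.getvalue()


def demo_manual_clear() -> AlarmStore:
    """Walk one constructed alarm through confirm and manual clear."""
    store = AlarmStore()
    t0 = datetime(2015, 7, 20, 9, 0, 0)
    alarm = Alarm("SYN flood detected", "Critical", "Zone-A", t0)  # constructed sample
    store.raise_alarm(alarm)
    store.confirm(alarm, "operator1", t0.replace(minute=5))
    store.clear_manually(alarm, "operator1", t0.replace(minute=30))
    return store


def demo_device_clear() -> Tuple[AlarmStore, bool]:
    """Unconfirmed alarm: manual clear is refused, device-reported clear is accepted."""
    store = AlarmStore()
    t0 = datetime(2015, 7, 20, 10, 0, 0)
    alarm = Alarm("UDP flood detected", "Major", "Zone-B", t0)  # constructed sample
    store.raise_alarm(alarm)
    refused = False
    try:
        store.clear_manually(alarm, "operator1", t0)
    except ValueError:
        refused = True
    store.clear_automatically(alarm, t0.replace(minute=10))
    return store, refused
```

The precondition in clear_manually is the point worth noticing: because the manual clear is only offered for confirmed alarms, an alarm cannot disappear from the current list without an operator having first acknowledged it, and the exported record shows who confirmed and who cleared it.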

3.1.2 Managing Past Alarms


The past alarms include all cleared alarms. You can export one, more, or all past alarms.

Procedure
Step 1 Choose Alarms > Alarm Management > Past Alarms.
Step 2 Managing past alarms includes the following operations:

Export
Export some important alarms to a file, helping the administrator locate and analyze problems.

If Internet Explorer applies its default security policy, the message "To help protect your security, Internet Explorer blocked this site from downloading files to your computer" is displayed upon an export operation. In this case, right-click the message and choose Download File from the shortcut menu. After the interface is refreshed, export the alarms again.

a. Select one or more alarms.
b. Click the export button. The File Download dialog box is displayed.
c. Click Save. The Save As dialog box is displayed.
d. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save. The selected alarms are exported to the specified local path.

Export all
Export all the past alarms to a file, helping the administrator locate and analyze problems.
a. Click the export all button. The File Download dialog box is displayed.
b. Click Save. The Save As dialog box is displayed.
c. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save. All the past alarms are exported to the specified local path.

Search
Set the conditions to search for the desired alarms. The search method can be the basic search or the advanced search.
- When you select Search, you can search for alarms by alarm severity.
- When you select Advanced Search, you can search for alarms by alarm severity, confirmation status, alarm source, and alarm occurrence time.
- You can click Reset to clear all the specified parameter values.

View
You can click the name of an alarm to view its details.
i. Click the name of an alarm. The page showing the details about the alarm is displayed.
ii. View the basic information and modification suggestions of the alarm.
You can click the times of an alarm to view the occurrence time, confirmation status and time, clearance status and time, and notification type of the alarm. According to the alarm notification type, you can know whether the alarm is a new alarm, a manual clear, or an automatic clear.

----End


3.1.3 Alarm Severity Rule


The anti-DDoS device can automatically specify severity levels for the alarms triggered by
DDoS attacks or anomalies based on the configured rules.

Context
The anti-DDoS device provides four severity levels for the alarms:
- Critical
- Major
- Minor
- Warning

Alarm severity may change during DDoS attacks. As the attack traffic volume increases or decreases, alarms in the ATIC management center need to record both the highest level and the current level.

Procedure
Step 1 Choose Alarms > Alarm Management > Alarm Severity Rule.
Step 2 In the Alarm Severity Rule area, click the create button.
Step 3 For the parameters of user-defined alarm severity rules, see Table 3-1.
Table 3-1 Parameters of user-defined alarm severity rules
- Incoming Traffic (Mbps): Incoming traffic bandwidth per second
- Incoming Traffic (pps): Incoming packets per second
- Concurrent Connections: Number of concurrent connections
- New Connections: Number of new connections per second
- Duration: Attack or anomaly duration
- Action: Create The Diversion Task or Do Not Create The Diversion Task

----End
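The rule evaluation that Table 3-1 describes, carried through in code as an added example (not ATIC code): traffic samples are checked against user-defined rules with the five Table 3-1 parameters and the Action column, and, as the Context notes, the alarm keeps both its highest and its current severity while the attack volume rises and falls. Several details are assumptions of mine, not product behaviour: rules are checked from Critical down to Warning and the first rule whose thresholds are reached wins, a threshold left as None is unused, and a rule is reached when any of its configured thresholds is met. All thresholds and samples are constructed values.

```python
"""Added example (not ATIC code): evaluating attack-traffic samples against
user-defined alarm severity rules (Table 3-1 parameters) and recording the
highest and current severity of one alarm as the attack volume changes.
Assumed semantics: most severe matching rule wins; None = threshold unused;
a rule is reached when ANY configured threshold is met.
"""
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_ORDER = ("Critical", "Major", "Minor", "Warning")  # most to least severe
RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}


@dataclass
class Sample:
    """One measurement of the traffic towards a protected object (constructed)."""
    incoming_mbps: float
    incoming_pps: float
    concurrent_connections: int
    new_connections: int
    duration_s: int


@dataclass
class SeverityRule:
    severity: str
    incoming_mbps: Optional[float] = None
    incoming_pps: Optional[float] = None
    concurrent_connections: Optional[int] = None
    new_connections: Optional[int] = None
    duration_s: Optional[int] = None
    create_diversion_task: bool = False  # Action column of Table 3-1

    def reached(self, s: Sample) -> bool:
        checks = [
            (self.incoming_mbps, s.incoming_mbps),
            (self.incoming_pps, s.incoming_pps),
            (self.concurrent_connections, s.concurrent_connections),
            (self.new_connections, s.new_connections),
            (self.duration_s, s.duration_s),
        ]
        return any(limit is not None and value >= limit for limit, value in checks)


def evaluate(sample: Sample, rules: List[SeverityRule]) -> Optional[SeverityRule]:
    """Return the most severe rule the sample reaches, or None if no rule applies."""
    for rule in sorted(rules, key=lambda r: RANK[r.severity]):
        if rule.reached(sample):
            return rule
    return None


class AttackAlarm:
    """Keeps the highest and the current severity over the life of one attack."""

    def __init__(self) -> None:
        self.highest: Optional[str] = None
        self.current: Optional[str] = None
        self.diversion_requested = False

    def update(self, sample: Sample, rules: List[SeverityRule]) -> Optional[str]:
        rule = evaluate(sample, rules)
        self.current = rule.severity if rule else None
        if rule is not None:
            if self.highest is None or RANK[rule.severity] < RANK[self.highest]:
                self.highest = rule.severity
            if rule.create_diversion_task:
                self.diversion_requested = True
        return self.current


# Constructed rule set: the thresholds are illustrative, not product defaults.
EXAMPLE_RULES = [
    SeverityRule("Warning", incoming_mbps=100, duration_s=60),
    SeverityRule("Minor", incoming_mbps=500, incoming_pps=200_000),
    SeverityRule("Major", incoming_mbps=2_000, incoming_pps=1_000_000,
                 create_diversion_task=True),
    SeverityRule("Critical", incoming_mbps=8_000, new_connections=50_000,
                 create_diversion_task=True),
]

# Constructed traffic samples: the attack ramps up and then subsides.
EXAMPLE_SAMPLES = [
    Sample(150, 30_000, 5_000, 200, 30),
    Sample(2_500, 900_000, 40_000, 8_000, 90),
    Sample(9_000, 3_000_000, 120_000, 60_000, 150),
    Sample(600, 250_000, 20_000, 1_000, 400),
    Sample(20, 2_000, 500, 10, 700),
]


def run_attack(samples: List[Sample], rules: List[SeverityRule] = EXAMPLE_RULES) -> AttackAlarm:
    alarm = AttackAlarm()
    for s in samples:
        alarm.update(s, rules)
    return alarm
```

Run over EXAMPLE_SAMPLES the alarm peaks at Critical (third sample) and ends at Warning, because the last sample no longer reaches any bandwidth threshold but its duration still does; the highest level is what an operator triaging the alarm afterwards needs, the current level is what the refresh shows now.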

3.2 Alarm Notification


This section describes the settings of remote and voice notifications.


3.2.1 Managing Remote Notification


The ATIC Management center provides remote alarm notification by email. This enables the maintenance personnel to learn about device alarms at any time.
Choose Alarms > Alarm Notification > Remote Notification to manage the remote alarm notification.
- Create: Click the create button to create a remote alarm notification rule. For details about this operation, see 3.2.1.1 Creating the Remote Notification Rule.
- Modify: Click the name of a remote notification rule. The page showing the details about the remote notification rule is displayed. Click the modify button on this page to modify the basic information, notification target, resource information, and alarm information about the notification rule. For details about this operation, see 3.2.1.2 Modifying the Remote Notification Rule.
- Enable: Select one or more remote notification rules that are in the Disabled state, and click the enable button to enable the selected remote notification rules. After the remote notification rules are enabled, the alarm information will be sent to the specified email addresses.
- Disable: Select one or more remote notification rules that are in the Enabled state, and click the disable button to disable the selected remote notification rules. After the remote notification rules are disabled, the alarm information will not be sent to the specified email addresses.
- Search: Enter the full or partial name of a remote notification rule or resource and click the search button. The remote notification rules that meet the search condition are displayed in the Remote Notifications list. If no remote notification rule meets the search conditions, the Remote Notifications list is empty.
- Delete: Select one or more remote notification rules and click the delete button to delete the selected remote notification rules.

NOTE
Deleting notification rules cannot be undone. Perform this operation with caution.

3.2.1.1 Creating the Remote Notification Rule


After you create and enable the remote alarm notification, the alarm information will be sent
to the maintenance personnel's email address in emails. This enables the maintenance
personnel to learn about the network status in time.

Context
You can use the configured mail or SMS server to send the alarm information to the specified
email address to learn about the device status in time. For details about how to configure the
notification server, see 10.4 Notification Server.


Procedure
Step 1 Choose Alarms > Alarm Notification > Remote Notification.
Step 2 Click the create button.
Step 3 Set the parameters of the remote alarm notification rule, as described in Table 3-2.
Table 3-2 Setting the parameters of the remote alarm notification rule
- Name: Name of the remote alarm notification. The name can contain only 1 to 32 letters, Chinese characters, digits, hyphens, or underscores and must start with a letter, Chinese character, or underscore.
- Status: Indicates whether the remote alarm notification is enabled. Select Enable or Disable. When you do not need to use the remote alarm notification, you can set this parameter to Disable. You can click the enable button to enable the remote alarm notification again later.
- Start time: Time when the remote notification starts to take effect. Click the button next to the field to select the start time, then click OK or double-click the selected time. The start time of the remote notification cannot be later than the end time.
- End time: Time when the validity of the remote notification ends. Click the button next to the field to select the end time, then click OK or double-click the selected time. The end time of the remote notification cannot be earlier than the start time.
- Sending language: Language of the remote alarm notification. The remote alarm notification can be in Simplified Chinese or English.
- Sending contents: Contents of the remote alarm notification. Optional fields include Severity, Name, Type, Source, Occurred at, Clear Status, Description, and Location message.
- Description: Brief description of the remote alarm notification rule, helping the maintenance personnel learn about the rule without viewing the rule details. The description contains a maximum of 128 characters.


Step 4 Click Next. Select the type of resource to which the remote alarm notification will be applied from the resource tree on the left, and select the resource from the resource list on the right. Only one type can be selected. In the resource list on the right, you can search for the desired resources by name or IP address.
Such resources are alarm sources. For example, if Zone is selected for resources, the remote notification function is applied to alarms generated by the anti-DDoS component of the ATIC Management center. If AntiDDoS is selected for resources, the remote notification function is applied to alarms generated by the AntiDDoS. If Management System is selected for resources, the remote notification function is applied to alarms generated by the ATIC Management center system itself.

Step 5 Click Next. Select the alarms to send for the remote notification.
You can search for the desired alarms by setting the alarm severity level (critical, major, minor, or info). Then, select the specific alarms to send. For example, you can set Critical for the alarm severity level to search for all the critical alarms of the device, and select the specific alarms to send.
Step 6 Click Next. Select the sending mode, and add the mobile phone number or email address for receiving remote notification messages.
- You can click the add button to add a mobile phone number or email address, or the delete button to delete an existing one. You can set relevant information about the mobile phone number or email address to be added.
- Either the mobile phone number or the email address must be specified.
- A maximum of 10 mobile phone numbers or email addresses can be added at a time. Each mobile phone number or email address must be unique.

Step 7 Click Finish.

----End

Result
- If the notification server parameters are pre-specified, the recipient mailbox receives the alarm once the specified alarm occurs after the remote notification is created successfully.
- If the remote notification rule has expired, the state of the rule in the list is Expired.
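The constraints that Table 3-2 and Step 6 place on a remote notification rule (name syntax, start time not later than end time, sending language, sending contents, description length, 1 to 10 unique recipients that are phone numbers or email addresses), collected into one validation routine as an added example; it also derives the Expired state mentioned under Result. This is not ATIC code: the RemoteNotificationRule structure, the email and phone number formats, the Expired-when-end-time-has-passed mapping and the sample rule values are my assumptions.

```python
"""Added example (not ATIC code): validating a remote notification rule against
the constraints of Table 3-2 and Step 6 before it is submitted, plus the Expired
state from Result. Recipient formats, the rule structure and the state mapping
are assumptions; sample values are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# 1 to 32 letters, Chinese characters, digits, hyphens or underscores,
# starting with a letter, Chinese character or underscore (Table 3-2, Name).
NAME_RE = re.compile(r"^[A-Za-z_\u4e00-\u9fff][A-Za-z0-9_\-\u4e00-\u9fff]{0,31}$")
# Assumed recipient formats; the guide only requires a phone number or an email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9]{6,15}$")

LANGUAGES = {"Simplified Chinese", "English"}
CONTENT_FIELDS = {"Severity", "Name", "Type", "Source", "Occurred at",
                  "Clear Status", "Description", "Location message"}
MAX_RECIPIENTS = 10
MAX_DESCRIPTION = 128


@dataclass
class RemoteNotificationRule:
    name: str
    start_time: datetime
    end_time: datetime
    language: str
    contents: List[str]
    recipients: List[str]  # mobile phone numbers and/or email addresses
    enabled: bool = True
    description: str = ""


def validate(rule: RemoteNotificationRule) -> List[str]:
    """Return the list of constraint violations; an empty list means the rule is valid."""
    errors: List[str] = []
    if not NAME_RE.match(rule.name):
        errors.append("name: 1-32 letters, Chinese characters, digits, hyphens or "
                      "underscores, starting with a letter, Chinese character or underscore")
    if rule.start_time > rule.end_time:
        errors.append("start time cannot be later than end time")
    if rule.language not in LANGUAGES:
        errors.append("sending language must be Simplified Chinese or English")
    unknown = set(rule.contents) - CONTENT_FIELDS
    if unknown:
        errors.append("unknown sending contents: " + ", ".join(sorted(unknown)))
    if len(rule.description) > MAX_DESCRIPTION:
        errors.append("description exceeds 128 characters")
    if not rule.recipients:
        errors.append("either a mobile phone number or an email address must be specified")
    if len(rule.recipients) > MAX_RECIPIENTS:
        errors.append("at most 10 mobile phone numbers or email addresses")
    if len(set(rule.recipients)) != len(rule.recipients):
        errors.append("mobile phone numbers and email addresses must be unique")
    for r in rule.recipients:
        if not (EMAIL_RE.match(r) or PHONE_RE.match(r)):
            errors.append(f"recipient {r!r} is neither a mobile phone number nor an email address")
    return errors


def rule_state(rule: RemoteNotificationRule, now: datetime) -> str:
    """State shown in the rule list: Expired once the end time has passed (assumed),
    otherwise Enabled or Disabled."""
    if now > rule.end_time:
        return "Expired"
    return "Enabled" if rule.enabled else "Disabled"


def example_rule() -> RemoteNotificationRule:
    """A constructed rule that satisfies every constraint (recipients are placeholders)."""
    return RemoteNotificationRule(
        name="noc_critical_2015",
        start_time=datetime(2015, 7, 20, 0, 0),
        end_time=datetime(2015, 12, 31, 23, 59),
        language="English",
        contents=["Severity", "Name", "Source", "Occurred at"],
        recipients=["noc@example.com", "+8613800000000"],
        description="Critical anti-DDoS alarms to the NOC mailbox",
    )


def broken_rule() -> RemoteNotificationRule:
    """A constructed rule that violates the name, time-order and recipient rules."""
    r = example_rule()
    r.name = "1st-rule"                      # starts with a digit
    r.start_time, r.end_time = r.end_time, r.start_time
    r.recipients = ["noc@example.com"] * 11  # duplicates, and more than 10
    return r


def state_examples() -> Tuple[str, str]:
    """The example rule seen during its validity period and after its end time."""
    r = example_rule()
    return rule_state(r, datetime(2015, 8, 1)), rule_state(r, datetime(2016, 1, 1))
```

Running validate on a rule before creating it in the GUI catches the errors the wizard would otherwise reject one page at a time; the Expired check is the same comparison the list view needs when it decides whether a rule can still deliver mail.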

3.2.1.2 Modifying the Remote Notification Rule


Modifying the remote alarm notification enables you to reset the basic information,
notification target, alarm device, and alarm information about the remote notification.

Context
You cannot modify the remote notification rule in Expired state.

Procedure
Step 1 Choose Alarms > Alarm Notification > Remote Notification.
Step 2 Click the name of a remote notification.


Step 3 Modify the basic information about the remote notification.
1. Click the modify button in the Basic Information area.
2. Modify the information except the name. For details about how to set the remote notification parameters, see 3.2.1.1 Creating the Remote Notification Rule.
3. Click OK.

Step 4 (Optional) Modify the notification target.
1. Click the modify button in the Notification Target area.
2. Select the sending mode, and add the email address for receiving the alarm information.
3. Click OK.

Step 5 (Optional) Select the alarm devices.
You can do as follows to re-select the alarm devices.
- Click the add button in the Resources area to select the alarm devices.
- Select the devices that do not need the remote alarm notification and click the delete button to delete the selected devices from the resource list. You can also enter the full or partial name of a device and click the search button to search for the devices that you want to delete.

Step 6 (Optional) Select the alarms to send.
You can do as follows to re-select the alarms to send.
- Click the add button in the Notify Alarms area to select the alarms to send.
- Select the alarms that do not need to be sent and click the delete button to delete the selected alarms from the alarm list. You can also select the severity from the drop-down box and click the search button to search for the alarms that you want to delete.

----End

3.2.2 Configuring the Sound Notification

You can set different sounds for alarms at different levels. When the ATIC Management center receives an alarm, the sound box of the client host plays the audio notification for the highest-level Uncleared and Unconfirmed alarms.

Context
- The alarm severity level can be critical, major, minor, or warning. The sound type can be Normal or Cyclic for each alarm severity level. If the sound type is set to Normal, the system plays the audio notification every thirty seconds for the highest-level Uncleared and Unconfirmed alarms. If the sound type is set to Cyclic, the system plays cyclic audio notifications for the Uncleared and Unconfirmed alarms. It is recommended to set Cyclic for critical and major alarms in case the maintenance personnel are temporarily not on site and cannot hear the alarm sound.
- You can click Restore Defaults to set the alarm sound to the default value. The sound notification is enabled for Critical alarms by default.
- There is no sound notification for alarms occurring on masked resources or for confirmed alarms.
- It is not recommended to disable the sound notification for all levels of alarms, to avoid delayed handling of alarms.

Procedure
Step 1 Choose Alarms > Alarm Notification > Audible Notification.
Step 2 Click the modify button.
Step 3 Select an alarm severity level on the Modify Alarm Sound page to enable the sound notification for this alarm severity level.
Step 4 Select a sound warning type from the Type drop-down list box.
You can click the play button to test the sound of the selected sound file. When the sound type is set to Cyclic, the audio stops after the system plays the cyclic audio for 7 seconds.
Step 5 Click OK.
You can click Restore Defaults to set the alarm sound to the default value.

----End

Follow-up Procedure
You can click the mute button in the upper right corner of the ATIC Management center interface to enable or disable the mute function.

4 Initial Configuration of the Management Center

About This Chapter

Initial configurations are basic configurations of anti-DDoS services in the ATIC management center, covering adding anti-DDoS devices, adding collectors, binding anti-DDoS devices and collectors, and creating defense groups for identifying anti-DDoS devices.
4.1 Logging In to the ATIC Management center
This section describes how to log in to the ATIC Management center.
4.2 Customizing a Homepage
By customizing a homepage, you can place real-time interface traffic comparison, Zone traffic comparison, and alarm monitoring on the homepage.
4.3 Adding Devices
A device must be added before you can perform other operations.
4.4 Configuring a Collector
The management center is comprised of the ATIC server and collectors. The collectors collect, parse, summarize, and store traffic and logs from anti-DDoS devices. Therefore, collectors need to be added to the ATIC during the configuration of anti-DDoS services. You can view the performance data of the added anti-DDoS collectors, modify the collectors, or delete them.
4.5 Configuring the Defense Group
A defense group identifies the collection and networking of anti-DDoS devices. If an AntiDDoS is deployed in off-line mode, traffic diversion can be implemented only after the detecting device and cleaning device are added to the same defense group.

4.1 Logging In to the ATIC Management center


The section describes how to log in to the ATIC Management center.


Prerequisites
The installation of the ATIC Management center server software is complete. For details, see
Installation Guide.

Context
Upon the first login, use the default super administrator account admin and password
Admin@123.

Procedure
Step 1 Open the Web browser.
The ATIC Management center supports Internet Explorer 8.0, Firefox 3.6, and later versions of Firefox.
Step 2 Enter https://server IP address:port (the port can be omitted if port 443 is used.) in the
address bar and press Enter.
Step 3 Select a language on the login page and enter the correct user name, password, and
verification code.
The default user name is admin and its password is Admin@123.
Step 4 Click Log In.
Step 5 The system prompts that Initial login.Please change your password. on the Web page. Enter
a new password and confirm it. Then click OK.
Step 6 Click OK in the Succeeded dialog box.
----End

4.2 Customizing a Homepage


By customizing a homepage, you can place real-time interface traffic comparison, Zone traffic
comparison, and alarm monitoring on the homepage.

Context
The administrator can query only customized content.

Procedure
Step 1 On the ATIC Management center homepage, click the customize button.
Step 2 Click the create button.
Step 3 On the Create Homepage Customization Profile page, select the content to be customized, set the given conditions, and click OK.
The customized content is displayed on the homepage.
- A maximum of 12 items can be displayed on the homepage.
- Interface traffic and Zone traffic are refreshed every 10 seconds and every 70 seconds, respectively.
- The homepage displays only the several latest alarms.
Step 4 Drag the customized content to a proper position and click the save button to save the current layout.

----End

4.3 Adding Devices

A device must be added before you can perform other operations.

4.3.1 Creating an AntiDDoS

After the communication between the ATIC Management center and the AntiDDoS is established through SNMP, you can add the AntiDDoS.

Prerequisites
- The IP address segments of the AntiDDoS devices are known.
- Communication has been set up between the ATIC Management center server and the AntiDDoS devices.

Procedure
Step 1 Choose Defense > Network Settings > Devices.
Step 2 Click the create button.


Step 3 In the Basic Information group box, set the name and IP address of an AntiDDoS device and
set Device Type to AntiDDoS.
Step 4 Set Telnet parameters.

When you select Telnet, the ATIC Management center uses port 23 for accessing
AntiDDoS devices through Telnet by default. In this case, enter the name and password
of a Telnet user for authentication.

When you select STelnet, the ATIC Management center uses port 22 for accessing
AntiDDoS devices through STelnet by default. In this case, enter the name and password
of an STelnet user for authentication.

Step 5 Set SNMP parameters.

When you select SNMPv1 and SNMPv2c, set read and write community names.
Read community indicates the name of a read-only community and the default value is
public. Write community indicates the name of a write-only community and the default
value is private.


When you select SNMPv3, set the parameters described in Table 4-1.
The Username, Environment name, Environment engine ID, Data encryption protocol, Data
encryption password, Authentication protocol, Authentication password parameters are available
only when the type is SNMPv3.

Table 4-1 SNMPv3 template parameters

Username
  Description: User name used for accessing the AntiDDoS device.

Environment name
  Description: Name of the environment engine.
  Recommended Value: Same as the environment name on the AntiDDoS device, or blank.

Environment engine ID
  Description: Unique identifier of an SNMP engine. This ID is used together with the environment name to determine an environment that uniquely identifies an SNMP entity. An SNMP message is processed only when the environments of the sender and the recipient are the same; otherwise, the message is discarded.
  Recommended Value: Same as the environment engine ID on the AntiDDoS device.

Authentication protocol
  Description: Protocol used for verifying messages. The value can be HMACMD5, HMACSHA, or no protocol. If HMACMD5 or HMACSHA is selected, you need to set the authentication password.
  Recommended Value: Select the authentication protocol as required.
    HMACMD5 hashes a character string of any length and produces a 128-bit message digest in integer format.
    HMACSHA is more secure than HMACMD5. It produces a 160-bit message digest for binary messages not longer than 2^64 bits.

Authentication password
  Description: If an authentication protocol is used when verifying messages, you need to set the authentication password.

Data encryption protocol
  Description: Encryption protocol used when encapsulating data. The value can be DES, AES, or no encryption. If DES or AES is selected, you need to set the encryption password.
  Recommended Value: Select the encryption protocol as required.
    DES: Data Encryption Standard, an international encryption algorithm with a key length of 56 characters.
    AES: Advanced Encryption Standard. Three key lengths are available, including 128 characters.

Data encryption password
  Description: If an encryption algorithm is used when encapsulating data, you need to set the data encryption password.

Step 6 Click OK to add an AntiDDoS device.


After the AntiDDoS device is added successfully, it is displayed on the Devices page, and a default
Zone associated with the device is automatically generated on the Zone List page.
The default Zone uses the Basic-10M policy template.
----End
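Why Table 4-1 insists that the Environment engine ID match the AntiDDoS device: under RFC 3414 the authentication password is never used directly but is localized to the agent's snmpEngineID, so a wrong engine ID yields a different key and the device silently discards the message. The following is an added example for this guide, not Huawei code; it assumes that the ATIC names HMACMD5 and HMACSHA correspond to usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol, that "Environment engine ID" is the device's snmpEngineID, and it uses the published RFC 3414 appendix A.3 test vector rather than any real device value.

```python
"""RFC 3414 USM key derivation behind the SNMPv3 authentication parameters.

Added example for this guide, not Huawei code. Assumptions: ATIC's HMACMD5 /
HMACSHA map to usmHMACMD5AuthProtocol / usmHMACSHAAuthProtocol, and the
"Environment engine ID" field is the snmpEngineID of the AntiDDoS device.
"""
import hashlib
import hmac

# Table 4-1 protocol names -> hashlib algorithm names (assumption, see above)
AUTH_PROTOCOLS = {"HMACMD5": "md5", "HMACSHA": "sha1"}
MAC_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 truncate the HMAC to 96 bits

# Engine ID from RFC 3414 appendix A.3 (published test vector, not a real device)
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, protocol: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 octets (RFC 3414 A.2)."""
    if not password:
        raise ValueError("authentication password must not be empty")
    repeated = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    return hashlib.new(AUTH_PROTOCOLS[protocol], repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). This is the key the agent holds, so it
    differs for every engine ID even when the password is the same."""
    return hashlib.new(AUTH_PROTOCOLS[protocol], ku + engine_id + ku).digest()


def auth_key(password: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Localized authentication key for one (password, engine ID) pair."""
    return localize_key(password_to_key(password, protocol), engine_id, protocol)


def authenticate(msg: bytes, kul: bytes, protocol: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the message (a real encoder zeroes
    the parameter field first), truncated to 12 octets."""
    return hmac.new(kul, msg, AUTH_PROTOCOLS[protocol]).digest()[:MAC_LEN]


def verify(msg: bytes, tag: bytes, kul: bytes, protocol: str) -> bool:
    """Constant-time check of the truncated HMAC."""
    return hmac.compare_digest(authenticate(msg, kul, protocol), tag)


def accepted_by_agent(password: bytes, configured_engine_id: bytes,
                      real_engine_id: bytes, protocol: str) -> bool:
    """Does a message keyed for the engine ID configured on the manager verify
    on an agent whose actual snmpEngineID is real_engine_id? False when the
    configured ID is wrong: the agent discards the message, which is the
    failure Table 4-1 warns about."""
    msg = b"constructed SNMPv3 message body"  # constructed sample, not a real PDU
    tag = authenticate(msg, auth_key(password, configured_engine_id, protocol), protocol)
    return verify(msg, tag, auth_key(password, real_engine_id, protocol), protocol)


if __name__ == "__main__":
    kul = auth_key(b"maplesyrup", RFC3414_ENGINE_ID, "HMACSHA")
    print("localized HMACSHA key:", kul.hex())
    wrong = bytes.fromhex("000000000000000000000003")  # constructed mismatching ID
    print("accepted with wrong engine ID:",
          accepted_by_agent(b"maplesyrup", wrong, RFC3414_ENGINE_ID, "HMACSHA"))
```

The same localization step applies to the data encryption password, which is why both the authentication and encryption settings break at once when the engine ID is wrong.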

Result
Each AntiDDoS device is automatically synchronized once it is added. If synchronization fails,
rectify the fault as prompted and synchronize AntiDDoS devices manually with the ATIC
Management center.

Follow-up Procedure
If only one collector is available, the new AntiDDoS devices are automatically associated
with the collector. If multiple collectors are available, associate AntiDDoS devices with the
given collector.

4.3.2 Creating an SAS


When the SIG1000E/9280E serves as a detecting device, add the Service Analysis Server
(SAS) to the ATIC Management center. To enable the ATIC Management center to
synchronize Zones on the SIG1000E/9280E, configure the SIG1000E/9280E database of the
SAS on the ATIC Management center. Ensure that the configured database is the same as the
SIG1000E/9280E database on the SAS.


Prerequisites
Before you create an SAS, ensure that the following are available:

IP addresses of devices

SIG1000E/9280E database on the SAS

IP connectivity between the ATIC management center and the device

Context
The Service Analysis Server (SAS) is the service processing center of the SIG1000E/9280E
system. It is responsible for receiving and analyzing service information reported by the SRS,
and saving the information to the database. The ATIC Management center synchronizes
the Zones on the SIG1000E/9280E device using the SAS database.

Procedure
Step 1 Choose Defense > Network Settings > Devices.
Step 2 Click the create icon.

Step 3 In the Basic Information group box, set the name and IP address of a device and select SIG
SAS for Device Type.

Step 4 Configure the parameters. For details, see Table 4-2.


Table 4-2 Configuring the database information of the SAS

Database IP Address, Database username, Database password
  Description: Indicates the database information of the SAS.
  Value: The configured database must be the same as the SIG1000E/9280E database on the SAS.

Areas to Be Synchronized
  Description: The Zones on the SIG1000E/9280E device in the selected areas are to be synchronized to the ATIC Management center.
  Value: You can select all areas or specify some of the areas.
    All: Indicates all the configured areas on the SIG1000E/9280E device. If the number of areas configured on the SIG1000E/9280E device increases, the number of synchronized areas increases accordingly.
    Specified areas: Indicates that only the Zones in specified areas on the SIG1000E/9280E device are to be synchronized.

Step 5 Click OK.


----End

4.3.3 Creating a Syslog-linkage Device


When a Syslog-linkage Device serves as a detecting device, add the Syslog-linkage Device to the
ATIC Management center.

Prerequisites
Before you create a Syslog-linkage Device, ensure that the following are available:

IP addresses of devices

IP connectivity between the ATIC management center and the device

Context
The Syslog-linkage Device analyzes traffic and sends logs to the ATIC Management center.
After analyzing anomaly logs reported by the Syslog-linkage Device, the ATIC Management
center generates a traffic diversion task and delivers it to the cleaning device in the same
defense group.

Procedure
Step 1 Choose Defense > Network Settings > Devices.
Step 2 Click the create icon.

Step 3 In the Basic Information group box, set the name and IP address of a device and select
Syslog-linkage Device for Device Type.
Step 4 Click OK.


----End

4.4 Configuring a Collector


The management center consists of the ATIC server and collectors. The collectors collect,
parse, summarize, and store traffic and logs from anti-DDoS devices. Therefore, collectors
need to be added to the ATIC during the configuration of anti-DDoS services. You can view
the performance data of the added anti-DDoS collectors, modify the collectors, or delete
them.
Choose Defense > Network Settings > Collectors, and manage collectors.

Create: Click the create icon to add a collector in the ATIC Management center. For details, see 4.4.1 Adding a Collector.

Associate Device: Click the associate icon of a collector and bind the collector to one or more anti-DDoS devices. For details, see 4.4.2 Associating the Collector with the devices.

Modify: Click the modify icon of the collector to be modified to change the collector parameters.
NOTE
A collector in Down state cannot be modified.

Delete: Delete one collector: Click the delete icon in the Operation column of the corresponding collector.
Delete collectors in batches: Select the check boxes of multiple collector names and click the delete icon above the list to delete the selected collectors. Select the check box on the title bar and click the delete icon above the list to delete all collectors.
NOTE
Collectors that are associated with a device cannot be deleted.

View: 1. Click the name of the collector to view its configuration. 2. Click Close to close the dialog box.

State: Indicates the connection state between the ATIC server and the collector.
The online icon indicates that the collector is online, that is, the ATIC server and the collector are connected and the collector service has been started.
The offline icon indicates that the collector is offline. The possible causes are: the IP address of the collector has changed, the ATIC server fails to connect to the collector, or the collector service is not started.

Device Quantity: Indicates the number of devices bound to the collector.

CPU, Memory, Disk Information: Indicates performance data, including information about the CPUs, memory, and disks of collectors.

4.4.1 Adding a Collector


After the centralized installation is complete, the ATIC Management center automatically
creates a collector. You must manually create collectors during the distributed installation.

Procedure
Step 1 Choose Defense > Network Settings > Collectors.
Step 2 On the Collectors page, click the create icon.

Step 3 On the Create Collector page, select Anti-DDoS from the Collector Type drop-down list.

Step 4 Set other parameters of the collector. For details, see Table 4-3.
Table 4-3 Collector parameters

Name
  Description: Indicates the collector name.
  Value: The name contains a maximum of 32 characters, including letters, digits, underscores (_), and hyphens (-). It must start with a letter or an underscore (_).

IP Address
  Description: Indicates the IP address of the collector.
  Value: The IP address is routable to the IP addresses of the FTP server and log server. This parameter cannot be changed during collector modification.

Encryption Key
  Description: Indicates the key content.
  Value: Before configuring a packet capture task, configure an encryption key for packet capture logs. When the collector is associated with an anti-DDoS device, the key is delivered to the anti-DDoS device.

Step 5 Optional: On the Create Collector page, click Test.

If the system displays Succeeded in connecting the collector., perform Step 6.

If the system displays Failed to connect the collector Possible causes: The IP address
of the collector is incorrect, or the collector is not started, or the connectivity error
occurs., the ATIC Management center and collector cannot be normally connected.
Perform the check according to the displayed cause.

Step 6 On the Create Collector page, click OK.


After the collector is successfully added, the system displays the Collectors page.

----End

Follow-up Procedure
You can view, modify, or delete a collector by referring to 4.4 Configuring a Collector.

4.4.2 Associating the Collector with the devices


After being associated with an anti-DDoS collector, devices can send logs and captured packets
to it for later analysis. When only one anti-DDoS collector is available, the collector is
automatically associated with devices. When multiple anti-DDoS collectors exist, associate
them with devices manually. You are advised to associate each collector with one device.

Prerequisites

The device and anti-DDoS collector are routable to each other.

Devices have been added. For details on how to add devices, see 4.3 Adding Devices.

The anti-DDoS collector has been added. For details on how to add the anti-DDoS
collector, see 4.4.1 Adding a Collector.

Procedure
Step 1 Choose Defense > Network Settings > Collectors.
Step 2 On the Collectors page, click the associate icon of the anti-DDoS collector.

The connection status of the collector is Online.

Step 3 On the Associated Devices page, click the add icon.
Step 4 On the Select Device page, select the check box of the device to be associated.
Step 5 Click OK.
The device associated with the collector is displayed in Associated devices.
----End

4.5 Configuring the Defense Group


A defense group identifies the collection and networking of anti-DDoS devices. If an
AntiDDoS is deployed in off-line mode, traffic diversion can be implemented only after the
detecting device and cleaning device are added to the same defense group.

Defense Group Overview

The detecting device and cleaning device can be added to a defense group. In a defense
group, the detecting device reports anomaly traffic to the ATIC Management center, and
the ATIC Management center delivers a traffic diversion task to the cleaning device.
Then the cleaning device performs traffic diversion and cleaning.

Cleaning Device Linkage: When multiple cleaning devices are added to a defense
group and any cleaning device in the group detects attack traffic, the cleaning device
interworks with the others to divert and clean the attack traffic.

When two or more detecting devices exist on the network, add them to a defense group
and select a working mode: load redundancy or load sharing.
If a detecting device that is not in any defense group detects abnormal traffic, the device diverts the traffic
to cleaning devices that do not belong to any defense group.

Management Operation
Choose Defense > Network Settings > Defense Group, and manage defense groups.

Create: Click the create icon to create a defense group. For details, see Creating a Defense Group.

Modify: Click the modify icon of the defense group to be modified to modify the defense group.

Delete: Delete one defense group: Click the delete icon in the Operation column of the corresponding defense group.
Delete defense groups in batches: Select the check boxes of multiple defense groups and click the delete icon above the list to delete the selected defense groups. Select the check box on the title bar and click the delete icon above the list to delete all defense groups.

View: 1. Click the name of the defense group to view its basic information and device information. 2. Click Close to close the dialog box.

Creating a Defense Group


Devices that serve as cleaning devices or detecting devices have been discovered and
synchronized.
Step 1 Choose Defense > Network Settings > Defense Group.
Step 2 On the Defense Group List page, click the create icon.

Step 3 Set the basic parameters of the defense group. For details, see Table 4-4.
Table 4-4 Defense group parameters

Name
  Description: Indicates the name of the defense group.
  Value: The defense group name contains a maximum of 64 characters. It cannot contain any spaces or characters such as "'", "|", "\", ",", "<", ">", "&", ";", """, and "%". The value cannot be null.

Cleaning Device Linkage
  Description: When cleaning device linkage is enabled and any cleaning device in the defense group detects attack traffic, that cleaning device interworks with the other devices to clean the attack traffic.

Detecting Mode
  Description: Indicates the detecting mode when two or more detecting devices work together.
  Value: If two or more detecting devices collaborate, select a value for this parameter; otherwise, skip it. The following detecting modes are available:
    Load Sharing: All detecting devices detect traffic collectively. This mode applies to heavy traffic scenarios and poses high requirements on device performance. Reports cover the total traffic of all detecting devices.
    Load Redundancy: Detecting devices detect the same traffic (by mirroring or optical splitting), improving detection reliability. Reports cover the traffic of only one of the detecting devices.

Description
  Description: Indicates remarks for identifying a defense group.
  Value: The value contains a maximum of 255 characters.

Step 4 Select devices to be added to the defense group.

1. In the Select Device group box, click the add icon.
2. On the Select Device page that is displayed, select the check box of a device and click OK.
After the device is added successfully, it is displayed in the device list on the Create Defense
Group page.

Each device can be added to only one defense group.

In the device list, you can select a device and click the delete icon to delete the device, or
select the check box on the title bar and click the delete icon to delete all devices.

Step 5 On the Create Defense Group page, click OK.


----End

5 Configuring Defense Policies

About This Chapter


5.1 Configuring the Zone
Before you configure an anti-DDoS traffic security policy, add Zones to be protected by
anti-DDoS devices. The ATIC Management center provides refined and differentiated filtering
and protection for different Zones.
5.2 Configuring the Zone-based Defense Policy
After you create a Zone, configure a defense policy specifically for the Zone so that attack
traffic can be blocked. When the Zone identifies abnormal traffic or is under attack, you can
refer to the defense status information on the Versatile Security Manager (VSM) graphical
user interface (GUI) to handle anomalies or attacks.

5.1 Configuring the Zone


Before you configure an anti-DDoS traffic security policy, add Zones to be protected by
anti-DDoS devices. The ATIC Management center provides refined and differentiated filtering
and protection for different Zones.
Choose Defense > Policy Settings > Zone, and manage Zones.

Create: Click the create icon to add a Zone. For details, see 5.1.1 Adding a Zone.

Modify: Click the modify icon of the Zone to be modified, and modify the Zone. For the parameter description, see 5.1.1 Adding a Zone.

Delete:
NOTICE
Once a Zone is deleted, all the services, policies, packet-capturing tasks, diversion tasks,
baseline-learning tasks, and service-learning tasks under the Zone will be deleted, and the
Zone will be undeployed from all associated devices. Perform this operation with caution.
Select the check boxes of multiple Zone accounts and click the delete icon above the list to delete the selected Zones. Select the check box on the title bar and click the delete icon above the list to delete all Zones.

Export: 1. Select one or more Zones and click the export icon. 2. On the File Download page, click Open to view the Zone list or click Save to save the list locally.

Export All: 1. Click the export all icon. 2. On the File Download page, click Open to view the Zone list or click Save to save the list locally.

Import: Click the import icon to import Zones in a batch. For details, see 5.1.2 Importing Zones in a Batch.
NOTE
SIG Zones are VICs synchronized from the SIG1000E/9280E and cannot be imported.

View: 1. Click the account or name of the Zone to view its basic information and IP addresses. 2. Click Close to close the dialog box.

Search:
Basic search: On the upper right of the page, enter the account/name of the Zone to search for and click the search icon. Zones that meet the search conditions are displayed on the page.
Advanced search: 1. Click Advanced Search. 2. In the advanced search area that is displayed, set search conditions such as Account/Name, Type, or IP Address, and then click Search.

5.1.1 Adding a Zone


IP addresses protected by anti-DDoS devices are identified and grouped by adding a Zone.
Then Zone-specific policies can be configured to achieve differentiated and hierarchical
defense.

Prerequisites
To add a Zone and associate it with devices, ensure that devices associated with the Zone have
been discovered by the ATIC Management center.

Context
The Zones are classified into user-defined Zones, default Zones, and SIG1000E/9280E Zones.

User-Defined Zones
To protect specific IP addresses or address segments, the administrator can manually create
user-defined Zones and add the IP addresses or address segments to them. The anti-DDoS
device uses defense policies to provide refined defense for traffic to these IP addresses or
address segments.
The type of such Zones is User-Defined.

Default Zones
One default Zone is automatically added when you add an anti-DDoS device. Each
anti-DDoS device can be associated with only one default Zone, which does not have
any given IP address. The anti-DDoS device applies refined defense to destination IP
addresses other than those in User-Defined Zones.
The type of such Zones is Default.

Zones Synchronized from the SIG1000E/9280E
After the SIG1000E/9280E is added, the system automatically synchronizes Zones from
the SIG1000E/9280E system to protect them. The administrator cannot change the basic
information and IP addresses of Zones of this type, but can select cleaning devices for
them and apply the policies configured for the Zones to the traffic destined for the
corresponding IP addresses or address segments for refined defense.
The type of such Zones is SIG1000E/9280E Zone.

If a network is large or covers multiple areas and each administrator needs to manage one part
of the network, you can create multiple Zones and grant each administrator permission to
manage the corresponding Zone.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 On the Zone List page, click the create icon.

Step 3 Set the basic parameters of the Zone. For details, see Table 5-1.
Table 5-1 Zone Basic Information

Account
  Description: Indicates the Zone account.
  Value: The Zone account consists of letters, digits, and underscores (_) and must start with a letter. It cannot be an illegitimate value such as null or default, and cannot start with sig. It is case insensitive. Its length cannot exceed 32 characters. This parameter cannot be changed during Zone modification.

Type
  Description: Indicates the Zone type.
  Value: The value can be User-Defined or Default.

Name
  Description: Indicates the Zone name, which supplements the Zone account for query convenience.
  Value: The Zone name contains a maximum of 64 characters. It cannot contain spaces or any of the following characters: | \ , < > / : " % * ? & =

Contact, Phone, Mobile Phone, Post Code, Email, Address
  Description: Indicates the basic information of the contact person.
  Value: This parameter cannot be changed during Zone modification. The value cannot be null.

Description
  Description: Indicates the detailed description of the Zone.
  Value: Its length cannot exceed 255 characters.

Step 4 Set the IP addresses of the user-defined Zone.

This operation can be performed only when a user-defined Zone is added.

1. On the Create Zone page, click the IP Address tab.
2. Click the create icon.
3. Create IP addresses. For details on the parameters, see Table 5-2.

Both IPv4 and IPv6 addresses are applicable.

Table 5-2 Creating IP addresses

IP Type
  Description: Indicates the IP address type.
  Value:
    regular: The IP address belongs to this Zone.
    exclude: The IP address does not belong to this Zone.
    For example, if a Zone is a subnet except one IP address, configure the subnet with IP Type set to regular and the IP address with IP Type set to exclude.

Create Mode
  Description: Indicates the mode of creating IP addresses.
  Value:
    IP address+Mask: The IP address and mask are entered to create IP addresses.
    IP address segment: The start and end IP addresses are entered to create IP addresses.

4. Click OK.
The new IP address is displayed in the IP Address list.

The IP addresses of different Zones must be mutually exclusive.

In the IP Address list, you can select an IP address and click the delete icon to delete it, or
select the check box on the title bar and click the delete icon to delete all IP addresses.

Step 5 Click the Devices tab to associate devices with the Zone. Select the check box of a device
and click OK.
When the Zone is a Service Inspection Gateway (SIG1000E/9280E), the SIG1000E/9280E is
automatically added to the associated device list.
To divert the traffic destined for a Zone to a specific VPN instance of the device, select the
VPN instance in the VPN column.
Step 6 Click the Policy tab to configure a defense policy and traffic diversion.
1. Select a defense policy template.
You can use the default defense policy template or create a defense policy template. For
details, see 6.2.10 Configuring Policy Templates.

2. Select Packet Capture Task. The cleaning device then captures the packets discarded
due to attacks on the Zone, which assists in analyzing attack events.

3. Optional: Create a static traffic diversion task.
In the Traffic Diversion Task List group box, click the create icon to create IP addresses
whose traffic is to be diverted.

After a static traffic diversion task is delivered, all traffic destined for the IP address is
diverted to the cleaning device.
When you specify certain IP addresses or IP address segments for traffic diversion within a
protected IP address segment, split the IP address segment and select the subnet after
splitting.

a. Click the split icon of the IP address to be split.
b. On the Splitting Setting page, enter the mask splitting length and click Split.
The mask splitting length ranges from 1+number of mask bits to 8+number of mask
bits. For example, if the mask of a protected IP address segment is 255.255.0.0, the
number of mask bits is 16 and the mask splitting length ranges from 17 to 24.
c. Select the subnet IP addresses after splitting.
d. Click OK.
e. Select a subnet IP address after splitting on the Create Traffic Diversion Task
page.

Step 7 Click OK to finish adding the Zone on the ATIC Management center. Click Deploy to deploy
the Zone configuration to devices.
----End
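Two rules in this procedure are easy to get wrong by hand: the regular/exclude entries of Step 4 must leave the effective address sets of all Zones mutually exclusive, and the mask splitting length of Step 6 must stay within 1 to 8 bits beyond the protected segment's mask. The following is an added example for this guide, not ATIC code; the Zone names, entry tuples and addresses are constructed, and the mapping of the Create Mode values onto Python's ipaddress calls is an assumption.

```python
"""Zone IP definitions (Table 5-2) and mask splitting (Step 6.3) checked offline.

Added example for this guide, not ATIC code. Each entry mirrors one row of the
Create IP addresses dialog: (IP Type, Create Mode, value).
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # ("regular"|"exclude", Create Mode, value)


def parse_entry(mode: str, value: str) -> list:
    """One dialog entry -> list of ip_network objects (IPv4 or IPv6)."""
    if mode == "IP address+Mask":
        # accepts "10.1.0.0/16", "10.1.0.0/255.255.0.0" or "2001:db8::/32"
        return [ipaddress.ip_network(value, strict=False)]
    if mode == "IP address segment":
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    raise ValueError(f"unknown Create Mode: {mode}")


def effective_networks(entries: List[Entry]) -> list:
    """Networks the Zone really owns: regular entries minus exclude entries."""
    regular, exclude = [], []
    for ip_type, mode, value in entries:
        (regular if ip_type == "regular" else exclude).extend(parse_entry(mode, value))
    result = list(regular)
    for ex in exclude:
        kept = []
        for net in result:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)                       # untouched by this exclusion
            elif ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))   # carve the hole out
            # else: ex covers net completely, so net is dropped
        result = kept
    return result


def zone_contains(entries: List[Entry], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in effective_networks(entries))


def overlapping_zones(zones: Dict[str, List[Entry]]) -> List[Tuple[str, str, str, str]]:
    """Pairs of Zones whose effective address space overlaps; must be empty."""
    eff = {name: effective_networks(e) for name, e in zones.items()}
    names = sorted(eff)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in eff[a]:
                for nb in eff[b]:
                    if na.version == nb.version and na.overlaps(nb):
                        conflicts.append((a, b, str(na), str(nb)))
    return conflicts


def split_length_range(segment: str) -> Tuple[int, int]:
    """Allowed mask splitting length: 1+mask bits .. 8+mask bits."""
    net = ipaddress.ip_network(segment, strict=False)
    return net.prefixlen + 1, net.prefixlen + 8


def split_segment(segment: str, split_len: int) -> List[str]:
    """Subnets offered on the Splitting Setting page for a given length."""
    lo, hi = split_length_range(segment)
    if not lo <= split_len <= hi:
        raise ValueError(f"mask splitting length for {segment} must be {lo}..{hi}")
    net = ipaddress.ip_network(segment, strict=False)
    return [str(s) for s in net.subnets(new_prefix=split_len)]


def diversion_subnet(segment: str, split_len: int, attacked_ip: str) -> str:
    """The split subnet to select on the Create Traffic Diversion Task page."""
    addr = ipaddress.ip_address(attacked_ip)
    for sub in split_segment(segment, split_len):
        if addr in ipaddress.ip_network(sub):
            return sub
    raise ValueError(f"{attacked_ip} is not inside {segment}")


# Constructed sample Zones (not from any real deployment)
ZONES = {
    "web": [("regular", "IP address+Mask", "10.1.0.0/255.255.0.0"),
            ("exclude", "IP address+Mask", "10.1.5.0/24")],
    "dns": [("regular", "IP address segment", "10.1.5.1-10.1.5.20")],
    "mail": [("regular", "IP address+Mask", "10.1.200.0/24")],  # collides with web
}

if __name__ == "__main__":
    print("conflicts:", overlapping_zones(ZONES))
    print("split range for 10.1.0.0/255.255.0.0:", split_length_range("10.1.0.0/255.255.0.0"))
    print("subnet to divert for 10.1.77.9:", diversion_subnet("10.1.0.0/255.255.0.0", 24, "10.1.77.9"))
```

Running the check before clicking Deploy catches the "mail" and "web" overlap that the GUI would otherwise reject one entry at a time.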

Follow-up Procedure
You can view, modify, or delete a Zone by referring to 5.1 Configuring the Zone.

5.1.2 Importing Zones in a Batch


Importing Zones in a batch improves the efficiency of adding Zones. You can fill in a file
based on the template and import the file to the ATIC Management center.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click the import icon.

Step 3 On the Import Zone page, click the download icon to download the template locally.

Step 4 Fill in all parameters on the template. For parameter settings, see 5.1.1 Adding a Zone.
Step 5 Import the file to the ATIC Management center.
1.

On the Import Zone page, click Browse....

2.

Select the local file for import and click OK.


Zone information of the imported file is displayed in the Zone list.

----End


Follow-up Procedure
To export Zones, see 5.1 Configuring the Zone.

5.2 Configuring the Zone-based Defense Policy


After you create a Zone, configure a defense policy specifically for the Zone so that attack
traffic can be blocked. When the Zone identifies abnormal traffic or is under attack, you can
refer to the defense status information on the Versatile Security Manager (VSM) graphical
user interface (GUI) to handle anomalies or attacks.
Choose Defense > Policy Settings > Zone. On the page that is displayed, you can manage the
defense policies of the Zone. For details, see Table 5-3 and Table 5-4.
Table 5-3 Managing the defense policies of the Zone

Configure defense policies: Click the policy icon of the Zone. For details, see 6.2.1 Configuring a Defense Mode, 6.2.2 Configuring a Filter, and 6.2.6 Configuring the Zone-based Defense Policy.
Policies configured for a Zone take effect only after they are deployed on associated devices.

Deploy: Select the check box of a Zone and click the deploy icon. For details, see 6.2.12 Deploying the Defense Policy.

Undeploy: Select the check box of a Zone and click the undeploy icon. The policy configurations of the Zone are removed from associated devices but kept on the ATIC Management center.

Handle anomalies or attack events: When a Zone identifies abnormal traffic or is under attack, State is Abnormal or Attacked. Click the state value in the State column of the Zone and perform appropriate operations. For details, see 8.2 Handling Abnormal Events.

Table 5-4 Parameters of Zone policies

Zone: Indicates the Zone name defined when you create the Zone. For details, see 5.1.1 Adding a Zone.

Type: Indicates the type of Zone.

Device Name: Indicates the detecting or cleaning device that provides anti-DDoS services for the Zone.

Service Learning: Indicates the state of the Zone-associated devices that perform service learning on traffic. Click the state value to configure the service learning task or view service learning results. For details, see 6.2.4.2 Configuring a Service Learning Task.

Baseline Learning: Indicates the state of the Zone-associated devices that perform baseline learning on traffic. Click the state value to configure the baseline learning task or view baseline learning results. For details, see 6.2.5 Adjusting a Threshold (by Baseline Learning).

State: Indicates the state of Zone traffic.
  Normal: The Zone traffic is normal or the Zone is not associated with any AntiDDoS.
  Abnormal: The Zone traffic does not comply with the normal model, that is, the traffic exceeds the threshold specified in the defense policy.
  Attacked: After traffic anomalies are detected on the cleaning device and the defense mechanism is enabled, the cleaning device starts to discard packets and the packet drop probability is higher than the specified value.
  If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part Defended, click the state value in the State column to view and handle the abnormal events. For details, see 8.2 Handling Abnormal Events.

Defense State: Indicates how the cleaning device processes anomaly or attack traffic for the Zone.
  --: The Zone traffic is normal and no defense mechanism is required.
  Automatically Defended: The defense mechanism is automatically enabled for abnormal traffic.
  Not defended: The Zone traffic is abnormal, but the defense mechanism is not enabled for abnormal traffic. You need to manually enable the defense mechanism.
  Part Defended: The defense mechanism is manually enabled for part of the abnormal traffic.
  Defended: The defense mechanism is manually enabled for all abnormal traffic.
  If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part Defended, click the state value in the State column to view and handle the abnormal events. For details, see 8.2 Handling Abnormal Events.

Diversion State: Indicates whether Zone traffic is diverted to the cleaning device.
  In diverting: The traffic forwarded to the Zone is being diverted to the cleaning device.
  Partial Diversion: The traffic forwarded to some IP addresses of the Zone is being diverted to the cleaning device.
  Not diverted: The traffic forwarded to the Zone has not been diverted to the cleaning device.
  Confirmed Divert: The NFA2000 reports detected abnormal traffic to the ATIC Management center, which generates a traffic diversion task. The task
Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

46

HUAWEI ATIC Management Center


Configuration Guide

Param
eter

5 Configuring Defense Policies

Description
is delivered to the cleaning device after the administrator confirms it.
Confirmed Divert is displayed only when the NFA2000 serves as a
detecting device.
On the anti-DDoS network in off-line deployment, when one of the following
status occurs, click the corresponding diversion state to check whether a traffic
diversion task is created for the Zone or the traffic diversion task is enabled on
the Traffic Diversion Task List tab page. For details, see 7.2.3 Configuring
BGP Traffic Diversion (ATIC).

Deploy
ment
State

The diversion state of the Zone is Not diverted and the Zone state is
Abnormal.

The diversion state of the Zone is Partial Diversion and the Zone state is
Abnormal.

The diversions status of the Zone is Confirmed Divert and the Zone status is
Normal.

Indicates the state whether the Zone policy is deployed on devices. The value
can be Undeployed, Deploy Succeed, Part Deployed, or Deploy Failed.
If Deployment is Deploy Failed, click Deploy Failed to view details on policy
deployment and undeployment on the Zone-associated devices.
If Deployment is Part Deployed, click Part Deployed to view the new policies
that are not deployed on the Zone-associated devices.

5.2.1 Configuring a Defense Mode


A defense mode covers the traffic diversion mode, defense mode, cleaning bandwidth, traffic
limiting for a single IP address, and device association.

Prerequisites
A Zone has been created. For details, see 6.1 Configuring the Zone.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click [icon] of the Zone. The following page is displayed.

Step 3 Configure basic policies. Table 6-5 lists the basic policy parameters.

Table 5-5 Parameters of defense modes

Traffic Diversion Mode
Description: Indicates the mode in which the detecting device diverts anomaly traffic of the Zone to the cleaning device.
Value:
- Automatic Perform: The detecting device reports the anomaly to the ATIC Management center. Then the ATIC Management center automatically generates and activates a traffic diversion task and delivers the task to the cleaning device.
- Manual Perform: The detecting device reports the detected traffic anomaly to the ATIC Management center. The ATIC Management center generates a traffic diversion task automatically and does not deliver the task to the cleaning device until the administrator confirms it manually.
After the Zone state turns to normal, the ATIC Management center automatically delivers the task of canceling traffic diversion to the cleaning device to stop traffic diversion.
NOTE
In addition to manual and automatic traffic diversion, you can configure a static traffic diversion task to divert traffic to the cleaning device no matter whether the traffic is normal or not. For details, see 7.2.3 Configuring BGP Traffic Diversion (ATIC).

Defense Mode
Description: Indicates the defense mode of the cleaning device after abnormal traffic is detected.
Value:
- Automatic Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event and automatically enables the defense mechanism.
- Manual Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event. The administrator needs to determine whether to enable the defense mechanism. For details, see 8.1 Viewing the Status of a Zone and Anti-DDoS Alarms. Currently, the following types of attacks support Manual Perform defense: SYN flood, SYN-ACK flood, ACK flood, TCP connection flood, TCP abnormal flood, TCP frag flood, UDP flood, UDP frag flood, RST flood, DNS reply flood, DNS request flood, domain name hijacking, HTTP flood, HTTPS flood, SIP flood, Other flood, and URI behavior monitoring.
When Traffic Diversion Mode is set to Manual Perform, select only Automatic Perform for Defense Mode.

Dynamic Blacklist Mode
Description: During the defense, detected illegitimate source IP addresses are dynamically blacklisted.
Value:
- Automatic: The dynamic blacklist entry automatically takes effect after it is generated.
- Close: No dynamic blacklist entry is generated during the defense.

Cleaning Bandwidth
Description: Limits the traffic on which Zone-based attack defense is implemented to below the threshold. Excess packets are directly discarded.
Value: This function is used by the carrier to provide value-added services.

Traffic Limiting for Single IP Address
Description: Limits the traffic of a single IP address of the Zone to below the threshold. Excess packets are directly discarded.
Value: When network bandwidth is limited, you are advised to enable this function to avoid network congestion.

Apply an IPSec policy
Description: If an IPSec policy is applied, packet filtering is triggered.
Value:
- Botnets, Trojan horses, and worms
- C&C Domain
- Web Injection
- DoS Tools

NOTE
Statistics on the traffic are collected starting from the Layer-2 packet header, which excludes the packet length at the physical layer. Therefore, the actual traffic volume is slightly greater than the specified value.

Step 4 Click OK.


----End

Follow-up Procedure
Basic policies configured for the Zone take effect only after they are deployed on the associated devices. For details, see 6.2.12 Deploying the Defense Policy.

5.2.2 Configuring a Filter


This section describes how to configure a filter, which is employed by the cleaning device to
perform static filtering over the traffic destined for the Zone.

Filter Category
The AntiDDoS provides IP, TCP, UDP, HTTP, DNS, ICMP, and SIP filters. For details, see
Table 6-6.
The IP filter can process all types of IP packets whereas other filters can only process the
packets of their own types. For example, the HTTP filter can process only HTTP packets.
You can configure a maximum of 128 filters on one anti-DDoS device.
Table 5-6 Seven filters

Filter: Filtering Condition

IP filter: Source IP address, destination IP address, packet length, TTL, fingerprint, protocol, DSCP, and fragment type

TCP filter: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP, fragment type, TCP flag bit, source port, and destination port

UDP filter: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP, fragment type, source port, and destination port

ICMP filter: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP, and fragment type

HTTP filter: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP, fragment type, TCP flag bit, source port, HTTP field (including opcode, cookie, host, and referer), and URI

DNS filter: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP, fragment type, source port, DNS QR (query and reply), and DNS field (including the domain and type)

SIP filter: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP, fragment type, source port, caller, and callee

Filter Template
The ATIC Management center provides 10 common filter templates. You can use any of them as required.
DNS_Amplification: DNS amplification attack
Chargen_Amplification: Chargen amplification attack
SNMP_Amplification: SNMP amplification attack
TFTP_Amplification: TFTP amplification attack
NTP_Amplification: NTP amplification attack
NetBIOS_Amplification: NetBIOS amplification attack
SSDP_Amplification_Attack: SSDP amplification attack
QOTD_Amplification: QOTD amplification attack
Quake_Network_Protocol: Quake amplification attack
Steam_Protocol_Amplification: Steam amplification attack
You can edit or delete templates as required.


Filter Matching Sequence


Packets match filters in the list from top to bottom. Matching stops as soon as a packet matches a filter, and the action defined in that filter is applied to the packet.

Operation
Choose Defense > Policy Settings > Filter, and configure the filter.

Create: Click [icon] to create a filter. For details, see 6.2.2.1 Creating a Filter.

Modify: Click [icon] in the Operation column and modify the filter in the Modify Filter dialog box.

Delete: Select the check box for the filter and click [icon].

Search: Enter part of a filter name or the full name in Name and click [icon].

5.2.2.1 Creating a Filter


Seven types of filters are available for static filtering based on the user-defined keyword and
action for matched packets.

Procedure
Step 1 Choose Defense > Policy Settings > Filter.
Step 2 Click [icon].

Step 3 On the Basic Information tab page, configure basic information about the filter. Table 6-7
lists parameters and Table 6-8 lists keywords.
Table 5-7 Basic information about the filter

Name: Indicates the name of a filter.

Protocol: Indicates a protocol type.

Operation: Indicates an action for matched packets.
Value:
- Discarding: Discards the packets that match the keyword.
- Discard+Blacklist: Discards the packets that match the keyword and blacklists their source IP addresses.
- Permitting: Permits only the packets that match the keyword.
- Pass+Whitelist: Permits the packets that match the keyword and whitelists their source IP addresses.
- Rate Limiting: Limits the rate of packets that match the keyword to below Threshold.
- Source detection: Performs source detection when packets match the specified keyword.

Threshold: This parameter is required when Operation is set to Rate Limiting.

Click the Keyword tab and configure keywords.


Table 5-8 Keyword content

source-ip (IP address, mask)
Description: Indicates the source IP address and subnet mask of a packet.
Value: You can configure a maximum of 1000 source IP addresses on each filter and a maximum of 20,000 source IP addresses on each cleaning device. Both IPv4 and IPv6 addresses are supported.

destination-ip (IP address, mask)
Description: Indicates the destination IP address and subnet mask of a packet.
Value: You can configure a maximum of 100 destination IP addresses on each filter and a maximum of 2000 destination IP addresses on each cleaning device. Both IPv4 and IPv6 addresses are supported.

packet-length (min, max)
Description: Indicates the packet length range.
Value: You can configure a maximum of 32 packet lengths for each filter. A packet matches the filter only if one of the specified packet lengths is hit.

ttl (ttl)
Description: Indicates the Time To Live (TTL) of a packet.
Value: You can configure a maximum of 32 TTL values for each filter.

fingerprint (offset, content, depth)
Description:
- offset: Indicates the number of offset bytes starting from the first bit of the packet data.
- content: Indicates the fingerprint content.
- depth: Indicates the depth that determines the range of fingerprint matching.
Value: For example, when Content is set to 1234afee, Offset to 20, and Check Depth to 8, and the data content from the 21st byte to the 32nd byte matches 1234afee, the packet matches the fingerprint. The formula is "32 = 20 + 4 (fingerprint length) + 8 (check depth)".
A fingerprint contains 4 to 16 bytes and can be a character string or a group of hexadecimal numbers. The default format is a character string. If the hexadecimal format is used, each byte contains two hexadecimal numbers and a \x must be added before the start byte. You can configure a maximum of 10 fingerprints for each filter, and a maximum of 4 parts for each fingerprint. You can configure a maximum of 512 parts for each device.

protocol (protocol)
Description: Indicates the protocol type of a packet.
Value: You can configure a maximum of 32 packet protocols for each filter.

dscp/fragment (dscp/fragment)
Description: Indicates the field of an IP packet.
Value: You can configure a maximum of 32 DSCPs and 5 fragments for each filter.

tcp-flag (TCP flag)
Description: Indicates the flag bit of a TCP packet.
Value: You can configure a maximum of 16 TCP flags for each filter.

destination-port (start port, end port)
Description: Indicates the range of the destination ports of packets.
Value: You can configure a maximum of 32 destination ports for each filter.

source-port (start port, end port)
Description: Indicates the source port range.
Value: You can configure a maximum of 32 source ports for each filter.

opcode/cookie/host/referer/user-agent (opcode/cookie/host/referer/user-agent)
Description: Indicates the field of an HTTP packet.
Value:
- ASCII characters and hexadecimal characters are supported.
- Each character string contains a maximum of 64 bytes.
- You can configure a maximum of 128 opcode keywords or a maximum of 512 cookie/host/referer/user-agent keywords for each device.

uri (URI)
Description: Indicates the type of an HTTP request packet.
Value: You can configure a maximum of 512 URI keywords for each HTTP filter, and a maximum of 512 for each device.

qr (qr)
Description: Indicates the type of a DNS packet.
Value: Both DNS query and DNS reply types are available.

domain (domain)
Description: Indicates the domain field of a DNS packet.
Value:
- include: indicates a fuzzy match. DNS packets are matched only if the domain field contains the matched content.
- equal: indicates an exact match. Packets are matched only if the domain field is the same as the matched content.
You can configure a maximum of 512 domain keywords for each HTTP filter, and a maximum of 512 for each device.

type (type)
Description: Indicates the type field of a DNS packet.
Value: You can configure a maximum of 10 type keywords for each DNS filter.

caller/callee (Caller/Callee)
Description: Indicates the field of a SIP packet.
Value: You can configure a maximum of 512 Caller/Callee keywords for each SIP filter, and a maximum of 512 for each device.

Step 4 Bind a Zone to the filter.
1. Click the Associated Zone tab.
2. Click [icon], select a Zone, and click OK.
Only the Zones whose Deployment State is Deploy Succeed are displayed on the page. Ensure that the Zone to be bound has been deployed.
Two modes are available for binding a Zone to a filter. For details, see 6.2.2.2 Associating a Zone with a Filter.
Step 5 Click Deploy.

When the Zone is associated with the filter and you click Deploy, the filter is deployed
on the AntiDDoS and configurations take effect.

When only the filter is created and you click Deploy, filter configurations are saved on
the ATIC Management center. They take effect only after the filter is associated with the
Zone and is deployed again.

----End
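As an added illustration of the filter matching sequence and of the fingerprint keyword in Table 5-8 (example code written for this edit, not ATIC Management Center code), the following Python models a static filter list: filters are tried from top to bottom, the first matching filter's action applies, and a fingerprint hits when it occurs anywhere in the window of offset + fingerprint length + depth bytes. Filter names, addresses and payloads are constructed, and the 1234afee fingerprint is taken in its hexadecimal form with the \x prefix.

```python
"""Added example (not ATIC Management Center code): a minimal model of the static
filter list, with top-to-bottom first-match semantics and the fingerprint
offset/depth rule.  All filters, addresses and payloads are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def parse_fingerprint(content: str) -> bytes:
    """A fingerprint is a character string by default; a leading \\x marks a
    hexadecimal group in which each byte is two hex digits.  4 to 16 bytes."""
    fp = bytes.fromhex(content[2:]) if content.startswith("\\x") else content.encode("ascii")
    if not 4 <= len(fp) <= 16:
        raise ValueError("fingerprint must contain 4 to 16 bytes")
    return fp


def fingerprint_hit(payload: bytes, offset: int, content: str, depth: int) -> bool:
    """The check window spans offset + fingerprint length + depth bytes
    (32 = 20 + 4 + 8 in the guide's example), so the fingerprint may start at
    any of depth + 1 positions inside it."""
    fp = parse_fingerprint(content)
    return fp in payload[offset:offset + len(fp) + depth]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "TCP", "UDP", "ICMP", ...
    length: int
    ttl: int
    tcp_flags: Set[str] = field(default_factory=set)
    payload: bytes = b""


@dataclass
class Filter:
    name: str
    protocol: str                       # "IP" sees every packet; others only their own type
    action: str                         # Discarding, Discard+Blacklist, Permitting, Pass+Whitelist, ...
    source_ips: List[str] = field(default_factory=list)        # "addr/prefix" or "addr/mask"
    packet_lengths: List[Tuple[int, int]] = field(default_factory=list)   # (min, max)
    ttls: List[int] = field(default_factory=list)
    tcp_flags: List[str] = field(default_factory=list)
    fingerprints: List[Tuple[int, str, int]] = field(default_factory=list)  # (offset, content, depth)

    def matches(self, pkt: Packet) -> bool:
        """Every configured keyword must hit; within one keyword any listed value may hit."""
        if self.protocol != "IP" and self.protocol != pkt.proto:
            return False
        src = ipaddress.ip_address(pkt.src)
        checks = [
            (self.source_ips, lambda: any(src in ipaddress.ip_network(n, strict=False)
                                          for n in self.source_ips)),
            (self.packet_lengths, lambda: any(lo <= pkt.length <= hi
                                              for lo, hi in self.packet_lengths)),
            (self.ttls, lambda: pkt.ttl in self.ttls),
            (self.tcp_flags, lambda: any(f in pkt.tcp_flags for f in self.tcp_flags)),
            (self.fingerprints, lambda: any(fingerprint_hit(pkt.payload, o, c, d)
                                            for o, c, d in self.fingerprints)),
        ]
        return all(check() for configured, check in checks if configured)


class FilterList:
    """Ordered filter list: packets are matched from top to bottom and the first
    hit decides; Discard+Blacklist and Pass+Whitelist also record the source."""

    def __init__(self, filters: List[Filter]) -> None:
        self.filters = filters
        self.blacklist: Set[str] = set()
        self.whitelist: Set[str] = set()

    def verdict(self, pkt: Packet) -> Tuple[Optional[str], str]:
        for flt in self.filters:
            if flt.matches(pkt):
                if flt.action == "Discard+Blacklist":
                    self.blacklist.add(pkt.src)
                elif flt.action == "Pass+Whitelist":
                    self.whitelist.add(pkt.src)
                return flt.name, flt.action
        return None, "no-filter-match"      # handed on to the dynamic defense stages


# Constructed sample filters (hypothetical names and values).
SAMPLE_FILTERS = FilterList([
    Filter("trusted-monitor", "IP", "Pass+Whitelist", source_ips=["192.0.2.10/32"]),
    Filter("udp-probe-fp", "UDP", "Discard+Blacklist", fingerprints=[(20, "\\x1234afee", 8)]),
    Filter("tiny-syn", "TCP", "Discarding", tcp_flags=["SYN"], packet_lengths=[(0, 60)]),
])


def demo() -> Tuple[Optional[str], str]:
    """Constructed UDP packet whose hex fingerprint starts at byte 25 (1-based),
    inside the 21st..32nd byte window; returns (filter name, action)."""
    payload = bytes(24) + bytes.fromhex("1234afee") + bytes(8)
    return SAMPLE_FILTERS.verdict(Packet("198.51.100.7", "203.0.113.5", "UDP", 64, 60, payload=payload))
```

A packet that matches no filter is reported as no-filter-match so that the caller can pass it on to the Zone's dynamic defense policies rather than treating it as permitted.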

5.2.2.2 Associating a Zone with a Filter


You can use either of the following methods to associate a Zone with a filter.

Method 1: Associating a Filter on the Zone Page


Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click [icon] of the Zone.
Step 3 Click the Filter tab.
Step 4 Click [icon].
Step 5 Select the filter to be associated and click OK.
The filter takes effect only after the Zone is deployed.
----End

Method 2: Associating a Zone on the Filter Page


Step 1 Choose Defense > Policy Settings > Filter.
Step 2 Click [icon] in the Operation column to modify the filter.
Step 3 Click the Associated Zone tab.
Step 4 Click [icon], select a Zone, and click OK.
Only the Zones whose Deployment State is Deploy Succeed are displayed on the page. Check whether the Zone to be associated is successfully deployed.
Step 5 Click Deploy to deploy the filter to the AntiDDoS.
----End

5.2.3 Configuring a Location Blocking Policy


A location blocking policy can block traffic from a specific country or region.

Prerequisites
The latest IP location database file has been loaded. For details, see 6.2.9 Library Files.

Context
Many Internet attacks are launched by attackers controlling botnet hosts that may be located in a specific region. The location blocking policy blocks traffic by region to effectively block attacks from a specific region.
Public IPv4 addresses have been divided by country in the IP location database file. If the IP location granularity in the IP location database file cannot meet requirements, you can create user-defined IP locations. For details, see 6.2.8 Creating User-defined IP Locations.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click [icon] of the Zone.
Step 3 Click the Blocked Location tab, click [icon], and select the location from which traffic will be blocked.
Step 4 Click OK.


----End

5.2.4 Creating a Service and a Defense Policy


To provide the service-specific refined defense for servers or major services in the Zone or the
defense for TCP, UDP, and HTTP ephemeral ports, you can create a service.

Prerequisites
The basic policies of the Zone have been configured. For details, see 6.2.1 Configuring a
Defense Mode.

Context
During traffic cleaning, the cleaning device first matches services by destination IP address,
service type, and destination port. After successful matching, detection and defense are
performed according to service-specific defense policies. Otherwise, detection and defense
are performed on default defense policies by protocol type.


Only traffic limiting can be configured for certain devices in the defense policy of services. In this case, detection and defense are performed on the traffic of services according to the default defense policy. The procedure is as follows: When cleaning traffic, the cleaning device first matches services by service type and destination IP address. After successful matching, the cleaning device matches the default defense policy by protocol type for detection and defense. Then the cleaning device limits traffic according to the traffic limiting policy of the services.

Service learning can be used to configure TCP and UDP services. For details, see 6.2.4.2
Configuring a Service Learning Task.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click [icon] of the Zone.
Step 3 On the Defense Policy tab page, click [icon].

Step 4 On the Basic Information tab page, configure the basic information of the service. Table 6-9
shows parameters.
Table 5-9 Parameters of services

Name: Indicates the name of the service.

Device Name: Selects a device to be associated with the service in the Zone.

Protocol: Indicates the type of the service.

Protocol ID: Indicates the protocol ID of the service. The protocol IDs of TCP, UDP, and GRE are 6, 17, and 47 respectively. This parameter is required only when Service Type is set to Other.

IP Address: Indicates the destination IP address to be protected. The IP address needs to be defined in the Zone. For details, see 6.1.1 Adding a Zone.

Destination Port: Indicates the destination port to be protected. The value can be a port number or a port range, such as 1024-1030. The destination port of HTTPS is 443 and that of TCP_DNS and UDP_DNS is 53. These ports cannot be changed.

Description: Indicates the description of a service. The value contains a maximum of 64 characters including letters, digits, and special characters except question marks (?). Chinese characters are not supported.

Step 5 Configure defense policies for services.

Click all tabs and configure defense policies for services. For parameters, see 6.2.6
Configuring the Zone-based Defense Policy.
You are advised to enable baseline learning to configure the thresholds of defense
policies. For details, see 6.2.5 Adjusting a Threshold (by Baseline Learning).

Click Import Policy Template to import service policy configurations in the service
policy template.

Step 6 Optional: Click Export Policy Template to save current service policy configurations as a
template for future use.
For details on how to manage policy templates globally, see 6.2.10 Configuring Policy
Templates.
Step 7 Click OK.
----End

Example
A server is deployed in a Zone to provide HTTP services on port 8080. To protect this server, the configuration roadmap of a defense policy is as follows:
1. Configure the default defense policy. Considering possible Telnet and ping operations, limit the traffic of the TCP and ICMP services and block the UDP service and other services to prevent network congestion.
2. Create an HTTP service with destination port 8080 and the IP address used by the server to provide HTTP services. The service provides refined defense for HTTP services.
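The policy selection that Context describes, applied to the roadmap in this Example, as added example code (not ATIC Management Center code): a packet is first matched against the Zone's services by destination IP address, protocol and destination port, and falls back to the default policy of its protocol type when no service matches; the limit-only case from the note in Context is handled as well. The IP addresses, service names and default-policy names are constructed placeholders; the protocol numbers 6, 17 and 47 are the ones given in Table 5-9, and ICMP (1) is added for the Example's ping traffic.

```python
"""Added example (not ATIC Management Center code): policy selection on the
cleaning device.  A packet is matched to a Zone service by destination IP
address, protocol and destination port; otherwise the default policy of its
protocol type applies.  Addresses and policy names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 6, 17 and 47 are the IDs given in Table 5-9; ICMP (1) is added for the Example.
PROTOCOL_IDS = {"TCP": 6, "UDP": 17, "GRE": 47, "ICMP": 1}
FIXED_PORTS = {"HTTPS": 443, "TCP_DNS": 53, "UDP_DNS": 53}      # cannot be changed
TRANSPORT_OF = {"HTTP": "TCP", "HTTPS": "TCP", "TCP_DNS": "TCP",
                "UDP_DNS": "UDP", "TCP": "TCP", "UDP": "UDP"}


def parse_port_range(value: str) -> Tuple[int, int]:
    """'8080' -> (8080, 8080); '1024-1030' -> (1024, 1030)."""
    lo, _, hi = value.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {value!r}")
    return low, high


@dataclass
class Service:
    name: str
    service_type: str               # HTTP, HTTPS, TCP, UDP, TCP_DNS, UDP_DNS or Other
    ip_address: str                 # must be one of the Zone's IP addresses
    destination_port: str = ""      # port or range; ignored for types with a fixed port
    protocol_id: Optional[int] = None   # required only when service_type is Other
    limit_only: bool = False        # device supports only traffic limiting for services

    def __post_init__(self) -> None:
        if self.service_type in FIXED_PORTS:
            self.destination_port = str(FIXED_PORTS[self.service_type])
        if self.service_type == "Other":
            if self.protocol_id is None:
                raise ValueError("Protocol ID is required when Service Type is Other")
        else:
            self.protocol_id = PROTOCOL_IDS[TRANSPORT_OF[self.service_type]]
        # A protocol without ports (for example GRE) matches any port value.
        self.port_range = parse_port_range(self.destination_port) if self.destination_port else (0, 65535)

    def matches(self, dst_ip: str, proto_id: int, dst_port: int) -> bool:
        """Match order from Context: destination IP address, service type, destination port."""
        low, high = self.port_range
        return dst_ip == self.ip_address and proto_id == self.protocol_id and low <= dst_port <= high


def select_policy(services: List[Service], default_by_proto: Dict[str, str],
                  dst_ip: str, proto_id: int, dst_port: int) -> Tuple[str, str]:
    """Return (policy source, policy name).  A matched service supplies its own
    policy unless the device supports only traffic limiting for services; then the
    protocol's default policy does detection and defense and the service limit
    is applied afterwards."""
    proto_name = next((n for n, pid in PROTOCOL_IDS.items() if pid == proto_id), "other")
    default = default_by_proto.get(proto_name, default_by_proto["other"])
    for svc in services:
        if svc.matches(dst_ip, proto_id, dst_port):
            if svc.limit_only:
                return "default+service-limit", f"{default}+{svc.name}-limit"
            return "service", svc.name
    return "default", default


# Constructed Zone: the Example's HTTP server on port 8080 (documentation address).
ZONE_SERVICES = [Service("web-8080", "HTTP", "203.0.113.10", "8080")]
# Roadmap step 1 of the Example, as placeholder policy names.
DEFAULTS = {"TCP": "tcp-rate-limit", "ICMP": "icmp-rate-limit",
            "UDP": "udp-block", "other": "other-block"}


def classify(dst_ip: str, proto_id: int, dst_port: int) -> Tuple[str, str]:
    """Policy chosen for a packet destined for the constructed Zone."""
    return select_policy(ZONE_SERVICES, DEFAULTS, dst_ip, proto_id, dst_port)


if __name__ == "__main__":
    print(classify("203.0.113.10", 6, 8080))    # ('service', 'web-8080')
    print(classify("203.0.113.10", 6, 23))      # Telnet -> ('default', 'tcp-rate-limit')
    print(classify("203.0.113.10", 17, 53))     # ('default', 'udp-block')
```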

Follow-up Procedure
1. Services configured for the Zone take effect only after they are deployed on devices. For details, see 6.2.12 Deploying the Defense Policy.
2. You are advised to enable baseline learning to adjust the threshold configurations of service policies. For details, see 6.2.5 Adjusting a Threshold (by Baseline Learning).

5.2.4.1 Overview
Two learning functions are available: service learning and dynamic baseline learning. In service learning, the system learns the service model (protocol type and port number of the traffic destined for the Zone) of the Zone to enable a proper attack defense policy.
The AntiDDoS provides Zones with differentiated defense policies.
When multiple ports are enabled for the Zone and refined defense is required for a certain port, you need to adopt service-based defense to learn the traffic model and identify Zone services, thereby providing defense policies for given services in the Zone.
With service learning, the AntiDDoS can identify the services of the Zone and find the TCP and UDP services whose traffic hits the threshold, including the protocol type, port, IP address, and specific traffic value. In this way, the device obtains the service list of the Zone.
In service learning, the AntiDDoS learns statistics on inbound traffic, regardless of whether the traffic is normal or abnormal. Therefore, service learning must be enabled only when Zone traffic is normal. During the learning, if the Zone becomes abnormal or comes under attack, you need to terminate the current service learning task and restart it only after Zone traffic returns to normal.


5.2.4.2 Configuring a Service Learning Task


You can configure a service learning task to learn TCP or UDP services that hit the traffic
threshold within the specified duration, and select the manual or automatic application of
learning results. If the automatic application is adopted, top N services with heaviest traffic on
devices associated with the Zone can be added to the Zone automatically.

Prerequisites
- The user-defined Zones have been added and IP addresses have been configured. For details, see 6.1.1 Adding a Zone.
- The basic policies of the Zone have been configured and deployed on the associated devices. For details, see 6.2.1 Configuring a Defense Mode.
- Devices associated with the Zone have been bound to collectors. For details, see 5.4.2 Associating the Collector with the devices.

Context
To ensure accurate learning results, enable the service learning task when traffic of the Zone is
normal.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click the Zone's state in the Service Learning column.
Step 3 Configure a service learning task. For parameters, see Table 6-10.
Table 5-10 Parameters of configuring a service learning task

Start Time: Indicates the time at which the devices associated with the Zone start service learning. The start time must be later than the time at which service learning is enabled.

End Time: Indicates the time at which the devices associated with the Zone stop service learning. The end time must be later than the start time.

Traffic Threshold: If the traffic of a TCP or UDP service of an IP address exceeds the threshold, the service is added to the learning results.

Confirmation Method: Determines whether to automatically add service learning results to the service list of the Zone. If Automatic confirmation is configured, select the top N services with the heaviest traffic in Automatic confirmation top N for automatic confirmation.

Step 4 Click Start to enable the service learning task of the Zone.


After service learning is enabled, Learning status is displayed as Learning is in progress.


You can click Stop to stop the service learning task.
Before you modify the parameters of the learning task, stop service learning first.

----End

Result
- With service learning enabled, if the traffic of a service in the Zone exceeds Traffic Threshold, the service is displayed in the service learning results. The format of the service name is service type-port number. The traffic volume shown is the upper limit reached by the service traffic.
- If the confirmation mode of service learning is Automatic confirmation, the system automatically adds the services in the learning results to the service policy of the Zone, including service names, types, ports, IP addresses, and associated devices. If services of the same type and port already exist on the device associated with the service policy of the Zone, the learnt IP addresses are added to the existing services.
Choose System > Log Management > System Logs. You can view log information about whether the automatic confirmation of service learning results succeeds. If the automatic confirmation succeeds, perform the following operations to view the services confirmed to the service policy.
a. Choose Defense > Policy Settings > Zone.
b. Click [icon] of the Zone.
c. On the Service tab page, you can view the services. Click [icon] of each service to modify the basic information and configure defense policies of the service. For parameters of the defense policies, see 6.2.6 Configuring the Zone-based Defense Policy.

Follow-up Procedure
- When the confirmation mode of service learning is Automatic confirmation, service learning results are automatically applied to the defense policy of the Zone. The settings take effect after they are deployed on devices. For details, see 6.2.12 Deploying the Defense Policy.
- When the confirmation mode of service learning is Manual confirmation, confirm service learning results manually. For details, see 6.2.4.3 Applying Service Learning Results.

5.2.4.3 Applying Service Learning Results


You must perform this operation when the confirmation mode of service learning is Manual
confirmation.

Prerequisites
The service learning task has been enabled. For details, see 6.2.4.2 Configuring a Service Learning Task.


Context
Service learning results contain service names, types, ports, IP addresses, associated devices, and traffic. During the confirmation of service learning results, the system checks whether services of the same type and port exist on the associated device in the service policy of the Zone, and performs the corresponding processing:
1. If such services exist, the learnt IP addresses are added to the services.
2. If no such service exists, the services are added to the policy of the Zone, including service names, types, ports, IP addresses, and associated devices.
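Added example code (not ATIC Management Center code) for the learning and confirmation rules described in 5.2.4.2 Result and in this Context: a (device, IP address, type, port) tuple enters the results when its peak traffic exceeds Traffic Threshold, Automatic confirmation keeps only the top N heaviest, and results are merged into the Zone's service list by adding the IP address to a service of the same type and port on the same device or by creating a new service. The flow samples, device names, threshold and traffic unit (Mbit/s) are constructed.

```python
"""Added example (not ATIC Management Center code): service learning over
constructed flow samples, followed by the confirmation rule described in
this Context.  Device names, addresses, threshold and the traffic unit
(Mbit/s) are all made up for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (device, destination IP, protocol, destination port, observed Mbit/s) samples,
# as a collector might report them during the learning window.
FlowSample = Tuple[str, str, str, int, float]


@dataclass
class LearnedService:
    name: str            # displayed as "<service type>-<port number>"
    service_type: str    # TCP or UDP only; other protocols are not learned
    port: int
    ip_address: str
    device: str
    traffic: float       # upper limit reached by the service traffic


@dataclass
class ZoneService:
    service_type: str
    port: int
    device: str
    ip_addresses: Set[str] = field(default_factory=set)


def learn_services(flows: List[FlowSample], threshold: float,
                   top_n: Optional[int] = None) -> List[LearnedService]:
    """A (device, IP address, type, port) tuple enters the results when its peak
    traffic exceeds Traffic Threshold.  Results are ordered heaviest first; with
    Automatic confirmation only the top N are applied, so top_n trims the list."""
    peak: Dict[Tuple[str, str, str, int], float] = {}
    for device, ip, proto, port, mbps in flows:
        if proto not in ("TCP", "UDP"):
            continue
        key = (device, ip, proto, port)
        peak[key] = max(peak.get(key, 0.0), mbps)
    results = [LearnedService(f"{proto}-{port}", proto, port, ip, device, mbps)
               for (device, ip, proto, port), mbps in peak.items() if mbps > threshold]
    results.sort(key=lambda s: s.traffic, reverse=True)
    return results[:top_n] if top_n is not None else results


def apply_results(zone_services: List[ZoneService],
                  results: List[LearnedService]) -> List[ZoneService]:
    """Confirmation rule: if a service of the same type and port already exists on
    the associated device, add the learnt IP address to it; otherwise add a new
    service carrying type, port, IP address and device."""
    for learnt in results:
        for svc in zone_services:
            if (svc.service_type, svc.port, svc.device) == (learnt.service_type, learnt.port, learnt.device):
                svc.ip_addresses.add(learnt.ip_address)
                break
        else:
            zone_services.append(ZoneService(learnt.service_type, learnt.port,
                                             learnt.device, {learnt.ip_address}))
    return zone_services


# Constructed samples: one cleaning device, three Zone addresses.
FLOWS: List[FlowSample] = [
    ("clean-1", "203.0.113.10", "TCP", 8080, 120.0),
    ("clean-1", "203.0.113.10", "TCP", 8080, 340.0),   # peak for TCP-8080
    ("clean-1", "203.0.113.11", "TCP", 443, 95.0),
    ("clean-1", "203.0.113.10", "UDP", 53, 30.0),      # below threshold, not learned
    ("clean-1", "203.0.113.12", "TCP", 22,  4.0),
    ("clean-1", "203.0.113.12", "ICMP", 0, 500.0),     # not TCP/UDP, ignored
]


def demo(threshold: float = 50.0, top_n: Optional[int] = None) -> List[ZoneService]:
    """Existing Zone service list plus whatever learning adds to it."""
    existing = [ZoneService("TCP", 443, "clean-1", {"203.0.113.9"})]
    return apply_results(existing, learn_services(FLOWS, threshold, top_n))


if __name__ == "__main__":
    for svc in demo():
        print(svc)      # TCP-443 gains 203.0.113.11; TCP-8080 is created for 203.0.113.10
```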

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click the Zone's state in the Service Learning column.
Step 3 In the Service Learning Result List group box, select the check box of a service and click
Apply.
----End

Result
1. Choose Defense > Policy Settings > Zone.
2. Click [icon] of the Zone.
3. On the Service tab page, you can view the applied service learning results. Click [icon] of each service to modify the basic information and configure defense policies of the service. For parameters of the defense policies, see 6.2.6 Configuring the Zone-based Defense Policy.

Follow-up Procedure
After service learning results are applied to the Zone, the configurations take effect only after they are deployed on devices. For details, see 6.2.12 Deploying the Defense Policy.

5.2.5 Adjusting a Threshold (by Baseline Learning)


You can configure baseline learning to learn the traffic baseline values of the Zone to adjust
defense thresholds in the defense policy.

5.2.5.1 Description
Dynamic baseline learning provides a reference for configuring the defense threshold.
A defense policy sets a threshold for the traffic volume of a protocol. When the traffic on the
live network exceeds the threshold, the system identifies an anomaly and triggers the
corresponding attack defense.
Before configuring the defense policy, two questions typically arise:
1. Which types of attack defense need to be enabled?
2. How should a proper threshold be set?

The ATIC system supports diversified types of attack defense. You can enable corresponding
attack defense if desired, but not all defense functions. When services on the network are
unknown, you can learn about services on the network by using service learning, and then
determine whether to enable attack defense.
During defense policy configurations, the system prompts you to set defense thresholds for
policies. When the number of the packets of a type destined for the Zone hits the threshold,
the system enables defense against such packets. Because improper configurations may affect
normal services, you are advised to learn the dynamic baseline and set a proper defense
threshold according to the learning result.

Dynamic Baseline Learning

In attack detection, the detecting device collects traffic statistics and compares the traffic
with the pre-defined threshold. If the traffic hits the threshold, the device considers that an
anomaly occurs and reports it to the ATIC. Attack judgment therefore depends entirely on the
configured threshold, but different networks run different applications, each with its own
normal bandwidth.
- If the threshold is set too low, the system starts attack defense even when no attack
  occurs (false positives that may drop legitimate traffic).
- If the threshold is set too high, the system cannot start attack defense in a timely manner
  (the attack is detected late or not at all).
Therefore, learn the basic traffic model before you configure the threshold.
In dynamic baseline learning, the system learns the peak traffic at a fixed interval in the
normal network environment and presents the data to the administrator as a curve in the
ATIC. After dynamic baseline learning is complete, you are advised to deliver the learning
result as the defense threshold. The threshold must be higher than the normal peak traffic.
The dynamic baseline can be learned repeatedly to keep up with changes in the network
traffic model.

5.2.5.2 Configuring a Baseline Learning Task


You can configure baseline learning to obtain the baseline values of the services of the Zone
by learning cycle and generate learning results based on the learning task.

Prerequisites
- The basic policies of the Zone have been configured and deployed on the associated
  devices. For details, see 5.2.1 Configuring a Defense Mode.
- Devices associated with the Zone have been bound to collectors. For details, see 5.4.2
  Associating the Collector with the Devices.

Context
Current Threshold indicates the current threshold of a policy; Baseline indicates the traffic
volume learned by baseline learning; Suggestion indicates the recommended threshold
calculated from the current threshold and the baseline. Once delivered to the device, the
recommended threshold becomes the current threshold. The recommended threshold is
calculated as follows:
- When a defense threshold is configured: recommended threshold = current threshold x
  current threshold weight + (baseline value x tolerance value) x (1 - current threshold weight)
- When no defense threshold is configured: recommended threshold = baseline value x
  tolerance value
The tolerance value depends on the magnitude of the learned baseline:
- Baseline packet rate < 5000 pps, baseline bandwidth < 20 Mbit/s, or baseline connection
  count < 5000: tolerance value = 200%
- 5000 pps ≤ baseline packet rate < 30,000 pps, 20 Mbit/s ≤ baseline bandwidth < 100
  Mbit/s, or 5000 ≤ baseline connection count < 30,000: tolerance value = 180%
- 30,000 pps ≤ baseline packet rate < 100,000 pps, 100 Mbit/s ≤ baseline bandwidth < 300
  Mbit/s, or 30,000 ≤ baseline connection count < 100,000: tolerance value = 160%
- 100,000 pps ≤ baseline packet rate < 300,000 pps, 300 Mbit/s ≤ baseline bandwidth < 1
  Gbit/s, or 100,000 ≤ baseline connection count < 300,000: tolerance value = 140%
- 300,000 pps ≤ baseline packet rate < 12,000,000 pps, 1 Gbit/s ≤ baseline bandwidth < 10
  Gbit/s, or 300,000 ≤ baseline connection count < 12,000,000: tolerance value = 120%
A threshold that is too low causes false positives. Therefore, when the recommended packet
rate, bandwidth, or connection count is smaller than 500 pps, 5 Mbit/s, or 500 respectively,
use these minimum values instead.
If only one detecting device is in a defense group, the baseline learning result of the cleaning
device is the same as that of the detecting device. If multiple detecting devices are present,
the baseline learning result of the cleaning device is the maximum of the detecting devices'
learning results.
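The following Python script is an added example, not Huawei code: it reproduces the Suggestion formula, the tolerance tiers, the minimum values and the cleaning-device rule stated above, so that an operator can check what the ATIC will propose before applying it. The function names, the metric labels ("pps", "mbps", "conn") and the treatment of baselines above the highest listed tier are this example's own assumptions.

```python
"""Recommended-threshold calculation from baseline learning (added example)."""
from __future__ import annotations

# Tolerance tiers from the guide: (upper bound of the baseline, tolerance %).
# Baselines at or above the last bound are not covered by the guide; this
# example keeps 120% for them, which is an assumption.
TIERS = {
    "pps": [(5_000, 200), (30_000, 180), (100_000, 160), (300_000, 140), (12_000_000, 120)],
    "mbps": [(20, 200), (100, 180), (300, 160), (1_000, 140), (10_000, 120)],
    "conn": [(5_000, 200), (30_000, 180), (100_000, 160), (300_000, 140), (12_000_000, 120)],
}

# Minimum values; a lower recommendation would only produce false positives.
FLOORS = {"pps": 500, "mbps": 5, "conn": 500}


def tolerance_percent(metric: str, baseline: float) -> int:
    """Return the tolerance (in percent) for a baseline of the given metric."""
    for upper, pct in TIERS[metric]:
        if baseline < upper:
            return pct
    return TIERS[metric][-1][1]  # above the highest listed tier (assumption)


def recommended_threshold(metric: str, baseline: float,
                          current: float | None = None,
                          current_weight: float = 0.0) -> float:
    """Suggestion value as the guide defines it.

    current is None -> baseline * tolerance
    current is set  -> current * w + (baseline * tolerance) * (1 - w)
    The result is never below the metric's floor value.
    """
    scaled = baseline * tolerance_percent(metric, baseline) / 100
    if current is None:
        value = scaled
    else:
        value = current * current_weight + scaled * (1 - current_weight)
    return max(value, FLOORS[metric])


def cleaning_device_baseline(detector_baselines: list[float]) -> float:
    """A cleaning device takes the maximum baseline across the detecting
    devices of its defense group (identical to it when there is only one)."""
    return max(detector_baselines)


def auto_apply(mode: str, suggestion: float, current: float | None) -> bool:
    """Decide whether a result is applied when Take effect automatically is
    selected. mode is 'always' (Always Effective), 'larger' (Effective When the
    Suggestion Value Is Larger Than the Current Value) or 'manual'."""
    if mode == "always":
        return True
    if mode == "larger":
        return current is None or suggestion > current
    return False


if __name__ == "__main__":
    # Constructed values: two detectors saw SYN peaks of 3,200 and 4,000 pps.
    base = cleaning_device_baseline([3_200, 4_000])
    print("baseline", base, "pps, tolerance", tolerance_percent("pps", base), "%")
    print("no current threshold ->", recommended_threshold("pps", base))
    print("current 10000, weight 0.5 ->",
          recommended_threshold("pps", base, current=10_000, current_weight=0.5))
```

With a 4,000 pps baseline the tolerance is 200%, so the suggestion without a configured threshold is 8,000 pps; with a current threshold of 10,000 pps and a weight of 0.5 it is 9,000 pps, and in the "larger than current" mode that value would not be applied automatically.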

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click the Zone's state in the Baseline Learning column.

Step 3 Configure a baseline learning task. For parameters, see Table 5-11.
Table 5-11 Parameters of configuring a baseline learning task

Learning Cycle
    After the baseline learning task is started, baseline learning results are refreshed every
    five minutes and are applied to the defense policy only after a learning cycle is complete.

Start Time
    Indicates the start time of the current cycle for baseline learning.

Current Threshold Weight
    Indicates the proportion of the current threshold in the recommended value (the current
    threshold weight in the formula above).

Take effect automatically
    - After Take effect automatically and Always Effective are selected, the system
      automatically applies baseline learning results to defense policies after the learning
      period ends, regardless of the learning results.
    - After Take effect automatically and Effective When the Suggestion Value Is Larger
      Than the Current Value are selected, the system automatically applies baseline learning
      results to defense policies after the learning period ends only if the recommended value
      is greater than the current value.
    - If Take effect automatically is not selected, baseline learning results do not take effect
      automatically and must be applied manually.

Step 4 Click Startup to enable the baseline learning task of the Zone.
If services have been created, the traffic that matches a service is learned separately and the
traffic that matches no service is learned as a whole; the learning results are applied to the
defense policies of the created services and to the default defense policy respectively. If no
service is created, all traffic is learned as a whole and the learning result is applied to the
default defense policy.
After baseline learning is enabled, click Stop to stop it.
To modify the parameters of the learning task, stop baseline learning first.

----End

Result
- Before the first learning cycle ends, the service traffic learning result from the start time to
  the current time is displayed. After the first learning cycle elapses, the service traffic
  learning result of the last learning cycle is displayed.
- After you click the icon in the Operation column, you can view the traffic trend chart of
  baseline learning and change the Current Threshold value.
- After Take effect automatically and Always Effective are selected in a baseline learning
  task, the system automatically applies the recommended values to defense policies after
  the baseline learning period ends.
The baseline learning result takes effect only after the corresponding defense item is enabled
in the defense policies.

Follow-up Procedure
- When the confirmation mode of baseline learning is automatic, the service traffic learning
  result is automatically applied to the defense policy of the Zone and deployed on devices.
- When automatic confirmation is not selected, the service traffic learning result must be
  confirmed manually. For details, see 5.2.5.3 Applying Baseline Learning Results.

5.2.5.3 Applying Baseline Learning Results


When automatic validation is not adopted by the baseline learning task, you must apply
baseline learning results manually.

Prerequisites
The baseline learning task has been enabled. For details, see 5.2.5.2 Configuring a Baseline
Learning Task.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click the Zone's state in the Baseline Learning column.
Step 3 In the Dynamic Baseline Result group box, select the check box of a service and click Apply
Suggestion to apply the recommended value in the baseline learning results to the service policies.
After you click the icon in the Operation column, you can change the Current Threshold value.

----End

5.2.6 Configuring the Zone-based Defense Policy


After basic policies are configured, a basic attack defense policy is automatically generated on
the devices associated with the Zone. You need to configure the attack defense policy based
on live network traffic.

Prerequisites
The defense mode of the Zone has been configured. For details, see 5.2.1 Configuring a
Defense Mode.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Click the operation icon of the Zone.
Step 3 On the Defense Policy tab, click the icon in the Operation column of the default defense
policy whose name starts with basic.
The name of the default defense policy consists of basic and the IP address of the associated
device. For example, if the IP address of the device is 128.18.60.36, the name of the default
defense policy is basic_128_18_60_36.
Step 4 Configure defense policies for protocols.
----End

5.2.6.1 TCP Defense Policy


The defense policies for TCP services cover block, traffic limiting, and defense.

Block
Discards all TCP packets.

Traffic Limiting
- TCP Traffic Limiting: Limits traffic of all TCP packets destined for an IP address below
  Threshold.
- TCP Fragment Rate Limiting: Limits traffic of all TCP fragments destined for an IP
  address below Threshold.
The Threshold is specified based on actual network bandwidths.

Defense

TCP Abnormal Defense


Check the flag bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. If
any flag bit is invalid, the TCP packet is considered abnormal. When the rate of
TCP abnormal packets exceeds the Threshold value, all TCP packets are discarded.

TCP Basic Defense
    Uses source authentication to defend against TCP attack traffic. Table 5-12 shows the
    parameters.
    It is recommended that you configure link status detection to defend against SYN-ACK
    flood, ACK flood, TCP fragment, and FIN/RST flood attacks in scenarios where the
    incoming and outgoing paths of packets are consistent (symmetric routing).

Table 5-12 Parameters of configuring basic TCP defense

SYN Flood Attack Defense: Threshold
    Description: If the rate of SYN packets exceeds Threshold, the device reports anomaly
    events to the ATIC Management Center and starts defense.
    Value: You are advised to configure the threshold through baseline learning. For details,
    see 5.2.5.2 Configuring a Baseline Learning Task.

ACK Flood Attack Defense: Threshold
    Description: If the rate of ACK packets exceeds Threshold, the device reports anomaly
    events to the ATIC Management Center and starts defense. When ACK flood attacks are
    detected, the system permits the first packet for session establishment before the session
    check and discards subsequent packets that do not belong to a session.
    Value: Configure the threshold through baseline learning. For details, see 5.2.5.2
    Configuring a Baseline Learning Task.

TCP Fragment Attack Defense: Threshold
    Description: If the rate of TCP fragments exceeds Threshold, the device reports anomaly
    events to the ATIC Management Center and starts defense.
    Value: Configure the threshold through baseline learning. For details, see 5.2.5.2
    Configuring a Baseline Learning Task.

FIN/RST Flood Attack Defense: Threshold
    Description: If the rate of FIN/RST packets exceeds Threshold, the device reports
    anomaly events to the ATIC Management Center and starts defense.
    Value: Configure the threshold through baseline learning. For details, see 5.2.5.2
    Configuring a Baseline Learning Task.

Source IP TCP-Ratio Anomaly Limiting: Rate Limiting Threshold
    Description: In this mode, rate limiting is applied to the real source IP addresses that
    pass the session check.
    Value: Permanent Limiting: In all cases, this function limits the rate of all packets except
    ACK packets below Rate Limiting Threshold.

TCP Connection Flood Attack Defense
    For parameters, see Table 5-13.

Table 5-13 Parameters of configuring defense against connection flood attacks
Value (all thresholds): You are advised to configure them through baseline learning. For
details, see 5.2.5.2 Configuring a Baseline Learning Task.

Concurrent connection check by destination IP address: Threshold
    When the number of concurrent TCP connections to a destination IP address exceeds
    Threshold, defense against connection flood attacks starts. After the defense starts,
    source IP addresses are checked.

New connection rate check by destination IP address: Threshold
    When the number of new TCP connections per second to a destination IP address
    exceeds Threshold, defense against connection flood attacks starts. After the defense
    starts, source IP addresses are checked.

New connection rate check by source IP address: Check Cycle, Threshold
    After defense against connection flood attacks is enabled, if the number of TCP
    connections initiated by a source IP address within Check Cycle exceeds Threshold, the
    source IP address is regarded as an attack source and reported to the ATIC Management
    Center.

Connection Number Check for Source IP Address: Threshold
    After defense against connection flood attacks is enabled, if the number of concurrent
    TCP connections of a source IP address exceeds Threshold, the source IP address is
    regarded as an attack source and reported to the ATIC Management Center.

Abnormal Session Check: Abnormal connection threshold, Check Cycle
    Within Check Cycle, if the number of abnormal TCP sessions of a source IP address
    exceeds Abnormal connection threshold, the source IP address is regarded as an attack
    source and reported to the ATIC Management Center.

Null connection check: Minimum packets per connection, Check Cycle
    Within Check Cycle, if the number of packets of a TCP connection is lower than
    Minimum packets per connection, the connection is regarded as abnormal.

Retransmission session check: Retransmission Packet Number Threshold
    If the number of retransmitted packets of a connection exceeds Retransmission Packet
    Number Threshold, the connection is regarded as abnormal.

Sockstress: TCP Window Size Threshold
    If the TCP window size advertised on a connection stays below TCP Window Size
    Threshold (Sockstress holds connections open by advertising a tiny or zero window), the
    connection is regarded as abnormal.
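The following Python script is an added example, not Huawei code. It runs two of the TCP checks described above over constructed records: the flag-bit check of TCP Abnormal Defense with its per-second Threshold, and the connection flood source checks (new connections per source within a Check Cycle, concurrent connections per source, and null connections with too few packets) that start only once a destination exceeds its concurrent connection Threshold. The guide names the flag bits but not which combinations the device treats as invalid, so the combinations used here are an assumption, as are all threshold values and addresses.

```python
"""TCP abnormal-flag check and connection-flood source checks (added example)."""
from collections import Counter

URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
ALL_FLAGS = URG | ACK | PSH | RST | SYN | FIN


def flags_abnormal(flags: int) -> bool:
    """Assumed invalid combinations: no flag at all, SYN together with FIN or
    RST, and FIN/PSH/URG without ACK (only SYN and RST may stand alone)."""
    f = flags & ALL_FLAGS
    if f == 0:
        return True
    if f & SYN and f & (FIN | RST):
        return True
    if f & (FIN | PSH | URG) and not f & ACK:
        return True
    return False


def abnormal_rate_exceeded(packets, threshold_pps: int) -> bool:
    """packets: iterable of (timestamp_seconds, flags). True when more abnormal
    packets than Threshold arrive in any one-second bucket; the device would
    then discard all TCP packets to the protected address."""
    per_second = Counter(int(ts) for ts, fl in packets if flags_abnormal(fl))
    return max(per_second.values(), default=0) > threshold_pps


def connection_flood_sources(flows, dst_concurrent_threshold: int,
                             src_new_threshold: int, src_concurrent_threshold: int,
                             min_packets: int, check_cycle: float) -> set:
    """flows: list of dicts with keys src, dst, start, packets, open.

    Source checks run only once a destination's concurrent connections exceed
    dst_concurrent_threshold. A source is reported when, within check_cycle,
    it opened more than src_new_threshold connections, holds more than
    src_concurrent_threshold open ones, or opened a null connection carrying
    fewer than min_packets packets.
    """
    concurrent_per_dst = Counter(f["dst"] for f in flows if f["open"])
    attacked = {d for d, n in concurrent_per_dst.items() if n > dst_concurrent_threshold}
    if not attacked:
        return set()

    new_conns, concurrent, null_conns = Counter(), Counter(), Counter()
    for f in flows:
        if f["dst"] not in attacked:
            continue
        in_cycle = f["start"] < check_cycle
        if in_cycle:
            new_conns[f["src"]] += 1
        if f["open"]:
            concurrent[f["src"]] += 1
        if in_cycle and f["packets"] < min_packets:
            null_conns[f["src"]] += 1

    sources = set(new_conns) | set(concurrent) | set(null_conns)
    return {
        s for s in sources
        if new_conns[s] > src_new_threshold
        or concurrent[s] > src_concurrent_threshold
        or null_conns[s] > 0
    }


# Constructed sample: one source opens six idle connections to the protected
# server; three legitimate clients hold one active connection each.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "198.51.100.10", "start": i, "packets": 1, "open": True}
    for i in range(6)
] + [
    {"src": f"192.0.2.{i}", "dst": "198.51.100.10", "start": 0.5, "packets": 20, "open": True}
    for i in (1, 2, 3)
]

# Constructed packets: a null packet, SYN+FIN, a normal SYN and a normal ACK+PSH.
SAMPLE_PACKETS = [(0.10, 0), (0.20, SYN | FIN), (0.50, SYN), (0.70, ACK | PSH)]

if __name__ == "__main__":
    print("abnormal rate exceeded (threshold 1 pps):",
          abnormal_rate_exceeded(SAMPLE_PACKETS, 1))
    print("attack sources:", connection_flood_sources(
        SAMPLE_FLOWS, dst_concurrent_threshold=5, src_new_threshold=3,
        src_concurrent_threshold=3, min_packets=3, check_cycle=10))
```

With the sample data the destination holds nine concurrent connections, so the source checks run and report only 203.0.113.7; raising the destination threshold above nine disables the source checks entirely, which is the ordering the table describes.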

5.2.6.2 UDP Defense Policy


The defense policies for UDP services cover block, traffic limiting, and defense.

Block
Discards all UDP packets.

Traffic Limiting
Limits traffic to defend against attacks whose UDP packets have no feature (fingerprint) that
could be matched.
- UDP Traffic Limiting: Limits traffic of all UDP packets destined for an IP address below
  Threshold.
- UDP Fragment Rate Limiting Threshold: Limits traffic of all UDP fragments destined for
  an IP address below Threshold.
The Threshold is specified based on actual network bandwidths.

Defense
For parameters, see Table 5-14.

Table 5-14 Configuring UDP attack defense

UDP Flood Fingerprint Attack Defense: Threshold
    Description: When the rate of UDP packets reaches the alert threshold, UDP fingerprint
    learning and payload check are enabled, and UDP packets matching a learned fingerprint
    or a specified payload are discarded.
    Recommended Value: The default value is 50 Mbit/s. You are advised to set the
    bandwidth Threshold based on baseline learning. For details, see 5.2.5.2 Configuring a
    Baseline Learning Task.

UDP Fragment Attack Defense: Threshold
    Description: When the rate of UDP fragments reaches the alert threshold, UDP fragment
    fingerprint learning and payload check are enabled, and UDP fragments matching a
    learned fingerprint or a specified payload are discarded.
    Recommended Value: The default value is 50 Mbit/s. You are advised to set the
    bandwidth Threshold based on baseline learning. For details, see 5.2.5.2 Configuring a
    Baseline Learning Task.

5.2.6.3 ICMP Defense Policy


The defense policies for ICMP services cover block, and traffic limiting.

Block
Discards all ICMP packets.

Traffic Limiting
Limits ICMP traffic destined for an IP address below Threshold.
The Threshold is specified based on actual network bandwidths.

5.2.6.4 Other Defense Policy


The defense policies cover block and traffic limiting for services except the TCP, UDP, ICMP,
DNS, SIP, HTTP, and HTTPS services.

Block
Discards all packets of services except the TCP, UDP, ICMP, DNS, SIP, HTTP, and
HTTPS services.

Traffic Limiting
Limits the outbound traffic of the services except the TCP, UDP, ICMP, DNS, SIP, HTTP,
and HTTPS services of a destination IP address below Threshold.
The Threshold is specified based on actual network bandwidths.

Defense
After fingerprint learning is enabled, the packets that match the learned fingerprint,
except those of TCP, UDP, ICMP, DNS, SIP, HTTP, and HTTPS, are discarded.

5.2.6.5 DNS Defense Policy


The defense policies for DNS services transmitted over UDP cover block, traffic limiting, and
defense. This section describes the defense policies for DNS services.
The AntiDDoS identifies well-known protocols by port number. Non-DNS services with port 53 may be
identified as DNS services and therefore be discarded when matching specific policies. Therefore, do not
use well-known ports for other services.

Block
Discards all UDP DNS packets.

Rate Limiting
- Rate Limiting on Request Packets: With DNS request flood defense enabled, rate
  limiting is performed per source IP address to keep DNS request traffic below Rate
  Limiting Threshold. When DNS request traffic exceeds the threshold, the detecting
  device reports anomaly events to the ATIC Management Center, and the cleaning device
  discards the excess DNS request packets.
- Rate Limiting on Reply Packets: With DNS reply flood defense enabled, rate limiting is
  performed per source IP address to keep DNS reply traffic below Rate Limiting
  Threshold. When DNS reply traffic exceeds the threshold, the detecting device reports
  anomaly events to the ATIC Management Center, and the cleaning device discards the
  excess DNS reply packets.

Defense

Unique Configuration Items of the Cache Server
    For parameters, see Table 5-15.

Table 5-15 Unique configuration items of the cache server

DNS Request Flood Attack Defense
    Description: Indicates that the cleaning device defends against DNS request flood
    attacks.
    Defense Mode:
    - TCP Authentication: Source authentication is used for defense. During source
      authentication, the cleaning device makes the client resend its DNS request over TCP.
      This consumes TCP connection resources of the DNS cache server to a certain extent.
    - Passive: Validity authentication is performed for clients that do not support sending
      DNS requests over TCP.
    Threshold: If the rate of DNS request packets exceeds Threshold, the device reports
    anomaly events to the ATIC Management Center and starts defense. You are advised to
    configure the threshold through baseline learning. For details, see 5.2.5.2 Configuring a
    Baseline Learning Task.

Unique Configuration Items of the Authorization Server
    For parameters, see Table 5-16.

Table 5-16 Unique configuration items of the authorization server

DNS Request Flood Attack Defense
    Description: Indicates that the cleaning device defends against DNS request flood
    attacks.
    Defense Mode:
    - Passive: Validity authentication is performed for clients that do not support sending
      DNS requests over TCP.
    - CNAME: Validity authentication is performed for clients that support sending DNS
      requests over TCP.
    Threshold: If the rate of DNS request packets exceeds Threshold, the device reports
    anomaly events to the ATIC Management Center and starts defense. You are advised to
    configure the threshold through baseline learning. For details, see 5.2.5.2 Configuring a
    Baseline Learning Task.

DNS Reply Flood Attack Defense


If the rate of DNS reply packets exceeds Threshold, the cleaning device defends
against forged source attacks.

Detection of the requests for NXDomain


If the proportion of unknown domain name requests within one second exceeds the
threshold, the detecting device reports an anomaly event to the ATIC Management
center. At this time, you are advised to configure an anomaly packet capture task
and extract fingerprints from the packet capture file. The specific unknown domain
name can be extracted and added to the Rate Limiting on Request Packets of
Specified Domain Name list so that traffic rate limiting can be performed on the
request packets of the unknown domain name.

If this function is enabled, you must run the anti-ddos server-flow-statistic enable command on the
inbound interface to enable the upstream traffic analysis function.

Malformed packet check
After the validity check on packets is enabled, the cleaning device checks the DNS packet
format and discards non-standard packets.

DNS request packet length limiting


Enable the limiting on the DNS request packet length to limit the length of DNS
request packets below Threshold. When the length of DNS request packets exceeds
the threshold, the detecting device reports anomaly events to the ATIC Management
center. Then the cleaning device discards overlong DNS request packets.

DNS reply packet length limiting


Enable the limiting on the DNS reply packet length to limit the length of DNS reply
packets below Threshold. When the length of DNS reply packets exceeds the
threshold, the detecting device reports anomaly events to the ATIC Management
center. Then the cleaning device discards overlong DNS reply packets.
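The following Python script is an added example, not Huawei code. It builds constructed DNS messages with a minimal header and question-name parser (the kind of format check the malformed-packet item implies), then applies two of the checks described above: per-source rate limiting of request packets and the NXDomain ratio that triggers the unknown-domain anomaly. Thresholds, addresses and names are sample values of this example.

```python
"""DNS request rate limiting and NXDOMAIN ratio detection (added example)."""
import struct
from collections import Counter

NXDOMAIN = 3  # RCODE value for Name Error


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels (length-prefixed, zero-terminated)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_message(qname: str, response: bool, rcode: int = 0) -> bytes:
    """Construct a single-question DNS message (type A, class IN)."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0x0F)  # QR, RD, RCODE
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack(">HH", 1, 1)


def parse_header(data: bytes) -> dict:
    """Return id, qr, rcode and qdcount from the 12-byte DNS header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")  # would be dropped as malformed
    ident, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id": ident, "qr": flags >> 15, "rcode": flags & 0x0F, "qdcount": qd}


def parse_qname(data: bytes, offset: int = 12) -> str:
    """Decode the first question name (no compression pointers expected)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def rate_limited_sources(requests, limit_pps: int) -> set:
    """requests: (timestamp, src_ip). Sources sending more than limit_pps DNS
    requests in any one-second bucket; the excess would be discarded."""
    per_src_second = Counter((src, int(ts)) for ts, src in requests)
    return {src for (src, _), n in per_src_second.items() if n > limit_pps}


def nxdomain_ratio_exceeded(replies, ratio_threshold: float) -> list:
    """replies: (timestamp, raw_message). Seconds in which the share of
    NXDOMAIN replies exceeds ratio_threshold, i.e. when the detecting device
    would raise an unknown-domain-request anomaly."""
    total, nx = Counter(), Counter()
    for ts, raw in replies:
        sec = int(ts)
        total[sec] += 1
        if parse_header(raw)["rcode"] == NXDOMAIN:
            nx[sec] += 1
    return sorted(s for s in total if nx[s] / total[s] > ratio_threshold)


# Constructed traffic: one source fires ten requests within a second, and a
# random-subdomain flood produces eight NXDOMAIN replies against two answers.
SAMPLE_REQUESTS = [(0.1 * i, "203.0.113.7") for i in range(10)] + [
    (0.3, "192.0.2.1"), (0.9, "192.0.2.1")]
SAMPLE_REPLIES = (
    [(0.1 * i, build_message(f"x{i}.example.com", True, NXDOMAIN)) for i in range(8)]
    + [(0.85, build_message("www.example.com", True)),
       (0.95, build_message("example.com", True))]
)

if __name__ == "__main__":
    print("rate-limited sources:", rate_limited_sources(SAMPLE_REQUESTS, 5))
    print("NXDOMAIN alert seconds:", nxdomain_ratio_exceeded(SAMPLE_REPLIES, 0.5))
```

Once the ratio check fires, the names decoded with parse_qname are what you would feed into Rate Limiting on Request Packets of Specified Domain Name after confirming them in a packet capture.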

5.2.6.6 SIP Defense Policy


The defense policies for SIP services cover source detection and rate limiting of source IP
addresses.
The AntiDDoS identifies well-known protocols by port number. Non-SIP services on port 5060 may
be identified as SIP services and therefore be discarded when matching specific policies. Therefore, do
not use well-known ports for other services.

Source detection
When defense is enabled and the rate of SIP packets exceeds Threshold, the device reports
anomaly events to the ATIC Management Center and starts defense against SIP packets based
on the destination IP address.

Rate Limiting of Source IP Address
The AntiDDoS always applies source IP address-based rate limiting to SIP packets.
You are advised to configure Threshold (pps) based on baseline learning. For details, see
5.2.5.2 Configuring a Baseline Learning Task.

5.2.6.7 HTTP Defense Policy


The defense policies for HTTP services cover block, traffic limiting, and defense.
The AntiDDoS identifies well-known protocols by port number. Non-HTTP services with port 80 may
be identified as HTTP services and therefore be discarded when matching specific policies. Therefore,
do not use well-known ports for other services.

Block
Discards all HTTP packets.

Traffic Limiting
Limits HTTP traffic destined for an IP address below Threshold. Excess packets are
discarded.
The Threshold is specified based on actual network bandwidths.

Defense

HTTP attack defense

When Statistics Based on Source IP Address is enabled and the rate of HTTP
packets destined for the Zone is greater than Threshold or Request Threshold,
the system enables source IP address-based statistics, and reports anomalies to
the ATIC Management center. When the rate of HTTP packets from the IP
address is larger than Threshold or Request Threshold, the source
authentication of HTTP packets is enabled.
The source-based defense mode can be 302 Redirect or Verify Code.

When Statistics Based on Source IP Address is disabled and the rate of


HTTP packets destined for the Zone is larger than Threshold or Request
Threshold, the system reports anomalies to the ATIC Management center.

If the defense mode of the Zone is automatic, the system starts defense automatically. If the
defense mode is manual, the administrator needs to confirm and start the defense manually.
For details on how to configure the defense mode, see 5.2.1 Configuring a Defense Mode.
You are advised to specify Threshold or Request Threshold through baseline learning. For
details, see 5.2.5.2 Configuring a Baseline Learning Task.

Request Threshold indicates that the device collects statistics on all HTTP packets, including SYN,
SYN-ACK, and ACK packets of TCP connections. Threshold indicates that the device collects statistics
on the HTTP packets (such as GET and POST packets) except SYN, SYN-ACK, and ACK packets. As
long as the traffic volume reaches one of the thresholds, the defense is triggered.

HTTP Source Authentication Defense
    For parameters, see Table 5-17.

Table 5-17 Parameters of configuring HTTP source authentication

Defense Mode
    Description: Indicates the mode in which the cleaning device defends against HTTP
    attack sources.
    Value:
    - 302 Redirect: If the requested web page is not on the same server as the embedded
      resource, and an anomaly occurs on the server where the embedded resource resides,
      enable 302 redirection on that server to detect whether the source is a real browser.
      302 redirect source authentication does not affect the user experience.
    - Verify Code: Detects whether the HTTP access is initiated by a real user by requiring
      a verification code. Bots of a botnet cannot enter the code and are therefore
      effectively blocked, but the user experience is affected. If the client of the HTTP
      service is a set-top box, select 302 Redirect, because a set-top box cannot enter a
      verification code.

Proxy Detection
    Description: Checks whether HTTP requests are sent through a proxy. If so, the system
    obtains the real client IP address from the HTTP packets and uses it for defense, so that
    normal requests behind the proxy are processed while attack traffic is discarded.
    Value: You are advised to enable proxy detection if any HTTP proxy exists.

Verification Code Caption Settings
    Description: When Defense Mode is set to Verify Code, the AntiDDoS automatically
    pushes a verification code page, on which you can set the caption of the verification
    code.

SYN Rate Limiting: Threshold
    Description: If the rate of HTTP packets whose source IP addresses pass source
    authentication exceeds Threshold, the device applies rate limiting.
    Value: Limits the number of connections.

ACK Rate Limiting: Threshold
    Description: If the rate of HTTP packets whose source IP addresses pass source
    authentication exceeds Threshold, the device applies rate limiting.
    Value: Limits the rate of HTTP GET packets.

HTTP Fingerprint Learning

    If, within the learning cycle, the number of requests with the same fingerprint from the
    same source IP address exceeds Matching Counts, the source IP address is regarded as an
    attack source and reported to the ATIC Management Center. If the dynamic blacklist
    mode of the Zone is not Close, the ATIC Management Center automatically adds the IP
    addresses of attack sources to the dynamic blacklist. For details on how to configure the
    dynamic blacklist mode, see 5.2.1 Configuring a Defense Mode.

HTTP low-rate connection attack defense


If the number of HTTP concurrent connections per second exceeds the given value,
the device checks the HTTP packets. If any of the following situations occurs, the
protected network is under HTTP low-rate connection attacks. The device reports
the source IP address of the attack packets to the ATIC Management center. If the
dynamic blacklist of the Zone is not Disable, the system automatically adds the IP
address of attack packets to the dynamic blacklist and terminates the connection
between this IP address and the HTTP server.

The total length of consecutive HTTP post packets exceeds the given value,
but the HTTP payload length is less than the given value.

The headers of consecutive HTTP get/post packets do not have any end flags.

For parameters, see Table 6-18.


Table 5-18 Configuring HTTP low-rate connection attack defense

Number of concurrent connections: Check the number of HTTP concurrent connections per second. If the count exceeds the given value, the system checks each HTTP packet.

Total packet length, Packet number, Payload length: If either of the following situations occurs, the system is under HTTP low-rate connection attacks.
- The total length of consecutive HTTP post packets exceeds the given value, but the HTTP payload length is less than the given value.
- The headers of consecutive HTTP get/post packets do not have any end flags.
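The two conditions in Table 5-18 can be modelled per connection by accumulating the consecutive segments of one request. The following Python is an added illustration, not ATIC or AntiDDoS code: the threshold names mirror the table, the numeric values, the concurrent-connection gate and the sample segments are constructed for the example, and the device's real parsing is not described on this page.

```python
# Added example (not ATIC code): a per-connection model of the two HTTP
# low-rate conditions described in Table 5-18. Thresholds and the sample
# segments below are constructed for illustration.
HEADER_END = b"\r\n\r\n"


def split_request(data):
    """Split accumulated bytes into (header_bytes, payload_bytes, header_complete)."""
    idx = data.find(HEADER_END)
    if idx < 0:
        return data, b"", False
    cut = idx + len(HEADER_END)
    return data[:cut], data[cut:], True


def check_connection(segments, max_header_packets, total_length_limit, payload_length_limit):
    """Return the attack condition matched by one connection's consecutive
    segments, or None if the connection looks legitimate.

    max_header_packets:   consecutive packets allowed before the header must end
    total_length_limit:   "Total packet length" for consecutive POST packets
    payload_length_limit: "Payload length" a POST of that size is expected to carry
    """
    data = b"".join(segments)
    header, payload, complete = split_request(data)
    method = header.split(b" ", 1)[0].upper()
    if method not in (b"GET", b"POST"):
        return None
    # Condition 2: consecutive get/post packets whose headers never end.
    if not complete and len(segments) > max_header_packets:
        return "header-without-end-flag"
    # Condition 1: many POST bytes on the wire but almost no payload delivered.
    if method == b"POST" and len(data) > total_length_limit and len(payload) < payload_length_limit:
        return "post-total-length-exceeded-with-short-payload"
    return None


# Constructed sample connections: lists of consecutive segments as captured.
SAMPLE_CONNECTIONS = {
    "normal-get": [b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"],
    "slow-headers": [
        b"GET / HTTP/1.1\r\n",
        b"Host: www.example.test\r\n",
        b"X-a: 1\r\n",
        b"X-a: 2\r\n",
    ],
    "slow-post": [
        b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 100000\r\n\r\n",
        b"a",
        b"b",
    ],
    "normal-post": [
        b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 300\r\n\r\n",
        b"x" * 150,
        b"y" * 150,
    ],
}


def scan(connections, connection_rate, connection_limit,
         max_header_packets=3, total_length_limit=64, payload_length_limit=128):
    """Apply the per-packet checks only when the concurrent-connection rate
    exceeds the configured limit (the "Number of concurrent connections" gate).
    Returns {connection_name: matched_condition}."""
    if connection_rate <= connection_limit:
        return {}
    hits = {}
    for name, segs in connections.items():
        cond = check_connection(segs, max_header_packets, total_length_limit, payload_length_limit)
        if cond:
            hits[name] = cond
    return hits
```

The payload measured here is only what has actually arrived after the header terminator, not the declared Content-Length; that is exactly what distinguishes a slow POST from a large but healthy upload.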

Destination IP-based URI Behavior Monitoring

For parameters, see Table 6-19.

Table 5-19 Parameters of configuring destination IP-based URI behavior monitoring

Destination IP-based URI Behavior Monitoring
Detection Threshold: Within the Interval, if the ratio of the Closely monitored URI access counts (to a destination IP address) to the total access counts exceeds Detection Threshold, URI behavior monitoring is enabled on source IP addresses.
Value: You are advised to configure Detection Threshold based on baseline learning. For details, see 6.2.5.2 Configuring a Baseline Learning Task.

Source IP-based URI Behavior Monitoring
Defense Threshold: Within the Interval, if the ratio of the Closely monitored URI access counts of a source IP address to the total access counts exceeds Defense Threshold, the source IP address is regarded as an attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see 6.2.1 Configuring a Defense Mode.

Closely monitored URI: Closely monitor URIs when URI behavior monitoring is used for defending against HTTP flood attacks.
5.2.6.8 HTTPS Defense Policy


The defense policies for HTTPS services cover block, traffic limiting, and defense.
The AntiDDoS identifies well-known protocols by port number. Non-HTTPS services with port 443
may be identified as HTTPS services and therefore be discarded when matching specific policies.
Therefore, do not use well-known ports for other services.

Block
Discards all HTTPS packets.

Traffic Limiting
Limits HTTPS traffic destined for an IP address below Threshold.
The Threshold is specified based on actual network bandwidths.

Defense
HTTPS Source Authentication Defense

- When Statistics Based on Source IP Address is enabled and the rate of HTTPS packets destined for the Zone is greater than Threshold, the system enables source IP address-based statistics, and reports anomalies to the ATIC Management center. When the rate of HTTPS packets from the IP address is larger than Threshold, the source authentication of HTTPS packets is enabled. The source-based defense mode is Enhanced.

- When Statistics Based on Source IP Address is disabled and the rate of HTTPS packets destined for the Zone is larger than Threshold, the system reports anomalies to the ATIC Management center.

If the defense mode of the Zone is automatic, the system starts defense
automatically. If the defense mode is manual, the administrator needs to confirm
and start the defense manually. For details on how to configure the defense mode,
see 6.2.1 Configuring a Defense Mode.
You are advised to specify the Threshold through baseline learning. For details, see
6.2.5.2 Configuring a Baseline Learning Task.
After defense against anomaly events is enabled, the cleaning device uses the source authentication
mode for defense.

The source IP address that fails authentication is regarded as the attack source and is reported to the
ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC
Management center automatically adds the IP addresses of attack sources to the dynamic blacklist.
For details on how to configure the dynamic blacklist mode, see 6.2.1 Configuring a Defense Mode.

The session is closed after successful authentication. The page needs to be manually refreshed,
which affects user experience.

SSL Defense
After HTTPS source authentication defense is enabled, if the rate of the HTTPS
packets destined for the specified IP address exceeds Threshold, the system
performs SSL checks on the source IP address of the packets. Within the interval
specified in Renegotiation Interval, if the number of SSL negotiations between a
source IP address and a destination IP address exceeds Maximum Renegotiation
Times, the session in between is marked as abnormal. Within the interval specified
in Abnormal Session Check Interval, if the number of abnormal sessions exceeds
the value specified in Maximum Number of Abnormal Sessions, the source IP
address is regarded as abnormal and therefore blacklisted.
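The SSL defense paragraph describes two nested sliding-window counts: negotiations per session against Maximum Renegotiation Times within Renegotiation Interval, then abnormal sessions per source against Maximum Number of Abnormal Sessions within Abnormal Session Check Interval. The Python below is an added example, not ATIC code; the negotiation events are constructed, and identifying a session by (source IP, source port, destination IP) is an assumption of the example, not a statement about the device's session table.

```python
from collections import defaultdict

# Constructed SSL negotiation events: (timestamp_s, src_ip, src_port, dst_ip).
# Session key (src_ip, src_port, dst_ip) is an assumption of this example.
SAMPLE_NEGOTIATIONS = [
    (0, "10.0.0.9", 40001, "192.0.2.10"), (1, "10.0.0.9", 40001, "192.0.2.10"),
    (2, "10.0.0.9", 40001, "192.0.2.10"), (3, "10.0.0.9", 40001, "192.0.2.10"),
    (4, "10.0.0.9", 40001, "192.0.2.10"),
    (5, "10.0.0.9", 40002, "192.0.2.10"), (6, "10.0.0.9", 40002, "192.0.2.10"),
    (7, "10.0.0.9", 40002, "192.0.2.10"), (8, "10.0.0.9", 40002, "192.0.2.10"),
    (10, "10.0.0.9", 40003, "192.0.2.10"), (11, "10.0.0.9", 40003, "192.0.2.10"),
    (12, "10.0.0.9", 40003, "192.0.2.10"), (13, "10.0.0.9", 40003, "192.0.2.10"),
    (0, "10.0.0.5", 50001, "192.0.2.10"), (30, "10.0.0.5", 50001, "192.0.2.10"),
    (40, "10.0.0.5", 50002, "192.0.2.10"),
]


def first_time_exceeding(times, interval, limit):
    """Return the timestamp at which more than `limit` events fall inside any
    window of length `interval` (inclusive), or None if that never happens."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > interval:
            start += 1
        if end - start + 1 > limit:
            return t
    return None


def abnormal_sessions(negotiations, renegotiation_interval, max_renegotiations):
    """Stage 1: {session_key: time_marked_abnormal} for sessions that renegotiate
    more than Maximum Renegotiation Times within Renegotiation Interval."""
    by_session = defaultdict(list)
    for ts, src, sport, dst in negotiations:
        by_session[(src, sport, dst)].append(ts)
    marked = {}
    for key, times in by_session.items():
        t = first_time_exceeding(times, renegotiation_interval, max_renegotiations)
        if t is not None:
            marked[key] = t
    return marked


def blacklisted_sources(negotiations, renegotiation_interval, max_renegotiations,
                        check_interval, max_abnormal_sessions):
    """Stage 2: sources with more than Maximum Number of Abnormal Sessions
    marked inside Abnormal Session Check Interval."""
    marked = abnormal_sessions(negotiations, renegotiation_interval, max_renegotiations)
    per_src = defaultdict(list)
    for (src, _, _), t in marked.items():
        per_src[src].append(t)
    return sorted(
        src for src, times in per_src.items()
        if first_time_exceeding(times, check_interval, max_abnormal_sessions) is not None
    )
```

In the sample, 10.0.0.9 opens three sessions that each renegotiate four times within ten seconds, so with a limit of 3 they are marked at t=3, 8 and 13; whether the source is then blacklisted depends on how many abnormal sessions the check interval allows.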

5.2.6.9 Top N Study


After the top N study function is configured, you can view learning results, which act as
policy parameters for tracing attack sources and confirming cleaning effects.
Top N study adversely affects device performance. Therefore, enable only the top N study
items that you need among those listed in Table 6-20.
Top N study results are displayed in reports. For details, see 9 Report.

Table 5-20 Top N study

HTTP learning

HTTP Host
Description: Indicates top N host fields in the HTTP traffic destined for the Zone. Top N host fields are learned from incoming HTTP traffic.
Usage: When the Zone is under attack, the learning result can be used for configuring HTTP host filtering. For details, see 6.2.2 Configuring a Filter. The administrator can learn about the network status based on the learning result.

HTTP URI
Description: Indicates top N URI fields in the HTTP traffic destined for the Zone. Top N URI fields are learned from incoming HTTP traffic.
Usage: When the Zone is under attack, the learning result can be used for configuring URI monitoring. For details, see 6.2.6.7 HTTP Defense Policy. The administrator can learn about the network status based on the learning result.

Top N HTTP Source IP Addresses (pps/qps)
Description: Indicates top N source IP addresses in the HTTP traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
Usage: When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with that in legitimate traffic after cleaning. The learning result in most cases is used to compare with top N source IP addresses in legitimate HTTP traffic after cleaning.

HTTPS learning

Top N HTTPS Source IP Addresses (pps)
Description: Indicates top N source IP addresses in the HTTPS traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
Usage: When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with that in legitimate traffic after cleaning. The learning result in most cases is used to compare with top N source IP addresses in legitimate HTTPS traffic after cleaning.

DNS learning

Top N Requested Domain Names
Description: Indicates top N requested domain names in the traffic destined for the Zone. Top N requested domain names are learned from incoming traffic and legitimate traffic after cleaning. After Dynamic cache is configured, the cleaning device adds top N domain names and IP addresses to the dynamic cache. After that, the cleaning device replies to requests for these DNS domain names to reduce the load over the DNS server.
Usage: When the Zone is under attack, you can configure rate limiting over the packets of the specified domain name and static cache based on the learning result, reducing the load over the DNS server. For details, see 6.2.6.5 DNS Defense Policy. When the Zone is under attack, you can confirm the cleaning effect by comparing requested domain names in incoming traffic with that in legitimate traffic after cleaning. The administrator can learn about the network status based on the learning result.

Top N DNS Request Source IP Addresses (pps)
Description: Indicates top N source IP addresses in the DNS request traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
Usage: When the Zone is under attack, you can configure rate limiting over the request packets of the specified source IP address. For details, see 6.2.6.5 DNS Defense Policy. When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with that in legitimate traffic after cleaning. The administrator can learn about the network status based on the learning result.

Top N DNS Response Source IP Addresses (pps)
Description: Indicates top N source IP addresses in the DNS reply traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
Usage: When the Zone is under attack, you can configure rate limiting over the reply packets of the specified source IP address. For details, see 6.2.6.5 DNS Defense Policy. When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with that in legitimate traffic after cleaning. The administrator can learn about the network status based on the learning result.

TCP learning

Top N TCP Source IP Addresses (New Connection)
Description: Indicates top N source IP addresses with most new connections in the TCP traffic destined for the Zone. Top N source IP addresses are learned from incoming TCP traffic.
Usage: The administrator can configure the threshold for Connection Number Check for Source IP Address based on the learning result. For details, see 6.2.6.1 TCP Defense Policy.

5.2.6.10 Global Defense Policy for Non-Zone


The defense policy protects IP addresses except those of the user-defined and default Zones.
Rate Limiting Threshold for Non-Zone IP Address


Limits traffic of service packets destined for an IP address below corresponding
thresholds. Excess packets are directly discarded.
Total indicates that traffic of a single IP address is limited below the threshold.

Non-Zone IP Address Reporting Threshold


If the packet rate of a protocol exceeds the threshold, the device reports anomaly events
to the ATIC Management center and starts defense.

5.2.6.11 First-Packet Discarding


The anti-DDoS device provides first-packet checks for SYN, TCP, UDP, ICMP, and DNS
packets.
Some attack packets frequently change source IP addresses or ports. You can enable
first-packet discarding to block such traffic. You can enable first-packet discarding to work
with source authentication to defend against flood attacks from forged sources.
The following table lists the parameters of first-packet discarding.

SYN: Supports the configuration of the upper and lower limits of the interval for discarding the first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered as the first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted.

TCP, DNS, UDP, ICMP: Supports the configuration of only the lower limit of the interval for discarding the first packets. If the actual interval is lower than the lower limit, the packet is considered as the first packet and is discarded.

Configure first-packet discarding only for the protocols supporting packet retransmission.
Otherwise, normal services will be affected.
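The interval rules above (a lower and an upper limit for SYN, a lower limit only for TCP, DNS, UDP and ICMP) can be traced through a packet sequence. The following Python is an added example, not ATIC or AntiDDoS code: the limit values, the flow keys and the packet trace are constructed, and the decision to trust a flow once one retransmission has passed is an assumption of this model, since the page does not describe the device's flow table.

```python
# Added example (not ATIC code): a model of the first-packet discarding rules.
# Limits are per protocol in seconds and are assumed values; SYN has a lower
# and an upper limit, the other protocols only a lower limit.
LIMITS = {
    "SYN": (1.0, 5.0),
    "TCP": (1.0, None),
    "UDP": (1.0, None),
    "ICMP": (1.0, None),
    "DNS": (1.0, None),
}


class FirstPacketFilter:
    """Tracks, per (protocol, flow), when the first packet was seen and whether a
    retransmission has since passed. A flow that has passed is trusted afterwards
    (assumption of this model, not a documented device behaviour)."""

    def __init__(self, limits):
        self.limits = limits
        self.flows = {}  # (proto, flow_key) -> [first_timestamp, passed]

    def handle(self, proto, flow_key, ts):
        lower, upper = self.limits[proto]
        entry = self.flows.get((proto, flow_key))
        if entry is None:
            self.flows[(proto, flow_key)] = [ts, False]
            return "discard"          # never seen before: treated as the first packet
        first_ts, passed = entry
        if passed:
            return "permit"           # flow already validated by a retransmission
        interval = ts - first_ts
        if interval < lower:
            return "discard"          # retransmitted too quickly: still the "first" packet
        if upper is not None and interval > upper:
            entry[0] = ts             # too late: this packet becomes the new first packet
            return "discard"
        entry[1] = True               # within [lower, upper]: a genuine retransmission
        return "permit"


# Constructed packet trace: (protocol, flow key, timestamp in seconds).
SAMPLE_TRACE = [
    ("SYN", "10.0.0.1->192.0.2.10:443", 0.0),
    ("SYN", "10.0.0.1->192.0.2.10:443", 0.3),    # below the lower limit
    ("SYN", "10.0.0.1->192.0.2.10:443", 1.2),    # inside [1.0, 5.0]
    ("SYN", "10.0.0.1->192.0.2.10:443", 1.5),    # flow already trusted
    ("SYN", "10.0.0.2->192.0.2.10:443", 0.0),
    ("SYN", "10.0.0.2->192.0.2.10:443", 9.0),    # above the upper limit
    ("SYN", "10.0.0.2->192.0.2.10:443", 10.5),   # 1.5 s after the new first packet
    ("UDP", "10.0.0.3->192.0.2.10:53", 0.0),
    ("UDP", "10.0.0.3->192.0.2.10:53", 100.0),   # no upper limit for UDP
    ("SYN", "198.51.100.7->192.0.2.10:80", 2.0),  # sources that never retransmit
    ("SYN", "198.51.100.8->192.0.2.10:80", 2.0),
]


def run_trace(trace, limits=LIMITS):
    """Apply the filter to a trace and return one verdict per packet."""
    f = FirstPacketFilter(limits)
    return [f.handle(proto, key, ts) for proto, key, ts in trace]
```

The last two packets show why the page restricts this feature to protocols that retransmit: a legitimate client pays one retransmission, while a source that never retransmits never gets a packet through.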

5.2.7 Configuring Global Defense Policies (ATIC)


This section describes how to configure global defense policies on the ATIC.

5.2.7.1 Configuring Basic Attack Defense


Basic attacks are traditional single-packet Denial of Service (DoS) attacks. The basic attack
defense mainly defends against scanning and sniffing attacks, malformed packet attacks, and
special packet attacks. By default, basic attack defense is disabled. You can determine whether
to enable attack defense functions according to actual services on the network.

Context
This configuration is available only on anti-DDoS devices.

Procedure
Step 1 Choose Defense > Policy Settings > Global Policy.
Step 2 Click the icon in the Operation column.

Step 3 In the Basic Attack Defense group box, select the check box of an attack type and enable the
attack defense function. For parameters, see Table 6-21.
If Large ICMP Packet or Large UDP Packet is selected, the packet length needs to be
specified. The AntiDDoS discards the ICMP or UDP packet whose length exceeds the value.
Table 5-21 Configuring basic attack defense

Fraggle: After the Fraggle attack defense is enabled, the AntiDDoS detects received UDP packets. If the destination port number of packets is 7 or 19, the AntiDDoS discards the packets and logs the attack.

ICMP Redirection Packet: After the ICMP redirection packet attack defense is enabled, the AntiDDoS discards ICMP redirection packets and logs the attack.

ICMP Unreachable Packet: After the ICMP unreachable packet attack defense is enabled, the AntiDDoS discards ICMP unreachable packets and logs the attack.

WinNuke: After the WinNuke attack defense is enabled, the AntiDDoS discards packets whose destination port is 139, URG flag is set to 1, and URG pointer is not null, and logs the attack. In addition, when ICMP fragments are received, the device considers that a WinNuke attack occurs and hence discards the fragments, and then logs the attack.

Land: After the Land attack (loopback attack) defense is enabled, the AntiDDoS checks whether the source and destination addresses of TCP packets are the same, or the source address of TCP packets is a loopback one. If the source and destination addresses are the same, the AntiDDoS discards the packets and logs the attack.

Ping of Death: After the Ping of Death attack defense is enabled, the AntiDDoS checks whether the packet size is larger than 65,535 bytes. If a packet is larger than 65,535 bytes, the AntiDDoS discards the packet and logs the attack.

IP Packet with Route Record Option: After the IP packet with route record option attack defense is enabled, the AntiDDoS checks whether the IP route record option is specified in the received packet. If the IP route record option is specified, the device discards the packet and logs the attack.

Smurf: After the Smurf attack defense is enabled, the AntiDDoS checks whether the destination IP address of ICMP request packets is the broadcast address of a class A, B, or C network. If the destination IP address is such a broadcast address, the device discards the packet and logs the attack.

IP Packet with Source Route Option: After the IP packet with source route option attack defense is enabled, the AntiDDoS checks whether the IP source route option is specified in the received packet. If the IP source route option is specified, the device discards the packet and logs the attack.
NOTE
In the IP routing technology, the transmission path of an IP packet is determined by the routers on the network according to the destination address of the packet. Nevertheless, a method is also provided for the packet sender to determine the packet transmission path, that is, the source route option. This option allows the source site to specify a route to the destination and replace the routes chosen by intermediate routers. The source route option is generally used for fault diagnosis of network paths and temporary transmission of some special services. The IP source route option may be utilized by malicious attackers to probe the network structure because it bypasses the intermediate forwarding decisions of the devices along the packet transmission path, regardless of the working status of forwarding interfaces.

TCP Flag Bit: After the TCP flag bit attack defense is enabled, the AntiDDoS checks the flag bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. In any of the following cases, the device discards the packet and logs the attack.
- All flag bits are set to 1.
- All flag bits are set to 0.
- Both the SYN bit and the FIN bit are set to 1.
- Both the SYN bit and the RST bit are set to 1.
- The FIN bit is set to 1 and the ACK bit to 0.

TearDrop: After the TearDrop attack defense is enabled, the AntiDDoS analyzes received fragments and checks whether the packet offset is correct. If the packet offset is incorrect, the device discards the packet and logs the attack.

Large ICMP Packet: After the large ICMP packet attack defense is enabled, the AntiDDoS discards the ICMP packet whose length exceeds the threshold and logs the attack.

IP Packet with Timestamp Option: After the IP packet with timestamp option attack defense is enabled, the AntiDDoS checks whether the IP timestamp option is specified in the received packet. If the IP timestamp option is specified, the device discards the packet and logs the attack.

Tracert: After the Tracert packet attack defense is enabled, the AntiDDoS discards timeout ICMP or UDP packets and destination port unreachable packets, and logs the attack.

Large UDP Packet: After the large UDP packet attack defense is enabled, the AntiDDoS discards the UDP packet whose length exceeds the threshold and logs the attack.

Step 4 Click Confirm.
Step 5 Click the icon to deliver configurations to the device.
Step 6 In the Deploy dialog box, the deployment progress is displayed. After the deployment is complete,
the dialog box is closed automatically.
- If the deployment succeeds, Deployment of the Zone is displayed as Deploy Succeed.
- If the deployment fails, Deployment of the device is displayed as Deploy Failed. Move the pointer to Deploy Failed to view details on the failure in deploying the basic attack defense on the device.

----End

Follow-up Procedure
Choose Defense > Policy Settings > Global Policy, select the check box of the device and
click the icon to save configurations to the configuration file of the device to avoid data loss.
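The single-packet checks in Table 5-21 are stateless conditions on header fields, which makes them easy to express as a classifier. The Python below is an added example, not AntiDDoS code: the packet records are constructed dictionaries, the large-packet thresholds are assumed values, and the Tracert row is modelled with the standard ICMP type 11 (time exceeded) and type 3 code 3 (port unreachable) messages. TearDrop is left out because it needs fragment reassembly state rather than a single-packet test.

```python
import ipaddress

# Assumed thresholds for "Large ICMP Packet" / "Large UDP Packet" (bytes).
LARGE_ICMP_LENGTH = 1024
LARGE_UDP_LENGTH = 1024

TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
IP_OPTION_CHECKS = {
    "record_route": "IP Packet with Route Record Option",
    "source_route": "IP Packet with Source Route Option",
    "timestamp": "IP Packet with Timestamp Option",
}


def tcp_flag_violation(flags):
    """The five illegal combinations listed in the TCP Flag Bit row."""
    f = set(flags)
    return (
        f == TCP_FLAGS                      # all flag bits set to 1
        or not f                            # all flag bits set to 0
        or {"SYN", "FIN"} <= f              # SYN and FIN both set
        or {"SYN", "RST"} <= f              # SYN and RST both set
        or ("FIN" in f and "ACK" not in f)  # FIN set without ACK
    )


def is_classful_broadcast(addr):
    """True if addr is the directed broadcast address of its class A, B or C network."""
    a = ipaddress.IPv4Address(addr)
    first_octet = int(a) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return False  # class D/E: no classful broadcast address
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return net.broadcast_address == a


def classify(pkt, large_icmp=LARGE_ICMP_LENGTH, large_udp=LARGE_UDP_LENGTH):
    """Return the names of the basic attack checks that a packet record trips."""
    hits = []
    proto = pkt["proto"]
    if pkt["length"] > 65535:  # total (reassembled) IP length
        hits.append("Ping of Death")
    for option, name in IP_OPTION_CHECKS.items():
        if option in pkt.get("ip_options", ()):
            hits.append(name)
    if proto == "UDP":
        if pkt["dport"] in (7, 19):
            hits.append("Fraggle")
        if pkt["length"] > large_udp:
            hits.append("Large UDP Packet")
    elif proto == "TCP":
        if pkt["src"] == pkt["dst"]:
            hits.append("Land")
        flags = set(pkt.get("flags", ()))
        if pkt["dport"] == 139 and "URG" in flags and pkt.get("urg_pointer", 0) != 0:
            hits.append("WinNuke")
        if tcp_flag_violation(flags):
            hits.append("TCP Flag Bit")
    elif proto == "ICMP":
        icmp_type, icmp_code = pkt.get("icmp_type"), pkt.get("icmp_code", 0)
        if icmp_type == 8 and is_classful_broadcast(pkt["dst"]):
            hits.append("Smurf")
        if pkt["length"] > large_icmp:
            hits.append("Large ICMP Packet")
        if icmp_type == 11 or (icmp_type == 3 and icmp_code == 3):
            hits.append("Tracert")  # time exceeded, or port unreachable
    return hits


# Constructed packet records, one per check, plus a benign SYN.
SAMPLE_PACKETS = {
    "fraggle": {"proto": "UDP", "src": "198.51.100.1", "dst": "192.0.2.10", "dport": 19, "length": 100},
    "land": {"proto": "TCP", "src": "192.0.2.10", "dst": "192.0.2.10", "dport": 80, "flags": ("SYN",), "length": 60},
    "winnuke": {"proto": "TCP", "src": "198.51.100.1", "dst": "192.0.2.10", "dport": 139,
                "flags": ("URG", "ACK", "PSH"), "urg_pointer": 3, "length": 60},
    "xmas": {"proto": "TCP", "src": "198.51.100.1", "dst": "192.0.2.10", "dport": 80, "flags": tuple(TCP_FLAGS), "length": 60},
    "null": {"proto": "TCP", "src": "198.51.100.1", "dst": "192.0.2.10", "dport": 80, "flags": (), "length": 60},
    "smurf": {"proto": "ICMP", "src": "192.0.2.10", "dst": "192.0.2.255", "icmp_type": 8, "length": 64},
    "ping-of-death": {"proto": "ICMP", "src": "198.51.100.1", "dst": "192.0.2.10", "icmp_type": 8, "length": 70000},
    "source-route": {"proto": "TCP", "src": "198.51.100.1", "dst": "192.0.2.10", "dport": 80,
                     "flags": ("SYN",), "ip_options": ("source_route",), "length": 60},
    "tracert": {"proto": "ICMP", "src": "198.51.100.1", "dst": "192.0.2.10", "icmp_type": 11, "length": 56},
    "benign-syn": {"proto": "TCP", "src": "198.51.100.1", "dst": "192.0.2.10", "dport": 443, "flags": ("SYN",), "length": 60},
}


def scan(packets):
    """Return {record_name: [check names]} for the records that trip at least one check."""
    return {name: hits for name, hits in ((n, classify(p)) for n, p in packets.items()) if hits}
```

A packet can trip more than one check at once (the oversized ping is both Ping of Death and Large ICMP Packet), which is why the function returns a list rather than a single verdict.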

5.2.7.2 Blacklist and Whitelist


This section describes how to configure the blacklist and whitelist functions in the ATIC
management center.

Procedure
Step 1 Choose Defense > Policy Settings > Global Policy.
Step 2 Click the icon in the Operation column.
Step 3 On the Blacklist or Whitelist tab, click the icon, enter an IP address to configure a global
blacklist or whitelist.
Step 4 Click Confirm. The configured blacklist or whitelist entry is displayed in the group box.
Step 5 Click Close.
Step 6 Click the icon to deploy the configuration to the AntiDDoS.

----End

5.2.8 Creating User-defined IP Locations


If the IP location division granularities in the IP location database file cannot meet
requirements, you can create user-defined IP locations.

Procedure
Step 1 Choose Defense > Public Settings > IP Location User-Defined.
Step 2 Click the icon.
Step 3 Configure user-defined IP locations. The following table describes the configuration parameters.

Table 5-22 Configuring user-defined IP locations

Name: User-defined IP location name, which cannot be the same as that of any location in the IP location database file.
Description: Description of a user-defined IP location, which helps the administrator to identify the location.
IP Address: IP addresses in a user-defined IP location.

Step 4 Click OK.

----End

5.2.9 Library Files


This section describes how to load and update the botnet, Trojan horse, and worm library file,
malicious URL library file, IP reputation library file, and IP location library file.

Configuring the FTP Server

Before managing library files, configure FTP.
1. Choose Defense > Network Settings > Devices.
2. Click the icon in the Operation column on the right of a device to access the Modify Management Protocol window.
3. Click the FTP tab to complete the SFTP configuration.
The SFTP user name and password must be pre-set on the device and the same as those configured on the ATIC management center.
SFTP is more secure than FTP. To secure data transmission, use SFTP to transfer files.

Management Operations
Choose Defense > Public Settings > Library File. Manage IP address descriptions.

Deploy: Click the icon to deploy the selected library file to the device.

Import:
1. Click the icon.
2. In the Import window, click Browse..., select the library file, and click OK.
The botnet, Trojan horse, and worm library file name must be in the IPS_H*.zip format. The IP location library file name must be in the location_sdb*.zip format. The IP reputation library file name must be in the IPRPU_H*.zip format. And the malicious URL library file must be in the CNC_H*.zip format.
Imported library files are displayed in the library file list.

Export:
1. Select a library file and click the icon.
2. In the displayed File Download window, click Save to save the file locally or click Open to view the file.

Delete:
Delete one IP address description: Click the icon in the Operation column on the right of an IP address description to delete the description.
Delete IP address descriptions in batches: Select the check boxes of multiple IP address descriptions and click the icon above the list to delete the selected IP address descriptions. Select the check box on the title bar and click the icon above the list to delete all IP address descriptions.
NOTE
Only Undeployed library files can be directly deleted. If a library file has been successfully or partially deployed, it cannot be deleted. To delete a deployed library file, load another library file of the same type. The newly loaded library file overwrites the deployed one and is in Undeployed state. Then, you can delete this file.

Synchronize: Click the icon to download the latest library file from the secure cloud center to the ATIC management center. Ensure that the secure cloud center and ATIC management center are reachable.
NOTE
The ATIC management center supports automatic database file synchronization and automatically updates the database file at 4 a.m. every day. After the update is complete, both the new and old database files exist in the database file list. The ATIC supports a maximum of 40 database files. If there are more than 40 database files, the synchronization fails. You need to manually delete old database files.

5.2.10 Configuring Policy Templates


A policy template defines the defense policies of various types for a device model to
facilitate policy configurations.
Choose Defense > Policy Settings > Policy Template.
The ATIC Management center provides four common policy templates: Web defense templates
(WEB Server), DNS cache defense templates (DNS Caching Server), DNS authorization defense
templates (DNS Authoritative Server), and basic defense templates (General Server). You can
use any of them as required.

- Templates for Web defense protect the Web server. You are advised to use templates of
this type if HTTP or HTTPS servers are deployed on the live network.

- Templates for DNS cache defense protect the DNS cache server. You are advised to use
templates of this type if DNS cache servers are deployed on the live network.

- Templates for DNS authorization defense protect the DNS authorization server. You are
advised to use templates of this type if DNS authorization servers are deployed on the
live network.

- Templates for basic defense protect TCP, UDP, and ICMP services on the network. You
are advised to use templates of this type if no DNS or Web server is deployed on the live
network.

Managing Policy Templates

Create: Click the icon to create a policy template manually. For details, see Creating a Policy Template.
NOTE
You can save policy configurations as a template.

Modify: Click the icon in the Operation column and then the Basic Information page in the Modify Policy Template dialog box to change the template name and modify remarks. Click the tab of each defense policy to modify the defense policy. For parameters, see 6.2.6 Configuring the Zone-based Defense Policy.

Associate a Zone: Click the icon to associate the policy template with the Zone. For details, see Associating a Zone.

Delete: Select the check box of a policy template and click the icon.

Query template: Enter part of a template name or the template name in Template name and click the icon.

Creating a Policy Template

1. Choose Defense > Policy Settings > Policy Template.
2. Click the icon.
3. On the Basic Information tab page, configure basic information of the policy template.
Device Type and Protocol define the device model and protocol to which this template can be applied.
If a protocol type is specified, the created policy template applies to service policies; if not, the created policy template applies to Zone-based policies.
4. Click the tab of each defense policy and configure the defense policy. For parameters, see 6.2.6 Configuring the Zone-based Defense Policy.
5. Click OK.

Associating a Zone
Two methods are available for configuring the policy for the Zone with the policy template:
- Import the policy template during the policy configuration.
- Associate the policy template with the Zone.

To associate the policy template with the Zone:
1. Choose Defense > Policy Settings > Policy Template.
2. Click the icon of the policy template.
3. On the Associated Zone page, click the icon.
4. On the Select Zone page, select the Zone to be associated and click OK.
5. On the Associated Zone page, click OK.

5.2.11 Cloud Cleaning


Cloud cleaning ensures the availability of the entire network by connecting to the cloud
cleaning service provider for upstream traffic cleaning based on alarm policy settings in case
of network faults caused by massive attack traffic.
Before you configure cloud cleaning, ensure that you have contracted the service from the
cloud cleaning service provider.

Configuring Cloud Cleaning Policies

1. Choose Defense > Policy Settings > Cloud Clean.
2. Click the icon and specify a cloud cleaning service provider in Configure.

Operation: Cloud Clean Configure

Service Provider: Two cloud cleaning service providers are available: CTCC and HW.

Cleaning mode:
- Auto: When traffic exceeds the threshold, a cloud cleaning policy is automatically generated and implemented.
- Manual: When traffic exceeds the threshold, a cloud cleaning policy is generated but not automatically implemented. You need to manually implement the cloud cleaning policy.

IP abnormal state: Top N traffic statistics are collected based on the status of IP addresses.
- Exception/Attack: Top N traffic statistics are collected based on abnormal/attack IP addresses.
- All: Top N traffic statistics are collected based on all IP addresses.

Single IP traffic threshold: Top N traffic statistics are collected if the incoming traffic to the destination IP address reaches the threshold.

IP inflow TOPN: Set the top N value.

Operation: Single device flow threshold set

Device Threshold: The cloud cleaning service is triggered when the incoming traffic reaches the configured threshold.

Operation: Parameter settings

Defense action:
- Supported only by HW: Clean, Block.
- Supported only by CTCC: Plugging the whole network, Plug the other operators, Plugging foreign operators, Plug other operators (only telecom network access).

Default plugging policy: Once an attack occurs, the corresponding cloud cleaning policy is implemented.

Automatic releasing time: Set the aging time of the cloud cleaning service.

URL: Set the cloud service address provided by the ISP.

Access key: CTCC: Set the public key that the cloud service provider provides for users. HW: Set the user name that the cloud service provider provides for users.

Access private key: Set the cloud service password.

3. Click OK.
4. After the configuration is complete, if the incoming traffic exceeds the threshold, the cloud cleaning policy is automatically triggered.
You can also manually implement the cloud cleaning policy by selecting the check box of the cloud cleaning policy in Cloud Clean Policy List and clicking the icon above the list.

Adding Static Cloud Cleaning Policies

1. Click the icon in Cloud Clean Policy List to manually add static cloud cleaning policies.

Service provider: You need to select a cloud service provider in Configure when manually adding cloud cleaning policies.

IP/Mask: Set the destination IP address and subnet mask to which the cloud cleaning policy is applied.

Defense Action:
- Supported only by HW: Clean, Block.
- Supported only by CTCC: Plugging the whole network, Plug the other operators, Plugging foreign operators, Plug other operators (only telecom network access).

Range of Defense:
- If Defense Action is set to Clean, you can enter an IP address segment with a 24-bit mask.
- If Defense Action is set to Block, you must enter a single IP address with a 32-bit mask.

Automatic unlock time: Set the aging time of the cloud cleaning service.

Manually added cloud cleaning policies cannot be automatically cleared. You need to manually delete them from the Cloud Clean Policy List.

2. Click OK.

5.2.12 Deploying the Defense Policy


The deployment operation enables configuration data on the ATIC Management center to be
delivered to devices. Defense policies configured for the Zone take effect only after deployed
on devices.

Prerequisites
The basic policies of the Zone have been configured. For details, see 6.2.1 Configuring a
Defense Mode.

Context
The SIG does not support policy deployment. By synchronizing data from the ATIC
Management center periodically, the SIG automatically obtains the configuration data.
ATIC Management center supports incremental deployment. If Deployment State of a Zone
is in Undeployed or Part Deployed state, a defense policy in the system is not delivered to
devices. You need to deliver the defense policy.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Select the check box of the Zone and click

Step 3 In the Information dialog box, click OK to display the deployment progress. After the deployment is complete, the dialog box is closed automatically.
If the deployment succeeds, Deployment State of the Zone is displayed as Deploy Succeed.
If the deployment fails, Deployment State of the Zone is displayed as Deploy Failed. Click Deploy Failed to view details about deployment failures on devices associated with the Zone.

----End

5.2.13 Saving Configurations


After a policy is configured, you can save configurations through the CLI or ATIC
Management center.

Saving Configurations Through the CLI


Step 1 Run the save [ cfg-filename ] command in the user view to save current configurations.
If cfg-filename is not specified, the current configuration file directly overwrites the default
startup one.
----End

Saving Configurations Through the ATIC Management center


Step 1 Choose Defense > Policy Settings > Global Policy.
Step 2 Select the check box of the AntiDDoS and click

Step 3 In the OK dialog box, click OK. The saving progress is displayed. After the saving is
complete, the dialog box is automatically closed.
----End

6 Configuring Traffic Diversion


About This Chapter


7.1 Configuring Mirroring
When the detecting device is in off-line mode, to detect traffic, you need to configure optical
splitting or mirroring to copy traffic to the detecting device.
7.2 Configuring Traffic Diversion
When the cleaning device is in off-line mode, you can configure traffic diversion to divert the
traffic destined for the given IP address to the cleaning device for defense or traffic analysis.
7.3 Configuring Traffic Injection
When the cleaning device is in off-line mode, you can configure traffic injection to inject
cleaned traffic to the original link and then to the Zone.
7.4 Configuring the Loop Check Function
After policies for traffic diversion and injection are configured and before traffic is diverted,
enable the loop check function on the cleaning device to check the route for traffic diversion
and injection.
7.5 Configuring Blackhole Traffic Diversion
This section describes how to configure blackhole traffic diversion to defend against flood
attacks.

6.1 Configuring Mirroring


When the detecting device is in off-line mode, to detect traffic, you need to configure optical splitting or mirroring to copy traffic to the detecting device.
In optical splitting mode, you only need to deploy an optical splitter.

In mirroring mode, packets received or sent by a port (the mirroring port) are copied to a specified port (the observing port) and then sent to the detecting device. By analyzing the packets captured by the detecting device, you can learn what data is transmitted over the mirroring port.

As shown in Figure 7-1, the detecting device is directly connected to GE1/0/1 on Router1,
which uses interfaces as mirroring and observing ports. Inbound traffic of GE1/0/0 is copied
to GE1/0/1 through the port mirroring, and then is issued to the detecting device for analysis.
Mirroring and traffic-diversion routers can be the same router or different ones.
Figure 6-1 Mirroring

This mode applies to enterprise networks because of its low cost and because no extra device or component is needed; however, it requires CLI configurations on the router.
To enable traffic copying in mirroring mode, you only need to configure the port mirroring commands on the router. The following uses Huawei NE80E as an example for describing how to configure port mirroring on the router.
Step 1 Configure the local observing port.
1. Run the system-view command to access the system view.
2. Run the interface interface-type interface-number command to access the interface view.
   This interface serves as the local observing port. Such interfaces involve the GE interface and its subinterfaces, the Eth-Trunk interface and its subinterfaces, the POS interface, and the IP-Trunk interface, for example, Router1 GE1/0/1 shown in Figure 7-1.
3. Run the port-observing observe-index observe-index command to configure a local observing port.
   When a physical port serves as the observing port, the index number of the observing port must be identical with the slot number of the LPU where the interface resides. When a logical interface serves as the observing port, the index number cannot be used by another observing port.
4. Run the quit command to return to the system view.
Step 2 Configure the observing port for the mirroring of the entire LPU.
1. Run the slot slot-id command to access the slot view.
2. Run the mirror to observe-index observe-index command to configure the observing port for the mirroring of the LPU.
   After the command is configured, the observing port with this index serves as the observing port for the mirroring of the entire LPU. When mirroring is enabled on an interface of the LPU, packets are mirrored to this observing port. Such an observing port can be configured on either the local LPU or another LPU.
3. Run the quit command to return to the system view.
Step 3 Configure port mirroring.
1. Run the interface interface-type interface-number command to access the interface view.
   This interface serves as the local mirroring port. Such interfaces involve the GE interface and its subinterfaces, the POS interface, FR interface, serial interface, and MP-Group interface, for example, Router1 GE1/0/0 shown in Figure 7-1.
2. Run the port-mirroring inbound [ cpu-packet ] command to mirror the inbound traffic of the local mirroring port.
----End

6.2 Configuring Traffic Diversion


When the cleaning device is in off-line mode, you can configure traffic diversion to divert the
traffic destined for the given IP address to the cleaning device for defense or traffic analysis.

6.2.1 Configuring Policy-based Route Diversion


A policy-based route is configured on the router to divert the traffic meeting conditions to the
cleaning device. The policy-based route needs to be configured only on the traffic-diversion
router, not on the cleaning device.

Implementation Mechanism
A policy-based route is generally applicable to static traffic diversion. As shown in Figure 7-2, a traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 (the cleaning interface) on the cleaning device. Apply a policy-based route to inbound interface GE1/0/0 on Router1. The packets meeting the match conditions are then forwarded to the cleaning device through GE1/0/1 instead of according to the routing table, so traffic destined for the Zone is forcibly diverted.

Figure 6-2 Policy-based route diversion

Configuring the Cleaning Device


In policy-based route diversion, no configuration is required on the cleaning device; you need to configure a policy-based route only for GE1/0/0 on Router1.

Configuring the Router


The following uses Huawei NE80E as an example for describing how to configure Router1 for traffic diversion through the policy-based route.
As shown in Figure 7-2, configure a policy-based route for inbound traffic on GE1/0/0 on Router1.
1. Run the system-view command to access the system view.
2. Configure the ACL to define the data flow matching the policy-based route.
3. Run the following commands to define a traffic classifier.
   a. Run the traffic classifier classifier-name command in the system view to define a traffic classifier and access the traffic classifier view.
      classifier-name specifies the name of a traffic classifier. It is a case-sensitive string of 1 to 31 characters.
   b. Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to define an ACL rule.
      acl-number specifies the number of the ACL. The value is an integer.
      For IPv4 packets, the value ranges from 2000 to 4099. A value ranging from 2000 to 3999 indicates a basic or an advanced ACL. A value ranging from 4000 to 4099 indicates an ACL based on the Layer-2 Ethernet frame header.
      For IPv6 packets, the value ranges from 2000 to 3999. A value ranging from 2000 to 2999 indicates a basic ACL. A value ranging from 3000 to 3999 indicates an advanced ACL.
      acl-name specifies the name of a named ACL. The value is a string of 1 to 32 case-sensitive characters and cannot contain a space. It must start with a letter from a to z or A to Z, and can be a combination of letters, digits, hyphens (-), or underscores (_).
4. Run the following commands to define a traffic behavior and set an action accordingly.
   a. Run the traffic behavior behavior-name command in the system view to define a traffic behavior and access the traffic behavior view.
      behavior-name specifies the name of a traffic behavior. The value is a string of 1 to 31 characters.
   b. Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ] command to redirect to the next hop.
      ip-address specifies the IP address of the redirected next hop.
      interface-type interface-number specifies the type and number of the outbound interface. The number is in the slot number/card number/port number format.
5. Run the following commands to define a traffic policy and specify a behavior for the classifier in the policy.
   a. Run the traffic policy policy-name command in the system view to define a traffic policy and access the policy view.
      policy-name specifies the name of a traffic policy. The value is a string of 1 to 31 characters.
   b. Run the classifier classifier-name behavior behavior-name [ precedence precedence ] command to specify a behavior for the traffic classifier in the policy.
      classifier-name specifies the name of a traffic classifier. It must be already defined.
      behavior-name specifies the name of a traffic behavior. It must be already defined.
      precedence indicates the priority of the associated traffic classifier and behavior. The value is an integer ranging from 1 to 255. The smaller the precedence value, the higher the priority; the associated traffic classifier and behavior are processed first. If precedence is not specified, the system searches for associations in configuration sequence.
6. Run the following commands to apply the policy-based route to the interface.
   a. Run the interface interface-type interface-number command in the system view to access the interface view.
   b. Run the traffic policy policy-name inbound command to apply the policy-based route.
      inbound applies the traffic policy to the inbound direction.

6.2.2 Configuring BGP Traffic Diversion (CLI)


This section describes how to configure BGP traffic diversion.

Implementation Mechanism
As shown in Figure 7-3, a traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device, where GE2/0/1 serves as the cleaning interface and GE2/0/2 as the traffic-injection interface. After a traffic-diversion task is configured, a 32-bit static host route (UNR route) is generated on the cleaning device. Configure BGP on both the cleaning device and Router1 so that the UNR route is imported into BGP; BGP then advertises the UNR route to Router1.
Figure 6-3 BGP traffic diversion

The following uses automatic traffic diversion and Zone 1.1.1.1/32 as an example for illustrating the implementation mechanism of BGP traffic diversion:
1. When the traffic destined for Zone 1.1.1.1/32 becomes abnormal, the ATIC Management center automatically delivers a traffic-diversion task to the cleaning device. Subsequently, a 32-bit static host route is generated on the cleaning device. The destination IP address of the UNR route is 1.1.1.1/32 and the next hop is GE1/0/2 on Router1, which is directly connected to the traffic-injection interface on the cleaning device.
2. A BGP peer is established between GE2/0/1 on the cleaning device and GE1/0/1 on Router1. The cleaning device advertises the generated UNR route to Router1 through BGP.
3. After the UNR route reaches Router1, the destination IP address is still 1.1.1.1/32 but the outbound interface points to GE2/0/1 on the cleaning device.
4. After receiving packets destined for 1.1.1.1/32, Router1 searches the routing table and, according to the longest mask match, sends the packets through its GE1/0/1 to the GE2/0/1 interface on the cleaning device, implementing traffic diversion.

In the previous mechanism, the 32-bit static host route on the cleaning device takes effect only if configured through the CLI and ATIC Management center. Perform the following:
1. Run the firewall ddos bgp-next-hop { ip-address | ipv6 ipv6-address } command on the cleaning device to configure the next-hop address for generating a route, that is, the IP address of GE1/0/2 on Router1 directly connected to the traffic-injection interface on the cleaning device.
2. On the ATIC Management center GUI, select a traffic-diversion mode for the Zone to dynamically generate a traffic-diversion task. For details, see 6.2.1 Configuring a Defense Mode. Alternatively, create a static traffic-diversion task. For details, see 7.2.3 Configuring BGP Traffic Diversion (ATIC).
   After the generated traffic-diversion task is delivered to the cleaning device, the system displays the corresponding command, that is, firewall ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip ip-address [ mask | mask-length ] [ ip-link name ] or firewall ddos traffic-diversion [ vpn6-instance vpn6-instance-name ] ipv6 ipv6-address [ mask-length ].

After the previous two steps are complete, a UNR route is generated on the cleaning device. For example, the automatic traffic-diversion mode is configured for Zone 1.1.1.1/32 in the ATIC Management center and the firewall ddos bgp-next-hop 2.2.2.2 command is configured on the cleaning device. When the detecting device detects an anomaly on 1.1.1.1/32, a UNR route with destination IP address 1.1.1.1/32 and next hop 2.2.2.2 is generated on the cleaning device.
The generated UNR route also provides the traffic injection function: with this UNR route, the cleaned traffic is injected to GE1/0/2 on Router1. To avoid a loop, that is, the cleaned traffic being sent back to the cleaning device through Router1, configure a policy-based route on GE1/0/2. With the policy-based route, the traffic is sent to downstream Router2 and then to the Zone.
In certain scenarios, such as multiple traffic-diversion links, you need to filter the UNR route generated by the cleaning device to prevent the route from being delivered to the FIB and interfering with injected traffic. Meanwhile, configure another traffic-injection policy to inject the traffic to the original link.
Run the following command on the cleaning device to filter the UNR route:
[sysname] firewall ddos bgp-next-hop fib-filter [ ipv6 ]

Determine whether to configure this command according to the actual deployment:
When static traffic injection is adopted, and the cleaning device forwards traffic to the access router based on the generated UNR route, do not configure the command.
When static route traffic injection is adopted, to prevent the generated UNR route from affecting static route forwarding, configure the command.
When GRE traffic injection is adopted, to prevent the generated UNR route from affecting GRE forwarding, configure the command.
When MPLS LSP traffic injection is adopted, to prevent the generated UNR route from affecting MPLS forwarding, configure the command.
When MPLS VPN traffic injection is adopted, to prevent the generated UNR route from affecting MPLS forwarding, configure the command.
When multiple traffic-injection links exist and the cleaning device learns the route to the Zone through routing protocols such as OSPF, to prevent the generated UNR route from affecting OSPF forwarding, configure the command.
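The mechanism above, modelled in Python as an added example: the /32 UNR route wins the longest mask match on Router1 and diverts only the attacked host, the same route steers injected traffic on the cleaning device unless fib-filter keeps it out of the FIB, and a policy-based route on GE1/0/2 (consulted before the routing table, as in 6.2.1) prevents the injection loop. This is illustration code written for this guide, not Huawei or ATIC code; the Fib and Route classes, the interface labels and the "injection link (static/GRE)" placeholder are constructed for the example.

```python
"""Model of BGP traffic diversion, traffic injection and the fib-filter option.

Added example written for this guide; it is not Huawei code and only models
the mechanism described in the text. Route/Fib, the interface labels and the
"injection link (static/GRE)" label are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # label of the next hop / outbound interface (constructed)
    source: str        # "static", "bgp" or "unr" (constructed labels)


class Fib:
    """Tiny forwarding table doing longest-prefix (longest mask) matching."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source="static"):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, source))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.next_hop if best else None


def router1_forward(fib, dst, in_iface, pbr=None):
    """A policy-based route on the inbound interface is consulted before the
    routing table (section 6.2.1); otherwise the FIB decides."""
    if pbr and in_iface in pbr:
        return pbr[in_iface]
    return fib.lookup(dst)


def simulate_diversion(victim="1.1.1.1", zone="1.1.1.0/24",
                       bgp_next_hop="2.2.2.2", fib_filter=False):
    """Return where Router1 and the cleaning device forward traffic before and
    after the UNR route for `victim` is generated, as in the 1.1.1.1/32 example."""
    downstream = "GE1/0/2 -> Router2"
    to_cleaner = "GE1/0/1 -> cleaning device GE2/0/1"
    injection_link = "injection link (static/GRE)"   # constructed label

    # Before the attack Router1 reaches the whole Zone via downstream Router2,
    # and the cleaning device only has its ordinary (non-UNR) injection route.
    router1, cleaner = Fib(), Fib()
    router1.add(zone, downstream)
    cleaner.add(zone, injection_link)
    before = router1.lookup(victim)

    # ATIC delivers the diversion task: the cleaning device generates the /32
    # UNR route with next hop = firewall ddos bgp-next-hop. With fib-filter the
    # route is still imported into BGP but is kept out of the local FIB.
    unr = f"{victim}/32"
    if not fib_filter:
        cleaner.add(unr, f"{bgp_next_hop} (Router1 GE1/0/2)", source="unr")
    router1.add(unr, to_cleaner, source="bgp")   # learned from the cleaning device

    return {
        "router1_before": before,
        "router1_victim": router1.lookup(victim),          # /32 wins over /24
        "router1_other_host": router1.lookup("1.1.1.5"),  # rest of the Zone unaffected
        "cleaner_injects_via": cleaner.lookup(victim),
        # Injected traffic re-enters Router1 on GE1/0/2: without a PBR the /32
        # sends it straight back to the cleaning device (a loop); with the PBR
        # described in the text it goes on to Router2.
        "injected_without_pbr": router1_forward(router1, victim, "GE1/0/2"),
        "injected_with_pbr": router1_forward(router1, victim, "GE1/0/2",
                                             pbr={"GE1/0/2": "Router2"}),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"fib-filter={flag}:", simulate_diversion(fib_filter=flag))
```

Running the block with fib-filter off shows the cleaning device injecting via the bgp-next-hop address, while with fib-filter on the same host is still diverted on Router1 but injected over the deployment's other injection route; the two "injected_*" entries show why the policy-based route on GE1/0/2 is required.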

Configuring the Cleaning Device


Perform the following on the cleaning device to implement BGP traffic diversion:

1. Run the system-view command in the user view to access the system view.
2. Run the firewall ddos bgp-next-hop { ip-address | ipv6 ipv6-address } command to configure the next-hop address for dynamically generating a route.
   ip-address specifies the next-hop address of the traffic-injection interface on the cleaning device, that is, the IP address of the router interface directly connected to the traffic-injection interface on the cleaning device, not that of the interface on the cleaning device.
   The cleaning device can be configured with only one next-hop address. If this command is configured multiple times, the new IP address overwrites the existing one.
3. (Optional) Run the firewall ddos bgp-next-hop fib-filter [ ipv6 ] command to perform FIB filtering over the generated UNR route.
   After this command is configured, the dynamically generated UNR route is not delivered to the FIB.
4. (Optional) Run the following commands to configure the BGP community attribute.
   Configure the BGP community attribute according to the networking. In normal cases, to avoid loops, you are advised to configure the filtering policy.
   a. Run the route-policy route-policy-name { permit | deny } node node command in the system view to create a routing policy and access the policy view.
   b. Run the apply community no-advertise command so that matched routes are not advertised to any peer.
   c. Run the quit command to return to the system view.
   d. Run the bgp { as-number-plain | as-number-dot } command to enable BGP (by specifying the local AS number) and access the BGP view.
      as-number specifies an AS number. The value ranges from 1 to 65,535.
   e. Run the ipv4-family unicast command to access the IPv4 unicast address family view.
   f. Run the peer { ipv4-address | group-name } advertise-community command to advertise the standard community attribute to the peer or peer group.
   g. Run the peer { ipv4-address | group-name } route-policy route-policy-name export command to apply the routing policy in the outbound direction.
5. Run the following commands to configure BGP to advertise the dynamically generated route.
   a. Run the bgp { as-number-plain | as-number-dot } command to access the BGP view.
   b. (Optional) Run the ipv4-family vpn-instance vpn-instance-name command to access the BGP-VPN instance view.
      When the MPLS VPN traffic-injection mode is adopted and the cleaning device serves as a PE, you need to bind a VPN instance to the traffic-diversion interface. In BGP traffic-diversion mode, configure the BGP peer in the BGP-VPN instance view.
   c. Run the peer ipv4-address as-number as-number command to set an IP address for the BGP peer and the number of the AS to which the BGP peer belongs.
      The specified as-number must be the same as the local AS number.
      ipv4-address specifies the IP address of the interface directly connected to the BGP peer, that is, that of GE1/0/1 on Router1.
   d. Run the import-route unr [ med med | route-policy route-policy-name ] * command to configure BGP to import the UNR route.
      After this command is configured, the system imports the generated UNR route into BGP and advertises the route to the router through BGP, implementing traffic diversion.

Task Example
As shown in Figure 7-4, the detecting device and cleaning device are deployed on the network in off-line mode to detect and clean the traffic destined for the Zone. BGP traffic diversion is configured on the cleaning device. When identifying anomalies, the detecting device reports exception logs to the ATIC Management center, which then automatically delivers a traffic-diversion policy to the cleaning device to divert all traffic to the cleaning device. The cleaning device then cleans the diverted traffic and injects the normal traffic to the original link.
Figure 6-4 Example for configuring BGP traffic diversion

Assume that a Zone is at 2.2.2.0/24. When the traffic destined for 2.2.2.2/32 is abnormal,
perform the following to automatically divert such traffic to the cleaning device for cleaning:
1. On the cleaning device, configure the next-hop address for dynamically generating a route.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 7.7.2.2
   7.7.2.2 is the IP address of GE1/0/2 on the router directly connected to the traffic-injection interface on the cleaning device.
2. In the ATIC Management center, choose Defense > Policy Settings > Zone and set the IP address of the Zone to 2.2.2.0/24.
3. In the ATIC Management center, choose Defense > Policy Settings > Zone and set the traffic-diversion mode for the Zone to Automatic.
4. When the traffic destined for Zone 2.2.2.2/32 becomes abnormal, the ATIC Management center automatically delivers a traffic-diversion task to the cleaning device. The cleaning device then generates a UNR route to 2.2.2.2 with next hop 7.7.2.2 and delivers the route to the FIB. Cleaned traffic is forwarded to GE1/0/2 on Router1 after matching the entry.
   When you employ the MPLS or GRE traffic-injection mode, run the firewall ddos bgp-next-hop fib-filter command to prevent the generated UNR route from being delivered to the FIB, ensuring in-service MPLS or GRE forwarding.
5. Configure the BGP community attribute and advertise the dynamically generated route.
[sysname] route-policy 1 permit node 1
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 7.7.1.2 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 7.7.1.2 route-policy 1 export
[sysname-bgp-af-ipv4] peer 7.7.1.2 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After the previous configurations are complete, the system imports the generated UNR route into BGP and advertises the route to Router1 through BGP, implementing traffic diversion.

Configuring the Router


The following uses Huawei NE80E as an example for describing the BGP-related configurations of the router. Perform the following on Router1 to implement BGP traffic diversion together with the cleaning device.
1. Run the system-view command to access the system view.
2. Run the bgp as-number command to access the BGP view.
3. Run the peer ipv4-address as-number as-number command to set an IP address for the BGP peer and the number of the AS to which the BGP peer belongs.
   The specified as-number can be that of an EBGP or IBGP peer.
   ipv4-address specifies the IP address of the interface directly connected to the BGP peer, that is, that of GE2/0/1 on the cleaning device.

6.2.3 Configuring BGP Traffic Diversion (ATIC)


Traffic diversion tasks can be divided into static traffic diversion tasks, manual traffic
diversion tasks, and automatic traffic diversion tasks. The static traffic diversion task needs to
be created by the administrator, and the manual and automatic traffic diversion tasks are
dynamically generated by the system.

Traffic Diversion Tasks Overview


The categories of traffic diversion tasks are as follows:

Static traffic diversion task
No matter whether the detecting device detects any anomalies or not, the ATIC Management center generates a static traffic diversion task for the IP address/IP address segment of the Zone and delivers the task to the cleaning device.

The static traffic diversion task needs to be created by the administrator. For details, see Creating a Static Traffic Diversion Task.

Manual traffic diversion task
When the detecting device detects an anomaly, the ATIC Management center generates a manual traffic diversion task. The task is not delivered to the cleaning device until it is manually enabled by the administrator. After the anomaly or attack ends, the system cancels traffic diversion automatically.
A manual traffic diversion task is dynamically generated by the system and is one kind of dynamic traffic diversion task. If Traffic Diversion Mode is set to Manual during the defense policy configuration, the system dynamically generates manual traffic diversion tasks. For details on how to configure the traffic diversion mode, see 6.2.1 Configuring a Defense Mode.

Automatic traffic diversion task
When the detecting device detects an anomaly, the ATIC Management center generates an automatic traffic diversion task and directly delivers the task to the cleaning device. After the anomaly or attack ends, the system cancels traffic diversion automatically. No administrator intervention is required.
An automatic traffic diversion task is dynamically generated by the system and is the other kind of dynamic traffic diversion task. If Traffic Diversion Mode is set to Automatic during the defense policy configuration, the system dynamically generates automatic traffic diversion tasks. For details on how to configure the traffic diversion mode, see 6.2.1 Configuring a Defense Mode.

After the traffic diversion task is delivered to the cleaning device, the firewall ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip ip-address [ mask | mask-length ] command is generated on the cleaning device. This command works with other commands to implement BGP traffic diversion.
After the anomaly or attack ends, the diversion persists for a while before it is automatically canceled to ensure that the anomaly or attack traffic is thoroughly cleaned. For how to set the persistence time for traffic diversion, see 10.2.4 Maintaining Anti-DDoS Data.

Management Operation
Choose Defense > Policy Settings > Traffic Diversion to manage traffic diversion tasks.

Create: Click the corresponding icon to create a static traffic diversion task in the ATIC Management center. For details, see Creating a Static Traffic Diversion Task.

Delete: Select the check box of the traffic diversion task to be deleted and click the corresponding icon to delete the task.

Enable: The traffic diversion task in the enabled state is delivered to the cleaning device. Only the traffic diversion task delivered to the cleaning device takes effect. Select the check box of the traffic diversion task to be enabled and click the corresponding icon.

Disable: The traffic diversion task in the disabled state does not take effect. Select the check box of the traffic diversion task to be disabled and click the corresponding icon.

Search:
Basic Search: In the search area, select Device and Zone as search conditions, and then click the search icon.
Advanced Search:
1. Click Advanced Search.
2. In the advanced search area that is displayed, set search conditions such as Device, Zone, IP Address, Start Time, End Time, Mode, Status, or Detail and then click Search.

You can also choose Defense > Policy Settings > Zone and click the diversion state of the Zone in the Diversion State column to manage the diversion tasks of the Zone on the Traffic Diversion Task List tab page.

Creating a Static Traffic Diversion Task


Step 1 Choose Defense > Policy Settings > Traffic Diversion.
Step 2 On the Traffic Diversion Task List page, click the corresponding icon.
Step 3 In Cleaning Device, select a device to perform traffic cleaning.
Step 4 Click the icon corresponding to Zone. On the Select Zone page, select the option button of the account of a Zone and click OK.
Step 5 Configure the IP address for traffic diversion. After a static traffic diversion task is delivered, all traffic destined for the IP address is diverted to the cleaning device for cleaning.
If the IP address for traffic diversion is in a user-defined Zone but you do not know the actual IP address or IP address segment, select Select IP Address in Input Mode. Then select the IPv4 address or IPv6 address for traffic diversion.
If you need to specify certain IP addresses or IP address segments for traffic diversion in a protected IP address segment, you can split the IP address segment and select the subnet after splitting.
a. Click the icon of the IP address to be split.
b. Enter the mask splitting length on the Splitting Setting page and click Split.
   The mask splitting length of an IP address segment ranges from 1+number of mask bits to 8+number of mask bits. For example, the mask of a protected IP address segment is 255.255.0.0. That is, the number of mask bits is 16. In this case, the mask splitting length ranges from 17 to 24.
c. Select subnet IP addresses after splitting.
d. Click OK.
e. On the Create Traffic Diversion Task page, select subnet IP addresses after splitting.
If the IP address for traffic diversion is in a default Zone or you know the actual IP address or IP address segment in a user-defined Zone, select Enter IP Address in Input Mode. Then enter the actual IP address and subnet mask.
If you need to specify certain IP addresses or IP address segments for traffic diversion in a protected IP address segment, you can split the IP address segment and select the subnet after splitting.
a. Select Split IP Address Segment.
b. Enter the mask splitting length in Mask splitting length and click Split.
   The mask splitting length of an IP address segment ranges from 1+number of mask bits to 8+number of mask bits. For example, the mask of a protected IP address segment is 255.255.0.0. That is, the number of mask bits is 16. In this case, the mask splitting length ranges from 17 to 24.
c. Select subnet IP addresses after splitting.
Step 6 Optional: Select Automatic Enabling. The static traffic diversion task is automatically enabled after it is created.
Step 7 On the Create Traffic Diversion Task page, click OK.
After a traffic diversion task is successfully created, the task is displayed on the Traffic Diversion Task List page.
----End
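The mask splitting rule from Step 5, worked through in Python as an added example (illustration code written for this guide, not ATIC code). It validates the splitting length against the (mask bits + 1) to (mask bits + 8) range, enumerates the subnets after splitting, and picks only those subnets that contain the addresses under attack, which is what narrows a static task to part of a protected segment instead of diverting all of it. Clamping the upper bound to the address length for very small segments is an assumption of the example; the guide states only the +1 to +8 rule, and ipaddress makes the same functions accept IPv6 segments.

```python
"""Mask splitting for a static traffic diversion task.

Added example written for this guide, not ATIC code. Implements the rule from
Step 5: the mask splitting length must lie between (mask bits + 1) and
(mask bits + 8). Clamping the upper bound to the address length is an
assumption for very small segments, not something the guide states.
"""
import ipaddress


def allowed_split_range(segment):
    """Return (min, max) mask splitting length for a protected segment,
    e.g. mask 255.255.0.0 (16 bits) -> (17, 24)."""
    net = ipaddress.ip_network(segment, strict=False)
    return net.prefixlen + 1, min(net.prefixlen + 8, net.max_prefixlen)


def is_valid_split(segment, split_len):
    """True if split_len is an allowed mask splitting length for the segment."""
    lo, hi = allowed_split_range(segment)
    return lo <= split_len <= hi


def split_segment(segment, split_len):
    """Split a protected segment into the subnets of length split_len that the
    GUI would list after clicking Split; rejects lengths outside the range."""
    net = ipaddress.ip_network(segment, strict=False)
    if not is_valid_split(segment, split_len):
        lo, hi = allowed_split_range(segment)
        raise ValueError(
            f"mask splitting length {split_len} for {net} must be between {lo} and {hi}")
    return [str(sub) for sub in net.subnets(new_prefix=split_len)]


def select_subnets(segment, split_len, addresses):
    """Subnets after splitting that contain at least one of the given
    addresses: the entries an operator would select so that only they, and
    not the whole protected segment, are diverted to the cleaning device."""
    targets = [ipaddress.ip_address(a) for a in addresses]
    chosen = []
    for sub in split_segment(segment, split_len):
        net = ipaddress.ip_network(sub)
        if any(t in net for t in targets):
            chosen.append(sub)
    return chosen


if __name__ == "__main__":
    # Constructed values: protected segment 2.2.0.0/16, two hosts under attack.
    print(allowed_split_range("2.2.0.0/255.255.0.0"))
    print(select_subnets("2.2.0.0/16", 24, ["2.2.2.2", "2.2.7.9"]))
```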

6.3 Configuring Traffic Injection


When the cleaning device is in off-line mode, you can configure traffic injection to inject
cleaned traffic to the original link and then to the Zone.

6.3.1 Layer-2 Injection


In Layer-2 injection, the cleaning device returns cleaned traffic to the Zone at Layer 2, by destination MAC address, instead of by IP route lookup.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-5, interface E1/1 on the core switch is directly connected to interface GE1/0/1 on the cleaning device, and this single link carries both diverted and injected traffic. Two VLANs, for example VLAN1 and VLAN2, are created on the switch, and two subinterfaces on the cleaning device are bound to VLAN1 and VLAN2 for traffic diversion and traffic injection respectively. Traffic is diverted to the cleaning device over VLAN1 of the core switch. After cleaning, the cleaning device sends an ARP request for the Zone's IP address, the Zone answers with an ARP reply, and the cleaning device then forwards the cleaned traffic to that MAC address at Layer 2 over VLAN2.


Figure 6-5 Layer 2 injection

Layer 2 injection is applicable to the scenario where only the Layer 2 forwarding device exists
between the core switch and the Zone.

Configuring the Cleaning Device


A dot1q sub-interface is configured on the cleaning device so that injected traffic is forwarded in the injection VLAN.
1. Run the system-view command to access the system view.
2. Run the interface interface-type interface-number.subinterface-number command to access the Ethernet sub-interface view.
3. Run the vlan-type dot1q vlan-id command to set the encapsulation type and VLAN ID of the sub-interface.
   By default, a sub-interface is not encapsulated with 802.1Q and is not associated with any VLAN.
4. Run the ip address ip-address { mask | mask-length } [ sub ] command to set an IP address for the sub-interface.
NOTE
In Layer-2 injection, if sub-interfaces are used for traffic injection, anti-DDoS policies are configured on the sub-interfaces. If VLANIF interfaces are used for traffic injection, anti-DDoS policies are configured on the corresponding physical interfaces.

Configuring the Core Switch


The following uses the Huawei S9300 as an example to describe how to configure the core switch.
1. Run the system-view command to access the system view.
2. Run the vlan vlan-id command to create the VLANs.
3. Run the quit command to return to the system view.
4. Run the interface interface-type interface-number command to access the Ethernet interface view.
5. Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure the link type of the Layer 2 Ethernet interface.
6. Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> | all } command to configure the VLANs that are permitted on the trunk interface.
7. Run the quit command to return to the system view.
8. Run the interface vlanif vlan-id command to create a VLANIF interface.
9. Run the ip address ip-address { mask | mask-length } [ sub ] command to set an IP address for the VLANIF interface.
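The two procedures above, put together as one worked configuration. This is an added example, not configuration taken from the product documentation, and every value in it is an assumption: the cleaning device uses GigabitEthernet1/0/1.1 (VLAN 10, diversion) and GigabitEthernet1/0/1.2 (VLAN 20, injection); the switch port facing the cleaning device (the E1/1 of the figure) is GigabitEthernet1/0/1; the Zone server 10.1.1.100/24 sits in VLAN 20 behind access port GigabitEthernet1/0/2 and uses the switch's VLANIF 20 address as its gateway. Lines beginning with # are annotations, not commands.

```text
# ---- Cleaning device (AntiDDoS): one dot1q sub-interface per VLAN ----
system-view
 interface GigabitEthernet1/0/1.1
  vlan-type dot1q 10
  ip address 192.168.10.2 255.255.255.252
  quit
 # The injection sub-interface gets an address INSIDE the Zone subnet, so the
 # cleaning device resolves the Zone server's MAC by ARP on VLAN 20 and never
 # consults the diversion route for the cleaned traffic (assumed addressing).
 interface GigabitEthernet1/0/1.2
  vlan-type dot1q 20
  ip address 10.1.1.2 255.255.255.0
  quit

# ---- Core switch (S9300) ----
system-view
 vlan 10
  quit
 vlan 20
  quit
 # Trunk toward the cleaning device carries both the diversion and injection VLANs
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk allow-pass vlan 10 20
  quit
 # Access port toward the Zone server, in the injection VLAN
 interface GigabitEthernet1/0/2
  port link-type access
  port default vlan 20
  quit
 # VLANIF 10 is the Layer 3 next hop used by the diversion route (diversion route
 # itself is configured under traffic diversion and is not shown here)
 interface Vlanif 10
  ip address 192.168.10.1 255.255.255.252
  quit
 # VLANIF 20 is the Zone's default gateway for its normal outbound traffic
 interface Vlanif 20
  ip address 10.1.1.1 255.255.255.0
  quit
```

Two checks worth making after applying this. First, because the switch now has a directly connected route for 10.1.1.0/24 through VLANIF 20, the diversion route pointing the Zone at 192.168.10.2 must be more specific than that connected route (for example a host route), otherwise the connected route wins and nothing is diverted. Second, per the NOTE above, the anti-DDoS policy must be bound to the sub-interface GigabitEthernet1/0/1.2, not to the physical port, since sub-interfaces rather than VLANIF interfaces are used for injection here.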

6.3.2 Configuring Static Route Injection


In static route injection, cleaned traffic is injected from the cleaning device to the router along a static route and finally reaches the Zone.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-6, Router1 is the traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted through Router1 GE1/0/1 to GE2/0/1 on the cleaning device for cleaning. After cleaning, the cleaning device injects the cleaned traffic to GE1/0/2 on Router1 along the static route, and Router1 forwards it to the Zone.
In practice, the traffic-injection router can be either Router1 or another downstream router (such as Router2).
Figure 6-6 Static route injection


Router1 learns the UNR route advertised by the cleaning device and uses the cleaning device as the next hop of the route to the Zone. Therefore, after cleaned traffic is injected to Router1, Router1 would forward it back to the cleaning device according to its routing table, creating a loop. To avoid the loop, configure a policy-based route on inbound interface GE1/0/2 of Router1 that sends injected traffic to downstream Router2 for forwarding.
As the simplest traffic injection mode, static route injection is generally applicable to the scenario where only one traffic-injection link exists.

Configuring the Cleaning Device


Run the ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] } [ preference preference ] [ description text ] command to configure a static route.
ip-address specifies the destination IP address of the static route, that is, the Zone whose traffic is diverted.
mask specifies the mask of the IP address in dotted decimal notation. mask-length specifies the mask length.
preference specifies the priority of the static route. The value ranges from 1 to 255, with 60 as the default value.
nexthop-address specifies the next-hop address of the static route, that is, the address of Router1 GE1/0/2, which is directly connected to the traffic-injection interface on the cleaning device.

Configuring the Router


The following uses the Huawei NE80E as an example to describe how to configure the policy-based route on the traffic-injection router. The commands differ between router models and software versions; the following configuration is for reference only.
1. Run the system-view command to access the system view.
2. Configure an ACL that defines the data flow to be matched by the policy-based route.
3. Run the following commands to define a traffic classifier.
   a. Run the traffic classifier classifier-name command in the system view to define a traffic classifier and access the traffic classifier view.
      classifier-name specifies the name of the traffic classifier. It is a case-sensitive string of 1 to 31 characters.
   b. Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match the ACL.
      acl-number specifies the number of the ACL. The value is an integer.
      For IPv4 packets, the value ranges from 2000 to 4099: 2000 to 3999 indicates a basic or an advanced ACL, and 4000 to 4099 indicates an ACL based on the Layer 2 Ethernet frame header.
      For IPv6 packets, the value ranges from 2000 to 3999: 2000 to 2999 indicates a basic ACL, and 3000 to 3999 indicates an advanced ACL.
      acl-name specifies the name of a named ACL. The value is a case-sensitive string of 1 to 32 characters without spaces. It must start with a letter (a to z or A to Z) and can contain letters, digits, hyphens (-), and underscores (_).
4. Run the following commands to define a traffic behavior and set its action.
   a. Run the traffic behavior behavior-name command in the system view to define a traffic behavior and access the traffic behavior view.
      behavior-name specifies the name of the traffic behavior. The value is a string of 1 to 31 characters.
   b. Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ] command to redirect matching traffic to the next hop.
      ip-address specifies the IP address of the next hop to redirect to.
      interface-type interface-number specifies the type and number of the outbound interface, in slot number/card number/port number format.
5. Run the following commands to define a traffic policy and bind the behavior to the classifier in the policy.
   a. Run the traffic policy policy-name command in the system view to define a traffic policy and access the traffic policy view.
      policy-name specifies the name of the traffic policy. The value is a string of 1 to 31 characters.
   b. Run the classifier classifier-name behavior behavior-name [ precedence precedence ] command to bind the behavior to the traffic classifier in the policy.
      classifier-name specifies the name of an already defined traffic classifier.
      behavior-name specifies the name of an already defined traffic behavior.
      precedence specifies the priority of the classifier-behavior binding. The value is an integer ranging from 1 to 255; the smaller the value, the higher the priority, and the binding with the highest priority is matched first. If precedence is not specified, bindings are matched in configuration order.
6. Run the following commands to apply the policy-based route to the interface.
   a. Run the interface interface-type interface-number command in the system view to access the interface view.
      The interface is inbound interface GE1/0/2 on traffic-injection Router1, as shown in Figure 6-6.
   b. Run the traffic-policy policy-name inbound command to apply the policy-based route.
      inbound applies the traffic policy in the inbound direction.

6.3.3 Configuring UNR Route Injection


In UNR route injection, cleaned traffic is injected from the cleaning device to the router along the UNR route and finally reaches the Zone.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-7, Router1 is the traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted through Router1 GE1/0/1 to GE2/0/1 on the cleaning device for cleaning. After cleaning, the cleaning device injects the cleaned traffic to GE1/0/2 on Router1 along the UNR route, and Router1 forwards it to the Zone.
In practice, the traffic-injection router can be either Router1 or another downstream router (such as Router2).
Figure 6-7 UNR route injection

In BGP traffic diversion, Router1 learns the UNR route advertised by the cleaning device and uses the cleaning device as the next hop of the route to the Zone. Therefore, after cleaned traffic is injected to Router1, Router1 would forward it back to the cleaning device according to its routing table, creating a loop. To avoid the loop, configure a policy-based route on inbound interface GE1/0/2 of Router1 that sends injected traffic to downstream Router2 for forwarding.
When BGP traffic diversion is employed, you only need to specify on the ATIC Management Center the IP address of the Zone whose traffic is to be diverted. The setting is delivered to the cleaning device, which generates the UNR route automatically. For details on the implementation mechanism, see 6.2.2 Configuring BGP Traffic Diversion (CLI); 6.2.3 Configuring BGP Traffic Diversion (ATIC) describes the configuration procedure.

Configuring the Router


The following uses the Huawei NE80E as an example to describe how to configure the policy-based route on the traffic-injection router. The commands differ between router models and software versions; the following configuration is for reference only.
1. Run the system-view command to access the system view.
2. Configure an ACL that defines the data flow to be matched by the policy-based route.
3. Run the following commands to define a traffic classifier.
   a. Run the traffic classifier classifier-name command in the system view to define a traffic classifier and access the traffic classifier view.
      classifier-name specifies the name of the traffic classifier. It is a case-sensitive string of 1 to 31 characters.
   b. Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match the ACL.
      acl-number specifies the number of the ACL. The value is an integer.
      For IPv4 packets, the value ranges from 2000 to 4099: 2000 to 3999 indicates a basic or an advanced ACL, and 4000 to 4099 indicates an ACL based on the Layer 2 Ethernet frame header.
      For IPv6 packets, the value ranges from 2000 to 3999: 2000 to 2999 indicates a basic ACL, and 3000 to 3999 indicates an advanced ACL.
      acl-name specifies the name of a named ACL. The value is a case-sensitive string of 1 to 32 characters without spaces. It must start with a letter (a to z or A to Z) and can contain letters, digits, hyphens (-), and underscores (_).
4. Run the following commands to define a traffic behavior and set its action.
   a. Run the traffic behavior behavior-name command in the system view to define a traffic behavior and access the traffic behavior view.
      behavior-name specifies the name of the traffic behavior. The value is a string of 1 to 31 characters.
   b. Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ] command to redirect matching traffic to the next hop.
      ip-address specifies the IP address of the next hop to redirect to.
      interface-type interface-number specifies the type and number of the outbound interface, in slot number/card number/port number format.
5. Run the following commands to define a traffic policy and bind the behavior to the classifier in the policy.
   a. Run the traffic policy policy-name command in the system view to define a traffic policy and access the traffic policy view.
      policy-name specifies the name of the traffic policy. The value is a string of 1 to 31 characters.
   b. Run the classifier classifier-name behavior behavior-name [ precedence precedence ] command to bind the behavior to the traffic classifier in the policy.
      classifier-name specifies the name of an already defined traffic classifier.
      behavior-name specifies the name of an already defined traffic behavior.
      precedence specifies the priority of the classifier-behavior binding. The value is an integer ranging from 1 to 255; the smaller the value, the higher the priority, and the binding with the highest priority is matched first. If precedence is not specified, bindings are matched in configuration order.

6. Run the following commands to apply the policy-based route to the interface.
   a. Run the interface interface-type interface-number command in the system view to access the interface view.
      The interface is inbound interface GE1/0/2 on traffic-injection Router1, as shown in Figure 6-7.
   b. Run the traffic-policy policy-name inbound command to apply the policy-based route.
      inbound applies the traffic policy in the inbound direction.
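A worked configuration for static route injection (6.3.2) together with the Router1 policy-based route that breaks the loop; the router part is identical for UNR route injection (6.3.3), where only the cleaning-device route differs. This is an added example, not configuration from the product documentation, and the values are assumptions: Zone 10.1.1.0/24; cleaning-device injection interface 192.168.2.2/30 connected to Router1 GigabitEthernet1/0/2 192.168.2.1/30; Router2 reachable from Router1 through GigabitEthernet1/0/4 with next hop 192.168.3.2; ACL number 3001 and the classifier, behavior and policy names are arbitrary. Lines beginning with # are annotations, not commands.

```text
# ---- Cleaning device: static route injection (6.3.2) ----
# Next hop is Router1 GE1/0/2, directly connected to the injection interface.
# In UNR route injection (6.3.3) this line is NOT configured: the UNR route is
# generated automatically from the Zone address delivered by the ATIC Management Center.
system-view
 ip route-static 10.1.1.0 255.255.255.0 192.168.2.1 description inject-to-zone-via-router1

# ---- Router1 (NE80E): policy-based route on the injection interface ----
system-view
 # Match only traffic destined for the Zone prefix (wildcard mask, not a netmask)
 acl number 3001
  rule 5 permit ip destination 10.1.1.0 0.0.0.255
  quit
 traffic classifier c_injected
  if-match acl 3001
  quit
 # Send matching traffic downstream to Router2 instead of using the routing table,
 # whose entry for 10.1.1.0/24 still points back at the cleaning device
 traffic behavior b_to_router2
  redirect ip-nexthop 192.168.3.2 interface GigabitEthernet1/0/4
  quit
 traffic policy p_inject
  classifier c_injected behavior b_to_router2
  quit
 # Apply inbound on GE1/0/2 only: the only traffic arriving there is injected
 # traffic, so no other flow through Router1 is affected by the redirect
 interface GigabitEthernet1/0/2
  traffic-policy p_inject inbound
  quit
```

The point to verify after configuration is the loop the text describes: Router1's routing table must still show the Zone prefix with the cleaning device as next hop (that is the diversion working), while traffic for the Zone that arrives on GE1/0/2 must leave toward Router2. If the ACL is written with a netmask (255.255.255.0) instead of a wildcard mask it matches nothing on the NE80E and every injected packet is looped straight back to the cleaning device.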

6.3.4 Configuring Policy-Based Route Injection


In policy-based route injection, a policy-based route is configured on both the cleaning device and the router, so that cleaned traffic for different Zones is injected along different links.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-8, Router1 is the traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted through Router1 GE1/0/1 to GE2/0/1 on the cleaning device for cleaning. After cleaning, normal traffic is injected to the original link through the policy-based route.

In BGP traffic diversion, Router1 learns the UNR route advertised by the cleaning device and uses the cleaning device as the next hop of the route to the Zone. Therefore, after cleaned traffic is injected to Router1, Router1 would forward it back to the cleaning device according to its routing table, creating a loop. To avoid the loop, configure a policy-based route on inbound interfaces GE1/0/2 and GE1/0/3 of Router1 that sends injected traffic to downstream Router2 or Router3 for forwarding.
Assume that the traffic is diverted to the cleaning device through BGP. The procedure is as follows:
a. Apply a policy-based route to inbound interface GE2/0/1 on the cleaning device to inject the traffic of different Zones to Router1 GE1/0/2 and GE1/0/3 respectively.
b. Apply a policy-based route to inbound interfaces GE1/0/2 and GE1/0/3 on Router1 to inject the traffic to downstream Router2 or Router3, and finally to Zone1 or Zone2.

In policy-based route diversion, no loop exists between Router1 and the cleaning device, so a policy-based route is needed only on the cleaning device.
Assume that the traffic is diverted to the cleaning device through a policy-based route. The procedure is as follows:
a. Apply a policy-based route to inbound interface GE2/0/1 on the cleaning device to inject the traffic of different Zones to different interfaces on Router1.
b. After reaching Router1, the injected traffic is sent to Router2 or Router3 according to the routing table and then to the Zone.

In practice, the traffic-injection router can be either Router1 or another downstream router (such as Router2).


Figure 6-8 Policy-based route injection

Policy-based route injection is a common injection mode and is generally used when there are multiple injection interfaces. It is easy to configure in simple topologies. However, the policy-based routes must be modified manually whenever the topology changes, and when changes are frequent and Zone IP addresses are scattered, a large number of policy-based routes are required, which costs much manual effort and degrades forwarding performance. In such cases, you are advised to configure MPLS traffic injection instead of policy-based route injection.

Configuring the Cleaning Device


The following describes how to configure a policy-based route on the cleaning device so that cleaned traffic is injected to different interfaces on Router1.
1. Run the system-view command to access the system view.
2. Run the policy-based-route command in the system view to create a PBR policy and access its view.
3. Run the rule name rule-name command to create a PBR rule and access its view.

4. Set the matching conditions of the PBR rule. Either the source security zone or the incoming interface must be specified as a matching condition; if you specify both, the later configuration overwrites the earlier one. The source IP address, destination IP address, service type, application type, and user are optional and can be specified as required.

   Matching condition: source security zone or incoming interface
   Command:
   source-zone zone-name &<1-6>
   ingress-interface { interface-type interface-number } &<1-6>
   NOTE
   Apart from physical interfaces, the AntiDDoS supports four types of logical interface as the incoming interface, namely the VLANIF interface, Ethernet subinterface, Eth-Trunk interface, and loopback interface.
   When the incoming interface is a VLANIF interface, PBR is applied to the traffic of the specified VLAN.
   When the incoming interface is an Ethernet subinterface, PBR is applied to the traffic of the specified subinterface.
   When the incoming interface is an Eth-Trunk interface, PBR is applied to the traffic from the specified Eth-Trunk link.

   Matching condition: source IP address
   Command:
   source-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | isp isp-name | domain-set domain-set-name &<1-6> | any }

   Matching condition: destination IP address
   Command:
   destination-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | isp isp-name | domain-set domain-set-name &<1-6> | any }

   Matching condition: service type
   Command:
   service { service-name &<1-6> | any }

   Matching condition: application type
   Command:
   application { application-name &<1-6> | any }

5. Configure the action for packets matching the conditions.
   action { pbr { egress-interface interface-type interface-number &<12> [ next-hop ip-address &<12> ] | next-hop ip-address &<12> | vpn-instance vpn-instance-name } | no-pbr }
   NOTE
   no-pbr applies to certain scenarios. For example, to apply PBR to subnet 10.1.1.0/24 except 10.1.1.2, first configure a rule with a higher priority that applies no-pbr to 10.1.1.2, and then a rule with a lower priority that applies PBR to subnet 10.1.1.0/24.

6. Optional: Enable PBR to interwork with IP-link or BFD so that the AntiDDoS determines the validity of the PBR rule based on the IP-link or BFD status.
   track { ip-link link-id | bfd-session bfd-session-id }
   A PBR rule can interwork with either IP-link or BFD.
   Before you enable PBR to interwork with IP-link, create the IP links.
   Before you enable PBR to interwork with BFD, create the BFD sessions.
   If IP-link or BFD detects that the next hop is unreachable, the AntiDDoS forwards the packets based on the routing table.

Configuring the Router


The following uses the Huawei NE80E as an example to describe how to configure the policy-based route on the router so that traffic is injected to Router2 and Router3 respectively.
1. Run the system-view command to access the system view.
2. Configure an ACL that defines the data flow to be matched by the policy-based route.
3. Run the following commands to define a traffic classifier.
   a. Run the traffic classifier classifier-name command in the system view to define a traffic classifier and access the traffic classifier view.
      classifier-name specifies the name of the traffic classifier. It is a case-sensitive string of 1 to 31 characters.
   b. Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match the ACL.
      acl-number specifies the number of the ACL. The value is an integer.
      For IPv4 packets, the value ranges from 2000 to 4099: 2000 to 3999 indicates a basic or an advanced ACL, and 4000 to 4099 indicates an ACL based on the Layer 2 Ethernet frame header.
      For IPv6 packets, the value ranges from 2000 to 3999: 2000 to 2999 indicates a basic ACL, and 3000 to 3999 indicates an advanced ACL.
      acl-name specifies the name of a named ACL. The value is a case-sensitive string of 1 to 32 characters without spaces. It must start with a letter (a to z or A to Z) and can contain letters, digits, hyphens (-), and underscores (_).
4. Run the following commands to define a traffic behavior and set its action.
   a. Run the traffic behavior behavior-name command in the system view to define a traffic behavior and access the traffic behavior view.
      behavior-name specifies the name of the traffic behavior. The value is a string of 1 to 31 characters.
   b. Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ] command to redirect matching traffic to the next hop.
      ip-address specifies the IP address of the next hop to redirect to.
      interface-type interface-number specifies the type and number of the outbound interface, in slot number/card number/port number format.

5. Run the following commands to define a traffic policy and bind the behavior to the classifier in the policy.
   a. Run the traffic policy policy-name command in the system view to define a traffic policy and access the traffic policy view.
      policy-name specifies the name of the traffic policy. The value is a string of 1 to 31 characters.
   b. Run the classifier classifier-name behavior behavior-name [ precedence precedence ] command to bind the behavior to the traffic classifier in the policy.
      classifier-name specifies the name of an already defined traffic classifier.
      behavior-name specifies the name of an already defined traffic behavior.
      precedence specifies the priority of the classifier-behavior binding. The value is an integer ranging from 1 to 255; the smaller the value, the higher the priority, and the binding with the highest priority is matched first. If precedence is not specified, bindings are matched in configuration order.
6. Run the following commands to apply the policy-based route to the interfaces.
   a. Run the interface interface-type interface-number command in the system view to access the interface view.
      The interfaces are inbound interfaces GE1/0/2 and GE1/0/3 on traffic-injection Router1, as shown in Figure 6-8.
   b. Run the traffic-policy policy-name inbound command to apply the policy-based route.
      inbound applies the traffic policy in the inbound direction.
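A worked configuration of policy-based route injection for the BGP-diversion case, covering both the cleaning-device PBR (first procedure above) and the Router1 policy (second procedure). This is an added example, not configuration from the product documentation, and all values are assumptions: Zone1 10.1.1.0/24 and Zone2 10.1.2.0/24; cleaning-device injection interfaces GigabitEthernet2/0/2 and GigabitEthernet2/0/3 connected to Router1 GigabitEthernet1/0/2 (192.168.2.1) and GigabitEthernet1/0/3 (192.168.3.1); Router2 and Router3 reached from Router1 via next hops 192.168.4.2 and 192.168.5.2; ACL numbers and object names are arbitrary. Lines beginning with # are annotations, not commands.

```text
# ---- Cleaning device: one PBR rule per Zone, matched only on the diversion interface ----
system-view
 policy-based-route
  rule name inject_zone1
   ingress-interface GigabitEthernet2/0/1
   destination-address 10.1.1.0 24
   action pbr egress-interface GigabitEthernet2/0/2 next-hop 192.168.2.1
   quit
  rule name inject_zone2
   ingress-interface GigabitEthernet2/0/1
   destination-address 10.1.2.0 24
   action pbr egress-interface GigabitEthernet2/0/3 next-hop 192.168.3.1
   quit
  quit

# ---- Router1 (NE80E): keep injected traffic from following the UNR route back ----
system-view
 acl number 3001
  rule 5 permit ip destination 10.1.1.0 0.0.0.255
  quit
 acl number 3002
  rule 5 permit ip destination 10.1.2.0 0.0.0.255
  quit
 traffic classifier c_zone1
  if-match acl 3001
  quit
 traffic classifier c_zone2
  if-match acl 3002
  quit
 traffic behavior b_to_router2
  redirect ip-nexthop 192.168.4.2
  quit
 traffic behavior b_to_router3
  redirect ip-nexthop 192.168.5.2
  quit
 # One policy, two bindings; lower precedence value is evaluated first
 traffic policy p_inject
  classifier c_zone1 behavior b_to_router2 precedence 10
  classifier c_zone2 behavior b_to_router3 precedence 20
  quit
 # Applied inbound on both injection interfaces so a packet for either Zone is
 # redirected regardless of which link the cleaning device used
 interface GigabitEthernet1/0/2
  traffic-policy p_inject inbound
  quit
 interface GigabitEthernet1/0/3
  traffic-policy p_inject inbound
  quit
```

Restricting each cleaning-device rule with ingress-interface GigabitEthernet2/0/1 matters: it confines the PBR to diverted traffic, so management or other traffic sourced by the device is still routed normally. The optional track command (step 6 of the cleaning-device procedure) can be added under each rule once the corresponding IP-link or BFD session exists, so that a dead injection link makes the rule invalid instead of black-holing cleaned traffic.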

6.3.5 Configuring GRE Traffic Injection


In GRE traffic injection, a GRE tunnel is established between the cleaning device and the traffic-injection router, so that cleaned traffic is delivered directly to that router and then to the Zone.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-9, Router1 is the traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted through Router1 GE1/0/1 to GE2/0/1 for cleaning.
Router2 is the traffic-injection router. A GRE tunnel is established between the cleaning device and Router2: a tunnel interface is created on each, and the source and destination IP addresses of the tunnel interfaces are specified. The source IP address of a tunnel interface is the IP address of the physical interface that sends the packets, and the destination IP address is the IP address of the physical interface that receives them. Cleaned traffic is forwarded to Router2 over the GRE tunnel and then to the Zone.
The source and destination IP addresses must be reachable from each other by route.
In practice, the traffic-injection router can be either Router2 or another downstream router.


Figure 6-9 GRE traffic injection

In the BGP traffic-diversion scenario, GRE traffic injection delivers injected traffic directly to a downstream router that has not learned the traffic-diversion route, which avoids loops.
Because GRE traffic injection requires only GRE and basic IP forwarding on the router, it is suitable when few traffic-injection routers are available. Where many GRE tunnels would have to be established between the cleaning device and the traffic-injection routers, you are advised to configure dynamic route injection instead, because the static routes needed for each tunnel become complex to maintain.

NOTE
Traffic injection carries only post-cleaning traffic, in one direction; the return traffic never passes through the cleaning device. Therefore GRE traffic injection does not support the TCP proxy.
When you configure GRE injection, do not configure the keepalive command at either end of the tunnel.

Configuring the Cleaning Device


The following describes how to configure a GRE tunnel on the cleaning device so that cleaned traffic is delivered to the traffic-injection router over the tunnel.
1. Run the system-view command in the user view to access the system view.
2. Run the interface tunnel tunnel-number command to create a tunnel interface and access the tunnel interface view.
3. Run the tunnel-protocol gre command to set the encapsulation mode of the tunnel interface to GRE.
4. Run the source { interface-type interface-number | source-ip-address } command to set the source of the tunnel interface.
   The value can be an interface name or an IP address. If an interface name is used, the interface can be a GigabitEthernet, POS, Eth-Trunk, or IP-Trunk interface.
   If an IP address is specified, it can be either the IP address of the traffic-injection interface or a loopback address of the cleaning device.
5. Run the destination dest-ip-address command to set the destination IP address of the tunnel interface.
   The destination IP address of the tunnel interface must differ from its source IP address.
   The destination IP address is the IP address of the tunnel endpoint interface on Router2.
6. Run the ip address ip-address { mask | mask-length } command to set the IP address of the tunnel interface.
   The IP address of the tunnel interface can be any IP address. If the route that directs packets into the tunnel interface is generated by a dynamic routing protocol, the IP addresses of the tunnel interfaces at both ends of the GRE tunnel must reside on the same network segment.
7. Run the firewall zone [ name ] zone-name command in the system view to access the security zone view.
8. Run the add interface tunnel tunnel-number command to add the tunnel interface to the security zone.
   The tunnel interface can be added to any security zone. If the tunnel interface and the interface that owns the source IP address are in different security zones, configure interzone packet filtering to allow traffic between the two zones.
9. Run the following commands to configure policy-based routing (PBR):
   policy-based-route
   rule name rule-name
   ingress-interface { interface-type interface-number }
   destination-address { ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length }
   action pbr egress-interface interface-type interface-number
   The PBR on the cleaning device sends cleaned traffic to the tunnel interface for forwarding, so that the traffic enters the GRE tunnel and is delivered to the tunnel destination.

Configuring the Router

The following uses the Huawei NE80E as an example to describe how to configure the router
for GRE traffic injection.
1. Run the system-view command in the user view to access the system view.
2. Run the interface tunnel tunnel-number command to create a tunnel interface and
access the tunnel interface view.
3. Run the tunnel-protocol gre command to set the encapsulation mode of the tunnel
interface to GRE.
4. Run the source { source-ip-address | loopback interface-number } command to set the
source IP address or source interface of the tunnel interface.
5. Run the destination dest-ip-address command to set the destination IP address of the
tunnel interface.
The destination IP address of the tunnel interface must be different from its source IP
address.
The specified destination IP address can be the IP address of the traffic-injection
interface on the cleaning device or the loopback address of the cleaning device.
6. Run the ip address ip-address { mask | mask-length } command to set the IP address of
the tunnel interface.
The IP address of the tunnel interface can be any IP address. When the route that directs
packets to the tunnel interface is generated by a dynamic routing protocol, the IP
addresses of the interfaces at both ends of the GRE tunnel must reside on the same
network segment.
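The following consolidated configuration ties together the GRE traffic injection steps on the cleaning device and on Router2 described above. It is an added example, not configuration from the guide; the interface names, addresses, security zone name, PBR rule name and protected prefix are assumptions, and the two tunnel endpoints are assumed to be reachable through the existing routing.

```text
# Added example, not from the guide. Assumed values:
#   cleaning device GE2/0/1 receives the diverted traffic from Router1
#   cleaning device GE2/0/2 = traffic-injection interface, address 10.1.2.1
#   Router2 interface address 10.2.1.2, reachable through the existing routing
#   protected Zone prefix 192.0.2.0/24 behind Router2

# ---- Cleaning device ----
system-view
 interface tunnel 1
  tunnel-protocol gre
  # source = traffic-injection interface address (a loopback address also works)
  source 10.1.2.1
  # destination = Router2 interface address; it must differ from the source
  destination 10.2.1.2
  # both tunnel ends on one segment, required if a dynamic routing protocol runs over the tunnel
  ip address 172.16.1.1 255.255.255.252
  quit
 # put the tunnel interface in a security zone ("inject" is an assumed, already existing zone);
 # if GE2/0/2 is in a different zone, interzone packet filtering must permit the traffic
 firewall zone name inject
  add interface tunnel 1
  quit
 # PBR: cleaned traffic that arrived on GE2/0/1 and is destined for the Zone leaves via the
 # tunnel instead of following the traffic-diversion route the cleaning device advertises
 policy-based-route
  rule name inject-to-gre
   ingress-interface GigabitEthernet 2/0/1
   destination-address 192.0.2.0 24
   action pbr egress-interface tunnel 1
   quit
  quit

# ---- Router2 (NE80E) ----
system-view
 interface tunnel 1
  tunnel-protocol gre
  source 10.2.1.2
  destination 10.1.2.1
  ip address 172.16.1.2 255.255.255.252
  quit
```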

6.3.6 Configuring MPLS LSP Traffic Injection

In Multiprotocol Label Switching (MPLS) Label Switched Path (LSP) traffic injection, an MPLS
LSP is established between the cleaning device and the traffic-injection router. Cleaned traffic
is tagged with a single-layer label and is finally forwarded to the Zone.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-10, Router1 is a traffic-diversion router. A traffic-diversion channel is
established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic
is diverted through Router1 GE1/0/1 to GE2/0/1 for cleaning.
MPLS and LDP are configured on the cleaning device, Router1, and Router2, so that MPLS
labels are assigned and an MPLS LSP is established. Cleaned traffic is then tagged with a
single-layer label on the cleaning device and injected to the original link along the
pre-established LSP. In this way, the traffic is not subject to the traffic-diversion route
advertised by the cleaning device.
In practice, the traffic-injection router can be either Router2 or another downstream router.
Figure 6-10 MPLS LSP traffic injection


In the BGP traffic-diversion scenario, MPLS LSP traffic injection bypasses the
traffic-diversion route and delivers the injected traffic directly to a downstream router that
cannot learn the traffic-diversion route, avoiding loops.
As a typical dynamic traffic injection method, MPLS LSP traffic injection is flexible and
scalable, but requires that the routers support MPLS.

Configuring the Cleaning Device

Step 1 Set the IP address of each interface on the cleaning device and the loopback address serving
as the LSR ID. Use OSPF to advertise the network segment connected to each interface and the
host route of the LSR ID.
Step 2 Configure basic MPLS functions.
1. Run the system-view command in the user view to access the system view.
2. Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies an LSR ID in dotted decimal notation and identifies an LSR. Setting the
LSR ID is the prerequisite for configuring other MPLS commands.
No default LSR ID is available. You are advised to use the IP address of the loopback
interface of the LSR as the LSR ID.
To modify a configured LSR ID, first run the undo mpls command in the system view to
delete all MPLS configurations.
3. Run the mpls command to enable global MPLS and access the MPLS view.
4. Run the quit command to return to the system view.
5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
6. Run the quit command to return to the system view.
7. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or a
subinterface of 10GE, GigabitEthernet, or Eth-Trunk. It cannot be GigabitEthernet 0/0/0
on the MPU.
The interface is the traffic-injection interface on the cleaning device.
8. Run the mpls command to enable interface-based MPLS.
9. Run the mpls ldp command to enable interface-based LDP.
10. Run the quit command to return to the system view.
Step 3 Configure a policy for establishing an LSP.
1. Run the mpls command to access the MPLS view.
2. Run the lsp-trigger all command to configure a policy for establishing an LSP.
3. Run the quit command to return to the system view.
----End

Configuring Router1
The following uses the Huawei NE80E as an example to describe how to configure Router1 for
MPLS LSP traffic injection.
Step 1 Set the IP address of each Router1 interface and the loopback address serving as the LSR
ID. Use OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.
Step 2 Configure basic MPLS functions.
1. Run the system-view command in the user view to access the system view.
2. Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies an LSR ID in dotted decimal notation and identifies an LSR. Setting the
LSR ID is the prerequisite for configuring other MPLS commands.
No default LSR ID is available. You are advised to use the IP address of the loopback
interface of the LSR as the LSR ID.
To modify a configured LSR ID, first run the undo mpls command in the system view to
delete all MPLS configurations.
3. Run the mpls command to enable global MPLS and access the MPLS view.
4. Run the quit command to return to the system view.
5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
6. Run the quit command to return to the system view.
7. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interfaces are the inbound interface GE1/0/2 and the outbound interface GE1/0/3.
8. Run the mpls command to enable interface-based MPLS.
9. Run the mpls ldp command to enable interface-based LDP.
10. Run the quit command to return to the system view.
----End

Configuring Router2
The following uses the Huawei NE80E as an example to describe how to configure Router2 for
MPLS LSP traffic injection.
Step 1 Set the IP address of each Router2 interface and the loopback address serving as the LSR
ID. Use OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.
Step 2 Configure basic MPLS functions.
1. Run the system-view command in the user view to access the system view.
2. Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies an LSR ID in dotted decimal notation and identifies an LSR. Setting the
LSR ID is the prerequisite for configuring other MPLS commands.
No default LSR ID is available. You are advised to use the IP address of the loopback
interface of the LSR as the LSR ID.
To modify a configured LSR ID, first run the undo mpls command in the system view to
delete all MPLS configurations.
3. Run the mpls command to enable global MPLS and access the MPLS view.
4. Run the quit command to return to the system view.
5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
6. Run the quit command to return to the system view.
7. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interface is the inbound interface GE1/0/1 for injected traffic.
8. Run the mpls command to enable interface-based MPLS.
9. Run the mpls ldp command to enable interface-based LDP.
10. Run the quit command to return to the system view.
Step 3 Configure a policy for establishing an LSP.
1. Run the mpls command to access the MPLS view.
2. Run the lsp-trigger all command to configure a policy for establishing an LSP.
3. Run the quit command to return to the system view.
----End

6.3.7 Configuring MPLS VPN Traffic Injection

In MPLS VPN traffic injection, a Layer-3 MPLS VPN is established between the cleaning
device and the traffic-injection router. Cleaned traffic is injected to the original link through
the VPN and is finally sent to the Zone.

Implementation Mechanism
This function is configured on the AntiDDoS.
As shown in Figure 6-11, Router1 is a traffic-diversion router. A traffic-diversion channel is
established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic
is diverted through Router1 GE1/0/1 to GE2/0/1 for cleaning.
A Layer-3 MPLS VPN is established between the cleaning device and Router2. The cleaning
device acts as the ingress Provider Edge (PE) device, Router1 as a P device, and Router2 as the
egress PE device. Cleaned traffic is injected from GE2/0/2 to GE1/0/1 on Router2 along the
dynamically established Label Switched Path (LSP). Cleaned traffic carries two layers of
labels; the outer label is stripped when the traffic passes through Router1. Router2 then looks
up the corresponding private routing table based on the inner (private) label and forwards the
traffic to the Zone.
In practice, the traffic-injection router can be either Router2 or another downstream router.
Figure 6-11 MPLS VPN traffic injection

In the BGP traffic-diversion scenario, MPLS VPN traffic injection delivers the injected traffic
directly to a downstream router that cannot learn the traffic-diversion route, avoiding loops.
As a typical dynamic traffic injection method, MPLS VPN traffic injection is flexible and
scalable, but requires that the routers support MPLS.

Configuring the Cleaning Device

Step 1 Set the IP address of each interface on the cleaning device and the loopback address serving
as the LSR ID. Use OSPF to advertise the network segment connected to each interface and the
host route of the LSR ID.
Step 2 Configure basic MPLS functions.
1. Run the system-view command in the user view to access the system view.
2. Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies an LSR ID in dotted decimal notation and identifies an LSR. Setting the
LSR ID is the prerequisite for configuring other MPLS commands.
No default LSR ID is available. You are advised to use the IP address of the loopback
interface of the LSR as the LSR ID.
To modify a configured LSR ID, first run the undo mpls command in the system view to
delete all MPLS configurations.
3. Run the mpls command to enable global MPLS and access the MPLS view.
4. Run the quit command to return to the system view.
5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
6. Run the quit command to return to the system view.
7. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or a
subinterface of 10GE, GigabitEthernet, or Eth-Trunk. It cannot be GigabitEthernet 0/0/0
on the MPU.
The interface is GE2/0/2 on the cleaning device.
8. Run the mpls command to enable interface-based MPLS.
9. Run the mpls ldp command to enable interface-based LDP.
10. Run the quit command to return to the system view.
Step 3 Configure a VPN instance.
1. Run the ip vpn-instance vpn-instance-name command to create a VPN instance and
access the corresponding view.
2. Run the route-distinguisher route-distinguisher command to configure the RD of the
VPN instance.
The VPN instance takes effect only after an RD is specified. Before setting the RD, you
cannot configure any parameter except the description.
3. Run the vpn-target vpn-target &<1-8> [ both | export-extcommunity |
import-extcommunity ] command to create a VPN-target extended community for the
VPN instance.
A VPN target is an extended BGP community attribute that controls the receiving and
advertising of VPN routes. You can configure a maximum of eight VPN targets at a time
by running the vpn-target command. A VPN instance can be configured with a maximum
of 16 VPN targets.
4. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or a
subinterface of 10GE, GigabitEthernet, or Eth-Trunk. It cannot be GigabitEthernet 0/0/0
on the MPU.
The interface is GE2/0/1 on the cleaning device.
5. Run the ip binding vpn-instance vpn-instance-name command to bind the interface to
the VPN instance.
After the ip binding vpn-instance command is configured, Layer-3 settings on the
interface, such as the IP address and routing protocol, are deleted. Re-configure them if
required.
6. Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP
address of the interface.
7. Run the quit command to return to the system view.
Step 4 Configure MP-IBGP between the PE devices.
1. Run the interface loopback number command to create a loopback interface.
The value of number ranges from 0 to 1023.
2. Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP
address of the loopback interface.
3. Run the quit command to return to the system view.
4. Run the bgp as-number command to access the BGP view.
as-number specifies an AS number. The value ranges from 1 to 65,535.
5. Run the peer peer-address as-number as-number command to set the remote PE device
as the peer.
peer-address specifies the IP address of the peer.
6. Run the peer peer-address connect-interface loopback interface-number command to
specify the interface for establishing the TCP connection.
The MP-IBGP peer relationship must be established between the PE devices through the
32-bit IP address of the loopback interface. This avoids route failure due to route
aggregation. The route to the loopback interface is advertised to the peer PE device by
using an IGP on the MPLS backbone network.
7. Run the ipv4-family vpnv4 [ unicast ] command to access the BGP-VPNv4 address
family view.
8. Run the peer peer-address enable command to enable VPN-IPv4 route exchange.
Step 5 Configure a route between the PE device and the Customer Edge (CE) device.
In practice, configure EBGP, a static route, RIP, or OSPF between the PE device and the CE
device.
----End

Configuring Router1
The following uses the Huawei NE80E as an example to describe how to configure Router1 for
MPLS VPN traffic injection.
Step 1 Set the IP address of each Router1 interface and the loopback address serving as the LSR
ID. Use OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.
Step 2 Configure basic MPLS functions.
1. Run the system-view command in the user view to access the system view.
2. Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies an LSR ID in dotted decimal notation and identifies an LSR. Setting the
LSR ID is the prerequisite for configuring other MPLS commands.
No default LSR ID is available. You are advised to use the IP address of the loopback
interface of the LSR as the LSR ID.
To modify a configured LSR ID, first run the undo mpls command in the system view to
delete all MPLS configurations.
3. Run the mpls command to enable global MPLS and access the MPLS view.
4. Run the quit command to return to the system view.
5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
6. Run the quit command to return to the system view.
7. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interfaces are the inbound interface GE1/0/2 and the outbound interface GE1/0/3.
8. Run the mpls command to enable interface-based MPLS.
9. Run the mpls ldp command to enable interface-based LDP.
10. Run the quit command to return to the system view.
----End

Configuring Router2
The following uses the Huawei NE80E as an example to describe how to configure Router2 for
MPLS VPN traffic injection.
Step 1 Set the IP address of each Router2 interface and the loopback address serving as the LSR
ID. Use OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.
Step 2 Configure basic MPLS functions.
1. Run the system-view command in the user view to access the system view.
2. Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies an LSR ID in dotted decimal notation and identifies an LSR. Setting the
LSR ID is the prerequisite for configuring other MPLS commands.
No default LSR ID is available. You are advised to use the IP address of the loopback
interface of the LSR as the LSR ID.
To modify a configured LSR ID, first run the undo mpls command in the system view to
delete all MPLS configurations.
3. Run the mpls command to enable global MPLS and access the MPLS view.
4. Run the quit command to return to the system view.
5. Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.
6. Run the quit command to return to the system view.
7. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interface is the inbound interface GE1/0/1 for injected traffic.
8. Run the mpls command to enable interface-based MPLS.
9. Run the mpls ldp command to enable interface-based LDP.
10. Run the quit command to return to the system view.
Step 3 Configure a VPN instance.
1. Run the ip vpn-instance vpn-instance-name command to create a VPN instance and
access the corresponding view.
2. Run the route-distinguisher route-distinguisher command to configure the RD of the
VPN instance.
The VPN instance takes effect only after an RD is specified. Before setting the RD, you
cannot configure any parameter except the description.
3. Run the vpn-target vpn-target &<1-8> [ both | export-extcommunity |
import-extcommunity ] command to create a VPN-target extended community for the
VPN instance.
A VPN target is an extended BGP community attribute that controls the receiving and
advertising of VPN routes. You can configure a maximum of eight VPN targets at a time
by running the vpn-target command. A VPN instance can be configured with a maximum
of 16 VPN targets.
4. Run the interface interface-type { interface-number |
interface-number.subinterface-number } command to access the interface view.
The interface is the one through which Router2 connects to the Zone network, that is,
Router2 GE1/0/2 shown in Figure 6-11.
5. Run the ip binding vpn-instance vpn-instance-name command to bind the interface to
the VPN instance.
After the ip binding vpn-instance command is configured, Layer-3 settings on the
interface, such as the IP address and routing protocol, are deleted. Re-configure them if
required.
6. Run the quit command to return to the system view.
Step 4 Configure MP-IBGP between the PE devices.
1. Run the interface loopback number command to create a loopback interface.
The value of number ranges from 0 to 1023.
2. Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP
address of the loopback interface.
3. Run the quit command to return to the system view.
4. Run the bgp as-number command to access the BGP view.
5. Run the peer peer-address as-number as-number command to set the remote PE device
as the peer.
6. Run the peer peer-address connect-interface loopback interface-number command to
specify the interface for establishing the TCP connection.
The MP-IBGP peer relationship must be established between the PE devices through the
32-bit IP address of the loopback interface. This avoids route failure due to route
aggregation. The route to the loopback interface is advertised to the peer PE device by
using an IGP on the MPLS backbone network.
7. Run the ipv4-family vpnv4 [ unicast ] command to access the BGP-VPNv4 address
family view.
8. Run the peer peer-address enable command to enable VPN-IPv4 route exchange.
Step 5 Configure a route between the PE device and the CE device.
In practice, configure EBGP, a static route, RIP, or OSPF between the PE device and the CE
device.
----End
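The following consolidated configuration ties together Step 1 to Step 5 on the cleaning device and on Router2 as described above; its Step 1 and Step 2 lines are the same ones that 6.3.6 requires. It is an added example, not configuration from the guide; the topology, addresses, LSR IDs, AS number, VPN-instance name, RD and VPN target, the OSPF commands used for Step 1, and the static PE-CE route used for Step 5 are assumptions.

```text
# Added example, not from the guide. Assumed topology (after Figure 6-11):
#   Router1 GE1/0/1 -> cleaning device GE2/0/1          (traffic-diversion channel)
#   cleaning device GE2/0/2 -> Router1 GE1/0/2, Router1 GE1/0/3 -> Router2 GE1/0/1
#   Router2 GE1/0/2 -> Zone (assumed prefix 192.0.2.0/24, CE next hop 10.2.2.2)
# Assumed LSR IDs: cleaning device 10.0.0.1, Router2 10.0.0.3; AS number 65000;
# VPN instance zone-vpn with RD and VPN target 65000:1.

# ---- Cleaning device (ingress PE) ----
system-view
 interface loopback 0
  ip address 10.0.0.1 255.255.255.255
  quit
 # Step 1 (assumed OSPF commands): advertise the interface segment and the LSR ID host route
 ospf 1
  area 0.0.0.0
   network 10.0.0.1 0.0.0.0
   network 10.1.2.0 0.0.0.3
   quit
  quit
 # Step 2: global MPLS and LDP, then (with the Step 1 address) MPLS and LDP on GE2/0/2
 mpls lsr-id 10.0.0.1
 mpls
  quit
 mpls ldp
  quit
 interface GigabitEthernet 2/0/2
  ip address 10.1.2.1 255.255.255.252
  mpls
  mpls ldp
  quit
 # Step 3: VPN instance bound to the interface that receives the diverted traffic;
 # binding clears the Layer-3 settings, so the IP address is set again afterwards
 ip vpn-instance zone-vpn
  route-distinguisher 65000:1
  vpn-target 65000:1 both
  quit
 interface GigabitEthernet 2/0/1
  ip binding vpn-instance zone-vpn
  ip address 10.1.1.2 255.255.255.252
  quit
 # Step 4: MP-IBGP to Router2, sourced from the 32-bit loopback address
 bgp 65000
  peer 10.0.0.3 as-number 65000
  peer 10.0.0.3 connect-interface loopback 0
  ipv4-family vpnv4
   peer 10.0.0.3 enable
   quit
  quit

# ---- Router2 (egress PE, NE80E) ----
system-view
 interface loopback 0
  ip address 10.0.0.3 255.255.255.255
  quit
 ospf 1
  area 0.0.0.0
   network 10.0.0.3 0.0.0.0
   network 10.2.1.0 0.0.0.3
   quit
  quit
 mpls lsr-id 10.0.0.3
 mpls
  quit
 mpls ldp
  quit
 interface GigabitEthernet 1/0/1
  ip address 10.2.1.2 255.255.255.252
  mpls
  mpls ldp
  quit
 ip vpn-instance zone-vpn
  route-distinguisher 65000:1
  vpn-target 65000:1 both
  quit
 # interface towards the Zone; the address is set again after binding
 interface GigabitEthernet 1/0/2
  ip binding vpn-instance zone-vpn
  ip address 10.2.2.1 255.255.255.252
  quit
 bgp 65000
  peer 10.0.0.1 as-number 65000
  peer 10.0.0.1 connect-interface loopback 0
  ipv4-family vpnv4
   peer 10.0.0.1 enable
   quit
  # Step 5 (assumed static PE-CE route): the Zone prefix sits in the VPN instance and is
  # imported into BGP so that the cleaning device learns it over MP-IBGP
  ipv4-family vpn-instance zone-vpn
   import-route static
   quit
  quit
 ip route-static vpn-instance zone-vpn 192.0.2.0 24 10.2.2.2
```

Router1 (the P device) needs only Step 1 and Step 2, that is, the same mpls lsr-id, mpls and mpls ldp lines applied to GE1/0/2 and GE1/0/3. For 6.3.6, omit the VPN instance and BGP and instead run lsp-trigger all in the mpls view on the cleaning device and Router2.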

6.4 Configuring the Loop Check Function

After the policies for traffic diversion and injection are configured and before traffic is
diverted, enable the loop check function on the cleaning device to check the routes for traffic
diversion and injection.

Context
This function is configured on the AntiDDoS.
Configuring traffic diversion and injection modifies the original routes on the network. In a
complex network environment, an incorrectly configured route causes a loop, which adversely
affects normal services. To identify such a route fault in a timely manner, you are advised to
run the following command to enable the loop check function.
After the function is enabled, the system automatically checks whether received packets are
repeated. If they are, a loop exists. After the loop count reaches the configured value, the
system automatically withdraws the traffic-diversion route to the destination IP address.
By default, the function is disabled.

Procedure
Step 1 Run the system-view command in the user view to access the system view.
Step 2 Run the anti-ddos loop-check [ match-time match-times ] command to configure the loop
check function.
The match-time parameter specifies the number of times loop packets are matched. When the
number of matches exceeds the match-time value, the system withdraws the traffic-diversion
route. The default value is 4, that is, the system withdraws the traffic-diversion route when
loop packets are matched for the fifth time.
After the check is complete, run the undo anti-ddos loop-check command to disable the loop
check function.
----End

6.5 Configuring Blackhole Traffic Diversion

This section describes how to configure blackhole traffic diversion to defend against flood
attacks.

Context
You can configure blackhole traffic diversion so that the blackhole router diverts flood traffic
destined for specific IP addresses to a blackhole IP address. In this way, the flood traffic does
not occupy the inbound bandwidth of the cleaning device, and the services of other customers
are protected. After you enable blackhole traffic diversion, the blackhole router discards all
traffic destined for the specified IP address. Exercise caution when you use this function.
Blackhole traffic diversion can work in either of the following modes:

Static blackhole traffic diversion
When the volume of traffic to a specific IP address is excessive, you can enable static
blackhole traffic diversion to discard the traffic destined for this IP address.

Dynamic blackhole traffic diversion
After you enable dynamic blackhole traffic diversion, the ATIC management center
automatically delivers a blackhole traffic diversion policy when the traffic destined for a
specific IP address exceeds the specified threshold.

Procedure

Configure static blackhole traffic diversion.
a. Choose Defense > Policy Settings > Black Hole Traffic Diversion.
b. On the Black Hole Traffic Diversion page, click
c. Select a cleaning device and enter an IP address.
All traffic destined for the specified IP address is discarded.
Blackhole traffic diversion applies to a single IPv4 or IPv6 address, not to a network
segment.
d. Optional: Select Automatically enable.
e. Click OK.

Configure dynamic blackhole traffic diversion.
a. Choose Defense > Policy Settings > Black Hole Traffic Diversion.
b. On the Black Hole Traffic Diversion page, click
c. Select Enable Dynamic Blackhole Divert and enter a threshold and a timeout time.
Threshold: When the traffic destined for the specified IP address reaches the threshold,
the device enables dynamic blackhole traffic diversion.
Timeout: When dynamic blackhole traffic diversion has run for the specified period of
time, the device automatically disables it.
d. Click OK.
----End

7 Attack Response and Source Tracing

About This Chapter

7.1 Viewing the Status of a Zone and Anti-DDoS Alarms
After services are configured, you can view the status of a Zone and anti-DDoS alarms to
monitor anti-DDoS services.
7.2 Handling Abnormal Events
If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part
Defended, you need to enable defense manually.
7.3 Packet Capture
Packet Capture

7.1 Viewing the Status of a Zone and Anti-DDoS Alarms

After services are configured, you can view the status of a Zone and anti-DDoS alarms to
monitor anti-DDoS services.

Procedure

Check the status of a Zone.
a. Choose Defense > Policy Settings > Zone.
b. Check the status of the Zone and perform the corresponding operations.
For details on the status of the Zone, see 6.2.6 Configuring the Zone-based Defense
Policy.

View anti-DDoS alarms.
a. Choose Alarms > Alarm Management > Current Alarms.
b. View the anti-DDoS alarms and repair the anti-DDoS services according to the repair
suggestions.
----End


7.2 Handling Abnormal Events

If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part
Defended, you need to enable defense manually.

Context
The system automatically enables the defense mechanism against certain attacks, such as
those handled by DNS rate limiting by source IP address or domain name, even if Defense
Mode of the Zone is set to Manual.

Procedure
Step 1 Choose Defense > Policy Settings > Zone.
Step 2 Check the values in the State and Defense State columns.
If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part
Defended, perform the following operations to handle the abnormal events. Otherwise, no
operation is required.
Step 3 Click the value in the State column.
Step 4 On the Abnormal Events tab page, search for abnormal events on the detecting device and
the cleaning device of the Zone.
Step 5 Select the event (of the cleaning device) whose Defense Status is Undefended and click
to enable the defense mechanism of the cleaning device against the abnormal event.
Only the cleaning device can handle abnormal events.
----End

7.3 Packet Capture

Packet Capture

7.3.1 Packet Capture, Analysis and Report

The ATIC management center provides packet capture, analysis, and report functions for
subsequent maintenance. Packet capture is used to capture network traffic and locate network
faults; analysis is used to analyze network traffic and attack logs; a report is used to
periodically summarize Zone traffic and attack logs if required.

Packet Capture
In packet capture, the AntiDDoS captures packets according to the packet capture task
delivered by the management center. The device then encapsulates the captured packets in a
fixed format and sends them to the anti-DDoS collector for parsing.
In actual applications, packet capture is mainly used to analyze and locate network problems.
Different packet capture types apply to different scenarios:

ACL-based packet capture
When the AntiDDoS does not detect attacks, but packet loss occurs on the protected
network or access fails, you can use ACL-based packet capture to identify packet types
and thereby analyze the defense failure.

Global packet capture
A global packet capture task captures discarded packets, including those discarded due to
non-anti-DDoS policies such as malformed packet check and packet filtering. In this way,
the causes of service interruption can be identified.

Zone attack matched packet capture
The AntiDDoS captures the packets discarded because of attacks on the Zone. This assists in
analyzing attack events.

Zone anomaly matched packet capture
The AntiDDoS captures abnormal packets of different types. This assists in analyzing
abnormal events.

After the packet-capture task is complete, the captured packets are saved in the packet-capture
file. With the packet-capture file, you can view attack events, trace attack sources, parse
attack packets, and extract fingerprints, so as to locate attacks, obtain the features and details
of attackers, and configure proper defense policies. The packet-capture file can also be
downloaded to the local computer for other operations.

Viewing attack events
By viewing the abnormal or attack events associated with the packet-capture file, you can
analyze their details.

Attack source tracing
You can obtain information about attack sources by using attack source tracing.
Additionally, the system adds suspicious source IP addresses to the static blacklist to
effectively defend against attacks.

Packet parsing
You can obtain details of each packet by using packet parsing.

Fingerprint extracting
With fingerprint extracting, the system extracts the features of abnormal or attack
packets. Additionally, the system adds the extracted fingerprints to the Zone fingerprint list
as a reference for traffic cleaning.

Packet-capture file download
The packet-capture file can be downloaded to the local computer for future operations.

Analysis
The ATIC management center provides several types of analysis: traffic analysis,
anomaly/attack analysis, DNS analysis, HTTP analysis, SIP analysis, and Botnets/Trojan
horses/Worms analysis. With these, the administrator can comprehensively learn about network
data in a timely manner and export the analysis results.
Figure 7-1 shows the analysis diagram.

Figure 7-1 Analysis diagram

Report
The ATIC management center comes with both the system report and the Zone report, and
supports diversified reports. The system provides scheduled report generation and
download functions for comprehensive reports. This minimizes labor investment and
facilitates periodic network status monitoring and later queries.
Figure 7-2 shows the comprehensive report.

Figure 7-2 Diagram of a report

7.3.2 Configuring Packet Capture Length


The packet capture length is the length of each packet captured by the AntiDDoS. Each
AntiDDoS is configured with only one packet capture length, which applies to all capture
tasks on the AntiDDoS.

Prerequisites
You have configured the Encryption Key of Packet Capture:
1. Choose Defense > Network Settings > Collectors.
2. Create the Collector, and configure Encryption Key.

Before configuring a packet capture task, configure a key for encrypting packet capture logs.
The AntiDDoS uses this key to encrypt packet capture logs and then sends the logs to the
ATIC management center. The ATIC management center uses this key to decrypt the logs and
process them. If the key is deleted, no packet is captured even though a packet capture task
has been configured.

Procedure
Step 1 Choose Defense > Policy Settings > Global Policy.
Step 2 Click the icon in the Operation column.

Step 3 Choose one method from Configure Packet Capture Length.


Step 4 Click Deploy to deliver the configuration to the device.
Step 5 The Deploy dialog box displays the deployment progress. After the deployment is complete,
the dialog box closes automatically.

If the deployment succeeds, Deployment of the Zone is displayed as Deploy Succeed.

If the deployment fails, Deployment of the device is displayed as Deploy Failed.

----End

Follow-up Procedure
Choose Defense > Policy Settings > Global Policy, select the check box of the device and
click the icon to save the configuration to the configuration file of the device to avoid data
loss.

7.3.3 Managing Packet Capture Task


The ATIC Management center provides the packet capture function by delivering packet
capture tasks (ACL-based, global, attack event-based, and anomaly-based packet capture
tasks) to the AntiDDoS. According to the packet capture tasks, anti-DDoS devices capture
packets, generate packet capture files, and save the files to the anti-DDoS collector for later
analysis.
Choose Defense > Policy Settings > Packet Capture, and manage packet capture tasks:

Create
Click the corresponding icon to create a packet capture task in the ATIC Management
center. For details, see 7.3.3.1 Creating an ACL Matched Packet Capture Task, 7.3.3.2
Creating a Global Defense Packet Capture Task, 7.3.3.3 Creating a Zone Attacked Packet
Capture Task, and 7.3.3.4 Creating an Anomaly-based Packet Capture Task.
Enable
Select the check box of the packet capture task to be enabled and click the corresponding
icon. The system delivers commands to the AntiDDoS to implement the packet capture task.
NOTE
If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the
packet capture task can be enabled only after policies are successfully deployed on the
Zone of the task.

Disable
Select the check box of the packet capture task to be disabled and click the corresponding
icon. The ATIC Management center delivers commands to the AntiDDoS to cancel the
packet capture task.

Delete
Delete one packet capture task: Click the icon in the Operation column to delete the
corresponding packet capture task.
Delete tasks in batches: Select the check boxes of multiple packet capture tasks and
click the icon above the list to delete the selected tasks. Select the check box on the
title bar and click the icon above the list to delete all the displayed packet capture
tasks.

View
1. Click the name of the packet capture task to be viewed for details on the task.
2. Click Close to close the dialog box.

Search
Basic search: In the basic search area, select Device and State as search conditions,
and then click the search icon.
Advanced search:
1. Click Advanced Search.
2. In the advanced search area that is displayed, set search conditions such as Device,
State, Zone, Type or Task Name, and then click Search.

7.3.3.1 Creating an ACL Matched Packet Capture Task


An ACL-based packet capture task captures packets that pass through the AntiDDoS and
match an ACL. Generally, ACL-based packet capture is used to capture traffic when no attack
is in progress; the features of normal traffic are extracted from it and serve as a baseline for
comparison. Alternatively, when packet loss or access failure occurs because defense fails
(for example, no attack is detected), you are advised to use ACL-based packet capture to
determine the type of attack packets and analyze the defense failure. After a packet capture
operation is complete, the ACL packet capture task changes to the Disable state. Enable the
task again before the next packet capture operation.

Prerequisites

Service configurations are complete.

The packet capture length has been configured. For details, see 7.3.2 Configuring Packet
Capture Length.

Ensure that ACL 3999 on the AntiDDoS is not used.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 On the Packet Capture Task page, click the create icon.
Step 3 On the Create Packet Capture Task page, select ACL Matched from the Type drop-down
list.

Step 4 Set other basic parameters. For details, see Table 7-1.
Table 7-1 Creating a packet capture task

Task Name
  Description: Indicates the packet capture task name.
  Reference Value: The name cannot be empty or null. Characters such as apostrophes ('),
  vertical bars (|), backslashes (\), commas (,), less than (<), greater than (>),
  ampersands (&), semicolons (;), inch marks ("), and percents (%) cannot be included.

Sampling Ratio
  Description: Indicates the ratio of the number of packets that match the packet capture
  conditions to the number of captured packets.
  Reference Value: The default value is 1024:1, which means that the device captures one
  packet out of every 1024 packets that match the packet capture conditions.

Captured Packet
  Description:
  - If the packet capture type is Global Defense Matched or ACL Matched, the value is the
    total number of packets captured by the device. When the number of captured packets
    reaches Captured Packet and the packet capture operation is complete, the packet
    capture task changes to the Disable state.
  - If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the value
    is the number of packets (of the same attack or anomaly) captured by each CPU. For
    example, a device has four CPUs and Captured Packet is set to 1000. If an attack with
    both ACK flood and UDP flood packets is launched, the packet capture result is as
    follows:
    - 4 x 1000 ACK flood attack packets are captured and four packet capture files are
      generated.
    - 4 x 1000 UDP flood attack packets are captured and four packet capture files are
      generated.
    After the packet capture operation is complete, the packet capture task stays in the
    Enable state and captures packets upon the next attack.
  Reference Value: The default value is 1000.

Automatically extract fingerprint
  Description: Disable or Enable.
  Reference Value: This parameter is available only when Type is set to Zone Anomaly
  Matched.

Step 5 Add an ACL rule.
1. In the ACL Rule group box, click the add icon.
2. Set parameters. For details, see Table 7-2.

Table 7-2 Adding an ACL rule

Protocol
  Indicates the protocol type of packets.

Source IP
  Indicates the source IP address of packets.

Source IP address mask
  Indicates the source IP address mask. The mask is written in dotted decimal notation, and
  in practice the masks are compared in binary mode: a 1 bit in the mask marks a bit of the
  IP address that is kept and compared, and a 0 bit marks a bit that is ignored. For example,
  if the source IP address needs to be matched, the matching value is 192.168.1.100, and the
  mask is 255.255.255.0, packets whose source IP addresses start with 192.168.1 match the
  rule.

Source Port
  This item is required when TCP or UDP is selected for Protocol.

Destination IP
  Indicates the destination IP address of packets.

Destination IP address mask
  Indicates the destination IP address mask.

Destination Port
  This item is required when TCP or UDP is selected for Protocol.

3. Click OK.
The Create Packet Capture Task page is displayed.

Step 6 Click Next.
Step 7 Click the add icon, click Detection/Cleaning Device to add network elements, and click OK.
Step 8 On the Create Packet Capture Task page, click Finish.
The Packet Capture page is displayed, with the packet capture task in the list.
Step 9 Select the check box of the packet capture task and click the enable icon to enable the task.
NOTE
Only one ACL-based packet capture task can be enabled on an AntiDDoS at a time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 7.3.3 Managing Packet
Capture Task.
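The mask comparison described in Table 7-2 and the Sampling Ratio and Captured Packet behaviour described in Table 7-1 for an ACL Matched task, as an added Python example; it is not code from the ATIC management center or the AntiDDoS and only models the behaviour the tables describe. The rule, the 192.168.1.0/24 and 10.0.0.5 addresses and the packets are constructed, and the names Packet, AclRule, AclCaptureTask and run_demo are ours.

```python
# Added example: models the ACL matching of Table 7-2 and the Sampling Ratio /
# Captured Packet counters of Table 7-1. Not ATIC or AntiDDoS code; all names,
# addresses and packets below are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # ports exist only for TCP/UDP
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclRule:
    """One ACL rule with the fields of Table 7-2; port fields apply to TCP/UDP only."""
    protocol: str
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def ip_matches(addr: str, rule_ip: str, mask: str) -> bool:
    """Address bits under mask-1 bits are compared, bits under mask-0 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_ip))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if rule.protocol != pkt.protocol:
        return False
    if not ip_matches(pkt.src, rule.src_ip, rule.src_mask):
        return False
    if not ip_matches(pkt.dst, rule.dst_ip, rule.dst_mask):
        return False
    if rule.protocol in ("tcp", "udp"):     # Source/Destination Port are checked only here
        if rule.sport is not None and pkt.sport != rule.sport:
            return False
        if rule.dport is not None and pkt.dport != rule.dport:
            return False
    return True


@dataclass
class AclCaptureTask:
    """Counters of an ACL Matched task: 1-in-N sampling, a Captured Packet limit,
    and the change to the Disable state once the limit is reached."""
    rule: AclRule
    sampling_ratio: int = 1024        # 1024:1 default from Table 7-1
    captured_packet: int = 1000       # default from Table 7-1
    state: str = "Enable"
    matched: int = 0
    captured: List[Packet] = field(default_factory=list)

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet; True when it is written to the capture file."""
        if self.state != "Enable" or not rule_matches(self.rule, pkt):
            return False
        self.matched += 1
        if self.matched % self.sampling_ratio != 0:
            return False                  # not the sampled packet of this group of N
        self.captured.append(pkt)
        if len(self.captured) >= self.captured_packet:
            self.state = "Disable"        # the task must be enabled again for the next capture
        return True


# Constructed rule: TCP from 192.168.1.0/24 (mask 255.255.255.0) to host 10.0.0.5, port 80.
RULE = AclRule("tcp", "192.168.1.100", "255.255.255.0",
               "10.0.0.5", "255.255.255.255", dport=80)


def run_demo(sampling_ratio: int = 4, captured_packet: int = 2) -> AclCaptureTask:
    """Small ratio and limit so the state change shows after a dozen packets."""
    task = AclCaptureTask(RULE, sampling_ratio, captured_packet)
    for i in range(12):                   # hosts 192.168.1.1 .. 192.168.1.12, all matching
        task.observe(Packet("tcp", f"192.168.1.{i + 1}", "10.0.0.5", 40000 + i, 80))
    return task
```

run_demo() feeds twelve matching packets through a task with a 4:1 sampling ratio and a Captured Packet limit of 2, so the two captured packets (the 4th and 8th matches) and the change to the Disable state are visible; the production default of 1024:1 and 1000 behaves the same way at scale, and packets arriving after the task is disabled are no longer counted.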

7.3.3.2 Creating a Global Defense Packet Capture Task


A global defense packet capture task captures discarded packets, including those discarded by
non-anti-DDoS policies such as malformed packet check and packet filtering. In this way, the
causes of service interruption can be located. After a packet capture operation is complete, the
global discarding packet capture task changes to the Disable state. Enable the task again
before the next packet capture operation.

Prerequisites

Service configurations are complete.

The packet capture length has been configured. For details, see 7.3.2 Configuring Packet
Capture Length.

Context
The detecting device detects traffic, but does not process the traffic. Only the cleaning device
can discard packets. Therefore, when you create a global discarding packet capture task,
Device can be only the cleaning device.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 On the Packet Capture Task page, click the create icon.
Step 3 On the Create Packet Capture Task page, select Global Defense Matched from the Type
drop-down list.

Step 4 Set other basic parameters. For details, see Table 7-3.
Table 7-3 Creating a packet capture task

Task Name
  Description: Indicates the packet capture task name.
  Reference Value: The name cannot be empty or null. Characters such as apostrophes ('),
  vertical bars (|), backslashes (\), commas (,), less than (<), greater than (>),
  ampersands (&), semicolons (;), inch marks ("), and percents (%) cannot be included.

Sampling Ratio
  Description: Indicates the ratio of the number of packets that match the packet capture
  conditions to the number of captured packets.
  Reference Value: The default value is 1024:1, which means that the device captures one
  packet out of every 1024 packets that match the packet capture conditions.

Captured Packet
  Description:
  - If the packet capture type is Global Defense Matched or ACL Matched, the value is the
    total number of packets captured by the device. When the number of captured packets
    reaches Captured Packet and the packet capture operation is complete, the packet
    capture task changes to the Disable state.
  - If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the value
    is the number of packets (of the same attack or anomaly) captured by each CPU. For
    example, a device has four CPUs and Captured Packet is set to 1000. If an attack with
    both ACK flood and UDP flood packets is launched, the packet capture result is as
    follows:
    - 4 x 1000 ACK flood attack packets are captured and four packet capture files are
      generated.
    - 4 x 1000 UDP flood attack packets are captured and four packet capture files are
      generated.
    After the packet capture operation is complete, the packet capture task stays in the
    Enable state and captures packets upon the next attack.
  Reference Value: The default value is 1000.

Automatically extract fingerprint
  Description: Disable or Enable.
  Reference Value: This parameter is available only when Type is set to Zone Anomaly
  Matched.

Step 5 Click Next.
Step 6 Click the add icon, click Detection/Cleaning Device to add network elements, and click OK.
Step 7 On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.
Step 8 Select the check box of the packet capture task and click the enable icon to enable the task.
NOTE
Only one global packet capture task can be enabled on an AntiDDoS at a time.

----End


Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 7.3.3 Managing Packet
Capture Task.

7.3.3.3 Creating a Zone Attacked Packet Capture Task


A Zone attack packet capture task captures the packets discarded while the Zone is under
attack, for analyzing attack events. The task counts captured packets per attack type. After a
packet capture operation is complete, the packet capture task stays in the Enable state and
captures packets upon the next attack.

Prerequisites

Service configurations are complete.

The packet capture length has been configured. For details, see 7.3.2 Configuring Packet
Capture Length.

Policies are successfully deployed on the Zone.

Context
Only the cleaning device discards packets when a Zone is under attack. Therefore, when you
create a Zone attacked packet capture task, Device can be only the cleaning device.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 On the Packet Capture Task page, click the create icon.
Step 3 On the Create Packet Capture Task page, select Zone Attack Matched from the Type
drop-down list.

Step 4 Set other basic parameters. For details, see Table 7-4.
Table 7-4 Creating a packet capture task

Task Name
  Description: Indicates the packet capture task name.
  Reference Value: The name cannot be empty or null. Characters such as apostrophes ('),
  vertical bars (|), backslashes (\), commas (,), less than (<), greater than (>),
  ampersands (&), semicolons (;), inch marks ("), and percents (%) cannot be included.

Sampling Ratio
  Description: Indicates the ratio of the number of packets that match the packet capture
  conditions to the number of captured packets.
  Reference Value: The default value is 1024:1, which means that the device captures one
  packet out of every 1024 packets that match the packet capture conditions.

Captured Packet
  Description:
  - If the packet capture type is Global Defense Matched or ACL Matched, the value is the
    total number of packets captured by the device. When the number of captured packets
    reaches Captured Packet and the packet capture operation is complete, the packet
    capture task changes to the Disable state.
  - If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the value
    is the number of packets (of the same attack or anomaly) captured by each CPU. For
    example, a device has four CPUs and Captured Packet is set to 1000. If an attack with
    both ACK flood and UDP flood packets is launched, the packet capture result is as
    follows:
    - 4 x 1000 ACK flood attack packets are captured and four packet capture files are
      generated.
    - 4 x 1000 UDP flood attack packets are captured and four packet capture files are
      generated.
    After the packet capture operation is complete, the packet capture task stays in the
    Enable state and captures packets upon the next attack.
  Reference Value: The default value is 1000.

Automatically extract fingerprint
  Description: Disable or Enable.
  Reference Value: This parameter is available only when Type is set to Zone Anomaly
  Matched.

Step 5 Click Next.
Step 6 Click the add icon. Select a Zone from the Zone list and click OK to add the Zone.
Step 7 Click Next.
Step 8 Click the add icon, click Detection/Cleaning Device to add network elements, and click OK.
Step 9 On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.
Step 10 Select the check box of the packet capture task and click the enable icon to enable the task.
NOTE
Only one attack event-based packet capture task can be enabled for each Zone at a time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 7.3.3 Managing Packet
Capture Task.

7.3.3.4 Creating an Anomaly-based Packet Capture Task


An anomaly-based packet capture task captures abnormal packets of various types for
analyzing anomalies. The task counts captured packets per anomaly type. After a packet
capture operation is complete, the packet capture task stays in the Enable state and captures
packets upon the next anomaly.

Prerequisites

Service configurations are complete.

The packet capture length has been configured. For details, see 7.3.2 Configuring Packet
Capture Length.

Policies are successfully deployed on the Zone.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 On the Packet Capture Task page, click the create icon.
Step 3 On the Create Packet Capture Task page, select Zone Anomaly Matched from the Type
drop-down list.


Step 4 Set other basic parameters. For details, see Table 7-5.
Table 7-5 Creating a packet capture task

Task Name
  Description: Indicates the packet capture task name.
  Reference Value: The name cannot be empty or null. Characters such as apostrophes ('),
  vertical bars (|), backslashes (\), commas (,), less than (<), greater than (>),
  ampersands (&), semicolons (;), inch marks ("), and percents (%) cannot be included.

Sampling Ratio
  Description: Indicates the ratio of the number of packets that match the packet capture
  conditions to the number of captured packets.
  Reference Value: The default value is 1024:1, which means that the device captures one
  packet out of every 1024 packets that match the packet capture conditions.

Captured Packet
  Description:
  - If the packet capture type is Global Defense Matched or ACL Matched, the value is the
    total number of packets captured by the device. When the number of captured packets
    reaches Captured Packet and the packet capture operation is complete, the packet
    capture task changes to the Disable state.
  - If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the value
    is the number of packets (of the same attack or anomaly) captured by each CPU. For
    example, a device has four CPUs and Captured Packet is set to 1000. If an attack with
    both ACK flood and UDP flood packets is launched, the packet capture result is as
    follows:
    - 4 x 1000 ACK flood attack packets are captured and four packet capture files are
      generated.
    - 4 x 1000 UDP flood attack packets are captured and four packet capture files are
      generated.
    After the packet capture operation is complete, the packet capture task stays in the
    Enable state and captures packets upon the next attack.
  Reference Value: The default value is 1000.

Automatically extract fingerprint
  Description: Disable or Enable.
  Reference Value: This parameter is available only when Type is set to Zone Anomaly
  Matched.

After automatic fingerprint extraction is enabled and packets are captured, the ATIC
management center automatically extracts fingerprints, creates a fingerprint filter, and delivers
the fingerprints to all cleaning devices bound to the Zone. The conditions for extracting
fingerprints are as follows:

Fingerprint Fit Rate
  Description: Indicates the matching ratio that must be reached before a fingerprint is
  extracted.
  Reference Value: The value is an integer ranging from 1 to 100, in percent.

Minimum Length Of Fingerprint
  Description: Indicates the minimum fingerprint length.
  Reference Value: The value is an integer ranging from 8 to 32.

Excluded Keyword
  Description: Indicates the keywords of legitimate services to be excluded from fingerprint
  learning.

When the number of packets in the pcap file reaches the specified number, a fingerprint is
extracted. Only one fingerprint, the one with the highest hit rate, is extracted each time. The
fingerprint is deployed as a fingerprint filter to the associated devices. A fingerprint filter can
be deleted manually.
If the number of filters has reached the upper limit, no more fingerprint filters are created.
Step 5 Click Next.
Step 6 Click the add icon. Select a Zone from the Zone list and click OK to add the Zone.
Step 7 Click Next.
Step 8 Click the add icon, click Detection/Cleaning Device to add network elements, and click OK.
Step 9 On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.
Step 10 Select the check box of the packet capture task and click the enable icon to enable the task.
NOTE
Only one anomaly-based packet capture task can be enabled for each Zone at a time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 7.3.3 Managing Packet
Capture Task.

7.3.4 Managing Packet Capture File


The ATIC Management center captures the packets that meet the conditions of the packet
capture task and saves them into a packet capture file. The administrator can use the packet
capture file to view attack events, trace attack sources, parse attack packets, and extract
fingerprints in order to obtain the features and details of attackers, so that suitable defense
policies can be configured. The packet capture file can also be downloaded to the local PC for
other operations.
Choose Defense > Policy Settings > Packet Capture, click the Packet Capture File tab, and
manage packet capture files:
View Event
Click the icon of a packet capture file in the Operation column to view attack or
anomaly events. For details, see 7.3.4.1 Viewing Anomaly or Attack Events.

Trace Source
Click the icon of a packet capture file in the Operation column to trace attack
sources. For details, see 7.3.4.2 Tracing Attack Sources Through a Packet Capture
File.

Parse Packet
Click the icon of a packet capture file in the Operation column to parse captured
packets. For details, see 7.3.4.3 Parsing Packets in a Packet Capture File.

Extract Fingerprint
Click the icon of a packet capture file in the Operation column to extract
fingerprints. For details, see 7.3.4.4 Extracting Fingerprints from a Packet Capture
File.

Download
Click the icon of a packet capture file in the Operation column to download the
file. For details, see 7.3.4.5 Downloading a Packet Capture File.

View Packet Capture Task
Click Task Name of a packet capture file to view information about the packet capture
task that generated the file.

Delete
Delete one packet capture file: Click the icon in the Operation column to delete the
corresponding packet capture file.
Delete files in batches: Select the check boxes of multiple packet capture files and
click the icon above the list to delete the selected files. Select the check box on the
title bar and click the icon above the list to delete all the displayed packet capture
files.

Search
Basic search: In the basic search area, select Task Name and File Name as search
conditions, and then click the search icon.
Advanced search:
1. Click Advanced Search.
2. In the advanced search area that is displayed, set search conditions such as Start
Time, End Time, Packet Capture Type, File State, Task Name, and File Name, and then
click Search.

7.3.4.1 Viewing Anomaly or Attack Events


For a packet capture file of Zone Attack Matched or Zone Anomaly Matched, you can view
related anomaly or attack events for further analysis.

Prerequisites
The packet capture task of Zone Attack Matched or Zone Anomaly Matched has been
created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the icon of a packet capture file in the Operation column.
Step 4 On the View Correlated Events page, view related anomaly or attack events. For parameter
settings, see Table 7-6.
Table 7-6 Viewing attack events

IP Address
  Indicates the destination IP address under attack.

Zone Name
  Indicates the name of the Zone to which the destination IP address under attack belongs.

Start Time of an Anomaly
  Indicates the start time of an anomaly.

Attack Start Time
  Indicates the start time of an attack.

End Time
  Indicates the end time of an anomaly if the associated event is an anomaly event.
  Otherwise, this field indicates the end time of an attack.

State
  Indicates the current state of an attack.

Type
  Indicates the attack type.

Number of Attack Packets
  Indicates the number of packets sent during the attack.

Step 5 Click Close. Return to the Packet Capture File page.


----End

7.3.4.2 Tracing Attack Sources Through a Packet Capture File


For the packet capture files of Global Defense Matched, Zone Attack Matched or Zone
Anomaly Matched, you can obtain attack sources by tracing a packet capture file. Suspicious
IP addresses can also be blacklisted for effective attack defense.

Prerequisites
The packet capture task of Global Defense Matched, Zone Attack Matched or Zone
Anomaly Matched has been created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the icon of a packet capture file in the Operation column to trace attack sources.


Step 4 On the Trace Source page, view the result of attack source tracing. For parameter settings,
see Table 7-7.
Table 7-7 Attack source tracing parameters

Number of Packets
  Indicates the number of packets sent during attacks.

Number of Source IP Addresses
  Indicates the number of source IP addresses of attackers.

Source IP Address
  Indicates the source IP address of the attacker.

Protocol Type
  Indicates the protocol type of attack packets.

Destination Port
  Indicates the destination port of attack packets.

Attack Times
  Indicates the number of attacks launched by the attacker.

Step 5 Optional: Select one or more check boxes of attack records and click Add Items to Blacklist.
Suspicious IP addresses are displayed in the blacklist of this Zone. The blacklist entries take
effect after deployment on NEs. For details on the deployment process, see 6.2.12 Deploying
the Defense Policy.
NOTE
The blacklist is enabled for Zones. Attack sources are traced for packets captured after Zone Attack
Matched and Zone Anomaly Matched tasks are enabled, and those attack sources can then be
blacklisted.

Step 6 Click Close. Return to the Packet Capture File page.


----End


7.3.4.3 Parsing Packets in a Packet Capture File


Packet parsing can be performed on all packet capture files to obtain details on the packets.

Prerequisites
A packet capture task has been created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the icon of a packet capture file in the Operation column to parse captured packets.
Step 4 On the Packet Parsing page, view details on each packet, including the sending time,
source IP address, destination IP address, and protocol type of the packet.
Step 5 Click a packet parsing record to display its details in the group boxes in the middle and
lower parts of the page.
Step 6 Click Close. Return to the Packet Capture File page.


----End
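How the per-packet fields listed in Step 4 of 7.3.4.3 (time, source IP address, destination IP address, protocol type) can be read from a capture file, and how they roll up into the Table 7-7 view of 7.3.4.2, as an added Python example; it is not the ATIC management center's parser or its source tracing code, which the guide does not describe. It assumes the classic pcap format with Ethernet II and IPv4 framing, builds its own constructed capture file from documentation addresses (203.0.113.x, 198.51.100.20), and takes Attack Times to be the packet count per source IP address, protocol and destination port, which is our assumption; the threshold in blacklist_candidates and all function names are ours as well.

```python
# Added example: pcap parsing (7.3.4.3) and source tracing aggregation (7.3.4.2).
# Not ATIC code; the capture file below is constructed from documentation addresses.
import ipaddress
import struct
from collections import Counter
from typing import Dict, List, Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Ethernet II + IPv4 header fields; None for non-IPv4 or truncated frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    if vihl >> 4 != 4:
        return None
    l4 = 14 + (vihl & 0x0F) * 4                 # IHL is counted in 32-bit words
    rec = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
           "protocol": PROTO_NAMES.get(proto, str(proto)),
           "sport": None, "dport": None, "tcp_flags": None}
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP and UDP both begin with the two ports
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l4)
    if proto == 6 and len(frame) >= l4 + 14:
        rec["tcp_flags"] = frame[l4 + 13]       # e.g. 0x02 SYN, 0x10 ACK
    return rec


def parse_pcap(data: bytes) -> List[Dict]:
    """Walk the classic pcap layout: 24-byte global header, then 16-byte record headers."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack_from(end + "IHHiIII", data, 0)[6] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        rec = parse_frame(data[off:off + incl_len])
        off += incl_len
        if rec is not None:
            rec["time"] = ts_sec + ts_usec / 1_000_000
            records.append(rec)
    return records


def trace_sources(records: List[Dict]) -> Dict:
    """Table 7-7 view: totals plus one row per (source IP, protocol, destination port).
    Attack Times is taken as the packet count of that row (our assumption)."""
    rows = Counter((r["src"], r["protocol"], r["dport"]) for r in records)
    table = [{"source_ip": s, "protocol_type": p, "destination_port": d, "attack_times": n}
             for (s, p, d), n in rows.items()]
    table.sort(key=lambda row: (-row["attack_times"], row["source_ip"]))
    return {"number_of_packets": len(records),
            "number_of_source_ips": len({r["src"] for r in records}), "rows": table}


def blacklist_candidates(rows: List[Dict], min_attack_times: int) -> List[str]:
    """Sources an operator might select for Add Items to Blacklist (threshold is ours)."""
    return sorted({r["source_ip"] for r in rows if r["attack_times"] >= min_attack_times})


# ---- constructed capture file; checksums are left at zero, the parser does not verify them ----
def _frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800) + ip + l4


def _tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_sample_pcap() -> bytes:
    frames = [_frame("203.0.113.10", "198.51.100.20", 6, _tcp(40000 + i, 80, 0x10))
              for i in range(3)]                                          # three ACKs
    frames += [_frame("203.0.113.11", "198.51.100.20", 17, _udp(5353, 53, b"\x00" * 12))
               for _ in range(2)]                                         # two UDP to port 53
    frames.append(_frame("203.0.113.12", "198.51.100.20", 6, _tcp(1025, 443, 0x02)))  # one SYN
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1437350400 + i, 0, len(f), len(f)) + f
    return out
```

parse_pcap(build_sample_pcap()) yields six records; trace_sources() then reports 6 packets from 3 source IP addresses, with the host sending three ACKs to port 80 at the top of the table. Frames that are not IPv4 are skipped rather than failing the whole file, so a capture that mixes in ARP or IPv6 still parses.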

7.3.4.4 Extracting Fingerprints from a Packet Capture File


For the packet capture files of Zone Attack Matched or Zone Anomaly Matched, you can
obtain the features of anomalies or attacks by extracting fingerprints. The fingerprints can be
added to the Zone fingerprint list as the reference of traffic cleaning.


Prerequisites
The packet capture task of Zone Attack Matched or Zone Anomaly Matched has been
created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the icon of a packet capture file in the Operation column to extract fingerprints.
The fingerprint of the packet capture file is extracted and displayed in Fingerprint List in the
left area.
Step 4 Optional: Extract reference fingerprints.
Reference fingerprints are extracted from normal packets captured when no anomaly or attack
occurs.
1. Click Select File in the right area of the page.
2. On the Packet Capture File page that is displayed, select a packet capture file of the
same device as the reference file and click OK.
The fingerprint of the reference file is extracted and displayed in Fingerprint List in the
right area.

Step 5 Optional: In the fingerprint list on the left, select the fingerprint to be added, and then click
Add the Fingerprint on the lower part of the page. The fingerprint is displayed in the
protocol fingerprint list of a Zone. For details on the protocol types of fingerprints, see 6.2.6
Configuring the Zone-based Defense Policy. Fingerprints take effect only after deployed on
the device. For details on the deployment process, see 6.2.12 Deploying the Defense Policy.
Step 6 Click Close. Return to the Packet Capture File page.
----End

7.3.4.5 Downloading a Packet Capture File

A packet capture file can be downloaded to the local computer for further analysis.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture Task tab.
Step 3 Click the download icon of a packet capture file in the Operation column.
Step 4 On the download page that is displayed, open or save the file.
----End

8 Report

About This Chapter

8.1 Overview
Reports are used to analyze network traffic and attack logs and to summarize system and Zone traffic information and attack logs periodically.
8.2 Traffic Analysis
Traffic analysis analyzes network traffic from all aspects.
8.3 Anomaly/Attack Analysis
Anomaly/attack analysis analyzes various aspects of anomalies and attacks on the network.
8.4 DNS Analysis
DNS analysis analyzes DNS services on the network in all aspects.
8.5 HTTP(S) Analysis
HTTP(S) analysis provides visibility into HTTP services and HTTPS services on the network.
8.6 Comprehensive Report
8.7 Report Customization

8.1 Overview
Reports are used to analyze network traffic and attack logs and to summarize system and Zone traffic information and attack logs periodically.
The ATIC management center provides four types of analysis: traffic analysis, anomaly/attack analysis, DNS analysis, and HTTP(S) analysis. This analysis gives the administrator a comprehensive, real-time picture of network data. The ATIC management center also provides system and Zone reports in diversified forms. The reports can be generated periodically, which saves labor and facilitates network status monitoring and query.

8.2 Traffic Analysis

Traffic analysis analyzes network traffic from all aspects.

8.2.1 Data Overview

Function
The data overview of traffic analysis displays the various traffic analysis reports in a centralized manner. This function collects traffic statistics of all devices or of a specified device at different time granularities. You can use Data Overview to view the following types of reports:

- Traffic Comparison
  Collects statistics on the inbound traffic, outbound traffic, and attack traffic and compares the three types of traffic. For details, see 8.2.2 Traffic Comparison.
- Incoming Traffic Distribution
  Displays the distribution of inbound traffic by protocol.
- Zone Traffic Top 10
  Collects statistics on the traffic destined to Zones and displays data of the top N Zones. For details, see 8.2.3 Traffic Top N.
- IP Traffic Top 10
  Collects statistics on the traffic to each IP address and displays data of the top N IP addresses. For details, see 8.2.3 Traffic Top N.

Parameter
Table 8-1 Query parameters of data overview

Device
    Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    - Total (Cleaning): traffic on all cleaning devices is queried.
    - Total (Detecting):
      - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Example
The data overview is displayed in Figure 8-1.
Figure 8-1 Data overview

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Data Overview tab.
Step 3 Set query parameters.
Step 4 Click Search.
Reports that meet the query conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
- Click the PDF icon to open or save the query results as a PDF file. A maximum of 10,000 entries can be displayed.
- Click the Excel icon to open or save the query results as an Excel file. A maximum of 10,000 entries can be displayed.
- Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.2.2 Traffic Comparison

Function
The traffic comparison report displays traffic comparisons and changes of an AntiDDoS device, Zone, or IP address within a period of time. If the device is an anti-DDoS cleaning device, you can view the incoming and outgoing traffic. If the device is an anti-DDoS detecting device, you can view the detected traffic.

Parameter
Table 8-2 Query parameters of traffic comparison

Device
    Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    - Total (Cleaning): traffic on all cleaning devices is queried.
    - Total (Detecting):
      - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

IP Address
    Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. Traffic destined for the IP address is queried.

Protocol
    Select a protocol type from the drop-down list.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average value of traffic within the specified time segment.
    - Peak Value: indicates the maximum value of traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit
    Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Example
If the device is set to Total (Cleaning), the traffic comparison within a period of time is displayed in Figure 8-2.
Figure 8-2 Traffic comparison

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Traffic Comparison tab.
Step 3 Set query parameters.
Step 4 Click Search.
The traffic comparison result that meets the query conditions is displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
- Click the PDF icon to open or save the query results as a PDF file. A maximum of 10,000 entries can be displayed.
- Click the Excel icon to open or save the query results as an Excel file. A maximum of 10,000 entries can be displayed.
- Click the CSV icon to open or save the query results as a CSV file. All data except figures can be displayed.
- Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End
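The query-interval granularity rule and the Total (Detecting) aggregation rule in Table 8-1, and the Average Value / Peak Value statistics in Table 8-2 (all repeated in the later query tables of this chapter), as an added Python example that is not part of the original guide or the ATIC product; it assumes that "one year" means 365 days and that the per-device traffic volumes are already available as numbers.

```python
"""Query granularity, Total (Detecting) aggregation and Average/Peak statistics as Tables 8-1 and 8-2 describe."""
from datetime import datetime, timedelta

ONE_YEAR = timedelta(days=365)   # assumption: the guide says "one year" without defining it


def statistics_granularity(start: datetime, end: datetime) -> str:
    """Return the collection interval the report uses for a query window.

    Raises ValueError for windows the guide rejects: end not later than start,
    or an interval longer than one year.
    """
    if end <= start:
        raise ValueError("end time must be later than start time")
    interval = end - start
    if interval > ONE_YEAR:
        raise ValueError("query interval cannot be longer than one year")
    if interval >= timedelta(days=7):
        return "daily"          # >= 7 days and < 1 year
    if interval >= timedelta(days=1):
        return "hourly"         # >= 1 day and < 7 days
    return "5min"               # < 1 day


def total_detecting(defense_groups) -> float:
    """Aggregate detected traffic across defense groups the way Total (Detecting) does.

    defense_groups: list of (mode, [per-device volumes]) with mode 'load_redundancy'
    or 'load_balancing'.  Inside a Load Redundancy group the maximum volume counts;
    inside a Load Balancing group the volumes are summed; groups are always summed.
    """
    total = 0.0
    for mode, volumes in defense_groups:
        if not volumes:
            continue            # a group with no reporting device contributes nothing
        if mode == "load_redundancy":
            total += max(volumes)
        elif mode == "load_balancing":
            total += sum(volumes)
        else:
            raise ValueError("unknown defense group mode %r" % mode)
    return total


def report_statistic(samples, mode: str) -> float:
    """Average Value or Peak Value over the per-interval totals of one query window."""
    if not samples:
        raise ValueError("no samples in the query window")
    if mode == "average":
        return sum(samples) / len(samples)
    if mode == "peak":
        return max(samples)
    raise ValueError("unknown statistics mode %r" % mode)


if __name__ == "__main__":
    # Constructed sample: two 5-minute intervals, each with one redundant and one balanced group.
    intervals = [
        [("load_redundancy", [120.0, 118.0]), ("load_balancing", [50.0, 45.0, 5.0])],
        [("load_redundancy", [300.0, 295.0]), ("load_balancing", [60.0, 40.0])],
    ]
    totals = [total_detecting(groups) for groups in intervals]
    print(statistics_granularity(datetime(2015, 7, 1), datetime(2015, 7, 1, 0, 10)), totals,
          report_statistic(totals, "average"), report_statistic(totals, "peak"))
```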

8.2.3 Traffic Top N

Function
The ATIC management center collects statistics on Incoming Traffic or Attack Traffic in the specified interval and ranks the top N traffic. From the top N statistics, you can view the top N Zones, services, or IP addresses with the largest volumes of inbound or attack traffic.

- IP Traffic Top N
  Ranks traffic by destination IP address. If traffic anomalies occur, you can view IP Traffic Top N to learn about the IP addresses with the largest volumes of inbound or attack traffic.
- Zone Traffic Top N
  Ranks traffic by Zone. If traffic anomalies occur, you can view Zone Traffic Top N to learn about the Zones with the largest volumes of inbound or attack traffic.
- Service Traffic Top N
  Ranks traffic by service. If traffic anomalies occur, you can view Service Traffic Top N to learn about the services with the largest volumes of inbound or attack traffic.

Parameter
Table 8-3 lists the parameters when Report Type is set to Zone Traffic Top N. Table 8-4 lists the parameters when Report Type is set to Service Traffic Top N. Table 8-5 lists the parameters when Report Type is set to IP Traffic Top N.

Table 8-3 Query parameters of Zone Traffic Top N

Device
    Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    - Total (Cleaning): traffic on all cleaning devices is queried.
    - Total (Detecting):
      - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Protocol
    Select the protocol type to be queried.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is shorter than seven days, statistics are collected hourly.

Type
    Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic.
    Incoming Traffic or Attack Traffic can be selected for anti-DDoS cleaning devices; only Incoming Traffic can be selected for anti-DDoS detecting devices.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average value of inbound traffic or attack traffic within the specified time segment.
    - Peak Value: indicates the maximum value of inbound traffic or attack traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit
    Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N
    Enter the value of N.
Table 8-4 Query parameters of Service Traffic Top N

Device
    Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    - Total (Cleaning): traffic on all cleaning devices is queried.
    - Total (Detecting):
      - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is shorter than seven days, statistics are collected hourly.

Type
    Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic.
    Incoming Traffic or Attack Traffic can be selected for anti-DDoS cleaning devices; only Incoming Traffic can be selected for anti-DDoS detecting devices.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average value of inbound traffic or attack traffic within the specified time segment.
    - Peak Value: indicates the maximum value of inbound traffic or attack traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit
    Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N
    Enter the value of N.
Table 8-5 Query parameters of IP Traffic Top N

Device
    Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    - Total (Cleaning): traffic on all cleaning devices is queried.
    - Total (Detecting):
      - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service
    Select a service or service group from the drop-down list.
    The value of Protocol depends on Service: if a service is selected for Service, the value of Protocol must correspond to that service. For details on how to configure the service, see 6.2.4.2 Configuring a Service Learning Task.

Protocol
    Select the protocol type to be queried.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is shorter than seven days, statistics are collected hourly.

Type
    Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average value of inbound traffic or attack traffic within the specified time segment.
    - Peak Value: indicates the maximum value of inbound traffic or attack traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit
    Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N
    Enter the value of N.
Example
If the device is set to Total (Cleaning), the traffic type to Attack Traffic, the statistical method to Average Value, and the protocol type to Total, the top N Zones by traffic within a period of time are displayed in Figure 8-3.
Figure 8-3 Top N Zones by attack traffic

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Traffic Top N tab.
Step 3 Set query parameters.
Step 4 Click Search.
The top N Zone traffic that meets the query conditions is displayed.
If a Zone has been deleted, the Zone name is displayed as Unknown Zone.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
- Click the PDF icon to open or save the query results as a PDF file. A maximum of 10,000 entries can be displayed.
- Click the Excel icon to open or save the query results as an Excel file. A maximum of 10,000 entries can be displayed.
- Click the CSV icon to open or save the query results as a CSV file. All data except figures can be displayed.
- Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.2.4 Application Traffic

Function
If application traffic anomalies or attacks occur, you can view the Application Traffic report to learn about application traffic information. The ATIC management center collects statistics on application-layer protocol traffic and user-defined service traffic and provides Traffic Comparison and Traffic Distribution reports. The supported application-layer protocols include HTTP, HTTPS, UDP_DNS, and SIP.

- Traffic Comparison
  Compares the Incoming Traffic, Outgoing Traffic, and Attack Traffic of the specified Zones at different time granularities. You can compare the traffic information of different applications based on service types.
  You can use Traffic Comparison to view the Zones or destination IP addresses under attack, the comparison of inbound and outbound traffic, and the volume of attack traffic.
- Traffic Distribution
  Displays the service distribution of Incoming Traffic and Attack Traffic of the specified Zones at different time granularities.
  You can use Traffic Distribution to view the protocol distribution of specific Zones or destination IP addresses, and so decide whether to enable attack defense for a certain type of traffic.

Parameter
To query the comparison between incoming and outgoing application traffic, set Report Type to Traffic Comparison (for parameters, see Table 8-6). To query the traffic distribution of all types of applications, set Report Type to Traffic Distribution (for parameters, see Table 8-7).

Table 8-6 Parameters for querying traffic comparison

Device
    Select a device from the drop-down list.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service
    Services comprise user-defined services and application-layer protocol services (including HTTP, HTTPS, UDP_DNS, and SIP).

IP Address
    Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. Traffic destined for the IP address is queried.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average value of traffic within the specified time segment.
    - Peak Value: indicates the maximum value of traffic within the specified time segment.

Unit
    Select a traffic measurement unit. The unit can be pps, qps, or kbit/s. The default unit is pps. qps takes effect only for HTTP traffic.
Table 8-7 Parameters for querying traffic distribution

Device
    Select a device from the drop-down list.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

IP Address
    Enter the destination IP address for which the traffic is destined.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Type
    Select a traffic type.
    - Incoming traffic: queries the distribution of all types of applications in incoming traffic.
    - Attack traffic: queries the distribution of all types of applications in attack traffic.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average value of traffic within the specified time segment.
    - Peak Value: indicates the maximum value of traffic within the specified time segment.

Unit
    Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Example
Figure 8-4 Comparison between incoming and outgoing application traffic

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Application Traffic tab.
Step 3 Set query parameters.
Step 4 Click Search.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
- Click the PDF icon to open or save the query results as a PDF file. A maximum of 10,000 entries can be displayed.
- Click the Excel icon to open or save the query results as an Excel file. A maximum of 10,000 entries can be displayed.
- Click the CSV icon to open or save the query results as a CSV file. All data except figures can be displayed.
- Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.2.5 Protocol Traffic Distribution

Function
The protocol traffic distribution chart shows the proportions of TCP, UDP, ICMP, and other traffic. You can view the distribution of the inbound and outbound traffic of a cleaning device, and the distribution of the detected traffic of a detecting device.

Parameter
Table 8-8 Query parameters of protocol traffic distribution

Device
    Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    - Total (Cleaning): traffic on all cleaning devices is queried.
    - Total (Detecting):
      - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

IP Address
    Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. Traffic destined for the IP address is queried.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Unit
    Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Example
If the device is set to Total (Cleaning) and the Zone to Total, the traffic distribution within a period of time is displayed in Figure 8-5.
Figure 8-5 Protocol traffic distribution

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Protocol Traffic Distribution tab.
Step 3 Set query parameters. For details, see Table 8-8.
Step 4 Click Search.
The traffic distribution that meets the query conditions is displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
- Click the PDF icon to open or save the query results as a PDF file. A maximum of 10,000 entries can be displayed.
- Click the Excel icon to open or save the query results as an Excel file. A maximum of 10,000 entries can be displayed.
- Click the CSV icon to open or save the query results as a CSV file. All data except figures can be displayed.
- Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.2.6 Number of TCP Connections

Prerequisites
You can view the number of new TCP connections by source IP address only after Top N TCP Source IP Addresses by New Connection is enabled. For details, see 6.2.6.9 Top N Study.

Function
Number of TCP Connections provides visibility into the number of new TCP connections and the number of concurrent TCP connections by destination IP address, and the number of new connections from the source IP addresses with the most connections. In normal operation, observe and record the number of new connections and the number of concurrent connections of services in the report. If the number of new connections or the number of concurrent connections is greater than the normal value, capture packets to analyze the anomaly or attack.

Parameter
When Type is set to Destination IP Address, you can view the number of new connections and concurrent connections by destination IP address. For parameters, see Table 8-9. When Type is set to Source IP Address, you can view the number of new TCP connections from the source IP addresses with the most connections within the given time segment. For parameters, see Table 8-10.

Table 8-9 Parameters for querying the connection number by destination IP address

Device
    Select a cleaning device from the drop-down list. Total (Cleaning) indicates the number of connections on all cleaning devices.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service
    Select a service or service group from the drop-down list.
    For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

Type
    Select Destination IP Address.

IP Address
    Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The number of connections to the IP address is queried.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics
    Select a mode for collecting statistics.
    - Average Value: indicates the average number of new connections or concurrent connections within a period of time.
    - Peak Value: indicates the maximum number of new connections or concurrent connections within a period of time. The peak value can be selected only when a device is selected.
Table 8-10 Parameters for querying the connection number by source IP address

NE
    Select a cleaning device from the drop-down list. Total (Cleaning) indicates the number of connections on all cleaning devices.

Zone
    Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Type
    Select Source IP Address.

Time
    Click the time selection icon to select the start time and end time of the statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
    - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    - If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If Device is set to Total (Cleaning), Zone to Total, Service to TCP, and Statistics to Average Value, the number of connections within a period of time is displayed in Figure 8-6.
Figure 8-6 Number of new connections and concurrent connections by destination IP address

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Number of TCP Connections tab.
Step 3 Set query parameters.
Step 4 Click Search.
The number of connections that meets the query conditions is displayed.
The queried number of TCP connections is the number of session connections established after the TCP three-way handshake.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
- Click the PDF icon to open or save the query results as a PDF file. A maximum of 10,000 entries can be displayed.
- Click the Excel icon to open or save the query results as an Excel file. A maximum of 10,000 entries can be displayed.
- Click the CSV icon to open or save the query results as a CSV file. All data except figures can be displayed.
- Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.2.7 Board Traffic


Function
Board Traffic displays the traffic of the SPUs on a device.

Parameter
Table 8-11 Query parameters of Board Traffic

Device: Select a device from the drop-down list.

Protocol: Select a protocol type from the drop-down list.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.
  - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  - If the query interval is shorter than one day, statistics are collected every five minutes.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Example
If the device is set to bj (Cleaning) and the protocol to UDP, board traffic within a period of time is displayed as in Figure 8-7.
Figure 8-7 Board traffic

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the Board Traffic tab.
Step 3 Set query parameters. For details, see Table 8-11.
Step 4 Click Search.
The board traffic result that meets the query conditions is displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End


8.2.8 IP Location Top N


Function
The IP Location Top N report provides visibility into the Top N IP locations that have the
maximum volume of incoming or attack traffic.
Do not add user-defined IP locations to or delete them from an anti-DDoS device. Otherwise, the IP
Location Top N report on the ATIC is inaccurate.

Parameter
Table 8-12 Query parameters of IP Location Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.
  - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  - If the query interval is shorter than one day, statistics are collected every five minutes.

Type: Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic. Incoming Traffic or Attack Traffic can be selected for anti-DDoS cleaning devices, and only Incoming Traffic can be selected for anti-DDoS detecting devices.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N: Enter the value of N.
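The Device parameter above (and the same parameter in Table 8-13) states how a Total (Detecting) figure is formed: within a defense group in Load Redundancy mode the maximum device volume is taken, within a group in Load Balancing mode the device volumes are summed, and volumes are always summed across defense groups. The following Python shows that rule applied to per-device samples and then used to rank IP locations for a Top N report. It is an added example, not code from the ATIC Management Center or from Huawei; the device names, defense groups, IP locations and traffic volumes are constructed.

```python
"""Added example (not Huawei code): deriving the Total (Detecting) figure
from per-device samples and ranking IP locations for a Top N report.

Rule taken from the Device parameter: within a defense group in Load
Redundancy mode the maximum device volume counts (the devices see the same
traffic); in Load Balancing mode the device volumes are summed (traffic is
split); across defense groups, volumes are always summed. Device names,
group names, IP locations and volumes below are constructed.
"""
from collections import defaultdict

# Constructed inventory: detecting device -> (defense group, working mode)
DEVICES = {
    "det-1": ("group-A", "Load Redundancy"),
    "det-2": ("group-A", "Load Redundancy"),
    "det-3": ("group-B", "Load Balancing"),
    "det-4": ("group-B", "Load Balancing"),
}


def total_detecting(samples, devices=DEVICES):
    """samples: {device: volume} for one IP location and one time slot.
    Returns the Total (Detecting) volume following the guide's rule."""
    per_group = defaultdict(list)
    for dev, volume in samples.items():
        group, mode = devices[dev]
        per_group[group].append((mode, volume))
    total = 0
    for group, entries in per_group.items():
        modes = {mode for mode, _ in entries}
        if len(modes) != 1:
            raise ValueError(f"defense group {group} mixes working modes")
        volumes = [volume for _, volume in entries]
        mode = modes.pop()
        if mode == "Load Redundancy":
            total += max(volumes)       # mirrors of the same traffic: count once
        elif mode == "Load Balancing":
            total += sum(volumes)       # each device saw a share: add them up
        else:
            raise ValueError(f"unknown working mode: {mode}")
    return total


def sum_all_devices(samples):
    """Plain sum over devices: this is Total (Cleaning), but applied to
    detecting devices it double-counts Load Redundancy mirrors."""
    return sum(samples.values())


def top_n_locations(per_location, n, reducer=total_detecting):
    """per_location: {location: {device: volume}}. Returns [(location, volume)]
    in descending order (ties broken by name), truncated to n."""
    ranked = [(loc, reducer(samples)) for loc, samples in per_location.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked[:n]


# Constructed incoming traffic (pps) per IP location and detecting device
LOCATIONS = {
    "Shenzhen": {"det-1": 800, "det-2": 790, "det-3": 300, "det-4": 250},
    "Beijing":  {"det-1": 500, "det-2": 520, "det-3": 100, "det-4": 120},
    "Shanghai": {"det-1": 100, "det-2": 100, "det-3": 900, "det-4": 700},
}

if __name__ == "__main__":
    for loc, volume in top_n_locations(LOCATIONS, 3):
        print(f"{loc:10} {volume:6} pps")
```

With these constructed numbers the rule changes the ranking: Shanghai leads the Total (Detecting) report with 1700 pps, whereas a plain sum over the detecting devices would place Shenzhen first at 2140 pps because the two Load Redundancy mirrors in group-A are counted twice. The function also refuses a defense group whose devices report different working modes, since the guide defines the rule per group.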

Example
If the device is set to Total (Cleaning), the zone to Total, and the traffic type to Incoming Traffic, the top N IP locations that have the maximum incoming traffic in a specific period are displayed, as shown in Figure 8-8.
Figure 8-8 IP Location Top N

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the IP Location Top N tab.
Step 3 Set query parameters.
Step 4 Click Search.
The status of the top N IP locations that match the query conditions is displayed.
If a Zone has been deleted, the Zone name is displayed as Unknown Zone.

Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.2.9 IP Location Traffic


Function
This report provides visibility into the incoming or attack traffic of a specific IP location.
Do not add user-defined IP locations to or delete them from an anti-DDoS device. Otherwise, the IP
Location Top N report on the ATIC is inaccurate.

Parameter
Table 8-13 Query parameters of IP location traffic

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Location: Click the selection icon. On the Location page that is displayed, select an IP location and click OK.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.
  - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  - If the query interval is shorter than one day, statistics are collected every five minutes.

Type: Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic. Incoming Traffic or Attack Traffic can be selected for anti-DDoS cleaning devices, and only Incoming Traffic can be selected for anti-DDoS detecting devices.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Example
If the device is set to Total (Cleaning), the zone to Total, and the traffic type to Incoming Traffic, the incoming traffic of a specific IP location in a specific period is displayed, as shown in Figure 8-9.
Figure 8-9 Incoming traffic of a specific IP location

Procedure
Step 1 Choose Report > Report > Traffic Analysis.
Step 2 Click the IP Location Traffic tab.
Step 3 Set query parameters.
Step 4 Click Search.


Information about IP location traffic that matches the query conditions is displayed.
If a Zone has been deleted, the Zone name is displayed as Unknown Zone.

Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.3 Anomaly/Attack Analysis


Anomaly/attack analysis analyzes various aspects of anomalies and attacks on the network.

8.3.1 Anomaly/Attack Details


Function
The Anomaly/Attack Details report records basic information about all anomalies and attacks so that you can locate anomaly or attack events.

Parameter
Table 8-14 Query parameters of Anomaly/Attack details

Device: Select a device from the drop-down list.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The anomaly/attack details of traffic destined for the IP address are queried.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.

Type: Select a log type. The type can be Total, Abnormal, or Attack.

Example
Anomaly/attack details that meet the query conditions are displayed, as shown in Figure 8-10.
Figure 8-10 Anomaly/attack Details

Figure 8-11 Anomaly/attack Logs Details

Procedure
Step 1 Choose Report > Report > Anomaly/Attack Analysis.
Step 2 Click the Anomaly/Attack Details tab.
Step 3 Set query parameters.
Step 4 Click Search.


Step 5 On the Anomaly/Attack Details page, click the corresponding icon to view details on anomaly/attack logs.
  - Click the packet capture icon to view packet capture files associated with anomaly or attack events.
    You can trace attack sources, parse packets based on the packet capture files, and download the files to obtain the details on and features of the attacker. In this way, you can work out proper defense policies. For details, see 8.3.4.2 Tracing Attack Sources Through a Packet Capture File, 8.3.4.3 Parsing Packets in a Packet Capture File, and 8.3.4.5 Downloading a Packet Capture File.
    You cannot view the packet capture files associated with certain anomaly or attack events.
  - Click the attack details icon to view details on an attack.

Step 6 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.3.2 Anomaly/Attack Top N


Function
Zone anomaly/attack top N sorts top N Zones by number or duration of anomalies/attacks.

Parameter
Table 8-15 Query parameters of Zone Anomaly/Attack Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.

Top N: Enter the value of N.

Table 8-16 Query parameters of Service Anomaly/Attack Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.

Top N: Enter the value of N.

Table 8-17 Query parameters of IP Anomaly/Attack Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.

Top N: Enter the value of N.

Example
If Device is Total (Cleaning), Figure 8-12 shows the top N Zones by anomalies or attacks within a period of time.
Figure 8-12 Top N Zones by anomaly/attack
  - In the left figure, the top N Zones by number of attacks are displayed.
  - In the right figure, the top N Zones by duration of attacks are displayed.

Procedure
Step 1 Choose Report > Report > Anomaly/Attack Analysis.
Step 2 Click the Anomaly/Attack Top N tab.


Step 3 Set query parameters.
Step 4 Click Search.
The top N Zones by anomalies or attacks that meet the query conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.3.3 Attack Top N


Function
Attack Top N lists the top N attack events by number of attack packets or by attack duration, and displays the corresponding details.

Parameter
Table 8-18 Query parameters of Attacks Top N

Device: Select a cleaning device from the drop-down list. Total (Cleaning) indicates that attacks on all cleaning devices are queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.

Top N: Enter the value of N.


Example
If Device is set to Total (Cleaning), the top N attack events within a period of time are displayed as in Figure 8-13.
Figure 8-13 Attacks Top N
  - The upper chart displays the top N attack events by attack packet quantity.
  - The lower chart displays the top N attack events by attack duration.

Procedure
Step 1 Choose Report > Report > Anomaly/Attack Analysis.
Step 2 Click the Attack Top N tab.
Step 3 Set query parameters.
Step 4 Click Search.
The top N attacks that meet the query conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End


8.3.4 Distribution of Anomaly/Attack Types


Function
In the anomaly/attack type distribution chart, you can view the proportions of various
anomaly/attack types.

Parameter
Table 8-19 Query parameters of Anomaly/Attack Type Distribution

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The anomaly/attack traffic destined for the IP address is queried.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.

Example
If Device is set to Total (Cleaning) and Zone to test, the distribution of anomaly/attack types within a period of time is displayed as in Figure 8-14.
Figure 8-14 Anomaly/attack type distribution (for cleaning devices)
  - In the left figure, the distribution chart of attack types is displayed by number of attacks.
  - In the right figure, the distribution chart of attack types is displayed by packet quantity.

If the device is set to Total (Detecting) and Zone to test, Figure 8-15 shows the anomaly/attack type distribution within a period of time.
Figure 8-15 Anomaly/attack type distribution (for detecting devices)
The distribution chart of anomaly types is displayed by number of anomalies/attacks.

Procedure
Step 1 Choose Report > Report > Anomaly/Attack Analysis.
Step 2 Click the Distribution of Anomaly/Attack Types tab.
Step 3 Set query parameters.
Step 4 Click Search.
The distribution of anomalies/attacks that meet the query conditions is displayed.


Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.3.5 Packet Discarding Trend


Function
The packet discarding trend helps you learn about the traffic trend of various packets
discarded by the cleaning device.

Parameter
Table 8-20 Query parameters of Packet Discarding Trend

Device: Select a cleaning device from the drop-down list. Total (Cleaning) indicates that the sum of traffic volumes on all cleaning devices is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The anomaly/attack log of traffic destined for the IP address of the Zone is queried.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time, and the interval cannot be longer than one year.


Example
If Device is set to Total (Cleaning), the packet discarding trend within a period of time is displayed as in Figure 8-16.
Figure 8-16 Packet Discarding Trend

This chart is an overlay chart of discarded packets. It shows the total number of discarded packets at a point in time and the traffic trend of each category of discarded packets.
  - Spoofing packets: packets discarded because of forged-source attacks
  - Dynamic_filter packets: packets discarded because of dynamic signatures
  - User_defined_filter packets: packets discarded because of static filtering policies such as signatures, ACLs, blacklist entries, and host filtering policies
  - Client_attacks packets: packets discarded because of attacks that use the attacker's IP address to establish TCP connections
  - Malformed_connections packets: packets discarded because of FIN flood, DNS cache poisoning, or DNS reflection attacks
  - Malformed packets: packets discarded because of malformed packet attacks
  - Overflow packets: packets discarded because of the configured traffic limiting or rate limiting policies
  - Other packets: other discarded packets

Procedure
Step 1 Choose Report > Report > Anomaly/Attack Analysis.
Step 2 Click the Packet Discarding Trend tab.
Step 3 Set query parameters.
Step 4 Click Search.
The packet discarding trend chart that meets the query conditions is displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.

  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.4 DNS Analysis


DNS analysis analyzes DNS services on the network in all aspects.

8.4.1 Top N Request Trend


Prerequisites
Top N Requested Domain Names and Top N DNS Source IP Addresses by Request
Traffic Rate are enabled. For details, see 6.2.6.9 Top N Study.

Function
The top N DNS request trend displays top N requested domain names or top N source IP
addresses by DNS request traffic rate in incoming traffic, outgoing traffic, or detecting traffic.
For top N requests, you can perform the following operations:
  - Add the top N domain names to the DNS cache to improve the response rate and reduce the load on the DNS server.
  - Limit the packet rates of the top N domain names.
  - Limit the packet rates of the top N source IP addresses.
For details, see 6.2.6.5 DNS Defense Policy.

Parameter
Table 8-21 Parameters for querying Top N Request Trend

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  - Total (Cleaning): Indicates that DNS traffic on all cleaning devices is queried.
  - Total (Detecting):
    - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
    - If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone: Click the selection icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the time selection icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year.
  - If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  - If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  - If the query interval is shorter than one day, statistics are collected every five minutes.

Type: Select the top N type to be queried.
  - Domain Name Request: indicates the trend of the top N most requested domain names.
  - Source IP Address Request: indicates the trend of the top N source IP addresses that send the most requests to the DNS server.

Statistics: Select a mode for collecting statistics.

Top N: Enter the value of N.
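The Statistics parameter selects how the top N is computed over the query window; the example that follows names two modes, Current Top N and Average Top N. The Python below ranks requested domain names (or, with the same function, source IP addresses) under both modes from per-interval request rates. It is an added example, not code from the ATIC Management Center or from Huawei, and it assumes, since the guide does not define the modes, that Current Top N ranks by the rate in the latest interval of the window and Average Top N by the mean rate over all intervals. The domain names and rates are constructed.

```python
"""Added example (not Huawei code): ranking requested domain names for a
Top N Request Trend under the two statistics modes the guide names.

Assumption (the guide does not define the modes): Current Top N ranks by
the request rate in the latest interval of the query window, Average Top N
by the mean rate over all intervals in the window. Domain names and rates
are constructed.
"""


def rank_top_n(series, n, mode):
    """series: {name: [rate per interval, oldest first]}, all of equal length.
    name may be a domain name (Domain Name Request) or a source IP address
    (Source IP Address Request). Returns [(name, score)] in descending
    order, ties broken by name, truncated to n."""
    if mode == "Current Top N":
        score = lambda rates: rates[-1]
    elif mode == "Average Top N":
        score = lambda rates: sum(rates) / len(rates)
    else:
        raise ValueError(f"unknown statistics mode: {mode}")
    ranked = sorted(((name, score(rates)) for name, rates in series.items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


def trend_rows(series, ranking):
    """Rows the trend chart plots: the full per-interval series of each
    ranked name, in ranking order."""
    return [(name, series[name]) for name, _ in ranking]


# Constructed: request rate (queries per second) in six five-minute intervals
SERIES = {
    "cdn.example.com":   [900, 920, 910, 930, 940, 950],
    "mail.example.com":  [400, 410, 420, 400, 390, 380],
    "burst.example.net": [10, 10, 10, 10, 20, 2000],   # spike in the last interval only
    "www.example.org":   [600, 600, 600, 600, 600, 600],
}

if __name__ == "__main__":
    for mode in ("Current Top N", "Average Top N"):
        print(mode, rank_top_n(SERIES, 2, mode))
```

The two modes answer different questions. A name that spikes only in the latest interval leads Current Top N, which is the view to consult when deciding whether to rate-limit a domain name or source address; the Average ranking is steadier and is the better basis for choosing the domain names to add to the DNS cache, as described under Function above.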

Example
If Device is set to Total (Cleaning), the type to Domain Name Request, and the statistics mode to Current Top N, the top N trend analysis results within a period of time are displayed as in Figure 8-17.


Figure 8-17 Request top N trend

Procedure
Step 1 Choose Report > Report > DNS Analysis.
Step 2 Click the Top N Request Trend tab.
Step 3 Set query parameters.
Step 4 Click Search.
The top N trend analysis results are displayed.
Step 5 Optional: Open or save the query results as files, or send the queried reports to a specified email address.
  - Click the PDF export icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
  - Click the Excel export icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
  - Click the CSV export icon to open or save the query results as CSV files. All data except figures can be displayed.
  - Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

8.4.2 Top N Response Trend


Prerequisites
Top N DNS Source IP Addresses by Response Traffic Rate is enabled. For details, see
6.2.6.9 Top N Study.


Function
The top N response trend diagram provides visibility into top N source IP addresses in DNS
response traffic.
You can limit the rate of DNS response packets by top N DNS source IP addresses. For details,
see 6.2.6.5 DNS Defense Policy.

Parameter
Table 8-22 Parameters for querying the top N response trend

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that DNS traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.

Top N: Enter the value of N.
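The following Python example is added here to show how the Total (Detecting) rule and the interval-to-granularity rule from Table 8-22 combine to produce an Average Top N ranking from per-device samples; it is illustration code, not part of the ATIC Management Center or this guide. The same two rules appear in the Device and Time rows of the other report tables in this chapter. The defense group names, device names, source addresses, rates, the mode labels, and the choice to count a bucket with no sample as zero are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import ceil

# Constructed sample data (not from the product): DNS response rates in
# packets per second reported by detecting devices, one row per
# (defense_group, device, source_ip, timestamp, rate).  Group, device and
# address names are assumptions used only for this illustration.
T0 = datetime(2015, 7, 20, 10, 0)
T1 = T0 + timedelta(minutes=5)
SAMPLES = [
    ("dg1", "d1", "198.51.100.7", T0, 100.0),
    ("dg1", "d2", "198.51.100.7", T0, 80.0),
    ("dg2", "d3", "198.51.100.7", T0, 30.0),
    ("dg2", "d4", "198.51.100.7", T0, 20.0),
    ("dg1", "d1", "198.51.100.7", T1, 120.0),
    ("dg1", "d2", "198.51.100.7", T1, 120.0),
    ("dg2", "d3", "198.51.100.7", T1, 10.0),
    ("dg1", "d1", "203.0.113.9", T0, 40.0),
    ("dg2", "d3", "203.0.113.9", T0, 5.0),
    ("dg2", "d4", "203.0.113.9", T0, 5.0),
    ("dg1", "d2", "203.0.113.9", T1, 60.0),
    ("dg2", "d4", "192.0.2.33", T0, 200.0),
]
# Working mode of the detecting devices in each defense group (assumed).
GROUP_MODE = {"dg1": "load_redundancy", "dg2": "load_balancing"}


def granularity(start, end):
    """Bucket size implied by the query interval (rules from the Time row)."""
    if end <= start:
        raise ValueError("end time must be later than start time")
    span = end - start
    if span > timedelta(days=365):
        raise ValueError("interval cannot be longer than one year")
    if span >= timedelta(days=7):
        return timedelta(days=1)      # daily statistics
    if span >= timedelta(days=1):
        return timedelta(hours=1)     # hourly statistics
    return timedelta(minutes=5)       # five-minute statistics


def total_detecting(samples, group_mode):
    """Combine per-device samples into the Total (Detecting) value.

    Load Redundancy: devices in a group see the same traffic, so take the
    maximum within the group.  Load Balancing: each device sees a share, so
    sum within the group.  Group totals are then summed across groups.
    Returns {(source_ip, timestamp): rate}.
    """
    by_key = defaultdict(lambda: defaultdict(list))
    for group, _device, src, ts, rate in samples:
        by_key[(src, ts)][group].append(rate)
    totals = {}
    for key, groups in by_key.items():
        total = 0.0
        for group, rates in groups.items():
            mode = group_mode[group]
            total += max(rates) if mode == "load_redundancy" else sum(rates)
        totals[key] = total
    return totals


def top_n_average(totals, start, end, n):
    """Rank sources by average rate over the query interval (Average Top N).

    Samples are placed into buckets of the granularity implied by the
    interval; a bucket with no sample counts as zero (assumption).
    """
    bucket = granularity(start, end)
    n_buckets = ceil((end - start) / bucket)
    per_src = defaultdict(lambda: defaultdict(list))
    for (src, ts), rate in totals.items():
        if start <= ts < end:
            per_src[src][(ts - start) // bucket].append(rate)
    ranking = []
    for src, buckets in per_src.items():
        means = [sum(v) / len(v) for v in buckets.values()]
        ranking.append((src, sum(means) / n_buckets))
    ranking.sort(key=lambda item: (-item[1], item[0]))
    return ranking[:n]


if __name__ == "__main__":
    totals = total_detecting(SAMPLES, GROUP_MODE)
    for src, avg in top_n_average(totals, T0, T0 + timedelta(minutes=10), 2):
        print(f"{src:15s} {avg:8.1f} pps")
```

With the constructed data, 198.51.100.7 totals 150 pps at T0 (max of 100 and 80 in the redundant group plus 30 + 20 in the balanced group) and 130 pps at T1, so it ranks first with an average of 140 pps; 192.0.2.33 was only seen in one of the two five-minute buckets, so its 200 pps averages to 100 pps.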

Example
If Device is set to Total (Cleaning) and Statistics to Average Top N, the top N response trend within the given time segment is displayed, as shown in Figure 8-18.


Figure 8-18 Top N response trend

Procedure
Step 1 Choose Report > Report > DNS Analysis.
Step 2 Click the Top N Response Trend tab.
Step 3 Set query parameters.
Step 4 Click Search.
Top N trend analysis results that meet search conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

8.4.3 Cache Request Trend


Prerequisites
The DNS static cache function has been enabled and configured. For details, see 6.2.6.5 DNS
Defense Policy.


Function
The DNS cache request trend collects statistics on external requests for domain names in the
DNS cache. If domain names in the DNS cache are seldom requested, replace them with
domain names that are frequently requested.

Parameter
Table 8-23 Query parameters of Cache Request Trend

Device: Select a cleaning device from the drop-down list. Total (Cleaning) indicates that traffic on all cleaning devices is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If Device is set to Total (Cleaning) and Zone to Total, Figure 8-19 shows the analysis results of the cache request trend within a period of time.


Figure 8-19 Cache request trend

Procedure
Step 1 Choose Report > Report > DNS Analysis.
Step 2 Click the Cache Request Trend tab.
Step 3 Set query parameters.
Step 4 Click Search.
The analysis results of the cache request trend are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

8.4.4 Request Category Trend


Prerequisites
The DNS statistics item has been enabled. For details, see 6.2.6.5 DNS Defense Policy.


Function
The request category trend collects statistics on DNS request packets and displays various
DNS request curves. This function allows you to monitor DNS traffic distribution on the live
network.

Parameter
Table 8-24 Query parameters of Request Category Trend

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that DNS traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The DNS traffic destined for the IP address is queried.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Type: Select the DNS type of the request category trend to be viewed.
  Total Traffic: Indicates the sum of TCP traffic and UDP traffic.
  TCP
  UDP

Example
If Device is set to Total (Cleaning) and Zone to Total, the DNS trend analysis results within a period of time are displayed, as shown in Figure 8-20.
Figure 8-20 Trend analysis

Procedure
Step 1 Choose Report > Report > DNS Analysis.
Step 2 Click the Request Category Trend tab.
Step 3 Set query parameters.
Step 4 Click Search.
Trend analysis results of DNS are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End


8.4.5 Resolution Success Ratio


Prerequisites
The outgoing and incoming paths of the DNS request and reply packets must be the same.
Otherwise, the resolution success ratio stays zero all the time.
You must run the anti-ddos server-flow-statistic enable command on the inbound interface
to enable the upstream traffic analysis function.

Function
The resolution success ratio is the ratio of the rate of responses from the DNS server to the rate of requests for DNS services. While the DNS server is not under attack, observe and record the normal value of the ratio. If the ratio later drops strikingly below that normal value, capture packets and check whether the DNS server is being attacked.
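The following Python example is added to illustrate the check described above and is not part of the ATIC Management Center or this guide: it computes the ratio from request and response rates, records a normal value from a quiet period, flags samples whose ratio is strikingly lower, and separates out the all-zero case that the prerequisites attribute to asymmetric paths or disabled upstream statistics rather than to an attack. The sample rates and the "strikingly lower" threshold (half of the normal value) are assumptions.

```python
# Constructed 5-minute samples of (request rate, response rate) in queries
# per second, as the Resolution Success Ratio report would plot them.
# All values are invented for illustration.
BASELINE = [(1000, 980), (1100, 1070), (950, 940), (1050, 1030)]
OBSERVED = [(1000, 990), (9000, 1200), (12000, 900), (1020, 1000)]


def success_ratio(request_rate, response_rate):
    """Resolution success ratio: response rate divided by request rate."""
    if request_rate <= 0:
        return 0.0
    return response_rate / request_rate


def baseline_ratio(samples):
    """Normal value, recorded while the DNS server is not under attack."""
    ratios = [success_ratio(q, r) for q, r in samples]
    return sum(ratios) / len(ratios)


def classify_samples(samples, normal, drop_factor=0.5):
    """Label each sample 'ok' or 'suspect'.

    'suspect' means the ratio is strikingly below the recorded normal value.
    The threshold (a fixed fraction of the normal value) is an assumption,
    not a product setting.  A flood of requests the server cannot answer
    shows up as a sharp drop in the ratio while the request rate rises.
    """
    threshold = normal * drop_factor
    return ["suspect" if success_ratio(q, r) < threshold else "ok"
            for q, r in samples]


def responses_never_seen(samples):
    """True when no response was ever counted.

    A ratio that stays zero all the time usually means the request and
    reply paths differ, or upstream statistics are not enabled on the
    inbound interface (see Prerequisites), not that the server is attacked.
    """
    return bool(samples) and all(r == 0 for _, r in samples)


if __name__ == "__main__":
    normal = baseline_ratio(BASELINE)
    print(f"normal ratio {normal:.3f}")
    if responses_never_seen(OBSERVED):
        print("no responses counted: check path symmetry and upstream statistics")
    for (q, r), label in zip(OBSERVED, classify_samples(OBSERVED, normal)):
        print(f"req {q:6d} qps  resp {r:6d} qps  "
              f"ratio {success_ratio(q, r):.3f}  {label}")
```

The two samples in which the request rate jumps to 9,000 and 12,000 qps while responses stay near 1,000 qps drop the ratio to about 0.13 and 0.08, well below the recorded normal value of about 0.98, and are the ones to investigate with a packet capture.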

Parameter
Table 8-25 Query parameters of Resolution Success Ratio

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that DNS traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. DNS traffic destined for the IP address is queried.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If Device is set to Total (Cleaning) and Zone to Total, the resolution success ratio within a period of time is displayed, as shown in Figure 8-21.
Figure 8-21 Resolution success ratio

The request rate indicates the rate of requests for DNS services from the extranet.

The response rate indicates the rate of responses by the DNS server to the external requests for DNS services.

Procedure
Step 1 Choose Report > Report > DNS Analysis.
Step 2 Click the Resolution Success Ratio tab.
Step 3 Set query parameters.
Step 4 Click Search.
The success resolution ratio that meets query conditions is displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.


Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

8.4.6 Abnormal Packet Analysis


Function
The anomaly packet analysis chart displays the traffic status of normal and anomaly DNS
request packets.

Parameter
Table 8-26 Query parameters of Abnormal Packet Analysis

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that DNS traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list. For details about service configuration, see 6.2.4 Creating a Service and a Defense Policy.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The DNS traffic destined for the IP address is queried.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If Device is set to Total (Cleaning) and Zone to Total, the analysis of normal and anomalous packets within a period of time is displayed, as shown in Figure 8-22.
Figure 8-22 Anomaly packet analysis

Procedure
Step 1 Choose Report > Report > DNS Analysis.
Step 2 Click the Abnormal Packet Analysis tab.
Step 3 Set query parameters.
Step 4 Click Search.
The analysis of the normal and anomaly packets that meet the query conditions is displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End


8.5 HTTP(S) Analysis


HTTP(S) analysis provides visibility into HTTP services and HTTPS services on the network.

8.5.1 Top N HTTP Request Sources by Traffic


Prerequisites
Top N HTTP Source IP Addresses by Traffic Rate is enabled. For details, see 6.2.6.9 Top N
Study.

Function
Top N HTTP request sources by traffic display top N source IP addresses in HTTP incoming,
outgoing, or detecting traffic.

Parameter
Table 8-27 Parameters for querying top N HTTP request sources by traffic

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that HTTP traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.

Unit: Select pps or qps.

Top N: Enter the value of N.

Example
If Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTP request sources by incoming and outgoing traffic within the given time segment are displayed, as shown in Figure 8-23 and Figure 8-24.
Figure 8-23 Top N HTTP request sources by incoming traffic


Figure 8-24 Top N HTTP request sources by outgoing traffic

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.
Step 2 Click the Top N HTTP Request Sources by Traffic tab.
Step 3 Set query parameters.
Step 4 Click Search.
Top N HTTP request sources that meet search conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.


----End

8.5.2 Top N HTTPS Request Sources by Traffic


Prerequisites
Top N HTTPS Source IP Addresses by Traffic Rate is enabled. For details, see 6.2.6.9 Top
N Study.

Function
Top N HTTPS request sources by traffic display top N source IP addresses in HTTPS
incoming, outgoing, or detecting traffic.

Parameter
Table 8-28 Parameters for querying top N HTTPS request sources by traffic

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that HTTPS traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTPS traffic volume in the defense group is queried and the sum of HTTPS traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTPS traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.

Top N: Enter the value of N.


Example
If Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTPS request sources by incoming traffic within the given time segment are displayed as shown in Figure 8-25, and the top N HTTPS request sources by outgoing traffic as shown in Figure 8-26.
Figure 8-25 Top N HTTPS request sources by incoming traffic

Figure 8-26 Top N HTTPS request sources by outgoing traffic

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.
Step 2 Click the Top N HTTPS Request Sources by Traffic tab.
Step 3 Set query parameters.
Step 4 Click Search.


Top N HTTPS request sources that meet search conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

8.5.3 Top N Requested URI


Prerequisites
HTTP URI Top N is enabled. For details, see 6.2.6.9 Top N Study.

Function
Top N HTTP URIs display top N URI fields in the HTTP traffic destined for the Zone.

Parameter
Table 8-29 Parameters for querying top N HTTP URIs

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that HTTP traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.

Top N: Enter the value of N.

Example
If Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTP URIs within the given time segment are displayed, as shown in Figure 8-27.
Figure 8-27 Top N Requested URI

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.
Step 2 Click the Top N Requested URI tab.
Step 3 Set query parameters.
Step 4 Click Search.
Top N HTTP URIs that meet search conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.


Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

8.5.4 Top N Requested Host


Prerequisites
HTTP Host Top N is enabled. For details, see 6.2.6.9 Top N Study.

Function
Top N HTTP host fields display those in the HTTP traffic destined for the Zone.

Parameter
Table 8-30 Parameters for querying top N HTTP host fields

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  Total (Cleaning): Indicates that HTTP traffic on all cleaning devices is queried.
  Total (Detecting):
    If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
    If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone: Click the icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
  If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
  If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
  If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.

Top N: Enter the value of N.

Example
If Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTP host fields within the given time segment are displayed, as shown in Figure 8-28.
Figure 8-28 Top N Requested Host

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.
Step 2 Click the Top N Requested Host tab.
Step 3 Set query parameters.
Step 4 Click Search.
Top N HTTP host fields that meet search conditions are displayed.
Step 5 Optional: Open or save the query results as files, or send queried reports to the specified
email address.

Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.

Click the EXCEL icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.

Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.

Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

8.6 Comprehensive Report


8.6.1 Querying Comprehensive Reports
You can query comprehensive reports that summarize various reports by Device or Zone.

Procedure

Query Device-based system reports.

a. Choose Report > Comprehensive Report > Comprehensive Report.

b. Click the System Report tab.

c. Set system report parameters. For details, see Table 8-31.

Table 8-31 System report parameters

Device
  Description: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    Total (Cleaning): Indicates that traffic on all cleaning devices is queried.
    Total (Detecting):
      If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried and the sum of traffic volumes among defense groups is queried.
      If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Cycle Comparison
  Description: Determines whether to display the cycle comparison figure. When Display the cycle comparison figure is selected, the Attack Comparison figure is added to the report. The figure shows the attack count comparison between two consecutive cycles.
  Value:
    Not display the cycle comparison figure: queries the data within the given time segment.
    Display the cycle comparison figure: queries the data within the cycle to which the selected time point belongs. For example, if you set Cycle Type to Week and the time point to 20120807, the data within the week to which August 7, 2012 belongs is queried, and the Attack Comparison chart displays the attack count comparison between that week and the preceding week.

Cycle Type
  Description: Queries the data between two consecutive cycles. Configure this item when Cycle Comparison is set to Display the cycle comparison figure.
  Value: -

Time
  Description: Click the icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
  Value: The end time must be later than the start time and the interval cannot be longer than one year. Configure this item when Cycle Comparison is set to Not display the cycle comparison figure.

Report Format
  Description: Indicates the report format.
  Value: PDF, HTML, or EXCEL.

Report Type
  Description: Indicates the report contents.

d. Click OK. On the file download page that is displayed, open or save the system report.
   If you need to reset the parameters, click Reset.

Query Zone reports.


a.

Choose Report > Comprehensive Report > Comprehensive Report.

b.

Click the Zone Report tab.

c.

Set Zone report parameters. For details, see Table 9-32.

Table 8-32 Zone report parameters


Para
meter

Description

Value

Zone

Click
, select a Zone on the Zone
page that is displayed, and then click

Issue 01 (2015-07-20)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

209

HUAWEI ATIC Management Center


Configuration Guide

Para
meter

8 Report

Description

Value

OK.
Devic
e

Select a device from the drop-down


list. Total Cleaning and Total
Detecting are described as follows:

Total (Cleaning):
Indicates that traffic on all cleaning
devices is queried.

Comp
arison

Total (Detecting):

If two or more detecting devices


in a defense group work in Load
Redundancy mode, the
maximum traffic volume in the
defense group is queried and the
sum of traffic volumes among
defense groups is queried.

If two or more detecting devices


in each defense group work in
Load Balancing mode, the sum
of traffic volumes within each
defense group and among
defense groups is queried.

Determines whether to display the


cycle comparison figure.
The Attack Comparison figure is
added to the Display the cycle
comparison figure report. The figure
shows the attack count comparison
between two consecutive cycles.

Cycle
type

Queries the data between two


consecutive cycles.
When you set Cycle Comparison to
Display the cycle comparison figure,
configure this item.

Time

Click
to select the start time and
end time of statistics. Or you can
change the time values in
corresponding text boxes.

Not display the cycle comparison


figure: queries the data within the
given time segment.

Display the cycle comparison


figure: queries the data within the
cycle type to which the selected
time point belongs.

For example, if you set Cycle Type to


Week and 20120807, the data within
the week to which August 7, 2012
belongs. The Attack Comparison
chart displays the attack count
comparison between the week to which
August 7, 2012 belongs and the last
week.
-

The end time should be later than the


start time and the interval cannot be
longer than one year.
When you set Cycle Comparison to
Not display the cycle comparison
figure, configure this item.


Report Format
  Description: Indicates the report format. The format can be PDF, HTML, or EXCEL.

Report Type
  Description: Indicates the report contents.

d. Click OK. On the file download page that is displayed, open or save the Zone report.
If you need to reset the parameters, click Reset.

----End

8.6.2 Managing Scheduled Task

Through scheduled task creation, the system periodically generates reports and sends them to the specified email box. For a created scheduled task, you can change its status, delete it, or query the task result.
Choose Report > Comprehensive Report > Scheduled Task, and manage scheduled tasks:

Create: Click the create icon to create a scheduled task. For details, see 8.6.2.1 Creating a Scheduled Task.

Modify: Click the modify icon of a scheduled task to modify it. For the parameters, see 8.6.2.1 Creating a Scheduled Task.

State: A scheduled task can be in the Enabled, Suspended, or Expired state.
  - Enabled: Indicates that the system automatically performs the scheduled task when the scheduled time approaches.
  - Suspended: Indicates that the system does not perform the scheduled task when the scheduled time approaches. Click the corresponding status icon to change the status of Suspended tasks to Enabled.
  - Expired: When the scheduled time of the task exceeds Life Cycle, the task expires and the system no longer performs it.

Enable: Click the enable icon of a task in the Suspended state to switch it to Enabled.

Disable: Click the disable icon of a task in the Enabled state to switch it to Suspended.

Result:
  1. Click the result icon of a task.
  2. On the Result page, you can view the execution time and report status of the task. Click the download icon of a report to download the generated report. Click the delete icon of a report to delete the generated report.

Search: Select Plan or State, or enter Name. Then click the search icon. The scheduled tasks meeting the search conditions are displayed in the list. Fuzzy search is supported.

Delete:
  - Delete one task: Click the delete icon of a task in the Operation column to delete the task.
  - Delete tasks in batches: Select the check boxes of multiple tasks and click the delete icon on the upper right of the page to delete the selected tasks.

8.6.2.1 Creating a Scheduled Task

A scheduled task generates reports periodically within the specified life cycle. It helps the user query comprehensive reports and sends the reports to the specified email box periodically.

Prerequisites
If you need to receive the reports by email, you must first configure the mail server in the ATIC Management center. For details, see 9.4.1 Mail Server.

Procedure
Step 1 Choose Report > Comprehensive Report > Scheduled Task.
Step 2 On the Scheduled Task List page, click the create icon to create a scheduled task.
Step 3 Configure scheduled task information. For details, see Table 8-33.
Table 8-33 Creating a scheduled task

Name
  Description: Identifies the name of a task for easy search.
  Setting: It cannot contain spaces or the characters "'", "|", "\", ",", "<", ">", "&", ";", """, and "%". The value contains a maximum of 32 characters and cannot start with null.

Plan
  Description: Indicates the execution period of the task.

Run Time
  Description: Indicates the execution time of the task.

Life Cycle
  Description: Indicates the validity period of a task. The task becomes invalid when it expires.
  Setting: For example, if you set the life cycle from 2010-12-8 00:00:00 to 2011-12-8 23:59:59, and the Plan time for the task to 00:00 on the 8th day of each month, the system generates reports at 00:00 on the 8th day of each month from 2010-12-8 00:00:00 to 2011-12-8 23:59:59.

Report Format
  Description: Indicates the format for exporting the report. Multiple formats are available.
  Setting: You need to select at least one format.

Description
  Description: Indicates the description of a task.
  Setting: Its length cannot exceed 255 characters.

The data queried for system reports and Zone reports is as follows:
- If the task is performed daily, data of the last day is obtained.
- If the task is performed weekly, data of the last week is obtained.
- If the task is performed monthly, data of the last month is obtained.
- If the task is performed yearly, data of the last year is obtained.

Step 4 Click OK.
Step 5 Configure the task contents, that is, the reports to be generated periodically.
You need to select at least one of the system report and the Zone report.
- Select the system report: Click the System Report tab, select the Device and the report types to be queried, and fill in the email address. The generated system reports will be sent to this email address.
- Select the Zone report: Click the Zone Report tab, select the Device and the report types to be queried, and fill in the email address. The generated Zone reports will be sent to this email address. Before selecting Send to a user-defined email box, ensure that an email address has been configured for the Zone objects. For details, see 6.1.1 Adding a Zone.
Step 6 Click OK.
----End

Follow-up Procedure
You can view or download reports generated by the scheduled task by performing 8.6.3 Downloading Report.
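The period arithmetic behind the Time parameter (the cycle containing a selected point, and the previous cycle compared in the Attack Comparison chart), the one-year interval limit, and the data window a scheduled task queries before each run, worked through in an added Python example that is not part of the guide; it assumes a Monday-to-Sunday week, which the guide does not state.

```python
"""Report-period arithmetic for the comprehensive reports described above.

Added example, not Huawei code. It models the cycle to which a selected
time point belongs (and the previous cycle shown in the Attack Comparison
chart), the one-year limit on a query interval, and the data window that a
scheduled task queries before each run within its Life Cycle.
Assumption: a week runs from Monday to Sunday; the guide does not say.
"""
from datetime import date, datetime, timedelta
import calendar

CYCLE_TYPES = ("day", "week", "month", "year")


def parse_cycle_point(text):
    """Parse a time point in the guide's compact form, e.g. "20120807"."""
    return datetime.strptime(text, "%Y%m%d").date()


def parse_time(text):
    """Parse a Life Cycle bound in the guide's form, e.g. "2010-12-8 00:00:00"."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def cycle_window(cycle_type, point):
    """Inclusive (start, end) dates of the cycle of `cycle_type` containing `point`."""
    if cycle_type == "day":
        return point, point
    if cycle_type == "week":
        start = point - timedelta(days=point.weekday())  # Monday start (assumption)
        return start, start + timedelta(days=6)
    if cycle_type == "month":
        last_day = calendar.monthrange(point.year, point.month)[1]
        return point.replace(day=1), point.replace(day=last_day)
    if cycle_type == "year":
        return date(point.year, 1, 1), date(point.year, 12, 31)
    raise ValueError(f"unknown cycle type {cycle_type!r}; use one of {CYCLE_TYPES}")


def previous_cycle(cycle_type, point):
    """The cycle immediately before the one containing `point`."""
    start, _ = cycle_window(cycle_type, point)
    return cycle_window(cycle_type, start - timedelta(days=1))


def comparison_windows(cycle_type, point):
    """Windows compared by the Attack Comparison chart, as ISO date strings:
    ((current_start, current_end), (previous_start, previous_end))."""
    current = cycle_window(cycle_type, point)
    previous = previous_cycle(cycle_type, point)
    return tuple(tuple(d.isoformat() for d in w) for w in (current, previous))


def time_range_ok(start, end):
    """Time parameter rule: end later than start, interval at most one year."""
    if end <= start:
        return False
    try:
        limit = start.replace(year=start.year + 1)
    except ValueError:            # start falls on 29 February
        limit = start.replace(year=start.year + 1, day=28)
    return end <= limit


def scheduled_report_window(plan, run_at):
    """Data a scheduled run queries: the whole previous day/week/month/year."""
    return tuple(d.isoformat() for d in previous_cycle(plan, run_at.date()))


def monthly_run_times(life_start, life_end, day_of_month, hour=0, minute=0):
    """Run times of a monthly Plan that fall inside the Life Cycle (inclusive)."""
    runs = []
    year, month = life_start.year, life_start.month
    while datetime(year, month, 1) <= life_end:
        # Months too short for day_of_month (e.g. the 31st in February) are skipped.
        if day_of_month <= calendar.monthrange(year, month)[1]:
            run = datetime(year, month, day_of_month, hour, minute)
            if life_start <= run <= life_end:
                runs.append(run)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs


if __name__ == "__main__":
    print(comparison_windows("week", parse_cycle_point("20120807")))
    runs = monthly_run_times(parse_time("2010-12-8 00:00:00"),
                             parse_time("2011-12-8 23:59:59"), 8)
    print(len(runs), runs[0], runs[-1])
    print(scheduled_report_window("month", runs[1]))
```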

8.6.3 Downloading Report

You can view and download reports generated by scheduled tasks, and also perform management operations such as searching for and deleting reports.
Choose Report > Comprehensive Report > Report Download, and manage the generated reports.

Download: Click the download icon of a report in the Operation column to view and download the report.

Search: Enter the name of the report to be searched for in the Report Name text box and click the search icon. Reports meeting the search conditions are displayed in the list. Fuzzy search is supported.

Delete:
  - Delete one report: Click the delete icon of a report in the Operation column to delete the report.
  - Delete reports in batches: Select the check boxes of multiple reports and click the delete icon on the upper left of the page to delete the selected reports.

8.7 Report Customization

8.7.1 Customizing Report-Related Information
You can customize the carrier name and logo.

Procedure
Step 1 Choose Report > Report Customization > Report Customization.
Step 2 Specify the carrier name and select the logo image file in Report Customization. Then click OK.
After the configuration, the customized carrier name and logo are printed in all reports.
----End

8.7.2 Configuring IP Description

Configuring an IP description makes the description of an IP address visible in the IP description report, for easy management.

Operation
Choose Report > Report Customization > IP Address Description to manage IP descriptions.

Create: Click the create icon to create an IP description. For details, see Creating an IP Description.

Modify: Click the modify icon of the IP description to be modified.

Delete:
  - Delete an IP description: Click the delete icon in the Operation column to delete the IP description.
  - Delete IP descriptions in batches: Select the check boxes of multiple IP descriptions and click the delete icon above the list to delete the selected IP descriptions. Select the check box on the title bar and click the delete icon above the list to delete all IP descriptions.

Import:
  1. Click the import icon.
  2. On the Import IP Address Description Entry page, click the download link to download a template to the local host, enter the parameters, and save the template.
  3. On the Import IP Address Description Entry page, click Browse..., select the completed template, and click OK.
  Imported IP descriptions are displayed in the IP description list.

Export:
  1. Select one or multiple IP descriptions and click the export icon.
  2. On the File Download page, click Open to view the IP description list or click Save to save the list to the local host.

Export All:
  1. Click the export all icon.
  2. On the File Download page, click Open to view the IP description list or click Save to save the list to the local host.

Search: Enter the IP address or description of the IP description to be queried and click the search icon to display the IP descriptions matching the given conditions.

Creating an IP Description
Step 1 Choose Report > Report Customization > IP Address Description.
Step 2 On the IP Address Description page, click the create icon.
Step 3 Enter an IP address and its description and click OK.
The description is a string of not more than 255 characters.
After an IP description is created, both the IP address and the description are displayed in the report.
----End


9 System Management

About This Chapter

9.1 Configuring the System Administrators
Configuring the system administrators helps guarantee the security of the ATIC Management center and its data more effectively.
9.2 System Maintenance
This section describes the configurations of performance monitoring, operation log dumping, antiDDoS data maintenance, and system backup.
9.3 Log Management
You can query system operation logs, device operation logs, and syslog interworking logs.
9.4 Notification Server

9.1 Configuring the System Administrators

Configuring the system administrators helps guarantee the security of the ATIC Management center and its data more effectively.

9.1.1 Introduction to System Administrators

Configuring the system administrators covers the system security policy, permission- and domain-specific management of the ATIC Management center, restriction of the IP addresses that may access the ATIC Management center, and real-time monitoring and management of online administrators.
The system security policy contains the password policy, session timeout duration, and login policy.

- The password policy defines the minimum length and complexity of the passwords of the system administrators.

- The session timeout duration is the period of inactivity after which the session between the system administrator and the ATIC Management center is interrupted. Any operation of the system administrator on the ATIC Management center resets the timeout counter. If the system administrator performs no operation within the timeout duration after logging in to the ATIC Management center, the current session is interrupted because of timeout, and the system administrator must log in to the ATIC Management center again to perform further operations.

- The login policy defines whether an account is locked after its password has been entered incorrectly a certain number of consecutive times within 10 minutes, and when a locked account is unlocked automatically.

The permission/domain management of the ATIC Management center and the restriction of the IP addresses that access it are implemented by configuring administrator groups and administrators as follows:

- Administrator groups are collections of operation permissions. You can assign an administrator group to an administrator so that the administrator obtains the permissions of that group. The ATIC Management center provides three default administrator groups, namely the administrator, operator, and auditor groups.

- The system provides the default administrator admin. The default administrator has all operation permissions, can manage all resources, and cannot be modified. You can create a new administrator and select an administrator group and resources for it to implement permission/domain-specific management of the ATIC Management center.

- You can select the IP address segments from which an administrator may access the ATIC Management center, thereby restricting the IP addresses that can access it.

9.1.2 Managing Administrators

The system provides one default administrator, admin. The default administrator has all permissions, can manage all resources, and can log in to the ATIC Management center from any IP address. To implement permission/domain-specific management of the ATIC Management center, you can create administrators and modify, lock, unlock, or delete them.
Choose System > System Administrators > Administrators, and manage the administrators.

Create: Click the create icon to create an administrator. For details about this operation, see 9.1.2.1 Creating an Administrator.

Modify: Click the modify icon corresponding to the administrator to modify its authentication mode, password, description, associated administrator group, managed resources, and allowed IP address segment. For details about this operation, see 9.1.2.2 Modifying an Administrator Group.

Lock: To restrict the login of an administrator to the ATIC Management center, select the administrator and click the lock icon. After the administrator is locked, its status becomes Locked. You can restrict only the next login of the selected administrator.
  NOTE
  This operation requires that the current administrator has the permission to lock an administrator.
  The default administrator admin cannot be locked manually.

Unlock: Select the locked administrator and click the unlock icon to unlock the administrator.
  NOTE
  This operation requires that the current administrator has the permission to unlock an administrator.

Delete: Select one or more administrators and click the delete icon to delete the selected administrators.
  NOTE
  This operation requires that the current administrator has the permission to delete an administrator.
  An online administrator and the default administrator admin cannot be deleted.

View: Click the user name of an administrator to view its description, associated administrator group, managed resources, and allowed IP address segment.

Status: A created administrator is in the Unlocked state by default. The administrator is in the Locked state in the following situations and cannot log in to the ATIC Management center:
  - According to the configured system security policy, the ATIC Management center can automatically lock a user. The user is unlocked automatically when the specified time is reached, or is manually unlocked by the default administrator admin or another administrator who has the unlock permission. For details about this situation, see 9.1.5 Configuring the System Security Policy.
  - The default administrator admin or another administrator who has the lock permission can manually lock an illegal user. A user that is manually locked can only be unlocked manually by the default administrator admin or another administrator who has the unlock permission.

9.1.2.1 Creating an Administrator

When you need to perform permission/domain-specific management of the ATIC Management center, you can create an administrator, select an administrator group so that the administrator obtains the permissions of that group, select the resources, and set the IP address segment from which the administrator can log in to the ATIC Management center.

Context
Only the default administrator admin can perform one-click alarm clearing, configuration restoration, and all deployment and public configurations.

Procedure
Step 1 Choose System > System Administrators > Administrators.
Step 2 Click the create icon.
Step 3 Set the parameters of the new administrator, as described in Table 9-1.
Table 9-1 Parameters of the new administrator

Username
  Description: User name for logging in to the ATIC Management center. After an administrator is created, its user name cannot be changed.

Authentication Mode
  Description: Mode for authenticating the login of a system administrator to the ATIC Management center.
  Value:
  - Password authentication is a local authentication mode in which the user name and password are specified directly on the ATIC Management center server. Advantages of password authentication: high speed and low operation expenditure. Disadvantages of password authentication: lower security, and storage capacity limited by the hardware of the ATIC Management center server.
  - RADIUS authentication means that the user information is configured on the Remote Authentication Dial In User Service (RADIUS) server; the ATIC Management center acts as the RADIUS client and performs remote authentication through the RADIUS protocol. Advantages of RADIUS authentication: high security and reliability when a third-party server is used for authentication, because it supports a retransmission mechanism and a standby server. Disadvantages of RADIUS authentication: higher operation expenditure, as it requires the deployment of a RADIUS server.
  NOTE
  When RADIUS authentication is adopted, you need to configure the RADIUS server. For details, see 9.1.6 Configuring the Authentication Server.

Password
  Description: Password for logging in to the ATIC Management center when password authentication is used.
  Value: By default, the password must contain at least eight characters and must contain letters, digits, and special characters at the same time. The actual requirement is subject to the password policy configured in the system security policy. For details, see 9.1.5 Configuring the System Security Policy.

Confirm password
  Description: Enter the password again. The two passwords must be identical.
  Value: The value must be the same as that in Password.

Description
  Description: Brief description of the administrator, helping to identify the administrator.
Step 4 Configure the permissions, resources, and allowed IP address segment for the administrator.
By default, the administrator has no associated administrator group and no resources, and can access the ATIC Management center from any IP address. You must assign an administrator group to the administrator, and select the resources and IP address segment as required.

- Click the Select Administrator Group tab, and select an administrator group for the administrator. When multiple administrator groups are selected, the permission of the administrator is the union of the permissions of all the selected administrator groups.

- Click the Select Resource tab, and select manageable resources according to Resource Type.

- Click the Select Login Network Segment tab. Perform the following operations to configure the IP address segment list and then select one allowed IP address segment for the administrator.
  - Click the create icon, set Start IP address, End IP address, and Description, and click OK.
  - Select an IP address segment, click the modify icon to modify Start IP address, End IP address, and Description, and then click OK.
  - Select the IP address segment to be deleted and click the delete icon to delete it.

Step 5 Click OK.
The newly created administrator is displayed in Administrators.
----End

Follow-up Procedure
When RADIUS authentication is adopted for the administrator, you need to configure the RADIUS server. For details, see 9.1.6 Configuring the Authentication Server.

9.1.2.2 Modifying an Administrator Group

The current administrator can modify the description and permission set of a non-default administrator group as required. When the administrator group has associated users, the permissions of these users are also modified after the administrator group permission is modified. The modification of user permissions takes effect upon the next login.

Context
The three default administrator groups, administrator, operator, and auditor, cannot be modified.

Procedure
Step 1 Choose System > System Administrators > Administrators.
Step 2 Click the modify icon corresponding to the administrator group to be modified.
Step 3 On the Modify Administrator page, change the basic information about the administrator. Table 9-1 lists the parameters.
Step 4 Change the administrator's permissions, manageable resources, and the IP address segments from which the administrator is allowed to log in to the ATIC Management center.
- Click the Select Administrator Group tab and select the required administrator group in the administrator group list. When you select multiple administrator groups, the permission of the administrator is the union of the permissions of all selected administrator groups.
- Click the Select Resource tab and select the manageable resources.
- Click the Select Login Network Segment tab and select the IP address segment from which the administrator is allowed to log in to the ATIC Management center.
After an administrator's permission is modified, the permission takes effect only after the administrator logs in again. However, the manageable resources take effect immediately after being modified, without requiring the administrator to log in again.
Step 5 Click OK.
----End

9.1.3 Managing Administrator Groups

Different administrator groups have different permission sets. You need to select the owning administrator group for the administrator to be created, so that the administrator obtains the permissions of this administrator group. The ATIC Management center provides three default administrator groups, namely the administrator, operator, and auditor groups. These three default administrator groups cannot be modified or deleted.
Choose System > System Administrators > Administrator Groups, and manage the administrator groups.

Create: Click the create icon to create an administrator group. For details about this operation, see 9.1.3.1 Creating an Administrator Group.

Modify: Click the modify icon corresponding to the administrator group to modify its description and permission set. For details about this operation, see 9.1.3.2 Modifying an Administrator Group. When the administrator group has associated administrators, the permissions of these administrators are also modified after the administrator group permission is modified. The modification of administrator permissions takes effect upon the next login.

Delete: Select one or more administrator groups, and click the delete icon to delete the selected administrator groups. An administrator group can be deleted only when it has no associated administrator.

View: Click the name of the administrator group to view its description and permission set.

Associated Administrators: Click the number of administrators associated with an administrator group to view the information about these associated administrators.

9.1.3.1 Creating an Administrator Group

The system provides three default administrator groups, namely, the administrator, operator, and auditor groups. When the permissions of the default administrator groups cannot meet the permission assignment requirements, the current administrator can create a new administrator group as required.

Procedure
Step 1 Choose System > System Administrators > Administrator Groups.
Step 2 Click the create icon.
Step 3 Configure the basic information and permission set for the new administrator group.
Enter the name and information about the administrator group in Name and Description respectively. Select the permissions in the Permission Set navigation tree.
Step 4 Click OK.
----End

9.1.3.2 Modifying an Administrator Group

The current administrator can modify the description and permission set of a non-default administrator group as required. When the administrator group has associated users, the permissions of these users are also modified after the administrator group permission is modified. The modification of user permissions takes effect upon the next login.

Context
The three default administrator groups, administrator, operator, and auditor, cannot be modified.

Procedure
Step 1 Choose System > System Administrators > Administrator Groups.
Step 2 Click the modify icon corresponding to the administrator group to be modified.
Step 3 Modify the description or permission set of the administrator group on the Modify Administrator Group page.
Enter information about the administrator group in Description, and select the permissions in the Permission Set navigation tree.
Step 4 Click OK.
----End

9.1.4 Managing Online Administrators

To prevent an illegal administrator from using the ATIC Management center, you can monitor the online administrators in real time and forcibly log off illegal administrators.

Prerequisites
- To view the online administrators, the current administrator must have the permission to view online administrators.
- To forcibly log off an online administrator, the current administrator must have the permission to forcibly log off online administrators.

Context
A session is the connection set up between the browser and the server. One administrator can have multiple sessions. The forcible logoff operation applies only to the session concerned. For example, administrator user logs in to the same server from clients A and B and generates sessions a and b. When you forcibly log off administrator user from session a, session b of administrator user is not affected.

Procedure
Step 1 Choose System > System Administrators > Online Administrator.
Step 2 Do as follows to view the online administrators and their login information on the Online Administrators page.
- Click the refresh icon in the upper right corner of the page. The latest online administrators and their login information are displayed.
- To forcibly log off an online administrator, select the administrator and click the logoff icon. In the displayed confirmation dialog box, click OK.
----End

9.1.5 Configuring the System Security Policy

The system security policy contains the password policy, login policy, and session timeout duration. Configuring the system security policy improves system security.

Procedure
Step 1 Choose System > System Administrators > Security Policy.
Step 2 Click the modify icon.
Step 3 Set the security policy parameters on the Modify Security Policy page, as described in Table 9-2.
Table 9-2 Security policy parameters

Minimum length
  Description: Minimum length of the password, preventing passwords that are too short.
  Value: Default value: 8 characters. You are not advised to set Minimum length to 1 character. Otherwise, the password is easy to crack.

Complexity
  Description: Complexity of the password, preventing passwords that are too simple.
  Value: Default value: must contain letters, digits, and special characters at the same time. Do not set Complexity to No limit. Otherwise, the password is easy to crack.

Set a validity period for the password
  Description: Indicates the validity period of the administrator password. Setting a password validity period forces the administrator to change the password before the period ends.
  Value: This function is disabled by default. You are advised to change the password periodically. Otherwise, the password is easy to crack.

Useful-life (days)
  Description: Indicates the validity period of the administrator password, in days.
  Value: Default value: 60.

Timeout (minutes)
  Description: If the online user performs no operation within this timeout duration, the system displays a timeout message upon the next operation. In this case, click OK to return to the login page.
  Value: Default value: 30.

Allow Intercurrent Login
  Description: Multiple administrators are allowed to log in at the same time.
  Value: Default value: Disabled.

Incorrect password lock
  Description: After the incorrect password lock is enabled, the administrator is locked when its password is entered incorrectly more than Allowed attempts times within 10 minutes.
  NOTE
  After the administrator is locked, it can be manually unlocked by the default administrator admin or another administrator who has the unlock permission, or automatically unlocked after the lock time is up.
  Value: Default value: Enabled. You are advised to enable this function. Otherwise, the password is easy to crack.

Allowed attempts
  Description: Number of consecutive incorrect password entries allowed. When the number of errors reaches the specified value, the ATIC Management center automatically locks the account. You can set this parameter only after the incorrect password lock is enabled.
  Value: Default value: 5.

Lock mode
  Description: Indicates how the system handles an account when the number of failed login attempts reaches the upper limit. The available modes are Lock permanently and Lock (minutes).
  Value: Default value: 3.

Lock permanently
  Description: If this item is specified, the system permanently locks the account when the number of failed login attempts reaches the upper limit. In such a case, the account can be unlocked only by another administrator.

Lock (minutes)
  Description: Period for which the administrator is locked. When the lock time is up, the administrator is automatically unlocked. This parameter is valid only for the automatic lock. If the administrator is locked manually, it can only be unlocked manually. You can set this parameter only after the incorrect password lock is enabled.
  Value: Default value: 3. For example, because the administrator test enters incorrect passwords more than Allowed attempts times, the administrator is locked automatically. If Lock (minutes) is set to 3, the administrator is unlocked automatically three minutes later.

Step 4 Click OK.
----End
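The password and lockout rules of Table 9-2, worked through in an added Python example that is not Huawei's code or the ATIC implementation; the class names, the rule that the lock triggers when the count of failures within 10 minutes reaches Allowed attempts, and the clock helper are this example's own assumptions.

```python
"""Password and lockout policy check modelled on Table 9-2.

Added example, not Huawei code and not the ATIC implementation. It encodes
the defaults the table states (Minimum length 8; letters, digits and special
characters required; Allowed attempts 5 within 10 minutes; Lock (minutes) 3
or Lock permanently; a manual lock is released only manually; admin cannot be
locked manually). Class names, the rule that the lock triggers when the
failure count reaches Allowed attempts, and the clock handling are this
example's assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

FAILURE_WINDOW = timedelta(minutes=10)   # "within 10 minutes" in the table
PERMANENT = datetime.max                  # sentinel for Lock permanently
T0 = datetime(2015, 7, 20, 9, 0, 0)       # constructed reference time for demos


def minutes_after(m):
    """Constructed clock helper: T0 plus `m` minutes."""
    return T0 + timedelta(minutes=m)


@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    complexity: bool = True   # False corresponds to Complexity = No limit

    def check(self, password):
        """Return the violated rules; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.minimum_length:
            problems.append(f"shorter than {self.minimum_length} characters")
        if self.complexity:
            if not any(c.isalpha() for c in password):
                problems.append("no letter")
            if not any(c.isdigit() for c in password):
                problems.append("no digit")
            if not any(not c.isalnum() for c in password):
                problems.append("no special character")
        return problems


@dataclass
class LockoutPolicy:
    enabled: bool = True              # Incorrect password lock
    allowed_attempts: int = 5         # Allowed attempts
    lock_minutes: Optional[int] = 3   # Lock (minutes); None means Lock permanently


@dataclass
class Account:
    name: str
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None
    manually_locked: bool = False

    def is_locked(self, now):
        """Manual locks never expire; automatic locks expire at locked_until."""
        if self.manually_locked:
            return True
        if self.locked_until is None:
            return False
        if now >= self.locked_until:          # lock time is up: automatic unlock
            self.locked_until = None
            self.failures.clear()
            return False
        return True


def record_failure(account, policy, now):
    """Record one incorrect password at `now`; return True if the account is locked."""
    if account.is_locked(now):
        return True
    # Only failures inside the sliding 10-minute window count.
    account.failures = [t for t in account.failures if now - t < FAILURE_WINDOW]
    account.failures.append(now)
    if policy.enabled and len(account.failures) >= policy.allowed_attempts:
        if policy.lock_minutes is None:
            account.locked_until = PERMANENT
        else:
            account.locked_until = now + timedelta(minutes=policy.lock_minutes)
        return True
    return False


def manual_lock(account):
    """Lock by an administrator with the lock permission; admin is exempt."""
    if account.name == "admin":
        return False
    account.manually_locked = True
    return True


def manual_unlock(account):
    """Unlock by an administrator with the unlock permission; clears both lock kinds."""
    account.manually_locked = False
    account.locked_until = None
    account.failures.clear()
    return True
```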

9.1.6 Configuring the Authentication Server


The authentication server needs to be correctly configured if administrator authentication uses
the Remote Authentication Dial-In User Service (RADIUS).

Prerequisites
An authentication server is available.

Procedure
Step 1 Choose System > System Administrators > Authentication Server.
Step 2 Click

Step 3 On the Modify RADIUS Server page, set the RADIUS server parameters listed in Table 9-3.
Table 9-3 Configuring the RADIUS server

Auth mode
  Description: Mode the RADIUS server uses to authenticate administrators.
  Value:
  PAP: the password itself is submitted, in a two-way handshake; RADIUS hides it only with an MD5 keystream derived from the shared key. Compared with CHAP, PAP is more efficient but less secure.
  CHAP: the password is never sent; the client answers a challenge with an MD5 response, in a three-way handshake. Compared with PAP, CHAP is more secure but less efficient.
  The main and spare RADIUS servers must use the same authentication method.

Main IP address
  Description: IP address of the main RADIUS server.

Spare IP address
  Description: IP address of the spare RADIUS server.

Port
  Description: Port of the RADIUS server.
  Value: The main and spare RADIUS servers must use the same port.

Shared key
  Description: Secret shared with the RADIUS server. It hides the password in PAP requests and authenticates RADIUS packets (the server's Response Authenticator is an MD5 hash that includes the key), which protects the authentication information in transit.
  Value: To authenticate the involved parties, the shared key must be identical to the key configured on the RADIUS server. The main and spare RADIUS servers must use the same shared key. Use a long random key; a short or guessable key lets anyone capturing the traffic recover PAP passwords offline.

Step 4 Click OK.


----End
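The following script is an added example for this guide, not code from Huawei or from the ATIC Management center; it shows, using the RADIUS definitions in RFC 2865, what the Auth mode and Shared key settings of Table 9-3 mean on the wire. With PAP the password itself is placed in the User-Password attribute, hidden only by an MD5 keystream derived from the shared key and the 16-byte Request Authenticator, so anyone who captures the packet and knows or guesses the shared key recovers it. With CHAP only MD5(ident, password, challenge) is sent. In both modes the server's Response Authenticator is an MD5 hash that includes the shared key, which is how the ATIC server can tell that an Access-Accept came from a server holding the same key. The shared key, password and authenticator values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def pap_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: User-Password hiding, used when Auth mode is PAP.
    The password is padded to a multiple of 16 bytes and XORed with an MD5
    keystream seeded from the shared key and the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _md5(secret, prev)
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk        # chaining: the next keystream block depends on this ciphertext
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide_password: what the server (or a capturing attacker who has
    the shared key) does with the attribute. Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = _md5(secret, prev)
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return plain.rstrip(b"\x00")


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: value of the CHAP-Password attribute, used when Auth mode
    is CHAP: ident || MD5(ident || password || challenge). The password never travels."""
    ident_byte = bytes([ident & 0xFF])
    return ident_byte + _md5(ident_byte, password, challenge)


def chap_verify(attr_value: bytes, password: bytes, challenge: bytes) -> bool:
    """Server-side check of a received CHAP-Password value against the stored password."""
    if len(attr_value) != 17:
        return False
    expected = chap_password_attr(attr_value[0], password, challenge)
    return hmac.compare_digest(attr_value, expected)


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    Length covers the 20-byte header plus the attributes."""
    length = 20 + len(attributes)
    return _md5(struct.pack("!BBH", code, ident, length), request_auth, attributes, secret)


def reply_is_genuine(code: int, ident: int, attributes: bytes, request_auth: bytes,
                     reply_auth: bytes, secret: bytes) -> bool:
    """A reply whose authenticator does not verify was not built with the same shared key."""
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    return hmac.compare_digest(reply_auth, expected)


if __name__ == "__main__":
    # Constructed sample values; a real client draws the Request Authenticator from os.urandom(16).
    secret, password, req_auth = b"atic-radius-key", b"Adm1n!Passw0rd", os.urandom(16)

    hidden = pap_hide_password(password, secret, req_auth)
    print("PAP User-Password on the wire:", hidden.hex())
    print("recovered with the shared key :", pap_reveal_password(hidden, secret, req_auth))

    challenge = os.urandom(16)
    chap = chap_password_attr(7, password, challenge)
    print("CHAP-Password value:", chap.hex(), "verifies:", chap_verify(chap, password, challenge))

    accept_auth = response_authenticator(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    print("Access-Accept genuine :", reply_is_genuine(ACCESS_ACCEPT, 7, b"", req_auth, accept_auth, secret))
    print("forged with wrong key :", reply_is_genuine(ACCESS_ACCEPT, 7, b"", req_auth, accept_auth, b"wrong"))
```

Run it directly to see the PAP value recovered with the key and the CHAP response verified. The practical point for Table 9-3: a weak shared key turns every captured PAP Access-Request into an offline crack of the administrator password, so choose a long random shared key and prefer CHAP where the RADIUS server supports it.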

9.2 System Maintenance


This section describes the configuration of performance monitoring, operation log and alarm dumping, anti-DDoS data maintenance, and system backup.

9.2.1 Performance Monitoring


Monitoring the system performance means monitoring the server and database information. You monitor system performance by setting usage thresholds for each item of the server, so that anomalies are discovered and rectified as early as possible and system operation can be optimized.

Procedure
Step 1 Choose System > System Maintenance > Performance Monitoring.
Step 2 Set the usage thresholds for the server.
1. Click the modify button in the Threshold Settings group box.
2. The Modify Threshold page is displayed. Set the usage thresholds for the server on this page. Table 9-4 lists the default thresholds.

Table 9-4 Default thresholds
  CPU usage threshold: 90%
  Memory usage threshold: 90%
  Disk usage threshold: 90%
  Database usage threshold: 90%

3. Click OK.
   When the thresholds have been modified successfully, you return to the System Performance page.

Step 3 Monitor the server and database performance in the System Performance group box, as described in Table 9-5.
The system collects the server and database performance data periodically.

Table 9-5 Monitoring the server and database performance

CPU
  If the CPU usage has exceeded the threshold in three consecutive samples, the ATIC Management center generates an alarm. When the CPU usage drops below the threshold, the alarm is cleared automatically. The red line in the chart represents the threshold.

Memory
  If the memory usage has exceeded the threshold in three consecutive samples, the ATIC Management center generates an alarm. When the memory usage drops below the threshold, the alarm is cleared automatically. The red line in the chart represents the threshold.

Disk
  If the disk usage exceeds the threshold, the ATIC Management center generates an alarm. When the disk usage drops below the threshold, the alarm is cleared automatically.

Database
  The MySQL database grows automatically with the amount of data, so check whether the used capacity is becoming too large. If the database runs out of disk space, neither the database nor the ATIC Management center operates properly.

----End
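The following script is an added example, not part of this guide or of the product; it replays the alarm rule of Table 9-5 over constructed sample series so you can check how the "three consecutive times" condition behaves, for instance before feeding the same data into an external monitoring system. The sample values and the two interpretations noted in the docstring (strictly greater than the threshold counts as exceeding it; the alarm clears on the first sample at or below it) are the example's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ThresholdMonitor:
    """Replays the alarm rule of Table 9-5 for one monitored item.

    consecutive is the number of successive samples above the threshold needed to raise
    the alarm: 3 for CPU and memory, 1 for disk. Two assumptions: 'exceeds' means strictly
    greater than the threshold, and the alarm clears on the first sample at or below it."""
    name: str
    threshold: float
    consecutive: int = 3
    over_count: int = 0
    active: bool = False
    events: List[str] = field(default_factory=list)

    def feed(self, usage: float) -> Optional[str]:
        """Feed one periodic sample; return the event it produced, if any."""
        if usage > self.threshold:
            self.over_count += 1
            if not self.active and self.over_count >= self.consecutive:
                self.active = True
                return self._event(f"{self.name} usage {usage:.0f}% exceeded {self.threshold:.0f}% "
                                   f"in {self.over_count} consecutive samples: ALARM")
            return None
        self.over_count = 0                 # a single good sample restarts the count
        if self.active:
            self.active = False
            return self._event(f"{self.name} usage {usage:.0f}% back below threshold: CLEARED")
        return None

    def _event(self, text: str) -> str:
        self.events.append(text)
        return text


def replay(name: str, threshold: float, consecutive: int, samples: List[float]) -> List[str]:
    """Run a sample series through a fresh monitor and return the events in order."""
    monitor = ThresholdMonitor(name, threshold, consecutive)
    return [e for e in (monitor.feed(s) for s in samples) if e]


if __name__ == "__main__":
    # Constructed sample series: a two-sample spike (no alarm), a sustained overload, recovery.
    for line in replay("CPU", 90, 3, [95, 96, 40, 92, 93, 94, 97, 55]):
        print(line)
    for line in replay("Disk", 90, 1, [89, 91, 85]):     # disk alarms on the first breach
        print(line)
```

The CPU series raises exactly one alarm (at the third consecutive sample over 90%) and one clear; the two-sample spike at the start never becomes an alarm, which is the behaviour the table describes and the reason short spikes do not page anyone.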

9.2.2 Dumping the Operation Logs


After you set the period for dumping operation logs, the system automatically dumps the operation logs from the ATIC Management center database to the specified directory on the ATIC Management center server at that period. This reduces the number of records the database must hold and improves the operating efficiency of the ATIC Management center.

Context
The dumped operation logs are saved to the Installation directory/Runtime/LegoRuntime/datastorage/sysoptlog path on the ATIC Management center server. You can set the dump period for the logs and the number of recent days for which logs are kept. For example, if the dump period is set to 30 days, logs of the most recent 90 days are kept, and the dump is set to start at 02:00:00, the ATIC Management center dumps the operation logs generated more than 90 days ago, the database deletes the dumped logs and keeps only the operation logs of the most recent 90 days, and the next dump runs 30 days after the last one. Between two dumps the database therefore holds up to 90 plus 30 days of logs.

Procedure
Step 1 Choose System > System Maintenance > Log Dump.
Step 2 Click the modify button in the Modify Dump Parameter area.
Step 3 Set the log dumping parameters, as described in Table 9-6.

Table 9-6 Log dumping parameters

Dumped schedule
  Description: Time of day at which the ATIC Management center automatically dumps operation logs. Default value: 02:00:00.
  Recommended value: A time at which the ATIC Management center is idle, for example, 02:00:00.

Dump period (days)
  Description: Interval after which the ATIC Management center runs the next dump. Default value: 30 days.
  Recommended value: If the dump period is set to 30 days, the ATIC Management center dumps logs once every 30 days.

Reserve recent data records (days)
  Description: Logs generated within this many recent days are kept in the database. Default value: 90 days.
  Recommended value: By default, the ATIC Management center dumps the records generated more than 90 days ago and the database then deletes them.

File format
  Description: Format of the dump file.

Language
  Description: Language of the dump file. Default value: English.
  Recommended value: If the dump language is English, the dumped operation logs are recorded in English.

Step 4 Click OK.


----End

Result
When the dump period has elapsed and the scheduled dump time arrives, the ATIC Management center automatically dumps the operation logs to the Installation directory/Runtime/LegoRuntime/datastorage/sysoptlog path on the ATIC Management center server. Dumped logs are no longer displayed under System Logs; they exist only as files in that directory. To view them, download the dump file to the client and open it in a text editor.

Follow-up Procedure
1. View the dumping records in the Historical Dumps area.
2. (Optional) Click the compression package of the dumped logs to save it to a path of your choice on the client.
3. (Optional) Select the dumped logs that no longer need to be kept and click the delete button to remove them from the ATIC Management center server. Once a dump file is deleted from the server, that part of the audit trail is gone, so copy dump files to your log archive before deleting them.

9.2.3 Dumping the Alarms


When the number of past alarms stored in the ATIC Management center database exceeds the threshold, the performance of the ATIC Management center degrades and it may even break down. The alarm dump function writes the events and historical alarms held in the database to files in a specified folder, which reduces the load on the ATIC Management center and improves its performance.

Context
The ATIC Management center dumps the alarms stored in the database to the File dump path displayed on the interface, at the specified dump period. You can set the dump period and the number of recent days for which alarms are kept. For example, if the dump period is set to 30 days, alarms of the most recent 90 days are kept, and the dump is set to start at 02:00:00, the ATIC Management center dumps the alarms generated more than 90 days ago, the database deletes the dumped alarms and keeps only the alarms of the most recent 90 days, and the next dump runs 30 days after the last one.

Procedure
Step 1 Choose System > System Maintenance > Alarm Dump.
Step 2 Click the modify button in the Dump Settings area.
Step 3 Set the alarm dump parameters, as described in Table 9-7.

Table 9-7 Setting the alarm dump parameters

Dumped schedule
  Description: Time of day at which the ATIC Management center starts to dump alarms automatically. Default value: 02:00:00. The time is in the format HH:MM:SS.
  Recommended value: A time at which the ATIC Management center is idle.

Dump period (days)
  Description: Interval after which the ATIC Management center runs the next alarm dump. Default value: 30 days.
  Recommended value: If the dump period is set to 30 days, the ATIC Management center dumps alarms once every 30 days.

Reserve recent data records (days)
  Description: Alarms generated within this many recent days are kept in the database. Default value: 90 days.
  Recommended value: By default, the ATIC Management center dumps the records generated more than 90 days ago and the database then deletes them.

File format
  Description: Format of the dump file.
  Recommended value: -

Language
  Description: Language of the dump file. Default value: English.

Step 4 Click OK.


----End

Result
When the dump period has elapsed and the scheduled dump time arrives, the ATIC Management center automatically dumps the alarms to the File dump path displayed on the interface. Dumped alarms are no longer displayed under Past Alarms; they exist only as files in that directory. To view them, download the dump file to the client and open it in a text editor.

Follow-up Procedure
1. View the dumping records in the Historical Dumps area.
2. (Optional) Click the compression package of the dumped alarms to save it to a path of your choice on the client.
3. (Optional) Select the dumped alarms that no longer need to be kept and click the delete button to remove them from the ATIC Management center server.
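The following script is an added example that is not part of this guide; it models the dump arithmetic shared by 9.2.2 (operation logs) and 9.2.3 (alarms): at each scheduled run, records older than Reserve recent data records are written to file and deleted from the database, and the next run happens Dump period days later. The simulation, with one constructed record per day, shows the consequence for capacity planning: just before a run the database can hold up to Reserve plus Dump period days of records, and a shorter period keeps it close to the reserve window. The reading of "generated N days ago" as strictly earlier than the run time minus N days is the example's assumption, not a statement of the guide.

```python
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Tuple


def next_dump_time(last_run: datetime, period_days: int, schedule: time) -> datetime:
    """The next run is period_days after the last one, at the configured Dumped schedule."""
    return datetime.combine(last_run.date() + timedelta(days=period_days), schedule)


def split_for_dump(records: List[datetime], run_at: datetime,
                   reserve_days: int) -> Tuple[List[datetime], List[datetime]]:
    """Records generated more than reserve_days before the run are dumped to file and
    deleted from the database; the rest stay. Assumption: 'generated N days ago' means
    strictly earlier than the run time minus N days."""
    cutoff = run_at - timedelta(days=reserve_days)
    dumped = [r for r in records if r < cutoff]
    kept = [r for r in records if r >= cutoff]
    return dumped, kept


def simulate(start_iso: str, days: int, period_days: int, reserve_days: int,
             schedule_hms: str = "02:00:00") -> Dict[str, int]:
    """Generate one record per day (at noon), run the dump whenever its scheduled time has
    passed, and report how many records went to disk, how many remain in the database,
    and the peak number that was resident in the database at any point."""
    start = date.fromisoformat(start_iso)
    schedule = time.fromisoformat(schedule_hms)
    db: List[datetime] = []
    on_disk = peak = 0
    run_at = datetime.combine(start, schedule)
    for d in range(days):
        record = datetime.combine(start + timedelta(days=d), time(12, 0))
        db.append(record)
        peak = max(peak, len(db))
        if record >= run_at:                    # the scheduled dump runs today
            dumped, db = split_for_dump(db, run_at, reserve_days)
            on_disk += len(dumped)
            run_at = next_dump_time(run_at, period_days, schedule)
    return {"dumped_to_disk": on_disk, "in_database": len(db), "peak_in_database": peak}


if __name__ == "__main__":
    # Guide defaults: dump every 30 days at 02:00:00, keep the most recent 90 days.
    print("period 30, reserve 90:", simulate("2015-01-01", 365, period_days=30, reserve_days=90))
    # Same reserve, daily dumps: the database never holds much more than the reserve window.
    print("period 1, reserve 90: ", simulate("2015-01-01", 365, period_days=1, reserve_days=90))
```

With the defaults the first records are only dumped at the fifth run (day 120), and the database peaks at 121 daily records rather than 90; size the database for reserve plus period, not for the reserve alone.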

9.2.4 Maintaining Anti-DDoS Data


This section describes how to maintain anti-DDoS data by setting appropriate data retention durations so that storage is used efficiently.

Procedure
Step 1 Choose System > System Maintenance > Anti-DDoS Data Maintenance.
Step 2 On the Anti-DDoS Data Maintenance page, click the modify button.
Step 3 On the Modify Anti-DDoS Data Maintenance Settings page, set the parameters by referring to Table 9-8.
Table 9-8 Parameters of maintaining anti-DDoS data

Original data (days)
  Description: How long original data is kept in the database of the anti-DDoS collector.
  Value: The default value is 30.

Hourly summary data (months)
  Description: How long hourly summary data is kept in the database of the anti-DDoS collector.
  Value: The default value is 12.

Daily summary data (years)
  Description: How long daily summary data is kept in the database of the anti-DDoS collector.
  Value: The default value is 1.

Traffic diversion log (days)
  Description: How long traffic diversion logs are kept in the database of the cleaning device.
  Value: The default value is 90.

Device logs (days)
  Description: How long the ATIC Management center server keeps device operation logs in its database.
  Value: The default value is 30.

Scheduled daily reports (days)
  Description: How long daily reports generated by a scheduled task are kept in the database and on the hard disk of the ATIC Management center server.
  Value: The default value is 60.

Scheduled weekly reports (months)
  Description: How long weekly reports generated by a scheduled task are kept in the database and on the hard disk of the ATIC Management center server.
  Value: The default value is 6.

Scheduled monthly reports (years)
  Description: How long monthly reports generated by a scheduled task are kept in the database and on the hard disk of the ATIC Management center server.
  Value: The default value is 1.

Scheduled yearly reports (years)
  Description: How long yearly reports generated by a scheduled task are kept in the database and on the hard disk of the ATIC Management center server.
  Value: The default value is 5.

Delay for Canceling Traffic Diversion (seconds)
  Description: For dynamic diversion tasks (both automatic and manual ones), after the anomaly or attack ends the diversion persists for this long before it is cancelled automatically, so that the anomaly or attack traffic is cleaned thoroughly.
  Value: The default value is 300. In normal cases, keep the default value. If the anti-DDoS collector cannot receive the anomaly logs from the cleaning device, extend the delay.

The number of pagesize
  Description: Page size (number of records displayed per page) used by the ATIC Management center.
  Value: The default value is 10.

Step 4 Click OK.


----End

9.2.5 Backing Up and Restoring Configuration Files


This section describes how to back up system configurations periodically for timely
troubleshooting.

9.2.5.1 Backing Up a Configuration File


The current system configuration needs to be backed up periodically.

Context
The ATIC Management center can back up its configuration and some status information.

Ensure that other administrators are offline during the database backup. Otherwise, their operations on the database may interrupt the backup. Choose System > System Administrators > Online Administrator to check whether other administrators are online.

Procedure
Step 1 Choose System > System Maintenance > System Backup.
Step 2 Click the backup button.
Step 3 On the Back Up Current Configuration File page, enter a description and click OK to back up the current system configuration.
The system automatically generates the configuration file name from the database name and the backup time. The description is free text that identifies the configuration file in more detail.
Step 4 In the dialog box that is displayed, click OK.
----End

9.2.5.2 Restoring a Configuration File


Restoring configurations consists of restoring the configuration on the ATIC Management center and the configuration on the anti-DDoS device.

Context
The ATIC Management center can be restored only from a configuration file of the same version. If the Zones or sysnames in the restored configuration differ from those before the restoration, admin must check and reallocate the management permissions for these Zones or sysnames; otherwise, other administrators cannot manage the restored configuration.

Procedure
Step 1 Choose System > System Maintenance > System Backup.
Step 2 Click the restore button and terminate services on the ATIC Management center as prompted. Then click OK to start restoring the configuration file.
Step 3 When the configuration file has been restored, click OK and close the dialog box.
Step 4 Log in to the ATIC Management center again. Choose System > System Maintenance > System Backup to check whether the restored configuration is correct.
  If yes, confirm the restoration. Click OK, then continue with the following steps so that the configurations of the ATIC Management center and the anti-DDoS device are consistent after the restoration:
  a. Choose System > System Maintenance > System Backup.
  b. Click the corresponding button.
  If no, roll back the configuration:
  a. Choose System > System Maintenance > System Backup. The Check System Status page is displayed.
  b. In the Check System Status dialog box, click Roll Back Configuration to roll back the system configuration.
  c. Log in to the ATIC Management center again to confirm the rollback.
----End

Follow-up Procedure
Confirm the configuration regardless of whether the restoration or the rollback succeeded.
1. Choose System > System Maintenance > System Backup. The Check System Status page is displayed.
2. In the Check System Status dialog box, click The restoration succeeded.

9.3 Log Management


You can query system operation logs, device operation logs, and syslog interworking logs.

Search
  Set the conditions and click Search to search for the desired logs. For details, see 9.3.2 Searching for an Operation Log, 9.3.3 Querying Device Operation Logs, and 9.3.4 Querying Syslog Interworking Logs.

Export
  Select the logs to save to the local computer and click the export button. In the displayed dialog box, select a path for the operation log file, enter a file name or keep the default one, and click Save to store the selected logs at that local path.
  NOTE
  If Internet Explorer runs with its default security policy, the message "To help protect your security, Internet Explorer blocked this site from downloading files to your computer" is displayed when you export. Right-click the message, choose Download File from the shortcut menu, and, after the page refreshes, export again.

Export all
  Click the export-all button. In the displayed dialog box, select a path for the operation log file, enter a file name or keep the default one, and click Save to store all the logs at that local path.

9.3.1 Introduction to Log Management


Log management includes managing system operation logs, device operation logs, and syslog
interworking logs.

System Operation Log


All operations that are actively initiated by ATIC Management center users and that change the database are logged. Operations that do not change the database, such as viewing, searching, and refreshing, are not logged. The ATIC Management center lets you browse operation logs and filter them by log level, administrator, log category, operation result, and start and end time, so you can see, for example, which operations a given user performed on the ATIC Management center.
Access to the logs is controlled. A super administrator has full access. A common administrator who has been assigned the right can access only their own operation logs. A common administrator without the right cannot access any operation log.
Periodically dumping operation logs moves the logs recorded in the database to the Installation directory/Runtime/LegoRuntime/datastorage/sysoptlog path on the ATIC Management center server. You can download the dumped operation logs to the client and view them locally, and delete the logs that are no longer needed from the ATIC Management center server to reduce database writes and keep sufficient database space.


The operation log level identifies the criticality of a log. From the most to the least critical, the levels are Danger, Minor, Warning, and Info. Table 9-9 defines them.
Table 9-9 Log levels

Danger
  Operations that make the whole system or a function module faulty or unavailable.

Warning
  Normal operations performed in the system or on a function module.

Minor
  Operations that may cause data inconsistency in the system or in a function module.

Info
  Operations performed to access data in the system or in a function module.

Device Operation Log


The device operation log records every command line executed on the AntiDDoS device.
The ATIC Management center lets you view device operation logs and filter them by start time, end time, device IP address, terminal IP address, VTY interface, user name, VRF, and command line. Device operation logs can be used to monitor the device or to locate faults.
Device operation logs take up a large amount of database space and cannot be exported or dumped. On the Anti-DDoS Data Maintenance page you can specify how long they are kept; expired device operation logs are deleted automatically. The device operation logs are retained for 90 days by default.

Syslog Interworking Log


Syslog interworking logs record the syslog messages that the Netflow device sends to the ATIC Management center.

9.3.2 Searching for an Operation Log


You can set the conditions to search for the desired operation logs.

Procedure
Step 1 Choose System > Log Management > System Logs.
Step 2 Set the conditions for searching for operation logs.
  Select Search to use the basic search. Table 9-10 describes the basic search conditions.

Table 9-10 Parameters of the basic search conditions

Level
  Description: Level of an operation log.
  Value: Danger, Warning, Minor, or Info.

Result
  Description: Result of an operation log.
  Value: Succeeded or Failed.

  Select Advanced Search to use the advanced search. Table 9-11 describes the advanced search conditions.

Table 9-11 Parameters of the advanced search conditions

Level
  Description: Level of an operation log.
  Value: Danger, Warning, Minor, or Info.

Administrator
  Description: Administrator who performed the operation. The administrator System does not actually exist: operations attributed to System are scheduled operations or operations triggered in the background by other operations.
  Value: Click the selection button to choose the administrator in the Select Administrator dialog box.

Type
  Description: Category of an operation log. Logs are categorized by the function of the component; for example, the log of creating a collection rule task belongs to the performance management category.
  Value: Click the selection button to choose the functional module that owns the operation log in the Select Operation Type dialog box.

Result
  Description: Result of an operation log.
  Value: Succeeded or Failed.

Occurred at
  Description: Start and end time of the operation.
  Value: The start time cannot be later than the end time.

Step 3 Click Search.
The operation logs that meet the search conditions are displayed in the system log list. If no log meets the conditions, the list is empty.
Click Reset to clear all the specified parameter values.

----End

9.3.3 Querying Device Operation Logs


You can query the device operations performed by users who logged in to the AntiDDoS.

Procedure
Step 1 Choose System > Log Management > Device Logs.
Step 2 Query device operation logs by using the basic search or the advanced search.

Basic search
  Enter the device IP address or the command to be queried and click the search button to display the logs that match the conditions.

Advanced search
  a. Click Advanced Search.
  b. In the Advanced Search group box, set the search conditions and click Search. Table 9-12 describes the search conditions.

Table 9-12 Device operation log search conditions

Start Time, End Time
  Time range in which the ATIC Management center received the logs.

Device IP
  IP address of the AntiDDoS.

Terminal IP
  IP address of the terminal that logged in to the AntiDDoS.

User
  User name used to log in to the AntiDDoS.

Command
  Command executed on the AntiDDoS.

----End


9.3.4 Querying Syslog Interworking Logs


This section describes how to set the conditions for querying syslog interworking logs.

Procedure
Step 1 Choose System > Log Management > Syslog-linkage Log.
Step 2 Set the conditions for querying syslog interworking logs.

When you select Search, set the query conditions as described in Table 9-13.

Table 9-13 Description of the parameters for querying syslog interworking logs

Detail
  Enter a syslog keyword to match.

When you select Advanced Search, set the query conditions as described in Table 9-14.

Table 9-14 Description of the parameters for advanced query of syslog interworking logs

Start Time, End Time
  Time range in which the ATIC Management center received the logs.

Device IP
  IP address of the syslog device.

Detail
  Enter a syslog keyword to match.

----End

9.4 Notification Server


9.4.1 Mail Server
You can configure the mail server so that the ATIC Management center sends notifications to the specified email addresses.

Prerequisites
Before configuring a mail server, ensure that the SMTP/POP3 function is enabled for the sender account registered on that server.


Context
Only a SOCKS 5 proxy is supported when you configure the basic information for the mail server.
SOCKS lets client/server applications using TCP or UDP traverse a network firewall in a controlled way. A proxy server that speaks SOCKS is called a SOCKS server; it is a general-purpose proxy rather than one tied to a single application protocol. For email, the SOCKS proxy is typically reached on port 1080 of the proxy server. If the SOCKS proxy service requires identity authentication, apply to the network administrator for a user name and password. Note that SOCKS 5 user name/password authentication sends the credentials to the proxy in cleartext, so the path between the ATIC Management center server and the proxy should be a trusted network.

Procedure
Step 1 Choose System > Notification Server > Email Server.
Step 2 Configure the basic information for the mail server.
1. In the Email Server area, click the modify button.
2. Configure the basic information for the mail server, as described in Table 9-15.

Table 9-15 Mail server parameters

SMTP server
  Description: IP address or domain name of the SMTP server that sends the notification mail.

Server port
  Description: Port number of the SMTP server.
  Recommended value: Default value: 25.

Sender email
  Description: Email address from which the notification mail messages are sent.
  Recommended value: The email address can contain only 1 to 32 characters.

Test email
  Description: Email address used to verify that the ATIC Management center server can communicate with the mail server.
  Recommended value: The email address can contain only 1 to 32 characters.

Username
  Description: User name used to access the SMTP server. Enter the user name registered on the SMTP mail server or obtained from the provider of the mail server.
  Recommended value: Required only when SMTP server identity authentication is selected.

Password
  Description: Password used to access the SMTP server.
  Recommended value: Required only when SMTP server identity authentication is selected.

Proxy server IP address
  Description: IP address of the proxy server.
  Recommended value: Required only when Proxy server is selected.

Proxy server Port
  Description: Port number of the proxy server. Default value: 1080.
  Recommended value: Required only when Proxy server is selected.

Email Signature

SMTP = Simple Mail Transfer Protocol

After the parameters are specified, click Test to check whether the test mailbox receives the test message.
  If yes, the communication between the ATIC Management center server and the mail server is normal.
  If no, an error message is displayed. Handle the exception according to the message.
3. Click OK.

----End
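The following script is an added example, not code from Huawei or from the ATIC Management center; it encodes and decodes the SOCKS 5 messages (RFC 1928) and the user name/password sub-negotiation (RFC 1929) that the proxy settings of Table 9-15 imply, with both the client side and enough of the proxy side to walk through the exchange offline before a real proxy is configured. The proxy's CONNECT reply, the addresses 192.0.2.x and smtp.example.com, and the credentials are constructed values.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

SOCKS5 = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


# ---- what the ATIC server (the SOCKS client) sends --------------------------------
def client_greeting(offer_userpass: bool) -> bytes:
    """RFC 1928 s3: VER | NMETHODS | METHODS. Offer user/password only if the proxy
    requires identity authentication."""
    methods = bytes([NO_AUTH, USERPASS]) if offer_userpass else bytes([NO_AUTH])
    return bytes([SOCKS5, len(methods)]) + methods


def userpass_request(username: str, password: str) -> bytes:
    """RFC 1929 s2: VER(0x01) | ULEN | UNAME | PLEN | PASSWD. Note: sent in cleartext."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("user name and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def connect_request(host: str, port: int) -> bytes:
    """RFC 1928 s4 CONNECT to the SMTP server; host may be an IPv4 literal or a domain name."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    """Decode the proxy's reply to CONNECT into (REP, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type in reply")
    if len(rest) != 2:
        raise ValueError("bad reply length")
    return rep, addr, struct.unpack("!H", rest)[0]


# ---- just enough of the proxy side to walk through the exchange offline -----------
def proxy_choose_method(greeting: bytes, require_auth: bool) -> bytes:
    """RFC 1928 s3 method selection: VER | METHOD (0xFF = no acceptable method)."""
    if len(greeting) < 2 or greeting[0] != SOCKS5 or len(greeting) != 2 + greeting[1]:
        return bytes([SOCKS5, NO_ACCEPTABLE])
    wanted = USERPASS if require_auth else NO_AUTH
    return bytes([SOCKS5, wanted if wanted in greeting[2:] else NO_ACCEPTABLE])


def proxy_check_userpass(req: bytes, users: Dict[str, str]) -> bytes:
    """RFC 1929 s2 response: VER(0x01) | STATUS, 0x00 on success."""
    if len(req) < 3 or req[0] != 0x01:
        return bytes([0x01, 0x01])
    ulen = req[1]
    if len(req) < 3 + ulen:
        return bytes([0x01, 0x01])
    plen = req[2 + ulen]
    if len(req) != 3 + ulen + plen:
        return bytes([0x01, 0x01])
    uname = req[2:2 + ulen].decode(errors="replace")
    passwd = req[3 + ulen:].decode(errors="replace")
    return bytes([0x01, 0x00 if users.get(uname) == passwd else 0x01])


def proxy_reply(rep: int, bound_ip: str, bound_port: int) -> bytes:
    """RFC 1928 s6 reply with an IPv4 bound address."""
    return (bytes([SOCKS5, rep, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(bound_ip).packed
            + struct.pack("!H", bound_port))


def handshake(username: Optional[str], password: Optional[str], smtp_host: str, smtp_port: int,
              proxy_requires_auth: bool, proxy_users: Dict[str, str]) -> str:
    """Drive both sides in-process and describe the outcome. The proxy's CONNECT is simulated
    with a constructed bound address; a real proxy would open the TCP connection to SMTP."""
    choice = proxy_choose_method(client_greeting(username is not None), proxy_requires_auth)
    if choice[1] == NO_ACCEPTABLE:
        return "proxy rejected all offered methods"
    if choice[1] == USERPASS:
        if proxy_check_userpass(userpass_request(username, password), proxy_users)[1] != 0x00:
            return "proxy refused the user name/password"
    request = connect_request(smtp_host, smtp_port)
    rep, addr, port = parse_reply(proxy_reply(0, "192.0.2.10", 41000))
    return f"CONNECT {smtp_host}:{smtp_port} ({len(request)} bytes) {REPLY_TEXT[rep]} via {addr}:{port}"


if __name__ == "__main__":
    print(handshake("atic", "pw", "smtp.example.com", 25, True, {"atic": "pw"}))
    print(handshake(None, None, "smtp.example.com", 25, True, {}))
```

Two points worth seeing in the bytes: the user name and password are handed to the proxy unprotected, and a proxy that demands authentication answers 0xFF to a client that offers only "no authentication", which is the failure you get when the Proxy server fields of Table 9-15 are filled in but no proxy credentials are supplied for such a proxy.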

9.4.2 SMS Server


This section describes how to configure the SMS server.

Procedure
Step 1 Choose System > Notification Server > SMS Server.
Step 2 In the SMS Server area, click the modify button and set the SMS server parameters, as described in Table 9-16.

Table 9-16 SMS modem parameters

Serial port identifier
  Description: Identifier of the serial port on the ATIC Management center server through which the ATIC Management center is connected to the SMS modem.
  Recommended value: Set this parameter according to the actual condition. For example, if the SMS modem is connected to serial port COM of the ATIC Management center server, set this parameter to COM.

Baud rate
  Description: Baud rate used by the SMS modem.
  Recommended value: Set the baud rate according to the actual condition.

Country code
  Description: Code of the country in which the customer site is located.
  Recommended value: For example, China: 86; USA: 1; UK: 44.

Test phone number
  Description: Mobile phone number used to verify that the ATIC Management center server can communicate with the SMS modem.

Unicom provider
  Description: Customized configuration of the China Unicom SMS server.

Click Test to check whether the test mobile phone receives the test message.
  If yes, the communication between the ATIC Management center server and the SMS modem is normal.
  If no, an error message is displayed. Handle the exception according to the message.

Step 3 Click OK.

Step 4 Select Unicom Provider and click the modify button to customize alarm SMS messages for China Unicom.

----End

9.4.3 Syslog Server


This section describes how to configure the log server.

Procedure
Step 1 Choose System > Notification Server > Syslog Server .
Step 2 Set the basic information of the log server.
1. Click the modify button in the Syslog Server area.
2. Set the basic parameters of the log server. For details, see Table 9-17.

Table 9-17 Description of log server parameters

Server IP
  Description: IP address of the log server.

Server port
  Description: Port of the log server.
  Recommended value: The default value is 514.

Transmit syslog type
  Description: Type and level of the logs to be transmitted.

NOTE
Port 514 is the conventional syslog port. Classic syslog forwarding is neither authenticated nor encrypted, so send the logs only across a trusted management network.

----End
