This section describes the anti-DDoS workflow of the FW, which consists of the following steps:
Enable the collection of traffic statistics.
DDoS attacks use various types of packets, so to distinguish normal traffic from attack traffic you need to enable the collection of traffic statistics on the FW. Based on the collected statistics, the system checks whether the traffic volume exceeds the threshold.
The FW binds specified interfaces and collects statistics on the traffic destined for these interfaces. Because the FW mainly protects intranet servers from Internet attacks, the interfaces to be bound must be the internal Ethernet interfaces of the FW.
Set thresholds for the defense against attack traffic.
You need to set thresholds for the various types of attack traffic. Once the volume of a certain type of traffic exceeds the specified threshold, the FW regards the traffic as DDoS attack traffic and takes the corresponding measures to defend against it. In other words, the FW implements attack defense only when the volume of a given type of traffic exceeds the specified threshold, so the threshold setting directly affects the actual defense.
You can manually set the threshold or refer to the threshold learning result if threshold learning is enabled on the FW. For details on the setting of the threshold, see Defense Threshold.
The FW automatically starts the defense against detected attacks.
Once the volume of the traffic destined for a specific destination address exceeds the specified threshold, the system automatically starts the defense. The FW uses multiple technologies in defending against different DDoS attacks, as listed in Table 1.
| Technology | Mechanism | Applicable Attack Types |
|---|---|---|
| Source detection | The FW verifies the source IP addresses of the request packets. If the source IP addresses are real, the packets are forwarded. | SYN Flood, HTTP Flood, HTTPS Flood, DNS Request Flood, DNS Reply Flood, and SIP Flood |
| Fingerprint | The FW learns the characteristics of detected attack packets and saves them as fingerprints. Once a packet matches a fingerprint, the packet is discarded. | UDP Flood and UDP Fragment Flood |
| Traffic limiting | Once the volume of a type of traffic exceeds the specified threshold, the follow-up packets are discarded. | ICMP Flood and UDP Flood |
The FW takes the specified action on the traffic.
Normal traffic is permitted, whereas attack traffic is discarded and corresponding threat logs are generated.
If the FW works in bypass detection mode, it generates a traffic anomaly log after detecting abnormal traffic, but does not discard or limit the rate of the traffic.
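As an added illustration (not the FW's own implementation), the following Python model walks through the workflow above: per-destination traffic statistics, a threshold per traffic type (set manually or derived from learned baseline peaks, using an assumed peak-plus-margin rule), traffic limiting once a threshold is exceeded, and bypass detection mode, which only logs. Addresses, volumes and log formats are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample traffic: one (destination address, traffic type) tuple per packet.
SAMPLE_PACKETS = (
    [("10.1.1.10", "ICMP")] * 120   # exceeds the ICMP threshold used below
    + [("10.1.1.10", "UDP")] * 30   # stays below the UDP threshold
    + [("10.1.1.20", "ICMP")] * 50  # other destination, below threshold
)

def learned_threshold(baseline_counts, margin_pct=20):
    """Assumed learning rule: highest normal peak per interval plus a percentage margin."""
    return max(baseline_counts) * (100 + margin_pct) // 100

@dataclass
class AntiDDoSPolicy:
    thresholds: dict                      # traffic type -> packets per interval
    bypass_detection: bool = False        # True: log anomalies only, never discard
    counts: Counter = field(default_factory=Counter)  # statistics per (dst, type)
    logs: list = field(default_factory=list)

    def process(self, dst, traffic_type):
        """Handle one packet and return the verdict 'forward' or 'discard'."""
        key = (dst, traffic_type)
        self.counts[key] += 1
        threshold = self.thresholds.get(traffic_type)
        if threshold is None or self.counts[key] <= threshold:
            return "forward"          # normal volume, or a type without a threshold
        first_excess = self.counts[key] == threshold + 1
        if self.bypass_detection:
            if first_excess:          # one traffic anomaly log per (dst, type)
                self.logs.append(f"ANOMALY dst={dst} type={traffic_type}")
            return "forward"          # bypass mode: detect and log, no rate limiting
        if first_excess:              # one threat log when the defense starts
            self.logs.append(f"THREAT dst={dst} type={traffic_type} action=discard")
        return "discard"              # traffic limiting: follow-up packets dropped

def run(policy, packets):
    """Feed packets through the policy; return counts keyed by (dst, type, verdict)."""
    verdicts = Counter()
    for dst, traffic_type in packets:
        verdicts[(dst, traffic_type, policy.process(dst, traffic_type))] += 1
    return verdicts

if __name__ == "__main__":
    policy = AntiDDoSPolicy({"ICMP": learned_threshold([70, 83, 60]), "UDP": 50})
    print(run(policy, SAMPLE_PACKETS))
    print(policy.logs)
```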