
Configuring Anti-DDoS

The FW implements the global defense against various DDoS attacks, such as SYN flood attacks, UDP flood attacks, ICMP flood attacks, HTTP flood attacks, HTTPS flood attacks, DNS flood attacks, and SIP flood attacks.

Context

When you configure anti-DDoS, enable traffic statistics on the bound interface so that the FW can distinguish normal traffic from attack traffic. Anti-DDoS applies only to the bound interface. Therefore, you are advised to specify the interface that connects the FW to the Internet as the bound interface.

When you configure the global anti-DDoS function, enable the threshold learning function to obtain a proper threshold. When a device is replaced, reuse the threshold configured on the original device.

If the live network traffic is unknown, start with the default values of the attack defense parameters and then adjust them as required by using the threshold learning function.

Procedure

  • Enable threshold learning for global anti-DDoS.
    1. Choose Policy > Security Protection > Attack Defense > Anti-DDoS.
    2. Set the Anti-DDoS mode to Detect Only or Detect and Clean.
    3. Use either of the following ways to specify the bound interface that connects the FW to the Internet:

      • Double-click the interface to be bound in Unbound Interface. Then the interface is displayed in Bound Interface.
      • Click the interface to be bound in Unbound Interface. Then click to add it to Bound Interface.

      Do not configure this function when the FW is deployed in-line.

    4. Optional: Configure the FW to interwork with the ATIC server.

      1. Choose Policy > Security Policy > Attack Defense > Anti-DDoS.
      2. Select the check box of ATIC association and enter the IP addresses of the device and ATIC server.

      After the FW is configured to interwork with the ATIC server, the FW sends logs about abnormal traffic to the ATIC server.

      When the FW is deployed in in-line mode, a traffic diversion policy is configured on the ATIC, and traffic diversion is in effect, the following risk applies: if the FW stops reporting anomaly logs because it no longer receives traffic, a traffic switchover occurs and the traffic cannot be cleaned.

    5. Click Set Learning Parameters on the DDoS tab to configure threshold learning parameters.

      Parameter: Description

      • Learning: Select Enable to enable the threshold learning function.
      • Learning Duration: The learning duration can be specified in minutes, hours, or days. You are advised to set the learning duration in days so that the FW can learn the traffic of an entire day.
      • Learning Mode: Specify the learning mode.
        • One-off learning: The FW learns the threshold only once.
        • Periodic Learning: The FW learns the threshold periodically so that the learning result stays up to date.
      • Learning Interval: The interval between the end of one learning period and the start of the next. This item is available only when Learning Mode is set to Periodic Learning. The learning interval can be specified in minutes or days.
      • Automatic Application: Select Enable to have the FW automatically apply the learning results. If you deselect Enable, the FW only learns the threshold and does not apply the learning results.
        NOTE: Learning the traffic trend of an entire day usually takes more than a day. You are advised to enable Automatic Application so that the FW applies the learning results automatically.
      • Learning Tolerance: Threshold learning result = Learned threshold × (1 + Tolerance value). Learning tolerance is expressed as a percentage.

    6. Click OK.

      After threshold learning is enabled, Learning Status is displayed in Set Learning Parameters and shows the current state of threshold learning.

    7. Select Enable next to the attack types to enable the corresponding defense functions. Do not change the default threshold of each defense function at this stage.

      • If you have enabled Automatic Application for threshold learning, the FW automatically applies the learned threshold after the learning process ends, replacing both the manually specified value and the default value.
      • For SYN flood attacks, after enabling Source detection, you can enable the First packet discarding function to reduce the number of response packets and conserve device performance. Packets received within the retransmission time range are treated as retransmitted packets and permitted directly. When the rate of retransmitted packets reaches the alarm threshold, they enter the source detection process. Packets received after the retransmission duration expires are treated as first packets and discarded directly.

      • The FW uses Source detection and CNAME redirection to defend against DNS request flood attacks.
        • If the DNS server is a cache server, use Source Detection.
        • If the DNS server is an authoritative server, use CNAME redirection.
      • The FW uses Basic source detection, 302 redirection and Advanced source detection to defend against HTTP flood attacks.
        • If the attack source is a proxy server or has certain browser functions, Basic source detection cannot defend against it. You must select Advanced source detection.
        • If the HTTP clients are set-top boxes, select 302 redirection or Basic source detection, because a set-top box cannot enter a verification code. 302 redirection is preferred.

    8. Click Apply.
    9. If you did not enable Automatic Application for threshold learning, manually apply the learning results or set the threshold based on them. In normal cases, set the threshold slightly higher than the learned threshold.

      When Learning Status is Stopped, you can view the learning results for each type of attack.

      • Click Apply Learning Status to manually apply the learning results, replacing both the manually specified value and the default value. Then click OK.
      • Set the threshold for each attack type in Threshold. Then click Apply.

  • Manually set the learning threshold for anti-DDoS.
    1. Choose Policy > Security Protection > Attack Defense > Anti-DDoS.
    2. Use either of the following ways to specify the bound interface that connects the FW to the Internet:

      • Double-click the interface to be bound in Available. Then the interface is displayed in Selected.
      • Click the interface to be bound in Available. Then click to add it to Selected.

    3. Optional: Configure the FW to interwork with the ATIC server.

      1. Choose Policy > Security Policy > Attack Defense > Anti-DDoS.
      2. Select the check box of ATIC Association and enter the IP address of the ATIC server.

      After the FW is configured to interwork with the ATIC server, the FW sends logs about abnormal traffic to the ATIC server.

    4. Select Enable next to the attack types and set an appropriate threshold for each of them in Threshold.

      • For SYN flood attacks, after enabling Source detection, you can enable the First packet discarding function to reduce the number of response packets and conserve device performance. Packets received within the retransmission time range are treated as retransmitted packets and permitted directly. When the rate of retransmitted packets reaches the alarm threshold, they enter the source detection process. Packets received after the retransmission duration expires are treated as first packets and discarded directly.

      • The FW uses Source detection and CNAME redirection to defend against DNS request flood attacks.
        • If the DNS server is a cache server, use Source Detection.
        • If the DNS server is an authoritative server, use CNAME redirection.
      • The FW uses Basic source detection, 302 redirection and Advanced source detection to defend against HTTP flood attacks.
        • If the attack source is a proxy server or has certain browser functions, Basic source detection cannot defend against it. You must select Advanced source detection.
        • If the HTTP clients are set-top boxes, select 302 redirection or Basic source detection, because a set-top box cannot enter a verification code. 302 redirection is preferred.

    5. Click Apply.
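The First packet discarding behaviour described for SYN flood defense in both procedures above (the first SYN from a source is discarded, retransmissions inside the retransmission window are permitted, retransmissions are handed to source detection once their rate reaches the alarm threshold, and a packet arriving after the window has expired is again treated as a first packet) is easier to reason about as a small model. The following Python is an added example written for this page, not FW code: the window length, the alarm threshold, the decision labels and the sample addresses are constructed assumptions.

```python
"""Model of the SYN flood "first packet discarding" decision described above.

Added example, not FW code. The retransmission window, alarm threshold and
decision labels are constructed assumptions; the addresses are RFC 5737
documentation ranges used as constructed sample input.
"""
from collections import deque
from dataclasses import dataclass, field

DROP = "DROP"                    # first SYN from a source (or window expired): discarded
PERMIT = "PERMIT"                # retransmitted SYN inside the window: forwarded
SOURCE_DETECT = "SOURCE_DETECT"  # retransmit rate reached alarm threshold: verify source


@dataclass
class FirstPacketDiscard:
    retransmit_window: float = 3.0   # seconds a source may retransmit; assumed value
    alarm_threshold: int = 5         # retransmitted SYNs per second; assumed value
    first_seen: dict = field(default_factory=dict)     # src -> time of its discarded first SYN
    retransmits: deque = field(default_factory=deque)  # times of retransmits in the last second

    def _retransmit_rate(self, now: float) -> int:
        """Number of retransmitted SYNs seen in the trailing one-second window."""
        while self.retransmits and now - self.retransmits[0] > 1.0:
            self.retransmits.popleft()
        return len(self.retransmits)

    def handle_syn(self, src: str, now: float) -> str:
        seen = self.first_seen.get(src)
        if seen is None or now - seen > self.retransmit_window:
            # First packet from this source, or its window has lapsed. A spoofed
            # source never retransmits, so discarding costs nothing legitimate.
            self.first_seen[src] = now
            return DROP
        # A retransmission inside the window, which is how a real TCP stack behaves.
        self.retransmits.append(now)
        if self._retransmit_rate(now) >= self.alarm_threshold:
            # Too many sources retransmitting at once: hand the packet to source
            # detection instead of trusting the retransmission alone.
            return SOURCE_DETECT
        return PERMIT

    def prune(self, now: float) -> None:
        """Forget sources whose window has expired (a real device ages state too)."""
        expired = [s for s, t in self.first_seen.items() if now - t > self.retransmit_window]
        for s in expired:
            del self.first_seen[s]


def run_scenario(packets, **params) -> list:
    """Feed (src, timestamp) SYNs in order and return the decision for each."""
    fpd = FirstPacketDiscard(**params)
    return [fpd.handle_syn(src, ts) for src, ts in packets]


if __name__ == "__main__":
    # Constructed sample input: one well-behaved client, a spoofed flood that
    # never retransmits, and a flood whose sources all retransmit together.
    legit = [("198.51.100.7", 0.0), ("198.51.100.7", 1.0), ("198.51.100.7", 10.0)]
    spoofed = [(f"203.0.113.{i}", 20.0) for i in range(1, 50)]
    coordinated = [(f"203.0.113.{i}", 30.0) for i in range(1, 7)] + \
                  [(f"203.0.113.{i}", 31.0) for i in range(1, 7)]
    for name, pkts in (("legit client", legit), ("spoofed flood", spoofed),
                       ("retransmitting flood", coordinated)):
        print(f"{name:22s} {run_scenario(pkts)}")
```

The model shows why the function saves performance: every spoofed SYN is answered with nothing, only sources that behave like a real TCP stack get through, and the alarm threshold keeps a flood of retransmitting bots from using the retransmission itself as a free pass.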

Follow-up Procedure

After the configuration is complete, the FW logs detected attacks and outputs threat reports. Choose Monitor > Log > Threat Log to view threat logs. Choose Monitor > Report > Threat Report to view threat reports.

If Defense Mode is set to Detect Only, the FW outputs threat logs when an attack starts and ends. If Defense Mode is set to Detect and Clean, the FW outputs logs at the interval specified in the firewall defend log-time command.

Copyright © Huawei Technologies Co., Ltd.