
Limitations and Precautions for Attack Defense

Hardware Requirements

The USG6510E/6510E-POE/6530E do not support SYN flood/UDP flood/ICMP flood/DNS flood/HTTP flood/HTTPS flood/SIP flood attack defense.

Only the USG6510E/6510E-POE/6530E do not support the IP reputation function.

License Requirements

The attack defense function is not license-controlled.

Impact of Attack Defense on the Device

  • The CPU usage impact of traffic statistics (enabled on an interface with the anti-ddos flow-statistic enable command) depends on the volume of traffic on that interface. If the interface carries no traffic, CPU usage does not increase. If traffic statistics are enabled on all interfaces and every interface carries traffic, CPU usage increases by 30% to 40%; the exact increase depends on the traffic volume on the interfaces. For example, if CPU usage is 60% before traffic statistics are enabled and enabling the function raises it by 30%, CPU usage becomes 78% (60% + 60% x 0.3).
  • The impact of traffic statistics on device performance (throughput) also depends on interface traffic. To minimize this impact, run the anti-ddos destination-ip alert-rate alert-rate command to set the alarm threshold that triggers the anti-DDoS process: traffic destined for an IP address enters the anti-DDoS process only when the rate of traffic to that address exceeds the alarm threshold.
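The following is an added illustrative model of the alarm-threshold gating described above; it is not the device's code and assumes nothing about how the FW measures rates internally. It counts packets per destination in fixed one-second buckets over a constructed sample and reports only the destinations whose peak rate strictly exceeds the alarm threshold, which are the ones that would be handed to the anti-DDoS process. The IP addresses, timestamps and rates are constructed sample values.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp in milliseconds, destination IP).
# Not real capture data; built so that each destination has a known rate.
SAMPLE_PACKETS = (
    [(i, "10.1.1.10") for i in range(1500)]             # 1000 pps in second 0, 500 pps in second 1
    + [(i * 10, "10.1.1.20") for i in range(100)]       # 100 pps in second 0
    + [(1000 + i * 20, "10.1.1.30") for i in range(50)]  # 50 pps in second 1
)


def peak_rate_per_destination(packets, bucket_ms=1000):
    """Return {dst_ip: peak packets per second}, measured over fixed time buckets.

    Each packet is assigned to the bucket containing its timestamp; the rate for
    a bucket is its packet count scaled to packets per second, and the peak over
    all buckets is kept per destination.
    """
    counts = defaultdict(int)
    for ts_ms, dst in packets:
        counts[(dst, ts_ms // bucket_ms)] += 1
    peaks = defaultdict(float)
    for (dst, _bucket), n in counts.items():
        rate = n * 1000 / bucket_ms
        if rate > peaks[dst]:
            peaks[dst] = rate
    return dict(peaks)


def destinations_entering_anti_ddos(packets, alert_rate, bucket_ms=1000):
    """Destinations whose peak rate exceeds the alarm threshold (strictly greater).

    Traffic to any other destination never enters the anti-DDoS process, which is
    the mechanism the alert-rate threshold uses to limit the performance impact.
    """
    peaks = peak_rate_per_destination(packets, bucket_ms)
    return sorted(dst for dst, rate in peaks.items() if rate > alert_rate)


if __name__ == "__main__":
    for threshold in (500, 100, 60):
        print(threshold, destinations_entering_anti_ddos(SAMPLE_PACKETS, threshold))
```

With the sample above, a threshold of 500 pps hands only 10.1.1.10 to the anti-DDoS process; at 100 pps 10.1.1.20 still stays out because its rate equals, but does not exceed, the threshold.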

Limitations and Precautions in Bypass Detection Mode

  • In bypass detection mode, the FW does not support source detection.
  • In bypass detection mode, the FW only detects traffic. When it detects a traffic anomaly, it only generates traffic anomaly logs; it does not forward or process the traffic.
  • If the FW works in bypass detection mode and has anti-DDoS configured, the ddos-mode detect-only command must be used to configure the FW to detect traffic but not clean it.

Limitations and Precautions in Transparent Mode

If the FW works in bypass detection mode, IP spoofing attack defense cannot be configured.

Limitations and Precautions on the Use of Dynamic Traffic Limiting for Flood Attacks

The dynamic traffic limiting function is triggered based on traffic statistics collected on the CPU. If the dynamic traffic limiting function does not take effect as expected, the hardware fast forwarding function may be enabled, which allows attack traffic to be fast-forwarded without being processed by the CPU. In this case, disable the hardware fast forwarding function or configure hardware fast forwarding filtering conditions so that attack traffic is processed by the CPU instead of being fast-forwarded.

Other Limitations and Precautions

  • The FW supports both IPv4 and IPv6 anti-DDoS.
  • The single-IPv4 packet attacks that the FW can defend against cover all types of single-packet attacks. The single-IPv6 packet attacks that the FW can defend against cover only IP address spoofing attacks and IPv6 extension header attacks.
  • The IP reputation function supports only IPv4 packet filtering, not IPv6 packet filtering.
  • After the anti-ddos syn-flood tcp-proxy [ alert-rate alert-rate | max-rate max-rate ] command is used to enable TCP proxy against SYN flood, the FW changes the TCP window size to control the end-to-end traffic rate. As a result, the transmission rate may decrease and user Internet access is slowed down. In this case, TCP source authentication is recommended to defend against SYN flood attacks.
  • TCP proxy against SYN flood applies only to the scenario in which the forward and return paths of packets are consistent; if they are not, TCP proxy fails. TCP source authentication is recommended to defend against SYN flood attacks, because it also works when the forward and return paths are inconsistent.
  • TCP source authentication against SYN flood is implemented based on TCP source detection packets. If the network has devices that discard source detection packets, do not use this function.
  • HTTP flood source authentication is commonly used to defend against HTTP flood attacks. If the client is an STB or is in a specified mobile network, verification codes cannot be entered on the client. Therefore, enhanced source authentication does not apply to scenarios where STBs are used for VOD or to specified mobile networks; the 302 redirect mode is preferred instead.
  • If the FW is deployed behind a NAT device, there is much traffic from one source address to different destination addresses. In this scenario, do not enable IP sweep attack defense or port scan attack defense.
  • For better UDP flood fingerprint defense effects, limit the rate of UDP traffic.
Copyright © Huawei Technologies Co., Ltd.