HUAWEI ATIC Management Center

V500R001
Configuration Guide
Contents
1 Safety Information
2 Initial Configuration of the Management Center
2.1 Logging In to the ATIC Management Center
2.2 Customizing a Homepage
2.3 Adding Devices
2.3.1 Creating an Anti-DDoS
2.3.2 Creating an SAS
2.3.3 Creating a Syslog-linkage Device
2.4 Configuring a Collector
2.4.1 Adding a Collector
2.4.2 Associating the Collector with the Devices
2.5 Configuring the Defense Group
3 Configuring Defense Policies
3.1 Configuring the Zone
3.1.1 Adding a Zone
3.1.2 Importing Zones in a Batch
3.2 Configuring the Zone-based Defense Policy
3.2.1 Configuring a Defense Mode
3.2.2 Configuring a Filter
3.2.2.1 Creating a Filter
3.2.2.2 Associating a Zone with a Filter
3.2.3 Configuring a Location Blocking Policy
3.2.4 Creating a Service and a Defense Policy
3.2.4.1 Overview
3.2.4.2 Configuring a Service Learning Task
3.2.4.3 Applying Service Learning Results
3.2.5 Adjusting a Threshold (by Baseline Learning)
3.2.5.1 Description
3.2.5.2 Configuring a Baseline Learning Task
3.2.5.3 Applying Baseline Learning Results
3.2.6 Configuring the Zone-based Defense Policy
3.2.6.1 TCP Defense Policy
3.2.6.2 UDP Defense Policy
3.2.6.3 ICMP Defense Policy
3.2.6.4 Other Defense Policy
3.2.6.5 DNS Defense Policy
3.2.6.6 SIP Defense Policy
3.2.6.7 HTTP Defense Policy
3.2.6.8 HTTPS Defense Policy
3.2.6.9 Top N Study
3.2.7 Configuring Global Defense Policies (ATIC)
3.2.7.1 Configuring Basic Attack Defense
3.2.7.2 Blacklist and Whitelist
3.2.8 Creating User-defined IP Locations
3.2.9 Library Files
3.2.10 Configuring Policy Templates
3.2.11 Cloud Cleaning
3.2.12 Deploying the Defense Policy
3.2.13 Saving Configurations
4 Configuring Traffic Diversion
4.1 Configuring Mirroring
4.2 Configuring Traffic Diversion
4.2.1 Configuring Policy-based Route Diversion
4.2.2 Configuring BGP Traffic Diversion (CLI)
4.2.3 Configuring BGP Traffic Diversion (ATIC)
4.3 Configuring Traffic Injection
4.3.1 Layer-2 Injection
4.3.2 Configuring Static Route Injection
4.3.3 Configuring UNR Route Injection
4.3.4 Configuring Policy-Based Route Injection
4.3.5 Configuring GRE Traffic Injection
4.3.6 Configuring MPLS LPS Traffic Injection
4.3.7 Configuring MPLS VPN Traffic Injection
4.4 Configuring the Loop Check Function
4.5 Configuring Blackhole Traffic Diversion
5 Attack Response and Source Tracing
5.1 Viewing the Status of a Zone and Anti-DDoS Alarms
5.2 Handling Abnormal Events
5.3 Packet Capture
5.3.1 Packet Capture, Analysis and Report
5.3.2 Configuring Packet Capture Length
5.3.3 Managing Packet Capture Task
5.3.4 Managing Packet Capture File
5.3.4.1 Viewing Anomaly or Attack Events
5.3.4.2 Tracing Attack Sources Through a Packet Capture File
5.3.4.4 Extracting Fingerprints from a Packet Capture File
5.3.4.5 Downloading a Packet Capture File
6 Report
6.1 Overview
6.2 Traffic Analysis
6.2.1 Data Overview
6.2.2 Traffic Comparison
6.2.3 Traffic Top N
6.2.4 Application Traffic
6.2.5 Protocol Traffic Distribution
6.2.6 Number of TCP Connections
6.2.7 Board Traffic
6.2.8 IP Location Top N
6.2.9 IP Location Traffic
6.3 Anomaly/Attack Analysis
6.3.1 Anomaly/Attack Details
6.3.2 Anomaly/Attack Top N
6.3.3 Attack Top N
6.3.4 Distribution of Anomaly/Attack Types
6.3.5 Packet Discarding Trend
6.4 DNS Analysis
6.4.1 Top N Request Trend
6.4.2 Top N Response Trend
6.4.3 Cache Request Trend
6.4.4 Request Category Trend
6.4.5 Resolution Success Ratio
6.4.6 Abnormal Packet Analysis
6.5 HTTP(S) Analysis
6.5.1 Top N HTTP Request Sources by Traffic
6.5.2 Top N HTTPS Request Sources by Traffic
6.5.3 Top N Requested URL
6.5.4 Top N Requested Host
6.6 Comprehensive Report
6.6.1 Querying Comprehensive Reports
6.6.2 Managing Scheduled Task
6.6.2.1 Creating a Scheduled Task
6.6.3 Downloading Report
6.7 Report Customization
6.7.1 Customizing Report-Related Information
6.7.2 Configuring IP Description
7 System Management
7.1 Configuring the System Administrators
7.1.1 Introduction to System Administrators
7.1.2 Managing Administrators
7.1.2.1 Creating an Administrator
7.1.2.2 Modifying an Administrator Group
7.1.3 Managing Administrator Groups
7.1.3.1 Creating an Administrator Group
7.1.3.2 Modifying an Administrator Group
7.1.4 Managing Online Administrators
7.1.5 Configuring the System Security Policy
7.1.6 Configuring the Authentication Server
7.2 System Maintenance
7.2.1 Performance Monitoring
7.2.2 Dumping the Operation Logs
7.2.3 Dumping the Alarms
7.2.4 Maintaining Anti-DDoS Data
7.2.5 Backing Up and Restoring Configuration Files
7.2.5.1 Backing Up a Configuration File
7.2.5.2 Restoring a Configuration File
7.3 Log Management
7.3.1 Introduction to Log Management
7.3.2 Searching for an Operation Log
7.3.3 Querying Device Operation Logs
7.3.4 Querying Syslog Interworking Logs
7.4 Notification Server
7.4.1 Mail Server
7.4.2 SMS Server
7.4.3 Syslog Server
1 Safety Information
Observe the safety information to ensure normal operation of the ATIC.

Hardware Operations
• It is recommended to configure an independent uninterruptible power supply (UPS) for the ATIC server to protect the hardware, system, and data from unexpected power failure. If the ATIC server is not equipped with a UPS, the administrator must properly shut down the ATIC process, the database, and the power supply one by one before the power cut, after receiving notice of an upcoming power cut.
• To shut down the ATIC server, you must follow the proper shutdown method in all situations. Never switch off the hardware power directly to shut down the ATIC server; otherwise, the system may fail to recover.
• It is recommended to check the network communication every day according to the daily maintenance items to protect the network communication from disruption.
• Do not remove the network cable from the server while the ATIC is running. If you really need to remove the network cable, stop the ATIC service first.

Software Operations
• Do not install unnecessary software on the ATIC server.
• Do not use the ATIC server to browse Web pages. Do not set up unnecessary shared directories. Ensure that the permissions on each shared directory are explicitly specified.
• Do not connect other computers to the network where the ATIC server resides, to avoid IP address conflicts and virus infection.
• Set the properties of the OS, database, and ATIC passwords by level, and assign the passwords to the maintenance owner only. Only the maintenance owner has the administrator password. Passwords must be strictly managed with clearly defined properties.
• Check and test the ATIC periodically according to the maintenance item list and record each check. When you discover a problem, handle it promptly. For problems that cannot be solved, contact the local office or customer service center promptly.

ATIC Operations
• Do not change the system time while the ATIC is running. Set the system time before you install the ATIC. Shut down the ATIC server before you change the system time, and restart the ATIC server after the system time is changed. Do not set the system clock of the server ahead; otherwise, data will become disordered.
• To log in to Windows, you must use the user name that was used to install the ATIC. Do not change the user name used to log in to Windows.
• During the use of the ATIC, ensure that data on the NE and data on the ATIC are consistent.
• Back up the database periodically to minimize loss when errors occur.
• It is recommended to synchronize NE data to the ATIC and query the latest NE data before you set parameters.
• The ATIC displays a message for dangerous operations. Pay attention to such warnings.
• Do not set the NE to a language other than Chinese or English; otherwise, the search results are displayed as garbled characters on the ATIC interface.
2 Initial Configuration of the Management Center
Initial configurations are the basic configurations of anti-DDoS services in the ATIC management center. They cover adding anti-DDoS devices, adding collectors, binding anti-DDoS devices to collectors, and creating defense groups for identifying anti-DDoS devices.

2.1 Logging In to the ATIC Management Center

This section describes how to log in to the ATIC Management center.

Prerequisites
The installation of the ATIC Management center server software is complete.

Context
Upon the first login, use the default super administrator account admin and password Admin@123.

Procedure
Step 1: Open the Web browser.
The ATIC Management center supports Internet Explorer 8.0, Firefox 3.6, and later Firefox versions.
Step 2: Enter https://<server IP address>:<port> (the port can be omitted if port 443 is used) in the address bar and press Enter.
Step 3: Select a language on the login page and enter the correct user name, password, and verification code.
The default user name is admin and its password is Admin@123.
Step 4: Click Log In.
Step 5: On the first login, the Web page displays the message "Initial login. Please change your password." Enter a new password, confirm it, and click OK.
Step 6: Click OK in the Succeeded dialog box.
----End

2.2. Customizing a Homepage
By customizing a homepage, you can place real-time interface traffic comparison, zone traffic
comparison, and alarm monitoring on the homepage.

Context
The administrator can query only customized content.

Procedure
Step 1: On the ATIC Management center homepage, click the icon.
Step 2: Click the icon.
Step 3: On the Create Homepage Customization Profile page, select the content to be customized, set the given conditions, and click OK.
The customized content is displayed on the homepage.

Note: A maximum of 12 items can be displayed on the homepage.
Interface traffic is refreshed every 10 seconds and Zone traffic every 70 seconds. The homepage displays only the several latest alarms.

Step 4: Drag the customized content to a proper position and click the icon to save the current layout.
----End

2.3 Adding Devices
A device must be added before you can perform other operations.

2.3.1 Creating an Anti-DDoS

After communication between the ATIC Management center and the Anti-DDoS has been established through SNMP, you can add the Anti-DDoS.

Prerequisites
• The IP address segments of the Anti-DDoS devices are known.
• Communication has been set up between the ATIC Management center server and the Anti-DDoS devices.

Procedure
Step 1: Choose Defense > Network Settings > Devices.
Step 2: Click the icon.
Step 3: In the Basic Information group box, set the name and IP address of an Anti-DDoS device and set Device Type to Anti-DDoS.
Step 4: Set Telnet parameters.
• When you select Telnet, the ATIC Management center uses port 23 by default for accessing Anti-DDoS devices through Telnet. In this case, enter the name and password of a Telnet user for authentication.
• When you select STelnet, the ATIC Management center uses port 22 by default for accessing Anti-DDoS devices through STelnet. In this case, enter the name and password of an STelnet user for authentication.
Step 5: Set SNMP parameters.
• When you select SNMPv1 or SNMPv2c, set the read and write community names. Read community is the name of a read-only community and its default value is public. Write community is the name of a write-only community and its default value is private.
• When you select SNMPv3, set the parameters as shown in Table 2-1. The Username, Environment name, Environment engine ID, Data encryption protocol, Data encryption password, Authentication protocol, and Authentication password parameters are available only when the type is SNMPv3.

Table 2-1 SNMPv3 template parameters

Parameter: Username
Description: User name used for accessing the Anti-DDoS device.
Recommended value: -

Parameter: Environment name
Description: Name of the environment engine.
Recommended value: The same as the environment name on the Anti-DDoS device, or blank.

Parameter: Environment engine ID
Description: Unique identifier of an SNMP engine. This ID is used together with the environment name to determine an environment that uniquely identifies an SNMP entity. An SNMP message packet is processed only when the environments of the sending terminal and the receiving terminal are the same; otherwise, the SNMP message packet is discarded.
Recommended value: Same as the environment engine ID on the Anti-DDoS device.

Parameter: Authentication protocol
Description: Protocol used for verifying messages. The parameter value can be the HMACMD5 or HMACSHA protocol, or no protocol. If the HMACMD5 or HMACSHA protocol is selected, you need to set the authentication password.
Recommended value: Select the authentication protocol as required.
1. HMACMD5 hashes a character string of any length and produces a 128-bit message digest, in integer format.
2. HMACSHA is more secure than HMACMD5. HMACSHA produces a 160-bit message digest for binary messages not longer than 2^64 bits.

Parameter: Authentication password
Description: If an authentication protocol is used when verifying messages, you need to set the authentication password.
Recommended value: -

Parameter: Data encryption protocol
Description: Encryption protocol used when encapsulating data. The parameter value can be the DES or AES encryption protocol, or no encryption. If the DES or AES encryption protocol is selected, you need to set the encryption password.
Recommended value: Select the encryption protocol as required.
1. DES: Data Encryption Standard (DES), an international encryption algorithm with a key length of 56 bits.
2. AES: Advanced Encryption Standard (AES), which has three key lengths, including 128 bits.

Parameter: Data encryption password
Description: If an encryption algorithm is used when encapsulating data, you need to set the data encryption password.
Recommended value: -

Step 6: Click OK to add the Anti-DDoS device.

After it is successfully added, the Anti-DDoS device is displayed on the Devices page, and a default Zone associated with the Anti-DDoS device is automatically generated on the Zone List page. The default Zone is saved using the Basic-10M policy template.

----End

Result
Each Anti-DDoS device is automatically synchronized once it is added. If synchronization fails, rectify the
fault as prompted and synchronize Anti-DDoS devices manually with the ATIC Management center.

Follow-up Procedure
If only one collector is available, the new Anti-DDoS devices are automatically associated with the
collector. If multiple collectors are available, associate Anti-DDoS devices with the given collector.
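The following validator is an added example and is not code from the guide or from Huawei; the field names are assumptions modelled on the GUI labels in Steps 3 to 5 and Table 2-1. It checks the rules the guide states (Telnet/STelnet credentials, SNMPv3-only fields, a password required whenever an authentication or encryption protocol is chosen) and, as a defender's addition, flags SNMPv1/v2c community names left at the documented defaults; the digest-size helper confirms the 128-bit and 160-bit figures in Table 2-1.

```python
"""Consistency checks for an Anti-DDoS device entry (added example).

Field names below are assumptions mirroring the GUI labels of the guide;
the device record is a constructed sample, not a real device.
"""
import hashlib
import hmac

TELNET_DEFAULT_PORTS = {"Telnet": 23, "STelnet": 22}      # Step 4 defaults
AUTH_PROTOCOLS = {"HMACMD5": hashlib.md5, "HMACSHA": hashlib.sha1}
PRIV_PROTOCOLS = {"DES", "AES"}
# Step 5: documented defaults for SNMPv1/SNMPv2c community names
DEFAULT_COMMUNITIES = {"read_community": "public", "write_community": "private"}
SNMPV3_ONLY_FIELDS = ("username", "auth_protocol", "auth_password",
                      "priv_protocol", "priv_password")


def validate_device(dev: dict) -> list[str]:
    """Return the list of problems found; an empty list means the entry is consistent."""
    problems = []

    # Step 3: basic information
    if dev.get("device_type") != "Anti-DDoS":
        problems.append("Device Type must be Anti-DDoS")
    if not dev.get("name") or not dev.get("ip"):
        problems.append("name and IP address are required")

    # Step 4: Telnet or STelnet access needs a user name and password
    access = dev.get("access")
    if access not in TELNET_DEFAULT_PORTS:
        problems.append("access must be Telnet or STelnet")
    elif not dev.get("login_user") or not dev.get("login_password"):
        problems.append(f"{access} (default port {TELNET_DEFAULT_PORTS[access]}) "
                        "requires a user name and password")

    # Step 5: SNMP parameters
    version = dev.get("snmp_version")
    if version in ("SNMPv1", "SNMPv2c"):
        for key, default in DEFAULT_COMMUNITIES.items():
            # An unset name falls back to the guide's default; flag it either way
            if dev.get(key, default) == default:
                problems.append(f"{key} left at documented default '{default}'")
        for key in SNMPV3_ONLY_FIELDS:
            if dev.get(key):
                problems.append(f"{key} is available only when the type is SNMPv3")
    elif version == "SNMPv3":
        if not dev.get("username"):
            problems.append("SNMPv3 requires a user name")
        auth = dev.get("auth_protocol")
        priv = dev.get("priv_protocol")
        if auth and auth not in AUTH_PROTOCOLS:
            problems.append(f"unknown authentication protocol {auth}")
        elif auth and not dev.get("auth_password"):
            problems.append(f"{auth} selected: authentication password required")
        if priv and priv not in PRIV_PROTOCOLS:
            problems.append(f"unknown encryption protocol {priv}")
        elif priv and not dev.get("priv_password"):
            problems.append(f"{priv} selected: data encryption password required")
        # USM rule (RFC 3414, not stated in the guide): privacy requires authentication
        if priv and not auth:
            problems.append("encryption selected without an authentication protocol")
    else:
        problems.append("snmp_version must be SNMPv1, SNMPv2c, or SNMPv3")
    return problems


def digest_bits(auth_protocol: str, password: str, message: bytes) -> int:
    """Digest size in bits for the protocol as Table 2-1 states (128 or 160).

    Illustrates the digest length only; real USM derives a localized key from
    the password (RFC 3414) rather than using it directly as shown here.
    """
    mac = hmac.new(password.encode(), message, AUTH_PROTOCOLS[auth_protocol])
    return mac.digest_size * 8


# Constructed sample entry (documentation IP range), with one deliberate gap:
# HMACSHA is selected but the authentication password was left empty.
SAMPLE_DEVICE = {
    "name": "antiddos-1",
    "ip": "192.0.2.10",
    "device_type": "Anti-DDoS",
    "access": "STelnet",
    "login_user": "ops",
    "login_password": "example-login-password",
    "snmp_version": "SNMPv3",
    "username": "snmpuser",
    "auth_protocol": "HMACSHA",
    "auth_password": "",
    "priv_protocol": "AES",
    "priv_password": "example-priv-password",
}

if __name__ == "__main__":
    for problem in validate_device(SAMPLE_DEVICE):
        print("problem:", problem)
    print("HMACSHA digest bits:", digest_bits("HMACSHA", "pw", b"sample"))
```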

2.3.2 Creating an SAS
When the SIG1000E/9280E serves as a detecting device, add the Service Analysis Server (SAS) to the ATIC Management center. To enable the ATIC Management center to synchronize Zones on the SIG1000E/9280E, configure the SIG1000E/9280E database of the SAS on the ATIC Management center. Ensure that the configured database is the same as the SIG1000E/9280E database on the SAS.

Prerequisites
Before you create an SAS, ensure that the following are available:
1. IP addresses of devices
2. SIG1000E/9280E database on the SAS
3. IP connectivity between the ATIC management center and the device

Context
The Service Analysis Server (SAS) is the service processing center of the SIG1000E/9280E system. It is
responsible for receiving and analyzing service information reported by the SRS, and saving the
information to the database. ATIC Management center needs to synchronize the Zone on the
SIG1000E/9280E device using the SAS database.

Procedure
   Step 1:  Choose Defense > Network Settings > Devices.

  Step 2:  Click .
  Step 3:  In the Basic Information group box, set the name and IP address of a device and select SIG
SAS for Device Type.
                               Step 4:  Configure the parameters. For details, see Table 2-2,

Table 2-2 Configuring the database information of the SAS

Parameter: Database IP Address, Database username, Database password
Description: Indicates the database information of the SAS.
Value: The configured database must be the same as the SIG1000E/9280E database on the SAS.

Parameter: Areas to Be Synchronized
Description: The Zones on the SIG1000E/9280E device in the selected areas are synchronized to the ATIC
Management center.
Value: You can select all areas or specify some of the areas.
- All: Indicates all the configured areas on the SIG1000E/9280E device. If the number of areas
configured on the SIG1000E/9280E device increases, the number of synchronized areas increases
accordingly.
- Specified areas: Indicates that only the Zones in the specified areas on the SIG1000E/9280E device
are synchronized.

 
Step 5: Click OK.
----End

2.3.3. Creating a Syslog-linkage Device

When a Syslog-linkage device acts as a detecting device, add the Syslog-linkage device to the ATIC
Management center.

Prerequisites
Before you create a Syslog-linkage Device, ensure that the following are available:

- IP addresses of devices
- IP connectivity between the ATIC Management center and the device

Context
The Syslog-linkage Device analyzes traffic and sends logs to the ATIC Management center. After
analyzing anomaly logs reported by the Syslog-linkage device, the ATIC Management center generates a
traffic diversion task and delivers it to the cleaning device in the same defense group.

Procedure
Step 1: Choose Defense > Network Settings > Devices.

Step 2: Click .

Step 3: In the Basic Information group box, set the name and IP address of a device and select
Syslog-linkage Device for Device Type.

Step 4: Click OK.
----End

2.4. Configuring a Collector
The management center consists of the ATIC server and collectors. The collectors collect, parse,
summarize, and store traffic and logs from anti-DDoS devices. Therefore, collectors need to be added
to the ATIC Management center when anti-DDoS services are configured. You can view the performance
data of the added anti-DDoS collectors, modify the collectors, or delete them.
Choose Defense > Network Settings > Collectors, and manage collectors.

Create: Click   to add a collector in the ATIC Management center. For details, see 2.4.1 Adding a
Collector.

Associate Device: Click   of a collector and bind the collector to one or more anti-DDoS devices. For
details, see 2.4.2 Associating the Collector with the devices.

Modify: Click   of the collector to be modified to change the collector parameters.
NOTE: A collector in Down state cannot be modified.

Delete:
1. Delete one collector: Click   in the Operation column to delete the corresponding collector.
2. Delete collectors in batches: Select the check boxes of multiple collector names and click   above
the list to delete the selected collectors. Select the check box on the title bar and click   above the
list to delete all collectors.
NOTE: Collectors associated with a device cannot be deleted.

View:
1. Click the name of the collector to be viewed for collector configurations.
2. Click Close to close the dialog box.

State: Indicates the connection state between the ATIC server and the collector.
1. Indicates that the collector is online. That is, the ATIC server and collector are connected and the
collector service has been started.
2. Indicates that the collector is offline. Possible causes: the IP address of the collector has changed,
the ATIC server fails to connect to the collector, or the collector service is not started.

Device Quantity: Indicates the number of devices bound to the collector.

CPU, Memory, Disk Information: Indicates performance data including information about the CPUs,
memory, and disks of collectors.


2.4.1 Adding a Collector
After the centralized installation is complete, the ATIC Management center automatically creates a collector.
You must manually create collectors during the distributed installation.

Procedure
Step 1: Choose Defense > Network Settings > Collectors.

Step 2: On the Collectors page, click .

Step 3: On the Create Collector page, select Anti-DDoS from the Collector Type drop-down list.

Step 4: Set the other parameters of the collector. For details, see Table 2-3.

Table 2-3 Collector parameters

Parameter: Name
Description: Indicates the collector name.
Value: The name contains a maximum of 32 characters, including letters, digits, underscores (_), and
hyphens (-). It must start with a letter or an underscore (_).

Parameter: IP Address
Description: Indicates the IP address of the collector.
Value: The IP address must be routable to the IP addresses of the FTP server and log server. This
parameter cannot be changed during collector modification.

Parameter: Encryption Key
Description: Indicates the key content.
Value: Before configuring a packet capture task, configure an encryption key for packet capture logs.
When the collector is associated with an anti-DDoS device, deliver the key to the anti-DDoS device.

 
Step 5: Optional: On the Create Collector page, click Test.

1. If the system displays "Succeeded in connecting the collector", perform Step 6.

2. If the system displays "Failed to connect the collector", the possible causes are: the IP address of
the collector is incorrect, the collector is not started, or a connectivity error occurs, so the ATIC
Management center and the collector cannot be connected. Check according to the displayed cause.

Step 6: On the Create Collector page, click OK.

After the collector is successfully added, the system displays the Collectors page.
----End

Follow-up Procedure
You can view, modify, or delete a collector by referring to 2.4 Configuring a Collector.

2.4.2 Associating the Collector with the devices

After being associated with the anti-DDoS collector, devices can send logs and captured packets to it
for later analysis. When only one anti-DDoS collector is available, the collector is automatically
associated with devices. When multiple anti-DDoS collectors exist, associate them with devices
manually. You are advised to associate each collector with one device.

Prerequisites
1. The device and the anti-DDoS collector are routable to each other.
2. Devices have been added. For details on how to add devices, see 2.3 Adding Devices.
3. The anti-DDoS collector has been added. For details on how to add the anti-DDoS collector, see
2.4.1 Adding a Collector.
Procedure
Step 1: Choose Defense > Network Settings > Collectors.

Step 2: On the Collectors page, click   of the anti-DDoS collector.

The connection status of the collector is Online.

Step 3: On the Associated Devices interface, click .

Step 4: On the Select Device page, select the check box of the device to be associated.

Step 5: Click OK.

The device associated with the collector is displayed in the associated device list.

----End

2.5. Configuring the Defense Group

A defense group identifies the collection and networking of anti-DDoS devices. If an Anti-DDoS is
deployed in off-line mode, traffic diversion can be implemented only after the detecting device and
cleaning device are added to the same defense group.

Defense Group Overview

- The detecting device and cleaning device can be added to a defense group. In a defense group, the
detecting device reports anomaly traffic to the ATIC Management center, and the ATIC Management
center delivers a traffic diversion task to the cleaning device. Then the cleaning device performs
traffic diversion and cleaning.
- Cleaning Device Linkage: When multiple cleaning devices are added to a defense group and any
cleaning device in the group detects attack traffic, that cleaning device interworks with the others to
divert and clean attack traffic.
- When two or more detecting devices exist on the network, add them to a defense group and
select a working mode: load redundancy or load sharing.

If a detecting device that does not belong to any defense group detects abnormal traffic, the device
diverts the traffic to cleaning devices that do not belong to any defense group.

Management Operation
Choose Defense > Network Settings > Defense Group, and manage defense groups.

Create: Click   to create a defense group. For details, see Creating a Defense Group.

Modify: Click   of the defense group to be modified to modify the defense group.

Delete:
1. Delete one defense group: Click   in the Operation column to delete the corresponding defense
group.
2. Delete defense groups in batches: Select the check boxes of multiple defense groups and click   
above the list to delete the selected defense groups. Select the check box on the title bar and
click   above the list to delete all defense groups.

View:
1. Click the name of the defense group to be viewed for its basic information and device information.
2. Click Close to close the dialog box.

Creating a Defense Group

Devices that serve as cleaning devices or detecting devices have been discovered and synchronized.

Step 1: Choose Defense > Network Settings > Defense Group.

Step 2: On the Defense Group List page, click .

Step 3: Set the basic parameters of the defense group. For details, see Table 2-4.

Table 2-4 Defense group parameters

Parameter: Name
Description: Indicates the name of the defense group.
Value: The name contains a maximum of 64 characters. It cannot contain any spaces or characters such
as "'", "|", "\", ",", "<", ">", "&", ";", """, and "%". The value cannot be null.

Parameter: Cleaning Device Linkage
Description: When cleaning device linkage is enabled and any cleaning device in the defense group
detects attack traffic, that cleaning device interworks with the other devices to clean the attack traffic.
Value: -

Parameter: Detecting Mode
Description: Indicates the detecting mode when two or more detecting devices work together.
Value: If two or more detecting devices are used in collaboration, you need to select the value of this
parameter. In other cases, skip this item. The following detecting modes are available:
- Load Sharing: In load sharing mode, all detecting devices detect traffic collectively. This mode
applies to heavy traffic scenarios and poses high requirements on device performance. Reports cover
the total traffic of all detecting devices.
- Load Redundancy: In load redundancy mode, detecting devices detect the same traffic (by mirroring
or optical splitting), improving detection reliability. Reports cover the traffic of only one of the
detecting devices.

Parameter: Description
Description: Indicates remarks for identifying a defense group.
Value: The value contains a maximum of 255 characters.

Step 4: Select devices to be added to the defense group.

1. In the Select Device group box, click .

2. On the Select Device page that is displayed, select the check box of a device and click OK.

After it is successfully added, the device is displayed in the device list on the Create Defense
Group page.

1. Each device can be added to only one defense group.

2. In the device list, you can select a device and click   to delete the device; you can
select the check box on the title bar and click   to delete all devices.

Step 5: On the Create Defense Group page, click OK.

----End
3. Configuring Defense Policies
3.1. Configuring the Zone
Before you configure an anti-DDoS traffic security policy, add the Zones to be protected by anti-DDoS
devices. The ATIC Management center provides refined and differentiated filtering and protection for
different Zones.

Choose Defense > Policy Settings > Zone, and manage Zones.

Create: Click   to add a Zone. For details, see 3.1.1 Adding a Zone.

Modify: Click   of the Zone to be modified, and modify the Zone. For the parameter description, see
3.1.1 Adding a Zone.

Delete:
NOTICE: Once a Zone is deleted, all the services, policies, packet-capturing tasks, diversion tasks,
baseline-learning tasks, and service-learning tasks under the Zone are deleted, and the Zone is
undeployed from all associated devices. Perform this operation with caution.
1. Select the check boxes of multiple Zone accounts and click   above the list to delete the selected
Zones.
2. Select the check box on the title bar and click   above the list to delete all Zones.

Export:
1. Select one or more Zones and click .
2. On the File Download page, click Open to view the Zone list or click Save to save the list locally.

Export All:
1. Click .
2. On the File Download page, click Open to view the Zone list or click Save to save the list locally.

Import: Click   to import Zones in a batch. For details, see 3.1.2 Importing Zones in a Batch.
NOTE: SIG Zones are VICs synchronized from the SIG1000E/9280E and cannot be imported.

View:
1. Click the account or name of the Zone to be viewed for its basic information and IP addresses.
2. Click Close to close the dialog box.

Search:
1. Basic search: On the upper right of the page, enter the account/name of the Zone to be searched
for and click . The Zones that meet the search conditions are displayed on the page.
2. Advanced search: Click Advanced Search. In the advanced search area that is displayed, set search
conditions such as Account/Name, Type, or IP Address, and then click Search.

3.1.1 Adding a Zone
IP addresses protected by anti-DDoS devices are identified and grouped by adding a Zone. Then
Zone-specific policies can be configured to achieve differentiated and hierarchical defense.

Prerequisites
To add a Zone and associate it with devices, ensure that devices associated with the Zone have been
discovered by the ATIC Management center.

Context
The Zones are classified into user-defined Zones, default Zones, and SIG1000E/9280E Zones.

- User-Defined Zones

To protect specific IP addresses/address segments, the administrator can manually create user-defined
Zones and add the IP addresses/address segments to the user-defined Zones. The anti-DDoS device uses
defense policies to provide refined defense for traffic of these IP addresses/address segments.

The type of such Zones is User-Defined.

- Default Zones

One default Zone is automatically added when you add an anti-DDoS device. Each anti-DDoS device can
be associated with only one default Zone, which does not have any given IP address. Refined defense
can be implemented by the anti-DDoS device on the destination IP addresses except those in User-
Defined Zones.

The type of such Zones is Default.


- Zones Synchronized from the SIG1000E/9280E

After the SIG1000E/9280E is added, the system automatically synchronizes Zones from the
SIG1000E/9280E system to protect them. The administrator cannot change the basic information and IP
addresses of Zones of this type, but can select cleaning devices for Zones of this type, and apply the
policies configured for the Zones to the traffic destined for corresponding IP addresses/address
segments for refined defense.

The type of such Zones is SIG1000E/9280E Zone.

If a network is large or covers multiple areas and each administrator needs to manage one part of the
network, you can create multiple Zones and grant each administrator permission to manage the
corresponding Zone.

Procedure
Step 1: Choose Defense > Policy Settings > Zone.

Step 2: On the Zone List page, click .

Step 3: Set the basic parameters of the Zone. For details, see Table 3-1.

Table 3-1 Zone Basic Information

Parameter: Account
Description: Indicates the Zone account.
Value: The Zone account consists of letters, digits, and underscores (_) and must start with a letter. It
cannot be a reserved word such as null or default, and cannot start with sig. It is case insensitive. Its
length cannot exceed 32 characters. This parameter cannot be changed during Zone modification.

Parameter: Type
Description: Indicates the Zone type.
Value: The value can be User-Defined or Default. This parameter cannot be changed during Zone
modification.

Parameter: Name
Description: Indicates the Zone name, a supplement to the Zone account for query convenience.
Value: The Zone name contains a maximum of 64 characters. It cannot contain spaces or any of the
following characters: | \ , < > / : " % * ? & = The value cannot be null.

Parameter: Contact, Phone, Mobile Phone, Post Code, Email, Address
Description: Indicates the basic information of the contact person.
Value: -

Parameter: Description
Description: Indicates the detailed description of the Zone.
Value: Its length cannot exceed 255 characters.


Step 4: Set the IP addresses of the user-defined Zone.

This operation can be performed only when a user-defined Zone is added.

1. On the Create Zone page, click the IP Address tab.

2. Click .

3. Create IP addresses. For details on the parameters, see Table 3-2.

Both IPv4 and IPv6 addresses are applicable.

Table 3-2 Creating IP addresses

Parameter: IP Type
Description: Indicates the IP address type.
Value:
1. Regular: The IP address belongs to this Zone.
2. Exclude: The IP address does not belong to this Zone.
For example, if a Zone is a subnet except one IP address, you can configure the subnet with IP Type
set to Regular and that IP address with IP Type set to Exclude.

Parameter: Create Mode
Description: Indicates the mode of creating IP addresses.
Value:
1. IP address + Mask: The IP address and mask are entered to create IP addresses.
2. IP address segment: The start and end IP addresses are entered to create IP addresses.

4. Click OK.
The new IP address is displayed in the IP Address list.

- The IP addresses of different Zones must be mutually exclusive.

- In the IP Address list, you can select an IP address and click   to delete the IP address; you can
select the check box on the title bar and click   to delete all IP addresses.

Step 5: Click the Devices tab to associate devices with the Zone. Select the check box of a device and
click OK. When the Zone is synchronized from a Service Inspection Gateway (SIG1000E/9280E), the
SIG1000E/9280E is automatically added to the associated device list. To divert the traffic destined for
a Zone to a specific VPN instance of the device, select the VPN instance in the VPN column.

Step 6: Click the Policy tab to configure a defense policy and traffic diversion.

1. Select a defense policy template.

You can use the default defense policy template or create a defense policy template.

2. Select Packet Capture Task. The cleaning device then captures the packets discarded due to attacks
on the Zone, which assists in analyzing attack events.

3. Optional: Create a static traffic diversion task.

In the Traffic Diversion Task List group box, click   to create IP addresses whose traffic is to be
diverted.

After a static traffic diversion task is delivered, all traffic destined for the IP address is diverted to
the cleaning device.

When you specify certain IP addresses or IP address segments within a protected IP address segment
for traffic diversion, split the IP address segment and select a subnet after splitting.

a. Click   of the IP address to be split.

b. On the Splitting Setting page, enter the mask splitting length and click Split.
The mask splitting length ranges from 1+number of mask bits to 8+number of mask bits. For example,
if the mask of a protected IP address segment is 255.255.0.0, the number of mask bits is 16, and the
mask splitting length ranges from 17 to 24.

c. Select subnet IP addresses after splitting.

d. Click OK.

e. Select a subnet IP address after splitting on the Create Traffic Diversion Task page.

Step 7: Click OK to complete adding the Zone on the ATIC Management center. Click Deploy to deploy
the Zone configuration to devices.

----End
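As an added example (not part of this guide or of the ATIC software), the following Python script models the Zone rules from Step 3, Step 4 and Step 6: the account naming rules of Table 3-1, Regular/Exclude entries and both Create Modes of Table 3-2 with the requirement that Zones' IP addresses be mutually exclusive, and the mask splitting range used for static traffic diversion. The `Zone` representation, the function names and the clamping of the splitting range to the address length are this example's assumptions.

```python
"""Added example, not part of the ATIC guide: Zone account rules (Table 3-1),
Regular/Exclude IP entries (Table 3-2), the mutual-exclusivity check between
Zones, and the diversion mask-splitting range (Step 6). Standard library only."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
_ACCOUNT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")   # letter first, max 32


def validate_account(account: str) -> bool:
    """Table 3-1: letters, digits, underscores; starts with a letter; at most 32
    characters; case-insensitive; 'null'/'default' reserved; no 'sig' prefix
    (that prefix belongs to Zones synchronized from the SIG1000E/9280E)."""
    low = account.lower()
    return (bool(_ACCOUNT_RE.match(account))
            and low not in ("null", "default") and not low.startswith("sig"))


@dataclass
class Zone:
    account: str
    regular: List[Network] = field(default_factory=list)   # IP Type = Regular
    exclude: List[Network] = field(default_factory=list)   # IP Type = Exclude


def _parse_entries(entries) -> List[Network]:
    """'address/mask' is Create Mode 'IP address + Mask'; 'start - end' is
    Create Mode 'IP address segment' (summarized into CIDR blocks)."""
    nets: List[Network] = []
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def make_zone(account: str, regular, exclude=()) -> Zone:
    if not validate_account(account):
        raise ValueError(f"invalid Zone account: {account!r}")
    return Zone(account, _parse_entries(regular), _parse_entries(exclude))


def effective_networks(zone: Zone) -> List[Network]:
    """Addresses the Zone really covers: Regular blocks with every Exclude
    block carved out, expressed again as CIDR blocks."""
    nets: List[Network] = []
    for version in (4, 6):   # collapse_addresses refuses mixed versions
        nets.extend(ipaddress.collapse_addresses(
            [n for n in zone.regular if n.version == version]))
    for ex in zone.exclude:
        kept: List[Network] = []
        for net in nets:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)                         # untouched
            elif net.subnet_of(ex):
                continue                                 # whole block excluded
            else:
                kept.extend(net.address_exclude(ex))     # punch a hole
        nets = kept
    return sorted(nets, key=lambda n: (n.version, n))


def zone_contains(zone: Zone, address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in effective_networks(zone))


def address_count(zone: Zone) -> int:
    return sum(n.num_addresses for n in effective_networks(zone))


def overlapping_zones(zones: List[Zone]) -> List[Tuple[str, str, str, str]]:
    """Table 3-2 note: IP addresses of different Zones must be mutually
    exclusive. Returns (account_a, account_b, block_a, block_b) per clash."""
    eff = [(z.account, effective_networks(z)) for z in zones]
    clashes = []
    for i, (acct_a, nets_a) in enumerate(eff):
        for acct_b, nets_b in eff[i + 1:]:
            clashes.extend((acct_a, acct_b, str(a), str(b))
                           for a in nets_a for b in nets_b
                           if a.version == b.version and a.overlaps(b))
    return clashes


def splitting_range(segment: str) -> Tuple[int, int]:
    """Step 6: mask splitting length runs from 1+mask bits to 8+mask bits.
    Clamping to the address length (32/128) is this example's assumption."""
    net = ipaddress.ip_network(segment, strict=False)
    return net.prefixlen + 1, min(net.prefixlen + 8, net.max_prefixlen)


def split_segment(segment: str, new_prefix: int) -> List[str]:
    """Subnets offered for selection after splitting a protected segment."""
    lo, hi = splitting_range(segment)
    if not lo <= new_prefix <= hi:
        raise ValueError(f"mask splitting length must be {lo}..{hi}, got {new_prefix}")
    net = ipaddress.ip_network(segment, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed sample: a /24 minus one host, plus a Zone that clashes with it.
    web = make_zone("web_dmz", ["192.0.2.0/24"], exclude=["192.0.2.7/32"])
    mail = make_zone("mail", ["192.0.2.0 - 192.0.2.15"])
    print([str(n) for n in effective_networks(web)])
    print(overlapping_zones([web, mail]))
    print(splitting_range("10.1.0.0/16"), split_segment("10.1.0.0/16", 24)[:3])
```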

Follow-up Procedure
You can view, modify, or delete a Zone by referring to Configuring the Zone.

3.1.2. Importing Zones in a Batch


Importing Zones in a batch improves the efficiency of adding Zones. You can fill in a file based on
the template and import the file to the ATIC Management center.

Procedure
Step 1: Choose Defense > Policy Settings > Zone.

Step 2: Click .

Step 3: On the Import Zone page, click   to download the template locally.

Step 4: Fill in all parameters in the template. For parameter settings, see 3.1.1 Adding a Zone.

Step 5: Import the file to the ATIC Management center.

1. On the Import Zone page, click Browse....

2. Select the local file to import and click OK.

The Zone information in the imported file is displayed in the Zone list.

----End

Follow-up Procedure
To export Zones, see Configuring the Zone.

3.2. Configuring the Zone-based Defense Policy


After you create a Zone, configure a defense policy specifically for the Zone so that attack traffic
can be blocked. When the Zone identifies abnormal traffic or is under attack, you can refer to
the defense status information on the Versatile Security Manager (VSM) graphical user interface
(GUI) to handle anomalies or attacks.

Choose Defense > Policy Settings > Zone. On the page that is displayed, you can manage the
defense policies of the Zone. For details, see Table 3-3 and Table 3-4.

Table 3-3 Managing the defense policies of the Zone

Action: Configure defense policies
Description: Click   of the Zone. For details, see 3.2.1 Configuring a Defense Mode, 3.2.2 Configuring
a Filter, and 3.2.6 Configuring the Zone-based Defense Policy.

Action: Deploy
Description: Policies configured for a Zone take effect only after they are deployed on associated
devices. Select the check box of a Zone and click . For details, see 3.2.12 Deploying the Defense
Policy.

Action: Undeploy
Description: Remove the policy configurations of a Zone from associated devices, but keep the
configurations on the ATIC Management center. Select the check box of a Zone and click .

Action: Handle anomalies or attack events
Description: When a Zone identifies abnormal traffic or is under attack, State is Abnormal or Attacked.
Click the state value in the State column of the Zone and perform the appropriate operations. For
details, see 5.2 Handling Abnormal Events.

Table 3-4 Parameters of Zone policies

Parameter: Zone
Description: Indicates the Zone name defined when you create the Zone. For details, see 3.1.1 Adding
a Zone.

Parameter: Type
Description: Indicates the type of the Zone.

Parameter: Device Name
Description: Indicates the detecting or cleaning device that provides anti-DDoS services for the Zone.

Parameter: Service Learning
Description: Indicates the state of the Zone-associated devices that perform service learning on traffic.
Click the state value to configure the service learning task or view service learning results. For
details, see 3.2.4.2 Configuring a Service Learning Task.

Parameter: Baseline Learning
Description: Indicates the state of the Zone-associated devices that perform baseline learning on
traffic. Click the state value to configure the baseline learning task or view baseline learning results.
For details, see 3.2.5 Adjusting a Threshold (by Baseline Learning).

Parameter: State
Description: Indicates the state of Zone traffic.
1. Normal: The Zone traffic is normal or the Zone is not associated with any Anti-DDoS.
2. Abnormal: The Zone traffic does not comply with the normal model. That is, the traffic exceeds the
threshold specified in the defense policy.
3. Attacked: After traffic anomalies are detected on the cleaning device and the defense mechanism is
enabled, the cleaning device starts to discard packets and the packet drop probability is higher than
the specified value.
If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part Defended, click
the state value in the State column. You can view the abnormal events and handle them. For details,
see 5.2 Handling Abnormal Events.

Parameter: Defense State
Description: Indicates how the cleaning device processes anomaly or attack traffic for the Zone.
1. --: The Zone traffic is normal and no defense mechanism is required.
2. Automatically Defended: The defense mechanism is automatically enabled for abnormal traffic.
3. Not defended: The Zone traffic is abnormal, but the defense mechanism is not enabled for the
abnormal traffic. You need to enable the defense mechanism manually.
4. Part Defended: The defense mechanism is manually enabled for part of the abnormal traffic.
5. Defended: The defense mechanism is manually enabled for all abnormal traffic.
If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part Defended, click
the state value in the State column. You can view the abnormal events and handle them. For details,
see 5.2 Handling Abnormal Events.

Parameter: Diversion State
Description: Indicates whether Zone traffic is diverted to the cleaning device.
1. In diverting: The traffic forwarded to the Zone is being diverted to the cleaning device.
2. Partial Diversion: The traffic forwarded to some IP addresses of the Zone is being diverted to the
cleaning device.
3. Not diverted: The traffic forwarded to the Zone has not been diverted to the cleaning device.
4. Confirmed Divert: The NFA2000 reports detected abnormal traffic to the ATIC Management center,
which generates a traffic diversion task. The task is delivered to the cleaning device after the
administrator confirms it. Confirmed Divert is displayed only when the NFA2000 serves as a detecting
device.
On an anti-DDoS network in off-line deployment, when one of the following states occurs, click the
corresponding diversion state to check whether a traffic diversion task is created for the Zone or the
traffic diversion task is enabled on the Traffic Diversion Task List tab page. For details, see 4.2.3
Configuring BGP Traffic Diversion (ATIC).
1. The diversion state of the Zone is Not diverted and the Zone state is Abnormal.
2. The diversion state of the Zone is Partial Diversion and the Zone state is Abnormal.
3. The diversion state of the Zone is Confirmed Divert and the Zone state is Normal.

Parameter: Deployment State
Description: Indicates whether the Zone policy is deployed on devices. The value can be Undeployed,
Deploy Succeed, Part Deployed, or Deploy Failed.
If Deployment State is Deploy Failed, click Deploy Failed to view details on policy deployment and
undeployment on the Zone-associated devices.
If Deployment State is Part Deployed, click Part Deployed to view the new policies that are not
deployed on the Zone-associated devices.

3.2.1 Configuring a Defense Mode

A defense mode covers the traffic diversion mode, defense mode, cleaning bandwidth, traffic limiting for
a single IP address, and device association.

Prerequisites
A Zone has been created. For details, see 3.1 Configuring the Zone.

Procedure
Step 1: Choose Defense > Policy Settings > Zone.

Step 2: Click   of the Zone. The following page is displayed.

Step 3: Configure basic policies. Table 3-5 lists the basic policy parameters.

Table 3-5 Parameters of defense modes

Parameter: Traffic Diversion Mode
Description: Indicates the mode in which the detecting device diverts anomaly traffic of the Zone to
the cleaning device.
Value:
1. Automatic Perform: The detecting device reports the anomaly to the ATIC Management center. Then
the ATIC Management center automatically generates a traffic diversion task and delivers the task to
the cleaning device.
2. Manual Perform: The detecting device reports the detected traffic anomaly to the ATIC Management
center. The ATIC Management center generates a traffic diversion task automatically but does not
deliver the task to the cleaning device until the administrator confirms it manually.
After the Zone state returns to normal, the ATIC Management center automatically delivers the task of
canceling traffic diversion to the cleaning device to stop traffic diversion.
NOTE: In addition to manual and automatic traffic diversion, you can configure a static traffic diversion
task to divert traffic to the cleaning device regardless of whether the traffic is normal. For details, see
4.2.3 Configuring BGP Traffic Diversion (ATIC).

Parameter: Defense Mode
Description: Indicates the defense mode of the cleaning device after abnormal traffic is detected.
Value:
1. Automatic Perform: After abnormal traffic is detected, the cleaning device generates an anomaly
event and automatically enables the defense mechanism.
2. Manual Perform: After abnormal traffic is detected, the cleaning device generates an anomaly event.
The administrator needs to determine whether to enable the defense mechanism. For details, see 5.1
Viewing the Status of a Zone and Anti-DDoS Alarms.
Currently, the following types of attacks support Manual Perform defense: SYN flood, SYN-ACK flood,
ACK flood, TCP connection flood, TCP abnormal flood, TCP frag flood, UDP flood, UDP frag flood, RST
flood, DNS reply flood, DNS request flood, domain name hijacking, HTTP flood, HTTPS flood, SIP flood,
Other flood, and URI behavior monitoring.
When Traffic Diversion Mode is set to Manual Perform, select only Automatic Perform for Defense
Mode.

Parameter: Dynamic Blacklist Mode
Description: During the defense, detected illegitimate source IP addresses are dynamically blacklisted.
Value:
1. Automatic: A dynamic blacklist entry takes effect automatically after it is generated.
2. Close: No dynamic blacklist entry is generated during the defense.

Parameter: Cleaning Bandwidth
Description: Limits the traffic on which Zone-based attack defense is implemented to below the
threshold. Excess packets are directly discarded.
Value: This function is used by the carrier to provide value-added services.

Parameter: Traffic Limiting for Single IP Address
Description: Limits the traffic of a single IP address of the Zone to below the threshold. Excess packets
are directly discarded.
Value: When network bandwidth is limited, you are advised to enable this function to avoid network
congestion. Traffic statistics are collected starting from the Layer 2 packet header, which excludes the
packet length at the physical layer. Therefore, the actual traffic volume is slightly greater than the
specified value.

Parameter: Apply an IPSec policy.
Description: If an IPSec policy is applied, packet filtering is triggered.
Value:
1. Botnets, Trojan horses, and worms
2. C&C Domain
3. Web Injection
4. DoS Tools

Step 4: Click OK.
----End

Follow-up Procedure
Basic policies configured for the Zone take effect only after they are deployed on associated
devices. For details, see 3.2.12 Deploying the Defense Policy.

3.2.2. Configuring a Filter

This section describes how to configure a filter, which is employed by the cleaning device to perform
static filtering over the traffic destined for the Zone.

Filter Category
The Anti-DDoS provides IP, TCP, UDP, HTTP, DNS, ICMP, and SIP filters. For details, see Table 3-6.
The IP filter can process all types of IP packets whereas other filters can only process the packets of their
own types. For example, the HTTP filter can process only HTTP packets.
You can configure a maximum of 128 filters on one anti-DDoS device.

Table 3-6 Seven filters

Filter: IP filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, protocol,
DSCP, and fragment type

Filter: TCP filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP,
fragment type, TCP flag bit, source port, and destination port

Filter: UDP filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP,
fragment type, source port, and destination port

Filter: ICMP filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP,
and fragment type

Filter: HTTP filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP,
fragment type, TCP flag bit, source port, HTTP field (including opcode, cookie, host, and referer), and
URI

Filter: DNS filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP,
fragment type, source port, DNS QR (query and reply), and DNS field (including the domain and type)

Filter: SIP filter
Filtering Condition: Source IP address, destination IP address, packet length, TTL, fingerprint, DSCP,
fragment type, source port, caller, and callee

Filter Template
The ATIC Management center provides 10 common filter templates. You can use any of them as
required.

DNS_Amplification DNS amplification attack

Chargen_Amplification Chargen amplification attack

SNMP_Amplification SNMP amplification attack

TFTP_Amplification TFTP amplification attack

NTP_Amplification NTP amplification attack

NetBIOS_Amplification NetBIOS amplification attack

SSDP_Amplification_Attack SSDP amplification attack

QOTD_Amplification QOTD amplification attack

Quake_Network_Protocol Quake amplification attack

Steam_Protocol_Amplification Steam amplification attack

You can edit or delete templates as required.

Filter Matching Sequence

Packets are matched against the filters in the list from top to bottom. Matching stops at the first filter whose conditions the packet meets, and the action defined in that filter is applied.

Operation
Choose Defense > Policy Settings > Filter, and configure the filter.

Create: Click the create icon to create a filter. For details, see 3.2.2.1 Creating a Filter.
Modify: Click the modify icon in the Operation column and modify the filter in the Modify Filter dialog box.
Delete: Select the check box for the filter and click the delete icon.
Search: Enter part of a filter name or the full name in Name and click the search icon.

3.2.2.1 Creating a Filter
Seven types of filters are available for static filtering based on the user-defined
keyword and action for matched packets.

Procedure
                               Step 1: Choose Defense > Policy Settings > Filter.

                     Step 2:  Click .

                     Step 3:    On the Basic Information tab page, configure basic information about the
filter. Table 3-7 lists parameters and Table 3-8 lists keywords.

Table 3-7 Basic information about the filter

Parameter | Description | Value
Name | Indicates the name of a filter. | -
Protocol | Indicates a protocol type. | -
Operation | Indicates an action for matched packets. | One of the following:
  1. Discarding: Discards the packets that match the keyword.
  2. Discard + Blacklist: Discards the packets that match the keyword and blacklists their source IP addresses.
  3. Permitting: Permits only the packets that match the keyword.
  4. Pass + Whitelist: Permits the packets that match the keyword and whitelists their source IP addresses.
  5. Rate Limiting: Limits the rate of packets that match the keyword below Threshold.
  6. Source detection: Performs source detection when packets match the specified keyword.
Threshold | This parameter is required when Operation is set to Rate Limiting. | -

 
Click the Keyword tab and configure keywords.

Table 3-8 Keyword content

Keyword | Field | Description | Value
source-ip | IP address, mask | Indicates the source IP address and subnet mask of a packet. Both IPv4 and IPv6 addresses are supported. | You can configure a maximum of 1000 source IP addresses on each filter and a maximum of 20,000 source IP addresses on each cleaning device.
destination-ip | IP address, mask | Indicates the destination IP address and subnet mask of a packet. Both IPv4 and IPv6 addresses are supported. | You can configure a maximum of 100 destination IP addresses on each filter and a maximum of 2000 destination IP addresses on each cleaning device.
packet-length | min, max | Indicates the packet length range. | You can configure a maximum of 32 packet lengths for each filter. A packet matches the filter only if one of the specified packet lengths is hit.
ttl | ttl | Indicates the Time To Live (TTL) of a packet. | You can configure a maximum of 32 TTL values for each filter.
fingerprint | offset | Indicates the number of offset bytes, counted from the first bit of the packet data. | For example, when Content is set to 1234afee, Offset to 20, and Check Depth to 8, the packet matches the fingerprint if the data content from the 21st byte to the 32nd byte matches 1234afee. The formula is "32 = 20 + 4 (fingerprint length) + 8 (check depth)".
fingerprint | content | Indicates the fingerprint content. | A fingerprint contains 4 to 16 bytes and can be a character string or a group of hexadecimal numbers. The default format is a character string. If the hexadecimal format is used, each byte contains two hexadecimal numbers and a \x must be added before the start byte. You can configure a maximum of 10 fingerprints for each filter, and a maximum of 4 parts for each fingerprint. You can configure a maximum of 512 parts for each device.
fingerprint | depth | Indicates the check depth that determines the range of fingerprint matching. | See the offset example above.
protocol | protocol | Indicates the protocol type of a packet. | You can configure a maximum of 32 packet protocols for each filter.
dscp/fragment | dscp/fragment | Indicates the DSCP or fragment field of an IP packet. | You can configure a maximum of 32 DSCPs for each filter and 5 fragments for each filter.
tcp-flag | TCP flag | Indicates the flag bits of a TCP packet. | You can configure a maximum of 16 TCP flags for each filter.
destination-port | start port, end port | Indicates the range of the destination ports of packets. | You can configure a maximum of 32 destination ports for each filter.
source-port | start port, end port | Indicates the source port range. | You can configure a maximum of 32 source ports for each filter.
opcode/cookie/host/referer/user-agent | opcode/cookie/host/referer/user-agent | Indicates the field of an HTTP packet. | 1. ASCII characters and hexadecimal characters are supported. 2. Each character string contains a maximum of 64 bytes. 3. You can configure a maximum of 128 opcode keywords or a maximum of 512 cookie/host/referer/user-agent keywords for each device.
uri | URI | Indicates the URI of an HTTP request packet. | You can configure a maximum of 512 URI keywords for each HTTP filter, and a maximum of 512 for each device.
qr | qr | Indicates the type of a DNS packet. | Both DNS query and DNS reply types are available.
domain | domain | Indicates the domain field of a DNS packet. | 1. include: indicates a fuzzy match. DNS packets are matched only if the domain field contains the matched content. 2. equal: indicates an exact match. Packets are matched only if the domain field is the same as the matched content. You can configure a maximum of 512 domain keywords for each HTTP filter, and a maximum of 512 for each device.
type | type | Indicates the type field of a DNS packet. | You can configure a maximum of 10 type keywords for each DNS filter.
caller/callee | Caller/Callee | Indicates the caller or callee field of a SIP packet. | You can configure a maximum of 512 Caller/Callee keywords for each SIP filter, and a maximum of 512 for each device.

Step 4: Bind a Zone to the filter.

1. Click the Associated Zone tab.

2. Click the icon, select a Zone, and click OK.

Only the Zones whose Deployment State is Deploy Succeed are displayed on the page. Ensure that the Zone to be bound has been deployed.

Two modes are available for binding a Zone to a filter. For details, see 3.2.2.2 Associating a Zone with a Filter.

Step 5: Click Deploy.

1. When the Zone is associated with the filter and you click Deploy, the filter is deployed on the Anti-DDoS and the configurations take effect.

2. When only the filter is created and you click Deploy, the filter configurations are saved on the ATIC Management center. They take effect only after the filter is associated with the Zone and is deployed again.

----End
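The two behaviours a practitioner most often has to reason about when building a filter list are the top-to-bottom first-match rule (Filter Matching Sequence) and the fingerprint keyword's offset/depth window (Table 3-8). The following Python model is an added example written for this guide; it is not ATIC code and does not reflect the device's implementation. Class names, the "Default" action for unmatched packets, the one-value-hit rule applied to every keyword, and all sample filters and packets are assumptions constructed here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed sample packet: only the fields the filters below inspect."""
    protocol: str          # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    dport: int
    length: int
    ttl: int
    payload: bytes = b""


def parse_content(text: str) -> bytes:
    """Fingerprint content per Table 3-8: a plain character string, or hex
    bytes written with a leading \\x (e.g. "\\x1234afee" -> 4 bytes)."""
    if text.startswith("\\x"):
        return bytes.fromhex(text[2:])
    return text.encode("ascii")


@dataclass
class Fingerprint:
    content: bytes   # 4 to 16 bytes (Table 3-8)
    offset: int      # bytes skipped from the start of the packet data
    depth: int       # how far beyond the offset the match may extend

    def __post_init__(self):
        if not 4 <= len(self.content) <= 16:
            raise ValueError("fingerprint content must be 4 to 16 bytes")

    def matches(self, payload: bytes) -> bool:
        # Guide example: offset 20, depth 8, 4-byte content -> the content must
        # lie within bytes 21..32 of the data, i.e. 32 = 20 + 4 + 8.
        window = payload[self.offset: self.offset + self.depth + len(self.content)]
        return self.content in window


@dataclass
class Filter:
    name: str
    protocol: str                  # "IP" matches every IP packet; others only their own type
    action: str                    # Discarding, Discard + Blacklist, Permitting, ...
    source_nets: List[str] = field(default_factory=list)
    dst_ports: List[Tuple[int, int]] = field(default_factory=list)
    lengths: List[Tuple[int, int]] = field(default_factory=list)
    ttls: List[int] = field(default_factory=list)
    fingerprints: List[Fingerprint] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        """An empty keyword does not constrain the packet; a keyword with several
        values matches if any one value is hit (the guide states this for packet
        length; applying it to the other keywords is this example's assumption)."""
        if self.protocol != "IP" and self.protocol != pkt.protocol:
            return False
        if self.source_nets and not any(ip_address(pkt.src) in ip_network(n) for n in self.source_nets):
            return False
        if self.dst_ports and not any(lo <= pkt.dport <= hi for lo, hi in self.dst_ports):
            return False
        if self.lengths and not any(lo <= pkt.length <= hi for lo, hi in self.lengths):
            return False
        if self.ttls and pkt.ttl not in self.ttls:
            return False
        if self.fingerprints and not any(fp.matches(pkt.payload) for fp in self.fingerprints):
            return False
        return True


def apply_filters(filters: List[Filter], pkt: Packet) -> Tuple[Optional[str], str]:
    """Filter matching sequence: top to bottom, the first match wins and its
    action is applied. A packet that matches no filter goes on to the Zone's
    defense policy, represented here by the action "Default"."""
    for f in filters:
        if f.matches(pkt):
            return f.name, f.action
    return None, "Default"


# Constructed filter list. Order matters: the permit rule for the monitoring
# subnet sits above the DNS rule, so monitoring traffic is never dropped by it.
FILTERS = [
    Filter("permit-monitoring", "IP", "Permitting", source_nets=["192.0.2.0/24"]),
    Filter("drop-large-dns", "UDP", "Discarding", dst_ports=[(53, 53)], lengths=[(1000, 65535)]),
    Filter("drop-fingerprint", "TCP", "Discard + Blacklist",
           fingerprints=[Fingerprint(parse_content("\\x1234afee"), offset=20, depth=8)]),
]


def classify_samples() -> List[Tuple[Optional[str], str]]:
    """Run constructed packets through FILTERS; returns (filter name, action) per packet."""
    fp = parse_content("\\x1234afee")
    samples = [
        Packet("UDP", "192.0.2.7", "203.0.113.10", 53, 1400, 64),        # monitoring subnet, permitted first
        Packet("UDP", "198.51.100.9", "203.0.113.10", 53, 1400, 64),     # large DNS from elsewhere
        Packet("TCP", "198.51.100.9", "203.0.113.10", 80, 200, 64, b"\x00" * 28 + fp + b"\x00" * 8),  # ends at byte 32
        Packet("TCP", "198.51.100.9", "203.0.113.10", 80, 200, 64, b"\x00" * 29 + fp + b"\x00" * 8),  # one byte too far
    ]
    return [apply_filters(FILTERS, p) for p in samples]


if __name__ == "__main__":
    for name, action in classify_samples():
        print(f"{str(name):>18} -> {action}")
```

The last two packets show the edge of the check window: a fingerprint whose final byte is byte 32 still matches, while one starting a single byte later falls outside 20 + 4 + 8 and drops through to the Zone's defense policy.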

3.2.2.2 Associating a Zone with a Filter


You can use either of the following methods to associate a Zone with a filter.

Method 1: Associating a Filter on the Zone Page


                               Step 1: Choose Defense > Policy Settings > Zone.

                               Step 2: Click   of the Zone.


                               Step 3:  Click the Filter tab.

                               Step 4: Click  .
                               Step 5: Select the filter to be associated and click OK.
The filter takes effect only after the Zone is deployed.
----End

Method 2: Associating a Zone on the Filter Page


Step 1: Choose Defense > Policy Settings > Filter.
Step 2: Click the icon in the Operation column to modify the filter.

Step 3: Click the Associated Zone tab.

Step 4: Click the icon, select a Zone, and click OK.

Only the Zones whose Deployment State is Deploy Succeed are displayed on the page. Check whether the Zone to be associated is successfully deployed.

Step 5: Click Deploy to deploy the filter to the Anti-DDoS.

----End

3.2.3 Configuring a Location Blocking Policy


A location blocking policy can block traffic from a specific country or region.

Prerequisites
The latest IP location database file has been loaded. For details, see 3.2.9 Library Files.

Context
Many Internet attacks are launched by attackers who control botnet hosts, and those hosts may be located in a specific region. The location blocking policy blocks traffic by region and so blocks attacks from that region effectively.
Public IPv4 addresses have been divided by country in the IP location database file. If the granularity of the IP location division in the IP location database file does not meet your requirements, you can create user-defined IP locations. For details, see 3.2.8 Creating User-defined IP Locations.

Procedure
                               Step 1:  Choose Defense > Policy Settings > Zone.

                               Step 2:  Click   of the Zone.

Step 3: Click the Blocked Location tab, click the icon, and select the location from which traffic will be blocked.
                               Step 4:  Click OK.
----End

3.2.4. Creating a Service and a Defense Policy


To provide the service-specific refined defense for servers or major services in the Zone or the defense
for TCP, UDP, and HTTP ephemeral ports, you can create a service.

Prerequisites
The basic policies of the Zone have been configured. For details, see 3.2.1 Configuring a Defense Mode.

Context
During traffic cleaning, the cleaning device first matches services by destination IP address, service type, and destination port. If a service matches, detection and defense are performed according to the service-specific defense policies. Otherwise, detection and defense are performed according to the default defense policy for the protocol type.
Only traffic limiting can be configured for certain devices in the defense policy of services. In this case, detection and defense for the service traffic are performed according to the default defense policy. The procedure is as follows: when cleaning traffic, the cleaning device first matches services by service type and destination IP address. After a successful match, the cleaning device matches the default defense policy by protocol type for detection and defense. Then the cleaning device limits traffic according to the traffic limiting policy of the service.

Service learning can be used to configure TCP and UDP services. For details, see 3.2.4.2 Configuring a
Service Learning Task.

Procedure
                               Step 1:  Choose Defense > Policy Settings > Zone.

                               Step 2:  Click   of the Zone.

                               Step 3: On the Defense Policy tab page, click  .

                               Step 4:  On the Basic Information tab page, configure the basic information of the
service. Table 3-9 shows parameters.

Table 3-9 Parameters of services

Parameter | Description | Value
Name | Indicates the name of the service. | -
Device Name | Selects a device in the Zone to be associated with the service. | -
Protocol | Indicates the type of the service. | -
Protocol ID | Indicates the protocol ID of the service. This parameter is required only when Service Type is set to Other. | The protocol IDs of TCP, UDP, and GRE are 6, 17, and 47 respectively.
IP Address | Indicates the destination IP address to be protected. | The IP address needs to be defined in the Zone. For details, see 3.1.1 Adding a Zone.
Destination Port | Indicates the destination port to be protected. | The value can be a port number or a port range, such as 1024-1030. The destination port of HTTPS is 443 and that of TCP_DNS and UDP_DNS is 53. These ports cannot be changed.
Description | Indicates the description of a service. | The value contains a maximum of 64 characters including letters, digits, and special characters except question marks (?). It does not support any Chinese characters.

                               Step 5:  Configure defense policies for services.

1. Click all tabs and configure defense policies for services. For parameters, see 3.2.6 Configuring the Zone-based Defense Policy.

You are advised to enable baseline learning to configure the thresholds of defense policies. For details, see 3.2.5 Adjusting a Threshold (by Baseline Learning).

2. Click Import Policy Template to import service policy configurations from the service policy template.

Step 6: Optional: Click Export Policy Template to save the current service policy configurations as a template for future use.

For details on how to manage policy templates globally, see 3.2.10 Configuring Policy Templates.

                               Step 7: Click OK.

----End
Example
A server is deployed in a Zone to provide HTTP services on port 8080. To protect this server, the configuration roadmap of a defense policy is as follows:

1. Configure the default defense policy. Considering possible Telnet and ping operations, limit the traffic of the TCP and ICMP services and block the UDP service and other services to prevent network congestion.

2. Create an HTTP service with destination port 8080 and the IP address used by the server to provide HTTP services. The service provides refined defense for HTTP services.

Follow-up Procedure
1. Services configured for the Zone take effect only after they are deployed on devices. For details, see 3.2.12 Deploying the Defense Policy.
2. You are advised to enable baseline learning to adjust the threshold configurations of service policies. For details, see 3.2.5 Adjusting a Threshold (by Baseline Learning).

3.2.4.1. Overview
The Anti-DDoS supports two kinds of learning: service learning and dynamic baseline learning. In service learning, the system learns the service model of the Zone (the protocol types and port numbers of the traffic destined for the Zone) so that a proper attack defense policy can be enabled.

The Anti-DDoS provides Zones with differentiated defense policies.

When multiple ports are enabled for the Zone and refined defense is required for a certain port, you need to adopt service-based defense: learn the traffic model and identify the Zone's services, so that defense policies can be provided for the given services in the Zone.

With service learning, the Anti-DDoS identifies the services of the Zone and finds the TCP and UDP services whose traffic hits the threshold, including the protocol type, port, IP address, and the traffic value. In this way, the device obtains the service list of the Zone.

In service learning, the Anti-DDoS learns statistics on all inbound traffic, whether normal or abnormal. Therefore, service learning must be enabled only when Zone traffic is normal. If the Zone becomes abnormal or comes under attack during learning, terminate the current service learning task and restart it only after Zone traffic returns to normal.
3.2.4.2 Configuring a Service Learning Task
You can configure a service learning task to learn TCP or UDP services that hit the traffic threshold within
the specified duration, and select the manual or automatic application of learning results. If the
automatic application is adopted, top N services with heaviest traffic on devices associated with the
Zone can be added to the Zone automatically.

Prerequisites
 The user-defined Zones have been added and IP addresses have been configured. For details, see 3.1.1 Adding a Zone.
 The basic policies of the Zone have been configured and deployed on the associated devices. For details, see 3.2.1 Configuring a Defense Mode.
 Devices associated with the Zone have been bound to collectors. For details, see 2.4.2 Associating the Collector with the devices.

Context
To ensure accurate learning results, enable the service learning task when traffic of the Zone is normal.

Procedure
                               Step 1: Choose Defense > Policy Settings > Zone.

                               Step 2: Click the Zone's state in the Service Learning column.

                               Step 3: Configure a service learning task. For parameters, see Table 3-10.

Table 3-10 Parameters of configuring a service learning task

Parameter | Description | Value
Start Time | Indicates the time at which the devices associated with the Zone start service learning. | The start time must be later than the time at which service learning is enabled.
End Time | Indicates the time at which the devices associated with the Zone stop service learning. | The end time must be later than the start time.
Traffic Threshold | If the traffic of a TCP or UDP service of an IP address exceeds the threshold, the service is added to the learning results. | -
Confirmation Method | Determines whether to automatically add service learning results to the service list of the Zone. | If Automatic confirmation is configured, select the top N services with the heaviest traffic in Automatic confirmation top N for automatic confirmation.

 
                  Step 4:  Click Start to enable the service learning task of the Zone.
After service learning is enabled, learning status is displayed as Learning is in progress. You can
click Stop to stop the service learning task.

Before you modify the parameters of the learning task, stop service learning first.
----End

Result
 With service learning enabled, if the traffic of a service in the Zone exceeds Traffic Threshold, the service is displayed in the service learning results.

The format of the service name is service type-port number. The displayed traffic volume is the upper limit reached by the service traffic.

 If the confirmation mode of service learning is Automatic confirmation, the system automatically adds the services in the learning results to the service policy of the Zone, including service names, types, ports, IP addresses, and associated devices. If services of the same type and port already exist on the device associated with the service policy of the Zone, the learnt IP addresses are added to the existing services.

Choose System > Log Management > System Logs. You can view log information about whether
the automatic confirmation of service learning results succeeds. If the automatic confirmation
succeeds, perform the following operations to view the services confirmed to the service policy.

a.         Choose Defense > Policy Settings > Zone.

b.         Click   of the Zone.


c.         On the Service tab page, you can view the services.

Click   of each service to modify the basic information and configure defense policies of
the service. For parameters of the defense policies, see 3.2.6 Configuring the Zone-based
Defense Policy.

Follow-up Procedure

1. When the confirmation mode of service learning is Automatic confirmation, service learning results are automatically applied to the defense policy of the Zone. The settings take effect after they are deployed on devices. For details, see 3.2.12 Deploying the Defense Policy.

2. When the confirmation mode of service learning is Manual confirmation, confirm service learning results manually. For details, see 3.2.4.3 Applying Service Learning Results.

3.2.4.3. Applying Service Learning Results


You must perform this operation when the confirmation mode of service learning is Manual confirmation.

Prerequisites
The service learning task has been enabled. For details, see 3.2.4.2 Configuring a Service Learning Task.

Context
Service learning results contain service names, types, ports, IP addresses, associated devices, and traffic.
During the confirmation of service learning results, the system checks whether services of the same type
and port exist on the associated device in the service policy of the Zone, and performs corresponding
processing.

1.         If such services exist, add learnt IP addresses to the services.

2.         If no such service exists, add services to the policy of the Zone, including service names,
types, ports, IP addresses, and associated devices.
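The Result of 3.2.4.2 and the Context above together define a small algorithm: select the TCP/UDP (type, port) combinations whose per-IP traffic exceeds Traffic Threshold, name them type-port, keep the top N for automatic confirmation, and merge them into the Zone's service list by the same-type-and-port rule. The following Python is an added example, not ATIC code; the 5-minute sample, the kbit/s unit, the choice of the highest per-IP value as the displayed traffic, and the dictionary layout of a service are assumptions constructed here.

```python
from typing import Dict, List, Optional, Tuple

# Constructed traffic sample: (device, destination IP, type, port, traffic in kbit/s)
SAMPLE_TRAFFIC = [
    ("10.0.0.1", "203.0.113.10", "TCP", 80, 900),
    ("10.0.0.1", "203.0.113.11", "TCP", 80, 1500),
    ("10.0.0.1", "203.0.113.10", "UDP", 53, 300),    # under the threshold: not learnt
    ("10.0.0.1", "203.0.113.12", "UDP", 123, 700),
    ("10.0.0.1", "203.0.113.10", "ICMP", 0, 5000),   # only TCP and UDP services are learnt
]


def learn_services(samples, threshold: float, top_n: Optional[int] = None) -> List[dict]:
    """Service learning result: one entry per (device, type, port) for which the
    traffic of at least one IP exceeds Traffic Threshold. Name format is
    type-port. The traffic shown is the highest per-IP value (assumption).
    With Automatic confirmation only the top N services by traffic are kept."""
    grouped: Dict[Tuple[str, str, int], dict] = {}
    for device, ip, proto, port, traffic in samples:
        if proto not in ("TCP", "UDP") or traffic <= threshold:
            continue
        entry = grouped.setdefault((device, proto, port), {
            "name": f"{proto}-{port}", "type": proto, "port": port,
            "device": device, "ips": [], "traffic": 0})
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
        entry["traffic"] = max(entry["traffic"], traffic)
    results = sorted(grouped.values(), key=lambda e: e["traffic"], reverse=True)
    return results[:top_n] if top_n is not None else results


def apply_results(zone_services: List[dict], results: List[dict]) -> List[dict]:
    """Confirmation rule: if a service of the same type and port exists on the
    same associated device, add the learnt IPs to it; otherwise add a new
    service with name, type, port, IPs and device. The input list is not mutated."""
    services = [dict(s, ips=list(s["ips"])) for s in zone_services]
    for r in results:
        for s in services:
            if s["device"] == r["device"] and s["type"] == r["type"] and s["port"] == r["port"]:
                s["ips"].extend(ip for ip in r["ips"] if ip not in s["ips"])
                break
        else:
            services.append({"name": r["name"], "device": r["device"], "type": r["type"],
                             "port": r["port"], "ips": list(r["ips"])})
    return services


# Constructed existing service list of the Zone: one web service already covers one host.
ZONE_SERVICES = [
    {"name": "web", "device": "10.0.0.1", "type": "TCP", "port": 80, "ips": ["203.0.113.10"]},
]

if __name__ == "__main__":
    learnt = learn_services(SAMPLE_TRAFFIC, threshold=500)
    for e in learnt:
        print("learnt", e["name"], e["ips"], e["traffic"])
    for s in apply_results(ZONE_SERVICES, learnt):
        print("zone service", s["name"], s["ips"])
```

Note what the merge does and does not do: the second web host is folded into the existing "web" service rather than creating a duplicate TCP-80 entry, while UDP-123 becomes a new service; the learnt list itself says nothing about whether that traffic is legitimate, which is why the guide insists on running the task only while Zone traffic is normal.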

Procedure
                               Step 1:  Choose Defense > Policy Settings > Zone.
                               Step 2:  Click the Zone's state in the Service Learning column.

                               Step 3:  In the Service Learning Result List group box, select the check box of a service
and click Apply.

----End

Result
1.         Choose Defense > Policy Settings > Zone.

2.         Click   of the Zone.

3.         On the Service tab page, you can view applied service learning results.

Click the icon of each service to modify the basic information and configure defense policies of the service. For parameters of the defense policies, see 3.2.6 Configuring the Zone-based Defense Policy.

Follow-up Procedure
After service learning results are applied to the Zone, the configurations take effect only after they are deployed on devices. For details, see 3.2.12 Deploying the Defense Policy.

3.2.5. Adjusting a Threshold (by Baseline Learning)


You can configure baseline learning to learn the traffic baseline values of the Zone and adjust the defense thresholds in the defense policy accordingly.

3.2.5.1. Description
Dynamic baseline learning provides references for configuring the defense threshold.

The defense policy refers to setting a proper threshold for the traffic volume of a protocol. When the
traffic on the live network exceeds the threshold, the system identifies that an anomaly occurs and
triggers the corresponding attack defense.

Before configuring the defense policy, you may have two questions:

1. What types of attack defense need to be enabled?

2. How do you set a proper threshold?

The ATIC system supports diversified types of attack defense. You can enable corresponding attack
defense if desired, but not all defense functions. When services on the network are unknown, you can
learn about services on the network by using service learning, and then determine whether to enable
attack defense.

During defense policy configurations, the system prompts you to set defense thresholds for policies.
When the number of the packets of a type destined for the Zone hits the threshold, the system enables
defense against such packets. Because improper configurations may affect normal services, you are
advised to learn the dynamic baseline and set a proper defense threshold according to the learning
result.

Dynamic Baseline Learning


In attack detection, the detection device collects statistics on traffic and then compares the traffic with
the pre-defined threshold. If the traffic hits the threshold, the device considers that an anomaly occurs
and reports the anomaly to the ATIC. Therefore, attack judgment is subject to the specified threshold;
however, different networks have diversified applications, each of which is equipped with its actual
bandwidth.

1. If the threshold is set to a smaller value, the system enables attack defense even if no attack occurs.

2. If the threshold is set to a larger value, the system cannot enable attack defense in a timely manner.

Therefore, before you configure the threshold, learn about the basic traffic model first.

In dynamic baseline learning, the system learns peak traffic at an interval in the normal network environment and presents the data as a curve to the administrator by using the ATIC.

You are advised to deliver the learning result as the defense threshold, after dynamic baseline learning is
complete. The threshold must be set to a value higher than normal peak traffic.

The dynamic baseline can be learned repeatedly to cope with the changes of network traffic models.

3.2.5.2 Configuring a Baseline Learning Task


You can configure baseline learning to obtain the baseline values of the services of the Zone by learning
cycle and generate learning results based on the learning task.
Prerequisites
1. The basic policies of the Zone have been configured and deployed on the associated devices. For details, see 3.2.1 Configuring a Defense Mode.

2. Devices associated with the Zone have been bound to collectors. For details, see 2.4.2 Associating the Collector with the devices.

Context
Current Threshold indicates the current threshold of a policy; Baseline indicates the traffic volume learned using baseline learning; Suggestion indicates the recommended threshold calculated from the current threshold and the baseline. The recommended threshold becomes the current threshold once it is delivered to the device. The recommended threshold is calculated as follows:

When the defense threshold is configured:
recommended threshold = current threshold x current threshold weight + (baseline value x tolerance value) x (1 - current threshold weight)

When the defense threshold is not configured:
recommended threshold = baseline value x tolerance value

The tolerance value depends on the size of the baseline:
 Baseline packet rate < 5000 pps, baseline bandwidth < 20 Mbit/s, or baseline connection count < 5000: tolerance value = 200%
 5000 pps ≤ baseline packet rate < 30,000 pps, 20 Mbit/s ≤ baseline bandwidth < 100 Mbit/s, or 5000 ≤ baseline connection count < 30,000: tolerance value = 180%
 30,000 pps ≤ baseline packet rate < 100,000 pps, 100 Mbit/s ≤ baseline bandwidth < 300 Mbit/s, or 30,000 ≤ baseline connection count < 100,000: tolerance value = 160%
 100,000 pps ≤ baseline packet rate < 300,000 pps, 300 Mbit/s ≤ baseline bandwidth < 1 Gbit/s, or 100,000 ≤ baseline connection count < 300,000: tolerance value = 140%
 300,000 pps ≤ baseline packet rate < 12,000,000 pps, 1 Gbit/s ≤ baseline bandwidth < 10 Gbit/s, or 300,000 ≤ baseline connection count < 12,000,000: tolerance value = 120%

A threshold that is too low causes false positives. Therefore, when the recommended packet rate, bandwidth, or connection count is smaller than 500 pps, 5 Mbit/s, or 500 respectively, set it to that minimum value instead.
If only one detecting device is in the defense group, the baseline learning result of the cleaning device is the same as that of the detecting device. If multiple detecting devices are available, the baseline learning result of the cleaning device is the maximum of the detecting devices' learning results.
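The Context above is a complete formula, so it is worth carrying through on numbers before trusting the Suggestion column. The following Python is an added example written for this guide, not ATIC code: it encodes the two formulas, the tolerance tiers, the 500 pps / 5 Mbit/s / 500 connection minimums and the rule for several detecting devices. The unit keys ("pps", "mbps", "conn"), the handling of baselines above the last tier, and the sample values are assumptions constructed here.

```python
from typing import List, Optional

# Tolerance tiers from the Context of 3.2.5.2: (exclusive upper bound, tolerance in %).
# Packet rate in pps, bandwidth in Mbit/s, connection count as a plain number.
TOLERANCE_TIERS = {
    "pps":  [(5_000, 200), (30_000, 180), (100_000, 160), (300_000, 140), (12_000_000, 120)],
    "mbps": [(20, 200), (100, 180), (300, 160), (1_000, 140), (10_000, 120)],
    "conn": [(5_000, 200), (30_000, 180), (100_000, 160), (300_000, 140), (12_000_000, 120)],
}

# Minimum values the guide substitutes when the recommendation is lower.
MINIMUMS = {"pps": 500, "mbps": 5, "conn": 500}


def tolerance_percent(unit: str, baseline: float) -> int:
    for upper, tol in TOLERANCE_TIERS[unit]:
        if baseline < upper:
            return tol
    # The guide's tiers stop at 12,000,000 pps / 10 Gbit/s / 12,000,000 connections.
    # Reusing the last tier above that is an assumption of this example.
    return TOLERANCE_TIERS[unit][-1][1]


def recommended_threshold(unit: str, baseline: float,
                          current: Optional[float] = None, weight: float = 0.0) -> float:
    """Suggestion value for one defense item. current is None when no defense
    threshold is configured yet; weight is the task's Current Threshold Weight (0..1)."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("current threshold weight must be between 0 and 1")
    tolerated = baseline * tolerance_percent(unit, baseline) / 100
    if current is None:
        suggestion = tolerated                                   # baseline x tolerance
    else:
        suggestion = current * weight + tolerated * (1 - weight)  # weighted with the current value
    # A threshold that is too low causes false positives, so the guide floors it.
    return max(suggestion, MINIMUMS[unit])


def cleaning_device_baseline(detector_baselines: List[float]) -> float:
    """One detecting device: the cleaning device takes its result. Several: the maximum."""
    if not detector_baselines:
        raise ValueError("at least one detecting device is needed")
    return max(detector_baselines)


if __name__ == "__main__":
    # Constructed sample: three detecting devices in one defense group, SYN rate in pps.
    baseline = cleaning_device_baseline([2_600, 4_100, 3_300])
    print("baseline:", baseline, "pps")
    print("suggestion, no threshold yet:", recommended_threshold("pps", baseline))
    print("suggestion, current 6000 pps, weight 0.5:",
          recommended_threshold("pps", baseline, current=6_000, weight=0.5))
    print("tiny baseline of 100 pps is floored to:", recommended_threshold("pps", 100))
```

Two points the arithmetic makes visible: a weight of 1.0 freezes the suggestion at the current value, so baseline learning changes nothing, and a very quiet service (100 pps) gets the 500 pps floor rather than 200 pps, which is the guide's protection against false positives.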

Procedure
                               Step 1:  Choose Defense > Policy Settings > Zone.

                               Step 2:  Click the Zone's state in the Baseline Learning column.


 

                               Step 3: Configure a baseline learning task. For parameters, see Table 3-11.

Table 3-11 Parameters of configuring a baseline learning task

Parameter | Description
Learning Cycle | After the baseline learning task is started, baseline learning results are refreshed every five minutes and are applied to the defense policy only after a learning cycle is complete.
Start Time | Indicates the start time of the current cycle for baseline learning.
Current Threshold Weight | Indicates the weight given to the current value when the recommended value is calculated.
Take effect automatically | 1. After Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to defense policies after the learning period ends, regardless of the learning results.
  2. After Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies after the learning period ends if the recommended value is greater than the current value.
  3. If Take effect automatically is not selected, baseline learning results do not take effect automatically. Manual intervention is required.

 
                               Step 4:     Click Startup to enable the baseline learning task of the Zone.

If a service is created, the traffic that matches the service is learned separately, and the traffic that does not match any service is learned as a whole. The learning results are applied to the defense policies of the created service and to the default defense policies. If no service is created, all traffic is learned as a whole and the learning result is applied to the default defense policy.

After baseline learning is enabled, click Stop to stop baseline learning.

To modify the parameters of the learning task, stop baseline learning first.

----End

Result
1. Before the first learning cycle ends, the service traffic learning result from the start time to the current time is displayed. After the first learning period elapses, the service traffic learning result of the last learning cycle is displayed.

After you click the icon in the Operation column, you can view the traffic trend chart of baseline learning and change the Current Threshold value.

2. After Take effect automatically and Always Effective are selected in a baseline learning task, the system automatically applies the recommended values to defense policies after the baseline learning period ends.

The baseline learning result takes effect only after the corresponding defense item is enabled in
defense policies.

Follow-up Procedure
 When the confirmation mode of baseline learning is automatic, the service traffic learning result is automatically applied to the defense policy of the Zone and deployed on devices.
 When the automatic confirmation mode is not selected for baseline learning, the service traffic learning result needs to be confirmed manually. For details, see 3.2.5.3 Applying Baseline Learning Results.
3.2.5.3 Applying Baseline Learning Results
When automatic validation is not adopted by the baseline learning task, you must apply baseline
learning results manually.

Prerequisites
The baseline learning task has been enabled. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

Procedure
                               Step 1: Choose Defense > Policy Settings > Zone.

                               Step 2: Click the Zone's state in the Baseline Learning column.

                               Step 3:  In the Dynamic Baseline Result group box, select the check box of a service
and click Apply Suggestion to apply the recommended value in baseline learning
results to service policies.

After you click the icon in the Operation column, you can change the Current Threshold value.

----End

3.2.6. Configuring the Zone-based Defense Policy


After basic policies are configured, a basic attack defense policy is automatically generated on the
devices associated with the Zone. You need to configure the attack defense policy based on live network
traffic.

Prerequisites
The defense mode of the Zone has been configured. For details, see 3.2.1 Configuring a Defense Mode.

Procedure
Step 1: Choose Defense > Policy Settings > Zone.

Step 2: Click the icon of the Zone.

Step 3: On the Defense Policy tab, click the icon in the Operation column of the default defense policy starting with basic.

The name of the default defense policy consists of basic and the IP address of the associated device. For example, if the IP address of the device is 128.18.60.36, the name of the default defense policy is basic_128_18_60_36.

Step 4: Configure defense policies for protocols.

----End

3.2.6.1. TCP Defense Policy


The defense policies for TCP services cover block, traffic limiting, and defense.

• Block
  − Discards all TCP packets.
• Traffic Limiting
  − TCP Traffic Limiting: Limits traffic of all TCP packets destined for an IP address below Threshold.
  − TCP Fragment Rate Limiting: Limits traffic of all TCP fragments destined for an IP address below Threshold.
  The Threshold is specified based on actual network bandwidths.
• Defense
  − TCP Abnormal Defense
    Checks the flag bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. If any flag bit is invalid, the TCP packet is considered abnormal. When the rate of TCP abnormal packets exceeds the Threshold value, all TCP packets are discarded.
  − TCP Basic Defense
    Uses the source authentication mode to defend against TCP attack traffic. Table 3-12 shows the parameters.
    It is recommended that you configure link status detection to defend against SYN-ACK flood, ACK flood, TCP fragment, and FIN/RST flood attacks in the scenario where the incoming and outgoing paths of packets are consistent.

Table 3-12 Parameters of configuring basic TCP defense

SYN Flood Attack Defense
  Parameter: Threshold
  Description: If the rate of SYN packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense.
  Value: You are advised to perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

ACK Flood Attack Defense
  Parameter: Threshold
  Description: If the rate of ACK packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense.
  Value: When ACK flood attacks are detected, the system permits the first packet for session establishment before session check and discards subsequent packets. Perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

TCP Fragment Attack Defense
  Parameter: Threshold
  Description: If the rate of TCP fragments exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense.
  Value: Perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

FIN/RST Flood Attack Defense
  Parameter: Threshold
  Description: If the rate of FIN/RST packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense.
  Value: Perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

Source IP TCP-Ratio Anomaly Limiting
  Parameter: Rate Limiting Threshold
  Description: In this mode, rate limiting is implemented on the real source IP addresses that succeed in session check.
  Value: Permanent Limiting: In all cases, this function limits the rate of all packets except the ACK packets below Rate Limiting Threshold.

  − TCP Connection Flood Attack Defense
    For parameters, see Table 3-13.

Table 3-13 Parameters of configuring defense against connection flood attacks

Concurrent connection check by destination IP address
  Parameter: Threshold
  Description: When the number of the concurrent TCP connections of a destination IP address exceeds Threshold, start defense against connection flood attacks. After the defense is started, start checking source IP addresses.
  Value: You are advised to perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

New connection rate check by destination IP address
  Parameter: Threshold
  Description: When the number of the new TCP connections per second of a destination IP address exceeds Threshold, start defense against connection flood attacks. After the defense is started, start checking source IP addresses.
  Value: You are advised to perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

New connection rate check by source IP address
  Parameters: Check Cycle, Threshold
  Description: After defense against connection flood attacks is enabled, if the number of the TCP connections initiated by a source IP address within Check Cycle exceeds Threshold, the source IP address is regarded as the attack source and is reported to the ATIC Management center.
  Value: -

Connection Number Check for Source IP Address
  Parameter: Threshold
  Description: After defense against connection flood attacks is enabled, if the number of the concurrent TCP connections of a source IP address exceeds Threshold, the source IP address is regarded as the attack source and is reported to the ATIC Management center.
  Value: -

Abnormal Session Check
  Parameters: Abnormal connection threshold, Check Cycle
  Description: Within Check Cycle, if the number of the abnormal TCP session connections of a source IP address exceeds Abnormal connection threshold, the source IP address is regarded as the attack source and is reported to the ATIC Management center.
  Value: -

Null connection check
  Parameters: Minimum packets per connection, Check Cycle
  Description: Within Check Cycle, if the number of the packets of a TCP connection is lower than Minimum packets per connection, the connection is regarded as an abnormal one.
  Value: -

Retransmission session check
  Parameter: Retransmission Packet Number Threshold
  Description: If the number of the retransmission packets of a connection exceeds Retransmission Packet Number Threshold, the connection is regarded as an abnormal one.
  Value: -

Sockstress
  Parameter: TCP Window Size Threshold
  Description: If the number of the retransmission packets of a connection exceeds TCP Window Size Threshold, the connection is regarded as an abnormal one.
  Value: -
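As an added example that is not part of the guide, the Table 3-13 checks replayed in Python over constructed TCP connection records: the destination-side thresholds start the defense, and only then are the per-source checks evaluated. The record fields, the addresses and the threshold values are assumptions, and a connection failing the null-connection or retransmission check is taken to be what the Abnormal Session Check counts.

```python
# Added example (not from the ATIC guide): the Table 3-13 connection flood
# checks replayed over constructed TCP connection records. Parameter names
# follow the table; the connection-record format is an assumption.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Conn:
    src: str
    dst: str
    start: float            # seconds at which the connection was opened
    end: Optional[float]    # None = still open (counts as concurrent)
    packets: int            # packets seen on the connection so far
    retransmissions: int    # retransmitted packets seen on the connection


@dataclass
class FloodParams:
    dst_concurrent_threshold: int   # Concurrent connection check by destination IP address
    dst_new_rate_threshold: int     # New connection rate check by destination IP address
    check_cycle: float              # Check Cycle (seconds) for the per-source checks
    src_new_threshold: int          # New connection rate check by source IP address
    src_concurrent_threshold: int   # Connection Number Check for Source IP Address
    min_packets: int                # Null connection check: Minimum packets per connection
    retrans_threshold: int          # Retransmission session check threshold
    abnormal_threshold: int         # Abnormal Session Check: Abnormal connection threshold


def concurrent_by(conns: Iterable[Conn], attr: str, at: float) -> Dict[str, int]:
    """Connections open at instant `at`, grouped by src or dst address."""
    counts: Dict[str, int] = defaultdict(int)
    for c in conns:
        if c.start <= at and (c.end is None or c.end > at):
            counts[getattr(c, attr)] += 1
    return counts


def new_in_window(conns: Iterable[Conn], attr: str, lo: float, hi: float) -> Dict[str, int]:
    """Connections opened in [lo, hi], grouped by src or dst address."""
    counts: Dict[str, int] = defaultdict(int)
    for c in conns:
        if lo <= c.start <= hi:
            counts[getattr(c, attr)] += 1
    return counts


def destination_defense_started(conns: List[Conn], dst: str, at: float, p: FloodParams) -> bool:
    """First two rows of Table 3-13: either destination-side threshold starts the defense."""
    concurrent = concurrent_by(conns, "dst", at).get(dst, 0)
    new_per_second = new_in_window(conns, "dst", at - 1.0, at).get(dst, 0)
    return concurrent > p.dst_concurrent_threshold or new_per_second > p.dst_new_rate_threshold


def attack_sources(conns: List[Conn], dst: str, at: float, p: FloodParams) -> Set[str]:
    """Per-source rows of Table 3-13, evaluated only once destination defense has started.

    Assumption: a connection failing the null-connection or retransmission
    check is what the Abnormal Session Check counts as an abnormal session.
    """
    if not destination_defense_started(conns, dst, at, p):
        return set()
    to_dst = [c for c in conns if c.dst == dst]
    new_in_cycle = new_in_window(to_dst, "src", at - p.check_cycle, at)
    concurrent = concurrent_by(to_dst, "src", at)
    abnormal: Dict[str, int] = defaultdict(int)
    for c in to_dst:
        if at - p.check_cycle <= c.start <= at and (
            c.packets < p.min_packets or c.retransmissions > p.retrans_threshold
        ):
            abnormal[c.src] += 1
    flagged = set()
    for src in set(new_in_cycle) | set(concurrent) | set(abnormal):
        if (new_in_cycle.get(src, 0) > p.src_new_threshold
                or concurrent.get(src, 0) > p.src_concurrent_threshold
                or abnormal.get(src, 0) > p.abnormal_threshold):
            flagged.add(src)   # would be reported to the ATIC Management center
    return flagged


# Constructed sample: one well-behaved client and one source opening many
# single-packet (null) connections to the same protected address.
PROTECTED = "192.0.2.10"
SAMPLE_PARAMS = FloodParams(20, 25, 1.0, 10, 10, 3, 5, 10)


def sample_connections() -> List[Conn]:
    conns = [Conn("10.0.0.5", PROTECTED, 99.0 + i, None, 40, 0) for i in range(3)]
    conns += [Conn("203.0.113.9", PROTECTED, 100.0 + 0.03 * i, None, 1, 0) for i in range(30)]
    return conns


if __name__ == "__main__":
    print(attack_sources(sample_connections(), PROTECTED, 100.9, SAMPLE_PARAMS))
```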

3.2.6.2. UDP Defense Policy


The defense policies for UDP services cover block, traffic limiting, and defense.

• Block
  − Discards all UDP packets.
• Traffic Limiting
  Limits traffic to defend against attacks in which the UDP attack packets have no distinguishing features.
  − UDP Traffic Limiting: Limits traffic of all UDP packets destined for an IP address below Threshold.
  − UDP Fragment Rate Limiting Threshold: Limits traffic of all UDP fragments destined for an IP address below Threshold.
  The Threshold is specified based on actual network bandwidths.

• Defense
  For parameters, see Table 3-14.

Table 3-14 Configuring UDP attack defense

UDP Flood Fingerprint Attack Defense
  Parameter: Threshold
  Description: When the rate of UDP packets reaches the alert threshold, UDP fingerprint learning and payload check are enabled, and the UDP packets matching a specified fingerprint or payload are discarded.
  Recommended Value: The default value is 50 Mbit/s.

UDP Fragment Attack Defense
  Parameter: Threshold
  Description: When the rate of UDP fragments reaches the alert threshold, UDP fragment fingerprint learning and payload check are enabled, and the UDP fragments matching a specified fingerprint or payload are discarded.
  Recommended Value: The default value is 50 Mbit/s. You are advised to set Bandwidth Threshold based on baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

3.2.6.3. ICMP Defense Policy


The defense policies for ICMP services cover block and traffic limiting.

• Block
  − Discards all ICMP packets.
• Traffic Limiting
  Limits ICMP traffic destined for an IP address below Threshold.
  The Threshold is specified based on actual network bandwidths.

3.2.6.4 Other Defense Policy

The defense policies cover block and traffic limiting for services except the TCP, UDP, ICMP, DNS, SIP, HTTP, and HTTPS services.

• Block
  − Discards all packets of services except the TCP, UDP, ICMP, DNS, SIP, HTTP, and HTTPS services.
• Traffic Limiting
  − Limits the outbound traffic of the services except the TCP, UDP, ICMP, DNS, SIP, HTTP, and HTTPS services of a destination IP address below Threshold.
  The Threshold is specified based on actual network bandwidths.
• Defense
  After fingerprint learning is enabled, the packets that match the learned fingerprint, except those of TCP, UDP, ICMP, DNS, SIP, HTTP, and HTTPS, are discarded.

3.2.6.5 DNS Defense Policy


The defense policies for DNS services transmitted over UDP cover block, traffic limiting, and defense. This section describes the defense policies for DNS services.

The Anti-DDoS identifies well-known protocols by port number. Non-DNS services with port 53 may be identified as DNS services and therefore be discarded when matching specific policies. Therefore, do not use well-known ports for other services.

• Block
  − Discards all UDP DNS packets.
• Rate Limiting
  − Rate Limiting on Request Packets: With the DNS request flood defense enabled, perform traffic limiting on the source IP address to limit traffic of DNS request packets below Rate Limiting Threshold. When traffic of DNS request packets exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center. Then the cleaning device discards excess DNS request packets.
  − Rate Limiting on Reply Packets: With the DNS reply flood defense enabled, perform traffic limiting on the source IP address to limit traffic of DNS reply packets below Rate Limiting Threshold. When traffic of DNS reply packets exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center. Then the cleaning device discards excess DNS reply packets.

• Defense
  − Unique Configuration Item of the Cache Server
    For parameters, see Table 3-15.

Table 3-15 Unique configuration items of the cache server

DNS Request Flood Attack Defense
  Parameter: Defense Mode
  Description: Indicates that the cleaning device defends against DNS request flood attacks.
  Value:
    • TCP Authentication: Source authentication is used for defense. During source authentication, the cleaning device triggers the client to send DNS request packets over TCP. This consumes the TCP connection resources of the DNS cache server to a certain extent.
    • Passive: Validity authentication is performed on the client that does not support the sending of DNS requests in TCP packets.

DNS Request Flood Attack Defense
  Parameter: Threshold
  Description: If the rate of DNS request packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense.
  Value: You are advised to perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

  − Unique Configuration Items of the Authorization Server
    For parameters, see Table 3-16.

Table 3-16 Unique configuration items of the authorization server

DNS Request Flood Attack Defense
  Parameter: Defense Mode
  Description: Indicates that the cleaning device defends against DNS request flood attacks.
  Value:
    1. Passive: Validity authentication is performed on the client that does not support the sending of DNS requests in TCP packets.
    2. CNAME: Validity authentication is performed on the client that supports the sending of DNS requests in TCP packets.

DNS Request Flood Attack Defense
  Parameter: Threshold
  Description: If the rate of DNS request packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense.
  Value: You are advised to perform configurations through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

  − DNS Reply Flood Attack Defense
    If the rate of DNS reply packets exceeds Threshold, the cleaning device defends against forged source attacks.
  − Detection of the requests for NXDomain
    If the proportion of unknown domain name requests within one second exceeds the threshold, the detecting device reports an anomaly event to the ATIC Management center. At this time, you are advised to configure an anomaly packet capture task and extract fingerprints from the packet capture file. The specific unknown domain name can be extracted and added to the Rate Limiting on Request Packets of Specified Domain Name list so that traffic rate limiting can be performed on the request packets of the unknown domain name.
    If this function is enabled, you must run the anti-ddos server-flow-statistic enable command on the inbound interface to enable the upstream traffic analysis function.
  − Packet malformed
    After the validity check on packets is enabled, the cleaning device checks DNS packet formats and discards non-standard packets.
  − DNS request packet length limiting
    Enable the limiting on the DNS request packet length to limit the length of DNS request packets below Threshold. When the length of DNS request packets exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center. Then the cleaning device discards overlong DNS request packets.
  − DNS reply packet length limiting
    Enable the limiting on the DNS reply packet length to limit the length of DNS reply packets below Threshold. When the length of DNS reply packets exceeds the threshold, the detecting device reports anomaly events to the ATIC Management center. Then the cleaning device discards overlong DNS reply packets.

3.2.6.6 SIP Defense Policy


This section describes the defense policies for SIP services.

The Anti-DDoS identifies well-known protocols by port number. Non-SIP services with port 5060 may be identified as SIP services and therefore be discarded when matching specific policies. Therefore, do not use well-known ports for other services.

  − Source detection
    When defense is enabled and the rate of SIP packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense against SIP packets based on the destination IP address.
  − Rate Limiting of Source IP Address
    Anti-DDoS always enables source IP address-based rate limiting over SIP packets.

You are advised to configure Threshold (pps) based on baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

3.2.6.7 HTTP Defense Policy


The defense policies for HTTP services cover block, traffic limiting, and defense.

The Anti-DDoS identifies well-known protocols by port number. Non-HTTP services with port 80 may be identified as HTTP services and therefore be discarded when matching specific policies. Therefore, do not use well-known ports for other services.

• Block
  Discards all HTTP packets.
• Traffic Limiting
  Limits HTTP traffic destined for an IP address below Threshold. Excess packets are discarded.
  The Threshold is specified based on actual network bandwidths.
• Defense
  − HTTP attack defense
    • When Statistics Based on Source IP Address is enabled and the rate of HTTP packets destined for the Zone is greater than Threshold or Request Threshold, the system enables source IP address-based statistics and reports anomalies to the ATIC Management center. When the rate of HTTP packets from the IP address is larger than Threshold or Request Threshold, the source authentication of HTTP packets is enabled.
      The source-based defense mode can be 302 Redirect or Verify Code.
    • When Statistics Based on Source IP Address is disabled and the rate of HTTP packets destined for the Zone is larger than Threshold or Request Threshold, the system reports anomalies to the ATIC Management center.
      If the defense mode of the Zone is automatic, the system starts defense automatically. If the defense mode is manual, the administrator needs to confirm and start the defense manually. For details on how to configure the defense mode, see 3.2.1 Configuring a Defense Mode.
    You are advised to specify the Threshold or Request Threshold through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.
    Request Threshold indicates that the device collects statistics on all HTTP packets, including SYN, SYN-ACK, and ACK packets of TCP connections. Threshold indicates that the device collects statistics on the HTTP packets (such as GET and POST packets) except SYN, SYN-ACK, and ACK packets. As long as the traffic volume reaches one of the thresholds, the defense is triggered.

  − HTTP Source Authentication Defense
    For parameters, see Table 3-17.

Table 3-17 Parameters of configuring HTTP source authentication

Defense Mode
  Description: Indicates the defense mode in which the cleaning device defends against HTTP attack sources.
  Value:
    1. 302 Redirect: If the requested web page is not on the same server as the embedded resource and an anomaly occurs on the server where the embedded resource resides, enable 302 redirection on the server where the embedded resource resides to detect whether the source is a real browser. 302 redirect source authentication does not affect customer experience.
    2. Verify Code: This mode detects whether HTTP access is initiated by a real user and requires a verification code. When botnet attacks are launched, the attackers cannot enter the verification code and hence are effectively defended against. However, user experience is affected.
    If the client of the HTTP service is a set-top box, select the 302 Redirect defense mode because the set-top box cannot enter any verification codes.

Proxy Detection
  Description: Checks whether HTTP requests are sent through a proxy. If yes, the system obtains the real IP address from HTTP packets for defense. The defense against attacks with real IP addresses ensures that normal requests are properly processed and attack traffic is discarded.
  Value: You are advised to enable proxy detection if any HTTP proxy exists.

Verification Code Caption Settings
  Description: When you set Defense Mode to Verify Code, the Anti-DDoS automatically pushes a verification code page, on which you can set the verification code caption.
  Value: -

SYN Rate Limiting
  Parameter: Threshold
  Description: If the rate of HTTP packets whose source IP addresses succeed in source authentication exceeds Threshold, the device performs rate limiting. Limits the number of connections.
  Value: -

ACK Rate Limiting
  Parameter: Threshold
  Description: If the rate of HTTP packets whose source IP addresses succeed in source authentication exceeds Threshold, the device performs rate limiting. Limits the rate of HTTP get packets.
  Value: -

  − HTTP Fingerprint Learning
    Within the learning cycle, if the number of requests with the same fingerprint and from the same source IP address exceeds Matching Counts, the source IP address is regarded as an attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see 3.2.1 Configuring a Defense Mode.

  − HTTP low-rate connection attack defense
    If the number of HTTP concurrent connections per second exceeds the given value, the device checks the HTTP packets. If either of the following situations occurs, the protected network is under HTTP low-rate connection attacks. The device reports the source IP address of the attack packets to the ATIC Management center. If the dynamic blacklist of the Zone is not Disable, the system automatically adds the IP address of attack packets to the dynamic blacklist and terminates the connection between this IP address and the HTTP server.
    • The total length of consecutive HTTP post packets exceeds the given value, but the HTTP payload length is less than the given value.
    • The headers of consecutive HTTP get/post packets do not have any end flags.
    For parameters, see Table 3-18.

Table 3-18 Configuring HTTP low-rate connection attack defense

Number of concurrent connections
  Description: Check the number of HTTP concurrent connections per second. If the count exceeds the given value, the system checks each HTTP packet.

Total packet length, Packet number, Payload length
  Description: If either of the following situations occurs, the system is under HTTP low-rate connection attacks.
    • The total length of consecutive HTTP post packets exceeds the given value, but the HTTP payload length is less than the given value.
    • The headers of consecutive HTTP get/post packets do not have any end flags.
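An added illustration, not from the guide, of the two Table 3-18 situations evaluated in Python over constructed HTTP packets of several connections, gated by the concurrent-connection count as the table describes. The packet record layout, the use of an empty line as the header end flag, the treatment of a packet without a request line as a header continuation, and the parameter values are assumptions.

```python
# Added example (not from the ATIC guide): the two Table 3-18 situations
# checked over constructed HTTP packets of several connections. The packet
# record format and the "\r\n\r\n" header end flag are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HEADER_END = b"\r\n\r\n"
ConnKey = Tuple[str, int]   # (source IP address, source port)


@dataclass
class LowRateParams:
    concurrent_connections: int   # Number of concurrent connections (per second)
    total_packet_length: int      # Total packet length
    packet_number: int            # Packet number (consecutive packets examined)
    payload_length: int           # Payload length


def parse_fragment(raw: bytes, prev_method: bytes) -> Tuple[bytes, bool, int]:
    """Return (method, header_complete, payload_bytes) for one packet.

    A packet that does not start a request line continues the previous
    request's header (assumption for slow-header traffic).
    """
    first = raw.split(b" ", 1)[0]
    method = first if first in (b"GET", b"POST") else prev_method
    if HEADER_END in raw:
        _, body = raw.split(HEADER_END, 1)
        return method, True, len(body)
    return method, False, 0


def connection_is_low_rate_attack(packets: List[bytes], p: LowRateParams) -> bool:
    """Examine the last `packet_number` consecutive packets of one connection."""
    window = packets[-p.packet_number:]
    if len(window) < p.packet_number:
        return False
    parsed, method = [], b""
    for raw in window:
        method, complete, payload = parse_fragment(raw, method)
        parsed.append((method, complete, payload))
    methods = {m for m, _, _ in parsed}
    # Situation 1: consecutive POSTs whose total length is large but whose
    # payload stays tiny (slow POST).
    if methods == {b"POST"}:
        total = sum(len(raw) for raw in window)
        payload = sum(pl for _, _, pl in parsed)
        if total > p.total_packet_length and payload < p.payload_length:
            return True
    # Situation 2: consecutive GET/POST packets whose headers never end.
    if methods and methods <= {b"GET", b"POST"} and not any(c for _, c, _ in parsed):
        return True
    return False


def detect_low_rate_sources(conns: Dict[ConnKey, List[bytes]], p: LowRateParams) -> Set[str]:
    """Gate on the concurrent-connection count, then check every connection."""
    if len(conns) <= p.concurrent_connections:
        return set()            # below the given value: packets are not inspected
    return {src for (src, _), pkts in conns.items() if connection_is_low_rate_attack(pkts, p)}


SAMPLE_PARAMS = LowRateParams(concurrent_connections=2, total_packet_length=150,
                              packet_number=3, payload_length=32)


def sample_connections() -> Dict[ConnKey, List[bytes]]:
    """Constructed traffic: one normal client, one slow-POST and one slow-header source."""
    normal_get = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    normal_post = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 300\r\n\r\n"
                   + b"x" * 300)
    # 69 header bytes announcing a 100000-byte body, then a single payload byte
    slow_post = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100000\r\n\r\na"
    return {
        ("10.0.0.5", 40001): [normal_get, normal_post, normal_get],
        ("203.0.113.9", 5001): [slow_post] * 4,
        ("198.51.100.7", 5002): [b"GET / HTTP/1.1\r\nHost: example.test\r\n",
                                 b"X-a: 1\r\n", b"X-b: 2\r\n"],
    }


if __name__ == "__main__":
    print(detect_low_rate_sources(sample_connections(), SAMPLE_PARAMS))
```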

  − Destination IP-based URI Behavior Monitoring
    For parameters, see Table 3-19.

Table 3-19 Parameters of configuring destination IP-based URI behavior monitoring

Destination IP-based URI Behavior Monitoring
  Parameter: Detection Threshold
  Description: Within the Interval, if the ratio of the Closely monitored URI access counts (to a destination IP address) to the total access counts exceeds Detection Threshold, the URI behavior monitoring is enabled on source IP addresses.
  Value: You are advised to configure Detection Threshold based on baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.

Source IP-based URI Behavior Monitoring
  Parameter: Defense Threshold
  Description: Within the Interval, if the ratio of the Closely monitored URI access counts of a source IP address to the total access counts exceeds Defense Threshold, the source IP address is regarded as an attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see 3.2.1 Configuring a Defense Mode.
  Value: –

Closely monitored URI
  Description: Closely monitor URIs when URI behavior monitoring is used for defending against HTTP flood attacks.
  Value: –

3.2.6.8 HTTPS Defense Policy


The defense policies for HTTPS services cover block, traffic limiting, and defense.

The Anti-DDoS identifies well-known protocols by port number. Non-HTTPS services with port 443 may be identified as HTTPS services and therefore be discarded when matching specific policies. Therefore, do not use well-known ports for other services.

• Block
  Discards all HTTPS packets.
• Traffic Limiting
  Limits HTTPS traffic destined for an IP address below Threshold.
  The Threshold is specified based on actual network bandwidths.
• Defense
  − HTTPS Source Authentication Defense
    • When Statistics Based on Source IP Address is enabled and the rate of HTTPS packets destined for the Zone is greater than Threshold, the system enables source IP address-based statistics and reports anomalies to the ATIC Management center. When the rate of HTTPS packets from the IP address is larger than Threshold, the source authentication of HTTPS packets is enabled.
      The source-based defense mode is Enhanced.
    • When Statistics Based on Source IP Address is disabled and the rate of HTTPS packets destined for the Zone is larger than Threshold, the system reports anomalies to the ATIC Management center.
      If the defense mode of the Zone is automatic, the system starts defense automatically. If the defense mode is manual, the administrator needs to confirm and start the defense manually. For details on how to configure the defense mode, see 3.2.1 Configuring a Defense Mode.
    You are advised to specify the Threshold through baseline learning. For details, see 3.2.5.2 Configuring a Baseline Learning Task.
    After defense against anomaly events is enabled, the cleaning device uses the source authentication mode for defense.
    • The source IP address that fails authentication is regarded as the attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see 3.2.1 Configuring a Defense Mode.
    • The session is closed after successful authentication. The page needs to be manually refreshed, which affects user experience.
  − SSL Defense
    After HTTPS source authentication defense is enabled, if the rate of the HTTPS packets destined for the specified IP address exceeds Threshold, the system performs SSL checks on the source IP address of the packets. Within the interval specified in Renegotiation Interval, if the number of SSL negotiations between a source IP address and a destination IP address exceeds Maximum Renegotiation Times, the session in between is marked as abnormal. Within the interval specified in Abnormal Session Check Interval, if the number of abnormal sessions exceeds the value specified in Maximum Number of Abnormal Sessions, the source IP address is regarded as abnormal and therefore blacklisted.
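An added example, not from the guide, of the two-stage SSL Defense counting above applied in Python to a constructed list of TLS negotiations: sessions exceeding Maximum Renegotiation Times within Renegotiation Interval are marked abnormal, and a source with more than Maximum Number of Abnormal Sessions inside Abnormal Session Check Interval is blacklisted. It assumes the HTTPS rate threshold has already placed the sources under SSL check; the event format, the parameter values and the decision to count every negotiation of a session are assumptions.

```python
# Added example (not from the ATIC guide): the SSL Defense counters applied
# to a constructed list of TLS negotiations. It starts at the point where the
# HTTPS rate threshold has already put the source under SSL check; the event
# record format (time, src, dst, session id) is an assumption.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Negotiation = Tuple[float, str, str, str]   # (seconds, source IP, destination IP, session id)
SessionKey = Tuple[str, str, str]


@dataclass
class SslParams:
    renegotiation_interval: float           # Renegotiation Interval (seconds)
    max_renegotiation_times: int            # Maximum Renegotiation Times
    abnormal_session_check_interval: float  # Abnormal Session Check Interval (seconds)
    max_abnormal_sessions: int              # Maximum Number of Abnormal Sessions


def first_excess(times: List[float], interval: float, limit: int) -> Optional[float]:
    """Earliest time at which more than `limit` events fall inside a trailing window."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > interval:
            start += 1
        if end - start + 1 > limit:
            return t
    return None


def abnormal_sessions(events: List[Negotiation], p: SslParams) -> Dict[SessionKey, float]:
    """Sessions marked abnormal, with the time the mark was set.

    Assumption: every negotiation of a session (the first handshake included)
    counts towards Maximum Renegotiation Times.
    """
    per_session: Dict[SessionKey, List[float]] = defaultdict(list)
    for t, src, dst, sid in events:
        per_session[(src, dst, sid)].append(t)
    marked: Dict[SessionKey, float] = {}
    for key, times in per_session.items():
        t = first_excess(times, p.renegotiation_interval, p.max_renegotiation_times)
        if t is not None:
            marked[key] = t
    return marked


def blacklisted_sources(events: List[Negotiation], p: SslParams) -> Set[str]:
    """Sources with too many abnormal sessions inside Abnormal Session Check Interval."""
    per_source: Dict[str, List[float]] = defaultdict(list)
    for (src, _, _), t in abnormal_sessions(events, p).items():
        per_source[src].append(t)
    return {src for src, times in per_source.items()
            if first_excess(times, p.abnormal_session_check_interval,
                            p.max_abnormal_sessions) is not None}


SAMPLE_PARAMS = SslParams(renegotiation_interval=2.0, max_renegotiation_times=5,
                          abnormal_session_check_interval=10.0, max_abnormal_sessions=4)
PROTECTED = "192.0.2.10"


def sample_negotiations() -> List[Negotiation]:
    """Constructed: a normal client, a renegotiation-heavy source, and a borderline one."""
    events: List[Negotiation] = []
    for i in range(3):                       # one handshake per session
        events.append((float(i), "10.0.0.5", PROTECTED, f"n{i}"))
    for i in range(6):                       # 12 handshakes per session, 0.1 s apart
        events += [(i + 0.1 * k, "203.0.113.9", PROTECTED, f"a{i}") for k in range(12)]
    for i in range(2):                       # only two abnormal sessions: below the limit
        events += [(i + 0.1 * k, "198.51.100.7", PROTECTED, f"b{i}") for k in range(12)]
    return events


if __name__ == "__main__":
    print(blacklisted_sources(sample_negotiations(), SAMPLE_PARAMS))
```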

3.2.6.9. Top N Study
After the top N study function is configured, you can view learning results, which act
as policy parameters for tracing attack sources and confirming cleaning effects.

Top N study adversely affects device performance. Therefore, enable only the top N study items you need from those listed in Table 3-20.

Top N study results are displayed in reports. For details, see 7 Report.

Table 3-20 Top N study

HTTP learning: HTTP Host
  Description: Indicates top N host fields in the HTTP traffic destined for the Zone. Top N host fields are learned from incoming HTTP traffic.
  Usage:
    1. When the Zone is under attack, the learning result can be used for configuring HTTP host filtering. For details, see 3.2.2 Configuring a Filter.
    2. The administrator can learn about the network status based on the learning result.

HTTP learning: HTTP URI
  Description: Indicates top N URI fields in the HTTP traffic destined for the Zone. Top N URI fields are learned from incoming HTTP traffic.
  Usage:
    1. When the Zone is under attack, the learning result can be used for configuring URI monitoring. For details, see 3.2.6.7 HTTP Defense Policy.
    2. The administrator can learn about the network status based on the learning result.

HTTP learning: Top N HTTP Source IP Addresses (pps/qps)
  Description: Indicates top N source IP addresses in the HTTP traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
  Usage:
    1. When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
    2. The learning result in most cases is used to compare with top N source IP addresses in legitimate HTTP traffic after cleaning.

HTTPS learning: Top N HTTPS Source IP Addresses (pps)
  Description: Indicates top N source IP addresses in the HTTPS traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
  Usage:
    1. When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
    2. The learning result in most cases is used to compare with top N source IP addresses in legitimate HTTPS traffic after cleaning.

DNS learning: Top N Requested Domain Names
  Description: Indicates top N requested domain names in the traffic destined for the Zone. Top N requested domain names are learned from incoming traffic and legitimate traffic after cleaning. After Dynamic cache is configured, the cleaning device adds top N domain names and IP addresses to the dynamic cache. After that, the cleaning device replies to requests for these DNS domain names to reduce the load over the DNS server.
  Usage:
    1. When the Zone is under attack, you can configure rate limiting over the packets of the specified domain name and static cache based on the learning result, reducing the load over the DNS server. For details, see 3.2.6.5 DNS Defense Policy.
    2. When the Zone is under attack, you can confirm the cleaning effect by comparing requested domain names in incoming traffic with those in legitimate traffic after cleaning.
    3. The administrator can learn about the network status based on the learning result.

DNS learning: Top N DNS Request Source IP Addresses (pps)
  Description: Indicates top N source IP addresses in the DNS request traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
  Usage:
    1. When the Zone is under attack, you can configure rate limiting over the request packets of the specified source IP address. For details, see 3.2.6.5 DNS Defense Policy.
    2. When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
    3. The administrator can learn about the network status based on the learning result.

DNS learning: Top N DNS Response Source IP Addresses (pps)
  Description: Indicates top N source IP addresses in the DNS reply traffic destined for the Zone. Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.
  Usage:
    1. When the Zone is under attack, you can configure rate limiting over the reply packets of the specified source IP address. For details, see 3.2.6.5 DNS Defense Policy.
    2. When the Zone is under attack, you can confirm the cleaning effect by comparing top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
    3. The administrator can learn about the network status based on the learning result.

TCP learning: Top N TCP Source IP Addresses (New Connection)
  Description: Indicates top N source IP addresses with the most new connections in the TCP traffic destined for the Zone. Top N source IP addresses are learned from incoming TCP traffic.
  Usage: The administrator can configure the threshold for Connection Number Check for Source IP Address based on the learning result. For details, see 3.2.6.1 TCP Defense Policy.

3.2.6.10. Global Defense Policy for Non-Zone


The defense policy protects IP addresses except those of the user-defined and default Zones.

• Rate Limiting Threshold for Non-Zone IP Address
  Limits traffic of service packets destined for an IP address below the corresponding thresholds. Excess packets are directly discarded.
  Total indicates that traffic of a single IP address is limited below the threshold.
• Non-Zone IP Address Reporting Threshold
  If the packet rate of a protocol exceeds the threshold, the device reports anomaly events to the ATIC Management center and starts defense.

3.2.6.11 First-Packet Discarding
The anti-DDoS device provides first-packet checks for SYN, TCP, UDP, ICMP, and DNS packets.

Some attack packets frequently change source IP addresses or ports. You can enable first-packet discarding to block such traffic. You can also enable first-packet discarding to work with source authentication to defend against flood attacks from forged sources.

The following table lists the parameters of first-packet discarding.

SYN, TCP, DNS
  Supports the configuration of the upper and lower limits of the interval for discarding the first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered as the first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted.

UDP, ICMP
  Supports the configuration of only the lower limit of the interval for discarding the first packets. If the actual interval is lower than the lower limit, the packet is considered as the first packet and is discarded.

Configure first-packet discarding only for the protocols supporting packet retransmission. Otherwise, normal services will be affected.
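An added example, not from the guide, of the first-packet discarding rule for both protocol groups replayed in Python over constructed packet arrivals: the first packet of a flow is discarded, a retransmission whose interval lies inside the configured limits is permitted, and a too-early or too-late repeat is treated as a first packet again. The flow key, the millisecond timing, the interval limits and the decision to trust a flow once it has passed are assumptions.

```python
# Added example (not from the ATIC guide): the first-packet discarding rule
# for both protocol groups, replayed over constructed packet arrivals. Flow
# keys, millisecond timing and the interval limits are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, ...]   # e.g. (src IP, dst IP, src port, dst port) as strings


@dataclass
class IntervalLimits:
    lower_ms: float
    upper_ms: Optional[float] = None   # UDP/ICMP support only the lower limit


class FirstPacketFilter:
    """Discard the first packet of a flow; permit a retransmission whose interval is valid."""

    def __init__(self, limits: Dict[str, IntervalLimits]) -> None:
        self.limits = limits
        self.pending: Dict[Tuple[str, FlowKey], float] = {}   # last packet treated as "first"
        self.verified: Set[Tuple[str, FlowKey]] = set()       # flows that passed the check

    def check(self, proto: str, flow: FlowKey, t_ms: float) -> bool:
        """Return True if the packet is permitted, False if it is discarded."""
        lim = self.limits.get(proto)
        key = (proto, flow)
        if lim is None or key in self.verified:
            return True     # protocol not enabled, or flow already verified (assumption)
        prev = self.pending.get(key)
        if prev is None:
            self.pending[key] = t_ms
            return False    # first packet of the flow: discarded
        interval = t_ms - prev
        too_soon = interval < lim.lower_ms
        too_late = lim.upper_ms is not None and interval > lim.upper_ms
        if too_soon or too_late:
            self.pending[key] = t_ms    # treated as a first packet again
            return False
        del self.pending[key]
        self.verified.add(key)          # follow-up packet with a valid interval
        return True


SAMPLE_LIMITS = {
    "SYN": IntervalLimits(lower_ms=500, upper_ms=5000),
    "DNS": IntervalLimits(lower_ms=500, upper_ms=5000),
    "UDP": IntervalLimits(lower_ms=200),
}

Packet = Tuple[str, FlowKey, float]
SAMPLE_PACKETS: List[Packet] = [
    # a real client retransmits its SYN after about one retransmission timeout
    ("SYN", ("10.0.0.5", "192.0.2.10", "40001", "443"), 0.0),
    ("SYN", ("10.0.0.5", "192.0.2.10", "40001", "443"), 1000.0),
    ("SYN", ("10.0.0.5", "192.0.2.10", "40001", "443"), 1005.0),
    # sources that send only once are never seen again, so nothing gets through
    ("SYN", ("203.0.113.1", "192.0.2.10", "5001", "443"), 10.0),
    ("SYN", ("203.0.113.2", "192.0.2.10", "5002", "443"), 11.0),
    # rapid repeats fall below the lower limit every time
    ("SYN", ("198.51.100.7", "192.0.2.10", "6000", "443"), 0.0),
    ("SYN", ("198.51.100.7", "192.0.2.10", "6000", "443"), 50.0),
    ("SYN", ("198.51.100.7", "192.0.2.10", "6000", "443"), 100.0),
    # a DNS retry far beyond the upper limit counts as a first packet again
    ("DNS", ("10.0.0.6", "192.0.2.53", "5353", "53"), 0.0),
    ("DNS", ("10.0.0.6", "192.0.2.53", "5353", "53"), 9000.0),
    # UDP: only the lower limit applies
    ("UDP", ("10.0.0.7", "192.0.2.20", "6000", "5000"), 0.0),
    ("UDP", ("10.0.0.7", "192.0.2.20", "6000", "5000"), 100.0),
    ("UDP", ("10.0.0.7", "192.0.2.20", "6000", "5000"), 400.0),
]


def replay(packets: List[Packet], limits: Dict[str, IntervalLimits]) -> List[bool]:
    """Run the packets through a fresh filter and return one permit/discard decision each."""
    f = FirstPacketFilter(limits)
    return [f.check(proto, flow, t) for proto, flow, t in packets]


if __name__ == "__main__":
    for (proto, flow, t), permitted in zip(SAMPLE_PACKETS, replay(SAMPLE_PACKETS, SAMPLE_LIMITS)):
        print(proto, flow[0], t, "permit" if permitted else "discard")
```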

3.2.7. Configuring Global Defense Policies (ATIC)

This section describes how to configure global defense policies on the ATIC.

3.2.7.1. Configuring Basic Attack Defense


Basic attacks are traditional single-packet Denial of Service (DoS) attacks. The basic attack
defense mainly defends against scanning and sniffing attacks, malformed packet attacks, and
special packet attacks. By default, basic attack defense is disabled. You can determine whether
to enable attack defense functions according to actual services on the network.

Context
This configuration is available only on anti-DDoS devices.

Procedure
                               Step 1:  Choose Defense > Policy Settings > Global Policy.

                               Step 2: Click   in the Operation column.

                               Step 3: In the Basic Attack Defense group box, select the check box of each attack type
to enable its defense function. For parameters, see Table 3-21.

If Large ICMP Packet or Large UDP Packet is selected, a packet length must also be
specified. The Anti-DDoS discards ICMP or UDP packets whose length exceeds that
value.

Table 3-21 Configuring basic attack defense

Fraggle: After Fraggle attack defense is enabled, the Anti-DDoS inspects received UDP
packets. If the destination port number is 7 (echo) or 19 (chargen), the Anti-DDoS discards
the packet and logs the attack.

ICMP Redirection Packet: After ICMP redirection packet attack defense is enabled, the
Anti-DDoS discards ICMP redirect packets and logs the attack.

ICMP Unreachable Packet: After ICMP unreachable packet attack defense is enabled, the
Anti-DDoS discards ICMP unreachable packets and logs the attack.

WinNuke: After WinNuke attack defense is enabled, the Anti-DDoS discards TCP packets whose
destination port is 139, whose URG flag is set to 1, and whose urgent pointer is not null,
and logs the attack. In addition, when ICMP fragments are received, the device treats them
as a WinNuke attack, discards the fragments, and logs the attack.

Land: After Land attack (loopback attack) defense is enabled, the Anti-DDoS checks whether
the source and destination addresses of a TCP packet are the same, or whether the source
address is a loopback address. If either condition holds, the Anti-DDoS discards the packet
and logs the attack.

Ping of Death: After Ping of Death attack defense is enabled, the Anti-DDoS checks whether
the reassembled packet size is larger than 65,535 bytes. If it is, the Anti-DDoS discards
the packet and logs the attack.

IP Packet with Route Record Option: After this defense is enabled, the Anti-DDoS checks
whether the IP record route option is present in a received packet. If it is, the device
discards the packet and logs the attack.

Smurf: After Smurf attack defense is enabled, the Anti-DDoS checks whether the destination
IP address of an ICMP echo request packet is the broadcast address of a class A, B, or C
network. If it is, the device discards the packet and logs the attack.

IP Packet with Source Route Option: After this defense is enabled, the Anti-DDoS checks
whether an IP source route option is present in a received packet. If it is, the device
discards the packet and logs the attack.
NOTE
In IP routing, the transmission path of a packet is normally determined hop by hop by the
routers on the network according to the packet's destination address. The source route
option lets the sender specify the route to the destination instead, overriding the
choices of intermediate routers. It is generally used for fault diagnosis of network paths
and for temporary transmission of special services. Because it bypasses the normal
forwarding decisions of the devices along the path, regardless of the state of their
forwarding interfaces, attackers can use it to probe the network structure or to reach
hosts that ordinary routing would not deliver to.

TCP Flag Bit: After TCP flag bit attack defense is enabled, the Anti-DDoS checks the flag
bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. In any of the following cases,
the device discards the packet and logs the attack:
- All flag bits are set to 1.
- All flag bits are set to 0.
- Both the SYN bit and the FIN bit are set to 1.
- Both the SYN bit and the RST bit are set to 1.
- The FIN bit is set to 1 and the ACK bit to 0.

TearDrop: After TearDrop attack defense is enabled, the Anti-DDoS analyzes received
fragments and checks whether the fragment offsets are consistent. If an offset is incorrect
(for example, fragments overlap), the device discards the packet and logs the attack.

Large ICMP Packet: After large ICMP packet attack defense is enabled, the Anti-DDoS discards
ICMP packets whose length exceeds the configured threshold and logs the attack.

IP Packet with Timestamp Option: After this defense is enabled, the Anti-DDoS checks whether
the IP timestamp option is present in a received packet. If it is, the device discards the
packet and logs the attack.

Tracert: After Tracert packet attack defense is enabled, the Anti-DDoS discards ICMP or UDP
packets that time out (TTL expired) and ICMP destination port unreachable packets, and logs
the attack.

Large UDP Packet: After large UDP packet attack defense is enabled, the Anti-DDoS discards
UDP packets whose length exceeds the configured threshold and logs the attack.

                               Step 4: Click Confirm.

                               Step 5: Click   to deliver configurations to the device.

                               Step 6: The Deploy dialog box displays the deployment progress. After the deployment
is complete, the dialog box is closed automatically.

- If the deployment succeeds, Deployment of the device is displayed as Deploy Succeed.
- If the deployment fails, Deployment of the device is displayed as Deploy Failed. Move the
pointer to Deploy Failed to view details on why the basic attack defense could not be
deployed on the device.

----End
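The checks in Table 3-21 are all stateless, single-packet decisions, so they can be written down exactly. The following is an added example (not Huawei's implementation) that applies every check in the table, in table order, to a small packet model; the Packet fields, the default Large ICMP/UDP thresholds and the sample packets are assumptions constructed for the example. Running it over the constructed samples shows which defense would fire on each packet and that an ordinary SYN to port 443 triggers none of them.

```python
"""Single-packet checks for the basic attack defense types in Table 3-21.

Added example, not Huawei's implementation: the Packet model, the default
Large ICMP/UDP thresholds and the field names are assumptions. classify()
returns the names of every defense that would discard the packet, in the
order of the table, so a clean packet yields an empty list.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TCP_FLAGS = frozenset({"URG", "ACK", "PSH", "RST", "SYN", "FIN"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp", "udp" or "icmp"
    length: int = 64                             # total IP length after reassembly, bytes
    dport: int = 0
    flags: FrozenSet[str] = frozenset()          # TCP flag names that are set
    urg_ptr: int = 0                             # TCP urgent pointer
    icmp_type: Optional[int] = None              # 8 echo request, 5 redirect, 3 unreachable, 11 time exceeded
    icmp_code: Optional[int] = None
    ip_options: FrozenSet[str] = frozenset()     # "rr" record route, "lsrr"/"ssrr" source route, "ts" timestamp
    fragment: bool = False                       # packet arrived fragmented
    bad_offset: bool = False                     # reassembly found inconsistent/overlapping offsets
    ttl_expired: bool = False                    # packet's TTL reached zero on this hop


def is_classful_broadcast(ip: str) -> bool:
    """True if ip is the directed broadcast of its class A, B or C network."""
    addr = int(ipaddress.IPv4Address(ip))
    first = addr >> 24
    if first < 128:
        host_bits = 24      # class A
    elif first < 192:
        host_bits = 16      # class B
    elif first < 224:
        host_bits = 8       # class C
    else:
        return False        # class D/E: no classful broadcast
    mask = (1 << host_bits) - 1
    return addr & mask == mask


def classify(pkt: Packet, large_icmp: int = 1024, large_udp: int = 1500) -> List[str]:
    hits: List[str] = []
    tcp, udp, icmp = pkt.proto == "tcp", pkt.proto == "udp", pkt.proto == "icmp"
    f = pkt.flags

    if udp and pkt.dport in (7, 19):
        hits.append("Fraggle")
    if icmp and pkt.icmp_type == 5:
        hits.append("ICMP Redirection Packet")
    if icmp and pkt.icmp_type == 3:
        hits.append("ICMP Unreachable Packet")
    if (tcp and pkt.dport == 139 and "URG" in f and pkt.urg_ptr != 0) or (icmp and pkt.fragment):
        hits.append("WinNuke")
    if tcp and (pkt.src == pkt.dst or ipaddress.IPv4Address(pkt.src).is_loopback):
        hits.append("Land")
    if pkt.length > 65535:
        hits.append("Ping of Death")
    if "rr" in pkt.ip_options:
        hits.append("IP Packet with Route Record Option")
    if icmp and pkt.icmp_type == 8 and is_classful_broadcast(pkt.dst):
        hits.append("Smurf")
    if pkt.ip_options & {"lsrr", "ssrr"}:
        hits.append("IP Packet with Source Route Option")
    if tcp and (f == TCP_FLAGS or not f or {"SYN", "FIN"} <= f
                or {"SYN", "RST"} <= f or ("FIN" in f and "ACK" not in f)):
        hits.append("TCP Flag Bit")
    if pkt.fragment and pkt.bad_offset:
        hits.append("TearDrop")
    if icmp and pkt.length > large_icmp:
        hits.append("Large ICMP Packet")
    if "ts" in pkt.ip_options:
        hits.append("IP Packet with Timestamp Option")
    if ((icmp or udp) and pkt.ttl_expired) or (icmp and pkt.icmp_type == 11) \
            or (icmp and pkt.icmp_type == 3 and pkt.icmp_code == 3):
        hits.append("Tracert")
    if udp and pkt.length > large_udp:
        hits.append("Large UDP Packet")
    return hits


if __name__ == "__main__":
    # Constructed sample packets; the comments give the expected verdicts.
    samples = [
        Packet("198.51.100.1", "192.0.2.10", "tcp", dport=443, flags=frozenset({"SYN"})),   # clean
        Packet("198.51.100.1", "192.0.2.10", "udp", dport=19),                               # Fraggle
        Packet("192.0.2.10", "192.0.2.10", "tcp", flags=frozenset({"SYN"})),                 # Land
        Packet("198.51.100.1", "10.255.255.255", "icmp", icmp_type=8),                       # Smurf
        Packet("198.51.100.1", "192.0.2.10", "tcp", flags=frozenset({"SYN", "FIN"})),        # TCP Flag Bit
    ]
    for p in samples:
        print(p.proto, p.dst, classify(p) or "clean")
```

Note that several checks overlap: an ICMP port-unreachable packet is caught by both ICMP Unreachable Packet and Tracert, and an oversized echo request by both Ping of Death and Large ICMP Packet. This is why the guide recommends enabling only the defenses that match the services behind the device; the classifier returns every matching name so that the overlap is visible rather than hidden by a first-match return.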

Follow-up Procedure
Choose Defense > Policy Settings > Global Policy, select the check box of the device, and
click the save icon to save the configuration to the configuration file of the device.
Otherwise, the deployed policy exists only in the running configuration and is lost when the
device restarts.

3.2.7.2. Blacklist and Whitelist

This section describes how to configure the blacklist and whitelist functions in the ATIC
management center.

Procedure

                               Step 1: Choose Defense > Policy Settings > Global Policy.

                               Step 2: Click   in the Operation column.

                               Step 3: On the Blacklist or Whitelist tab, click the add icon and enter an IP address to
configure a global blacklist or whitelist entry.

                               Step 4: Click Confirm. The configured blacklist or whitelist entry is displayed in the
group box.

                               Step 5: Click Close.

                               Step 6: Click the deploy icon to deploy the configuration to the Anti-DDoS.

----End

3.2.8. Creating User-defined IP Locations

If the IP location division granularities in the IP location database file cannot meet requirements, you can
create user-defined IP locations.

Procedure
                               Step 1: Choose Defense > Public Settings > IP Location User-Defined.
                               Step 2:  Click .

                               Step 3: Configure user-defined IP locations. Table 3-22 describes the configuration
parameters.

Table 3-22 Configuring user-defined IP locations

Name: Name of the user-defined IP location. It cannot be the same as the name of any
location in the IP location database file.

Description: Description of the user-defined IP location, which helps the administrator
identify the location.

IP Address: IP addresses that belong to the user-defined IP location.
 
                               Step 4: Click OK.
----End

3.2.9. Library Files

This section describes how to load and update the botnet, Trojan horse, and worm library file, malicious
URL library file, IP reputation library file, and IP location library file.

Configuring the FTP Server

Before managing library files, configure the file transfer protocol used between the ATIC
management center and the device.

1. Choose Defense > Network Settings > Devices.

2. Click the modify icon in the Operation column on the right of a device to open the
Modify Management Protocol window.

3. Click the FTP tab and complete the SFTP configuration.

The SFTP user name and password must be preconfigured on the device and must be the same
as those configured on the ATIC management center.

SFTP is more secure than FTP because the credentials and the file contents are carried over
an encrypted SSH channel rather than in clear text. To secure data transmission, use SFTP
rather than FTP to transfer library files.

Management Operations
Choose Defense > Public Settings > Library File. The following operations are available.

Deploy: Click the deploy icon to deploy the selected library file to the device.

Import:
1. Click the import icon.
2. In the Import window, click Browse..., select the library file, and click OK.
The file name must match the pattern for its type: the botnet, Trojan horse, and worm
library file is named IPS_H*.zip; the IP location library file is named location_sdb*.zip;
the IP reputation library file is named IPRPU_H*.zip; and the malicious URL library file is
named CNC_H*.zip. Imported library files are displayed in the library file list.

Export:
1. Select a library file and click the export icon.
2. In the displayed File Download window, click Save to save the file locally or click Open
to view it.

Delete:
1. Delete one library file: click the delete icon in the Operation column on the right of
the library file.
2. Delete library files in batches: select the check boxes of multiple library files and
click the delete icon above the list. Select the check box on the title bar and click the
delete icon above the list to delete all listed library files.
NOTE
Only library files in the Undeployed state can be deleted directly. A library file that has
been successfully or partially deployed cannot be deleted. To delete a deployed library
file, load another library file of the same type: the newly loaded library file overwrites
the deployed one and is in the Undeployed state, so it can then be deleted.

Synchronize: Click the synchronize icon to download the latest library file from the secure
cloud center to the ATIC management center. Ensure that the secure cloud center and the
ATIC management center are reachable to each other.
NOTE
The ATIC management center also synchronizes library files automatically at 04:00 every
day. After an update completes, both the new and the old library file remain in the library
file list. The ATIC supports a maximum of 40 library files; if the list already holds 40
files, synchronization fails and you must manually delete old library files.

 
3.2.10. Configuring Policy Templates
A policy template defines defense policies of various types for a device model, so that the
same policy set can be applied repeatedly without reconfiguring each policy.

Choose Defense > Policy Settings > Policy Template.

The ATIC Management center provides four predefined policy templates: the Web defense
template (WEB Server), the DNS cache defense template (DNS Caching Server), the DNS
authoritative defense template (DNS Authoritative Server), and the basic defense template
(General Server). Use whichever matches the servers being protected.

- Web defense templates protect web servers. Use templates of this type if HTTP or HTTPS
servers are deployed on the live network.
- DNS cache defense templates protect DNS cache (recursive) servers. Use templates of this
type if DNS cache servers are deployed on the live network.
- DNS authoritative defense templates protect DNS authoritative servers. Use templates of
this type if DNS authoritative servers are deployed on the live network.
- Basic defense templates protect TCP, UDP, and ICMP services on the network. Use templates
of this type if no DNS or web server is deployed on the live network.

Managing Policy Templates

Create: Click the create icon to create a policy template manually. For details, see
Creating a Policy Template.
NOTE
You can also save an existing policy configuration as a template.

Modify: Click the modify icon in the Operation column, then use the Basic Information page
of the Modify Policy Template dialog box to change the template name and remarks. Click the
tab of each defense policy to modify that policy. For parameters, see 3.2.6 Configuring the
Zone-based Defense Policy.

Associate a Zone: Click the associate icon to associate the policy template with a Zone.
For details, see Associating a Zone.

Delete: Select the check box of a policy template and click the delete icon.

Query template: Enter all or part of a template name in Template name and click the query
icon.

Creating a Policy Template


1.   Choose Defense > Policy Settings > Policy Template.

2.  Click .

3. On the Basic Information tab page, configure the basic information of the policy
template.

Device Type and Protocol define the device model and the protocol to which this template
can be applied.

If a protocol type is specified, the created policy template applies to service policies;
if not, the created policy template applies to Zone-based policies.

4.   Click the tab of each defense policy and configure the defense policy. For
parameters, see 3.2.6 Configuring the Zone-based Defense Policy.

5.    Click OK.

Associating a Zone
Two methods are available for applying a policy template to a Zone:

- Import the policy template during the policy configuration.
- Associate the policy template with the Zone, as follows.

1. Choose Defense > Policy Settings > Policy Template.

2. Click   of the policy template.

3. On the Associated Zone page, click  .

4. On the Select Zone page, select the Zone to be associated and click OK.


5. On the Associated Zone page, click OK.

3.2.11. Cloud Cleaning

Cloud cleaning preserves the availability of the entire network when massive attack traffic
would otherwise saturate the local links: based on the alarm policy settings, the ATIC
connects to the cloud cleaning service provider so that traffic is cleaned upstream before
it reaches the network.

Before you configure cloud cleaning, ensure that you have contracted the service from the
cloud cleaning service provider.

Configuring Cloud Cleaning Policies


1.         Choose Defense > Policy Settings > Cloud Clean.

2.         Click the configure icon and specify a cloud cleaning service provider in Configure.

Configure

Cloud Clean Service Provider: Two cloud cleaning service providers are available: CTCC and
HW.

Cleaning mode:
1. Auto: When traffic exceeds the threshold, a cloud cleaning policy is automatically
generated and implemented.
2. Manual: When traffic exceeds the threshold, a cloud cleaning policy is generated but not
implemented. You need to implement the cloud cleaning policy manually.

IP abnormal state: Top N traffic statistics are collected based on the status of IP
addresses.
1. Exception/Attack: Top N traffic statistics are collected only for abnormal or attacked
IP addresses.
2. All: Top N traffic statistics are collected for all IP addresses.

Single IP traffic threshold: Top N traffic statistics are collected once the incoming
traffic to a destination IP address reaches this threshold.

IP inflow TOPN: Set the top N value.

Single device flow threshold

Device threshold: The cloud cleaning service is triggered when the incoming traffic of the
device reaches the configured threshold.

Parameter settings

Defense action (HW only):
1. Clean
2. Block

Default plugging policy (CTCC only): Once an attack occurs, the corresponding cloud
cleaning policy is implemented.
1. Plug the whole network
2. Plug other operators
3. Plug foreign operators
4. Plug other operators (telecom network access only)

Automatic releasing time: Set the aging time of the cloud cleaning service, after which the
policy is released.

URL: Set the cloud service address provided by the ISP.

Access key: For CTCC, the public key that the cloud service provider issues to the user.
For HW, the user name that the cloud service provider issues to the user.

Access private key: Set the cloud service password. This credential authorizes cleaning
and blocking requests for your address space, so protect it as you would any other secret.

3.         Click OK.

4.         After the configuration is complete, if the incoming traffic exceeds the
threshold, the cloud cleaning policy is triggered automatically (in Auto mode).

You can also implement a cloud cleaning policy manually by selecting its check box in
Cloud Clean Policy List and clicking the implement icon above the list.


Adding Static Cloud Cleaning Policies

1.         Click the add icon in Cloud Clean Policy List to manually add a static cloud
cleaning policy.

Service provider: The cloud service provider selected in Configure. A provider must be
configured before cloud cleaning policies can be added manually.

IP/Mask: Set the destination IP address and subnet mask to which the cloud cleaning policy
applies.
1. If Defense Action is set to Clean, you can enter an IP address segment with a 24-bit
mask.
2. If Defense Action is set to Block, you must enter a single IP address with a 32-bit
mask, so that a block never takes out more than one host.

Defense Action (HW only):
1. Clean
2. Block

Range of Defense (CTCC only):
1. Plug the whole network
2. Plug other operators
3. Plug foreign operators
4. Plug other operators (telecom network access only)

Automatic unlock time: Set the aging time of the cloud cleaning service.

Manually added cloud cleaning policies are not cleared automatically. You need to delete
them manually from the Cloud Clean Policy List.

2.         Click OK.

3.2.12 Deploying the Defense Policy


The deployment operation delivers configuration data from the ATIC Management center to the
devices. Defense policies configured for a Zone take effect only after they have been deployed
on the devices.

Prerequisites
The basic policies of the Zone have been configured. For details, see 3.2.1 Configuring a
Defense Mode.

Context
The SIG does not support policy deployment. It obtains the configuration data automatically
by periodically synchronizing with the ATIC Management center.

The ATIC Management center supports incremental deployment. If the Deployment State of a
Zone is Undeployed or Part Deployed, at least one defense policy in the system has not been
delivered to the devices, and you need to deliver it.

Procedure
                               Step 1: Choose Defense > Policy Settings > Zone.

                               Step 2: Select the check box of the Zone and click .

                               Step 3: In the Information dialog box, click OK. The deployment progress is displayed,
and the dialog box is closed automatically after the deployment is complete.

- If the deployment succeeds, Deployment State of the Zone is displayed as Deploy Succeed.
- If the deployment fails, Deployment State of the Zone is displayed as Deploy Failed.
Click Deploy Failed to view details about the deployment failures on the devices
associated with the Zone.

----End

3.2.13 Saving Configurations

After a policy is configured, you can save the configuration through the CLI or the ATIC
Management center. Until it is saved, the deployed policy exists only in the running
configuration and is lost when the device restarts.
Saving Configurations through the CLI
                               Step 1     Run the save [ cfg-filename ] command in the user view to save the current
configuration.

If cfg-filename is not specified, the current configuration directly overwrites the default
startup configuration file.

----End

Saving Configurations through the ATIC Management center


                               Step 1:  Choose Defense > Policy Settings > Global Policy.

                               Step 2: Select the check box of the Anti-DDoS and click  .

                               Step 3: In the OK dialog box, click OK. The saving progress is displayed. After the saving
is complete, the dialog box is automatically closed.

----End

4. Configuring Traffic Diversion


4.1. Configuring Mirroring

When the detecting device works in off-line mode, traffic must be copied to it by optical
splitting or mirroring before it can be detected.

In optical splitting mode, you only need to deploy an optical splitter.

In mirroring mode, packets received or sent by a port (the mirroring port) are copied to a
specified port (the observing port) and then sent to the detecting device. By analyzing the
copied packets, the detecting device learns what data is transmitted over the mirroring port.

As shown in Figure 4-1, the detecting device is directly connected to GE1/0/1 on Router1,
which uses its interfaces as mirroring and observing ports. Inbound traffic on GE1/0/0 is
copied to GE1/0/1 by port mirroring and then sent to the detecting device for analysis.

The mirroring router and the traffic-diversion router can be the same router or different
routers.

Figure 4-1 Mirroring

This mode suits enterprise networks because of its low cost and because no extra device or
component is required; however, it requires CLI configuration on the router.

To enable traffic copying in mirroring mode, only the CLI commands related to port
mirroring need to be configured on the router. The following uses a Huawei NE80E as an
example of how to configure port mirroring on the router.

                               Step 1: Configure the local observing port.

1.         Run the system-view command to access the system view.

2.         Run the interface interface-type interface-number command to access the
interface view.

This interface serves as the local observing port. Supported interfaces are the GE
interface and its subinterfaces, the Eth-Trunk interface and its subinterfaces, the POS
interface, and the IP-Trunk interface, for example, GE1/0/1 on Router1 in Figure 4-1.

3.         Run the port-observing observe-index observe-index command to configure a
local observing port.

When a physical port serves as the observing port, the index number of the observing port
must be identical to the slot number of the LPU where the interface resides. When a
logical interface serves as the observing port, the index number must not be in use by
another observing port.

4.         Run the quit command to return to the system view.

                               Step 2: Configure the observing port for mirroring on the entire LPU.

1.         Run the slot slot-id command to access the slot view.

2.         Run the mirror to observe-index observe-index command to configure the
observing port for mirroring on the LPU.

After this command is configured, the observing port with that index serves as the
observing port for the entire LPU: when mirroring is enabled on any interface of the LPU,
packets are mirrored to this observing port. The observing port can reside on the local
LPU or on another LPU.

3.         Run the quit command to return to the system view.

                               Step 3:  Configure port mirroring.

1.         Run the interface interface-type interface-number command to access the
interface view.

This interface serves as the local mirroring port. Supported interfaces are the GE
interface and its subinterfaces, the POS interface, the FR interface, the serial
interface, and the MP-Group interface, for example, GE1/0/0 on Router1 in Figure 4-1.

2.         Run the port-mirroring inbound [ cpu-packet ] command to mirror the inbound
traffic of the local mirroring port.

----End
4.2. Configuring Traffic Diversion
When the cleaning device is in off-line mode, you can configure traffic diversion to divert the traffic
destined for the given IP address to the cleaning device for defense or traffic analysis.

4.2.1. Configuring Policy-based Route Diversion

A policy-based route is configured on the router to divert the traffic meeting conditions to the cleaning
device. The policy-based route needs to be configured only on the traffic-diversion router, not on the
cleaning device.

Implementation Mechanism
A policy-based route is generally used for static traffic diversion. As shown in Figure 4-2,
a traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 (the
cleaning interface) on the cleaning device. A policy-based route is applied to the inbound
interface GE1/0/0 on Router1, so that packets matching its conditions are forwarded to the
cleaning device through GE1/0/1 instead of according to the routing table. Traffic destined
for the Zone is thereby forcibly diverted.

Figure 4-2 Policy-based route diversion


 

Configuring the Cleaning Device

No configuration is required on the cleaning device for policy-based route diversion: the
policy-based route is configured only on GE1/0/0 of Router1.

Configuring the Router

The following uses a Huawei NE80E as an example of how to configure Router1 for traffic
diversion through a policy-based route.

As shown in Figure 4-2, configure a policy-based route for the inbound traffic of GE1/0/0
on Router1.

1.         Run the system-view command to access the system view.

2.         Configure the ACL that defines the data flow to be matched by the policy-based
route (typically the destination addresses of the Zone).

3.         Run the following commands to define a traffic classifier.

a.         Run the traffic classifier classifier-name command in the system view to define
a traffic classifier and access the traffic classifier view.

classifier-name specifies the name of the traffic classifier. It is a case-sensitive string
of 1 to 31 characters.

b.         Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match
the ACL.

acl-number specifies the number of the ACL. The value is an integer.

For IPv4 packets, the value ranges from 2000 to 4099:
- A value from 2000 to 3999 indicates a basic or an advanced ACL.
- A value from 4000 to 4099 indicates an ACL based on the Layer 2 Ethernet frame header.
For IPv6 packets, the value ranges from 2000 to 3999:
- A value from 2000 to 2999 indicates a basic ACL.
- A value from 3000 to 3999 indicates an advanced ACL.
acl-name specifies the name of a named ACL. The value is a case-sensitive string of 1 to
32 characters without spaces. It must start with a letter (a to z or A to Z) and may
contain letters, digits, hyphens (-), and underscores (_).

4.         Run the following commands to define a traffic behavior and set its action.

a.         Run the traffic behavior behavior-name command in the system view to define a
traffic behavior and access the traffic behavior view.

behavior-name specifies the name of the traffic behavior. The value is a string of 1 to 31
characters.

b.         Run the redirect ip-nexthop ip-address [ interface interface-type
interface-number ] command to redirect matching packets to the next hop.

ip-address specifies the IP address of the redirect next hop (the cleaning interface of
the cleaning device).
interface-type interface-number specifies the type and number of the outbound interface,
in slot number/card number/port number format.

5.         Run the following commands to define a traffic policy and bind the behavior to
the classifier in the policy.

a.         Run the traffic policy policy-name command in the system view to define a
traffic policy and access the policy view.

policy-name specifies the name of the traffic policy. The value is a string of 1 to 31
characters.

b.         Run the classifier classifier-name behavior behavior-name [ precedence
precedence ] command to bind the behavior to the traffic classifier in the policy.

classifier-name specifies the name of a traffic classifier that has already been defined.
behavior-name specifies the name of a traffic behavior that has already been defined.
precedence indicates the priority of the classifier-behavior association. The value is an
integer from 1 to 255; the smaller the value, the higher the priority, and the association
with the highest priority is processed first. If precedence is not specified, associations
are evaluated in configuration order.

6.         Run the following commands to apply the policy-based route to the interface.

a.         Run the interface interface-type interface-number command in the system view to
access the interface view.

b.         Run the traffic policy policy-name inbound command to apply the traffic policy,
and with it the policy-based route, to the inbound direction of the interface.

4.2.2 Configuring BGP Traffic Diversion (CLI)

This section describes how to configure BGP traffic diversion.

Implementation Mechanism
As shown in Figure 4-3, a traffic-diversion channel is established between GE1/0/1 on
Router1 and GE2/0/1 on the cleaning device, where GE2/0/1 serves as the cleaning interface
and GE2/0/2 as the traffic-injection interface. After a traffic-diversion task is
configured, a 32-bit static host route (UNR route) is generated on the cleaning device. BGP
is configured on both the cleaning device and Router1 so that the UNR route is imported
into BGP and advertised to Router1.

Figure 4-3 BGP traffic diversion

The following uses automatic traffic diversion and Zone 1.1.1.1/32 as an example to
illustrate the implementation mechanism of BGP traffic diversion:

1.         When the traffic destined for Zone 1.1.1.1/32 becomes abnormal, the ATIC
Management center automatically delivers a traffic-diversion task to the cleaning device.
A 32-bit static host route (UNR route) is then generated on the cleaning device: its
destination is 1.1.1.1/32 and its next hop is GE1/0/2 on Router1, which is directly
connected to the traffic-injection interface (GE2/0/2) on the cleaning device.

2.         A BGP peer relationship is established between GE2/0/1 on the cleaning device
and GE1/0/1 on Router1. The cleaning device advertises the generated UNR route to Router1
through BGP.

3.         When the UNR route reaches Router1, its destination is still 1.1.1.1/32, but the
outbound interface now points to GE2/0/1 on the cleaning device.

4.         When Router1 receives packets destined for 1.1.1.1/32, the routing table lookup
selects the /32 route by longest prefix match, and Router1 sends the packets out of
GE1/0/1 to GE2/0/1 on the cleaning device. Traffic is thereby diverted.

In this mechanism, the 32-bit static host route on the cleaning device is generated only
after both of the following are done, one through the CLI and one through the ATIC
Management center:

1.         Run the firewall ddos bgp-next-hop { ip-address | ipv6 ipv6-address } command
on the cleaning device to configure the next-hop address used for the generated route,
that is, the IP address of GE1/0/2 on Router1, which is directly connected to the
traffic-injection interface on the cleaning device.

2.         On the ATIC Management center GUI, select a traffic-diversion mode for the Zone
so that traffic-diversion tasks are generated dynamically. For details, see 3.2.1
Configuring a Defense Mode. Alternatively, create a static traffic-diversion task. For
details, see 4.2.3 Configuring BGP Traffic Diversion (ATIC).

After the generated traffic-diversion task is delivered to the cleaning device, the device
shows the corresponding command, that is, firewall ddos traffic-diversion [ vpn-instance
vpn-instance-name ] ip ip-address [ mask | mask-length ] [ ip-link name ] or firewall ddos
traffic-diversion [ vpn6-instance vpn6-instance-name ] ipv6 ipv6-address [ mask-length ].

After the previous two steps are complete, a UNR route is generated on the cleaning device.
For example, if the automatic traffic-diversion mode is configured for Zone 1.1.1.1/32 in
the ATIC Management center and the firewall ddos bgp-next-hop 2.2.2.2 command is
configured on the cleaning device, then when the detecting device detects an anomaly for
1.1.1.1/32, a UNR route with destination 1.1.1.1/32 and next hop 2.2.2.2 is generated on
the cleaning device.

The generated UNR route also provides the traffic-injection function: with this route,
cleaned traffic is injected to GE1/0/2 on Router1. Without further configuration, Router1
would look up 1.1.1.1/32 again, match the diverted /32 route, and send the cleaned traffic
back to the cleaning device, forming a loop. To avoid this, configure a policy-based route
on GE1/0/2 so that traffic arriving there is sent to the downstream Router2 and then to
the Zone.
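The following Python simulation is an added example (not Huawei code, and not a model of VRP internals) of both diversion mechanisms: the policy-based route of 4.2.1 on the inbound interface GE1/0/0, and the BGP-advertised 1.1.1.1/32 route of this section together with the loop-avoidance policy-based route on GE1/0/2. Router1 is reduced to a longest-prefix-match routing table plus per-interface inbound policies that are evaluated before the table, as a redirect ip-nexthop action would be; the 1.1.1.0/24 Zone prefix, the Router2 next hop and the upstream default route are assumed, and the interface names follow the figures.

```python
"""Forwarding simulation of policy-based route diversion (4.2.1) and BGP
traffic diversion with the injection-side loop (4.2.2).

Added example, not Huawei's implementation. Router1 is modeled as a
longest-prefix-match routing table plus per-interface inbound traffic
policies that are evaluated before the routing table, as a redirect
ip-nexthop action would be. Interface names follow the figures; the
1.1.1.0/24 Zone prefix and the Router2 and upstream next hops are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]          # (prefix, next hop)
CLEANING = "cleaning device GE2/0/1 (via Router1 GE1/0/1)"
ROUTER2 = "Router2 (downstream, towards the Zone)"
UPSTREAM = "upstream"


@dataclass
class Router:
    name: str
    routes: List[Route] = field(default_factory=list)
    # inbound traffic policy per interface; the first matching classifier wins
    policies: Dict[str, List[Route]] = field(default_factory=dict)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def apply_policy(self, iface: str, match_prefix: str, redirect_to: str) -> None:
        """traffic policy <name> inbound on iface, with if-match acl -> redirect ip-nexthop."""
        self.policies.setdefault(iface, []).append((ipaddress.ip_network(match_prefix), redirect_to))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest prefix match over the routing table."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, in_iface: str, dst: str) -> Optional[str]:
        """A policy-based route on the inbound interface takes precedence over the routing table."""
        addr = ipaddress.ip_address(dst)
        for net, nh in self.policies.get(in_iface, []):
            if addr in net:
                return nh
        return self.lookup(dst)


def build_router1() -> Router:
    r = Router("Router1")
    r.add_route("0.0.0.0/0", UPSTREAM)
    r.add_route("1.1.1.0/24", ROUTER2)   # normal path to the Zone (assumed prefix)
    return r


def scenario_policy_route() -> Tuple[Optional[str], Optional[str]]:
    """4.2.1: static diversion by a policy-based route on the inbound interface only."""
    r = build_router1()
    r.apply_policy("GE1/0/0", "1.1.1.0/24", CLEANING)
    return r.forward("GE1/0/0", "1.1.1.5"), r.forward("GE1/0/0", "9.9.9.9")


def scenario_bgp(injection_policy_route: bool) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """4.2.2: the cleaning device advertises 1.1.1.1/32 via BGP and Router1 installs it
    pointing at the cleaning interface. Returns the next hop chosen for a diverted packet,
    for an untouched Zone address, and for cleaned traffic re-entering on GE1/0/2."""
    r = build_router1()
    r.add_route("1.1.1.1/32", CLEANING)        # UNR route learned from the cleaning device
    if injection_policy_route:
        r.apply_policy("GE1/0/2", "1.1.1.0/24", ROUTER2)   # loop avoidance on the injection side
    return (r.forward("GE1/0/0", "1.1.1.1"),
            r.forward("GE1/0/0", "1.1.1.2"),
            r.forward("GE1/0/2", "1.1.1.1"))


if __name__ == "__main__":
    print("PBR:", scenario_policy_route())
    print("BGP, no injection PBR:", scenario_bgp(False))   # cleaned traffic loops back
    print("BGP, with injection PBR:", scenario_bgp(True))  # cleaned traffic reaches Router2
```

The third element returned by scenario_bgp is the point of the loop warning above: without the policy-based route on GE1/0/2, the only route Router1 has for 1.1.1.1 is the /32 pointing back at the cleaning device, so the cleaned traffic is diverted a second time. The /24 route is not affected in either case, which is why the BGP method diverts only the attacked host while the policy-based route of 4.2.1 diverts everything its ACL matches.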

In certain scenarios such as multiple traffic-diversion links, you need to filter the UNR
route generated by the cleaning device to prevent the route from being delivered to
the FIB and interfering with injected traffic. Meanwhile, configure other traffic-
injection policy to inject the traffic to the original link.

Run the following command on the cleaning device to filter the UNR route:

[sysname] firewall ddos bgp-next-hop fib-filter [ ipv6 ]

Determine whether to configure this command according to the actual deployment:

1. When UNR route injection is adopted, that is, the cleaning device forwards cleaned
traffic to the access router based on the generated UNR route, do not configure the
command: the route must reach the FIB to carry the cleaned traffic.

2. When static route injection is adopted, to prevent the generated UNR route
from affecting static route forwarding, configure the command.

3. When GRE injection is adopted, to prevent the generated UNR route from
affecting GRE forwarding, configure the command.

4. When MPLS LSP injection is adopted, to prevent the generated UNR route
from affecting MPLS forwarding, configure the command.

5. When MPLS VPN injection is adopted, to prevent the generated UNR route
from affecting MPLS forwarding, configure the command.

6. When multiple traffic-injection links exist and the cleaning device learns the route
to the Zone through a routing protocol such as OSPF, to prevent the generated
UNR route from affecting OSPF forwarding, configure the command.

Configuring the Cleaning Device


Perform the following on the cleaning device to implement BGP traffic diversion:

1.         Run the system-view command in the user view to access the system view.

2.         Run the firewall ddos bgp-next-hop { ip-address | ipv6 ipv6-address }
command to configure the next-hop address for dynamically generating a route.

ip-address specifies the next hop of the traffic-injection interface on the
cleaning device, that is, the IP address of the router interface directly connected
to the traffic-injection interface on the cleaning device, not that of the interface
on the cleaning device.

The cleaning device can be configured with only one next-hop address. If this
command is configured multiple times, the new IP address overwrites the
existing one.

3.         (Optional) Run the firewall ddos bgp-next-hop fib-filter [ ipv6 ] command to
perform FIB filtering on the generated UNR route.

After this command is configured, the dynamically generated UNR route is not
delivered to the FIB.

4.         (Optional) Run the following commands to configure the BGP community attribute.

Configure the community attribute according to the networking. In normal cases,
to avoid loops, you are advised to configure the filtering policy so that the host
route learned by Router1 is not propagated to any further peer.

a.         Run the route-policy route-policy-name { permit | deny } node node command
in the system view to create a routing policy and access the policy view.

b.         Run the apply community no-advertise command to mark matched routes
with the well-known no-advertise community, so that the peer that receives them
does not advertise them to any other peer.

c.         Run the quit command to return to the system view.

d.         Run the bgp { as-number-plain | as-number-dot } command to enable
BGP (by specifying the local AS number) and access the BGP view.

as-number specifies an AS number. The value ranges from 1 to 65,535.

e.         Run the ipv4-family unicast command to access the IPv4 unicast address
family view.

f.          Run the peer { ipv4-address | group-name } advertise-community command
to advertise the standard community attribute to the peer or peer group.

g.         Run the peer { ipv4-address | group-name } route-policy route-policy-name
export command to apply the routing policy in the outbound direction.

5.         Run the following commands to configure BGP to advertise the dynamically
generated route.

a.         Run the bgp { as-number-plain | as-number-dot } command to access the
BGP view.

b.         (Optional) Run the ipv4-family vpn-instance vpn-instance-name command to
access the BGP-VPN instance view.

When the MPLS VPN traffic-injection mode is adopted and the cleaning
device serves as a PE, you need to bind a VPN instance to the traffic-diversion
interface. In BGP traffic-diversion mode, configure the BGP peer in the
BGP-VPN instance view.

c.         Run the peer ipv4-address as-number as-number command to set the IP
address of the BGP peer and the number of the AS to which the BGP peer
belongs.

The specified as-number must be the same as the local AS number.

ipv4-address specifies the IP address of the peer interface directly connected to
the cleaning device, that is, the IP address of GE1/0/1 on Router1.

d.         Run the import-route unr [ med med | route-policy route-policy-name ] *
command to configure BGP to import the UNR route.

After this command is configured, the system imports the generated UNR
route into BGP and advertises it to the router, implementing traffic diversion.

Task Example

As shown in Figure 4-4, the detecting device and cleaning device are deployed on the
network in off-line mode to detect and clean the traffic destined for the Zone. BGP
traffic diversion is configured on the cleaning device. When it identifies an anomaly, the
detecting device reports an exception log to the ATIC Management center, which then
automatically delivers a traffic-diversion policy to the cleaning device to divert all
traffic for the affected address to the cleaning device. The cleaning device cleans the
diverted traffic and injects the normal traffic back to the original link.

Figure 4-4 Example for configuring BGP traffic diversion

 
Assume that a Zone is at 2.2.2.0/24. When the traffic destined for 2.2.2.2/32 is abnormal,
perform the following to automatically divert such traffic to the cleaning device for
cleaning:

1.         On the cleaning device, configure the next-hop address for dynamically
generating a route.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 7.7.2.2

7.7.2.2 is the IP address of GE1/0/2 on Router1, the interface directly connected to
the traffic-injection interface on the cleaning device.

2.         In the ATIC Management center, choose Defense > Policy Settings > Zone and
set the IP address of the Zone to 2.2.2.0/24.

3.         In the ATIC Management center, choose Defense > Policy Settings > Zone and
set the traffic-diversion mode for the Zone to Automatic.

4.         When the traffic destined for 2.2.2.2/32 in the Zone becomes abnormal, the ATIC
Management center automatically delivers a traffic-diversion task to the
cleaning device. The cleaning device then generates a UNR route to 2.2.2.2/32 with
next hop 7.7.2.2 and delivers the route to the FIB. Cleaned traffic matching this
entry is forwarded to GE1/0/2 on Router1.

When you employ MPLS or GRE traffic injection, run the firewall ddos
bgp-next-hop fib-filter command so that the generated UNR route is not
delivered to the FIB and does not disturb MPLS or GRE forwarding.

5.         Configure the BGP community attribute and advertise the dynamically
generated route.

[sysname] route-policy 1 permit node 1
[sysname-route-policy] apply community no-advertise
[sysname-route-policy] quit
[sysname] bgp 100
[sysname-bgp] peer 7.7.1.2 as-number 100
[sysname-bgp] import-route unr
[sysname-bgp] ipv4-family unicast
[sysname-bgp-af-ipv4] peer 7.7.1.2 route-policy 1 export
[sysname-bgp-af-ipv4] peer 7.7.1.2 advertise-community
[sysname-bgp-af-ipv4] quit
[sysname-bgp] quit

After the previous configurations are complete, the system imports the generated
UNR route into BGP and advertises it to Router1 through BGP,
implementing traffic diversion.

Configuring the Router


The following uses a Huawei NE80E as an example to describe the BGP-related
configuration of the router. Perform the following on Router1 to implement BGP traffic
diversion together with the cleaning device.

1.         Run the system-view command to access the system view.

2.         Run the bgp as-number command to access the BGP view.

3.         Run the peer ipv4-address as-number as-number command to set the IP
address of the BGP peer and the number of the AS to which the BGP peer
belongs.

The peer can be an EBGP or IBGP peer; in the example in this section both sides
use AS 100 (IBGP).

ipv4-address specifies the IP address of the interface directly connected to the
BGP peer, that is, the IP address of GE2/0/1 on the cleaning device.

4.2.3 Configuring BGP Traffic Diversion (ATIC)

Traffic diversion tasks can be divided into static traffic diversion tasks, manual traffic diversion tasks, and
automatic traffic diversion tasks. The static traffic diversion task needs to be created by the
administrator, and the manual and automatic traffic diversion tasks are dynamically generated by the
system.

Traffic Diversion Tasks Overview


The categories of traffic diversion tasks are as follows:

1. Static traffic diversion task

No matter whether the detecting device detects any anomalies or not,
the ATIC Management center generates a static traffic diversion task for
the IP address/IP address segment of the Zone and delivers the task to
the cleaning device.

The static traffic diversion task needs to be created by the administrator.
For details, see Creating a Static Traffic Diversion Task.

2. Manual traffic diversion task

When the detecting device detects an anomaly, the ATIC Management
center generates a manual traffic diversion task. The task is not delivered
to the cleaning device until it is manually enabled by the administrator.
After the anomaly or attack ends, the system cancels traffic diversion
automatically.

A manual traffic diversion task is dynamically generated by the system and
is one kind of dynamic traffic diversion task. If Traffic Diversion
Mode is set to Manual during the defense policy configuration, the
system dynamically generates manual traffic diversion tasks. For details
on how to configure the traffic diversion mode, see 3.2.1 Configuring a
Defense Mode.

3. Automatic traffic diversion task

When the detecting device detects an anomaly, the ATIC Management
center generates an automatic traffic diversion task and directly delivers
the task to the cleaning device. After the anomaly or attack ends, the
system cancels traffic diversion automatically. No administrator
intervention is required.

An automatic traffic diversion task is dynamically generated by the system
and is the other kind of dynamic traffic diversion task. If Traffic
Diversion Mode is set to Automatic during the defense policy
configuration, the system dynamically generates automatic traffic
diversion tasks. For details on how to configure the traffic diversion
mode, see 3.2.1 Configuring a Defense Mode.

After a traffic diversion task is delivered to the cleaning device, the firewall
ddos traffic-diversion [ vpn-instance vpn-instance-name ] ip ip-address
[ mask | mask-length ] command is generated on the cleaning device.
This command works with the commands in Configuring BGP Traffic Diversion (CLI)
to realize BGP traffic diversion.

After the anomaly or attack ends, the diversion persists for a while before it is
automatically canceled, to ensure that the anomaly or attack traffic is
thoroughly cleaned. For how to set the persistence time for traffic diversion,
see 7.2.4 Maintaining Anti-DDoS Data.

Management Operation

Choose Defense > Policy Settings > Traffic Diversion to manage traffic diversion tasks.

Create: Click the create icon to create a static traffic diversion task in the ATIC
Management center. For details, see Creating a Static Traffic Diversion Task.

Delete: Select the check box of the traffic diversion task to be deleted and
click the delete icon.

Enable: A traffic diversion task in the enabled state is delivered to the cleaning
device. Only a traffic diversion task delivered to the cleaning device takes
effect. Select the check box of the traffic diversion task to be enabled and
click the enable icon.

Disable: A traffic diversion task in the disabled state does not take effect.
Select the check box of the traffic diversion task to be disabled and
click the disable icon.

Search:
1. Basic search: In the search area, select Device and Zone as search conditions, and
then click the search icon.
2. Advanced search: Click Advanced Search. In the advanced search area that is displayed,
set search conditions such as Device, Zone, IP Address, Start Time, End
Time, Mode, Status, or Detail and then click Search.

You can also choose Defense > Policy Settings > Zone and click the diversion state of a
Zone in the Diversion State column to manage the diversion tasks of that Zone on the
Traffic Diversion Task List tab page.

Creating a Static Traffic Diversion Task


Step 1: Choose Defense > Policy Settings > Traffic Diversion.

Step 2: On the Traffic Diversion Task List page, click the create icon.

Step 3: In Cleaning Device, select a device to perform traffic cleaning.

Step 4: Click the select icon corresponding to Zone. On the Select Zone page, select the
option button of a Zone under its account and click OK.

Step 5: Configure the IP address for traffic diversion. After a static traffic diversion task
is delivered, all traffic destined for the IP address is diverted to the cleaning device
for cleaning.

   If the IP address for traffic diversion is in a user-defined Zone but you do not know
the actual IP address or IP address segment, select Select IP Address in Input
Mode. Then select the IPv4 address or IPv6 address for traffic diversion.

If you need to specify certain IP addresses or IP address segments for traffic
diversion within a protected IP address segment, you can split the IP address
segment and select a subnet after splitting.

a.         Click the split icon of the IP address to be split.

b.         Enter the mask splitting length on the Splitting Setting page and
click Split.

The mask splitting length of an IP address segment ranges from the number of mask
bits plus 1 to the number of mask bits plus 8. For example, if the mask of a
protected IP address segment is 255.255.0.0, the number of mask bits is 16, so
the mask splitting length ranges from 17 to 24.

c.         Select subnet IP addresses after splitting.

d.         Click OK.

e.         On the Create Traffic Diversion Task page, select subnet IP addresses
after splitting.

   If the IP address for traffic diversion is in a default Zone, or you know the actual IP
address or IP address segment in a user-defined Zone, select Enter IP
Address in Input Mode. Then enter the actual IP address and subnet mask.

If you need to specify certain IP addresses or IP address segments for traffic
diversion within a protected IP address segment, you can split the IP address
segment and select a subnet after splitting.

a.         Select Split IP Address Segment.

b.         Enter the mask splitting length in Mask splitting length and click Split.

The mask splitting length ranges from the number of mask bits plus 1 to the number
of mask bits plus 8, as in the previous case (17 to 24 for a 255.255.0.0 mask).

c.         Select subnet IP addresses after splitting.

Step 6: (Optional) Select Automatic Enabling. The static traffic diversion task is
automatically enabled after it is created.

Step 7: On the Create Traffic Diversion Task page, click OK.

After a traffic diversion task is successfully created, the task is displayed on the Traffic
Diversion Task List page.

----End

4.3. Configuring Traffic Injection


When the cleaning device is in off-line mode, you can configure traffic injection to inject cleaned traffic
to the original link and then to the Zone.

4.3.1 Layer-2 Injection

In Layer-2 injection, the cleaning device injects the cleaned traffic to the Zone at Layer 2 instead of
by routed forwarding.

Implementation Mechanism

This function is configured on the Anti-DDoS.

As shown in Figure 4-5, the E1/1 interface on the core switch is directly connected to
interface GE1/0/1 on the cleaning device. The channel between them is used for both traffic
diversion and traffic injection. Two VLANs, for example VLAN1 and VLAN2, are created on the
switch. Two sub-interfaces on the cleaning device are associated with VLAN1 and VLAN2 for
traffic diversion and injection respectively. Traffic is diverted to the cleaning device for
cleaning over VLAN1 of the core switch. After cleaning is complete, the cleaning device
requests the MAC address of the Zone by sending an ARP request. The Zone
replies with an ARP reply, and the cleaning device then injects the traffic to the
Zone at Layer 2 based on that MAC address.

Figure 4-5 Layer 2 injection

Layer 2 injection is applicable to the scenario where only Layer 2 forwarding devices exist between
the core switch and the Zone.
Configuring the Cleaning Device
The VLAN function is configured on the cleaning device to forward injected traffic through the
VLAN.

1.         Run the system-view command to access the system view.

2.         Run the interface interface-type interface-number.subinterface-number command to
access the Ethernet sub-interface view.

3.         Run the vlan-type dot1q vlan-id command to set the encapsulation type and VLAN ID of
the sub-interface.

By default, a sub-interface is not encapsulated with 802.1Q and is not associated with any
VLAN.

4.         Run the ip address ip-address { mask | mask-length } [ sub ] command to set an IP
address for the sub-interface.

In Layer-2 injection, if sub-interfaces are used for traffic injection, anti-DDoS policies are
configured on the sub-interfaces. If VLANIF interfaces are used for traffic injection, anti-DDoS
policies are configured on the corresponding physical interfaces.

Configuring the Core Switch


The following uses a Huawei S9300 as an example to describe how to configure the core switch.

1.         Run the system-view command to access the system view.

2.         Run the vlan vlan-id command to create a VLAN.

3.         Run the quit command to return to the system view.

4.         Run the interface interface-type interface-number command to access the Ethernet
interface view.

5.         Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure
the link type of the Layer 2 Ethernet interface.

6.         Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> | all } command to
configure the VLANs permitted by the trunk interface.

7.         Run the quit command to return to the system view.

8.         Run the interface vlanif vlan-id command to create a VLANIF interface.

9.         Run the ip address ip-address { mask | mask-length } [ sub ] command to set an IP address for the
VLANIF interface.
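The following is an added, complete configuration for the Layer 2 injection setup of Figure 4-5; it is not from the guide. Everything not stated in the guide is an assumption: VLAN 10 for diversion and VLAN 20 for injection (the guide uses VLAN1 and VLAN2 only as an illustration), the switch port GigabitEthernet1/0/1 standing in for E1/1, the diversion link 10.1.10.0/24, and the Zone 2.2.2.0/24 with the core switch as its gateway at 2.2.2.1. Lines starting with # are commentary, not commands.

```text
# Cleaning device: two 802.1Q sub-interfaces on the single link to the core switch.
# Added example, not from the guide; VLAN IDs and addresses are assumptions.
<sysname> system-view
[sysname] interface GigabitEthernet1/0/1.10
[sysname-GigabitEthernet1/0/1.10] vlan-type dot1q 10
[sysname-GigabitEthernet1/0/1.10] ip address 10.1.10.2 255.255.255.0
[sysname-GigabitEthernet1/0/1.10] quit
# The injection sub-interface sits in the Zone's own subnet: that is what lets the
# cleaning device ARP for 2.2.2.x directly and deliver at Layer 2 without a route
# through the core switch. Anti-DDoS policies are applied on these sub-interfaces.
[sysname] interface GigabitEthernet1/0/1.20
[sysname-GigabitEthernet1/0/1.20] vlan-type dot1q 20
[sysname-GigabitEthernet1/0/1.20] ip address 2.2.2.254 255.255.255.0
[sysname-GigabitEthernet1/0/1.20] quit
#
# Core switch (S9300): trunk both VLANs to the cleaning device. VLANIF 10 is the
# next hop the switch uses to divert traffic (diversion itself is configured as in
# 4.2); VLANIF 20 is the Zone's gateway, so VLAN 20 must also reach the Zone hosts.
<S9300> system-view
[S9300] vlan batch 10 20
[S9300] interface GigabitEthernet1/0/1
[S9300-GigabitEthernet1/0/1] port link-type trunk
[S9300-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20
[S9300-GigabitEthernet1/0/1] quit
[S9300] interface Vlanif10
[S9300-Vlanif10] ip address 10.1.10.1 255.255.255.0
[S9300-Vlanif10] quit
[S9300] interface Vlanif20
[S9300-Vlanif20] ip address 2.2.2.1 255.255.255.0
[S9300-Vlanif20] quit
#
# Check from the cleaning device that a Zone host resolves over the injection VLAN:
[sysname] display arp interface GigabitEthernet1/0/1.20
```

Keep the diversion VLAN (10) out of every access port that faces the Zone: if the Zone hosts could reach VLAN 10 directly, attack traffic would have a Layer 2 path that bypasses the cleaning device's policies.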

4.3.2. Configuring Static Route Injection

In static route injection, cleaned traffic is injected from the cleaning device to the router along
a static route, and finally reaches the Zone.

Implementation Mechanism

This function is configured on the Anti-DDoS.

As shown in Figure 4-6, Router1 is a traffic-diversion router. A traffic-diversion channel is established
between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1
on the cleaning device through Router1 GE1/0/1 for cleaning. After the cleaning is complete, the
cleaning device injects the cleaned traffic to GE1/0/2 on Router1 along the static route. Subsequently,
Router1 forwards the traffic to the Zone.

In practice, the traffic-injection router can be either Router1 or another downstream router (such as
Router2).

Figure 4-6 Static route injection

In BGP traffic diversion, Router1 learns the UNR route advertised by the cleaning device and uses
the cleaning device as the next hop of the route to the Zone. Without further configuration, after
cleaned traffic is injected to Router1, Router1 forwards it back to the cleaning device according to
the routing table, creating a loop. To avoid the loop, configure a policy-based route on inbound
interface GE1/0/2 of Router1 to send injected traffic to downstream Router2 for forwarding.

As the simplest traffic injection mode, static route injection is generally applicable to the
scenario where only one traffic-injection link exists.

Configuring the Cleaning Device


Run the ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type
interface-number [ nexthop-address ] } [ preference preference ] [ description text ] command to
configure a static route.

ip-address specifies the destination IP address of the static route, that is, the Zone whose traffic is
diverted.

mask specifies the mask of the IP address, in dotted decimal notation. mask-length specifies the mask
length.

preference specifies the priority of the static route. The value ranges from 1 to 255, with 60 as
the default value.

nexthop-address specifies the next-hop address of the static route, that is, the IP address of Router1
GE1/0/2, which is directly connected to the traffic-injection interface on the cleaning device.

Configuring the Router


The following uses a Huawei NE80E as an example to describe how to configure the policy-based
route on the traffic-injection router. Routers of different versions have different
configurations; the following configuration is used only as an example for reference.

1.         Run the system-view command to access the system view.

2.         Configure the ACL to define the data flow that matches the policy-based route.

3.         Run the following commands to define a traffic classifier.

a.         Run the traffic classifier classifier-name command in the system view to define a
traffic classifier and access the traffic classifier view.

classifier-name specifies the name of a traffic classifier. It is a case-sensitive string of 1 to 31
characters.

b.         Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match
an ACL.

acl-number specifies the number of the ACL. The value is an integer.

For IPv4 packets, the value ranges from 2000 to 4099:

1. A value from 2000 to 3999 indicates a basic or an advanced ACL.

2. A value from 4000 to 4099 indicates an ACL based on the Layer 2
Ethernet frame header.

For IPv6 packets, the value ranges from 2000 to 3999:

1. A value from 2000 to 2999 indicates a basic ACL.

2. A value from 3000 to 3999 indicates an advanced ACL.

acl-name specifies the name of a named ACL. The value is a string of 1 to 32 case-sensitive
characters without spaces. It must start with a letter (a to z or A to Z) and can contain
letters, digits, hyphens (-), and underscores (_).

4.         Run the following commands to define a traffic behavior and set its action.

a.         Run the traffic behavior behavior-name command in the system view to define a
traffic behavior and access the traffic behavior view.

behavior-name specifies the name of a traffic behavior. The value is a string of 1 to
31 characters.

b.         Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ]
command to redirect matched traffic to the next hop.

ip-address specifies the IP address of the redirected next hop.

interface-type interface-number specifies the type and number of the outbound
interface. The number is in the slot number/card number/port number format.

5.         Run the following commands to define a traffic policy and bind the behavior to the
classifier in the policy.

a.         Run the traffic policy policy-name command in the system view to define a traffic
policy and access the policy view.

policy-name specifies the name of a traffic policy. The value is a string of 1 to 31
characters.

b.         Run the classifier classifier-name behavior behavior-name [ precedence precedence ]
command to bind a behavior to the traffic classifier in the policy.

classifier-name specifies the name of a traffic classifier. It must already be defined.

behavior-name specifies the name of a traffic behavior. It must already be defined.

precedence indicates the priority of the classifier-behavior pair. The value is an integer
from 1 to 255. The smaller the value, the higher the priority, and the pair is matched
first. If precedence is not specified, the system evaluates the pairs in configuration
order.

6.         Run the following commands to apply the policy-based route to the interface.

a.         Run the interface interface-type interface-number command in the system view
to access the interface view.

The interface is inbound interface GE1/0/2 on traffic-injection Router1, as
shown in Figure 4-6.

b.         Run the traffic-policy policy-name inbound command to apply the policy-based
route. inbound applies the traffic policy to the inbound direction.

4.3.3. Configuring UNR Route Injection

In UNR route injection, cleaned traffic is injected from the cleaning device to the router along the UNR
route, and finally reaches the Zone.

Implementation Mechanism

This function is configured on the Anti-DDoS.

As shown in Figure 4-7, Router1 is a traffic-diversion router. A traffic-diversion channel is established
between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1
on the cleaning device through Router1 GE1/0/1 for cleaning. After the cleaning is complete, the
cleaning device injects the cleaned traffic to GE1/0/2 on Router1 along the UNR route. Subsequently,
Router1 forwards the traffic to the Zone.

In practice, the traffic-injection router can be either Router1 or another downstream router (such as
Router2).

Figure 4-7 UNR route injection

In BGP traffic diversion, Router1 learns the UNR route advertised by the cleaning device and uses the
cleaning device as the next hop of the route to the Zone. Without further configuration, after cleaned
traffic is injected to Router1, Router1 forwards it back to the cleaning device according to the routing
table, creating a loop. To avoid the loop, configure a policy-based route on inbound interface GE1/0/2
of Router1 to send injected traffic to downstream Router2 for forwarding.

When BGP traffic diversion is employed, you only need to specify an IP address for the Zone whose
traffic is to be diverted in the ATIC Management center. The setting is delivered to the cleaning
device, and a UNR route is automatically generated on the cleaning device. For details on the
implementation mechanism, see 4.2.2 Configuring BGP Traffic Diversion (CLI). 4.2.3 Configuring BGP
Traffic Diversion (ATIC) describes the configuration procedure.

Configuring the Router


The following uses a Huawei NE80E as an example to describe how to configure the policy-based route
on the traffic-injection router. Routers of different versions have different configurations; the
following configuration is used only as an example for reference.

1.         Run the system-view command to access the system view.

2.         Configure the ACL to define the data flow that matches the policy-based route.

3.         Run the following commands to define a traffic classifier.

a.         Run the traffic classifier classifier-name command in the system view to define a traffic
classifier and access the traffic classifier view.

classifier-name specifies the name of a traffic classifier. It is a case-sensitive string of 1 to 31
characters.

b.         Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to match an ACL.

acl-number specifies the number of the ACL. The value is an integer.

For IPv4 packets, the value ranges from 2000 to 4099:

   A value from 2000 to 3999 indicates a basic or an advanced ACL.

   A value from 4000 to 4099 indicates an ACL based on the Layer 2 Ethernet frame
header.

For IPv6 packets, the value ranges from 2000 to 3999:

   A value from 2000 to 2999 indicates a basic ACL.

   A value from 3000 to 3999 indicates an advanced ACL.

acl-name specifies the name of a named ACL. The value is a string of 1 to 32 case-sensitive
characters without spaces. It must start with a letter (a to z or A to Z) and can contain
letters, digits, hyphens (-), and underscores (_).

4.         Run the following commands to define a traffic behavior and set its action.

a.         Run the traffic behavior behavior-name command in the system view to define a traffic
behavior and access the traffic behavior view.

behavior-name specifies the name of a traffic behavior. The value is a string of 1 to 31
characters.

b.         Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ]
command to redirect matched traffic to the next hop.

ip-address specifies the IP address of the redirected next hop.

interface-type interface-number specifies the type and number of the outbound interface. The
number is in the slot number/card number/port number format.

5.         Run the following commands to define a traffic policy and bind the behavior to the classifier in
the policy.

a.         Run the traffic policy policy-name command in the system view to define a traffic policy and
access the policy view.

policy-name specifies the name of a traffic policy. The value is a string of 1 to 31 characters.

b.         Run the classifier classifier-name behavior behavior-name [ precedence precedence ]
command to bind a behavior to the traffic classifier in the policy.

classifier-name specifies the name of a traffic classifier. It must already be defined.

behavior-name specifies the name of a traffic behavior. It must already be defined.

precedence indicates the priority of the classifier-behavior pair. The value is an integer from 1
to 255. The smaller the value, the higher the priority, and the pair is matched first. If
precedence is not specified, the system evaluates the pairs in configuration order.

6.         Run the following commands to apply the policy-based route to the interface.

a.         Run the interface interface-type interface-number command in the system view to access
the interface view.

The interface is inbound interface GE1/0/2 on traffic-injection Router1, as shown
in Figure 4-7.

b.         Run the traffic-policy policy-name inbound command to apply the policy-based route.

inbound applies the traffic policy to the inbound direction.
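The following is an added end-to-end example for the Figure 4-6/4-7 topology; it is not part of the original guide. It covers both 4.3.2 (static route injection) and 4.3.3 (UNR route injection) on the cleaning device, and the NE80E policy-based route from the steps above, which is the same in both sections. Taken from the guide: Zone 2.2.2.0/24, Router1 GE1/0/2 = 7.7.2.2, bgp-next-hop 7.7.2.2, BGP traffic diversion in use. Assumed: Router2 is reached from Router1 GE1/0/3 at 7.7.3.2, the injection link is a /30, and ACL number 3000 and the classifier, behavior and policy names are arbitrary. Lines starting with # are commentary, not commands.

```text
# --- Cleaning device, variant A: static route injection (4.3.2) ---
# The static route carries the cleaned traffic. The UNR /32 generated by the
# diversion task must stay out of the FIB so it cannot override the static route
# (item 2 of the fib-filter list in the BGP traffic diversion section).
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 7.7.2.2
[sysname] firewall ddos bgp-next-hop fib-filter
[sysname] ip route-static 2.2.2.0 255.255.255.0 7.7.2.2
#
# --- Cleaning device, variant B: UNR route injection (4.3.3) ---
# No static route and no fib-filter: the generated 2.2.2.2/32 -> 7.7.2.2 UNR route
# is installed in the FIB and itself forwards cleaned traffic to Router1 GE1/0/2.
<sysname> system-view
[sysname] firewall ddos bgp-next-hop 7.7.2.2
#
# --- Router1 (NE80E), common to both variants: loop-breaking policy-based route ---
# Everything arriving on GE1/0/2 is already cleaned. Without this policy Router1 would
# look up 2.2.2.2/32, find the BGP route learned from the cleaning device and send the
# packet back out GE1/0/1, looping it. The redirect forces it onward to Router2.
# Added example; ACL number, names and the Router2 next hop 7.7.3.2 are assumptions.
<Router1> system-view
[Router1] acl number 3000
[Router1-acl-adv-3000] rule 5 permit ip destination 2.2.2.0 0.0.0.255
[Router1-acl-adv-3000] quit
[Router1] traffic classifier cleaned-to-zone
[Router1-classifier-cleaned-to-zone] if-match acl 3000
[Router1-classifier-cleaned-to-zone] quit
[Router1] traffic behavior to-router2
[Router1-behavior-to-router2] redirect ip-nexthop 7.7.3.2 interface GigabitEthernet1/0/3
[Router1-behavior-to-router2] quit
[Router1] traffic policy inject
[Router1-trafficpolicy-inject] classifier cleaned-to-zone behavior to-router2
[Router1-trafficpolicy-inject] quit
[Router1] interface GigabitEthernet1/0/2
[Router1-GigabitEthernet1/0/2] ip address 7.7.2.2 255.255.255.252
[Router1-GigabitEthernet1/0/2] traffic-policy inject inbound
[Router1-GigabitEthernet1/0/2] quit
#
# Check for a loop while a diversion task is active: if the policy is missing or does
# not match, outbound packets on the diversion link GE1/0/1 climb roughly in step
# with inbound packets on the injection link GE1/0/2.
[Router1] display interface GigabitEthernet1/0/1
[Router1] display interface GigabitEthernet1/0/2
```

The ACL matches on the Zone prefix so that the redirect only ever touches traffic the cleaning device is responsible for; because the policy is bound inbound on GE1/0/2 alone, traffic from other interfaces is unaffected. If the ACL is widened to cover a new Zone, remember that the diversion task for that Zone must also be deliverable, otherwise cleaned traffic for it never reaches this interface in the first place.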


4.3.4. Configuring Policy-Based Route Injection

In policy-based route injection, a policy-based route is configured respectively on the cleaning device
and router, so that cleaned traffic is injected to the Zone along different links.

Implementation Mechanism
This function is configured on the Anti-DDoS.

As shown in Figure 4-8, Router1 is a traffic-diversion router. A traffic-diversion channel is established


between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1
on the cleaning device through Router1 GE1/0/1 for cleaning. After the cleaning is complete, normal
traffic is injected to the original link through the policy-based route.

   In BGP traffic diversion, Router1 learns the UNR route advertised by the cleaning device and uses the
cleaning device as the next hop of the route to the Zone. In this way, after cleaned traffic is injected
to Router1, Router1 forwards the traffic to the cleaning device according to the routing table. This
arises a loop. To avoid such a loop, configure a policy-based route on inbound interface GE1/0/2 of
Router1 to send injected traffic to downstream Router2 or Router3 for forwarding.

Assume that the traffic is diverted to the cleaning device through BGP. The procedure is as follows:

a.         Apply the policy-based route to inbound interface GE2/0/1 on the cleaning device to inject
the traffic of different Zones to Router1 GE1/0/2 and GE1/0/3 respectively.

b.         Apply the policy-based route to inbound interfaces GE1/0/2 and GE1/0/3 on Router1 to
inject traffic to downstream Router2 or Router3, and finally to the Zone1 or Zone2.

In policy-based route diversion, no loop exists between Router1 and the cleaning device. Therefore,
you only need to apply the policy-based route on the cleaning device.

Assume that the traffic is diverted to the cleaning device through the policy-based route. The
procedure is as follows:

a.         Apply the policy-based route to inbound interface GE2/0/1 on the cleaning device to inject
the traffic of different Zones to different interfaces on Router1.

b.         The injected traffic is sent to Router2 or Router3 according to the routing table after
reaching Router1. Subsequently, the traffic is issued to the Zone.

In practice, the traffic-injection router can be either Router1 or another downstream router (such as
Router2).

Figure 4-8 Policy-based route injection

As a common traffic-injection mode, policy-based route injection is generally applicable to multiple
injection interfaces and is recommended for simple configurations. However, you need to modify the
policy-based route manually whenever the topology changes. When changes are frequent and Zone IP
addresses are scattered, a large number of policy-based routes is required, which is labor-intensive and
degrades system performance. In that case, you are advised to configure MPLS traffic injection instead of
policy-based route injection.

Configuring the Cleaning Device


The following describes how to configure a policy-based route on the cleaning device to inject traffic to
different interfaces on Router1 through the policy-based route.

1.         Run the system-view command to access the system view.

2.         In the system view, create a PBR policy and access its view.

policy-based-route

3.         Create a PBR rule and access its view.

rule name rule-name

4.         Set the matching conditions of the PBR rule. Either the source security zone or incoming interface
must be specified as the matching condition. If you specify both, the latest configuration overwrites
the previous configuration. The source IP address, destination IP address, service type, application
type, and user are optional. You can select them as required.

Matching Condition: Source security zone or incoming interface
Command:
    source-zone zone-name&<1-6>
    ingress-interface { interface-type interface-number }&<1-6>
    NOTE
    Apart from physical interfaces, the Anti-DDoS supports four types of logical interface as the
    incoming interface, namely the VLANIF interface, Ethernet subinterface, Eth-Trunk interface,
    and loopback interface.
    1. When the incoming interface is set to a VLANIF interface, PBR is implemented on the
       specified VLAN.
    2. When the incoming interface is set to an Ethernet subinterface, PBR is implemented on the
       traffic of the specified subinterface.
    3. When the incoming interface is set to an Eth-Trunk interface, PBR is implemented on the
       traffic from the specified Eth-Trunk link.

Matching Condition: Source IP address
Command:
    source-address { address-set address-set-name&<1-6> | ipv4-address [ ipv4-mask-length |
    mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address
    ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address&<1-6> | isp isp-name |
    domain-set domain-set-name&<1-6> | any }

Matching Condition: Destination IP address
Command:
    destination-address { address-set address-set-name&<1-6> | ipv4-address [ ipv4-mask-length |
    mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address
    ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address&<1-6> | isp isp-name |
    domain-set domain-set-name&<1-6> | any }

Matching Condition: Service type
Command:
    service { service-name&<1-6> | any }

Matching Condition: Application type
Command:
    application { application-name&<1-6> | any }

5.         Configure the action for packets matching the conditions.

action { pbr { egress-interface interface-type interface-number &<1-2> [ next-hop ip-address &<1-2> ] |
next-hop ip-address &<1-2> | vpn-instance vpn-instance-name } | no-pbr }

NO PBR applies to certain scenarios. For example, to implement PBR on subnet 10.1.1.0/24 except
10.1.1.2, configure a rule with a higher priority to implement NO PBR on 10.1.1.2 first and then
another rule with a lower priority to implement PBR on subnet 10.1.1.0/24.

6.         Optional: Enable PBR to interwork with IP-link or BFD and enable the Anti-DDoS to determine the
validity of PBR based on IP-link or BFD status.

track { ip-link link-id | bfd-session bfd-session-id }

A PBR rule can interwork with either IP-link or BFD.

Before you enable PBR to interwork with IP-link, create IP links.

Before you enable PBR to interwork with BFD, create BFD sessions.

If IP-link or BFD is configured and detects that the next hop is unreachable, the Anti-DDoS forwards
the packet based on the route table.

Configuring the Router


The following uses Huawei NE80E as an example for describing how to configure the policy-based route
on the router to inject traffic respectively to Router2 and Router3.

1.         Run the system-view command to access the system view.

2.         Configure the ACL to define the data flow matching the policy-based route.

3.         Run the following commands to define a traffic classifier.

a.         Run the traffic classifier classifier-name command in the system view to define a traffic
classifier and access the traffic classifier view.

classifier-name specifies the name of a traffic classifier. It is a case-sensitive string of 1 to 31
characters.

b.         Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to define an ACL rule.

acl-number specifies the number of the ACL. The value is an integer.

For IPv4 packets, the value ranges from 2000 to 4099.

   A value ranging from 2000 to 3999 indicates a basic or an advanced ACL.

   A value ranging from 4000 to 4099 indicates an ACL based on the Layer-2 Ethernet frame
header.

For IPv6 packets, the value ranges from 2000 to 3999.

   A value ranging from 2000 to 2999 indicates a basic ACL.

   A value ranging from 3000 to 3999 indicates an advanced ACL.

acl-name specifies the name of a named ACL. The value is a string of 1 to 32 case-sensitive
characters and cannot contain a space. It must start with a letter from a to z or A to Z, and can
be a combination of letters, digits, hyphens (-), or underscores (_).

4.         Run the following commands to define a traffic behavior and set an action accordingly.

a.         Run the traffic behavior behavior-name command in the system view to define a traffic
behavior and access the traffic behavior view.

behavior-name specifies the name of a traffic behavior. The value is a string of 1 to 31 characters.

b.         Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ]
command to redirect to the next hop.

ip-address specifies the IP address of the redirected next hop.

interface-type interface-number specifies the type and number of the outbound interface. The
number is in the slot number/card number/port number format.

5.         Run the following commands to define a traffic policy and specify a behavior for the classifier in
the policy.

a.         Run the traffic policy policy-name command in the system view to define a traffic policy and
access the policy view.

policy-name: specifies the name of a traffic policy. The value is a string of 1 to 31 characters.

b.         Run the classifier classifier-name behavior behavior-name [ precedence precedence ]
command to specify a behavior for the traffic classifier in the policy.

classifier-name specifies the name of a traffic classifier. It must be already defined.

behavior-name specifies the name of a traffic behavior. It must be already defined.

precedence indicates the priority of the associated traffic classifier and behavior. The value is
an integer ranging from 1 to 255. The smaller the precedence value, the higher the priority. The
associated traffic classifier and behavior are preferentially processed. If precedence is not
specified, the system searches for the association according to the configured sequence.

6.         Run the following commands to apply the policy-based route to the interface.

a.         Run the interface interface-type interface-number command in the system view to access
the interface view.

The interfaces are inbound interfaces GE1/0/2 and GE1/0/3 on traffic-injection Router1, as shown in
Figure 7-8.

b.         Run the traffic-policy policy-name inbound command to apply the policy-based route.

inbound applies the traffic policy to the inbound direction.
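The two PBR procedures above (cleaning device, then Router1) assembled into one configuration. This is an added example, not taken from the guide: Zone1 is taken to be the 10.1.1.0/24 subnet from the NO PBR example above, with 10.1.1.2 as the excepted host; Zone2 (10.1.2.0/24), the cleaning device's injection interfaces GE2/0/2 and GE2/0/3, all next-hop addresses, ACL numbers and classifier, behavior and policy names are assumptions.

```text
# ---- Anti-DDoS cleaning device (added example; all values constructed) ----
# Zone1 = 10.1.1.0/24, Zone2 = 10.1.2.0/24.
# GE2/0/2 -> Router1 GE1/0/2 (next hop 10.1.12.1); GE2/0/3 -> Router1 GE1/0/3 (next hop 10.1.13.1).
system-view
 policy-based-route
  # Rules are matched in configuration order, so the NO PBR exception for the single
  # host 10.1.1.2 is created before the Zone1 rule that covers its whole subnet.
  rule name zone1_exception
   ingress-interface GigabitEthernet 2/0/1
   destination-address 10.1.1.2 32
   action no-pbr
   quit
  rule name inject_zone1
   ingress-interface GigabitEthernet 2/0/1
   destination-address 10.1.1.0 24
   action pbr egress-interface GigabitEthernet 2/0/2 next-hop 10.1.12.1
   quit
  rule name inject_zone2
   ingress-interface GigabitEthernet 2/0/1
   destination-address 10.1.2.0 24
   action pbr egress-interface GigabitEthernet 2/0/3 next-hop 10.1.13.1
   quit
  quit

# ---- Router1 (NE80E, added example; all values constructed) ----
# Traffic arriving from the cleaning device on GE1/0/2 or GE1/0/3 is redirected to
# Router2 (10.1.24.2) or Router3 (10.1.34.3) before the routing table is consulted;
# that table still holds the BGP-learned diversion route pointing back at the
# cleaning device, which is what would otherwise cause the loop.
system-view
 acl number 3001
  rule 5 permit ip destination 10.1.1.0 0.0.0.255
  quit
 acl number 3002
  rule 5 permit ip destination 10.1.2.0 0.0.0.255
  quit
 traffic classifier c_zone1
  if-match acl 3001
  quit
 traffic classifier c_zone2
  if-match acl 3002
  quit
 traffic behavior b_to_router2
  redirect ip-nexthop 10.1.24.2
  quit
 traffic behavior b_to_router3
  redirect ip-nexthop 10.1.34.3
  quit
 traffic policy p_inject
  classifier c_zone1 behavior b_to_router2 precedence 5
  classifier c_zone2 behavior b_to_router3 precedence 10
  quit
 interface GigabitEthernet 1/0/2
  traffic-policy p_inject inbound
  quit
 interface GigabitEthernet 1/0/3
  traffic-policy p_inject inbound
  quit
```

Because both ACLs match on destination only, the same policy can be applied to both inbound interfaces; the excepted host 10.1.1.2 leaves the cleaning device by its routing table and is still redirected on Router1 once it matches ACL 3001.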

4.3.5 Configuring GRE Traffic Injection

In GRE traffic injection, a tunnel is established between the cleaning device and the traffic-injection
router to directly issue the traffic to the router and finally to the Zone.

Implementation Mechanism
This function is configured on the Anti-DDoS.
As shown in Figure 4-9, Router1 is a traffic-diversion router. A traffic-diversion channel is established
between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1
through Router1 GE1/0/1 for cleaning.

Router2 is a traffic-injection router. A GRE tunnel is established between the cleaning device and
Router2. Tunnel interfaces are created on both, and the source and destination IP addresses of the
tunnel interfaces are specified. The source IP address of the tunnel interface is the IP address of the
actual interface that sends the packets, and the destination IP address is the IP address of the actual
interface that receives them. Cleaned traffic is forwarded to Router2 over the GRE tunnel and finally
to the Zone.

The source IP address and destination IP address must be routable.

In practice, the traffic-injection router can be either Router2 or another downstream router.

Figure 6-9 GRE traffic injection

In the BGP traffic-diversion scenario, GRE traffic injection directly issues injected traffic to the
downstream router that cannot learn the traffic-diversion route, avoiding loops.

Because GRE traffic injection requires only GRE and basic route forwarding on the router, it is
applicable to scenarios with few traffic-injection routers. Where multiple GRE tunnels need to be
established between the cleaning device and traffic-injection routers, you are advised to configure
dynamic route injection, because configuring the static routes is complex.

1. Traffic injection is applied unidirectionally to post-cleaning traffic. Therefore, it does not support
the TCP proxy.
2. When you configure GRE injection, do not configure the keepalive command at both ends of the
tunnel.

Configuring the Cleaning Device


The following describes how to configure a GRE tunnel on the cleaning device to issue cleaned traffic to
the traffic-injection router over the GRE tunnel.

1.         Run the system-view command in the user view to access the system view.

2.         Run the interface tunnel tunnel-number command to create a tunnel interface and access the
tunnel interface view.

3.         Run the tunnel-protocol gre command to set the encapsulation mode of the tunnel interface to
GRE.

4.         Run the source { interface-type interface-number | source-ip-address } command to set the
source IP address of the tunnel interface.

The value can be the name or IP address of an interface. If the interface name is employed, the
value can be GigabitEthernet, POS, Eth-Trunk, or IP-Trunk.

If the interface IP address is specified, it can be either the IP address of the traffic-injection interface
or the loopback address of the cleaning device.

5.         Run the destination dest-ip-address command to set the destination IP address of the tunnel
interface.

The destination IP address of the tunnel interface must be different from its source IP address.

The specified destination IP address is the IP address of the interface on Router2.


6.         Run the ip address ip-address { mask | mask-length } command to set the IP address of the
tunnel interface.

The IP address of the tunnel interface can be any IP address. When the route that directs packets
to the tunnel interface is generated by a dynamic routing protocol, the IP addresses of the tunnel
interfaces at both ends of the GRE tunnel must reside on the same network segment.

7.         Run the firewall zone [ name ] zone-name command in the system view to access the security
zone view.

8.         Run the add interface tunnel tunnel-number command to add the tunnel interface to the security
zone.

The tunnel interface can be added to any security zone. When the tunnel interface and the
interface to which the source IP address belongs are not in the same security zone, configure
interzone packet filtering to enable communication between two security zones.

9.         Run the following command to configure policy-based routing (PBR).

policy-based-route
rule name rule-name
ingress-interface { interface-type interface-number }
destination-address { ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length }
action pbr egress-interface interface-type interface-number

Configure PBR on the cleaning device to send the cleaned traffic to the tunnel interface for
forwarding. In this way, cleaned traffic enters the GRE tunnel and is forwarded to the correct
GRE tunnel destination.

Configuring the Router


The following uses Huawei NE80E as an example for describing how to configure the router in GRE traffic
injection.

1.         Run the system-view command in the user view to access the system view.

2.         Run the interface tunnel tunnel-number command to create a tunnel interface and access the
tunnel interface view.

3.         Run the tunnel-protocol gre command to set the encapsulation mode of the tunnel interface to
GRE.

4.         Run the source { source-ip-address | loopback interface-number } command to set the source IP
address or source interface of the tunnel interface.

5.         Run the destination dest-ip-address command to set the destination IP address of the tunnel
interface.

The destination IP address of the tunnel interface must be different from its source IP address.

The specified destination IP address is the IP address of the traffic-injection interface on the
cleaning device, or the loopback address of the cleaning device.

6.         Run the ip address ip-address { mask | mask-length } command to set the IP address of the
tunnel interface.

The IP address of the tunnel interface can be any IP address. When the route that directs packets
to the tunnel interface is generated by a dynamic routing protocol, the IP addresses of the tunnel
interfaces at both ends of the GRE tunnel must reside on the same network segment.
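The GRE procedures above (cleaning device, then Router2) as one configuration. This is an added example, not taken from the guide: the cleaning device's sending interface GE2/0/2 (10.1.12.2), its security zone name untrust, the Router2 receiving address 10.2.2.1, the tunnel addresses 172.16.1.0/30, the Zone prefix 10.1.1.0/24 and the tunnel and rule numbers are assumptions.

```text
# ---- Anti-DDoS cleaning device (added example; all values constructed) ----
# 10.1.12.2 is the address of GE2/0/2, the actual interface that sends the GRE packets;
# 10.2.2.1 is the interface on Router2 that receives them. Both must be routable.
system-view
 interface Tunnel 1
  tunnel-protocol gre
  source 10.1.12.2
  destination 10.2.2.1
  ip address 172.16.1.1 255.255.255.252
  quit
 # The tunnel is placed in the same zone as GE2/0/2 (assumed to be untrust); if it were in
 # a different zone, interzone packet filtering between the two zones would also be needed.
 firewall zone untrust
  add interface Tunnel 1
  quit
 # Steer cleaned traffic for the Zone into the tunnel instead of the routing table.
 policy-based-route
  rule name gre_inject_zone1
   ingress-interface GigabitEthernet 2/0/1
   destination-address 10.1.1.0 24
   action pbr egress-interface Tunnel 1
   quit
  quit
 # Per note 2 above, no keepalive command is configured on either end of the tunnel.

# ---- Router2 (NE80E, added example; all values constructed) ----
# Source and destination are the mirror image of the cleaning device's tunnel.
system-view
 interface Tunnel 1
  tunnel-protocol gre
  source 10.2.2.1
  destination 10.1.12.2
  ip address 172.16.1.2 255.255.255.252
  quit
 # Check: the tunnel interface should be up with the expected source and destination.
 display interface Tunnel 1
```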

4.3.6 Configuring MPLS LSP Traffic Injection

In Multiprotocol Label Switching (MPLS) Label Switched Path (LSP) traffic injection, MPLS LSP is
established between the cleaning device and the traffic-injection router. Thereby, cleaned traffic is
tagged with single-layer labels and is finally forwarded to the Zone.

Implementation Mechanism
This function is configured on the Anti-DDoS.

As shown in Figure 4-10, Router1 is a traffic-diversion router. A traffic-diversion channel is established
between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1
through Router1 GE1/0/1 for cleaning.

MPLS and LDP are configured on the cleaning device, Router1, and Router2, MPLS labels are assigned, and
an MPLS LSP is established. Cleaned traffic is then tagged with a single-layer label on the cleaning
device and injected to the original link along the pre-established LSP, so it bypasses the
traffic-diversion route advertised by the cleaning device.

In practice, the traffic-injection router can be either Router2 or another downstream router.

Figure 6-10 MPLS LSP traffic injection

In the BGP traffic-diversion scenario, MPLS LSP traffic injection can evade the traffic-diversion route to
directly issue injected traffic to the downstream router that cannot learn the traffic-diversion route,
avoiding loops.

As a typical dynamic traffic-injection mode, MPLS LSP traffic injection delivers flexible applications
and sound scalability, but requires the routers to support MPLS.

Configuring the Cleaning Device


Step 1     Set the IP address of the interface on the cleaning device and the loopback address serving as
the LSR ID. Use OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.

Step 2     Configure basic MPLS functions.

1.         Run the system-view command in the user view to access the system view.

2.         Run the mpls lsr-id lsr-id command to set an LSR ID.

lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

Setting the LSR ID is a prerequisite for configuring other MPLS commands.

No default LSR ID is available. You are advised to use the IP address of the loopback interface of the
LSR as the LSR ID.

To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS
configurations.

3.         Run the mpls command to enable global MPLS and access the MPLS view.

4.         Run the quit command to return to the system view.

5.         Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.

6.         Run the quit command to return to the system view.

7.         Run the interface interface-type { interface-number | interface-number.subinterface-number }
command to access the interface view.

The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or a subinterface of 10GE,
GigabitEthernet, or Eth-Trunk. However, it cannot be GigabitEthernet 0/0/0 on the MPU.

The interface is the traffic-injection interface on the cleaning device.

8.         Run the mpls command to enable interface-based MPLS.

9.         Run the mpls ldp command to enable interface-based LDP.

10.      Run the quit command to return to the system view.

Step 3     Configure a policy for establishing an LSP.

1.         Run the mpls command to access the MPLS view.

2.         Run the lsp-trigger all command to configure a policy for establishing an LSP.

3.         Run the quit command to return to the system view.

----End

Configuring Router1
The following uses Huawei NE80E as an example for describing how to configure Router1 in MPLS LSP
traffic injection.

Step 1     Set the IP address of the Router1 interface and the loopback address serving as the LSR ID.
Use OSPF to advertise the network segment connected to each interface and the host route of the
LSR ID.

Step 2     Configure basic MPLS functions.

1.         Run the system-view command in the user view to access the system view.

2.         Run the mpls lsr-id lsr-id command to set an LSR ID.

lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

Setting the LSR ID is a prerequisite for configuring other MPLS commands.

No default LSR ID is available. You are advised to use the IP address of the loopback interface of the
LSR as the LSR ID.

To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS
configurations.

3.         Run the mpls command to enable global MPLS and access the MPLS view.

4.         Run the quit command to return to the system view.

5.         Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.

6.         Run the quit command to return to the system view.

7.         Run the interface interface-type { interface-number | interface-number.subinterface-number }
command to access the interface view.

The interfaces are inbound interface GE1/0/2 and outbound interface GE1/0/3.

8.         Run the mpls command to enable interface-based MPLS.

9.         Run the mpls ldp command to enable interface-based LDP.

10.      Run the quit command to return to the system view.

----End

Configuring Router2
The following uses Huawei NE80E as an example for describing how to configure Router2 in MPLS LSP
traffic injection.

Step 1     Set the IP address of the Router2 interface and the loopback address serving as the LSR ID.
Use OSPF to advertise the network segment connected to each interface and the host route of the
LSR ID.

Step 2     Configure basic MPLS functions.

1.         Run the system-view command in the user view to access the system view.

2.         Run the mpls lsr-id lsr-id command to set an LSR ID.

lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

Setting the LSR ID is a prerequisite for configuring other MPLS commands.

No default LSR ID is available. You are advised to use the IP address of the loopback interface of the
LSR as the LSR ID.

To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS
configurations.

3.         Run the mpls command to enable global MPLS and access the MPLS view.

4.         Run the quit command to return to the system view.

5.         Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.

6.         Run the quit command to return to the system view.

7.         Run the interface interface-type { interface-number | interface-number.subinterface-number }
command to access the interface view.

The interface is GE1/0/1, the inbound interface of injected traffic.

8.         Run the mpls command to enable interface-based MPLS.

9.         Run the mpls ldp command to enable interface-based LDP.

10.      Run the quit command to return to the system view.

Step 3     Configure a policy for establishing an LSP.

1.         Run the mpls command to access the MPLS view.

2.         Run the lsp-trigger all command to configure a policy for establishing an LSP.

3.         Run the quit command to return to the system view.

----End
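The three MPLS LSP procedures above (cleaning device, Router1, Router2) as one configuration, including the OSPF advertisement of loopback and link addresses that Step 1 leaves to the reader. This is an added example, not taken from the guide: the LSR IDs 10.255.0.1/2/3, the /30 link addresses and the OSPF process number are assumptions. Once the LSP is up, injected packets carry a label and follow it hop by hop, so Router1 never performs the IP lookup that would return them to the cleaning device.

```text
# LSR IDs (constructed): cleaning device 10.255.0.1, Router1 10.255.0.2, Router2 10.255.0.3
# Links (constructed): cleaning GE2/0/2 10.1.12.2/30 -- 10.1.12.1/30 Router1 GE1/0/2
#                      Router1 GE1/0/3 10.1.23.1/30 -- 10.1.23.2/30 Router2 GE1/0/1

# ---- Anti-DDoS cleaning device (ingress LSR) ----
system-view
 interface LoopBack 0
  ip address 10.255.0.1 32
  quit
 interface GigabitEthernet 2/0/2
  ip address 10.1.12.2 30
  quit
 ospf 1
  area 0
   network 10.255.0.1 0.0.0.0
   network 10.1.12.0 0.0.0.3
   quit
  quit
 mpls lsr-id 10.255.0.1
 mpls
  lsp-trigger all
  quit
 mpls ldp
  quit
 interface GigabitEthernet 2/0/2
  mpls
  mpls ldp
  quit

# ---- Router1 (NE80E, transit LSR) ----
system-view
 interface LoopBack 0
  ip address 10.255.0.2 32
  quit
 interface GigabitEthernet 1/0/2
  ip address 10.1.12.1 30
  quit
 interface GigabitEthernet 1/0/3
  ip address 10.1.23.1 30
  quit
 ospf 1
  area 0
   network 10.255.0.2 0.0.0.0
   network 10.1.12.0 0.0.0.3
   network 10.1.23.0 0.0.0.3
   quit
  quit
 mpls lsr-id 10.255.0.2
 mpls
  quit
 mpls ldp
  quit
 interface GigabitEthernet 1/0/2
  mpls
  mpls ldp
  quit
 interface GigabitEthernet 1/0/3
  mpls
  mpls ldp
  quit

# ---- Router2 (NE80E, egress LSR) ----
system-view
 interface LoopBack 0
  ip address 10.255.0.3 32
  quit
 interface GigabitEthernet 1/0/1
  ip address 10.1.23.2 30
  quit
 ospf 1
  area 0
   network 10.255.0.3 0.0.0.0
   network 10.1.23.0 0.0.0.3
   quit
  quit
 mpls lsr-id 10.255.0.3
 mpls
  lsp-trigger all
  quit
 mpls ldp
  quit
 interface GigabitEthernet 1/0/1
  mpls
  mpls ldp
  quit
 # Check on any of the three: an operational LDP session per neighbour, and LSPs
 # toward the Zone prefixes and the loopbacks.
 display mpls ldp session
 display mpls lsp
```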

4.3.7 Configuring MPLS VPN Traffic Injection

In MPLS VPN traffic injection, a Layer-3 MPLS VPN is established between the cleaning device and the
traffic-injection router. Thereby, cleaned traffic is injected to the original link and is finally sent to the
Zone.

Implementation Mechanism
This function is configured on the Anti-DDoS.

As shown in Figure 4-11, Router1 is a traffic-diversion router. A traffic-diversion channel is established
between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1
through Router1 GE1/0/1 for cleaning.

A Layer-3 MPLS VPN is established between the cleaning device and Router2. The cleaning device acts as
an ingress Provider Edge (PE) device, Router1 as a P device, and Router2 as an egress PE device. Cleaned
traffic is injected through GE2/0/2 to GE1/0/1 on Router2 along the dynamically established Label
Switched Path (LSP). Cleaned traffic is tagged with two layers of labels and outer labels are stripped after
the traffic passes through Router1. Then Router2 searches the corresponding private routing table
based on inner private labels to forward the traffic to the Zone.

In practice, the traffic-injection router can be either Router2 or another downstream router.

Figure 4-11 MPLS VPN traffic injection

In the BGP traffic-diversion scenario, MPLS VPN traffic injection directly issues injected traffic to the
downstream router that cannot learn the traffic-diversion route, avoiding loops.

As a typical dynamic traffic-injection mode, MPLS VPN traffic injection delivers flexible applications
and sound scalability, but requires the routers to support MPLS.

Configuring the Cleaning Device


Step 1     Set the IP address of the interface on the cleaning device and the loopback address serving as
the LSR ID. Use OSPF to advertise the network segment connected to each interface and the host route
of the LSR ID.

Step 2     Configure basic MPLS functions.

1.         Run the system-view command in the user view to access the system view.

2.         Run the mpls lsr-id lsr-id command to set an LSR ID.

lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

Setting the LSR ID is a prerequisite for configuring other MPLS commands.

No default LSR ID is available. You are advised to use the IP address of the loopback interface of the
LSR as the LSR ID.

To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS
configurations.

3.         Run the mpls command to enable global MPLS and access the MPLS view.

4.         Run the quit command to return to the system view.

5.         Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.

6.         Run the quit command to return to the system view.

7.         Run the interface interface-type { interface-number | interface-number.subinterface-number }
command to access the interface view.

The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or a subinterface of 10GE,
GigabitEthernet, or Eth-Trunk. However, it cannot be GigabitEthernet 0/0/0 on the MPU.

The interface is GE2/0/2 on the cleaning device.

8.         Run the mpls command to enable interface-based MPLS.

9.         Run the mpls ldp command to enable interface-based LDP.

10.      Run the quit command to return to the system view.

Step 3     Configure a VPN instance.

1.         Run the ip vpn-instance vpn-instance-name command to create a VPN instance and access the
corresponding view.

2.         Run the route-distinguisher route-distinguisher command to configure the RD of the VPN instance.

The VPN instance takes effect only after an RD is specified for it. Before setting the RD, you cannot
configure any parameter except the description.

3.         Run the vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
command to create a VPN-target extended community for the VPN instance.

VPN Target is an attribute of the BGP extended community and controls the receiving and advertising
of VPN routes. You can configure a maximum of eight VPN targets at a time by running the vpn-target
command. A VPN instance can be configured with a maximum of 16 VPN targets.

4.         Run the interface interface-type { interface-number | interface-number.subinterface-number }
command to access the interface view.

The interface type can be 10GE, GigabitEthernet, POS, Eth-Trunk, IP-Trunk, or a subinterface of 10GE,
GigabitEthernet, or Eth-Trunk. However, it cannot be GigabitEthernet 0/0/0 on the MPU.

The interface is GE2/0/1 on the cleaning device.

5.         Run the ip binding vpn-instance vpn-instance-name command to bind the interface to the VPN
instance.

After the ip binding vpn-instance command is configured, Layer-3 settings such as the IP address and
routing protocol configured on the interface are deleted. Reconfigure them if required.

6.         Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP address of
the interface.

7.         Run the quit command to return to the system view.

Step 4     Configure MP-IBGP between the PE devices.

1.         Run the interface loopback number command to create a loopback interface.

The value of number ranges from 0 to 1023.

2.         Run the ip address ip-address { mask | mask-length } [ sub ] command to set the IP address of
the loopback interface.

3.         Run the quit command to return to the system view.

4.         Run the bgp as-number command to access the BGP view.

as-number specifies an AS number. The value ranges from 1 to 65,535.

5.         Run the peer peer-address as-number as-number command to set the remote PE device as the
peer.

peer-address specifies the IP address of the peer.

6.         Run the peer peer-address connect-interface loopback interface-number command to specify
the interface for establishing the TCP connection.

The MP-IBGP peer relationship between PE devices must be established through the 32-bit IP address
of the loopback interface. This avoids route failures caused by route aggregation. The route to the
loopback interface is advertised to the peer PE device by the IGP on the MPLS backbone network.

7.         Run the ipv4-family vpnv4 [ unicast ] command to access the BGP-VPNv4 sub-address family
view.

8.         Run the peer peer-address enable command to enable VPN-IPv4 route exchange.

Step 5     Configure a route between the PE device and the Customer Edge (CE) device.

In practice, configure EBGP, a static route, RIP, or OSPF between the PE device and the CE device.

----End
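The cleaning-device PE procedure above, with the matching egress PE configuration on Router2 so that the MP-IBGP session and the VPNv4 route exchange are complete. This is an added example, not taken from the guide: AS 65000, RD and VPN target 65000:1, the VPN instance name inject_vpn, the LSR IDs 10.255.0.1 (cleaning device) and 10.255.0.3 (Router2), the Zone subnet 10.1.1.0/24 behind Router2 GE1/0/2, and the use of import-route direct as a stand-in for the PE-CE routing of Step 5 are assumptions. Router1 only needs the plain P-device MPLS/LDP configuration and is not repeated here.

```text
# ---- Anti-DDoS cleaning device (ingress PE; added example, all values constructed) ----
# OSPF already advertises the /32 loopbacks and link subnets as in the MPLS LSP case.
system-view
 interface LoopBack 0
  ip address 10.255.0.1 32
  quit
 mpls lsr-id 10.255.0.1
 mpls
  quit
 mpls ldp
  quit
 interface GigabitEthernet 2/0/2
  mpls
  mpls ldp
  quit
 ip vpn-instance inject_vpn
  route-distinguisher 65000:1
  vpn-target 65000:1 both
  quit
 # Binding wipes the interface's Layer-3 settings, so the address is set again afterwards.
 interface GigabitEthernet 2/0/1
  ip binding vpn-instance inject_vpn
  ip address 10.1.11.2 30
  quit
 bgp 65000
  peer 10.255.0.3 as-number 65000
  peer 10.255.0.3 connect-interface LoopBack 0
  ipv4-family vpnv4
   peer 10.255.0.3 enable
   quit
  quit

# ---- Router2 (NE80E, egress PE; added example, all values constructed) ----
system-view
 interface LoopBack 0
  ip address 10.255.0.3 32
  quit
 mpls lsr-id 10.255.0.3
 mpls
  quit
 mpls ldp
  quit
 interface GigabitEthernet 1/0/1
  mpls
  mpls ldp
  quit
 # Same RD/RT as on the cleaning device so the two VRFs exchange routes.
 ip vpn-instance inject_vpn
  route-distinguisher 65000:1
  vpn-target 65000:1 both
  quit
 # GE1/0/2 faces the Zone network 10.1.1.0/24.
 interface GigabitEthernet 1/0/2
  ip binding vpn-instance inject_vpn
  ip address 10.1.1.1 24
  quit
 bgp 65000
  peer 10.255.0.1 as-number 65000
  peer 10.255.0.1 connect-interface LoopBack 0
  ipv4-family vpnv4
   peer 10.255.0.1 enable
   quit
  # Stand-in for Step 5: the directly connected Zone subnet is imported into the VPN
  # so it is advertised to the cleaning device as a VPNv4 route with an inner label.
  ipv4-family vpn-instance inject_vpn
   import-route direct
   quit
  quit
 # Check: the VPNv4 peer is Established; on the cleaning device, the Zone prefix then
 # appears in 'display ip routing-table vpn-instance inject_vpn'.
 display bgp vpnv4 all peer
```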

Configuring Router1
The following uses Huawei NE80E as an example for describing how to configure Router1 in MPLS VPN
traffic injection.

Step 1     Set the IP address of the Router1 interface and the loopback address serving as the LSR ID.
Use OSPF to advertise the network segment connected to each interface and the host route of the
LSR ID.

Step 2     Configure basic MPLS functions.

1.         Run the system-view command in the user view to access the system view.

2.         Run the mpls lsr-id lsr-id command to set an LSR ID.

lsr-id specifies an LSR ID, in dotted decimal notation. It is used for identifying an LSR.

Setting the LSR ID is a prerequisite for configuring other MPLS commands.

No default LSR ID is available. You are advised to use the IP address of the loopback interface of the
LSR as the LSR ID.

To modify the specified LSR ID, run the undo mpls command in the system view to delete all MPLS
configurations.

3.         Run the mpls command to enable global MPLS and access the MPLS view.

4.         Run the quit command to return to the system view.

5.         Run the mpls ldp command to enable global LDP and access the MPLS-LDP view.

6.         Run the quit command to return to the system view.

7.         Run the interface interface-type { interface-number | interface-number.subinterface-number }
command to access the interface view.

The interfaces are inbound interface GE1/0/2 and outbound interface GE1/0/3.

8.         Run the mpls command to enable interface-based MPLS.

9.         Run the mpls ldp command to enable interface-based LDP.

10.      Run the quit command to return to the system view.

----End

Configuring Router2
The following uses Huawei NE80E as an example for describing how to configure
Router2 in MPLS VPN traffic injection.
                               Step 1     Set the IP address of the Router2 interface and loopback address serving as
the LSR ID. Use OSPF to notify the network segment connected to each interface and
the host route of the LSR ID.
                               Step 2     Configure basic MPLS functions.
1.         Run the system-view command in the user view to access the system view.
2.         Run the mpls lsr-id lsr-id command to set an LSR ID.
lsr-id specifies the LSR ID in dotted decimal notation; it identifies the LSR.
Setting the LSR ID is a prerequisite for all other MPLS commands. There is no
default LSR ID. You are advised to use the IP address of the loopback interface
of the LSR as the LSR ID.
To change an LSR ID that has already been set, first run the undo mpls command
in the system view. Note that this deletes all MPLS configurations.
3.         Run the mpls command to enable global MPLS and access the MPLS view.
4.         Run the quit command to return to the system view.
5.         Run the mpls ldp command to enable global LDP and access the MPLS-LDP
view.
6.         Run the quit command to return to the system view.
7.         Run the interface interface-type { interface-number | interface-
number.subinterface-number } command to access the interface view.
The interface is GE1/0/1, the inbound interface for injected traffic.
8.         Run the mpls command to enable interface-based MPLS.
9.         Run the mpls ldp command to enable interface-based LDP.
10.      Run the quit command to return to the system view.
                               Step 3     Configure a VPN instance.
1.         Run the ip vpn-instance vpn-instance-name command to create a VPN
instance and access the corresponding view.
2.         Run the route-distinguisher route-distinguisher command to configure the RD
of the VPN instance.
A VPN instance takes effect only after an RD is specified. Before the RD is set,
no parameter other than the description can be configured.
3.         Run the vpn-target vpn-target &<1-8> [ both | export-
extcommunity | import-extcommunity ] command to create a VPN-target
extended community for the VPN instance.
A VPN target is a BGP extended community attribute that controls the receiving
and advertising of VPN routes. One vpn-target command can configure a maximum of
eight VPN targets, and a VPN instance can hold a maximum of 16 VPN targets.
4.         Run the interface interface-type { interface-number | interface-
number.subinterface-number } command to access the interface view.
This is the interface through which Router2 connects to the Zone network, that
is, GE1/0/2 of Router2 in Figure 7-11.
5.         Run the ip binding vpn-instance vpn-instance-name command to bind the
interface to the VPN instance.
 
Binding an interface to a VPN instance with ip binding vpn-instance removes its Layer 3
configuration, including the IP address and any routing protocol settings. Reconfigure them
afterwards as required.
6.         Run the quit command to return to the system view.
                               Step 4     Configure MP-IBGP between PE devices.
1.         Run the interface loopback number command to create a loopback interface.
The value of number ranges from 0 to 1023.
2.         Run the ip address ip-address { mask | mask-length } [ sub ] command to set
the IP address of the loopback interface.
3.         Run the quit command to return to the system view.
4.         Run the bgp as-number command to access the BGP view.
5.         Run the peer peer-address as-number as-number command to configure the remote
PE device as a BGP peer.
6.         Run the peer peer-address connect-interface loopback interface-
number command to specify the interface used for establishing the TCP connection.
The MP-IBGP peer relationship between PE devices must be established through the
32-bit IP address of the loopback interface. This avoids route failure caused by
route aggregation. The route to the loopback interface is advertised to the peer PE
device by the IGP running on the MPLS backbone network.
7.         Run the ipv4-family vpnv4 [ unicast ] command to access the BGP-VPNv4
subaddress family view.
8.         Run the peer peer-address enable command to enable VPN-IPv4 route
exchange.
                               Step 5     Configure a route between the PE device and the CE device.
In practice, configure EBGP, static route, RIP, or OSPF between the PE device and the
CE device.
----End
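The Router2 procedure above, Steps 2 to 4, as a worked example. This is an added example written for this page, not code from the Huawei guide; it generates the command sequence the steps describe and enforces the constraints the guide states (LSR ID before any other MPLS command, RD before any other VPN-instance parameter, at most 8 VPN targets per vpn-target command and 16 per instance, loopback numbers 0 to 1023, and an IBGP peer reached through a 32-bit loopback). All interface names, addresses and numbers are constructed sample values.

```python
"""Router2 (PE) configuration generator for MPLS VPN traffic injection.

Added example, not code from the guide or from Huawei. It emits the command
sequence of Steps 2 to 4 above and enforces the constraints the guide states.
All names and addresses are constructed sample values.
"""
import ipaddress

MAX_TARGETS_PER_CMD = 8        # vpn-target accepts &<1-8> targets per command
MAX_TARGETS_PER_INSTANCE = 16  # a VPN instance holds at most 16 VPN targets


def _ipv4(addr):
    """Reject anything that is not a plain dotted-decimal IPv4 address."""
    return str(ipaddress.IPv4Address(addr))


def mpls_ldp_block(lsr_id, interfaces):
    """Step 2: LSR ID first (a prerequisite for every other MPLS command),
    then global MPLS and LDP, then MPLS and LDP on each listed interface."""
    lines = ["system-view", f"mpls lsr-id {_ipv4(lsr_id)}",
             "mpls", "quit", "mpls ldp", "quit"]
    for ifname in interfaces:
        lines += [f"interface {ifname}", "mpls", "mpls ldp", "quit"]
    return lines


def vpn_instance_block(name, rd, targets, zone_if, zone_if_addr, zone_if_mask):
    """Step 3: VPN instance with RD and VPN targets, bound to the Zone-facing
    interface. The RD is mandatory before any other instance parameter."""
    if not rd:
        raise ValueError("route-distinguisher must be set before other parameters")
    if not 1 <= len(targets) <= MAX_TARGETS_PER_INSTANCE:
        raise ValueError(f"1 to {MAX_TARGETS_PER_INSTANCE} VPN targets per instance")
    lines = [f"ip vpn-instance {name}", f"route-distinguisher {rd}"]
    # The guide allows up to 8 targets per vpn-target command; split longer lists.
    for i in range(0, len(targets), MAX_TARGETS_PER_CMD):
        lines.append("vpn-target " + " ".join(targets[i:i + MAX_TARGETS_PER_CMD]) + " both")
    lines += ["quit", f"interface {zone_if}", f"ip binding vpn-instance {name}",
              # Binding deletes the interface's Layer 3 settings (guide note),
              # so the address is re-applied after the binding.
              f"ip address {_ipv4(zone_if_addr)} {zone_if_mask}", "quit"]
    return lines


def mp_ibgp_block(loopback_no, loopback_addr, local_as, peer_addr):
    """Step 4: 32-bit loopback, IBGP peer reached through it, VPNv4 family."""
    if not 0 <= loopback_no <= 1023:
        raise ValueError("loopback number must be in 0-1023")
    peer = _ipv4(peer_addr)
    return [f"interface loopback {loopback_no}",
            f"ip address {_ipv4(loopback_addr)} 32", "quit",
            f"bgp {local_as}",
            f"peer {peer} as-number {local_as}",          # IBGP: same AS on both PEs
            f"peer {peer} connect-interface loopback {loopback_no}",
            "ipv4-family vpnv4 unicast",
            f"peer {peer} enable"]


def router2_config(lsr_id, inject_if, vpn, rd, targets, zone_if, zone_addr,
                   zone_mask, loopback_no, local_as, peer_addr):
    """Full Router2 configuration; the LSR ID is the loopback address, as advised."""
    lines = (mpls_ldp_block(lsr_id, [inject_if])
             + vpn_instance_block(vpn, rd, targets, zone_if, zone_addr, zone_mask)
             + mp_ibgp_block(loopback_no, lsr_id, local_as, peer_addr))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: injected traffic arrives on GE1/0/1 and is
    # handed to the Zone network on GE1/0/2.
    print(router2_config("10.0.0.2", "GigabitEthernet1/0/1", "vpn_inject",
                         "100:1", ["100:1"], "GigabitEthernet1/0/2",
                         "192.168.20.1", "255.255.255.0", 0, 100, "10.0.0.1"))
```

The generator deliberately places the interface address after ip binding vpn-instance, because the binding wipes the Layer 3 configuration; emitting the address first would silently produce an interface with no IP address.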

4.4 Configuring the Loop Check Function


After policies for traffic diversion and injection are configured and before traffic is diverted, enable the
loop check function on the cleaning device to check the route for traffic diversion and injection.

Context
This function is configured on the Anti-DDoS.

Traffic diversion and injection require changes to the original routes on the network. In a
complex network, an incorrectly configured route creates a loop, and normal services are affected.
To detect such a route fault promptly, you are advised to enable the loop check function with the
following command in practice.

After the function is enabled, the system checks whether received packets are repeated. A repeated
packet indicates a loop. Once the loop count for a destination IP address exceeds the configured
value, the system automatically withdraws the traffic-diversion route to that destination IP address.

By default, the function is disabled.

Procedure
                               Step 1     Run the system-view command in the user view to access the system view.
                               Step 2     Run the anti-ddos loop-check [ match-time match-times ] command to configure the
loop check function.
match-times specifies how many times a looped packet may be matched. When the count
exceeds match-times, the system withdraws the traffic-diversion route for that destination
IP address. The default is 4, so the route is withdrawn on the fifth match of a looped
packet.
After the check is complete, run the undo anti-ddos loop-check command to disable the
loop check function.
----End
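The loop check described above, as an added example written for this page rather than code from the guide or from Huawei. A looped diversion route returns the same packet to the cleaning device over and over; the check counts repeated sightings of an identical packet per diverted destination and withdraws the diversion route once the count exceeds match-times. Two choices are this example's own assumptions, not statements of the guide: the first arrival of a packet is treated as the original and only later arrivals count as matches, and packet identity excludes the TTL, which changes on every pass through the loop. Packets are constructed.

```python
"""Loop check simulation for traffic diversion.

Added example, not code from the guide or from Huawei. Counts repeated
sightings of the same packet per diverted destination and withdraws the
diversion route once the count exceeds match-times (default 4, so the fifth
repeated sighting triggers the withdrawal). Packets are constructed.
"""
from collections import defaultdict
import hashlib

DEFAULT_MATCH_TIMES = 4


def packet_key(pkt):
    """Identity of a packet for repetition purposes: addresses, protocol, IP ID
    and a payload digest. The TTL is deliberately excluded (assumption): it is
    decremented on every pass through a loop, so it must not break equality."""
    digest = hashlib.sha256(pkt["payload"]).hexdigest()[:16]
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["ip_id"], digest)


class LoopCheck:
    def __init__(self, match_times=DEFAULT_MATCH_TIMES):
        if match_times < 1:
            raise ValueError("match-times must be at least 1")
        self.match_times = match_times
        self.seen = defaultdict(int)     # packet key -> number of sightings
        self.diverted = set()            # destinations with a diversion route
        self.withdrawn = []              # destinations whose route was cancelled

    def divert(self, dst):
        self.diverted.add(dst)

    def receive(self, pkt):
        """Process one received packet. Returns True if a loop was detected and
        the diversion route for pkt['dst'] was withdrawn by this packet."""
        if pkt["dst"] not in self.diverted:
            return False
        key = packet_key(pkt)
        self.seen[key] += 1
        # Assumption: the first sighting is the original packet; later ones are matches.
        matches = self.seen[key] - 1
        if matches > self.match_times:
            self.diverted.discard(pkt["dst"])
            self.withdrawn.append(pkt["dst"])
            return True
        return False


def run_demo(match_times=DEFAULT_MATCH_TIMES):
    """Constructed scenario: one packet keeps coming back with a lower TTL."""
    lc = LoopCheck(match_times)
    lc.divert("198.51.100.7")
    base = {"src": "203.0.113.5", "dst": "198.51.100.7", "proto": 6,
            "ip_id": 0x1A2B, "payload": b"GET / HTTP/1.1\r\n"}
    # A different packet to the same destination must not count as a repeat.
    results = [lc.receive(dict(base, ip_id=0x9999, ttl=64))]
    results += [lc.receive(dict(base, ttl=64 - i)) for i in range(match_times + 3)]
    return results, list(lc.withdrawn)


if __name__ == "__main__":
    print(run_demo())
```

With the default of 4, the sixth arrival of the packet (its fifth repeat) withdraws the route; the packet after that is no longer on a diverted destination and is ignored, which is the behaviour the Step 2 description implies.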

4.5. Configuring Blackhole Traffic Diversion


This section describes how to configure blackhole traffic diversion to defend against flood attacks.

Context
Blackhole traffic diversion instructs the blackhole router to divert flood traffic destined to a
specific IP address to a blackhole IP address. The flood then no longer consumes the inbound
bandwidth of the cleaning device, and the services of other customers are protected. Note that after
blackhole traffic diversion is enabled, the blackhole router discards all traffic destined to the
specified IP address, legitimate traffic included. Exercise caution when you use this function.

Blackhole traffic diversion can work in either of the following modes:

1. Static blackhole traffic diversion

When the volume of traffic to a specific IP address is oversized, you can enable static blackhole
traffic diversion to discard traffic destined to this IP address.
2. Dynamic blackhole traffic diversion

After you enable dynamic blackhole traffic diversion, the ATIC management center automatically
delivers a blackhole traffic diversion policy if the traffic destined to a specific IP address exceeds the
specified threshold.

Procedure
1.   Configure static blackhole traffic diversion.

a.         Choose Defense > Policy Settings > Black Hole Traffic Diversion.

b.         On the Black Hole Traffic Diversion page, click  .

c.         Select a cleaning device and enter an IP address.

All traffic destined to the specified IP address is discarded.

Blackhole traffic diversion is specific to single IPv4 or IPv6 addresses, not to network segments.

d.         Optional: Select Automatically enable.

e.         Click OK.

2.   Configure dynamic blackhole traffic diversion.

a.         Choose Defense > Policy Settings > Black Hole Traffic Diversion.

b.         On the Black Hole Traffic Diversion page, click  .

c.         Select Enable Dynamic Blackhole Divert and enter a threshold and timeout time.

Threshold: When the traffic destined to the specified IP address reaches the threshold, the
device enables dynamic blackhole traffic diversion.

Timeout: When dynamic blackhole traffic diversion runs for the specified period of time, the
device automatically disables dynamic blackhole traffic diversion.

d.         Click OK.

----End
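The static and dynamic modes described in this section, modelled as an added example written for this page; it is not code from the guide or from Huawei. A static entry discards everything to one host address; a dynamic entry is created when traffic to an address reaches the threshold and removed when the timeout expires. It also enforces the caveat stated above that a blackhole entry is a single IPv4 or IPv6 host address, never a network segment. The traffic unit (Mbit/s) and the sample traffic records are this example's own assumptions and constructed data.

```python
"""Blackhole traffic diversion, static and dynamic, simulated.

Added example, not code from the guide or from Huawei. Traffic samples and
the Mbit/s unit are assumptions of this example.
"""
import ipaddress


def host_address(text):
    """Accept a single host address (IPv4 or IPv6); reject any prefix that
    covers more than one address, such as 10.0.0.0/24."""
    net = ipaddress.ip_network(text, strict=False)
    if net.num_addresses != 1:
        raise ValueError(f"blackhole target must be a single host, got {text}")
    return net.network_address


class BlackholeController:
    def __init__(self, threshold_mbps, timeout_s):
        if threshold_mbps <= 0 or timeout_s <= 0:
            raise ValueError("threshold and timeout must be positive")
        self.threshold = threshold_mbps
        self.timeout = timeout_s
        self.static = set()        # addresses with a static blackhole entry
        self.dynamic = {}          # address -> time at which the entry expires
        self.events = []           # (time, action, address) audit trail

    def add_static(self, text):
        addr = host_address(text)
        self.static.add(addr)
        self.events.append((None, "static-add", str(addr)))

    def observe(self, now, dst, mbps):
        """Feed one traffic sample (destination, rate) taken at time `now`.
        Returns True if traffic to `dst` is discarded after this sample."""
        addr = host_address(dst)
        # Remove dynamic entries whose timeout has elapsed.
        for a, expires in list(self.dynamic.items()):
            if now >= expires:
                del self.dynamic[a]
                self.events.append((now, "dynamic-remove", str(a)))
        if addr in self.static or addr in self.dynamic:
            return True
        if mbps >= self.threshold:
            self.dynamic[addr] = now + self.timeout
            self.events.append((now, "dynamic-add", str(addr)))
            return True
        return False


def run_demo():
    """Constructed scenario: threshold 500 Mbit/s, timeout 600 s."""
    ctl = BlackholeController(threshold_mbps=500, timeout_s=600)
    ctl.add_static("203.0.113.9")
    samples = [  # (time_s, destination, rate_mbps), constructed
        (0, "198.51.100.7", 120),
        (60, "198.51.100.7", 900),      # flood: dynamic entry created
        (120, "198.51.100.7", 50),      # still within the timeout
        (720, "198.51.100.7", 50),      # timeout elapsed: entry removed
        (720, "203.0.113.9", 1),        # static entry discards regardless of rate
        (780, "2001:db8::10", 650),     # IPv6 host is handled the same way
    ]
    return [(t, d, ctl.observe(t, d, r)) for t, d, r in samples], ctl.events


if __name__ == "__main__":
    for row in run_demo()[1]:
        print(row)
```

The audit trail is the part a practitioner should keep: because a blackhole discards legitimate traffic as well, every automatic add and remove should be logged with its timestamp and reconciled against the alarms of the Zone.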
5. Attack Response and Source Tracing
5.1. Viewing the Status of a Zone and Anti-DDoS Alarms
After services are configured, you can view the status of a Zone and anti-DDoS alarms to monitor anti-
DDoS services.

Procedure
1. Check the status of a Zone.

a.         Choose Defense > Policy Settings > Zone.

b.         Check the status of a Zone and perform corresponding operations.

For details on the status of the Zone, see 3.2.6 Configuring the Zone-based Defense
Policy.

2. View anti-DDoS alarms.

a.         Choose Alarms > Alarm Management > Current Alarms.

b.         View anti-DDoS alarms and repair the anti-DDoS services according to repair
suggestions.

----End

5.2 Handling Abnormal Events


If State of the Zone is Abnormal or Attacked, and Defense State is Not defended or Part Defended, you
need to enable defense manually.

Context
Even when Defense Mode of a Zone is set to Manual, the system automatically enables defense
against certain attacks, for example DNS rate limiting by source IP address or by domain name.

Procedure
                               Step 1     Choose Defense > Policy Settings > Zone.
                               Step 2     Check the values in the State and Defense State columns.
If State of the Zone is Abnormal or Attacked, and Defense State is Not
defended or Part Defended, perform the following operations to handle abnormal
events. Otherwise, no operation is required.
                               Step 3     Click the state value of the State column.
                               Step 4     On the Abnormal Events tab page, search abnormal events on the detecting
device and cleaning device of the Zone.
                               Step 5     Select the event (of the cleaning device) whose Defense Status is
Undefended and click the defense icon to enable the defense mechanism of the
cleaning device against the abnormal event.
Only the cleaning device can handle abnormal events.
----End

5.3. Packet Capture

5.3.1 Packet Capture, Analysis and Report

The ATIC management center provides packet capture, analysis, and report functions for routine
maintenance. Packet capture collects network traffic for locating network faults; analysis examines
network traffic and attack logs; reports periodically summarize Zone traffic and attack logs as
required.

Packet Capture
In packet capture, the Anti-DDoS captures packets according to the packet capture task delivered by
the management center. The device then encapsulates the captured packets in a fixed format and sends
them to the anti-DDoS collector for parsing.

In actual applications, packet capture is mainly used to analyze and locate network problems. Different
packet capture types are applicable to diversified application scenarios:

1.  ACL-based packet capture

When the Anti-DDoS does not detect an attack but packet loss or access failure occurs on the
protected network, use ACL-based packet capture to identify the packet types involved and analyze
why defense failed.

2. Global packet capture


A global packet capture task captures discarded packets, including those discarded by non-anti-DDoS
policies such as malformed packet check and packet filtering. This helps locate the cause of service
interruptions.

3. Zone attack matched packet capture

The Anti-DDoS captures the packets discarded by attacks upon the Zone. This assists in analyzing
attack events.

4.  Zone anomaly matched packet capture

The Anti-DDoS captures the abnormal packets of different types. This assists in analyzing abnormal
events.

After the packet-capture task is complete, the captured packets are saved in the packet-capture file.
With the packet-capture file, you can view attack events, trace attack sources, parse attack packets, and
extract fingerprints for locating attacks, and obtaining features and details on attackers, so that proper
defense policies can be configured. The packet-capture file can also be downloaded to the local for
other operations.

1. Viewing attack events

By viewing abnormal or attack events associated with the packet-capture file, you can analyze their
details.

2. Attack source tracing

You can obtain information about attack sources by using attack source tracing. Additionally, the
system adds suspicious source IP addresses to the static blacklist to effectively defend against
attacks.

3. Packet parsing

You can obtain details on each packet by using packet parsing.

4. Fingerprint extracting

With fingerprint extracting, the system extracts the features of abnormal or attack packets.
Additionally, the system adds extracted fingerprints to the Zone fingerprint list as the reference of
traffic cleaning.

5. Packet-capture file download

The packet-capture file can be downloaded to the local host for further analysis.
Analysis
The ATIC management center provides several types of analysis: traffic analysis,
anomaly/attack analysis, DNS analysis, HTTP analysis, SIP analysis, and botnet/Trojan
horse/worm analysis. The administrator can thereby obtain a comprehensive and timely view
of network data and export the analysis results.
Figure 5-1 shows the analysis diagram.

Figure 5-1 Analysis diagram

Report
The ATIC management center comes with both the system report and the Zone report, and supports
diversified reports. The system provides scheduled report generating and downloading functions for
comprehensive reports. This minimizes labor investment and facilitates periodical network status
monitoring and further query.

Figure 5-2 shows the comprehensive report.

Figure 5-2 Diagram of a report

5.3.2 Configuring Packet Capture Length

The packet capture length is the length of each packet captured by the Anti-DDoS. Each Anti-DDoS is
configured with only one packet capture length, which applies to all capture tasks on the Anti-DDoS.

Prerequisites
The Encryption Key of Packet Capture has been configured: choose Defense > Network Settings >
Collectors, create the collector, and set Encryption Key.

Before configuring a packet capture task, configure a key for encrypting packet capture logs. The
Anti-DDoS uses this key to encrypt packet capture logs before sending them to the ATIC management
center, and the ATIC management center uses the same key to decrypt and process them. If the key is
deleted, no packets are captured even if a packet capture task has been configured.

Procedure
                               Step 1     Choose Defense > Policy Settings > Global Policy
                               Step 2     Click   in the Operation column.
                               Step 3     Choose one method from Configure Packet Capture Length.
                               Step 4     Click Deploy to deliver configurations to the device.
                               Step 5     The Deploy dialog box shows the deployment progress. After the
deployment is complete, the dialog box closes automatically.
1. If the deployment succeeds, the Deployment column of the device shows Deploy
Succeed.
2. If the deployment fails, the Deployment column of the device shows Deploy Failed.
----End

Follow-up Procedure
Choose Defense > Policy Settings > Global Policy, select the check box of the device, and
click the save icon to save the configuration to the configuration file of the device to
avoid data loss.

5.3.3 Managing Packet Capture Task

The ATIC Management center provides the packet capture function by delivering packet capture
tasks such as the ACL-based, global, attack event-based, and anomaly-based packet capture
tasks to Anti-DDoS. According to the packet capture tasks, anti-DDoS devices capture packets,
generate packet capture files, and save the files to the anti-DDoS collector for future analysis.

Choose Defense > Policy Settings > Packet Capture, and manage packet capture tasks:

Create
Click the create icon to create a packet capture task in the ATIC Management
center. For details, see 5.3.3.1 Creating an ACL Matched Packet Capture
Task, 5.3.3.2 Creating a Global Defense Packet Capture Task, 5.3.3.3 Creating
a Zone Attacked Packet Capture Task, and 5.3.3.4 Creating an Anomaly-based
Packet Capture Task.

Enable
Select the check box of the packet capture task to be enabled and click the
enable icon. The system delivers commands to the Anti-DDoS to implement the
packet capture task.
NOTE
If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the
packet capture task can be enabled only after policies are successfully deployed on the
Zone of the task.

Disable
Select the check box of the packet capture task to be disabled and click the
disable icon. The ATIC Management center delivers commands to the Anti-DDoS to
cancel the packet capture task.

Delete
   Delete one packet capture task: click the delete icon in the Operation
column of the corresponding packet capture task.
   Delete tasks in batches: select the check boxes of multiple packet capture
tasks and click the delete icon above the list to delete the selected tasks.
Select the check box on the title bar and click the delete icon above the list
to delete all the displayed packet capture tasks.

View
1.    Click the name of the packet capture task to view its details.
2.    Click Close to close the dialog box.

Search
   Basic search: in the basic search area, select Device and State as search
conditions, and then click the search icon.
   Advanced search:
1.    Click Advanced Search.
2.    In the advanced search area that is displayed, set search conditions
such as Device, State, Zone, Type or Task Name, and then click Search.

5.3.3.1 Creating an ACL Matched Packet Capture Task


An ACL-based packet capture task captures packets that pass through the Anti-DDoS and match
an ACL. It is generally used to capture traffic when no attack is in progress, so that the
features of normal traffic can be extracted and used as a baseline for comparison. It is also
the recommended method when packet loss or access failure results from a defense failure, such
as an attack that goes undetected: the captured packets show which packet types are involved,
so the failure can be analyzed. After a packet capture operation is complete, the ACL-based task
enters the Disable state. Enable it again before the next packet capture operation.
Prerequisites
1.  Service configurations are complete.

2. The packet capture length was configured. For details, see 5.3.2 Configuring Packet Capture Length.

3. Ensure that ACL 3999 on the Anti-DDoS is not used.

Procedure
                               Step 1     Choose Defense > Policy Settings > Packet Capture.

                               Step 2     On the Packet Capture Task page, click  .


                               Step 3     On the Create Packet Capture Task page, select ACL Matched from the Type drop-down
list.

                               Step 4     Set other basic parameters. For details, see Table 5-1.

Table 5-1 Creating a packet capture task

Parameter: Task Name
Description: Name of the packet capture task.
Reference Value: The name cannot be empty. It cannot contain apostrophes ('),
vertical bars (|), backslashes (\), commas (,), less-than signs (<),
greater-than signs (>), ampersands (&), semicolons (;), double quotation
marks ("), or percent signs (%).

Parameter: Sampling Ratio
Description: Ratio of the number of packets that match the capture conditions
to the number of packets actually captured.
Reference Value: The default is 1024:1, that is, the device captures one packet
out of every 1024 packets that match the capture conditions.

Parameter: Captured Packet
Description:
- For the Global Defense Matched and ACL Matched types, the value is the total
number of packets captured by the device. When the number of captured packets
reaches Captured Packet, the capture operation is complete and the task enters
the Disable state.
- For the Zone Attack Matched and Zone Anomaly Matched types, the value is the
number of packets of one attack or anomaly captured by each CPU. For example,
on a device with four CPUs and Captured Packet set to 1000, an attack that
contains both ACK flood and UDP flood packets produces:
  - 4 x 1000 ACK flood packets, in four packet capture files
  - 4 x 1000 UDP flood packets, in four packet capture files
After the capture operation is complete, the task remains in the Enable state
and captures packets again upon the next attack.
Reference Value: The default is 1000.

Parameter: Automatically extract fingerprint
Description: Disable or Enable.
Reference Value: Available only when Type is set to Zone Anomaly Matched.

                               Step 5     Add an ACL rule.

1.         In the ACL Rule group box, click  .

2.         Set parameters. For details, see Table 5-2.

Table 5-2 Adding an ACL rule

Parameter: Protocol
Description: Protocol type of the packets.

Parameter: Source IP
Description: Source IP address of the packets.

Parameter: Source IP address mask
Description: Mask applied to the source IP address, in dotted decimal notation.
Masks are compared in binary: a 1 bit in the mask marks an address bit that
must match, and a 0 bit marks an address bit that is ignored. For example, if
the source IP address to match is 192.168.1.100 and the mask is
255.255.255.0, all packets whose source IP address starts with 192.168.1
match the rule.

Parameter: Source Port
Description: Required when Protocol is TCP or UDP.

Parameter: Destination IP
Description: Destination IP address of the packets.

Parameter: Destination IP address mask
Description: Mask applied to the destination IP address, with the same
semantics as the source IP address mask.

Parameter: Destination Port
Description: Required when Protocol is TCP or UDP.

3.         Click OK.
The Create Packet Capture Task page is displayed.
                               Step 6     Click Next.
                               Step 7     Click  , click Detection/Cleaning Device to add network elements, and click OK.
                               Step 8     On the Create Packet Capture Task page, click Finish.
The Packet Capture page is displayed. The packet capture task is displayed in the list.

                               Step 9     Select the check box of a packet capture task and click   to enable the task.

Only one ACL-based packet capture task can be enabled on an Anti-DDoS within a period of time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 5.3.3 Managing
Packet Capture Task.
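The parameter rules of Table 5-1 and the ACL matching semantics of Table 5-2, as an added example written for this page rather than code from the guide or from Huawei. It validates the Task Name character rule, evaluates an ACL rule against packets using the mask semantics described in Table 5-2 (the 1 bits of the mask select the address bits that must match, and ports apply only to TCP and UDP), then applies the Sampling Ratio and Captured Packet limit to a packet stream and reports when the task would enter the Disable state. The rule and packet dictionaries, and the choice to capture every N-th matching packet, are this example's own; the packet stream is constructed.

```python
"""ACL Matched packet capture task: parameter checks and rule evaluation.

Added example, not code from the guide or from Huawei. Rule/packet layout
and the sampling choice (every N-th matching packet) are assumptions.
"""
import ipaddress

FORBIDDEN_NAME_CHARS = set("'|\\,<>&;\"%")   # from Table 5-1
DEFAULT_SAMPLING = 1024                     # 1024:1
DEFAULT_CAPTURED_PACKET = 1000


def validate_task_name(name):
    """Enforce the Task Name rule: non-empty and free of the listed characters."""
    if not name or not name.strip():
        raise ValueError("Task Name cannot be empty")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        raise ValueError(f"Task Name contains forbidden characters: {bad}")
    return name


def mask_match(addr, rule_addr, mask):
    """True if addr agrees with rule_addr on every bit set in mask (Table 5-2).
    A rule without an address condition matches anything."""
    if rule_addr is None:
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def acl_rule_matches(rule, pkt):
    """rule keys: proto, src, src_mask, sport, dst, dst_mask, dport (assumed layout)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not mask_match(pkt["src"], rule.get("src"), rule.get("src_mask", "255.255.255.255")):
        return False
    if not mask_match(pkt["dst"], rule.get("dst"), rule.get("dst_mask", "255.255.255.255")):
        return False
    if rule["proto"] in ("tcp", "udp"):
        # Ports exist only for TCP and UDP, which is why the GUI requires them there.
        if rule.get("sport") is not None and rule["sport"] != pkt.get("sport"):
            return False
        if rule.get("dport") is not None and rule["dport"] != pkt.get("dport"):
            return False
    return True


def run_capture(rule, packets, sampling=DEFAULT_SAMPLING, limit=DEFAULT_CAPTURED_PACKET):
    """Apply the rule, keep one of every `sampling` matching packets, and stop
    once `limit` packets are kept. Returns (captured_packets, task_state)."""
    if sampling < 1 or limit < 1:
        raise ValueError("Sampling Ratio and Captured Packet must be >= 1")
    matched, captured = 0, []
    for pkt in packets:
        if not acl_rule_matches(rule, pkt):
            continue
        matched += 1
        if matched % sampling == 0:
            captured.append(pkt)
            if len(captured) >= limit:
                return captured, "Disable"   # limit reached: the task disables itself
    return captured, "Enable"


def run_demo():
    """Constructed stream: 2500 TCP packets from 192.168.1.0/24 to port 80 and
    100 UDP packets the rule must ignore; sampling 1000:1, Captured Packet 2."""
    validate_task_name("web-baseline-capture")
    packets = [{"proto": "tcp", "src": f"192.168.1.{i % 250 + 1}", "dst": "10.0.0.1",
                "sport": 40000 + i, "dport": 80} for i in range(2500)]
    packets += [{"proto": "udp", "src": "192.168.1.9", "dst": "10.0.0.1",
                 "sport": 5000, "dport": 53}] * 100
    rule = {"proto": "tcp", "src": "192.168.1.100", "src_mask": "255.255.255.0",
            "dst": "10.0.0.1", "dst_mask": "255.255.255.255", "dport": 80}
    captured, state = run_capture(rule, packets, sampling=1000, limit=2)
    return len(captured), state


if __name__ == "__main__":
    print(run_demo())
```

The mask check reproduces the example in Table 5-2: with rule address 192.168.1.100 and mask 255.255.255.0, any source in 192.168.1.0/24 matches, and the host part of the rule address is irrelevant.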

5.3.3.2 Creating a Global Defense Packet Capture Task


A global defense packet capture task captures discarded packets, including those discarded by non-anti-
DDoS policies such as malformed packet check and packet filtering. This helps locate the cause of
service interruptions. After a packet capture operation is complete, the global discarding packet
capture task enters the Disable state. Enable it again before the next packet capture operation.

Prerequisites
   Service configurations are complete.
   The packet capture length was configured. For details, see 5.3.2 Configuring Packet
Capture Length.

Context
The detecting device detects traffic, but does not process the traffic. Only the cleaning
device can discard packets. Therefore, when you create a global discarding packet
capture task, Device can be only the cleaning device.

Procedure
                               Step 1     Choose Defense > Policy Settings > Packet Capture.

                               Step 2     On the Packet Capture Task page, click  .


                               Step 3     On the Create Packet Capture Task page, select Global Defense Matched from
the Type drop-down list.
                               Step 4     Set other basic parameters. For details, see Table 5-3.

Table 5-3 Creating a packet capture task

Parameter: Task Name
Description: Name of the packet capture task.
Reference Value: The name cannot be empty. It cannot contain apostrophes ('),
vertical bars (|), backslashes (\), commas (,), less-than signs (<),
greater-than signs (>), ampersands (&), semicolons (;), double quotation
marks ("), or percent signs (%).

Parameter: Sampling Ratio
Description: Ratio of the number of packets that match the capture conditions
to the number of packets actually captured.
Reference Value: The default is 1024:1, that is, the device captures one packet
out of every 1024 packets that match the capture conditions.

Parameter: Captured Packet
Description:
- For the Global Defense Matched and ACL Matched types, the value is the total
number of packets captured by the device. When the number of captured packets
reaches Captured Packet, the capture operation is complete and the task enters
the Disable state.
- For the Zone Attack Matched and Zone Anomaly Matched types, the value is the
number of packets of one attack or anomaly captured by each CPU. For example,
on a device with four CPUs and Captured Packet set to 1000, an attack that
contains both ACK flood and UDP flood packets produces:
  - 4 x 1000 ACK flood packets, in four packet capture files
  - 4 x 1000 UDP flood packets, in four packet capture files
After the capture operation is complete, the task remains in the Enable state
and captures packets again upon the next attack.
Reference Value: The default is 1000.

Parameter: Automatically extract fingerprint
Description: Disable or Enable.
Reference Value: Available only when Type is set to Zone Anomaly Matched.

                               Step 5     Click Next.

                               Step 6     Click  , click Detection/Cleaning Device to add network elements, and click OK.


                               Step 7     On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.

                               Step 8     Select the check box of a packet capture task and click   to enable the task.

Only one global packet capture task can be enabled on an Anti-DDoS within a period of time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 5.3.3 Managing
Packet Capture Task.

5.3.3.3 Creating a Zone Attacked Packet Capture Task


A Zone attack packet capture task captures packets discarded when the Zone is attacked
for analyzing attack events. The packet capture counting of the task is based on the attack
type. After a packet capture operation is complete, the packet capture task is
in Enable state. Packets are captured upon the next attack.
Prerequisites
   Service configurations are complete.
   The packet capture length was configured. For details, see 5.3.2 Configuring Packet
Capture Length.
   Policies are successfully deployed on the Zone.

Context
Only the cleaning device discards packets when a Zone is under attack. Therefore, when
you create a Zone attacked packet capture task, Device can be only the cleaning device.

Procedure
                               Step 1     Choose Defense > Policy Settings > Packet Capture.

                               Step 2     On the Packet Capture Task page, click  .


                               Step 3     On the Create Packet Capture Task page, select Zone Attack Matched from
the Type drop-down list.

                               Step 4     Set other basic parameters. For details, see Table 5-4.

Table 5-4 Creating a packet capture task

Parameter: Task Name
Description: Name of the packet capture task.
Reference Value: The name cannot be empty. It cannot contain apostrophes ('),
vertical bars (|), backslashes (\), commas (,), less-than signs (<),
greater-than signs (>), ampersands (&), semicolons (;), double quotation
marks ("), or percent signs (%).

Parameter: Sampling Ratio
Description: Ratio of the number of packets that match the capture conditions
to the number of packets actually captured.
Reference Value: The default is 1024:1, that is, the device captures one packet
out of every 1024 packets that match the capture conditions.

Parameter: Captured Packet
Description:
- For the Global Defense Matched and ACL Matched types, the value is the total
number of packets captured by the device. When the number of captured packets
reaches Captured Packet, the capture operation is complete and the task enters
the Disable state.
- For the Zone Attack Matched and Zone Anomaly Matched types, the value is the
number of packets of one attack or anomaly captured by each CPU. For example,
on a device with four CPUs and Captured Packet set to 1000, an attack that
contains both ACK flood and UDP flood packets produces:
  - 4 x 1000 ACK flood packets, in four packet capture files
  - 4 x 1000 UDP flood packets, in four packet capture files
After the capture operation is complete, the task remains in the Enable state
and captures packets again upon the next attack.
Reference Value: The default is 1000.

Parameter: Automatically extract fingerprint
Description: Disable or Enable.
Reference Value: Available only when Type is set to Zone Anomaly Matched.

                               Step 5     Click Next.

                               Step 6     Click  . Select a Zone from the Zone list and click OK to add the Zone.
                               Step 7     Click Next.
                               Step 8     Click  , click Detection/Cleaning Device to add network elements, and click OK.
                               Step 9     On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.

                            Step 10     Select the check box of a packet capture task and click   to enable the task.

Only one attack event-based packet capture task can be enabled for each Zone within a period of
time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 5.3.3 Managing
Packet Capture Task.

5.3.3.4 Creating an Anomaly-based Packet Capture Task


An anomaly-based packet capture task captures anomaly packets of various types for
analyzing anomalies. The packet capture counting of the task is based on the anomaly
type. After a packet capture operation is complete, the packet capture task is
in Enable state. Packets are captured upon the next anomaly.

Prerequisites
   Service configurations are complete.
   The packet capture length was configured. For details, see 5.3.2 Configuring Packet
Capture Length.
   Policies are successfully deployed on the Zone.

Procedure
                               Step 1     Choose Defense > Policy Settings > Packet Capture.

                               Step 2     On the Packet Capture Task page, click  .


                               Step 3     On the Create Packet Capture Task page, select Zone Anomaly Matched from
the Type drop-down list.
                               Step 4     Set other basic parameters. For details, see Table 5-5.

Table 5-5 Creating a packet capture task

Parameter: Task Name
Description: Name of the packet capture task.
Reference Value: The name cannot be empty. It cannot contain apostrophes ('),
vertical bars (|), backslashes (\), commas (,), less-than signs (<),
greater-than signs (>), ampersands (&), semicolons (;), double quotation
marks ("), or percent signs (%).

Parameter: Sampling Ratio
Description: Ratio of the number of packets that match the capture conditions
to the number of packets actually captured.
Reference Value: The default is 1024:1, that is, the device captures one packet
out of every 1024 packets that match the capture conditions.

Parameter: Captured Packet
Description:
- For the Global Defense Matched and ACL Matched types, the value is the total
number of packets captured by the device. When the number of captured packets
reaches Captured Packet, the capture operation is complete and the task enters
the Disable state.
- For the Zone Attack Matched and Zone Anomaly Matched types, the value is the
number of packets of one attack or anomaly captured by each CPU. For example,
on a device with four CPUs and Captured Packet set to 1000, an attack that
contains both ACK flood and UDP flood packets produces:
  - 4 x 1000 ACK flood packets, in four packet capture files
  - 4 x 1000 UDP flood packets, in four packet capture files
After the capture operation is complete, the task remains in the Enable state
and captures packets again upon the next attack.
Reference Value: The default is 1000.

Parameter: Automatically extract fingerprint
Description: Disable or Enable.
Reference Value: Available only when Type is set to Zone Anomaly Matched.

After automatic fingerprint extraction is enabled and packets are captured, the ATIC
management center automatically extracts fingerprints, creates a fingerprint filter, and
delivers the fingerprints to all cleaning devices bound to the Zone. The conditions for
extracting fingerprints are as follows:

Parameter Description Reference Value

Fingerprint Fit Rate Indicates the matching ratio The value is an integer
before extracting ranging from 1 to 100, in
fingerprints. percentage.

Minimum Length Of Indicates the minimum The value is an integer


Fingerprint fingerprint length. ranging from 8 to 32.

Excluded Keyword Indicates the keywords of -


legitimate services to be
excluded in fingerprint
learning.

 
When the packet number of pcap files has reached the number specification, fingerprint
will be extracted. Each time only one fingerprint, which has the highest hit rate, can be
extracted.
Fingerprint will be deployed as fingerprint filter to associated device. Fingerprint filter can
be manually deleted.
If the filter number has reached the upper limit, no more fingerprint filter will be created.
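The extraction conditions above (fit rate, minimum length, excluded keywords, one fingerprint with the highest hit rate, and the filter upper limit) are worked through in the following added Python example. It is not ATIC code: the product's own extraction algorithm is not documented here, so the block assumes a simple one (fixed-length byte windows scored by the share of packets containing them), and the captured payloads are constructed sample data.

```python
"""Fingerprint extraction under the conditions described above.

Added example, not ATIC code.  Assumed approach: candidate fingerprints are
byte windows of exactly Minimum Length Of Fingerprint; the hit rate of a
candidate is the share of captured packets that contain it; the single
candidate with the highest hit rate is extracted, provided the rate is at
least Fingerprint Fit Rate and the candidate does not overlap an Excluded
Keyword.  FilterStore models the filter upper limit and manual deletion.
"""
from collections import Counter
from typing import Iterable, List, Optional, Tuple


def byte_windows(payload: bytes, length: int) -> set:
    """Distinct windows of `length` bytes inside one payload."""
    return {payload[i:i + length] for i in range(len(payload) - length + 1)}


def overlaps_keyword(candidate: bytes, keywords: Iterable[bytes]) -> bool:
    """True if the candidate contains, or is contained in, a legitimate-service keyword."""
    return any(k and (k in candidate or candidate in k) for k in keywords)


def extract_fingerprint(payloads: List[bytes], min_length: int, fit_rate: int,
                        excluded_keywords: Iterable[bytes] = ()) -> Optional[Tuple[bytes, float]]:
    """Return (fingerprint, hit_rate_percent), or None when no candidate qualifies."""
    if not 8 <= min_length <= 32:
        raise ValueError("Minimum Length Of Fingerprint must be an integer from 8 to 32")
    if not 1 <= fit_rate <= 100:
        raise ValueError("Fingerprint Fit Rate must be an integer from 1 to 100")
    if not payloads:
        return None
    hits: Counter = Counter()
    for payload in payloads:
        hits.update(byte_windows(payload, min_length))   # one hit per packet per window
    keywords = list(excluded_keywords)
    # Highest hit count first; ties broken by byte order so the result is deterministic.
    for window, count in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        rate = 100.0 * count / len(payloads)
        if rate < fit_rate:
            return None                                  # nothing better follows
        if overlaps_keyword(window, keywords):
            continue                                     # legitimate-service content
        return window, rate
    return None


class FilterStore:
    """Fingerprint filters delivered to the cleaning devices of one Zone."""

    def __init__(self, upper_limit: int):
        self.upper_limit = upper_limit
        self.filters: List[bytes] = []

    def add(self, fingerprint: bytes) -> bool:
        """Create a filter; refused (False) once the upper limit is reached."""
        if fingerprint in self.filters:
            return True
        if len(self.filters) >= self.upper_limit:
            return False
        self.filters.append(fingerprint)
        return True

    def delete(self, fingerprint: bytes) -> None:
        """Manual deletion frees a slot again."""
        self.filters.remove(fingerprint)


# Constructed sample: eight flood packets sharing an 8-byte marker behind a
# per-packet prefix and suffix, plus two legitimate HTTP requests.
SAMPLE_PAYLOADS = [bytes([i]) * 3 + b"SYNFLOOD" + bytes([0xFF - i]) * 4 for i in range(8)] + [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    result = extract_fingerprint(SAMPLE_PAYLOADS, min_length=8, fit_rate=70,
                                 excluded_keywords=[b"HTTP/1.1"])
    print(result)                                        # (b'SYNFLOOD', 80.0)
    store = FilterStore(upper_limit=1)
    print(store.add(result[0]), store.add(b"OTHERFP1"))  # True False
```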
Step 5 Click Next.
Step 6 Click the add icon, select a Zone from the Zone list, and click OK to add the Zone.
Step 7 Click Next.
Step 8 Click the add icon, click Detection/Cleaning Device to add network elements, and click OK.
Step 9 On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.
Step 10 Select the check box of a packet capture task and click the enable icon to enable the task.

Only one anomaly-based packet capture task can be enabled for each Zone within a period of time.

----End

Follow-up Procedure
You can disable, view, or delete a packet capture task by referring to 8.3.3 Managing
Packet Capture Task.

5.3.4 Managing Packet Capture File

The ATIC Management center captures packets that meet the conditions of a packet capture
task and saves them in a packet capture file. The administrator can use the packet capture
file to view attack events, trace attack sources, parse attack packets, and extract
fingerprints, obtaining the features and details of attackers so that suitable defense
policies can be configured. The packet capture file can also be downloaded to the local
computer for other operations.
Choose Defense > Policy Settings > Packet Capture, click the Packet Capture File tab, and
manage packet capture files as follows:

View Event: Click the corresponding icon in the Operation column of a packet capture file to view attack or anomaly events. For details, see 8.3.4.1 Viewing Anomaly or Attack Events.
Trace Source: Click the corresponding icon in the Operation column of a packet capture file to trace attack sources. For details, see 8.3.4.2 Tracing Attack Sources Through a Packet Capture File.
Parse Packet: Click the corresponding icon in the Operation column of a packet capture file to parse captured packets. For details, see 8.3.4.3 Parsing Packets in a Packet Capture File.
Extract Fingerprint: Click the corresponding icon in the Operation column of a packet capture file to extract fingerprints. For details, see 8.3.4.4 Extracting Fingerprints from a Packet Capture File.
Download: Click the corresponding icon in the Operation column of a packet capture file to download the file. For details, see 8.3.4.5 Downloading a Packet Capture File.
View Packet Capture Task: Click Task Name of a packet capture file to view information about the packet capture task that generated the file.
Delete:
- Delete one packet capture file: click the delete icon in the Operation column to delete the corresponding packet capture file.
- Delete files in batches: select the check boxes of multiple packet capture files and click the delete icon above the list to delete the selected files. Select the check box on the title bar and click the delete icon above the list to delete all the displayed packet capture files.
Search:
- Basic search: in the basic search area, set Task Name and File Name as search conditions, and then click the search icon.
- Advanced search:
  1. Click Advanced Search.
  2. In the advanced search area that is displayed, set search conditions such as Start Time, End Time, Packet Capture Type, File State, Task Name, and File Name, and then click Search.

5.3.4.1 Viewing Anomaly or Attack Events

For a packet capture file of Zone Attack Matched or Zone Anomaly Matched, you can
view related anomaly or attack events for further analysis.

Prerequisites
The packet capture task of Zone Attack Matched or Zone Anomaly Matched has been
created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the corresponding icon in the Operation column of a packet capture file.
Step 4 On the View Correlated Events page, view related anomaly or attack events. For parameter settings, see Table 8-6.

Table 7-6 Viewing attack events

IP Address: Indicates the destination IP address under attack.
Zone Name: Indicates the name of the Zone to which the destination IP address under attack belongs.
Start Time of an Anomaly: Indicates the start time of an anomaly.
Attack Start Time: Indicates the start time of an attack.
End Time: Indicates the end time of the anomaly if the correlated event is an anomaly event; otherwise, this field indicates the end time of the attack.
State: Indicates the current state of an attack.
Type: Indicates the attack type.
Number of Attack Packets: Indicates the number of packets sent during attacks.

Step 5 Click Close. Return to the Packet Capture File page.
----End

5.3.4.2 Tracing Attack Sources Through a Packet Capture File

For the packet capture files of Global Defense Matched, Zone Attack Matched or Zone
Anomaly Matched, you can obtain attack sources by tracing a packet capture file.
Suspicious IP address can also be blacklisted for effective attack defense.

Prerequisites
The packet capture task of Global Defense Matched, Zone Attack Matched or Zone
Anomaly Matched has been created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the corresponding icon in the Operation column of a packet capture file to trace attack sources.
Step 4 On the Trace Source page, view the result of attack source tracing. For parameter settings, see Table 8-7.

Table 7-7 Attack source tracing parameters

Number of Packets: Indicates the number of packets sent during attacks.
Number of Source IP Addresses: Indicates the number of source IP addresses of attackers.
Source IP Address: Indicates the source IP address of the attacker.
Protocol Type: Indicates the protocol type of attack packets.
Destination Port: Indicates the destination port of attack packets.
Attack Times: Indicates the number of attacks launched by the attacker.

Step 5 Optional: Select one or more check boxes of attack records and click Add Items to Blacklist. The suspicious IP addresses are displayed in the blacklist of this Zone. The blacklist entries take effect after deployment on NEs. For details on the deployment process, see 6.2.12 Deploying the Defense Policy.
Blacklisting is enabled for Zones. Attack sources are traced from packets captured after Zone Attack Matched and Zone Anomaly Matched are enabled, and the attack sources can then be blacklisted.
Step 6 Click Close. Return to the Packet Capture File page.
----End

7.3.4.3 Parsing Packets in a Packet Capture File


Packet parsing can be performed on all packet capture files to obtain details on the
packets.

Prerequisites
A packet capture task has been created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the corresponding icon in the Operation column of a packet capture file to parse captured packets.
Step 4 On the Packet Parsing page, view details on each packet, including the sending time, source IP address, destination IP address, and protocol type of the packet.
Step 5 Click a packet parsing record; its details are displayed in the group boxes in the middle and lower parts of the page.
Step 6 Click Close. Return to the Packet Capture File page.


----End
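
The Trace Source page (7.3.4.2) and the Packet Parsing page (7.3.4.3) both present information derived from the packet capture file itself. The following added Python example, which is not ATIC code, parses a capture file and produces the same per-packet fields and per-source summary; it assumes the file is a classic little-endian pcap with Ethernet/IPv4 frames, and the capture it parses is constructed inline.

```python
"""Parse a packet capture file and summarise its attack sources.

Added example, not ATIC code.  parse_pcap() returns the fields the Packet
Parsing page shows (time, source IP, destination IP, protocol, plus the
destination port), and trace_sources() aggregates them like the Trace Source
page (number of packets, number of source IP addresses, and per source the
protocol, destination port and attack times).  Assumes a classic little-endian
pcap with Ethernet/IPv4 frames; the capture built at the bottom is constructed
sample data.
"""
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4     # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data: bytes):
    """Return one (time, src_ip, dst_ip, protocol, dst_port) row per IPv4 frame."""
    magic, _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format")
    rows, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # A frame cut short by the packet capture length may lack the IPv4 header: skip it.
        if len(frame) < incl_len or len(frame) < 34:
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                                   # non-IPv4 frames are not parsed
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        dport = None
        if proto in (6, 17) and len(ip) >= ihl + 4:    # TCP/UDP: destination port at offset 2
            dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        rows.append((when, src, dst, PROTO_NAMES.get(proto, str(proto)), dport))
    return rows


def trace_sources(rows):
    """Aggregate parsed rows the way the Trace Source page presents them."""
    attack_times = Counter((src, proto, dport) for _, src, _, proto, dport in rows)
    return {
        "packets": len(rows),
        "source_ips": len({src for _, src, _, _, _ in rows}),
        "sources": [
            {"source_ip": s, "protocol": p, "dst_port": d, "attack_times": n}
            for (s, p, d), n in attack_times.most_common()
        ],
    }


def _frame(src, dst, proto, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (20 B) or UDP (8 B) header."""
    if proto == 6:
        l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 16 + payload
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed capture: four SYN-flood packets from two sources and one DNS query."""
    frames = [(1700000000 + i, _frame("192.0.2.10", "198.51.100.5", 6, 80)) for i in range(3)]
    frames.append((1700000010, _frame("192.0.2.11", "198.51.100.5", 6, 80)))
    frames.append((1700000020, _frame("192.0.2.12", "198.51.100.5", 17, 53, b"\x00" * 12)))
    data = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        data += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return data


if __name__ == "__main__":
    rows = parse_pcap(build_sample_pcap())
    for when, src, dst, proto, dport in rows:
        print(when.isoformat(), src, dst, proto, dport)
    print(trace_sources(rows))
```
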
5.3.4.4 Extracting Fingerprints from a Packet Capture File

For the packet capture files of Zone Attack Matched or Zone Anomaly Matched, you can
obtain the features of anomalies or attacks by extracting fingerprints. The fingerprints
can be added to the Zone fingerprint list as the reference of traffic cleaning.

Prerequisites
The packet capture task of Zone Attack Matched or Zone Anomaly Matched has been
created and enabled.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture File tab.
Step 3 Click the corresponding icon in the Operation column of a packet capture file to extract fingerprints.
The fingerprint of the packet capture file is extracted and displayed in the Fingerprint List in the left area.
Step 4 Optional: Extract reference fingerprints.
Reference fingerprints are extracted from normal packets captured when no anomaly or attack occurs.
1. Click Select File in the right area of the page.
2. On the Packet Capture File page that is displayed, select a packet capture file of the same device as the reference file and click OK.
The fingerprint of the reference file is extracted and displayed in the Fingerprint List in the right area.
Step 5 Optional: In the fingerprint list on the left, select the fingerprint to be added, and then click Add the Fingerprint in the lower part of the page. The fingerprint is displayed in the protocol fingerprint list of the Zone. For details on the protocol types of fingerprints, see 6.2.6 Configuring the Zone-based Defense Policy. Fingerprints take effect only after they are deployed on the device. For details on the deployment process, see 6.2.12 Deploying the Defense Policy.
Step 6 Click Close. Return to the Packet Capture File page.
----End

5.3.4.5 Downloading a Packet Capture File

The packet capture file can be downloaded to the local for future operations.

Procedure
Step 1 Choose Defense > Policy Settings > Packet Capture.
Step 2 Click the Packet Capture Task tab.
Step 3 Click the corresponding icon in the Operation column of a packet capture file.
Step 4 On the download page that is displayed, open or save the file.
----End
6. Report
6.1 Overview
Reports are used to analyze network traffic and attack logs and summarize system and Zone traffic
information and attack logs periodically.

The ATIC management center provides four types of analysis: traffic analysis, abnormality/attack
analysis, DNS analysis, and HTTP(S) Analysis. This analysis helps the administrator comprehensively learn
about network data in real time. The ATIC management center also provides system and Zone reports in
diversified forms. The reports can be generated periodically. This function is labor-saving and facilitates
network status monitoring and query.

6.2. Traffic Analysis
Traffic analysis analyzes network traffic from all aspects.

6.2.1 Data Overview

Function
Data overview of traffic analysis displays various reports for analyzing traffic in a centralized
manner. This function collects traffic statistics of all devices or of a specified device at different
time range granularities. You can use Data Overview to view the following types of reports:

1. Traffic Comparison
   Collects statistics on the inbound traffic, outbound traffic, and attack traffic and compares the three types of traffic. For details, see 6.2.2 Traffic Comparison.
2. Incoming Traffic Distribution
   Displays the distribution of inbound traffic by protocol.
3. Zone Traffic Top 10
   Collects statistics on the traffic destined for Zones and displays data of the top N Zones. For details, see 6.2.3 Traffic Top N.
4. IP Traffic Top 10
   Collects statistics on the traffic to each IP address and displays data of the top N IP addresses. For details, see 6.2.3 Traffic Top N.

Parameter

Table 6-1 Query parameters of data overview

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried, and the sum of traffic volumes among defense groups is queried.
       − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Time: Click the corresponding icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
    The end time must be later than the start time, and the interval cannot be longer than one year.
    1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    3. If the query interval is shorter than one day, statistics are collected every five minutes.
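
The Device and Time rules above (also repeated in Tables 6-2 to 6-8) determine how a Total (Detecting) figure is built from per-device statistics. The following added Python example, which is not ATIC code, applies them to a constructed set of defense groups and traffic samples; the order in which Average Value or Peak Value is applied per device before the group aggregation is an assumption of the example.

```python
"""Total (Detecting) aggregation and statistics granularity for report queries.

Added example, not ATIC code.  Rules taken from the Device and Time
parameters: a Load Redundancy defense group contributes the maximum traffic
volume among its detecting devices, a Load Balancing group the sum, and the
group results are summed; the query interval selects daily, hourly or
five-minute statistics and is rejected when the end time is not later than the
start time or the interval exceeds one year.  Applying Average Value or Peak
Value per device inside each bucket before aggregating is an assumption, and
the group, device and traffic values are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

GroupSpec = Tuple[str, List[str]]                     # (working mode, device names)
Samples = Dict[str, List[Tuple[datetime, float]]]     # device -> [(time, traffic)]
ONE_YEAR = timedelta(days=365)


def statistics_granularity(start: datetime, end: datetime) -> timedelta:
    """Bucket size implied by the query interval; raises on an invalid interval."""
    interval = end - start
    if interval <= timedelta(0):
        raise ValueError("end time must be later than start time")
    if interval > ONE_YEAR:
        raise ValueError("query interval cannot be longer than one year")
    if interval >= timedelta(days=7):
        return timedelta(days=1)              # statistics collected daily
    if interval >= timedelta(days=1):
        return timedelta(hours=1)             # statistics collected hourly
    return timedelta(minutes=5)               # statistics collected every five minutes


def device_value(points: List[float], statistic: str) -> float:
    """Average Value or Peak Value of one device inside one bucket (0 without data)."""
    if not points:
        return 0.0
    if statistic == "Average Value":
        return sum(points) / len(points)
    if statistic == "Peak Value":
        return max(points)
    raise ValueError(f"unknown statistics mode {statistic!r}")


def total_detecting(groups: Dict[str, GroupSpec], per_device: Dict[str, float]) -> float:
    """Combine per-device values into the Total (Detecting) figure."""
    total = 0.0
    for name, (mode, devices) in groups.items():
        values = [per_device.get(d, 0.0) for d in devices]
        if mode == "Load Redundancy":
            total += max(values, default=0.0)  # maximum volume within the group
        elif mode == "Load Balancing":
            total += sum(values)               # sum within the group
        else:
            raise ValueError(f"unknown working mode {mode!r} in defense group {name}")
    return total                               # summed across defense groups


def total_detecting_series(groups: Dict[str, GroupSpec], samples: Samples,
                           start: datetime, end: datetime, statistic: str = "Average Value"):
    """Total (Detecting) per statistics bucket between start and end."""
    step = statistics_granularity(start, end)
    series, bucket = [], start
    while bucket < end:
        per_device = {
            device: device_value([v for t, v in points if bucket <= t < bucket + step], statistic)
            for device, points in samples.items()
        }
        series.append((bucket, total_detecting(groups, per_device)))
        bucket += step
    return series


# Constructed topology: two defense groups with two detecting devices each.
GROUPS: Dict[str, GroupSpec] = {"DG-A": ("Load Redundancy", ["det-1", "det-2"]),
                                "DG-B": ("Load Balancing", ["det-3", "det-4"])}
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLES: Samples = {
    "det-1": [(T0, 100.0), (T0 + timedelta(minutes=2), 300.0), (T0 + timedelta(minutes=6), 400.0)],
    "det-2": [(T0 + timedelta(minutes=1), 150.0), (T0 + timedelta(minutes=7), 500.0)],
    "det-3": [(T0, 50.0), (T0 + timedelta(minutes=3), 70.0)],
    "det-4": [(T0 + timedelta(minutes=4), 30.0), (T0 + timedelta(minutes=9), 10.0)],
}


def demo_totals(statistic: str = "Average Value") -> List[float]:
    """Total (Detecting) values for a ten-minute query over the sample data."""
    return [v for _, v in total_detecting_series(GROUPS, SAMPLES, T0, T0 + timedelta(minutes=10), statistic)]


if __name__ == "__main__":
    print(demo_totals())                # [290.0, 510.0]
    print(demo_totals("Peak Value"))    # [400.0, 510.0]
```
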

 
Example
Data overview is displayed in Figure 6-1.

Figure 6-1 Data overview

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Data Overview tab.
Step 3: Set query parameters.
Step 4: Click Search.
Reports that meet the query conditions are displayed.
Step 5: Optional: Open or save the query results as files, or send the queried reports to the specified email address.
1. Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click the Excel icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.2.2. Traffic Comparison

Function
The traffic comparison report displays traffic comparisons and changes of an Anti-DDoS device, Zone, or IP
address within a period of time. If the device is an anti-DDoS cleaning device, you can view the incoming
and outgoing traffic. If the device is an anti-DDoS detecting device, you can view the detected traffic.

Parameter

Table 6-2 Query parameters of traffic comparison

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried, and the sum of traffic volumes among defense groups is queried.
       − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone: Click the corresponding icon, select a Zone on the Zone page that is displayed, and then click OK.

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. Traffic destined for the IP address is queried.

Protocol: Select a protocol type from the drop-down list.

Time: Click the corresponding icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
    The end time must be later than the start time, and the interval cannot be longer than one year.
    1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.
    1. Average Value: indicates the average value of traffic within the specified time segment.
    2. Peak Value: indicates the maximum value of traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Example
If the device is set to Total (Cleaning), traffic comparison within a period of time is
displayed in Figure 6-2.

Figure 6-2 Traffic comparison

 
Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Traffic Comparison tab.
Step 3: Set query parameters.
Step 4: Click Search.
The traffic comparison result that meets the query conditions is displayed.
Step 5: Optional: Open or save the query results as files, or send the queried reports to the specified email address.
1. Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click the Excel icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.
4. Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.
----End

6.2.3. Traffic Top N

Function

The ATIC management center collects statistics on Incoming Traffic or Attack Traffic in the
specified interval and ranks the top N traffic. From the top N statistics, you can view the
top N Zones, services, or IP addresses with the largest volumes of inbound or attack traffic.

1. IP Traffic Top N
   Ranks traffic by destination IP address. If traffic anomalies occur, you can view IP Traffic Top N to learn about the IP addresses with the largest volumes of inbound or attack traffic.
2. Zone Traffic Top N
   Ranks traffic by Zone. If traffic anomalies occur, you can view Zone Traffic Top N to learn about the Zones with the largest volumes of inbound or attack traffic.
3. Service Traffic Top N
   Ranks traffic by service. If traffic anomalies occur, you can view Service Traffic Top N to learn about the services with the largest volumes of inbound or attack traffic.

Parameter
Table 6-3 shows parameters when Report Type is set to Zone Traffic Top N. Table 6-4 shows
parameters when Report Type is set to Service Traffic Top N. Table 6-5 shows parameters
when Report Type is set to IP Traffic Top N.

Table 6-3 Query parameters of Zone Traffic Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried, and the sum of traffic volumes among defense groups is queried.
       − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Protocol: Select the protocol type to be queried.

Time: Click the corresponding icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
    The end time must be later than the start time, and the interval cannot be longer than one year.
    1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    2. If the query interval is shorter than seven days, statistics are collected hourly.

Type: Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic.
    Incoming Traffic or Attack Traffic can be selected for anti-DDoS cleaning devices, and only Incoming Traffic can be selected for anti-DDoS detecting devices.

Statistics: Select a mode for collecting statistics.
    1. Average Value: indicates the average value of inbound traffic or attack traffic within the specified time segment.
    2. Peak Value: indicates the maximum value of inbound traffic or attack traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N: Enter the value of N.

Table 6-4 Query parameters of Service Traffic Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried, and the sum of traffic volumes among defense groups is queried.
       − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone: Click the corresponding icon, select a Zone on the Zone page that is displayed, and then click OK.

Time: Click the corresponding icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
    The end time must be later than the start time, and the interval cannot be longer than one year.
    1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    2. If the query interval is shorter than seven days, statistics are collected hourly.

Type: Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic.
    Incoming Traffic or Attack Traffic can be selected for anti-DDoS cleaning devices, and only Incoming Traffic can be selected for anti-DDoS detecting devices.

Statistics: Select a mode for collecting statistics.
    1. Average Value: indicates the average value of inbound traffic or attack traffic within the specified time segment.
    2. Peak Value: indicates the maximum value of inbound traffic or attack traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N: Enter the value of N.

Table 6-5 Query parameters of IP Traffic Top N

Device: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume in the defense group is queried, and the sum of traffic volumes among defense groups is queried.
       − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of traffic volumes within each defense group and among defense groups is queried.

Zone: Click the corresponding icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Select a service or service group from the drop-down list.
    The value of Protocol depends on Service. If a service is selected for Service, the value of Protocol must correspond to that service.

Protocol: Select the protocol type to be queried.

Time: Click the corresponding icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
    The end time must be later than the start time, and the interval cannot be longer than one year.
    1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    2. If the query interval is shorter than seven days, statistics are collected hourly.

Type: Select a traffic type. The traffic types are Incoming Traffic and Attack Traffic.

Statistics: Select a mode for collecting statistics.
    1. Average Value: indicates the average value of inbound traffic or attack traffic within the specified time segment.
    2. Peak Value: indicates the maximum value of inbound traffic or attack traffic within the specified time segment. The peak value can be selected only when a device is selected.

Unit: Select a traffic measurement unit. The unit can be pps or kbit/s. The default unit is pps.

Top N: Enter the value of N.

Example

If the device is set to Total (Cleaning), traffic type to Attack Traffic, statistical method
to Average Value, and protocol type to Total, top N Zones by traffic within a period
of time are displayed in Figure 6-3.

Figure 6-3 Top N Zones by attack traffic


 

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Traffic Top N tab.
Step 3: Set query parameters.
Step 4: Click Search.
The top N Zone traffic that meets the query conditions is displayed.
If a Zone has been deleted, the Zone name is displayed as Unknown Zone.
Step 5: Optional: Open or save the query results as files, or send the queried reports to the specified email address.
1. Click the PDF icon to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click the Excel icon to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click the CSV icon to open or save the query results as CSV files. All data except figures can be displayed.
4. Click the email icon to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.2.4. Application Traffic

Function
If application traffic anomalies or attacks occur, you can view the Application Traffic report to learn
about application traffic information. The ATIC management center collects statistics on application-
layer protocol traffic and user-defined service traffic and provides Traffic Comparison and Traffic
Distribution reports. The supported application-layer protocols include HTTP, HTTPS, UDP_DNS, and SIP.

1. Traffic Comparison
   Compares the Incoming Traffic, Outgoing Traffic, and Attack Traffic of the specified Zones at different time range granularities in the report. You can compare the traffic information of different applications based on service types.
   You can use Traffic Comparison to view the Zones or destination IP addresses under attack, the comparison of inbound and outbound traffic, and the volume of attack traffic.
2. Traffic Distribution
   Displays the service distribution of Incoming Traffic and Attack Traffic of the specified Zones at different time range granularities in the report.
   You can use Traffic Distribution to view the protocol distribution of specific Zones or destination IP addresses to determine whether to enable attack defense for a certain type of traffic.

Parameter
To query comparison between incoming and outgoing application traffic, set Report Type to Traffic
Comparison. (For parameters, see Table 6-6.) To query traffic distribution of all types of applications,
set Report Type to Traffic Distribution. (For parameters, see Table 6-7.)

Table 6-6 Parameters for querying traffic comparison

Device: Select a device from the drop-down list.

Zone: Click the corresponding icon, select a Zone on the Zone page that is displayed, and then click OK.

Service: Services comprise user-defined services and application-layer protocol services (including HTTP, HTTPS, UDP_DNS, and SIP).

IP Address: Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. Traffic destined for the IP address is queried.

Time: Click the corresponding icon to select the start time and end time of statistics, or change the time values in the corresponding text boxes.
    The end time must be later than the start time, and the interval cannot be longer than one year.
    1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
    2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
    3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics: Select a mode for collecting statistics.
    1. Average Value: indicates the average value of traffic within the specified time segment.
    2. Peak Value: indicates the maximum value of traffic within the specified time segment.

Unit: Select a traffic measurement unit. The unit can be pps, qps, or kbit/s. The default unit is pps. qps takes effect only for HTTP traffic.

Table 6-7 Parameters for querying traffic distribution

Parameter Description

Device Select a device from the drop-down list.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

IP Address Enter a destination IP address, for which the traffic is destined.

Time Click   to select the start time and end time of statistics. Or you
can change the time values in corresponding text boxes.
The end time must be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and
shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are
collected every five minutes.

Type Select a traffic type.
1. Incoming traffic: queries the distribution of all types of
applications in incoming traffic.
2. Attack traffic: queries the distribution of all types of
applications in attack traffic.

Statistics Select a mode for collecting statistics.
1. Average Value: indicates the average value of traffic within
the specified time segment.
2. Peak Value: indicates the maximum value of traffic within
the specified time segment.

Unit Select a traffic measurement unit. The unit can be pps or kbit/s. The
default unit is pps.
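As an added illustration of the Time and Statistics rules stated in Table 6-7 (this is example code written for this page, not the guide's own material and not ATIC code), the following Python functions validate a query window, derive the collection granularity (daily, hourly, or every five minutes) from the interval length, and then reduce constructed traffic samples in each collection bucket with either the Average Value or the Peak Value mode. The function names, the reading of "one year" as 365 days, and the sample data are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Added illustration of the Time and Statistics parameters; not ATIC code.
# The guide only says "one year"; 365 days is an assumption made here.
ONE_YEAR = timedelta(days=365)


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp such as 2024-01-01T00:00:00."""
    return datetime.fromisoformat(ts)


def is_valid_window(start: str, end: str) -> bool:
    """True when the end time is later than the start time and the
    interval is not longer than one year (the guide's two constraints)."""
    s, e = _parse(start), _parse(end)
    return e > s and (e - s) <= ONE_YEAR


def collection_interval_minutes(start: str, end: str) -> int:
    """Return the statistics granularity in minutes for a query window:
    1440 (daily) for >= 7 days, 60 (hourly) for >= 1 day, else 5.
    Raises ValueError when the window violates the guide's constraints."""
    if not is_valid_window(start, end):
        raise ValueError("end must be later than start and the interval at most one year")
    span = _parse(end) - _parse(start)
    if span >= timedelta(days=7):
        return 24 * 60
    if span >= timedelta(days=1):
        return 60
    return 5


def summarize(samples, start: str, end: str, mode: str):
    """Bucket (iso_timestamp, pps) samples at the chosen granularity and
    reduce each bucket with the selected statistics mode:
    'average' -> mean of the bucket (Average Value),
    'peak'    -> maximum of the bucket (Peak Value).
    Returns [(bucket_start_iso, value), ...] in time order."""
    if mode not in ("average", "peak"):
        raise ValueError("mode must be 'average' or 'peak'")
    s, e = _parse(start), _parse(end)
    step = timedelta(minutes=collection_interval_minutes(start, end))
    buckets = {}
    for ts, value in samples:
        t = _parse(ts)
        if not (s <= t < e):
            continue  # sample outside the query window is ignored
        idx = (t - s) // step  # timedelta // timedelta gives an int bucket index
        buckets.setdefault(idx, []).append(value)
    result = []
    for idx in sorted(buckets):
        values = buckets[idx]
        reduced = sum(values) / len(values) if mode == "average" else max(values)
        result.append(((s + idx * step).isoformat(), reduced))
    return result


# Constructed sample data: a two-hour window, so the rule yields 5-minute buckets.
START = "2024-01-01T00:00:00"
END = "2024-01-01T02:00:00"
SAMPLES = [
    ("2024-01-01T00:01:00", 1000),  # bucket starting 00:00
    ("2024-01-01T00:03:00", 3000),  # bucket starting 00:00
    ("2024-01-01T00:06:00", 5000),  # bucket starting 00:05
    ("2024-01-01T02:10:00", 9000),  # after the end time, ignored
]

if __name__ == "__main__":
    print(collection_interval_minutes(START, END))
    print(summarize(SAMPLES, START, END, "average"))
    print(summarize(SAMPLES, START, END, "peak"))
```

The two modes answer different questions: Average Value smooths bursts inside a bucket and is what you compare against a service baseline, while Peak Value keeps the highest sample and is the one to use when deciding whether a burst approached a configured rate-limiting threshold.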

Example

Figure 6-4 Comparison between incoming and outgoing application traffic

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Application Traffic tab.
Step 3: Set query parameters.
Step 4: Click Search.
Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data
except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment
format. Then click OK.
----End

6.2.5. Protocol Traffic Distribution

Function
The protocol traffic distribution chart shows the proportion of the TCP, UDP, ICMP, and other traffic. You
can view the distribution of the inbound and outbound traffic of the cleaning device, and the
distribution of the detected traffic of the detecting device.

Parameter

Table 6-8 Query parameters of protocol traffic distribution

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work
in Load Redundancy mode, the maximum traffic volume in the
defense group is queried and the sum of traffic volumes
among defense groups is queried.
−       If two or more detecting devices in each defense group work
in Load Balancing mode, the sum of traffic volumes within
each defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are
applicable. Traffic destined for the IP address is queried.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter
than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected
every five minutes.

Unit Select a traffic measurement unit. The unit can be pps or kbit/s. The
default unit is pps.
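The Total (Detecting) rule in Table 6-8 (and in the later tables that repeat it) aggregates detecting devices differently depending on the working mode of each defense group: the maximum within a Load Redundancy group, the sum within a Load Balancing group, and always the sum across groups. The following Python code, added here as an illustration and not taken from the guide or from ATIC, applies that rule to a constructed topology; the group and device names, the mode strings and the traffic figures are all assumptions made for the example.

```python
# Added illustration of the Total (Detecting) aggregation rule; not ATIC code.
# Group names, modes and traffic volumes below are constructed for the example.


def defense_group_volume(mode: str, volumes) -> int:
    """Aggregate the detecting devices of one defense group.

    Load Redundancy: every device sees the same traffic, so the group's
    volume is the maximum over its devices (summing would double-count).
    Load Balancing: the devices share the traffic, so the group's volume
    is the sum over its devices.
    """
    volumes = list(volumes)
    if not volumes:
        return 0
    if mode == "redundancy":
        return max(volumes)
    if mode == "balancing":
        return sum(volumes)
    raise ValueError(f"unknown defense group mode {mode!r}")


def total_detecting(groups, sample):
    """groups: {group_name: (mode, [device names])}
    sample: {device name: traffic volume at one collection point}
    Returns (total across all groups, {group_name: group volume}).
    Devices missing from the sample count as zero."""
    per_group = {}
    for name, (mode, devices) in groups.items():
        per_group[name] = defense_group_volume(mode, (sample.get(d, 0) for d in devices))
    return sum(per_group.values()), per_group


def naive_sum(sample) -> int:
    """A plain sum over every detecting device, shown for contrast: it
    double-counts traffic seen by a Load Redundancy group."""
    return sum(sample.values())


# Constructed topology: one redundancy group and one balancing group.
GROUPS = {
    "dg-north": ("redundancy", ["det-1", "det-2"]),
    "dg-south": ("balancing", ["det-3", "det-4"]),
}

# Constructed per-device volumes (pps) at a single collection point.
SAMPLE = {"det-1": 1200, "det-2": 1180, "det-3": 700, "det-4": 650}

if __name__ == "__main__":
    total, per_group = total_detecting(GROUPS, SAMPLE)
    print("Total (Detecting):", total, per_group)
    print("naive sum over all devices:", naive_sum(SAMPLE))
```

With these figures the redundancy group contributes 1200 (its maximum) and the balancing group 1350 (its sum), so Total (Detecting) is 2550, whereas a naive sum over the four devices reports 3730. When a report's detecting total looks higher than the cleaning total for the same Zone, the working mode of each defense group is the first thing to check.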

Example
If the device is set to Total (Cleaning) and the Zone to Total, traffic distribution within
a period of time is displayed in Figure 6-5.

Figure 6-5 Protocol traffic distribution

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Protocol Traffic Distribution tab.
Step 3: Set query parameters. For details, see Table 6-8.
Step 4: Click Search.
Traffic distribution that meets the query conditions is displayed.
Step 5: Optional: Open or save the query results as files, or send queried reports to the
specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data
except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment
format. Then click OK.

----End
6.2.6. Number of TCP Connections

Prerequisites
You can view the number of new TCP connections by source IP address only after Top N TCP Source IP
Addresses by New Connection is enabled.

Function
Number of TCP connections provides visibility into the number of new TCP connections and number of
concurrent TCP connections by destination IP address, and number of new connections by source IP
address with the most connections. In normal cases, observe and record the number of new
connections and that of concurrent connections of services in the report. If the number of new
connections or the number of concurrent connections is greater than the normal value, capture packets
for analyzing anomalies or attacks.

Parameter
When Type is set to Destination IP Address, you can view the number of new connections and
concurrent connections by destination IP address. For parameters, see Table 6-9. When Type is set
to Source IP Address, you can view the number of new TCP connections by source IP address with the
most connections within the given time segment. For parameters, see Table 6-10.

Table 6-9 Parameters for querying the connection number by destination IP address

Parameter Description

Device Select a cleaning device from the drop-down list. Total
(Cleaning) indicates the number of connections on all cleaning
devices.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Service Select a service or service group from the drop-down list.

Type Select Destination IP Address.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are
applicable. The number of connections to the IP address is queried.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter
than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected
every five minutes.

Statistics Select a mode for collecting statistics.
1. Average Value: Indicates the average number of new connections or
concurrent connections within a period of time.
2. Peak Value: Indicates the maximum number of new connections or
concurrent connections within a period of time. The peak value
can be selected only when a device is selected.

Table 6-10 Parameters for querying the connection number by source IP address

Parameter Description

NE Select a cleaning device from the drop-down list. Total
(Cleaning) indicates the number of connections on all cleaning
devices.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Type Select Source IP Address.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter
than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected
every five minutes.

Example
If the Device is set to Total (Cleaning), Zone to Total, Service to TCP, and Statistics to Average
Value, the number of connections within a period of time is displayed in Figure 6-6.

Figure 6-6 Number of new connections and concurrent connections by destination IP address

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Number of TCP Connections tab.
Step 3: Set query parameters.
Step 4: Click Search.
The number of connections that meet the query conditions is displayed.

The queried number of TCP connections is the number of session connections
after the TCP three-way handshake.

Step 5: Optional: Open or save the query results as files, or send queried reports to the
specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data
except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment
format. Then click OK.

----End

6.2.7. Board Traffic

Function
Board Traffic displays the traffic of the SPUs on a device.

Parameter

Table 6-11 Query parameters of Board Traffic

Parameter Description

Device Select a device from the drop-down list.

Protocol Select a protocol type from the drop-down list.

Time Click   to select the start time and end time of statistics. Or you
can change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and
shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are
collected every five minutes.

Unit Select a traffic measurement unit. The unit can be pps or kbit/s. The
default unit is pps.

Example
If the device is set to bj (Cleaning) and the protocol to UDP, board traffic within a period of time is
displayed in Figure 6-7.

Figure 6-7 Board traffic

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the Board Traffic tab.
Step 3: Set query parameters. For details, see Table 6-11.
Step 4: Click Search.
The board traffic result that meets the query conditions is displayed.
Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to enter a recipient mail address and select an attachment
format. Then click OK.

----End
6.2.8. IP Location Top N

Function
The IP Location Top N report provides visibility into the Top N IP locations that have the maximum
volume of incoming or attack traffic.

Do not add user-defined IP locations to or delete them from an anti-DDoS device. Otherwise, the IP
Location Top N report on the ATIC is inaccurate.

Parameter

Table 6-12 Query parameters of IP Location Top N

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work
in Load Redundancy mode, the maximum traffic volume in the
defense group is queried and the sum of traffic volumes among
defense groups is queried.
−       If two or more detecting devices in each defense group work
in Load Balancing mode, the sum of traffic volumes within each
defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter
than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected
every five minutes.

Type Select a traffic type. The traffic types are Incoming Traffic and Attack
Traffic.
Incoming Traffic or Attack Traffic can be selected for anti-DDoS
cleaning devices, and only Incoming Traffic can be selected for anti-
DDoS detecting devices.

Unit Select a traffic measurement unit. The unit can be pps or kbit/s. The
default unit is pps.

Top N Enter the value of N.

Example
If the device is set to Total (Cleaning), zone to Total, and traffic type to Incoming Traffic, the top N IP
locations that have the maximum incoming traffic in a specific period are displayed, as shown in Figure 6-8.

Figure 6-8 IP Location Top N

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the IP Location Top N tab.
Step 3: Set query parameters.
Step 4: Click Search.
The status of the top N IP locations that match the query conditions is displayed.

If a Zone has been deleted, the Zone name is displayed as Unknown Zone.

Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data
except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment
format. Then click OK.

----End

6.2.9. IP Location Traffic

Function
This report provides visibility into the incoming or attack traffic of a specific IP location. 

Do not add user-defined IP locations to or delete them from an anti-DDoS device. Otherwise, the IP
Location Top N report on the ATIC is inaccurate.

Parameter

Table 6-13 Query parameters of IP location traffic

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work
in Load Redundancy mode, the maximum traffic volume in the
defense group is queried and the sum of traffic volumes among
defense groups is queried.
−       If two or more detecting devices in each defense group work
in Load Balancing mode, the sum of traffic volumes within each
defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Location Click  . In Location that is displayed, select an IP location and
click OK.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and
shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter
than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected
every five minutes.

Type Select a traffic type. The traffic types are Incoming Traffic and Attack
Traffic.
Incoming Traffic or Attack Traffic can be selected for anti-DDoS
cleaning devices, and only Incoming Traffic can be selected for anti-
DDoS detecting devices.

Unit Select a traffic measurement unit. The unit can be pps or kbit/s. The
default unit is pps.

Example
If the device is set to Total (Cleaning), zone to Total, and traffic type to Incoming Traffic, the
incoming traffic of a specific IP location in a specific period is displayed, as shown in Figure 6-9.

Figure 6-9 Incoming traffic of a specific IP location

Procedure
Step 1: Choose Report > Report > Traffic Analysis.
Step 2: Click the IP Location Traffic tab.
Step 3: Set query parameters.
Step 4: Click Search.
Information about IP location traffic that matches the query conditions is displayed.

If a Zone has been deleted, the Zone name is displayed as Unknown Zone.

Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of
10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of
10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except
figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format.
Then click OK.

----End

6.3. Anomaly/Attack Analysis

Anomaly/attack analysis analyzes various aspects of anomalies and attacks on the network.

6.3.1 Anomaly/Attack Details

Function
The Anomaly/Attack Details report records basic information about all anomalies and attacks so that
you can locate anomaly or attack events.

Parameter

Table 6-14 Query parameters of Anomaly/Attack details

Example
Anomaly/attack details that meet the query conditions are displayed, as shown in Figure 6-10.

Figure 6-10 Anomaly/attack Details

Figure 6-11 Anomaly/attack Logs Details

Procedure
Step 1: Choose Report > Report > Anomaly/Attack Analysis.
Step 2: Click the Anomaly/Attack Details tab.
Step 3: Set query parameters.
Step 4: Click Search.
Step 5: On the Anomaly/Attack Details page, click   to view details on anomaly/attack
logs.

1. Click   to view packet capture files associated with anomaly or attack events.
You can trace attack sources, parse the packets in the packet capture files,
and download the files to obtain the details on and features of the attacker. In
this way, you can work out proper defense policies.
You cannot view the packet capture files associated with certain anomaly or
attack events.
2. Click   to view details on an attack.
Step 6: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data
except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment
format. Then click OK.
----End

6.3.2 Anomaly/Attack Top N

Function
Zone anomaly/attack top N sorts top N Zones by number or duration of anomalies/attacks.

Parameter

Table 6-15 Query parameters of Zone Anomaly/Attack Top N

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that attack traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work
in Load Redundancy mode, the maximum anomaly traffic
volume in the defense group is queried and the sum of
anomaly traffic volumes among defense groups is queried.
−       If two or more detecting devices in each defense group work
in Load Balancing mode, the sum of anomaly traffic volumes
within each defense group and among defense groups is
queried.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.

Top N Enter the value of N.

Table 6-16 Query parameters of Service Anomaly/Attack Top N

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that attack traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work in Load
Redundancy mode, the maximum anomaly traffic volume in the
defense group is queried and the sum of anomaly traffic volumes
among defense groups is queried.
−       If two or more detecting devices in each defense group work in Load
Balancing mode, the sum of anomaly traffic volumes within each
defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change
the time values in corresponding text boxes.
The end time should be later than the start time and the interval cannot be
longer than one year.

Top N Enter the value of N.

Table 6-17 Query parameters of IP Anomaly/Attack Top N

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that attack traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work
in Load Redundancy mode, the maximum anomaly traffic
volume in the defense group is queried and the sum of
anomaly traffic volumes among defense groups is queried.
−       If two or more detecting devices in each defense group work
in Load Balancing mode, the sum of anomaly traffic volumes
within each defense group and among defense groups is
queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Service Select a service or service group from the drop-down list.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval cannot
be longer than one year.

Top N Enter the value of N.

Example
If the Device is Total (Cleaning), Figure 6-12 shows top N Zones by anomalies or attacks within a
period of time.

Figure 6-12 Top N Zones by anomaly/attack

Note:
1. In the left figure, top N Zones by the number of attacks are displayed.
2. In the right figure, top N Zones by the duration of attacks are displayed.

Procedure
Step 1: Choose Report > Report > Anomaly/Attack Analysis.
Step 2: Click the Anomaly/Attack Top N tab.
Step 3: Set query parameters.
Step 4: Click Search.
Top N Zones by anomalies or attacks that meet the query conditions are displayed.
Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of
10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of
10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except
figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format.
Then click OK.
----End

6.3.3. Attack Top N

Function
Attack Top N sorts attack events by top N number of attack packets or top N duration of attacks, and
displays corresponding details.

Parameter

Table 6-18 Query parameters of Attack Top N

Parameter Description

Device Select a cleaning device from the drop-down list. Total
(Cleaning) indicates that attacks on all cleaning devices are queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Service Select a service or service group from the drop-down list.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.

Top N Enter the value of N.

Example
If the Device is set to Total (Cleaning), top N attack events within a period of time are displayed in Figure
6-13.

Figure 6-13 Attack Top N

1. The upper chart displays top N attack events by attack packet quantity.
2. The lower chart displays top N attack events by attack duration.

Procedure
Step 1: Choose Report > Report > Anomaly/Attack Analysis.
Step 2: Click the Attack Top N tab.
Step 3: Set query parameters.
Step 4: Click Search.
Top N attacks that meet the query conditions are displayed.
Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data
except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment
format. Then click OK.
----End
6.3.4. Distribution of Anomaly/Attack Types

Function
In the anomaly/attack type distribution chart, you can view the proportions of various anomaly/attack
types.

Parameter

Table 6-19 Query parameters of Anomaly/Attack Type Distribution

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total
(Detecting) are described as follows:
1. Total (Cleaning):
Indicates that attack traffic on all cleaning devices is queried.
2. Total (Detecting):
−       If two or more detecting devices in a defense group work
in Load Redundancy mode, the maximum anomaly traffic
volume in the defense group is queried and the sum of
anomaly traffic volumes among defense groups is queried.
−       If two or more detecting devices in each defense group work
in Load Balancing mode, the sum of anomaly traffic volumes
within each defense group and among defense groups is
queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Service Select a service or service group from the drop-down list.
For details about service configuration, see 3.2.4 Creating a Service
and a Defense Policy.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are
applicable. The anomaly/attack traffic destined for the IP address is
queried.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.

Example
If the Device is set to Total (Cleaning) and the Zone to test, the distribution of anomaly/attack types
within a period of time is displayed in Figure 6-14.

Figure 6-14 Anomaly/attack type distribution (for cleaning devices)

1. In the left figure, the distribution chart of attack types is displayed by number of attacks.
2. In the right figure, the distribution chart of attack types is displayed by packet
quantity.

If the device is set to Total (Detecting) and the Zone to test, Figure 6-15 shows anomaly/attack type
distribution within a period of time.

Figure 6-15 Anomaly/attack type distribution (for detecting devices)

NOTE:
The distribution chart of anomaly types is displayed by number of anomalies/attacks.

Procedure
Step 1: Choose Report > Report > Anomaly/Attack Analysis.
Step 2: Click the Distribution of Anomaly/Attack Types tab.
Step 3: Set query parameters.
Step 4: Click Search.
The distribution of anomalies/attacks that meet the query conditions is displayed.
Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of
10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of
10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except
figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format.
Then click OK.
----End

6.3.5. Packet Discarding Trend

Function
The packet discarding trend helps you learn about the traffic trend of the various packets discarded by the
cleaning device.

Parameter

Table 6-20 Query parameters of Packet Discarding Trend

Parameter Description

Device Select a cleaning device from the drop-down list. Total
(Cleaning) indicates that the sum of traffic volumes on all cleaning
devices is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then
click OK.

Service Select a service or service group from the drop-down list.
For details about service configuration, see 3.2.4 Creating a Service
and a Defense Policy.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are
applicable. The anomaly/attack log of traffic destined for the IP
address of the Zone is queried.

Time Click   to select the start time and end time of statistics. Or you can
change the time values in corresponding text boxes.
The end time should be later than the start time and the interval
cannot be longer than one year.

Example
If the Device is set to Total (Cleaning), the packet discarding trends within a period of time are displayed
in Figure 6-16.

Figure 6-16 Packet Discarding Trend

This chart is a stacked chart of discarded packets. In the chart, you can view the total number of
discarded packets at a point in time and the traffic change trend of each category of discarded packets.

1. Spoofing packets: packets discarded because of forged-source attacks
2. Dynamic_filter packets: packets discarded because of dynamic signatures
3. User_defined_filter packets: packets discarded because of static filtering policies such as
signatures, ACLs, blacklist entries, and host filtering policies
4. Client_attacks packets: packets discarded because of attacks that use the attacker's IP address
to establish TCP connections
5. Malformed_connections packets: packets discarded because of FIN flood, DNS cache
poisoning, or DNS reflection attacks
6. Malformed packets: packets discarded because of malformed packet attacks
7. Overflow packets: packets discarded because of the configured traffic limiting or rate limiting
policies
8. Other packets: other discarded packets

Procedure
Step 1: Choose Report > Report > Anomaly/Attack Analysis.
Step 2: Click the Packet Discarding Trend tab.
Step 3: Set query parameters.
Step 4: Click Search.
The trend chart of packet discarding that meets the query conditions is displayed.
Step 5: Optional: Open or save the query results as files, or send queried reports to
the specified email address.

1. Click   to open or save the query results as PDF files. A
maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A
maximum of 10,000 entries can be displayed.
3. Click   to enter a recipient mail address and select an attachment
format. Then click OK.

----End

6.4. DNS Analysis
DNS analysis analyzes DNS services on the network in all aspects.
6.4.1. Top N Request Trend

Prerequisites
Top N Requested Domain Names and Top N DNS Source IP Addresses by Request Traffic Rate are
enabled. For details, see 3.2.6.9 Top N Study.

Function
The top N DNS request trend displays top N requested domain names or top N source IP addresses by
DNS request traffic rate in incoming traffic, outgoing traffic, or detecting traffic.

For top N requests, you can perform the following operations:

 Add top N domain names to the DNS cache to improve the response rate and reduce burdens on the
DNS server.
 Limit the packet rates of top N domain names.
 Limit the packet rates of top N source IP addresses.

For details, see 3.2.6.5 DNS Defense Policy.

Parameter

Table 6-21 Parameters for querying Top N Request Trend

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that DNS traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone Click , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
   • If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
   • If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
   • If the query interval is shorter than one day, statistics are collected every five minutes.

Type Select the top N type to be queried.
1. Domain Name Request: indicates the trend of the top N most frequently requested domain names.
2. Source IP Address Request: indicates the trend of the top N source IP addresses that send the most requests to the DNS server.

Statistics Select a mode for collecting statistics.

Top N Enter the value of N.

Example
If the Device is set to Total (Cleaning), traffic type to Domain Name Request, and statistical method
to Current Top N, top N trend analysis results with a period of time are displayed in Figure 6-17.

Figure 6-17 Request top N trend

Procedure
Step 1 Choose Report > Report > DNS Analysis.

Step 2 Click the Top N Request Trend tab.

Step 3 Set query parameters.

Step 4 Click Search.

Top N trend analysis results are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.
----End

6.4.2. Top N Response Trend

Prerequisites
Top N DNS Source IP Addresses by Response Traffic Rate is enabled. For details, see 3.2.6.9 Top
N Study.
Function
The top N response trend diagram provides visibility into top N source IP addresses in DNS response
traffic.

You can limit the rate of DNS response packets by top N DNS source IP addresses. For details, see 3.2.6.5
DNS Defense Policy.

Parameter

Table 6-22 Parameters for querying the top N response trend

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that DNS traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics Select a mode for collecting statistics.

Top N Enter the value of N.

Example
If the Device is set to Total (Cleaning) and Statistics to Average Top N, the top N response trend within a given time segment is displayed, as shown in Figure 6-18.

Figure 6-18 Top N response trends

Procedure
Step 1 Choose Report > Report > DNS Analysis.

Step 2 Click the Top N Response Trend tab.

Step 3 Set query parameters.

Step 4 Click Search.

Top N trend analysis results that meet the search conditions are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

• Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
• Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
• Click   to open or save the query results as CSV files. All data except figures can be displayed.
• Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.4.3. Cache Request Trend

Prerequisites
The DNS static cache function has been enabled and configured. For details, see 3.2.6.5
DNS Defense Policy.

Function
The DNS cache request trend collects statistics on external requests for domain names in
the DNS cache. If domain names in the DNS cache are seldom requested, replace them
with domain names that are frequently requested.

Parameter

Table 6-23 Query parameters of Cache Request Trend

Parameter Description

Device Select a cleaning device from the drop-down list. Total (Cleaning) indicates that traffic on all cleaning devices is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Service Select a service or service group from the drop-down list. For details about service configuration, see 3.2.4 Creating a Service and a Defense Policy.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
   • If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
   • If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
   • If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If the Device is set to Total (Cleaning) and the Zone to Total, Figure 6-19 shows the analysis results of the cache request trend within a period of time.

Figure 6-19 Cache request trend

Procedure
Step 1 Choose Report > Report > DNS Analysis.

Step 2 Click the Cache Request Trend tab.

Step 3 Set query parameters.

Step 4 Click Search.

The analysis results of the cache request trend are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.
----End

6.4.4. Request Category Trend

Prerequisites
The DNS statistics item has been enabled. For details, see 3.2.6.5 DNS Defense Policy.

Function
The request category trend collects statistics on DNS request packets and displays various DNS request
curves. This function allows you to monitor DNS traffic distribution on the live network.

Parameter

Table 6-24 Query parameters of Request Category Trend

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that DNS traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone Click , select a Zone on the Zone page that is displayed, and then click OK.

Service Select a service or service group from the drop-down list. For details about service configuration, see 3.2.4 Creating a Service and a Defense Policy.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The DNS traffic destined for the IP address is queried.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Type Select the DNS type of the request category trend to be viewed.
1. Total Traffic: indicates the sum of TCP traffic and UDP traffic.
2. TCP
3. UDP

Example
If the Device is set to Total (Cleaning) and the Zone to Total, the trend analysis results of DNS within a
period of time are displayed in Figure 6-20.

Figure 6-20 Trend analysis

Procedure

Step 1 Choose Report > Report > DNS Analysis.

Step 2 Click the Request Category Trend tab.

Step 3 Set query parameters.

Step 4 Click Search.

Trend analysis results of DNS are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

• Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
• Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
• Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.4.5. Resolution Success Ratio

Prerequisites
The outgoing and incoming paths of the DNS request and reply packets must be the same. Otherwise,
the resolution success ratio stays zero all the time.

You must run the anti-ddos server-flow-statistic enable command on the inbound interface to enable
the upstream traffic analysis function.

Function
The successful resolution ratio is the ratio of the rate of responses from the DNS server to the rate of
requests for DNS services. When the DNS server is not attacked, observe and record the normal value of
the successful resolution ratio. If you find that the successful resolution ratio is strikingly lower than the
normal value, capture packets and check whether the DNS server is being attacked.

Parameter

Table 6-25 Query parameters of Resolution Success Ratio

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that DNS traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone Click , select a Zone on the Zone page that is displayed, and then click OK.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. DNS traffic destined for the IP address is queried.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If the Device is set to Total (Cleaning) and the Zone to Total, the resolution success ratio within a period of time is displayed in Figure 6-21.

Figure 6-21 Success resolution ratio

• The request rate indicates the rate of requests for DNS services from the extranet.
• The response rate indicates the rate of responses by the DNS server to the external requests for DNS services.
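The ratio described above, worked through on constructed records as an added example (not code from the ATIC Management Center or its log format): it counts requests and responses per statistics interval, chooses the interval with the rule the Time parameter states, and flags intervals whose ratio is strikingly below a recorded normal value. The record format, the client addresses and the normal value of 0.95 are assumptions.

```python
"""Resolution success ratio (response rate / request rate) per statistics
interval, computed from constructed DNS request/response records.

Added example, not ATIC code. Interval rule as the report's Time parameter
states: daily for >= 7 days, hourly for >= 1 day, otherwise five minutes.
"""
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical "<time> <direction> <client> <name>"
# form: "req" is a request from the extranet to the DNS server, "rsp" is the
# server's response to that client. This is not an ATIC log format.
SAMPLE_LOG = """\
2023-05-01T10:00:05 req 198.51.100.7 www.example.com
2023-05-01T10:00:05 rsp 198.51.100.7 www.example.com
2023-05-01T10:01:10 req 198.51.100.8 mail.example.com
2023-05-01T10:01:10 rsp 198.51.100.8 mail.example.com
2023-05-01T10:04:59 req 198.51.100.9 api.example.com
2023-05-01T10:04:59 rsp 198.51.100.9 api.example.com
2023-05-01T10:05:00 req 198.51.100.7 www.example.com
2023-05-01T10:05:00 rsp 198.51.100.7 www.example.com
2023-05-01T10:07:45 req 198.51.100.8 mail.example.com
2023-05-01T10:07:46 rsp 198.51.100.8 mail.example.com
2023-05-01T10:09:20 req 203.0.113.5 www.example.com
2023-05-01T10:10:01 req 203.0.113.5 www.example.com
2023-05-01T10:10:01 rsp 203.0.113.5 www.example.com
2023-05-01T10:11:02 req 203.0.113.6 www.example.com
2023-05-01T10:11:03 req 203.0.113.7 www.example.com
2023-05-01T10:11:04 req 203.0.113.8 www.example.com
2023-05-01T10:12:00 req 203.0.113.9 www.example.com
2023-05-01T10:15:30 req 198.51.100.7 www.example.com
2023-05-01T10:17:00 req 198.51.100.8 api.example.com
2023-05-01T10:20:00 req 198.51.100.7 www.example.com
"""
QUERY_START = "2023-05-01T10:00:00"
QUERY_END = "2023-05-01T10:20:00"  # 20 minutes, so five-minute statistics


def _as_dt(value):
    """Accept a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def interval_seconds(start, end):
    """Statistics interval for a query window, as the Time parameter describes."""
    start, end = _as_dt(start), _as_dt(end)
    if end <= start:
        raise ValueError("end time must be later than start time")
    span = end - start
    if span > timedelta(days=365):
        raise ValueError("query interval cannot be longer than one year")
    if span >= timedelta(days=7):
        return 86400  # daily
    if span >= timedelta(days=1):
        return 3600   # hourly
    return 300        # every five minutes


def resolution_ratio(lines, start, end):
    """Per-interval (requests, responses, ratio); ratio is None with no requests."""
    start, end = _as_dt(start), _as_dt(end)
    step = interval_seconds(start, end)
    counts = {}  # interval start -> [requests, responses]
    for line in lines:
        if not line.strip():
            continue
        stamp, direction, _client, _name = line.split()
        if direction not in ("req", "rsp"):
            raise ValueError(f"unknown direction in record: {line!r}")
        ts = datetime.fromisoformat(stamp)
        if not start <= ts < end:
            continue  # outside the query window
        offset = int((ts - start).total_seconds()) // step * step
        pair = counts.setdefault(start + timedelta(seconds=offset), [0, 0])
        pair[0 if direction == "req" else 1] += 1
    stats = {}
    for bucket in sorted(counts):
        req, rsp = counts[bucket]
        stats[bucket] = (req, rsp, None if req == 0 else round(rsp / req, 3))
    return stats


def flag_low_ratio(stats, normal_ratio, fraction=0.5):
    """Interval starts whose ratio is below `fraction` of the recorded normal value.

    An interval with requests but no responses (ratio 0.0) is flagged as well.
    When every interval reads 0.0, check the prerequisite first: request and
    reply packets must take the same path, or the ratio stays at zero.
    """
    return [bucket for bucket, (_req, _rsp, ratio) in stats.items()
            if ratio is not None and ratio < normal_ratio * fraction]


if __name__ == "__main__":
    stats = resolution_ratio(SAMPLE_LOG.splitlines(), QUERY_START, QUERY_END)
    for bucket, (req, rsp, ratio) in stats.items():
        print(f"{bucket:%H:%M}  requests={req:<3} responses={rsp:<3} ratio={ratio}")
    # 0.95: constructed normal value recorded while the server was not under attack
    for bucket in flag_low_ratio(stats, normal_ratio=0.95):
        print(f"{bucket:%H:%M}  ratio strikingly below normal: capture packets and check the DNS server")
```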

Procedure
Step 1 Choose Report > Report > DNS Analysis.

Step 2 Click the Resolution Success Ratio tab.

Step 3 Set query parameters.

Step 4 Click Search.

The resolution success ratio that meets the query conditions is displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

• Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
• Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
• Click   to open or save the query results as CSV files. All data except figures can be displayed.
• Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.4.6. Abnormal Packet Analysis

Function
The anomaly packet analysis chart displays the traffic status of normal and anomaly DNS request
packets.

Parameter

Table 6-26 Query parameters of Abnormal Packet Analysis

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that DNS traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum DNS traffic volume in the defense group is queried and the sum of DNS traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of DNS traffic volumes within each defense group and among defense groups is queried.

Zone Click , select a Zone on the Zone page that is displayed, and then click OK.

Service Select a service or service group from the drop-down list. For details about service configuration, see 3.2.4 Creating a Service and a Defense Policy.

IP Address Enter the destination IP address. Both IPv4 and IPv6 addresses are applicable. The DNS traffic destined for the IP address is queried.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Example
If the Device is set to Total (Cleaning) and the Zone to Total, the analysis of the normal and anomaly
packets within a period of time is displayed in Figure 6-22.

Figure 6-22 Anomaly packet analysis

Procedure
Step 1 Choose Report > Report > DNS Analysis.

Step 2 Click the Abnormal Packet Analysis tab.

Step 3 Set query parameters.

Step 4 Click Search.

The analysis of the normal and anomaly packets that meet the query conditions is displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.5. HTTP(S) Analysis


HTTP(S) analysis provides visibility into HTTP services and HTTPS services on the network.

6.5.1. Top N HTTP Request Sources by Traffic

Prerequisites
Top N HTTP Source IP Addresses by Traffic Rate is enabled. For details, see 3.2.6.9 Top N Study.
Function
Top N HTTP request sources by traffic display top N source IP addresses in HTTP incoming, outgoing, or
detecting traffic.

Parameter

Table 6-27 Parameters for querying top N HTTP request sources by traffic

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that HTTP traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics Select a mode for collecting statistics.

Unit Select pps or qps.

Top N Enter the value of N.

Example
If the Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTP request sources by incoming and outgoing traffic within a given time segment are displayed, as shown in Figure 6-23 and Figure 6-24.

Figure 6-23 Top N HTTP request sources by incoming traffic

Figure 6-24 Top N HTTP request sources by outgoing traffic

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.

Step 2 Click the Top N HTTP Request Sources by Traffic tab.

Step 3 Set query parameters.

Step 4 Click Search.

Top N HTTP request sources that meet the search conditions are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.5.2. Top N HTTPS Request Sources by Traffic

Prerequisites
Top N HTTPS Source IP Addresses by Traffic Rate is enabled. For details, see 3.2.6.9 Top N Study.

Function
Top N HTTPS request sources by traffic display top N source IP addresses in HTTPS incoming, outgoing,
or detecting traffic.

Parameter

Table 6-28 Parameters for querying top N HTTPS request sources by traffic

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that HTTP traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics Select a mode for collecting statistics.

Top N Enter the value of N.

Example
If the Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTPS request sources by incoming traffic within a given time segment are displayed, as shown in Figure 6-25, and the top N HTTPS request sources by outgoing traffic within a given time segment are displayed, as shown in Figure 6-26.

Figure 6-25 Top N HTTPS request sources by incoming traffic

Figure 6-26 Top N HTTPS request sources by outgoing traffic

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.

Step 2 Click the Top N HTTPS Request Sources by Traffic tab.

Step 3 Set query parameters.

Step 4 Click Search.

Top N HTTPS request sources that meet the search conditions are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.
----End

6.5.3. Top N Requested URI


Prerequisites
HTTP URI Top N is enabled. For details, see 3.2.6.9 Top N Study.

Function
Top N HTTP URIs display top N URI fields in the HTTP traffic destined for the Zone.

Parameter

Table 6-29 Parameters for querying top N HTTP URIs

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that HTTP traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics Select a mode for collecting statistics.

Top N Enter the value of N.
Example
If the Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTP URIs within a given time segment are displayed, as shown in Figure 6-27.

Figure 6-27 Top N Requested URI

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.

Step 2 Click the Top N Requested URI tab.

Step 3 Set query parameters.

Step 4 Click Search.

Top N HTTP URIs that meet the search conditions are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.5.4. Top N Requested Host

Prerequisites
HTTP Host Top N is enabled. For details, see 3.2.6.9 Top N Study.

Function
Top N requested hosts display the top N host fields in the HTTP traffic destined for the Zone.

Parameter

Table 6-30 Parameters for querying top N HTTP host fields

Parameter Description

Device Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
1. Total (Cleaning): indicates that HTTP traffic on all cleaning devices is queried.
2. Total (Detecting):
   − If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum HTTP traffic volume in the defense group is queried and the sum of HTTP traffic volumes among defense groups is queried.
   − If two or more detecting devices in each defense group work in Load Balancing mode, the sum of HTTP traffic volumes within each defense group and among defense groups is queried.

Zone Click  , select a Zone on the Zone page that is displayed, and then click OK.

Time Click   to select the start time and end time of statistics. Or you can change the time values in corresponding text boxes. The end time must be later than the start time and the interval cannot be longer than one year.
1. If the query interval is longer than or equal to seven days and shorter than one year, statistics are collected daily.
2. If the query interval is longer than or equal to one day and shorter than seven days, statistics are collected hourly.
3. If the query interval is shorter than one day, statistics are collected every five minutes.

Statistics Select a mode for collecting statistics.

Top N Enter the value of N.

Example
If the Device is set to Total (Cleaning) and Statistics to Average Top N, the top N HTTP host fields within a given time segment are displayed, as shown in Figure 6-28.

Figure 6-28 Top N Requested Host

Procedure
Step 1 Choose Report > Report > HTTP(S) Analysis.

Step 2 Click the Top N Requested Host tab.

Step 3 Set query parameters.

Step 4 Click Search.

Top N HTTP host fields that meet the search conditions are displayed.

Step 5 Optional: Open or save the query results as files, or send the queried reports to the specified email address.

1. Click   to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
2. Click   to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
3. Click   to open or save the query results as CSV files. All data except figures can be displayed.
4. Click   to enter a recipient mail address and select an attachment format. Then click OK.

----End

6.6. Comprehensive Report
6.6.1. Querying Comprehensive Reports

You can query comprehensive reports that summarize various reports by Device or Zone.

Procedure
1. Query Device-based system reports.

a.         Choose Report > Comprehensive Report > Comprehensive Report.

b.         Click the System Report tab.

c.         Set system report parameters. For details, see Table 6-31.

Table 6-31 System report parameters

Device
  Description: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume within each defense group is queried, and the traffic volumes of the defense groups are summed.
       - If two or more detecting devices in each defense group work in Load Balancing mode, the traffic volumes are summed within each defense group and across defense groups.
  Value: -

Cycle Comparison
  Description: Determines whether to display the cycle comparison figure. When Display the cycle comparison figure is selected, an Attack Comparison figure is added to the report; it shows the attack count comparison between two consecutive cycles.
  Value:
    - Not display the cycle comparison figure: queries the data within the given time segment.
    - Display the cycle comparison figure: queries the data within the cycle (of the selected Cycle type) to which the selected time point belongs.

Cycle type
  Description: Queries the data of two consecutive cycles. Configure this item when Cycle Comparison is set to Display the cycle comparison figure.
  Value: For example, if you set Cycle Type to Week and the time point to 2012-08-07, the data within the week to which August 7, 2012 belongs is queried, and the Attack Comparison chart compares the attack count of that week with that of the previous week.

Time
  Description: Click the calendar icon to select the start time and end time of the statistics, or edit the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year. Configure this item when Cycle Comparison is set to Not display the cycle comparison figure.
  Value: -

Report Format
  Description: Indicates the report format. The format can be PDF, HTML, or EXCEL.
  Value: -

Report Type
  Description: Indicates the report contents.
  Value: -

d.         Click OK. On the file download page that is displayed, open or save the
system report.
If you need to reset the parameters, click Reset.
2. Query Zone reports.
a.         Choose Report > Comprehensive Report > Comprehensive Report.
b.         Click the Zone Report tab.
c.         Set Zone report parameters. For details, see Table 6-32.

Table 6-32 Zone report parameters

Zone
  Description: Click the select icon, select a Zone on the Zone page that is displayed, and then click OK.
  Value: -

Device
  Description: Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
    1. Total (Cleaning): traffic on all cleaning devices is queried.
    2. Total (Detecting):
       - If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum traffic volume within each defense group is queried, and the traffic volumes of the defense groups are summed.
       - If two or more detecting devices in each defense group work in Load Balancing mode, the traffic volumes are summed within each defense group and across defense groups.
  Value: -

Cycle Comparison
  Description: Determines whether to display the cycle comparison figure. When Display the cycle comparison figure is selected, an Attack Comparison figure is added to the report; it shows the attack count comparison between two consecutive cycles.
  Value:
    - Not display the cycle comparison figure: queries the data within the given time segment.
    - Display the cycle comparison figure: queries the data within the cycle (of the selected Cycle type) to which the selected time point belongs.

Cycle type
  Description: Queries the data of two consecutive cycles. Configure this item when Cycle Comparison is set to Display the cycle comparison figure.
  Value: For example, if you set Cycle Type to Week and the time point to 2012-08-07, the data within the week to which August 7, 2012 belongs is queried, and the Attack Comparison chart compares the attack count of that week with that of the previous week.

Time
  Description: Click the calendar icon to select the start time and end time of the statistics, or edit the time values in the corresponding text boxes. The end time must be later than the start time, and the interval cannot be longer than one year. Configure this item when Cycle Comparison is set to Not display the cycle comparison figure.
  Value: -

Report Format
  Description: Indicates the report format. The format can be PDF, HTML, or EXCEL.
  Value: -

Report Type
  Description: Indicates the report contents.
  Value: -

d.         Click OK. On the file download page that is displayed, open or save the
Zone report.
If you need to reset the parameter, click Reset.
----End

6.6.2. Managing Scheduled Task

A scheduled task makes the system generate reports periodically and send them to the specified
mailbox. For an existing scheduled task, you can change its state, delete it, or query the
task result.

Choose Report > Comprehensive Report > Scheduled Task, and manage scheduled tasks:

Create
  Click the create icon to create a scheduled task. For details, see 6.6.2.1 Creating a Scheduled Task.

Modify
  Click the modify icon of a scheduled task to modify it. For the parameters, see 6.6.2.1 Creating a Scheduled Task.

State
  A scheduled task can be in the Enabled, Suspended, or Expired state.
  1. Enabled: the system automatically performs the scheduled task when the scheduled time arrives.
  2. Suspended: the system does not perform the scheduled task when the scheduled time arrives. Use the Enable operation below to change a Suspended task back to Enabled.
  3. Expired: when the scheduled time of the task exceeds its Life Cycle, the task expires and the system no longer performs it.

Enable
  Click the enable icon of a task in the Suspended state to switch it to Enabled.

Disable
  Click the disable icon of a task in the Enabled state to switch it to Suspended.

Result
  1. Click the result icon of a task.
  2. On the Result page, view the execution time and report status of the task.
     - Click the download icon of a report to download the generated report.
     - Click the delete icon of a report to delete the generated report.

Search
  Select Plan or State, or enter Name, and then click the search icon. The scheduled tasks meeting the search conditions are displayed in the list. Fuzzy search is supported.

Delete
  1. Delete one task: click the delete icon of the task in the Operation column.
  2. Delete tasks in batches: select the check boxes of multiple tasks and click the delete button on the upper right of the page.

6.6.2.1. Creating a Scheduled Task

A scheduled task generates comprehensive reports periodically within the specified life cycle and sends them
to the specified mailbox, so that the user does not have to query them manually.

Prerequisites
When you need to use the mailbox to receive the reports, you must complete the configuration of the
mail server in the ATIC Management center. For details, see 7.4.1 Mail Server.

Procedure
                               Step 1     Choose Report > Comprehensive Report > Scheduled Task.

                               Step 2     On the Scheduled Task List page, click   to create a scheduled task.
                               Step 3     Configure scheduled task information. For details, see Table 6-33.

Table 6-33 Creating a scheduled task

Name
  Description: Identifies the task for easy search.
  Setting: Cannot contain spaces or any of the characters ' | \ , < > & ; " %. The value contains a maximum of 32 characters and cannot be empty.

Plan
  Description: Indicates the execution period of the task (daily, weekly, monthly, or yearly).

Run Time
  Description: Indicates the execution time of the task.

Life Cycle
  Description: Indicates the validity period of the task. The task becomes invalid when it expires.
  Setting (example for Plan, Run Time, and Life Cycle): if you set the life cycle from 2010-12-8 00:00:00 to 2011-12-8 23:59:59 and the plan time to 00:00 on the 8th day of each month, the system generates reports at 00:00 on the 8th day of each month within that life cycle.

Report Format
  Description: Indicates the format for exporting the report. Multiple formats are available.
  Setting: You need to select at least one format.

Description
  Description: Describes the task.
  Setting: Its length cannot exceed 255 characters.

The data covered by the system reports and Zone reports of a scheduled task is as follows:

- If the task is performed daily, data of the last day is obtained.
- If the task is performed weekly, data of the last week is obtained.
- If the task is performed monthly, data of the last month is obtained.
- If the task is performed yearly, data of the last year is obtained.

                          Step 4: Click OK.

                          Step 5 : Configure task contents, that is, reports periodically generated.

You need to select at least one of the system report and Zone report.

 Select the system report.

Click the System Report tab, select the Device and report types to be queried, and fill in the email
address.

The generated system reports will be sent to the email address.

 Select the Zone report.

Click the Zone Report tab, select the Device and report types to be queried, and fill in the email
address.
The generated Zone reports will be sent to the email address. Before selecting Send to a user-
defined email box, ensure that an email address has been configured for the Zone objects. For details,
see 3.1.1 Adding a Zone.

                          Step 6     Click OK.

----End
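The rules in Table 6-33 and the "data of the last period" note above are easy to get wrong at period boundaries. The following added example (not code from the ATIC guide or the product) validates a task name against the character rules, enumerates the run times of a monthly task inside its life cycle, and computes the data window a report covers for each plan type. Where the guide is silent it assumes that a report covers the previous whole calendar period ending at 00:00 of the run day, that weeks start on Monday, and that a monthly task whose day does not exist in a month has no run that month; all names and dates are constructed.

```python
"""Added example, not from the ATIC guide: checks a scheduled-task name
against the rules in Table 6-33, lists the run times of a monthly task
inside its life cycle, and computes the data window a report covers for
each plan type (last day, week, month or year).

Assumptions (the guide does not state them): a report covers the previous
whole calendar period ending at 00:00 of the run day, weeks start on Monday,
and a monthly task whose day does not exist in a month (e.g. the 31st in
April) simply has no run that month."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Characters Table 6-33 forbids in a task name; whitespace is rejected separately.
FORBIDDEN_NAME_CHARS = set("'|\\,<>&;\"%")
MAX_NAME_LEN = 32


def valid_task_name(name: str) -> bool:
    """True if the name is non-empty, at most 32 characters, and contains
    no whitespace or forbidden punctuation."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return not any(c.isspace() or c in FORBIDDEN_NAME_CHARS for c in name)


def report_window(plan: str, run_time_iso: str) -> Tuple[str, str]:
    """Return the [start, end) data window, as ISO strings, for a task with
    the given plan that runs at run_time_iso."""
    run = datetime.fromisoformat(run_time_iso)
    day_start = datetime(run.year, run.month, run.day)
    if plan == "daily":
        start, end = day_start - timedelta(days=1), day_start
    elif plan == "weekly":
        this_monday = day_start - timedelta(days=day_start.weekday())
        start, end = this_monday - timedelta(weeks=1), this_monday
    elif plan == "monthly":
        first_of_month = day_start.replace(day=1)
        start = (first_of_month - timedelta(days=1)).replace(day=1)
        end = first_of_month
    elif plan == "yearly":
        start, end = datetime(run.year - 1, 1, 1), datetime(run.year, 1, 1)
    else:
        raise ValueError(f"unknown plan {plan!r}")
    return start.isoformat(), end.isoformat()


def monthly_run_times(life_start_iso: str, life_end_iso: str,
                      day: int, hour: int = 0, minute: int = 0) -> List[str]:
    """All run timestamps of a monthly task (run on `day` at hour:minute)
    that fall inside the life cycle [life_start, life_end], as ISO strings."""
    life_start = datetime.fromisoformat(life_start_iso)
    life_end = datetime.fromisoformat(life_end_iso)
    runs: List[str] = []
    year, month = life_start.year, life_start.month
    while datetime(year, month, 1) <= life_end:
        try:
            t = datetime(year, month, day, hour, minute)
        except ValueError:
            t = None  # day does not exist in this month: no run (assumption)
        if t is not None and life_start <= t <= life_end:
            runs.append(t.isoformat())
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return runs


if __name__ == "__main__":
    # The guide's own example: life cycle 2010-12-8 00:00:00 to 2011-12-8
    # 23:59:59, run at 00:00 on the 8th of each month, gives 13 reports.
    runs = monthly_run_times("2010-12-08T00:00:00", "2011-12-08T23:59:59", 8)
    print(len(runs), runs[0], runs[-1])
    print(report_window("monthly", runs[1]))
```

Running the block reproduces the guide's example: thirteen runs from 2010-12-08 to 2011-12-08, and the January run reports on the whole of December 2010.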

Follow-up Procedure

You can view or download reports generated by the scheduled task by performing 6.6.3 Downloading
Report.

6.6.3. Downloading Report

You can view, and download reports generated by scheduled tasks, and also perform management
operations such as searching, and deleting reports.
Choose Report > Comprehensive Report > Report Download, and manage generated reports.

Download
  Click the download icon of a report in the Operation column to view or download the report.

Search
  Enter the name of the report in the Report Name box and click the search icon. Reports meeting the search conditions are displayed in the list. Fuzzy search is supported.

Delete
  1. Delete one report: click the delete icon of the report in the Operation column.
  2. Delete reports in batches: select the check boxes of multiple reports and click the delete button on the upper left of the page.

6.7. Report Customization
6.7.1. Customizing Report-Related Information

You can customize the carrier name and logo.


Procedure
                               Step 1     Choose Report > Report Customization > Report Customization.
                               Step 2     Specify the carrier name and select the logo image file in Report
Customization. Then click OK.
After the configuration, the customized carrier name and logo are printed in all
reports.
----End

6.7.2. Configuring IP Description

Configuring IP description provides visibility into the description of IP addresses in the IP description
report for easy management.

Operation
Choose Report > Report Customization > IP Address Description to manage IP description.

Create
  Click the create icon to create an IP description. For details, see Creating an IP Description.

Modify
  Click the modify icon of the IP description to be modified.

Delete
  1. Delete an IP description: click the delete icon in the Operation column.
  2. Delete IP descriptions in batches: select the check boxes of multiple IP descriptions and click the delete button above the list. Select the check box on the title bar and click the delete button above the list to delete all IP descriptions.

Import
  1. Click the import icon.
  2. On the Import IP Address Description Entry page, click the template link to download a template to the local host, enter the parameters, and save the template.
  3. On the Import IP Address Description Entry page, click Browse..., select the completed template, and click OK.
  Imported IP descriptions are displayed in the IP description list.

Export
  1. Select one or more IP descriptions and click the export icon.
  2. On the File Download page, click Open to view the IP description list or click Save to save the list to the local host.

Export All
  1. Click the export-all icon.
  2. On the File Download page, click Open to view the IP description list or click Save to save the list to the local host.

Search
  Enter the IP address or description to be queried and click the search icon to display the IP descriptions matching the given conditions.

Creating an IP Description
                               Step 1     Choose Report > Report Customization > IP Address Description.

                               Step 2     On the IP Address Description page, click the create icon.

                               Step 3     Enter an IP address and its description and click OK.


The description is a string of not more than 255 characters.
After an IP description is created, both the IP address and the description are
displayed in the report.
----End
7. System Management
7.1. Configuring the System Administrators
Configuring the system administrators protects the ATIC Management center and the data it holds by
controlling who can log in, from where, and with which permissions.

7.1.1. Introduction to System Administrators

Configuring the system administrators covers the system security policy, permission- and domain-specific
management of the ATIC Management center, restriction of the IP addresses from which the ATIC Management
center can be accessed, and real-time monitoring and management of online administrators.

The system security policy contains the password policy, the session timeout duration, and the login policy.

- The password policy defines the minimum length and complexity of the passwords of the system
  administrators.
- The session timeout duration is the idle period after which the session between the system
  administrator and the ATIC Management center is terminated. Any operation by the system administrator
  on the ATIC Management center resets the timeout counter.

  If the system administrator performs no operation within the timeout duration after logging in to
  the ATIC Management center, the current session is terminated. To operate the ATIC Management center
  again, the system administrator must log in again.

- The login policy defines whether an account is locked after the password has been entered
  incorrectly a certain number of consecutive times within 10 minutes, and when a locked account is
  unlocked automatically.

Permission- and domain-specific management of the ATIC Management center, and the restriction of the IP
addresses that can access it, are implemented by configuring administrator groups and administrators as
follows:
- An administrator group is a collection of operation permissions. You assign an administrator group to
  an administrator so that the administrator obtains the permissions of that group. The ATIC Management
  center provides three default administrator groups, namely the administrator, operator, and auditor
  groups.
- The system provides the default administrator admin. The default administrator has all operation
  permissions, can manage all resources, and cannot be modified. You can create a new administrator and
  select an administrator group and resources for it to implement permission- and domain-specific
  management of the ATIC Management center.
- You can select the IP address segments from which an administrator is allowed to access the ATIC
  Management center, to restrict the IP addresses that can access it.

7.1.2. Managing Administrators

The system provides one default administrator, admin. The default administrator has all permissions, can
manage all resources, and can log in to the ATIC Management center from any IP address. To implement
permission- and domain-specific management of the ATIC Management center, you can create
administrators and modify, lock, unlock, or delete them.

Choose System > System Administrators > Administrators, and manage the administrators.

Create
  Click the create icon to create an administrator. For details, see 7.1.2.1 Creating an Administrator.

Modify
  Click the modify icon corresponding to the administrator to modify its authentication mode, password,
  description, associated administrator groups, managed resources, and allowed IP address segments. For
  details, see 7.1.2.2 Modifying an Administrator.

Lock
  To prevent an administrator from logging in to the ATIC Management center, select the administrator
  and click the lock icon. The administrator's status becomes Locked. Locking does not end a session that
  is already established; it only blocks the administrator's next login.
  NOTE
  The current administrator must have the permission to lock an administrator.
  The default administrator admin cannot be locked manually.

Unlock
  Select the locked administrator and click the unlock icon to unlock the administrator.
  NOTE
  The current administrator must have the permission to unlock an administrator.

Delete
  Select one or more administrators and click the delete icon to delete the selected administrators.
  NOTE
  1. The current administrator must have the permission to delete an administrator.
  2. An online administrator and the default administrator admin cannot be deleted.

View
  Click the user name of an administrator to view its description, associated administrator groups,
  managed resources, and allowed IP address segments.

Status
  A newly created administrator is in the Unlocked state. The administrator enters the Locked state, and
  cannot log in to the ATIC Management center, in the following situations:
  1. The ATIC Management center locks the account automatically according to the configured system
     security policy. The account is unlocked automatically when the lock time is up, or manually by the
     default administrator admin or another administrator who has the unlock permission. For details,
     see 7.1.5 Configuring the System Security Policy.
  2. The default administrator admin or another administrator who has the lock permission manually locks
     an unauthorized user. A manually locked account can only be unlocked manually, by the default
     administrator admin or another administrator who has the unlock permission.

7.1.2.1. Creating an Administrator

To implement permission- and domain-specific management of the ATIC Management center, create an
administrator, select an administrator group (whose permissions the administrator obtains), select the
resources it may manage, and set the IP address segment from which it can log in to the ATIC Management center.
Context
Only the default administrator admin can perform one-click alarm clearing, configuration restoration, all
deployment, and public configurations.

Procedure
                               Step 1     Choose System > System Administrators > Administrators.

                               Step 2     Click  .

                               Step 3     Set the parameters of the new administrator, as described in Table 7-1.

Table 7-1 Parameters of the new administrator

Username
  Description: User name for logging in to the ATIC Management center. After an administrator is created, its user name cannot be changed.
  Value: -

Authentication Mode
  Description: Mode for authenticating the login of a system administrator to the ATIC Management center.
  Value:
    1. Password authentication is a local authentication mode in which the user name and password are specified directly on the ATIC Management center server.
       Advantages: high speed and low operating expenditure.
       Disadvantages: lower security, and storage capacity limited by the hardware of the ATIC Management center server.
    2. RADIUS authentication means that the user information is configured on a Remote Authentication Dial In User Service (RADIUS) server; the ATIC Management center acts as the RADIUS client and performs remote authentication through the RADIUS protocol.
       Advantages: higher security and reliability when a third-party server is used for authentication, because RADIUS supports retransmission and standby servers.
       Disadvantages: higher operating expenditure, because a RADIUS server must be deployed.
    NOTE
    When RADIUS authentication is adopted, you need to configure the RADIUS server. For details, see 7.1.6 Configuring the Authentication Server.

Password
  Description: Password for logging in to the ATIC Management center when password authentication is used.
  Value: By default, the password must contain at least eight characters and must contain letters, digits, and special characters at the same time. The exact requirements are subject to the password policy configured in the system security policy. For details, see 7.1.5 Configuring the System Security Policy.

Confirm password
  Description: Enter the password again. The two passwords must be identical.
  Value: Must be the same as Password.

Description
  Description: Brief description of the administrator, helping to identify the administrator.
  Value: -

                               Step 4     Configure the permissions, resources, and allowed IP address segment for the
administrator.

By default, a new administrator has no associated administrator group and no resources, and can access
the ATIC Management center from any IP address. You must assign an administrator group to the
administrator, and select resources and an IP address segment as required.

- Click the Select Administrator Group tab, and select an administrator group for the administrator.
  When multiple administrator groups are selected, the administrator's permissions are the union of the
  permissions of all selected administrator groups.
- Click the Select Resource tab, and select the manageable resources according to Resource Type.
- Click the Select Login Network Segment tab. Perform the following operations to configure the IP
  address segment list, and then select one allowed IP address segment for the administrator.
  - Click the create icon, set Start IP address, End IP address, and Description, and click OK.
  - Select an IP address segment and click the modify icon to modify Start IP address, End IP address,
    and Description, and then click OK.
  - Select the IP address segment to be deleted and click the delete icon to delete it.

                               Step 5     Click OK.

The newly created administrator is displayed in Administrators.

----End
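The access-control rules above (permissions are the union of the selected groups, the administrator may touch only its selected resources, logins are accepted only from an allowed address segment, and a permission change applies at the next login while a resource change applies immediately, as 7.1.2.2 states) are easiest to reason about as a small model. The following is an added example, not code from the ATIC guide or the product; the group contents, permission names, resource names and addresses are constructed, since the guide does not publish the permission tree.

```python
"""Added example, not from the ATIC guide: a small model of the access
control rules the guide describes for administrators. An administrator's
permissions are the union of its administrator groups, it can manage only the
resources selected for it, and it may log in only from an allowed IP address
segment. Permissions are fixed at login and change only on re-login, whereas
manageable resources are checked live.

The group contents, permission names, resource names and addresses below are
constructed for the example; the guide does not publish the permission tree."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Set

# Constructed permission sets for the three default groups.
GROUPS: Dict[str, Set[str]] = {
    "administrator": {"policy.view", "policy.edit", "report.view", "admin.manage"},
    "operator": {"policy.view", "policy.edit", "report.view"},
    "auditor": {"report.view", "log.view"},
}


@dataclass
class Segment:
    """An allowed login segment given as start and end address (inclusive),
    as on the Select Login Network Segment tab."""
    start: str
    end: str

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        return ip_address(self.start) <= a <= ip_address(self.end)


@dataclass
class Administrator:
    username: str
    groups: Set[str] = field(default_factory=set)
    resources: Set[str] = field(default_factory=set)
    segments: List[Segment] = field(default_factory=list)  # empty: any address
    locked: bool = False


def effective_permissions(admin: Administrator) -> Set[str]:
    """Union of the permission sets of all groups assigned to the administrator."""
    perms: Set[str] = set()
    for group in admin.groups:
        perms |= GROUPS.get(group, set())
    return perms


def login_allowed(admin: Administrator, addr: str) -> bool:
    """Locked accounts cannot log in; otherwise the source address must fall
    inside one of the configured segments (no segments means any address)."""
    if admin.locked:
        return False
    if not admin.segments:
        return True
    return any(seg.contains(addr) for seg in admin.segments)


@dataclass
class Session:
    """Permissions are snapshotted at login; resources are read from the
    administrator object on every check, so a resource change applies at once
    while a permission change waits for the next login."""
    admin: Administrator
    permissions: FrozenSet[str]

    def can(self, permission: str, resource: str) -> bool:
        return permission in self.permissions and resource in self.admin.resources


def login(admin: Administrator, addr: str) -> Session:
    if not login_allowed(admin, addr):
        raise PermissionError(f"{admin.username} may not log in from {addr}")
    return Session(admin, frozenset(effective_permissions(admin)))
```

The split between a snapshotted permission set and a live resource lookup is what makes the "takes effect upon the next login" rule observable: removing a group from an administrator does not strip an open session, so an operator who suspects a compromised account should also use the forcible logoff in 7.1.4 rather than rely on the group change alone.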

Follow-up Procedure
When RADIUS authentication is adopted for the administrator, you need to configure the RADIUS server.
For details, see 7.1.6 Configuring the Authentication Server.

7.1.2.2. Modifying an Administrator

The current administrator can modify the authentication mode, password, description, associated
administrator groups, manageable resources, and allowed login IP address segments of an administrator as
required. A change to an administrator's permissions takes effect upon its next login; a change to its
manageable resources takes effect immediately.

Context
The default administrator admin cannot be modified.

Procedure
                               Step 1     Choose System > System Administrators > Administrators.

                               Step 2     Click the modify icon corresponding to the administrator to be modified.

                               Step 3     On the Modify Administrator page, change the basic information about the
administrator. Table 7-1 lists the parameters.
                               Step 4     Change the administrator's permissions, manageable resources, and IP address
segments allowed to log in to the ATIC management center.
1.  Click the Select Administrator Group tab and select the required administrator
group in the administrator group list.
When you select multiple administrator groups, the permissions of the
administrator are the union of those of all selected administrator groups.
2.  Click the Select Resource tab and select the manageable resources.
3.  Click the Select Login Network Segment tab and select the IP address segment
from which the administrator is allowed to log in to the ATIC management
center.
 

After an administrator's permission is modified, the permission takes effect only after the administrator
re-logs in. However, the manageable resources take effect immediately after being modified without
requiring administrator re-login.
                               Step 5:  Click OK.
----End

7.1.3. Managing Administrator Groups

Different administrator groups have different permission sets. You need to select the owning
administrator group for the administrator to be created, so that the administrator can obtain the
permissions on this administrator group. The ATIC Management center provides three default
administrator groups, namely the administrator, operator, and auditor groups. These three default
administrator groups are not allowed to modify or delete.

Choose System > System Administrators > Administrator Groups, and manage the administrator groups.

Create
  Click the create icon to create an administrator group. For details, see 7.1.3.1 Creating an Administrator Group.

Modify
  Click the modify icon corresponding to the administrator group to modify its description and permission set. For details, see 7.1.3.2 Modifying an Administrator Group.
  When the administrator group has associated administrators, their permissions change accordingly after the group's permission set is modified. The change takes effect upon their next login.

Delete
  Select one or more administrator groups and click the delete icon to delete the selected groups. An administrator group can be deleted only when it has no associated administrator.

View
  Click the name of an administrator group to view its description and permission set.

Associated Administrators
  Click the number of administrators associated with an administrator group to view information about these administrators.

7.1.3.1. Creating an Administrator Group

The system provides three default administrator groups, namely, the administrator, operator,
and auditor groups. When the permissions of the default administrator groups cannot meet the
permission assignment requirements, the current administrator can create a new administrator group as
required.

Procedure
                               Step 1     Choose System > System Administrators > Administrator Groups.

                               Step 2     Click the create icon.

                               Step 3     Configure the basic information and permission set for the new administrator
group.

Enter the name and description of the administrator group in Name and Description respectively, and
select the permissions in the Permission Set navigation tree.

                               Step 4     Click OK.

----End

7.1.3.2. Modifying an Administrator Group

The current administrator can modify the description and permission set of a non-default administrator
group as required. When the administrator group has associated users, the permissions of these users
will also be modified after the administrator group permission is modified. The modification of user
permissions takes effect upon the next login.
Context
The three default administrator groups administrator, operator, and auditor are not allowed to modify.

Procedure
                               Step 1     Choose System > System Administrators > Administrator Groups .

                               Step 2     Click the modify icon corresponding to the administrator group to be modified.

                               Step 3     Modify the description or permission set of the administrator group on
the Modify Administrator Group page.

Enter information about the administrator group in Description, and select the permissions in the
Permission Set navigation tree.

                               Step 4     Click OK.

----End

7.1.4. Managing Online Administrators

To detect and stop unauthorized use of the ATIC Management center, you can monitor the online
administrators in real time and forcibly log off any unauthorized administrator.

Prerequisites
1. To view the online administrators, the current administrator must have the permission to view the
online administrators.

2.   To forcibly log off an online administrator, the current administrator must have the permission to
forcibly log off an online administrator.

Context
A session is the connection set up between a browser and the server. One administrator can have
multiple sessions. The forcible logoff applies only to the selected session of that administrator. For
example, if administrator user logs in to the same server from clients A and B, generating sessions a
and b, forcibly logging off session a of user does not affect session b.
Procedure
                               Step 1     Choose System > System Administrators > Online Administrator .

                               Step 2     Do as follows to view the online administrators and their login information on
the Online Administrators page.

1.    Click the refresh icon in the upper right corner of the page. The latest online administrators
and their login information are displayed.
2.    To forcibly log off an online administrator, select the administrator and
click the logoff icon. In the displayed confirmation dialog box, click OK.

----End

7.1.5. Configuring the System Security Policy

The system security policy contains the password policy, login policy, and session timeout duration.
Configuring the system security policy can improve the system security.

Procedure
                               Step 1     Choose System > System Administrators > Security Policy .

                               Step 2     Click  .
                               Step 3     Set the security policy parameters on the Modify Security Policy page, as
described in Table 7-2.

Table 7-2 Security policy parameters

Minimum length
  Description: Minimum length of the password, preventing too short passwords.
  Value: Default value: 8 characters. You are not advised to set Minimum length to 1 character. Otherwise, the password is easy to crack.

Complexity
  Description: Complexity of the password, preventing too simple passwords.
  Value: Default value: must contain letters, digits, and special characters at the same time. Do not set Complexity to No limit. Otherwise, the password is easy to crack.

Set a validity period for the password
  Description: Indicates whether the administrator password has a validity period. Setting a validity period forces the administrator to change the password before the period ends.
  Value: This function is disabled by default. You are advised to enable it. Otherwise, the password is easy to crack.

Useful-life (days)
  Description: Validity period of the administrator password, in days.
  Value: Default value: 60. You are advised to change the password periodically. Otherwise, the password is easy to crack.

Timeout (minutes)
  Description: If the online user performs no operation within this duration, the system displays a timeout message upon the next operation. In this case, click OK to return to the login page.
  Value: Default value: 30.

Allow Concurrent Login
  Description: Multiple administrators are allowed to log in at the same time.
  Value: Default value: Disabled.

Incorrect password lock
  Description: After the incorrect password lock is enabled, the administrator is locked when the number of incorrect password entries within 10 minutes reaches Allowed attempts.
  Value: Default value: Enabled.

Allowed attempts
  Description: Number of consecutive incorrect password entries allowed. When the number of failures reaches the specified value, the ATIC Management center automatically locks the account. This parameter can be set only after the incorrect password lock is enabled.
  NOTE
  After the administrator is locked, it can be manually unlocked by the default administrator admin or another administrator who has the unlock permission, or unlocked automatically after the lock time is up.
  Value: Default value: 5.

Lock mode
  Description: Indicates how the system handles the account when the number of failed login attempts reaches the upper limit. The available modes are Lock permanently and Lock (minutes).
  Value: Default value: Lock (minutes), 3 minutes.

Lock permanently
  Description: If this mode is selected, the system permanently locks the account when the number of failed login attempts reaches the upper limit. The account can then be unlocked only by another administrator.
  Value: -

Lock (minutes)
  Description: Period for which the administrator is locked. When the lock time is up, the administrator is unlocked automatically.
    1. This parameter applies only to automatic locks. An administrator that was locked manually can only be unlocked manually.
    2. This parameter can be set only after the incorrect password lock is enabled.
  Value: Default value: 3. For example, if the administrator test enters incorrect passwords Allowed attempts times within 10 minutes, it is locked automatically. If Lock (minutes) is set to 3, the administrator is unlocked automatically three minutes later.

Step 4  Click OK.
----End
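The password policy and incorrect-password lock of Table 7-2, modelled as an added example (this is not the ATIC Management center's own code) so the defaults can be exercised offline. It assumes that the attempt which reaches Allowed attempts triggers the lock, that times are given as minutes from an arbitrary origin, and that Lock permanently is represented by a lock duration of None.

```python
"""Added example: models the Table 7-2 password policy and incorrect-password
lock so the defaults can be exercised offline. Not the ATIC Management center's
own code. Assumptions: the attempt that reaches Allowed attempts locks the
account; times are minutes from an arbitrary origin; Lock permanently is
represented by lock_minutes=None."""
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SPECIAL = set(string.punctuation)


def password_violations(pw: str, min_length: int = 8, complexity: bool = True) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted).
    Defaults follow Table 7-2: Minimum length 8, Complexity = letters, digits
    and special characters at the same time."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if complexity:
        if not any(c.isalpha() for c in pw):
            problems.append("no letters")
        if not any(c.isdigit() for c in pw):
            problems.append("no digits")
        if not any(c in SPECIAL for c in pw):
            problems.append("no special characters")
    return problems


@dataclass
class LockPolicy:
    enabled: bool = True               # Incorrect password lock
    allowed_attempts: int = 5          # Allowed attempts
    window_minutes: int = 10           # fixed 10-minute window stated in Table 7-2
    lock_minutes: Optional[int] = 3    # Lock (minutes); None means Lock permanently


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of recent wrong passwords
    locked_until: Optional[float] = None                 # automatic lock expiry
    locked_manually: bool = False
    locked_permanently: bool = False


class LoginGuard:
    """Tracks failed logins per administrator and applies the lock rules."""

    def __init__(self, policy: Optional[LockPolicy] = None):
        self.policy = policy or LockPolicy()
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, admin: str) -> AccountState:
        return self.accounts.setdefault(admin, AccountState())

    def is_locked(self, admin: str, now: float) -> bool:
        s = self._state(admin)
        if s.locked_manually or s.locked_permanently:
            return True                      # only an administrator can unlock these
        if s.locked_until is not None and now < s.locked_until:
            return True
        if s.locked_until is not None:       # lock time is up: automatic unlock
            s.locked_until = None
            s.failures.clear()
        return False

    def record_failure(self, admin: str, now: float) -> bool:
        """Register a wrong password entered at `now`; True if the account is now locked."""
        s = self._state(admin)
        if not self.policy.enabled:
            return False
        if self.is_locked(admin, now):
            return True
        # keep only failures inside the 10-minute window, then count this one
        s.failures = [t for t in s.failures if now - t < self.policy.window_minutes]
        s.failures.append(now)
        if len(s.failures) >= self.policy.allowed_attempts:
            if self.policy.lock_minutes is None:
                s.locked_permanently = True
            else:
                s.locked_until = now + self.policy.lock_minutes
            return True
        return False

    def record_success(self, admin: str) -> None:
        self._state(admin).failures.clear()

    def lock_manually(self, admin: str) -> None:
        self._state(admin).locked_manually = True

    def unlock_by_administrator(self, admin: str) -> None:
        """Manual unlock by admin or another administrator with the unlock permission."""
        s = self._state(admin)
        s.locked_manually = s.locked_permanently = False
        s.locked_until = None
        s.failures.clear()
```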

7.1.6. Configuring the Authentication Server

The authentication server needs to be correctly configured if administrator authentication uses the
Remote Authentication Dial-In User Service (RADIUS).

Prerequisites
An authentication server is available.
Procedure
Step 1  Choose System > System Administrators > Authentication Server.

Step 2  Click  .

Step 3  On the Modify RADIUS Server page, set the RADIUS server parameters listed in Table 7-3.

Table 7-3 Configuring the RADIUS server

Parameter: Auth mode
Description: Mode for the RADIUS server to authenticate administrators.
Value:
1. PAP: uses a plain text password and requires two-way handshakes. Compared with CHAP authentication, it is superior in authentication efficiency but inferior in security.
2. CHAP: uses a cipher text password and requires three-way handshakes. Compared with PAP authentication, it is superior in security but inferior in authentication efficiency.
Main and spare RADIUS servers need to use the same authentication method.

Parameter: Main IP address
Description: IP address of the main RADIUS server.
Value: -

Parameter: Spare IP address
Description: IP address of the spare RADIUS server.
Value: -

Parameter: Port
Description: Port of the RADIUS server.
Value: Main and spare RADIUS servers need to use the same port.

Parameter: Shared key
Description: Encrypts RADIUS authentication packets to safeguard authentication information during transfer.
Value: To authenticate the identities of the involved parties, the shared key must be the same as the key configured on the RADIUS server. Main and spare RADIUS servers need to use the same shared key.

Step 4  Click OK.
----End
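To make the Auth mode trade-off in Table 7-3 concrete, this added example (not Huawei's code) reconstructs what each handshake places on the wire: PAP sends the password itself, while CHAP (RFC 1994, the same construction RADIUS uses for its CHAP-Password attribute) sends MD5(identifier || password || challenge), so the server only recomputes and compares. The user name and password used are constructed sample values.

```python
"""Added example (not Huawei's code): what the two RADIUS Auth modes in
Table 7-3 reveal to anyone who can read the authentication exchange.
PAP: two-way handshake, the request carries the password.
CHAP (RFC 1994): three-way handshake, the response carries
MD5(identifier || secret || challenge) and the secret stays on the client."""
import hashlib
import secrets
from typing import Dict, Tuple


def pap_request(username: str, password: str) -> Dict[str, str]:
    """PAP step 1 of 2: the client's request already contains the password."""
    return {"user": username, "password": password}


def pap_verify(request: Dict[str, str], stored: Dict[str, str]) -> bool:
    """PAP step 2 of 2: the server compares against its stored credential."""
    return secrets.compare_digest(stored.get(request["user"], ""), request["password"])


def chap_challenge(length: int = 16) -> Tuple[int, bytes]:
    """CHAP step 1 of 3: the server sends a fresh identifier and a random challenge."""
    return secrets.randbelow(256), secrets.token_bytes(length)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP step 2 of 3: the client answers with a hash; the secret is not sent."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: str) -> bool:
    """CHAP step 3 of 3: the server recomputes the hash from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def exchange_reveals_password(mode: str, username: str, password: str) -> bool:
    """Simulate one authentication and report whether the password appears on the wire."""
    if mode == "PAP":
        request = pap_request(username, password)
        wire = f"{request['user']}:{request['password']}".encode()
        return password.encode() in wire
    if mode == "CHAP":
        ident, challenge = chap_challenge()
        response = chap_response(ident, password, challenge)
        wire = bytes([ident]) + challenge + response + username.encode()
        return password.encode() in wire
    raise ValueError("mode must be PAP or CHAP")
```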

7.2. System Maintenance
This section describes the configurations of performance monitoring, operation log dumping, anti-DDoS data
maintenance, and system backup.

7.2.1. Performance Monitoring

Monitoring the system performance means monitoring the server and database information. You can monitor system performance by setting usage thresholds for all items of the server, so that anomalies are discovered and rectified as soon as possible and system operation is optimized.

Procedure
Step 1  Choose System > System Maintenance > Performance Monitoring.
Step 2  Set the usage thresholds for the server.

1. Click   in the Threshold Settings group box.

2. The Modify Threshold page is displayed. Set the usage thresholds for the server on this page. Table 7-4 lists the default thresholds.

Table 7-4 Default thresholds

Parameter Default Threshold

CPU usage threshold 90%

Memory usage threshold 90%

Disk usage threshold 90%

Database usage threshold 90%

3. Click OK.

Return to the System Performance page when the threshold is modified successfully.

Step 3  Monitor the server and database performance in the System Performance group box, as shown in Table 7-5.

The system collects the server and database performance data periodically.

Table 7-5 Monitoring the server and database performance

Parameter: CPU
Description: If the CPU usage has exceeded the threshold for three consecutive times, the ATIC Management center generates an alarm. When the CPU usage becomes lower than the threshold, the alarm is cleared automatically. The red line represents the threshold.

Parameter: Memory
Description: If the memory usage has exceeded the threshold for three consecutive times, the ATIC Management center generates an alarm. When the memory usage becomes lower than the threshold, the alarm is cleared automatically. The red line represents the threshold.

Parameter: Disk
Description: If the disk usage exceeds the threshold, the ATIC Management center generates an alarm. When the disk usage becomes lower than the threshold, the alarm is cleared automatically.

Parameter: Database
Description: The MySQL database capacity grows automatically with the data amount. In this case, you should check whether the used capacity is too large. Insufficient remaining disk space for the database will cause improper operation of the database and the ATIC Management center.

----End
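The alarm rules of Table 7-5, implemented as an added example (not the product's code) and replayed over constructed usage readings, with the Table 7-4 defaults as thresholds. It assumes a reading exceeds the threshold only when it is strictly above it, and that an alarm clears only when a reading is strictly below it.

```python
"""Added example (not the ATIC Management center's code): the alarm rules of
Table 7-5 replayed over constructed readings. CPU and memory alarm after three
consecutive readings above the threshold; disk alarms on the first; every alarm
clears when usage is lower than the threshold. Thresholds follow Table 7-4."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Table 7-4 defaults in percent; "strikes" = consecutive exceedances needed to alarm.
RULES: Dict[str, Dict[str, int]] = {
    "cpu":    {"threshold": 90, "strikes": 3},
    "memory": {"threshold": 90, "strikes": 3},
    "disk":   {"threshold": 90, "strikes": 1},
}


class PerformanceMonitor:
    def __init__(self, rules: Optional[Dict[str, Dict[str, int]]] = None):
        self.rules = rules or RULES
        self.over: Dict[str, int] = defaultdict(int)       # consecutive readings above threshold
        self.alarmed: Dict[str, bool] = defaultdict(bool)  # current alarm state per metric

    def observe(self, metric: str, usage: float) -> Optional[str]:
        """Feed one periodic reading; return "raise", "clear" or None."""
        rule = self.rules[metric]
        if usage > rule["threshold"]:        # assumption: "exceeded" means strictly above
            self.over[metric] += 1
            if not self.alarmed[metric] and self.over[metric] >= rule["strikes"]:
                self.alarmed[metric] = True
                return "raise"
            return None
        self.over[metric] = 0                # streak broken
        if self.alarmed[metric] and usage < rule["threshold"]:  # "lower than the threshold" clears
            self.alarmed[metric] = False
            return "clear"
        return None


def replay(samples: List[Tuple[str, float]]) -> List[Tuple[int, str, str]]:
    """Run readings through a fresh monitor; return (index, metric, event) for each alarm change."""
    monitor = PerformanceMonitor()
    events = []
    for i, (metric, usage) in enumerate(samples):
        event = monitor.observe(metric, usage)
        if event:
            events.append((i, metric, event))
    return events


# Constructed readings: a two-sample CPU spike (no alarm), a sustained CPU spike,
# and one disk breach. Real data would come from the periodic collection.
SAMPLE: List[Tuple[str, float]] = [
    ("cpu", 95), ("cpu", 97), ("cpu", 80),     # 0-2: two over, then recovers
    ("cpu", 91), ("cpu", 92), ("cpu", 99),     # 3-5: third consecutive -> raise at 5
    ("cpu", 99), ("cpu", 85),                  # 6-7: still over, then clear at 7
    ("disk", 91), ("disk", 92), ("disk", 70),  # 8-10: disk raises at 8, clears at 10
]

if __name__ == "__main__":
    for index, metric, event in replay(SAMPLE):
        print(f"reading {index}: {metric} alarm {event}")
```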

7.2.2 Dumping the Operation Logs

After you set the period for dumping operation logs, the system automatically dumps the operation logs from the ATIC Management center to the specified directory on the ATIC Management center server according to the specified period. This reduces the number of records in the database and improves the operating efficiency of the ATIC Management center.

Context
The dumped operation logs are saved to the Installation directory/Runtime/LegoRuntime/datastorage/sysoptlog path on the ATIC Management center server. You can set the dumping period for the logs and the number of recent days in which logs are reserved. For example, if the log dumping period is set to 30 days, the logs of the recent 90 days are set to be reserved, and the dumping is set to start at 02:00:00, the ATIC Management center dumps the operation logs generated 90 days ago, the database deletes the dumped logs and reserves only the operation logs of the recent 90 days, and the ATIC Management center performs the next dumping 30 days after the last dumping.

Procedure
Step 1  Choose System > System Maintenance > Log Dump.

Step 2  Click   in the Modify Dump Parameter area.

Step 3  Set the log dumping parameters, as described in Table 7-6.

Table 7-6 Log dumping parameters

Parameter: Dumped schedule
Description: Time at which the ATIC Management center automatically dumps operation logs. The dumping time is usually set to a point in time at which the ATIC Management center is idle, for example, 02:00:00.
Recommended Value: Default value: 02:00:00.

Parameter: Dump period (days)
Description: Period after which the ATIC Management center starts to dump logs.
Recommended Value: Default value: 30 days. If the dumping period is set to 30 days, the ATIC Management center dumps logs once every 30 days.

Parameter: Reserve recent data records (days)
Description: Logs generated in the recent days are reserved.
Recommended Value: Default value: 90 days. By default, the ATIC Management center dumps the records generated 90 days ago, and the database deletes them.

Parameter: File format
Description: Format of the dump file.
Recommended Value: -

Parameter: Language
Description: Language of the dump file. If the dump language is English, the dumped operation logs are recorded in English.
Recommended Value: Default value: English.

 
Step 4  Click OK.
----End

Result
When the specified dumping period and dumping time are reached, the ATIC Management center automatically dumps the operation logs to the Installation directory/Runtime/LegoRuntime/datastorage/sysoptlog path on the ATIC Management center server. The dumped logs are not displayed in System Logs but stored in the specified directory. To view the dumped logs, download them as a file to the client and open the file in a text editor.

Follow-up Procedure
1. You can view the dumping records in the Historical Dumps area.

2. (Optional) You can click the compression package of the dumped logs to save the logs to the specified path on the client.

3. (Optional) You can select the dumped logs that do not need to be reserved and click   to delete the logs from the ATIC Management center server.

7.2.3. Dumping the Alarms

When the number of past alarms stored in the ATIC Management center database exceeds the threshold, the ATIC Management center performance is affected and the ATIC Management center may even break down. The alarm dump function dumps the events and the past alarms in the database as files to the specified folder, reducing the burden on the ATIC Management center and improving its operating performance.

Context
The ATIC Management center dumps the alarms stored in the database to the File dump path displayed on the interface according to the specified dumping period. You can set the dumping period for the alarms and the number of recent days in which alarms are reserved. For example, if the alarm dumping period is set to 30 days, the alarms of the recent 90 days are set to be reserved, and the dumping is set to start at 02:00:00, the ATIC Management center dumps the alarms generated 90 days ago, the database deletes the dumped alarms and reserves only the alarms of the recent 90 days, and the ATIC Management center performs the next dumping 30 days after the last dumping.

Procedure
Step 1  Choose System > System Maintenance > Alarm Dump.

Step 2  Click   in the Dump Settings area.

Step 3  Set the alarm dump parameters, as described in Table 7-7.

Table 7-7 Setting the alarm dump parameters

Parameter: Dumped schedule
Description: Time when the ATIC Management center starts to dump alarms automatically. The dumping time is usually set to a point in time at which the ATIC Management center is idle.
Recommended Value: Default value: 02:00:00. The dumping time is in the format HH:MM:SS.

Parameter: Dump period (days)
Description: Period after which the ATIC Management center starts to dump alarms.
Recommended Value: Default value: 30 days. If the dumping period is set to 30 days, the ATIC Management center dumps alarms once every 30 days.

Parameter: Reserve recent data records (days)
Description: Alarms generated in the recent X days are reserved.
Recommended Value: Default value: 90 days. By default, the ATIC Management center dumps the records generated 90 days ago, and the database deletes them.

Parameter: File format
Description: Format of the dump file.
Recommended Value: -

Parameter: Language
Description: Language of the dump file.
Recommended Value: Default value: English.

 
Step 4  Click OK.
----End

Result
When the specified dumping period and dumping time are reached, the ATIC Management center automatically dumps the alarms to the File dump path displayed on the interface. The dumped alarms are not displayed in Past Alarms but stored in the specified directory. To view the dumped alarms, download them as a file to the client and open the file in a text editor.

Follow-up Procedure
1.         You can view the dumping records in the Historical Dumps area.

2.         (Optional) You can click the compression package of the dumped alarms to save the alarms to the
specified path on the client.

3.         (Optional) You can select the dumped alarms that do not need to reserve and click   to delete
the dumped alarms from the ATIC Management center server.
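The dump schedule and retention rule shared by operation log dumping (7.2.2) and alarm dumping (7.2.3), modelled as an added example that is not the product's code: with the defaults (Dumped schedule 02:00:00, Dump period 30 days, Reserve recent data records 90 days) each run moves the records generated 90 or more days before the run into the dump and keeps the rest in the database, and the next run falls 30 days later at 02:00:00. The record timestamps are constructed, and treating a record exactly 90 days old as dumped is an assumption.

```python
"""Added example (not the ATIC Management center's code): the dump schedule and
retention rule shared by operation log dumping (7.2.2) and alarm dumping (7.2.3).
Defaults: dump at 02:00:00, every 30 days, reserve the most recent 90 days.
Assumption: a record generated exactly reserve_days before the run is dumped."""
from datetime import datetime, time, timedelta
from typing import List, Tuple

Record = Tuple[datetime, str]   # (generation time, payload such as an operation log line)


def next_dump_time(last_dump: datetime, dump_period_days: int = 30,
                   dumped_schedule: time = time(2, 0, 0)) -> datetime:
    """The next run is `dump_period_days` after the last one, at the Dumped schedule time."""
    day = (last_dump + timedelta(days=dump_period_days)).date()
    return datetime.combine(day, dumped_schedule)


def split_records(records: List[Record], run_time: datetime,
                  reserve_days: int = 90) -> Tuple[List[Record], List[Record]]:
    """Partition records into (kept in database, dumped to file) for one run."""
    cutoff = run_time - timedelta(days=reserve_days)
    kept = [r for r in records if r[0] > cutoff]
    dumped = [r for r in records if r[0] <= cutoff]
    return kept, dumped


def simulate(records: List[Record], first_run: datetime, runs: int = 2,
             dump_period_days: int = 30, reserve_days: int = 90
             ) -> Tuple[List[Tuple[datetime, int]], List[Record]]:
    """Apply successive dump runs to a database snapshot.
    Returns [(run time, records dumped)] and the records still in the database."""
    db = sorted(records)
    history = []
    run = first_run
    for _ in range(runs):
        db, dumped = split_records(db, run, reserve_days)
        history.append((run, len(dumped)))
        run = next_dump_time(run, dump_period_days)
    return history, db


def make_records(start: datetime, days: int) -> List[Record]:
    """Constructed sample: one record per day at the given time of day."""
    return [(start + timedelta(days=i), f"op-{i}") for i in range(days)]


# Constructed database: a record each day at 12:00 from 2023-12-01 to 2024-03-31 (122 records),
# with the first dump run at the default schedule time on 2024-04-01.
SAMPLE_DB = make_records(datetime(2023, 12, 1, 12, 0, 0), 122)
FIRST_RUN = datetime(2024, 4, 1, 2, 0, 0)

if __name__ == "__main__":
    history, remaining = simulate(SAMPLE_DB, FIRST_RUN)
    for run, count in history:
        print(f"{run}: dumped {count} records")
    print(f"{len(remaining)} records remain in the database")
```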

7.2.4. Maintaining Anti-DDoS Data

This section describes how to maintain anti-DDoS data by setting appropriate data reservation durations so that storage resources are used efficiently.

Procedure
Step 1  Choose System > System Maintenance > Anti-DDoS Data Maintenance.

Step 2  On the Anti-DDoS Data Maintenance page, click  .

Step 3  On the Modify Anti-DDoS Data Maintenance Settings page, set parameters by referring to Table 7-8.

Table 7-8 Parameters of maintaining anti-DDoS data

Parameter: Original data (days)
Description: Indicates the reservation duration of original data in the database of the anti-DDoS collector.
Value: The default value is 30.

Parameter: Hourly summary data (months)
Description: Indicates the reservation duration of hourly summary data in the database of the anti-DDoS collector.
Value: The default value is 12.

Parameter: Daily summary data (years)
Description: Indicates the reservation duration of daily summary data in the database of the anti-DDoS collector.
Value: The default value is 1.

Parameter: Traffic diversion log (days)
Description: Indicates the reservation duration of traffic diversion logs in the database of the cleaning device.
Value: The default value is 90.

Parameter: Device logs (days)
Description: Indicates the duration for which the ATIC Management center server retains the operation logs in the database.
Value: The default value is 30.

Parameter: Scheduled daily reports (days)
Description: Indicates the reservation duration of daily reports generated by a scheduled task in the database and on the hard disk of the ATIC Management center server.
Value: The default value is 60.

Parameter: Scheduled weekly reports (months)
Description: Indicates the reservation duration of weekly reports generated by a scheduled task in the database and on the hard disk of the ATIC Management center server.
Value: The default value is 6.

Parameter: Scheduled monthly reports (years)
Description: Indicates the reservation duration of monthly reports generated by a scheduled task in the database and on the hard disk of the ATIC Management center server.
Value: The default value is 1.

Parameter: Scheduled yearly reports (years)
Description: Indicates the reservation duration of yearly reports generated by a scheduled task in the database and on the hard disk of the ATIC Management center server.
Value: The default value is 5.

Parameter: Delay for Canceling Traffic Diversion (seconds)
Description: For dynamic diversion tasks (both automatic and manual ones), after the anomaly or attack ends, the diversion persists for a while before it is automatically canceled, to ensure that the anomaly or attack traffic is thoroughly cleaned.
Value: The default value is 300. In normal cases, you are advised to use the default value. If the anti-DDoS collector cannot receive the logs about the anomalies from the cleaning device, the delay can be extended.

Parameter: The number of pagesize
Description: Number of records displayed per page on the ATIC Management center.
Value: The default value is 10.

 
Step 4  Click OK.
----End

7.2.5. Backing Up and Restoring Configuration Files

This section describes how to back up system configurations periodically for timely troubleshooting.

7.2.5.1. Backing Up a Configuration File

The current system configuration needs to be backed up periodically.

Context
The ATIC Management center supports backup of the configuration and some status information.

Ensure that other administrators are offline during the database backup. Otherwise, their operations on the database may interrupt the backup.

Choose System > System Administrators > Online Administrator to check whether other administrators are online.

Procedure
Step 1  Choose System > System Maintenance > System Backup.

Step 2  Click  .

Step 3  On the Back Up Current Configuration File page, enter the description and click OK to back up the current system configuration.

The system automatically generates a configuration file name, consisting of the database name and backup time. The description describes the configuration file in detail.

Step 4  In the dialog box that is displayed, click OK.

----End
7.2.5.2. Restoring a Configuration File

Restoring configurations consists of restoring configurations on the ATIC Management center and those on the anti-DDoS device.

Context
ATIC management center can only be restored by the configuration file with the same version.

If the configuration of Zones or sysnames is different from that before restoration, the admin must
check and reallocate management permissions of these Zones or sysnames. Otherwise, other
administrators cannot manage the restored configuration.

Procedure
Step 1  Choose System > System Maintenance > System Backup.

Step 2  Click   and terminate services on the ATIC management center as prompted. Then click OK to start restoring the configuration file.

Step 3  When the configuration file is restored, click OK and close the dialog box.

Step 4  Log in to the ATIC Management center again. Choose System > System Maintenance > System Backup to check whether the restored configurations are correct.

1. If yes, confirm the restoration.

Click OK. Then continue with the following steps to make sure that the ATIC Management center and the anti-DDoS device are consistent after the configuration is restored.
a. Choose System > System Maintenance > System Backup.
b. Click  .

2. If no, roll back the configurations.
a. Choose System > System Maintenance > System Backup. The Check System Status page is displayed.
b. In the Check System Status dialog box, click Roll Back Configuration to roll back the system configurations.
c. Log in to the ATIC Management center again to confirm the rollback.

----End

Follow-up Procedure

Confirm the configurations regardless of whether the restoration or rollback succeeds.

1. Choose System > System Maintenance > System Backup. The Check System Status page is displayed.

2. In the Check System Status dialog box, click The restoration succeeded.


7.3. Log Management
You can query system operation logs, device operation logs, and syslog interworking logs.

Search: Set the conditions and click Search to search for the desired logs. For details about this operation, see 7.3.2 Searching for an Operation Log, 7.3.3 Querying Device Operation Logs, and 7.3.4 Querying Syslog Interworking Logs.

Export: Select the logs to save to the local computer and click  . In the displayed dialog box, select a path for saving the operation log file, enter a name for the file or use the default file name, and click Save to save the selected logs to the specified local path.
NOTE: If Internet Explorer applies its default security policy, the message "To help protect your security, Internet Explorer blocked this site from downloading files to your computer" is displayed upon an export operation. In this case, right-click the message and choose Download File from the shortcut menu. After the interface is refreshed, export the logs again.

Export all: Click  . In the displayed dialog box, select a path for saving the operation log file, enter a name for the file or use the default file name, and click Save to save all the logs to the specified local path.

7.3.1. Introduction to Log Management

Log management includes managing system operation logs, device operation logs, and syslog
interworking logs.

System Operation Log

All operations that are actively initiated by ATIC Management center users and will affect the database
are logged. Those operations that do not affect the database, such as viewing, searching, and refreshing
are not logged. The ATIC Management center provides the function of browsing operation logs and
filtering logs by log level, administrator, log category, operation results, and log start and end time. Logs
also help learn about users' operations. For example, you can view the operations that are performed by
a user on the ATIC Management center.
The system controls the access of logs. A super administrator has all rights. A common administrator
with assigned rights can only access its own operation logs. A common administrator without assigned
right cannot access any operation log.

Periodically dumping operation logs stores the logs recorded in the database to the Installation
directory/Runtime/LegoRuntime/datastorage/sysoptlog path on the ATIC Management center server.
You can download the dumped operation logs on the client and view them locally. In addition, you can
delete the logs that are no longer needed from the ATIC Management center server, reducing the
recording times of the database and ensuring sufficient database spaces.

The operation log level identifies the criticality of a log. The operation log level can be danger, minor, warning, or info from the most critical to the least critical. Table 7-9 defines the different levels of logs.

Table 7-9 Log levels

Level: Danger
Definition: Refers to the operations that make the whole system or function modules faulty or unavailable.

Level: Warning
Definition: Refers to the normal operations that are performed in the system or on function modules.

Level: Minor
Definition: Refers to the operations that may cause data inconsistency in the system or on function modules.

Level: Info
Definition: Refers to the operations that are performed to access data in the system or on function modules.

Device Operation Log

The device operation log records information about all command lines delivered to the Anti-DDoS.

1. The ATIC management center allows you to view device operation logs and filter the logs based on the logging start time, end time, device IP address, terminal IP address, VTY interface, user name, VRF, and command line.

Device operation logs can be used to monitor the device or locate faults.

2. Device operation logs take up large database space and cannot be exported or dumped. You can specify a period of time on the Anti-DDoS Data Maintenance page to regularly delete the reserved device operation logs. The device operation logs are retained for 90 days by default.

Syslog Interworking Log


Syslog interworking logs record information about the logs that the Netflow device sends to the ATIC
management center.

7.3.2. Searching for an Operation Log

You can set the conditions to search for the desired operation logs.

Procedure
Step 1  Choose System > Log Management > System Logs.
Step 2  Set the conditions for searching for operation logs.
1. You can select Search to use the basic search method. Table 7-10 describes the parameters of the basic search conditions.

Table 7-10 Parameters of the basic search conditions

Parameter: Level
Description: Level of an operation log. The log level can be Danger, Warning, Minor, or Info.
Recommended Value: -

Parameter: Result
Description: Result of an operation log. The result can be Succeeded or Failed.
Recommended Value: -

2. You can select Advanced Search to use the advanced search method. Table 7-11 describes the parameters of the advanced search conditions.

Table 7-11 Parameters of the advanced search conditions

Parameter: Level
Description: Level of an operation log. The log level can be Danger, Warning, Minor, or Info.
Recommended Value: -

Parameter: Administrator
Description: Administrator that performs the operation. Administrator System does not actually exist. The operations performed by administrator System are scheduled operations or those triggered by other operations in the background.
Recommended Value: You can click   to select the administrator as required in the Select Administrator dialog box.

Parameter: Type
Description: Category of an operation log. The logs are categorized based on the function of a component. For example, the log of creating a collection rule task belongs to the performance management category.
Recommended Value: You can click   to select the owning functional module of an operation log in the Select Operation Type dialog box.

Parameter: Result
Description: Result of an operation log. The result can be Succeeded or Failed.
Recommended Value: -

Parameter: Occurred at
Description: Start and end time of an operation. The start time cannot be later than the end time.
Recommended Value: -

You can click Reset to clear all the specified parameter values.

----End

7.3.3. Querying Device Operation Logs

You can query the device operations conducted by the users logging in to the Anti-DDoS.

Procedure
Step 1  Choose System > Log Management > Device Logs.
Step 2  Query device operation logs by using the basic search or advanced search.
1. Basic search

Enter the device IP address or Command to be queried and click   to display the logs matching the given conditions.

2. Advanced search
a. Click Advanced Search.
b. In the Advanced Search group box, set search conditions and click Search. For the parameters of search conditions, see Table 7-12.

Table 7-12 Device operation log search conditions

Parameter: Start Time / End Time
Description: Indicates the time when the ATIC management center receives logs.

Parameter: Device IP
Description: Indicates the IP address of the Anti-DDoS.

Parameter: Terminal IP
Description: Indicates the IP address of the terminal logging in to the Anti-DDoS.

Parameter: User
Description: Indicates the user name for logging in to the Anti-DDoS.

Parameter: Command
Description: Indicates the command executed on the Anti-DDoS.

----End
7.3.4. Querying Syslog Interworking Logs

This section describes how to set the conditions for querying syslog interworking logs.

Procedure
Step 1  Choose System > Log Management > Syslog-linkage Log.
Step 2  Set the conditions for querying syslog interworking logs.
1. When you select Search, set the log query conditions based on the parameter description in Table 7-13.

Table 7-13 Description of the parameters for querying syslog interworking logs

Parameter: Detail
Description: Enter a syslog keyword for the matching.

2. When you select Advanced Search, set the log query conditions based on the parameter description in Table 7-14.

Table 7-14 Description of the parameters for advanced query of syslog interworking logs

Parameter: Start Time / End Time
Description: Enter the start and end of the time range in which the ATIC management center receives logs.

Parameter: Device IP
Description: Enter the IP address of the syslog device.

Parameter: Detail
Description: Enter a syslog keyword for the matching.

----End

7.4. Notification Server
7.4.1. Mail Server

You can configure the mail server to send the information to the specified email address.

Prerequisites
When a mail server is configured, ensure that the SMTP/POP3 function is enabled for sender accounts
registered on the server.

Context
The proxy server supports only the SOCKS 5 proxy when you configure the basic information for the mail
server.

The SOCKS protocol enables the client/server application programs in the TCP and UDP domains to
conveniently and securely use the network firewall. The proxy server that uses the SOCKS protocol is
called the SOCKS server and is a universal proxy server. The SOCKS proxy is usually used in the email and
is bound to port 1080 on the proxy server. If the SOCKS proxy service requires identity authentication,
you need to apply to the network administrator for a user name and password.
Procedure
Step 1  Choose System > Notification Server > Email Server.

Step 2  Configure the basic information for the mail server.

1. In the Email Server area, click  .

2. Configure the basic information for the mail server, as described in Table 7-15.

Table 7-15 Mail server parameters

Parameter: SMTP server
Description: IP address or domain name of the SMTP server that is responsible for sending the notification mail.
Recommended Value: -

Parameter: Server port
Description: Port number of the SMTP server.
Recommended Value: Default value: 25.

Parameter: Sender email
Description: Email address that sends the notification mail messages.
Recommended Value: The email address can contain only 1 to 32 characters.

Parameter: Test email
Description: Email address used to verify that the communication between the ATIC Management center server and the mail server is normal.
Recommended Value: The email address can contain only 1 to 32 characters.

Parameter: Username
Description: User name that is used to access the SMTP server. This parameter is required only when SMTP server identity authentication is selected.
Recommended Value: You can enter the user name registered on the SMTP mail server or obtained from the provider of the mail server.

Parameter: Password
Description: Password that is used to access the SMTP server. This parameter is required only when SMTP server identity authentication is selected.
Recommended Value: -

Parameter: Proxy server IP address
Description: IP address of the proxy server. This parameter is required only when Proxy server is selected.
Recommended Value: -

Parameter: Proxy server Port
Description: Port number of the proxy server. This parameter is required only when Proxy server is selected.
Recommended Value: Default value: 1080.

Parameter: Email Signature
Description: -
Recommended Value: -

SMTP = Simple Mail Transfer Protocol

 
Note:
After the parameters are specified, you can click Test to check whether the test email box can receive the test message.

1. If yes, the communication between the ATIC Management center server and the mail server is normal.

2. If no, an error message is displayed. Handle the exception according to the message.

3. Click OK.

----End

7.4.2. SMS Server

This section describes how to configure the SMS server.

Procedure
Step 1  Choose System > Notification Server > SMS Server.
Step 2  In the SMS Server area, click  .

Set the SMS server parameters, as described in Table 7-16.

Table 7-16 SMS modem parameters

Parameter: Serial port identifier
Description: Identifier of the ATIC Management center server serial port through which the ATIC Management center is connected with the SMS modem. Set this parameter according to the actual condition. For example, if the ATIC Management center server is connected with the SMS modem through serial port COM of the ATIC Management center server, set this parameter to COM.
Recommended Value: -

Parameter: Baud usage
Description: Baud usage used by the SMS modem. Set the Baud usage according to the actual condition.
Recommended Value: -

Parameter: Country code
Description: Code of the country in which the customer site is located.
Recommended Value: For example: country code of China: 86; country code of USA: 1; country code of UK: 44.

Parameter: Test phone number
Description: Mobile phone number that is used to verify that the communication between the ATIC Management center server and the SMS modem is normal.
Recommended Value: -

Parameter: Unicom provider
Description: Customized configuration of the Unicom SMS server.
Recommended Value: -

Note: You can click Test to check whether the test mobile phone can receive the test message.
1. If yes, the communication between the ATIC Management center server and the SMS modem is normal.
2. If no, an error message is displayed. Handle the exception according to the message.

Step 3  Click OK.

Step 4  Select Unicom Provider and click   to customize alarm SMSs for China Unicom.
----End

7.4.3. Syslog Server

This section describes how to configure the log server.

Procedure
Step 1  Choose System > Notification Server > Syslog Server.
Step 2  Set basic information of the log server.

1. Click   in the Email Server area.

2. Set basic parameters of the log server. For details, see Table 7-17.

Table 7-17 Description of log server parameters

Parameter: Server IP
Description: IP address of the log server.
Recommended Value: -

Parameter: Server port
Description: Port of the log server.
Recommended Value: The default value is 514.

Parameter: Transmit syslog type
Description: Type and level of logs to be transmitted.
Recommended Value: -

----End
