Product Advantages

  • Great Capability

    Defend your servers against a wide range of network and transport layer DDoS attacks with globally distributed scrubbing centers that provide Tbit/s protection capacity.

    Defend your servers against a wide range of network and transport layer DDoS attacks with globally distributed scrubbing centers that provide Tbit/s protection capacity.

  • Instantaneous Response

    Efficiently detect and rapidly respond to DDoS attacks before your services are impacted.

    Efficiently detect and rapidly respond to DDoS attacks before your services are impacted.

  • High Reliability

    Enjoy always-on protection, and tune your protection settings based on the detected attacks.

    Enjoy always-on protection, and tune your protection settings based on the detected attacks.

  • 24/7 Support

    Keep your services up and running with the always available and experienced DDoS mitigation staff.

    Keep your services up and running with the always available and experienced DDoS mitigation staff.

Application Scenarios

Website Browsing

Painpoints

Website access is slow or blocked due to DDoS and CC attacks, resulting in the loss of users and low sales volumes.

Advantages

  • Application Layer Defense

    AAD blocks unauthorized HTTP traffic that does not comply with HTTP protocol specifications or fails to pass through the DPI engine.

  • Web Security Defense

    AAD protects web and mobile applications, and APIs from common threats such as OWASP Top 10.

  • Quick Access

    Static content is cached to edge nodes. Automatically accessing the nearest cache greatly improves website access speeds.

Related Services
Gaming

Painpoints

DDoS attacks affect the gaming experience, causing loss of revenue and driving off gamers, who have little tolerance for anything less that top performance because milliseconds of delay are often the difference between victory and defeat.

Advantages

  • Deep Packet Inspection

    Attacks such as SYN floods that exploit vulnerabilities in TCP or IP protocols can be detected in advance by filtering out malformed packets and application layer traffic.

  • Adaptive Filtering

    Big data threat analysis, baseline traffic statistics, and exception identification are used to protect against zero-day attacks.

  • CC Attack Defense

    Instantaneous response to attacks and user identity authentication are used to further identify normal from attack traffic for precise defense.

Related Services

Introduction to DDoS Attacks

Common DDoS attacks

DoS attacks are also called flood attacks. They intend to exhaust the network or system resources on the target computer, causing service interruption or suspension. Consequently, legitimate users fail to access network services. A DDoS attack involves multiple compromised computers controlled by an attacker flooding the targeted server with superfluous requests. Table 1 describes the common DDoS attacks.

Table 1 Common DDoS attacks

Attack Type
Description
Example

Network layer attack

Occupies the network bandwidth with volumetric traffic, causing your service to be unable to respond to legitimate access requests.

NTP flood attack

Transport layer DDoS attack

Occupies the connection resources of the server, resulting in denial of services.

SYN flood, ACK flood, and ICMP flood attacks.

Session layer attack

Occupies SSL session resources of the server, resulting in denial of services.

SSL slow connection attack

Application layer attack

Occupies the application processing resources of the server and consumes its processing performance, resulting in denial of services.

HTTP GET flood attack and HTTP POST flood attack

How Can I Report to the Network Monitoring Department When a DDoS Attack Occurs?

Reporting Process

1. You need to report to the local network monitoring department as soon as DDoS attacks occur and provide related information as required.

2. The network monitoring department determines whether your case can be filed and performs relevant network monitoring process.

NOTE: For details about the standards of filing a case, contact the local network monitoring department.

3. After your case is officially filed, Huawei Cloud will cooperate with the network monitoring department to provide attack evidence.

What Evidence Can Huawei Cloud Provide?

After your case is filed in the network monitoring department, Huawei Cloud will provide the following assistance:

Huawei Cloud will provide responsible personnel in the network monitoring department with traffic logs and attack information about your services on Huawei Cloud.

NOTE: Because the data will be used as legal evidence, it cannot be provided to you directly. You can view information about the attack traffic on the HUAWEI CLOUD management console.

HUAWEI CLOUD cannot analyze traffic logs and attack information, or identify the attacker.

NOTE: Because HUAWEI CLOUD is not a judge, it is impossible to judge who is guilty. Nor does it have law enforcement rights, who can conduct a case investigation. HUAWEI CLOUD can only serve as an evidence provider and witness.

HUAWEI CLOUD will respond to the network monitoring department in a timely manner and assist their work.

In case of security attacks, you are advised to actively request the network police to file your case and conduct investigation by referring to the standards for case filing of the local network monitoring department.

View information about attack traffic:

You can view traffic statistics and attack events on the HUAWEI CLOUD management console.

Black Hole Threshold of Cloud Native Anti-DDoS Basic

CNAD Basic (Anti-DDoS) is enabled by default to protect your resources against DDoS attacks.

Black Hole Threshold

The black hole threshold refers to the basic attack mitigation capability provided by HUAWEI CLOUD. When the scale of attack exceeds the threshold, HUAWEI CLOUD executes a black hole policy to block the IP address.

Anti-DDoS provides 2 Gbit/s of defense against DDoS attacks for common users for free. Anti-DDoS can provide up to 5 Gbit/s of defense (depending on the available bandwidth of Huawei Cloud) against DDoS attacks.

Scrubbing Principle

HUAWEI CLOUD monitors service traffic in real time. Once an attack is detected, it diverts service traffic to the HUAWEI CLOUD Anti-DDoS scrubbing system, which identifies the traffic from that IP address, discards the attack traffic, and forwards legitimate traffic to the target IP address, thus reducing damage on the server.

Security

  • Shared Responsibilities

    Huawei guarantees that its commitment to cyber security will never be outweighed by the consideration of commercial interests. 

    Huawei guarantees that its commitment to cyber security will never be outweighed by the consideration of commercial interests. 

  • Identity Authentication and Control

    No matter whether you access the Anti-DDoS service through the console or calling APIs, you are required to provide the identity credential and verify the identity validity. 

    No matter whether you access the Anti-DDoS service through the console or calling APIs, you are required to provide the identity credential and verify the identity validity. 

  • Audit and Logging

    Cloud Trace Service (CTS) keeps track of user activities and resource changes on your cloud resources. It helps you collect, store, and query operational records for security analysis, audit and compliance, and fault location.

    Cloud Trace Service (CTS) keeps track of user activities and resource changes on your cloud resources. It helps you collect, store, and query operational records for security analysis, audit and compliance, and fault location.

  • Data Protection

    To prevent data leakage, Anti-DDoS does not store your sensitive user data. It encrypts your data during transmission.

    To prevent data leakage, Anti-DDoS does not store your sensitive user data. It encrypts your data during transmission.

  • Service Resilience

    Huawei Cloud data centers are deployed around the world. All data centers are running properly. Data centers in two cities are deployed as disaster recovery center for each other.

    Huawei Cloud data centers are deployed around the world. All data centers are running properly. Data centers in two cities are deployed as disaster recovery center for each other.

  • Certificates

    Huawei Cloud services and platforms have obtained various security and compliance certifications from authoritative organizations, such as International Organization for Standardization (ISO).

    Huawei Cloud services and platforms have obtained various security and compliance certifications from authoritative organizations, such as International Organization for Standardization (ISO).

FAQ

FAQ

  • How Will Anti-DDoS Be Triggered to Scrub Traffic?

    Anti-DDoS scrubs traffic when detecting that the incoming traffic of an IP address exceeds the traffic cleaning threshold.

    1. When the service traffic reaches this threshold, Anti-DDoS intercepts only attack traffic.
    2. If the service traffic does not reach the threshold, Anti-DDoS will not intercept the traffic, regardless of whether it is attack traffic.

    You can adjust the traffic cleaning threshold based on the actual service bandwidth. For details, see section "Configuring an Anti-DDoS Protection Policy".

  • What Data Can Be Provided by Anti-DDoS?

    You can view the monitoring report of a public IP address, including the current protection status, protection settings, and the traffic and anomalies within the last 24 hours.

    You can view an interception report on protection statistics, including the traffic cleaning frequency, cleaned traffic amount, weekly top 10 attacked ECSs, load balancers, or BMSs, and total number of intercepted attacks of all public IP addresses of a user.

    You can enable alarm notification for Anti-DDoS so that you can receive notifications in a timely manner if a public IP address is attacked. If you do not enable this function, you have to log in to the management console to view alarms.

  • Is Anti-DDoS Enabled by Default?

    Yes. It is enabled by default and uses the default protection policy. To modify this setting, see section "Configuring an Anti-DDoS Protection Policy".

    NOTE: Once enabled, Anti-DDoS cannot be disabled.

  • How Can I Adjust the Block Threshold?

    Anti-DDoS provides a maximum of 500 Mbit/s protection capacity free of charge (depending on the available bandwidth of HUAWEI CLOUD). Traffic that exceeds 500 Mbit/s will be routed to a black hole. For applications threatened by attack traffic larger than 500 Mbit/s, it is a better choice to purchase the Advanced Anti-DDoS service on HUAWEI CLOUD to expand protection capacity.

  • Why Is the Access from the Internet Abnormal?

    HUAWEI CLOUD Anti-DDoS will trigger a black hole to block access from the Internet within a time period when detecting an ECS is under volumetric flood attacks.

    Anti-DDoS provides a 2 Gbit/s DDoS mitigation capacity for free, and its maximum mitigation capacity can reach 5 Gbit/s (depending on the available bandwidth of HUAWEI CLOUD). Traffic that exceeds 5 Gbit/s will be routed to a black hole. For applications threatened by attack traffic larger than 5 Gbit/s, it is a better choice to purchase the Advanced Anti-DDoS service on HUAWEI CLOUD to expand protection capacity.

  • How Do I Connect My Service System to AAD?

    If your system provides services through a domain name, you need to modify the DNS configuration to resolve the domain name to the CNAME record provided by HUAWEI CLOUD.

    If your system provides services through an IP address, change the IP address to a high-defense IP address.

  • Why Is Error 504 Displayed When I Access a Website After AAD Is Configured?

    Symptom

    When a user visits a website with AAD configured, error code 504 is displayed after a long period of wait time.

    Possible Causes

    It takes a long period of time for the website to process some POST requests, and the time required exceeds the connection timeout threshold of AAD. As a result, AAD proactively drops the connection.

    The default TCP connection timeout is 900s.

    The default HTTP/WebSocket or HTTPS/WebSockets connection timeout is 120s.

    Solution

    It is recommended that you deploy a heartbeat mechanism to process time-consuming tasks at the application layer. This mechanism helps keep connections alive during the wait time.

    For occasional time-consuming requests, you can send them directly to cloud servers by bypassing AAD.

  • Can AAD Be Used Across Regions?

    Advanced Anti-DDoS is a global service that is not region-specific. Therefore, it can be used across regions.

Videos

AAD Service Introduction

04:08

AAD Service Introduction

Getting Started with Anti-DDoS

01:32

Getting Started with Anti-DDoS