Huawei Intelligent Anti-DDoS Solution, Safeguarding Data Center Services

During the 2024 Gulf Information Security Expo and Conference (GISEC), Dr. Claas Grohnfeldt, Principal AI and Cyber Security Expert at Huawei European Research Center, delivered a speech entitled "Huawei Anti-DDoS Solution, A Shield for Data Center Services", attracting multi-industry customer experts from around the world.

With the continuous expansion of enterprise services and the accelerated transformation of enterprises through digital intelligence, data centers have gradually evolved into the key to storing, processing, and applying enterprise data. As a result, data centers face increasingly severe network security risks. DDoS attacks are becoming more frequent, sophisticated, and large-scale, remaining one of the main threats to data centers. Dr. Claas Grohnfeldt, Principal AI and Cyber Security Expert at Huawei European Research Center, said that the rapid development of digital intelligence on both the attacker and defender sides poses much higher requirements on the protection of data centers against state-of-the-art DDoS attacks compared to just two to three years ago.

Dr. Claas Grohnfeldt, Principal AI and Cyber Security Expert at Huawei European Research Center

First, DDoS attacks have entered the Terabit-level era. In 2023, the number of Terabit-level attacks doubled that of 2021, leading to performance issues of traditional appliances. Second, the rapid development of attacker tools and increasingly handy access to such through the Internet and dark web has led to the advancement of attack methods. IPv6 attacks and IPv4/IPv6 dual-stack attacks occur frequently. In addition, more than 72% of attack traffic is encrypted, resulting in increasing attack complexity and severe challenges to effective defense. Third, attack traffic can climb to Terabit within 10 minutes. Traditional attack mitigation methods rely on expert knowledge and skills, and may take several minutes to respond to attacks, which can easily cause service interruption.

To effectively cope with the increasingly severe defense challenges, Huawei launches the HiSecEngine anti-DDoS series system. Standing out with three highlights — high-performance hardware acceleration, thousand-level concurrent carpet-bombing attack defense, and advanced decryption-less attack defense — the system can comprehensively ensure the security and integrity of customer services and protect against DDoS attacks.

1. Huawei HiSecEngine anti-DDoS system effectively defends against various types of attack traffic through collaborative defense of the NP and CPU. To elaborate, the NP is responsible for filtering out heavy-traffic attacks, and the CPU is responsible for processing complex attacks at the session layer and application layer. This collaborative mode blocks attack traffic with the lowest costs and highest efficiency. Traditional anti-DDoS devices provide only 400 Gbps bandwidth and mainly rely on device stacking for defense, resulting in high defense costs and low performance. In contrast, a single Huawei anti-DDoS device provides up to 2.4 Tbps defense performance, six times higher than the industry average.

2. Huawei HiSecEngine anti-DDoS system can effectively defend against carpet-bombing attacks, achieving concurrent attack defense on more than 2000 address segments. In a carpet-bombing attack event, all IP addresses on one or more address segments may be attacked at the same time. Address segment security is the prerequisite for normal service operation. Traditional single-IP defense cannot defend against such attacks, severely deteriorating service operation. Huawei anti-DDoS system uses a three-layer defense architecture — BGP FlowSpec, address segment defense, and host defense — and can intelligently trigger different defense layers to intercept attacks based on attack types. The exclusive address segment defense layer can protect a maximum of 2000 address segments concurrently, 40 times higher than the industry average.

3. Huawei HiSecEngine anti-DDoS system uses behavior analysis algorithms covering more than 30 dimensions to effectively defend against application-layer encrypted attacks, improving performance by 10 times. In this mobile Internet era, mobile applications and APIs face increasingly severe encrypted attacks. Traditional defense methods need to decrypt and analyze data packets, severely deteriorating system performance. With multi-dimensional behavior analysis and advanced AI learning algorithms, Huawei can effectively detect encrypted traffic without decryption, achieving more efficient and precise defense.

Leveraging years of research on anti-DDoS, Huawei's intelligent anti-DDoS solution has powerful attack defense capabilities. By now, it has been widely applied by global customers across industries such as finance, government, education, large enterprise, and IDC, helping to ensure always-on services.

For more information about Huawei's intelligent network security solutions, visit https://e.huawei.com/en/solutions/enterprise-network/security.

As an authoritative conference in the computer security and IoT domain in the Middle East, GISEC is held every year at the Dubai World Trade Centre in the UAE. This conference not only exhibited cutting-edge technologies, but also provided professional forums to attract top cyber security enterprises, innovation elites, and industry leaders from around the world, especially in the Middle East, Africa, and Asia. They delved into cyber security challenges and opportunities brought by digital-intelligent transformation as well as industry development trends and directions, and provided thought-provoking suggestions for global enterprises to build cyber security protection lines.