Huawei HiSecEngine AntiDDoS12000 Series DDoS Defense System
Superb performance, millisecond-level response, precise protection, intelligent mitigation
Huawei HiSecEngine AntiDDoS12000 series provides up to 2.4Tbps security protection performance and service expansion capabilities, ideal for mitigating heavy-traffic DDoS attacks. It can also effectively defend against and block hundreds of complex attacks in seconds or even milliseconds, ensuring customers' service continuity.
Superb performance
NP-boosted defense acceleration, ensuring up to 2.4Tbps defense for a single device.
Millisecond-level response
Millisecond-level response to attacks, causing no impact to services.
Precise protection
Intelligent mitigation
Specifications
Model | AntiDDoS12004 | AntiDDoS12008 | AntiDDoS12016 |
Max Defense Bandwidth | 400 Gbps | 1.2 Tbps | 2.4 Tbps |
Max Defense Packet Rate | 300 Mpps | 900 Mpps | 1800 Mpps |
Expansion Slots | 4 | 8 | 16 |
Expansion Interfaces | • 24-port 10GBase-SFP+ + 2-port 40G/100GBase-QSFP28 • 48-port 10GBase-SFP+ | • 24-port 10GBase-SFP+ + 2-port 40G/100GBase-QSFP28 • 48-port 10GBase-SFP+ • 4-port 400GBase-QSFP • 12-port 40G/100GBase-QSFP28 (Only four ports are provided by default. If needed, you can purchase 100G interface expansion RTUs for capacity expansion. Only a maximum of two ports can be added.) | • 24-port 10GBase-SFP+ + 2-port 40G/100GBase-QSFP28 • 48-port 10GBase-SFP+ • 4-port 400GBase-QSFP • 12-port 40G/100GBase-QSFP28 (Only four ports are provided by default. If needed, you can purchase 100G interface expansion RTUs for capacity expansion. Only a maximum of two ports can be added.) |
Dimensions (H x W x D) | 438 mm × 442 mm × 874 mm (9.8U) | 703 mm × 442 mm × 874 mm (15.8U) | 1436 mm × 442 mm × 1033 mm (32.3U) |
DDoS Defense Specifications
• Defense against malformed-packet attacks: Defense against LAND, Fraggle, Smurf, WinNuke, Ping of Death, Teardrop, and TCP error flag attacks
• Defense against scanning and sniffing attacks: Defense against port scan and IP sweep attacks, and attacks using Tracert packets and IP options, such as IP source route, IP timestamp, and IP route record options
• Defense against network-layer flood attacks: Defense against common network-layer flood attacks, such as SYN flood, SYN-ACK flood, ACK flood, FIN flood, RST flood, TCP Fragment flood, TCP Malformed flood, UDP flood, UDP Malformed, UDP Fragment flood, IP flood, ICMP Fragment flood, ICMP flood, Other flood, carpet-bombing flood, and pulse-wave attacks
• Defense against session-layer attacks: Defense against common session-layer attacks, such as real-source SYN flood, real-source ACK flood, TCP connection exhaustion, sockstress, and TCP null connection attacks
• Defense against UDP reflection attacks: Static rules for filtering common UDP amplification attacks, such as NTP, DNS, SSDP, CLDAP, Memcached, Chargen, SNMP and WSD
• Defense against TCP reflection attacks: Static filtering rules that are created based on network-layer characteristics
• Defense against TCP replay attacks: Static filtering rules that are created based on network-layer characteristics
• Defense against application-layer attacks (HTTP): Defense against high-frequency application-layer attacks (HTTP and HTTP CC attacks) based on behavior analysis
• Defense against HTTPS/TLS encrypted application-layer attacks: Defense against high-frequency HTTPS/TLS encrypted attacks
• Defense against application-layer attacks (DNS): Defense against DNS Malformed, DNS query flood, NXDomain flood, DNS reply flood, and DNS cache poisoning attacks
• Defense against application-layer attacks (SIP): Defense against SIP flood/SIP methods flood attacks, including Register, Deregistration, Authentication, and Call flood attacks
• User-defined filtering rules: User-defined filtering rules for local software and hardware, as well as BGP FlowSpec rules for remote filtering. The fields can be customized, including source/destination IP address, packet length, IP protocol, IP payload, source/destination port, TCP flag bit, TCP payload, UDP payload, ICMP payload, DNS domain name, HTTP URI, HTTP field user-agent, as well as caller and callee in the SIP protocol.
• Geographical location filtering: The blocking policy can be customized. For countries outside China, blocking policies can be customized based on country. In China, blocking policies can be customized based on province.
• Dual-stack defense: IPv4/IPv6 dual-stack defense against DDoS attacks
• Automatic tuning of defense policies: Attack traffic snapshot, defense effect evaluation, and automatic tuning of defense policies
• Baseline learning: Support for dynamic traffic baseline learning and learning period configuration
• Packet capture-based evidence collection: Automatic packet capture based on attack events and user-defined ACLs for packet capture
Model | AntiDDoS12004-F | AntiDDoS12008-F |
Max Defense Bandwidth | 300 Gbps | 600 Gbps |
Max Defense Packet Rate | 200 Mpps | 400 Mpps |
Slots of Main Control Unit | 2 | |
Main Control Unit | Supports 1*100GE QSFP28/2*40GE QSFP+/4*25G SFP28/8*10G SFP+ ports | |
Expansion Slots | 4 | 8 |
Expansion Interfaces | • 2 x 40G/100GBase-QSFP28 + 12 x 100M/1G/10GBase-SFP+ • 24 x 100M/1G/10GBase-SFP+ | |
Dimensions (H x W x D) | 352.8 mm × 442 mm × 515.5 mm (8U) | 575 mm × 442 mm × 515.5 mm (13U) |
DDoS Defense Specifications
• Defense against malformed-packet attacks: Defense against LAND, Fraggle, Smurf, WinNuke, Ping of Death, Teardrop, and TCP error flag attacks
• Defense against scanning and sniffing attacks: Defense against port scan and IP sweep attacks, and attacks using Tracert packets and IP options, such as IP source route, IP timestamp, and IP route record options
• Defense against network-layer flood attacks: Defense against common network-layer flood attacks, such as SYN flood, SYN-ACK flood, ACK flood, FIN flood, RST flood, TCP Fragment flood, TCP Malformed flood, UDP flood, UDP Malformed, UDP Fragment flood, IP flood, ICMP Fragment flood, ICMP flood, Other flood, carpet-bombing flood, and pulse-wave attacks
• Defense against session-layer attacks: Defense against common session-layer attacks, such as real-source SYN flood, real-source ACK flood, TCP connection exhaustion, sockstress, and TCP null connection attacks
• Defense against UDP reflection attacks: Static rules for filtering common UDP amplification attacks, such as NTP, DNS, SSDP, CLDAP, Memcached, Chargen, SNMP and WSD
• Defense against TCP reflection attacks: Static filtering rules that are created based on network-layer characteristics
• Defense against TCP replay attacks: Static filtering rules that are created based on network-layer characteristics
• Defense against application-layer attacks (HTTP): Defense against high-frequency application-layer attacks (HTTP and HTTP CC attacks) based on behavior analysis
• Defense against HTTPS/TLS encrypted application-layer attacks: Defense against high-frequency HTTPS/TLS encrypted attacks
• Defense against application-layer attacks (DNS): Defense against DNS Malformed, DNS query flood, NXDomain flood, DNS reply flood, and DNS cache poisoning attacks
• Defense against application-layer attacks (SIP): Defense against SIP flood/SIP methods flood attacks, including Register, Deregistration, Authentication, and Call flood attacks
• User-defined filtering rules: User-defined filtering rules for local software and hardware, as well as BGP FlowSpec rules for remote filtering. The fields can be customized, including source/destination IP address, packet length, IP protocol, IP payload, source/destination port, TCP flag bit, TCP payload, UDP payload, ICMP payload, DNS domain name, HTTP URI, HTTP field user-agent, as well as caller and callee in the SIP protocol.
• Dual-stack defense: IPv4/IPv6 dual-stack defense against DDoS attacks
• Automatic tuning of defense policies: Attack traffic snapshot, defense effect evaluation, and automatic tuning of defense policies
• Baseline learning: Support for dynamic traffic baseline learning and learning period configuration
• Packet capture-based evidence collection: Automatic packet capture based on attack events and user-defined ACLs for packet capture