DDoS Defense Specifications
|
- Defense against malformed-packet attacks
Defense against LAND, Fraggle, Smurf, WinNuke, Ping of Death, Teardrop, and TCP error flag attacks
- Defense against scanning and sniffing attacks
Defense against port scan and IP sweep attacks, and attacks using Tracert packets and IP options, such as IP source route, IP timestamp, and IP route record options
- Defense against network-layer flood attacks
Defense against common network-layer flood attacks, such as SYN flood, SYN-ACK flood, ACK flood, FIN flood, RST flood, TCP Fragment flood, TCP Malformed flood, UDP flood, UDP Malformed, UDP Fragment flood, IP flood, ICMP Fragment flood and ICMP flood attacks, sweeping segment flooding, and pulse-wave attacks
- Defense against session-layer attacks
Defense against common session-layer attacks, such as real-source SYN flood, real-source ACK flood, TCP connection exhaustion, sockstress, and TCP null connection attacks
- Defense against UDP reflection attacks
Static rules for filtering common UDP amplification attacks, such as NTP, DNS, SSDP, CLDAP, Memcached, Chargen, SNMP and WSD Dynamic generation of filtering rules to defend against new UDP amplification attacks
- Defense against TCP reflection attacks
Static filtering rules that are created based on network-layer characteristics TCP reflection attack filtering rules that are dynamically generated
- Defense against TCP replay attacks
Static filtering rules that are created based on network-layer characteristics TCP replay attack filtering rules that are dynamically generated
- Defense against application-layer attacks (HTTP)
Defense against high-frequency application-layer attacks (HTTP and HTTP CC attacks) based on behavior analysis Defense against low-frequency application-layer attacks (HTTP and HTTP CC attacks) based on machine learning Defense against slow-rate HTTP attacks based on behavior analysis, including HTTP slow header, HTTP slow post, RUDY, LOIC, HTTP multi-methods, HTTP Range request amplification, and HTTP null connection attacks
- Defense against HTTPS/TLS encrypted application-layer attacks
Defense against high-frequency HTTPS/TLS encrypted attacks Defense against slow-rate incomplete TLS session and null connection attacks
- Defense against application-layer attacks (DNS)
Defense against DNS Malformed, DNS query flood, NXDomain flood, DNS reply flood, and DNS cache poisoning attacks Source-based rate limiting and domain name–based rate limiting
- Defense against application-layer attacks (SIP)
Defense against SIP flood/SIP methods flood attacks, including Register, Deregistration, Authentication, and Call flood attacks Source-based rate limiting
- User-defined filtering rules
User-defined filtering rules for local software and hardware, as well as BGP FlowSpec rules for remote filtering. The fields can be customized, including source/destination IP address, packet length, IP protocol, IP payload, source/destination port, TCP flag bit, TCP payload, UDP payload, ICMP payload, DNS domain name, HTTP URI, HTTP field user-agent, as well as caller and callee in the SIP protocol.
IPv4/IPv6 dual-stack defense against DDoS attacks
- Automatic tuning of defense policies
Attack traffic snapshot, defense effect evaluation, and automatic tuning of defense policies Automatic attack evidence collection
Support for dynamic traffic baseline learning and learning period configuration
- Packet capture-based evidence collection
Automatic packet capture based on attack events and user-defined ACLs for packet capture Online parsing and analysis, source tracing, and local analysis after downloading for captured packets
|