[Data Sheet]

NSFOCUS Anti-DDoS System

Overview
The NSFOCUS Anti-DDoS (ADS) system is an active distributed Denial of Service (DDoS) attack mitigation appliance that defends against known and unknown DDoS attacks. It detects the presence of potential DDoS attacks and block malicious traffic in real time, without affecting the flow of legitimate mission-critical transactions, thus ensuring availability and business continuity. The NSFOCUS ADS series supports IPv4 and IPv6 dual stacks, and is able to intelligently recognize DDoS attacks targeting government/enterprise websites, Internet Data Centers (IDCs), LANs/MANs, and backbone networks. It can efficiently mitigate attack traffic with industry-leading techniques such as traffic modeling, anti-spoofing, protocol stack behavior analysis, specific application prevention, user behavior analysis, dynamic fingerprinting, and rate limiting. The deployment of the NSFOCUS ADS is very flexible. Based on network environments and customers requirements, the ADS appliance can be deployed either in inline mode or in out-of-path diversion mode. In the traffic diversion mode, working with NSFOCUS Anomaly Traffic Analyst (NSFOCUS NTA) and NSFOCUS management system (NSFOCUS ADS-M), the NSFOCUS ADS is capable of protecting complicated networks for ISPs and large IDCs. The NSFOCUS ADS series has several varients, depending on the size and complexity of your network. For large networks (10+ Gbps) we offer units with a multi-core processing architecture ASIC+NP (network processors). For smaller environments, we have X-86 architecture to clean traffic at the speed range from 1-Gbps to 6-Gbps. All NSFOCUS ADS appliances fully meet the crucial demands of high performance, excellent extendibility, and powerful protection capability to defend against even the most sophisticated DDoS attacks.

What does the ADS do?

Block malicious traffic without affecting the legitimate traffic. Ensure network availability and business continuity.

Who need Anti-DDoS?

eCommerce Banking/Finance Health/Insurance Government Anyone with a measurable ROI for downtime

What are the components?

ADS, DDoS mitigation device NTA, Network Traffic Analysis ADS-M, Management Platform

What is the capacity?

From 1 to 10+ Gbps DDoS mitigation

1 / 10

[Data Sheet]

Features
Accurate Detection and Recognition Detection & Mitigation
Anti-Spoofing Protocol Behavior Pattern Analysis User Behavior Analysis Dynamic Fingerprint Rate Limiting Blacklist & whitelist Payload analysis Network level ACL URL ACL User-defined CAPTCHA Policy template

The ADS series employs specific-purpose proprietary algorithms developed by NSFOCUS to accurately recognize and mitigate a wide range of different DDoS attacks. These algorithms include: traffic modeling, anti-proofing, protocol stack behavior analysis, specific application prevention, dynamic fingerprinting, and rate limiting. The system can prevent any type of massive DDoS attack because of its outstanding recognition and prevention capabilities. For example, the connection retention rate and new available connection rate while preventing a SYN Flood attack have far exceeded those rates in typical SYN-cookie and Random-drop algorithms.

Powerful Prevention Capability

The NSFOCUS ADS delivers high prevention performance against a wide variety of attacks, such as SYN Flood, UDP Flood, UDP DNS Query Flood, (M) Stream Flood, ICMP Flood, and ACK Flood/DRDoS. The system also has the capability to detect and dispose of more dangerous application-layer DDoS attacks like HTTP Flood, online game attacks, and video/audio service attacks. There is no limitation for concurrent sessions. The rate limiting function in the NSFOCUS ADS is specifically designed to cope with sudden traffic increases. The ACL function helps the administrator easily control some specific applications with black and white lists. In-depth packet inspection rules allow the administrator to carry out quick prevention by creating templates according to source/destination IP, source/destination protocol port, protocol type, or other signatures such as TCP flag, ICMP type, and ICMP code. Even when faced with different prevention requirements from carriers, hosting providers and service providers, the NSFOCUS ADS provides a user-group prevention function with individual prevention policies for each group so administrators of these companies can scale the protection to multiple customers. New DDoS attack methods and other hacking techniques are emerging and continuously changing. To track attack techniques and uncover new attack types, NSFOCUS has built an expert team engaged in the research of network security attacks and countermeasures. When a new attack is uncovered, NSFOCUS can quickly respond and update the NSFOCUS ADS to keep users network secure.
2 / 10

Prevention Capability
SYN Flood UDP Flood UDP DNS Query Flood (M) Stream Flood ACK Flood HTTP get/post Flood SIP attacks Anonymous attacks
- LOIC - HOIC - SlowLoris - PyLoris - etc.

[Data Sheet]

Massive Attack Traffic Prevention

High-end NSFOCUS ADS series for telecom-class networks employs advanced multi-core processors or NP+ASIC architecture (multiple high-performance parallel network processors). These architectures endow a single ADS appliance with the capability of analyzing and processing DDoS attacks at 10-Gbps line speed. Take SYN Flood, the typical 64-byte attack, as the example: NSFOCUS ADS 6000 is able to handle 14,800,000 pps SYN

Deployment Options
Traffic diversion (Out-of-path ) Inline deployment

Flood traffic. An NSFOCUS ADS cluster, which comprises several ADS devices, can scale up the prevention and attack traffic processing capability significantly. Much more volume of complicated traffic can be diverted for mitigation as predefined conditions on attack destinations, traffic amount and traffic types. Even when ISPs or large corporations are facing an extremely serious DDoS attack, the NSFOCUS ADS 4000 can still provide the best prevention effects. To ensure network availability, the system adopts many techniques like host recognition and traffic diversion to filter attack traffic but not to compromise the normal traffic and quality of network services.

Diversion
BGP OSPF

Re-injection
PBR GRE MPLS VLAN

IPv4/IPv6 Dual Stacks

As IPv4 addresses are becoming increasingly scarce, more and more IPv6 traffic appears in networks. Unfortunately, DDoS attack traffic has been found in IPv6 networks and the current detection methods are insufficient to finding attack traffic for telecom carriers and corporations because of the significant difference between IPv6 format and IPv4 format. Therefore, to recognize IPv6 traffic and mitigate DDoS traffic from the traffic is becoming critical. IPv4 and IPv6 dual stacks have solved this problem. No matter which traffic it is, the detection device can accurately recognize it. And once DDoS attack traffic is found, no matter whether it is in IPv4 traffic or IPv6 traffic, the ADS appliance can efficiently block it.

Flexible Deployment
Different network environments and scales determine which product models are needed and which deployment mode can be adopted. These include inline mode, inline cluster, diversion (out-of-path) mode, and diversion cluster mode. These flexible deployment modes and support for various types of network protocols allow the NSFOCUS ADS product to easily adapt to complicated network environments and provide carrier-grade solutions at a reasonable cost to hosting/solution providers, SMEs, large
3 / 10

[Data Sheet]

enterprises, and ISPs. Diversion mode can be used to deploy the NSFOCUS ADS products at the outbound interface of large IDC and ICP networks for on-demand protection. When suspicious activity is discovered, the system employs a dynamic traffic diversion technique to redirect the next hop of the traffic destined to protected zone or hosts to the traffic cleaning device, leaving the normal traffic passing through. After the attack traffic is recognized and filtered, the cleaned traffic is sent back to the mainstream and routed to the original destination. For smooth operation in complicated network environments, without making significant changes to the current architecture, the NSFOCUS ADS series provides traffic diversion and injection features that easily adapt to the existing network.

User-Friendly System and Report Management

The NSFOCUS ADS series provides a user-friendly management system for administrators to monitor running status, configure policies, check reports, capture packets, and perform forensic analysis. Hierarchical privilege management allows network engineers, security administrators and customers to check real-time statistical information, monitoring information, and reports on different levels. The detailed reports; including attack events, attack types, attack characteristics and attack sources, helps the system administrators monitor attacks in real time and trace attacks to build historical forensic analytics. The NSFOCUS ADS products also provide tools to monitor or check report traffic, log information, and attack history; all of which are very convenient and useful for users to tune prevention policies according to real-time situations. The NSFOCUS ADS-M product provides centralized management, monitoring, control and maintenance for several NSFOCUS ADS appliances. Using centralized management, the user can check and modify the configurations of several ADS devices at one time, and then deliver the modified results in a unified manner. The centralized monitoring function allows users to check traffic, attack information and reports of several NSFOCUS ADS appliances at the same time and can assign remote restart and packet capture tasks conveniently. Configuration files, traffic statistical data and alert information of several NSFOCUS ADS devices can also be stored in NSFOCUS ADS-M system for centralized report and event management.
4 / 10

[Data Sheet]

Unique Value-added Business Management

Combined with the NSFOCUS ADS-M product, the ADS product can offer more benefits to telecom/hosting providers who provide value-added anti-DDoS services to their customers. The NSFOCUS ADS-M product provides a self-service system to allow customers who have subscribed to the service to log into the management system for checking intranet traffic and attack prevention status as predefined privileges, without seeing any details of other customers. With the self-service system and attack forensic analysis, the NSFOCUS ADS product provides a wide range of services to telecom/hosting providers for their value-added business customers.

Professional Customer Support

With almost ten years of experience in DDoS attack research and product development, NSFOCUS experts can quickly respond to attack events and provide support on prevention consultation, installation, training and other services to help customers establish secure prevention system and build an expert attack prevention team.

Applications
NSFOCUS ADS series adopts industry-leading intelligent algorithms to recognize and mitigate DDoS attack traffic. No matter how sophisticated the network is, NSFOCUS can provide suitable anti-DDoS solution for SMEs, IDCs, and telecom carriers.

Inline Deployment
Inline deployment is suitable for corporations with a small number of servers or low bandwidth. The ADS appliance is deployed transparently at the network ingress to detect, analyze, and block DDoS attacks. The topology is shown as below:

5 / 10

[Data Sheet]

Traffic Diversion Deployment

For IDCs, ICPs, or critical business systems, the NSFOCUS ADS series can be deployed in out-of-path mode to divert suspicious traffic. Generally, the traffic detection appliance - NSFOCUS Network Traffic Analyst (NSFOCUS NTA) can be deployed at any position in the network, but the ADS product is deployed at the network ingress out of the main path. The NSFOCUS NTA monitors incoming traffic and detects the type and source of DDoS attack traffic in real-time. When a DDoS attack is detected, the NTA notifies the ADS immediately and the ADS enables the traffic diversion mechanism to redirect suspicious traffic at the route or switch to the ADS. After the DDoS attack traffic is filtered, the ADS sends clean traffic back to the network. During all of this, the ADS-M product manages and records all of the activities (who, what, when, how).

Out-of-path Diversion Deployment

6 / 10

[Data Sheet]

Distributed Traffic Diversion Deployment

7 / 10

[Data Sheet]

Specifications

ADS 6000 Series SPECIFICATIONS ADS6020 Cleaning Capacity (bps)

1

ADS 4000 Series

ADS 2000 Series

ADS6000A

ADS4020 1G Up to 6G (by license)

ADS2020 2G

ADS2010 1G

6G Up to 10G (by license)

Max DDoS Mitigation Rate (pps) Latency Attack Prevention 40 s

2

14,880,000

8,928,000

2,976,000

1,488,000

TCP
- Syn flood - Ack flood - Fins flood - Fragments

UDP
- random port floods - fragments

Anonymous attacks Connection Exhaustion Stream Flood Malformed HTTP header attacks DNS flood attacks SIP attacks

ICMP
- Unreachable - Echo - fragments

HTTP GET/POST Flood

Detection & Mitigation Algorithms

Real-time traffic monitoring (Signature-based, Behavior-based), Client-Side Identification (SYN cookie, URL Redirection, CAPTCHA), ACL Mechanism (Network Layer and Application Layer), pattern matching.

Interfaces

Console: RJ45 (RS232)

Cleaning capacity is the maximum anomaly traffic mitigation ability with security rules enabled.
2

The data is obtained when all packets are 64 bytes. With the increase of the bytes, traffic cleaning rate increases correspondingly. 8 / 10

[Data Sheet]

Management: GE copper DDoS mitigation: ADS 6020: 2*10GE XFP (10GE LAN), 12*1000M SFP optical port, 8*GE copper port ADS 6000A: 2*10GE SFP+ (10GE LAN) interface; 2*1000M SFP interface ADS 4020 (modular slot): Interface (optional): 2*10GE SFP+ interface , 8*GE copper port, 8*1000M SFP interface ADS 2020/2010: 4*GE copper port, 4*1000M SFP interface Fail-Open/Fail-close Solution enabled Solution enabled Internal fail-open/fail-close for 8GE copper ports Deployment Traffic Diversion (Out-of-path) In-line, Traffic Diversion (out-of-path) Redundancy IP protocols Routing Protocols Network Layer Protocol Weight Dimension (W*D*H) 10.5 Kg 550mmx 440mm x 88 mm Rack 2U 2U 2U 2U 2U 11.5 Kg 500mm430mm 88 mm 11 Kg 575mm432mm88 mm 11 Kg 575mm432 mm88 mm 11 Kg 575mm432m m88 mm IPV4/V6 IPV4 Active-Standby IPV4/V6 IPV4/V6 IPV4/V6 N/A N/A In-line Internal fail-open/fail-close for both copper and SFP ports

BGP, OSPF, RIP, IS-IS, static routing PBR, MPLS-LSP, MPLS VPN, GRE tunnel, L2 VLAN

9 / 10

[Data Sheet]

Power Supply

AC/DC Dual power supply

AC/DC Dual power supply 150W 87,600 hours 0-45 (32-113F) -20-65

AC/DC Dual power supply 350W 45,000 hours 0-40 (32-104F) -20-80

AC/DC Dual power supply 350W 45,000 hours 0-40 (32-104F) -20-80

AC/DC Dual power supply 350W 45,000 hours 0-40 (32-104F) -20-80

Power Consumption MTBF Operating Temperature

150W 87,600 hours 0-45 (32-113F) -20-65

Storage Temperature Compliance

CE, FCC, UL, CB, KCC, ROHS

For more information:

For more information visit NSFOCUS Website: www.nsfocus.com

NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without w ritten permission of NSFOCUS, any individual or institution shall be prohibited to copy or quote any section herein in any way.

About NSFOCUS
NSFOCUS is a proven global leader in active perimeter network security for service providers, data centers, and corporations. It focuses on providing network security solutions including: carrier-grade Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System - all designed to help customers secure their networks and corporate-critical information. More detailed information is available at http://www.nsfocus.com.

10 / 10