Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring DDoS Protection

Requirements

• MX Series 3D Universal Edge Routers that have only MPCs installed or T4000 Core Routers that have only FPC5s installed.

  Note: If the router has other cards in addition to MPCs or FPC5s, the CLI accepts the configuration but the other cards are not protected and therefore the router is not protected.

• Junos OS Release 11.2 or later

No special configuration beyond device initialization is required before you can configure this feature.

Overview

Distributed denial-of-service attacks use multiple sources to flood a network or router with protocol control packets. This malicious traffic triggers a large number of exceptions in the network and attempts exhaust the system resources to deny valid users access to the network or server.

This example describes how to configure rate-limiting policers that identify excess control traffic and drop the packets before the router is adversely affected. Sample tasks include configuring policers for particular control packet types within a protocol group, configuring an aggregate policer for a protocol group and bypassing that policer for a particular control packet type, and specifying trace options for DDoS operations.

This example does not show all possible configuration choices.

Configuration

CLI Quick Configuration

To quickly configure DDoS protection for protocol groups and particular control packet types, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.

Step-by-Step Procedure

1. Specify a protocol group.
   [edit system ddos-protection protocols]user@host# edit dhcpv4
2. Configure the maximum traffic rate for the DHCPv4 aggregate policer; that is, for the combination of all DHCPv4 packets.
   [edit system ddos-protection protocols dhcpv4]user@host# set aggregate bandwidth 669
3. Configure the maximum burst rate for the DHCPv4 aggregate policer.
   [edit system ddos-protection protocols dhcpv4]user@host# set aggregate burst 6000
4. Configure the maximum traffic rate for the DHCPv4 policer for discover packets.
   [edit system ddos-protection protocols dhcpv4]user@host# set discover bandwidth 100
5. Decrease the recover time for violations of the DHCPv4 discover policer.
   [edit system ddos-protection protocols dhcpv4]user@host# set discover recover-time 200
6. Configure the maximum burst rate for the DHCPv4 discover policer.
   [edit system ddos-protection protocols dhcpv4]user@host# set discover burst 300
7. Increase the priority for DHCPv4 offer packets.
   [edit system ddos-protection protocols dhcpv4]user@host# set offer priority medium
8. Prevent offer packets from being included in the aggregate bandwidth; that is, offer packets do not contribute towards the combined DHCPv4 traffic to determine whether the aggregate bandwidth is exceeded. However, the offer packets are still included in traffic rate statistics.
   [edit system ddos-protection protocols dhcpv4]user@host# set offer bypass-aggregate
9. Reduce the bandwidth and burst size allowed before violation is declared for the DHCPv4 offer policer on the MPC or FPC5 in slot 1.
   [edit system ddos-protection protocols dhcpv4]user@host# set offer fpc 1 bandwidth-scale 80user@host# set offer fpc 1 burst-scale 75
10. Configure the maximum traffic rate for the PPPoE aggregate policer, that is, for the combination of all PPPoE packets.
    [edit system ddos-protection protocols dhcpv4]user@host# up[edit system ddos-protection protocols]user@host# set pppoe aggregate bandwidth 800
11. Configure tracing for all DDoS protocol processing events.
    [edit system ddos-protection traceoptions]user@host# set file ddos-loguser@host# set file size 10muser@host# set flag all

Results

From configuration mode, confirm your configuration by entering the show ddos-protection command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the DDoS protection configuration is working properly, perform these tasks:

• Verifying the DHCPv4 DDoS Protection Configuration and Operation
• Verifying the PPPoE DDoS Configuration

Verifying the DHCPv4 DDoS Protection Configuration and Operation

Purpose

Verify that the DHCPv4 aggregate and protocol policer values have changed from the default. With DHCPv4 and PPPoE traffic flowing, verify that the policers are working correctly. You can enter commands to display the individual policers you are interested in, as shown here, or you can enter the show ddos-protection protocols dhcpv4 command to display this information for all DHCPv4 packet types.

Action

From operational mode, enter the show ddos-protection protocols dhcpv4 aggregate command.

Protocol Group: DHCPv4

  Packet type: aggregate (aggregate for all DHCPv4 traffic)
    Aggregate policer configuration:
      Bandwidth:        669 pps
      Burst:            6000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is no longer being violated
        No. of FPCs currently receiving excess traffic: 0
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2011-03-10 06:27:47 PST
        Violation last seen at:      2011-03-10 06:28:57 PST
        Duration of violation: 00:01:10 Number of violations: 1
      Received:  71064               Arrival rate:     0 pps
      Dropped:   23115               Max arrival rate: 1000 pps
    Routing Engine information:
      Bandwidth: 669 pps, Burst: 6000 packets, enabled
      Aggregate policer is never violated
      Received:  36130               Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 671 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (669 pps), Burst: 100% (5000 packets), enabled
      Aggregate policer is no longer being violated
        Violation first detected at: 2011-03-10 06:27:48 PST
        Violation last seen at:      2011-03-10 06:28:58 PST
        Duration of violation: 00:01:10 Number of violations: 1
      Received:  71064               Arrival rate:     0 pps
      Dropped:   34934               Max arrival rate: 1000 pps
        Dropped by individual policers: 11819
        Dropped by aggregate policer: 23115

From operational mode, enter the show ddos-protection protocols dhcpv4 discover command.

Protocol Group: DHCPv4

  Packet type: discover (DHCPv4 DHCPDISCOVER)
    Individual policer configuration:
      Bandwidth:        100 pps
      Burst:            300 packets
      Priority:         low
      Recover time:     200 seconds
      Enabled:          Yes
      Bypass aggregate: No
    System-wide information:
      Bandwidth is no longer being violated
        No. of FPCs currently receiving excess traffic: 0
        No. of FPCs that have received excess traffic:  1
        Violation first detected at: 2011-03-10 06:28:34 PST
        Violation last seen at:      2011-03-10 06:28:55 PST
        Duration of violation: 00:00:21 Number of violations: 1
      Received:  47949               Arrival rate:     0 pps
      Dropped:   11819               Max arrival rate: 671 pps
    Routing Engine information:
      Bandwidth: 100 pps, Burst: 300 packets, enabled
      Policer is never violated
      Received:  36130               Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (100 pps), Burst: 100% (300 packets), enabled
      Policer is no longer being violated
        Violation first detected at: 2011-03-10 06:28:35 PST
        Violation last seen at:      2011-03-10 06:28:55 PST
        Duration of violation: 00:00:20 Number of violations: 1
      Received:  47949               Arrival rate:     0 pps
      Dropped:   11819               Max arrival rate: 671 pps
        Dropped by this policer: 11819
        Dropped by aggregate policer: 0

From operational mode, enter the show ddos-protection protocols dhcpv4 offer command.

Protocol Group: DHCPv4

  Packet type: offer (DHCPv4 DHCPOFFER)
    Individual policer configuration:
      Bandwidth:        1000 pps
      Burst:            1000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: Yes
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 80% (800 pps), Burst: 75% (750 packets), enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0

Meaning

The output of these commands lists the policer configuration and traffic statistics for the DHCPv4 aggregate, discover, and offer policers respectively.

The Aggregate policer configuration section in the first output example and Individual policer configuration sections in the second and third output examples list the configured values for bandwidth, burst, priority, recover time, and bypass-aggregate.

The System-wide information section shows the total of all DHCPv4 traffic statistics and violations for the policer recorded across all line cards and at the Routing Engine. The Routing engine information section shows the traffic statistics and violations for the policer recorded at the Routing Engine. The FPC slot 1 information section shows the traffic statistics and violations for the policer recorded only at the line card in slot 1.

• The System-wide information section shows that 71,064 DHCPv4 packets of all types were received across all line cards and the Routing Engine. The section shows a single violation with a time stamp and that the aggregate policer at a line card dropped 23,115 of these packets.
• The FPC slot 1 information section shows that this line card received all 71,064 DHCPv4 packets, but its aggregate policer experienced a violation and dropped the 23,115 packets shown in the other section. The line card individual policers dropped an additional 11,819 packets.
• The Routing Engine information section shows that the remaining 36,130 packets all reached the Routing Engine and that its aggregate policer dropped no additional packets.

  The difference between the number of DHCPv4 packets received and dropped at the line card [71,064 - (23,115 + 11,819)] matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 1received any DHCPv4 packets.

• The System-wide information section shows that 47,949 DHCPv4 discover packets were received across all line cards and the Routing Engine. The section shows a single violation with a time stamp and that the aggregate policer at a line card dropped 11,819 of these packets.
• The FPC slot 1 information section shows that this line card received all 47,949 DHCPv4 discover packets, but its individual policer experienced a violation and dropped the 11,819 packets shown in the other section.
• The Routing Engine information section shows that only 36,130 DHCPv4 discover packets reached the Routing Engine and that it dropped no additional packets.

  The difference between the number of DHCPv4 discover packets received and dropped at the line card (47,949 - 11,819) matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 1received any DHCPv4 discover packets.

• This individual policer has never been violated at any location.
• No DHCPv4 offer packets have been received at any location.

Verifying the PPPoE DDoS Configuration

Purpose

Verify that the PPPoE policer values have changed from the default.

Action

From operational mode, enter the show ddos-protection protocols pppoe parameters brief command.

Number of policers modified: 1
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled aggr.  mod
pppoe       aggregate   800*      2000   medium   300       yes     --     no
pppoe       padi        500       500    low      300       yes     no     no
pppoe       pado        0         0      low      300       yes     no     no
pppoe       padr        500       500    medium   300       yes     no     no
pppoe       pads        0         0      low      300       yes     no     no
pppoe       padt        1000      1000   high     300       yes     no     no
pppoe       padm        0         0      low      300       yes     no     no
pppoe       padn        0         0      low      300       yes     no     no

From operational mode, enter the show ddos-protection protocols pppoe padi command, and enter the command for padr as well.

Protocol Group: PPPoE

  Packet type: padi (PPPoE PADI)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         low
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    System-wide information:
      Bandwidth for this packet type is being violated!
        Number of slots currently receiving excess traffic: 1
        Number of slots that have received excess traffic:  1
        Violation first detected at: 2011-03-09 11:26:33 PST
        Violation last seen at:      2011-03-10 12:03:44 PST
        Duration of violation: 1d 00:37 Number of violations: 1
      Received:  704832908           Arrival rate:     8000 pps
      Dropped:   660788548           Max arrival rate: 8008 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  39950330            Arrival rate:     298 pps
      Dropped:   0                   Max arrival rate: 503 pps
        Dropped by aggregate policer: 0
    FPC slot 3 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is currently being violated!
        Violation first detected at: 2011-03-09 11:26:35 PST
        Violation last seen at:      2011-03-10 12:03:44 PST
        Duration of violation: 1d 00:37 Number of violations: 1
      Received:  704832908           Arrival rate:     8000 pps
      Dropped:   664882578           Max arrival rate: 8008 pps
        Dropped by this policer: 660788548
        Dropped by aggregate policer: 4094030

Protocol Group: PPPoE

  Packet type: padr (PPPoE PADR)
    Individual policer configuration:
      Bandwidth:        500 pps
      Burst:            500 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    System-wide information:
      Bandwidth for this packet type is being violated!
        Number of slots currently receiving excess traffic: 1
        Number of slots that have received excess traffic:  1
        Violation first detected at: 2011-03-10 06:21:17 PST
        Violation last seen at:      2011-03-10 12:04:14 PST
        Duration of violation: 05:42:57 Number of violations: 1
      Received:  494663595           Arrival rate:     24038 pps
      Dropped:   484375900           Max arrival rate: 24062 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 500 packets, enabled
      Policer is never violated
      Received:  10287695            Arrival rate:     500 pps
      Dropped:   0                   Max arrival rate: 502 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
      Policer is currently being violated!
        Violation first detected at: 2011-03-10 06:21:18 PST
        Violation last seen at:      2011-03-10 12:04:14 PST
        Duration of violation: 05:42:56 Number of violations: 1
      Received:  494663595           Arrival rate:     24038 pps
      Dropped:   484375900           Max arrival rate: 24062 pps
        Dropped by this policer: 484375900
        Dropped by aggregate policer: 0

Meaning

The output from the show ddos-protection protocols pppoe parameters brief command lists the current configuration for each of the individual PPPoE packet policers and the PPPoE aggregate policer. A change from a default value is indicated by an asterisk next to the modified value. The only change made to PPPoE policers in the configuration steps was to the aggregate policer bandwidth; this change is confirmed in the output. Besides the configuration values, the command output also reports whether a policer has been disabled, whether it bypasses the aggregate policer (meaning that the traffic for that packet type is not included for evaluation by the aggregate policer), and whether the policer has been modified for one or more line cards.

• The System-wide information section shows that 704,832,908 PPPoE PADI packets were received across all line cards and the Routing Engine. The section shows a single violation on a line card that is still in progress, and that the aggregate policer at the line card dropped 660,788,548 of the PADI packets.
• The FPC slot 3 information section shows that this line card received all 704,832,908 PADI packets. Its individual policer dropped 660,788,548 of those packets and its aggregate policer dropped the other 4,094,030 packets. The violation is ongoing and has lasted more than a day.
• The Routing Engine information section shows that only 39,950,330 PADI packets reached the Routing Engine and that it dropped no additional packets.

  The difference between the number of PADI packets received and dropped at the line card [704,832,908 - (660,788,548 + 4,094030)] matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 3 received any PADI packets.

• The System-wide information section shows that 494,663,595 PPPoE PADR packets were received across all line cards and the Routing Engine. The section shows a single violation on a line card that is still in progress, and that the policer at the line card dropped 484,375,900 of the PADR packets.
• The FPC slot 1 information section shows that this line card received all 494,663,595 PADR packets. Its individual policer dropped 484,375,900 of those packets. The violation is ongoing and has lasted more than five hours.
• The Routing Engine information section shows that only 10,287,695 PADR packets reached the Routing Engine and that it dropped no additional packets.

  The difference between the number of PADR packets received and dropped at the line card (494,663,595 - 484,375,900) matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 1 received any PADR packets.

Note: This scenario is unrealistic in showing all PADI packets received on one line card and all PADR packets on a different line card. The intent of the scenario is to illustrate how policer violations are reported for individual line cards.