Supported Platforms
Configuring the Detection Period for Suspicious Flows
DDoS protection flow detection considers a monitored flow to be a suspicious flow whenever the flow exceeds its allowed bandwidth, based on a crude test that eliminates obviously good flows from consideration. A closer examination of a suspicious flow requires the flow to remain in violation of the bandwidth for a period of time before flow detection considers it to be a culprit flow against which it must take action. You can include the flow-detect-time statement to configure the duration of this detection period or you can rely on the default period of three seconds.
 | Best Practice: We recommend that you use the default value for the detection period. |
To specify how long a flow must be in violation before flow detection declares it to be a culprit flow:
- Set the detection period.[edit system ddos-protection protocols protocol-group packet-type]user@host# set flow-detect-time seconds
For example, include the following statement to require the DHCPv4 discover packet flow to be in violation of its allowed bandwidth for 30 seconds before it is considered to be a culprit flow:
[edit system ddos-protection protocols dhcpv4 discover]user@host# set flow-detect-time 30
