This example will describe how you can use the AppDDoS module to protect a DNS server.
When setting up AppDDoS protection for a DNS server, first observe the average load of DNS requests. If the DNS server is expected to handle a normal load of 1000 requests per second, choose 20% in excess of the normal load (1200 requests per second) as the connection-rate-threshold. This is essentially 60,000 transactions in 60 seconds, so choose 20% in excess of this load as the context hit-rate-threshold (72,000). You can choose the context value-hit-rate-threshold based on the maximum load of requests for the same domain name being queried for non-exempt context dns-type-cname values. For example, if it is impractical for the DNS server to receive queries for the domain xyz.com more than 2000 times in 60 seconds, the context value-hit-rate-threshold should be set to 20% more than that value, which is 2400 times in 60 seconds.
For monitoring and reporting, you can optionally set max-context-values to 100, so that at most the 100 most active DNS query values are monitored and reported. A client that falls within this most-active set is most likely a malicious bot client. Once bot clients are identified, you can configure ip-action as ip-block with a timeout of 600 seconds (the bot client is denied access for 1 hour) and set the session action to drop-packet.
In the above example, IDP starts deep protocol analysis when the number of connections per second exceeds 1200, and starts bot-client classification if either the total number of queries for context dns-type-name exceeds 72000 or the number of requests for the same query value exceeds 2400.
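To make the sizing step above concrete, here is an added Python example (not Juniper's code and not from this page) that derives the three thresholds from an observed DNS query log using the 20% headroom the text applies. It assumes a constructed log format of `<ISO-8601 UTC timestamp> <client-ip> <qname> <qtype>` and builds its own sample traffic; the 60-second window, the object name dns-server-1 and the context dns-type-name come from the text.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
WINDOW = 60        # AppDDoS context hit counts are evaluated per 60 seconds
HEADROOM_PCT = 20  # the text sizes each threshold 20% above the observed normal load

def parse_line(line):
    """Assumed log format (constructed): '<ISO-8601 UTC timestamp> <client-ip> <qname> <qtype>'."""
    ts, _client, qname, _qtype = line.split()
    return int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()), qname.lower()

def observe(lines):
    """Peak queries/s, peak queries per 60 s window, and peak hits for a single name per window."""
    names_per_sec = defaultdict(Counter)          # second -> Counter of query names seen
    for line in lines:
        sec, qname = parse_line(line)
        names_per_sec[sec][qname] += 1
    peak_window = peak_value = 0
    for start in range(min(names_per_sec), max(names_per_sec) + 1):   # slide a 60 s window
        names = Counter()
        for sec in range(start, start + WINDOW):
            names.update(names_per_sec.get(sec, {}))
        peak_window = max(peak_window, sum(names.values()))
        peak_value = max(peak_value, max(names.values(), default=0))
    return {"peak_qps": max(sum(c.values()) for c in names_per_sec.values()),
            "peak_window_hits": peak_window, "peak_value_hits": peak_value}

def with_headroom(value):
    return (value * (100 + HEADROOM_PCT) + 99) // 100   # integer ceiling; 1000 -> 1200, 60000 -> 72000

def recommend(lines, name="dns-server-1"):
    """Map observed peaks to the three thresholds used in the text and the matching set commands."""
    o = observe(lines)
    t = {"connection-rate-threshold": with_headroom(o["peak_qps"]),
         "hit-rate-threshold": with_headroom(o["peak_window_hits"]),
         "value-hit-rate-threshold": with_headroom(o["peak_value_hits"])}
    ctx = f"set application-ddos {name} context dns-type-name"
    cmds = [f"set application-ddos {name} connection-rate-threshold {t['connection-rate-threshold']}",
            f"{ctx} hit-rate-threshold {t['hit-rate-threshold']}",
            f"{ctx} value-hit-rate-threshold {t['value-hit-rate-threshold']}"]
    return t, cmds

def constructed_log(seconds=120):
    """Constructed sample: 10 queries/s spread over three names, plus a 40-query burst for xyz.com at t=70 s."""
    names = ["xyz.com", "example.net", "mail.xyz.com"]
    lines = []
    for t in range(seconds):
        stamp = f"2024-01-01T00:{t // 60:02d}:{t % 60:02d}"
        lines += [f"{stamp} 10.0.0.{i} {names[i % 3]} A" for i in range(10)]
        if t == 70:
            lines += [f"{stamp} 10.0.1.{i} xyz.com A" for i in range(40)]
    return lines
```

Running `recommend(constructed_log())` returns the sized thresholds together with the `set` lines to paste under `[edit security idp]`; on real traffic, feed it a capture that spans the server's true peak period rather than an average hour.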
Note: When an AppDDoS attack occurs on the application server, it will have much higher transaction rates than it does under normal or even peak load. With this in mind, it is best to set higher thresholds than the normal peak of the application server so it does not trigger unnecessary client classification processing. This will improve the overall performance of the Juniper device, since the AppDDoS module will not start client classification until the server has actually reached abnormal transaction rates.
Before You Begin

For background information, read Application-level Distributed Denial-of-Service (AppDDoS) Attack Overview and Application-level Distributed Denial-of-Service (AppDDoS) Protection Overview.
To enable protection against AppDDoS for a DNS server, use the CLI configuration editor.
For detailed information about the following commands, see the JUNOS Software CLI Reference.
This topic covers:
```
[edit security idp]
user@host# set application-ddos dns-server-1
user@host# set application-ddos dns-server-1 service dns
user@host# set application-ddos dns-server-1 connection-rate-threshold 1200
user@host# set application-ddos dns-server-1 context dns-type-name hit-rate-threshold 72000
user@host# set application-ddos dns-server-1 context dns-type-name value-hit-rate-threshold 2400
user@host# set application-ddos dns-server-1 context dns-type-name max-context-values 100
user@host# set application-ddos dns-server-1 context dns-type-name time-binding-count 10
user@host# set application-ddos dns-server-1 context dns-type-name time-binding-period 30
```
Note: You can continue to set other protocol contexts and thresholds that you would like to monitor.

Note: You can only define one DDoS application per AppDDoS rule. Create additional rules to monitor multiple DDoS applications. Each AppDDoS rule is a terminal rule, meaning that only one matching rule is considered for incoming traffic matching.
```
[edit security idp]
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match source-address any
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match to-zone any
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match destination-address any
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match application default
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match application-ddos dns-server-1
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then action drop-packet
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then ip-action ip-block
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then ip-action timeout 600
```