Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

ddos-protection (DDoS)

Syntax (ACX Series Routers, ACX7100, ACX7900 Devices)

Syntax (PTX Series Routers and QFX Series, EX4100, and EX4400 Switches)

Syntax (Other Routers, ACX7100-48L, and EX9200 Switches)

Hierarchy Level

Description

Configure DDoS protection policers for control plane DDoS protection.

DDoS attacks typically use network control packets to trigger large numbers of exceptions to a device’s control plane that disrupts normal network operations. DDoS protection polices traffic to enable the device to continue functioning under a DDoS attack.

DDoS protection is enabled by default on supporting devices for the protocol groups and packet types available on the device. You can disable particular policers or change default policer parameters, including:

  • Set the maximum allowed traffic rate, maximum burst size, and traffic priority.

  • (On some devices) Define how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack.

  • (On some devices) Scale bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.

Note:

Some EX Series switches might have control plane DDoS protection but don’t support CLI options to show or change the default policer parameters.

DDoS protection supports policers for many protocol groups. On some devices, you can change policer parameters for specific packet types within some protocol groups. Protocol group and packet type support varies across platforms and Junos OS releases. See the protocols statement for details on the main differences, as follows:

The remaining statements in this configuration statement hierarchy are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Note:

ACX7900 devices do not support Suspicious Control Flow Detection (SCFD) configuration.

FPC level configurations are only supported on ACX7900 devices.

PTX Series routers and QFX10002-60C switches do not support the bypass-aggregate option.

Starting in Junos OS Release 24.2R1, you can configure the DDOS protocol using CLI on EX4100 and EX4400 devices.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.2.

Statement introduced in Junos OS Release 24.2R1 for MX304 devices.

Support for Enhanced Subscriber Management added in Junos OS Release 17.3R1.