ddos-protection (DDoS)
Syntax (ACX Series Routers, ACX7100, ACX7900 Devices)
ddos-protection {
    global {
        disable-routing-engine;
        disable-logging;
    }
    protocols protocol-group aggregate {
        fpc fpc-number;
        bandwidth packets-per-second;
        burst size;
        disable-logging;
        disable-routing-engine;
        priority level;
    }
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag;
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
}
Syntax (PTX Series Routers and QFX Series, EX4100, and EX4400 Switches)
ddos-protection {
    global {
        disable-fpc;
        disable-logging;
    }
    protocols protocol-group (aggregate | packet-type) {
        bandwidth packets-per-second;
        burst size;
        bypass-aggregate;
        disable-fpc;
        disable-logging;
        fpc slot-number {
            bandwidth-scale percentage;
            burst-scale percentage;
            disable-fpc;
        }
        priority level;
    }
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag;
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
}
Syntax (Other Routers, ACX7100-48L, and EX9200 Switches)
ddos-protection {
    global {
        disable-fpc;
        disable-logging;
        disable-routing-engine;
        flow-detection;
        flow-level-control;
        flow-detection-mode;
        flow-report-rate;
        violation-report-rate;
    }
    protocols protocol-group (aggregate | packet-type) {
        bandwidth packets-per-second;
        burst size;
        bypass-aggregate;
        disable-fpc;
        disable-logging;
        disable-routing-engine;
        flow-detection-mode (automatic | off | on);
        flow-detect-time seconds;
        flow-level-bandwidth {
            logical-interface flow-bandwidth;
            physical-interface flow-bandwidth;
            subscriber flow-bandwidth;
        }
        flow-level-control {
            logical-interface flow-control-mode;
            physical-interface flow-control-mode;
            subscriber flow-control-mode;
        }
        flow-level-detection {
            logical-interface flow-detection-mode;
            physical-interface flow-detection-mode;
            subscriber flow-detection-mode;
        }
        flow-recover-time seconds;
        flow-timeout-time seconds;
        fpc slot-number {
            bandwidth-scale percentage;
            burst-scale percentage;
            disable-fpc;
        }
        ipsec {
            ike;
            on-trigger;
            mtu-error;
            sn-alarm;
            spi-inval;
            tx-alarm;
            unclassified;
        }
        no-flow-logging;
        priority level;
        recover-time seconds;
        timeout-active-flows;
    }
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag;
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
}
Hierarchy Level
[edit system]
Description
Configure DDoS protection policers for control plane DDoS protection.
DDoS attacks typically use network control packets to trigger large numbers of exceptions to a device's control plane, which disrupts normal network operations. DDoS protection polices this traffic so that the device can continue functioning while under a DDoS attack.
DDoS protection is enabled by default on supporting devices for the protocol groups and packet types available on the device. You can disable particular policers or change default policer parameters, including:
- Set the maximum allowed traffic rate, maximum burst size, and traffic priority.
- (On some devices) Define how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack.
- (On some devices) Scale bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.
Some EX Series switches might have control plane DDoS protection but don’t support CLI options to show or change the default policer parameters.
DDoS protection supports policers for many protocol groups. On some devices, you can change policer parameters for specific packet types within some protocol groups. Protocol group and packet type support varies across platforms and Junos OS releases. See the protocols statement for details on the main differences, as follows:
- For ACX Series routers, PTX Series routers and QFX Series switches, see protocols (DDoS) (ACX Series, PTX Series, and QFX Series).
- For all other routing devices and EX9200 switches, see protocols (DDoS).
The remaining statements in this configuration statement hierarchy are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
ACX7900 devices do not support Suspicious Control Flow Detection (SCFD) configuration.
FPC level configurations are only supported on ACX7900 devices.
PTX Series routers and QFX10002-60C switches do not support the bypass-aggregate option.
Starting in Junos OS Release 24.2R1, you can configure DDoS protection using the CLI on EX4100 and EX4400 devices.
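The following configuration is an added example and not part of the original page; it puts the statements described above together for a router that supports the full hierarchy (the "Other Routers" syntax). It assumes that arp is an available protocol group on the platform, that slot 2 holds a line card, and that the policer values, the recover time and the trace file name are constructed for illustration rather than recommended settings.

```junos
system {
    ddos-protection {
        global {
            /* Keep suspicious-flow detection enabled so an offending interface can be identified (constructed example) */
            flow-detection;
        }
        protocols {
            /* Protocol group assumed to exist on this platform; confirm with "show ddos-protection protocols" */
            arp {
                aggregate {
                    /* Override the default policer: 1000 pps sustained, bursts of up to 2000 packets */
                    bandwidth 1000;
                    burst 2000;
                    /* Treat ARP as low priority when the Routing Engine is under load */
                    priority low;
                    /* 120 seconds must pass after the last violation before the flow is considered recovered */
                    recover-time 120;
                    /* Line card in slot 2 trips at 50% of the protocol-level thresholds (500 pps, 1000-packet burst) */
                    fpc 2 {
                        bandwidth-scale 50;
                        burst-scale 50;
                    }
                }
            }
        }
        traceoptions {
            /* File name and size are constructed; rotate at 1 MB across 3 files, readable only by privileged users */
            file ddos-trace size 1m files 3 no-world-readable;
            flag all;
            level error;
        }
    }
}
```

After committing, the effective per-FPC and protocol-level thresholds and any current violations can be checked with the operational command show ddos-protection protocols arp.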
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 24.2R1 for MX304 devices.
Support for Enhanced Subscriber Management added in Junos OS Release 17.3R1.