A denial-of-service (DoS) attack is any attempt
to deny valid users access to network or server resources by using
up all the resources of the network element or server. Denial of service
protection provides reactive prevention from attack and determines
whether the source of traffic is valid or invalid. DoS protection
includes diagnostic tools and configuration options. DoS protection
groups provide a simple policy that can be applied to interfaces,
which can specify a set of parameters to tune behavior.
Figure 29 shows an example
of the state of a flow with DoS protection using suspicious control
flow detection (SCFD).
Figure 29: Typical Control Packet Processing
Suspicious Control Flow Detection
To reduce the chance of a successful denial of
service (DoS) attack and to provide diagnostic abilities while undergoing
an attack, the system can detect suspicious control flows and keep
state on those flows. A flow is a specific control protocol on a specific
interface from a particular source. When the system determines that
a control flow is suspicious, it can take corrective action on that
control flow.
Keeping full state on each control flow can use
a large number of resources. Instead, the system detects which flows
have suspicious traffic. If a control flow is marked as suspicious,
every packet associated with the flow is considered suspicious. When
a packet is marked as suspicious, it is dropped based on drop probability
before being delivered to the control processor.
When a distributed DoS attack occurs on a line
module, suspicious flow control resources can be exhausted. To provide
further countermeasures, you can enable the group feature, where
flows are grouped together and treated as a whole. If you do not use
the group feature, suspicious flows can fill up the suspicious flow
table and prevent detection of additional attacking flows.
Suspicious Control Flow Monitoring
Each protocol has a per-protocol rate limit. The
rate limiter is used to limit the rate of packets that proceed to
the control processor for the specific protocol. Per-protocol rate
limiting is also used to begin the process by which flows of the specific
protocol are monitored.
Each priority has a per-priority rate limit. The
rate limiter limits the rate of packets that proceed to the control
processor for the specific priority. It also begins the process by
which flows of the specific priority are monitored.
All protocols on each line module have a rate limit.
Each protocol is associated with a given priority, which is also provided
with a rate limit. When a slot comes under attack, the first lines
of defense are the protocol and priority rate limiters. If the line
module determines that a specific protocol or priority is under attack
(because the rate has been exceeded), it proceeds to monitor all flows
from the problem protocol or priority. Initially, a control flow is
marked as nonsuspicious.
After a control flow is placed in the suspicious
flow table, the system inspects all packets that belong to the flow.
The interface controller (IC) and forwarding controller (FC) monitor
the table to determine whether the suspicious flow has a packet rate
above the suspicious level. If the packet rate is above this level,
the flow is marked as suspicious. Marking a control flow as suspicious
affects only a particular protocol on a particular interface. When
a flow is marked as suspicious, all packets belonging to that flow
are marked as suspicious and trapped at the forwarding controller.
Suspicious control flows are
continually monitored. The flow can be restored if the flow goes below
the low threshold level. The flow can also be restored based on a
backoff timer. The flow is removed from the suspicious flow table
if the related interface is removed.
Approximately 2000 flows can be monitored as suspicious
at any time for each line module. When the suspicious flow table on
a particular line module reaches its maximum and the system is not
set to group flows, flows that should be marked as suspicious proceed
as nonsuspicious. When you return a suspicious flow to a nonsuspicious
state or delete it, the flows that did not fit into the table are
added to the table.
By default, the system groups flows when the suspicious
flow table size is exceeded on a line module. When the flow table
is full, instead of marking a specific flow in that group as suspicious
and providing information on each flow on that line module, the system
groups flows based on group membership and provides information on
the group instead of each flow. This flow information is useful under
severe distributed DoS attacks. Group membership is based on physical
port and control protocol; all flows in that group are considered
suspicious.
Configurable Options
You can configure the following options for suspicious
flow detection:
Global on or off. When the option is set to off, flows
or packets are not marked as suspicious. The default is on.
Actions a line module takes when the suspicious flow table
on the line module overflows:
Overflow—Stop recognizing new suspicious flows
Group—Group flows into logical groupings where some
individual flows are monitored as a group
Suspicious threshold for each protocol. The threshold
is the rate in packets per second at which a flow becomes suspicious.
A zero setting disables suspicious flow detection for the protocol;
flows of that protocol remain subject to the protocol and priority rate
limits, but are never marked suspicious.
Low threshold for each protocol. The threshold rate determines
whether an interface transitions from suspicious back to nonsuspicious.
A zero setting means that the flow does not transition back to nonsuspicious
based on packet rate.
Backoff time in seconds for each protocol. After this
period expires, the flow transitions to nonsuspicious regardless of
the current rate. When set to zero, an interface does not return to
the nonsuspicious state using a time mechanism.
You can also clear the following:
All suspicious flows from the suspicious flow table for
a specific slot.
Suspicious flows from the suspicious flow table for the
entire system.
A single suspicious flow; returns the flow to the nonsuspicious
state.
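The detection, recovery and overflow behavior described above can be followed in a small model. The following Python is an added example written for this page, not JunosE code or output: the per-second rate accounting, the `Scfd` class, the `Flow` fields and the ARP flows in `run_demo` are constructed for illustration. The group key (port, protocol) follows the statement that group membership is based on physical port and control protocol, and the drop decision applies a drop probability in percent as the DoS protection group parameter does.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Set, Tuple


@dataclass(frozen=True)
class ProtocolConfig:
    threshold: int      # pps at which a flow becomes suspicious; 0 disables SCFD for the protocol
    low_threshold: int  # pps below which a suspicious flow recovers; 0 = no rate-based recovery
    backoff: int        # seconds after which it recovers regardless of rate; 0 = no timer recovery


class Flow(NamedTuple):
    protocol: str
    port: str    # stands in for the interface and its physical port (assumption of this model)
    source: str


class Scfd:
    """Suspicious flow table of one line module, with overflow and group handling."""

    def __init__(self, protocols: Dict[str, ProtocolConfig], table_size: int = 2000,
                 group_on_overflow: bool = True, enabled: bool = True) -> None:
        self.protocols = protocols
        self.table_size = table_size          # the text gives roughly 2000 per line module
        self.group_on_overflow = group_on_overflow
        self.enabled = enabled                # global on/off option
        self.table: Dict[Flow, int] = {}      # suspicious flow -> backoff seconds remaining
        self.groups: Set[Tuple[str, str]] = set()  # (port, protocol) groups marked suspicious
        self.total_suspicious = 0
        self.overflows = 0
        self.log: List[str] = []              # stands in for the traps and log messages

    def tick(self, rates: Dict[Flow, int]) -> None:
        """Process one second of per-flow packet rates for flows under monitoring."""
        if not self.enabled:
            return
        for flow, rate in rates.items():
            cfg = self.protocols[flow.protocol]
            if cfg.threshold == 0:
                continue  # protocol excluded from SCFD; rate limiters still apply
            if flow in self.table:
                self._monitor(flow, rate, cfg)
            elif rate > cfg.threshold:
                self._mark(flow, cfg)

    def _monitor(self, flow: Flow, rate: int, cfg: ProtocolConfig) -> None:
        if cfg.low_threshold and rate < cfg.low_threshold:
            self._restore(flow, "rate below low threshold")
        elif cfg.backoff:
            self.table[flow] -= 1
            if self.table[flow] <= 0:
                self._restore(flow, "backoff timer expired")

    def _mark(self, flow: Flow, cfg: ProtocolConfig) -> None:
        if len(self.table) < self.table_size:
            self.table[flow] = cfg.backoff
            self.total_suspicious += 1
            self.log.append(f"TRAP {flow} -> suspicious")
            return
        self.overflows += 1
        if self.group_on_overflow:
            group = (flow.port, flow.protocol)
            if group not in self.groups:
                self.groups.add(group)
                self.log.append(f"TRAP table full, group {group} -> suspicious")
        else:
            self.log.append(f"LOG table overflow, {flow} stays nonsuspicious")

    def _restore(self, flow: Flow, why: str) -> None:
        del self.table[flow]   # frees a slot; flows that did not fit are re-evaluated next tick
        self.log.append(f"TRAP {flow} -> nonsuspicious ({why})")

    def is_suspicious(self, flow: Flow) -> bool:
        return flow in self.table or (flow.port, flow.protocol) in self.groups

    def should_drop(self, flow: Flow, drop_probability: int, rng: random.Random) -> bool:
        """Suspicious packets are dropped with the group's drop probability (percent)."""
        return self.is_suspicious(flow) and rng.random() * 100 < drop_probability

    def clear(self) -> None:
        """Equivalent of clearing the whole table: forget all suspicious flows and groups."""
        self.table.clear()
        self.groups.clear()


def sample_drops(scfd: Scfd, flow: Flow, drop_probability: int, n: int = 1000) -> int:
    """Count how many of n packets on `flow` the drop decision would discard."""
    rng = random.Random(7)
    return sum(scfd.should_drop(flow, drop_probability, rng) for _ in range(n))


def run_demo() -> dict:
    """Constructed scenario: a table of two entries and three attacking ARP flows."""
    scfd = Scfd({"arp": ProtocolConfig(threshold=10, low_threshold=5, backoff=3)}, table_size=2)
    a, b, c = (Flow("arp", "ge1", "10.0.0.1"), Flow("arp", "ge0", "10.0.0.2"),
               Flow("arp", "ge0", "10.0.0.3"))
    scfd.tick({a: 50, b: 50, c: 50})   # a and b fill the table; c overflows into group (ge0, arp)
    during = (scfd.is_suspicious(a), scfd.is_suspicious(b), scfd.is_suspicious(c))
    scfd.tick({a: 2, b: 50})           # a falls below the low threshold; b's backoff 3 -> 2
    scfd.tick({b: 50})                 # 2 -> 1
    scfd.tick({b: 50})                 # 1 -> 0: b leaves the table, but its group still marks it
    return {"during_attack": during, "a_suspicious": scfd.is_suspicious(a),
            "b_in_table": b in scfd.table, "b_suspicious": scfd.is_suspicious(b),
            "overflows": scfd.overflows, "total_suspicious": scfd.total_suspicious,
            "drops_at_100pct": sample_drops(scfd, b, 100), "drops_at_0pct": sample_drops(scfd, b, 0),
            "log": scfd.log}
```

The scenario shows the two consequences worth remembering when reading the counters: a flow that has been grouped stays suspicious after its own table entry is removed by the low threshold or backoff timer until the group is cleared, and with grouping off the third flow is simply never marked, which is the case the overflow counter exists to make visible.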
Display Options
For monitoring purposes, you can:
Display all suspicious control flows when the system has
recognized an attack.
Display the current state and the number of transitions
into suspicious state for the protocol and priority.
Display historical counts about the number of flows made
suspicious.
View a trap or log generated when a control flow is considered
suspicious.
View a trap or log generated when a control flow is no
longer suspicious.
Traps and Logs
The system generates a trap and a log message under
the following conditions:
A control flow transitions into a suspicious state; another
trap and log message is generated on removal from a suspicious state.
A protocol transitions to or from the suspicious state.
A priority transitions to or from the suspicious state.
The suspicious flow control system is overflowing or grouping
flows on a line module.
You can control trap and log messages using CLI
or SNMP commands.
Suspicious Control Flow Commands
Use the commands described in this section to regulate
suspicious control flows.
baseline suspicious-control-flow-detection counts
Use to set a baseline for statistics for suspicious control
flow detection.
Use to turn off overflow protection for suspicious control
flow detection, enabling flows to be grouped into larger entities
when the line module flow table overflows.
Use to set a threshold for a specific protocol; if the
flow rate falls below this rate, a suspicious flow changes to the
nonsuspicious state.
Low threshold is the rate in packets per second at which
a suspicious flow becomes no longer suspicious.
When set to zero, a suspicious flow cannot change to the
nonsuspicious state by means of a low threshold rate. To clear this
flow, you must use the clear suspicious-control-flow-detection command.
Use the commands described in this section to monitor
suspicious control flows.
show suspicious-control-flow-detection counts
Use to display statistics for suspicious control flow
detection. When a slot is specified, displays only information for
the specific slot. If no slot is specified, displays information for
all slots.
The delta keyword displays
statistics for the current baseline.
Field descriptions
Number of suspicious flows total—Total number of
suspicious flows, current and past
Number of suspicious flows current—Number of suspicious
flows currently detected and monitored
Number of groups total—Total number of groups, current
and past
Number of groups current—Number of groups currently
detected and monitored
Number of false negatives total—Total number of
flows that were monitored but never became suspicious (never exceeded
their threshold)
Number of false negatives current—Current number
of flows being monitored that have not become suspicious (have not
exceeded their threshold)
Number of table overflows—Number of times a flow
table overflows
Example
host1(config)#show suspicious-control-flow-detection counts
Suspicious Flow Detection System Counts
Number of suspicious flows total: 0
Number of suspicious flows current: 0
Number of groups total: 0
Number of groups current: 0
Number of false negatives total: 0
Number of false negatives current: 0
Number of table overflows: 0
show suspicious-control-flow-detection info
Use to display information about suspicious flows.
You can specify the following keywords:
delta—Displays statistics
for the current baseline
brief—Displays only
suspicious information
slot—Displays information
for the specific slot
Field descriptions
Protocol Information
Protocol—Control protocol of the flow
State
OK—Protocol is currently not receiving an excess
amount of traffic.
Suspicious—Protocol detected as receiving an excess
amount of traffic within the last backoff time in number of seconds.
Transitions—Number of times this protocol or priority
has transitioned to the suspicious state
Priority Information
Priority—Priorities map to a specific queue and
color; priority groups are Hi-Green, Hi-Yellow, Lo-Green and Lo-Yellow.
State
OK—Priority is currently not receiving an excess
amount of traffic.
Suspicious—Protocol detected as receiving an excess
amount of traffic within the last backoff time in number of seconds.
Transitions—Number of times this protocol or priority
has transitioned to the suspicious state
Example
host1(config)#show suspicious-control-flow-detection info slot 2
Suspicious Flow Detection System Information
Suspicious Flow Detection System is enabled
Using Groups
The suspicious control flow system is not in overflow state or using groups
Protocol Information
Protocol State Transitions
--------------------------------------- ---------- -----------
Ppp Echo Request OK 0
Ppp Echo Reply OK 0
Ppp Echo Reply Fastpath OK 0
Ppp Control OK 0
Atm Control (ILMI) OK 0
Atm OAM OK 0
Atm Dynamic Interface Column Creation OK 0
Atm Inverse ARP OK 0
Frame Relay LMI Control OK 0
Frame Relay Inverse Arp OK 0
Pppoe Control OK 0
Pppoe Config Dynamic Interface Column Creation OK 0
Ethernet ARP Miss OK 0
Ethernet ARP OK 0
Ethernet LACP packet OK 0
Ethernet Dynamic Interface Column Creation OK 0
Slep SLARP OK 0
MPLS TTL Exceeded On Receive OK 0
MPLS TTL Exceeded On Transmit OK 0
MPLS MTU Exceeded OK 0
Ipsec Transport Mode L2tp Control OK 0
NAT/Firewall Payload OK 0
NAT/Firewall Update Table OK 0
DHCP External OK 0
IP OSI OK 0
IP TTL Expired OK 0
IP Options Other OK 0
IP Options Router Alert OK 0
IP Multicast/Broadcast Other OK 0
IP Multicast DHCP (SC) OK 0
IP Multicast Control (SC) OK 0
IP Multicast Control (IC) OK 0
IP Multicast VRRP OK 0
IP Mulitcast Cache Miss OK 0
IP Multicast Cache Miss Auto Reply OK 0
IP Multicast Wrong Interface OK 0
IP Local DHCP (SC) OK 0
IP Local Dhcp (IC) OK 0
IP Local Icmp Echo OK 0
IP Local Icmp Other OK 0
IP Local LDP OK 0
IP Local BGP OK 0
IP Local OSPF OK 0
IP Local RSVP OK 0
IP Local PIM OK 0
IP Local COPS OK 0
IP Local L2tp Control (SC) OK 0
IP Local L2tp Control (IC) OK 0
IP Local Other OK 0
IP Local Subscriber Interface Miss OK 0
IP Route To SRP Ethernet OK 0
IP Route No Route Exists OK 0
IP Normal Path MTU OK 0
IP Neighbor Discovery OK 0
IP Neighbor Discovery Miss OK 0
IP Search Error OK 0
IP MLD OK 0
IP Local PIM Assert OK 0
IP Local BFD OK 0
IP IKE OK 0
IP Reassembly OK 0
IP Local Icmp Frag OK 0
IP Local Frag OK 0
IP Application Classifier HTTP Redirect OK 0
Priority Information
Priority State Transitions
------------ ---------- -----------
Hi-Green-IC OK 0
Hi-Yellow-IC OK 0
Lo-Green-IC OK 0
Lo-Yellow-IC OK 1
Hi-Green-SC OK 0
Hi-Yellow-SC OK 0
Lo-Green-SC OK 0
Lo-Yellow-SC OK 0
show suspicious-control-flow-detection protocol
Use to display the suspicious flow detection thresholds configured for
each control protocol.
Field descriptions
Protocol—Control protocol
Threshold—Threshold in packets per second
Lo-Threshold—Low threshold in packets per second
Backoff-Time—Backoff time in seconds
Example
host1(config)#show suspicious-control-flow-detection protocol
Protocol Threshold Lo-Threshold Backoff-Time
------------------------------ --------- ------------ ------------
Ppp Echo Request 10 5 300
Ppp Echo Reply 10 5 300
Ppp Echo Reply Fastpath 10 5 300
Ppp Control 10 5 300
Atm Control (ILMI) 10 5 300
Atm OAM 10 5 300
Atm Dynamic Interface Column 10 5 300
Creation
Atm Inverse ARP 10 5 300
Frame Relay LMI Control 10 5 300
Frame Relay Inverse Arp 10 5 300
Pppoe Control 512 256 300
Pppoe Config Dynamic Interface Column Creation 10 5 300
Ethernet ARP Miss 128 64 300
Ethernet ARP 128 64 300
Ethernet LACP packet 10 5 300
Ethernet Dynamic Interface Column Creation 512 256 300
Slep SLARP 128 64 300
MPLS TTL Exceeded On Receive 10 5 300
MPLS TTL Exceeded On Transmit 10 5 300
MPLS MTU Exceeded 10 5 300
Ipsec Transport Mode L2tp Control 2048 1024 300
NAT/Firewall Payload 512 256 300
NAT/Firewall Update Table 512 256 300
DHCP External 1024 512 300
IP OSI 2048 1024 300
IP TTL Expired 10 5 300
IP Options Other 512 256 300
IP Options Router Alert 2048 1024 300
IP Multicast/Broadcast Other 512 256 300
IP Multicast DHCP (SC) 512 256 300
IP Multicast Control (SC) 2048 1024 300
IP Multicast Control (IC) 512 256 300
IP Multicast VRRP 512 256 300
IP Mulitcast Cache Miss 128 64 300
IP Multicast Cache Miss Auto Reply 128 64 300
IP Multicast Wrong Interface 10 5 300
IP Local DHCP (SC) 512 256 300
IP Local Dhcp (IC) 512 256 300
IP Local Icmp Echo 512 256 300
IP Local Icmp Other 128 64 300
IP Local LDP 2048 1024 300
IP Local BGP 2048 1024 300
IP Local OSPF 64 32 300
IP Local RSVP 2048 1024 300
IP Local PIM 2048 1024 300
IP Local COPS 2048 1024 300
IP Local L2tp Control (SC) 2048 1024 300
IP Local L2tp Control (IC) 512 256 300
IP Local Other 512 256 300
IP Local Subscriber Interface Miss 512 256 300
IP Route To SRP Ethernet 512 256 300
IP Route No Route Exists 10 5 300
IP Normal Path MTU 10 5 300
IP Neighbor Discovery 128 64 300
IP Neighbor Discovery Miss 128 64 300
IP Search Error 10 5 300
IP MLD 512 256 300
IP Local PIM Assert 512 256 300
IP Local BFD 1024 512 300
IP IKE 512 256 300
IP Reassembly 2048 1024 300
IP Local Icmp Frag 512 256 300
IP Local Frag 512 256 300
IP Application Classifier HTTP Redirect 128 64 300
A DoS protection group provides a simple policy that
can be applied to interfaces. This policy can specify a complete set
of parameters to tune the behavior of the DoS protection groups. The
system uses these parameters to determine the priority and rates for
various control protocols. The rate of traffic for a particular protocol
is unlikely to be the same on all ports in the system. A configuration
can have several types of interfaces, such as DHCP access clients,
PPPoE access clients, and uplink interfaces. Each of these interfaces
requires a different DoS configuration. All
interfaces are associated with a default DoS protection group, which
has standard system defaults. The maximum rates are per line module,
and the drop probability is 100 percent (all suspicious packets are
dropped).
Group Parameters
DoS protection groups support the following set of parameters:
Protocol-to-priority mapping enables you to map a protocol
to one of four priorities.
Protocol burst enables you to configure the burst level
for the protocol. The burst is configurable in packets, and defaults
to a value in packets that is one half of the maximum rate.
Protocol maximum rate limit (per line module) enables
you to map a protocol to a maximum rate limit. This rate limit applies
to all packets for a particular protocol for interfaces belonging
to this particular DoS protection group on a line module. By having
a DoS protection group on a single line module, the total maximum
rate for a protocol can be up to the sum of the four rates configured,
depending on the DoS group attached to an interface. You can set a
maximum rate of zero for protocols that are not used. The actual rate
never exceeds the maximum rate, but the actual rate allowed can be
less than the configured maximum rate because of the weighting of
protocols within a DoS protection group and the use of multiple DoS
protection groups.
Protocol weight with respect to other protocols in the
DoS protection group enables you to balance the priority of the protocols.
For each priority grouping, weight determines the effective minimum
rate that each protocol receives. Within each priority, the sum of
the minimum rates for all protocols using that priority is equal to
or less than the priority rate times the over-subscription value.
Each priority has a separate rate for each DoS protection group.
Protocol drop probability for suspicious packets enables
you to map a protocol to a specific drop probability. The drop probability
is the percentage probability that a suspicious packet is dropped.
Protocol skip priority rate limiter enables you to configure
the system so that the specified protocol is not subject to the priority
rate limiter for the priority and DoS protection group selected. The
default is off—the protocol is subject to priority rate limiting.
Priority rate sets the rate of the priority in packets
per second for the line module. If this rate is exceeded, it triggers
DoS suspicious control flow detection.
Priority burst enables you to set the number of packets
allowed to exceed the maximum rate before packets are dropped and
DoS suspicious control flow detection is triggered.
Priority oversubscription enables you to set an oversubscription
factor for the priority rate limiter. In addition to the priority
rate, it calculates the minimum rate limits for protocols with a priority
grouping and allows for oversubscription of the priority rate. The
value indicates a percentage that the priority rate limiter is allowed
to be oversubscribed, in the range 100–1000.
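How the group parameters interact is easier to see on numbers than in prose. The following Python is an added example written for this page, not JunosE code: it models one line module's protocol rate limiters and priority rate limiters as token buckets, applies the default burst of half the maximum rate, honors the skip-priority flag, and uses the weights to compute effective minimum rates. The text fixes only that the sum of the minimum rates in a priority is at most the priority rate times the oversubscription value; splitting that budget in proportion to weight, capped at each protocol's own maximum rate, is this example's assumption, as are the `DosProtectionGroup` class, the constructed traffic figures and the use of the CLI protocol names from the tables below as dictionary keys.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Bucket:
    """Token bucket: `rate` packets/s sustained plus `burst` packets above it before drops."""
    rate: int
    burst: int
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.rate + self.burst

    def refill(self) -> int:
        """Credit one second of rate, capped at rate + burst; returns what is available."""
        self.tokens = min(self.rate + self.burst, self.tokens + self.rate)
        return self.tokens

    def take(self, n: int) -> int:
        allowed = min(n, self.tokens)
        self.tokens -= allowed
        return allowed


@dataclass
class ProtocolParams:
    priority: str
    rate: int                        # maximum pps per line module; 0 for protocols not used
    weight: int = 100
    skip_priority: bool = False      # bypass the priority rate limiter (default off)
    burst: Optional[int] = None      # defaults to half the maximum rate, as the text states

    def __post_init__(self) -> None:
        if self.burst is None:
            self.burst = self.rate // 2


@dataclass
class PriorityParams:
    rate: int
    burst: int = 0
    oversubscription: int = 100      # percent, 100-1000

    def __post_init__(self) -> None:
        if not 100 <= self.oversubscription <= 1000:
            raise ValueError("oversubscription must be between 100 and 1000 percent")


def effective_min_rates(protocols: Dict[str, ProtocolParams],
                        priorities: Dict[str, PriorityParams]) -> Dict[str, int]:
    """Minimum rate per protocol from its weight within its priority (proportional split
    is this example's assumption; the text only bounds the sum by rate x oversubscription)."""
    mins: Dict[str, int] = {}
    for prio, q in priorities.items():
        members = {n: p for n, p in protocols.items() if p.priority == prio}
        total_weight = sum(p.weight for p in members.values()) or 1
        budget = q.rate * q.oversubscription // 100
        for name, p in members.items():
            mins[name] = min(p.rate, budget * p.weight // total_weight)
    return mins


class DosProtectionGroup:
    """Two-stage limiter for one line module: protocol limiters, then priority limiters."""

    def __init__(self, protocols: Dict[str, ProtocolParams],
                 priorities: Dict[str, PriorityParams]) -> None:
        self.protocols, self.priorities = protocols, priorities
        self.proto_buckets = {n: Bucket(p.rate, p.burst) for n, p in protocols.items()}
        self.prio_buckets = {n: Bucket(q.rate, q.burst) for n, q in priorities.items()}
        self.min_rates = effective_min_rates(protocols, priorities)

    def pass_second(self, arrivals: Dict[str, int]) -> Tuple[Dict[str, int], Dict[str, int], Set[str]]:
        """Admit one second of arrivals; returns (passed, dropped, limiters exceeded)."""
        passed, exceeded = {}, set()
        for name, n in arrivals.items():                     # stage 1: protocol maximum rate
            bucket = self.proto_buckets[name]
            bucket.refill()
            passed[name] = bucket.take(n)
            if passed[name] < n:
                exceeded.add(f"protocol:{name}")             # would start SCFD monitoring
        for prio, bucket in self.prio_buckets.items():       # stage 2: priority rate
            members = [n for n in arrivals if self.protocols[n].priority == prio
                       and not self.protocols[n].skip_priority]
            demand = {n: passed[n] for n in members}
            if sum(demand.values()) > bucket.refill():
                exceeded.add(f"priority:{prio}")
            # weighted minimum rates first, then whatever is left, heaviest weight first
            grants = {n: bucket.take(min(demand[n], self.min_rates[n])) for n in members}
            for n in sorted(members, key=lambda m: -self.protocols[m].weight):
                grants[n] += bucket.take(demand[n] - grants[n])
            passed.update(grants)
        dropped = {n: arrivals[n] - passed[n] for n in arrivals}
        return passed, dropped, exceeded


def run_demo():
    """Constructed numbers: a BGP flood sharing the hi-green priority with OSPF and PPP control."""
    group = DosProtectionGroup(
        {"ipLocalBgp": ProtocolParams("hi-green", rate=2048, weight=300),
         "ipLocalOspf": ProtocolParams("hi-green", rate=64, weight=100),
         "pppControl": ProtocolParams("hi-green", rate=512, skip_priority=True)},
        {"hi-green": PriorityParams(rate=1000)})
    flood = group.pass_second({"ipLocalBgp": 5000, "ipLocalOspf": 50, "pppControl": 600})
    calm = group.pass_second({"ipLocalBgp": 500, "ipLocalOspf": 40, "pppControl": 100})
    return group.min_rates, flood, calm
```

In the flood second the BGP limiter caps BGP at its rate plus burst, the priority limiter then holds the two non-skipped protocols to 1000 packets in total, and OSPF still receives its full demand because its weighted minimum is served before BGP takes the remainder; this is the sense in which the actual rate allowed for a protocol can be below its configured maximum. PPP control, flagged to skip the priority limiter, is bounded only by its own protocol limiter.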
Attaching Groups
By default, each interface belongs to the default
DoS protection group. The name is the only non-configurable aspect
of the default DoS protection group.
The DoS protection group is a configurable parameter
for all Layer 2 and IP interfaces. Similar to other configurable interface
parameters, the DoS protection group can be set using profiles.
Because all newly created interfaces default to
using the default DoS protection group, they do not inherit any DoS
protection group association from a higher or lower interface binding.
The DoS group applies to all types of control flows
for the specific interface. For example, an IP interface supports
a variety of control protocols, each of which can be separately mapped
to a priority and drop probability, but to a single DoS protection
group.
Protocol Mapping
Table 55 and Table 56 list the protocols mapped within DoS protection
groups.
PPP echo request packets generating an FC-based reply
pppControl—other PPP control packets
pppoeControl—PPPoE PADx packets
pppoePppConfig—PPPoE handling of PPP LCP packets for dynamic interface creation
slepSlarp—Serial Line Interface SLARP packets
Table 56: IP-Related Protocols
CLI Name—Description of Flow
ipAppClassifierHttpRedirect—IP Application Classifier (HTTP redirect) packets
ipIke—IP IKE packet
ipLocalBfd—IP BFD packets
ipLocalBgp—IP BGP packets
ipLocalCops—IP COPS packets
ipLocalDemuxMiss—IP Subscriber Interface Miss packets
ipLocalDhcpIc—IP DHCP packets destined for the IC (not broadcast)
ipLocalDhcpSc—IP DHCP packets destined for the SC (broadcast and IC not enabled)
ipLocalFrag—IP fragments not classifiable
ipLocalIcmpEcho—IP ICMP echo request and reply
ipLocalIcmpFrag—IP ICMP packets that are not further classifiable (most likely large ping packets)
ipLocalIcmpOther—IP ICMP except echo request and reply
ipLocalL2tpControlIC—IP L2TP control packets for IC
ipLocalL2tpControlSC—IP L2TP control packets for SC
ipLocalLDP—IP LDP packets
ipLocalOspf—IP OSPF packets
ipLocalOther—IP Local packets not otherwise classified
ipLocalPim—IP PIM packets (except typeAssert)
ipLocalPimAssert—IP PIM assert type packets
ipLocalRsvp—IP RSVP packets
ipMld—IP Multicast listener packet
ipMulticastBroadcastOther—IP Multicast/Broadcast not otherwise classified
ipMulticastCacheMiss—IP Multicast route table misses
ipMulticastCacheMissAutoRp—IP Multicast route table Auto-RP misses
ipMulticastControlIc—IP IGMP packets for the IC
ipMulticastControlSc—IP Multicast control packet not otherwise classified
ipMulticastDhcpSc—IP Multicast DHCP destined for SC
ipMulticastVrrp—IP VRRP packets
ipMulticastWrongIf—IP Multicast on wrong interface
ipNeighborDiscovery—IPv6 Neighbor Discovery
ipNeighborDiscoveryMiss—IPv6 Neighbor Discovery miss
ipNormalPathMtu—IP Path MTU request
ipOptionsOther—IP options not otherwise classified
ipOptionsRouterAlert—IP Router Alert
ipOsi—OSI packets
ipReassembly—IP packets that have been reassembled on a server card
ipRouteNoRoute—IP packets with no route indication
ipRouteToSrpEthernet—Packets routed to the SRP Ethernet
ipTtlExpired—IP TTL expired
DoS Protection Group Configuration Example
Note:
To configure a DoS protection group for an interface, you must
configure the settings under the default group, which is the only
group that is currently supported.
To configure a DoS protection group for an interface:
default (canned-group: defaultCanned) *modified -- no references
Protocol Dest Mod Rate Burst Weight DropProb Priority Skip
-------------------- ---- --- ----- ----- ------ -------- --------- ----
Ppp Echo Request IC - 2048 1024 100 100 HI green Y
Ppp Echo Reply IC - 2048 1024 100 100 HI green Y
Ppp Echo Reply Fastpath FC - 0 0 100 100 Data path Y
Ppp Control IC - 2048 1024 100 100 HI green N
Atm Control (ILMI) IC - 2048 1024 100 100 HI green Y
Atm OAM IC * 512 512 100 100 LO green N
Atm Dynamic Interface Column Creation IC - 1024 512 100 100 HI yellow N
Atm Inverse ARP IC - 256 128 100 100 LO yellow N
Frame Relay Control (LMI) IC - 2048 1024 100 100 HI green Y
Frame Relay Inverse Arp IC - 256 128 100 100 LO yellow N
Pppoe Control IC * 512 512 100 100 HI yellow N
Pppoe Ppp Config Dynamic Interface Column Creation IC - 1024 512 100 100 HI yellow N
Ethernet ARP Miss IC - 256 128 100 100 LO yellow N
Ethernet ARP IC - 256 128 100 100 LO yellow N
DoS Protection Group Commands
Use the commands described in this section to create
DoS protection groups and attach them to different types of interfaces
with the atm dos-protection-group command.
atm dos-protection-group
Use to attach an ATM DoS protection group to an interface.
Example
host1(config-if)#atm dos-protection-group group1
Use the no version to remove
the attachment of the DoS protection group from the interface.
bridge1483 dos-protection-group
Use to attach a bridge 1483 DoS protection group to an
interface.
The rate limit applies to all packets of the protocol
for interfaces belonging to the DoS protection group.
The total rate for a particular protocol can be up to the sum of
the four configured rates, depending on the DoS group attached to an interface.
Use a maximum rate of 0 for protocols that are not used.
The actual rate never exceeds the maximum rate, but can
be less than the configured maximum rate due to the weighting of the
protocols within a DoS protection group and the use of multiple DoS
protection groups.
Use the commands described in this section to monitor
DoS protection groups.
show dos-protection-group
Use to display DoS protection groups.
If you do not specify a group, displays the names of the
currently configured DoS protection groups.
If you specify a group, displays information about the
specified group.
If you do not specify the brief keyword, displays a list of references (interfaces and templates)
to the DoS protection group.
When *modified* appears next to the name of the DoS protection
group, the group or a protocol within the group has changed from the
preprogrammed value of the associated group.