
    IDP Application-Level DDoS Attack Overview

    The intent of an application-level DDoS attack is to overwhelm the targeted server, such as a DNS or HTTP server, so it cannot perform its intended services. This is done by making a tremendous number of application requests from malicious bot clients that often use spoofed IP addresses.

    Application-level DDoS attacks differ from traditional Layer 3 and Layer 4 DDoS attacks such as a SYN flood. Viewed at Layer 3 and Layer 4, the attack traffic can look like legitimate transactions. Traditional Layer 3 and Layer 4 DDoS defenses can therefore only rate-limit this traffic, and the application transactions still begin, rather than the attack being denied.

    Application-level distributed denial-of-service (application-level DDoS) detection does not work if two rules that reference different application-ddos objects process traffic going to a single destination application server. When you set up application-level DDoS rules, do not configure two rulebase-ddos rules with different application-ddos objects when traffic destined for one application server could match both of them. In short, for each protected application server, configure the application-level DDoS rules so that traffic destined for that server matches only one application-level DDoS rule.

    Note: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.

    The following configuration options can be committed, but they will not work properly (only the destination-zone column of the original table survives here; two rules both match destination zone dst-1):

    destination-zone
    ----------------
    dst-1
    dst-1

    Application-level DDoS rule base (rulebase-ddos) does not support port mapping. If you configure an application other than default, and if the application is from either predefined Junos OS applications or a custom application that maps an application service to a nonstandard port, application-level DDoS detection does not work.

    When you configure the application setting as default, IDP uses application identification to detect applications running on both standard and nonstandard ports, so application-level DDoS detection works properly.
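    As an added illustration of the two constraints above (one application-level DDoS rule per protected server, and application set to default), the following lint checks a rule set for both problems. This is example code, not part of Junos or this document; the dict-based rule model, the rule and object names, and the server addresses are constructed for the example and are not Junos configuration syntax.

```python
# Added example: lint IDP rulebase-ddos rules against the two constraints
# described on this page. The rule representation below is a constructed,
# simplified model (assumed), not Junos's own configuration format.
from itertools import combinations

# Constructed sample rule set:
#  - rule1 and rule2 both cover server dst-ip1 in zone dst-1 but reference
#    different application-ddos objects; rules are terminal, so only the
#    first match would ever run and detection for the other breaks.
#  - rule3 uses a specific application instead of 'default', so IDP would
#    not map the service to a nonstandard port.
RULES = [
    {"name": "rule1", "destination-zone": "dst-1", "destination-address": "dst-ip1",
     "application": "default", "application-ddos": "http-ddos"},
    {"name": "rule2", "destination-zone": "dst-1", "destination-address": "dst-ip1",
     "application": "default", "application-ddos": "dns-ddos"},
    {"name": "rule3", "destination-zone": "dst-2", "destination-address": "dst-ip2",
     "application": "junos-http", "application-ddos": "http-ddos"},
]

def same_server(a, b):
    """True when both rules can process traffic to the same destination server:
    zones match (or either is 'any') and addresses match (or either is 'any')."""
    zones = (a["destination-zone"], b["destination-zone"])
    addrs = (a["destination-address"], b["destination-address"])
    zone_ok = "any" in zones or zones[0] == zones[1]
    addr_ok = "any" in addrs or addrs[0] == addrs[1]
    return zone_ok and addr_ok

def lint_ddos_rules(rules):
    """Return a list of (rule-name tuple, reason) findings."""
    findings = []
    # Constraint 1: one destination server must not match rules that point
    # at different application-ddos objects.
    for a, b in combinations(rules, 2):
        if same_server(a, b) and a["application-ddos"] != b["application-ddos"]:
            findings.append(((a["name"], b["name"]),
                             "two application-ddos objects for one destination server"))
    # Constraint 2: rulebase-ddos does not support port mapping, so the
    # application must be 'default' for detection to work.
    for r in rules:
        if r["application"] != "default":
            findings.append(((r["name"],),
                             "application is not 'default'; port mapping unsupported"))
    return findings

if __name__ == "__main__":
    for names, reason in lint_ddos_rules(RULES):
        print(", ".join(names), "->", reason)
```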

    Modified: 2018-01-28