Configuring DDoS Protection

 

DDoS protection is enabled by default for all supported protocol groups and packet types. Default values are present for bandwidth, bandwidth scale, burst, burst scale, priority, and recover time. You can change the DDoS configuration for individual packet types supported within a protocol group or for the aggregate policer for the protocol group.

DDoS logging is enabled by default, but you can disable it globally for all DDoS events or for individual packet types within a protocol group. You can also fine-tune monitoring of DDoS events by configuring tracing operations.

On routing devices, you can disable DDoS protection at the Routing Engine and for all line cards either globally or for individual packet types within a protocol group. On PTX Series routers and QFX Series switches, policers are supported only at the line cards; you can disable DDoS protection for all line cards globally or for individual packet types.

Note

MX Series routers with MPCs and T4000 routers with FPC5s support DDoS protection. The CLI accepts the configuration if other line cards are also installed on either of these types of routers, but the other line cards are not protected so the router is essentially not protected.

To configure DDoS protection:

  1. (Optional) Configure global DDoS protection settings or disable DDoS protection.
  2. (Optional) Configure DDoS protection settings for the aggregate policer or individual packet types for the desired protocol groups.
  3. (Optional) Configure tracing for DDoS protection operations.

Disabling DDoS Protection Policers and Logging Globally

DDoS policers are enabled by default for all supported protocol groups and packet types.

On MX Series routers, T4000 routers, and EX9200 switches, policers are established at the level of the individual line card and the Routing Engine. You can disable the line card policers globally for all MPCs or FPC5s. You can also disable the Routing Engine policer. When you disable either of these policers, the policers at that level for all protocol groups and packet types are disabled.

On PTX Series routers and QFX Series switches, policers are established at the level of individual line cards only. If you disable line-card policers globally, DDoS protection is disabled on the switch.

DDoS logging is also enabled by default. You can disable all DDoS event logging (including flow detection event logging) for all protocol groups and packet types across the router or switch.

Note

The global configuration for disabling policers and logging overrides any local configuration for packet types.

To configure global DDoS settings:

  1. (Optional) To disable line card policers:
  2. (Optional) (Not available on PTX Series Routers or QFX Series switches) To disable Routing Engine policers:
  3. (Optional) To disable event logging:

Configuring DDoS Protection Aggregate or Individual Packet Type Policers

DDoS policers are applied to control packet traffic. You can configure the maximum allowed traffic rate, maximum burst size, traffic priority, and how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack. You can also scale the bandwidth and burst values for individual line cards so that the policers at this level trigger at lower thresholds than the overall protocol or packet thresholds.

Protocol group and packet type support varies across platforms and Junos OS releases, as follows:

You can configure an aggregate policer for any protocol group. The aggregate policer applies to the combination of all types of control packet traffic for that group. For some protocol groups, you can also configure policers for individual packet types. When you configure an aggregate policer for certain protocol groups, you can optionally bypass that policer for one or more particular packet types in that group.

DDoS protection is enabled by default. Although all policers have default parameter values, these values might not accurately reflect the control traffic pattern of your network.

Best Practice

We recommend that you model your network to determine the best values for your situation. Before you configure policers for your network, you can quickly view the default values for all packet types from operational mode using the show ddos-protection protocols parameters brief command. You can also use the command to specify a single protocol group of interest. For example, to see default values for the dhcpv4 protocol group, use the show ddos-protection protocols dhcpv4 parameters brief command.

You can disable a packet type policer at either the Routing Engine (if supported), at a specified line card, or for all line cards. You can also disable logging of all DDoS events for individual packet types within a protocol group.

To configure the desired aggregate or packet-type DDoS protection policer settings:

  1. Specify the protocol group.

    For example, to specify the DHCPv4 protocol group:

    or, on PTX Series or QFX Series devices, DDoS protection support has a combined DHCPv4 and DHCPv6 option that allows only aggregate policer configuration:

  2. Specify an individual packet type or the aggregate option to encompass all packet types in the protocol group.

    or

    For example, to specify the DHCPv4 release packets on devices that support individual DHCPv4 packet types:

  3. (Optional) Configure the maximum traffic rate the policer allows for the packet type (or aggregate).

    For example, to set a bandwidth of 600 packets per second for DHCPv4 release packets:

  4. (Optional) Configure the maximum number of packets of this packet type (or aggregate) that the policer allows in a burst of traffic.

    For example, to set a maximum of 5000 DHCPv4 release packets:

  5. (Optional) Set the traffic priority.

    For example, to specify a medium priority for DHCPv4 release packets:

  6. (Optional) Configure how much time must pass since the last violation before the traffic flow is considered to have recovered from the attack.

    For example, to specify that 600 seconds must have passed since the last violation of the DHCPv4 release packet policer:

  7. (Optional, supported on some devices) Bypass the aggregate policer configuration. This is applicable only when an aggregate policer and an individual policer is configured for the protocol group.

    For example, to bypass the aggregate policer for DHCPv4 renew packets:

  8. (Optional) Disable line card policers for the packet type (or aggregate) on all line cards.
    Note

    When you disable line card policers globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable the line card policer for DHCPv4 bootp packets:

  9. (Optional) Disable DDoS event logging for only one packet type (or aggregate).
    Note

    Events disabled for the packet are associated with policer violations; logging of flow detection culprit flow events is not affected by this statement.

    Note

    When you disable DDoS event logging globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable DDoS event logging on the line card policer for DHCPv4 discover packets:

  10. (Optional, if Routing Engine policers are supported) Disable the Routing Engine policer for only this packet type.
    Note

    When you disable the Routing Engine policer globally at the [edit system ddos-protection global] hierarchy level, the global setting overrides the per-packet type setting shown in this step. If you subsequently remove the global configuration, then the per-packet type configuration takes effect.

    For example, to disable the Routing Engine policer for DHCPv4 discover packets:

  11. (Optional) Configure packet-level settings for the packet type (or aggregate) on a single line card. On switches with a single, fixed line card (a single FPC considered to be in slot 0 and labeled fpc0), scaling the policer values affects the entire switch.

    For example, to access DHCPv4 discover packet settings on the line card in slot 3:

  12. (Optional) Scale the policer bandwidth for the packet type (or aggregate) on the line card.

    For example, to scale the bandwidth to 80 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:

  13. (Optional) Scale the policer burst size for the packet type (or aggregate) on the line card.

    For example, to scale the maximum bandwidth to 75 percent of the all-line-card setting configured for DHCPv4 discover packets on the line card in slot 3:

  14. (Optional) Disable the line card policer for the packet type (or aggregate) on a particular line card.

    For example, to disable the line card policer for DHCPv4 discover packets on the line card in slot 3:

Verifying and Managing DDoS Protection

Purpose

View or clear information about DDoS configurations, states, and statistics.

Action

  • To display the DDoS policer configuration, violation state, and statistics for all packet types in all protocol groups:

    If you issue the command before you make any configuration changes, the default policer values are displayed.

  • To display the DDoS policer configuration, violation state, and statistics for a particular packet type in a particular protocol group:

  • To display only the number of DDoS policer violations for all protocol groups:

  • To display a table of the DDoS configuration for all packet types in all protocol groups:

  • To display a complete list of packet statistics and DDoS violation statistics for all packet types in all protocol groups:

  • To display global DDoS violation statistics:

  • To display the DDoS version number:

  • To clear DDoS statistics for all packet types in all protocol groups:

  • To clear DDoS statistics for all packet types in a particular protocol group:

  • To clear DDoS statistics for a particular packet type in a particular protocol group:

  • To clear DDoS violation states for all packet types in all protocol groups:

  • To clear DDoS violation states for all packet types in a particular protocol group:

  • To clear DDoS violation states for a particular packet type in a particular protocol group: