Related Documentation
- J Series
- Understanding IDP Application-Level DDoS Rulebases
- SRX Series
- Understanding IDP Application-Level DDoS Rulebases
- IDP Application-Level DDoS Attack Overview
- IDP Application-Level DDoS Protection Overview
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Enabling IDP Protection Against Application-Level DDoS Attacks
This example shows how to use the application-level DDoS module to protect a DNS server from an application-level DDoS attack.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
Before configuring application-level DDoS protection for a DNS server, observe the average load of DNS requests on the server you want to protect so you can decide which application thresholds to configure. Next, define the application thresholds; when a client's transactions exceed those thresholds, session and IP actions are applied to traffic from the offending client address.
For example, if the DNS server is expected to handle a normal load of 1000 requests per second, choose 20 percent in excess of the normal load (1200 requests per second) as the connection-rate-threshold value. The normal load of 1000 requests per second is 60,000 transactions in 60 seconds, so choose 20 percent in excess of this load (72,000) as the context hit-rate-threshold value. You can choose a context value-hit-rate-threshold based on the maximum load of requests for the same domain name being queried. For example, if it is impractical for DNS to receive queries for domain xyz.com in excess of 2000 times in 60 seconds, set the context value-hit-rate-threshold to 20 percent more than that value, which would be 2400 times in 60 seconds.
For monitoring and reporting, you can optionally set max-context-values to 100, so that at most the 100 most active DNS query values are monitored and reported. A client driving a value in this range is most likely a malicious bot client. Once bot clients are identified, you can configure ip-action as ip-block with a timeout of 600 seconds (the bot client is denied access for 10 minutes) and set the session action to drop-packet.
In this example, IDP starts deep protocol analysis when the number of connections per second exceeds 1200. IDP also starts bot client classification if either the total number of queries for context dns-type-name exceeds 72,000 or requests for the same query value exceed 2400.
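The following Python model, added here as an illustration and not part of the Junos documentation or the IDP implementation, derives the thresholds from the observed load using the 20 percent rule above and applies the two detection stages (connection rate, then context hit rate and value hit rate with exclude-context-values honored) to a constructed window of DNS queries. The client IPs, names and counts are constructed; the classification logic is a simplification and does not model time-binding-count or time-binding-period.

```python
import re
from collections import Counter

NORMAL_QPS = 1000          # observed normal DNS load, as in the example
WINDOW_SECONDS = 60
EXCLUDE_CONTEXT_VALUES = [r".*google.com", r".*yahoo.com"]   # from the example config

def derive_thresholds(normal_qps, max_same_name_per_window, window=WINDOW_SECONDS, margin=0.2):
    """Apply the rule of thumb above: each threshold is 20 percent above the
    expected load. Returns (connection-rate, hit-rate, value-hit-rate)."""
    return (round(normal_qps * (1 + margin)),
            round(normal_qps * window * (1 + margin)),
            round(max_same_name_per_window * (1 + margin)))

def classify_window(queries, thresholds, excludes=EXCLUDE_CONTEXT_VALUES, max_values=100):
    """Simplified model of the two stages (assumption, not Junos code):
    stage 1 compares per-second connections against connection-rate-threshold;
    stage 2 counts dns-type-name hits over the window, ignoring excluded values,
    and flags clients that pushed a value past value-hit-rate-threshold.
    queries: list of (second, client_ip, qname) tuples covering one window."""
    conn_t, hit_t, value_t = thresholds
    exclude_re = [re.compile(p) for p in excludes]
    per_second = Counter(sec for sec, _, _ in queries)
    result = {"deep_analysis": False, "classification": False, "hot_values": [], "suspects": []}
    if max(per_second.values(), default=0) <= conn_t:
        return result                      # never above 1200 conn/s: no deep protocol analysis
    result["deep_analysis"] = True
    monitored = [(ip, q) for _, ip, q in queries if not any(r.fullmatch(q) for r in exclude_re)]
    by_value = Counter(q for _, q in monitored)
    # Only the max-context-values most active values are tracked and reported.
    hot = [q for q, n in by_value.most_common(max_values) if n > value_t]
    if len(monitored) > hit_t or hot:
        result["classification"] = True
        result["hot_values"] = hot
        result["suspects"] = sorted({ip for ip, q in monitored if q in hot})
    return result

def constructed_window(flood=True, bot_ip="203.0.113.7"):
    """Constructed sample traffic (not captured data): 1000 benign queries per
    second, some excluded google.com lookups, and optionally one flooding client."""
    queries = [(sec, f"198.51.100.{i % 200}", f"host{i % 500}.example.net")
               for sec in range(WINDOW_SECONDS) for i in range(NORMAL_QPS)]
    queries += [(i % WINDOW_SECONDS, "198.51.100.9", "mail.google.com") for i in range(5000)]
    if flood:   # 3000 hits on one name, 300 of them packed into second 10
        queries += [(10 if i < 300 else i % WINDOW_SECONDS, bot_ip, "target.example.org")
                    for i in range(3000)]
    return queries

if __name__ == "__main__":
    print(classify_window(constructed_window(), derive_thresholds(NORMAL_QPS, 2000)))
```

With the flood present, second 10 carries more than 1200 connections, so deep analysis starts; the 3000 hits on one name exceed 2400 even though the 63,000 monitored hits stay under 72,000, so only the flooding client is classified.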
Note: When an application-level DDoS attack occurs on the application server, it will have much higher transaction rates than it does under normal or even peak load. Therefore, best practice is to set higher thresholds than the normal peak of the application server so it does not trigger unnecessary client classification processing. This setting improves the overall performance of the Juniper Networks device because the application-level DDoS module will not start client classification until the server has actually reached abnormal transaction rates.
Note: You can only define one DDoS application per application-level DDoS rule. Create additional rules to monitor multiple DDoS applications. Each application-level DDoS rule is a terminal rule, meaning that only one matching rule is considered for incoming traffic matching.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure IDP protection against application-level DDoS attacks:
- Define the type of traffic, the protocol context to monitor, and thresholds to use to trigger an action.

```
[edit security idp]
user@host# set application-ddos dns-server-1
user@host# set application-ddos dns-server-1 service dns
user@host# set application-ddos dns-server-1 connection-rate-threshold 1200
user@host# set application-ddos dns-server-1 context dns-type-name hit-rate-threshold 72000
user@host# set application-ddos dns-server-1 context dns-type-name value-hit-rate-threshold 2400
user@host# set application-ddos dns-server-1 context dns-type-name max-context-values 100
user@host# set application-ddos dns-server-1 context dns-type-name time-binding-count 10
user@host# set application-ddos dns-server-1 context dns-type-name time-binding-period 30
```

- Set context values that will be exempt from monitoring.

```
[edit security idp]
user@host# set application-ddos dns-server-1 context dns-type-name exclude-context-values .*google.com
user@host# set application-ddos dns-server-1 context dns-type-name exclude-context-values .*yahoo.com
```

- Set the IDP policy rule for rulebase-ddos to define the source and destination of monitored traffic.

```
[edit security idp]
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match source-address any
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match to-zone any
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match destination-address any
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match application default
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match application-ddos dns-server-1
```

- Define the action to be taken when application-level DDoS attack traffic is detected.

```
[edit security idp]
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then action drop-packet
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then ip-action ip-block
user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then ip-action timeout 600
```
Results
From configuration mode, confirm your configuration by entering the show security idp and show security idp application-ddos dns-server-1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying IDP Protection Against Application-Level DDoS Attacks
Purpose
Verify basic statistics for the servers being protected by the IDP application-level DDoS feature.
Action
From operational mode, enter the show security idp application-ddos command.