
    Example: Configuring DDoS Protection

    This example shows how to configure DDoS protection that enables the router to quickly identify an attack and prevent a flood of malicious control packets from exhausting system resources.

    Requirements

    DDoS protection requires the following hardware and software:

    • MX Series 3D Universal Edge Routers that have only MPCs installed or T4000 Core Routers that have only FPC5s installed.

      Note: If the router has other cards in addition to MPCs or FPC5s, the CLI accepts the configuration but the other cards are not protected and therefore the router is not protected.

    • Junos OS Release 11.2 or later

    No special configuration beyond device initialization is required before you can configure this feature.

    Overview

    Distributed denial-of-service attacks use multiple sources to flood a network or router with protocol control packets. This malicious traffic triggers a large number of exceptions in the network and attempts to exhaust the system resources to deny valid users access to the network or server.

    This example describes how to configure rate-limiting policers that identify excess control traffic and drop the packets before the router is adversely affected. Sample tasks include configuring policers for particular control packet types within a protocol group, configuring an aggregate policer for a protocol group and bypassing that policer for a particular control packet type, and specifying trace options for DDoS operations.

    This example does not show all possible configuration choices.

    Configuration

    CLI Quick Configuration

    To quickly configure DDoS protection for protocol groups and particular control packet types, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.

    [edit]
    edit system
    set ddos-protection protocols dhcpv4 aggregate bandwidth 669
    set ddos-protection protocols dhcpv4 aggregate burst 6000
    set ddos-protection protocols dhcpv4 discover bandwidth 100
    set ddos-protection protocols dhcpv4 discover recover-time 200
    set ddos-protection protocols dhcpv4 discover burst 300
    set ddos-protection protocols dhcpv4 offer priority medium
    set ddos-protection protocols dhcpv4 offer bypass-aggregate
    set ddos-protection protocols dhcpv4 offer fpc 1 bandwidth-scale 80
    set ddos-protection protocols dhcpv4 offer fpc 1 burst-scale 75
    set ddos-protection protocols pppoe aggregate bandwidth 800
    set ddos-protection traceoptions file ddos-trace size 10m
    set ddos-protection traceoptions flag all
    top

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure DDoS protection:

    1. Specify a protocol group.
      [edit system ddos-protection protocols]
      user@host# edit dhcpv4
    2. Configure the maximum traffic rate for the DHCPv4 aggregate policer; that is, for the combination of all DHCPv4 packets.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set aggregate bandwidth 669
    3. Configure the maximum burst rate for the DHCPv4 aggregate policer.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set aggregate burst 6000
    4. Configure the maximum traffic rate for the DHCPv4 policer for discover packets.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set discover bandwidth 100
    5. Decrease the recover time for violations of the DHCPv4 discover policer.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set discover recover-time 200
    6. Configure the maximum burst rate for the DHCPv4 discover policer.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set discover burst 300
    7. Increase the priority for DHCPv4 offer packets.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set offer priority medium
    8. Prevent offer packets from being included in the aggregate bandwidth; that is, offer packets do not contribute towards the combined DHCPv4 traffic used to determine whether the aggregate bandwidth is exceeded. However, the offer packets are still included in traffic rate statistics.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set offer bypass-aggregate
    9. Reduce the bandwidth and burst size allowed before a violation is declared for the DHCPv4 offer policer on the MPC or FPC5 in slot 1.
      [edit system ddos-protection protocols dhcpv4]
      user@host# set offer fpc 1 bandwidth-scale 80
      user@host# set offer fpc 1 burst-scale 75
    10. Configure the maximum traffic rate for the PPPoE aggregate policer; that is, for the combination of all PPPoE packets.
      [edit system ddos-protection protocols dhcpv4]
      user@host# up
      [edit system ddos-protection protocols]
      user@host# set pppoe aggregate bandwidth 800
    11. Configure tracing for all DDoS protocol processing events.
      [edit system ddos-protection traceoptions]
      user@host# set file ddos-trace
      user@host# set file size 10m
      user@host# set flag all

    Results

    From configuration mode, confirm your configuration by entering the show ddos-protection command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit system]
    user@host# show ddos-protection
    traceoptions {
        file ddos-trace size 10m;
        flag all;
    }
    protocols {
        pppoe {
            aggregate {
                bandwidth 800;
            }
        }
        dhcpv4 {
            aggregate {
                bandwidth 669;
                burst 6000;
            }
            discover {
                bandwidth 100;
                burst 300;
                recover-time 200;
            }
            offer {
                priority medium;
                fpc 1 {
                    bandwidth-scale 80;
                    burst-scale 75;
                }
                bypass-aggregate;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the DDoS protection configuration is working properly, perform these tasks:

    Verifying the DHCPv4 DDoS Protection Configuration and Operation

    Purpose

    Verify that the DHCPv4 aggregate and protocol policer values have changed from the default. With DHCPv4 and PPPoE traffic flowing, verify that the policers are working correctly. You can enter commands to display the individual policers you are interested in, as shown here, or you can enter the show ddos-protection protocols dhcpv4 command to display this information for all DHCPv4 packet types.

    Action

    From operational mode, enter the show ddos-protection protocols dhcpv4 aggregate command.

    user@host> show ddos-protection protocols dhcpv4 aggregate
    Protocol Group: DHCPv4
    
      Packet type: aggregate (aggregate for all DHCPv4 traffic)
        Aggregate policer configuration:
          Bandwidth:        669 pps
          Burst:            6000 packets
          Priority:         medium
          Recover time:     300 seconds
          Enabled:          Yes
        System-wide information:
          Aggregate bandwidth is no longer being violated
            No. of FPCs currently receiving excess traffic: 0
            No. of FPCs that have received excess traffic:  1
            Violation first detected at: 2011-03-10 06:27:47 PST
            Violation last seen at:      2011-03-10 06:28:57 PST
            Duration of violation: 00:01:10 Number of violations: 1
          Received:  71064               Arrival rate:     0 pps
          Dropped:   23115               Max arrival rate: 1000 pps
        Routing Engine information:
          Bandwidth: 669 pps, Burst: 6000 packets, enabled
          Aggregate policer is never violated
          Received:  36130               Arrival rate:     0 pps
          Dropped:   0                   Max arrival rate: 671 pps
            Dropped by aggregate policer: 0
        FPC slot 1 information:
          Bandwidth: 100% (669 pps), Burst: 100% (5000 packets), enabled
          Aggregate policer is no longer being violated
            Violation first detected at: 2011-03-10 06:27:48 PST
            Violation last seen at:      2011-03-10 06:28:58 PST
            Duration of violation: 00:01:10 Number of violations: 1
          Received:  71064               Arrival rate:     0 pps
          Dropped:   34934               Max arrival rate: 1000 pps
            Dropped by individual policers: 11819
            Dropped by aggregate policer: 23115
    

    From operational mode, enter the show ddos-protection protocols dhcpv4 discover command.

    user@host> show ddos-protection protocols dhcpv4 discover
    Protocol Group: DHCPv4
    
      Packet type: discover (DHCPv4 DHCPDISCOVER)
        Individual policer configuration:
          Bandwidth:        100 pps
          Burst:            300 packets
          Priority:         low
          Recover time:     200 seconds
          Enabled:          Yes
          Bypass aggregate: No
        System-wide information:
          Bandwidth is no longer being violated
            No. of FPCs currently receiving excess traffic: 0
            No. of FPCs that have received excess traffic:  1
            Violation first detected at: 2011-03-10 06:28:34 PST
            Violation last seen at:      2011-03-10 06:28:55 PST
            Duration of violation: 00:00:21 Number of violations: 1
          Received:  47949               Arrival rate:     0 pps
          Dropped:   11819               Max arrival rate: 671 pps
        Routing Engine information:
          Bandwidth: 100 pps, Burst: 300 packets, enabled
          Policer is never violated
          Received:  36130               Arrival rate:     0 pps
          Dropped:   0                   Max arrival rate: 0 pps
            Dropped by aggregate policer: 0
        FPC slot 1 information:
          Bandwidth: 100% (100 pps), Burst: 100% (300 packets), enabled
          Policer is no longer being violated
            Violation first detected at: 2011-03-10 06:28:35 PST
            Violation last seen at:      2011-03-10 06:28:55 PST
            Duration of violation: 00:00:20 Number of violations: 1
          Received:  47949               Arrival rate:     0 pps
          Dropped:   11819               Max arrival rate: 671 pps
            Dropped by this policer: 11819
            Dropped by aggregate policer: 0
    

    From operational mode, enter the show ddos-protection protocols dhcpv4 offer command.

    user@host> show ddos-protection protocols dhcpv4 offer
    Protocol Group: DHCPv4
    
      Packet type: offer (DHCPv4 DHCPOFFER)
        Individual policer configuration:
          Bandwidth:        1000 pps
          Burst:            1000 packets
          Priority:         medium
          Recover time:     300 seconds
          Enabled:          Yes
          Bypass aggregate: Yes
        System-wide information:
          Bandwidth is never violated
          Received:  0                   Arrival rate:     0 pps
          Dropped:   0                   Max arrival rate: 0 pps
        Routing Engine information:
          Policer is never violated
          Received:  0                   Arrival rate:     0 pps
          Dropped:   0                   Max arrival rate: 0 pps
            Dropped by aggregate policer: 0
        FPC slot 1 information:
          Bandwidth: 80% (800 pps), Burst: 75% (750 packets), enabled
          Policer is never violated
          Received:  0                   Arrival rate:     0 pps
          Dropped:   0                   Max arrival rate: 0 pps
            Dropped by aggregate policer: 0
    

    Meaning

    The output of these commands lists the policer configuration and traffic statistics for the DHCPv4 aggregate, discover, and offer policers respectively.

    The Aggregate policer configuration section in the first output example and Individual policer configuration sections in the second and third output examples list the configured values for bandwidth, burst, priority, recover time, and bypass-aggregate.

    The System-wide information section shows the total of all DHCPv4 traffic statistics and violations for the policer recorded across all line cards and at the Routing Engine. The Routing Engine information section shows the traffic statistics and violations for the policer recorded at the Routing Engine. The FPC slot 1 information section shows the traffic statistics and violations for the policer recorded only at the line card in slot 1.

    The output for the aggregate policer in this example shows the following information:

    • The System-wide information section shows that 71,064 DHCPv4 packets of all types were received across all line cards and the Routing Engine. The section shows a single violation with a time stamp and that the aggregate policer at a line card dropped 23,115 of these packets.
    • The FPC slot 1 information section shows that this line card received all 71,064 DHCPv4 packets, but its aggregate policer experienced a violation and dropped the 23,115 packets shown in the other section. The line card individual policers dropped an additional 11,819 packets.
    • The Routing Engine information section shows that the remaining 36,130 packets all reached the Routing Engine and that its aggregate policer dropped no additional packets.

      The difference between the number of DHCPv4 packets received and dropped at the line card [71,064 - (23,115 + 11,819)] matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 1 received any DHCPv4 packets.

    The output for the DHCPv4 discover packet policer in this example shows the following information:

    • The System-wide information section shows that 47,949 DHCPv4 discover packets were received across all line cards and the Routing Engine. The section shows a single violation with a time stamp and that the aggregate policer at a line card dropped 11,819 of these packets.
    • The FPC slot 1 information section shows that this line card received all 47,949 DHCPv4 discover packets, but its individual policer experienced a violation and dropped the 11,819 packets shown in the other section.
    • The Routing Engine information section shows that only 36,130 DHCPv4 discover packets reached the Routing Engine and that it dropped no additional packets.

      The difference between the number of DHCPv4 discover packets received and dropped at the line card (47,949 - 11,819) matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 1 received any DHCPv4 discover packets.

    The output for the DHCPv4 offer packet policer in this example shows the following information:

    • This individual policer has never been violated at any location.
    • No DHCPv4 offer packets have been received at any location.

    Verifying the PPPoE DDoS Configuration

    Purpose

    Verify that the PPPoE policer values have changed from the default.

    Action

    From operational mode, enter the show ddos-protection protocols pppoe parameters brief command.

    user@host> show ddos-protection protocols pppoe parameters brief
    Number of policers modified: 1
    Protocol    Packet      Bandwidth Burst  Priority Recover   Policer Bypass FPC
    group       type        (pps)     (pkts)          time(sec) enabled aggr.  mod
    pppoe       aggregate   800*      2000   medium   300       yes     --     no
    pppoe       padi        500       500    low      300       yes     no     no
    pppoe       pado        0         0      low      300       yes     no     no
    pppoe       padr        500       500    medium   300       yes     no     no
    pppoe       pads        0         0      low      300       yes     no     no
    pppoe       padt        1000      1000   high     300       yes     no     no
    pppoe       padm        0         0      low      300       yes     no     no
    pppoe       padn        0         0      low      300       yes     no     no
    

    From operational mode, enter the show ddos-protection protocols pppoe padi command, and enter the command for padr as well.

    user@host> show ddos-protection protocols pppoe padi
    Protocol Group: PPPoE
    
      Packet type: padi (PPPoE PADI)
        Individual policer configuration:
          Bandwidth:        500 pps
          Burst:            500 packets
          Priority:         low
          Recover time:     300 seconds
          Enabled:          Yes
          Bypass aggregate: No
        System-wide information:
          Bandwidth for this packet type is being violated!
            Number of slots currently receiving excess traffic: 1
            Number of slots that have received excess traffic:  1
            Violation first detected at: 2011-03-09 11:26:33 PST
            Violation last seen at:      2011-03-10 12:03:44 PST
            Duration of violation: 1d 00:37 Number of violations: 1
          Received:  704832908           Arrival rate:     8000 pps
          Dropped:   660788548           Max arrival rate: 8008 pps
        Routing Engine information:
          Bandwidth: 500 pps, Burst: 500 packets, enabled
          Policer is never violated
          Received:  39950330            Arrival rate:     298 pps
          Dropped:   0                   Max arrival rate: 503 pps
            Dropped by aggregate policer: 0
        FPC slot 3 information:
          Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
          Policer is currently being violated!
            Violation first detected at: 2011-03-09 11:26:35 PST
            Violation last seen at:      2011-03-10 12:03:44 PST
            Duration of violation: 1d 00:37 Number of violations: 1
          Received:  704832908           Arrival rate:     8000 pps
          Dropped:   664882578           Max arrival rate: 8008 pps
            Dropped by this policer: 660788548
            Dropped by aggregate policer: 4094030
    
    user@host> show ddos-protection protocols pppoe padr
    Protocol Group: PPPoE
    
      Packet type: padr (PPPoE PADR)
        Individual policer configuration:
          Bandwidth:        500 pps
          Burst:            500 packets
          Priority:         medium
          Recover time:     300 seconds
          Enabled:          Yes
          Bypass aggregate: No
        System-wide information:
          Bandwidth for this packet type is being violated!
            Number of slots currently receiving excess traffic: 1
            Number of slots that have received excess traffic:  1
            Violation first detected at: 2011-03-10 06:21:17 PST
            Violation last seen at:      2011-03-10 12:04:14 PST
            Duration of violation: 05:42:57 Number of violations: 1
          Received:  494663595           Arrival rate:     24038 pps
          Dropped:   484375900           Max arrival rate: 24062 pps
        Routing Engine information:
          Bandwidth: 500 pps, Burst: 500 packets, enabled
          Policer is never violated
          Received:  10287695            Arrival rate:     500 pps
          Dropped:   0                   Max arrival rate: 502 pps
            Dropped by aggregate policer: 0
        FPC slot 1 information:
          Bandwidth: 100% (500 pps), Burst: 100% (500 packets), enabled
          Policer is currently being violated!
            Violation first detected at: 2011-03-10 06:21:18 PST
            Violation last seen at:      2011-03-10 12:04:14 PST
            Duration of violation: 05:42:56 Number of violations: 1
          Received:  494663595           Arrival rate:     24038 pps
          Dropped:   484375900           Max arrival rate: 24062 pps
            Dropped by this policer: 484375900
            Dropped by aggregate policer: 0
    

    Meaning

    The output from the show ddos-protection protocols pppoe parameters brief command lists the current configuration for each of the individual PPPoE packet policers and the PPPoE aggregate policer. A change from a default value is indicated by an asterisk next to the modified value. The only change made to PPPoE policers in the configuration steps was to the aggregate policer bandwidth; this change is confirmed in the output. Besides the configuration values, the command output also reports whether a policer has been disabled, whether it bypasses the aggregate policer (meaning that the traffic for that packet type is not included for evaluation by the aggregate policer), and whether the policer has been modified for one or more line cards.

    The output of the show ddos-protection protocols pppoe padi command in this example shows the following information:

    • The System-wide information section shows that 704,832,908 PPPoE PADI packets were received across all line cards and the Routing Engine. The section shows a single violation on a line card that is still in progress, and that the aggregate policer at the line card dropped 660,788,548 of the PADI packets.
    • The FPC slot 3 information section shows that this line card received all 704,832,908 PADI packets. Its individual policer dropped 660,788,548 of those packets and its aggregate policer dropped the other 4,094,030 packets. The violation is ongoing and has lasted more than a day.
    • The Routing Engine information section shows that only 39,950,330 PADI packets reached the Routing Engine and that it dropped no additional packets.

      The difference between the number of PADI packets received and dropped at the line card [704,832,908 - (660,788,548 + 4,094,030)] matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 3 received any PADI packets.

    The output of the show ddos-protection protocols pppoe padr command in this example shows the following information:

    • The System-wide information section shows that 494,663,595 PPPoE PADR packets were received across all line cards and the Routing Engine. The section shows a single violation on a line card that is still in progress, and that the policer at the line card dropped 484,375,900 of the PADR packets.
    • The FPC slot 1 information section shows that this line card received all 494,663,595 PADR packets. Its individual policer dropped 484,375,900 of those packets. The violation is ongoing and has lasted more than five hours.
    • The Routing Engine information section shows that only 10,287,695 PADR packets reached the Routing Engine and that it dropped no additional packets.

      The difference between the number of PADR packets received and dropped at the line card (494,663,595 - 484,375,900) matches the number received at the Routing Engine. That might not always be the case, because packets can be received and dropped at more than one line card. In this example, only the line card in slot 1 received any PADR packets.

    Note: This scenario is unrealistic in showing all PADI packets received on one line card and all PADR packets on a different line card. The intent of the scenario is to illustrate how policer violations are reported for individual line cards.
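    The line-card accounting walked through in the Meaning sections above (received minus individual and aggregate drops equals what the Routing Engine received, with a trailing "!" marking a violation still in progress) can be checked automatically when the show output is collected from a router. The following script is an added example, not part of this Juniper page or of Junos OS; it parses the per-section counters from the display format shown above, generalizes the subtraction to the sum over all FPC sections, and reports any active violation. The sample input is constructed from the DHCPv4 aggregate output on this page.

```python
import re

# Constructed sample: the FPC and Routing Engine statistics from the
# "show ddos-protection protocols dhcpv4 aggregate" output on this page.
SAMPLE = """\
    System-wide information:
      Aggregate bandwidth is no longer being violated
      Received:  71064               Arrival rate:     0 pps
      Dropped:   23115               Max arrival rate: 1000 pps
    Routing Engine information:
      Aggregate policer is never violated
      Received:  36130               Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 671 pps
        Dropped by aggregate policer: 0
    FPC slot 1 information:
      Aggregate policer is no longer being violated
      Received:  71064               Arrival rate:     0 pps
      Dropped:   34934               Max arrival rate: 1000 pps
        Dropped by individual policers: 11819
        Dropped by aggregate policer: 23115
"""

SECTION_RE = re.compile(r"(System-wide|Routing Engine|FPC slot \d+) information:$")
COUNTER_RES = {
    "received": re.compile(r"Received:\s+(\d+)"),
    "dropped": re.compile(r"Dropped:\s+(\d+)"),
    "by_individual": re.compile(r"Dropped by (?:individual policers|this policer):\s+(\d+)"),
    "by_aggregate": re.compile(r"Dropped by aggregate policer:\s+(\d+)"),
}


def parse_sections(text):
    # Map each "... information:" section to its packet counters plus a
    # "violating" flag; sections are keyed by their name ("FPC slot 1", ...).
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group(1)
            sections[current] = dict.fromkeys(COUNTER_RES, 0)
            sections[current]["violating"] = False
        elif current is not None:
            for key, rx in COUNTER_RES.items():
                m = rx.match(line)
                if m:
                    sections[current][key] = int(m.group(1))
            # Junos marks a violation still in progress with a trailing "!"
            if line.endswith("being violated!"):
                sections[current]["violating"] = True
    return sections


def check_line_card_accounting(sections):
    # Per-policer drops must sum to each line card's Dropped counter, and packets
    # forwarded by all line cards must equal what the Routing Engine received.
    findings, forwarded = [], 0
    for name, sec in sections.items():
        if not name.startswith("FPC slot"):
            continue
        if sec["by_individual"] + sec["by_aggregate"] != sec["dropped"]:
            findings.append(f"{name}: per-policer drops do not sum to Dropped")
        if sec["violating"]:
            findings.append(f"{name}: policer violation still in progress")
        forwarded += sec["received"] - sec["dropped"]
    if forwarded != sections["Routing Engine"]["received"]:
        findings.append(f"forwarded {forwarded} != RE received "
                        f"{sections['Routing Engine']['received']}")
    return findings
```

    An empty findings list means the counters are consistent and no policer is currently in violation; the check assumes the Routing Engine section counts everything the line cards forwarded, which the page's single-card examples show but multi-card outputs may not.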

    Published: 2012-12-11