Understanding DoS Protection
A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. Denial of service protection provides reactive prevention from attack and determines whether the source of traffic is valid or invalid. DoS protection includes diagnostic tools and configuration options. DoS protection groups provide a simple policy that can be applied to interfaces, which can specify a set of parameters to tune behavior.
Note: You can configure a maximum of three DoS protection groups on a router, excluding the default group.
Figure 26 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).
Figure 26: Typical Control Packet Processing

Suspicious Control Flow Detection
To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.
Keeping full state on each control flow can use a large number of resources. Instead, the system detects which flows have suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.
When a distributed DoS attack occurs on a line module, suspicious flow control resources can be exhausted. To provide a further countermeasure, you can enable the group feature, where flows are grouped together and treated as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.
Suspicious Control Flow Monitoring
Each protocol has a per-protocol rate limit. The rate limiter is used to limit the rate of packets that proceed to the control processor for the specific protocol. Per-protocol rate limiting is also used to begin the process by which flows of the specific protocol are monitored.
Each priority has a per-priority rate limit. The rate limiter limits the rate of packets that proceed to the control processor for the specific priority. It also begins the process by which flows of the specific priority are monitored.
All protocols on each line module have a rate limit. Each protocol is associated with a given priority, which is also provided with a rate limit. When a slot comes under attack, the first lines of defense are the protocol and priority rate limiters. If the line module determines that a specific protocol or priority is under attack (because the rate has been exceeded), it proceeds to monitor all flows from the problem protocol or priority. Initially, a control flow is marked as nonsuspicious.
After a control flow is placed in the suspicious flow table, the system inspects all packets that belong to the flow. The interface controller (IC) and forwarding controller (FC) monitor the table to determine whether the suspicious flow has a packet rate above the suspicious level. If the packet rate is above this level, the flow is marked as suspicious. Marking a control flow as suspicious affects only a particular protocol on a particular interface. When a flow is marked as suspicious, all packets belonging to that flow are marked as suspicious and trapped at the forwarding controller.
Suspicious control flows are continually monitored. The flow can be restored if the flow goes below the low threshold level. The flow can also be restored based on a backoff timer. The flow is removed from the suspicious flow table if the related interface is removed.
Approximately 2000 flows can be monitored as suspicious at any time for each line module. When the suspicious flow table on a particular line module reaches its maximum and the system is not set to group flows, flows that should be marked as suspicious proceed as nonsuspicious. When you return a suspicious flow to a nonsuspicious state or delete it, the flows that did not fit into the table are added to the table.
By default, the system groups flows when the suspicious flow table size is exceeded on a line module. When the flow table is full, instead of marking a specific flow in that group as suspicious and providing information on each flow on that line module, the system groups flows based on group membership and provides information on the group instead of each flow. This flow information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol; all flows in that group are considered suspicious.
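The flow life cycle described in this section (protocol rate limit exceeded, flow entered into a bounded suspicious flow table, restoration by low threshold or backoff timer, probabilistic drop, and grouping by physical port and protocol when the table is full) is modelled below as an added example. It is constructed for illustration and is not JunosE code; the class and method names, the one-second evaluation interval, and the `(port, interface, protocol, source)` flow key are assumptions.

```python
"""Constructed model of suspicious control flow detection (SCFD); not JunosE code.
Rates are packets per second, evaluated once per one-second interval."""
from dataclasses import dataclass


@dataclass
class ProtocolPolicy:
    suspicious_threshold: int      # pps above which a flow becomes suspicious; 0 disables
    low_threshold: int             # pps below which it recovers; 0 = no rate-based recovery
    backoff_seconds: int           # seconds until forced recovery; 0 = no timer recovery
    drop_probability: float = 1.0  # share of suspicious packets dropped (default: all)


class ScfdLineModule:
    def __init__(self, policies, table_size=2000, group_on_overflow=True):
        self.policies = policies            # protocol name -> ProtocolPolicy
        self.table_size = table_size        # text: roughly 2000 flows per line module
        self.group_on_overflow = group_on_overflow
        self.table = {}                     # (port, iface, proto, src) -> backoff seconds left
        self.groups = set()                 # (port, proto) groups marked suspicious

    def observe_second(self, port, iface, proto, src, pps):
        """Feed one second of a flow's packet rate; return the flow's resulting state."""
        pol, key = self.policies[proto], (port, iface, proto, src)
        if key in self.table:
            left = self.table[key]
            rate_ok = pol.low_threshold and pps < pol.low_threshold
            timed_out = pol.backoff_seconds and left <= 1
            if rate_ok or timed_out:
                del self.table[key]         # restored: rate below low threshold or timer expired
                return "nonsuspicious"
            self.table[key] = left - 1
            return "suspicious"
        if (port, proto) in self.groups:
            return "suspicious"             # whole port/protocol group already suspicious
        if pol.suspicious_threshold and pps > pol.suspicious_threshold:
            if len(self.table) < self.table_size:
                self.table[key] = pol.backoff_seconds
            elif self.group_on_overflow:
                self.groups.add((port, proto))   # table full: fall back to grouping
            else:
                return "nonsuspicious"      # overflow mode: new attacking flows go undetected
            return "suspicious"
        return "nonsuspicious"

    def drops_packet(self, proto, suspicious, roll):
        """Per-packet verdict for a flow; roll is a uniform sample in [0, 1)."""
        return bool(suspicious and roll < self.policies[proto].drop_probability)
```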
Configurable Options
You can configure the following options for suspicious flow detection:
- Global on or off. When the option is set to off, flows or packets are not marked as suspicious. The default is on.
- Actions a line module takes when the suspicious flow table on the line module overflows:
  - Overflow—Stop recognizing new suspicious flows
  - Group—Group flows into logical groupings where some individual flows are monitored as a group
- Suspicious threshold for each protocol. The threshold is the rate in packets per second at which a flow becomes suspicious. A zero setting disables suspicious flow detection for the protocol; its flows remain subject to protocol and priority rate limits, but not to suspicious flow detection.
- Low threshold for each protocol. The threshold rate determines whether an interface transitions from suspicious back to nonsuspicious. A zero setting means that the flow does not transition back to nonsuspicious based on packet rate.
- Backoff time in seconds for each protocol. After this period expires, the flow transitions to nonsuspicious regardless of the current rate. When set to zero, an interface does not return to the nonsuspicious state using a time mechanism.
You can also clear the following:
- All suspicious flows from the suspicious flow table for a specific slot.
- Suspicious flows from the suspicious flow table for the entire system.
- A single suspicious flow; returns the flow to the nonsuspicious state.
Display Options
For monitoring purposes, you can:
- Display all suspicious control flows when the system has recognized an attack.
- Display the current state and the number of transitions into suspicious state for the protocol and priority.
- Display historical counts about the number of flows made suspicious.
- View a trap or log generated when a control flow is considered suspicious.
- View a trap or log generated when a control flow is no longer suspicious.
Traps and Logs
The system generates a trap and a log message under the following conditions:
- A control flow transitions into a suspicious state; another trap and log message is generated on removal from a suspicious state.
- A protocol transitions to or from the suspicious state.
- A priority transitions to or from the suspicious state.
- The suspicious flow control system is overflowing or grouping flows on a line module.
You can control trap and log messages using CLI or SNMP commands.
DoS Protection Groups
A DoS protection group provides a simple policy that can be applied to interfaces. This policy can specify a complete set of parameters to tune the behavior of the DoS protection groups. The system uses these parameters to determine the priority and rates for various control protocols. The rate of traffic for a particular protocol is unlikely to be the same on all ports in the system. A configuration can have several types of interfaces, such as DHCP access clients, PPPoE access clients, and uplink interfaces. Each of these interfaces requires a different DoS configuration. All interfaces are associated with a default DoS protection group, which has standard system defaults. The maximum rates are per line module, and the drop probability is 100 percent (all suspicious packets are dropped).
Group Parameters
DoS protection groups support the following set of parameters:
- Protocol-to-priority mapping enables you to map a protocol to one of four priorities.
- Protocol burst enables you to configure the burst level for the protocol. The burst is configurable in packets, and defaults to a value in packets that is one half of the maximum rate.
- Protocol maximum rate limit (per line module) enables you to map a protocol to a maximum rate limit. This rate limit applies to all packets for a particular protocol for interfaces belonging to this particular DoS protection group on a line module. By having a DoS protection group on a single line module, the total maximum rate for a protocol can be up to the sum of the four rates configured, depending on the DoS group attached to an interface. You can set a maximum rate of zero for protocols that are not used. The actual rate never exceeds the maximum rate, but the actual rate allowed can be less than the configured maximum rate because of the weighting of protocols within a DoS protection group and the use of multiple DoS protection groups.
- Protocol weight with respect to other protocols in the DoS protection group enables you to balance the priority of the protocols. For each priority grouping, weight determines the effective minimum rate that each protocol receives. Within each priority, the sum of the minimum rates for all protocols using that priority is equal to or less than the priority rate times the over-subscription value. Each priority has a separate rate for each DoS protection group.
- Protocol drop probability for suspicious packets enables you to map a protocol to a specific drop probability. The drop probability is the percentage probability that a suspicious packet is dropped.
- Protocol skip priority rate limiter enables you to configure the system so that the specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected. The default is off—the protocol is subject to priority rate limiting.
- Priority rate sets the rate of the priority in packets per second for the line module. If this rate is exceeded, it triggers DoS suspicious control flow detection.
- Priority burst enables you to set the number of packets allowed to exceed the maximum rate before packets are dropped and DoS suspicious control flow detection is triggered.
- Priority oversubscription enables you to set an oversubscription factor for the priority rate limiter. Together with the priority rate, this factor determines the minimum rate limits for protocols within a priority grouping and allows the priority rate to be oversubscribed. The value is the percentage by which the priority rate limiter is allowed to be oversubscribed, in the range 100–1000.
Attaching Groups
By default, each interface belongs to the default DoS protection group. The name is the only non-configurable aspect of the default DoS protection group.
The DoS protection group is a configurable parameter for all Layer 2 and IP interfaces. Similar to other configurable interface parameters, the DoS protection group can be set using profiles.
Because all newly created interfaces default to using the default DoS protection group, they do not inherit any DoS protection group association from a higher or lower interface binding.
The DoS group applies to all types of control flows for the specific interface. For example, an IP interface supports a variety of control protocols, each of which can be separately mapped to a priority and drop probability, but to a single DoS protection group.
Protocol Mapping
Table 99 and Table 100 list the protocols mapped within DoS protection groups.
Table 99: Layer 2-Related Protocols
CLI Name | Description of Flow |
---|---|
atmControl | ATM ILMI packets |
atmOAM | ATM OAM packets |
atmDynamicIf | ATM dynamic interface column creation |
atmInverseArp | ATM inverse ARP packets |
dhcpExternal | DHCP external packets |
ethernetArpMiss | Ethernet/Bridged Ethernet request to send ARP |
ethernetArp | Ethernet/Bridged Ethernet reception of ARP packet |
ethernetLacp | Ethernet LACP packet |
ethernetDynamicIf | Ethernet/Bridged Ethernet dynamic VLAN interface creation |
flisInPayload | Firewall/NAT payload |
flisInPayloadUpdateTbl | Firewall/NAT payload and update table |
frameRelayControl | Frame Relay LMI packets |
frameRelayArp | Frame Relay inverse ARP packets |
itmL2tpControl | IPsec transport mode L2TP control packets |
mplsTtlOnRx | MPLS TTL expired on ingress |
mplsTtlOnTx | MPLS TTL expired on egress |
mplsMtu | MPLS MTU exceeded |
pppEchoRequest | PPP echo request packets destined for the IC |
pppEchoReply | PPP echo reply packets destined for the IC |
pppEchoReplyFast | PPP echo request packets generating an FC-based reply |
pppControl | Other PPP control packets |
pppoeControl | PPPoE PADx packets |
pppoePppConfig | PPPoE handling of PPP LCP packets for dynamic interface creation |
slepSlarp | Serial Line Interface SLARP packets |
Table 100: IP-Related Protocols
CLI Name | Description of Flow |
---|---|
ipAppClassifierHttpRedirect | IP Application Classifier (HTTP redirect) packets |
ipIke | IP IKE packet |
ipLocalBfd | IP BFD packets |
ipLocalBgp | IP BGP packets |
ipLocalCops | IP COPS packets |
ipLocalDemuxMiss | IP Subscriber Interface Miss packets |
ipLocalDhcpIc | IP DHCP packets destined for the IC (not broadcast) |
ipLocalDhcpSc | IP DHCP packets destined for the SC (broadcast and IC not enabled) |
ipLocalFrag | IP fragments not classifiable |
ipLocalIcmpEcho | IP ICMP echo request and reply |
ipLocalIcmpFrag | IP ICMP packets that are not further classifiable (most likely large ping packets) |
ipLocalIcmpOther | IP ICMP except echo request and reply |
ipLocalL2tpControlIC | IP L2TP control packets for IC |
ipLocalL2tpControlSC | IP L2TP control packets for SC |
ipLocalLDP | IP LDP packets |
ipLocalOspf | IP OSPF packets |
ipLocalOther | IP Local packets not otherwise classified |
ipLocalPim | IP PIM packets (except typeAssert) |
ipLocalPimAssert | IP PIM assert type packets |
ipLocalRsvp | IP RSVP packets |
ipMld | IP Multicast listener packet |
ipMulticastBroadcastOther | IP Multicast/Broadcast not otherwise classified |
ipMulticastCacheMiss | IP Multicast route table misses |
ipMulticastCacheMissAutoRp | IP Multicast route table Auto-RP misses |
ipMulticastControlIc | IP IGMP packets for the IC |
ipMulticastControlSc | IP Multicast control packet not otherwise classified |
ipMulticastDhcpSc | IP Multicast DHCP destined for SC |
ipMulticastVrrp | IP VRRP packets |
ipMulticastWrongIf | IP Multicast on wrong interface |
ipNeighborDiscovery | IPv6 Neighbor Discovery |
ipNeighborDiscoveryMiss | IPv6 Neighbor Discovery miss |
ipNormalPathMtu | IP Path MTU request |
ipOptionsOther | IP options not otherwise classified |
ipOptionsRouterAlert | IP Router Alert |
ipOsi | OSI packets |
ipReassembly | IP packets that have been reassembled on a server card |
ipRouteNoRoute | IP packets with no route indication |
ipRouteToSrpEthernet | Packets routed to the SRP Ethernet |
ipTtlExpired | IP TTL expired |
DoS Protection Group Commands
The following table lists the commands that are used to attach DoS protection groups to different types of interfaces and configure protocols: