Understanding DoS Protection

A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by consuming all the resources of the network element or server. DoS protection reacts to an attack in progress and attempts to determine whether a source of traffic is valid or invalid. DoS protection includes diagnostic tools and configuration options. DoS protection groups provide a simple policy that can be applied to interfaces and that specifies a set of parameters to tune the protection behavior.

Note: You can configure a maximum of three DoS protection groups on a router, excluding the default group.

Figure 26 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).

Figure 26: Typical Control Packet Processing


Suspicious Control Flow Detection

To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.

Keeping full state on each control flow would consume a large number of resources. Instead, the system detects which flows carry suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. A packet marked as suspicious is dropped with the configured drop probability before it is delivered to the control processor.

When a distributed DoS attack occurs on a line module, the suspicious flow control resources can be exhausted. As a further countermeasure, you can enable the group feature, which groups flows together and treats them as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.

Suspicious Control Flow Monitoring

Each protocol has a per-protocol rate limit. The rate limiter is used to limit the rate of packets that proceed to the control processor for the specific protocol. Per-protocol rate limiting is also used to begin the process by which flows of the specific protocol are monitored.

Each priority has a per-priority rate limit. The rate limiter limits the rate of packets that proceed to the control processor for the specific priority. It also begins the process by which flows of the specific priority are monitored.

All protocols on each line module have a rate limit. Each protocol is associated with a given priority, which is also provided with a rate limit. When a slot comes under attack, the first lines of defense are the protocol and priority rate limiters. If the line module determines that a specific protocol or priority is under attack (because the rate has been exceeded), it proceeds to monitor all flows from the problem protocol or priority. Initially, a control flow is marked as nonsuspicious.

After a control flow is placed in the suspicious flow table, the system inspects all packets that belong to the flow. The interface controller (IC) and forwarding controller (FC) monitor the table to determine whether the suspicious flow has a packet rate above the suspicious level. If the packet rate is above this level, the flow is marked as suspicious. Marking a control flow as suspicious affects only a particular protocol on a particular interface. When a flow is marked as suspicious, all packets belonging to that flow are marked as suspicious and trapped at the forwarding controller.

Suspicious control flows are continually monitored. The flow can be restored if the flow goes below the low threshold level. The flow can also be restored based on a backoff timer. The flow is removed from the suspicious flow table if the related interface is removed.

Approximately 2000 flows can be monitored as suspicious at any time for each line module. When the suspicious flow table on a particular line module reaches its maximum and the system is not set to group flows, flows that should be marked as suspicious proceed as nonsuspicious. When you return a suspicious flow to a nonsuspicious state or delete it, the flows that did not fit into the table are added to the table.

By default, the system groups flows when the suspicious flow table size is exceeded on a line module. When the flow table is full, instead of marking each specific flow as suspicious and reporting on every flow on that line module, the system groups flows by group membership and reports on the group rather than on each flow. This group-level information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol, and all flows in a group are considered suspicious.
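As an added illustration (not Juniper's code or the router's actual implementation), the following Python model walks through the behaviour described above: the per-protocol rate limiter starts monitoring, monitored flows above the suspicious level are marked and dropped according to the drop probability, a suspicious flow is restored by the low threshold or the backoff timer, and once the (deliberately tiny) table is full, new flows fall back to port-and-protocol groups. The thresholds, table size and traffic are constructed assumptions.

```python
from collections import defaultdict

# Constructed, simplified model of suspicious control flow detection (SCFD).
# Rates are packets per second observed in one interval; all thresholds are assumptions.
SUSPICIOUS_PPS = 100   # monitored flow above this rate is marked suspicious
LOW_PPS = 20           # suspicious flow is restored once it drops below this rate
TABLE_SIZE = 4         # a real line module holds ~2000 flows; kept small for illustration
BACKOFF_SECS = 3       # suspicious flow is also restored after this backoff timer

class Scfd:
    def __init__(self, protocol_limit_pps, drop_probability=1.0):
        self.protocol_limit = protocol_limit_pps  # per-protocol rate limiter (first line of defence)
        self.drop_probability = drop_probability  # default group drops 100 percent of suspicious packets
        self.table = {}       # flow -> {"suspicious": bool, "since": time}
        self.groups = set()   # (port, protocol) groups used when the table is full
        self.monitored = set()  # protocols whose rate limiter was exceeded

    def observe(self, now, counts):
        """counts maps a flow (port, interface, protocol, source) to its packet rate."""
        per_proto = defaultdict(int)
        for (_, _, proto, _), pps in counts.items():
            per_proto[proto] += pps
        for proto, total in per_proto.items():
            if total > self.protocol_limit:   # limiter exceeded: monitor all flows of this protocol
                self.monitored.add(proto)
        for flow, pps in counts.items():
            port, _, proto, _ = flow
            if proto not in self.monitored:
                continue
            if flow in self.table or len(self.table) < TABLE_SIZE:
                entry = self.table.setdefault(flow, {"suspicious": False, "since": now})
                if pps > SUSPICIOUS_PPS and not entry["suspicious"]:
                    entry["suspicious"], entry["since"] = True, now
                elif entry["suspicious"] and (pps < LOW_PPS or now - entry["since"] >= BACKOFF_SECS):
                    entry["suspicious"] = False   # restored by low threshold or backoff timer
            elif pps > SUSPICIOUS_PPS:
                self.groups.add((port, proto))    # table full: fall back to group membership

    def is_suspicious(self, flow):
        port, _, proto, _ = flow
        entry = self.table.get(flow)
        return (entry is not None and entry["suspicious"]) or (port, proto) in self.groups

    def forwarded_to_cp(self, flow, pps):
        """Packets per second that still reach the control processor for this flow."""
        if not self.is_suspicious(flow):
            return pps
        return int(pps * (1 - self.drop_probability))
```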

Configurable Options

You can configure the following options for suspicious flow detection:

You can also clear the following:

Display Options

For monitoring purposes, you can:

Traps and Logs

The system generates a trap and a log message under the following conditions:

You can control trap and log messages using CLI or SNMP commands.

DoS Protection Groups

A DoS protection group provides a simple policy that can be applied to interfaces. This policy can specify a complete set of parameters to tune the behavior of the DoS protection groups. The system uses these parameters to determine the priority and rates for various control protocols. The rate of traffic for a particular protocol is unlikely to be the same on all ports in the system. A configuration can have several types of interfaces, such as DHCP access clients, PPPoE access clients, and uplink interfaces. Each of these interfaces requires a different DoS configuration. All interfaces are associated with a default DoS protection group, which has standard system defaults. The maximum rates are per line module, and the drop probability is 100 percent (all suspicious packets are dropped).

Group Parameters

DoS protection groups support the following set of parameters:

Attaching Groups

By default, each interface belongs to the default DoS protection group. The name is the only non-configurable aspect of the default DoS protection group.

The DoS protection group is a configurable parameter for all Layer 2 and IP interfaces. Similar to other configurable interface parameters, the DoS protection group can be set using profiles.

Because all newly created interfaces default to using the default DoS protection group, they do not inherit any DoS protection group association from a higher or lower interface binding.

The DoS group applies to all types of control flows for the specific interface. For example, an IP interface supports a variety of control protocols, each of which can be separately mapped to a priority and drop probability, but to a single DoS protection group.

Protocol Mapping

Table 99 and Table 100 list the protocols mapped within DoS protection groups.

Table 99: Layer 2-Related Protocols (CLI Name, Description of Flow)

ATM ILMI packets
ATM OAM packets
ATM dynamic interface column creation
ATM inverse ARP packets

DHCP external packets

Ethernet/Bridged Ethernet request to send ARP
Ethernet/Bridged Ethernet reception of ARP packet
Ethernet LACP packet
Ethernet/Bridged Ethernet dynamic VLAN interface creation

Firewall/NAT payload
Firewall/NAT payload and update table

Frame Relay LMI packets
Frame Relay inverse ARP packets

IPsec transport mode L2TP control packets

MPLS TTL expired on ingress
MPLS TTL expired on egress
MPLS MTU exceeded

PPP echo request packets destined for the IC
PPP echo reply packets destined for the IC
PPP echo request packets generating an FC-based reply
Other PPP control packets

PPPoE PADx packets
PPPoE handling of PPP LCP packets for dynamic interface creation

Serial Line Interface SLARP packets

Table 100: IP-Related Protocols (CLI Name, Description of Flow)

IP Application Classifier (HTTP redirect) packets
IP IKE packet
IP BFD packets
IP BGP packets
IP COPS packets
IP Subscriber Interface Miss packets
IP DHCP packets destined for the IC (not broadcast)
IP DHCP packets destined for the SC (broadcast and IC not enabled)
IP fragments not classifiable
IP ICMP echo request and reply
IP ICMP packets that are not further classifiable (most likely large ping packets)
IP ICMP except echo request and reply
IP L2TP control packets for IC
IP L2TP control packets for SC
IP LDP packets
IP OSPF packets
IP Local packets not otherwise classified
IP PIM packets (except Assert type)
IP PIM Assert type packets
IP RSVP packets
IP Multicast listener packet
IP Multicast/Broadcast not otherwise classified
IP Multicast route table misses
IP Multicast route table Auto-RP misses
IP IGMP packets for the IC
IP Multicast control packet not otherwise classified
IP Multicast DHCP destined for SC
IP VRRP packets
IP Multicast on wrong interface
IPv6 Neighbor Discovery
IPv6 Neighbor Discovery miss
IP Path MTU request
IP options not otherwise classified
IP Router Alert
OSI packets
IP packets that have been reassembled on a server card
IP packets with no route indication
Packets routed to the SRP Ethernet
IP TTL expired

DoS Protection Group Commands

The following table lists the commands that are used to attach DoS protection groups to different types of interfaces and configure protocols:

atm dos-protection-group
bridge1483 dos-protection-group
ethernet dos-protection-group
frame-relay dos-protection-group
hdlc dos-protection-group
ip dos-protection-group
ipv6 dos-protection-group
lag dos-protection-group
ppp dos-protection-group
pppoe dos-protection-group
priority burst
priority over-subscription-factor
priority rate
protocol burst
protocol drop-probability
protocol priority
protocol rate
protocol skip-priority-rate-limiter
protocol weight
use canned-group
vlan dos-protection-group

Related Documentation