DoS Protection Group Configuration Example

The examples in this section illustrate how to configure a denial-of-service (DoS) protection group.

Requirements

This example uses the following software and hardware components:

Overview of Denial of Service Protection

A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. DoS protection responds reactively to an attack and determines whether the source of traffic is valid or invalid. It includes diagnostic tools and configuration options. A DoS protection group is a simple policy that you apply to interfaces; it specifies a set of parameters that tune this behavior.

Configuring DoS Protection Group

Configuration Example

Step-by-Step Procedure

To configure a DoS protection group for an interface:

  1. Enter DoS Protection Group Configuration mode.
    host1(config)#dos-protection-group default

    Note: Beginning with JunosE Release 10.0.0, you can configure up to three DoS protection groups in addition to the one DoS protection group that is available by default. You can associate any of the configured DoS protection groups with an interface.

  2. Set the maximum rates for the protocols.
    host1(config-dos-protection)#protocol AtmOam rate 512
    host1(config-dos-protection)#protocol PppoeControl rate 512
    host1(config-dos-protection)#protocol IpLocalOther rate 512
  3. Set the burst size for the protocols.
    host1(config-dos-protection)#protocol AtmOam burst 512
    host1(config-dos-protection)#protocol PppoeControl burst 512
    host1(config-dos-protection)#protocol IpLocalOther burst 512
  4. Set the weight for the protocols.
    host1(config-dos-protection)#protocol AtmOam weight 100
    host1(config-dos-protection)#protocol PppoeControl weight 100
    host1(config-dos-protection)#protocol IpLocalOther weight 100
  5. Set the priority for the protocols.
    host1(config-dos-protection)#protocol AtmOam priority Lo-Green
    host1(config-dos-protection)#protocol PppoeControl priority Hi-Yellow
    host1(config-dos-protection)#protocol IpLocalOther priority dataPath
  6. (Optional) You can also use a preconfigured (canned) set of parameters.
    host1(config-dos-protection)#use canned-group default

Monitoring DoS Protection Groups

Monitoring Example

Purpose

Display the configuration of the default DoS protection group.

Action

To display the configuration of the default DoS protection group:

host1#show dos-protection-group default
        default (canned-group: defaultCanned)  *modified -- no references
 
      Protocol         Dest Mod Rate  Burst Weight DropProb Priority  Skip
--------------------   ---- --- ----- ----- ------ -------- --------- ----
Ppp Echo Request       IC     -  2048  1024    100      100 HI green  Y
Ppp Echo Reply         IC     -  2048  1024    100      100 HI green  Y
Ppp Echo Reply Fastp   FC     -     0     0    100      100 Data path Y
path
Ppp Control            IC     -  2048  1024    100      100 HI green  N
Atm Control (ILMI)     IC     -  2048  1024    100      100 HI green  Y
Atm OAM                IC     *   512   512    100      100 LO green  N
Atm Dynamic Interface  IC     -  1024   512    100      100 HI yellow N
Column Creation
Atm Inverse ARP        IC     -   256   128    100      100 LO yellow N
Frame Relay Control    IC     -  2048  1024    100      100 HI green  Y
(LMI)
Frame Relay Inverse    IC     -   256   128    100      100 LO yellow N
Arp
Pppoe Control          IC     *   512   512    100      100 HI yellow N
Pppoe Ppp Config Dyn   IC     -  1024   512    100      100 HI yellow N
amic Interface Colum
n Creation
Ethernet ARP Miss      IC     -   256   128    100      100 LO yellow N
Ethernet ARP           IC     -   256   128    100      100 LO yellow N

Meaning

Table 101 lists the show dos-protection-group default command output fields.

Table 101: show dos-protection-group default Output Fields

Field Name   Field Description
----------   -----------------
Protocol     Names of the protocols configured for the default DoS protection groups
Dest         Destination of a protocol
Mod          • *: Indicates that the group or protocol within the group has changed from the preprogrammed value of the associated group
             • -: Indicates no references
Rate         Maximum rate limit of a protocol
Burst        Burst level of a protocol
Weight       Protocol weight. For each priority grouping, weight determines the effective minimum rate that each protocol receives
DropProb     Protocol drop probability. The drop probability is the percentage probability that a suspicious packet is dropped
Priority     Maps a protocol to one of four priorities
Skip         Protocol skip priority rate limiter
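
The following Python example is added here and is not part of the Juniper documentation: it parses show dos-protection-group output like that shown above, rejoins protocol names that wrap onto continuation lines, and checks that the rate and burst values set in the configuration steps are the ones the router displays. Assumptions: the sample text is constructed from rows above, the function names are hypothetical, and the rule for rejoining wrapped names is a heuristic (the "Ppp Echo Reply Fastp" / "path" row above does not rejoin cleanly under it).

```python
import re

# Constructed sample: a subset of the rows in the output shown above.
SAMPLE = """\
      Protocol         Dest Mod Rate  Burst Weight DropProb Priority  Skip
--------------------   ---- --- ----- ----- ------ -------- --------- ----
Atm OAM                IC     *   512   512    100      100 LO green  N
Frame Relay Control    IC     -  2048  1024    100      100 HI green  Y
(LMI)
Pppoe Control          IC     *   512   512    100      100 HI yellow N
Pppoe Ppp Config Dyn   IC     -  1024   512    100      100 HI yellow N
amic Interface Colum
n Creation
"""

ROW = re.compile(r"^(?P<name>.+?)\s+(?P<dest>[A-Z]{2})\s+(?P<mod>[*-])\s+(?P<rate>\d+)"
                 r"\s+(?P<burst>\d+)\s+(?P<weight>\d+)\s+(?P<drop>\d+)"
                 r"\s+(?P<priority>.+?)\s+(?P<skip>[YN])$")
NAME_WIDTH = 20  # Protocol column width, read off the dashed rule

def parse(text):
    """Return one dict per protocol, rejoining names wrapped onto later lines."""
    rows, frag, in_body = [], "", False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("---"):
            in_body = True
        elif in_body and (m := ROW.match(line)):
            rows.append(m.groupdict())
            frag = m["name"]
        elif in_body and line and rows:
            # Assumption: a fragment that fills the column was split mid-word.
            rows[-1]["name"] += ("" if len(frag) == NAME_WIDTH else " ") + line
            frag = line
    return rows

def key(name):
    """Normalize so a CLI keyword (AtmOam) matches its display name (Atm OAM)."""
    return re.sub(r"\s+", "", name).lower()

def audit(rows, expected):
    """Return (protocol, shown) for each expected (rate, burst) not displayed."""
    shown = {key(r["name"]): (int(r["rate"]), int(r["burst"])) for r in rows}
    return [(p, shown.get(key(p))) for p, want in expected.items()
            if shown.get(key(p)) != want]

# Rates and bursts from the configuration steps on this page.
EXPECTED = {"AtmOam": (512, 512), "PppoeControl": (512, 512), "IpLocalOther": (512, 512)}
if __name__ == "__main__":
    print(audit(parse(SAMPLE), EXPECTED))
```

A protocol reported with None, as IpLocalOther is here, was configured but does not appear in the captured output, so its limits cannot be confirmed from that capture.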
