    Understanding DoS Protection

    A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. DoS protection reacts to an attack in progress and determines whether the source of traffic is valid or invalid. DoS protection includes diagnostic tools and configuration options. DoS protection groups provide a simple policy that can be applied to interfaces and that specifies a set of parameters to tune behavior.

    Note: You can configure a maximum of three DoS protection groups on a router, excluding the default group.

    Figure 1 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).

    Figure 1: Typical Control Packet Processing

    Suspicious Control Flow Detection

    To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.

    Keeping full state on each control flow can use a large number of resources. Instead, the system detects which flows have suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.

    When a distributed DoS attack occurs on a line module, suspicious flow control resources can be exhausted. As a further countermeasure, you can enable the group feature, which groups flows together and treats them as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.

    Suspicious Control Flow Monitoring

    Each protocol has a per-protocol rate limit. The rate limiter is used to limit the rate of packets that proceed to the control processor for the specific protocol. Per-protocol rate limiting is also used to begin the process by which flows of the specific protocol are monitored.

    Each priority has a per-priority rate limit. The rate limiter limits the rate of packets that proceed to the control processor for the specific priority. It also begins the process by which flows of the specific priority are monitored.

    All protocols on each line module have a rate limit. Each protocol is associated with a given priority, which is also provided with a rate limit. When a slot comes under attack, the first lines of defense are the protocol and priority rate limiters. If the line module determines that a specific protocol or priority is under attack (because the rate has been exceeded), it proceeds to monitor all flows from the problem protocol or priority. Initially, a control flow is marked as nonsuspicious.

    After a control flow is placed in the suspicious flow table, the system inspects all packets that belong to the flow. The interface controller (IC) and forwarding controller (FC) monitor the table to determine whether the suspicious flow has a packet rate above the suspicious level. If the packet rate is above this level, the flow is marked as suspicious. Marking a control flow as suspicious affects only a particular protocol on a particular interface. When a flow is marked as suspicious, all packets belonging to that flow are marked as suspicious and trapped at the forwarding controller.

    Suspicious control flows are continually monitored. The flow can be restored if the flow goes below the low threshold level. The flow can also be restored based on a backoff timer. The flow is removed from the suspicious flow table if the related interface is removed.

    Approximately 2000 flows can be monitored as suspicious at any time for each line module. When the suspicious flow table on a particular line module reaches its maximum and the system is not set to group flows, flows that should be marked as suspicious proceed as nonsuspicious. When you return a suspicious flow to a nonsuspicious state or delete it, the flows that did not fit into the table are added to the table.

    By default, the system groups flows when the suspicious flow table size is exceeded on a line module. When the flow table is full, instead of marking a specific flow in that group as suspicious and providing information on each flow on that line module, the system groups flows based on group membership and provides information on the group instead of each flow. This flow information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol; all flows in that group are considered suspicious.

    Configurable Options

    You can configure the following options for suspicious flow detection:

    • Global on or off. When the option is set to off, flows or packets are not marked as suspicious. The default is on.
    • Actions a line module takes when the suspicious flow table on the line module overflows:
      • Overflow—Stop recognizing new suspicious flows
      • Group—Group flows into logical groupings where some individual flows are monitored as a group
    • Suspicious threshold for each protocol. The threshold is the rate in packets per second at which a flow becomes suspicious. A zero setting disables suspicious flow detection for the protocol: its flows remain subject to the protocol and priority rate limits, but are never marked as suspicious.
    • Low threshold for each protocol. When the rate of a suspicious flow falls below this threshold, the flow transitions back to nonsuspicious. A zero setting means that the flow never transitions back to nonsuspicious based on packet rate.
    • Backoff time in seconds for each protocol. After this period expires, the flow transitions to nonsuspicious regardless of its current rate. A zero setting means that the flow never returns to the nonsuspicious state by timer.
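    The following simulation of one line module's suspicious flow table is an added example, not JunosE code: it applies the suspicious and low thresholds, the backoff timer, the drop probability, the global on/off switch, and both table overflow actions (group and overflow) as described above. Flow keys (port, interface, protocol), the rates and times, and the table size used for testing are constructed for illustration.

```python
import random
from dataclasses import dataclass, field

@dataclass
class ProtocolSettings:
    suspicious_pps: int      # rate above which a flow turns suspicious; 0 disables SCFD
    low_pps: int             # rate below which it is restored; 0 = no rate-based restore
    backoff_s: int           # restore after this many seconds; 0 = no timer-based restore
    drop_pct: int = 100      # drop probability for suspicious packets (default: drop all)

@dataclass
class LineModule:
    """Simulated suspicious flow table of one line module (added example, not JunosE code)."""
    settings: dict                    # protocol name -> ProtocolSettings
    table_size: int = 2000            # approximate per-line-module limit quoted on the page
    overflow_action: str = "group"    # "group" (default) or "overflow"
    enabled: bool = True              # global on/off switch
    suspicious: dict = field(default_factory=dict)  # flow -> time it was marked
    grouped: set = field(default_factory=set)       # (port, protocol) groups

    def observe(self, flow, pps, now):
        """flow = (port, interface, protocol); pps = its current rate. Returns its state."""
        port, _iface, proto = flow
        cfg = self.settings[proto]
        if not self.enabled or cfg.suspicious_pps == 0:
            return "nonsuspicious"           # rate limiters still apply, SCFD does not
        if (port, proto) in self.grouped:
            return "suspicious"              # every flow in a grouped port/protocol
        if flow in self.suspicious:
            if (cfg.low_pps and pps < cfg.low_pps) or \
               (cfg.backoff_s and now - self.suspicious[flow] >= cfg.backoff_s):
                del self.suspicious[flow]    # restored by low threshold or backoff timer
                return "nonsuspicious"
            return "suspicious"
        if pps <= cfg.suspicious_pps:
            return "nonsuspicious"
        if len(self.suspicious) < self.table_size:
            self.suspicious[flow] = now
            return "suspicious"
        if self.overflow_action == "group":  # table full: fall back to port+protocol group
            self.grouped.add((port, proto))
            return "suspicious"
        return "nonsuspicious"               # "overflow": stop recognizing new flows

    def drop(self, flow, rng=random):
        """True if a packet of this flow is dropped before reaching the control processor."""
        if flow in self.suspicious or (flow[0], flow[2]) in self.grouped:
            return rng.random() * 100 < self.settings[flow[2]].drop_pct
        return False
```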

    You can also clear the following:

    • All suspicious flows from the suspicious flow table for a specific slot.
    • Suspicious flows from the suspicious flow table for the entire system.
    • A single suspicious flow; returns the flow to the nonsuspicious state.

    Display Options

    For monitoring purposes, you can:

    • Display all suspicious control flows when the system has recognized an attack.
    • Display the current state and the number of transitions into suspicious state for the protocol and priority.
    • Display historical counts about the number of flows made suspicious.
    • View a trap or log generated when a control flow is considered suspicious.
    • View a trap or log generated when a control flow is no longer suspicious.

    Traps and Logs

    The system generates a trap and a log message under the following conditions:

    • A control flow transitions into a suspicious state; another trap and log message is generated on removal from a suspicious state.
    • A protocol transitions to or from the suspicious state.
    • A priority transitions to or from the suspicious state.
    • The suspicious flow control system is overflowing or grouping flows on a line module.

    You can control trap and log messages using CLI or SNMP commands.

    DoS Protection Groups

    A DoS protection group provides a simple policy that can be applied to interfaces. This policy can specify a complete set of parameters to tune the behavior of the DoS protection groups. The system uses these parameters to determine the priority and rates for various control protocols. The rate of traffic for a particular protocol is unlikely to be the same on all ports in the system. A configuration can have several types of interfaces, such as DHCP access clients, PPPoE access clients, and uplink interfaces. Each of these interfaces requires a different DoS configuration. All interfaces are associated with a default DoS protection group, which has standard system defaults. The maximum rates are per line module, and the drop probability is 100 percent (all suspicious packets are dropped).

    Group Parameters

    DoS protection groups support the following set of parameters:

    • Protocol-to-priority mapping enables you to map a protocol to one of four priorities.
    • Protocol burst enables you to configure the burst level for the protocol. The burst is configured in packets and defaults to one half of the maximum rate.
    • Protocol maximum rate limit (per line module) enables you to map a protocol to a maximum rate limit. This rate limit applies to all packets for a particular protocol for interfaces belonging to this particular DoS protection group on a line module. Because interfaces on a single line module can be attached to different DoS protection groups, the total maximum rate for a protocol on that line module can be up to the sum of the four configured rates (the default group plus the three configurable groups). You can set a maximum rate of zero for protocols that are not used. The actual rate never exceeds the maximum rate, but the actual rate allowed can be less than the configured maximum rate because of the weighting of protocols within a DoS protection group and the use of multiple DoS protection groups.
    • Protocol weight with respect to other protocols in the DoS protection group enables you to balance the priority of the protocols. For each priority grouping, weight determines the effective minimum rate that each protocol receives. Within each priority, the sum of the minimum rates for all protocols using that priority is equal to or less than the priority rate times the over-subscription value. Each priority has a separate rate for each DoS protection group.
    • Protocol drop probability for suspicious packets enables you to map a protocol to a specific drop probability. The drop probability is the percentage probability that a suspicious packet is dropped.
    • Protocol skip priority rate limiter enables you to configure the system so that the specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected. The default is off—the protocol is subject to priority rate limiting.
    • Priority rate sets the rate of the priority in packets per second for the line module. If this rate is exceeded, it triggers DoS suspicious control flow detection.
    • Priority burst enables you to set the number of packets allowed to exceed the maximum rate before packets are dropped and DoS suspicious control flow detection is triggered.
    • Priority oversubscription enables you to set an oversubscription factor for the priority rate limiter. The factor is used together with the priority rate to calculate the minimum rate limits for the protocols within a priority grouping, and it allows the priority rate to be oversubscribed. The value is the percentage by which the priority rate limiter is allowed to be oversubscribed, in the range 100–1000.

    Attaching Groups

    By default, each interface belongs to the default DoS protection group. The name is the only non-configurable aspect of the default DoS protection group.

    The DoS protection group is a configurable parameter for all Layer 2 and IP interfaces. Similar to other configurable interface parameters, the DoS protection group can be set using profiles.

    Because all newly created interfaces default to using the default DoS protection group, they do not inherit any DoS protection group association from a higher or lower interface binding.

    The DoS group applies to all types of control flows for the specific interface. For example, an IP interface supports a variety of control protocols, each of which can be separately mapped to a priority and drop probability, but to a single DoS protection group.

    Protocol Mapping

    Table 1 and Table 2 list the protocols mapped within DoS protection groups.

    Table 1: Layer 2-Related Protocols

    CLI Name                    Description of Flow
    atmControl                  ATM ILMI packets
    atmOAM                      ATM OAM packets
    atmDynamicIf                ATM dynamic interface column creation
    atmInverseArp               ATM inverse ARP packets

    dhcpExternal                DHCP external packets

    ethernetArpMiss             Ethernet/Bridged Ethernet request to send ARP
    ethernetArp                 Ethernet/Bridged Ethernet reception of ARP packet
    ethernetLacp                Ethernet LACP packet
    ethernetDynamicIf           Ethernet/Bridged Ethernet dynamic VLAN interface creation

    flisInPayload               Firewall/NAT payload
    flisInPayloadUpdateTbl      Firewall/NAT payload and update table

    frameRelayControl           Frame Relay LMI packets
    frameRelayArp               Frame Relay inverse ARP packets

    itmL2tpControl              IPsec transport mode L2TP control packets

    mplsTtlOnRx                 MPLS TTL expired on ingress
    mplsTtlOnTx                 MPLS TTL expired on egress
    mplsMtu                     MPLS MTU exceeded

    pppEchoRequest              PPP echo request packets destined for the IC
    pppEchoReply                PPP echo reply packets destined for the IC
    pppEchoReplyFast            PPP echo request packets generating an FC-based reply
    pppControl                  Other PPP control packets

    pppoeControl                PPPoE PADx packets
    pppoePppConfig              PPPoE handling of PPP LCP packets for dynamic interface creation

    slepSlarp                   Serial Line Interface SLARP packets

    Table 2: IP-Related Protocols

    CLI Name                       Description of Flow
    ipAppClassifierHttpRedirect    IP Application Classifier (HTTP redirect) packets
    ipIke                          IP IKE packets
    ipLocalBfd                     IP BFD packets
    ipLocalBgp                     IP BGP packets
    ipLocalCops                    IP COPS packets
    ipLocalDemuxMiss               IP Subscriber Interface Miss packets
    ipLocalDhcpIc                  IP DHCP packets destined for the IC (not broadcast)
    ipLocalDhcpSc                  IP DHCP packets destined for the SC (broadcast and IC not enabled)
    ipLocalFrag                    IP fragments not classifiable
    ipLocalIcmpEcho                IP ICMP echo request and reply
    ipLocalIcmpFrag                IP ICMP packets that are not further classifiable (most likely large ping packets)
    ipLocalIcmpOther               IP ICMP except echo request and reply
    ipLocalL2tpControlIC           IP L2TP control packets for the IC
    ipLocalL2tpControlSC           IP L2TP control packets for the SC
    ipLocalLDP                     IP LDP packets
    ipLocalOspf                    IP OSPF packets
    ipLocalOther                   IP local packets not otherwise classified
    ipLocalPim                     IP PIM packets (except typeAssert)
    ipLocalPimAssert               IP PIM assert type packets
    ipLocalRsvp                    IP RSVP packets
    ipMld                          IP Multicast Listener packets
    ipMulticastBroadcastOther      IP multicast/broadcast not otherwise classified
    ipMulticastCacheMiss           IP multicast route table misses
    ipMulticastCacheMissAutoRp     IP multicast route table Auto-RP misses
    ipMulticastControlIc           IP IGMP packets for the IC
    ipMulticastControlSc           IP multicast control packets not otherwise classified
    ipMulticastDhcpSc              IP multicast DHCP destined for the SC
    ipMulticastVrrp                IP VRRP packets
    ipMulticastWrongIf             IP multicast on wrong interface
    ipNeighborDiscovery            IPv6 Neighbor Discovery
    ipNeighborDiscoveryMiss        IPv6 Neighbor Discovery miss
    ipNormalPathMtu                IP Path MTU request
    ipOptionsOther                 IP options not otherwise classified
    ipOptionsRouterAlert           IP Router Alert
    ipOsi                          OSI packets
    ipReassembly                   IP packets that have been reassembled on a server card
    ipRouteNoRoute                 IP packets with no route indication
    ipRouteToSrpEthernet           Packets routed to the SRP Ethernet
    ipTtlExpired                   IP TTL expired

    DoS Protection Group Commands

    The following table lists the commands that are used to attach DoS protection groups to different types of interfaces and configure protocols:

    Published: 2014-08-12