    Understanding DoS Protection

    A denial-of-service (DoS) attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. DoS protection reacts to an attack in progress and determines whether the source of traffic is valid or invalid. DoS protection includes diagnostic tools and configuration options. DoS protection groups provide a simple policy that can be applied to interfaces and that specifies a set of parameters to tune behavior.

    Note: You can configure a maximum of three DoS protection groups on a router, excluding the default group.

    Figure 1 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).

    Figure 1: Typical Control Packet Processing

    Suspicious Control Flow Detection

    To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.

    Keeping full state on each control flow can use a large number of resources. Instead, the system detects which flows have suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.

    When a distributed DoS attack occurs on a line module, suspicious flow control resources can be exhausted. To provide further countermeasures, you can enable the group feature, where flows are grouped together and treated as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.

    Suspicious Control Flow Monitoring

    Each protocol has a per-protocol rate limit. The rate limiter is used to limit the rate of packets that proceed to the control processor for the specific protocol. Per-protocol rate limiting is also used to begin the process by which flows of the specific protocol are monitored.

    Each priority has a per-priority rate limit. The rate limiter limits the rate of packets that proceed to the control processor for the specific priority. It also begins the process by which flows of the specific priority are monitored.

    All protocols on each line module have a rate limit. Each protocol is associated with a given priority, which is also provided with a rate limit. When a slot comes under attack, the first lines of defense are the protocol and priority rate limiters. If the line module determines that a specific protocol or priority is under attack (because the rate has been exceeded), it proceeds to monitor all flows from the problem protocol or priority. Initially, a control flow is marked as nonsuspicious.

    After a control flow is placed in the suspicious flow table, the system inspects all packets that belong to the flow. The interface controller (IC) and forwarding controller (FC) monitor the table to determine whether the suspicious flow has a packet rate above the suspicious level. If the packet rate is above this level, the flow is marked as suspicious. Marking a control flow as suspicious affects only a particular protocol on a particular interface. When a flow is marked as suspicious, all packets belonging to that flow are marked as suspicious and trapped at the forwarding controller.

    Suspicious control flows are continually monitored. The flow can be restored if the flow goes below the low threshold level. The flow can also be restored based on a backoff timer. The flow is removed from the suspicious flow table if the related interface is removed.

    Approximately 2000 flows can be monitored as suspicious at any time for each line module. When the suspicious flow table on a particular line module reaches its maximum and the system is not set to group flows, flows that should be marked as suspicious proceed as nonsuspicious. When you return a suspicious flow to a nonsuspicious state or delete it, the flows that did not fit into the table are added to the table.

    By default, the system groups flows when the suspicious flow table size is exceeded on a line module. When the flow table is full, instead of marking a specific flow in that group as suspicious and providing information on each flow on that line module, the system groups flows based on group membership and provides information on the group instead of each flow. This flow information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol; all flows in that group are considered suspicious.

    Configurable Options

    You can configure the following options for suspicious flow detection:

    • Global on or off. When the option is set to off, flows or packets are not marked as suspicious. The default is on.
    • Actions a line module takes when the suspicious flow table on the line module overflows:
      • Overflow—Stop recognizing new suspicious flows
      • Group—Group flows into logical groupings where some individual flows are monitored as a group
    • Suspicious threshold for each protocol. The threshold is the rate in packets per second at which a flow becomes suspicious. A zero setting disables suspicious flow detection for the protocol; flows of that protocol remain subject to the protocol and priority rate limits but are never marked suspicious.
    • Low threshold for each protocol. The threshold rate determines whether an interface transitions from suspicious back to nonsuspicious. A zero setting means that the flow does not transition back to nonsuspicious based on packet rate.
    • Backoff time in seconds for each protocol. After this period expires, the flow transitions to nonsuspicious regardless of the current rate. When set to zero, an interface does not return to the nonsuspicious state using a time mechanism.

    You can also clear the following:

    • All suspicious flows from the suspicious flow table for a specific slot.
    • Suspicious flows from the suspicious flow table for the entire system.
    • A single suspicious flow; returns the flow to the nonsuspicious state.
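The flow state machine described above (the per-protocol rate limiter that starts monitoring, the suspicious threshold, the bounded suspicious flow table with its overflow or group behavior, recovery by low threshold or backoff timer, drop probability at the forwarding controller, and the operator clear) as an added Python model. This is an illustration added here, not JunosE code: the class and method names, the "port3/0" interface names and the two-entry table size used in the scenario are assumptions made for the example.

```python
# Simplified model of suspicious control flow detection (SCFD) on one line module.
# Constructed illustration, not JunosE code: names such as LineModuleScfd,
# evaluate_flow and the "port3/0" interface names are assumptions.
import random
from dataclasses import dataclass

TABLE_MAX_DEFAULT = 2000  # page: approximately 2000 suspicious flows per line module


@dataclass
class ProtocolPolicy:
    max_rate_pps: int              # per-protocol rate limit on the line module
    suspicious_threshold_pps: int  # 0 disables suspicious flow detection for the protocol
    low_threshold_pps: int         # 0 means no rate-based return to nonsuspicious
    backoff_seconds: int           # 0 means no timer-based return to nonsuspicious
    drop_probability: float = 1.0  # fraction of suspicious packets dropped (default: all)


class LineModuleScfd:
    """Flow key = (interface, protocol); group key = (physical port, protocol)."""

    def __init__(self, policies, table_max=TABLE_MAX_DEFAULT,
                 overflow_action="group", enabled=True, seed=0):
        if overflow_action not in ("group", "overflow"):
            raise ValueError("overflow_action must be 'group' or 'overflow'")
        self.policies = policies
        self.table_max = table_max
        self.overflow_action = overflow_action
        self.enabled = enabled            # global on/off
        self.monitored = set()            # protocols whose rate limiter was exceeded
        self.table = {}                   # (interface, protocol) -> time marked suspicious
        self.grouped = set()              # (port, protocol) groups suspicious as a whole
        self.transitions = 0              # historical count of flows made suspicious
        self.events = []                  # stands in for the traps and log messages
        self._rng = random.Random(seed)

    def protocol_rate_sample(self, protocol, aggregate_pps):
        """First line of defense: exceeding the per-protocol limit starts flow monitoring."""
        if aggregate_pps > self.policies[protocol].max_rate_pps and protocol not in self.monitored:
            self.monitored.add(protocol)
            self.events.append(("protocol-suspicious", protocol))

    def evaluate_flow(self, interface, port, protocol, rate_pps, now):
        """Apply one rate sample; return 'suspicious', 'suspicious-group' or 'nonsuspicious'."""
        policy = self.policies[protocol]
        if not self.enabled or protocol not in self.monitored or policy.suspicious_threshold_pps == 0:
            return "nonsuspicious"        # rate limiters still apply, nothing is marked
        key, gkey = (interface, protocol), (port, protocol)
        if gkey in self.grouped:
            return "suspicious-group"     # every flow in a grouped (port, protocol) is suspicious
        marked_at = self.table.get(key)
        if marked_at is None:
            if rate_pps <= policy.suspicious_threshold_pps:
                return "nonsuspicious"
            if len(self.table) >= self.table_max:  # suspicious flow table is full
                if self.overflow_action == "group":
                    self.grouped.add(gkey)
                    self.events.append(("grouping", gkey))
                    return "suspicious-group"
                self.events.append(("overflow", key))
                return "nonsuspicious"    # overflow: new attacking flows go unrecognized
            self.table[key] = now
            self.transitions += 1
            self.events.append(("flow-suspicious", key))
            return "suspicious"
        # Already suspicious: restore when below the low threshold or when backoff expires.
        below_low = policy.low_threshold_pps > 0 and rate_pps < policy.low_threshold_pps
        backoff_done = policy.backoff_seconds > 0 and now - marked_at >= policy.backoff_seconds
        if below_low or backoff_done:
            self.clear_flow(interface, protocol)
            return "nonsuspicious"
        return "suspicious"

    def clear_flow(self, interface, protocol):
        """Operator clear of a single flow: it returns to the nonsuspicious state."""
        if self.table.pop((interface, protocol), None) is not None:
            self.events.append(("flow-nonsuspicious", (interface, protocol)))

    def clear_all(self):
        """Operator clear of every suspicious flow and group on this slot."""
        for key in list(self.table):
            self.clear_flow(*key)
        self.grouped.clear()

    def deliver(self, interface, port, protocol):
        """Forwarding-controller decision for one packet: True if it reaches the control processor."""
        if (interface, protocol) not in self.table and (port, protocol) not in self.grouped:
            return True
        return self._rng.random() >= self.policies[protocol].drop_probability


def run_scenario():
    """Constructed ARP storm on two access ports with the table shrunk to two entries."""
    policies = {"arp": ProtocolPolicy(max_rate_pps=1000, suspicious_threshold_pps=200,
                                      low_threshold_pps=50, backoff_seconds=60)}
    lm = LineModuleScfd(policies, table_max=2)
    lm.protocol_rate_sample("arp", 5000)  # aggregate ARP rate exceeds the limit: monitoring starts
    states = [lm.evaluate_flow("port3/0.vlan0", "port3/0", "arp", 800, now=0),
              lm.evaluate_flow("port3/0.vlan1", "port3/0", "arp", 800, now=0),
              lm.evaluate_flow("port3/1.vlan2", "port3/1", "arp", 800, now=0),   # table full: grouped
              lm.evaluate_flow("port3/0.vlan0", "port3/0", "arp", 10, now=5)]    # below low threshold
    return states


if __name__ == "__main__":
    print(run_scenario())
```

With the table limited to two entries, the third attacking flow cannot get its own entry, so its whole (port, protocol) group is marked suspicious, which is the "group" overflow action; switching to overflow_action="overflow" makes that third flow proceed as nonsuspicious instead, which is exactly the gap in detection the group feature exists to close.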

    Display Options

    For monitoring purposes, you can:

    • Display all suspicious control flows when the system has recognized an attack.
    • Display the current state and the number of transitions into suspicious state for the protocol and priority.
    • Display historical counts about the number of flows made suspicious.
    • View a trap or log generated when a control flow is considered suspicious.
    • View a trap or log generated when a control flow is no longer suspicious.

    Traps and Logs

    The system generates a trap and a log message under the following conditions:

    • A control flow transitions into a suspicious state; another trap and log message is generated on removal from a suspicious state.
    • A protocol transitions to or from the suspicious state.
    • A priority transitions to or from the suspicious state.
    • The suspicious flow control system is overflowing or grouping flows on a line module.

    You can control trap and log messages using CLI or SNMP commands.

    DoS Protection Groups

    A DoS protection group provides a simple policy that can be applied to interfaces. This policy can specify a complete set of parameters to tune the behavior of the DoS protection groups. The system uses these parameters to determine the priority and rates for various control protocols. The rate of traffic for a particular protocol is unlikely to be the same on all ports in the system. A configuration can have several types of interfaces, such as DHCP access clients, PPPoE access clients, and uplink interfaces. Each of these interfaces requires a different DoS configuration. All interfaces are associated with a default DoS protection group, which has standard system defaults. The maximum rates are per line module, and the drop probability is 100 percent (all suspicious packets are dropped).

    Group Parameters

    DoS protection groups support the following set of parameters:

    • Protocol-to-priority mapping enables you to map a protocol to one of four priorities.
    • Protocol burst enables you to configure the burst level for the protocol. The burst is configurable in packets, and defaults to a value in packets that is one half of the maximum rate.
    • Protocol maximum rate limit (per line module) enables you to map a protocol to a maximum rate limit. This rate limit applies to all packets for a particular protocol for interfaces belonging to this particular DoS protection group on a line module. By having a DoS protection group on a single line module, the total maximum rate for a protocol can be up to the sum of the four rates configured, depending on the DoS group attached to an interface. You can set a maximum rate of zero for protocols that are not used. The actual rate never exceeds the maximum rate, but the actual rate allowed can be less than the configured maximum rate because of the weighting of protocols within a DoS protection group and the use of multiple DoS protection groups.
    • Protocol weight with respect to other protocols in the DoS protection group enables you to balance the priority of the protocols. For each priority grouping, weight determines the effective minimum rate that each protocol receives. Within each priority, the sum of the minimum rates for all protocols using that priority is equal to or less than the priority rate times the over-subscription value. Each priority has a separate rate for each DoS protection group.
    • Protocol drop probability for suspicious packets enables you to map a protocol to a specific drop probability. The drop probability is the percentage probability that a suspicious packet is dropped.
    • Protocol skip priority rate limiter enables you to configure the system so that the specified protocol is not subject to the priority rate limiter for the priority and DoS protection group selected. The default is off—the protocol is subject to priority rate limiting.
    • Priority rate sets the rate of the priority in packets per second for the line module. If this rate is exceeded, it triggers DoS suspicious control flow detection.
    • Priority burst enables you to set the number of packets allowed to exceed the maximum rate before packets are dropped and DoS suspicious control flow detection is triggered.
    • Priority oversubscription enables you to set an oversubscription factor for the priority rate limiter. Together with the priority rate, it determines the minimum rate limits for the protocols within a priority grouping and allows the priority rate to be oversubscribed. The value is the percentage by which the priority rate limiter is allowed to be oversubscribed, in the range 100–1000.
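A worked computation of the group parameters listed above: the weight-derived minimum rate per protocol within one priority, the protocol maximum as a cap, the default burst of half the maximum rate, and the invariant that the minimum rates of a priority sum to no more than the priority rate times the oversubscription factor. This is an example added here, not JunosE code. The page states the invariant but not the arithmetic the system uses, so a weight-proportional share of the oversubscribed priority rate, capped by the protocol maximum, is assumed; the protocol names and numbers in example_group are constructed.

```python
# Worked computation of per-protocol minimum rates within one priority of a
# DoS protection group. Constructed example, not JunosE code: the weight-
# proportional share is an assumption; the page only states the invariant.
from dataclasses import dataclass


@dataclass
class ProtocolParams:
    priority: int                    # one of four priorities
    weight: int                      # weight relative to other protocols in the same priority
    max_rate_pps: int                # per line module; 0 for a protocol that is not used
    burst_packets: int = -1          # page default: half of the maximum rate
    drop_probability_pct: int = 100  # suspicious-packet drop probability, percent
    skip_priority_limiter: bool = False

    def __post_init__(self):
        if self.burst_packets < 0:
            self.burst_packets = self.max_rate_pps // 2


@dataclass
class PriorityParams:
    rate_pps: int                    # priority rate for the line module
    burst_packets: int
    oversubscription_pct: int = 100  # allowed range on the page: 100-1000

    def __post_init__(self):
        if not 100 <= self.oversubscription_pct <= 1000:
            raise ValueError("oversubscription must be between 100 and 1000 percent")

    def budget_pps(self):
        """Priority rate times the oversubscription factor."""
        return self.rate_pps * self.oversubscription_pct // 100


def minimum_rates(group, priorities):
    """Effective minimum rate per protocol: its weight share of the oversubscribed
    priority budget, never above its own configured maximum rate."""
    mins = {}
    for prio, pp in priorities.items():
        members = {n: p for n, p in group.items() if p.priority == prio}
        active_weight = sum(p.weight for p in members.values() if p.max_rate_pps > 0)
        for name, p in members.items():
            if p.max_rate_pps == 0 or active_weight == 0:
                mins[name] = 0           # unused protocol receives nothing
                continue
            share = pp.budget_pps() * p.weight // active_weight
            mins[name] = min(share, p.max_rate_pps)
    return mins


def holds_invariant(group, priorities, mins):
    """Page: per priority, sum of protocol minimum rates <= priority rate x oversubscription."""
    for prio, pp in priorities.items():
        total = sum(r for n, r in mins.items() if group[n].priority == prio)
        if total > pp.budget_pps():
            return False
    return True


def example_group():
    """Constructed group: three IP control protocols sharing priority 1."""
    group = {
        "ospf": ProtocolParams(priority=1, weight=3, max_rate_pps=2000),
        "bgp": ProtocolParams(priority=1, weight=1, max_rate_pps=300),
        "rip": ProtocolParams(priority=1, weight=1, max_rate_pps=0),   # not used: rate zero
    }
    priorities = {1: PriorityParams(rate_pps=1000, burst_packets=500, oversubscription_pct=150)}
    return group, priorities


if __name__ == "__main__":
    g, pr = example_group()
    m = minimum_rates(g, pr)
    print(m, holds_invariant(g, pr, m))
```

In the constructed group the priority budget is 1000 pps times 150 percent, so OSPF's weight of 3 out of 4 yields a 1125 pps minimum while BGP's share of 375 pps is capped at its own 300 pps maximum; the capped sum of 1425 pps stays within the 1500 pps budget, which is why the actual rate a protocol gets can be less than its configured maximum.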

    Attaching Groups

    By default, each interface belongs to the default DoS protection group. The name is the only non-configurable aspect of the default DoS protection group.

    The DoS protection group is a configurable parameter for all Layer 2 and IP interfaces. Similar to other configurable interface parameters, the DoS protection group can be set using profiles.

    Because all newly created interfaces default to using the default DoS protection group, they do not inherit any DoS protection group association from a higher or lower interface binding.

    The DoS group applies to all types of control flows for the specific interface. For example, an IP interface supports a variety of control protocols, each of which can be separately mapped to a priority and drop probability, but to a single DoS protection group.

    Protocol Mapping

    Table 1 and Table 2 list the protocols mapped within DoS protection groups.

    Table 1: Layer 2-Related Protocols

    CLI Name / Description of Flow:

    • ATM ILMI packets
    • ATM OAM packets
    • ATM dynamic interface column creation
    • ATM inverse ARP packets

    • DHCP external packets

    • Ethernet/Bridged Ethernet request to send ARP
    • Ethernet/Bridged Ethernet reception of ARP packet
    • Ethernet LACP packet
    • Ethernet/Bridged Ethernet dynamic VLAN interface creation

    • Firewall/NAT payload
    • Firewall/NAT payload and update table

    • Frame Relay LMI packets
    • Frame Relay inverse ARP packets

    • IPsec transport mode L2TP control packets

    • MPLS TTL expired on ingress
    • MPLS TTL expired on egress
    • MPLS MTU exceeded

    • PPP echo request packets destined for the IC
    • PPP echo reply packets destined for the IC
    • PPP echo request packets generating an FC-based reply
    • Other PPP control packets

    • PPPoE PADx packets
    • PPPoE handling of PPP LCP packets for dynamic interface creation

    • Serial Line Interface SLARP packets
    Table 2: IP-Related Protocols

    CLI Name / Description of Flow:

    • IP Application Classifier (HTTP redirect) packets
    • IP IKE packets
    • IP BFD packets
    • IP BGP packets
    • IP COPS packets
    • IP Subscriber Interface Miss packets
    • IP DHCP packets destined for the IC (not broadcast)
    • IP DHCP packets destined for the SC (broadcast and IC not enabled)
    • IP fragments not classifiable
    • IP ICMP echo request and reply
    • IP ICMP packets that are not further classifiable (most likely large ping packets)
    • IP ICMP except echo request and reply
    • IP L2TP control packets for IC
    • IP L2TP control packets for SC
    • IP LDP packets
    • IP OSPF packets
    • IP Local packets not otherwise classified
    • IP PIM packets (except type Assert)
    • IP PIM Assert type packets
    • IP RSVP packets
    • IP Multicast listener packets
    • IP Multicast/Broadcast not otherwise classified
    • IP Multicast route table misses
    • IP Multicast route table Auto-RP misses
    • IP IGMP packets for the IC
    • IP Multicast control packets not otherwise classified
    • IP Multicast DHCP destined for SC
    • IP VRRP packets
    • IP Multicast on wrong interface
    • IPv6 Neighbor Discovery
    • IPv6 Neighbor Discovery miss
    • IP Path MTU request
    • IP options not otherwise classified
    • IP Router Alert
    • OSI packets
    • IP packets that have been reassembled on a server card
    • IP packets with no route indication
    • Packets routed to the SRP Ethernet
    • IP TTL expired

    DoS Protection Group Commands

    The following table lists the commands that are used to attach DoS protection groups to different types of interfaces and configure protocols:

    Published: 2014-08-12