 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
To reduce the chance of a successful denial of service (DoS) attack and to provide diagnostic abilities while undergoing an attack, the system can detect suspicious control flows and keep state on those flows. A flow is a specific control protocol on a specific interface from a particular source. When the system determines that a control flow is suspicious, it can take corrective action on that control flow.
Keeping full state on each control flow can use a large number of resources. Instead, the system detects which flows have suspicious traffic. If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.
When a distributed DoS attack occurs on a line module, suspicious flow control resources can be exhausted. To provide further counter measures, you can enable the group feature, where flows are grouped together and treated as a whole. If you do not use the group feature, suspicious flows can fill up the suspicious flow table and prevent detection of additional attacking flows.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |