Example: Enabling IDP Protection Against Application-Level DDoS Attacks (CLI)

This example describes how you can use the application-level distributed denial-of-service (application-level DDoS) module to protect a DNS server.

When setting up application-level DDoS protection for a DNS server, first observe the average load of DNS requests. If the DNS server is expected to handle a normal load of 1000 requests per second, choose 20 percent in excess of the normal load (1200 requests per second) as the connection-rate-threshold. This is essentially 60,000 transactions in 60 seconds, so choose 20 percent in excess of this load as the context hit-rate-threshold (72,000). You can choose the context value-hit-rate-threshold based on the maximum load of requests for the same domain name being queried, counting only nonexempt context dns-type-name values. For example, if it is impractical for the DNS server to receive queries for the domain xyz.com more than 2000 times in 60 seconds, the context value-hit-rate-threshold should be set to 20 percent more than that value, which is 2400 times in 60 seconds. For monitoring and reporting, you can optionally set max-context-values to 100, so that at most the 100 most active DNS query values are monitored and reported. A client that appears in this range is most likely a malicious bot client. Once bot clients are identified, you can configure ip-action as ip-block with a timeout of 600 seconds (the bot client is denied access for 10 minutes) and set the session action to drop-packet.

In this example, IDP starts deep protocol analysis when the number of connections per second exceeds 1200, and starts bot client classification if either the total number of queries for the context dns-type-name exceeds 72,000 in 60 seconds or the number of requests for the same query value exceeds 2400 in 60 seconds.

Note: When an application-level DDoS attack occurs on the application server, it will have much higher transaction rates than it does under normal or even peak load. With this in mind, it is best to set thresholds higher than the normal peak of the application server so that ordinary load does not trigger unnecessary client classification processing. This improves the overall performance of the Juniper device because the application-level DDoS module does not start client classification until the server has actually reached abnormal transaction rates.
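To make the interplay of the thresholds concrete, the following is an added Python model of the staged logic described above, run over a constructed 60-second window of DNS queries. It is example code, not Juniper code and not the IDP implementation. It assumes that time-binding-count and time-binding-period (set in step 2 of the procedure) mean "a client that reaches the count of hits on one monitored value within the period is classified as a bot"; that reading, the sample traffic, and the helper names are assumptions of the example. It also shows why the exclude-context-values from step 3 matter: without them, the ordinary resolvers' frequent google.com lookups would be classified as bot traffic.

```python
import re
from collections import Counter, defaultdict

# Thresholds from the DNS example on this page: 20 percent of headroom over an
# observed normal load of 1000 requests/second (60,000 queries per 60 s window).
NORMAL_RPS = 1000
WINDOW = 60                                                  # seconds per counting window
HEADROOM = 1.2                                               # 20 percent above normal load
CONNECTION_RATE_THRESHOLD = int(NORMAL_RPS * HEADROOM)       # 1200 connections/s
HIT_RATE_THRESHOLD = int(NORMAL_RPS * WINDOW * HEADROOM)     # 72000 dns-type-name hits per window
VALUE_HIT_RATE_THRESHOLD = int(2000 * HEADROOM)              # 2400 hits per window for one name
MAX_CONTEXT_VALUES = 100                                     # most active names that get monitored
TIME_BINDING_COUNT = 10                                      # hits per client on one value ...
TIME_BINDING_PERIOD = 30                                     # ... within this many seconds => bot (assumed meaning)
IP_BLOCK_TIMEOUT = 600                                       # seconds, i.e. 10 minutes, not 1 hour

# exclude-context-values from step 3, interpreted as regular expressions.
EXCLUDE_CONTEXT_VALUES = [re.compile(p) for p in (r".*google.com", r".*yahoo.com")]


def is_exempt(name, patterns):
    """True when a dns-type-name value matches one of the exclude-context-values patterns."""
    return any(p.fullmatch(name) for p in patterns)


def classify(conns_per_sec, queries, exclusions=EXCLUDE_CONTEXT_VALUES):
    """Model of the staged logic described above (example code, not the IDP implementation).

    queries: (timestamp_seconds, client_ip, dns-type-name value) seen in one 60 s window.
    Returns which stages fired, the monitored values, and the clients classified as bots.
    """
    result = {"deep_analysis": False, "classification": False,
              "monitored_values": [], "bot_clients": set()}

    # Stage 1: deep protocol analysis starts only above the connection-rate-threshold.
    if conns_per_sec <= CONNECTION_RATE_THRESHOLD:
        return result
    result["deep_analysis"] = True

    # Stage 2: count hits per non-exempt value; report at most max-context-values of them.
    hits = Counter(name for _, _, name in queries if not is_exempt(name, exclusions))
    result["monitored_values"] = [name for name, _ in hits.most_common(MAX_CONTEXT_VALUES)]
    if (sum(hits.values()) <= HIT_RATE_THRESHOLD
            and max(hits.values(), default=0) <= VALUE_HIT_RATE_THRESHOLD):
        return result
    result["classification"] = True

    # Stage 3 (assumed meaning of time-binding-count/period): a client that reaches
    # TIME_BINDING_COUNT hits on one monitored value inside TIME_BINDING_PERIOD seconds is a bot.
    monitored = set(result["monitored_values"])
    stamps_by_client_value = defaultdict(list)
    for ts, client, name in queries:
        if name in monitored:
            stamps_by_client_value[(client, name)].append(ts)
    for (client, _), stamps in stamps_by_client_value.items():
        stamps.sort()
        oldest = 0
        for newest in range(len(stamps)):                    # sliding window over timestamps
            while stamps[newest] - stamps[oldest] > TIME_BINDING_PERIOD:
                oldest += 1
            if newest - oldest + 1 >= TIME_BINDING_COUNT:
                result["bot_clients"].add(client)
                break
    return result


def actions_for(result):
    """ip-action ip-block with the configured timeout for every classified bot client."""
    return {client: ("ip-block", IP_BLOCK_TIMEOUT) for client in result["bot_clients"]}


def sample_window():
    """Constructed traffic for one 60 s window (synthetic, not a capture)."""
    queries = []
    # 50 ordinary resolvers: google.com (exempt) every 3 s plus three lookups of their own host.
    for n in range(50):
        client = f"192.0.2.{n + 1}"
        queries += [(t, client, "google.com") for t in range(0, WINDOW, 3)]          # 20 hits
        queries += [(t, client, f"host{n}.example.net") for t in (5, 25, 45)]       # 3 hits
    # 3 bot clients hammering the same non-exempt name: 16 hits/s each, 2880 total (> 2400).
    for b in range(3):
        client = f"198.51.100.{b + 1}"
        queries += [(t, client, "xyz.com") for t in range(WINDOW) for _ in range(16)]
    return 1500, queries                                     # 1500 conn/s exceeds the 1200 threshold


if __name__ == "__main__":
    verdict = classify(*sample_window())
    print("stages:", verdict["deep_analysis"], verdict["classification"])
    print("bot clients:", sorted(verdict["bot_clients"]), "->", actions_for(verdict))
```

Running the model with the sample window flags only the three 198.51.100.x clients, because the 2880 xyz.com queries cross the value-hit-rate-threshold while the 50 resolvers' own lookups stay far below the time-binding count. Calling `classify(1000, queries)` with the connection rate at the normal load returns without any analysis, which is the behaviour the note above argues for; calling it with `exclusions=[]` flags all 53 clients, since 20 google.com lookups in 60 seconds put 10 hits inside a 30-second span.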

For detailed information about the following commands, see the Junos OS CLI Reference.

To enable protection against application-level DDoS for a DNS server, use the CLI configuration editor.

  1. Access the IDP security configuration hierarchy.
    [edit]
    user@host# edit security idp
  2. Configure application-ddos to define the type of traffic, the protocol context that will be monitored, and thresholds that will be used to trigger an action. In this example, DNS traffic and the protocol context dns-type-name will be monitored.
    [edit security idp]
    user@host# set application-ddos dns-server-1
    user@host# set application-ddos dns-server-1 service dns
    user@host# set application-ddos dns-server-1 connection-rate-threshold 1200
    user@host# set application-ddos dns-server-1 context dns-type-name hit-rate-threshold 72000
    user@host# set application-ddos dns-server-1 context dns-type-name value-hit-rate-threshold 2400
    user@host# set application-ddos dns-server-1 context dns-type-name max-context-values 100
    user@host# set application-ddos dns-server-1 context dns-type-name time-binding-count 10
    user@host# set application-ddos dns-server-1 context dns-type-name time-binding-period 30

    Note: You can continue to set other protocol contexts and thresholds that you would like to monitor.

  3. (Optional) Set context values that will be exempt from monitoring.
    [edit security idp]
    user@host# set application-ddos dns-server-1 context dns-type-name exclude-context-values .*google.com
    user@host# set application-ddos dns-server-1 context dns-type-name exclude-context-values .*yahoo.com
  4. Set the IDP policy rule for rulebase-ddos to define the source and destination of traffic that will be monitored.

    Note: You can only define one DDoS application per application-level DDoS rule. Create additional rules to monitor multiple DDoS applications.

    Each application-level DDoS rule is a terminal rule: the first rule that matches the incoming traffic is applied, and no further rules in the rulebase are evaluated for that traffic.

    [edit security idp]
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match source-address any
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match to-zone any
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match destination-address any
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match application default
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 match application-ddos dns-server-1
  5. Define the action to be taken when application-level DDoS attack traffic is detected.
    [edit security idp]
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then action drop-packet
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then ip-action ip-block
    user@host# set idp-policy AppDDoS-policy-1 rulebase-ddos rule AppDDoS-rule1 then ip-action timeout 600
