Packets-Per-Second (pps)-Based Policer Overview

In a modern network environment, both denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are very common. Over time, these attacks have evolved from brute-force attacks, in which the attacker tries to overrun a connection's available bandwidth with a vast amount of directed traffic, to low-and-slow attacks that use smaller packets sent at a slower rate to target specific resources and deny service.

Traffic policers, both interface-based and filter-based, have been available to mitigate brute-force DDoS attacks. These policers operate by limiting the traffic rate through a logical interface, or by limiting the traffic rate as a nonterminating action within a firewall filter.

Traffic policers can be defined using packets per second (pps) with the pps-limit and packet-burst statements. The unit of measure for pps-limit is packets per second (pps), and the unit of measure for packet-burst is packets. These pps-based policers are more effective at mitigating low-and-slow types of DDoS attacks.

Policers configured with the if-exceeding-pps statement are applied in the same manner and in the same locations as bandwidth-based policers. Pps-based policers cannot be applied simultaneously with bandwidth-based policers. Only one policer can be applied at a time except for hierarchical policers, which allow the configuration of two policing actions based on traffic classification.
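The following Junos configuration fragment is an added example, not taken from the original page: it defines a pps-based policer with the if-exceeding-pps, pps-limit, and packet-burst statements described above and applies it as a nonterminating action in a firewall filter. The policer and filter names, the interface ge-0/0/0, and the values 1000 pps and 100 packets are constructed for illustration.

```junos
firewall {
    /* Constructed example: policer limited in packets per second, not bandwidth */
    policer pps-policer {
        if-exceeding-pps {
            /* Unit is packets per second (pps) */
            pps-limit 1000;
            /* Unit is packets; allows a short burst above pps-limit */
            packet-burst 100;
        }
        then {
            /* Packets above the limit are dropped; low-and-slow floods never reach the control plane */
            discard;
        }
    }
    family inet {
        filter limit-pps {
            term rate-limit-all {
                then {
                    /* Policer is a nonterminating action, so accept follows it */
                    policer pps-policer;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Same attachment point as a bandwidth-based filter policer */
                filter {
                    input limit-pps;
                }
            }
        }
    }
}
```

A bandwidth-based policer (if-exceeding with bandwidth-limit and burst-size-limit) cannot be attached to the same interface or filter term alongside this one; choose one style per policing point.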