
Packets-Per-Second (pps)-Based Policer Overview

In a modern network environment, both denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are very common. Over time, these attacks have evolved from brute-force attacks, in which the attacker tries to overrun a connection's available bandwidth with a vast amount of directed traffic, to low-and-slow attacks that use smaller packets, sent at a slower rate, to exhaust specific resources and thereby deny service.

Traffic policers, both interface-based and filter-based, have been available to mitigate brute force types of DDoS attacks since Junos OS Release 9.6. These policers operate by limiting the traffic rate through a logical interface or by limiting the traffic rate as the nonterminating action within a firewall filter.

In Junos OS Release 15.1 and earlier releases, two parameters were available for policers: bandwidth and burst-size. The unit of measure for the bandwidth parameter is bits per second (bps), and the unit of measure for the burst-size parameter is bytes (B). See Policer Bandwidth and Burst-Size Limits for details. Because a low-and-slow attack consumes little bandwidth, policers defined with only these parameters are not effective at stopping it.

Starting in Junos OS Release 16.1, traffic policers can also be defined in packets per second (pps) using the pps-limit and packet-burst statements. The unit of measure for pps-limit is packets per second (pps), and the unit of measure for packet-burst is packets. Because they count packets rather than bytes, these pps-based policers are more effective at mitigating low-and-slow DDoS attacks.

Policers configured with the if-exceeding-pps statement are applied in the same manner and in the same locations as bandwidth-based policers. Pps-based policers cannot be applied simultaneously with bandwidth-based policers. Only one policer can be applied at a time except for hierarchical policers, which allow the configuration of two policing actions based on traffic classification.
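The following configuration is an added example, not taken from this page or from any Juniper sample; it shows a pps-based policer defined with the if-exceeding-pps, pps-limit and packet-burst statements described above and applied as the nonterminating action of a firewall filter on a logical interface. The policer name (pps-guard), filter name (small-packet-guard), interface (ge-0/0/0), the UDP match condition and the numeric limits are all constructed for illustration and should be replaced with values suited to your own traffic profile.

```junos
/* Added example (not from the original page). Names, interface and limits are constructed. */
firewall {
    policer pps-guard {
        if-exceeding-pps {
            pps-limit 10000;     /* sustained rate, in packets per second (Junos OS 16.1 and later) */
            packet-burst 1000;   /* burst allowance, in packets */
        }
        then discard;            /* packets above the limit are dropped */
    }
    family inet {
        filter small-packet-guard {
            term rate-limit-udp {
                from {
                    protocol udp;      /* constructed match: police only UDP in this example */
                }
                then {
                    policer pps-guard; /* nonterminating action: police, then continue to accept */
                    accept;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input small-packet-guard;
                }
            }
        }
    }
}
```

The same policer could instead be applied directly to the logical interface with the policer input statement under family inet; in either placement it must not be combined with a bandwidth-based policer at the same point, since the two policer types cannot be applied simultaneously. Choosing pps-limit requires knowing the legitimate packet rate of the interface, which is best measured from interface statistics over a normal traffic period before the policer is enforced.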