Understanding Forwarding Packets to the Discard Interface
The discard (dsc) interface is a virtual interface that can silently discard forwarded packets as they are received (no ICMP message is sent). It is useful in the case of a denial-of-service
(DoS) attacks. Once you know the IP address that is being targeted, you can configure a policy to forward all packets received on that interface to the discard interface, where they will be dropped.
Likewise, silently discarding packets that have no valid route in the associated forwarding table can prevent the device from becoming a distributed denial-of-service (DDoS) reflector, in which
a spoofed source IP address is used to trigger a flood of ICMP error messages from the device.
The dsc interface can be only be configured on unit 0 of the given physical interface, and only one dsc instance per device is supported.
Configure an input filter if, for example, you want to take an action such as logging the discard to better understand the nature of the attack.
[edit interfaces interface-name]
dsc {
unit 0 {
family inet {
filter {
output filter-name;
}
}
}
}
You can configure an input policy to associate a BGP community with the discard interface. To configure an input policy to associate a community with the discard interface:
[edit]
policy-options {
community community-name members [ community-id ];
policy-statement statement-name {
term term-name {
from community community-name;
then {
next-hop address; # Remote end of the point-to-point interface
accept;
}
}
}
}
Configure an output policy to set up the community on the routes injected into the network:
[edit]
policy-options {
policy-statement statement-name {
term term-name {
from prefix-list name;
then community (set | add | delete) community-name;
}
}
}