Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding Forwarding Packets to the Discard Interface

The discard (dsc) interface is a virtual interface that can silently discard forwarded packets as they are received (no ICMP message is sent). It is useful in the case of a denial-of-service (DoS) attacks. Once you know the IP address that is being targeted, you can configure a policy to forward all packets received on that interface to the discard interface, where they will be dropped. Likewise, silently discarding packets that have no valid route in the associated forwarding table can prevent the device from becoming a distributed denial-of-service (DDoS) reflector, in which a spoofed source IP address is used to trigger a flood of ICMP error messages from the device.

The dsc interface can be only be configured on unit 0 of the given physical interface, and only one dsc instance per device is supported.

Configure an input filter if, for example, you want to take an action such as logging the discard to better understand the nature of the attack.

You can configure an input policy to associate a BGP community with the discard interface. To configure an input policy to associate a community with the discard interface:

Configure an output policy to set up the community on the routes injected into the network: