What is DoS protection?

Overview

The NFM-P supports the use of DoS protection on network and access interfaces. To protect NEs from the high incoming packet rates that characterize DoS attacks, you can use the NFM-P to configure DoS protection for the following scenarios:

• the arrival of unprovisioned link-layer protocol packets that are received from CE devices in the core network

• the arrival of excessive subscriber control-plane packets on L2 or L3 access interfaces in aggregation networks

• the arrival of excessive Ethernet CFM frames on L2 and L3 access interfaces, SAPs, and SDP bindings, based on a combination of CFM OpCode and MEG-level values

DoS protection limits the number of packets that are received each second, and optionally logs a violation notification if a policy limit is exceeded. You can use the NE System Security form to view the violations for a specific NE.

DoS protection in the core network

DoS protection in the core network limits the number of link-layer protocol packets that each network interface on an NE accepts for protocols that are not enabled on the interface. The interface drops the excessive packets instead of queueing the packets for processing by the CPU.

You can configure global DoS protection on an NE using the NE System Security form. DoS protection controls the following for unprovisioned link-layer protocols:

• the packet arrival rate per source on each network interface

• the overall packet arrival rate per source on the NE

• whether an NE sends a notification trap if a policy limit is exceeded

An NE that supports DoS protection automatically applies default DoS protection parameters to each network and access interface. These defaults limit only the overall packet arrival rate and apply to all of the interfaces on the NE.

DoS protection policies in aggregation networks

In a subscriber aggregation network, an NE typically receives few control-plane packets from a specific subscriber. If one or more subscribers generate excessive control-plane traffic, DoS protection policies can help to ensure that NEs do not become overburdened by these unwanted packets.

You can configure DoS protection policies to control the following on network interfaces, VPLS L2 access interfaces, and IES and VPRN L3 access interfaces:

• the control-plane packet arrival rate per subscriber host

• the overall control-plane packet arrival rate for the interface

• whether an NE sends a notification trap if a policy limit is exceeded

An NE that supports DoS protection automatically assigns a default DoS protection policy to each network and access interface. This default policy limits only the overall packet arrival rate for the interface, and cannot be deleted or modified.

See How do I configure an NE DoS protection policy? for information about creating or modifying a DoS protection policy and assigning the policy to one or more NEs, and the NSP NFM-P User Guide for information about applying a policy to service interfaces.