What is DDoS protection?

Overview

DDoS protection extends DoS protection by controlling traffic destined for IOM or CPM CPUs on a per-SAP, per-protocol basis. A DDoS protection policy isolates protocols from each other and, at the same time, isolates subscribers so that attacks or misconfigurations affect only the source SAP or protocol.

Policers enforce the rate limiting. The rate is configurable in packets per second or in kb/s, and a configurable burst tolerance allows the extra full-handshake attempts that some protocols require before the limit applies.

When a policer determines that a packet is non-conformant, it either discards the packet or marks it as low-priority. Low-priority traffic is more likely to be discarded at a downstream queueing point if the protocol is congested. Marking rather than discarding is useful for routing protocols, where an operator may need to offer all packets to the CPU and discard packets only if the CPU cannot keep up. A policer can be mapped to one or more traffic protocols.
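The following is an added illustration, not code from the NFM-P or the NE: a token-bucket policer, keyed per SAP and per protocol, that rate-limits in packets per second with a burst tolerance and either discards non-conformant packets or marks them low-priority. The SAP names, protocol names, rates and the packet stream are constructed for the example; only the pps form of the limit is modelled, not kb/s.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Policer:
    """Token-bucket policer: rate in packets per second, burst tolerance in packets.

    Tokens refill continuously at rate_pps and are capped at burst, so a short
    burst of up to `burst` packets (e.g. extra handshake attempts) conforms even
    if it momentarily exceeds the rate.
    """
    rate_pps: float
    burst: int
    action: str = "discard"                 # "discard" or "mark" (low-priority)
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def offer(self, ts: float) -> str:
        """Return "conform", "discard" or "low-priority" for a packet seen at time ts."""
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_pps)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "conform"
        # Non-conformant: drop it, or let it through marked low-priority so a
        # downstream queueing point discards it only under congestion.
        return "discard" if self.action == "discard" else "low-priority"


class DdosPolicy:
    """Per-SAP, per-protocol policer table (constructed model, not the NE's API).

    One Policer instance exists per (sap, protocol), so a flood on one SAP or
    protocol cannot consume the tokens of another.
    """

    def __init__(self, templates: Dict[str, Tuple[float, int, str]]):
        self.templates = templates          # protocol -> (rate_pps, burst, action)
        self.policers: Dict[Tuple[str, str], Policer] = {}

    def classify(self, sap: str, protocol: str, ts: float) -> str:
        if protocol not in self.templates:
            return "unpoliced"
        key = (sap, protocol)
        if key not in self.policers:
            rate, burst, action = self.templates[protocol]
            self.policers[key] = Policer(rate, burst, action)
        return self.policers[key].offer(ts)


def run_sample() -> Dict[str, Dict[str, int]]:
    """Constructed traffic: SAP 1/1/1 floods ARP while SAP 1/1/2 sends a normal
    ARP trickle plus a burst of OSPF. Returns per-SAP verdict counts."""
    policy = DdosPolicy({
        "arp":  (10.0, 5, "discard"),   # 10 pps, burst 5, drop the excess
        "ospf": (5.0, 3, "mark"),       # 5 pps, burst 3, excess reaches the CPU low-priority
    })
    # constructed packets: (timestamp in seconds, sap, protocol)
    packets = [(i * 0.001, "1/1/1", "arp") for i in range(100)]    # 100 ARP in 0.1 s
    packets += [(i * 0.5, "1/1/2", "arp") for i in range(4)]        # 2 pps ARP
    packets += [(i * 0.01, "1/1/2", "ospf") for i in range(10)]     # 10 OSPF in 0.1 s

    counts: Dict[str, Dict[str, int]] = {}
    for ts, sap, proto in sorted(packets):
        verdict = policy.classify(sap, proto, ts)
        counts.setdefault(sap, {}).setdefault(verdict, 0)
        counts[sap][verdict] += 1
    return counts


if __name__ == "__main__":
    for sap, verdicts in run_sample().items():
        print(sap, verdicts)
```

The flood on SAP 1/1/1 is cut to its burst tolerance plus the configured rate, while SAP 1/1/2's ARP is untouched and its OSPF excess is marked rather than dropped, which is the isolation the policy is meant to provide.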

The following types of policer can be configured in a DDoS protection policy:

A DDoS protection policy can be applied to a capture SAP or to an MSAP. A DDoS protection policy that is assigned to a capture SAP typically has higher traffic rate limiting values than a policy that is assigned to an MSAP.

There are two types of DDoS protection policies: port-type and access-interface type.

A default port-type policy does not initially reside in the NFM-P; it is collected from a supporting NE during discovery synchronization. The port-type policy applies only to select port-based protocols, and is applied automatically to all ports when the policy is distributed to an NE that supports the port-type policy.

An access-interface type DDoS protection policy can be applied to the following objects:

See How do I configure an NE DDoS protection policy? for information about creating or modifying an NE DDoS protection policy and assigning the policy to one or more NEs.

DDoS alarm handling

To prevent raising multiple DDoS alarms against one affected object, the NFM-P raises one DDoS alarm per object, and updates the alarm as the object generates new DDoS events.

An operator can therefore view dynamically updated alarm information without an excessive number of individual DDoS alarm messages being generated. Figure 10-1, Static policer alarm message sequence, shows the alarm message sequence for a static policer. Figure 10-2, Local monitoring policer alarm message sequence, shows the sequence for a local monitoring policer. Figure 10-3, Dynamic policer alarm message sequence, shows the sequence for a dynamic policer. In each sequence, the alarm clears when the policer returns to the Conform state.

Figure 10-1: Static policer alarm message sequence

Figure 10-2: Local monitoring policer alarm message sequence

Figure 10-3: Dynamic policer alarm message sequence
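The one-alarm-per-object behaviour described above, as an added example that is not NFM-P code: an alarm handler that raises a single alarm the first time an object's policer reports a non-conforming state, folds subsequent events into that alarm as updates, and clears it when the policer returns to Conform. The object names, the event stream and the state name "exceed" are constructed for the illustration; the NE's actual event names are not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Alarm:
    obj: str                       # affected object, e.g. a SAP/protocol policer
    state: str                     # last reported policer state; "cleared" after Conform
    events: int = 1                # number of DDoS events folded into this alarm
    first_ts: float = 0.0
    last_ts: float = 0.0
    history: List[str] = field(default_factory=list)


class DdosAlarmHandler:
    """Constructed model of the alarm handling: one alarm per affected object.

    A new event for an object with a raised alarm updates that alarm instead of
    raising another one; a Conform event clears it. Anything a second Conform
    for an already-cleared alarm would do is suppressed.
    """

    def __init__(self) -> None:
        self.alarms: Dict[str, Alarm] = {}
        self.log: List[str] = []   # the messages an operator would see, in order

    def on_event(self, ts: float, obj: str, state: str) -> None:
        alarm = self.alarms.get(obj)
        if state == "conform":
            if alarm is not None and alarm.state != "cleared":
                alarm.state = "cleared"
                alarm.last_ts = ts
                self.log.append(f"CLEAR {obj}")
            return                          # conform with no raised alarm: nothing to do
        if alarm is None or alarm.state == "cleared":
            # first non-conforming event for this object (or first after a clear)
            self.alarms[obj] = Alarm(obj, state, 1, ts, ts, [state])
            self.log.append(f"RAISE {obj} {state}")
        else:
            # further events on the same object update the existing alarm
            alarm.events += 1
            alarm.last_ts = ts
            alarm.state = state
            alarm.history.append(state)
            self.log.append(f"UPDATE {obj} {state} (events={alarm.events})")


def run_sample() -> DdosAlarmHandler:
    """Feed a constructed event stream for two policers through the handler."""
    h = DdosAlarmHandler()
    # constructed events: (timestamp, affected object, reported policer state)
    events = [
        (1.0, "sap 1/1/1 policer arp", "exceed"),
        (2.0, "sap 1/1/1 policer arp", "exceed"),
        (2.5, "sap 1/1/2 policer dhcp", "exceed"),
        (3.0, "sap 1/1/1 policer arp", "exceed"),
        (4.0, "sap 1/1/1 policer arp", "conform"),
        (4.5, "sap 1/1/2 policer dhcp", "conform"),
        (5.0, "sap 1/1/1 policer arp", "conform"),   # repeated Conform: no second clear
    ]
    for ts, obj, state in events:
        h.on_event(ts, obj, state)
    return h


if __name__ == "__main__":
    for line in run_sample().log:
        print(line)
```

Three exceed events on the ARP policer produce one RAISE and two UPDATEs rather than three alarms, and each object's alarm is cleared exactly once when its policer returns to Conform.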