DDoS protection

Overview
The DDoS protection service provides mitigation capabilities in cases of DoS or DDoS attacks. It enables a set of rate limiters at ingress that can be configured to limit different traffic types globally, per IP source address or per IP destination address. It depends on the fast path service and can only be enabled on interfaces managed by the fast path.
Definitions

Traffic types

The DDoS protection can be configured to rate limit the following traffic types:

icmp
    echo: ICMP echo request or reply
udp
    dns: UDP DNS packets
    quic: UDP QUIC packets
    raw: all UDP traffic other than DNS and QUIC
tcp
    syn: TCP with SYN flag set
    syn-ack: TCP with SYN+ACK flags set
    ack: TCP with ACK flag set
    rst: TCP with RST flag set
Rate limiter types

The DDoS protection supports three rate limiters per traffic type:

    global: global rate limit
    source: per source IP address rate limit (DoS mitigation)
    destination: per destination IP address rate limit (DDoS mitigation)
Trusted addresses list

A list of known and trusted addresses can be configured. No rate limit applies to traffic from or to those addresses.
Configuration

This example configures Virtual Service Router so that UDP raw traffic on eth0 doesn't exceed:

    400000 pps system-wide
    1500 pps from each unique source address
    3000 pps to each unique destination address

Some known DNS servers are set in the trusted addresses list.
vsr running config# / ddos-protection udp raw global 400K source 1500 destination 3K unit pps
vsr running config# / ddos-protection trusted ipv4 8.8.8.8
vsr running config# / ddos-protection trusted ipv4 8.8.4.4
vsr running config# / ddos-protection trusted ipv6 2001:4860:4860::8888
vsr running config# / ddos-protection trusted ipv6 2001:4860:4860::8844
vsr running config# / vrf main interface physical eth0 ddos-protection enabled true
The same configuration can be made using this NETCONF XML configuration:
vsr> show config xml absolute ddos-protection
<config xmlns="urn:6wind:vrouter">
  <ddos-protection xmlns="urn:6wind:vrouter/fast-path-ddos">
    <enabled>true</enabled>
    <udp>
      <raw>
        <global>400000</global>
        <source>1500</source>
        <destination>3000</destination>
        <unit>pps</unit>
      </raw>
    </udp>
    <trusted>
      <ipv4>8.8.8.8</ipv4>
      <ipv4>8.8.4.4</ipv4>
      <ipv6>2001:4860:4860::8888</ipv6>
      <ipv6>2001:4860:4860::8844</ipv6>
    </trusted>
  </ddos-protection>
</config>
vsr> show config xml absolute vrf main interface physical eth0
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        <ipv4>
          <enabled>true</enabled>
        </ipv4>
        <enabled>true</enabled>
        <ddos-protection>
          <enabled>true</enabled>
        </ddos-protection>
        <port>pci-b0s4</port>
        <ipv6>
          <enabled>true</enabled>
        </ipv6>
      </physical>
    </interface>
  </vrf>
</config>
Limitations

Rate limits can be configured in pps (the default) or bps, but all limits of a given traffic type must share the same unit.
Fast path limits configuration

The DDoS protection capabilities can be tuned according to your scalability and memory footprint requirements. This is done through the fast path limits configuration: the DDoS protection limits live in the system fast-path limits ddos-protection container.

Number of monitored IP addresses

The maximum number of IP addresses monitored by the DDoS protection feature is configured with the max-entries parameter. If some IP addresses cannot be monitored because this limit is exceeded, their traffic is not rate-limited.

Hash table slots

To be retrieved efficiently, monitored addresses are stored in a hash table. If the number of entries is increased, the first level of the associated hash table (the number of slots) must also be increased. For good performance, the number of hash slots should be greater than or equal to the maximum number of entries.
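The three limiters defined under "Rate limiter types", the trusted addresses list and the max-entries fallback described just above, worked through as an added Python model. This is an illustration written for this page, not 6WIND code: it counts packets per second over a fixed one-second window, applies the checks in the order per-source, per-destination, global (the order is an assumption; the product does not document it), and replays constructed traffic against the udp raw limits used in the configuration example.

```python
# Model of the three rate limiters described above (added illustration, not
# 6WIND code). One instance covers one traffic type, e.g. "udp raw". The
# fixed one-second window, the check order and all traffic are assumptions.
from dataclasses import dataclass, field


class PpsCounter:
    """Packets-per-second limit counted over a fixed one-second window."""

    def __init__(self, limit: int):
        self.limit = limit
        self.window = None  # integer second currently being counted
        self.count = 0

    def allow(self, now: float) -> bool:
        window = int(now)
        if window != self.window:  # a new second starts: reset the count
            self.window, self.count = window, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


@dataclass
class TrafficTypeLimiter:
    global_pps: int
    source_pps: int
    destination_pps: int
    max_entries: int         # cap on monitored source + destination addresses
    trusted: frozenset       # trusted addresses list: never rate limited
    global_counter: PpsCounter = field(init=False)
    sources: dict = field(default_factory=dict)
    destinations: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {
        "pass": 0, "trusted": 0, "source": 0, "destination": 0,
        "global": 0, "unmonitored": 0})

    def __post_init__(self):
        self.global_counter = PpsCounter(self.global_pps)

    def monitored_entries(self) -> int:
        return len(self.sources) + len(self.destinations)

    def _counter(self, table: dict, addr: str, limit: int):
        """Counter for addr, or None when the address cannot be monitored."""
        counter = table.get(addr)
        if counter is None:
            if self.monitored_entries() >= self.max_entries:
                # Table full: the page says such traffic is not rate-limited.
                self.stats["unmonitored"] += 1
                return None
            counter = table[addr] = PpsCounter(limit)
        return counter

    def accept(self, src: str, dst: str, now: float) -> bool:
        """Decide one packet of this traffic type; True means forwarded."""
        if src in self.trusted or dst in self.trusted:
            self.stats["trusted"] += 1
            return True
        # Assumed order: per-source, then per-destination, then global.
        src_counter = self._counter(self.sources, src, self.source_pps)
        if src_counter is not None and not src_counter.allow(now):
            self.stats["source"] += 1
            return False
        dst_counter = self._counter(self.destinations, dst, self.destination_pps)
        if dst_counter is not None and not dst_counter.allow(now):
            self.stats["destination"] += 1
            return False
        if not self.global_counter.allow(now):
            self.stats["global"] += 1
            return False
        self.stats["pass"] += 1
        return True


def run_demo() -> dict:
    """Replay constructed traffic against the page's udp raw limits."""
    lim = TrafficTypeLimiter(global_pps=400_000, source_pps=1500,
                             destination_pps=3000, max_entries=4096,
                             trusted=frozenset({"8.8.8.8", "8.8.4.4"}))
    # 1) one source floods one destination: per-source limit (DoS case)
    for i in range(5000):
        lim.accept("10.0.0.1", "192.0.2.10", i / 5000)
    # 2) 4000 distinct sources hit one destination: per-destination (DDoS case)
    for i in range(4000):
        lim.accept(f"10.1.{i // 256}.{i % 256}", "192.0.2.20", i / 4000)
    # 3) a trusted DNS server's traffic is never counted
    for i in range(5000):
        lim.accept("8.8.8.8", "192.0.2.10", i / 5000)
    # 4) the table fills up: later new sources pass unmonitored
    for i in range(200):
        lim.accept(f"10.2.0.{i}", "192.0.2.30", i / 200)
    return {"stats": lim.stats, "entries": lim.monitored_entries()}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the page's three behaviours side by side: the single-source flood is cut to 1500 pps by the source limiter, the many-source flood is cut to 3000 pps by the destination limiter, the trusted server is never counted, and once the 4096-entry table is full the remaining new sources are forwarded unmonitored. That last case is why max-entries must be sized for the number of distinct addresses you expect to see during an attack, not during normal traffic.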
Configuration

Here is an example of configuration with a custom number of monitored IP addresses and hash table size:
vsr> edit running
vsr running config# / system fast-path limits ddos-protection max-entries 1048576
vsr running config# / system fast-path limits ddos-protection hash-slots 1048576
vsr running config# show config system fast-path limits ddos-protection
ddos-protection
    max-entries 1048576
    hash-slots 1048576
    ..
The same configuration can be made using this NETCONF XML configuration:
vsr> show config xml absolute system fast-path limits ddos-protection
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <fast-path xmlns="urn:6wind:vrouter/fast-path">
      <limits>
        <ddos-protection xmlns="urn:6wind:vrouter/fast-path-ddos">
          <max-entries>1048576</max-entries>
          <hash-slots>1048576</hash-slots>
        </ddos-protection>
      </limits>
    </fast-path>
  </system>
</config>
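The NETCONF XML documents on this page are easy to mis-parse because each subtree switches to its own namespace. The following added Python example (written for this page, not part of the 6WIND product or documentation) parses the three documents with those namespaces, summarizes the configured limiters, trusted addresses and protected interfaces, and applies the sizing rule from the hash table slots section. The XML strings are copied from the page; the function names and the wording of the findings are assumptions.

```python
# Audit helpers for the NETCONF XML shown on this page (added example, not
# 6WIND code). The XML strings are copied from the page; function names
# and the findings format are assumptions made here.
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the page's XML.
NS = {
    "vr": "urn:6wind:vrouter",
    "sys": "urn:6wind:vrouter/system",
    "fp": "urn:6wind:vrouter/fast-path",
    "ddos": "urn:6wind:vrouter/fast-path-ddos",
    "if": "urn:6wind:vrouter/interface",
}

DDOS_XML = """<config xmlns="urn:6wind:vrouter">
<ddos-protection xmlns="urn:6wind:vrouter/fast-path-ddos"><enabled>true</enabled>
<udp><raw><global>400000</global><source>1500</source><destination>3000</destination>
<unit>pps</unit></raw></udp>
<trusted><ipv4>8.8.8.8</ipv4><ipv4>8.8.4.4</ipv4><ipv6>2001:4860:4860::8888</ipv6>
<ipv6>2001:4860:4860::8844</ipv6></trusted></ddos-protection></config>"""

IFACE_XML = """<config xmlns="urn:6wind:vrouter"><vrf><name>main</name>
<interface xmlns="urn:6wind:vrouter/interface"><physical><name>eth0</name>
<ipv4><enabled>true</enabled></ipv4><enabled>true</enabled>
<ddos-protection><enabled>true</enabled></ddos-protection><port>pci-b0s4</port>
<ipv6><enabled>true</enabled></ipv6></physical></interface></vrf></config>"""

LIMITS_XML = """<config xmlns="urn:6wind:vrouter"><system xmlns="urn:6wind:vrouter/system">
<fast-path xmlns="urn:6wind:vrouter/fast-path"><limits>
<ddos-protection xmlns="urn:6wind:vrouter/fast-path-ddos">
<max-entries>1048576</max-entries><hash-slots>1048576</hash-slots>
</ddos-protection></limits></fast-path></system></config>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def rate_limits(xml_text: str) -> dict:
    """Map 'proto type' (e.g. 'udp raw') to its global/source/destination/unit."""
    ddos = ET.fromstring(xml_text).find("ddos:ddos-protection", NS)
    out = {}
    for proto in ("icmp", "udp", "tcp"):
        pnode = ddos.find(f"ddos:{proto}", NS)
        for sub in (pnode if pnode is not None else []):
            leaves = {_local(leaf.tag): leaf.text for leaf in sub}
            limits = {k: v if k == "unit" else int(v) for k, v in leaves.items()}
            limits.setdefault("unit", "pps")  # page: pps is the default unit
            out[f"{proto} {_local(sub.tag)}"] = limits
    return out


def trusted_addresses(xml_text: str) -> list:
    """Trusted IPv4 and IPv6 addresses in document order."""
    ddos = ET.fromstring(xml_text).find("ddos:ddos-protection", NS)
    return [node.text for node in ddos.findall("ddos:trusted/*", NS)]


def fast_path_limits(xml_text: str) -> dict:
    """max-entries and hash-slots from the fast-path limits document."""
    node = ET.fromstring(xml_text).find(
        "sys:system/fp:fast-path/fp:limits/ddos:ddos-protection", NS)
    return {_local(child.tag): int(child.text) for child in node}


def protected_interfaces(xml_text: str) -> list:
    """'vrf/interface' names whose physical interface has ddos-protection enabled."""
    out = []
    for vrf in ET.fromstring(xml_text).findall("vr:vrf", NS):
        vrf_name = vrf.findtext("vr:name", namespaces=NS)
        for phys in vrf.findall("if:interface/if:physical", NS):
            flag = phys.findtext("if:ddos-protection/if:enabled",
                                 default="false", namespaces=NS)
            if flag == "true":
                out.append(f"{vrf_name}/{phys.findtext('if:name', namespaces=NS)}")
    return out


def audit(limits: dict) -> list:
    """Findings against the sizing rule stated above: hash-slots >= max-entries."""
    slots, entries = limits.get("hash-slots", 0), limits.get("max-entries", 0)
    if slots < entries:
        return [f"hash-slots {slots} is below max-entries {entries}: "
                "raise hash-slots to at least max-entries"]
    return []


if __name__ == "__main__":
    print(rate_limits(DDOS_XML), trusted_addresses(DDOS_XML))
    print(protected_interfaces(IFACE_XML), fast_path_limits(LIMITS_XML))
    print(audit(fast_path_limits(LIMITS_XML)) or "limits OK")
```

The same functions work on the output of "show config xml absolute ..." from a live system, which makes it straightforward to check, after an upgrade or a configuration change, that the hash table was grown together with max-entries and that every fast path interface you expect to be protected still has ddos-protection enabled.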