3.2.25. ddos-protection¶

Note

requires a DDoS protection License.

Global DDoS protection configuration.

vsr running config# ddos-protection

enabled¶

Enable/Disable DDoS protection feature.

vsr running config# ddos-protection
vsr running ddos-protection# enabled true|false

Default value: true

tcp¶

Thresholds limiting TCP packets.

vsr running config# ddos-protection tcp

syn¶

Thresholds limiting TCP SYN packets.

vsr running config# ddos-protection tcp
vsr running tcp# syn global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

syn-ack¶

Thresholds limiting TCP SYN-ACK packets.

vsr running config# ddos-protection tcp
vsr running tcp# syn-ack global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

ack¶

Thresholds limiting TCP ACK packets.

vsr running config# ddos-protection tcp
vsr running tcp# ack global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

rst¶

Thresholds limiting TCP RST packets.

vsr running config# ddos-protection tcp
vsr running tcp# rst global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

udp¶

Thresholds limiting UDP packets.

vsr running config# ddos-protection udp

dns¶

Thresholds limiting UDP DNS packets.

vsr running config# ddos-protection udp
vsr running udp# dns global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

quic¶

Thresholds limiting UDP QUIC packets.

vsr running config# ddos-protection udp
vsr running udp# quic global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

raw¶

Thresholds limiting UDP RAW (i.e. neither DNS or QUIC) packets.

vsr running config# ddos-protection udp
vsr running udp# raw global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

icmp¶

Thresholds limiting ICMP packets.

vsr running config# ddos-protection icmp

echo¶

Thresholds limiting ICMP ECHO packets.

vsr running config# ddos-protection icmp
vsr running icmp# echo global GLOBAL source SOURCE destination DESTINATION \
... unit UNIT

global¶

System global threshold.

global GLOBAL

GLOBAL

Rate in pps/bps. K/M/G/T multipliers are supported.

source¶

Per source IP address threshold.

source SOURCE

SOURCE

Rate in pps/bps. K/M/G/T multipliers are supported.

destination¶

Per destination IP address threshold.

destination DESTINATION

DESTINATION

Rate in pps/bps. K/M/G/T multipliers are supported.

unit¶

Thresholds unit.

unit UNIT

`UNIT` values	Description
`pps`	Thresholds are expressed in packets per second.
`bps`	Thresholds are expressed in bits per second.

Default value: pps

trusted¶

Trusted IP addresses.

vsr running config# ddos-protection trusted

ipv4¶

Trusted IPv4 address.

vsr running config# ddos-protection trusted
vsr running trusted# ipv4 IPV4

IPV4

An IPv4 address which is not multicast (224.0.0.0 to 239.255.255.255 are rejected).

ipv6¶

Trusted IPv6 address.

vsr running config# ddos-protection trusted
vsr running trusted# ipv6 IPV6

IPV6

An IPv6 address which is not multicast (the range of ff00::/8 is rejected).