DDoS protection

Overview

The DDoS protection service provides mitigation capabilities in cases of DoS or DDoS attacks. It enables a set of rate limiters at ingress that can be configured to limit different traffic types globally, per IP source address or per IP destination address. It depends on the fast path service and can only be enabled on interfaces managed by the fast path.

Definitions

Traffic types

The DDoS protection can be configured to rate limit the following traffic types:

  • icmp

    • echo: ICMP echo request or reply

  • udp

    • dns: UDP DNS packets

    • quic: UDP QUIC packets

    • raw: all but DNS and QUIC

  • tcp

    • syn: TCP with SYN flag set

    • syn-ack: TCP with SYN+ACK flags set

    • ack: TCP with ACK flag set

    • rst: TCP with RST flag set

Rate limiter types

The DDoS protection supports three rate limiters per traffic type:

  • global: Global rate limit

  • source: Per source IP address rate limit (DoS mitigation)

  • destination: Per destination IP address rate limit (DDoS mitigation)

Trusted addresses list

A list of known and trusted addresses can be configured. No rate limitation will apply to traffic from/to those addresses.

Configuration

This example configures Virtual Service Router so that UDP raw traffic on eth0 doesn’t exceed:

  • 400000 pps system-wide

  • 1500 pps from each unique source address

  • 3000 pps to each unique destination address

Some known DNS servers are set in the trusted addresses list.

vsr running config# / ddos-protection udp raw global 400K source 1500 destination 3K unit pps
vsr running config# / ddos-protection trusted ipv4 8.8.8.8
vsr running config# / ddos-protection trusted ipv4 8.8.4.4
vsr running config# / ddos-protection trusted ipv6 2001:4860:4860::8888
vsr running config# / ddos-protection trusted ipv6 2001:4860:4860::8844
vsr running config# / vrf main interface physical eth0 ddos-protection enabled true

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute ddos-protection
<config xmlns="urn:6wind:vrouter">
  <ddos-protection xmlns="urn:6wind:vrouter/fast-path-ddos">
    <enabled>true</enabled>
    <udp>
      <raw>
        <global>400000</global>
        <source>1500</source>
        <destination>3000</destination>
        <unit>pps</unit>
      </raw>
    </udp>
    <trusted>
      <ipv4>8.8.8.8</ipv4>
      <ipv4>8.8.4.4</ipv4>
      <ipv6>2001:4860:4860::8888</ipv6>
      <ipv6>2001:4860:4860::8844</ipv6>
    </trusted>
  </ddos-protection>
</config>

vsr> show config xml absolute vrf main interface physical eth0
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>eth0</name>
        <ipv4>
          <enabled>true</enabled>
        </ipv4>
        <enabled>true</enabled>
        <ddos-protection>
          <enabled>true</enabled>
        </ddos-protection>
        <port>pci-b0s4</port>
        <ipv6>
          <enabled>true</enabled>
        </ipv6>
      </physical>
    </interface>
  </vrf>
</config>

Limitations

Rate limits can be configured in pps (default) or bps, but all limits of a given traffic type must share the same unit.

Fast path limits configuration

The DDoS protection capabilities can be tuned according to your scalability and memory footprint requirements. This is done through the fast path limits configuration. The DDoS protection limits are available in the fast path limits ddos-protection container.

Number of monitored IP addresses

The maximum number of IP addresses monitored by the DDoS protection feature can be configured through the max-entries parameter. If some IP addresses cannot be monitored because this limit is exceeded, their traffic will not be rate-limited, so max-entries should be sized for the number of distinct source and destination addresses expected under attack.

Hash table slots

To be retrieved efficiently, monitored addresses are stored in a hash table. If the number of entries is increased, the first level of the associated hash table must also be increased. To obtain good performance, the number of hash slots should be greater than or equal to the maximum number of entries.

Configuration

Here is an example of configuration with a custom number of monitored IP addresses and hash table size:

vsr> edit running
vsr running config# / system fast-path limits ddos-protection max-entries 1048576
vsr running config# / system fast-path limits ddos-protection hash-slots 1048576
vsr running config# show config system fast-path limits ddos-protection
ddos-protection
     max-entries 1048576
     hash-slots 1048576
     ..

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute system fast-path limits ddos-protection
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <fast-path xmlns="urn:6wind:vrouter/fast-path">
      <limits>
        <ddos-protection xmlns="urn:6wind:vrouter/fast-path-ddos">
          <max-entries>1048576</max-entries>
          <hash-slots>1048576</hash-slots>
        </ddos-protection>
      </limits>
    </fast-path>
  </system>
</config>
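The following is an added illustration, not code from 6WIND or the Virtual Service Router: a simplified model of the three limiters per traffic type (global, source, destination) and the trusted-address bypass from the Configuration section, together with the max-entries behaviour described under "Number of monitored IP addresses". Limits are in pps and enforced per one-second window; the assumption that the global limiter still applies to addresses that could not get a monitoring entry is the author's, and the sample traffic is constructed.

```python
# Added illustration, not 6WIND code: a simplified model of the per-traffic-type limiters
# (global / source / destination), the trusted address bypass and the max-entries cap.
# Limits are in pps and enforced per one-second window; the real fast path is not shown.
from collections import defaultdict
from ipaddress import ip_address


class DdosLimiterModel:
    def __init__(self, global_pps, source_pps, destination_pps, trusted=(), max_entries=4):
        self.limits = {"global": global_pps, "source": source_pps, "destination": destination_pps}
        self.trusted = {ip_address(a) for a in trusted}
        self.max_entries = max_entries      # models fast-path limits ddos-protection max-entries
        self.monitored = set()              # addresses that currently hold an entry
        self.counters = defaultdict(int)    # (limiter, key, second) -> packets counted
        self.stats = defaultdict(int)       # pass / drop / trusted / unmonitored

    def _entry(self, addr):
        """True if addr already has, or can still get, a monitoring entry."""
        if addr in self.monitored:
            return True
        if len(self.monitored) < self.max_entries:
            self.monitored.add(addr)
            return True
        self.stats["unmonitored"] += 1      # table full: this address is not rate limited
        return False

    def _exceeds(self, limiter, key, second):
        self.counters[(limiter, key, second)] += 1
        return self.counters[(limiter, key, second)] > self.limits[limiter]

    def packet(self, src, dst, second=0):
        """Classify one packet of the configured traffic type as 'pass' or 'drop'."""
        src, dst = ip_address(src), ip_address(dst)
        verdict = "pass"
        if src in self.trusted or dst in self.trusted:
            self.stats["trusted"] += 1      # trusted list: no limiter is consulted
        elif self._exceeds("global", None, second):
            verdict = "drop"                # assumption: global applies even to unmonitored addresses
        elif self._entry(src) and self._exceeds("source", src, second):
            verdict = "drop"
        elif self._entry(dst) and self._exceeds("destination", dst, second):
            verdict = "drop"
        self.stats[verdict] += 1
        return verdict


def run_demo():
    """Constructed traffic: global 10 pps, source 3 pps, destination 5 pps, 2 entries."""
    m = DdosLimiterModel(10, 3, 5, trusted=["8.8.8.8"], max_entries=2)
    verdicts = [m.packet("10.0.0.1", "8.8.8.8") for _ in range(20)]     # trusted: all pass
    verdicts += [m.packet("10.0.0.1", "192.0.2.1") for _ in range(4)]   # 4th exceeds source 3 pps
    verdicts += [m.packet("10.0.0.2", "192.0.2.2") for _ in range(7)]   # table full: only global counts
    verdicts += [m.packet("10.0.0.1", "192.0.2.1", second=1)]           # new second: counters reset
    return verdicts, dict(m.stats)
```

With max_entries set to 2, the third pair of addresses never gets an entry and is dropped only once the global budget is spent, which is the situation the max-entries parameter is meant to avoid.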