0% found this document useful (0 votes)

190 views

Ddos Secure Cli User Guide

Uploaded by

Tạ Phương

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

190 views

Ddos Secure Cli User Guide

Uploaded by

Tạ Phương

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 372

DDoS Secure

CLI User Guide

Release

5.14.2-0

Published: 2014-10-30

Copyright 2014, Juniper Networks, Inc.

Juniper Networks, Inc.

1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright 2014, Juniper Networks, Inc.
Copyright Webscreen Technology 2001-2013
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

DDoS Secure CLI User Manual

Copyright 2014, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.

Copyright 2014, Juniper Networks, Inc.

Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

Part 1

CLI Overview

Chapter 1

Command-Line Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Introducing the DDoS Secure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Connecting to a DDoS Appliance Using a Serial Port Connection . . . . . . . . . . . . . . 4
Connecting to a DDoS Appliance Using an SSH Connection . . . . . . . . . . . . . . . . . . 4
Connecting to a DDoS Appliance Using a System Console Connection . . . . . . . . . 5
Starting a CLI Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Navigating Through the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Changing the Configuration Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Part 2

Configuration Commands

Chapter 2

Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Access Control Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
show access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
set access https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
set access https_juniper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
set access ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
set access ssh_juniper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
set access snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 3

Appliance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Appliance Mode Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
show appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
set appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 4

Bandwidth and Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Bandwidth and Port Filter Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . 27
show filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
remove filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
set filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Copyright 2014, Juniper Networks, Inc.

iii

DDoS Secure CLI User Guide

Chapter 5

BGP Flow Spec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

BGP Flow Spec Definitions Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . 35
show bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
set bgp peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
set bgp flowspec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
remove bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Chapter 6

Block Country and IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Block Country and IP Address Configuration Overview . . . . . . . . . . . . . . . . . . . . . . 41
show block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
set block country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
set block cignoreip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
set block ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
set block as . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 7

Country Code Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Country Code (geoip) Definitions Configuration Overview . . . . . . . . . . . . . . . . . . . 47
show geoip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
remove geoip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
set geoip ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
set geoip url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
set geoip megaproxy_ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
set geoip megaproxy_url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
set geoip auto_akamai . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Chapter 8

CHARM Tunables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
CHARM Tunables Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
show tuneable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
remove tuneable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
set tuneable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Chapter 9

Chassis Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chassis Definitions Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
show chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
set chassis vip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
set chassis blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
set chassis bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
set chassis reroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chapter 10

Disable RFC Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Disable RFC Testing Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
show disabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
set disabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Chapter 11

Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Date and Time Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
set clock timenow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
set clock timezone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
set clock ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
show timezones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Copyright 2014, Juniper Networks, Inc.

Table of Contents

Chapter 12

Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Debug Options Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
show debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
set debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Chapter 13

External Authenticators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
External Authenticators Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 84
show auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
set auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Chapter 14

Filter Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Filter Aggregation Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
show fagg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
remove fagg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
set fagg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Chapter 15

Layer 7 Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Layer 7 Inspection Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
show inspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
remove inspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
set inspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Chapter 16

Logging Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Logging Thresholds Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
show threshold view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
show threshold create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
show threshold offenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
show threshold alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
set threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
show incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
set incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Chapter 17

MAC Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

MAC Gateway Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
show gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
remove gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
set gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Chapter 18

Mail Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Mail Reporting Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
show mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
set mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Chapter 19

Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Network Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
show interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
set interface management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
set interface datashare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
set interface protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
set interface internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
set interface global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set interface ipmi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

show dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
set dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
remove route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
show route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
set route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Chapter 20

NetFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
NetFlow Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
show netflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set netflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Chapter 21

Preferred Clients and Whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Preferred Clients and Whitelisting Configuration Overview . . . . . . . . . . . . . . . . . . 141
show preferred . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
set preferred clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
set preferred countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
set preferred whitelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
set preferred whitenolog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
set preferred default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Chapter 22

Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Portals Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
remove portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
set portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Chapter 23

Portal Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Portal Operational Mode Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . 155
show operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
set operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Chapter 24

Portal Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Portal Defense Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
show portaldefense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
set portaldefense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Chapter 25

Protected IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Protected IP Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
show protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
remove protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
set protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Chapter 26

Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Proxy Server Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
show proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
set proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Chapter 27

Pseudol3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Pseudol3 Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
show pseudol3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
set pseudol3 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Copyright 2014, Juniper Networks, Inc.

Table of Contents

set pseudol3 network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

set pseudol3 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
remove pseudol3 all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
remove pseudol3 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
remove pseudol3 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Chapter 28

Remote Alerts, Reports, and Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Remote Alerts, Reports, and Logging Configuration Overview . . . . . . . . . . . . . . . 185

Chapter 29

Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Shares Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
show share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
remove share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
set share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Chapter 30

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
SNMP Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
show snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
set snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Chapter 31

Structured Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Structured Syslog Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
show structured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
set structured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Chapter 32

Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Syslog Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
show syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
set syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Chapter 33

TCP State Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

TCP State Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
show timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
set timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Chapter 34

SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
show decryptkeys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
set decryptkeys default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
set decryptkeys specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
remove decryptkeys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Chapter 35

Traffic Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Traffic Interception Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
show wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
set wrapper blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
set wrapper reverse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
set wrapper unwrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Copyright 2014, Juniper Networks, Inc.

vii

DDoS Secure CLI User Guide

Chapter 36

Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Usage Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
show usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
set usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Chapter 37

User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

User Management Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
show user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
remove user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
set user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Chapter 38

System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

system restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
system restart_clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
system shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
system powerdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
system factoryreset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
system config_reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
system clear_custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
system check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
system helpdesk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Chapter 39

Settings for Command-Line Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Terminal Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
show terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
set terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Chapter 40

Statistics and Informational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

stats view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Chapter 41

BGP Trigger Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

DDoS Secure BGP Trigger Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
DDoS Secure Appliance BGP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Peering Router Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Rerouting Trigger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Force Specific Rerouting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Chapter 42

Understanding Blocked Country Response Configuration . . . . . . . . . . . . . 257

Understanding BlackListed Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Content Presentation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Filenaming Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Standard File Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Understanding Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
DDoS Secure Appliance Engine Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Testing the Country Codes for IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Bypassing Country Block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

viii

Copyright 2014, Juniper Networks, Inc.

Table of Contents

Part 3

Appendix

Appendix A

Parameter Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Variable Value Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Appendix B

Structured Syslog Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Structured Syslog Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Event Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
LEEF Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Arcsight Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
General Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Incident Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Worst Offender Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Temporary Black-List Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Permanent Black-List/White-List Messages . . . . . . . . . . . . . . . . . . . . . . . . . 297

Appendix C

DDoS Secure Appliance TCP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Understanding TCP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Appendix D

ICMP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Understanding ICMP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Appendix E

Incident (Attack) Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Understanding Index Attack Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Appendix F

Letter Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

DDoS Secure Appliance Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Appendix G

Panel and Connector Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

DDoS Secure Appliance Panel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
DDoS Secure-1200-Fail-Safe Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Appendix H

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Troubleshooting a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Appendix I

GUI Branding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Customizing the DDoS Secure Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Images/CSS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Updating Customized Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Removing Customized Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Part 4

Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

List of Figures
Part 3

Appendix

Appendix G

Panel and Connector Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Figure 1: DDoS Secure-1200-Fail-Safe Front Panel . . . . . . . . . . . . . . . . . . . . . . . 333
Figure 2: DDoS Secure-1200-Fail-Safe Back Panel . . . . . . . . . . . . . . . . . . . . . . . 333

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

xii

Copyright 2014, Juniper Networks, Inc.

List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Part 1

CLI Overview

Chapter 1

Command-Line Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Basic CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Part 2

Configuration Commands

Chapter 3

Appliance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 4: Appliance Mode Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 4

Bandwidth and Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Table 5: Filter Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 5

BGP Flow Spec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Table 6: BGP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 7: remove bgp Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Chapter 6

Block Country and IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Table 8: Block Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 7

Country Code Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Table 9: Geoip Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Chapter 8

CHARM Tunables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 10: Tunable Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Chapter 9

Chassis Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 11: Chassis Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Chapter 10

Disable RFC Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Table 12: Disable Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Chapter 11

Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Table 13: Date and Time Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Chapter 12

Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 14: Debug Option Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Chapter 13

External Authenticators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 15: External Authenticator Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Table 16: External Authenticator Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Copyright 2014, Juniper Networks, Inc.

xiii

DDoS Secure CLI User Guide

Chapter 14

Filter Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table 17: Filter Aggregation Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table 18: Filter Fixed Value Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Chapter 15

Layer 7 Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Table 19: Show Inspect Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Chapter 16

Logging Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Table 20: Logging Threshold Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Table 21: Logging Threshold Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Table 22: Incident Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 17

MAC Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Table 23: Gateway Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 24: Gateway Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Chapter 18

Mail Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Table 25: Mail Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Chapter 19

Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 26: Interface Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 27: Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Table 28: DNS Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Table 29: Route Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Chapter 20

NetFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 30: NetFlow Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Chapter 21

Preferred Clients and Whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Table 31: Preferred Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Chapter 22

Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Table 32: Portal Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Chapter 23

Portal Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Table 33: Operational Mode Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Chapter 24

Portal Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Table 34: Portal Defense Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Chapter 25

Protected IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Table 35: Protected IP Address Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Chapter 26

Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Table 36: Proxy Server Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Chapter 27

Pseudol3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Table 37: Pseudo Layer 2 and Layer 3 Parameters . . . . . . . . . . . . . . . . . . . . . . . . 176

Chapter 29

Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Table 38: Share Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Chapter 30

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Table 39: SNMP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

xiv

Copyright 2014, Juniper Networks, Inc.

List of Tables

Chapter 31

Structured Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Table 40: Structured Syslog Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Chapter 32

Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Table 41: Syslog Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Chapter 33

TCP State Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Table 42: Timeout Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Chapter 34

SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Table 43: Decryptkeys Default Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Table 44: Decryptkeys Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Chapter 35

Traffic Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Table 45: Traffic Interception Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Chapter 36

Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Table 46: Usage Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Chapter 37

User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Table 47: User Access Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Table 48: User Account Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Chapter 39

Settings for Command-Line Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Table 49: Terminal Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Chapter 40

Statistics and Informational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Table 50: Show Version Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Chapter 41

BGP Trigger Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Table 51: Rerouting Trigger Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Chapter 42

Understanding Blocked Country Response Configuration . . . . . . . . . . . . . 257

Table 52: File Content Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Part 3

Appendix

Appendix A

Parameter Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Table 53: Variable Value Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Table 54: Fixed Value Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Appendix B

Structured Syslog Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Table 55: Structured Syslog Message Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Table 56: Basic Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Table 57: Additional Status Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Table 58: Incident Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Table 59: Worst Offenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Table 60: Temporary Black-List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Table 61: Permanent White-List/Black-List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Table 62: LEEF Extensions Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Table 63: Arcsight Extensions Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

Appendix C

DDoS Secure Appliance TCP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Table 64: TCP Status Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Appendix D

ICMP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Table 65: ICMPv4 Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Table 66: ICMPv6 Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Appendix E

Incident (Attack) Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Table 67: Type Code Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Table 68: Attack Type Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Appendix F

Letter Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Table 69: Code Type Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Table 70: Sort by Country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Table 71: Sort by Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Table 72: Sort by Country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Appendix G

Panel and Connector Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Table 73: DDoS Secure 1200-Fail-Safe Callout Details . . . . . . . . . . . . . . . . . . . . 333

xvi

Copyright 2014, Juniper Networks, Inc.

About the Documentation

Documentation and Release Notes on page xvii

Documentation Conventions on page xvii

Documentation Feedback on page xix

Requesting Technical Support on page xx

Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Documentation Conventions
Table 1 on page xviii defines notice icons used in this guide.

Copyright 2014, Juniper Networks, Inc.

xvii

DDoS Secure CLI User Guide

Table 1: Notice Icons

Icon

Meaning

Description

Informational note

Indicates important features or instructions.

Caution

Indicates a situation that might result in loss of data or hardware damage.

Warning

Alerts you to the risk of personal injury or death.

Laser warning

Alerts you to the risk of personal injury from a laser.

Tip

Indicates helpful information.

Best practice

Alerts you to a recommended use or implementation.

Table 2 on page xviii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention

Description

Examples

Bold text like this

Represents text that you type.

To enter configuration mode, type the

configure command:
user@host> configure

Fixed-width text like this

Italic text like this

xviii

Represents output that appears on the

terminal screen.

user@host> show chassis alarms

Introduces or emphasizes important

new terms.

Identifies guide names.

A policy term is a named structure

that defines match conditions and
actions.

Identifies RFC and Internet draft titles.

Junos OS CLI User Guide

RFC 1997, BGP Communities Attribute

Represents variables (options for which

you substitute a value) in commands or
configuration statements.

No alarms currently active

Configure the machines domain name:

[edit]
root@# set system domain-name
domain-name

Copyright 2014, Juniper Networks, Inc.

About the Documentation

Table 2: Text and Syntax Conventions (continued)

Convention

Description

Examples

Text like this

Represents names of configuration

statements, commands, files, and
directories; configuration hierarchy levels;
or labels on routing platform
components.

To configure a stub area, include the

stub statement at the [edit protocols
ospf area area-id] hierarchy level.

The console port is labeled CONSOLE.

< > (angle brackets)

Encloses optional keywords or variables.

stub <default-metric metric>;

| (pipe symbol)

Indicates a choice between the mutually

exclusive keywords or variables on either
side of the symbol. The set of choices is
often enclosed in parentheses for clarity.

broadcast | multicast

# (pound sign)

Indicates a comment specified on the

same line as the configuration statement
to which it applies.

rsvp { # Required for dynamic MPLS only

[ ] (square brackets)

Encloses a variable for which you can

substitute one or more values.

community name members [

community-ids ]

Indention and braces ( { } )

Identifies a level in the configuration

hierarchy.

; (semicolon)

Identifies a leaf statement at a

configuration hierarchy level.

(string1 | string2 | string3)

[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}

GUI Conventions
Bold text like this

Represents graphical user interface (GUI)

items you click or select.

> (bold right angle bracket)

Separates levels in a hierarchy of menu

selections.

In the Logical Interfaces box, select

All Interfaces.

To cancel the configuration, click

Cancel.

In the configuration editor hierarchy,

select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

Online feedback rating systemOn any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.

Copyright 2014, Juniper Networks, Inc.

xix

DDoS Secure CLI User Guide

E-mailSend your comments to [email protected]. Include the document

or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.

JTAC policiesFor a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

Product warrantiesFor product warranty information, visit

http://www.juniper.net/support/warranty/.

JTAC hours of operationThe JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

Find CSC offerings: http://www.juniper.net/customers/support/

Search for known bugs: http://www2.juniper.net/kb/

Find product documentation: http://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications:

http://kb.juniper.net/InfoCenter/

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

Copyright 2014, Juniper Networks, Inc.

About the Documentation

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html.

Copyright 2014, Juniper Networks, Inc.

xxi

DDoS Secure CLI User Guide

xxii

Copyright 2014, Juniper Networks, Inc.

PART 1

CLI Overview

Command-Line Overview on page 3

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 1

Command-Line Overview
This chapter includes gives an overview of the DDoS Secure CLI and describes the
available show commands.

Introducing the DDoS Secure CLI on page 3

Connecting to a DDoS Appliance Using a Serial Port Connection on page 4

Connecting to a DDoS Appliance Using an SSH Connection on page 4

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Introducing the DDoS Secure CLI

The command-line interface (CLI) provides a simple command syntax for the purpose
of making configuration changes to a DDoS Secure appliance. The CLI can be accessed
in one of three ways:

Related
Documentation

ANSI terminal software through a serial line connection to the appliance serial port.

SSH connection to the appliance management interface.

System console with the use of a keyboard and monitor.

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Starting a CLI Session on page 5

Connecting to a DDoS Appliance Using an SSH Connection on page 4

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Connecting to a DDoS Appliance Using a Serial Port Connection

The serial port is located on the back of the DDoS Secure appliance and uses
industry-standard pinouts.
To communicate with the appliance (the serial port on the device that the appliance is
connected to), set one of the following:

9600 baud, 1 stop bit, no parity, and hardware flow control.

57600 baud, 1 stop bit, no parity, and hardware flow control.

115200 baud, 1 stop bit, no parity, and hardware flow control.

The appliance displays the hardware initialization and booting diagnostic messages at
9600 baud. This is the recommended speed to use for troubleshooting.
To switch to a faster speed for normal system management, it is necessary to send a
BREAK to switch to the next available speed, followed by two or three RETURN or
LINE-FEED characters. Each time a BREAK is sent, the speed cycles between the
supported speeds in the following order:

Related
Documentation

DDoS Secure Appliance Panel Information on page 333

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Starting a CLI Session on page 5

Connecting to a DDoS Appliance Using an SSH Connection on page 4

Connecting to a DDoS Appliance Using an SSH Connection

To use the CLI through the Internet SSH protocol:
1.

The DDoS Secure appliance management interface must first be configured with an
appropriate IP address, network mask, default gateway, and the interface speed.

2. SSH access from the client IP address must be enabled.

For the detailed procedure, see the DDoS Secure GUI User Guide. Once enabled, the
configuration can be modified through the CLI.
Related
Documentation

Connecting to a DDoS Appliance Using a Serial Port Connection on page 4

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Starting a CLI Session on page 5

Copyright 2014, Juniper Networks, Inc.

Chapter 1: Command-Line Overview

Connecting to a DDoS Appliance Using a System Console Connection

The system console operates like a PC that supports a USB or PS2 style keyboard, and
a SVGA monitor.
Related
Documentation

Connecting to a DDoS Appliance Using an SSH Connection on page 4

Starting a CLI Session on page 5

Connecting to a DDoS Appliance Using a Serial Port Connection on page 4

Starting a CLI Session

To start a CLI session, you must authenticate to the CLI subsystem using one of the
authentication methods. The initial default user is user, and the default password is
password.

NOTE: We recommend that you change the default authentication credentials

as soon as possible.

Example login using the console or a serial interface:

DDoS Secure appliance version 5.14.1.0
ws_192_168_0_196 login: user
Password: password
JS>sh version
DDoS Secure Code Version:
DDoS Secure Code Base:
DDoS Secure Build Date:
CD Base Image:
Actual Memory Size:
Actual Number of CPUs:
Serial No:
Hardware ID:
Platform:
Last Restart:
Licensed Throughput:
Memory To Use:
CPUs To Use:
Protected IPs Supported:
Tracked IPs Supported:
Portals Supported:
Filters Supported:
MAC Entries Supported:
TCP Entries Supported:
UDP Entries Supported:
ICMP Entries Supported:
Other IP Entries Supported:
Fragment Entries Supported:
FTP Entries Supported:
SSL Decoders Supported:
SSL Sessions Supported:

Copyright 2014, Juniper Networks, Inc.

5.14.1-0
CENTOS_6_3
201305201820GMT
5.14.1-0
31.3G
16
A1RYMW1
90:B1:1C:2A:A3:28
J-DDOS-SEC-AP2
Tue May 21 16:54:09 2013
10G
31G
16
64K
32M
256
4K
16K
4M
512K
64K
64K
32K
8K
512K
512K

DDoS Secure CLI User Guide

SSL Handshake Buffers:

SSL Block Buffers:
SSL Key Exchanges Supported:

1K
2K
512K

JS>

Example login using SSH from the Unix command line:

Prompt>ssh l user 192.168.0.196
[email protected] users password:password
JS>sh version
DDoS Secure Code Version:
DDoS Secure Code Base:
DDoS Secure Build Date:
CD Base Image:
Actual Memory Size:
Actual Number of CPUs:
Serial No:
Hardware ID:
Platform:
Last Restart:
Licensed Throughput:
Memory To Use:
CPUs To Use:
Protected IPs Supported:
Tracked IPs Supported:
Portals Supported:
Filters Supported:
MAC Entries Supported:
TCP Entries Supported:
UDP Entries Supported:
ICMP Entries Supported:
Other IP Entries Supported:
Fragment Entries Supported:
FTP Entries Supported:
SSL Decoders Supported:
SSL Sessions Supported:
SSL Handshake Buffers:
SSL Block Buffers:
SSL Key Exchanges Supported:

5.14.1-0
CENTOS_6_3
201305201820GMT
5.14.1-0
31.3G
16
A1RYMW1
90:B1:1C:2A:A3:28
J-DDOS-SEC-AP2
Tue May 21 16:54:09 2013
10G
31G
16
64K
32M
256
4K
16K
4M
512K
64K
64K
32K
8K
512K
512K
1K
2K
512K

JS>

For more information about how users are allocated to different portals (virtual
subappliances) and how users can gain access to the CLI to allow configuration of their
individual portals, see the DDoS Secure GUI User Guide. If the portal is not the master
portal (-General-), then it is indicated in the prompt as follows:
Prompt> ssh l user 192.168.0.196
[email protected] users password:password
JS portal>show config
version e2
configuration portal
remove user all
remove server all
remove fagg all
remove filter all
set operation mode defensive countries all aslist all
set user portaluser password $1$blI73sjE$wA.A7vHC1qvdfROlEHJtM. perms administrator
...
set mail server none dailystats yes alerts no

Copyright 2014, Juniper Networks, Inc.

Chapter 1: Command-Line Overview

JS portal>

If the CLI connection is to the Standby member of an Active/Standby pair, then the
prompt also includes (Standby):
JS(Standby)>

or
JS(Standby) portal>

Related
Documentation

Connecting to a DDoS Appliance Using a Serial Port Connection on page 4

Connecting to a DDoS Appliance Using an SSH Connection on page 4

Navigating Through the CLI on page 7

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Navigating Through the CLI

The CLI environment has shortcuts and built-in help messages to aid in the configuration
of the DDoS Secure appliance.
When you enter a command or the name of a parameter, it is not necessary to type the
full name. A command can be abbreviated to the smallest sequence of characters that
uniquely identifies the command.

To automatically complete the current command you are typing, press Tab. If the
command cannot be completed, press Tab again to display a brief list of available
matching commands. Once you have entered a command, press Tab to complete the
next parameter. If there is more than one option available, pressing Tab displays the
available valid parameters. If this is in the middle of a free-text input parameter value
field, terminate the field with a space first.

NOTE: If the command is a free-text value field, you must complete the
field with a space character before you press the Tab key.

Press the up and down arrow keys to display the previously entered commands.

Use the left and right arrow keys to move back and forth along the text line currently
displayed; this allows you to edit any part of the command line before you submit the
command by pressing Enter.

When the text to be displayed is longer than a single screen, the output is paused and
the phrase more is shown at the bottom of the screen. To display the next page of
information, press [SPACE]. To display the next line, press [ENTER]. To exit the display
and return the CLI to the previous command prompt, press [Q].
To stop the terminal pause (for example, if the CLI commands are scripted), use the set
terminal pause off command. This setting is not replicated across sessions and therefore
needs to be entered at the start of every CLI session, when required. To restart the terminal
pause during a session, use the set terminal pause off command.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Related
Documentation

Starting a CLI Session on page 5

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Changing the Configuration Using the CLI on page 8

Changing the Configuration Using the CLI

The CLI has three principle configuration commands:

showThis is a general-purpose command used to display the current value for various

configuration settings. Changes to these configuration settings are performed using

the set and remove commands.

setThis command is used in the majority of cases to configure the system.

removeThis command is used to completely remove a block of configuration (a table

entry), such as a server and all its settings. Most individual settings, however, cannot
be removed, because they must have a value. Such settings can only be changed from
one value to another with the set command.
When you make changes to the configuration using the CLI, the pending changes are
recorded and applied later (using apply command) when instructed by the operator. At
any time prior to applying the new configuration, the list of changes to be made can be
displayed or cleared.
When the first configuration line is entered, a snapshot of the current configuration is
made and all subsequent configuration changes are made against the snapshot
configuration. The apply command takes the snapshot configuration, applies the
configuration changes, and then activates the new configuration. This method avoids
the possibility of other users changing the configuration at the same time in such a way
that your configuration cannot be applied.

CAUTION: If more than one user attempts to change the configuration

simultaneously, then the changes made by the last user are applied, and the
other users lose their changes. For this reason, warnings are displayed when
two users start to change the configuration at the same time.
Any command used to change the configuration can include the now keyword
at the end of the input line. Use of this keyword causes the configuration
change to be applied immediately.

NOTE: You cannot use the now keyword when there are pending changes to
be applied.
All CLI commands are case-sensitive and must be entered in lowercase. Most
parameters are also case-sensitive; exceptions are detailed in the applicable
sections. Table 3 on page 9 describes the basic CLI commands.

Copyright 2014, Juniper Networks, Inc.

Chapter 1: Command-Line Overview

Table 3: Basic CLI Commands

Command

Description

apply

Commits and invokes any pending configuration changes.

write

Commits and invokes any pending configuration changes.

discard

It is often helpful when a large amount of configuration has been performed and an error
detected, to use the show pending changes command prior to discard. Then relevant
parts of the previous configuration changes can be copied to the terminal. If another user
has started editing the configuration, you can also use this method to show the
configuration changes you have made. Once the other user has finished, you can then
use the discard command, paste your changes, and then apply the configuration. This
procedure avoids undoing the other user changes.

revert

Reverts the appliance back to the previous configuration.

The previous configuration is defined as the configuration prior to the last committed
configuration change (with apply, or the command suffixed with now).
WARNING: A revert might also undo any configuration changes performed by other
users, so care should be taken when you use this command.

now

The now option is not a command; rather, it can be appended as the last argument to
any CLI command used to change the configuration. When you append the now option
to a command, that command is not added to the list of pending changes but instead
is executed immediately, changing the current running configuration. The now option
cannot be used if there are any pending changes waiting to be applied. Any such pending
changes must either be applied or discarded before a command can use the now
command.

exit

Exits from the CLI.

quit

Quits from the CLI.

context

Synopsis: context newportal

The context command allows a user to change between portals, but only if originally
logged in to the appliance portal.

show config
Syntax
Description

show config

Displays the current active configuration of the device.

Sample Output
JS>show config

set
set
set
set

mail server none

access https all
access ssh all
access snmp 192.168.1.221

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show run
Syntax
Description

show running

Displays the current active configuration of the device.

Sample Output
JS>show running

set mail server none

set access https all
set access ssh all
set access snmp 192.168.1.221

show pending changes

Syntax
Description

show pending changes

Displays the list of pending changes for the current user session. The pending changes
of other CLI users are not displayed.

Sample Output
JS>set access https 192.168.0.0/16
JS>set access ssh 192.168.0.0/16
JS>set access snmp 192.168.0.0/16
JS>show pending changes
set access https 192.168.0.0/16
set access ssh 192.168.0.0/16
set access snmp 192.168.0.0/16
JS>

Related
Documentation

Starting a CLI Session on page 5

Connecting to a DDoS Appliance Using a System Console Connection on page 5

Navigating Through the CLI on page 7

Copyright 2014, Juniper Networks, Inc.

PART 2

Configuration Commands

Access Control on page 13

Appliance Mode on page 21

Bandwidth and Port Filter on page 27

BGP Flow Spec on page 35

Block Country and IP Address on page 41

Country Code Definitions on page 47

CHARM Tunables on page 57

Chassis Definitions on page 61

Disable RFC Testing on page 69

Date and Time on page 73

Debug Options on page 79

External Authenticators on page 83

Filter Aggregation on page 87

Layer 7 Inspection on page 93

Logging Thresholds on page 99

MAC Gateway on page 111

Mail Reporting on page 117

Network on page 121

NetFlow on page 137

Preferred Clients and Whitelisting on page 141

Portals on page 149

Portal Operational Mode on page 155

Portal Defense on page 159

Protected IP on page 163

Proxy Server on page 171

Pseudol3 on page 175

Remote Alerts, Reports, and Logging on page 185

Shares on page 187

SNMP on page 193

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Structured Syslog on page 197

Syslog on page 201

TCP State Timeouts on page 205

SSL Decryption on page 209

Traffic Interception on page 215

Usage on page 221

User Management on page 225

System Maintenance on page 231

Settings for Command-Line Environment on page 243

Statistics and Informational Commands on page 247

BGP Trigger Router Configuration on page 253

Understanding Blocked Country Response Configuration on page 257

Copyright 2014, Juniper Networks, Inc.

CHAPTER 2

Access Control
This chapter explains access control for DDoS Secure and describes the available
advanced configuration commands.

Access Control Configuration Overview on page 13

show access

set access https

set access https_juniper

set access ssh

set access ssh_juniper

set access snmp

Access Control Configuration Overview

The DDoS Secure appliance supports multiple remote access methods. The control of
each type of access must be specified with its own set access command.

NOTE: Only IPv4 addresses are currently supported.

When you are configuring access control for an appliance, the appliance interprets IP
addresses and their networks as classless. You can use both IP host addresses and IP
network addresses. You can specify a network address in either network/mask or
network/bits format.
Any compound value you enter is parsed as a single entry; there can be no spaces between
the entries and the commas that separate them.
Related
Documentation

User Management Configuration Overview on page 225

Starting a CLI Session on page 5

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show access
Syntax
Description

show access all

Lists the current access settings.

Sample Output
JS>show access all
set access https 192.168.1.0/24,192.168.2.3
set access https_juniper yes
set access ssh all
set access ssh_juniper yes
set access snmp 192.168.1.1

You can also show individual values by specifying the access type of interest. For example,
JS>show access https:
JS>show access https
set access https 192.168.0.0/16
set access https_juniper yes

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 2: Access Control

set access https

Syntax
Description

Related
Documentation

set access https <IPLIST|all|none>

Sets the list of IP addresses permitted to connect to the Web-based configuration

interface.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set access https_juniper

Syntax
Description

Related
Documentation

set access https_juniper <yes|no>

Enables/disables the Juniper defined list of public IP addresses permitted to connect to

the Web-based configuration interface.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 2: Access Control

set access ssh

Syntax
Description

set access ssh <IPLIST|all|none>

Appliance Mode
This chapter explains appliance mode for DDoS Secure and describes the available
advanced configuration commands.

Appliance Mode Configuration Overview on page 21

If enabled, the appliance automatically blocks all

traffic from the worst offending IP addresses
exceeding the autoblockrate thresholds.

autoblockratet1

RATE

The minimum required packet drop rate (type 1)

before an IP address is added to the blocked list
when automatic blocking is enabled. Whenever a
packet is dropped, it is classed as a type 1 or a type
2 drop. Typically, RFC violations are of type 1, and
decisions/resource consumptions are of type 2.
Type 1 rates are usually several orders of
magnitude greater than those of type 2.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Table 4: Appliance Mode Parameters (continued)

hostname

SERVERNAME

Alternative hostname for the appliance, instead

of the management IP address.

mode

MODE

Current defense mode. See the DDoS Secure GUI

User Guide for a full description of operational
modes.

priority

PRIORITY

Active-standby priority weighting.

serverautodetect

yes|no

If enabled, protected IP addresses not previously

defined will be protected. If trackindeterminate is
enabled, then all IP addresses defined by the
appliance portal are allowed to be automatically
included. If trackindeterminate is not enabled, then
all IP addresses defined in the nonappliance
portals are automatically included.

Copyright 2014, Juniper Networks, Inc.

Chapter 3: Appliance Mode

Table 4: Appliance Mode Parameters (continued)

Parameter

Value

Description

ssl_inspection

realtime|lowlatency

Defines the mode by which SSL decryption takes

place.

RealTimeprocessing is done serially for a

packet.

LowLatencyprocessing is done in parallel with

other packet analysis, potentially causing some
packets not to get decrypted.

trackindeterminate

yes|no

Used to determine which set of IP addresses can

be auto-detected (see serverautodetect).

testenvironment

yes|no

If set, reduces the time that a connection remains

in the closed state to 5 seconds from 60 seconds.
This is in violation of the RFCs, but might be
needed in a testing environment.

Related
Documentation

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show appliance
Syntax
Description

show appliance

Displays the operating settings of the current appliance.

Sample Output
JS>show appliance
set appliance hostname 10.30.12.121 mode logging hamode
active-standby autoblockenable yes autoblockratet1 200
autoblockratet2 100 autoblocksynrst 300 autoblockfragrate 10
autoblockgetrate 300 autonoblock none serverautodetect yes
trackindeterminate yes testenvironment no allportalsdefending
no fips_enabled no ssl_inspection lowlatency asymrouting no
priority 0 groupingid 15

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 3: Appliance Mode

set appliance
Syntax

Description

set appliance [hostname <SERVERNAME>] [mode <MODE>]

[hamode <HAMODE>] [autoblockenable <yes|no>]
[autoblockratet1 <RATE>] [autoblockratet2 <RATE>]
[autoblocksynrst <VALUE>] [autoblockfragrate <RATE>]
[autoblockgetrate <RATE>] [autonoblock <IPRANGE|none>
[serverautodetect <yes|no>] [trackindeterminate <yes|no>]
[testenvironment <yes|no>] [priority <PRIORITY>]
[asymrouting <yes|no>] [groupingid <GROUPINGID>]
[fips_enabled <yes|no>] [ssl_inspection <realtime|lowlatency>][allportalsdefending
<yes|no>]

Sets the global appliance operating settings.

Sample Output
JS>set appliance priority 1
JS>apply
JS>show appliance
set appliance hostname 192.168.0.189 mode logging hamode active-standby
autoblockenable yes autoblockratet1 200 autoblockratet2 100 autoblocksynrst 300
autoblockfragrate 10
autoblockgetrate 300 autonoblock none serverautodetect yes trackindeterminate yes
testenvironment no
allportalsdefending no fips_enabled no ssl_inspection lowlatency asymrouting no
priority 1 groupingid 15
JS>

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 4

Bandwidth and Port Filter

This chapter explains bandwidth and port filter for DDoS Secure and describes the
available advanced configuration commands.

Bandwidth and Port Filter Configuration Overview on page 27

show filter

remove filter

set filter

Bandwidth and Port Filter Configuration Overview

A DDoS Secure appliance has support for user-defined static packet filter rules. A list of
filters associated with a protected IP address and the first filter to be matched in the list
is used. If there is no filter match, the traffic is dropped. Each filter consists of a name
and a set of options. Filter options are used to define the traffic the appliance allows as
well as control the bandwidth used.
Once a filter has been defined, it can be referenced in later parts of the system
configuration for use.
Appliance filters are directionless, meaning that they are not specific to a particular
direction of traffic. A filter direction is defined when the filter is named in a filter reference,
which has a directional context. Additionally, each filter is stateful. Any traffic a filter
allows through in one direction will be associated with a session that permits
corresponding replies back through in the opposite direction. This is an automatic process,
so no filter needs to be defined for the corresponding replies.

NOTE: Once a filter is associated with a connection, the bandwidth controls

associated with that filter are applied in both directions.
If multiple servers refer to the same filter, then the bandwidth controls are
applied as a sum of all the server traffic matching that filter.

Once a TCP filter session is established, the corresponding traffic is allowed to pass until
the session finishes, even if the original permitting filter is altered or replaced with a
stricter filter that would otherwise block (any new traffic sessions will be blocked if
appropriate). However, UDP, ICMP, and other IP address filter sessions will be blocked

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

as soon as a new filter is applied that would no longer permit that sessions traffic. An
FTP (port 21) filter also handles the data connections (PORT and PASV) automatically,
so no additional filter needs to be defined for FTP.
The appliance filtering system has a logical filter named default. This is reserved for use
as a default filter where no filter selection has been configured. The filter default allows
all traffic to pass, with the exception of UDP port 80, and some ICMP types with no
bandwidth restrictions.
There are three other predefined filters with the names broadcast, multicast, and redirect.
These filters are applied by default to IP address broadcast, multicast, and redirect traffic,
respectively. In contrast to filter default, the settings for these predefined filters can be
altered.
A filter must already be defined before it can be named within an option that requires a
filter. A filter can be named against more than one server configuration or filter
aggregation.
Table 5 on page 28 describes the filter parameters and their formats.

Table 5: Filter Parameters

Parameter

Value

Default Value

Description

src_tcp

PORTLIST|all|none

all

The list of tcp source ports permitted for TCP

connections.

tcp

PORTLIST|all|none

none

The list of ports permitted for TCP connections.

src_udp

PORTLIST|all|none

all

The list of udp source ports permitted for UDP

connections.

udp

PORTLIST|all|none

none

The list of ports permitted for UDP connections.

icmp

ICMPTYPELIST|all|none

none

The list of ICMP types permitted.

icmp6

ICMP6TYPELIST|all|none

none

The list of ICMPv6 types permitted.

otherip

PROTOCOLLIST

none

The list of other IP address protocols (not TCP,

UDP, ICMP, or ICMPv6) permitted.

countries

COUNTRIES|all|none

all

Defines the countries that are to be permitted by

the appliance for this filter.
NOTE: The countries test always is applied to the
Internet client addresses, not to the protected IP
addresses.

aslist

ASLIST|all

all

Defines the AS numbers that are to be permitted

by the appliance for this portal.
NOTE: The AS numbers test always is applied to
the Internet client addresses, not to the protected
IP addresses.

Copyright 2014, Juniper Networks, Inc.

Chapter 4: Bandwidth and Port Filter

Table 5: Filter Parameters (continued)

Parameter

Value

Default Value

Description

networks

IPRANGE|all|none

all

Defines all the networks (up to 4 entries) that are

to be permitted by the appliance for this filter.
Can be IPv6.
NOTE: The networks test always is applied to the
Internet client addresses, not to the protected IP
addresses.

validpkts

PKTS|U

Guaranteed packet rate.

burstpkts

PKTS|U

Burstable packet rate.

validspeed

SPEED|U

Guaranteed bandwidth.

burstspeed

SPEED|U

Burstable bandwidth.

ratelimit-by

filter|internet-ip|
protected-ip|match-ips|
session

filter

The type of rate limiter matching to create on a

filter match.

Related
Documentation

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show filter
Syntax
Description

show filter <FILTERNAME|all>

Displays the settings of the named filters.

Sample Output
JS>show filter test1
set filter test1 src_tcp all tcp 80 http 80 src_udp none udp none icmp none
none otherip none countries all networks all aslist all validpkts
U burstpkts U validspeed U burstspeed U ratelimit-by filter

Alternatively, the reserved filter name all can be specified to show all defined filters.
JS>show filter all
set filter inb-tcp src_tcp all tcp all http 80 src_udp none udp none icmp
none icmp6 none otherip none countries all networks all aslist all validpkts
U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter inb-udp src_tcp none tcp none http none src_udp all udp
1-79,81-442,444-65535 icmp none icmp6 none otherip none countries all
networks all aslist all validpkts 30K burstpkts 30K validspeed U burstspeed
U ratelimit-by filter
set filter inb-icmp src_tcp none tcp none http none src_udp none udp none icmp
0-18 icmp6 1-4,128-154 otherip none countries all networks all aslist all
validpkts 1K burstpkts 1K validspeed U burstspeed U ratelimit-by filter
set filter inb-other src_tcp none tcp none http none src_udp none udp none icmp
none icmp6 none otherip all countries all networks all aslist all validpkts
30K burstpkts 30K validspeed U burstspeed U ratelimit-by filter
set filter out-tcp src_tcp all tcp all http 80 src_udp none udp none icmp
none icmp6 none otherip none countries all networks all aslist all validpkts
U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter out-udp src_tcp none tcp none http none src_udp all udp all icmp
none icmp6 none otherip none countries all networks all aslist all validpkts
U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter out-icmp src_tcp none tcp none http none src_udp none udp none icmp
0-18 icmp6 1-4,128-154 otherip none countries all networks all aslist all
validpkts U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter out-other src_tcp none tcp none http none src_udp none udp none icmp
none icmp6 none otherip all countries all networks all aslist all validpkts
U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter multicast src_tcp none tcp none http none src_udp all udp all icmp
0-18 icmp6 1-4,128-154 otherip all countries all networks all aslist all
validpkts U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter broadcast src_tcp none tcp none http none src_udp all udp
1-6,8-65535 icmp none icmp6 none otherip all countries all networks all aslist
all validpkts U burstpkts U validspeed U burstspeed U ratelimit-by filter
set filter intercept src_tcp all tcp all http 80 src_udp none udp none icmp
none icmp6 none otherip none countries all networks all aslist all validpkts
U burstpkts U validspeed U burstspeed U ratelimit-by filter

Copyright 2014, Juniper Networks, Inc.

Chapter 4: Bandwidth and Port Filter

NOTE: The logical filter default is not listed. Attempts to use default, or any
nonexistent filter name as a parameter to the show filter command, result in
the error message Not configured. This error is also displayed when the
parameter all is used but no filters are defined.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

remove filter
Syntax
Description

remove filter <FILTERNAME|all>

Deletes a specified filter. The specified filter will not be deleted if it is currently assigned
to a server. The logical filter default cannot be deleted.

Sample Output
JS>show filter test1
set filter test1 tcp 80 udp none icmp none icmp6 none otherip none
countries all networks all aslist all validpkts U burstpkts U
validspeed U burstspeed U ratelimit-by filter
JS>remove filter test1
JS>apply
JS>show filter test1
Not configured

The remove filter command can also be used to delete all filters, as long as none are
assigned to a server, by using the reserved filter name all. If all the filters cannot be
removed, then an error message is returned and none are removed. If all the filters can
be safely removed, the user will be prompted for confirmation.
JS>show filter all
set filter test1 tcp 80 udp none icmp none icmp6 none otherip none validpkts U
countries all networks all aslist all burstpkts U validspeed U burstspeed U
ratelimit-by filter
set filter test2 tcp 80,443 udp none icmp none icmp6 none otherip none
countries all networks all aslist all validpkts U burstpkts U validspeed U
burstspeed U ratelimit-by filter
JS>remove filter all
Are you sure [yes/no]? yes
JS>apply
JS>show filter all
Not configured

NOTE: It is possible to turn off prompting, which can be useful when using
automated scripts.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 4: Bandwidth and Port Filter

set filter
Syntax

Description

set filter <FILTERNAME>

Creates a new filter entry or to modifies an existing one. At a minimum, a name and one
parameter value pair must be specified when using this command. If the name specified
does not match an existing filter entry, a new entry is created with that name, and any
parameter value pair not specified causes that parameter to be set with the default value.
If an entry already exists that matches the name specified then only the parameter value
pairs specified are altered.
The following protocol numbers have no effect when used as values with the other IP
address parameter, as these protocols are handled separately by their own parameter
value pair:

1 (ICMP

6 (TCP)

17 (UDP)

58 (ICMPv6)

Sample Output
JS>show filter all
set filter inb-tcp tcp all http 80 udp none icmp none icmp6 none otherip none
countries all networks all aslist all validpkts U burstpkts U validspeed U
burstspeed U ratelimit-by filter
set filter inb-udp tcp none http none udp 1-79,81-442,444-65535 icmp none
icmp6 none otherip none countries all networks all aslist all validpkts 30K
burstpkts 30K validspeed U burstspeed U ratelimit-by filter
set filter inb-icmp tcp none http none udp none icmp 0-18 icmp6 1-4,128-154
otherip none countries all networks all aslist all validpkts 1K burstpkts 1K
validspeed U burstspeed U ratelimit-by filter
set filter inb-other tcp none http none udp none icmp none icmp6 none
otherip all countries all networks all aslist all validpkts 30K
burstpkts 30K validspeed U burstspeed U ratelimit-by filter
JS>set filter test1 tcp 80-85,443
JS>set filter test2 udp none icmp 8
JS>apply

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

JS>show filter all

set filter test1 tcp 80-85,443 udp none icmp none icmp6 none otherip none
countries all networks all aslist all validpkts U burstpkts U validspeed U
burstspeed U ratelimit-by filter
set filter test2 tcp 80,443 udp none icmp 8 otherip none icmp6 none countries
all networks all aslist all validpkts U burstpkts U validspeed U burstspeed U
ratelimit-by filter

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 5

BGP Flow Spec

This chapter explains BGP Flow Spec for DDoS Secure and describes the available
advanced configuration commands.

BGP Flow Spec Definitions Configuration Overview on page 35

show bgp

set bgp peer

set bgp flowspec

remove bgp

BGP Flow Spec Definitions Configuration Overview

DDoS Secure can be used as a BGP Flow Spec injector into an upstream router. The
upstream router acts upon these Flow Spec rules (as determined by its configuration).
Automatically inserted Flow Spec rules are used to rate-limit specific traffic from the
Internet to the DDoS Secure appliance. Rules are automatically added for any IP address
that has moved from the Worst Offenders list to the Temporary Black-List list.
Table 6 on page 35 describes the BGP parameters.

Table 6: BGP Parameters

Parameter

Value

Description

ddos_secure

IPADDRESS

The IP address of the DDoS Secure appliance that the BGP Flow
Spec injector will run on. For active-standby HA, both management
IP addresses need to be defined as separate statements.

our_as

ASNUMBER

Local AS#.

neigh_ip

IPADDRESS

BGP neighbor router IP.

neigh_as

ASNUMBER

Neighbor AS#.

neigh_pass

PASSWORD

Password for secure communications with neighbor.

lowertimer

NUMBER

Length of time before idle BGP Flow Spec rule is dropped.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Table 6: BGP Parameters (continued)

Parameter

Value

Description

autoinject

yes|no

If set, automatically injects rules into the router; otherwise, the

rules are only displayed in the GUI as Inactive.

ratelimit

SPEED

Rate-limit speed used in the auto-created Flow Spec rules. The

default is 100 K.

source

IPNETWORK

Network address that will match the Source IP.

destination

IPNETWORK

Network address that will match the Destination IP. Note that only
protected IPs can be defined here, and the entire network must sit
in one portal.

protocol

PROTOCOLLIST

List of protocols to match.

srcport

PORTLIST

List of source ports to match (tcp/udp).

dstport

PORTLIST

List of destination ports to match (tcp/udp).

tcpflags

TCPFLAGS

List of TCP flags to match against.

icmpcode

ICMPCODELIST

List of ICMP codes to match (icmp).

icmptype

ICMPTYPELIST

List of ICMP types to match (icmp).

fragment

FRAGMENTLIST

List of fragment types to match.

length

LENGTHLIST

List of packet lengths to match against.

dscp

DSCPLIST

List of DSCP to match against.

action

ACTION

Action to take on Flow Spec rule match.

actionvalue

ACTIONVALUE

Value to apply to action where appropriate.

Related
Documentation

show bgp on page 37

set bgp peer on page 38

set bgp flowspec on page 39

remove bgp on page 40

Copyright 2014, Juniper Networks, Inc.

Chapter 5: BGP Flow Spec

show bgp
Syntax
Description

show bgp <all|peer|flowspec>

Displays the current BGP configuration.

Sample Output
JS>show bgp all
set bgp peer ddos_secure 192.168.0.189 our_as 65099 neigh_ip 192.168.0.254
neigh_as 65014 neigh_pass 123456 lowertimer 1000 autoinject no
ratelimit 100K

NOTE: A simple peer (MX Series router) working definition example that
matches the DDoS Secure BGP definition above is:

routing-options {
router-id 192.168.0.254;
autonomous-system 65014;
}
protocols {
bgp {
family inet {
flow {
no-validate everything;
}
}
authentication-key 123456
group flow {
multihop;
local-preference 100;
local-address 192.168.0.254;
export everything;
peer-as 65099;
neighbor 192.168.0.189;
}
}
}

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set bgp peer

Syntax

Description

set bgp peer ddos_secure <IPADDRESS> our_as <ASNUMBER>

neigh_ip <IPADDRESS> neigh_as <ASNUMBER> neigh_pass <PASSWORD>
lowertimer <NUMBER> autoinject <yes|no> ratelimit <SPEED>

Defines a BGP setup where the defined DDoS Secure appliance acts as a BGP Flow Spec
injector. For active-standby HA systems, each DDoS Secure needs a BGP definition, and
the upstream router needs to recognize both DDoS Secure as peers.
If autoinject is set to no when a BGP Flow Spec rule is dynamically created, DDoS Secure
sets it to the Inactive state; so that it is not uploaded to the BGP peer. If autoinject is set
to yes when the BGP FlowSpec rule is created, it is set to the Active state and the Flow
Spec rule is immediately uploaded to the BGP Peer. Through the GUI, you can easily swap
the dynamic Flow Spec rules between Inactive and Active states.

NOTE: If the DDoS Secure is running in the Logging mode, then the dynamic
Flow Spec rules are always created as Inactive.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 5: BGP Flow Spec

set bgp flowspec

Syntax

Description

Related
Documentation

set bgp flowspec [source <IPNETWORK>] destination <IPNETWORK>

Allows you to manually configure the Flow Spec rules that will always be sent to the BGP
peer. Only specify the entities that you want to match against. Destination and action
are mandatory.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

remove bgp
Syntax
Description

remove bgp <all|peer|flowspec>

Allows you to remove the specified BGP definitions.

Sample Output
JS>remove bgp all
JS>apply
JS>show bgp all
No BGP definitions set up

Table 7: remove bgp Parameters

Parameter

Description

all

If set, removes all BGP definitions.

peer

If set, removes all BGP peer definition rules.

flowspec

If set, removes all BGP flowspec definitions.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 6

Block Country and IP Address

This chapter explains block country and IP address for DDoS Secure and describes the
available advanced configuration commands.

Block Country and IP Address Configuration Overview on page 41

show block

set block country

set block cignoreip

set block ip

set block as

Block Country and IP Address Configuration Overview

Table 8 on page 41 describes the block parameters.

Table 8: Block Parameters

Parameter

Value

Description

country

COUNTRIES|all|none

Defines the countries that are to be blocked by

the appliance.

cignoreip

IPLIST

Ignores country code blocking for these IP

addresses, even though the IP in question is
located in that country.

IPRANGE|none

Defines the list of IP address and networks that

are to be blocked by the appliance.

1 - 65535

Autonomous system number that BGP uses for

routing traffic across the Internet.

Related
Documentation

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show block
Syntax
Description

show block

Displays the current blocked countries and IP addresses.

Sample Output
JS>show block
set
set
set
set

Related
Documentation

block
block
block
block

country none
cignoreip none
ip none
as none

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 6: Block Country and IP Address

set block country

Syntax
Description

set block country <COUNTRIES|all|none>

Drops all traffic to or from a country for the duration of an attack that originates in that
country. Specify a list of countries to block IP addresses from those countries, as tagged
by MaxMind. This requires that you periodically update the MaxMind database.

Permanently drops all traffic to or from a specific AS. You specify the list of AS numbers,
separated by commas.

Sample Output
JS>set block as 65001
JS>apply
JS>show block
set
set
set
set

Related
Documentation

block
block
block
block

country USA
cignoreip none
ip 10.20.0.0/25
as 65001

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 7

Country Code Definitions

This chapter explains country code (geoIP) definitions for DDoS Secure and describes
the available advanced configuration commands.

Country Code (geoip) Definitions Configuration Overview on page 47

show geoip

remove geoip

set geoip ip

set geoip url

set geoip megaproxy_ip

set geoip megaproxy_url

set geoip auto_akamai

Country Code (geoip) Definitions Configuration Overview

You can specify country codes for specific IP addresses that override the MaxMind
definitions or to categorize pseudo-countries for ease of control of blocks of addresses.
You do this by defining the country code with a list of IP addresses and specifying a URL
from which to download the IP addresses. These IP addresses are held in a flat file,
line-delimited, each line being an IP address, a subnet, or a range of IP addresses.
Several country codes have a special significance:

-blAny IP addresses matching this code are always black-listed.

-wlAny IP addresses matching this code are always white-listed.

-plAny IP addresses matching this code are treated as preferred clients.

-wnAny IP addresses matching this code are always white-listed, but no logs

generated.
The IP address lookup database is built in the following order, with subsequent entries
overwriting any previous IP address definitions:

MaxMind Information

Bogon list (which contains RFC1918 addresses defined as bogons)

http://www.cymru.com/Documents/bogon-bn-agg.txt.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

RFC 1918 addresses

User definitions specified by geoip entries

Table 9 on page 48 describes the geoip parameters.

Table 9: Geoip Parameters

Parameter

Value

Description

code

COUNTRYCODE

Defines the country code that is to be set.

IPRANGE

Defines the list of IP address and networks that

are to be associated with the country code.

freq

FREQUENCY

Frequency at which the URL is checked for

updates.

url

URL

Defines the URL containing the list of IP

addresses, line-separated, an IP address range
per line.

header

HEADER

Matches header definition, including trailing :.

respcode

Copyright 2014, Juniper Networks, Inc.

Chapter 7: Country Code Definitions

set geoip ip
Syntax
Description

set geoip ip code <COUNTRYCODE> ip <IPRANGE>

Sets a range of IP addresses to be associated with the given country code. The country
codes include -bl (black-list) and -wl (white-list) as described in Country Code (geoip)
Definitions Configuration Overview on page 47.

Sample Output
JS>set geoip ip code -bl ip 1.2.3.4

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set geoip url

Syntax
Description

set geoip url code <COUNTRYCODE> freq <FREQUENCY> url <URL>

Updates the country code to use for the list of IP addresses, networks, or IP address range
(one entry per line) at the given URL, updated at the given frequency.

Sample Output
JS>set geoip url code -wl freq h url http://www.domain.com/white-list.txt

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 7: Country Code Definitions

set geoip megaproxy_ip

Syntax

Description

set geoip megaproxy_ip header <HEADER>

respcode <RESPCODE> ip <IPRANGE>

Defines a list of IP addresses, networks, or IP address ranges, to be treated as a megaproxy.

If the defined header is matched (typically X-forwarded-for:), then the original client is
abstracted and used for charm calculations. If the session is to be dropped (for example:
original client is blacklisted) then a suitable message is constructed using the specified
HTTP response code (for example: 503).

Sample Output
JS>set geoip megaproxy_ip header X-Forwarded-For: respcode 503 ip 1.2.3.4-1.2.3.7

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set geoip megaproxy_url

Syntax

Description

set geoip megaproxy_url header <HEADER>

respcode <RESPCODE> freq <FREQUENCY> url <URL>

Defines a remote URL that contains a list of IP addresses, networks, or IP address ranges,
one per line, to be treated as a megaproxy.
If the defined Header is matched (typically X-forwarded-for:), then the original client is
abstracted and used for charm calculations. If the session is to be dropped (for example:
original client is blacklisted) then a suitable message is constructed using the specified
HTTP response code (for example: 503).
The list of IP addresses is updated at the specified frequency.

Sample Output
JS>set geoip megaproxy_url header True-Client-IP: respcode 503 freq h url
http://www.domain.com/megaproxy-list.txt

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 7: Country Code Definitions

set geoip auto_akamai

Syntax
Description

set geoip auto_akamai respcode <RESPCODE>

The auto_akamai parameter instructs DDoS Secure to assume that client's traffic that
contains the header: true-client-IP: is coming from Akamai, and to treat the client IP
address as being a megaproxy.

Sample Output
JS>set geoip url code bl freq h http://black.list.com/list.txt
JS>set geoip auto_akamai respcode 503
JS>apply
JS>show geoip all
set geoip url code bl freq h url http://black.list.com/list.txt
set geoip auto_akamai respcode 503

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 8

CHARM Tunables
This chapter explains CHARM tunables for DDoS Secure and describes the available
advanced configuration commands.

CHARM Tunables Configuration Overview on page 57

show tuneable

remove tuneable

set tuneable

CHARM Tunables Configuration Overview

Changing these values should only be done under the guidance of a DDoS Secure
appliance engineer and any changes will affect the charm weighting values.
Table 10 on page 57 describes the tunable parameters.

Table 10: Tunable Parameters

Parameter

Value

Default Value

Description

charmgetratebias

BIAS

A scalar multiplier for reducing the CHARM score when the

URL request rate reaches its limit.

charmconnratebias

BIAS

A scalar multiplier for reducing the CHARM score when the

new connection request rate reaches its limit.

set tuneable
Syntax

Description

set tuneable
<charmgetratebias|charmconnratebias|charmconnbias> <BIAS>

Allows specific charm biases to be modified.

Sample Output
JS>set tuneable charmgetratebias 10
JS>apply
JS>show tuneable all
set tuneable charmgetreatebias 10

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 9

Chassis Definitions
This chapter explains chassis definitions for DDoS Secure and describes the available
advanced configuration commands.

Chassis Definitions Configuration Overview on page 61

show chassis

set chassis vip

set chassis blade

set chassis bgp

set chassis reroute

Chassis Definitions Configuration Overview

One version of the DDoS Secure appliance is provided in a chassis configuration with
multiple blades where each blade is effectively an appliance in its own right, but can
share a common VIP for management access. Associated with this is the ability to
configure the appliance as a BGP trigger router for rerouting of traffic. Table 11 on page 61
describes the chassis parameters.

Table 11: Chassis Parameters

Parameter

Value

Description

IPADDRESS

IP address to be used.

netmask

NETMASK

Netmask to be used.

ddos_secure

IPADDRESS

The appliance blade acting as trigger router.

our_as

ASNUMBER

Local AS #.

neigh_ip

IPADDRESS

BGP neighbor router.

neigh_as

ASNUMBER

Neighbor AS #.

neigh_pass

PASSWORD

Password to secure communications with

neighbor.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Table 11: Chassis Parameters (continued)

Parameter

Value

Description

comm_as

ASNUMBER

Trigger community AS #.

comm_no

NUMBER

Trigger community number.

lowertimer

NUMBER

Length of time below rerouting rate before

dropping the trigger route.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 9: Chassis Definitions

show chassis
Syntax
Description

show chassis <all|vip|blade|bgp|reroute>

Displays the current chassis configuration.

Related
Documentation

set chassis bgp ddos_secure <IPADDRESS>

our_as <ASNUMBER>
neigh_ip <IPADDRESS> neigh_as <ASNUMBER>
neigh_pass <PASSWORD> comm_as <ASNUMBER>
comm_no <NUMBER> lowertimer <NUMBER>

Defines the BGP setup where the defined DDoS Secure appliance is going to act as a
trigger router for injecting BGP routes. This is used in conjunction with the reroute
definitions for a portal, which are applied on a per-protected-IP-address basis, to inject
or withdraw a route.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 9: Chassis Definitions

set chassis reroute

Syntax
Description

Related
Documentation

set chassis reroute ip <IPADDRESS>

Sets a permanent injection of the defined protected IP address into the BGP trigger
routing tables.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 10

Disable RFC Testing

This chapter explains disable RFC testing for DDoS Secure and describes the available
advanced configuration commands.

Disable RFC Testing Configuration Overview on page 69

show disabled

set disabled

Disable RFC Testing Configuration Overview

It is possible to disable some of the RFC compliancy checking, but this does provide a
security risk for the protected servers. Not all the RFC checking can be configured.
Table 12 on page 69 describes the disable parameters.

Table 12: Disable Parameters

Parameter

Value

Description

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show disabled
Syntax
Description

show disabled

Displays the current RFC disabled state.

Sample Output
JS>show disabled
Nothing disabled

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 10: Disable RFC Testing

set disabled
Syntax

Description

set disabled <all|badudppacket_nodata|tcpattack_nodata|

blockedstate_invalidstate|blockedstate_nostate> <yes|no>

Specifies RFC checks to be disabled.

Sample Output
JS>set disabled all yes
JS>apply
JS>show disabled
set disabled unknownsession_nostate yes
unknownsession_invalidstate yes badudppacket_nodata yes
tcpattack_nodata yes badippacket_reflectedroute yes
tcpattack_url_ratelimited yes udpattack_dns_ratelimited yes
udpattack_sip_ratelimited yes badtcppacket_chksum yes
tcpattack_http_format yes unknownsession_reflective yes

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 11

Date and Time

This chapter explains date and time for DDoS Secure and describes the available
advanced configuration commands.

Date and Time Configuration Overview on page 73

show clock

set clock timenow

set clock timezone

set clock ntp

show timezones

Date and Time Configuration Overview

Table 13 on page 73 describes the date and time parameters and their formats.

Table 13: Date and Time Parameters

Parameter

Value

Description

timenow

TIMESTRING

The date and time.

timezone

TIMEZONE

The time zone for displaying date and time.

ntp

IPLIST|none

NTP server(s) with which to synchronize.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show clock
Syntax
Description

show clock

Displays the current time, time zone and NTP server configured.

Sample Output
JS>show clock
set clock timenow 2003-01-15T15:26:27
set clock timezone Europe/London
set clock ntp none

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 11: Date and Time

set clock timenow

Syntax
Description

set clock timenow <TIMESTRING>

Sets the system clock. It is important to set the system time zone to the correct value
before adjusting the clock time. This is because the set clock timenow command assumes
that all time values entered are offset from UTC time by the local time zone. If the local
time is configured while the time zone is set to a region with a different time offset from
UTC, the clock will effectively be wrong by the number of hours separating the current
local time zone from the system set time zone. This difference will clear when the system
time zone value is corrected.

NOTE: This command is applied immediately without having to use the now
parameter or using the apply command.

Sample Output
JS>show clock timenow
set clock timenow 2013-11-14T14:21:27
JS>set clock timenow 2013-11-14T14:00:00
JS>apply
JS>show clock timenow
set clock timenow 2013-11-14T14:00:03
JS>set clock timenow 14 nov2013 15:00:00
JS>apply
JS>show clock timenow
set clock timenow 2013-11-14T15:00:03
JS>set clock timenow 14-nov-13 16:00:00
JS>apply
JS>show clock timenow
set clock timenow 2013-11-14T16:00:03
JS>set clock timenow nov 14 17:00:00 2013
JS>apply
JS>show clock timenow
JS>set clock timenow 2013-11-14T17:00:02
JS>apply

Related
Documentation

set clock timezone on page 76

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set clock timezone

Syntax
Description

set clock timezone <TIMEZONE>

Sets the time zone of the appliance. A complete list of valid time zones can be displayed
using the show timezones command.

Sample Output
JS>show clock
set clock timenow 2003-08-13T21:01:11
set clock timezone Europe/London
set clock ntp none
JS>set clock timezone Europe/Paris
JS>apply
JS>show clock
set clock timenow 2003-08-13T22:01:22
set clock timezone Europe/Paris
set clock ntp none

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 11: Date and Time

set clock ntp

Syntax
Description

set clock ntp <IPLIST|none>

Defines the NTP server or servers. A DDoS Secure appliance unit can also take advantage
of an NTP server to help maintain a more accurate value for the time. The set clock ntp
command can be used to define one or more NTP servers to be used for synchronizing
the time. Time synchronizations are performed every hour but if the difference between
the appliance local clock and the NTP server clock is greater than a few minutes. It is
recommended that the set clock timenow command is used first to bring the two clocks
closer together.

Sample Output
JS>set clock ntp 128.118.25.3,140.162.8.25,130.88.200.98

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show timezones
Syntax
Description

show timezones

Displays a complete list of time zones supported by the DDoS Secure appliance. Since
the list is long, the system automatic paging takes over before the first line of the answer
scrolls off the top of the display. It is important to note that time zone values are
case-sensitive.

Sample Output
JS>show timezones
Available timezones:
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
Africa/Asmera
Africa/Bamako
Africa/Bangui
Africa/Banjul
Africa/Bissau
Africa/Blantyre
Africa/Brazzaville
Africa/Bujumbura
Africa/Cairo
Africa/Casablanca
-- more

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 12

Debug Options
This chapter explains debug options for DDoS Secure and describes the available
advanced configuration commands.

Debug Options Configuration Overview on page 79

show debugging

set debugging

Debug Options Configuration Overview

The debug options are used to aid in the diagnosis of suspicious traffic handling by a
DDoS secure appliance unit. When enabled, the DDoS secure appliance generates detailed
logs, but this can be at the expense of top end performance. The debug options should
only be enabled at the suggestion of DDoS secure appliance support staff. By default,
worstoffenders and autoblacklist are enabled, as they tend not to create too high a loading.
Table 14 on page 79 describes the Debug Option parameters and their formats.

Table 14: Debug Option Parameters

Parameter

Value

Description

attackotherip

yes|no

Other IP attack debugging.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Table 14: Debug Option Parameters (continued)

Parameter

Value

Description

combination of all the above combinations.

worstoffenders

yes|no

Log Worst Offenders to main log file.

autoblacklist

yes|no

Log Auto-Blacklist to main log file.

Copyright 2014, Juniper Networks, Inc.

Chapter 12: Debug Options

show debugging
Syntax
Description

show debugging

Displays the current debugging options.

Sample Output
JS>show debugging
set debugging bandwidth no packetrate no blockedprotocol no blockedstate no
attackip no attacktcp no attackudp no attackicmp no attackotherip no
attackfragment no badippacket no badtcppacket no badudppacket no
badicmppacket no badotherippacket no overloadedip no worstoffenders yes
autoblacklist yes incidentdetail no

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set debugging
Syntax
Description

Related
Documentation

set debugging <PARAMETER> <VALUE> []

Sets the <PARAMETER> <VALUE> pair is taken from the debug option parameters.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 13

External Authenticators
This chapter explains external authenticators for DDoS Secure and describes the available
advanced configuration commands.

External Authenticators Configuration Overview on page 84

show auth

set auth

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

External Authenticators Configuration Overview

There are two types of external authenticators, as well as the local password file, for
authentication. If an external authenticator is defined and enabled, then the password
checking order is external (RADIUS), then external (TACACS+), if both the options fail,
then local is used. Table 15 on page 84 describes the external authenticator type details.

Table 15: External Authenticator Types

Parameter

Value

Description

radius

RADIUS

Requires an external RADIUS server, which holds

the user authentication records.

tacacs+

TACACS+

Requires an external TACACS+ server, which holds

the user authentication records.

NOTE: TACACS+ is not available by default.

Table 16 on page 84 describes the external authenticator parameters and their formats.

Table 16: External Authenticator Parameters

Parameter

Value

Description

server

IPADDRESS

The IP address of the server.

backup

IPADDRESS|none

Alternative server IP address.

secret

SECRET

The secret need to encrypt/decrypt the

authentication session.

enabled

yes|no

Whether the authenticator is enabled or not.

port

PORT

The port the RADIUS server is listening on.

protocol

TPROTOCOL

TACACS+ protocol.

service

TSERVICE

TACACS+ service.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

User Management Configuration Overview on page 225

Access Control Configuration Overview on page 13

Copyright 2014, Juniper Networks, Inc.

Chapter 13: External Authenticators

show auth
Syntax
Description

show auth

Displays the list of the authenticator definitions.

Sample Output
JS>show auth
set auth radius server 192.168.0.3 backup none port 1812 secret secret
enabled yes
set auth tacacs+ server 192.168.0.3 backup none secret secret-1 protocol
lcp service juniper appliance enabled no

Users with operator permissions will be shown the secrets masked out.
JS>show auth
set auth radius server 192.168.0.3 backup none port 1812 secret xxxxxxxx
enabled yes
set auth tacacs+ server 192.168.0.3 backup none secret xxxxxxxx protocol
lcp service juniper enabled no

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

set auth
Syntax

Description

set auth radius server <IPADDRESS>

[backup <IPADDRESS>|none> secret <SECRET> [port <PORT>]
set auth tacacs+ server <IPADDRESS>
[backup <IPADDRESS>|none>] secret <SECRET>
protocol <TPROTOCOL> service <TSERVICE>

Modifies any parameters of an authenticator definition.

A user has to be defined on the DDoS Secure appliance (with a password) before this
command can be used to either connect to the GUI or to connect through SSH. We
recommend that you set at least one known local password so that it is possible to
authenticate to the appliance in an emergency when the external authenticator is not
available.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 14

Filter Aggregation
This chapter explains filter aggregation for DDoS Secure and describes the available
advanced configuration commands.

Filter Aggregation Configuration Overview on page 88

show fagg

remove fagg

set fagg

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Filter Aggregation Configuration Overview

Servers require a list of one or more filters when determining what traffic to allow. This
list is searched for the first match and then used. To aid you in configuring these lists,
filter aggregations are used to define a list of up to seven filters. A filter aggregation might
refer to a (previously defined) filter aggregation to extend the list.
A filter aggregation must already be defined before it can be named within an option
that expects a filter or filter aggregation. A filter aggregation can be named against more
than one server configuration or filter aggregation.
Table 17 on page 88 describes the filter aggregation parameters and their formats.

Table 17: Filter Aggregation Parameters

Parameter

Value

Default Value

check against.

filterg

FILTERNAME

-undefined-

The name of the filter or filter aggregation to

check against.

Table 18 on page 88 describes the filter fixed value and its format.

Table 18: Filter Fixed Value Formats

Parameter Value

Description

-undefined-

Entry not in use.

Copyright 2014, Juniper Networks, Inc.

Chapter 14: Filter Aggregation

show fagg
Syntax
Description

show fagg <FILTERNAME|all>

Displays the settings of the named filter aggregation.

Sample Output
JS>show fagg web-agg
set fagg web-agg filtera web filterb default filterc undefinedfilterd
undefined- filtere undefined- filterf undefinedfilterg undefined-

Alternatively, the reserved filter name all can be specified to show all defined filters.
JS>show fagg all
set fagg web-agg filtera web filterb default filterc undefinedfilterd
undefined- filtere undefined- filterf undefinedfilterg undefinedset fagg example-agg filtera default filterb undefined- filterc
undefinedfilterd undefined- filtere undefined- filterf
undefinedfilterg undefined-

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

remove fagg
Syntax
Description

remove fagg <FILTERNAME|all>

Deletes a specified filter aggregation. The specified filter aggregation will not be deleted
if it is currently assigned to a server.

Sample Output
JS>show fagg web-agg
set fagg web-agg filtera web filterb default filterc undefinedfilterd
undefined- filtere undefined- filterf undefinedfilterg
undefinedJS>remove fagg web-agg
JS>apply
JS>show fagg web-agg
Not configured

The remove fagg command can also be used to delete all filter aggregations, as long as
none are assigned to a server, by using the reserved filter name all. If all the filter
aggregations cannot be removed then an error message is returned and none are removed.
If all the filter aggregations can be safely removed, the user will be prompted for
confirmation.
JS>show fagg all
set fagg web-agg filtera web filterb default filterc undefinedfilterd
undefined- filtere undefined- filterf undefinedfilterg
undefinedset fagg example-agg filtera default filterb undefined- filterc undefinedfilterd undefined- filtere undefined- filterf undefinedfilterg undefinedJS>remove fagg all
Are you sure [yes/no]? yes
JS>apply
JS>show fagg all
Not configured

NOTE: It is possible to turn off prompting which can be useful when using
automated scripts.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 14: Filter Aggregation

set fagg
Syntax

Description

set fagg <FILTERNAME> [filtera <FILTERNAME|-undefined->]

Creates a new filter aggregation entry or modifies an existing one. At a minimum, a name
and one parameter value pair must be specified when using the command. If the name
specified does not match an existing filter entry, a new entry is created with that name
and any parameter value pair not specified causes that parameter to be set with the
default value. If an entry already exists that matches the name specified then only the
parameter value pairs specified are altered.

Sample Output
JS>show fagg all
set fagg web-agg filtera web filterb default filterc undefinedfilterd
undefined- filtere undefined- filterf undefinedfilterg undefinedset fagg example-agg filtera default filterb undefined- filterc
undefinedfilterd undefined- filtere undefined- filterf undefinedfilterg undefinedJS>set fagg web-agg filterg webplus
JS>apply
JS>show fagg all
set fagg web-agg filtera web filterb default filterc undefinedfilterd
undefined- filtere undefined- filterf undefinedfilterg webplus
set fagg example-agg filtera default filterb undefined- filterc undefinedfilterd undefined- filtere undefined- filterf undefinedfilterg undefined-

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 15

Layer 7 Inspection
This chapter explains Layer 7 inspection for DDoS Secure and describes the available
advanced configuration commands.

Layer 7 Inspection Configuration Overview on page 93

show inspect

remove inspect

set inspect

Layer 7 Inspection Configuration Overview

It is possible to inspect certain Layer 7 requests, and give weightings (negative CHARM
bias) to specific requests to discourage repeated access to these requests. This bias is
also added to the Worst Offenders Resource Usage average rate, so it must have a value
that is less than autoblockratet2 (see set appliance). Currently, inspection of HTTP URLs
and DNS queries is supported. Matching is defined by:

The matching of the entire request, including parameters.

The matching of the initial part of the request, which can possibly include some
parameters.

The use of Basic Regular Expression syntax.

The use of Extended Regular Expression syntax. To prevent unexpected matchesfor

example, a match on any / in the URL that does not indicate a homepageuse the ^
and $ anchors.

Where possible, we recommend that you use matching methods 1 and 2 for performance
reasons.
Table 19 on page 93 describes the show inspect parameters.

Table 19: Show Inspect Parameters

Parameter

Value

Example

Description

url_match

all|STRING

http://a.b.c/file

Exact match of an HTTP query.

url_regex

all|REGEX

http://a.*/file

Regular expression match of an HTTP request.

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Table 19: Show Inspect Parameters (continued)

Parameter

Value

Example

Description

dns_match

all|STRING

www.juniper.net?A

Match on a DNS query.

dns_regex

all|REGEX

*?ANY

Regular expression match on a DNS query.

sip_match

all|STRING

sip:[email protected]

Exact match on a SIP query.

sip_regex

all|REGEX

sip:[email protected]

Regex match on a SIP query.

sip_eregex

all|EREGEX

sip:[email protected]

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

Copyright 2014, Juniper Networks, Inc.

CHAPTER 16

Logging Thresholds
This chapter explains logging thresholds for DDoS Secure and describes the available
advanced configuration commands.

Logging Thresholds Configuration Overview on page 99

show threshold view

show threshold create

show threshold offenders

show threshold alert

set threshold

show incidents

set incidents

Logging Thresholds Configuration Overview

A DDoS secure appliance uses a set of values known as Create Thresholds to determine
the rate, for each defense type, at which the user would like an incident record to be
created. The thresholds define at what rate packets must be dropped before the incident
is created. An incident is considered closed when the drop rate remains below the defined
threshold for longer than the specified incident timeout.
Create thresholds are mirrored by three other sets of thresholds. The first of these is the
offenders threshold set, which determines the rate at which packets must be dropped
for an individual client IP address to warrant addition to the worst offenders table. The
second set is the alert thresholds set, which determines when an alert e-mail or SNMP
trap is sent, as well as being logged in the regular log file. The third is the view thresholds
set, which determines the rates at which packets must be dropped before the
corresponding incidents are listed on the Web UI. This last set is effectively a viewing
filter to limit the display of incidents to those of most interest.
The following commands describe how to examine and change these threshold values,
as well as ignore certain types of attack completely if desired:

show threshold create

show threshold offenders

Copyright 2014, Juniper Networks, Inc.

DDoS Secure CLI User Guide

show threshold alert

show threshold view

Table 20 on page 100 describes the logging threshold types.

Table 20: Logging Threshold Types

Parameter

Description

create

Thresholds associated with the creation of incidents.

offenders

Thresholds associated with entry into the worst offenders table.

alert

Thresholds associated with the sending of e-mail alerts.

view

Thresholds associated with the viewing/display of incidents.

Table 21 on page 100 describes the logging threshold parameters and their formats.

Table 21: Logging Threshold Parameters

Parameter

Value

they constitute an IP attack.

100

Copyright 2014, Juniper Networks, Inc.

Chapter 16: Logging Thresholds

Table 21: Logging Threshold Parameters (continued)

they are an invalid UDP packet.

Copyright 2014, Juniper Networks, Inc.

101

DDoS Secure CLI User Guide

Table 21: Logging Threshold Parameters (continued)

Parameter

Value

show threshold view

Syntax
Description

show threshold view

Displays the current incident view threshold configuration.

Sample Output
JS>show threshold view
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set

Related
Documentation

threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold

view
view
view
view
view
view
view
view
view
view
view
view
view
view
view
view

bandwidthenable yes bandwidthrate 100

packetrateenable yes packetraterate 100
blockedprotocolenable yes blockedprotocolrate 100
blockedstateenable yes blockedstaterate 100
attackipenable yes attackiprate 100
attacktcpenable yes attacktcprate 100
attackudpenable yes attackudprate 100
attackicmpenable yes attackicmprate 100
attackotheripenable yes attackotheriprate 100
attackfragmentenable yes attackfragmentrate 100
badippacketenable yes badippacketrate 100
badtcppacketenable yes badtcppacketrate 100
badudppacketenable yes badudppacketrate 100
badicmppacketenable yes badicmppacketrate 100
badotherippacketenable yes badotherippacketrate 100
overloadedipenable yes overloadediprate 100

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

103

DDoS Secure CLI User Guide

show threshold create

Syntax
Description

show threshold create

Displays the current incident create threshold configuration.

Sample Output
JS>show threshold create
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set

Related
Documentation

104

threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold

create
create
create
create
create
create
create
create
create
create
create
create
create
create
create
create
create

autoadjust yes
bandwidthenable yes bandwidthrate 10
packetrateenable yes packetraterate 10
blockedprotocolenable yes blockedprotocolrate 10
blockedstateenable yes blockedstaterate 10
attackipenable yes attackiprate 10
attacktcpenable yes attacktcprate 10
attackudpenable yes attackudprate 10
attackicmpenable yes attackicmprate 10
attackotheripenable yes attackotheriprate 10
attackfragmentenable yes attackfragmentrate 10
badippacketenable yes badippacketrate 10
badtcppacketenable yes badtcppacketrate 10
badudppacketenable yes badudppacketrate 10
badicmppacketenable yes badicmppacketrate 10
badotherippacketenable yes badotherippacketrate 10
overloadedipenable yes overloadediprate 10

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 16: Logging Thresholds

show threshold offenders

Syntax
Description

show threshold offenders

Displays the worst offenders recording thresholds.

Sample Output
JS>show threshold offenders
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set

Related
Documentation

threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold

offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders
offenders

bandwidthenable yes bandwidthrate 10

packetrateenable yes packetraterate 10
blockedprotocolenable yes blockedprotocolrate 10
blockedstateenable yes blockedstaterate 10
attackipenable yes attackiprate 10
attacktcpenable yes attacktcprate 10
attackudpenable yes attackudprate 10
attackicmpenable yes attackicmprate 10
attackotheripenable yes attackotheriprate 10
attackfragmentenable yes attackfragmentrate 10
badippacketenable yes badippacketrate 10
badtcppacketenable yes badtcppacketrate 10
badudppacketenable yes badudppacketrate 10
badicmppacketenable yes badicmppacketrate 10
badotherippacketenable yes badotherippacketrate 10
overloadedipenable no overloadediprate 10

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

105

DDoS Secure CLI User Guide

show threshold alert

Syntax
Description

show threshold alert

Displays the current incident alert threshold configurations.

Sample Output
JS>show threshold alert
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set
set

Related
Documentation

106

threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold
threshold

alert
alert
alert
alert
alert
alert
alert
alert
alert
alert
alert
alert
alert
alert
alert
alert

bandwidthenable yes bandwidthrate 100

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 16: Logging Thresholds

set threshold
Syntax

Description

set threshold <create|view|alert|offenders>

<PARAMETER> <VALUE> []

Sets the <PARAMETER> <VALUE> pair is taken from the logging threshold parameter.
The threshold is the number of packets dropped per second while the attack is in progress.
Once this threshold rate is exceeded, then the attack is logged as an incident. Create
rates are calculated on a per-protected-server basis. The offender rates are calculated
on a per-client basis.

NOTE: If the view/alert threshold is set lower than the create threshold for
a particular defense type, then it will only trigger when the Incident has been
created.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

107

DDoS Secure CLI User Guide

show incidents
Syntax
Description

show incidents

Displays the incident timeout, lifetime, and warning threshold. An incident is closed when
the packet rate has been below the create threshold for the specified number of timeout
minutes, or the incident has been open for more than the specified lifetime minutes.
An Incident is only alerted on if the Incident has been above the alert threshold for at
least the configured threshold number of seconds. Table 22 on page 108 describes the
incident parameters.

Sample Output
JS>show incidents
set incidents timeout 5 lifetime 60 threshold 60

Table 22: Incident Parameters

Parameter

Value

Description

timeout

TIMEOUT

How long an incident drop rate must be below

the create threshold before the incident is closed
(in minutes).

lifetime

LIFETIME

How long an Incident can live for (in minutes).

threshold

THRESHOLDTIME

Length of time an item is above the threshold

before an event triggers (in seconds).

logrefresh

LOGREFRESHTIME

Length of time an incident refresh update for

Structured Log (secs).

Related
Documentation

108

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 16: Logging Thresholds

set incidents
Syntax

Description

Related
Documentation

set incidents [timeout <TIMEOUT>] [lifetime <LIFETIME>]

[threshold <THRESHOLDTTIME>]
[logrefresh <LOGREFRESHTIME>]

Sets the incident timeout, lifetime, logrefresh, or threshold times.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

109

DDoS Secure CLI User Guide

110

Copyright 2014, Juniper Networks, Inc.

CHAPTER 17

MAC Gateway
This chapter explains MAC gateway configuration for DDoS Secure and describes the
available advanced configuration commands.

MAC Gateway Configuration Overview on page 111

show gateway

remove gateway

set gateway

MAC Gateway Configuration Overview

A DDoS Secure appliance unit operates at both the Ethernet layer and the Internet
Protocol layers. Defense is managed at the Ethernet layer based on a list of gateways,
which are tracked by Ethernet MAC addresses. The Ethernet addresses discovered can
be those of routers and firewalls, or they can be those of individual hosts, but they are
all treated the same way. Ethernet addresses detected on the appliance Internet interface
are classified as Internet gateways, and the addresses detected on the appliance
protected interface are classified as protected gateways. Gateways are detected
automatically and each is configured with the default maximum bandwidth allowed
until configured otherwise.
Table 23 on page 111 describes the gateway types.

Table 23: Gateway Types

Gateway Type

Description

protected

All gateways detected or specified connected to the protected interface.

Internet

All gateways detected or specified connected to the Internet interface.

Table 24 on page 112 describes the gateway parameters and their formats.

Copyright 2014, Juniper Networks, Inc.

111

DDoS Secure CLI User Guide

Table 24: Gateway Parameters

Parameter

Value

Description

tospeed

SPEED

The maximum speed that data can be sent to the

gateway. If the data trying to be sent to the
gateway exceeds this speed then bandwidth
defense will be applied.

topkts

PKTS

The maximum packet rate that can be sent to the

gateway. If the packet rate to the gateway
exceeds this setting then packet rate defense will
be applied.

Related
Documentation

112

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

Chapter 17: MAC Gateway

show gateway
Syntax

Description

show gateway <internet|protected> <MAC|all|autodetected>

show gateway <all>

Displays the selected gateway configuration

The second parameter is used to refine the selection of the gateways still further. The
value all is used to show all defined gateways and their configuration. A value of <MAC>
displays the gateway with the specified MAC address along with its configuration. The
value auto-detected displays only the MAC address of any auto-detected gateways.
Auto-detected gateways are not part of the actual configuration and thus only MAC
addresses are listed.

Sample Output
JS>show gateway all
set gateway internet 00:90:27:EA:BF:96 tospeed 0 topkts 10K
set gateway protected 01:02:03:04:05:06 tospeed 100M topkts 37.2K

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

113

DDoS Secure CLI User Guide

remove gateway
Syntax
Description

remove gateway <internet|protected> <MAC|all|autodetected>

Removes the defined gateway from the configuration.

NOTE: When the value all, or autodetected, is used with the remove gateway
command, the user is prompted to verify the selection. This prompting can
be turned off, which may be of use for scripted configurations.
When autodetected is used, the command is applied immediately without
having to use the now parameter or the apply command.

Sample Output
JS>remove gateway internet all
Are you sure [yes/no]? yes

Related
Documentation

114

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 17: MAC Gateway

set gateway
Syntax

Description

set gateway <internet|protected> <MAC> [tospeed <SPEED>]

[topkts <PKTS>]

Adds a new gateway to the configuration, or changes the settings of a gateway already
defined in the configuration. The two parameters determine when bandwidth defense
and packet rate defense should be activated. By default, the packet rate defense
maximum threshold value <PKTS> is 25% of the maximum packet rate of the bandwidth
threshold value <SPEED> when composed entirely of minimum-size packets (this
percentage is increased for speeds less than 8M, and 100% for speeds less than 2M). A
higher value may be needed for a busy gateway heavily used by chat software, but many
gateways start to suffer from performance problems when over 50% of their rated
bandwidth limit is used to carry small packets alone.

Sample Output
JS>set gateway internet 00:01:02:03:04:05 tospeed 10M
JS>apply
JS>show gateway internet 00:01:02:03:04:05
set gateway internet 00:01:02:03:04:05 tospeed 10M topkts 3720

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

115

DDoS Secure CLI User Guide

116

Copyright 2014, Juniper Networks, Inc.

CHAPTER 18

Mail Reporting
This chapter explains mail reporting for DDoS Secure and describes the available
advanced configuration commands.

Mail Reporting Configuration Overview on page 117

show mail

set mail

Mail Reporting Configuration Overview

A DDoS Secure appliance unit can send incident alerts or daily reports through e-mail.
These are configurable on a per-portal basis. Table 25 on page 117 describes the e-mail
parameters.

Table 25: Mail Parameters

Parameter

Value

Description

EMAILADDRESSES

The e-mail address to which the alert or daily

report is to be sent. Comma-separated addresses
can be specified.

from

EMAILADDRESS

The e-mail address from which the alert or daily

report appears to come.

server

IPADDRESS|none

The IP address of the SMTP server to which the

alert or daily report is to be forwarded.

wsserver

IPADDRESS|none

The IP address through which the appliance is

accessed, which may be different from the actual
appliance management IP address.

dailystats

yes|no

If set, a daily summary of statistics is e-mailed.

weeklystats

yes|no

If set, a weekly summary of statistics is e-mailed.

monthlystats

yes|no

If set, a monthly summary of statistics is e-mailed.

cluster

yes|no

If set, a cluster daily summary is sent out as well.

Copyright 2014, Juniper Networks, Inc.

117

DDoS Secure CLI User Guide

Table 25: Mail Parameters (continued)

Parameter

Value

Description

alerts

yes|no

If set, incident alerts are e-mailed out at a rate no

faster than specified by alert interval.

alertinterval

ALERTINTERVAL

This is the minimum amount of time (in minutes)

between two e-mail alerts, acting as a rate limiter.
Each e-mail can contain information about
multiple incidents.

Related
Documentation

118

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 18: Mail Reporting

show mail
Syntax
Description

show mail

Displays the current daily e-mail configuration.

Sample Output
JS>show mail
set mail server none dailystats yes weeklystats yes monthlystats yes alerts no
nullsender yes cluster no alertinterval 5

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

119

DDoS Secure CLI User Guide

set mail
Syntax

Description

set mail [to <EMAILADDRESSES>] [from <EMAILADDRESS>]

E-mail is not sent unless, at a minimum, the to, from, and server parameter values are
defined. The server IP address cannot be configured without valid to and from parameters.
The to and from parameters may be configured previously or along with the server IP
address. Below is an example warning given when attempting to set a server IP address
without valid to and from parameters.

Sample Output
JS>set mail server 192.168.0.10
mail: from <EMAILADDRESS>: missing
mail: to <EMAILADDRESS>: missing
JS>apply
Nothing to apply!
JS>set mail server 192.168.0.10 to [email protected]
from [email protected]
JS>apply
JS>show mail
set mail server 192.168.0.10 from [email protected]
to [email protected] dailystats yes weeklystats yes monthlystats yes
alerts no nullsender yes cluster no alertinterval 5

Once a parameter value has been set, that value will be used until changed. It is not
necessary to set all the values every time one of them needs to be changed. The server
address can be set to none to disable e-mails from being sent.

Related
Documentation

120

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 19

Network
This chapter explains network configuration for DDoS Secure and describes the available
advanced configuration commands.

Network Configuration Overview on page 121

show interface

set interface management

set interface datashare

set interface protected

set interface internet

set interface global

set interface ipmi

show dns

set dns

remove route

show route

set route

Network Configuration Overview

Each DDoS Secure appliance has four network interfaces, along with a common definition,
as described in Table 26 on page 121.

Table 26: Interface Types

Interface Name

Description

management

The management interface, for the appliance management.

protected

The protected interface, connected to the protected hosts on the LAN.

internet

The Internet interface, connected to hosts on the rest of the LAN or the Internet.

datashare

The data share interface, used to share state and incident information between the
appliances. This interface might not be available on all hardware configurations.

Copyright 2014, Juniper Networks, Inc.

121

DDoS Secure CLI User Guide

Table 26: Interface Types (continued)

Interface Name

Description

global

For setting parameters that are common to both Internet and protected interfaces.

ipmi

The IPMI interface management IP address for remote appliance access (not available
on virtual appliances).
NOTE: The IPMI Controller must be enabled to use Network Access. This can only be
done through configuring the BIOS /IPMI during the appliance boot phase.

Table 27 on page 122 lists all the possible configuration parameters. However, not all
interface type will accept them. IP addresses can only be configured on the management
and data share interfaces as they are the only interfaces on an appliance unit that have
an active TCP/IP stack.

Table 27: Interface Parameters

Parameter

Value

Description

hwid

HARDWARE-ID

The hardware ID of the appliance. If this

parameter is specified then any following
parameters are ignored if the hardware ID
specified does not match that of the appliance.
This parameter is always shown when displaying
the configuration because interface configuration
is unique to an individual appliance.

IPADDRESS

The IPv4 address of the appliance management

or data share interface.

netmask

NETMASK

The netmask of the appliance management or

data share interface.

gateway

IPADDRESS|none

The default gateway of the appliance

management interface. Specify none to clear the
default gateway.

linkmode

LINKMODE

The link mode of the interface.

fcmode

FCMODE

The flow control mode of the interface.

mtu

MTU_SIZE

The MTU size (default 1500) for traffic flowing

between the Internet and protected interfaces.

lfpt

yes|no

Whether a link failure on one (Internet/protected)

interface of the appliance is to be passed through
to the other side by dropping the transmitter.

cdp

yes|no

Whether all the interfaces are to generate CDP

packets or not.

122

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

Table 27: Interface Parameters (continued)

Parameter

Value

Description

portpair1

yes|no

Multiple fail-safe cards are available. The first

fail-safe card is known as portpair1.

portpair2

yes|no

Multiple fail-safe cards are available. The second

fail-safe card is known as portpair2.

trackvlans

yes|no

If set, different VLANs will cause different stateful

sessions even if they have the same IP addresses
and ports.

dhcp

yes|no

If set, DHCP is enabled on this interface.

Related
Documentation

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

MAC Gateway Configuration Overview on page 111

Copyright 2014, Juniper Networks, Inc.

123

DDoS Secure CLI User Guide

show interface
Syntax
Description

show interface

Displays the network interface configuration. Each interface can be configured with or
without the unique appliance hardware ID (always shown on display output), that enables
the automatic generation of a common configuration to be shared with multiple DDoS
Secure appliance units. It also allows each unit to have customized network interface
configurations when the hardware ID is included.

Sample Output
JS>show interface
set interface management hwid 00:80:B4:07:CE:25 dhcp no ip 192.168.0.189 netmask
255.255.255.0 gateway 192.168.0.4 linkmode auto fcmode auto
set interface protected hwid 00:80:B4:07:CE:25 linkmode auto fcmode auto
set interface internet hwid 00:80:B4:07:CE:25 linkmode auto fcmode auto
set interface datashare hwid 00:80:B4:07:CE:25 dhcp no ip none netmask
255.255.255.0 linkmode auto fcmode auto
set interface global mtu 1500 cdp yes lfpt no trackvlans no portpair1 yes portpair2
yes
set interface ipmi hwid 00:80:B4:07:CE:25 dhcp no ip none netmask 255.255.255.0
gateway none

Related
Documentation

124

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

set interface management

Syntax

Description

Related
Documentation

set interface management [hwid <HARDWARE-ID>]

[dhcp <yes|no>] [ip <IPADDRESS>] [netmask <NETMASK>]
[gateway <IPADDRESS|none>] [linkmode <LINKMODE>]
[fcmode <FCMODE>]

Sets the basic TCP/IP configuration and link mode of the management interface. The
TCP/IP options are required for remote network management of the DDoS Secure
appliance. One or more parameters can be configured at the same time, with or without
the addition of the hwid parameter. But, the hwid parameter cannot be specified alone.
Even if only one parameter is set, all the current settings are shown when the configuration
is displayed.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

125

DDoS Secure CLI User Guide

set interface datashare

Syntax

Description

Related
Documentation

126

set interface datashare [hwid <HARDWARE-ID>]

[dhcp <yes|no>] [ip <IPADDRESS|none] [netmask <NETMASK>]
[linkmode <LINKMODE>] [fcmode <FCMODE>] [mtu <MTU_SIZE>]

Sets the basic TCP/IP configuration and link mode of the data share interface. If the IP
address is set to none, then the data share interface will not be used. One or more
parameters can be configured at the same time, with or without the addition of the hwid
parameter. But, the hwid parameter cannot be specified alone. Even if only one parameter
is set, all the current settings are shown when the configuration is displayed.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

set interface protected

Syntax

Description

set interface protected [hwid <HARDWARE-ID>]

linkmode <LINKMODE> [fcmode <FCMODE>]

Sets the link mode of the protected interface. Not all link mode values can be supported
depending on the DDoS Secure appliance model. The specification of
hwid<HARDWARE-ID> is optional but helps avoid misconfiguration when sharing
configuration files between the appliances. The hwid option and its value are always
included when the configuration is displayed or saved. The hwid option cannot be specified
alone.
If this interface spans multiple interfaces (WS-3G), then all subinterfaces will be set to
the same specification. Load sharing across the multiple interfaces will be done by the
switch connected to the protected interface. Any 802.3ad packets are passed through
to the Internet interface for onward transmission, so that the Internet and protected
switches can set up their own link aggregation. Any packet received on one of the
subinterfaces will be sent out of the corresponding subinterface. The
upstream/downstream switch must be configured for lag/teaming mode and load share
appropriately.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

127

DDoS Secure CLI User Guide

set interface internet

Syntax

Description

set interface internet [hwid <HARDWARE-ID>]

linkmode <LINKMODE> [fcmode <FCMODE>]

Sets the link mode of the Internet interface. Not all link mode values may be supported
depending on the DDoS Secure appliance model. The specification of hwid
<HARDWARE-ID> is optional but helps avoid misconfiguration when sharing configuration
files between the appliances. The hwid option and its value are always included when
the configuration is displayed or saved. The hwid option cannot be specified alone.
If this interface spans multiple interfaces (WS-3G), then all subinterfaces will be set to
the same specification. Load sharing across the multiple interfaces will be done by the
switch connected to the Internet interface. Any 802.3ad packets are passed through to
the protected interface for onward transmission so that the Internet and protected
switches can set up their own link aggregation. Any packet received on one of the
subinterfaces will be sent out of the corresponding subinterface. The
upstream/downstream switch must be configured for lag/teaming mode and load share
appropriately.

Related
Documentation

128

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

set interface global

Syntax

Description

Related
Documentation

set interface global mtu <MTU_SIZE> lftp <yes|no>

cdp <yes|no> trackvlans <yes|no>
portpair1 <yes|no> portpair2 <yes|no>

Sets the common definition for traffic flowing between the Internet and protected
interfaces, which port pairs are enabled, and whether CDP packets are to be generated
or not on all interfaces.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

129

DDoS Secure CLI User Guide

set interface ipmi

Syntax

Description

Related
Documentation

130

set interface ipmi [hwid <HARDWARE-ID>] [dhcp <yes|no>] [ip <<IPADDRESS>]

[netmask <NETMASK>] [gateway <<IPADDRESS|none>]

Sets the basic TCP/IP configuration of the IPMI interface. The TCP/IP options are required
for remote network IPMI management of the DDoS Secure appliance. One or more
parameters can be configured at the same time, with or without the addition of the hwid
parameter. But, the hwid parameter cannot be specified alone. Even if only one parameter
is set, all the current settings are shown when the configuration is displayed.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

show dns
Syntax
Description

show dns

Shows the current DNS configuration.

Sample Output
JS>show dns
set dns forwarder 192.168.0.3

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

131

DDoS Secure CLI User Guide

set dns
Syntax
Description

set dns forwarder <IPLIST>

Sets the IP address of the DNS server(s), to forward any DNS queries to.
Table 28 on page 132 lists the DNS configuration parameter.

Table 28: DNS Parameter

Parameter

Value

Description

forwarder

IPLIST

One or more IP addresses, which acts as the DNS server.

Sample Output
JS>set dns forwarder 192.168.0.3
JS>show dns
set dns forwarder 192.168.0.3

Related
Documentation

132

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

remove route
Syntax
Description

Related
Documentation

remove route <all|IPNETWORK>

Removes additional routing.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

133

DDoS Secure CLI User Guide

show route
Syntax

show route <all|IPNETWORK>

Description

Shows the additional routing.

Sample Output
JS>show route all
Not configured

Related
Documentation

134

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 19: Network

set route
Syntax
Description

set route cidr <IPNETWORK> gateway <IPADDRESS>

Sets additional routing incase the default gateway is insufficient to access different IP
addresses. It is not normally required, as the default gateway is usually sufficient.
Table 29 on page 135 lists the route configuration parameter.

Table 29: Route Parameter

Parameter

Value

Description

cidr

IPNETWORK

A classless Internet domain routing definition.

gateway

IPADDRESS

The gateway for the classless Internet domain.

Sample Output
JS>show route all
Not configured
JS>set route cidr 192.168.1.0/24 gateway 192.168.0.1
JS>apply
JS>show route all
set route cidr 192.168.1.0/24 gateway 192.168.0.1

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

135

DDoS Secure CLI User Guide

136

Copyright 2014, Juniper Networks, Inc.

CHAPTER 20

NetFlow
This chapter explains netflow configuration for DDoS Secure and describes the available
advanced configuration commands.

NetFlow Configuration Overview on page 137

show netflow

set netflow

NetFlow Configuration Overview

The DDoS Secure appliance is capable of sending netflow packets (Version 9: RFC 3954)
to a NetFlow collector for data analysis and reporting. Table 30 on page 137 describes
the netflow parameters.

Table 30: NetFlow Parameters

Parameter

Value

Description

IPLIST|IPMULTI|none

The IP address to which webtrends messages will

be sent.

port

PORT

The port number that the netflow collector is

listening on.

templatep

TEMPLATEP

Retransmit the netflow templates after

transmitting this number of netflow packets, or
the templatem timeout has expired.

templatem

TEMPLATEM

Retransmit the netflow templates after this time

in minutes, or when templatep packets have been
transmitted.

flowflush

FLOWFLUSH

Generate a netflow record for a flow after this

time in minutes.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

137

DDoS Secure CLI User Guide

show netflow
Syntax
Description

show netflow

Displays the current netflow logging configuration.

Sample Output
JS>show netflow
set netflow ip 192.168.1.99 port 9996 templatep 1000 templatem 60 flowflush 1

Related
Documentation

138

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 20: NetFlow

set netflow
Syntax

Description

Related
Documentation

set netflow [ip <IPLIST|IPMULTI|none>] [port <PORT>]

[templatep <TEMPLATEP>] [templatem <TEMPLATEM>]
[flowflush <FLOWFLUSH>]

Sets the netflow collector to be configured to receive data on the correct port, and the
DDoS Secure appliance IP address to be configured as a valid source address.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

139

DDoS Secure CLI User Guide

140

Copyright 2014, Juniper Networks, Inc.

CHAPTER 21

Preferred Clients and Whitelisting

This chapter explains preferred clients and whitelisting configuration for DDoS Secure
and describes the available advanced configuration commands.

Preferred Clients and Whitelisting Configuration Overview on page 141

show preferred

set preferred clients

set preferred countries

set preferred whitelist

set preferred whitenolog

set preferred default

Preferred Clients and Whitelisting Configuration Overview

Table 31 on page 141 describes the preferred parameters and their formats.

Table 31: Preferred Parameters

Parameter

Value

Description

clients

IPRANGE|none

Defines the client IP addresses (on the Internet

side of the appliance) get preferential treatment
by giving them a charm boost.

countries

COUNTRIES|none

Defines which countries get preferential treatment

by giving them a charm boost.

default

IPRANGE|none

Defines the client IP addresses (on the Internet

side of the appliance) always get the default
charm scoring.

whitelisted

IPRANGE|none

Defines the client network (on the Internet side

of the appliance) that can be used for pen-testing.
All packets coming from a white-listed network
are passed through as if the appliance was
operating in logging. There is therefore no
protection for the protected IP addresses by the
appliance for any packets coming from this
network address.

Copyright 2014, Juniper Networks, Inc.

141

DDoS Secure CLI User Guide

Table 31: Preferred Parameters (continued)

Parameter

Value

Description

whitenolog

IPRANGE|none

Defines the client network (on the Internet side

Related
Documentation

142

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 21: Preferred Clients and Whitelisting

show preferred
Syntax

Description

Displays the current clients and pen-test networks.

Sample Output
JS>show preferred all
set
set
set
set
set

Related
Documentation

preferred
preferred
preferred
preferred
preferred

clients none
whitenolog 192.168.213.0/24,172.16.166.0/24
whitelisted none
default none
countries none

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

143

DDoS Secure CLI User Guide

set preferred clients

Syntax
Description

set preferred clients <IPRANGE|none>

Sets the preferred clients. It is possible that there may be some client addresses that
need preferential treatment by the DDoS Secure appliance charm engine when the
protected servers are under load/attack conditions. By specifying these IP addresses in
the preferred clients list, these IP addresses will get a boost when calculated. If these IP
addresses do not perform properly, packets from these IP addresses may still get dropped.

Sample Output
JS>set preferred clients 192.168.10.1
JS>apply
JS>show preferred clients
set preferred clients 192.168.10.1

Related
Documentation

144

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 21: Preferred Clients and Whitelisting

set preferred countries

Syntax
Description

set preferred countries <COUNTRIES|none>

Specifies the countries in the preferred countries list. It is possible that there may be some
countries that need preferential treatment by the DDoS Secure appliance charm engine
when the protected servers are under load/attack conditions. By specifying these countries
in the preferred countries list, the IP addresses from these countries will get a charm
boost when is calculated. If the IP addresses from these countries misbehave badly,
packets from these IP addresses may still get dropped.

Sample Output
JS>set preferred countries GBR
JS>apply
JS>show preferred countries
set preferred countries GBR

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

145

DDoS Secure CLI User Guide

set preferred whitelist

Syntax
Description

set preferred whitelisted <IPRANGE|none>

Sets the preferred whitelist. If there is a client network that needs to pen-test servers
through the DDoS Secure appliance, even if the IP addresses are specified as preferred
clients, it is likely that the pen-test traffic will get blocked. The preferred whitelist option
effectively makes the appliance engine run in logging mode for the defined whitelisted
network addresses. For all other IP addresses, the appliance engine will run in the defined
appliance mode.

Sample Output
JS>set preferred whitelisted 10.20.0.0/25
JS>apply
JS>show preferred whitelisted
set preferred whitelisted 10.20.0.0/25

Related
Documentation

146

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 21: Preferred Clients and Whitelisting

set preferred whitenolog

Syntax
Description

set preferred whitenolog <IPRANGE|none>

Sets the preferred whitelist for which no logging will be performed. If there is a client
network that needs to pen-test servers through the DDoS Secure appliance, even if the
IP addresses are specified as preferred clients, it is likely that the pen-test traffic will get
blocked. The preferred whitenolog option effectively makes the appliance engine run in
logging mode for the defined whitelisted network addresses. For all other IP addresses,
the appliance engine will run in the defined appliance mode.

NOTE: Any misbehaving activity to/from these IP addresses will not get
logged anywhere.

Sample Output
JS>set preferred whitenolog 10.30.0.0/25
JS>apply
JS>show preferred whitenolog
set preferred whitelisted 10.30.0.0/25

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

147

DDoS Secure CLI User Guide

set preferred default

Syntax
Description

set preferred default <IPRANGE|none>

Sets the preferred default list. It is possible that there may be some client addresses that
always need default treatment by the DDoS Secure appliance engine when the protected
servers are under load/attack conditions. By specifying these IP addresses in the preferred
default list, these IP addresses will always get the default when is calculated. If these IP
addresses misbehave badly, packets from these IP addresses may still get dropped.

NOTE: Examples could be website availability monitors.

Sample Output
JS>set preferred default 192.168.20.1
JS>apply
JS>show preferred default
set preferred clients 192.168.20.1

Related
Documentation

148

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 22

Portals
This chapter explains portals for DDoS Secure and describes the available advanced
configuration commands.

Portals Configuration Overview on page 149

show portal

remove portal

set portal

Portals Configuration Overview

It is possible to specify blocks of addresses (networks and/or single IP addresses, known
as portals), which can be managed separately by designated users. This gives the ability
for customers, clients or business groups to be able to manage what appliance does for
their portal. Any user that has full managerial access can override these portal
configurations. The master portal is known as a DDoS Secure appliance.
The sum of all the values of the portals (excluding the master) cannot exceed that of
the master portal, with the exception of the burst values, which individually cannot exceed
that of the master portal.
Table 32 on page 149 describes the portal parameters and their format.

Table 32: Portal Parameters

Parameter

Value

Description

IPRANGE|all

The list of protected IP addresses.

vlan

VLANSDEF

The list of VLANs/MPLS definitions to track as

opposed to IP addresses.

validpkts

PKTS|U

Guaranteed packet rate.

burstpkts

PKTS|U

Burstable packet rate. Over this rate triggers an

Incident.

validspeed

SPEED|U

Guaranteed bandwidth.

Copyright 2014, Juniper Networks, Inc.

149

DDoS Secure CLI User Guide

Table 32: Portal Parameters (continued)

Parameter

Value

Description

burstspeed

SPEED|U

Burstable bandwidth. Over this rate triggers an

Incident.

filters

FILTERS

The number of configurable filters.

rerouteminpkts

PKTS

Rerouting is dropped when IP address is below

this packet rate.

reroutemaxpkts

PKTS

Rerouting is potentially triggered when above this

packet rate.

rerouteminspeed

SPEED

Rerouting is dropped when IP address is below

this bandwidth.

reroutemaxspeed

SPEED

Rerouting is potentially triggered when above this

bandwidth.

protected

PROTECTED

The number of configurable protected IP

addresses.

Related
Documentation

150

Access Control Configuration Overview on page 13

MAC Gateway Configuration Overview on page 111

Shares Configuration Overview on page 187

show portal on page 151

remove portal on page 152

set portal on page 153

Copyright 2014, Juniper Networks, Inc.

Chapter 22: Portals

show portal
Syntax
Description

show portal <PORTALNAME|all>

Displays the settings of the named portal.

Sample Output
JS>show portal test1
set portal test1 ip 10.0.0.0/24 validpkts 3720 burstpkts 3720 validspeed 10M
burstspeed 50M filters 31 rerouteminpkts 1K reroutemaxpkts 50K rerouteminspeed
20M reroutemaxspeed 1G protected 16

Alternatively the reserved portal name all can be specified to show all defined portals.
JS>show portal all
set portal DDoS Secure appliance ip all validpkts 37.2K burstpkts 37.2K
validspeed 100M burstspeed 100M filters 991 rerouteminpkts 1K
reroutemaxpkts 50K rerouteminspeed 20M reroutemaxspeed 1G protected 1
set portal example ip 10.0.0.0/24 validpkts 3720 burstpkts 3720 validspeed 10M
burstspeed 50M filters 31 rerouteminpkts 1K reroutemaxpkts 50K rerouteminspeed
20M reroutemaxspeed 1G protected 16

Related
Documentation

Portals Configuration Overview on page 149

remove portal on page 152

set portal on page 153

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

151

DDoS Secure CLI User Guide

remove portal
Syntax
Description

remove portal <PORTALNAME|all>

Deletes a specific portal. This command can also be used to delete all current portals.
To do this the parameter value all is used instead of a portal name. When deleting all
portals the command will ask for confirmation.

NOTE: It is possible to disable the prompting, which can be useful for

automated scripts.

Related
Documentation

152

Portals Configuration Overview on page 149

show portal on page 151

set portal on page 153

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 22: Portals

set portal
Syntax

Description

Related
Documentation

set portal <PORTALNAME> [ip <IPRANGE|all>|vlan <VLANSDEF>]

[validpkts <PKTS>] [burstpkts <PKTS>]
[validspeed <SPEED>] [burstspeed <SPEED>]
[filters <FILTERS>] [rerouteminpkts <PKTS>]
[reroutemaxpkts <PKTS>] [rerouteminspeed <SPEEED>]
[reroutemaxspeed <SPEEED>] [protected <PROTECTED>]

Creates a new portal or modifies an existing one.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

show portal on page 151

remove portal on page 152

Copyright 2014, Juniper Networks, Inc.

153

DDoS Secure CLI User Guide

154

Copyright 2014, Juniper Networks, Inc.

CHAPTER 23

Portal Operational Mode

This chapter explains portal operational mode configuration for DDoS Secure and
describes the available advanced configuration commands.

Portal Operational Mode Configuration Overview on page 155

show operation

set operation

Portal Operational Mode Configuration Overview

This section describes the operational mode of a portal.
Table 33 on page 155 describes the operational mode parameters and their formats.

Table 33: Operational Mode Parameters

Parameter

Value

Default Value

Description

mode

MODEPORTAL

defending

Current defense mode of the portal. This can be

defending or logging.

countries

COUNTRIES|all

all

Defines the countries that are to be permitted by

the appliance for this portal.
NOTE: The countries test always is applied to the
Internet client addresses, not to the protected IP
addresses.

aslist

ASLIST|all

all

Defines the AS numbers that are to be permitted

by the appliance for this portal.
NOTE: The AS numbers test always is applied to
the Internet client addresses, not to the protected
IP addresses.

Related
Documentation

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

155

DDoS Secure CLI User Guide

show operation
Syntax
Description

show operation

Displays the current operational mode of the portal.

Sample Output
JS>show operation
set operation mode defending countries all aslist all

Related
Documentation

156

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 23: Portal Operational Mode

set operation
Syntax

Description

set operation mode <MODEPORTAL> countries <COUNTRIES|all>

aslist <ASLIST|all>

Sets the operational mode of the portal.

Sample Output
JS>set operation mode logging
JS>apply
JS>show operation
set operation mode logging countries all aslist all

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

157

DDoS Secure CLI User Guide

158

Copyright 2014, Juniper Networks, Inc.

CHAPTER 24

Portal Defense
This chapter explains portal defense configuration for DDoS Secure and describes the
available advanced configuration commands.

Portal Defense Configuration Overview on page 159

show portaldefense

set portaldefense

Portal Defense Configuration Overview

Table 34 on page 159 describes the portal defense parameters and their formats. An
example for a portal could be a load balancer with multiple VIPs. Portal defense could
then be used to protect this load balancer from overload.

Table 34: Portal Defense Parameters

Parameter

Value

Description

backlog

BACKLOG|auto-BACKLOG

The TCP backlog setting. Refer to the DDoS Secure

GUI User Guide for further details.

connections

CONNECTIONS|auto-CONNECTIONS

The maximum number of connections. Refer to

the DDoS Secure GUI User Guide for further details.

connrate

CONNRATE|auto-CONNRATE

The maximum connection rate. Refer to the DDoS

Secure GUI User Guide for further details.

gets

GETS|auto-GETS

The maximum concurrent number of active

GET/HEAD/POST that a server can handle at
once. An example is IIS ASP thread count.

Related
Documentation

DDoS Secure Appliance BGP Configuration on page 254

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

159

DDoS Secure CLI User Guide

show portaldefense
Syntax
Description

show portaldefense

Displays the portal defense configuration.

Sample Output
JS>show portal defense
set portaldefense backlog U connections U connrate U gets U

Related
Documentation

160

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 24: Portal Defense

set portaldefense
Syntax

Description

set portaldefense
[backlog <BACKLOG|auto-BACKLOG>]
[connections <CONNECTIONS|auto-CONNECTIONS>]
[connrate <CONNRATE|auto-CONNRATE>]
[gets <GETS|auto-GETS>]

Sets the portal defense. If all parameters are not present when defining the portal defense
then any unspecified parameters are automatically set to those of the default server.

Sample Output
JS>set portaldefense backlog 10000 connections U connrate U gets U
JS>apply
JS>show portaldefense
set portaldefense backlog 10000 connections U connrate U gets U

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

161

DDoS Secure CLI User Guide

162

Copyright 2014, Juniper Networks, Inc.

CHAPTER 25

Protected IP
This chapter explains protected IP configuration for DDoS Secure and describes the
available advanced configuration commands.

Protected IP Configuration Overview on page 163

show protected

remove protected

set protected

Protected IP Configuration Overview

Table 35 on page 163 describes the protected IP address parameters and their format.

Table 35: Protected IP Address Parameters

Parameter

Value

Description

name

PROTECTEDNAME

The text name of the protected IP address. This

parameter is ignored when defining settings for
the default protected IP address.

backlog

BACKLOG|auto-BACKLOG

The TCP backlog setting. Refer to the DDoS Secure

GUI User Guide for further details.

connections

CONNECTIONS|auto-CONNECTIONS

The maximum number of connections. Refer to

the DDoS Secure GUI User Guide for further details.

connrate

CONNRATE|auto-CONNRATE

The maximum connection rate. Refer to the DDoS

Secure GUI User Guide for further details.

gets

GETS|auto-GETS

The maximum concurrent number of active

GET/HEAD/POST that a protected IP address can
handle at once. An example is IISs ASP thread
count.

infilter

FILTERNAME|default

The filter used for inbound connections.

outfilter

FILTERNAME

The filter used for outbound connections.

Copyright 2014, Juniper Networks, Inc.

163

DDoS Secure CLI User Guide

Table 35: Protected IP Address Parameters (continued)

Parameter

Value

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

Chapter 25: Protected IP

show protected
Syntax

Description

show protected <IPADDRESS|all|default|indeterminate|

broadcast|multicast|redirect|autodetected>

Displays the specified protected IP address configuration.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

165

DDoS Secure CLI User Guide

remove protected
Syntax
Description

remove protected <IPADDRESS|all|autodetected>

Deletes the specified protected IP address. The <IPADDRESS> field should have a value
that matches an existing defined protected IP address, an auto-detected protected entry
is not considered a defined protected IP address. If the IP address used does not match
any of the existing defined protected IP addresses, the command is ignored.
It is also possible to delete all the defined protected IP addresses. The command remove
protected all deletes all configured protected IP addresses but prompts for confirmation
before the command is accepted. The default protected parameters are not altered by
the use of the value all. The default, indeterminate, multicast, broadcast, and redirect
protected IP address settings cannot be removed.

NOTE: When the value all, or autodetected is used with the remove protected
command the user is prompted if they are sure. This prompting can be turned
off, which may be of use for scripted configurations.
When autodetected is used, the command is applied immediately without
having to use the now parameter or issue the apply command.

Sample Output
JS>remove protected all
Are you sure [yes/no]? yes
JS>show protected all
set protected default backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter inbound outfilter outbound sendtcprejects
no soap no fragsdisabled no patgw no mode defending
set protected multicast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter multicast outfilter multicast
sendtcprejects no soap no fragsdisabled no patgw no mode defending
set protected broadcast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter broadcast outfilter broadcast
sendtcprejects no soap no fragsdisabled no patgw no mode defending
set protected indeterminate backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter default outfilter default sendtcprejects
no soap no fragsdisabled no patgw no mode defending
set protected 10.50.1.1 backlog 1000 connections 5000 connrate 100
gets U infilter default outfilter default sendtcprejects yes
soap no fragsdisabled no patgw no mode defending
set protected 10.50.2.1 backlog 1000 connections 5000 connrate 100
gets U infilter default outfilter default sendtcprejects yes
soap no fragsdisabled no patgw no mode defending
JS>remove server 10.50.1.1
JS>apply
JS>show protected all
set protected default backlog auto-1000 connections auto-1000 connrate

166

Copyright 2014, Juniper Networks, Inc.

Chapter 25: Protected IP

auto-1000 gets auto-1000 infilter inbound outfilter outbound

sendtcprejects no soap no fragsdisabled no mode defending
set protected multicast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter multicast outfilter multicast
sendtcprejects no soap no fragsdisabled no mode defending
set protected broadcast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter broadcast outfilter broadcast
sendtcprejects no soap no fragsdisabled no mode defending
set protected indeterminate backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter default outfilter default
sendtcprejects no soap no fragsdisabled no mode defending
set protected 10.50.2.1 backlog 1000 connections 5000 connrate 100
gets U infilter default outfilter default sendtcprejects yes soap
no fragsdisabled no mode defending

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

167

DDoS Secure CLI User Guide

set protected
Syntax

Description

Sets the protected IP address. If all parameters are not present while defining a new
protected IP address then any unspecified parameters are automatically set to those of
the default protected IP address.

Sample Output
JS>show protected all
set protected default backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter inbound outfilter outbound
sendtcprejects no soap no fragsdisabled no mode defending
set protected multicast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter multicast outfilter multicast
sendtcprejects no soap no fragsdisabled no mode defending
set protected broadcast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter broadcast outfilter broadcast
sendtcprejects no soap no fragsdisabled no mode defending
set protected indeterminate backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter default outfilter default sendtcprejects
no soap no fragsdisabled no mode defending
set protected 10.50.2.1 backlog 1000 connections 5000 connrate 100 gets U
infilter default outfilter default sendtcprejects yes soap no
fragsdisabled no mode defending
JS>set protected 10.50.1.1 infilter default outfilter default
JS>apply
JS>show protected all
set protected default backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter inbound outfilter outbound
sendtcprejects no soap no fragsdisabled no mode defending
set protected multicast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter multicast outfilter multicast
sendtcprejects no soap no fragsdisabled no mode defending
set protected broadcast backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter broadcast outfilter broadcast sendtcprejects
no soap no fragsdisabled no mode defending
set protected indeterminate backlog auto-1000 connections auto-1000 connrate
auto-1000 gets auto-1000 infilter default outfilter default
sendtcprejects no soap no fragsdisabled no mode defending
set protected 10.50.1.1 backlog auto-1000 connections auto-1000 connrate
auto-1000 gets U infilter default outfilter default
sendtcprejects yes soap no fragsdisabled no mode defending
set protected 10.50.2.1 backlog 1000 connections 5000 connrate 100

168

Copyright 2014, Juniper Networks, Inc.

Chapter 25: Protected IP

gets U infilter default outfilter default sendtcprejects yes soap no

fragsdisabled no mode defending

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

169

DDoS Secure CLI User Guide

170

Copyright 2014, Juniper Networks, Inc.

CHAPTER 26

Proxy Server
This chapter explains proxy server for DDoS Secure and describes the available advanced
configuration commands.

Proxy Server Configuration Overview on page 171

show proxy

set proxy

Proxy Server Configuration Overview

If the DDoS Secure appliance needs to get update information through a URL, then the
http traffic may have to go through a proxy server to get to the Internet.
Table 36 on page 171 describes the proxy server parameters.

Table 36: Proxy Server Parameters

Parameter

Value

Description

proxyip

IPADDRESS|none

The IP address of the proxy server.

proxyport

PORT

The port number that the proxy server is listening

on.

proxyuser

USERNAME|none

The user for authenticating to the proxy server.

proxypassword

PASSWORD

The password for the user for authenticating to

the proxy server.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

171

DDoS Secure CLI User Guide

show proxy
Syntax
Description

show proxy

Displays the current proxy server configuration.

Sample Output
JS>show proxy
set proxy proxyip 192.168.1.99 proxyport 8080

Related
Documentation

172

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 26: Proxy Server

set proxy
Syntax

Description

Related
Documentation

set proxy [proxyip <IPADDRESS|none>] [proxyport <PORT>]

[proxyuser <USERNAME|none>] [proxypassword <PASSWORD>]

Sets the current proxy server configuration.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

173

DDoS Secure CLI User Guide

174

Copyright 2014, Juniper Networks, Inc.

CHAPTER 27

Pseudol3
This chapter explains pseudol3 configuration for DDoS Secure and describes the available
advanced configuration commands.

Pseudol3 Configuration Overview on page 175

show pseudol3

set pseudol3 interface

set pseudol3 network

set pseudol3 route

remove pseudol3 all

remove pseudol3 interface

remove pseudol3 route

Pseudol3 Configuration Overview

The pseudol3 commands are used to configure the interfaces, networks and routes for
the L3 or L2/L3 split modes of operation.
Layer 3: Configure IP/subnets for both the Internet and Protected interfaces as well as
a default gateway route for layer 3 functionality. Additional interface aliases and routes
can also be defined.
Layer 2/3: This mode splits a network in two and acts as an ARP Man-In-The-Middle.
The local subnet must be defined as well as the default gateway route. Additional
networks/routes can also be defined.

NOTE: Any IP addresses/routes configured for Layer 3 are not added to the
Linux network stack. This means that these IP addresses are not available
for ping from any external device. Also, the ping command is unable to ping
IP addresses connected to (or routed through) the Internet or Protected.

Copyright 2014, Juniper Networks, Inc.

175

DDoS Secure CLI User Guide

Table 37: Pseudo Layer 2 and Layer 3 Parameters

Parameter

Value

Description

interface

internet|protected

The interface to which the IP/prefix is assigned.

ip/prefixlen

IP/PREFIXLEN

The IP and prefix length assigned to this interface.

cidr

IPNETWORK

The subnet which is part of the L2/L3 split network.

cidr

IPNETWORK|default|
default-ipv4

The subnet for the route to be added.

gateway

IPADDRESS

The gateway for the subnet.

Related
Documentation

176

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 27: Pseudol3

show pseudol3
Syntax
Description

show pseudol3<interface|network|route|all>

Displays the pseudol3 configuration information. The sections can be divided by

interface/network/route, or all can be displayed.

L2/L3 (Split Network)

JS>show pseudol3 all
set pseudol3 network cidr 192.168.1.0/24
set pseudol3 route cidr 192.168.1.0/24 gateway 192.168.1.1
JS>show pseudol3 interface

No pseudo layer 3 local interface definitions set up.

JS>show pseudol3 network
set pseudol3 network cidr 192.168.1.0/24
JS>show pseudol3 route
set pseudol3 route cidr 192.168.1.0/24 gateway 192.168.1.1

L2 Example
JS>show pseudol3 all
set pseudol3 interface located internet ip/prefixlen 192.168.1.230/24
set pseudol3 interface located protected ip/prefixlen 192.168.0.1/24
set pseudol3 route cidr default-ipv4 gateway 192.168.1.1

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

177

DDoS Secure CLI User Guide

set pseudol3 interface

Syntax
Description

set pseudol3 route cidr <IPNETWORK|default|default-ipv4> gateway <IPADDRESS>

Assigns a given IP address (with prefix for the subnet) to either the Internet or protected
interfaces. This is only used for Layer 3 mode.

Sample Output
JS>set pseudol3 interface located internet ip/prefixlen 192.168.1.200/24

Related
Documentation

178

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 27: Pseudol3

set pseudol3 network

Syntax
Description

set pseudol3 network cidr <IPNETWORK>

Adds a network to the L2/L3 (Split Network) mode. This is not compatible with Layer 3
mode.

Sample Output
JS>set pseudol3 network cidr 192.168.0.0/24

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

179

DDoS Secure CLI User Guide

set pseudol3 route

Syntax
Description

set pseudol3 route cidr <IPNETWORK|default|default-ipv4>gateway <IPADDRESS>

Adds a route entry for the L3 mode.

Sample Output
JS>set pseudol3 route cidr default gateway 192.168.1.1

Related
Documentation

180

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 27: Pseudol3

remove pseudol3 all

Syntax
Description

remove pseudol3 all

Removes any pseudol3 configuration.

Sample Output
JS>remove pseudol3 all

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

181

DDoS Secure CLI User Guide

remove pseudol3 interface

Syntax
Description

remove pseudol3 interface

Removes all pseudol3 interface settings. This will disable layer3 operation.

Sample Output
JS>remove pseudol3 interface

Related
Documentation

182

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 27: Pseudol3

remove pseudol3 route

Syntax
Description

remove pseudol3 route

Removes all pseudol3 route settings.

Sample Output
JS>remove pseudol3 route

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

183

DDoS Secure CLI User Guide

184

Copyright 2014, Juniper Networks, Inc.

CHAPTER 28

Remote Alerts, Reports, and Logging

This chapter explains remote alerts, reports, and logging for DDoS Secure and describes
the available advanced configuration commands.

Remote Alerts, Reports, and Logging Configuration Overview on page 185

Remote Alerts, Reports, and Logging Configuration Overview

The DDoS Secure appliance currently supports a number of methods for remote alerts,
reports, and logs. Incident alerts can be sent remotely either using SNMP traps, or through
e-mail. Daily reports can also be sent remotely by e-mail. Additionally, continuous log
data can be sent to a remote syslog server, structured syslog server, or netFlow collector.
This topic describes how to configure the specific settings needed to enable the above
forms of remote messaging. This topic does not, however, cover the configuration of
event triggers that would then result in incident logs or alerts. These associated settings
are covered in the logging threshold topic.
Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

185

DDoS Secure CLI User Guide

186

Copyright 2014, Juniper Networks, Inc.

CHAPTER 29

Shares
This chapter explains shares configuration for DDoS Secure and describes the available
advanced configuration commands.

Shares Configuration Overview on page 187

show share

remove share

set share

Shares Configuration Overview

This section describes the configuration setting for sharing information between DDoS
Secure appliances, other than those working in an active-standby relationship.
Table 38 on page 187 describes the share parameters and their formats.

Table 38: Share Parameters

Parameter

Value

Copyright 2014, Juniper Networks, Inc.

187

DDoS Secure CLI User Guide

188

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

Chapter 29: Shares

show share
Syntax
Description

show share <IPADDRESS|all>

Displays the specified share configuration.

Sample Output
JS>show share all
set share 10.1.1.192 gateway none config yes incident yes state yes required no
set share 10.1.1.191 gateway none config yes incident yes state no required no

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

189

DDoS Secure CLI User Guide

remove share
Syntax
Description

remove share <IPADDRESS|all>

Deletes the specified share. The <IPADDRESS> field should have a value that matches
an existing defined share IP address. If the IP address used does not match any of the
existing defined shares, the command is ignored.
It is also possible to delete all the defined shares. The command remove share all deletes
all configured shares but prompts for confirmation before the command is accepted.

NOTE: When the value all is used with the remove share command the user
is prompted if they are sure. This prompting can be turned off, which may be
of use for scripted configurations.

Sample Output
JS>remove share all
Are you sure [yes/no]? yes
JS>show share all
set share 10.1.1.192 gateway none config yes incident yes state yes required no
set share 10.1.1.191 gateway none config yes incident yes state no required no
JS>remove share 10.1.1.191
JS>apply
JS>show share all
set share 10.1.1.192 gateway none config yes incident yes state yes required no

Related
Documentation

190

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 29: Shares

set share
Syntax

Description

set share <IPADDRESS> [gateway <IPADDRESS|none>]

[config <yes|no>] [incident <yes|no>] [state <yes|no]
[required <yes|no>]

Defines the share. If all parameters are not present when defining a new share then any
unspecified parameters are automatically set to no.

Sample Output
JS>show share all
set share 10.1.1.192 gateway none config yes incident yes state yes required no
JS>set share 10.1.1.191 config yes
JS>apply
JS>show share all
set share 10.1.1.192 gateway none config yes incident yes state yes required no
set share 10.1.1.191 gateway none config yes incident no state no required no

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

191

DDoS Secure CLI User Guide

192

Copyright 2014, Juniper Networks, Inc.

CHAPTER 30

SNMP
This chapter explains SNMP for DDoS Secure and describes the available advanced
configuration commands.

SNMP Configuration Overview on page 193

show snmp

set snmp

SNMP Configuration Overview

The SNMP protocol can be used with DDoS Secure appliance to request data as well as
send alerts. Thus, SNMP query related settings are also covered here. The same
commands are used to manage settings that affect both SNMP alerts and queries.
Table 39 on page 193 describes the SNMP parameters.

Table 39: SNMP Parameters

Parameter

Value

Description

trap

IPLIST|none

The IP address(es) to which SNMP traps are sent.

rocommunity

COMMUNITY

The community name required for read-only

access to the SNMP variables.

trapcommunity

COMMUNITY

The community name used when sending SNMP

traps.

syslocation

TEXT

A description of the location of the appliance unit.

syscontact

TEXT

Who to contact about the appliance unit.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

193

DDoS Secure CLI User Guide

show snmp
Syntax
Description

show snmp

Displays the current SNMP settingsthe trap destination address, the read-only
community string, the trap community string, the system location reference name, and
the contact information for the system administrator.

Sample Output
JS>show snmp
set snmp trap 192.168.1.15 rocommunity public trapcommunity trapcom
syslocation test-lab syscontact
[email protected]

Related
Documentation

194

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 30: SNMP

set snmp
Syntax

Description

set snmp [trap <IPLIST|none>]

[rocommunity <COMMUNITY>] [trapcommunity <COMMUNITY>]
[syslocation <TEXT>] [syscontact <TEXT>]

Adjusts the values of the SNMP trap address trap, the read-only community string
rocommunity, the snmpcommunity string trapcommunity, the system location string
syslocation, and the system admin contact syscontact.

Sample Output
JS>show snmp
set snmp trap 192.168.1.15 rocommunity public trapcommunity public
syslocation test-lab syscontact [email protected]
JS>set snmp syslocation DDoS Secure appliance test lab
JS>apply
JS>show snmp
set snmp trap 192.168.1.15 rocommunity public trapcommunity public
syslocation DDoS Secure appliance test lab syscontact
[email protected]

NOTE: Although set snmp allows the changing of both SNMP remote alerting
and SNMP querying related settings, it does not change the security access
settings to the appliance management interface. It is important that the set
access snmp command also be used to ensure that trusted IP addresses have
access to the appliance to be allowed to make SNMP queries.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

195

DDoS Secure CLI User Guide

196

Copyright 2014, Juniper Networks, Inc.

CHAPTER 31

Structured Syslog
This chapter explains structured syslog for DDoS Secure and describes the available
advanced configuration commands.

Structured Syslog Configuration Overview on page 197

show structured

set structured

Structured Syslog Configuration Overview

The DDoS Secure appliance can be configured to send messages to a SEIM server in the
following formats: STRM (also known as Log Event Extended Format or LEEF), Webtrends
Enhanced Logging Format (WELF), or ArcSight Common Event Format (CEF). The remote
SEIM server may require reconfiguration before it will accept DDoS Secure structured
syslog messages. The SEIM server will receive the messages at the specified Facility and
for Priorities greater than or equal to that configured. Table 40 on page 197 describes the
structured syslog parameters.

Table 40: Structured Syslog Parameters

Parameter

Value

Description

IPLIST|none

The IP address to which DDoS Secure will send structured syslog messages.

format

welf|leef|cef

The structured syslog format of the messages.

facility

SYSFACILITY

The syslog facility to which messages will be sent. If no previous facility has
been defined and this parameter is not specified then the default daemon
facility will be used.

priority

SYSPRIORITY

The syslog priority at or above appropriate messages will be sent. If no previous

priority has been defined and this parameter is not specified then the default
info priority will be used.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Syslog Configuration Overview on page 201

Copyright 2014, Juniper Networks, Inc.

197

DDoS Secure CLI User Guide

show structured
Syntax
Description

show structured

Displays the current structured syslog configuration.

Sample Output
JS>show structured
set structured ip 192.168.1.99 format leef facility local0 priority info

Related
Documentation

198

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Syslog Configuration Overview on page 201

Copyright 2014, Juniper Networks, Inc.

Chapter 31: Structured Syslog

set structured
Syntax

Description

Related
Documentation

set structured [ip <IPLIST|none>]

[facility <SYSFACILITY>] [priority <SYSPRIORITY>][format<welf|leef|arcsight>]

Sets the structured syslog configuration, which is handled in the same was as ordinary
syslog configuration.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Syslog Configuration Overview on page 201

Copyright 2014, Juniper Networks, Inc.

199

DDoS Secure CLI User Guide

200

Copyright 2014, Juniper Networks, Inc.

CHAPTER 32

Syslog
This chapter explains syslog for DDoS Secure and describes the available advanced
configuration commands.

Syslog Configuration Overview on page 201

show syslog

set syslog

Syslog Configuration Overview

The syslog protocol is based on the message logging system of the same name (see
RFC3164The BSD syslog protocol). A DDoS Secure appliance unit can be configured
to send copies of messages that it records in its local log files to a remote syslog server.
Table 41 on page 201 describes the syslog parameters.

Table 41: Syslog Parameters

Parameter

Value

Description

IPLIST|none

The IP address(es) to which syslog messages will

be sent.

facility

SYSFACILITY

The syslog facility to which messages will be sent.

If no previous facility has been defined and this
parameter is not specified then the default
daemon facility will be used.

priority

SYSPRIORITY

The syslog priority at or above appropriate

messages will be sent. If no previous priority has
been defined and this parameter is not specified
then the default info priority will be used.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

201

DDoS Secure CLI User Guide

show syslog
Syntax
Description

show syslog

Displays the current syslog configuration.

Sample Output
JS>show syslog
set syslog ip 192.168.1.15 facility local5 priority info

Related
Documentation

202

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 32: Syslog

set syslog
Syntax
Description

set syslog [ip <IPLIST|none>] [facility <SYSFACILITY>] [priority <SYSPRIORITY>]

Sets the syslog protocol. The DDoS Secure appliance has three syslog configuration
settings, but the only one that must be configured for messages to be sent is the IP
address of the remote syslog server.
The appliance will send syslog messages to the log file that are priority or higher.

Sample Output
JS>set syslog ip 192.168.0.10
JS>apply
JS>show syslog
set syslog ip 192.168.0.10 facility daemon priority info

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

203

DDoS Secure CLI User Guide

204

Copyright 2014, Juniper Networks, Inc.

CHAPTER 33

TCP State Timeouts

This chapter explains TCP state timeouts for DDoS Secure and describes the available
advanced configuration commands.

TCP State Timeouts on page 205

show timeout

set timeout

TCP State Timeouts

It is possible to change the TCP State timeouts from their default values. Changing these
values to low numbers can have a detrimental effect on the traffic flows and should only
be done under the guidance of a DDoS Secure appliance engineer.

Table 42: Timeout Parameters

Parameter

Value

Default Value

Sends Keepalive

Sends RST on
Session End

syn

STATETIMEOUT|default

10 seconds

s-a

STATETIMEOUT|default

7 seconds

Yes

s-s

STATETIMEOUT|default

10 seconds

ack

STATETIMEOUT|default

60 seconds

Yes

p-a

STATETIMEOUT|default

60 seconds

Yes

get

STATETIMEOUT|default

15 minutes

Yes

est

STATETIMEOUT|default

15 minutes

Yes

f1s

STATETIMEOUT|default

3 minutes

Yes

f2s

STATETIMEOUT|default

3 minutes

Yes

f3s

STATETIMEOUT|default

70 seconds

Copyright 2014, Juniper Networks, Inc.

205

DDoS Secure CLI User Guide

Table 42: Timeout Parameters (continued)

Parameter

Value

Default Value

Sends Keepalive

Sends RST on
Session End

f-f

STATETIMEOUT|default

70 seconds

Yes

f1d

STATETIMEOUT|default

3 minutes

Yes

f2d

STATETIMEOUT|default

3 minutes

Yes

f3d

STATETIMEOUT|default

70 seconds

cls

STATETIMEOUT|default

70 seconds

rst

STATETIMEOUT|default

30 seconds

r-c

STATETIMEOUT|default

30 seconds

unk

STATETIMEOUT|default

70 seconds

spf

STATETIMEOUT|default

10 seconds

sif

STATETIMEOUT|default

10 seconds

gets

STATETIMEOUT|default

2 minutes

ack80

STATETIMEOUT|default

20 seconds

Yes

url

STATETIMEOUT|default

10 seconds

f2d80

STATETIMEOUT|default

20 seconds

Yes

swin

STATETIMEOUT|default

2 minutes

NOTE: Sends RST on session end is applicable only if, source and destination
IP addresses of the session are both in defending mode.

Related
Documentation

206

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 33: TCP State Timeouts

show timeout
Syntax
Description

show timeout [all|default]

Displays the current state timeouts that do not have some of the default values, or all
the default values.

Sample Output
JS>show timeout all
No timeout changes

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

207

DDoS Secure CLI User Guide

set timeout
Syntax
Description

set timeout <PARAMETER> <VALUE> []

Sets the timeout value. The <PARAMETER> <VALUE> pair is taken from the timeout
parameters.

Sample Output
JS>set timeout s-a 25
JS>apply
JS>show timeout all
set timeout s-a 25

Related
Documentation

208

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 34

SSL Decryption
This chapter explains SSL decryption for DDoS Secure and describes the available
advanced configuration commands.

SSL Decryption on page 209

show decryptkeys

set decryptkeys default

set decryptkeys specific

remove decryptkeys

SSL Decryption
You can set up the DDoS Secure appliance to decrypt SSL data streams for analyzing
the HTTP contents for attack mitigation.
To decrypt SSL data streams, upload the private keys through the Web interface, and
then associate these private keys with protected IPs and potentially different domains
on the protected IP.
This method for the decryption is not man-in-the-middle, so it is not possible to decrypt
data streams that make use of the Perfect Forward Secrecy (PFS) algorithms.
Related
Documentation

show decryptkeys on page 210

set decryptkeys default on page 212

set decryptkeys specific on page 213

Copyright 2014, Juniper Networks, Inc.

209

DDoS Secure CLI User Guide

show decryptkeys
Syntax
Description

show decryptkeys<all|IPADDRESS>

Displays the decrypt key configuration. Each decrypt key definition can be configured as
either default or specific. For default definitions, the ports and private key to be used for
the decryption of SSL traffic to and from a protected IP address are specified. For a
specific definition, a domain name and private key combination are applied in addition
to the default configuration. An associated default configuration is required for a specific
configuration for a protected IP address to exist.

Sample Output
JS>show decryptkeys all
nodle.pem
set decryptkeys default protected 192.168.1.189 ports 443 privatekey server.com.pem
set decryptkeys default protected 192.168.1.37 ports 443 privatekey f5-private.key
set decryptkeys specific protected 192.168.1.37 domain f5.com privatekey
f5-private.key
set decryptkeys specific protected 192.168.1.37 domain testserver.com privatekey
testserver.pem
set decryptkeys specific protected 192.168.1.37 domain server.com privatekey
tserver.pem
set decryptkeys default protected 192.168.1.156 ports 443 privatekey test_pkey.pem
set decryptkeys default protected 192.168.1.157 ports 443 privatekey 157.pem
set decryptkeys default protected 192.168.21.125 ports 443 privatekey tserver.pem

The configurations associated with a single IP address can be shown by specifying the
protected IP address as part of the command, as shown in the following example.
JS>show decryptkeys 192.168.1.37
set decryptkeys default protected 192.168.1.37 ports 443 privatekey f5-private.key
set decryptkeys specific protected 192.168.1.37 domain f5.com privatekey
f5-private.key
set decryptkeys specific protected 192.168.1.37 domain testserver.com privatekey
testserver.pem
set decryptkeys specific protected 192.168.1.37 domain server.com privatekey
tserver.pem
JS>show decryptkeys stats

210

New Sessions Success

Resumed Sessions Success

:
:

592
1241

Priv/Pub Key Mismatch

Failed RSA Decrypt
No Private Key
Failed Key Generation
Client Hello not seen
PFS Not Supported
Key Exchange Not Supported
Unsupported Cipher
Deflate Error
Session setup not seen
Unknown compression
Record Not Multiple of Block Size

:
:
:
:
:
:
:
:
:
:
:
:

0
0
0
0
0
15
0
0
0
0
0
0

Copyright 2014, Juniper Networks, Inc.

Chapter 34: SSL Decryption

Decryption Failed
Session Resume Support Disabled
Session Resumed But Not Found
Unknown Message Type / Corrupt Header
Unrecognised Protocol Version
Invalid Record Size / Corrupt Header
Session setup not seen
Not Configured for SSL Inspection
SSLv2 Inspection Not Supported
Failed Exchange Allocation
Failed Decrypt Allocation
Failed Deflate Allocation
Failed Deflater Allocation
Failed Record Allocation
Failed Decoder Allocation

Related
Documentation

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

211

DDoS Secure CLI User Guide

set decryptkeys default

Syntax

Description

Output Fields

set decryptkeys default protected <IPADDRESS> port <PORTLIST> privatekey

Set the ports and default private key for SSL inspection associated with the given
protected IP address. The private key must be uploaded with the GUI beforehand and
referenced by the filename.
Table 43 on page 212 describes the decryptkeys default parameters.

Table 43: Decryptkeys Default Parameters

Parameter

Value

Description

protected

IPADDRESS

The protected IP address associated with this configuration.

ports

PORTLIST

The ports on which traffic to be decrypted is flowing.

privatekey

PRIVATEKEY

The filename of the private key used to decrypt the traffic.

Sample Output
JS>set decryptkeys default protected 192.168.1.40 ports 443 privatekey testserver.pem

Related
Documentation

212

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 34: SSL Decryption

set decryptkeys specific

Syntax

Description

Output Fields

set decryptkeys specific protected <IPADDRESS> domain <DOMAIN> privatekey

Adds a specific domain for SSL inspection in association with the protected IP address.
The IP address must already have a default definition and the private key must be
uploaded with the GUI beforehand, referenced by filename.
Table 44 on page 213 lists the decryptkeys specific parameters.

Table 44: Decryptkeys Specific Parameters

Parameter

Value

Description

protected

IPADDRESS

The protected IP address associated with this configuration.

domain

DOMAIN

The ports on which traffic to be decrypted is flowing.

privatekey

PRIVATEKEY

The filename of the private key used to decrypt the traffic.

Sample Output
JS>set decryptkeys specific protected 192.168.1.40 domain testitnow.com privatekey
privatekey.pem

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

213

DDoS Secure CLI User Guide

remove decryptkeys
Syntax
Description

remove decryptkeys <all|IPADDRESS>

Removes the specified decrypt key configuration.

Sample Output
JS>remove decryptkeys 192.168.1.40

Related
Documentation

214

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 35

Traffic Interception
This chapter explains traffic interception for DDoS Secure and describes the available
advanced configuration commands.

Traffic Interception Configuration Overview on page 215

show wrapper

set wrapper blocked

set wrapper reverse

set wrapper unwrap

Traffic Interception Configuration Overview

The DDoS Secure appliance can generate pages that can be served back to the requesting
client if the traffic would otherwise be dropped by a appliance filter. For further information
on how to configure these, see subsequent chapters in this document
It is also possible to reverse the direction sense for specific VLANs where the notion of
Internet and protected have to be reversed due to the network routing.
It is also possible to define whether some protocols are to be unwrapped to inspect the
IP address packets contained within. IPv6 in IPv4, GRE tunnels, and GTP tunnels are
supported. Table 45 on page 215 describes the traffic interception parameters.

Table 45: Traffic Interception Parameters

Parameter

Value

Description

enable

yes|no

Enables/disables response page generation.

respcode

CODE

HTTP response code to be generated.

http_ports

PORTLIST|none

HTTP response on these ports only.

https_ports

PORTLIST|none

HTTPS response on these ports only.

vlan

VLAN

Operates on this VLAN.

Copyright 2014, Juniper Networks, Inc.

215

DDoS Secure CLI User Guide

Table 45: Traffic Interception Parameters (continued)

Parameter

Value

Description

gtp

yes|no

Wraps IP packets (used by the mobile space)

with a different outer set of IP headers and other
information for routing traffic across mobile
networks.

gre

yes|no

Wrasp IP packets with a different outer set of IP

headers for routing traffic across networks.

ip6in4

yes|no

Wraps IPv6 packets with an outer IPv4 set of

headers, so that the IPv6 traffic can be routed
over an IPv4 network.

Related
Documentation

216

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 35: Traffic Interception

show wrapper
Syntax

show wrapper <all|blocked|reverse|unwrap>

Description

Displays the current wrapping configuration.

Sample Output
JS>show wrapper all
set wrapper blocked country enable yes respcode 200 http_ports 80
https_ports none
set wrapper blocked ip enable yes respcode 200 http_ports 80 https_ports none

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

217

DDoS Secure CLI User Guide

set wrapper blocked

Syntax

Description

set wrapper blocked country enable <yes|no>

Sets the wrapper blocked configuration. It is possible to set up a customized access

denied page based on whether a country or IP address has been blacklisted. This is only
done for the specified ports.

Sample Output
JS>set wrapper blocked country enable yes http_ports 80
JS>apply
JS>show wrapper all
set wrapper blocked country enable yes respcode 404 http_ports 80
https_ports none
set wrapper unwrap gtp no gre yes ip6in4 yes

Related
Documentation

218

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 35: Traffic Interception

set wrapper reverse

Syntax
Description

Related
Documentation

set wrapper reverse vlan <VLAN>

Sets the traffic that match the specific VLAN tag to be treated as if flowing in the opposite
direction.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

219

DDoS Secure CLI User Guide

set wrapper unwrap

Syntax
Description

Related
Documentation

220

set wrapper unwrap <gtp|gre|ip6in4> <yes|no>

Defines the IP address protocols that are to be unwrapped and to inspect the IP address
packets that are contained within.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 36

Usage
This chapter explains usage configuration for DDoS Secure and describes the available
advanced configuration commands.

Usage Configuration Overview on page 221

show usage

set usage

Usage Configuration Overview

It is possible to define different table sizes for all the tracked information. The defined
sizes are subjected to the amount of RAM, so the DDoS Secure appliance will reduces
the values if they are too large.
Table 46 on page 221 describes the usage parameters and their format.

Table 46: Usage Parameters

Parameter

Value

Description

hwid

HARDWARE-ID

The hardware ID of the appliance.

bandwidth

BANDWIDTH

The purchased license count (in 1G units) to be

shared across all DDoS Secure units.

bgprules

1K|2K|4K|8K

The number of supported BGP FlowSpec rules.

NOTE: Some routers have limits on supported
FlowSpec rules, so making this too large could
cause issues on the router.

protected

2|4|8|16|32|64|128|256|512|1K|
2K|4K|8K|16K|32K|64K

The number of protected IP addresses.

portals

2|4|8|16|32|64|128|256

The number of protected portals.

filter

32|64|128|256|512|1K|2K|4K|8K|16K

The number of filter entries.

ratelimiters

2K|4K|8K|16K|32K|64K|128K|
256K|512K|1M|2M|4M

The number of supported rate limiters.

Copyright 2014, Juniper Networks, Inc.

221

DDoS Secure CLI User Guide

Table 46: Usage Parameters (continued)

Parameter

Value

Description

tracked

128K|256K|512K|1M|2M|4M
|8M|16M|32M

The number of tracked IP addresses.

macs

128|256|512|1K|2K|4K|8K|16K|32K

The number of MAC addresses.

tcps

128K|256K|512K|1M|2M|4M

The number of TCP sessions.

udps

128K|256K|512K| 1M|2M|4M

The number of UDP sessions.

icmps

2K|4K|8K|16K|32K|64K

The number of ICMP sessions.

others

2K|4K|8K|16K|32K|64K

The number of other IP address sessions.

frags

2K|4K|8K|16K|32K

The number of fragment sessions.

ftps

512|1K|2K|4K|8K|16K

Navigating Through the CLI on page 7

show usage on page 223

set usage on page 224

Copyright 2014, Juniper Networks, Inc.

Chapter 36: Usage

show usage
Syntax
Description

show usage

Displays the usage settings.

Sample Output
JS>show usage
set usage hwid 00:80:B4:07:CE:25 bandwidth 1G protected 64 portals 16 filters
256 ratelimiters 4K macs 1K tracked 2M tcps 512K udps 64K icmps 8K others 8K
frags 8K ftps 1K httpparsers 1K bfsrules 2K ssldecoders 1K sslsessions 1K
sslhsbuffers 32 sslbbuffers 256 sslkx 1K

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Usage Configuration Overview on page 221

set usage on page 224

Copyright 2014, Juniper Networks, Inc.

223

DDoS Secure CLI User Guide

set usage
Syntax

Description

Related
Documentation

224

JS>set usage
hwid Appliance hardware ID (if for another machine)
[bandwidth <BANDWIDTH>]
[protected <2|4|8|16|32|64|128|256|512|1K|2K|4K|8K|16K|32K|64K>]
[portals <2|4|8|16|32|64|128|256>]
[filters <32|64|128|256|512|1K|2K|4K|8K|16K>]
[ratelimiters <2K|4K|8K|16K|32K|64K|128K|256K|512K|1M|2M|4M>]
[tracked <128K|256K|512K|1M|2M|4M|8M|16M|32M>]
[macs <128|256|512|1K|2K|4K|8K|16K|32K>]
[tcps <128K|256K|512K|1M|2M|4M>]
[udps <128K|256K|512K|1M|2M|4M>]
[icmps <2K|4K|8K|16K|32K|64K>]
[others <2K|4K|8K|16K|32K|64K>]
[frags <2K|4K|8K|16K|32K>]
[ftps <512|1K|2K|4K|8K|16K>]
[httpparsers <1K|2K|4K|8K|16K|32K|64K|128K|256|512K|1M|2M>]
[ssldecoders <512|1K|2K|4K|8K|16K>]
[sslsessions <512|1K|2K|4K|8K|16K>]
[sslhsbuffers <512|1K|2K|4K|8K|16K>]
[sslbbuffers <512|1K|2K|4K|8K|16K>]
[sslkx <512|1K|2K|4K|8K|16K>]

Updates the usage tables.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Usage Configuration Overview on page 221

show usage on page 223

Copyright 2014, Juniper Networks, Inc.

CHAPTER 37

User Management
This chapter explains user management configuration for DDoS Secure and describes
the available advanced configuration commands.

User Management Configuration Overview on page 225

show user

remove user

set user

User Management Configuration Overview

User accounts as determined by one of the following permissions. Users are only allowed
to access their allocated portal information.
There are two basic types of users:

Users who can access the GUI or CLI.

Users who can access the RESTful interface through an API key.

A user can only be one of the basic types, which is determined by the rest parameter.
Table 47 on page 225 describes the user access permission details.

Table 47: User Access Permissions

Parameter

Value

administrator

Has full access to change any configuration entry.

operator

Has full access to change any configuration entry other than user account configuration.
Limited read-only access to user information.

guest

Has read-only access to configuration settings.

Has no access to user information.

sso

Copyright 2014, Juniper Networks, Inc.

Can only change user information.

225

DDoS Secure CLI User Guide

Table 48 on page 226 table describes the user parameters and their formats.

Table 48: User Account Parameters

Parameter

Value

Description

user

USERNAME

The username for this account.

password

PASSWORD

The user password.

perms

PERMS

The user access permissions.

rest

yes|no

If true, this is a RESTful API user only and the user

password field is ignored.

apikey-digest

APIKEYDIGEST

RESTful user's API digest key.

Related
Documentation

226

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Access Control Configuration Overview on page 13

Copyright 2014, Juniper Networks, Inc.

Chapter 37: User Management

show user
Syntax
Description

show user <USERNAME|all>

Displays the complete list of the configured user accounts. If the user using the command
has administrator or SSO permissions then the encrypted passwords or API digest keys
are also shown along with the account name and permissions.

Sample Output
JS>show user all
set user user password $1$ehL5yai/$ewwyx00qx3VIdKXITvRUG. perms administrator
set user test password $1$wLh6yBh0$vmth1CmyrvQDg6ZKDTuqn. perms operator

Users with operator or guest permissions will be shown the list of users without the
passwords.
JS>show user all
set user user perms administrator
set user test perms operator

Alternatively, the details of a specific user can be shown if the username is specified
instead of the parameter all.
This command is not available to guest accounts.
JS>show user test
set user test password $1$wLh6yBh0$vmth1CmyrvQDg6ZKDTuqn. perms operator

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

227

DDoS Secure CLI User Guide

remove user
Syntax
Description

remove user <USERNAME|all>

Deletes a specific user. Only administrators or SSOs can remove users, and they cannot
delete themselves or change their own permission status.
This command can also be used to delete all current users. To do this the parameter
value all is used instead of a user account name. Administrators or SSOs can use remove
user all but the command will not remove the logged in user account. When deleting all
users the command will ask for confirmation.

NOTE: It is possible to disable the prompting, which can be useful for

automated scripts.

Related
Documentation

228

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 37: User Management

set user
Syntax

Description

set user<USERNAME> [perms <administrator|operator|guest|sso>] [password]

<PASSWORD> [rest <yes|no>]

Creates a new user or modifies an existing one. When creating a new user the password
or rest must be specified. If the permissions are not specified then the permissions for
the guest is assumed.
For an existing user account the set user command can be used to modify the password,
rest mode, or permissions.
When specifying the password either the encrypted form or a plain text password may
be entered. An encrypted password, in the form of an MD5 hashed key, is recognized by
the password starting with $1$.

NOTE:

There is no echo suppression or masquerading of the input data when using

the set user command, even when plain text password entry is in use.

The standard Linux /etc/passwd file is used, so if a username already exists,

this user cannot be used for DDoS Secure management.

CAUTION: Unlike the Web-based interface, there is no prompting for a repeat

of the password entry, therefore extra care must be taken to avoid typing
mistakes.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

229

DDoS Secure CLI User Guide

230

Copyright 2014, Juniper Networks, Inc.

CHAPTER 38

System Maintenance
This chapter explains system maintenance configuration for DDoS Secure and describes
the available advanced configuration commands.

system restart

system restart_clear

system shutdown

system reboot

system powerdown

system factoryreset

system config_reset

system clear_custom

system check

system helpdesk

Copyright 2014, Juniper Networks, Inc.

231

DDoS Secure CLI User Guide

system restart
Syntax
Description

Related
Documentation

232

system restart

Restarts the DDoS Secure appliance software but does not restart the underlying
operating system.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 38: System Maintenance

system restart_clear
Syntax
Description

Related
Documentation

system restart_clear

Restarts the DDoS Secure appliance software but does not restart the underlying
operating system. All tables are cleared out, so the DDoS Secure appliance will need to
re-learn everything.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

233

DDoS Secure CLI User Guide

system shutdown
Syntax
Description

Related
Documentation

234

system shutdown

Shuts down the DDoS Secure appliance engine only. The underlying operating system
continues to run as does the GUI/CLI.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 38: System Maintenance

system reboot
Syntax
Description

Related
Documentation

system reboot

Reboots the DDoS Secure appliance.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

235

DDoS Secure CLI User Guide

Related
Documentation

system clear_custom

Removes any custom installed templates, certificates, or images.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

239

DDoS Secure CLI User Guide

system check
Syntax
Description

Related
Documentation

240

system check

Outputs a build and health check summary.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 38: System Maintenance

system helpdesk
Syntax
Description

Related
Documentation

system helpdesk

Writes a copy of the HelpDesk file and the Hardware Diagnostics file to a formatted
external USB drive.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

241

DDoS Secure CLI User Guide

242

Copyright 2014, Juniper Networks, Inc.

CHAPTER 39

Settings for Command-Line Environment

This chapter describes the settings for the CLI environment.

Terminal Configuration on page 243

show terminal

set terminal

Terminal Configuration
Table 49 on page 243 describes the terminal configuration parameters and their formats.

Table 49: Terminal Configuration Parameters

Parameter

Value

Description

pause

yes|no

Enables or disables the automatic pause at the

end of a screen of text. Disabling this feature can
be useful in scripts to avoid the possibility of
pauses which might interfere with the next line of
the script.
Default value is yes.

confirmations

yes|no

Enables or disables confirmations. Disabling

confirmations will stop the prompts are you sure,
from appearing. This can be useful in scripts.
Default value is yes.

lines

LINES

The number of vertical character lines the terminal

is capable of displaying.

cols

COLS

The number of horizontal character columns the

terminal is capable of displaying.

term

TERMTYPE

The terminal type. For example, vt220.

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Copyright 2014, Juniper Networks, Inc.

243

DDoS Secure CLI User Guide

244

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 39: Settings for Command-Line Environment

show terminal
Syntax
Description

show terminal

Displays the current terminal settings for this session.

Sample Output
JS>show terminal
set terminal pause yes confirmations yes lines 24 cols 80 term vt100

Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

245

DDoS Secure CLI User Guide

set terminal
Syntax

set terminal [pause <yes|no>] [confirmations <yes|no>]

[lines <LINES>] [cols <COLS>] [term <TERMTYPE>]

NOTE: Only single parameter or value pair can be defined at once.

Description

Sets the terminal settings for the current CLI session. At the start of each new session
the default values will be restored.

Sample Output
JS>set terminal pause yes
Terminal pause is now ON
JS>set terminal pause no
Terminal pause is now OFF

Related
Documentation

246

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 40

Statistics and Informational Commands

This chapter describes statistics and informational commands.

stats view

show version

ping

Copyright 2014, Juniper Networks, Inc.

247

DDoS Secure CLI User Guide

stats view
Syntax
Description

Related
Documentation

248

stats view

Displays the graphical output on the screen. Entering any key gives a list of all the available
display options. The screen size and output format is based on terminal settings described
in the chapter, Settings for Command-Line Environment.

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

Chapter 40: Statistics and Informational Commands

show version
Syntax
Description

show version

Displays the current software release along with other version details about the unit.

Sample Output
JS>sh version
DDoS Secure Code Version:
DDoS Secure Code Base:
DDoS Secure Build Date:
CD Base Image:
Actual Memory Size:
Actual Number of CPUs:
Serial No:
Hardware ID:
Platform:
Last Restart:
Licensed Throughput:
Memory To Use:
CPUs To Use:
Protected IPs Supported:
Tracked IPs Supported:
Portals Supported:
Filters Supported:
Rate Limiters Supported:
MAC Entries Supported:
TCP Entries Supported:
UDP Entries Supported:
ICMP Entries Supported:
Other IP Entries Supported:
Fragment Entries Supported:
FTP Entries Supported:
SSL Decoders Supported:
SSL Sessions Supported:
SSL Handshake Buffers:
SSL Block Buffers:
SSL Key Exchanges Supported:

5.14.1-0
CENTOS_6_3
201305201820GMT
5.14.1-0
31.3G
16
A1RYMW1
90:B1:1C:2A:A3:28
J-DDOS-SEC-AP2
Tue May 21 16:54:09 2013
10G
31G
16
64K
32M
256
4K
4K
16K
4M
512K
64K
64K
32K
8K
512K
512K
1K
2K
512K

Table 50 on page 249 describes the information of each line.

Table 50: Show Version Parameters

Parameter

Description

DDoS Secure Code Version

The current version of the core DDoS Secure appliance software.

DDoS Secure Code Base

The underlying operating system.

DDoS Secure Build Date

When the build took place.

CD Base Image

The version of the CD used to re-image the unit.

Actual Memory Size

The available RAM.

Copyright 2014, Juniper Networks, Inc.

249

DDoS Secure CLI User Guide

Table 50: Show Version Parameters (continued)

Parameter

Description

Actual Number of CPUs

The number of CPU available.

Serial No

The serial number of the appliance.

Hardware ID

The ID key of the appliance.

Platform

The Juniper appliance model number.

Last Restart

The last time the DDoS Secure engine was restarted.

Licensed Throughput

This should match the size of the purchased license.

Memory To Use

Amount of memory the appliance is allowed to use.

CPUs To Use

Number of CPU the appliance is allowed to use.

Protected IP addresses Supported

The maximum number of protected IP addresses that can be tracked.

Tracked IP addresses Supported

Tracked IP addresses supported and the maximum number of Internet client IP addresses
that can be tracked.

Portals Supported

The maximum number of portals supported.

Filters Supported

The maximum number of filters supported.

Rate Limiters Supported

The maximum number of rate-limiters supported.

MAC Entries Supported

The maximum number of MAC entries supported.

TCP Entries Supported

The maximum number of TCP sessions supported.

UDP Entries Supported

The maximum number of UDP sessions supported.

ICMP Entries Supported

The maximum number of ICMP sessions supported.

Other IP Entries Supported

The maximum number of other IP address sessions supported.

Fragment Entries Supported

The maximum number of fragment sessions supported.

FTP Entries Supported

The maximum number of FTP sessions supported.

SSL Decoders Supported

The number of decoders available for SSL inspection.

SSL Sessions Supported

The number of sessions cached for resumption during SSL Inspection.

SSL Handshake Buffers

The number of handshake buffers available for SSL inspection.

250

Copyright 2014, Juniper Networks, Inc.

Chapter 40: Statistics and Informational Commands

Table 50: Show Version Parameters (continued)

Parameter

Description

SSL Block Buffers

The number of block buffers available for SSL inspection.

SSL Key Exchanges Supported

The number of key exchange buffers available for SSL inspection.

It is possible to update the supported counts with the set usage command.
Related
Documentation

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

251

DDoS Secure CLI User Guide

ping
Syntax
Description

ping <IPADDRESS>

Provides the ability to ping an IP address that is routable over the management or
DataShare interfaces for troubleshooting purposes.

NOTE: If Layer 2/3 or Layer 3 mode is configured, any IP addresses attached

to or routed through the Internet or Protected interfaces will not respond to
the ping command.

Sample Output
JS>ping 192.168.0.4
PING 192.168.0.4 (192.168.0.4) 56(84)
64 bytes from 192.168.0.4: icmp_seq=1
64 bytes from 192.168.0.4: icmp_seq=2
64 bytes from 192.168.0.4: icmp_seq=3
64 bytes from 192.168.0.4: icmp_seq=4
64 bytes from 192.168.0.4: icmp_seq=5

bytes of data.
ttl=64 time=1.46 ms
ttl=64 time=0.411 ms
ttl=64 time=0.359 ms
ttl=64 time=0.401 ms
ttl=64 time=0.392 ms

--- 192.168.0.4 ping statistics --5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.359/0.605/1.466/0.431 ms
JS>

Related
Documentation

252

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

CHAPTER 41

BGP Trigger Router Configuration

This chapter describes how a DDoS Secure appliance can act as a trigger router in a
Remote Triggered Black Hole (RTBH) environment.

DDoS Secure BGP Trigger Router on page 253

DDoS Secure Appliance BGP Configuration on page 254

Peering Router Sample Configuration on page 254

Rerouting Trigger on page 255

Force Specific Rerouting

DDoS Secure BGP Trigger Router

The DDoS Secure appliance can act as a trigger router in a Remote Triggered Black Hole
(RTBH) environment. It is then down to the BGP environment as to whether any IP address
re-routed by the trigger router is either null routed, or re-routed through some other
infrastructure.
The code was initially created for the appliance mitigation blade chassishence the CLI
chassis syntax, where traffic can be re-routed through alternative blades. Something
similar to the following lines are needed to get BGP working, where A.B.C.D is your DDoS
Secure appliance management IP address, and W.X.Y.Z is the peering BGP router:
JS>set chassis blade ip A.B.C.D
JS>set chassis bgp ddos_secure A.B.C.D our_as 65099 neigh_ip
W.X.Y.Z neigh_as 65014 neigh_pass 123456
comm_as 65040 comm_no 99 lowertimer 300
JS>apply

This then generates a (quagga) configuration file on the appliance which is similar to the
following (ip prefix-list not-ours deny are the local DDoS Secure appliance IP addresses).

NOTE: This is not the same as Configuring BGP Flow Spec, which does not
use the Quagga process.

Related
Documentation

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

Copyright 2014, Juniper Networks, Inc.

253

DDoS Secure CLI User Guide

DDoS Secure Appliance BGP Configuration

!
router bgp 65099
bgp router-id A.B.C.D
bgp log-neighbor-changes
redistribute kernel route-map scrub-out
redistribute static route-map scrub-out
neighbor W.X.Y.Z remote-as 65014
neighbor W.X.Y.Z password 123456
neighbor W.X.Y.Z maximum-prefix 500
neighbor W.X.Y.Z route-map scrub-out out
neighbor W.X.Y.Z route-map scrub-in in
!
ip prefix-list not-ours seq 10 deny 1.1.1.128/30 le 32
ip prefix-list not-ours seq 20 deny 1.234.56.0/24 le 32
ip prefix-list not-ours seq 30 deny 169.254.0.0/16 le 32
ip prefix-list not-ours seq 40 deny 127.0.0.0/8 le 32
ip prefix-list not-ours seq 60 deny 192.168.0.0/24 le 32
ip prefix-list not-ours seq 70 deny 0.0.0.0/0
ip prefix-list not-ours seq 80 permit any
!
ip community-list 99 permit 65040:99
!
route-map scrub-out permit 10
match ip address prefix-list not-ours
set community 65040:99
!
route-map scrub-in deny 10

Related
Documentation

DDoS Secure BGP Trigger Router on page 253

Network Configuration Overview on page 121

MAC Gateway Configuration Overview on page 111

Peering Router Sample Configuration

!
router bgp 65014
bgp log-neighbor-changes
neighbor A.B.C.D remote-as 65099
neighbor A.B.C.D password 123456
!
address-family ipv4
redistribute connected route-map internal
redistribute static route-map internal
neighbor A.B.C.D activate
neighbor A.B.C.D send-community
neighbor A.B.C.D route-map scrubbing in
neighbor A.B.C.D route-map scrubbout out
no auto-summary
no synchronization
exit-address-family
!
ip bgp-community new-format
ip community-list 99 permit 65040:99

254

Copyright 2014, Juniper Networks, Inc.

Chapter 41: BGP Trigger Router Configuration

!
ip prefix-list localdeny seq 5 permit 10.10.10.1/32
!
ip prefix-list scrubb seq 5 permit F.G.H.0/21 le 32
!
route-map scrubbing permit 10
match ip address prefix-list scrubb
match community 99 exact-match
set local-preference 200
set community no-advertise
set ip next-hop W.X.Y.Z
!
route-map scrubbout permit 10
match ip address prefix-list localdeny

Related
Documentation

DDoS Secure BGP Trigger Router on page 253

Network Configuration Overview on page 121

MAC Gateway Configuration Overview on page 111

Rerouting Trigger
These are based on the thresholds defined in the portal definition, and then applied to
any IP address within that portal.
Table 51 on page 255 describes the portal definitions that will be actioned if BGP is enabled.

Table 51: Rerouting Trigger Parameters

Parameter

Description

rerouteminpkts

Packet rate has to remain below this threshold for at least lower timer seconds for the
routing trigger to be removed.

reroutemaxpkts

Packet rate threshold for routing trigger to be invoked.

rerouteminspeed

Speed has to remain below this threshold for at least lower timer seconds for the routing
trigger to be removed.

reroutemaxspeed

Speed threshold for routing trigger to be invoked.

Currently, only the protected IP address is inserted as a trigger route.

Related
Documentation

DDoS Secure BGP Trigger Router on page 253

Network Configuration Overview on page 121

MAC Gateway Configuration Overview on page 111

Copyright 2014, Juniper Networks, Inc.

255

DDoS Secure CLI User Guide

Force Specific Rerouting

Description

Forces specific rerouting.

Sample Output
JS>set chassis reroute ip 1.2.3.4
JS>apply

Related
Documentation

256

DDoS Secure BGP Trigger Router on page 253

Network Configuration Overview on page 121

MAC Gateway Configuration Overview on page 111

Copyright 2014, Juniper Networks, Inc.

CHAPTER 42

Understanding Blocked Country Response

Configuration

Understanding BlackListed Traffic on page 257

Content Presentation Information on page 257

Understanding Server Information on page 259

DDoS Secure Appliance Engine Configuration on page 259

Testing the Country Codes for IP Addresses on page 259

Bypassing Country Block on page 260

Understanding BlackListed Traffic

Before configuring block country response, if a packet is detected coming from a country
that has been blacklisted, the packet is simply dropped and recorded.
After configuring block country response, if a start of a new session packet comes from
a country that is blacklisted and is a webpage request (to port 80, 443, or other optional
ports), this is then redirected to an internal server that serves up a content page indicating
that access from this country is blocked, potentially giving a reason why and some contact
information. This allows the originator of the connection to request temporary access if
they legitimately need it.
Related
Documentation

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

DDoS Secure BGP Trigger Router on page 253

Content Presentation Information

Filenaming Convention on page 257

Standard File Content on page 258

Filenaming Convention
There are a series of template files named blockedcountryXXXXYYYYZZZZ.tmpl or
blockedcountryXXXXYYYYZZZZ.tmpl, where:

Copyright 2014, Juniper Networks, Inc.

257

DDoS Secure CLI User Guide

XXXX optionally can be <DDoS Secure appliance portal name> where DDoS Secure
appliance portal name is one of the optional user defined DDoS Secure appliance
portals.

YYYY optionally can be CCC where CCC is the 3 letter country code.

ZZZZ optionally can be -www.domain.com.

The most specific match will be used with blockedcountryYYYY.tmpl overriding

blockedcountryXXXX.tmpl.

Standard File Content

The content will be standard html (<html> .. </html>) with replaceable keywords.

NOTE: Any references to external (to the page) information (for example:
<img>, <frame>, href= and so on.) should be used with care, as they cannot
be hosted on any of the protected websites as access to the references will
also get (recursively) blocked.

Table 52 on page 258 describes keywords that can be recognized and replaced.

Table 52: File Content Parameters

Parameter

Description

%HOST%

Entry from the Host: Header.

%URL%

URL from the GET/POST/HEAD request. The host: header entry will be prefixed when
appropriate.

%CCC%

Country name.

%IP%

Requesting IP address.

%TIME%

Current time of day (local time) in DAY MMM NNN HH:MM:SS YEAR format. For example:
Wed Nov 30 21:49:08 2013).

Cache-control will be set to cache-control: no-cache, no-store in the response headers.

The page must be no more than 1000 bytes, so that it (along with the headers) can be
sent back in a single packet.
The connection will be closed after serving the content.
If templates are not added, or are not matched, the following built-in template are used:
<html>
<h1>Access Administratively Blocked</h1>
<br>URL : '%URL%'
<br>Country : '%CCC%'
<br>Client IP address : '%IP%'
</html>

258

Copyright 2014, Juniper Networks, Inc.

Chapter 42: Understanding Blocked Country Response Configuration

Related
Documentation

DDoS Secure Appliance Engine Configuration on page 259

Network Configuration Overview on page 121

DDoS Secure BGP Trigger Router on page 253

Understanding Server Information

A simple webserver, running in a chroot, setuid environment on the DDoS Secure appliance.
The blockedcountryXXXYYYYZZZZ.tmpl files will have the % keywords replaced at
usage time.
The blockedcountryXXXYYYYZZZZ.tmpl files are updated through the DDoS Secure
appliance GUI using the patch update mechanism. The patch update file (bc.upg) will
(on a Linux system) need to be built with the following command:
echo 5.13 >webscreen- ; tar cvf bc.upg webscreen- blockedcountry*.tmpl

To delete a .tmpl file, repeat the line above, but without the file in question and re-install
the bc.upg patch.
This server will handle both HTTP and HTTPS connections. For HTTPS connections,
either a self-signed certificate or a CA signed certificate can be uploaded by including
the file redirect.pem (which includes both the public and private key) in the bc.upg file.
Related
Documentation

DDoS Secure Appliance Engine Configuration on page 259

DDoS Secure Appliance Engine Configuration

The DDoS Secure appliance engine can be configured only through the CLI interface. The
commands are:

show wrapper all

show wrapper blocked

remove wrapper blocked

set wrapper blocked country enable <yes|no> respcode <resp code>

http_ports <none|PORT> https_posts <none|PORT>

Related
Documentation

Network Configuration Overview on page 121

DDoS Secure BGP Trigger Router on page 253

Testing the Country Codes for IP Addresses

It is possible to re-classify the country code for any IP address.The testing process is:

Copyright 2014, Juniper Networks, Inc.

259

DDoS Secure CLI User Guide

Select and Block a particular country (e.g pr (RFC1918 addresses))

set block country pr

Reassign IP Address through the CLI.

set geoip ip code pr ip 1.2.3.4

Test with connections from the IP 1.2.3.4 to get warning page.

Add 1.2.3.4 to allow country block override list and verify that the normal page is
reached.
set block cignoreip 1.2.3.4

Reverse out configuration changes when finished.

NOTE: If the DDoS Secure appliance Engine is in Logging mode, then this
warning page will not get generated as all traffic is passed through anyway
even if a country is blocked.

Bypassing Country Block

You can configure Individual IP addresses, ranges, or subnets to override country blocking;
so they are then allowed normal access, despite the traffic coming from a blocked country.
This can be done through the GUI or CLI.
Related
Documentation

260

Network Configuration Overview on page 121

DDoS Secure BGP Trigger Router on page 253

Copyright 2014, Juniper Networks, Inc.

PART 3

Appendix

Parameter Definitions on page 263

Structured Syslog Details on page 273

DDoS Secure Appliance TCP States on page 299

ICMP Types on page 301

Incident (Attack) Types on page 303

Letter Country Codes on page 309

Panel and Connector Locations on page 333

Troubleshooting on page 335

GUI Branding on page 337

Copyright 2014, Juniper Networks, Inc.

261

DDoS Secure CLI User Guide

262

Copyright 2014, Juniper Networks, Inc.

APPENDIX A

Parameter Definitions
This appendix defines the syntax for the variable values that are used throughout this
guide.

Variable Value Formats

Table 53 on page 263 describes the variable value formats.

Table 53: Variable Value Formats

Parameter Value

Example

Description

ACTION

discard

One of accept, discard, mark, redirect, ratelimit, sample,

terminal, or sample-terminal.

ACTIONVALUE

100K

Appropriate value for ACTION. For example, SPEED and

COMMUMITY.

ALERTINTERVAL

A positive value representing minutes.

ASLIST

1 - 3333, 3335 - 65535

A list of one or more comma separated ASNUMBER (max

AS # 65535).

ASNUMBER

6523

An Autonomous System (BGP Routing) number.

AUTO-BACKLOG

auto-100

System rebooted.

AUTO-CONNECTIONS

auto-500

DDoS Secure engine prompts to restart.

AUTO-CONNRATE

auto-500

DDoS Secure engine prompts to shutdown.

AUTO-GETS

auto-500

Factory reset occurred.

BACKLOG

100

Software upgraded.

BANDWIDTH

Number of software licenses (in 1G units) to be applied

across a cluster of DDoS Secure devices.

BIAS

Configuration changed.

Copyright 2014, Juniper Networks, Inc.

263

DDoS Secure CLI User Guide

Table 53: Variable Value Formats (continued)

Parameter Value

Example

Description

COLS

Logging state started.

CONNECTIONS

500

Logging state with no TCP keepalives started.

CONNRATE

200

Defending state started.

COUNTRIES

all,!USA

A list of one or more COUNTRYCODE comma separated.

COUNTRYCODE

USA

Three letter country codes. A full list can be found in

Appendix C. A prefix of ! means not this country. all means
all countries.

DOMAIN

mydomain.com

A domain name.

DSCP

A Differentiated Services Code Point (DSCP).

DSCPLIST

3 - 4,8

A potentially mixed comma separated list of DSCP and

DSCPRANGE. Spaces or line breaks must not be present
within the list.
Can be a single DSCP or DSCPRANGE.

DSCPRANGE

3-4

A range of inclusive DSCPs, separated by -, specified in

ascending order.

DISKNAME

/dev/sdb

Specific disk name.

DROPRATE

Rate above which traffic will get auto-black-listed.

EMAILADDRESS

[email protected]

Any valid e-mail address containing @ and a fully qualified

domain.

MAILADDRESSES

[email protected],
[email protected]

One or more EMAILADDRESS that are comma separated.

EREGEX

^/index\.(asp|htm)$

Posix EREGEX.

FCMODE

none

The flow control mode of the interface. Valid values are

none, tx_only, rx_only, full, and auto. FCMODE auto is only
supported if LINKMODE is set to auto.

FILTERNAME

Inweb

Can be any printable character other than a space.

Maximum length is 15 characters.

FILTERS

The number (of limited) filters to allocate to this portal.

FLOWFLUSH

A positive value between 1 and 60 inclusive (in minutes).

FREQUENCY

One of h(our), d(ay) or w(eek).

264

Copyright 2014, Juniper Networks, Inc.

Appendix A: Parameter Definitions

Table 53: Variable Value Formats (continued)

Parameter Value

Example

Description

GETS

200

A single non-negative number, or U.

GROUPINGID

An integer between 1 and 254 inclusive.

HAMODE

active-standby

Valid modes are standalone, active-standby,

active-standby-fs, and load-share-mc.

HARDWARE-ID

00:01:02:03:04:05

Six hexadecimal values separated by colons. Case

insensitive.

HEADER

X-Forwarded-For:

Must include trailing : and this is case insensitive.

ICMPCODE

An ICMP code number in the range 0 to 255.

ICMPCODELIST

3 - 4,8

A potentially mixed comma separated list of ICMPCODE

and ICMPCODERANGE. Spaces or line breaks must not be
present within the list. Can be a single ICMPCODE or
ICMPCODERANGE.

ICMPCODERANGE

3-4

A range of inclusive ICMPTYPEs, separated by -, specified

in ascending order.

ICMPTYPE

An ICMP type number in the range 0 to 255. 18 is the largest

currently defined type.

ICMPTYPELIST

3 - 4,8

A potentially mixed comma separated list of ICMPTYPE

and ICMPTYPERANGE. Spaces or line breaks must not be
present within the list. Can be a single ICMPTYPE or
ICMPTYPERANGE.

ICMPTYPERANGE

3-4

A range of inclusive ICMPTYPEs, separated by -, specified

in ascending order.

ICMP6TYPE

128

An ICMP6 type number in the range 0 to 255. 18 is the

largest currently defined type.

ICMP6TYPELIST

128 - 129,131

A potentially mixed comma separated list of ICMP6TYPE

and ICMP6TYPERANGE. Spaces or line breaks must not
be present within the list. Can be a single ICMP6TYPE or
ICMP6TYPERANGE.

ICMP6TYPERANGE

128 - 129

A range of inclusive ICMP6TYPEs, separated by -, specified

in ascending order.

IPADDRESS

192.168.1.1

A single host entry (can be IPv6).

IPBLOCK

192.168.0.3-192.168.0.9

A contiguous block of IP addresses (can be IPv6).

IPLIST

192.168.1.1,192.158.0.3

One or more comma separated IPADDRESS entries.

Copyright 2014, Juniper Networks, Inc.

265

DDoS Secure CLI User Guide

Table 53: Variable Value Formats (continued)

Parameter Value

Example

Description

IPMULTI

225.0.0.1

A multi-cast IP address.

IPNETWORK

192.168.2.0/24

A network entry in network/bits format, it uses a bit count

mask entry (can be IPv6).

IPNETWORK

192.168.3.0/255.255.255.0

A network entry in network/mask format, uses a dotted

decimal mask entry.

IPRANGE

10.1.1.1,10.1.2.0/24
10.1.3.0/255.255.255.0,
192.168.0.3-192.168.0.9

A potentially mixed comma separated list of IPADDRESS,

IPNETWORK, and IPBLOCK. Spaces or line breaks must
not be present within the list. Can consist of a single
IPADDRESS, IPNETWORK, and IPBLOCK (can be IPv6).

LENGTH

100

A packet length, including the IP headers.

LENGTHLIST

100 - 200,300

A potentially mixed comma separated list of LENGTH and

LENGTHRANGE. Spaces or line breaks must not be present
within the list. Can be a single LENGTH or LENGTHRANGE.

LENGTHRANGE

100 - 200

A range of inclusive LENGTH, separated by -, specified in

ascending order.

LICENSE-KEY

78c683db-2de8514486424180-d868a0894c329901-205a4986-075f8d0c

62 characters long and case sensitive (without newlines).

LIFETIME

A positive value between 30 and 6000 inclusive (in

minutes).

LIMIT

Limit above which traffic will get auto-black-listed.

LINES

A valid positive number. Default value is 24.

LINKMODE

100full

The link mode of the interface. Valid values are 10half,

10full, 100half, 100full, 1000full, 10000full and auto. Not
all values may be supported depending on the Webscreen
model.

MAC

00:02:04:06:08:10

A single 6-byte Ethernet MAC entry. This entry may be

followed parameters describing the VLAN or MPLS labels
associated with this MAC address as follows:

MODE

266

defensive

v VLAN

q QINQ

u Unicast MPLS label

m Multicast MPLS label

Valid modes are defending, defending-nostatelearn, logging,

logging-nokeepalives, logging-tap, bypass-software, and
bypass-fs-hardware.

Copyright 2014, Juniper Networks, Inc.

Appendix A: Parameter Definitions

Table 53: Variable Value Formats (continued)

Parameter Value

Example

Description

MODEIP

defensive

Valid modes are defending, logging, and notreported.

MODEPORTAL

defensive

Valid modes are defending and logging.

MTU_SIZE

1500

IP Packet length with 16 bytes for vlans/mpls.

NETMASK

255.255.255.0

A network mask in dotted decimal mask entry.

PASSWORD

mypassword

Must contain printable characters and have a maximum

length of 35 characters when not encrypted.

PERMS

administrator

One of administrator, sso, operator, or guest.

PKTS

3.7K

Packet rate for the appropriate threshold.

PORT

A port number in the range 1 to 65535.

PORTALNAME

portal123

Starts with a alpha character, contains alpha-numeric

characters, ., _ and -. Maximum length is 15 characters.

PORTLIST

22, 35 - 40

A potentially mixed comma separated list of PORT and

PORTRANGE. Spaces or line breaks must not be present
within the list. Can be a single PORT or PORTRANGE.

PORTRANGE

35 - 40

A range of inclusive PORTs, separated by "-", specified in

ascending order.

PRIORITY

Priority weighting for failover systems to determine if a

system is a natural active. Valid values are -127 to 127.

PROTECTED

The number (of limited) protected IPs to allocate to this

portal.

PROTECTEDNAME

webserver1

Starts with an alpha-numeric character, contains

alpha-numeric characters, _, -, and .. Maximum length
is 31 characters.

PROTOCOL

A protocol number in the range 1 to 255.

NOTE: Protocols 1 (ICMP), 6 (TCP), and 17 (UDP) are
handled separately and ignored if specified here.

PROTOCOLLIST

22, 35 - 40

A potentially mixed comma separated list of PROTOCOL

and PROTOCOLRANGE. Spaces or line breaks must not
be present within the list. Can be a single PROTOCOL or
PROTOCOLRANGE.

PROTOCOLRANGE

50 - 51

A range of inclusive PROTOCOLs, separated by -, specified

in ascending order.

Copyright 2014, Juniper Networks, Inc.

267

DDoS Secure CLI User Guide

Table 53: Variable Value Formats (continued)

Parameter Value

Example

Description

RATE

100

An integer value between 0 and 65535 packets per second.

REGEX

^/index.asp$

Posix REGEX. Use end and start locators to prevent false

matches.

RESPCODE

503

3 digit response code.

SECRET

serverPassword

Must contain printable characters and has a maximum

length of 128 characters.

SERVERNAME

webserver1

Starts with an alpha-numeric character, contains

alpha-numeric characters, _, -, and .. Maximum length
is 31 characters.

SPEED

10M

Speed in bits per second (bps). The numeric value can be

suffixed with K, M, or G as appropriate. All speeds are
rounded down to a multiple of 8 bps.

STATETIMEOUT

A value between 2 and 3600 seconds.

STRING

/index.asp

Any printable characters.

SYSFACILITY

local1

One of auth, cron, daemon, kern, lpr, mail, new, user, uucp,
syslog, local0, local1, local2, local3, local4, local5, local6,
or local7. The receiving Syslog server must be configured
to accept and redirect the Syslog information based on
SYSFACILITY and SYSPRIORITY.

SYSPRIORITY

info

One of alert, crit, debug, emerg, err, info, notice, or warning.

TEMPLATEP

1000

A positive value between 1 and 1000 inclusive.

TEMPLATEM

A positive value between 1 and 3600 inclusive (in minutes).

TERMTYPE

vt220

The terminal type. Default is vt100.

TEXT

some text contained within

quotes

Any printable character excluding . The text must be

enclosed in quotes if there are any spaces.

THRESHOLD

Erroneous packets per second.

THRESHOLDTIME

Time in seconds before something happens.

TIMEOUT

A positive value between 1 and 60 inclusive (in minutes).

268

Copyright 2014, Juniper Networks, Inc.

Appendix A: Parameter Definitions

Table 53: Variable Value Formats (continued)

Parameter Value

Example

Description

TIMESTRING

24-jan-03 16:00:00

Can be one of the following formats:

yyyy-mm-ddThh:mm:ss (preferred)

dd mmm yyyy hh:mm:ss

dd-mmm-yy hh:mm:ss

mmm dd hh:mm:ss yyyy

TIMEZONE

Europe/London

The full list of available timezones can be found by using

the show timezones command.

TPROTOCOL

lcp

The notional protocol in use.

TSERVICE

Webscreen

Request to use particular service.

URL

http://f.t.com/file.txt

URL containing IP address information.

USERNAME

user123

Starts with a lower alpha character, contains lower

alpha-numeric characters, _, and -. Maximum length is
20 characters.

VALUE

100

An integer value between 0 and 65535.

VLANSDEF

v1024,m1234

A potentially mixed, comma separated list of Vlan

definitions or MPLS labels.

Table 54 on page 269 lists the fixed value formats.

Table 54: Fixed Value Formats

Parameter Values

Specific Area

Description

Webscreen is to be run as part of an Active Standby

configuration with fail-safe card enabled.

Copyright 2014, Juniper Networks, Inc.

269

DDoS Secure CLI User Guide

Table 54: Fixed Value Formats (continued)

Parameter Values

Specific Area

Description

administrator

User

User role that has full administrative rights.

alert

Syslog

Logging Level.

all

All valid entities matched.

auth

Syslog

Logging Facility.

auto

Interface

Auto negotiate configuration.

autodetected

Items that have been auto-detected by the Webscreen, but not

configured.

GeoIP, URL, DNS

Item it to be black-listed.

bl+

DNS

Item is to be black-listed, even if logging.

broadcast

The settings for all servers responding to broadcast MAC

address.

bypass-fs-hardware

Appliance

Pass all traffic straight through the fail-safe card.

bypass-software

Appliance

Pass all the traffic straight through using software.

crit

Syslog

Logging Level.

cron

Syslog

Logging Facility.

daemon

Syslog

Logging Facility.

debug

Syslog

Logging Level.

default

Protected

The default server settings, used for unspecified server fields or

by autodetected servers.

default

The default settings.

defending

Appliance, Portal, Protected

Enabled for defending.

defending-nostatelearn

Appliance

Diagnostic mode where state learning is disabled.

emerg

Syslog

Logging Level.

err

Syslog

Logging Level.

full

Interface

Force full flow control.

guest

User

User role that has only read-only access.

270

Copyright 2014, Juniper Networks, Inc.

Appendix A: Parameter Definitions

Table 54: Fixed Value Formats (continued)

Parameter Values

Specific Area

Description

indeterminate

Protected

The settings for all servers detected by Webscreen after filling

its internal server table, or for traffic to an IP address that has
not yet been confirmed as a genuine server.

info

Syslog

Logging Level.

intercept

Protected

Server used to generate response failure pages.

kern

Syslog

Logging Facility.

load-share-mc

Appliance

Appliance is to be run in a load sharing environment using

multi-cast MAC addresses.

local0

Syslog

Logging Facility.

local1

Syslog

Logging Facility.

local2

Syslog

Logging Facility.

local3

Syslog

Logging Facility.

local4

Syslog

Logging Facility.

local5

Syslog

Logging Facility.

local6

Syslog

Logging Facility.

local7

Syslog

Logging Facility.

logging

Appliance, Portal, Protected

Disable this item.

none

Effectively disable this item.

Copyright 2014, Juniper Networks, Inc.

271

DDoS Secure CLI User Guide

Table 54: Fixed Value Formats (continued)

Parameter Values

Specific Area

Description

notice

Syslog

Logging Level.

notreported

Protected

Nothing is reported for traffic to this IP.

operator

User

User role that has full rights, apart from configuring users.

rx_only

Interfaces

Force flow control to only receive.

sso

User

User role that can only configure users.

standalone

Appliance

Webscreen is not part of an Active-Standby relationship.

standalone-nofs

Appliance

Appliance is not part of an Active-Standby relationship, and the

fail-safe card is to be disabled.

tx_only

Interfaces

Force flow control to only transmit.

user

Syslog

Logging Facility.

uucp

Syslog

Logging Facility.

warning

Syslog

Logging Level.

GeoIP, URL, DNS

Whitelist the item.

yes

Enable this item.

Unrestricted.

Related
Documentation

272

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

Copyright 2014, Juniper Networks, Inc.

APPENDIX B

Structured Syslog Details

Structured Syslog Description
DDoS Secure supports three different structured syslog formats: the legacy WebTrends
format (WELF), STRM format (LEEF), and ArcSight format (CEF). The format is selectable
under the structured syslog option of the GUI or the CLI.
Each message format consists of an Event ID field and a number of different parameters.
The message parameters for the different formats are described from Table 56 on page 275
through Table 60 on page 289 based on the type of event being reported.
Table 55 on page 273 describes the types of structured syslog messages.

Table 55: Structured Syslog Message Types

Message Type

Range

Description

Standard
Administration
Messages

1001 - 1xxx

Sent out as events happen.

Includes Health Check messages, sent out at 5-minute intervals, which contain
information about licensing usage.

Appliance Defense
States

2001 - 2xxx

Copyright 2014, Juniper Networks, Inc.

Reflects the status of the right pane as it turns red.

273

DDoS Secure CLI User Guide

Table 55: Structured Syslog Message Types (continued)

Message Type

Range

Description

Incidents

3001 - 3xxx

a. An Incident Active message is sent out when an attack exceeds threshold alert and
that has been ongoing for longer than the value of incidents threshold:
1.

From GUI -> Incident Alert Threshold

2. From CLI -> show threshold alert

3. From CLI -> show incidents
b. An Incident Active Update message is sent out periodically while the attack is active.
The frequency is determined by incidents logrefresh.
1.

From CLI -> show incidents

c. An Incident Active Complete message is sent out when the incident is either idle or
closed down because its lifetime has expired. If an attack is still active after the
incident is closed down and the conditions in Step i are met, a new incident with a
new incident ID is created.
d. An Incident Detail message is sent only if it is configured with the CLI command set
debugging incidentdetail yes (the default is no). Otherwise, only summary Incident
messages are sent.
e. An Incident Detail message includes the top 10 IPs, as well as a remaining entry
where the IP address is 0.0.0.0.
Worst Offenders

4001 - 4xxx

a. A Worst Offender Start message is created whenever an IP address is marked as

being a Worst Offender and exceeds threshold offenders.
1.

From CLI -> show threshold offenders

b. A Worst Offender Complete message is sent whenever an IP address is removed

from the Worst Offender list.
c. A Worst Offenders message is sent only if it is configured with the CLI command set
debugging worstoffenders yes (the default).
Temporary Black List

5001 - 5xxx

Thresholds are configurable for transitioning an IP address from Worst Offenders

(occasional packets dropped) to Temporary Black List (all packets dropped).
1.

From GUI -> Configure DDoS Secure

2. From CLI -> show appliance

a. A Temporary Black List Start message is created whenever an IP address is marked
as being a Temporary Black List IP. These are the IP addresses from which or to
which DDoS Secure does not allow traffic.
b. A Temporary Black List Update message is sent out periodically when the attack is
active. The frequency is determined by incidents logrefresh.
c. A Temporary Black List Complete message is sent whenever an IP address is removed
from the Temporary Black List list.
d. A Temporary Black List message is sent only if it is configured with the CLI command
set debugging autoblacklist yes (the default).
Permanent
White-List/Black-List

6001 - 6xxx

These messages are sent out every time there is a configuration file change that
affects the permanently defined white-list or black-list definitions.

These messages are sent out every hour.

Information for a definition is concatenated (comma separated) subject to a

maximum of 1,000 characters per record.

274

Information is continued in the next record.

Copyright 2014, Juniper Networks, Inc.

Appendix B: Structured Syslog Details

Event Types
Table 56 on page 275 through Table 60 on page 289 describe event types.

Table 56: Basic Events

Event ID

Event Name

Description

1001

User Login

User logs in to the system. Reports valid and failed login attempts.

1002

User Logout

User logs out of the system.

1003

Create User

User created on the system.

1004

Modify User

User updated on the system.

1005

Delete User

User deleted from the system.

1006

Power Off

System powered off.

1007

Reboot

System rebooted.

1008

DDoS Secure Engine Start

DDoS Secure engine directed to start.

1009

DDoS Secure Engine Restart

DDoS Secure engine directed to restart.

1010

DDoS Secure Engine Shutdown

DDoS Secure engine directed to shut down.

1011

Factory Reset

Factory reset occurred.

1012

Software Upgrade

Software upgraded.

1013

Configuration Changed

Configuration changed.

1014

Logging State

Logging state started.

1015

Logging State No Keep Alives

Logging state with no TCP keepalives started.

1016

Defending State

Defending state started.

1017

Defending State No Keep Alives

Defending state with no TCP keepalives started.

1018

IPMI

IPMI messages.

1019

Cover Intrusion Detected

Cover intrusion detected.

1020

Power Supply Failure

Power supply failure.

1021

Disk Write Error

Disk write error.

1022

Disk SMART Info

Disk SMART info received.

Copyright 2014, Juniper Networks, Inc.

275

DDoS Secure CLI User Guide

Table 56: Basic Events (continued)

Event ID

Event Name

Description

1023

Interface Restart

Internet or Protected interface restarted.

1024

HA State Standalone

High availability standalone state entered.

1025

HA State Active Standby

High availability active state entered.

1026

HA State Load Share

High availability load share state entered.

1027

HA State Activity Standby FS

High availability active standby with fail-safe state entered.

1028

Administrative Information

Administrative messages.

1029

SSL

SSL messages.

1030

Configuration

Configuration changes and updates.

1031

Dropped

Messages dropped because of heavy processing load.

1032

Debug

Debug information.

1033

Watchdog

Watchdog messages.

1034

Health Check

Health Check messages, including licensing usage information.

Table 57: Additional Status Events

Event ID

Event Name

Description

2001

Output Error Protected

The DDoS Secure appliance is having trouble transmitting packets

on the Protected interface. This might be caused by a
downstream link being saturated or a duplex speed mismatch.

2002

Output Error Internet

The DDoS Secure appliance is having trouble transmitting packets

on the Internet interface. This might be caused by a downstream
link being saturated or a duplex speed mismatch.

2003

Output Error Management

The DDoS Secure appliance is having trouble transmitting packets

on the Management interface. This might be caused by a
downstream link being saturated or a duplex speed mismatch.

2004

New Configuration

This is in response to the configuration being updated, potentially

by a remote Webscreen.

2005

Not Licensed

The DDoS Secure appliance is not authorized for use.

2006

MAC Table Full

The appliance has run out of internal table space for MAC
addresses. The oldest (by use) entry has been dropped.

276

Copyright 2014, Juniper Networks, Inc.

Appendix B: Structured Syslog Details

Table 57: Additional Status Events (continued)

Event ID

Event Name

Description

2007

Protected IP Table Full

The appliance has run out of internal table space for protected
IP addresses. This usually indicates that your Internet and
protected cable connections are swapped. If not, then your
appliance is trying to protect too many protected IPs and the
network topology needs to be reviewed, or a feature upgrade
should be purchased (if available).

2008

INCIDENT Table Full

The appliance has run out of internal table space for active
Incidents. The oldest (by use) entry has been dropped.

2009

TCP Table Full

The appliance has used all the internal table space for TCP
connections. The entries that are not required are removed to
create space for the next TCP connection. This should normally
happen only when defending against a large-scale attack.

2010

UDP Table Full

The appliance has used up all the internal table space for UDP
sessions. The entries that are not required are removed to create
space for the next UDP session. This should normally happen
only when defending against a large-scale attack.

2011

ICMP Table Full

The appliance has run out of internal table space for ICMP
sessions. This table size is deliberately restricted. The oldest (by
use) entry has been dropped. This should normally happen only
when defending against a large-scale attack.

2012

Other-IP Table Full

The appliance has used up all the internal table space for IP
protocol sessions. The entries that are not required are removed
to create space for the next IP protocol session. This should
normally happen only when defending against a large-scale
attack.

2013

FRAGMENT Table Full

The appliance has run out of internal table space for handling
fragments. This table size is deliberately restricted. The oldest
(by use) entry has been dropped.

2014

FTP Table Full

The appliance has used up all the internal table space for tracking
FTP connections. The entries that are not required are removed
to create space for the next FTP connection. This should normally
happen only when defending against a large-scale attack.

2015

Black-Listed IP Table Full

The appliance has used up all the internal space for tracking IP
addresses that are being temporarily black-listed. Any inactive
black-listed IP address will be removed from the list.

Copyright 2014, Juniper Networks, Inc.

277

DDoS Secure CLI User Guide

Table 57: Additional Status Events (continued)

Event ID

Event Name

Description

2016

Network Short Circuit

The DDoS Secure appliance has detected the same source MAC
address in use on both the I-I/F and P-I/F interfaces. Bypass
packets are not passed through the appliance when it is in
defensive mode. This means that there is either an alternative
data path around the appliance, or a topology change has placed
a previously determined MAC address on the opposite side of
the appliance. In the event of a topology change the cached entry
can be modified by configuring the MAC address as either an
Internet or a protected gateway; or if not configured, the MAC
will be allowed to change sides automatically after 5 seconds.

2017

Internet-I/F N/C

The Internet interface is not physically connected. This occurs

when the appliance is running as STANDBY in a VMware
environment.

2018

Protected-I/F N/C

The Protected interface is not physically connected.

2019

Management-I/F N/C

The Management interface is not physically connected.

2020

Upgrading

The DDoS Secure appliance is undergoing a software update.

2021

Rate Limit Table Full

The appliance has run out of internal table space for handling
rate limiters. You cannot create any new rate limiters until the
existing ones expire.

2022

Routing Loop

The DDoS Secure appliance has detected that a packet that has
just been passed through the appliance is now returning back
through the appliance. This usually indicates that two routers,
one on either side of the appliance, have incorrectly determined
that traffic needs to be redirected through the opposite router to
get to a specific IP address.

2023

Forced Inactive

The appliance has detected a network short circuit before the

system is licensed. Consequently, no more traffic will be passed
through until the bypass situation is sorted out and the appliance
is restarted.

2024

State Learning

For the first 5-minute after a reboot or a network cable being

plugged in, the DDoS Secure appliance bypasses State Table
rigorous checking, so that existing connections that are active
when the appliance becomes active are not blocked. Override
this 5-minute window by setting the appliance to DefendingNoStateLearn mode.

2025

Support Expired

The DDoS Secure appliance support license has expired.

2026

Sever Loading

The appliance has detected that some packets have been

dropped as a result of heavy loading. Logging activity has been
substantially reduced to minimize the further dropping of any
packets.

278

Copyright 2014, Juniper Networks, Inc.

Appendix B: Structured Syslog Details

Table 57: Additional Status Events (continued)

Event ID

Event Name

Description

2027

MAC Misconfigured

A MAC address has been defined as an Internet or Protected

address type, but the address has also been detected on the
opposite side of the DDoS Secure appliance. Correct this situation.

2028

Interface Speed Mismatch

On fail-safe systems, the interface speeds on the fail-safe card

are defined, or detected to be different, which will cause an issue
if the card becomes fail-safe.

2029

Internet Sub-Link Down

One of the links on the Internet interface is not physically

connected.

2030

Protected Sub-Link Down

One of the links on the Protected interface is not physically

connected.

2031

DataShare-I/F N/C

The Data Share interface is not physically connected, and has

an IP address configured.

2032

Disk Failure

One of the disks has failed a SMART test and should be replaced
as soon as possible.

2033

PSU Failure

The system BIOS is reporting that one of the redundant power

supplies is not working or not powered up. This situation needs
to be rectified as soon as possible to prevent the appliance from
losing power should the working PSU fail.

2034

Fan Failure

The system BIOS is reporting that there has been a fan failure,
or that the appliance is running in a hot environment. This needs
to be repaired as a soon as possible to prevent hardware
component failure.

2035

Config Transfer Failed

The DDoS Secure appliance was unable to transmit the

configuration file changes to a partner.

2036

Missing Partner

A State Synchronization partner defined as required is not

available. The DDoS Secure appliance is running in a degraded
state, where all DDoS activity will not be detected and protected
against.

2037

BGP Misconfigured

The DDoS Secure appliance has detected a BGP session but the
server is excluded by the DDoS Secure appliance portal network
list.

2038

Missing State Packets

The DDoS Secure appliance has detected that some state

synchronization packets were not received.

Table 58: Incident Events

Event ID

Event Name

Description

3001

Bandwidth

Bandwidth rate exceeded for MAC address, portal, or filter.

Copyright 2014, Juniper Networks, Inc.

279

DDoS Secure CLI User Guide

Table 58: Incident Events (continued)

Event ID

Event Name

Description

3002

Packet Rate

Packet rate exceeded for MAC address, portal, or filter. The

appliance has detected high rates of small packets.

3003

Blocked Protocol Black-Listed

This IP address has been black-listed, because it is has been

defined as part of a black-listed network.

3004

Blocked Protocol Icmp Type

No filters match for this ICMP packet.

3005

Blocked Protocol Port

No filters match for this destination port.

3006

Blocked Protocol Other Proto

No filters match for this protocol type.

3007

Not Passed Thru Runt Packet

Undersized packet has been dropped.

3008

Unknown Session Icmp

Response

ICMP response packet has no matching ICMP request in the state

table.

3009

Unknown Session Icmp Diag

Response

ICMP diagnostic response packet does not match a state table

entry for the respective IP protocol.

3010

Unknown Session No State

TCP packet has no state table entry and is not a SYN packet.

3011

Unknown Session Invalid State

TCP packet has a state table entry, but packet is out of state.

3012

TCP Attack RST

RST packet has invalid sequence number.

3013

IP Attack Land

Source and destination IP addresses are equal.

3014

TCP Attack Syn-Ack Timeout

The client IP did not complete the TCP connection.

3015

Block Protocol Black-Listed

Country

Traffic to or from a country has been blocked, because the country

is black-listed.

3016

TCP Attack Syn Flood

The protected IP is receiving SYN packets at a rate higher than

it is configured for or can handle.

3017

TCP Attack Connection Flood

The protected IP has reached its concurrent connection

configured limit.

3018

TCP Attack Table Full

Internal state table for TCP connections is being CHARM

protected.

3019

Bad TCP Packet Fast Repeat

Ack

Identical packets containing ACKs are being repeated at a rate

of greater than 10 per second.

3020

TCP Attack HTTP Flood

The protected IP has reached its concurrent GET/HEAD

configured limit.

3021

UDP Attack Table Full

Internal state table for UDP information is full.

280

Copyright 2014, Juniper Networks, Inc.

Appendix B: Structured Syslog Details

Table 58: Incident Events (continued)

Event ID

Event Name

Description

3022

Not Passed Thru Pause Frame

Ethernet pause frame has been dropped.

3023

TCP Attack HTTP Timeout

The protected IP did not respond to a GET/HEAD request in a

timely manner.

3024

ICMP Attack Repeats

ICMP packets being repeated at a rate of more than 40 per

second.

3025

ICMP Attack Table Full

Internal state table for ICMP is being CHARM protected.

3026

Not Passed Thru State Sync

State Synchronization packets are being processed but not

passed through.

3027

Other-IP Attack Table Full

Internal state table for Other Ips is being CHARM protected.

3028

Not Passed Thru State Sync

Sent

State Synchronization packets are being processed but not

passed through.

3029

Fragment Attack Ping of Death

Assembled packet is longer than 65,535 bytes.

3030

Fragment Attack Header

Overlay

Fragment start overlays protocol header.

3031

Fragment Attack Table Full

Internal state table for fragments is being CHARM protected.

3032

Fragment Attack Small Size

Initial TCP fragment is smaller than header.

3033

Fragment Attack No Fragments

allowed

No fragmented packets are allowed to or from this protected IP.

3034

Bad IP Packet Invalid Source

Address

IP packet has invalid source address.

3035

Bad IP Packet Broken Header

IP header malformed RFC non-compliant.

3036

Bad IP Packet Invalid Option

IP packet has invalid option field or field length.

3037

Bad IP Packet Size Mismatch

IP packet has invalid field length.

3038

Blocked Protocol Temp

Black-Listed

This IP address has been temporarily black-listed because of its

aggressive behavior.

3039

Bad TCP Packet Flags

Invalid TCP flags combinations.

3040

Bad TCP Packet Malformed

Format of TCP header invalid.

3041

Bad TCP Packet Option

Invalid TCP option field.

Copyright 2014, Juniper Networks, Inc.

281

DDoS Secure CLI User Guide

Table 58: Incident Events (continued)

Event ID

Event Name

Description

3042

Blocked Protocol Black-Listed

DNS

DNS query has been black-listed.

3043

Bad UDP Packet No data

UDP packet contains no data.

3044

Bad UDP Packet Malformed

UDP header malformed.

3045

Blocked Protocol Black-Listed

AS number has been black-listed.

3046

TCP Attack HTTP Rate Flood

The protected IP is receiving GET requests at a rate higher than

it is configured for.

3047

Bad ICMP Packet Malformed

ICMP header malformed.

3048

Blocked Protocol Black-Listed

URL

URL request has been black-listed.

3049

Not Passed Thru Unexpected

Interface

Received packet came in over an unexpected interface, so it was

not passed on.

3050

Bad O-IP Packet Protocol

Invalid IP protocol number.

3051

Bad O-IP Packet Length

IP packet is too short to contain the IP protocol header.

3052

TCP Attack HTTP Req

Incomplete

The HTTP GET request was never completed.

3053

Overloaded IP Stall

The protected IP has stopped responding to anything.

3054

Fragment Attack Timeout

Not all fragments seen.

3055

Fragment Attack Repeats

ICMP packets being repeated at a rate of more than 40 per

second.

3056

Fragment Attack Bad Length

Invalid fragment length in IP header.

3057

Not Passed Thru Keep-Alive

Response

TCP response packet to internally generated keepalive probe

packet has been dropped.

3058

Not Passed Thru MAC Table

Overflow

Internal table for MAC addresses is full. Oldest entry has been
expired.

3059

Not Passed Thru Packet To Us

Packet sent to an Internet or a protected interface MAC address.

3060

Not Passed Thru Packet From

Packet sent by someone pretending to be an Internet or a

protected interface using their MAC address.

282

Copyright 2014, Juniper Networks, Inc.

Appendix B: Structured Syslog Details

Table 58: Incident Events (continued)

Event ID

Event Name

Description

3061

Not Passed Thru Short Circuit

Active

The same (source) MAC address has been seen on both sides of
the DDoS Secure appliance.

3062

Not Passed Thru Same Side

The source and destination MAC address both reside on the same
side of the DDoS Secure appliance.

3063

Not Passed Thru Probe State

Failover is in the probe state, so no traffic is passing through yet.

3064

Not Passed Thru Standby State

Failover is in the standby state traffic flows through other DDoS

Secure appliance.

3065

Not Passed Thru Out Of Service

State

The DDoS Secure appliance processing engine is not currently

running.

3066

Not Passed Thru Deactivated

DDoS Secure appliance has detected an error and has disabled

the passing of any traffic.

3067

Not Passed Thru HeartBeat

Failover heartbeat is never passed through a DDoS Secure

appliance.

3068

Overloaded IP Backlog

The protected IP cannot keep up with new TCP connection

requests.

3069

Blocked Protocol Undefined

Protected IP

Invalid Protected IP not within the valid list of IPs.

3070

TCP Attack No Data Xfer

No data in either direction was transferred on the TCP connection.

The connection was just opened and then closed.

3071

TCP Attack No Server Data Xfer

A webserver did not respond to a GET request.

3072

TCP Attack Connection Rate

Flood

The protected IP is receiving GET requests at a rate higher than

it is configured for.

3073

Overloaded IP Threads

The protected IP has stopped responding to new TCP requests.

3074

Bad IP Packet Reflected Route

IP packet is being reflected off a router same packet is passed

both ways through the DDoS Secure appliance. Informational
only.

3075

Not Passed Thru BPDU Packet

Failover mode does not allow through Spanning Tree packets.

3076

Not Passed Thru Direction

Unknown

Logging-Tap only. MAC address not learned yet.

3077

Not Passed Thru MAC

Misconfigured

A MAC address has been configured for one side of the DDoS
Secure appliance, but this packet with this source MAC address
has been seen on the other side of the DDoS Secure appliance.

3078

TCP Attack Port Scan

A potential port scan was detected.

283

DDoS Secure CLI User Guide

Table 58: Incident Events (continued)

Event ID

Event Name

Description

3079

TCP Attack Small Window

Client has closed TCP window.

3080

TCP Attack Client Abort

Client aborted connection after request.

3081

Not Passed Thru Generated

Response

This is a response packet to a DDoS Secure generated request

and is being dropped. Example is the generation of a TCP
keepalive packet.

3082

Blocked Protocol Blocked SIP

SIP request has been black-listed.

3083

TCP Attack URL Rate Limited

DDoS Secure is rate-limiting traffic requesting this URL.

3084

UDP Attack DNS Rate Limited

DDoS Secure is rate-limiting traffic requesting this DNS query.

3085

UDP Attack SIP Rate Limited

DDoS Secure is rate-limiting traffic requesting this SIP.

3086

Bad TCP Packet CheckSum

The TCP packet has an invalid checksum.

3087

TCP Attack HTTP format

The format of the HTTP request is illegal.

3088

Unknown Session Reflective

Attack

Defending against a reflective attack where a protected IP is the

target.

Table 59: Worst Offenders

Event ID

Event Name

Description

4001

Bandwidth

Bandwidth rate exceeded for MAC address, portal, or filter.

4002

Packet Rate

Packet rate exceeded for MAC address, portal, or filter. The

appliance has detected high rates of small packets.

4003

Blocked Protocol Black-Listed

This IP address has been black-listed, because it is has been

defined as part of a black-listed network.

4004

Blocked Protocol Icmp Type

No filters match for this ICMP packet.

4005

Blocked Protocol Port

No filters match for this destination port.

4006

Blocked Protocol Other Proto

No filters match for this protocol type.

4007

Not Passed Thru Runt Packet

Undersized packet has been dropped.

4008

Unknown Session Icmp

Response

ICMP response packet has no matching ICMP request in the state

table.

4009

Unknown Session Icmp Diag

Response

ICMP diagnostic response packet does not match a state table

entry for the respective IP protocol.

284

Appendix B: Structured Syslog Details

Table 59: Worst Offenders (continued)

Event ID

Event Name

Description

4010

Unknown Session No State

TCP packet has no state table entry and is not a SYN packet.

4011

Unknown Session Invalid State

TCP packet has a state table entry, but packet is out of state.

4012

TCP Attack RST

RST packet has invalid sequence number.

4013

IP Attack Land

Source and destination IP addresses are equal.

4014

TCP Attack Syn-Ack Timeout

The client IP did not complete the TCP connection.

4015

Blocked Protocol Country

Black-Listed

Traffic to or from a country has been blocked, because the country

is black-listed.

4016

TCP Attack Syn Flood

The protected IP is receiving SYN packets at a rate higher than

it is configured for or can handle.

4017

TCP Attack Connection Flood

The protected IP has reached its concurrent connection

configured limit.

4018

TCP Attack Table Full

Internal state table for TCP connections is being CHARM

protected.

4019

Bad TCP Packet Fast Repeat

Ack

Identical packets containing ACKs are being repeated at a rate

of greater than 10 per second.

4020

TCP Attack HTTP Flood

The protected IP has reached its concurrent GET/HEAD

configured limit.

4021

UDP Attack Table Full

Internal state table for UDP information is full.

4022

Not Passed Thru Pause Frame

Ethernet pause frame has been dropped.

4023

TCP Attack HTTP Timeout

The protected IP did not respond to a GET/HEAD request in a

timely manner.

4024

ICMP Attack Repeats

ICMP packets being repeated at a rate of more than 40 per

second.

4025

ICMP Attack Table Full

Internal state table for ICMP is being CHARM protected.

4026

Not Passed Thru State Sync

State synchronization packets are being processed but not

passed through.

4027

Other-IP Attack Table Full

Internal state table for Other IPs is being CHARM protected.

4028

Not Passed Thru State Sync

Sent

State synchronization packets are being processed but not

passed through.

4029

Fragment Attack Ping of Death

Assembled packet is longer than 65,535 bytes.

285

DDoS Secure CLI User Guide

Table 59: Worst Offenders (continued)

Event ID

Event Name

Description

4030

Fragment Attack Header

Overlay

Fragment start overlays protocol header.

4031

Fragment Attack Table Full

Internal state table for fragments is being CHARM protected.

4032

Fragment Attack Small Size

Initial TCP fragment is smaller than header.

4033

Fragment Attack No Fragments

allowed

No fragmented packets are allowed to or from this protected IP.

4034

Bad IP Packet Invalid Source

Address

IP packet has invalid source address.

4035

Bad IP Packet Broken Header

IP header malformed - RFC non-compliant.

4036

Bad IP Packet Invalid Option

IP packet has invalid option field or field length.

4037

Bad IP Packet Size Mismatch

IP packet has invalid field length.

4038

Blocked Protocol Temp

Black-Listed

This IP address has been temporarily black-listed because of its

aggressive behavior.

4039

Bad TCP Packet Flags

Invalid TCP flags combinations.

4040

Bad TCP Packet Malformed

Format of TCP header invalid.

4041

Bad TCP Packet Option

Invalid TCP option field.

4042

Blocked Protocol Black-Listed

DNS

DNS query has been black-listed.

4043

Bad UDP Packet No data

UDP packet contains no data.

4044

Bad UDP Packet Malformed

UDP header malformed.

4045

Blocked Protocol Black-Listed

AS number has been black-listed.

4046

TCP Attack HTTP Rate Flood

The protected IP is receiving GET requests at a rate higher than

it is configured for.

4047

Bad ICMP Packet Malformed

ICMP header malformed.

4048

Blocked Protocol Black-Listed

URL

URL request has been black-listed.

4049

Not Passed Thru Unexpected

Interface

Received packet came in over an unexpected interface, so it was

not passed on.

286

Appendix B: Structured Syslog Details

Table 59: Worst Offenders (continued)

Event ID

Event Name

Description

4050

Bad O-IP Packet Protocol

Invalid IP protocol number.

4051

Bad O-IP Packet Length

IP packet is too short to contain the IP protocol header.

4052

TCP Attack HTTP Req

Incomplete

The HTTP GET request was never completed.

4053

Overloaded IP Stall

The protected IP has stopped responding to anything.

4054

Fragment Attack Timeout

Not all fragments seen.

4055

Fragment Attack Repeats

ICMP packets being repeated at a rate of more than 40 per

second.

4056

Fragment Attack Bad Length

Invalid fragment length in IP header.

4057

Not Passed Thru Keep-Alive

Response

TCP response packet to internally generated keepalive probe

packet has been dropped.

4058

Not Passed Thru MAC Table

Overflow

Internal table for MAC addresses is full. Oldest entry has been
expired.

4059

Not Passed Thru Packet To Us

Packet sent to Internet or protected interface MAC address.

4060

Not Passed Thru Packet From

Packet sent by someone pretending to be an Internet or a

protected interface using their MAC address.

4061

Not Passed Thru Short Circuit

Active

The same (source) MAC address has been seen on both sides of
the DDoS Secure appliance.

4062

Not Passed Thru Same Side

The source and destination MAC address both reside on the same
side of the DDoS Secure appliance.

4063

Not Passed Thru Probe State

Failover is in the probe state, so no traffic passing through yet.

4064

Not Passed Thru Standby State

Failover is in the standby state traffic flows through the other

DDoS Secure appliance.

4065

Not Passed Thru Out Of Service

State

The DDoS Secure appliance processing engine is not currently

running.

4066

Not Passed Thru Deactivated

DDoS Secure appliance has detected an error and has disabled

the passing of any traffic.

4067

Not Passed Thru HeartBeat

Failover heartbeat is never passed through a DDoS Secure

appliance.

4068

Overloaded IP Backlog

The protected IP cannot keep up with new TCP connection

requests.

287

DDoS Secure CLI User Guide

Table 59: Worst Offenders (continued)

Event ID

Event Name

Description

4069

Blocked Protocol Undefined

Protected IP

Invalid protected IPnot in the valid list of IPs.

4070

TCP Attack No Data Xfer

No data in either direction was transferred on the TCP connection.

The connection was just opened and then closed.

4071

TCP Attack No Server Data Xfer

A webserver did not respond to a GET request.

4072

TCP Attack Connection Rate

Flood

The protected IP is receiving GET requests at a rate higher than

it is configured for.

4073

Overloaded IP Threads

The protected IP has stopped responding to new TCP requests.

4074

Bad IP Packet Reflected Route

IP packet is being reflected off a router - same packet is passed

both ways through the DDoS Secure appliance. Informational
only.

4075

Not Passed Thru BPDU Packet

Failover mode does not allow through spanning tree packets.

4076

Not Passed Thru Direction

Unknown

Logging-Tap only. MAC address not learned yet.

4077

Not Passed Thru MAC

Misconfigured

A MAC address has been configured for one side of the DDoS
Secure appliance, but this packet with this source MAC address
has been seen on the other side of the DDoS Secure appliance.

4078

TCP Attack Port Scan

A potential port scan was detected.

4079

TCP Attack Small Window

Client has closed TCP window.

4080

TCP Attack Client Abort

Client aborted connection after request.

4081

Not Passed Thru Generated

Response

This is a response packet to a DDoS Secure generated request

and is being dropped. Example is the generation of a TCP
keepalive packet.

4082

Blocked Protocol Blocked SIP

SIP request has been black-listed.

4083

TCP Attack URL Rate Limited

DDoS Secure is rate-limiting traffic requesting this URL.

4084

UDP Attack DNS Rate Limited

DDoS Secure is rate-limiting traffic requesting this DNS query.

4085

UDP Attack SIP Rate Limited

DDoS Secure is rate-limiting traffic requesting this SIP.

4086

Bad TCP Packet CheckSum

The TCP packet has an invalid checksum.

4087

TCP Attack HTTP format

The format of the HTTP request is illegal.

288

Appendix B: Structured Syslog Details

Table 59: Worst Offenders (continued)

Event ID

Event Name

Description

4088

Unknown Session Reflective

Attack

Defending against a reflective attack where a protected IP is the

target.

Table 60: Temporary Black-List

Event ID

Event Name

Description

5002

Exceeded URI GET Request Rate

Worst Offender IP is temporarily black-listed, because it exceeds

show appliance autoblockgetrate.

5003

Exceeds SYN + RST + F2D Count

Worst Offender IP is temporarily black-listed, because it exceeds

show appliance autoblocksynrst.

5004

GUI Request

The user elected to temporarily black-list this IP address.

5005

Exceeded Fragmented Packets

Timeout Rate

Worst Offender IP is temporarily black-listed, because it exceeds

show appliance autoblockfragrate.

5006

Exceeded Irritant Rate

Worst Offender IP is temporarily black-listed, because it exceeds

show appliance autoblockratet1.

5007

Exceeded Resource Consumption

Rate

Worst Offender IP is temporarily black-listed, because it exceeds

show appliance autoblockgratet2.

Table 61: Permanent White-List/Black-List

Event ID

Event Name

Description

6001

Black List IP(s)

IP addresses that are permanently black-listed.

6002

White List IP(s)

IP addresses that are permanently white-listed.

6003

Preferred List IP(s)

IP addresses that are permanently preferred listed (gets a CHARM

boost).

6004

White No Log List IP(s)

IP addresses that are permanently white-listed but activity is not

logged.

6005

No Auto Black List List IP(s)

IP addresses that are permanently flagged as not being allowed

to become temporarily black-listed.

6006

Country Allow List IP(s)

IP addresses that are allowed to override any country black-list.

6007

MegaProxy List IP(s)

IP addresses that are defined as proxy servers.

6008

Default Charm List IP(s)

IP addresses that are defined as permanently having the default

CHARM score.

6009

Black List AS#

AS numbers that are to be black-listed.

289

DDoS Secure CLI User Guide

Table 61: Permanent White-List/Black-List (continued)

Event ID

Event Name

Description

6010

Black List Country

Countries that are to be black-listed.

6011

Preferred Country

Countries that are on the permanently Preferred list (gets a

CHARM boost).

LEEF Extensions
Table 62 on page 290 describes the supported LEEF extensions parameter.

Table 62: LEEF Extensions Parameter

Name

Description

Attribute Type

Attribute Limits

action

Action mentioned in the event.

For the DDoS Secure
appliance, it indicates DROP
or NOTIFY.

String

cat

The device event category. For

the DDoS Secure appliance, it
indicates the type of incident
message. The values are
START, END, or ONGOING.

String

1023

CurrentPps

The current packets per

seconds (PPS) that are being
observed.

Integer

0 to 4294967295

desc

Description of the event ID.

String

255

devTime

The time when event started.

Timestamp

devTimeFormat

Specifies the format of the

time.

String

dir

Indicates the direction that the

packets are flowing. 0 ==
Inbound.

0 or 1

dst

The IP address of the event

destination.

IPv4 or IPv6 address

dstPort

The destination port of the

event.

Integer

0 to 65535

end

Time the event finishes.

String

255

290

Appendix B: Structured Syslog Details

Table 62: LEEF Extensions Parameter (continued)

Name

Description

Attribute Type

Attribute Limits

entity

The zone category of incident

that is being reported. This
provides information on what
zone the incident was
detected in. The choices are
MAC, IP, PORTAL, FILTER,
URL, DNS, SIP, BLACKLIST.

String

255

Incident ID.

String

255

identSrc

The source IP address of an

event. This will be included if
identHostName is included.

IPv4 or IPv6 address

identHostName

The host name of the source.

This will be used to specify the
TEID of a source.

String

255

msg

Associated message

String

255

myip

The IP address of the DDoS

Integer

1-10

src

The IP address of the event

source.

IPv4 or IPv6 address

291

DDoS Secure CLI User Guide

Table 62: LEEF Extensions Parameter (continued)

Name

Description

Attribute Type

Attribute Limits

srcPort

The source port of the event.

Integer

0 to 65535

totalPackets

The number of packets that

This is set to CurrentPps to
indicate that the cn1 field is the
current PPS.

String

cn2

Custom field for DDoS Secure.

cn2Label is set to PeakPps to
indicate that this field is the
peak PPS.

Integer

292

0 to 4294967295

Appendix B: Structured Syslog Details

Table 63: Arcsight Extensions Parameter (continued)

Name

Description

Attribute Type

cn2Label

Custom field for DDoS Secure.

This is set to PeakPps to
indicate that the cn2 field is
the peak PPS.

String

cn3

Custom field for DDoS Secure.

cn3Label is set to PeakBps to
indicate that this field is the
peak bytes per second (Bps)
that are being observed.

Integer

cn3Label

device.

IPv6 address

c6a2Label

Set to SrcIP to indicate that

c6a2 is the IPv6 source
address.

c6a3

The destination IPv6 address

of a device.

c6a3Label

Set to DstIP to indicate that

c6a3 is the IPv6 destination
address.

Attribute Limits

0 to 4294967295

IPv6 address

293

DDoS Secure CLI User Guide

Table 63: Arcsight Extensions Parameter (continued)

Name

Description

Attribute Type

Attribute Limits

deviceDirection

Indicates the direction that the

packets are flowing.

0 or 1

deviceFacility

The syslog facility generating

this event.

String

255

dpt

The destination port of the

event.

information on why the
request was blocked.

String

255

spt

The source port of the event.

Integer

0 to 65535

src

The IP address of the event

source.

IPv4 Address

start

The time when the event

started.

Time Stamp

255

LEEF Message Format

Apr 7 17:58:34 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2a|
4084|desc=UDP Attack - DNS Rate Limited sev=4 proto=UDP
scrPort=21252 dstPort=53 src=37.60.61.86 dst=111.91.237.115 cat=END
devTime=2014-04-07 17:58:32 devTimeFormat=yyyy-MM-dd HH:mm:ss

296

Appendix B: Structured Syslog Details

CurrentPps=331 PeakPps=331 totalPackets=663 realm=-Generalaction=DROP

Temporary Black-List Messages

Temporary Black List Message Start Message
CEF Message Format
Apr 7 17:55:48 ws_192_168_0_189 CEF: 0|Juniper|DDoS Secure|5.13.2-2a|
5003|Exceeds SYN + RST + F2D Count|7|src=190.57.152.142
dst=255.255.255.255 proto=TCP spt=3536 dpt=5000 cat=START start=Apr 07 2014
17:55:47 cn1=100 cn1Label=CurrentPps cn2=100 cn2Label=PeakPps cn3=58904
cn3Label=PeakBps cnt=200 duser=-General- act=DROP

LEEF Message Format

Apr 7 17:59:04 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2a|
5007|desc=Exceeded Resource Consumption Rate sev=7 proto=UDP
scrPort=31254 dstPort=53 src=37.60.61.86 dst=255.255.255.255 cat=START
devTime=2014-04-07 17:59:02 devTimeFormat=yyyy-MM-dd HH:mm:ss
CurrentPps=382 PeakPps=382 PeakBps=247256 totalPackets=764 realm=General- action=DROP

Temporary Black List Message End Message

CEF Message Format
Apr 7 17:56:18 ws_192_168_0_189 CEF: 0|Juniper|DDoS Secure|5.13.2-2a|
5007|Exceeded Resource Consumption Rate|6|src=37.60.61.86
dst=255.255.255.255 proto=UDP spt=60183 dpt=53 cat=END start=Apr 07 2014
17:55:44 end=Apr 07 2014 17:55:47 cn1=0 cn1Label=CurrentPps cn2=508
cn2Label=PeakPps cn3=328840 cn3Label=PeakBps cnt=1674 duser=-General-act=DROP

LEEF Message Format

Apr 7 17:59:35 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2a|
5007|desc=Exceeded Resource Consumption Rate sev=6 proto=UDP
scrPort=60183 dstPort=53 src=37.60.61.86 dst=255.255.255.255 cat=END
devTime=2014-04-07 17:59:02 devTimeFormat=yyyy-MM-dd HH:mm:ss
CurrentPps=0 PeakPps=382 PeakBps=247256 totalPackets=891 realm=General- action=DROP

Permanent Black-List/White-List Messages

LEEF Message Format

297

DDoS Secure CLI User Guide

Apr 7 17:59:08 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2a|

6002|desc=White List IP(s) sev=4 id=1396889947 catmsg=1.2.3.5,4.5.6.0/24

Multiline example:
Apr 17 17:12:45 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2d|
6001|desc=Black List IP(s) sev=4 id=1397751165 msg=1.2.3.6/31,1.100.100.1,
1.100.101.1,1.100.102.1,1.100.103.1,1.100.104.1,1.100.105.1,1.100.106.1,1.100.107.1,
1.100.108.1,1.100.109.1,1.100.110.1,1.100.111.1,1.100.112.1,1.100.113.1,1.100.114.1,
1.100.115.1,1.100.116.1,1.100.117.1,1.100.118.1,1.100.119.1,1.100.120.1,1.100.121.1,
1.100.122.1,1.100.123.1,1.100.124.1,1.100.125.1,1.100.126.1,1.100.127.1,1.100.128.1,
1.100.129.1,1.100.130.1,1.100.131.1,1.100.132.1,1.100.133.1,1.100.134.1,1.100.135.1,
1.100.136.1,1.100.137.1,1.100.138.1,1.100.13139.1,1.100.140.1,1.100.141.1,1.100.142.1,
1.100.143.1,1.100.144.1,1.100.145.1,1.100.146.1,1.100.147.1,1.100.148.1,1.100.149.1,
1.100.150.1,1.100.151.1,1.100.152.1,1.100.153.1,1.100.154.1,1.100.155.1,1.100.156.1,
1.100.157.1,1.100.158.1,1.100.159.1,1.100.160.1,1.100.161.1,1.100.162.1,1.100.163.1,
1.100.164.1,1.100.165.1,1.100.166.1,1.100.167.1,1.100.168.1,1.100.169.1,1.100.170.1,
1.100.171.1,1.100.172.1,1.100.173.1
Apr 17 17:12:45 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2d|
6001|desc=Black List IP(s) sev=4 id=1397751165 msg=1.100.174.1,1.100.175.1,
1.100.176.1,1.100.177.1,1.100.178.1,1.100.179.1,1.100.180.1,
1.100.181.1,1.100.182.1,1.100.183.1,1.100.184.1,1.100.185.1,1.100.186.1,
1.100.187.1,1.100.188.1,1.100.189.1,1.100.190.1,1.100.191.1,1.100.192.1,1.100.193.1,
1.100.194.1,1.100.195.1,1.100.196.1,1.100.197.1,1.100.198.1,1.100.199.1,1.100.200.1,
1.100.201.1,1.100.202.1,1.100.203.1,1.100.204.1,1.100.205.1,1.100.206.1,1.100.207.1,
1.100.208.1,1.100.209.1,1.100.210.1,1.100.211.1,1.100.212.1,1.100.213.1,1.100.214.1,
1.100.215.1,1.100.216.1,1.100.217.1,1.100.218.1,1.100.219.1,1.100.220.1,1.100.221.1,
1.100.222.1,1.100.223.1,1.100.224.1,1.100.225.1,1.100.226.1,1.100.227.1,1.100.228.1,
1.100.229.1,1.100.230.1,1.100.231.1,1.100.232.1,1.100.233.1,1.100.234.1,1.100.235.1,
1.100.236.1,1.100.237.1,1.100.238.1,1.100.239.1,1.100.240.1,1.100.241.1,1.100.242.1,
1.100.243.1,1.100.244.1,1.100.245.1,1.100.246.1,1.100.247.1,1.100.248.1
Apr 17 17:12:45 ws_192_168_0_189 LEEF: 1.0|Juniper|DDoS Secure|5.13.2-2d|
6001|desc=Black List IP(s) sev=4 id=1397751165 msg=1.100.249.1,1.100.250.1,
1.100.251.1,1.100.252.1,1.100.253.1,1.100.254.1,1.100.255.1,4.5.6.7

Related
Documentation

298

Starting a CLI Session on page 5

Navigating Through the CLI on page 7

Changing the Configuration Using the CLI on page 8

APPENDIX C

DDoS Secure Appliance TCP States

Understanding TCP States on page 299

Understanding TCP States

Table 64 on page 299 provides the details of TCP states held by DDoS Secure appliance
during operation. The parameters correspond approximately to the standard states held
by a conventional TCP device, but are subdivided due to the unique method of handling
connections by the appliance.

Table 64: TCP Status Details

Parameter

Description

SYN

Client has sent a SYN.

SPF

Client has sent a SYN to an internally filtered port.

SIF

Client has sent a SYN to an internally filtered IP address.

S-A

Server has responded with SYN-ACK.

S-S

Client and server SYN.

ACK

Connection established, but no data from client or server.

P-A

Client sent data, server did not acknowledged any data.

GET

Currently processing an HTTP GET/HEAD/POST request.

EST

Connection established, data is flowing.

F1S

Internet has sent a FIN.

F2S

Protected ACKd FIN.

F3S

Internet sent FIN, protected ACKd FIN and has sent its own FIN.

F-F

Internet and protected sent FIN, but neither ACKd FIN.

299

DDoS Secure CLI User Guide

Table 64: TCP Status Details (continued)

Parameter

Description

F1D

Protected has sent a FIN.

F2D

Internet has ACKd FIN.

F3D

Protected sent FIN, Internet ACKd FIN and sent its own FIN.

CLS

Closed (All FINs ACKd).

RST

RESET (either end) to SYN.

R-C

RESET (either end) to force session close.

UNK

Session in unknown state.

GETs

Count of connections processing a GET/HEAD request.

Related
Documentation

300

Understanding ICMP Types on page 301

Understanding Index Attack Types on page 303

APPENDIX D

ICMP Types

Understanding ICMP Types on page 301

Understanding ICMP Types

Table 65 on page 301 provides ICMPv4 details.

Table 65: ICMPv4 Details

Parameter

Description

Echo Reply

Destination Unreachable

Source Quench

Redirect (change route)

Echo Request

Time Exceeded

Parameter Problem

Timestamp Request

Timestamp Reply

Information Request

Information Reply

Address Mask Request

Address Mask Reply

Table 66 on page 302 provides ICMPv6 details.

301

DDoS Secure CLI User Guide

Table 66: ICMPv6 Details

Related
Documentation

302

Parameter

Description

Destination Unreachable

Packet Too Big

Time Exceeded

Parameter Problem

Echo Request

128

Echo Reply

129

Group Membership Query

130

Group Membership Reply

131

Group Membership
Reduction

132

Router Solicitation

133

Router Advertisement

134

Neighbor Solicitation

135

Neighbor Advertisement

136

Redirect

137

Understanding TCP States on page 299

Understanding Index Attack Types on page 303

APPENDIX E

Incident (Attack) Types

Understanding Index Attack Types on page 303

Understanding Index Attack Types

Table 67 on page 303 provides type code details.

Table 67: Type Code Details

Field

Description

-2

Recorded in auto black-list.

-1

Packets not dropped, not recorded in worst offenders.

Not recorded in worst offenders.

Irritant attacks used by worst offenders and auto black-list.

Resource consuming attacks used by worst offenders and auto black-list.

Table 68 on page 303 provides attack type code details.

Table 68: Attack Type Details

Attack Type

Type

Details

Bad ICMP Packet Malformed

ICMP header malformed (length, options, and so on).

Bad IP Packet - Broken Header

IP address header malformed RFC non-compliant.

Bad IP Packet - Invalid Option

IP address packet has invalid option field or field length.

Bad IP Packet - Invalid Source Address

IP address packet has invalid source address.

Bad IP Packet - Reflected Route

-1

IP address packet is being reflected off a router same packet

is passed both ways through the DDoS Secure appliance.
Informational only.

Bad IP Packet - Size Mismatch

IP address packet has invalid field length.

303

DDoS Secure CLI User Guide

Table 68: Attack Type Details (continued)

Attack Type

Type

Details

Bad O-IP Packet - Length

IP address packet too short to contain IP address protocol

header.

Bad O-IP Packet - Protocol

Invalid IP address protocol number.

Bad TCP Packet - Fast Repeat Ack

Identical packets containing ACKs are being repeated at a rate

of greater than 10 per second.

Bad TCP Packet - Flags

Invalid TCP flag combinations.

Bad TCP Packet - Malformed

Format of TCP header invalid.

Bad TCP Packet - Option

Invalid TCP option field.

Bad UDP Packet - Malformed

UDP header malformed.

Bad UDP Packet - No data

UDP packet contains no data.

Bandwidth - Rate Limited

Bandwidth rate exceeded for MAC address/portal/filter.

Blocked Protocol Black-Listed

This IP address is black-listed as it is part of a black-listed

network.

Blocked Protocol Black-Listed AS

AS is blocked.

Blocked Protocol Black-Listed DNS

DNS query is blocked.

Blocked Protocol - Black-Listed SIP

SIP request is blocked.

Blocked Protocol Black-Listed URL

URL request is blocked.

Blocked Protocol Country Black-Listed

Traffic to and from country is blocked.

Blocked Protocol - Icmp Type

No filters match for this ICMP packet.

Blocked Protocol Other Proto

No filters match for this protocol type.

Blocked Protocol - Port

No filter match for this destination port.

Blocked Protocol Temp Black-Listed

-2

This IP address is temporarily black-listed.

Blocked ProtocolUndefined protected

Traffic to or from an address that is not defined as a protected

IP address.

Fragment Attack - Bad Length

Invalid fragment length in IP address header.

Fragment Attack - Header Overlay

Fragment start overlays protocol header.

304

Appendix E: Incident (Attack) Types

Table 68: Attack Type Details (continued)

Attack Type

Type

Details

Fragment Attack - No Fragments

allowed

Fragmentation is disabled in the filter.

Fragment Attack - Ping of Death

Assembled packet is longer than 65,535 bytes.

Fragment Attack Repeats

Same fragment is sent again.

Fragment Attack Small Size

Initial TCP fragment is smaller than header.

Fragment Attack Table Full

Internal state table for fragments is full.

Fragment Attack Timeout

Not all fragments seen.

ICMP Attack - Repeats

ICMP packets being repeated at a rate of more than 40 per

second.

ICMP Attack - Table Full

Internal state table for ICMP is full.

IP Attack - Land

Source and destination IP addresses are equal.

Not Passed Thru BPDU Packet

Failover mode does not allow through spanning tree packets.

Not Passed Thru Deactivated

DDoS Secure appliance has operationally closed down.

Not Passed Thru Direction Unknown

Logging-tap only. MAC address not obtained yet.

Not Passed Thru Generated Response

ARP packet generated by redirect server.

Not Passed Thru - HeartBeat

Failover heartbeat is never passed through a DDoS Secure

appliance.

Not Passed Thru - Keep-Alive Response

TCP response packet to internally generated keepalive probe

packet is dropped.

Not Passed Thru - MAC Misconfigured

A MAC address is configured for one side of DDoS Secure

appliance, but this packet with this source MAC address is seen
on the wrong side of the DDoS Secure appliance.

Not Passed Thru - MAC Table Overflow

Internal table for MAC addresses is full. Oldest entry is expired.

Not Passed Thru - Out Of Service State

Failover device is out of service. No packets passing through.

Not Passed Thru - Packet From Us

Packet sent by someone pretending to be an Internet or a

protected interface by using their MAC address.

Not Passed Thru - Packet To Us

Packet sent to Internet or protected interface MAC address.

Not Passed Thru - Pause Frame

Ethernet pause frame is dropped.

305

DDoS Secure CLI User Guide

Table 68: Attack Type Details (continued)

Attack Type

Type

Details

Not Passed Thru - Probe State

Failover is in the probe state, so no traffic passing through yet.

Not Passed Thru Runt Packet

Undersized packet is dropped.

Not Passed Thru - Same Side

The source and destination MAC addresses both reside on the

same side of the DDoS Secure appliance.

Not Passed Thru - Short Circuit Active

The same (source) MAC address is seen on both sides of the

DDoS Secure appliance.

Not Passed Thru - Standby State

Failover is in the standby state traffic flows through other

DDoS Secure appliance.

Not Passed Thru State Sync

State synchronization packets are being processed but not

passed through.

Not Passed Thru State Sync Sent

State synchronization packets are being processed but not

passed through.

Other-IP Attack - Table Full

Internal state table for other IP address protocols is full. Oldest

entry is expired.

Overloaded IP - Backlog

The protected IP address cannot keep up with new TCP

connection requests.

Overloaded IP - Stall

The protected IP address has stopped responding to anything.

Overloaded IP - Threads

The protected IP address has stopped responding to new HTTP

GET requests.

Packet Rate - Rate Limited

Packet rate exceeded as defined in a filter or portal.

TCP Attack Client Abort

Client aborted connection after request.

TCP Attack - Connection Flood

The protected IP address has reached its concurrent

connection configured limit.

TCP Attack - Connection Rate Flood

The protected IP address is receiving connection requests at

a rate higher than it is configured for.

TCP Attack - HTTP Flood

The protected IP address has reached its concurrent

GET/HEAD configured limit.

TCP Attack - HTTP Format

HTTP packet incorrectly formatted.

TCP Attack HTTP Rate Flood

The protected IP address is receiving GET requests at a rate

higher than it is configured for.

TCP Attack - HTTP Req Incomplete

The HTTP GET request was never completed.

306

Appendix E: Incident (Attack) Types

Table 68: Attack Type Details (continued)

Attack Type

Type

Details

TCP Attack - HTTP Timeout

The protected IP address did not respond to a GET/HEAD

request in a timely manner.

TCP Attack No Data Xfer

No data in either direction was transferred on the TCP

connection. The connection was just opened and then closed.

TCP Attack No Server Data Xfer

A webserver did not respond to a GET request. Usually seen

when an IP addresses is requested in the host: header field,
instead of a domain name.

TCP Attack Port Scan

A potential port scan was detected.

TCP Attack RST

RST packet has invalid sequence number.

TCP Attack Small Window

Client has closed TCP window.

TCP Attack - Syn-Ack Timeout

The client IP address did not complete the TCP connection.

TCP Attack - Syn Flood

The protected IP address is receiving SYN packets at a rate

higher than it is configured for or can handle.

TCP Attack - Table Full

Internal state table for TCP connections is full.

UDP Attack - DNS Rate Limited

DNS queries are not being responded to quickly enough.

UDP Attack - SIP Rate Limited

SIP queries are not being responded to quickly enough.

UDP Attack - Table Full

Internal state table for UDP information is full.

Unknown Session - Icmp Diag Response

ICMP diagnostic response packet does not match a state table

entry for the respective IP address protocol.

Unknown Session - Icmp Response

ICMP response packet has no matching ICMP request in state

table.

Unknown Session - Invalid State

TCP packet has a state table entry, but packet is out of state
(sequence numbers mismatch, or incorrect TCP flags).

Unknown Session - No State

TCP packet has no state table entry and is not a SYN (start of
connection) packet.

Unknown Session - Reflective Attack

Unknown response packets to queries not initiated by a

protected IP.

307

DDoS Secure CLI User Guide

308

APPENDIX F

Letter Country Codes

DDoS Secure Appliance Country Codes on page 309

DDoS Secure Appliance Country Codes

Table 69 on page 309 and Table 70 on page 310 provides the details of DDoS Secure
appliance that are sort by codes.

Table 69: Code Type Details

Code

Type

---

--Unknown

-bc

---Broadcast---

Cannot be blocked

-bl

---Black List---

Always is blocked

-bo

---Bogon address---

-ca

---Country Allow ---

-ce

---Class E---

-dc

---Default CHARM---

-lo

---Loopback---

-mc

---Multicast---

Cannot be blocked

-mp

---Mega Proxy---

Cannot be blocked

-nb

---No Auto Block---

-pl

---Preferred List---

-pr

---RFC1918 address---

-u1

---User Defined #1---

Details

309

DDoS Secure CLI User Guide

Table 69: Code Type Details (continued)

Code

Type

Details

-u2

---User Defined #2---

-u3

---User Defined #3---

-u4

---User Defined #4---

-u5

---User Defined #5---

-u6

---User Defined #6---

-u7

---User Defined #7---

-u8

---User Defined #8---

-u9

---User Defined #9---

-wl

---White-list---

Cannot be blocked

-wn

---White No Log---

Cannot be blocked

Table 70: Sort by Country

310

Code

Details

Anonymous Proxy

Satellite Provider

ABW

Aruba

AFG

Afghanistan

AGO

Angola

AIA

Anguilla

ALA

Aland Islands

ALB

Albania

AND

Andorra

ANT

Netherlands Antilles

Asia/Pacific Region

Antarctica

Appendix F: Letter Country Codes

Table 70: Sort by Country (continued)

Code

Details

ARE

United Arab Emirates

ARG

Argentina

ARM

Armenia

ASM

American Samoa

ATG

Antigua and Barbuda

AUS

Australia

AUT

Austria

AZE

Azerbaijan

BDI

Burundi

BEL

Belgium

BEN

Benin

BFA

Burkina Faso

BGD

Bangladesh

BGR

Bulgaria

BHR

Bahrain

BHS

Bahamas

BIH

Bosnia and Herzegovina

BLR

Belarus

BLZ

Belize

BMU

Bermuda

BOL

Bolivia

BRA

Brazil

BRB

Barbados

BRN

Brunei Darussalam

311

DDoS Secure CLI User Guide

Table 70: Sort by Country (continued)

312

Code

Details

BTN

Bhutan

Bouvet Island

BWA

Botswana

CAF

Central African Republic

CAN

Canada

Cocos (Keeling) Islands

CHE

Switzerland

CHL

Chile

CHN

China

CIV

Cte dIvoire

CMR

Cameroon

COD

Congo, The Democratic Republic of the

COG

Congo

COK

Cook Islands

COL

Colombia

COM

Comoros

CPV

Cape Verde

CRI

Costa Rica

CUB

Cuba

Christmas Island

CYM

Cayman Islands

CYP

Cyprus

CZE

Czech Republic

DEU

Germany

Appendix F: Letter Country Codes

Table 70: Sort by Country (continued)

Code

Details

DJI

Djibouti

DMA

Dominica

DNK

Denmark

DOM

Dominican Republic

DZA

Algeria

ECU

Ecuador

EGY

Egypt

ERI

Eritrea

ESH

Western Sahara

ESP

Spain

EST

Estonia

ETH

Ethiopia

Europe

FIN

Finland

FJI

Fiji

FLK

Falkland Islands (Malvinas)

FRA

France

FRO

Faroe Islands

FSM

Micronesia, Federated States of

France, Metropolitan

GAB

Gabon

GBR

United Kingdom

GEO

Georgia

GGY

Guernsey

313

DDoS Secure CLI User Guide

Table 70: Sort by Country (continued)

314

Code

Details

GHA

Ghana

GIB

Gibraltar

GIN

Guinea

GLP

Guadeloupe

GMB

Gambia

GNB

Guinea-Bissau

GNQ

Equatorial Guinea

GRC

Greece

GRD

Grenada

GRL

Greenland

South Georgia and the South Sandwich Islands

GTM

Guatemala

GUF

French Guiana

GUM

Guam

GUY

Guyana

HKG

Hong Kong

Heard Island and McDonald Islands

HND

Honduras

HRV

Croatia

HTI

Haiti

HUN

Hungary

IDN

Indonesia

IMN

Isle of Man

IND

India

Appendix F: Letter Country Codes

Table 70: Sort by Country (continued)

Code

Details

British Indian Ocean Territory

IRL

Ireland

IRN

Iran, Islamic Republic of

IRQ

Iraq

ISL

Iceland

ISR

Israel

ITA

Italy

JAM

Jamaica

JEY

Jersey

JOR

Jordan

JPN

Japan

KAZ

Kazakhstan

KEN

Kenya

KGZ

Kyrgyzstan

KHM

Cambodia

KIR

Kiribati

KNA

Saint Kitts and Nevis

KOR

Korea, Republic of

KWT

Kuwait

LAO

Lao Peoples Democratic Republic

LBN

Lebanon

LBR

Liberia

LBY

Libyan Arab Jamahiriya

LCA

Saint Lucia

315

DDoS Secure CLI User Guide

Table 70: Sort by Country (continued)

316

Code

Details

LIE

Liechtenstein

LKA

Sri Lanka

LSO

Lesotho

LTU

Lithuania

LUX

Luxembourg

LVA

Latvia

MAC

Macau

MAR

Morocco

MCO

Monaco

MDA

Moldova, Republic of

MDG

Madagascar

MDV

Maldives

MEX

Mexico

MHL

Marshall Islands

MKD

Macedonia

MLI

Mali

MLT

Malta

MMR

Myanmar

MNE

Montenegro

MNG

Mongolia

MNP

Northern Mariana Islands

MOZ

Mozambique

MRT

Mauritania

MSR

Montserrat

Appendix F: Letter Country Codes

Table 70: Sort by Country (continued)

Code

Details

MTQ

Martinique

MUS

Mauritius

MWI

Malawi

MYS

Malaysia

NAM

Namibia

NCL

New Caledonia

NER

Niger

NFK

Norfolk Island

NGA

Nigeria

NIC

Nicaragua

NIU

Niue

NLD

Netherlands

NOR

Norway

NPL

Nepal

NRU

Nauru

NZL

New Zealand

Other

OMN

Oman

PAK

Pakistan

PAN

Panama

PCN

Pitcairn Islands

PER

Peru

PHL

Philippines

PLW

Palau

317

DDoS Secure CLI User Guide

Table 70: Sort by Country (continued)

318

Code

Details

PNG

Papua New Guinea

POL

Poland

PRI

Puerto Rico

PRK

Korea, Democratic Peoples Republic of

PRT

Portugal

PRY

Paraguay

PSE

Palestinian Territory

PYF

French Polynesia

QAT

Qatar

REU

Reunion

ROU

Romania

RUS

Russian Federation

RWA

Rwanda

Saudi Arabia

SDN

Sudan

SEN

Senegal

SGP

Singapore

SHN

Saint Helena

SJM

Svalbard and Jan Mayen

SLB

Solomon Islands

SLE

Sierra Leone

SLV

El Salvador

SMR

San Marino

SOM

Somalia

Appendix F: Letter Country Codes

Table 70: Sort by Country (continued)

Code

Details

SPM

Saint Pierre and Miquelon

SRB

Serbia

STP

Sao Tome and Principe

SUR

Suriname

SVK

Slovakia

SVN

Slovenia

SWE

Sweden

SWZ

Swaziland

SYC

Seychelles

SYR

Syrian Arab Republic

TCA

Turks and Caicos Islands

TCD

Chad

French Southern Territories

TGO

Togo

THA

Thailand

TJK

Tajikistan

TKL

Tokelau

TKM

Turkmenistan

TLS

Timor-Leste

TON

Tonga

TTO

Trinidad and Tobago

TUN

Tunisia

TUR

Turkey

TUV

Tuvalu

319

DDoS Secure CLI User Guide

Table 70: Sort by Country (continued)

Code

Details

TWN

Taiwan

TZA

Tanzania, United Republic of

UGA

Uganda

UKR

Ukraine

United States Minor Outlying Islands

URY

Uruguay

USA

United States

UZB

Uzbekistan

VAT

Holy See (Vatican City State)

VCT

Saint Vincent and the Grenadines

VEN

Venezuela

VGB

Virgin Islands, British

VIR

Virgin Islands, U.S.

VNM

Vietnam

VUT

Vanuatu

WLF

Wallis and Futuna

WSM

Samoa

YEM

Yemen

Mayotte

ZAF

South Africa

ZMB

Zambia

ZWE

Zimbabwe

Table 71 on page 321 and Table 72 on page 322 provides the details of DDoS Secure
appliance that are sort by country.

320

Appendix F: Letter Country Codes

Table 71: Sort by Code

-bl

---Black List---

-bo

---Bogon address---

-bc

---Broadcast---

-ca

---Country Allow---

-ce

---Class E---

-dc

---Default CHARM---

-lo

---Loopback---

-mc

---Multicast---

Cannot be blocked

-mp

---Mega Proxy---

Cannot be blocked

-nb

---No Auto Block---

-pt

---Pen Test List---

-pl

---Preferred List---

-pr

---RFC1918 address---

-u1

---User Defined #1---

-u2

---User Defined #2---

-u3

---User Defined #3---

-u4

---User Defined #4---

-u5

---User Defined #5---

-u6

---User Defined #6---

-u7

---User Defined #7---

-u8

---User Defined #8---

-u9

---User Defined #9---

-wl

---White List---

Cannot be blocked

-wn

---White No Log---

Cannot be blocked

---

--Unknown--

Always is blocked

Cannot be blocked

321

DDoS Secure CLI User Guide

Table 72: Sort by Country

322

AFG

Afghanistan

ALA

Aland Islands

ALB

Albania

DZA

Algeria

ASM

American Samoa

AND

Andorra

AGO

Angola

AIA

Anguilla

Anonymous Proxy

Antarctica

ATG

Antigua and Barbuda

ARG

Argentina

ARM

Armenia

ABW

Aruba

Asia/Pacific Region

AUS

Australia

AUT

Austria

AZE

Azerbaijan

BHS

Bahamas

BHR

Bahrain

BGD

Bangladesh

BRB

Barbados

BLR

Belarus

BEL

Belgium

BLZ

Belize

Appendix F: Letter Country Codes

Table 72: Sort by Country (continued)

BEN

Benin

BMU

Bermuda

BTN

Bhutan

BOL

Bolivia

BIH

Bosnia and Herzegovina

BWA

Botswana

Bouvet Island

BRA

Brazil

British Indian Ocean Territory

BRN

Brunei Darussalam

BGR

Bulgaria

BFA

Burkina Faso

BDI

Burundi

KHM

Cambodia

CMR

Cameroon

CAN

Canada

CPV

Cape Verde

CYM

Cayman Islands

CAF

Central African Republic

TCD

Chad

CHL

Chile

CHN

China

Christmas Island

Cocos (Keeling) Islands

COL

Colombia

323

DDoS Secure CLI User Guide

Table 72: Sort by Country (continued)

324

COM

Comoros

COG

Congo

COD

Congo, The Democratic Republic of the

COK

Cook Islands

CRI

Costa Rica

CIV

Cte dIvoire

HRV

Croatia

CUB

Cuba

CYP

Cyprus

CZE

Czech Republic

DNK

Denmark

DJI

Djibouti

DMA

Dominica

DOM

Dominican Republic

ECU

Ecuador

EGY

Egypt

SLV

El Salvador

GNQ

Equatorial Guinea

ERI

Eritrea

EST

Estonia

ETH

Ethiopia

Europe

FLK

Falkland Islands (Malvinas)

FRO

Faroe Islands

FJI

Fiji

Appendix F: Letter Country Codes

Table 72: Sort by Country (continued)

FIN

Finland

FRA

France

France, Metropolitan

GUF

French Guiana

PYF

French Polynesia

French Southern Territories

GAB

Gabon

GMB

Gambia

GEO

Georgia

DEU

Germany

GHA

Ghana

GIB

Gibraltar

GRC

Greece

GRL

Greenland

GRD

Grenada

GLP

Guadeloupe

GUM

Guam

GTM

Guatemala

GGY

Guernsey

GIN

Guinea

GNB

Guinea-Bissau

GUY

Guyana

HTI

Haiti

Heard Island and McDonald Islands

VAT

Holy See (Vatican City State)

325

DDoS Secure CLI User Guide

Table 72: Sort by Country (continued)

326

HND

Honduras

HKG

Hong Kong

HUN

Hungary

ISL

Iceland

IND

India

IDN

Indonesia

IRN

Iran, Islamic Republic of

IRQ

Iraq

IRL

Ireland

IMN

Isle of Man

ISR

Israel

ITA

Italy

JAM

Jamaica

JPN

Japan

JEY

Jersey

JOR

Jordan

KAZ

Kazakhstan

KEN

Kenya

KIR

Kiribati

PRK

Korea, Democratic Peoples Republic of

KOR

Korea, Republic of

KWT

Kuwait

KGZ

Kyrgyzstan

LAO

Lao Peoples Democratic Republic

LVA

Latvia

Appendix F: Letter Country Codes

Table 72: Sort by Country (continued)

LBN

Lebanon

LSO

Lesotho

LBR

Liberia

LBY

Libyan Arab Jamahiriya

LIE

Liechtenstein

LTU

Lithuania

LUX

Luxembourg

MAC

Macau

MKD

Macedonia

MDG

Madagascar

MWI

Malawi

MYS

Malaysia

MDV

Maldives

MLI

Mali

MLT

Malta

MHL

Marshall Islands

MTQ

Martinique

MRT

Mauritania

MUS

Mauritius

Mayotte

MEX

Mexico

FSM

Micronesia, Federated States of

MDA

Moldova, Republic of

MCO

Monaco

MNG

Mongolia

327

DDoS Secure CLI User Guide

Table 72: Sort by Country (continued)

328

MNE

Montenegro

MSR

Montserrat

MAR

Morocco

MOZ

Mozambique

MMR

Myanmar

NAM

Namibia

NRU

Nauru

NPL

Nepal

NLD

Netherlands

ANT

Netherlands Antilles

NCL

New Caledonia

NZL

New Zealand

NIC

Nicaragua

NER

Niger

NGA

Nigeria

NIU

Niue

NFK

Norfolk Island

MNP

Northern Mariana Islands

NOR

Norway

OMN

Oman

Other

PAK

Pakistan

PLW

Palau

PSE

Palestinian Territory

PAN

Panama

Appendix F: Letter Country Codes

Table 72: Sort by Country (continued)

PNG

Papua New Guinea

PRY

Paraguay

PER

Peru

PHL

Philippines

PCN

Pitcairn Islands

POL

Poland

PRT

Portugal

PRI

Puerto Rico

QAT

Qatar

REU

Reunion

ROU

Romania

RUS

Russian Federation

RWA

Rwanda

SHN

Saint Helena

KNA

Saint Kitts and Nevis

LCA

Saint Lucia

SPM

Saint Pierre and Miquelon

VCT

Saint Vincent and the Grenadines

WSM

Samoa

SMR

San Marino

STP

Sao Tome and Principe

Satellite Provider

Saudi Arabia

SEN

Senegal

SRB

Serbia

329

DDoS Secure CLI User Guide

Table 72: Sort by Country (continued)

330

SYC

Seychelles

SLE

Sierra Leone

SGP

Singapore

SVK

Slovakia

SVN

Slovenia

SLB

Solomon Islands

SOM

Somalia

ZAF

South Africa

South Georgia and the South Sandwich Islands

ESP

Spain

LKA

Sri Lanka

SDN

Sudan

SUR

Suriname

SJM

Svalbard and Jan Mayen

SWZ

Swaziland

SWE

Sweden

CHE

Switzerland

SYR

Syrian Arab Republic

TWN

Taiwan

TJK

Tajikistan

TZA

Tanzania, United Republic of

THA

Thailand

TLS

Timor-Leste

TGO

Togo

TKL

Tokelau

Appendix F: Letter Country Codes

Table 72: Sort by Country (continued)

TON

Tonga

TTO

Trinidad and Tobago

TUN

Tunisia

TUR

Turkey

TKM

Turkmenistan

TCA

Turks and Caicos Islands

TUV

Tuvalu

UGA

Uganda

UKR

Ukraine

ARE

United Arab Emirates

GBR

United Kingdom

USA

United States

United States Minor Outlying Islands

URY

Uruguay

UZB

Uzbekistan

VUT

Vanuatu

VEN

Venezuela

VNM

Vietnam

VGB

Virgin Islands, British

VIR

Virgin Islands, U.S.

WLF

Wallis and Futuna

ESH

Western Sahara

YEM

Yemen

ZMB

Zambia

ZWE

Zimbabwe

331

DDoS Secure CLI User Guide

Related
Documentation

332

Understanding Index Attack Types on page 303

APPENDIX G

Panel and Connector Locations

DDoS Secure Appliance Panel Information on page 333

DDoS Secure Appliance Panel Information

DDoS Secure-1200-Fail-Safe Panels
Figure 1 on page 333 and Figure 2 on page 333 shows the front and back panel of the DDoS
Secure-1200-Fail-safe.

Figure 1: DDoS Secure-1200-Fail-Safe Front Panel

Figure 2: DDoS Secure-1200-Fail-Safe Back Panel

Table 73 on page 333 lists the front and back panel components of the DDoS
Secure-1200-Fail-Safe appliance.

Table 73: DDoS Secure 1200-Fail-Safe Callout Details

Callout

Component

Front Panel

Power ON/OFF button

Back Panel

333

DDoS Secure CLI User Guide

Table 73: DDoS Secure 1200-Fail-Safe Callout Details (continued)

Related
Documentation

334

Callout

Component

I-IF (1Gb/10Gb Internet interface)

P-I/F (1Gb/10Gb protected interface)

Power supply

D-IF (Optional 1Gb data share interface)

M-I/F+ILO (1Gb management interface and Integrated Lights Out)

USB port (Optional)

Video (Optional)

Serial interface

Understanding Index Attack Types on page 303

APPENDIX H

Troubleshooting

Troubleshooting a DDoS Secure Appliance on page 335

Troubleshooting a DDoS Secure Appliance

My browser gives an SSL connection error.

If the DDoS Secure appliance SSL certificate changes for any reason, some PC
browsers choke on the previously installed certificate. If so, the old certificate will have
to be removed by hand from the Browser Root Certificate cache. It is possible that
exiting the browser and reconnecting fixes the situation.

2. How do I recover my lost username and password?

You are unable to recover the username and password. If Juniper Networks personnel
able to access your appliance, they might be able to reset the password. It might be
that you have to re-image the system.
3. What does Init Phase xxx mean?

When the appliance starts up, various large data sets have to be initialized. Each phase
is the initialization of a different data set.
4. What does Exit Phase xxx mean?

When the appliance closes down, various large data sets have to be cleanly closed
down. Each phase is the cleanup of a different data set.
5. Why do I get Protected IP Table Full turning to red?

The appliance is set up to protect a maximum number of protected IP addresses. If

this limit is exceeded, then protected IP address table full will turn to red. If your I-I/F
and P-I/F connectors are reversed, the appliance is effectively protecting the Internet
from your internal users. Confirm this using the Protected Information option. Correct
any cabling errors. Review the location of the appliance in your network topology, if
the appliance has to protect more than the specified number of protected IP addresses.
If cabling arrangements are logically reversed without physical disconnection, the
DDoS Secure appliance engine must be restarted to ensure the correct automatic
detection of the network topology. It is also possible to swap the interfaces with
Configure Interfaces option.

335

DDoS Secure CLI User Guide

Related
Documentation

336

Understanding Index Attack Types on page 303

APPENDIX I

GUI Branding

Customizing the DDoS Secure Web Interface on page 337

Customizing the DDoS Secure Web Interface

You can customize both the GUI initial login landing page and the format/style of pages.

Take a copy of the source of the initial login page, https://a.b.c.d, and save it locally.

2. Name the file customer.tmpl or host_uri-customer.tmpl, where host_uri is the name

or IP address that a user uses to access the DDoS Secure appliance.

The customer.tmpl file:

Is preserved across software upgrades.

Can include references to external URLs.

Can reference existing image files or portal-specific images.

Must link to webviewcheck.wsp to enter the DDoS Secure appliance portal.

For example, If the site is accessed with the URL https://some.host.com, then the
search sequence is some.host.com-customer.tmpl, then customer.tmpl, and finally
the original login page.

Images/CSS Files
Once you have logged in, you are associated with a portal. Any .css file in the /css directory,
or any images in the /images directory, can be customized to modify the output.
For example, you are logged in to portal CustomerX and are requesting
css/center_pane.css. The search order is css/portal-CustomerX-center_pane.css, then
css/portal-center_pane.css, and finally css/center_pane.css. The same is true for any
images.

337

DDoS Secure CLI User Guide

Updating Customized Files

To upload the files on a Linux server, you need to collect all the customized files in a
directory, and then run the following Linux command to create an update package:
echo w.x.y > webscreen- ; tar cvf files.upg webscreen- *customer.tmpl portal*.css portal*.gif

where w.x.y is the current version of the DDoS Secure appliance (for example: 5.13.1),
and then upload files.upg as a DDoS Secure appliance patch.

Removing Customized Files

G
general
messages.......................................................................294
geoIP
configuration....................................................................47

I
ICMP types
DDoS Secure appliance.............................................301
image file..................................................................................337
incident
messages.......................................................................295
index attack types
DDoS Secure appliance............................................303
information
content presentation..................................................257
inspection
layer 7..................................................................................93
introduction
DDoS Secure CLI...............................................................3
IP address
configuration.....................................................................41

L
layer 7
inspection.........................................................................93
LEEF extension
parameters....................................................................290
log
DDoS Secure appliance.............................................185

344

N
navigate
through CLI..........................................................................7
netflow
configuration...................................................................137
network
configuration...................................................................121

O
option
debug..................................................................................79

P
parameter
arcsight extensions.....................................................292
LEEF extensions..........................................................290
portals..............................................................................149
proxy server......................................................................171
rerouting trigger............................................................255
SNMP................................................................................193
structured syslog...........................................................197
syslog................................................................................201
TCP state timeouts....................................................205
terminal configuration...............................................243
traffic interception........................................................215
usage.................................................................................221
parentheses, in syntax descriptions................................xix

Index

Peering router sample

configuration.................................................................254
permanent blacklist
messages........................................................................297
permanent whitelist
messages........................................................................297
ping
command.......................................................................252
port filter
configuration....................................................................27
portal
parameters.....................................................................149
portal defense
configuration..................................................................159
portal operational mode
configuration..................................................................155
preferred clients
configuration...................................................................141
preferred whitelist
configuration...................................................................141
protected IP
configuration..................................................................163
proxy server
parameters.......................................................................171
pseudol3
configuration...................................................................175

R
remote alert
DDoS Secure appliance.............................................185
remove
customized files...........................................................338
remove bgp
CLI........................................................................................40
remove decryptkeys
CLI.......................................................................................214
remove fagg
CLI.......................................................................................90
remove filter
CLI........................................................................................32
remove gateway
CLI.......................................................................................114
remove geoip
CLI........................................................................................50
remove inspect
CLI........................................................................................96
remove portal
CLI.......................................................................................152

remove protected
CLI......................................................................................166
remove pseudol3 all
CLI.......................................................................................181
remove pseudol3 interface
CLI......................................................................................182
remove pseudol3 route
CLI......................................................................................183
remove route
CLI.......................................................................................133
remove share
CLI......................................................................................190
remove tuneable
CLI........................................................................................59
remove user
CLI......................................................................................228
report
DDoS Secure appliance.............................................185
mail......................................................................................117
rerouting trigger
parameters.....................................................................255
RFC testing
disable................................................................................69

S
serial port connect
DDoS Secure appliance.................................................4
set access https
CLI.........................................................................................15
set access https_juniper
CLI.........................................................................................16
set access snmp
CLI.........................................................................................19
set access ssh
CLI..........................................................................................17
set access ssh_juniper
CLI.........................................................................................18
set appliance
CLI........................................................................................25
set auth
CLI........................................................................................86
set bgp flowspec
CLI........................................................................................39
set bgp peer
CLI........................................................................................38
set block as
CLI........................................................................................46
set block cignoreip
CLI........................................................................................44

345

DDoS Secure CLI User Guide

set block country

CLI........................................................................................43
set block ip
CLI........................................................................................45
set chassis bgp
CLI........................................................................................66
set chassis blade
CLI........................................................................................65
set chassis reroute
CLI........................................................................................67
set chassis vip
CLI........................................................................................64
set clock ntp
CLI.........................................................................................77
set clock timenow
CLI........................................................................................75
set clock timezone
CLI........................................................................................76
set debugging
CLI........................................................................................82
set decryptkeys default
CLI.......................................................................................212
set decryptkeys specific
CLI.......................................................................................213
set disabled
CLI..........................................................................................71
set dns
CLI.......................................................................................132
set fagg
CLI.........................................................................................91
set filter
CLI........................................................................................33
set gateway
CLI........................................................................................115
set geoip auto_akamai
CLI........................................................................................55
set geoip ip
CLI.........................................................................................51
set geoip megaproxy_ip
CLI........................................................................................53
set geoip megaproxy_url
CLI........................................................................................54
set geoip url
CLI........................................................................................52
set incidents
CLI......................................................................................109
set inspect
CLI........................................................................................97

346

set interface datashare

CLI......................................................................................126
set interface internet
CLI......................................................................................128
set interface ipmi
CLI......................................................................................130
set interface management
CLI.......................................................................................125
set interface protected
CLI.......................................................................................127
set mail
CLI......................................................................................120
set netflow
CLI......................................................................................139
set operation
CLI.......................................................................................157
set portal
CLI.......................................................................................153
set portaldefense
CLI.......................................................................................161
set preferred clients
CLI......................................................................................144
set preferred countries
CLI......................................................................................145
set preferred default
CLI......................................................................................148
set preferred whitelist
CLI......................................................................................146
set preferred whitenolog
CLI.......................................................................................147
set protected
CLI......................................................................................168
set proxy
CLI.......................................................................................173
set pseudol3 interface
CLI.......................................................................................178
set pseudol3 network
CLI.......................................................................................179
set pseudol3 route
CLI......................................................................................180
set route
CLI.......................................................................................135
set share
CLI.......................................................................................191
set snmp
CLI......................................................................................195
set structured
CLI......................................................................................199

Index

set syslog
CLI.....................................................................................203
set terminal
CLI.....................................................................................246
set threshold
CLI.......................................................................................107
set timeout
CLI.....................................................................................208
set tuneable
CLI.......................................................................................60
set usage
CLI......................................................................................224
set user
CLI......................................................................................229
set wrapper blocked
CLI......................................................................................218
set wrapper reverse
CLI......................................................................................219
set wrapper unwrap
CLI.....................................................................................220
shares
configuration..................................................................187
show access
CLI.........................................................................................14
show appliance
CLI........................................................................................24
show auth
CLI........................................................................................85
show bgp
CLI.........................................................................................37
show block
CLI........................................................................................42
show chassis
CLI........................................................................................63
show clock
CLI.........................................................................................74
show config
CLI..........................................................................................9
show debugging
CLI.........................................................................................81
show decryptkeys
CLI......................................................................................210
show disabled
CLI........................................................................................70
show dns
CLI........................................................................................131
show fagg
CLI........................................................................................89

show filter
CLI........................................................................................30
show gateway
CLI........................................................................................113
show geoip
CLI........................................................................................49
show incidents
CLI......................................................................................108
show inspect
CLI........................................................................................95
show interface
CLI.......................................................................................124
show mail
CLI.......................................................................................119
show netflow
CLI......................................................................................138
show operation
CLI......................................................................................156
show pending changes
CLI.........................................................................................10
show portal
CLI........................................................................................151
show portaldefense
CLI......................................................................................160
show preferred
CLI.......................................................................................143
show protected
CLI......................................................................................165
show proxy
CLI.......................................................................................172
show pseudol3
CLI.......................................................................................177
show route
CLI......................................................................................134
show run
CLI.........................................................................................10
show share
CLI......................................................................................189
show snmp
CLI......................................................................................194
show structured
CLI......................................................................................198
show syslog
CLI.....................................................................................202
show terminal
CLI......................................................................................245
show threshold alert
CLI......................................................................................106

347

DDoS Secure CLI User Guide

show threshold create

CLI......................................................................................104
show threshold offenders
CLI......................................................................................105
show threshold view
CLI......................................................................................103
show timeout
CLI......................................................................................207
show timezones
CLI........................................................................................78
show tuneable
CLI........................................................................................58
show usage
CLI......................................................................................223
show user
CLI......................................................................................227
show version
CLI.....................................................................................249
show wrapper
CLI.......................................................................................217
SNMP
parameters.....................................................................193
SSH connect
DDoS Secure appliance.................................................4
SSL
decryption......................................................................209
standard file
content............................................................................258
start
CLI session...........................................................................5
stats view
CLI.....................................................................................248
structured syslog
description......................................................................273
parameters......................................................................197
support, technical See technical support
syntax conventions..............................................................xviii
syslog
parameters.....................................................................201
system check
CLI.....................................................................................240
system clear_custom
CLI.....................................................................................239
system config_reset
CLI.....................................................................................238
system console connect
DDoS Secure appliance.................................................5
system factoryreset
CLI......................................................................................237

348

system helpdesk
CLI.......................................................................................241
system powerdown
CLI.....................................................................................236
system reboot
CLI......................................................................................235
system restart
CLI......................................................................................232
system restart_clear
CLI......................................................................................233
system shutdown
CLI......................................................................................234

T
TCP state
DDoS Secure appliance............................................299
timeout parameters...................................................205
technical support
contacting JTAC...............................................................xx
temporary blacklist
messages........................................................................297
terminal configuration
parameters.....................................................................243
threshold
logging...............................................................................99
traffic interception
parameters......................................................................215
troubleshoot
DDoS Secure appliance............................................335
tunable
CHARM...............................................................................57

U
understand
blacklisted traffic.........................................................257
webserver information..............................................259
update
customized files...........................................................338
usage
parameters......................................................................221
user
management.................................................................225

V
variable value
formats............................................................................263

Index

W
webserver information
understanding..............................................................259
worst offender
messages.......................................................................296

349

DDoS Secure CLI User Guide

350

THE LTSPICE XVII SIMULATOR: Commands and Applications
From Everand
THE LTSPICE XVII SIMULATOR: Commands and Applications
Gilles Brocard
5/5 (1)
Eleven Rack User Guide PDF
No ratings yet
Eleven Rack User Guide PDF
148 pages
PAN-OS 5.0 CLI Reference Guide
No ratings yet
PAN-OS 5.0 CLI Reference Guide
560 pages
Eleven Rack User Guide v90x 71670 PDF
No ratings yet
Eleven Rack User Guide v90x 71670 PDF
142 pages
Pan Os 6.0 Cli Ref
No ratings yet
Pan Os 6.0 Cli Ref
770 pages
Pan Os 6.1 Cli Ref
No ratings yet
Pan Os 6.1 Cli Ref
784 pages
CLI Reference Guide Panorama 5.1 PAN OS 5.0
No ratings yet
CLI Reference Guide Panorama 5.1 PAN OS 5.0
562 pages
Pan Os 6.0 Cli Ref
No ratings yet
Pan Os 6.0 Cli Ref
770 pages
PAN-OS ™ Command Line Interface Reference Guide
No ratings yet
PAN-OS ™ Command Line Interface Reference Guide
466 pages
Pan Os 6.1 Cli Ref
No ratings yet
Pan Os 6.1 Cli Ref
778 pages
Mobility 05200 ControllerCLIGuide PDF
No ratings yet
Mobility 05200 ControllerCLIGuide PDF
854 pages
MAXPRO NVR 2.5 Operators Guide
No ratings yet
MAXPRO NVR 2.5 Operators Guide
195 pages
Peribit Seq Reducer Operators Guide SR - 31 - Og
No ratings yet
Peribit Seq Reducer Operators Guide SR - 31 - Og
210 pages
9301810702_V1_7750 SR OS OAM and Diagnostics Guide 11.0R3
No ratings yet
9301810702_V1_7750 SR OS OAM and Diagnostics Guide 11.0R3
442 pages
EdgeSwitch AdminGuide
No ratings yet
EdgeSwitch AdminGuide
274 pages
Netvisor-OS-Config-Guide
No ratings yet
Netvisor-OS-Config-Guide
314 pages
Infoblox CLI Guide: NIOS 6.1 For Infoblox Network Core Services Appliances
No ratings yet
Infoblox CLI Guide: NIOS 6.1 For Infoblox Network Core Services Appliances
118 pages
Vyatta Quick Start VC4.1 v02
No ratings yet
Vyatta Quick Start VC4.1 v02
48 pages
Bti7800 Cli Ref Guide
No ratings yet
Bti7800 Cli Ref Guide
298 pages
Sdffsadadsf
No ratings yet
Sdffsadadsf
226 pages
NIOS 6.0.0 CLIGuide
No ratings yet
NIOS 6.0.0 CLIGuide
114 pages
airOS UG
No ratings yet
airOS UG
68 pages
N750 Wireless Dual Band Gigabit Router WNDR4000: User Manual
No ratings yet
N750 Wireless Dual Band Gigabit Router WNDR4000: User Manual
104 pages
Complete Production Toolkit
No ratings yet
Complete Production Toolkit
101 pages
Net-Net 9000 D6.0 Configuration Guide
No ratings yet
Net-Net 9000 D6.0 Configuration Guide
644 pages
LinuxCNC Getting Started
100% (1)
LinuxCNC Getting Started
72 pages
Quick Start Guide: Vyatta System
No ratings yet
Quick Start Guide: Vyatta System
46 pages
Zilog Datasheet
No ratings yet
Zilog Datasheet
282 pages
Controllogix Remote I/O Communication Module: User Manual
No ratings yet
Controllogix Remote I/O Communication Module: User Manual
170 pages
Leitch Routerworks Manual
100% (1)
Leitch Routerworks Manual
138 pages
Ubiquity airOS User Guide PDF
No ratings yet
Ubiquity airOS User Guide PDF
67 pages
GigaVUE OS CLI ReferenceGuide v5700
No ratings yet
GigaVUE OS CLI ReferenceGuide v5700
734 pages
Advantys STB: Standard Ethernet Modbus TCP/IP Network Interface Module Applications Guide
No ratings yet
Advantys STB: Standard Ethernet Modbus TCP/IP Network Interface Module Applications Guide
194 pages
ZebOS Core Configuration Guide Version 75
No ratings yet
ZebOS Core Configuration Guide Version 75
84 pages
VENUE SC48 Guide 75438 PDF
No ratings yet
VENUE SC48 Guide 75438 PDF
284 pages
Teles Vgate 17 - 11 Setup Manual
No ratings yet
Teles Vgate 17 - 11 Setup Manual
141 pages
airOS UG V55 3-20-12
No ratings yet
airOS UG V55 3-20-12
66 pages
11214-29185-ug821-zynq-7000-swdev
No ratings yet
11214-29185-ug821-zynq-7000-swdev
92 pages
N300 Wireless Gigabit Router WNR3500Lv2: User Manual
No ratings yet
N300 Wireless Gigabit Router WNR3500Lv2: User Manual
114 pages
SFTOS CLI v2.1.4
No ratings yet
SFTOS CLI v2.1.4
380 pages
V1 7750 SR OS OAM and Diagnos
No ratings yet
V1 7750 SR OS OAM and Diagnos
272 pages
Ug470 7series Config
No ratings yet
Ug470 7series Config
174 pages
FTOS Configuration Guide
No ratings yet
FTOS Configuration Guide
1,220 pages
MB Ref Guide
No ratings yet
MB Ref Guide
194 pages
6000 Series
No ratings yet
6000 Series
78 pages
Xilinx System Generator For DSP PDF
No ratings yet
Xilinx System Generator For DSP PDF
376 pages
098-00106-000-Rev A
No ratings yet
098-00106-000-Rev A
124 pages
FastTrak TX Series User v2.0
No ratings yet
FastTrak TX Series User v2.0
138 pages
TCS CLI 8.4.2.4 20-Jul-2011
No ratings yet
TCS CLI 8.4.2.4 20-Jul-2011
1,822 pages
9301830504_V1_7450 ESS OS OAM and Diagnostics Guide 9.0.R4
No ratings yet
9301830504_V1_7450 ESS OS OAM and Diagnostics Guide 9.0.R4
374 pages
WNDR4000 Manual
No ratings yet
WNDR4000 Manual
104 pages
Gray Hat Hacking the Ethical Hacker's
From Everand
Gray Hat Hacking the Ethical Hacker's
Çağatay Şanlı
5/5 (1)
CNC Machining Handbook: Building, Programming, and Implementation
From Everand
CNC Machining Handbook: Building, Programming, and Implementation
Alan Overby
No ratings yet
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
From Everand
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
Matthew C. Smith
No ratings yet
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
From Everand
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
Christopher Rush
5/5 (1)
Teardowns: Learn How Electronics Work by Taking Them Apart
From Everand
Teardowns: Learn How Electronics Work by Taking Them Apart
Bryan Bergeron
No ratings yet
ChatGPT for Business: Strategies for Success
From Everand
ChatGPT for Business: Strategies for Success
Matthew C. Smith
1/5 (1)
Programming the Photon: Getting Started with the Internet of Things
From Everand
Programming the Photon: Getting Started with the Internet of Things
Christopher Rush
5/5 (1)
Powerboater's Guide to Electrical Systems, Second Edition
From Everand
Powerboater's Guide to Electrical Systems, Second Edition
Edwin R. Sherman
5/5 (1)
Tips & Traps for Building Decks, Patios, and Porches
From Everand
Tips & Traps for Building Decks, Patios, and Porches
R. Dodge Woodson
No ratings yet
Submitted in Partial Fulfillment of The Requirement For The Award of The Degree of
No ratings yet
Submitted in Partial Fulfillment of The Requirement For The Award of The Degree of
22 pages
System Requirements: About The Share Pictures Function
No ratings yet
System Requirements: About The Share Pictures Function
7 pages
Microsoft Word: Syllabus of ICT For First Term (48 CTP)
No ratings yet
Microsoft Word: Syllabus of ICT For First Term (48 CTP)
4 pages
Telco Presentation
No ratings yet
Telco Presentation
31 pages
Pedro Medeiros - A Basic Aseprite Animation
No ratings yet
Pedro Medeiros - A Basic Aseprite Animation
8 pages
PowerEdge MX Vs HPE Synergy 0319 v2
No ratings yet
PowerEdge MX Vs HPE Synergy 0319 v2
19 pages
Super Mario Galaxy 2 PC by Kelvin Setup Log
No ratings yet
Super Mario Galaxy 2 PC by Kelvin Setup Log
78 pages
9 - Software Testing
No ratings yet
9 - Software Testing
61 pages
Informatica Command Line Reference
No ratings yet
Informatica Command Line Reference
95 pages
Medical Store Management
No ratings yet
Medical Store Management
17 pages
PPT1 - Introduction To Data Structure
No ratings yet
PPT1 - Introduction To Data Structure
37 pages
0.5''&1''#800-#600 GBV BB Bwe-80
No ratings yet
0.5''&1''#800-#600 GBV BB Bwe-80
1 page
FLIGHT
No ratings yet
FLIGHT
7 pages
(Ebook) The Practical Handbook of Internet Computing by Munindar P. Singh ISBN 9781584883814, 1584883812 download
No ratings yet
(Ebook) The Practical Handbook of Internet Computing by Munindar P. Singh ISBN 9781584883814, 1584883812 download
49 pages
SS7 Pocket Guide
100% (6)
SS7 Pocket Guide
43 pages
Assignment1_SU24_SE07203_VuDangKhoi_BS01129
No ratings yet
Assignment1_SU24_SE07203_VuDangKhoi_BS01129
30 pages
Install Guide For RPi+LabVIEW+MakerHub
No ratings yet
Install Guide For RPi+LabVIEW+MakerHub
84 pages
Smart Home Automation: A Literature Review
100% (2)
Smart Home Automation: A Literature Review
5 pages
Gas Leakage Detection and Prevention
No ratings yet
Gas Leakage Detection and Prevention
3 pages
Unit 4 - Assignment Brief a - 24_25
No ratings yet
Unit 4 - Assignment Brief a - 24_25
2 pages
Types of Addressing Modes
No ratings yet
Types of Addressing Modes
17 pages
CO - Computer Science PDF
No ratings yet
CO - Computer Science PDF
20 pages
VLSI Course Modules
No ratings yet
VLSI Course Modules
2 pages
Name: Patricia Mae L. Navarro Address: 294 San Roque, Rosario, Batangas Phone No. 09754760506
No ratings yet
Name: Patricia Mae L. Navarro Address: 294 San Roque, Rosario, Batangas Phone No. 09754760506
1 page
5.6 Information Architecture in UX
No ratings yet
5.6 Information Architecture in UX
6 pages
Infor Basics
No ratings yet
Infor Basics
15 pages
Change The Product Key On Windows XP
100% (7)
Change The Product Key On Windows XP
4 pages
Ds TDR 500 TDR 510 Baur En-Gb
0% (1)
Ds TDR 500 TDR 510 Baur En-Gb
3 pages
DMPMarkEditor CD-ROM v00
No ratings yet
DMPMarkEditor CD-ROM v00
76 pages
APCSA Steganography Lab A2
No ratings yet
APCSA Steganography Lab A2
4 pages