SCTP DDoS support

Enhanced support for distributed denial of service (DDoS) filters now extends to the SCTP for advanced forwarding toolkit (AFT) line cards, following its initial deployment for UKERN line cards. We segment SCTP packets into two categories: SCTP initialization packets (sctp-init) and unclassified packets (sctp-uncls). DDoS allows direct application of bandwidth, burst, and other filters to SCTP initialization packets. Additionally, users can monitor metrics such as priority, dropped packets, received packets, and violation information for SCTP initialization packets.

DDoS protection filters empower users to handle unexpected surges in traffic directed at the device. Users can define the expected packet bandwidth, priority, and burst rate using DDoS policers. When control traffic exceeds the default or configured policer values, the device drops excess packets and processes the traffic within set limits. Each violation triggers immediate notification, enabling swift response to potential attacks. The device logs each violation, and records the start time and the time of the last observed violation for further analysis.