A network element (such as a router or switch) transmits and receives network data using one or more ports of that network element. Each port on the network element has a physical link speed that limits the rate at which network data can be transmitted from that port. The network element uses one or more queues to store the network data that is to be transmitted from one of the ports of the network element.
One type of network data that is transmitted from the one or more ports is control plane network data. This is network data that is to be transmitted to a control plane of the network element, and processed by a control plane processor. The control plane processor is responsible for configuring the network element, maintaining forwarding routes for the network element, and for performing other network element functions. Thus, proper and expedient processing of control plane network data is essential to the healthy functioning of a network element, as well as to the network to which the network element belongs.
Denial of service attacks are a threat to network elements. These types of attacks may involve otherwise innocuous network traffic, but result in a control plane processor of a network element being made unavailable for the normal processing of control plane functions. This is generally achieved purposefully by an attacker, or unknowingly by a benign source, by flooding the control plane processor with control plane network data messages. The control plane network data may be innocuous, and are only sent to the control plane for the purpose of consuming processing resources. The volume of innocuous control plane network data in a denial of service attack, which is queued and forwarded to the control plane processor, can cause the control plane processor to expend resources to process the flood of attack traffic, thereby denying or severely limiting services to legitimate control plane network data (e.g., protocol network data, routing network data, etc.).