[j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

Saku Ytti saku at ytti.fi
Tue Nov 21 07:19:42 EST 2017


On 21 November 2017 at 14:12, Luis Balbinot <luis at luisbalbinot.com> wrote:

> The DDoS protection factory defaults are very low in some cases. The
> Juniper MX Series book has a nice chapter on that.

Do you have an example? Most of them are like 20kpps, which is more
than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
are massively too large out-of-the-box.

I doubt anyone has configured them to sensible values, as it would be
hundreds of lines of ddos-protection config, as you cannot set default
values which apply to all of them and then more-specific ones to the
ones you care about. Correct configuration needs to manually configure each
and every one, those which you don't need, as low as you want, like
10pps.


-- 
  ++ytti
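Since the platform offers no "one default for every group plus a few overrides" knob, the per-group lines have to be generated. The script below is an added example and not from the thread or from Juniper; the protocol group names and the `set system ddos-protection protocols <group> aggregate bandwidth/burst` syntax are assumed from Junos and should be checked against the device's own `show ddos-protection protocols` output, and the pps values are illustrative.

```python
# Added example (not from the thread): emit one ddos-protection policer
# setting per protocol group, with a low floor for everything you never
# expect and explicit ceilings only for the groups you depend on.
# Assumption: Junos accepts
#   set system ddos-protection protocols <group> aggregate bandwidth <pps>
#   set system ddos-protection protocols <group> aggregate burst <packets>
# Verify both the syntax and the group list on your release first.

# Floor for anything not listed in OVERRIDES (pps), per the thread's
# suggestion of something like 10pps for traffic you never expect.
DEFAULT_PPS = 10

# Groups the box actually relies on keep a sane ceiling; values are
# illustrative, not recommendations for any particular platform.
OVERRIDES = {
    "arp": 500,
    "bgp": 2000,
    "ospf": 1000,
    "icmp": 500,
}

# Constructed list of protocol groups. A real box has many more and the
# set varies by platform, so pull it from the device rather than hard-coding.
PROTOCOL_GROUPS = ["arp", "bgp", "ospf", "icmp", "ttl", "dhcpv4", "igmp", "ldp"]


def policer_lines(groups, default_pps, overrides):
    """Return one bandwidth and one burst 'set' line per group; overrides win."""
    lines = []
    for group in groups:
        pps = overrides.get(group, default_pps)
        base = f"set system ddos-protection protocols {group} aggregate"
        lines.append(f"{base} bandwidth {pps}")
        lines.append(f"{base} burst {pps}")
    return lines


def unknown_overrides(groups, overrides):
    """Overrides naming a group the device does not report are likely typos."""
    return sorted(set(overrides) - set(groups))


if __name__ == "__main__":
    for line in policer_lines(PROTOCOL_GROUPS, DEFAULT_PPS, OVERRIDES):
        print(line)
    print("unknown overrides:", unknown_overrides(PROTOCOL_GROUPS, OVERRIDES))
```

Feed the real group list from the device into `PROTOCOL_GROUPS` and load the output with `load set` in configuration mode, then confirm with `show ddos-protection protocols` that every group now carries the intended policer.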

