[j-nsp] Decoding DDOS messages

Jason Healy jhealy at logn.net
Wed Mar 18 09:46:34 EDT 2020


Questions about the ddos-protection "features".  We're on a qfx5100-48 running 16.1.  I know that folks on the list aren't always big fans of ddos-protection; I'm just trying to understand what is triggering it so I can make decisions about tuning/disabling/ignoring it.

We are not a service provider; we're an end site running a flat L2 network (LAN) with the QFX as our L3 core for IRB and routing to our ISP.  Since the QFX is seeing all the BUM traffic, I'm curious if ddos-protection is being triggered as a result of seeing all the L2 packets.

In the past month we've seen violations for the following packet types:

IPMCAST-miss (lots of this one!)
ARP
TTL
Redirect
L3MTU-fail
RESOLVE
L3NHOP

I'm trying to figure out if these violations are normal in a LAN environment.  For example, we have a lot of Apple devices that are sending mDNS all day long; that might trigger the MCAST counters.  When our students change classes (all at the same time), that might cause a spike in ARP traffic as everyone comes online when they open their laptops.

Does anyone have a link to documentation for these packet types?  The Juniper docs don't give any examples; you just get descriptions like this:

  arp:  ARP traffic

So is that all ARP?  ARP that the switch needs to answer for?  Similar for the other packet types: are these thresholds for packets that the switch is processing (sent to the RE), or just for any traffic that is seen on any interface?  If it's just an issue of too much stuff going to the RE I can firewall it off so long as I know it's spurious.

Sorry if I'm not asking the right questions... I'm just trying to figure out if these errors are actually problems that I need to track down, or if the default reporting is just too noisy.

Thanks,

Jason
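As an added example (not from the post, Juniper, or the list), the script below tallies jddosd DDOS_PROTOCOL_VIOLATION_SET / _CLEAR syslog messages per protocol group, so violations the poster expects to be LAN background noise (IPMCAST from mDNS, ARP at class change) can be separated from the ones worth tracking down. The log line format, the sample lines and the EXPECTED_LAN_NOISE set are constructed assumptions modeled on the Junos message format and on the poster's own hypothesis, not a Juniper classification.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (assumption: modeled on the jddosd message
# format; not taken from the original post).
SAMPLE_LOG = """\
Mar 18 08:59:01 qfx jddosd[2345]: DDOS_PROTOCOL_VIOLATION_SET: Protocol IPMCAST:miss is violated at fpc 0 for 12 times, started at 2020-03-18 08:59:01 EDT
Mar 18 08:59:31 qfx jddosd[2345]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol IPMCAST:miss has returned to normal. Violated at fpc 0 for 12 times, from 2020-03-18 08:59:01 EDT to 2020-03-18 08:59:31 EDT
Mar 18 09:00:02 qfx jddosd[2345]: DDOS_PROTOCOL_VIOLATION_SET: Protocol ARP:aggregate is violated at fpc 0 for 3 times, started at 2020-03-18 09:00:02 EDT
Mar 18 09:00:12 qfx jddosd[2345]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol ARP:aggregate has returned to normal. Violated at fpc 0 for 3 times, from 2020-03-18 09:00:02 EDT to 2020-03-18 09:00:12 EDT
Mar 18 09:05:40 qfx jddosd[2345]: DDOS_PROTOCOL_VIOLATION_SET: Protocol TTL:aggregate is violated at fpc 0 for 1 times, started at 2020-03-18 09:05:40 EDT
"""

SET_RE = re.compile(r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (\S+) is violated at fpc (\d+) "
                    r"for (\d+) times, started at (\S+ \S+)")
CLEAR_RE = re.compile(r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (\S+) has returned to normal\. "
                      r"Violated at fpc (\d+) for (\d+) times, from (\S+ \S+) \S+ to (\S+ \S+)")

# Protocol groups the poster expects as normal LAN noise (hypothesis, not a Juniper list).
EXPECTED_LAN_NOISE = {"IPMCAST", "ARP"}


def parse_violations(text):
    """Per protocol: number of SET events, total seconds in violation, and whether
    the last violation is still open (no matching CLEAR seen yet)."""
    summary = {}
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            s = summary.setdefault(m.group(1), {"sets": 0, "seconds": 0, "open": False})
            s["sets"] += 1
            s["open"] = True
            continue
        m = CLEAR_RE.search(line)
        if m:
            start = datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S")
            end = datetime.strptime(m.group(5), "%Y-%m-%d %H:%M:%S")
            s = summary.setdefault(m.group(1), {"sets": 0, "seconds": 0, "open": False})
            s["seconds"] += int((end - start).total_seconds())
            s["open"] = False
    return summary


def classify(summary):
    """Split protocols (e.g. 'ARP:aggregate') into expected noise vs. ones to investigate."""
    noise, investigate = {}, {}
    for proto, s in summary.items():
        (noise if proto.split(":")[0] in EXPECTED_LAN_NOISE else investigate)[proto] = s
    return noise, investigate


if __name__ == "__main__":
    noise, investigate = classify(parse_violations(SAMPLE_LOG))
    print("expected LAN noise:", noise)
    print("investigate:", investigate)
```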

