[j-nsp] EX3400 DDOS protection strangeness
Jason Healy
jhealy at logn.net
Wed Sep 24 13:42:40 EDT 2025
On Sep 24, 2025, at 12:42 PM, Saku Ytti <saku at ytti.fi> wrote:
>
> There are plenty of reasons to punt L2 frames, regardless of IRB. E.g.
> LACP, LLDP, STP, DHCP snooping.
Good point. I figured that L2 was going to be data plane only.
> If you capture on the PFE-RE interface (em0 or something like that,
> depending on platform)
OK, I think I've got ahold of that (bme0 in this case). The packets aren't decodable (yet) but I am seeing some small spikes to ~150pps that correspond with a DDOS violation.
Would love to see the Lua scripts or any info on stripping/skipping the internal headers to see the contents of the packets and try to classify them. Leafing through, I'm seeing some mDNS and other stuff embedded in the packets, but it would be helpful to categorize and graph.
Thanks,
Jason