On 2011-12-01 08:42, [email protected] wrote:
>> I was reading the release notes for 11.2, and I noticed a new feature:
>> "Protection against distributed denial of service (DDoS) attacks"
>> While debugging a suspected layer 2 loop issue, we noticed that this
>> feature is implemented and enabled by default in Trio PFE already in
>> 10.4. All related CLI operational and configuration commands are still
>> missing in 10.4, though...
> Interesting. Could you say something more about *how* you discovered
> this? How did it affect your traffic?
I discovered it from the PFE shell when searching for filter/policer
information and statistics. Found that the DDoS policer statistics can
be found with "show ddos policer stats all" and the state with "show ddos
state". On I-CHIP-based cards these commands are not available, naturally.
In our case the DDoS policer seems to have policed a rather big amount
of RE-destined traffic during a storm that for some reason wasn't
policed by the lo0 filter. All routing protocols remained stable, but
some ICMP or SNMP packets coming through the same PFE were also policed
by the DDoS policer. Anyway, it was a bit of a surprise that the DDoS policer
is enabled in the PFE in 10.4 and no related CLI commands are available.
antti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
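The situation Antti describes (the PFE DDoS policer silently dropping RE-bound ICMP and SNMP that the lo0 filter never saw) is the case the 11.2 CLI is meant to make visible and tunable. The following is an added example, not from the thread or from Juniper: it assumes a Trio-based MX running Junos 11.2 or later, where the `ddos-protection` hierarchy exists, and the packet-per-second values are illustrative placeholders, not recommended settings. The first step is to look before changing anything, so that a storm is not "fixed" by simply raising every limit.

```junos
## Added example (not part of the original mailing-list thread).
## Assumes Junos 11.2+ on a Trio PFE; rates below are illustrative only.

## 1. Find out whether the DDoS policer is currently (or was recently)
##    in violation, and for which protocol groups.
show ddos-protection protocols violations
show ddos-protection protocols icmp statistics
show ddos-protection protocols snmp statistics

## 2. Compare the observed rates against the configured limits for the
##    groups that were collateral damage during the storm.
show ddos-protection protocols icmp parameters
show ddos-protection protocols snmp parameters

## 3. Only if legitimate management traffic really exceeds the limit,
##    raise the aggregate policer for that group (bandwidth in pps,
##    burst in packets). Keep the storm source itself constrained by
##    the lo0 filter rather than by loosening these limits wholesale.
configure
set system ddos-protection protocols icmp aggregate bandwidth 2000
set system ddos-protection protocols icmp aggregate burst 2000
set system ddos-protection protocols snmp aggregate bandwidth 1000
set system ddos-protection protocols snmp aggregate burst 1000
commit and-quit

## 4. Reset the counters and re-check after the change so that new
##    violations are attributable to the new limits, not the old ones.
clear ddos-protection protocols statistics
show ddos-protection protocols violations
```

The violations output is the quickest answer to "was it the DDoS policer or the lo0 filter?": a group listed there with non-zero drops during the event is the PFE-level policer at work, which is exactly what the 10.4 PFE shell showed without any CLI exposure.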