
JUNIPER NETWORKS CONFIDENTIAL

DO NOT DISTRIBUTE

DDOS Implementation on MX Platform


- Steven Wong (JTAC)

Rev 2 (02-May-2014)

Introduction ........................................................................................................................................................................... 2

DDOS System Hierarchy ......................................................................................................................................................... 2

Policer Hierarchy .............................................................................................................................................................. 12

1. PUNT traffic with punt type ...................................................................................................................................... 34

2. PUNT traffic with subtype type ................................................................................................................................. 40

3. HBC traffic with subtype type ................................................................................................................................... 41

4. HBC traffic with hbc & other type ............................................................................................................................. 43

5. HBC type to PUNT type ............................................................................................................................................. 46

6. Aggregated policer under the same group ............................................................................................................... 48

7. HBC policer with exception traffic ............................................................................................................................ 49

Host Bound Queue Mapping ............................................................................................................................................ 56

uKern Level ....................................................................................................................................................................... 59

Routing Engine Level ........................................................................................................................................................ 65

Suspicious Control Flow Detection (SCFD) ...................................................................................................................... 66

DDOS Configuration Hierarchy ............................................................................................................................................. 80

Statistics/Errors .................................................................................................................................................................... 82

When DDOS Doesn't Seem To Work ................................................................................................................ 93

Major Upcoming Changes ................................................................................................................................................. 95

Reference ........................................................................................................................................................................... 118

Changes .............................................................................................................................................................................. 119


JUNIPER NETWORKS CONFIDENTIAL DO NOT DISTRIBUTE Juniper Networks, Inc. 1

Introduction
The DDOS protection infrastructure was introduced with the TRIO ASIC. It monitors, inspects, classifies and polices the
host-bound traffic flows so that a misbehaving flow cannot cause unexpected host queue congestion in the different
parts of the system (ASIC, uKern and RE). It is enabled by default, with pre-defined, user-configurable thresholds for the
various packet types.

In this document, we will go through the implementation of DDOS on the MX platform with TRIO MPCs and explain how
the policers are applied in the different parts of the system. The following is based on JUNOS 13.3.

DDOS System Hierarchy


Basically, the policer is implemented at three different levels: ASIC, uKern and Routing Engine. With Suspicious
Control Flow Detection (SCFD), we can even drop or police on a per-flow basis. In the following, we will use a TRIO board
as an example.

Once host-bound traffic is received via the PUNT nexthop with its PUNT reason, it is tagged with a DDOS protocol ID
according to its packet type. If the packet is a control packet, for example an IPv4/IPv6 packet, the host-bound
classification filter (HBC) (i.e. HOSTBOUND_IPv4_FILTER / HOSTBOUND_IPv6_FILTER) is used to look further into the
packet content, such as the IP protocol and the source/destination port numbers, to determine the packet type and
assign the matching DDOS protocol ID.

Once the packet is tagged with the DDOS protocol ID, the corresponding policer is applied to rate-limit that specific
packet type. Here is the HOSTBOUND_IPv4_FILTER.
NPC2(Dokinchan-re0 vty)# show filter index 46137345 program
Filter index = 46137345
Optimization flag: 0x0
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term HOSTBOUND_IGMP_TERM
term priority 0
payload-protocol
2

then
accept
ddos proto 69
term HOSTBOUND_OSPF_TERM
term priority 0
payload-protocol
89

then
accept
ddos proto 70
term HOSTBOUND_RSVP_TERM
term priority 0
payload-protocol
46

then
accept
ddos proto 71
term HOSTBOUND_PIM_TERM
term priority 0
payload-protocol
103

then
accept
ddos proto 72
term HOSTBOUND_DHCP_TERM
term priority 0
payload-protocol
17
destination-port
67-68

then
accept
ddos proto 24
term HOSTBOUND_RIP_TERM
term priority 0
payload-protocol
17
destination-port
520-521

then
accept
ddos proto 73
term HOSTBOUND_PTP_TERM
term priority 0
payload-protocol
17
destination-port
319-320

then
action next-hop, type (set ptp nh)

ddos proto 74
term HOSTBOUND_BFD_TERM1
term priority 0
payload-protocol
17
destination-port
3784-3785

then
action next-hop, type (inline keepalive BFD nh)

ddos proto 75
term HOSTBOUND_BFD_TERM2
term priority 0
payload-protocol
17
destination-port
4784

then
accept
ddos proto 75
term HOSTBOUND_LMP_TERM
term priority 0
payload-protocol
17
destination-port
701

then
accept
ddos proto 76
term HOSTBOUND_ANCP_TERM
term priority 0
payload-protocol
6
destination-port
6068

then
accept
ddos proto 85
term HOSTBOUND_LDP_TERM1
term priority 0
payload-protocol
6
destination-port
646

then
accept
ddos proto 77
term HOSTBOUND_LDP_TERM2
term priority 0
payload-protocol
6
source-port
646

then
accept
ddos proto 77
term HOSTBOUND_LDP_TERM3
term priority 0
payload-protocol
17
destination-port
646

then
accept
ddos proto 77
term HOSTBOUND_LDP_TERM4
term priority 0
payload-protocol
17
source-port
646

then
accept
ddos proto 77
term HOSTBOUND_MSDP_TERM1
term priority 0
payload-protocol
6
destination-port
639

then
accept
ddos proto 78
term HOSTBOUND_MSDP_TERM2
term priority 0
payload-protocol
6
source-port
639

then
accept
ddos proto 78
term HOSTBOUND_BGP_TERM1
term priority 0
payload-protocol
6
destination-port
179

then
accept
ddos proto 79
term HOSTBOUND_BGP_TERM2
term priority 0
payload-protocol
6
source-port
179

then
accept
ddos proto 79
term HOSTBOUND_VRRP_TERM
term priority 0
payload-protocol
112
destination-address
224.0.0.18/32

then
action next-hop, type (inline keepalive VRRP nh)

ddos proto 80
term HOSTBOUND_TELNET_TERM1
term priority 0
payload-protocol
6
destination-port
23

then
accept
ddos proto 81
term HOSTBOUND_TELNET_TERM2
term priority 0
payload-protocol
6
source-port
23

then
accept
ddos proto 81
term HOSTBOUND_FTP_TERM1
term priority 0
payload-protocol
6
destination-port
20-21

then
accept
ddos proto 82
term HOSTBOUND_FTP_TERM2
term priority 0
payload-protocol
6
source-port
20-21

then
accept
ddos proto 82
term HOSTBOUND_SSH_TERM1
term priority 0
payload-protocol
6
destination-port
22

then
accept
ddos proto 83
term HOSTBOUND_SSH_TERM2
term priority 0
payload-protocol
6
source-port
22

then
accept
ddos proto 83
term HOSTBOUND_SNMP_TERM1
term priority 0
payload-protocol
17
destination-port
161

then
accept
ddos proto 84
term HOSTBOUND_SNMP_TERM2
term priority 0
payload-protocol
17
source-port
161

then
accept
ddos proto 84
term HOSTBOUND_DTCP_TERM
term priority 0
payload-protocol
17
destination-port
652
destination-address
224.0.0.36/32

then
accept
ddos proto 148
term HOSTBOUND_RADIUS_TERM_SERVER
term priority 0
payload-protocol
17
destination-port
1812

then
accept
ddos proto 151
term HOSTBOUND_RADIUS_TERM_ACCOUNT
term priority 0
payload-protocol
17
destination-port
1813

then
accept
ddos proto 152
term HOSTBOUND_RADIUS_TERM_AUTH
term priority 0
payload-protocol
17
destination-port
3799

then
accept
ddos proto 153
term HOSTBOUND_NTP_TERM
term priority 0
payload-protocol
17
destination-port
123
destination-address
224.0.1.1/32

then
accept
ddos proto 154
term HOSTBOUND_TACACS_TERM
term priority 0
payload-protocol
17
destination-port
49

then
accept
ddos proto 155
term HOSTBOUND_DNS_TERM1
term priority 0
payload-protocol
6
destination-port
53

then
accept
ddos proto 156
term HOSTBOUND_DNS_TERM2
term priority 0
payload-protocol
17
destination-port
53

then
accept
ddos proto 156
term HOSTBOUND_DIAMETER_TERM1
term priority 0
payload-protocol
6
destination-port
3868

then
accept
ddos proto 157
term HOSTBOUND_DIAMETER_TERM2
term priority 0
payload-protocol
132
destination-port
3868

then
accept
ddos proto 157
term HOSTBOUND_L2TP_TERM
term priority 0
payload-protocol
17
destination-port
1701

then
accept
ddos proto 162
term HOSTBOUND_GRE_TERM
term priority 0
payload-protocol
47

then
accept
ddos proto 163
term HOSTBOUND_ICMP_TERM
term priority 0
payload-protocol
1

then
accept
ddos proto 68
term HOSTBOUND_TCP_FLAGS_TERM_INITIAL
term priority 0
payload-protocol
6
tcp-flags
value & 0x12 = 0x02

then
accept
ddos proto 146
term HOSTBOUND_TCP_FLAGS_TERM_ESTAB
term priority 0
payload-protocol
6
tcp-flags
value & 0x14 != 0x00

then
accept
ddos proto 147
term HOSTBOUND_TCP_FLAGS_TERM_UNCLS
term priority 0
payload-protocol
6
tcp-flags
value & 0x3f != 0x00

then
accept
ddos proto 145
term HOSTBOUND_IP_FRAG_TERM_FIRST
term priority 0
is-fragment
value & 0x3fff = 0x2000

then
accept
ddos proto 160
term HOSTBOUND_IP_FRAG_TERM_TRAIL
term priority 0
is-fragment
value & 0x1fff != 0x0000

then
accept
ddos proto 161
term HOSTBOUND_AMT_TERM1
term priority 0
payload-protocol
17
destination-port
2268

then
accept
ddos proto 198
term HOSTBOUND_AMT_TERM2
term priority 0
payload-protocol
17
source-port
2268

then
accept
ddos proto 198
term HOSTBOUND_IPV4_DEFAULT_TERM
term priority 0

then
accept

NPC2(Dokinchan-re0 vty)#
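The filter program above is a strict first-match term walk, and the order of the terms decides which policer a packet ends up under: port-based terms come before the TCP-flags terms, and the fragment terms come last. The following is an added example (not part of the document and not Juniper code) that simulates that walk in Python. The term table, ports and `ddos proto` indices are copied from the filter output; the `Pkt` packet model and the matching rules (in particular that port and flag conditions cannot match when no L4 header is visible, as in a trailing fragment) are assumptions of the example.

```python
"""Added example (not part of the document): simulate the term walk of the
HOSTBOUND_IPv4_FILTER program shown above. Terms are evaluated in the filter's
order and the first match assigns the 'ddos proto' index. The term table is
copied from the filter output; the packet model and matching rules are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    proto: int                       # IPv4 payload protocol number
    dst: str = "0.0.0.0"             # destination address
    sport: Optional[int] = None      # None when no L4 header is visible
    dport: Optional[int] = None
    tcp_flags: Optional[int] = None  # TCP flag byte; None if not TCP or not visible
    frag: int = 0                    # IPv4 flags+offset field: MF = 0x2000, offset = low 13 bits


# (term, ddos proto index, conditions) in filter order. 'flags' and 'frag' hold
# (mask, value, must_equal) for the 'value & mask = x' / 'value & mask != x' terms.
TERMS = [
    ("IGMP", 69, dict(proto=2)), ("OSPF", 70, dict(proto=89)),
    ("RSVP", 71, dict(proto=46)), ("PIM", 72, dict(proto=103)),
    ("DHCP", 24, dict(proto=17, dport=range(67, 69))),
    ("RIP", 73, dict(proto=17, dport=range(520, 522))),
    ("PTP", 74, dict(proto=17, dport=range(319, 321))),
    ("BFD_TERM1", 75, dict(proto=17, dport=range(3784, 3786))),
    ("BFD_TERM2", 75, dict(proto=17, dport=4784)),
    ("LMP", 76, dict(proto=17, dport=701)), ("ANCP", 85, dict(proto=6, dport=6068)),
    ("LDP_TERM1", 77, dict(proto=6, dport=646)), ("LDP_TERM2", 77, dict(proto=6, sport=646)),
    ("LDP_TERM3", 77, dict(proto=17, dport=646)), ("LDP_TERM4", 77, dict(proto=17, sport=646)),
    ("MSDP_TERM1", 78, dict(proto=6, dport=639)), ("MSDP_TERM2", 78, dict(proto=6, sport=639)),
    ("BGP_TERM1", 79, dict(proto=6, dport=179)), ("BGP_TERM2", 79, dict(proto=6, sport=179)),
    ("VRRP", 80, dict(proto=112, dst="224.0.0.18")),
    ("TELNET_TERM1", 81, dict(proto=6, dport=23)), ("TELNET_TERM2", 81, dict(proto=6, sport=23)),
    ("FTP_TERM1", 82, dict(proto=6, dport=range(20, 22))),
    ("FTP_TERM2", 82, dict(proto=6, sport=range(20, 22))),
    ("SSH_TERM1", 83, dict(proto=6, dport=22)), ("SSH_TERM2", 83, dict(proto=6, sport=22)),
    ("SNMP_TERM1", 84, dict(proto=17, dport=161)), ("SNMP_TERM2", 84, dict(proto=17, sport=161)),
    ("DTCP", 148, dict(proto=17, dport=652, dst="224.0.0.36")),
    ("RADIUS_SERVER", 151, dict(proto=17, dport=1812)),
    ("RADIUS_ACCOUNT", 152, dict(proto=17, dport=1813)),
    ("RADIUS_AUTH", 153, dict(proto=17, dport=3799)),
    ("NTP", 154, dict(proto=17, dport=123, dst="224.0.1.1")),
    ("TACACS", 155, dict(proto=17, dport=49)),
    ("DNS_TERM1", 156, dict(proto=6, dport=53)), ("DNS_TERM2", 156, dict(proto=17, dport=53)),
    ("DIAMETER_TERM1", 157, dict(proto=6, dport=3868)),
    ("DIAMETER_TERM2", 157, dict(proto=132, dport=3868)),
    ("L2TP", 162, dict(proto=17, dport=1701)), ("GRE", 163, dict(proto=47)),
    ("ICMP", 68, dict(proto=1)),
    ("TCP_FLAGS_INITIAL", 146, dict(proto=6, flags=(0x12, 0x02, True))),  # SYN without ACK
    ("TCP_FLAGS_ESTAB", 147, dict(proto=6, flags=(0x14, 0x00, False))),   # ACK or RST set
    ("TCP_FLAGS_UNCLS", 145, dict(proto=6, flags=(0x3f, 0x00, False))),   # any other flag set
    ("IP_FRAG_FIRST", 160, dict(frag=(0x3fff, 0x2000, True))),             # MF set, offset 0
    ("IP_FRAG_TRAIL", 161, dict(frag=(0x1fff, 0x0000, False))),            # offset != 0
]


def _port_match(want, have):
    # Assumption: a port term cannot match when no L4 header is visible.
    if have is None:
        return False
    return have in want if isinstance(want, range) else have == want


def _masked(cond, value):
    mask, expect, must_equal = cond
    return ((value & mask) == expect) == must_equal


def classify(p: Pkt):
    """Return (term, ddos proto index) of the first matching term, or the default term."""
    for name, idx, c in TERMS:
        if "proto" in c and p.proto != c["proto"]:
            continue
        if "dst" in c and p.dst != c["dst"]:
            continue
        if "dport" in c and not _port_match(c["dport"], p.dport):
            continue
        if "sport" in c and not _port_match(c["sport"], p.sport):
            continue
        if "flags" in c and (p.tcp_flags is None or not _masked(c["flags"], p.tcp_flags)):
            continue
        if "frag" in c and not _masked(c["frag"], p.frag):
            continue
        return name, idx
    return "IPV4_DEFAULT", None  # accepted, no dedicated ddos proto index


# Constructed sample packets: a BGP SYN hits the port term before the TCP-flags
# terms, a first fragment still carries its ports, a trailing fragment does not.
SAMPLES = {
    "bgp syn": Pkt(proto=6, dport=179, tcp_flags=0x02),
    "syn to 8080": Pkt(proto=6, dport=8080, tcp_flags=0x02),
    "ack to 8080": Pkt(proto=6, dport=8080, tcp_flags=0x10),
    "dns first frag": Pkt(proto=17, dport=53, frag=0x2000),
    "trailing frag": Pkt(proto=17, frag=0x0005),
    "vrrp unicast": Pkt(proto=112, dst="10.0.0.1"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:15} -> {classify(pkt)}")
```

The practical point the simulation makes: a TCP SYN flood aimed at port 179 is policed as BGP (index 79), not as `tcp-flags` initial (146), and a trailing fragment can only ever land in the `ip-fragments` policer (161), so the protocol policers alone say nothing about fragment floods.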

Policer Hierarchy
The DDOS configuration is mainly a combination of three different levels: ASIC, uKern and Routing Engine. Each of
them applies a rate limit to the corresponding packet type. DDOS is enabled by default. Although it can be disabled via
a configuration knob, that's not recommended.
# set system ddos-protection global ?
Possible completions:
disable-fpc Disable FPC policing for all protocols
disable-logging Disable event logging for all protocols
disable-routing-engine Disable Routing Engine policing for all protocols

However, disabling DDOS for a specific protocol does not mean that its traffic will fall through to the other terms within
the DDOS filter; it just means that we accept all those packets without policing.

Here are the protocols defined under the DDOS infrastructure.

# set system ddos-protection protocols ?
Possible completions:
> amtv4 Configure AMT v4 control packets
> amtv6 Configure AMT v6 control packets
> ancp Configure ANCP traffic
> ancpv6 Configure ANCPv6 traffic
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> arp Configure ARP traffic
> atm Configure ATM traffic
> bfd Configure BFD traffic
> bfdv6 Configure BFDv6 traffic
> bgp Configure BGP traffic
> bgpv6 Configure BGPv6 traffic
> demux-autosense Configure demux autosense traffic
> dhcpv4 Configure DHCPv4 traffic
> dhcpv6 Configure DHCPv6 traffic
> diameter Configure Diameter/Gx+ traffic
> dns Configure DNS traffic
> dtcp Configure dtcp traffic
> dynamic-vlan Configure dynamic vlan exceptions
> egpv6 Configure EGPv6 traffic
> eoam Configure EOAM traffic
> esmc Configure ESMC traffic
> fab-probe Configure fab out probe packets
> firewall-host Configure packets via firewall 'send-to-host' action
> frame-relay Configure frame relay control packets
> ftp Configure FTP traffic
> ftpv6 Configure FTPv6 traffic
> gre Configure GRE traffic
> icmp Configure ICMP traffic
> icmpv6 Configure ICMPv6 traffic
> igmp Configure IGMP traffic
> igmpv4v6 Configure IGMPv4-v6 traffic
> igmpv6 Configure IGMPv6 traffic
> inline-ka Configure inline keepalive packets
> inline-svcs Configure inline services
> ip-fragments Configure IP-Fragments
> ip-options Configure ip options traffic
> isis Configure ISIS traffic
> jfm Configure JFM traffic
> keepalive Configure keepalive packets
> l2pt Configure Layer 2 protocol tunneling
> l2tp Configure l2tp traffic
> lacp Configure LACP traffic
> ldp Configure LDP traffic
> ldpv6 Configure LDPv6 traffic
> lldp Configure LLDP traffic
> lmp Configure LMP traffic
> lmpv6 Configure LMPv6 traffic
> mac-host Configure L2-MAC configured 'send-to-host'
> mcast-snoop Configure snooped multicast control traffic
> mlp Configure MLP traffic
> msdp Configure MSDP traffic
> msdpv6 Configure MSDPv6 traffic
> mvrp Configure MVRP traffic
> ndpv6 Configure NDPv6 traffic
> ntp Configure NTP traffic
> oam-lfm Configure OAM-LFM traffic
> ospf Configure OSPF traffic
> ospfv3v6 Configure OSPFv3v6 traffic
> pfe-alive Configure pfe alive traffic
> pim Configure PIM traffic
> pimv6 Configure PIMv6 traffic
> pmvrp Configure PMVRP traffic
> pos Configure POS traffic
> ppp Configure PPP control traffic
> pppoe Configure PPPoE control traffic
> ptp Configure PTP traffic
> pvstp Configure PVSTP traffic
> radius Configure Radius traffic
> redirect Configure packets to trigger ICMP redirect
> reject Configure packets via 'reject' action
> rejectv6 Configure packets via 'rejectv6' action
> rip Configure RIP traffic
> ripv6 Configure RIPv6 traffic
> rsvp Configure RSVP traffic
> rsvpv6 Configure RSVPv6 traffic
> sample Configure sampled traffic
> services Configure services
> snmp Configure SNMP traffic
> snmpv6 Configure SNMPv6 traffic
> ssh Configure SSH traffic
> sshv6 Configure SSHv6 traffic
> stp Configure STP traffic
> tacacs Configure TACACS traffic
> tcp-flags Configure packets with tcp flags
> telnet Configure telnet traffic
> telnetv6 Configure telnet-v6 traffic
> ttl Configure ttl traffic
> tunnel-fragment Configure tunnel fragment
> unclassified Configure unclassified host-bound traffic
> virtual-chassis Configure virtual chassis traffic
> vrrp Configure VRRP traffic
> vrrpv6 Configure VRRPv6 traffic

Let's take IPv4 unclassified packets (i.e. host-bound packets which don't fall into any of the pre-defined IPv4 protocol
types above) as an example. Under the unclassified protocol type, we have a separate policer configuration per
host-bound notification type. (Note: the unclassified protocol type covers IPv6 as well, but I leave out the IPv6 part to
simplify things a bit. Also, the flow-related configuration will be covered under the SCFD section.)
# set system ddos-protection protocols unclassified ?
Possible completions:
> aggregate Configure aggregate for all unclassified host-bound traffic
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> control-layer2 Configure unclassified layer2 control packets
> control-v4 Configure unclassified v4 control packets
> filter-v4 Configure unclassified v4 filter action packets
> fw-host Configure Unclassified send to host fw traffic
> host-route-v4 Configure unclassified v4 routing protocol and host packets
> mcast-copy Configure Unclassified host copy due to multicast routing
> other Configure all other unclassified packets
> resolve-v4 Configure unclassified v4 resolve packets

Under each notification type, we can define the policer rate and burst size for the whole system (i.e. Routing Engine
level) or per FPC (uKern level). Under each FPC, each PFE (i.e. ASIC level) takes the FPC policer configuration and
applies it at the ASIC level in the LUchip as well.
# set system ddos-protection protocols unclassified host-route-v4 ?
Possible completions:
bandwidth Policer bandwidth (1..100000 packets per second)
burst Policer burst size (1..100000 packets)
bypass-aggregate Bypass aggregate policer
disable-fpc Turn off policing on all fpc's
disable-logging Disable event logging for protocol violation
disable-routing-engine Turn off policing on routing engine
> fpc Flexible PIC Concentrator parameters
recover-time Time for protocol to return to normal (1..3600 seconds)

# set system ddos-protection protocols unclassified host-route-v4 fpc 0 ?
Possible completions:
bandwidth-scale Bandwidth scale from 1% to 100% (1..100 percent)
burst-scale Burst scale from 1% to 100% (1..100 percent)
disable-fpc Turn off policing on this slot

> show ddos-protection protocols unclassified parameters
Packet types: 13, Modified: 0
* = User configured value

Protocol Group: Unclassified

Packet type: aggregate (Aggregate for unclassified host-bound traffic)


Aggregate policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Recover time: 300 seconds
Enabled: Yes
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

Packet type: other (all other unclassified packets)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: resolve-v4 (unclassified v4 resolve packets)


Individual policer configuration:
Bandwidth: 5000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 5000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled

Packet type: resolve-v6 (unclassified v6 resolve packets)


Individual policer configuration:
Bandwidth: 5000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 5000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (5000 pps), Burst: 100% (10000 packets), enabled

Packet type: control-v4 (unclassified v4 control packets)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: control-v6 (unclassified v6 control packets)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: host-route-v4 (unclassified v4 routing protocol and host packet)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: host-route-v6 (unclassified v6 routing protocol and host packet)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: filter-v4 (unclassified v4 filter action packets)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: filter-v6 (unclassified v6 filter action packets)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: control-layer2 (unclassified layer2 control packets)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Packet type: fw-host (Unclassified send to host fw traffic)


Individual policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Priority: High
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

Packet type: mcast-copy ( Unclassified host copy due to multicast routing)


Individual policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Priority: High
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled

Here is the policer configuration under the PFE.

# show ddos policer configuration unclassified
DDOS Policer Configuration:
                                      UKERN-Config    PFE-Config
idx prot   group        proto        on Pri   rate  burst   rate  burst
--- ---  ------------ ------------   -- --  ------ -----  ------ -----
176 5800  uncls        aggregate     Y  Md   20000 20000    ---   ---
177 5801  uncls        other         Y  Lo    2000 10000   2000 10000
178 5802  uncls        resolve-v4    Y  Lo    5000 10000   5000 10000
179 5803  uncls        resolve-v6    Y  Lo    5000 10000   5000 10000
180 5804  uncls        control-v4    Y  Lo    2000 10000   2000 10000
181 5805  uncls        control-v6    Y  Lo    2000 10000   2000 10000
182 5806  uncls        host-rt-v4    Y  Lo    2000 10000   2000 10000
183 5807  uncls        host-rt-v6    Y  Lo    2000 10000   2000 10000
184 5808  uncls        filter-v4     Y  Lo    2000 10000   2000 10000
185 5809  uncls        filter-v6     Y  Lo    2000 10000   2000 10000
186 580a  uncls        control-l2    Y  Lo    2000 10000   2000 10000
187 580b  uncls        fw-host       Y  Hi   20000 20000  20000 20000
188 580c  uncls        mcast-copy    Y  Hi    2000 10000   2000 10000

We find exactly the same structure for the other protocols, for example PPP.
# set system ddos-protection protocols ppp ?
Possible completions:
> aggregate Configure aggregate for all PPP control traffic
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> authentication Configure Authentication Protocol
> echo-rep Configure LCP Echo Reply
> echo-req Configure LCP Echo Request
> ipcp Configure IP Control Protocol
> ipv6cp Configure IPv6 Control Protocol
> isis Configure ISIS Protocol
> lcp Configure Link Control Protocol
> mlppp-lcp Configure MLPPP LCP
> mplscp Configure MPLS Control Protocol
> unclassified Configure unclassified PPP control traffic
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ppp echo-req ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
bandwidth Policer bandwidth (1..100000 packets per second)
burst Policer burst size (1..100000 packets)
bypass-aggregate Bypass aggregate policer
disable-fpc Turn off policing on all fpc's
disable-logging Disable event logging for protocol violation
disable-routing-engine Turn off policing on routing engine
> fpc Flexible PIC Concentrator parameters

# show ddos policer configuration ppp
DDOS Policer Configuration:
                                      UKERN-Config    PFE-Config
idx prot   group        proto        on Pri   rate  burst   rate  burst
--- ---  ------------ ------------   -- --  ------ -----  ------ -----
  4  400  ppp          aggregate     Y  Md   16000 16000    ---   ---
  5  401  ppp          unclass       Y  Lo    1000   500   1000   500
  6  402  ppp          lcp           Y  Lo   12000 12000  12000 12000
  7  403  ppp          auth          Y  Md    2000  2000   2000  2000
  8  404  ppp          ipcp          Y  Hi    2000  2000   2000  2000
  9  405  ppp          ipv6cp        Y  Hi    2000  2000   2000  2000
 10  406  ppp          mplscp        Y  Hi    2000  2000   2000  2000
 11  407  ppp          isis          Y  Hi    2000  2000   2000  2000
 12  408  ppp          echo-req      Y  Lo   12000 12000  12000 12000
 13  409  ppp          echo-rep      Y  Lo   12000 12000  12000 12000
 14  40a  ppp          mlppp-lcp     Y  Lo   12000 12000  12000 12000

We will cover the relationship of the policers in each level under the following sections.
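The `show ddos policer configuration` tables above carry two identifiers per packet type: the `idx` column, which is the number the host-bound filter references in its `ddos proto` action (the IGMP term above accepts with `ddos proto 69`, and `idx` 69 is `igmp aggregate`), and the hexadecimal `prot` column, whose high bits are shared by every entry of a group (`400`..`40a` for ppp, `5800`..`580c` for uncls) with the low byte counting the sub-types. The following added example (not part of the document and not Juniper code) parses those tables so they can be audited offline: it resolves a filter's `ddos proto` index to its group and packet type, lists the entries that show no PFE-level rate (`---`), and flags any entry whose PFE rate differs from its uKern rate. The sample rows are copied from the document's own output; the split of `prot` into a group number and sub-type is the pattern observed in those tables, not a format the document defines.

```python
"""Added example (not part of the document): parse 'show ddos policer
configuration' output and decode its idx/prot columns. The rows in SAMPLE are
copied from the document; the prot decoding (group = high bits, sub-type =
low byte) is an observed pattern, not a documented format."""
import re

SAMPLE = """\
DDOS Policer Configuration:
                                      UKERN-Config    PFE-Config
idx prot   group        proto        on Pri   rate  burst   rate  burst
--- ---  ------------ ------------   -- --  ------ -----  ------ -----
  0    0  host-path    aggregate     Y  --     ---   ---  25000 25000
  4  400  ppp          aggregate     Y  Md   16000 16000    ---   ---
  5  401  ppp          unclass       Y  Lo    1000   500   1000   500
 24  600  dhcpv4       aggregate     Y  Md    5000  5000   5000  5000
 26  602  dhcpv4       discover      Y  Lo     500   500    ---   ---
 69  a00  igmp         aggregate     Y  Hi   20000 20000  20000 20000
 70  b00  ospf         aggregate     Y  Hi   20000 20000  20000 20000
176 5800  uncls        aggregate     Y  Md   20000 20000    ---   ---
187 580b  uncls        fw-host       Y  Hi   20000 20000  20000 20000
"""

# One data row: idx, hex prot, group, proto, on, Pri, ukern rate/burst, pfe rate/burst.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+([YN])\s+(\S+)"
                 r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _num(tok):
    """'---' means no value in that column; everything else is a packet count."""
    return None if tok == "---" else int(tok)


def parse_policer_table(text):
    """Return {idx: row dict}; header and separator lines are skipped by the regex."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, prot, group, proto, on, pri, ur, ub, pr, pb = m.groups()
        pid = int(prot, 16)
        rows[int(idx)] = {
            "prot": pid, "group_id": pid >> 8, "sub_id": pid & 0xFF,
            "group": group, "proto": proto, "enabled": on == "Y", "pri": pri,
            "ukern": (_num(ur), _num(ub)), "pfe": (_num(pr), _num(pb)),
        }
    return rows


def describe_filter_index(rows, idx):
    """Resolve a 'ddos proto N' action of the host-bound filter to 'group/proto'."""
    r = rows.get(idx)
    return f"{r['group']}/{r['proto']}" if r else None


def pfe_unpoliced(rows):
    """Indices whose PFE-Config columns are '---', i.e. no PFE-level rate is shown."""
    return [i for i, r in rows.items() if r["pfe"] == (None, None)]


def ukern_pfe_mismatch(rows):
    """Indices where both levels show a rate but they differ (worth a look after scaling)."""
    return [i for i, r in rows.items()
            if None not in r["pfe"] and None not in r["ukern"] and r["pfe"] != r["ukern"]]


if __name__ == "__main__":
    rows = parse_policer_table(SAMPLE)
    print("ddos proto 69 ->", describe_filter_index(rows, 69))
    print("no PFE rate shown:", pfe_unpoliced(rows))
    print("uKern/PFE mismatch:", ukern_pfe_mismatch(rows))
```

Feeding the full `show ddos policer configuration all` output through `parse_policer_table` gives a quick way to confirm, per packet type, which of the three levels actually carries a rate before reasoning about where a flood will be dropped.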


ASIC Level
The policer on the ASIC is done by the LUchip. The following is a map of protocol type to the policer being applied. Under
DDOS, each protocol/frame type has an index and a protocol ID defined (which is NOT the IPv4 protocol number). The
DDOS policer maps the corresponding protocol/frame type to the corresponding protocol ID for classification.

Here is a list of each protocol type with its corresponding protocol ID and index. For each of them, there are uKern level
and PFE (i.e. LUchip) level configurations. There is a priority for each protocol type, but it only applies between the
protocols (for example lcp, auth, ipcp, etc.) within the same group (i.e. PPP).
# show ddos policer configuration all
DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
0 0 host-path aggregate Y -- --- --- 25000 25000
1 100 ipv4-uncls aggregate Y Md 2000 10000 2000 10000
2 200 ipv6-uncls aggregate Y Md 2000 10000 2000 10000
3 300 dynvlan aggregate Y Lo 1000 500 1000 500
4 400 ppp aggregate Y Md 16000 16000 --- ---
5 401 ppp unclass Y Lo 1000 500 1000 500
6 402 ppp lcp Y Lo 12000 12000 12000 12000
7 403 ppp auth Y Md 2000 2000 2000 2000
8 404 ppp ipcp Y Hi 2000 2000 2000 2000
9 405 ppp ipv6cp Y Hi 2000 2000 2000 2000
10 406 ppp mplscp Y Hi 2000 2000 2000 2000
11 407 ppp isis Y Hi 2000 2000 2000 2000
12 408 ppp echo-req Y Lo 12000 12000 12000 12000
13 409 ppp echo-rep Y Lo 12000 12000 12000 12000
14 40a ppp mlppp-lcp Y Lo 12000 12000 12000 12000
15 500 pppoe aggregate Y Md 2000 2000 --- ---
16 501 pppoe unclass.. Y -- --- --- 0 0
17 502 pppoe padi Y Lo 500 500 500 500
18 503 pppoe pado Y Lo 0 0 0 0
19 504 pppoe padr Y Md 500 500 500 500
20 505 pppoe pads Y Lo 0 0 0 0
21 506 pppoe padt Y Hi 1000 1000 1000 1000
22 507 pppoe padm Y Lo 0 0 0 0
23 508 pppoe padn Y Lo 0 0 0 0
24 600 dhcpv4 aggregate Y Md 5000 5000 5000 5000
25 601 dhcpv4 unclass.. Y Lo 300 150 --- ---
26 602 dhcpv4 discover Y Lo 500 500 --- ---
27 603 dhcpv4 offer Y Lo 1000 1000 --- ---
28 604 dhcpv4 request Y Md 1000 1000 --- ---
29 605 dhcpv4 decline Y Lo 500 500 --- ---
30 606 dhcpv4 ack Y Md 500 500 --- ---
31 607 dhcpv4 nak Y Lo 500 500 --- ---
32 608 dhcpv4 release Y Hi 2000 2000 --- ---
33 609 dhcpv4 inform Y Lo 500 500 --- ---
34 60a dhcpv4 renew Y Hi 2000 2000 --- ---
35 60b dhcpv4 forcerenew Y Hi 2000 2000 --- ---
36 60c dhcpv4 leasequery Y Hi 2000 2000 --- ---
37 60d dhcpv4 leaseuna.. Y Hi 2000 2000 --- ---
38 60e dhcpv4 leaseunk.. Y Hi 2000 2000 --- ---
39 60f dhcpv4 leaseact.. Y Hi 2000 2000 --- ---
40 610 dhcpv4 bootp Y Lo 300 300 --- ---
41 611 dhcpv4 no-msgtype Y Lo 1000 1000 --- ---
42 612 dhcpv4 bad-pack.. Y Lo 0 0 --- ---
43 700 dhcpv6 aggregate Y Lo 5000 5000 5000 5000
44 701 dhcpv6 unclass.. Y Lo 3000 3000 --- ---
45 702 dhcpv6 solicit Y Lo 500 500 --- ---
46 703 dhcpv6 advertise Y Lo 500 500 --- ---
47 704 dhcpv6 request Y Md 1000 1000 --- ---
48 705 dhcpv6 confirm Y Md 1000 1000 --- ---
49 706 dhcpv6 renew Y Md 2000 2000 --- ---
50 707 dhcpv6 rebind Y Md 2000 2000 --- ---
51 708 dhcpv6 reply Y Md 1000 1000 --- ---
52 709 dhcpv6 release Y Hi 2000 2000 --- ---
53 70a dhcpv6 decline Y Lo 1000 1000 --- ---
54 70b dhcpv6 reconfig Y Lo 1000 1000 --- ---
55 70c dhcpv6 info..req Y Lo 1000 1000 --- ---
56 70d dhcpv6 relay-for.. Y Lo 1000 1000 --- ---
57 70e dhcpv6 relay-rep.. Y Lo 1000 1000 --- ---
58 70f dhcpv6 leasequery Y Lo 1000 1000 --- ---
59 710 dhcpv6 leaseq..re Y Lo 1000 1000 --- ---
60 711 dhcpv6 leaseq..do Y Lo 1000 1000 --- ---
61 712 dhcpv6 leaseq..da Y Lo 1000 1000 --- ---
62 800 vchassis aggregate Y Lo 30000 30000 --- ---
63 801 vchassis unclass.. Y Lo 0 0 --- ---
64 802 vchassis control-hi Y Hi 10000 5000 10000 5000
65 803 vchassis control-lo Y Lo 8000 3000 8000 3000
66 804 vchassis vc-packets Y Hi 30000 30000 30000 30000
67 805 vchassis vc-ttl-err Y Hi 4000 10000 4000 10000
68 900 icmp aggregate Y Hi 20000 20000 20000 20000
69 a00 igmp aggregate Y Hi 20000 20000 20000 20000
70 b00 ospf aggregate Y Hi 20000 20000 20000 20000
71 c00 rsvp aggregate Y Hi 20000 20000 20000 20000
72 d00 pim aggregate Y Hi 20000 20000 20000 20000
73 e00 rip aggregate Y Hi 20000 20000 20000 20000
74 f00 ptp aggregate Y Hi 20000 20000 20000 20000
75 1000 bfd aggregate Y Hi 20000 20000 20000 20000
76 1100 lmp aggregate Y Hi 20000 20000 20000 20000
77 1200 ldp aggregate Y Hi 20000 20000 20000 20000
78 1300 msdp aggregate Y Hi 20000 20000 20000 20000
79 1400 bgp aggregate Y Lo 20000 20000 20000 20000
80 1500 vrrp aggregate Y Hi 20000 20000 20000 20000
81 1600 telnet aggregate Y Lo 20000 20000 20000 20000
82 1700 ftp aggregate Y Lo 20000 20000 20000 20000
83 1800 ssh aggregate Y Lo 20000 20000 20000 20000
84 1900 snmp aggregate Y Lo 20000 20000 20000 20000
85 1a00 ancp aggregate Y Lo 20000 20000 20000 20000
86 1b00 igmpv6 aggregate Y Hi 20000 20000 20000 20000
87 1c00 egpv6 aggregate Y Hi 20000 20000 20000 20000
88 1d00 rsvpv6 aggregate Y Hi 20000 20000 20000 20000
89 1e00 igmpv4v6 aggregate Y Hi 20000 20000 20000 20000
90 1f00 ripv6 aggregate Y Hi 20000 20000 20000 20000
91 2000 bfdv6 aggregate Y Hi 20000 20000 20000 20000
92 2100 lmpv6 aggregate Y Hi 20000 20000 20000 20000
93 2200 ldpv6 aggregate Y Hi 20000 20000 20000 20000
94 2300 msdpv6 aggregate Y Hi 20000 20000 20000 20000
95 2400 bgpv6 aggregate Y Lo 20000 20000 20000 20000
96 2500 vrrpv6 aggregate Y Hi 20000 20000 20000 20000
97 2600 telnetv6 aggregate Y Lo 20000 20000 20000 20000
98 2700 ftpv6 aggregate Y Lo 20000 20000 20000 20000
99 2800 sshv6 aggregate Y Lo 20000 20000 20000 20000
100 2900 snmpv6 aggregate Y Lo 20000 20000 20000 20000
101 2a00 ancpv6 aggregate Y Lo 20000 20000 20000 20000
102 2b00 ospfv3v6 aggregate Y Hi 20000 20000 20000 20000
103 2c00 lacp aggregate Y Hi 20000 20000 20000 20000
104 2d00 stp aggregate Y Hi 20000 20000 20000 20000
105 2e00 esmc aggregate Y Hi 20000 20000 20000 20000
106 2f00 oam-lfm aggregate Y Hi 20000 20000 20000 20000
107 3000 eoam aggregate Y Hi 20000 20000 20000 20000
108 3100 lldp aggregate Y Hi 20000 20000 20000 20000
109 3200 mvrp aggregate Y Hi 20000 20000 20000 20000
110 3300 pmvrp aggregate Y Hi 20000 20000 20000 20000
111 3400 arp aggregate Y Lo 20000 20000 20000 20000
112 3500 pvstp aggregate Y Hi 20000 20000 20000 20000
113 3600 isis aggregate Y Hi 20000 20000 20000 20000
114 3700 pos aggregate Y Hi 20000 20000 20000 20000
115 3800 mlp aggregate Y Lo 2000 10000 --- ---
116 3801 mlp unclass.. Y Lo 2000 10000 2000 10000
117 3802 mlp packets Y Lo 2000 10000 2000 10000
118 3803 mlp aging-exc Y Lo 2000 10000 --- ---
119 3900 jfm aggregate Y Hi 20000 20000 20000 20000
120 3a00 atm aggregate Y Hi 20000 20000 20000 20000
121 3b00 pfe-alive aggregate Y Hi 20000 20000 20000 20000
122 3c00 ttl aggregate Y Hi 2000 10000 2000 10000
123 3d00 ip-opt aggregate Y Hi 20000 20000 --- ---
124 3d01 ip-opt unclass.. Y Lo 10000 10000 10000 10000
125 3d02 ip-opt rt-alert Y Hi 20000 20000 20000 20000
126 3d03 ip-opt non-v4v6 Y Lo 10000 10000 10000 10000
127 3e00 redirect aggregate Y Hi 2000 10000 2000 10000
128 3f00 control aggregate Y -- --- --- 20000 20000
129 4000 mcast-copy aggregate Y Hi 2000 10000 2000 10000
130 4100 mac-host aggregate Y Hi 20000 20000 20000 20000
131 4200 tun-frag aggregate Y Hi 2000 10000 2000 10000
132 4300 mcast-snoop aggregate Y Hi 20000 20000 20000 20000
133 4301 mcast-snoop unclass.. Y -- --- --- 0 0
134 4302 mcast-snoop igmp Y Hi 20000 20000 20000 20000
135 4303 mcast-snoop pim Y Lo 20000 20000 20000 20000
136 4304 mcast-snoop mld Y Hi 20000 20000 20000 20000
137 4400 services aggregate Y Hi 20000 20000 --- ---
138 4401 services unclass.. Y -- --- --- 20000 20000
139 4402 services packet Y Hi 20000 20000 20000 20000
140 4403 services BSDT Y Lo 20000 20000 20000 20000
141 4500 demuxauto aggregate Y Hi 2000 10000 2000 10000
142 4600 reject aggregate Y Hi 2000 10000 2000 10000
143 4700 fw-host aggregate Y Hi 20000 20000 20000 20000
144 4800 tcp-flags aggregate Y Lo 20000 20000 --- ---
145 4801 tcp-flags unclass.. Y Lo 20000 20000 20000 20000
146 4802 tcp-flags initial Y Lo 20000 20000 20000 20000
147 4803 tcp-flags establish Y Lo 20000 20000 20000 20000
148 4900 dtcp aggregate Y Hi 20000 20000 20000 20000
149 4a00 radius aggregate Y Hi 20000 20000 --- ---
150 4a01 radius unclass.. Y -- --- --- 20000 20000
151 4a02 radius server Y Hi 20000 20000 20000 20000
152 4a03 radius account.. Y Hi 20000 20000 20000 20000
153 4a04 radius auth.. Y Hi 20000 20000 20000 20000
154 4b00 ntp aggregate Y Hi 20000 20000 20000 20000
155 4c00 tacacs aggregate Y Hi 20000 20000 20000 20000
156 4d00 dns aggregate Y Hi 20000 20000 20000 20000
157 4e00 diameter aggregate Y Hi 20000 20000 20000 20000
158 4f00 ip-frag aggregate Y Lo 20000 20000 --- ---
159 4f01 ip-frag unclass.. Y -- --- --- 20000 20000
160 4f02 ip-frag first-frag Y Lo 20000 20000 20000 20000
161 4f03 ip-frag trail-frag Y Lo 20000 20000 20000 20000
162 5000 l2tp aggregate Y Hi 20000 20000 20000 20000
163 5100 gre aggregate Y Hi 20000 20000 20000 20000
164 5200 ipsec aggregate Y -- --- --- 20000 20000
165 5300 pimv6 aggregate Y Hi 20000 20000 20000 20000
166 5400 icmpv6 aggregate Y Hi 20000 20000 20000 20000
167 5500 ndpv6 aggregate Y Lo 20000 20000 20000 20000
168 5600 sample aggregate Y Md 1000 1000 --- ---
169 5601 sample unclass.. Y -- --- --- 0 0
170 5602 sample syslog Y Md 1000 1000 1000 1000
171 5603 sample host Y Md 1000 1000 1000 1000
172 5604 sample pfe Y Md 1000 1000 1000 1000
173 5605 sample tap Y Md 1000 1000 1000 1000
174 5606 sample sflow Y Md 1000 1000 1000 1000
175 5700 fab-probe aggregate Y Hi 20000 20000 20000 20000
176 5800 uncls aggregate Y Md 20000 20000 --- ---
177 5801 uncls other Y Lo 2000 10000 2000 10000
178 5802 uncls resolve-v4 Y Lo 5000 10000 5000 10000
179 5803 uncls resolve-v6 Y Lo 5000 10000 5000 10000
180 5804 uncls control-v4 Y Lo 2000 10000 2000 10000
181 5805 uncls control-v6 Y Lo 2000 10000 2000 10000
182 5806 uncls host-rt-v4 Y Lo 2000 10000 2000 10000
183 5807 uncls host-rt-v6 Y Lo 2000 10000 2000 10000
184 5808 uncls filter-v4 Y Lo 2000 10000 2000 10000
185 5809 uncls filter-v6 Y Lo 2000 10000 2000 10000
186 580a uncls control-l2 Y Lo 2000 10000 2000 10000
187 580b uncls fw-host Y Hi 20000 20000 20000 20000
188 580c uncls mcast-copy Y Hi 2000 10000 2000 10000
189 5900 rejectv6 aggregate Y Hi 2000 10000 2000 10000
190 5a00 l2pt aggregate Y Lo 20000 20000 20000 20000
191 5b00 keepalive aggregate Y Hi 20000 20000 20000 20000
192 5c00 inline-ka aggregate Y Hi 20000 20000 20000 20000
193 5d00 inline-svcs aggregate Y Lo 20000 20000 20000 20000
194 5e00 frame-relay aggregate Y Lo 20000 20000 20000 20000
195 5e01 frame-relay unclass.. Y -- --- --- 0 0
196 5e02 frame-relay frf15 Y Lo 12000 12000 12000 12000
197 5e03 frame-relay frf16 Y Lo 12000 12000 12000 12000
198 5f00 amtv4 aggregate Y Lo 20000 20000 20000 20000
199 6000 amtv6 aggregate Y Lo 20000 20000 20000 20000

Each protocol is associated with different policers at different levels. Here is the nexthop and host-bound queue (under
MQ) mapping for each PUNT traffic type.

# show ddos asic punt-proto-maps


PUNT codes directly mapped to DDOS proto:
code PUNT name group proto idx q# bwidth burst
---- -------------------- --------- ------ ---- -- ------ ------
1 PUNT_TTL ttl aggregate 3c00 5 2000 10000
3 PUNT_REDIRECT redirect aggregate 3e00 0 2000 10000
5 PUNT_FAB_OUT_PROBE_PKT fab-probe aggregate 5700 0 20000 20000
7 PUNT_MAC_FWD_TYPE_HOST mac-host aggregate 4100 2 20000 20000
8 PUNT_TUNNEL_FRAGMENT tun-frag aggregate 4200 0 2000 10000
11 PUNT_MLP mlp packets 3802 2 2000 10000
12 PUNT_IGMP_SNOOP mcast-snoop igmp 4302 4 20000 20000
13 PUNT_VC_TTL_ERROR vchassis vc-ttl-err 805 2 4000 10000
14 PUNT_L2PT_ERROR l2pt aggregate 5a00 2 20000 20000
18 PUNT_PIM_SNOOP mcast-snoop pim 4303 4 20000 20000
35 PUNT_AUTOSENSE dynvlan aggregate 300 2 1000 500
38 PUNT_SERVICES services BSDT 4403 0 20000 20000
39 PUNT_DEMUXAUTOSENSE demuxauto aggregate 4500 0 2000 10000
40 PUNT_REJECT reject aggregate 4600 6 2000 10000
41 PUNT_SAMPLE_SYSLOG sample syslog 5602 7 1000 1000
42 PUNT_SAMPLE_HOST sample host 5603 7 1000 1000
43 PUNT_SAMPLE_PFE sample pfe 5604 7 1000 1000
44 PUNT_SAMPLE_TAP sample tap 5605 7 1000 1000
45 PUNT_PPPOE_PADI pppoe padi 502 2 500 500
46 PUNT_PPPOE_PADR pppoe padr 504 3 500 500
47 PUNT_PPPOE_PADT pppoe padt 506 3 1000 1000
48 PUNT_PPP_LCP ppp lcp 402 2 12000 12000
49 PUNT_PPP_AUTH ppp auth 403 3 2000 2000
50 PUNT_PPP_IPV4CP ppp ipcp 404 3 2000 2000
51 PUNT_PPP_IPV6CP ppp ipv6cp 405 3 2000 2000
52 PUNT_PPP_MPLSCP ppp mplscp 406 3 2000 2000
53 PUNT_PPP_UNCLASSIFIED_CP ppp unclass 401 2 1000 500
55 PUNT_VC_HI vchassis control-hi 802 3 10000 5000
56 PUNT_VC_LO vchassis control-lo 803 2 8000 3000
57 PUNT_PPP_ISIS ppp isis 407 3 2000 2000
58 PUNT_KEEPALIVE keepalive aggregate 5b00 3 20000 20000
59 PUNT_SEND_TO_HOST_FW_INLINE_SVCS inline-svcs aggregate 5d00 2 20000 20000
60 PUNT_PPP_LCP_ECHO_REQ ppp echo-req 408 2 12000 12000
61 PUNT_INLINE_KA inline-ka aggregate 5c00 3 20000 20000
63 PUNT_PPP_LCP_ECHO_REP ppp echo-rep 409 2 12000 12000
64 PUNT_MLPPP_LCP ppp mlppp-lcp 40a 2 12000 12000
65 PUNT_MLFR_CONTROL frame-relay frf15 5e02 2 12000 12000
66 PUNT_MFR_CONTROL frame-relay frf16 5e03 2 12000 12000
68 PUNT_REJECT_V6 rejectv6 aggregate 5900 6 2000 10000
70 PUNT_SEND_TO_HOST_SVCS services packet 4402 1 20000 20000
71 PUNT_SAMPLE_SFLOW sample sflow 5606 7 1000 1000

PUNT's that go through HBC. See following parsed proto


code PUNT name
---- -------------
2 PUNT_OPTIONS |
4 PUNT_CONTROL |
6 PUNT_HOST_COPY |
11 PUNT_MLP |---------------+
32 PUNT_PROTOCOL | |
33 PUNT_RESOLVE | |
34 PUNT_RECEIVE | |
36 PUNT_REJECT_FW | |
54 PUNT_SEND_TO_HOST_FW | |
69 PUNT_RESOLVE_V6 | |
|
------------------------------------------------------------------
type subtype group proto idx q# bwidth burst
------ ---------- ---------- ---------- ---- -- ------ ------
contrl LACP lacp aggregate 2c00 3 20000 20000
contrl STP stp aggregate 2d00 3 20000 20000
contrl ESMC esmc aggregate 2e00 3 20000 20000
contrl OAM_LFM oam-lfm aggregate 2f00 3 20000 20000
contrl EOAM eoam aggregate 3000 3 20000 20000
contrl LLDP lldp aggregate 3100 3 20000 20000
contrl MVRP mvrp aggregate 3200 3 20000 20000
contrl PMVRP pmvrp aggregate 3300 3 20000 20000
contrl ARP arp aggregate 3400 2 20000 20000
contrl PVSTP pvstp aggregate 3500 3 20000 20000
contrl ISIS isis aggregate 3600 1 20000 20000
contrl POS pos aggregate 3700 3 20000 20000
contrl MLP mlp packets 3802 2 2000 10000
contrl JFM jfm aggregate 3900 3 20000 20000
contrl ATM atm aggregate 3a00 3 20000 20000
contrl PFE_ALIVE pfe-alive aggregate 3b00 3 20000 20000
filter ipv4 dhcpv4 aggregate 600 0 5000 5000
filter ipv6 dhcpv6 aggregate 700 0 5000 5000
filter ipv4 icmp aggregate 900 0 20000 20000
filter ipv4 igmp aggregate a00 1 20000 20000
filter ipv4 ospf aggregate b00 1 20000 20000
filter ipv4 rsvp aggregate c00 1 20000 20000
filter ipv4 pim aggregate d00 1 20000 20000
filter ipv4 rip aggregate e00 1 20000 20000
filter ipv4 ptp aggregate f00 1 20000 20000
filter ipv4 bfd aggregate 1000 1 20000 20000
filter ipv4 lmp aggregate 1100 1 20000 20000
filter ipv4 ldp aggregate 1200 1 20000 20000
filter ipv4 msdp aggregate 1300 1 20000 20000
filter ipv4 bgp aggregate 1400 0 20000 20000
filter ipv4 vrrp aggregate 1500 1 20000 20000
filter ipv4 telnet aggregate 1600 0 20000 20000
filter ipv4 ftp aggregate 1700 0 20000 20000
filter ipv4 ssh aggregate 1800 0 20000 20000
filter ipv4 snmp aggregate 1900 0 20000 20000
filter ipv4 ancp aggregate 1a00 1 20000 20000
filter ipv6 igmpv6 aggregate 1b00 1 20000 20000
filter ipv6 egpv6 aggregate 1c00 1 20000 20000
filter ipv6 rsvpv6 aggregate 1d00 1 20000 20000
filter ipv6 igmpv4v6 aggregate 1e00 1 20000 20000
filter ipv6 ripv6 aggregate 1f00 1 20000 20000
filter ipv6 bfdv6 aggregate 2000 1 20000 20000
filter ipv6 lmpv6 aggregate 2100 1 20000 20000
filter ipv6 ldpv6 aggregate 2200 1 20000 20000
filter ipv6 msdpv6 aggregate 2300 1 20000 20000
filter ipv6 bgpv6 aggregate 2400 0 20000 20000
filter ipv6 vrrpv6 aggregate 2500 1 20000 20000
filter ipv6 telnetv6 aggregate 2600 0 20000 20000
filter ipv6 ftpv6 aggregate 2700 0 20000 20000
filter ipv6 sshv6 aggregate 2800 0 20000 20000
filter ipv6 snmpv6 aggregate 2900 0 20000 20000
filter ipv6 ancpv6 aggregate 2a00 1 20000 20000
filter ipv6 ospfv3v6 aggregate 2b00 1 20000 20000
filter ipv4 tcp-flags unclass.. 4801 0 20000 20000
filter ipv4 tcp-flags initial 4802 0 20000 20000
filter ipv4 tcp-flags establish 4803 0 20000 20000
filter ipv4 dtcp aggregate 4900 0 20000 20000
filter ipv4 radius server 4a02 0 20000 20000
filter ipv4 radius account.. 4a03 0 20000 20000
filter ipv4 radius auth.. 4a04 0 20000 20000
filter ipv4 ntp aggregate 4b00 0 20000 20000
filter ipv4 tacacs aggregate 4c00 0 20000 20000
filter ipv4 dns aggregate 4d00 0 20000 20000
filter ipv4 diameter aggregate 4e00 0 20000 20000
filter ipv4 ip-frag first-frag 4f02 0 20000 20000
filter ipv4 ip-frag trail-frag 4f03 0 20000 20000
filter ipv4 l2tp aggregate 5000 0 20000 20000
filter ipv4 gre aggregate 5100 0 20000 20000
filter ipv4 ipsec aggregate 5200 0 20000 20000
filter ipv6 pimv6 aggregate 5300 1 20000 20000
filter ipv6 icmpv6 aggregate 5400 0 20000 20000
filter ipv6 ndpv6 aggregate 5500 0 20000 20000
filter ipv4 amtv4 aggregate 5f00 0 20000 20000
filter ipv6 amtv6 aggregate 6000 0 20000 20000
option rt-alert ip-opt rt-alert 3d02 1 20000 20000
option unclass ip-opt unclass.. 3d01 4 10000 10000

Here, the violation report message is one of the notifications to the PPC. Hence, it is also rate limited, to 100 pps by default.

#define DDOS_VIOL_REPORT_RATE 100 /* 100 reports/sec */

# show ddos asic nexthops


[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type
[-----------]: ---------- ------- ------- ------- ----
[ 0:----:ind]: c004017e078c0001 e0145f000010000 4817d180 c0f278 802f viol-report
[ 0: 0: 0]: c0040096078c1001 0 4817d130 c0f270 8012 hbc & others
[ 0: 100: 1]: c004016e078c2001 0 4817d0b8 c0f268 802d punt
[ 0: 200: 2]: c004009e078c3001 0 4817d040 c0f260 8013 punt
[ 0: 300: 3]: c00400ae078ff001 e01452000010000 4817cfc8 c0f200 8015 punt
[ 0: 400: 4]: c0040156078fe001 0 4817cf50 c0f208 802a hbc & others
[ 0: 401: 5]: c00400b6078c4001 e02eba000010000 4817ced8 c0f210 8016 punt
[ 0: 402: 6]: c004013e078fd001 e02ea4000010000 4817ce60 c0f258 8027 punt
[ 0: 403: 7]: c004012e078c5001 e02ea5000010000 4817cde8 c0f218 8025 punt
[ 0: 404: 8]: c00400be078c6001 e02ebc000010000 4817cd70 c0f220 8017 punt
[ 0: 405: 9]: c00400ce078fc001 e02ebb000010000 4817ccf8 c0f250 8019 punt
[ 0: 406: 10]: c004011e078c7001 e02ea6000010000 4817cc80 c0f228 8023 punt
[ 0: 407: 11]: c0040116078c8001 e02eb4000010000 4817cc08 c0f248 8022 punt
[ 0: 408: 12]: c004010e078c9001 e023f5800020000 4817cb90 c0f240 8021 punt
[ 0: 409: 13]: c00400fe078ca001 e023ef800020000 4817cb18 c0f230 801f punt
[ 0: 40a: 14]: c00400f6078fb001 e02eac000010000 4817caa0 c0f238 801e punt
[ 0: 500: 15]: c03c0a0e078fa001 0 4817ca28 c0f2f8 78141 hbc & others
[ 0: 501: 16]: c03c0bf6078f9001 0 4817c9b0 c0f280 7817e hbc & others
[ 0: 502: 17]: c03c0a1e078f8001 e02ebf000010000 4c3df968 c0f2f0 78143 punt
[ 0: 503: 18]: c03c0a26078f7001 0 4c3df8f0 c0f288 78144 hbc & others
[ 0: 504: 19]: c03c0bde078f6001 e02ebe000010000 4c3df878 c0f290 7817b punt
[ 0: 505: 20]: c03c0bd6078cb001 0 4c3df800 c0f298 7817a hbc & others
[ 0: 506: 21]: c03c0bc6078f5001 e02ebd000010000 4c3df788 c0f2e8 78178 punt
[ 0: 507: 22]: c03c0a36078cc001 0 4c3df710 c0f2a0 78146 hbc & others
[ 0: 508: 23]: c03c0a3e078cd001 0 4c3df698 c0f2e0 78147 hbc & others
[ 0: 600: 24]: c03c0ba6078ce001 0 4c3df620 c0f2d8 78174 hbc & others
[ 0: 601: 25]: c03c0b96078cf001 0 4c3df5a8 c0f2a8 78172 hbc & others
[ 0: 602: 26]: c03c0a46078d0001 0 4c3df530 c0f2d0 78148 hbc & others
[ 0: 603: 27]: c03c0b7e078f4001 0 4c3df4b8 c0f2c8 7816f hbc & others
[ 0: 604: 28]: c03c0b76078f3001 0 4c3df440 c0f2b0 7816e hbc & others
[ 0: 605: 29]: c03c0a5e078f2001 0 4c3df3c8 c0f2b8 7814b hbc & others
[ 0: 606: 30]: c03c0b66078d1001 0 4c3df350 c0f2c0 7816c hbc & others
[ 0: 607: 31]: c03c0b56078f1001 0 4c3df2d8 c0f300 7816a hbc & others
[ 0: 608: 32]: c03c0b46078d2001 0 4c3df260 c0f308 78168 hbc & others
[ 0: 609: 33]: c03c0a66078d3001 0 4c3df1e8 c0f378 7814c hbc & others
[ 0: 60a: 34]: c03c0a6e078f0001 0 4c3df170 c0f310 7814d hbc & others
[ 0: 60b: 35]: c03c0a7e078d4001 0 4c3df0f8 c0f370 7814f hbc & others
[ 0: 60c: 36]: c03c0b26078d5001 0 4c3df080 c0f368 78164 hbc & others
[ 0: 60d: 37]: c03c0b16078d6001 0 4c3df008 c0f318 78162 hbc & others
[ 0: 60e: 38]: c03c0a8e078d7001 0 4c3def90 c0f320 78151 hbc & others
[ 0: 60f: 39]: c03c0b06078d8001 0 4c3def18 c0f328 78160 hbc & others
[ 0: 610: 40]: c03c0a9e078ef001 0 4c3deea0 c0f330 78153 hbc & others
[ 0: 611: 41]: c03c0aae078ee001 0 4c3dee28 c0f360 78155 hbc & others
[ 0: 612: 42]: c03c0af6078ed001 0 4c3dedb0 c0f338 7815e hbc & others
[ 0: 700: 43]: c03c0ab6078d9001 0 4c3ded38 c0f358 78156 hbc & others
[ 0: 701: 44]: c03c0abe078ec001 0 4c3decc0 c0f340 78157 hbc & others
[ 0: 702: 45]: c03c0ad6078da001 0 4c3dec48 c0f350 7815a hbc & others
[ 0: 703: 46]: c03c0ac6078eb001 0 4c3debd0 c0f348 78158 hbc & others
[ 0: 704: 47]: c03c0dfe078db001 0 4c3deb58 c0f380 781bf hbc & others
[ 0: 705: 48]: c03c0c0e078dc001 0 4c3deae0 c0f388 78181 hbc & others
[ 0: 706: 49]: c03c0c16078dd001 0 4c3dea68 c0f3f8 78182 hbc & others
[ 0: 707: 50]: c03c0dde078ea001 0 4c3de9f0 c0f390 781bb hbc & others
[ 0: 708: 51]: c03c0c1e078de001 0 4c3de978 c0f3f0 78183 hbc & others
[ 0: 709: 52]: c03c0dce078e9001 0 4c3de900 c0f398 781b9 hbc & others
[ 0: 70a: 53]: c03c0c2e078e8001 0 4c3de888 c0f3a0 78185 hbc & others
[ 0: 70b: 54]: c03c0db6078df001 0 4c3de810 c0f3a8 781b6 hbc & others
[ 0: 70c: 55]: c03c0c3e078e0001 0 4c3de798 c0f3b0 78187 hbc & others
[ 0: 70d: 56]: c03c0c46078e7001 0 4c3de720 c0f3e8 78188 hbc & others
[ 0: 70e: 57]: c03c0da6078e1001 0 4c3de6a8 c0f3b8 781b4 hbc & others
[ 0: 70f: 58]: c03c0d96078e6001 0 4c3de630 c0f3e0 781b2 hbc & others
[ 0: 710: 59]: c03c0d8e078e2001 0 4c3de5b8 c0f3d8 781b1 hbc & others
[ 0: 711: 60]: c03c0d7e078e3001 0 4c3de540 c0f3c0 781af hbc & others
[ 0: 712: 61]: c03c0c66078e5001 0 4c3de4c8 c0f3c8 7818c hbc & others
[ 0: 800: 62]: c03c0d6e078e4001 0 4c3de450 c0f3d0 781ad hbc & others
[ 0: 801: 63]: c03c0c6e07a3f001 0 4c3de3d8 c0f4f8 7818d hbc & others
[ 0: 802: 64]: c03c0c7607a00001 e02eb6000010000 4c3de360 c0f480 7818e punt
[ 0: 803: 65]: c03c0d5607a3e001 e02ea9000010000 4c3de2e8 c0f488 781aa punt
[ 0: 804: 66]: c03c0d4607a3d001 0 4c3de270 c0f490 781a8 hbc & others
[ 0: 805: 67]: c03c0c8e07a01001 e02eb5000010000 4c3de1f8 c0f4f0 78191 punt
[ 0: 900: 68]: c03c0c9e07a3c001 0 4c3de180 c0f4e8 78193 hbc & others
[ 0: a00: 69]: c03c0ca607a3b001 0 4c3de108 c0f4e0 78194 hbc & others
[ 0: b00: 70]: c03c0d2e07a3a001 0 4c3de090 c0f498 781a5 hbc & others
[ 0: c00: 71]: c03c0cae07a39001 0 4c3de018 c0f4a0 78195 hbc & others
[ 0: d00: 72]: c03c0cbe07a02001 0 4c3ddfa0 c0f4a8 78197 hbc & others
[ 0: e00: 73]: c03c0cc607a03001 0 4c3ddf28 c0f4d8 78198 hbc & others
[ 0: f00: 74]: c03c0cd607a04001 0 4c3ddeb0 c0f4b0 7819a hbc & others
[ 0:1000: 75]: c03c0d1607a38001 0 4c3dde38 c0f4b8 781a2 hbc & others
[ 0:1100: 76]: c03c0d0607a37001 0 4c3dddc0 c0f4c0 781a0 hbc & others
[ 0:1200: 77]: c03c0ce607a36001 0 4c3ddd48 c0f4d0 7819c hbc & others
[ 0:1300: 78]: c03c0cf607a35001 0 4c3ddcd0 c0f4c8 7819e hbc & others
[ 0:1400: 79]: c03c0ffe07a05001 0 4c3ddc58 c0f500 781ff hbc & others
[ 0:1500: 80]: c03c0e1607a06001 0 4c3ddbe0 c0f578 781c2 hbc & others
[ 0:1600: 81]: c03c0ff607a34001 0 4c3ddb68 c0f508 781fe hbc & others
[ 0:1700: 82]: c03c0fe607a33001 0 4c3ddaf0 c0f510 781fc hbc & others
[ 0:1800: 83]: c03c0fd607a07001 0 4c3dda78 c0f518 781fa hbc & others
[ 0:1900: 84]: c03c0fc607a08001 0 4c3dda00 c0f570 781f8 hbc & others
[ 0:1a00: 85]: c03c0e2e07a09001 0 4c3eb9d0 c0f568 781c5 hbc & others
[ 0:1b00: 86]: c03c0e3607a32001 0 4c3eb958 c0f560 781c6 hbc & others
[ 0:1c00: 87]: c03c0e3e07a31001 0 4c3eb8e0 c0f558 781c7 hbc & others
[ 0:1d00: 88]: c03c0fae07a0a001 0 4c3eb868 c0f520 781f5 hbc & others
[ 0:1e00: 89]: c03c0f9e07a0b001 0 4c3eb7f0 c0f528 781f3 hbc & others
[ 0:1f00: 90]: c03c0e5607a30001 0 4c3eb778 c0f530 781ca hbc & others
[ 0:2000: 91]: c03c0e6607a0c001 0 4c3eb700 c0f550 781cc hbc & others
[ 0:2100: 92]: c03c0e7607a2f001 0 4c3eb688 c0f538 781ce hbc & others
[ 0:2200: 93]: c03c0f9607a0d001 0 4c3eb610 c0f548 781f2 hbc & others
[ 0:2300: 94]: c03c0f8e07a2e001 0 4c3eb598 c0f540 781f1 hbc & others
[ 0:2400: 95]: c03c0f7e07a2d001 0 4c3eb520 c0f5f8 781ef hbc & others
[ 0:2500: 96]: c03c0f6e07a0e001 0 4c3eb4a8 c0f5f0 781ed hbc & others
[ 0:2600: 97]: c03c0f6607a0f001 0 4c3eb430 c0f5e8 781ec hbc & others
[ 0:2700: 98]: c03c0f5e07a2c001 0 4c3eb3b8 c0f5e0 781eb hbc & others
[ 0:2800: 99]: c03c0f5607a10001 0 4c3eb340 c0f580 781ea hbc & others
[ 0:2900:100]: c03c0eae07a11001 0 4c3eb2c8 c0f588 781d5 hbc & others
[ 0:2a00:101]: c03c0f4607a2b001 0 4c3eb250 c0f5d8 781e8 hbc & others
[ 0:2b00:102]: c03c0eb607a12001 0 4c3eb1d8 c0f590 781d6 hbc & others
[ 0:2c00:103]: c03c0f2e07a2a001 0 4c3eb160 c0f5d0 781e5 subtype
[ 0:2d00:104]: c03c0ebe07a29001 0 4c3eb0e8 c0f598 781d7 subtype
[ 0:2e00:105]: c03c0f1e07a13001 0 4c3eb070 c0f5a0 781e3 subtype
[ 0:2f00:106]: c03c0f1607a14001 0 4c3eaff8 c0f5c8 781e2 subtype
[ 0:3000:107]: c03c0f0e07a15001 0 4c3eaf80 c0f5a8 781e1 subtype
[ 0:3100:108]: c03c0ee607a28001 0 4c3eaf08 c0f5c0 781dc subtype
[ 0:3200:109]: c03c0efe07a16001 0 4c3eae90 c0f5b8 781df subtype
[ 0:3300:110]: c03c0eee07a27001 0 4c3eae18 c0f5b0 781dd subtype
[ 0:3400:111]: c03c11f607a17001 0 4c3eada0 c0f678 7823e subtype
[ 0:3500:112]: c03c100e07a18001 0 4c3ead28 c0f670 78201 subtype
[ 0:3600:113]: c03c11e607a26001 0 4c3eacb0 c0f668 7823c subtype
[ 0:3700:114]: c03c11de07a25001 0 4c3eac38 c0f660 7823b subtype
[ 0:3800:115]: c03c102607a19001 0 4c3eabc0 c0f658 78204 hbc & others
[ 0:3801:116]: c03c11d607a24001 0 4c3eab48 c0f600 7823a hbc & others
[ 0:3802:117]: c03c11ce07a1a001 e02eb9000010000 4c3eaad0 c0f650 78239 subtype
[ 0:3803:118]: c03c103e07a1b001 0 4c3eaa58 c0f648 78207 hbc & others
[ 0:3900:119]: c03c104607a23001 0 4c3ea9e0 c0f640 78208 subtype
[ 0:3a00:120]: c03c105607a1c001 0 4c3ea968 c0f638 7820a subtype
[ 0:3b00:121]: c03c11ae07a22001 0 4c3ea8f0 c0f608 78235 subtype
[ 0:3c00:122]: c03c106607a21001 e01454000010000 4c3ea878 c0f610 7820c punt
[ 0:3d00:123]: c03c106e07a20001 0 4c3ea800 c0f630 7820d hbc & others
[ 0:3d01:124]: c03c119607a1f001 0 4c3ea788 c0f618 78232 punt
[ 0:3d02:125]: c03c118e07a1d001 0 4c3ea710 c0f628 78231 punt
[ 0:3d03:126]: c03c108607a1e001 0 4c3ea698 c0f620 78210 punt
[ 0:3e00:127]: c03c108e07b7f001 e01455000010000 4c3ea620 c0f700 78211 punt
[ 0:3f00:128]: c03c117607b40001 0 4c3ea5a8 c0f778 7822e hbc & others
[ 0:4000:129]: c03c109607b41001 0 4c3ea530 c0f770 78212 hbc & others
[ 0:4100:130]: c03c109e07b42001 e02ea3000010000 4c3ea4b8 c0f708 78213 punt
[ 0:4200:131]: c03c115607b7e001 e02ec0000010000 4c3ea440 c0f710 7822a punt
[ 0:4300:132]: c03c10ae07b7d001 0 4c3ea3c8 c0f718 78215 hbc & others
[ 0:4301:133]: c03c114e07b43001 0 4c3ea350 c0f720 78229 hbc & others
[ 0:4302:134]: c03c114607b7c001 e02eb8000010000 4c3ea2d8 c0f728 78228 punt
[ 0:4303:135]: c03c10c607b44001 e02eb7000010000 4c3ea260 c0f768 78218 punt
[ 0:4304:136]: c03c113607b45001 0 4c3ea1e8 c0f760 78226 hbc & others
[ 0:4400:137]: c03c112607b7b001 0 4c3ea170 c0f758 78224 hbc & others
[ 0:4401:138]: c03c10d607b46001 0 4c3ea0f8 c0f750 7821a hbc & others
[ 0:4402:139]: c03c10e607b47001 e02f7f000010000 4c3ea080 c0f730 7821c punt
[ 0:4403:140]: c03c10f607b7a001 e01451000010000 4c3ea008 c0f748 7821e punt
[ 0:4500:141]: c03c110607b48001 e01450000010000 4c3e9f90 c0f740 78220 punt
[ 0:4600:142]: c03c111607b79001 e02ea1000010000 4c3e9f18 c0f738 78222 punt
[ 0:4700:143]: c03c13fe07b78001 0 4c3e9ea0 c0f7f8 7827f hbc & others
[ 0:4800:144]: c03c120e07b49001 0 4c3e9e28 c0f7f0 78241 hbc & others
[ 0:4801:145]: c03c121607b77001 0 4c3e9db0 c0f780 78242 hbc & others
[ 0:4802:146]: c03c122607b4a001 0 4c3e9d38 c0f7e8 78244 hbc & others
[ 0:4803:147]: c03c13de07b76001 0 4c3e9cc0 c0f788 7827b hbc & others
[ 0:4900:148]: c03c123607b75001 0 4c3e9c48 c0f790 78246 hbc & others
[ 0:4a00:149]: c03c124607b74001 0 4c3e9bd0 c0f7e0 78248 hbc & others
[ 0:4a01:150]: c03c13ce07b4b001 0 4c3e9b58 c0f798 78279 hbc & others
[ 0:4a02:151]: c03c124e07b4c001 0 4c3e9ae0 c0f7d8 78249 hbc & others
[ 0:4a03:152]: c03c13be07b73001 0 4c3e9a68 c0f7a0 78277 hbc & others
[ 0:4a04:153]: c03c125e07b4d001 0 4c3f3a08 c0f7a8 7824b hbc & others
[ 0:4b00:154]: c03c13a607b72001 0 4c3f3990 c0f7d0 78274 hbc & others
[ 0:4c00:155]: c03c126e07b4e001 0 4c3f3918 c0f7c8 7824d hbc & others
[ 0:4d00:156]: c03c139607b4f001 0 4c3f38a0 c0f7c0 78272 hbc & others
[ 0:4e00:157]: c03c127e07b50001 0 4c3f3828 c0f7b0 7824f hbc & others
[ 0:4f00:158]: c03c128e07b51001 0 4c3f37b0 c0f7b8 78251 hbc & others
[ 0:4f01:159]: c03c129e07b71001 0 4c3f3738 c0f878 78253 hbc & others
[ 0:4f02:160]: c03c12a607b70001 0 4c3f36c0 c0f800 78254 hbc & others
[ 0:4f03:161]: c03c12b607b52001 0 4c3f3648 c0f870 78256 hbc & others
[ 0:5000:162]: c03c138607b6f001 0 4c3f35d0 c0f868 78270 hbc & others
[ 0:5100:163]: c03c12c607b53001 0 4c3f3558 c0f860 78258 hbc & others
[ 0:5200:164]: c03c136e07b54001 0 4c3f34e0 c0f858 7826d hbc & others
[ 0:5300:165]: c03c12ce07b55001 0 4c3f3468 c0f850 78259 hbc & others
[ 0:5400:166]: c03c12de07b6e001 0 4c3f33f0 c0f848 7825b hbc & others
[ 0:5500:167]: c03c135607b6d001 0 4c3f3378 c0f840 7826a hbc & others
[ 0:5600:168]: c03c134607b6c001 0 4c3f3300 c0f838 78268 hbc & others
[ 0:5601:169]: c03c12e607b6b001 0 4c3f3288 c0f830 7825c hbc & others
[ 0:5602:170]: c03c12f607b6a001 e02eaf000010000 4c3f3210 c0f828 7825e punt
[ 0:5603:171]: c03c12fe07b69001 e02eb0000010000 4c3f3198 c0f820 7825f punt
[ 0:5604:172]: c03c130e07b68001 e02eb2000010000 4c3f3120 c0f808 78261 punt
[ 0:5605:173]: c03c131607b56001 e02eb1000010000 4c3f30a8 c0f810 78262 punt
[ 0:5606:174]: c03c132607b57001 e02f61000010000 4c3f3030 c0f818 78264 punt
[ 0:5700:175]: c03c15fe07b58001 e02f80000010000 4c3f2fb8 c0f8f8 782bf punt
[ 0:5800:176]: c03c15f607b59001 0 4c3f2f40 c0f8f0 782be punt
[ 0:5801:177]: c03c141e07b67001 0 4c3f2ec8 c0f8e8 78283 punt
[ 0:5802:178]: c03c15ee07b66001 0 4c3f2e50 c0f880 782bd punt
[ 0:5803:179]: c03c15e607b65001 0 4c3f2dd8 c0f8e0 782bc punt
[ 0:5804:180]: c03c15d607b5a001 0 4c3f2d60 c0f8d8 782ba punt
[ 0:5805:181]: c03c143607b64001 0 4c3f2ce8 c0f888 78286 punt
[ 0:5806:182]: c03c15c607b5b001 0 4c3f2c70 c0f8d0 782b8 punt
[ 0:5807:183]: c03c144607b63001 0 4c3f2bf8 c0f8c8 78288 punt
[ 0:5808:184]: c03c15b607b5c001 0 4c3f2b80 c0f890 782b6 punt
[ 0:5809:185]: c03c15a607b62001 0 4c3f2b08 c0f898 782b4 punt
[ 0:580a:186]: c03c159607b5d001 0 4c3f2a90 c0f8a0 782b2 punt
[ 0:580b:187]: c03c145607b5e001 0 4c3f2a18 c0f8a8 7828a punt
[ 0:580c:188]: c03c158607b61001 0 4c3f29a0 c0f8b0 782b0 punt
[ 0:5900:189]: c03c146607b5f001 e02ea2000010000 4c3f2928 c0f8b8 7828c punt
[ 0:5a00:190]: c03c146e07b60001 e01453000010000 4c3f28b0 c0f8c0 7828d punt
[ 0:5b00:191]: c03c147607cbf001 e02eb3000010000 4c3f2838 c0f9f8 7828e punt
[ 0:5c00:192]: c03c147e07c80001 e02eab000010000 4c3f27c0 c0f980 7828f punt
[ 0:5d00:193]: c03c155e07cbe001 e02eaa000010000 4c3f2748 c0f988 782ab punt
[ 0:5e00:194]: c03c148e07cbd001 0 4c3f26d0 c0f990 78291 hbc & others
[ 0:5e01:195]: c03c149607cbc001 0 4c3f2658 c0f9f0 78292 hbc & others
[ 0:5e02:196]: c03c149e07cbb001 e02ead000010000 4c3f25e0 c0f9e8 78293 punt
[ 0:5e03:197]: c03c153e07c81001 e02eae000010000 4c3f2568 c0f9e0 782a7 punt
[ 0:5f00:198]: c03c153607c82001 0 4c3f24f0 c0f998 782a6 hbc & others
[ 0:6000:199]: c03c14b607cba001 0 4c3f2478 c0f9a0 78296 hbc & others

Let's trace some of the nexthops here to explain how the policers are associated with each other.

1. PUNT traffic with punt type


Some punt traffic uses a punt-type nexthop. For example:
code PUNT name group proto idx q# bwidth burst
---- -------------------- --------- ------ ---- -- ------ ------
1 PUNT_TTL ttl aggregate 3c00 5 2000 10000

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0:3c00:122]: c03c106607a21001 e01454000010000 4c3ea878 c0f610 7820c punt

If we check the policer nexthop for this type, here is the policer configuration.
# show jnh 0 decode 0xc03c106607a21001

PolicerISSU_NH: Absolute Caddr = 0xc0f442, nextNH = 0x7820c, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f442


Addr:0xc0f442, Data = 0xa3d0000047c00000

% bits 13 20 2 3 4 22
0xa3d0000047c00000
Wid 13 20 2 3 4 22
Bin 1010001111010 00000000000000000000 10 001 1111 0000000000000000000000
Hex 147a 0 2 1 f 0
Dec 5242 0 2 1 15

This is a policer with rate = 5242 * 1562.5 = 8,190,625 bps. On the LUchip, the packet policer uses a fixed packet size (512
bytes), so 8,190,625 bps / (512 * 8 bits) is approximately 2000 pps, which matches the policer configuration.
#define PKT_BASED_POLICER_PKT_SIZE (512)

Furthermore, if we check the ddos-nh, it is actually pointing to another policer configuration.
NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe01454000010000

CallNH:desc_ptr:0xc028a8, mode=0, rst_stk=0x0, count=0x1


0xc028a6 0 : 0x42f07fffff800f50
0xc028a7 1 : 0xdaf060208180c810

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xdaf060208180c810

IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04103, max=200, nbits=16

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc04103


Addr:0xc04103, Data = 0x0e02120000020000

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0x0e02120000020000

CallNH:desc_ptr:0xc04240, mode=0, rst_stk=0x0, count=0x2


0xc0423d 0 : 0x42f07fffff800010
0xc0423e 1 : 0xc0040096078c1001
0xc0423f 2 : 0x127fffffe00003f8

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc0040096078c1001


PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f182


Addr:0xc0f182, Data = 0x8000000057c00000

NPC2(Dokinchan-re0 vty)#

0x8000000057c00000
Wid 13 20 2 3 4 22
Bin 1000000000000 00000000000000000000 10 101 1111 0000000000000000000000


Hex 1000 0 2 5 f 0
Dec 4096 0 2 5 15 0

The above policer is programmed with 4096 * 25000 / 8 / 512 = 25000 pps. That's the host-path policer, which polices the aggregated traffic from several protocols to the host.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration all
DDOS Policer Configuration:

UKERN-Config PFE-Config

idx prot group proto on Pri rate burst rate burst


--- --- ------------ ------------ -- -- ------ ----- ------ -----
0 0 host-path aggregate Y -- --- --- 25000 25000

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0: 0: 0]: c0040096078c1001 0 4817d130 c0f270 8012 hbc & others

NPC2(Dokinchan-re0 vty)# show jnh 0 dec c0040096078c1001


PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0

NPC2(Dokinchan-re0 vty)#

This aggregate policer also applies to multiple protocols, for example PUNT_REDIRECT, PUNT_REJECT, PUNT_REJECT_FW, PUNT_RESOLVE, etc.
PUNT codes directly mapped to DDOS proto:
code PUNT name group proto idx q# bwidth burst
---- -------------------- --------- ------ ---- -- ------ ------
3 PUNT_REDIRECT redirect aggregate 3e00 0 2000 10000
40 PUNT_REJECT reject aggregate 4600 6 2000 10000
33 PUNT_RESOLVE

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0:3e00:127]: c03c108e07b7f001 e01455000010000 4c3ea620 c0f700 78211 punt
[ 0:4600:142]: c03c111607b79001 e02ea1000010000 4c3e9f18 c0f738 78222 punt

PUNT_REDIRECT
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c108e07b7f001

PolicerISSU_NH: Absolute Caddr = 0xc0f6fe, nextNH = 0x78211, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f6fe


Addr:0xc0f6fe, Data = 0xa3d0000047c00000

0xa3d0000047c00000
Wid 13 20 2 3 4 22
Bin 1010001111010 00000000000000000000 10 001 1111 0000000000000000000000
Hex 147a 0 2 1 f 0
Dec 5242 0 2 1 15 0

Here, RU[2,1] corresponds to value 1562.5.


static const struct jnh_fw_ru trinity_ru[JNH_POL_MAX_RU_PRODUCTS] = {
{24.414062,3,0}, {48.828125,3,1}, {97.65625,3,2}, {195.3125,3,3},
{390.625,3,4}, {781.25,2,0}, {781.25,3,5}, {1562.5,2,1}, {1562.5,3,6},
{3125,2,2}, {3125,3,7}, {6250,2,3}, {12500,2,4}, {25000,1,0}, {25000,2,5},
{50000,1,1}, {50000,2,6}, {100000,1,2}, {100000,2,7}, {200000,1,3},
{400000,1,4}, {800000,0,0}, {800000,1,5}, {1600000,0,1}, {1600000,1,6},
{3200000,0,2}, {3200000,1,7}, {6400000,0,3}, {12800000,0,4},
{25600000,0,5}, {51200000,0,6}, {102400000,0,7}
};

Hence, the rate is 5242 * 1562.5 / 8 / 512 = 2000 pps.
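The decoding shown above (split the 64-bit word into fields of 13, 20, 2, 3, 4 and 22 bits, look the 2-bit and 3-bit fields up in trinity_ru[], multiply by the 13-bit mantissa, then divide by 8 and by the fixed 512-byte packet size) can be reproduced offline. The following is an added example, not code from this document or from Juniper: a small Python decoder that gives the same result as the `bits` helper and checks the programmed rate against the PFE-Config pps value. The field widths, the RU table and the 512-byte constant are taken from this document; the names given to the 20-bit, 4-bit and 22-bit fields are assumptions, since the document does not decode them.

```python
"""Decode an LU-chip policer word as read with `show jnh <n> vread <addr>`.

Added example, not Juniper code. Field widths, the trinity_ru[] table and
PKT_BASED_POLICER_PKT_SIZE are taken from the document; the meaning assigned
to the 20-bit, 4-bit and 22-bit fields is an assumption.
"""
from dataclasses import dataclass

# Field widths, MSB first, as used by the document's `bits 13 20 2 3 4 22`.
FIELD_WIDTHS = (13, 20, 2, 3, 4, 22)

# Fixed packet size the LU chip uses for packet-based policers (document's #define).
PKT_BASED_POLICER_PKT_SIZE = 512

# (rate unit in bps, a, b) transcribed from the document's trinity_ru[] table;
# the 2-bit field of the policer word selects `a`, the 3-bit field selects `b`.
TRINITY_RU = [
    (24.414062, 3, 0), (48.828125, 3, 1), (97.65625, 3, 2), (195.3125, 3, 3),
    (390.625, 3, 4), (781.25, 2, 0), (781.25, 3, 5), (1562.5, 2, 1), (1562.5, 3, 6),
    (3125, 2, 2), (3125, 3, 7), (6250, 2, 3), (12500, 2, 4), (25000, 1, 0), (25000, 2, 5),
    (50000, 1, 1), (50000, 2, 6), (100000, 1, 2), (100000, 2, 7), (200000, 1, 3),
    (400000, 1, 4), (800000, 0, 0), (800000, 1, 5), (1600000, 0, 1), (1600000, 1, 6),
    (3200000, 0, 2), (3200000, 1, 7), (6400000, 0, 3), (12800000, 0, 4),
    (25600000, 0, 5), (51200000, 0, 6), (102400000, 0, 7),
]
RU_BY_INDEX = {(a, b): ru for ru, a, b in TRINITY_RU}


def split_fields(word, widths=FIELD_WIDTHS):
    """Split a 64-bit word MSB-first into integer fields of the given widths."""
    if sum(widths) != 64:
        raise ValueError("field widths must add up to 64 bits")
    if not 0 <= word < 1 << 64:
        raise ValueError("policer word must fit in 64 bits")
    fields, shift = [], 64
    for width in widths:
        shift -= width
        fields.append((word >> shift) & ((1 << width) - 1))
    return fields


@dataclass(frozen=True)
class PolicerWord:
    mantissa: int   # 13-bit rate mantissa, multiplied by the rate unit
    state20: int    # 20-bit field; assumed runtime bucket state (not decoded in the document)
    ru_a: int       # 2-bit rate-unit selector (second column of trinity_ru)
    ru_b: int       # 3-bit rate-unit selector (third column of trinity_ru)
    flags4: int     # 4-bit field, 0xf in every word quoted; meaning assumed unknown
    state22: int    # 22-bit field; assumed runtime state (not decoded in the document)

    @property
    def rate_unit(self):
        return RU_BY_INDEX[(self.ru_a, self.ru_b)]

    @property
    def bps(self):
        # Rate in bits per second, e.g. 5242 * 1562.5 = 8,190,625 bps.
        return self.mantissa * self.rate_unit

    @property
    def pps(self):
        # Packet-based policers divide by 8 bits and the fixed 512-byte packet size.
        return self.bps / 8 / PKT_BASED_POLICER_PKT_SIZE


def decode_policer(word):
    """Decode one 64-bit policer word into its fields."""
    return PolicerWord(*split_fields(word))


def matches_configured_pps(word, configured_pps, tolerance=0.01):
    """True if the programmed rate is within `tolerance` of the PFE-Config pps rate."""
    return abs(decode_policer(word).pps - configured_pps) <= tolerance * configured_pps


if __name__ == "__main__":
    # Words quoted in this document and the PFE-Config rates they should match.
    for word, pps in ((0xa3d0000047c00000, 2000), (0x8000000057c00000, 25000),
                      (0xccc8000053c00000, 20000), (0xccc800004fc00000, 10000),
                      (0x29f0000043c00000, 256)):
        p = decode_policer(word)
        print(f"0x{word:016x}: mantissa={p.mantissa} RU[{p.ru_a},{p.ru_b}]={p.rate_unit} "
              f"-> {p.bps:.1f} bps ~ {p.pps:.1f} pps "
              f"(config {pps}: {matches_configured_pps(word, pps)})")
```

The mantissa is truncated when the rate is programmed (6553 * 12500 / 8 / 512 is 19998 pps, not exactly 20000), so the comparison uses a tolerance instead of equality; a 1% tolerance is enough for every word quoted in this document.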

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe01455000010000

CallNH:desc_ptr:0xc028aa, mode=0, rst_stk=0x0, count=0x1


0xc028a8 0 : 0x42f07fffff800ff0
0xc028a9 1 : 0xdaf060208180c810

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xdaf060208180c810


IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04103, max=200, nbits=16

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc04103


Addr:0xc04103, Data = 0x0e02120000020000

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0x0e02120000020000


CallNH:desc_ptr:0xc04240, mode=0, rst_stk=0x0, count=0x2
0xc0423d 0 : 0x42f07fffff800010
0xc0423e 1 : 0xc0040096078c1001
0xc0423f 2 : 0x127fffffe00003f8

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc0040096078c1001


PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0

NPC2(Dokinchan-re0 vty)#

PUNT_REJECT
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c111607b79001
PolicerISSU_NH: Absolute Caddr = 0xc0f6f2, nextNH = 0x78222, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0


NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f6f2


Addr:0xc0f6f2, Data = 0xa3d257b447f4db1e

0xa3d257b447f4db1e
Wid 13 20 2 3 4 22
Bin 1010001111010 01001010111101101000 10 001 1111 1101001101101100011110
Hex 147a 4af68 2 1 f 34db1e
Dec 5242 307048 2 1 15 3463966

Rate = 5242 * 1562.5 / 8 / 512 = 2000 pps

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xe02ea1000010000


CallNH:desc_ptr:0xc05d42, mode=0, rst_stk=0x0, count=0x1
0xc05d40 0 : 0x42f07fffff8011d0
0xc05d41 1 : 0xdaf060208180c810

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xdaf060208180c810


IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04103, max=200, nbits=16

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc04103


Addr:0xc04103, Data = 0x0e02120000020000

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0x0e02120000020000


CallNH:desc_ptr:0xc04240, mode=0, rst_stk=0x0, count=0x2
0xc0423d 0 : 0x42f07fffff800010
0xc0423e 1 : 0xc0040096078c1001
0xc0423f 2 : 0x127fffffe00003f8

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc0040096078c1001


PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0

NPC2(Dokinchan-re0 vty)#

PUNT_RESOLVE
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions terse
Reason Type Packets Bytes
==================================================================
Routing
----------------------
resolve route PUNT(33) 7199596 460774144

NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 33 punt


Nexthop Chain:
CallNH:desc_ptr:0xc0481c, mode=0, rst_stk=0x0, count=0x4
0xc04817 0 : 0x127fffffe00003fe
0xc04818 1 : 0x2ffffffe07ca8200
0xc04819 2 : 0xda00602d26800b04
0xc0481a 3 : 0xda00602d20800b04
0xc0481b 4 : 0xdaf060208180c810

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xdaf060208180c810


IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04103, max=200, nbits=16

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc04103


Addr:0xc04103, Data = 0x0e02120000020000

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0x0e02120000020000


CallNH:desc_ptr:0xc04240, mode=0, rst_stk=0x0, count=0x2
0xc0423d 0 : 0x42f07fffff800010
0xc0423e 1 : 0xc0040096078c1001
0xc0423f 2 : 0x127fffffe00003f8

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc0040096078c1001


PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0

NPC2(Dokinchan-re0 vty)#

[ 0: 300: 11]: c004015e07186001 e02e76800020000 4dfbc4a8 c0e3c8 802b punt : dynvlan:aggregate
[ 0: 401: 13]: c0040066071b5001 e02e67800020000 4dfbc408 c0e3c0 800c punt : ppp:unclassified
[ 0: 402: 14]: c0040126071a9001 e02e78000020000 4dfbc3b8 c0e3d0 8024 punt : ppp:lcp
[ 0: 403: 15]: c00400a6071b1001 e02e79800020000 4dfbc368 c0e400 8014 punt : ppp:auth
[ 0: 404: 16]: c03c0bfe071ad001 e02e75000020000 4dfbc318 c0e478 7817f punt : ppp:ipcp
[ 0: 405: 17]: c03c0b7e071b9001 e02e7c800020000 4dfc82f8 c0e410 7816f punt : ppp:ipv6cp
[ 0: 406: 18]: c03c0b3e071a5001 e02e63000020000 4dfc82a8 c0e468 78167 punt : ppp:mplscp
[ 0: 407: 19]: c03c0ac607182001 e02f16800020000 4dfc8258 c0e408 78158 punt : ppp:isis
[ 0: 408: 20]: c03c0afe0718a001 e02eae000030000 4dfc8208 c0e418 7815f punt : ppp:echo-req
[ 0: 409: 21]: c03c0b860719d001 e02eb6000030000 4dfc81b8 c0e470 78170 punt : ppp:echo-rep
[ 0: 40a: 22]: c03c0a7e07195001 e02f0f000020000 4dfc8168 c0e420 7814f punt : ppp:mlppp-lcp
[ 0: 502: 25]: c03c0bb607185001 e02e64800020000 4dfc8078 c0e460 78176 punt : pppoe:padi
[ 0: 504: 27]: c03c0b0e071a2001 e02e73800020000 4dfc7fd8 c0e438 78161 punt : pppoe:padr
[ 0: 506: 29]: c03c0b36071b4001 e02e7e000020000 4dfc7f38 c0e450 78166 punt : pppoe:padt
[ 0: 802: 72]: c03c0c1e07296001 e02f1f800020000 4dfc71c8 c0e630 78183 punt : vchassis:control-high
[ 0: 803: 73]: c03c0c5e0728e001 e02f06000020000 4dfc7178 c0e628 7818b punt : vchassis:control-low
[ 0: 805: 75]: c03c0d6607286001 e02f1b000020000 4dfc70d8 c0e648 781ac punt : vchassis:vc-ttl-err
[ 0:3c00:130]: c03c10ee073e1001 e02e7f800020000 4dfcffc0 c0e8f0 7821d punt : ttl:aggregate
[ 0:3e00:135]: c03c1126073f6001 e02e61800020000 4dfcfe30 c0e8d8 78224 punt : redirect:aggregate
[ 0:4100:138]: c03c1066073f9001 e02e69000020000 4dfcfd40 c0e8c8 7820c punt : mac-host:aggregate
[ 0:4200:139]: c03c11d6073c2001 e02e6f000020000 4dfcfcf0 c0e8a8 7823a punt : tun-frag:aggregate
[ 0:4302:142]: c03c10de073d2001 e02e70800020000 4dfcfc00 c0e8b8 7821b punt : mcast-snoop:igmp
[ 0:4303:143]: c03c109e073d6001 e02f01800020000 4dfcfbb0 c0e978 78213 punt : mcast-snoop:pim
[ 0:4402:147]: c03c13be073ea001 e02f19800020000 4dfcfa70 c0e970 78277 punt : services:packet
[ 0:4403:148]: c03c1386073c6001 e02e66000020000 4dfcfa20 c0e908 78270 punt : services:BSDT
[ 0:4500:149]: c03c13c6073f2001 e02e72000020000 4dfcf9d0 c0e918 78278 punt : demuxauto:aggregate
[ 0:4600:150]: c03c120e073fd001 e02e6d800020000 4dfcf980 c0e920 78241 punt : reject:aggregate
[ 0:5602:178]: c03c144607537001 e02f18000020000 4dfcf0c0 c0eaf0 78288 punt : sample:syslog
[ 0:5603:179]: c03c14fe07510001 e02f1c800020000 4dfcf070 c0eae0 7829f punt : sample:host
[ 0:5604:180]: c03c14be07518001 e02f04800020000 4dfcf020 c0ea90 78297 punt : sample:pfe
[ 0:5605:181]: c03c143e0752f001 e02f1e000020000 4dfcefd0 c0ead8 78287 punt : sample:tap
[ 0:5606:182]: c03c150607520001 e02f03000020000 4dfcef80 c0ea88 782a0 punt : sample:sflow
[ 0:5700:183]: c03c15b607528001 e02f07800020000 4dfcef30 c0eac8 782b6 punt : fab-probe:aggregate
[ 0:5900:197]: c03c14ae07519001 e02e6a800020000 4dfcead0 c0eb70 78295 punt : rejectv6:aggregate
[ 0:5a00:198]: c03c159607526001 e02e7b000020000 4dfcea80 c0eb60 782b2 punt : l2pt:aggregate
[ 0:5b00:199]: c03c142e07521001 e02f12000020000 4dfcea30 c0eb58 78285 punt : keepalive:aggregate
[ 0:5c00:200]: c03c15e60751e001 e02f0a800020000 4dfce9e0 c0eb20 782bc punt : inline-ka:aggregate
[ 0:5d00:201]: c03c145e07516001 e02f0d800020000 4dfce990 c0eb30 7828b punt : inline-svcs:aggregate
[ 0:5e02:204]: c03c14de0753d001 e02f09000020000 4dfce8a0 c0eb50 7829b punt : frame-relay:frf15
[ 0:5e03:205]: c03c142607529001 e02f13800020000 4dfce850 c0eb40 78284 punt : frame-relay:frf16

2. PUNT traffic with subtype type


For example, MLP packets are under this category (PR871500).
NPC2(Dokinchan-re0 vty)# show ddos policer configuration mlp
DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
115 3800 mlp aggregate Y Lo 2000 10000 --- ---
116 3801 mlp unclass.. Y Lo 2000 10000 2000 10000
117 3802 mlp packets Y Lo 2000 10000 2000 10000
118 3803 mlp aging-exc Y Lo 2000 10000 --- ---

PUNT codes directly mapped to DDOS proto:


code PUNT name group proto idx q# bwidth burst
---- -------------------- --------- ------ ---- -- ------ ------
11 PUNT_MLP mlp packets 3802 2 2000 10000

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0:3802:117]: c03c11ce07a1a001 e02eb9000010000 4c3eaad0 c0f650 78239 subtype

First, it hits the configured policer for MLP frames.


NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc03c11ce07a1a001
PolicerISSU_NH: Absolute Caddr = 0xc0f434, nextNH = 0x78239, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f434


Addr:0xc0f434, Data = 0xa3d0000047c00000

NPC2(Dokinchan-re0 vty)#

svl-jtac-tool02% bits 13 20 2 3 4 22
0xa3d0000047c00000
Wid 13 20 2 3 4 22
Bin 1010001111010 00000000000000000000 10 001 1111 0000000000000000000000
Hex 147a 0 2 1 f 0
Dec 5242 0 2 1 15 0

Policer rate = 5242 * 1562.5 / 8 / 512 = 2000 pps. Next it hits the DDOS-nh, which points to the host-path PFE policer.
NPC2(Dokinchan-re0 vty)# show jnh 0 decode e02eb9000010000

CallNH:desc_ptr:0xc05d72, mode=0, rst_stk=0x0, count=0x1

0xc05d70 0 : 0x42f07fffff800eb0

0xc05d71 1 : 0xdaf060208180c810

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xdaf060208180c810

IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04103, max=200, nbits=16

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc04103

Addr:0xc04103, Data = 0x0e02120000020000

NPC2(Dokinchan-re0 vty)# show jnh 0 dec 0x0e02120000020000

CallNH:desc_ptr:0xc04240, mode=0, rst_stk=0x0, count=0x2

0xc0423d 0 : 0x42f07fffff800010

0xc0423e 1 : 0xc0040096078c1001

0xc0423f 2 : 0x127fffffe00003f8

NPC2(Dokinchan-re0 vty)# show jnh 0 dec 0xc0040096078c1001

PolicerISSU_NH: Absolute Caddr = 0xc0f182, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0

NPC2(Dokinchan-re0 vty)#

3. HBC traffic with subtype type


The subtype traffic is mainly the L2 control traffic, for example LACP and STP. Unlike the above traffic, it is policed by its own policer only, and no further ASIC policer is applied to this control traffic. (The policer at the uKern level will be discussed later.)
PUNT's that go through HBC. See following parsed proto
code PUNT name
---- -------------
2 PUNT_OPTIONS |
4 PUNT_CONTROL |
6 PUNT_HOST_COPY |
11 PUNT_MLP |---------------+
32 PUNT_PROTOCOL | |
33 PUNT_RESOLVE | |
34 PUNT_RECEIVE | |
36 PUNT_REJECT_FW | |
54 PUNT_SEND_TO_HOST_FW | |
69 PUNT_RESOLVE_V6 | |
|
------------------------------------------------------------------
type subtype group proto idx q# bwidth burst
------ ---------- ---------- ---------- ---- -- ------ ------
contrl LACP lacp aggregate 2c00 3 20000 20000
contrl STP stp aggregate 2d00 3 20000 20000
contrl ESMC esmc aggregate 2e00 3 20000 20000
contrl OAM_LFM oam-lfm aggregate 2f00 3 20000 20000
contrl EOAM eoam aggregate 3000 3 20000 20000
contrl LLDP lldp aggregate 3100 3 20000 20000
contrl MVRP mvrp aggregate 3200 3 20000 20000
contrl PMVRP pmvrp aggregate 3300 3 20000 20000
contrl ARP arp aggregate 3400 2 20000 20000
contrl PVSTP pvstp aggregate 3500 3 20000 20000
contrl ISIS isis aggregate 3600 1 20000 20000
contrl POS pos aggregate 3700 3 20000 20000
contrl MLP mlp packets 3802 2 2000 10000
contrl JFM jfm aggregate 3900 3 20000 20000
contrl ATM atm aggregate 3a00 3 20000 20000
contrl PFE_ALIVE pfe-alive aggregate 3b00 3 20000 20000

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0:2c00:103]: c03c0f2e07a2a001 0 4c3eb160 c0f5d0 781e5 subtype
[ 0:2d00:104]: c03c0ebe07a29001 0 4c3eb0e8 c0f598 781d7 subtype

NPC2(Dokinchan-re0 vty)# show ddos policer configuration lacp


DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
103 2c00 lacp aggregate Y Hi 20000 20000 20000 20000

NPC2(Dokinchan-re0 vty)# show ddos policer configuration stp


DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
104 2d00 stp aggregate Y Hi 20000 20000 20000 20000

NPC2(Dokinchan-re0 vty)#


LACP
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0f2e07a2a001

PolicerISSU_NH: Absolute Caddr = 0xc0f454, nextNH = 0x781e5, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f454


Addr:0xc0f454, Data = 0xccc8000053c00000

NPC2(Dokinchan-re0 vty)#

svl-jtac-tool02% bits 13 20 2 3 4 22
0xccc8000053c00000
Wid 13 20 2 3 4 22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000
Hex 1999 0 2 4 f 0
Dec 6553 0 2 4 15 0

Rate = 6553 * 12500 / 8 / 512 = 20000 pps

STP
NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0ebe07a29001

PolicerISSU_NH: Absolute Caddr = 0xc0f452, nextNH = 0x781d7, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f452


Addr:0xc0f452, Data = 0xccc8000053c00000

NPC2(Dokinchan-re0 vty)#

svl-jtac-tool02% bits 13 20 2 3 4 22
0xccc8000053c00000
Wid 13 20 2 3 4 22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000
Hex 1999 0 2 4 f 0
Dec 6553 0 2 4 15 0

Rate = 6553 * 12500 / 8 / 512 = 20000 pps

4. HBC traffic with hbc & other type


Each of the pre-defined L3 control protocols has its own policer term as well.
PUNT's that go through HBC. See following parsed proto
code PUNT name
---- -------------
2 PUNT_OPTIONS |
4 PUNT_CONTROL |
6 PUNT_HOST_COPY |
11 PUNT_MLP |---------------+
32 PUNT_PROTOCOL | |
33 PUNT_RESOLVE | |
34 PUNT_RECEIVE | |
36 PUNT_REJECT_FW | |
54 PUNT_SEND_TO_HOST_FW | |
69 PUNT_RESOLVE_V6 | |
|
------------------------------------------------------------------
type subtype group proto idx q# bwidth burst
------ ---------- ---------- ---------- ---- -- ------ ------

filter ipv4 dhcpv4 aggregate 600 0 5000 5000


filter ipv6 dhcpv6 aggregate 700 0 5000 5000
filter ipv4 icmp aggregate 900 0 20000 20000
filter ipv4 igmp aggregate a00 1 20000 20000
filter ipv4 ospf aggregate b00 1 20000 20000
filter ipv4 rsvp aggregate c00 1 20000 20000
filter ipv4 pim aggregate d00 1 20000 20000
filter ipv4 rip aggregate e00 1 20000 20000
filter ipv4 ptp aggregate f00 1 20000 20000
filter ipv4 bfd aggregate 1000 1 20000 20000
filter ipv4 lmp aggregate 1100 1 20000 20000
filter ipv4 ldp aggregate 1200 1 20000 20000
filter ipv4 msdp aggregate 1300 1 20000 20000
filter ipv4 bgp aggregate 1400 0 20000 20000
filter ipv4 vrrp aggregate 1500 1 20000 20000
filter ipv4 telnet aggregate 1600 0 20000 20000
filter ipv4 ftp aggregate 1700 0 20000 20000
filter ipv4 ssh aggregate 1800 0 20000 20000
filter ipv4 snmp aggregate 1900 0 20000 20000
filter ipv4 ancp aggregate 1a00 1 20000 20000
filter ipv6 igmpv6 aggregate 1b00 1 20000 20000
filter ipv6 egpv6 aggregate 1c00 1 20000 20000
filter ipv6 rsvpv6 aggregate 1d00 1 20000 20000
filter ipv6 igmpv4v6 aggregate 1e00 1 20000 20000
filter ipv6 ripv6 aggregate 1f00 1 20000 20000
filter ipv6 bfdv6 aggregate 2000 1 20000 20000
filter ipv6 lmpv6 aggregate 2100 1 20000 20000
filter ipv6 ldpv6 aggregate 2200 1 20000 20000
filter ipv6 msdpv6 aggregate 2300 1 20000 20000
filter ipv6 bgpv6 aggregate 2400 0 20000 20000
filter ipv6 vrrpv6 aggregate 2500 1 20000 20000
filter ipv6 telnetv6 aggregate 2600 0 20000 20000
filter ipv6 ftpv6 aggregate 2700 0 20000 20000
filter ipv6 sshv6 aggregate 2800 0 20000 20000
filter ipv6 snmpv6 aggregate 2900 0 20000 20000
filter ipv6 ancpv6 aggregate 2a00 1 20000 20000
filter ipv6 ospfv3v6 aggregate 2b00 1 20000 20000
filter ipv4 tcp-flags unclass.. 4801 0 20000 20000
filter ipv4 tcp-flags initial 4802 0 20000 20000
filter ipv4 tcp-flags establish 4803 0 20000 20000
filter ipv4 dtcp aggregate 4900 0 20000 20000
filter ipv4 radius server 4a02 0 20000 20000
filter ipv4 radius account.. 4a03 0 20000 20000
filter ipv4 radius auth.. 4a04 0 20000 20000
filter ipv4 ntp aggregate 4b00 0 20000 20000
filter ipv4 tacacs aggregate 4c00 0 20000 20000
filter ipv4 dns aggregate 4d00 0 20000 20000
filter ipv4 diameter aggregate 4e00 0 20000 20000
filter ipv4 ip-frag first-frag 4f02 0 20000 20000
filter ipv4 ip-frag trail-frag 4f03 0 20000 20000
filter ipv4 l2tp aggregate 5000 0 20000 20000
filter ipv4 gre aggregate 5100 0 20000 20000
filter ipv4 ipsec aggregate 5200 0 20000 20000
filter ipv6 pimv6 aggregate 5300 1 20000 20000
filter ipv6 icmpv6 aggregate 5400 0 20000 20000
filter ipv6 ndpv6 aggregate 5500 0 20000 20000
filter ipv4 amtv4 aggregate 5f00 0 20000 20000
filter ipv6 amtv6 aggregate 6000 0 20000 20000

Take OSPF as an example. As with the L2 control traffic, the only policer applied is the OSPF one. Once the packet passes this policer, it is sent to the host queue.

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0: b00: 70]: c03c0d2e07a3a001 0 4c3de090 c0f498 781a5 hbc & others

NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c0d2e07a3a001

PolicerISSU_NH: Absolute Caddr = 0xc0f474, nextNH = 0x781a5, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f474


Addr:0xc0f474, Data = 0xccc8000053c00000

NPC2(Dokinchan-re0 vty)#

0xccc8000053c00000
Wid 13 20 2 3 4 22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000
Hex 1999 0 2 4 f 0
Dec 6553 0 2 4 15 0

Rate = 6553 * 12500 / 8 / 512 = 20000 pps

5. HBC type to PUNT type


Another traffic type classified as control traffic is the packet carrying IP options. Once it passes the policer for its type, no further policer at the ASIC level is applied.
PUNT's that go through HBC. See following parsed proto
code PUNT name
---- -------------
2 PUNT_OPTIONS |
4 PUNT_CONTROL |
6 PUNT_HOST_COPY |
11 PUNT_MLP |---------------+
32 PUNT_PROTOCOL | |
33 PUNT_RESOLVE | |
34 PUNT_RECEIVE | |
36 PUNT_REJECT_FW | |
54 PUNT_SEND_TO_HOST_FW | |
69 PUNT_RESOLVE_V6 | |
|
------------------------------------------------------------------
type subtype group proto idx q# bwidth burst
------ ---------- ---------- ---------- ---- -- ------ ------
option rt-alert ip-opt rt-alert 3d02 1 20000 20000
option unclass ip-opt unclass.. 3d01 4 10000 10000

[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type


[-----------]: ---------- ------- ------- ------- ----
[ 0:3d01:124]: c03c119607a1f001 0 4c3ea788 c0f618 78232 punt
[ 0:3d02:125]: c03c118e07a1d001 0 4c3ea710 c0f628 78231 punt

NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c119607a1f001

PolicerISSU_NH: Absolute Caddr = 0xc0f43e, nextNH = 0x78232, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f43e


Addr:0xc0f43e, Data = 0xccc800004fc00000

0xccc800004fc00000
Wid 13 20 2 3 4 22
Bin 1100110011001 00000000000000000000 10 011 1111 0000000000000000000000
Hex 1999 0 2 3 f 0
Dec 6553 0 2 3 15 0

Rate = 6553 * 6250 / 8 / 512 = 10000 pps


NPC2(Dokinchan-re0 vty)# show jnh 0 decode c03c118e07a1d001

PolicerISSU_NH: Absolute Caddr = 0xc0f43a, nextNH = 0x78231, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f43a


Addr:0xc0f43a, Data = 0xccc8000053c00000

0xccc8000053c00000
Wid 13 20 2 3 4 22
Bin 1100110011001 00000000000000000000 10 100 1111 0000000000000000000000
Hex 1999 0 2 4 f 0
Dec 6553 0 2 4 15 0

Rate = 6553 * 12500 / 8 / 512 = 20000 pps

From the DDOS policer configuration, we see two more protocols under the same group (ip-opt): unclassified and non-v4v6. The unclassified protocol is for packets carrying options other than rt-alert, and non-v4v6 is for non-IPv4/IPv6 packets sent up with PUNT_OPTIONS, which are policed by the option punt nexthop policer.

Packet Exceptions
----------------------
IP options PUNT( 2) 121976 22902560

NPC3(zenith-re0 vty)# show jnh 0 exceptions nh 2 punt


Nexthop Chain:
CallNH:desc_ptr:0xc05cfc, mode=0, rst_stk=0x0, count=0x5
0xc05cf6 0 : 0x127fffffe00003fc
0xc05cf7 1 : 0x2ffffffe07caca00
0xc05cf8 2 : 0xda00602e41000a04
0xc05cf9 3 : 0xda00602d19800a04
0xc05cfa 4 : 0xda00602e47000a04
0xc05cfb 5 : 0xdaf060208080c010

NPC3(zenith-re0 vty)# show jnh 0 dec 0xdaf060208080c010


IndexNH:key_ptr:0xbc/0, desc_ptr=0xc04101, max=192, nbits=16

NPC3(zenith-re0 vty)# show jnh 0 vread 0xc04101


Addr:0xc04101, Data = 0x0e02102000020000

NPC3(zenith-re0 vty)# show jnh 0 dec 0x0e02102000020000


CallNH:desc_ptr:0xc04204, mode=0, rst_stk=0x0, count=0x2
0xc04201 0 : 0x42f07fffff800010
0xc04202 1 : 0xc0040096078fe001
0xc04203 2 : 0x127fffffe00003f8

NPC3(zenith-re0 vty)# show jnh 0 dec 0xc0040096078fe001


PolicerISSU_NH: Absolute Caddr = 0xc0f1fc, nextNH = 0x8012, , type:0, color=0, op=0 use_layer3_len = 0x0, num_nh
= 0x0


DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
123 3d00 ip-opt aggregate Y Hi 20000 20000 --- ---
124 3d01 ip-opt unclass.. Y Lo 10000 10000 10000 10000
125 3d02 ip-opt rt-alert Y Hi 20000 20000 20000 20000
126 3d03 ip-opt non-v4v6 Y Lo 10000 10000 10000 10000

[ 0: 101: 2]: c00401ee071a6001 0 4dfbc7a0 c0e390 803d punt : resolve:other
[ 0: 102: 3]: c004015607181001 0 4dfbc750 c0e3f0 802a punt : resolve:ucast-v4
[ 0: 103: 4]: c00401d607189001 0 4dfbc700 c0e388 803a punt : resolve:mcast-v4
[ 0: 104: 5]: c004001e07191001 0 4dfbc6b0 c0e3e0 8003 punt : resolve:ucast-v6
[ 0: 105: 6]: c004005e0719e001 0 4dfbc660 c0e398 800b punt : resolve-mcast-v6
[ 0: 201: 8]: c00400ae07196001 0 4dfbc598 c0e3d8 8015 punt : filter-act:other
[ 0: 202: 9]: c004002e071a1001 0 4dfbc548 c0e3b0 8005 punt : filter-act:filter-v4
[ 0: 203: 10]: c00401a60718e001 0 4dfbc4f8 c0e3a8 8034 punt : filter-act:filter-v6
[ 0:3d01:132]: c03c1096073f1001 0 4dfcff20 c0e8e0 78212 punt : ip-opt:uncassified
[ 0:3d02:133]: c03c102e073c7001 0 4dfcfed0 c0e888 78205 punt : ip-opt:rt-alert
[ 0:3d03:134]: c03c11a6073fe001 0 4dfcfe80 c0e898 78234 punt : ip-opt:non-v4v6
[ 0:5800:184]: c03c15c607527001 0 4dfceee0 c0ea98 782b8 punt : uncls:aggregate
[ 0:5801:185]: c03c140e07530001 0 4dfcee90 c0eaa0 78281 punt : uncls:other
[ 0:5802:186]: c03c15360751f001 0 4dfcee40 c0eab0 782a6 punt : uncls:resolve-v4
[ 0:5803:187]: c03c14f607517001 0 4dfcedf0 c0ead0 7829e punt : uncls:resolve-v6
[ 0:5804:188]: c03c14b60750f001 0 4dfceda0 c0eac0 78296 punt : uncls:control-v4
[ 0:5805:189]: c03c154e07507001 0 4dfced50 c0eab8 782a9 punt : uncls:control-v6
[ 0:5806:190]: c03c147607538001 0 4dfced00 c0eaa8 7828e punt : uncls:host-rt-v4
[ 0:5807:191]: c03c14160753e001 0 4dfcecb0 c0eb00 78282 punt : uncls:host-rt-v6
[ 0:5808:192]: c03c143607501001 0 4dfcec60 c0eb78 78286 punt : uncls:filter-v4
[ 0:5809:193]: c03c149607509001 0 4dfcec10 c0eb10 78292 punt : uncls:filter-v6
[ 0:580a:194]: c03c156e07511001 0 4dfcebc0 c0eb08 782ad punt : uncls:control-l2
[ 0:580b:195]: c03c152e07536001 0 4dfceb70 c0eb18 782a5 punt : uncls:fw-host
[ 0:580c:196]: c03c15560752e001 0 4dfceb20 c0eb68 782aa punt : uncls:mcast-copy

6. Aggregated policer under the same group


Some protocols have an aggregate policer applied in the HBC filter, for example DHCPv4/v6 and REJECT. The others, however, do not point to one. The rule is: if we can parse the packet into individual types, there is no aggregate policer at the ASIC level (i.e. the LU chip) and the aggregate policer is placed in the uKern. Otherwise, there is an aggregate policer at both the ASIC level and the uKern level.

For example, this is the configuration for OSPF, as we can't (or don't need to?) parse it into different types like Hello, LSA request, etc.
NPC2(Dokinchan-re0 vty)# show ddos policer configuration ospf
DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
70 b00 ospf aggregate Y Hi 20000 20000 20000 20000


NPC2(Dokinchan-re0 vty)#
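The rule above can be checked mechanically against the `[LU:Prot:Idx]` tables quoted in this document: an entry whose ddos-nh is 0 is policed on the LU chip by its own policer only, while a non-zero ddos-nh chains into the host-path aggregate policer (DDOS index 0). The following is an added example, not code from this document or from Juniper; the sample lines are copied from the tables above, and the split of the protocol id into a group byte and a protocol byte (0x3800 mlp aggregate, 0x3802 mlp packets, 0x0 host-path aggregate) is inferred from those tables.

```python
"""Parse `[LU:Prot:Idx]` policer-table lines and report the LU-chip policer
chain for each DDoS protocol.

Added example, not Juniper code. The classification rule (ddos-nh == 0 means
per-protocol policer only; ddos-nh != 0 means the per-protocol policer is
followed by the host-path aggregate policer) is the one stated in the text.
"""
import re

# Constructed sample: lines copied from the `[LU:Prot:Idx]` tables in this document.
SAMPLE_TABLE = """\
[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type
[-----------]: ---------- ------- ------- ------- ----
[ 0: 0: 0]: c0040096078c1001 0 4817d130 c0f270 8012 hbc & others
[ 0:3c00:122]: c03c106607a21001 e01454000010000 4c3ea878 c0f610 7820c punt
[ 0:3802:117]: c03c11ce07a1a001 e02eb9000010000 4c3eaad0 c0f650 78239 subtype
[ 0:2c00:103]: c03c0f2e07a2a001 0 4c3eb160 c0f5d0 781e5 subtype
[ 0: b00: 70]: c03c0d2e07a3a001 0 4c3de090 c0f498 781a5 hbc & others
[ 0:3d02:125]: c03c118e07a1d001 0 4c3ea710 c0f628 78231 punt
[ 0: 402: 14]: c0040126071a9001 e02e78000020000 4dfbc3b8 c0e3d0 8024 punt : ppp:lcp
"""

# One table row: [LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type [: group:proto]
ENTRY_RE = re.compile(
    r"^\[\s*(?P<lu>\d+):\s*(?P<prot>[0-9a-f]+):\s*(?P<idx>\d+)\]:\s+"
    r"(?P<policer_nh>[0-9a-f]+)\s+(?P<ddos_nh>[0-9a-f]+)\s+(?P<p_result>[0-9a-f]+)\s+"
    r"(?P<cntr_nh>[0-9a-f]+)\s+(?P<ctr_addr>[0-9a-f]+)\s+(?P<type>[^:]+?)"
    r"(?:\s*:\s*(?P<name>\S+))?\s*$"
)


def split_prot(prot):
    """Split a DDoS protocol id into (group id, protocol id); protocol id 0 is the group aggregate."""
    return prot >> 8, prot & 0xff


def parse_policer_table(text):
    """Return one dict per data row; header and separator rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        prot = int(m["prot"], 16)
        group, proto = split_prot(prot)
        entries.append({
            "prot": prot, "group": group, "proto": proto, "idx": int(m["idx"]),
            "policer_nh": int(m["policer_nh"], 16), "ddos_nh": int(m["ddos_nh"], 16),
            "type": m["type"], "name": m["name"],
        })
    return entries


def policer_chain(entry):
    """List, in order, the LU-chip policers a packet of this protocol passes through."""
    if entry["prot"] == 0:
        return ["host-path aggregate policer (DDOS index 0)"]
    chain = [f"per-protocol policer 0x{entry['policer_nh']:x}"]
    if entry["ddos_nh"] != 0:
        chain.append("host-path aggregate policer (DDOS index 0)")
    return chain


def aggregate_policed_prots(entries):
    """Protocol ids whose ddos-nh chains into the host-path aggregate policer."""
    return sorted(e["prot"] for e in entries if e["prot"] != 0 and e["ddos_nh"] != 0)


if __name__ == "__main__":
    for e in parse_policer_table(SAMPLE_TABLE):
        label = e["name"] or f"group 0x{e['group']:x} proto {e['proto']}"
        print(f"0x{e['prot']:04x} ({e['type']}, {label}): {' -> '.join(policer_chain(e))}")
```

Run against the full table from `show ddos policer` output, the `aggregate_policed_prots` result should match the "Aggregate Policer" column of the summary table at the end of this section; any entry where the two disagree is worth a closer look with `show jnh <n> decode` on its ddos-nh.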

7. HBC policer with exception traffic


There are exceptions of DISC type that still need to be sent up to the host for further processing. For example:
Packet Exceptions
----------------------
mtu exceeded DISC(21) 0 0
frag needed but DF set DISC(22) 0 0

These types of packets go through the HBC policer.
NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 21 discard
Nexthop Chain:
CallNH:desc_ptr:0xc05c48, mode=0, rst_stk=0x0, count=0x3
0xc05c44 0 : 0x2ffffffe07caba00
0xc05c45 1 : 0xc03c152607cb9001
0xc05c46 2 : 0x127fffffe00003fe
0xc05c47 3 : 0x260081d80000000c

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc03c152607cb9001


PolicerISSU_NH: Absolute Caddr = 0xc0f972, nextNH = 0x782a4, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions nh 22 discard


Nexthop Chain:
CallNH:desc_ptr:0xc05c4c, mode=0, rst_stk=0x0, count=0x3
0xc05c48 0 : 0x2ffffff800014600
0xc05c49 1 : 0xc03c152607cb9001
0xc05c4a 2 : 0x127fffffe00003fe
0xc05c4b 3 : 0x260081d80000000c

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xc03c152607cb9001


PolicerISSU_NH: Absolute Caddr = 0xc0f972, nextNH = 0x782a4, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 exception hbc policers


Global Policer:
policer_nexthop: 0xC03C152607CB9001
policer_result: 0x4C3F2360
dropped packets: 0

Hostbound policer packet drops: 0
Hostbound policer byte drops: 0
Aggregate policer packet drops: 206974807
Aggregate policer byte drops: 16144034946
Aggregate IPv6 policer packet drops: 0
Aggregate IPv6 policer byte drops: 0

NPC2(Dokinchan-re0 vty)# show jnh 0 decode 0xC03C152607CB9001


PolicerISSU_NH: Absolute Caddr = 0xc0f972, nextNH = 0x782a4, , type:0, color=0, op=0 use_layer3_len = 0x0,
num_nh = 0x0

NPC2(Dokinchan-re0 vty)# show jnh 0 vread 0xc0f972


Addr:0xc0f972, Data = 0x29f0000043c00000

NPC2(Dokinchan-re0 vty)#

0x29f0000043c00000
Wid 13 20 2 3 4 22
Bin 0010100111110 00000000000000000000 10 000 1111 0000000000000000000000
Hex 53e 0 2 0 f 0
Dec 1342 0 2 0 15 0

Rate = 1342 * 781.25 ~= 1 Mbps. This is implemented as a packet-based policer as well, which gives 1342 * 781.25 / 8 / 512 ~= 256 pps.

Here is a table listing the ASIC policer(s) applied to each host-bound packet type.

Group   Protocol   DDOS Protocol ID   DDOS Protocol Index   ASIC Policer   Aggregate Policer
host-path aggregate 0x0 0 --- Yes
ipv4-unclassifed aggregate 0x100 1 Yes No
ipv6-unclassified aggregate 0x200 2 Yes No
dynamic vlan aggregate 0x300 3 Yes Yes ( DDOS index 0)
ppp aggregate 0x400 4 --- Yes
ppp unclassified 0x401 5 Yes Yes ( DDOS index 0)
ppp lcp 0x402 6 Yes Yes ( DDOS index 0)
ppp auth 0x403 7 Yes Yes ( DDOS index 0)
ppp ipcp 0x404 8 Yes Yes ( DDOS index 0)
ppp ipv6cp 0x405 9 Yes Yes ( DDOS index 0)
ppp mplscp 0x406 10 Yes Yes ( DDOS index 0)
ppp isis 0x407 11 Yes Yes ( DDOS index 0)
ppp echo-req 0x408 12 Yes Yes ( DDOS index 0)
ppp echo-reply 0x409 13 Yes Yes ( DDOS index 0)
ppp mlppp-lcp 0x40a 14 Yes Yes ( DDOS index 0)
pppoe aggregate 0x500 15 Yes No
pppoe unclassified 0x501 16 DROP ---
pppoe padi 0x502 17 Yes Yes ( DDOS index 0)
pppoe pado 0x503 18 DROP ---
pppoe padr 0x504 19 Yes Yes ( DDOS index 0)
pppoe pads 0x505 20 DROP ---
pppoe padt 0x506 21 Yes Yes ( DDOS index 0)
pppoe padm 0x507 22 DROP ---
pppoe padn 0x508 23 DROP ---
dhcpv4 aggregate 0x600 24 Yes No
dhcpv4 unclassified 0x601 25 Yes No
dhcpv4 discover 0x602 26 Yes No
dhcpv4 offer 0x603 27 Yes No
dhcpv4 request 0x604 28 Yes No
dhcpv4 decline 0x605 29 Yes No
dhcpv4 ack 0x606 30 Yes No
dhcpv4 nak 0x607 31 Yes No
dhcpv4 release 0x608 32 Yes No
dhcpv4 inform 0x609 33 Yes No
dhcpv4 renew 0x60a 34 Yes No
dhcpv4 force-renew 0x60b 35 Yes No
dhcpv4 lease-query 0x60c 36 Yes No
dhcpv4 lease-unasigned 0x60d 37 Yes No
dhcpv4 lease-unknown 0x60e 38 Yes No
dhcpv4 lease-active 0x60f 39 Yes No
dhcpv4 bootp 0x610 40 Yes No
dhcpv4 no-message-type 0x611 41 Yes No
dhcpv4 bad-packet 0x612 42 DROP ---
dhcpv6 aggregate 0x700 43 Yes No
dhcpv6 unclassified 0x701 44 Yes No
dhcpv6 solicit 0x702 45 Yes No
dhcpv6 advertise 0x703 46 Yes No
dhcpv6 request 0x704 47 Yes No
dhcpv6 confirm 0x705 48 Yes No
dhcpv6 renew 0x706 49 Yes No
dhcpv6 rebind 0x707 50 Yes No
dhcpv6 reply 0x708 51 Yes No
dhcpv6 release 0x709 52 Yes No
dhcpv6 decline 0x70a 53 Yes No
dhcpv6 reconfigure 0x70b 54 Yes No
dhcpv6 information-request 0x70c 55 Yes No
dhcpv6 relay-forward 0x70d 56 Yes No
dhcpv6 relay-reply 0x70e 57 Yes No
dhcpv6 lease-query 0x70f 58 Yes No
dhcpv6 lease-query-reply 0x710 59 Yes No
dhcpv6 lease-query-done 0x711 60 Yes No
dhcpv6 lease-query-data 0x712 61 Yes No
vchassis aggregate 0x800 62 Yes No
vchassis unclassified 0x801 63 DROP ---
vchassis control-high-priority 0x802 64 Yes Yes ( DDOS index 0)
vchassis control-low-priority 0x803 65 Yes Yes ( DDOS index 0)
vchassis vc-packets 0x804 66 Yes No
vchassis vc-ttl-errors 0x805 67 Yes Yes ( DDOS index 0)
icmp aggregate 0x900 68 Yes No
igmp aggregate 0xa00 69 Yes No
ospf aggregate 0xb00 70 Yes No
rsvp aggregate 0xc00 71 Yes No
pim aggregate 0xd00 72 Yes No
rip aggregate 0xe00 73 Yes No
ptp aggregate 0xf00 74 Yes No
bfd aggregate 0x1000 75 Yes No
lmp aggregate 0x1100 76 Yes No
ldp aggregate 0x1200 77 Yes No
msdp aggregate 0x1300 78 Yes No
bgp aggregate 0x1400 79 Yes No
vrrp aggregate 0x1500 80 Yes No
telnet aggregate 0x1600 81 Yes No
ftp aggregate 0x1700 82 Yes No
ssh aggregate 0x1800 83 Yes No
snmp aggregate 0x1900 84 Yes No
ancp aggregate 0x1a00 85 Yes No
igmpv6 aggregate 0x1b00 86 Yes No
egpv6 aggregate 0x1c00 87 Yes No
rsvpv6 aggregate 0x1d00 88 Yes No
igmpv4v6 aggregate 0x1e00 89 Yes No
ripv6 aggregate 0x1f00 90 Yes No
bfdv6 aggregate 0x2000 91 Yes No
lmpv6 aggregate 0x2100 92 Yes No
ldpv6 aggregate 0x2200 93 Yes No
msdpv6 aggregate 0x2300 94 Yes No
bgpv6 aggregate 0x2400 95 Yes No
vrrpv6 aggregate 0x2500 96 Yes No
telnetv6 aggregate 0x2600 97 Yes No
ftpv6 aggregate 0x2700 98 Yes No
sshv6 aggregate 0x2800 99 Yes No
snmpv6 aggregate 0x2900 100 Yes No
ancpv6 aggregate 0x2a00 101 Yes No
ospfv3v6 aggregate 0x2b00 102 Yes No
lacp aggregate 0x2c00 103 Yes No
stp aggregate 0x2d00 104 Yes No
esmc aggregate 0x2e00 105 Yes No
oam-lfm aggregate 0x2f00 106 Yes No
eoam aggregate 0x3000 107 Yes No
lldp aggregate 0x3100 108 Yes No
mvrp aggregate 0x3200 109 Yes No
pmvrp aggregate 0x3300 110 Yes No
arp aggregate 0x3400 111 Yes No
pvstp aggregate 0x3500 112 Yes No
isis aggregate 0x3600 113 Yes No
pos aggregate 0x3700 114 Yes No
mlp aggregate 0x3800 115 Yes No
mlp unclassified 0x3801 116 Yes No
mlp packets 0x3802 117 Yes Yes ( DDOS index 0)
mlp aging-exception 0x3803 118 Yes No
jfm aggregate 0x3900 119 Yes No
atm aggregate 0x3a00 120 Yes No
pfe-alive aggregate 0x3b00 121 Yes No
ttl aggregate 0x3c00 122 Yes Yes ( DDOS index 0)
ip-opt aggregate 0x3d00 123 Yes No
ip-opt unclassified 0x3d01 124 Yes No
ip-opt rt-alert 0x3d02 125 Yes No
ip-opt non-v4v6 0x3d03 126 Yes No
redirect aggregate 0x3e00 127 Yes Yes ( DDOS index 0)
control aggregate 0x3f00 128 Yes No
mcast-copy aggregate 0x4000 129 Yes No
mac-host aggregate 0x4100 130 Yes Yes ( DDOS index 0)
tunnel-fragment aggregate 0x4200 131 Yes Yes ( DDOS index 0)
mcast-snoop aggregate 0x4300 132 Yes No
mcast-snoop unclassified 0x4301 133 DROP ---
mcast-snoop igmp 0x4302 134 Yes Yes ( DDOS index 0)
mcast-snoop pim 0x4303 135 Yes Yes ( DDOS index 0)
mcast-snoop mld 0x4304 136 Yes No
services aggregate 0x4400 137 Yes No
services unclassified 0x4401 138 Yes No
services packet 0x4402 139 Yes Yes ( DDOS index 0)
services BSDT 0x4403 140 Yes Yes ( DDOS index 0)
demuxauto aggregate 0x4500 141 Yes Yes ( DDOS index 0)
reject aggregate 0x4600 142 Yes Yes ( DDOS index 0)
fw-host aggregate 0x4700 143 Yes No
tcp-flags aggregate 0x4800 144 Yes No
tcp-flags unclassified 0x4801 145 Yes No
tcp-flags initial 0x4802 146 Yes No
tcp-flags establish 0x4803 147 Yes No
dtcp aggregate 0x4900 148 Yes No
radius aggregate 0x4a00 149 Yes No
radius unclassified 0x4a01 150 Yes No
radius server 0x4a02 151 Yes No
radius accounting traffic 0x4a03 152 Yes No
radius auth 0x4a04 153 Yes No
ntp aggregate 0x4b00 154 Yes No
tacacs aggregate 0x4c00 155 Yes No
dns aggregate 0x4d00 156 Yes No
diameter aggregate 0x4e00 157 Yes No
ip-fragment aggregate 0x4f00 158 Yes No
ip-fragment unclassified 0x4f01 159 Yes No
ip-fragment first-fragment 0x4f02 160 Yes No
ip-fragment trail-fragment 0x4f03 161 Yes No
l2tp aggregate 0x5000 162 Yes No
gre aggregate 0x5100 163 Yes No
ipsec aggregate 0x5200 164 Yes No
pimv6 aggregate 0x5300 165 Yes No
icmpv6 aggregate 0x5400 166 Yes No
ndpv6 aggregate 0x5500 167 Yes No
sample aggregate 0x5600 168 Yes No
sample unclassified 0x5601 169 DROP ---
sample syslog 0x5602 170 Yes No
sample host 0x5603 171 Yes No
sample pfe 0x5604 172 Yes No
sample tap 0x5605 173 Yes No
sample sflow 0x5606 174 Yes No
fab-out-probe-packet aggregate 0x5700 175 Yes No
unclassified aggregate 0x5800 176 Yes No
unclassified other 0x5801 177 Yes No
unclassified resolve-v4 0x5802 178 Yes No
unclassified resolve-v6 0x5803 179 Yes No
unclassified control-v4 0x5804 180 Yes No
unclassified control-v6 0x5805 181 Yes No
unclassified host-route-v4 0x5806 182 Yes No
unclassified host-route-v6 0x5807 183 Yes No
unclassified filter-v4 0x5808 184 Yes No
unclassified filter-v6 0x5809 185 Yes No
unclassified control-l2 0x580a 186 Yes No
unclassified fw-host 0x580b 187 Yes No
unclassified mcast-copy 0x580c 188 Yes No
rejectv6 aggregate 0x5900 189 Yes Yes ( DDOS index 0)
l2pt aggregate 0x5a00 190 Yes Yes ( DDOS index 0)
keepalive aggregate 0x5b00 191 Yes Yes ( DDOS index 0)
inline-ka aggregate 0x5c00 192 Yes Yes ( DDOS index 0)
inline-services aggregate 0x5d00 193 Yes Yes ( DDOS index 0)
frame-relay aggregate 0x5e00 194 Yes No
frame-relay unclassified 0x5e01 195 DROP ---
frame-relay frf15 0x5e02 196 Yes Yes ( DDOS index 0)
frame-relay frf16 0x5e03 197 Yes Yes ( DDOS index 0)
amtv4 aggregate 0x5f00 198 Yes No
amtv6 aggregate 0x6000 199 Yes No

Host Bound Queue Mapping


For all exception traffic (PUNT type), the mapping is defined in src/pfe/common/pfe-arch/trinity/toolkits/jnh/jnh_exception.h. For example, this is the entry for a packet hitting a resolve next hop; it uses the Q_OTHER_ERRS host bound queue:
    {
        .e_category = CAT_ROUTING,
        .e_code = PACKET_PUNT_RESOLVE,
        .e_name = "resolve route",
        .e_type = PUNT,
        .e_nh = CNT,
        .e_queue = Q_OTHER_ERRS,
        .e_help =
            "Packet is punted to host as it hit an RNH_RESOLV nexthop."
    },

The following table lists the host queue used by packets hitting each exception in the microcode; the number in parentheses is the exception code value.

Host queue                  Exception codes
Q0 (Q_L3_LO)                PACKET_PUNT_RECEIVE(34), PACKET_PUNT_PROTOCOL(32), PACKET_PUNT_REDIRECT(3),
                            PACKET_PUNT_SERVICES(38), PACKET_PUNT_DEMUXAUTOSENSE(39), PACKET_PUNT_TUNNEL_FRAGMENT(8)
Q1 (Q_L3_HI)                PACKET_PUNT_LU_NOTIF(17), PACKET_PUNT_SEND_TO_HOST_SVCS(70)
Q2 (Q_L2_LO)                PACKET_PUNT_L2PT_ERROR(14), PACKET_PUNT_HOST_COPY(6), PACKET_PUNT_AUTOSENSE(35),
                            PACKET_PUNT_MAC_FWD_TYPE_HOST(7), PACKET_PUNT_PPPOE_PADI(45), PACKET_PUNT_PPPOE_PADR(46),
                            PACKET_PUNT_PPPOE_PADT(47), PACKET_PUNT_PPP_LCP(48), PACKET_PUNT_LCP_ECHO_REQ(60),
                            PACKET_PUNT_LCP_ECHO_REP(63), PACKET_PUNT_PPP_AUTH(49), PACKET_PUNT_PPP_IPV4CP(50),
                            PACKET_PUNT_PPP_IPV6CP(51), PACKET_PUNT_PPP_MPLSCP(52), PACKET_PUNT_PPP_ISIS(57),
                            PACKET_PUNT_MLPPP_LCP(64), PACKET_PUNT_PPP_UNCLASSIFIED_CP(53), PACKET_PUNT_SEND_TO_HOST_FW(54),
                            PACKET_PUNT_SEND_TO_HOST_FW_INLINE_SVCS(59), PACKET_PUNT_MLP(11), PACKET_PUNT_MLFR_CONTROL(65),
                            PACKET_PUNT_MFR_CONTROL(66)
Q3 (Q_L2_HI)                PACKET_PUNT_CONTROL(4), PACKET_PUNT_VC_HI(55), PACKET_PUNT_KEEPALIVE(58),
                            PACKET_PUNT_INLINE_KA(61), PACKET_PUNT_DDOS_POLICER_VIOL(15)
Q4 (Q_OPTN)                 PACKET_PUNT_OPTIONS(2), PACKET_PUNT_IGMP_SNOOP(12), PACKET_PUNT_PIM_SNOOP(18),
                            PACKET_PUNT_MLD_SNOOP(19), PACKET_PUNT_VC_LO(56), PACKET_PUNT_VC_TTL_ERROR(13)
Q5 (Q_IIF_MMTCH_TTL_EXPR)   PACKET_PUNT_TTL(1)
Q6 (Q_OTHER_ERRS)           PACKET_PUNT_REJECT_FW(36), PACKET_PUNT_REJECT(40), PACKET_PUNT_REJECT_V6(48),
                            PACKET_PUNT_RESOLVE(33), PACKET_PUNT_RESOLVE_V6(69), PACKET_ERR_FRAG_NEED_DF_SET,
                            PACKET_ERR_MTU_EXCEEDED, PACKET_ERR_ENUM_CHK_MISMATCH (IIF mismatch)
Q7 (Q_SAMPLE)               PACKET_PUNT_SAMPLE_SYSLOG(41), PACKET_PUNT_SAMPLE_HOST(42), PACKET_PUNT_SAMPLE_PFE(43),
                            PACKET_PUNT_SAMPLE_TAP(44), PACKET_PUNT_SAMPLE_SFLOW(71), PACKET_PUNT_FAB_OUT_PROBE_PKT(5)

Exception traffic that hits the HBC policer is of the discard exception type, tagged TRKL:
- PACKET_ERR_ENUM_CHK_MISMATCH (mcast rpf mismatch)
- PACKET_ERR_MTU_EXCEEDED (mtu exceeded)
- PACKET_ERR_FRAG_NEED_DF_SET (frag needed but DF set)

In addition, DDOS classifies the packets and applies the corresponding policer before sending them to the host via the MQ host bound queues. There are 8 host bound queues (MQchip Qsys 0, queues 1016-1023), each carrying a different class of traffic:
// Host bound queue offsets
#define Q_HOST_L3_LO_OFF 0
#define Q_HOST_L3_HI_OFF 1
#define Q_HOST_L2_LO_OFF 2
#define Q_HOST_L2_HI_OFF 3
#define Q_HOST_OPTN_OFF 4
#define Q_HOST_IIF_MMTCH_TTL_EXPR_OFF 5
#define Q_HOST_OTHER_ERRS_OFF 6
#define Q_HOST_SAMPLE_OFF 7

typedef enum hostbound_q_ {
    Q_L3_LO = Q_HOST_L3_LO_OFF,
    Q_L3_HI = Q_HOST_L3_HI_OFF,
    Q_L2_LO = Q_HOST_L2_LO_OFF,
    Q_L2_HI = Q_HOST_L2_HI_OFF,
    Q_OPTN = Q_HOST_OPTN_OFF,
    Q_IIF_MMTCH_TTL_EXPR = Q_HOST_IIF_MMTCH_TTL_EXPR_OFF,
    Q_OTHER_ERRS = Q_HOST_OTHER_ERRS_OFF,
    Q_SAMPLE = Q_HOST_SAMPLE_OFF
} hostbound_q_t;

The mapping between protocol packets and the host bound queue they use is built in src/pfe/common/pfe-arch/trinity/toolkits/jnh_app/jnh_ddos.c, in jnh_ddos_setup_asic_proto_id_maps().

The following table lists the mapping between protocols and the host bound queue used after classification and policing. For example, once an IP option packet hits the PACKET_PUNT_OPTIONS exception, the PUNT goes through the HBC and is classified as either the router-alert option protocol (IP_OPT_RT_ALERT, Q1) or another option protocol (IP_OPT_UNCLS, Q4), and is then placed in the corresponding host bound queue.

Host queue                  Protocols
Q0 (Q_L3_LO)                ICMP, DHCPV4, BGP, TELNET, FTP, SSH, SNMP, DHCPV6, BGPV6, TELNETV6, FTPV6, SSHV6,
                            SNMPV6, ICMPV6, NDPV6, TCP_FLAGS_UNCLS, TCP_FLAGS_INITIAL, TCP_FLAGS_ESTAB, DTCP,
                            RADIUS_SERVER, RADIUS_ACCOUNT, RADIUS_AUTH, NTP, TACACS, DNS, DIAMETER, IP_FRAG_FIRST,
                            IP_FRAG_TRAIL, L2TP, GRE, IPSEC, AMTV4, AMTV6, REDIRECT, TUNNEL_FRAGMENT, SERVICES,
                            DEMUXAUTOSENSE, FAB_OUT_PROBE_PKT
Q1 (Q_L3_HI)                IGMP, OSPF, RSVP, PIM, RIP, PTP, BFD, LMP, LDP, MSDP, VRRP, ANCP, IGMPV6, EGPV6, RSVPV6,
                            PIMV6, IGMPV4V6, RIPV6, BFDV6, LMPV6, LDPV6, MSDPV6, VRRPV6, ANCPV6, OSPFV3V6,
                            SEND_TO_HOST_SVCS, ISIS, IP_OPT_RT_ALERT
Q2 (Q_L2_LO)                AUTOSENSE, PPPOE_PADI, PPP_LCP, PPP_LCP_ECHO_REQ, PPP_LCP_ECHO_REP, PPP_UNCLASSIFIED_CP,
                            MLPPP_LCP, VC_LO, VC_TTL_ERROR, MAC_FWD_TYPE_HOST, MLP, L2PT_ERROR,
                            SEND_TO_HOST_FW_INLINE_SVCS, MLFR_CONTROL, MFR_CONTROL, ARP
Q3 (Q_L2_HI)                PPPOE_PADR, PPPOE_PADT, PPP_AUTH, PPP_IPV4CP, PPP_IPV6CP, PPP_MPLSCP, PPP_ISIS, VC_HI,
                            KEEPALIVE, INLINE_KA, LACP, STP, ESMC, OAM_LFM, EOAM, LLDP, MVRP, PMVRP, PVSTP, POS, JFM,
                            ATM, PFE_ALIVE
Q4 (Q_OPTN)                 IGMP_SNOOP, PIM_SNOOP, IP_OPT_UNCLS, IP_OPT_NON_V4V6
Q5 (Q_IIF_MMTCH_TTL_EXPR)   TTL
Q6 (Q_OTHER_ERRS)           REJECT, REJECT_V6
Q7 (Q_SAMPLE)               SAMPLE_SYSLOG, SAMPLE_HOST, SAMPLE_PFE, SAMPLE_TAP, SAMPLE_SFLOW

uKern Level
After each PFE has policed its host bound traffic, the packets reach the uKern on the FPC, where the traffic aggregated from all PFEs may be policed again according to the DDOS policer configuration. The uKern policer is a simple token bucket: the rate is a per-packet rate (pps) and the burst is the maximum number of credits that can accumulate.

Take IP option packets as an example. After each PFE has applied its policer to the corresponding option packet type, the traffic from all PFEs reaches the uKern, where the corresponding protocol policer polices all of it again, so every packet goes through a second round of policing:
- ip-option unclassified packets from all PFEs within the MPC hit a policer (10000 pps, UKERN-Config)
- ip-option rt-alert packets from all PFEs within the MPC hit a policer (20000 pps, UKERN-Config)
- the sum of both ip-option packet types then goes through an aggregate policer on the uKern, so that together they do not exceed 20000 pps (UKERN-Config)

NPC2(Dokinchan-re0 vty)# show ddos policer configuration ip-options


DDOS Policer Configuration:
UKERN-Config PFE-Config
idx prot group proto on Pri rate burst rate burst
--- --- ------------ ------------ -- -- ------ ----- ------ -----
123 3d00 ip-opt aggregate Y Hi 20000 20000 --- ---
124 3d01 ip-opt unclass.. Y Lo 10000 10000 10000 10000
125 3d02 ip-opt rt-alert Y Hi 20000 20000 20000 20000
126 3d03 ip-opt non-v4v6 Y Lo 10000 10000 10000 10000

NPC2(Dokinchan-re0 vty)#

Here the priority plays an important role: at the aggregate policer it is a strict priority, as long as the high-priority traffic stays within its own individual policer. In the following test, both rt-alert and unclassified ip-option packets arrive on the same PFE and FPC. Because rt-alert is high priority and its individual rate equals the uKern aggregate rate (20000 pps), rt-alert packets are never dropped at the aggregate even when they use all of it, while the low-priority unclassified packets pass at 0 pps on the uKern.
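The two-stage policing and the strict priority at the aggregate can be reproduced with a small token-bucket model. The following Python is an added example, not Juniper code: it uses the ip-options rates shown above (unclassified 10000 pps Lo, rt-alert 20000 pps Hi, non-v4v6 10000 pps Lo, aggregate 20000 pps) and constructed offered loads, and shows both outcomes seen on this page, namely that rt-alert offered above 20000 pps keeps the whole aggregate so unclassified passes nothing at the uKern, and that rt-alert reduced below the aggregate rate lets unclassified take the leftover credit. The 1 ms scheduling tick and the buckets starting full are modelling assumptions.

```python
"""Two-stage DDoS policing with strict priority at the aggregate.

Added example, not Juniper code.  Each packet type is policed by its own
token bucket, and the survivors of a protocol group share the group's
aggregate bucket, where high-priority types are served before low-priority
ones.  The ip-options rates are the ones shown on this page; the offered
loads, the 1 ms scheduling tick and the buckets starting full are
modelling assumptions.
"""


class Policer:
    """Token bucket counted in packets: `rate` pps, `burst` packets deep."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = self.burst            # assumption: bucket starts full

    def refill(self, dt):
        self.tokens = min(self.burst, self.tokens + self.rate * dt)

    def take(self, n):
        """Admit up to n packets, one token each; return how many passed."""
        passed = min(n, int(self.tokens))
        self.tokens -= passed
        return passed


class PolicerGroup:
    """One DDoS protocol group: individual policers plus the aggregate."""

    def __init__(self, aggregate, members):
        self.aggregate = aggregate          # Policer for the whole group
        self.members = members              # name -> (Policer, "Hi" | "Lo")

    def tick(self, offered, dt):
        """Police one scheduling interval.

        offered: name -> packets arriving in this interval.
        Returns name -> packets that survived both stages.
        """
        self.aggregate.refill(dt)
        for policer, _ in self.members.values():
            policer.refill(dt)
        # Stage 1: every packet type against its own policer.
        survivors = {name: self.members[name][0].take(n) for name, n in offered.items()}
        # Stage 2: the aggregate.  Strict priority: high-priority types draw
        # credit first, so low-priority types only see what is left over.
        order = sorted(survivors, key=lambda name: self.members[name][1] != "Hi")
        return {name: self.aggregate.take(survivors[name]) for name in order}


def ip_options_group():
    """Defaults from `show ddos policer configuration ip-options` on this page."""
    return PolicerGroup(
        aggregate=Policer(rate=20000, burst=20000),
        members={
            "unclassified": (Policer(10000, 10000), "Lo"),
            "rt-alert": (Policer(20000, 20000), "Hi"),
            "non-v4v6": (Policer(10000, 10000), "Lo"),
        },
    )


def simulate(group, offered_pps, seconds, ticks_per_second=1000):
    """Drive `group` with constant offered loads (name -> pps).

    Returns one dict per simulated second with the packets passed per type;
    the last entry is the steady state once the initial bursts are used up.
    """
    dt = 1.0 / ticks_per_second
    per_tick = {name: round(pps * dt) for name, pps in offered_pps.items()}
    results = []
    for _ in range(seconds):
        passed = dict.fromkeys(offered_pps, 0)
        for _ in range(ticks_per_second):
            for name, n in group.tick(per_tick, dt).items():
                passed[name] += n
        results.append(passed)
    return results


if __name__ == "__main__":
    # rt-alert above its own 20000 pps limit while unclassified floods:
    # Hi takes the whole aggregate and Lo passes nothing at the uKern.
    print("rt-alert 25000 pps:", simulate(ip_options_group(),
          {"rt-alert": 25000, "unclassified": 140000}, 5)[-1])
    # rt-alert below the aggregate rate: unclassified gets the leftover credit.
    print("rt-alert 17000 pps:", simulate(ip_options_group(),
          {"rt-alert": 17000, "unclassified": 140000}, 5)[-1])
```

The first seconds of each run still pass extra packets because the buckets start with a full burst; only the last entry reflects the steady state, which is what the uKern pass rate in the stats below converges to.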

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options


DDOS Policer Statistics:
arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 3415601 0 18227 18227 0
124 3d01 ip-opt unclass.. Y UKERN 249112 0 0 0 0
PFE-0 2145609 13509618 138885 9993 0
125 3d02 ip-opt rt-alert Y UKERN 3166489 0 18227 18227 0
PFE-0 3479716 6936119 19607 19607 0
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options


DDOS Policer Statistics:
arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 3502478 0 18191 18191 0
124 3d01 ip-opt unclass.. Y UKERN 249112 0 0 0 0
PFE-0 2193323 14124657 138890 10013 0
125 3d02 ip-opt rt-alert Y UKERN 3253366 0 18191 18191 0
PFE-0 3573282 6936119 19608 19608 0
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options


DDOS Policer Statistics:
arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 3668557 0 18212 18212 0
124 3d01 ip-opt unclass.. Y UKERN 249112 0 0 0 0
PFE-0 2284553 15300091 138812 9983 0
125 3d02 ip-opt rt-alert Y UKERN 3419445 0 18212 18212 0
PFE-0 3752105 6936119 19596 19596 0
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)#

If the rt-alert rate is reduced slightly, the unclassified ip-option packets start to pass at a higher rate on the uKern.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options
DDOS Policer Statistics:
arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 4561353 0 18222 18222 0
124 3d01 ip-opt unclass.. Y UKERN 269188 0 1065 1065 0
PFE-0 2774347 21530507 138973 10003 0
125 3d02 ip-opt rt-alert Y UKERN 4292165 0 17156 17156 0
PFE-0 4640605 6936119 17166 17166 0
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options


DDOS Policer Statistics:
arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 4668918 0 18261 18261 0
124 3d01 ip-opt unclass.. Y UKERN 275697 0 1103 1103 0
PFE-0 2833222 22289521 138893 10006 0
125 3d02 ip-opt rt-alert Y UKERN 4393221 0 17157 17157 0
PFE-0 4741638 6936119 17157 17157 0
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)#

lab@Dokinchan-re0> show ddos-protection protocols ip-options violations


Packet types: 4, Currently violated: 2

Protocol Packet Bandwidth Arrival Peak Policer bandwidth


group type (pps) rate(pps) rate(pps) violation detected at
ip-opt unclass.. 10000 138887 138976 2013-11-20 12:43:02 JST
Detected on: FPC-2
ip-opt rt-alert 20000 24510 65143 2013-11-20 13:17:04 JST
Detected on: FPC-2

lab@Dokinchan-re0> show ddos-protection protocols ip-options statistics detail


Packet types: 4, Received traffic: 3, Currently violated: 2

Protocol Group: IP-Options

Packet type: aggregate


System-wide information:
Aggregate bandwidth is never violated
Received: 279207038 Arrival rate: 163407 pps
Dropped: 0 Max arrival rate: 163554 pps
Routing Engine information:
Aggregate policer is never violated
Received: 12433919 Arrival rate: 6916 pps
Dropped: 0 Max arrival rate: 7005 pps
Dropped by individual policers: 0
FPC slot 2 information:
Aggregate policer is never violated
Received: 279207038 Arrival rate: 163407 pps
Dropped: 229315487 Max arrival rate: 163554 pps
Dropped by individual policers: 229315487
Dropped by flow suppression: 0

Packet type: unclassified


System-wide information:
Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2013-11-20 12:43:02 JST
Violation last seen at: 2013-11-20 13:18:19 JST
Duration of violation: 00:35:17 Number of violations: 1
Received: 240374229 Arrival rate: 138896 pps
Dropped: 222044391 Max arrival rate: 138976 pps
Routing Engine information:
Policer is never violated
Received: 1663606 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 4022 pps
Dropped by aggregate policer: 0
FPC slot 2 information:
Policer is currently being violated!
Violation first detected at: 2013-11-20 12:43:02 JST
Violation last seen at: 2013-11-20 13:18:19 JST
Duration of violation: 00:35:17 Number of violations: 1
Received: 240374229 Arrival rate: 138896 pps
Dropped: 222044391 Max arrival rate: 138976 pps
Dropped by this policer: 222044391
Dropped by aggregate policer: 0
Dropped by flow suppression: 0
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
Logical-interface 0 0 Active
Physical-interface 0 0 Active

Packet type: router-alert


System-wide information:
Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2013-11-20 13:17:04 JST
Violation last seen at: 2013-11-20 13:18:19 JST
Duration of violation: 00:01:15 Number of violations: 2
Received: 38832809 Arrival rate: 24511 pps
Dropped: 7271096 Max arrival rate: 65143 pps
Routing Engine information:
Policer is never violated
Received: 10770313 Arrival rate: 6916 pps
Dropped: 0 Max arrival rate: 7002 pps
Dropped by aggregate policer: 0
FPC slot 2 information:
Policer is currently being violated!
Violation first detected at: 2013-11-20 13:17:04 JST
Violation last seen at: 2013-11-20 13:18:19 JST
Duration of violation: 00:01:15 Number of violations: 2
Received: 38832809 Arrival rate: 24511 pps
Dropped: 7271096 Max arrival rate: 65143 pps
Dropped by this policer: 7271096
Dropped by aggregate policer: 0
Dropped by flow suppression: 0
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
Logical-interface 0 0 Active
Physical-interface 0 0 Active

lab@Dokinchan-re0>

The violation alarm is cleared once the traffic has stayed below the policer rate for the configured recover time.

lab@Dokinchan-re0> show ddos-protection protocols ip-options parameters detail


Packet types: 4, Modified: 0
* = User configured value

Protocol Group: IP-Options

Packet type: aggregate (Aggregate for all options traffic)


Aggregate policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Recover time: 300 seconds
Enabled: Yes
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

Packet type: unclassified (Unclassified options traffic)


Individual policer configuration:
Bandwidth: 10000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 10000 pps, Burst: 10000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled

Packet type: router-alert (Router alert options traffic)


Individual policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Priority: High
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

lab@Dokinchan-re0# set system ddos-protection protocols ip-options aggregate recover-time ?


Possible completions:
<recover-time> Time for protocol to return to normal (1..3600 seconds)
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ip-options router-alert recover-time ?
Possible completions:
<recover-time> Time for protocol to return to normal (1..3600 seconds)
[edit]
lab@Dokinchan-re0#

The implementation details can be found in src/pfe/common/pfe-arch/trinity/toolkits/jnh_host/jnh_packet.c.

Routing Engine Level

The policer implementation on the Routing Engine is much the same as on the uKern. However, it polices only the aggregated traffic of each protocol group instead of applying each individual protocol policer.

Taking ip-options as the example again, the Routing Engine polices the sum of all ip-option packets with the aggregate policer rate (20000 pps). The priority of each individual protocol packet type still plays a role here.

lab@Dokinchan-re0> show ddos-protection protocols ip-fragments statistics detail


Packet types: 4, Received traffic: 3, Currently violated: 0

Protocol Group: IP-Fragments

Packet type: aggregate


System-wide information:
Aggregate bandwidth is no longer being violated
No. of FPCs that have received excess traffic: 1
Last violation started at: 2013-11-25 16:57:17 JST
Last violation ended at: 2013-11-25 17:04:54 JST
Duration of last violation: 00:07:37 Number of violations: 7
Received: 1764000 Arrival rate: 0 pps
Dropped: 107811 Max arrival rate: 20013 pps
Routing Engine information:
Aggregate policer is no longer being violated
Last violation started at: 2013-11-25 17:03:21 JST
Last violation ended at: 2013-11-25 17:04:48 JST
Duration of last violation: 00:01:27 Number of violations: 3
Received: 288314 Arrival rate: 0 pps
Dropped: 47 Max arrival rate: 19998 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 47

The detailed implementation of the Routing Engine policer can be found in src/junos/bsd/sys/netpfe/ddos_policers.c.

Suspicious Control Flow Detection (SCFD)

This feature was introduced in 12.3 under RLI15473. In addition to policing protocol packets by protocol type, it can detect and identify a possible attack flow and then apply a further policer to, or even drop, the packets of that flow, giving better protection for the host bound queues.

By default, SCFD is disabled. It is enabled with the following configuration:
# set system ddos-protection global ?
flow-detection Enable flow detection for all protocols

Once enabled, after a violation happens the DDOS system monitors the host bound traffic of that protocol in the LU chip at 3 levels of flow granularity:
- Subscriber level (SUB)
- IFL level (key: DDOS protocol ID, IIF, aggregation level)
- IFD level (key: DDOS protocol ID, IFD, aggregation level)

When a DDOS violation happens, SCFD examines all packets of that protocol. A hash function is used to single out suspicious flows, which are then inserted into an LU hardware hash table.

If a flow's rate stays consistently above its allowed bandwidth for the detect-time period (flow-detect-time, 3 seconds by default), the suspicious flow is declared a culprit flow and its traffic is dropped from then on, unless the drop action has been disabled. If a flow does not exceed its allowed bandwidth for the detect-time period, it is treated as a false positive and removed from the hardware hash table.

Once a culprit flow's rate stays below its bandwidth for the recover-time period (flow-recover-time, 60 seconds by default), SCFD declares the flow normal, removes it from the hardware flow table and lets its traffic resume.
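The detection state machine just described, as an added Python model (not Juniper code). It tracks flows at one level (IFL) and applies the rules above: a flow is inserted once the protocol policer is violated and the flow exceeds its level bandwidth, becomes a culprit after flow-detect-time consecutive seconds above bandwidth, is then dropped, kept or policed according to flow-level-control, and is released after flow-recover-time seconds below bandwidth (or after flow-timeout-time when timeout-active-flows is set). The OSPF numbers (20000 pps aggregate policer, 10 pps per IFL), the interface names and the per-second rates are constructed for the demo; treating a tracked flow that goes silent as a 0 pps observation is an assumption.

```python
"""Model of suspicious control flow detection (SCFD) at one level (IFL).

Added example, not Juniper code: it models the state machine described on
this page.  Flow keys, per-second rates and the OSPF numbers (20000 pps
aggregate policer, 10 pps per IFL) are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowState:
    first_seen: int                    # second the flow entered the flow table
    above_since: int                   # start of the current run above bandwidth
    below_since: Optional[int] = None  # start of the current run below bandwidth
    culprit: bool = False


class FlowDetector:
    def __init__(self, bandwidth, detect_time=3, recover_time=60,
                 timeout_time=300, control="drop", timeout_active_flows=False):
        assert control in ("drop", "keep", "police")
        self.bandwidth = bandwidth                   # flow-level-bandwidth (pps)
        self.detect_time = detect_time               # flow-detect-time (s)
        self.recover_time = recover_time             # flow-recover-time (s)
        self.timeout_time = timeout_time             # flow-timeout-time (s)
        self.control = control                       # flow-level-control
        self.timeout_active_flows = timeout_active_flows
        self.flows = {}                              # key -> FlowState (the flow table)
        self.log = []                                # (second, key, event)

    def _enforce(self, rate):
        """Packets a culprit flow gets through, per flow-level-control."""
        if self.control == "drop":
            return 0
        if self.control == "police":
            return min(rate, self.bandwidth)
        return rate                                  # keep

    def observe(self, now, rates, violated):
        """One second of per-flow arrival rates (pps); returns key -> packets passed.

        `violated` is whether the protocol policer is in violation this second:
        only then are new flows examined and inserted.  A tracked flow that
        sends nothing is treated as a 0 pps observation (assumption).
        """
        passed = {}
        keys = list(rates) + [k for k in self.flows if k not in rates]
        for key in keys:
            rate = rates.get(key, 0)
            state = self.flows.get(key)
            if state is None:
                if violated and rate > self.bandwidth:
                    self.flows[key] = FlowState(first_seen=now, above_since=now)
                    self.log.append((now, key, "suspicious"))
                passed[key] = rate                   # nothing enforced until proven culprit
                continue
            if not state.culprit:
                if rate <= self.bandwidth:           # dipped before detect-time: false positive
                    del self.flows[key]
                    self.log.append((now, key, "false-positive"))
                    passed[key] = rate
                    continue
                if now - state.above_since + 1 < self.detect_time:
                    passed[key] = rate               # still under observation
                    continue
                state.culprit = True
                self.log.append((now, key, "culprit"))
            # Culprit flow: enforce, and watch for recovery or timeout.
            if rate > self.bandwidth:
                state.below_since = None
            elif state.below_since is None:
                state.below_since = now
            recovered = (state.below_since is not None
                         and now - state.below_since + 1 >= self.recover_time)
            timed_out = (self.timeout_active_flows
                         and now - state.first_seen >= self.timeout_time)
            if recovered or timed_out:
                del self.flows[key]
                self.log.append((now, key, "recovered" if recovered else "timeout"))
                passed[key] = rate
            else:
                passed[key] = self._enforce(rate)
        return passed


def ospf_scenario(control="drop", seconds=75):
    """One IFL floods OSPF at 30000 pps for 10 s, then behaves (5 pps); a
    second IFL sends 5 pps throughout.  Returns (per-second passed, log)."""
    det = FlowDetector(bandwidth=10, detect_time=3, recover_time=60, control=control)
    attacker, legit = ("ospf", "ge-0/0/0.100"), ("ospf", "ge-0/0/0.200")
    timeline = []
    for now in range(seconds):
        rates = {attacker: 30000 if now < 10 else 5, legit: 5}
        violated = sum(rates.values()) > 20000       # ospf aggregate policer, 20000 pps
        timeline.append(det.observe(now, rates, violated))
    return timeline, det.log


if __name__ == "__main__":
    timeline, log = ospf_scenario()
    for second, key, event in log:
        print(f"t={second:3d}s {key[1]} -> {event}")
    print("attacker passed per second:", [t[("ospf", "ge-0/0/0.100")] for t in timeline[:12]])
```

Note the collateral effect the model makes visible: once the offending IFL is a culprit with the default drop action, even its well-behaved 5 pps is discarded until flow-recover-time has elapsed, which is why the recover timer and the police alternative matter when the "attacker" is a misbehaving but legitimate peer.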
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate ?
Possible completions:
flow-detect-time Time to determine a flow is bad (1..60 seconds)
flow-detection-mode Flow detection mode for the packet type
> flow-level-bandwidth Bandwidth for flows at various levels
> flow-level-control Specify how discovered flows are controlled
> flow-level-detection Specify detection mode at various levels
flow-recover-time Time to return to normal after last violation (1..3600 seconds)
flow-timeout-time Time to timeout the flow since found (1..7200 seconds)
no-flow-logging Disable logging of violating flows
recover-time Time for protocol to return to normal (1..3600 seconds)
timeout-active-flows Allow timeout active violating flows


This configures the flow-level bandwidth, that is, the per-flow policer rate at each aggregation level, for the ospf aggregate packet type.


[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-bandwidth ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
logical-interface Bandwidth for logical interface flows (1..30000 packets per second)
physical-interface Bandwidth for physical interface flows (1..50000 packets per second)
subscriber Bandwidth for subscriber flows (1..10000 packets per second)

This is to configure the SCFD IFL level policer rate


[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-bandwidth logical-interface ?
Possible completions:
<logical-interface> Bandwidth for logical interface flows (1..30000 packets per second)

This is to configure the SCFD IFD level policer rate


[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-bandwidth physical-interface ?
Possible completions:
<physical-interface> Bandwidth for physical interface flows (1..50000 packets per second)

This configures the action taken once a suspicious flow is detected at each level.
[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
logical-interface Specify how logical-interface flows are controlled
physical-interface Specify how physical-interface flows are controlled
subscriber Specify how subscriber flows are controlled

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control logical-interface ?
Possible completions:
drop Drop all traffic of flows of this level
keep Keep all traffic of flows of this level
police Police flows to within the bandwidth of this level

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-control physical-interface ?
Possible completions:
drop Drop all traffic of flows of this level
keep Keep all traffic of flows of this level
police Police flows to within the bandwidth of this level

This enables or disables SCFD flow detection at each level.

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
logical-interface Specify detection mode at logical-interface level
physical-interface Specify detection mode at physical-interface level
subscriber Specify detection mode at subscriber level

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection logical-interface ?
Possible completions:
automatic Detect flows at logical-interface level if needed
off Do not detect flows at logical-interface level
on Always detect flows at logical-interface level

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate flow-level-detection physical-interface ?
Possible completions:
automatic Detect flows at physical-interface level if needed
off Do not detect flows at physical-interface level
on Always detect flows at physical-interface level

[edit]
lab@Dokinchan-re0#

Here is the default SCFD configuration for each protocol. When SCFD is enabled, the flow detection mode defaults to automatic (op-mode:a) and, once a suspicious flow is detected, the action is to drop its packets (fc-mode:d). The detection rate at each of the 3 levels is protocol dependent. For example, for OSPF the sub level is 10 pps (which I believe is not used), the ifl level is 10 pps and the IFD level is 20000 pps. When the mode is set to on, new flows are added to the table automatically.

By default, timeout-active-flows is disabled. If it is enabled, a flow is removed from the table once it has been there for flow-timeout-time (300 seconds by default). Once removed, the flow generates a violation event again and is added back to the table.
NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states all
(sub|ifl|ifd)-cfg: op-mode:fc-mode:bwidth(pps)
op-mode: a=automatic, o=always-on, x=disabled
fc-mode: d=drop-all, k=keep-all, p=police
d-t: detect time, r-t: recover time, t-t: timeout time
aggr-t: last aggregated/deaggreagated time
idx prot group proto mode detect agg flags state sub-cfg ifl-cfg ifd-cfg d-t r-t t-t aggr-t
--- ---- -------- -------- ---- ------ --- ----- ----- --------- --------- --------- --- --- --- ------
0 0 host-path aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:25000 3 60 300 0
1 100 ipv4-uncls aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
2 200 ipv6-uncls aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
3 300 dynvlan aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
4 400 ppp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:16000 3 60 300 0
5 401 ppp unclass auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
6 402 ppp lcp auto no 1 2 0 a:d: 10 a:d: 10 a:d:12000 3 60 300 0
7 403 ppp auth auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
8 404 ppp ipcp auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
9 405 ppp ipv6cp auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
10 406 ppp mplscp auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
11 407 ppp isis auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
12 408 ppp echo-req auto no 1 2 0 a:d: 10 a:d: 10 a:d:12000 3 60 300 0
13 409 ppp echo-rep auto no 1 2 0 a:d: 10 a:d: 10 a:d:12000 3 60 300 0
14 40a ppp mlppp-lcp auto no 1 2 0 a:d: 10 a:d: 10 a:d:12000 3 60 300 0
15 500 pppoe aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
16 501 pppoe unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
17 502 pppoe padi auto no 1 2 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
18 503 pppoe pado auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
19 504 pppoe padr auto no 1 2 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
20 505 pppoe pads auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
21 506 pppoe padt auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
22 507 pppoe padm auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
23 508 pppoe padn auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
24 600 dhcpv4 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 5000 3 60 300 0
25 601 dhcpv4 unclass.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 300 3 60 300 0
26 602 dhcpv4 discover auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
27 603 dhcpv4 offer auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
28 604 dhcpv4 request auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
29 605 dhcpv4 decline auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
30 606 dhcpv4 ack auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
31 607 dhcpv4 nak auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
32 608 dhcpv4 release auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
33 609 dhcpv4 inform auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
34 60a dhcpv4 renew auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
35 60b dhcpv4 forcerenew auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
36 60c dhcpv4 leasequery auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
37 60d dhcpv4 leaseuna.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
38 60e dhcpv4 leaseunk.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
39 60f dhcpv4 leaseact.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
40 610 dhcpv4 bootp auto no 1 1 0 a:d: 10 a:d: 10 a:d: 300 3 60 300 0
41 611 dhcpv4 no-msgtype auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
42 612 dhcpv4 bad-pack.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
43 700 dhcpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 5000 3 60 300 0
44 701 dhcpv6 unclass.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 3000 3 60 300 0
45 702 dhcpv6 solicit auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
46 703 dhcpv6 advertise auto no 1 1 0 a:d: 10 a:d: 10 a:d: 500 3 60 300 0
47 704 dhcpv6 request auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
48 705 dhcpv6 confirm auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
49 706 dhcpv6 renew auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
50 707 dhcpv6 rebind auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
51 708 dhcpv6 reply auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
52 709 dhcpv6 release auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
53 70a dhcpv6 decline auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
54 70b dhcpv6 reconfig auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
55 70c dhcpv6 info..req auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
56 70d dhcpv6 relay-for.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
57 70e dhcpv6 relay-rep.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
58 70f dhcpv6 leasequery auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
59 710 dhcpv6 leaseq..re auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
60 711 dhcpv6 leaseq..do auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
61 712 dhcpv6 leaseq..da auto no 1 1 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
62 800 vchassis aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:30000 3 60 300 0
63 801 vchassis unclass.. auto no 1 1 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
64 802 vchassis control-hi auto no 1 2 0 a:d: 10 a:d: 10 a:d:10000 3 60 300 0
65 803 vchassis control-lo auto no 1 2 0 a:d: 10 a:d: 10 a:d: 8000 3 60 300 0
66 804 vchassis vc-packets auto no 1 2 0 a:d: 10 a:d: 10 a:d:30000 3 60 300 0
67 805 vchassis vc-ttl-err auto no 1 2 0 a:d: 10 a:d: 10 a:d: 4000 3 60 300 0
68 900 icmp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
69 a00 igmp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
70 b00 ospf aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
71 c00 rsvp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
72 d00 pim aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
73 e00 rip aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
74 f00 ptp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
75 1000 bfd aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
76 1100 lmp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
77 1200 ldp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
78 1300 msdp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
79 1400 bgp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
80 1500 vrrp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
81 1600 telnet aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
82 1700 ftp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
83 1800 ssh aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
84 1900 snmp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
85 1a00 ancp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
86 1b00 igmpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
87 1c00 egpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
88 1d00 rsvpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
89 1e00 igmpv4v6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
90 1f00 ripv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
91 2000 bfdv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
92 2100 lmpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
93 2200 ldpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
94 2300 msdpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
95 2400 bgpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
96 2500 vrrpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
97 2600 telnetv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
98 2700 ftpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
99 2800 sshv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
100 2900 snmpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
101 2a00 ancpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
102 2b00 ospfv3v6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
103 2c00 lacp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
104 2d00 stp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
105 2e00 esmc aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
106 2f00 oam-lfm aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
107 3000 eoam aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
108 3100 lldp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
109 3200 mvrp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
110 3300 pmvrp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
111 3400 arp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
112 3500 pvstp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
113 3600 isis aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
114 3700 pos aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
115 3800 mlp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
116 3801 mlp unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
117 3802 mlp packets auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
118 3803 mlp aging-exc auto no 1 1 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
119 3900 jfm aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
120 3a00 atm aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
121 3b00 pfe-alive aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
122 3c00 ttl aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
123 3d00 ip-opt aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
124 3d01 ip-opt unclass.. auto no 7 2 10 a:d: 10 a:d: 10 a:d:10000 3 60 300 147024965
125 3d02 ip-opt rt-alert auto no 7 2 10 a:d: 10 a:d: 10 a:d:20000 3 60 300 147024965
126 3d03 ip-opt non-v4v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d:10000 3 60 300 0
127 3e00 redirect aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
128 3f00 control aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
129 4000 mcast-copy aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
130 4100 mac-host aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
131 4200 tun-frag aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
132 4300 mcast-snoop aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
133 4301 mcast-snoop unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
134 4302 mcast-snoop igmp auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
135 4303 mcast-snoop pim auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
136 4304 mcast-snoop mld auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
137 4400 services aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
138 4401 services unclass.. auto no 1 2 0 a:d: 0 a:d: 0 a:d:20000 0 0 0 0
139 4402 services packet auto no 1 2 0 a:d: 0 a:d: 0 a:d:20000 0 0 0 0
140 4403 services BSDT auto no 1 2 0 a:d: 0 a:d: 0 a:d:20000 0 0 0 0
141 4500 demuxauto aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
142 4600 reject aggregate auto no 7 2 10 a:d: 10 a:d: 10 a:d: 2000 3 60 300 78193870
143 4700 fw-host aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
144 4800 tcp-flags aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
145 4801 tcp-flags unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
146 4802 tcp-flags initial auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
147 4803 tcp-flags establish auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
148 4900 dtcp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
149 4a00 radius aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
150 4a01 radius unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
151 4a02 radius server auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
152 4a03 radius account.. auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
153 4a04 radius auth.. auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
154 4b00 ntp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
155 4c00 tacacs aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
156 4d00 dns aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
157 4e00 diameter aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
158 4f00 ip-frag aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
159 4f01 ip-frag unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
160 4f02 ip-frag first-frag auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
161 4f03 ip-frag trail-frag auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
162 5000 l2tp aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
163 5100 gre aggregate auto no 7 2 10 a:d: 10 a:d: 10 a:d:20000 3 60 300 146854970
164 5200 ipsec aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
165 5300 pimv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
166 5400 icmpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
167 5500 ndpv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
168 5600 sample aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
169 5601 sample unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
170 5602 sample syslog auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
171 5603 sample host auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
172 5604 sample pfe auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
173 5605 sample tap auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
174 5606 sample sflow auto no 1 2 0 a:d: 10 a:d: 10 a:d: 1000 3 60 300 0
175 5700 fab-probe aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
176 5800 uncls aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
177 5801 uncls other auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
178 5802 uncls resolve-v4 auto no 1 2 20 a:d: 10 a:d: 10 a:d: 5000 3 60 300 55243480
179 5803 uncls resolve-v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 5000 3 60 300 0
180 5804 uncls control-v4 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
181 5805 uncls control-v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
182 5806 uncls host-rt-v4 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
183 5807 uncls host-rt-v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
184 5808 uncls filter-v4 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
185 5809 uncls filter-v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
186 580a uncls control-l2 auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
187 580b uncls fw-host auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
188 580c uncls mcast-copy auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
189 5900 rejectv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d: 2000 3 60 300 0
190 5a00 l2pt aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
191 5b00 keepalive aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
192 5c00 inline-ka aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
193 5d00 inline-svcs aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
194 5e00 frame-relay aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
195 5e01 frame-relay unclass.. auto no 1 2 0 a:d: 10 a:d: 10 a:d: 0 3 60 300 0
196 5e02 frame-relay frf15 auto no 1 2 0 a:d: 10 a:d: 10 a:d:12000 3 60 300 0
197 5e03 frame-relay frf16 auto no 1 2 0 a:d: 10 a:d: 10 a:d:12000 3 60 300 0
198 5f00 amtv4 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
199 6000 amtv6 aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0

NPC2(Dokinchan-re0 vty)#

State
#define DDOS_SCFD_STATE_CLEARING 0x00000001 /* is clearing */
#define DDOS_SCFD_STATE_RATE_MOD 0x00000002 /* on rate mod list */
#define DDOS_SCFD_STATE_AGGRED 0x00000010 /* prev op is aggr */
#define DDOS_SCFD_STATE_DEAGGRED 0x00000020 /* prev op is de-aggr */
#define DDOS_SCFD_STATE_AGGR_MASK 0x00000030 /* prev aggr op mask */

Agg
#define DDOS_SCFD_AGGR_ON_MAP(p) \
((((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_SUB].flags & \
SCFD_AGGR_FLAG_ACTIVE) ? (1 << DDOS_SCFD_AGGR_LEVEL_SUB) : 0) | \
(((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_IFL].flags & \
SCFD_AGGR_FLAG_ACTIVE) ? (1 << DDOS_SCFD_AGGR_LEVEL_IFL) : 0) | \
(((p)->aggr_levels[DDOS_SCFD_AGGR_LEVEL_IFD].flags & \
SCFD_AGGR_FLAG_ACTIVE) ? (1 << DDOS_SCFD_AGGR_LEVEL_IFD) : 0))

#define DDOS_SCFD_AGGR_LEVEL_1ST 0x00


#define DDOS_SCFD_AGGR_LEVEL_SUB 0x00
#define DDOS_SCFD_AGGR_LEVEL_IFL 0x01
#define DDOS_SCFD_AGGR_LEVEL_IFD 0x02
#define DDOS_SCFD_AGGR_LEVEL_INVALID 0x03

Flags
#define SCFD_PROTO_FLAG_LOCAL_MASK 0x0000FFFF
#define SCFD_PROTO_FLAG_RUN_UKERN 0x00000001
#define SCFD_PROTO_FLAG_RUN_ASIC 0x00000002
#define SCFD_PROTO_FLAG_NO_LOG 0x00010000
#define SCFD_PROTO_FLAG_TO_ACTV 0x00020000 /* Allow timeout of flow */
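
The agg, flags and state columns of the proto-states table are raw bitfields whose meaning is given by the defines above. The following is an added example, not Juniper code, that parses the table text and decodes those columns so that the operational state of each protocol can be read directly: whether it is aggregated or deaggregated, whether its flows age out (TO_ACTV), whether flow logging is suppressed (NO_LOG), and which levels drop. It assumes the agg column is the DDOS_SCFD_AGGR_ON_MAP bitmap and that the columns are whitespace separated as shown on this page; the sample rows are copied from the ip-options output later in this section.

```python
"""Decoder for the PFE 'show ddos scfd proto-states' table.

Added example; this is not Juniper code. Bit values are taken from the
DDOS_SCFD_STATE_*, DDOS_SCFD_AGGR_LEVEL_* and SCFD_PROTO_FLAG_* defines
reproduced on this page. Assumption: the 'agg' column is the
DDOS_SCFD_AGGR_ON_MAP bitmap and columns are whitespace separated.
"""
import re

STATE_BITS = {            # DDOS_SCFD_STATE_*
    0x00000001: "CLEARING",
    0x00000002: "RATE_MOD",
    0x00000010: "AGGRED",
    0x00000020: "DEAGGRED",
}
FLAG_BITS = {             # SCFD_PROTO_FLAG_*
    0x00000001: "RUN_UKERN",
    0x00000002: "RUN_ASIC",
    0x00010000: "NO_LOG",
    0x00020000: "TO_ACTV",
}
AGGR_LEVELS = {0: "sub", 1: "ifl", 2: "ifd"}   # DDOS_SCFD_AGGR_LEVEL_* bit positions
OP_MODE = {"a": "automatic", "o": "always-on", "x": "disabled"}
FC_MODE = {"d": "drop-all", "k": "keep-all", "p": "police"}

# One per-level cell looks like "a:d: 10" or "a:d:20000" (op:fc:pps).
LEVEL = r"[aox]:[dkp]:\s*\d+"
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<prot>[0-9a-f]+)\s+(?P<group>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<mode>\S+)\s+(?P<detect>\S+)\s+(?P<agg>[0-9a-f]+)\s+(?P<flags>[0-9a-f]+)\s+"
    r"(?P<state>[0-9a-f]+)\s+(?P<sub>" + LEVEL + r")\s+(?P<ifl>" + LEVEL + r")\s+"
    r"(?P<ifd>" + LEVEL + r")\s+(?P<dt>\d+)\s+(?P<rt>\d+)\s+(?P<tt>\d+)\s+(?P<aggrt>\d+)\s*$"
)

# Constructed sample: the four ip-options rows after timeout-active-flows was committed.
SAMPLE_PROTO_STATES = """\
idx prot group proto mode detect agg flags state sub-cfg ifl-cfg ifd-cfg d-t r-t t-t aggr-t
--- ---- -------- -------- ---- ------ --- ----- ----- --------- --------- --------- --- --- --- ------
123 3d00 ip-opt aggregate auto no 1 20002 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
124 3d01 ip-opt unclass.. auto detect 1 20002 20 a:d: 10 a:d: 10 a:d:10000 3 60 300 151310230
125 3d02 ip-opt rt-alert auto detect 1 20002 20 a:d: 10 a:d: 10 a:d:20000 3 60 300 151309230
126 3d03 ip-opt non-v4v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d:10000 3 60 300 0
"""


def decode_bits(value: int, table: dict) -> list:
    """Names of the bits set in value; any bit the defines do not cover is reported as unknown."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def parse_level(cell: str) -> dict:
    """'a:d: 10' -> automatic / drop-all / 10 pps."""
    op, fc, pps = cell.split(":")
    return {"op_mode": OP_MODE[op], "fc_mode": FC_MODE[fc], "pps": int(pps)}


def parse_table(text: str) -> list:
    """Parse every data row of the proto-states output; legend, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        agg = int(m["agg"], 16)
        rows.append({
            "idx": int(m["idx"]), "prot": int(m["prot"], 16),
            "group": m["group"], "proto": m["proto"],
            "mode": m["mode"], "detect": m["detect"],
            "agg_levels": [n for b, n in AGGR_LEVELS.items() if agg & (1 << b)],
            "flags": decode_bits(int(m["flags"], 16), FLAG_BITS),
            "state": decode_bits(int(m["state"], 16), STATE_BITS),
            "sub": parse_level(m["sub"]), "ifl": parse_level(m["ifl"]), "ifd": parse_level(m["ifd"]),
            "detect_time": int(m["dt"]), "recover_time": int(m["rt"]),
            "timeout_time": int(m["tt"]), "last_aggr_time": int(m["aggrt"]),
        })
    return rows


def audit(rows: list) -> list:
    """Rows that currently have flows under detection, with the facts an operator wants at a glance."""
    findings = []
    for r in rows:
        if r["detect"] == "no":
            continue
        findings.append({
            "proto": f'{r["group"]}:{r["proto"]}',
            "state": r["state"],                         # AGGRED / DEAGGRED
            "flows_time_out": "TO_ACTV" in r["flags"],   # timeout-active-flows configured
            "logging_suppressed": "NO_LOG" in r["flags"],
            "drop_levels": [lvl for lvl in ("sub", "ifl", "ifd") if r[lvl]["fc_mode"] == "drop-all"],
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_table(SAMPLE_PROTO_STATES)):
        print(f)
```

Feed it the output of `show ddos scfd proto-states all` to get the same decode for every protocol; a row whose flags carry NO_LOG explains why no DDOS_SCFD_FLOW_FOUND message ever appears for that packet type.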

Here is an example with ip-option flows.


lab@Dokinchan-re0> show ddos-protection protocols ip-options flow-detection
Packet types: 4, Modified: 0
* = User configured value

Protocol Group: IP-Options

Packet type: aggregate


Flow detection configuration:
Detection mode: Automatic Detect time: 3 seconds
Log flows: Yes Recover time: 60 seconds
Timeout flows: No Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 10 pps
Logical interface Automatic Drop 10 pps
Physical interface Automatic Drop 20000 pps

Packet type: unclassified


Flow detection configuration:
Detection mode: Automatic Detect time: 3 seconds
Log flows: Yes Recover time: 60 seconds
Timeout flows: No Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 10 pps
Logical interface Automatic Drop 10 pps
Physical interface Automatic Drop 10000 pps

Packet type: router-alert


Flow detection configuration:
Detection mode: Automatic Detect time: 3 seconds
Log flows: Yes Recover time: 60 seconds
Timeout flows: No Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 10 pps
Logical interface Automatic Drop 10 pps
Physical interface Automatic Drop 20000 pps

Packet type: non-v4v6


Flow detection configuration:
Detection mode: Automatic Detect time: 3 seconds
Log flows: Yes Recover time: 60 seconds
Timeout flows: No Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 10 pps
Logical interface Automatic Drop 10 pps
Physical interface Automatic Drop 10000 pps

Once a suspicious flow is detected, detection is deaggregated to the subscriber and/or logical-interface level, depending
on which level's flow rate is exceeded. With the flow installed in the PFE, none of its packets reach the host, because
the control mode is drop by default.

Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:54.597 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_DEAGGREGATED: Flows of protocol IP-Options:router-alert on slot fpc 2 are deaggregated to subscriber, logical-interface level(s)

lab@Dokinchan-re0> show ddos-protection protocols ip-options violations
Packet types: 4, Currently violated: 2

Protocol Packet Bandwidth Arrival Peak Policer bandwidth
group type (pps) rate(pps) rate(pps) violation detected at
ip-opt unclass.. 10000 138893 138976 2013-11-20 12:43:02 JST
Detected on: FPC-2
ip-opt rt-alert 20000 24510 65143 2013-11-20 13:17:04 JST
Detected on: FPC-2

lab@Dokinchan-re0> show ddos-protection protocols ip-options culprit-flows
Currently tracked flows: 2, Total detected flows: 7

Protocol Packet Arriving Source Address
group type Interface MAC or IP
ip-opt unclass.. ge-2/0/0.0 192.1.1.2
sub:0002000000000008 2013-11-20 14:29:14 JST pps:138890 pkts:18334191
ip-opt rt-alert ge-2/0/0.0 192.1.1.2
sub:0002000000000007 2013-11-20 14:29:14 JST pps:24510 pkts:3235435

lab@Dokinchan-re0>

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options


DDOS Policer Statistics:

arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 76227465 0 0 0 0
124 3d01 ip-opt unclass.. Y UKERN 1880974 0 0 0 1
PFE-0 42059480 591983015 138910 0 1
125 3d02 ip-opt rt-alert Y UKERN 74346491 0 0 0 1
PFE-0 79020937 29282748 24513 0 1
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states ip-options


(sub|ifl|ifd)-cfg: op-mode:fc-mode:bwidth(pps)
op-mode: a=automatic, o=always-on, x=disabled
fc-mode: d=drop-all, k=keep-all, p=police
d-t: detect time, r-t: recover time, t-t: timeout time
aggr-t: last aggregated/deaggreagated time
idx prot group proto mode detect agg flags state sub-cfg ifl-cfg ifd-cfg d-t r-t t-t aggr-t
--- ---- -------- -------- ---- ------ --- ----- ----- --------- --------- --------- --- --- --- ------
123 3d00 ip-opt aggregate auto no 1 2 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
124 3d01 ip-opt unclass.. auto detect 1 2 20 a:d: 10 a:d: 10 a:d:10000 3 60 300 151310230
125 3d02 ip-opt rt-alert auto detect 1 2 20 a:d: 10 a:d: 10 a:d:20000 3 60 300 151309230
126 3d03 ip-opt non-v4v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d:10000 3 60 300 0

NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0


pfe idx rindex prot aggr IIF/IFD pkts bytes source-info
--- ---- ------ ---- ---- ------- ------- -------- ----------
0 0 5 3d02 sub 339 12355587 963735708 c0010102 c0010101 0 0
0 1 3 3d01 sub 339 70015063 4620994092 c0010102 c0010101 0 0

NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0 details

PFE: 0
Flow Record Index: 5
Flow Key:
Proto-ID: 3d02
Key type: 1
IIF: 339
Src IP addr: c0010102 (192.1.1.2)
Dst IP addr: c0010101 (192.1.1.1)
Src port: 0
Dst port: 0
Flow Context Data:
Rcvd ack_add: 1
Rcvd ack_del: 0
Rcvd last flow op: 2
Flow state: 2
Aggr level: 0
Proto idx: 125
Policer idx: 3
Time inserted: 1944001488
Time last violated: 1944507734
Last received: 12408018
Flow Statitics:
Packet Count: 12410556
Byte Count: 968023290

PFE: 0
Flow Record Index: 3
Flow Key:
Proto-ID: 3d01
Key type: 1
IIF: 339
Src IP addr: c0010102 (192.1.1.2)
Dst IP addr: c0010101 (192.1.1.1)
Src port: 0
Dst port: 0
Flow Context Data:
Rcvd ack_add: 1
Rcvd ack_del: 0
Rcvd last flow op: 2
Flow state: 2
Aggr level: 0
Proto idx: 124
Policer idx: 4
Time inserted: 1944001488
Time last violated: 1944508734
Last received: 70451039
Flow Statitics:
Packet Count: 70497989
Byte Count: 4652867208

NPC2(Dokinchan-re0 vty)#

If timeout-active-flows is configured, a flow under active monitoring is removed from the list once flow-timeout-time
expires. If the rate of that flow still exceeds the configured rate, it generates another violation event and is re-added
to the list. In the vty output below, the flags column changes from 2 (RUN_ASIC) to 20002 (RUN_ASIC | TO_ACTV) once the
knob is committed, and the syslog shows each flow timing out and then being found again three seconds later.

[edit]
lab@Dokinchan-re0# show system ddos-protection
global {
flow-detection;
}
protocols {
ip-options {
aggregate {
timeout-active-flows;
}
unclassified {
timeout-active-flows;
}
router-alert {
timeout-active-flows;
}
}
}

NPC2(Dokinchan-re0 vty)# show ddos scfd proto-states ip-options


(sub|ifl|ifd)-cfg: op-mode:fc-mode:bwidth(pps)
op-mode: a=automatic, o=always-on, x=disabled
fc-mode: d=drop-all, k=keep-all, p=police
d-t: detect time, r-t: recover time, t-t: timeout time
aggr-t: last aggregated/deaggreagated time
idx prot group proto mode detect agg flags state sub-cfg ifl-cfg ifd-cfg d-t r-t t-t aggr-t
--- ---- -------- -------- ---- ------ --- ----- ----- --------- --------- --------- --- --- --- ------
123 3d00 ip-opt aggregate auto no 1 20002 0 a:d: 10 a:d: 10 a:d:20000 3 60 300 0
124 3d01 ip-opt unclass.. auto detect 1 20002 20 a:d: 10 a:d: 10 a:d:10000 3 60 300 151310230
125 3d02 ip-opt rt-alert auto detect 1 20002 20 a:d: 10 a:d: 10 a:d:20000 3 60 300 151309230
126 3d03 ip-opt non-v4v6 auto no 1 2 0 a:d: 10 a:d: 10 a:d:10000 3 60 300 0

NPC2(Dokinchan-re0 vty)#

Nov 20 14:34:13.661 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_TIMEOUT: A flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST, last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:13.661 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_TIMEOUT: A flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST, last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:16.663 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
Nov 20 14:34:16.663 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
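
The DDOS_SCFD_FLOW_FOUND and DDOS_SCFD_FLOW_DEAGGREGATED messages logged after the ip-options violation earlier, and the DDOS_SCFD_FLOW_TIMEOUT followed by a second DDOS_SCFD_FLOW_FOUND just above, are what an operator has to correlate to tell a retired flow from one that is merely cycling through the timeout. The following is an added example, not Juniper code, that parses those three message types and tracks each flow's lifecycle; it flags flows that are found again within a short interval of timing out, which means the source is still sending above the flow rate and timeout-active-flows is only churning the entry and re-logging it. Assumptions: the syslog prefix carries no year, so the caller supplies it; the flow level is inferred from the message fields as seen in the output on this page (a real source address is a subscriber-level flow, "--" with an interface unit is a logical-interface flow, "--" on a bare IFD is a physical-interface flow); the sample log is constructed from the messages on this page with the PDF line wraps joined.

```python
"""Lifecycle tracker for jddosd SCFD syslog events.

Added example; this is not Juniper code. It parses the DDOS_SCFD_FLOW_FOUND,
DDOS_SCFD_FLOW_TIMEOUT and DDOS_SCFD_FLOW_DEAGGREGATED messages shown on
this page. Assumptions: the syslog prefix has no year (caller supplies it)
and the flow level is inferred from the address/unit fields as described
in the lead-in.
"""
import re
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \S+ jddosd\[\d+\]: "
    r"%DAEMON-\d-(?P<event>DDOS_SCFD_FLOW_\w+): (?P<body>.*)$"
)
FOUND_RE = re.compile(
    r"A new flow of protocol (?P<proto>\S+) on (?P<ifname>\S+) with source addr (?P<src>.+?) is found at"
)
TIMEOUT_RE = re.compile(
    r"A flow of protocol (?P<proto>\S+) on (?P<ifname>\S+) with source addr (?P<src>.+?) is timed out\."
)
DEAGG_RE = re.compile(
    r"Flows of protocol (?P<proto>\S+) on slot fpc (?P<fpc>\d+) are deaggregated to (?P<levels>.+?) level\(s\)"
)

# Constructed sample: the messages from this page, PDF line wraps joined.
SAMPLE_LOG = """\
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:52.659 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0 with source addr -- -- -- is found at 2013-11-20 13:57:52 JST
Nov 20 13:57:54.597 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_DEAGGREGATED: Flows of protocol IP-Options:router-alert on slot fpc 2 are deaggregated to subscriber, logical-interface level(s)
Nov 20 14:34:13.661 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_TIMEOUT: A flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST, last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:13.661 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_TIMEOUT: A flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is timed out. Found at 2013-11-20 14:29:14 JST, last observed at 2013-11-20 14:29:14 JST
Nov 20 14:34:16.663 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:router-alert on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
Nov 20 14:34:16.663 Dokinchan-re0 jddosd[1723]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol IP-Options:unclassified on ge-2/0/0.0 with source addr 192.1.1.2 is found at 2013-11-20 14:34:16 JST
"""


def flow_level(ifname: str, src: str) -> str:
    """Infer the aggregation level from the message fields (assumption, see module docstring)."""
    if not src.startswith("--"):
        return "subscriber"
    return "logical-interface" if "." in ifname else "physical-interface"


def _new_record(ifname: str, src: str) -> dict:
    return {"level": flow_level(ifname, src), "found": 0, "timed_out": 0,
            "last_timeout": None, "refound_after_s": []}


def track_flows(lines, year: int):
    """Return (flows, deaggregations). flows is keyed by (protocol, interface, source)."""
    flows, deaggregations = {}, []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f").replace(year=year)
        event, body = m["event"], m["body"]
        if event == "DDOS_SCFD_FLOW_FOUND":
            f = FOUND_RE.match(body)
            if not f:
                continue
            rec = flows.setdefault((f["proto"], f["ifname"], f["src"]), _new_record(f["ifname"], f["src"]))
            rec["found"] += 1
            if rec["last_timeout"] is not None:      # re-detected after a timeout
                rec["refound_after_s"].append((ts - rec["last_timeout"]).total_seconds())
        elif event == "DDOS_SCFD_FLOW_TIMEOUT":
            f = TIMEOUT_RE.match(body)
            if not f:
                continue
            rec = flows.setdefault((f["proto"], f["ifname"], f["src"]), _new_record(f["ifname"], f["src"]))
            rec["timed_out"] += 1
            rec["last_timeout"] = ts
        elif event == "DDOS_SCFD_FLOW_DEAGGREGATED":
            d = DEAGG_RE.match(body)
            if d:
                deaggregations.append((d["proto"], int(d["fpc"]), d["levels"]))
    return flows, deaggregations


def churning_flows(flows: dict, max_gap_s: float = 30.0) -> list:
    """Flows re-found within max_gap_s of timing out: the source is still over the flow
    rate, so timeout-active-flows only cycles the entry instead of retiring it."""
    return sorted(key for key, rec in flows.items() if any(g <= max_gap_s for g in rec["refound_after_s"]))


if __name__ == "__main__":
    flows, deagg = track_flows(SAMPLE_LOG.splitlines(), year=2013)
    for key in churning_flows(flows):
        print("still active after timeout:", key, flows[key]["refound_after_s"])
```

A flow that times out and is not found again within the detect window has genuinely stopped; one that reappears seconds later, as both subscriber flows from 192.1.1.2 do here, is better handled by raising flow-timeout-time or leaving timeout-active-flows off for that packet type so the drop entry stays in place.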

NPC2(Dokinchan-re0 vty)# show ddos scfd asic-flows 0 details

PFE: 0
Flow Record Index: 12
Flow Key:
Proto-ID: 3d02
Key type: 1
IIF: 339
Src IP addr: c0010102 (192.1.1.2)
Dst IP addr: c0010101 (192.1.1.1)
Src port: 0
Dst port: 0
Flow Context Data:
Rcvd ack_add: 1
Rcvd ack_del: 0
Rcvd last flow op: 2
Flow state: 2
Aggr level: 0
Proto idx: 125
Policer idx: 3
Time inserted: 1946184735
Time last violated: 1946475734
Last received: 7132354
Flow Statitics:
Packet Count: 7152878
Byte Count: 557924406

PFE: 0
Flow Record Index: 11
Flow Key:
Proto-ID: 3d01
Key type: 1
IIF: 339
Src IP addr: c0010102 (192.1.1.2)
Dst IP addr: c0010101 (192.1.1.1)
Src port: 0
Dst port: 0
Flow Context Data:
Rcvd ack_add: 1
Rcvd ack_del: 0
Rcvd last flow op: 2
Flow state: 2
Aggr level: 0
Proto idx: 124
Policer idx: 4
Time inserted: 1946184734
Time last violated: 1946476734
Last received: 40555616
Flow Statitics:
Packet Count: 40662069
Byte Count: 2683696488

NPC2(Dokinchan-re0 vty)#

DDOS Configuration Hierarchy

Although disabling DDoS protection is not recommended, it can be disabled via configuration, at the Routing Engine level
and/or the FPC level. The flow-report-rate and violation-report-rate (how many flow and violation reports per second the
FPCs send to the Routing Engine) can also be tuned.

[edit]
lab@Dokinchan-re0# set system ddos-protection global ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
disable-fpc Disable FPC policing for all protocols
disable-logging Disable event logging for all protocols
disable-routing-engine Disable Routing Engine policing for all protocols
flow-detection Enable flow detection for all protocols
flow-report-rate Set the rate of reporting flows for all FPC's (1..50000 reports per second)
violation-report-rate Set the rate of reporting protocol violations for all FPC's (1..50000 reports per
second)
[edit]
lab@Dokinchan-re0#

The granularity goes down to a per-protocol, per-packet-type and even per-FPC basis.

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
bandwidth Policer bandwidth (1..100000 packets per second)
burst Policer burst size (1..100000 packets)
disable-fpc Turn off policing on all fpc's
disable-logging Disable event logging for protocol violation
disable-routing-engine Turn off policing on routing engine
flow-detect-time Time to determine a flow is bad (1..60 seconds)
flow-detection-mode Flow detection mode for the packet type
> flow-level-bandwidth Bandwidth for flows at various levels
> flow-level-control Specify how discovered flows are controlled
> flow-level-detection Specify detection mode at various levels
flow-recover-time Time to return to normal after last violation (1..3600 seconds)
flow-timeout-time Time to timeout the flow since found (1..7200 seconds)
> fpc Flexible PIC Concentrator parameters
no-flow-logging Disable logging of violating flows
recover-time Time for protocol to return to normal (1..3600 seconds)
timeout-active-flows Allow timeout active violating flows

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate fpc 0 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
bandwidth-scale Bandwidth scale from 1% to 100% (1..100 percent)
burst-scale Burst scale from 1% to 100% (1..100 percent)
disable-fpc Turn off policing on this slot

[edit]
lab@Dokinchan-re0#

The bandwidth-scale and burst-scale knobs under fpc set the share of the protocol policer that is applied on that FPC
(bandwidth * bandwidth-scale% and burst * burst-scale%). For example, scaling both to 50% on FPC 2 changes the OSPF
policer from 20000 pps / 20000 packets to 10000 pps / 10000 packets on that slot only, while the Routing Engine and the
other FPCs keep the full values:

[edit]
lab@Dokinchan-re0# run show ddos-protection protocols ospf parameters
Packet types: 1, Modified: 0
* = User configured value

Protocol Group: OSPF

Packet type: aggregate (Aggregate for all ospf traffic)


Aggregate policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Recover time: 300 seconds
Enabled: Yes
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate fpc 2 bandwidth-scale 50

[edit]
lab@Dokinchan-re0# set system ddos-protection protocols ospf aggregate fpc 2 burst-scale 50

[edit]
lab@Dokinchan-re0# commit
commit complete

[edit]
lab@Dokinchan-re0# run show ddos-protection protocols ospf parameters
Packet types: 1, Modified: 1
* = User configured value

Protocol Group: OSPF

Packet type: aggregate (Aggregate for all ospf traffic)


Aggregate policer configuration:
Bandwidth: 20000 pps
Burst: 20000 packets
Recover time: 300 seconds
Enabled: Yes
Routing Engine information:
Bandwidth: 20000 pps, Burst: 20000 packets, enabled
FPC slot 1 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
FPC slot 2 information:
Bandwidth: 50% (10000 pps), Burst: 50% (10000 packets), enabled
FPC slot 3 information:
Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled

[edit]
lab@Dokinchan-re0#


Statistics/Errors
The per-protocol statistics show the counters before and after the policers are applied to the packets. The inline notes in the following output reconcile the counters across the Routing Engine, the FPC (uKern) and the PFE (ASIC).
lab@Dokinchan-re0> show ddos-protection protocols ip-options unclassified
Currently tracked flows: 1, Total detected flows: 1
* = User configured value

Protocol Group: IP-Options

Packet type: unclassified (Unclassified options traffic)


Individual policer configuration:
Bandwidth: 10000 pps
Burst: 10000 packets
Priority: Low
Recover time: 300 seconds
Enabled: Yes
Bypass aggregate: No
Flow detection configuration:
Detection mode: Automatic Detect time: 3 seconds
Log flows: Yes Recover time: 60 seconds
Timeout flows: No Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 10000 pps*
Logical interface Automatic Drop 10000 pps*
Physical interface Automatic Drop 10000 pps
System-wide information:
Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2013-11-20 17:15:20 JST
Violation last seen at: 2013-11-20 17:15:31 JST
Duration of violation: 00:00:11 Number of violations: 4
Received: 134723 Arrival rate: 0 pps
Dropped: 98645 Max arrival rate: 13895 pps    <- 92837 (flow suppression) + 5808 (this policer) = 98645; the uKern aggregate policer drops are not counted here (PR942816)
Flow counts:
Aggregation level Current Total detected
Subscriber 1 1
Total 1 1
Routing Engine information:
Bandwidth: 10000 pps, Burst: 10000 packets, enabled
Policer is never violated
Received: 16963 Arrival rate: 0 pps           <- 17574 - 611 = 16963 reach the Routing Engine (611 dropped by the option queue policer, see below)
Dropped: 0 Max arrival rate: 1612 pps
Dropped by aggregate policer: 0
FPC slot 2 information:
Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
Policer is currently being violated!
Violation first detected at: 2013-11-20 17:15:20 JST
Violation last seen at: 2013-11-20 17:15:31 JST
Duration of violation: 00:00:11 Number of violations: 1
Received: 134723 Arrival rate: 0 pps          <- 134723 - 117149 = 17574 sent to the host queue
Dropped: 117149 Max arrival rate: 13895 pps   <- 5808 + 18504 + 92837 = 117149
Dropped by this policer: 5808                 <- dropped by the protocol policer
Dropped by aggregate policer: 18504           <- dropped by the aggregate policer in the uKern
Dropped by flow suppression: 92837            <- dropped by the SCFD flow policer
Flow counts:
Aggregation level Current Total detected State
Subscriber 1 1 Active
Total 1 1

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-options


DDOS Policer Statistics:

arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
123 3d00 ip-opt aggregate Y UKERN 17574 18504 0 0 0
^^^^^ Agg Policer + Protocol Policer in uKern
124 3d01 ip-opt unclass.. Y UKERN 36078 18504 0 0 1
^^^^^ Protocol Policer in uKern
PFE-0 36078 98645 7841 0 1
^^^^^ Protocol Policer + SCFD drops
125 3d02 ip-opt rt-alert Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0
126 3d03 ip-opt non-v4v6 Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0

NPC2(Dokinchan-re0 vty)# show mqchip 0 dstat stats 0 1020


QSYS 0 QUEUE 1020 colormap 2 stats index 48:

Counter Packets Pkt Rate Bytes Byte Rate


------------------------ ---------------- ------------ ---------------- ------------
Forwarded (NoRule) 0 0 0 0
Forwarded (Rule) 36078 0 3283098 0
^^^^^^^ Packet sent via the option queue to uKern
Color 0 Dropped (WRED) 0 0 0 0
Color 0 Dropped (TAIL) 0 0 0 0
Color 1 Dropped (WRED) 0 0 0 0
Color 1 Dropped (TAIL) 0 0 0 0
Color 2 Dropped (WRED) 0 0 0 0
Color 2 Dropped (TAIL) 0 0 0 0
Color 3 Dropped (WRED) 0 0 0 0
Color 3 Dropped (TAIL) 0 0 0 0
Dropped (Force) 0 0 0 0
Dropped (Error) 0 0 0 0

Queue inst depth : 0


Queue avg len (taql): 0


NPC2(Dokinchan-re0 vty)# show options statistics


IP Option Values:
LSRR/SSRR forwarding disabled

IP Option Statistics:
0 loose source routes
0 strict source routes
0 record routes
0 router alerts
16963 other options

IP Option Errors:
0 runts
0 bad versions
0 runt header lengths
0 giant header lengths
0 null frames
0 bad option lengths
0 duplicate options
0 bad option pointers
0 source route frames dropped

IP Option Queue Stats:


16963 queued
0 queue drops
0 queue deletes
25 high water mark queued
0 current queued
611 policer drops

IP option protocol queue stats:

Protocol Other max number tokens 025


16963 queued
0 queue drops
0 queue deletes
25 high water mark queued
0 current queued
611 policer drops Option queue policer drop

IGMP Queue Stats:


0 queued
0 queue drops
0 queue deletes
0 high water mark queued
0 current queued
0 policer drops


NPC2(Dokinchan-re0 vty)#

When we look at the aggregate policer instead, the system-wide statistics do count the uKern aggregate policer drops. Here we inject 30K packets of each ip-fragments packet type. The vty output below can be confusing because the pass count of each individual policer still includes the packets that the aggregate policer in the uKern later drops; PR942813 was filed to improve this command output.

NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-fragments


DDOS Policer Statistics:

arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
158 4f00 ip-frag aggregate Y UKERN 12751 47249 0 0 0
^^^^^ Sum of the drop below
159 4f01 ip-frag unclass.. Y N/A --- --- --- --- ---
160 4f02 ip-frag first-frag Y UKERN 30000 23484 0 0 0
^^^^^ Drop by uKern Agg policer. This is PR942813
PFE-0 30000 0 0 0 0
161 4f03 ip-frag trail-frag Y UKERN 30000 23765 0 0 0
^^^^^ Drop by uKern Agg policer. This is PR942813
PFE-0 30000 0 0 0 0

NPC2(Dokinchan-re0 vty)#

The total drop on the MPC is 23484 + 23765 = 47249. With 7 more packets dropped on the RE, the system-wide total becomes 47256.
lab@Dokinchan-re0> show ddos-protection protocols ip-fragments aggregate
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: IP-Fragments

Packet type: aggregate (Aggregate for all IP Fragment traffic)


Aggregate policer configuration:
Bandwidth: 3000 pps*
Burst: 3000 packets*
Recover time: 300 seconds
Enabled: Yes
Flow detection configuration:
Detection mode: Automatic Detect time: 3 seconds
Log flows: Yes Recover time: 60 seconds
Timeout flows: No Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 10 pps
Logical interface Automatic Drop 10 pps
Physical interface Automatic Drop 20000 pps
System-wide information:
Aggregate bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2013-11-21 16:10:53 JST
Violation last seen at: 2013-11-22 12:28:57 JST
Duration of violation: 20:18:04 Number of violations: 14
Received: 60000 Arrival rate: 0 pps
Dropped: 47256 Max arrival rate: 6933 pps     <- 47249 (FPC) + 7 (RE) = 47256
Routing Engine information:
Bandwidth: 3000 pps, Burst: 3000 packets, enabled
Aggregate policer is currently being violated!
Violation first detected at: 2013-11-22 12:20:07 JST
Violation last seen at: 2013-11-22 12:28:51 JST
Duration of violation: 00:08:44 Number of violations: 5
Received: 12751 Arrival rate: 0 pps
Dropped: 7 Max arrival rate: 2091 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 7
FPC slot 2 information:
Bandwidth: 100% (3000 pps), Burst: 100% (3000 packets), enabled
Aggregate policer is currently being violated!
Violation first detected at: 2013-11-22 12:28:51 JST
Violation last seen at: 2013-11-22 12:28:57 JST
Duration of violation: 00:00:06 Number of violations: 1
Received: 60000 Arrival rate: 0 pps
Dropped: 47249 Max arrival rate: 6933 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 47249           <- with aggregate statistics this count also includes the drops
Dropped by flow suppression: 0                   attributed to flow suppression, which is incorrect (PR942816)
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
Logical-interface 0 0 Active
Physical-interface 0 0 Active
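
As an added example (not part of this document and not a Juniper tool), the following Python script automates the reconciliation that the inline notes above do by hand for both the ip-options unclassified and the ip-fragments aggregate captures. It parses the counter lines of `show ddos-protection protocols <group> <type>`, checks that each FPC's drop breakdown adds up to its Dropped counter, computes how many packets the PFE handed to the host queue, how many of those never reached the Routing Engine policer (drops between ASIC and RE, outside DDOS), and whether the system-wide Dropped counter is short by the uKern aggregate-policer drops. The two embedded samples are constructed from the captures above with the notes removed; the parsed layout is assumed to match those captures.

```python
import re

# Constructed samples: the counter lines from the two "show ddos-protection
# protocols ..." captures on this page, with the inline JTAC notes removed.
IP_OPTIONS_UNCLASSIFIED = """\
Protocol Group: IP-Options
    System-wide information:
      Received:  134723              Arrival rate:     0 pps
      Dropped:   98645               Max arrival rate: 13895 pps
    Routing Engine information:
      Received:  16963               Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 1612 pps
        Dropped by aggregate policer: 0
    FPC slot 2 information:
      Bandwidth: 100% (10000 pps), Burst: 100% (10000 packets), enabled
      Received:  134723              Arrival rate:     0 pps
      Dropped:   117149              Max arrival rate: 13895 pps
        Dropped by this policer:      5808
        Dropped by aggregate policer: 18504
        Dropped by flow suppression:  92837
"""

IP_FRAGMENTS_AGGREGATE = """\
Protocol Group: IP-Fragments
    System-wide information:
      Received:  60000               Arrival rate:     0 pps
      Dropped:   47256               Max arrival rate: 6933 pps
    Routing Engine information:
      Received:  12751               Arrival rate:     0 pps
      Dropped:   7                   Max arrival rate: 2091 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   7
    FPC slot 2 information:
      Received:  60000               Arrival rate:     0 pps
      Dropped:   47249               Max arrival rate: 6933 pps
        Dropped by individual policers: 0
        Dropped by aggregate policer:   47249
        Dropped by flow suppression:    0
"""

SECTION_RE = re.compile(r"^\s*(System-wide|Routing Engine|FPC slot \d+) information:")
COUNTER_RE = re.compile(r"^\s*(Received|Dropped):\s+(\d+)")
BREAKDOWN_RE = re.compile(r"^\s*Dropped by ([a-z ]+):\s+(\d+)")


def parse_sections(text):
    """Return {section: {"received": n, "dropped": n, "breakdown": {...}}}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"breakdown": {}}
            continue
        if current is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            sections[current][m.group(1).lower()] = int(m.group(2))
            continue
        m = BREAKDOWN_RE.match(line)
        if m:
            sections[current]["breakdown"][m.group(1)] = int(m.group(2))
    return sections


def reconcile(text):
    """Cross-check the RE, FPC and system-wide counters of one packet type."""
    s = parse_sections(text)
    re_info, sys_info = s["Routing Engine"], s["System-wide"]
    findings, fpc_dropped, sent_to_host, fpc_agg = [], 0, 0, 0
    for name, fpc in sorted(s.items()):
        if not name.startswith("FPC slot"):
            continue
        parts = sum(fpc["breakdown"].values())
        if parts != fpc["dropped"]:  # per-FPC breakdown must add up
            findings.append(f"{name}: Dropped {fpc['dropped']} != breakdown {parts}")
        fpc_dropped += fpc["dropped"]
        fpc_agg += fpc["breakdown"].get("aggregate policer", 0)
        sent_to_host += fpc["received"] - fpc["dropped"]  # handed to host queue
    # Packets the PFE sent to the host that the RE policer never counted were
    # lost between ASIC and RE (MQ host-bound queue, uKern option-queue
    # policer, TTP): drops outside the DDOS policers.
    lost_in_path = sent_to_host - re_info["received"]
    # System-wide Dropped should equal FPC drops + RE drops. In the individual
    # policer view on this page it omits the uKern aggregate-policer drops
    # (PR942816), so the gap equals the FPC "Dropped by aggregate policer".
    gap = fpc_dropped + re_info["dropped"] - sys_info["dropped"]
    if gap:
        findings.append(f"system-wide Dropped short by {gap} "
                        f"(FPC aggregate-policer drops: {fpc_agg})")
    return {"sent_to_host": sent_to_host, "lost_in_path": lost_in_path,
            "system_wide_gap": gap, "findings": findings}


if __name__ == "__main__":
    print("ip-options unclassified:", reconcile(IP_OPTIONS_UNCLASSIFIED))
    print("ip-fragments aggregate: ", reconcile(IP_FRAGMENTS_AGGREGATE))
```

On the ip-options sample this reports 17574 packets sent to the host queue, 611 lost on the way to the RE (the option queue policer drops seen in `show options statistics`) and a system-wide gap of 18504, the uKern aggregate-policer drops; on the ip-fragments sample everything adds up and no finding is raised. A non-zero `lost_in_path` with no DDOS drops is the signature discussed later under "When DDOS Doesn't Seem To Work".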

The following shows a summary of the drop statistics on the PFE:

NPC2(Dokinchan-re0 vty)# show jnh 0 exceptions hbc policers

Global Policer:
policer_nexthop: 0xC03C152607CB9001
policer_result: 0x4C3F2360
dropped packets: 0

Hostbound policer packet drops: 0 Sum of HBC policer drop for exception nhs.
Hostbound policer byte drops: 0

Aggregate policer packet drops: 40160393 Sum of all DDOS IPv4 policer drops.
Aggregate policer byte drops: 4871701502

Aggregate IPv6 policer packet drops: 76521499 Sum of all DDOS IPv6 policer drops.
Aggregate IPv6 policer byte drops: 5662590926

NPC2(Dokinchan-re0 vty)#

The following DDOS error counters record errors seen while parsing the received protocol frames:

NPC2(Dokinchan-re0 vty)# show ddos asic global-rx-errors


DDOS ASIC counters:
Pkts on unsupported reason code: 0

Reason -- Proto-ID Errors:


Code Reason Error Type Pkts
---- ------------ ---------- ----
0 --- unsupported 0
1 PUNT_TTL mismatch-id 0
2 PUNT_OPTIONS non-exist-id 0
3 PUNT_REDIRECT mismatch-id 0
4 PUNT_CONTROL non-exist-id 0
5 PUNT_FAB_OUT_PROBE_PKT mismatch-id 0
6 PUNT_HOST_COPY non-exist-id 0
7 PUNT_MAC_FWD_TYPE_HOST mismatch-id 0
8 PUNT_TUNNEL_FRAGMENT mismatch-id 0
9 --- unsupported 0 PUNT_GIMLET_PKT
10 --- unsupported 0 PUNT_FLOW_REJECT
11 PUNT_MLP non-exist-id 0
12 PUNT_IGMP_SNOOP mismatch-id 0
13 PUNT_VC_TTL_ERROR mismatch-id 0
14 PUNT_L2PT_ERROR mismatch-id 0
15 --- unsupported 0 PUNT_DDOS_POLICER_VIOL
16 --- unsupported 0 PUNT_DDOS_SCFD
17 --- unsupported 0 PUNT_LU_NOTIF
18 PUNT_PIM_SNOOP mismatch-id 0
19 --- unsupported 0 PUNT_MLD_SNOOP
20 --- unsupported 0 Undefined
21 --- unsupported 0 Undefined
22 --- unsupported 0 Undefined
23 --- unsupported 0 Undefined
24 --- unsupported 0 Undefined
25 --- unsupported 0 Undefined
26 --- unsupported 0 Undefined
27 --- unsupported 0 Undefined
28 --- unsupported 0 Undefined
29 --- unsupported 0 Undefined
30 --- unsupported 0 Undefined
31 --- unsupported 0 Undefined
32 PUNT_PROTOCOL non-exist-id 0
33 PUNT_RESOLVE non-exist-id 0
34 PUNT_RECEIVE non-exist-id 0


35 PUNT_AUTOSENSE mismatch-id 0
36 PUNT_REJECT_FW non-exist-id 0
37 --- unsupported 0 PUNT_UNUSED
38 PUNT_SERVICES mismatch-id 0
39 PUNT_DEMUXAUTOSENSE mismatch-id 0
40 PUNT_REJECT mismatch-id 0
41 PUNT_SAMPLE_SYSLOG mismatch-id 0
42 PUNT_SAMPLE_HOST mismatch-id 0
43 PUNT_SAMPLE_PFE mismatch-id 0
44 PUNT_SAMPLE_TAP mismatch-id 0
45 PUNT_PPPOE_PADI mismatch-id 0
46 PUNT_PPPOE_PADR mismatch-id 0
47 PUNT_PPPOE_PADT mismatch-id 0
48 PUNT_PPP_LCP mismatch-id 0
49 PUNT_PPP_AUTH mismatch-id 0
50 PUNT_PPP_IPV4CP mismatch-id 0
51 PUNT_PPP_IPV6CP mismatch-id 0
52 PUNT_PPP_MPLSCP mismatch-id 0
53 PUNT_PPP_UNCLASSIFIED_CP mismatch-id 0
54 PUNT_SEND_TO_HOST_FW non-exist-id 0
55 PUNT_VC_HI mismatch-id 0
56 PUNT_VC_LO mismatch-id 0
57 PUNT_PPP_ISIS mismatch-id 0
58 PUNT_KEEPALIVE mismatch-id 0
59 PUNT_SEND_TO_HOST_FW_INLINE_SVCS mismatch-id 0
60 PUNT_PPP_LCP_ECHO_REQ mismatch-id 0
61 PUNT_INLINE_KA mismatch-id 0
62 --- unsupported 0 PUNT_UNUSED
63 PUNT_PPP_LCP_ECHO_REP mismatch-id 0
64 PUNT_MLPPP_LCP mismatch-id 0
65 PUNT_MLFR_CONTROL mismatch-id 0
66 PUNT_MFR_CONTROL mismatch-id 0
67 --- unsupported 0 PUNT_UNUSED
68 PUNT_REJECT_V6 mismatch-id 0
69 PUNT_RESOLVE_V6 non-exist-id 0
70 PUNT_SEND_TO_HOST_SVCS mismatch-id 0
71 PUNT_SAMPLE_SFLOW mismatch-id 0

Here are the IPC message statistics between the DDOS module on the MPC and the DDOS daemon on the Routing Engine (jddosd).

NPC2(Dokinchan-re0 vty)# show ddos ipc


DDOS IPC Messages:
Name Requests Failures Duplicates Tx messages
----------------------- ---------- ---------- ---------- ----------
Unknown 0 0 0 0
global_ctrl 3 0 0 0
global_ctrl_rts 0 0 0 0
global_states 0 0 0 0
global_states_rts 0 0 0 0


violation set 0 0 0 7
violation clr 0 0 0 5
protocol_stats_get 24 0 0 0
protocol_stats_clr 0 0 0 0
protocol_stats_rts 0 0 0 0
policer 5 0 0 0
policer_rts 0 0 0 0
pstates 0 0 0 0
pstates_rts 0 0 0 0
pfe_peer_info 0 0 0 0
flow_get 0 0 0 0
flow_clr 0 0 0 0
scfd_proto_get 0 0 0 0

NPC2(Dokinchan-re0 vty)# show ddos socket


DDOS PFE-to-JDDOSD Socket Stats:
Name Counts
------------------------------------ ---------------
total request pkts 0
total response pkts 0
total ipc writes to RE 95
retry count for last connection 1
max retrys for a connection to RE 1
reconnect count 1
max length of pipe write queue 0
timer events with NULL timer 0
packet read length errors 0
packet read type errors 0
msg version errors 0
msg subtype errors 0
msg write failures 0
packet write failures 0
packet allocation failures 0
pipe write failures 0
pipe queue overflow errors 0
debug string

Here is the global configuration and statistics summary for the SCFD module.

NPC2(Dokinchan-re0 vty)# show ddos scfd global-info


DDOS-SCFD global context
------------------------------------------------------
FLow entry/state/hash size: 288/12/8 bytes
Flow scan: Yes
Send async msg to RE: Yes
Send periodic update to RE: No
Default enabled: No
Enabled: Yes
Last aggr op is: Deaggr
Next available flow id: d
Culprit flows: 2
Culprit flows on scan: 2
Violated protocols: 2
Violated protocols on scan: 2
Violation report rate: 100(pps)
Flow change report rate: 100(pps)
Scan cookie: 30772
Free SCFD states: 4096
Free flow entries: 4094
Free notif blocks: 400
Free re request blocks: 400
Free flow msg blocks: 4096
Free flow policers: 4221
Socket notif queue size: 0
Has queued work state items: 0
Has queued re requests: 0
Has queued flow rate modifies: 0
Has queued flow messages: 0
Send packet size: 16384
Send batch size: 1
Last aggr op time: 151310230
Per PFE flows: 0=2
Run out of flows: 0
Reuse an entry not freed yet: 0
Run out of state items: 0
Bad proto ID: 0
rindex changed for same flow: 0
Remove flow on an empty proto: 0
Remove non-exist flow: 0
Read ASIC failed: 0
Failed tries write flow params: 0
Failed change flow params: 0
Run out of policers: 0
Run out of msg blocks: 0
Run out of mod flow blocks: 0
SCFD stats for PFE 0
Global configuration
violation report rate: 100
flow report rate: 100
Flow counters read from LU
current suspicious flows: 0
current culprit flows: 2
discovered suspicious flows: 15
discovered culprit flows: 13
deleted culprit flows: 11
false positives: 2
hash insertion errors: 0
hash deletion errors: 0
max flow tbl scan time(ms): 0
debug values: 0
Flow reports received through PUNT
policer violation: 967586
flow found: 13
flow timeout: 6
flow return to normal: 5
flow cleared: 0
unknown reports: 0
bad flow type: 0
Violation indication policer stats
Passed indications: 967586
Dropped indications: 1203589195

NPC2(Dokinchan-re0 vty)# show ddos work-queues


[ 0] flow entry called 0 times, discarded 0 items
no semaphore, no work queue, has item store, no handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 4096 4094 15 0 13 0
[ 1] flow update asic called 15 times, discarded 0 items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 1000 1000 28 0 28 0
work queue 1000 0 28 15 28 0
[ 2] policer scan called 277173 times, discarded 0 items
has semaphore, no work queue, no item store, has handler, loop is off
[ 3] flow state called 27 times, discarded 0 items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 4096 4096 43 0 43 0
work queue 4096 0 43 23 43 0
[ 4] async notif called 12 times, discarded 0 items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 400 400 12 0 12 0
work queue 400 0 12 0 12 0
[ 5] req request called 94 times, discarded 0 items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 400 400 50 0 50 0
work queue 400 0 50 0 50 0
[ 6] flow modify called 0 times, discarded 0 items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 400 400 0 0 0 0
work queue 400 0 0 0 0 0
[ 7] flow message called 98 times, discarded 0 items
has semaphore, has work queue, has item store, has handler, loop is off
queue request stats----------------------------------------------------------
queue name size items dequeues deq-empty enqueues enq-fail
item queue 4096 4096 1030 0 1030 0
work queue 4096 0 1030 94 1030 0
[ 8] flow scan called 30797 times, discarded 0 items
has semaphore, no work queue, no item store, has handler, loop is off

NPC2(Dokinchan-re0 vty)#


When DDOS Doesn't Seem To Work

Although the DDOS feature can identify an attack flow and drop it, the system needs some time to detect such a flow, which means that the flow has to be steady for detection to work.

When we check the DDOS statistics there can be a gap between the ASIC and the uKern counters. In the following example the uKern arrival rate is far lower than the one measured on the PFE (ASIC), yet none of the DDOS policers show any drops. Between the ASIC and the uKern, packets can be dropped in the TOE/MQ if the host-bound traffic rate is too high. Here the drops happen on the MQ host-bound queue (queue 1016, WRED and tail drops), which is why the uKern sees far less traffic than the PFE.
NPC2(Dokinchan-re0 vty)# show ddos policer stats ip-fragments
DDOS Policer Statistics:

arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
158 4f00 ip-frag aggregate Y UKERN 3828251 0 16623 16623 0
159 4f01 ip-frag unclass.. Y N/A --- --- --- --- ---
160 4f02 ip-frag first-frag Y UKERN 1913970 0 8310 8310 0
PFE-0 4594919 0 19997 19997 0
161 4f03 ip-frag trail-frag Y UKERN 1914281 0 8313 8313 0
PFE-0 4594921 0 19998 19998 0

NPC2(Dokinchan-re0 vty)# show mqchip 0 dstat stats 0 1016

QSYS 0 QUEUE 1016 colormap 2 stats index 0:

Counter Packets Pkt Rate Bytes Byte Rate


------------------------ ---------------- ------------ ---------------- ------------
Forwarded (NoRule) 0 0 0 0
Forwarded (Rule) 18313974 16661 4513626054 1716045
Color 0 Dropped (WRED) 20014319 23341 4275669611 2404085
Color 0 Dropped (TAIL) 9899788 0 3853013876 0
Color 1 Dropped (WRED) 0 0 0 0
Color 1 Dropped (TAIL) 0 0 0 0
Color 2 Dropped (WRED) 0 0 0 0
Color 2 Dropped (TAIL) 0 0 0 0
Color 3 Dropped (WRED) 0 0 0 0
Color 3 Dropped (TAIL) 0 0 0 0
Dropped (Force) 0 0 0 0
Dropped (Error) 0 0 0 0

Queue inst depth : 501881


Queue avg len (taql): 506120

NPC2(Dokinchan-re0 vty)#

The same can happen on the path between the PPC and the RE (for example TTP drops).


There are also cases where DDOS protection does not help.
https://gnats.juniper.net/web/default/878789
This PR concerns SCFD flow detection against an ARP storm. When an ARP packet comes in, it is handled by the default ARP policer (__default_arp_policer__) before it reaches the HBC. Since the default ARP policer is stateless, it drops ARP packets purely on the policer rate, without considering that the ARP packets it passes all belong to the same flow. As a result, legitimate ARP packets may be dropped by the default ARP policer, while the attacking ARP storm is only dropped by SCFD once it has detected the flow.

To work around this, disable the default ARP policer by configuring a high ARP policer rate, which amounts to passing all ARP packets through to SCFD. SCFD then identifies the attack flow(s) and drops them.

https://gnats.juniper.net/web/default/934869
As mentioned above, DDOS needs a steady traffic volume to detect a suspicious flow. This PR concerns a bursty traffic source, the typical case being multicast flow start-up.

In this PR, when multicast packets hit the resolve next hop, the resolve request goes up to RPD on the Routing Engine, which installs a multicast route on the PFE. From that point on the flow no longer hits the resolve next hop, which is why DDOS could not detect it.

Even with SCFD turned on, detection takes some time (on the order of seconds), so it is not quick enough to stop resolve requests for the same multicast group from entering the resolve queue on the host (resolve_nh -> host queue -> PPC -> resolve queue -> RPD [RE]) and to let other multicast groups into the resolve queue. Hence, enabling DDOS does not help much to speed up multicast route setup in this case.

https://gnats.juniper.net/web/default/871500
The problem is that MLP packets are processed differently: they do not go through the regular exception processing path. MLP packets are sent by the learning process directly to the host, in general at 200 pps, and bypass most of the DDOS processing, which is why DDOS cannot control them. MLP is self-paced, which means that MLP poses NO DDOS threat.


Major Upcoming Changes

Here are some enhancements that have been done or are in progress for the DDOS module.

https://gnats.juniper.net/web/default/832740
This is mainly a code enhancement for DDOS that adds support for the XM chip. We would suggest that customers using DDOS pick up this fix.

https://gnats.juniper.net/web/default/924807
This is a major design flaw in DDOS: a packet hitting the resolve or firewall-reject next hop is classified as a protocol control packet as long as its protocol field matches the corresponding DDOS term. With this fix, the notifications hitting the resolve and reject next hops are separated into their own DDOS terms, as shown in the punt-proto-maps output below.
NPC1(currypanman-re0 vty)# show ddos asic punt-proto-maps
PUNT exceptions directly mapped to DDOS proto:
code PUNT name group proto idx q# bwidth burst
---- -------------------- --------- ------ ---- -- ------ ------
1 PUNT_TTL ttl aggregate 3c00 5 2000 10000
3 PUNT_REDIRECT redirect aggregate 3e00 0 2000 10000
5 PUNT_FAB_OUT_PROBE_PKT fab-probe aggregate 5700 0 20000 20000
7 PUNT_MAC_FWD_TYPE_HOST mac-host aggregate 4100 2 20000 20000
8 PUNT_TUNNEL_FRAGMENT tun-frag aggregate 4200 0 2000 10000
11 PUNT_MLP mlp packets 3802 2 2000 10000
12 PUNT_IGMP_SNOOP igmp-snoop aggregate 4300 4 20000 20000
13 PUNT_VC_TTL_ERROR vchassis vc-ttl-err 805 2 4000 10000
14 PUNT_L2PT_ERROR l2pt aggregate 5a00 2 20000 20000
35 PUNT_AUTOSENSE dynvlan aggregate 300 2 1000 500
38 PUNT_SERVICES services aggregate 4400 0 2000 10000
39 PUNT_DEMUXAUTOSENSE demuxauto aggregate 4500 0 2000 10000
40 PUNT_REJECT reject aggregate 4600 6 2000 10000
41 PUNT_SAMPLE_SYSLOG sample syslog 5602 7 1000 1000
42 PUNT_SAMPLE_HOST sample host 5603 7 1000 1000
43 PUNT_SAMPLE_PFE sample pfe 5604 7 1000 1000
44 PUNT_SAMPLE_TAP sample tap 5605 7 1000 1000
45 PUNT_PPPOE_PADI pppoe padi 502 2 500 500
46 PUNT_PPPOE_PADR pppoe padr 504 3 500 500
47 PUNT_PPPOE_PADT pppoe padt 506 3 1000 1000
48 PUNT_PPP_LCP ppp lcp 402 2 12000 12000
49 PUNT_PPP_AUTH ppp auth 403 3 2000 2000
50 PUNT_PPP_IPV4CP ppp ipcp 404 3 2000 2000
51 PUNT_PPP_IPV6CP ppp ipv6cp 405 3 2000 2000
52 PUNT_PPP_MPLSCP ppp mplscp 406 3 2000 2000
53 PUNT_PPP_UNCLASSIFIED_CP ppp unclass 401 2 1000 500
55 PUNT_VC_HI vchassis control-hi 802 3 10000 5000
56 PUNT_VC_LO vchassis control-lo 803 2 8000 3000
57 PUNT_PPP_ISIS ppp isis 407 3 2000 2000
58 PUNT_KEEPALIVE keepalive aggregate 5b00 3 20000 20000
59 PUNT_SEND_TO_HOST_FW_INLINE_SVCS inline-svcs aggregate 5d00 2 20000 20000
60 PUNT_PPP_LCP_ECHO_REQ ppp echo-req 408 2 12000 12000
61 PUNT_INLINE_KA inline-ka aggregate 5c00 3 20000 20000
63 PUNT_PPP_LCP_ECHO_REP ppp echo-rep 409 2 12000 12000
64 PUNT_MLPPP_LCP ppp mlppp-lcp 40a 2 12000 12000
65 PUNT_MLFR_CONTROL frame-relay frf15 5e02 2 12000 12000
66 PUNT_MFR_CONTROL frame-relay frf16 5e03 2 12000 12000
68 PUNT_REJECT_V6 rejectv6 aggregate 5900 6 2000 10000

PUNT exceptions that go through HBC. See following parsed proto


code PUNT name
---- -------------
2 PUNT_OPTIONS |
4 PUNT_CONTROL |
6 PUNT_HOST_COPY |
11 PUNT_MLP |---------------+
32 PUNT_PROTOCOL | |
34 PUNT_RECEIVE | |
54 PUNT_SEND_TO_HOST_FW | |
|
------------------------------------------------------------------
type subtype group proto idx q# bwidth burst
------ ---------- ---------- ---------- ---- -- ------ ------
contrl LACP lacp aggregate 2c00 3 20000 20000
contrl STP stp aggregate 2d00 3 20000 20000
contrl ESMC esmc aggregate 2e00 3 20000 20000
contrl OAM_LFM oam-lfm aggregate 2f00 3 20000 20000
contrl EOAM eoam aggregate 3000 3 20000 20000
contrl LLDP lldp aggregate 3100 3 20000 20000
contrl MVRP mvrp aggregate 3200 3 20000 20000
contrl PMVRP pmvrp aggregate 3300 3 20000 20000
contrl ARP arp aggregate 3400 2 20000 20000
contrl PVSTP pvstp aggregate 3500 3 20000 20000
contrl ISIS isis aggregate 3600 1 20000 20000
contrl POS pos aggregate 3700 3 20000 20000
contrl MLP mlp packets 3802 2 2000 10000
contrl JFM jfm aggregate 3900 3 20000 20000
contrl ATM atm aggregate 3a00 3 20000 20000
contrl PFE_ALIVE pfe-alive aggregate 3b00 3 20000 20000
filter ipv4 dhcpv4 aggregate 600 0 5000 5000
filter ipv6 dhcpv6 aggregate 700 0 5000 5000
filter ipv4 icmp aggregate 900 0 20000 20000
filter ipv4 igmp aggregate a00 1 20000 20000
filter ipv4 ospf aggregate b00 1 20000 20000
filter ipv4 rsvp aggregate c00 1 20000 20000
filter ipv4 pim aggregate d00 1 8000 16000
filter ipv4 rip aggregate e00 1 20000 20000
filter ipv4 ptp aggregate f00 1 20000 20000
filter ipv4 bfd aggregate 1000 1 20000 20000
filter ipv4 lmp aggregate 1100 1 20000 20000
filter ipv4 ldp aggregate 1200 1 20000 20000
filter ipv4 msdp aggregate 1300 1 20000 20000
filter ipv4 bgp aggregate 1400 0 20000 20000
filter ipv4 vrrp aggregate 1500 1 20000 20000
filter ipv4 telnet aggregate 1600 0 20000 20000
filter ipv4 ftp aggregate 1700 0 20000 20000
filter ipv4 ssh aggregate 1800 0 20000 20000
filter ipv4 snmp aggregate 1900 0 20000 20000
filter ipv4 ancp aggregate 1a00 1 20000 20000
filter ipv6 igmpv6 aggregate 1b00 1 20000 20000
filter ipv6 egpv6 aggregate 1c00 1 20000 20000
filter ipv6 rsvpv6 aggregate 1d00 1 20000 20000
filter ipv6 igmpv4v6 aggregate 1e00 1 20000 20000
filter ipv6 ripv6 aggregate 1f00 1 20000 20000
filter ipv6 bfdv6 aggregate 2000 1 20000 20000
filter ipv6 lmpv6 aggregate 2100 1 20000 20000
filter ipv6 ldpv6 aggregate 2200 1 20000 20000
filter ipv6 msdpv6 aggregate 2300 1 20000 20000
filter ipv6 bgpv6 aggregate 2400 0 20000 20000
filter ipv6 vrrpv6 aggregate 2500 1 20000 20000
filter ipv6 telnetv6 aggregate 2600 0 20000 20000
filter ipv6 ftpv6 aggregate 2700 0 20000 20000
filter ipv6 sshv6 aggregate 2800 0 20000 20000
filter ipv6 snmpv6 aggregate 2900 0 20000 20000
filter ipv6 ancpv6 aggregate 2a00 1 20000 20000
filter ipv6 ospfv3v6 aggregate 2b00 1 20000 20000
filter ipv4 tcp-flags unclass.. 4801 0 20000 20000
filter ipv4 tcp-flags initial 4802 0 20000 20000
filter ipv4 tcp-flags establish 4803 0 20000 20000
filter ipv4 dtcp aggregate 4900 0 20000 20000
filter ipv4 radius server 4a02 0 20000 20000
filter ipv4 radius account.. 4a03 0 20000 20000
filter ipv4 radius auth.. 4a04 0 20000 20000
filter ipv4 ntp aggregate 4b00 0 20000 20000
filter ipv4 tacacs aggregate 4c00 0 20000 20000
filter ipv4 dns aggregate 4d00 0 20000 20000
filter ipv4 diameter aggregate 4e00 0 20000 20000
filter ipv4 ip-frag first-frag 4f02 0 20000 20000
filter ipv4 ip-frag trail-frag 4f03 0 20000 20000
filter ipv4 l2tp aggregate 5000 0 20000 20000
filter ipv4 gre aggregate 5100 0 20000 20000
filter ipv4 ipsec aggregate 5200 0 20000 20000
filter ipv6 pimv6 aggregate 5300 1 8000 16000
filter ipv6 icmpv6 aggregate 5400 0 20000 20000
filter ipv6 ndpv6 aggregate 5500 0 20000 20000
filter ipv4 amtv4 aggregate 5f00 0 20000 20000
filter ipv6 amtv6 aggregate 6000 0 20000 20000
option rt-alert ip-opt rt-alert 3d02 1 20000 20000
option unclass ip-opt unclass.. 3d01 4 10000 10000


PUNT exceptions parsed by their own parsers


code PUNT name
---- -------------
200 PUNT_RESOLVE |
200 PUNT_RESOLVE_V6 |---------------+
|
------------------------------------------------------------------
resolve aggregate 100 0 5000 10000
resolve other 101 6 2000 2000
resolve ucast-v4 102 6 3000 5000
resolve mcast-v4 103 6 3000 5000
resolve ucast-v6 104 6 3000 5000
resolve mcast-v6 105 6 3000 5000

REJECT_FW exception mapped to DHCPv4/6 and filter-act. Only filter-act shown


7 PUNT_REJECT_FW |---------------+
|
------------------------------------------------------------------
filter-act aggregate 200 0 10000 10000
filter-act other 201 6 2000 10000
filter-act filter-v4 202 6 2000 10000
filter-act filter-v6 203 6 2000 10000

NPC1(currypanman-re0 vty)# show ddos asic nexthops


[LU:Prot:Idx]: policer-nh ddos-nh p-result cntr-nh ctr-addr type
[-----------]: ---------- ------- ------- ------- ----
[ 0:----:ind]: c0040086071b9001 e02292000010000 4cc5c9b0 c0e3f8 8010 viol-report
[ 0: 0: 0]: c004009607182001 0 4cc5c938 c0e3f0 8012 hbc & others
[ 0: 100: 1]: c004018e07183001 e023fe000030000 4cc5c8e8 c0e3e8 8031 hbc & others
[ 0: 101: 2]: c00400a6071b8001 0 4cc5c870 c0e3e0 8014 punt
[ 0: 102: 3]: c00400b607184001 0 4cc5c820 c0e380 8016 punt
[ 0: 103: 4]: c004017e07185001 0 4cc5c7d0 c0e388 802f punt
[ 0: 104: 5]: c00400ce071b7001 0 4cc5c780 c0e3d8 8019 punt
[ 0: 105: 6]: c004016e071b6001 0 4cc5c730 c0e390 802d punt
[ 0: 200: 7]: c004015e071b5001 e023d7000020000 4cc5c6e0 c0e398 802b hbc & others
[ 0: 201: 8]: c00400de07186001 0 4cc5c668 c0e3a0 801b punt
[ 0: 202: 9]: c004015607187001 0 4cc5c618 c0e3d0 802a punt
[ 0: 203: 10]: c00400ee07188001 0 4cc5c5c8 c0e3c8 801d punt
[ 0: 300: 11]: c00400fe07189001 e023d1000020000 4cc5c578 c0e3a8 801f punt
[ 0: 400: 12]: c0040106071b4001 0 4cc5c528 c0e3c0 8020 hbc & others
[ 0: 401: 13]: c0040136071b3001 e02e9d000020000 4cc5c4d8 c0e3b8 8026 punt
[ 0: 402: 14]: c00401260718a001 e02e86800020000 4cc5c488 c0e3b0 8024 punt
[ 0: 403: 15]: c0040116071b2001 e02e88000020000 4cc5c438 c0e400 8022 punt
[ 0: 404: 16]: c03c0a06071b1001 e02e9e800020000 4cc5c3e8 c0e478 78140 punt
[ 0: 405: 17]: c03c0a16071b0001 e02e89800020000 4cc5c398 c0e408 78142 punt
[ 0: 406: 18]: c03c0a26071af001 e02e8b000020000 4cc5c348 c0e410 78144 punt
[ 0: 407: 19]: c03c0bf60718b001 e02e8f800020000 4cc5c2f8 c0e418 7817e punt
[ 0: 408: 20]: c03c0a2e0718c001 e02eb4000030000 4cc5c2a8 c0e420 78145 punt
[ 0: 409: 21]: c03c0be6071ae001 e02eb2000030000 4cc5c258 c0e470 7817c punt
[ 0: 40a: 22]: c03c0bde071ad001 e02e92800020000 4cc5c208 c0e468 7817b punt
[ 0: 500: 23]: c03c0bce0718d001 0 4cc5c1b8 c0e460 78179 hbc & others
[ 0: 501: 24]: c03c0bc60718e001 0 4cc5c168 c0e428 78178 hbc & others
[ 0: 502: 25]: c03c0bbe0718f001 e02ea0000020000 4cc5c118 c0e458 78177 punt
[ 0: 503: 26]: c03c0a5e071ac001 0 4cc5c0c8 c0e450 7814b hbc & others
[ 0: 504: 27]: c03c0bae071ab001 e02e83800020000 4cc5c078 c0e430 78175 punt
[ 0: 505: 28]: c03c0a6e071aa001 0 4cc5c028 c0e438 7814d hbc & others
[ 0: 506: 29]: c03c0ba607190001 e02e85000020000 4cc5bfd8 c0e440 78174 punt
[ 0: 507: 30]: c03c0b96071a9001 0 4cc5bf88 c0e448 78172 hbc & others
[ 0: 508: 31]: c03c0a8607191001 0 4cc5bf38 c0e4f8 78150 hbc & others
[ 0: 600: 32]: c03c0a8e07192001 0 4cc5bee8 c0e480 78151 hbc & others
[ 0: 601: 33]: c03c0a9e071a8001 0 4cc5be98 c0e488 78153 hbc & others
[ 0: 602: 34]: c03c0b86071a7001 0 4cc5be48 c0e490 78170 hbc & others
[ 0: 603: 35]: c03c0aae07193001 0 4cc5bdf8 c0e4f0 78155 hbc & others
[ 0: 604: 36]: c03c0b6e071a6001 0 4cc5bda8 c0e498 7816d hbc & others
[ 0: 605: 37]: c03c0ab6071a5001 0 4cc5bd58 c0e4e8 78156 hbc & others
[ 0: 606: 38]: c03c0b56071a4001 0 4cc5bd08 c0e4e0 7816a hbc & others
[ 0: 607: 39]: c03c0b4e07194001 0 4cc5bcb8 c0e4d8 78169 hbc & others
[ 0: 608: 40]: c03c0ac6071a3001 0 4cc5bc68 c0e4d0 78158 hbc & others
[ 0: 609: 41]: c03c0ace071a2001 0 4cc5bc18 c0e4a0 78159 hbc & others
[ 0: 60a: 42]: c03c0b2e07195001 0 4cc5bbc8 c0e4c8 78165 hbc & others
[ 0: 60b: 43]: c03c0ade07196001 0 4cc5bb78 c0e4a8 7815b hbc & others
[ 0: 60c: 44]: c03c0ae6071a1001 0 4cc5bb28 c0e4c0 7815c hbc & others
[ 0: 60d: 45]: c03c0aee07197001 0 4cc5bad8 c0e4b0 7815d hbc & others
[ 0: 60e: 46]: c03c0b0e07198001 0 4cc5ba88 c0e4b8 78161 hbc & others
[ 0: 60f: 47]: c03c0b06071a0001 0 4cc65a50 c0e578 78160 hbc & others
[ 0: 610: 48]: c03c0c0607199001 0 4cc65a00 c0e570 78180 hbc & others
[ 0: 611: 49]: c03c0c0e0719a001 0 4cc659b0 c0e568 78181 hbc & others
[ 0: 612: 50]: c03c0dee0719b001 0 4cc65960 c0e560 781bd hbc & others
[ 0: 700: 51]: c03c0de60719c001 0 4cc65910 c0e500 781bc hbc & others
[ 0: 701: 52]: c03c0dd60719f001 0 4cc658c0 c0e508 781ba hbc & others
[ 0: 702: 53]: c03c0c260719e001 0 4cc65870 c0e558 78184 hbc & others
[ 0: 703: 54]: c03c0dc60719d001 0 4cc65820 c0e510 781b8 hbc & others
[ 0: 704: 55]: c03c0db6072ff001 0 4cc657d0 c0e550 781b6 hbc & others
[ 0: 705: 56]: c03c0dae072fe001 0 4cc65780 c0e548 781b5 hbc & others
[ 0: 706: 57]: c03c0c36072c0001 0 4cc65730 c0e518 78186 hbc & others
[ 0: 707: 58]: c03c0d96072c1001 0 4cc656e0 c0e520 781b2 hbc & others
[ 0: 708: 59]: c03c0c3e072fd001 0 4cc65690 c0e540 78187 hbc & others
[ 0: 709: 60]: c03c0c46072c2001 0 4cc65640 c0e538 78188 hbc & others
[ 0: 70a: 61]: c03c0c56072c3001 0 4cc655f0 c0e530 7818a hbc & others
[ 0: 70b: 62]: c03c0c5e072fc001 0 4cc655a0 c0e528 7818b hbc & others
[ 0: 70c: 63]: c03c0c6e072c4001 0 4cc65550 c0e600 7818d hbc & others
[ 0: 70d: 64]: c03c0d6e072fb001 0 4cc65500 c0e608 781ad hbc & others
[ 0: 70e: 65]: c03c0d5e072c5001 0 4cc654b0 c0e678 781ab hbc & others
[ 0: 70f: 66]: c03c0c7e072fa001 0 4cc65460 c0e670 7818f hbc & others
[ 0: 710: 67]: c03c0d4e072c6001 0 4cc65410 c0e610 781a9 hbc & others
[ 0: 711: 68]: c03c0d3e072f9001 0 4cc653c0 c0e618 781a7 hbc & others
[ 0: 712: 69]: c03c0c8e072c7001 0 4cc65370 c0e668 78191 hbc & others
[ 0: 800: 70]: c03c0d2e072c8001 0 4cc65320 c0e620 781a5 hbc & others
[ 0: 801: 71]: c03c0c9e072f8001 0 4cc652d0 c0e628 78193 hbc & others
[ 0: 802: 72]: c03c0d26072f7001 e02e9b800020000 4cc65280 c0e660 781a4 punt
[ 0: 803: 73]: c03c0d1e072c9001 e02e9a000020000 4cc65230 c0e658 781a3 punt
[ 0: 804: 74]: c03c0cb6072ca001 0 4cc651e0 c0e630 78196 hbc & others
[ 0: 805: 75]: c03c0d0e072cb001 e02e98800020000 4cc65190 c0e650 781a1 punt
[ 0: 900: 76]: c03c0cc6072cc001 0 4cc65140 c0e638 78198 hbc & others
[ 0: a00: 77]: c03c0cce072f6001 0 4cc650f0 c0e640 78199 hbc & others
[ 0: b00: 78]: c03c0cd6072f5001 0 4cc650a0 c0e648 7819a hbc & others
[ 0: c00: 79]: c03c0ce6072cd001 0 4cc65050 c0e6f8 7819c hbc & others
[ 0: d00: 80]: c03c0ffe072f4001 0 4cc65000 c0e6f0 781ff hbc & others
[ 0: e00: 81]: c03c0fee072f3001 0 4cc64fb0 c0e6e8 781fd hbc & others
[ 0: f00: 82]: c03c0e0e072ce001 0 4cc64f60 c0e6e0 781c1 hbc & others
[ 0:1000: 83]: c03c0fe6072cf001 0 4cc64f10 c0e6d8 781fc hbc & others
[ 0:1100: 84]: c03c0e1e072f2001 0 4cc64ec0 c0e680 781c3 hbc & others
[ 0:1200: 85]: c03c0fd6072f1001 0 4cc64e70 c0e6d0 781fa hbc & others
[ 0:1300: 86]: c03c0e36072d0001 0 4cc64e20 c0e688 781c6 hbc & others
[ 0:1400: 87]: c03c0fce072f0001 0 4cc64dd0 c0e6c8 781f9 hbc & others
[ 0:1500: 88]: c03c0e46072ef001 0 4cc64d80 c0e6c0 781c8 hbc & others
[ 0:1600: 89]: c03c0e4e072ee001 0 4cc64d30 c0e690 781c9 hbc & others
[ 0:1700: 90]: c03c0e5e072d1001 0 4cc64ce0 c0e698 781cb hbc & others
[ 0:1800: 91]: c03c0fae072ed001 0 4cc64c90 c0e6a0 781f5 hbc & others
[ 0:1900: 92]: c03c0e66072d2001 0 4cc64c40 c0e6a8 781cc hbc & others
[ 0:1a00: 93]: c03c0f9e072d3001 0 4cc64bf0 c0e6b8 781f3 hbc & others
[ 0:1b00: 94]: c03c0e7e072d4001 0 4cc64ba0 c0e6b0 781cf hbc & others
[ 0:1c00: 95]: c03c0e86072d5001 0 4cc64b50 c0e778 781d0 hbc & others
[ 0:1d00: 96]: c03c0e8e072d6001 0 4cc64b00 c0e770 781d1 hbc & others
[ 0:1e00: 97]: c03c0e96072ec001 0 4cc64ab0 c0e768 781d2 hbc & others
[ 0:1f00: 98]: c03c0e9e072eb001 0 4cc64a60 c0e760 781d3 hbc & others
[ 0:2000: 99]: c03c0eae072ea001 0 4cc64a10 c0e700 781d5 hbc & others
[ 0:2100:100]: c03c0f76072e9001 0 4cc649c0 c0e758 781ee hbc & others
[ 0:2200:101]: c03c0ec6072e8001 0 4cc64970 c0e708 781d8 hbc & others
[ 0:2300:102]: c03c0f66072e7001 0 4cc64920 c0e710 781ec hbc & others
[ 0:2400:103]: c03c0f5e072e6001 0 4cc648d0 c0e718 781eb hbc & others
[ 0:2500:104]: c03c0f56072e5001 0 4cc64880 c0e750 781ea hbc & others
[ 0:2600:105]: c03c0ede072e4001 0 4cc64830 c0e720 781db hbc & others
[ 0:2700:106]: c03c0eee072d7001 0 4cc647e0 c0e748 781dd hbc & others
[ 0:2800:107]: c03c0ef6072d8001 0 4cc64790 c0e728 781de hbc & others
[ 0:2900:108]: c03c0f36072d9001 0 4cc64740 c0e740 781e6 hbc & others
[ 0:2a00:109]: c03c0efe072e3001 0 4cc646f0 c0e730 781df hbc & others
[ 0:2b00:110]: c03c0f06072da001 0 4cc646a0 c0e738 781e0 hbc & others
[ 0:2c00:111]: c03c0f16072e2001 0 4cc64650 c0e7f8 781e2 subtype
[ 0:2d00:112]: c03c11fe072db001 0 4cc64600 c0e780 7823f subtype
[ 0:2e00:113]: c03c11f6072dc001 0 4cc645b0 c0e788 7823e subtype
[ 0:2f00:114]: c03c100e072e1001 0 4cc64560 c0e7f0 78201 subtype
[ 0:3000:115]: c03c11e6072dd001 0 4cc64510 c0e7e8 7823c subtype
[ 0:3100:116]: c03c11de072de001 0 4cc644c0 c0e790 7823b subtype
[ 0:3200:117]: c03c11ce072df001 0 4cc64470 c0e798 78239 subtype
[ 0:3300:118]: c03c11c6072e0001 0 4cc64420 c0e7e0 78238 subtype
[ 0:3400:119]: c03c11be0743f001 0 4cc643d0 c0e7d8 78237 subtype
[ 0:3500:120]: c03c11b607400001 0 4cc64380 c0e7a0 78236 subtype
[ 0:3600:121]: c03c10460743e001 0 4cc64330 c0e7a8 78208 subtype
[ 0:3700:122]: c03c11ae0743d001 0 4cc642e0 c0e7b0 78235 subtype
[ 0:3800:123]: c03c119e07401001 0 4cc64290 c0e7b8 78233 hbc & others
[ 0:3801:124]: c03c118e0743c001 0 4cc64240 c0e7d0 78231 hbc & others
[ 0:3802:125]: c03c117e07402001 e02e8c800020000 4cc641f0 c0e7c8 7822f subtype
[ 0:3803:126]: c03c11760743b001 0 4cc641a0 c0e7c0 7822e hbc & others
[ 0:3900:127]: c03c11660743a001 0 4cc64150 c0e880 7822c subtype
[ 0:3a00:128]: c03c115e07439001 0 4cc64100 c0e8f8 7822b subtype
[ 0:3b00:129]: c03c106607438001 0 4cc640b0 c0e888 7820c subtype
[ 0:3c00:130]: c03c106e07403001 e023d4000020000 4cc64060 c0e890 7820d punt
[ 0:3d00:131]: c03c114607404001 0 4cc64010 c0e898 78228 hbc & others
[ 0:3d01:132]: c03c108607405001 0 4cc63fc0 c0e8a0 78210 punt
[ 0:3d02:133]: c03c109607406001 0 4cc63f70 c0e8f0 78212 punt
[ 0:3d03:134]: c03c113607407001 0 4cc63f20 c0e8e8 78226 punt
[ 0:3e00:135]: c03c112e07408001 e023d5800020000 4cc63ed0 c0e8e0 78225 punt
[ 0:3f00:136]: c03c111e07409001 0 4cc63e80 c0e8a8 78223 hbc & others
[ 0:4000:137]: c03c10ae0740a001 0 4cc63e30 c0e8d8 78215 hbc & others
[ 0:4100:138]: c03c111607437001 e02e82000020000 4cc63de0 c0e8b0 78222 punt
[ 0:4200:139]: c03c110607436001 e023cb000020000 4cc63d90 c0e8b8 78220 punt
[ 0:4300:140]: c03c10f607435001 e02e8e000020000 4cc63d40 c0e8d0 7821e punt
[ 0:4400:141]: c03c10be07434001 e023cf800020000 4cc63cf0 c0e8c0 78217 punt
[ 0:4500:142]: c03c10e607433001 e023c9800020000 4cc63ca0 c0e8c8 7821c punt
[ 0:4600:143]: c03c10de0740b001 e023ce000020000 4cc63c50 c0e978 7821b punt
[ 0:4700:144]: c03c12060740c001 0 4cc63c00 c0e900 78240 hbc & others
[ 0:4800:145]: c03c13f60740d001 0 4cc63bb0 c0e970 7827e hbc & others
[ 0:4801:146]: c03c13ee07432001 0 4cc63b60 c0e968 7827d hbc & others
[ 0:4802:147]: c03c13de0740e001 0 4cc63b10 c0e908 7827b hbc & others
[ 0:4803:148]: c03c12160740f001 0 4cc63ac0 c0e910 78242 hbc & others
[ 0:4900:149]: c03c121e07410001 0 4cc6faa0 c0e918 78243 hbc & others
[ 0:4a00:150]: c03c13c607431001 0 4cc6fa50 c0e920 78278 hbc & others
[ 0:4a01:151]: c03c13be07411001 0 4cc6fa00 c0e928 78277 hbc & others
[ 0:4a02:152]: c03c13b607412001 0 4cc6f9b0 c0e960 78276 hbc & others
[ 0:4a03:153]: c03c123e07430001 0 4cc6f960 c0e930 78247 hbc & others
[ 0:4a04:154]: c03c124607413001 0 4cc6f910 c0e938 78248 hbc & others
[ 0:4b00:155]: c03c124e0742f001 0 4cc6f8c0 c0e940 78249 hbc & others
[ 0:4c00:156]: c03c13960742e001 0 4cc6f870 c0e958 78272 hbc & others
[ 0:4d00:157]: c03c126607414001 0 4cc6f820 c0e948 7824c hbc & others
[ 0:4e00:158]: c03c126e0742d001 0 4cc6f7d0 c0e950 7824d hbc & others
[ 0:4f00:159]: c03c12760742c001 0 4cc6f780 c0e9f8 7824e hbc & others
[ 0:4f01:160]: c03c137e0742b001 0 4cc6f730 c0e980 7826f hbc & others
[ 0:4f02:161]: c03c12860742a001 0 4cc6f6e0 c0e988 78250 hbc & others
[ 0:4f03:162]: c03c136e07429001 0 4cc6f690 c0e990 7826d hbc & others
[ 0:5000:163]: c03c129e07415001 0 4cc6f640 c0e9f0 78253 hbc & others
[ 0:5100:164]: c03c12a607416001 0 4cc6f5f0 c0e998 78254 hbc & others
[ 0:5200:165]: c03c12b607417001 0 4cc6f5a0 c0e9e8 78256 hbc & others
[ 0:5300:166]: c03c135e07428001 0 4cc6f550 c0e9e0 7826b hbc & others
[ 0:5400:167]: c03c134e07418001 0 4cc6f500 c0e9a0 78269 hbc & others
[ 0:5500:168]: c03c12c607427001 0 4cc6f4b0 c0e9d8 78258 hbc & others
[ 0:5600:169]: c03c133e07426001 0 4cc6f460 c0e9a8 78267 hbc & others
[ 0:5601:170]: c03c12de07425001 0 4cc6f410 c0e9b0 7825b hbc & others
[ 0:5602:171]: c03c132e07419001 e02f02000020000 4cc6f3c0 c0e9b8 78265 punt
[ 0:5603:172]: c03c131e07424001 e02f03800020000 4cc6f370 c0e9d0 78263 punt
[ 0:5604:173]: c03c13160741a001 e02f1e800020000 4cc6f320 c0e9c8 78262 punt
[ 0:5605:174]: c03c12f60741b001 e02f05000020000 4cc6f2d0 c0e9c0 7825e punt
[ 0:5700:175]: c03c12fe0741c001 e02f1d000020000 4cc6f280 c0ea78 7825f punt
[ 0:5800:176]: c03c15fe07423001 0 4cc6f230 c0ea00 782bf punt
[ 0:5801:177]: c03c15f60741d001 0 4cc6f1e0 c0ea70 782be punt
[ 0:5802:178]: c03c15ee07422001 0 4cc6f190 c0ea68 782bd punt
[ 0:5803:179]: c03c14160741e001 0 4cc6f140 c0ea08 78282 punt
[ 0:5804:180]: c03c15d60741f001 0 4cc6f0f0 c0ea10 782ba punt
[ 0:5805:181]: c03c15c607420001 0 4cc6f0a0 c0ea60 782b8 punt
[ 0:5806:182]: c03c141e07421001 0 4cc6f050 c0ea58 78283 punt
[ 0:5807:183]: c03c14260757f001 0 4cc6f000 c0ea50 78284 punt
[ 0:5808:184]: c03c15ae07540001 0 4cc6efb0 c0ea48 782b5 punt
[ 0:5809:185]: c03c15a607541001 0 4cc6ef60 c0ea18 782b4 punt
[ 0:580a:186]: c03c15960757e001 0 4cc6ef10 c0ea40 782b2 punt
[ 0:580b:187]: c03c143e07542001 0 4cc6eec0 c0ea20 78287 punt
[ 0:580c:188]: c03c158607543001 0 4cc6ee70 c0ea38 782b0 punt
[ 0:5900:189]: c03c14560757d001 e023cc800020000 4cc6ee20 c0ea28 7828a punt
[ 0:5a00:190]: c03c157e0757c001 e023d2800020000 4cc6edd0 c0ea30 782af punt
[ 0:5b00:191]: c03c146e07544001 e02e97000020000 4cc6ed80 c0eb78 7828d punt
[ 0:5c00:192]: c03c147607545001 e02e91000020000 4cc6ed30 c0eb70 7828e punt
[ 0:5d00:193]: c03c156607546001 e02e95800020000 4cc6ece0 c0eb68 782ac punt
[ 0:5e00:194]: c03c14860757b001 0 4cc6ec90 c0eb60 78290 hbc & others
[ 0:5e01:195]: c03c155e07547001 0 4cc6ec40 c0eb58 782ab hbc & others
[ 0:5e02:196]: c03c149e0757a001 e02e94000020000 4cc6ebf0 c0eb00 78293 punt
[ 0:5e03:197]: c03c155607548001 e02f20000020000 4cc6eba0 c0eb50 782aa punt
[ 0:5f00:198]: c03c14ae07549001 0 4cc6eb50 c0eb08 78295 hbc & others
[ 0:6000:199]: c03c153e0754a001 0 4cc6eb00 c0eb10 782a7 hbc & others
[ 1:----:ind]: c00401fe070fc001 e00a73000010000 4cc76d90 c0e200 803f viol-report
[ 1: 0: 0]: c00401f6070fb001 0 4cc76d18 c0e278 803e hbc & others
[ 1: 100: 1]: c0040026070fa001 e00bc2000030000 4cc76cc8 c0e270 8004 hbc & others
[ 1: 101: 2]: c0040036070c5001 0 4cc76c50 c0e268 8006 punt
[ 1: 102: 3]: c00401e6070f9001 0 4cc76c00 c0e208 803c punt
[ 1: 103: 4]: c004003e070c6001 0 4cc76bb0 c0e210 8007 punt
[ 1: 104: 5]: c0040046070f8001 0 4cc76b60 c0e218 8008 punt
[ 1: 105: 6]: c0040056070c7001 0 4cc76b10 c0e220 800a punt
[ 1: 200: 7]: c004005e070c8001 e00ba9000020000 4cc76ac0 c0e260 800b hbc & others
[ 1: 201: 8]: c00401c6070c9001 0 4cc76a48 c0e258 8038 punt
[ 1: 202: 9]: c004006e070ca001 0 4cc769f8 c0e228 800d punt
[ 1: 203: 10]: c004007e070f7001 0 4cc769a8 c0e230 800f punt
[ 1: 300: 11]: c00401ae070f6001 e00bac000020000 4cc76958 c0e238 8035 punt
[ 1: 400: 12]: c00401a6070cb001 0 4cc76908 c0e250 8034 hbc & others
[ 1: 401: 13]: c0040096070f5001 e02f99800020000 4cc768b8 c0e240 8012 punt
[ 1: 402: 14]: c004019e070cc001 e02f84800020000 4cc76868 c0e248 8033 punt
[ 1: 403: 15]: c00400a6070f4001 e02f9c800020000 4cc76818 c0e2f8 8014 punt
[ 1: 404: 16]: c00400ae070f3001 e02f86000020000 4cc767c8 c0e2f0 8015 punt
[ 1: 405: 17]: c0040186070f2001 e02f9b000020000 4cc76778 c0e2e8 8030 punt
[ 1: 406: 18]: c004017e070f1001 e02f87800020000 4cc76728 c0e280 802f punt
[ 1: 407: 19]: c00400c6070f0001 e02f8d800020000 4cc766d8 c0e2e0 8018 punt
[ 1: 408: 20]: c00400d6070ef001 e02fae000030000 4cc76688 c0e288 801a punt
[ 1: 409: 21]: c004016e070ee001 e02fba000030000 4cc76638 c0e2d8 802d punt
[ 1: 40a: 22]: c004015e070cd001 e02f90800020000 4cc765e8 c0e290 802b punt
[ 1: 500: 23]: c0040156070ce001 0 4cc76598 c0e298 802a hbc & others
[ 1: 501: 24]: c00400f6070ed001 0 4cc76548 c0e2a0 801e hbc & others
[ 1: 502: 25]: c0040106070ec001 e02f83000020000 4cc764f8 c0e2d0 8020 punt
[ 1: 503: 26]: c0040146070eb001 0 4cc764a8 c0e2c8 8028 hbc & others
[ 1: 504: 27]: c0040136070ea001 e02f9f800020000 4cc76458 c0e2c0 8026 punt
[ 1: 505: 28]: c004010e070e9001 0 4cc76408 c0e2b8 8021 hbc & others
[ 1: 506: 29]: c0040126070cf001 e02f9e000020000 4cc763b8 c0e2b0 8024 punt
[ 1: 507: 30]: c0040406070d0001 0 4cc76368 c0e2a8 8080 hbc & others
[ 1: 508: 31]: c00405fe070d1001 0 4cc76318 c0e300 80bf hbc & others
[ 1: 600: 32]: c0040416070e8001 0 4cc762c8 c0e378 8082 hbc & others
[ 1: 601: 33]: c00405ee070e7001 0 4cc76278 c0e370 80bd hbc & others
[ 1: 602: 34]: c00405de070d2001 0 4cc76228 c0e368 80bb hbc & others
[ 1: 603: 35]: c0040426070e6001 0 4cc761d8 c0e308 8084 hbc & others
[ 1: 604: 36]: c004042e070e5001 0 4cc76188 c0e310 8085 hbc & others
[ 1: 605: 37]: c004043e070e4001 0 4cc76138 c0e318 8087 hbc & others
[ 1: 606: 38]: c00405be070d3001 0 4cc760e8 c0e320 80b7 hbc & others
[ 1: 607: 39]: c004044e070d4001 0 4cc76098 c0e360 8089 hbc & others
[ 1: 608: 40]: c0040456070e3001 0 4cc76048 c0e328 808a hbc & others
[ 1: 609: 41]: c00405a6070e2001 0 4cc75ff8 c0e330 80b4 hbc & others
[ 1: 60a: 42]: c004045e070e1001 0 4cc75fa8 c0e338 808b hbc & others
[ 1: 60b: 43]: c0040466070e0001 0 4cc75f58 c0e358 808c hbc & others
[ 1: 60c: 44]: c004046e070d5001 0 4cc75f08 c0e340 808d hbc & others
[ 1: 60d: 45]: c0040476070d6001 0 4cc75eb8 c0e348 808e hbc & others
[ 1: 60e: 46]: c004047e070d7001 0 4cc75e68 c0e350 808f hbc & others
[ 1: 60f: 47]: c0040576070df001 0 4cc75e18 c0e380 80ae hbc & others
[ 1: 610: 48]: c004048e070de001 0 4cc75dc8 c0e388 8091 hbc & others
[ 1: 611: 49]: c0040566070d8001 0 4cc75d78 c0e390 80ac hbc & others
[ 1: 612: 50]: c004055e070dd001 0 4cc75d28 c0e398 80ab hbc & others
[ 1: 700: 51]: c00404a6070dc001 0 4cc75cd8 c0e3a0 8094 hbc & others
[ 1: 701: 52]: c0040546070db001 0 4cc75c88 c0e3a8 80a8 hbc & others
[ 1: 702: 53]: c00404ae070d9001 0 4cc75c38 c0e3b0 8095 hbc & others
[ 1: 703: 54]: c0040536070da001 0 4cc75be8 c0e3b8 80a6 hbc & others
[ 1: 704: 55]: c004052e07200001 0 4cc75b98 c0e3c0 80a5 hbc & others
[ 1: 705: 56]: c004051e0723f001 0 4cc7fb60 c0e3f8 80a3 hbc & others
[ 1: 706: 57]: c00404ce0723e001 0 4cc7fb10 c0e3c8 8099 hbc & others
[ 1: 707: 58]: c00404de0723d001 0 4cc7fac0 c0e3d0 809b hbc & others
[ 1: 708: 59]: c00404e60723c001 0 4cc7fa70 c0e3f0 809c hbc & others
[ 1: 709: 60]: c00405060723b001 0 4cc7fa20 c0e3e8 80a0 hbc & others
[ 1: 70a: 61]: c00404ee0723a001 0 4cc7f9d0 c0e3e0 809d hbc & others
[ 1: 70b: 62]: c00407fe07239001 0 4cc7f980 c0e3d8 80ff hbc & others
[ 1: 70c: 63]: c004060e07238001 0 4cc7f930 c0e4f8 80c1 hbc & others
[ 1: 70d: 64]: c00407ee07237001 0 4cc7f8e0 c0e4f0 80fd hbc & others
[ 1: 70e: 65]: c00407e607201001 0 4cc7f890 c0e4e8 80fc hbc & others
[ 1: 70f: 66]: c00407d607236001 0 4cc7f840 c0e4e0 80fa hbc & others
[ 1: 710: 67]: c00407ce07202001 0 4cc7f7f0 c0e480 80f9 hbc & others
[ 1: 711: 68]: c00407c607235001 0 4cc7f7a0 c0e4d8 80f8 hbc & others
[ 1: 712: 69]: c004063607203001 0 4cc7f750 c0e4d0 80c6 hbc & others
[ 1: 800: 70]: c004063e07204001 0 4cc7f700 c0e4c8 80c7 hbc & others
[ 1: 801: 71]: c004064e07205001 0 4cc7f6b0 c0e4c0 80c9 hbc & others
[ 1: 802: 72]: c00407ae07206001 e02f8a800020000 4cc7f660 c0e488 80f5 punt
[ 1: 803: 73]: c004065607234001 e02f8c000020000 4cc7f610 c0e490 80ca punt
[ 1: 804: 74]: c004065e07207001 0 4cc7f5c0 c0e4b8 80cb hbc & others
[ 1: 805: 75]: c004066e07233001 e02f96800020000 4cc7f570 c0e498 80cd punt
[ 1: 900: 76]: c004067607232001 0 4cc7f520 c0e4b0 80ce hbc & others
[ 1: a00: 77]: c004067e07231001 0 4cc7f4d0 c0e4a8 80cf hbc & others
[ 1: b00: 78]: c004077e07208001 0 4cc7f480 c0e4a0 80ef hbc & others
[ 1: c00: 79]: c004076e07230001 0 4cc7f430 c0e500 80ed hbc & others
[ 1: d00: 80]: c004068e0722f001 0 4cc7f3e0 c0e508 80d1 hbc & others
[ 1: e00: 81]: c004076607209001 0 4cc7f390 c0e510 80ec hbc & others
[ 1: f00: 82]: c00407560722e001 0 4cc7f340 c0e578 80ea hbc & others
[ 1:1000: 83]: c00406a60720a001 0 4cc7f2f0 c0e518 80d4 hbc & others
[ 1:1100: 84]: c00406b60720b001 0 4cc7f2a0 c0e570 80d6 hbc & others
[ 1:1200: 85]: c00407460722d001 0 4cc7f250 c0e520 80e8 hbc & others
[ 1:1300: 86]: c00406be0720c001 0 4cc7f200 c0e528 80d7 hbc & others
[ 1:1400: 87]: c004072e0722c001 0 4cc7f1b0 c0e530 80e5 hbc & others
[ 1:1500: 88]: c00406ce0720d001 0 4cc7f160 c0e568 80d9 hbc & others
[ 1:1600: 89]: c00406de0722b001 0 4cc7f110 c0e560 80db hbc & others
[ 1:1700: 90]: c00406ee0720e001 0 4cc7f0c0 c0e558 80dd hbc & others
[ 1:1800: 91]: c004071e0722a001 0 4cc7f070 c0e538 80e3 hbc & others
[ 1:1900: 92]: c004070e07229001 0 4cc7f020 c0e540 80e1 hbc & others
[ 1:1a00: 93]: c00406f60720f001 0 4cc7efd0 c0e550 80de hbc & others
[ 1:1b00: 94]: c00409fe07228001 0 4cc7ef80 c0e548 813f hbc & others
[ 1:1c00: 95]: c00409f607227001 0 4cc7ef30 c0e580 813e hbc & others
[ 1:1d00: 96]: c004080e07210001 0 4cc7eee0 c0e588 8101 hbc & others
[ 1:1e00: 97]: c004081e07226001 0 4cc7ee90 c0e590 8103 hbc & others
[ 1:1f00: 98]: c004082e07225001 0 4cc7ee40 c0e5f8 8105 hbc & others
[ 1:2000: 99]: c00409de07211001 0 4cc7edf0 c0e598 813b hbc & others
[ 1:2100:100]: c004083607224001 0 4cc7eda0 c0e5a0 8106 hbc & others
[ 1:2200:101]: c004084607223001 0 4cc7ed50 c0e5f0 8108 hbc & others
[ 1:2300:102]: c00409c607222001 0 4cc7ed00 c0e5a8 8138 hbc & others
[ 1:2400:103]: c004085607221001 0 4cc7ecb0 c0e5b0 810a hbc & others
[ 1:2500:104]: c004085e07212001 0 4cc7ec60 c0e5b8 810b hbc & others
[ 1:2600:105]: c00409b607220001 0 4cc7ec10 c0e5c0 8136 hbc & others
[ 1:2700:106]: c00409ae0721f001 0 4cc7ebc0 c0e5c8 8135 hbc & others
[ 1:2800:107]: c004087e07213001 0 4cc7eb70 c0e5e8 810f hbc & others
[ 1:2900:108]: c004099e0721e001 0 4cc7eb20 c0e5e0 8133 hbc & others
[ 1:2a00:109]: c004098e0721d001 0 4cc7ead0 c0e5d0 8131 hbc & others
[ 1:2b00:110]: c004098607214001 0 4cc7ea80 c0e5d8 8130 hbc & others
[ 1:2c00:111]: c00408960721c001 0 4cc7ea30 c0e600 8112 subtype
[ 1:2d00:112]: c00408a607215001 0 4cc7e9e0 c0e608 8114 subtype
[ 1:2e00:113]: c004097e07216001 0 4cc7e990 c0e610 812f subtype
[ 1:2f00:114]: c004097607217001 0 4cc7e940 c0e678 812e subtype
[ 1:3000:115]: c00408be0721b001 0 4cc7e8f0 c0e618 8117 subtype
[ 1:3100:116]: c00408c60721a001 0 4cc7e8a0 c0e670 8118 subtype
[ 1:3200:117]: c00408ce07219001 0 4cc7e850 c0e668 8119 subtype
[ 1:3300:118]: c00408d607218001 0 4cc7e800 c0e660 811a subtype
[ 1:3400:119]: c00408e60737f001 0 4cc7e7b0 c0e658 811c subtype
[ 1:3500:120]: c00409460737e001 0 4cc7e760 c0e650 8128 subtype
[ 1:3600:121]: c00409360737d001 0 4cc7e710 c0e648 8126 subtype
[ 1:3700:122]: c00408f60737c001 0 4cc7e6c0 c0e620 811e subtype
[ 1:3800:123]: c004092607340001 0 4cc7e670 c0e628 8124 hbc & others
[ 1:3801:124]: c004091e07341001 0 4cc7e620 c0e640 8123 hbc & others
[ 1:3802:125]: c00409160737b001 e02f98000020000 4cc7e5d0 c0e638 8122 subtype
[ 1:3803:126]: c0040bfe07342001 0 4cc7e580 c0e630 817f hbc & others
[ 1:3900:127]: c0040bf607343001 0 4cc7e530 c0e778 817e subtype
[ 1:3a00:128]: c0040be607344001 0 4cc7e4e0 c0e770 817c subtype
[ 1:3b00:129]: c0040bd607345001 0 4cc7e490 c0e700 817a subtype
[ 1:3c00:130]: c0040a0e0737a001 e00baa800020000 4cc7e440 c0e708 8141 punt
[ 1:3d00:131]: c0040bbe07379001 0 4cc7e3f0 c0e768 8177 hbc & others
[ 1:3d01:132]: c0040a1e07346001 0 4cc7e3a0 c0e760 8143 punt
[ 1:3d02:133]: c0040a2e07347001 0 4cc7e350 c0e758 8145 punt
[ 1:3d03:134]: c0040a3e07348001 0 4cc7e300 c0e750 8147 punt
[ 1:3e00:135]: c0040a4e07349001 e00bb6800020000 4cc7e2b0 c0e748 8149 punt
[ 1:3f00:136]: c0040bae0734a001 0 4cc7e260 c0e710 8175 hbc & others
[ 1:4000:137]: c0040a5607378001 0 4cc7e210 c0e718 814a hbc & others
[ 1:4100:138]: c0040b9607377001 e02f81800020000 4cc7e1c0 c0e720 8172 punt
[ 1:4200:139]: c0040a5e0734b001 e00bb2000020000 4cc7e170 c0e728 814b punt
[ 1:4300:140]: c0040a660734c001 e02f89000020000 4cc7e120 c0e730 814c punt
[ 1:4400:141]: c0040a7607376001 e00bad800020000 4cc7e0d0 c0e738 814e punt
[ 1:4500:142]: c0040a8607375001 e00bb3800020000 4cc7e080 c0e740 8150 punt
[ 1:4600:143]: c0040b760734d001 e00baf000020000 4cc7e030 c0e780 816e punt
[ 1:4700:144]: c0040b6e07374001 0 4cc7dfe0 c0e788 816d hbc & others
[ 1:4800:145]: c0040a960734e001 0 4cc7df90 c0e7f8 8152 hbc & others
[ 1:4801:146]: c0040aa60734f001 0 4cc7df40 c0e7f0 8154 hbc & others
[ 1:4802:147]: c0040aae07373001 0 4cc7def0 c0e790 8155 hbc & others
[ 1:4803:148]: c0040b5607372001 0 4cc7dea0 c0e798 816a hbc & others
[ 1:4900:149]: c0040b4e07350001 0 4cc7de50 c0e7e8 8169 hbc & others
[ 1:4a00:150]: c0040ac607371001 0 4cc7de00 c0e7a0 8158 hbc & others
[ 1:4a01:151]: c0040b3607370001 0 4cc7ddb0 c0e7e0 8166 hbc & others
[ 1:4a02:152]: c0040b2e07351001 0 4cc7dd60 c0e7d8 8165 hbc & others
[ 1:4a03:153]: c0040ade07352001 0 4cc7dd10 c0e7d0 815b hbc & others
[ 1:4a04:154]: c0040aee0736f001 0 4cc7dcc0 c0e7c8 815d hbc & others
[ 1:4b00:155]: c0040b1e07353001 0 4cc7dc70 c0e7c0 8163 hbc & others
[ 1:4c00:156]: c0040b1607354001 0 4cc7dc20 c0e7a8 8162 hbc & others
[ 1:4d00:157]: c0040afe0736e001 0 4cc85bd0 c0e7b0 815f hbc & others
[ 1:4e00:158]: c0040dfe07355001 0 4cc85b80 c0e7b8 81bf hbc & others
[ 1:4f00:159]: c0040c060736d001 0 4cc85b30 c0e800 8180 hbc & others
[ 1:4f01:160]: c0040dee0736c001 0 4cc85ae0 c0e878 81bd hbc & others
[ 1:4f02:161]: c0040c1e07356001 0 4cc85a90 c0e808 8183 hbc & others
[ 1:4f03:162]: c0040c260736b001 0 4cc85a40 c0e870 8184 hbc & others
[ 1:5000:163]: c0040dd607357001 0 4cc859f0 c0e810 81ba hbc & others
[ 1:5100:164]: c0040dce07358001 0 4cc859a0 c0e818 81b9 hbc & others
[ 1:5200:165]: c0040dc607359001 0 4cc85950 c0e868 81b8 hbc & others
[ 1:5300:166]: c0040c460736a001 0 4cc85900 c0e860 8188 hbc & others
[ 1:5400:167]: c0040c4e0735a001 0 4cc858b0 c0e858 8189 hbc & others
[ 1:5500:168]: c0040db607369001 0 4cc85860 c0e850 81b6 hbc & others
[ 1:5600:169]: c0040c5e0735b001 0 4cc85810 c0e820 818b hbc & others
[ 1:5601:170]: c0040c6607368001 0 4cc857c0 c0e848 818c hbc & others
[ 1:5602:171]: c0040c760735c001 e03003000020000 4cc85770 c0e840 818e punt
[ 1:5603:172]: c0040c860735d001 e03004800020000 4cc85720 c0e828 8190 punt
[ 1:5604:173]: c0040c8e07367001 e0301f800020000 4cc856d0 c0e830 8191 punt
[ 1:5605:174]: c0040d8e0735e001 e03006000020000 4cc85680 c0e838 81b1 punt
[ 1:5700:175]: c0040c9607366001 e03007800020000 4cc85630 c0e880 8192 punt
[ 1:5800:176]: c0040c9e0735f001 0 4cc855e0 c0e888 8193 punt
[ 1:5801:177]: c0040ca607365001 0 4cc85590 c0e890 8194 punt
[ 1:5802:178]: c0040d6e07360001 0 4cc85540 c0e8f8 81ad punt
[ 1:5803:179]: c0040d6607361001 0 4cc854f0 c0e898 81ac punt
[ 1:5804:180]: c0040d5e07362001 0 4cc854a0 c0e8a0 81ab punt
[ 1:5805:181]: c0040d5607364001 0 4cc85450 c0e8f0 81aa punt
[ 1:5806:182]: c0040cce07363001 0 4cc85400 c0e8a8 8199 punt
[ 1:5807:183]: c0040cde07480001 0 4cc853b0 c0e8e8 819b punt
[ 1:5808:184]: c0040ce607481001 0 4cc85360 c0e8e0 819c punt
[ 1:5809:185]: c0040cee07482001 0 4cc85310 c0e8d8 819d punt
[ 1:580a:186]: c0040cf607483001 0 4cc852c0 c0e8b0 819e punt
[ 1:580b:187]: c0040cfe07484001 0 4cc85270 c0e8b8 819f punt
[ 1:580c:188]: c0040d2607485001 0 4cc85220 c0e8d0 81a4 punt
[ 1:5900:189]: c0040d16074bf001 e00bb0800020000 4cc851d0 c0e8c0 81a2 punt
[ 1:5a00:190]: c0040ffe074be001 e00bb5000020000 4cc85180 c0e8c8 81ff punt
[ 1:5b00:191]: c0040e0e07486001 e02f95000020000 4cc85130 c0e9f8 81c1 punt
[ 1:5c00:192]: c0040fee07487001 e02f92000020000 4cc850e0 c0e9f0 81fd punt
[ 1:5d00:193]: c0040fe6074bd001 e02f93800020000 4cc85090 c0e9e8 81fc punt
[ 1:5e00:194]: c0040e26074bc001 0 4cc85040 c0e9e0 81c4 hbc & others
[ 1:5e01:195]: c0040e3607488001 0 4cc84ff0 c0e980 81c6 hbc & others
[ 1:5e02:196]: c0040e46074bb001 e02f8f000020000 4cc84fa0 c0e9d8 81c8 punt
[ 1:5e03:197]: c0040e4e07489001 e03001800020000 4cc84f50 c0e9d0 81c9 punt
[ 1:5f00:198]: c0040fce0748a001 0 4cc84f00 c0e9c8 81f9 hbc & others
[ 1:6000:199]: c0040e5e074ba001 0 4cc84eb0 c0e988 81cb hbc & others

NPC1(currypanman-re0 vty)# show ddos asic punt-proto-maps


PUNT exceptions directly mapped to DDOS proto:
code PUNT name group proto idx q# bwidth burst
---- -------------------- --------- ------ ---- -- ------ ------
1 PUNT_TTL ttl aggregate 3c00 5 2000 10000
3 PUNT_REDIRECT redirect aggregate 3e00 0 2000 10000
5 PUNT_FAB_OUT_PROBE_PKT fab-probe aggregate 5700 0 20000 20000
7 PUNT_MAC_FWD_TYPE_HOST mac-host aggregate 4100 2 20000 20000
8 PUNT_TUNNEL_FRAGMENT tun-frag aggregate 4200 0 2000 10000
11 PUNT_MLP mlp packets 3802 2 2000 10000
12 PUNT_IGMP_SNOOP igmp-snoop aggregate 4300 4 20000 20000
13 PUNT_VC_TTL_ERROR vchassis vc-ttl-err 805 2 4000 10000
14 PUNT_L2PT_ERROR l2pt aggregate 5a00 2 20000 20000
35 PUNT_AUTOSENSE dynvlan aggregate 300 2 1000 500
38 PUNT_SERVICES services aggregate 4400 0 2000 10000
39 PUNT_DEMUXAUTOSENSE demuxauto aggregate 4500 0 2000 10000
40 PUNT_REJECT reject aggregate 4600 6 2000 10000
41 PUNT_SAMPLE_SYSLOG sample syslog 5602 7 1000 1000
42 PUNT_SAMPLE_HOST sample host 5603 7 1000 1000
43 PUNT_SAMPLE_PFE sample pfe 5604 7 1000 1000
44 PUNT_SAMPLE_TAP sample tap 5605 7 1000 1000
45 PUNT_PPPOE_PADI pppoe padi 502 2 500 500
46 PUNT_PPPOE_PADR pppoe padr 504 3 500 500
47 PUNT_PPPOE_PADT pppoe padt 506 3 1000 1000
48 PUNT_PPP_LCP ppp lcp 402 2 12000 12000
49 PUNT_PPP_AUTH ppp auth 403 3 2000 2000
50 PUNT_PPP_IPV4CP ppp ipcp 404 3 2000 2000
51 PUNT_PPP_IPV6CP ppp ipv6cp 405 3 2000 2000
52 PUNT_PPP_MPLSCP ppp mplscp 406 3 2000 2000
53 PUNT_PPP_UNCLASSIFIED_CP ppp unclass 401 2 1000 500
55 PUNT_VC_HI vchassis control-hi 802 3 10000 5000
56 PUNT_VC_LO vchassis control-lo 803 2 8000 3000
57 PUNT_PPP_ISIS ppp isis 407 3 2000 2000
58 PUNT_KEEPALIVE keepalive aggregate 5b00 3 20000 20000
59 PUNT_SEND_TO_HOST_FW_INLINE_SVCS inline-svcs aggregate 5d00 2 20000 20000
60 PUNT_PPP_LCP_ECHO_REQ ppp echo-req 408 2 12000 12000
61 PUNT_INLINE_KA inline-ka aggregate 5c00 3 20000 20000
63 PUNT_PPP_LCP_ECHO_REP ppp echo-rep 409 2 12000 12000
64 PUNT_MLPPP_LCP ppp mlppp-lcp 40a 2 12000 12000
65 PUNT_MLFR_CONTROL frame-relay frf15 5e02 2 12000 12000
66 PUNT_MFR_CONTROL frame-relay frf16 5e03 2 12000 12000
68 PUNT_REJECT_V6 rejectv6 aggregate 5900 6 2000 10000

NPC1(currypanman-re0 vty)#

https://gnats.juniper.net/web/default/942816
This is the DDOS statistics output after the PR942816 fix.
<-- No SCFD

lab@currypanman-re0> show ddos-protection protocols ip-fragments statistics


Packet types: 4, Received traffic: 2, Currently violated: 1

Protocol Group: IP-Fragments

Packet type: aggregate


System-wide information:
Aggregate bandwidth is never violated
Received: 11676370 Arrival rate: 11490 pps
Dropped: 9759087 Max arrival rate: 122585 pps
Routing Engine information:
Aggregate policer is never violated
Received: 953127 Arrival rate: 5603 pps
Dropped: 0 Max arrival rate: 10000 pps
Dropped by individual policers: 0
FPC slot 1 information:
Aggregate policer is never violated
Received: 11676370 Arrival rate: 11490 pps
Dropped: 9759087 Max arrival rate: 122585 pps
Dropped by individual policers: 9759087
Dropped by flow suppression: 0

Packet type: first-fragment


System-wide information:
Bandwidth is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Routing Engine information:
Policer is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Dropped by aggregate policer: 0
FPC slot 1 information:
Policer is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Dropped by aggregate policer: 0
Dropped by flow suppression: 0

Packet type: trail-fragment


System-wide information:
Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2014-02-13 12:22:49 JST
Violation last seen at: 2014-02-13 12:24:29 JST
Duration of violation: 00:01:40 Number of violations: 1
Received: 11676370 Arrival rate: 11490 pps
Dropped: 9759087 Max arrival rate: 122585 pps
Routing Engine information:
Policer is never violated
<-- Packets received by the RE (not counting drops on the host-bound queue and the TTP queue)
Received: 953127 Arrival rate: 5603 pps
Dropped: 0 Max arrival rate: 10000 pps
Dropped by aggregate policer: 0
FPC slot 1 information:
Policer is currently being violated!
Violation first detected at: 2014-02-13 12:22:49 JST
Violation last seen at: 2014-02-13 12:24:29 JST
Duration of violation: 00:01:40 Number of violations: 1
<-- Total received
Received: 11676370 Arrival rate: 11490 pps
<-- Dropped by the trail-fragment policer on the PFE
Dropped: 9759087 Max arrival rate: 122585 pps
Dropped by this policer: 9759087
Dropped by aggregate policer: 0
Dropped by flow suppression: 0
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
Logical-interface 0 0 Active
Physical-interface 0 0 Active

lab@currypanman-re0> show interfaces ge-1/0/0 extensive


Physical interface: ge-1/0/0, Enabled, Physical link is Up
Interface index: 169, SNMP ifIndex: 0, Generation: 172
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback:
Disabled, Source filtering: Disabled,
Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Hold-times : Up 0 ms, Down 0 ms
Current address: 00:24:dc:90:2a:95, Hardware address: 00:24:dc:90:2a:95
Last flapped : 2014-02-13 11:57:08 JST (00:35:49 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes : 11466195340 0 bps
Output bytes : 48 0 bps
Input packets: 11676370 0 pps
Output packets: 1 0 pps

NPC1(currypanman-re0 vty)# show ttp statistics


TTP Statistics:
Receive Transmit
---------- ----------
L2 Packets 0 1
L3 Packets 953127 0
Drops 0 0
Netwk Fail 0 0
Queue Drops 0 0
Unknown 0 0
Coalesce 0 0
Coalesce Fail 0 0

TTP Transmit Statistics:
Queue 0 Queue 1 Queue 2 Queue 3
---------- ---------- ---------- ----------
L2 Packets 1 0 0 0
L3 Packets 0 0 0 0

TTP Receive Statistics:


Control High Medium Low Discard
---------- ---------- ---------- ---------- ----------
L2 Packets 0 0 0 0 0
L3 Packets 0 0 953127 0 0
Drops 0 0 0 0 0
Queue Drops 0 0 0 0 0
Unknown 0 0 0 0 0
Coalesce 0 0 0 0 0
Coalesce Fail 0 0 0 0 0

TTP Receive Queue Sizes:


Control Plane : 0 (max is 4473)
High : 0 (max is 4473)
Medium : 0 (max is 4473)
Low : 0 (max is 2236)

TTP Transmit Queue Size: 0 (max is 6710)

NPC1(currypanman-re0 vty)# show ddos policer stats ip-fragments


DDOS Policer Statistics:

arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
159 4f00 ip-frag aggregate Y UKERN 953127 0 0 0 0
160 4f01 ip-frag unclass.. Y N/A --- --- --- --- ---
161 4f02 ip-frag first-frag Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0
PFE-1 0 0 0 0 0
<-- 964156 is missing.
162 4f03 ip-frag trail-frag Y UKERN 953127 0 0 0 0
PFE-0 1917283 9759087 0 0 0
PFE-1 0 0 0 0 0

NPC1(currypanman-re0 vty)# show ddos policer 0x4f03


Basic Protocol/Policer Info:
Name: IP-Fragments-trail-fragment, Proto: 0x4f03, flags: 0x78, states: 0x20002
Time to recover: 300000, first violated: 1653545, last violated: 1753280
UKERN Info:
configured: rate=20000(pps) burst=20000(pkts)
configured: max-credits=81920000 priority=Lo
actual used: rate=20000.00(pps) (m, n)=(128, 16)
current credits=0
PFE Info:
configured: rate=20000 (pps) burst=20000 (pkts)

SCFD Info:
op-mode=automatic, state=normal, flags=0x1(never timeout, log)
detect-time=3000(ms), recover-time=60000(ms), timeout-time=300000(ms)
aggr-level allowed active force ctrl rate(pps) flow-count
sub yes yes no drop 10 0
ifl yes yes no drop 10 0
ifd yes yes no drop 20000 0
total 3 3 0 --- --- 0
flow drop rate=0, flow drop trend=ff, pol viol trend=0

Packet Statistics:
stats PFE-0 PFE-1 UKERN TOTAL
----------------- --------- --------- --------- ---------
received 11676370 0 953127 11676370
arrived at policer 11676370 0 953127 ---
dropped: indv pol 9759087 0 0 9759087
dropped: aggr pol --- --- 0 0
dropped: indv flow 0 0 --- 0
dropped: aggr flow --- --- --- ---
total dropped 9759087 0 0 9759087
final passed 1917283 0 953127 953127
arrival rate(pps) 0 0 0 0
max arvl rate(pps) 122585 0 9998 122585
pass rate(pps) 0 0 0 0

NPC1(currypanman-re0 vty)# show jnh 0 exceptions hbc policers

Global Policer:
policer_nexthop: 0xC03C15360754B001
policer_result: 0x4CC84D48
dropped packets: 0

Hostbound policer packet drops: 0


Hostbound policer byte drops: 0

Aggregate policer packet drops: 9759086 <-- ***


Aggregate policer byte drops: 9720049656

Aggregate IPv6 policer packet drops: 0


Aggregate IPv6 policer byte drops: 0

NPC1(currypanman-re0 vty)# show mqchip 0 dstat stats 0 1016

QSYS 0 QUEUE 1016 colormap 2 stats index 0:
Counter Packets Pkt Rate Bytes Byte Rate
------------------------ ---------------- ------------ ---------------- ------------
Forwarded (NoRule) 0 0 0 0
Forwarded (Rule) 953127 0 973142667 0
<-- Dropped here
<-- 9887 + 954269 = 964156
Color 0 Dropped (WRED) 9887 0 10094627 0
Color 0 Dropped (TAIL) 954269 0 974308649 0
Color 1 Dropped (WRED) 0 0 0 0
Color 1 Dropped (TAIL) 0 0 0 0
Color 2 Dropped (WRED) 0 0 0 0
Color 2 Dropped (TAIL) 0 0 0 0
Color 3 Dropped (WRED) 0 0 0 0
Color 3 Dropped (TAIL) 0 0 0 0
Dropped (Force) 0 0 0 0
Dropped (Error) 0 0 0 0

Queue inst depth : 0


Queue avg len (taql): 497212

NPC1(currypanman-re0 vty)#

<-- With SCFD

lab@currypanman-re0> show interfaces ge-1/0/0 extensive


Physical interface: ge-1/0/0, Enabled, Physical link is Up
Interface index: 169, SNMP ifIndex: 0, Generation: 199
Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Hold-times : Up 0 ms, Down 0 ms
Current address: 00:24:dc:90:2a:95, Hardware address: 00:24:dc:90:2a:95
Last flapped : 2014-02-13 12:46:16 JST (00:02:38 ago)
Statistics last cleared: Never
Traffic statistics:
Input bytes : 5021080894 0 bps
Output bytes : 0 0 bps
Input packets: 5113117 0 pps
Output packets: 0 0 pps

lab@currypanman-re0> show ddos-protection protocols ip-fragments statistics


Packet types: 4, Received traffic: 2, Currently violated: 1

Protocol Group: IP-Fragments
Packet type: aggregate
System-wide information:
Aggregate bandwidth is never violated
Received: 5113117 Arrival rate: 0 pps
Dropped: 5066511 Max arrival rate: 122657 pps
Routing Engine information:
Aggregate policer is never violated
Received: 17786 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 2397 pps
Dropped by individual policers: 0
FPC slot 1 information:
Aggregate policer is never violated
Received: 5113117 Arrival rate: 0 pps
Dropped: 5066511 Max arrival rate: 122657 pps
Dropped by individual policers: 164873
Dropped by flow suppression: 4901638

Packet type: first-fragment


System-wide information:
Bandwidth is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Routing Engine information:
Policer is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Dropped by aggregate policer: 0
FPC slot 1 information:
Policer is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Dropped by aggregate policer: 0
Dropped by flow suppression: 0

Packet type: trail-fragment


System-wide information:
Bandwidth is being violated!
No. of FPCs currently receiving excess traffic: 1
No. of FPCs that have received excess traffic: 1
Violation first detected at: 2014-02-13 12:48:06 JST
Violation last seen at: 2014-02-13 12:48:51 JST
Duration of violation: 00:00:45 Number of violations: 2
Received: 5113117 Arrival rate: 0 pps
Dropped: 5066511 Max arrival rate: 122657 pps
Flow counts:
Aggregation level Current Total detected
Subscriber 1 1
Total 1 1
Routing Engine information:
Policer is never violated
Received: 17786 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 2397 pps
Dropped by aggregate policer: 0
FPC slot 1 information:
Policer is currently being violated!
Violation first detected at: 2014-02-13 12:48:06 JST
Violation last seen at: 2014-02-13 12:48:51 JST
Duration of violation: 00:00:45 Number of violations: 1
Received: 5113117 Arrival rate: 0 pps
Dropped: 5066511 Max arrival rate: 122657 pps
Dropped by this policer: 164873
Dropped by aggregate policer: 0
Dropped by flow suppression: 4901638
Flow counts:
Aggregation level Current Total detected State
Subscriber 1 1 Active
Total 1 1

lab@currypanman-re0>

NPC1(currypanman-re0 vty)# show ddos policer ip-fragments stats


DDOS Policer Statistics:

arrival pass # of
idx prot group proto on loc pass drop rate rate flows
--- --- ----------- ----------- -- ------ -------- -------- ------ ------ -----
159 4f00 ip-frag aggregate Y UKERN 17786 0 0 0 0
160 4f01 ip-frag unclass.. Y N/A --- --- --- --- ---
161 4f02 ip-frag first-frag Y UKERN 0 0 0 0 0
PFE-0 0 0 0 0 0
PFE-1 0 0 0 0 0
162 4f03 ip-frag trail-frag Y UKERN 17786 0 0 0 1
<-- 5066511 = SCFD + DDOS policer drop
PFE-0 46606 5066511 0 0 1
PFE-1 0 0 0 0 0

NPC1(currypanman-re0 vty)# show ddos policer 0x4f03


Basic Protocol/Policer Info:
Name: IP-Fragments-trail-fragment, Proto: 0x4f03, flags: 0x78, states: 0x2000e
Time to recover: 300000, first violated: 222210, last violated: 267820
UKERN Info:
configured: rate=20000(pps) burst=20000(pkts)
configured: max-credits=81920000 priority=Lo
actual used: rate=20000.00(pps) (m, n)=(128, 16)
current credits=0
PFE Info:
configured: rate=20000 (pps) burst=20000 (pkts)
SCFD Info:
op-mode=automatic, state=detect, flags=0x1(never timeout, log)
detect-time=3000(ms), recover-time=60000(ms), timeout-time=300000(ms)
aggr-level allowed active force ctrl rate(pps) flow-count
sub yes yes no drop 10 1
ifl yes no no drop 10 0
ifd yes no no drop 20000 0
total 3 1 0 --- --- 1
flow drop rate=0, flow drop trend=ff, pol viol trend=0

Packet Statistics:
stats PFE-0 PFE-1 UKERN TOTAL
----------------- --------- --------- --------- ---------
<-- pkt can reach ukern = 46606 - 28820 = 17786
received 5113117 0 17786 5113117
<-- After SCFD
arrived at policer 211479 0 17786 ---
<-- 211479 - 164873 = 46606 = final pass up to ukern
dropped: indv pol 164873 0 0 164873
dropped: aggr pol --- --- 0 0
<-- 5113117 - 4901638 = 211479 = pkt sent to DDOS policer term
dropped: indv flow 4901638 0 --- 4901638
dropped: aggr flow --- --- --- ---
total dropped 5066511 0 0 5066511
final passed 46606 0 17786 17786
arrival rate(pps) 0 0 0 0
max arvl rate(pps) 122657 0 2159 122657
pass rate(pps) 0 0 0 0

NPC1(currypanman-re0 vty)# show mqchip 0 dstat stats 0 1016

QSYS 0 QUEUE 1016 colormap 2 stats index 0:

Counter Packets Pkt Rate Bytes Byte Rate


------------------------ ---------------- ------------ ---------------- ------------
Forwarded (NoRule) 0 0 0 0
Forwarded (Rule) 17786 0 18159506 0
<-- total queue drop = 8867 + 19953 = 28820
Color 0 Dropped (WRED) 8867 0 9053207 0
Color 0 Dropped (TAIL) 19953 0 20372013 0
Color 1 Dropped (WRED) 0 0 0 0
Color 1 Dropped (TAIL) 0 0 0 0
Color 2 Dropped (WRED) 0 0 0 0
Color 2 Dropped (TAIL) 0 0 0 0
Color 3 Dropped (WRED) 0 0 0 0
Color 3 Dropped (TAIL) 0 0 0 0
Dropped (Force) 0 0 0 0
Dropped (Error) 0 0 0 0
Queue inst depth : 0
Queue avg len (taql): 499856

NPC1(currypanman-re0 vty)# show ttp statistics


TTP Statistics:
Receive Transmit
---------- ----------
L2 Packets 0 0
L3 Packets 17786 0
Drops 0 0
Netwk Fail 0 0
Queue Drops 0 0
Unknown 0 0
Coalesce 0 0
Coalesce Fail 0 0

TTP Transmit Statistics:


Queue 0 Queue 1 Queue 2 Queue 3
---------- ---------- ---------- ----------
L2 Packets 0 0 0 0
L3 Packets 0 0 0 0

TTP Receive Statistics:


Control High Medium Low Discard
---------- ---------- ---------- ---------- ----------
L2 Packets 0 0 0 0 0
L3 Packets 0 0 17786 0 0
Drops 0 0 0 0 0
Queue Drops 0 0 0 0 0
Unknown 0 0 0 0 0
Coalesce 0 0 0 0 0
Coalesce Fail 0 0 0 0 0

TTP Receive Queue Sizes:


Control Plane : 0 (max is 4473)
High : 0 (max is 4473)
Medium : 0 (max is 4473)
Low : 0 (max is 2236)

TTP Transmit Queue Size: 0 (max is 6710)

NPC1(currypanman-re0 vty)# show jnh 0 exceptions hbc policers

Global Policer:
policer_nexthop: 0xC03C15360754B001
policer_result: 0x4CC84D48
dropped packets: 0

Hostbound policer packet drops: 0
Hostbound policer byte drops: 0

Aggregate policer packet drops: 164872 <-- ***


Aggregate policer byte drops: 164212512

Aggregate IPv6 policer packet drops: 0


Aggregate IPv6 policer byte drops: 0

NPC1(currypanman-re0 vty)#

The aggregate policer packet drop counter is always 1 less than the actual drop in the above test. That's because one drop is counted as a violation. When a policer is in normal mode (not yet detecting flows) and a violation is detected (i.e. we are about to drop), the drop is converted into a violation report and sent to ukern. This drop is counted at the violating policer but not at the global counter. These violation reports are never dropped and are not processed as the original exception; they are only used as an indication of a policer violation. This was introduced in 12.3 with SCFD. Also, we could keep sending these violation reports until the host acks receiving them or switches to flow detection. Apparently, in your test case, the first violation got acked right away and you only lost one packet. The ack feature was just introduced in this PR fix. We used to keep sending violation reports if we were not doing SCFD.

NPC1(abc vty)# sh jnh 1 exceptions terse

Reason Type Packets Bytes

==================================================================

Packet Exceptions

----------------------

DDOS policer violation notifs PUNT(15) 1 4224
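The hand arithmetic in the annotations of the SCFD test above (received = packets after SCFD + flow-suppression drops, final passed on the PFE = packets reaching ukern + host-bound queue drops) and the off-by-one between the hbc aggregate policer counter and the individual policer drop explained in the previous paragraph can be checked mechanically. The script below is an added example, not code from this document or from any Juniper tool: it parses text in the shape of the vty outputs shown above (the Packet Statistics table of `show ddos policer`, the queue counters of `show mqchip ... dstat stats`, the `show jnh ... exceptions hbc policers` summary and `show jnh ... exceptions terse`) and verifies the accounting identities. The embedded sample text is constructed from the SCFD test figures on this page; the row and counter names are assumed to match the format shown, and the one violation notification is assumed to be the single packet the paragraph says was lost.

```python
"""Reconcile Trio DDoS policer counters across PFE, host-bound queue and ukern.

Added example, not code from this document or from Juniper: it parses text in
the shape of the vty outputs shown above and checks the identities that the
annotations work out by hand.
"""
import re

# Row of the "Packet Statistics" table: a name, then four cells (integer or ---).
STATS_ROW = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z :()]*?)\s+"
    r"(?P<vals>(?:(?:---|\d+)\s+){3}(?:---|\d+))\s*$")
STATS_COLUMNS = ("PFE-0", "PFE-1", "UKERN", "TOTAL")
# Row of the queue counter table: a name ending in ')' followed by four integers.
QUEUE_ROW = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z0-9 ()]*?\))\s+(?P<pkts>\d+)(?:\s+\d+){3}\s*$")


def parse_packet_stats(text):
    """Return {row name: {column: int or None}}; '---' (not applicable) becomes None."""
    table = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if m:
            cells = [None if t == "---" else int(t) for t in m.group("vals").split()]
            table[m.group("name").strip()] = dict(zip(STATS_COLUMNS, cells))
    return table


def parse_queue_drops(text):
    """Sum every 'Dropped (...)' packet counter (WRED, TAIL, Force, Error) of one queue."""
    return sum(int(m.group("pkts"))
               for m in map(QUEUE_ROW.match, text.splitlines())
               if m and "Dropped" in m.group("name"))


def parse_hbc_aggregate_drops(text):
    m = re.search(r"Aggregate policer packet drops:\s+(\d+)", text)
    return int(m.group(1)) if m else 0


def parse_violation_notifs(text):
    m = re.search(r"DDOS policer violation notifs\s+PUNT\(\d+\)\s+(\d+)", text)
    return int(m.group(1)) if m else 0


def reconcile(policer_text, queue_text, hbc_text, exceptions_text, pfe="PFE-0"):
    """Return [(check, left, right), ...]; a check balances when left == right."""
    stats = parse_packet_stats(policer_text)

    def col(row):            # a '---' cell counts as 0 for the PFE column
        return stats[row][pfe] or 0

    queue_drops = parse_queue_drops(queue_text)
    hbc_drops = parse_hbc_aggregate_drops(hbc_text)
    notifs = parse_violation_notifs(exceptions_text)
    return [
        ("received = arrived at policer + SCFD flow drops",
         col("received"), col("arrived at policer") + col("dropped: indv flow")),
        ("arrived at policer = individual policer drops + final passed",
         col("arrived at policer"), col("dropped: indv pol") + col("final passed")),
        ("total dropped = individual policer drops + SCFD flow drops",
         col("total dropped"), col("dropped: indv pol") + col("dropped: indv flow")),
        ("final passed on PFE = received by ukern + host-bound queue drops",
         col("final passed"), stats["received"]["UKERN"] + queue_drops),
        ("individual policer drops = hbc aggregate counter + violation notifs",
         col("dropped: indv pol"), hbc_drops + notifs),
    ]


def unbalanced(results):
    """The checks that do not add up; an empty list means the counters reconcile."""
    return [r for r in results if r[1] != r[2]]


# Constructed sample text, shaped like the SCFD test output on this page.
POLICER_SAMPLE = """\
Packet Statistics:
  stats               PFE-0     PFE-1     UKERN     TOTAL
  ----------------- --------- --------- --------- ---------
  received          5113117         0     17786   5113117
  arrived at policer 211479         0     17786       ---
  dropped: indv pol  164873         0         0    164873
  dropped: aggr pol     ---       ---         0         0
  dropped: indv flow 4901638        0       ---   4901638
  dropped: aggr flow    ---       ---       ---       ---
  total dropped     5066511         0         0   5066511
  final passed        46606         0     17786     17786
  max arvl rate(pps) 122657         0      2159    122657
"""
QUEUE_SAMPLE = """\
QSYS 0 QUEUE 1016 colormap 2 stats index 0:
Counter                  Packets   Pkt Rate  Bytes      Byte Rate
Forwarded (Rule)         17786     0         18159506   0
Color 0 Dropped (WRED)   8867      0         9053207    0
Color 0 Dropped (TAIL)   19953     0         20372013   0
Color 1 Dropped (WRED)   0         0         0          0
Dropped (Force)          0         0         0          0
Dropped (Error)          0         0         0          0
Queue inst depth : 0
"""
HBC_SAMPLE = "Aggregate policer packet drops: 164872\nAggregate policer byte drops: 164212512\n"
EXCEPTIONS_SAMPLE = "DDOS policer violation notifs    PUNT(15)    1    4224\n"

if __name__ == "__main__":
    for check, left, right in reconcile(POLICER_SAMPLE, QUEUE_SAMPLE, HBC_SAMPLE, EXCEPTIONS_SAMPLE):
        print(f"{'OK ' if left == right else 'BAD'} {check}: {left} vs {right}")
```

Run against the figures of either test on this page, all five checks balance; the last one only balances once the violation notification from `show jnh ... exceptions terse` is added back to the hbc aggregate counter, which is exactly the 1-packet gap described above. A check that does not balance points at the stage where packets are unaccounted for: the fourth check failing with a surplus on the PFE side means drops on the host-bound queue (the `964156 is missing` situation in the first test), while the fifth failing by more than the notification count means the attribution to the individual policer should be questioned.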
Changes
18-Nov-2013 (Rev 0) Initial Draft

13-Feb-2014 (Rev 1) Add changes under PR942816 and PR924807

26-Mar-2014 (Rev 2) Add MLP exception