No, it is just valid syn packets. A lot of them.

On Dec 29, 2012 12:23 PM, "Jared Mauch" <ja...@puck.nether.net> wrote:
> Was it all ttl expired traffic?
>
> Jared Mauch
>
> On Dec 29, 2012, at 3:18 PM, 叶雨飞 <sunyuc...@gmail.com> wrote:
>
> > Hi,
> >
> > I was woken up this morning to deal with a DDOS syn-flood situation, pps
> > ~15k/s.
> >
> > Here's monitor interface traffic:
> >
> > Interface    Link  Input packets  (pps)      Output packets  (pps)
> > ge-0/0/0     Up    11772104571    (24744)    11662868938     (161012)
> > ge-0/0/3     Up    3405764281     (148559)   6036903599      (12097)
> >
> > traffic is routed from ge-0/0/3 to ge-0/0/0. ge-0/0/3 is 100M link,
> > which is not being used in full, ge-0/0/0 is 1G link:
> >
> > Interface    Link  Input bytes    (bps)        Output bytes    (bps)
> > ge-0/0/0     Up    5190252823607  (65535424)   5285424390651   (94655872)
> > ge-0/0/3     Up    1710426561796  (52511712)   2822734491891   (30575112)
> >
> > However, other packet is being dropped almost 100% on ge-0/0/3 link,
> > which I am trying to figure out why. Link is not full, so it is not
> > dropped by upstream.
> >
> > CPU is not full
> >
> >> show chassis routing-engine
> > CPU utilization:
> >   User                       1 percent
> >   Real-time threads         67 percent
> >   Kernel                     0 percent
> >   Idle                      32 percent
> >
> > Dropped counter is all 0 in
> >> show interface queue ge-0/0/3
> >
> > I don't have any QOS configured, so it's all best-effort traffic.
> >
> > What else may be the reason? I am currently blaming J2350 for dropping
> > legitimate traffic under stress (due to observation of downstream all
> > works fine) but I can't find any evidence of it.
> >
> > Your help is much appreciated.
> >
> > Thanks.
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp