Just noticed this today:

chr...@vmx1.mel-lab1> monitor traffic interface xe-0/0/0 no-resolve size 1500 matching "not port 22"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0, capture size 1500 bytes
01:50:20.710920 In IP 207.174.181.174.47550 > 43.247.124.125.111: UDP, length 40
01:50:20.711049 Out IP 43.247.124.125.111 > 207.174.181.174.47550: UDP, length 368
01:50:20.711454 In IP 207.174.181.174.55654 > 43.247.124.125.111: UDP, length 40
01:50:20.711506 Out IP 43.247.124.125.111 > 207.174.181.174.55654: UDP, length 368
01:50:20.721262 In IP 207.174.181.174.22724 > 43.247.124.125.111: UDP, length 40
01:50:20.721307 Out IP 43.247.124.125.111 > 207.174.181.174.22724: UDP, length 368
01:50:20.727638 In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:20.727680 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368
01:50:20.762255 In IP 207.174.181.173.10131 > 43.247.124.125.111: UDP, length 40
01:50:20.762393 Out IP 43.247.124.125.111 > 207.174.181.173.10131: UDP, length 368
01:50:20.777967 In IP 207.174.181.173.17923 > 43.247.124.125.111: UDP, length 40
01:50:20.778010 Out IP 43.247.124.125.111 > 207.174.181.173.17923: UDP, length 368
01:50:20.793727 In IP 207.174.181.173.15406 > 43.247.124.125.111: UDP, length 40
01:50:20.793807 Out IP 43.247.124.125.111 > 207.174.181.173.15406: UDP, length 368
01:50:20.849286 In IP 207.174.181.173.65209 > 43.247.124.125.111: UDP, length 40
01:50:20.849360 Out IP 43.247.124.125.111 > 207.174.181.173.65209: UDP, length 368
01:50:21.073702 In IP 207.174.181.174.22724 > 43.247.124.125.111: UDP, length 40
01:50:21.073843 Out IP 43.247.124.125.111 > 207.174.181.174.22724: UDP, length 368
01:50:21.214115 In IP 207.174.181.173.58698 > 43.247.124.125.111: UDP, length 40
01:50:21.214229 Out IP 43.247.124.125.111 > 207.174.181.173.58698: UDP, length 368

Seems JunOS is listening on port 111 and returning some big bytes (i.e. in 40 bytes, out 368 bytes), or a 9.2X amplification UDP reflection. This is on vMX .. dunno if hardware MX does the same thing, but likely.
I added this into our loopback lo0.0 filter (as we do deny-then-accept-all-else -- I should really re-write this as accept-and-deny-all-else logic, which would've stopped it in its tracks...).

+ term block-udp-111 {
+     from {
+         protocol udp;
+         destination-port 111;
+     }
+     then {
+         discard;
+     }
+ }

Just a heads up; I'm probably not the first person to see this -- and if you've seen it before, apologies for the noise...

- CK.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
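A defender-side check for the pattern in the post above, added here as an example (not code from the post or from Juniper): it parses lines in the same format as the `monitor traffic ... no-resolve` output, sums inbound versus outbound UDP bytes per remote host and router-side port, and flags flows whose reply-to-request byte ratio looks like reflection. The sample lines, the RFC 5737 addresses and the 5x threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Junos "monitor traffic ... no-resolve"
# output (RFC 5737 addresses; not the capture from the original post).
SAMPLE = """\
Listening on ge-0/0/0, capture size 1500 bytes
01:50:20.710920 In IP 203.0.113.10.47550 > 198.51.100.5.111: UDP, length 40
01:50:20.711049 Out IP 198.51.100.5.111 > 203.0.113.10.47550: UDP, length 368
01:50:20.711454 In IP 203.0.113.10.55654 > 198.51.100.5.111: UDP, length 40
01:50:20.711506 Out IP 198.51.100.5.111 > 203.0.113.10.55654: UDP, length 368
01:50:21.000000 In IP 203.0.113.12.40000 > 198.51.100.5.53: UDP, length 60
01:50:21.000100 Out IP 198.51.100.5.53 > 203.0.113.12.40000: UDP, length 90
"""

LINE_RE = re.compile(
    r"^\S+ (In|Out) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)$"
)


def parse_line(line):
    """Return (direction, remote_ip, router_port, length), or None for non-UDP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    direction, src, sport, dst, dport, length = m.groups()
    # Inbound: router-side port is the destination; outbound reply: it is the source.
    if direction == "In":
        return direction, src, int(dport), int(length)
    return direction, dst, int(sport), int(length)


def byte_counts(text):
    """Sum inbound and outbound UDP bytes per (remote_ip, router_port)."""
    counts = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction, remote, port, length = rec
        counts[(remote, port)][0 if direction == "In" else 1] += length
    return {k: tuple(v) for k, v in counts.items()}


def reflection_suspects(text, min_ratio=5.0):
    """Flows where the router sends back at least min_ratio times the bytes it received."""
    out = []
    for (remote, port), (b_in, b_out) in byte_counts(text).items():
        if b_in and b_out / b_in >= min_ratio:
            out.append((remote, port, round(b_out / b_in, 2)))
    return sorted(out)
```

Run against the sample it reports the port-111 flow at 9.2x and leaves the port-53 flow alone; pointing it at a saved `monitor traffic` session gives a quick per-source view of which listeners on the router are worth a lo0 filter term.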