1) check filter pointer for later use (to verify we're getting sane pointer)

    NPC0(mx960-re0 vty)# show filter
    46137345 Classic HOSTBOUND_IPv4_FILTER

    NPC0(mx960-re0 vty)# show filter index 46137345 jnh
    JNH_FW_START: opcode = 0x0000000c desc_ptr = 0x00008095 base_ptr = 0x000e818c

2) figure out punt path nexthops

    NPC0(mx960-re0 vty)# show jnh 0 exceptions terse
    host route PUNT(32) 37832 7533660

    NPC0(mx960-re0 vty)# show jnh 0 exceptions nh 32 punt
    0xd021a1 0 : 0x2ffffffe8711b200
    0xd021a2 1 : 0x127fffffe00003f8
    0xd021a3 2 : 0x0200681098800a04

3) first one is just counter, sees all hitting punt adjacency, unpoliced by ddos, ie 10Mpps if you're getting 10Mpps DDoS (assuming not dropped earlier by lo0 etc)

    NPC0(mx960-re0 vty)# show jnh 0 decode 0x2ffffffe8711b200
    CounterNH: Absolute Caddr = 0xd0e236, nextNH = 0xffffff, prMask = 0x0, Act = 0x0, Index = 0

    NPC0(mx960-re0 vty)# show jnh 0 caddr 0xd0e236
    Packets / Bytes 0x00000000000094f4/0x00000000007371cb

4) second one is queue, likely does not mean policing, but unsure of its purpose

    NPC0(mx960-re0 vty)# show jnh 0 decode 0x127fffffe00003f8
    ModifyNH: Subcode=SetQueue(9),Desc=0xffffff,Data=0x3f8,NextNH=1

When I start DDoS I can briefly see changes here:

    NPC0(mx960-re0 vty)# show mqchip 0 sched 0 q 0x3f8
    excess credits added: 0
    excess credits : 4194205

    NPC0(mx960-re0 vty)# show mqchip 0 sched 0 q 0x3f8
    excess credits added: 1
    excess credits : 0

But unsure if it actually is relevant, seems consistent though.

5) third one is kinda interesting

    NPC0(mx960-re0 vty)# show jnh 0 decode 0x0200681098800a04
    IndexNH:key_ptr:0x80/0, desc_ptr=0xd02131, max=10, nbits=4

    NPC0(mx960-re0 vty)# show jnh 0 vread 0xd02131 3
    Addr:0xd02131, Data = 0x27fffff80000000c
    Addr:0xd02132, Data = 0x02026810a2001004
    Addr:0xd02133, Data = 0x600404a8000e818c

    NPC0(mx960-re0 vty)# show jnh 0 decode 0x600404a8000e818c
    JNH_FW_START: opcode = 0x0000000c desc_ptr = 0x00008095 base_ptr = 0x000e818c

I have to assume 'max=10' means this pointer and up to 9 others (if no termination/match). If that assumption is correct, then the 3rd match seems to point to the DDOS firewall filter.

You can also find DDoS policers (and LO0 filters before them) by looking at punt ifl OIF result in jnh. It'll give you something like this:

(show ifl brief (get punt.0), show jnh if , show jnh 0 decode , we can check 'show route route hw 0 2 ', to ensure that we are heading towards punt ifl. The HW walk is rather depressing, as it increments desc_ptr 0, 1 or more between 'hops', and no clue which one)

    CallNH:desc_ptr:0xfc646, mode=0, rst_stk=0x0, count=0x4
     0x0fc641 0 : 0x2ffffffc000e2200
        counter
     0x0fc642 1 : 0x087416a000010000
        enumcheckhw
        bitopnh
        lo0 ipv4
        lo0 ipv6
        jnh_call_return
     0x0fc643 2 : 0x020007e316800804
        (Q:0x3f8, OIF:131080 .punt.0, mtu:4000)
     0x0fc644 3 : 0x02086810e000ff08
        (0xd021c0 x 255) _255 desc pointers!_
        long bastard, counters, policers, setbitop, etc etc
        *BUT* also HOSTBOUND_IPv4_FILTER / HOSTBOUND_IPv6_FILTER (like 33rd desc_pointer)
        huge chore to parse completely as it branches so much
        likely source to post ddos policing? Or could it be done after 'host'?
     0x0fc645 4 : 0x27fffff800000002
        UcodeNH:Host

TODO:

1) What is 'key_ptr:0x80/0', what is 'nbits=4'?

2) 0xd02131 leads to 'UcodeNH:Indirect, Next = 0xffffff'. What is 0xffffff, I see it very often? Maybe NOOP?

3) 0xd02132 leads to a triplet of nexthops, 0xd02132 eg:

    1) PolicerISSU_NH: Absolute Caddr = 0xd0e27e, nextNH = 0x804d, , type:0, color=0, op=0 use_layer3_len = 0x1, num_nh = 0x0
    2) ModifyNH: Subcode=SetQueue(9),Desc=0xffffff,Data=0x3fb,NextNH=1
    3) BitOpNH:desc_ptr=0xffffff, key=0xbc/0, op=0, data=11264, nbits=16

4) How to resolve BitOpNH? How can I generally determine from above what packets it polices and how much? How to see current offered rate?

5) How can I see policer rates, while just walking jnh vread/decode? Key point in locating post ddos policer, as I can find a lot in path, but can't see what they do.

6) DDOS/HOSTBOUND_IPv4_FILTER filter works in pps, but we see the filter programmed as bps, is this a UI problem? How can we determine via vread/decode pps rates?

7) How to determine what happens next, after we've parsed the FW, there is just NOOP (assuming 0xffffff is NOOP) so we're going back to some 'well-known' process of punting? How to look into it?
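
The CounterNH in step 3 counts everything that reaches the punt adjacency before any DDoS policing, so two captures of 'show jnh 0 caddr' taken a known interval apart give the unpoliced offered rate. The following is an added example, not part of the original notes: the first capture is the output from step 3, the second capture and the 10 second interval are constructed, and the 64-bit counter width is an assumption based on the 16 hex digits printed.

```python
import re

# Matches the counter pair printed by 'show jnh 0 caddr <addr>' in step 3:
#   Packets / Bytes 0x00000000000094f4/0x00000000007371cb
COUNTER_RE = re.compile(
    r"Packets\s*/\s*Bytes\s+0x([0-9a-fA-F]+)\s*/\s*0x([0-9a-fA-F]+)")

WRAP = 1 << 64  # assumption: 64-bit counters (16 hex digits in the output)


def parse_caddr(text):
    """Return (packets, bytes) as integers from one caddr capture."""
    m = COUNTER_RE.search(text)
    if m is None:
        raise ValueError("no 'Packets / Bytes' counter pair found")
    return int(m.group(1), 16), int(m.group(2), 16)


def punt_rate(sample_a, sample_b, seconds):
    """Offered rate at the punt counter between two captures."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    p0, b0 = parse_caddr(sample_a)
    p1, b1 = parse_caddr(sample_b)
    dp = (p1 - p0) % WRAP  # modulo absorbs a single counter wrap
    db = (b1 - b0) % WRAP
    return {
        "pps": dp / seconds,
        "bps": db * 8 / seconds,
        "avg_pkt_bytes": db / dp if dp else 0.0,
    }


# T0 is the capture from step 3; T1 is constructed for illustration.
T0 = "Packets / Bytes 0x00000000000094f4/0x00000000007371cb"
T1 = "Packets / Bytes 0x0000000000992b74/0x00000000269911cb"

if __name__ == "__main__":
    print("T0 counters:", parse_caddr(T0))
    print("rate over 10s:", punt_rate(T0, T1, 10))
```

Comparing this rate with what the host actually receives shows how much is dropped between the punt counter and the RE, which narrows down where the later policers sit.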