These alerts are triggered by traffic with a destination of the Junos device itself. So the investigation would be for traffic with the ip addresses assigned to the various QFX interfaces.
This kb gives some commands to check the source of the issue.
https://supportportal.juniper.net/s/article/MX-Syslog-message-DDOS-PROTOCOL-VIOLATION-SET-Warning-Host-bound-traffic-for-protocol-exception-Sample-aggregate-exceeded-its-allowed-bandwidth?language=en_US
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home------------------------------
Original Message:
Sent: 05-02-2025 10:58
From: Anonymous
Subject: DDOS_PROTOCOL_VIOLATION_SET:
This message was posted by a user wishing to remain anonymous
Hi
From the logs of a qfx5120 with version 23.2R2.21 I see this error that repeats continuously.
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0
I can't figure out what traffic is creating the error, or what interface I'm receiving the attack from.
I tried to do some dumps but nothing, do you have any advice to figure out where I'm receiving the attack from?
I tried the various show ddos-protection commands but I only see the statistics, but I don't see any information about the flow