I have it working perfectly and also for any type of attack too..... For other people looking for an answer, I thought I would post it here:
First up, I set the drop-profile.... this is required for RED and for class-of-service, a must:
set class-of-service drop-profiles low-drop fill-level 95 drop-probability 0
set class-of-service drop-profiles low-drop fill-level 100 drop-probability 100
set class-of-service drop-profiles med-drop fill-level 75 drop-probability 0
set class-of-service drop-profiles med-drop fill-level 95 drop-probability 30
set class-of-service drop-profiles high-drop fill-level 50 drop-probability 0
set class-of-service drop-profiles high-drop fill-level 95 drop-probability 50
Next up, we need to configure the schedulers themselves (Just read up on what the schedulers do) - Make sure you set the transmit-rates and buffer sizes to what you require. The small size and temporal count on one of the schedulers is for traffic that is unwanted.
set class-of-service schedulers be transmit-rate percent 65
set class-of-service schedulers be buffer-size percent 65
set class-of-service schedulers be priority medium-low
set class-of-service schedulers be drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers be drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers be drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers be drop-profile-map loss-priority low protocol any drop-profile low-drop
set class-of-service schedulers nc transmit-rate percent 5
set class-of-service schedulers nc buffer-size percent 5
set class-of-service schedulers nc priority medium-high
set class-of-service schedulers nc drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers nc drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers nc drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers nc drop-profile-map loss-priority low protocol any drop-profile low-drop
set class-of-service schedulers ef transmit-rate 5k
set class-of-service schedulers ef transmit-rate exact
set class-of-service schedulers ef buffer-size temporal 1
set class-of-service schedulers ef priority low
set class-of-service schedulers ef drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers ef drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers ef drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers ef drop-profile-map loss-priority low protocol any drop-profile low-drop
set class-of-service schedulers sv transmit-rate percent 30
set class-of-service schedulers sv buffer-size percent 30
set class-of-service schedulers sv priority high
set class-of-service schedulers sv drop-profile-map loss-priority high protocol any drop-profile high-drop
set class-of-service schedulers sv drop-profile-map loss-priority medium-high protocol any drop-profile med-drop
set class-of-service schedulers sv drop-profile-map loss-priority medium-low protocol any drop-profile med-drop
set class-of-service schedulers sv drop-profile-map loss-priority low protocol any drop-profile low-drop
Now we can set up the scheduler-maps (These maps reference the schedulers and the schedulers reference the drop-profiles):
set class-of-service scheduler-maps normal forwarding-class best-effort scheduler be
set class-of-service scheduler-maps normal forwarding-class expedited-forwarding scheduler ef
set class-of-service scheduler-maps normal forwarding-class SIP-VOICE scheduler sv
set class-of-service scheduler-maps normal forwarding-class network-control scheduler nc
Now we actually need to assign this to an interface.... as this is a scheduler and scheduler-maps, they are assigned to the egress interface. We don't assign to an interface as such, but more we set the interface inside the class-of-service and assign the scheduler map as follows:
set class-of-service interfaces xe-1/2/5 scheduler-map normal
Okay, so you now have your exit schedulers configured and ready to go, but we have yet to assign any classifiers on the ingress interface to place into the queues. Here's how I did this (as there are two ways of doing this) - Mine is configured for voice traffic and then everything else:
set firewall filter cos term 1 from dscp 46
set firewall filter cos term 1 from dscp 26
set firewall filter cos term 1 then forwarding-class SIP-VOICE
set firewall filter cos term 1 then accept
set firewall filter cos term 2 then forwarding-class best-effort
set firewall filter cos term 2 then accept
The 46 and 26 mentioned above are dscp code-points for SIP and RTP.... you can also view the binary for this when viewing class-of-service interface (interface name) comprehensive.
The tricky part was always going to be "How are we going to know if we are being attacked, as the traffic is unlikely to be known"? Well, there is no easy way as I found. MX have built-in default DDoS protection anyway, so I decided to rely on source and a manual input resolution as follows:
set firewall filter cos term 3 from source-address (attacking source or subnet)
set firewall filter cos term 3 then forwarding-class DDoS
set firewall filter cos term 3 then accept
I didn't want to deny it here as I want to view some of the packets, but I've sent them to a queue that is only 3k in bandwidth....
Hope this helps...
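
An offline lint for a configuration like the one in the post above, added here as an example and not part of the original post. It checks that every forwarding class a filter term assigns has a scheduler in the named scheduler-map, and that no term sits behind an earlier term that has no `from` match; the function name `lint` and the 192.0.2.0/24 source prefix are assumptions made for the example.

```python
import re

# Constructed sample: a subset of the set commands from the post above.
# 192.0.2.0/24 is a documentation prefix standing in for the elided source.
SAMPLE = """\
set class-of-service scheduler-maps normal forwarding-class best-effort scheduler be
set class-of-service scheduler-maps normal forwarding-class expedited-forwarding scheduler ef
set class-of-service scheduler-maps normal forwarding-class SIP-VOICE scheduler sv
set class-of-service scheduler-maps normal forwarding-class network-control scheduler nc
set firewall filter cos term 1 from dscp 46
set firewall filter cos term 1 then forwarding-class SIP-VOICE
set firewall filter cos term 1 then accept
set firewall filter cos term 2 then forwarding-class best-effort
set firewall filter cos term 2 then accept
set firewall filter cos term 3 from source-address 192.0.2.0/24
set firewall filter cos term 3 then forwarding-class DDoS
set firewall filter cos term 3 then accept
"""

MAP_RE = re.compile(r"^set class-of-service scheduler-maps (\S+) forwarding-class (\S+) scheduler (\S+)$")
TERM_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")
TERMINATING = {"accept", "discard", "reject"}  # actions that end filter evaluation

def lint(config, filter_name, map_name):
    """Return a list of findings for one firewall filter / scheduler-map pair."""
    mapped = set()  # forwarding classes that have a scheduler in map_name
    terms = {}      # term name -> {"from": [...], "then": [...]}, in creation order
    for line in map(str.strip, config.splitlines()):
        m = MAP_RE.match(line)
        if m and m.group(1) == map_name:
            mapped.add(m.group(2))
        t = TERM_RE.match(line)
        if t and t.group(1) == filter_name:
            terms.setdefault(t.group(2), {"from": [], "then": []})[t.group(3)].append(t.group(4))
    findings, catch_all = [], None
    for name, body in terms.items():
        if catch_all is not None:
            findings.append(f"term {name} is unreachable: term {catch_all} matches all packets first")
        for action in body["then"]:
            if action.startswith("forwarding-class "):
                fc = action.split()[1]
                if fc not in mapped:
                    findings.append(f"term {name}: forwarding-class {fc} has no scheduler in map {map_name}")
        # Conservative: only a term with no match conditions and an explicit terminating action
        if catch_all is None and not body["from"] and TERMINATING & {a.split()[0] for a in body["then"]}:
            catch_all = name
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, "cos", "normal")))
```

Terms created with `set` are appended in creation order; on Junos a later term can be moved ahead of a catch-all with `insert firewall filter cos term 3 before term 2`.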