Ethernet Switching

DDOS_PROTOCOL_VIOLATION

a month ago

Hi all,

The following log messages occur a lot.....DDOS_PROTOCOL_VIOLATION_SET  and then DDOS_PROTOCOL_VIOLATION_CLEAR....

What is the "Host-bound traffic" in the following log messages? What kind of protocol is it used for? I couldn't determine this from >show ddos-protection protocols parameters brief, and there is no violation alert, but it is happening a lot... Any idea on how to respond?

>show configuration | display set | match ddos ------ There is no ddos configuration on the device

 

EX9200> sh log messages
jddosd[17483]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception exceptions:mtu-exceeded has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 30849 times, from 2019-03-01 02:46:35 AEST to 2019-08-06 06:18:55 AEST

....

----

EX9200> show ddos-protection protocols parameters brief
Packet types: 216, Modified: 0
* = User configured value

Protocol group  Packet type  Bandwidth (pps)  Burst (pkts)  Priority  Recover time (sec)  Policer enabled  Bypass aggr.  FPC mod
resolve aggregate 5000 10000 -- 300 yes -- no
resolve other 2000 2000 Low 300 yes no no
resolve ucast-v4 3000 5000 Low 300 yes no no
resolve mcast-v4 3000 5000 Low 300 yes no no
resolve ucast-v6 3000 5000 Low 300 yes no no
resolve mcast-v6 3000 5000 Low 300 yes no no
filter-act aggregate 5000 10000 -- 300 yes -- no
filter-act other 2000 5000 Low 300 yes no no
filter-act filter-v4 2000 5000 Low 300 yes no no
filter-act filter-v6 2000 5000 Low 300 yes no no
dynvlan aggregate 1000 500 -- 300 yes -- no
ppp aggregate 16000 16000 -- 300 yes -- no
ppp unclass 1000 500 Low 300 yes no no
ppp lcp 12000 12000 Medium 300 yes no no
ppp auth 2000 2000 Medium 300 yes no no
ppp ipcp 2000 2000 High 300 yes no no
ppp ipv6cp 2000 2000 High 300 yes no no
ppp mplscp 2000 2000 High 300 yes no no
ppp isis 2000 2000 High 300 yes no no
ppp echo-req 12000 12000 Low 300 yes no no
ppp echo-rep 12000 12000 Low 300 yes no no
ppp mlppp-lcp 12000 12000 Low 300 yes no no
pppoe aggregate 2000 2000 -- 300 yes -- no
pppoe padi 500 500 Low 300 yes no no
pppoe pado 0 0 Low 300 yes no no
pppoe padr 500 500 Medium 300 yes no no
pppoe pads 0 0 Low 300 yes no no
pppoe padt 1000 1000 High 300 yes no no
pppoe padm 0 0 Low 300 yes no no
pppoe padn 0 0 Low 300 yes no no
dhcpv4 aggregate 5000 5000 -- 300 yes -- no
dhcpv4 unclass.. 300 150 Low 300 yes no no
dhcpv4 discover 500 500 Low 300 yes no no
dhcpv4 offer 1000 1000 Low 300 yes no no
dhcpv4 request 1000 1000 Medium 300 yes no no
dhcpv4 decline 500 500 Low 300 yes no no
dhcpv4 ack 500 500 Medium 300 yes no no
dhcpv4 nak 500 500 Low 300 yes no no
dhcpv4 release 2000 2000 High 300 yes no no
dhcpv4 inform 500 500 Low 300 yes no no
dhcpv4 renew 2000 2000 High 300 yes no no
dhcpv4 forcerenew 2000 2000 High 300 yes no no
dhcpv4 leasequery 2000 2000 High 300 yes no no
dhcpv4 leaseuna.. 2000 2000 High 300 yes no no
dhcpv4 leaseunk.. 2000 2000 High 300 yes no no
dhcpv4 leaseact.. 2000 2000 High 300 yes no no
dhcpv4 bootp 300 300 Low 300 yes no no
dhcpv4 no-msgtype 1000 1000 Low 300 yes no no
dhcpv4 bad-pack.. 0 0 Low 300 yes no no
dhcpv4 rebind 2000 2000 High 300 yes no no
dhcpv6 aggregate 5000 5000 -- 300 yes -- no
dhcpv6 unclass.. 3000 3000 Low 300 yes no no
dhcpv6 solicit 500 500 Low 300 yes no no
dhcpv6 advertise 500 500 Low 300 yes no no
dhcpv6 request 1000 1000 Medium 300 yes no no
dhcpv6 confirm 1000 1000 Medium 300 yes no no
dhcpv6 renew 2000 2000 Medium 300 yes no no
dhcpv6 rebind 2000 2000 Medium 300 yes no no
dhcpv6 reply 1000 1000 Medium 300 yes no no
dhcpv6 release 2000 2000 High 300 yes no no
dhcpv6 decline 1000 1000 Low 300 yes no no
dhcpv6 reconfig 1000 1000 Low 300 yes no no
dhcpv6 info..req 1000 1000 Low 300 yes no no
dhcpv6 relay-for.. 1000 1000 Low 300 yes no no
dhcpv6 relay-rep.. 1000 1000 Low 300 yes no no
dhcpv6 leasequery 1000 1000 Low 300 yes no no
dhcpv6 leaseq..re 1000 1000 Low 300 yes no no
dhcpv6 leaseq..do 1000 1000 Low 300 yes no no
dhcpv6 leaseq..da 1000 1000 Low 300 yes no no
vchassis aggregate 30000 30000 -- 300 yes -- no
vchassis unclass.. 0 0 Low 300 yes no no
vchassis control-hi 10000 5000 High 300 yes no no
vchassis control-lo 8000 3000 Low 300 yes no no
vchassis vc-packets 30000 30000 Low 300 yes no no
vchassis vc-ttl-err 4000 10000 Low 300 yes no no
icmp aggregate 20000 20000 -- 300 yes -- no
igmp aggregate 20000 20000 -- 300 yes -- no
ospf aggregate 20000 20000 -- 300 yes -- no
rsvp aggregate 20000 20000 -- 300 yes -- no
pim aggregate 8000 16000 -- 300 yes -- no
rip aggregate 20000 20000 -- 300 yes -- no
ptp aggregate 20000 20000 -- 300 yes -- no
bfd aggregate 20000 20000 -- 300 yes -- no
lmp aggregate 20000 20000 -- 300 yes -- no
ldp aggregate 20000 20000 -- 300 yes -- no
msdp aggregate 20000 20000 -- 300 yes -- no
bgp aggregate 20000 20000 -- 300 yes -- no
vrrp aggregate 20000 20000 -- 300 yes -- no
telnet aggregate 20000 20000 -- 300 yes -- no
ftp aggregate 20000 20000 -- 300 yes -- no
ssh aggregate 20000 20000 -- 300 yes -- no
snmp aggregate 20000 20000 -- 300 yes -- no
igmpv4v6 aggregate 20000 20000 -- 300 yes -- no
ripv6 aggregate 20000 20000 -- 300 yes -- no
bfdv6 aggregate 20000 20000 -- 300 yes -- no
lmpv6 aggregate 20000 20000 -- 300 yes -- no
ldpv6 aggregate 20000 20000 -- 300 yes -- no
msdpv6 aggregate 20000 20000 -- 300 yes -- no
bgpv6 aggregate 20000 20000 -- 300 yes -- no
vrrpv6 aggregate 20000 20000 -- 300 yes -- no
telnetv6 aggregate 20000 20000 -- 300 yes -- no
ftpv6 aggregate 20000 20000 -- 300 yes -- no
sshv6 aggregate 20000 20000 -- 300 yes -- no
snmpv6 aggregate 20000 20000 -- 300 yes -- no
ancpv6 aggregate 20000 20000 -- 300 yes -- no
ospfv3v6 aggregate 20000 20000 -- 300 yes -- no
lacp aggregate 20000 20000 -- 300 yes -- no
stp aggregate 20000 20000 -- 300 yes -- no
esmc aggregate 20000 20000 -- 300 yes -- no
oam-lfm aggregate 20000 20000 -- 300 yes -- no
eoam aggregate 20000 20000 -- 300 yes -- no
lldp aggregate 20000 20000 -- 300 yes -- no
mvrp aggregate 20000 20000 -- 300 yes -- no
pmvrp aggregate 20000 20000 -- 300 yes -- no
arp aggregate 20000 20000 -- 300 yes -- no
pvstp aggregate 20000 20000 -- 300 yes -- no
isis aggregate 20000 20000 -- 300 yes -- no
pos aggregate 20000 20000 -- 300 yes -- no
mlp aggregate 10000 20000 -- 300 yes -- no
mlp unclass.. 1024 1024 Low 300 yes no no
mlp lookup 1024 2048 Low 300 yes no no
mlp add 4096 8192 Low 300 yes no no
mlp delete 4096 8192 Low 300 yes no no
mlp mac-pin.. 32 32 Low 300 yes no no
jfm aggregate 20000 20000 -- 300 yes -- no
atm aggregate 20000 20000 -- 300 yes -- no
pfe-alive aggregate 20000 20000 -- 300 yes -- no
ttl aggregate 2000 10000 -- 300 yes -- no
ip-opt aggregate 20000 20000 -- 300 yes -- no
ip-opt unclass.. 10000 10000 Low 300 yes no no
ip-opt rt-alert 20000 20000 High 300 yes no no
ip-opt non-v4v6 10000 10000 Low 300 yes no no
redirect aggregate 2000 10000 -- 300 yes -- no
exception aggregate 250 250 -- 300 yes -- no
exception unclass.. 250 250 High 300 yes no no
exception mtu-exceed 250 250 High 300 yes no no
exception mcast-rpf 250 250 High 300 yes no no
mac-host aggregate 20000 20000 -- 300 yes -- no
tun-frag aggregate 2000 10000 -- 300 yes -- no
mcast-snoop aggregate 20000 20000 -- 300 yes -- no
mcast-snoop igmp 20000 20000 High 300 yes no no
mcast-snoop pim 20000 20000 Low 300 yes no no
mcast-snoop mld 20000 20000 High 300 yes no no
services aggregate 20000 20000 -- 300 yes -- no
services packet 20000 20000 High 300 yes no no
services BSDT 20000 20000 Low 300 yes no no
demuxauto aggregate 2000 10000 -- 300 yes -- no
reject aggregate 2000 10000 -- 300 yes -- no
tcp-flags aggregate 20000 20000 -- 300 yes -- no
tcp-flags unclass.. 20000 20000 Low 300 yes no no
tcp-flags initial 20000 20000 Low 300 yes no no
tcp-flags establish 20000 20000 Low 300 yes no no
dtcp aggregate 20000 20000 -- 300 yes -- no
radius aggregate 20000 20000 -- 300 yes -- no
radius server 20000 20000 High 300 yes no no
radius account.. 20000 20000 High 300 yes no no
radius auth.. 20000 20000 High 300 yes no no
ntp aggregate 20000 20000 -- 300 yes -- no
tacacs aggregate 20000 20000 -- 300 yes -- no
dns aggregate 20000 20000 -- 300 yes -- no
diameter aggregate 20000 20000 -- 300 yes -- no
ip-frag aggregate 20000 20000 -- 300 yes -- no
ip-frag first-frag 20000 20000 Low 300 yes no no
ip-frag trail-frag 20000 20000 Low 300 yes no no
l2tp aggregate 20000 20000 -- 300 yes -- no
gre aggregate 20000 20000 -- 300 yes -- no
gre hbc 20000 20000 Low 300 yes no no
gre punt 20000 20000 Low 300 yes no no
pimv6 aggregate 8000 16000 -- 300 yes -- no
icmpv6 aggregate 20000 20000 -- 300 yes -- no
ndpv6 aggregate 20000 20000 -- 300 yes -- no
ndpv6 router-sol 5000 10000 High 300 yes no no
ndpv6 router-adv 5000 10000 Low 300 yes no no
ndpv6 neighb-sol 5000 10000 High 300 yes no no
ndpv6 neighb-adv 5000 10000 Low 300 yes no no
ndpv6 redirect 5000 10000 Low 300 yes no no
ndpv6 inval-hop 0 0 Low 300 yes no no
sample aggregate 1000 1000 -- 300 yes -- no
sample syslog 1000 1000 Medium 300 yes no no
sample host 1000 1000 Medium 300 yes no no
sample pfe 1000 1000 Medium 300 yes no no
sample tap 1000 1000 Medium 300 yes no no
sample sflow 1000 1000 Medium 300 yes no no
fab-probe aggregate 20000 20000 -- 300 yes -- no
uncls aggregate 20000 20000 -- 300 yes -- no
uncls other 2000 10000 Low 300 yes no no
uncls control-v4 2000 10000 Low 300 yes no no
uncls control-v6 2000 10000 Low 300 yes no no
uncls host-rt-v4 2000 10000 Low 300 yes no no
uncls host-rt-v6 2000 10000 Low 300 yes no no
uncls control-l2 2000 10000 Low 300 yes no no
uncls fw-host 20000 20000 High 300 yes no no
uncls mcast-copy 2000 10000 High 300 yes no no
rejectv6 aggregate 2000 10000 -- 300 yes -- no
l2pt aggregate 20000 20000 -- 300 yes -- no
frame-relay frf16 12000 12000 Low 300 yes no no
amtv4 aggregate 20000 20000 -- 300 yes -- no
amtv6 aggregate 20000 20000 -- 300 yes -- no
re-services aggregate 20000 20000 -- 300 yes -- no
re-services capti..v4 20000 20000 Medium 300 yes no no
re-services-v6 aggregate 20000 20000 -- 300 yes -- no
re-services-v6 capti..v6 20000 20000 Medium 300 yes no no
syslog aggregate 2000 10000 -- 300 yes -- no
vxlan aggregate 20000 20000 -- 300 yes -- no

EX9200>

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Hello,

@Arix wrote:

Hi all,

The following log messages occur a lot.....DDOS_PROTOCOL_VIOLATION_SET  and then DDOS_PROTOCOL_VIOLATION_CLEAR....

What is "Host-bound traffic" that in the following log messages... What kind of protocol is it using for?...I

 

The "Host-bound traffic" in this particular case consists of exception messages raised by the linecard CPU towards the Routing Engine. The protocol is Juniper proprietary.

The root cause is that You have lots of packets with the DF bit set that exceed Your link MTU on said linecard. According to RFC 1191 section 4, the EX9200 shall return an ICMP Unreachable with the "Next Hop MTU" embedded in the ICMP header.

The linecard CPU cannot embed this information; it has to be done by the RE, hence it raises an exception message for each violating packet.

As a side note, the linecard CPU can handle simpler cases such as sending ICMP TTL Exceeded without disturbing the RE.

Please check all Your link MTUs and correct as necessary to stop these messages from polluting Your logs.

Raising the DDOS policer limit is not recommended; it is there for a reason: to protect Your RE CPU from wasting cycles sending ICMP Type 3 Code 4, which may be lost or blocked somewhere along the way to the traffic source.

HTH

Thx
Alex
_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: DDOS_PROTOCOL_VIOLATION

a month ago

Hi Alex, thanks for the reply.

I am just concerned about how to find the associated link, as there are a number of links connected.

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Hi Arix,

Try collecting the commands below. This will give you some idea about who the culprit is.

show ddos-protection protocols exceptions mtu-exceeded culprit-flows detail fpc-slot 0

show ddos-protection protocols culprit-flows detail fpc-slot 0

Additionally, you can refer to the link below to understand Juniper DoS protection. Even if you have no DoS config, the system has some default DoS parameters which can be modified via config.

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-ddos-protecti...

 

Regards

Arpit

 

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Hi Arpit,

I tried it on all PIC and FPC cards; it didn't give anything.... Here:

 

> show ddos-protection protocols exceptions mtu-exceeded culprit-flows fpc-slot 0
Currently tracked flows: 0, Total detected flows: 0

 

> show ddos-protection protocols culprit-flows detail fpc-slot 2
Currently tracked flows: 0, Total detected flows: 0

 

thx

A

 

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Can you collect:

show ddos-protection protocols exceptions mtu-exceeded

show ddos-protection protocols violations

Are you having any violations currently (i.e. do you see any DDoS set messages)?

What code are you running; can you share "show version"?

 

Regards

Arpit 

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Basically, when this violation occurs, the packets being forwarded have a length greater than the MTU size.

We need to find out which interface is receiving packets of higher MTU than configured and see if we can increase the MTU on that interface.

Also collect:

show ddos-protection protocols statistics terse

show ddos-protection protocols statistics

show ddos-protection protocols flow-detection brief

request pfe execute command "show ddos policer exceptions stats" target fpc0

request pfe execute command "show ddos policer exceptions violations-history" target fpc0

request pfe execute command "show ddos policer violations-history" target fpc0

request pfe execute command "show syslog messages" target fpc0

Check the MTU of all the interfaces in FPC0 and the IRBs and see if any interface is accidentally configured for a lower value.

show interfaces irb | match "irb|mtu"

 

 

Regards

Arpit 

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Hi,

What is an irb interface? What is the purpose of an irb interface, as there are plenty of physical interfaces?

And also, when the number of "MTU errors:" is increasing, why don't we see the number of "Dropped packets" increasing?

Please see the attached file....

thx

A.

Re: DDOS_PROTOCOL_VIOLATION

a month ago

Hello,

@Arix wrote:

Hi Arpit,

I tried it on all PIC and FPC cards; it didn't give anything.... Here:

You need to enable suspicious control flow-detection (SCFD) at least globally:

set system ddos-protection global flow-detection

And a flow will be detected and the output populated when the suspicious flow's PPS rate is greater than the default policer PPS.

For MTU-exceeded, the default policers are:

regress@agg3# run show ddos-protection protocols exceptions mtu-exceeded 
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: exceptions

  Packet type: mtu-exceeded (Packets exceeded MTU)
    Individual policer configuration:
      Bandwidth:        250 pps  <==== overall policer towards RE
      Burst:            250 packets
      Priority:         High
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    Flow detection configuration:
      Detection mode: Off        Detect time:  3 seconds
      Log flows:      Yes        Recover time: 60 seconds
      Timeout flows:  No         Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps  <=== per individual source
        Logical interface   Automatic       Drop          10 pps  <=== per subinterface
        Physical interface  Automatic       Drop          250 pps <=== per phys.interface

Once at least 1 policer is exceeded, the flow detection will report it in the syslog as below:

Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr 192.168.99.33 is found at 2019-08-23 10:25:14 AST
Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- is found at 2019-08-23 10:25:14 AST
Aug 23 10:26:17.086 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- returned normal and is removed from monitoring. Found at 2019-08-23 10:25:14 AST, last observed at 2019-08-23 10:25:16 AST

- and in the below printout, BUT ONLY during the ongoing violation:

regress@agg2# run show ddos-protection protocols exceptions culprit-flows detail 
Currently tracked flows: 2, Total detected flows: 8

Protocol    Packet      Arriving           Aggr    Flow Id
group       type        Interface          level
exception   mtu-exceed  xe-0/3/0.0         sub     0002000000000006
   Source Address:      192.168.99.33                          
   Destination Address: 192.168.99.107                         
   Source Port:    0        Destination Port: 0    
   Found at:       2019-08-23 10:36:47 AST
   Last Violation: 2019-08-23 10:37:01 AST
   Rate:        9 pps  received packets: 136
exception   mtu-exceed  xe-0/3/0.0         ifl     0002000000000007
   Found at:       2019-08-23 10:36:47 AST
   Last Violation: 2019-08-23 10:36:49 AST
   Rate:        0 pps  received packets: 19

If You want an early warning, You'd need to enable "always-on" flow detection for this particular protocol and/or lower the policer PPS; example below:

set system ddos-protection protocols exceptions mtu-exceeded flow-detection-mode on
set system ddos-protection protocols exceptions mtu-exceeded flow-level-bandwidth subscriber 2
set system ddos-protection protocols exceptions mtu-exceeded flow-level-bandwidth logical-interface 2
set system ddos-protection protocols exceptions mtu-exceeded flow-level-bandwidth physical-interface 3
set system ddos-protection protocols exceptions mtu-exceeded flow-level-detection subscriber on
set system ddos-protection protocols exceptions mtu-exceeded flow-level-detection logical-interface on
set system ddos-protection protocols exceptions mtu-exceeded flow-level-detection physical-interface on
set system ddos-protection protocols exceptions mtu-exceeded flow-detect-time 5

HTH

Thx

Alex

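The two message families Alex walks through above (the policer's DDOS_PROTOCOL_VIOLATION_* notifications and the SCFD flow-found / return-normal messages) are easy to correlate automatically. The Python below is an added example, not code from this thread or from Juniper: it parses constructed log lines modelled on the ones quoted in the thread, works out how often the mtu-exceeded policer was tripped over the window a CLEAR message reports, and keeps track of which SCFD flows are still under monitoring. The field layout is taken from the quoted messages; the regular expressions themselves are an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the jddosd messages quoted in this thread.
SAMPLE_LOG = """\
jddosd[17483]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception exceptions:mtu-exceeded has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 30849 times, from 2019-03-01 02:46:35 AEST to 2019-08-06 06:18:55 AEST
Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr 192.168.99.33 is found at 2019-08-23 10:25:14 AST
Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- is found at 2019-08-23 10:25:14 AST
Aug 23 10:26:17.086 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- returned normal and is removed from monitoring. Found at 2019-08-23 10:25:14 AST, last observed at 2019-08-23 10:25:16 AST
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Regexes are assumptions derived from the quoted messages; "bandwi\w+" also
# accepts the "bandwith" spelling the daemon emits.
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: .*?protocol/exception (\S+) has returned to normal\. "
    r"Its allowed bandwi\w+ was exceeded at fpc (\d+) for (\d+) times, from "
    + TS + r" \w+ to " + TS + r" \w+")
FOUND_RE = re.compile(
    r"DDOS_SCFD_FLOW_FOUND: A new flow of protocol (\S+) on (\S+) "
    r"with source addr (.+?) is found at " + TS)
NORMAL_RE = re.compile(
    r"DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol (\S+) on (\S+) "
    r"with source addr (.+?) returned normal")

def _src(text):
    # "-- -- --" is what SCFD prints for a flow aggregated at interface level.
    return None if set(text.replace(" ", "")) == {"-"} else text

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_line(line):
    """Return a dict for the three jddosd message types, or None for anything else."""
    m = CLEAR_RE.search(line)
    if m:
        proto, fpc, count, start, end = m.groups()
        seconds = (_ts(end) - _ts(start)).total_seconds()
        return {"event": "clear", "proto": proto, "fpc": int(fpc), "count": int(count),
                "duration_s": int(seconds),
                "per_hour": int(count) / (seconds / 3600) if seconds else float("inf")}
    m = FOUND_RE.search(line)
    if m:
        proto, ifl, src, found = m.groups()
        return {"event": "found", "proto": proto, "ifl": ifl,
                "src": _src(src), "at": _ts(found)}
    m = NORMAL_RE.search(line)
    if m:
        proto, ifl, src = m.groups()
        return {"event": "normal", "proto": proto, "ifl": ifl, "src": _src(src)}
    return None

def summarize(log_text):
    """Policer-violation summaries plus the SCFD flows still under monitoring."""
    clears, active = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "clear":
            clears.append(rec)
            continue
        key = (rec["proto"], rec["ifl"], rec["src"])
        if rec["event"] == "found":
            active[key] = rec["at"]
        else:  # returned normal: SCFD stopped tracking this flow
            active.pop(key, None)
    return {"clears": clears, "active_flows": active}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for c in result["clears"]:
        print(f"{c['proto']} fpc {c['fpc']}: {c['count']} violations, ~{c['per_hour']:.1f}/hour")
    print("still tracked:", list(result["active_flows"]))
```

Run against a real `show log messages` capture, the `per_hour` figure tells you whether the 250 pps policer is being tripped constantly or in bursts, and the active-flow list points at the interface (and, at subscriber level, the source) to check for MTU mismatches.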
Re: DDOS_PROTOCOL_VIOLATION

4 weeks ago

Hi arpitch,

What do you think about Alex's solutions? Any different idea or?

Re: DDOS_PROTOCOL_VIOLATION

3 weeks ago

Hi Arix,

Yes, you should configure this to see the flow which is causing this. I thought you already had this configured but there was no current violation. But we do see that there are current violations.

So configuring this command will help you narrow down the flow.

"set system ddos-protection global flow-detection"

Once you configure it, please collect the following:

show ddos-protection protocols exceptions mtu-exceeded culprit-flows detail fpc-slot 0

show ddos-protection protocols culprit-flows detail fpc-slot 0

show log messages

As we see in the outputs below, it is violated. You should be able to find the culprit soon.

9200EX> show ddos-protection protocols statistics terse
Packet types: 216, Received traffic: 45, Currently violated: 1

Protocol    Packet      Received        Dropped        Rate     Violation State
group       type        (packets)       (packets)      (pps)    counts
resolve     aggregate   278951888       40812          6        0         ok
resolve     ucast-v4    278951888       40812          6        3         ok
dhcpv4      aggregate   70938878        268            4        0         ok
dhcpv4      discover    1986321         0              0        0         ok
dhcpv4      offer       37323           0              0        0         ok
dhcpv4      request     4245428         0              1        0         ok
dhcpv4      decline     38              0              0        0         ok
dhcpv4      ack         26861799        160            1        2         ok
dhcpv4      nak         26391           0              0        0         ok
dhcpv4      release     1099            0              0        0         ok
dhcpv4      inform      33886007        0              2        0         ok
dhcpv4      renew       3882593         0              0        0         ok
dhcpv4      bad-pack..  108             108            0        17        ok
dhcpv4      rebind      11771           0              0        0         ok
icmp        aggregate   26311463        0              1        0         ok
igmp        aggregate   419430          0              0        0         ok
ospf        aggregate   6260159         0              0        0         ok
bfd         aggregate   97833793        0              3        0         ok
ldp         aggregate   21633697        0              1        0         ok
bgp         aggregate   8094413         0              0        0         ok
vrrp        aggregate   359682365       0              14       0         ok
telnet      aggregate   40              0              0        0         ok
ftp         aggregate   941             0              0        0         ok
ssh         aggregate   9458765         0              0        0         ok
snmp        aggregate   165987353       0              0        0         ok
lacp        aggregate   744524855       0              26       0         ok
arp         aggregate   537301390       0              23       0         ok
mlp         aggregate   601759312       0              20       0         ok
mlp         lookup      82819413        0              2        0         ok
mlp         add         18911095        0              0        0         ok
mlp         delete      500028804       0              17       0         ok
ttl         aggregate   111902738       0              2        0         ok
exception   aggregate   80385260        23033587       0        1364      ok
exception   mtu-exceed  80385260        23033553       0        23756     viol

9200EX> ...show ddos policer exceptions violations-history" target fpc0 | no-more
SENT: Ukern command: show ddos policer exceptions violations-history

DDOS Policer Violations:

                                    seen   is   viol
 idx prot        group        proto viol viol  count  start-t(ms)   last-t(ms)
 ---  ---  -----------  ----------- ---- ---- ------  -----------  -----------
 140 4000    exception    aggregate  yes   no   1299  27042019255  27042019255
 142 4002    exception   mtu-exceed  yes  yes  23511  27109749565  27109749565

 

 

Hope this helps!

Thanks 

Arpit 

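The terse statistics table Arpit posted is where the triage starts, so here is an added example (not code from this thread or from Juniper) that reads a constructed excerpt of that table and ranks packet types: anything currently in "viol" state first, then types whose violation count shows they have tripped their policer before, ordered by the share of received packets that were dropped (dhcpv4 bad-pack.., whose default policer in the parameters table above is 0 pps, drops everything it receives). The column layout follows the posted output; the regular expression is an assumption.

```python
import re

# Constructed excerpt of "show ddos-protection protocols statistics terse",
# modelled on the 9200EX output posted in this thread.
SAMPLE_TERSE = """\
Packet types: 216, Received traffic: 45, Currently violated: 1

Protocol    Packet      Received        Dropped        Rate     Violation State
group       type        (packets)       (packets)      (pps)    counts
resolve     aggregate   278951888       40812          6        0         ok
resolve     ucast-v4    278951888       40812          6        3         ok
dhcpv4      ack         26861799        160            1        2         ok
dhcpv4      bad-pack..  108             108            0        17        ok
arp         aggregate   537301390       0              23       0         ok
exception   aggregate   80385260        23033587       0        1364      ok
exception   mtu-exceed  80385260        23033553       0        23756     viol
"""

# Column layout assumed from the posted output; header and summary lines do not match.
ROW_RE = re.compile(
    r"^(?P<group>\S+)\s+(?P<ptype>\S+)\s+(?P<received>\d+)\s+(?P<dropped>\d+)"
    r"\s+(?P<rate>\d+)\s+(?P<violations>\d+)\s+(?P<state>ok|viol)\s*$")

def parse_terse(text):
    """Parse the terse statistics table into a list of dicts, one per packet type."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("received", "dropped", "rate", "violations"):
            row[key] = int(row[key])
        # share of host-bound packets of this type that the policer discarded
        row["drop_ratio"] = row["dropped"] / row["received"] if row["received"] else 0.0
        rows.append(row)
    return rows

def triage(rows):
    """Rank packet types worth a look: currently violated first, then types whose
    violation count shows they tripped their policer before, by drop ratio."""
    flagged = [r for r in rows if r["state"] == "viol" or r["violations"] > 0]
    flagged.sort(key=lambda r: (r["state"] != "viol", -r["drop_ratio"], -r["violations"]))
    return flagged

if __name__ == "__main__":
    for r in triage(parse_terse(SAMPLE_TERSE)):
        print(f"{r['group']:<10} {r['ptype']:<11} {r['state']:<4} "
              f"violations={r['violations']:<6} dropped={r['drop_ratio']:.1%}")
```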
Re: DDOS_PROTOCOL_VIOLATION

3 weeks ago

Hi Arpitch,

Thanks for the reply... And thanks to Arseniev too...

I will follow up on the approaches you previously pointed out. But I would like to ask: some interfaces' MTU values in the output of the CLI command >sh irb | match "irb|mtu" | no-more are about 1496. I checked the interface configuration; there is no mtu value manually assigned..... What do you think about irb mtu 1496? Have you noticed this in the output? How does it assign MTU 1496 by itself?

And also, I have recently found that one physical interface's "MTU errors:" counter has been hugely and constantly increasing.... This interface sits on FPC 0..... Could this be causing the ddos alert?

Thanks, A.

Re: DDOS_PROTOCOL_VIOLATION

3 weeks ago

Hi Arix,

Please refer to KB27446 regarding the MTU calculation of the IRB. The article is for MX but the same logic applies to EX too.

Basically, you need to change (or increase) the MTU of all the physical interfaces that are part of that VLAN if you want to change the IRB MTU.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB27446&actp=METADATA

Explanation for MTU errors:

MTU errors—Number of packets whose size exceeded the MTU of the interface.

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-interfaces-g...

These are output errors; basically we are trying to send the packets out of this interface (which we got from some other interface).

Packets may be received on a different interface; we need to find out which interface is receiving packets with a higher MTU.

Hope this helps!!

Regards

Arpit