Switching


DDOS_PROTOCOL_VIOLATION

  • 1.  DDOS_PROTOCOL_VIOLATION

     
    Posted 08-22-2019 03:53

    Hi all,

    The following log messages occur a lot: DDOS_PROTOCOL_VIOLATION_SET and then DDOS_PROTOCOL_VIOLATION_CLEAR.

    What is the "Host-bound traffic" in the following log messages? What kind of protocol is it used for? I couldn't determine it from "show ddos-protection protocols parameters brief", and there is no violation alert, but it is happening a lot. Any idea on how to respond?

     

    > show configuration | display set | match ddos
    (There is no ddos configuration on the device.)

     

    EX9200> sh log messages
    jddosd[17483]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception exceptions:mtu-exceeded has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 30849 times, from 2019-03-01 02:46:35 AEST to 2019-08-06 06:18:55 AEST

    ....

    ----

     

    EX9200> show ddos-protection protocols parameters brief
    Packet types: 216, Modified: 0
    * = User configured value

    Protocol Packet Bandwidth Burst Priority Recover Policer Bypass FPC
    group type (pps) (pkts) time(sec) enabled aggr. mod
    resolve aggregate 5000 10000 -- 300 yes -- no
    resolve other 2000 2000 Low 300 yes no no
    resolve ucast-v4 3000 5000 Low 300 yes no no
    resolve mcast-v4 3000 5000 Low 300 yes no no
    resolve ucast-v6 3000 5000 Low 300 yes no no
    resolve mcast-v6 3000 5000 Low 300 yes no no
    filter-act aggregate 5000 10000 -- 300 yes -- no
    filter-act other 2000 5000 Low 300 yes no no
    filter-act filter-v4 2000 5000 Low 300 yes no no
    filter-act filter-v6 2000 5000 Low 300 yes no no
    dynvlan aggregate 1000 500 -- 300 yes -- no
    ppp aggregate 16000 16000 -- 300 yes -- no
    ppp unclass 1000 500 Low 300 yes no no
    ppp lcp 12000 12000 Medium 300 yes no no
    ppp auth 2000 2000 Medium 300 yes no no
    ppp ipcp 2000 2000 High 300 yes no no
    ppp ipv6cp 2000 2000 High 300 yes no no
    ppp mplscp 2000 2000 High 300 yes no no
    ppp isis 2000 2000 High 300 yes no no
    ppp echo-req 12000 12000 Low 300 yes no no
    ppp echo-rep 12000 12000 Low 300 yes no no
    ppp mlppp-lcp 12000 12000 Low 300 yes no no
    pppoe aggregate 2000 2000 -- 300 yes -- no
    pppoe padi 500 500 Low 300 yes no no
    pppoe pado 0 0 Low 300 yes no no
    pppoe padr 500 500 Medium 300 yes no no
    pppoe pads 0 0 Low 300 yes no no
    pppoe padt 1000 1000 High 300 yes no no
    pppoe padm 0 0 Low 300 yes no no
    pppoe padn 0 0 Low 300 yes no no
    dhcpv4 aggregate 5000 5000 -- 300 yes -- no
    dhcpv4 unclass.. 300 150 Low 300 yes no no
    dhcpv4 discover 500 500 Low 300 yes no no
    dhcpv4 offer 1000 1000 Low 300 yes no no
    dhcpv4 request 1000 1000 Medium 300 yes no no
    dhcpv4 decline 500 500 Low 300 yes no no
    dhcpv4 ack 500 500 Medium 300 yes no no
    dhcpv4 nak 500 500 Low 300 yes no no
    dhcpv4 release 2000 2000 High 300 yes no no
    dhcpv4 inform 500 500 Low 300 yes no no
    dhcpv4 renew 2000 2000 High 300 yes no no
    dhcpv4 forcerenew 2000 2000 High 300 yes no no
    dhcpv4 leasequery 2000 2000 High 300 yes no no
    dhcpv4 leaseuna.. 2000 2000 High 300 yes no no
    dhcpv4 leaseunk.. 2000 2000 High 300 yes no no
    dhcpv4 leaseact.. 2000 2000 High 300 yes no no
    dhcpv4 bootp 300 300 Low 300 yes no no
    dhcpv4 no-msgtype 1000 1000 Low 300 yes no no
    dhcpv4 bad-pack.. 0 0 Low 300 yes no no
    dhcpv4 rebind 2000 2000 High 300 yes no no
    dhcpv6 aggregate 5000 5000 -- 300 yes -- no
    dhcpv6 unclass.. 3000 3000 Low 300 yes no no
    dhcpv6 solicit 500 500 Low 300 yes no no
    dhcpv6 advertise 500 500 Low 300 yes no no
    dhcpv6 request 1000 1000 Medium 300 yes no no
    dhcpv6 confirm 1000 1000 Medium 300 yes no no
    dhcpv6 renew 2000 2000 Medium 300 yes no no
    dhcpv6 rebind 2000 2000 Medium 300 yes no no
    dhcpv6 reply 1000 1000 Medium 300 yes no no
    dhcpv6 release 2000 2000 High 300 yes no no
    dhcpv6 decline 1000 1000 Low 300 yes no no
    dhcpv6 reconfig 1000 1000 Low 300 yes no no
    dhcpv6 info..req 1000 1000 Low 300 yes no no
    dhcpv6 relay-for.. 1000 1000 Low 300 yes no no
    dhcpv6 relay-rep.. 1000 1000 Low 300 yes no no
    dhcpv6 leasequery 1000 1000 Low 300 yes no no
    dhcpv6 leaseq..re 1000 1000 Low 300 yes no no
    dhcpv6 leaseq..do 1000 1000 Low 300 yes no no
    dhcpv6 leaseq..da 1000 1000 Low 300 yes no no
    vchassis aggregate 30000 30000 -- 300 yes -- no
    vchassis unclass.. 0 0 Low 300 yes no no
    vchassis control-hi 10000 5000 High 300 yes no no
    vchassis control-lo 8000 3000 Low 300 yes no no
    vchassis vc-packets 30000 30000 Low 300 yes no no
    vchassis vc-ttl-err 4000 10000 Low 300 yes no no
    icmp aggregate 20000 20000 -- 300 yes -- no
    igmp aggregate 20000 20000 -- 300 yes -- no
    ospf aggregate 20000 20000 -- 300 yes -- no
    rsvp aggregate 20000 20000 -- 300 yes -- no
    pim aggregate 8000 16000 -- 300 yes -- no
    rip aggregate 20000 20000 -- 300 yes -- no
    ptp aggregate 20000 20000 -- 300 yes -- no
    bfd aggregate 20000 20000 -- 300 yes -- no
    lmp aggregate 20000 20000 -- 300 yes -- no
    ldp aggregate 20000 20000 -- 300 yes -- no
    msdp aggregate 20000 20000 -- 300 yes -- no
    bgp aggregate 20000 20000 -- 300 yes -- no
    vrrp aggregate 20000 20000 -- 300 yes -- no
    telnet aggregate 20000 20000 -- 300 yes -- no
    ftp aggregate 20000 20000 -- 300 yes -- no
    ssh aggregate 20000 20000 -- 300 yes -- no
    snmp aggregate 20000 20000 -- 300 yes -- no
    igmpv4v6 aggregate 20000 20000 -- 300 yes -- no
    ripv6 aggregate 20000 20000 -- 300 yes -- no
    bfdv6 aggregate 20000 20000 -- 300 yes -- no
    lmpv6 aggregate 20000 20000 -- 300 yes -- no
    ldpv6 aggregate 20000 20000 -- 300 yes -- no
    msdpv6 aggregate 20000 20000 -- 300 yes -- no
    bgpv6 aggregate 20000 20000 -- 300 yes -- no
    vrrpv6 aggregate 20000 20000 -- 300 yes -- no
    telnetv6 aggregate 20000 20000 -- 300 yes -- no
    ftpv6 aggregate 20000 20000 -- 300 yes -- no
    sshv6 aggregate 20000 20000 -- 300 yes -- no
    snmpv6 aggregate 20000 20000 -- 300 yes -- no
    ancpv6 aggregate 20000 20000 -- 300 yes -- no
    ospfv3v6 aggregate 20000 20000 -- 300 yes -- no
    lacp aggregate 20000 20000 -- 300 yes -- no
    stp aggregate 20000 20000 -- 300 yes -- no
    esmc aggregate 20000 20000 -- 300 yes -- no
    oam-lfm aggregate 20000 20000 -- 300 yes -- no
    eoam aggregate 20000 20000 -- 300 yes -- no
    lldp aggregate 20000 20000 -- 300 yes -- no
    mvrp aggregate 20000 20000 -- 300 yes -- no
    pmvrp aggregate 20000 20000 -- 300 yes -- no
    arp aggregate 20000 20000 -- 300 yes -- no
    pvstp aggregate 20000 20000 -- 300 yes -- no
    isis aggregate 20000 20000 -- 300 yes -- no
    pos aggregate 20000 20000 -- 300 yes -- no
    mlp aggregate 10000 20000 -- 300 yes -- no
    mlp unclass.. 1024 1024 Low 300 yes no no
    mlp lookup 1024 2048 Low 300 yes no no
    mlp add 4096 8192 Low 300 yes no no
    mlp delete 4096 8192 Low 300 yes no no
    mlp mac-pin.. 32 32 Low 300 yes no no
    jfm aggregate 20000 20000 -- 300 yes -- no
    atm aggregate 20000 20000 -- 300 yes -- no
    pfe-alive aggregate 20000 20000 -- 300 yes -- no
    ttl aggregate 2000 10000 -- 300 yes -- no
    ip-opt aggregate 20000 20000 -- 300 yes -- no
    ip-opt unclass.. 10000 10000 Low 300 yes no no
    ip-opt rt-alert 20000 20000 High 300 yes no no
    ip-opt non-v4v6 10000 10000 Low 300 yes no no
    redirect aggregate 2000 10000 -- 300 yes -- no
    exception aggregate 250 250 -- 300 yes -- no
    exception unclass.. 250 250 High 300 yes no no
    exception mtu-exceed 250 250 High 300 yes no no
    exception mcast-rpf 250 250 High 300 yes no no
    mac-host aggregate 20000 20000 -- 300 yes -- no
    tun-frag aggregate 2000 10000 -- 300 yes -- no
    mcast-snoop aggregate 20000 20000 -- 300 yes -- no
    mcast-snoop igmp 20000 20000 High 300 yes no no
    mcast-snoop pim 20000 20000 Low 300 yes no no
    mcast-snoop mld 20000 20000 High 300 yes no no
    services aggregate 20000 20000 -- 300 yes -- no
    services packet 20000 20000 High 300 yes no no
    services BSDT 20000 20000 Low 300 yes no no
    demuxauto aggregate 2000 10000 -- 300 yes -- no
    reject aggregate 2000 10000 -- 300 yes -- no
    tcp-flags aggregate 20000 20000 -- 300 yes -- no
    tcp-flags unclass.. 20000 20000 Low 300 yes no no
    tcp-flags initial 20000 20000 Low 300 yes no no
    tcp-flags establish 20000 20000 Low 300 yes no no
    dtcp aggregate 20000 20000 -- 300 yes -- no
    radius aggregate 20000 20000 -- 300 yes -- no
    radius server 20000 20000 High 300 yes no no
    radius account.. 20000 20000 High 300 yes no no
    radius auth.. 20000 20000 High 300 yes no no
    ntp aggregate 20000 20000 -- 300 yes -- no
    tacacs aggregate 20000 20000 -- 300 yes -- no
    dns aggregate 20000 20000 -- 300 yes -- no
    diameter aggregate 20000 20000 -- 300 yes -- no
    ip-frag aggregate 20000 20000 -- 300 yes -- no
    ip-frag first-frag 20000 20000 Low 300 yes no no
    ip-frag trail-frag 20000 20000 Low 300 yes no no
    l2tp aggregate 20000 20000 -- 300 yes -- no
    gre aggregate 20000 20000 -- 300 yes -- no
    gre hbc 20000 20000 Low 300 yes no no
    gre punt 20000 20000 Low 300 yes no no
    pimv6 aggregate 8000 16000 -- 300 yes -- no
    icmpv6 aggregate 20000 20000 -- 300 yes -- no
    ndpv6 aggregate 20000 20000 -- 300 yes -- no
    ndpv6 router-sol 5000 10000 High 300 yes no no
    ndpv6 router-adv 5000 10000 Low 300 yes no no
    ndpv6 neighb-sol 5000 10000 High 300 yes no no
    ndpv6 neighb-adv 5000 10000 Low 300 yes no no
    ndpv6 redirect 5000 10000 Low 300 yes no no
    ndpv6 inval-hop 0 0 Low 300 yes no no
    sample aggregate 1000 1000 -- 300 yes -- no
    sample syslog 1000 1000 Medium 300 yes no no
    sample host 1000 1000 Medium 300 yes no no
    sample pfe 1000 1000 Medium 300 yes no no
    sample tap 1000 1000 Medium 300 yes no no
    sample sflow 1000 1000 Medium 300 yes no no
    fab-probe aggregate 20000 20000 -- 300 yes -- no
    uncls aggregate 20000 20000 -- 300 yes -- no
    uncls other 2000 10000 Low 300 yes no no
    uncls control-v4 2000 10000 Low 300 yes no no
    uncls control-v6 2000 10000 Low 300 yes no no
    uncls host-rt-v4 2000 10000 Low 300 yes no no
    uncls host-rt-v6 2000 10000 Low 300 yes no no
    uncls control-l2 2000 10000 Low 300 yes no no
    uncls fw-host 20000 20000 High 300 yes no no
    uncls mcast-copy 2000 10000 High 300 yes no no
    rejectv6 aggregate 2000 10000 -- 300 yes -- no
    l2pt aggregate 20000 20000 -- 300 yes -- no
    frame-relay frf16 12000 12000 Low 300 yes no no
    amtv4 aggregate 20000 20000 -- 300 yes -- no
    amtv6 aggregate 20000 20000 -- 300 yes -- no
    re-services aggregate 20000 20000 -- 300 yes -- no
    re-services capti..v4 20000 20000 Medium 300 yes no no
    re-services-v6 aggregate 20000 20000 -- 300 yes -- no
    re-services-v6 capti..v6 20000 20000 Medium 300 yes no no
    syslog aggregate 2000 10000 -- 300 yes -- no
    vxlan aggregate 20000 20000 -- 300 yes -- no

    EX9200>



  • 2.  RE: DDOS_PROTOCOL_VIOLATION

    Posted 08-22-2019 04:39

    Hello,

     


    @Arix wrote:

    Hi all,

    The following log messages occur a lot: DDOS_PROTOCOL_VIOLATION_SET and then DDOS_PROTOCOL_VIOLATION_CLEAR.

    What is "Host-bound traffic" that in the the following log messages... What kind of protocol is it using for?...I

     

    The "Host-bound traffic" in this particular case is exception messages raised by the linecard CPU towards the Routing Engine. The protocol is Juniper proprietary.

    The root cause is that You have lots of packets with DF bit set && exceeding Your link MTU on said linecard. According to RFC 1191 section 4, the EX9200 shall return ICMP Unreachable with "Next Hop MTU" embedded in the ICMP header.

    Linecard CPU cannot embed this information, it has to be done by RE, hence it raises an exception message for each violating packet.

    As a side note, linecard CPU can handle simpler cases such as sending ICMP TTL Exceeded without disturbing the RE.

    Please check all Your link MTUs and correct as necessary to stop these messages from polluting Your logs.

    Raising the DDOS policer limit is not recommended; it is there for a reason: to protect Your RE CPU from wasting cycles sending ICMP Type 3 Code 4 messages, which may be lost or blocked somewhere along the way to the traffic source.

    HTH

    Thx
    Alex
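The RFC 1191 mechanism Alex describes, as an added example that is not from the thread or from Junos: classify an IPv4 packet against a link MTU (DF set and too large is the case that becomes an exceptions:mtu-exceeded event), then build and parse the ICMP Type 3 Code 4 message that carries the next-hop MTU. The sample packet header and addresses are constructed for the demo.

```python
import struct

# RFC 792 / RFC 1191: Destination Unreachable (type 3), code 4
# "fragmentation needed and DF set". RFC 1191 section 4 places the next-hop
# MTU in the second 16-bit word of the ICMP header that RFC 792 left unused.
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_FLAG_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def forwarding_decision(ip_packet: bytes, link_mtu: int) -> str:
    """Classify an IPv4 packet against the egress link MTU.

    'forward'     - fits the link.
    'fragment'    - too big but DF clear: the forwarding path may fragment it.
    'frag-needed' - too big and DF set: the packet is dropped and an ICMP 3/4
                    must be generated; on the EX9200 in the thread this is the
                    case counted by the exceptions:mtu-exceeded policer.
    """
    total_len, flags_frag = struct.unpack("!2xH2xH", ip_packet[:8])
    if total_len <= link_mtu:
        return "forward"
    return "frag-needed" if flags_frag & IP_FLAG_DF else "fragment"


def build_frag_needed(ip_packet: bytes, next_hop_mtu: int) -> bytes:
    """Build the ICMP Destination Unreachable / Fragmentation Needed message.

    Layout: type(8) code(8) checksum(16) unused(16) next-hop-MTU(16), followed
    by the offending IP header plus the first 8 bytes of its payload.
    """
    quoted = ip_packet[:28]  # 20-byte header (no options assumed) + 8 payload bytes
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    csum = internet_checksum(body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu) + quoted


def parse_frag_needed(msg: bytes):
    """Return (next_hop_mtu, quoted_datagram) for a valid ICMP 3/4, else None.

    The original sender lowers its path MTU estimate to next_hop_mtu; if this
    message is lost or filtered, the sender keeps retrying oversized packets,
    which is why the exception keeps reaching the RE.
    """
    if len(msg) < 8 or internet_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu, msg[8:]


def sample_packet(total_len: int, df: bool) -> bytes:
    """Constructed IPv4 header (checksum left zero) plus 8 payload bytes."""
    flags = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * 8


if __name__ == "__main__":
    pkt = sample_packet(1500, df=True)
    print(forwarding_decision(pkt, 1496))   # frag-needed
    icmp = build_frag_needed(pkt, 1496)
    print(parse_frag_needed(icmp)[0])       # 1496
```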



  • 3.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-22-2019 05:48

    Hi Alex, thanks for the reply.

    I am just concerned about how to find the associated link, as there are a number of links connected.



  • 4.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-22-2019 20:44

    Hi Arix,

     

    Try collecting the commands below. This will give you some idea about who the culprit is.

     

    show ddos-protection protocols exceptions mtu-exceeded culprit-flows detail fpc-slot 0

    show ddos-protection protocols culprit-flows detail fpc-slot 0

     

    Additionally, you can refer to the link below to understand Juniper DoS protection. Even if you have no DoS config, the system has some default DoS parameters which can be modified via config.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-ddos-protection.html 

     

    Regards

    Arpit 

     

     

    _____________________________________________________________________

    Please ask Your Juniper account team about Juniper Professional Services offerings. 
    Juniper PS can design, test & build the network/part of the network as per Your requirements

    +++++++++++++++++++++++++++++++++++++++++++++

    Accept as Solution = cool !
    Accept as Solution+Kudo = You are a Star !

     



  • 5.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-22-2019 21:04

    Hi Arpit,

    I tried it on all PIC and FPC cards; it didn't give anything. Here:

     

    > show ddos-protection protocols exceptions mtu-exceeded culprit-flows fpc-slot 0
    Currently tracked flows: 0, Total detected flows: 0

     

    > show ddos-protection protocols culprit-flows detail fpc-slot 2
    Currently tracked flows: 0, Total detected flows: 0

     

    thx

    A

     



  • 6.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-22-2019 21:23

    Can you collect:

    show ddos-protection protocols exceptions mtu-exceeded

    show ddos-protection protocols violations

     

    Are you having any violations currently (i.e., do you see any DDoS set messages)?

    What code are you running? Can you share "show version"?

     

    Regards

    Arpit 



  • 7.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-22-2019 21:58

    Basically, when this violation occurs, the packets that are forwarded have a length greater than the MTU size.

    We need to find out which interface is receiving packets of higher MTU than configured and see if we can increase the MTU on that interface.

    Also collect:

     

    show ddos-protection protocols statistics terse

    show ddos-protection protocols statistics

    show ddos-protection protocols flow-detection brief

    request pfe execute command "show ddos policer exceptions stats" target fpc0

    request pfe execute command "show ddos policer exceptions violations-history" target fpc0

    request pfe execute command "show ddos policer violations-history" target fpc0

    request pfe execute command "show syslog messages" target fpc0

     

    Check the MTU of all the interfaces in FPC0 and the IRBs, and see if any interface is accidentally configured for a lower value.

     

    show interfaces irb | match "irb|mtu"

     

     

    Regards

    Arpit 



  • 8.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-23-2019 00:38

    Hi 

     

    What is the irb interface? What is the purpose of the irb interface, as there are plenty of physical interfaces!!!

     

    And also, when the number of "MTU errors:" is increasing, why don't we see the number of "Dropped packets" increasing?

     

    Please see the attached file.

     

     

    thx

    A.

     

     

    Attachment: ddos_logs.txt.txt (477 KB)


  • 9.  RE: DDOS_PROTOCOL_VIOLATION

    Posted 08-23-2019 00:41

    Hello,

     


    @Arix wrote:

    Hi Arpit,

    I tried it on all PIC and FPC cards; it didn't give anything. Here:

     

    You need to enable suspicious control flow detection (SCFD) at least globally:

     

     

    set system ddos-protection global flow-detection

     

     

    And it will be detected and the output populated when the suspicious flow PPS rate is greater than the default policer PPS.

    For MTU-exceeded, the default policers are:

     

    regress@agg3# run show ddos-protection protocols exceptions mtu-exceeded 
    Currently tracked flows: 0, Total detected flows: 0
    * = User configured value
    Protocol Group: exceptions
    
      Packet type: mtu-exceeded (Packets exceeded MTU)
        Individual policer configuration:
          Bandwidth:        250 pps  <==== overall policer towards RE
          Burst:            250 packets
          Priority:         High
          Recover time:     300 seconds
          Enabled:          Yes
          Bypass aggregate: No
        Flow detection configuration:
          Detection mode: Off        Detect time:  3 seconds
          Log flows:      Yes        Recover time: 60 seconds
          Timeout flows:  No         Timeout time: 300 seconds
          Flow aggregation level configuration:
            Aggregation level   Detection mode  Control mode  Flow rate
            Subscriber          Automatic       Drop          10 pps  <=== per individual source
            Logical interface   Automatic       Drop          10 pps  <=== per subinterface
            Physical interface  Automatic       Drop          250 pps <=== per phys.interface

    Once at least 1 policer is exceeded, the flow detection will report it in the syslog as below:

     

    Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr 192.168.99.33 is found at 2019-08-23 10:25:14 AST
    Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- is found at 2019-08-23 10:25:14 AST
    Aug 23 10:26:17.086 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- returned normal and is removed from monitoring. Found at 2019-08-23 10:25:14 AST, last observed at 2019-08-23 10:25:16 AST

    - and in the below printout BUT ONLY during the ongoing violation:

     

    regress@agg2# run show ddos-protection protocols exceptions culprit-flows detail 
    Currently tracked flows: 2, Total detected flows: 8
    
    Protocol    Packet      Arriving           Aggr    Flow Id
    group       type        Interface          level
    exception   mtu-exceed  xe-0/3/0.0         sub     0002000000000006
       Source Address:      192.168.99.33                          
       Destination Address: 192.168.99.107                         
       Source Port:    0        Destination Port: 0    
       Found at:       2019-08-23 10:36:47 AST
       Last Violation: 2019-08-23 10:37:01 AST
       Rate:        9 pps  received packets: 136
    exception   mtu-exceed  xe-0/3/0.0         ifl     0002000000000007
       Found at:       2019-08-23 10:36:47 AST
       Last Violation: 2019-08-23 10:36:49 AST
       Rate:        0 pps  received packets: 19

    If You want an early warning, You'd need to enable "always-on" flow detection for this particular protocol and/or lower the policer PPS, example below:

     

    set system ddos-protection protocols exceptions mtu-exceeded flow-detection-mode on
    set system ddos-protection protocols exceptions mtu-exceeded flow-level-bandwidth subscriber 2
    set system ddos-protection protocols exceptions mtu-exceeded flow-level-bandwidth logical-interface 2
    set system ddos-protection protocols exceptions mtu-exceeded flow-level-bandwidth physical-interface 3
    set system ddos-protection protocols exceptions mtu-exceeded flow-level-detection subscriber on
    set system ddos-protection protocols exceptions mtu-exceeded flow-level-detection logical-interface on
    set system ddos-protection protocols exceptions mtu-exceeded flow-level-detection physical-interface on
    set system ddos-protection protocols exceptions mtu-exceeded flow-detect-time 5

    HTH

    Thx

    Alex
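An added example (not from the thread or from Junos) that turns the jddosd messages quoted in post 1 and in this post into the answers the thread is after: which policer on which FPC is violated right now, how many times it has fired and for how long, and, once flow detection is on, which interface and source SCFD attributes the traffic to. The CLEAR line and the three SCFD lines are the ones posted; the SET line in the sample is an assumed companion written in the same wording, not copied from a device.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Constructed sample log (see lead-in for which lines are assumed).
SAMPLE_LOG = """\
Aug  6 06:18:55 EX9200 jddosd[17483]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception exceptions:mtu-exceeded has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 30849 times, from 2019-03-01 02:46:35 AEST to 2019-08-06 06:18:55 AEST
Aug  6 06:20:01 EX9200 jddosd[17483]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception exceptions:mtu-exceeded exceeded its allowed bandwidth at fpc 0 for 30850 times, started at 2019-08-06 06:20:01 AEST
Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr 192.168.99.33 is found at 2019-08-23 10:25:14 AST
Aug 23 10:25:17.089 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- is found at 2019-08-23 10:25:14 AST
Aug 23 10:26:17.086 2019  agg2 jddosd[7279]: %DAEMON-4-DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol exceptions:mtu-exceeded on xe-0/3/0.0 with source addr -- -- -- returned normal and is removed from monitoring. Found at 2019-08-23 10:25:14 AST, last observed at 2019-08-23 10:25:16 AST
"""

VIOLATION_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_(?P<state>SET|CLEAR):.*?protocol/exception (?P<proto>\S+) "
    r".*?at fpc (?P<fpc>\d+) for (?P<count>\d+) times")
# CLEAR messages carry the whole violation window; the zone suffix is skipped.
WINDOW_RE = re.compile(
    r"from (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ to (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
FLOW_RE = re.compile(
    r"DDOS_SCFD_FLOW_(?P<event>FOUND|RETURN_NORMAL): A (?:new )?flow of protocol (?P<proto>\S+) "
    r"on (?P<ifl>\S+) with source addr (?P<src>.+?) (?:is found|returned normal)")
TS = "%Y-%m-%d %H:%M:%S"


@dataclass
class Violation:
    proto: str
    fpc: int
    count: int          # cumulative "for N times" counter reported by jddosd
    state: str          # SET (ongoing) or CLEAR (returned to normal)
    window: Optional[Tuple[str, str]] = None  # (start, end) on CLEAR lines

    def duration_seconds(self) -> Optional[float]:
        """How long the policer stayed violated, known only once it CLEARs."""
        if not self.window:
            return None
        start, end = (datetime.strptime(t, TS) for t in self.window)
        return (end - start).total_seconds()


@dataclass
class Flow:
    proto: str
    ifl: str
    src: str            # source IP, or "-- -- --" for ifl/ifd-level aggregates
    event: str          # FOUND or RETURN_NORMAL


def parse_jddosd(text: str):
    """Split a messages file into policer violations and SCFD culprit flows."""
    violations, flows = [], []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            w = WINDOW_RE.search(line)
            violations.append(Violation(m["proto"], int(m["fpc"]), int(m["count"]),
                                        m["state"], w.groups() if w else None))
            continue
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["ifl"], m["src"], m["event"]))
    return violations, flows


def summarize(violations, flows):
    """Current state per (protocol, fpc) and per (protocol, interface, source).
    Lines are processed in log order, so the latest SET/CLEAR or FOUND/RETURN
    event for a key wins."""
    active, counts, culprits, interfaces = {}, {}, {}, set()
    for v in violations:
        key = (v.proto, v.fpc)
        active[key] = v.state == "SET"
        counts[key] = max(counts.get(key, 0), v.count)
    for f in flows:
        culprits[(f.proto, f.ifl, f.src)] = "active" if f.event == "FOUND" else "cleared"
        interfaces.add(f.ifl)
    return {"active": active, "violation_counts": counts,
            "culprits": culprits, "interfaces": interfaces}


if __name__ == "__main__":
    v, f = parse_jddosd(SAMPLE_LOG)
    for key, val in summarize(v, f).items():
        print(key, val)
```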



  • 10.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-26-2019 04:48

    Hi arpitch,

    What do you think about Alex's solutions? Any different ideas?



  • 11.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-26-2019 07:01

    Hi Arix, 

     

    Yes, you should configure this to see the flow which is causing this. I thought you already had this configured but there was no current violation. But we do see that there are current violations.

    So configuring this command will help you narrow down the flow:

    "set system ddos-protection global flow-detection"

     

    Once you configure it, please collect the following:

    show ddos-protection protocols exceptions mtu-exceeded culprit-flows detail fpc-slot 0

    show ddos-protection protocols culprit-flows detail fpc-slot 0

    show log messages

     

    As we see in the outputs below, it's violated. You should be able to find the culprit soon.

     

     

     

     

    9200EX> show ddos-protection protocols statistics terse
    Packet types: 216, Received traffic: 45, Currently violated: 1

    Protocol    Packet      Received        Dropped        Rate     Violation State
    group       type        (packets)       (packets)      (pps)    counts
    resolve     aggregate   278951888       40812          6        0         ok
    resolve     ucast-v4    278951888       40812          6        3         ok
    dhcpv4      aggregate   70938878        268            4        0         ok
    dhcpv4      discover    1986321         0              0        0         ok
    dhcpv4      offer       37323           0              0        0         ok
    dhcpv4      request     4245428         0              1        0         ok
    dhcpv4      decline     38              0              0        0         ok
    dhcpv4      ack         26861799        160            1        2         ok
    dhcpv4      nak         26391           0              0        0         ok
    dhcpv4      release     1099            0              0        0         ok
    dhcpv4      inform      33886007        0              2        0         ok
    dhcpv4      renew       3882593         0              0        0         ok
    dhcpv4      bad-pack..  108             108            0        17        ok
    dhcpv4      rebind      11771           0              0        0         ok
    icmp        aggregate   26311463        0              1        0         ok
    igmp        aggregate   419430          0              0        0         ok
    ospf        aggregate   6260159         0              0        0         ok
    bfd         aggregate   97833793        0              3        0         ok
    ldp         aggregate   21633697        0              1        0         ok
    bgp         aggregate   8094413         0              0        0         ok
    vrrp        aggregate   359682365       0              14       0         ok
    telnet      aggregate   40              0              0        0         ok
    ftp         aggregate   941             0              0        0         ok
    ssh         aggregate   9458765         0              0        0         ok
    snmp        aggregate   165987353       0              0        0         ok
    lacp        aggregate   744524855       0              26       0         ok
    arp         aggregate   537301390       0              23       0         ok
    mlp         aggregate   601759312       0              20       0         ok
    mlp         lookup      82819413        0              2        0         ok
    mlp         add         18911095        0              0        0         ok
    mlp         delete      500028804       0              17       0         ok
    ttl         aggregate   111902738       0              2        0         ok
    exception   aggregate   80385260        23033587       0        1364      ok
    exception   mtu-exceed  80385260        23033553       0        23756     viol

    9200EX> ...show ddos policer exceptions violations-history" target fpc0 | no-more
    SENT: Ukern command: show ddos policer exceptions violations-history

    DDOS Policer Violations:

                                        seen   is   viol
     idx prot        group        proto viol viol  count  start-t(ms)   last-t(ms)
     ---  ---  -----------  ----------- ---- ---- ------  -----------  -----------
     140 4000    exception    aggregate  yes   no   1299  27042019255  27042019255
     142 4002    exception   mtu-exceed  yes  yes  23511  27109749565  27109749565


    Hope this helps!

    Thanks 

    Arpit 



  • 12.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-27-2019 05:46

    Hi Arpitch,

    Thanks for the reply... And thanks to Arseniev as well...

    I will follow up on the approaches you previously pointed out. But I would like to ask: some interfaces' MTU values in the output of the CLI command "sh irb | match "irb|mtu" | no-more" are about 1496. I checked the interface configuration; there is no mtu value manually assigned. What do you think about irb MTU 1496? Have you noticed this in the output? How does it assign MTU 1496 there by itself?

    And also, I have recently found that one physical interface's "MTU errors:" counter has been hugely and constantly increasing. This interface sits on FPC 0. Could this be causing the ddos alert?

     

    Thanks A.



  • 13.  RE: DDOS_PROTOCOL_VIOLATION

     
    Posted 08-27-2019 14:09

    Hi Arix, 

     

    Please refer to KB27446 regarding the MTU calculation of the IRB. The article is for MX, but the same logic applies to EX too.

    Basically, you need to change (or increase) the MTU of all the physical interfaces that are part of that VLAN if you want to change the IRB MTU.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB27446&actp=METADATA

     

    Explanation for MTU errors. 

    MTU errors—Number of packets whose size exceeded the MTU of the interface. 

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-interfaces-gigabit-ethernet.html 

     

    These are output errors; basically we are trying to send the packets out of this interface (which we got from some other interface).

    Packets may be received on a different interface; we need to find out which interface is receiving packets with a higher MTU.

     

    Hope this helps!!

    Regards

    Arpit