Ethernet Switching

jddosd warning on multiple fpc(s)

a week ago

Hi all,

When looking at the following errors on EX switches in a VC, they are about TTL, L3MTU and IPMCAST. These messages have been generated from time to time... What troubleshooting approach should be taken to identify the cause and resolve it? Any ideas please?
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 1 for 252 times, started at xxxx
Thanks,

Arix...


Re: jddosd warning on multiple fpc(s)

a week ago

Hi Arix,
Which EX platform and Junos version are you working with? These messages indicate that the device is protecting its routing engine from an excess of such packets causing issues. The default thresholds and the violation times can be troubleshot as follows:
https://forums.juniper.net/t5/Ethernet-Switching/EX-DDOS-explanation/td-p/460382

show ddos-protection protocols statistics terse
show ddos-protection protocols statistics | find "Protocol Group: TTL"
show ddos-protection protocols statistics | find "Protocol Group: L3MTU"
show ddos-protection protocols statistics | find "Protocol Group: IPMCAST"

Based on the timing of log messages, you can check for actual packets hitting the routing engine of the device using:

monitor traffic interface <intf_name> no-resolve extensive
OR
monitor traffic interface <intf_name> no-resolve extensive write-file /var/tmp/DDOS.pcap --------> remember to stop this, copy out the file "DDOS.pcap" from /var/tmp/ and delete it before it's too big.

Note that you'll need to make an educated guess on which interface to monitor, based on your network and interface usage, as to which device is likely to send host-bound traffic to this EX. If all the traffic you see is legit and you are still seeing these logs, try to play around with the ddos-protection threshold:
Example:
set system ddos-protection protocols ttl aggregate bandwidth 1000
set system ddos-protection protocols ttl aggregate burst 500

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
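Added example, not part of the original thread: a small Python parser that aggregates the DDOS_PROTOCOL_VIOLATION_SET messages quoted in the question per protocol group and FPC, so you can see which group and line card are noisiest before drilling in with the show commands from the reply. The sample syslog lines are constructed; the host/process prefix is assumed and "xxxx" stands in for the timestamp, as in the original post.

```python
import re
from collections import defaultdict

# Shape of the jddosd message quoted in the question: protocol group,
# packet type, FPC slot, violation count and start time.
DDOS_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for "
    r"protocol/exception (?P<group>[\w-]+):(?P<ptype>\w+) exceeded its "
    r"allowed bandwidth at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"started at (?P<started>.+)$"
)

def parse_ddos_violation(line):
    """Return the parsed fields of one DDOS_PROTOCOL_VIOLATION_SET line, or None."""
    m = DDOS_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fpc"] = int(rec["fpc"])
    rec["count"] = int(rec["count"])
    return rec

def summarise(lines):
    """Sum violation counts per (protocol group, FPC), noisiest first, and
    attach the matching 'find' filter from the reply for each group."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_ddos_violation(line)
        if rec:
            totals[(rec["group"], rec["fpc"])] += rec["count"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [
        {"group": g, "fpc": f, "violations": n,
         "cli": f'show ddos-protection protocols statistics | find "Protocol Group: {g}"'}
        for (g, f), n in ranked
    ]

# Constructed syslog lines modelled on the question; the host/process prefix
# is assumed and "xxxx" stands in for the timestamp, as in the original post.
SAMPLE_LOG = """\
Jan  1 10:00:00 ex-vc jddosd[1234]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TTL:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
Jan  1 10:00:01 ex-vc jddosd[1234]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception L3MTU-fail:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times, started at xxxx
Jan  1 10:00:02 ex-vc jddosd[1234]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMCAST-miss:aggregate exceeded its allowed bandwidth at fpc 1 for 252 times, started at xxxx
Jan  1 10:05:00 ex-vc sshd[99]: Accepted publickey for admin from 192.0.2.10 port 50000
"""

if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG.splitlines()):
        print(row)
```

Feed it the output of `show log messages | match DDOS_PROTOCOL_VIOLATION_SET` and the top row tells you which protocol group's statistics to inspect first.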