Hi Arix,
Which EX platform and Junos version are you working with? These messages are indicating that the device is protecting it's routing-engine from excess of such packets from causing issues. The default thresholds and the violation times can be troubleshoot as follows:
https://forums.juniper.net/t5/Ethernet-Switching/EX-DDOS-explanation/td-p/460382
show ddos-protection protocols statistics terse
show ddos-protection protocols statistics | find "Protocol Group: TTL"
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).
show ddos-protection protocols statistics | find "Protocol Group: L3MTU"
show ddos-protection protocols statistics | find "Protocol Group: IPMCAST"
Based on the timing of log messages, you can check for actual packets hitting the routing engine of the device using:
monitor traffic interface <intf_name> no-resolve extensive
OR
monitor traffic interface <intf_name> no-resolve extensive write-file /var/tmp/DDOS.pcap --------> remember to stop this, copy out the file "DDOS.pcap" from /var/tmp/ and delete it before its too big.
Note that you'll need to make an educated guess on which interface to monitor based on your network and interface usage, as to which device is likely to send host-bound traffic to this EX. If all the traffic you see is legit, and still seeing these logs, try to play around with the ddos-protection threshold:
Example:
set system ddos-protection protocols ttl aggregate bandwidth 1000
set system ddos-protection protocols ttl aggregate burst 500