Junos

DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

11-27-2014 01:29 AM

Hi,

I'm getting lots of these kinds of messages:

jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1448 times, started at 2014-11-27 10:56:58 EET

jddosd[1460]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1448 times, from 2014-11-27 10:56:58 EET to 2014-11-27 11:02:38 EET

and I can't figure out why. Could you point me in the right direction, please?

Packet Forwarding Engine traffic statistics:
Input packets: 15240676085 17916 pps
Output packets: 21412011088 24572 pps
Packet Forwarding Engine local traffic statistics:
Local packets input : 15544166
Local packets output : 29380069
Software input control plane drops : 0
Software input high drops : 0
Software input medium drops : 0
Software input low drops : 0
Software output drops : 0
Hardware input drops : 0
Packet Forwarding Engine local protocol statistics:
HDLC keepalives : 0
ATM OAM : 0
Frame Relay LMI : 0
PPP LCP/NCP : 0
OSPF hello : 1702744
OSPF3 hello : 0
RSVP hello : 0
LDP hello : 0
BFD : 0
IS-IS IIH : 0
LACP : 0
ARP : 286860
ETHER OAM : 0
Unknown : 10
Packet Forwarding Engine hardware discard statistics:
Timeout : 0
Truncated key : 0
Bits to test : 0
Data error : 0
Stack underflow : 0
Stack overflow : 0
Normal discard : 11094859
Extended discard : 0
Invalid interface : 0
Info cell drops : 0
Fabric drops : 0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
Input Checksum : 0
Output MTU : 0

Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: Reject

Packet type: aggregate (Aggregate for v4 all reject traffic)
Aggregate policer configuration:
Bandwidth: 2000 pps
Burst: 10000 packets
Recover time: 300 seconds
Enabled: Yes
Flow detection configuration:
Detection mode: Automatic   Detect time:  3 seconds
Log flows:      Yes         Recover time: 60 seconds
Timeout flows:  No          Timeout time: 300 seconds
Flow aggregation level configuration:
Aggregation level   Detection mode  Control mode  Flow rate
Subscriber          Automatic       Drop          10 pps
Logical interface   Automatic       Drop          10 pps
Physical interface  Automatic       Drop          2000 pps
System-wide information:
Aggregate bandwidth is no longer being violated
No. of FPCs that have received excess traffic: 1
Last violation started at: 2014-11-27 11:15:03 EET
Last violation ended at: 2014-11-27 11:22:18 EET
Duration of last violation: 00:07:15 Number of violations: 1449
Received: 35017543 Arrival rate: 19 pps
Dropped: 195341 Max arrival rate: 3398 pps
Routing Engine information:
Bandwidth: 2000 pps, Burst: 10000 packets, enabled
Aggregate policer is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Dropped by individual policers: 0
FPC slot 0 information:
Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
Aggregate policer is no longer being violated
Last violation started at: 2014-11-27 11:15:03 EET
Last violation ended at: 2014-11-27 11:22:18 EET
Duration of last violation: 00:07:15 Number of violations: 1449
Received: 35017543 Arrival rate: 19 pps
Dropped: 195341 Max arrival rate: 3398 pps
Dropped by individual policers: 0
Dropped by aggregate policer: 195341
Dropped by flow suppression: 0
Flow counts:
Aggregation level   Current  Total detected  State
Subscriber          0        0               Active
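
The two jddosd lines quoted above are one SET and one CLEAR for the same violation episode, and the "for 1448 times" figure is jddosd's cumulative counter for that protocol group and FPC (the show output above already reports 1449), so the numbers worth tracking are how long each episode lasts and how often the group flaps, not the counter itself. The script below is an added example, not part of the original post and not Juniper code: it pairs SET and CLEAR messages per protocol group and FPC and summarises them. The Reject:aggregate lines are the ones from this post; the TTL:aggregate pair and the final open SET (using the 11:15:03 start time from the show output) are constructed input.

```python
"""Pair jddosd DDOS_PROTOCOL_VIOLATION_SET / _CLEAR messages into violation
episodes and summarise them per protocol group.

Added example for this thread, not Juniper code.  The Reject:aggregate lines
are the ones from the original post; the TTL:aggregate pair and the trailing
open SET are constructed to exercise a second group and an ongoing episode."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1448 times, started at 2014-11-27 10:56:58 EET
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol TTL:aggregate is violated at fpc 1 for 3 times, started at 2014-11-27 10:58:00 EET
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol TTL:aggregate has returned to normal. Violated at fpc 1 for 3 times, from 2014-11-27 10:58:00 EET to 2014-11-27 10:58:30 EET
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1448 times, from 2014-11-27 10:56:58 EET to 2014-11-27 11:02:38 EET
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1449 times, started at 2014-11-27 11:15:03 EET
"""

_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+"   # "YYYY-MM-DD HH:MM:SS ZONE"
SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (\S+) is violated at fpc (\d+) "
    r"for (\d+) times, started at " + _TS)
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (\S+) has returned to normal\. "
    r"Violated at fpc (\d+) for (\d+) times, from " + _TS + " to " + _TS)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass
class Episode:
    group: str                # "Reject:aggregate" = protocol group : packet type
    fpc: int
    violation_no: int         # jddosd's cumulative counter (1448 in the log, 1449 in the later show)
    start: datetime
    end: Optional[datetime]   # None while no CLEAR has been seen

    @property
    def duration_s(self) -> Optional[int]:
        if self.end is None:
            return None
        return int((self.end - self.start).total_seconds())


def parse_episodes(lines) -> Tuple[List[Episode], List[Episode]]:
    """Return (closed episodes, still-open episodes)."""
    open_: Dict[Tuple[str, int], Episode] = {}
    closed: List[Episode] = []
    for line in lines:
        m = SET_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            open_[key] = Episode(key[0], key[1], int(m.group(3)), _ts(m.group(4)), None)
            continue
        m = CLEAR_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            # A CLEAR carries its own start time, so an episode whose SET was
            # lost (log rotation, syslog rate limiting) is still reconstructed.
            ep = open_.pop(key, None) or Episode(key[0], key[1], int(m.group(3)), _ts(m.group(4)), None)
            ep.end = _ts(m.group(5))
            closed.append(ep)
    return closed, list(open_.values())


def summarise(closed: List[Episode]) -> Dict[str, Dict[str, int]]:
    """Per protocol group: number of episodes, total and longest time in violation."""
    out: Dict[str, Dict[str, int]] = {}
    for ep in closed:
        s = out.setdefault(ep.group, {"episodes": 0, "violated_s": 0, "longest_s": 0})
        s["episodes"] += 1
        s["violated_s"] += ep.duration_s
        s["longest_s"] = max(s["longest_s"], ep.duration_s)
    return out


if __name__ == "__main__":
    closed, still_open = parse_episodes(SAMPLE_LOG.splitlines())
    for group, s in summarise(closed).items():
        print(f"{group:20s} episodes={s['episodes']} violated={s['violated_s']}s longest={s['longest_s']}s")
    for ep in still_open:
        print(f"ONGOING {ep.group} fpc {ep.fpc} since {ep.start} (violation #{ep.violation_no})")
```

Run as-is it prints one line per protocol group plus any episode that has not cleared yet; on a real box feed it the output of `show log messages | match DDOS_PROTOCOL_VIOLATION` instead of SAMPLE_LOG.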
Re: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

11-27-2014 07:10 PM

anyone?

To me it seems like it's not really related to some kind of DDoS, but to some other reason...

Kind of a route flap or something. Nothing useful in the logs though.

At the same time, I do not have any reject rules in the firewall.

I'm running a setup with 2 RRs with 3 clients connected to each of them.

OSPF advertises loopbacks, iBGP other stuff.

Solution
Accepted by topic author romeo.r
08-26-2015 01:27 AM

Re: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

11-29-2014 06:31 AM

Resolved.

The default action for an aggregate route is to reject anything that does not hit a more specific route within the aggregated range.

So basically, when you have an access network with clients in it and suddenly you lose it (the company decides to stop this service, for example), those IPs keep being resolved by torrents, malware, viruses etc., and as you do not have those specific routes in the routing table anymore, the router keeps REJECTing them, as that is the default action. So to solve this:

set routing-options aggregate defaults discard

and forget about it. Anyway, any reject action is a vector for attack, so try to keep your core systems without any rejects...

Thanks to Saku Ytti for great help in pointing me in the right direction.

His article http://blog.ip.fi/2014/02/junos-l3-incompletes-what-and-why.html and personal help were priceless during this case.
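
To make the mechanism in the reply concrete, here is an added example (not part of the reply and not Junos code). It models the forwarding decision with a small longest-prefix-match table: destinations inside the aggregate that still match a contributing route are forwarded, while destinations that match only the aggregate get the aggregate's own next-hop action. With the default `reject` next hop those packets are punted to the Routing Engine so it can send ICMP unreachables, which is the host-bound traffic the Reject:aggregate policer in the first post counts (2000 pps bandwidth against a 3398 pps peak); with `discard` they are dropped silently in the PFE and never reach jddosd. The prefixes are RFC 5737 documentation ranges chosen for the example.

```python
"""Why an aggregate route's default next hop shows up under the Reject
protocol group, and what "aggregate defaults discard" changes.

Added example for this thread, not Junos code.  A minimal longest-prefix-match
table stands in for the FIB; each route carries its next-hop action.
Prefixes are RFC 5737 documentation ranges (constructed scenario)."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_fib(aggregate: str, contributing: Iterable[str], aggregate_action: str) -> Dict[Network, str]:
    """Contributing routes forward; the aggregate carries the configurable action
    ('reject' is the Junos default for aggregate routes, 'discard' is the fix)."""
    if aggregate_action not in ("reject", "discard"):
        raise ValueError("aggregate_action must be 'reject' or 'discard'")
    fib = {ipaddress.ip_network(p): "forward" for p in contributing}
    fib[ipaddress.ip_network(aggregate)] = aggregate_action
    return fib


def lookup(fib: Dict[Network, str], dst: str) -> str:
    """Longest-prefix match; 'no-route' when nothing covers the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "no-route"


def classify(fib: Dict[Network, str], destinations: Iterable[str]) -> Counter:
    """How many packets end in each action.  'reject' is the share that is
    punted to the RE for ICMP unreachables and policed as Reject:aggregate;
    'discard' is dropped in the PFE without touching the control plane."""
    return Counter(lookup(fib, d) for d in destinations)


# Constructed scenario: 192.0.2.0/24 is the advertised aggregate, the two /26s
# still have customers, the upper /25 was decommissioned but peers keep trying.
AGGREGATE = "192.0.2.0/24"
STILL_IN_SERVICE = ["192.0.2.0/26", "192.0.2.64/26"]
TRAFFIC = [
    "192.0.2.10", "192.0.2.70",                   # live customers
    "192.0.2.130", "192.0.2.200", "192.0.2.254",  # stale peers in the withdrawn /25
    "198.51.100.1",                               # outside the aggregate entirely
]


def before_and_after():
    """Same traffic against the default (reject) and the fixed (discard) aggregate."""
    before = classify(build_fib(AGGREGATE, STILL_IN_SERVICE, "reject"), TRAFFIC)
    after = classify(build_fib(AGGREGATE, STILL_IN_SERVICE, "discard"), TRAFFIC)
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("aggregate default reject :", dict(before))
    print("aggregate defaults discard:", dict(after))
```

The same change can be made per route with `discard` under `routing-options aggregate route <prefix>`, and aggregates inside a routing instance need it under that instance's own `routing-options`. After the change, `show ddos-protection protocols reject statistics` should show the reject group's arrival rate fall back to background levels, and `show route protocol aggregate` lists the aggregates the default applies to.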

Re: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

a month ago

Arix,

Open a new thread, as a solution has already been accepted on this thread.

And as a good practice, close your threads with the solution accepted where a solution has been provided to you.

Tks,

Abhishek.


Re: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

a month ago

okay... opened a new case... thanks