Junos

ddos-protection violation protocol sample

‎05-29-2019 04:04 AM

Hello,

 

What does the DDOS-PROTECTION sample, coming from pfe, mean when you aren't using sampling on any interface?

 

admin@RT> show ddos-protection protocols violations
Packet types: 219, Currently violated: 2

Protocol Packet Bandwidth Arrival Peak Policer bandwidth
group type (pps) rate(pps) rate(pps) violation detected at
sample aggregate 1000 71268 101310 2019-05-28 22:04:42 BRT
Detected on: FPC-0
sample pfe 1000 71337 101209 2019-05-28 22:04:41 BRT
Detected on: FPC-0

 

admin@RT> show configuration | match sampl

admin@RT>

 

admin@RT> show pfe statistics notification | match sample

Sample 35946049 35946049 0 0

 

Any ideas?

 


Re: ddos-protection violation protocol sample

‎05-29-2019 04:17 AM

Hi rganascim
As per this link https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-pfe-statisti... this is the number of notifications sampled: sample—"Number of notifications sampled," as this command is related to information about Packet Forwarding Engine notification statistics.

 

Thanks

Regards,
A.A.

Re: ddos-protection violation protocol sample

‎05-29-2019 04:34 AM

Hello @asaleh,

 

Thanks. But is this high volume targeting the threshold of ddos-protection all the time normal behavior?

 


Re: ddos-protection violation protocol sample

‎05-29-2019 08:33 AM

Another application using sampling is port mirror. Do you have that?

Usually these messages are not harmful. They just impact how much traffic is sent to your collection device. You can increase the sampling rate, but you don't have to. For port mirror, turn it off if you are not actively collecting transit traffic.


Mengzhe Hu
JNCIE x 3 (SP DC ENT)

Re: ddos-protection violation protocol sample

‎05-29-2019 09:38 AM

There is no port mirror configured.

 

Our scenario is an MX 104 with ~11k PPPoE subscribers, using LACP + dmux interfaces (some with dot1q and some with qinq).

 

 

 

Solution
Accepted by topic author rganascim
‎05-29-2019 12:09 PM

Re: ddos-protection violation protocol sample

‎05-29-2019 10:20 AM

Do you have any firewall filter with syslog/log action?


Mengzhe Hu
JNCIE x 3 (SP DC ENT)

Re: ddos-protection violation protocol sample

‎05-29-2019 12:11 PM

I disabled all the "log/syslog" actions from firewall filters as you said, and the ddos-protection was clean. The problem is solved.

 

Thanks @mhu !

 

admin@RT> show ddos-protection protocols violations
Packet types: 219, Currently violated: 0
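
Added example (not part of the thread and not any poster's code): the resolution above was disabling firewall filter log/syslog actions, which a `show configuration | match sampl` search does not surface. This Python sketch lists the active filter terms carrying those actions in `show configuration | display set` output; the sample configuration, filter names and the `find_logging_terms` helper are constructed for illustration.

```python
import re

# "set [prefix] firewall [family X] filter NAME term TERM then log|syslog"
# Names may be double-quoted when they contain spaces.
ACTION_RE = re.compile(
    r'^set (?P<path>.*?\bfirewall (?:family (?P<family>\S+) )?'
    r'filter (?P<filter>"[^"]+"|\S+) term (?P<term>"[^"]+"|\S+) '
    r'then (?P<action>log|syslog))\s*$'
)

def find_logging_terms(set_config):
    """Return (family, filter, term, action) for each active log/syslog action."""
    lines = [ln.strip() for ln in set_config.splitlines() if ln.strip()]
    # "deactivate <path>" disables everything at or below that path.
    deactivated = [ln[len("deactivate "):] for ln in lines
                   if ln.startswith("deactivate ")]
    hits = []
    for ln in lines:
        m = ACTION_RE.match(ln)
        if not m:
            continue
        path = m.group("path")
        if any(path == d or path.startswith(d + " ") for d in deactivated):
            continue  # statement is inactive, so it generates no notifications
        hits.append((m.group("family") or "inet",  # bare "firewall filter" is inet
                     m.group("filter").strip('"'),
                     m.group("term").strip('"'),
                     m.group("action")))
    return hits

# Constructed sample in "display set" format (not taken from the thread).
SAMPLE_CONFIG = """
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter PROTECT-RE term ssh then accept
set firewall family inet filter PROTECT-RE term default then log
set firewall family inet filter PROTECT-RE term default then syslog
set firewall family inet filter PROTECT-RE term default then discard
set firewall family inet6 filter SUBS-IN term "log all" then log
set firewall filter LEGACY term t1 then count t1-hits
set firewall filter LEGACY term t2 then syslog
deactivate firewall filter LEGACY term t2
"""

if __name__ == "__main__":
    for family, flt, term, action in find_logging_terms(SAMPLE_CONFIG):
        print(f"family {family} filter {flt} term {term}: then {action}")
```

Filters matched this way on high-rate subscriber traffic are the first candidates to review when the `sample` protocol group shows violations and no sampling or port mirroring is configured.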